fix(P1): Update SECURITY.md to reflect all security improvements (sessions, 15min, fail-closed)

fix(P1): Auth store uses memory access token, persists only refresh token

fix(P1): Frontend stores access token in memory only, refresh token persisted for rotation

fix(P1): .env.example with 15min access token, ENCRYPTION_KEY required note, REDIS_PASSWORD

fix(P1-security): Rate limiter fails CLOSED for auth/AI endpoints when Redis is down

fix(P1-security): Auth routes use refresh sessions, logout revokes, 15min access tokens

fix(P1-security): Reduce access token to 15min, add refresh session table, implement token revocation on logout

fix(P0): Add key_prefix and key_last4 to UserAPIKey model, settings route uses them"

fix(P0): Production compose removes direct backend/frontend ports, only nginx exposed

fix(P0): Migration uses vector(768), remove direct port exposure in prod compose, add lockfile note

fix(P0): encryption.py uses settings.ENCRYPTION_KEY from config properly

fix(P0): Remove unused Field import from config, add ENCRYPTION_KEY to settings"

fix(P0): Fix semantic search to use 768 dims (nomic-embed-text) for local-first, document choice

fix(P0): Document ENCRYPTION_KEY in .env.example, add key_last4/prefix to model and settings route

fix(P0): CI workflow removes --frozen-lockfile, uses eslint directly, fixes lint step

fix: Frontend API client uses relative URL by default (same-origin, works with nginx proxy)

fix: Separate ENCRYPTION_KEY from SECRET_KEY, add key_last4 to avoid decrypt on list

fix: LLM gateway with Pydantic schema validation per task + safe retry variable + user-key-aware routing

fix: Frontend Dockerfile removes --frozen-lockfile (no lockfile committed yet), uses pnpm install

fix(critical): Production frontend URL, lockfile note, LLM schema validation, provider availability

fix(critical): Alembic env.py uses settings.database_url_sync consistently

fix(critical): LLM gateway actually passes user API keys to litellm calls

fix(critical): database.py uses correct settings.database_url_async property

fix: Honest README - real feature status, no false claims, actual ATS count"

fix: Implement real salary parsing + fix normalize_salary stub"

fix: Clean main.py - uses centralized api_router, much simpler

fix: Router refactor - centralized api_router.py instead of 65 imports in main.py

fix: LLM gateway with JSON retry, all providers configured, structured validation

fix: Add cryptography to pyproject.toml for Fernet encryption

fix: .env.example with consistent port (5432) and honest comments

fix: Add Next.js standalone output, fix .env port, add cryptography to deps

fix: Add PRIVACY.md with data handling, retention, and LLM disclosure

fix: Add SECURITY.md + PRIVACY.md documenting data handling and known limitations

fix: Auth register with password validation, proper flush order, stronger Pydantic

fix(security): Enforce SECRET_KEY in prod, stronger password validation, fix config

fix(security): Settings API uses real encryption, never returns raw keys

fix(security): Real Fernet encryption for API keys, JWT secret enforcement, password validation

feat: 🕷️ Full scraper UI page - both URL mode and params search mode with results display

feat: 🕷️ SmartJobSearch - searches ALL sources with params, no URL needed

feat: 🕷️ Complete scraper rewrite - smart scraping with params OR urls, full data extraction

fix: Production docker-compose also uses pgvector image

fix: Update Dockerfile to install fpdf2 + weasyprint deps, playwright setup

fix: Add fpdf2 to deps, register pdf_export + all remaining routes in main.py

fix: Wire up resume PDF download API endpoint using @react-pdf on server

fix: Add python-docx + pdfminer to pyproject.toml, add dotenv dep for alembic

fix: Use pgvector Docker image + update docker-compose for full functionality

fix: 🎨 Cover letters + Networking + Compare pages neo-brutalism

fix: 🎨 Admin page neo-brutalism + dark mode

fix: 🎨 Job detail page neo-brutalism + dark mode

fix: 🎨 Offline page neo-brutalism