v3.5.1 7 February 2026

RLS Repair, Nginx Hardening & Marketing Polish

Security & Infrastructure

  • RLS runtime repairs — Fixed 6 broken files from the v3.5.0 sed migration: admin-bug-reports.ts (corrupted handlers), admin.ts (handler signatures), admin-additions.ts (webhook handler), bug-reports.ts, server.ts (admin cleanup hooks). All replaced as complete drop-ins — no more sed.
  • Admin middleware — requireAdmin now checks out a dedicated PoolClient and elevates to speybooks_admin role (BYPASSRLS). Cleanup via onResponse hook in server.ts.
  • Transparency page — Fixed tagged template literal bug in fetch calls (fetch`…` → fetch(`…`)). Stats and recent bug reports now load correctly.
  • Status page CSP — Added app.speybooks.com and docs.speybooks.com to connect-src so health checks work.
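
The tagged template literal bug from the Transparency page item above, shown as an added example (not SpeyBooks code): what a function receives when it is used as a template tag, plus a simple source check for the pattern. `recordingFetch`, `base`, `findTaggedCalls` and the sample source lines are constructed for illustration.

```javascript
// Added example, not SpeyBooks code. recordingFetch is a constructed stand-in
// for fetch that records its arguments instead of touching the network.
function recordingFetch(input, init) {
  return { url: String(input), init };
}

// Hypothetical base path, constructed for the demonstration.
const base = "/api/v1";

function demoCalls() {
  return {
    // Correct: the template literal is evaluated first, fetch gets one string.
    call: recordingFetch(`${base}/stats`),
    // Bug: tagged template. The function receives the array of literal chunks
    // as `input` and the interpolated value as `init`.
    tagged: recordingFetch`${base}/stats`,
    // Without interpolation the one-element array stringifies to the intended
    // URL, so the bug can pass unnoticed until a placeholder is added.
    taggedStatic: recordingFetch`/stats`,
  };
}

// Source check: flag any listed function name used as a template tag.
// Regex-based, so it can also match inside comments or strings.
function findTaggedCalls(source, names = ["fetch"]) {
  const pattern = new RegExp("(?<![\\w$])(" + names.join("|") + ")\\s*`");
  const hits = [];
  source.split("\n").forEach((text, i) => {
    const m = pattern.exec(text);
    if (m) hits.push({ line: i + 1, name: m[1], text: text.trim() });
  });
  return hits;
}

// Constructed sample source, built with join() to avoid nested backticks.
const sample = [
  "const stats = await fetch`${API}/transparency/stats`;",
  "const bugs = await fetch(`${API}/bug-reports/recent`);",
  "const res = await window.fetch `/health`;",
].join("\n");

console.log(demoCalls());
console.log(findTaggedCalls(sample));
```
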

Nginx Hardening (all 4 domains)

  • IPv6 — Added [::]:80 and [::]:443 listeners across app, api, docs, and marketing configs.
  • Per-site logging — Each domain now logs to /var/log/nginx/{domain}.{access,error}.log.
  • Gzip — Enabled JSON compression on api.speybooks.com.
  • OCSP — Removed non-functional OCSP stapling block from docs.speybooks.com (Let’s Encrypt ECDSA certs lack OCSP responder URL in chain).
  • Symlink fix — docs.speybooks.com in sites-enabled was a standalone file, not a symlink. Replaced with proper symlink to sites-available.

Marketing Site

  • Insights featured card — Changed from side-by-side layout to stacked (text top, hero bottom full-width), matching SpeyTech design.
  • Page width consistency — Standardised max-w-4xl for status and insights article pages.
  • Transparency status link — “All systems operational” indicator now links to /status/ page.

Known Issue

  • Audit log on auth routes — Login/register audit trail silently fails when no tenant context is set. Auth works correctly; only the audit write is affected. Tracked for v3.5.2.