- .github/renovate.json: auto-merge patch updates, weekly Monday schedule,
web3 deps require manual minor review, dev-tooling auto-merges.
- workers/api/src/session.ts: refreshSessionCookie() + applySessionRefresh().
Every authenticated request now re-issues __Host-dfid with a fresh 7-day
TTL for sliding expiration. No more silent login expiry.
- workers/api/src/index.ts: withSession() helper wraps requireSession +
handler + cookie refresh. All 5 protected routes use it.
- workers/api/src/routes/notify.ts: POST /api/notify endpoint for landing
page email subscriptions. KV-backed (SUBSCRIPTIONS). Capped at 10k.
- workers/api/src/routes/account.ts: POST /api/account/export (return all
user data from KV) and POST /api/account/delete (wipe + clear cookie).
GDPR portability + right-to-erasure.
- apps/web/src/app/privacy/page.tsx, terms/page.tsx: legal pages.
- apps/web/src/components/Shell.tsx: Privacy + Terms footer links.