- /api/stats: add verifyCsrf middleware (defense-in-depth; no-op for GETs)
- VerifyEmailPage: useRef guard to prevent React StrictMode double-fire of
  the single-use verify token in dev
- router.tsx: route-level code splitting via React.lazy + Suspense; initial
  bundle drops from 397 KB to 224 KB with per-route chunks (0.3–14 KB each)
- e2e: wait for verify-email completion before login; bump Account-menu
  timeout to handle Vite cold-chunk compile