Tightened the Sendblue webhook auth, killed a Markdown XSS in hosted notes, and added security headers across the app.
A pre-broader-launch sweep. The webhook now verifies Sendblue's signature properly and rejects anything that isn't signed correctly. The Markdown renderer that backs the hosted-page artifacts had a small injection path; it's closed. CSP and the usual hardening headers (X-Frame-Options, Referrer-Policy, etc.) are set at the framework level.
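As an added illustration (not code from this changelog or from Sendblue), this is the shape of the webhook check the first item describes: the handler accepts a request only when its signature verifies, and treats a missing, malformed or mismatched signature the same way. The HMAC-SHA256-over-raw-body scheme, the `X-Signature` header name and the sample payload are assumptions, not Sendblue's documented format.

```python
import hashlib
import hmac

# Assumed scheme (not Sendblue's documented one): the sender computes
# HMAC-SHA256 over the raw request body with a shared secret and sends the
# lowercase hex digest in an X-Signature header.
SIGNATURE_HEADER = "x-signature"


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Hex HMAC-SHA256 of the raw body; computed over bytes, never over a re-serialised JSON object."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, raw_body: bytes, secret: bytes) -> bool:
    """Return True only if the request carries a valid signature.

    Every failure mode (missing header, malformed value, mismatch) returns
    False so the caller rejects the request before parsing the body.
    """
    # Header names are case-insensitive; normalise once before lookup.
    provided = {k.lower(): v for k, v in headers.items()}.get(SIGNATURE_HEADER)
    if not provided:
        return False
    provided = provided.strip().lower()
    # Reject anything that is not a 64-character hex digest before comparing.
    if len(provided) != 64 or any(c not in "0123456789abcdef" for c in provided):
        return False
    expected = compute_signature(secret, raw_body)
    # Constant-time comparison so the check does not leak how many leading
    # characters of the signature matched.
    return hmac.compare_digest(expected, provided)


# Constructed sample secret and payload for a stand-alone run.
SECRET = b"example-shared-secret"
BODY = b'{"status":"DELIVERED","message_handle":"abc123"}'

if __name__ == "__main__":
    signed = {"X-Signature": compute_signature(SECRET, BODY)}
    print(verify_webhook(signed, BODY, SECRET))         # valid request
    print(verify_webhook({}, BODY, SECRET))             # unsigned request
    print(verify_webhook(signed, BODY + b" ", SECRET))  # body altered in transit
```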