feat: Phases 4-7 — Full Feature Expansion (26 features)
Phase 4 — New Widget Types:
- Clock/Weather, System Stats, RSS/Feed, Calendar, Markdown, Metric/Counter, Link Group, Camera/Stream widgets
- Backend services with caching for each data source
- Full creation form with dynamic config fields per type

Phase 5 — Visual & Styling Enhancements:
- Glassmorphism card style (solid/glass/outline)
- Board-level themes with per-board hue/saturation
- Animated SVG status rings replacing static dots
- Card size options (compact/medium/large)
- Custom CSS injection (admin + per-board, sanitized)
- Wallpaper backgrounds with blur/overlay/parallax

Phase 6 — Functional Features:
- Favorites bar with drag-and-drop reordering
- Recent apps tracking with privacy toggle
- Uptime dashboard page (/status, guest-accessible)
- Notifications system (Discord/Slack/Telegram/HTTP webhooks)
- App tags with filtering in board view
- Multi-URL app cards with expandable sub-links
- Personal API tokens with scoped permissions
- Audit log with retention and admin viewer

Phase 7 — Quality of Life:
- Onboarding wizard (5-step first-launch setup)
- App URL health preview with favicon/title detection
- Board templates (4 built-in + custom import/export)
- Keyboard shortcut overlay (j/k nav, 1-9 boards, ? help)

212 files changed, 15641 insertions, 980 deletions.
Build, lint, type check, and 222 tests all pass.
@@ -5,6 +5,7 @@
|
||||
**Domain:** fullstack
|
||||
|
||||
## Objective
|
||||
|
||||
Implement the full local authentication flow: login, registration, session management with JWT + refresh tokens in HTTP-only cookies, auth middleware in hooks.server.ts, and guest mode support.
|
||||
|
||||
## Tasks
|
||||
@@ -26,6 +27,7 @@ Implement the full local authentication flow: login, registration, session manag
|
||||
- [x] Task 15: Create logout endpoint/action — invalidate refresh token, clear cookies
|
||||
|
||||
## Files to Modify/Create
|
||||
|
||||
- `src/hooks.server.ts` — auth middleware
|
||||
- `src/lib/server/utils/jwt.ts` — JWT utilities
|
||||
- `src/lib/server/utils/password.ts` — password utilities
|
||||
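Review bot: Task 15 covers only the refresh token ("invalidate refresh token, clear cookies"), so an access token that was already issued stays valid until it expires, even after logout. Either document that window as accepted behaviour, or add a task for `src/hooks.server.ts` to reject access tokens whose session has been logged out.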
@@ -43,6 +45,7 @@ Implement the full local authentication flow: login, registration, session manag
|
||||
- `src/app.d.ts` — augment `Locals` with user session type (already done in Phase 2)
|
||||
|
||||
## Acceptance Criteria
|
||||
|
||||
- Users can register (when enabled) and log in with email/password
|
||||
- JWT access token + refresh token issued in HTTP-only cookies
|
||||
- `hooks.server.ts` validates tokens on every request and injects user into `event.locals`
|
||||
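Review bot: The cookie criterion ("JWT access token + refresh token issued in HTTP-only cookies") names only the HTTP-only attribute. Because both tokens travel in cookies that the browser attaches automatically, the acceptance criteria should also require `Secure` and an explicit `SameSite` value, and should state which CSRF protection the state-changing form actions rely on, so that these are tested rather than assumed.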
@@ -53,6 +56,7 @@ Implement the full local authentication flow: login, registration, session manag
|
||||
- Form validation with Superforms + Zod shows errors inline
|
||||
|
||||
## Notes
|
||||
|
||||
- Access token expiry: 15 minutes; Refresh token expiry: 7 days
|
||||
- Store refresh tokens in DB (User model) for server-side invalidation
|
||||
- OAuth is deferred to Phase 2 of the project (post-MVP)
|
||||
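Review bot: The note "Store refresh tokens in DB (User model) for server-side invalidation" does not say whether the token is stored raw or hashed. Suggest stating that only a hash of the refresh token is persisted, so a database read does not yield usable 7-day credentials. If the token lives in a single field on the User model, also say whether a login from a second device replaces the first session.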
@@ -60,6 +64,7 @@ Implement the full local authentication flow: login, registration, session manag
|
||||
- Big Bang: login page will be functional but unstyled/minimal until Phase 7
|
||||
|
||||
## Review Checklist
|
||||
|
||||
- [x] All tasks completed
|
||||
- [x] Code follows project conventions
|
||||
- [x] No unintended side effects
|
||||
@@ -69,6 +74,7 @@ Implement the full local authentication flow: login, registration, session manag
|
||||
## Handoff to Next Phase
|
||||
|
||||
**What's ready for Phase 4:**
|
||||
|
||||
- Full local auth flow is implemented: login, registration, logout, token refresh.
|
||||
- `hooks.server.ts` validates JWT access tokens on every request and injects `event.locals.user` and `event.locals.session`. Expired access tokens are silently refreshed via refresh token rotation.
|
||||
- Protected routes (anything except `/login`, `/register`, `/auth/*`, `/api/health`) redirect unauthenticated users to `/login`.
|
||||
|
||||
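Review bot: The exception list in the protected-routes bullet (`/login`, `/register`, `/auth/*`, `/api/health`) does not include `/status`, which this commit's message describes as guest-accessible. Either add it here or mark the list as the Phase 3 state only, so the handoff text matches what `hooks.server.ts` enforces after this commit. The same bullet says unauthenticated users are redirected to `/login`; with personal API tokens introduced in this commit, it should say whether API requests receive a 401 rather than a redirect.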