
Commit 5906dbc

Release v4.0.0-rc1 (#27)
* Add OIDC social login and two-factor authentication (v4.0.0)

  Backend:
  - OIDC provider support (Google, Apple, Microsoft, generic OIDC)
  - Email OTP and passkey (WebAuthn) two-factor authentication
  - Recovery codes for 2FA backup access
  - OAuth account linking/unlinking with safety checks
  - ID token signature verification via JWKS
  - Cryptographically secure OTP generation
  - OAuth state nonce replay protection
  - Database migrations for oauth_accounts, twofa_config, twofa_challenges, and webauthn_credentials tables

  Frontend:
  - Social login buttons on login page (config-driven)
  - OAuth callback handler and auth flow integration
  - Security Settings page with 2FA management
  - TwoFactorSettings component (enable/disable, recovery codes)
  - LinkedAccounts component (connect/disconnect providers)
  - TwoFactorVerify page (email OTP, passkey, recovery code)
  - Admin panel security tab for feature flag visibility

  Testing:
  - 93 backend pytest tests (config, migrations, OAuth, 2FA)
  - 3 new Playwright spec files (oauth-ui, security-settings, two-factor)
  - Updated test-e2e.sh with Phase 6 (OIDC/2FA backend tests)
  - Added port collision prevention and lock file to test runner

* Add comprehensive store submission guide

* Add STORE-SUBMISSION.md to .gitignore (internal docs)

* chore: prep v4.0.0 release

  Tighten token handling and telemetry ingestion, and add mobile Vitest coverage. Ignore local agent/tool state files from the repo.

* fix: enforce 2FA on login flows

  Require a 2FA challenge whenever a user has 2FA enabled, including OAuth callback logins. Ignore coverage artifacts and align auth test password to current validation rules.

* chore: bump Flask and clean bandit

  Update Flask to 3.1.3 to address a pip-audit finding, and add targeted nosec annotations for Bandit false positives.

* fix: stabilize auth refresh and audit indexes
* fix: address CodeQL oauth and logging findings
* fix: remove provider detail from oauth warning log
* fix: use query response mode for Apple OAuth callback
* Revert "fix: use query response mode for Apple OAuth callback"

  This reverts commit dfcbd5f.

* fix: use query response mode for Apple OAuth callback
* fix: preserve account context when linking oauth providers
* fix: add passkey registration action in security settings
* fix: support Apple form_post OAuth callback bridge
* Revert "fix: support Apple form_post OAuth callback bridge"

  This reverts commit 1dddfcf.

* fix: bridge Apple form_post callback to SPA route
* fix: keep oauth linking in-session and add account deletion
* feat: expose security settings from admin panel
* refactor: keep security actions in admin flow
* fix: surface passkey registration conflicts clearly
* Revert "fix: surface passkey registration conflicts clearly"

  This reverts commit 54fff17.

* fix: show oauth callback failure instead of spinner
* fix: surface oauth callback errors to users
* style: increase spacing in admin security sections
* fix: improve passkey registration error handling
* fix: support Apple token exchange and passkey parsing
* fix: normalize Apple private key env formatting
* fix: support legacy webauthn registration credential fields
* fix: decode base64url fields for legacy passkey parsing
* fix: construct attestation response for legacy webauthn
* fix: use theme-aware background for passkey device rows
* fix: send WebAuthn assertion for passkey 2FA login
* fix: normalize passkey transports for auth options
* fix: support legacy passkey authentication credential parsing
* fix: resolve CI security findings for release branch
1 parent daa054e commit 5906dbc

44 files changed

Lines changed: 10708 additions & 2686 deletions


.gitignore

Lines changed: 12 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,10 @@ marketing-plan.md
3838
# Test files
3939
test_*.py
4040

41+
# Coverage outputs
42+
.coverage
43+
coverage.xml
44+
4145
# Marketing site is in separate repo (git@git.brdweb.com:brdweb/billmanager-marketing)
4246
marketing/
4347
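Review bot: the new coverage ignores (`.coverage`, `coverage.xml`) miss the other files coverage.py writes: the per-process data files from parallel/combined runs, named `.coverage.<host>.<pid>.<suffix>`, and the `htmlcov/` directory produced by `coverage html`; add `.coverage.*` and `htmlcov/` beside the two new entries so a `pytest --cov` run does not leave untracked debris. Separately, the unchanged `test_*.py` pattern under `# Test files` ignores exactly the filenames pytest collects by default, which sits oddly with a commit message that says it adds 93 backend pytest tests: any new test file matching that pattern only enters the repo via `git add -f`, and contributors' new tests will silently not be committed. Narrow the pattern to the scratch location it was meant for, or drop it.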

@@ -57,5 +61,12 @@ setup_kuma.py
5761
# Testing status (local only)
5862
TESTING_STATUS.md
5963

64+
# Store submission (sensitive internal docs)
65+
STORE-SUBMISSION.md
66+
67+
# Local agent instructions / tool state
68+
AGENTS.md
69+
.playwright-mcp/
70+
6071
# Root package-lock (monorepo uses per-app locks)
61-
/package-lock.json
72+
/package-lock.json
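Review bot: adding `STORE-SUBMISSION.md`, `AGENTS.md` and `.playwright-mcp/` to `.gitignore` does not untrack them if they were committed earlier, and the commit message shows `STORE-SUBMISSION.md` was first added as a "comprehensive store submission guide" and only afterwards ignored as "sensitive internal docs". Run `git ls-files STORE-SUBMISSION.md AGENTS.md .playwright-mcp` and `git rm --cached` anything listed in this PR; and if the file was pushed in the PR branch's history, treat its contents as already disclosed and rotate any credentials or keys it held rather than relying on the ignore entry. The `/package-lock.json` entry is also removed and re-added with identical text (`61-` / `72+`), which usually means a trailing-newline or whitespace change; make sure the file ends with a newline so the next edit does not show the same noise.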

README.md

Lines changed: 7 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -6,25 +6,17 @@ A **secure multi-user** web application for tracking recurring expenses and inco
66

77
---
88

9-
## 🎉 What's New in v3.8.1
9+
## 🎉 What's New in v4.0.0
1010

11-
**Dashboard & Analytics Overhaul** - New Dashboard, Calendar, and Analytics pages with spending trends, interactive stat cards, and improved navigation.
11+
**Social Login & Two-Factor Authentication** - Sign in with Google, Apple, Microsoft, or any OIDC provider. Protect your account with email OTP or passkey-based two-factor authentication.
1212

1313
### Highlights
1414

15-
- **Dashboard Page** - At-a-glance stat cards (Total Bills, Due This Week, Overdue, Monthly Total) with clickable navigation
16-
- **Calendar Page** - Multi-month calendar view with bill due date indicators
17-
- **Analytics Page** - Spending trends charts, account pie chart, year-over-year comparison, and yearly summary with labeled totals
18-
- **Filter Indicators** - Clear visual banner on Bills page when filters are active
19-
- **Improved Navigation** - Sidebar calendar and Upcoming Bills filters navigate directly to filtered Bills view
20-
- **Payment History** - Dedicated sidebar nav link and default 30-day date range
21-
22-
### Bug Fixes
23-
24-
- Fixed editing payments from All Payments page not saving changes
25-
- Fixed deleting payments not refreshing the list
26-
- Fixed yearly summary background too bright in dark mode
27-
- Fixed "Today" button text clipped on Calendar page
15+
- **Social Login (OIDC)** - Connect Google, Apple, Microsoft, or any OpenID Connect provider for one-click sign-in
16+
- **Two-Factor Authentication** - Email OTP and passkey (WebAuthn) support for account security
17+
- **Recovery Codes** - Backup access codes in case you lose your 2FA device
18+
- **Linked Accounts** - Manage connected OAuth providers from your Security Settings
19+
- **Security Hardened** - ID token signature verification, state replay protection, cryptographic OTP generation
2820

2921
---
3022
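Review bot: the heading says "What's New in v4.0.0" while this commit is titled "Release v4.0.0-rc1", and the rewrite drops the `### Bug Fixes` subsection that the v3.8.1 block had even though this release carries fixes users need to see: the commit message records that a 2FA challenge is now required "whenever a user has 2FA enabled, including OAuth callback logins", and that Flask was bumped to 3.1.3 "to address a pip-audit finding". Keep the version string consistent with the tag, add a `### Bug Fixes` (or `### Security Fixes`) subsection listing those two items, and move the v3.8.1 notes to a changelog instead of deleting them. The "Security Hardened" bullet names ID token signature verification, state replay protection and cryptographic OTP generation but points deployers at no setup documentation for the OIDC providers; a link to where redirect URIs and provider credentials are configured would make the feature usable from the README.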

0 commit comments