TODO

Fix account.php: replace !== CSRF token check with hash_equals (constant-time comparison)
Fix ShareLink::setPassword(): also encrypt and store plain-text password, matching create() behavior
Audit: confirm all remaining credential comparison sites use constant-time hash_equals or password_verify
Fix .gitignore: anchor vendor/ to root (/vendor/) so app/public/assets/js/vendor/ (htmx, OverType, FilePond) is tracked