Highlights
Security hardening — CSRF protection on all 31 POST handlers, per-IP booking rate limiting (10 req / 5 min), server-side input validation, double-booking prevention via unique index + transactions, crash-proof handlers (no more .unwrap()), graceful shutdown.
Observability — 50 structured tracing log points across auth, bookings, CalDAV, admin, email, DB migrations. HTTP request tracing via tower-http. Configurable via RUST_LOG (default: calrs=info,tower_http=info).
Bug fixes
- ICS events had midnight/zero-duration times when confirming or cancelling bookings
- Host never received email after approving a pending booking
- Email send failures were silently discarded
Features
- Calendar events show attendee names: "30min call — John & Olivier"
- Guest notes included in ICS DESCRIPTION field
- Host gets a dedicated confirmation email (without duplicate ICS) after approval
- 223 tests (up from 191)
See the full CHANGELOG for details.