Fix gallery HTML structure bug and replace email auth with OTP flow

Gallery: remove <a> from share allowlist. Gallery cards wrap content in
<a class="gal-link">; allowing <a> in sanitized answer HTML causes nested
anchors that the HTML5 adoption agency algorithm resolves by restructuring
the DOM, producing mismatched </div> tags that leave gallery-grid open and
pull sibling elements into the grid as spurious grid columns.

Account: replace email+password sign-up/sign-in with magic-link OTP.
supabase.auth.signInWithOtp handles both new and existing users in one
flow. Existing onAuthStateChange listener (dadeb8ddb9a8.js) retained for
post-redirect dashboard display. sendMagicLink added to extract-js
RESERVED_GLOBALS so the obfuscator does not mangle the onclick reference.

scripts/extract-js.py

@@ -76,6 +76,7 @@ RESERVED_GLOBALS = [
     "signInWith",
     "signInWithEmail",
     "signUpWithEmail",
+    "sendMagicLink",
     "signOut",
     "resetPassword",
     "sendResetEmail",

src/account.el

@@ -652,8 +652,8 @@ fn account_page(supabase_url: String, supabase_anon_key: String) -> String {
             <circle cx=\"12\" cy=\"7\" r=\"4\"/>
           </svg>
         </div>
-        <h1 class=\"signin-title\">Sign in to view your account</h1>
+        <h1 class=\"signin-title\">Sign in to your account</h1>
-        <p class=\"signin-sub\">Use the same sign-in method you used when you signed up.</p>
+        <p class=\"signin-sub\">Enter your email to receive a sign-in link, or continue with a social account.</p>
         <!-- Single width-controlled container for ALL sign-in options -->
         <div style=\"width:100%;max-width:20rem;margin:0 auto;display:flex;flex-direction:column;gap:.75rem\">
           <button type=\"button\" class=\"signin-btn\" id=\"btn-google\" onclick=\"signInWith('google')\">
@@ -680,15 +680,10 @@ fn account_page(supabase_url: String, supabase_anon_key: String) -> String {
 
           <input type=\"email\" id=\"acct-email-input\" placeholder=\"Email address\" autocomplete=\"email\"
             style=\"font-family:var(--body);font-size:.875rem;font-weight:300;color:var(--t1);background:#fff;border:1px solid var(--border2);padding:.875rem 1rem;outline:none;transition:border-color .2s;width:100%;box-sizing:border-box\">
-          <input type=\"password\" id=\"acct-pass-input\" placeholder=\"Password\" autocomplete=\"current-password\"
+          <button type=\"button\" id=\"acct-magic-btn\" onclick=\"sendMagicLink()\"
-            style=\"font-family:var(--body);font-size:.875rem;font-weight:300;color:var(--t1);background:#fff;border:1px solid var(--border2);padding:.875rem 1rem;outline:none;transition:border-color .2s;width:100%;box-sizing:border-box\">
-          <button type=\"button\" id=\"acct-signin-btn\" onclick=\"signInWithEmail()\"
             style=\"font-family:var(--body);font-size:.75rem;font-weight:500;letter-spacing:.14em;text-transform:uppercase;color:#fff;background:var(--navy);border:none;padding:.875rem 1rem;cursor:pointer;transition:background .2s;width:100%;box-sizing:border-box\">
-            Sign in
+            Continue with email
           </button>
-          <p id=\"acct-mode-hint\" style=\"font-family:var(--body);font-size:.8rem;font-weight:300;color:var(--t3);text-align:center\">
-            No account? <a href=\"#\" onclick=\"switchToSignUp();return false;\" style=\"color:var(--navy)\">Create one</a>
-          </p>
           <p id=\"acct-email-msg\" style=\"display:none;font-size:.8rem;text-align:center;margin-top:.25rem\"></p>
         </div>
       </div>
@@ -896,7 +891,9 @@ fn account_page(supabase_url: String, supabase_anon_key: String) -> String {
 </div>
 
 <script src=\"https://cdn.jsdelivr.net/npm/@supabase/supabase-js@2/dist/umd/supabase.min.js\"></script>
-<script>window.NEURON_CFG=window.NEURON_CFG||{};window.NEURON_CFG.supabase_url=\"" + supabase_url + "\";window.NEURON_CFG.supabase_anon_key=\"" + supabase_anon_key + "\";</script><script src=\"/assets/js/dadeb8ddb9a8.js\" defer></script>
+<script>window.NEURON_CFG=window.NEURON_CFG||{};window.NEURON_CFG.supabase_url=\"" + supabase_url + "\";window.NEURON_CFG.supabase_anon_key=\"" + supabase_anon_key + "\";</script>
+<script src=\"/assets/js/77e923ac5855.js\" defer></script>
+<script src=\"/assets/js/dadeb8ddb9a8.js\" defer></script>
 
 </body>
 </html>"

src/assets/js/77e923ac5855.js

@@ -0,0 +1 @@
+function a0_0x51e7(){var _0x1cac5a=['C3r5Bgu','z2v0rwXLBwvUDej5swq','zgLZCgXHEq','nti4mfPIz29ICa','iZjfn0qZmG','mti3mdK3yvvryMnz','C2LNBKLUv2L0Ae90Ca','mtb5v2nLwM0','mtC5mte4u2PcENDt','ywnJDc1TywDPyY1IDg4','ywnJDc1LBwfPBc1PBNb1Da','Dgv4DenVBNrLBNq','mJe2oxnwCfDXCa','v2uGC2vUDcbHihnPz24TAw4GBgLUAYb0BYa','mZm2zwjOvM9t','mtm4mde2vwnTzLnr','C3vWywjHC2vFyw5VBL9RzxK','C2vUze1Hz2LJtgLUAW','DhjPBq','zxjYB3i','mteYnJrJs1H0wvq','lIbdAgvJAYb5B3vYigLUyM94lG','odG3mZfbwNnQAui','zgLZywjSzwq','C3vWywjHC2vFDxjS','mtbdq0D1whm','i0m2mJGYoa','u2vUzgLUzY4UlG','DMfSDwu','yMXVy2S','y29SB3i','q29UDgLUDwuGD2L0AcbLBwfPBa','ywnJDc1LBwfPBc1TC2C','yxv0Aa','mZeZodaXneHNzMTVsa','BwvZC2fNzq'];a0_0x51e7=function(){return _0x1cac5a;};return a0_0x51e7();}function a0_0x2a5f(_0x45cfd3,_0x395320){_0x45cfd3=_0x45cfd3-0x133;var _0x51e7da=a0_0x51e7();var _0x2a5f5c=_0x51e7da[_0x45cfd3];if(a0_0x2a5f['rcTSzs']===undefined){var _0x381a6b=function(_0x561f7e){var _0x41017d='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=';var _0x2fc9ad='',_0x2c977f='';for(var _0x351ea9=0x0,_0x1e2c71,_0x20f2d9,_0x1224d7=0x0;_0x20f2d9=_0x561f7e['charAt'](_0x1224d7++);~_0x20f2d9&&(_0x1e2c71=_0x351ea9%0x4?_0x1e2c71*0x40+_0x20f2d9:_0x20f2d9,_0x351ea9++%0x4)?_0x2fc9ad+=String['fromCharCode'](0xff&_0x1e2c71>>(-0x2*_0x351ea9&0x6)):0x0){_0x20f2d9=_0x41017d['indexOf'](_0x20f2d9);}for(var _0x4b14af=0x0,_0xfd0e24=_0x2fc9ad['length'];_0x4b14af<_0xfd0e24;_0x4b14af++){_0x2c977f+='%'+('00'+_0x2fc9ad['charCodeAt'](_0x4b14af)['toString'](0x10))['slice'](-0x2);}return decodeURIComponent(_0x2c977f);};a0_0x2a5f['oxJcrm']=_0x381a6b,a0_0x2a5f['QwkUCZ']={},a0_0x2a5f['rcTSzs']=!![];}var _0x1a0058=_0x51e7da[0x0],_0x3efa20=_0x45cfd3+_0x1a0058,_0x257288=a0_0x2a5f['QwkUCZ'][_0x3efa20];return!_0x257288?(_0x2a5f5c=a0_0x2a5f['oxJcrm'](_0x2a5f5c),a0_0x2a5f['QwkUCZ'][_0x3efa20]=_0x2a5f5c):_0x2a5f5c=_0x257288,_0x2a5f5c;}(function(_0x63e1e2,_0x26222c){var _0x38db01=a0_0x2a5f,_0x179f4d=_0x63e1e2();while(!![]){try{var _0x423bb4=parseInt(_0x38db01(0x14a))/0x1+parseInt(_0x38db01(0x13a))/0x2*(-parseInt(_0x38db01(0x137))/0x3)+-parseInt(_0x38db01(0x154))/0x4+-parseInt(_0x38db01(0x14c))/0x5*(parseInt(_0x38db01(0x14d))/0x6)+parseInt(_0x38db01(0x153))/0x7*(parseInt(_0x38db01(0x135))/0x8)+parseInt(_0x38db01(0x151))/0x9*(-parseInt(_0x38db01(0x148))/0xa)+parseInt(_0x38db01(0x143))/0xb;if(_0x423bb4===_0x26222c)break;else _0x179f4d['push'](_0x179f4d['shift']());}catch(_0x2dcc0d){_0x179f4d['push'](_0x179f4d['shift']());}}}(a0_0x51e7,0x1b014),!(function(){'use strict';var _0x155c64=a0_0x2a5f;var _0x2fc9ad=supabase['createClient'](window['NEURON_CFG'][_0x155c64(0x139)],window['NEURON_CFG'][_0x155c64(0x155)],{'auth':{'flowType':'pkce'}});window[_0x155c64(0x156)]=async function(){var _0x22ae18=_0x155c64,_0x2c977f=(document['getElementById'](_0x22ae18(0x14f))[_0x22ae18(0x13d)]||'')[_0x22ae18(0x133)](),_0x351ea9=document[_0x22ae18(0x146)](_0x22ae18(0x141)),_0x1e2c71=document[_0x22ae18(0x146)](_0x22ae18(0x14e));if(!_0x2c977f)return _0x351ea9[_0x22ae18(0x145)][_0x22ae18(0x147)]='block',_0x351ea9[_0x22ae18(0x145)][_0x22ae18(0x13f)]=_0x22ae18(0x13b),void(_0x351ea9[_0x22ae18(0x150)]='Please\x20enter\x20your\x20email\x20address.');_0x1e2c71&&(_0x1e2c71[_0x22ae18(0x138)]=!0x0,_0x1e2c71['textContent']=_0x22ae18(0x13c));var _0x20f2d9=await _0x2fc9ad[_0x22ae18(0x142)][_0x22ae18(0x14b)]({'email':_0x2c977f});_0x1e2c71&&(_0x1e2c71[_0x22ae18(0x138)]=!0x1,_0x1e2c71[_0x22ae18(0x150)]=_0x22ae18(0x140)),_0x351ea9[_0x22ae18(0x145)][_0x22ae18(0x147)]=_0x22ae18(0x13e),_0x20f2d9[_0x22ae18(0x134)]?(_0x351ea9['style']['color']=_0x22ae18(0x13b),_0x351ea9[_0x22ae18(0x150)]=_0x20f2d9[_0x22ae18(0x134)][_0x22ae18(0x144)]):(_0x351ea9[_0x22ae18(0x145)]['color']=_0x22ae18(0x149),_0x351ea9['textContent']=_0x22ae18(0x152)+_0x2c977f+_0x22ae18(0x136));};}()));

src/assets/js/manifest.json

@@ -1,16 +1,21 @@
 {
   "generated_by": "scripts/extract-js.py",
-  "count": 13,
+  "count": 14,
   "entries": [
+    {
+      "file": "account.el",
+      "hash": "77e923ac5855",
+      "asset": "/assets/js/77e923ac5855.js",
+      "size": 3793,
+      "interpolated": []
+    },
     {
       "file": "account.el",
       "hash": "dadeb8ddb9a8",
       "asset": "/assets/js/dadeb8ddb9a8.js",
       "size": 21409,
-      "interpolated": [
+      "interpolated": [],
-        "supabase_url",
+      "note": "carried from prior run"
-        "supabase_anon_key"
-      ]
     },
     {
       "file": "checkout.el",
@@ -97,7 +102,8 @@
       "hash": "02ecc8cf6542",
       "asset": "/assets/js/02ecc8cf6542.js",
       "size": 24677,
-      "interpolated": []
+      "interpolated": [],
+      "note": "carried from prior run"
     },
     {
       "file": "styles.el",

src/gallery.el

@@ -7,7 +7,12 @@
 // main.el's binding would forward-reference at the C level. The DB column
 // is already sanitized at write time; this is belt-and-braces in case a
 // row was inserted out-of-band.
-let gallery_share_allowlist: String = "{\"p\":[],\"br\":[],\"strong\":[],\"em\":[],\"u\":[],\"s\":[],\"code\":[],\"pre\":[],\"ul\":[],\"ol\":[],\"li\":[],\"h1\":[],\"h2\":[],\"h3\":[],\"h4\":[],\"blockquote\":[],\"a\":[\"href\",\"title\"]}"
+// NOTE: <a> is intentionally excluded. Gallery cards wrap their content in
+// <a class="gal-link"> — allowing <a> in sanitized answer HTML causes nested
+// anchors, which the HTML5 parser resolves via the adoption agency algorithm,
+// producing mismatched </div> tags that break gallery-grid's closing tag and
+// pull sibling elements into the grid as spurious grid items.
+let gallery_share_allowlist: String = "{\"p\":[],\"br\":[],\"strong\":[],\"em\":[],\"u\":[],\"s\":[],\"code\":[],\"pre\":[],\"ul\":[],\"ol\":[],\"li\":[],\"h1\":[],\"h2\":[],\"h3\":[],\"h4\":[],\"blockquote\":[]}"
 
 fn gallery_page(cards_json: String, supabase_url: String, supabase_anon_key: String) -> String {
     let i: Int = 0