Allow Google Analytics and Ads domains in CSP

Add to connect-src: analytics.google.com, www.google.com,
www.googletagmanager.com — required for GA event beacons and
Google Ads conversion/remarketing collect endpoints.

Add to script-src: googleads.g.doubleclick.net — required for
Google Ads conversion tag script injection via GTM.

dist/page_css.c

@@ -1764,6 +1764,7 @@ el_val_t page_css(void) {
         "\n"
         "    #neuron-demo-input-row {\n"
         "      display: flex;\n"
+        "      align-items: flex-end;\n"
         "      border-top: 1px solid var(--border);\n"
         "      flex-shrink: 0;\n"
         "    }\n"
@@ -1771,11 +1772,16 @@ el_val_t page_css(void) {
         "      flex: 1;\n"
         "      font-family: var(--body);\n"
         "      font-size: 0.875rem;\n"
+        "      line-height: 1.5;\n"
         "      color: var(--t1);\n"
         "      background: var(--bg);\n"
         "      border: none;\n"
         "      outline: none;\n"
         "      padding: 0.875rem 1rem;\n"
+        "      resize: none;\n"
+        "      overflow: hidden;\n"
+        "      min-height: 2.75rem;\n"
+        "      max-height: 7.5rem;\n"
         "    }\n"
         "    #neuron-demo-text::placeholder { color: var(--t3); }\n"
         "    #neuron-demo-send {\n"

dist/web_stubs.c

@@ -237,6 +237,55 @@ el_val_t supabase_admin_invite(el_val_t project_url, el_val_t service_key, el_va
     return http_post_with_headers(EL_STR(url), body_json, headers);
 }
 
+/*
+ * supabase_admin_update_user — PUT {project_url}/auth/v1/admin/users/{user_id}
+ * with the service-role key to overwrite a user's user_metadata (and any other
+ * top-level fields in body_json).  Unlike /auth/v1/invite, this always writes
+ * the supplied data even when the user already exists.
+ *
+ * body_json example:
+ *   {"user_metadata":{"plan":"founding","stripe_customer_id":"cus_xxx","name":"..."}}
+ *
+ * Returns the raw JSON response from Supabase (includes the updated user object).
+ * Returns "" on transport error.
+ *
+ * Used by the Stripe webhook after supabase_admin_invite to guarantee the
+ * plan is stamped correctly regardless of whether the account was created
+ * before or after payment.
+ */
+el_val_t supabase_admin_update_user(el_val_t project_url, el_val_t service_key,
+                                    el_val_t user_id, el_val_t body_json) {
+    CURL *c = curl_easy_init();
+    if (!c) return EL_STR("");
+    char url[1024];
+    snprintf(url, sizeof(url), "%s/auth/v1/admin/users/%s",
+             EL_CSTR(project_url), EL_CSTR(user_id));
+    char auth_hdr[2048];
+    snprintf(auth_hdr, sizeof(auth_hdr), "Authorization: Bearer %s", EL_CSTR(service_key));
+    char api_hdr[2048];
+    snprintf(api_hdr,  sizeof(api_hdr),  "apikey: %s", EL_CSTR(service_key));
+    struct curl_slist *hdrs = NULL;
+    hdrs = curl_slist_append(hdrs, auth_hdr);
+    hdrs = curl_slist_append(hdrs, api_hdr);
+    hdrs = curl_slist_append(hdrs, "Content-Type: application/json");
+    hdrs = curl_slist_append(hdrs, "Accept: application/json");
+    _stub_resp_t r = {0};
+    curl_easy_setopt(c, CURLOPT_URL, url);
+    curl_easy_setopt(c, CURLOPT_CUSTOMREQUEST, "PUT");
+    curl_easy_setopt(c, CURLOPT_POSTFIELDS, EL_CSTR(body_json));
+    curl_easy_setopt(c, CURLOPT_HTTPHEADER, hdrs);
+    curl_easy_setopt(c, CURLOPT_FOLLOWLOCATION, 1L);
+    curl_easy_setopt(c, CURLOPT_TIMEOUT, 60L);
+    curl_easy_setopt(c, CURLOPT_WRITEFUNCTION, _stub_write);
+    curl_easy_setopt(c, CURLOPT_WRITEDATA, &r);
+    CURLcode rc = curl_easy_perform(c);
+    curl_easy_cleanup(c);
+    curl_slist_free_all(hdrs);
+    if (rc != CURLE_OK) { free(r.buf); return EL_STR(""); }
+    if (!r.buf) return EL_STR("");
+    return EL_STR(r.buf);
+}
+
 /*
  * gcs_get_token — fetch an OAuth2 bearer token.
  *

src/about.el

@@ -8,41 +8,41 @@
 from nav import { nav }
 
 fn about_page() -> String {
-    return {nav()}
+    return nav() + "
 
-<main id="about" style="padding: clamp(7rem, 18vh, 11rem) 2.5rem clamp(5rem, 12vh, 8rem);">
-  <div style="max-width: 700px; margin: 0 auto;">
+<main id=\"about\" style=\"padding: clamp(7rem, 18vh, 11rem) 2.5rem clamp(5rem, 12vh, 8rem);\">
+  <div style=\"max-width: 700px; margin: 0 auto;\">
 
-    <p class="label animate-up-1" style="margin-bottom: 2rem;">About</p>
-    <h1 class="display-lg animate-up-2" style="margin-bottom: 2.5rem; max-width: 22rem;">
+    <p class=\"label animate-up-1\" style=\"margin-bottom: 2rem;\">About</p>
+    <h1 class=\"display-lg animate-up-2\" style=\"margin-bottom: 2.5rem; max-width: 22rem;\">
       Hi. I&#39;m Will.
     </h1>
-    <div class="navy-line-left animate-up-3" style="width: 4rem; margin-bottom: 3rem;"></div>
+    <div class=\"navy-line-left animate-up-3\" style=\"width: 4rem; margin-bottom: 3rem;\"></div>
 
     <!-- Photo + opening -->
-    <div class="reveal" style="display: flex; align-items: flex-start; gap: 2.5rem; margin-bottom: 3rem; flex-wrap: wrap;">
-      <img src="/assets/will.png" alt="Will Anderson" style="width: 160px; height: 160px; border-radius: 50%; object-fit: cover; flex-shrink: 0;">
-      <div style="flex: 1; min-width: 260px;">
-        <p style="font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9; margin-bottom: 1.5rem;">
+    <div class=\"reveal\" style=\"display: flex; align-items: flex-start; gap: 2.5rem; margin-bottom: 3rem; flex-wrap: wrap;\">
+      <img src=\"/assets/will.png\" alt=\"Will Anderson\" style=\"width: 160px; height: 160px; border-radius: 50%; object-fit: cover; flex-shrink: 0;\">
+      <div style=\"flex: 1; min-width: 260px;\">
+        <p style=\"font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9; margin-bottom: 1.5rem;\">
           I grew up in Fort Smith, Arkansas, in the kind of instability where home is a moving target - roughly thirty addresses before I was fifteen, parents struggling with addiction, the material precarity that comes with all of that. I left home at fifteen, stayed with friends until I finished high school, found my way to college. At fourteen I&#39;d already found software, writing C++ at the public library because it was the first thing in my life that responded to precision with correctness, and that property turned out to matter more to me than almost anything else.
         </p>
       </div>
     </div>
 
     <!-- Career -->
-    <div class="reveal" style="margin-bottom: 3rem;">
-      <p style="font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9; margin-bottom: 1.5rem;">
+    <div class=\"reveal\" style=\"margin-bottom: 3rem;\">
+      <p style=\"font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9; margin-bottom: 1.5rem;\">
         I dropped out of college, worked, went back as an adult to finish my degree, and built my skills across nearly twenty years and every kind of organization - international consulting, early-stage startups, Fortune 5 enterprises. Logistics, retail, entertainment, hospitality, industrial automation, insurance, healthcare, financial services. I trained under Juval L&#246;wy at IDesign and worked with him as a consultant from 2015 to 2021, which is where I learned what it actually means to practice software engineering as a discipline rather than an improvisation.
       </p>
     </div>
 
     <!-- Blockquote -->
-    <blockquote class="reveal" style="
+    <blockquote class=\"reveal\" style=\"
       border-left: 3px solid var(--navy);
       padding: 0.5rem 0 0.5rem 2rem;
       margin: 0 0 3rem;
-    ">
-      <p style="
+    \">
+      <p style=\"
         font-family: var(--head);
         font-size: clamp(1.4rem, 3vw, 2rem);
         font-weight: 500;
@@ -50,42 +50,42 @@ fn about_page() -> String {
         color: var(--t1);
         line-height: 1.35;
         letter-spacing: -0.01em;
-      ">
+      \">
         Software shouldn&#39;t be hard. The complexity should live in the problem domain - not in the tools and processes we impose on ourselves.
       </p>
     </blockquote>
 
     <!-- What I saw -->
-    <div class="reveal" style="margin-bottom: 3rem;">
-      <p class="label" style="margin-bottom: 1.25rem;">What I saw</p>
-      <p style="font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9; margin-bottom: 1.5rem;">
+    <div class=\"reveal\" style=\"margin-bottom: 3rem;\">
+      <p class=\"label\" style=\"margin-bottom: 1.25rem;\">What I saw</p>
+      <p style=\"font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9; margin-bottom: 1.5rem;\">
         Across nearly twenty years I watched software get built at organizations with real stakes and real consequences, and I watched AI go from promise to product - watched the same mistake get made at each iteration: tools built to serve the organization&#39;s needs, not the person&#39;s. Engagement over relationship. Features over memory. Policies where values should be. The fundamental premise that you are a user, not a person, has been so thoroughly baked into the architecture of every major AI system that it doesn&#39;t register as a choice anymore. It&#39;s treated as the natural condition of the technology.
       </p>
-      <p style="font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9;">
+      <p style=\"font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9;\">
         It is not. It is a design decision. And it is the wrong one.
       </p>
     </div>
 
-    <div class="navy-line-center reveal" style="margin-bottom: 3rem;"></div>
+    <div class=\"navy-line-center reveal\" style=\"margin-bottom: 3rem;\"></div>
 
     <!-- What I built -->
-    <div class="reveal" style="margin-bottom: 3rem;">
-      <p class="label" style="margin-bottom: 1.25rem;">What I built</p>
-      <p style="font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9; margin-bottom: 1.5rem;">
+    <div class=\"reveal\" style=\"margin-bottom: 3rem;\">
+      <p class=\"label\" style=\"margin-bottom: 1.25rem;\">What I built</p>
+      <p style=\"font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9; margin-bottom: 1.5rem;\">
         Neuron is what I built in response to that. Not a startup in the traditional sense - no team, no funding, no press release - one person, nearly two years of work, and a conviction that this can be done differently. I wrote the memory architecture, I built the inference infrastructure, because the tools that existed weren&#39;t sufficient for what I was trying to build and so I built those too.
       </p>
-      <p style="font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9;">
+      <p style=\"font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9;\">
         Use it long enough and you&#39;ll understand why I couldn&#39;t have gotten there on top of existing infrastructure. Some things have to be built from the ground up to be built right.
       </p>
     </div>
 
     <!-- What I believe -->
-    <div class="reveal" style="margin-bottom: 3.5rem;">
-      <p class="label" style="margin-bottom: 1.25rem;">What I believe</p>
-      <p style="font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9; margin-bottom: 1.5rem;">
+    <div class=\"reveal\" style=\"margin-bottom: 3.5rem;\">
+      <p class=\"label\" style=\"margin-bottom: 1.25rem;\">What I believe</p>
+      <p style=\"font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9; margin-bottom: 1.5rem;\">
         AI has genuine potential to free people to do work that actually matters to them - not to create engagement loops, not to harvest attention, but to actually serve the person sitting in front of it. That potential is almost entirely unrealized, not because the technology isn&#39;t capable, but because the incentives that shaped it were never oriented toward the person.
       </p>
-      <p style="
+      <p style=\"
         font-family: var(--head);
         font-size: clamp(1.2rem, 2.5vw, 1.625rem);
         font-weight: 600;
@@ -93,22 +93,22 @@ fn about_page() -> String {
         line-height: 1.35;
         letter-spacing: -0.01em;
         margin-bottom: 1.5rem;
-      ">
+      \">
         Build AI that earns the trust it&#39;s given.
       </p>
-      <p style="font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9;">
+      <p style=\"font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9;\">
         I don&#39;t know if Neuron will work at the scale I&#39;m imagining. But I know it&#39;s worth finding out, and I know I&#39;m not going back to the other way of building things.
       </p>
     </div>
 
-    <div class="navy-line-center reveal" style="margin-bottom: 3rem;"></div>
+    <div class=\"navy-line-center reveal\" style=\"margin-bottom: 3rem;\"></div>
 
     <!-- CTA -->
-    <div class="reveal">
-      <p style="font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9; margin-bottom: 1.5rem;">
+    <div class=\"reveal\">
+      <p style=\"font-family: var(--body); font-weight: 300; font-size: clamp(0.9rem, 1.5vw, 1.0625rem); color: var(--t2); line-height: 1.9; margin-bottom: 1.5rem;\">
         Neuron opens to founding members on May 1st. 1,000 spots. That&#39;s how it starts.
       </p>
-      <a href="/#pricing" class="btn-primary">
+      <a href=\"/#pricing\" class=\"btn-primary\">
         Join as a founding member &#8594;
       </a>
     </div>
@@ -116,34 +116,35 @@ fn about_page() -> String {
   </div>
 </main>
 
-<footer id="footer" aria-label="Footer">
-  <div class="container">
-    <div class="footer-inner">
+<footer id=\"footer\" aria-label=\"Footer\">
+  <div class=\"container\">
+    <div class=\"footer-inner\">
 
-      <a href="/" class="footer-brand" aria-label="Neuron home" style="display:flex;flex-direction:column;align-items:center;">
-        <img src="/assets/brand/neuron-wordmark-on-light.png" srcset="/assets/brand/neuron-wordmark-on-light@2x.png 2x" alt="Neuron" height="24" style="display:block;margin-bottom:0.35rem;">
-        <p class="footer-brand-tagline">Built Different.</p>
+      <a href=\"/\" class=\"footer-brand\" aria-label=\"Neuron home\" style=\"display:flex;flex-direction:column;align-items:center;\">
+        <img src=\"/assets/brand/neuron-wordmark-on-light.png\" srcset=\"/assets/brand/neuron-wordmark-on-light@2x.png 2x\" alt=\"Neuron\" height=\"24\" style=\"display:block;margin-bottom:0.35rem;\">
+        <p class=\"footer-brand-tagline\">Built Different.</p>
       </a>
 
-      <div class="footer-center">
-        <div class="navy-line"></div>
+      <div class=\"footer-center\">
+        <div class=\"navy-line\"></div>
       </div>
 
-      <div class="footer-right">
-        <p class="footer-domain">neurontechnologies.ai</p>
-        <nav class="footer-nav" aria-label="Footer navigation">
-          <a href="/legal/terms">Terms</a>
-          <a href="/legal/enterprise-terms">Enterprise Agreement</a>
-          <a href="mailto:legal@neurontechnologies.ai">Contact</a>
+      <div class=\"footer-right\">
+        <p class=\"footer-domain\">neurontechnologies.ai</p>
+        <nav class=\"footer-nav\" aria-label=\"Footer navigation\">
+          <a href=\"/legal/terms\">Terms</a>
+          <a href=\"/legal/enterprise-terms\">Enterprise Agreement</a>
+          <a href=\"mailto:legal@neurontechnologies.ai\">Contact</a>
         </nav>
       </div>
 
     </div>
 
-    <div class="footer-bottom">
-      <p class="footer-copy">&copy; 2026 Neuron, LLC. All rights reserved.</p>
-      <p class="footer-tagline-bottom">Your memory. Your AI.</p>
+    <div class=\"footer-bottom\">
+      <p class=\"footer-copy\">&copy; 2026 Neuron, LLC. All rights reserved.</p>
+      <p class=\"footer-tagline-bottom\">Your memory. Your AI.</p>
     </div>
   </div>
 </footer>
+"
 }

src/account.el

@@ -5,7 +5,7 @@ from founding_badge import { founding_badge, founding_badge_css }
 
 extern fn el_html_doc(lang: String, head: String, body: String) -> String
 extern fn el_meta_charset(charset: String) -> String
-extern fn el_meta(attrs: String) -> String
+extern fn el_meta(name: String, content: String) -> String
 extern fn el_title(text: String) -> String
 extern fn el_link_stylesheet(href: String) -> String
 extern fn el_script_src(src: String, defer_load: Bool) -> String
@@ -13,7 +13,7 @@ extern fn el_script_inline(code: String) -> String
 extern fn el_nav(attrs: String, children: String) -> String
 extern fn el_div(attrs: String, children: String) -> String
 extern fn el_a(href: String, attrs: String, children: String) -> String
-extern fn el_img(attrs: String) -> String
+extern fn el_img(src: String, alt: String, attrs: String) -> String
 extern fn el_p(attrs: String, children: String) -> String
 extern fn el_h1(attrs: String, text: String) -> String
 extern fn el_button(attrs: String, label: String) -> String
@@ -520,7 +520,7 @@ fn account_css() -> String {
 }
 
 fn account_nav() -> String {
-    let logo_img: String = el_img("src=\"/assets/brand/neuron-wordmark-on-light.png\" srcset=\"/assets/brand/neuron-wordmark-on-light@2x.png 2x\" alt=\"Neuron\" height=\"28\"")
+    let logo_img: String = el_img("/assets/brand/neuron-wordmark-on-light.png", "Neuron", "srcset=\"/assets/brand/neuron-wordmark-on-light@2x.png 2x\" height=\"28\"")
     el_nav(
         "id=\"nav\"",
         el_div(
@@ -818,7 +818,7 @@ fn account_devices_card() -> String {
             el_div("class=\"device-icon\"", account_signin_svg_device()) +
             el_div(
                 "",
-                el_p("class=\"devices-count\"", "2 devices included with your plan") +
+                el_p("class=\"devices-count\" id=\"devices-count-el\"", "") +
                 el_p("class=\"devices-sub\"", "Currently: Setup at launch")
             )
         ) +
@@ -965,9 +965,9 @@ fn account_dashboard_section() -> String {
 fn account_page(supabase_url: String, supabase_anon_key: String) -> String {
     let head: String =
         el_meta_charset("UTF-8") +
-        el_meta("name=\"viewport\" content=\"width=device-width, initial-scale=1.0\"") +
+        el_meta("viewport", "width=device-width, initial-scale=1.0") +
         el_title("My Account - Neuron") +
-        el_meta("name=\"description\" content=\"Manage your Neuron account, view your plan, and access your founding member details.\"") +
+        el_meta("description", "Manage your Neuron account, view your plan, and access your founding member details.") +
         "<link rel=\"icon\" type=\"image/png\" sizes=\"16x16\" href=\"/assets/favicon-16.png\">" +
         "<link rel=\"icon\" type=\"image/png\" sizes=\"32x32\" href=\"/assets/favicon-32.png\">" +
         "<link rel=\"preconnect\" href=\"https://fonts.googleapis.com\">" +

src/checkout.el

@@ -341,7 +341,7 @@ fn checkout_page(plan: String, pub_key: String) -> String {
     let stripe_el_script: String = el_script_src("/js/checkout-stripe.js", true)
     let free_init_script: String = ""
 
-    return nav_html + main_html + supabase_script + stripe_script + style_html + auth_script + cfg_script + stripe_el_script + free_init_script
+    return nav_html + main_html + supabase_script + stripe_script + style_html + stripe_el_script + cfg_script + auth_script + free_init_script
 }
 
 fn checkout_style_html() -> String {

src/js/account-auth.el

@@ -11,7 +11,7 @@ fn main() -> Void {
   'use strict';
   var cfg = window.NEURON_CFG || {};
   var sb = supabase.createClient(cfg.supabase_url, cfg.supabase_anon_key, {
-    auth: { flowType: 'pkce' }
+    auth: { flowType: 'implicit' }
   });
 
   window.sendMagicLink = async function() {
@@ -25,7 +25,10 @@ fn main() -> Void {
       return;
     }
     if (btn) { btn.disabled = true; btn.textContent = 'Sending...'; }
-    var result = await sb.auth.signInWithOtp({ email: email });
+    var result = await sb.auth.signInWithOtp({
+      email: email,
+      options: { emailRedirectTo: window.location.origin + '/account' }
+    });
     if (btn) { btn.disabled = false; btn.textContent = 'Continue with email'; }
     msgEl.style.display = 'block';
     if (result.error) {

src/js/account-dashboard.el

@@ -103,6 +103,13 @@ fn main() -> Void {
     }
     setHtml('plan-billing-note-el', billingNote);
 
+    var devicesEl = document.getElementById('devices-count-el');
+    if (devicesEl) {
+      var deviceText = '2 devices included with your plan';
+      if (plan === 'free') { deviceText = '1 device included with your plan'; }
+      devicesEl.textContent = deviceText;
+    }
+
     var meta = '';
     if (createdAt) {
       var d = new Date(createdAt);

src/js/chat-widget.el

@@ -497,6 +497,7 @@ fn main() -> Void {
       return;
     }
     input.value = '';
+    input.style.height = 'auto';
     btn.disabled = true;
     addMsg('user', msg);
 
@@ -617,6 +618,10 @@ fn main() -> Void {
     inp.addEventListener('keydown', function(e) {
       if (e.key === 'Enter' && !e.shiftKey) { e.preventDefault(); window.neuronDemoSend(); }
     });
+    inp.addEventListener('input', function() {
+      this.style.height = 'auto';
+      this.style.height = Math.min(this.scrollHeight, 120) + 'px';
+    });
   }
 })()")
 }

src/main.el

@@ -415,8 +415,10 @@ fn waitlist_upsert(email: String, name: String, plan: String, source: String, at
     let ua_safe: String = str_replace(str_replace(user_agent,  "\\", "\\\\"), "\"", "\\\"")
     let num_field: String = if member_num > 0 { ",\"member_number\":" + int_to_str(member_num) } else { "" }
     let row: String = "{\"email\":\"" + e_safe + "\",\"name\":\"" + n_safe + "\",\"plan\":\"" + plan + "\",\"source\":\"" + source + "\",\"attestation\":\"" + a_safe + "\",\"user_agent\":\"" + ua_safe + "\"" + num_field + "}"
-    let resp: String = supabase_insert(sb_url, sb_key, "waitlist", row)
-    println("[waitlist] supabase insert -> " + resp)
+    // Use on_conflict=email,plan so existing rows are updated (upsert)
+    // rather than silently failing on duplicate key.
+    let resp: String = supabase_insert(sb_url, sb_key, "waitlist?on_conflict=email,plan", row)
+    println("[waitlist] supabase upsert -> " + resp)
     return ""
 }
 
@@ -684,7 +686,7 @@ fn handle_request_inner(method: String, path: String, headers: Map, body: String
         if !str_eq(pi_email, "") {
             let pi_email_enc: String = str_replace(str_replace(pi_email, "@", "%40"), "+", "%2B")
             let pi_search_url: String = "https://api.stripe.com/v1/customers/search?query=email%3A%22" + pi_email_enc + "%22&limit=1"
-            let pi_search: String = http_get_auth(pi_search_url, auth_header)
+            let pi_search: String = http_get_auth(pi_search_url, stripe_key)
             let pi_cus_id = json_get_string(pi_search, "id")
             if str_eq(pi_cus_id, "") {
                 let pi_name_enc: String = str_replace(pi_name, " ", "%20")
@@ -697,21 +699,24 @@ fn handle_request_inner(method: String, path: String, headers: Map, body: String
             }
         }
 
-        // Free tier: $0 PaymentIntent for age verification (18+ requirement).
-        // Verifies card is valid. No charge, no capture.
-        // Note: setup_future_usage cannot be used with amount=0.
+        // Free tier: SetupIntent for age verification (18+ requirement).
+        // Verifies card is valid and saves it. No charge, no capture.
+        // $0 PaymentIntents are rejected by Stripe; SetupIntent is the correct tool.
         if str_eq(plan, "free") {
-            let free_pi_body: String = "amount=0"
-                + "&currency=usd"
-                + "&payment_method_types[]=card"
+            let si_body: String = "automatic_payment_methods[enabled]=true"
+                + "&usage=off_session"
                 + "&metadata[plan]=free"
                 + "&metadata[purpose]=age_verification"
-            let free_pi_body = if !str_eq(pi_cus_id, "") { free_pi_body + "&customer=" + pi_cus_id } else { free_pi_body }
-            let free_pi_resp: String = http_post_form_auth(
-                "https://api.stripe.com/v1/payment_intents",
-                free_pi_body,
+            let si_body = if !str_eq(pi_cus_id, "") { si_body + "&customer=" + pi_cus_id } else { si_body }
+            let si_resp: String = http_post_form_auth(
+                "https://api.stripe.com/v1/setup_intents",
+                si_body,
                 auth_header)
-            return free_pi_resp
+            if str_starts_with(si_resp, "{") {
+                let inner: String = str_slice(si_resp, 1, str_len(si_resp))
+                return "{\"setup_mode\":true,\"plan\":\"free\"," + inner
+            }
+            return si_resp
         }
 
         // Setup-mode path: save payment method, do not charge. Only valid
@@ -782,7 +787,7 @@ fn handle_request_inner(method: String, path: String, headers: Map, body: String
 
         // 1. Search existing customers by email
         let lc_search_url: String = "https://api.stripe.com/v1/customers/search?query=email%3A%22" + lc_email_enc + "%22&limit=1"
-        let lc_search:     String = http_get_auth(lc_search_url, lc_auth)
+        let lc_search:     String = http_get_auth(lc_search_url, stripe_key)
         let lc_cus_id:     String = json_get_string(lc_search, "id")
 
         // 2. If none, create one. We always include supabase_user_id so the
@@ -1114,13 +1119,16 @@ fn handle_request_inner(method: String, path: String, headers: Map, body: String
         }
         let attest_name:  String = json_get(body, "name")
         let attest_email: String = json_get(body, "email")
-        let attest_plan:  String = json_get(body, "plan")
         let attest_ts:    String = json_get(body, "timestamp")
         let attest_text:  String = json_get(body, "attestation")
         let attest_ua:    String = json_get(body, "user_agent")
         if str_eq(attest_email, "") {
             return "{\"error\":\"email required\"}"
         }
+        // Founding membership now requires $199 Stripe payment — the attestation
+        // form is a waitlist-only path. Server enforces this regardless of what
+        // the client submits as plan to prevent bypassing payment.
+        let attest_plan: String = "waitlist"
         let n_safe: String = str_replace(str_replace(attest_name, "\\", "\\\\"), "\"", "\\\"")
         let e_safe: String = str_replace(str_replace(attest_email, "\\", "\\\\"), "\"", "\\\"")
         let t_safe: String = str_replace(str_replace(attest_text, "\\", "\\\\"), "\"", "\\\"")
@@ -1548,13 +1556,20 @@ fn handle_request_inner(method: String, path: String, headers: Map, body: String
 
         if is_session_done || is_pi_done || is_si_done {
             // Pull email/name/customer_id - fields differ slightly across event
-            // types, walk a few candidates.
+            // types. Walk several candidates:
+            //   receipt_email           - PaymentIntent (founding one-time)
+            //   data.object.*           - full dot-path for checkout.session.completed (subscription)
+            //   customer_details.email  - substring fallback if nested key appears at any level
+            //   billing_details.email   - Elements payment intents
             let customer_email: String = json_get(body, "receipt_email")
+            if str_eq(customer_email, "") { let customer_email = json_get(body, "data.object.customer_details.email") }
             if str_eq(customer_email, "") { let customer_email = json_get(body, "customer_details.email") }
             if str_eq(customer_email, "") { let customer_email = json_get(body, "billing_details.email") }
-            let customer_name: String = json_get(body, "customer_details.name")
+            let customer_name: String = json_get(body, "data.object.customer_details.name")
+            if str_eq(customer_name, "") { let customer_name = json_get(body, "customer_details.name") }
             if str_eq(customer_name, "") { let customer_name = json_get(body, "billing_details.name") }
-            let customer_id: String = json_get(body, "customer")
+            let customer_id: String = json_get(body, "data.object.customer")
+            if str_eq(customer_id, "") { let customer_id = json_get(body, "customer") }
 
             // Plan inference from metadata
             let plan: String = "free"
@@ -1613,6 +1628,19 @@ fn handle_request_inner(method: String, path: String, headers: Map, body: String
                         let _cust_resp: String  = http_post_form_auth(cust_url, cust_body, stripe_auth)
                     }
                 }
+                // Always stamp user_metadata directly via Admin API.
+                // supabase_admin_invite re-sends a magic link for existing users
+                // but does NOT update their user_metadata — so plan stays "free"
+                // for anyone who signed up (attestation, waitlist) before paying.
+                // This PUT is idempotent: safe for both new and returning users.
+                if !str_eq(new_user_id, "") {
+                    let meta_body: String = "{\"user_metadata\":{\"plan\":\"" + plan_safe + "\""
+                        + ",\"name\":\"" + name_safe + "\""
+                        + ",\"stripe_customer_id\":\"" + cid_safe2 + "\""
+                        + ",\"email_verified\":true}}"
+                    let _meta_resp: String = supabase_admin_update_user(wb_sb_url, wb_sb_key, new_user_id, meta_body)
+                    println("[webhook] supabase user_metadata update for " + new_user_id + ": " + _meta_resp)
+                }
             }
 
             // 4. Forward to license API for key provisioning
@@ -2289,7 +2317,7 @@ fn sec_headers_json() -> String {
     + "\"X-Frame-Options\":\"SAMEORIGIN\","
     + "\"Referrer-Policy\":\"strict-origin-when-cross-origin\","
     + "\"Permissions-Policy\":\"geolocation=(), microphone=(), camera=()\","
-    + "\"Content-Security-Policy\":\"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://challenges.cloudflare.com https://cdn.jsdelivr.net https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; connect-src 'self' https://api.stripe.com https://*.supabase.co; img-src 'self' data: https:; font-src 'self' data:\"}"
+    + "\"Content-Security-Policy\":\"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://challenges.cloudflare.com https://cdn.jsdelivr.net https://googleads.g.doubleclick.net https://js.stripe.com https://static.cloudflareinsights.com https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-src https://challenges.cloudflare.com https://js.stripe.com; connect-src 'self' https://analytics.google.com https://api.stripe.com https://*.supabase.co https://www.google.com https://www.googletagmanager.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com\"}"
 }
 
 // Headers for compiled JS assets. Explicitly sets Content-Type so the browser
@@ -2305,7 +2333,7 @@ fn js_headers_json() -> String {
     + "\"X-Frame-Options\":\"SAMEORIGIN\","
     + "\"Referrer-Policy\":\"strict-origin-when-cross-origin\","
     + "\"Permissions-Policy\":\"geolocation=(), microphone=(), camera=()\","
-    + "\"Content-Security-Policy\":\"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://challenges.cloudflare.com https://cdn.jsdelivr.net https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; connect-src 'self' https://api.stripe.com https://*.supabase.co; img-src 'self' data: https:; font-src 'self' data:\"}"
+    + "\"Content-Security-Policy\":\"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://challenges.cloudflare.com https://cdn.jsdelivr.net https://googleads.g.doubleclick.net https://js.stripe.com https://static.cloudflareinsights.com https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-src https://challenges.cloudflare.com https://js.stripe.com; connect-src 'self' https://analytics.google.com https://api.stripe.com https://*.supabase.co https://www.google.com https://www.googletagmanager.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com\"}"
 }
 
 // Headers for static assets under /assets/ and /brand/.
@@ -2321,7 +2349,7 @@ fn static_asset_headers_json() -> String {
     + "\"X-Frame-Options\":\"SAMEORIGIN\","
     + "\"Referrer-Policy\":\"strict-origin-when-cross-origin\","
     + "\"Permissions-Policy\":\"geolocation=(), microphone=(), camera=()\","
-    + "\"Content-Security-Policy\":\"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://challenges.cloudflare.com https://cdn.jsdelivr.net https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; frame-src https://challenges.cloudflare.com; connect-src 'self' https://api.stripe.com https://*.supabase.co; img-src 'self' data: https:; font-src 'self' data:\"}"
+    + "\"Content-Security-Policy\":\"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://challenges.cloudflare.com https://cdn.jsdelivr.net https://googleads.g.doubleclick.net https://js.stripe.com https://static.cloudflareinsights.com https://www.googletagmanager.com https://www.google-analytics.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; frame-src https://challenges.cloudflare.com https://js.stripe.com; connect-src 'self' https://analytics.google.com https://api.stripe.com https://*.supabase.co https://www.google.com https://www.googletagmanager.com; img-src 'self' data: https:; font-src 'self' data: https://fonts.gstatic.com\"}"
 }
 
 fn handle_request(method: String, path: String, headers: Map, body: String) -> String {