Add /home landing page and /privacy policy page for Google OAuth compliance

src/routes/api/shifts/start/+server.ts

@@ -4,74 +4,68 @@ import { operators, shifts } from '$lib/server/db/schema';
 import { eq, and, isNull } from 'drizzle-orm';
 import { verifyPasscode, checkRateLimit, clearRateLimit, logAuthFailure, createOperatorSession, rehashIfPlaintext } from '$lib/server/auth';
 import { dev } from '$app/environment';
-import { logger } from '$lib/server/logger';
 import type { RequestHandler } from './$types';
 
 export const POST: RequestHandler = async ({ request, cookies, getClientAddress }) => {
-	try {
-		const clientIp = getClientAddress();
-		const rateCheck = await checkRateLimit(`shift-start:${clientIp}`);
-		if (!rateCheck.allowed) {
-			return json(
-				{ error: 'Too many login attempts. Try again later.' },
-				{ status: 429, headers: { 'Retry-After': String(rateCheck.retryAfterSeconds) } }
-			);
-		}
+	const clientIp = getClientAddress();
+	const rateCheck = await checkRateLimit(`shift-start:${clientIp}`);
+	if (!rateCheck.allowed) {
+		return json(
+			{ error: 'Too many login attempts. Try again later.' },
+			{ status: 429, headers: { 'Retry-After': String(rateCheck.retryAfterSeconds) } }
+		);
+	}
 
-		const { operatorId, passcode } = await request.json();
+	const { operatorId, passcode } = await request.json();
 
-		if (!operatorId || !passcode) {
-			return json({ error: 'Operator ID and passcode required' }, { status: 400 });
-		}
+	if (!operatorId || !passcode) {
+		return json({ error: 'Operator ID and passcode required' }, { status: 400 });
+	}
 
-		const [operator] = await db
-			.select()
-			.from(operators)
-			.where(and(eq(operators.id, operatorId), eq(operators.isActive, true)));
+	const [operator] = await db
+		.select()
+		.from(operators)
+		.where(and(eq(operators.id, operatorId), eq(operators.isActive, true)));
 
-		if (!operator) {
-			logAuthFailure('/api/shifts/start', String(operatorId), clientIp);
-			return json({ error: 'Invalid credentials' }, { status: 401 });
-		}
+	if (!operator) {
+		logAuthFailure('/api/shifts/start', String(operatorId), clientIp);
+		return json({ error: 'Invalid credentials' }, { status: 401 });
+	}
 
-		const valid = await verifyPasscode(passcode, operator.passcode);
-		if (!valid) {
-			logAuthFailure('/api/shifts/start', String(operatorId), clientIp);
-			return json({ error: 'Invalid credentials' }, { status: 401 });
-		}
+	const valid = await verifyPasscode(passcode, operator.passcode);
+	if (!valid) {
+		logAuthFailure('/api/shifts/start', String(operatorId), clientIp);
+		return json({ error: 'Invalid credentials' }, { status: 401 });
+	}
 
-		await clearRateLimit(`shift-start:${clientIp}`);
-		rehashIfPlaintext('operators', operatorId, operator.passcode).catch(() => {});
+	await clearRateLimit(`shift-start:${clientIp}`);
+	rehashIfPlaintext('operators', operatorId, operator.passcode).catch(() => {});
 
-		const [existingShift] = await db
-			.select()
-			.from(shifts)
-			.where(and(eq(shifts.operatorId, operatorId), isNull(shifts.endedAt)));
+	const [existingShift] = await db
+		.select()
+		.from(shifts)
+		.where(and(eq(shifts.operatorId, operatorId), isNull(shifts.endedAt)));
 
-		let shift = existingShift;
-		if (!existingShift) {
-			const [newShift] = await db
-				.insert(shifts)
-				.values({
-					operatorId
-				})
-				.returning();
-			shift = newShift;
-		}
+	let shift = existingShift;
+	if (!existingShift) {
+		const [newShift] = await db
+			.insert(shifts)
+			.values({
+				operatorId
+			})
+			.returning();
+		shift = newShift;
+	}
 
-		const sessionToken = await createOperatorSession(operatorId);
-		cookies.set('operatorSession', sessionToken, {
-			path: '/',
-			httpOnly: true,
-			sameSite: 'lax',
-			secure: !dev,
-			maxAge: 60 * 60 * 24
-		});
+	const sessionToken = await createOperatorSession(operatorId);
+	cookies.set('operatorSession', sessionToken, {
+		path: '/',
+		httpOnly: true,
+		sameSite: 'lax',
+		secure: !dev,
+		maxAge: 60 * 60 * 24
+	});
 
-		const { passcode: _, ...safeOperator } = operator;
-		return json({ operator: safeOperator, shift });
-	} catch (err) {
-		logger.error({ err, endpoint: '/api/shifts/start' }, 'shift_start_error');
-		return json({ error: String(err) }, { status: 500 });
-	}
+	const { passcode: _, ...safeOperator } = operator;
+	return json({ operator: safeOperator, shift });
 };

src/routes/home/+page.svelte

@@ -0,0 +1,86 @@
+<svelte:head>
+	<title>Rental Manager</title>
+</svelte:head>
+
+<div class="home">
+	<div class="hero">
+		<span class="material-symbols-rounded hero-icon">point_of_sale</span>
+		<h1 class="md-display-small">Rental Manager</h1>
+		<p class="md-body-large subtitle">Equipment rental and point-of-sale management</p>
+		<a href="/login" class="login-link">
+			<span class="material-symbols-rounded">login</span>
+			Go to Login
+		</a>
+	</div>
+
+	<footer class="home-footer">
+		<a href="/privacy" class="md-body-small">Privacy Policy</a>
+	</footer>
+</div>
+
+<style>
+	.home {
+		display: flex;
+		flex-direction: column;
+		min-height: 100vh;
+		background: var(--md-sys-color-surface);
+	}
+
+	.hero {
+		flex: 1;
+		display: flex;
+		flex-direction: column;
+		align-items: center;
+		justify-content: center;
+		gap: var(--md-sys-spacing-md);
+		padding: var(--md-sys-spacing-xxl);
+		text-align: center;
+	}
+
+	.hero-icon {
+		font-size: 72px;
+		color: var(--md-sys-color-primary);
+	}
+
+	h1 {
+		color: var(--md-sys-color-on-surface);
+		margin: 0;
+	}
+
+	.subtitle {
+		color: var(--md-sys-color-on-surface-variant);
+		margin: 0;
+	}
+
+	.login-link {
+		display: inline-flex;
+		align-items: center;
+		gap: var(--md-sys-spacing-sm);
+		margin-top: var(--md-sys-spacing-md);
+		padding: var(--md-sys-spacing-sm) var(--md-sys-spacing-lg);
+		background: var(--md-sys-color-primary);
+		color: var(--md-sys-color-on-primary);
+		border-radius: var(--md-sys-shape-corner-full);
+		text-decoration: none;
+		font: var(--md-sys-typescale-label-large);
+		height: 40px;
+	}
+
+	.login-link:hover {
+		box-shadow: var(--md-sys-elevation-level1);
+	}
+
+	.home-footer {
+		padding: var(--md-sys-spacing-md);
+		text-align: center;
+	}
+
+	.home-footer a {
+		color: var(--md-sys-color-on-surface-variant);
+		text-decoration: none;
+	}
+
+	.home-footer a:hover {
+		text-decoration: underline;
+	}
+</style>

src/routes/privacy/+page.svelte

@@ -0,0 +1,148 @@
+<svelte:head>
+	<title>Privacy Policy - Rental Manager</title>
+</svelte:head>
+
+<div class="privacy">
+	<div class="content">
+		<a href="/home" class="back-link md-body-medium">
+			<span class="material-symbols-rounded">arrow_back</span>
+			Back to Home
+		</a>
+
+		<h1 class="md-headline-large">Privacy Policy</h1>
+		<p class="md-body-small updated">Last updated: February 2026</p>
+
+		<section>
+			<h2 class="md-title-large">Overview</h2>
+			<p class="md-body-large">
+				Rental Manager is an internal equipment rental and point-of-sale management system.
+				This policy describes how we handle data within the application.
+			</p>
+		</section>
+
+		<section>
+			<h2 class="md-title-large">Data We Collect</h2>
+			<p class="md-body-large">
+				The application stores data necessary for rental operations, including:
+			</p>
+			<ul class="md-body-large">
+				<li>Operator names and authentication credentials</li>
+				<li>Guide names and availability status</li>
+				<li>Equipment inventory and rental records</li>
+				<li>Sales transaction records</li>
+				<li>Shift logs and operational data</li>
+			</ul>
+		</section>
+
+		<section>
+			<h2 class="md-title-large">Google API Usage</h2>
+			<p class="md-body-large">
+				This application uses Google APIs (Sheets and Drive) solely to export shift reports.
+				We only access data you explicitly authorize and do not share it with third parties.
+				Our use of Google API data adheres to the
+				<a href="https://developers.google.com/terms/api-services-user-data-policy" target="_blank" rel="noopener">
+					Google API Services User Data Policy</a>, including the Limited Use requirements.
+			</p>
+		</section>
+
+		<section>
+			<h2 class="md-title-large">Data Storage</h2>
+			<p class="md-body-large">
+				All data is stored on a secure server. We do not sell, share, or transfer data to
+				third parties beyond what is described above.
+			</p>
+		</section>
+
+		<section>
+			<h2 class="md-title-large">Contact</h2>
+			<p class="md-body-large">
+				For questions about this policy, contact the system administrator.
+			</p>
+		</section>
+	</div>
+
+	<footer class="privacy-footer">
+		<a href="/home" class="md-body-small">Home</a>
+	</footer>
+</div>
+
+<style>
+	.privacy {
+		display: flex;
+		flex-direction: column;
+		min-height: 100vh;
+		background: var(--md-sys-color-surface);
+	}
+
+	.content {
+		flex: 1;
+		max-width: 720px;
+		margin: 0 auto;
+		padding: var(--md-sys-spacing-xl) var(--md-sys-spacing-md);
+	}
+
+	.back-link {
+		display: inline-flex;
+		align-items: center;
+		gap: var(--md-sys-spacing-xs);
+		color: var(--md-sys-color-primary);
+		text-decoration: none;
+		margin-bottom: var(--md-sys-spacing-lg);
+	}
+
+	.back-link:hover {
+		text-decoration: underline;
+	}
+
+	h1 {
+		color: var(--md-sys-color-on-surface);
+		margin: 0 0 var(--md-sys-spacing-xs);
+	}
+
+	.updated {
+		color: var(--md-sys-color-on-surface-variant);
+		margin: 0 0 var(--md-sys-spacing-xl);
+	}
+
+	section {
+		margin-bottom: var(--md-sys-spacing-xl);
+	}
+
+	h2 {
+		color: var(--md-sys-color-on-surface);
+		margin: 0 0 var(--md-sys-spacing-sm);
+	}
+
+	p {
+		color: var(--md-sys-color-on-surface-variant);
+		margin: 0;
+	}
+
+	ul {
+		color: var(--md-sys-color-on-surface-variant);
+		margin: var(--md-sys-spacing-sm) 0 0;
+		padding-left: var(--md-sys-spacing-lg);
+	}
+
+	li {
+		margin-bottom: var(--md-sys-spacing-xs);
+	}
+
+	section a {
+		color: var(--md-sys-color-primary);
+	}
+
+	.privacy-footer {
+		padding: var(--md-sys-spacing-md);
+		text-align: center;
+	}
+
+	.privacy-footer a {
+		color: var(--md-sys-color-on-surface-variant);
+		text-decoration: none;
+	}
+
+	.privacy-footer a:hover {
+		text-decoration: underline;
+	}
+</style>