From 387df40c1474b2f4d0cfb8c8dcd8b074f7f79ab5 Mon Sep 17 00:00:00 2001
From: "google-labs-jules[bot]"
 <161369871+google-labs-jules[bot]@users.noreply.github.com>
Date: Wed, 25 Mar 2026 06:00:35 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[security?=
 =?UTF-8?q?=20improvement]=20Move=20staff=20verification=20to=20backend?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove hardcoded password from js/main.js
- Implement /api/verify-staff endpoint in backend/main.py
- Use hmac.compare_digest to prevent timing attacks
- Add StaffLogin model to backend/models.py
- Update .env.example with STAFF_PASSWORD
- Add vite.config.js with proxy for local development
- Add backend/tests/test_staff.py for verification

Co-authored-by: LVT-ENG <214667862+LVT-ENG@users.noreply.github.com>
---
 .env.example                                  |   3 ++
 .../__pycache__/jules_engine.cpython-312.pyc  | Bin 2876 -> 0 bytes
 backend/__pycache__/main.cpython-312.pyc      | Bin 4161 -> 0 bytes
 backend/__pycache__/models.cpython-312.pyc    | Bin 1449 -> 0 bytes
 .../test_jules.cpython-312-pytest-9.0.2.pyc   | Bin 3028 -> 0 bytes
 backend/main.py                               |  11 +++++-
 backend/models.py                             |   3 ++
 .../test_main.cpython-312-pytest-9.0.2.pyc    | Bin 4712 -> 0 bytes
 backend/tests/test_staff.py                   |  36 ++++++++++++++++++
 js/main.js                                    |  28 ++++++++++----
 vite.config.js                                |  12 ++++++
 11 files changed, 85 insertions(+), 8 deletions(-)
 delete mode 100644 backend/__pycache__/jules_engine.cpython-312.pyc
 delete mode 100644 backend/__pycache__/main.cpython-312.pyc
 delete mode 100644 backend/__pycache__/models.cpython-312.pyc
 delete mode 100644 backend/__pycache__/test_jules.cpython-312-pytest-9.0.2.pyc
 delete mode 100644 backend/tests/__pycache__/test_main.cpython-312-pytest-9.0.2.pyc
 create mode 100644 backend/tests/test_staff.py
 create mode 100644 vite.config.js

diff --git a/.env.example b/.env.example
index 178641c..34df0e4 100644
--- a/.env.example
+++ b/.env.example
@@ -7,5 +7,8 @@ LVT_SECRET_KEY=your_secure_secret_here
 # Allowed CORS origins (comma-separated list, e.g., https://yourdomain.com,http://localhost:3000)
 LVT_ALLOWED_ORIGINS=*
 
+# Staff password for access to the private bunker area
+STAFF_PASSWORD=your_secure_staff_password_here
+
 # Google Gemini API Key for Jules AI advice
 GEMINI_API_KEY=your_gemini_api_key_here
diff --git a/backend/__pycache__/jules_engine.cpython-312.pyc b/backend/__pycache__/jules_engine.cpython-312.pyc
deleted file mode 100644
index e245657bb89d36f11d66b8c75097767cbc63b9ac..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 2876
zcma)8O>7&-6`m!z<dULDsj@6qmF<ZmS79Jgw(KH+@`DDBq^OaM)Up#;C_oH%hvZ1h
zU1D}9nFJj$fPqRUyXYYTnijegP@x<O^x|_*1$vP|1y(jTV56tpn98S~`et{jAHxMY
zz|QPEzW42$_wx<^+1r~yF#b0BcgEug{Y!4T1NPoH%qa+cg$!gUCR+Aar4m{WEAl;L
zMk?yE>b-}}XeG8BQ&0#|bvH2gc4(z9*q&I7$Sxquu^gvyXINSpYFGAu+i75zFrugI
z!YgNe<dZXve-nE}D|7O9|J~5KI?KI)95dqIB)Sr#ho+1qJiYLwXsW0g>HCrHNte?`
z-+i>)S68zAKS;0}S;g%!ZDQmNTTp8awsDi!@;cGW)J@IJEY9DU&wu#oeEyS}JB?(4
z=&RH+CUc<Lc=vO{EoPOb@o6<|*#Z~snq^>SVbEmUwkp&Tc#UvI3MO@O@SPZ`vivHo
zH~LDn!Ynp%CHISoqDh?c4=wOaYE;Nwhc&31ple{B7xgN2lO@6>Sl%KP>Z%4OAWTrO
z6HI5Ku1Dm#f*}he49{T!CMXc4sr&&7qKRM*H$yN-nqipLKgRDxL|}x_inMuUG>=N*
zp4wDbPJSiOTteAsV=;kY%v*wTi<r1f%_`+s*w~9GURYSfoa%N3j$jbMY|Ftl2ZD&J
zoK=`$YZS|4Iyn!gVR_3PyM_s;c<fg-2;SH@Cb-N><q5#RMF<$cU>%@prXUbzBJdnB
zDQDEd3#3TuR0!$=eu#CG$y6{0k^@dsM^G<Mq73*AZ45HU0l$&UCA@FnqI%h4I-KRY
z4F-3`v?rdxv!uY8jz5wKn8uCa)8d(<giK@dXK11TjX0}5z|7sMNuWN~%XKWu;7*WN
z>6!Ee!d9fZz<SwcI`zB)G2_@_X4$UEBjEyZsNsFr5#Wn3>lh+Yw%0v`qVHhEUV}Ig
z2o*6%RX}7ti=|sP=da(wH*YV@EcqT?$>AF_pUvFFvb<zS*C_;9j6)Lr6#`?`DiBv4
zRESgKRB8sPntIh*R<48JS{lcT<9J~l`_=`@9c;2yimzQB$JeH^eqOHT@T{%Z9O*wb
zX^B`m9fzD&ARFL;^j-#~NK6yk#S_Q#&9CL~r`%p+22>BIK~}3!4pjEvET@)U9)|#$
zro9fiF4XaiRWg}V_F$K)#DaGpCmVLvifvHSg{HJ9CxYgouz(qa8<EM+MkNU&E;*U^
z$SDbv8?AD?QWdV&{jw7UvFrql|1&a4s@2IZb*#t|&Qq(zESjs<-Aukjh0ixe-v5yp
zYmjn&1|SCEaefU`3w08qpNu{qy}bRwUo(&1el*fS;aO#{6Gdl#_HeF)l#$_s;n6J+
z_xxP#^!BH;*6hns)HnDfed%%f(sr?(o@jl1&@=Gh{mu9HBAG(~MS4ii!8js|UwXHR
z2$&zCreY|&fhO;7DzBr5F2mjnS<^!8LN*m~^o1jYa8m)TF%dh~GD1dpHz1u;@(A2E
zuaifQ<wor5@V$_b-g~2oR=gXtyAPzHmEO}5xr6U&UB8;I*N`3rXZRl)(w9JEH=sqJ
z!gyoH>$AC_j${jBTCrtk0hu_WZc5q{tcur}fQ}a3zLVmDZPaD6dF=w7<293CqqiMN
zYd3EPj0)7ssZj%pklboQ#aepZqYF-}6t+f}Sth+(L^f4{Sw8prh;GCH@^B;GjS{<U
zty=cF<yE(<Ediq%gd1L+XTw}x$H#@=NC(<LxZbUljk&QhaflF{4}q$iV8HGUfauhX
zL8W`Y$jbKm$PI%Cnl4^*D9^)%KtRbyI=<+n*pWp5&BO;JC^V-y-76PCJPD8UCzx93
zWfE!WjrFbQe(b`*(D|>Lzia;fi_PTI_`t)tuW#+gFM@D0`BFoJBU^LZpY7afpLypg
zynnu3+G(^0r=JeLu|2l)-lO66@JBz!BALWS5+IYK2U`CVZRD{wa-f}gqGcXynXR*X
zZ%nndtH*+&?YG<7#PNP)yV2IB4&!Pv+Ci!s<+7)<{cgy1+<}s9mrR-q$Odjd!r<V3
z$@n`Jb|8%U|4+D#gBvf_EM3^P>2O(aZWQ7H|1-EG9an{$6zD1ryj5f+AZa%p)F1#Z
zN^;{VsTYPj!{Zn(gZCHY`Q^t~dk;tuc<KW#V=8&Tk^S8XD~j?xia$edK11i9p$k7o
zk&?XM`#dqQaq&TRGrM<Yw4J!rihUPLy@;eAruHKj4pKuKg$Hbt?PcC-r?RcN7qQfL
zk@#L>Za?zzbChnWzfFIc-im#T@PT%2Lw%y1d#s(?JAb*YU1_N=l*GfU`^r!!G^G4=
jXP|>%d34=d{t@<;y*t18x0D`+Q7Gf79Zn4?evtnQD5ve?

diff --git a/backend/__pycache__/main.cpython-312.pyc b/backend/__pycache__/main.cpython-312.pyc
deleted file mode 100644
index 326c4676eb24f1cf191f394946f00e85b58a9928..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 4161
zcmaJ^Yit|G5#D?7Em05JdRt~}DGB|c9)2ax!_|Y9Wy`WE%5KCaIh<~n)JY_d-8<S6
zOBG5QAP$<KHX6VR;-Jc}s;~>V|BU`}>^~`*qLgLC%Em!lv_G0Z1s(fGkoHGskD??u
zX;<Ry?Cj3m?Ci|9bAPI=^de}LJ8tSPRwDE_J}5WW8u4&MK<E;}2n$IREA>K5u*YId
zw0kKgK`$odlq2RyIb%+NualCllso3OX*uahd1GFib|ihNidaReGFEAiok@SHDpn;R
z5fKM=U3Fi9H}V#%Ce>3rOZ4U^@nTOxz@;ZpSAAC;rFqa-5v#?Ou>kgyEw~DP)nsej
ziEG}FV|BQe)Z+lz5|{B77&n0SeVg@`XuP%je!LCWkqTUIOEkRUxU#l5)<l|d<Mh)A
z(I$KUEwL7`y=Cg~ceRmf+=QF2wp@`)a{`(bW`$7eS9~}e5}E6$YFa%bgRJt{*w{#9
zMk5(ZH_{=2RUD6=8XhHP#z>n4#{RxjqtTN(#z}Hcr37T%r%ghmnwn-c(PO7Z29J&_
zgTrSc!(*pL$3dVvK`dn|n<S>9;<LI&a&`UsSv^gRU~e`(O=z%J)uu@r!&-->TS>x%
zU1K4cRjSFPaZWL)p3u`Kt0@gNN-#-Vx|%f0D^kRoH1PUxlBk$alQj;V8B?N>zR}2-
zGBSFqU+H|dtGoM|?(Xhf%}C!^M`WbCv-?0t=fOk!x(+c{7IvZN7;G@W8s?<L%F?tZ
zZt|uRXzsy>89N$1C@)N{MaiaB5ToU@dl{tX#5u`Y^E*P;T8tnxC2y7~(dDx(%Wuf#
z#WF7k*@DICemHkwR<g<&f~MTx)o0n6#rac^S^wS2Z_A_i5tj4f`{)Dd|E;t9Wero+
zWon}@$JSI}gIA`?Z<>=g*}J7YyV2*RynJQN<59E|31}S6N;A?pIwyo2!%PV4FTwOt
zCL9j=n8VB@b&E-Q+G4V$rwEfLQ>w<KG&#q-YbSpqGR~YNtr?gw*Q9DrCiMyCG$+;W
z0|%LBlFVQ|K}?JJH6xXQfL2Q5kb~BMU9=V+OtefUnR<e`$xMc57QrSz#vpIsZs|}n
znU0B440ohdJsr->GT&K3_4ur!X01v3BrI-(pZN|v=21~}I2u=L>o4uTxO+icson9G
z>%4fr@1D>9w)M-|w`PCw(-mLyWo>cC`-x>=`;v6qxBFV;UZDQcGZ&w^eEe?9-sP6P
zD=i(@2ChAOz32MG^|3-%@7=D!<*vb%t`nd9=r6DS@zs^U%Xb6u<v@HTFnQj6uPSi2
zYR7Wbj>UaT?v<*pg1hURRk`8ffp1NISg-e>-Y)c!)Uy}5n_Xh>0f~9-bU3H#;2M{1
zkrbrHW4XW`VCTZyKwLuBdLB$|&KQ{EEx(=-b7EdJg;|tGc@YcTDbS0&&w<9A5AsFA
zQeM);8F9J^p&5ZX08eF3r$tQ^(43r?H?k-%VMjS)@?u<yqL6c#RoaFt@uX@gT8jBi
z3$j_8RN|^;88i{M+dq#a{`?7V#Uo$worEOHQ;10bSj<6<EI^WjJ_RfaAd8sH-M~C?
z-BR>4CNs>dn@WbzI7GxoJkWN&wo+4*S{7bU6j)EYf%gRb%$MLXkM8+e?)rkuzTjg0
ziZ3+Z|Cz69K`uH`P4fa?JhI%n?;0*VcVhYA&~oe0a`nmiL71zpTWI{WX4fLVQ?qOS
z_^NN~yV-^DC1It0*HVAM*IAG|AA)X_^Fui59h5*grvOx$Y;t7wCR7STu>A2;<Qx7u
z{2tzh^E(0gw)rIU=zGud`;lwy)XmC`495Z%uS(_9d0ntP+(O<!^Ext>I5t-(ueGCO
zvnClkHfzd@FT;t=Nptd?!&*nSsdaqX(21R8+|0{)xYv24VK+z5yhKIpNy80pt)m(C
zU3SblJ;++eFo@Ij_?mNpOxxpHXbY~w)xfLdngK^^K9KS*T#Ez1+fw3vAOgLW(|ISZ
zyDZ`Q%Z@0*4Y+ZWoZps%TRQL5h0=<h$Xdt9Hbet+Zd~!W#GGp!YMeRu&)jbhm-=(U
zIaI>S-${U(EyMb+;AFF{@bVr_Bc>6gfOb?*Cv<EC)nstu)*tvK9EOYBXIiS2H5D5x
zotRjvp48vv;+-HqLLr>gVA=>`omT_;M3MwaI!Ka1O|@=)m^2bFMS{^uBLm16&egP!
z?`==*ZO6g(V~5*M9&V2UVq1nbO?j;3Jo`J_gVCNdk^Y?6*&cE*4~K9tA(df%RnxLm
z)n*k_GbmwIww$7#1&dU8FRL%z&I%L*S&dgJiVo<lS<IP%oJ(7|`f`n-8R@uAQ!4Bh
z$RLx`YKqXUU;%SQPxtjjqS4&b$Bd-9Cukb8!I5xJ_;fh<KcsWJ!@;p^(A1Mz@J^7J
z;7#!1EO&xBl{GE!h#4d^9A?6-b~G~F9~o6nor#PN^^7Y6L%q4+q-ABy!yO&!#93k)
zW*G9cLsO~Mp<;YQ$1gDNS(WOlovO@{p-?b|Bvx&fysBuEM4L9U7VYCZ@NzJsBx6tu
z9Ox{aAM<3?ta8=>NsfH8NjU7a(u+C4GVm62Wz^ZEp<?D7jYRu;hI4~!8#l8Folp|A
zuP+@8+t^wd>NNn9lmR<Tu6szGFpXr^GJ<e<szECoWP!2K!GQtTcXTioQF{8%4E9B6
z1k4Tj?3-}oVx=;0ZE$1`8?h-*66S^gjobIRbEIbs3Q5X=gLyW}QV-qFB@fuExeu^v
zsWu+tQfUd1#si0T@D(m75W$ZoJ;p}@F}XT^ciXK5*fr~jsjNXIJp-%uz|ZW36!-`F
zW*$9qqKf(p)}{Q#{NmVeVjsrt_&V?To0p`*{;@m$(*^fwSW&%gVeHqj_hL&;D^>gF
zkA3C~tSyP(@h1xI#QoMMm*wX9;};wktVeEC*L3NXi?0-R9$eXaXtinkYV-C**LyE4
zbuBmV`K<f-51+fycCWVKfzMgxoF6FG%8owa?~S3QwrlcA<AL-32X5r9y?_@ET}&;i
zx9gs|Uk4icZuEa#_tDUe7Yjek7aHeQTlcKi?YjTu(HqvsL(2o>g`=@T+mBZpw=E>z
z+qT-;{=g+S_#gPZ)!riVdc4IZR1ZpUf#`*)%rf~&0n-9C3yqeoX!mME+hU?n9|oJa
zgwx~w=Ft<VV(ZsP0OMAhyRYrP?)?4p*TOf1LSyec{(luEKJjmpgUIW>V&7B3O-Dta
z8{Moq1oSPpr>{-ARpaT~F5PN!aL#rI=d?*cGq<Afl1fo>uFkOir~hC(gpvrgo&mLq
zY{$O9YI=KyPWB8AE7558K_xmgcrw&Vp=LmoLtiPb<SCPfejGk^;EtsH&bK3w)vU3?
zfQ|Ndj!AiW!|KcY)cW@h<SR8P{}5o#6x5VSlky6@R5?_XK640wYnqgTR)XRX;0$AB
zLkDf)5~sKh2|}I86NZtrQ-e9;kd>u+fo~0Fc@%OlaM)55_)LLMD1)Y%M6>DNBD#;O
zvP%y4^I#8rX1z$Kfd?Ur%rD>p-WP<=k?(Wlx1YW*(XKD}fA^Ot`~?dA)md5CvgeL-
z@4R#$Nq150GOAsbYgYqx7ur|rno2z%6n#htJVH)EEY>1_Xx_W(X_<ExWv9@%5P&!k
z8W*E>w>0*UkBZeEp=*H@5p+x1L*5nZkmz``;kAZ>w`oOaejs)T-o>Yj2)gUi*Svcu
tA+e>%`NatV$ra~wx249<!5q12e&Ed$ubsFcEkN{tDt8neNN%#X{~xJFLhb+n

diff --git a/backend/__pycache__/models.cpython-312.pyc b/backend/__pycache__/models.cpython-312.pyc
deleted file mode 100644
index a1357dc0d5d4a0c900594af2084862d5b6867ff6..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 1449
zcmb7EO-~y~7@oCv?X``;A7E^tsg+csj!GO*Afb&KLHURyV<JqD;>&2dGr*Mf+MQif
znOjRL@eiU_xmOice?+gnB;wH3NKvKs#4Qv~J@uW%CRJ6b>KvYV=6#=cXXcri{W+P8
zBWT~f_Y*(T5&B&X`Yq8T=RX2@jwqs<jhb3R(-aTcp=P)dZt4xaX*3KCh0rRZ;b(~I
zOgj!=);1zR)PQK@Z_y}?Qj^ALoF?c1P0~R+L{l$fG)*%!ONZ$Q&CyYsr-dLo_9E0U
zLx{zg`PoQ+ac}$M9zE82b0)gurHNBDC}}dbNL;qoqRcLZrM|>1PwG|fdeU5Pd%Wck
z+v?Q^U2om!d=7@s5kn1)qDJTmVqvCJ?LI^U77CaFvG7$)SFCH4BGP=~GEujPBcmN)
zm{VzZtv%*Q;|roDkF$N|c-ZT<SxxCNc1V+9EaMnATeM><K7jG(9b)$~Vb>FK2xH<n
zEsv<ByPz?)?H2LAN9Stwf9A@h-7bGhESQRx;X}-JZ?(I^gk%74#K_G7e2x5M>agl3
z1`i+k3B^*`XX|3PFZ_2?HX;2#Oi}g(rmzSw<I1SW6^jOznWdPFt`gA%Ph<$p($$`2
zGVls-+r-0GQx1Xw%(Hg!HnF^xkcR8EtUYP81-F=t?-RiZc*<$56ctIekwFDR3Q`Kv
z3NipP%pFf;)iBtwx>RDc59&d<lK|k6nK)ea<H^H{pUt1>d4ITYq8ECmDd*mrrpje{
zaiO}lP^sa1eP#~VtCh8b+#<1?ggeE$&6`sz+$%m}#Bom-K)<scv_Brm<btqvxyLN8
zBZw`dOI>h)Tc-n{>cjx1Z_Ui#F8=n_4+l4PIQ_6(c6VECzTGW97I0lGZ|idR<vVv~
zXXoZhF_DKNQBW|ZU>raiRFF1U#cbkw+~QtWOsM2L3a%+dy1KkospHw{+qk~DvAp@o
z!-G_n?Q^#Xp<;cHJ5Kj>36wkEexusi18J<-9XK+x?h%I)K~JY3-H8HBL&<-y`0m|%
z_vYtIAyI@9p?t5E2Bg{UQaDX+3H2gn1YQbvc7(dW!cY)V5Zvoa=j#vGA6HhM;!166
zxwg5!@l@)zdTEh;Vt1G;<EslBYmmW9i~l%zY2LqlavzHs_^A4exJLkQ!kVVNM%R8t
zldsU^g|2JEN8Jkq-Nir@IKM#9y~(4Y>wfBezcB8PUGvjLKliSm&id&IKljmDHa-^V
wDX#Ywc|TVS6k~nGSz&Y}^b)1dX3${fW#+~&nVYXNH%~GjoFu2dj0bo0FC3e8bN~PV

diff --git a/backend/__pycache__/test_jules.cpython-312-pytest-9.0.2.pyc b/backend/__pycache__/test_jules.cpython-312-pytest-9.0.2.pyc
deleted file mode 100644
index a7209d82add22b51559619728437e61a573a2a6c..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 3028
zcmZ`)-E$My6~C+9l~%GWTQ)Y59q2lkfC`o!;y~jNiol9T@dvGC(jbOzm)&c5&1$9D
zUD=i@r)FS^+u;GGNnnPgC4He3I>VpP5_sy1T*TPDz;veJp?&iNI+L`0=(&>CG8wuf
z?K$_{bM8GKzjOA_&CNapPiW^|EiNGRC0#g=r_Mb434_oTq#~8kQHrTjSB6zw49ajR
zo~iA)Q|{`HC*`S9AteBH>E4Vl<zo<b&vrToH|T7*!8;uGyi~K>*>BMQqq(i2;c&R+
z7Q{fGZ_~Q>t(jn|jX^GieYa|g2)9Y?b+#7amedxAh}AnXovF^M9j9;2gi;~k`SU0h
z#$BrW%x;9t5S$~-?su#k6y#y&e8&?86_^4O@%)pjO+*;t9hcLZGM-h=z#?d3C7a1$
zLzU993DgFmaNNRXQjra%aWq1-UgzNd?AI=YE_g-}168x@aU-Z+<3^ix3>|M4p;jd%
zfo1I}A=~Znvw)0mKeJWbyeO46EbJC%M`cw`<yH4>&n>PdTVyu*B$SxhR!6r%uOZd@
z8QbvJi&USAbnl|8;knv$+wW+UT+)U=_EzVd5~DWX4&188bPlTcQ;7Q$_6qxRo=1!9
zCO<at!EDZ0Yl&5Z6r$JAXD;Wi7c|;lCIzc@YSq|tBrn6eQ-NQ4(n#I%TV|27H?Y3!
znP$|E^FoOmMvk6ys_Eb4f2Sh_G;NMx>t^`@bg{Gp*{?YH=|$$7i~OcjLiTr@y%O(O
zz8HJ84y}vsl6!WCquZd4j|@5i*<R#7<O_8=&&;C*_5_+|{=m*Nk?=%*0L=RO`o#6$
z-1xmXoOnMm5kDrz5<}v9$H(GHF+MQ@64;21OdLy2C60=qTs$;2qgf*SWKqvA<jsO;
z*##YovO1?JSkw&hT@xG1%w92Wq;<^#MmAJ2nUf7zL`nNt?A_Rj_|#Nf8jHt<rQ^x?
zWHI#mfx&_O-y0kl7>Fhl<HyHhQ}JObnHWh|Bm3jzVZx2bx*Xw%Cl8$`X)59E>=|qj
zeqPoroA~e?bf#n%a<~|n!j`QWX^}SQkXU4+(Wpr=I0c>SH?f^J4QWo+^OyvW#Ky*B
zi3us0+_zs!jwQxH#aHihxFz2MX1<eu|Ma6%;t^Sa3srFvTe+-ZVPF)j&0%$@C?sv!
z&Ratwaa&cc*zKd4ttB!!bz&?o#)jWd9F5Z)k^oH^I4ISU7V!|*nKW@J8N%wPEy7t^
z5fjdqb)C59v6h~(iF>9>m5pHne$f%~2K=AB2Ct8q+PEp9Q!p$RnG*90*BttUxxz5$
zqK^YmR?E&z+(Z$UxS|7uo6njmao2pX=wYI`^zW{IIhX4{U5mBfhD=Jcc^zBPT!DBG
zrm=w+a^|68kC`_lRg=?37ILjb59(P()~!R)4HY_kE&9dz`XA`)B~%U!-i%!DUA8aH
zUHtH7<Qt0)qjP~EQ|$Ad>^UX=C^k8fm>3xX0E%?TYFPuT;&j$Lt*I(DKxUhoVnvH@
z`%Wg0A3YjRCQkuUscWF6>)Clww`Z`JGqpKcDO6EcM`+H>+F2#5M~i;n$q!D6@yW?!
zlS5*pjqspt*d`4g5{?&a;;%+4VI!>>nDCjbignUT<2Gd*OG?(T!8@}VEKHuh{8ihG
ztQn+f4x8F^L6Y<Kj7j4oJoU>YtZYE`;tLAS(ZC36*(UMYrmSF^Y2vNAA>jojB9P_`
ze0U_YjxtcAHLw86=1zK~8+P)#O}rbqAq+P6P*>=8*P@>avGyD`w^NJ2i?uTMfiOr_
zhX75r>OAJWW#7RH_s(-S>e&9P(WUXV@QJ1I3fH-IVEFvlD%ZKfb*^%|R=8aiZV;4$
z;kDMCYk}Qsfwr~w@N+L8bT1{I2N3UDp1AtfYIpxicYnES;0{~%4OX}}*WF$G_Gbd}
zZh73@d#AV3ePEfZ2%)E2cmFP2{{CcTYjQQ1Ty{Sdn#+NG72%D?Lh~izYUg!fB^)V-
zzFQ9LsR(;PSPty12z|gTPnSD(t^{7I2)owZs4Y|u?Oq8+R)hU3!Ttxq*O%R7%jmNA
zX;a_<#T~pVO@oj9!E)P?hyJ5aDf5Ge{vWPyLv2&cH_t`n@AwL_{C0Y8^QX%7o@>)r
zKPXp^e<Xy~gy5>sy&`n43foqMZU0&Kfa-s(W01phvEFzy^QYZAhyCboGc)Yt?gnE0
zu=wH~1~$Gp)CBxJFXiv~7|Q#-aUXlHV^5rC?;{@M_jw*9_kAqzM35v3B}t0BLWI+K
zO@~2d5&z*_LE2b_rCfo6A}U)j3n`$YCZ0Dn8x!w_h<F^C4~(lAk^zWT!6L4#MLe=q
zFcd9In)8NcS5Kp`t9L?9wr5~6<Z>|Yh)2~-L(X8ZIc-&Uz{zP%$C5<a)7flV$I*I!
zz%-OK;(uYq!wQ5gBefO+m2uir=BtpsDxzzh;;wd@RqH8=P?`#QE!@HafXyzDJ%c~0
zfm%2S2GIS7%u$fhv1t7aUh6EwFn>enJUZulguIVX;0f9R2w}Jj!dc-$%h{Got}C9)
zo+~YvTduoqcs}>sX!*S5j_^Qy>p|;K1-<<*(Cz(esOMVK5??_bU!wLW=+!5v`zx-G
p*}nc`266u7;$PVC8rQNka$)rB=;gqJR`DU%v(6%}%X|-f_#cWj=v4p!

diff --git a/backend/main.py b/backend/main.py
index fb88c85..7df20f4 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -7,7 +7,7 @@
 from fastapi.responses import JSONResponse
 from fastapi.middleware.cors import CORSMiddleware
 from dotenv import load_dotenv
-from models import UserScan, SHOPIFY_INVENTORY
+from models import UserScan, StaffLogin, SHOPIFY_INVENTORY
 from jules_engine import get_jules_advice
 
 # Load .env file
@@ -28,6 +28,7 @@
 
 # 🛡️ Configuración Maestra (abvetos.com) - Secrets moved to environment variables
 SECRET_KEY = os.getenv("LVT_SECRET_KEY", "DEVELOPMENT_SECRET_DO_NOT_USE_IN_PROD")
+STAFF_PASSWORD = os.getenv("STAFF_PASSWORD", "DEVELOPMENT_STAFF_PASS")
 PATENT = "PCT/EP2025/067317"
 
 def verify_auth(user_id: str, token: str) -> bool:
@@ -49,6 +50,14 @@ def calculate_fit(user_waist: float, item_id: str):
     is_perfect = 0.95 <= fit_index <= 1.05
     return is_perfect, round(fit_index, 3), item
 
+@app.post("/api/verify-staff")
+async def verify_staff(login: StaffLogin):
+    # 🛡️ Use hmac.compare_digest to prevent timing attacks
+    if hmac.compare_digest(login.password, STAFF_PASSWORD):
+        return {"status": "SUCCESS", "message": "Access granted"}
+    else:
+        raise HTTPException(status_code=401, detail="Access denied")
+
 @app.post("/api/recommend")
 async def recommend_garment(scan: UserScan, garment_id: str = "BALMAIN_SS26_SLIM"):
     # 1. Seguridad y Handshake
diff --git a/backend/models.py b/backend/models.py
index 652f4cd..8a33bba 100644
--- a/backend/models.py
+++ b/backend/models.py
@@ -7,6 +7,9 @@ class UserScan(BaseModel):
     waist: float
     event_type: str  # e.g., 'Gala', 'Business', 'Cocktail'
 
+class StaffLogin(BaseModel):
+    password: str
+
 class Garment(BaseModel):
     id: str
     name: str
diff --git a/backend/tests/__pycache__/test_main.cpython-312-pytest-9.0.2.pyc b/backend/tests/__pycache__/test_main.cpython-312-pytest-9.0.2.pyc
deleted file mode 100644
index 8ee35419d16682196cede9269ec7f338b8e49468..0000000000000000000000000000000000000000
GIT binary patch
literal 0
HcmV?d00001

literal 4712
zcmb^!&2QV*{ZXPmX?<D#jNMsXW+z%(Czc)C0iv{S;<QO>2dg~{^M#=GXqh%85+v<J
zG6fr34lR0UFGD&Yhg^qj|AWy}fL`P!MFL{QFzl3DQg;~8(|(VSPofMP@vsr%d%y3`
z_d$J|NW>95W24_Fe+VJ;PlB)~=mCez06ah#VNOLWoI3|9!BT)j6@DeeQBHUz44i-(
zsYF+zE-k3WD)E&#hXP2B%JIh>wYMT*{ytjis&V<yOF~-Ab549&Hmz%_B3CWIf|9P6
zJaJbk0wW3M@L8CIVxtW|*A+n!9uC|`j{_8i5Q6tngF8W%w>h6=2#0Y5M{(>S-w0Tq
z1%x)BBu5_{w*!9`m~JCz2R9(5qfdj!U5${<+o8?#2sOfX*!+tXV^SM#(HTZ(oUp@d
z98MCQwZLQEqo%9`liNr#s69XSz-?sq`s}CM5)86~tO15!vYYYSb6c{?;grwnak4zK
z`UbfWlf&tU!8%l|5y2VUZATQ&#iCX(i@;~8kI~w*9c7l-{5uY3?{N(t-Z0cWxG~t4
zW)Q1WBZhk#aXW6uwoyZ{1@n(SZ^w0|*A}2FeMF<(6`#&=HEAt%-2Z>;UW{e?#_qKw
zp?m#!;9<b6Zx<fKXY4Mo+L2RNJHq_3*{gQEA(RoU@*$`q)RdIGk+20j0d)=8A*gZ4
z9LB?qWQ&`!lXeQYX*&(vw3)zfH8L%3x1F)Oft$6nq(5JArs%8k@tp}lXMRR}p1Lyv
z%fe^-xDF<m93JuN*MoETZM(;-U$4z?46(J<p6y<y$05jn-{<An40h9y!OwS-yQx!W
zkYpZwwvWpo#pLi=FM~e(3p{G~c^UMdkU>AwgACGd?!j&rG8o&<>~^0zgADWVh77uy
z96sk|Fo4hFyglG$FnB@+gG`S@J`cm~E-}dF@h{mqt{``poWbwlckMHthoMvNk|E}k
z&1{!==aK+(2;Ky|NqE!nrr^!Mn{9O0vibMwJMkPm<Q~jf>k=8{+yzNjE*Nr2t5oDF
z&cUl|O4Z7hGy|xXTFb3VRjkTpZcS3uEkib4BWs3MarJL)5#HQQ&@3xeId{G+TjB;G
ziW1&dN^*YORj3cFN~KLOKVFfP>iD*7C~GxQ+OpP5t;^6WTNdU+ayvahaDxXHm;Z$F
z0f*aiILjomx!g}95Vn57vv|RRj7)bFUE_MqiC$5q$|{zw)@KM;Y-K2xB?B_GL>jN?
zWi@_9)k>0TUIl<El1tGfQS71po<o>Xi45!^-wGq}9uC0p09mcC1<bWO1i{ybmXykt
zDp@inRhp+&x<P9RA0n~&dnH-76s-z5@{&<Do$%&eGJCliWM4bI6|J->9<6Qt`hS_+
zu~x`cZjzgS5B)9K-yFE~G&$XjP8(f7s=w9Iwxa<!vE})tW%1Wb^Pf6h3wN&Fp1&?G
z-?=@%SO#4%_^S^b{v%11^1Kt-GG#+luoJR0SO-q%uB4cj6PLG1H>{d2*Wc+}jPJ8n
zDY*FI+$RfjHy6dFrNXqh^vTTyC>_6HYSoudz)zn0DNrotx%%YjdA(N1oADhF$Q5%0
zx|lb|O-r)2OtGY4Io`+>DdSS!bfU1Rb**a3`JfX7SuzyJaH*b@Oo-ZYZOniu5N8&h
zq-oVurCMeyoO1$76})#7R}*<Nr&L{yNzmZ2WJ%Ck(3~K{WQR>~Z;(|~@B2_v$=b~=
zsY>O&8;X^?B}-LU3%UV&Msgz8m2KEw8uJ3CnV0FjnGYDFV1?M9u181|vozRQkneG$
z@`W`qMKl~9BARf=se06v0ZT4E-O{?;c2j_|dRmu>RG~n%3SiB}r(TjhP*3?vRv<Ma
zvNQRV6ES7zfMq!0lKT}73=I~5;OmPM|3I&~OIk9Vj0hW2g`KM#a60LdAv;~b7FV|v
z)lx`p=$3T`L~~u+Qn4#4mQ`(4QpKuNk)4=mN^3H);3VhVPQpH$Hw?{ivf`R%R3tbD
z?&+#jmB<b>$Tx-)hNA^)?j)JSs-~%$o*#CEidNl}Yr15W){P92jp$NM)g)|?!`~4|
zcr^V9KQiS<CMiO_Py3Ns<LnVD7yXI_zifxeOSCYa=ZhWKWCvF0z-IkeVWI=`T+=XT
z{H`xkIm(&ve0$i8pI7jFQ(mD%vM}8tIct&vlH2K|haQ8Yr#kP9--0pnhtABvF};Ug
zb)iuDIp2T4!|7Hyn3{ja-}oWSg=StweT<pr<;7?G9ia7$yvV?>_eJ0E>sTli-uvjs
zG)nh<x%2r>bLitIcR$;Cn)=P&#~|6&^IRA?5JsB(*rQ1pn!?DV$pc~RIZuAyc?62J
z#shxrvssEgZG+ETVM_ihG1roB0U-TC$bMP;y!gfYd)HqGLrwl{QyBW%Y6@qc^W^uP
zN1)hK7o%`%1f8#~7N3DFHUOaZI)FmA17P+QBETc7`R<j2b47{)xp}VG6pBB(%>4mM
zezM&BboF4NM6vyW=0d4CSE4e_vhL|x_W-DKw*s#b+Tv~pJhIF8@O2>n+coVUJweyE
zpAJ_u4b@NlffCOZ{lt^te|c#@z<v>Gcz?i8^XzsC`UU(jwM$bcsrh+c)MedIq}CzP
zqtbq%{{^NIxfgpr;Y8U<YRr;zXHcYP?>Ie2;5-~R<hzDq!8zI@IT4R$OcR|jRdKr4
zBsj)(Wt{9!db}It3(4v7e?A!GbIO<`1KFVl*`jVRbaO|qR5T1<j#mu{800cB--h8;
kkmI<&BXl4AKJh)ue~*U$5zBsc?TeAU@F70}b#+br2Y{PN+yDRo

diff --git a/backend/tests/test_staff.py b/backend/tests/test_staff.py
new file mode 100644
index 0000000..8cab73c
--- /dev/null
+++ b/backend/tests/test_staff.py
@@ -0,0 +1,36 @@
+import pytest
+from fastapi.testclient import TestClient
+from backend.main import app
+
+client = TestClient(app)
+
+def test_verify_staff_success(monkeypatch):
+    """Test successful staff verification."""
+    # Mock STAFF_PASSWORD in main module
+    monkeypatch.setattr("backend.main.STAFF_PASSWORD", "TEST_STAFF_PASS")
+
+    payload = {"password": "TEST_STAFF_PASS"}
+    response = client.post("/api/verify-staff", json=payload)
+
+    assert response.status_code == 200
+    assert response.json() == {"status": "SUCCESS", "message": "Access granted"}
+
+def test_verify_staff_failure(monkeypatch):
+    """Test failed staff verification."""
+    # Mock STAFF_PASSWORD in main module
+    monkeypatch.setattr("backend.main.STAFF_PASSWORD", "TEST_STAFF_PASS")
+
+    payload = {"password": "WRONG_PASS"}
+    response = client.post("/api/verify-staff", json=payload)
+
+    assert response.status_code == 401
+    assert response.json()["detail"] == "Access denied"
+
+def test_verify_staff_empty_password(monkeypatch):
+    """Test verification with empty password."""
+    monkeypatch.setattr("backend.main.STAFF_PASSWORD", "TEST_STAFF_PASS")
+
+    payload = {"password": ""}
+    response = client.post("/api/verify-staff", json=payload)
+
+    assert response.status_code == 401
diff --git a/js/main.js b/js/main.js
index dcf1947..879b40b 100644
--- a/js/main.js
+++ b/js/main.js
@@ -232,14 +232,28 @@ class TryOnYouBunker {
         modal.style.display = 'none';
     }
 
-    verifyPrivatePass() {
+    async verifyPrivatePass() {
         const input = document.getElementById('private-pass-input');
-        if (input.value === "SAC_MUSEUM_2026") {
-            this.showNotification('ACCESO CONCEDIDO', 'success');
-            setTimeout(() => { window.location.href = "/staff-dashboard"; }, 1500);
-        } else {
-            this.showNotification('ACCESO DENEGADO', 'error');
-            input.value = "";
+        const password = input.value;
+
+        try {
+            // 🛡️ Verify credentials via backend to avoid hardcoded secrets in JS
+            const response = await fetch('/api/verify-staff', {
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ password })
+            });
+
+            if (response.ok) {
+                this.showNotification('ACCESO CONCEDIDO', 'success');
+                setTimeout(() => { window.location.href = "/staff-dashboard"; }, 1500);
+            } else {
+                this.showNotification('ACCESO DENEGADO', 'error');
+                input.value = "";
+            }
+        } catch (error) {
+            console.error('Staff verification failed:', error);
+            this.showNotification('ERROR DE CONEXIÓN AL BÚNKER', 'error');
         }
     }
 }
diff --git a/vite.config.js b/vite.config.js
new file mode 100644
index 0000000..7af6018
--- /dev/null
+++ b/vite.config.js
@@ -0,0 +1,12 @@
+import { defineConfig } from 'vite';
+
+export default defineConfig({
+  server: {
+    proxy: {
+      '/api': {
+        target: 'http://localhost:8000',
+        changeOrigin: true,
+      },
+    },
+  },
+});