feat: security hardening, structured logging, and regression tests for 1.0

CSRF protection (double-submit cookie) on all 31 POST handlers, per-IP
rate limiting on booking endpoints, server-side input validation,
double-booking prevention via SQLite unique index + transactions,
crash-proof web handlers (37 unwrap removals), graceful shutdown,
and 50 structured tracing points across auth, bookings, CalDAV, admin,
and email delivery.

28 new regression tests (191 → 219) covering ICS timezone/location bugs,
input validation, CSRF token verification, and date range validation.

Updated docs: security.md, architecture.md, deployment.md, booking-flow.md,
introduction.md, README.md, CHANGELOG.md, and CLAUDE.md.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: olivierlambert

CHANGELOG.md

@@ -69,9 +69,32 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/), and this
 | Matrix-style initials | 0.17.1 | Two-letter avatar fallback (first+last name initials) across all pages |
 | Multiple availability windows | 0.18.0 | Define morning + afternoon slots with lunch breaks (multiple time windows per event type) |
 | Calendar reminders (VALARM) | 0.18.1 | ICS events include native calendar reminders (popup/notification) based on event type settings |
+| ICS timezone fix | 0.18.2 | ICS events use UTC times with Z suffix instead of floating times |
+| Version in sidebar | 0.18.2 | calrs version displayed in the dashboard sidebar |
+| CSRF protection | 1.0.0 | Double-submit cookie pattern on all 31 POST handlers |
+| Booking rate limiting | 1.0.0 | Per-IP rate limiting on all booking endpoints (10 req / 5 min) |
+| Input validation | 1.0.0 | Server-side validation on all user-submitted data |
+| Double-booking prevention | 1.0.0 | SQLite unique index + transactions prevent race conditions |
+| Crash-proof handlers | 1.0.0 | All web handler `.unwrap()` replaced with proper error handling |
+| Graceful shutdown | 1.0.0 | SIGINT/SIGTERM handling with in-flight request draining |
+| Structured logging | 1.0.0 | 50 tracing points across auth, bookings, CalDAV, admin, email |
+| Regression tests | 1.0.0 | 28 new tests (191 → 219) covering ICS, validation, CSRF |
 
 ## [Unreleased]
 
+## [0.18.2] - 2026-03-12
+
+### Fixed
+
+- **ICS location field corruption** — LOCATION line in `.ics` calendar invites had trailing whitespace after CRLF, causing the ORGANIZER field to be interpreted as a continuation of LOCATION per RFC 5545 line folding rules. BlueMind and other strict CalDAV servers displayed the organizer info inside the location field.
+- **ICS floating times** — DTSTART/DTEND in `.ics` invites used floating times (no timezone) instead of UTC. Events appeared at the wrong time for guests in different timezones. Now converts to UTC with `Z` suffix via `convert_to_utc()`.
+- **Hardcoded UTC guest timezone** — `confirm_booking` and `approve_booking_by_token` handlers passed `"UTC"` as guest timezone instead of the actual stored timezone, causing ICS times in approval emails to be wrong.
+- **Broken "Add source" link on dashboard overview** — pointed to `/dashboard/sources/add` instead of `/dashboard/sources/new`
+
+### Added
+
+- **Version display in sidebar** — calrs version shown at the bottom of the dashboard sidebar
+
 ## [0.18.1] - 2026-03-11
 
 ### Added

CLAUDE.md

@@ -31,6 +31,8 @@
 | Auth (OIDC) | `openidconnect` 4.x | OpenID Connect SSO (Keycloak, etc.) with PKCE |
 | Sessions | `axum-extra` (cookies) | Server-side sessions in SQLite, HttpOnly cookies |
 | Email | `lettre` 0.11 | SMTP with STARTTLS, async tokio transport |
+| Logging | `tracing` + `tracing-subscriber` | Structured logging with env-filter |
+| HTTP tracing | `tower-http` 0.6 | TraceLayer for request-level observability |
 | Error handling | `anyhow` (app-level) + `thiserror` (lib-level) | Standard Rust pattern |
 | Config/paths | `directories` crate | XDG-compliant data dir: `$XDG_DATA_HOME/calrs` |
 
@@ -59,7 +61,8 @@ calrs/
 │   ├── 012_reminders.sql         ← reminder_minutes on event_types, reminder_sent_at on bookings
 │   ├── 013_booking_email.sql     ← booking_email on users
 │   ├── 014_team_links.sql        ← team_links, team_link_members, team_link_bookings tables
-│   └── 015_user_profile.sql      ← title, bio, avatar_path on users
+│   ├── 015_user_profile.sql      ← title, bio, avatar_path on users
+│   └── 016_booking_unique.sql    ← partial unique index for double-booking prevention
 ├── templates/
 │   ├── base.html                 ← base layout + CSS (light/dark mode)
 │   ├── dashboard_base.html       ← sidebar layout (extends base.html, all dashboard pages extend this)
@@ -237,6 +240,18 @@ File: `src/web/mod.rs`, templates in `templates/`
 
 **CalDAV write-back:** Confirmed bookings are pushed to the host's CalDAV calendar (if `write_calendar_href` is configured on the source). On cancellation, the event is deleted from CalDAV.
 
+**Security hardening (1.0):**
+- **CSRF protection** — double-submit cookie pattern on all 31 POST handlers via `csrf_cookie_middleware`. Client-side JS injects `_csrf` hidden field. Multipart forms use query parameter.
+- **Booking rate limiting** — per-IP (10 req / 5 min) on all 4 booking handlers. Uses `X-Forwarded-For`.
+- **Input validation** — server-side on all booking forms (name 1–255, email format, notes max 5000, date max 365 days), registration, settings, avatar upload (content-type whitelist).
+- **Double-booking prevention** — partial unique index `idx_bookings_no_overlap` on `(event_type_id, start_at)` + `BEGIN IMMEDIATE` transactions.
+- **Crash-proof handlers** — all `.unwrap()` in web handlers replaced with proper error responses.
+
+**Observability (1.0):**
+- **Structured logging** — `tracing` crate with 50 log points across auth, bookings, CalDAV, admin, email, DB migrations. Configurable via `RUST_LOG` env var (default: `calrs=info,tower_http=info`).
+- **HTTP request tracing** — `tower-http` `TraceLayer` logs every request (method, path, status, latency).
+- **Graceful shutdown** — SIGINT/SIGTERM handling with `with_graceful_shutdown()`, drains in-flight requests.
+
 ---
 
 ## CLI UX conventions

Cargo.lock

@@ -53,6 +53,11 @@ lettre = { version = "0.11", default-features = false, features = ["tokio1-rustl
 axum = { version = "0.8", features = ["macros", "multipart"] }
 axum-extra = { version = "0.10", features = ["cookie", "form"] }
 minijinja = { version = "2", features = ["loader"] }
+tower-http = { version = "0.6", features = ["trace"] }
+
+# Logging
+tracing = "0.1"
+tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 
 # Encryption (credential storage)
 aes-gcm = "0.10"

Cargo.toml

@@ -135,6 +135,7 @@
 - **SQLite storage** — single-file WAL-mode database, zero ops
 - **CLI** — full command set for headless operation (init, source, sync, event-type, booking, config, user)
 - **Single binary** — no runtime dependencies beyond the binary itself
+- **Structured logging** — `tracing` + `tower-http` for request-level observability, configurable via `RUST_LOG`
 
 ## Install
 
@@ -335,6 +336,50 @@ Get certificates with certbot: `sudo certbot --nginx -d cal.example.com`.
 
 > **Important:** Set `CALRS_BASE_URL` to your public URL (e.g. `https://cal.example.com`) so that OIDC redirect URIs and email links point to the right host.
 
+## Observability
+
+calrs uses structured logging via the `tracing` crate. All log output goes to stderr and is captured by systemd journal, Docker logs, or any log aggregator.
+
+### Configuration
+
+Set the log level via the `RUST_LOG` environment variable:
+
+```bash
+# Default (recommended for production)
+RUST_LOG=calrs=info,tower_http=info
+
+# Verbose (debug HTTP requests + internal events)
+RUST_LOG=calrs=debug,tower_http=debug
+
+# Quiet (errors only)
+RUST_LOG=calrs=error
+```
+
+### Log categories
+
+| Category | Level | Events |
+|----------|-------|--------|
+| **Auth** | info/warn | Login success/failure, registration, logout, OIDC login |
+| **Bookings** | info | Created, cancelled, approved, declined, guest self-cancel, reminder sent |
+| **CalDAV** | info/error | Sync started/completed, write-back success/failure, source added/removed |
+| **Admin** | info/warn | Role changes, user enable/disable, auth/OIDC config updates, impersonation |
+| **Email** | debug/error | Delivery success, send failures |
+| **HTTP** | info | Every request via `tower-http` TraceLayer (method, path, status, latency) |
+| **Database** | info | Migration applied on startup |
+| **Server** | info | Startup, shutdown |
+
+### Example output
+
+```
+2026-03-12T14:30:00Z  INFO calrs: calrs server listening on 127.0.0.1:3000
+2026-03-12T14:30:05Z  INFO calrs::auth: user login email=alice@example.com ip=192.168.1.1
+2026-03-12T14:31:00Z  INFO calrs::web: booking created booking_id=a1b2c3 event_type=intro guest=bob@example.com
+2026-03-12T14:31:01Z  INFO tower_http::trace: response{method=POST path="/u/alice/intro/book" status=200 latency="45ms"}
+2026-03-12T14:31:02Z ERROR calrs::web: CalDAV write-back failed uid=a1b2c3@calrs error="connection refused"
+2026-03-12T14:32:00Z  WARN calrs::auth: login failed email=eve@example.com ip=10.0.0.5
+2026-03-12T15:00:00Z  WARN calrs::web: rate limited ip=10.0.0.5
+```
+
 ## CLI reference
 
 ```

README.md

@@ -21,7 +21,9 @@ calrs/
 │   ├── 011_event_type_calendars.sql
 │   ├── 012_reminders.sql
 │   ├── 013_booking_email.sql
-│   └── 014_team_links.sql
+│   ├── 014_team_links.sql
+│   ├── 015_user_profile.sql
+│   └── 016_booking_unique.sql
 ├── templates/              Minijinja HTML templates
 │   ├── base.html           Base layout + CSS (light/dark mode)
 │   ├── auth/               Login, registration
@@ -109,6 +111,13 @@ calrs/
 | `/dashboard/team-links/*` | Team link management |
 | `/t/{token}` | Team link public slot picker + booking |
 
+### Middleware
+
+| Layer | Purpose |
+|---|---|
+| `TraceLayer` | Logs every HTTP request (method, path, status, latency) |
+| `csrf_cookie_middleware` | Sets `calrs_csrf` cookie on responses for CSRF protection |
+
 ## CalDAV client
 
 Minimal RFC 4791 implementation:
@@ -128,7 +137,7 @@ Handles absolute and relative hrefs, BlueMind/Apple namespace prefixes, tags wit
 - CSS custom properties for theming
 - Dark mode via `prefers-color-scheme`
 - Responsive layout
-- No JavaScript framework — vanilla JS only where needed (timezone detection, provider presets)
+- No JavaScript framework — vanilla JS only where needed (timezone detection, provider presets, CSRF token injection)
 
 ## Email
 
@@ -160,7 +169,7 @@ The approval request email includes Approve and Decline action buttons (table-ba
 
 ## Testing
 
-calrs has an automated test suite with 147+ tests, run on every push and pull request via [GitHub Actions](https://github.com/olivierlambert/calrs/actions/workflows/ci.yml).
+calrs has an automated test suite with 219 tests, run on every push and pull request via [GitHub Actions](https://github.com/olivierlambert/calrs/actions/workflows/ci.yml).
 
 **What's tested:**
 
@@ -173,6 +182,8 @@ calrs has an automated test suite with 147+ tests, run on every push and pull re
 | Availability engine | Free/busy computation, buffer times, minimum notice, conflict detection |
 | Web server | Rate limiter (allow/block/reset/per-IP isolation) |
 | Authentication | Argon2 password hashing roundtrip, hash uniqueness |
+| Input validation | Booking name/email/notes/date validation, CSRF token verification |
+| ICS regression | UTC timezone suffix, location field integrity, convert_to_utc |
 
 ```bash
 # Run the full suite
@@ -199,3 +210,5 @@ Key crates:
 | `argon2` | Password hashing |
 | `openidconnect` | OIDC client |
 | `icalendar` | ICS parsing |
+| `tracing` + `tracing-subscriber` | Structured logging |
+| `tower-http` | HTTP request tracing (TraceLayer) |

docs/src/architecture.md

@@ -21,7 +21,7 @@
 |---|---|
 | `confirmed` | Booking is active. Slot is blocked. Emails sent. |
 | `pending` | Awaiting host approval (when `requires_confirmation` is on). |
-| `cancelled` | Cancelled by host. Slot is freed. |
+| `cancelled` | Cancelled by host or guest. Slot is freed. |
 | `declined` | Declined by host (pending booking rejected). |
 
 ## Confirmation mode
@@ -48,6 +48,17 @@ From the dashboard, click **Cancel** on an upcoming booking:
 3. Both guest and host receive cancellation emails with a `METHOD:CANCEL` `.ics` attachment
 4. If the booking was pushed to CalDAV, the event is deleted from the calendar
 
+### Guest self-cancellation
+
+Guests can cancel their own bookings via a link in the confirmation email:
+
+1. Click the "Cancel booking" link in the email
+2. Optionally enter a reason
+3. Confirm the cancellation
+4. Both guest and host are notified
+
+The cancellation email correctly attributes who cancelled (host vs guest).
+
 ## Conflict detection
 
 Before a booking is accepted, calrs checks for conflicts:
@@ -57,6 +68,8 @@ Before a booking is accepted, calrs checks for conflicts:
 - **Buffer times** — the buffer before/after is included in the conflict window
 - **Minimum notice** — slots too close to the current time are rejected
 
+Additionally, a database-level unique index prevents two bookings from occupying the same slot, even if two guests submit simultaneously.
+
 ## CalDAV write-back
 
 When a booking is confirmed (either directly or via approval), calrs can push the event to the host's CalDAV calendar. See [CalDAV Integration > Write-back](./caldav.md#caldav-write-back) for setup.
@@ -71,6 +84,7 @@ If SMTP is configured, calrs sends emails at these moments:
 | Booking pending | "Awaiting confirmation" notice | Approval request with Approve/Decline buttons |
 | Booking declined | Decline notice (with optional reason) | — |
 | Booking cancelled | Cancellation + `.ics` CANCEL | Cancellation + `.ics` CANCEL |
+| Booking reminder | Reminder with cancel button | Reminder with details |
 
 All emails are sent as **HTML with plain text fallback**. They include event title, date, time, timezone, location, and notes. The HTML templates are responsive and support dark mode in email clients that honor `prefers-color-scheme`.