<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width,initial-scale=1,viewport-fit=cover">
<title>Palanca Club App</title>
<link rel="preconnect" href="https://cdn.jsdelivr.net">
<!-- No hardcoded Supabase preconnect here on purpose: the correct project
     host differs per environment (Preview/Production) and is only known
     once /api/public-config.js responds. A dynamic preconnect hint for
     the actual configured project is injected there instead. Hardcoding
     the production host here would leak which project is "real" from any
     deployment's page source, and would preconnect to the WRONG project
     on Preview. -->
<meta name="theme-color" content="#050505">
<meta name="description" content="Palanca Club member app for Palanca Card users.">
<link rel="manifest" href="manifest.json">
<link rel="stylesheet" href="css/styles.css">
</head>
<body>
<div id="app" class="app"><div class="login"><div class="login-card"><div class="logo" aria-label="Palanca logo"></div><h1 class="h1">Loading...</h1></div></div></div>
<div id="toast" class="toast"></div>
<script src="https://cdn.jsdelivr.net/npm/@supabase/supabase-js@2"></script>
<!-- Environment-aware config: reads THIS deployment's own env vars
     (SUPABASE_URL/SUPABASE_ANON_KEY) server-side and sets
     window.PALANCA_SUPABASE. A plain <script> tag (no async/defer) so it
     blocks and fully executes before js/app.js parses at all — the app
     cannot start without configuration by construction, not by a runtime
     check racing against it. -->
<script src="/api/public-config.js"></script>
<!-- Local-dev-only fallback if the above didn't set anything (e.g. a
     plain static server with no /api/ runtime) — see js/config.js. -->
<script src="js/config.js"></script>
<script src="js/lib/paymentDisplay.js"></script>
<script src="js/lib/normalize.js"></script>
<script src="js/lib/passwordPolicy.js"></script>
<script src="js/app.js"></script>
</body>
</html>
