1215356990
Native app uses supabase.auth.signInWithPassword directly, bypassing /api/auth/login. This authenticated endpoint runs the same device-lock check post-auth: 409 DEVICE_LOCKED if bound to another user, 200+bind if Pro/Legend user, no-op bind for Free users. CORS headers extended to include x-device-name/model/os. 34 tests green. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>