- gRPC sync sends username+password in metadata on every RPC,
verified by unary interceptor. No login RPC or token management.
- Password stored in Android EncryptedSharedPreferences (Keystore)
- Web UI retains bearer token flow for browser sessions
- FIDO2/U2F scoped to web UI only, not gRPC sync path
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- No grid in web view (writing aid only)
- No per-page share links for now (URL structure supports it later)
- No server-side deletion — server mirrors tablet exactly via sync
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Covers: gRPC sync API (full notebook push), REST API for web viewing,
SVG/JPG/PDF rendering, password + FIDO2/U2F auth via WebAuthn,
shareable links with optional expiry, Android app integration points.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
