diff --git a/heat-stack/app/routes/settings+/profile.password.tsx b/heat-stack/app/routes/settings+/profile.password.tsx
index 5dcf6cf9..91ede00f 100644
--- a/heat-stack/app/routes/settings+/profile.password.tsx
+++ b/heat-stack/app/routes/settings+/profile.password.tsx
@@ -1,7 +1,9 @@
 import { conform, useForm } from '@conform-to/react'
 import { getFieldsetConstraint, parse } from '@conform-to/zod'
+import { type SEOHandle } from '@nasa-gcn/remix-seo'
 import { json, redirect, type DataFunctionArgs } from '@remix-run/node'
 import { Form, Link, useActionData } from '@remix-run/react'
+import { AuthenticityTokenInput } from 'remix-utils/csrf/react'
 import { z } from 'zod'
 import { ErrorList, Field } from '#app/components/forms.tsx'
 import { Button } from '#app/components/ui/button.tsx'
@@ -12,13 +14,16 @@ import {
 	requireUserId,
 	verifyUserPassword,
 } from '#app/utils/auth.server.ts'
+import { validateCSRF } from '#app/utils/csrf.server.ts'
 import { prisma } from '#app/utils/db.server.ts'
 import { useIsPending } from '#app/utils/misc.tsx'
 import { redirectWithToast } from '#app/utils/toast.server.ts'
 import { PasswordSchema } from '#app/utils/user-validation.ts'
+import { type BreadcrumbHandle } from './profile.tsx'
 
-export const handle = {
+export const handle: BreadcrumbHandle & SEOHandle = {
 	breadcrumb: <Icon name="dots-horizontal">Password</Icon>,
+	getSitemapEntries: () => null,
 }
 
 const ChangePasswordForm = z
@@ -31,7 +36,7 @@ const ChangePasswordForm = z
 		if (confirmNewPassword !== newPassword) {
 			ctx.addIssue({
 				path: ['confirmNewPassword'],
-				code: 'custom',
+				code: z.ZodIssueCode.custom,
 				message: 'The passwords must match',
 			})
 		}
@@ -57,6 +62,7 @@ export async function action({ request }: DataFunctionArgs) {
 	const userId = await requireUserId(request)
 	await requirePassword(userId)
 	const formData = await request.formData()
+	await validateCSRF(formData, request.headers)
 	const submission = await parse(formData, {
 		async: true,
 		schema: ChangePasswordForm.superRefine(
@@ -66,7 +72,7 @@ export async function action({ request }: DataFunctionArgs) {
 					if (!user) {
 						ctx.addIssue({
 							path: ['currentPassword'],
-							code: 'custom',
+							code: z.ZodIssueCode.custom,
 							message: 'Incorrect password.',
 						})
 					}
@@ -126,6 +132,7 @@ export default function ChangePasswordRoute() {
 
 	return (
 		<Form method="POST" {...form.props} className="mx-auto max-w-md">
+			<AuthenticityTokenInput />
 			<Field
 				labelProps={{ children: 'Current Password' }}
 				inputProps={conform.input(fields.currentPassword, { type: 'password' })}
diff --git a/heat-stack/app/routes/settings+/profile.password_.create.tsx b/heat-stack/app/routes/settings+/profile.password_.create.tsx
index e5bc636e..2771106b 100644
--- a/heat-stack/app/routes/settings+/profile.password_.create.tsx
+++ b/heat-stack/app/routes/settings+/profile.password_.create.tsx
@@ -1,8 +1,8 @@
 import { conform, useForm } from '@conform-to/react'
 import { getFieldsetConstraint, parse } from '@conform-to/zod'
+import { type SEOHandle } from '@nasa-gcn/remix-seo'
 import { json, redirect, type DataFunctionArgs } from '@remix-run/node'
 import { Form, Link, useActionData } from '@remix-run/react'
-import { z } from 'zod'
 import { ErrorList, Field } from '#app/components/forms.tsx'
 import { Button } from '#app/components/ui/button.tsx'
 import { Icon } from '#app/components/ui/icon.tsx'
@@ -10,26 +10,15 @@ import { StatusButton } from '#app/components/ui/status-button.tsx'
 import { getPasswordHash, requireUserId } from '#app/utils/auth.server.ts'
 import { prisma } from '#app/utils/db.server.ts'
 import { useIsPending } from '#app/utils/misc.tsx'
-import { PasswordSchema } from '#app/utils/user-validation.ts'
+import { PasswordAndConfirmPasswordSchema } from '#app/utils/user-validation.ts'
+import { type BreadcrumbHandle } from './profile.tsx'
 
-export const handle = {
+export const handle: BreadcrumbHandle & SEOHandle = {
 	breadcrumb: <Icon name="dots-horizontal">Password</Icon>,
+	getSitemapEntries: () => null,
 }
 
-const CreatePasswordForm = z
-	.object({
-		newPassword: PasswordSchema,
-		confirmNewPassword: PasswordSchema,
-	})
-	.superRefine(({ confirmNewPassword, newPassword }, ctx) => {
-		if (confirmNewPassword !== newPassword) {
-			ctx.addIssue({
-				path: ['confirmNewPassword'],
-				code: 'custom',
-				message: 'The passwords must match',
-			})
-		}
-	})
+const CreatePasswordForm = PasswordAndConfirmPasswordSchema
 
 async function requireNoPassword(userId: string) {
 	const password = await prisma.password.findUnique({
@@ -66,7 +55,7 @@ export async function action({ request }: DataFunctionArgs) {
 		return json({ status: 'error', submission } as const, { status: 400 })
 	}
 
-	const { newPassword } = submission.value
+	const { password } = submission.value
 
 	await prisma.user.update({
 		select: { username: true },
@@ -74,7 +63,7 @@ export async function action({ request }: DataFunctionArgs) {
 		data: {
 			password: {
 				create: {
-					hash: await getPasswordHash(newPassword),
+					hash: await getPasswordHash(password),
 				},
 			},
 		},
@@ -101,15 +90,15 @@ export default function CreatePasswordRoute() {
 		<Form method="POST" {...form.props} className="mx-auto max-w-md">
 			<Field
 				labelProps={{ children: 'New Password' }}
-				inputProps={conform.input(fields.newPassword, { type: 'password' })}
-				errors={fields.newPassword.errors}
+				inputProps={conform.input(fields.password, { type: 'password' })}
+				errors={fields.password.errors}
 			/>
 			<Field
 				labelProps={{ children: 'Confirm New Password' }}
-				inputProps={conform.input(fields.confirmNewPassword, {
+				inputProps={conform.input(fields.confirmPassword, {
 					type: 'password',
 				})}
-				errors={fields.confirmNewPassword.errors}
+				errors={fields.confirmPassword.errors}
 			/>
 			<ErrorList id={form.errorId} errors={form.errors} />
 			<div className="grid w-full grid-cols-2 gap-6">
diff --git a/heat-stack/app/routes/settings+/profile.photo.tsx b/heat-stack/app/routes/settings+/profile.photo.tsx
index 5fc95aa6..30264243 100644
--- a/heat-stack/app/routes/settings+/profile.photo.tsx
+++ b/heat-stack/app/routes/settings+/profile.photo.tsx
@@ -1,5 +1,6 @@
 import { conform, useForm } from '@conform-to/react'
 import { getFieldsetConstraint, parse } from '@conform-to/zod'
+import { type SEOHandle } from '@nasa-gcn/remix-seo'
 import {
 	json,
 	redirect,
@@ -7,15 +8,21 @@ import {
 	unstable_parseMultipartFormData,
 	type DataFunctionArgs,
 } from '@remix-run/node'
-import { Form, useActionData, useLoaderData } from '@remix-run/react'
+import {
+	Form,
+	useActionData,
+	useLoaderData,
+	useNavigation,
+} from '@remix-run/react'
 import { useState } from 'react'
-import { ServerOnly } from 'remix-utils'
+import { AuthenticityTokenInput } from 'remix-utils/csrf/react'
 import { z } from 'zod'
 import { ErrorList } from '#app/components/forms.tsx'
 import { Button } from '#app/components/ui/button.tsx'
 import { Icon } from '#app/components/ui/icon.tsx'
 import { StatusButton } from '#app/components/ui/status-button.tsx'
 import { requireUserId } from '#app/utils/auth.server.ts'
+import { validateCSRF } from '#app/utils/csrf.server.ts'
 import { prisma } from '#app/utils/db.server.ts'
 import {
 	getUserImgSrc,
@@ -23,9 +30,11 @@ import {
 	useDoubleCheck,
 	useIsPending,
 } from '#app/utils/misc.tsx'
+import { type BreadcrumbHandle } from './profile.tsx'
 
-export const handle = {
+export const handle: BreadcrumbHandle & SEOHandle = {
 	breadcrumb: <Icon name="avatar">Photo</Icon>,
+	getSitemapEntries: () => null,
 }
 
 const MAX_SIZE = 1024 * 1024 * 3 // 3MB
@@ -34,7 +43,7 @@ const DeleteImageSchema = z.object({
 	intent: z.literal('delete'),
 })
 
-const SubmitFormSchema = z.object({
+const NewImageSchema = z.object({
 	intent: z.literal('submit'),
 	photoFile: z
 		.instanceof(File)
@@ -42,7 +51,7 @@ const SubmitFormSchema = z.object({
 		.refine(file => file.size <= MAX_SIZE, 'Image size must be less than 3MB'),
 })
 
-const PhotoFormSchema = z.union([DeleteImageSchema, SubmitFormSchema])
+const PhotoFormSchema = z.union([DeleteImageSchema, NewImageSchema])
 
 export async function loader({ request }: DataFunctionArgs) {
 	const userId = await requireUserId(request)
@@ -65,6 +74,7 @@ export async function action({ request }: DataFunctionArgs) {
 		request,
 		unstable_createMemoryUploadHandler({ maxPartSize: MAX_SIZE }),
 	)
+	await validateCSRF(formData, request.headers)
 
 	const submission = await parse(formData, {
 		schema: PhotoFormSchema.transform(async data => {
@@ -112,18 +122,26 @@ export default function PhotoRoute() {
 	const doubleCheckDeleteImage = useDoubleCheck()
 
 	const actionData = useActionData<typeof action>()
+	const navigation = useNavigation()
 
 	const [form, fields] = useForm({
 		id: 'profile-photo',
 		constraint: getFieldsetConstraint(PhotoFormSchema),
 		lastSubmission: actionData?.submission,
 		onValidate({ formData }) {
-			return parse(formData, { schema: PhotoFormSchema })
+			// otherwise, the best error zod gives us is "Invalid input" which is not
+			// enough
+			if (formData.get('intent') === 'delete') {
+				return parse(formData, { schema: DeleteImageSchema })
+			}
+			return parse(formData, { schema: NewImageSchema })
 		},
 		shouldRevalidate: 'onBlur',
 	})
 
 	const isPending = useIsPending()
+	const pendingIntent = isPending ? navigation.formData?.get('intent') : null
+	const lastSubmissionIntent = actionData?.submission.value?.intent
 
 	const [newImageSrc, setNewImageSrc] = useState<string | null>(null)
 
@@ -136,6 +154,7 @@ export default function PhotoRoute() {
 				onReset={() => setNewImageSrc(null)}
 				{...form.props}
 			>
+				<AuthenticityTokenInput />
 				<img
 					src={
 						newImageSrc ?? (data.user ? getUserImgSrc(data.user.image?.id) : '')
@@ -144,78 +163,85 @@ export default function PhotoRoute() {
 					alt={data.user?.name ?? data.user?.username}
 				/>
 				<ErrorList errors={fields.photoFile.errors} id={fields.photoFile.id} />
-				<input
-					{...conform.input(fields.photoFile, { type: 'file' })}
-					accept="image/*"
-					className="peer sr-only"
-					tabIndex={newImageSrc ? -1 : 0}
-					onChange={e => {
-						const file = e.currentTarget.files?.[0]
-						if (file) {
-							const reader = new FileReader()
-							reader.onload = event => {
-								setNewImageSrc(event.target?.result?.toString() ?? null)
+				<div className="flex gap-4">
+					{/*
+						We're doing some kinda odd things to make it so this works well
+						without JavaScript. Basically, we're using CSS to ensure the right
+						buttons show up based on the input's "valid" state (whether or not
+						an image has been selected). Progressive enhancement FTW!
+					*/}
+					<input
+						{...conform.input(fields.photoFile, { type: 'file' })}
+						accept="image/*"
+						className="peer sr-only"
+						required
+						tabIndex={newImageSrc ? -1 : 0}
+						onChange={e => {
+							const file = e.currentTarget.files?.[0]
+							if (file) {
+								const reader = new FileReader()
+								reader.onload = event => {
+									setNewImageSrc(event.target?.result?.toString() ?? null)
+								}
+								reader.readAsDataURL(file)
 							}
-							reader.readAsDataURL(file)
+						}}
+					/>
+					<Button
+						asChild
+						className="cursor-pointer peer-valid:hidden peer-focus-within:ring-4 peer-focus-visible:ring-4"
+					>
+						<label htmlFor={fields.photoFile.id}>
+							<Icon name="pencil-1">Change</Icon>
+						</label>
+					</Button>
+					<StatusButton
+						name="intent"
+						value="submit"
+						type="submit"
+						className="peer-invalid:hidden"
+						status={
+							pendingIntent === 'submit'
+								? 'pending'
+								: lastSubmissionIntent === 'submit'
+								  ? actionData?.status ?? 'idle'
+								  : 'idle'
 						}
-					}}
-				/>
-				{newImageSrc ? (
-					<div className="flex gap-4">
+					>
+						Save Photo
+					</StatusButton>
+					<Button
+						type="reset"
+						variant="destructive"
+						className="peer-invalid:hidden"
+					>
+						<Icon name="trash">Reset</Icon>
+					</Button>
+					{data.user.image?.id ? (
 						<StatusButton
-							type="submit"
-							name="intent"
-							value="submit"
-							status={isPending ? 'pending' : actionData?.status ?? 'idle'}
-							disabled={isPending}
+							className="peer-valid:hidden"
+							variant="destructive"
+							{...doubleCheckDeleteImage.getButtonProps({
+								type: 'submit',
+								name: 'intent',
+								value: 'delete',
+							})}
+							status={
+								pendingIntent === 'delete'
+									? 'pending'
+									: lastSubmissionIntent === 'delete'
+									  ? actionData?.status ?? 'idle'
+									  : 'idle'
+							}
 						>
-							Save Photo
+							<Icon name="trash">
+								{doubleCheckDeleteImage.doubleCheck
+									? 'Are you sure?'
+									: 'Delete'}
+							</Icon>
 						</StatusButton>
-						<Button type="reset" variant="secondary">
-							Reset
-						</Button>
-					</div>
-				) : (
-					<div className="flex gap-4 peer-invalid:[&>.server-only[type='submit']]:hidden">
-						<Button asChild className="cursor-pointer">
-							<label htmlFor={fields.photoFile.id}>
-								<Icon name="pencil-1">Change</Icon>
-							</label>
-						</Button>
-
-						{/* This is here for progressive enhancement. If the client doesn't
-						hydrate (or hasn't yet) this button will be available to submit the
-						selected photo. */}
-						<ServerOnly>
-							{() => (
-								<Button
-									name="intent"
-									value="submit"
-									type="submit"
-									className="server-only"
-								>
-									Save Photo
-								</Button>
-							)}
-						</ServerOnly>
-						{data.user.image?.id ? (
-							<Button
-								variant="destructive"
-								{...doubleCheckDeleteImage.getButtonProps({
-									type: 'submit',
-									name: 'intent',
-									value: 'delete',
-								})}
-							>
-								<Icon name="trash">
-									{doubleCheckDeleteImage.doubleCheck
-										? 'Are you sure?'
-										: 'Delete'}
-								</Icon>
-							</Button>
-						) : null}
-					</div>
-				)}
+					) : null}
+				</div>
 				<ErrorList errors={form.errors} />
 			</Form>
 		</div>
diff --git a/heat-stack/app/routes/settings+/profile.tsx b/heat-stack/app/routes/settings+/profile.tsx
index 09f7df2d..cf8869cb 100644
--- a/heat-stack/app/routes/settings+/profile.tsx
+++ b/heat-stack/app/routes/settings+/profile.tsx
@@ -1,3 +1,4 @@
+import { type SEOHandle } from '@nasa-gcn/remix-seo'
 import { json, type DataFunctionArgs } from '@remix-run/node'
 import { Link, Outlet, useMatches } from '@remix-run/react'
 import { z } from 'zod'
@@ -8,8 +9,12 @@ import { prisma } from '#app/utils/db.server.ts'
 import { cn, invariantResponse } from '#app/utils/misc.tsx'
 import { useUser } from '#app/utils/user.ts'
 
-export const handle = {
+export const BreadcrumbHandle = z.object({ breadcrumb: z.any() })
+export type BreadcrumbHandle = z.infer<typeof BreadcrumbHandle>
+
+export const handle: BreadcrumbHandle & SEOHandle = {
 	breadcrumb: <Icon name="file-text">Edit Profile</Icon>,
+	getSitemapEntries: () => null,
 }
 
 export async function loader({ request }: DataFunctionArgs) {
@@ -23,7 +28,7 @@ export async function loader({ request }: DataFunctionArgs) {
 }
 
 const BreadcrumbHandleMatch = z.object({
-	handle: z.object({ breadcrumb: z.any() }),
+	handle: BreadcrumbHandle,
 })
 
 export default function EditUserProfile() {
@@ -32,7 +37,7 @@ export default function EditUserProfile() {
 	const breadcrumbs = matches
 		.map(m => {
 			const result = BreadcrumbHandleMatch.safeParse(m)
-			if (!result.success) return null
+			if (!result.success || !result.data.handle.breadcrumb) return null
 			return (
 				<Link key={m.id} to={m.pathname} className="flex items-center">
 					{result.data.handle.breadcrumb}
@@ -42,29 +47,31 @@ export default function EditUserProfile() {
 		.filter(Boolean)
 
 	return (
-		<div className="container m-auto mb-36 mt-16 max-w-3xl">
-			<ul className="flex gap-3">
-				<li>
-					<Link
-						className="text-muted-foreground"
-						to={`/users/${user.username}`}
-					>
-						Profile
-					</Link>
-				</li>
-				{breadcrumbs.map((breadcrumb, i, arr) => (
-					<li
-						key={i}
-						className={cn('flex items-center gap-3', {
-							'text-muted-foreground': i < arr.length - 1,
-						})}
-					>
-						▶️ {breadcrumb}
+		<div className="m-auto mb-24 mt-16 max-w-3xl">
+			<div className="container">
+				<ul className="flex gap-3">
+					<li>
+						<Link
+							className="text-muted-foreground"
+							to={`/users/${user.username}`}
+						>
+							Profile
+						</Link>
 					</li>
-				))}
-			</ul>
+					{breadcrumbs.map((breadcrumb, i, arr) => (
+						<li
+							key={i}
+							className={cn('flex items-center gap-3', {
+								'text-muted-foreground': i < arr.length - 1,
+							})}
+						>
+							▶️ {breadcrumb}
+						</li>
+					))}
+				</ul>
+			</div>
 			<Spacer size="xs" />
-			<main>
+			<main className="mx-auto bg-muted px-6 py-8 md:container md:rounded-3xl">
 				<Outlet />
 			</main>
 		</div>
diff --git a/heat-stack/app/routes/settings+/profile.two-factor.disable.tsx b/heat-stack/app/routes/settings+/profile.two-factor.disable.tsx
index 1b627f86..89282877 100644
--- a/heat-stack/app/routes/settings+/profile.two-factor.disable.tsx
+++ b/heat-stack/app/routes/settings+/profile.two-factor.disable.tsx
@@ -1,16 +1,21 @@
+import { type SEOHandle } from '@nasa-gcn/remix-seo'
 import { json, type DataFunctionArgs } from '@remix-run/node'
 import { useFetcher } from '@remix-run/react'
+import { AuthenticityTokenInput } from 'remix-utils/csrf/react'
 import { Icon } from '#app/components/ui/icon.tsx'
 import { StatusButton } from '#app/components/ui/status-button.tsx'
 import { requireRecentVerification } from '#app/routes/_auth+/verify.tsx'
 import { requireUserId } from '#app/utils/auth.server.ts'
+import { validateCSRF } from '#app/utils/csrf.server.ts'
 import { prisma } from '#app/utils/db.server.ts'
 import { useDoubleCheck } from '#app/utils/misc.tsx'
 import { redirectWithToast } from '#app/utils/toast.server.ts'
+import { type BreadcrumbHandle } from './profile.tsx'
 import { twoFAVerificationType } from './profile.two-factor.tsx'
 
-export const handle = {
+export const handle: BreadcrumbHandle & SEOHandle = {
 	breadcrumb: <Icon name="lock-open-1">Disable</Icon>,
+	getSitemapEntries: () => null,
 }
 
 export async function loader({ request }: DataFunctionArgs) {
@@ -20,6 +25,7 @@ export async function loader({ request }: DataFunctionArgs) {
 
 export async function action({ request }: DataFunctionArgs) {
 	await requireRecentVerification(request)
+	await validateCSRF(await request.formData(), request.headers)
 	const userId = await requireUserId(request)
 	await prisma.verification.delete({
 		where: { target_type: { target: userId, type: twoFAVerificationType } },
@@ -36,7 +42,8 @@ export default function TwoFactorDisableRoute() {
 
 	return (
 		<div className="mx-auto max-w-sm">
-			<disable2FAFetcher.Form method="POST" preventScrollReset>
+			<disable2FAFetcher.Form method="POST">
+				<AuthenticityTokenInput />
 				<p>
 					Disabling two factor authentication is not recommended. However, if
 					you would like to do so, click here:
diff --git a/heat-stack/app/routes/settings+/profile.two-factor.index.tsx b/heat-stack/app/routes/settings+/profile.two-factor.index.tsx
index 22c92259..dbc3a18f 100644
--- a/heat-stack/app/routes/settings+/profile.two-factor.index.tsx
+++ b/heat-stack/app/routes/settings+/profile.two-factor.index.tsx
@@ -1,13 +1,20 @@
-import { generateTOTP } from '@epic-web/totp'
+import { type SEOHandle } from '@nasa-gcn/remix-seo'
 import { json, redirect, type DataFunctionArgs } from '@remix-run/node'
 import { Link, useFetcher, useLoaderData } from '@remix-run/react'
+import { AuthenticityTokenInput } from 'remix-utils/csrf/react'
 import { Icon } from '#app/components/ui/icon.tsx'
 import { StatusButton } from '#app/components/ui/status-button.tsx'
 import { requireUserId } from '#app/utils/auth.server.ts'
+import { validateCSRF } from '#app/utils/csrf.server.ts'
 import { prisma } from '#app/utils/db.server.ts'
+import { generateTOTP } from '#app/utils/totp.server.ts'
 import { twoFAVerificationType } from './profile.two-factor.tsx'
 import { twoFAVerifyVerificationType } from './profile.two-factor.verify.tsx'
 
+export const handle: SEOHandle = {
+	getSitemapEntries: () => null,
+}
+
 export async function loader({ request }: DataFunctionArgs) {
 	const userId = await requireUserId(request)
 	const verification = await prisma.verification.findUnique({
@@ -19,6 +26,7 @@ export async function loader({ request }: DataFunctionArgs) {
 
 export async function action({ request }: DataFunctionArgs) {
 	const userId = await requireUserId(request)
+	await validateCSRF(await request.formData(), request.headers)
 	const { otp: _otp, ...config } = generateTOTP()
 	const verificationData = {
 		...config,
@@ -68,7 +76,8 @@ export default function TwoFactorRoute() {
 						</a>{' '}
 						to log in.
 					</p>
-					<enable2FAFetcher.Form method="POST" preventScrollReset>
+					<enable2FAFetcher.Form method="POST">
+						<AuthenticityTokenInput />
 						<StatusButton
 							type="submit"
 							name="intent"
diff --git a/heat-stack/app/routes/settings+/profile.two-factor.tsx b/heat-stack/app/routes/settings+/profile.two-factor.tsx
index ae3eb614..7f5dfd19 100644
--- a/heat-stack/app/routes/settings+/profile.two-factor.tsx
+++ b/heat-stack/app/routes/settings+/profile.two-factor.tsx
@@ -1,9 +1,12 @@
+import { type SEOHandle } from '@nasa-gcn/remix-seo'
 import { Outlet } from '@remix-run/react'
 import { Icon } from '#app/components/ui/icon.tsx'
 import { type VerificationTypes } from '#app/routes/_auth+/verify.tsx'
+import { type BreadcrumbHandle } from './profile.tsx'
 
-export const handle = {
+export const handle: BreadcrumbHandle & SEOHandle = {
 	breadcrumb: <Icon name="lock-closed">2FA</Icon>,
+	getSitemapEntries: () => null,
 }
 
 export const twoFAVerificationType = '2fa' satisfies VerificationTypes
diff --git a/heat-stack/app/routes/settings+/profile.two-factor.verify.tsx b/heat-stack/app/routes/settings+/profile.two-factor.verify.tsx
index 71a4f484..dd5bbf17 100644
--- a/heat-stack/app/routes/settings+/profile.two-factor.verify.tsx
+++ b/heat-stack/app/routes/settings+/profile.two-factor.verify.tsx
@@ -1,6 +1,6 @@
 import { conform, useForm } from '@conform-to/react'
 import { getFieldsetConstraint, parse } from '@conform-to/zod'
-import { getTOTPAuthUri } from '@epic-web/totp'
+import { type SEOHandle } from '@nasa-gcn/remix-seo'
 import { json, redirect, type DataFunctionArgs } from '@remix-run/node'
 import {
 	Form,
@@ -9,25 +9,34 @@ import {
 	useNavigation,
 } from '@remix-run/react'
 import * as QRCode from 'qrcode'
+import { AuthenticityTokenInput } from 'remix-utils/csrf/react'
 import { z } from 'zod'
-import { Field } from '#app/components/forms.tsx'
+import { ErrorList, Field } from '#app/components/forms.tsx'
 import { Icon } from '#app/components/ui/icon.tsx'
 import { StatusButton } from '#app/components/ui/status-button.tsx'
 import { isCodeValid } from '#app/routes/_auth+/verify.tsx'
 import { requireUserId } from '#app/utils/auth.server.ts'
+import { validateCSRF } from '#app/utils/csrf.server.ts'
 import { prisma } from '#app/utils/db.server.ts'
 import { getDomainUrl, useIsPending } from '#app/utils/misc.tsx'
 import { redirectWithToast } from '#app/utils/toast.server.ts'
+import { getTOTPAuthUri } from '#app/utils/totp.server.ts'
+import { type BreadcrumbHandle } from './profile.tsx'
 import { twoFAVerificationType } from './profile.two-factor.tsx'
 
-export const handle = {
+export const handle: BreadcrumbHandle & SEOHandle = {
 	breadcrumb: <Icon name="check">Verify</Icon>,
+	getSitemapEntries: () => null,
 }
 
+const CancelSchema = z.object({ intent: z.literal('cancel') })
 const VerifySchema = z.object({
+	intent: z.literal('verify'),
 	code: z.string().min(6).max(6),
 })
 
+const ActionSchema = z.union([CancelSchema, VerifySchema])
+
 export const twoFAVerifyVerificationType = '2fa-verify'
 
 export async function loader({ request }: DataFunctionArgs) {
@@ -64,16 +73,12 @@ export async function loader({ request }: DataFunctionArgs) {
 export async function action({ request }: DataFunctionArgs) {
 	const userId = await requireUserId(request)
 	const formData = await request.formData()
+	await validateCSRF(formData, request.headers)
 
-	if (formData.get('intent') === 'cancel') {
-		await prisma.verification.deleteMany({
-			where: { type: twoFAVerifyVerificationType, target: userId },
-		})
-		return redirect('/settings/profile/two-factor')
-	}
 	const submission = await parse(formData, {
 		schema: () =>
-			VerifySchema.superRefine(async (data, ctx) => {
+			ActionSchema.superRefine(async (data, ctx) => {
+				if (data.intent === 'cancel') return null
 				const codeIsValid = await isCodeValid({
 					code: data.code,
 					type: twoFAVerifyVerificationType,
@@ -85,7 +90,7 @@ export async function action({ request }: DataFunctionArgs) {
 						code: z.ZodIssueCode.custom,
 						message: `Invalid code`,
 					})
-					return
+					return z.NEVER
 				}
 			}),
 		async: true,
@@ -98,17 +103,27 @@ export async function action({ request }: DataFunctionArgs) {
 		return json({ status: 'error', submission } as const, { status: 400 })
 	}
 
-	await prisma.verification.update({
-		where: {
-			target_type: { type: twoFAVerifyVerificationType, target: userId },
-		},
-		data: { type: twoFAVerificationType },
-	})
-	return redirectWithToast('/settings/profile/two-factor', {
-		type: 'success',
-		title: 'Enabled',
-		description: 'Two-factor authentication has been enabled.',
-	})
+	switch (submission.value.intent) {
+		case 'cancel': {
+			await prisma.verification.deleteMany({
+				where: { type: twoFAVerifyVerificationType, target: userId },
+			})
+			return redirect('/settings/profile/two-factor')
+		}
+		case 'verify': {
+			await prisma.verification.update({
+				where: {
+					target_type: { type: twoFAVerifyVerificationType, target: userId },
+				},
+				data: { type: twoFAVerificationType },
+			})
+			return redirectWithToast('/settings/profile/two-factor', {
+				type: 'success',
+				title: 'Enabled',
+				description: 'Two-factor authentication has been enabled.',
+			})
+		}
+	}
 }
 
 export default function TwoFactorRoute() {
@@ -118,12 +133,18 @@ export default function TwoFactorRoute() {
 
 	const isPending = useIsPending()
 	const pendingIntent = isPending ? navigation.formData?.get('intent') : null
+	const lastSubmissionIntent = actionData?.submission.value?.intent
 
 	const [form, fields] = useForm({
 		id: 'verify-form',
-		constraint: getFieldsetConstraint(VerifySchema),
+		constraint: getFieldsetConstraint(ActionSchema),
 		lastSubmission: actionData?.submission,
 		onValidate({ formData }) {
+			// otherwise, the best error zod gives us is "Invalid input" which is not
+			// enough
+			if (formData.get('intent') === 'cancel') {
+				return parse(formData, { schema: CancelSchema })
+			}
 			return parse(formData, { schema: VerifySchema })
 		},
 	})
@@ -154,6 +175,7 @@ export default function TwoFactorRoute() {
 				</p>
 				<div className="flex w-full max-w-xs flex-col justify-center gap-4">
 					<Form method="POST" {...form.props} className="flex-1">
+						<AuthenticityTokenInput />
 						<Field
 							labelProps={{
 								htmlFor: fields.code.id,
@@ -162,25 +184,37 @@ export default function TwoFactorRoute() {
 							inputProps={{ ...conform.input(fields.code), autoFocus: true }}
 							errors={fields.code.errors}
 						/>
+
+						<div className="min-h-[32px] px-4 pb-3 pt-1">
+							<ErrorList id={form.errorId} errors={form.errors} />
+						</div>
+
 						<div className="flex justify-between gap-4">
 							<StatusButton
 								className="w-full"
 								status={
 									pendingIntent === 'verify'
 										? 'pending'
-										: actionData?.status ?? 'idle'
+										: lastSubmissionIntent === 'verify'
+										  ? actionData?.status ?? 'idle'
+										  : 'idle'
 								}
 								type="submit"
 								name="intent"
 								value="verify"
-								disabled={isPending}
 							>
 								Submit
 							</StatusButton>
 							<StatusButton
 								className="w-full"
 								variant="secondary"
-								status={pendingIntent === 'cancel' ? 'pending' : 'idle'}
+								status={
+									pendingIntent === 'cancel'
+										? 'pending'
+										: lastSubmissionIntent === 'cancel'
+										  ? actionData?.status ?? 'idle'
+										  : 'idle'
+								}
 								type="submit"
 								name="intent"
 								value="cancel"
diff --git a/heat-stack/app/routes/users+/$username.test.tsx b/heat-stack/app/routes/users+/$username.test.tsx
index 5487b306..d0c47a67 100644
--- a/heat-stack/app/routes/users+/$username.test.tsx
+++ b/heat-stack/app/routes/users+/$username.test.tsx
@@ -2,14 +2,14 @@
  * @vitest-environment jsdom
  */
 import { faker } from '@faker-js/faker'
-import { unstable_createRemixStub as createRemixStub } from '@remix-run/testing'
+import { createRemixStub } from '@remix-run/testing'
 import { render, screen } from '@testing-library/react'
 import setCookieParser from 'set-cookie-parser'
 import { test } from 'vitest'
 import { loader as rootLoader } from '#app/root.tsx'
 import { getSessionExpirationDate, sessionKey } from '#app/utils/auth.server.ts'
 import { prisma } from '#app/utils/db.server.ts'
-import { sessionStorage } from '#app/utils/session.server.ts'
+import { authSessionStorage } from '#app/utils/session.server.ts'
 import { createUser, getUserImages } from '#tests/db-utils.ts'
 import { default as UsernameRoute, loader } from './$username.tsx'
 
@@ -53,9 +53,9 @@ test('The user profile when logged in as self', async () => {
 		},
 	})
 
-	const cookieSession = await sessionStorage.getSession()
-	cookieSession.set(sessionKey, session.id)
-	const setCookieHeader = await sessionStorage.commitSession(cookieSession)
+	const authSession = await authSessionStorage.getSession()
+	authSession.set(sessionKey, session.id)
+	const setCookieHeader = await authSessionStorage.commitSession(authSession)
 	const parsedCookie = setCookieParser.parseString(setCookieHeader)
 	const cookieHeader = new URLSearchParams({
 		[parsedCookie.name]: parsedCookie.value,
diff --git a/heat-stack/app/routes/users+/$username_+/__note-editor.tsx b/heat-stack/app/routes/users+/$username_+/__note-editor.tsx
index e74ce751..0c083a5e 100644
--- a/heat-stack/app/routes/users+/$username_+/__note-editor.tsx
+++ b/heat-stack/app/routes/users+/$username_+/__note-editor.tsx
@@ -17,8 +17,9 @@ import {
 	type DataFunctionArgs,
 	type SerializeFrom,
 } from '@remix-run/node'
-import { Form, useFetcher } from '@remix-run/react'
+import { Form, useActionData, useNavigation } from '@remix-run/react'
 import { useRef, useState } from 'react'
+import { AuthenticityTokenInput } from 'remix-utils/csrf/react'
 import { z } from 'zod'
 import { GeneralErrorBoundary } from '#app/components/error-boundary.tsx'
 import { floatingToolbarClassName } from '#app/components/floating-toolbar.tsx'
@@ -29,6 +30,7 @@ import { Label } from '#app/components/ui/label.tsx'
 import { StatusButton } from '#app/components/ui/status-button.tsx'
 import { Textarea } from '#app/components/ui/textarea.tsx'
 import { requireUserId } from '#app/utils/auth.server.ts'
+import { validateCSRF } from '#app/utils/csrf.server.ts'
 import { prisma } from '#app/utils/db.server.ts'
 import { cn, getNoteImgSrc } from '#app/utils/misc.tsx'
 
@@ -78,6 +80,7 @@ export async function action({ request }: DataFunctionArgs) {
 		request,
 		createMemoryUploadHandler({ maxPartSize: MAX_UPLOAD_SIZE }),
 	)
+	await validateCSRF(formData, request.headers)
 
 	const submission = await parse(formData, {
 		schema: NoteEditorSchema.superRefine(async (data, ctx) => {
@@ -89,7 +92,7 @@ export async function action({ request }: DataFunctionArgs) {
 			})
 			if (!note) {
 				ctx.addIssue({
-					code: 'custom',
+					code: z.ZodIssueCode.custom,
 					message: 'Note not found',
 				})
 			}
@@ -131,11 +134,11 @@ export async function action({ request }: DataFunctionArgs) {
 	})
 
 	if (submission.intent !== 'submit') {
-		return json({ status: 'idle', submission } as const)
+		return json({ submission } as const)
 	}
 
 	if (!submission.value) {
-		return json({ status: 'error', submission } as const, { status: 400 })
+		return json({ submission } as const, { status: 400 })
 	}
 
 	const {
@@ -183,13 +186,15 @@ export function NoteEditor({
 		}
 	>
 }) {
-	const noteFetcher = useFetcher<typeof action>()
-	const isPending = noteFetcher.state !== 'idle'
+	const actionData = useActionData<typeof action>()
+
+	const navigation = useNavigation()
+	const isPending = navigation.state !== 'idle'
 
 	const [form, fields] = useForm({
 		id: 'note-editor',
 		constraint: getFieldsetConstraint(NoteEditorSchema),
-		lastSubmission: noteFetcher.data?.submission,
+		lastSubmission: actionData?.submission,
 		onValidate({ formData }) {
 			return parse(formData, { schema: NoteEditorSchema })
 		},
@@ -204,11 +209,12 @@ export function NoteEditor({
 	return (
 		<div className="absolute inset-0">
 			<Form
-				method="post"
+				method="POST"
 				className="flex h-full flex-col gap-y-4 overflow-y-auto overflow-x-hidden px-10 pb-28 pt-12"
 				{...form.props}
 				encType="multipart/form-data"
 			>
+				<AuthenticityTokenInput />
 				{/*
 					This hidden submit button is here to ensure that when the user hits
 					"enter" on an input field, the primary form function is submitted
@@ -241,7 +247,7 @@ export function NoteEditor({
 									className="relative border-b-2 border-muted-foreground"
 								>
 									<button
-										className="absolute right-0 top-0 text-destructive"
+										className="absolute right-0 top-0 text-foreground-destructive"
 										{...list.remove(fields.images.name, { index })}
 									>
 										<span aria-hidden>
@@ -256,7 +262,7 @@ export function NoteEditor({
 					</div>
 					<Button
 						className="mt-3"
-						{...list.append(fields.images.name, { defaultValue: {} })}
+						{...list.insert(fields.images.name, { defaultValue: {} })}
 					>
 						<span aria-hidden>
 							<Icon name="plus">Image</Icon>
diff --git a/heat-stack/app/routes/users+/$username_+/notes.$noteId.tsx b/heat-stack/app/routes/users+/$username_+/notes.$noteId.tsx
index 3f440ec6..ccd1a5e7 100644
--- a/heat-stack/app/routes/users+/$username_+/notes.$noteId.tsx
+++ b/heat-stack/app/routes/users+/$username_+/notes.$noteId.tsx
@@ -1,5 +1,5 @@
 import { useForm } from '@conform-to/react'
-import { getFieldsetConstraint, parse } from '@conform-to/zod'
+import { parse } from '@conform-to/zod'
 import { json, type DataFunctionArgs } from '@remix-run/node'
 import {
 	Form,
@@ -9,6 +9,7 @@ import {
 	type MetaFunction,
 } from '@remix-run/react'
 import { formatDistanceToNow } from 'date-fns'
+import { AuthenticityTokenInput } from 'remix-utils/csrf/react'
 import { z } from 'zod'
 import { GeneralErrorBoundary } from '#app/components/error-boundary.tsx'
 import { floatingToolbarClassName } from '#app/components/floating-toolbar.tsx'
@@ -17,6 +18,7 @@ import { Button } from '#app/components/ui/button.tsx'
 import { Icon } from '#app/components/ui/icon.tsx'
 import { StatusButton } from '#app/components/ui/status-button.tsx'
 import { requireUserId } from '#app/utils/auth.server.ts'
+import { validateCSRF } from '#app/utils/csrf.server.ts'
 import { prisma } from '#app/utils/db.server.ts'
 import {
 	getNoteImgSrc,
@@ -68,6 +70,7 @@ const DeleteFormSchema = z.object({
 export async function action({ request }: DataFunctionArgs) {
 	const userId = await requireUserId(request)
 	const formData = await request.formData()
+	await validateCSRF(formData, request.headers)
 	const submission = parse(formData, {
 		schema: DeleteFormSchema,
 	})
@@ -164,14 +167,11 @@ export function DeleteNote({ id }: { id: string }) {
 	const [form] = useForm({
 		id: 'delete-note',
 		lastSubmission: actionData?.submission,
-		constraint: getFieldsetConstraint(DeleteFormSchema),
-		onValidate({ formData }) {
-			return parse(formData, { schema: DeleteFormSchema })
-		},
 	})
 
 	return (
-		<Form method="post" {...form.props}>
+		<Form method="POST" {...form.props}>
+			<AuthenticityTokenInput />
 			<input type="hidden" name="noteId" value={id} />
 			<StatusButton
 				type="submit"
diff --git a/heat-stack/app/routes/users+/$username_+/notes.new.tsx b/heat-stack/app/routes/users+/$username_+/notes.new.tsx
index 35248e99..64c5c6b9 100644
--- a/heat-stack/app/routes/users+/$username_+/notes.new.tsx
+++ b/heat-stack/app/routes/users+/$username_+/notes.new.tsx
@@ -1,4 +1,4 @@
-import { json } from '@remix-run/router'
+import { json } from '@remix-run/node'
 import { type DataFunctionArgs } from '@remix-run/server-runtime'
 import { requireUserId } from '#app/utils/auth.server.ts'
 import { NoteEditor, action } from './__note-editor.tsx'
diff --git a/heat-stack/app/styles/tailwind.css b/heat-stack/app/styles/tailwind.css
index 801bd23e..e084967a 100644
--- a/heat-stack/app/styles/tailwind.css
+++ b/heat-stack/app/styles/tailwind.css
@@ -8,13 +8,13 @@
 		/* --font-mono: here if you got it... */
 
 		/* prefixed with foreground because it should look good on the background */
-		--foreground-danger: 345 82.7% 40.8%;
+		--foreground-destructive: 345 82.7% 40.8%;
 
 		--background: 0 0% 100%;
 		--foreground: 222.2 84% 4.9%;
 
-		--muted: 210 40% 96.1%;
-		--muted-foreground: 215.4 16.3% 46.9%;
+		--muted: 210 40% 93%;
+		--muted-foreground: 215.4 16.3% 30%;
 
 		--popover: 0 0% 100%;
 		--popover-foreground: 222.2 84% 4.9%;
@@ -29,13 +29,13 @@
 		--primary: 222.2 47.4% 11.2%;
 		--primary-foreground: 210 40% 98%;
 
-		--secondary: 210 40% 96.1%;
+		--secondary: 210 20% 83%;
 		--secondary-foreground: 222.2 47.4% 11.2%;
 
 		--accent: 210 40% 90%;
 		--accent-foreground: 222.2 47.4% 11.2%;
 
-		--destructive: 0 84.2% 60.2%;
+		--destructive: 0 70% 50%;
 		--destructive-foreground: 210 40% 98%;
 
 		--ring: 215 20.2% 65.1%;
@@ -48,9 +48,9 @@
 		--foreground: 210 40% 98%;
 
 		/* prefixed with foreground because it should look good on the background */
-		--foreground-danger: -4 84% 60%;
+		--foreground-destructive: -4 84% 60%;
 
-		--muted: 217.2 32.6% 17.5%;
+		--muted: 217.2 32.6% 12%;
 		--muted-foreground: 215 20.2% 65.1%;
 
 		--popover: 222.2 84% 4.9%;
@@ -66,16 +66,16 @@
 		--primary: 210 40% 98%;
 		--primary-foreground: 222.2 47.4% 11.2%;
 
-		--secondary: 217.2 32.6% 17.5%;
+		--secondary: 217.2 20% 24%;
 		--secondary-foreground: 210 40% 98%;
 
 		--accent: 217.2 32.6% 10%;
 		--accent-foreground: 210 40% 98%;
 
-		--destructive: 0 62.8% 30.6%;
+		--destructive: 0 60% 40%;
 		--destructive-foreground: 0 85.7% 97.3%;
 
-		--ring: 217.2 32.6% 17.5%;
+		--ring: 217.2 32.6% 60%;
 	}
 }
 
diff --git a/heat-stack/app/utils/auth.server.ts b/heat-stack/app/utils/auth.server.ts
index 4b8857e3..72693c77 100644
--- a/heat-stack/app/utils/auth.server.ts
+++ b/heat-stack/app/utils/auth.server.ts
@@ -2,12 +2,12 @@ import { type Connection, type Password, type User } from '@prisma/client'
 import { redirect } from '@remix-run/node'
 import bcrypt from 'bcryptjs'
 import { Authenticator } from 'remix-auth'
-import { safeRedirect } from 'remix-utils'
+import { safeRedirect } from 'remix-utils/safe-redirect'
 import { connectionSessionStorage, providers } from './connections.server.ts'
 import { prisma } from './db.server.ts'
 import { combineHeaders, downloadFile } from './misc.tsx'
 import { type ProviderUser } from './providers/provider.ts'
-import { sessionStorage } from './session.server.ts'
+import { authSessionStorage } from './session.server.ts'
 
 export const SESSION_EXPIRATION_TIME = 1000 * 60 * 60 * 24 * 30
 export const getSessionExpirationDate = () =>
@@ -24,10 +24,10 @@ for (const [providerName, provider] of Object.entries(providers)) {
 }
 
 export async function getUserId(request: Request) {
-	const cookieSession = await sessionStorage.getSession(
+	const authSession = await authSessionStorage.getSession(
 		request.headers.get('cookie'),
 	)
-	const sessionId = cookieSession.get(sessionKey)
+	const sessionId = authSession.get(sessionKey)
 	if (!sessionId) return null
 	const session = await prisma.session.findUnique({
 		select: { user: { select: { id: true } } },
@@ -36,7 +36,7 @@ export async function getUserId(request: Request) {
 	if (!session?.user) {
 		throw redirect('/', {
 			headers: {
-				'set-cookie': await sessionStorage.destroySession(cookieSession),
+				'set-cookie': await authSessionStorage.destroySession(authSession),
 			},
 		})
 	}
@@ -96,7 +96,7 @@ export async function resetUserPassword({
 	username: User['username']
 	password: string
 }) {
-	const hashedPassword = await bcrypt.hash(password, 10)
+	const hashedPassword = await getPasswordHash(password)
 	return prisma.user.update({
 		where: { username },
 		data: {
@@ -168,6 +168,7 @@ export async function signupWithConnection({
 					email: email.toLowerCase(),
 					username: username.toLowerCase(),
 					name,
+					roles: { connect: { name: 'user' } },
 					connections: { create: { providerId, providerName } },
 					image: imageUrl
 						? { create: await downloadFile(imageUrl) }
@@ -191,17 +192,17 @@ export async function logout(
 	},
 	responseInit?: ResponseInit,
 ) {
-	const cookieSession = await sessionStorage.getSession(
+	const authSession = await authSessionStorage.getSession(
 		request.headers.get('cookie'),
 	)
-	const sessionId = cookieSession.get(sessionKey)
+	const sessionId = authSession.get(sessionKey)
 	// if this fails, we still need to delete the session from the user's browser
 	// and it doesn't do any harm staying in the db anyway.
-	void prisma.session.delete({ where: { id: sessionId } })
+	if (sessionId) void prisma.session.deleteMany({ where: { id: sessionId } })
 	throw redirect(safeRedirect(redirectTo), {
 		...responseInit,
 		headers: combineHeaders(
-			{ 'set-cookie': await sessionStorage.destroySession(cookieSession) },
+			{ 'set-cookie': await authSessionStorage.destroySession(authSession) },
 			responseInit?.headers,
 		),
 	})
diff --git a/heat-stack/app/utils/cache.server.ts b/heat-stack/app/utils/cache.server.ts
index 3b9373eb..635faa39 100644
--- a/heat-stack/app/utils/cache.server.ts
+++ b/heat-stack/app/utils/cache.server.ts
@@ -1,6 +1,4 @@
 import fs from 'fs'
-import { remember } from '@epic-web/remember'
-import Database from 'better-sqlite3'
 import {
 	cachified as baseCachified,
 	lruCacheAdapter,
@@ -9,7 +7,9 @@ import {
 	type CacheEntry,
 	type Cache as CachifiedCache,
 	type CachifiedOptions,
-} from 'cachified'
+} from '@epic-web/cachified'
+import { remember } from '@epic-web/remember'
+import Database from 'better-sqlite3'
 import { LRUCache } from 'lru-cache'
 import { z } from 'zod'
 import { updatePrimaryCacheValue } from '#app/routes/admin+/cache_.sqlite.tsx'
diff --git a/heat-stack/app/utils/client-hints.tsx b/heat-stack/app/utils/client-hints.tsx
index f3e1628e..546dfd2c 100644
--- a/heat-stack/app/utils/client-hints.tsx
+++ b/heat-stack/app/utils/client-hints.tsx
@@ -2,78 +2,23 @@
  * This file contains utilities for using client hints for user preference which
  * are needed by the server, but are only known by the browser.
  */
+import { getHintUtils } from '@epic-web/client-hints'
+import {
+	clientHint as colorSchemeHint,
+	subscribeToSchemeChange,
+} from '@epic-web/client-hints/color-scheme'
+import { clientHint as timeZoneHint } from '@epic-web/client-hints/time-zone'
 import { useRevalidator } from '@remix-run/react'
 import * as React from 'react'
 import { useRequestInfo } from './request-info.ts'
 
-const clientHints = {
-	theme: {
-		cookieName: 'CH-prefers-color-scheme',
-		getValueCode: `window.matchMedia('(prefers-color-scheme: dark)').matches ? 'dark' : 'light'`,
-		fallback: 'light',
-		transform(value: string) {
-			return value === 'dark' ? 'dark' : 'light'
-		},
-	},
-	timeZone: {
-		cookieName: 'CH-time-zone',
-		getValueCode: `Intl.DateTimeFormat().resolvedOptions().timeZone`,
-		fallback: 'UTC',
-	},
+const hintsUtils = getHintUtils({
+	theme: colorSchemeHint,
+	timeZone: timeZoneHint,
 	// add other hints here
-}
-
-type ClientHintNames = keyof typeof clientHints
-
-function getCookieValue(cookieString: string, name: ClientHintNames) {
-	const hint = clientHints[name]
-	if (!hint) {
-		throw new Error(`Unknown client hint: ${name}`)
-	}
-	const value = cookieString
-		.split(';')
-		.map(c => c.trim())
-		.find(c => c.startsWith(hint.cookieName + '='))
-		?.split('=')[1]
-
-	return value ? decodeURIComponent(value) : null
-}
-
-/**
- *
- * @param request {Request} - optional request object (only used on server)
- * @returns an object with the client hints and their values
- */
-export function getHints(request?: Request) {
-	const cookieString =
-		typeof document !== 'undefined'
-			? document.cookie
-			: typeof request !== 'undefined'
-			? request.headers.get('Cookie') ?? ''
-			: ''
+})
 
-	return Object.entries(clientHints).reduce(
-		(acc, [name, hint]) => {
-			const hintName = name as ClientHintNames
-			if ('transform' in hint) {
-				acc[hintName] = hint.transform(
-					getCookieValue(cookieString, hintName) ?? hint.fallback,
-				)
-			} else {
-				// @ts-expect-error - this is fine (PRs welcome though)
-				acc[hintName] = getCookieValue(cookieString, hintName) ?? hint.fallback
-			}
-			return acc
-		},
-		{} as {
-			[name in ClientHintNames]: (typeof clientHints)[name] extends {
-				transform: (value: any) => infer ReturnValue
-			}
-				? ReturnValue
-				: (typeof clientHints)[name]['fallback']
-		},
-	)
-}
+export const { getHints } = hintsUtils
 
 /**
  * @returns an object with the client hints and their values
@@ -90,51 +35,16 @@ export function useHints() {
  */
 export function ClientHintCheck({ nonce }: { nonce: string }) {
 	const { revalidate } = useRevalidator()
-	React.useEffect(() => {
-		const themeQuery = window.matchMedia('(prefers-color-scheme: dark)')
-		function handleThemeChange() {
-			document.cookie = `${clientHints.theme.cookieName}=${
-				themeQuery.matches ? 'dark' : 'light'
-			}`
-			revalidate()
-		}
-		themeQuery.addEventListener('change', handleThemeChange)
-		return () => {
-			themeQuery.removeEventListener('change', handleThemeChange)
-		}
-	}, [revalidate])
+	React.useEffect(
+		() => subscribeToSchemeChange(() => revalidate()),
+		[revalidate],
+	)
 
 	return (
 		<script
 			nonce={nonce}
 			dangerouslySetInnerHTML={{
-				__html: `
-const cookies = document.cookie.split(';').map(c => c.trim()).reduce((acc, cur) => {
-	const [key, value] = cur.split('=');
-	acc[key] = value;
-	return acc;
-}, {});
-let cookieChanged = false;
-const hints = [
-${Object.values(clientHints)
-	.map(hint => {
-		const cookieName = JSON.stringify(hint.cookieName)
-		return `{ name: ${cookieName}, actual: String(${hint.getValueCode}), cookie: cookies[${cookieName}] }`
-	})
-	.join(',\n')}
-];
-for (const hint of hints) {
-	if (decodeURIComponent(hint.cookie) !== hint.actual) {
-		cookieChanged = true;
-		document.cookie = encodeURIComponent(hint.name) + '=' + encodeURIComponent(hint.actual) + ';path=/';
-	}
-}
-// if the cookie changed, reload the page, unless the browser doesn't support
-// cookies (in which case we would enter an infinite loop of reloads)
-if (cookieChanged && navigator.cookieEnabled) {
-	window.location.reload();
-}
-			`,
+				__html: hintsUtils.getClientHintCheckScript(),
 			}}
 		/>
 	)
diff --git a/heat-stack/app/utils/confetti.server.ts b/heat-stack/app/utils/confetti.server.ts
deleted file mode 100644
index 10c2704d..00000000
--- a/heat-stack/app/utils/confetti.server.ts
+++ /dev/null
@@ -1,42 +0,0 @@
-import { redirect } from '@remix-run/node'
-import * as cookie from 'cookie'
-import { combineHeaders } from './misc.tsx'
-
-const cookieName = 'en_confetti'
-
-export function getConfetti(request: Request) {
-	const cookieHeader = request.headers.get('cookie')
-	const confettiId = cookieHeader
-		? cookie.parse(cookieHeader)[cookieName]
-		: null
-	return {
-		confettiId,
-		headers: confettiId ? createConfettiHeaders(null) : null,
-	}
-}
-
-/**
- * This defaults the value to something reasonable if you want to show confetti.
- * If you want to clear the cookie, pass null and it will make a set-cookie
- * header that will delete the cookie
- *
- * @param value the value for the cookie in the set-cookie header
- * @returns Headers with a set-cookie header set to the value
- */
-export function createConfettiHeaders(
-	value: string | null = String(Date.now()),
-) {
-	return new Headers({
-		'set-cookie': cookie.serialize(cookieName, value ? value : '', {
-			path: '/',
-			maxAge: value ? 60 : -1,
-		}),
-	})
-}
-
-export async function redirectWithConfetti(url: string, init?: ResponseInit) {
-	return redirect(url, {
-		...init,
-		headers: combineHeaders(init?.headers, await createConfettiHeaders()),
-	})
-}
diff --git a/heat-stack/app/utils/connections.server.ts b/heat-stack/app/utils/connections.server.ts
index a81ee84a..db0c0af5 100644
--- a/heat-stack/app/utils/connections.server.ts
+++ b/heat-stack/app/utils/connections.server.ts
@@ -2,6 +2,7 @@ import { createCookieSessionStorage } from '@remix-run/node'
 import { type ProviderName } from './connections.tsx'
 import { GitHubProvider } from './providers/github.server.ts'
 import { type AuthProvider } from './providers/provider.ts'
+import { type Timings } from './timing.server.ts'
 
 export const connectionSessionStorage = createCookieSessionStorage({
 	cookie: {
@@ -26,6 +27,7 @@ export function handleMockAction(providerName: ProviderName, request: Request) {
 export function resolveConnectionData(
 	providerName: ProviderName,
 	providerId: string,
+	options?: { timings?: Timings },
 ) {
-	return providers[providerName].resolveConnectionData(providerId)
+	return providers[providerName].resolveConnectionData(providerId, options)
 }
diff --git a/heat-stack/app/utils/csrf.server.ts b/heat-stack/app/utils/csrf.server.ts
new file mode 100644
index 00000000..5edcf91d
--- /dev/null
+++ b/heat-stack/app/utils/csrf.server.ts
@@ -0,0 +1,23 @@
+import { createCookie } from '@remix-run/node'
+import { CSRF, CSRFError } from 'remix-utils/csrf/server'
+
+const cookie = createCookie('csrf', {
+	path: '/',
+	httpOnly: true,
+	secure: process.env.NODE_ENV === 'production',
+	sameSite: 'lax',
+	secrets: process.env.SESSION_SECRET.split(','),
+})
+
+export const csrf = new CSRF({ cookie })
+
+export async function validateCSRF(formData: FormData, headers: Headers) {
+	try {
+		await csrf.validate(formData, headers)
+	} catch (error) {
+		if (error instanceof CSRFError) {
+			throw new Response('Invalid CSRF token', { status: 403 })
+		}
+		throw error
+	}
+}
diff --git a/heat-stack/app/utils/env.server.ts b/heat-stack/app/utils/env.server.ts
index 4c53cbbf..d713e5e5 100644
--- a/heat-stack/app/utils/env.server.ts
+++ b/heat-stack/app/utils/env.server.ts
@@ -6,6 +6,7 @@ const schema = z.object({
 	DATABASE_URL: z.string(),
 	SESSION_SECRET: z.string(),
 	INTERNAL_COMMAND_TOKEN: z.string(),
+	HONEYPOT_SECRET: z.string(),
 	CACHE_DATABASE_PATH: z.string(),
 	// If you plan on using Sentry, uncomment this line
 	// SENTRY_DSN: z.string(),
@@ -32,7 +33,7 @@ export function init() {
 			parsed.error.flatten().fieldErrors,
 		)
 
-		throw new Error('Invalid envirmonment variables')
+		throw new Error('Invalid environment variables')
 	}
 }
 
diff --git a/heat-stack/app/utils/extended-theme.ts b/heat-stack/app/utils/extended-theme.ts
index 5f2147b5..f1d69945 100644
--- a/heat-stack/app/utils/extended-theme.ts
+++ b/heat-stack/app/utils/extended-theme.ts
@@ -9,12 +9,12 @@ export const extendedTheme = {
 		},
 		ring: {
 			DEFAULT: 'hsl(var(--ring))',
-			invalid: 'hsl(var(--foreground-danger))',
+			invalid: 'hsl(var(--foreground-destructive))',
 		},
 		background: 'hsl(var(--background))',
 		foreground: {
 			DEFAULT: 'hsl(var(--foreground))',
-			danger: 'hsl(var(--foreground-danger))',
+			destructive: 'hsl(var(--foreground-destructive))',
 		},
 		primary: {
 			DEFAULT: 'hsl(var(--primary))',
diff --git a/heat-stack/app/utils/honeypot.server.ts b/heat-stack/app/utils/honeypot.server.ts
new file mode 100644
index 00000000..86605d79
--- /dev/null
+++ b/heat-stack/app/utils/honeypot.server.ts
@@ -0,0 +1,17 @@
+import { Honeypot, SpamError } from 'remix-utils/honeypot/server'
+
+export const honeypot = new Honeypot({
+	validFromFieldName: process.env.TESTING ? null : undefined,
+	encryptionSeed: process.env.HONEYPOT_SECRET,
+})
+
+export function checkHoneypot(formData: FormData) {
+	try {
+		honeypot.check(formData)
+	} catch (error) {
+		if (error instanceof SpamError) {
+			throw new Response('Form not submitted properly', { status: 400 })
+		}
+		throw error
+	}
+}
diff --git a/heat-stack/app/utils/misc.tsx b/heat-stack/app/utils/misc.tsx
index c2c3e610..687cd064 100644
--- a/heat-stack/app/utils/misc.tsx
+++ b/heat-stack/app/utils/misc.tsx
@@ -42,22 +42,24 @@ function formatColors() {
 	return colors
 }
 
-const customTwMerge = extendTailwindMerge({
-	theme: {
-		colors: formatColors(),
-		borderRadius: Object.keys(extendedTheme.borderRadius),
-	},
-	classGroups: {
-		'font-size': [
-			{
-				text: Object.keys(extendedTheme.fontSize),
-			},
-		],
-		animate: [
-			{
-				animate: Object.keys(extendedTheme.animation),
-			},
-		],
+const customTwMerge = extendTailwindMerge<string, string>({
+	extend: {
+		theme: {
+			colors: formatColors(),
+			borderRadius: Object.keys(extendedTheme.borderRadius),
+		},
+		classGroups: {
+			'font-size': [
+				{
+					text: Object.keys(extendedTheme.fontSize),
+				},
+			],
+			animate: [
+				{
+					animate: Object.keys(extendedTheme.animation),
+				},
+			],
+		},
 	},
 })
 
diff --git a/heat-stack/app/utils/monitoring.client.tsx b/heat-stack/app/utils/monitoring.client.tsx
index cd7d1180..47cc6856 100644
--- a/heat-stack/app/utils/monitoring.client.tsx
+++ b/heat-stack/app/utils/monitoring.client.tsx
@@ -5,6 +5,7 @@ import { useEffect } from 'react'
 export function init() {
 	Sentry.init({
 		dsn: ENV.SENTRY_DSN,
+		environment: ENV.MODE,
 		integrations: [
 			new Sentry.BrowserTracing({
 				routingInstrumentation: Sentry.remixRouterInstrumentation(
@@ -15,6 +16,7 @@ export function init() {
 			}),
 			// Replay is only available in the client
 			new Sentry.Replay(),
+			new Sentry.BrowserProfilingIntegration(),
 		],
 
 		// Set tracesSampleRate to 1.0 to capture 100%
diff --git a/heat-stack/app/utils/monitoring.server.ts b/heat-stack/app/utils/monitoring.server.ts
index cc79a987..e33206d4 100644
--- a/heat-stack/app/utils/monitoring.server.ts
+++ b/heat-stack/app/utils/monitoring.server.ts
@@ -1,10 +1,42 @@
+import { ProfilingIntegration } from '@sentry/profiling-node'
 import * as Sentry from '@sentry/remix'
+import { prisma } from './db.server.ts'
 
 export function init() {
 	Sentry.init({
 		dsn: ENV.SENTRY_DSN,
-		tracesSampleRate: 1,
-		// TODO: Make this work with Prisma
-		// integrations: [new Sentry.Integrations.Prisma({ client: prisma })],
+		environment: ENV.MODE,
+		tracesSampleRate: ENV.MODE === 'production' ? 1 : 0,
+		denyUrls: [
+			/\/resources\/healthcheck/,
+			// TODO: be smarter about the public assets...
+			/\/build\//,
+			/\/favicons\//,
+			/\/img\//,
+			/\/fonts\//,
+			/\/favicon.ico/,
+			/\/site\.webmanifest/,
+		],
+		integrations: [
+			new Sentry.Integrations.Http({ tracing: true }),
+			new Sentry.Integrations.Prisma({ client: prisma }),
+			new ProfilingIntegration(),
+		],
+		tracesSampler(samplingContext) {
+			// ignore healthcheck transactions by other services (consul, etc.)
+			if (samplingContext.request?.url?.includes('/resources/healthcheck')) {
+				return 0
+			}
+			return 1
+		},
+		beforeSendTransaction(event) {
+			// ignore all healthcheck related transactions
+			//  note that name of header here is case-sensitive
+			if (event.request?.headers?.['x-healthcheck'] === 'true') {
+				return null
+			}
+
+			return event
+		},
 	})
 }
diff --git a/heat-stack/app/utils/providers/github.server.ts b/heat-stack/app/utils/providers/github.server.ts
index 678d1009..81337e73 100644
--- a/heat-stack/app/utils/providers/github.server.ts
+++ b/heat-stack/app/utils/providers/github.server.ts
@@ -2,10 +2,22 @@ import { createId as cuid } from '@paralleldrive/cuid2'
 import { redirect } from '@remix-run/node'
 import { GitHubStrategy } from 'remix-auth-github'
 import { z } from 'zod'
+import { cache, cachified } from '../cache.server.ts'
 import { connectionSessionStorage } from '../connections.server.ts'
+import { type Timings } from '../timing.server.ts'
 import { type AuthProvider } from './provider.ts'
 
 const GitHubUserSchema = z.object({ login: z.string() })
+const GitHubUserParseResult = z
+	.object({
+		success: z.literal(true),
+		data: GitHubUserSchema,
+	})
+	.or(
+		z.object({
+			success: z.literal(false),
+		}),
+	)
 
 const shouldMock = process.env.GITHUB_CLIENT_ID?.startsWith('MOCK_')
 
@@ -32,12 +44,33 @@ export class GitHubProvider implements AuthProvider {
 		)
 	}
 
-	async resolveConnectionData(providerId: string) {
-		const response = await fetch(`https://api.github.com/user/${providerId}`, {
-			headers: { Authorization: `token ${process.env.GITHUB_TOKEN}` },
+	async resolveConnectionData(
+		providerId: string,
+		{ timings }: { timings?: Timings } = {},
+	) {
+		const result = await cachified({
+			key: `connection-data:github:${providerId}`,
+			cache,
+			timings,
+			ttl: 1000 * 60,
+			swr: 1000 * 60 * 60 * 24 * 7,
+			async getFreshValue(context) {
+				await new Promise(r => setTimeout(r, 3000))
+				const response = await fetch(
+					`https://api.github.com/user/${providerId}`,
+					{ headers: { Authorization: `token ${process.env.GITHUB_TOKEN}` } },
+				)
+				const rawJson = await response.json()
+				const result = GitHubUserSchema.safeParse(rawJson)
+				if (!result.success) {
+					// if it was unsuccessful, then we should kick it out of the cache
+					// asap and try again.
+					context.metadata.ttl = 0
+				}
+				return result
+			},
+			checkValue: GitHubUserParseResult,
 		})
-		const rawJson = await response.json()
-		const result = GitHubUserSchema.safeParse(rawJson)
 		return {
 			displayName: result.success ? result.data.login : 'Unknown',
 			link: result.success ? `https://github.com/${result.data.login}` : null,
diff --git a/heat-stack/app/utils/providers/provider.ts b/heat-stack/app/utils/providers/provider.ts
index efc1089a..b9731a77 100644
--- a/heat-stack/app/utils/providers/provider.ts
+++ b/heat-stack/app/utils/providers/provider.ts
@@ -1,4 +1,5 @@
 import { type Strategy } from 'remix-auth'
+import { type Timings } from '../timing.server.ts'
 
 // Define a user type for cleaner typing
 export type ProviderUser = {
@@ -12,7 +13,10 @@ export type ProviderUser = {
 export interface AuthProvider {
 	getAuthStrategy(): Strategy<ProviderUser, any>
 	handleMockAction(request: Request): Promise<void>
-	resolveConnectionData(providerId: string): Promise<{
+	resolveConnectionData(
+		providerId: string,
+		options?: { timings?: Timings },
+	): Promise<{
 		displayName: string
 		link?: string | null
 	}>
diff --git a/heat-stack/app/utils/session.server.ts b/heat-stack/app/utils/session.server.ts
index a4c005c9..249c5a4d 100644
--- a/heat-stack/app/utils/session.server.ts
+++ b/heat-stack/app/utils/session.server.ts
@@ -1,6 +1,6 @@
 import { createCookieSessionStorage } from '@remix-run/node'
 
-export const sessionStorage = createCookieSessionStorage({
+export const authSessionStorage = createCookieSessionStorage({
 	cookie: {
 		name: 'en_session',
 		sameSite: 'lax',
@@ -13,9 +13,9 @@ export const sessionStorage = createCookieSessionStorage({
 
 // we have to do this because every time you commit the session you overwrite it
 // so we store the expiration time in the cookie and reset it every time we commit
-const originalCommitSession = sessionStorage.commitSession
+const originalCommitSession = authSessionStorage.commitSession
 
-Object.defineProperty(sessionStorage, 'commitSession', {
+Object.defineProperty(authSessionStorage, 'commitSession', {
 	value: async function commitSession(
 		...args: Parameters<typeof originalCommitSession>
 	) {
diff --git a/heat-stack/app/utils/timing.server.ts b/heat-stack/app/utils/timing.server.ts
index 807245ad..2fd64a00 100644
--- a/heat-stack/app/utils/timing.server.ts
+++ b/heat-stack/app/utils/timing.server.ts
@@ -1,4 +1,4 @@
-import { type CreateReporter } from 'cachified'
+import { type CreateReporter } from '@epic-web/cachified'
 
 export type Timings = Record<
 	string,
diff --git a/heat-stack/app/utils/totp.server.ts b/heat-stack/app/utils/totp.server.ts
new file mode 100644
index 00000000..bc5ff269
--- /dev/null
+++ b/heat-stack/app/utils/totp.server.ts
@@ -0,0 +1,3 @@
+// @epic-web/totp should be used server-side only. It imports `Crypto` which results in Remix
+// including a big polyfill. So we put the import in a `.server.ts` file to avoid that
+export * from '@epic-web/totp'
diff --git a/heat-stack/app/utils/user-validation.ts b/heat-stack/app/utils/user-validation.ts
index 731633b2..2c70ce2f 100644
--- a/heat-stack/app/utils/user-validation.ts
+++ b/heat-stack/app/utils/user-validation.ts
@@ -25,3 +25,15 @@ export const EmailSchema = z
 	.max(100, { message: 'Email is too long' })
 	// users can type the email in any case, but we store it in lowercase
 	.transform(value => value.toLowerCase())
+
+export const PasswordAndConfirmPasswordSchema = z
+	.object({ password: PasswordSchema, confirmPassword: PasswordSchema })
+	.superRefine(({ confirmPassword, password }, ctx) => {
+		if (confirmPassword !== password) {
+			ctx.addIssue({
+				path: ['confirmPassword'],
+				code: 'custom',
+				message: 'The passwords must match',
+			})
+		}
+	})
diff --git a/heat-stack/other/Dockerfile b/heat-stack/other/Dockerfile
index 306cb278..972129c5 100644
--- a/heat-stack/other/Dockerfile
+++ b/heat-stack/other/Dockerfile
@@ -70,7 +70,7 @@ COPY --from=build /myapp/prisma /myapp/prisma
 COPY --from=build /myapp/app/components/ui/icons /myapp/app/components/ui/icons
 
 # prepare for litefs
-COPY --from=flyio/litefs:0.5.5 /usr/local/bin/litefs /usr/local/bin/litefs
+COPY --from=flyio/litefs:0.5.8 /usr/local/bin/litefs /usr/local/bin/litefs
 ADD other/litefs.yml /etc/litefs.yml
 RUN mkdir -p /data ${LITEFS_DIR}
 
diff --git a/heat-stack/other/patches/@remix-run+dev+1.19.1.patch b/heat-stack/other/patches/@remix-run+dev+1.19.1.patch
new file mode 100644
index 00000000..eedfbb29
--- /dev/null
+++ b/heat-stack/other/patches/@remix-run+dev+1.19.1.patch
@@ -0,0 +1,27 @@
+diff --git a/node_modules/@remix-run/dev/dist/compiler/utils/loaders.js b/node_modules/@remix-run/dev/dist/compiler/utils/loaders.js
+index 7bb79b6..033429e 100644
+--- a/node_modules/@remix-run/dev/dist/compiler/utils/loaders.js
++++ b/node_modules/@remix-run/dev/dist/compiler/utils/loaders.js
+@@ -66,6 +66,7 @@ const loaders = {
+   ".otf": "file",
+   ".png": "file",
+   ".psd": "file",
++  ".py": "text",
+   ".sql": "text",
+   ".svg": "file",
+   ".ts": "ts",
+diff --git a/node_modules/@remix-run/dev/dist/modules.d.ts b/node_modules/@remix-run/dev/dist/modules.d.ts
+index 25fd1f6..2193142 100644
+--- a/node_modules/@remix-run/dev/dist/modules.d.ts
++++ b/node_modules/@remix-run/dev/dist/modules.d.ts
+@@ -115,6 +115,10 @@ declare module "*.psd" {
+     let asset: string;
+     export default asset;
+ }
++declare module "*.py" {
++    let asset: string;
++    export default asset;
++}
+ declare module "*.sql" {
+     let asset: string;
+     export default asset;
diff --git a/heat-stack/other/patches/remix-utils+6.6.0.patch b/heat-stack/other/patches/remix-utils+6.6.0.patch
deleted file mode 100644
index 85f92a74..00000000
--- a/heat-stack/other/patches/remix-utils+6.6.0.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-diff --git a/node_modules/remix-utils/browser/react/use-global-pending-state.js b/node_modules/remix-utils/browser/react/use-global-pending-state.js
-index 4db18dd..26e2185 100644
---- a/node_modules/remix-utils/browser/react/use-global-pending-state.js
-+++ b/node_modules/remix-utils/browser/react/use-global-pending-state.js
-@@ -1,4 +1,4 @@
--import { useTransition, useFetchers } from "@remix-run/react";
-+import { useNavigation, useFetchers } from "@remix-run/react";
- import { useMemo } from "react";
- /**
-  * This is a helper hook that returns the state of every fetcher active on
-@@ -14,7 +14,7 @@ import { useMemo } from "react";
-  * // The app is idle
-  */
- export function useGlobalTransitionStates() {
--    let transition = useTransition();
-+    let transition = useNavigation();
-     let fetchers = useFetchers();
-     /**
-      * This gets the state of every fetcher active on the app and combine it with
diff --git a/heat-stack/other/sentry-create-release.js b/heat-stack/other/sentry-create-release.js
index b4b694a4..4a78f240 100644
--- a/heat-stack/other/sentry-create-release.js
+++ b/heat-stack/other/sentry-create-release.js
@@ -1,4 +1,6 @@
+import fs from 'node:fs'
 import { createRelease } from '@sentry/remix/scripts/createRelease.js'
+import { glob } from 'glob'
 import 'dotenv/config'
 
 const DEFAULT_URL_PREFIX = '#build/'
@@ -17,3 +19,8 @@ if (
 		'Missing Sentry environment variables, skipping sourcemap upload.',
 	)
 }
+const files = await glob(['./public/**/*.map', './build/**/*.map'])
+for (const file of files) {
+	// remove file
+	await fs.promises.unlink(file)
+}
diff --git a/heat-stack/prisma/migrations/20230914194400_init/migration.sql b/heat-stack/prisma/migrations/20230914194400_init/migration.sql
index fbce1a0e..6349954e 100644
--- a/heat-stack/prisma/migrations/20230914194400_init/migration.sql
+++ b/heat-stack/prisma/migrations/20230914194400_init/migration.sql
@@ -168,3 +168,44 @@ CREATE UNIQUE INDEX "_RoleToUser_AB_unique" ON "_RoleToUser"("A", "B");
 
 -- CreateIndex
 CREATE INDEX "_RoleToUser_B_index" ON "_RoleToUser"("B");
+
+--------------------------------- Manual Seeding --------------------------
+-- Hey there, Kent here! This is how you can reliably seed your database with
+-- some data. You edit the migration.sql file and that will handle it for you.
+
+INSERT INTO Permission VALUES('clnf2zvli0000pcou3zzzzome','create','user','own','',1696625465526,1696625465526);
+INSERT INTO Permission VALUES('clnf2zvll0001pcouly1310ku','create','user','any','',1696625465529,1696625465529);
+INSERT INTO Permission VALUES('clnf2zvll0002pcouka7348re','read','user','own','',1696625465530,1696625465530);
+INSERT INTO Permission VALUES('clnf2zvlm0003pcouea4dee51','read','user','any','',1696625465530,1696625465530);
+INSERT INTO Permission VALUES('clnf2zvlm0004pcou2guvolx5','update','user','own','',1696625465531,1696625465531);
+INSERT INTO Permission VALUES('clnf2zvln0005pcoun78ps5ap','update','user','any','',1696625465531,1696625465531);
+INSERT INTO Permission VALUES('clnf2zvlo0006pcouyoptc5jp','delete','user','own','',1696625465532,1696625465532);
+INSERT INTO Permission VALUES('clnf2zvlo0007pcouw1yzoyam','delete','user','any','',1696625465533,1696625465533);
+INSERT INTO Permission VALUES('clnf2zvlp0008pcou9r0fhbm8','create','note','own','',1696625465533,1696625465533);
+INSERT INTO Permission VALUES('clnf2zvlp0009pcouj3qib9q9','create','note','any','',1696625465534,1696625465534);
+INSERT INTO Permission VALUES('clnf2zvlq000apcouxnspejs9','read','note','own','',1696625465535,1696625465535);
+INSERT INTO Permission VALUES('clnf2zvlr000bpcouf4cg3x72','read','note','any','',1696625465535,1696625465535);
+INSERT INTO Permission VALUES('clnf2zvlr000cpcouy1vp6oeg','update','note','own','',1696625465536,1696625465536);
+INSERT INTO Permission VALUES('clnf2zvls000dpcouvzwjjzrq','update','note','any','',1696625465536,1696625465536);
+INSERT INTO Permission VALUES('clnf2zvls000epcou4ts5ui8f','delete','note','own','',1696625465537,1696625465537);
+INSERT INTO Permission VALUES('clnf2zvlt000fpcouk29jbmxn','delete','note','any','',1696625465538,1696625465538);
+
+INSERT INTO Role VALUES('clnf2zvlw000gpcour6dyyuh6','admin','',1696625465540,1696625465540);
+INSERT INTO Role VALUES('clnf2zvlx000hpcou5dfrbegs','user','',1696625465542,1696625465542);
+
+INSERT INTO _PermissionToRole VALUES('clnf2zvll0001pcouly1310ku','clnf2zvlw000gpcour6dyyuh6');
+INSERT INTO _PermissionToRole VALUES('clnf2zvlm0003pcouea4dee51','clnf2zvlw000gpcour6dyyuh6');
+INSERT INTO _PermissionToRole VALUES('clnf2zvln0005pcoun78ps5ap','clnf2zvlw000gpcour6dyyuh6');
+INSERT INTO _PermissionToRole VALUES('clnf2zvlo0007pcouw1yzoyam','clnf2zvlw000gpcour6dyyuh6');
+INSERT INTO _PermissionToRole VALUES('clnf2zvlp0009pcouj3qib9q9','clnf2zvlw000gpcour6dyyuh6');
+INSERT INTO _PermissionToRole VALUES('clnf2zvlr000bpcouf4cg3x72','clnf2zvlw000gpcour6dyyuh6');
+INSERT INTO _PermissionToRole VALUES('clnf2zvls000dpcouvzwjjzrq','clnf2zvlw000gpcour6dyyuh6');
+INSERT INTO _PermissionToRole VALUES('clnf2zvlt000fpcouk29jbmxn','clnf2zvlw000gpcour6dyyuh6');
+INSERT INTO _PermissionToRole VALUES('clnf2zvli0000pcou3zzzzome','clnf2zvlx000hpcou5dfrbegs');
+INSERT INTO _PermissionToRole VALUES('clnf2zvll0002pcouka7348re','clnf2zvlx000hpcou5dfrbegs');
+INSERT INTO _PermissionToRole VALUES('clnf2zvlm0004pcou2guvolx5','clnf2zvlx000hpcou5dfrbegs');
+INSERT INTO _PermissionToRole VALUES('clnf2zvlo0006pcouyoptc5jp','clnf2zvlx000hpcou5dfrbegs');
+INSERT INTO _PermissionToRole VALUES('clnf2zvlp0008pcou9r0fhbm8','clnf2zvlx000hpcou5dfrbegs');
+INSERT INTO _PermissionToRole VALUES('clnf2zvlq000apcouxnspejs9','clnf2zvlx000hpcou5dfrbegs');
+INSERT INTO _PermissionToRole VALUES('clnf2zvlr000cpcouy1vp6oeg','clnf2zvlx000hpcou5dfrbegs');
+INSERT INTO _PermissionToRole VALUES('clnf2zvls000epcou4ts5ui8f','clnf2zvlx000hpcou5dfrbegs');
\ No newline at end of file
diff --git a/heat-stack/prisma/seed.ts b/heat-stack/prisma/seed.ts
index b445fc6b..13416248 100644
--- a/heat-stack/prisma/seed.ts
+++ b/heat-stack/prisma/seed.ts
@@ -1,7 +1,8 @@
 import { faker } from '@faker-js/faker'
-import { promiseHash } from 'remix-utils'
+import { promiseHash } from 'remix-utils/promise'
 import { prisma } from '#app/utils/db.server.ts'
 import {
+	cleanupDb,
 	createPassword,
 	createUser,
 	getNoteImages,
@@ -15,10 +16,7 @@ async function seed() {
 	console.time(`🌱 Database has been seeded`)
 
 	console.time('🧹 Cleaned up the database...')
-	await prisma.user.deleteMany()
-	await prisma.verification.deleteMany()
-	await prisma.role.deleteMany()
-	await prisma.permission.deleteMany()
+	await cleanupDb(prisma)
 	console.timeEnd('🧹 Cleaned up the database...')
 
 	console.time('🔑 Created permissions...')
@@ -59,12 +57,6 @@ async function seed() {
 	})
 	console.timeEnd('👑 Created roles...')
 
-	if (process.env.MINIMAL_SEED) {
-		console.log('👍 Minimal seed complete')
-		console.timeEnd(`🌱 Database has been seeded`)
-		return
-	}
-
 	const totalUsers = 5
 	console.time(`👤 Created ${totalUsers} users...`)
 	const noteImages = await getNoteImages()
diff --git a/heat-stack/server/index.ts b/heat-stack/server/index.ts
index 55f27c53..3f85b125 100644
--- a/heat-stack/server/index.ts
+++ b/heat-stack/server/index.ts
@@ -10,8 +10,8 @@ import {
 	installGlobals,
 	type ServerBuild,
 } from '@remix-run/node'
-import { wrapExpressCreateRequestHandler } from '@sentry/remix'
-import address from 'address'
+import * as Sentry from '@sentry/remix'
+import { ip as ipAddress } from 'address'
 import chalk from 'chalk'
 import closeWithGrace from 'close-with-grace'
 import compression from 'compression'
@@ -25,7 +25,7 @@ installGlobals()
 
 const MODE = process.env.NODE_ENV
 
-const createRequestHandler = wrapExpressCreateRequestHandler(
+const createRequestHandler = Sentry.wrapExpressCreateRequestHandler(
 	_createRequestHandler,
 )
 
@@ -44,6 +44,9 @@ const app = express()
 const getHost = (req: { get: (key: string) => string | undefined }) =>
 	req.get('X-Forwarded-Host') ?? req.get('host') ?? ''
 
+// fly is our proxy
+app.set('trust proxy', true)
+
 // ensure HTTPS only (X-Forwarded-Proto comes from Fly)
 app.use((req, res, next) => {
 	const proto = req.get('X-Forwarded-Proto')
@@ -73,6 +76,9 @@ app.use(compression())
 // http://expressjs.com/en/advanced/best-practice-security.html#at-a-minimum-disable-x-powered-by-header
 app.disable('x-powered-by')
 
+app.use(Sentry.Handlers.requestHandler())
+app.use(Sentry.Handlers.tracingHandler())
+
 // Remix fingerprints its assets so we can cache forever.
 app.use(
 	'/build',
@@ -89,6 +95,12 @@ app.use(
 // more aggressive with this caching.
 app.use(express.static('public', { maxAge: '1h' }))
 
+app.get(['/build/*', '/img/*', '/fonts/*', '/favicons/*'], (req, res) => {
+	// if we made it past the express.static for these, then we're missing something.
+	// So we'll just send a 404 and won't bother calling other middleware.
+	return res.status(404).send('Not found')
+})
+
 morgan.token('url', (req, res) => decodeURIComponent(req.url ?? ''))
 app.use(
 	morgan('tiny', {
@@ -148,6 +160,9 @@ const rateLimitDefault = {
 	max: 1000 * maxMultiple,
 	standardHeaders: true,
 	legacyHeaders: false,
+	// Fly.io prevents spoofing of X-Forwarded-For
+	// so no need to validate the trustProxy config
+	validate: { trustProxy: false },
 }
 
 const strongestRateLimit = rateLimit({
@@ -229,7 +244,7 @@ const server = app.listen(portToUse, () => {
 	console.log(`🚀  We have liftoff!`)
 	const localUrl = `http://localhost:${portUsed}`
 	let lanUrl: string | null = null
-	const localIp = address.ip()
+	const localIp = ipAddress() ?? 'Unknown'
 	// Check if the address is a private ip
 	// https://en.wikipedia.org/wiki/Private_network#Private_IPv4_address_spaces
 	// https://github.com/facebook/create-react-app/blob/d960b9e38c062584ff6cfb1a70e1512509a966e7/packages/react-dev-utils/WebpackDevServerUtils.js#LL48C9-L54C10
@@ -269,8 +284,10 @@ if (MODE === 'development') {
 	const dirname = path.dirname(fileURLToPath(import.meta.url))
 	const watchPath = path.join(dirname, WATCH_PATH).replace(/\\/g, '/')
 
-	chokidar
+	const buildWatcher = chokidar
 		.watch(watchPath, { ignoreInitial: true })
 		.on('add', reloadBuild)
 		.on('change', reloadBuild)
+
+	closeWithGrace(() => buildWatcher.close())
 }
diff --git a/heat-stack/tests/db-utils.ts b/heat-stack/tests/db-utils.ts
index 32fb1d40..276c348f 100644
--- a/heat-stack/tests/db-utils.ts
+++ b/heat-stack/tests/db-utils.ts
@@ -1,5 +1,6 @@
 import fs from 'node:fs'
 import { faker } from '@faker-js/faker'
+import { type PrismaClient } from '@prisma/client'
 import bcrypt from 'bcryptjs'
 import { UniqueEnforcer } from 'enforce-unique'
 
@@ -113,3 +114,19 @@ export async function img({
 		blob: await fs.promises.readFile(filepath),
 	}
 }
+
+export async function cleanupDb(prisma: PrismaClient) {
+	const tables = await prisma.$queryRaw<
+		{ name: string }[]
+	>`SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%' AND name NOT LIKE '_prisma_migrations';`
+
+	await prisma.$transaction([
+		// Disable FK constraints to avoid relation conflicts during deletion
+		prisma.$executeRawUnsafe(`PRAGMA foreign_keys = OFF`),
+		// Delete all rows from each table, preserving table structures
+		...tables.map(({ name }) =>
+			prisma.$executeRawUnsafe(`DELETE from "${name}"`),
+		),
+		prisma.$executeRawUnsafe(`PRAGMA foreign_keys = ON`),
+	])
+}
diff --git a/heat-stack/tests/e2e/2fa.test.ts b/heat-stack/tests/e2e/2fa.test.ts
index e70a5a40..e0fa6edc 100644
--- a/heat-stack/tests/e2e/2fa.test.ts
+++ b/heat-stack/tests/e2e/2fa.test.ts
@@ -1,5 +1,5 @@
-import { generateTOTP } from '@epic-web/totp'
 import { faker } from '@faker-js/faker'
+import { generateTOTP } from '#app/utils/totp.server.ts'
 import { expect, test } from '#tests/playwright-utils.ts'
 
 test('Users can add 2FA to their account and use it when logging in', async ({
diff --git a/heat-stack/tests/e2e/error-boundary.test.ts b/heat-stack/tests/e2e/error-boundary.test.ts
index ee67bc15..5254f0f2 100644
--- a/heat-stack/tests/e2e/error-boundary.test.ts
+++ b/heat-stack/tests/e2e/error-boundary.test.ts
@@ -1,8 +1,9 @@
 import { expect, test } from '#tests/playwright-utils.ts'
 
 test('Test root error boundary caught', async ({ page }) => {
-	await page.goto('/does-not-exist')
+	const pageUrl = '/does-not-exist'
+	const res = await page.goto(pageUrl)
 
+	expect(res?.status()).toBe(404)
 	await expect(page.getByText(/We can't find this page/i)).toBeVisible()
-	// TODO: figure out how to assert the 404 status code
 })
diff --git a/heat-stack/tests/e2e/note-images.test.ts b/heat-stack/tests/e2e/note-images.test.ts
new file mode 100644
index 00000000..5c3824e4
--- /dev/null
+++ b/heat-stack/tests/e2e/note-images.test.ts
@@ -0,0 +1,140 @@
+import fs from 'fs'
+import { faker } from '@faker-js/faker'
+import { type NoteImage, type Note } from '@prisma/client'
+import { prisma } from '#app/utils/db.server.ts'
+import { expect, test } from '#tests/playwright-utils.ts'
+
+test('Users can create note with an image', async ({ page, login }) => {
+	const user = await login()
+	await page.goto(`/users/${user.username}/notes`)
+
+	const newNote = createNote()
+	const altText = 'cute koala'
+	await page.getByRole('link', { name: 'new note' }).click()
+
+	// fill in form and submit
+	await page.getByRole('textbox', { name: 'title' }).fill(newNote.title)
+	await page.getByRole('textbox', { name: 'content' }).fill(newNote.content)
+	await page
+		.getByLabel('image')
+		.nth(0)
+		.setInputFiles('tests/fixtures/images/kody-notes/cute-koala.png')
+	await page.getByRole('textbox', { name: 'alt text' }).fill(altText)
+
+	await page.getByRole('button', { name: 'submit' }).click()
+	await expect(page).toHaveURL(new RegExp(`/users/${user.username}/notes/.*`))
+	await expect(page.getByRole('heading', { name: newNote.title })).toBeVisible()
+	await expect(page.getByAltText(altText)).toBeVisible()
+})
+
+test('Users can create note with multiple images', async ({ page, login }) => {
+	const user = await login()
+	await page.goto(`/users/${user.username}/notes`)
+
+	const newNote = createNote()
+	const altText1 = 'cute koala'
+	const altText2 = 'koala coder'
+	await page.getByRole('link', { name: 'new note' }).click()
+
+	// fill in form and submit
+	await page.getByRole('textbox', { name: 'title' }).fill(newNote.title)
+	await page.getByRole('textbox', { name: 'content' }).fill(newNote.content)
+	await page
+		.getByLabel('image')
+		.nth(0)
+		.setInputFiles('tests/fixtures/images/kody-notes/cute-koala.png')
+	await page.getByLabel('alt text').nth(0).fill(altText1)
+	await page.getByRole('button', { name: 'add image' }).click()
+
+	await page
+		.getByLabel('image')
+		.nth(1)
+		.setInputFiles('tests/fixtures/images/kody-notes/koala-coder.png')
+	await page.getByLabel('alt text').nth(1).fill(altText2)
+
+	await page.getByRole('button', { name: 'submit' }).click()
+	await expect(page).toHaveURL(new RegExp(`/users/${user.username}/notes/.*`))
+	await expect(page.getByRole('heading', { name: newNote.title })).toBeVisible()
+	await expect(page.getByAltText(altText1)).toBeVisible()
+	await expect(page.getByAltText(altText2)).toBeVisible()
+})
+
+test('Users can edit note image', async ({ page, login }) => {
+	const user = await login()
+
+	const note = await prisma.note.create({
+		select: { id: true },
+		data: {
+			...createNoteWithImage(),
+			ownerId: user.id,
+		},
+	})
+	await page.goto(`/users/${user.username}/notes/${note.id}`)
+
+	// edit the image
+	await page.getByRole('link', { name: 'Edit', exact: true }).click()
+	const updatedImage = {
+		altText: 'koala coder',
+		location: 'tests/fixtures/images/kody-notes/koala-coder.png',
+	}
+	await page.getByLabel('image').nth(0).setInputFiles(updatedImage.location)
+	await page.getByLabel('alt text').nth(0).fill(updatedImage.altText)
+	await page.getByRole('button', { name: 'submit' }).click()
+
+	await expect(page).toHaveURL(new RegExp(`/users/${user.username}/notes/.*`))
+	await expect(page.getByAltText(updatedImage.altText)).toBeVisible()
+})
+
+test('Users can delete note image', async ({ page, login }) => {
+	const user = await login()
+
+	const note = await prisma.note.create({
+		select: { id: true, title: true },
+		data: {
+			...createNoteWithImage(),
+			ownerId: user.id,
+		},
+	})
+	await page.goto(`/users/${user.username}/notes/${note.id}`)
+
+	await expect(page.getByRole('heading', { name: note.title })).toBeVisible()
+	// find image tags
+	const images = page
+		.getByRole('main')
+		.getByRole('list')
+		.getByRole('listitem')
+		.getByRole('img')
+	const countBefore = await images.count()
+	await page.getByRole('link', { name: 'Edit', exact: true }).click()
+	await page.getByRole('button', { name: 'remove image' }).click()
+	await page.getByRole('button', { name: 'submit' }).click()
+	await expect(page).toHaveURL(new RegExp(`/users/${user.username}/notes/.*`))
+	const countAfter = await images.count()
+	expect(countAfter).toEqual(countBefore - 1)
+})
+
+function createNote() {
+	return {
+		title: faker.lorem.words(3),
+		content: faker.lorem.paragraphs(3),
+	} satisfies Omit<Note, 'id' | 'createdAt' | 'updatedAt' | 'type' | 'ownerId'>
+}
+function createNoteWithImage() {
+	return {
+		...createNote(),
+		images: {
+			create: {
+				altText: 'cute koala',
+				contentType: 'image/png',
+				blob: fs.readFileSync(
+					'tests/fixtures/images/kody-notes/cute-koala.png',
+				),
+			},
+		},
+	} satisfies Omit<
+		Note,
+		'id' | 'createdAt' | 'updatedAt' | 'type' | 'ownerId'
+	> & {
+		images: { create: Pick<NoteImage, 'altText' | 'blob' | 'contentType'> }
+	}
+}
diff --git a/heat-stack/tests/e2e/onboarding.test.ts b/heat-stack/tests/e2e/onboarding.test.ts
index f495b815..88022349 100644
--- a/heat-stack/tests/e2e/onboarding.test.ts
+++ b/heat-stack/tests/e2e/onboarding.test.ts
@@ -28,9 +28,7 @@ const test = base.extend<{
 			}
 			return onboardingData
 		})
-		await prisma.user
-			.delete({ where: { username: userData.username } })
-			.catch(() => {})
+		await prisma.user.deleteMany({ where: { username: userData.username } })
 	},
 })
 
@@ -68,6 +66,13 @@ test('onboarding with link', async ({ page, getOnboardingData }) => {
 	invariant(onboardingUrl, 'Onboarding URL not found')
 	await page.goto(onboardingUrl)
 
+	await expect(page).toHaveURL(/\/verify/)
+
+	await page
+		.getByRole('main')
+		.getByRole('button', { name: /submit/i })
+		.click()
+
 	await expect(page).toHaveURL(`/onboarding`)
 	await page
 		.getByRole('textbox', { name: /^username/i })
@@ -167,6 +172,13 @@ test('reset password with a link', async ({ page, insertNewUser }) => {
 	invariant(resetPasswordUrl, 'Reset password URL not found')
 	await page.goto(resetPasswordUrl)
 
+	await expect(page).toHaveURL(/\/verify/)
+
+	await page
+		.getByRole('main')
+		.getByRole('button', { name: /submit/i })
+		.click()
+
 	await expect(page).toHaveURL(`/reset-password`)
 	const newPassword = faker.internet.password()
 	await page.getByLabel(/^new password$/i).fill(newPassword)
diff --git a/heat-stack/tests/mocks/index.ts b/heat-stack/tests/mocks/index.ts
index 96239e66..62a4786a 100644
--- a/heat-stack/tests/mocks/index.ts
+++ b/heat-stack/tests/mocks/index.ts
@@ -1,7 +1,7 @@
 import closeWithGrace from 'close-with-grace'
 import { passthrough, http } from 'msw'
 import { setupServer } from 'msw/node'
-// import { handlers as githubHandlers } from './github.ts'
+import { handlers as githubHandlers } from './github.ts'
 import { handlers as resendHandlers } from './resend.ts'
 
 const miscHandlers = [
@@ -13,7 +13,7 @@ const miscHandlers = [
 export const server = setupServer(
 	...miscHandlers,
 	...resendHandlers,
-	//	...githubHandlers, /* commenting out to enable app/utils/pyodide.test.ts */
+	...githubHandlers,
 )
 
 server.listen({ onUnhandledRequest: 'warn' })
diff --git a/heat-stack/tests/playwright-utils.ts b/heat-stack/tests/playwright-utils.ts
index b9157e8d..e1631424 100644
--- a/heat-stack/tests/playwright-utils.ts
+++ b/heat-stack/tests/playwright-utils.ts
@@ -7,7 +7,7 @@ import {
 	sessionKey,
 } from '#app/utils/auth.server.ts'
 import { prisma } from '#app/utils/db.server.ts'
-import { sessionStorage } from '#app/utils/session.server.ts'
+import { authSessionStorage } from '#app/utils/session.server.ts'
 import { createUser } from './db-utils.ts'
 
 export * from './db-utils.ts'
@@ -82,17 +82,17 @@ export const test = base.extend<{
 				select: { id: true },
 			})
 
-			const cookieSession = await sessionStorage.getSession()
-			cookieSession.set(sessionKey, session.id)
+			const authSession = await authSessionStorage.getSession()
+			authSession.set(sessionKey, session.id)
 			const cookieConfig = setCookieParser.parseString(
-				await sessionStorage.commitSession(cookieSession),
+				await authSessionStorage.commitSession(authSession),
 			) as any
 			await page
 				.context()
 				.addCookies([{ ...cookieConfig, domain: 'localhost' }])
 			return user
 		})
-		await prisma.user.delete({ where: { id: userId } }).catch(() => {})
+		await prisma.user.deleteMany({ where: { id: userId } })
 	},
 })
 export const { expect } = test
diff --git a/heat-stack/tests/setup/custom-matchers.ts b/heat-stack/tests/setup/custom-matchers.ts
index 94b89ba7..eb4b3d75 100644
--- a/heat-stack/tests/setup/custom-matchers.ts
+++ b/heat-stack/tests/setup/custom-matchers.ts
@@ -2,7 +2,7 @@ import * as setCookieParser from 'set-cookie-parser'
 import { expect } from 'vitest'
 import { sessionKey } from '#app/utils/auth.server.ts'
 import { prisma } from '#app/utils/db.server.ts'
-import { sessionStorage } from '#app/utils/session.server.ts'
+import { authSessionStorage } from '#app/utils/session.server.ts'
 import {
 	type OptionalToast,
 	toastSessionStorage,
@@ -89,10 +89,10 @@ expect.extend({
 			}
 		}
 
-		const cookieSession = await sessionStorage.getSession(
+		const authSession = await authSessionStorage.getSession(
 			convertSetCookieToCookie(sessionSetCookie),
 		)
-		const sessionValue = cookieSession.get(sessionKey)
+		const sessionValue = authSession.get(sessionKey)
 
 		if (!sessionValue) {
 			return {
diff --git a/heat-stack/tests/setup/db-setup.ts b/heat-stack/tests/setup/db-setup.ts
index 354b2789..ea66e14b 100644
--- a/heat-stack/tests/setup/db-setup.ts
+++ b/heat-stack/tests/setup/db-setup.ts
@@ -1,6 +1,7 @@
 import path from 'node:path'
 import fsExtra from 'fs-extra'
 import { afterAll, afterEach, beforeAll } from 'vitest'
+import { cleanupDb } from '#tests/db-utils.ts'
 import { BASE_DATABASE_PATH } from './global-setup.ts'
 
 const databaseFile = `./tests/prisma/data.${process.env.VITEST_POOL_ID || 0}.db`
@@ -12,17 +13,14 @@ beforeAll(async () => {
 })
 
 // we *must* use dynamic imports here so the process.env.DATABASE_URL is set
-// befor prisma is imported and initialized
+// before prisma is imported and initialized
 afterEach(async () => {
 	const { prisma } = await import('#app/utils/db.server.ts')
-	await prisma.user.deleteMany()
-	await prisma.verification.deleteMany()
-	await prisma.role.deleteMany()
-	await prisma.permission.deleteMany()
+	await cleanupDb(prisma)
 })
 
 afterAll(async () => {
 	const { prisma } = await import('#app/utils/db.server.ts')
-	prisma.$disconnect()
+	await prisma.$disconnect()
 	await fsExtra.remove(databasePath)
 })
diff --git a/heat-stack/tests/setup/global-setup.ts b/heat-stack/tests/setup/global-setup.ts
index 4c935793..b4ae8db3 100644
--- a/heat-stack/tests/setup/global-setup.ts
+++ b/heat-stack/tests/setup/global-setup.ts
@@ -11,12 +11,14 @@ export async function setup() {
 	const databaseExists = await fsExtra.pathExists(BASE_DATABASE_PATH)
 	if (databaseExists) return
 
-	await execaCommand('prisma migrate reset --force --skip-generate', {
-		stdio: 'inherit',
-		env: {
-			...process.env,
-			MINIMAL_SEED: 'true',
-			DATABASE_URL: `file:${BASE_DATABASE_PATH}`,
+	await execaCommand(
+		'prisma migrate reset --force --skip-seed --skip-generate',
+		{
+			stdio: 'inherit',
+			env: {
+				...process.env,
+				DATABASE_URL: `file:${BASE_DATABASE_PATH}`,
+			},
 		},
-	})
+	)
 }
diff --git a/heat-stack/tests/utils.ts b/heat-stack/tests/utils.ts
index 546a3b66..b39457d9 100644
--- a/heat-stack/tests/utils.ts
+++ b/heat-stack/tests/utils.ts
@@ -1,6 +1,6 @@
 import * as setCookieParser from 'set-cookie-parser'
 import { sessionKey } from '#app/utils/auth.server.ts'
-import { sessionStorage } from '#app/utils/session.server.ts'
+import { authSessionStorage } from '#app/utils/session.server.ts'
 
 export const BASE_URL = 'https://www.epicstack.dev'
 
@@ -15,9 +15,9 @@ export async function getSessionSetCookieHeader(
 	session: { id: string },
 	existingCookie?: string,
 ) {
-	const cookieSession = await sessionStorage.getSession(existingCookie)
-	cookieSession.set(sessionKey, session.id)
-	const setCookieHeader = await sessionStorage.commitSession(cookieSession)
+	const authSession = await authSessionStorage.getSession(existingCookie)
+	authSession.set(sessionKey, session.id)
+	const setCookieHeader = await authSessionStorage.commitSession(authSession)
 	return setCookieHeader
 }