Harden login and make personal-best records self-correct
Login: add an in-memory per-IP throttle (8 failed attempts -> 15-min lockout, 429 + Retry-After), raise the change-password minimum to 8 with a 72-char cap, and apply the same minimum on the StartOS Set Login Password action. Records: add a record_floor column for manually-pinned bests plus recomputeRecord(); the live record is now the direction-aware best of the best logged value and the floor, recomputed on entry edit/delete so it can drop again (never below the floor). Settings exposes the floor as an override and shows the live best as a placeholder. Bump package 0.1.6:0 -> 0.1.7:0 and the service-worker cache to v7.
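An added example, not code from this repository, of the two behaviours the commit message describes: the direction-aware `recomputeRecord()` (live record = best of the best logged value and the pinned floor, allowed to drop after an entry edit/delete but never past the floor) and an in-memory per-IP login throttle that locks an address out after 8 failures for 15 minutes and tells the handler to answer 429 with Retry-After. The function and class names, the plain-object metric shape, the injectable clock and the sample addresses are assumptions made for the example; the real app stores metrics and entries in SQLite.

```javascript
// Added example, not the project's own code. Names, input shapes and the
// injectable clock are assumptions; the app itself reads these from SQLite.

// --- Records -------------------------------------------------------------
// Live record = direction-aware best of (best logged value, record_floor).
//   metric: { higher_is_better: boolean, record_floor: number | null }
//   values: the numbers currently logged against the metric; after an edit or
//           delete the caller passes what remains, so the record can drop again.
// Returns null when nothing is logged and no floor is pinned.
function recomputeRecord(metric, values) {
  const better = metric.higher_is_better
    ? (a, b) => (a > b ? a : b)
    : (a, b) => (a < b ? a : b);
  const logged = values.filter((v) => Number.isFinite(v));
  const best = logged.length ? logged.reduce(better) : null;
  const floor = Number.isFinite(metric.record_floor) ? metric.record_floor : null;
  if (best === null) return floor;   // no entries: the floor alone is the record
  if (floor === null) return best;   // no floor: the record simply tracks the data
  return better(best, floor);        // never worse than the floor, in either direction
}

// --- Login throttle ------------------------------------------------------
// In-memory per-IP counter: after maxFails failed attempts the address is
// locked for lockoutMs. State lives in a Map, so it is per-process and does
// not survive a restart. now() is injectable so expiry can be tested.
class LoginThrottle {
  constructor({ maxFails = 8, lockoutMs = 15 * 60 * 1000, now = Date.now } = {}) {
    this.maxFails = maxFails;
    this.lockoutMs = lockoutMs;
    this.now = now;
    this.state = new Map(); // ip -> { fails, lockedUntil }
  }

  // null when the request may proceed; otherwise the status and the
  // Retry-After value (whole seconds, rounded up) the handler should send,
  // e.g. in Fastify: reply.code(429).header('Retry-After', r.retryAfter).send()
  check(ip) {
    const s = this.state.get(ip);
    if (!s || !s.lockedUntil) return null;
    const remaining = s.lockedUntil - this.now();
    if (remaining <= 0) {
      this.state.delete(ip); // lockout expired: start counting afresh
      return null;
    }
    return { status: 429, retryAfter: Math.ceil(remaining / 1000) };
  }

  // Call after a failed password check; returns the running failure count.
  recordFailure(ip) {
    const s = this.state.get(ip) || { fails: 0, lockedUntil: 0 };
    s.fails += 1;
    if (s.fails >= this.maxFails) s.lockedUntil = this.now() + this.lockoutMs;
    this.state.set(ip, s);
    return s.fails;
  }

  // A successful login clears the counter for that address.
  recordSuccess(ip) {
    this.state.delete(ip);
  }
}
```

The handler order matters: call `check(ip)` before verifying the password so a locked-out address never reaches the password comparison, and call `recordFailure` only on a genuine mismatch, otherwise malformed requests would count against the client.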
@@ -33,7 +33,7 @@ Run from repo root unless noted.
## Data model notes
- Metrics live in `category_metrics`; `kind` is one of `count | duration | score | decimal`. Records are `track_record` (bool) + `record` (REAL) on the metric; bumped automatically when a logged value beats them (respecting `higher_is_better`).
- Metrics live in `category_metrics`; `kind` is one of `count | duration | score | decimal`. Records are `track_record` (bool) + `record` (REAL, the live best) + `record_floor` (REAL, optional manually-pinned best) on the metric. `record` = the direction-aware best of the best logged value and `record_floor` (`src/records.js` `recomputeRecord`, respecting `higher_is_better`); it bumps up on logging and is **recomputed on entry edit/delete** so it can drop again, but never below `record_floor`. The Settings record field sets the floor.
- Entries: one row per logged session (`entries`, with `note`); metric readings in `entry_values`.
## Config (env-var names only — never hardcode secrets)
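Review bot: the new data-model bullet says the Settings record field sets `record_floor` but does not state what an unset floor means or how one is cleared; because `record` is the better of the best logged value and `record_floor`, a stale floor silently stops a record from dropping after an entry delete, which is exactly the case this change is meant to fix. Suggest a clause such as "`record_floor` is NULL when no manual best is pinned; clearing the Settings field clears it", and a note on how the column is added to existing databases, so the bullet remains an accurate schema reference.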
@@ -71,10 +71,11 @@ Run from repo root unless noted.
## Current state
Live on StartOS (deploy host set in `~/.startos/config.yaml` `host:`, not in this repo) at **v0.1.6:0**; `make install` deploys and the PWA self-updates via the in-app banner. Pushed to self-hosted Gitea (`origin`).
Live on StartOS (deploy host set in `~/.startos/config.yaml` `host:`, not in this repo) at **v0.1.7:0**; `make install` deploys and the PWA self-updates via the in-app banner. Pushed to self-hosted Gitea (`origin`).
- **Working**: daily logging, weekly planning, goals + thermometer, dashboard (streak calendar, radar, line/series charts, records), personal-best records (auto + manual set), per-session notes, EPA Max/Weighted Speed, tap-to-type number fields, full category/metric management in Settings, "Set Login Password" action.
- **Working**: daily logging, weekly planning, goals + thermometer, dashboard (streak calendar, radar, line/series charts, records), personal-best records (auto + manual floor, self-correcting on edit/delete), per-session notes, EPA Max/Weighted Speed, tap-to-type number fields, full category/metric management in Settings, "Set Login Password" action. Login is rate-limited (per-IP, 8 fails → 15-min lockout) and the password minimum is 8 chars.
- **In progress**: none — all requested features are built, committed, and deployed.
- **Decided, not yet done**: reconcile in-app password change with the StartOS action (env wins on restart); optional "log another" for a second same-category session in a day. See `ROADMAP.md`.
- **Known issues**: changing the password from the app's own Settings reverts on restart under StartOS — use the action.
- **Next steps**: (1) set a real login password via the "Set Login Password" action; (2) confirm speed unit (`mph` vs `km/h`); (3) decide whether to add a "log another" same-category session.
- **Eval backlog**: a full evaluation lives in `EVALUATION.md` — remaining items include the `@fastify/static` upgrade, input-validation gaps (metric `kind`, calendar dates, FK 500), CSRF, and no test suite. Registry-submission blockers are intentionally parked (not publishing).
- **Next steps**: (1) set a real login password via the "Set Login Password" action; (2) confirm speed unit (`mph` vs `km/h`); (3) work the `EVALUATION.md` P2 backlog if desired.
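Review bot: the "Working" bullet now advertises per-IP login rate limiting (8 fails → 15-min lockout) without saying which address is counted or that the throttle is in-memory (as the commit message states); if the service sits behind a reverse proxy the peer address can be the proxy's, so every client shares one bucket and a single lockout blocks all users, and the counters vanish on restart. Suggest one clause here, or under "Known issues" next to the existing restart caveat, stating whether the client IP comes from the socket or a trusted forwarded header and that lockouts do not survive a restart. The new "Eval backlog" bullet also lists CSRF and the input-validation gaps; cross-referencing them from "Known issues" would keep the two lists consistent.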