refactor: code quality improvements across the backend

- Remove insecure SSL verification bypass in attendance.py
- Add gunicorn as production WSGI server (Dockerfile + entrypoint)
- Fix silent data loss in reconciliation (log + surface unmatched members)
- Add required column validation in payment sheet parsing
- Add input validation on /qr route (account format, amount bounds, SPD injection)
- Centralize configuration into scripts/config.py
- Extract credentials path to env-configurable constant
- Hide unmatched transactions from reconcile-juniors page
- Fix test mocks to bypass cache layer (all 8 tests now pass reliably)
- Add pytest + pytest-cov dev dependencies
- Fix typo "Inffering" in infer_payments.py
- Update CLAUDE.md to reflect current project state

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

build/Dockerfile

@@ -14,7 +14,8 @@ RUN pip install --no-cache-dir \
     google-auth-httplib2 \
     google-auth-oauthlib \
     qrcode \
-    pillow
+    pillow \
+    gunicorn
 
 COPY app.py Makefile ./
 COPY scripts/ ./scripts/

build/entrypoint.sh

@@ -1,8 +1,11 @@
 #!/bin/bash
 set -euo pipefail
 
-echo "[entrypoint] Starting Flask app on port 5001..."
+echo "[entrypoint] Starting gunicorn on port 5001..."
 
-# Running the app directly via python
-# For a production setup, we would ideally use gunicorn/waitress, but sticking to what's in app.py for now.
-exec python3 /app/app.py
+exec gunicorn \
+    --bind 0.0.0.0:5001 \
+    --workers "${GUNICORN_WORKERS:-2}" \
+    --timeout "${GUNICORN_TIMEOUT:-120}" \
+    --access-logfile - \
+    app:app