Dashboard account section, profile API, and CSS account panels

- SSO session auth gating on all protected pages
- dashboard.php: account section (profile form + workspace panel),
  onboarding prompt modal, overview bar extracted to CSS classes,
  dashboard.css linked in page head
- api/profile.php: save/dismiss endpoint for optional profile fields
- assets/css/dashboard.css: account grid, dash-account-panel,
  dash-profile-form, profile-prompt-backdrop modal, overview bar
  classes, dash-section-kicker, dash-tier-badge base styles
- includes/bootstrap.php: dbnToolsMainUserProfile,
  dbnToolsProfileNeedsPrompt, dbnToolsRequirePageAuth
- scripts/sql/004_user_profile_fields.sql: nullable phone, address,
  and profile_prompt_dismissed_at columns

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

index.php

@@ -4,23 +4,8 @@ declare(strict_types=1);
 require_once __DIR__ . '/includes/bootstrap.php';
 require_once __DIR__ . '/includes/PricingCatalog.php';
 
-function dbnToolsSafeReturn(mixed $value, string $default = '/'): string
-{
-    $return = trim((string)$value);
-    if ($return === '') {
-        return $default;
-    }
-    if (!str_starts_with($return, '/') || str_starts_with($return, '//')) {
-        return $default;
-    }
-    if (preg_match('/[\r\n]/', $return)) {
-        return $default;
-    }
-    return $return;
-}
-
 $uiLang = dbnToolsCurrentLanguage();
-$returnPath = dbnToolsSafeReturn($_GET['return'] ?? '/', '/');
+$returnPath = dbnToolsSafeReturnPath($_GET['return'] ?? '/', '/');
 
 // Handle SSO token from dobetternorge.no
 if (isset($_GET['sso']) && !dbnToolsIsAuthenticated()) {
@@ -33,9 +18,19 @@ if (isset($_GET['sso']) && !dbnToolsIsAuthenticated()) {
             $_SESSION['dbn_tools_authenticated_at'] = time();
             $_SESSION['dbn_tools_sso_uid']          = (int)$tokenData['uid'];
             $_SESSION['dbn_tools_user_id']          = (int)$tokenData['uid'];
+            $_SESSION['dbn_tools_sso_email']        = (string)$tokenData['email'];
             $_SESSION['dbn_tools_user_email']       = (string)$tokenData['email'];
+            $_SESSION['dbn_tools_sso_name']         = (string)($tokenData['name'] ?? '');
+            $_SESSION['dbn_tools_user_name']        = (string)($tokenData['name'] ?? '');
             $_SESSION['dbn_tools_user_role']        = 'sso';
             $_SESSION['dbn_tools_tier']             = (string)($tokenData['tier'] ?? 'free');
+            $_SESSION['lang']                       = dbnToolsNormalizeUiLanguage($tokenData['lang'] ?? $uiLang);
+            try {
+                require_once __DIR__ . '/includes/FreeTier.php';
+                FreeTier::ensureRow((int)$tokenData['uid']);
+            } catch (Throwable) {
+                // Non-fatal: the token has already been verified; credit checks will fail closed if DB is unavailable.
+            }
             // Send to workbench directly after SSO; honour a specific return path if set
             header('Location: ' . ($returnPath === '/' ? '/dashboard.php' : $returnPath));
             exit;