SSO integration: validate dobetternorge.no signed tokens, update landing page

- bootstrap.php: dbnToolsValidateSsoToken(), SSO session check in dbnToolsIsAuthenticated()
- index.php: SSO handler at top, Do Better Norge member panel in login card
- .env: DBN_SSO_SECRET placeholder

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

index.php

@@ -3,6 +3,28 @@ declare(strict_types=1);
 
 require_once __DIR__ . '/includes/bootstrap.php';
 
+// Handle SSO token from dobetternorge.no
+if (isset($_GET['sso']) && !dbnToolsIsAuthenticated()) {
+    $ssoSecret = (string) dbnToolsEnv('DBN_SSO_SECRET', '');
+    if ($ssoSecret !== '') {
+        $tokenData = dbnToolsValidateSsoToken((string)$_GET['sso'], $ssoSecret);
+        if ($tokenData !== null) {
+            session_regenerate_id(true);
+            $_SESSION['dbn_tools_authenticated']    = true;
+            $_SESSION['dbn_tools_authenticated_at'] = time();
+            $_SESSION['dbn_tools_sso_uid']          = (int)$tokenData['uid'];
+            $_SESSION['dbn_tools_user_id']          = (int)$tokenData['uid'];
+            $_SESSION['dbn_tools_user_email']       = (string)$tokenData['email'];
+            $_SESSION['dbn_tools_user_role']        = 'sso';
+            header('Location: ask.php');
+            exit;
+        }
+    }
+    // Invalid/expired token — redirect back to main site to re-login
+    header('Location: https://dobetternorge.no/account.php?error=' . urlencode('Session expired. Please log in and try again.'));
+    exit;
+}
+
 if (dbnToolsIsAuthenticated()) {
     $return = $_GET['return'] ?? '';
     $dest   = ($return && str_starts_with($return, '/') && !str_contains($return, '//'))
@@ -144,6 +166,15 @@ if (dbnToolsIsAuthenticated()) {
                 <p class="eyebrow">Do Better Norge</p>
                 <h2 id="accessTitle">Access Legal Tools</h2>
                 <p class="gate-copy">Legal information and preparation support, not final legal advice.</p>
+
+                <div style="margin-bottom:20px;padding:14px 18px;background:rgba(0,32,91,.06);border-radius:10px;border:1px solid rgba(0,32,91,.12);font-size:14px;color:#333;text-align:center;">
+                    <strong>Do Better Norge member?</strong>
+                    <a href="https://dobetternorge.no/account.php" style="color:#00205B;font-weight:600;margin-left:6px;">Log in at dobetternorge.no →</a><br>
+                    <span style="color:#888;font-size:13px;">Then open Tools from your account dashboard</span>
+                </div>
+
+                <div style="text-align:center;margin:16px 0 12px;font-size:13px;color:#aaa;letter-spacing:.05em;">OR SIGN IN WITH CAVEAU ACCOUNT</div>
+
                 <form id="passcodeForm" class="passcode-form">
                     <label for="loginEmail">Email</label>
                     <input id="loginEmail" name="email" type="email" autocomplete="username email" required>
@@ -154,6 +185,11 @@ if (dbnToolsIsAuthenticated()) {
                     </div>
                     <p id="gateStatus" class="form-status" role="status" aria-live="polite"></p>
                 </form>
+
+                <p style="text-align:center;margin-top:16px;font-size:13px;color:#888;">
+                    No account yet?
+                    <a href="https://dobetternorge.no/register.php" style="color:#00205B;font-weight:600;">Register free at dobetternorge.no</a>
+                </p>
             </div>
         </section>