Adds a credential hint box directly in the Tink Link connection UI
showing username (u04877810) and password (vxw774) with copy buttons.
No more hunting in Tink Console during a demo.
Previously Step 2 (create user) and Step 3 (Tink Link) were disconnected —
the bank connection went to an anonymous new user, not the one just created.
Fix: Step 3 now calls /api/v1/oauth/authorization-grant/delegate with the
user_id from session to get an authorization_code, which is injected into
the Tink Link URL. This binds the bank connection to the correct customer.
Also stores user_market in session so Step 3 uses the same market as Step 2.
Shows a note confirming which user Tink Link is bound to.
- TinkClient now accepts on_request callback; all API methods log via
shared _get/_post helpers (method, url, req/resp body, status, timing)
- _logger(sess) helper creates a session-bound callback (max 50 entries)
- All route handlers pass _logger(sess) to _client()
- New GET /demo/log — shows all API calls in reverse-chronological order,
collapsible req/resp bodies, status + duration badges
- New POST /demo/log/clear — clears the log
- Navbar gets 'API Log' link (always visible)
- _ctx() now applied to ALL template responses (steps 1–6)
- Replace /events/v2/* endpoints (404 in sandbox) with /api/v1/webhooks
- Add list_webhooks() and register_webhook() methods to TinkClient
- Step 6 now shows: webhook flow diagram + curl examples + live API + sample payload
- Handle sandbox 404 gracefully (shows example data, no red error)
- Remove .env.production from git tracking (credentials via Gitea secrets)
- deploy.yml: write .env.production from TINK_CLIENT_ID/SECRET secrets
