Clone https://github.com/dannystocker/navidocs, checkout branch claude/install-run-ssh-01RZPPuRFwrveZKec62363vu (latest build with E2E tests passing), create new branch fix/critical-security-ux, then implement these 8 critical fixes using 8 Haiku agents in parallel (single message with 8 Task tool calls):

SECURITY FIXES (Agents 1-4):

Agent 1 - JWT Secret Enforcement:
- File: server/services/auth.service.js line 13
- Change: const JWT_SECRET = process.env.JWT_SECRET || 'your-jwt-secret-here-change-in-production'
- To: const JWT_SECRET = process.env.JWT_SECRET; if (!JWT_SECRET || JWT_SECRET.length < 32) throw new Error('JWT_SECRET required, min 32 chars');
- Test: Server should crash on startup without JWT_SECRET

Agent 2 - Document/Image Route Auth:
- Files: server/routes/documents.js, server/routes/images.js
- Find all: const userId = req.user?.id || 'test-user-id'
- Change to: const userId = req.user.userId (and add authenticateToken middleware to routes)
- Import: import { authenticateToken } from '../middleware/auth.middleware.js'
- Test: Unauthenticated requests should return 401

Agent 3 - Search/Upload Route Auth:
- Files: server/routes/search.js, server/routes/upload.js
- Same pattern: Remove 'test-user-id' fallbacks, add authenticateToken middleware
- Test: Unauthenticated uploads/searches should return 401

Agent 4 - Stats Route Protection:
- File: server/routes/stats.js
- Add: import { authenticateToken, requireSystemAdmin } from '../middleware/auth.middleware.js'
- Change: router.get('/', async (req, res) => TO router.get('/', authenticateToken, requireSystemAdmin, async (req, res) =>
- Test: Non-admin requests should return 403

MARINE UX FIXES (Agents 5-8):

Agent 5 - Touch Targets 60px Minimum:
- Files: client/src/components/TocSidebar.vue, SearchResultsSidebar.vue, TocEntry.vue
- Find all: width: 20px, width: 32px, width: 40px, height: 20px, height: 32px, height: 40px
- Change to: min-width: 60px, min-height: 60px, padding: 10px
- Test: grep -r "width.*px|height.*px" client/src/components/ should show no values under 60px for buttons

Agent 6 - Font Sizes 16px Minimum:
- Files: client/src/views/SearchView.vue, client/src/components/TocSidebar.vue, SearchResultsSidebar.vue
- Find all: font-size: 10px, 11px, 12px, 13px, 14px
- Change to: font-size: 16px minimum
- Test: grep -r "font-size.*px" client/src/ should show no values under 16px

Agent 7 - ARIA Labels:
- Scan: grep -r "<button" client/src/ | grep -v "aria-label"
- Add aria-label to all icon-only buttons
- Pattern: <button aria-label="Delete item" @click="deleteItem"><TrashIcon aria-hidden="true" /></button>
- Test: All interactive elements should have descriptive labels

Agent 8 - Image Alt Text:
- Files: client/src/views/SearchView.vue, client/src/components/FigureZoom.vue
- Find all: <img :src= without alt attribute
- Add: :alt="descriptive text"
- Pattern: <img :src="thumbnail" :alt="title + ' thumbnail'">
- Test: grep -r "<img" client/src/ | grep -v "alt=" should return 0 results

After all 8 agents complete, run tests:
- npm audit --production (should be 0 critical/high)
- npm run build (should succeed)
- Manual test: Start server without JWT_SECRET (should crash with error)
- Manual test: Try accessing /api/documents without auth (should 401)

Then commit and push:
git add .
git commit -m "Fix 8 critical security and marine UX issues

Security:
- Enforce JWT_SECRET (no fallback to known default)
- Require auth on document/image/search/upload/stats routes
- Remove all test-user-id synthetic user patterns

Marine UX:
- Increase touch targets to 60px minimum (glove-friendly)
- Increase fonts to 16px minimum (sunlight-readable)
- Add ARIA labels to icon-only buttons (accessibility)
- Add alt text to all images (accessibility)

Source: Codex security review + Gemini UX review
Blockers: 8 critical issues preventing production deployment
"
git push -u origin fix/critical-security-ux

Then report completion with list of files changed and test results.