/gemini review

@cyrus-sratrc[bot] does this look good?

Review: PR #136 (dev → main)

Large PR (27 files, +7.8k). Mostly a new bus-coordinator system (login/OTP, coordinator dashboard, bus management/details, bulk Excel upload) plus utsav meal fields, wifi router export, and a debounce on bulk-food updates.

Verdict: functional and consistent with existing patterns, but one recurring concern worth addressing before merge.

✅ Good

• Auth wired correctly: coordinator pages use coordinatorToken + checkCoordinatorAuth(); admin pages use token. All fetches send the right Bearer.
• No hardcoded API URLs — uses CONFIG.baseUrl / CONFIG.basePath correctly.
• Error handling is consistent (!response.ok → throw → alert).
• sudo cardno column + td:nth-child(4) selector bump is correct; utsav meal multi-selects fine; bulk-food debounce (optimistic UI + 2500ms + refetch on failure) is sound.

⚠️ Main concern — XSS (unescaped innerHTML)
API/Excel data is interpolated raw into markup across all new travel files. Highest risk:

• Free-text comments field in coordinator dashboard.
• Excel-sourced bus_name / stop_name in bulk-upload previews (attacker-controllable).
• Attribute injection in inline onclick="...('${passenger_id}')" / exportBusPassengers('${bus_name}') — a quote in the value breaks the handler / injects JS.

This matches the existing codebase pattern, so it's not a regression — but the new bulk-Excel + free-text paths widen the surface. Recommend an escapeHtml() helper for text and addEventListener (or encoded args) for action links.

Minor

• travelBusDetails.js: handleBulkUpload() is dead code (defined, never wired; different endpoint than the active inline flow).
• coordinatorDashboard.js toggleBoardingStatus: doesn't handle 401/403, so expired token shows a parse error instead of logging out.
• travelBusManagement.js: "No Data" colspan="4" wrong for the 3-col invalid table; confirmBulkMasterImport assumes a prior upload exists.
• coordinatorLogin.js / coordinatorAuth.js missing trailing newline; utsav JS files gained exec bit (100755) — harmless.

Want me to apply fixes? I'd suggest the dead-code removal + 401/403 handling + an escapeHtml() pass on the new bulk/comments paths — happy to scope it tighter if you prefer minimal changes.