/api/settings was missing from the middleware public routes allowlist,
causing unauthenticated (guest) requests to be blocked before reaching
the route handler. The error was silently caught, leaving settings null
and hiding the amount owed, payment methods, and payment instructions.
Logged-in users were unaffected as their session token passed middleware.
Also update CLAUDE.md to reflect the WebSocket userId-based auth change.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Philip
d4c82867d4