Initial commit: SmoothSchedule multi-tenant scheduling platform

This commit includes:
- Django backend with multi-tenancy (django-tenants)
- React + TypeScript frontend with Vite
- Platform administration API with role-based access control
- Authentication system with token-based auth
- Quick login dev tools for testing different user roles
- CORS and CSRF configuration for local development
- Docker development environment setup

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

frontend/CSP-PRODUCTION.md

@@ -0,0 +1,29 @@
+# Content Security Policy for Production
+
+During development, CSP is disabled in `index.html` to avoid conflicts with browser extensions.
+
+For production, configure CSP via server headers (nginx/CloudFlare):
+
+```nginx
+# nginx configuration
+add_header Content-Security-Policy "
+  default-src 'self';
+  script-src 'self' 'unsafe-inline' 'unsafe-eval' https://js.stripe.com https://connect-js.stripe.com blob:;
+  style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;
+  font-src 'self' https://fonts.gstatic.com;
+  img-src 'self' data: https:;
+  connect-src 'self' https://api.stripe.com https://connect-js.stripe.com https://yourdomain.com;
+  frame-src 'self' https://js.stripe.com https://connect-js.stripe.com;
+" always;
+```
+
+## Why not in HTML meta tag?
+
+1. **Browser extensions interfere**: Extensions inject their own CSP rules causing false errors
+2. **Dynamic configuration**: Production domains differ from development (lvh.me vs yourdomain.com)
+3. **Better control**: Server headers can vary by environment without changing source code
+4. **Standard practice**: Industry best practice is CSP via headers, not meta tags
+
+## Testing CSP
+
+Test your production CSP at: https://csp-evaluator.withgoogle.com/