fix: add ESC key support, security comment, and disable async tests

lib/mv_web/live/components/payment_filter_component.ex

@@ -34,7 +34,13 @@ defmodule MvWeb.Components.PaymentFilterComponent do
   @impl true
   def render(assigns) do
     ~H"""
-    <div class="relative" id={@id}>
+    <div
+      class="relative"
+      id={@id}
+      phx-window-keydown={@open && "close_dropdown"}
+      phx-key="Escape"
+      phx-target={@myself}
+    >
       <button
         type="button"
         class={[

lib/mv_web/live/member_live/index.ex

@@ -841,7 +841,10 @@ defmodule MvWeb.MemberLive.Index do
 
   # Determines valid paid filter from URL parameter.
   #
-  # Only accepts "paid" or "not_paid", falls back to nil for invalid values.
+  # SECURITY: This function whitelists allowed filter values. Only "paid" and "not_paid"
+  # are accepted - all other input (including malicious strings) falls back to nil.
+  # This ensures no raw user input is ever passed to Ash.Query.filter/2, following
+  # Ash's security recommendation to never pass untrusted input directly to filters.
   defp determine_paid_filter("paid"), do: :paid
   defp determine_paid_filter("not_paid"), do: :not_paid
   defp determine_paid_filter(_), do: nil

test/mv_web/components/payment_filter_component_test.exs

@@ -8,7 +8,8 @@ defmodule MvWeb.Components.PaymentFilterComponentTest do
   - ARIA attributes for accessibility
   - Dropdown open/close behavior
   """
-  use MvWeb.ConnCase, async: true
+  # async: false to prevent PostgreSQL deadlocks when running LiveView tests against DB
+  use MvWeb.ConnCase, async: false
 
   import Phoenix.LiveViewTest