Replace kiosk SignalR with polling — Azure App Service blocks anonymous hub handshakes

SignalR WebSocket and SSE both receive immediate 'Handshake was canceled' from the
server-side hub context. The 15-second delay between negotiate and SSE connect
reveals the handshake timer has expired before the transport opens — caused by Azure
App Service's ingress proxy resetting anonymous long-lived connections.

Replacement: /Kiosk/PollSession (anonymous GET, no-cache) queried every 3 seconds.
Returns the most recent Active InPerson session created in the last 60 seconds.
The kiosk navigates when hasSession=true. Status dot: gray->green on first success,
yellow on network error, blue when navigating. Removed signalr.min.js from kiosk layout.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

src/PowderCoating.Web/Controllers/KioskController.cs

@@ -68,7 +68,8 @@ public class KioskController : Controller
     /// <summary>
     /// Idle branded screen displayed on the front-desk tablet.
     /// Validates the KioskDevice cookie; returns 403 if missing or token mismatch.
-    /// The view connects to KioskHub and listens for StartIntake events.
+    /// The view polls /Kiosk/PollSession every 3 seconds and navigates when staff
+    /// triggers a session via the Dashboard "Start Intake" button.
     /// </summary>
     [AllowAnonymous]
     public async Task<IActionResult> Welcome()
@@ -86,6 +87,35 @@ public class KioskController : Controller
         return View();
     }
 
+    /// <summary>
+    /// Lightweight polling endpoint called every 3 seconds by the kiosk Welcome screen.
+    /// Returns the most recent InPerson KioskSession created in the last 60 seconds so
+    /// the tablet can navigate without relying on SignalR (which Azure App Service blocks
+    /// for anonymous WebSocket/SSE connections through its ingress proxy).
+    /// </summary>
+    [AllowAnonymous, HttpGet]
+    [ResponseCache(NoStore = true, Location = ResponseCacheLocation.None)]
+    public async Task<IActionResult> PollSession()
+    {
+        var cookie = ReadKioskCookie();
+        if (cookie == null) return Json(new { hasSession = false });
+
+        var company = await _unitOfWork.Companies.GetByIdAsync(cookie.Value.companyId, ignoreQueryFilters: true);
+        if (company == null || company.KioskActivationToken != cookie.Value.token)
+            return Json(new { hasSession = false });
+
+        var window  = DateTime.UtcNow.AddSeconds(-60);
+        var session = await _unitOfWork.KioskSessions.FirstOrDefaultAsync(
+            s => s.CompanyId == cookie.Value.companyId
+              && s.SessionType == KioskSessionType.InPerson
+              && s.Status == KioskSessionStatus.Active
+              && s.CreatedAt >= window,
+            ignoreQueryFilters: true);
+
+        if (session == null) return Json(new { hasSession = false });
+        return Json(new { hasSession = true, sessionToken = session.SessionToken });
+    }
+
     /// <summary>
     /// Serves the company logo for anonymous kiosk pages. Resolves the company from the
     /// KioskDevice cookie so no tenant context is needed on the anonymous request.