Added opaque join-token support across backend and frontend: new migration/model/service/endpoints, guest controllers now resolve tokens, and the demo seeder seeds a token. Tenant event details list/manage tokens with copy/revoke actions, and the guest PWA uses tokens end-to-end (routing, storage, uploads, achievements, etc.). Docs TODO updated to reflect completed steps.

docs/changes/2025-10-10-tenant-admin-onboarding-plan.md

@@ -74,6 +74,7 @@ These primitives live under `resources/js/admin/onboarding/` and integrate with
 - **Inline Checkout**: Die Order-Summary-Seite unterstützt jetzt Stripe-Kartenzahlungen (Payment Element) und PayPal (Orders API) direkt aus dem Onboarding heraus. Free-Packages lassen sich ohne Umweg aktivieren.
 - Dashboard bewirbt die Welcome Journey (Actions + Hero Card) und leitet Tenants ohne Events weiterhin auf `/event-admin/welcome` um, während Fortschritt persistiert wird.
 - Playwright-Skelett `tests/e2e/tenant-onboarding-flow.test.ts` angelegt und via `npm run test:e2e` ausführbar; Tests sind vorerst deaktiviert, bis Seed-Daten + Auth-Helper zur Verfügung stehen.
+- Welcome Landing, Packages, Summary und Event-Setup sind zweisprachig (DE/EN) via react-i18next; LanguageSwitcher im Dashboard & Welcome-Layout steuert die Locale.
 
 ## Status — verbleibende Arbeiten
 - PayPal-Testabdeckung (Playwright/RTL) und Error-UX gehören noch in die Roadmap, ebenso wie End-to-End-Validierung auf Staging.
@@ -82,3 +83,4 @@ These primitives live under `resources/js/admin/onboarding/` and integrate with
 - Keep current management modules untouched until welcome flow is ready; ship incrementally behind feature flag if needed.
 - Reuse new API helpers, QueryClient, and constants to avoid divergence between flows.
 
+

docs/todo/event-join-token-hardening.md

@@ -0,0 +1,34 @@
+# Event Join Token Hardening TODO
+
+## Goal
+Replace slug-based guest access with opaque, revocable join tokens and provide printable QR layouts tied to those tokens.
+
+## Phase 1 – Data & Backend
+- [x] Create `event_join_tokens` table (token, event_id, usage_limit/count, expires_at, revoked_at, created_by).
+- [x] Add Eloquent model + relations (`Event::joinTokens()`), factory, and seed helper.
+- [x] Implement service for token generation/rotation (secure RNG, audit logging).
+- [x] Expose tenant API endpoints for listing/creating/revoking tokens.
+- [x] Introduce middleware/controller updates so guest API resolves `/e/{token}` → event.
+- [ ] Add rate limiting + logging for invalid token attempts.
+
+## Phase 2 – Guest PWA
+- [x] Update router and data loaders to use `:token` paths.
+- [x] Adjust storage/cache keys to use token identifiers.
+- [ ] Display friendly error states for expired/invalid tokens.
+- [ ] Regression-test photo upload, likes, and stats flows via token.
+
+## Phase 3 – Tenant Admin UX
+- [x] Build “QR & Invites” management UI (list tokens, usage stats, rotate/revoke).
+- [x] Hook Filament action + PWA screens to call new token endpoints.
+- [ ] Generate five print-ready layouts (PDF/SVG) per token with download options.
+- [ ] Deprecate slug-based QR view; link tenants to new flow.
+
+## Phase 4 – Migration & Cleanup
+- [ ] Backfill tokens for existing published events and notify tenants to reprint.
+- [ ] Remove slug parameters from public endpoints once traffic confirms token usage.
+- [ ] Update documentation (PRP, onboarding guides, runbooks) to reflect token process.
+- [ ] Add feature/integration tests covering expiry, rotation, and guest flows.
+
+## Open Questions
+- Decide on default token lifetime and rotation cadence.
+- Confirm whether guest tokens should embed locale or package metadata.

docs/todo/tenant-admin-onboarding-fusion.md

@@ -33,10 +33,11 @@ Owner: Codex (handoff)
 - [ ] Extend docs: update PRP onboarding sections and add a walkthrough video/screencaps under docs/screenshots/tenant-admin-onboarding. Capture test scope for future Playwright/E2E coverage.
 - [ ] Add automated coverage (React Testing Library for step flows, feature tests for routing guard) once implementation stabilises. Playwright spec `tests/e2e/tenant-onboarding-flow.test.ts` now executes with seeded creds—extend it to cover Stripe/PayPal happy paths and guard edge cases.
 - [ ] Finalise direct checkout in the welcome summary. Stripe + PayPal hooks are live; add mocked/unit coverage and end-to-end assertions before rolling out broadly.
+- [x] Lokalisierung ausbauen: Landing-, Packages-, Summary- und Event-Setup-Screens sind nun DE/EN übersetzt; Copy-Review für weitere Module (Tasks/Billing/Members) bleibt offen.
 
 ## Risks & Open Questions
 - Confirm checkout UX expectations (Stripe vs PayPal) before wiring package purchase into onboarding.
-- Validate whether onboarding flow must be localized at launch; coordinate with i18n JSON updates.
+- Validate whether onboarding flow must be localized at launch; coordinate mit den neuen i18n JSONs und fehlenden Übersetzungen.
 - Determine deprecation plan for fotospiel-tenant-app/tenant-admin-app once the merged flow ships.