Added opaque join-token support across backend and frontend: new migration/model/service/endpoints, guest controllers now resolve tokens, and the demo seeder seeds a token. Tenant event details list/manage tokens with copy/revoke actions, and the guest PWA uses tokens end-to-end (routing, storage, uploads, achievements, etc.). Docs TODO updated to reflect completed steps.

resources/js/guest/services/photosApi.ts

@@ -77,7 +77,7 @@ export async function uploadPhoto(slug: string, file: File, taskId?: number, emo
   if (emotionSlug) formData.append('emotion_slug', emotionSlug);
   formData.append('device_id', getDeviceId());
 
-  const res = await fetch(`/api/v1/events/${slug}/upload`, {
+  const res = await fetch(`/api/v1/events/${encodeURIComponent(slug)}/upload`, {
     method: 'POST',
     credentials: 'include',
     body: formData,
@@ -99,4 +99,3 @@ export async function uploadPhoto(slug: string, file: File, taskId?: number, emo
   const json = await res.json();
   return json.photo_id ?? json.id ?? json.data?.id ?? 0;
 }
-