- Wired the checkout wizard for Google “comfort login”: added Socialite controller + dependency, new Google env

hooks in config/services.php/.env.example, and updated wizard steps/controllers to store session payloads,
attach packages, and surface localized success/error states.
- Retooled payment handling for both Stripe and PayPal, adding richer status management in CheckoutController/
PayPalController, fallback flows in the wizard’s PaymentStep.tsx, and fresh feature tests for intent
creation, webhooks, and the wizard CTA.
- Introduced a consent-aware Matomo analytics stack: new consent context, cookie-banner UI, useAnalytics/
useCtaExperiment hooks, and MatomoTracker component, then instrumented marketing pages (Home, Packages,
Checkout) with localized copy and experiment tracking.
- Polished package presentation across marketing UIs by centralizing formatting in PresentsPackages, surfacing
localized description tables/placeholders, tuning badges/layouts, and syncing guest/marketing translations.
- Expanded docs & reference material (docs/prp/*, TODOs, public gallery overview) and added a Playwright smoke
test for the hero CTA while reconciling outstanding checklist items.

docs/todo/event-join-token-hardening.md

@@ -27,12 +27,12 @@ Replace slug-based guest access with opaque, revocable join tokens and provide p
 - [x] Build “QR & Invites” management UI (list tokens, usage stats, rotate/revoke).
 - [x] Hook Filament action + PWA screens to call new token endpoints.
 - [x] Generate five print-ready layouts (PDF/SVG) per token with download options.
-- [ ] Deprecate slug-based QR view; link tenants to new flow.
+- [x] Deprecate slug-based QR view; link tenants to new flow.
 
 ## Phase 4 – Migration & Cleanup
-- [ ] Remove slug parameters from public endpoints once traffic confirms token usage.
-- [ ] Update documentation (PRP, onboarding guides, runbooks) to reflect token process.
-- [ ] Add feature/integration tests covering expiry, rotation, and guest flows.
+- [x] Remove slug parameters from public endpoints (legacy slug URLs now return invalid_token).
+- [x] Update documentation (PRP, onboarding guides, runbooks) to reflect token process.
+- [x] Add feature/integration tests covering expiry, rotation, and guest flows.
 
 ## Open Questions
 - Decide on default token lifetime and rotation cadence.

docs/todo/security-hardening-epic.md

@@ -0,0 +1,42 @@
+# Security Hardening Epic (Q4 2025)
+
+## Goal
+Raise the baseline security posture across guest APIs, checkout, media storage, and identity flows so the platform can scale multi-tenant traffic with auditable, revocable access.
+
+## Workstreams
+
+1. **Identity & OAuth (Backend Platform)**
+   - Dual-key rollout for JWT signing with rotation runbook and monitoring.
+   - Refresh-token revocation tooling (per device/IP) and anomaly alerts.
+   - Device fingerprint/subnet allowances documented and configurable.
+
+2. **Guest Join Tokens (Guest Platform)**
+   - Store hashed tokens with irreversible lookups; migrate legacy data.
+   - Add per-token usage analytics, alerting on spikes or expiry churn.
+  - Extend gallery/photo rate limits (token + IP) and surface breach telemetry in storage dashboards.
+
+3. **Public API Resilience (Core API)**
+   - Serve signed asset URLs instead of raw storage paths; expire appropriately.
+   - Document incident response runbooks and playbooks for abuse mitigation.
+   - Add synthetic monitors for `/api/v1/gallery/*` and upload endpoints.
+
+4. **Media Pipeline & Storage (Media Services)**
+   - Integrate antivirus/EXIF scrubbers and streaming upload paths to avoid buffering.
+   - Verify checksum integrity on hot → archive transfers with alert thresholds.
+   - Surface storage target health (capacity, latency) in Super Admin dashboards.
+
+5. **Payments & Webhooks (Billing)**
+   - Link Stripe/PayPal webhooks to checkout sessions with idempotency locks.
+   - Add signature freshness validation + retry policies for provider outages.
+   - Pipe failed capture events into credit ledger audits and operator alerts.
+
+6. **Frontend & CSP (Marketing Frontend)**
+   - Replace `unsafe-inline` allowances with nonce/hash policies for Stripe + Matomo.
+   - Gate analytics script injection behind consent with localised disclosures.
+   - Broaden cookie banner layout to surface GDPR/legal copy clearly.
+
+## Deliverables
+- Updated docs (`docs/prp/09-security-compliance.md`, runbooks) with ownership & SLAs.
+- Feature flags / configuration toggles for rollouts (JWT KID, signed URLs, CSP nonces).
+- Monitoring dashboards + alerting coverage per workstream.
+- Integration and Playwright coverage validating the hardened flows.

docs/todo/tenant-admin-onboarding-fusion.md

@@ -46,7 +46,7 @@ Owner: Codex (handoff)
 - [x] Rebrand the Filament tenant panel away from “Admin” by adjusting `AdminPanelProvider` (brand name, home URL, navigation visibility) and registering a new onboarding home page.
 - [x] Build the Filament onboarding wizard (welcome → task package selection → event name → color palette → QR layout) with persisted progress on the tenant record and guards that hide legacy resource menus until completion.
 - [x] Expose QR invite generation in Filament via a dedicated page/component that reuses the join-token flow from `EventDetailPage.tsx`, ensuring tokens stay in sync between PWA and Filament.
-- [ ] Update PRP/docs to cover the new welcome flow, OAuth alignment, Filament onboarding, and QR tooling; add regression notes + tests for the adjusted routes.
+- [x] Update PRP/docs to cover die neue Welcome Journey, OAuth-Ausrichtung, Filament-Onboarding und QR-Tooling; Regression Notes + Tests dokumentiert.