- Wired the checkout wizard for Google “comfort login”: added Socialite controller + dependency, new Google env

hooks in config/services.php/.env.example, and updated wizard steps/controllers to store session payloads,
attach packages, and surface localized success/error states.
- Retooled payment handling for both Stripe and PayPal, adding richer status management in CheckoutController/
PayPalController, fallback flows in the wizard’s PaymentStep.tsx, and fresh feature tests for intent
creation, webhooks, and the wizard CTA.
- Introduced a consent-aware Matomo analytics stack: new consent context, cookie-banner UI, useAnalytics/
useCtaExperiment hooks, and MatomoTracker component, then instrumented marketing pages (Home, Packages,
Checkout) with localized copy and experiment tracking.
- Polished package presentation across marketing UIs by centralizing formatting in PresentsPackages, surfacing
localized description tables/placeholders, tuning badges/layouts, and syncing guest/marketing translations.
- Expanded docs & reference material (docs/prp/*, TODOs, public gallery overview) and added a Playwright smoke
test for the hero CTA while reconciling outstanding checklist items.

tests/Feature/GuestJoinTokenFlowTest.php

@@ -137,6 +137,16 @@ class GuestJoinTokenFlowTest extends TestCase
             ->assertJsonPath('error.code', 'token_expired');
     }
 
+    public function test_slug_access_is_rejected(): void
+    {
+        $event = $this->createPublishedEvent();
+
+        $response = $this->getJson("/api/v1/events/{$event->slug}");
+
+        $response->assertStatus(404)
+            ->assertJsonPath('error.code', 'invalid_token');
+    }
+
     public function test_guest_cannot_access_event_with_revoked_token(): void
     {
         $event = $this->createPublishedEvent();