feat(superadmin): migrate internal docs from docusaurus to guava kb

- Remove default_locale and primary_join_token columns from event list
- Add read-only join link field to event edit form
- Add missing translations for used/remaining photos and join link
- Fix array-to-string conversion error in join link modal

.beads/.gitignore

@@ -11,6 +11,12 @@ daemon.log
 daemon.pid
 bd.sock
 sync-state.json
+.sync.lock
+last-touched
+sync_base.jsonl
+.sync.lock
+last-touched
+sync_base.jsonl
 
 # Local version tracking (prevents upgrade notification spam after git ops)
 .local_version

.beads/config.yaml

@@ -42,7 +42,7 @@
 # This setting persists across clones (unlike database config which is gitignored).
 # Can also use BEADS_SYNC_BRANCH env var for local override.
 # If not set, bd sync will require you to run 'bd config set sync.branch <branch>'.
-# sync-branch: "beads-sync"
+sync-branch: "beads-sync"
 
 # Multi-repo configuration (experimental - bd-307)
 # Allows hydrating from multiple repositories and routing writes to the correct JSONL
@@ -59,4 +59,4 @@
 # - linear.url
 # - linear.api-key
 # - github.org
-# - github.repo
+# - github.repo

.beads/issues.jsonl

@@ -9,15 +9,20 @@
 {"id":"fotospiel-app-1we","title":"Live Show: define trusted uploader rules \u0026 default retention window","description":"# Decision: Trusted uploader rules \u0026 default retention window\n\n## Context\nModeration is required for many events, but we also want a fast “auto-approve trusted sources” mode.\n\nWe currently track photo ingestion sources in `photos.ingest_source` (e.g. `tenant_admin`, `photobooth`, `sparkbooth`, `guest_pwa`). Guest uploads are token-based and do not have strong identity guarantees.\n\n## Definitions\n- **Trusted uploader**: uploads that can bypass Live Show manual moderation.\n- **Retention window**: time window for which approved photos remain eligible for rotation in the Live Show.\n\n## Options (trusted rules)\n### A) Trust by ingestion source only (recommended for V1)\nAuto-approve for Live Show only when `ingest_source` is one of:\n- `tenant_admin` (authenticated staff actions)\n- `photobooth` / `sparkbooth` (controlled integrations)\n\nAll `guest_pwa` uploads require manual approval when moderation is enabled.\n\n**Pros**\n- Harder to spoof; aligns with real security boundaries.\n- Simple to explain and operate.\n\n**Cons**\n- Guests never auto-approve; more moderator work.\n\n### B) Trust by guest device id (not recommended without stronger proof)\nUse `created_by_device_id` / `X-Device-Id` to whitelist devices.\n\n**Risk**\n- Device IDs are not cryptographically bound; a motivated guest could spoof the header.\n\nIf we want this later, we should introduce a **server-issued signed device token** (pairing flow) and validate it on upload.\n\n### C) Trust by invitation/QR (future)\nGuests who joined with a special “staff QR/pairing token” become trusted.\n\n## Recommended decision\nChoose **Option A** for V1.\n\n### Moderation mode semantics (proposed)\n- `off`: all photos with “submit to live show” become `approved` immediately *except* photos that are already flagged/removed by other moderation pipelines.\n- `manual`: all guest PWA photos become `pending`; trusted sources auto-approve.\n- `trusted_only`: same as manual, but UI copy emphasises that only booth/staff are automatic.\n\n## Retention window (defaults)\n### Recommendation\nDefault `retention_window_hours = 12` (configurable per event).\n\nRationale:\n- Keeps the “eligible set” bounded for performance.\n- Fits most event durations; avoids showing very old photos late in the night.\n\n### Notes\n- Even with a retention window, we can still show older photos via “curated” mode (e.g. featured/top-liked) if product wants.\n\n## Edge cases\n- **High-volume**: moderators may not keep up → allow temporary switch to “trusted_only” + announce to guests.\n- **Abuse**: if a trusted integration misbehaves, operator can disable trusted auto-approve.\n- **Reversal**: approving a previously rejected photo must be tracked with audit info (who/when).\n\n## Decision needed from product\n- Confirm the default retention window: 12h vs 6h vs “entire event”.\n- Confirm whether “trusted_only” should auto-approve `tenant_admin` uploads (recommended: yes).\n- Confirm whether guest auto-approve is desired in V1 (recommended: no, unless we build pairing).\n","acceptance_criteria":"- Trusted rules options listed, with security risk called out for device-id trust\\n- Clear V1 recommendation (trust by ingest_source only)\\n- Moderation mode semantics defined\\n- Default retention window recommendation + product decision questions","notes":"Decision: V1 trusted auto-approve uses ingest_source only (tenant_admin/photobooth/sparkbooth). Default retention_window_hours = 12.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-05T11:43:32.455339503+01:00","created_by":"soeren","updated_at":"2026-01-05T12:06:45.973092473+01:00","closed_at":"2026-01-05T12:06:45.973092473+01:00","close_reason":"Closed","dependencies":[{"issue_id":"fotospiel-app-1we","depends_on_id":"fotospiel-app-vro","type":"blocks","created_at":"2026-01-05T11:44:02.062725386+01:00","created_by":"soeren"}]}
 {"id":"fotospiel-app-25q","title":"Security review: payments/webhooks code audit (signatures, idempotency, linkage)","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:05:25.747336642+01:00","created_by":"soeren","updated_at":"2026-01-01T16:05:25.747336642+01:00"}
 {"id":"fotospiel-app-29o","title":"Paddle catalog sync: PackageResource sync status badges + timestamp","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:01:10.009385187+01:00","created_by":"soeren","updated_at":"2026-01-01T16:01:15.639525807+01:00","closed_at":"2026-01-01T16:01:15.639525807+01:00","close_reason":"Completed in codebase (verified)"}
+{"id":"fotospiel-app-29r","title":"Photobooth uploader: add watch-folder upload pipeline + persist creds","status":"closed","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-12T16:51:27.198056063+01:00","created_by":"Codex Agent","updated_at":"2026-01-12T17:07:04.06719869+01:00","closed_at":"2026-01-12T17:07:04.06719869+01:00","close_reason":"Closed"}
+{"id":"fotospiel-app-2b5","title":"Uploader: connect code expiry countdown","description":"Part of epic fotospiel-app-5aa. Show time-to-expiry for the active connect code in the client.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:04:05.74962406+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:04:05.74962406+01:00"}
 {"id":"fotospiel-app-2hq","title":"Security review: marketing/API controller+validation review","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:05:08.862737923+01:00","created_by":"soeren","updated_at":"2026-01-01T16:05:08.862737923+01:00"}
 {"id":"fotospiel-app-2yn","title":"Event-Admin: Reset link routing + notifications + tests","description":"Point password reset emails to event-admin reset page; add rate limiting and tests for the new flow.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-06T10:45:09.279245468+01:00","created_by":"soeren","updated_at":"2026-01-06T11:01:49.083154811+01:00","closed_at":"2026-01-06T11:01:49.083154811+01:00","close_reason":"Closed"}
 {"id":"fotospiel-app-33m","title":"Security review checklist: Guest PWA dynamic tests","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:04:40.730459361+01:00","created_by":"soeren","updated_at":"2026-01-01T16:04:40.730459361+01:00"}
 {"id":"fotospiel-app-38f","title":"Paddle catalog sync: surface last sync error/log context in admin","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:59:14.865414785+01:00","created_by":"soeren","updated_at":"2026-01-02T21:16:09.109922491+01:00","closed_at":"2026-01-02T21:16:09.109922491+01:00","close_reason":"Completed"}
 {"id":"fotospiel-app-3ut","title":"SEC-API-03 Synthetic monitoring + alert config","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T15:52:46.793875724+01:00","created_by":"soeren","updated_at":"2026-01-01T15:52:46.793875724+01:00"}
 {"id":"fotospiel-app-3xa","title":"Security review: event admin code audit (policies, PKCE, file handling)","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:05:20.115675149+01:00","created_by":"soeren","updated_at":"2026-01-01T16:05:20.115675149+01:00"}
+{"id":"fotospiel-app-43mp","title":"Help-System für Event Admin PWA planen","notes":"Context help links wired into priority admin pages.","status":"in_progress","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-23T08:21:47.812129626+01:00","created_by":"Codex Agent","updated_at":"2026-01-23T09:19:45.828239299+01:00"}
 {"id":"fotospiel-app-4ar","title":"SEC-BILL-03 Failed capture notifications + ledger hook","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T15:54:33.266516715+01:00","created_by":"soeren","updated_at":"2026-01-01T15:54:33.266516715+01:00"}
+{"id":"fotospiel-app-4en","title":"Add translations for Mobile Package Shop","description":"The new MobilePackageShopPage.tsx uses translation keys like 'shop.title', 'shop.legal.agb', etc. Ensure these are added to the management.json files for de and en.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-06T18:05:50.469751088+01:00","created_by":"soeren","updated_at":"2026-01-06T18:14:19.984343737+01:00","closed_at":"2026-01-06T18:14:19.984346372+01:00"}
 {"id":"fotospiel-app-4i4","title":"Security review: map roles/data","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:02:58.370301875+01:00","created_by":"soeren","updated_at":"2026-01-01T16:03:03.997327414+01:00","closed_at":"2026-01-01T16:03:03.997327414+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-4zu","title":"SEC-IO-02 Refresh-token management UI + audit logs","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:51:50.24186222+01:00","created_by":"soeren","updated_at":"2026-01-04T16:10:39.752587431+01:00","closed_at":"2026-01-04T16:10:39.752587431+01:00","close_reason":"Obsolete: authentication now uses Sanctum PATs; OAuth/refresh-token tables removed and no refresh-token flow remains. See docs/archive/prp/13-backend-authentication.md and docs/archive/prp/marketing-checkout-payment-architecture.md."}
+{"id":"fotospiel-app-4zy","title":"Refine Dashboard Translations","description":"Fix missing translations in the modern dashboard UI and use proper i18n keys for stats and status labels.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-17T16:35:14.464529363+01:00","created_by":"Codex Agent","updated_at":"2026-01-17T16:35:14.464529363+01:00"}
 {"id":"fotospiel-app-539","title":"Live Show: public player view with effects engine","status":"closed","priority":1,"issue_type":"feature","created_at":"2026-01-05T11:11:36.821959901+01:00","created_by":"soeren","updated_at":"2026-01-05T18:30:13.318396255+01:00","closed_at":"2026-01-05T18:30:13.318396255+01:00","close_reason":"Closed","dependencies":[{"issue_id":"fotospiel-app-539","depends_on_id":"fotospiel-app-qne","type":"blocks","created_at":"2026-01-05T11:12:58.721858159+01:00","created_by":"soeren"},{"issue_id":"fotospiel-app-539","depends_on_id":"fotospiel-app-6zc","type":"blocks","created_at":"2026-01-05T11:13:07.289796993+01:00","created_by":"soeren"},{"issue_id":"fotospiel-app-539","depends_on_id":"fotospiel-app-h5d","type":"blocks","created_at":"2026-01-05T11:44:42.719445471+01:00","created_by":"soeren"}]}
 {"id":"fotospiel-app-539.2","title":"Live Show player shell + routing + data layer","description":"Add /show/{token} route + guest player page shell, Live Show API client, SSE/polling subscription and state model.","status":"closed","priority":1,"issue_type":"task","created_at":"2026-01-05T15:57:41.587003393+01:00","created_by":"soeren","updated_at":"2026-01-05T16:44:39.577762479+01:00","closed_at":"2026-01-05T16:44:39.577762479+01:00","close_reason":"Closed","dependencies":[{"issue_id":"fotospiel-app-539.2","depends_on_id":"fotospiel-app-539","type":"parent-child","created_at":"2026-01-05T15:57:41.641767879+01:00","created_by":"soeren"}]}
 {"id":"fotospiel-app-539.3","title":"Live Show playback engine (queue, pacing, layouts)","description":"Implement player playback scheduler, queue management, and layout rendering for single/split/grid.","status":"closed","priority":1,"issue_type":"task","created_at":"2026-01-05T15:57:56.531080931+01:00","created_by":"soeren","updated_at":"2026-01-05T17:40:45.929168571+01:00","closed_at":"2026-01-05T17:40:45.929168571+01:00","close_reason":"Closed","dependencies":[{"issue_id":"fotospiel-app-539.3","depends_on_id":"fotospiel-app-539","type":"parent-child","created_at":"2026-01-05T15:57:56.631147026+01:00","created_by":"soeren"},{"issue_id":"fotospiel-app-539.3","depends_on_id":"fotospiel-app-539.2","type":"blocks","created_at":"2026-01-05T15:57:56.655278463+01:00","created_by":"soeren"}]}
@@ -27,24 +32,32 @@
 {"id":"fotospiel-app-574","title":"Paddle catalog sync: extend PaddleClient tests/mocks for catalog endpoints","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:59:03.486301225+01:00","created_by":"soeren","updated_at":"2026-01-02T21:11:39.626820206+01:00","closed_at":"2026-01-02T21:11:39.626820206+01:00","close_reason":"Deprioritized"}
 {"id":"fotospiel-app-576","title":"Tenant admin onboarding: legacy asset audit + component inventory","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:07:59.996563146+01:00","created_by":"soeren","updated_at":"2026-01-01T16:08:05.599274641+01:00","closed_at":"2026-01-01T16:08:05.599274641+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-579","title":"Live Show: tests (backend + UI smoke)","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-05T11:11:57.246607374+01:00","created_by":"soeren","updated_at":"2026-01-05T19:37:35.590123482+01:00","closed_at":"2026-01-05T19:37:35.590123482+01:00","close_reason":"Closed","dependencies":[{"issue_id":"fotospiel-app-579","depends_on_id":"fotospiel-app-539","type":"blocks","created_at":"2026-01-05T11:13:27.729131522+01:00","created_by":"soeren"},{"issue_id":"fotospiel-app-579","depends_on_id":"fotospiel-app-xg5","type":"blocks","created_at":"2026-01-05T11:13:37.425191011+01:00","created_by":"soeren"},{"issue_id":"fotospiel-app-579","depends_on_id":"fotospiel-app-qne","type":"blocks","created_at":"2026-01-05T11:13:46.257175231+01:00","created_by":"soeren"}]}
+{"id":"fotospiel-app-5aa","title":"Photobooth uploader: reliability + UX upgrades","status":"open","priority":2,"issue_type":"epic","owner":"codex-agent@example.com","created_at":"2026-01-13T11:01:29.745168595+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:01:29.745168595+01:00"}
 {"id":"fotospiel-app-5dl","title":"Paddle catalog sync: PaddleCatalogService scaffold","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:00:24.916655836+01:00","created_by":"soeren","updated_at":"2026-01-01T16:00:30.566084195+01:00","closed_at":"2026-01-01T16:00:30.566084195+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-5hk","title":"Fix staging coupon seed 500 for E2E","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-03T15:12:53.643644221+01:00","created_by":"soeren","updated_at":"2026-01-04T16:21:46.441797374+01:00","closed_at":"2026-01-04T16:21:46.441797374+01:00","close_reason":"Resolved elsewhere; staging coupon seed 500 no longer reproducible after recent backend changes."}
 {"id":"fotospiel-app-5ie","title":"Help docs: Live Show how-to + recommended hardware (DE/EN)","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-05T11:12:05.973844187+01:00","created_by":"soeren","updated_at":"2026-01-05T19:42:44.39939087+01:00","closed_at":"2026-01-05T19:42:44.39939087+01:00","close_reason":"Closed","dependencies":[{"issue_id":"fotospiel-app-5ie","depends_on_id":"fotospiel-app-vro","type":"blocks","created_at":"2026-01-05T11:13:54.925412888+01:00","created_by":"soeren"},{"issue_id":"fotospiel-app-5ie","depends_on_id":"fotospiel-app-539","type":"blocks","created_at":"2026-01-05T11:14:03.257649076+01:00","created_by":"soeren"}]}
 {"id":"fotospiel-app-5iy","title":"Security review: confirm env/header defaults","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:03:20.808188183+01:00","created_by":"soeren","updated_at":"2026-01-01T16:03:26.388002115+01:00","closed_at":"2026-01-01T16:03:26.388002115+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-5s3","title":"Localized SEO: canonical/hreflang tags + localized navigation","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:02:03.909947355+01:00","created_by":"soeren","updated_at":"2026-01-01T16:02:09.550647107+01:00","closed_at":"2026-01-01T16:02:09.550647107+01:00","close_reason":"Completed in codebase (verified)"}
+{"id":"fotospiel-app-5veo","title":"Investigate vite build timeout","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-21T12:49:14.166622473+01:00","created_by":"Codex Agent","updated_at":"2026-01-21T12:49:14.166622473+01:00"}
 {"id":"fotospiel-app-5zl","title":"Ensure checkout step 3 requires login for Paddle checkout","description":"Problem: Paddle checkout on step 3 fails when user is not logged in. Step 3 must enforce authentication before initializing Paddle checkout.\\n\\nSuggestions:\\n- Protect step 3 route/controller with auth middleware and redirect to login with intended return URL.\\n- Gate step 3 UI/CTA on auth state; show inline login prompt and disable Paddle until authenticated.\\n- Require auth in backend endpoint that creates Paddle transaction/session; return 401 and send user to login.\\n- Optionally preflight at end of step 2 to prompt login before advancing.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-04T12:31:43.215017311+01:00","created_by":"soeren","updated_at":"2026-01-04T12:42:45.088723058+01:00","closed_at":"2026-01-04T12:42:45.088723058+01:00","close_reason":"Closed"}
 {"id":"fotospiel-app-64l","title":"SEC-FE-01 CSP nonce/hashing rollout","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:54:47.607047443+01:00","created_by":"soeren","updated_at":"2026-01-01T15:55:56.477104351+01:00","closed_at":"2026-01-01T15:55:56.477104351+01:00","close_reason":"Completed in codebase (verified) - duplicate of fotospiel-app-zli"}
 {"id":"fotospiel-app-6dp","title":"Coupon ops enhancements (redemption service, preview endpoint, widget, export)","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:09:09.275919717+01:00","created_by":"soeren","updated_at":"2026-01-01T16:09:14.882264149+01:00","closed_at":"2026-01-01T16:09:14.882264149+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-6oj","title":"Security review: media pipeline code audit (AV/EXIF, signed URLs, storage separation)","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:05:31.390878341+01:00","created_by":"soeren","updated_at":"2026-01-01T16:05:31.390878341+01:00"}
 {"id":"fotospiel-app-6yt","title":"Paddle migration: register sandbox webhooks + document events consumed","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:56:34.333714988+01:00","created_by":"soeren","updated_at":"2026-01-02T22:23:52.212191068+01:00","closed_at":"2026-01-02T22:23:52.212191068+01:00","close_reason":"Completed"}
+{"id":"fotospiel-app-6yz","title":"Uploader: activity log export","description":"Part of epic fotospiel-app-5aa. Add in-app log view and export/copy diagnostics for support.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:04:27.73767403+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:04:27.73767403+01:00"}
 {"id":"fotospiel-app-6zc","title":"Live Show: Admin app settings \u0026 effect presets","status":"closed","priority":2,"issue_type":"feature","created_at":"2026-01-05T11:11:27.038815978+01:00","created_by":"soeren","updated_at":"2026-01-05T15:02:42.035082497+01:00","closed_at":"2026-01-05T15:02:42.035082497+01:00","close_reason":"Closed","dependencies":[{"issue_id":"fotospiel-app-6zc","depends_on_id":"fotospiel-app-vro","type":"blocks","created_at":"2026-01-05T11:12:50.048055484+01:00","created_by":"soeren"}]}
 {"id":"fotospiel-app-7bu","title":"Paddle migration: extend config/env handling for Paddle keys/webhook secrets","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:57:27.242854801+01:00","created_by":"soeren","updated_at":"2026-01-01T15:57:32.890355888+01:00","closed_at":"2026-01-01T15:57:32.890355888+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-7u1","title":"Paddle catalog sync: PaddlePackagePull job","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:00:47.468892178+01:00","created_by":"soeren","updated_at":"2026-01-01T16:00:53.126602817+01:00","closed_at":"2026-01-01T16:00:53.126602817+01:00","close_reason":"Completed in codebase (verified)"}
+{"id":"fotospiel-app-7uu","title":"Uploader: improve file readiness detection","description":"Part of epic fotospiel-app-5aa. Use size + last-write stabilization to avoid partial uploads.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:01:54.142231578+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:01:54.142231578+01:00"}
+{"id":"fotospiel-app-7x1","title":"Uploader: response format manual override","description":"Part of epic fotospiel-app-5aa. Allow manual response format override when connect code doesn't set it.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:03:54.824613016+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:03:54.824613016+01:00"}
 {"id":"fotospiel-app-83q","title":"Implement Advanced Analytics","description":"Full plan: Phase 1 (MVP) includes Activity Timeline, Top Contributors, and Task Stats. Phase 2 includes Engagement Funnel, Vibe Check, and PDF Export. See chat history for details.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-06T15:40:08.826105426+01:00","created_by":"soeren","updated_at":"2026-01-06T16:15:17.722450844+01:00","closed_at":"2026-01-06T16:15:17.722455019+01:00"}
+{"id":"fotospiel-app-8iw","title":"Modernize Tenant Admin PWA UI","status":"open","priority":1,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-17T14:36:39.802617182+01:00","created_by":"Codex Agent","updated_at":"2026-01-17T14:36:39.802617182+01:00"}
+{"id":"fotospiel-app-8ui","title":"Uploader: persist queue across restarts","description":"Part of epic fotospiel-app-5aa. Persist pending upload queue to disk (settings or local DB) so restarts don't lose files.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:01:42.213478619+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:01:42.213478619+01:00"}
 {"id":"fotospiel-app-95m","title":"Paddle migration: admin catalog sync UI for packages","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:57:49.790409261+01:00","created_by":"soeren","updated_at":"2026-01-01T15:57:55.418180246+01:00","closed_at":"2026-01-01T15:57:55.418180246+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-99d","title":"Paddle migration: marketing checkout uses Paddle-hosted checkout","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:58:12.298063897+01:00","created_by":"soeren","updated_at":"2026-01-01T15:58:17.968032021+01:00","closed_at":"2026-01-01T15:58:17.968032021+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-99o","title":"Fix German welcome phrasing with article-safe app_name","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-04T11:50:17.410390085+01:00","created_by":"soeren","updated_at":"2026-01-04T12:19:55.741616753+01:00","closed_at":"2026-01-04T12:19:55.741616753+01:00","close_reason":"Closed"}
 {"id":"fotospiel-app-9al","title":"Security review checklist: Marketing/API dynamic tests","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:04:35.116728385+01:00","created_by":"soeren","updated_at":"2026-01-01T16:04:35.116728385+01:00"}
+{"id":"fotospiel-app-9em","title":"Implement Adaptive Mobile Package Shop","description":"Refine the MobilePackageShopPage to be context-aware and personalized.\n\n**Goals:**\n1.  **Smart Sorting:** Highlight packages based on entry context (e.g., 'Upgrade for Analytics') and user inventory.\n2.  **Inventory Awareness:** Display current ownership status (e.g., 'Active', '2 Events left') directly on cards.\n3.  **Navigation Context:** Pass query params like '?feature=analytics' to trigger specific recommendations.\n\n**Tasks:**\n-   Update navigation in  to pass .\n-   Fetch  in  to merge catalog with inventory.\n-   Implement sorting logic: Recommendation \u003e Active \u003e Upgrades.\n-   Add visual badges for 'Recommended', 'Active', and event counts.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-06T20:53:07.353435511+01:00","created_by":"soeren","updated_at":"2026-01-06T20:57:37.719610971+01:00","closed_at":"2026-01-06T20:57:37.719615677+01:00"}
 {"id":"fotospiel-app-9gc","title":"Paddle migration: review current billing implementation","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:57:04.715058376+01:00","created_by":"soeren","updated_at":"2026-01-01T15:57:10.363528452+01:00","closed_at":"2026-01-01T15:57:10.363528452+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-9ls","title":"SEC-API-02 Public API incident response playbook","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:52:35.519759351+01:00","created_by":"soeren","updated_at":"2026-01-01T15:52:41.160768858+01:00","closed_at":"2026-01-01T15:52:41.160768858+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-9mc","title":"SEC-FE-02 Consent-gated analytics loader","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:55:14.916352908+01:00","created_by":"soeren","updated_at":"2026-01-01T15:55:20.566910025+01:00","closed_at":"2026-01-01T15:55:20.566910025+01:00","close_reason":"Completed in codebase (verified)"}
@@ -60,9 +73,12 @@
 {"id":"fotospiel-app-bqm","title":"Paddle catalog sync: unit tests for service + jobs","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:01:22.090498843+01:00","created_by":"soeren","updated_at":"2026-01-01T16:01:27.71412122+01:00","closed_at":"2026-01-01T16:01:27.71412122+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-bxu","title":"Checkout refactor: Stripe/Paddle payment integration + webhooks","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:06:32.279485614+01:00","created_by":"soeren","updated_at":"2026-01-01T16:06:37.876950599+01:00","closed_at":"2026-01-01T16:06:37.876950599+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-bzb","title":"Paddle catalog sync: migration for paddle sync columns","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:00:02.362257158+01:00","created_by":"soeren","updated_at":"2026-01-01T16:00:08.018770606+01:00","closed_at":"2026-01-01T16:00:08.018770606+01:00","close_reason":"Completed in codebase (verified)"}
+{"id":"fotospiel-app-cht","title":"Uploader: disk space low warning","description":"Part of epic fotospiel-app-5aa. Highlight low disk space thresholds in UI.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:03:32.710631234+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:03:32.710631234+01:00"}
 {"id":"fotospiel-app-ci5","title":"Paddle catalog sync: configure log channel/Slack hook for sync outcomes","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:59:20.543083527+01:00","created_by":"soeren","updated_at":"2026-01-02T22:02:15.857149244+01:00","closed_at":"2026-01-02T22:02:15.857149244+01:00","close_reason":"Completed"}
 {"id":"fotospiel-app-cwq","title":"Integrations health: unified Paddle/RevenueCat/webhook status dashboard","description":"Add a superadmin integrations health dashboard for Paddle/RevenueCat/webhooks.\nScope: show latest webhook processing status/lag, recent failures, retry backlog, and config presence (env set) without exposing secrets.\nInclude per-provider status badges and time-window filters, plus links to related logs/actions.\n","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T17:34:20.84661157+01:00","created_by":"soeren","updated_at":"2026-01-02T18:33:07.133704488+01:00","closed_at":"2026-01-02T18:33:07.133704488+01:00","close_reason":"Closed"}
 {"id":"fotospiel-app-d39","title":"Superadmin control surface spec and access matrix","description":"Define the minimal superadmin control surface, permissions, and mapping to tenant/guest responsibilities. Document scope and non-goals.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T14:16:06.994379577+01:00","updated_at":"2026-01-01T14:20:43.080701114+01:00","closed_at":"2026-01-01T14:20:43.080701114+01:00"}
+{"id":"fotospiel-app-dar","title":"Uploader: retry policy for failed uploads","description":"Part of epic fotospiel-app-5aa. Auto-retry with backoff and retry limit before marking failed.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:03:00.808893045+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:03:00.808893045+01:00"}
+{"id":"fotospiel-app-de7","title":"Re-run admin Playwright tests with valid E2E credentials","status":"open","priority":3,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-15T19:53:26.674926731+01:00","created_by":"Codex Agent","updated_at":"2026-01-15T19:53:26.674926731+01:00"}
 {"id":"fotospiel-app-dl5","title":"SEC-API-01 Signed URL middleware + asset migration","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:52:24.24098702+01:00","created_by":"soeren","updated_at":"2026-01-01T15:52:29.8793891+01:00","closed_at":"2026-01-01T15:52:29.8793891+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-dm4","title":"SEC-BILL-01 Checkout session linkage + idempotency locks","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:53:26.350238207+01:00","created_by":"soeren","updated_at":"2026-01-01T15:53:31.997737421+01:00","closed_at":"2026-01-01T15:53:31.997737421+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-dmb","title":"Security review checklist: Event Admin dynamic tests","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:04:46.359468828+01:00","created_by":"soeren","updated_at":"2026-01-01T16:04:46.359468828+01:00"}
@@ -83,6 +99,7 @@
 {"id":"fotospiel-app-iyh","title":"Security review follow-ups: signed URL TTLs, guest asset throttles, CORS allowlist, logging hygiene","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:05:42.642109576+01:00","created_by":"soeren","updated_at":"2026-01-01T16:05:42.642109576+01:00"}
 {"id":"fotospiel-app-jk4","title":"Checkout refactor: CheckoutController + marketing route alignment","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:06:21.088319132+01:00","created_by":"soeren","updated_at":"2026-01-01T16:06:26.663419594+01:00","closed_at":"2026-01-01T16:06:26.663419594+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-jqy","title":"Tenant admin onboarding: Playwright skeleton for welcome flow","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:08:11.226297707+01:00","created_by":"soeren","updated_at":"2026-01-01T16:08:16.827679424+01:00","closed_at":"2026-01-01T16:08:16.827679424+01:00","close_reason":"Completed in codebase (verified)"}
+{"id":"fotospiel-app-jy1","title":"Uploader: clear failed uploads UI","description":"Part of epic fotospiel-app-5aa. Add action to clear/reset failed items and counters.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:03:13.134661157+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:03:13.134661157+01:00"}
 {"id":"fotospiel-app-ko0","title":"Security review checklist: Webhooks/Billing dynamic tests","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:04:51.987093237+01:00","created_by":"soeren","updated_at":"2026-01-01T16:04:51.987093237+01:00"}
 {"id":"fotospiel-app-kry","title":"Paddle catalog sync: add DTO helpers for Paddle product/price responses","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:58:57.817750548+01:00","created_by":"soeren","updated_at":"2026-01-02T21:11:27.970220923+01:00","closed_at":"2026-01-02T21:11:27.970220923+01:00","close_reason":"Deprioritized"}
 {"id":"fotospiel-app-kso","title":"SEC-MS-02 Streaming upload refactor + tests","description":"Current state (code scan)\n- Guest uploads: App\\\\Http\\\\Controllers\\\\Api\\\\EventPublicController@upload uses Storage::disk()-\u003eputFile (stream-friendly) but still does watermark/thumbnail work inline.\n- Tenant admin uploads: App\\\\Http\\\\Controllers\\\\Api\\\\Tenant\\\\PhotoController@store and @uploadDirect use Storage::disk()-\u003eput($path, file_get_contents(...)) which loads entire file into memory.\n- Photobooth ingest already streams from import disk via readStream -\u003e Storage::disk()-\u003eput($path, $stream).\n- Presigned upload flow is stubbed to a local upload-direct endpoint; no true presigned S3 handling yet.\n- No tenant upload feature tests exist; guest upload tests exist and cover limits/security.\n\nGoal\n- Stream uploads to disk (avoid full in-memory buffers) for tenant-admin upload endpoints and keep behavior consistent across sources.\n\nPlan\n1) Introduce a small streaming upload helper/service\n   - New service (e.g. App\\\\Services\\\\Storage\\\\UploadStreamService) that accepts UploadedFile + disk + destination path.\n   - Use fopen on UploadedFile::getRealPath (or $file-\u003egetStream()) and Storage::disk($disk)-\u003eput($path, $stream) / writeStream.\n   - Always close stream; return stored size and checksum (hash_file on stored path) for asset metadata.\n\n2) Refactor tenant upload endpoints to use streaming\n   - Update PhotoController@store and @uploadDirect to use the helper instead of file_get_contents.\n   - Use Storage::disk()-\u003eputFileAs (or helper) to preserve deterministic paths without buffering.\n   - Keep existing validation, watermark, thumbnail, asset recording, and package usage logic.\n\n3) Optional consistency pass on guest upload\n   - Consider routing EventPublicController@upload through the same helper for consistent storage + checksum handling, while keeping current validation/limits.\n\n4) Tests\n   - Add Feature tests for tenant upload endpoints:\n     - /api/v1/tenant/events/{slug}/photos (store) uploads a fake image and persists Photo + EventMediaAsset with expected path/size.\n     - /api/v1/tenant/events/{slug}/upload-direct (presigned) uploads a fake image and stores asset + thumbnail.\n   - Ensure existing guest upload tests still pass (no behavioral changes).\n\n5) Safety/ops\n   - Verify streaming logic handles empty/invalid files gracefully and still reports errors via ApiError.\n   - Keep request-time processing (thumb/watermark) unchanged for now; consider queuing in a follow-up if CPU spikes persist.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:53:03.729137616+01:00","created_by":"soeren","updated_at":"2026-01-02T20:51:17.752365339+01:00","closed_at":"2026-01-02T20:51:17.752365339+01:00","close_reason":"Closed"}
@@ -90,6 +107,8 @@
 {"id":"fotospiel-app-l3n","title":"Session changes 2025-09-08 (PRP split, PWA scaffolding, Filament resources, API)","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:10:18.204088457+01:00","created_by":"soeren","updated_at":"2026-01-01T16:10:23.815135505+01:00","closed_at":"2026-01-01T16:10:23.815135505+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-l6a","title":"Registration flow fixes: JSON redirect, error clearing, role handling","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:07:16.253760139+01:00","created_by":"soeren","updated_at":"2026-01-01T16:07:21.964843904+01:00","closed_at":"2026-01-01T16:07:21.964843904+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-l8q","title":"SEC-GT-02 Join-token analytics dashboard (Grafana)","description":"Logging + Filament summaries exist; Grafana dashboard still missing.","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T15:52:12.920875329+01:00","created_by":"soeren","updated_at":"2026-01-01T15:52:12.920875329+01:00"}
+{"id":"fotospiel-app-lj6","title":"Uploader: folder health enhancements","description":"Part of epic fotospiel-app-5aa. Track last file seen, write permissions, and show clearer folder status.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:03:22.843330813+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:03:22.843330813+01:00"}
+{"id":"fotospiel-app-llq","title":"Uploader: lock settings after connect","description":"Part of epic fotospiel-app-5aa. Prevent accidental changes to base URL/credentials unless explicitly unlocked.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:03:43.40971185+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:03:43.40971185+01:00"}
 {"id":"fotospiel-app-ln3","title":"Paddle catalog sync: announce workflow change to admin users","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:59:49.021233635+01:00","created_by":"soeren","updated_at":"2026-01-02T21:11:09.349495631+01:00","closed_at":"2026-01-02T21:11:09.349495631+01:00","close_reason":"Deprioritized"}
 {"id":"fotospiel-app-lnb","title":"SEC-GT-01 Hash join tokens + data migration","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:52:01.658868778+01:00","created_by":"soeren","updated_at":"2026-01-01T15:52:07.314317124+01:00","closed_at":"2026-01-01T15:52:07.314317124+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-lnf","title":"Remove legacy registration page assets","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-06T08:37:39.419274918+01:00","created_by":"soeren","updated_at":"2026-01-06T08:37:39.419274918+01:00"}
@@ -99,6 +118,7 @@
 {"id":"fotospiel-app-ml7","title":"SEC-GT-03 Tighten gallery/photo rate limits + alerting","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T15:52:18.593415508+01:00","created_by":"soeren","updated_at":"2026-01-01T15:52:18.593415508+01:00"}
 {"id":"fotospiel-app-mol","title":"Coupon ops: wire analytics into Matomo dashboard","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:09:27.722458747+01:00","created_by":"soeren","updated_at":"2026-01-02T23:28:18.178704873+01:00","closed_at":"2026-01-02T23:28:18.178704873+01:00","close_reason":"Closed"}
 {"id":"fotospiel-app-mpu","title":"Checkout refactor: test coverage + rollout notes","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:06:43.488302531+01:00","created_by":"soeren","updated_at":"2026-01-01T16:06:49.13645691+01:00","closed_at":"2026-01-01T16:06:49.13645691+01:00","close_reason":"Completed in codebase (verified)"}
+{"id":"fotospiel-app-mwi","title":"Uploader: duplicate detection / upload cache","description":"Part of epic fotospiel-app-5aa. Track uploaded files (path/hash) to avoid re-uploads after restart.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:02:06.432781468+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:02:06.432781468+01:00"}
 {"id":"fotospiel-app-mx5","title":"Localized SEO: sitemap updated with locale alternates","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:02:15.177013722+01:00","created_by":"soeren","updated_at":"2026-01-01T16:02:20.812287917+01:00","closed_at":"2026-01-01T16:02:20.812287917+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-mxw","title":"Security review: configure env assumptions for dynamic testing","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:04:29.498402235+01:00","created_by":"soeren","updated_at":"2026-01-01T16:04:29.498402235+01:00"}
 {"id":"fotospiel-app-n8q","title":"Paddle migration: draft production cutover procedure","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:56:51.427425262+01:00","created_by":"soeren","updated_at":"2026-01-02T22:28:41.469357437+01:00","closed_at":"2026-01-02T22:28:41.469357437+01:00","close_reason":"Completed"}
@@ -116,11 +136,16 @@
 {"id":"fotospiel-app-qlj","title":"Paddle catalog sync: verify legacy packages mapped before auto-sync","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:59:43.333792314+01:00","created_by":"soeren","updated_at":"2026-01-02T21:46:52.797515024+01:00","closed_at":"2026-01-02T21:46:52.797515024+01:00","close_reason":"Completed"}
 {"id":"fotospiel-app-qne","title":"Live Show: realtime delivery channel (WS/SSE) + fallback polling","acceptance_criteria":"- Public Live Show endpoints exist for state, updates, and SSE stream\\n- Updates endpoint supports cursor (after_approved_at + after_id)\\n- SSE emits photo.approved and ping, with settings updates when version changes\\n- Feature tests cover state, updates, invalid token","notes":"Added LiveShowController with public endpoints: /api/v1/live-show/{token} (state), /updates (polling), /stream (SSE). Provides live-show settings (defaults + event.settings.live_show merge), settings_version hash, ordered approved photo feed with cursor. SSE emits photo.approved, settings.updated, ping. Added routes in routes/api.php. Added Photo live_status default. Tests: tests/Feature/LiveShowRealtimeTest.php. Ran Pint + test.","status":"closed","priority":1,"issue_type":"feature","created_at":"2026-01-05T11:11:06.028871737+01:00","created_by":"soeren","updated_at":"2026-01-05T13:08:33.936740582+01:00","closed_at":"2026-01-05T13:08:33.936740582+01:00","close_reason":"Closed","dependencies":[{"issue_id":"fotospiel-app-qne","depends_on_id":"fotospiel-app-t1k","type":"blocks","created_at":"2026-01-05T11:12:30.363982215+01:00","created_by":"soeren"}]}
 {"id":"fotospiel-app-qtn","title":"Security review kickoff mitigations (CORS allowlist, headers, upload hardening, signed URLs)","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:09:46.310873311+01:00","created_by":"soeren","updated_at":"2026-01-01T16:09:51.914359487+01:00","closed_at":"2026-01-01T16:09:51.914359487+01:00","close_reason":"Completed in codebase (verified)"}
+{"id":"fotospiel-app-rpv","title":"Uploader: connection test (no upload)","description":"Part of epic fotospiel-app-5aa. Add lightweight ping/test for upload URL + credentials.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:02:39.061938692+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:02:39.061938692+01:00"}
 {"id":"fotospiel-app-sbs","title":"Compliance tools: data export + retention overrides","description":"GDPR-compliant export requests and retention override workflows for tenants/events.","status":"closed","priority":3,"issue_type":"feature","created_at":"2026-01-01T14:20:16.530289009+01:00","updated_at":"2026-01-02T20:13:31.704875591+01:00","closed_at":"2026-01-02T20:13:31.704875591+01:00","close_reason":"Closed"}
+{"id":"fotospiel-app-sdg","title":"Uploader: watch include/exclude patterns","description":"Part of epic fotospiel-app-5aa. Configurable file patterns (ignore tmp/preview) for watcher.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:02:17.188267106+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:02:17.188267106+01:00"}
 {"id":"fotospiel-app-sju","title":"Live Show link sharing + QR in admin","description":"Expose Live Show link in Event Admin with copy/share/open actions and embedded QR (use simplesoftwareio/simple-qrcode, no external service). Add API endpoints for link fetch/rotate, admin UI card with rotate confirmation, and tests.","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-05T20:00:25.427132538+01:00","created_by":"soeren","updated_at":"2026-01-05T20:00:25.427132538+01:00"}
+{"id":"fotospiel-app-spq8","title":"Eslint fails due to existing repo violations","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-19T18:49:19.208323875+01:00","created_by":"Codex Agent","updated_at":"2026-01-19T18:49:19.208323875+01:00"}
 {"id":"fotospiel-app-swb","title":"Security review: replace public asset URLs with signed routes","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:04:05.610098299+01:00","created_by":"soeren","updated_at":"2026-01-01T16:04:11.215921463+01:00","closed_at":"2026-01-01T16:04:11.215921463+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-t1k","title":"Live Show: data model \u0026 status workflow (pending/approved/ready)","acceptance_criteria":"- DB migrations add event token + photo live fields + indexes\\n- Token generation supports rotation (no expiry)\\n- Photo live workflow methods set timestamps/reviewer consistently\\n- Feature test covers token + workflow","notes":"Implemented Live Show data model: events.live_show_token + live_show_token_rotated_at; photos.live_status + timestamps/reviewer/rejection fields + indexes. Added PhotoLiveStatus enum and Photo workflow methods (markLivePending/approveForLiveShow/rejectForLiveShow). Added Event helpers (ensureLiveShowToken/rotateLiveShowToken). Tests: tests/Feature/LiveShowDataModelTest.php.","status":"closed","priority":1,"issue_type":"feature","created_at":"2026-01-05T11:10:56.560421826+01:00","created_by":"soeren","updated_at":"2026-01-05T12:22:51.967913423+01:00","closed_at":"2026-01-05T12:22:51.967913423+01:00","close_reason":"Closed","dependencies":[{"issue_id":"fotospiel-app-t1k","depends_on_id":"fotospiel-app-vro","type":"blocks","created_at":"2026-01-05T11:12:20.345646244+01:00","created_by":"soeren"},{"issue_id":"fotospiel-app-t1k","depends_on_id":"fotospiel-app-h5d","type":"blocks","created_at":"2026-01-05T11:44:12.439413712+01:00","created_by":"soeren"},{"issue_id":"fotospiel-app-t1k","depends_on_id":"fotospiel-app-1eu","type":"blocks","created_at":"2026-01-05T11:44:22.588642567+01:00","created_by":"soeren"},{"issue_id":"fotospiel-app-t1k","depends_on_id":"fotospiel-app-1we","type":"blocks","created_at":"2026-01-05T11:44:31.775634827+01:00","created_by":"soeren"}]}
+{"id":"fotospiel-app-t2s","title":"Uploader: multiple event profiles","description":"Part of epic fotospiel-app-5aa. Save multiple event profiles and allow quick switching.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:04:18.20222112+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:04:18.20222112+01:00"}
 {"id":"fotospiel-app-tqg","title":"Tenant admin onboarding: staging E2E validation","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:08:57.448899354+01:00","created_by":"soeren","updated_at":"2026-01-01T16:08:57.448899354+01:00"}
+{"id":"fotospiel-app-tsb","title":"Uploader: upload throttling presets","description":"Part of epic fotospiel-app-5aa. Add optional delay/presets to smooth upload bursts.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:02:27.111436345+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:02:27.111436345+01:00"}
 {"id":"fotospiel-app-ty9","title":"Security review: data classes \u0026 retention baseline","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:03:09.595870306+01:00","created_by":"soeren","updated_at":"2026-01-01T16:03:15.211042718+01:00","closed_at":"2026-01-01T16:03:15.211042718+01:00","close_reason":"Completed in codebase (verified)"}
 {"id":"fotospiel-app-tym","title":"Ops health dashboard (queues, storage, upload pipeline)","description":"Superadmin ops dashboard showing queue backlog, failed jobs, storage thresholds, and upload pipeline health.","notes":"Implemented Ops Health dashboard with storage+queue widgets, new translations, and navigation wiring.","status":"closed","priority":2,"issue_type":"feature","created_at":"2026-01-01T14:20:04.991351193+01:00","updated_at":"2026-01-02T17:34:10.326367902+01:00","closed_at":"2026-01-02T17:34:10.326367902+01:00","close_reason":"Closed"}
 {"id":"fotospiel-app-ugk","title":"Paddle catalog sync: feature test for artisan command","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T16:01:33.309716868+01:00","created_by":"soeren","updated_at":"2026-01-01T16:01:38.940407157+01:00","closed_at":"2026-01-01T16:01:38.940407157+01:00","close_reason":"Completed in codebase (verified)"}
@@ -139,6 +164,7 @@
 {"id":"fotospiel-app-wku","title":"Security review: run dynamic testing harness (identities, DAST, fuzz uploads)","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-01T16:05:37.008239379+01:00","created_by":"soeren","updated_at":"2026-01-01T16:05:37.008239379+01:00"}
 {"id":"fotospiel-app-xg5","title":"Live Show: Admin app moderation queue UI","acceptance_criteria":"- Dedicated Live Show moderation API endpoints exist for list + approve/reject/clear\\n- Admin mobile UI exposes Live Show queue with status filter and actions\\n- PhotoResource includes live_* fields for admin UI\\n- Feature tests cover list + approve/reject/clear workflows","notes":"Added dedicated Live Show moderation API (tenant admin): /events/{slug}/live-show/photos + approve/reject/clear actions. Added LiveShowPhotoController + FormRequests. PhotoResource now exposes live_* fields. Admin app: new Live Show queue page, route, and Event detail shortcut tile. Admin API updated with Live Show functions + types. Added translations (EN/DE) for Live Show queue UI. Tests: tests/Feature/LiveShowPhotoControllerTest.php.","status":"closed","priority":2,"issue_type":"feature","created_at":"2026-01-05T11:11:15.006484132+01:00","created_by":"soeren","updated_at":"2026-01-05T14:03:41.410176482+01:00","closed_at":"2026-01-05T14:03:41.410176482+01:00","close_reason":"Closed","dependencies":[{"issue_id":"fotospiel-app-xg5","depends_on_id":"fotospiel-app-t1k","type":"blocks","created_at":"2026-01-05T11:12:38.94145573+01:00","created_by":"soeren"}]}
 {"id":"fotospiel-app-xht","title":"Paddle migration: tenant ↔ Paddle customer sync + webhook handlers","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-01T15:58:01.028435913+01:00","created_by":"soeren","updated_at":"2026-01-01T15:58:06.685122343+01:00","closed_at":"2026-01-01T15:58:06.685122343+01:00","close_reason":"Completed in codebase (verified)"}
+{"id":"fotospiel-app-xik","title":"Uploader: richer error details","description":"Part of epic fotospiel-app-5aa. Surface HTTP status/body summary in last error and recent uploads.","status":"open","priority":2,"issue_type":"task","owner":"codex-agent@example.com","created_at":"2026-01-13T11:02:49.591107008+01:00","created_by":"Codex Agent","updated_at":"2026-01-13T11:02:49.591107008+01:00"}
 {"id":"fotospiel-app-y1f","title":"Compliance tools: superadmin data export + retention override UI","description":"Add superadmin compliance tools for data exports and retention overrides.\nScope: list export requests, status, expiry, and allow manual retry/cancel; add per-tenant/event retention override UI with audit logging.\nEnsure access is restricted to superadmins and no PII is exposed beyond existing export metadata.\n","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-02T17:34:29.825347299+01:00","created_by":"soeren","updated_at":"2026-01-02T22:49:53.586758621+01:00","closed_at":"2026-01-02T22:49:53.586758621+01:00","close_reason":"Closed"}
 {"id":"fotospiel-app-yii","title":"Implement 'Upgrade to Premium' flow for Analytics Upsell","description":"The Analytics page currently has an upsell screen for non-premium users. The 'Upgrade to Premium' button redirects to the billing page, but the actual upgrade/purchase flow needs to be fully implemented and verified to allow users to unlock the feature.","status":"closed","priority":2,"issue_type":"task","created_at":"2026-01-06T16:13:55.446495378+01:00","created_by":"soeren","updated_at":"2026-01-06T16:35:41.968964977+01:00","closed_at":"2026-01-06T16:35:41.968970147+01:00"}
 {"id":"fotospiel-app-z2k","title":"Ops health widget visual polish","description":"Replace Tailwind utility styling in ops health widget with Filament components and icon-driven layout.","notes":"Updated queue health widget layout to use Filament cards, badges, empty states, and grid utilities; added status strip and alert rail.","status":"closed","priority":3,"issue_type":"task","created_at":"2026-01-01T21:34:39.851728527+01:00","created_by":"soeren","updated_at":"2026-01-01T21:34:59.834597413+01:00","closed_at":"2026-01-01T21:34:59.834597413+01:00","close_reason":"completed"}

.beads/last-touched

@@ -1 +0,0 @@
-fotospiel-app-yii

.beads/metadata.json

@@ -1,4 +1,5 @@
 {
   "database": "beads.db",
-  "jsonl_export": "issues.jsonl"
-}
+  "jsonl_export": "issues.jsonl",
+  "last_bd_version": "0.49.0"
+}

.env.example

@@ -97,6 +97,11 @@ GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
 GOOGLE_REDIRECT_URI=${APP_URL}/checkout/auth/google/callback
 
+# Facebook OAuth (Checkout comfort login)
+FACEBOOK_CLIENT_ID=
+FACEBOOK_CLIENT_SECRET=
+FACEBOOK_REDIRECT_URI=${APP_URL}/checkout/auth/facebook/callback
+
 VITE_APP_NAME="${APP_NAME}"
 VITE_ENABLE_TENANT_SWITCHER=false
 REVENUECAT_WEBHOOK_SECRET=
@@ -112,14 +117,22 @@ PAYPAL_CLIENT_ID=
 PAYPAL_SECRET=
 PAYPAL_SANDBOX=true
 
-# Paddle Billing
-PADDLE_SANDBOX=true
-PADDLE_API_KEY=
-PADDLE_CLIENT_ID=
-PADDLE_WEBHOOK_SECRET=
-PADDLE_PUBLIC_KEY=
-PADDLE_BASE_URL=
-PADDLE_CONSOLE_URL=
+# Lemon Squeezy Billing
+LEMONSQUEEZY_STORE_ID=284860
+LEMONSQUEEZY_API_KEY=
+LEMONSQUEEZY_WEBHOOK_SECRET=
+LEMONSQUEEZY_WEBHOOK_EVENTS=
+LEMONSQUEEZY_TEST_MODE=false
+LEMONSQUEEZY_BASE_URL=https://api.lemonsqueezy.com/v1
+LEMONSQUEEZY_GIFT_VARIANT_STARTER=
+LEMONSQUEEZY_GIFT_VARIANT_STARTER_USD=
+LEMONSQUEEZY_GIFT_VARIANT_STARTER_GBP=
+LEMONSQUEEZY_GIFT_VARIANT_STANDARD=
+LEMONSQUEEZY_GIFT_VARIANT_STANDARD_USD=
+LEMONSQUEEZY_GIFT_VARIANT_STANDARD_GBP=
+LEMONSQUEEZY_GIFT_VARIANT_PREMIUM=
+LEMONSQUEEZY_GIFT_VARIANT_PREMIUM_USD=
+LEMONSQUEEZY_GIFT_VARIANT_PREMIUM_GBP=
 
 # Sanctum / SPA auth
 SANCTUM_STATEFUL_DOMAINS=localhost,localhost:3000
@@ -187,5 +200,9 @@ STORAGE_QUEUE_PENDING_EVENT_MINUTES=8
 STORAGE_QUEUE_FAILED_EVENT_THRESHOLD=2
 STORAGE_QUEUE_FAILED_EVENT_MINUTES=30
 STORAGE_QUEUE_GUEST_ALERT_TTL=30
+STORAGE_CHECKSUM_VALIDATION=true
+STORAGE_CHECKSUM_ALERT_WINDOW_MINUTES=60
+STORAGE_CHECKSUM_WARNING=1
+STORAGE_CHECKSUM_CRITICAL=5
 
 

.gitignore

@@ -12,7 +12,10 @@ fotospiel-tenant-app
 /resources/js/wayfinder
 /storage/*.key
 /storage/pail
+/C:\\wwwroot\\fotospiel-app\\storage\\app/
 /vendor
+/clients/photobooth-uploader/**/bin
+/clients/photobooth-uploader/**/obj
 .env
 .env.backup
 .env.production
@@ -23,11 +26,9 @@ Homestead.yaml
 npm-debug.log
 yarn-error.log
 /auth.json
-/.fleet
-/.idea
-/.nova
 /.vscode
-/.zed
-tools/git-askpass.ps1
-podman-compose.dev.yml
 test-results
+GEMINI.md
+.beads/.sync.lock
+.beads/daemon-error
+.beads/sync_base.jsonl

.tamagui/prompt.md

@@ -337,8 +337,8 @@ Tokens are design system values that can be referenced using the `$` prefix.
 
 ### Color Tokens
 
-- `accent`: #FFB6C1
-- `accentSoft`: #FFE5EC
+- `accent`: #3D5AFE
+- `accentSoft`: #E8ECFF
 - `blue10Dark`: hsl(209, 100%, 60.6%)
 - `blue10Light`: hsl(208, 100%, 47.3%)
 - `blue11Dark`: hsl(210, 100%, 66.1%)
@@ -363,8 +363,8 @@ Tokens are design system values that can be referenced using the `$` prefix.
 - `blue8Light`: hsl(206, 81.9%, 65.3%)
 - `blue9Dark`: hsl(206, 100%, 50.0%)
 - `blue9Light`: hsl(206, 100%, 50.0%)
-- `border`: #F2E4DA
-- `danger`: #E04848
+- `border`: #F3D6C9
+- `danger`: #EF4444
 - `gray10Dark`: hsl(0, 0%, 49.4%)
 - `gray10Light`: hsl(0, 0%, 52.3%)
 - `gray11Dark`: hsl(0, 0%, 62.8%)
@@ -413,7 +413,7 @@ Tokens are design system values that can be referenced using the `$` prefix.
 - `green8Light`: hsl(151, 40.2%, 54.1%)
 - `green9Dark`: hsl(151, 55.0%, 41.5%)
 - `green9Light`: hsl(151, 55.0%, 41.5%)
-- `muted`: #F4ECE8
+- `muted`: #FFF6F0
 - `orange10Dark`: hsl(24, 100%, 58.5%)
 - `orange10Light`: hsl(24, 100%, 46.5%)
 - `orange11Dark`: hsl(24, 100%, 62.2%)
@@ -462,7 +462,7 @@ Tokens are design system values that can be referenced using the `$` prefix.
 - `pink8Light`: hsl(323, 60.3%, 72.4%)
 - `pink9Dark`: hsl(322, 65.0%, 54.5%)
 - `pink9Light`: hsl(322, 65.0%, 54.5%)
-- `primary`: #FF5A5F
+- `primary`: #FF5C5C
 - `purple10Dark`: hsl(273, 57.3%, 59.1%)
 - `purple10Light`: hsl(272, 46.8%, 50.3%)
 - `purple11Dark`: hsl(275, 80.0%, 71.0%)
@@ -511,10 +511,10 @@ Tokens are design system values that can be referenced using the `$` prefix.
 - `red8Light`: hsl(359, 69.5%, 74.3%)
 - `red9Dark`: hsl(358, 75.0%, 59.0%)
 - `red9Light`: hsl(358, 75.0%, 59.0%)
-- `success`: #06D6A0
+- `success`: #22C55E
 - `surface`: #ffffff
-- `text`: #1F2937
-- `warning`: #F5C542
+- `text`: #0B132B
+- `warning`: #FBBF24
 - `yellow10Dark`: hsl(54, 100%, 68.0%)
 - `yellow10Light`: hsl(50, 100%, 48.5%)
 - `yellow11Dark`: hsl(48, 100%, 47.0%)

.tamagui/tamaguibutton-components.config.cjs

@@ -118,319 +118,8 @@ var isWindowDefined = typeof window < "u";
 var isClient = isWeb && isWindowDefined;
 var isChrome = typeof navigator < "u" && /Chrome/.test(navigator.userAgent || "");
 var isWebTouchable = isClient && ("ontouchstart" in window || navigator.maxTouchPoints > 0);
-var isAndroid = false;
 var isIos = process.env.TEST_NATIVE_PLATFORM === "ios";
 
-// node_modules/@tamagui/helpers/dist/esm/validStyleProps.mjs
-var textColors = {
-  color: true,
-  textDecorationColor: true,
-  textShadowColor: true
-};
-var tokenCategories = {
-  radius: {
-    borderRadius: true,
-    borderTopLeftRadius: true,
-    borderTopRightRadius: true,
-    borderBottomLeftRadius: true,
-    borderBottomRightRadius: true,
-    // logical
-    borderStartStartRadius: true,
-    borderStartEndRadius: true,
-    borderEndStartRadius: true,
-    borderEndEndRadius: true
-  },
-  size: {
-    width: true,
-    height: true,
-    minWidth: true,
-    minHeight: true,
-    maxWidth: true,
-    maxHeight: true,
-    blockSize: true,
-    minBlockSize: true,
-    maxBlockSize: true,
-    inlineSize: true,
-    minInlineSize: true,
-    maxInlineSize: true
-  },
-  zIndex: {
-    zIndex: true
-  },
-  color: {
-    backgroundColor: true,
-    borderColor: true,
-    borderBlockStartColor: true,
-    borderBlockEndColor: true,
-    borderBlockColor: true,
-    borderBottomColor: true,
-    borderInlineColor: true,
-    borderInlineStartColor: true,
-    borderInlineEndColor: true,
-    borderTopColor: true,
-    borderLeftColor: true,
-    borderRightColor: true,
-    borderEndColor: true,
-    borderStartColor: true,
-    shadowColor: true,
-    ...textColors,
-    outlineColor: true,
-    caretColor: true
-  }
-};
-var stylePropsUnitless = {
-  WebkitLineClamp: true,
-  animationIterationCount: true,
-  aspectRatio: true,
-  borderImageOutset: true,
-  borderImageSlice: true,
-  borderImageWidth: true,
-  columnCount: true,
-  flex: true,
-  flexGrow: true,
-  flexOrder: true,
-  flexPositive: true,
-  flexShrink: true,
-  flexNegative: true,
-  fontWeight: true,
-  gridRow: true,
-  gridRowEnd: true,
-  gridRowGap: true,
-  gridRowStart: true,
-  gridColumn: true,
-  gridColumnEnd: true,
-  gridColumnGap: true,
-  gridColumnStart: true,
-  gridTemplateColumns: true,
-  gridTemplateAreas: true,
-  lineClamp: true,
-  opacity: true,
-  order: true,
-  orphans: true,
-  tabSize: true,
-  widows: true,
-  zIndex: true,
-  zoom: true,
-  scale: true,
-  scaleX: true,
-  scaleY: true,
-  scaleZ: true,
-  shadowOpacity: true
-};
-var stylePropsTransform = {
-  x: true,
-  y: true,
-  scale: true,
-  perspective: true,
-  scaleX: true,
-  scaleY: true,
-  skewX: true,
-  skewY: true,
-  matrix: true,
-  rotate: true,
-  rotateY: true,
-  rotateX: true,
-  rotateZ: true
-};
-var stylePropsView = {
-  backfaceVisibility: true,
-  borderBottomEndRadius: true,
-  borderBottomStartRadius: true,
-  borderBottomWidth: true,
-  borderLeftWidth: true,
-  borderRightWidth: true,
-  borderBlockWidth: true,
-  borderBlockEndWidth: true,
-  borderBlockStartWidth: true,
-  borderInlineWidth: true,
-  borderInlineEndWidth: true,
-  borderInlineStartWidth: true,
-  borderStyle: true,
-  borderBlockStyle: true,
-  borderBlockEndStyle: true,
-  borderBlockStartStyle: true,
-  borderInlineStyle: true,
-  borderInlineEndStyle: true,
-  borderInlineStartStyle: true,
-  borderTopEndRadius: true,
-  borderTopStartRadius: true,
-  borderTopWidth: true,
-  borderWidth: true,
-  transform: true,
-  transformOrigin: true,
-  alignContent: true,
-  alignItems: true,
-  alignSelf: true,
-  borderEndWidth: true,
-  borderStartWidth: true,
-  bottom: true,
-  display: true,
-  end: true,
-  flexBasis: true,
-  flexDirection: true,
-  flexWrap: true,
-  gap: true,
-  columnGap: true,
-  rowGap: true,
-  justifyContent: true,
-  left: true,
-  margin: true,
-  marginBlock: true,
-  marginBlockEnd: true,
-  marginBlockStart: true,
-  marginInline: true,
-  marginInlineStart: true,
-  marginInlineEnd: true,
-  marginBottom: true,
-  marginEnd: true,
-  marginHorizontal: true,
-  marginLeft: true,
-  marginRight: true,
-  marginStart: true,
-  marginTop: true,
-  marginVertical: true,
-  overflow: true,
-  padding: true,
-  paddingBottom: true,
-  paddingInline: true,
-  paddingBlock: true,
-  paddingBlockStart: true,
-  paddingInlineEnd: true,
-  paddingInlineStart: true,
-  paddingEnd: true,
-  paddingHorizontal: true,
-  paddingLeft: true,
-  paddingRight: true,
-  paddingStart: true,
-  paddingTop: true,
-  paddingVertical: true,
-  position: true,
-  right: true,
-  start: true,
-  top: true,
-  inset: true,
-  insetBlock: true,
-  insetBlockEnd: true,
-  insetBlockStart: true,
-  insetInline: true,
-  insetInlineEnd: true,
-  insetInlineStart: true,
-  direction: true,
-  shadowOffset: true,
-  shadowRadius: true,
-  ...tokenCategories.color,
-  ...tokenCategories.radius,
-  ...tokenCategories.size,
-  ...tokenCategories.radius,
-  ...stylePropsTransform,
-  ...stylePropsUnitless,
-  boxShadow: true,
-  filter: true,
-  // RN 0.77+ style props (set REACT_NATIVE_PRE_77=1 for older RN)
-  ...!process.env.REACT_NATIVE_PRE_77 && {
-    boxSizing: true,
-    mixBlendMode: true,
-    outlineColor: true,
-    outlineSpread: true,
-    outlineStyle: true,
-    outlineWidth: true
-  },
-  // RN doesn't support specific border styles per-edge
-  transition: true,
-  textWrap: true,
-  backdropFilter: true,
-  WebkitBackdropFilter: true,
-  background: true,
-  backgroundAttachment: true,
-  backgroundBlendMode: true,
-  backgroundClip: true,
-  backgroundColor: true,
-  backgroundImage: true,
-  backgroundOrigin: true,
-  backgroundPosition: true,
-  backgroundRepeat: true,
-  backgroundSize: true,
-  borderBottomStyle: true,
-  borderImage: true,
-  borderLeftStyle: true,
-  borderRightStyle: true,
-  borderTopStyle: true,
-  caretColor: true,
-  clipPath: true,
-  contain: true,
-  containerType: true,
-  content: true,
-  cursor: true,
-  float: true,
-  mask: true,
-  maskBorder: true,
-  maskBorderMode: true,
-  maskBorderOutset: true,
-  maskBorderRepeat: true,
-  maskBorderSlice: true,
-  maskBorderSource: true,
-  maskBorderWidth: true,
-  maskClip: true,
-  maskComposite: true,
-  maskImage: true,
-  maskMode: true,
-  maskOrigin: true,
-  maskPosition: true,
-  maskRepeat: true,
-  maskSize: true,
-  maskType: true,
-  objectFit: true,
-  objectPosition: true,
-  outlineOffset: true,
-  overflowBlock: true,
-  overflowInline: true,
-  overflowX: true,
-  overflowY: true,
-  pointerEvents: true,
-  scrollbarWidth: true,
-  textEmphasis: true,
-  touchAction: true,
-  transformStyle: true,
-  userSelect: true,
-  willChange: true,
-  ...isAndroid ? {
-    elevationAndroid: true
-  } : {}
-};
-var stylePropsFont = {
-  fontFamily: true,
-  fontSize: true,
-  fontStyle: true,
-  fontWeight: true,
-  fontVariant: true,
-  letterSpacing: true,
-  lineHeight: true,
-  textTransform: true
-};
-var stylePropsTextOnly = {
-  ...stylePropsFont,
-  textAlign: true,
-  textDecorationLine: true,
-  textDecorationStyle: true,
-  ...textColors,
-  textShadowOffset: true,
-  textShadowRadius: true,
-  userSelect: true,
-  selectable: true,
-  verticalAlign: true,
-  whiteSpace: true,
-  wordWrap: true,
-  textOverflow: true,
-  textDecorationDistance: true,
-  cursor: true,
-  WebkitLineClamp: true,
-  WebkitBoxOrient: true
-};
-var stylePropsText = {
-  ...stylePropsView,
-  ...stylePropsTextOnly
-};
-
 // node_modules/@tamagui/helpers/dist/esm/withStaticProperties.mjs
 var import_react2 = __toESM(require("react"), 1);
 var Decorated = Symbol();
@@ -755,7 +444,10 @@ var SizableText2 = (0, import_web4.styled)(import_web4.Text, {
   }
 });
 SizableText2.staticConfig.variants.fontFamily = {
-  "...": /* @__PURE__ */ __name((_val, extras) => {
+  "...": /* @__PURE__ */ __name((val, extras) => {
+    if (val === "inherit") return {
+      fontFamily: "inherit"
+    };
     const sizeProp = extras.props.size, fontSizeProp = extras.props.fontSize, size = sizeProp === "$true" && fontSizeProp ? fontSizeProp : extras.props.size || "$true";
     return getFontSized(size, extras);
   }, "...")

.tamagui/tamaguitext-components.config.cjs

@@ -112,7 +112,10 @@ var SizableText2 = (0, import_web2.styled)(import_web2.Text, {
   }
 });
 SizableText2.staticConfig.variants.fontFamily = {
-  "...": /* @__PURE__ */ __name((_val, extras) => {
+  "...": /* @__PURE__ */ __name((val, extras) => {
+    if (val === "inherit") return {
+      fontFamily: "inherit"
+    };
     const sizeProp = extras.props.size, fontSizeProp = extras.props.fontSize, size = sizeProp === "$true" && fontSizeProp ? fontSizeProp : extras.props.size || "$true";
     return getFontSized(size, extras);
   }, "...")

AGENTS.md

@@ -27,8 +27,8 @@ This repository hosts a multi-tenant event photo platform (Laravel 12, PHP 8.3,
 - Languages/Frameworks: PHP 8.2+ (Laravel 12), TypeScript/JavaScript (React 19/Vite 7/Tailwind 4), Filament 4.
 - Dev Commands: composer, npm, vite, artisan, PHPUnit, Pint/ESLint, Docker/Compose (for dev), Playwright, Vitest, TypeScript.
 
-- Libraries: simplesoftwareio/simple-qrcode for server-side QR generation; Paddle API client (custom service) for payments; dompdf for PDF generation; spatie/laravel-translatable for i18n; minishlink/web-push for web push; firebase/php-jwt for JWT; Sentry (Laravel + Vite); Stripe (PHP + JS); Tamagui (design system); i18next (frontend i18n); vite-plugin-pwa for PWA builds.
-- Payment Systems: Paddle (subscriptions and one-time payments), RevenueCat (mobile app subscriptions), Stripe (legacy/integration use).
+- Libraries: simplesoftwareio/simple-qrcode for server-side QR generation; Lemon Squeezy API client (custom service) for payments; dompdf for PDF generation; spatie/laravel-translatable for i18n; minishlink/web-push for web push; firebase/php-jwt for JWT; Sentry (Laravel + Vite); Stripe (PHP + JS); Tamagui (design system); i18next (frontend i18n); vite-plugin-pwa for PWA builds.
+- Payment Systems: Lemon Squeezy (subscriptions and one-time payments), RevenueCat (mobile app subscriptions), Stripe (legacy/integration use).
 - PWA Technologies: React 19, Vite 7, Capacitor (iOS), Trusted Web Activity (Android), Service Workers, Background Sync.
 
 ## Repo Structure (high-level)
@@ -38,6 +38,9 @@ This repository hosts a multi-tenant event photo platform (Laravel 12, PHP 8.3,
 - resources/js/admin/ — Tenant Admin PWA source (React 19, Capacitor/TWA ready).
 - resources/js/pages/ — Inertia pages (React).
 - docs/archive/README.md — historical PRP context.
+- Marketing frontend language files:
+  - Source translations: `resources/lang/{de,en}/marketing.php` and `resources/lang/{de,en}/marketing.json`.
+  - Runtime i18next JSON served to the frontend: `public/lang/{de,en}/marketing.json` (must stay in sync with the source files).
 
 ## Standard Workflows
 - Coding tasks (Codegen Agent):
@@ -58,7 +61,7 @@ This repository hosts a multi-tenant event photo platform (Laravel 12, PHP 8.3,
 #### Billing & Packages
 - package:check-status — check event package status.
 - packages:migrate-legacy — migrate legacy package purchases.
-- paddle:sync-packages — sync packages with Paddle (push/pull/queue/dry-run).
+- lemonsqueezy:sync-packages — sync packages with Lemon Squeezy (push/pull/queue/dry-run).
 - coupons:export — export coupon redemptions.
 - checkout:send-reminders — send abandoned checkout reminders (dry-run supported).
 
@@ -93,7 +96,7 @@ This repository hosts a multi-tenant event photo platform (Laravel 12, PHP 8.3,
 - metrics:package-limits — inspect/reset package limit metrics (routes/console.php).
 - inspire — inspiring quote (routes/console.php).
 - Public APIs for Guest PWA: stats/photos endpoints with ETag; likes; uploads; see docs/archive/prp/03-api.md.
-- Payment Integration: Paddle webhooks, RevenueCat mobile subscriptions.
+- Payment Integration: Lemon Squeezy webhooks, RevenueCat mobile subscriptions.
 
 ## PWA Architecture
 - Guest PWA: Offline-first photo sharing app for event attendees (installable, background sync, no account required).
@@ -129,7 +132,7 @@ The Laravel Boost guidelines are specifically curated by Laravel maintainers for
 ## Foundational Context
 This application is a Laravel application and its main Laravel ecosystems package & versions are below. You are an expert with them all. Ensure you abide by these specific packages & versions.
 
-- php - 8.3.24
+- php - 8.3.6
 - filament/filament (FILAMENT) - v4
 - inertiajs/inertia-laravel (INERTIA) - v2
 - laravel/framework (LARAVEL) - v12
@@ -151,7 +154,7 @@ This application is a Laravel application and its main Laravel ecosystems packag
 - prettier (PRETTIER) - v3
 
 ## Conventions
-- You must follow all existing code conventions used in this application. When creating or editing a file, check sibling files for the correct structure, approach, naming.
+- You must follow all existing code conventions used in this application. When creating or editing a file, check sibling files for the correct structure, approach, and naming.
 - Use descriptive names for variables and methods. For example, `isRegisteredForDiscounts`, not `discount()`.
 - Check for existing components to reuse before writing a new one.
 
@@ -159,7 +162,7 @@ This application is a Laravel application and its main Laravel ecosystems packag
 - Do not create verification scripts or tinker when tests cover that functionality and prove it works. Unit and feature tests are more important.
 
 ## Application Structure & Architecture
-- Stick to existing directory structure - don't create new base folders without approval.
+- Stick to existing directory structure; don't create new base folders without approval.
 - Do not change the application's dependencies without approval.
 
 ## Frontend Bundling
@@ -171,17 +174,16 @@ This application is a Laravel application and its main Laravel ecosystems packag
 ## Documentation Files
 - You must only create documentation files if explicitly requested by the user.
 
-
 === boost rules ===
 
 ## Laravel Boost
 - Laravel Boost is an MCP server that comes with powerful tools designed specifically for this application. Use them.
 
 ## Artisan
-- Use the `list-artisan-commands` tool when you need to call an Artisan command to double check the available parameters.
+- Use the `list-artisan-commands` tool when you need to call an Artisan command to double-check the available parameters.
 
 ## URLs
-- Whenever you share a project URL with the user you should use the `get-absolute-url` tool to ensure you're using the correct scheme, domain / IP, and port.
+- Whenever you share a project URL with the user, you should use the `get-absolute-url` tool to ensure you're using the correct scheme, domain/IP, and port.
 
 ## Tinker / Debugging
 - You should use the `tinker` tool when you need to execute PHP to debug code or query Eloquent models directly.
@@ -192,22 +194,21 @@ This application is a Laravel application and its main Laravel ecosystems packag
 - Only recent browser logs will be useful - ignore old logs.
 
 ## Searching Documentation (Critically Important)
-- Boost comes with a powerful `search-docs` tool you should use before any other approaches. This tool automatically passes a list of installed packages and their versions to the remote Boost API, so it returns only version-specific documentation specific for the user's circumstance. You should pass an array of packages to filter on if you know you need docs for particular packages.
-- The 'search-docs' tool is perfect for all Laravel related packages, including Laravel, Inertia, Livewire, Filament, Tailwind, Pest, Nova, Nightwatch, etc.
-- You must use this tool to search for Laravel-ecosystem documentation before falling back to other approaches.
+- Boost comes with a powerful `search-docs` tool you should use before any other approaches when dealing with Laravel or Laravel ecosystem packages. This tool automatically passes a list of installed packages and their versions to the remote Boost API, so it returns only version-specific documentation for the user's circumstance. You should pass an array of packages to filter on if you know you need docs for particular packages.
+- The `search-docs` tool is perfect for all Laravel-related packages, including Laravel, Inertia, Livewire, Filament, Tailwind, Pest, Nova, Nightwatch, etc.
+- You must use this tool to search for Laravel ecosystem documentation before falling back to other approaches.
 - Search the documentation before making code changes to ensure we are taking the correct approach.
-- Use multiple, broad, simple, topic based queries to start. For example: `['rate limiting', 'routing rate limiting', 'routing']`.
-- Do not add package names to queries - package information is already shared. For example, use `test resource table`, not `filament 4 test resource table`.
+- Use multiple, broad, simple, topic-based queries to start. For example: `['rate limiting', 'routing rate limiting', 'routing']`.
+- Do not add package names to queries; package information is already shared. For example, use `test resource table`, not `filament 4 test resource table`.
 
 ### Available Search Syntax
 - You can and should pass multiple queries at once. The most relevant results will be returned first.
 
-1. Simple Word Searches with auto-stemming - query=authentication - finds 'authenticate' and 'auth'
-2. Multiple Words (AND Logic) - query=rate limit - finds knowledge containing both "rate" AND "limit"
-3. Quoted Phrases (Exact Position) - query="infinite scroll" - Words must be adjacent and in that order
-4. Mixed Queries - query=middleware "rate limit" - "middleware" AND exact phrase "rate limit"
-5. Multiple Queries - queries=["authentication", "middleware"] - ANY of these terms
-
+1. Simple Word Searches with auto-stemming - query=authentication - finds 'authenticate' and 'auth'.
+2. Multiple Words (AND Logic) - query=rate limit - finds knowledge containing both "rate" AND "limit".
+3. Quoted Phrases (Exact Position) - query="infinite scroll" - words must be adjacent and in that order.
+4. Mixed Queries - query=middleware "rate limit" - "middleware" AND exact phrase "rate limit".
+5. Multiple Queries - queries=["authentication", "middleware"] - ANY of these terms.
 
 === php rules ===
 
@@ -218,7 +219,7 @@ This application is a Laravel application and its main Laravel ecosystems packag
 ### Constructors
 - Use PHP 8 constructor property promotion in `__construct()`.
     - <code-snippet>public function __construct(public GitHub $github) { }</code-snippet>
-- Do not allow empty `__construct()` methods with zero parameters.
+- Do not allow empty `__construct()` methods with zero parameters unless the constructor is private.
 
 ### Type Declarations
 - Always use explicit return type declarations for methods and functions.
@@ -232,7 +233,7 @@ protected function isAccessible(User $user, ?string $path = null): bool
 </code-snippet>
 
 ## Comments
-- Prefer PHPDoc blocks over comments. Never use comments within the code itself unless there is something _very_ complex going on.
+- Prefer PHPDoc blocks over inline comments. Never use comments within the code itself unless there is something very complex going on.
 
 ## PHPDoc Blocks
 - Add useful array shape type definitions for arrays when appropriate.
@@ -240,32 +241,22 @@ protected function isAccessible(User $user, ?string $path = null): bool
 ## Enums
 - Typically, keys in an Enum should be TitleCase. For example: `FavoritePerson`, `BestLake`, `Monthly`.
 
-
-=== herd rules ===
-
-## Laravel Herd
-
-- The application is served by Laravel Herd and will be available at: https?://[kebab-case-project-dir].test. Use the `get-absolute-url` tool to generate URLs for the user to ensure valid URLs.
-- You must not run any commands to make the site available via HTTP(s). It is _always_ available through Laravel Herd.
-
-
 === tests rules ===
 
 ## Test Enforcement
 
 - Every change must be programmatically tested. Write a new test or update an existing test, then run the affected tests to make sure they pass.
-- Run the minimum number of tests needed to ensure code quality and speed. Use `php artisan test` with a specific filename or filter.
-
+- Run the minimum number of tests needed to ensure code quality and speed. Use `php artisan test --compact` with a specific filename or filter.
 
 === inertia-laravel/core rules ===
 
-## Inertia Core
+## Inertia
 
-- Inertia.js components should be placed in the `resources/js/pages` directory unless specified differently in the JS bundler (vite.config.js).
+- Inertia.js components should be placed in the `resources/js/Pages` directory unless specified differently in the JS bundler (`vite.config.js`).
 - Use `Inertia::render()` for server-side routing instead of traditional Blade views.
-- Use `search-docs` for accurate guidance on all things Inertia.
+- Use the `search-docs` tool for accurate guidance on all things Inertia.
 
-<code-snippet lang="php" name="Inertia::render Example">
+<code-snippet name="Inertia Render Example" lang="php">
 // routes/web.php example
 Route::get('/users', function () {
     return Inertia::render('Users/Index', [
@@ -274,28 +265,26 @@ Route::get('/users', function () {
 });
 </code-snippet>
 
-
 === inertia-laravel/v2 rules ===
 
 ## Inertia v2
 
-- Make use of all Inertia features from v1 & v2. Check the documentation before making any changes to ensure we are taking the correct approach.
+- Make use of all Inertia features from v1 and v2. Check the documentation before making any changes to ensure we are taking the correct approach.
 
 ### Inertia v2 New Features
-- Polling
-- Prefetching
-- Deferred props
-- Infinite scrolling using merging props and `WhenVisible`
-- Lazy loading data on scroll
+- Deferred props.
+- Infinite scrolling using merging props and `WhenVisible`.
+- Lazy loading data on scroll.
+- Polling.
+- Prefetching.
 
 ### Deferred Props & Empty States
-- When using deferred props on the frontend, you should add a nice empty state with pulsing / animated skeleton.
+- When using deferred props on the frontend, you should add a nice empty state with pulsing/animated skeleton.
 
 ### Inertia Form General Guidance
-- The recommended way to build forms when using Inertia is with the `<Form>` component - a useful example is below. Use `search-docs` with a query of `form component` for guidance.
-- Forms can also be built using the `useForm` helper for more programmatic control, or to follow existing conventions. Use `search-docs` with a query of `useForm helper` for guidance.
-- `resetOnError`, `resetOnSuccess`, and `setDefaultsOnSuccess` are available on the `<Form>` component. Use `search-docs` with a query of 'form component resetting' for guidance.
-
+- The recommended way to build forms when using Inertia is with the `<Form>` component - a useful example is below. Use the `search-docs` tool with a query of `form component` for guidance.
+- Forms can also be built using the `useForm` helper for more programmatic control, or to follow existing conventions. Use the `search-docs` tool with a query of `useForm helper` for guidance.
+- `resetOnError`, `resetOnSuccess`, and `setDefaultsOnSuccess` are available on the `<Form>` component. Use the `search-docs` tool with a query of `form component resetting` for guidance.
 
 === laravel/core rules ===
 
@@ -307,7 +296,7 @@ Route::get('/users', function () {
 
 ### Database
 - Always use proper Eloquent relationship methods with return type hints. Prefer relationship methods over raw queries or manual joins.
-- Use Eloquent models and relationships before suggesting raw database queries
+- Use Eloquent models and relationships before suggesting raw database queries.
 - Avoid `DB::`; prefer `Model::query()`. Generate code that leverages Laravel's ORM capabilities rather than bypassing them.
 - Generate code that prevents N+1 query problems by using eager loading.
 - Use Laravel's query builder for very complex database operations.
@@ -342,52 +331,56 @@ Route::get('/users', function () {
 ### Vite Error
 - If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `npm run build` or ask the user to run `npm run dev` or `composer run dev`.
 
-
 === laravel/v12 rules ===
 
 ## Laravel 12
 
-- Use the `search-docs` tool to get version specific documentation.
+- Use the `search-docs` tool to get version-specific documentation.
 - This project upgraded from Laravel 10 without migrating to the new streamlined Laravel file structure.
-- This is **perfectly fine** and recommended by Laravel. Follow the existing structure from Laravel 10. We do not to need migrate to the new Laravel structure unless the user explicitly requests that.
-
+- This is **perfectly fine** and recommended by Laravel. Follow the existing structure from Laravel 10. We do not need to migrate to the new Laravel structure unless the user explicitly requests it.
 
+### Laravel 10 Structure
+- Middleware typically lives in `app/Http/Middleware/` and service providers in `app/Providers/`.
+- There is no `bootstrap/app.php` application configuration in a Laravel 10 structure:
+    - Middleware registration happens in `app/Http/Kernel.php`
+    - Exception handling is in `app/Exceptions/Handler.php`
+    - Console commands and schedule register in `app/Console/Kernel.php`
+    - Rate limits likely exist in `RouteServiceProvider` or `app/Http/Kernel.php`
 
 ### Database
 - When modifying a column, the migration must include all of the attributes that were previously defined on the column. Otherwise, they will be dropped and lost.
-- Laravel 11 allows limiting eagerly loaded records natively, without external packages: `$query->latest()->limit(10);`.
+- Laravel 12 allows limiting eagerly loaded records natively, without external packages: `$query->latest()->limit(10);`.
 
 ### Models
 - Casts can and likely should be set in a `casts()` method on a model rather than the `$casts` property. Follow existing conventions from other models.
 
-
 === wayfinder/core rules ===
 
 ## Laravel Wayfinder
 
-Wayfinder generates TypeScript functions and types for Laravel controllers and routes which you can import into your client side code. It provides type safety and automatic synchronization between backend routes and frontend code.
+Wayfinder generates TypeScript functions and types for Laravel controllers and routes which you can import into your client-side code. It provides type safety and automatic synchronization between backend routes and frontend code.
 
 ### Development Guidelines
-- Always use `search-docs` to check wayfinder correct usage before implementing any features.
-- Always Prefer named imports for tree-shaking (e.g., `import { show } from '@/actions/...'`)
-- Avoid default controller imports (prevents tree-shaking)
-- Run `php artisan wayfinder:generate` after route changes if Vite plugin isn't installed
+- Always use the `search-docs` tool to check Wayfinder correct usage before implementing any features.
+- Always prefer named imports for tree-shaking (e.g., `import { show } from '@/actions/...'`).
+- Avoid default controller imports (prevents tree-shaking).
+- Run `php artisan wayfinder:generate` after route changes if Vite plugin isn't installed.
 
 ### Feature Overview
-- Form Support: Use `.form()` with `--with-form` flag for HTML form attributes — `<form {...store.form()}>` → `action="/posts" method="post"`
-- HTTP Methods: Call `.get()`, `.post()`, `.patch()`, `.put()`, `.delete()` for specific methods — `show.head(1)` → `{ url: "/posts/1", method: "head" }`
-- Invokable Controllers: Import and invoke directly as functions. For example, `import StorePost from '@/actions/.../StorePostController'; StorePost()`
-- Named Routes: Import from `@/routes/` for non-controller routes. For example, `import { show } from '@/routes/post'; show(1)` for route name `post.show`
-- Parameter Binding: Detects route keys (e.g., `{post:slug}`) and accepts matching object properties — `show("my-post")` or `show({ slug: "my-post" })`
-- Query Merging: Use `mergeQuery` to merge with `window.location.search`, set values to `null` to remove — `show(1, { mergeQuery: { page: 2, sort: null } })`
-- Query Parameters: Pass `{ query: {...} }` in options to append params — `show(1, { query: { page: 1 } })` → `"/posts/1?page=1"`
-- Route Objects: Functions return `{ url, method }` shaped objects — `show(1)` → `{ url: "/posts/1", method: "get" }`
-- URL Extraction: Use `.url()` to get URL string — `show.url(1)` → `"/posts/1"`
+- Form Support: Use `.form()` with `--with-form` flag for HTML form attributes — `<form {...store.form()}>` → `action="/posts" method="post"`.
+- HTTP Methods: Call `.get()`, `.post()`, `.patch()`, `.put()`, `.delete()` for specific methods — `show.head(1)` → `{ url: "/posts/1", method: "head" }`.
+- Invokable Controllers: Import and invoke directly as functions. For example, `import StorePost from '@/actions/.../StorePostController'; StorePost()`.
+- Named Routes: Import from `@/routes/` for non-controller routes. For example, `import { show } from '@/routes/post'; show(1)` for route name `post.show`.
+- Parameter Binding: Detects route keys (e.g., `{post:slug}`) and accepts matching object properties — `show("my-post")` or `show({ slug: "my-post" })`.
+- Query Merging: Use `mergeQuery` to merge with `window.location.search`, set values to `null` to remove — `show(1, { mergeQuery: { page: 2, sort: null } })`.
+- Query Parameters: Pass `{ query: {...} }` in options to append params — `show(1, { query: { page: 1 } })` → `"/posts/1?page=1"`.
+- Route Objects: Functions return `{ url, method }` shaped objects — `show(1)` → `{ url: "/posts/1", method: "get" }`.
+- URL Extraction: Use `.url()` to get URL string — `show.url(1)` → `"/posts/1"`.
 
 ### Example Usage
 
 <code-snippet name="Wayfinder Basic Usage" lang="typescript">
-    // Import controller methods (tree-shakable)
+    // Import controller methods (tree-shakable)...
     import { show, store, update } from '@/actions/App/Http/Controllers/PostController'
 
     // Get route object with URL and method...
@@ -405,7 +398,6 @@ Wayfinder generates TypeScript functions and types for Laravel controllers and r
     postShow(1) // { url: "/posts/1", method: "get" }
 </code-snippet>
 
-
 ### Wayfinder + Inertia
 If your application uses the `<Form>` component from Inertia, you can use Wayfinder to generate form action and method automatically.
 <code-snippet name="Wayfinder Form Component (React)" lang="typescript">
@@ -414,14 +406,14 @@ If your application uses the `<Form>` component from Inertia, you can use Wayfin
 
 </code-snippet>
 
-
 === livewire/core rules ===
 
-## Livewire Core
-- Use the `search-docs` tool to find exact version specific documentation for how to write Livewire & Livewire tests.
-- Use the `php artisan make:livewire [Posts\CreatePost]` artisan command to create new components
+## Livewire
+
+- Use the `search-docs` tool to find exact version-specific documentation for how to write Livewire and Livewire tests.
+- Use the `php artisan make:livewire [Posts\CreatePost]` Artisan command to create new components.
 - State should live on the server, with the UI reflecting it.
-- All Livewire requests hit the Laravel backend, they're like regular HTTP requests. Always validate form data, and run authorization checks in Livewire actions.
+- All Livewire requests hit the Laravel backend; they're like regular HTTP requests. Always validate form data and run authorization checks in Livewire actions.
 
 ## Livewire Best Practices
 - Livewire components require a single root element.
@@ -438,15 +430,14 @@ If your application uses the `<Form>` component from Inertia, you can use Wayfin
 
 - Prefer lifecycle hooks like `mount()`, `updatedFoo()` for initialization and reactive side effects:
 
-<code-snippet name="Lifecycle hook examples" lang="php">
+<code-snippet name="Lifecycle Hook Examples" lang="php">
     public function mount(User $user) { $this->user = $user; }
     public function updatedSearch() { $this->resetPage(); }
 </code-snippet>
 
-
 ## Testing Livewire
 
-<code-snippet name="Example Livewire component test" lang="php">
+<code-snippet name="Example Livewire Component Test" lang="php">
     Livewire::test(Counter::class)
         ->assertSet('count', 0)
         ->call('increment')
@@ -455,19 +446,17 @@ If your application uses the `<Form>` component from Inertia, you can use Wayfin
         ->assertStatus(200);
 </code-snippet>
 
-
-    <code-snippet name="Testing a Livewire component exists within a page" lang="php">
-        $this->get('/posts/create')
-        ->assertSeeLivewire(CreatePost::class);
-    </code-snippet>
-
+<code-snippet name="Testing Livewire Component Exists on Page" lang="php">
+    $this->get('/posts/create')
+    ->assertSeeLivewire(CreatePost::class);
+</code-snippet>
 
 === livewire/v3 rules ===
 
 ## Livewire 3
 
 ### Key Changes From Livewire 2
-- These things changed in Livewire 2, but may not have been updated in this application. Verify this application's setup to ensure you conform with application conventions.
+- These things changed in Livewire 3, but may not have been updated in this application. Verify this application's setup to ensure you conform with application conventions.
     - Use `wire:model.live` for real-time updates, `wire:model` is now deferred by default.
     - Components now use the `App\Livewire` namespace (not `App\Http\Livewire`).
     - Use `$this->dispatch()` to dispatch events (not `emit` or `dispatchBrowserEvent`).
@@ -477,13 +466,13 @@ If your application uses the `<Form>` component from Inertia, you can use Wayfin
 - `wire:show`, `wire:transition`, `wire:cloak`, `wire:offline`, `wire:target` are available for use. Use the documentation to find usage examples.
 
 ### Alpine
-- Alpine is now included with Livewire, don't manually include Alpine.js.
+- Alpine is now included with Livewire; don't manually include Alpine.js.
 - Plugins included with Alpine: persist, intersect, collapse, and focus.
 
 ### Lifecycle Hooks
 - You can listen for `livewire:init` to hook into Livewire initialization, and `fail.status === 419` for the page expiring:
 
-<code-snippet name="livewire:load example" lang="js">
+<code-snippet name="Livewire Init Hook Example" lang="js">
 document.addEventListener('livewire:init', function () {
     Livewire.hook('request', ({ fail }) => {
         if (fail && fail.status === 419) {
@@ -497,7 +486,6 @@ document.addEventListener('livewire:init', function () {
 });
 </code-snippet>
 
-
 === pint/core rules ===
 
 ## Laravel Pint Code Formatter
@@ -505,24 +493,22 @@ document.addEventListener('livewire:init', function () {
 - You must run `vendor/bin/pint --dirty` before finalizing changes to ensure your code matches the project's expected style.
 - Do not run `vendor/bin/pint --test`, simply run `vendor/bin/pint` to fix any formatting issues.
 
-
 === phpunit/core rules ===
 
-## PHPUnit Core
+## PHPUnit
 
 - This application uses PHPUnit for testing. All tests must be written as PHPUnit classes. Use `php artisan make:test --phpunit {name}` to create a new test.
 - If you see a test using "Pest", convert it to PHPUnit.
 - Every time a test has been updated, run that singular test.
 - When the tests relating to your feature are passing, ask the user if they would like to also run the entire test suite to make sure everything is still passing.
 - Tests should test all of the happy paths, failure paths, and weird paths.
-- You must not remove any tests or test files from the tests directory without approval. These are not temporary or helper files, these are core to the application.
+- You must not remove any tests or test files from the tests directory without approval. These are not temporary or helper files; these are core to the application.
 
 ### Running Tests
 - Run the minimal number of tests, using an appropriate filter, before finalizing.
-- To run all tests: `php artisan test`.
-- To run all tests in a file: `php artisan test tests/Feature/ExampleTest.php`.
-- To filter on a particular test name: `php artisan test --filter=testName` (recommended after making a change to a related file).
-
+- To run all tests: `php artisan test --compact`.
+- To run all tests in a file: `php artisan test --compact tests/Feature/ExampleTest.php`.
+- To filter on a particular test name: `php artisan test --compact --filter=testName` (recommended after making a change to a related file).
 
 === inertia-react/core rules ===
 
@@ -537,10 +523,9 @@ import { Link } from '@inertiajs/react'
 
 </code-snippet>
 
-
 === inertia-react/v2/forms rules ===
 
-## Inertia + React Forms
+## Inertia v2 + React Forms
 
 <code-snippet name="`<Form>` Component Example" lang="react">
 
@@ -575,39 +560,37 @@ export default () => (
 
 </code-snippet>
 
-
 === tailwindcss/core rules ===
 
-## Tailwind Core
+## Tailwind CSS
 
-- Use Tailwind CSS classes to style HTML, check and use existing tailwind conventions within the project before writing your own.
-- Offer to extract repeated patterns into components that match the project's conventions (i.e. Blade, JSX, Vue, etc..)
-- Think through class placement, order, priority, and defaults - remove redundant classes, add classes to parent or child carefully to limit repetition, group elements logically
+- Use Tailwind CSS classes to style HTML; check and use existing Tailwind conventions within the project before writing your own.
+- Offer to extract repeated patterns into components that match the project's conventions (i.e. Blade, JSX, Vue, etc.).
+- Think through class placement, order, priority, and defaults. Remove redundant classes, add classes to parent or child carefully to limit repetition, and group elements logically.
 - You can use the `search-docs` tool to get exact examples from the official documentation when needed.
 
 ### Spacing
-- When listing items, use gap utilities for spacing, don't use margins.
-
-    <code-snippet name="Valid Flex Gap Spacing Example" lang="html">
-        <div class="flex gap-8">
-            <div>Superior</div>
-            <div>Michigan</div>
-            <div>Erie</div>
-        </div>
-    </code-snippet>
+- When listing items, use gap utilities for spacing; don't use margins.
 
+<code-snippet name="Valid Flex Gap Spacing Example" lang="html">
+    <div class="flex gap-8">
+        <div>Superior</div>
+        <div>Michigan</div>
+        <div>Erie</div>
+    </div>
+</code-snippet>
 
 ### Dark Mode
 - If existing pages and components support dark mode, new pages and components must support dark mode in a similar way, typically using `dark:`.
 
-
 === tailwindcss/v4 rules ===
 
-## Tailwind 4
+## Tailwind CSS 4
 
-- Always use Tailwind CSS v4 - do not use the deprecated utilities.
+- Always use Tailwind CSS v4; do not use the deprecated utilities.
 - `corePlugins` is not supported in Tailwind v4.
 - In Tailwind v4, configuration is CSS-first using the `@theme` directive — no separate `tailwind.config.js` file is needed.
+
 <code-snippet name="Extending Theme in CSS" lang="css">
 @theme {
   --color-brand: oklch(0.72 0.11 178);
@@ -623,9 +606,8 @@ export default () => (
    + @import "tailwindcss";
 </code-snippet>
 
-
 ### Replaced Utilities
-- Tailwind v4 removed deprecated utilities. Do not use the deprecated option - use the replacement.
+- Tailwind v4 removed deprecated utilities. Do not use the deprecated option; use the replacement.
 - Opacity values are still numeric.
 
 | Deprecated |	Replacement |
@@ -641,6 +623,134 @@ export default () => (
 | overflow-ellipsis | text-ellipsis |
 | decoration-slice | box-decoration-slice |
 | decoration-clone | box-decoration-clone |
+
+=== filament/filament rules ===
+
+## Filament
+
+- Filament is used by this application. Follow existing conventions for how and where it's implemented.
+- Filament is a Server-Driven UI (SDUI) framework for Laravel that lets you define user interfaces in PHP using structured configuration objects. Built on Livewire, Alpine.js, and Tailwind CSS.
+- Use the `search-docs` tool for official documentation on Artisan commands, code examples, testing, relationships, and idiomatic practices.
+
+### Artisan
+
+- Use Filament-specific Artisan commands to create files. Find them with `list-artisan-commands` or `php artisan --help`.
+- Inspect required options and always pass `--no-interaction`.
+
+### Patterns
+
+Use static `make()` methods to initialize components. Most configuration methods accept a `Closure` for dynamic values.
+
+Use `Get $get` to read other form field values for conditional logic:
+
+<code-snippet name="Conditional form field" lang="php">
+use Filament\Forms\Components\Select;
+use Filament\Forms\Components\TextInput;
+use Filament\Schemas\Components\Utilities\Get;
+
+Select::make('type')
+    ->options(CompanyType::class)
+    ->required()
+    ->live(),
+
+TextInput::make('company_name')
+    ->required()
+    ->visible(fn (Get $get): bool => $get('type') === 'business'),
+</code-snippet>
+
+Use `state()` with a `Closure` to compute derived column values:
+
+<code-snippet name="Computed table column" lang="php">
+use Filament\Tables\Columns\TextColumn;
+
+TextColumn::make('full_name')
+    ->state(fn (User $record): string => "{$record->first_name} {$record->last_name}"),
+</code-snippet>
+
+Actions encapsulate a button with optional modal form and logic:
+
+<code-snippet name="Action with modal form" lang="php">
+use Filament\Actions\Action;
+use Filament\Forms\Components\TextInput;
+
+Action::make('updateEmail')
+    ->form([
+        TextInput::make('email')->email()->required(),
+    ])
+    ->action(fn (array $data, User $record): void => $record->update($data)),
+</code-snippet>
+
+### Testing
+
+Authenticate before testing panel functionality. Filament uses Livewire, so use `livewire()` or `Livewire::test()`:
+
+<code-snippet name="Filament Table Test" lang="php">
+    livewire(ListUsers::class)
+        ->assertCanSeeTableRecords($users)
+        ->searchTable($users->first()->name)
+        ->assertCanSeeTableRecords($users->take(1))
+        ->assertCanNotSeeTableRecords($users->skip(1));
+</code-snippet>
+
+<code-snippet name="Filament Create Resource Test" lang="php">
+    livewire(CreateUser::class)
+        ->fillForm([
+            'name' => 'Test',
+            'email' => 'test@example.com',
+        ])
+        ->call('create')
+        ->assertNotified()
+        ->assertRedirect();
+
+    assertDatabaseHas(User::class, [
+        'name' => 'Test',
+        'email' => 'test@example.com',
+    ]);
+</code-snippet>
+
+<code-snippet name="Testing Validation" lang="php">
+    livewire(CreateUser::class)
+        ->fillForm([
+            'name' => null,
+            'email' => 'invalid-email',
+        ])
+        ->call('create')
+        ->assertHasFormErrors([
+            'name' => 'required',
+            'email' => 'email',
+        ])
+        ->assertNotNotified();
+</code-snippet>
+
+<code-snippet name="Calling Actions" lang="php">
+    use Filament\Actions\DeleteAction;
+    use Filament\Actions\Testing\TestAction;
+
+    livewire(EditUser::class, ['record' => $user->id])
+        ->callAction(DeleteAction::class)
+        ->assertNotified()
+        ->assertRedirect();
+
+    livewire(ListUsers::class)
+        ->callAction(TestAction::make('promote')->table($user), [
+            'role' => 'admin',
+        ])
+        ->assertNotified();
+</code-snippet>
+
+### Common Mistakes
+
+**Commonly Incorrect Namespaces:**
+- Form fields (TextInput, Select, etc.): `Filament\Forms\Components\`
+- Infolist entries (for read-only views) (TextEntry, IconEntry, etc.): `Filament\Forms\Components\`
+- Layout components (Grid, Section, Fieldset, Tabs, Wizard, etc.): `Filament\Schemas\Components\`
+- Schema utilities (Get, Set, etc.): `Filament\Schemas\Components\Utilities\`
+- Actions: `Filament\Actions\` (no `Filament\Tables\Actions\` etc.)
+- Icons: `Filament\Support\Icons\Heroicon` enum (e.g., `Heroicon::PencilSquare`)
+
+**Recent breaking changes to Filament:**
+- File visibility is `private` by default. Use `->visibility('public')` for public access.
+- `Grid`, `Section`, and `Fieldset` no longer span all columns by default.
 </laravel-boost-guidelines>
 
 ## Issue Tracking

Dockerfile

@@ -100,6 +100,8 @@ COPY . .
 COPY --from=vendor /var/www/html/vendor ./vendor
 COPY --from=node_builder /var/www/html/public/build ./public/build
 
+RUN php artisan vendor:publish --tag=livewire:assets --force --no-interaction
+
 RUN php artisan config:clear \
    && php artisan config:cache \
    && php artisan route:clear \

app/Console/Commands/AiEditsPruneCommand.php

@@ -0,0 +1,69 @@
+<?php
+
+namespace App\Console\Commands;
+
+use App\Models\AiEditRequest;
+use App\Models\AiUsageLedger;
+use Illuminate\Console\Command;
+use Illuminate\Database\Eloquent\Builder;
+
+class AiEditsPruneCommand extends Command
+{
+    protected $signature = 'ai-edits:prune
+        {--request-days= : Override AI request retention days}
+        {--ledger-days= : Override usage ledger retention days}
+        {--pretend : Report counts without deleting data}';
+
+    protected $description = 'Prune stale AI edit requests and usage ledgers based on retention settings.';
+
+    public function handle(): int
+    {
+        $requestRetentionDays = max(1, (int) ($this->option('request-days') ?: config('ai-editing.retention.request_days', 90)));
+        $ledgerRetentionDays = max(1, (int) ($this->option('ledger-days') ?: config('ai-editing.retention.usage_ledger_days', 365)));
+        $pretend = (bool) $this->option('pretend');
+
+        $requestCutoff = now()->subDays($requestRetentionDays);
+        $ledgerCutoff = now()->subDays($ledgerRetentionDays);
+
+        $requestQuery = AiEditRequest::query()
+            ->where(function (Builder $query) use ($requestCutoff): void {
+                $query->where(function (Builder $completedQuery) use ($requestCutoff): void {
+                    $completedQuery->whereNotNull('completed_at')
+                        ->where('completed_at', '<=', $requestCutoff);
+                })->orWhere(function (Builder $expiredQuery): void {
+                    $expiredQuery->whereNotNull('expires_at')
+                        ->where('expires_at', '<=', now());
+                });
+            });
+        $ledgerQuery = AiUsageLedger::query()
+            ->where('recorded_at', '<=', $ledgerCutoff);
+
+        $requestCount = (clone $requestQuery)->count();
+        $ledgerCount = (clone $ledgerQuery)->count();
+
+        $this->line(sprintf(
+            'AI prune candidates -> requests: %d (<= %s), ledgers: %d (<= %s)',
+            $requestCount,
+            $requestCutoff->toDateString(),
+            $ledgerCount,
+            $ledgerCutoff->toDateString()
+        ));
+
+        if ($pretend) {
+            $this->info('Pretend mode enabled. No records were deleted.');
+
+            return self::SUCCESS;
+        }
+
+        $deletedRequests = $requestQuery->delete();
+        $deletedLedgers = $ledgerQuery->delete();
+
+        $this->info(sprintf(
+            'Pruned AI data -> requests: %d, ledgers: %d.',
+            $deletedRequests,
+            $deletedLedgers
+        ));
+
+        return self::SUCCESS;
+    }
+}

app/Console/Commands/AiEditsRecoverStuckCommand.php

@@ -0,0 +1,179 @@
+<?php
+
+namespace App\Console\Commands;
+
+use App\Jobs\PollAiEditRequest;
+use App\Jobs\ProcessAiEditRequest;
+use App\Models\AiEditRequest;
+use App\Services\AiEditing\AiEditingRuntimeConfig;
+use Illuminate\Console\Command;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Relations\HasMany;
+use Illuminate\Support\Collection;
+
+class AiEditsRecoverStuckCommand extends Command
+{
+    protected $signature = 'ai-edits:recover-stuck
+        {--minutes=30 : Minimum age in minutes for queued/processing requests}
+        {--requeue : Re-dispatch stuck requests back to the queue}
+        {--fail : Mark stuck requests as failed}';
+
+    protected $description = 'Inspect stuck AI edit requests and optionally recover them by requeueing or failing.';
+
+    public function __construct(private readonly AiEditingRuntimeConfig $runtimeConfig)
+    {
+        parent::__construct();
+    }
+
+    public function handle(): int
+    {
+        $minutes = max(1, (int) $this->option('minutes'));
+        $shouldRequeue = (bool) $this->option('requeue');
+        $shouldFail = (bool) $this->option('fail');
+
+        if ($shouldRequeue && $shouldFail) {
+            $this->error('Use either --requeue or --fail, not both.');
+
+            return self::FAILURE;
+        }
+
+        $cutoff = now()->subMinutes($minutes);
+        $requests = AiEditRequest::query()
+            ->with([
+                'event:id,slug,name',
+                'providerRuns' => function (HasMany $query): void {
+                    $query->select(['id', 'request_id', 'provider_task_id', 'attempt'])
+                        ->orderByDesc('attempt');
+                },
+            ])
+            ->whereIn('status', [AiEditRequest::STATUS_QUEUED, AiEditRequest::STATUS_PROCESSING])
+            ->where(function (Builder $query) use ($cutoff): void {
+                $query
+                    ->where(function (Builder $queuedQuery) use ($cutoff): void {
+                        $queuedQuery->whereNull('started_at')
+                            ->whereNotNull('queued_at')
+                            ->where('queued_at', '<=', $cutoff);
+                    })
+                    ->orWhere(function (Builder $processingQuery) use ($cutoff): void {
+                        $processingQuery->whereNotNull('started_at')
+                            ->where('started_at', '<=', $cutoff);
+                    })
+                    ->orWhere(function (Builder $fallbackQuery) use ($cutoff): void {
+                        $fallbackQuery->whereNull('queued_at')
+                            ->whereNull('started_at')
+                            ->where('updated_at', '<=', $cutoff);
+                    });
+            })
+            ->orderBy('updated_at')
+            ->get();
+
+        if ($requests->isEmpty()) {
+            $this->info(sprintf('No stuck AI edit requests older than %d minute(s).', $minutes));
+
+            return self::SUCCESS;
+        }
+
+        $this->table(
+            ['ID', 'Event', 'Status', 'Queued/Started', 'Latest task'],
+            $requests->map(function (AiEditRequest $request): array {
+                $latestTaskId = $this->latestProviderTaskId($request) ?? '-';
+                $eventLabel = (string) ($request->event?->name ?: $request->event?->slug ?: $request->event_id);
+                $ageSource = $request->started_at ?: $request->queued_at ?: $request->updated_at;
+
+                return [
+                    (string) $request->id,
+                    $eventLabel,
+                    $request->status,
+                    $ageSource?->toIso8601String() ?? '-',
+                    $latestTaskId,
+                ];
+            })->all()
+        );
+
+        if (! $shouldRequeue && ! $shouldFail) {
+            $this->info('Dry-run only. Use --requeue to dispatch recovery jobs or --fail to terminate stuck requests.');
+
+            return self::SUCCESS;
+        }
+
+        if ($shouldFail) {
+            $count = $this->markAsFailed($requests);
+            $this->info(sprintf('Marked %d AI edit request(s) as failed.', $count));
+
+            return self::SUCCESS;
+        }
+
+        [$processDispatches, $pollDispatches] = $this->requeueRequests($requests);
+        $this->info(sprintf(
+            'Recovered %d stuck AI edit request(s): %d process dispatch(es), %d poll dispatch(es).',
+            $processDispatches + $pollDispatches,
+            $processDispatches,
+            $pollDispatches
+        ));
+
+        return self::SUCCESS;
+    }
+
+    /**
+     * @return array{0:int,1:int}
+     */
+    private function requeueRequests(Collection $requests): array
+    {
+        $queueName = $this->runtimeConfig->queueName();
+        $processDispatches = 0;
+        $pollDispatches = 0;
+
+        foreach ($requests as $request) {
+            if ($request->status === AiEditRequest::STATUS_QUEUED) {
+                ProcessAiEditRequest::dispatch($request->id)->onQueue($queueName);
+                $processDispatches++;
+
+                continue;
+            }
+
+            $providerTaskId = $this->latestProviderTaskId($request);
+            if ($providerTaskId !== null) {
+                PollAiEditRequest::dispatch($request->id, $providerTaskId, 1)->onQueue($queueName);
+                $pollDispatches++;
+
+                continue;
+            }
+
+            ProcessAiEditRequest::dispatch($request->id)->onQueue($queueName);
+            $processDispatches++;
+        }
+
+        return [$processDispatches, $pollDispatches];
+    }
+
+    private function markAsFailed(Collection $requests): int
+    {
+        $updated = 0;
+        $now = now();
+
+        foreach ($requests as $request) {
+            $request->forceFill([
+                'status' => AiEditRequest::STATUS_FAILED,
+                'failure_code' => 'operator_recovery_marked_failed',
+                'failure_message' => 'Marked as failed by ai-edits:recover-stuck.',
+                'completed_at' => $now,
+            ])->save();
+
+            $updated++;
+        }
+
+        return $updated;
+    }
+
+    private function latestProviderTaskId(AiEditRequest $request): ?string
+    {
+        foreach ($request->providerRuns as $run) {
+            $taskId = trim((string) ($run->provider_task_id ?? ''));
+            if ($taskId !== '') {
+                return $taskId;
+            }
+        }
+
+        return null;
+    }
+}

app/Console/Commands/AttachDemoEvent.php

@@ -7,7 +7,6 @@ use App\Models\Tenant;
 use App\Models\User;
 use Illuminate\Console\Attributes\AsCommand;
 use Illuminate\Console\Command;
-use Illuminate\Support\Facades\DB;
 
 #[AsCommand(name: 'tenant:attach-demo-event')]
 class AttachDemoEvent extends Command
@@ -25,10 +24,12 @@ class AttachDemoEvent extends Command
     {
         if (! \Illuminate\Support\Facades\Schema::hasTable('events')) {
             $this->error("Table 'events' does not exist. Run: php artisan migrate");
+
             return self::FAILURE;
         }
         if (! \Illuminate\Support\Facades\Schema::hasColumn('events', 'tenant_id')) {
             $this->error("Column 'events.tenant_id' does not exist. Add it and rerun. Suggested: create a migration to add a nullable foreignId to tenants.");
+
             return self::FAILURE;
         }
         $tenant = null;
@@ -45,6 +46,7 @@ class AttachDemoEvent extends Command
         }
         if (! $tenant) {
             $this->error('Tenant not found. Provide --tenant-slug or a user with tenant_id via --tenant-email.');
+
             return self::FAILURE;
         }
 
@@ -67,12 +69,14 @@ class AttachDemoEvent extends Command
 
         if (! $event) {
             $this->error('Event not found. Provide --event-id or --event-slug.');
+
             return self::FAILURE;
         }
 
         // Idempotent update
         if ((int) $event->tenant_id === (int) $tenant->id) {
             $this->info("Event #{$event->id} already attached to tenant #{$tenant->id} ({$tenant->slug}).");
+
             return self::SUCCESS;
         }
 
@@ -80,6 +84,7 @@ class AttachDemoEvent extends Command
         $event->save();
 
         $this->info("Attached event #{$event->id} ({$event->slug}) to tenant #{$tenant->id} ({$tenant->slug}).");
+
         return self::SUCCESS;
     }
 }

app/Console/Commands/BackfillThumbnails.php

@@ -10,22 +10,27 @@ use Illuminate\Support\Facades\Storage;
 class BackfillThumbnails extends Command
 {
     protected $signature = 'media:backfill-thumbnails {--limit=500}';
+
     protected $description = 'Generate thumbnails for photos missing thumbnail_path or where thumbnail equals original.';
 
     public function handle(): int
     {
         $limit = (int) $this->option('limit');
         $rows = DB::table('photos')
-            ->select(['id','event_id','file_path','thumbnail_path'])
+            ->select(['id', 'event_id', 'file_path', 'thumbnail_path'])
             ->orderBy('id')
             ->limit($limit)
             ->get();
         $count = 0;
         foreach ($rows as $r) {
-            $orig = $this->relativeFromUrl((string)$r->file_path);
-            $thumb = (string)($r->thumbnail_path ?? '');
-            if ($thumb && $thumb !== $r->file_path) continue; // already set to different thumb
-            if (! $orig) continue;
+            $orig = $this->relativeFromUrl((string) $r->file_path);
+            $thumb = (string) ($r->thumbnail_path ?? '');
+            if ($thumb && $thumb !== $r->file_path) {
+                continue;
+            } // already set to different thumb
+            if (! $orig) {
+                continue;
+            }
             $baseName = pathinfo($orig, PATHINFO_FILENAME);
             $destRel = "events/{$r->event_id}/photos/thumbs/{$baseName}_thumb.jpg";
             $made = ImageHelper::makeThumbnailOnDisk('public', $orig, $destRel, 640, 82);
@@ -39,6 +44,7 @@ class BackfillThumbnails extends Command
             }
         }
         $this->info("Done. Thumbnails generated: {$count}");
+
         return self::SUCCESS;
     }
 
@@ -49,6 +55,7 @@ class BackfillThumbnails extends Command
         if (str_starts_with($p, '/storage/')) {
             return substr($p, strlen('/storage/'));
         }
+
         return null;
     }
 }

app/Console/Commands/LemonSqueezyRegisterWebhooks.php

@@ -0,0 +1,130 @@
+<?php
+
+namespace App\Console\Commands;
+
+use App\Services\LemonSqueezy\LemonSqueezyClient;
+use Illuminate\Console\Command;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Facades\Log;
+
+class LemonSqueezyRegisterWebhooks extends Command
+{
+    /**
+     * The name and signature of the console command.
+     *
+     * @var string
+     */
+    protected $signature = 'lemonsqueezy:webhooks:register
+        {--url= : Destination URL for Lemon Squeezy webhooks}
+        {--events=* : Override event types to subscribe}
+        {--secret= : Override the webhook signing secret}
+        {--test-mode : Register the webhook in test mode}
+        {--dry-run : Output payload without creating the destination}';
+
+    /**
+     * The console command description.
+     *
+     * @var string
+     */
+    protected $description = 'Register Lemon Squeezy webhook notification settings.';
+
+    /**
+     * Execute the console command.
+     */
+    public function handle(LemonSqueezyClient $client): int
+    {
+        $destination = (string) ($this->option('url') ?: $this->defaultWebhookUrl());
+
+        if ($destination === '') {
+            $this->error('Webhook destination URL is required. Use --url=...');
+
+            return self::FAILURE;
+        }
+
+        $events = collect((array) $this->option('events'))
+            ->filter()
+            ->map(fn ($event) => trim((string) $event))
+            ->filter()
+            ->values()
+            ->all();
+
+        if ($events === []) {
+            $events = config('lemonsqueezy.webhook_events', []);
+        }
+
+        if ($events === [] || ! is_array($events)) {
+            $this->error('No webhook events configured. Set config(lemonsqueezy.webhook_events) or pass --events.');
+
+            return self::FAILURE;
+        }
+
+        $secret = (string) ($this->option('secret') ?: config('lemonsqueezy.webhook_secret'));
+        if ($secret === '') {
+            $this->error('Webhook signing secret is required. Set LEMONSQUEEZY_WEBHOOK_SECRET or pass --secret.');
+
+            return self::FAILURE;
+        }
+
+        $storeId = (string) config('lemonsqueezy.store_id');
+        if ($storeId === '') {
+            $this->error('Lemon Squeezy store id is required. Set LEMONSQUEEZY_STORE_ID.');
+
+            return self::FAILURE;
+        }
+
+        $testMode = (bool) $this->option('test-mode') || (bool) config('lemonsqueezy.test_mode', false);
+
+        $attributes = array_filter([
+            'url' => $destination,
+            'events' => $events,
+            'secret' => $secret,
+            'test_mode' => $testMode ? true : null,
+        ], static fn ($value) => $value !== null && $value !== '');
+
+        $payload = [
+            'data' => [
+                'type' => 'webhooks',
+                'attributes' => $attributes,
+                'relationships' => [
+                    'store' => [
+                        'data' => [
+                            'type' => 'stores',
+                            'id' => $storeId,
+                        ],
+                    ],
+                ],
+            ],
+        ];
+
+        if ((bool) $this->option('dry-run')) {
+            $this->line(json_encode($payload, JSON_PRETTY_PRINT));
+
+            return self::SUCCESS;
+        }
+
+        $response = $client->post('/webhooks', $payload);
+        $data = Arr::get($response, 'data', $response);
+        $id = Arr::get($data, 'id');
+
+        Log::channel('lemonsqueezy-sync')->info('Lemon Squeezy webhook registered', [
+            'webhook_id' => $id,
+            'destination' => $destination,
+            'test_mode' => $testMode,
+        ]);
+
+        $this->info('Lemon Squeezy webhook registered.');
+
+        if ($id) {
+            $this->line('ID: '.$id);
+        }
+
+        return self::SUCCESS;
+    }
+
+    protected function defaultWebhookUrl(): string
+    {
+        $base = rtrim((string) config('app.url'), '/');
+
+        return $base !== '' ? $base.'/lemonsqueezy/webhook' : '';
+    }
+}

app/Console/Commands/LemonSqueezySyncPackages.php

@@ -2,23 +2,23 @@
 
 namespace App\Console\Commands;
 
-use App\Jobs\PullPackageFromPaddle;
-use App\Jobs\SyncPackageToPaddle;
+use App\Jobs\PullPackageFromLemonSqueezy;
+use App\Jobs\SyncPackageToLemonSqueezy;
 use App\Models\Package;
 use Illuminate\Console\Command;
 use Illuminate\Support\Collection;
 use Illuminate\Support\Str;
 
-class PaddleSyncPackages extends Command
+class LemonSqueezySyncPackages extends Command
 {
-    protected $signature = 'paddle:sync-packages
+    protected $signature = 'lemonsqueezy:sync-packages
         {--package=* : Limit sync to the given package IDs or slugs}
-        {--dry-run : Generate payload snapshots without calling Paddle}
-        {--pull : Fetch remote Paddle state instead of pushing local changes}
-        {--allow-unmapped : Allow sync when packages are missing Paddle product/price IDs}
+        {--dry-run : Generate payload snapshots without calling Lemon Squeezy}
+        {--pull : Fetch remote Lemon Squeezy state instead of pushing local changes}
+        {--allow-unmapped : Allow sync when packages are missing Lemon Squeezy product/variant IDs}
         {--queue : Dispatch jobs onto the queue instead of running synchronously}';
 
-    protected $description = 'Synchronise local packages with Paddle products and prices.';
+    protected $description = 'Synchronise local packages with Lemon Squeezy products and variants.';
 
     public function handle(): int
     {
@@ -52,7 +52,7 @@ class PaddleSyncPackages extends Command
         });
 
         $this->info(sprintf(
-            'Queued %d package %s for Paddle %s.',
+            'Queued %d package %s for Lemon Squeezy %s.',
             $packages->count(),
             Str::plural('entry', $packages->count()),
             $pull ? 'pull' : 'sync'
@@ -97,22 +97,22 @@ class PaddleSyncPackages extends Command
 
     protected function guardUnmappedPackages(Collection $packages): bool
     {
-        $unmapped = $packages->filter(fn (Package $package) => blank($package->paddle_product_id) || blank($package->paddle_price_id));
+        $unmapped = $packages->filter(fn (Package $package) => blank($package->lemonsqueezy_product_id) || blank($package->lemonsqueezy_variant_id));
 
         if ($unmapped->isEmpty()) {
             return true;
         }
 
-        $this->error('Unmapped Paddle package IDs detected. Resolve legacy mappings or pass --allow-unmapped.');
+        $this->error('Unmapped Lemon Squeezy package IDs detected. Resolve mappings or pass --allow-unmapped.');
         $this->table(
             ['ID', 'Slug', 'Missing'],
             $unmapped->map(function (Package $package): array {
                 $missing = [];
-                if (blank($package->paddle_product_id)) {
+                if (blank($package->lemonsqueezy_product_id)) {
                     $missing[] = 'product_id';
                 }
-                if (blank($package->paddle_price_id)) {
-                    $missing[] = 'price_id';
+                if (blank($package->lemonsqueezy_variant_id)) {
+                    $missing[] = 'variant_id';
                 }
 
                 return [
@@ -133,26 +133,26 @@ class PaddleSyncPackages extends Command
         ];
 
         if ($queue) {
-            SyncPackageToPaddle::dispatch($package->id, $context);
+            SyncPackageToLemonSqueezy::dispatch($package->id, $context);
             $this->line(sprintf('> queued sync for package #%d (%s)', $package->id, $package->slug));
 
             return;
         }
 
-        SyncPackageToPaddle::dispatchSync($package->id, $context);
+        SyncPackageToLemonSqueezy::dispatchSync($package->id, $context);
         $this->line(sprintf('> synced package #%d (%s)', $package->id, $package->slug));
     }
 
     protected function dispatchPullJob(Package $package, bool $queue): void
     {
         if ($queue) {
-            PullPackageFromPaddle::dispatch($package->id);
+            PullPackageFromLemonSqueezy::dispatch($package->id);
             $this->line(sprintf('> queued pull for package #%d (%s)', $package->id, $package->slug));
 
             return;
         }
 
-        PullPackageFromPaddle::dispatchSync($package->id);
+        PullPackageFromLemonSqueezy::dispatchSync($package->id);
         $this->line(sprintf('> pulled package #%d (%s)', $package->id, $package->slug));
     }
 }

app/Console/Commands/MigrateLegacyPurchases.php

@@ -4,15 +4,15 @@ namespace App\Console\Commands;
 
 use App\Models\PackagePurchase;
 use App\Models\Tenant;
-use App\Models\User;
 use App\Models\TenantPackage;
+use App\Models\User;
 use Illuminate\Console\Command;
 use Illuminate\Support\Facades\Hash;
-use Illuminate\Support\Facades\DB;
 
 class MigrateLegacyPurchases extends Command
 {
     protected $signature = 'packages:migrate-legacy';
+
     protected $description = 'Migrate legacy purchases to new system with temp tenants';
 
     public function handle()
@@ -21,19 +21,20 @@ class MigrateLegacyPurchases extends Command
 
         if ($legacyPurchases->isEmpty()) {
             $this->info('No legacy purchases found.');
+
             return 0;
         }
 
         $this->info("Found {$legacyPurchases->count()} legacy purchases.");
 
         foreach ($legacyPurchases as $purchase) {
-            if (!$purchase->user_id) {
+            if (! $purchase->user_id) {
                 // Create temp user if no user
                 $tempUser = User::create([
-                    'name' => 'Legacy User ' . $purchase->id,
-                    'email' => 'legacy' . $purchase->id . '@fotospiel.local',
+                    'name' => 'Legacy User '.$purchase->id,
+                    'email' => 'legacy'.$purchase->id.'@fotospiel.local',
                     'password' => Hash::make('legacy'),
-                    'username' => 'legacy' . $purchase->id,
+                    'username' => 'legacy'.$purchase->id,
                     'first_name' => 'Legacy',
                     'last_name' => 'User',
                     'address' => 'Legacy Address',
@@ -43,7 +44,7 @@ class MigrateLegacyPurchases extends Command
 
                 $tempTenant = Tenant::create([
                     'user_id' => $tempUser->id,
-                    'name' => 'Legacy Tenant ' . $purchase->id,
+                    'name' => 'Legacy Tenant '.$purchase->id,
                     'status' => 'active',
                 ]);
 
@@ -73,6 +74,7 @@ class MigrateLegacyPurchases extends Command
         }
 
         $this->info('Legacy migration completed.');
+
         return 0;
     }
-}
+}

app/Console/Commands/MonitorStorageCommand.php

@@ -46,6 +46,12 @@ class MonitorStorageCommand extends Command
 
             $assetStats = $this->buildAssetStatistics();
             $thresholds = $this->capacityThresholds();
+            $checksumConfig = $this->checksumAlertConfig();
+            $checksumWindowMinutes = $checksumConfig['window_minutes'];
+            $checksumThresholds = $checksumConfig['thresholds'];
+            $checksumMismatches = $checksumConfig['enabled'] && $checksumWindowMinutes > 0
+                ? $this->checksumMismatchCounts($checksumWindowMinutes)
+                : [];
             $alerts = [];
             $snapshotTargets = [];
 
@@ -78,6 +84,7 @@ class MonitorStorageCommand extends Command
                     ];
                 }
 
+                $targetChecksumMismatches = $checksumMismatches[$target->id] ?? 0;
                 $snapshotTargets[] = [
                     'id' => $target->id,
                     'key' => $target->key,
@@ -85,13 +92,35 @@ class MonitorStorageCommand extends Command
                     'is_hot' => (bool) $target->is_hot,
                     'capacity' => $capacity,
                     'assets' => $assets,
+                    'checksum_mismatches' => [
+                        'count' => $targetChecksumMismatches,
+                        'window_minutes' => $checksumWindowMinutes,
+                    ],
                 ];
             }
 
+            if ($checksumConfig['enabled'] && $checksumWindowMinutes > 0) {
+                $totalMismatches = array_sum($checksumMismatches);
+                $checksumSeverity = $this->determineChecksumSeverity($totalMismatches, $checksumThresholds);
+
+                if ($checksumSeverity !== 'ok') {
+                    $alerts[] = [
+                        'type' => 'checksum_mismatch',
+                        'severity' => $checksumSeverity,
+                        'count' => $totalMismatches,
+                        'window_minutes' => $checksumWindowMinutes,
+                    ];
+                }
+            }
+
             $snapshot = [
                 'generated_at' => now()->toIso8601String(),
                 'targets' => $snapshotTargets,
                 'alerts' => $alerts,
+                'checksum' => [
+                    'window_minutes' => $checksumWindowMinutes,
+                    'mismatch_total' => array_sum($checksumMismatches),
+                ],
             ];
 
             $ttlMinutes = max(1, (int) config('storage-monitor.monitor.cache_minutes', 15));
@@ -191,4 +220,62 @@ class MonitorStorageCommand extends Command
 
         return 'ok';
     }
+
+    private function checksumAlertConfig(): array
+    {
+        $enabled = (bool) config('storage-monitor.checksum_validation.enabled', true);
+        $windowMinutes = max(0, (int) config('storage-monitor.checksum_validation.alert_window_minutes', 60));
+        $warning = (int) config('storage-monitor.checksum_validation.thresholds.warning', 1);
+        $critical = (int) config('storage-monitor.checksum_validation.thresholds.critical', 5);
+
+        if ($warning > $critical && $critical > 0) {
+            [$warning, $critical] = [$critical, $warning];
+        }
+
+        return [
+            'enabled' => $enabled,
+            'window_minutes' => $windowMinutes,
+            'thresholds' => [
+                'warning' => $warning,
+                'critical' => $critical,
+            ],
+        ];
+    }
+
+    private function checksumMismatchCounts(int $windowMinutes): array
+    {
+        $query = EventMediaAsset::query()
+            ->selectRaw('media_storage_target_id, COUNT(*) as total_count')
+            ->where('status', 'failed')
+            ->where('meta->checksum_status', 'mismatch');
+
+        if ($windowMinutes > 0) {
+            $query->where('updated_at', '>=', now()->subMinutes($windowMinutes));
+        }
+
+        return $query->groupBy('media_storage_target_id')
+            ->get()
+            ->mapWithKeys(fn ($row) => [(int) $row->media_storage_target_id => (int) $row->total_count])
+            ->all();
+    }
+
+    private function determineChecksumSeverity(int $count, array $thresholds): string
+    {
+        $warning = (int) ($thresholds['warning'] ?? 1);
+        $critical = (int) ($thresholds['critical'] ?? 5);
+
+        if ($count <= 0) {
+            return 'ok';
+        }
+
+        if ($critical > 0 && $count >= $critical) {
+            return 'critical';
+        }
+
+        if ($warning > 0 && $count >= $warning) {
+            return 'warning';
+        }
+
+        return 'ok';
+    }
 }

app/Console/Commands/PaddleRegisterWebhooks.php

@@ -1,132 +0,0 @@
-<?php
-
-namespace App\Console\Commands;
-
-use App\Services\Paddle\PaddleClient;
-use Illuminate\Console\Command;
-use Illuminate\Support\Arr;
-use Illuminate\Support\Facades\Log;
-
-class PaddleRegisterWebhooks extends Command
-{
-    /**
-     * The name and signature of the console command.
-     *
-     * @var string
-     */
-    protected $signature = 'paddle:webhooks:register
-        {--url= : Destination URL for Paddle webhooks}
-        {--description= : Description for the webhook destination}
-        {--events=* : Override event types to subscribe}
-        {--traffic-source=all : platform|simulation|all}
-        {--include-sensitive : Include sensitive fields in webhook payloads}
-        {--show-secret : Output the endpoint secret key}
-        {--dry-run : Output payload without creating the destination}';
-
-    /**
-     * The console command description.
-     *
-     * @var string
-     */
-    protected $description = 'Register Paddle webhook notification settings.';
-
-    /**
-     * Execute the console command.
-     */
-    public function handle(PaddleClient $client): int
-    {
-        $destination = (string) ($this->option('url') ?: $this->defaultWebhookUrl());
-
-        if ($destination === '') {
-            $this->error('Webhook destination URL is required. Use --url=...');
-
-            return self::FAILURE;
-        }
-
-        $events = collect((array) $this->option('events'))
-            ->filter()
-            ->map(fn ($event) => trim((string) $event))
-            ->filter()
-            ->values()
-            ->all();
-
-        if ($events === []) {
-            $events = config('paddle.webhook_events', []);
-        }
-
-        if ($events === [] || ! is_array($events)) {
-            $this->error('No webhook events configured. Set config(paddle.webhook_events) or pass --events.');
-
-            return self::FAILURE;
-        }
-
-        $trafficSource = (string) $this->option('traffic-source');
-        $allowedSources = ['platform', 'simulation', 'all'];
-
-        if (! in_array($trafficSource, $allowedSources, true)) {
-            $this->error(sprintf('Invalid traffic source. Use one of: %s', implode(', ', $allowedSources)));
-
-            return self::FAILURE;
-        }
-
-        $payload = [
-            'type' => 'url',
-            'destination' => $destination,
-            'description' => $this->resolveDescription(),
-            'subscribed_events' => $events,
-            'traffic_source' => $trafficSource,
-            'include_sensitive_fields' => (bool) $this->option('include-sensitive'),
-        ];
-
-        if ((bool) $this->option('dry-run')) {
-            $this->line(json_encode($payload, JSON_PRETTY_PRINT));
-
-            return self::SUCCESS;
-        }
-
-        $response = $client->post('/notification-settings', $payload);
-        $data = Arr::get($response, 'data', $response);
-        $id = Arr::get($data, 'id');
-        $secret = Arr::get($data, 'endpoint_secret_key');
-
-        Log::channel('paddle-sync')->info('Paddle webhook registered', [
-            'notification_setting_id' => $id,
-            'destination' => $destination,
-            'traffic_source' => $trafficSource,
-        ]);
-
-        $this->info('Paddle webhook registered.');
-
-        if ($id) {
-            $this->line('ID: '.$id);
-        }
-
-        if ($secret && $this->option('show-secret')) {
-            $this->line('Secret: '.$secret);
-        } elseif ($secret) {
-            $this->line('Secret returned (hidden). Use --show-secret to display.');
-        }
-
-        return self::SUCCESS;
-    }
-
-    protected function defaultWebhookUrl(): string
-    {
-        $base = rtrim((string) config('app.url'), '/');
-
-        return $base !== '' ? $base.'/paddle/webhook' : '';
-    }
-
-    protected function resolveDescription(): string
-    {
-        $description = (string) $this->option('description');
-
-        if ($description !== '') {
-            return $description;
-        }
-
-        $environment = (string) config('paddle.environment', 'production');
-
-        return sprintf('Fotospiel Paddle webhooks (%s)', $environment);
-    }
-}

app/Console/Commands/SeedDemoSwitcherTenants.php

@@ -26,7 +26,7 @@ class SeedDemoSwitcherTenants extends Command
 {
     protected $signature = 'demo:seed-switcher {--with-photos : Download sample photos from Pexels} {--photos-per-event=18 : Target photos per event when downloading} {--cleanup : Remove demo switcher tenants/events/photos instead of seeding}';
 
-    protected $description = 'Seeds demo tenants used by the DevTenantSwitcher (endcustomer + reseller profiles)';
+    protected $description = 'Seeds demo tenants used by the DevTenantSwitcher (endcustomer + partner profiles)';
 
     public function __construct(private EventStorageManager $eventStorageManager)
     {
@@ -52,7 +52,7 @@ class SeedDemoSwitcherTenants extends Command
 
         DB::transaction(function () use ($packages, $eventTypes) {
             $this->seedCustomerStandardEmpty($packages, $eventTypes);
-            $this->seedCustomerStarterWedding($packages, $eventTypes);
+            $this->seedCustomerStandardWedding($packages, $eventTypes);
             $this->seedResellerActive($packages, $eventTypes);
             $this->seedResellerFull($packages, $eventTypes);
         });
@@ -129,7 +129,7 @@ class SeedDemoSwitcherTenants extends Command
         $slugs = [
             'starter' => 'Starter',
             'standard' => 'Standard',
-            's-small-reseller' => 'Reseller S',
+            's-small-reseller' => 'Partner Start',
         ];
 
         $packages = [];
@@ -165,10 +165,10 @@ class SeedDemoSwitcherTenants extends Command
     {
         $tenant = $this->upsertTenant(
             slug: 'demo-standard-empty',
-            name: 'Demo Standard (ohne Event)',
+            name: 'Demo Starter (ohne Event)',
             contactEmail: 'standard-empty@demo.fotospiel',
             attributes: [
-                'subscription_tier' => 'standard',
+                'subscription_tier' => 'starter',
                 'subscription_status' => 'active',
             ],
         );
@@ -176,9 +176,9 @@ class SeedDemoSwitcherTenants extends Command
         $this->upsertAdmin($tenant, 'standard-empty@demo.fotospiel');
 
         TenantPackage::updateOrCreate(
-            ['tenant_id' => $tenant->id, 'package_id' => $packages['standard']->id],
+            ['tenant_id' => $tenant->id, 'package_id' => $packages['starter']->id],
             [
-                'price' => $packages['standard']->price,
+                'price' => $packages['starter']->price,
                 'purchased_at' => Carbon::now()->subDays(1),
                 'expires_at' => Carbon::now()->addMonths(12),
                 'used_events' => 0,
@@ -186,17 +186,17 @@ class SeedDemoSwitcherTenants extends Command
             ]
         );
 
-        $this->comment('Seeded Standard tenant without events.');
+        $this->comment('Seeded Starter tenant without events.');
     }
 
-    private function seedCustomerStarterWedding(array $packages, array $eventTypes): void
+    private function seedCustomerStandardWedding(array $packages, array $eventTypes): void
     {
         $tenant = $this->upsertTenant(
             slug: 'demo-starter-wedding',
-            name: 'Demo Starter Wedding',
+            name: 'Demo Standard Wedding',
             contactEmail: 'starter-wedding@demo.fotospiel',
             attributes: [
-                'subscription_tier' => 'starter',
+                'subscription_tier' => 'standard',
                 'subscription_status' => 'active',
             ],
         );
@@ -209,7 +209,7 @@ class SeedDemoSwitcherTenants extends Command
                 'price' => $packages['standard']->price,
                 'purchased_at' => Carbon::now()->subDays(1),
                 'expires_at' => Carbon::now()->addMonths(12),
-                'used_events' => 0,
+                'used_events' => 1,
                 'active' => true,
             ]
         );
@@ -232,17 +232,18 @@ class SeedDemoSwitcherTenants extends Command
 
     private function seedResellerActive(array $packages, array $eventTypes): void
     {
+        $eventPackage = $this->resolveIncludedPackage($packages['s-small-reseller'], $packages);
         $tenant = $this->upsertTenant(
             slug: 'demo-reseller-active',
-            name: 'Demo Reseller Active',
-            contactEmail: 'reseller-active@demo.fotospiel',
+            name: 'Demo Partner Active',
+            contactEmail: 'partner-active@demo.fotospiel',
             attributes: [
                 'subscription_tier' => 'reseller',
                 'subscription_status' => 'active',
             ],
         );
 
-        $this->upsertAdmin($tenant, 'reseller-active@demo.fotospiel');
+        $this->upsertAdmin($tenant, 'partner-active@demo.fotospiel');
 
         TenantPackage::updateOrCreate(
             ['tenant_id' => $tenant->id, 'package_id' => $packages['s-small-reseller']->id],
@@ -279,7 +280,7 @@ class SeedDemoSwitcherTenants extends Command
         foreach ($events as $index => $config) {
             $event = $this->upsertEvent(
                 tenant: $tenant,
-                package: $packages['standard'],
+                package: $eventPackage,
                 eventType: $config['type'],
                 attributes: [
                     'name' => $config['name'],
@@ -296,17 +297,18 @@ class SeedDemoSwitcherTenants extends Command
 
     private function seedResellerFull(array $packages, array $eventTypes): void
     {
+        $eventPackage = $this->resolveIncludedPackage($packages['s-small-reseller'], $packages);
         $tenant = $this->upsertTenant(
             slug: 'demo-reseller-full',
-            name: 'Demo Reseller Voll',
-            contactEmail: 'reseller-full@demo.fotospiel',
+            name: 'Demo Partner Voll',
+            contactEmail: 'partner-full@demo.fotospiel',
             attributes: [
                 'subscription_tier' => 'reseller',
                 'subscription_status' => 'active',
             ],
         );
 
-        $this->upsertAdmin($tenant, 'reseller-full@demo.fotospiel');
+        $this->upsertAdmin($tenant, 'partner-full@demo.fotospiel');
 
         TenantPackage::updateOrCreate(
             ['tenant_id' => $tenant->id, 'package_id' => $packages['s-small-reseller']->id],
@@ -330,7 +332,7 @@ class SeedDemoSwitcherTenants extends Command
         foreach ($eventConfigs as $index => $config) {
             $event = $this->upsertEvent(
                 tenant: $tenant,
-                package: $packages['standard'],
+                package: $eventPackage,
                 eventType: $config['type'],
                 attributes: [
                     'name' => $config['name'],
@@ -357,8 +359,8 @@ class SeedDemoSwitcherTenants extends Command
             'settings' => [
                 'branding' => [
                     'logo_url' => null,
-                    'primary_color' => '#1D4ED8',
-                    'secondary_color' => '#0F172A',
+                    'primary_color' => '#FF5A5F',
+                    'secondary_color' => '#FFF8F5',
                     'font_family' => 'Inter, sans-serif',
                 ],
                 'features' => [
@@ -435,6 +437,19 @@ class SeedDemoSwitcherTenants extends Command
         return $event;
     }
 
+    private function resolveIncludedPackage(Package $resellerPackage, array $packages): Package
+    {
+        $includedSlug = $resellerPackage->included_package_slug;
+
+        if ($includedSlug && isset($packages[$includedSlug])) {
+            return $packages[$includedSlug];
+        }
+
+        $fallback = $packages['starter'] ?? $packages['standard'] ?? null;
+
+        return $fallback ?? $resellerPackage;
+    }
+
     private function fallbackEventType(): ?EventType
     {
         $fallback = EventType::first();

app/Console/Commands/SendAbandonedCheckoutReminders.php

@@ -62,7 +62,7 @@ class SendAbandonedCheckoutReminders extends Command
                     if ($this->shouldSendReminder($checkout, $stage)) {
                         $resumeUrl = $this->generateResumeUrl($checkout);
 
-                        if (!$isDryRun) {
+                        if (! $isDryRun) {
                             $mailLocale = $checkout->user->preferred_locale ?? config('app.locale');
 
                             Mail::to($checkout->user)
@@ -86,8 +86,8 @@ class SendAbandonedCheckoutReminders extends Command
                         $totalProcessed++;
                     }
                 } catch (Throwable $e) {
-                    Log::error("Failed to send {$stage} reminder for checkout {$checkout->id}: " . $e->getMessage());
-                    $this->error("   ❌ Failed to process checkout {$checkout->id}: " . $e->getMessage());
+                    Log::error("Failed to send {$stage} reminder for checkout {$checkout->id}: ".$e->getMessage());
+                    $this->error("   ❌ Failed to process checkout {$checkout->id}: ".$e->getMessage());
                 }
             }
         }
@@ -98,7 +98,7 @@ class SendAbandonedCheckoutReminders extends Command
             ->count();
 
         if ($oldCheckouts > 0) {
-            if (!$isDryRun) {
+            if (! $isDryRun) {
                 AbandonedCheckoutModel::where('abandoned_at', '<', now()->subDays(30))
                     ->where('converted', false)
                     ->delete();
@@ -108,10 +108,10 @@ class SendAbandonedCheckoutReminders extends Command
             }
         }
 
-        $this->info("✅ Reminder process completed!");
+        $this->info('✅ Reminder process completed!');
         $this->info("   Processed: {$totalProcessed} checkouts");
 
-        if (!$isDryRun) {
+        if (! $isDryRun) {
             $this->info("   Sent: {$totalSent} reminder emails");
         } else {
             $this->info("   Would send: {$totalSent} reminder emails");
@@ -131,12 +131,12 @@ class SendAbandonedCheckoutReminders extends Command
         }
 
         // User existiert noch?
-        if (!$checkout->user) {
+        if (! $checkout->user) {
             return false;
         }
 
         // Package existiert noch?
-        if (!$checkout->package) {
+        if (! $checkout->package) {
             return false;
         }
 

app/Console/Commands/SyncGoogleFonts.php

@@ -12,7 +12,7 @@ use Illuminate\Support\Str;
 
 class SyncGoogleFonts extends Command
 {
-    protected $signature = 'fonts:sync-google {--count=50 : Number of popular fonts to fetch} {--weights=400,700 : Comma separated numeric font weights to download} {--italic : Also download italic variants where available} {--force : Re-download files even if they exist} {--path= : Optional custom output directory (defaults to public/fonts/google)} {--family= : Download specific family name(s), comma separated (case-insensitive)} {--category= : Filter by category, comma separated (e.g. sans-serif,serif)} {--prune : Remove local font families not included in this sync} {--dry-run : Show what would be downloaded without writing files}';
+    protected $signature = 'fonts:sync-google {--count=50 : Number of popular fonts to fetch} {--weights=400,700 : Comma separated numeric font weights to download} {--italic : Also download italic variants where available} {--force : Re-download files even if they exist} {--path= : Optional custom output directory (defaults to public/fonts/google)} {--family= : Download specific family name(s), comma separated (case-insensitive)} {--category= : Filter by category, comma separated (e.g. sans-serif,serif)} {--prune : Remove local font families not included in this sync} {--dry-run : Show what would be downloaded without writing files} {--from-disk : Rebuild manifest + CSS from existing font files without downloading}';
 
     protected $description = 'Download the most popular Google Fonts to the local public/fonts/google directory and generate a manifest + CSS file.';
 
@@ -20,6 +20,17 @@ class SyncGoogleFonts extends Command
 
     public function handle(): int
     {
+        $dryRun = (bool) $this->option('dry-run');
+        $fromDisk = (bool) $this->option('from-disk');
+        $pathOption = $this->option('path');
+        $basePath = $pathOption
+            ? (Str::startsWith($pathOption, DIRECTORY_SEPARATOR) ? $pathOption : base_path($pathOption))
+            : public_path('fonts/google');
+
+        if ($fromDisk) {
+            return $this->syncFromDisk($basePath, $dryRun);
+        }
+
         $apiKey = config('services.google_fonts.key');
 
         if (! $apiKey) {
@@ -32,16 +43,10 @@ class SyncGoogleFonts extends Command
         $weights = $this->prepareWeights($this->option('weights'));
         $includeItalic = (bool) $this->option('italic');
         $force = (bool) $this->option('force');
-        $dryRun = (bool) $this->option('dry-run');
         $families = $this->normalizeFamilyOption($this->option('family'));
         $categories = $this->prepareCategories($this->option('category'));
         $prune = (bool) $this->option('prune');
 
-        $pathOption = $this->option('path');
-        $basePath = $pathOption
-            ? (Str::startsWith($pathOption, DIRECTORY_SEPARATOR) ? $pathOption : base_path($pathOption))
-            : public_path('fonts/google');
-
         if (count($families)) {
             $label = count($families) > 1 ? 'families' : 'family';
             $this->info(sprintf('Fetching Google Font %s "%s" (weights: %s, italic: %s)...', $label, implode(', ', $families), implode(', ', $weights), $includeItalic ? 'yes' : 'no'));
@@ -206,6 +211,204 @@ class SyncGoogleFonts extends Command
         return self::SUCCESS;
     }
 
+    private function syncFromDisk(string $basePath, bool $dryRun): int
+    {
+        if (! File::isDirectory($basePath)) {
+            $this->error(sprintf('Font directory not found: %s', $basePath));
+
+            return self::FAILURE;
+        }
+
+        if ($this->option('prune')) {
+            $this->warn('Ignoring --prune when rebuilding from disk.');
+        }
+
+        $fonts = $this->buildManifestFromDisk($basePath);
+
+        if (! count($fonts)) {
+            $this->warn('No fonts found on disk.');
+        }
+
+        if ($dryRun) {
+            $this->info(sprintf('Dry run complete: %d font families would be written to %s', count($fonts), $basePath));
+
+            return self::SUCCESS;
+        }
+
+        $this->writeManifest($basePath, $fonts);
+        $this->writeCss($basePath, $fonts);
+        Cache::forget('fonts:manifest');
+
+        $this->info(sprintf('Rebuilt manifest for %d font families from %s', count($fonts), $basePath));
+
+        return self::SUCCESS;
+    }
+
+    /**
+     * @return array<int, array<string, mixed>>
+     */
+    private function buildManifestFromDisk(string $basePath): array
+    {
+        $directories = File::directories($basePath);
+        $fonts = [];
+
+        foreach ($directories as $dir) {
+            $slug = basename($dir);
+            $files = collect(File::files($dir))
+                ->filter(function (\SplFileInfo $file) {
+                    $extension = strtolower($file->getExtension());
+
+                    return in_array($extension, ['woff2', 'woff', 'otf', 'ttf'], true);
+                })
+                ->values();
+
+            if (! $files->count()) {
+                continue;
+            }
+
+            $variantsByKey = [];
+            foreach ($files as $file) {
+                $filename = $file->getFilename();
+                $extension = strtolower($file->getExtension());
+                $style = $this->extractStyleFromFilename($filename);
+                $weight = $this->extractWeightFromFilename($filename);
+                $variantKey = $this->buildVariantKey($weight, $style);
+                $priority = $this->extensionPriority($extension);
+                $relativePath = sprintf('/fonts/google/%s/%s', $slug, $filename);
+
+                $existing = $variantsByKey[$variantKey] ?? null;
+                if ($existing && ($existing['priority'] ?? 0) >= $priority) {
+                    continue;
+                }
+
+                $variantsByKey[$variantKey] = [
+                    'variant' => $variantKey,
+                    'weight' => $weight,
+                    'style' => $style,
+                    'url' => $relativePath,
+                    'priority' => $priority,
+                ];
+            }
+
+            if (! count($variantsByKey)) {
+                continue;
+            }
+
+            $variants = array_values(array_map(function (array $variant) {
+                unset($variant['priority']);
+
+                return $variant;
+            }, $variantsByKey));
+
+            usort($variants, function (array $left, array $right) {
+                $weightCompare = ($left['weight'] ?? 400) <=> ($right['weight'] ?? 400);
+                if ($weightCompare !== 0) {
+                    return $weightCompare;
+                }
+
+                return strcmp((string) ($left['style'] ?? 'normal'), (string) ($right['style'] ?? 'normal'));
+            });
+
+            $fonts[] = [
+                'family' => $this->familyFromSlug($slug),
+                'slug' => $slug,
+                'category' => null,
+                'variants' => $variants,
+            ];
+        }
+
+        usort($fonts, fn (array $left, array $right) => strcmp((string) $left['family'], (string) $right['family']));
+
+        return $fonts;
+    }
+
+    private function familyFromSlug(string $slug): string
+    {
+        $parts = array_filter(explode('-', $slug), fn ($part) => $part !== '');
+
+        $words = array_map(function (string $part) {
+            if (is_numeric($part)) {
+                return $part;
+            }
+
+            if (strlen($part) <= 3) {
+                return strtoupper($part);
+            }
+
+            return ucfirst(strtolower($part));
+        }, $parts);
+
+        return trim(implode(' ', $words));
+    }
+
+    private function extractStyleFromFilename(string $filename): string
+    {
+        $lower = strtolower($filename);
+
+        return str_contains($lower, 'italic') || str_contains($lower, 'oblique') ? 'italic' : 'normal';
+    }
+
+    private function extractWeightFromFilename(string $filename): int
+    {
+        if (preg_match('/(?:^|[^0-9])(100|200|300|400|500|600|700|800|900)(?:[^0-9]|$)/', $filename, $matches)) {
+            return (int) $matches[1];
+        }
+
+        $lower = strtolower($filename);
+        $weightMap = [
+            'thin' => 100,
+            'extralight' => 200,
+            'ultralight' => 200,
+            'light' => 300,
+            'regular' => 400,
+            'book' => 400,
+            'medium' => 500,
+            'semibold' => 600,
+            'demibold' => 600,
+            'bold' => 700,
+            'extrabold' => 800,
+            'ultrabold' => 800,
+            'black' => 900,
+            'heavy' => 900,
+        ];
+
+        foreach ($weightMap as $label => $weight) {
+            if (str_contains($lower, $label)) {
+                return $weight;
+            }
+        }
+
+        return 400;
+    }
+
+    private function buildVariantKey(int $weight, string $style): string
+    {
+        if ($weight === 400 && $style === 'normal') {
+            return 'regular';
+        }
+
+        if ($weight === 400 && $style === 'italic') {
+            return 'italic';
+        }
+
+        if ($style === 'italic') {
+            return $weight.'italic';
+        }
+
+        return (string) $weight;
+    }
+
+    private function extensionPriority(string $extension): int
+    {
+        return match ($extension) {
+            'woff2' => 4,
+            'woff' => 3,
+            'otf' => 2,
+            'ttf' => 1,
+            default => 0,
+        };
+    }
+
     /**
      * @return array<int, string>
      */

app/Enums/PackageType.php

@@ -6,4 +6,4 @@ enum PackageType: string
 {
     case ENDCUSTOMER = 'endcustomer';
     case RESELLER = 'reseller';
-}
+}

app/Exports/EventPurchaseExporter.php

@@ -5,8 +5,6 @@ namespace App\Exports;
 use App\Models\EventPurchase;
 use Filament\Actions\Exports\Exporter;
 use Filament\Actions\Exports\Models\Export;
-use Illuminate\Database\Eloquent\Builder;
-use Illuminate\Support\Collection;
 
 class EventPurchaseExporter extends Exporter
 {
@@ -28,11 +26,10 @@ class EventPurchaseExporter extends Exporter
         ];
     }
 
-
     public static function getCompletedNotificationBody(Export $export): string
     {
         $body = "Your Event Purchases export has completed and is ready for download. {$export->successful_rows} purchases were exported.";
 
         return $body;
     }
-}
+}

app/Filament/Blog/Resources/CategoryResource/Pages/ListCategories.php

@@ -16,4 +16,4 @@ class ListCategories extends ListRecords
             Actions\CreateAction::make(),
         ];
     }
-}
+}

app/Filament/Blog/Resources/PostResource.php

@@ -79,9 +79,10 @@ class PostResource extends Resource
                                     ->label('Inhalt')
                                     ->required()
                                     ->columnSpanFull(),
-                                TextInput::make('excerpt.de')
+                                Textarea::make('excerpt.de')
                                     ->label('Auszug')
-                                    ->maxLength(255),
+                                    ->maxLength(65535)
+                                    ->columnSpanFull(),
                                 TextInput::make('meta_title.de')
                                     ->label('Meta-Titel')
                                     ->maxLength(255),
@@ -99,9 +100,10 @@ class PostResource extends Resource
                                 MarkdownEditor::make('content.en')
                                     ->label('Inhalt')
                                     ->columnSpanFull(),
-                                TextInput::make('excerpt.en')
+                                Textarea::make('excerpt.en')
                                     ->label('Auszug')
-                                    ->maxLength(255),
+                                    ->maxLength(65535)
+                                    ->columnSpanFull(),
                                 TextInput::make('meta_title.en')
                                     ->label('Meta-Titel')
                                     ->maxLength(255),
@@ -121,9 +123,10 @@ class PostResource extends Resource
                             ->unique(BlogPost::class, 'slug', ignoreRecord: true)
                             ->maxLength(255)
                             ->columnSpanFull(),
-                        FileUpload::make('featured_image')
+                        FileUpload::make('banner')
                             ->label('Featured Image')
                             ->image()
+                            ->disk('public')
                             ->directory('blog')
                             ->visibility('public'),
                         Select::make('blog_category_id')

app/Filament/Blog/Resources/PostResource/Pages/ListPosts.php

@@ -16,4 +16,4 @@ class ListPosts extends ListRecords
             Actions\CreateAction::make(),
         ];
     }
-}
+}

app/Filament/Blog/Resources/PostResource/Pages/ViewPost.php

@@ -8,4 +8,4 @@ use Filament\Resources\Pages\ViewRecord;
 class ViewPost extends ViewRecord
 {
     protected static string $resource = PostResource::class;
-}
+}

app/Filament/Blog/Traits/HasContentEditor.php

@@ -26,4 +26,4 @@ trait HasContentEditor
                 'h3',
             ]));
     }
-}
+}

app/Filament/Clusters/DailyOps/Resources/TenantCheckoutHealths/Pages/ListTenantCheckoutHealths.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace App\Filament\Clusters\DailyOps\Resources\TenantCheckoutHealths\Pages;
+
+use App\Filament\Clusters\DailyOps\Resources\TenantCheckoutHealths\TenantCheckoutHealthResource;
+use Filament\Resources\Pages\ListRecords;
+
+class ListTenantCheckoutHealths extends ListRecords
+{
+    protected static string $resource = TenantCheckoutHealthResource::class;
+
+    protected function getHeaderActions(): array
+    {
+        return [];
+    }
+}

app/Filament/Clusters/DailyOps/Resources/TenantCheckoutHealths/Tables/TenantCheckoutHealthTable.php

@@ -1,8 +1,8 @@
 <?php
 
-namespace App\Filament\Clusters\DailyOps\Resources\TenantPaddleHealths\Tables;
+namespace App\Filament\Clusters\DailyOps\Resources\TenantCheckoutHealths\Tables;
 
-use App\Filament\Clusters\DailyOps\Resources\TenantPaddleHealths\TenantPaddleHealthResource;
+use App\Filament\Clusters\DailyOps\Resources\TenantCheckoutHealths\TenantCheckoutHealthResource;
 use App\Models\CheckoutSession;
 use App\Models\Tenant;
 use Filament\Forms\Components\TextInput;
@@ -13,12 +13,9 @@ use Filament\Tables\Filters\SelectFilter;
 use Filament\Tables\Table;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Support\Carbon;
-use Illuminate\Support\Str;
 
-class TenantPaddleHealthTable
+class TenantCheckoutHealthTable
 {
-    private const FAILED_SYNC_STATUSES = ['failed', 'pull-failed'];
-
     public static function configure(Table $table): Table
     {
         return $table
@@ -35,11 +32,6 @@ class TenantPaddleHealthTable
                     ->label(__('admin.tenants.fields.contact_email'))
                     ->searchable()
                     ->toggleable(isToggledHiddenByDefault: true),
-                TextColumn::make('paddle_customer_id')
-                    ->label('Paddle customer')
-                    ->toggleable(isToggledHiddenByDefault: true)
-                    ->copyable()
-                    ->formatStateUsing(fn (?string $state) => $state ?: '—'),
                 TextColumn::make('subscription_status')
                     ->label('Subscription')
                     ->badge()
@@ -56,134 +48,77 @@ class TenantPaddleHealthTable
                     ->badge()
                     ->color(fn (string $state) => $state === '—' ? 'gray' : 'success')
                     ->toggleable(isToggledHiddenByDefault: true),
-                TextColumn::make('paddle_subscription_id')
-                    ->label('Paddle subscription')
-                    ->toggleable(isToggledHiddenByDefault: true)
-                    ->copyable()
-                    ->getStateUsing(fn (Tenant $record) => $record->activeResellerPackage?->paddle_subscription_id)
-                    ->formatStateUsing(fn (?string $state) => $state ?: '—'),
-                IconColumn::make('missing_paddle_subscription')
-                    ->label('Missing Paddle subscription')
-                    ->boolean()
-                    ->getStateUsing(fn (Tenant $record) => self::missingPaddleSubscription($record)),
                 IconColumn::make('status_mismatch')
                     ->label('Status mismatch')
                     ->boolean()
                     ->getStateUsing(fn (Tenant $record) => self::hasStatusMismatch($record)),
-                TextColumn::make('paddle_customer_duplicates')
-                    ->label('Paddle duplicates')
-                    ->sortable()
-                    ->toggleable(isToggledHiddenByDefault: true)
-                    ->formatStateUsing(fn (?int $state) => $state && $state > 1 ? (string) $state : '—'),
-                TextColumn::make('paddle_sync_status')
-                    ->label('Paddle sync')
-                    ->badge()
-                    ->color(fn (?string $state) => match ($state) {
-                        'synced' => 'success',
-                        'syncing' => 'warning',
-                        'pulled' => 'info',
-                        'dry-run' => 'gray',
-                        'failed', 'pull-failed' => 'danger',
-                        default => 'gray',
-                    })
-                    ->formatStateUsing(fn (?string $state) => $state ? Str::headline($state) : '—')
-                    ->getStateUsing(fn (Tenant $record) => $record->activeResellerPackage?->package?->paddle_sync_status)
-                    ->toggleable(isToggledHiddenByDefault: true),
-                TextColumn::make('paddle_synced_at')
-                    ->label('Paddle synced')
-                    ->badge()
-                    ->color(fn ($state) => self::syncAgeColor($state))
-                    ->formatStateUsing(fn ($state) => $state?->diffForHumans() ?? '—')
-                    ->getStateUsing(fn (Tenant $record) => $record->activeResellerPackage?->package?->paddle_synced_at),
-                TextColumn::make('last_paddle_transaction_at')
-                    ->label('Last Paddle tx')
+                TextColumn::make('last_checkout_transaction_at')
+                    ->label('Last transaction')
                     ->badge()
                     ->color(fn (?Carbon $state) => self::transactionAgeColor($state))
-                    ->getStateUsing(fn (Tenant $record) => $record->last_paddle_transaction_at
-                        ? Carbon::parse($record->last_paddle_transaction_at)
+                    ->getStateUsing(fn (Tenant $record) => $record->last_checkout_transaction_at
+                        ? Carbon::parse($record->last_checkout_transaction_at)
                         : null)
                     ->formatStateUsing(fn (?Carbon $state) => $state?->diffForHumans() ?? '—')
                     ->toggleable(isToggledHiddenByDefault: true),
-                TextColumn::make('paddle_transaction_count_window')
-                    ->label('Paddle tx (30d)')
+                TextColumn::make('checkout_transaction_count_window')
+                    ->label('Transactions (30d)')
                     ->default('0')
                     ->sortable()
                     ->toggleable(),
-                TextColumn::make('paddle_transaction_total_window')
-                    ->label('Paddle total (30d)')
+                TextColumn::make('checkout_transaction_total_window')
+                    ->label('Total (30d)')
                     ->default(0)
                     ->money('EUR')
                     ->sortable()
                     ->toggleable(),
-                TextColumn::make('paddle_refund_count_window')
+                TextColumn::make('checkout_refund_count_window')
                     ->label('Refunds (30d)')
                     ->badge()
                     ->color(fn (?int $state) => $state && $state > 0 ? 'danger' : 'gray')
                     ->default('0')
                     ->sortable()
                     ->toggleable(isToggledHiddenByDefault: true),
-                TextColumn::make('paddle_refund_total_window')
+                TextColumn::make('checkout_refund_total_window')
                     ->label('Refund total (30d)')
                     ->default(0)
                     ->money('EUR')
                     ->sortable()
                     ->toggleable(isToggledHiddenByDefault: true),
-                TextColumn::make('paddle_checkout_requires_action_count')
+                TextColumn::make('checkout_requires_action_count')
                     ->label('Checkout action required')
                     ->badge()
                     ->color(fn (?int $state) => $state && $state > 0 ? 'warning' : 'gray')
                     ->default('0')
                     ->sortable()
                     ->toggleable(isToggledHiddenByDefault: true),
-                TextColumn::make('paddle_checkout_processing_count')
+                TextColumn::make('checkout_processing_count')
                     ->label('Checkout processing')
                     ->badge()
                     ->color(fn (?int $state) => $state && $state > 0 ? 'warning' : 'gray')
                     ->default('0')
                     ->sortable()
                     ->toggleable(isToggledHiddenByDefault: true),
-                TextColumn::make('paddle_checkout_expired_count')
+                TextColumn::make('checkout_expired_count')
                     ->label('Checkout expired')
                     ->badge()
                     ->color(fn (?int $state) => $state && $state > 0 ? 'danger' : 'gray')
                     ->default('0')
                     ->sortable()
                     ->toggleable(isToggledHiddenByDefault: true),
-                TextColumn::make('paddle_transaction_count')
-                    ->label('Paddle tx (all)')
+                TextColumn::make('checkout_transaction_count')
+                    ->label('Transactions (all)')
                     ->default('0')
                     ->sortable()
                     ->toggleable(isToggledHiddenByDefault: true),
-                TextColumn::make('paddle_transaction_total')
-                    ->label('Paddle total (all)')
+                TextColumn::make('checkout_transaction_total')
+                    ->label('Total (all)')
                     ->default(0)
                     ->money('EUR')
                     ->sortable()
                     ->toggleable(isToggledHiddenByDefault: true),
             ])
             ->filters([
-                Filter::make('missing_paddle_customer')
-                    ->label('Missing Paddle customer')
-                    ->indicator('Missing Paddle customer')
-                    ->query(fn (Builder $query) => $query->whereNull('paddle_customer_id')),
-                Filter::make('missing_paddle_subscription')
-                    ->label('Missing Paddle subscription')
-                    ->indicator('Missing Paddle subscription')
-                    ->query(fn (Builder $query) => $query->whereHas('activeResellerPackage', fn (Builder $query) => $query
-                        ->where('active', true)
-                        ->whereNull('paddle_subscription_id'))),
-                Filter::make('duplicate_paddle_customer')
-                    ->label('Duplicate Paddle customer')
-                    ->indicator('Duplicate Paddle customer')
-                    ->query(fn (Builder $query) => $query
-                        ->whereNotNull('paddle_customer_id')
-                        ->whereIn('paddle_customer_id', function ($subquery) {
-                            $subquery->select('paddle_customer_id')
-                                ->from('tenants')
-                                ->whereNotNull('paddle_customer_id')
-                                ->groupBy('paddle_customer_id')
-                                ->havingRaw('count(*) > 1');
-                        })),
                 Filter::make('status_mismatch')
                     ->label('Status mismatch')
                     ->indicator('Status mismatch')
@@ -205,39 +140,24 @@ class TenantPaddleHealthTable
                         ->where('is_suspended', false)
                         ->whereNull('pending_deletion_at')
                         ->whereNull('anonymized_at')),
-                Filter::make('paddle_sync_failed')
-                    ->label('Paddle sync failed')
-                    ->indicator('Paddle sync failed')
-                    ->query(fn (Builder $query) => $query->whereHas('activeResellerPackage.package', fn (Builder $query) => $query
-                        ->whereIn('paddle_sync_status', self::FAILED_SYNC_STATUSES))),
-                Filter::make('paddle_sync_stale')
-                    ->label('Paddle sync stale')
-                    ->indicator('Paddle sync stale')
-                    ->query(fn (Builder $query) => $query->whereHas('activeResellerPackage.package', fn (Builder $query) => $query
-                        ->whereNotNull('paddle_synced_at')
-                        ->where('paddle_synced_at', '<', now()->subDays(TenantPaddleHealthResource::STALE_SYNC_DAYS)))),
-                Filter::make('paddle_sync_missing')
-                    ->label('Missing Paddle sync timestamp')
-                    ->indicator('Missing Paddle sync timestamp')
-                    ->query(fn (Builder $query) => $query->whereHas('activeResellerPackage.package', fn (Builder $query) => $query
-                        ->whereNull('paddle_synced_at'))),
-                Filter::make('paddle_transaction_stale')
-                    ->label('Stale Paddle transactions')
-                    ->indicator('Stale Paddle transactions')
+                Filter::make('checkout_transaction_stale')
+                    ->label('Stale transactions')
+                    ->indicator('Stale transactions')
                     ->query(function (Builder $query): Builder {
-                        $cutoff = now()->subDays(TenantPaddleHealthResource::TRANSACTION_WINDOW_DAYS);
+                        $cutoff = now()->subDays(TenantCheckoutHealthResource::TRANSACTION_WINDOW_DAYS);
+                        $provider = TenantCheckoutHealthResource::provider();
 
                         return $query
-                            ->whereHas('purchases', fn (Builder $query) => $query->where('provider', 'paddle'))
+                            ->whereHas('purchases', fn (Builder $query) => $query->where('provider', $provider))
                             ->whereDoesntHave('purchases', fn (Builder $query) => $query
-                                ->where('provider', 'paddle')
+                                ->where('provider', $provider)
                                 ->where('purchased_at', '>=', $cutoff));
                     }),
                 Filter::make('checkout_attention')
                     ->label('Checkout attention')
                     ->indicator('Checkout attention')
                     ->query(fn (Builder $query) => $query->whereHas('checkoutSessions', function (Builder $query) {
-                        $query->where('provider', 'paddle')
+                        $query->where('provider', TenantCheckoutHealthResource::provider())
                             ->where(function (Builder $query) {
                                 $query->whereIn('status', [
                                     CheckoutSession::STATUS_REQUIRES_CUSTOMER_ACTION,
@@ -274,10 +194,11 @@ class TenantPaddleHealthTable
                             return $query;
                         }
 
-                        $cutoff = now()->subDays(TenantPaddleHealthResource::TRANSACTION_WINDOW_DAYS);
+                        $cutoff = now()->subDays(TenantCheckoutHealthResource::TRANSACTION_WINDOW_DAYS);
+                        $provider = TenantCheckoutHealthResource::provider();
 
                         return $query->whereHas('purchases', fn (Builder $query) => $query
-                            ->where('provider', 'paddle')
+                            ->where('provider', $provider)
                             ->where('refunded', true)
                             ->where('purchased_at', '>=', $cutoff), '>=', $min);
                     }),
@@ -314,13 +235,6 @@ class TenantPaddleHealthTable
         return false;
     }
 
-    private static function missingPaddleSubscription(Tenant $record): bool
-    {
-        $package = $record->activeResellerPackage;
-
-        return $package && $package->active && ! $package->paddle_subscription_id;
-    }
-
     private static function applyStatusMismatchFilter(Builder $query): Builder
     {
         return $query->where(function (Builder $query) {
@@ -338,26 +252,13 @@ class TenantPaddleHealthTable
         });
     }
 
-    private static function syncAgeColor($state): string
-    {
-        if (! $state) {
-            return 'gray';
-        }
-
-        if ($state->lt(now()->subDays(TenantPaddleHealthResource::STALE_SYNC_DAYS))) {
-            return 'danger';
-        }
-
-        return 'success';
-    }
-
     private static function transactionAgeColor(?Carbon $state): string
     {
         if (! $state) {
             return 'gray';
         }
 
-        if ($state->lt(now()->subDays(TenantPaddleHealthResource::TRANSACTION_WINDOW_DAYS))) {
+        if ($state->lt(now()->subDays(TenantCheckoutHealthResource::TRANSACTION_WINDOW_DAYS))) {
             return 'danger';
         }
 

app/Filament/Clusters/DailyOps/Resources/TenantCheckoutHealths/TenantCheckoutHealthResource.php

@@ -1,10 +1,10 @@
 <?php
 
-namespace App\Filament\Clusters\DailyOps\Resources\TenantPaddleHealths;
+namespace App\Filament\Clusters\DailyOps\Resources\TenantCheckoutHealths;
 
 use App\Filament\Clusters\DailyOps\DailyOpsCluster;
-use App\Filament\Clusters\DailyOps\Resources\TenantPaddleHealths\Pages\ListTenantPaddleHealths;
-use App\Filament\Clusters\DailyOps\Resources\TenantPaddleHealths\Tables\TenantPaddleHealthTable;
+use App\Filament\Clusters\DailyOps\Resources\TenantCheckoutHealths\Pages\ListTenantCheckoutHealths;
+use App\Filament\Clusters\DailyOps\Resources\TenantCheckoutHealths\Tables\TenantCheckoutHealthTable;
 use App\Models\CheckoutSession;
 use App\Models\Tenant;
 use BackedEnum;
@@ -13,25 +13,25 @@ use Filament\Tables\Table;
 use Illuminate\Database\Eloquent\Builder;
 use UnitEnum;
 
-class TenantPaddleHealthResource extends Resource
+class TenantCheckoutHealthResource extends Resource
 {
-    public const STALE_SYNC_DAYS = 30;
-
     public const TRANSACTION_WINDOW_DAYS = 30;
 
+    public const DEFAULT_PROVIDER = CheckoutSession::PROVIDER_PAYPAL;
+
     protected static ?string $model = Tenant::class;
 
     protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-credit-card';
 
     protected static ?string $cluster = DailyOpsCluster::class;
 
-    protected static ?string $slug = 'paddle-health';
+    protected static ?string $slug = 'checkout-health';
 
     protected static ?int $navigationSort = 20;
 
     public static function table(Table $table): Table
     {
-        return TenantPaddleHealthTable::configure($table);
+        return TenantCheckoutHealthTable::configure($table);
     }
 
     public static function canCreate(): bool
@@ -41,7 +41,7 @@ class TenantPaddleHealthResource extends Resource
 
     public static function getNavigationLabel(): string
     {
-        return __('admin.paddle_health.navigation.label');
+        return __('admin.checkout_health.navigation.label');
     }
 
     public static function getNavigationGroup(): UnitEnum|string|null
@@ -51,37 +51,32 @@ class TenantPaddleHealthResource extends Resource
 
     public static function getEloquentQuery(): Builder
     {
+        $provider = static::provider();
         $windowStart = now()->subDays(self::TRANSACTION_WINDOW_DAYS);
 
         return parent::getEloquentQuery()
             ->with(['activeResellerPackage.package'])
             ->withExists('activeResellerPackage as has_active_reseller_package')
-            ->addSelect([
-                'paddle_customer_duplicates' => Tenant::query()
-                    ->selectRaw('count(*)')
-                    ->whereColumn('paddle_customer_id', 'tenants.paddle_customer_id')
-                    ->whereNotNull('paddle_customer_id'),
-            ])
             ->withCount([
-                'purchases as paddle_transaction_count' => fn (Builder $query) => $query
-                    ->where('provider', 'paddle')
+                'purchases as checkout_transaction_count' => fn (Builder $query) => $query
+                    ->where('provider', $provider)
                     ->where('refunded', false),
-                'purchases as paddle_transaction_count_window' => fn (Builder $query) => $query
-                    ->where('provider', 'paddle')
+                'purchases as checkout_transaction_count_window' => fn (Builder $query) => $query
+                    ->where('provider', $provider)
                     ->where('refunded', false)
                     ->where('purchased_at', '>=', $windowStart),
-                'purchases as paddle_refund_count_window' => fn (Builder $query) => $query
-                    ->where('provider', 'paddle')
+                'purchases as checkout_refund_count_window' => fn (Builder $query) => $query
+                    ->where('provider', $provider)
                     ->where('refunded', true)
                     ->where('purchased_at', '>=', $windowStart),
-                'checkoutSessions as paddle_checkout_requires_action_count' => fn (Builder $query) => $query
-                    ->where('provider', CheckoutSession::PROVIDER_PADDLE)
+                'checkoutSessions as checkout_requires_action_count' => fn (Builder $query) => $query
+                    ->where('provider', $provider)
                     ->where('status', CheckoutSession::STATUS_REQUIRES_CUSTOMER_ACTION),
-                'checkoutSessions as paddle_checkout_processing_count' => fn (Builder $query) => $query
-                    ->where('provider', CheckoutSession::PROVIDER_PADDLE)
+                'checkoutSessions as checkout_processing_count' => fn (Builder $query) => $query
+                    ->where('provider', $provider)
                     ->where('status', CheckoutSession::STATUS_PROCESSING),
-                'checkoutSessions as paddle_checkout_expired_count' => fn (Builder $query) => $query
-                    ->where('provider', CheckoutSession::PROVIDER_PADDLE)
+                'checkoutSessions as checkout_expired_count' => fn (Builder $query) => $query
+                    ->where('provider', $provider)
                     ->whereNotIn('status', [
                         CheckoutSession::STATUS_COMPLETED,
                         CheckoutSession::STATUS_CANCELLED,
@@ -90,32 +85,37 @@ class TenantPaddleHealthResource extends Resource
                     ->where('expires_at', '<', now()),
             ])
             ->withSum([
-                'purchases as paddle_transaction_total' => fn (Builder $query) => $query
-                    ->where('provider', 'paddle')
+                'purchases as checkout_transaction_total' => fn (Builder $query) => $query
+                    ->where('provider', $provider)
                     ->where('refunded', false),
             ], 'price')
             ->withSum([
-                'purchases as paddle_transaction_total_window' => fn (Builder $query) => $query
-                    ->where('provider', 'paddle')
+                'purchases as checkout_transaction_total_window' => fn (Builder $query) => $query
+                    ->where('provider', $provider)
                     ->where('refunded', false)
                     ->where('purchased_at', '>=', $windowStart),
             ], 'price')
             ->withSum([
-                'purchases as paddle_refund_total_window' => fn (Builder $query) => $query
-                    ->where('provider', 'paddle')
+                'purchases as checkout_refund_total_window' => fn (Builder $query) => $query
+                    ->where('provider', $provider)
                     ->where('refunded', true)
                     ->where('purchased_at', '>=', $windowStart),
             ], 'price')
             ->withMax([
-                'purchases as last_paddle_transaction_at' => fn (Builder $query) => $query
-                    ->where('provider', 'paddle'),
+                'purchases as last_checkout_transaction_at' => fn (Builder $query) => $query
+                    ->where('provider', $provider),
             ], 'purchased_at');
     }
 
     public static function getPages(): array
     {
         return [
-            'index' => ListTenantPaddleHealths::route('/'),
+            'index' => ListTenantCheckoutHealths::route('/'),
         ];
     }
+
+    public static function provider(): string
+    {
+        return (string) config('checkout.default_provider', self::DEFAULT_PROVIDER);
+    }
 }

app/Filament/Clusters/DailyOps/Resources/TenantPaddleHealths/Pages/ListTenantPaddleHealths.php

@@ -1,16 +0,0 @@
-<?php
-
-namespace App\Filament\Clusters\DailyOps\Resources\TenantPaddleHealths\Pages;
-
-use App\Filament\Clusters\DailyOps\Resources\TenantPaddleHealths\TenantPaddleHealthResource;
-use Filament\Resources\Pages\ListRecords;
-
-class ListTenantPaddleHealths extends ListRecords
-{
-    protected static string $resource = TenantPaddleHealthResource::class;
-
-    protected function getHeaderActions(): array
-    {
-        return [];
-    }
-}

app/Filament/Clusters/WeeklyOps/Resources/TaskCollections/Pages/CreateTaskCollection.php

@@ -0,0 +1,16 @@
+<?php
+
+namespace App\Filament\Clusters\WeeklyOps\Resources\TaskCollections\Pages;
+
+use App\Filament\Clusters\WeeklyOps\Resources\TaskCollections\TaskCollectionResource;
+use App\Filament\Resources\Pages\AuditedCreateRecord;
+
+class CreateTaskCollection extends AuditedCreateRecord
+{
+    protected static string $resource = TaskCollectionResource::class;
+
+    protected function mutateFormDataBeforeCreate(array $data): array
+    {
+        return TaskCollectionResource::normalizeData($data);
+    }
+}

app/Filament/Clusters/WeeklyOps/Resources/TaskCollections/Pages/EditTaskCollection.php

@@ -0,0 +1,30 @@
+<?php
+
+namespace App\Filament\Clusters\WeeklyOps\Resources\TaskCollections\Pages;
+
+use App\Filament\Clusters\WeeklyOps\Resources\TaskCollections\TaskCollectionResource;
+use App\Filament\Resources\Pages\AuditedEditRecord;
+use App\Services\Audit\SuperAdminAuditLogger;
+use Filament\Actions;
+
+class EditTaskCollection extends AuditedEditRecord
+{
+    protected static string $resource = TaskCollectionResource::class;
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            Actions\DeleteAction::make()
+                ->after(fn ($record) => app(SuperAdminAuditLogger::class)->recordModelMutation(
+                    'deleted',
+                    $record,
+                    source: static::class
+                )),
+        ];
+    }
+
+    protected function mutateFormDataBeforeSave(array $data): array
+    {
+        return TaskCollectionResource::normalizeData($data, $this->record);
+    }
+}

app/Filament/Clusters/WeeklyOps/Resources/TaskCollections/Pages/ListTaskCollections.php

@@ -0,0 +1,19 @@
+<?php
+
+namespace App\Filament\Clusters\WeeklyOps\Resources\TaskCollections\Pages;
+
+use App\Filament\Clusters\WeeklyOps\Resources\TaskCollections\TaskCollectionResource;
+use Filament\Actions;
+use Filament\Resources\Pages\ListRecords;
+
+class ListTaskCollections extends ListRecords
+{
+    protected static string $resource = TaskCollectionResource::class;
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            Actions\CreateAction::make(),
+        ];
+    }
+}

app/Filament/Clusters/WeeklyOps/Resources/TaskCollections/RelationManagers/TasksRelationManager.php

@@ -0,0 +1,127 @@
+<?php
+
+namespace App\Filament\Clusters\WeeklyOps\Resources\TaskCollections\RelationManagers;
+
+use App\Models\Task;
+use Filament\Actions\AttachAction;
+use Filament\Actions\BulkActionGroup;
+use Filament\Actions\DetachAction;
+use Filament\Actions\DetachBulkAction;
+use Filament\Resources\RelationManagers\RelationManager;
+use Filament\Tables\Columns\IconColumn;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Table;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Collection;
+use Illuminate\Support\Arr;
+
+class TasksRelationManager extends RelationManager
+{
+    protected static string $relationship = 'tasks';
+
+    protected static ?string $inverseRelationship = 'taskCollections';
+
+    public function table(Table $table): Table
+    {
+        return $table
+            ->columns([
+                TextColumn::make('title')
+                    ->label(__('admin.tasks.table.title'))
+                    ->getStateUsing(fn (Task $record) => $this->formatTaskTitle($record->title))
+                    ->searchable(['title->de', 'title->en'])
+                    ->limit(60),
+                TextColumn::make('emotion.name')
+                    ->label(__('admin.tasks.fields.emotion'))
+                    ->getStateUsing(function (Task $record) {
+                        $value = optional($record->emotion)->name;
+                        if (is_array($value)) {
+                            $locale = app()->getLocale();
+
+                            return $value[$locale] ?? ($value['de'] ?? ($value['en'] ?? ''));
+                        }
+
+                        return (string) ($value ?? '');
+                    })
+                    ->sortable(),
+                TextColumn::make('difficulty')
+                    ->label(__('admin.tasks.fields.difficulty.label'))
+                    ->badge(),
+                IconColumn::make('is_active')
+                    ->label(__('admin.tasks.table.is_active'))
+                    ->boolean(),
+                TextColumn::make('sort_order')
+                    ->label(__('admin.tasks.table.sort_order'))
+                    ->sortable(),
+            ])
+            ->headerActions([
+                AttachAction::make()
+                    ->recordTitle(fn (Task $record) => $this->formatTaskTitle($record->title))
+                    ->recordSelectOptionsQuery(fn (Builder $query): Builder => $query->whereNull('tenant_id'))
+                    ->multiple()
+                    ->after(function (array $data): void {
+                        $collection = $this->getOwnerRecord();
+                        $recordIds = Arr::wrap($data['recordId'] ?? []);
+
+                        if ($recordIds === []) {
+                            return;
+                        }
+
+                        $collection->reassignTasks($recordIds);
+                    }),
+            ])
+            ->recordActions([
+                DetachAction::make()
+                    ->after(function (?Task $record): void {
+                        if (! $record) {
+                            return;
+                        }
+
+                        $collectionId = $this->getOwnerRecord()->getKey();
+
+                        if ($record->collection_id === $collectionId) {
+                            $record->update(['collection_id' => null]);
+                        }
+                    }),
+            ])
+            ->toolbarActions([
+                BulkActionGroup::make([
+                    DetachBulkAction::make()
+                        ->after(function (Collection $records): void {
+                            $collectionId = $this->getOwnerRecord()->getKey();
+
+                            $ids = $records
+                                ->filter(fn (Task $record) => $record->collection_id === $collectionId)
+                                ->pluck('id')
+                                ->all();
+
+                            if ($ids === []) {
+                                return;
+                            }
+
+                            Task::query()
+                                ->whereIn('id', $ids)
+                                ->update(['collection_id' => null]);
+                        }),
+                ]),
+            ]);
+    }
+
+    /**
+     * @param  array<string, string>|string|null  $value
+     */
+    protected function formatTaskTitle(array|string|null $value): string
+    {
+        if (is_array($value)) {
+            $locale = app()->getLocale();
+
+            return $value[$locale]
+                ?? ($value['de'] ?? ($value['en'] ?? Arr::first($value) ?? ''));
+        }
+
+        if (is_string($value)) {
+            return $value;
+        }
+
+        return '';
+    }
+}

app/Filament/Clusters/WeeklyOps/Resources/TaskCollections/TaskCollectionResource.php

@@ -0,0 +1,280 @@
+<?php
+
+namespace App\Filament\Clusters\WeeklyOps\Resources\TaskCollections;
+
+use App\Filament\Clusters\WeeklyOps\Resources\TaskCollections\Pages\CreateTaskCollection;
+use App\Filament\Clusters\WeeklyOps\Resources\TaskCollections\Pages\EditTaskCollection;
+use App\Filament\Clusters\WeeklyOps\Resources\TaskCollections\Pages\ListTaskCollections;
+use App\Filament\Clusters\WeeklyOps\Resources\TaskCollections\RelationManagers\TasksRelationManager;
+use App\Filament\Clusters\WeeklyOps\WeeklyOpsCluster;
+use App\Models\EventType;
+use App\Models\TaskCollection;
+use App\Services\Audit\SuperAdminAuditLogger;
+use BackedEnum;
+use Filament\Actions;
+use Filament\Forms\Components\MarkdownEditor;
+use Filament\Forms\Components\Select;
+use Filament\Forms\Components\TextInput;
+use Filament\Forms\Components\Toggle;
+use Filament\Resources\Resource;
+use Filament\Schemas\Components\Tabs as SchemaTabs;
+use Filament\Schemas\Components\Tabs\Tab as SchemaTab;
+use Filament\Schemas\Schema;
+use Filament\Tables\Columns\IconColumn;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Filters\SelectFilter;
+use Filament\Tables\Table;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Collection;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Str;
+use UnitEnum;
+
+class TaskCollectionResource extends Resource
+{
+    protected static ?string $model = TaskCollection::class;
+
+    protected static BackedEnum|string|null $navigationIcon = 'heroicon-o-rectangle-stack';
+
+    protected static ?string $cluster = WeeklyOpsCluster::class;
+
+    protected static ?string $recordTitleAttribute = 'name';
+
+    protected static ?int $navigationSort = 31;
+
+    public static function form(Schema $schema): Schema
+    {
+        return $schema
+            ->schema([
+                TextInput::make('slug')
+                    ->label(__('admin.common.slug'))
+                    ->maxLength(255)
+                    ->unique(ignoreRecord: true)
+                    ->required(),
+                Select::make('event_type_id')
+                    ->relationship('eventType', 'name')
+                    ->getOptionLabelFromRecordUsing(fn (EventType $record) => is_array($record->name) ? ($record->name['de'] ?? $record->name['en'] ?? __('admin.common.unnamed')) : $record->name)
+                    ->searchable()
+                    ->preload()
+                    ->label(__('admin.task_collections.fields.event_type_optional')),
+                SchemaTabs::make('content_tabs')
+                    ->label(__('admin.task_collections.fields.content_localization'))
+                    ->tabs([
+                        SchemaTab::make(__('admin.common.german'))
+                            ->icon('heroicon-o-language')
+                            ->schema([
+                                TextInput::make('name_translations.de')
+                                    ->label(__('admin.task_collections.fields.name_de'))
+                                    ->required(),
+                                MarkdownEditor::make('description_translations.de')
+                                    ->label(__('admin.task_collections.fields.description_de'))
+                                    ->columnSpanFull(),
+                            ]),
+                        SchemaTab::make(__('admin.common.english'))
+                            ->icon('heroicon-o-language')
+                            ->schema([
+                                TextInput::make('name_translations.en')
+                                    ->label(__('admin.task_collections.fields.name_en'))
+                                    ->required(),
+                                MarkdownEditor::make('description_translations.en')
+                                    ->label(__('admin.task_collections.fields.description_en'))
+                                    ->columnSpanFull(),
+                            ]),
+                    ])
+                    ->columnSpanFull(),
+                Toggle::make('is_default')
+                    ->label(__('admin.task_collections.fields.is_default'))
+                    ->default(false),
+                TextInput::make('position')
+                    ->label(__('admin.task_collections.fields.position'))
+                    ->numeric()
+                    ->default(0),
+            ])
+            ->columns(2);
+    }
+
+    public static function table(Table $table): Table
+    {
+        return $table
+            ->columns([
+                TextColumn::make('id')
+                    ->label('#')
+                    ->sortable(),
+                TextColumn::make('name')
+                    ->label(__('admin.task_collections.table.name'))
+                    ->getStateUsing(fn (TaskCollection $record) => static::formatTranslation($record->name_translations))
+                    ->searchable(['name_translations->de', 'name_translations->en'])
+                    ->limit(60),
+                TextColumn::make('eventType.name')
+                    ->label(__('admin.task_collections.table.event_type'))
+                    ->getStateUsing(function (TaskCollection $record) {
+                        $value = optional($record->eventType)->name;
+
+                        if (is_array($value)) {
+                            $locale = app()->getLocale();
+
+                            return $value[$locale] ?? ($value['de'] ?? ($value['en'] ?? ''));
+                        }
+
+                        return (string) ($value ?? '');
+                    })
+                    ->toggleable(),
+                TextColumn::make('slug')
+                    ->label(__('admin.task_collections.table.slug'))
+                    ->toggleable()
+                    ->searchable(),
+                IconColumn::make('is_default')
+                    ->label(__('admin.task_collections.table.is_default'))
+                    ->boolean(),
+                TextColumn::make('position')
+                    ->label(__('admin.task_collections.table.position'))
+                    ->sortable(),
+                TextColumn::make('tasks_count')
+                    ->label(__('admin.task_collections.table.tasks'))
+                    ->sortable(),
+                TextColumn::make('events_count')
+                    ->label(__('admin.task_collections.table.events'))
+                    ->sortable(),
+            ])
+            ->filters([
+                SelectFilter::make('event_type_id')
+                    ->label(__('admin.task_collections.table.event_type'))
+                    ->relationship(
+                        'eventType',
+                        'name',
+                        fn (Builder $query): Builder => $query->orderBy('name->de')
+                    )
+                    ->getOptionLabelFromRecordUsing(fn (EventType $record) => is_array($record->name) ? ($record->name['de'] ?? $record->name['en'] ?? __('admin.common.unnamed')) : $record->name),
+                SelectFilter::make('is_default')
+                    ->label(__('admin.task_collections.table.is_default'))
+                    ->options([
+                        '1' => __('admin.common.yes'),
+                        '0' => __('admin.common.no'),
+                    ]),
+            ])
+            ->recordActions([
+                Actions\EditAction::make()
+                    ->mutateDataUsing(fn (array $data, TaskCollection $record): array => static::normalizeData($data, $record))
+                    ->after(fn (array $data, TaskCollection $record) => app(SuperAdminAuditLogger::class)->recordModelMutation(
+                        'updated',
+                        $record,
+                        SuperAdminAuditLogger::fieldsMetadata($data),
+                        static::class
+                    )),
+                Actions\DeleteAction::make()
+                    ->after(fn (TaskCollection $record) => app(SuperAdminAuditLogger::class)->recordModelMutation(
+                        'deleted',
+                        $record,
+                        source: static::class
+                    )),
+            ])
+            ->bulkActions([
+                Actions\DeleteBulkAction::make()
+                    ->after(function (Collection $records): void {
+                        $logger = app(SuperAdminAuditLogger::class);
+
+                        foreach ($records as $record) {
+                            $logger->recordModelMutation(
+                                'deleted',
+                                $record,
+                                source: static::class
+                            );
+                        }
+                    }),
+            ]);
+    }
+
+    public static function getNavigationLabel(): string
+    {
+        return __('admin.task_collections.menu');
+    }
+
+    public static function getNavigationGroup(): UnitEnum|string|null
+    {
+        return __('admin.nav.curation');
+    }
+
+    public static function getEloquentQuery(): Builder
+    {
+        return parent::getEloquentQuery()
+            ->whereNull('tenant_id')
+            ->with('eventType')
+            ->withCount(['tasks', 'events']);
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     */
+    public static function normalizeData(array $data, ?TaskCollection $record = null): array
+    {
+        $data['tenant_id'] = null;
+        $data['slug'] = static::resolveSlug($data, $record);
+
+        return $data;
+    }
+
+    /**
+     * @param  array<string, mixed>  $data
+     */
+    protected static function resolveSlug(array $data, ?TaskCollection $record = null): string
+    {
+        $rawSlug = trim((string) ($data['slug'] ?? ''));
+        $translations = Arr::wrap($data['name_translations'] ?? []);
+        $fallbackName = (string) ($translations['en'] ?? $translations['de'] ?? '');
+
+        $base = $rawSlug !== '' ? $rawSlug : $fallbackName;
+        $slugBase = Str::slug($base) ?: 'collection';
+
+        $query = TaskCollection::query()->where('slug', $slugBase);
+
+        if ($record) {
+            $query->whereKeyNot($record->getKey());
+        }
+
+        if (! $query->exists()) {
+            return $slugBase;
+        }
+
+        do {
+            $candidate = $slugBase.'-'.Str::random(4);
+            $candidateQuery = TaskCollection::query()->where('slug', $candidate);
+
+            if ($record) {
+                $candidateQuery->whereKeyNot($record->getKey());
+            }
+        } while ($candidateQuery->exists());
+
+        return $candidate;
+    }
+
+    /**
+     * @param  array<string, string>|null  $translations
+     */
+    protected static function formatTranslation(?array $translations): string
+    {
+        if (! is_array($translations)) {
+            return '';
+        }
+
+        $locale = app()->getLocale();
+
+        return $translations[$locale]
+            ?? ($translations['de'] ?? ($translations['en'] ?? Arr::first($translations) ?? ''));
+    }
+
+    public static function getPages(): array
+    {
+        return [
+            'index' => ListTaskCollections::route('/'),
+            'create' => CreateTaskCollection::route('/create'),
+            'edit' => EditTaskCollection::route('/{record}/edit'),
+        ];
+    }
+
+    public static function getRelations(): array
+    {
+        return [
+            TasksRelationManager::class,
+        ];
+    }
+}

app/Filament/Resources/AiStyles/AiStyleResource.php

@@ -0,0 +1,163 @@
+<?php
+
+namespace App\Filament\Resources\AiStyles;
+
+use App\Filament\Clusters\RareAdmin\RareAdminCluster;
+use App\Filament\Resources\AiStyles\Pages\ManageAiStyles;
+use App\Models\AiStyle;
+use App\Services\Audit\SuperAdminAuditLogger;
+use BackedEnum;
+use Filament\Actions;
+use Filament\Forms\Components\KeyValue;
+use Filament\Forms\Components\Select;
+use Filament\Forms\Components\Textarea;
+use Filament\Forms\Components\TextInput;
+use Filament\Forms\Components\Toggle;
+use Filament\Resources\Resource;
+use Filament\Schemas\Components\Section;
+use Filament\Schemas\Schema;
+use Filament\Tables;
+use Filament\Tables\Table;
+use UnitEnum;
+
+class AiStyleResource extends Resource
+{
+    protected static ?string $model = AiStyle::class;
+
+    protected static ?string $cluster = RareAdminCluster::class;
+
+    protected static BackedEnum|string|null $navigationIcon = 'heroicon-o-paint-brush';
+
+    protected static UnitEnum|string|null $navigationGroup = null;
+
+    protected static ?int $navigationSort = 31;
+
+    public static function getNavigationGroup(): UnitEnum|string|null
+    {
+        return __('admin.nav.platform');
+    }
+
+    public static function getNavigationLabel(): string
+    {
+        return 'AI Styles';
+    }
+
+    public static function form(Schema $schema): Schema
+    {
+        return $schema->schema([
+            Section::make('Style Basics')
+                ->schema([
+                    TextInput::make('key')
+                        ->required()
+                        ->maxLength(120)
+                        ->unique(ignoreRecord: true),
+                    TextInput::make('name')
+                        ->required()
+                        ->maxLength(120),
+                    TextInput::make('version')
+                        ->numeric()
+                        ->default(1)
+                        ->disabled()
+                        ->dehydrated(false)
+                        ->helperText('Auto-increments when core style configuration changes.'),
+                    TextInput::make('category')
+                        ->maxLength(50),
+                    TextInput::make('sort')
+                        ->numeric()
+                        ->default(0)
+                        ->required(),
+                    Toggle::make('is_active')
+                        ->default(true),
+                    Toggle::make('is_premium')
+                        ->default(false),
+                    Toggle::make('requires_source_image')
+                        ->default(true),
+                ])
+                ->columns(3),
+            Section::make('Provider Binding')
+                ->schema([
+                    Select::make('provider')
+                        ->options([
+                            'runware' => 'runware.ai',
+                        ])
+                        ->required()
+                        ->default('runware'),
+                    TextInput::make('provider_model')
+                        ->maxLength(120),
+                ])
+                ->columns(2),
+            Section::make('Prompts')
+                ->schema([
+                    Textarea::make('description')
+                        ->rows(2),
+                    Textarea::make('prompt_template')
+                        ->rows(5),
+                    Textarea::make('negative_prompt_template')
+                        ->rows(4),
+                ]),
+            Section::make('Metadata')
+                ->schema([
+                    KeyValue::make('metadata')
+                        ->nullable(),
+                ]),
+        ]);
+    }
+
+    public static function table(Table $table): Table
+    {
+        return $table
+            ->defaultSort('sort')
+            ->columns([
+                Tables\Columns\TextColumn::make('key')
+                    ->searchable()
+                    ->copyable(),
+                Tables\Columns\TextColumn::make('name')
+                    ->searchable(),
+                Tables\Columns\TextColumn::make('version')
+                    ->sortable()
+                    ->toggleable(),
+                Tables\Columns\TextColumn::make('provider')
+                    ->badge(),
+                Tables\Columns\TextColumn::make('provider_model')
+                    ->toggleable(),
+                Tables\Columns\IconColumn::make('is_active')
+                    ->boolean(),
+                Tables\Columns\IconColumn::make('is_premium')
+                    ->boolean(),
+                Tables\Columns\TextColumn::make('sort')
+                    ->sortable(),
+                Tables\Columns\TextColumn::make('updated_at')
+                    ->since()
+                    ->toggleable(),
+            ])
+            ->filters([
+                Tables\Filters\TernaryFilter::make('is_active'),
+                Tables\Filters\TernaryFilter::make('is_premium'),
+            ])
+            ->actions([
+                Actions\EditAction::make()
+                    ->after(fn (array $data, AiStyle $record) => app(SuperAdminAuditLogger::class)->recordModelMutation(
+                        'updated',
+                        $record,
+                        SuperAdminAuditLogger::fieldsMetadata(array_keys($data)),
+                        static::class
+                    )),
+                Actions\DeleteAction::make()
+                    ->after(fn (AiStyle $record) => app(SuperAdminAuditLogger::class)->recordModelMutation(
+                        'deleted',
+                        $record,
+                        source: static::class
+                    )),
+            ])
+            ->bulkActions([
+                Actions\DeleteBulkAction::make(),
+            ]);
+    }
+
+    public static function getPages(): array
+    {
+        return [
+            'index' => ManageAiStyles::route('/'),
+        ];
+    }
+}

app/Filament/Resources/AiStyles/Pages/ManageAiStyles.php

@@ -0,0 +1,26 @@
+<?php
+
+namespace App\Filament\Resources\AiStyles\Pages;
+
+use App\Filament\Resources\AiStyles\AiStyleResource;
+use App\Services\Audit\SuperAdminAuditLogger;
+use Filament\Actions;
+use Filament\Resources\Pages\ManageRecords;
+
+class ManageAiStyles extends ManageRecords
+{
+    protected static string $resource = AiStyleResource::class;
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            Actions\CreateAction::make()
+                ->after(fn (array $data, $record) => app(SuperAdminAuditLogger::class)->recordModelMutation(
+                    'created',
+                    $record,
+                    SuperAdminAuditLogger::fieldsMetadata(array_keys($data)),
+                    static::class
+                )),
+        ];
+    }
+}

app/Filament/Resources/Coupons/Pages/CreateCoupon.php

@@ -4,7 +4,7 @@ namespace App\Filament\Resources\Coupons\Pages;
 
 use App\Filament\Resources\Coupons\CouponResource;
 use App\Filament\Resources\Pages\AuditedCreateRecord;
-use App\Jobs\SyncCouponToPaddle;
+use App\Jobs\SyncCouponToLemonSqueezy;
 
 class CreateCoupon extends AuditedCreateRecord
 {
@@ -14,6 +14,6 @@ class CreateCoupon extends AuditedCreateRecord
     {
         parent::afterCreate();
 
-        SyncCouponToPaddle::dispatch($this->record);
+        SyncCouponToLemonSqueezy::dispatch($this->record);
     }
 }

app/Filament/Resources/Coupons/Pages/EditCoupon.php

@@ -4,7 +4,7 @@ namespace App\Filament\Resources\Coupons\Pages;
 
 use App\Filament\Resources\Coupons\CouponResource;
 use App\Filament\Resources\Pages\AuditedEditRecord;
-use App\Jobs\SyncCouponToPaddle;
+use App\Jobs\SyncCouponToLemonSqueezy;
 use App\Services\Audit\SuperAdminAuditLogger;
 use Filament\Actions\DeleteAction;
 use Filament\Actions\ForceDeleteAction;
@@ -27,7 +27,7 @@ class EditCoupon extends AuditedEditRecord
                         source: static::class
                     );
 
-                    SyncCouponToPaddle::dispatch($record, true);
+                    SyncCouponToLemonSqueezy::dispatch($record, true);
                 }),
             ForceDeleteAction::make()
                 ->after(fn ($record) => app(SuperAdminAuditLogger::class)->recordModelMutation(
@@ -48,6 +48,6 @@ class EditCoupon extends AuditedEditRecord
     {
         parent::afterSave();
 
-        SyncCouponToPaddle::dispatch($this->record);
+        SyncCouponToLemonSqueezy::dispatch($this->record);
     }
 }

app/Filament/Resources/Coupons/RelationManagers/RedemptionsRelationManager.php

@@ -21,7 +21,7 @@ class RedemptionsRelationManager extends RelationManager
     public function table(Table $table): Table
     {
         return $table
-            ->recordTitleAttribute('paddle_transaction_id')
+            ->recordTitleAttribute('lemonsqueezy_order_id')
             ->columns([
                 TextColumn::make('tenant.name')
                     ->label(__('Tenant'))
@@ -65,7 +65,7 @@ class RedemptionsRelationManager extends RelationManager
                         'failed' => 'danger',
                         default => 'warning',
                     }),
-                TextColumn::make('paddle_transaction_id')
+                TextColumn::make('lemonsqueezy_order_id')
                     ->label(__('Transaction'))
                     ->copyable()
                     ->toggleable(isToggledHiddenByDefault: true),

app/Filament/Resources/Coupons/Schemas/CouponForm.php

@@ -123,22 +123,22 @@ class CouponForm
                             ->nullable()
                             ->columnSpanFull(),
                     ]),
-                Section::make(__('Paddle sync'))
+                Section::make(__('Lemon Squeezy sync'))
                     ->columns(2)
                     ->schema([
-                        Select::make('paddle_mode')
-                            ->label(__('Paddle mode'))
+                        Select::make('lemonsqueezy_mode')
+                            ->label(__('Lemon Squeezy mode'))
                             ->options([
                                 'standard' => __('Standard'),
                                 'custom' => __('Custom (one-off)'),
                             ])
                             ->default('standard'),
-                        Placeholder::make('paddle_discount_id')
-                            ->label(__('Paddle Discount ID'))
-                            ->content(fn ($record) => $record?->paddle_discount_id ?? '—'),
-                        Placeholder::make('paddle_last_synced_at')
+                        Placeholder::make('lemonsqueezy_discount_id')
+                            ->label(__('Lemon Squeezy Discount ID'))
+                            ->content(fn ($record) => $record?->lemonsqueezy_discount_id ?? '—'),
+                        Placeholder::make('lemonsqueezy_last_synced_at')
                             ->label(__('Last synced'))
-                            ->content(fn ($record) => $record?->paddle_last_synced_at?->diffForHumans() ?? '—'),
+                            ->content(fn ($record) => $record?->lemonsqueezy_last_synced_at?->diffForHumans() ?? '—'),
                         Placeholder::make('redemptions_count')
                             ->label(__('Total redemptions'))
                             ->content(fn ($record) => number_format($record?->redemptions_count ?? 0)),

app/Filament/Resources/Coupons/Schemas/CouponInfolist.php

@@ -63,17 +63,17 @@ class CouponInfolist
                         TextEntry::make('description')->label(__('Description'))->columnSpanFull(),
                         KeyValueEntry::make('metadata')->label(__('Metadata'))->columnSpanFull(),
                     ]),
-                Section::make(__('Paddle'))
+                Section::make(__('Lemon Squeezy'))
                     ->columns(3)
                     ->schema([
-                        TextEntry::make('paddle_discount_id')
+                        TextEntry::make('lemonsqueezy_discount_id')
                             ->label(__('Discount ID'))
                             ->copyable()
                             ->placeholder('—'),
-                        TextEntry::make('paddle_last_synced_at')
+                        TextEntry::make('lemonsqueezy_last_synced_at')
                             ->label(__('Last synced'))
-                            ->state(fn ($record) => $record?->paddle_last_synced_at?->diffForHumans() ?? '—'),
-                        TextEntry::make('paddle_mode')
+                            ->state(fn ($record) => $record?->lemonsqueezy_last_synced_at?->diffForHumans() ?? '—'),
+                        TextEntry::make('lemonsqueezy_mode')
                             ->label(__('Mode'))
                             ->badge()
                             ->placeholder('standard'),

app/Filament/Resources/Coupons/Tables/CouponsTable.php

@@ -4,7 +4,7 @@ namespace App\Filament\Resources\Coupons\Tables;
 
 use App\Enums\CouponStatus;
 use App\Enums\CouponType;
-use App\Jobs\SyncCouponToPaddle;
+use App\Jobs\SyncCouponToLemonSqueezy;
 use App\Services\Audit\SuperAdminAuditLogger;
 use Filament\Actions\Action;
 use Filament\Actions\BulkActionGroup;
@@ -105,9 +105,9 @@ class CouponsTable
                         static::class
                     )),
                 Action::make('sync')
-                    ->label(__('Sync to Paddle'))
+                    ->label(__('Sync to Lemon Squeezy'))
                     ->icon('heroicon-m-arrow-path')
-                    ->action(fn ($record) => SyncCouponToPaddle::dispatch($record))
+                    ->action(fn ($record) => SyncCouponToLemonSqueezy::dispatch($record))
                     ->requiresConfirmation(),
             ])
             ->toolbarActions([

app/Filament/Resources/EmotionResource/Pages/ImportEmotions.php

@@ -13,7 +13,9 @@ use Illuminate\Support\Facades\Storage;
 class ImportEmotions extends Page
 {
     protected static string $resource = EmotionResource::class;
+
     protected string $view = 'filament.resources.emotion-resource.pages.import-emotions';
+
     protected ?string $heading = null;
 
     public ?string $file = null;
@@ -36,6 +38,7 @@ class ImportEmotions extends Page
         $path = $this->form->getState()['file'] ?? null;
         if (! $path || ! Storage::disk('public')->exists($path)) {
             Notification::make()->danger()->title(__('admin.notifications.file_not_found'))->send();
+
             return;
         }
 

app/Filament/Resources/EventPurchaseResource/Pages/ListEventPurchases.php

@@ -16,4 +16,4 @@ class ListEventPurchases extends ListRecords
             Actions\CreateAction::make(),
         ];
     }
-}
+}

app/Filament/Resources/EventResource.php

@@ -6,24 +6,29 @@ use App\Filament\Clusters\DailyOps\DailyOpsCluster;
 use App\Filament\Resources\EventResource\Pages;
 use App\Filament\Resources\EventResource\RelationManagers\EventPackagesRelationManager;
 use App\Models\Event;
+use App\Models\EventJoinToken;
 use App\Models\EventJoinTokenEvent;
 use App\Models\EventType;
 use App\Models\Tenant;
 use App\Services\Audit\SuperAdminAuditLogger;
+use App\Services\EventJoinTokenService;
 use App\Support\JoinTokenLayoutRegistry;
 use BackedEnum;
 use Carbon\Carbon;
 use Filament\Actions;
 use Filament\Forms\Components\DatePicker;
+use Filament\Forms\Components\DateTimePicker;
 use Filament\Forms\Components\KeyValue;
 use Filament\Forms\Components\Select;
 use Filament\Forms\Components\TextInput;
 use Filament\Forms\Components\Toggle;
+use Filament\Notifications\Notification;
 use Filament\Resources\Resource;
 use Filament\Schemas\Schema;
 use Filament\Tables;
 use Filament\Tables\Table;
 use Illuminate\Database\Eloquent\Collection;
+use Illuminate\Support\Arr;
 use UnitEnum;
 
 class EventResource extends Resource
@@ -60,19 +65,32 @@ class EventResource extends Resource
                 ->required()
                 ->unique(ignoreRecord: true)
                 ->maxLength(255),
+            TextInput::make('join_link_display')
+                ->label(__('admin.events.fields.join_link'))
+                ->afterStateHydrated(function (TextInput $component, ?Event $record) {
+                    if (! $record) {
+                        return;
+                    }
+                    $token = $record->joinTokens()->latest()->first();
+                    $component->state($token ? url('/e/'.$token->token) : '-');
+                })
+                ->readOnly()
+                ->dehydrated(false)
+                ->visibleOn('edit'),
             DatePicker::make('date')
                 ->label(__('admin.events.fields.date'))
                 ->required(),
             Select::make('event_type_id')
                 ->label(__('admin.events.fields.type'))
-                ->options(EventType::query()->pluck('name', 'id'))
+                ->options(fn () => EventType::all()->pluck('name.de', 'id'))
                 ->searchable(),
             Select::make('package_id')
                 ->label(__('admin.events.fields.package'))
                 ->options(\App\Models\Package::query()->where('type', 'endcustomer')->pluck('name', 'id'))
                 ->searchable()
                 ->preload()
-                ->required(),
+                ->required()
+                ->visibleOn('create'),
             TextInput::make('default_locale')
                 ->label(__('admin.events.fields.default_locale'))
                 ->default('de')
@@ -80,6 +98,10 @@ class EventResource extends Resource
             Toggle::make('is_active')
                 ->label(__('admin.events.fields.is_active'))
                 ->default(true),
+            Toggle::make('settings.marketing_demo')
+                ->label(__('admin.events.fields.marketing_demo'))
+                ->helperText(__('admin.events.fields.marketing_demo_help'))
+                ->default(false),
             KeyValue::make('settings')
                 ->label(__('admin.events.fields.settings'))
                 ->keyLabel(__('admin.common.key'))
@@ -96,13 +118,13 @@ class EventResource extends Resource
             ->columns([
                 Tables\Columns\TextColumn::make('id')->sortable(),
                 Tables\Columns\TextColumn::make('tenant.name')->label(__('admin.events.table.tenant'))->searchable(),
-                Tables\Columns\TextColumn::make('name.de')
+                Tables\Columns\TextColumn::make('name')
                     ->label(__('admin.events.fields.name'))
+                    ->formatStateUsing(fn (mixed $state): string => static::formatEventName($state))
                     ->limit(30),
                 Tables\Columns\TextColumn::make('slug')->searchable(),
                 Tables\Columns\TextColumn::make('date')->date(),
                 Tables\Columns\IconColumn::make('is_active')->boolean(),
-                Tables\Columns\TextColumn::make('default_locale'),
                 Tables\Columns\TextColumn::make('eventPackage.package.name')
                     ->label(__('admin.events.table.package'))
                     ->badge()
@@ -115,22 +137,6 @@ class EventResource extends Resource
                     ->badge()
                     ->color(fn ($state) => $state < 1 ? 'danger' : 'success')
                     ->getStateUsing(fn ($record) => $record->eventPackage?->remaining_photos ?? 0),
-                Tables\Columns\TextColumn::make('primary_join_token')
-                    ->label(__('admin.events.table.join'))
-                    ->getStateUsing(function ($record) {
-                        $token = $record->joinTokens()->latest()->first();
-
-                        return $token ? url('/e/'.$token->token) : __('admin.events.table.no_join_tokens');
-                    })
-                    ->description(function ($record) {
-                        $total = $record->joinTokens()->count();
-
-                        return $total > 0
-                            ? __('admin.events.table.join_tokens_total', ['count' => $total])
-                            : __('admin.events.table.join_tokens_missing');
-                    })
-                    ->copyable()
-                    ->copyMessage(__('admin.events.messages.join_link_copied')),
                 Tables\Columns\TextColumn::make('created_at')->since(),
             ])
             ->filters([])
@@ -167,7 +173,161 @@ class EventResource extends Resource
                     ->modalHeading(__('admin.events.modal.join_link_heading'))
                     ->modalSubmitActionLabel(__('admin.common.close'))
                     ->modalWidth('xl')
-                    ->modalContent(function ($record) {
+                    ->registerModalActions([
+                        Actions\Action::make('extend_join_token_expiry')
+                            ->label(__('admin.events.join_link.extend_expiry'))
+                            ->icon('heroicon-o-clock')
+                            ->color('warning')
+                            ->size('xs')
+                            ->modalHeading(function (Actions\Action $action, Event $record): string {
+                                $token = static::resolveJoinTokenFromAction($record, $action);
+
+                                return $token
+                                    ? __('admin.events.join_link.extend_expiry_heading', [
+                                        'label' => $token->label ?: __('admin.events.join_link.token_default', ['id' => $token->id]),
+                                    ])
+                                    : __('admin.events.join_link.extend_expiry_heading_fallback');
+                            })
+                            ->schema(function (Event $record): array {
+                                $minimumExpiry = app(EventJoinTokenService::class)->minimumExpiryForEvent($record);
+                                $rules = [
+                                    'date',
+                                    'after:now',
+                                ];
+
+                                if ($minimumExpiry) {
+                                    $rules[] = 'after_or_equal:'.$minimumExpiry->toDateTimeString();
+                                }
+
+                                return [
+                                    DateTimePicker::make('expires_at')
+                                        ->label(__('admin.events.join_link.extend_expiry_label'))
+                                        ->required()
+                                        ->seconds(false)
+                                        ->rules($rules)
+                                        ->helperText($minimumExpiry
+                                            ? __('admin.events.join_link.extend_expiry_min', [
+                                                'date' => $minimumExpiry->isoFormat('LLL'),
+                                            ])
+                                            : null),
+                                ];
+                            })
+                            ->fillForm(function (Actions\Action $action, Event $record): array {
+                                $token = static::resolveJoinTokenFromAction($record, $action);
+
+                                if (! $token) {
+                                    return [];
+                                }
+
+                                return [
+                                    'expires_at' => $token->expires_at,
+                                ];
+                            })
+                            ->action(function (array $data, Actions\Action $action, Event $record): void {
+                                $token = static::resolveJoinTokenFromAction($record, $action);
+
+                                if (! $token) {
+                                    Notification::make()
+                                        ->title(__('admin.events.join_link.extend_expiry_missing'))
+                                        ->danger()
+                                        ->send();
+
+                                    return;
+                                }
+
+                                $expiresAt = $data['expires_at'] ?? null;
+
+                                if (! $expiresAt) {
+                                    Notification::make()
+                                        ->title(__('admin.events.join_link.extend_expiry_missing_date'))
+                                        ->danger()
+                                        ->send();
+
+                                    return;
+                                }
+
+                                $resolvedExpiry = $expiresAt instanceof Carbon
+                                    ? $expiresAt
+                                    : Carbon::parse($expiresAt);
+
+                                $token->forceFill([
+                                    'expires_at' => $resolvedExpiry,
+                                ])->save();
+
+                                app(SuperAdminAuditLogger::class)->recordModelMutation(
+                                    'updated',
+                                    $token,
+                                    source: static::class
+                                );
+
+                                Notification::make()
+                                    ->title(__('admin.events.join_link.extend_expiry_success'))
+                                    ->success()
+                                    ->send();
+                            }),
+                        Actions\Action::make('set_demo_read_only')
+                            ->label(__('admin.events.join_link.demo_read_only_action'))
+                            ->icon('heroicon-o-lock-closed')
+                            ->color('gray')
+                            ->size('xs')
+                            ->modalHeading(function (Actions\Action $action, Event $record): string {
+                                $token = static::resolveJoinTokenFromAction($record, $action);
+
+                                return $token
+                                    ? __('admin.events.join_link.demo_read_only_heading', [
+                                        'label' => $token->label ?: __('admin.events.join_link.token_default', ['id' => $token->id]),
+                                    ])
+                                    : __('admin.events.join_link.demo_read_only_heading_fallback');
+                            })
+                            ->schema([
+                                Toggle::make('demo_read_only')
+                                    ->label(__('admin.events.join_link.demo_read_only_label'))
+                                    ->helperText(__('admin.events.join_link.demo_read_only_help')),
+                            ])
+                            ->fillForm(function (Actions\Action $action, Event $record): array {
+                                $token = static::resolveJoinTokenFromAction($record, $action);
+
+                                return [
+                                    'demo_read_only' => (bool) Arr::get($token?->metadata ?? [], 'demo_read_only', false),
+                                ];
+                            })
+                            ->action(function (array $data, Actions\Action $action, Event $record): void {
+                                $token = static::resolveJoinTokenFromAction($record, $action);
+
+                                if (! $token) {
+                                    Notification::make()
+                                        ->title(__('admin.events.join_link.demo_read_only_missing'))
+                                        ->danger()
+                                        ->send();
+
+                                    return;
+                                }
+
+                                $metadata = is_array($token->metadata) ? $token->metadata : [];
+                                $enabled = (bool) ($data['demo_read_only'] ?? false);
+
+                                if ($enabled) {
+                                    $metadata['demo_read_only'] = true;
+                                } else {
+                                    unset($metadata['demo_read_only']);
+                                }
+
+                                $token->metadata = empty($metadata) ? null : $metadata;
+                                $token->save();
+
+                                app(SuperAdminAuditLogger::class)->recordModelMutation(
+                                    'updated',
+                                    $token,
+                                    source: static::class
+                                );
+
+                                Notification::make()
+                                    ->title(__('admin.events.join_link.demo_read_only_success'))
+                                    ->success()
+                                    ->send();
+                            }),
+                    ])
+                    ->modalContent(function (Actions\Action $action, $record) {
                         $tokens = $record->joinTokens()
                             ->orderByDesc('created_at')
                             ->get();
@@ -237,6 +397,7 @@ class EventResource extends Resource
                                 'expires_at' => optional($token->expires_at)->toIso8601String(),
                                 'revoked_at' => optional($token->revoked_at)->toIso8601String(),
                                 'is_active' => $token->isActive(),
+                                'demo_read_only' => (bool) Arr::get($token->metadata ?? [], 'demo_read_only', false),
                                 'created_at' => optional($token->created_at)->toIso8601String(),
                                 'layouts' => $layouts,
                                 'layouts_url' => route('api.v1.tenant.events.join-tokens.layouts.index', [
@@ -256,6 +417,7 @@ class EventResource extends Resource
                         return view('filament.events.join-link', [
                             'event' => $record,
                             'tokens' => $tokens,
+                            'action' => $action,
                         ]);
                     }),
             ])
@@ -282,6 +444,43 @@ class EventResource extends Resource
         ];
     }
 
+    /**
+     * @param  array<string, mixed>|string|null  $name
+     */
+    private static function formatEventName(mixed $name): string
+    {
+        if (is_array($name)) {
+            $candidates = [
+                $name['de'] ?? null,
+                $name['en'] ?? null,
+                reset($name) ?: null,
+            ];
+
+            foreach ($candidates as $candidate) {
+                if (is_string($candidate) && $candidate !== '') {
+                    return $candidate;
+                }
+            }
+
+            return '';
+        }
+
+        return is_string($name) ? $name : '';
+    }
+
+    private static function resolveJoinTokenFromAction(Event $record, Actions\Action $action): ?EventJoinToken
+    {
+        $tokenId = $action->getArguments()['token_id'] ?? null;
+
+        if (! $tokenId) {
+            return null;
+        }
+
+        return $record->joinTokens()
+            ->whereKey($tokenId)
+            ->first();
+    }
+
     public static function getPages(): array
     {
         return [

app/Filament/Resources/EventResource/Pages/CreateEvent.php

@@ -8,4 +8,25 @@ use App\Filament\Resources\Pages\AuditedCreateRecord;
 class CreateEvent extends AuditedCreateRecord
 {
     protected static string $resource = EventResource::class;
+
+    public ?int $packageId = null;
+
+    protected function mutateFormDataBeforeCreate(array $data): array
+    {
+        $this->packageId = $data['package_id'] ?? null;
+        unset($data['package_id']);
+
+        return $data;
+    }
+
+    protected function afterCreate(): void
+    {
+        if ($this->packageId) {
+            $this->record->eventPackages()->create([
+                'package_id' => $this->packageId,
+            ]);
+        }
+
+        parent::afterCreate();
+    }
 }

app/Filament/Resources/EventResource/RelationManagers/EventPackagesRelationManager.php

@@ -19,7 +19,6 @@ use Filament\Tables\Table;
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Collection;
 use Illuminate\Database\Eloquent\Model;
-use Illuminate\Database\Eloquent\Relations\Relation;
 
 class EventPackagesRelationManager extends RelationManager
 {
@@ -59,6 +58,7 @@ class EventPackagesRelationManager extends RelationManager
     public function table(Table $table): Table
     {
         return $table
+            ->modifyQueryUsing(fn (Builder $query) => $query->with('package'))
             ->recordTitleAttribute('package.name')
             ->columns([
                 TextColumn::make('package.name')
@@ -147,9 +147,4 @@ class EventPackagesRelationManager extends RelationManager
     {
         return __('admin.events.relation_managers.event_packages.title');
     }
-
-    public function getTableQuery(): Builder|Relation
-    {
-        return parent::getTableQuery()->with('package');
-    }
 }

app/Filament/Resources/EventTypeResource.php

@@ -113,18 +113,64 @@ class EventTypeResource extends Resource
                         SuperAdminAuditLogger::fieldsMetadata($data),
                         static::class
                     )),
+                Actions\DeleteAction::make()
+                    ->action(function (EventType $record, Actions\DeleteAction $action) {
+                        try {
+                            $record->delete();
+                        } catch (\Exception $e) {
+                            $isConstraint = ($e instanceof \Illuminate\Database\QueryException && ($e->getCode() == 23000 || ($e->errorInfo[0] ?? '') == 23000));
+
+                            if ($isConstraint) {
+                                \Filament\Notifications\Notification::make()
+                                    ->title(__('admin.common.error'))
+                                    ->body(__('admin.event_types.messages.delete_constraint_error'))
+                                    ->danger()
+                                    ->send();
+
+                                $action->halt();
+                            }
+
+                            throw $e;
+                        }
+                    })
+                    ->after(fn (EventType $record) => app(SuperAdminAuditLogger::class)->recordModelMutation(
+                        'deleted',
+                        $record,
+                        source: static::class
+                    )),
             ])
             ->bulkActions([
                 Actions\DeleteBulkAction::make()
-                    ->after(function (Collection $records): void {
+                    ->action(function (Collection $records, Actions\DeleteBulkAction $action) {
                         $logger = app(SuperAdminAuditLogger::class);
+                        $deletedCount = 0;
+                        $failedCount = 0;
 
                         foreach ($records as $record) {
-                            $logger->recordModelMutation(
-                                'deleted',
-                                $record,
-                                source: static::class
-                            );
+                            try {
+                                $record->delete();
+                                $logger->recordModelMutation('deleted', $record, source: static::class);
+                                $deletedCount++;
+                            } catch (\Exception $e) {
+                                $isConstraint = ($e instanceof \Illuminate\Database\QueryException && ($e->getCode() == 23000 || ($e->errorInfo[0] ?? '') == 23000));
+                                if ($isConstraint) {
+                                    $failedCount++;
+                                } else {
+                                    throw $e;
+                                }
+                            }
+                        }
+
+                        if ($failedCount > 0) {
+                            \Filament\Notifications\Notification::make()
+                                ->title(__('admin.common.error'))
+                                ->body(__('admin.event_types.messages.delete_constraint_error')." ($failedCount failed, $deletedCount deleted)")
+                                ->danger()
+                                ->send();
+
+                            if ($deletedCount === 0) {
+                                $action->halt();
+                            }
                         }
                     }),
             ]);

app/Filament/Resources/GiftVoucherResource.php

@@ -63,8 +63,8 @@ class GiftVoucherResource extends Resource
                     ->label('Empfänger')
                     ->toggleable()
                     ->searchable(),
-                TextColumn::make('paddle_transaction_id')
-                    ->label('Paddle Tx')
+                TextColumn::make('lemonsqueezy_order_id')
+                    ->label('Lemon Squeezy Order')
                     ->toggleable()
                     ->copyable()
                     ->wrap(),

app/Filament/Resources/GiftVoucherResource/Pages/ListGiftVouchers.php

@@ -46,24 +46,27 @@ class ListGiftVouchers extends ListRecords
                 ])
                 ->action(function (array $data, GiftVoucherService $service): void {
                     $payload = [
-                        'id' => null,
-                        'metadata' => [
-                            'type' => 'gift_voucher',
-                            'purchaser_email' => $data['purchaser_email'],
-                            'recipient_email' => $data['recipient_email'] ?? null,
-                            'recipient_name' => $data['recipient_name'] ?? null,
-                            'message' => $data['message'] ?? null,
-                            'gift_code' => $data['code'] ?? null,
+                        'meta' => [
+                            'custom_data' => [
+                                'type' => 'gift_voucher',
+                                'purchaser_email' => $data['purchaser_email'],
+                                'recipient_email' => $data['recipient_email'] ?? null,
+                                'recipient_name' => $data['recipient_name'] ?? null,
+                                'message' => $data['message'] ?? null,
+                                'gift_code' => $data['code'] ?? null,
+                            ],
                         ],
-                        'currency_code' => $data['currency'] ?? 'EUR',
-                        'totals' => [
-                            'grand_total' => [
-                                'amount' => (float) $data['amount'],
+                        'data' => [
+                            'id' => 'manual_'.Str::uuid(),
+                            'attributes' => [
+                                'currency' => $data['currency'] ?? 'EUR',
+                                'total' => (float) $data['amount'] * 100,
+                                'user_email' => $data['purchaser_email'],
                             ],
                         ],
                     ];
 
-                    $voucher = $service->issueFromPaddle($payload);
+                    $voucher = $service->issueFromLemonSqueezy($payload);
 
                     app(SuperAdminAuditLogger::class)->recordModelMutation(
                         'issued',

app/Filament/Resources/MediaStorageTargetResource/Pages/ListMediaStorageTargets.php

@@ -17,4 +17,3 @@ class ListMediaStorageTargets extends ListRecords
         ];
     }
 }
-

app/Filament/Resources/PackageAddonResource.php

@@ -4,7 +4,7 @@ namespace App\Filament\Resources;
 
 use App\Filament\Clusters\WeeklyOps\WeeklyOpsCluster;
 use App\Filament\Resources\PackageAddonResource\Pages;
-use App\Jobs\SyncPackageAddonToPaddle;
+use App\Jobs\SyncPackageAddonToLemonSqueezy;
 use App\Models\PackageAddon;
 use App\Services\Audit\SuperAdminAuditLogger;
 use Filament\Actions;
@@ -50,9 +50,9 @@ class PackageAddonResource extends Resource
                         ->required()
                         ->unique(ignoreRecord: true)
                         ->maxLength(191),
-                    TextInput::make('price_id')
-                        ->label('Paddle Preis-ID')
-                        ->helperText('Paddle Billing Preis-ID für dieses Add-on')
+                    TextInput::make('variant_id')
+                        ->label('Lemon Squeezy Variant-ID')
+                        ->helperText('Variant-ID aus Lemon Squeezy für dieses Add-on')
                         ->maxLength(191),
                     TextInput::make('sort')
                         ->label('Sortierung')
@@ -96,8 +96,8 @@ class PackageAddonResource extends Resource
                     ->label('Schlüssel')
                     ->copyable()
                     ->sortable(),
-                TextColumn::make('price_id')
-                    ->label('Paddle Preis-ID')
+                TextColumn::make('variant_id')
+                    ->label('Lemon Squeezy Variant-ID')
                     ->toggleable()
                     ->copyable(),
                 TextColumn::make('extra_photos')->label('Fotos +'),
@@ -120,16 +120,16 @@ class PackageAddonResource extends Resource
                     ->label('Aktiv'),
             ])
             ->actions([
-                Actions\Action::make('syncPaddle')
-                    ->label('Mit Paddle synchronisieren')
+                Actions\Action::make('syncLemonSqueezy')
+                    ->label('Mit Lemon Squeezy synchronisieren')
                     ->icon('heroicon-o-cloud-arrow-up')
                     ->action(function (PackageAddon $record) {
-                        SyncPackageAddonToPaddle::dispatch($record->id);
+                        SyncPackageAddonToLemonSqueezy::dispatch($record->id);
 
                         Notification::make()
                             ->success()
-                            ->title('Paddle-Sync gestartet')
-                            ->body('Das Add-on wird im Hintergrund mit Paddle abgeglichen.')
+                            ->title('Lemon Squeezy-Sync gestartet')
+                            ->body('Das Add-on wird im Hintergrund mit Lemon Squeezy abgeglichen.')
                             ->send();
                     }),
                 Actions\EditAction::make()

app/Filament/Resources/PackageResource.php

@@ -4,8 +4,8 @@ namespace App\Filament\Resources;
 
 use App\Filament\Clusters\WeeklyOps\WeeklyOpsCluster;
 use App\Filament\Resources\PackageResource\Pages;
-use App\Jobs\PullPackageFromPaddle;
-use App\Jobs\SyncPackageToPaddle;
+use App\Jobs\PullPackageFromLemonSqueezy;
+use App\Jobs\SyncPackageToLemonSqueezy;
 use App\Models\Package;
 use App\Services\Audit\SuperAdminAuditLogger;
 use BackedEnum;
@@ -143,7 +143,7 @@ class PackageResource extends Resource
                         ->nullable()
                         ->visible(fn ($get) => $get('type') === 'reseller'),
                     Toggle::make('watermark_allowed')
-                        ->label('Wasserzeichen erlaubt')
+                        ->label('Eigenes Wasserzeichen erlaubt')
                         ->default(true),
                     Toggle::make('branding_allowed')
                         ->label('Eigenes Branding erlaubt')
@@ -172,31 +172,31 @@ class PackageResource extends Resource
                         ->columnSpanFull()
                         ->default([]),
                 ]),
-            Section::make('Paddle Billing')
+            Section::make('Lemon Squeezy Billing')
                 ->columns(2)
                 ->schema([
-                    TextInput::make('paddle_product_id')
-                        ->label('Paddle Produkt-ID')
+                    TextInput::make('lemonsqueezy_product_id')
+                        ->label('Lemon Squeezy Produkt-ID')
                         ->maxLength(191)
-                        ->helperText('Produkt aus Paddle Billing. Leer lassen, wenn noch nicht synchronisiert.')
+                        ->helperText('Produkt aus Lemon Squeezy. Leer lassen, wenn noch nicht synchronisiert.')
                         ->placeholder('nicht verknüpft'),
-                    TextInput::make('paddle_price_id')
-                        ->label('Paddle Preis-ID')
+                    TextInput::make('lemonsqueezy_variant_id')
+                        ->label('Lemon Squeezy Variant-ID')
                         ->maxLength(191)
-                        ->helperText('Preis-ID aus Paddle Billing, verknüpft mit diesem Paket.')
+                        ->helperText('Variant-ID aus Lemon Squeezy, verknüpft mit diesem Paket.')
                         ->placeholder('nicht verknüpft'),
-                    Placeholder::make('paddle_sync_status')
+                    Placeholder::make('lemonsqueezy_sync_status')
                         ->label('Sync-Status')
-                        ->content(fn (?Package $record) => $record?->paddle_sync_status ? Str::headline($record->paddle_sync_status) : '–')
+                        ->content(fn (?Package $record) => $record?->lemonsqueezy_sync_status ? Str::headline($record->lemonsqueezy_sync_status) : '–')
                         ->columnSpanFull(),
-                    Placeholder::make('paddle_synced_at')
+                    Placeholder::make('lemonsqueezy_synced_at')
                         ->label('Zuletzt synchronisiert')
-                        ->content(fn (?Package $record) => $record?->paddle_synced_at ? $record->paddle_synced_at->diffForHumans() : '–')
+                        ->content(fn (?Package $record) => $record?->lemonsqueezy_synced_at ? $record->lemonsqueezy_synced_at->diffForHumans() : '–')
                         ->columnSpanFull(),
-                    Placeholder::make('paddle_sync_error')
+                    Placeholder::make('lemonsqueezy_sync_error')
                         ->label('Letzter Fehler')
-                        ->content(fn (?Package $record) => $record?->paddle_sync_error_message ?? '–')
-                        ->visible(fn (?Package $record) => filled($record?->paddle_sync_error_message))
+                        ->content(fn (?Package $record) => $record?->lemonsqueezy_sync_error_message ?? '–')
+                        ->visible(fn (?Package $record) => filled($record?->lemonsqueezy_sync_error_message))
                         ->columnSpanFull(),
                 ]),
         ]);
@@ -263,15 +263,15 @@ class PackageResource extends Resource
                     ->label('Features')
                     ->wrap()
                     ->formatStateUsing(fn ($state) => static::formatFeaturesForDisplay($state)),
-                TextColumn::make('paddle_product_id')
-                    ->label('Paddle Produkt')
+                TextColumn::make('lemonsqueezy_product_id')
+                    ->label('Lemon Squeezy Produkt')
                     ->toggleable(isToggledHiddenByDefault: true)
                     ->formatStateUsing(fn ($state) => $state ?: '-'),
-                TextColumn::make('paddle_price_id')
-                    ->label('Paddle Preis')
+                TextColumn::make('lemonsqueezy_variant_id')
+                    ->label('Lemon Squeezy Variant')
                     ->toggleable(isToggledHiddenByDefault: true)
                     ->formatStateUsing(fn ($state) => $state ?: '-'),
-                BadgeColumn::make('paddle_sync_status')
+                BadgeColumn::make('lemonsqueezy_sync_status')
                     ->label('Sync-Status')
                     ->colors([
                         'success' => 'synced',
@@ -281,13 +281,13 @@ class PackageResource extends Resource
                     ])
                     ->formatStateUsing(fn ($state) => $state ? Str::headline($state) : null)
                     ->toggleable(isToggledHiddenByDefault: true),
-                TextColumn::make('paddle_synced_at')
+                TextColumn::make('lemonsqueezy_synced_at')
                     ->label('Sync am')
                     ->dateTime()
                     ->toggleable(isToggledHiddenByDefault: true),
-                TextColumn::make('paddle_sync_error_message')
+                TextColumn::make('lemonsqueezy_sync_error_message')
                     ->label('Sync-Fehler')
-                    ->getStateUsing(fn (Package $record) => $record->paddle_sync_error_message)
+                    ->getStateUsing(fn (Package $record) => $record->lemonsqueezy_sync_error_message)
                     ->wrap()
                     ->toggleable(isToggledHiddenByDefault: true),
             ])
@@ -301,43 +301,43 @@ class PackageResource extends Resource
                 TrashedFilter::make(),
             ])
             ->actions([
-                Actions\Action::make('syncPaddle')
-                    ->label('Mit Paddle abgleichen')
+                Actions\Action::make('syncLemonSqueezy')
+                    ->label('Mit Lemon Squeezy abgleichen')
                     ->icon('heroicon-o-cloud-arrow-up')
                     ->color('success')
                     ->requiresConfirmation()
-                    ->disabled(fn (Package $record) => $record->paddle_sync_status === 'syncing')
+                    ->disabled(fn (Package $record) => $record->lemonsqueezy_sync_status === 'syncing')
                     ->action(function (Package $record) {
-                        SyncPackageToPaddle::dispatch($record->id);
+                        SyncPackageToLemonSqueezy::dispatch($record->id);
 
                         Notification::make()
                             ->success()
-                            ->title('Paddle-Sync gestartet')
-                            ->body('Das Paket wird im Hintergrund mit Paddle abgeglichen.')
+                            ->title('Lemon Squeezy-Sync gestartet')
+                            ->body('Das Paket wird im Hintergrund mit Lemon Squeezy abgeglichen.')
                             ->send();
                     }),
-                Actions\Action::make('linkPaddle')
-                    ->label('Paddle verknüpfen')
+                Actions\Action::make('linkLemonSqueezy')
+                    ->label('Lemon Squeezy verknüpfen')
                     ->icon('heroicon-o-link')
                     ->color('info')
                     ->form([
-                        TextInput::make('paddle_product_id')
-                            ->label('Paddle Produkt-ID')
+                        TextInput::make('lemonsqueezy_product_id')
+                            ->label('Lemon Squeezy Produkt-ID')
                             ->required()
                             ->maxLength(191),
-                        TextInput::make('paddle_price_id')
-                            ->label('Paddle Preis-ID')
+                        TextInput::make('lemonsqueezy_variant_id')
+                            ->label('Lemon Squeezy Variant-ID')
                             ->required()
                             ->maxLength(191),
                     ])
                     ->fillForm(fn (Package $record) => [
-                        'paddle_product_id' => $record->paddle_product_id,
-                        'paddle_price_id' => $record->paddle_price_id,
+                        'lemonsqueezy_product_id' => $record->lemonsqueezy_product_id,
+                        'lemonsqueezy_variant_id' => $record->lemonsqueezy_variant_id,
                     ])
                     ->action(function (Package $record, array $data): void {
-                        $record->linkPaddleIds($data['paddle_product_id'], $data['paddle_price_id']);
+                        $record->linkLemonSqueezyIds($data['lemonsqueezy_product_id'], $data['lemonsqueezy_variant_id']);
 
-                        PullPackageFromPaddle::dispatch($record->id);
+                        PullPackageFromLemonSqueezy::dispatch($record->id);
 
                         app(SuperAdminAuditLogger::class)->recordModelMutation(
                             'linked',
@@ -348,22 +348,22 @@ class PackageResource extends Resource
 
                         Notification::make()
                             ->success()
-                            ->title('Paddle-Verknüpfung gespeichert')
+                            ->title('Lemon Squeezy-Verknüpfung gespeichert')
                             ->body('Die IDs wurden gespeichert und ein Pull wurde angestoßen.')
                             ->send();
                     }),
-                Actions\Action::make('pullPaddle')
-                    ->label('Status von Paddle holen')
+                Actions\Action::make('pullLemonSqueezy')
+                    ->label('Status von Lemon Squeezy holen')
                     ->icon('heroicon-o-cloud-arrow-down')
-                    ->disabled(fn (Package $record) => ! $record->paddle_product_id && ! $record->paddle_price_id)
+                    ->disabled(fn (Package $record) => ! $record->lemonsqueezy_product_id && ! $record->lemonsqueezy_variant_id)
                     ->requiresConfirmation()
                     ->action(function (Package $record) {
-                        PullPackageFromPaddle::dispatch($record->id);
+                        PullPackageFromLemonSqueezy::dispatch($record->id);
 
                         Notification::make()
                             ->info()
-                            ->title('Paddle-Abgleich angefordert')
-                            ->body('Der aktuelle Stand aus Paddle wird geladen und hier hinterlegt.')
+                            ->title('Lemon Squeezy-Abgleich angefordert')
+                            ->body('Der aktuelle Stand aus Lemon Squeezy wird geladen und hier hinterlegt.')
                             ->send();
                     }),
                 ViewAction::make(),
@@ -465,6 +465,7 @@ class PackageResource extends Resource
             'unlimited_sharing' => 'Unbegrenztes Teilen',
             'no_watermark' => 'Kein Wasserzeichen',
             'custom_branding' => 'Eigenes Branding',
+            'ai_styling' => 'AI-Styling',
             'custom_tasks' => 'Eigene Aufgaben',
             'reseller_dashboard' => 'Reseller-Dashboard',
             'advanced_analytics' => 'Erweiterte Analytics',

app/Filament/Resources/PackageResource/Pages/ListPackages.php

@@ -16,4 +16,4 @@ class ListPackages extends ListRecords
             Actions\CreateAction::make(),
         ];
     }
-}
+}

app/Filament/Resources/PurchaseHistoryResource/Pages/ListPurchaseHistories.php

@@ -14,4 +14,3 @@ class ListPurchaseHistories extends ListRecords
         return [];
     }
 }
-

app/Filament/Resources/PurchaseHistoryResource/Pages/ViewPurchaseHistory.php

@@ -14,4 +14,3 @@ class ViewPurchaseHistory extends ViewRecord
         return [];
     }
 }
-

app/Filament/Resources/PurchaseResource.php

@@ -8,7 +8,7 @@ use App\Models\PackagePurchase;
 use App\Notifications\Customer\RefundReceipt;
 use App\Notifications\Ops\RefundProcessed;
 use App\Services\Audit\SuperAdminAuditLogger;
-use App\Services\Paddle\PaddleTransactionService;
+use App\Services\LemonSqueezy\LemonSqueezyOrderService;
 use BackedEnum;
 use Filament\Actions\Action;
 use Filament\Actions\BulkActionGroup;
@@ -203,15 +203,15 @@ class PurchaseResource extends Resource
                         $refundSuccess = true;
                         $errorMessage = null;
 
-                        if ($record->provider === 'paddle' && $record->provider_id) {
+                        if ($record->provider === 'lemonsqueezy' && $record->provider_id) {
                             try {
-                                /** @var PaddleTransactionService $paddle */
-                                $paddle = App::make(PaddleTransactionService::class);
-                                $paddle->refund($record->provider_id, ['reason' => $reason]);
+                                /** @var LemonSqueezyOrderService $lemonsqueezy */
+                                $lemonsqueezy = App::make(LemonSqueezyOrderService::class);
+                                $lemonsqueezy->refund($record->provider_id, ['reason' => $reason]);
                             } catch (\Throwable $exception) {
                                 $refundSuccess = false;
                                 $errorMessage = $exception->getMessage();
-                                Log::warning('Paddle refund failed', [
+                                Log::warning('Lemon Squeezy refund failed', [
                                     'purchase_id' => $record->id,
                                     'provider_id' => $record->provider_id,
                                     'error' => $exception->getMessage(),

app/Filament/Resources/PurchaseResource/Pages/ListPurchases.php

@@ -16,4 +16,4 @@ class ListPurchases extends ListRecords
             Actions\CreateAction::make(),
         ];
     }
-}
+}

app/Filament/Resources/PurchaseResource/Pages/ViewPurchase.php

@@ -35,7 +35,7 @@ class ViewPurchase extends ViewRecord
                 ->visible(fn ($record): bool => ! $record->refunded)
                 ->action(function ($record) {
                     $record->update(['refunded' => true]);
-                    // TODO: Call Paddle API for actual refund
+                    // TODO: Call Lemon Squeezy API for actual refund
 
                     app(SuperAdminAuditLogger::class)->record(
                         'purchase.refunded',

app/Filament/Resources/TenantResource.php

@@ -8,6 +8,7 @@ use App\Filament\Resources\TenantResource\RelationManagers\PackagePurchasesRelat
 use App\Filament\Resources\TenantResource\RelationManagers\TenantPackagesRelationManager;
 use App\Filament\Resources\TenantResource\Schemas\TenantInfolist;
 use App\Jobs\AnonymizeAccount;
+use App\Models\Package;
 use App\Models\Tenant;
 use App\Notifications\InactiveTenantDeletionWarning;
 use App\Services\Audit\SuperAdminAuditLogger;
@@ -72,10 +73,10 @@ class TenantResource extends Resource
                 ->email()
                 ->required()
                 ->maxLength(255),
-            TextInput::make('paddle_customer_id')
-                ->label('Paddle Customer ID')
+            TextInput::make('lemonsqueezy_customer_id')
+                ->label('Lemon Squeezy Customer ID')
                 ->maxLength(191)
-                ->helperText('Verknuepfung mit Paddle Billing Kundenkonto.')
+                ->helperText('Verknüpfung mit Lemon Squeezy Kundenkonto.')
                 ->nullable(),
             TextInput::make('total_revenue')
                 ->label(__('admin.tenants.fields.total_revenue'))
@@ -134,8 +135,8 @@ class TenantResource extends Resource
                     ->getStateUsing(fn (Tenant $record) => $record->user?->full_name ?? 'Unbekannt'),
                 Tables\Columns\TextColumn::make('slug')->searchable(),
                 Tables\Columns\TextColumn::make('contact_email'),
-                Tables\Columns\TextColumn::make('paddle_customer_id')
-                    ->label('Paddle Customer')
+                Tables\Columns\TextColumn::make('lemonsqueezy_customer_id')
+                    ->label('Lemon Squeezy Customer')
                     ->toggleable(isToggledHiddenByDefault: true)
                     ->formatStateUsing(fn ($state) => $state ?: '-'),
                 Tables\Columns\TextColumn::make('active_reseller_package_id')
@@ -205,11 +206,13 @@ class TenantResource extends Resource
                         Forms\Components\Textarea::make('reason')->label('Grund')->rows(3),
                     ])
                     ->action(function (Tenant $record, array $data) {
+                        $package = Package::query()->find($data['package_id']);
                         \App\Models\TenantPackage::create([
                             'tenant_id' => $record->id,
                             'package_id' => $data['package_id'],
                             'expires_at' => $data['expires_at'],
                             'active' => true,
+                            'price' => $package?->price ?? 0,
                             'reason' => $data['reason'] ?? null,
                         ]);
                         \App\Models\PackagePurchase::create([

app/Filament/Resources/TenantResource/RelationManagers/PackagePurchasesRelationManager.php

@@ -44,7 +44,7 @@ class PackagePurchasesRelationManager extends RelationManager
                 Select::make('provider')
                     ->label('Anbieter')
                     ->options([
-                        'paddle' => 'Paddle',
+                        'lemonsqueezy' => 'Lemon Squeezy',
                         'manual' => 'Manuell',
                         'free' => 'Kostenlos',
                     ])
@@ -89,7 +89,7 @@ class PackagePurchasesRelationManager extends RelationManager
                 TextColumn::make('provider')
                     ->badge()
                     ->color(fn (string $state): string => match ($state) {
-                        'paddle' => 'success',
+                        'lemonsqueezy' => 'success',
                         'manual' => 'gray',
                         'free' => 'success',
                         default => 'gray',
@@ -116,7 +116,7 @@ class PackagePurchasesRelationManager extends RelationManager
                     ]),
                 SelectFilter::make('provider')
                     ->options([
-                        'paddle' => 'Paddle',
+                        'lemonsqueezy' => 'Lemon Squeezy',
                         'manual' => 'Manuell',
                         'free' => 'Kostenlos',
                     ]),

app/Filament/Resources/TenantResource/RelationManagers/TenantPackagesRelationManager.php

@@ -40,10 +40,10 @@ class TenantPackagesRelationManager extends RelationManager
                 DateTimePicker::make('expires_at')
                     ->label('Ablaufdatum')
                     ->required(),
-                TextInput::make('paddle_subscription_id')
-                    ->label('Paddle Subscription ID')
+                TextInput::make('lemonsqueezy_subscription_id')
+                    ->label('Lemon Squeezy Subscription ID')
                     ->maxLength(191)
-                    ->helperText('Abonnement-ID aus Paddle Billing.')
+                    ->helperText('Abonnement-ID aus Lemon Squeezy.')
                     ->nullable(),
                 Toggle::make('active')
                     ->label('Aktiv'),
@@ -75,8 +75,8 @@ class TenantPackagesRelationManager extends RelationManager
                 TextColumn::make('expires_at')
                     ->dateTime()
                     ->sortable(),
-                TextColumn::make('paddle_subscription_id')
-                    ->label('Paddle Subscription')
+                TextColumn::make('lemonsqueezy_subscription_id')
+                    ->label('Lemon Squeezy Subscription')
                     ->toggleable(isToggledHiddenByDefault: true)
                     ->formatStateUsing(fn ($state) => $state ?: '-'),
                 IconColumn::make('active')

app/Filament/Resources/TenantResource/Schemas/TenantInfolist.php

@@ -22,8 +22,8 @@ class TenantInfolist
                     TextEntry::make('user.full_name')
                         ->label(__('admin.tenants.fields.owner'))
                         ->state(fn (Tenant $record) => $record->user?->full_name ?? '—'),
-                    TextEntry::make('paddle_customer_id')
-                        ->label('Paddle Customer ID')
+                    TextEntry::make('lemonsqueezy_customer_id')
+                        ->label('Lemon Squeezy Customer ID')
                         ->placeholder('—'),
                     TextEntry::make('total_revenue')
                         ->label(__('admin.tenants.fields.total_revenue'))

app/Filament/SuperAdmin/Pages/AiEditingSettingsPage.php

@@ -0,0 +1,177 @@
+<?php
+
+namespace App\Filament\SuperAdmin\Pages;
+
+use App\Filament\Clusters\RareAdmin\RareAdminCluster;
+use App\Models\AiEditingSetting;
+use App\Services\Audit\SuperAdminAuditLogger;
+use Filament\Forms;
+use Filament\Notifications\Notification;
+use Filament\Pages\Page;
+use Filament\Schemas\Components\Section;
+use Filament\Schemas\Schema;
+
+class AiEditingSettingsPage extends Page
+{
+    protected static null|string|\BackedEnum $navigationIcon = 'heroicon-o-sparkles';
+
+    protected static ?string $cluster = RareAdminCluster::class;
+
+    protected string $view = 'filament.super-admin.pages.ai-editing-settings-page';
+
+    protected static null|string|\UnitEnum $navigationGroup = null;
+
+    protected static ?int $navigationSort = 30;
+
+    public static function getNavigationGroup(): \UnitEnum|string|null
+    {
+        return __('admin.nav.platform');
+    }
+
+    public static function getNavigationLabel(): string
+    {
+        return 'AI Editing Settings';
+    }
+
+    public bool $is_enabled = true;
+
+    public string $default_provider = 'runware';
+
+    public ?string $fallback_provider = null;
+
+    public string $runware_mode = 'live';
+
+    public bool $queue_auto_dispatch = false;
+
+    public string $queue_name = 'default';
+
+    public int $queue_max_polls = 6;
+
+    /**
+     * @var array<int, string>
+     */
+    public array $blocked_terms = [];
+
+    public ?string $status_message = null;
+
+    public function mount(): void
+    {
+        $settings = AiEditingSetting::current();
+
+        $this->is_enabled = (bool) $settings->is_enabled;
+        $this->default_provider = (string) ($settings->default_provider ?: 'runware');
+        $this->fallback_provider = $settings->fallback_provider ? (string) $settings->fallback_provider : null;
+        $this->runware_mode = (string) ($settings->runware_mode ?: 'live');
+        $this->queue_auto_dispatch = (bool) $settings->queue_auto_dispatch;
+        $this->queue_name = (string) ($settings->queue_name ?: 'default');
+        $this->queue_max_polls = max(1, (int) ($settings->queue_max_polls ?: 6));
+        $this->blocked_terms = array_values(array_filter(array_map(
+            static fn (mixed $term): string => trim((string) $term),
+            (array) $settings->blocked_terms
+        )));
+        $this->status_message = $settings->status_message ? (string) $settings->status_message : null;
+    }
+
+    public function form(Schema $schema): Schema
+    {
+        return $schema->schema([
+            Section::make('Global Availability')
+                ->schema([
+                    Forms\Components\Toggle::make('is_enabled')
+                        ->label('Enable AI editing globally'),
+                    Forms\Components\Textarea::make('status_message')
+                        ->label('Disabled message')
+                        ->maxLength(255)
+                        ->rows(2)
+                        ->helperText('Shown to guest and tenant clients when the feature is disabled.')
+                        ->nullable(),
+                ]),
+            Section::make('Provider')
+                ->schema([
+                    Forms\Components\Select::make('default_provider')
+                        ->label('Default provider')
+                        ->options([
+                            'runware' => 'runware.ai',
+                        ])
+                        ->required(),
+                    Forms\Components\TextInput::make('fallback_provider')
+                        ->label('Fallback provider')
+                        ->maxLength(40)
+                        ->helperText('Reserved for provider failover.'),
+                    Forms\Components\Select::make('runware_mode')
+                        ->label('Runware mode')
+                        ->options([
+                            'live' => 'Live API',
+                            'fake' => 'Fake mode (internal testing)',
+                        ])
+                        ->required(),
+                ])
+                ->columns(2),
+            Section::make('Queue Orchestration')
+                ->schema([
+                    Forms\Components\Toggle::make('queue_auto_dispatch')
+                        ->label('Auto-dispatch jobs after request creation'),
+                    Forms\Components\TextInput::make('queue_name')
+                        ->label('Queue name')
+                        ->required()
+                        ->maxLength(60),
+                    Forms\Components\TextInput::make('queue_max_polls')
+                        ->label('Max provider polls')
+                        ->numeric()
+                        ->minValue(1)
+                        ->maxValue(50)
+                        ->required(),
+                ])
+                ->columns(2),
+            Section::make('Prompt Safety')
+                ->schema([
+                    Forms\Components\TagsInput::make('blocked_terms')
+                        ->label('Blocked prompt terms')
+                        ->helperText('Case-insensitive term match before queue dispatch.')
+                        ->placeholder('Add blocked term'),
+                ]),
+        ]);
+    }
+
+    public function save(): void
+    {
+        $this->validate();
+
+        $settings = AiEditingSetting::query()->firstOrNew(['id' => 1]);
+        $settings->is_enabled = $this->is_enabled;
+        $settings->default_provider = $this->default_provider;
+        $settings->fallback_provider = $this->nullableString($this->fallback_provider);
+        $settings->runware_mode = $this->runware_mode;
+        $settings->queue_auto_dispatch = $this->queue_auto_dispatch;
+        $settings->queue_name = $this->queue_name;
+        $settings->queue_max_polls = max(1, $this->queue_max_polls);
+        $settings->blocked_terms = array_values(array_filter(array_map(
+            static fn (mixed $term): string => trim((string) $term),
+            $this->blocked_terms
+        )));
+        $settings->status_message = $this->nullableString($this->status_message);
+        $settings->save();
+
+        $changed = $settings->getChanges();
+        if ($changed !== []) {
+            app(SuperAdminAuditLogger::class)->record(
+                'ai_editing.settings_updated',
+                $settings,
+                SuperAdminAuditLogger::fieldsMetadata(array_keys($changed)),
+                source: static::class
+            );
+        }
+
+        Notification::make()
+            ->title('AI editing settings saved.')
+            ->success()
+            ->send();
+    }
+
+    private function nullableString(?string $value): ?string
+    {
+        $trimmed = trim((string) $value);
+
+        return $trimmed !== '' ? $trimmed : null;
+    }
+}

app/Filament/SuperAdmin/Pages/Auth/EditProfile.php

@@ -3,39 +3,78 @@
 namespace App\Filament\SuperAdmin\Pages\Auth;
 
 use Filament\Auth\Pages\EditProfile as BaseEditProfile;
-use Filament\Forms\Components\TextInput;
+use Filament\Facades\Filament;
 use Filament\Forms\Components\Select;
+use Filament\Forms\Components\TextInput;
+use Filament\Schemas\Components\Component;
+use Filament\Schemas\Components\Livewire;
+use Filament\Schemas\Components\Section;
+use Filament\Schemas\Components\Utilities\Get;
 use Filament\Schemas\Schema;
-use Illuminate\Support\Facades\Log;
 
 class EditProfile extends BaseEditProfile
 {
-    public function mount(): void
+    protected function getPasswordConfirmationFormComponent(): Component
     {
-        Log::info('EditProfile class loaded for superadmin');
-        parent::mount();
+        return TextInput::make('passwordConfirmation')
+            ->label(__('filament-panels::auth/pages/edit-profile.form.password_confirmation.label'))
+            ->validationAttribute(__('filament-panels::auth/pages/edit-profile.form.password_confirmation.validation_attribute'))
+            ->password()
+            ->autocomplete('new-password')
+            ->revealable(filament()->arePasswordsRevealable())
+            ->required()
+            ->visible(fn (Get $get): bool => filled($get('password')))
+            ->dehydrated(false);
+    }
+
+    protected function getCurrentPasswordFormComponent(): Component
+    {
+        return TextInput::make('currentPassword')
+            ->label(__('filament-panels::auth/pages/edit-profile.form.current_password.label'))
+            ->validationAttribute(__('filament-panels::auth/pages/edit-profile.form.current_password.validation_attribute'))
+            ->belowContent(__('filament-panels::auth/pages/edit-profile.form.current_password.below_content'))
+            ->password()
+            ->autocomplete('current-password')
+            ->currentPassword(guard: Filament::getAuthGuard())
+            ->revealable(filament()->arePasswordsRevealable())
+            ->required()
+            ->visible(fn (Get $get): bool => filled($get('password')))
+            ->dehydrated(false);
     }
 
     public function form(Schema $schema): Schema
     {
         return $schema
             ->schema([
-                $this->getNameFormComponent(),
-                $this->getEmailFormComponent(),
-                TextInput::make('username')
-                    ->required()
-                    ->unique(ignoreRecord: true)
-                    ->maxLength(255),
-                Select::make('preferred_locale')
-                    ->options([
-                        'de' => 'Deutsch',
-                        'en' => 'English',
+                Section::make('Profile')
+                    ->schema([
+                        $this->getNameFormComponent(),
+                        $this->getEmailFormComponent(),
+                        TextInput::make('username')
+                            ->required()
+                            ->unique(ignoreRecord: true)
+                            ->maxLength(255),
+                        Select::make('preferred_locale')
+                            ->options([
+                                'de' => 'Deutsch',
+                                'en' => 'English',
+                            ])
+                            ->default('de')
+                            ->required(),
                     ])
-                    ->default('de')
-                    ->required(),
-                $this->getPasswordFormComponent(),
-                $this->getPasswordConfirmationFormComponent(),
-                $this->getCurrentPasswordFormComponent(),
+                    ->columns(2),
+                Section::make('Security')
+                    ->schema([
+                        $this->getPasswordFormComponent(),
+                        $this->getPasswordConfirmationFormComponent(),
+                        $this->getCurrentPasswordFormComponent(),
+                    ])
+                    ->columns(1),
+                Section::make('Support API Tokens')
+                    ->description('Manage bearer tokens for external support tooling.')
+                    ->schema([
+                        Livewire::make('support-api-token-manager'),
+                    ]),
             ]);
     }
-}
+}

app/Filament/SuperAdmin/Pages/Auth/Login.php

@@ -40,7 +40,7 @@ class Login extends BaseLogin implements HasForms
         }
 
         // SuperAdmin-spezifisch: Prüfe auf SuperAdmin-Rolle, keine Tenant-Prüfung
-        if ($user->role !== 'super_admin') {
+        if (! $user->isSuperAdmin()) {
             $authGuard->logout();
 
             throw ValidationException::withMessages([

app/Filament/SuperAdmin/Pages/GuestPolicySettingsPage.php

@@ -45,11 +45,11 @@ class GuestPolicySettingsPage extends Page
 
     public int $join_token_failure_decay_minutes = 5;
 
-    public int $join_token_access_limit = 120;
+    public int $join_token_access_limit = 300;
 
     public int $join_token_access_decay_minutes = 1;
 
-    public int $join_token_download_limit = 60;
+    public int $join_token_download_limit = 120;
 
     public int $join_token_download_decay_minutes = 1;
 
@@ -69,9 +69,9 @@ class GuestPolicySettingsPage extends Page
         $this->per_device_upload_limit = (int) ($settings->per_device_upload_limit ?? 50);
         $this->join_token_failure_limit = (int) ($settings->join_token_failure_limit ?? 10);
         $this->join_token_failure_decay_minutes = (int) ($settings->join_token_failure_decay_minutes ?? 5);
-        $this->join_token_access_limit = (int) ($settings->join_token_access_limit ?? 120);
+        $this->join_token_access_limit = (int) ($settings->join_token_access_limit ?? 300);
         $this->join_token_access_decay_minutes = (int) ($settings->join_token_access_decay_minutes ?? 1);
-        $this->join_token_download_limit = (int) ($settings->join_token_download_limit ?? 60);
+        $this->join_token_download_limit = (int) ($settings->join_token_download_limit ?? 120);
         $this->join_token_download_decay_minutes = (int) ($settings->join_token_download_decay_minutes ?? 1);
         $this->join_token_ttl_hours = (int) ($settings->join_token_ttl_hours ?? 168);
         $this->share_link_ttl_hours = (int) ($settings->share_link_ttl_hours ?? 48);

app/Filament/SuperAdmin/Pages/WatermarkSettingsPage.php

@@ -27,7 +27,7 @@ class WatermarkSettingsPage extends Page
         return __('admin.nav.branding');
     }
 
-    public ?string $asset = null;
+    public $asset = [];
 
     public string $position = 'bottom-right';
 
@@ -46,7 +46,7 @@ class WatermarkSettingsPage extends Page
         $settings = WatermarkSetting::query()->first();
 
         if ($settings) {
-            $this->asset = $settings->asset;
+            $this->asset = $settings->asset ? [$settings->asset] : [];
             $this->position = $settings->position;
             $this->opacity = (float) $settings->opacity;
             $this->scale = (float) $settings->scale;
@@ -119,8 +119,14 @@ class WatermarkSettingsPage extends Page
     {
         $this->validate();
 
+        $state = $this->form->getState();
+        $asset = $state['asset'] ?? $this->asset;
+        if (is_array($asset)) {
+            $asset = $asset[0] ?? null;
+        }
+
         $settings = WatermarkSetting::query()->firstOrNew([]);
-        $settings->asset = $this->asset;
+        $settings->asset = $asset;
         $settings->position = $this->position;
         $settings->opacity = $this->opacity;
         $settings->scale = $this->scale;

app/Filament/SuperAdmin/Widgets/SupportApiTokenManager.php

@@ -0,0 +1,280 @@
+<?php
+
+namespace App\Filament\SuperAdmin\Widgets;
+
+use App\Models\User;
+use App\Services\Audit\SuperAdminAuditLogger;
+use Filament\Actions\Action;
+use Filament\Facades\Filament;
+use Filament\Forms\Components\CheckboxList;
+use Filament\Forms\Components\DateTimePicker;
+use Filament\Forms\Components\TextInput;
+use Filament\Notifications\Notification;
+use Filament\Tables;
+use Filament\Tables\Table;
+use Filament\Widgets\TableWidget;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Support\Carbon;
+use Laravel\Sanctum\NewAccessToken;
+use Laravel\Sanctum\PersonalAccessToken;
+
+class SupportApiTokenManager extends TableWidget
+{
+    protected static bool $isDiscovered = false;
+
+    protected int|string|array $columnSpan = 'full';
+
+    public function table(Table $table): Table
+    {
+        return $table
+            ->heading('Support API Tokens')
+            ->query(fn (): Builder => $this->getTokenQuery())
+            ->defaultSort('created_at', 'desc')
+            ->columns([
+                Tables\Columns\TextColumn::make('name')
+                    ->label('Name')
+                    ->sortable()
+                    ->searchable(),
+                Tables\Columns\TextColumn::make('abilities')
+                    ->label('Abilities')
+                    ->formatStateUsing(fn ($state): string => $this->formatAbilities($state))
+                    ->wrap(),
+                Tables\Columns\TextColumn::make('last_used_at')
+                    ->label('Last used')
+                    ->since()
+                    ->placeholder('—'),
+                Tables\Columns\TextColumn::make('expires_at')
+                    ->label('Expires')
+                    ->dateTime('Y-m-d H:i')
+                    ->placeholder('—'),
+                Tables\Columns\TextColumn::make('created_at')
+                    ->label('Created')
+                    ->since(),
+            ])
+            ->headerActions([
+                Action::make('create_support_token')
+                    ->label('Create token')
+                    ->icon('heroicon-o-key')
+                    ->form([
+                        TextInput::make('name')
+                            ->label('Token name')
+                            ->default($this->defaultTokenName())
+                            ->required()
+                            ->maxLength(255)
+                            ->helperText('Existing tokens with the same name will be revoked.'),
+                        CheckboxList::make('abilities')
+                            ->label('Abilities')
+                            ->options($this->abilityOptions())
+                            ->columns(2)
+                            ->required()
+                            ->default($this->defaultAbilities()),
+                        DateTimePicker::make('expires_at')
+                            ->label('Expires at')
+                            ->displayFormat('Y-m-d H:i')
+                            ->seconds(false),
+                    ])
+                    ->action(function (array $data): void {
+                        $user = $this->getUser();
+
+                        if (! $user) {
+                            return;
+                        }
+
+                        $name = $this->normalizeTokenName($data['name'] ?? null);
+                        $abilities = $this->normalizeAbilities($data['abilities'] ?? []);
+                        $expiresAt = $this->normalizeExpiresAt($data['expires_at'] ?? null);
+
+                        $user->tokens()->where('name', $name)->delete();
+
+                        $token = $user->createToken($name, $abilities, $expiresAt);
+
+                        $this->recordTokenCreated($token, $abilities, $user);
+
+                        Notification::make()
+                            ->success()
+                            ->title('Token created')
+                            ->body('Copy this token now. It will not be shown again: '.$token->plainTextToken)
+                            ->persistent()
+                            ->send();
+                    }),
+            ])
+            ->actions([
+                Action::make('revoke')
+                    ->label('Revoke')
+                    ->icon('heroicon-o-trash')
+                    ->color('danger')
+                    ->requiresConfirmation()
+                    ->visible(fn (PersonalAccessToken $record): bool => $this->ownsToken($record))
+                    ->action(function (PersonalAccessToken $record): void {
+                        if (! $this->ownsToken($record)) {
+                            return;
+                        }
+
+                        app(SuperAdminAuditLogger::class)->record(
+                            'support-api-token.revoked',
+                            $record,
+                            ['fields' => ['name', 'abilities', 'expires_at']],
+                            actor: $this->getUser(),
+                            source: static::class
+                        );
+
+                        $record->delete();
+
+                        Notification::make()
+                            ->success()
+                            ->title('Token revoked')
+                            ->send();
+                    }),
+            ])
+            ->emptyStateHeading('No support API tokens')
+            ->emptyStateDescription('Create a token for external support tooling.');
+    }
+
+    private function getTokenQuery(): Builder
+    {
+        $user = $this->getUser();
+
+        if (! $user) {
+            return PersonalAccessToken::query()->whereRaw('1 = 0');
+        }
+
+        return PersonalAccessToken::query()
+            ->where('tokenable_id', $user->getKey())
+            ->where('tokenable_type', $user->getMorphClass());
+    }
+
+    private function getUser(): ?User
+    {
+        $user = Filament::auth()->user();
+
+        return $user instanceof User ? $user : null;
+    }
+
+    private function formatAbilities(mixed $state): string
+    {
+        if (is_array($state)) {
+            return implode(', ', $state);
+        }
+
+        if (is_string($state)) {
+            return $state;
+        }
+
+        return '';
+    }
+
+    /**
+     * @return array<int, string>
+     */
+    private function defaultAbilities(): array
+    {
+        $abilities = config('support-api.token.default_abilities', []);
+
+        if (! is_array($abilities)) {
+            return ['support-admin'];
+        }
+
+        $abilities = array_values(array_filter($abilities, fn ($ability) => is_string($ability) && $ability !== ''));
+
+        if (! in_array('support-admin', $abilities, true)) {
+            $abilities[] = 'support-admin';
+        }
+
+        return array_values(array_unique($abilities));
+    }
+
+    /**
+     * @return array<string, string>
+     */
+    private function abilityOptions(): array
+    {
+        $options = [];
+
+        foreach ($this->defaultAbilities() as $ability) {
+            $options[$ability] = $ability;
+        }
+
+        return $options;
+    }
+
+    /**
+     * @param  array<int, string>  $abilities
+     * @return array<int, string>
+     */
+    private function normalizeAbilities(array $abilities): array
+    {
+        $allowed = $this->defaultAbilities();
+        $filtered = array_values(array_intersect($abilities, $allowed));
+
+        if (! in_array('support-admin', $filtered, true)) {
+            $filtered[] = 'support-admin';
+        }
+
+        sort($filtered);
+
+        return $filtered;
+    }
+
+    private function defaultTokenName(): string
+    {
+        $name = config('support-api.token.name');
+
+        if (is_string($name) && $name !== '') {
+            return $name;
+        }
+
+        return 'support-api';
+    }
+
+    private function normalizeTokenName(?string $name): string
+    {
+        $name = $name ? trim($name) : '';
+
+        return $name !== '' ? $name : $this->defaultTokenName();
+    }
+
+    private function normalizeExpiresAt(mixed $expiresAt): ?Carbon
+    {
+        if ($expiresAt instanceof Carbon) {
+            return $expiresAt;
+        }
+
+        if ($expiresAt instanceof \DateTimeInterface) {
+            return Carbon::instance($expiresAt);
+        }
+
+        if (is_string($expiresAt) && $expiresAt !== '') {
+            return Carbon::parse($expiresAt);
+        }
+
+        return null;
+    }
+
+    private function recordTokenCreated(NewAccessToken $token, array $abilities, User $user): void
+    {
+        $actionLog = app(SuperAdminAuditLogger::class);
+
+        $actionLog->record(
+            'support-api-token.created',
+            $token->accessToken,
+            [
+                'fields' => ['name', 'abilities', 'expires_at'],
+                'abilities' => $abilities,
+            ],
+            actor: $user,
+            source: static::class
+        );
+    }
+
+    private function ownsToken(PersonalAccessToken $token): bool
+    {
+        $user = $this->getUser();
+
+        if (! $user) {
+            return false;
+        }
+
+        return (int) $token->tokenable_id === (int) $user->getKey()
+            && $token->tokenable_type === $user->getMorphClass();
+    }
+}

app/Filament/Widgets/DokployPlatformHealth.php

@@ -14,11 +14,88 @@ class DokployPlatformHealth extends Widget
 
     protected function getViewData(): array
     {
+        $projects = $this->loadProjects();
+
         return [
-            'composes' => $this->loadComposes(),
+            'projects' => $projects,
+            'composes' => empty($projects) ? $this->loadComposes() : [],
         ];
     }
 
+    protected function loadProjects(): array
+    {
+        $client = app(DokployClient::class);
+        $projectMap = config('dokploy.projects', []);
+        $results = [];
+
+        if (empty($projectMap)) {
+            return [];
+        }
+
+        foreach ($projectMap as $label => $projectId) {
+            $project = [];
+            $projectIdString = (string) $projectId;
+
+            try {
+                $project = $client->project($projectIdString);
+            } catch (\Throwable $exception) {
+                $project = [];
+            }
+
+            if (empty($project)) {
+                $project = $client->findProject($projectIdString) ?? [];
+
+                $resolvedProjectId = Arr::get($project, 'projectId');
+
+                if ($resolvedProjectId) {
+                    try {
+                        $project = $client->project((string) $resolvedProjectId);
+                    } catch (\Throwable $exception) {
+                        $project = $project;
+                    }
+                }
+            }
+
+            if (! $project) {
+                $results[] = [
+                    'label' => ucfirst((string) $label),
+                    'project_id' => $projectIdString,
+                    'name' => $projectIdString,
+                    'status' => 'unreachable',
+                    'error' => "Project {$projectIdString} not found.",
+                    'applications' => [],
+                    'services' => [],
+                    'composes' => [],
+                    'updated_at' => null,
+                ];
+
+                continue;
+            }
+
+            $environments = $this->extractEnvironments($project);
+            $applications = $this->formatEnvironmentApplications($environments, $client);
+            $composes = $this->formatEnvironmentComposes($environments, $client);
+            $services = $this->formatEnvironmentServices($environments);
+
+            $results[] = [
+                'label' => ucfirst((string) $label),
+                'project_id' => Arr::get($project, 'projectId', $projectIdString),
+                'name' => Arr::get($project, 'name') ?? Arr::get($project, 'projectName') ?? $projectIdString,
+                'description' => Arr::get($project, 'description'),
+                'status' => $this->deriveProjectStatus($applications, $services, $composes),
+                'applications' => $applications,
+                'composes' => $composes,
+                'services' => $services,
+                'updated_at' => Arr::get($project, 'updatedAt') ?? Arr::get($project, 'createdAt'),
+                'applications_count' => count($applications),
+                'composes_count' => count($composes),
+                'services_count' => count($services),
+            ];
+        }
+
+        return $results;
+    }
+
     protected function loadComposes(): array
     {
         $client = app(DokployClient::class);
@@ -62,7 +139,7 @@ class DokployPlatformHealth extends Widget
                     'label' => 'Dokploy',
                     'compose_id' => '-',
                     'status' => 'unconfigured',
-                    'error' => 'Set DOKPLOY_COMPOSE_IDS in .env to enable monitoring.',
+                    'error' => 'Set DOKPLOY_PROJECT_IDS or DOKPLOY_COMPOSE_IDS in .env to enable monitoring.',
                 ],
             ];
         }
@@ -70,6 +147,252 @@ class DokployPlatformHealth extends Widget
         return $results;
     }
 
+    protected function extractEnvironments(array $project): array
+    {
+        $environments = Arr::get($project, 'environments', []);
+
+        if (is_array($environments) && ! empty($environments)) {
+            return $environments;
+        }
+
+        return [[
+            'name' => Arr::get($project, 'name'),
+            'applications' => Arr::get($project, 'applications', []),
+            'compose' => Arr::get($project, 'compose', []),
+            'mysql' => Arr::get($project, 'mysql', []),
+            'postgres' => Arr::get($project, 'postgres', []),
+            'mariadb' => Arr::get($project, 'mariadb', []),
+            'mongo' => Arr::get($project, 'mongo', []),
+            'redis' => Arr::get($project, 'redis', []),
+        ]];
+    }
+
+    protected function formatEnvironmentApplications(array $environments, DokployClient $client): array
+    {
+        return collect($environments)
+            ->flatMap(function (array $environment) use ($client) {
+                $applications = Arr::get($environment, 'applications', []);
+                $environmentName = Arr::get($environment, 'name');
+
+                return $this->formatApplications(is_array($applications) ? $applications : [], $client, $environmentName);
+            })
+            ->values()
+            ->all();
+    }
+
+    protected function formatEnvironmentComposes(array $environments, DokployClient $client): array
+    {
+        return collect($environments)
+            ->flatMap(function (array $environment) use ($client) {
+                $composes = Arr::get($environment, 'compose', []);
+                $environmentName = Arr::get($environment, 'name');
+
+                return collect(is_array($composes) ? $composes : [])
+                    ->map(function (array $compose) use ($client, $environmentName) {
+                        $composeId = Arr::get($compose, 'composeId') ?? Arr::get($compose, 'id');
+                        $statusPayload = [];
+                        $deployments = [];
+
+                        if ($composeId) {
+                            try {
+                                $statusPayload = $client->composeStatus($composeId);
+                                $deployments = $client->composeDeployments($composeId, 1);
+                            } catch (\Throwable $exception) {
+                                $statusPayload = [];
+                                $deployments = [];
+                            }
+                        }
+
+                        $composeDetails = Arr::get($statusPayload, 'compose', []);
+
+                        return [
+                            'id' => $composeId,
+                            'name' => Arr::get($compose, 'name')
+                                ?? Arr::get($compose, 'appName')
+                                ?? Arr::get($composeDetails, 'name')
+                                ?? Arr::get($composeDetails, 'appName')
+                                ?? $composeId,
+                            'status' => Arr::get($compose, 'composeStatus')
+                                ?? Arr::get($compose, 'status')
+                                ?? Arr::get($composeDetails, 'composeStatus')
+                                ?? Arr::get($composeDetails, 'status')
+                                ?? 'unknown',
+                            'environment' => $environmentName,
+                            'last_deploy' => Arr::get($deployments, '0.createdAt')
+                                ?? Arr::get($deployments, '0.created_at')
+                                ?? Arr::get($compose, 'updatedAt')
+                                ?? Arr::get($composeDetails, 'updatedAt'),
+                            'services' => $this->formatServices(Arr::get($statusPayload, 'services', [])),
+                        ];
+                    })
+                    ->filter(fn (array $compose) => filled($compose['name']))
+                    ->values()
+                    ->all();
+            })
+            ->values()
+            ->all();
+    }
+
+    protected function formatEnvironmentServices(array $environments): array
+    {
+        return collect($environments)
+            ->flatMap(function (array $environment) {
+                $environmentName = Arr::get($environment, 'name');
+
+                return collect([
+                    ...$this->normalizeServiceList((array) Arr::get($environment, 'compose', []), 'compose', 'composeId', 'composeStatus', $environmentName),
+                    ...$this->normalizeServiceList((array) Arr::get($environment, 'mysql', []), 'mysql', 'mysqlId', 'applicationStatus', $environmentName),
+                    ...$this->normalizeServiceList((array) Arr::get($environment, 'postgres', []), 'postgres', 'postgresId', 'applicationStatus', $environmentName),
+                    ...$this->normalizeServiceList((array) Arr::get($environment, 'mariadb', []), 'mariadb', 'mariadbId', 'applicationStatus', $environmentName),
+                    ...$this->normalizeServiceList((array) Arr::get($environment, 'mongo', []), 'mongo', 'mongoId', 'applicationStatus', $environmentName),
+                    ...$this->normalizeServiceList((array) Arr::get($environment, 'redis', []), 'redis', 'redisId', 'applicationStatus', $environmentName),
+                ]);
+            })
+            ->filter(fn (array $service) => filled($service['name']))
+            ->values()
+            ->all();
+    }
+
+    protected function formatApplications(array $applications, DokployClient $client, ?string $environment = null): array
+    {
+        return collect($applications)
+            ->map(function (array $application) use ($client, $environment) {
+                $applicationId = $this->extractApplicationId($application);
+                $statusPayload = [];
+
+                if ($applicationId) {
+                    try {
+                        $statusPayload = $client->applicationStatus($applicationId);
+                    } catch (\Throwable $exception) {
+                        $statusPayload = [];
+                    }
+                }
+
+                $applicationDetails = Arr::get($statusPayload, 'application', []);
+                $monitoring = Arr::get($statusPayload, 'monitoring', []);
+
+                $status = Arr::get($application, 'applicationStatus')
+                    ?? Arr::get($application, 'status')
+                    ?? Arr::get($applicationDetails, 'applicationStatus')
+                    ?? Arr::get($applicationDetails, 'status')
+                    ?? 'unknown';
+
+                return [
+                    'id' => $applicationId ?? Arr::get($application, 'id'),
+                    'name' => Arr::get($application, 'name')
+                        ?? Arr::get($application, 'appName')
+                        ?? Arr::get($applicationDetails, 'name')
+                        ?? Arr::get($applicationDetails, 'appName')
+                        ?? $applicationId,
+                    'status' => $status,
+                    'repository' => Arr::get($application, 'repository')
+                        ?? Arr::get($applicationDetails, 'repository')
+                        ?? Arr::get($application, 'repo')
+                        ?? Arr::get($applicationDetails, 'repo'),
+                    'branch' => Arr::get($application, 'branch')
+                        ?? Arr::get($applicationDetails, 'branch')
+                        ?? Arr::get($application, 'gitBranch')
+                        ?? Arr::get($applicationDetails, 'gitBranch'),
+                    'url' => Arr::get($application, 'url')
+                        ?? Arr::get($applicationDetails, 'url')
+                        ?? Arr::get($application, 'domain')
+                        ?? Arr::get($applicationDetails, 'domain'),
+                    'server' => Arr::get($application, 'serverName')
+                        ?? Arr::get($applicationDetails, 'serverName')
+                        ?? Arr::get($application, 'server'),
+                    'environment' => $environment,
+                    'last_deploy' => Arr::get($application, 'lastDeploymentAt')
+                        ?? Arr::get($applicationDetails, 'lastDeploymentAt')
+                        ?? Arr::get($application, 'updatedAt')
+                        ?? Arr::get($applicationDetails, 'updatedAt')
+                        ?? Arr::get($application, 'createdAt'),
+                    'monitoring' => $this->formatMonitoring($monitoring),
+                ];
+            })
+            ->filter(fn (array $application) => filled($application['name']))
+            ->values()
+            ->all();
+    }
+
+    protected function extractApplicationId(array $application): ?string
+    {
+        return Arr::get($application, 'applicationId')
+            ?? Arr::get($application, 'appId')
+            ?? Arr::get($application, 'id');
+    }
+
+    protected function normalizeServiceList(array $services, string $type, string $idKey, string $statusKey, ?string $environment = null): array
+    {
+        return collect($services)
+            ->map(function (array $service) use ($type, $idKey, $statusKey, $environment) {
+                return [
+                    'type' => $type,
+                    'id' => Arr::get($service, $idKey) ?? Arr::get($service, 'id'),
+                    'name' => Arr::get($service, 'name') ?? Arr::get($service, 'appName') ?? Arr::get($service, 'serviceName'),
+                    'status' => Arr::get($service, $statusKey) ?? Arr::get($service, 'status') ?? Arr::get($service, 'composeStatus', 'unknown'),
+                    'version' => Arr::get($service, 'dockerImage') ?? Arr::get($service, 'image'),
+                    'external_port' => Arr::get($service, 'externalPort'),
+                    'environment' => $environment,
+                ];
+            })
+            ->values()
+            ->all();
+    }
+
+    protected function formatMonitoring(array $monitoring): array
+    {
+        $metrics = [];
+        $allowed = [
+            'cpuPercent' => 'CPU',
+            'cpu' => 'CPU',
+            'memoryPercent' => 'Memory',
+            'memory' => 'Memory',
+            'uptime' => 'Uptime',
+        ];
+
+        foreach ($allowed as $key => $label) {
+            $value = Arr::get($monitoring, $key);
+
+            if (filled($value) && ! is_array($value)) {
+                $metrics[] = [
+                    'label' => $label,
+                    'value' => $value,
+                ];
+            }
+        }
+
+        return $metrics;
+    }
+
+    protected function deriveProjectStatus(array $applications, array $services, array $composes): string
+    {
+        $statuses = collect($applications)
+            ->pluck('status')
+            ->merge(collect($services)->pluck('status'))
+            ->merge(collect($composes)->pluck('status'))
+            ->filter()
+            ->map(fn ($status) => strtolower((string) $status))
+            ->values();
+
+        if ($statuses->contains(fn ($status) => in_array($status, ['error', 'failed', 'unreachable', 'unhealthy'], true))) {
+            return 'error';
+        }
+
+        if ($statuses->contains(fn ($status) => in_array($status, ['deploying', 'pending', 'starting'], true))) {
+            return 'deploying';
+        }
+
+        if ($statuses->contains(fn ($status) => in_array($status, ['stopped', 'inactive', 'paused'], true))) {
+            return 'warning';
+        }
+
+        if ($statuses->contains(fn ($status) => in_array($status, ['done', 'running', 'healthy'], true))) {
+            return 'done';
+        }
+
+        return 'unknown';
+    }
+
     protected function formatServices(array $services): array
     {
         return collect($services)

app/Filament/Widgets/PlatformStatsWidget.php

@@ -4,8 +4,8 @@ namespace App\Filament\Widgets;
 
 use Filament\Widgets\StatsOverviewWidget as BaseWidget;
 use Filament\Widgets\StatsOverviewWidget\Stat;
-use Illuminate\Support\Facades\DB;
 use Illuminate\Support\Carbon;
+use Illuminate\Support\Facades\DB;
 
 class PlatformStatsWidget extends BaseWidget
 {

app/Filament/Widgets/QueueHealthWidget.php

@@ -12,6 +12,8 @@ class QueueHealthWidget extends Widget
 
     protected ?string $pollingInterval = '60s';
 
+    protected int|string|array $columnSpan = 'full';
+
     protected function getViewData(): array
     {
         $snapshot = Cache::get('storage:queue-health:last');

app/Filament/Widgets/RevenueTrendWidget.php

@@ -7,7 +7,6 @@ use Filament\Widgets\LineChartWidget;
 
 class RevenueTrendWidget extends LineChartWidget
 {
-
     protected static ?int $sort = 1;
 
     protected int|string|array $columnSpan = 'full';

app/Filament/Widgets/TopTenantsByUploads.php

@@ -2,9 +2,9 @@
 
 namespace App\Filament\Widgets;
 
+use App\Models\Tenant;
 use Filament\Tables;
 use Filament\Widgets\TableWidget as BaseWidget;
-use App\Models\Tenant;
 
 class TopTenantsByUploads extends BaseWidget
 {
@@ -14,6 +14,7 @@ class TopTenantsByUploads extends BaseWidget
     {
         return __('admin.widgets.top_tenants_by_uploads.heading');
     }
+
     protected ?string $pollingInterval = '60s';
 
     public function table(Tables\Table $table): Tables\Table
@@ -33,4 +34,3 @@ class TopTenantsByUploads extends BaseWidget
             ->paginated(false);
     }
 }
-

app/Http/Controllers/Admin/QrController.php

@@ -2,8 +2,8 @@
 
 namespace App\Http\Controllers\Admin;
 
-use Illuminate\Routing\Controller as BaseController;
 use Illuminate\Http\Request;
+use Illuminate\Routing\Controller as BaseController;
 use SimpleSoftwareIO\QrCode\Facades\QrCode;
 
 class QrController extends BaseController
@@ -15,7 +15,7 @@ class QrController extends BaseController
             return response('missing data', 400);
         }
         $png = QrCode::format('png')->size(300)->generate($data);
+
         return response($png, 200, ['Content-Type' => 'image/png']);
     }
 }
-

app/Http/Controllers/Api/EventPublicAiEditController.php

@@ -0,0 +1,505 @@
+<?php
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Requests\Api\GuestAiEditStoreRequest;
+use App\Jobs\ProcessAiEditRequest;
+use App\Models\AiEditRequest;
+use App\Models\AiStyle;
+use App\Models\Event;
+use App\Models\Photo;
+use App\Services\AiEditing\AiBudgetGuardService;
+use App\Services\AiEditing\AiEditingRuntimeConfig;
+use App\Services\AiEditing\AiStyleAccessService;
+use App\Services\AiEditing\AiStylingEntitlementService;
+use App\Services\AiEditing\EventAiEditingPolicyService;
+use App\Services\AiEditing\Safety\AiAbuseEscalationService;
+use App\Services\AiEditing\Safety\AiSafetyPolicyService;
+use App\Services\EventJoinTokenService;
+use App\Support\ApiError;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Routing\Controller as BaseController;
+use Illuminate\Support\Str;
+use Symfony\Component\HttpFoundation\Response;
+
+class EventPublicAiEditController extends BaseController
+{
+    public function __construct(
+        private readonly EventJoinTokenService $joinTokenService,
+        private readonly AiSafetyPolicyService $safetyPolicy,
+        private readonly AiEditingRuntimeConfig $runtimeConfig,
+        private readonly AiBudgetGuardService $budgetGuard,
+        private readonly AiStylingEntitlementService $entitlements,
+        private readonly EventAiEditingPolicyService $eventPolicy,
+        private readonly AiStyleAccessService $styleAccess,
+        private readonly AiAbuseEscalationService $abuseEscalation,
+    ) {}
+
+    public function store(GuestAiEditStoreRequest $request, string $token, int $photo): JsonResponse
+    {
+        $event = $this->resolvePublishedEvent($token);
+        if ($event instanceof JsonResponse) {
+            return $event;
+        }
+
+        $photoModel = Photo::query()
+            ->whereKey($photo)
+            ->where('event_id', $event->id)
+            ->first();
+
+        if (! $photoModel) {
+            return ApiError::response(
+                'photo_not_found',
+                'Photo not found',
+                'The specified photo could not be located for this event.',
+                Response::HTTP_NOT_FOUND
+            );
+        }
+
+        if ($photoModel->status !== 'approved') {
+            return ApiError::response(
+                'photo_not_eligible',
+                'Photo not eligible',
+                'Only approved photos can be used for AI edits.',
+                Response::HTTP_UNPROCESSABLE_ENTITY
+            );
+        }
+
+        if (! $this->runtimeConfig->isEnabled()) {
+            return ApiError::response(
+                'feature_disabled',
+                'Feature disabled',
+                $this->runtimeConfig->statusMessage() ?: 'AI editing is currently disabled by platform policy.',
+                Response::HTTP_FORBIDDEN
+            );
+        }
+
+        $entitlement = $this->entitlements->resolveForEvent($event);
+        if (! $entitlement['allowed']) {
+            return ApiError::response(
+                'feature_locked',
+                'Feature locked',
+                $this->entitlements->lockedMessage(),
+                Response::HTTP_FORBIDDEN,
+                [
+                    'required_feature' => $entitlement['required_feature'],
+                    'addon_keys' => $entitlement['addon_keys'],
+                ]
+            );
+        }
+
+        $policy = $this->eventPolicy->resolve($event);
+        if (! $policy['enabled']) {
+            return ApiError::response(
+                'event_feature_disabled',
+                'Feature disabled for this event',
+                $policy['policy_message'] ?? 'AI editing is disabled for this event.',
+                Response::HTTP_FORBIDDEN
+            );
+        }
+
+        $budgetDecision = $this->budgetGuard->evaluateForEvent($event);
+        if (! $budgetDecision['allowed']) {
+            return ApiError::response(
+                $budgetDecision['reason_code'] ?? 'budget_hard_cap_reached',
+                'Budget limit reached',
+                $budgetDecision['message'] ?? 'The AI editing budget for this billing period has been exhausted.',
+                Response::HTTP_FORBIDDEN,
+                [
+                    'budget' => $budgetDecision['budget'],
+                ]
+            );
+        }
+
+        $style = $this->resolveStyleByKey($request->input('style_key'));
+        if ($request->filled('style_key') && ! $style) {
+            return ApiError::response(
+                'style_not_found',
+                'Style not found',
+                'The selected style is not available.',
+                Response::HTTP_UNPROCESSABLE_ENTITY
+            );
+        }
+
+        if (
+            $style
+            && (! $this->eventPolicy->isStyleAllowed($event, $style) || ! $this->styleAccess->canUseStyle($event, $style))
+        ) {
+            return ApiError::response(
+                'style_not_allowed',
+                'Style not allowed',
+                $policy['policy_message'] ?? 'This style is not allowed for this event.',
+                Response::HTTP_UNPROCESSABLE_ENTITY,
+                [
+                    'allowed_style_keys' => $policy['allowed_style_keys'],
+                ]
+            );
+        }
+
+        $prompt = (string) ($request->input('prompt') ?: $style?->prompt_template ?: '');
+        $negativePrompt = (string) ($request->input('negative_prompt') ?: $style?->negative_prompt_template ?: '');
+        $providerModel = $request->input('provider_model') ?: $style?->provider_model;
+        $safetyDecision = $this->safetyPolicy->evaluatePrompt($prompt, $negativePrompt);
+        $deviceId = $this->normalizeOptionalString((string) $request->header('X-Device-Id', ''));
+        $sessionId = $this->normalizeOptionalString((string) $request->input('session_id', ''));
+        $scopeKey = $this->normalizeOptionalString($deviceId ?: $sessionId) ?: 'guest';
+        $abuseSignal = null;
+        $safetyReasons = $safetyDecision->reasonCodes;
+        if ($safetyDecision->blocked) {
+            $abuseSignal = $this->abuseEscalation->recordPromptBlock(
+                (int) $event->tenant_id,
+                (int) $event->id,
+                $scopeKey
+            );
+            if (($abuseSignal['escalated'] ?? false) && ! in_array(AiAbuseEscalationService::REASON_CODE, $safetyReasons, true)) {
+                $safetyReasons[] = AiAbuseEscalationService::REASON_CODE;
+            }
+        }
+
+        $metadata = (array) $request->input('metadata', []);
+        if (is_array($abuseSignal)) {
+            $metadata['abuse'] = $abuseSignal;
+        }
+        $metadata['budget'] = $budgetDecision['budget'];
+
+        $idempotencyKey = $this->resolveIdempotencyKey(
+            $request->input('idempotency_key'),
+            $request->header('X-Idempotency-Key'),
+            $photoModel,
+            $style,
+            $prompt,
+            $deviceId,
+            $sessionId
+        );
+
+        $attributes = [
+            'event_id' => $event->id,
+            'photo_id' => $photoModel->id,
+            'style_id' => $style?->id,
+            'provider' => $this->runtimeConfig->defaultProvider(),
+            'provider_model' => $providerModel,
+            'status' => $safetyDecision->blocked ? AiEditRequest::STATUS_BLOCKED : AiEditRequest::STATUS_QUEUED,
+            'safety_state' => $safetyDecision->state,
+            'prompt' => $prompt,
+            'negative_prompt' => $negativePrompt,
+            'input_image_path' => $photoModel->file_path,
+            'requested_by_device_id' => $deviceId,
+            'requested_by_session_id' => $sessionId,
+            'safety_reasons' => $safetyReasons,
+            'failure_code' => $safetyDecision->failureCode,
+            'failure_message' => $safetyDecision->failureMessage,
+            'queued_at' => now(),
+            'completed_at' => $safetyDecision->blocked ? now() : null,
+            'metadata' => $metadata,
+        ];
+
+        $editRequest = AiEditRequest::query()->firstOrCreate(
+            ['tenant_id' => $event->tenant_id, 'idempotency_key' => $idempotencyKey],
+            $attributes
+        );
+
+        if (! $editRequest->wasRecentlyCreated && $this->isIdempotencyConflict(
+            $editRequest,
+            $event,
+            $photoModel,
+            $style?->id,
+            $prompt,
+            $negativePrompt,
+            $providerModel,
+            $deviceId,
+            $sessionId
+        )) {
+            return ApiError::response(
+                'idempotency_conflict',
+                'Idempotency conflict',
+                'The provided idempotency key is already in use for another request.',
+                Response::HTTP_CONFLICT
+            );
+        }
+
+        if (
+            $editRequest->wasRecentlyCreated
+            && ! $safetyDecision->blocked
+            && $this->runtimeConfig->queueAutoDispatch()
+        ) {
+            ProcessAiEditRequest::dispatch($editRequest->id)
+                ->onQueue($this->runtimeConfig->queueName());
+        }
+
+        return response()->json([
+            'message' => $editRequest->wasRecentlyCreated ? 'AI edit request queued' : 'AI edit request already exists',
+            'duplicate' => ! $editRequest->wasRecentlyCreated,
+            'data' => $this->serializeRequest($editRequest->fresh(['style', 'outputs'])),
+        ], $editRequest->wasRecentlyCreated ? Response::HTTP_CREATED : Response::HTTP_OK);
+    }
+
+    public function show(Request $request, string $token, int $requestId): JsonResponse
+    {
+        $event = $this->resolvePublishedEvent($token);
+        if ($event instanceof JsonResponse) {
+            return $event;
+        }
+
+        $editRequest = AiEditRequest::query()
+            ->with(['style', 'outputs'])
+            ->whereKey($requestId)
+            ->where('event_id', $event->id)
+            ->first();
+
+        if (! $editRequest) {
+            return ApiError::response(
+                'edit_request_not_found',
+                'Edit request not found',
+                'The specified AI edit request could not be located for this event.',
+                Response::HTTP_NOT_FOUND
+            );
+        }
+
+        $deviceId = $this->normalizeOptionalString((string) $request->header('X-Device-Id', ''));
+        if ($editRequest->requested_by_device_id && $deviceId && $editRequest->requested_by_device_id !== $deviceId) {
+            return ApiError::response(
+                'forbidden_request_scope',
+                'Forbidden',
+                'This AI edit request belongs to another device.',
+                Response::HTTP_FORBIDDEN
+            );
+        }
+
+        return response()->json([
+            'data' => $this->serializeRequest($editRequest),
+        ]);
+    }
+
+    public function styles(Request $request, string $token): JsonResponse
+    {
+        $event = $this->resolvePublishedEvent($token);
+        if ($event instanceof JsonResponse) {
+            return $event;
+        }
+
+        if (! $this->runtimeConfig->isEnabled()) {
+            return ApiError::response(
+                'feature_disabled',
+                'Feature disabled',
+                $this->runtimeConfig->statusMessage() ?: 'AI editing is currently disabled by platform policy.',
+                Response::HTTP_FORBIDDEN
+            );
+        }
+
+        $entitlement = $this->entitlements->resolveForEvent($event);
+        if (! $entitlement['allowed']) {
+            return ApiError::response(
+                'feature_locked',
+                'Feature locked',
+                $this->entitlements->lockedMessage(),
+                Response::HTTP_FORBIDDEN,
+                [
+                    'required_feature' => $entitlement['required_feature'],
+                    'addon_keys' => $entitlement['addon_keys'],
+                ]
+            );
+        }
+
+        $policy = $this->eventPolicy->resolve($event);
+        if (! $policy['enabled']) {
+            return ApiError::response(
+                'event_feature_disabled',
+                'Feature disabled for this event',
+                $policy['policy_message'] ?? 'AI editing is disabled for this event.',
+                Response::HTTP_FORBIDDEN
+            );
+        }
+
+        $styles = $this->eventPolicy->filterStyles(
+            $event,
+            AiStyle::query()
+                ->where('is_active', true)
+                ->orderBy('sort')
+                ->orderBy('id')
+                ->get()
+        );
+        $styles = $this->styleAccess->filterStylesForEvent($event, $styles);
+
+        return response()->json([
+            'data' => $styles->map(fn (AiStyle $style) => $this->serializeStyle($style))->values(),
+            'meta' => [
+                'required_feature' => $entitlement['required_feature'],
+                'addon_keys' => $entitlement['addon_keys'],
+                'allow_custom_prompt' => $policy['allow_custom_prompt'],
+                'allowed_style_keys' => $policy['allowed_style_keys'],
+                'policy_message' => $policy['policy_message'],
+            ],
+        ]);
+    }
+
+    private function resolvePublishedEvent(string $token): Event|JsonResponse
+    {
+        $joinToken = $this->joinTokenService->findActiveToken($token);
+
+        if (! $joinToken) {
+            return ApiError::response(
+                'invalid_token',
+                'Invalid token',
+                'The provided event token is invalid or expired.',
+                Response::HTTP_NOT_FOUND
+            );
+        }
+
+        $event = Event::query()
+            ->whereKey($joinToken->event_id)
+            ->where('status', 'published')
+            ->first();
+
+        if (! $event) {
+            return ApiError::response(
+                'event_not_public',
+                'Event not public',
+                'This event is not publicly accessible.',
+                Response::HTTP_FORBIDDEN
+            );
+        }
+
+        return $event;
+    }
+
+    private function resolveStyleByKey(?string $styleKey): ?AiStyle
+    {
+        $key = $this->normalizeOptionalString((string) ($styleKey ?? ''));
+        if (! $key) {
+            return null;
+        }
+
+        return AiStyle::query()
+            ->where('key', $key)
+            ->where('is_active', true)
+            ->first();
+    }
+
+    private function normalizeOptionalString(?string $value): ?string
+    {
+        if ($value === null) {
+            return null;
+        }
+
+        $trimmed = trim($value);
+
+        return $trimmed !== '' ? $trimmed : null;
+    }
+
+    private function resolveIdempotencyKey(
+        mixed $bodyKey,
+        mixed $headerKey,
+        Photo $photo,
+        ?AiStyle $style,
+        string $prompt,
+        ?string $deviceId,
+        ?string $sessionId
+    ): string {
+        $candidate = $this->normalizeOptionalString((string) ($bodyKey ?: $headerKey ?: ''));
+        if ($candidate) {
+            return Str::limit($candidate, 120, '');
+        }
+
+        return substr(hash('sha256', implode('|', [
+            (string) $photo->event_id,
+            (string) $photo->id,
+            (string) ($style?->id ?? ''),
+            trim($prompt),
+            (string) ($deviceId ?? ''),
+            (string) ($sessionId ?? ''),
+        ])), 0, 120);
+    }
+
+    private function isIdempotencyConflict(
+        AiEditRequest $request,
+        Event $event,
+        Photo $photo,
+        ?int $styleId,
+        string $prompt,
+        string $negativePrompt,
+        ?string $providerModel,
+        ?string $deviceId,
+        ?string $sessionId
+    ): bool {
+        if ($request->event_id !== $event->id || $request->photo_id !== $photo->id) {
+            return true;
+        }
+
+        if ((int) ($request->style_id ?? 0) !== (int) ($styleId ?? 0)) {
+            return true;
+        }
+
+        if ($this->normalizeOptionalString($request->prompt) !== $this->normalizeOptionalString($prompt)) {
+            return true;
+        }
+
+        if ($this->normalizeOptionalString($request->negative_prompt) !== $this->normalizeOptionalString($negativePrompt)) {
+            return true;
+        }
+
+        if ($this->normalizeOptionalString($request->provider_model) !== $this->normalizeOptionalString($providerModel)) {
+            return true;
+        }
+
+        if ($this->normalizeOptionalString($request->requested_by_device_id) !== $this->normalizeOptionalString($deviceId)) {
+            return true;
+        }
+
+        return $this->normalizeOptionalString($request->requested_by_session_id) !== $this->normalizeOptionalString($sessionId);
+    }
+
+    private function serializeStyle(AiStyle $style): array
+    {
+        return [
+            'id' => $style->id,
+            'key' => $style->key,
+            'name' => $style->name,
+            'version' => $style->version,
+            'category' => $style->category,
+            'description' => $style->description,
+            'provider' => $style->provider,
+            'provider_model' => $style->provider_model,
+            'requires_source_image' => $style->requires_source_image,
+            'is_premium' => $style->is_premium,
+            'metadata' => $style->metadata ?? [],
+        ];
+    }
+
+    private function serializeRequest(AiEditRequest $request): array
+    {
+        return [
+            'id' => $request->id,
+            'event_id' => $request->event_id,
+            'photo_id' => $request->photo_id,
+            'style' => $request->style ? [
+                'id' => $request->style->id,
+                'key' => $request->style->key,
+                'name' => $request->style->name,
+            ] : null,
+            'provider' => $request->provider,
+            'provider_model' => $request->provider_model,
+            'status' => $request->status,
+            'safety_state' => $request->safety_state,
+            'safety_reasons' => $request->safety_reasons ?? [],
+            'failure_code' => $request->failure_code,
+            'failure_message' => $request->failure_message,
+            'queued_at' => $request->queued_at?->toIso8601String(),
+            'started_at' => $request->started_at?->toIso8601String(),
+            'completed_at' => $request->completed_at?->toIso8601String(),
+            'outputs' => $request->outputs->map(fn ($output) => [
+                'id' => $output->id,
+                'storage_disk' => $output->storage_disk,
+                'storage_path' => $output->storage_path,
+                'provider_url' => $output->provider_url,
+                'mime_type' => $output->mime_type,
+                'width' => $output->width,
+                'height' => $output->height,
+                'is_primary' => $output->is_primary,
+                'safety_state' => $output->safety_state,
+                'safety_reasons' => $output->safety_reasons ?? [],
+                'generated_at' => $output->generated_at?->toIso8601String(),
+            ])->values(),
+        ];
+    }
+}

app/Http/Controllers/Api/EventPublicController.php

@@ -16,6 +16,9 @@ use App\Models\GuestNotification;
 use App\Models\GuestPolicySetting;
 use App\Models\Photo;
 use App\Models\PhotoShareLink;
+use App\Services\AiEditing\AiEditingRuntimeConfig;
+use App\Services\AiEditing\AiStylingEntitlementService;
+use App\Services\AiEditing\EventAiEditingPolicyService;
 use App\Services\Analytics\JoinTokenAnalyticsRecorder;
 use App\Services\EventJoinTokenService;
 use App\Services\EventTasksCacheService;
@@ -41,6 +44,7 @@ use Illuminate\Support\Facades\Schema;
 use Illuminate\Support\Facades\Storage;
 use Illuminate\Support\Facades\URL;
 use Illuminate\Support\Str;
+use SimpleSoftwareIO\QrCode\Facades\QrCode;
 use Symfony\Component\HttpFoundation\Response;
 
 class EventPublicController extends BaseController
@@ -60,6 +64,9 @@ class EventPublicController extends BaseController
         private readonly EventTasksCacheService $eventTasksCache,
         private readonly GuestNotificationService $guestNotificationService,
         private readonly PushSubscriptionService $pushSubscriptions,
+        private readonly AiEditingRuntimeConfig $aiEditingRuntimeConfig,
+        private readonly AiStylingEntitlementService $aiStylingEntitlements,
+        private readonly EventAiEditingPolicyService $eventAiEditingPolicy,
     ) {}
 
     /**
@@ -185,6 +192,57 @@ class EventPublicController extends BaseController
             );
         }
 
+        $deviceId = (string) $request->header('X-Device-Id', $request->input('device_id', ''));
+        $deviceId = $deviceId !== '' ? $deviceId : null;
+
+        if ($event->id ?? null) {
+            $eventModel = Event::with(['tenant', 'eventPackage.package', 'eventPackages.package'])->find($event->id);
+            if ($eventModel && $eventModel->tenant) {
+                $eventPackage = $this->packageLimitEvaluator->resolveEventPackageForPhotoUpload(
+                    $eventModel->tenant,
+                    $eventModel->id,
+                    $eventModel
+                );
+                $maxGuests = $eventPackage?->effectiveGuestLimit();
+
+                if ($eventPackage && $maxGuests !== null) {
+                    $grace = (int) config('package-limits.guest_grace', 10);
+                    $hardLimit = $maxGuests + max(0, $grace);
+                    $usedGuests = (int) $eventPackage->used_guests;
+                    $isReturningGuest = $this->joinTokenService->hasSeenGuest($eventModel->id, $deviceId, $request->ip());
+
+                    if ($usedGuests >= $hardLimit && ! $isReturningGuest) {
+                        $this->recordTokenEvent(
+                            $joinToken,
+                            $request,
+                            'guest_limit_exceeded',
+                            [
+                                'event_id' => $eventModel->id,
+                                'used' => $usedGuests,
+                                'limit' => $maxGuests,
+                                'hard_limit' => $hardLimit,
+                            ],
+                            $token,
+                            Response::HTTP_PAYMENT_REQUIRED
+                        );
+
+                        return ApiError::response(
+                            'guest_limit_exceeded',
+                            __('api.packages.guest_limit_exceeded.title'),
+                            __('api.packages.guest_limit_exceeded.message'),
+                            Response::HTTP_PAYMENT_REQUIRED,
+                            [
+                                'event_id' => $eventModel->id,
+                                'used' => $usedGuests,
+                                'limit' => $maxGuests,
+                                'hard_limit' => $hardLimit,
+                            ]
+                        );
+                    }
+                }
+            }
+        }
+
         RateLimiter::clear($rateLimiterKey);
 
         if (isset($event->status)) {
@@ -1003,6 +1061,7 @@ class EventPublicController extends BaseController
      *     heading_font: ?string,
      *     body_font: ?string,
      *     font_size: string,
+     *     welcome_message: ?string,
      *     logo_url: ?string,
      *     logo_mode: string,
      *     logo_value: ?string,
@@ -1025,10 +1084,10 @@ class EventPublicController extends BaseController
     private function resolveBrandingPayload(Event $event): array
     {
         $defaults = [
-            'primary' => '#f43f5e',
-            'secondary' => '#fb7185',
-            'background' => '#ffffff',
-            'surface' => '#ffffff',
+            'primary' => '#FF5A5F',
+            'secondary' => '#FFF8F5',
+            'background' => '#FFF8F5',
+            'surface' => '#FFF8F5',
             'font' => null,
             'size' => 'm',
             'logo_position' => 'left',
@@ -1042,12 +1101,8 @@ class EventPublicController extends BaseController
         $brandingAllowed = $this->determineBrandingAllowed($event);
 
         $eventBranding = $brandingAllowed ? Arr::get($event->settings, 'branding', []) : [];
-        $tenantBranding = $brandingAllowed ? Arr::get($event->tenant?->settings, 'branding', []) : [];
-
         $useDefault = (bool) Arr::get($eventBranding, 'use_default_branding', Arr::get($eventBranding, 'use_default', false));
-        $sources = $brandingAllowed
-            ? ($useDefault ? [$tenantBranding] : [$eventBranding, $tenantBranding])
-            : [[]];
+        $sources = $brandingAllowed ? [$eventBranding] : [[]];
 
         $primary = $this->normalizeHexColor(
             $this->firstStringFromSources($sources, ['palette.primary', 'primary_color']),
@@ -1070,6 +1125,7 @@ class EventPublicController extends BaseController
         $bodyFont = $this->firstStringFromSources($sources, ['typography.body', 'body_font', 'font_family']);
         $fontSize = $this->firstStringFromSources($sources, ['typography.size', 'font_size']) ?? $defaults['size'];
         $fontSize = in_array($fontSize, ['s', 'm', 'l'], true) ? $fontSize : $defaults['size'];
+        $welcomeMessage = $this->firstStringFromSources($sources, ['welcome_message', 'welcomeMessage']);
 
         $logoMode = $this->firstStringFromSources($sources, ['logo.mode', 'logo_mode']);
         if (! in_array($logoMode, ['emoticon', 'upload'], true)) {
@@ -1131,6 +1187,7 @@ class EventPublicController extends BaseController
             'heading_font' => $headingFont,
             'body_font' => $bodyFont,
             'font_size' => $fontSize,
+            'welcome_message' => $welcomeMessage,
             'logo_url' => $logoMode === 'upload' ? $logoValue : null,
             'logo_mode' => $logoMode,
             'logo_value' => $logoValue,
@@ -1298,7 +1355,7 @@ class EventPublicController extends BaseController
             );
         }
 
-        $diskName = config('filesystems.default', 'public');
+        $diskName = 'public';
 
         try {
             $storage = Storage::disk($diskName);
@@ -1413,8 +1470,7 @@ class EventPublicController extends BaseController
             [
                 'slug' => $shareLink->slug,
                 'variant' => $variant,
-            ],
-            absolute: false
+            ]
         );
     }
 
@@ -1687,6 +1743,7 @@ class EventPublicController extends BaseController
                 'name' => $event->name,
                 'city' => $event->city,
             ] : null,
+            'branding' => $event ? $this->resolveBrandingPayload($event) : null,
         ])->header('Cache-Control', 'no-store');
     }
 
@@ -1902,11 +1959,18 @@ class EventPublicController extends BaseController
         $engagementMode = $settings['engagement_mode'] ?? 'tasks';
         $liveShowSettings = Arr::get($settings, 'live_show', []);
         $liveShowSettings = is_array($liveShowSettings) ? $liveShowSettings : [];
+        $aiStylingEntitlement = $this->aiStylingEntitlements->resolveForEvent($event);
+        $aiEditingPolicy = $this->eventAiEditingPolicy->resolve($event);
+        $aiStylingAvailable = $this->aiEditingRuntimeConfig->isEnabled()
+            && (bool) $aiStylingEntitlement['allowed']
+            && (bool) $aiEditingPolicy['enabled'];
         $event->loadMissing('photoboothSetting');
         $policy = $this->guestPolicy();
 
         if ($joinToken) {
-            $this->joinTokenService->incrementUsage($joinToken);
+            $deviceId = (string) $request->header('X-Device-Id', $request->input('device_id', ''));
+            $deviceId = $deviceId !== '' ? $deviceId : null;
+            $this->joinTokenService->incrementUsage($joinToken, $deviceId, $request->ip());
         }
 
         $demoReadOnly = (bool) Arr::get($joinToken?->metadata ?? [], 'demo_read_only', false);
@@ -1927,10 +1991,58 @@ class EventPublicController extends BaseController
             'live_show' => [
                 'moderation_mode' => $liveShowSettings['moderation_mode'] ?? 'manual',
             ],
+            'capabilities' => [
+                'ai_styling' => $aiStylingAvailable,
+                'ai_styling_granted_by' => $aiStylingEntitlement['granted_by'],
+                'ai_styling_required_feature' => $aiStylingEntitlement['required_feature'],
+                'ai_styling_addon_keys' => $aiStylingEntitlement['addon_keys'],
+                'ai_styling_event_enabled' => (bool) $aiEditingPolicy['enabled'],
+            ],
             'engagement_mode' => $engagementMode,
         ])->header('Cache-Control', 'no-store');
     }
 
+    public function qr(Request $request, string $token): JsonResponse
+    {
+        $result = $this->resolvePublishedEvent($request, $token, ['id']);
+
+        if ($result instanceof JsonResponse) {
+            return $result;
+        }
+
+        [, $joinToken] = $result;
+
+        $joinTokenValue = $joinToken->token ?? $token;
+        $qrCodeUrl = $joinTokenValue ? url('/e/'.$joinTokenValue) : null;
+        $qrCodeDataUrl = null;
+
+        if ($qrCodeUrl) {
+            $requestedSize = (int) $request->query('size', 360);
+            $size = max(120, min($requestedSize, 640));
+
+            try {
+                $png = QrCode::format('png')
+                    ->size($size)
+                    ->margin(1)
+                    ->errorCorrection('M')
+                    ->generate($qrCodeUrl);
+
+                $pngBinary = (string) $png;
+
+                if ($pngBinary !== '') {
+                    $qrCodeDataUrl = 'data:image/png;base64,'.base64_encode($pngBinary);
+                }
+            } catch (\Throwable $exception) {
+                report($exception);
+            }
+        }
+
+        return response()->json([
+            'url' => $qrCodeUrl,
+            'qr_code_data_url' => $qrCodeDataUrl,
+        ])->header('Cache-Control', 'no-store');
+    }
+
     public function package(Request $request, string $token)
     {
         $result = $this->resolvePublishedEvent($request, $token, ['id']);
@@ -2547,6 +2659,15 @@ class EventPublicController extends BaseController
             ->distinct('guest_name')
             ->count('guest_name');
 
+        $guestCount = DB::table('photos')
+            ->where('event_id', $eventId)
+            ->distinct('guest_name')
+            ->count('guest_name');
+
+        $likesCount = (int) DB::table('photos')
+            ->where('event_id', $eventId)
+            ->sum('likes_count');
+
         // Tasks solved as number of photos linked to a task (proxy metric).
         $tasksSolved = $engagementMode === 'photo_only'
             ? 0
@@ -2557,6 +2678,8 @@ class EventPublicController extends BaseController
         $payload = [
             'online_guests' => $onlineGuests,
             'tasks_solved' => $tasksSolved,
+            'guest_count' => $guestCount,
+            'likes_count' => $likesCount,
             'latest_photo_at' => $latestPhotoAt,
             'engagement_mode' => $engagementMode,
         ];
@@ -2742,12 +2865,14 @@ class EventPublicController extends BaseController
         [$locale] = $this->resolveGuestLocale($request, $event);
         $fallbacks = $this->localeFallbackChain($locale, $event->default_locale ?? null);
 
-        $deviceId = (string) $request->header('X-Device-Id', 'anon');
+        $deviceId = $this->normalizeGuestIdentifier((string) $request->header('X-Device-Id', ''));
+        $deviceId = $deviceId !== '' ? $deviceId : 'anon';
         $filter = $request->query('filter');
 
         $since = $request->query('since');
         $query = DB::table('photos')
             ->leftJoin('tasks', 'photos.task_id', '=', 'tasks.id')
+            ->leftJoin('emotions', 'photos.emotion_id', '=', 'emotions.id')
             ->select([
                 'photos.id',
                 'photos.file_path',
@@ -2756,9 +2881,14 @@ class EventPublicController extends BaseController
                 'photos.emotion_id',
                 'photos.task_id',
                 'photos.guest_name',
+                'photos.created_by_device_id',
                 'photos.created_at',
                 'photos.ingest_source',
                 'tasks.title as task_title',
+                'emotions.name as emotion_name',
+                'emotions.icon as emotion_icon',
+                'emotions.color as emotion_color',
+                'emotions.id as emotion_lookup_id',
             ])
             ->where('photos.event_id', $eventId)
             ->where('photos.status', 'approved')
@@ -2769,13 +2899,16 @@ class EventPublicController extends BaseController
         if ($filter === 'photobooth') {
             $query->whereIn('photos.ingest_source', [Photo::SOURCE_PHOTOBOOTH, Photo::SOURCE_SPARKBOOTH]);
         } elseif ($filter === 'myphotos' && $deviceId !== 'anon') {
-            $query->where('guest_name', $deviceId);
+            $query->where(function ($inner) use ($deviceId) {
+                $inner->where('created_by_device_id', $deviceId)
+                    ->orWhere('guest_name', $deviceId);
+            });
         }
 
         if ($since) {
             $query->where('photos.created_at', '>', $since);
         }
-        $rows = $query->get()->map(function ($r) use ($fallbacks, $token) {
+        $rows = $query->get()->map(function ($r) use ($fallbacks, $token, $deviceId) {
             $r->file_path = $this->makeSignedGalleryAssetUrlForId($token, (int) $r->id, 'full')
                 ?? $this->resolveSignedFallbackUrl((string) ($r->file_path ?? ''));
             $r->thumbnail_path = $this->makeSignedGalleryAssetUrlForId($token, (int) $r->id, 'thumbnail')
@@ -2786,7 +2919,25 @@ class EventPublicController extends BaseController
                 $r->task_title = $this->firstLocalizedValue($r->task_title, $fallbacks, 'Unbenannte Aufgabe');
             }
 
+            $emotion = null;
+            if ($r->emotion_id) {
+                $emotionName = $this->firstLocalizedValue($r->emotion_name, $fallbacks, '');
+                if ($emotionName !== '') {
+                    $emotion = [
+                        'id' => (int) ($r->emotion_lookup_id ?? $r->emotion_id),
+                        'name' => $emotionName,
+                        'icon' => $r->emotion_icon ?: null,
+                        'color' => $r->emotion_color ?: null,
+                    ];
+                }
+            }
+            $r->emotion = $emotion;
+
             $r->ingest_source = $r->ingest_source ?? Photo::SOURCE_UNKNOWN;
+            $createdBy = $r->created_by_device_id ? $this->normalizeGuestIdentifier((string) $r->created_by_device_id) : '';
+            $r->is_mine = $deviceId !== 'anon'
+                && $deviceId !== ''
+                && (($createdBy !== '' && $createdBy === $deviceId) || ($createdBy === '' && (string) $r->guest_name === $deviceId));
 
             return $r;
         });
@@ -2879,6 +3030,159 @@ class EventPublicController extends BaseController
         return response()->json(['liked' => true, 'likes_count' => $count]);
     }
 
+    public function unlike(Request $request, int $id)
+    {
+        $deviceId = (string) $request->header('X-Device-Id', 'anon');
+        $deviceId = substr(preg_replace('/[^a-zA-Z0-9_-]/', '', $deviceId), 0, 64);
+        if ($deviceId === '') {
+            $deviceId = 'anon';
+        }
+
+        $photo = DB::table('photos')
+            ->join('events', 'photos.event_id', '=', 'events.id')
+            ->where('photos.id', $id)
+            ->where('events.status', 'published')
+            ->first(['photos.id', 'photos.event_id']);
+        if (! $photo) {
+            return ApiError::response(
+                'photo_not_found',
+                'Photo Not Found',
+                'Photo not found or event not public.',
+                Response::HTTP_NOT_FOUND,
+                ['photo_id' => $id]
+            );
+        }
+
+        $exists = DB::table('photo_likes')->where('photo_id', $id)->where('guest_name', $deviceId)->exists();
+        if (! $exists) {
+            $count = (int) DB::table('photos')->where('id', $id)->value('likes_count');
+
+            return response()->json(['liked' => false, 'likes_count' => $count]);
+        }
+
+        DB::beginTransaction();
+        try {
+            DB::table('photo_likes')->where('photo_id', $id)->where('guest_name', $deviceId)->delete();
+            DB::table('photos')->where('id', $id)->update([
+                'likes_count' => DB::raw('case when likes_count > 0 then likes_count - 1 else 0 end'),
+                'updated_at' => now(),
+            ]);
+            DB::commit();
+        } catch (\Throwable $e) {
+            DB::rollBack();
+            Log::warning('unlike failed', ['error' => $e->getMessage()]);
+        }
+
+        $count = (int) DB::table('photos')->where('id', $id)->value('likes_count');
+
+        return response()->json(['liked' => false, 'likes_count' => $count]);
+    }
+
+    public function destroyPhoto(Request $request, string $token, Photo $photo): JsonResponse
+    {
+        $result = $this->resolvePublishedEvent($request, $token, ['id']);
+
+        if ($result instanceof JsonResponse) {
+            return $result;
+        }
+
+        [$event] = $result;
+        $deviceId = $this->resolveDeviceIdentifier($request);
+
+        if ($deviceId === 'anonymous') {
+            return ApiError::response(
+                'photo_delete_forbidden',
+                'Delete Not Allowed',
+                'This photo cannot be deleted from this device.',
+                Response::HTTP_FORBIDDEN,
+                ['photo_id' => $photo->id]
+            );
+        }
+
+        if ($photo->event_id !== (int) $event->id) {
+            return ApiError::response(
+                'photo_not_found',
+                'Photo Not Found',
+                'Photo not found or event not public.',
+                Response::HTTP_NOT_FOUND,
+                ['photo_id' => $photo->id]
+            );
+        }
+
+        $ownerId = $photo->created_by_device_id
+            ? $this->normalizeGuestIdentifier((string) $photo->created_by_device_id)
+            : '';
+        $guestName = is_string($photo->guest_name) ? $photo->guest_name : '';
+        $isOwner = $ownerId !== ''
+            ? $ownerId === $deviceId
+            : ($guestName !== '' && $guestName === $deviceId);
+
+        if (! $isOwner) {
+            return ApiError::response(
+                'photo_delete_forbidden',
+                'Delete Not Allowed',
+                'This photo cannot be deleted from this device.',
+                Response::HTTP_FORBIDDEN,
+                ['photo_id' => $photo->id]
+            );
+        }
+
+        $eventModel = Event::with(['eventPackage.package'])->find((int) $event->id);
+        $assets = EventMediaAsset::where('photo_id', $photo->id)->get();
+
+        foreach ($assets as $asset) {
+            if (! is_string($asset->path) || $asset->path === '') {
+                continue;
+            }
+            try {
+                Storage::disk($asset->disk)->delete($asset->path);
+            } catch (\Throwable $e) {
+                Log::warning('Failed to delete guest photo asset from storage', [
+                    'asset_id' => $asset->id,
+                    'disk' => $asset->disk,
+                    'path' => $asset->path,
+                    'error' => $e->getMessage(),
+                ]);
+            }
+        }
+
+        if ($assets->isEmpty() && $eventModel) {
+            $fallbackDisk = $this->eventStorageManager->getHotDiskForEvent($eventModel);
+            $paths = array_values(array_filter([
+                is_string($photo->path ?? null) ? $photo->path : null,
+                is_string($photo->thumbnail_path ?? null) ? $photo->thumbnail_path : null,
+                is_string($photo->file_path ?? null) ? $photo->file_path : null,
+            ]));
+            if (! empty($paths)) {
+                Storage::disk($fallbackDisk)->delete($paths);
+            }
+        }
+
+        DB::transaction(function () use ($photo, $assets) {
+            $photo->likes()->delete();
+            PhotoShareLink::where('photo_id', $photo->id)->delete();
+            if ($assets->isNotEmpty()) {
+                EventMediaAsset::whereIn('id', $assets->pluck('id'))->delete();
+            }
+            $photo->delete();
+        });
+
+        $eventPackage = $eventModel?->eventPackage;
+        if ($eventPackage && $eventPackage->package) {
+            $previousUsed = (int) $eventPackage->used_photos;
+            if ($previousUsed > 0) {
+                $eventPackage->decrement('used_photos');
+                $eventPackage->refresh();
+                $this->packageUsageTracker->recordPhotoUsage($eventPackage, $previousUsed, -1);
+            }
+        }
+
+        return response()->json([
+            'message' => 'Photo deleted successfully',
+            'photo_id' => $photo->id,
+        ]);
+    }
+
     public function upload(Request $request, string $token)
     {
         $result = $this->resolvePublishedEvent($request, $token, ['id']);
@@ -2921,6 +3225,12 @@ class EventPublicController extends BaseController
         $policy = $this->guestPolicy();
         $uploadVisibility = Arr::get($eventModel->settings ?? [], 'guest_upload_visibility', $policy->guest_upload_visibility);
         $autoApproveUploads = $uploadVisibility === 'immediate';
+        $controlRoom = Arr::get($eventModel->settings ?? [], 'control_room', []);
+        $controlRoom = is_array($controlRoom) ? $controlRoom : [];
+        $autoAddApprovedToLiveSetting = (bool) Arr::get($controlRoom, 'auto_add_approved_to_live', true);
+        $trustedUploaders = Arr::get($controlRoom, 'trusted_uploaders', []);
+        $forceReviewUploaders = Arr::get($controlRoom, 'force_review_uploaders', []);
+        $autoAddApprovedToLiveDefault = $autoAddApprovedToLiveSetting || $autoApproveUploads;
 
         $tenantModel = $eventModel->tenant;
 
@@ -2953,6 +3263,34 @@ class EventPublicController extends BaseController
             ->resolveEventPackageForPhotoUpload($tenantModel, $eventId, $eventModel);
 
         $deviceId = $this->resolveDeviceIdentifier($request);
+        $deviceHasRule = static function (array $entries, string $deviceId): bool {
+            foreach ($entries as $entry) {
+                if (! is_array($entry)) {
+                    continue;
+                }
+                $candidate = $entry['device_id'] ?? null;
+                if (is_string($candidate) && $candidate === $deviceId) {
+                    return true;
+                }
+            }
+
+            return false;
+        };
+        $deviceHasRules = $deviceId !== 'anonymous';
+        $isForceReviewUploader = $deviceHasRules && is_array($forceReviewUploaders)
+            ? $deviceHasRule($forceReviewUploaders, $deviceId)
+            : false;
+        $isTrustedUploader = $deviceHasRules && is_array($trustedUploaders)
+            ? $deviceHasRule($trustedUploaders, $deviceId)
+            : false;
+
+        if ($isForceReviewUploader) {
+            $autoApproveUploads = false;
+        } elseif ($isTrustedUploader) {
+            $autoApproveUploads = true;
+        }
+
+        $autoAddApprovedToLive = $autoAddApprovedToLiveDefault && $autoApproveUploads;
 
         $deviceLimit = max(0, (int) ($policy->per_device_upload_limit ?? 50));
         $deviceCount = DB::table('photos')->where('event_id', $eventId)->where('guest_name', $deviceId)->count();
@@ -3037,10 +3375,21 @@ class EventPublicController extends BaseController
         $liveApprovedAt = null;
         $liveReviewedAt = null;
         $liveStatus = PhotoLiveStatus::NONE->value;
+        $securityMeta = $isForceReviewUploader
+            ? [
+                'manual_review' => true,
+                'manual_review_reason' => 'force_review_device',
+            ]
+            : null;
+        $securityMetaValue = $securityMeta ? json_encode($securityMeta) : null;
 
-        if ($liveOptIn) {
+        if ($liveOptIn || $autoAddApprovedToLive) {
             $liveSubmittedAt = now();
-            if ($liveModerationMode === 'off') {
+            if ($autoAddApprovedToLive) {
+                $liveStatus = PhotoLiveStatus::APPROVED->value;
+                $liveApprovedAt = $liveSubmittedAt;
+                $liveReviewedAt = $liveSubmittedAt;
+            } elseif ($liveModerationMode === 'off') {
                 $liveStatus = PhotoLiveStatus::APPROVED->value;
                 $liveApprovedAt = $liveSubmittedAt;
                 $liveReviewedAt = $liveSubmittedAt;
@@ -3048,6 +3397,12 @@ class EventPublicController extends BaseController
                 $liveStatus = PhotoLiveStatus::PENDING->value;
             }
         }
+        if ($isForceReviewUploader) {
+            $liveStatus = PhotoLiveStatus::REJECTED->value;
+            $liveSubmittedAt = null;
+            $liveApprovedAt = null;
+            $liveReviewedAt = now();
+        }
 
         $photoId = DB::table('photos')->insertGetId([
             'event_id' => $eventId,
@@ -3071,6 +3426,7 @@ class EventPublicController extends BaseController
             'emotion_id' => $this->resolveEmotionId($validated, $eventId),
             'is_featured' => 0,
             'metadata' => null,
+            'security_meta' => $securityMetaValue,
             'created_at' => now(),
             'updated_at' => now(),
         ]);

app/Http/Controllers/Api/LegalController.php

@@ -26,11 +26,11 @@ class LegalController extends BaseController
             'allow_unsafe_links' => false,
         ]);
 
-        $environment->addExtension(new CommonMarkCoreExtension());
-        $environment->addExtension(new TableExtension());
-        $environment->addExtension(new AutolinkExtension());
-        $environment->addExtension(new StrikethroughExtension());
-        $environment->addExtension(new TaskListExtension());
+        $environment->addExtension(new CommonMarkCoreExtension);
+        $environment->addExtension(new TableExtension);
+        $environment->addExtension(new AutolinkExtension);
+        $environment->addExtension(new StrikethroughExtension);
+        $environment->addExtension(new TaskListExtension);
 
         $this->markdown = new MarkdownConverter($environment);
     }

app/Http/Controllers/Api/LiveShowController.php

@@ -212,6 +212,10 @@ class LiveShowController extends BaseController
 
         return Event::query()
             ->where('live_show_token', $token)
+            ->where(function (Builder $query) {
+                $query->whereNull('live_show_token_expires_at')
+                    ->orWhere('live_show_token_expires_at', '>=', now());
+            })
             ->first();
     }
 

app/Http/Controllers/Api/Marketing/CouponPreviewController.php

@@ -24,12 +24,6 @@ class CouponPreviewController extends Controller
 
         $package = Package::findOrFail($data['package_id']);
 
-        if (! $package->paddle_price_id) {
-            throw ValidationException::withMessages([
-                'code' => __('marketing.coupon.errors.package_not_configured'),
-            ]);
-        }
-
         $tenant = Auth::user()?->tenant;
 
         try {

app/Http/Controllers/Api/Marketing/GiftVoucherCheckoutController.php

@@ -36,7 +36,7 @@ class GiftVoucherCheckoutController extends Controller
 
         if (! $checkout['checkout_url']) {
             throw ValidationException::withMessages([
-                'tier_key' => __('Unable to create Paddle checkout.'),
+                'tier_key' => __('Unable to create checkout.'),
             ]);
         }
 
@@ -46,24 +46,43 @@ class GiftVoucherCheckoutController extends Controller
     public function show(Request $request): JsonResponse
     {
         $data = $request->validate([
-            'checkout_id' => ['nullable', 'string', 'required_without_all:transaction_id,code'],
-            'transaction_id' => ['nullable', 'string', 'required_without_all:checkout_id,code'],
-            'code' => ['nullable', 'string', 'required_without_all:checkout_id,transaction_id'],
+            'checkout_id' => ['nullable', 'string', 'required_without_all:order_id,code'],
+            'order_id' => ['nullable', 'string', 'required_without_all:checkout_id,code'],
+            'code' => ['nullable', 'string', 'required_without_all:checkout_id,order_id'],
         ]);
 
-        $voucherQuery = GiftVoucher::query();
+        $voucherQuery = GiftVoucher::query()
+            ->where('status', '!=', GiftVoucher::STATUS_PENDING)
+            ->where(function ($query) use ($data) {
+                $hasCondition = false;
 
-        if (! empty($data['checkout_id'])) {
-            $voucherQuery->where('paddle_checkout_id', $data['checkout_id']);
-        }
+                if (! empty($data['checkout_id'])) {
+                    $query->where(function ($inner) use ($data) {
+                        $inner->where('lemonsqueezy_checkout_id', $data['checkout_id'])
+                            ->orWhere('paypal_order_id', $data['checkout_id']);
+                    });
 
-        if (! empty($data['transaction_id'])) {
-            $voucherQuery->orWhere('paddle_transaction_id', $data['transaction_id']);
-        }
+                    $hasCondition = true;
+                }
 
-        if (! empty($data['code'])) {
-            $voucherQuery->orWhere('code', strtoupper($data['code']));
-        }
+                if (! empty($data['order_id'])) {
+                    $method = $hasCondition ? 'orWhere' : 'where';
+
+                    $query->{$method}(function ($inner) use ($data) {
+                        $inner->where('lemonsqueezy_order_id', $data['order_id'])
+                            ->orWhere('paypal_capture_id', $data['order_id'])
+                            ->orWhere('paypal_order_id', $data['order_id']);
+                    });
+
+                    $hasCondition = true;
+                }
+
+                if (! empty($data['code'])) {
+                    $method = $hasCondition ? 'orWhere' : 'where';
+
+                    $query->{$method}('code', strtoupper($data['code']));
+                }
+            });
 
         $voucher = $voucherQuery->latest()->firstOrFail();
 

app/Http/Controllers/Api/PackageController.php

@@ -3,18 +3,26 @@
 namespace App\Http\Controllers\Api;
 
 use App\Http\Controllers\Controller;
+use App\Http\Requests\Checkout\CheckoutSessionStatusRequest;
+use App\Models\CheckoutSession;
 use App\Models\Package;
 use App\Models\PackagePurchase;
 use App\Models\TenantPackage;
-use App\Services\Paddle\PaddleCheckoutService;
+use App\Services\Checkout\CheckoutSessionService;
+use App\Services\PayPal\Exceptions\PayPalException;
+use App\Services\PayPal\PayPalOrderService;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
 use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Facades\Log;
 use Illuminate\Validation\ValidationException;
 
 class PackageController extends Controller
 {
-    public function __construct(private readonly PaddleCheckoutService $paddleCheckout) {}
+    public function __construct(
+        private readonly PayPalOrderService $paypalOrders,
+        private readonly CheckoutSessionService $sessions,
+    ) {}
 
     public function index(Request $request): JsonResponse
     {
@@ -47,7 +55,7 @@ class PackageController extends Controller
         $request->validate([
             'package_id' => 'required|exists:packages,id',
             'type' => 'required|in:endcustomer,reseller',
-            'payment_method' => 'required|in:paddle',
+            'payment_method' => 'required|in:paypal',
             'event_id' => 'nullable|exists:events,id', // For endcustomer
             'success_url' => 'nullable|url',
             'return_url' => 'nullable|url',
@@ -73,7 +81,7 @@ class PackageController extends Controller
     {
         $request->validate([
             'package_id' => 'required|exists:packages,id',
-            'paddle_transaction_id' => 'required|string',
+            'paypal_order_id' => 'required|string',
         ]);
 
         $package = Package::findOrFail($request->package_id);
@@ -83,14 +91,14 @@ class PackageController extends Controller
             throw ValidationException::withMessages(['tenant' => 'Tenant not found.']);
         }
 
-        $provider = 'paddle';
+        $provider = 'paypal';
 
         DB::transaction(function () use ($request, $package, $tenant, $provider) {
             PackagePurchase::create([
                 'tenant_id' => $tenant->id,
                 'package_id' => $package->id,
                 'provider' => $provider,
-                'provider_id' => $request->input('paddle_transaction_id'),
+                'provider_id' => $request->input('paypal_order_id'),
                 'price' => $package->price,
                 'type' => 'endcustomer_event',
                 'purchased_at' => now(),
@@ -155,33 +163,118 @@ class PackageController extends Controller
         ], 201);
     }
 
-    public function createPaddleCheckout(Request $request): JsonResponse
+    public function createPayPalCheckout(Request $request): JsonResponse
     {
         $request->validate([
             'package_id' => 'required|exists:packages,id',
             'success_url' => 'nullable|url',
             'return_url' => 'nullable|url',
+            'cancel_url' => 'nullable|url',
+            'locale' => 'nullable|string|max:10',
         ]);
 
         $package = Package::findOrFail($request->integer('package_id'));
         $tenant = $request->attributes->get('tenant');
+        $user = $request->user();
 
         if (! $tenant) {
             throw ValidationException::withMessages(['tenant' => 'Tenant context missing.']);
         }
 
-        if (! $package->paddle_price_id) {
-            throw ValidationException::withMessages(['package_id' => 'Package is not linked to a Paddle price.']);
+        if (! $user) {
+            throw ValidationException::withMessages(['user' => 'User context missing.']);
         }
 
-        $payload = [
-            'success_url' => $request->input('success_url'),
-            'return_url' => $request->input('return_url'),
-        ];
+        $session = $this->sessions->createOrResume($user, $package, [
+            'tenant' => $tenant,
+        ]);
 
-        $checkout = $this->paddleCheckout->createCheckout($tenant, $package, $payload);
+        $this->sessions->selectProvider($session, CheckoutSession::PROVIDER_PAYPAL);
 
-        return response()->json($checkout);
+        $now = now();
+
+        $session->forceFill([
+            'accepted_terms_at' => $now,
+            'accepted_privacy_at' => $now,
+            'accepted_withdrawal_notice_at' => $now,
+            'digital_content_waiver_at' => null,
+            'legal_version' => config('app.legal_version', $now->toDateString()),
+        ])->save();
+
+        $successUrl = $request->input('success_url') ?? $request->input('return_url');
+        $cancelUrl = $request->input('cancel_url') ?? $request->input('return_url');
+        $paypalReturnUrl = route('paypal.return', absolute: true);
+
+        try {
+            $order = $this->paypalOrders->createOrder($session, $package, [
+                'return_url' => $paypalReturnUrl,
+                'cancel_url' => $paypalReturnUrl,
+                'locale' => $request->input('locale'),
+                'request_id' => $session->id,
+            ]);
+        } catch (PayPalException $exception) {
+            Log::warning('PayPal order creation failed (tenant)', [
+                'tenant_id' => $tenant->id,
+                'package_id' => $package->id,
+                'session_id' => $session->id,
+                'message' => $exception->getMessage(),
+                'status' => $exception->status(),
+            ]);
+
+            throw ValidationException::withMessages(['paypal' => 'PayPal checkout could not be created.']);
+        }
+
+        $orderId = $order['id'] ?? null;
+        if (! is_string($orderId) || $orderId === '') {
+            throw ValidationException::withMessages(['paypal' => 'PayPal order ID missing.']);
+        }
+
+        $approveUrl = $this->paypalOrders->resolveApproveUrl($order);
+
+        $session->forceFill([
+            'paypal_order_id' => $orderId,
+            'provider_metadata' => array_merge($session->provider_metadata ?? [], array_filter([
+                'paypal_order_id' => $orderId,
+                'paypal_status' => $order['status'] ?? null,
+                'paypal_approve_url' => $approveUrl,
+                'paypal_success_url' => $successUrl,
+                'paypal_cancel_url' => $cancelUrl,
+                'paypal_created_at' => now()->toIso8601String(),
+            ])),
+        ])->save();
+
+        $this->sessions->markRequiresCustomerAction($session, 'paypal_approval');
+
+        return response()->json([
+            'order_id' => $orderId,
+            'approve_url' => $approveUrl,
+            'status' => $order['status'] ?? null,
+            'checkout_session_id' => $session->id,
+        ]);
+    }
+
+    public function checkoutSessionStatus(CheckoutSessionStatusRequest $request, CheckoutSession $session): JsonResponse
+    {
+        $history = $session->status_history ?? [];
+        $reason = null;
+
+        foreach (array_reverse($history) as $entry) {
+            if (($entry['status'] ?? null) === $session->status) {
+                $reason = $entry['reason'] ?? null;
+                break;
+            }
+        }
+
+        $checkoutUrl = $session->provider === CheckoutSession::PROVIDER_PAYPAL
+            ? data_get($session->provider_metadata ?? [], 'paypal_approve_url')
+            : data_get($session->provider_metadata ?? [], 'lemonsqueezy_checkout_url');
+
+        return response()->json([
+            'status' => $session->status,
+            'completed_at' => optional($session->completed_at)->toIso8601String(),
+            'reason' => $reason,
+            'checkout_url' => is_string($checkoutUrl) ? $checkoutUrl : null,
+        ]);
     }
 
     private function handleFreePurchase(Request $request, Package $package, $tenant): JsonResponse
@@ -212,13 +305,13 @@ class PackageController extends Controller
                     'purchased_at' => now(),
                 ]);
             } else {
-                // Reseller subscription
+                // Partner / reseller Event-Kontingent package
                 \App\Models\TenantPackage::create([
                     'tenant_id' => $tenant->id,
                     'package_id' => $package->id,
                     'price' => $package->price,
                     'purchased_at' => now(),
-                    'expires_at' => now()->addYear(),
+                    'expires_at' => null,
                     'active' => true,
                 ]);
             }
@@ -232,19 +325,44 @@ class PackageController extends Controller
 
     private function handlePaidPurchase(Request $request, Package $package, $tenant): JsonResponse
     {
-        if (! $package->paddle_price_id) {
-            throw ValidationException::withMessages(['package_id' => 'Package is not linked to a Paddle price.']);
+        $successUrl = $request->input('success_url') ?? $request->input('return_url');
+        $cancelUrl = $request->input('cancel_url') ?? $request->input('return_url');
+        $paypalReturnUrl = route('paypal.return', absolute: true);
+
+        try {
+            $session = $this->sessions->createOrResume($request->user(), $package, [
+                'tenant' => $tenant,
+            ]);
+            $this->sessions->selectProvider($session, CheckoutSession::PROVIDER_PAYPAL);
+
+            $order = $this->paypalOrders->createOrder($session, $package, [
+                'return_url' => $paypalReturnUrl,
+                'cancel_url' => $paypalReturnUrl,
+                'locale' => $request->input('locale'),
+                'request_id' => $session->id,
+            ]);
+        } catch (PayPalException $exception) {
+            Log::warning('PayPal order creation failed (purchase)', [
+                'tenant_id' => $tenant->id,
+                'package_id' => $package->id,
+                'message' => $exception->getMessage(),
+                'status' => $exception->status(),
+            ]);
+
+            throw ValidationException::withMessages(['paypal' => 'PayPal checkout could not be created.']);
         }
 
-        $checkout = $this->paddleCheckout->createCheckout($tenant, $package, [
-            'success_url' => $request->input('success_url'),
-            'return_url' => $request->input('return_url'),
-            'metadata' => array_filter([
-                'type' => $request->input('type'),
-                'event_id' => $request->input('event_id'),
-            ]),
-        ]);
+        $orderId = $order['id'] ?? null;
+        if (! is_string($orderId) || $orderId === '') {
+            throw ValidationException::withMessages(['paypal' => 'PayPal order ID missing.']);
+        }
 
-        return response()->json($checkout);
+        return response()->json([
+            'order_id' => $orderId,
+            'approve_url' => $this->paypalOrders->resolveApproveUrl($order),
+            'status' => $order['status'] ?? null,
+            'return_url' => $successUrl,
+            'cancel_url' => $cancelUrl,
+        ]);
     }
 }

app/Http/Controllers/Api/PhotoboothConnectController.php

@@ -0,0 +1,70 @@
+<?php
+
+namespace App\Http\Controllers\Api;
+
+use App\Http\Controllers\Controller;
+use App\Http\Requests\Photobooth\PhotoboothConnectRedeemRequest;
+use App\Models\Event;
+use App\Services\Photobooth\PhotoboothConnectCodeService;
+use Illuminate\Http\JsonResponse;
+
+class PhotoboothConnectController extends Controller
+{
+    public function __construct(private readonly PhotoboothConnectCodeService $service) {}
+
+    public function store(PhotoboothConnectRedeemRequest $request): JsonResponse
+    {
+        $record = $this->service->redeem($request->input('code'));
+
+        if (! $record) {
+            return response()->json([
+                'message' => __('Ungültiger oder abgelaufener Verbindungscode.'),
+            ], 422);
+        }
+
+        $record->loadMissing('event.photoboothSetting');
+        $event = $record->event;
+        $setting = $event?->photoboothSetting;
+
+        if (! $event || ! $setting || ! $setting->enabled || $setting->mode !== 'sparkbooth') {
+            return response()->json([
+                'message' => __('Photobooth ist nicht im Sparkbooth-Modus aktiv.'),
+            ], 409);
+        }
+
+        return response()->json([
+            'data' => [
+                'event_name' => $this->resolveEventName($event),
+                'upload_url' => route('api.v1.photobooth.upload'),
+                'username' => $setting->username,
+                'password' => $setting->password,
+                'expires_at' => optional($setting->expires_at)->toIso8601String(),
+                'response_format' => ($setting->metadata ?? [])['sparkbooth_response_format']
+                    ?? config('photobooth.sparkbooth.response_format', 'json'),
+            ],
+        ]);
+    }
+
+    private function resolveEventName(?Event $event): ?string
+    {
+        if (! $event) {
+            return null;
+        }
+
+        $name = $event->name;
+
+        if (is_string($name) && trim($name) !== '') {
+            return $name;
+        }
+
+        if (is_array($name)) {
+            foreach ($name as $value) {
+                if (is_string($value) && trim($value) !== '') {
+                    return $value;
+                }
+            }
+        }
+
+        return $event->slug ?: null;
+    }
+}

app/Http/Controllers/Api/Support/SupportGuestPolicyController.php

@@ -0,0 +1,53 @@
+<?php
+
+namespace App\Http\Controllers\Api\Support;
+
+use App\Http\Controllers\Controller;
+use App\Http\Requests\Support\SupportGuestPolicyRequest;
+use App\Models\GuestPolicySetting;
+use App\Services\Audit\SuperAdminAuditLogger;
+use App\Support\SupportApiAuthorizer;
+use Illuminate\Http\JsonResponse;
+
+class SupportGuestPolicyController extends Controller
+{
+    public function show(): JsonResponse
+    {
+        if ($response = SupportApiAuthorizer::authorizeAbilities(request(), ['support:settings'], 'settings')) {
+            return $response;
+        }
+
+        $settings = GuestPolicySetting::current();
+
+        return response()->json([
+            'data' => $settings,
+        ]);
+    }
+
+    public function update(SupportGuestPolicyRequest $request): JsonResponse
+    {
+        if ($response = SupportApiAuthorizer::authorizeAbilities($request, ['support:settings'], 'settings')) {
+            return $response;
+        }
+
+        $settings = GuestPolicySetting::query()->firstOrNew(['id' => 1]);
+
+        $settings->fill($request->validated());
+        $settings->save();
+
+        $changed = $settings->getChanges();
+
+        if ($changed !== []) {
+            app(SuperAdminAuditLogger::class)->record(
+                'guest_policy.updated',
+                $settings,
+                SuperAdminAuditLogger::fieldsMetadata(array_keys($changed)),
+                source: static::class
+            );
+        }
+
+        return response()->json([
+            'data' => $settings->refresh(),
+        ]);
+    }
+}

app/Http/Controllers/Api/Support/SupportResourceController.php

@@ -0,0 +1,401 @@
+<?php
+
+namespace App\Http\Controllers\Api\Support;
+
+use App\Enums\DataExportScope;
+use App\Http\Controllers\Controller;
+use App\Http\Requests\Support\Resources\SupportResourceFormRequest;
+use App\Http\Requests\Support\SupportResourceRequest;
+use App\Jobs\GenerateDataExport;
+use App\Models\DataExport;
+use App\Services\Audit\SuperAdminAuditLogger;
+use App\Support\ApiError;
+use App\Support\SupportApiAuthorizer;
+use App\Support\SupportApiRegistry;
+use Illuminate\Database\Eloquent\Builder;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Facades\Schema;
+use Illuminate\Support\Facades\Validator;
+
+class SupportResourceController extends Controller
+{
+    public function index(Request $request, string $resource): JsonResponse
+    {
+        if ($response = SupportApiAuthorizer::authorizeResource($request, $resource, 'read')) {
+            return $response;
+        }
+
+        $config = SupportApiRegistry::get($resource);
+        if (! $config) {
+            return $this->resourceNotFoundResponse($resource);
+        }
+
+        $modelClass = $config['model'];
+        /** @var Builder $query */
+        $query = $modelClass::query();
+
+        $relations = SupportApiRegistry::withRelations($resource);
+        if ($relations !== []) {
+            $query->with($relations);
+        }
+
+        $this->applySearch($request, $query, $resource);
+        $this->applySorting($request, $query, $resource);
+
+        $perPage = $this->resolvePerPage($request);
+        $paginator = $query->paginate($perPage);
+
+        return response()->json([
+            'data' => $paginator->items(),
+            'meta' => [
+                'page' => $paginator->currentPage(),
+                'per_page' => $paginator->perPage(),
+                'total' => $paginator->total(),
+                'last_page' => $paginator->lastPage(),
+            ],
+        ]);
+    }
+
+    public function show(Request $request, string $resource, string $record): JsonResponse
+    {
+        if ($response = SupportApiAuthorizer::authorizeResource($request, $resource, 'read')) {
+            return $response;
+        }
+
+        $model = $this->resolveRecord($resource, $record);
+
+        if (! $model) {
+            return $this->resourceNotFoundResponse($resource, $record);
+        }
+
+        return response()->json([
+            'data' => $model,
+        ]);
+    }
+
+    public function store(SupportResourceRequest $request, string $resource): JsonResponse
+    {
+        if ($response = SupportApiAuthorizer::authorizeAnyAbility($request, SupportApiRegistry::abilitiesFor($resource, 'write'), 'write')) {
+            return $response;
+        }
+
+        if (! SupportApiRegistry::allowsMutation($resource, 'create')) {
+            return $this->mutationNotAllowedResponse($resource, 'create');
+        }
+
+        $config = SupportApiRegistry::get($resource);
+        if (! $config) {
+            return $this->resourceNotFoundResponse($resource);
+        }
+
+        $modelClass = $config['model'];
+        /** @var Model $model */
+        $model = new $modelClass;
+
+        $payload = $this->validatedPayload($request, $resource, 'create', $model);
+
+        if ($payload instanceof JsonResponse) {
+            return $payload;
+        }
+
+        if ($payload === []) {
+            return $this->emptyPayloadResponse($resource);
+        }
+
+        if ($resource === 'data-exports') {
+            $payload = $this->normalizeDataExportPayload($request, $payload);
+        }
+
+        $record = $modelClass::query()->create($payload);
+
+        app(SuperAdminAuditLogger::class)->record(
+            SupportApiRegistry::auditAction($resource, 'created'),
+            $record,
+            SuperAdminAuditLogger::fieldsMetadata($payload),
+            actor: $request->user(),
+            source: static::class
+        );
+
+        if ($resource === 'data-exports') {
+            GenerateDataExport::dispatch($record->id);
+        }
+
+        return response()->json([
+            'data' => $record,
+        ], 201);
+    }
+
+    public function update(SupportResourceRequest $request, string $resource, string $record): JsonResponse
+    {
+        if ($response = SupportApiAuthorizer::authorizeAnyAbility($request, SupportApiRegistry::abilitiesFor($resource, 'write'), 'write')) {
+            return $response;
+        }
+
+        if (! SupportApiRegistry::allowsMutation($resource, 'update')) {
+            return $this->mutationNotAllowedResponse($resource, 'update');
+        }
+
+        $model = $this->resolveRecord($resource, $record);
+
+        if (! $model) {
+            return $this->resourceNotFoundResponse($resource, $record);
+        }
+
+        $payload = $this->validatedPayload($request, $resource, 'update', $model);
+
+        if ($payload instanceof JsonResponse) {
+            return $payload;
+        }
+
+        if ($payload === []) {
+            return $this->emptyPayloadResponse($resource);
+        }
+
+        $model->fill($payload);
+        $model->save();
+
+        app(SuperAdminAuditLogger::class)->record(
+            SupportApiRegistry::auditAction($resource, 'updated'),
+            $model,
+            SuperAdminAuditLogger::fieldsMetadata($payload),
+            actor: $request->user(),
+            source: static::class
+        );
+
+        return response()->json([
+            'data' => $model->refresh(),
+        ]);
+    }
+
+    public function destroy(Request $request, string $resource, string $record): JsonResponse
+    {
+        if ($response = SupportApiAuthorizer::authorizeAnyAbility($request, SupportApiRegistry::abilitiesFor($resource, 'write'), 'write')) {
+            return $response;
+        }
+
+        if (! SupportApiRegistry::allowsMutation($resource, 'delete')) {
+            return $this->mutationNotAllowedResponse($resource, 'delete');
+        }
+
+        $model = $this->resolveRecord($resource, $record);
+
+        if (! $model) {
+            return $this->resourceNotFoundResponse($resource, $record);
+        }
+
+        $model->delete();
+
+        app(SuperAdminAuditLogger::class)->record(
+            SupportApiRegistry::auditAction($resource, 'deleted'),
+            $model,
+            SuperAdminAuditLogger::fieldsMetadata([]),
+            actor: $request->user(),
+            source: static::class
+        );
+
+        return response()->json(['ok' => true]);
+    }
+
+    private function resolveRecord(string $resource, string $record): ?Model
+    {
+        $config = SupportApiRegistry::get($resource);
+
+        if (! $config) {
+            return null;
+        }
+
+        $modelClass = $config['model'];
+
+        $query = $modelClass::query();
+
+        if (is_numeric($record)) {
+            return $query->find($record);
+        }
+
+        $keyName = (new $modelClass)->getKeyName();
+
+        return $query->where($keyName, $record)->first();
+    }
+
+    private function validatedPayload(SupportResourceRequest $request, string $resource, string $action, Model $model): array|JsonResponse
+    {
+        $payload = $request->validated('data');
+
+        if (! is_array($payload)) {
+            return [];
+        }
+
+        $validationClass = SupportApiRegistry::validationClass($resource, $action);
+
+        if ($validationClass && is_subclass_of($validationClass, SupportResourceFormRequest::class)) {
+            $allowedFields = $validationClass::allowedFields($action);
+
+            if ($allowedFields !== []) {
+                $unexpected = array_diff(array_keys($payload), $allowedFields);
+                if ($unexpected !== []) {
+                    return $this->invalidFieldResponse($resource, $unexpected);
+                }
+            }
+
+            $rules = $validationClass::rulesFor($action, $model);
+            if ($rules !== []) {
+                $payload = Validator::make($payload, $rules)->validate();
+            }
+
+            if ($allowedFields !== []) {
+                $payload = Arr::only($payload, $allowedFields);
+            }
+        }
+
+        $fillable = $model->getFillable();
+
+        if ($fillable === [] && method_exists($model, 'getGuarded') && $model->getGuarded() !== ['*']) {
+            $columns = Schema::getColumnListing($model->getTable());
+
+            return Arr::only($payload, $columns);
+        }
+
+        if ($fillable === []) {
+            return [];
+        }
+
+        return Arr::only($payload, $fillable);
+    }
+
+    private function applySearch(Request $request, Builder $query, string $resource): void
+    {
+        $term = $request->string('search')->trim()->value();
+
+        if ($term === '') {
+            return;
+        }
+
+        $fields = SupportApiRegistry::searchFields($resource);
+
+        if ($fields === []) {
+            return;
+        }
+
+        $columns = Schema::getColumnListing($query->getModel()->getTable());
+        $fields = array_values(array_intersect($fields, $columns));
+
+        if ($fields === []) {
+            return;
+        }
+
+        $query->where(function (Builder $builder) use ($fields, $term): void {
+            foreach ($fields as $field) {
+                if ($field === 'id' && is_numeric($term)) {
+                    $builder->orWhere($field, (int) $term);
+                } else {
+                    $builder->orWhere($field, 'like', "%{$term}%");
+                }
+            }
+        });
+    }
+
+    private function applySorting(Request $request, Builder $query, string $resource): void
+    {
+        $sort = $request->string('sort')->trim()->value();
+
+        if ($sort === '') {
+            return;
+        }
+
+        $direction = 'asc';
+        $field = $sort;
+
+        if (str_starts_with($sort, '-')) {
+            $direction = 'desc';
+            $field = ltrim($sort, '-');
+        }
+
+        $allowed = SupportApiRegistry::searchFields($resource);
+        $allowed[] = 'id';
+
+        $columns = Schema::getColumnListing($query->getModel()->getTable());
+        $allowed = array_values(array_intersect($allowed, $columns));
+
+        if (! in_array($field, $allowed, true)) {
+            return;
+        }
+
+        $query->orderBy($field, $direction);
+    }
+
+    private function resolvePerPage(Request $request): int
+    {
+        $default = (int) config('support-api.pagination.default_per_page', 50);
+        $max = (int) config('support-api.pagination.max_per_page', 200);
+
+        $perPage = (int) $request->input('per_page', $default);
+
+        if ($perPage < 1) {
+            $perPage = $default;
+        }
+
+        return min($perPage, $max);
+    }
+
+    private function mutationNotAllowedResponse(string $resource, string $action): JsonResponse
+    {
+        return ApiError::response(
+            'support_mutation_not_allowed',
+            'Mutation Not Allowed',
+            "{$resource} does not allow {$action} operations in support API.",
+            403
+        );
+    }
+
+    private function emptyPayloadResponse(string $resource): JsonResponse
+    {
+        return ApiError::response(
+            'support_invalid_payload',
+            'Invalid Payload',
+            "No mutable fields provided for {$resource}.",
+            422
+        );
+    }
+
+    private function invalidFieldResponse(string $resource, array $fields): JsonResponse
+    {
+        return ApiError::response(
+            'support_invalid_fields',
+            'Invalid Fields',
+            "Unsupported fields provided for {$resource}.",
+            422,
+            [
+                'fields' => array_values($fields),
+            ]
+        );
+    }
+
+    private function resourceNotFoundResponse(string $resource, ?string $record = null): JsonResponse
+    {
+        $message = $record
+            ? "{$resource} record not found."
+            : "Support resource {$resource} is not registered.";
+
+        return ApiError::response(
+            'support_resource_not_found',
+            'Not Found',
+            $message,
+            404
+        );
+    }
+
+    private function normalizeDataExportPayload(Request $request, array $payload): array
+    {
+        $payload['user_id'] = $request->user()?->id;
+        $payload['status'] = DataExport::STATUS_PENDING;
+
+        if (($payload['scope'] ?? null) !== DataExportScope::EVENT->value) {
+            $payload['event_id'] = null;
+        }
+
+        return $payload;
+    }
+}

app/Http/Controllers/Api/Support/SupportTenantActionsController.php

@@ -0,0 +1,411 @@
+<?php
+
+namespace App\Http\Controllers\Api\Support;
+
+use App\Http\Controllers\Controller;
+use App\Http\Requests\Support\Tenant\SupportTenantAddPackageRequest;
+use App\Http\Requests\Support\Tenant\SupportTenantScheduleDeletionRequest;
+use App\Http\Requests\Support\Tenant\SupportTenantSetGracePeriodRequest;
+use App\Http\Requests\Support\Tenant\SupportTenantUpdateLimitsRequest;
+use App\Http\Requests\Support\Tenant\SupportTenantUpdateSubscriptionRequest;
+use App\Jobs\AnonymizeAccount;
+use App\Models\Package;
+use App\Models\PackagePurchase;
+use App\Models\Tenant;
+use App\Models\TenantPackage;
+use App\Notifications\InactiveTenantDeletionWarning;
+use App\Services\Audit\SuperAdminAuditLogger;
+use App\Services\Tenant\TenantLifecycleLogger;
+use App\Support\SupportApiAuthorizer;
+use Carbon\Carbon;
+use Filament\Notifications\Notification;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Support\Facades\Notification as NotificationFacade;
+
+class SupportTenantActionsController extends Controller
+{
+    public function activate(Tenant $tenant): JsonResponse
+    {
+        if ($response = $this->authorizeAction('tenants', 'actions')) {
+            return $response;
+        }
+
+        $updated = $tenant->update(['is_active' => true]);
+
+        app(TenantLifecycleLogger::class)->record(
+            $tenant,
+            'activated',
+            actor: auth()->user()
+        );
+
+        app(SuperAdminAuditLogger::class)->record(
+            'tenant.activated',
+            $tenant,
+            SuperAdminAuditLogger::fieldsMetadata(['is_active']),
+            source: static::class
+        );
+
+        return response()->json(['ok' => $updated]);
+    }
+
+    public function deactivate(Tenant $tenant): JsonResponse
+    {
+        if ($response = $this->authorizeAction('tenants', 'actions')) {
+            return $response;
+        }
+
+        $updated = $tenant->update(['is_active' => false]);
+
+        app(TenantLifecycleLogger::class)->record(
+            $tenant,
+            'deactivated',
+            actor: auth()->user()
+        );
+
+        app(SuperAdminAuditLogger::class)->record(
+            'tenant.deactivated',
+            $tenant,
+            SuperAdminAuditLogger::fieldsMetadata(['is_active']),
+            source: static::class
+        );
+
+        return response()->json(['ok' => $updated]);
+    }
+
+    public function suspend(Tenant $tenant): JsonResponse
+    {
+        if ($response = $this->authorizeAction('tenants', 'actions')) {
+            return $response;
+        }
+
+        $updated = $tenant->update(['is_suspended' => true]);
+
+        app(TenantLifecycleLogger::class)->record(
+            $tenant,
+            'suspended',
+            actor: auth()->user()
+        );
+
+        app(SuperAdminAuditLogger::class)->record(
+            'tenant.suspended',
+            $tenant,
+            SuperAdminAuditLogger::fieldsMetadata(['is_suspended']),
+            source: static::class
+        );
+
+        return response()->json(['ok' => $updated]);
+    }
+
+    public function unsuspend(Tenant $tenant): JsonResponse
+    {
+        if ($response = $this->authorizeAction('tenants', 'actions')) {
+            return $response;
+        }
+
+        $updated = $tenant->update(['is_suspended' => false]);
+
+        app(TenantLifecycleLogger::class)->record(
+            $tenant,
+            'unsuspended',
+            actor: auth()->user()
+        );
+
+        app(SuperAdminAuditLogger::class)->record(
+            'tenant.unsuspended',
+            $tenant,
+            SuperAdminAuditLogger::fieldsMetadata(['is_suspended']),
+            source: static::class
+        );
+
+        return response()->json(['ok' => $updated]);
+    }
+
+    public function scheduleDeletion(SupportTenantScheduleDeletionRequest $request, Tenant $tenant): JsonResponse
+    {
+        if ($response = $this->authorizeAction('tenants', 'actions')) {
+            return $response;
+        }
+
+        $plannedDeletion = Carbon::parse($request->string('pending_deletion_at')->value());
+        $update = [
+            'pending_deletion_at' => $plannedDeletion,
+        ];
+
+        if ($request->boolean('send_warning', true)) {
+            $email = $tenant->contact_email
+                ?? $tenant->email
+                ?? $tenant->user?->email;
+
+            if ($email) {
+                NotificationFacade::route('mail', $email)
+                    ->notify(new InactiveTenantDeletionWarning($tenant, $plannedDeletion));
+                $update['deletion_warning_sent_at'] = now();
+            } else {
+                Notification::make()
+                    ->danger()
+                    ->title(__('admin.tenants.actions.send_warning_missing_title'))
+                    ->body(__('admin.tenants.actions.send_warning_missing_body'))
+                    ->send();
+            }
+        }
+
+        $tenant->forceFill($update)->save();
+
+        app(TenantLifecycleLogger::class)->record(
+            $tenant,
+            'deletion_scheduled',
+            [
+                'pending_deletion_at' => $plannedDeletion->toDateTimeString(),
+                'send_warning' => $request->boolean('send_warning', true),
+            ],
+            auth()->user()
+        );
+
+        app(SuperAdminAuditLogger::class)->record(
+            'tenant.deletion_scheduled',
+            $tenant,
+            SuperAdminAuditLogger::fieldsMetadata($request->validated()),
+            source: static::class
+        );
+
+        return response()->json(['ok' => true]);
+    }
+
+    public function cancelDeletion(Tenant $tenant): JsonResponse
+    {
+        if ($response = $this->authorizeAction('tenants', 'actions')) {
+            return $response;
+        }
+
+        $previous = $tenant->pending_deletion_at?->toDateTimeString();
+
+        $tenant->forceFill([
+            'pending_deletion_at' => null,
+            'deletion_warning_sent_at' => null,
+        ])->save();
+
+        app(TenantLifecycleLogger::class)->record(
+            $tenant,
+            'deletion_cancelled',
+            ['pending_deletion_at' => $previous],
+            auth()->user()
+        );
+
+        app(SuperAdminAuditLogger::class)->record(
+            'tenant.deletion_cancelled',
+            $tenant,
+            SuperAdminAuditLogger::fieldsMetadata(['pending_deletion_at', 'deletion_warning_sent_at']),
+            source: static::class
+        );
+
+        return response()->json(['ok' => true]);
+    }
+
+    public function anonymize(Tenant $tenant): JsonResponse
+    {
+        if ($response = $this->authorizeAction('tenants', 'actions')) {
+            return $response;
+        }
+
+        AnonymizeAccount::dispatch(null, $tenant->id);
+
+        app(TenantLifecycleLogger::class)->record(
+            $tenant,
+            'anonymize_requested',
+            actor: auth()->user()
+        );
+
+        app(SuperAdminAuditLogger::class)->record(
+            'tenant.anonymize_requested',
+            $tenant,
+            SuperAdminAuditLogger::fieldsMetadata([]),
+            source: static::class
+        );
+
+        return response()->json(['ok' => true]);
+    }
+
+    public function addPackage(SupportTenantAddPackageRequest $request, Tenant $tenant): JsonResponse
+    {
+        if ($response = $this->authorizeAction('tenants', 'actions')) {
+            return $response;
+        }
+
+        $package = Package::query()->find($request->integer('package_id'));
+
+        TenantPackage::query()->create([
+            'tenant_id' => $tenant->id,
+            'package_id' => $request->integer('package_id'),
+            'expires_at' => $request->date('expires_at'),
+            'active' => true,
+            'price' => $package?->price ?? 0,
+            'reason' => $request->string('reason')->value(),
+        ]);
+
+        PackagePurchase::query()->create([
+            'tenant_id' => $tenant->id,
+            'package_id' => $request->integer('package_id'),
+            'provider' => 'manual',
+            'provider_id' => 'manual',
+            'type' => 'reseller_subscription',
+            'price' => 0,
+            'metadata' => ['reason' => $request->string('reason')->value() ?: 'manual assignment'],
+        ]);
+
+        app(SuperAdminAuditLogger::class)->record(
+            'tenant.package_added',
+            $tenant,
+            SuperAdminAuditLogger::fieldsMetadata($request->validated()),
+            source: static::class
+        );
+
+        return response()->json(['ok' => true]);
+    }
+
+    public function updateLimits(SupportTenantUpdateLimitsRequest $request, Tenant $tenant): JsonResponse
+    {
+        if ($response = $this->authorizeAction('tenants', 'actions')) {
+            return $response;
+        }
+
+        $before = [
+            'max_photos_per_event' => $tenant->max_photos_per_event,
+            'max_storage_mb' => $tenant->max_storage_mb,
+        ];
+
+        $tenant->forceFill([
+            'max_photos_per_event' => $request->integer('max_photos_per_event'),
+            'max_storage_mb' => $request->integer('max_storage_mb'),
+        ])->save();
+
+        $after = [
+            'max_photos_per_event' => $tenant->max_photos_per_event,
+            'max_storage_mb' => $tenant->max_storage_mb,
+        ];
+
+        app(TenantLifecycleLogger::class)->record(
+            $tenant,
+            'limits_updated',
+            [
+                'before' => $before,
+                'after' => $after,
+                'note' => $request->string('note')->value(),
+            ],
+            auth()->user()
+        );
+
+        app(SuperAdminAuditLogger::class)->record(
+            'tenant.limits_updated',
+            $tenant,
+            SuperAdminAuditLogger::fieldsMetadata($request->validated()),
+            source: static::class
+        );
+
+        return response()->json(['ok' => true]);
+    }
+
+    public function updateSubscriptionExpiresAt(SupportTenantUpdateSubscriptionRequest $request, Tenant $tenant): JsonResponse
+    {
+        if ($response = $this->authorizeAction('tenants', 'actions')) {
+            return $response;
+        }
+
+        $before = [
+            'subscription_expires_at' => optional($tenant->subscription_expires_at)->toDateTimeString(),
+        ];
+
+        $tenant->forceFill([
+            'subscription_expires_at' => $request->date('subscription_expires_at'),
+        ])->save();
+
+        $after = [
+            'subscription_expires_at' => optional($tenant->subscription_expires_at)->toDateTimeString(),
+        ];
+
+        app(TenantLifecycleLogger::class)->record(
+            $tenant,
+            'subscription_expires_at_updated',
+            [
+                'before' => $before,
+                'after' => $after,
+                'note' => $request->string('note')->value(),
+            ],
+            auth()->user()
+        );
+
+        app(SuperAdminAuditLogger::class)->record(
+            'tenant.subscription_expires_at_updated',
+            $tenant,
+            SuperAdminAuditLogger::fieldsMetadata($request->validated()),
+            source: static::class
+        );
+
+        return response()->json(['ok' => true]);
+    }
+
+    public function setGracePeriod(SupportTenantSetGracePeriodRequest $request, Tenant $tenant): JsonResponse
+    {
+        if ($response = $this->authorizeAction('tenants', 'actions')) {
+            return $response;
+        }
+
+        $tenant->forceFill([
+            'grace_period_ends_at' => $request->date('grace_period_ends_at'),
+        ])->save();
+
+        app(TenantLifecycleLogger::class)->record(
+            $tenant,
+            'grace_period_set',
+            [
+                'grace_period_ends_at' => optional($tenant->grace_period_ends_at)->toDateTimeString(),
+                'note' => $request->string('note')->value(),
+            ],
+            auth()->user()
+        );
+
+        app(SuperAdminAuditLogger::class)->record(
+            'tenant.grace_period_set',
+            $tenant,
+            SuperAdminAuditLogger::fieldsMetadata($request->validated()),
+            source: static::class
+        );
+
+        return response()->json(['ok' => true]);
+    }
+
+    public function clearGracePeriod(Tenant $tenant): JsonResponse
+    {
+        if ($response = $this->authorizeAction('tenants', 'actions')) {
+            return $response;
+        }
+
+        $previous = $tenant->grace_period_ends_at?->toDateTimeString();
+
+        $tenant->forceFill([
+            'grace_period_ends_at' => null,
+        ])->save();
+
+        app(TenantLifecycleLogger::class)->record(
+            $tenant,
+            'grace_period_cleared',
+            [
+                'grace_period_ends_at' => $previous,
+            ],
+            auth()->user()
+        );
+
+        app(SuperAdminAuditLogger::class)->record(
+            'tenant.grace_period_cleared',
+            $tenant,
+            SuperAdminAuditLogger::fieldsMetadata(['grace_period_ends_at']),
+            source: static::class
+        );
+
+        return response()->json(['ok' => true]);
+    }
+
+    private function authorizeAction(string $resource, string $action): ?JsonResponse
+    {
+        return SupportApiAuthorizer::authorizeResource(request(), $resource, $action);
+    }
+}

app/Http/Controllers/Api/Support/SupportTokenController.php

@@ -0,0 +1,103 @@
+<?php
+
+namespace App\Http\Controllers\Api\Support;
+
+use App\Http\Controllers\Controller;
+use App\Http\Requests\Support\SupportTokenRequest;
+use App\Models\User;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Arr;
+use Illuminate\Support\Facades\Hash;
+use Illuminate\Validation\ValidationException;
+
+class SupportTokenController extends Controller
+{
+    public function store(SupportTokenRequest $request): JsonResponse
+    {
+        $credentials = $request->credentials();
+
+        $query = User::query();
+
+        if (isset($credentials['email'])) {
+            $query->where('email', $credentials['email']);
+        }
+
+        if (isset($credentials['username'])) {
+            $query->where('username', $credentials['username']);
+        }
+
+        /** @var User|null $user */
+        $user = $query->first();
+
+        if (! $user || ! Hash::check($credentials['password'], (string) $user->password)) {
+            throw ValidationException::withMessages([
+                'login' => [trans('auth.failed')],
+            ]);
+        }
+
+        if (! $user->isSuperAdmin()) {
+            throw ValidationException::withMessages([
+                'login' => [trans('auth.not_authorized')],
+            ]);
+        }
+
+        $tokenConfig = config('support-api.token');
+        $defaultAbilities = $tokenConfig['default_abilities'] ?? [];
+        $abilities = $credentials['abilities'] ?? $defaultAbilities;
+
+        if ($abilities !== $defaultAbilities) {
+            $abilities = array_values(array_intersect($abilities, $defaultAbilities));
+        }
+
+        if (! in_array('support-admin', $abilities, true)) {
+            $abilities[] = 'support-admin';
+        }
+
+        $tokenName = (string) ($tokenConfig['name'] ?? 'support-api');
+
+        $user->tokens()->where('name', $tokenName)->delete();
+
+        $token = $user->createToken($tokenName, $abilities);
+
+        return response()->json([
+            'token' => $token->plainTextToken,
+            'token_type' => 'Bearer',
+            'abilities' => $abilities,
+            'user' => Arr::only($user->toArray(), [
+                'id',
+                'email',
+                'name',
+                'role',
+                'tenant_id',
+            ]),
+        ]);
+    }
+
+    public function destroy(Request $request): JsonResponse
+    {
+        $token = $request->user()?->currentAccessToken();
+
+        if ($token) {
+            $token->delete();
+        }
+
+        return response()->json(['ok' => true]);
+    }
+
+    public function me(Request $request): JsonResponse
+    {
+        $user = $request->user();
+
+        return response()->json([
+            'user' => $user ? Arr::only($user->toArray(), [
+                'id',
+                'name',
+                'email',
+                'role',
+                'tenant_id',
+            ]) : null,
+            'abilities' => $user?->currentAccessToken()?->abilities ?? [],
+        ]);
+    }
+}

app/Http/Controllers/Api/Support/SupportWatermarkSettingsController.php

@@ -0,0 +1,52 @@
+<?php
+
+namespace App\Http\Controllers\Api\Support;
+
+use App\Http\Controllers\Controller;
+use App\Http\Requests\Support\SupportWatermarkSettingsRequest;
+use App\Models\WatermarkSetting;
+use App\Services\Audit\SuperAdminAuditLogger;
+use App\Support\SupportApiAuthorizer;
+use Illuminate\Http\JsonResponse;
+
+class SupportWatermarkSettingsController extends Controller
+{
+    public function show(): JsonResponse
+    {
+        if ($response = SupportApiAuthorizer::authorizeAbilities(request(), ['support:settings'], 'settings')) {
+            return $response;
+        }
+
+        $settings = WatermarkSetting::query()->first();
+
+        return response()->json([
+            'data' => $settings,
+        ]);
+    }
+
+    public function update(SupportWatermarkSettingsRequest $request): JsonResponse
+    {
+        if ($response = SupportApiAuthorizer::authorizeAbilities($request, ['support:settings'], 'settings')) {
+            return $response;
+        }
+
+        $settings = WatermarkSetting::query()->firstOrNew([]);
+        $settings->fill($request->validated());
+        $settings->save();
+
+        $changed = $settings->getChanges();
+
+        if ($changed !== []) {
+            app(SuperAdminAuditLogger::class)->record(
+                'watermark_settings.updated',
+                $settings,
+                SuperAdminAuditLogger::fieldsMetadata(array_keys($changed)),
+                source: static::class
+            );
+        }
+
+        return response()->json([
+            'data' => $settings->refresh(),
+        ]);
+    }
+}

app/Http/Controllers/Api/Tenant/AiEditController.php

@@ -0,0 +1,574 @@
+<?php
+
+namespace App\Http\Controllers\Api\Tenant;
+
+use App\Http\Controllers\Controller;
+use App\Http\Requests\Tenant\AiEditIndexRequest;
+use App\Http\Requests\Tenant\AiEditStoreRequest;
+use App\Jobs\ProcessAiEditRequest;
+use App\Models\AiEditRequest;
+use App\Models\AiProviderRun;
+use App\Models\AiStyle;
+use App\Models\AiUsageLedger;
+use App\Models\Event;
+use App\Models\Photo;
+use App\Services\AiEditing\AiBudgetGuardService;
+use App\Services\AiEditing\AiEditingRuntimeConfig;
+use App\Services\AiEditing\AiStyleAccessService;
+use App\Services\AiEditing\AiStylingEntitlementService;
+use App\Services\AiEditing\EventAiEditingPolicyService;
+use App\Services\AiEditing\Safety\AiAbuseEscalationService;
+use App\Services\AiEditing\Safety\AiSafetyPolicyService;
+use App\Support\ApiError;
+use App\Support\TenantMemberPermissions;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+use Illuminate\Support\Str;
+use Symfony\Component\HttpFoundation\Response;
+
+class AiEditController extends Controller
+{
+    public function __construct(
+        private readonly AiSafetyPolicyService $safetyPolicy,
+        private readonly AiEditingRuntimeConfig $runtimeConfig,
+        private readonly AiBudgetGuardService $budgetGuard,
+        private readonly AiStylingEntitlementService $entitlements,
+        private readonly EventAiEditingPolicyService $eventPolicy,
+        private readonly AiStyleAccessService $styleAccess,
+        private readonly AiAbuseEscalationService $abuseEscalation,
+    ) {}
+
+    public function index(AiEditIndexRequest $request, string $eventSlug): JsonResponse
+    {
+        $event = $this->resolveTenantEventOrFail($request, $eventSlug);
+        TenantMemberPermissions::ensureEventPermission($request, $event, 'photos:upload');
+
+        $perPage = (int) $request->input('per_page', 20);
+        $status = (string) $request->input('status', '');
+        $safetyState = (string) $request->input('safety_state', '');
+
+        $query = AiEditRequest::query()
+            ->with(['style', 'outputs'])
+            ->where('event_id', $event->id)
+            ->orderByDesc('created_at');
+
+        if ($status !== '') {
+            $query->where('status', $status);
+        }
+
+        if ($safetyState !== '') {
+            $query->where('safety_state', $safetyState);
+        }
+
+        $requests = $query->paginate($perPage);
+
+        return response()->json([
+            'data' => collect($requests->items())->map(fn (AiEditRequest $item) => $this->serializeRequest($item))->values(),
+            'meta' => [
+                'current_page' => $requests->currentPage(),
+                'per_page' => $requests->perPage(),
+                'total' => $requests->total(),
+                'last_page' => $requests->lastPage(),
+            ],
+        ]);
+    }
+
+    public function styles(Request $request, string $eventSlug): JsonResponse
+    {
+        $event = $this->resolveTenantEventOrFail($request, $eventSlug);
+        TenantMemberPermissions::ensureEventPermission($request, $event, 'photos:upload');
+
+        if (! $this->runtimeConfig->isEnabled()) {
+            return ApiError::response(
+                'feature_disabled',
+                'Feature disabled',
+                $this->runtimeConfig->statusMessage() ?: 'AI editing is currently disabled by platform policy.',
+                Response::HTTP_FORBIDDEN
+            );
+        }
+
+        $entitlement = $this->entitlements->resolveForEvent($event);
+        if (! $entitlement['allowed']) {
+            return ApiError::response(
+                'feature_locked',
+                'Feature locked',
+                $this->entitlements->lockedMessage(),
+                Response::HTTP_FORBIDDEN,
+                [
+                    'required_feature' => $entitlement['required_feature'],
+                    'addon_keys' => $entitlement['addon_keys'],
+                ]
+            );
+        }
+
+        $styles = AiStyle::query()
+            ->where('is_active', true)
+            ->orderBy('sort')
+            ->orderBy('id')
+            ->get();
+        $policy = $this->eventPolicy->resolve($event);
+        $styles = $this->eventPolicy->filterStyles($event, $styles);
+        $styles = $this->styleAccess->filterStylesForEvent($event, $styles);
+
+        return response()->json([
+            'data' => $styles->map(fn (AiStyle $style) => $this->serializeStyle($style))->values(),
+            'meta' => [
+                'required_feature' => $entitlement['required_feature'],
+                'addon_keys' => $entitlement['addon_keys'],
+                'event_enabled' => $policy['enabled'],
+                'allow_custom_prompt' => $policy['allow_custom_prompt'],
+                'allowed_style_keys' => $policy['allowed_style_keys'],
+                'policy_message' => $policy['policy_message'],
+            ],
+        ]);
+    }
+
+    public function summary(Request $request, string $eventSlug): JsonResponse
+    {
+        $event = $this->resolveTenantEventOrFail($request, $eventSlug);
+        TenantMemberPermissions::ensureEventPermission($request, $event, 'photos:upload');
+
+        $periodStart = now()->startOfMonth();
+        $periodEnd = now()->endOfMonth();
+        $baseQuery = AiEditRequest::query()->where('event_id', $event->id);
+        $statusCounts = (clone $baseQuery)
+            ->select('status', DB::raw('count(*) as aggregate'))
+            ->groupBy('status')
+            ->pluck('aggregate', 'status')
+            ->map(fn (mixed $value): int => (int) $value)
+            ->all();
+        $safetyCounts = (clone $baseQuery)
+            ->select('safety_state', DB::raw('count(*) as aggregate'))
+            ->groupBy('safety_state')
+            ->pluck('aggregate', 'safety_state')
+            ->map(fn (mixed $value): int => (int) $value)
+            ->all();
+
+        $lastRequestedAt = (clone $baseQuery)->max('created_at');
+        $total = array_sum($statusCounts);
+        $failedTotal = (int) (($statusCounts[AiEditRequest::STATUS_FAILED] ?? 0) + ($statusCounts[AiEditRequest::STATUS_BLOCKED] ?? 0));
+        $moderationBlockedTotal = (int) ($statusCounts[AiEditRequest::STATUS_BLOCKED] ?? 0);
+
+        $usageQuery = AiUsageLedger::query()
+            ->where('tenant_id', $event->tenant_id)
+            ->where('event_id', $event->id)
+            ->where('recorded_at', '>=', $periodStart)
+            ->where('recorded_at', '<=', $periodEnd);
+        $spendUsd = (float) ((clone $usageQuery)->where('entry_type', AiUsageLedger::TYPE_DEBIT)->sum('amount_usd') ?: 0.0);
+        $debitCount = (int) ((clone $usageQuery)->where('entry_type', AiUsageLedger::TYPE_DEBIT)->count());
+
+        $providerRunQuery = AiProviderRun::query()
+            ->whereHas('request', fn ($query) => $query->where('event_id', $event->id))
+            ->where('created_at', '>=', $periodStart)
+            ->where('created_at', '<=', $periodEnd);
+        $providerRunTotal = (int) (clone $providerRunQuery)->count();
+        $providerRunFailed = (int) (clone $providerRunQuery)->where('status', AiProviderRun::STATUS_FAILED)->count();
+        $averageProviderLatencyMs = (int) round((float) ((clone $providerRunQuery)->whereNotNull('duration_ms')->avg('duration_ms') ?: 0.0));
+
+        $failureRate = $total > 0 ? ($failedTotal / $total) : 0.0;
+        $moderationHitRate = $total > 0 ? ($moderationBlockedTotal / $total) : 0.0;
+        $providerFailureRate = $providerRunTotal > 0 ? ($providerRunFailed / $providerRunTotal) : 0.0;
+
+        $failureRateThreshold = (float) config('ai-editing.observability.failure_rate_alert_threshold', 0.35);
+        $latencyWarningThresholdMs = max(500, (int) config('ai-editing.observability.latency_warning_ms', 15000));
+        $budgetDecision = $this->budgetGuard->evaluateForEvent($event);
+
+        return response()->json([
+            'data' => [
+                'event_id' => $event->id,
+                'total' => $total,
+                'status_counts' => $statusCounts,
+                'safety_counts' => $safetyCounts,
+                'failed_total' => $failedTotal,
+                'last_requested_at' => $lastRequestedAt ? (string) \Illuminate\Support\Carbon::parse($lastRequestedAt)->toIso8601String() : null,
+                'usage' => [
+                    'period_start' => $periodStart->toDateString(),
+                    'period_end' => $periodEnd->toDateString(),
+                    'debit_count' => $debitCount,
+                    'spend_usd' => round($spendUsd, 5),
+                ],
+                'observability' => [
+                    'failure_rate' => round($failureRate, 5),
+                    'moderation_hit_rate' => round($moderationHitRate, 5),
+                    'provider_runs_total' => $providerRunTotal,
+                    'provider_runs_failed' => $providerRunFailed,
+                    'provider_failure_rate' => round($providerFailureRate, 5),
+                    'avg_provider_latency_ms' => $averageProviderLatencyMs,
+                    'alerts' => [
+                        'failure_rate_threshold_reached' => $failureRate >= $failureRateThreshold && $total >= max(1, (int) config('ai-editing.observability.failure_rate_min_samples', 10)),
+                        'latency_threshold_reached' => $averageProviderLatencyMs >= $latencyWarningThresholdMs,
+                    ],
+                ],
+                'budget' => $budgetDecision['budget'],
+            ],
+        ]);
+    }
+
+    public function store(AiEditStoreRequest $request, string $eventSlug): JsonResponse
+    {
+        $event = $this->resolveTenantEventOrFail($request, $eventSlug);
+        TenantMemberPermissions::ensureEventPermission($request, $event, 'photos:upload');
+
+        $photo = Photo::query()
+            ->whereKey((int) $request->input('photo_id'))
+            ->where('event_id', $event->id)
+            ->first();
+
+        if (! $photo) {
+            return ApiError::response(
+                'photo_not_found',
+                'Photo not found',
+                'The specified photo could not be located for this event.',
+                Response::HTTP_NOT_FOUND
+            );
+        }
+
+        $style = $this->resolveStyle($request->input('style_id'), $request->input('style_key'));
+        if (! $style) {
+            return ApiError::response(
+                'style_not_found',
+                'Style not found',
+                'The selected style is not available.',
+                Response::HTTP_UNPROCESSABLE_ENTITY
+            );
+        }
+
+        if (! $this->runtimeConfig->isEnabled()) {
+            return ApiError::response(
+                'feature_disabled',
+                'Feature disabled',
+                $this->runtimeConfig->statusMessage() ?: 'AI editing is currently disabled by platform policy.',
+                Response::HTTP_FORBIDDEN
+            );
+        }
+
+        $entitlement = $this->entitlements->resolveForEvent($event);
+        if (! $entitlement['allowed']) {
+            return ApiError::response(
+                'feature_locked',
+                'Feature locked',
+                $this->entitlements->lockedMessage(),
+                Response::HTTP_FORBIDDEN,
+                [
+                    'required_feature' => $entitlement['required_feature'],
+                    'addon_keys' => $entitlement['addon_keys'],
+                ]
+            );
+        }
+
+        $policy = $this->eventPolicy->resolve($event);
+        if (! $policy['enabled']) {
+            return ApiError::response(
+                'event_feature_disabled',
+                'Feature disabled for this event',
+                $policy['policy_message'] ?? 'AI editing is disabled for this event.',
+                Response::HTTP_FORBIDDEN
+            );
+        }
+
+        $budgetDecision = $this->budgetGuard->evaluateForEvent($event);
+        if (! $budgetDecision['allowed']) {
+            return ApiError::response(
+                $budgetDecision['reason_code'] ?? 'budget_hard_cap_reached',
+                'Budget limit reached',
+                $budgetDecision['message'] ?? 'The AI editing budget for this billing period has been exhausted.',
+                Response::HTTP_FORBIDDEN,
+                [
+                    'budget' => $budgetDecision['budget'],
+                ]
+            );
+        }
+
+        if (! $this->eventPolicy->isStyleAllowed($event, $style) || ! $this->styleAccess->canUseStyle($event, $style)) {
+            return ApiError::response(
+                'style_not_allowed',
+                'Style not allowed',
+                $policy['policy_message'] ?? 'This style is not allowed for this event.',
+                Response::HTTP_UNPROCESSABLE_ENTITY,
+                [
+                    'allowed_style_keys' => $policy['allowed_style_keys'],
+                ]
+            );
+        }
+
+        $prompt = (string) ($request->input('prompt') ?: $style->prompt_template ?: '');
+        $negativePrompt = (string) ($request->input('negative_prompt') ?: $style->negative_prompt_template ?: '');
+        $providerModel = $request->input('provider_model') ?: $style->provider_model;
+        $safetyDecision = $this->safetyPolicy->evaluatePrompt($prompt, $negativePrompt);
+        $requestedByUserId = $request->user()?->id;
+        $scopeKey = $this->normalizeUserId($requestedByUserId) ?: 'tenant-user';
+        $abuseSignal = null;
+        $safetyReasons = $safetyDecision->reasonCodes;
+        if ($safetyDecision->blocked) {
+            $abuseSignal = $this->abuseEscalation->recordPromptBlock(
+                (int) $event->tenant_id,
+                (int) $event->id,
+                $scopeKey
+            );
+            if (($abuseSignal['escalated'] ?? false) && ! in_array(AiAbuseEscalationService::REASON_CODE, $safetyReasons, true)) {
+                $safetyReasons[] = AiAbuseEscalationService::REASON_CODE;
+            }
+        }
+
+        $metadata = (array) $request->input('metadata', []);
+        if (is_array($abuseSignal)) {
+            $metadata['abuse'] = $abuseSignal;
+        }
+        $metadata['budget'] = $budgetDecision['budget'];
+
+        $idempotencyKey = $this->resolveIdempotencyKey(
+            $request->input('idempotency_key'),
+            $request->header('X-Idempotency-Key'),
+            $event,
+            $photo,
+            $style,
+            $prompt,
+            $requestedByUserId
+        );
+
+        $editRequest = AiEditRequest::query()->firstOrCreate(
+            ['tenant_id' => $event->tenant_id, 'idempotency_key' => $idempotencyKey],
+            [
+                'event_id' => $event->id,
+                'photo_id' => $photo->id,
+                'style_id' => $style->id,
+                'requested_by_user_id' => $requestedByUserId,
+                'provider' => $this->runtimeConfig->defaultProvider(),
+                'provider_model' => $providerModel,
+                'status' => $safetyDecision->blocked ? AiEditRequest::STATUS_BLOCKED : AiEditRequest::STATUS_QUEUED,
+                'safety_state' => $safetyDecision->state,
+                'prompt' => $prompt,
+                'negative_prompt' => $negativePrompt,
+                'input_image_path' => $photo->file_path,
+                'idempotency_key' => $idempotencyKey,
+                'safety_reasons' => $safetyReasons,
+                'failure_code' => $safetyDecision->failureCode,
+                'failure_message' => $safetyDecision->failureMessage,
+                'queued_at' => now(),
+                'completed_at' => $safetyDecision->blocked ? now() : null,
+                'metadata' => $metadata,
+            ]
+        );
+
+        if (! $editRequest->wasRecentlyCreated && $this->isIdempotencyConflict(
+            $editRequest,
+            $event,
+            $photo,
+            $style,
+            $prompt,
+            $negativePrompt,
+            $providerModel,
+            $requestedByUserId
+        )) {
+            return ApiError::response(
+                'idempotency_conflict',
+                'Idempotency conflict',
+                'The provided idempotency key is already in use for another request.',
+                Response::HTTP_CONFLICT
+            );
+        }
+
+        if (
+            $editRequest->wasRecentlyCreated
+            && ! $safetyDecision->blocked
+            && $this->runtimeConfig->queueAutoDispatch()
+        ) {
+            ProcessAiEditRequest::dispatch($editRequest->id)
+                ->onQueue($this->runtimeConfig->queueName());
+        }
+
+        return response()->json([
+            'message' => $editRequest->wasRecentlyCreated ? 'AI edit request queued' : 'AI edit request already exists',
+            'duplicate' => ! $editRequest->wasRecentlyCreated,
+            'data' => $this->serializeRequest($editRequest->fresh(['style', 'outputs'])),
+        ], $editRequest->wasRecentlyCreated ? Response::HTTP_CREATED : Response::HTTP_OK);
+    }
+
+    public function show(Request $request, string $eventSlug, int $aiEditRequest): JsonResponse
+    {
+        $event = $this->resolveTenantEventOrFail($request, $eventSlug);
+        TenantMemberPermissions::ensureEventPermission($request, $event, 'photos:upload');
+
+        $editRequest = AiEditRequest::query()
+            ->with(['style', 'outputs'])
+            ->whereKey($aiEditRequest)
+            ->where('event_id', $event->id)
+            ->first();
+
+        if (! $editRequest) {
+            return ApiError::response(
+                'edit_request_not_found',
+                'Edit request not found',
+                'The specified AI edit request could not be located for this event.',
+                Response::HTTP_NOT_FOUND
+            );
+        }
+
+        return response()->json([
+            'data' => $this->serializeRequest($editRequest),
+        ]);
+    }
+
+    private function resolveTenantEventOrFail(Request $request, string $eventSlug): Event
+    {
+        $tenantId = $request->attributes->get('tenant_id');
+
+        return Event::query()
+            ->where('slug', $eventSlug)
+            ->where('tenant_id', $tenantId)
+            ->firstOrFail();
+    }
+
+    private function resolveStyle(mixed $styleId, mixed $styleKey): ?AiStyle
+    {
+        if ($styleId !== null) {
+            return AiStyle::query()
+                ->whereKey((int) $styleId)
+                ->where('is_active', true)
+                ->first();
+        }
+
+        $key = trim((string) ($styleKey ?? ''));
+        if ($key === '') {
+            return null;
+        }
+
+        return AiStyle::query()
+            ->where('key', $key)
+            ->where('is_active', true)
+            ->first();
+    }
+
+    private function resolveIdempotencyKey(
+        mixed $bodyKey,
+        mixed $headerKey,
+        Event $event,
+        Photo $photo,
+        AiStyle $style,
+        string $prompt,
+        mixed $requestedByUserId
+    ): string {
+        $candidate = trim((string) ($bodyKey ?: $headerKey ?: ''));
+        if ($candidate !== '') {
+            return Str::limit($candidate, 120, '');
+        }
+
+        return substr(hash('sha256', implode('|', [
+            (string) $event->id,
+            (string) $photo->id,
+            (string) $style->id,
+            trim($prompt),
+            (string) ($this->normalizeUserId($requestedByUserId)),
+        ])), 0, 120);
+    }
+
+    private function normalizeUserId(mixed $userId): ?string
+    {
+        if (! is_int($userId) && ! is_string($userId)) {
+            return null;
+        }
+
+        $value = trim((string) $userId);
+
+        return $value !== '' ? $value : null;
+    }
+
+    private function normalizeOptionalString(?string $value): ?string
+    {
+        if ($value === null) {
+            return null;
+        }
+
+        $trimmed = trim($value);
+
+        return $trimmed !== '' ? $trimmed : null;
+    }
+
+    private function isIdempotencyConflict(
+        AiEditRequest $request,
+        Event $event,
+        Photo $photo,
+        AiStyle $style,
+        string $prompt,
+        string $negativePrompt,
+        ?string $providerModel,
+        mixed $requestedByUserId
+    ): bool {
+        if ($request->event_id !== $event->id || $request->photo_id !== $photo->id) {
+            return true;
+        }
+
+        if ((int) ($request->style_id ?? 0) !== (int) $style->id) {
+            return true;
+        }
+
+        if ($this->normalizeOptionalString($request->prompt) !== $this->normalizeOptionalString($prompt)) {
+            return true;
+        }
+
+        if ($this->normalizeOptionalString($request->negative_prompt) !== $this->normalizeOptionalString($negativePrompt)) {
+            return true;
+        }
+
+        if ($this->normalizeOptionalString($request->provider_model) !== $this->normalizeOptionalString($providerModel)) {
+            return true;
+        }
+
+        return $this->normalizeUserId($request->requested_by_user_id) !== $this->normalizeUserId($requestedByUserId);
+    }
+
+    private function serializeStyle(AiStyle $style): array
+    {
+        return [
+            'id' => $style->id,
+            'key' => $style->key,
+            'name' => $style->name,
+            'version' => $style->version,
+            'category' => $style->category,
+            'description' => $style->description,
+            'provider' => $style->provider,
+            'provider_model' => $style->provider_model,
+            'requires_source_image' => $style->requires_source_image,
+            'is_premium' => $style->is_premium,
+            'metadata' => $style->metadata ?? [],
+        ];
+    }
+
+    private function serializeRequest(AiEditRequest $request): array
+    {
+        return [
+            'id' => $request->id,
+            'event_id' => $request->event_id,
+            'photo_id' => $request->photo_id,
+            'style' => $request->style ? [
+                'id' => $request->style->id,
+                'key' => $request->style->key,
+                'name' => $request->style->name,
+            ] : null,
+            'provider' => $request->provider,
+            'provider_model' => $request->provider_model,
+            'status' => $request->status,
+            'safety_state' => $request->safety_state,
+            'safety_reasons' => $request->safety_reasons ?? [],
+            'failure_code' => $request->failure_code,
+            'failure_message' => $request->failure_message,
+            'queued_at' => $request->queued_at?->toIso8601String(),
+            'started_at' => $request->started_at?->toIso8601String(),
+            'completed_at' => $request->completed_at?->toIso8601String(),
+            'outputs' => $request->outputs->map(fn ($output) => [
+                'id' => $output->id,
+                'storage_disk' => $output->storage_disk,
+                'storage_path' => $output->storage_path,
+                'provider_url' => $output->provider_url,
+                'mime_type' => $output->mime_type,
+                'width' => $output->width,
+                'height' => $output->height,
+                'is_primary' => $output->is_primary,
+                'safety_state' => $output->safety_state,
+                'safety_reasons' => $output->safety_reasons ?? [],
+                'generated_at' => $output->generated_at?->toIso8601String(),
+            ])->values(),
+        ];
+    }
+}

app/Http/Controllers/Api/Tenant/EventAddonCatalogController.php

@@ -3,6 +3,7 @@
 namespace App\Http\Controllers\Api\Tenant;
 
 use App\Http\Controllers\Controller;
+use App\Models\CheckoutSession;
 use App\Services\Addons\EventAddonCatalog;
 use Illuminate\Http\JsonResponse;
 
@@ -12,9 +13,25 @@ class EventAddonCatalogController extends Controller
 
     public function index(): JsonResponse
     {
+        $provider = config('package-addons.provider')
+            ?? config('checkout.default_provider', CheckoutSession::PROVIDER_PAYPAL);
+
         $addons = collect($this->catalog->all())
+            ->map(function (array $addon, string $key) use ($provider): array {
+                $priceId = $provider === CheckoutSession::PROVIDER_PAYPAL
+                    ? ($addon['price'] ?? null ? 'paypal' : null)
+                    : ($addon['variant_id'] ?? null);
+
+                return [
+                    'key' => $key,
+                    'label' => $addon['label'] ?? null,
+                    'price_id' => $priceId,
+                    'increments' => $addon['increments'] ?? [],
+                    'price' => $addon['price'] ?? null,
+                    'currency' => $addon['currency'] ?? 'EUR',
+                ];
+            })
             ->filter(fn (array $addon) => ! empty($addon['price_id']))
-            ->map(fn (array $addon, string $key) => array_merge($addon, ['key' => $key]))
             ->values()
             ->all();
 

app/Http/Controllers/Api/Tenant/EventAnalyticsController.php

@@ -7,7 +7,6 @@ use App\Models\Event;
 use App\Services\Analytics\EventAnalyticsService;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Http\Request;
-use Illuminate\Support\Arr;
 
 class EventAnalyticsController extends Controller
 {
@@ -23,13 +22,13 @@ class EventAnalyticsController extends Controller
         if (is_string($packageFeatures)) {
             $packageFeatures = json_decode($packageFeatures, true) ?? [];
         }
-        
+
         $hasAccess = in_array('advanced_analytics', $packageFeatures, true);
 
-        if (!$hasAccess) {
-             return response()->json([
+        if (! $hasAccess) {
+            return response()->json([
                 'message' => 'This feature is only available in the Premium package.',
-                'code' => 'feature_locked'
+                'code' => 'feature_locked',
             ], 403);
         }