Merge pull request 'dev' (#12 ) from dev into main

Reviewed-on: #12
Make llms.txt always fetch fresh data from the backend
2026-02-16 23:11:52 +00:00 · 2026-02-16 23:10:33 +00:00 · 2026-02-16 22:53:59 +00:00 · 2026-02-16 22:44:19 +00:00 · 2026-02-16 22:42:55 +00:00 · 2026-02-14 19:04:42 +00:00
14 changed files with 3046 additions and 1644 deletions
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -19,7 +19,7 @@ GOOGLE_CLIENT_ID=
 # Server Configuration
 PORT=3001
 API_URL=http://localhost:3001
-FRONTEND_URL=http://localhost:3002
+FRONTEND_URL=http://localhost:3019
 # Revalidation secret (shared with frontend for on-demand cache revalidation)
 # Must match the REVALIDATE_SECRET in frontend/.env
@@ -72,3 +72,4 @@ SMTP_TLS_REJECT_UNAUTHORIZED=true
 # Maximum number of emails that can be sent per hour (default: 30)
 # If the limit is reached, queued emails will pause and resume automatically
 MAX_EMAILS_PER_HOUR=30
--- a/backend/src/lib/revalidate.ts
+++ b/backend/src/lib/revalidate.ts
@@ -0,0 +1,22 @@
 // Trigger frontend cache revalidation (fire-and-forget)
 // Revalidates both the sitemap and the next-event data (homepage, llms.txt)
 export function revalidateFrontendCache() {
  const frontendUrl = process.env.FRONTEND_URL || 'http://localhost:3002';
  const secret = process.env.REVALIDATE_SECRET;
  if (!secret) {
    console.warn('REVALIDATE_SECRET not set, skipping frontend revalidation');
    return;
  }
  fetch(`${frontendUrl}/api/revalidate`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ secret, tag: ['events-sitemap', 'next-event'] }),
  })
    .then((res) => {
      if (!res.ok) console.error('Frontend revalidation failed:', res.status);
      else console.log('Frontend revalidation triggered (sitemap + next-event)');
    })
    .catch((err) => {
      console.error('Frontend revalidation error:', err.message);
    });
 }
--- a/backend/src/routes/admin.ts
+++ b/backend/src/routes/admin.ts
@@ -1,6 +1,6 @@
 import { Hono } from 'hono';
 import { db, dbGet, dbAll, users, events, tickets, payments, contacts, emailSubscribers } from '../db/index.js';
-import { eq, and, gte, sql, desc } from 'drizzle-orm';
+import { eq, and, gte, sql, desc, inArray } from 'drizzle-orm';
 import { requireAuth } from '../lib/auth.js';
 import { getNow } from '../lib/utils.js';
@@ -222,6 +222,211 @@ adminRouter.get('/export/tickets', requireAuth(['admin']), async (c) => {
  return c.json({ tickets: enrichedTickets });
 });
 // Export attendees for a specific event (admin) — CSV download
 adminRouter.get('/events/:eventId/attendees/export', requireAuth(['admin']), async (c) => {
  const eventId = c.req.param('eventId');
  const status = c.req.query('status') || 'all'; // confirmed | checked_in | confirmed_pending | all
  const q = c.req.query('q') || '';
  // Verify event exists
  const event = await dbGet<any>(
    (db as any).select().from(events).where(eq((events as any).id, eventId))
  );
  if (!event) {
    return c.json({ error: 'Event not found' }, 404);
  }
  // Build query for tickets belonging to this event
  let conditions: any[] = [eq((tickets as any).eventId, eventId)];
  if (status === 'confirmed') {
    conditions.push(eq((tickets as any).status, 'confirmed'));
  } else if (status === 'checked_in') {
    conditions.push(eq((tickets as any).status, 'checked_in'));
  } else if (status === 'confirmed_pending') {
    conditions.push(inArray((tickets as any).status, ['confirmed', 'pending']));
  } else {
    // "all" — include everything
  }
  let ticketList = await dbAll<any>(
    (db as any)
      .select()
      .from(tickets)
      .where(conditions.length === 1 ? conditions[0] : and(...conditions))
      .orderBy(desc((tickets as any).createdAt))
  );
  // Apply text search filter in-memory
  if (q) {
    const query = q.toLowerCase();
    ticketList = ticketList.filter((t: any) => {
      const fullName = `${t.attendeeFirstName || ''} ${t.attendeeLastName || ''}`.toLowerCase();
      return (
        fullName.includes(query) ||
        (t.attendeeEmail || '').toLowerCase().includes(query) ||
        (t.attendeePhone || '').toLowerCase().includes(query) ||
        t.id.toLowerCase().includes(query)
      );
    });
  }
  // Enrich each ticket with payment data
  const rows = await Promise.all(
    ticketList.map(async (ticket: any) => {
      const payment = await dbGet<any>(
        (db as any)
          .select()
          .from(payments)
          .where(eq((payments as any).ticketId, ticket.id))
      );
      const fullName = [ticket.attendeeFirstName, ticket.attendeeLastName].filter(Boolean).join(' ');
      const isCheckedIn = ticket.status === 'checked_in';
      return {
        'Ticket ID': ticket.id,
        'Full Name': fullName,
        'Email': ticket.attendeeEmail || '',
        'Phone': ticket.attendeePhone || '',
        'Status': ticket.status,
        'Checked In': isCheckedIn ? 'true' : 'false',
        'Check-in Time': ticket.checkinAt || '',
        'Payment Status': payment?.status || '',
        'Booked At': ticket.createdAt || '',
        'Notes': ticket.adminNote || '',
      };
    })
  );
  // Generate CSV
  const csvEscape = (value: string) => {
    if (value == null) return '';
    const str = String(value);
    if (str.includes(',') || str.includes('"') || str.includes('\n') || str.includes('\r')) {
      return '"' + str.replace(/"/g, '""') + '"';
    }
    return str;
  };
  const columns = [
    'Ticket ID', 'Full Name', 'Email', 'Phone',
    'Status', 'Checked In', 'Check-in Time', 'Payment Status',
    'Booked At', 'Notes',
  ];
  const headerLine = columns.map(csvEscape).join(',');
  const dataLines = rows.map((row: any) =>
    columns.map((col) => csvEscape(row[col])).join(',')
  );
  const csvContent = '\uFEFF' + [headerLine, ...dataLines].join('\r\n'); // BOM for UTF-8
  // Build filename: event-slug-attendees-YYYY-MM-DD.csv
  const slug = (event.title || 'event')
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, '-')
    .replace(/(^-|-$)/g, '');
  const dateStr = new Date().toISOString().split('T')[0];
  const filename = `${slug}-attendees-${dateStr}.csv`;
  c.header('Content-Type', 'text/csv; charset=utf-8');
  c.header('Content-Disposition', `attachment; filename="${filename}"`);
  return c.body(csvContent);
 });
 // Legacy alias — keep old path working
 adminRouter.get('/events/:eventId/export', requireAuth(['admin']), async (c) => {
  const newUrl = new URL(c.req.url);
  newUrl.pathname = newUrl.pathname.replace('/export', '/attendees/export');
  return c.redirect(newUrl.toString(), 301);
 });
 // Export tickets for a specific event (admin) — CSV download (confirmed/checked_in only)
 adminRouter.get('/events/:eventId/tickets/export', requireAuth(['admin']), async (c) => {
  const eventId = c.req.param('eventId');
  const status = c.req.query('status') || 'all'; // confirmed | checked_in | all
  const q = c.req.query('q') || '';
  // Verify event exists
  const event = await dbGet<any>(
    (db as any).select().from(events).where(eq((events as any).id, eventId))
  );
  if (!event) {
    return c.json({ error: 'Event not found' }, 404);
  }
  // Only confirmed/checked_in for tickets export
  let conditions: any[] = [
    eq((tickets as any).eventId, eventId),
    inArray((tickets as any).status, ['confirmed', 'checked_in']),
  ];
  if (status === 'confirmed') {
    conditions = [eq((tickets as any).eventId, eventId), eq((tickets as any).status, 'confirmed')];
  } else if (status === 'checked_in') {
    conditions = [eq((tickets as any).eventId, eventId), eq((tickets as any).status, 'checked_in')];
  }
  let ticketList = await dbAll<any>(
    (db as any)
      .select()
      .from(tickets)
      .where(and(...conditions))
      .orderBy(desc((tickets as any).createdAt))
  );
  // Apply text search filter
  if (q) {
    const query = q.toLowerCase();
    ticketList = ticketList.filter((t: any) => {
      const fullName = `${t.attendeeFirstName || ''} ${t.attendeeLastName || ''}`.toLowerCase();
      return (
        fullName.includes(query) ||
        t.id.toLowerCase().includes(query)
      );
    });
  }
  const csvEscape = (value: string) => {
    if (value == null) return '';
    const str = String(value);
    if (str.includes(',') || str.includes('"') || str.includes('\n') || str.includes('\r')) {
      return '"' + str.replace(/"/g, '""') + '"';
    }
    return str;
  };
  const columns = ['Ticket ID', 'Booking ID', 'Attendee Name', 'Status', 'Check-in Time', 'Booked At'];
  const rows = ticketList.map((ticket: any) => ({
    'Ticket ID': ticket.id,
    'Booking ID': ticket.bookingId || '',
    'Attendee Name': [ticket.attendeeFirstName, ticket.attendeeLastName].filter(Boolean).join(' '),
    'Status': ticket.status,
    'Check-in Time': ticket.checkinAt || '',
    'Booked At': ticket.createdAt || '',
  }));
  const headerLine = columns.map(csvEscape).join(',');
  const dataLines = rows.map((row: any) =>
    columns.map((col: string) => csvEscape(row[col])).join(',')
  );
  const csvContent = '\uFEFF' + [headerLine, ...dataLines].join('\r\n');
  const slug = (event.title || 'event')
    .toLowerCase()
    .replace(/[^a-z0-9]+/g, '-')
    .replace(/(^-|-$)/g, '');
  const dateStr = new Date().toISOString().split('T')[0];
  const filename = `${slug}-tickets-${dateStr}.csv`;
  c.header('Content-Type', 'text/csv; charset=utf-8');
  c.header('Content-Disposition', `attachment; filename="${filename}"`);
  return c.body(csvContent);
 });
 // Export financial data (admin)
 adminRouter.get('/export/financial', requireAuth(['admin']), async (c) => {
  const startDate = c.req.query('startDate');
--- a/backend/src/routes/events.ts
+++ b/backend/src/routes/events.ts
@@ -5,6 +5,7 @@ import { db, dbGet, dbAll, events, tickets, payments, eventPaymentOverrides, ema
 import { eq, desc, and, gte, sql } from 'drizzle-orm';
 import { requireAuth, getAuthUser } from '../lib/auth.js';
 import { generateId, getNow, convertBooleansForDb, toDbDate, calculateAvailableSeats } from '../lib/utils.js';
 import { revalidateFrontendCache } from '../lib/revalidate.js';
 interface UserContext {
  id: string;
@@ -15,29 +16,6 @@ interface UserContext {
 const eventsRouter = new Hono<{ Variables: { user: UserContext } }>();
 // Trigger frontend cache revalidation (fire-and-forget)
 // Revalidates both the sitemap and the next-event data (homepage, llms.txt)
 function revalidateFrontendCache() {
  const frontendUrl = process.env.FRONTEND_URL || 'http://localhost:3002';
  const secret = process.env.REVALIDATE_SECRET;
  if (!secret) {
    console.warn('REVALIDATE_SECRET not set, skipping frontend revalidation');
    return;
  }
  fetch(`${frontendUrl}/api/revalidate`, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ secret, tag: ['events-sitemap', 'next-event'] }),
  })
    .then((res) => {
      if (!res.ok) console.error('Frontend revalidation failed:', res.status);
      else console.log('Frontend revalidation triggered (sitemap + next-event)');
    })
    .catch((err) => {
      console.error('Frontend revalidation error:', err.message);
    });
 }
 // Helper to normalize event data for API response
 // PostgreSQL decimal returns strings, booleans are stored as integers
 function normalizeEvent(event: any) {
--- a/backend/src/routes/site-settings.ts
+++ b/backend/src/routes/site-settings.ts
@@ -5,6 +5,7 @@ import { db, dbGet, siteSettings, events } from '../db/index.js';
 import { eq, and, gte } from 'drizzle-orm';
 import { requireAuth } from '../lib/auth.js';
 import { generateId, getNow, toDbBool } from '../lib/utils.js';
 import { revalidateFrontendCache } from '../lib/revalidate.js';
 interface UserContext {
  id: string;
@@ -172,6 +173,11 @@ siteSettingsRouter.put('/', requireAuth(['admin']), zValidator('json', updateSit
    (db as any).select().from(siteSettings).where(eq((siteSettings as any).id, existing.id))
  );
  // Revalidate frontend cache if featured event changed
  if (data.featuredEventId !== undefined) {
    revalidateFrontendCache();
  }
  return c.json({ settings: updated, message: 'Settings updated successfully' });
 });
@@ -216,6 +222,9 @@ siteSettingsRouter.put('/featured-event', requireAuth(['admin']), zValidator('js
    await (db as any).insert(siteSettings).values(newSettings);
    // Revalidate frontend cache so homepage shows the updated featured event
    revalidateFrontendCache();
    return c.json({ featuredEventId: eventId, message: eventId ? 'Event set as featured' : 'Featured event removed' });
  }
@@ -229,6 +238,9 @@ siteSettingsRouter.put('/featured-event', requireAuth(['admin']), zValidator('js
    })
    .where(eq((siteSettings as any).id, existing.id));
  // Revalidate frontend cache so homepage shows the updated featured event
  revalidateFrontendCache();
  return c.json({ featuredEventId: eventId, message: eventId ? 'Event set as featured' : 'Featured event removed' });
 });
--- a/backend/src/routes/tickets.ts
+++ b/backend/src/routes/tickets.ts
@@ -2,7 +2,7 @@ import { Hono } from 'hono';
 import { zValidator } from '@hono/zod-validator';
 import { z } from 'zod';
 import { db, dbGet, dbAll, tickets, events, users, payments, paymentOptions, siteSettings } from '../db/index.js';
-import { eq, and, sql } from 'drizzle-orm';
+import { eq, and, or, sql } from 'drizzle-orm';
 import { requireAuth, getAuthUser } from '../lib/auth.js';
 import { generateId, generateTicketCode, getNow, calculateAvailableSeats, isEventSoldOut } from '../lib/utils.js';
 import { createInvoice, isLNbitsConfigured } from '../lib/lnbits.js';
@@ -490,6 +490,125 @@ ticketsRouter.get('/:id/pdf', async (c) => {
  }
 });
 // Get event check-in stats for scanner (lightweight endpoint for staff)
 ticketsRouter.get('/stats/checkin', requireAuth(['admin', 'organizer', 'staff']), async (c) => {
  const eventId = c.req.query('eventId');
  if (!eventId) {
    return c.json({ error: 'eventId is required' }, 400);
  }
  // Get event info
  const event = await dbGet<any>(
    (db as any).select().from(events).where(eq((events as any).id, eventId))
  );
  if (!event) {
    return c.json({ error: 'Event not found' }, 404);
  }
  // Count checked-in tickets
  const checkedInCount = await dbGet<any>(
    (db as any)
      .select({ count: sql<number>`count(*)` })
      .from(tickets)
      .where(
        and(
          eq((tickets as any).eventId, eventId),
          eq((tickets as any).status, 'checked_in')
        )
      )
  );
  // Count confirmed + checked_in (total active)
  const totalActiveCount = await dbGet<any>(
    (db as any)
      .select({ count: sql<number>`count(*)` })
      .from(tickets)
      .where(
        and(
          eq((tickets as any).eventId, eventId),
          sql`${(tickets as any).status} IN ('confirmed', 'checked_in')`
        )
      )
  );
  return c.json({
    eventId,
    capacity: event.capacity,
    checkedIn: checkedInCount?.count || 0,
    totalActive: totalActiveCount?.count || 0,
  });
 });
 // Live search tickets (GET - for scanner live search)
 ticketsRouter.get('/search', requireAuth(['admin', 'organizer', 'staff']), async (c) => {
  const q = c.req.query('q')?.trim() || '';
  const eventId = c.req.query('eventId');
  if (q.length < 2) {
    return c.json({ tickets: [] });
  }
  const searchTerm = `%${q.toLowerCase()}%`;
  // Search by name (ILIKE), email (ILIKE), ticket ID (exact or partial)
  const nameEmailConditions = [
    sql`LOWER(${(tickets as any).attendeeEmail}) LIKE ${searchTerm}`,
    sql`LOWER(${(tickets as any).attendeeFirstName}) LIKE ${searchTerm}`,
    sql`LOWER(${(tickets as any).attendeeLastName}) LIKE ${searchTerm}`,
    sql`LOWER(${(tickets as any).attendeeFirstName} || ' ' || COALESCE(${(tickets as any).attendeeLastName}, '')) LIKE ${searchTerm}`,
    // Ticket ID exact or partial match (cast UUID to text for LOWER)
    sql`LOWER(CAST(${(tickets as any).id} AS TEXT)) LIKE ${searchTerm}`,
    sql`LOWER(CAST(${(tickets as any).qrCode} AS TEXT)) LIKE ${searchTerm}`,
  ];
  let whereClause: any = and(
    or(...nameEmailConditions),
    // Exclude cancelled tickets by default
    sql`${(tickets as any).status} != 'cancelled'`
  );
  if (eventId) {
    whereClause = and(whereClause, eq((tickets as any).eventId, eventId));
  }
  const matchingTickets = await dbAll<any>(
    (db as any)
      .select()
      .from(tickets)
      .where(whereClause)
      .limit(20)
  );
  // Enrich with event details
  const results = await Promise.all(
    matchingTickets.map(async (ticket: any) => {
      const event = await dbGet<any>(
        (db as any).select().from(events).where(eq((events as any).id, ticket.eventId))
      );
      return {
        ticket_id: ticket.id,
        name: `${ticket.attendeeFirstName} ${ticket.attendeeLastName || ''}`.trim(),
        email: ticket.attendeeEmail,
        status: ticket.status,
        checked_in: ticket.status === 'checked_in',
        checkinAt: ticket.checkinAt,
        event_id: ticket.eventId,
        qrCode: ticket.qrCode,
        event: event ? {
          id: event.id,
          title: event.title,
          startDatetime: event.startDatetime,
          location: event.location,
        } : null,
      };
    })
  );
  return c.json({ tickets: results });
 });
 // Get ticket by ID
 ticketsRouter.get('/:id', async (c) => {
  const id = c.req.param('id');
@@ -554,6 +673,65 @@ ticketsRouter.put('/:id', requireAuth(['admin', 'organizer', 'staff']), zValidat
  return c.json({ ticket: updated });
 });
 // Search tickets by name/email (for scanner manual search)
 ticketsRouter.post('/search', requireAuth(['admin', 'organizer', 'staff']), async (c) => {
  const body = await c.req.json().catch(() => ({}));
  const { query, eventId } = body;
  if (!query || typeof query !== 'string' || query.trim().length < 2) {
    return c.json({ error: 'Search query must be at least 2 characters' }, 400);
  }
  const searchTerm = `%${query.trim().toLowerCase()}%`;
  const conditions = [
    sql`LOWER(${(tickets as any).attendeeEmail}) LIKE ${searchTerm}`,
    sql`LOWER(${(tickets as any).attendeeFirstName}) LIKE ${searchTerm}`,
    sql`LOWER(${(tickets as any).attendeeLastName}) LIKE ${searchTerm}`,
    sql`LOWER(${(tickets as any).attendeeFirstName} || ' ' || COALESCE(${(tickets as any).attendeeLastName}, '')) LIKE ${searchTerm}`,
  ];
  let whereClause = or(...conditions);
  if (eventId) {
    whereClause = and(whereClause, eq((tickets as any).eventId, eventId));
  }
  const matchingTickets = await dbAll<any>(
    (db as any)
      .select()
      .from(tickets)
      .where(whereClause)
      .limit(20)
  );
  // Enrich with event details
  const results = await Promise.all(
    matchingTickets.map(async (ticket: any) => {
      const event = await dbGet<any>(
        (db as any).select().from(events).where(eq((events as any).id, ticket.eventId))
      );
      return {
        id: ticket.id,
        qrCode: ticket.qrCode,
        attendeeName: `${ticket.attendeeFirstName} ${ticket.attendeeLastName || ''}`.trim(),
        attendeeEmail: ticket.attendeeEmail,
        attendeePhone: ticket.attendeePhone,
        status: ticket.status,
        checkinAt: ticket.checkinAt,
        event: event ? {
          id: event.id,
          title: event.title,
          startDatetime: event.startDatetime,
          location: event.location,
        } : null,
      };
    })
  );
  return c.json({ tickets: results });
 });
 // Validate ticket by QR code (for scanner)
 ticketsRouter.post('/validate', requireAuth(['admin', 'organizer', 'staff']), async (c) => {
  const body = await c.req.json().catch(() => ({}));
--- a/deploy/spanglish-backend.service
+++ b/deploy/spanglish-backend.service
@@ -8,9 +8,9 @@ Type=simple
 User=spanglish
 Group=spanglish
 WorkingDirectory=/home/spanglish/Spanglish/backend
 EnvironmentFile=/home/spanglish/Spanglish/backend/.env
 Environment=NODE_ENV=production
 Environment=PORT=3018
 EnvironmentFile=/home/spanglish/Spanglish/backend/.env
 ExecStart=/usr/bin/node dist/index.js
 Restart=on-failure
 RestartSec=10
--- a/frontend/src/app/admin/events/[id]/page.tsx
+++ b/frontend/src/app/admin/events/[id]/page.tsx
--- a/frontend/src/app/admin/layout.tsx
+++ b/frontend/src/app/admin/layout.tsx
@@ -37,14 +37,56 @@ export default function AdminLayout({
  const router = useRouter();
  const pathname = usePathname();
  const { t, locale } = useLanguage();
-  const { user, isAdmin, isLoading, logout } = useAuth();
+  const { user, hasAdminAccess, isLoading, logout } = useAuth();
  const [sidebarOpen, setSidebarOpen] = useState(false);
  type Role = 'admin' | 'organizer' | 'staff' | 'marketing';
  const userRole = (user?.role || 'user') as Role;
  const navigationWithRoles: { name: string; href: string; icon: typeof HomeIcon; allowedRoles: Role[] }[] = [
    { name: t('admin.nav.dashboard'), href: '/admin', icon: HomeIcon, allowedRoles: ['admin', 'organizer'] },
    { name: t('admin.nav.events'), href: '/admin/events', icon: CalendarIcon, allowedRoles: ['admin', 'organizer', 'staff'] },
    { name: t('admin.nav.bookings'), href: '/admin/bookings', icon: TicketIcon, allowedRoles: ['admin', 'organizer'] },
    { name: locale === 'es' ? 'Escáner' : 'Scanner', href: '/admin/scanner', icon: QrCodeIcon, allowedRoles: ['admin', 'organizer', 'staff'] },
    { name: t('admin.nav.users'), href: '/admin/users', icon: UsersIcon, allowedRoles: ['admin'] },
    { name: t('admin.nav.payments'), href: '/admin/payments', icon: CreditCardIcon, allowedRoles: ['admin', 'organizer'] },
    { name: locale === 'es' ? 'Opciones de Pago' : 'Payment Options', href: '/admin/payment-options', icon: BanknotesIcon, allowedRoles: ['admin', 'organizer'] },
    { name: t('admin.nav.contacts'), href: '/admin/contacts', icon: EnvelopeIcon, allowedRoles: ['admin', 'organizer', 'marketing'] },
    { name: t('admin.nav.emails'), href: '/admin/emails', icon: InboxIcon, allowedRoles: ['admin', 'organizer'] },
    { name: t('admin.nav.gallery'), href: '/admin/gallery', icon: PhotoIcon, allowedRoles: ['admin', 'organizer'] },
    { name: locale === 'es' ? 'Páginas Legales' : 'Legal Pages', href: '/admin/legal-pages', icon: DocumentTextIcon, allowedRoles: ['admin'] },
    { name: 'FAQ', href: '/admin/faq', icon: QuestionMarkCircleIcon, allowedRoles: ['admin'] },
    { name: locale === 'es' ? 'Configuración' : 'Settings', href: '/admin/settings', icon: Cog6ToothIcon, allowedRoles: ['admin'] },
  ];
  const allowedPathsForRole = new Set(
    navigationWithRoles.filter((item) => item.allowedRoles.includes(userRole)).map((item) => item.href)
  );
  const defaultAdminRoute =
    userRole === 'staff' ? '/admin/scanner' : userRole === 'marketing' ? '/admin/contacts' : '/admin';
  // All hooks must be called unconditionally before any early returns
  useEffect(() => {
-    if (!isLoading && (!user || !isAdmin)) {
+    if (!isLoading && (!user || !hasAdminAccess)) {
      router.push('/login');
    }
-  }, [user, isAdmin, isLoading, router]);
+  }, [user, hasAdminAccess, isLoading, router]);
  useEffect(() => {
    if (!user || !hasAdminAccess) return;
    if (!pathname.startsWith('/admin')) return;
    if (pathname === '/admin' && (userRole === 'staff' || userRole === 'marketing')) {
      router.replace(defaultAdminRoute);
      return;
    }
    const isPathAllowed = (path: string) => {
      if (allowedPathsForRole.has(path)) return true;
      return Array.from(allowedPathsForRole).some((allowed) => path.startsWith(allowed + '/'));
    };
    if (!isPathAllowed(pathname)) {
      router.replace(defaultAdminRoute);
    }
  }, [pathname, userRole, defaultAdminRoute, router, user, hasAdminAccess]);
  if (isLoading) {
    return (
@@ -54,31 +96,29 @@ export default function AdminLayout({
    );
  }
-  if (!user || !isAdmin) {
+  if (!user || !hasAdminAccess) {
    return null;
  }
-  const navigation = [
+  const visibleNav = navigationWithRoles.filter((item) => item.allowedRoles.includes(userRole));
-    { name: t('admin.nav.dashboard'), href: '/admin', icon: HomeIcon },
+  const navigation = visibleNav;
    { name: t('admin.nav.events'), href: '/admin/events', icon: CalendarIcon },
    { name: t('admin.nav.bookings'), href: '/admin/bookings', icon: TicketIcon },
    { name: locale === 'es' ? 'Escáner' : 'Scanner', href: '/admin/scanner', icon: QrCodeIcon },
    { name: t('admin.nav.users'), href: '/admin/users', icon: UsersIcon },
    { name: t('admin.nav.payments'), href: '/admin/payments', icon: CreditCardIcon },
    { name: locale === 'es' ? 'Opciones de Pago' : 'Payment Options', href: '/admin/payment-options', icon: BanknotesIcon },
    { name: t('admin.nav.contacts'), href: '/admin/contacts', icon: EnvelopeIcon },
    { name: t('admin.nav.emails'), href: '/admin/emails', icon: InboxIcon },
    { name: t('admin.nav.gallery'), href: '/admin/gallery', icon: PhotoIcon },
    { name: locale === 'es' ? 'Páginas Legales' : 'Legal Pages', href: '/admin/legal-pages', icon: DocumentTextIcon },
    { name: 'FAQ', href: '/admin/faq', icon: QuestionMarkCircleIcon },
    { name: locale === 'es' ? 'Configuración' : 'Settings', href: '/admin/settings', icon: Cog6ToothIcon },
  ];
  const handleLogout = () => {
    logout();
    router.push('/');
  };
  // Scanner page gets fullscreen layout without sidebar
  const isScannerPage = pathname === '/admin/scanner';
  if (isScannerPage) {
    return (
      <div className="min-h-screen bg-gray-950">
        {children}
      </div>
    );
  }
  return (
    <div className="min-h-screen bg-secondary-gray">
      {/* Mobile sidebar backdrop */}
--- a/frontend/src/app/admin/scanner/page.tsx
+++ b/frontend/src/app/admin/scanner/page.tsx
--- a/frontend/src/app/llms.txt/route.ts
+++ b/frontend/src/app/llms.txt/route.ts
@@ -28,7 +28,7 @@ interface LlmsEvent {
 async function getNextUpcomingEvent(): Promise<LlmsEvent | null> {
  try {
    const response = await fetch(`${apiUrl}/api/events/next/upcoming`, {
-      next: { tags: ['next-event'] },
+      cache: 'no-store',
    });
    if (!response.ok) return null;
    const data = await response.json();
@@ -41,7 +41,7 @@ async function getNextUpcomingEvent(): Promise<LlmsEvent | null> {
 async function getUpcomingEvents(): Promise<LlmsEvent[]> {
  try {
    const response = await fetch(`${apiUrl}/api/events?status=published&upcoming=true`, {
-      next: { tags: ['next-event'] },
+      cache: 'no-store',
    });
    if (!response.ok) return [];
    const data = await response.json();
@@ -115,7 +115,7 @@ function getEventStatus(event: LlmsEvent): string {
 async function getHomepageFaqs(): Promise<LlmsFaq[]> {
  try {
    const response = await fetch(`${apiUrl}/api/faq?homepage=true`, {
-      next: { revalidate: 3600 },
+      cache: 'no-store',
    });
    if (!response.ok) return [];
    const data = await response.json();
@@ -128,6 +128,8 @@ async function getHomepageFaqs(): Promise<LlmsFaq[]> {
  }
 }
 export const dynamic = 'force-dynamic';
 export async function GET() {
  const [nextEvent, upcomingEvents, faqs] = await Promise.all([
    getNextUpcomingEvent(),
--- a/frontend/src/components/layout/Header.tsx
+++ b/frontend/src/components/layout/Header.tsx
@@ -43,7 +43,7 @@ function MobileNavLink({ href, children, onClick }: { href: string; children: Re
 export default function Header() {
  const { t } = useLanguage();
-  const { user, isAdmin, logout } = useAuth();
+  const { user, hasAdminAccess, logout } = useAuth();
  const [mobileMenuOpen, setMobileMenuOpen] = useState(false);
  const menuRef = useRef<HTMLDivElement>(null);
  const touchStartX = useRef<number>(0);
@@ -148,7 +148,7 @@ export default function Header() {
                    {t('nav.dashboard')}
                  </Button>
                </Link>
-                {isAdmin && (
+                {hasAdminAccess && (
                  <Link href="/admin">
                    <Button variant="ghost" size="sm">
                      {t('nav.admin')}
@@ -270,7 +270,7 @@ export default function Header() {
                    {t('nav.dashboard')}
                  </Button>
                </Link>
-                {isAdmin && (
+                {hasAdminAccess && (
                  <Link href="/admin" onClick={closeMenu}>
                    <Button variant="outline" className="w-full justify-center">
                      {t('nav.admin')}
--- a/frontend/src/context/AuthContext.tsx
+++ b/frontend/src/context/AuthContext.tsx
@@ -21,6 +21,7 @@ interface AuthContextType {
  token: string | null;
  isLoading: boolean;
  isAdmin: boolean;
  hasAdminAccess: boolean;
  login: (email: string, password: string) => Promise<void>;
  loginWithGoogle: (credential: string) => Promise<void>;
  loginWithMagicLink: (token: string) => Promise<void>;
@@ -177,6 +178,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
  }, []);
  const isAdmin = user?.role === 'admin' || user?.role === 'organizer';
  const hasAdminAccess = user?.role === 'admin' || user?.role === 'organizer' || user?.role === 'staff' || user?.role === 'marketing';
  return (
    <AuthContext.Provider
@@ -185,6 +187,7 @@ export function AuthProvider({ children }: { children: ReactNode }) {
        token, 
        isLoading, 
        isAdmin, 
        hasAdminAccess,
        login, 
        loginWithGoogle,
        loginWithMagicLink,
--- a/frontend/src/lib/api.ts
+++ b/frontend/src/lib/api.ts
@@ -93,6 +93,27 @@ export const ticketsApi = {
      body: JSON.stringify({ code, eventId }),
    }),
  // Search tickets by name/email (for scanner manual search)
  search: (query: string, eventId?: string) =>
    fetchApi<{ tickets: TicketSearchResult[] }>('/api/tickets/search', {
      method: 'POST',
      body: JSON.stringify({ query, eventId }),
    }),
  // Get event check-in stats (for scanner header counter)
  getCheckinStats: (eventId: string) =>
    fetchApi<{ eventId: string; capacity: number; checkedIn: number; totalActive: number }>(
      `/api/tickets/stats/checkin?eventId=${eventId}`
    ),
  // Live search tickets (GET - for scanner live search with debounce)
  searchLive: (q: string, eventId?: string) => {
    const params = new URLSearchParams();
    params.set('q', q);
    if (eventId) params.set('eventId', eventId);
    return fetchApi<{ tickets: LiveSearchResult[] }>(`/api/tickets/search?${params}`);
  },
  checkin: (id: string) =>
    fetchApi<{ ticket: Ticket & { attendeeName?: string }; event?: { id: string; title: string }; message: string }>(`/api/tickets/${id}/checkin`, {
      method: 'POST',
@@ -351,6 +372,49 @@ export const adminApi = {
    if (params?.eventId) query.set('eventId', params.eventId);
    return fetchApi<{ payments: ExportedPayment[]; summary: FinancialSummary }>(`/api/admin/export/financial?${query}`);
  },
  /** Download attendee export as a file (CSV). Returns a Blob. */
  exportAttendees: async (eventId: string, params?: { status?: string; format?: string; q?: string }) => {
    const query = new URLSearchParams();
    if (params?.status) query.set('status', params.status);
    if (params?.format) query.set('format', params.format);
    if (params?.q) query.set('q', params.q);
    const token = typeof window !== 'undefined'
      ? localStorage.getItem('spanglish-token')
      : null;
    const headers: Record<string, string> = {};
    if (token) headers['Authorization'] = `Bearer ${token}`;
    const res = await fetch(`${API_BASE}/api/admin/events/${eventId}/attendees/export?${query}`, { headers });
    if (!res.ok) {
      const errorData = await res.json().catch(() => ({ error: 'Export failed' }));
      throw new Error(errorData.error || 'Export failed');
    }
    const disposition = res.headers.get('Content-Disposition') || '';
    const filenameMatch = disposition.match(/filename="?([^"]+)"?/);
    const filename = filenameMatch ? filenameMatch[1] : `attendees-${new Date().toISOString().split('T')[0]}.csv`;
    const blob = await res.blob();
    return { blob, filename };
  },
  /** Download tickets export as CSV. Returns a Blob. */
  exportTicketsCSV: async (eventId: string, params?: { status?: string; q?: string }) => {
    const query = new URLSearchParams();
    if (params?.status) query.set('status', params.status);
    if (params?.q) query.set('q', params.q);
    const token = typeof window !== 'undefined'
      ? localStorage.getItem('spanglish-token')
      : null;
    const headers: Record<string, string> = {};
    if (token) headers['Authorization'] = `Bearer ${token}`;
    const res = await fetch(`${API_BASE}/api/admin/events/${eventId}/tickets/export?${query}`, { headers });
    if (!res.ok) {
      const errorData = await res.json().catch(() => ({ error: 'Export failed' }));
      throw new Error(errorData.error || 'Export failed');
    }
    const disposition = res.headers.get('Content-Disposition') || '';
    const filenameMatch = disposition.match(/filename="?([^"]+)"?/);
    const filename = filenameMatch ? filenameMatch[1] : `tickets-${new Date().toISOString().split('T')[0]}.csv`;
    const blob = await res.blob();
    return { blob, filename };
  },
 };
 // Emails API
@@ -508,6 +572,39 @@ export interface TicketValidationResult {
  error?: string;
 }
 export interface TicketSearchResult {
  id: string;
  qrCode: string;
  attendeeName: string;
  attendeeEmail?: string;
  attendeePhone?: string;
  status: string;
  checkinAt?: string;
  event?: {
    id: string;
    title: string;
    startDatetime: string;
    location: string;
  } | null;
 }
 export interface LiveSearchResult {
  ticket_id: string;
  name: string;
  email?: string;
  status: string;
  checked_in: boolean;
  checkinAt?: string;
  event_id: string;
  qrCode: string;
  event?: {
    id: string;
    title: string;
    startDatetime: string;
    location: string;
  } | null;
 }
 export interface Payment {
  id: string;
  ticketId: string;
Author	SHA1	Message	Date
Michilis	15655e3987	Merge pull request 'dev' (#12 ) from dev into main Reviewed-on: #12	2026-02-16 23:11:52 +00:00
Michilis	5263fa6834	Make llms.txt always fetch fresh data from the backend - Switch from tag-based caching to cache: no-store for all backend fetches - Add dynamic = force-dynamic to prevent Next.js static caching - Ensures llms.txt always reflects the current featured event and FAQ data Co-authored-by: Cursor <cursoragent@cursor.com>	2026-02-16 23:10:33 +00:00
Michilis	923c86a3b3	Fix FRONTEND_URL pointing to wrong port, breaking cache revalidation - Update FRONTEND_URL default from localhost:3002 to localhost:3019 (actual frontend port) - Reorder systemd service so EnvironmentFile loads before Environment overrides Co-authored-by: Cursor <cursoragent@cursor.com>	2026-02-16 22:53:59 +00:00
Michilis	d8b3864411	Merge pull request 'Fix stale featured event on homepage: revalidate cache when featured event changes' (#11 ) from dev into main Reviewed-on: #11	2026-02-16 22:44:19 +00:00
Michilis	4aaffe99c7	Fix stale featured event on homepage: revalidate cache when featured event changes - Extract revalidateFrontendCache() to backend/src/lib/revalidate.ts - Call revalidation from site-settings when featuredEventId is set/cleared - Ensures homepage shows updated featured event after admin changes Co-authored-by: Cursor <cursoragent@cursor.com>	2026-02-16 22:42:55 +00:00
Michilis	194cbd6ca8	Merge pull request 'Scanner: close button on valid ticket, camera lifecycle fix' (#10 ) from dev into main Reviewed-on: #10	2026-02-14 19:04:42 +00:00
Michilis	a11da5a977	Scanner: close button on valid ticket, camera lifecycle fix - Add X close button on valid ticket screen to dismiss without check-in - Rewrite QRScanner: full unmount when leaving Scan tab, stop MediaStream tracks - Remount scanner via key when tab active; no hidden DOM - Use 100dvh for mobile height; force layout reflow after camera start - visibilitychange handler for tab suspend/resume Co-authored-by: Cursor <cursoragent@cursor.com>	2026-02-14 19:03:29 +00:00
Michilis	d5445c2282	Merge pull request 'Admin event page: redesign UI, export endpoints, mobile fixes' (#9 ) from dev into main Reviewed-on: #9	2026-02-14 18:38:57 +00:00
Michilis	6bc7e13e78	Admin event page: redesign UI, export endpoints, mobile fixes - Backend: Add /events/:eventId/attendees/export and /events/:eventId/tickets/export with q/status; legacy redirect for old export path - API: exportAttendees q param, new exportTicketsCSV for tickets CSV - Admin event page: unified tabs+content container, portal dropdowns to fix clipping, separate mobile export/add-ticket sheets (fix double menu), responsive tab bar and card layout Co-authored-by: Cursor <cursoragent@cursor.com>	2026-02-14 18:27:27 +00:00
Michilis	dcfefc8371	Merge pull request 'feat(admin): add event attendees export (CSV) with status filters' (#8 ) from dev into main Reviewed-on: #8	2026-02-14 05:28:24 +00:00
Michilis	c3897efd02	feat(admin): add event attendees export (CSV) with status filters Co-authored-by: Cursor <cursoragent@cursor.com>	2026-02-14 05:27:17 +00:00
Michilis	b5f14335c4	Merge pull request 'Mobile scanner redesign + backend live search' (#7 ) from dev into main Reviewed-on: #7	2026-02-14 04:28:44 +00:00
Michilis	62bf048680	Mobile scanner redesign + backend live search - Scanner page: fullscreen mobile-first layout, Scan/Search/Recent tabs - Scan tab: auto-start camera, switch camera, vibration/sound feedback - Valid/invalid fullscreen states, confirm check-in, auto-return to camera - Search tab: live backend search (300ms debounce), tap card for detail + check-in - Recent tab: last 20 check-ins, session counter - Backend: GET /api/tickets/search (live search), GET /api/tickets/stats/checkin - Admin layout: hide sidebar on scanner page; fix hooks order (no early return before useEffect) - Back button to dashboard/events (staff → events, others → admin) - API: searchLive, getCheckinStats, LiveSearchResult; PostgreSQL LOWER cast for UUID Co-authored-by: Cursor <cursoragent@cursor.com>	2026-02-14 04:26:44 +00:00