From 63f016d4a3eb5947d32b06ebd76295f723669c4e Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 10:00:13 -0700
Subject: [PATCH 001/131] ci: build @openpartner/db before typecheck

Downstream packages import from @openpartner/db via its package.json
"types": "dist/index.d.ts" field. Locally this is fine because dev
work rebuilds the db package on every types change, but CI starts
clean and typecheck fails with "Cannot find module '@openpartner/db'"
in apps/router/src/server.ts. Add a build step for the db package
right after install, before Migrate / Lint / Typecheck / Test.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/ci.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1daaa6c..7f090d5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -51,6 +51,12 @@ jobs:
 
       - run: pnpm install --frozen-lockfile
 
+      # @openpartner/db is consumed via its "types": "dist/index.d.ts"
+      # field, so downstream typechecks need its build output to exist.
+      # Also produces the migration bundle the Migrate step runs.
+      - name: Build @openpartner/db
+        run: pnpm --filter @openpartner/db build
+
       - name: Migrate
         run: pnpm migrate
 

From ba67b703174f336836bea4dfc2ba9de0d03d8c65 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 10:09:23 -0700
Subject: [PATCH 002/131] fix(safe-fetch): strip IPv6 brackets before IP check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

WHATWG URL.hostname on IPv6 returns "[::1]" with the brackets intact,
which made isIP() return 0 and the guard fall through to DNS lookup
(→ ENOTFOUND in the test suite, and a missed loopback rejection in
production). Strip [] before the IP check.

Also echo the err.message + stack to stderr in the 500 handler so CI
logs surface test-harness swallowed errors — a vendor signup test
that 500s in CI but not locally was opaque without this.
---
 apps/api/src/app.ts                | 5 +++++
 apps/api/src/network/safe-fetch.ts | 9 +++++++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index a57941f..c13fb91 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -133,6 +133,11 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
 
   app.use((err: Error, req: Request, res: Response, _next: NextFunction) => {
     req.log?.error({ err }, 'request_failed');
+    // Echo message + stack to stderr so CI logs surface 500s that the
+    // test harness would otherwise swallow. Safe — these are
+    // unauthenticated server-side error paths; we're logging them
+    // anyway via pino when the logger's on.
+    console.error(`[500] ${req.method} ${req.url} ${err?.message}\n${err?.stack ?? ''}`);
     res.status(500).json({ error: 'internal_error' });
   });
 
diff --git a/apps/api/src/network/safe-fetch.ts b/apps/api/src/network/safe-fetch.ts
index ff7575d..87564d3 100644
--- a/apps/api/src/network/safe-fetch.ts
+++ b/apps/api/src/network/safe-fetch.ts
@@ -52,8 +52,13 @@ async function assertPublicHost(host: string): Promise<void> {
   // knob a deployed instance can flip accidentally.
   if (process.env.NODE_ENV === 'test') return;
 
-  if (isIP(host) !== 0) {
-    if (isPrivateAddress(host)) {
+  // WHATWG URL hostname for IPv6 keeps the [brackets] — strip before
+  // the isIP / private-address check, otherwise "[::1]" falls through
+  // to DNS and the guard misses loopback.
+  const bare = host.startsWith('[') && host.endsWith(']') ? host.slice(1, -1) : host;
+
+  if (isIP(bare) !== 0) {
+    if (isPrivateAddress(bare)) {
       throw Object.assign(new Error('private_host_blocked'), { code: 'private_host_blocked' });
     }
     return;

From a6db3a6df580418035102cef1655579aa7237782 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 10:20:21 -0700
Subject: [PATCH 003/131] ci: quote NETWORK_ENCRYPTION_KEY in workflow env

YAML parsed the unquoted 64-zero string as the integer 0, the runner
exported NETWORK_ENCRYPTION_KEY=\"0\" (one char), and every code path
through encryptKey/decryptKey 500'd on \"must decode to exactly 32
bytes\". Caught via the error-logging step added in the prior commit.
Quoting the value (and the similarly-shaped ADMIN_API_KEY for good
measure) keeps the string intact.
---
 .github/workflows/ci.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 7f090d5..9005091 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -33,9 +33,11 @@ jobs:
     env:
       DATABASE_URL: postgres://openpartner:openpartner@localhost:5432/openpartner
       # A deterministic 32-byte key so federation code paths that require
-      # NETWORK_ENCRYPTION_KEY don't throw during boot.
-      NETWORK_ENCRYPTION_KEY: 0000000000000000000000000000000000000000000000000000000000000000
-      ADMIN_API_KEY: op_ci_0000000000000000000000000000000000000000000000000000000000
+      # NETWORK_ENCRYPTION_KEY don't throw during boot. Quoted — YAML
+      # would otherwise parse 64 zeros as the integer 0 and hand the
+      # runner the string "0".
+      NETWORK_ENCRYPTION_KEY: "0000000000000000000000000000000000000000000000000000000000000000"
+      ADMIN_API_KEY: "op_ci_0000000000000000000000000000000000000000000000000000000000"
 
     steps:
       - uses: actions/checkout@v4

From fa6fcb15babaac3f52bb43b85dfb853d3fba3325 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 13:39:11 -0700
Subject: [PATCH 004/131] refactor: carve Network + human-auth out of OSS
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenPartner OSS is now strictly vendor-direct: a company runs this
codebase to manage their own partner program and nothing in here
knows about a creator network, a two-sided marketplace, or anyone
else's instance. The creator-discovery / matchmaking layer lives
in a separate private repo (staged at
../openpartner-network-seed/) and integrates with OSS instances
over the existing scoped-API-key federation contract — no shared
schema, no inbound coupling.

Removed:
  - apps/api/src/routes/network-*.ts (vendors, creators, offerings,
    requests, earnings — 5 files)
  - apps/api/src/routes/magic-link.ts (creator + vendor signup /
    signin branches)
  - apps/api/src/network/ (federation client, crypto envelope,
    validation schemas, SSRF-safe fetch)
  - apps/api/src/auth-sessions.ts, mailer.ts, email-templates.ts
    (only used by the removed magic-link flow)
  - packages/db migrations: network / promo_codes / magic_links /
    vendor_email (four files, pre-1.0 — no shipped consumers)
  - NetworkVendor, NetworkCreator, Offering, PartnershipRequest,
    Partnership, MagicLinkToken, Session, DevMessage tables (via
    new drop_network_tables migration — drop-if-exists so fresh
    installs and pre-carve installs both land in the same state)
  - apps/portal: network/ pages (10), auth/Signup, auth/VendorSignup,
    auth/MagicLanding, admin/DevMailbox
  - Associated tests: network.test.ts, magic-link.test.ts,
    mailer.test.ts, safe-fetch.test.ts (30 tests dropped; the
    surviving suite covers attribution, payouts, webhooks,
    observability, rate limiting, export, fraud review, and the
    ultrareview regression set)
  - .env.example / .do/app.yaml / docker-compose.prod.yml /
    ci.yml: dropped NETWORK_ENCRYPTION_KEY, POSTMARK_*, MAIL_*
  - docs/email.md

Kept + simplified:
  - Scoped API keys (the federation contract — an external
    Network calls POST /partners + POST /links on this instance
    as a scoped-keys client)
  - Admin + partner role model (no more network_vendor /
    network_creator principals)
  - Stripe Connect payouts, webhooks, attribution engine, router,
    SDK — all intact

Portal Login simplified to API-key only. README + ARCHITECTURE.md
reposition the project as "run your own partner program" with a
small note about the external Network service.

knexfile.ts opts into disableMigrationsListValidation so knex
doesn't refuse to boot when it sees the deleted migrations' rows
in knex_migrations on pre-existing DBs.

Test count: 58 total across workspaces (44 api + 3 router + 11 sdk),
down from 88 due to the 30 removed tests. Lint + typecheck clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .do/app.yaml                                  |  16 +-
 .env.example                                  |  30 +-
 .github/workflows/ci.yml                      |   6 +-
 ARCHITECTURE.md                               |   8 +-
 README.md                                     |  16 +-
 apps/api/src/__tests__/integration.test.ts    |   3 -
 apps/api/src/__tests__/magic-link.test.ts     | 314 -------
 apps/api/src/__tests__/mailer.test.ts         | 125 ---
 apps/api/src/__tests__/network.test.ts        | 767 ------------------
 apps/api/src/__tests__/safe-fetch.test.ts     |  57 --
 apps/api/src/app.ts                           |  12 -
 apps/api/src/auth-sessions.ts                 | 149 ----
 apps/api/src/auth.ts                          |  69 +-
 apps/api/src/email-templates.ts               | 150 ----
 apps/api/src/mailer.ts                        | 125 ---
 apps/api/src/network/crypto.ts                |  55 --
 apps/api/src/network/federation.ts            | 195 -----
 apps/api/src/network/safe-fetch.ts            |  91 ---
 apps/api/src/network/validation.ts            | 113 ---
 apps/api/src/routes/auth.ts                   |  52 +-
 apps/api/src/routes/magic-link.ts             | 468 -----------
 apps/api/src/routes/network-creators.ts       | 102 ---
 apps/api/src/routes/network-earnings.ts       | 165 ----
 apps/api/src/routes/network-offerings.ts      | 128 ---
 apps/api/src/routes/network-requests.ts       | 246 ------
 apps/api/src/routes/network-vendors.ts        | 168 ----
 apps/portal/src/App.tsx                       | 134 +--
 apps/portal/src/api.ts                        |  16 +-
 apps/portal/src/pages/admin/DevMailbox.tsx    | 166 ----
 apps/portal/src/pages/auth/Login.tsx          | 148 +---
 apps/portal/src/pages/auth/MagicLanding.tsx   |  97 ---
 apps/portal/src/pages/auth/Signup.tsx         | 160 ----
 apps/portal/src/pages/auth/VendorSignup.tsx   | 321 --------
 .../pages/network/AdminNetworkCreators.tsx    | 222 -----
 .../src/pages/network/AdminNetworkVendors.tsx | 342 --------
 .../src/pages/network/CreatorDirectory.tsx    | 250 ------
 .../src/pages/network/CreatorProfile.tsx      | 216 -----
 apps/portal/src/pages/network/Discover.tsx    | 295 -------
 .../src/pages/network/MyPartnerships.tsx      | 346 --------
 apps/portal/src/pages/network/MyRequests.tsx  |  53 --
 .../src/pages/network/OfferingDetail.tsx      | 358 --------
 .../src/pages/network/VendorOfferings.tsx     | 258 ------
 .../src/pages/network/VendorRequests.tsx      | 140 ----
 docker-compose.prod.yml                       |   9 +-
 docs/deploy.md                                |   7 +-
 docs/email.md                                 |  56 --
 packages/db/knexfile.ts                       |   6 +
 .../db/migrations/20260425000000_network.ts   | 159 ----
 .../migrations/20260426000000_promo_codes.ts  |  42 -
 .../migrations/20260428000000_magic_links.ts  |  73 --
 .../migrations/20260430000000_vendor_email.ts |  50 --
 .../20260501000000_drop_network_tables.ts     |  34 +
 packages/db/src/index.ts                      |   8 -
 packages/db/src/types.ts                      | 177 ----
 54 files changed, 110 insertions(+), 7663 deletions(-)
 delete mode 100644 apps/api/src/__tests__/magic-link.test.ts
 delete mode 100644 apps/api/src/__tests__/mailer.test.ts
 delete mode 100644 apps/api/src/__tests__/network.test.ts
 delete mode 100644 apps/api/src/__tests__/safe-fetch.test.ts
 delete mode 100644 apps/api/src/auth-sessions.ts
 delete mode 100644 apps/api/src/email-templates.ts
 delete mode 100644 apps/api/src/mailer.ts
 delete mode 100644 apps/api/src/network/crypto.ts
 delete mode 100644 apps/api/src/network/federation.ts
 delete mode 100644 apps/api/src/network/safe-fetch.ts
 delete mode 100644 apps/api/src/network/validation.ts
 delete mode 100644 apps/api/src/routes/magic-link.ts
 delete mode 100644 apps/api/src/routes/network-creators.ts
 delete mode 100644 apps/api/src/routes/network-earnings.ts
 delete mode 100644 apps/api/src/routes/network-offerings.ts
 delete mode 100644 apps/api/src/routes/network-requests.ts
 delete mode 100644 apps/api/src/routes/network-vendors.ts
 delete mode 100644 apps/portal/src/pages/admin/DevMailbox.tsx
 delete mode 100644 apps/portal/src/pages/auth/MagicLanding.tsx
 delete mode 100644 apps/portal/src/pages/auth/Signup.tsx
 delete mode 100644 apps/portal/src/pages/auth/VendorSignup.tsx
 delete mode 100644 apps/portal/src/pages/network/AdminNetworkCreators.tsx
 delete mode 100644 apps/portal/src/pages/network/AdminNetworkVendors.tsx
 delete mode 100644 apps/portal/src/pages/network/CreatorDirectory.tsx
 delete mode 100644 apps/portal/src/pages/network/CreatorProfile.tsx
 delete mode 100644 apps/portal/src/pages/network/Discover.tsx
 delete mode 100644 apps/portal/src/pages/network/MyPartnerships.tsx
 delete mode 100644 apps/portal/src/pages/network/MyRequests.tsx
 delete mode 100644 apps/portal/src/pages/network/OfferingDetail.tsx
 delete mode 100644 apps/portal/src/pages/network/VendorOfferings.tsx
 delete mode 100644 apps/portal/src/pages/network/VendorRequests.tsx
 delete mode 100644 docs/email.md
 delete mode 100644 packages/db/migrations/20260425000000_network.ts
 delete mode 100644 packages/db/migrations/20260426000000_promo_codes.ts
 delete mode 100644 packages/db/migrations/20260428000000_magic_links.ts
 delete mode 100644 packages/db/migrations/20260430000000_vendor_email.ts
 create mode 100644 packages/db/migrations/20260501000000_drop_network_tables.ts

diff --git a/.do/app.yaml b/.do/app.yaml
index 0911ec7..e53533c 100644
--- a/.do/app.yaml
+++ b/.do/app.yaml
@@ -57,22 +57,9 @@ services:
         value: ${openpartner-db.DATABASE_URL}
       - key: OPENPARTNER_MODE
         value: flat
-      - key: MAIL_TRANSPORT
-        value: postmark
-      - key: POSTMARK_MESSAGE_STREAM
-        value: outbound
       - key: ADMIN_API_KEY
         type: SECRET
         scope: RUN_TIME
-      - key: NETWORK_ENCRYPTION_KEY
-        type: SECRET
-        scope: RUN_TIME
-      - key: POSTMARK_SERVER_TOKEN
-        type: SECRET
-        scope: RUN_TIME
-      - key: MAIL_FROM
-        type: SECRET
-        scope: RUN_TIME
       - key: PORTAL_URL
         type: SECRET
         scope: RUN_TIME
@@ -85,6 +72,9 @@ services:
       - key: STRIPE_FLAT_PRICE_ID
         type: SECRET
         scope: RUN_TIME
+      - key: METRICS_TOKEN
+        type: SECRET
+        scope: RUN_TIME
 
   # Click router. Separate component so we can point a marketing apex
   # (go.yourdomain.com) at it without routing through the portal's
diff --git a/.env.example b/.env.example
index b57bb21..13cf97a 100644
--- a/.env.example
+++ b/.env.example
@@ -17,9 +17,6 @@ PORTAL_PORT=5673
 # In production: set to your marketing apex (e.g. .yourdomain.com)
 COOKIE_DOMAIN=localhost
 
-# Session secret — generate a random 32+ char string for prod
-SESSION_SECRET=dev-only-replace-in-prod
-
 # Admin API key for bootstrap (curl/CI). Rotate via POST /api-keys once live.
 # Generate: node -e "console.log('op_' + require('crypto').randomBytes(24).toString('hex'))"
 ADMIN_API_KEY=op_devonly_replace_me_with_64_hex_chars_before_any_real_use_xxxx
@@ -35,29 +32,14 @@ STRIPE_FLAT_PRICE_ID=
 VELOCITY_MAX=20
 VELOCITY_WINDOW_MS=60000
 
-# Network federation — AES-256-GCM master key (32 raw bytes, either hex
-# (64 chars) or base64 (44 chars)). REQUIRED in production; dev uses a
-# weak fallback and logs a warning.
-# Generate: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
-NETWORK_ENCRYPTION_KEY=
-
-# Router URL override used when federating Network partnerships. If unset,
-# we infer from the vendor's instance URL by swapping API port 4601 → 4701.
-NETWORK_ROUTER_URL=
-
-# Mail delivery for magic-link auth.
-#   dev       → writes to the DevMessage table; admins read at /admin/dev-mailbox.
-#   postmark  → POSTs to api.postmarkapp.com/email (requires the vars below).
-MAIL_TRANSPORT=dev
-MAIL_FROM=OpenPartner <no-reply@example.com>
-POSTMARK_SERVER_TOKEN=
-# Optional — defaults to the "outbound" transactional stream.
-POSTMARK_MESSAGE_STREAM=outbound
-
-# Public portal URL that magic links point at. Defaults to localhost:5673
-# for dev. Set this in prod so emails link to your real hostname.
+# Public portal URL. Required in production so CORS has an explicit
+# origin allowlist (we refuse to boot with it empty). Defaults to
+# localhost:5673 in dev.
 PORTAL_URL=http://localhost:5673
 
+# Optional: extra CORS origins beyond PORTAL_URL, comma-separated.
+CORS_EXTRA_ORIGINS=
+
 # Optional: bearer token required to scrape /metrics. Leave blank and
 # /metrics is open (fine on internal networks). Set it when /metrics is
 # reachable from the public internet.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9005091..035841e 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -32,11 +32,7 @@ jobs:
 
     env:
       DATABASE_URL: postgres://openpartner:openpartner@localhost:5432/openpartner
-      # A deterministic 32-byte key so federation code paths that require
-      # NETWORK_ENCRYPTION_KEY don't throw during boot. Quoted — YAML
-      # would otherwise parse 64 zeros as the integer 0 and hand the
-      # runner the string "0".
-      NETWORK_ENCRYPTION_KEY: "0000000000000000000000000000000000000000000000000000000000000000"
+      # Quoted so YAML doesn't parse these as integers or booleans.
       ADMIN_API_KEY: "op_ci_0000000000000000000000000000000000000000000000000000000000"
 
     steps:
diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md
index e4bed0a..78d3e34 100644
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@@ -86,13 +86,13 @@ One codebase, three behaviors, flipped by `OPENPARTNER_MODE`:
 
 The core product — attribution, events, commissions — is identical across modes. Only the billing + payout layer changes.
 
-## The Network
+## Federating with an external creator network
 
-OpenPartner has a built-in two-sided marketplace (`NetworkVendor`, `NetworkCreator`, `NetworkOffering`, `NetworkRequest`). Vendors publish offerings (commission terms, assets, description). Creators apply. On acceptance, the vendor instance provisions a `Partner` row via federation — the creator gets a share link like `go.vendor.com/r/<their-slug>`.
+OpenPartner OSS is vendor-direct — the admin creates Partner rows, issues share links, and manages their own partner program. A separate hosted service (outside this repo) implements a two-sided creator network: vendors publish offerings, creators apply, and approved partnerships federate back into each vendor's OpenPartner instance as Partner + Link rows.
 
-Federation credentials are scoped API keys (vendor's key for vendor → hosted network, hosted network's key for network → vendor on provisioning). Keys at rest are AES-256-GCM encrypted with `NETWORK_ENCRYPTION_KEY`.
+The federation contract is thin: the vendor mints a scoped API key (`partners:write`, `links:write`, `partners:read`, `commissions:read`) and hands it to the network. The network calls the vendor's public API as an authenticated client — no shared schema, no inbound connections into the vendor. Data stays on the vendor's instance. Revoke the key and federation stops.
 
-Self-hosted instances opt in by publishing their instance URL + scoped key. Skipping the Network entirely is supported — the vendor-direct flow (manually create Partners through the admin portal) is the original path.
+Not participating in any network is the default. Everything in this repo works standalone.
 
 ## Data portability
 
diff --git a/README.md b/README.md
index c59e8b6..1930305 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # OpenPartner
 
-**Open-source partner attribution and payouts.** Full attribution from click to revenue, three-tier pricing, your data stays yours.
+**Open-source partner attribution and payouts.** Run your own partner program: track every click through to revenue, pay partners out via Stripe Connect, export everything whenever you want.
 
 > The open alternative to Dub Partners, Rewardful, and Impact.
 
@@ -8,7 +8,7 @@
 
 Existing partner platforms have two problems:
 
-1. **They stop at the click.** Most tools track who clicked a link. Few reliably track which creator drove which dollar of revenue, 60 days later, across devices, through Safari's cookie blocks.
+1. **They stop at the click.** Most tools track who clicked a link. Few reliably track which partner drove which dollar of revenue, 60 days later, across devices, through Safari's cookie blocks.
 2. **They lock your data in.** Once two years of attribution history are baked into Impact or Partnerize, switching means starting over.
 
 OpenPartner fixes both.
@@ -91,12 +91,14 @@ v1. End-to-end attribution, payouts, and export are working; API surface is stab
 - Commission accrual + review queue (approve / reverse) + Stripe Connect Standard payouts with idempotent transfers
 - Three deployment modes gated by `OPENPARTNER_MODE`: `selfhost`, `flat` (Stripe subscription), `revshare` (3% platform fee)
 - Click velocity limits with an admin fraud-review queue that replays skipped attributions on unflag
-- Scoped API keys (admin and partner tokens with granular `partners:write`, `links:write`, etc.) + magic-link auth for the portal
-- Two-sided OpenPartner Network — vendors publish offerings, creators apply, federation provisions partner records on vendor instances with AES-256-GCM encrypted keys
-- Creator-chosen share-link slugs (`go.yourdomain.com/r/<slug>`)
+- Scoped API keys (`partners:write`, `links:write`, `commissions:read`, …) — the federation contract that lets an external creator-network service provision Partner + Link rows on this instance over REST
 - Outbound webhooks with HMAC-SHA256 signing and per-event redelivery
-- Portable JSON + CSV export per table; full bundle export round-trippable into self-hosted via `POST /import`
+- Portable JSON + CSV export per table; full bundle export round-trippable into another instance via `POST /import`
 - Partner dashboard + admin overview + fraud review + partner funnel analytics in the portal
 - `@openpartner/sdk` on npm with browser and server entries
-- Transactional email via Postmark (magic links, vendor approval, creator signups)
+- Prometheus `/metrics` + X-Request-Id correlation
 - Deployment: DigitalOcean App Platform spec + single-host `docker-compose.prod.yml` behind Caddy
+
+### Not in this repo
+
+A creator-discovery / two-sided network layer (vendors publish offerings, creators apply, federation provisions partnerships into vendor instances) is available as a separate hosted service. OpenPartner OSS instances integrate with it via scoped API keys.
diff --git a/apps/api/src/__tests__/integration.test.ts b/apps/api/src/__tests__/integration.test.ts
index 46d1e2c..3ba1d16 100644
--- a/apps/api/src/__tests__/integration.test.ts
+++ b/apps/api/src/__tests__/integration.test.ts
@@ -28,9 +28,6 @@ const TABLES_TO_CLEAN = [
   TABLES.Link,
   TABLES.Campaign,
   TABLES.Payout,
-  TABLES.Session,
-  TABLES.MagicLinkToken,
-  TABLES.DevMessage,
   TABLES.ApiKey,
   TABLES.Partner,
   TABLES.Config,
diff --git a/apps/api/src/__tests__/magic-link.test.ts b/apps/api/src/__tests__/magic-link.test.ts
deleted file mode 100644
index 128cada..0000000
--- a/apps/api/src/__tests__/magic-link.test.ts
+++ /dev/null
@@ -1,314 +0,0 @@
-/**
- * Magic-link signup + signin over the live Express + Postgres stack.
- *
- * We don't send real email — the DevMailer persists to DevMessage, and
- * the tests read the stored body to extract the link and consume the
- * embedded token.
- */
-
-import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest';
-import request from 'supertest';
-import { TABLES } from '@openpartner/db';
-import { db } from '../db.js';
-import { createApp } from '../app.js';
-
-const ADMIN_KEY = 'op_test_magic_admin_0123456789abcdef0123';
-process.env.ADMIN_API_KEY = ADMIN_KEY;
-process.env.MAIL_TRANSPORT = 'dev';
-process.env.PORTAL_URL = 'http://localhost:5673';
-
-const skipIntegration = !process.env.DATABASE_URL || process.env.INTEGRATION === 'skip';
-const TABLES_TO_CLEAN = [
-  TABLES.Session,
-  TABLES.MagicLinkToken,
-  TABLES.DevMessage,
-  TABLES.ApiKey,
-  TABLES.NetworkCreator,
-  TABLES.Config,
-];
-
-const app = createApp({ enableLogger: false });
-
-beforeAll(async () => {
-  if (skipIntegration) return;
-  await db.raw('select 1');
-});
-
-afterAll(async () => {
-  await db.destroy();
-});
-
-beforeEach(async () => {
-  if (skipIntegration) return;
-  for (const t of TABLES_TO_CLEAN) await db(t).del();
-});
-
-function extractToken(body: string): string {
-  const match = body.match(/token=([A-Za-z0-9_-]+(?:%3D)*)/);
-  if (!match) throw new Error(`no token in body: ${body.slice(0, 200)}`);
-  return decodeURIComponent(match[1]!);
-}
-
-describe.skipIf(skipIntegration)('magic-link auth', () => {
-  it('full signup → verify → session-backed whoami', async () => {
-    const signup = await request(app)
-      .post('/auth/creator/signup')
-      .send({ email: 'grace@example.com', handle: 'gracie', name: 'Grace Hopper' });
-    expect(signup.status).toBe(200);
-
-    // The DevMailer persists; we read the message via the admin endpoint.
-    const mailbox = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
-    expect(mailbox.body.messages).toHaveLength(1);
-    expect(mailbox.body.messages[0].to).toBe('grace@example.com');
-    const token = extractToken(mailbox.body.messages[0].body);
-
-    const verify = await request(app).post('/auth/magic/verify').send({ token });
-    expect(verify.status).toBe(200);
-    expect(verify.body.role).toBe('network_creator');
-    expect(verify.body.creator.handle).toBe('gracie');
-    expect(verify.body.creator.status).toBe('active');
-
-    // Cookie was set.
-    const setCookie = verify.headers['set-cookie'] as unknown as string[] | undefined;
-    expect(setCookie?.[0]).toMatch(/^op_session=/);
-    const cookie = setCookie![0]!.split(';')[0]!;
-
-    // Session-backed whoami returns the same creator.
-    const me = await request(app).get('/auth/whoami').set('Cookie', cookie);
-    expect(me.status).toBe(200);
-    expect(me.body.role).toBe('network_creator');
-    expect(me.body.creator.handle).toBe('gracie');
-  });
-
-  it('signin for an active creator issues a new session', async () => {
-    // First sign up + verify.
-    await request(app)
-      .post('/auth/creator/signup')
-      .send({ email: 'ada@example.com', handle: 'ada', name: 'Ada' });
-    let msgs = (await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`)).body.messages;
-    await request(app).post('/auth/magic/verify').send({ token: extractToken(msgs[0].body) });
-
-    // Now request a signin link as the returning creator.
-    const signin = await request(app).post('/auth/creator/signin').send({ email: 'ada@example.com' });
-    expect(signin.status).toBe(200);
-    msgs = (await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`)).body.messages;
-    expect(msgs[0].subject).toBe('Your OpenPartner sign-in link');
-    const verify = await request(app).post('/auth/magic/verify').send({ token: extractToken(msgs[0].body) });
-    expect(verify.status).toBe(200);
-    expect(verify.body.role).toBe('network_creator');
-  });
-
-  it('rejects reused, expired, and unknown tokens', async () => {
-    await request(app)
-      .post('/auth/creator/signup')
-      .send({ email: 'x@example.com', handle: 'xxx', name: 'Xavier' });
-    const msgs = (await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`)).body.messages;
-    const token = extractToken(msgs[0].body);
-
-    // First consume: ok
-    const first = await request(app).post('/auth/magic/verify').send({ token });
-    expect(first.status).toBe(200);
-
-    // Second consume: already_consumed
-    const second = await request(app).post('/auth/magic/verify').send({ token });
-    expect(second.status).toBe(400);
-    expect(second.body.error).toBe('already_consumed');
-
-    // Unknown token: not_found
-    const unknown = await request(app).post('/auth/magic/verify').send({ token: 'mlt_unknowntoken12345' });
-    expect(unknown.status).toBe(400);
-    expect(unknown.body.error).toBe('not_found');
-  });
-
-  it('signup enforces unique email and handle', async () => {
-    await request(app)
-      .post('/auth/creator/signup')
-      .send({ email: 'dup@example.com', handle: 'dup', name: 'First' });
-
-    // Same email, different handle.
-    const dupEmail = await request(app)
-      .post('/auth/creator/signup')
-      .send({ email: 'dup@example.com', handle: 'other', name: 'Second' });
-    // Only conflicts once the first token is consumed (creator exists).
-    // Before that, both are pending tokens — signup endpoint only checks
-    // against existing CREATOR rows, not pending tokens. So consume first:
-    const msgs = (await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`)).body.messages;
-    await request(app).post('/auth/magic/verify').send({ token: extractToken(msgs[msgs.length - 1].body) });
-
-    // Now both email and handle collide with the new creator row.
-    const conflict = await request(app)
-      .post('/auth/creator/signup')
-      .send({ email: 'dup@example.com', handle: 'fresh', name: 'Second' });
-    expect(conflict.status).toBe(409);
-
-    // Consume of the earlier "other" token should also fail now.
-    void dupEmail;
-  });
-
-  it('vendor signup: rejects bad keys, creates pending vendor on verify, activates + signin', async () => {
-    // Bad instance URL → instance_unreachable.
-    const badUrl = await request(app)
-      .post('/auth/vendor/signup')
-      .send({
-        email: 'bad@vendor.com',
-        name: 'Bad',
-        slug: `bad-${Date.now()}`,
-        instanceUrl: 'http://127.0.0.1:1',
-        instanceKey: 'op_nothing',
-      });
-    expect(badUrl.status).toBe(400);
-
-    // Stand up a real vendor instance (same server). Mint a scoped key
-    // with only the federation scopes.
-    const appListen = app.listen(0);
-    const port = (appListen.address() as import('node:net').AddressInfo).port;
-    const vendorInstanceUrl = `http://127.0.0.1:${port}`;
-    const scopedMint = await request(app)
-      .post('/api-keys/scoped')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ scopes: ['partners:write', 'partners:read', 'links:write', 'commissions:read'] });
-    const scopedKey = scopedMint.body.plaintext as string;
-
-    const slug = `good-${Date.now()}`;
-    const signup = await request(app)
-      .post('/auth/vendor/signup')
-      .send({
-        email: 'good@vendor.com',
-        name: 'GoodVendor',
-        slug,
-        instanceUrl: vendorInstanceUrl,
-        instanceKey: scopedKey,
-      });
-    expect(signup.status).toBe(200);
-
-    const mailbox = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
-    const signupMsg = mailbox.body.messages.find((m: { to: string }) => m.to === 'good@vendor.com');
-    expect(signupMsg).toBeDefined();
-    const token = extractToken(signupMsg.body);
-
-    const verify = await request(app).post('/auth/magic/verify').send({ token });
-    expect(verify.status).toBe(200);
-    expect(verify.body.role).toBe('network_vendor');
-    expect(verify.body.status).toBe('pending');
-    // No session cookie yet — vendor is pending admin approval.
-    expect(verify.headers['set-cookie']).toBeUndefined();
-
-    // Signin right now should no-op (vendor not active) → no magic link.
-    await db(TABLES.DevMessage).del(); // clear so we can tell if anything arrives
-    await request(app).post('/auth/signin').send({ email: 'good@vendor.com' });
-    const mailbox2 = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
-    expect(mailbox2.body.messages.filter((m: { to: string }) => m.to === 'good@vendor.com')).toHaveLength(0);
-
-    // Admin activates.
-    const vendorId = verify.body.vendor.id;
-    await request(app).post(`/network/vendors/${vendorId}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    // Signin now DOES issue a link.
-    await request(app).post('/auth/signin').send({ email: 'good@vendor.com' });
-    const mailbox3 = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
-    const signinMsg = mailbox3.body.messages.find(
-      (m: { to: string; subject: string }) => m.to === 'good@vendor.com' && m.subject.includes('sign-in'),
-    );
-    expect(signinMsg).toBeDefined();
-    const signinToken = extractToken(signinMsg.body);
-    const signinVerify = await request(app).post('/auth/magic/verify').send({ token: signinToken });
-    expect(signinVerify.status).toBe(200);
-    expect(signinVerify.body.role).toBe('network_vendor');
-    const cookie = (signinVerify.headers['set-cookie'] as unknown as string[])[0]!.split(';')[0]!;
-
-    // Session-backed whoami.
-    const me = await request(app).get('/auth/whoami').set('Cookie', cookie);
-    expect(me.status).toBe(200);
-    expect(me.body.role).toBe('network_vendor');
-    expect(me.body.vendor.slug).toBe(slug);
-
-    await new Promise<void>((resolve) => appListen.close(() => resolve()));
-  });
-
-  it('unified /auth/signin tries creator then vendor', async () => {
-    // Creator email → creator signin link.
-    await request(app)
-      .post('/auth/creator/signup')
-      .send({ email: 'c@example.com', handle: 'cuser', name: 'Cuser Name' });
-    let msgs = (await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`)).body.messages;
-    await request(app).post('/auth/magic/verify').send({ token: extractToken(msgs[0].body) });
-
-    await db(TABLES.DevMessage).del();
-    await request(app).post('/auth/signin').send({ email: 'c@example.com' });
-    msgs = (await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`)).body.messages;
-    expect(msgs).toHaveLength(1);
-    expect(msgs[0].metadata?.purpose).toBe('creator_signin');
-
-    // Unknown email → silent (no message).
-    await db(TABLES.DevMessage).del();
-    await request(app).post('/auth/signin').send({ email: 'nobody@example.com' });
-    const after = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
-    expect(after.body.messages).toHaveLength(0);
-  });
-
-  it('vendor signin with an email tied to multiple vendors prefers the active one', async () => {
-    // Regression for ultrareview #20: before the email column existed,
-    // findVendorByEmail walked magic-link history and returned the most
-    // recent vendor_signup's slug — wrong when two vendors shared an
-    // email. Now it reads NetworkVendor.email directly, preferring
-    // active status over pending.
-    const { ulid } = await import('ulid');
-    const sharedEmail = 'dup@vendor.test';
-    // Seed two vendors directly — save the cost of the full signup flow.
-    const older = ulid();
-    const newer = ulid();
-    await db(TABLES.NetworkVendor).insert([
-      {
-        id: older,
-        name: 'Older',
-        slug: `dup-older-${older}`,
-        email: sharedEmail,
-        instanceUrl: 'https://older.example',
-        instanceKeyCiphertext: 'ct',
-        instanceKeyPrefix: 'prefix__',
-        status: 'pending',
-        createdAt: new Date(Date.now() - 10_000),
-      },
-      {
-        id: newer,
-        name: 'Newer',
-        slug: `dup-newer-${newer}`,
-        email: sharedEmail,
-        instanceUrl: 'https://newer.example',
-        instanceKeyCiphertext: 'ct',
-        instanceKeyPrefix: 'prefix__',
-        status: 'active',
-        createdAt: new Date(),
-      },
-    ]);
-
-    await db(TABLES.DevMessage).del();
-    await request(app).post('/auth/signin').send({ email: sharedEmail });
-    const msgs = (await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`)).body
-      .messages as Array<{ metadata?: Record<string, unknown>; body: string }>;
-    const signinMsg = msgs.find((m) => m.metadata?.purpose === 'vendor_signin');
-    expect(signinMsg).toBeDefined();
-
-    const verify = await request(app).post('/auth/magic/verify').send({ token: extractToken(signinMsg!.body) });
-    expect(verify.status).toBe(200);
-    // The ACTIVE vendor should win, not the older pending one.
-    expect(verify.body.vendor.id).toBe(newer);
-  });
-
-  it('signout clears the session cookie', async () => {
-    await request(app)
-      .post('/auth/creator/signup')
-      .send({ email: 'out@example.com', handle: 'out', name: 'Out' });
-    const msgs = (await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`)).body.messages;
-    const verify = await request(app).post('/auth/magic/verify').send({ token: extractToken(msgs[0].body) });
-    const cookie = (verify.headers['set-cookie'] as unknown as string[])[0]!.split(';')[0]!;
-
-    const before = await request(app).get('/auth/whoami').set('Cookie', cookie);
-    expect(before.body.role).toBe('network_creator');
-
-    await request(app).post('/auth/signout').set('Cookie', cookie);
-
-    const after = await request(app).get('/auth/whoami').set('Cookie', cookie);
-    expect(after.status).toBe(401);
-  });
-});
diff --git a/apps/api/src/__tests__/mailer.test.ts b/apps/api/src/__tests__/mailer.test.ts
deleted file mode 100644
index 1620585..0000000
--- a/apps/api/src/__tests__/mailer.test.ts
+++ /dev/null
@@ -1,125 +0,0 @@
-/**
- * PostmarkMailer unit tests — mock fetch, assert payload shape + error
- * handling. DevMailer path is already exercised by the magic-link
- * integration suite; we don't duplicate it here.
- */
-
-import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
-
-describe('PostmarkMailer', () => {
-  beforeEach(() => {
-    vi.resetModules();
-  });
-  afterEach(() => {
-    vi.unstubAllGlobals();
-    delete process.env.MAIL_TRANSPORT;
-    delete process.env.POSTMARK_SERVER_TOKEN;
-    delete process.env.MAIL_FROM;
-    delete process.env.POSTMARK_MESSAGE_STREAM;
-  });
-
-  it('POSTs a well-formed payload to the Postmark Email API', async () => {
-    process.env.MAIL_TRANSPORT = 'postmark';
-    process.env.POSTMARK_SERVER_TOKEN = 'test-token';
-    process.env.MAIL_FROM = 'OpenPartner <no-reply@example.com>';
-    process.env.POSTMARK_MESSAGE_STREAM = 'transactional-1';
-
-    const fetchMock = vi.fn(async (_input: string | URL | Request, _init?: RequestInit) =>
-      new Response(JSON.stringify({ ErrorCode: 0, Message: 'OK' }), { status: 200 }),
-    );
-    vi.stubGlobal('fetch', fetchMock);
-
-    const { getMailer, __resetMailerForTests } = await import('../mailer.js');
-    __resetMailerForTests();
-
-    await getMailer().send({
-      to: 'grace@example.com',
-      subject: 'Hi',
-      text: 'plain',
-      html: '<b>rich</b>',
-      tag: 'creator_signup',
-      metadata: { handle: 'gracie' },
-    });
-
-    expect(fetchMock).toHaveBeenCalledOnce();
-    const call = fetchMock.mock.calls[0]!;
-    expect(call[0]).toBe('https://api.postmarkapp.com/email');
-
-    const init = call[1]!;
-    const headers = init.headers as Record<string, string>;
-    expect(headers['x-postmark-server-token']).toBe('test-token');
-    expect(headers['content-type']).toBe('application/json');
-
-    const body = JSON.parse(String(init.body));
-    expect(body.From).toBe('OpenPartner <no-reply@example.com>');
-    expect(body.To).toBe('grace@example.com');
-    expect(body.Subject).toBe('Hi');
-    expect(body.TextBody).toBe('plain');
-    expect(body.HtmlBody).toBe('<b>rich</b>');
-    expect(body.Tag).toBe('creator_signup');
-    expect(body.MessageStream).toBe('transactional-1');
-    expect(body.Metadata).toEqual({ handle: 'gracie' });
-  });
-
-  it('throws on non-2xx HTTP response', async () => {
-    process.env.MAIL_TRANSPORT = 'postmark';
-    process.env.POSTMARK_SERVER_TOKEN = 'bad-token';
-    process.env.MAIL_FROM = 'no-reply@example.com';
-
-    vi.stubGlobal(
-      'fetch',
-      vi.fn(async () => new Response('unauthorized', { status: 401 })),
-    );
-
-    const { getMailer, __resetMailerForTests } = await import('../mailer.js');
-    __resetMailerForTests();
-
-    await expect(
-      getMailer().send({ to: 'x@example.com', subject: 's', text: 't' }),
-    ).rejects.toThrow(/postmark send failed: 401/);
-  });
-
-  it('throws on Postmark ErrorCode != 0', async () => {
-    process.env.MAIL_TRANSPORT = 'postmark';
-    process.env.POSTMARK_SERVER_TOKEN = 'ok';
-    process.env.MAIL_FROM = 'no-reply@example.com';
-
-    vi.stubGlobal(
-      'fetch',
-      vi.fn(async () =>
-        new Response(JSON.stringify({ ErrorCode: 406, Message: 'recipient suppressed' }), {
-          status: 200,
-        }),
-      ),
-    );
-
-    const { getMailer, __resetMailerForTests } = await import('../mailer.js');
-    __resetMailerForTests();
-
-    await expect(
-      getMailer().send({ to: 'sup@example.com', subject: 's', text: 't' }),
-    ).rejects.toThrow(/postmark rejected message: 406/);
-  });
-
-  it('refuses to start without a token when MAIL_TRANSPORT=postmark', async () => {
-    process.env.MAIL_TRANSPORT = 'postmark';
-    // no POSTMARK_SERVER_TOKEN
-    process.env.MAIL_FROM = 'no-reply@example.com';
-
-    const { getMailer, __resetMailerForTests } = await import('../mailer.js');
-    __resetMailerForTests();
-
-    expect(() => getMailer()).toThrow(/POSTMARK_SERVER_TOKEN/);
-  });
-
-  it('refuses to start without MAIL_FROM', async () => {
-    process.env.MAIL_TRANSPORT = 'postmark';
-    process.env.POSTMARK_SERVER_TOKEN = 'ok';
-    // no MAIL_FROM
-
-    const { getMailer, __resetMailerForTests } = await import('../mailer.js');
-    __resetMailerForTests();
-
-    expect(() => getMailer()).toThrow(/MAIL_FROM/);
-  });
-});
diff --git a/apps/api/src/__tests__/network.test.ts b/apps/api/src/__tests__/network.test.ts
deleted file mode 100644
index 41c1013..0000000
--- a/apps/api/src/__tests__/network.test.ts
+++ /dev/null
@@ -1,767 +0,0 @@
-/**
- * End-to-end Network flow, with a real running Express server standing in
- * as the "vendor's OpenPartner instance" that the Network federates to.
- *
- * Walkthrough:
- *   1. Admin registers a NetworkVendor with the local instance URL + admin key.
- *   2. Vendor uses the issued vendor API key to publish an Offering tied to
- *      a real Campaign on their instance.
- *   3. Admin creates a NetworkCreator and activates it.
- *   4. Creator applies to the Offering.
- *   5. Vendor approves → federation POSTs to the same server to create a
- *      Partner + Link. Partnership row is written with the public share URL.
- *   6. We assert the Partner + Link actually exist on the vendor's side.
- */
-
-import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest';
-import type { AddressInfo } from 'node:net';
-import request from 'supertest';
-import { ulid } from 'ulid';
-import { TABLES } from '@openpartner/db';
-import { db } from '../db.js';
-import { createApp } from '../app.js';
-
-const ADMIN_KEY = 'op_test_network_admin_0123456789abcdef0123';
-process.env.ADMIN_API_KEY = ADMIN_KEY;
-process.env.OPENPARTNER_MODE = 'selfhost';
-process.env.NETWORK_ENCRYPTION_KEY = 'a'.repeat(64); // 32 hex bytes
-
-const skipIntegration = !process.env.DATABASE_URL || process.env.INTEGRATION === 'skip';
-// ApiKey has FKs to NetworkVendor, NetworkCreator, and Partner, so it must
-// be cleared BEFORE those parent tables. Similarly Partnership/Request have
-// FKs to Offering/NetworkVendor/NetworkCreator.
-const TABLES_TO_CLEAN = [
-  TABLES.Partnership,
-  TABLES.PartnershipRequest,
-  TABLES.Offering,
-  TABLES.Session,
-  TABLES.MagicLinkToken,
-  TABLES.DevMessage,
-  TABLES.ApiKey,
-  TABLES.Commission,
-  TABLES.Attribution,
-  TABLES.Event,
-  TABLES.Identity,
-  TABLES.Click,
-  TABLES.Link,
-  TABLES.Campaign,
-  TABLES.Payout,
-  TABLES.NetworkVendor,
-  TABLES.NetworkCreator,
-  TABLES.Partner,
-  TABLES.Config,
-];
-
-const app = createApp({ enableLogger: false });
-let server: ReturnType<typeof app.listen>;
-let instanceUrl: string;
-
-beforeAll(async () => {
-  if (skipIntegration) return;
-  await db.raw('select 1');
-  await new Promise<void>((resolve) => {
-    server = app.listen(0, () => {
-      const port = (server.address() as AddressInfo).port;
-      instanceUrl = `http://127.0.0.1:${port}`;
-      // Pin the router URL so federation doesn't try to swap ports.
-      process.env.NETWORK_ROUTER_URL = instanceUrl;
-      resolve();
-    });
-  });
-});
-
-afterAll(async () => {
-  if (server) await new Promise<void>((resolve) => server.close(() => resolve()));
-  await db.destroy();
-});
-
-beforeEach(async () => {
-  if (skipIntegration) return;
-  for (const t of TABLES_TO_CLEAN) {
-    await db(t).del();
-  }
-});
-
-describe.skipIf(skipIntegration)('openpartner network', () => {
-  it('vendor → offering → creator → request → approve federates a partner + link', async () => {
-    // Create a campaign on the "vendor's instance" (same server in tests).
-    const campaignRes = await request(app)
-      .post('/campaigns')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Referral', commissionRule: { type: 'percent', value: 30, recurring: true } });
-    expect(campaignRes.status).toBe(201);
-    const vendorCampaignId = campaignRes.body.id;
-
-    // Register vendor on the Network (admin-gated).
-    const vendorRegRes = await request(app)
-      .post('/network/vendors')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({
-        name: 'Acme',
-        slug: 'acme',
-        websiteUrl: 'https://acme.example',
-        instanceUrl,
-        instanceKey: ADMIN_KEY,
-      });
-    expect(vendorRegRes.status).toBe(201);
-    const vendorId = vendorRegRes.body.vendor.id;
-    const vendorApiKey = vendorRegRes.body.apiKey;
-
-    // Admin activates the vendor.
-    await request(app)
-      .post(`/network/vendors/${vendorId}/activate`)
-      .set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    // Vendor publishes an offering.
-    const offeringRes = await request(app)
-      .post('/network/offerings')
-      .set('Authorization', `Bearer ${vendorApiKey}`)
-      .send({
-        title: 'Acme Pro — 30% for 6 months',
-        productUrl: 'https://acme.example/pro',
-        description: 'Sell our flagship to your audience.',
-        vendorCampaignId,
-        terms: {
-          payout: { type: 'recurring_percent', percent: 30, durationMonths: 6 },
-          bonuses: [{ description: '$500 at $10k MRR', triggerRevenueUsd: 10000, bonusUsd: 500 }],
-          cookieWindowDays: 60,
-        },
-        published: true,
-      });
-    expect(offeringRes.status).toBe(201);
-    const offeringId = offeringRes.body.offering.id;
-
-    // Admin onboards a creator.
-    const creatorRes = await request(app)
-      .post('/network/creators')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({
-        name: 'Grace Hopper',
-        handle: 'gracie',
-        email: 'grace@example.com',
-        platforms: [{ platform: 'youtube', url: 'https://youtube.com/@gracie', followers: 120000 }],
-      });
-    expect(creatorRes.status).toBe(201);
-    const creatorId = creatorRes.body.creator.id;
-    const creatorKey = creatorRes.body.apiKey;
-    await request(app).post(`/network/creators/${creatorId}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    // Creator sees the directory.
-    const dirRes = await request(app).get('/network/directory/offerings');
-    expect(dirRes.status).toBe(200);
-    expect(dirRes.body.offerings).toHaveLength(1);
-    expect(dirRes.body.offerings[0].title).toContain('Acme');
-
-    // Creator applies.
-    const applyRes = await request(app)
-      .post('/network/requests')
-      .set('Authorization', `Bearer ${creatorKey}`)
-      .send({ offeringId, message: 'I have 120k subs interested in this.' });
-    expect(applyRes.status).toBe(201);
-    const requestId = applyRes.body.request.id;
-
-    // Vendor approves (this federates).
-    const approveRes = await request(app)
-      .post(`/network/requests/${requestId}/approve`)
-      .set('Authorization', `Bearer ${vendorApiKey}`)
-      .send({});
-    expect(approveRes.status).toBe(200);
-    expect(approveRes.body.partnership.status).toBe('active');
-    expect(approveRes.body.federated.partnerId).toBeTruthy();
-    expect(approveRes.body.federated.linkKey).toBe('gracie');
-    expect(approveRes.body.federated.publicShareUrl).toBe(`${instanceUrl}/r/gracie`);
-
-    // The vendor's instance actually has the partner + link now.
-    const partnerOnVendor = await db(TABLES.Partner).where({ id: approveRes.body.federated.partnerId }).first();
-    expect(partnerOnVendor).toBeDefined();
-    expect(partnerOnVendor!.email).toBe('grace@example.com');
-    expect(partnerOnVendor!.metadata).toMatchObject({ source: 'openpartner_network' });
-
-    const linkOnVendor = await db(TABLES.Link).where({ linkKey: 'gracie' }).first();
-    expect(linkOnVendor).toBeDefined();
-    expect(linkOnVendor!.campaignId).toBe(vendorCampaignId);
-  });
-
-  it('creator cannot double-apply to the same offering', async () => {
-    const campaignRes = await request(app)
-      .post('/campaigns')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'C', commissionRule: { type: 'percent', value: 10 } });
-    const vendorCampaignId = campaignRes.body.id;
-
-    const vendorRes = await request(app)
-      .post('/network/vendors')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Vendo', slug: `vendo-${Date.now()}`, instanceUrl, instanceKey: ADMIN_KEY });
-    const vendorApiKey = vendorRes.body.apiKey;
-    await request(app).post(`/network/vendors/${vendorRes.body.vendor.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const offeringRes = await request(app)
-      .post('/network/offerings')
-      .set('Authorization', `Bearer ${vendorApiKey}`)
-      .send({
-        title: 'Offer',
-        productUrl: 'https://v.example',
-        vendorCampaignId,
-        terms: { payout: { type: 'one_time_fee', amount: 50 }, cookieWindowDays: 30 },
-        published: true,
-      });
-    const offeringId = offeringRes.body.offering.id;
-
-    const creatorRes = await request(app)
-      .post('/network/creators')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Eva', handle: `eva_${Date.now()}`, email: `eva${Date.now()}@e.com` });
-    const creatorKey = creatorRes.body.apiKey;
-    await request(app).post(`/network/creators/${creatorRes.body.creator.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const first = await request(app)
-      .post('/network/requests')
-      .set('Authorization', `Bearer ${creatorKey}`)
-      .send({ offeringId });
-    expect(first.status).toBe(201);
-
-    const second = await request(app)
-      .post('/network/requests')
-      .set('Authorization', `Bearer ${creatorKey}`)
-      .send({ offeringId });
-    expect(second.status).toBe(409);
-  });
-
-  it('concurrent /approve calls do not both federate — one wins, the other 409s', async () => {
-    // Regression for the ultrareview race. Both calls see status='pending'
-    // on the SELECT; the conditional UPDATE pending→approving admits one.
-    const campaignRes = await request(app)
-      .post('/campaigns')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Race', commissionRule: { type: 'percent', value: 15 } });
-    const vendorCampaignId = campaignRes.body.id;
-
-    const vendorRes = await request(app)
-      .post('/network/vendors')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'RaceVendor', slug: `race-${Date.now()}`, instanceUrl, instanceKey: ADMIN_KEY });
-    const vendorApiKey = vendorRes.body.apiKey;
-    await request(app).post(`/network/vendors/${vendorRes.body.vendor.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const offeringRes = await request(app)
-      .post('/network/offerings')
-      .set('Authorization', `Bearer ${vendorApiKey}`)
-      .send({
-        title: 'RaceOffer',
-        productUrl: 'https://race.example',
-        vendorCampaignId,
-        terms: { payout: { type: 'one_time_fee', amount: 25 }, cookieWindowDays: 30 },
-        published: true,
-      });
-    const offeringId = offeringRes.body.offering.id;
-
-    const creatorRes = await request(app)
-      .post('/network/creators')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Rico', handle: `rico_${Date.now()}`, email: `rico${Date.now()}@e.com` });
-    const creatorKey = creatorRes.body.apiKey;
-    await request(app).post(`/network/creators/${creatorRes.body.creator.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const reqRes = await request(app)
-      .post('/network/requests')
-      .set('Authorization', `Bearer ${creatorKey}`)
-      .send({ offeringId });
-    const reqId = reqRes.body.request.id;
-
-    // Fire two approvals simultaneously.
-    const [a, b] = await Promise.all([
-      request(app).post(`/network/requests/${reqId}/approve`).set('Authorization', `Bearer ${vendorApiKey}`),
-      request(app).post(`/network/requests/${reqId}/approve`).set('Authorization', `Bearer ${vendorApiKey}`),
-    ]);
-    const statuses = [a.status, b.status].sort();
-    // One succeeds (200), the other loses the CAS race (409).
-    expect(statuses).toEqual([200, 409]);
-
-    // And we only federated ONE Partnership for this request.
-    const partnerships = await db(TABLES.Partnership).where({ requestId: reqId });
-    expect(partnerships).toHaveLength(1);
-  });
-
-  it('creator-chosen promo code becomes the share-link slug', async () => {
-    const campaign = (await request(app)
-      .post('/campaigns')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Promo test', commissionRule: { type: 'percent', value: 20 } })).body;
-
-    const vendorRouter = `${instanceUrl}`; // point router at same server for the test
-    const vendorRes = await request(app)
-      .post('/network/vendors')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({
-        name: 'Coherence',
-        slug: `coherence-${Date.now()}`,
-        instanceUrl,
-        instanceKey: ADMIN_KEY,
-        routerUrl: vendorRouter,
-      });
-    const vendorKey = vendorRes.body.apiKey;
-    await request(app).post(`/network/vendors/${vendorRes.body.vendor.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const offeringRes = await request(app)
-      .post('/network/offerings')
-      .set('Authorization', `Bearer ${vendorKey}`)
-      .send({
-        title: 'Coherence Pro',
-        productUrl: 'https://getcoherence.io/pro',
-        vendorCampaignId: campaign.id,
-        terms: { payout: { type: 'recurring_percent', percent: 20, durationMonths: null }, cookieWindowDays: 60 },
-        published: true,
-      });
-    const offeringId = offeringRes.body.offering.id;
-
-    const creatorRes = await request(app)
-      .post('/network/creators')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Grace', handle: `g_${Date.now()}`, email: `g${Date.now()}@e.com` });
-    const creatorKey = creatorRes.body.apiKey;
-    await request(app).post(`/network/creators/${creatorRes.body.creator.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const applyRes = await request(app)
-      .post('/network/requests')
-      .set('Authorization', `Bearer ${creatorKey}`)
-      .send({ offeringId, promoCode: 'graciefindsdeals' });
-    expect(applyRes.status).toBe(201);
-    expect(applyRes.body.request.promoCode).toBe('graciefindsdeals');
-
-    const approveRes = await request(app)
-      .post(`/network/requests/${applyRes.body.request.id}/approve`)
-      .set('Authorization', `Bearer ${vendorKey}`)
-      .send({});
-    expect(approveRes.status).toBe(200);
-    expect(approveRes.body.federated.linkKey).toBe('graciefindsdeals');
-    expect(approveRes.body.federated.publicShareUrl).toBe(`${vendorRouter}/r/graciefindsdeals`);
-
-    const linkOnVendor = await db(TABLES.Link).where({ linkKey: 'graciefindsdeals' }).first();
-    expect(linkOnVendor).toBeDefined();
-  });
-
-  it('defaults to creator default promo code, falls back to handle', async () => {
-    const campaign = (await request(app)
-      .post('/campaigns')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Defaults', commissionRule: { type: 'percent', value: 10 } })).body;
-
-    const vendorRes = await request(app)
-      .post('/network/vendors')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'DefaultCo', slug: `default-${Date.now()}`, instanceUrl, instanceKey: ADMIN_KEY });
-    const vendorKey = vendorRes.body.apiKey;
-    await request(app).post(`/network/vendors/${vendorRes.body.vendor.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const offering = (await request(app)
-      .post('/network/offerings')
-      .set('Authorization', `Bearer ${vendorKey}`)
-      .send({
-        title: 'Offering One',
-        productUrl: 'https://example.com',
-        vendorCampaignId: campaign.id,
-        terms: { payout: { type: 'one_time_fee', amount: 1 }, cookieWindowDays: 30 },
-        published: true,
-      })).body.offering;
-
-    // Creator WITH a default
-    const handle = `ada_${Date.now()}`;
-    const creatorRes = await request(app)
-      .post('/network/creators')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Ada', handle, email: `ada${Date.now()}@e.com`, defaultPromoCode: 'ada-picks' });
-    const creatorKey = creatorRes.body.apiKey;
-    await request(app).post(`/network/creators/${creatorRes.body.creator.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    // No promoCode on the request — should use the creator's default.
-    const req1 = await request(app)
-      .post('/network/requests')
-      .set('Authorization', `Bearer ${creatorKey}`)
-      .send({ offeringId: offering.id });
-    expect(req1.body.request.promoCode).toBe('ada-picks');
-
-    // Creator WITHOUT a default → handle
-    const handle2 = `rose_${Date.now()}`;
-    const c2 = await request(app)
-      .post('/network/creators')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Rose', handle: handle2, email: `rose${Date.now()}@e.com` });
-    const c2key = c2.body.apiKey;
-    await request(app).post(`/network/creators/${c2.body.creator.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const o2 = (await request(app)
-      .post('/network/offerings')
-      .set('Authorization', `Bearer ${vendorKey}`)
-      .send({
-        title: 'Offering Two',
-        productUrl: 'https://example.com',
-        vendorCampaignId: campaign.id,
-        terms: { payout: { type: 'one_time_fee', amount: 2 }, cookieWindowDays: 30 },
-        published: true,
-      })).body.offering;
-
-    const req2 = await request(app)
-      .post('/network/requests')
-      .set('Authorization', `Bearer ${c2key}`)
-      .send({ offeringId: o2.id });
-    expect(req2.body.request.promoCode).toBe(handle2);
-  });
-
-  it('earnings endpoint federates a read and surfaces per-partnership stats', async () => {
-    // Campaign with a 20% recurring rule on the vendor's instance
-    const campaign = (await request(app)
-      .post('/campaigns')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Earn test', commissionRule: { type: 'percent', value: 20 } })).body;
-
-    const vendorRes = await request(app)
-      .post('/network/vendors')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'EarnVendor', slug: `earn-${Date.now()}`, instanceUrl, instanceKey: ADMIN_KEY, routerUrl: instanceUrl });
-    const vendorKey = vendorRes.body.apiKey;
-    await request(app).post(`/network/vendors/${vendorRes.body.vendor.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const offeringId = (await request(app)
-      .post('/network/offerings')
-      .set('Authorization', `Bearer ${vendorKey}`)
-      .send({
-        title: 'Earning offering',
-        productUrl: 'https://example.com/pro',
-        vendorCampaignId: campaign.id,
-        terms: { payout: { type: 'recurring_percent', percent: 20, durationMonths: 6 }, cookieWindowDays: 60 },
-        published: true,
-      })).body.offering.id;
-
-    const creatorRes = await request(app)
-      .post('/network/creators')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Earner', handle: `earner_${Date.now()}`, email: `earner${Date.now()}@e.com` });
-    const creatorKey = creatorRes.body.apiKey;
-    await request(app).post(`/network/creators/${creatorRes.body.creator.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const reqRes = await request(app)
-      .post('/network/requests')
-      .set('Authorization', `Bearer ${creatorKey}`)
-      .send({ offeringId, promoCode: 'earntest' });
-    await request(app)
-      .post(`/network/requests/${reqRes.body.request.id}/approve`)
-      .set('Authorization', `Bearer ${vendorKey}`)
-      .send({});
-
-    // Simulate traffic on the vendor's side: click → identify → event.
-    // (We write Click directly because the router is a separate server in
-    // prod; the dashboard endpoint doesn't care how Clicks got there.)
-    const link = await db(TABLES.Link).where({ linkKey: 'earntest' }).first();
-    expect(link).toBeDefined();
-    const clickId = ulid();
-    await db(TABLES.Click).insert({
-      id: clickId,
-      linkId: link!.id,
-      partnerId: link!.partnerId,
-      campaignId: link!.campaignId,
-      landingUrl: 'https://example.com/pro',
-      ipHash: 'x',
-      userAgent: 'x',
-      referer: null,
-      fraudFlag: null,
-    });
-
-    const userId = `viewer_${Date.now()}`;
-    await request(app).post('/attribution/identify').send({ cref: clickId, userId });
-    await request(app)
-      .post('/attribution/events')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ userId, type: 'invoice_paid', value: 250 });
-
-    // Creator pulls their earnings via the Network's federated read.
-    const earnings = await request(app)
-      .get('/network/partnerships/earnings')
-      .set('Authorization', `Bearer ${creatorKey}`);
-    expect(earnings.status).toBe(200);
-    expect(earnings.body.partnerships).toHaveLength(1);
-    const row = earnings.body.partnerships[0];
-    expect(row.status).toBe('ok');
-    expect(row.stats.clicks).toBe(1);
-    expect(row.stats.attributedEvents).toBe(1);
-    expect(row.stats.attributedRevenue).toBe(250);
-    expect(row.stats.commissionByStatus.accrued).toBe(50); // 20% of 250
-
-    expect(earnings.body.totals.clicks).toBe(1);
-    expect(earnings.body.totals.attributedRevenue).toBe(250);
-    expect(earnings.body.totals.commission.accrued).toBe(50);
-    expect(earnings.body.totals.unreachable).toBe(0);
-    expect(earnings.body.totals.healthy).toBe(1);
-  });
-
-  it('earnings endpoint surfaces unreachable vendors without blacking out', async () => {
-    const campaign = (await request(app)
-      .post('/campaigns')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Unreach', commissionRule: { type: 'percent', value: 10 } })).body;
-
-    // Register the vendor against a dead URL so federation will fail.
-    const vendorRes = await request(app)
-      .post('/network/vendors')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({
-        name: 'DeadVendor',
-        slug: `dead-${Date.now()}`,
-        instanceUrl: 'http://127.0.0.1:1', // port 1 — nothing listens here
-        instanceKey: ADMIN_KEY,
-      });
-    const vendorKey = vendorRes.body.apiKey;
-    await request(app).post(`/network/vendors/${vendorRes.body.vendor.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    // Insert a Partnership directly so we don't have to federate-create
-    // one against the dead instance.
-    const creatorRes = await request(app)
-      .post('/network/creators')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Drift', handle: `drift_${Date.now()}`, email: `drift${Date.now()}@e.com` });
-    const creatorKey = creatorRes.body.apiKey;
-    await request(app).post(`/network/creators/${creatorRes.body.creator.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const offeringId = (await request(app)
-      .post('/network/offerings')
-      .set('Authorization', `Bearer ${vendorKey}`)
-      .send({
-        title: 'Offline offering',
-        productUrl: 'https://example.com',
-        vendorCampaignId: campaign.id,
-        terms: { payout: { type: 'one_time_fee', amount: 10 }, cookieWindowDays: 30 },
-        published: true,
-      })).body.offering.id;
-
-    await db(TABLES.PartnershipRequest).insert({
-      id: ulid(),
-      offeringId,
-      vendorId: vendorRes.body.vendor.id,
-      creatorId: creatorRes.body.creator.id,
-      direction: 'creator_to_vendor',
-      status: 'approved',
-      promoCode: 'drift',
-      decidedAt: new Date(),
-    });
-    const partnershipId = ulid();
-    const lastReq = await db(TABLES.PartnershipRequest).where({ creatorId: creatorRes.body.creator.id }).first();
-    await db(TABLES.Partnership).insert({
-      id: partnershipId,
-      requestId: lastReq!.id,
-      offeringId,
-      vendorId: vendorRes.body.vendor.id,
-      creatorId: creatorRes.body.creator.id,
-      vendorPartnerId: 'phantom',
-      vendorLinkKey: 'drift',
-      publicShareUrl: 'http://127.0.0.1:1/r/drift',
-      status: 'active',
-    });
-
-    const earnings = await request(app)
-      .get('/network/partnerships/earnings')
-      .set('Authorization', `Bearer ${creatorKey}`);
-    expect(earnings.status).toBe(200);
-    expect(earnings.body.partnerships).toHaveLength(1);
-    expect(earnings.body.partnerships[0].status).toBe('error');
-    expect(earnings.body.totals.unreachable).toBe(1);
-    expect(earnings.body.totals.clicks).toBe(0);
-  });
-
-  it('full network federation works with a scoped key (not admin)', async () => {
-    // Mint a scoped key on the "vendor instance" with exactly the
-    // federation permission set. Register the vendor with THAT key.
-    const scopedMint = await request(app)
-      .post('/api-keys/scoped')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ scopes: ['partners:write', 'partners:read', 'links:write', 'commissions:read'] });
-    const scopedKey = scopedMint.body.plaintext as string;
-
-    const campaign = (await request(app)
-      .post('/campaigns')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Scoped test', commissionRule: { type: 'percent', value: 15 } })).body;
-
-    const vendorRes = await request(app)
-      .post('/network/vendors')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({
-        name: 'ScopedCo',
-        slug: `scoped-${Date.now()}`,
-        instanceUrl,
-        instanceKey: scopedKey, // <-- scoped, not ADMIN_KEY
-        routerUrl: instanceUrl,
-      });
-    const vendorKey = vendorRes.body.apiKey;
-    await request(app).post(`/network/vendors/${vendorRes.body.vendor.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const offeringId = (await request(app)
-      .post('/network/offerings')
-      .set('Authorization', `Bearer ${vendorKey}`)
-      .send({
-        title: 'Scoped offering',
-        productUrl: 'https://example.com',
-        vendorCampaignId: campaign.id,
-        terms: { payout: { type: 'recurring_percent', percent: 15, durationMonths: null }, cookieWindowDays: 45 },
-        published: true,
-      })).body.offering.id;
-
-    const creatorRes = await request(app)
-      .post('/network/creators')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Scopy', handle: `scopy_${Date.now()}`, email: `scopy${Date.now()}@e.com` });
-    const creatorKey = creatorRes.body.apiKey;
-    await request(app).post(`/network/creators/${creatorRes.body.creator.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const applyRes = await request(app)
-      .post('/network/requests')
-      .set('Authorization', `Bearer ${creatorKey}`)
-      .send({ offeringId, promoCode: 'scopyshares' });
-
-    const approveRes = await request(app)
-      .post(`/network/requests/${applyRes.body.request.id}/approve`)
-      .set('Authorization', `Bearer ${vendorKey}`)
-      .send({});
-    expect(approveRes.status).toBe(200);
-    expect(approveRes.body.federated.linkKey).toBe('scopyshares');
-
-    // Federated read (commissions:read) works too.
-    const earnings = await request(app)
-      .get('/network/partnerships/earnings')
-      .set('Authorization', `Bearer ${creatorKey}`);
-    expect(earnings.status).toBe(200);
-    expect(earnings.body.partnerships[0].status).toBe('ok');
-  });
-
-  it('verify-key endpoint flags unrestricted admin keys and accepts proper scoped keys', async () => {
-    // Unrestricted admin → warn.
-    const adminCheck = await request(app)
-      .post('/network/vendors/verify-key')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ instanceUrl, instanceKey: ADMIN_KEY });
-    expect(adminCheck.status).toBe(200);
-    expect(adminCheck.body.unrestricted).toBe(true);
-    expect(adminCheck.body.acceptable).toBe(true);
-
-    // Scoped with all required → acceptable, missing=[].
-    const fullyScoped = await request(app)
-      .post('/api-keys/scoped')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ scopes: ['partners:write', 'partners:read', 'links:write', 'commissions:read'] });
-    const okCheck = await request(app)
-      .post('/network/vendors/verify-key')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ instanceUrl, instanceKey: fullyScoped.body.plaintext });
-    expect(okCheck.status).toBe(200);
-    expect(okCheck.body.unrestricted).toBe(false);
-    expect(okCheck.body.missing).toEqual([]);
-    expect(okCheck.body.acceptable).toBe(true);
-
-    // Scoped with only some → missing listed.
-    const partial = await request(app)
-      .post('/api-keys/scoped')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ scopes: ['partners:write'] });
-    const missCheck = await request(app)
-      .post('/network/vendors/verify-key')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ instanceUrl, instanceKey: partial.body.plaintext });
-    expect(missCheck.status).toBe(200);
-    expect(missCheck.body.missing).toEqual(
-      expect.arrayContaining(['partners:read', 'links:write', 'commissions:read']),
-    );
-    expect(missCheck.body.acceptable).toBe(false);
-  });
-
-  it('creator profile patch + directory visibility', async () => {
-    const creatorRes = await request(app)
-      .post('/network/creators')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Start', handle: `start_${Date.now()}`, email: `start${Date.now()}@e.com` });
-    const creatorKey = creatorRes.body.apiKey;
-    const creatorId = creatorRes.body.creator.id;
-
-    // Inactive creators don't appear in the public directory.
-    let dir = await request(app).get('/network/directory/creators');
-    expect(dir.body.creators.find((c: { id: string }) => c.id === creatorId)).toBeUndefined();
-
-    await request(app).post(`/network/creators/${creatorId}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    dir = await request(app).get('/network/directory/creators');
-    expect(dir.body.creators.find((c: { id: string }) => c.id === creatorId)).toBeDefined();
-
-    // Self-edit persists.
-    const patch = await request(app)
-      .patch('/network/creators/me')
-      .set('Authorization', `Bearer ${creatorKey}`)
-      .send({
-        name: 'Patched',
-        bio: 'I publish on YouTube.',
-        defaultPromoCode: 'patchedcode',
-        platforms: [{ platform: 'youtube', url: 'https://youtube.com/@patched', followers: 50000 }],
-      });
-    expect(patch.status).toBe(200);
-    expect(patch.body.creator.name).toBe('Patched');
-    expect(patch.body.creator.bio).toBe('I publish on YouTube.');
-    expect(patch.body.creator.defaultPromoCode).toBe('patchedcode');
-    expect(patch.body.creator.platforms).toHaveLength(1);
-
-    // Handle is not in the PATCH schema — it stays pinned.
-    const handleAttempt = await request(app)
-      .patch('/network/creators/me')
-      .set('Authorization', `Bearer ${creatorKey}`)
-      .send({ handle: 'renamed' });
-    expect(handleAttempt.status).toBe(200);
-    expect(handleAttempt.body.creator.handle).not.toBe('renamed');
-  });
-
-  it('vendor invite via /network/invites creates a pending request', async () => {
-    const campaign = (await request(app)
-      .post('/campaigns')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Inv', commissionRule: { type: 'percent', value: 10 } })).body;
-
-    const vendorRes = await request(app)
-      .post('/network/vendors')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'InviteVendor', slug: `inv-${Date.now()}`, instanceUrl, instanceKey: ADMIN_KEY });
-    const vendorKey = vendorRes.body.apiKey;
-    await request(app).post(`/network/vendors/${vendorRes.body.vendor.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const offering = (await request(app)
-      .post('/network/offerings')
-      .set('Authorization', `Bearer ${vendorKey}`)
-      .send({
-        title: 'Invite offering',
-        productUrl: 'https://example.com',
-        vendorCampaignId: campaign.id,
-        terms: { payout: { type: 'one_time_fee', amount: 1 }, cookieWindowDays: 30 },
-        published: true,
-      })).body.offering;
-
-    const creator = (await request(app)
-      .post('/network/creators')
-      .set('Authorization', `Bearer ${ADMIN_KEY}`)
-      .send({ name: 'Targ', handle: `targ_${Date.now()}`, email: `targ${Date.now()}@e.com` })).body;
-    await request(app).post(`/network/creators/${creator.creator.id}/activate`).set('Authorization', `Bearer ${ADMIN_KEY}`);
-
-    const invite = await request(app)
-      .post('/network/invites')
-      .set('Authorization', `Bearer ${vendorKey}`)
-      .send({
-        offeringId: offering.id,
-        creatorId: creator.creator.id,
-        message: 'Want to be part of this?',
-        promoCode: 'targshare',
-      });
-    expect(invite.status).toBe(201);
-    expect(invite.body.request.direction).toBe('vendor_to_creator');
-    expect(invite.body.request.promoCode).toBe('targshare');
-  });
-
-  it('encryption round-trips', async () => {
-    const { encryptKey, decryptKey } = await import('../network/crypto.js');
-    const enc = encryptKey('hello-secret-key');
-    expect(enc).not.toContain('hello');
-    expect(decryptKey(enc)).toBe('hello-secret-key');
-  });
-});
diff --git a/apps/api/src/__tests__/safe-fetch.test.ts b/apps/api/src/__tests__/safe-fetch.test.ts
deleted file mode 100644
index 1a01256..0000000
--- a/apps/api/src/__tests__/safe-fetch.test.ts
+++ /dev/null
@@ -1,57 +0,0 @@
-/**
- * safeFetch: SSRF guard on outbound Network calls.
- *
- * We can't cheaply test a real fetch without a network, so this file
- * exercises the protocol + hostname validation that safeFetch does
- * BEFORE calling fetch. Runs under NODE_ENV=production to skip the
- * test-env bypass baked into the guard.
- */
-
-import { afterEach, beforeEach, describe, expect, it } from 'vitest';
-import { safeFetch } from '../network/safe-fetch.js';
-
-describe('safeFetch SSRF guard', () => {
-  const original = process.env.NODE_ENV;
-  beforeEach(() => {
-    process.env.NODE_ENV = 'production';
-    delete process.env.NETWORK_ALLOW_PRIVATE_HOSTS;
-  });
-  afterEach(() => {
-    process.env.NODE_ENV = original;
-  });
-
-  it('rejects non-http(s) protocols', async () => {
-    await expect(safeFetch('file:///etc/passwd')).rejects.toMatchObject({ code: 'unsupported_protocol' });
-    await expect(safeFetch('gopher://example.com/')).rejects.toMatchObject({ code: 'unsupported_protocol' });
-  });
-
-  it('rejects IPv4 loopback / private ranges by literal IP', async () => {
-    await expect(safeFetch('http://127.0.0.1/')).rejects.toMatchObject({ code: 'private_host_blocked' });
-    await expect(safeFetch('http://10.0.0.1/')).rejects.toMatchObject({ code: 'private_host_blocked' });
-    await expect(safeFetch('http://192.168.1.1/')).rejects.toMatchObject({ code: 'private_host_blocked' });
-    await expect(safeFetch('http://169.254.169.254/latest/meta-data/')).rejects.toMatchObject({
-      code: 'private_host_blocked',
-    });
-    await expect(safeFetch('http://172.16.0.1/')).rejects.toMatchObject({ code: 'private_host_blocked' });
-  });
-
-  it('rejects IPv6 loopback / link-local / unique-local', async () => {
-    await expect(safeFetch('http://[::1]/')).rejects.toMatchObject({ code: 'private_host_blocked' });
-    await expect(safeFetch('http://[fe80::1]/')).rejects.toMatchObject({ code: 'private_host_blocked' });
-    await expect(safeFetch('http://[fc00::1]/')).rejects.toMatchObject({ code: 'private_host_blocked' });
-  });
-
-  it('rejects hostnames that resolve to loopback (localhost)', async () => {
-    // localhost normally resolves to 127.0.0.1 or ::1 via the hosts file.
-    await expect(safeFetch('http://localhost/')).rejects.toMatchObject({ code: 'private_host_blocked' });
-  });
-
-  it('opts out of the guard when NETWORK_ALLOW_PRIVATE_HOSTS=1', async () => {
-    process.env.NETWORK_ALLOW_PRIVATE_HOSTS = '1';
-    // We still expect the request itself to fail (nothing listening at
-    // this port in the test env), but NOT with private_host_blocked.
-    await expect(safeFetch('http://127.0.0.1:59999/', { signal: AbortSignal.timeout(200) })).rejects.not.toMatchObject(
-      { code: 'private_host_blocked' },
-    );
-  });
-});
diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index c13fb91..c9674f7 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -22,15 +22,9 @@ import { exportRouter } from './routes/export.js';
 import { billingRouter } from './routes/billing.js';
 import { authRouter } from './routes/auth.js';
 import { adminOverviewRouter } from './routes/admin-overview.js';
-import { magicLinkRouter } from './routes/magic-link.js';
 import { funnelRouter } from './routes/funnel.js';
 import { fraudReviewRouter } from './routes/fraud-review.js';
 import { webhooksRouter } from './routes/webhooks.js';
-import { networkVendorsRouter } from './routes/network-vendors.js';
-import { networkCreatorsRouter } from './routes/network-creators.js';
-import { networkOfferingsRouter } from './routes/network-offerings.js';
-import { networkRequestsRouter } from './routes/network-requests.js';
-import { networkEarningsRouter } from './routes/network-earnings.js';
 import { metricsRouter } from './routes/metrics.js';
 
 export function createApp(options: { enableLogger?: boolean } = {}) {
@@ -107,7 +101,6 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   });
 
   app.use(authRouter);
-  app.use(magicLinkRouter);
   app.use(funnelRouter);
   app.use(fraudReviewRouter);
   app.use(webhooksRouter);
@@ -124,11 +117,6 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   app.use(exportRouter);
   app.use(billingRouter);
   app.use(adminOverviewRouter);
-  app.use(networkVendorsRouter);
-  app.use(networkCreatorsRouter);
-  app.use(networkOfferingsRouter);
-  app.use(networkRequestsRouter);
-  app.use(networkEarningsRouter);
   app.use(metricsRouter);
 
   app.use((err: Error, req: Request, res: Response, _next: NextFunction) => {
diff --git a/apps/api/src/auth-sessions.ts b/apps/api/src/auth-sessions.ts
deleted file mode 100644
index d326540..0000000
--- a/apps/api/src/auth-sessions.ts
+++ /dev/null
@@ -1,149 +0,0 @@
-/**
- * Magic-link + session primitives.
- *
- * Tokens and session tokens share the same sha256-at-rest pattern API
- * keys already use: we store prefix (for indexed lookup) + hash, never
- * the plaintext. Cookies carry the plaintext; comparisons use
- * constant-time equality on the hash.
- */
-
-import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';
-import { ulid } from 'ulid';
-import {
-  TABLES,
-  type MagicLinkClaim,
-  type MagicLinkPurpose,
-  type MagicLinkTokenRow,
-  type SessionPrincipalKind,
-  type SessionRow,
-} from '@openpartner/db';
-import { db } from './db.js';
-
-export const SESSION_COOKIE_NAME = 'op_session';
-const MAGIC_PREFIX_LEN = 8;
-const SESSION_PREFIX_LEN = 8;
-
-function hash(s: string): string {
-  return createHash('sha256').update(s).digest('hex');
-}
-
-function constantTimeStringEqual(a: string, b: string): boolean {
-  if (a.length !== b.length) return false;
-  return timingSafeEqual(Buffer.from(a), Buffer.from(b));
-}
-
-// ---- Magic-link tokens ----
-
-export interface IssuedToken {
-  id: string;
-  plaintext: string;
-}
-
-export async function issueMagicLink(params: {
-  email: string;
-  purpose: MagicLinkPurpose;
-  claim?: MagicLinkClaim;
-  ttlSeconds?: number;
-}): Promise<IssuedToken> {
-  const plaintext = `mlt_${randomBytes(32).toString('base64url')}`;
-  const prefix = plaintext.slice(0, MAGIC_PREFIX_LEN);
-  const tokenHash = hash(plaintext);
-  const id = ulid();
-  const expiresAt = new Date(Date.now() + (params.ttlSeconds ?? 15 * 60) * 1000); // 15 min default
-
-  await db<MagicLinkTokenRow>(TABLES.MagicLinkToken).insert({
-    id,
-    prefix,
-    tokenHash,
-    email: params.email.toLowerCase(),
-    purpose: params.purpose,
-    claim: params.claim ? (JSON.stringify(params.claim) as unknown as never) : null,
-    expiresAt,
-  });
-
-  return { id, plaintext };
-}
-
-export type ConsumeResult =
-  | { ok: true; token: MagicLinkTokenRow }
-  | { ok: false; error: 'not_found' | 'expired' | 'already_consumed' };
-
-export async function consumeMagicLink(plaintext: string): Promise<ConsumeResult> {
-  if (plaintext.length < MAGIC_PREFIX_LEN) return { ok: false, error: 'not_found' };
-  const prefix = plaintext.slice(0, MAGIC_PREFIX_LEN);
-  const tokenHash = hash(plaintext);
-
-  const candidates = await db<MagicLinkTokenRow>(TABLES.MagicLinkToken).where({ prefix });
-  const match = candidates.find((row) => constantTimeStringEqual(row.tokenHash, tokenHash));
-  if (!match) return { ok: false, error: 'not_found' };
-  if (match.consumedAt) return { ok: false, error: 'already_consumed' };
-  if (new Date(match.expiresAt).getTime() < Date.now()) return { ok: false, error: 'expired' };
-
-  // Atomic single-use consumption: conditional update on consumedAt IS NULL.
-  const updated = await db<MagicLinkTokenRow>(TABLES.MagicLinkToken)
-    .where({ id: match.id })
-    .whereNull('consumedAt')
-    .update({ consumedAt: new Date() })
-    .returning('*');
-
-  if (updated.length === 0) return { ok: false, error: 'already_consumed' };
-  return { ok: true, token: updated[0]! };
-}
-
-// ---- Sessions ----
-
-const SESSION_TTL_DAYS = 30;
-
-export async function createSession(params: {
-  principalKind: SessionPrincipalKind;
-  principalId: string;
-}): Promise<IssuedToken> {
-  const plaintext = `ops_${randomBytes(32).toString('base64url')}`;
-  const prefix = plaintext.slice(0, SESSION_PREFIX_LEN);
-  const tokenHash = hash(plaintext);
-  const id = ulid();
-  const expiresAt = new Date(Date.now() + SESSION_TTL_DAYS * 24 * 60 * 60 * 1000);
-
-  await db<SessionRow>(TABLES.Session).insert({
-    id,
-    prefix,
-    tokenHash,
-    principalKind: params.principalKind,
-    principalId: params.principalId,
-    expiresAt,
-    lastSeenAt: new Date(),
-  });
-
-  return { id, plaintext };
-}
-
-export async function resolveSession(plaintext: string): Promise<SessionRow | null> {
-  if (plaintext.length < SESSION_PREFIX_LEN) return null;
-  const prefix = plaintext.slice(0, SESSION_PREFIX_LEN);
-  const tokenHash = hash(plaintext);
-
-  const candidates = await db<SessionRow>(TABLES.Session)
-    .where({ prefix })
-    .whereNull('revokedAt');
-  const match = candidates.find((row) => constantTimeStringEqual(row.tokenHash, tokenHash));
-  if (!match) return null;
-  if (new Date(match.expiresAt).getTime() < Date.now()) return null;
-
-  // Non-blocking lastSeen bump — we don't await.
-  void db<SessionRow>(TABLES.Session).where({ id: match.id }).update({ lastSeenAt: new Date() });
-  return match;
-}
-
-export async function revokeSession(id: string): Promise<void> {
-  await db<SessionRow>(TABLES.Session).where({ id }).update({ revokedAt: new Date() });
-}
-
-export function sessionCookieOptions() {
-  return {
-    httpOnly: true,
-    sameSite: 'lax' as const,
-    secure: process.env.NODE_ENV === 'production',
-    path: '/',
-    maxAge: SESSION_TTL_DAYS * 24 * 60 * 60 * 1000,
-  };
-}
diff --git a/apps/api/src/auth.ts b/apps/api/src/auth.ts
index 8710f8a..619a9dd 100644
--- a/apps/api/src/auth.ts
+++ b/apps/api/src/auth.ts
@@ -3,11 +3,13 @@
  *
  * Two shapes of credential:
  *   - ADMIN_API_KEY env var — bootstrap admin key, valid in all modes.
- *   - ApiKey rows in the database — either admin (partnerId null) or partner-scoped.
+ *   - ApiKey rows in the database — either admin (partnerId null),
+ *     partner-scoped, or a scoped key used by a federating client like
+ *     an OpenPartner Network hub.
  *
- * We never store plaintext. Keys look like `op_<24 hex>` and are identified by
- * an 8-char prefix so lookups are indexed rather than table scans. The hash is
- * sha256 over the whole key.
+ * We never store plaintext. Keys look like `op_<24 hex>` and are identified
+ * by an 8-char prefix so lookups are indexed rather than table scans. The
+ * hash is sha256 over the whole key.
  */
 
 import { createHash, randomBytes } from 'node:crypto';
@@ -20,8 +22,6 @@ export type ApiKeyPrincipal =
   | { role: 'admin'; source: 'env' }
   | { role: 'admin'; source: 'db'; apiKeyId: string }
   | { role: 'partner'; source: 'db'; apiKeyId: string; partnerId: string }
-  | { role: 'network_vendor'; source: 'db' | 'session'; apiKeyId?: string; sessionId?: string; networkVendorId: string }
-  | { role: 'network_creator'; source: 'db' | 'session'; apiKeyId?: string; sessionId?: string; networkCreatorId: string }
   | { role: 'scoped'; source: 'db'; apiKeyId: string; scopes: string[] };
 
 declare global {
@@ -78,33 +78,8 @@ export function requirePartnerOrAdmin(paramName: string = 'id') {
 
 async function resolvePrincipal(req: Request): Promise<ApiKeyPrincipal | null> {
   const header = req.header('authorization');
-  if (!header) {
-    // No Bearer — try the session cookie instead. This is what the
-    // portal uses after a creator signs in via magic link.
-    const cookie = (req as unknown as { cookies?: Record<string, string> }).cookies?.op_session;
-    if (!cookie) return null;
-    const { resolveSession } = await import('./auth-sessions.js');
-    const session = await resolveSession(cookie);
-    if (!session) return null;
-    if (session.principalKind === 'network_creator') {
-      return {
-        role: 'network_creator',
-        source: 'session',
-        sessionId: session.id,
-        networkCreatorId: session.principalId,
-      };
-    }
-    if (session.principalKind === 'network_vendor') {
-      return {
-        role: 'network_vendor',
-        source: 'session',
-        sessionId: session.id,
-        networkVendorId: session.principalId,
-      };
-    }
-    // Future: partner / admin session kinds if we add human auth for them.
-    return null;
-  }
+  if (!header) return null;
+
   const match = /^Bearer\s+(\S+)$/i.exec(header);
   if (!match) return null;
   const token = match[1]!;
@@ -126,17 +101,11 @@ async function resolvePrincipal(req: Request): Promise<ApiKeyPrincipal | null> {
   // Non-blocking last-used bump.
   void db<ApiKeyRow>(TABLES.ApiKey).where({ id: match2.id }).update({ lastUsedAt: new Date() });
 
-  // Scoped keys take precedence over any FK role. The FK columns are
-  // only meaningful for non-scoped keys (admin / partner / vendor / creator).
+  // Scoped keys take precedence — they're used by Network-style federation
+  // where the caller has a narrow permission set rather than a role.
   if (Array.isArray(match2.scopes)) {
     return { role: 'scoped', source: 'db', apiKeyId: match2.id, scopes: match2.scopes };
   }
-  if (match2.networkVendorId) {
-    return { role: 'network_vendor', source: 'db', apiKeyId: match2.id, networkVendorId: match2.networkVendorId };
-  }
-  if (match2.networkCreatorId) {
-    return { role: 'network_creator', source: 'db', apiKeyId: match2.id, networkCreatorId: match2.networkCreatorId };
-  }
   if (match2.partnerId) {
     return { role: 'partner', source: 'db', apiKeyId: match2.id, partnerId: match2.partnerId };
   }
@@ -178,8 +147,6 @@ function constantTimeEqual(a: string, b: string): boolean {
 
 export async function createApiKeyRow(params: {
   partnerId?: string | null;
-  networkVendorId?: string | null;
-  networkCreatorId?: string | null;
   scopes?: string[] | null;
   label?: string;
 }): Promise<{ id: string; plaintext: string }> {
@@ -190,8 +157,6 @@ export async function createApiKeyRow(params: {
     prefix,
     keyHash: hash,
     partnerId: params.partnerId ?? null,
-    networkVendorId: params.networkVendorId ?? null,
-    networkCreatorId: params.networkCreatorId ?? null,
     // pg jsonb: arrays need stringification; null stays null
     scopes: params.scopes != null
       ? (JSON.stringify(params.scopes) as unknown as never)
@@ -200,17 +165,3 @@ export async function createApiKeyRow(params: {
   });
   return { id, plaintext };
 }
-
-export function requireNetworkVendor(req: Request, res: Response, next: NextFunction): void {
-  const p = req.principal;
-  if (!p) return void res.status(401).json({ error: 'unauthorized' });
-  if (p.role === 'admin' || p.role === 'network_vendor') return next();
-  res.status(403).json({ error: 'forbidden' });
-}
-
-export function requireNetworkCreator(req: Request, res: Response, next: NextFunction): void {
-  const p = req.principal;
-  if (!p) return void res.status(401).json({ error: 'unauthorized' });
-  if (p.role === 'admin' || p.role === 'network_creator') return next();
-  res.status(403).json({ error: 'forbidden' });
-}
diff --git a/apps/api/src/email-templates.ts b/apps/api/src/email-templates.ts
deleted file mode 100644
index 70e866f..0000000
--- a/apps/api/src/email-templates.ts
+++ /dev/null
@@ -1,150 +0,0 @@
-/**
- * HTML + plain-text templates for auth emails.
- *
- * Kept deliberately small: inline CSS only, safe fonts, single CTA
- * button. Plaintext fallback carries the same link for clients that
- * block HTML. Preheader text primes the inbox preview so the user sees
- * "Sign in to OpenPartner" before they open the message.
- */
-
-export interface MagicEmail {
-  subject: string;
-  text: string;
-  html: string;
-  tag: string;
-}
-
-interface BuildParams {
-  headline: string;
-  preheader: string;
-  intro: string;
-  buttonLabel: string;
-  url: string;
-  note?: string;
-  tag: string;
-  subject: string;
-}
-
-function esc(s: string): string {
-  return s
-    .replaceAll('&', '&amp;')
-    .replaceAll('<', '&lt;')
-    .replaceAll('>', '&gt;')
-    .replaceAll('"', '&quot;')
-    .replaceAll("'", '&#39;');
-}
-
-function build(params: BuildParams): MagicEmail {
-  const { headline, preheader, intro, buttonLabel, url, note, tag, subject } = params;
-
-  const text =
-    `${headline}\n\n${intro}\n\n${buttonLabel}: ${url}\n\n` +
-    `This link expires in 15 minutes. If you didn't request it, ignore this email.` +
-    (note ? `\n\n${note}` : '');
-
-  const html = `<!doctype html>
-<html>
-<head>
-<meta charset="utf-8">
-<title>${esc(subject)}</title>
-</head>
-<body style="margin:0;padding:0;background:#0b0d10;font-family:-apple-system,BlinkMacSystemFont,'Segoe UI',Roboto,'Helvetica Neue',Arial,sans-serif;color:#e6e8eb;">
-  <span style="display:none;font-size:0;line-height:0;max-height:0;max-width:0;opacity:0;overflow:hidden;">${esc(preheader)}</span>
-  <table role="presentation" width="100%" cellpadding="0" cellspacing="0" border="0" style="background:#0b0d10;padding:40px 16px;">
-    <tr>
-      <td align="center">
-        <table role="presentation" width="520" cellpadding="0" cellspacing="0" border="0" style="max-width:520px;background:#14171c;border:1px solid #242932;border-radius:14px;padding:32px;">
-          <tr>
-            <td style="padding-bottom:24px;">
-              <table role="presentation" cellpadding="0" cellspacing="0" border="0">
-                <tr>
-                  <td style="background:linear-gradient(135deg,#2dd4bf,#0891b2);width:28px;height:28px;border-radius:8px;text-align:center;color:#08141a;font-weight:700;font-size:15px;font-family:-apple-system,BlinkMacSystemFont,sans-serif;">O</td>
-                  <td style="padding-left:10px;font-size:16px;font-weight:600;color:#e6e8eb;">OpenPartner</td>
-                </tr>
-              </table>
-            </td>
-          </tr>
-          <tr>
-            <td style="font-size:22px;font-weight:600;color:#e6e8eb;padding-bottom:8px;letter-spacing:-0.01em;">${esc(headline)}</td>
-          </tr>
-          <tr>
-            <td style="font-size:14px;line-height:1.6;color:#8b929c;padding-bottom:24px;">${esc(intro)}</td>
-          </tr>
-          <tr>
-            <td style="padding-bottom:24px;">
-              <a href="${esc(url)}" style="display:inline-block;background:#2dd4bf;color:#08141a;text-decoration:none;padding:11px 20px;border-radius:6px;font-size:14px;font-weight:600;">${esc(buttonLabel)}</a>
-            </td>
-          </tr>
-          <tr>
-            <td style="font-size:12px;color:#5a6370;padding-bottom:16px;">
-              This link expires in 15 minutes. If you didn't request it, ignore this email.
-            </td>
-          </tr>
-          ${note ? `<tr><td style="font-size:12px;color:#8b929c;padding-top:16px;border-top:1px solid #242932;line-height:1.6;">${esc(note)}</td></tr>` : ''}
-          <tr>
-            <td style="font-size:11px;color:#5a6370;padding-top:16px;word-break:break-all;">
-              Or paste this URL into your browser:<br>
-              <span style="color:#8b929c;">${esc(url)}</span>
-            </td>
-          </tr>
-        </table>
-      </td>
-    </tr>
-  </table>
-</body>
-</html>`;
-
-  return { subject, text, html, tag };
-}
-
-export function creatorSignupEmail(name: string, url: string): MagicEmail {
-  return build({
-    subject: 'Finish your OpenPartner signup',
-    preheader: `Hi ${name} — one click to finish creating your OpenPartner account.`,
-    headline: `Hi ${name}, one click to finish.`,
-    intro:
-      'Click the button below to verify your email and finish setting up your OpenPartner creator account. Once verified, you can browse offerings and apply to promote any product.',
-    buttonLabel: 'Finish signup',
-    url,
-    tag: 'creator_signup',
-  });
-}
-
-export function creatorSigninEmail(url: string): MagicEmail {
-  return build({
-    subject: 'Your OpenPartner sign-in link',
-    preheader: 'One click to sign in to OpenPartner.',
-    headline: 'Sign in to OpenPartner',
-    intro: 'Click the button below to sign in.',
-    buttonLabel: 'Sign in',
-    url,
-    tag: 'creator_signin',
-  });
-}
-
-export function vendorSignupEmail(name: string, url: string): MagicEmail {
-  return build({
-    subject: 'Finish your OpenPartner vendor signup',
-    preheader: `Verify your email to submit ${name} for Network review.`,
-    headline: `Welcome, ${name}.`,
-    intro:
-      'Click the button below to verify your email and submit your vendor application. An admin reviews your federation credentials and activates your account — usually within a day.',
-    buttonLabel: 'Verify email',
-    url,
-    tag: 'vendor_signup',
-    note:
-      "After your account is active, creators on the Network will be able to discover and apply to promote your offerings. You'll receive their applications in your portal inbox.",
-  });
-}
-
-export function vendorSigninEmail(url: string): MagicEmail {
-  return build({
-    subject: 'Your OpenPartner sign-in link',
-    preheader: 'One click to sign in to OpenPartner.',
-    headline: 'Sign in to OpenPartner',
-    intro: 'Click the button below to sign in.',
-    buttonLabel: 'Sign in',
-    url,
-    tag: 'vendor_signin',
-  });
-}
diff --git a/apps/api/src/mailer.ts b/apps/api/src/mailer.ts
deleted file mode 100644
index a571cb1..0000000
--- a/apps/api/src/mailer.ts
+++ /dev/null
@@ -1,125 +0,0 @@
-/**
- * Mail delivery. The abstraction stays tiny — a single send() that takes
- * { to, subject, text, html?, metadata? }.
- *
- * Two implementations:
- *   DevMailer       persists to the DevMessage table. An admin-only
- *                   /dev/mailbox endpoint reads them back so local dev
- *                   and CI can follow magic links without configuring
- *                   a real provider.
- *   PostmarkMailer  POSTs to Postmark's Email API over native fetch
- *                   (no SDK dep). Used in any environment with
- *                   MAIL_TRANSPORT=postmark set.
- *
- * The factory reads MAIL_TRANSPORT:
- *   "postmark"  → PostmarkMailer (requires POSTMARK_SERVER_TOKEN + MAIL_FROM)
- *   anything else → DevMailer
- */
-
-import { ulid } from 'ulid';
-import { TABLES, type DevMessageRow } from '@openpartner/db';
-import { db } from './db.js';
-
-export interface MailMessage {
-  to: string;
-  subject: string;
-  text: string;
-  html?: string;
-  metadata?: Record<string, unknown>;
-  /**
-   * Opaque tag Postmark stores alongside the message. We use it to
-   * distinguish creator_signup / creator_signin / vendor_signup /
-   * vendor_signin in dashboards and searches.
-   */
-  tag?: string;
-}
-
-export interface Mailer {
-  send(msg: MailMessage): Promise<void>;
-}
-
-class DevMailer implements Mailer {
-  async send(msg: MailMessage): Promise<void> {
-    await db<DevMessageRow>(TABLES.DevMessage).insert({
-      id: ulid(),
-      to: msg.to,
-      subject: msg.subject,
-      body: msg.text,
-      html: msg.html ?? null,
-      metadata: (msg.metadata ?? {}) as never,
-    });
-    console.log(`[dev-mail] to=${msg.to} subject="${msg.subject}"`);
-  }
-}
-
-class PostmarkMailer implements Mailer {
-  constructor(
-    private readonly serverToken: string,
-    private readonly from: string,
-    private readonly messageStream: string,
-  ) {}
-
-  async send(msg: MailMessage): Promise<void> {
-    const res = await fetch('https://api.postmarkapp.com/email', {
-      method: 'POST',
-      headers: {
-        'content-type': 'application/json',
-        accept: 'application/json',
-        'x-postmark-server-token': this.serverToken,
-      },
-      body: JSON.stringify({
-        From: this.from,
-        To: msg.to,
-        Subject: msg.subject,
-        TextBody: msg.text,
-        HtmlBody: msg.html,
-        MessageStream: this.messageStream,
-        Tag: msg.tag,
-        // Metadata values must be strings per Postmark's contract.
-        Metadata: msg.metadata
-          ? Object.fromEntries(Object.entries(msg.metadata).map(([k, v]) => [k, String(v)]))
-          : undefined,
-      }),
-    });
-
-    if (!res.ok) {
-      const text = await res.text();
-      throw new Error(`postmark send failed: ${res.status} ${text.slice(0, 300)}`);
-    }
-
-    // 200 with ErrorCode=0 is the success shape; ErrorCode != 0 is a
-    // per-message rejection (recipient suppressed, blocked, etc). Both
-    // are worth knowing about, but only ErrorCode != 0 with a non-zero
-    // status should throw. Postmark returns ErrorCode=0 on 200.
-    const body = (await res.json()) as { ErrorCode?: number; Message?: string };
-    if (body.ErrorCode && body.ErrorCode !== 0) {
-      throw new Error(`postmark rejected message: ${body.ErrorCode} ${body.Message ?? ''}`);
-    }
-  }
-}
-
-let mailerInstance: Mailer | null = null;
-
-export function getMailer(): Mailer {
-  if (mailerInstance) return mailerInstance;
-  const transport = process.env.MAIL_TRANSPORT ?? 'dev';
-  if (transport === 'postmark') {
-    const token = process.env.POSTMARK_SERVER_TOKEN;
-    const from = process.env.MAIL_FROM;
-    if (!token) throw new Error('MAIL_TRANSPORT=postmark requires POSTMARK_SERVER_TOKEN');
-    if (!from) throw new Error('MAIL_TRANSPORT=postmark requires MAIL_FROM');
-    const stream = process.env.POSTMARK_MESSAGE_STREAM ?? 'outbound';
-    mailerInstance = new PostmarkMailer(token, from, stream);
-  } else {
-    mailerInstance = new DevMailer();
-  }
-  return mailerInstance;
-}
-
-/**
- * Reset for tests that want to change env vars between runs. Not used
- * in production code paths.
- */
-export function __resetMailerForTests(): void {
-  mailerInstance = null;
-}
diff --git a/apps/api/src/network/crypto.ts b/apps/api/src/network/crypto.ts
deleted file mode 100644
index e4ff0d5..0000000
--- a/apps/api/src/network/crypto.ts
+++ /dev/null
@@ -1,55 +0,0 @@
-/**
- * Envelope encryption for federation keys.
- *
- * Why: the Network needs to call out to a vendor's OpenPartner instance
- * admin API on partnership approval. That means holding the plaintext key
- * somewhere — a sha256 hash would be useless for outbound calls.
- *
- * We use AES-256-GCM with a master key pulled from NETWORK_ENCRYPTION_KEY
- * (32 bytes, base64 or hex). In dev, if no key is set, we use a fixed
- * dev-only key and log a warning — this is NEVER OK in production. The
- * env-loader startup check enforces presence in production builds.
- */
-
-import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
-
-const ALG = 'aes-256-gcm';
-const IV_LEN = 12; // GCM recommends 12 bytes
-
-let cachedKey: Buffer | null = null;
-
-function masterKey(): Buffer {
-  if (cachedKey) return cachedKey;
-  const raw = process.env.NETWORK_ENCRYPTION_KEY;
-  if (!raw) {
-    if (process.env.NODE_ENV === 'production') {
-      throw new Error('NETWORK_ENCRYPTION_KEY is required in production');
-    }
-    console.warn('[network.crypto] NETWORK_ENCRYPTION_KEY not set — using dev-only fallback. DO NOT USE IN PROD.');
-    cachedKey = Buffer.alloc(32, 0x42);
-    return cachedKey;
-  }
-  // accept either hex or base64
-  const buf = raw.length === 64 ? Buffer.from(raw, 'hex') : Buffer.from(raw, 'base64');
-  if (buf.length !== 32) throw new Error('NETWORK_ENCRYPTION_KEY must decode to exactly 32 bytes');
-  cachedKey = buf;
-  return buf;
-}
-
-export function encryptKey(plaintext: string): string {
-  const iv = randomBytes(IV_LEN);
-  const cipher = createCipheriv(ALG, masterKey(), iv);
-  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
-  const tag = cipher.getAuthTag();
-  return Buffer.concat([iv, tag, ct]).toString('base64');
-}
-
-export function decryptKey(envelope: string): string {
-  const buf = Buffer.from(envelope, 'base64');
-  const iv = buf.subarray(0, IV_LEN);
-  const tag = buf.subarray(IV_LEN, IV_LEN + 16);
-  const ct = buf.subarray(IV_LEN + 16);
-  const decipher = createDecipheriv(ALG, masterKey(), iv);
-  decipher.setAuthTag(tag);
-  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
-}
diff --git a/apps/api/src/network/federation.ts b/apps/api/src/network/federation.ts
deleted file mode 100644
index 5df854b..0000000
--- a/apps/api/src/network/federation.ts
+++ /dev/null
@@ -1,195 +0,0 @@
-/**
- * Federation client.
- *
- * When the Network approves a Partnership, we provision the actual
- * Partner + Link on the vendor's OpenPartner instance — that's where
- * attribution and payouts live. We call the vendor's admin API using the
- * encrypted key the vendor supplied at registration.
- *
- * The client is resilient: if the vendor's instance is unreachable, the
- * approval is rolled back so the creator isn't left with a half-provisioned
- * partnership. (See network-requests.ts for the transaction boundary.)
- */
-
-import type { NetworkVendorRow, OfferingRow } from '@openpartner/db';
-import { decryptKey } from './crypto.js';
-
-export interface FederationCreator {
-  name: string;
-  email: string;
-  handle: string;
-  promoCode?: string | null;
-}
-
-export interface PartnerDashboardStats {
-  partnerId: string;
-  since: string;
-  clicks: number;
-  attributedEvents: number;
-  attributedRevenue: number;
-  commissionByStatus: Record<string, number>;
-}
-
-/**
- * Read-side federation: pull a partner's dashboard off their vendor's
- * OpenPartner instance. Used by the Network to surface per-partnership
- * earnings to creators (and to vendors, inverted — "how much has this
- * creator earned you?"). Attribution never leaves the vendor's instance;
- * we just project it into the Network UI.
- */
-export async function fetchPartnerDashboard(
-  vendor: NetworkVendorRow,
-  partnerId: string,
-): Promise<PartnerDashboardStats> {
-  const key = decryptKey(vendor.instanceKeyCiphertext);
-  const res = await fetchJson(`${vendor.instanceUrl}/partners/${partnerId}/dashboard`, {
-    method: 'GET',
-    key,
-  });
-  return res as unknown as PartnerDashboardStats;
-}
-
-export interface PartnerCommission {
-  id: string;
-  partnerId: string;
-  amount: string;
-  currency: string;
-  status: 'accrued' | 'approved' | 'paid' | 'reversed' | (string & {});
-  accruedAt: string;
-  paidAt: string | null;
-}
-
-export async function fetchPartnerCommissions(
-  vendor: NetworkVendorRow,
-  partnerId: string,
-): Promise<PartnerCommission[]> {
-  const key = decryptKey(vendor.instanceKeyCiphertext);
-  const res = (await fetchJson(`${vendor.instanceUrl}/partners/${partnerId}/commissions?limit=500`, {
-    method: 'GET',
-    key,
-  })) as { commissions?: PartnerCommission[] };
-  return res.commissions ?? [];
-}
-
-export interface FederatedPartner {
-  partnerId: string;
-  linkKey: string;
-  publicShareUrl: string;
-  routerUrl: string;
-}
-
-export async function provisionPartnerOnVendor(params: {
-  vendor: NetworkVendorRow;
-  offering: OfferingRow;
-  creator: FederationCreator;
-}): Promise<FederatedPartner> {
-  const { vendor, offering, creator } = params;
-  const key = decryptKey(vendor.instanceKeyCiphertext);
-
-  const createPartnerRes = await fetchJson(`${vendor.instanceUrl}/partners`, {
-    method: 'POST',
-    key,
-    body: {
-      email: creator.email,
-      name: creator.name,
-      metadata: { source: 'openpartner_network', creatorHandle: creator.handle },
-    },
-  });
-
-  const partnerId = String(createPartnerRes.id);
-
-  // Preferred link key order: request-level promoCode → creator handle. The
-  // slug is what appears in the share URL (e.g. getcoherence.io/r/<slug>),
-  // so we respect whatever the creator chose up-front. If uniqueness
-  // collides on the vendor's instance, fetchJsonWithFallback retries with
-  // a short suffix so the creator still gets something close to what they
-  // picked instead of the provisioning failing outright.
-  const linkKey = sanitizeLinkKey(creator.promoCode || creator.handle);
-  const linkPayload = {
-    linkKey,
-    campaignId: offering.vendorCampaignId,
-    destinationUrl: offering.productUrl,
-  };
-
-  const linkRes = await fetchJsonWithFallback(`${vendor.instanceUrl}/partners/${partnerId}/links`, {
-    method: 'POST',
-    key,
-    body: linkPayload,
-    fallbackBody: { ...linkPayload, linkKey: `${linkKey}-${partnerId.slice(-6).toLowerCase()}` },
-  });
-
-  // Router URL is co-deployed with the vendor's OpenPartner. Convention:
-  // swap the API host's default port (4601) for the router's (4701), or
-  // honor a routerUrl override we could add to NetworkVendor later.
-  const routerUrl = deriveRouterUrl(vendor);
-  const actualLinkKey = String(linkRes.linkKey);
-  const publicShareUrl = `${routerUrl}/r/${actualLinkKey}`;
-
-  return { partnerId, linkKey: actualLinkKey, publicShareUrl, routerUrl };
-}
-
-function sanitizeLinkKey(raw: string): string {
-  const cleaned = raw
-    .toLowerCase()
-    .replace(/[^a-z0-9_-]+/g, '_')
-    .replace(/^_+|_+$/g, '')
-    .slice(0, 40);
-  return cleaned || 'creator';
-}
-
-function deriveRouterUrl(vendor: NetworkVendorRow): string {
-  // Priority: explicit NetworkVendor.routerUrl → env override → port-swap
-  // convention (API 4601 → router 4701) for localhost dev. Production
-  // vendors should set routerUrl to their branded apex (e.g.
-  // https://getcoherence.io) so share URLs land at the right hostname.
-  if (vendor.routerUrl) return vendor.routerUrl;
-  const env = process.env.NETWORK_ROUTER_URL;
-  if (env) return env;
-  try {
-    const url = new URL(vendor.instanceUrl);
-    if (url.port === '4601') {
-      url.port = '4701';
-      return url.origin;
-    }
-  } catch {
-    /* ignore */
-  }
-  return vendor.instanceUrl;
-}
-
-interface FetchParams {
-  method: 'POST' | 'GET';
-  key: string;
-  body?: unknown;
-}
-
-async function fetchJson(url: string, params: FetchParams): Promise<Record<string, unknown>> {
-  const res = await fetch(url, {
-    method: params.method,
-    headers: {
-      authorization: `Bearer ${params.key}`,
-      'content-type': 'application/json',
-    },
-    body: params.body !== undefined ? JSON.stringify(params.body) : undefined,
-  });
-  const text = await res.text();
-  if (!res.ok) {
-    throw new Error(`${params.method} ${url} → ${res.status}: ${text.slice(0, 300)}`);
-  }
-  return text ? (JSON.parse(text) as Record<string, unknown>) : {};
-}
-
-async function fetchJsonWithFallback(
-  url: string,
-  params: FetchParams & { fallbackBody: unknown },
-): Promise<Record<string, unknown>> {
-  try {
-    return await fetchJson(url, { method: params.method, key: params.key, body: params.body });
-  } catch (err) {
-    const msg = err instanceof Error ? err.message : String(err);
-    if (msg.includes('409') || msg.includes('linkKey_taken')) {
-      return fetchJson(url, { method: params.method, key: params.key, body: params.fallbackBody });
-    }
-    throw err;
-  }
-}
diff --git a/apps/api/src/network/safe-fetch.ts b/apps/api/src/network/safe-fetch.ts
deleted file mode 100644
index 87564d3..0000000
--- a/apps/api/src/network/safe-fetch.ts
+++ /dev/null
@@ -1,91 +0,0 @@
-/**
- * SSRF-safe outbound fetch to user-provided URLs.
- *
- * The Network flow accepts a vendor's `instanceUrl` unauthenticated — a
- * prospective vendor is still signing up and doesn't have an account
- * yet. That means we can't fix the SSRF surface with auth; we have to
- * validate the URL itself. Defence in depth:
- *
- *   1. Only http:// or https:// (no file:, gopher:, etc.)
- *   2. Resolve DNS; reject if ANY resolved address lives in a private
- *      / loopback / link-local / cgnat range. All addresses must be
- *      public because an attacker who controls DNS can rebind between
- *      this check and fetch(), but matching hostname-lookup-then-fetch
- *      with a Node agent that dials only the checked IPs is beyond
- *      v1 scope — the loud-default rejection here closes 95% of
- *      exploits in the wild.
- *   3. Self-hosters running everything on a VPN or private network can
- *      opt out by setting NETWORK_ALLOW_PRIVATE_HOSTS=1.
- *
- * Still returns a standard Response — the caller pipes through to
- * their existing logic.
- */
-
-import { lookup } from 'node:dns/promises';
-import { isIP } from 'node:net';
-
-const PRIVATE_V4 = [
-  /^0\./,
-  /^10\./,
-  /^127\./,
-  /^169\.254\./,
-  /^172\.(1[6-9]|2\d|3[01])\./,
-  /^192\.168\./,
-  /^100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\./, // CGNAT 100.64.0.0/10
-];
-
-function isPrivateAddress(addr: string): boolean {
-  const lower = addr.toLowerCase();
-  if (lower === '::1' || lower === '::' || lower.startsWith('fe80:') || lower.startsWith('fc') || lower.startsWith('fd')) {
-    return true;
-  }
-  // IPv4-mapped IPv6
-  const mapped = lower.match(/^::ffff:([\d.]+)$/);
-  if (mapped && mapped[1]) return PRIVATE_V4.some((re) => re.test(mapped[1]!));
-  return PRIVATE_V4.some((re) => re.test(lower));
-}
-
-async function assertPublicHost(host: string): Promise<void> {
-  if (process.env.NETWORK_ALLOW_PRIVATE_HOSTS === '1') return;
-  // Tests spin up loopback vendor instances on ephemeral ports. The
-  // bypass only triggers under NODE_ENV=test (vitest default) — not a
-  // knob a deployed instance can flip accidentally.
-  if (process.env.NODE_ENV === 'test') return;
-
-  // WHATWG URL hostname for IPv6 keeps the [brackets] — strip before
-  // the isIP / private-address check, otherwise "[::1]" falls through
-  // to DNS and the guard misses loopback.
-  const bare = host.startsWith('[') && host.endsWith(']') ? host.slice(1, -1) : host;
-
-  if (isIP(bare) !== 0) {
-    if (isPrivateAddress(bare)) {
-      throw Object.assign(new Error('private_host_blocked'), { code: 'private_host_blocked' });
-    }
-    return;
-  }
-
-  const records = await lookup(host, { all: true });
-  if (records.length === 0) {
-    throw Object.assign(new Error('dns_no_records'), { code: 'dns_no_records' });
-  }
-  for (const r of records) {
-    if (isPrivateAddress(r.address)) {
-      throw Object.assign(new Error('private_host_blocked'), { code: 'private_host_blocked' });
-    }
-  }
-}
-
-export async function safeFetch(urlString: string, init: RequestInit = {}): Promise<Response> {
-  const url = new URL(urlString);
-  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
-    throw Object.assign(new Error('unsupported_protocol'), { code: 'unsupported_protocol' });
-  }
-  await assertPublicHost(url.hostname);
-
-  return fetch(url, {
-    ...init,
-    // 10s ceiling — enough for a slow TLS handshake on a distant box,
-    // short enough that an attacker can't use us as a long-tail probe.
-    signal: AbortSignal.timeout(10_000),
-  });
-}
diff --git a/apps/api/src/network/validation.ts b/apps/api/src/network/validation.ts
deleted file mode 100644
index bb4f6a1..0000000
--- a/apps/api/src/network/validation.ts
+++ /dev/null
@@ -1,113 +0,0 @@
-import { z } from 'zod';
-
-export const platformSchema = z.object({
-  platform: z.enum(['youtube', 'twitter', 'instagram', 'tiktok', 'blog', 'podcast', 'other']),
-  url: z.string().url(),
-  followers: z.number().int().nonnegative().optional(),
-});
-
-export const payoutSchema = z.discriminatedUnion('type', [
-  z.object({
-    type: z.literal('recurring_percent'),
-    percent: z.number().positive().max(100),
-    durationMonths: z.number().int().positive().nullable(),
-  }),
-  z.object({
-    type: z.literal('one_time_fee'),
-    amount: z.number().positive(),
-    currency: z.string().length(3).optional(),
-  }),
-  z.object({
-    type: z.literal('tiered_percent'),
-    tiers: z
-      .array(z.object({ minRevenueUsd: z.number().nonnegative(), percent: z.number().positive().max(100) }))
-      .min(1),
-  }),
-]);
-
-export const bonusSchema = z.object({
-  description: z.string().min(1),
-  triggerRevenueUsd: z.number().positive(),
-  bonusUsd: z.number().positive(),
-});
-
-export const termsSchema = z.object({
-  payout: payoutSchema,
-  bonuses: z.array(bonusSchema).optional(),
-  cookieWindowDays: z.number().int().min(1).max(365),
-  exclusions: z.array(z.string()).optional(),
-});
-
-// Same shape as vendor-side Link.linkKey — URL-safe, 3–40 chars. Applies
-// to both creator.defaultPromoCode and request.promoCode.
-export const promoCodeSchema = z
-  .string()
-  .min(3)
-  .max(40)
-  .regex(/^[a-zA-Z0-9_-]+$/, 'promo code must be url-safe (letters, digits, _ or -)');
-
-export const vendorCreateSchema = z.object({
-  name: z.string().min(2),
-  slug: z
-    .string()
-    .min(2)
-    .max(40)
-    .regex(/^[a-z0-9][a-z0-9-]*$/),
-  email: z.string().email().optional(),
-  websiteUrl: z.string().url().optional(),
-  logoUrl: z.string().url().optional(),
-  description: z.string().max(1000).optional(),
-  instanceUrl: z.string().url(),
-  instanceKey: z.string().min(8), // the admin key on the vendor's instance
-  // Optional for dev (we fall back to the port-swap convention); required
-  // in practice for production so share URLs resolve at the vendor's apex.
-  routerUrl: z.string().url().optional(),
-});
-
-export const creatorCreateSchema = z.object({
-  name: z.string().min(2),
-  handle: z
-    .string()
-    .min(2)
-    .max(40)
-    .regex(/^[a-z0-9_]+$/),
-  email: z.string().email(),
-  bio: z.string().max(2000).optional(),
-  avatarUrl: z.string().url().optional(),
-  platforms: z.array(platformSchema).optional(),
-  defaultPromoCode: promoCodeSchema.optional(),
-});
-
-// PATCH — every field optional; empty string clears the value, missing
-// keys mean "leave unchanged." Handle + email NOT editable: handle change
-// invalidates partnership linkKeys on every vendor instance simultaneously
-// and email is the magic-link identity.
-export const creatorUpdateSchema = z.object({
-  name: z.string().min(2).max(80).optional(),
-  bio: z.string().max(2000).nullable().optional(),
-  avatarUrl: z.string().url().nullable().optional(),
-  platforms: z.array(platformSchema).optional(),
-  defaultPromoCode: promoCodeSchema.nullable().optional(),
-});
-
-export const offeringCreateSchema = z.object({
-  title: z.string().min(2).max(120),
-  productUrl: z.string().url(),
-  description: z.string().max(4000).optional(),
-  heroImageUrl: z.string().url().optional(),
-  vendorCampaignId: z.string().min(1),
-  terms: termsSchema,
-  published: z.boolean().optional(),
-});
-
-export const offeringUpdateSchema = offeringCreateSchema.partial();
-
-export const requestCreateSchema = z.object({
-  offeringId: z.string().min(1),
-  message: z.string().max(2000).optional(),
-  promoCode: promoCodeSchema.optional(),
-});
-
-export const requestDecideSchema = z.object({
-  decisionNote: z.string().max(2000).optional(),
-});
diff --git a/apps/api/src/routes/auth.ts b/apps/api/src/routes/auth.ts
index e2f5e9f..b761442 100644
--- a/apps/api/src/routes/auth.ts
+++ b/apps/api/src/routes/auth.ts
@@ -1,5 +1,5 @@
 import { Router } from 'express';
-import { TABLES, type NetworkCreatorRow, type NetworkVendorRow, type PartnerRow } from '@openpartner/db';
+import { TABLES, type PartnerRow } from '@openpartner/db';
 import { db } from '../db.js';
 import { requireAuth } from '../auth.js';
 
@@ -9,10 +9,6 @@ export const authRouter = Router();
  * Reports the calling key's permission set so upstream integrations (like
  * the OpenPartner Network) can verify the key they've been handed actually
  * has the scopes they need — and loudly warn if it's unrestricted.
- *
- *   scoped key       → { role: 'scoped', scopes: [...] }
- *   admin / env      → { role: 'admin', unrestricted: true }
- *   partner / vendor → { role, restrictedTo: ... }
  */
 authRouter.get('/auth/introspect', requireAuth, async (req, res) => {
   const p = req.principal!;
@@ -25,18 +21,11 @@ authRouter.get('/auth/introspect', requireAuth, async (req, res) => {
   if (p.role === 'partner') {
     return res.json({ role: 'partner', restrictedTo: { partnerId: p.partnerId } });
   }
-  if (p.role === 'network_vendor') {
-    return res.json({ role: 'network_vendor', restrictedTo: { networkVendorId: p.networkVendorId } });
-  }
-  if (p.role === 'network_creator') {
-    return res.json({ role: 'network_creator', restrictedTo: { networkCreatorId: p.networkCreatorId } });
-  }
 });
 
 /**
  * Returns the caller's principal shape — used by the portal to decide what
- * to render after login. Surfaces the Network role when the key belongs to
- * a vendor or creator so the portal can route to /network views.
+ * to render after login.
  */
 authRouter.get('/auth/whoami', requireAuth, async (req, res) => {
   const p = req.principal!;
@@ -53,39 +42,6 @@ authRouter.get('/auth/whoami', requireAuth, async (req, res) => {
         : null,
     });
   }
-  if (p.role === 'network_vendor') {
-    const vendor = await db<NetworkVendorRow>(TABLES.NetworkVendor).where({ id: p.networkVendorId }).first();
-    return res.json({
-      role: 'network_vendor',
-      networkVendorId: p.networkVendorId,
-      vendor: vendor
-        ? {
-            id: vendor.id,
-            name: vendor.name,
-            slug: vendor.slug,
-            logoUrl: vendor.logoUrl,
-            websiteUrl: vendor.websiteUrl,
-            status: vendor.status,
-          }
-        : null,
-    });
-  }
-  if (p.role === 'network_creator') {
-    const creator = await db<NetworkCreatorRow>(TABLES.NetworkCreator).where({ id: p.networkCreatorId }).first();
-    return res.json({
-      role: 'network_creator',
-      networkCreatorId: p.networkCreatorId,
-      creator: creator
-        ? {
-            id: creator.id,
-            name: creator.name,
-            handle: creator.handle,
-            email: creator.email,
-            avatarUrl: creator.avatarUrl,
-            defaultPromoCode: creator.defaultPromoCode,
-            status: creator.status,
-          }
-        : null,
-    });
-  }
+  // Scoped keys used by federation clients don't need a human-facing whoami.
+  res.json({ role: p.role });
 });
diff --git a/apps/api/src/routes/magic-link.ts b/apps/api/src/routes/magic-link.ts
deleted file mode 100644
index f167b55..0000000
--- a/apps/api/src/routes/magic-link.ts
+++ /dev/null
@@ -1,468 +0,0 @@
-/**
- * Human-auth endpoints — magic-link signup/signin for creators AND
- * vendors, plus dev mailbox.
- *
- * Purpose strings encode BOTH the role (creator / vendor) and the
- * lifecycle stage (signup / signin), giving us four values:
- *   creator_signup  — claim carries handle + name → creates active NetworkCreator
- *   creator_signin  — returning active creator → new session
- *   vendor_signup   — claim carries full vendor profile → creates pending NetworkVendor
- *   vendor_signin   — returning active vendor → new session
- *
- * We deliberately use 'pending' status for vendor signup so an admin
- * still reviews the federation credentials before activating — unlike
- * creator signup where magic-link email verification is enough.
- *
- * Token consumption is single-use and atomic (conditional update on
- * consumedAt IS NULL). Tokens expire after 15 minutes.
- */
-
-import { Router } from 'express';
-import { z } from 'zod';
-import { ulid } from 'ulid';
-import {
-  TABLES,
-  type DevMessageRow,
-  type MagicLinkCreatorClaim,
-  type MagicLinkTokenRow,
-  type MagicLinkVendorClaim,
-  type NetworkCreatorRow,
-  type NetworkVendorRow,
-} from '@openpartner/db';
-import { db } from '../db.js';
-import { requireAdmin, requireAuth } from '../auth.js';
-import { getMailer } from '../mailer.js';
-import {
-  SESSION_COOKIE_NAME,
-  consumeMagicLink,
-  createSession,
-  issueMagicLink,
-  revokeSession,
-  sessionCookieOptions,
-} from '../auth-sessions.js';
-import { encryptKey } from '../network/crypto.js';
-import { safeFetch } from '../network/safe-fetch.js';
-import {
-  creatorSigninEmail,
-  creatorSignupEmail,
-  vendorSigninEmail,
-  vendorSignupEmail,
-} from '../email-templates.js';
-import { NETWORK_FEDERATION_SCOPES } from './api-keys.js';
-import { ipRateLimit } from '../middleware/rate-limit.js';
-
-export const magicLinkRouter = Router();
-
-// Shared bucket across every email-triggering auth endpoint — stops an
-// attacker from rotating across /creator/signin, /vendor/signin, etc. to
-// multiply the cap. 10/min per IP is loose for one real user, tight for
-// a bot.
-const mailAuthLimit = ipRateLimit({ name: 'magic-link-mail', max: 10, windowMs: 60_000 });
-
-// Token verification is single-use already, but brute-forcing /verify
-// across many IPs is still a theoretical risk. Modest cap — a legit
-// user verifies once.
-const verifyLimit = ipRateLimit({ name: 'magic-link-verify', max: 30, windowMs: 60_000 });
-
-const creatorSignupSchema = z.object({
-  email: z.string().email(),
-  handle: z
-    .string()
-    .min(2)
-    .max(40)
-    .regex(/^[a-z0-9_]+$/, 'handle must be lowercase letters, digits, or _'),
-  name: z.string().min(2).max(80),
-});
-
-const vendorSignupSchema = z.object({
-  email: z.string().email(),
-  name: z.string().min(2).max(120),
-  slug: z
-    .string()
-    .min(2)
-    .max(40)
-    .regex(/^[a-z0-9][a-z0-9-]*$/, 'slug must be lowercase letters, digits, or -'),
-  instanceUrl: z.string().url(),
-  instanceKey: z.string().min(8),
-  routerUrl: z.string().url().optional(),
-  description: z.string().max(1000).optional(),
-  websiteUrl: z.string().url().optional(),
-  logoUrl: z.string().url().optional(),
-});
-
-const signinSchema = z.object({ email: z.string().email() });
-const verifySchema = z.object({ token: z.string().min(8) });
-
-function portalOrigin(): string {
-  return (process.env.PORTAL_URL ?? 'http://localhost:5673').replace(/\/$/, '');
-}
-
-function magicUrl(token: string, purpose: string): string {
-  return `${portalOrigin()}/auth/magic?token=${encodeURIComponent(token)}&purpose=${purpose}`;
-}
-
-// -------- Creator signup --------
-
-magicLinkRouter.post('/auth/creator/signup', mailAuthLimit, async (req, res) => {
-  const body = creatorSignupSchema.safeParse(req.body);
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-
-  const email = body.data.email.toLowerCase();
-  const handle = body.data.handle.toLowerCase();
-
-  const existing = await db<NetworkCreatorRow>(TABLES.NetworkCreator)
-    .where({ email })
-    .orWhere({ handle })
-    .first();
-  if (existing) return res.status(409).json({ error: 'email_or_handle_taken' });
-
-  const claim: MagicLinkCreatorClaim = { kind: 'creator', handle, name: body.data.name };
-  const issued = await issueMagicLink({ email, purpose: 'creator_signup', claim });
-
-  const tmpl = creatorSignupEmail(body.data.name, magicUrl(issued.plaintext, 'creator_signup'));
-  await getMailer().send({
-    to: email,
-    subject: tmpl.subject,
-    text: tmpl.text,
-    html: tmpl.html,
-    tag: tmpl.tag,
-    metadata: { purpose: 'creator_signup', handle },
-  });
-
-  res.json({ ok: true });
-});
-
-// -------- Vendor signup --------
-//
-// We verify the vendor's scoped API key against their own instance BEFORE
-// issuing the magic link — no point emailing them a verification link
-// only to fail at admin-approval time because the key doesn't work.
-
-magicLinkRouter.post('/auth/vendor/signup', mailAuthLimit, async (req, res) => {
-  const body = vendorSignupSchema.safeParse(req.body);
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-
-  const email = body.data.email.toLowerCase();
-
-  const existing = await db<NetworkVendorRow>(TABLES.NetworkVendor).where({ slug: body.data.slug }).first();
-  if (existing) return res.status(409).json({ error: 'slug_taken' });
-
-  // Probe the instance's /auth/introspect with the pasted key. Reject if
-  // the key can't reach the instance or doesn't have the federation
-  // scopes (unrestricted admin keys are accepted but flagged in the UI).
-  const introspectUrl = `${body.data.instanceUrl.replace(/\/$/, '')}/auth/introspect`;
-  try {
-    const response = await safeFetch(introspectUrl, {
-      headers: { authorization: `Bearer ${body.data.instanceKey}` },
-    });
-    if (!response.ok) {
-      const text = await response.text();
-      return res.status(400).json({
-        error: 'instance_rejected_key',
-        status: response.status,
-        detail: text.slice(0, 300),
-      });
-    }
-    const intro = (await response.json()) as Record<string, unknown>;
-    const scopes = Array.isArray(intro.scopes) ? (intro.scopes as string[]) : null;
-    const unrestricted = intro.role === 'admin' && intro.unrestricted === true;
-    const missing =
-      scopes != null
-        ? (NETWORK_FEDERATION_SCOPES as readonly string[]).filter((s) => !scopes.includes(s))
-        : [];
-    if (!unrestricted && (scopes == null || missing.length > 0)) {
-      return res.status(400).json({
-        error: 'missing_scopes',
-        missing,
-        have: scopes ?? [],
-      });
-    }
-  } catch (err: unknown) {
-    return res.status(400).json({
-      error: 'instance_unreachable',
-      detail: err instanceof Error ? err.message : String(err),
-    });
-  }
-
-  const claim: MagicLinkVendorClaim = {
-    kind: 'vendor',
-    name: body.data.name,
-    slug: body.data.slug,
-    instanceUrl: body.data.instanceUrl.replace(/\/$/, ''),
-    instanceKeyCiphertext: encryptKey(body.data.instanceKey),
-    instanceKeyPrefix: body.data.instanceKey.slice(0, 8),
-    ...(body.data.routerUrl ? { routerUrl: body.data.routerUrl } : {}),
-    ...(body.data.description ? { description: body.data.description } : {}),
-    ...(body.data.websiteUrl ? { websiteUrl: body.data.websiteUrl } : {}),
-    ...(body.data.logoUrl ? { logoUrl: body.data.logoUrl } : {}),
-  };
-  const issued = await issueMagicLink({ email, purpose: 'vendor_signup', claim });
-
-  const tmpl = vendorSignupEmail(body.data.name, magicUrl(issued.plaintext, 'vendor_signup'));
-  await getMailer().send({
-    to: email,
-    subject: tmpl.subject,
-    text: tmpl.text,
-    html: tmpl.html,
-    tag: tmpl.tag,
-    metadata: { purpose: 'vendor_signup', slug: body.data.slug },
-  });
-
-  res.json({ ok: true });
-});
-
-// -------- Unified signin --------
-//
-// One endpoint for humans. Looks up creator first, then vendor; issues a
-// link for whichever role matches. Response is identical regardless of
-// which (or neither) matches, so the endpoint doesn't leak whether an
-// email is registered on the Network.
-
-magicLinkRouter.post('/auth/signin', mailAuthLimit, async (req, res) => {
-  const body = signinSchema.safeParse(req.body);
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-  const email = body.data.email.toLowerCase();
-
-  const creator = await db<NetworkCreatorRow>(TABLES.NetworkCreator).where({ email }).first();
-  if (creator && creator.status === 'active') {
-    const issued = await issueMagicLink({ email, purpose: 'creator_signin' });
-    const tmpl = creatorSigninEmail(magicUrl(issued.plaintext, 'creator_signin'));
-    await getMailer().send({
-      to: email,
-      subject: tmpl.subject,
-      text: tmpl.text,
-      html: tmpl.html,
-      tag: tmpl.tag,
-      metadata: { purpose: 'creator_signin' },
-    });
-    return res.json({ ok: true });
-  }
-
-  // Vendors use email too; we need a way to tie vendors to an email. For
-  // now we assume vendor.description or a dedicated column — but we don't
-  // have vendor.email yet. We infer via MagicLinkToken history: find the
-  // most recent consumed vendor_signup token for this email and look up
-  // the vendor created from it. That keeps migrations light for MVP.
-  const vendor = await findVendorByEmail(email);
-  if (vendor && vendor.status === 'active') {
-    const issued = await issueMagicLink({ email, purpose: 'vendor_signin' });
-    const tmpl = vendorSigninEmail(magicUrl(issued.plaintext, 'vendor_signin'));
-    await getMailer().send({
-      to: email,
-      subject: tmpl.subject,
-      text: tmpl.text,
-      html: tmpl.html,
-      tag: tmpl.tag,
-      metadata: { purpose: 'vendor_signin', vendorId: vendor.id },
-    });
-  }
-
-  // No-op on unknown / inactive — don't reveal which.
-  res.json({ ok: true });
-});
-
-// Deprecated alias for older clients still calling /auth/creator/signin.
-// Scoped to creators only — matches the pre-unified contract.
-magicLinkRouter.post('/auth/creator/signin', mailAuthLimit, async (req, res) => {
-  const body = signinSchema.safeParse(req.body);
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-  const email = body.data.email.toLowerCase();
-
-  const creator = await db<NetworkCreatorRow>(TABLES.NetworkCreator).where({ email }).first();
-  if (creator && creator.status === 'active') {
-    const issued = await issueMagicLink({ email, purpose: 'creator_signin' });
-    const tmpl = creatorSigninEmail(magicUrl(issued.plaintext, 'creator_signin'));
-    await getMailer().send({
-      to: email,
-      subject: tmpl.subject,
-      text: tmpl.text,
-      html: tmpl.html,
-      tag: tmpl.tag,
-      metadata: { purpose: 'creator_signin' },
-    });
-  }
-  res.json({ ok: true });
-});
-
-// -------- Verify --------
-
-magicLinkRouter.post('/auth/magic/verify', verifyLimit, async (req, res) => {
-  const body = verifySchema.safeParse(req.body);
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-
-  const result = await consumeMagicLink(body.data.token);
-  if (!result.ok) return res.status(400).json({ error: result.error });
-
-  const token: MagicLinkTokenRow = result.token;
-
-  if (token.purpose === 'creator_signup') {
-    return verifyCreatorSignup(token, res);
-  }
-  if (token.purpose === 'creator_signin') {
-    return verifyCreatorSignin(token, res);
-  }
-  if (token.purpose === 'vendor_signup') {
-    return verifyVendorSignup(token, res);
-  }
-  if (token.purpose === 'vendor_signin') {
-    return verifyVendorSignin(token, res);
-  }
-  res.status(400).json({ error: 'unknown_purpose' });
-});
-
-async function verifyCreatorSignup(token: MagicLinkTokenRow, res: Parameters<Parameters<typeof magicLinkRouter.post>[1]>[1]) {
-  const claim = token.claim;
-  if (!claim || claim.kind !== 'creator') {
-    return res.status(400).json({ error: 'invalid_signup_claim' });
-  }
-
-  const collision = await db<NetworkCreatorRow>(TABLES.NetworkCreator)
-    .where({ email: token.email })
-    .orWhere({ handle: claim.handle })
-    .first();
-  if (collision) return res.status(409).json({ error: 'email_or_handle_taken' });
-
-  const id = ulid();
-  await db<NetworkCreatorRow>(TABLES.NetworkCreator).insert({
-    id,
-    name: claim.name,
-    handle: claim.handle,
-    email: token.email,
-    bio: null,
-    avatarUrl: null,
-    platforms: JSON.stringify([]) as unknown as never,
-    defaultPromoCode: null,
-    status: 'active',
-    activatedAt: new Date(),
-  });
-  const creator = (await db<NetworkCreatorRow>(TABLES.NetworkCreator).where({ id }).first())!;
-
-  const session = await createSession({ principalKind: 'network_creator', principalId: creator.id });
-  res.cookie(SESSION_COOKIE_NAME, session.plaintext, sessionCookieOptions());
-  res.json({
-    ok: true,
-    role: 'network_creator',
-    creator: {
-      id: creator.id,
-      name: creator.name,
-      handle: creator.handle,
-      email: creator.email,
-      avatarUrl: creator.avatarUrl,
-      defaultPromoCode: creator.defaultPromoCode,
-      status: creator.status,
-    },
-  });
-}
-
-async function verifyCreatorSignin(token: MagicLinkTokenRow, res: Parameters<Parameters<typeof magicLinkRouter.post>[1]>[1]) {
-  const creator = await db<NetworkCreatorRow>(TABLES.NetworkCreator).where({ email: token.email }).first();
-  if (!creator) return res.status(404).json({ error: 'creator_not_found' });
-  if (creator.status !== 'active') return res.status(403).json({ error: 'creator_not_active' });
-
-  const session = await createSession({ principalKind: 'network_creator', principalId: creator.id });
-  res.cookie(SESSION_COOKIE_NAME, session.plaintext, sessionCookieOptions());
-  res.json({
-    ok: true,
-    role: 'network_creator',
-    creator: {
-      id: creator.id,
-      name: creator.name,
-      handle: creator.handle,
-      email: creator.email,
-      avatarUrl: creator.avatarUrl,
-      defaultPromoCode: creator.defaultPromoCode,
-      status: creator.status,
-    },
-  });
-}
-
-async function verifyVendorSignup(token: MagicLinkTokenRow, res: Parameters<Parameters<typeof magicLinkRouter.post>[1]>[1]) {
-  const claim = token.claim;
-  if (!claim || claim.kind !== 'vendor') {
-    return res.status(400).json({ error: 'invalid_signup_claim' });
-  }
-
-  const collision = await db<NetworkVendorRow>(TABLES.NetworkVendor).where({ slug: claim.slug }).first();
-  if (collision) return res.status(409).json({ error: 'slug_taken' });
-
-  const id = ulid();
-  await db<NetworkVendorRow>(TABLES.NetworkVendor).insert({
-    id,
-    name: claim.name,
-    slug: claim.slug,
-    email: token.email,
-    websiteUrl: claim.websiteUrl ?? null,
-    logoUrl: claim.logoUrl ?? null,
-    description: claim.description ?? null,
-    instanceUrl: claim.instanceUrl,
-    // claim carries the ciphertext already — no round-trip through plaintext
-    instanceKeyCiphertext: claim.instanceKeyCiphertext,
-    instanceKeyPrefix: claim.instanceKeyPrefix,
-    routerUrl: claim.routerUrl ?? null,
-    status: 'pending', // admin still reviews the federation relationship
-  });
-
-  // No session yet — the vendor is pending. Returning a helpful message
-  // so the portal can show "admin is reviewing your application."
-  res.json({
-    ok: true,
-    role: 'network_vendor',
-    status: 'pending',
-    vendor: { id, name: claim.name, slug: claim.slug },
-  });
-}
-
-async function verifyVendorSignin(token: MagicLinkTokenRow, res: Parameters<Parameters<typeof magicLinkRouter.post>[1]>[1]) {
-  const vendor = await findVendorByEmail(token.email);
-  if (!vendor) return res.status(404).json({ error: 'vendor_not_found' });
-  if (vendor.status !== 'active') return res.status(403).json({ error: 'vendor_not_active' });
-
-  const session = await createSession({ principalKind: 'network_vendor', principalId: vendor.id });
-  res.cookie(SESSION_COOKIE_NAME, session.plaintext, sessionCookieOptions());
-  res.json({
-    ok: true,
-    role: 'network_vendor',
-    vendor: {
-      id: vendor.id,
-      name: vendor.name,
-      slug: vendor.slug,
-      logoUrl: vendor.logoUrl,
-      websiteUrl: vendor.websiteUrl,
-      status: vendor.status,
-    },
-  });
-}
-
-/**
- * Look up the vendor tied to a signup email. One email can theoretically
- * own multiple vendors — we pick the most recently created active one
- * and fall through to `vendor_not_active` if nothing is active. Callers
- * that need to disambiguate between several active vendors should
- * collect the slug from the user first.
- */
-async function findVendorByEmail(email: string): Promise<NetworkVendorRow | undefined> {
-  const vendors = await db<NetworkVendorRow>(TABLES.NetworkVendor)
-    .where({ email: email.toLowerCase() })
-    .orderBy('createdAt', 'desc');
-  return vendors.find((v) => v.status === 'active') ?? vendors[0];
-}
-
-// -------- Signout --------
-
-magicLinkRouter.post('/auth/signout', async (req, res) => {
-  const plaintext = req.cookies?.[SESSION_COOKIE_NAME];
-  if (plaintext) {
-    const { resolveSession } = await import('../auth-sessions.js');
-    const session = await resolveSession(plaintext);
-    if (session) await revokeSession(session.id);
-  }
-  res.clearCookie(SESSION_COOKIE_NAME, { path: '/' });
-  res.json({ ok: true });
-});
-
-// -------- Dev mailbox --------
-
-magicLinkRouter.get('/dev/mailbox', requireAuth, requireAdmin, async (_req, res) => {
-  const messages = await db<DevMessageRow>(TABLES.DevMessage).orderBy('createdAt', 'desc').limit(100);
-  res.json({ messages });
-});
diff --git a/apps/api/src/routes/network-creators.ts b/apps/api/src/routes/network-creators.ts
deleted file mode 100644
index ff487e9..0000000
--- a/apps/api/src/routes/network-creators.ts
+++ /dev/null
@@ -1,102 +0,0 @@
-import { Router } from 'express';
-import { ulid } from 'ulid';
-import { TABLES, type NetworkCreatorRow } from '@openpartner/db';
-import { db } from '../db.js';
-import { createApiKeyRow, requireAdmin, requireAuth, requireNetworkCreator } from '../auth.js';
-import { creatorCreateSchema, creatorUpdateSchema } from '../network/validation.js';
-
-export const networkCreatorsRouter = Router();
-
-// Admin: list + activate. In a real production world this would be
-// self-serve with email verification; MVP keeps a moderation queue.
-networkCreatorsRouter.get('/network/creators', requireAuth, requireAdmin, async (_req, res) => {
-  const creators = await db<NetworkCreatorRow>(TABLES.NetworkCreator).orderBy('createdAt', 'desc');
-  res.json({ creators });
-});
-
-networkCreatorsRouter.post('/network/creators', requireAuth, requireAdmin, async (req, res) => {
-  const body = creatorCreateSchema.safeParse(req.body);
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-
-  const id = ulid();
-  try {
-    await db<NetworkCreatorRow>(TABLES.NetworkCreator).insert({
-      id,
-      name: body.data.name,
-      handle: body.data.handle,
-      email: body.data.email,
-      bio: body.data.bio ?? null,
-      avatarUrl: body.data.avatarUrl ?? null,
-      platforms: JSON.stringify(body.data.platforms ?? []) as unknown as never, // jsonb
-      defaultPromoCode: body.data.defaultPromoCode ?? null,
-      status: 'pending',
-    });
-  } catch (err: unknown) {
-    if (typeof err === 'object' && err !== null && (err as { code?: string }).code === '23505') {
-      return res.status(409).json({ error: 'handle_or_email_taken' });
-    }
-    throw err;
-  }
-
-  const key = await createApiKeyRow({ networkCreatorId: id, label: 'creator portal' });
-  const creator = await db<NetworkCreatorRow>(TABLES.NetworkCreator).where({ id }).first();
-  res.status(201).json({ creator, apiKey: key.plaintext });
-});
-
-networkCreatorsRouter.post('/network/creators/:id/activate', requireAuth, requireAdmin, async (req, res) => {
-  const updated = await db<NetworkCreatorRow>(TABLES.NetworkCreator)
-    .where({ id: req.params.id })
-    .update({ status: 'active', activatedAt: new Date() })
-    .returning('*');
-  if (updated.length === 0) return res.status(404).json({ error: 'creator_not_found' });
-  res.json({ creator: updated[0] });
-});
-
-// Creator self-view (own profile) — already in /auth/whoami but this is
-// the canonical profile endpoint.
-networkCreatorsRouter.get('/network/creators/me', requireAuth, requireNetworkCreator, async (req, res) => {
-  const p = req.principal!;
-  if (p.role !== 'network_creator') return res.status(403).json({ error: 'forbidden' });
-  const creator = await db<NetworkCreatorRow>(TABLES.NetworkCreator).where({ id: p.networkCreatorId }).first();
-  if (!creator) return res.status(404).json({ error: 'creator_not_found' });
-  res.json({ creator });
-});
-
-// Creator self-edit. Handle + email are intentionally NOT patchable:
-// changing handle breaks share-URL references on vendor instances, and
-// email is the magic-link identity.
-networkCreatorsRouter.patch('/network/creators/me', requireAuth, requireNetworkCreator, async (req, res) => {
-  const p = req.principal!;
-  if (p.role !== 'network_creator') return res.status(403).json({ error: 'forbidden' });
-
-  const body = creatorUpdateSchema.safeParse(req.body);
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-
-  const patch: Record<string, unknown> = {};
-  if (body.data.name !== undefined) patch.name = body.data.name;
-  if (body.data.bio !== undefined) patch.bio = body.data.bio;
-  if (body.data.avatarUrl !== undefined) patch.avatarUrl = body.data.avatarUrl;
-  if (body.data.defaultPromoCode !== undefined) patch.defaultPromoCode = body.data.defaultPromoCode;
-  if (body.data.platforms !== undefined) patch.platforms = JSON.stringify(body.data.platforms);
-
-  if (Object.keys(patch).length === 0) {
-    const current = await db<NetworkCreatorRow>(TABLES.NetworkCreator).where({ id: p.networkCreatorId }).first();
-    return res.json({ creator: current });
-  }
-
-  const [updated] = await db<NetworkCreatorRow>(TABLES.NetworkCreator)
-    .where({ id: p.networkCreatorId })
-    .update(patch)
-    .returning('*');
-  res.json({ creator: updated });
-});
-
-// -------- Public directory: active creators (for vendors to browse) --------
-
-networkCreatorsRouter.get('/network/directory/creators', async (_req, res) => {
-  const creators = await db<NetworkCreatorRow>(TABLES.NetworkCreator)
-    .where({ status: 'active' })
-    .orderBy('createdAt', 'desc')
-    .select('id', 'name', 'handle', 'bio', 'avatarUrl', 'platforms', 'createdAt');
-  res.json({ creators });
-});
diff --git a/apps/api/src/routes/network-earnings.ts b/apps/api/src/routes/network-earnings.ts
deleted file mode 100644
index c3ab208..0000000
--- a/apps/api/src/routes/network-earnings.ts
+++ /dev/null
@@ -1,165 +0,0 @@
-/**
- * Federated earnings view.
- *
- * For each active Partnership visible to the principal, we call the vendor's
- * /partners/:id/dashboard (via stored admin key) and project the stats back
- * into the Network UI. Attribution data stays on the vendor's instance —
- * this is a read-only projection.
- *
- * Fan-out uses Promise.allSettled so a single unreachable vendor doesn't
- * black out the whole page. Each partnership ships back with a status:
- *   ok     — stats populated
- *   error  — stats zeroed, `error` message set
- *
- * We group by vendorId first so we only decrypt each vendor's key once per
- * request even if the creator has multiple partnerships with the same vendor.
- */
-
-import { Router } from 'express';
-import {
-  TABLES,
-  type NetworkVendorRow,
-  type OfferingRow,
-  type PartnershipRow,
-} from '@openpartner/db';
-import { db } from '../db.js';
-import { requireAuth } from '../auth.js';
-import { fetchPartnerCommissions, fetchPartnerDashboard, type PartnerDashboardStats } from '../network/federation.js';
-
-export const networkEarningsRouter = Router();
-
-interface PartnershipEarning {
-  partnership: {
-    id: string;
-    vendorId: string;
-    vendorName: string;
-    offeringTitle: string;
-    vendorLinkKey: string;
-    publicShareUrl: string;
-    createdAt: string;
-  };
-  status: 'ok' | 'error';
-  error?: string;
-  stats: PartnerDashboardStats | null;
-}
-
-networkEarningsRouter.get('/network/partnerships/earnings', requireAuth, async (req, res) => {
-  const p = req.principal!;
-
-  const partnershipQuery = db<PartnershipRow>(TABLES.Partnership).where({ status: 'active' });
-  if (p.role === 'network_creator') partnershipQuery.andWhere({ creatorId: p.networkCreatorId });
-  else if (p.role === 'network_vendor') partnershipQuery.andWhere({ vendorId: p.networkVendorId });
-  else if (p.role !== 'admin') return res.status(403).json({ error: 'forbidden' });
-
-  const partnerships = await partnershipQuery.orderBy('createdAt', 'desc');
-  if (partnerships.length === 0) {
-    return res.json({ partnerships: [], totals: emptyTotals() });
-  }
-
-  const vendorIds = Array.from(new Set(partnerships.map((p) => p.vendorId)));
-  const offeringIds = Array.from(new Set(partnerships.map((p) => p.offeringId)));
-  const [vendors, offerings] = await Promise.all([
-    db<NetworkVendorRow>(TABLES.NetworkVendor).whereIn('id', vendorIds),
-    db<OfferingRow>(TABLES.Offering).whereIn('id', offeringIds),
-  ]);
-  const vendorById = new Map(vendors.map((v) => [v.id, v]));
-  const offeringById = new Map(offerings.map((o) => [o.id, o]));
-
-  const results = await Promise.all(
-    partnerships.map(async (pRow): Promise<PartnershipEarning> => {
-      const vendor = vendorById.get(pRow.vendorId);
-      const offering = offeringById.get(pRow.offeringId);
-      const base = {
-        id: pRow.id,
-        vendorId: pRow.vendorId,
-        vendorName: vendor?.name ?? 'Unknown vendor',
-        offeringTitle: offering?.title ?? 'Unknown offering',
-        vendorLinkKey: pRow.vendorLinkKey,
-        publicShareUrl: pRow.publicShareUrl,
-        createdAt: pRow.createdAt instanceof Date ? pRow.createdAt.toISOString() : String(pRow.createdAt),
-      };
-
-      if (!vendor) {
-        return { partnership: base, status: 'error', error: 'vendor_missing', stats: null };
-      }
-
-      try {
-        const stats = await fetchPartnerDashboard(vendor, pRow.vendorPartnerId);
-        return { partnership: base, status: 'ok', stats };
-      } catch (err: unknown) {
-        return {
-          partnership: base,
-          status: 'error',
-          error: err instanceof Error ? err.message : String(err),
-          stats: null,
-        };
-      }
-    }),
-  );
-
-  res.json({
-    partnerships: results,
-    totals: computeTotals(results),
-  });
-});
-
-// -------- Per-partnership commission drilldown --------
-
-networkEarningsRouter.get('/network/partnerships/:id/commissions', requireAuth, async (req, res) => {
-  const p = req.principal!;
-  const partnership = await db<PartnershipRow>(TABLES.Partnership).where({ id: req.params.id }).first();
-  if (!partnership) return res.status(404).json({ error: 'not_found' });
-
-  const allowed =
-    p.role === 'admin' ||
-    (p.role === 'network_creator' && partnership.creatorId === p.networkCreatorId) ||
-    (p.role === 'network_vendor' && partnership.vendorId === p.networkVendorId);
-  if (!allowed) return res.status(403).json({ error: 'forbidden' });
-
-  const vendor = await db<NetworkVendorRow>(TABLES.NetworkVendor).where({ id: partnership.vendorId }).first();
-  if (!vendor) return res.status(404).json({ error: 'vendor_missing' });
-
-  try {
-    const commissions = await fetchPartnerCommissions(vendor, partnership.vendorPartnerId);
-    res.json({ commissions });
-  } catch (err: unknown) {
-    res.status(502).json({
-      error: 'vendor_unreachable',
-      detail: err instanceof Error ? err.message : String(err),
-    });
-  }
-});
-
-function emptyTotals() {
-  return {
-    clicks: 0,
-    attributedEvents: 0,
-    attributedRevenue: 0,
-    commission: { accrued: 0, approved: 0, paid: 0, reversed: 0 },
-    vendorCount: 0,
-    healthy: 0,
-    unreachable: 0,
-  };
-}
-
-function computeTotals(rows: PartnershipEarning[]) {
-  const totals = emptyTotals();
-  const vendors = new Set<string>();
-  for (const r of rows) {
-    vendors.add(r.partnership.vendorId);
-    if (r.status === 'ok' && r.stats) {
-      totals.clicks += r.stats.clicks;
-      totals.attributedEvents += r.stats.attributedEvents;
-      totals.attributedRevenue += r.stats.attributedRevenue;
-      for (const [status, amount] of Object.entries(r.stats.commissionByStatus ?? {})) {
-        const bucket = totals.commission as Record<string, number>;
-        bucket[status] = (bucket[status] ?? 0) + Number(amount ?? 0);
-      }
-      totals.healthy += 1;
-    } else {
-      totals.unreachable += 1;
-    }
-  }
-  totals.vendorCount = vendors.size;
-  return totals;
-}
diff --git a/apps/api/src/routes/network-offerings.ts b/apps/api/src/routes/network-offerings.ts
deleted file mode 100644
index 7e0646d..0000000
--- a/apps/api/src/routes/network-offerings.ts
+++ /dev/null
@@ -1,128 +0,0 @@
-import { Router } from 'express';
-import { ulid } from 'ulid';
-import { TABLES, type NetworkVendorRow, type OfferingRow } from '@openpartner/db';
-import { db } from '../db.js';
-import { requireAuth, requireNetworkVendor } from '../auth.js';
-import { offeringCreateSchema, offeringUpdateSchema } from '../network/validation.js';
-
-export const networkOfferingsRouter = Router();
-
-// -------- Vendor: manage own offerings --------
-
-networkOfferingsRouter.post('/network/offerings', requireAuth, requireNetworkVendor, async (req, res) => {
-  const p = req.principal!;
-  if (p.role !== 'network_vendor') return res.status(403).json({ error: 'forbidden' });
-
-  const body = offeringCreateSchema.safeParse(req.body);
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-
-  const vendor = await db<NetworkVendorRow>(TABLES.NetworkVendor).where({ id: p.networkVendorId }).first();
-  if (!vendor || vendor.status !== 'active') {
-    return res.status(403).json({ error: 'vendor_not_active' });
-  }
-
-  const id = ulid();
-  await db<OfferingRow>(TABLES.Offering).insert({
-    id,
-    vendorId: vendor.id,
-    title: body.data.title,
-    productUrl: body.data.productUrl,
-    description: body.data.description ?? null,
-    heroImageUrl: body.data.heroImageUrl ?? null,
-    vendorCampaignId: body.data.vendorCampaignId,
-    terms: body.data.terms as never, // jsonb
-    published: body.data.published ?? false,
-  });
-
-  const offering = await db<OfferingRow>(TABLES.Offering).where({ id }).first();
-  res.status(201).json({ offering });
-});
-
-networkOfferingsRouter.patch('/network/offerings/:id', requireAuth, requireNetworkVendor, async (req, res) => {
-  const p = req.principal!;
-  if (p.role !== 'network_vendor') return res.status(403).json({ error: 'forbidden' });
-
-  const body = offeringUpdateSchema.safeParse(req.body);
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-
-  const existing = await db<OfferingRow>(TABLES.Offering).where({ id: req.params.id }).first();
-  if (!existing) return res.status(404).json({ error: 'offering_not_found' });
-  if (existing.vendorId !== p.networkVendorId) return res.status(403).json({ error: 'not_yours' });
-
-  const patch: Partial<OfferingRow> = { updatedAt: new Date() };
-  if (body.data.title !== undefined) patch.title = body.data.title;
-  if (body.data.productUrl !== undefined) patch.productUrl = body.data.productUrl;
-  if (body.data.description !== undefined) patch.description = body.data.description ?? null;
-  if (body.data.heroImageUrl !== undefined) patch.heroImageUrl = body.data.heroImageUrl ?? null;
-  if (body.data.vendorCampaignId !== undefined) patch.vendorCampaignId = body.data.vendorCampaignId;
-  if (body.data.terms !== undefined) patch.terms = body.data.terms as never;
-  if (body.data.published !== undefined) patch.published = body.data.published;
-
-  await db<OfferingRow>(TABLES.Offering).where({ id: existing.id }).update(patch);
-  const fresh = await db<OfferingRow>(TABLES.Offering).where({ id: existing.id }).first();
-  res.json({ offering: fresh });
-});
-
-networkOfferingsRouter.get('/network/offerings/mine', requireAuth, requireNetworkVendor, async (req, res) => {
-  const p = req.principal!;
-  if (p.role !== 'network_vendor') return res.status(403).json({ error: 'forbidden' });
-  const offerings = await db<OfferingRow>(TABLES.Offering)
-    .where({ vendorId: p.networkVendorId })
-    .orderBy('createdAt', 'desc');
-  res.json({ offerings });
-});
-
-// -------- Public: browse the directory --------
-
-networkOfferingsRouter.get('/network/directory/offerings', async (_req, res) => {
-  const rows = (await db(TABLES.Offering)
-    .join(TABLES.NetworkVendor, `${TABLES.NetworkVendor}.id`, `${TABLES.Offering}.vendorId`)
-    .where(`${TABLES.Offering}.published`, true)
-    .andWhere(`${TABLES.NetworkVendor}.status`, 'active')
-    .orderBy(`${TABLES.Offering}.createdAt`, 'desc')
-    .select(
-      `${TABLES.Offering}.id as id`,
-      `${TABLES.Offering}.title as title`,
-      `${TABLES.Offering}.description as description`,
-      `${TABLES.Offering}.heroImageUrl as heroImageUrl`,
-      `${TABLES.Offering}.productUrl as productUrl`,
-      `${TABLES.Offering}.terms as terms`,
-      `${TABLES.Offering}.createdAt as createdAt`,
-      `${TABLES.NetworkVendor}.id as vendorId`,
-      `${TABLES.NetworkVendor}.name as vendorName`,
-      `${TABLES.NetworkVendor}.slug as vendorSlug`,
-      `${TABLES.NetworkVendor}.logoUrl as vendorLogoUrl`,
-      `${TABLES.NetworkVendor}.routerUrl as vendorRouterUrl`,
-      `${TABLES.NetworkVendor}.instanceUrl as vendorInstanceUrl`,
-    )) as Array<Record<string, unknown>>;
-
-  res.json({ offerings: rows });
-});
-
-networkOfferingsRouter.get('/network/directory/offerings/:id', async (req, res) => {
-  const row = (await db(TABLES.Offering)
-    .join(TABLES.NetworkVendor, `${TABLES.NetworkVendor}.id`, `${TABLES.Offering}.vendorId`)
-    .where(`${TABLES.Offering}.id`, req.params.id)
-    .andWhere(`${TABLES.Offering}.published`, true)
-    .andWhere(`${TABLES.NetworkVendor}.status`, 'active')
-    .first(
-      `${TABLES.Offering}.id as id`,
-      `${TABLES.Offering}.title as title`,
-      `${TABLES.Offering}.description as description`,
-      `${TABLES.Offering}.heroImageUrl as heroImageUrl`,
-      `${TABLES.Offering}.productUrl as productUrl`,
-      `${TABLES.Offering}.terms as terms`,
-      `${TABLES.Offering}.createdAt as createdAt`,
-      `${TABLES.NetworkVendor}.id as vendorId`,
-      `${TABLES.NetworkVendor}.name as vendorName`,
-      `${TABLES.NetworkVendor}.slug as vendorSlug`,
-      `${TABLES.NetworkVendor}.logoUrl as vendorLogoUrl`,
-      `${TABLES.NetworkVendor}.description as vendorDescription`,
-      `${TABLES.NetworkVendor}.websiteUrl as vendorWebsiteUrl`,
-      `${TABLES.NetworkVendor}.routerUrl as vendorRouterUrl`,
-      `${TABLES.NetworkVendor}.instanceUrl as vendorInstanceUrl`,
-    )) as Record<string, unknown> | undefined;
-
-  if (!row) return res.status(404).json({ error: 'not_found' });
-  res.json({ offering: row });
-});
diff --git a/apps/api/src/routes/network-requests.ts b/apps/api/src/routes/network-requests.ts
deleted file mode 100644
index c104630..0000000
--- a/apps/api/src/routes/network-requests.ts
+++ /dev/null
@@ -1,246 +0,0 @@
-import { Router } from 'express';
-import { ulid } from 'ulid';
-import {
-  TABLES,
-  type NetworkCreatorRow,
-  type NetworkVendorRow,
-  type OfferingRow,
-  type PartnershipRequestRow,
-  type PartnershipRow,
-} from '@openpartner/db';
-import { db } from '../db.js';
-import { requireAuth, requireNetworkCreator, requireNetworkVendor } from '../auth.js';
-import { dispatchEvent } from '../webhook-dispatcher.js';
-import { z } from 'zod';
-import { promoCodeSchema, requestCreateSchema, requestDecideSchema } from '../network/validation.js';
-
-const inviteSchema = z.object({
-  offeringId: z.string().min(1),
-  creatorId: z.string().min(1),
-  message: z.string().max(2000).optional(),
-  promoCode: promoCodeSchema.optional(),
-});
-import { provisionPartnerOnVendor } from '../network/federation.js';
-
-export const networkRequestsRouter = Router();
-
-// -------- Creator: apply to an offering --------
-
-networkRequestsRouter.post('/network/requests', requireAuth, requireNetworkCreator, async (req, res) => {
-  const p = req.principal!;
-  if (p.role !== 'network_creator') return res.status(403).json({ error: 'forbidden' });
-
-  const body = requestCreateSchema.safeParse(req.body);
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-
-  const creator = await db<NetworkCreatorRow>(TABLES.NetworkCreator).where({ id: p.networkCreatorId }).first();
-  if (!creator || creator.status !== 'active') return res.status(403).json({ error: 'creator_not_active' });
-
-  const offering = await db<OfferingRow>(TABLES.Offering).where({ id: body.data.offeringId, published: true }).first();
-  if (!offering) return res.status(404).json({ error: 'offering_not_found' });
-
-  // Fall back chain: request override → creator default → handle.
-  const promoCode = body.data.promoCode ?? creator.defaultPromoCode ?? creator.handle;
-
-  const id = ulid();
-  try {
-    await db<PartnershipRequestRow>(TABLES.PartnershipRequest).insert({
-      id,
-      offeringId: offering.id,
-      vendorId: offering.vendorId,
-      creatorId: creator.id,
-      direction: 'creator_to_vendor',
-      message: body.data.message ?? null,
-      promoCode,
-      status: 'pending',
-    });
-  } catch (err: unknown) {
-    if (typeof err === 'object' && err !== null && (err as { code?: string }).code === '23505') {
-      return res.status(409).json({ error: 'already_requested' });
-    }
-    throw err;
-  }
-  const request = await db<PartnershipRequestRow>(TABLES.PartnershipRequest).where({ id }).first();
-  res.status(201).json({ request });
-});
-
-// -------- Vendor: invite a creator --------
-
-networkRequestsRouter.post('/network/invites', requireAuth, requireNetworkVendor, async (req, res) => {
-  const p = req.principal!;
-  if (p.role !== 'network_vendor') return res.status(403).json({ error: 'forbidden' });
-
-  const body = inviteSchema.safeParse(req.body);
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-
-  const offering = await db<OfferingRow>(TABLES.Offering).where({ id: body.data.offeringId }).first();
-  if (!offering) return res.status(404).json({ error: 'offering_not_found' });
-  if (offering.vendorId !== p.networkVendorId) return res.status(403).json({ error: 'not_yours' });
-
-  const creator = await db<NetworkCreatorRow>(TABLES.NetworkCreator).where({ id: body.data.creatorId }).first();
-  if (!creator) return res.status(404).json({ error: 'creator_not_found' });
-
-  const promoCode = body.data.promoCode ?? creator.defaultPromoCode ?? creator.handle;
-
-  const id = ulid();
-  try {
-    await db<PartnershipRequestRow>(TABLES.PartnershipRequest).insert({
-      id,
-      offeringId: offering.id,
-      vendorId: offering.vendorId,
-      creatorId: creator.id,
-      direction: 'vendor_to_creator',
-      message: body.data.message ?? null,
-      promoCode,
-      status: 'pending',
-    });
-  } catch (err: unknown) {
-    if (typeof err === 'object' && err !== null && (err as { code?: string }).code === '23505') {
-      return res.status(409).json({ error: 'already_invited' });
-    }
-    throw err;
-  }
-  const request = await db<PartnershipRequestRow>(TABLES.PartnershipRequest).where({ id }).first();
-  res.status(201).json({ request });
-});
-
-// -------- Lists --------
-
-networkRequestsRouter.get('/network/requests/mine', requireAuth, async (req, res) => {
-  const p = req.principal!;
-  const q = db<PartnershipRequestRow>(TABLES.PartnershipRequest).orderBy('createdAt', 'desc');
-  if (p.role === 'network_vendor') q.where({ vendorId: p.networkVendorId });
-  else if (p.role === 'network_creator') q.where({ creatorId: p.networkCreatorId });
-  else if (p.role !== 'admin') return res.status(403).json({ error: 'forbidden' });
-  const requests = await q;
-  res.json({ requests });
-});
-
-// -------- Vendor: approve (federates) or reject --------
-
-networkRequestsRouter.post('/network/requests/:id/approve', requireAuth, requireNetworkVendor, async (req, res) => {
-  const p = req.principal!;
-  if (p.role !== 'network_vendor') return res.status(403).json({ error: 'forbidden' });
-
-  const body = requestDecideSchema.safeParse(req.body ?? {});
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-
-  const reqRow = await db<PartnershipRequestRow>(TABLES.PartnershipRequest).where({ id: req.params.id }).first();
-  if (!reqRow) return res.status(404).json({ error: 'request_not_found' });
-  if (reqRow.vendorId !== p.networkVendorId) return res.status(403).json({ error: 'not_yours' });
-  if (reqRow.status !== 'pending') return res.status(409).json({ error: 'not_pending' });
-
-  // Claim the request atomically before federating. Two concurrent
-  // approves would both see status='pending' above; the conditional
-  // update below only succeeds for the first — the loser returns 409.
-  // The intermediate 'approving' status is never returned from vendor
-  // APIs (the loser never sees it), but it keeps the ledger honest.
-  const claimed = await db<PartnershipRequestRow>(TABLES.PartnershipRequest)
-    .where({ id: reqRow.id, status: 'pending' })
-    .update({ status: 'approving' });
-  if (claimed === 0) {
-    return res.status(409).json({ error: 'not_pending' });
-  }
-
-  const [vendor, creator, offering] = await Promise.all([
-    db<NetworkVendorRow>(TABLES.NetworkVendor).where({ id: reqRow.vendorId }).first(),
-    db<NetworkCreatorRow>(TABLES.NetworkCreator).where({ id: reqRow.creatorId }).first(),
-    db<OfferingRow>(TABLES.Offering).where({ id: reqRow.offeringId }).first(),
-  ]);
-  if (!vendor || !creator || !offering) {
-    // Release the claim so a fix-up can retry.
-    await db<PartnershipRequestRow>(TABLES.PartnershipRequest)
-      .where({ id: reqRow.id, status: 'approving' })
-      .update({ status: 'pending' });
-    return res.status(500).json({ error: 'missing_related_rows' });
-  }
-
-  let federated;
-  try {
-    federated = await provisionPartnerOnVendor({
-      vendor,
-      offering,
-      creator: {
-        name: creator.name,
-        email: creator.email,
-        handle: creator.handle,
-        promoCode: reqRow.promoCode,
-      },
-    });
-  } catch (err: unknown) {
-    // Federation failed — release the claim so the vendor can retry.
-    await db<PartnershipRequestRow>(TABLES.PartnershipRequest)
-      .where({ id: reqRow.id, status: 'approving' })
-      .update({ status: 'pending' });
-    const msg = err instanceof Error ? err.message : String(err);
-    return res.status(502).json({ error: 'federation_failed', detail: msg });
-  }
-
-  const partnershipId = ulid();
-  await db.transaction(async (trx) => {
-    await trx<PartnershipRequestRow>(TABLES.PartnershipRequest)
-      .where({ id: reqRow.id })
-      .update({
-        status: 'approved',
-        decidedAt: new Date(),
-        decisionNote: body.data.decisionNote ?? null,
-      });
-    await trx<PartnershipRow>(TABLES.Partnership).insert({
-      id: partnershipId,
-      requestId: reqRow.id,
-      offeringId: offering.id,
-      vendorId: vendor.id,
-      creatorId: creator.id,
-      vendorPartnerId: federated.partnerId,
-      vendorLinkKey: federated.linkKey,
-      publicShareUrl: federated.publicShareUrl,
-      status: 'active',
-    });
-  });
-
-  const partnership = await db<PartnershipRow>(TABLES.Partnership).where({ id: partnershipId }).first();
-  if (partnership) {
-    dispatchEvent('partnership.approved', {
-      partnershipId: partnership.id,
-      requestId: reqRow.id,
-      offeringId: partnership.offeringId,
-      vendorId: partnership.vendorId,
-      creatorId: partnership.creatorId,
-      vendorPartnerId: partnership.vendorPartnerId,
-      vendorLinkKey: partnership.vendorLinkKey,
-      publicShareUrl: partnership.publicShareUrl,
-    });
-  }
-  res.json({ partnership, federated });
-});
-
-networkRequestsRouter.post('/network/requests/:id/reject', requireAuth, requireNetworkVendor, async (req, res) => {
-  const p = req.principal!;
-  if (p.role !== 'network_vendor') return res.status(403).json({ error: 'forbidden' });
-
-  const body = requestDecideSchema.safeParse(req.body ?? {});
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-
-  const reqRow = await db<PartnershipRequestRow>(TABLES.PartnershipRequest).where({ id: req.params.id }).first();
-  if (!reqRow) return res.status(404).json({ error: 'request_not_found' });
-  if (reqRow.vendorId !== p.networkVendorId) return res.status(403).json({ error: 'not_yours' });
-  if (reqRow.status !== 'pending') return res.status(409).json({ error: 'not_pending' });
-
-  const updated = await db<PartnershipRequestRow>(TABLES.PartnershipRequest)
-    .where({ id: reqRow.id })
-    .update({ status: 'rejected', decidedAt: new Date(), decisionNote: body.data.decisionNote ?? null })
-    .returning('*');
-  res.json({ request: updated[0] });
-});
-
-// -------- Partnerships list --------
-
-networkRequestsRouter.get('/network/partnerships/mine', requireAuth, async (req, res) => {
-  const p = req.principal!;
-  const q = db<PartnershipRow>(TABLES.Partnership).orderBy('createdAt', 'desc');
-  if (p.role === 'network_vendor') q.where({ vendorId: p.networkVendorId });
-  else if (p.role === 'network_creator') q.where({ creatorId: p.networkCreatorId });
-  else if (p.role !== 'admin') return res.status(403).json({ error: 'forbidden' });
-  const partnerships = await q;
-  res.json({ partnerships });
-});
diff --git a/apps/api/src/routes/network-vendors.ts b/apps/api/src/routes/network-vendors.ts
deleted file mode 100644
index f424b7a..0000000
--- a/apps/api/src/routes/network-vendors.ts
+++ /dev/null
@@ -1,168 +0,0 @@
-import { Router } from 'express';
-import { z } from 'zod';
-import { ulid } from 'ulid';
-import { TABLES, type NetworkVendorRow } from '@openpartner/db';
-import { db } from '../db.js';
-import { createApiKeyRow, requireAdmin, requireAuth, requireNetworkVendor } from '../auth.js';
-import { encryptKey } from '../network/crypto.js';
-import { safeFetch } from '../network/safe-fetch.js';
-import { vendorCreateSchema } from '../network/validation.js';
-import { NETWORK_FEDERATION_SCOPES } from './api-keys.js';
-
-export const networkVendorsRouter = Router();
-
-const verifyKeySchema = z.object({
-  instanceUrl: z.string().url(),
-  instanceKey: z.string().min(8),
-});
-
-/**
- * Server-side introspection helper. Before an admin registers a vendor,
- * the onboarding UI calls this to check the key the vendor pasted. We
- * hit the vendor's own /auth/introspect with that key and report back.
- *
- * Why this exists: we strongly prefer vendors hand us a SCOPED key with
- * only the federation permissions (partners:write, links:write,
- * partners:read, commissions:read). If they paste a full admin key we
- * want to warn them so they can go mint a scoped one instead.
- */
-// Intentionally open (no auth) — the vendor is pre-signup and doesn't
-// have an account yet. SSRF surface is closed via safeFetch: URL must
-// be http(s), hostname must resolve to a public IP (unless the operator
-// opts in with NETWORK_ALLOW_PRIVATE_HOSTS=1). We only proxy GET
-// /auth/introspect (narrow path), not arbitrary URLs.
-networkVendorsRouter.post('/network/vendors/verify-key', async (req, res) => {
-  const body = verifyKeySchema.safeParse(req.body);
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-
-  const { instanceUrl, instanceKey } = body.data;
-  const url = `${instanceUrl.replace(/\/$/, '')}/auth/introspect`;
-  try {
-    const response = await safeFetch(url, { headers: { authorization: `Bearer ${instanceKey}` } });
-    const text = await response.text();
-    if (!response.ok) {
-      return res.status(502).json({
-        error: 'instance_rejected_key',
-        status: response.status,
-        detail: text.slice(0, 300),
-      });
-    }
-    const introspect = text ? (JSON.parse(text) as Record<string, unknown>) : {};
-
-    const required = [...NETWORK_FEDERATION_SCOPES] as string[];
-    const scopes = Array.isArray(introspect.scopes) ? (introspect.scopes as string[]) : null;
-    const missing = scopes ? required.filter((s) => !scopes.includes(s)) : [];
-    const unrestricted = introspect.role === 'admin' && introspect.unrestricted === true;
-
-    res.json({
-      ok: true,
-      instanceUrl,
-      introspect,
-      recommended: required,
-      missing,
-      unrestricted,
-      // Green — "good to register":
-      acceptable: (scopes != null && missing.length === 0) || unrestricted,
-    });
-  } catch (err: unknown) {
-    res.status(502).json({
-      error: 'instance_unreachable',
-      detail: err instanceof Error ? err.message : String(err),
-    });
-  }
-});
-
-// -------- Admin: list + create + activate --------
-
-networkVendorsRouter.get('/network/vendors', requireAuth, requireAdmin, async (_req, res) => {
-  const vendors = await db<NetworkVendorRow>(TABLES.NetworkVendor).orderBy('createdAt', 'desc');
-  res.json({ vendors: vendors.map(stripKey) });
-});
-
-// Vendor self-registration is admin-gated for MVP — keeps quality high
-// before we have Stripe-based paid tiers on the Network.
-networkVendorsRouter.post('/network/vendors', requireAuth, requireAdmin, async (req, res) => {
-  const body = vendorCreateSchema.safeParse(req.body);
-  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-
-  const id = ulid();
-  const prefix = body.data.instanceKey.slice(0, 8);
-  const ciphertext = encryptKey(body.data.instanceKey);
-
-  try {
-    await db<NetworkVendorRow>(TABLES.NetworkVendor).insert({
-      id,
-      name: body.data.name,
-      slug: body.data.slug,
-      // Admin-created vendors are pre-verified, so email isn't load-bearing;
-      // the magic-link signin path still works once the admin sets one.
-      email: (body.data.email ?? `admin+${body.data.slug}@${new URL(body.data.instanceUrl).hostname}`).toLowerCase(),
-      websiteUrl: body.data.websiteUrl ?? null,
-      logoUrl: body.data.logoUrl ?? null,
-      description: body.data.description ?? null,
-      instanceUrl: body.data.instanceUrl.replace(/\/$/, ''),
-      instanceKeyCiphertext: ciphertext,
-      instanceKeyPrefix: prefix,
-      routerUrl: body.data.routerUrl ? body.data.routerUrl.replace(/\/$/, '') : null,
-      status: 'pending',
-    });
-  } catch (err: unknown) {
-    if (typeof err === 'object' && err !== null && (err as { code?: string }).code === '23505') {
-      return res.status(409).json({ error: 'slug_taken' });
-    }
-    throw err;
-  }
-
-  // Issue a vendor-scoped API key so the merchant can sign in to the
-  // Network-side UI without needing admin rights.
-  const key = await createApiKeyRow({ networkVendorId: id, label: 'vendor portal' });
-
-  const vendor = await db<NetworkVendorRow>(TABLES.NetworkVendor).where({ id }).first();
-  res.status(201).json({
-    vendor: stripKey(vendor!),
-    apiKey: key.plaintext, // shown once
-  });
-});
-
-networkVendorsRouter.post('/network/vendors/:id/activate', requireAuth, requireAdmin, async (req, res) => {
-  const updated = await db<NetworkVendorRow>(TABLES.NetworkVendor)
-    .where({ id: req.params.id })
-    .update({ status: 'active', activatedAt: new Date() })
-    .returning('*');
-  if (updated.length === 0) return res.status(404).json({ error: 'vendor_not_found' });
-  res.json({ vendor: stripKey(updated[0]!) });
-});
-
-networkVendorsRouter.post('/network/vendors/:id/suspend', requireAuth, requireAdmin, async (req, res) => {
-  const updated = await db<NetworkVendorRow>(TABLES.NetworkVendor)
-    .where({ id: req.params.id })
-    .update({ status: 'suspended' })
-    .returning('*');
-  if (updated.length === 0) return res.status(404).json({ error: 'vendor_not_found' });
-  res.json({ vendor: stripKey(updated[0]!) });
-});
-
-// -------- Vendor: view self --------
-
-networkVendorsRouter.get('/network/vendors/me', requireAuth, requireNetworkVendor, async (req, res) => {
-  const p = req.principal!;
-  if (p.role !== 'network_vendor') return res.status(403).json({ error: 'forbidden' });
-  const vendor = await db<NetworkVendorRow>(TABLES.NetworkVendor).where({ id: p.networkVendorId }).first();
-  if (!vendor) return res.status(404).json({ error: 'vendor_not_found' });
-  res.json({ vendor: stripKey(vendor) });
-});
-
-// -------- Public-ish: browse active vendors --------
-
-networkVendorsRouter.get('/network/directory/vendors', async (_req, res) => {
-  const vendors = await db<NetworkVendorRow>(TABLES.NetworkVendor)
-    .where({ status: 'active' })
-    .orderBy('createdAt', 'desc')
-    .select('id', 'name', 'slug', 'websiteUrl', 'logoUrl', 'description');
-  res.json({ vendors });
-});
-
-function stripKey(v: NetworkVendorRow): Omit<NetworkVendorRow, 'instanceKeyCiphertext'> & { instanceKeyPrefix: string } {
-  const { instanceKeyCiphertext: _omit, ...rest } = v;
-  return rest;
-}
diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index 2a24eb6..b87ad69 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -11,14 +11,6 @@ import {
   ShieldCheck,
   Download,
   LogOut,
-  Compass,
-  Package2,
-  Inbox,
-  Handshake,
-  Store,
-  Megaphone,
-  Mail,
-  UserCog,
   Webhook,
 } from 'lucide-react';
 import { clearApiKey, api, type Principal } from './api.js';
@@ -32,22 +24,9 @@ import { AdminPartners } from './pages/AdminPartners.js';
 import { AdminCampaigns } from './pages/AdminCampaigns.js';
 import { AdminReview } from './pages/AdminReview.js';
 import { AdminExport } from './pages/AdminExport.js';
-import { DiscoverPage } from './pages/network/Discover.js';
-import { MyRequestsPage } from './pages/network/MyRequests.js';
-import { MyPartnershipsPage } from './pages/network/MyPartnerships.js';
-import { VendorOfferingsPage } from './pages/network/VendorOfferings.js';
-import { VendorRequestsPage } from './pages/network/VendorRequests.js';
-import { AdminNetworkVendors } from './pages/network/AdminNetworkVendors.js';
-import { AdminNetworkCreators } from './pages/network/AdminNetworkCreators.js';
 import { LoginPage } from './pages/auth/Login.js';
-import { SignupPage } from './pages/auth/Signup.js';
-import { VendorSignupPage } from './pages/auth/VendorSignup.js';
-import { MagicLandingPage } from './pages/auth/MagicLanding.js';
-import { DevMailboxPage } from './pages/admin/DevMailbox.js';
 import { WebhooksPage } from './pages/admin/Webhooks.js';
 import { FraudReviewPage } from './pages/FraudReview.js';
-import { OfferingDetailPage } from './pages/network/OfferingDetail.js';
-import { CreatorProfilePage } from './pages/network/CreatorProfile.js';
 
 interface AuthState {
   loading: boolean;
@@ -59,9 +38,6 @@ export function App() {
     <BrowserRouter>
       <Routes>
         <Route path="/login" element={<LoginPage />} />
-        <Route path="/signup" element={<SignupPage />} />
-        <Route path="/signup/vendor" element={<VendorSignupPage />} />
-        <Route path="/auth/magic" element={<MagicLandingPage />} />
         <Route path="/*" element={<Shell />} />
       </Routes>
     </BrowserRouter>
@@ -73,9 +49,6 @@ function Shell() {
   const location = useLocation();
 
   useEffect(() => {
-    // Always attempt /auth/whoami — it'll accept either the API-key
-    // Bearer token (if present in localStorage) or the op_session cookie
-    // from a magic-link sign-in.
     api<Principal>('/auth/whoami')
       .then((p) => setAuth({ loading: false, principal: p }))
       .catch(() => setAuth({ loading: false, principal: null }));
@@ -91,7 +64,6 @@ function Shell() {
         <Routes>
           <Route index element={<Dashboard principal={auth.principal} />} />
 
-          {/* Vendor-side OpenPartner (core attribution) */}
           <Route path="links" element={<LinksPage principal={auth.principal} />} />
           <Route path="commissions" element={<CommissionsPage principal={auth.principal} />} />
           <Route path="payouts" element={<PayoutsPage principal={auth.principal} />} />
@@ -103,25 +75,11 @@ function Shell() {
               <Route path="admin/campaigns" element={<AdminCampaigns />} />
               <Route path="admin/review" element={<AdminReview />} />
               <Route path="admin/export" element={<AdminExport />} />
-              <Route path="admin/dev-mailbox" element={<DevMailboxPage />} />
               <Route path="admin/fraud-review" element={<FraudReviewPage />} />
               <Route path="admin/webhooks" element={<WebhooksPage />} />
-              <Route path="network/vendors" element={<AdminNetworkVendors />} />
-              <Route path="network/creators" element={<AdminNetworkCreators />} />
             </>
           )}
 
-          {/* OpenPartner Network — creator-side */}
-          <Route path="network/discover" element={<DiscoverPage principal={auth.principal} />} />
-          <Route path="network/offerings/:id" element={<OfferingDetailPage principal={auth.principal} />} />
-          <Route path="network/requests" element={<MyRequestsPage principal={auth.principal} />} />
-          <Route path="network/partnerships" element={<MyPartnershipsPage principal={auth.principal} />} />
-          <Route path="network/profile" element={<CreatorProfilePage />} />
-
-          {/* OpenPartner Network — vendor-side */}
-          <Route path="network/offerings" element={<VendorOfferingsPage />} />
-          <Route path="network/incoming" element={<VendorRequestsPage />} />
-
           <Route path="*" element={<Navigate to="/" replace />} />
         </Routes>
       </main>
@@ -142,7 +100,6 @@ function Sidebar({ principal }: { principal: Principal }) {
         padding: '20px 14px',
       }}
     >
-      {/* Brand */}
       <div style={{ display: 'flex', alignItems: 'center', gap: 10, padding: '4px 8px', marginBottom: 20 }}>
         <Logo />
         <div style={{ fontSize: 15, fontWeight: 600, letterSpacing: '-0.01em' }}>OpenPartner</div>
@@ -151,66 +108,29 @@ function Sidebar({ principal }: { principal: Principal }) {
       <PrincipalChip principal={principal} />
 
       <div style={{ flex: 1, display: 'flex', flexDirection: 'column', gap: 14, overflow: 'auto' }}>
-        {/* Core attribution nav — shown to admin + partner */}
-        {(principal.role === 'admin' || principal.role === 'partner') && (
-          <NavSection title="Yours">
-            <NavItem to="/" icon={<LayoutDashboard size={16} />}>Dashboard</NavItem>
-            <NavItem to="/links" icon={<Link2 size={16} />}>Links</NavItem>
-            <NavItem to="/commissions" icon={<Receipt size={16} />}>Commissions</NavItem>
-            <NavItem to="/payouts" icon={<Banknote size={16} />}>Payouts</NavItem>
-            {principal.role === 'partner' && <NavItem to="/connect" icon={<CreditCard size={16} />}>Stripe Connect</NavItem>}
-          </NavSection>
-        )}
+        <NavSection title="Yours">
+          <NavItem to="/" icon={<LayoutDashboard size={16} />}>Dashboard</NavItem>
+          <NavItem to="/links" icon={<Link2 size={16} />}>Links</NavItem>
+          <NavItem to="/commissions" icon={<Receipt size={16} />}>Commissions</NavItem>
+          <NavItem to="/payouts" icon={<Banknote size={16} />}>Payouts</NavItem>
+          {principal.role === 'partner' && <NavItem to="/connect" icon={<CreditCard size={16} />}>Stripe Connect</NavItem>}
+        </NavSection>
 
         {principal.role === 'admin' && (
-          <>
-            <NavSection title="Admin">
-              <NavItem to="/admin/partners" icon={<Users size={16} />}>Partners</NavItem>
-              <NavItem to="/admin/campaigns" icon={<Tag size={16} />}>Campaigns</NavItem>
-              <NavItem to="/admin/review" icon={<ShieldCheck size={16} />}>Review queue</NavItem>
-              <NavItem to="/admin/export" icon={<Download size={16} />}>Export / import</NavItem>
-              <NavItem to="/admin/fraud-review" icon={<ShieldCheck size={16} />}>Fraud review</NavItem>
-              <NavItem to="/admin/webhooks" icon={<Webhook size={16} />}>Webhooks</NavItem>
-              <NavItem to="/admin/dev-mailbox" icon={<Mail size={16} />}>Dev mailbox</NavItem>
-            </NavSection>
-            <NavSection title="Network">
-              <NavItem to="/network/vendors" icon={<Store size={16} />}>Vendors</NavItem>
-              <NavItem to="/network/creators" icon={<Megaphone size={16} />}>Creators</NavItem>
-              <NavItem to="/network/discover" icon={<Compass size={16} />}>Discover</NavItem>
-            </NavSection>
-          </>
-        )}
-
-        {principal.role === 'network_vendor' && (
-          <NavSection title="Vendor">
-            <NavItem to="/network/offerings" icon={<Package2 size={16} />}>Offerings</NavItem>
-            <NavItem to="/network/incoming" icon={<Inbox size={16} />}>Incoming requests</NavItem>
-            <NavItem to="/network/partnerships" icon={<Handshake size={16} />}>Partnerships</NavItem>
-            <NavItem to="/network/discover" icon={<Compass size={16} />}>Discover creators</NavItem>
-          </NavSection>
-        )}
-
-        {principal.role === 'network_creator' && (
-          <NavSection title="Creator">
-            <NavItem to="/network/discover" icon={<Compass size={16} />}>Discover</NavItem>
-            <NavItem to="/network/requests" icon={<Inbox size={16} />}>My requests</NavItem>
-            <NavItem to="/network/partnerships" icon={<Handshake size={16} />}>Partnerships</NavItem>
-            <NavItem to="/network/profile" icon={<UserCog size={16} />}>Profile</NavItem>
+          <NavSection title="Admin">
+            <NavItem to="/admin/partners" icon={<Users size={16} />}>Partners</NavItem>
+            <NavItem to="/admin/campaigns" icon={<Tag size={16} />}>Campaigns</NavItem>
+            <NavItem to="/admin/review" icon={<ShieldCheck size={16} />}>Review queue</NavItem>
+            <NavItem to="/admin/export" icon={<Download size={16} />}>Export / import</NavItem>
+            <NavItem to="/admin/fraud-review" icon={<ShieldCheck size={16} />}>Fraud review</NavItem>
+            <NavItem to="/admin/webhooks" icon={<Webhook size={16} />}>Webhooks</NavItem>
           </NavSection>
         )}
       </div>
 
       <button
-        onClick={async () => {
+        onClick={() => {
           clearApiKey();
-          // Fire-and-forget — server-side revokes the session if we have
-          // one; if we're only signing out of an API-key session, the
-          // server ignores the missing cookie and responds 200.
-          try {
-            await api('/auth/signout', { method: 'POST' });
-          } catch {
-            /* ignore */
-          }
           nav('/login');
         }}
         style={{
@@ -287,27 +207,11 @@ function describePrincipal(p: Principal): { label: string; sublabel: string; ini
   if (p.role === 'admin') {
     return { label: 'Admin', sublabel: 'admin', initial: 'A', hue: { bg: theme.accentSoft, fg: theme.accent } };
   }
-  if (p.role === 'partner') {
-    return {
-      label: p.partner?.name ?? 'Partner',
-      sublabel: 'partner',
-      initial: p.partner?.name?.[0]?.toUpperCase() ?? 'P',
-      hue: { bg: '#1e2a3d', fg: theme.info },
-    };
-  }
-  if (p.role === 'network_vendor') {
-    return {
-      label: p.vendor?.name ?? 'Vendor',
-      sublabel: 'vendor',
-      initial: p.vendor?.name?.[0]?.toUpperCase() ?? 'V',
-      hue: { bg: '#2a2018', fg: theme.warn },
-    };
-  }
   return {
-    label: p.creator?.name ?? 'Creator',
-    sublabel: 'creator',
-    initial: p.creator?.name?.[0]?.toUpperCase() ?? 'C',
-    hue: { bg: '#2a1a2a', fg: '#e879f9' },
+    label: p.partner?.name ?? 'Partner',
+    sublabel: 'partner',
+    initial: p.partner?.name?.[0]?.toUpperCase() ?? 'P',
+    hue: { bg: '#1e2a3d', fg: theme.info },
   };
 }
 
diff --git a/apps/portal/src/api.ts b/apps/portal/src/api.ts
index 9661b94..ed7ff9c 100644
--- a/apps/portal/src/api.ts
+++ b/apps/portal/src/api.ts
@@ -25,7 +25,7 @@ export async function api<T = unknown>(
   const res = await fetch(`/api${path}`, {
     ...init,
     headers,
-    credentials: 'include', // send op_session cookie on magic-link flow
+    credentials: 'include',
     body: init.body === undefined
       ? undefined
       : typeof init.body === 'string'
@@ -55,20 +55,8 @@ export class ApiError extends Error {
 }
 
 export interface Principal {
-  role: 'admin' | 'partner' | 'network_vendor' | 'network_creator';
+  role: 'admin' | 'partner';
   source?: string;
   partnerId?: string;
   partner?: { id: string; name: string; email: string; stripeConnected: boolean };
-  networkVendorId?: string;
-  vendor?: { id: string; name: string; slug: string; logoUrl: string | null; websiteUrl: string | null; status: string };
-  networkCreatorId?: string;
-  creator?: {
-    id: string;
-    name: string;
-    handle: string;
-    email: string;
-    avatarUrl: string | null;
-    defaultPromoCode: string | null;
-    status: string;
-  };
 }
diff --git a/apps/portal/src/pages/admin/DevMailbox.tsx b/apps/portal/src/pages/admin/DevMailbox.tsx
deleted file mode 100644
index e6b0def..0000000
--- a/apps/portal/src/pages/admin/DevMailbox.tsx
+++ /dev/null
@@ -1,166 +0,0 @@
-import { useState } from 'react';
-import { useQuery } from '@tanstack/react-query';
-import { Mail, Copy, Check, ExternalLink } from 'lucide-react';
-import { api } from '../../api.js';
-import { theme } from '../../theme.js';
-import { Card, EmptyState, ErrorBanner, Page, formatDate } from '../../ui.js';
-
-interface DevMessage {
-  id: string;
-  to: string;
-  subject: string;
-  body: string;
-  html: string | null;
-  createdAt: string;
-  metadata?: Record<string, unknown>;
-}
-
-export function DevMailboxPage() {
-  const { data, error, isLoading } = useQuery({
-    queryKey: ['dev-mailbox'],
-    queryFn: () => api<{ messages: DevMessage[] }>('/dev/mailbox'),
-    refetchInterval: 5000,
-  });
-
-  const messages = data?.messages ?? [];
-
-  return (
-    <Page title="Dev mailbox" subtitle="Mail the DevMailer captured. Refreshes every 5s.">
-      <ErrorBanner error={error} />
-      {isLoading ? (
-        <Card>Loading…</Card>
-      ) : messages.length === 0 ? (
-        <EmptyState
-          title="Inbox empty"
-          hint="Sign up or request a sign-in link and it'll appear here."
-          icon={<Mail size={28} strokeWidth={1.25} />}
-        />
-      ) : (
-        <div style={{ display: 'flex', flexDirection: 'column', gap: 12 }}>
-          {messages.map((m) => (
-            <MessageCard key={m.id} message={m} />
-          ))}
-        </div>
-      )}
-    </Page>
-  );
-}
-
-function MessageCard({ message }: { message: DevMessage }) {
-  const match = message.body.match(/https?:\/\/\S+/);
-  const link = match ? match[0] : null;
-  const [copied, setCopied] = useState(false);
-  const [view, setView] = useState<'html' | 'text'>(message.html ? 'html' : 'text');
-
-  return (
-    <Card>
-      <div style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'flex-start', marginBottom: 10 }}>
-        <div>
-          <div style={{ fontSize: 14, fontWeight: 500 }}>{message.subject}</div>
-          <div style={{ fontSize: 12, color: theme.textMuted, marginTop: 2 }}>
-            to <code>{message.to}</code> · {formatDate(message.createdAt, { relative: true })}
-          </div>
-        </div>
-        {message.html && (
-          <div style={{ display: 'flex', gap: 2, background: theme.bg, padding: 2, borderRadius: theme.radiusSm }}>
-            {(['html', 'text'] as const).map((v) => (
-              <button
-                key={v}
-                onClick={() => setView(v)}
-                style={{
-                  background: view === v ? theme.surface2 : 'transparent',
-                  color: view === v ? theme.text : theme.textMuted,
-                  border: 'none',
-                  fontSize: 11,
-                  padding: '4px 10px',
-                  borderRadius: theme.radiusSm,
-                  cursor: 'pointer',
-                  textTransform: 'uppercase',
-                  letterSpacing: '0.05em',
-                  fontWeight: 500,
-                }}
-              >
-                {v}
-              </button>
-            ))}
-          </div>
-        )}
-      </div>
-      {view === 'html' && message.html ? (
-        <iframe
-          title={message.subject}
-          srcDoc={message.html}
-          sandbox=""
-          style={{
-            width: '100%',
-            height: 420,
-            border: `1px solid ${theme.borderSubtle}`,
-            borderRadius: theme.radiusSm,
-            background: '#fff',
-          }}
-        />
-      ) : (
-        <pre
-          style={{
-            margin: 0,
-            padding: 12,
-            background: theme.bg,
-            border: `1px solid ${theme.borderSubtle}`,
-            borderRadius: theme.radiusSm,
-            color: theme.text,
-            fontSize: 12,
-            whiteSpace: 'pre-wrap',
-            wordBreak: 'break-word',
-            maxHeight: 200,
-            overflow: 'auto',
-          }}
-        >
-          {message.body}
-        </pre>
-      )}
-      {link && (
-        <div style={{ display: 'flex', gap: 8, marginTop: 10 }}>
-          <a
-            href={link}
-            style={{
-              display: 'inline-flex',
-              alignItems: 'center',
-              gap: 4,
-              background: theme.accent,
-              color: theme.accentInk,
-              padding: '6px 12px',
-              borderRadius: theme.radiusSm,
-              fontSize: 12,
-              fontWeight: 500,
-              textDecoration: 'none',
-            }}
-          >
-            <ExternalLink size={12} /> Open link
-          </a>
-          <button
-            onClick={() => {
-              navigator.clipboard.writeText(link);
-              setCopied(true);
-              setTimeout(() => setCopied(false), 1500);
-            }}
-            style={{
-              background: 'transparent',
-              border: `1px solid ${theme.border}`,
-              color: copied ? theme.success : theme.textMuted,
-              padding: '6px 10px',
-              borderRadius: theme.radiusSm,
-              cursor: 'pointer',
-              display: 'inline-flex',
-              alignItems: 'center',
-              gap: 4,
-              fontSize: 12,
-            }}
-          >
-            {copied ? <Check size={12} /> : <Copy size={12} />}
-            {copied ? 'Copied' : 'Copy'}
-          </button>
-        </div>
-      )}
-    </Card>
-  );
-}
diff --git a/apps/portal/src/pages/auth/Login.tsx b/apps/portal/src/pages/auth/Login.tsx
index 907de1f..5a17b22 100644
--- a/apps/portal/src/pages/auth/Login.tsx
+++ b/apps/portal/src/pages/auth/Login.tsx
@@ -1,151 +1,18 @@
-import { useState, type ReactNode } from 'react';
-import { Link, useNavigate } from 'react-router-dom';
-import { KeyRound, Mail } from 'lucide-react';
+import { useState } from 'react';
+import { useNavigate } from 'react-router-dom';
+import { KeyRound } from 'lucide-react';
 import { api, clearApiKey, setApiKey, ApiError, type Principal } from '../../api.js';
 import { theme } from '../../theme.js';
 import { Logo, AuthFrame } from './Shared.js';
 
-type Tab = 'email' | 'key';
-
 export function LoginPage() {
-  const [tab, setTab] = useState<Tab>('email');
-
   return (
-    <AuthFrame title="Sign in" subtitle="Choose how you want to sign in.">
-      <div style={{ display: 'flex', gap: 4, background: theme.bg, padding: 4, borderRadius: theme.radiusSm, marginBottom: 20 }}>
-        <TabButton active={tab === 'email'} onClick={() => setTab('email')} icon={<Mail size={14} />}>
-          Email
-        </TabButton>
-        <TabButton active={tab === 'key'} onClick={() => setTab('key')} icon={<KeyRound size={14} />}>
-          API key
-        </TabButton>
-      </div>
-      {tab === 'email' ? <EmailTab /> : <KeyTab />}
-      <div
-        style={{
-          marginTop: 20,
-          paddingTop: 20,
-          borderTop: `1px solid ${theme.borderSubtle}`,
-          fontSize: 13,
-          color: theme.textDim,
-          lineHeight: 1.8,
-        }}
-      >
-        New to OpenPartner?{' '}
-        <Link to="/signup" style={{ color: theme.accent, fontWeight: 500 }}>
-          Creator signup
-        </Link>
-        {' · '}
-        <Link to="/signup/vendor" style={{ color: theme.accent, fontWeight: 500 }}>
-          Vendor signup
-        </Link>
-      </div>
+    <AuthFrame title="Sign in" subtitle="Paste your API key to continue.">
+      <KeyTab />
     </AuthFrame>
   );
 }
 
-function TabButton({
-  active,
-  onClick,
-  icon,
-  children,
-}: {
-  active: boolean;
-  onClick: () => void;
-  icon: ReactNode;
-  children: ReactNode;
-}) {
-  return (
-    <button
-      type="button"
-      onClick={onClick}
-      style={{
-        flex: 1,
-        padding: '7px 10px',
-        background: active ? theme.surface : 'transparent',
-        color: active ? theme.text : theme.textMuted,
-        border: 'none',
-        borderRadius: theme.radiusSm,
-        fontSize: 13,
-        fontWeight: 500,
-        cursor: 'pointer',
-        display: 'inline-flex',
-        alignItems: 'center',
-        gap: 6,
-        justifyContent: 'center',
-      }}
-    >
-      {icon}
-      {children}
-    </button>
-  );
-}
-
-function EmailTab() {
-  const [email, setEmail] = useState('');
-  const [sent, setSent] = useState(false);
-  const [busy, setBusy] = useState(false);
-  const [err, setErr] = useState<string | null>(null);
-
-  async function submit(e: React.FormEvent) {
-    e.preventDefault();
-    setBusy(true);
-    setErr(null);
-    try {
-      await api('/auth/signin', { method: 'POST', body: { email } });
-      setSent(true);
-    } catch (e) {
-      setErr(e instanceof Error ? e.message : 'Something went wrong.');
-    } finally {
-      setBusy(false);
-    }
-  }
-
-  if (sent) {
-    return (
-      <div
-        style={{
-          background: theme.successSoft,
-          border: `1px solid ${theme.success}55`,
-          padding: 14,
-          borderRadius: theme.radiusSm,
-          fontSize: 13,
-          color: theme.success,
-        }}
-      >
-        <div style={{ fontWeight: 500, marginBottom: 4 }}>Check your inbox</div>
-        <div style={{ color: `${theme.success}cc` }}>
-          If an account exists for <strong>{email}</strong>, we sent a sign-in link. It's good for 15 minutes.
-        </div>
-        <div style={{ marginTop: 10, fontSize: 12, color: theme.textDim }}>
-          Running locally with no SMTP? Admins can peek at <Link to="/admin/dev-mailbox" style={{ color: theme.accent }}>Dev mailbox</Link>.
-        </div>
-      </div>
-    );
-  }
-
-  return (
-    <form onSubmit={submit}>
-      <div style={{ position: 'relative' }}>
-        <Mail size={15} style={{ position: 'absolute', left: 12, top: 12, color: theme.textDim, pointerEvents: 'none' }} />
-        <input
-          type="email"
-          value={email}
-          onChange={(e) => setEmail(e.target.value)}
-          placeholder="you@example.com"
-          autoFocus
-          required
-          style={inputStyle}
-        />
-      </div>
-      {err && <div style={{ color: theme.danger, fontSize: 13, marginTop: 8 }}>{err}</div>}
-      <button type="submit" disabled={busy || !email} style={primaryBtnStyle(busy || !email)}>
-        {busy ? 'Sending…' : 'Email me a sign-in link'}
-      </button>
-    </form>
-  );
-}
-
 function KeyTab() {
   const nav = useNavigate();
   const [token, setToken] = useState('');
@@ -182,10 +49,11 @@ function KeyTab() {
       </div>
       {err && <div style={{ color: theme.danger, fontSize: 13, marginTop: 8 }}>{err}</div>}
       <button type="submit" disabled={busy || !token} style={primaryBtnStyle(busy || !token)}>
-        {busy ? 'Checking…' : 'Sign in with key'}
+        {busy ? 'Checking…' : 'Sign in'}
       </button>
       <div style={{ marginTop: 12, fontSize: 12, color: theme.textDim, lineHeight: 1.6 }}>
-        Admin keys come from <code style={{ color: theme.textMuted }}>ADMIN_API_KEY</code>. Partner, vendor, and machine-to-machine keys are issued from the relevant admin view.
+        Admin keys come from <code style={{ color: theme.textMuted }}>ADMIN_API_KEY</code>.
+        Partner keys are issued from the Partners admin view.
       </div>
     </form>
   );
diff --git a/apps/portal/src/pages/auth/MagicLanding.tsx b/apps/portal/src/pages/auth/MagicLanding.tsx
deleted file mode 100644
index 0510664..0000000
--- a/apps/portal/src/pages/auth/MagicLanding.tsx
+++ /dev/null
@@ -1,97 +0,0 @@
-import { useEffect, useState } from 'react';
-import { Link, useNavigate, useSearchParams } from 'react-router-dom';
-import { api, clearApiKey } from '../../api.js';
-import { theme } from '../../theme.js';
-import { AuthFrame } from './Shared.js';
-
-interface VerifyResponse {
-  ok: boolean;
-  role?: 'network_creator' | 'network_vendor';
-  status?: 'pending' | 'active';
-  vendor?: { id: string; name: string; slug: string };
-}
-
-export function MagicLandingPage() {
-  const [params] = useSearchParams();
-  const nav = useNavigate();
-  const [err, setErr] = useState<string | null>(null);
-  const [pending, setPending] = useState<VerifyResponse | null>(null);
-
-  useEffect(() => {
-    const token = params.get('token');
-    if (!token) {
-      setErr('Missing token.');
-      return;
-    }
-    clearApiKey();
-    api<VerifyResponse>('/auth/magic/verify', { method: 'POST', body: { token } })
-      .then((resp) => {
-        // Vendor signup gives no session — the vendor still needs admin
-        // approval before they can sign in. Show a held state rather
-        // than redirecting to /.
-        if (resp.role === 'network_vendor' && resp.status === 'pending') {
-          setPending(resp);
-          return;
-        }
-        nav('/', { replace: true });
-      })
-      .catch((e) => {
-        const code = (e?.detail as { error?: string } | undefined)?.error ?? 'unknown';
-        const messages: Record<string, string> = {
-          expired: 'That link has expired. Request a new one.',
-          already_consumed: 'That link was already used.',
-          not_found: "We couldn't find that link.",
-          creator_not_active: 'Your account is suspended. Contact an admin.',
-          vendor_not_active: 'Your vendor account is still pending admin approval.',
-          email_or_handle_taken: 'Someone else claimed that email or handle in the meantime.',
-          slug_taken: 'Someone else claimed that slug in the meantime.',
-          invalid_signup_claim: 'That sign-up link is malformed.',
-          unknown_purpose: 'That link is for an unsupported flow.',
-        };
-        setErr(messages[code] ?? (e instanceof Error ? e.message : 'Something went wrong.'));
-      });
-  }, [params, nav]);
-
-  if (pending) {
-    return (
-      <AuthFrame title="Submitted for review" subtitle={`Welcome, ${pending.vendor?.name}.`}>
-        <div
-          style={{
-            background: theme.successSoft,
-            border: `1px solid ${theme.success}55`,
-            padding: 14,
-            borderRadius: theme.radiusSm,
-            fontSize: 13,
-            color: theme.success,
-          }}
-        >
-          Your email is verified and your vendor record is pending admin review. We'll let you sign in once your account is active.
-        </div>
-        <div style={{ marginTop: 16, fontSize: 12, color: theme.textDim }}>
-          Already active? <Link to="/login" style={{ color: theme.accent }}>Sign in</Link>
-        </div>
-      </AuthFrame>
-    );
-  }
-
-  return (
-    <AuthFrame title={err ? 'Sign-in failed' : 'Signing you in…'}>
-      {err ? (
-        <div
-          style={{
-            background: theme.dangerSoft,
-            border: `1px solid ${theme.danger}55`,
-            padding: 14,
-            borderRadius: theme.radiusSm,
-            fontSize: 13,
-            color: theme.danger,
-          }}
-        >
-          {err}
-        </div>
-      ) : (
-        <div style={{ fontSize: 13, color: theme.textMuted }}>One moment…</div>
-      )}
-    </AuthFrame>
-  );
-}
diff --git a/apps/portal/src/pages/auth/Signup.tsx b/apps/portal/src/pages/auth/Signup.tsx
deleted file mode 100644
index ef79832..0000000
--- a/apps/portal/src/pages/auth/Signup.tsx
+++ /dev/null
@@ -1,160 +0,0 @@
-import { useState } from 'react';
-import { Link } from 'react-router-dom';
-import { AtSign, User, Mail } from 'lucide-react';
-import { api, ApiError } from '../../api.js';
-import { theme } from '../../theme.js';
-import { AuthFrame } from './Shared.js';
-
-export function SignupPage() {
-  const [name, setName] = useState('');
-  const [handle, setHandle] = useState('');
-  const [email, setEmail] = useState('');
-  const [busy, setBusy] = useState(false);
-  const [err, setErr] = useState<string | null>(null);
-  const [sent, setSent] = useState(false);
-
-  async function submit(e: React.FormEvent) {
-    e.preventDefault();
-    setBusy(true);
-    setErr(null);
-    try {
-      await api('/auth/creator/signup', {
-        method: 'POST',
-        body: { email, handle: handle.toLowerCase(), name },
-      });
-      setSent(true);
-    } catch (e) {
-      if (e instanceof ApiError && e.status === 409) setErr('That email or handle is already in use.');
-      else setErr(e instanceof Error ? e.message : 'Something went wrong.');
-    } finally {
-      setBusy(false);
-    }
-  }
-
-  if (sent) {
-    return (
-      <AuthFrame title="Almost there" subtitle={`We sent a verification link to ${email}.`}>
-        <div
-          style={{
-            background: theme.successSoft,
-            border: `1px solid ${theme.success}55`,
-            padding: 14,
-            borderRadius: theme.radiusSm,
-            fontSize: 13,
-            color: theme.success,
-          }}
-        >
-          Click the link within 15 minutes to finish setting up your account.
-        </div>
-        <div style={{ marginTop: 16, fontSize: 12, color: theme.textDim }}>
-          Running locally? Admins can open the <Link to="/admin/dev-mailbox" style={{ color: theme.accent }}>Dev mailbox</Link> to copy the link.
-        </div>
-      </AuthFrame>
-    );
-  }
-
-  return (
-    <AuthFrame title="Create a creator account" subtitle="Promote offerings on the OpenPartner Network.">
-      <form onSubmit={submit}>
-        <IconInput icon={<User size={15} />} type="text" value={name} onChange={setName} placeholder="Your name" autoFocus />
-        <IconInput
-          icon={<AtSign size={15} />}
-          type="text"
-          value={handle}
-          onChange={(v) => setHandle(v.toLowerCase().replace(/[^a-z0-9_]/g, ''))}
-          placeholder="handle"
-          hint="Lowercase letters, digits, or _"
-        />
-        <IconInput icon={<Mail size={15} />} type="email" value={email} onChange={setEmail} placeholder="you@example.com" />
-        {err && <div style={{ color: theme.danger, fontSize: 13, marginTop: 8 }}>{err}</div>}
-        <button type="submit" disabled={busy || !name || !handle || !email} style={primaryBtnStyle(busy || !name || !handle || !email)}>
-          {busy ? 'Sending…' : 'Send verification link'}
-        </button>
-      </form>
-      <div
-        style={{
-          marginTop: 20,
-          paddingTop: 20,
-          borderTop: `1px solid ${theme.borderSubtle}`,
-          fontSize: 13,
-          color: theme.textDim,
-          lineHeight: 1.8,
-        }}
-      >
-        <div>
-          Already have an account?{' '}
-          <Link to="/login" style={{ color: theme.accent, fontWeight: 500 }}>
-            Sign in
-          </Link>
-        </div>
-        <div>
-          Building a product to list?{' '}
-          <Link to="/signup/vendor" style={{ color: theme.accent, fontWeight: 500 }}>
-            Vendor signup
-          </Link>
-        </div>
-      </div>
-    </AuthFrame>
-  );
-}
-
-function IconInput({
-  icon,
-  value,
-  onChange,
-  placeholder,
-  type = 'text',
-  hint,
-  autoFocus,
-}: {
-  icon: React.ReactNode;
-  value: string;
-  onChange: (v: string) => void;
-  placeholder: string;
-  type?: string;
-  hint?: string;
-  autoFocus?: boolean;
-}) {
-  return (
-    <div style={{ marginBottom: 12 }}>
-      <div style={{ position: 'relative' }}>
-        <span style={{ position: 'absolute', left: 12, top: 12, color: theme.textDim, pointerEvents: 'none', display: 'inline-flex' }}>
-          {icon}
-        </span>
-        <input
-          type={type}
-          value={value}
-          onChange={(e) => onChange(e.target.value)}
-          placeholder={placeholder}
-          autoFocus={autoFocus}
-          style={{
-            width: '100%',
-            padding: '10px 12px 10px 34px',
-            fontSize: 14,
-            background: theme.surface2,
-            border: `1px solid ${theme.border}`,
-            borderRadius: theme.radiusSm,
-            color: theme.text,
-          }}
-        />
-      </div>
-      {hint && <div style={{ fontSize: 11, color: theme.textDim, marginTop: 4 }}>{hint}</div>}
-    </div>
-  );
-}
-
-function primaryBtnStyle(disabled: boolean): React.CSSProperties {
-  return {
-    marginTop: 6,
-    width: '100%',
-    padding: '10px 14px',
-    background: theme.accent,
-    color: theme.accentInk,
-    border: 'none',
-    borderRadius: theme.radiusSm,
-    fontSize: 14,
-    fontWeight: 600,
-    cursor: disabled ? 'not-allowed' : 'pointer',
-    opacity: disabled ? 0.5 : 1,
-  };
-}
diff --git a/apps/portal/src/pages/auth/VendorSignup.tsx b/apps/portal/src/pages/auth/VendorSignup.tsx
deleted file mode 100644
index 1ba55f1..0000000
--- a/apps/portal/src/pages/auth/VendorSignup.tsx
+++ /dev/null
@@ -1,321 +0,0 @@
-import { useState } from 'react';
-import { Link } from 'react-router-dom';
-import { Mail, Globe, AtSign, Building2, KeyRound, Signpost, Loader2, ShieldCheck, ShieldAlert, ShieldX } from 'lucide-react';
-import { api, ApiError } from '../../api.js';
-import { theme } from '../../theme.js';
-import { AuthFrame } from './Shared.js';
-
-export function VendorSignupPage() {
-  const [name, setName] = useState('');
-  const [slug, setSlug] = useState('');
-  const [email, setEmail] = useState('');
-  const [instanceUrl, setInstanceUrl] = useState('');
-  const [instanceKey, setInstanceKey] = useState('');
-  const [routerUrl, setRouterUrl] = useState('');
-  const [description, setDescription] = useState('');
-  const [websiteUrl, setWebsiteUrl] = useState('');
-
-  const [err, setErr] = useState<string | null>(null);
-  const [busy, setBusy] = useState(false);
-  const [sent, setSent] = useState(false);
-
-  const [verify, setVerify] = useState<VerifyState>({ state: 'idle' });
-
-  async function submit(e: React.FormEvent) {
-    e.preventDefault();
-    setBusy(true);
-    setErr(null);
-    try {
-      await api('/auth/vendor/signup', {
-        method: 'POST',
-        body: {
-          name,
-          slug,
-          email,
-          instanceUrl,
-          instanceKey,
-          routerUrl: routerUrl || undefined,
-          description: description || undefined,
-          websiteUrl: websiteUrl || undefined,
-        },
-      });
-      setSent(true);
-    } catch (e) {
-      if (e instanceof ApiError) {
-        const detail = e.detail as { error?: string; missing?: string[] } | undefined;
-        const code = detail?.error;
-        const messages: Record<string, string> = {
-          slug_taken: 'That slug is already in use. Pick another.',
-          instance_unreachable: 'Could not reach your OpenPartner instance. Check the URL.',
-          instance_rejected_key: 'Your instance rejected that key. Double-check it.',
-          missing_scopes: `Your key is missing required scopes: ${detail?.missing?.join(', ') ?? '—'}.`,
-        };
-        setErr((code ? messages[code] : undefined) ?? e.message);
-      } else {
-        setErr(e instanceof Error ? e.message : 'Something went wrong.');
-      }
-    } finally {
-      setBusy(false);
-    }
-  }
-
-  if (sent) {
-    return (
-      <AuthFrame title="Check your inbox" subtitle={`We sent a verification link to ${email}.`}>
-        <div
-          style={{
-            background: theme.successSoft,
-            border: `1px solid ${theme.success}55`,
-            padding: 14,
-            borderRadius: theme.radiusSm,
-            fontSize: 13,
-            color: theme.success,
-          }}
-        >
-          Click the link within 15 minutes. After you verify, an admin reviews your federation credentials and activates your account — usually within a day.
-        </div>
-        <div style={{ marginTop: 16, fontSize: 12, color: theme.textDim }}>
-          Running locally? Admins can open the <Link to="/admin/dev-mailbox" style={{ color: theme.accent }}>Dev mailbox</Link> to grab the link.
-        </div>
-      </AuthFrame>
-    );
-  }
-
-  return (
-    <AuthFrame title="Register your product" subtitle="List an offering on the OpenPartner Network.">
-      <form onSubmit={submit}>
-        <IconInput icon={<Building2 size={15} />} value={name} onChange={setName} placeholder="Product name" autoFocus />
-        <IconInput
-          icon={<AtSign size={15} />}
-          value={slug}
-          onChange={(v) => setSlug(v.toLowerCase().replace(/[^a-z0-9-]/g, ''))}
-          placeholder="slug"
-          hint="Lowercase letters, digits, or -. Appears in URLs."
-        />
-        <IconInput icon={<Mail size={15} />} type="email" value={email} onChange={setEmail} placeholder="you@company.com" />
-
-        <div style={{ marginTop: 8, marginBottom: 8, fontSize: 12, fontWeight: 600, color: theme.textMuted, textTransform: 'uppercase', letterSpacing: '0.06em' }}>
-          Federation
-        </div>
-        <IconInput
-          icon={<Globe size={15} />}
-          value={instanceUrl}
-          onChange={setInstanceUrl}
-          placeholder="OpenPartner instance URL (e.g. https://api.acme.com)"
-        />
-        <IconInput
-          icon={<KeyRound size={15} />}
-          type="password"
-          value={instanceKey}
-          onChange={setInstanceKey}
-          placeholder="Scoped API key (op_…)"
-          hint={
-            <span>
-              Mint one on your instance with scopes <code>partners:write, partners:read, links:write, commissions:read</code>.
-            </span>
-          }
-          afterInput={
-            <VerifyButton
-              disabled={!instanceUrl || !instanceKey || verify.state === 'loading'}
-              onVerify={async () => {
-                setVerify({ state: 'loading' });
-                try {
-                  const r = await api<VerifyResponse>('/network/vendors/verify-key', {
-                    method: 'POST',
-                    body: { instanceUrl, instanceKey },
-                  });
-                  setVerify({ state: 'done', result: r });
-                } catch (e) {
-                  setVerify({ state: 'error', message: e instanceof Error ? e.message : String(e) });
-                }
-              }}
-              state={verify}
-            />
-          }
-        />
-        <IconInput
-          icon={<Signpost size={15} />}
-          value={routerUrl}
-          onChange={setRouterUrl}
-          placeholder="Router URL (e.g. https://getcoherence.io)"
-          hint="Where share links resolve. Optional — dev skips this."
-        />
-
-        <div style={{ marginTop: 8, marginBottom: 8, fontSize: 12, fontWeight: 600, color: theme.textMuted, textTransform: 'uppercase', letterSpacing: '0.06em' }}>
-          Profile (optional)
-        </div>
-        <IconInput icon={<Globe size={15} />} value={websiteUrl} onChange={setWebsiteUrl} placeholder="https://yoursite.com" />
-        <div style={{ marginBottom: 12 }}>
-          <textarea
-            value={description}
-            onChange={(e) => setDescription(e.target.value)}
-            rows={3}
-            placeholder="A sentence or two for your directory card"
-            style={{
-              width: '100%',
-              padding: '10px 12px',
-              fontSize: 14,
-              background: theme.surface2,
-              border: `1px solid ${theme.border}`,
-              borderRadius: theme.radiusSm,
-              color: theme.text,
-              fontFamily: theme.fontSans,
-              resize: 'vertical',
-            }}
-          />
-        </div>
-
-        {err && <div style={{ color: theme.danger, fontSize: 13, marginTop: 8 }}>{err}</div>}
-        <button
-          type="submit"
-          disabled={busy || !name || !slug || !email || !instanceUrl || !instanceKey}
-          style={primaryBtnStyle(busy || !name || !slug || !email || !instanceUrl || !instanceKey)}
-        >
-          {busy ? 'Sending…' : 'Send verification link'}
-        </button>
-      </form>
-      <div style={{ marginTop: 20, paddingTop: 20, borderTop: `1px solid ${theme.borderSubtle}`, fontSize: 13, color: theme.textDim }}>
-        Want to promote products instead?{' '}
-        <Link to="/signup" style={{ color: theme.accent, fontWeight: 500 }}>
-          Creator signup
-        </Link>
-      </div>
-    </AuthFrame>
-  );
-}
-
-type VerifyState =
-  | { state: 'idle' }
-  | { state: 'loading' }
-  | { state: 'done'; result: VerifyResponse }
-  | { state: 'error'; message: string };
-
-interface VerifyResponse {
-  unrestricted?: boolean;
-  missing?: string[];
-  acceptable?: boolean;
-  introspect?: { scopes?: string[] };
-}
-
-function VerifyButton({ disabled, onVerify, state }: { disabled: boolean; onVerify: () => void; state: VerifyState }) {
-  let indicator: React.ReactNode = null;
-  if (state.state === 'done') {
-    const r = state.result;
-    if (r.unrestricted) {
-      indicator = (
-        <span style={{ fontSize: 11, color: theme.warn, display: 'inline-flex', alignItems: 'center', gap: 4 }}>
-          <ShieldAlert size={12} /> Admin key — strongly prefer scoped
-        </span>
-      );
-    } else if (r.acceptable) {
-      indicator = (
-        <span style={{ fontSize: 11, color: theme.success, display: 'inline-flex', alignItems: 'center', gap: 4 }}>
-          <ShieldCheck size={12} /> Scopes look good
-        </span>
-      );
-    } else {
-      indicator = (
-        <span style={{ fontSize: 11, color: theme.danger, display: 'inline-flex', alignItems: 'center', gap: 4 }}>
-          <ShieldX size={12} /> Missing: {(r.missing ?? []).join(', ')}
-        </span>
-      );
-    }
-  } else if (state.state === 'error') {
-    indicator = (
-      <span style={{ fontSize: 11, color: theme.danger, display: 'inline-flex', alignItems: 'center', gap: 4 }}>
-        <ShieldX size={12} /> {state.message}
-      </span>
-    );
-  }
-
-  return (
-    <div style={{ marginTop: 6, display: 'flex', alignItems: 'center', gap: 10 }}>
-      <button
-        type="button"
-        onClick={onVerify}
-        disabled={disabled}
-        style={{
-          background: theme.surface2,
-          color: theme.text,
-          border: `1px solid ${theme.border}`,
-          borderRadius: theme.radiusSm,
-          padding: '5px 10px',
-          fontSize: 12,
-          cursor: disabled ? 'not-allowed' : 'pointer',
-          opacity: disabled ? 0.5 : 1,
-          display: 'inline-flex',
-          alignItems: 'center',
-          gap: 4,
-        }}
-      >
-        {state.state === 'loading' ? <Loader2 size={12} /> : <ShieldCheck size={12} />}
-        {state.state === 'loading' ? 'Verifying…' : 'Verify key'}
-      </button>
-      {indicator}
-    </div>
-  );
-}
-
-function IconInput({
-  icon,
-  value,
-  onChange,
-  placeholder,
-  type = 'text',
-  hint,
-  autoFocus,
-  afterInput,
-}: {
-  icon: React.ReactNode;
-  value: string;
-  onChange: (v: string) => void;
-  placeholder: string;
-  type?: string;
-  hint?: React.ReactNode;
-  autoFocus?: boolean;
-  afterInput?: React.ReactNode;
-}) {
-  return (
-    <div style={{ marginBottom: 12 }}>
-      <div style={{ position: 'relative' }}>
-        <span style={{ position: 'absolute', left: 12, top: 12, color: theme.textDim, pointerEvents: 'none', display: 'inline-flex' }}>
-          {icon}
-        </span>
-        <input
-          type={type}
-          value={value}
-          onChange={(e) => onChange(e.target.value)}
-          placeholder={placeholder}
-          autoFocus={autoFocus}
-          style={{
-            width: '100%',
-            padding: '10px 12px 10px 34px',
-            fontSize: 14,
-            background: theme.surface2,
-            border: `1px solid ${theme.border}`,
-            borderRadius: theme.radiusSm,
-            color: theme.text,
-          }}
-        />
-      </div>
-      {hint && <div style={{ fontSize: 11, color: theme.textDim, marginTop: 4 }}>{hint}</div>}
-      {afterInput}
-    </div>
-  );
-}
-
-function primaryBtnStyle(disabled: boolean): React.CSSProperties {
-  return {
-    marginTop: 6,
-    width: '100%',
-    padding: '10px 14px',
-    background: theme.accent,
-    color: theme.accentInk,
-    border: 'none',
-    borderRadius: theme.radiusSm,
-    fontSize: 14,
-    fontWeight: 600,
-    cursor: disabled ? 'not-allowed' : 'pointer',
-    opacity: disabled ? 0.5 : 1,
-  };
-}
diff --git a/apps/portal/src/pages/network/AdminNetworkCreators.tsx b/apps/portal/src/pages/network/AdminNetworkCreators.tsx
deleted file mode 100644
index 3c65d07..0000000
--- a/apps/portal/src/pages/network/AdminNetworkCreators.tsx
+++ /dev/null
@@ -1,222 +0,0 @@
-import { useState } from 'react';
-import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Plus, Megaphone, Check, Copy } from 'lucide-react';
-import { api } from '../../api.js';
-import { theme } from '../../theme.js';
-import { Avatar, Button, Card, EmptyState, ErrorBanner, Input, Label, Page, StatusPill, Table, formatDate } from '../../ui.js';
-
-interface Creator {
-  id: string;
-  name: string;
-  handle: string;
-  email: string;
-  bio: string | null;
-  avatarUrl: string | null;
-  platforms: Array<{ platform: string; url: string; followers?: number }>;
-  status: string;
-  createdAt: string;
-  activatedAt: string | null;
-}
-
-export function AdminNetworkCreators() {
-  const qc = useQueryClient();
-  const [showCreate, setShowCreate] = useState(false);
-  const [newlyIssuedKey, setNewlyIssuedKey] = useState<string | null>(null);
-
-  const creators = useQuery({
-    queryKey: ['network-creators'],
-    queryFn: () => api<{ creators: Creator[] }>('/network/creators'),
-  });
-
-  const activate = useMutation({
-    mutationFn: (id: string) => api(`/network/creators/${id}/activate`, { method: 'POST' }),
-    onSuccess: () => qc.invalidateQueries({ queryKey: ['network-creators'] }),
-  });
-
-  return (
-    <Page
-      title="Network creators"
-      subtitle="Promoters registered on the OpenPartner Network."
-      actions={
-        <Button icon={<Plus size={14} />} onClick={() => setShowCreate(true)}>
-          Onboard creator
-        </Button>
-      }
-    >
-      <ErrorBanner error={creators.error ?? activate.error} />
-
-      {newlyIssuedKey && (
-        <Card style={{ marginBottom: 14, borderColor: `${theme.warn}55` }}>
-          <div style={{ fontSize: 14, fontWeight: 500, marginBottom: 6 }}>Creator key issued</div>
-          <div style={{ color: theme.textMuted, fontSize: 13, marginBottom: 10 }}>
-            Send this to the creator — won't be shown again.
-          </div>
-          <div
-            style={{
-              display: 'flex',
-              alignItems: 'center',
-              gap: 8,
-              background: theme.warnSoft,
-              border: `1px solid ${theme.warn}33`,
-              padding: '10px 12px',
-              borderRadius: theme.radiusSm,
-            }}
-          >
-            <code style={{ flex: 1, fontSize: 12, wordBreak: 'break-all' }}>{newlyIssuedKey}</code>
-            <Button size="sm" variant="secondary" icon={<Copy size={12} />} onClick={() => navigator.clipboard.writeText(newlyIssuedKey)}>
-              Copy
-            </Button>
-          </div>
-          <Button size="sm" variant="ghost" style={{ marginTop: 10 }} onClick={() => setNewlyIssuedKey(null)}>
-            Dismiss
-          </Button>
-        </Card>
-      )}
-
-      {showCreate && (
-        <CreateCreator
-          onClose={() => setShowCreate(false)}
-          onCreated={(key) => {
-            setShowCreate(false);
-            setNewlyIssuedKey(key);
-            qc.invalidateQueries({ queryKey: ['network-creators'] });
-          }}
-        />
-      )}
-      {creators.isLoading ? (
-        <Card>Loading…</Card>
-      ) : (creators.data?.creators ?? []).length === 0 ? (
-        <EmptyState title="No creators yet" hint="Onboard one to populate the pool." icon={<Megaphone size={28} strokeWidth={1.25} />} />
-      ) : (
-        <Table
-          columns={['Creator', 'Email', 'Platforms', 'Status', 'Actions']}
-          rows={(creators.data?.creators ?? []).map((c) => [
-            <div style={{ display: 'flex', alignItems: 'center', gap: 10 }}>
-              <Avatar name={c.name} size={28} />
-              <div>
-                <div style={{ fontWeight: 500 }}>{c.name}</div>
-                <div style={{ fontSize: 12, color: theme.textMuted }}>@{c.handle}</div>
-              </div>
-            </div>,
-            <span style={{ color: theme.textMuted }}>{c.email}</span>,
-            <span style={{ color: theme.textMuted, fontSize: 12 }}>
-              {(c.platforms ?? []).map((p) => p.platform).join(', ') || '—'}
-            </span>,
-            <StatusPill status={c.status === 'active' ? 'connected' : c.status} />,
-            c.status !== 'active' ? (
-              <Button size="sm" onClick={() => activate.mutate(c.id)} icon={<Check size={12} />}>
-                Activate
-              </Button>
-            ) : (
-              <span style={{ color: theme.textMuted, fontSize: 12 }}>
-                activated {formatDate(c.activatedAt, { relative: true })}
-              </span>
-            ),
-          ])}
-        />
-      )}
-    </Page>
-  );
-}
-
-function CreateCreator({ onClose, onCreated }: { onClose: () => void; onCreated: (creatorKey: string) => void }) {
-  const [name, setName] = useState('');
-  const [handle, setHandle] = useState('');
-  const [email, setEmail] = useState('');
-  const [bio, setBio] = useState('');
-  const [defaultPromoCode, setDefaultPromoCode] = useState('');
-  const [platform, setPlatform] = useState('youtube');
-  const [platformUrl, setPlatformUrl] = useState('');
-  const [followers, setFollowers] = useState('');
-
-  const mut = useMutation({
-    mutationFn: () =>
-      api<{ creator: Creator; apiKey: string }>('/network/creators', {
-        method: 'POST',
-        body: {
-          name,
-          handle,
-          email,
-          bio: bio || undefined,
-          defaultPromoCode: defaultPromoCode || undefined,
-          platforms: platformUrl
-            ? [{ platform, url: platformUrl, followers: followers ? Number(followers) : undefined }]
-            : [],
-        },
-      }),
-    onSuccess: (data) => onCreated(data.apiKey),
-  });
-
-  return (
-    <Card style={{ marginBottom: 14 }}>
-      <div style={{ fontSize: 15, fontWeight: 600, marginBottom: 14 }}>Onboard creator</div>
-      <ErrorBanner error={mut.error} />
-      <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 12, marginBottom: 12 }}>
-        <div>
-          <Label>Name</Label>
-          <Input value={name} onChange={(e) => setName(e.target.value)} placeholder="Grace Hopper" />
-        </div>
-        <div>
-          <Label>Handle</Label>
-          <Input value={handle} onChange={(e) => setHandle(e.target.value)} placeholder="gracie" />
-        </div>
-      </div>
-      <div style={{ display: 'grid', gridTemplateColumns: '1fr 2fr', gap: 12, marginBottom: 12 }}>
-        <div>
-          <Label>Email</Label>
-          <Input type="email" value={email} onChange={(e) => setEmail(e.target.value)} placeholder="grace@example.com" />
-        </div>
-        <div>
-          <Label>Bio (optional)</Label>
-          <Input value={bio} onChange={(e) => setBio(e.target.value)} placeholder="What they publish about" />
-        </div>
-      </div>
-      <div style={{ marginBottom: 12 }}>
-        <Label>Default share code (optional)</Label>
-        <Input
-          value={defaultPromoCode}
-          onChange={(e) => setDefaultPromoCode(e.target.value)}
-          placeholder="graciefindsdeals"
-        />
-      </div>
-      <div style={{ display: 'grid', gridTemplateColumns: '120px 2fr 1fr', gap: 12, marginBottom: 14 }}>
-        <div>
-          <Label>Primary platform</Label>
-          <select
-            value={platform}
-            onChange={(e) => setPlatform(e.target.value)}
-            style={{
-              padding: '10px 12px',
-              fontSize: 14,
-              background: theme.surface2,
-              border: `1px solid ${theme.border}`,
-              borderRadius: theme.radiusSm,
-              color: theme.text,
-              width: '100%',
-            }}
-          >
-            {['youtube', 'twitter', 'instagram', 'tiktok', 'blog', 'podcast', 'other'].map((p) => (
-              <option key={p} value={p}>{p}</option>
-            ))}
-          </select>
-        </div>
-        <div>
-          <Label>Platform URL</Label>
-          <Input value={platformUrl} onChange={(e) => setPlatformUrl(e.target.value)} placeholder="https://youtube.com/@gracie" />
-        </div>
-        <div>
-          <Label>Followers</Label>
-          <Input type="number" value={followers} onChange={(e) => setFollowers(e.target.value)} />
-        </div>
-      </div>
-      <div style={{ display: 'flex', gap: 8 }}>
-        <Button onClick={() => mut.mutate()} disabled={!name || !handle || !email || mut.isPending}>
-          {mut.isPending ? 'Registering…' : 'Register'}
-        </Button>
-        <Button variant="secondary" onClick={onClose}>
-          Cancel
-        </Button>
-      </div>
-    </Card>
-  );
-}
diff --git a/apps/portal/src/pages/network/AdminNetworkVendors.tsx b/apps/portal/src/pages/network/AdminNetworkVendors.tsx
deleted file mode 100644
index 89082ba..0000000
--- a/apps/portal/src/pages/network/AdminNetworkVendors.tsx
+++ /dev/null
@@ -1,342 +0,0 @@
-import { useState } from 'react';
-import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Plus, Store, Check, Copy, ShieldCheck, ShieldAlert, ShieldX, Loader2 } from 'lucide-react';
-import { api } from '../../api.js';
-import { theme } from '../../theme.js';
-import { Avatar, Button, Card, EmptyState, ErrorBanner, Input, Label, Page, StatusPill, Table, formatDate } from '../../ui.js';
-
-interface Vendor {
-  id: string;
-  name: string;
-  slug: string;
-  instanceUrl: string;
-  instanceKeyPrefix: string;
-  routerUrl: string | null;
-  status: string;
-  createdAt: string;
-  activatedAt: string | null;
-}
-
-export function AdminNetworkVendors() {
-  const qc = useQueryClient();
-  const [showCreate, setShowCreate] = useState(false);
-  const [newlyIssuedKey, setNewlyIssuedKey] = useState<string | null>(null);
-
-  const vendors = useQuery({
-    queryKey: ['network-vendors'],
-    queryFn: () => api<{ vendors: Vendor[] }>('/network/vendors'),
-  });
-
-  const activate = useMutation({
-    mutationFn: (id: string) => api(`/network/vendors/${id}/activate`, { method: 'POST' }),
-    onSuccess: () => qc.invalidateQueries({ queryKey: ['network-vendors'] }),
-  });
-
-  return (
-    <Page
-      title="Network vendors"
-      subtitle="Merchants registered on the OpenPartner Network."
-      actions={
-        <Button icon={<Plus size={14} />} onClick={() => setShowCreate(true)}>
-          Onboard vendor
-        </Button>
-      }
-    >
-      <ErrorBanner error={vendors.error ?? activate.error} />
-
-      {newlyIssuedKey && (
-        <Card style={{ marginBottom: 14, borderColor: `${theme.warn}55` }}>
-          <div style={{ fontSize: 14, fontWeight: 500, marginBottom: 6 }}>Vendor key issued</div>
-          <div style={{ color: theme.textMuted, fontSize: 13, marginBottom: 10 }}>
-            Share this key with the vendor. It won't be shown again.
-          </div>
-          <div
-            style={{
-              display: 'flex',
-              alignItems: 'center',
-              gap: 8,
-              background: theme.warnSoft,
-              border: `1px solid ${theme.warn}33`,
-              padding: '10px 12px',
-              borderRadius: theme.radiusSm,
-            }}
-          >
-            <code style={{ flex: 1, fontSize: 12, wordBreak: 'break-all' }}>{newlyIssuedKey}</code>
-            <Button size="sm" variant="secondary" icon={<Copy size={12} />} onClick={() => navigator.clipboard.writeText(newlyIssuedKey)}>
-              Copy
-            </Button>
-          </div>
-          <Button size="sm" variant="ghost" style={{ marginTop: 10 }} onClick={() => setNewlyIssuedKey(null)}>
-            Dismiss
-          </Button>
-        </Card>
-      )}
-
-      {showCreate && (
-        <CreateVendor
-          onClose={() => setShowCreate(false)}
-          onCreated={(key) => {
-            setShowCreate(false);
-            setNewlyIssuedKey(key);
-            qc.invalidateQueries({ queryKey: ['network-vendors'] });
-          }}
-        />
-      )}
-      {vendors.isLoading ? (
-        <Card>Loading…</Card>
-      ) : (vendors.data?.vendors ?? []).length === 0 ? (
-        <EmptyState title="No vendors yet" hint="Onboard a vendor to populate the directory." icon={<Store size={28} strokeWidth={1.25} />} />
-      ) : (
-        <Table
-          columns={['Vendor', 'Instance', 'Router', 'Status', 'Actions']}
-          rows={(vendors.data?.vendors ?? []).map((v) => [
-            <div style={{ display: 'flex', alignItems: 'center', gap: 10 }}>
-              <Avatar name={v.name} size={28} />
-              <div>
-                <div style={{ fontWeight: 500 }}>{v.name}</div>
-                <div style={{ fontSize: 12, color: theme.textMuted }}>{v.slug}</div>
-              </div>
-            </div>,
-            <code style={{ color: theme.textMuted, fontSize: 12 }}>{v.instanceUrl}</code>,
-            v.routerUrl ? (
-              <code style={{ color: theme.accent, fontSize: 12 }}>{v.routerUrl}</code>
-            ) : (
-              <span style={{ color: theme.textDim, fontSize: 12 }}>(inferred)</span>
-            ),
-            <StatusPill status={v.status === 'active' ? 'connected' : v.status} />,
-            v.status !== 'active' ? (
-              <Button size="sm" onClick={() => activate.mutate(v.id)} icon={<Check size={12} />}>
-                Activate
-              </Button>
-            ) : (
-              <span style={{ color: theme.textMuted, fontSize: 12 }}>
-                activated {formatDate(v.activatedAt, { relative: true })}
-              </span>
-            ),
-          ])}
-        />
-      )}
-    </Page>
-  );
-}
-
-interface VerifyResult {
-  ok: boolean;
-  introspect?: { role?: string; scopes?: string[]; unrestricted?: boolean };
-  recommended?: string[];
-  missing?: string[];
-  unrestricted?: boolean;
-  acceptable?: boolean;
-  error?: string;
-  detail?: string;
-}
-
-function CreateVendor({ onClose, onCreated }: { onClose: () => void; onCreated: (vendorKey: string) => void }) {
-  const [name, setName] = useState('');
-  const [slug, setSlug] = useState('');
-  const [instanceUrl, setInstanceUrl] = useState('');
-  const [instanceKey, setInstanceKey] = useState('');
-  const [routerUrl, setRouterUrl] = useState('');
-  const [websiteUrl, setWebsiteUrl] = useState('');
-  const [description, setDescription] = useState('');
-
-  const verify = useMutation<VerifyResult, unknown, void>({
-    mutationFn: () =>
-      api<VerifyResult>('/network/vendors/verify-key', {
-        method: 'POST',
-        body: { instanceUrl, instanceKey },
-      }),
-  });
-
-  const mut = useMutation({
-    mutationFn: () =>
-      api<{ vendor: Vendor; apiKey: string }>('/network/vendors', {
-        method: 'POST',
-        body: {
-          name,
-          slug,
-          instanceUrl,
-          instanceKey,
-          routerUrl: routerUrl || undefined,
-          websiteUrl: websiteUrl || undefined,
-          description: description || undefined,
-        },
-      }),
-    onSuccess: (data) => onCreated(data.apiKey),
-  });
-
-  return (
-    <Card style={{ marginBottom: 14 }}>
-      <div style={{ fontSize: 15, fontWeight: 600, marginBottom: 14 }}>Onboard vendor</div>
-      <ErrorBanner error={mut.error} />
-      <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 12, marginBottom: 12 }}>
-        <div>
-          <Label>Name</Label>
-          <Input value={name} onChange={(e) => setName(e.target.value)} placeholder="Acme" />
-        </div>
-        <div>
-          <Label>Slug</Label>
-          <Input value={slug} onChange={(e) => setSlug(e.target.value)} placeholder="acme" />
-        </div>
-      </div>
-      <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 12, marginBottom: 12 }}>
-        <div>
-          <Label>OpenPartner instance URL</Label>
-          <Input value={instanceUrl} onChange={(e) => setInstanceUrl(e.target.value)} placeholder="https://acme.example.com/api" />
-        </div>
-        <div>
-          <Label>Instance scoped API key</Label>
-          <Input type="password" value={instanceKey} onChange={(e) => setInstanceKey(e.target.value)} placeholder="op_…" />
-        </div>
-      </div>
-      <div style={{ display: 'flex', gap: 8, marginBottom: 12 }}>
-        <Button
-          variant="secondary"
-          size="sm"
-          icon={verify.isPending ? <Loader2 size={12} /> : <ShieldCheck size={12} />}
-          onClick={() => verify.mutate()}
-          disabled={!instanceUrl || !instanceKey || verify.isPending}
-        >
-          {verify.isPending ? 'Verifying…' : 'Verify key'}
-        </Button>
-      </div>
-      <KeyVerification result={verify.data} error={verify.error} />
-      <div style={{ marginBottom: 12 }}>
-        <Label>Router URL (where share links resolve)</Label>
-        <Input value={routerUrl} onChange={(e) => setRouterUrl(e.target.value)} placeholder="https://getcoherence.io" />
-      </div>
-      <div style={{ display: 'grid', gridTemplateColumns: '1fr 2fr', gap: 12, marginBottom: 14 }}>
-        <div>
-          <Label>Website (optional)</Label>
-          <Input value={websiteUrl} onChange={(e) => setWebsiteUrl(e.target.value)} placeholder="https://acme.example" />
-        </div>
-        <div>
-          <Label>Description</Label>
-          <Input value={description} onChange={(e) => setDescription(e.target.value)} />
-        </div>
-      </div>
-      <div style={{ display: 'flex', gap: 8 }}>
-        <Button onClick={() => mut.mutate()} disabled={!name || !slug || !instanceUrl || !instanceKey || mut.isPending}>
-          {mut.isPending ? 'Registering…' : 'Register'}
-        </Button>
-        <Button variant="secondary" onClick={onClose}>
-          Cancel
-        </Button>
-      </div>
-    </Card>
-  );
-}
-
-function KeyVerification({ result, error }: { result?: VerifyResult; error: unknown }) {
-  if (error) {
-    const detail = error instanceof Error ? error.message : 'Could not verify the key.';
-    return (
-      <div
-        style={{
-          display: 'flex',
-          alignItems: 'center',
-          gap: 10,
-          background: theme.dangerSoft,
-          border: `1px solid ${theme.danger}55`,
-          padding: '10px 12px',
-          borderRadius: theme.radiusSm,
-          marginBottom: 12,
-          fontSize: 13,
-          color: theme.danger,
-        }}
-      >
-        <ShieldX size={16} />
-        <div>{detail}</div>
-      </div>
-    );
-  }
-  if (!result) return null;
-
-  if (result.unrestricted) {
-    return (
-      <div
-        style={{
-          background: theme.warnSoft,
-          border: `1px solid ${theme.warn}55`,
-          padding: '10px 12px',
-          borderRadius: theme.radiusSm,
-          marginBottom: 12,
-          fontSize: 13,
-          color: theme.warn,
-          display: 'flex',
-          gap: 10,
-          alignItems: 'flex-start',
-        }}
-      >
-        <ShieldAlert size={16} style={{ flexShrink: 0, marginTop: 1 }} />
-        <div>
-          <div style={{ fontWeight: 500, marginBottom: 4 }}>This is a full admin key</div>
-          <div style={{ color: `${theme.warn}cc` }}>
-            The Network would have unrestricted power over the vendor's instance. Strongly prefer a{' '}
-            <strong>scoped</strong> key. On the vendor's instance run:{' '}
-            <code style={{ fontSize: 12 }}>
-              POST /api-keys/scoped {`{"scopes": ${JSON.stringify(result.recommended ?? [])}}`}
-            </code>
-          </div>
-        </div>
-      </div>
-    );
-  }
-
-  const scopes = result.introspect?.scopes ?? [];
-  const missing = result.missing ?? [];
-
-  if (missing.length > 0) {
-    return (
-      <div
-        style={{
-          background: theme.dangerSoft,
-          border: `1px solid ${theme.danger}55`,
-          padding: '10px 12px',
-          borderRadius: theme.radiusSm,
-          marginBottom: 12,
-          fontSize: 13,
-          color: theme.danger,
-          display: 'flex',
-          gap: 10,
-          alignItems: 'flex-start',
-        }}
-      >
-        <ShieldX size={16} style={{ flexShrink: 0, marginTop: 1 }} />
-        <div>
-          <div style={{ fontWeight: 500, marginBottom: 4 }}>
-            Missing required scopes: {missing.join(', ')}
-          </div>
-          <div style={{ color: `${theme.danger}cc` }}>
-            Key has: {scopes.length === 0 ? <em>none</em> : scopes.map((s) => <code key={s} style={{ marginRight: 6 }}>{s}</code>)}
-          </div>
-        </div>
-      </div>
-    );
-  }
-
-  return (
-    <div
-      style={{
-        background: theme.successSoft,
-        border: `1px solid ${theme.success}55`,
-        padding: '10px 12px',
-        borderRadius: theme.radiusSm,
-        marginBottom: 12,
-        fontSize: 13,
-        color: theme.success,
-        display: 'flex',
-        gap: 10,
-        alignItems: 'flex-start',
-      }}
-    >
-      <ShieldCheck size={16} style={{ flexShrink: 0, marginTop: 1 }} />
-      <div>
-        <div style={{ fontWeight: 500, marginBottom: 4 }}>Scoped key looks good</div>
-        <div style={{ color: `${theme.success}cc` }}>
-          Scopes: {scopes.map((s) => <code key={s} style={{ marginRight: 6 }}>{s}</code>)}
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/apps/portal/src/pages/network/CreatorDirectory.tsx b/apps/portal/src/pages/network/CreatorDirectory.tsx
deleted file mode 100644
index 64b8188..0000000
--- a/apps/portal/src/pages/network/CreatorDirectory.tsx
+++ /dev/null
@@ -1,250 +0,0 @@
-import { useState } from 'react';
-import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Megaphone, UserPlus, ExternalLink } from 'lucide-react';
-import { api } from '../../api.js';
-import { theme } from '../../theme.js';
-import { Avatar, Button, Card, EmptyState, ErrorBanner, Input, Label, Page, Select } from '../../ui.js';
-
-interface Platform {
-  platform: string;
-  url: string;
-  followers?: number;
-}
-
-interface DirectoryCreator {
-  id: string;
-  name: string;
-  handle: string;
-  bio: string | null;
-  avatarUrl: string | null;
-  platforms: Platform[];
-  createdAt: string;
-}
-
-interface VendorOffering {
-  id: string;
-  title: string;
-}
-
-const PROMO_CODE_REGEX = /^[a-zA-Z0-9_-]+$/;
-
-export function CreatorDirectoryPage() {
-  const { data, error, isLoading } = useQuery({
-    queryKey: ['creator-directory'],
-    queryFn: () => api<{ creators: DirectoryCreator[] }>('/network/directory/creators'),
-  });
-
-  const offerings = useQuery({
-    queryKey: ['vendor-offerings'],
-    queryFn: () => api<{ offerings: VendorOffering[] }>('/network/offerings/mine'),
-  });
-
-  const [invite, setInvite] = useState<DirectoryCreator | null>(null);
-
-  return (
-    <Page title="Discover creators" subtitle="Active promoters on the Network. Invite them to your offerings.">
-      <ErrorBanner error={error} />
-      {isLoading ? (
-        <Card>Loading…</Card>
-      ) : (data?.creators ?? []).length === 0 ? (
-        <EmptyState title="No creators yet" hint="Creators show up here once they sign up and verify their email." icon={<Megaphone size={28} strokeWidth={1.25} />} />
-      ) : (
-        <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fill, minmax(320px, 1fr))', gap: 16 }}>
-          {(data?.creators ?? []).map((c) => (
-            <CreatorCard key={c.id} creator={c} onInvite={() => setInvite(c)} />
-          ))}
-        </div>
-      )}
-      {invite && offerings.data && (
-        <InviteDialog creator={invite} offerings={offerings.data.offerings} onClose={() => setInvite(null)} />
-      )}
-    </Page>
-  );
-}
-
-function CreatorCard({ creator, onInvite }: { creator: DirectoryCreator; onInvite: () => void }) {
-  const totalFollowers = (creator.platforms ?? []).reduce((sum, p) => sum + (p.followers ?? 0), 0);
-
-  return (
-    <Card>
-      <div style={{ display: 'flex', alignItems: 'center', gap: 12, marginBottom: 12 }}>
-        <Avatar name={creator.name} size={40} />
-        <div style={{ minWidth: 0, flex: 1 }}>
-          <div style={{ fontSize: 15, fontWeight: 600 }}>{creator.name}</div>
-          <div style={{ fontSize: 12, color: theme.textMuted }}>@{creator.handle}</div>
-        </div>
-      </div>
-      {creator.bio && (
-        <div style={{ fontSize: 13, color: theme.textMuted, lineHeight: 1.5, marginBottom: 12 }}>
-          {creator.bio}
-        </div>
-      )}
-      {(creator.platforms ?? []).length > 0 && (
-        <div style={{ display: 'flex', flexWrap: 'wrap', gap: 6, marginBottom: 12 }}>
-          {creator.platforms.map((p, i) => (
-            <a
-              key={i}
-              href={p.url}
-              target="_blank"
-              rel="noreferrer"
-              style={{
-                display: 'inline-flex',
-                alignItems: 'center',
-                gap: 4,
-                padding: '3px 8px',
-                background: theme.bg,
-                border: `1px solid ${theme.borderSubtle}`,
-                borderRadius: 999,
-                fontSize: 11,
-                color: theme.textMuted,
-              }}
-            >
-              {p.platform}
-              {p.followers && <span style={{ color: theme.accent }}>{formatCount(p.followers)}</span>}
-              <ExternalLink size={10} />
-            </a>
-          ))}
-        </div>
-      )}
-      {totalFollowers > 0 && (
-        <div style={{ fontSize: 12, color: theme.textDim, marginBottom: 12 }}>
-          {formatCount(totalFollowers)} followers across platforms
-        </div>
-      )}
-      <Button size="sm" icon={<UserPlus size={13} />} onClick={onInvite}>
-        Invite
-      </Button>
-    </Card>
-  );
-}
-
-function formatCount(n: number): string {
-  if (n >= 1_000_000) return `${(n / 1_000_000).toFixed(1)}M`;
-  if (n >= 1_000) return `${(n / 1_000).toFixed(1)}k`;
-  return String(n);
-}
-
-function InviteDialog({
-  creator,
-  offerings,
-  onClose,
-}: {
-  creator: DirectoryCreator;
-  offerings: VendorOffering[];
-  onClose: () => void;
-}) {
-  const qc = useQueryClient();
-  const [offeringId, setOfferingId] = useState(offerings[0]?.id ?? '');
-  const [message, setMessage] = useState('');
-  const [promoCode, setPromoCode] = useState(creator.handle);
-
-  const codeValid = promoCode.length >= 3 && promoCode.length <= 40 && PROMO_CODE_REGEX.test(promoCode);
-
-  const mut = useMutation({
-    mutationFn: () =>
-      api('/network/invites', {
-        method: 'POST',
-        body: {
-          offeringId,
-          creatorId: creator.id,
-          message: message || undefined,
-          promoCode: promoCode || undefined,
-        },
-      }),
-    onSuccess: () => {
-      qc.invalidateQueries({ queryKey: ['network-requests-mine'] });
-      onClose();
-    },
-  });
-
-  return (
-    <div
-      style={{
-        position: 'fixed',
-        inset: 0,
-        background: 'rgba(0,0,0,0.6)',
-        display: 'flex',
-        alignItems: 'center',
-        justifyContent: 'center',
-        zIndex: 50,
-      }}
-      onClick={onClose}
-    >
-      <div
-        onClick={(e) => e.stopPropagation()}
-        style={{
-          background: theme.surface,
-          border: `1px solid ${theme.border}`,
-          borderRadius: theme.radiusLg,
-          padding: 24,
-          width: 520,
-          maxWidth: '90vw',
-        }}
-      >
-        <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 18 }}>
-          <Avatar name={creator.name} size={32} />
-          <div>
-            <div style={{ fontSize: 16, fontWeight: 600 }}>Invite {creator.name}</div>
-            <div style={{ fontSize: 12, color: theme.textMuted }}>@{creator.handle}</div>
-          </div>
-        </div>
-        <ErrorBanner error={mut.error} />
-
-        {offerings.length === 0 ? (
-          <div style={{ fontSize: 13, padding: 14, background: theme.warnSoft, borderRadius: theme.radiusSm, color: theme.warn }}>
-            You have no offerings yet. Publish one in Offerings before inviting creators.
-          </div>
-        ) : (
-          <>
-            <Label>Offering</Label>
-            <Select value={offeringId} onChange={(e) => setOfferingId(e.target.value)}>
-              {offerings.map((o) => (
-                <option key={o.id} value={o.id}>
-                  {o.title}
-                </option>
-              ))}
-            </Select>
-
-            <div style={{ marginTop: 14 }}>
-              <Label>Share code you'd assign</Label>
-              <Input value={promoCode} onChange={(e) => setPromoCode(e.target.value)} placeholder="creator_handle" />
-              <div style={{ fontSize: 11, color: theme.textDim, marginTop: 4 }}>
-                The creator sees this in their inbox and can reject the invite if they don't like it.
-              </div>
-            </div>
-
-            <div style={{ marginTop: 14 }}>
-              <Label>Message (optional)</Label>
-              <textarea
-                value={message}
-                onChange={(e) => setMessage(e.target.value)}
-                rows={4}
-                style={{
-                  width: '100%',
-                  padding: '10px 12px',
-                  fontSize: 14,
-                  background: theme.surface2,
-                  border: `1px solid ${theme.border}`,
-                  borderRadius: theme.radiusSm,
-                  color: theme.text,
-                  fontFamily: theme.fontSans,
-                  resize: 'vertical',
-                }}
-                placeholder="Why you think they're a fit."
-              />
-            </div>
-          </>
-        )}
-
-        <div style={{ display: 'flex', gap: 8, marginTop: 16, justifyContent: 'flex-end' }}>
-          <Button variant="secondary" onClick={onClose}>
-            Cancel
-          </Button>
-          <Button onClick={() => mut.mutate()} disabled={!codeValid || !offeringId || mut.isPending || offerings.length === 0}>
-            {mut.isPending ? 'Sending…' : 'Send invite'}
-          </Button>
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/apps/portal/src/pages/network/CreatorProfile.tsx b/apps/portal/src/pages/network/CreatorProfile.tsx
deleted file mode 100644
index 3e98e41..0000000
--- a/apps/portal/src/pages/network/CreatorProfile.tsx
+++ /dev/null
@@ -1,216 +0,0 @@
-import { useEffect, useState } from 'react';
-import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Plus, Trash2, Save, Check } from 'lucide-react';
-import { api } from '../../api.js';
-import { theme } from '../../theme.js';
-import { Button, Card, ErrorBanner, Input, Label, Page, SectionHeading, Select } from '../../ui.js';
-
-interface Platform {
-  platform: 'youtube' | 'twitter' | 'instagram' | 'tiktok' | 'blog' | 'podcast' | 'other';
-  url: string;
-  followers?: number;
-}
-
-interface Creator {
-  id: string;
-  name: string;
-  handle: string;
-  email: string;
-  bio: string | null;
-  avatarUrl: string | null;
-  platforms: Platform[];
-  defaultPromoCode: string | null;
-  status: string;
-}
-
-export function CreatorProfilePage() {
-  const qc = useQueryClient();
-  const { data, error, isLoading } = useQuery({
-    queryKey: ['creator-me'],
-    queryFn: () => api<{ creator: Creator }>('/network/creators/me'),
-  });
-
-  const [name, setName] = useState('');
-  const [bio, setBio] = useState('');
-  const [avatarUrl, setAvatarUrl] = useState('');
-  const [defaultPromoCode, setDefaultPromoCode] = useState('');
-  const [platforms, setPlatforms] = useState<Platform[]>([]);
-  const [saved, setSaved] = useState(false);
-
-  useEffect(() => {
-    if (!data?.creator) return;
-    setName(data.creator.name);
-    setBio(data.creator.bio ?? '');
-    setAvatarUrl(data.creator.avatarUrl ?? '');
-    setDefaultPromoCode(data.creator.defaultPromoCode ?? '');
-    setPlatforms(data.creator.platforms ?? []);
-  }, [data?.creator]);
-
-  const save = useMutation({
-    mutationFn: () =>
-      api<{ creator: Creator }>('/network/creators/me', {
-        method: 'PATCH',
-        body: {
-          name: name.trim(),
-          bio: bio.trim() || null,
-          avatarUrl: avatarUrl.trim() || null,
-          defaultPromoCode: defaultPromoCode.trim() || null,
-          platforms: platforms.filter((p) => p.url.trim().length > 0),
-        },
-      }),
-    onSuccess: () => {
-      qc.invalidateQueries({ queryKey: ['creator-me'] });
-      qc.invalidateQueries({ queryKey: ['whoami'] });
-      setSaved(true);
-      setTimeout(() => setSaved(false), 2000);
-    },
-  });
-
-  return (
-    <Page title="Profile" subtitle="What vendors see when they browse creators.">
-      <ErrorBanner error={error ?? save.error} />
-      {isLoading || !data ? (
-        <Card>Loading…</Card>
-      ) : (
-        <>
-          <Card>
-            <SectionHeadingInline>Identity</SectionHeadingInline>
-            <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 14, marginBottom: 14 }}>
-              <div>
-                <Label>Name</Label>
-                <Input value={name} onChange={(e) => setName(e.target.value)} />
-              </div>
-              <div>
-                <Label>Handle</Label>
-                <Input value={data.creator.handle} disabled style={{ color: theme.textMuted }} />
-                <div style={{ fontSize: 11, color: theme.textDim, marginTop: 4 }}>
-                  Handle and email are fixed — they anchor your share links and sign-in.
-                </div>
-              </div>
-            </div>
-            <div style={{ marginBottom: 14 }}>
-              <Label>Bio</Label>
-              <textarea
-                value={bio}
-                onChange={(e) => setBio(e.target.value)}
-                rows={3}
-                style={{
-                  width: '100%',
-                  padding: '10px 12px',
-                  fontSize: 14,
-                  background: theme.surface2,
-                  border: `1px solid ${theme.border}`,
-                  borderRadius: theme.radiusSm,
-                  color: theme.text,
-                  fontFamily: theme.fontSans,
-                  resize: 'vertical',
-                }}
-                placeholder="A sentence vendors will read before inviting you."
-              />
-            </div>
-            <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 14 }}>
-              <div>
-                <Label>Avatar URL</Label>
-                <Input value={avatarUrl} onChange={(e) => setAvatarUrl(e.target.value)} placeholder="https://…" />
-              </div>
-              <div>
-                <Label>Default share code</Label>
-                <Input
-                  value={defaultPromoCode}
-                  onChange={(e) => setDefaultPromoCode(e.target.value)}
-                  placeholder="graciefindsdeals"
-                />
-                <div style={{ fontSize: 11, color: theme.textDim, marginTop: 4 }}>
-                  Pre-fills every new application. URL-safe, 3–40 chars.
-                </div>
-              </div>
-            </div>
-          </Card>
-
-          <SectionHeading actions={<Button variant="secondary" size="sm" icon={<Plus size={12} />} onClick={() => setPlatforms([...platforms, { platform: 'youtube', url: '' }])}>Add platform</Button>}>
-            Platforms
-          </SectionHeading>
-          {platforms.length === 0 ? (
-            <Card>
-              <div style={{ color: theme.textMuted, fontSize: 13 }}>
-                Add the channels where you publish — vendors decide who to invite largely off this list.
-              </div>
-            </Card>
-          ) : (
-            <div style={{ display: 'flex', flexDirection: 'column', gap: 10 }}>
-              {platforms.map((p, i) => (
-                <PlatformRow
-                  key={i}
-                  platform={p}
-                  onChange={(next) => setPlatforms(platforms.map((x, j) => (i === j ? next : x)))}
-                  onRemove={() => setPlatforms(platforms.filter((_, j) => j !== i))}
-                />
-              ))}
-            </div>
-          )}
-
-          <div style={{ marginTop: 24, display: 'flex', gap: 10, alignItems: 'center' }}>
-            <Button onClick={() => save.mutate()} disabled={save.isPending} icon={save.isPending ? undefined : <Save size={14} />}>
-              {save.isPending ? 'Saving…' : 'Save profile'}
-            </Button>
-            {saved && (
-              <span style={{ color: theme.success, fontSize: 13, display: 'inline-flex', alignItems: 'center', gap: 4 }}>
-                <Check size={14} /> Saved
-              </span>
-            )}
-          </div>
-        </>
-      )}
-    </Page>
-  );
-}
-
-function PlatformRow({
-  platform,
-  onChange,
-  onRemove,
-}: {
-  platform: Platform;
-  onChange: (p: Platform) => void;
-  onRemove: () => void;
-}) {
-  return (
-    <Card>
-      <div style={{ display: 'grid', gridTemplateColumns: '140px 2fr 120px auto', gap: 10, alignItems: 'end' }}>
-        <div>
-          <Label>Platform</Label>
-          <Select value={platform.platform} onChange={(e) => onChange({ ...platform, platform: e.target.value as Platform['platform'] })}>
-            {['youtube', 'twitter', 'instagram', 'tiktok', 'blog', 'podcast', 'other'].map((p) => (
-              <option key={p} value={p}>
-                {p}
-              </option>
-            ))}
-          </Select>
-        </div>
-        <div>
-          <Label>URL</Label>
-          <Input value={platform.url} onChange={(e) => onChange({ ...platform, url: e.target.value })} placeholder="https://…" />
-        </div>
-        <div>
-          <Label>Followers</Label>
-          <Input
-            type="number"
-            value={platform.followers ?? ''}
-            onChange={(e) => onChange({ ...platform, followers: e.target.value ? Number(e.target.value) : undefined })}
-          />
-        </div>
-        <Button variant="secondary" onClick={onRemove} icon={<Trash2 size={14} />} style={{ height: 38 }}>
-          Remove
-        </Button>
-      </div>
-    </Card>
-  );
-}
-
-function SectionHeadingInline({ children }: { children: React.ReactNode }) {
-  return (
-    <div style={{ fontSize: 12, fontWeight: 600, color: theme.textMuted, textTransform: 'uppercase', letterSpacing: '0.06em', marginBottom: 14 }}>
-      {children}
-    </div>
-  );
-}
diff --git a/apps/portal/src/pages/network/Discover.tsx b/apps/portal/src/pages/network/Discover.tsx
deleted file mode 100644
index 85bc3a3..0000000
--- a/apps/portal/src/pages/network/Discover.tsx
+++ /dev/null
@@ -1,295 +0,0 @@
-import { useState } from 'react';
-import { Link } from 'react-router-dom';
-import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Compass, ExternalLink, ArrowRight } from 'lucide-react';
-import { api, type Principal } from '../../api.js';
-import { theme } from '../../theme.js';
-import { Avatar, Button, Card, EmptyState, ErrorBanner, Input, Label, Page } from '../../ui.js';
-
-interface DirOffering {
-  id: string;
-  title: string;
-  description: string | null;
-  heroImageUrl: string | null;
-  productUrl: string;
-  createdAt: string;
-  vendorId: string;
-  vendorName: string;
-  vendorSlug: string;
-  vendorLogoUrl: string | null;
-  vendorRouterUrl: string | null;
-  vendorInstanceUrl: string;
-  terms: {
-    payout:
-      | { type: 'recurring_percent'; percent: number; durationMonths: number | null }
-      | { type: 'one_time_fee'; amount: number; currency?: string }
-      | { type: 'tiered_percent'; tiers: Array<{ minRevenueUsd: number; percent: number }> };
-    cookieWindowDays: number;
-    bonuses?: Array<{ description: string; triggerRevenueUsd: number; bonusUsd: number }>;
-  };
-}
-
-import { CreatorDirectoryPage } from './CreatorDirectory.js';
-
-export function DiscoverPage({ principal }: { principal: Principal }) {
-  // Vendors browsing the directory are looking for creators; creators and
-  // admins browsing are looking for offerings to promote. We render the
-  // creator-directory variant via early return AFTER all hooks run.
-  const isVendor = principal.role === 'network_vendor';
-
-  const { data, error, isLoading } = useQuery({
-    queryKey: ['network-directory-offerings'],
-    queryFn: () => api<{ offerings: DirOffering[] }>('/network/directory/offerings'),
-    enabled: !isVendor,
-  });
-
-  if (isVendor) return <CreatorDirectoryPage />;
-
-  const defaultCode = principal.creator?.defaultPromoCode ?? principal.creator?.handle ?? '';
-
-  return (
-    <Page title="Discover" subtitle="Offerings from every active vendor on the Network.">
-      <ErrorBanner error={error} />
-      {isLoading ? (
-        <Card>Loading…</Card>
-      ) : (data?.offerings ?? []).length === 0 ? (
-        <EmptyState
-          title="Nothing here yet"
-          hint="Vendors haven't published their offerings yet."
-          icon={<Compass size={28} strokeWidth={1.25} />}
-        />
-      ) : (
-        <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fill, minmax(320px, 1fr))', gap: 16 }}>
-          {(data?.offerings ?? []).map((o) => (
-            <OfferingCard
-              key={o.id}
-              offering={o}
-              canApply={principal.role === 'network_creator'}
-              defaultCode={defaultCode}
-            />
-          ))}
-        </div>
-      )}
-    </Page>
-  );
-}
-
-function OfferingCard({
-  offering,
-  canApply,
-  defaultCode,
-}: {
-  offering: DirOffering;
-  canApply: boolean;
-  defaultCode: string;
-}) {
-  const [showApply, setShowApply] = useState(false);
-  return (
-    <Card>
-      <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 12 }}>
-        <Avatar name={offering.vendorName} size={28} />
-        <div style={{ fontSize: 12, color: theme.textMuted }}>{offering.vendorName}</div>
-      </div>
-      <Link
-        to={`/network/offerings/${offering.id}`}
-        style={{ fontSize: 16, fontWeight: 600, marginBottom: 6, display: 'block', color: 'inherit' }}
-      >
-        {offering.title}
-      </Link>
-      {offering.description && (
-        <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 12, lineHeight: 1.5 }}>
-          {offering.description}
-        </div>
-      )}
-      <TermsSummary terms={offering.terms} />
-      <div style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'center', marginTop: 16 }}>
-        <a
-          href={offering.productUrl}
-          target="_blank"
-          rel="noreferrer"
-          style={{ color: theme.textMuted, fontSize: 12, display: 'inline-flex', alignItems: 'center', gap: 4 }}
-        >
-          Product <ExternalLink size={12} />
-        </a>
-        {canApply && (
-          <Button size="sm" icon={<ArrowRight size={13} />} onClick={() => setShowApply(true)}>
-            Apply
-          </Button>
-        )}
-      </div>
-      {showApply && <ApplyDialog offering={offering} defaultCode={defaultCode} onClose={() => setShowApply(false)} />}
-    </Card>
-  );
-}
-
-const PROMO_CODE_REGEX = /^[a-zA-Z0-9_-]+$/;
-
-export function shareUrlHost(offering: Pick<DirOffering, 'vendorRouterUrl' | 'vendorInstanceUrl'>): string {
-  // Mirror the API's deriveRouterUrl: vendor.routerUrl → port-swap on
-  // instanceUrl (4601 → 4701 for local dev) → instance origin as fallback.
-  if (offering.vendorRouterUrl) return offering.vendorRouterUrl.replace(/\/$/, '');
-  try {
-    const url = new URL(offering.vendorInstanceUrl);
-    if (url.port === '4601') {
-      url.port = '4701';
-      return url.origin;
-    }
-    return url.origin;
-  } catch {
-    return offering.vendorInstanceUrl.replace(/\/$/, '');
-  }
-}
-
-function TermsSummary({ terms }: { terms: DirOffering['terms'] }) {
-  const { payout } = terms;
-  return (
-    <div style={{ display: 'flex', flexDirection: 'column', gap: 8, padding: 12, background: theme.bg, borderRadius: theme.radiusSm }}>
-      <div style={{ fontSize: 13 }}>
-        <strong style={{ color: theme.accent }}>
-          {payout.type === 'recurring_percent' && `${payout.percent}% recurring`}
-          {payout.type === 'one_time_fee' && `$${payout.amount} one-time`}
-          {payout.type === 'tiered_percent' && 'Tiered %'}
-        </strong>
-        {payout.type === 'recurring_percent' && (
-          <span style={{ color: theme.textMuted }}>
-            {' '}
-            {payout.durationMonths ? `for ${payout.durationMonths} months` : '(lifetime)'}
-          </span>
-        )}
-      </div>
-      <div style={{ fontSize: 12, color: theme.textMuted }}>{terms.cookieWindowDays}-day attribution window</div>
-      {terms.bonuses?.map((b, i) => (
-        <div key={i} style={{ fontSize: 12, color: theme.warn }}>
-          🎯 ${b.bonusUsd} bonus at ${b.triggerRevenueUsd.toLocaleString()} MRR
-        </div>
-      ))}
-    </div>
-  );
-}
-
-function ApplyDialog({
-  offering,
-  defaultCode,
-  onClose,
-}: {
-  offering: DirOffering;
-  defaultCode: string;
-  onClose: () => void;
-}) {
-  const qc = useQueryClient();
-  const [message, setMessage] = useState('');
-  const [promoCode, setPromoCode] = useState(defaultCode);
-
-  const codeValid = promoCode.length >= 3 && promoCode.length <= 40 && PROMO_CODE_REGEX.test(promoCode);
-  const host = shareUrlHost(offering);
-
-  const mut = useMutation({
-    mutationFn: () =>
-      api('/network/requests', {
-        method: 'POST',
-        body: {
-          offeringId: offering.id,
-          message: message || undefined,
-          promoCode: promoCode || undefined,
-        },
-      }),
-    onSuccess: () => {
-      qc.invalidateQueries({ queryKey: ['network-requests-mine'] });
-      onClose();
-    },
-  });
-
-  return (
-    <div
-      style={{
-        position: 'fixed',
-        inset: 0,
-        background: 'rgba(0,0,0,0.6)',
-        display: 'flex',
-        alignItems: 'center',
-        justifyContent: 'center',
-        zIndex: 50,
-      }}
-      onClick={onClose}
-    >
-      <div
-        onClick={(e) => e.stopPropagation()}
-        style={{
-          background: theme.surface,
-          border: `1px solid ${theme.border}`,
-          borderRadius: theme.radiusLg,
-          padding: 24,
-          width: 520,
-          maxWidth: '90vw',
-        }}
-      >
-        <div style={{ fontSize: 16, fontWeight: 600, marginBottom: 4 }}>Apply to promote {offering.vendorName}</div>
-        <div style={{ color: theme.textMuted, fontSize: 13, marginBottom: 18 }}>
-          Pick a memorable share code and tell the vendor why you're a fit.
-        </div>
-        <ErrorBanner error={mut.error} />
-
-        <Label>Your share code</Label>
-        <Input
-          value={promoCode}
-          onChange={(e) => setPromoCode(e.target.value)}
-          placeholder="graciefindsdeals"
-        />
-        <div
-          style={{
-            background: theme.bg,
-            border: `1px solid ${theme.borderSubtle}`,
-            padding: '10px 12px',
-            borderRadius: theme.radiusSm,
-            marginTop: 8,
-            marginBottom: 4,
-            fontSize: 13,
-            color: theme.textMuted,
-            display: 'flex',
-            alignItems: 'center',
-            gap: 6,
-            overflow: 'hidden',
-            textOverflow: 'ellipsis',
-            whiteSpace: 'nowrap',
-          }}
-        >
-          <span style={{ color: theme.textDim }}>Preview</span>
-          <code style={{ color: codeValid ? theme.accent : theme.textMuted }}>
-            {host}/r/{promoCode || '...'}
-          </code>
-        </div>
-        <div style={{ fontSize: 11, color: theme.textDim, marginBottom: 16 }}>
-          Letters, digits, underscores or dashes. 3–40 chars. Taken codes get a short suffix on approval.
-        </div>
-
-        <Label>Message (optional)</Label>
-        <textarea
-          value={message}
-          onChange={(e) => setMessage(e.target.value)}
-          rows={5}
-          style={{
-            width: '100%',
-            padding: '10px 12px',
-            fontSize: 14,
-            background: theme.surface2,
-            border: `1px solid ${theme.border}`,
-            borderRadius: theme.radiusSm,
-            color: theme.text,
-            fontFamily: theme.fontSans,
-            resize: 'vertical',
-          }}
-          placeholder="120k YouTube subs in the indie-hacker niche, mostly US + EU."
-        />
-
-        <div style={{ display: 'flex', gap: 8, marginTop: 16, justifyContent: 'flex-end' }}>
-          <Button variant="secondary" onClick={onClose}>
-            Cancel
-          </Button>
-          <Button onClick={() => mut.mutate()} disabled={!codeValid || mut.isPending}>
-            {mut.isPending ? 'Sending…' : 'Send application'}
-          </Button>
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/apps/portal/src/pages/network/MyPartnerships.tsx b/apps/portal/src/pages/network/MyPartnerships.tsx
deleted file mode 100644
index b3376c8..0000000
--- a/apps/portal/src/pages/network/MyPartnerships.tsx
+++ /dev/null
@@ -1,346 +0,0 @@
-import { useState } from 'react';
-import { useQuery } from '@tanstack/react-query';
-import {
-  Handshake,
-  Copy,
-  Check,
-  ExternalLink,
-  MousePointerClick,
-  Wallet,
-  Receipt,
-  AlertCircle,
-  ChevronDown,
-  ChevronUp,
-} from 'lucide-react';
-import { api, type Principal } from '../../api.js';
-import { theme } from '../../theme.js';
-import { Card, EmptyState, ErrorBanner, Page, SectionHeading, Stat, StatusPill, formatDate, money } from '../../ui.js';
-
-interface PartnerStats {
-  partnerId: string;
-  since: string;
-  clicks: number;
-  attributedEvents: number;
-  attributedRevenue: number;
-  commissionByStatus: Record<string, number>;
-}
-
-interface EarningRow {
-  partnership: {
-    id: string;
-    vendorId: string;
-    vendorName: string;
-    offeringTitle: string;
-    vendorLinkKey: string;
-    publicShareUrl: string;
-    createdAt: string;
-  };
-  status: 'ok' | 'error';
-  error?: string;
-  stats: PartnerStats | null;
-}
-
-interface EarningsResponse {
-  partnerships: EarningRow[];
-  totals: {
-    clicks: number;
-    attributedEvents: number;
-    attributedRevenue: number;
-    commission: { accrued: number; approved: number; paid: number; reversed: number };
-    vendorCount: number;
-    healthy: number;
-    unreachable: number;
-  };
-}
-
-export function MyPartnershipsPage({ principal }: { principal: Principal }) {
-  const { data, error, isLoading } = useQuery({
-    queryKey: ['network-earnings'],
-    queryFn: () => api<EarningsResponse>('/network/partnerships/earnings'),
-  });
-
-  const subtitle =
-    principal.role === 'network_creator'
-      ? 'Live earnings from every program you promote.'
-      : 'Creators currently promoting your offerings.';
-
-  return (
-    <Page title="Partnerships" subtitle={subtitle}>
-      <ErrorBanner error={error} />
-      {isLoading ? (
-        <Card>Loading…</Card>
-      ) : !data || data.partnerships.length === 0 ? (
-        <EmptyState
-          title="No active partnerships"
-          hint="They'll appear here once a vendor approves an application."
-          icon={<Handshake size={28} strokeWidth={1.25} />}
-        />
-      ) : (
-        <>
-          <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fit, minmax(220px, 1fr))', gap: 14, marginBottom: 8 }}>
-            <Stat
-              label="Clicks (30d)"
-              value={data.totals.clicks}
-              icon={<MousePointerClick size={16} />}
-            />
-            <Stat
-              label="Attributed revenue"
-              value={money(data.totals.attributedRevenue)}
-              icon={<Wallet size={16} />}
-              hint={`${data.totals.attributedEvents} events`}
-            />
-            <Stat
-              label="Earned (paid)"
-              value={money(data.totals.commission.paid)}
-              icon={<Receipt size={16} />}
-              hint={`${money(data.totals.commission.approved + data.totals.commission.accrued)} still accruing`}
-            />
-            <Stat
-              label={principal.role === 'network_vendor' ? 'Creators' : 'Vendors'}
-              value={data.totals.vendorCount}
-              hint={
-                data.totals.unreachable > 0
-                  ? `${data.totals.unreachable} unreachable`
-                  : `${data.totals.healthy} healthy`
-              }
-            />
-          </div>
-
-          <SectionHeading>Per partnership</SectionHeading>
-          <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fit, minmax(360px, 1fr))', gap: 14 }}>
-            {data.partnerships.map((row) => (
-              <PartnershipCard key={row.partnership.id} row={row} />
-            ))}
-          </div>
-        </>
-      )}
-    </Page>
-  );
-}
-
-function PartnershipCard({ row }: { row: EarningRow }) {
-  const [copied, setCopied] = useState(false);
-  const [expanded, setExpanded] = useState(false);
-  const s = row.stats;
-
-  const totalCommissionEntries =
-    (s?.commissionByStatus
-      ? Object.values(s.commissionByStatus).reduce((a, b) => a + (b > 0 ? 1 : 0), 0)
-      : 0);
-
-  return (
-    <Card>
-      <div style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'flex-start', marginBottom: 12 }}>
-        <div style={{ minWidth: 0, flex: 1 }}>
-          <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 2 }}>{row.partnership.vendorName}</div>
-          <div style={{ fontSize: 15, fontWeight: 600, whiteSpace: 'nowrap', overflow: 'hidden', textOverflow: 'ellipsis' }}>
-            {row.partnership.offeringTitle}
-          </div>
-        </div>
-        <StatusPill status="active" />
-      </div>
-
-      <div
-        style={{
-          display: 'flex',
-          alignItems: 'center',
-          gap: 8,
-          background: theme.bg,
-          border: `1px solid ${theme.borderSubtle}`,
-          padding: '8px 10px',
-          borderRadius: theme.radiusSm,
-          marginBottom: 12,
-        }}
-      >
-        <code style={{ flex: 1, fontSize: 12, color: theme.accent, overflow: 'hidden', textOverflow: 'ellipsis', whiteSpace: 'nowrap' }}>
-          {row.partnership.publicShareUrl}
-        </code>
-        <button
-          onClick={() => {
-            navigator.clipboard.writeText(row.partnership.publicShareUrl);
-            setCopied(true);
-            setTimeout(() => setCopied(false), 1500);
-          }}
-          style={{
-            background: 'transparent',
-            border: `1px solid ${theme.border}`,
-            color: copied ? theme.success : theme.textMuted,
-            padding: '4px 8px',
-            borderRadius: theme.radiusSm,
-            cursor: 'pointer',
-            display: 'inline-flex',
-            alignItems: 'center',
-            gap: 4,
-            fontSize: 11,
-          }}
-        >
-          {copied ? <Check size={12} /> : <Copy size={12} />}
-          {copied ? 'Copied' : 'Copy'}
-        </button>
-        <a
-          href={row.partnership.publicShareUrl}
-          target="_blank"
-          rel="noreferrer"
-          style={{ color: theme.textMuted, display: 'inline-flex', alignItems: 'center' }}
-        >
-          <ExternalLink size={13} />
-        </a>
-      </div>
-
-      {row.status === 'error' ? (
-        <div
-          style={{
-            background: theme.dangerSoft,
-            color: theme.danger,
-            padding: '8px 12px',
-            borderRadius: theme.radiusSm,
-            fontSize: 12,
-            display: 'flex',
-            alignItems: 'center',
-            gap: 8,
-          }}
-        >
-          <AlertCircle size={14} />
-          <div>
-            <div style={{ fontWeight: 500 }}>Vendor unreachable</div>
-            <div style={{ color: `${theme.danger}aa`, marginTop: 2 }}>{row.error}</div>
-          </div>
-        </div>
-      ) : (
-        <>
-          <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr 1fr', gap: 10 }}>
-            <MiniStat label="Clicks" value={s?.clicks ?? 0} />
-            <MiniStat label="Revenue" value={money(s?.attributedRevenue ?? 0)} />
-            <MiniStat label="Paid" value={money(s?.commissionByStatus.paid ?? 0)} tint={theme.success} />
-          </div>
-          {totalCommissionEntries > 0 && (
-            <>
-              <button
-                onClick={() => setExpanded((v) => !v)}
-                style={{
-                  marginTop: 12,
-                  background: 'transparent',
-                  border: 'none',
-                  color: theme.textMuted,
-                  padding: 0,
-                  fontSize: 12,
-                  cursor: 'pointer',
-                  display: 'inline-flex',
-                  alignItems: 'center',
-                  gap: 4,
-                }}
-              >
-                {expanded ? <ChevronUp size={12} /> : <ChevronDown size={12} />}
-                {expanded ? 'Hide' : 'View'} commission history
-              </button>
-              {expanded && <CommissionDrilldown partnershipId={row.partnership.id} />}
-            </>
-          )}
-        </>
-      )}
-
-      <div style={{ fontSize: 11, color: theme.textDim, marginTop: 10 }}>
-        Started {formatDate(row.partnership.createdAt, { relative: true })}
-      </div>
-    </Card>
-  );
-}
-
-interface Commission {
-  id: string;
-  amount: string;
-  currency: string;
-  status: string;
-  accruedAt: string;
-  paidAt: string | null;
-}
-
-function CommissionDrilldown({ partnershipId }: { partnershipId: string }) {
-  const { data, error, isLoading } = useQuery({
-    queryKey: ['network-partnership-commissions', partnershipId],
-    queryFn: () => api<{ commissions: Commission[] }>(`/network/partnerships/${partnershipId}/commissions`),
-  });
-
-  if (isLoading) {
-    return <div style={{ color: theme.textDim, fontSize: 12, marginTop: 10 }}>Loading…</div>;
-  }
-  if (error) {
-    return (
-      <div style={{ color: theme.danger, fontSize: 12, marginTop: 10 }}>
-        {error instanceof Error ? error.message : 'Could not load commission history.'}
-      </div>
-    );
-  }
-  const rows = data?.commissions ?? [];
-  if (rows.length === 0) {
-    return <div style={{ color: theme.textDim, fontSize: 12, marginTop: 10 }}>No commissions yet.</div>;
-  }
-
-  return (
-    <div
-      style={{
-        marginTop: 10,
-        background: theme.bg,
-        border: `1px solid ${theme.borderSubtle}`,
-        borderRadius: theme.radiusSm,
-        overflow: 'hidden',
-        maxHeight: 240,
-        overflowY: 'auto',
-      }}
-    >
-      <table style={{ width: '100%', borderCollapse: 'collapse', fontSize: 12 }}>
-        <thead>
-          <tr style={{ background: theme.surface2 }}>
-            <th style={headerCellStyle}>Status</th>
-            <th style={{ ...headerCellStyle, textAlign: 'right' }}>Amount</th>
-            <th style={headerCellStyle}>Accrued</th>
-            <th style={headerCellStyle}>Paid</th>
-          </tr>
-        </thead>
-        <tbody>
-          {rows.map((c, i) => (
-            <tr key={c.id} style={{ borderBottom: i < rows.length - 1 ? `1px solid ${theme.borderSubtle}` : 'none' }}>
-              <td style={cellStyle}>
-                <StatusPill status={c.status} />
-              </td>
-              <td style={{ ...cellStyle, textAlign: 'right', fontVariantNumeric: 'tabular-nums', fontWeight: 500 }}>
-                {money(c.amount, c.currency)}
-              </td>
-              <td style={{ ...cellStyle, color: theme.textMuted }}>
-                {formatDate(c.accruedAt, { relative: true })}
-              </td>
-              <td style={{ ...cellStyle, color: theme.textMuted }}>
-                {formatDate(c.paidAt, { relative: true })}
-              </td>
-            </tr>
-          ))}
-        </tbody>
-      </table>
-    </div>
-  );
-}
-
-const headerCellStyle = {
-  padding: '8px 10px',
-  textAlign: 'left' as const,
-  color: theme.textMuted,
-  fontSize: 10,
-  fontWeight: 600,
-  textTransform: 'uppercase' as const,
-  letterSpacing: '0.05em',
-};
-
-const cellStyle = {
-  padding: '8px 10px',
-};
-
-function MiniStat({ label, value, tint }: { label: string; value: string | number; tint?: string }) {
-  return (
-    <div>
-      <div style={{ fontSize: 10, color: theme.textMuted, textTransform: 'uppercase', letterSpacing: '0.05em', marginBottom: 2 }}>
-        {label}
-      </div>
-      <div style={{ fontSize: 14, fontWeight: 500, fontVariantNumeric: 'tabular-nums', color: tint ?? theme.text }}>{value}</div>
-    </div>
-  );
-}
diff --git a/apps/portal/src/pages/network/MyRequests.tsx b/apps/portal/src/pages/network/MyRequests.tsx
deleted file mode 100644
index 0e5c54c..0000000
--- a/apps/portal/src/pages/network/MyRequests.tsx
+++ /dev/null
@@ -1,53 +0,0 @@
-import { useQuery } from '@tanstack/react-query';
-import { Inbox } from 'lucide-react';
-import { api, type Principal } from '../../api.js';
-import { theme } from '../../theme.js';
-import { Card, EmptyState, ErrorBanner, Page, StatusPill, Table, formatDate, shortId } from '../../ui.js';
-
-interface PartnershipRequest {
-  id: string;
-  offeringId: string;
-  vendorId: string;
-  creatorId: string;
-  direction: 'creator_to_vendor' | 'vendor_to_creator';
-  message: string | null;
-  status: string;
-  createdAt: string;
-  decidedAt: string | null;
-  decisionNote: string | null;
-}
-
-export function MyRequestsPage({ principal }: { principal: Principal }) {
-  const { data, error, isLoading } = useQuery({
-    queryKey: ['network-requests-mine'],
-    queryFn: () => api<{ requests: PartnershipRequest[] }>('/network/requests/mine'),
-  });
-
-  const rows = (data?.requests ?? []).map((r) => [
-    <code style={{ color: theme.textDim, fontSize: 12 }}>{shortId(r.id)}</code>,
-    <code style={{ color: theme.textDim, fontSize: 12 }}>{shortId(r.offeringId)}</code>,
-    <span style={{ color: theme.textMuted }}>
-      {r.direction === 'creator_to_vendor' ? 'You → Vendor' : 'Vendor → You'}
-    </span>,
-    <StatusPill status={r.status} />,
-    <span style={{ color: theme.textMuted }}>{formatDate(r.createdAt, { relative: true })}</span>,
-  ]);
-
-  const subtitle =
-    principal.role === 'network_creator'
-      ? 'Applications you have submitted to vendors.'
-      : 'Applications creators have submitted to your offerings.';
-
-  return (
-    <Page title="Requests" subtitle={subtitle}>
-      <ErrorBanner error={error} />
-      {isLoading ? (
-        <Card>Loading…</Card>
-      ) : rows.length === 0 ? (
-        <EmptyState title="No requests yet" icon={<Inbox size={28} strokeWidth={1.25} />} />
-      ) : (
-        <Table columns={['ID', 'Offering', 'Direction', 'Status', 'Created']} rows={rows} />
-      )}
-    </Page>
-  );
-}
diff --git a/apps/portal/src/pages/network/OfferingDetail.tsx b/apps/portal/src/pages/network/OfferingDetail.tsx
deleted file mode 100644
index 1293160..0000000
--- a/apps/portal/src/pages/network/OfferingDetail.tsx
+++ /dev/null
@@ -1,358 +0,0 @@
-import { useState } from 'react';
-import { useParams, useNavigate, Link } from 'react-router-dom';
-import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { ArrowLeft, ExternalLink, ArrowRight, Globe, Clock, DollarSign, Trophy } from 'lucide-react';
-import { api, type Principal } from '../../api.js';
-import { theme } from '../../theme.js';
-import { Avatar, Button, Card, ErrorBanner, Input, Label, Page, SectionHeading, formatDate } from '../../ui.js';
-
-interface OfferingDetail {
-  id: string;
-  title: string;
-  description: string | null;
-  heroImageUrl: string | null;
-  productUrl: string;
-  createdAt: string;
-  vendorId: string;
-  vendorName: string;
-  vendorSlug: string;
-  vendorLogoUrl: string | null;
-  vendorWebsiteUrl: string | null;
-  vendorDescription: string | null;
-  vendorRouterUrl?: string | null;
-  vendorInstanceUrl?: string;
-  terms: {
-    payout:
-      | { type: 'recurring_percent'; percent: number; durationMonths: number | null }
-      | { type: 'one_time_fee'; amount: number; currency?: string }
-      | { type: 'tiered_percent'; tiers: Array<{ minRevenueUsd: number; percent: number }> };
-    cookieWindowDays: number;
-    bonuses?: Array<{ description: string; triggerRevenueUsd: number; bonusUsd: number }>;
-    exclusions?: string[];
-  };
-}
-
-export function OfferingDetailPage({ principal }: { principal: Principal }) {
-  const { id } = useParams();
-  const nav = useNavigate();
-  const { data, error, isLoading } = useQuery({
-    queryKey: ['offering-detail', id],
-    queryFn: () => api<{ offering: OfferingDetail }>(`/network/directory/offerings/${id}`),
-    enabled: !!id,
-  });
-  const [showApply, setShowApply] = useState(false);
-
-  const canApply = principal.role === 'network_creator';
-  const defaultCode = principal.creator?.defaultPromoCode ?? principal.creator?.handle ?? '';
-
-  if (isLoading) {
-    return (
-      <Page title="Offering">
-        <Card>Loading…</Card>
-      </Page>
-    );
-  }
-  if (error || !data) {
-    return (
-      <Page title="Offering">
-        <ErrorBanner error={error ?? new Error('Not found.')} />
-      </Page>
-    );
-  }
-
-  const o = data.offering;
-
-  return (
-    <Page
-      title={o.title}
-      subtitle={`By ${o.vendorName}`}
-      actions={
-        canApply ? (
-          <Button icon={<ArrowRight size={14} />} onClick={() => setShowApply(true)}>
-            Apply to promote
-          </Button>
-        ) : undefined
-      }
-    >
-      <div style={{ marginBottom: 14 }}>
-        <button
-          onClick={() => nav(-1)}
-          style={{
-            background: 'transparent',
-            border: 'none',
-            color: theme.textMuted,
-            fontSize: 12,
-            cursor: 'pointer',
-            display: 'inline-flex',
-            alignItems: 'center',
-            gap: 4,
-            padding: 0,
-          }}
-        >
-          <ArrowLeft size={12} /> Back
-        </button>
-      </div>
-
-      <div style={{ display: 'grid', gridTemplateColumns: '2fr 1fr', gap: 16 }}>
-        <div style={{ display: 'flex', flexDirection: 'column', gap: 16 }}>
-          <Card>
-            <div style={{ display: 'flex', alignItems: 'center', gap: 12, marginBottom: 14 }}>
-              <Avatar name={o.vendorName} size={40} />
-              <div>
-                <div style={{ fontSize: 14, fontWeight: 600 }}>{o.vendorName}</div>
-                <a
-                  href={o.productUrl}
-                  target="_blank"
-                  rel="noreferrer"
-                  style={{ fontSize: 12, color: theme.accent, display: 'inline-flex', alignItems: 'center', gap: 4 }}
-                >
-                  {o.productUrl.replace(/^https?:\/\//, '')} <ExternalLink size={11} />
-                </a>
-              </div>
-            </div>
-            {o.description && (
-              <div style={{ fontSize: 14, color: theme.text, lineHeight: 1.6, whiteSpace: 'pre-wrap' }}>
-                {o.description}
-              </div>
-            )}
-          </Card>
-
-          <SectionHeading>Terms</SectionHeading>
-          <Card>
-            <TermBlock icon={<DollarSign size={16} />} label="Payout">
-              <PayoutSummary payout={o.terms.payout} />
-            </TermBlock>
-            <TermBlock icon={<Clock size={16} />} label="Attribution window">
-              <span>{o.terms.cookieWindowDays} days</span>
-            </TermBlock>
-            {o.terms.bonuses && o.terms.bonuses.length > 0 && (
-              <TermBlock icon={<Trophy size={16} />} label="Bonuses">
-                <ul style={{ margin: 0, paddingLeft: 18, lineHeight: 1.7 }}>
-                  {o.terms.bonuses.map((b, i) => (
-                    <li key={i} style={{ color: theme.text }}>
-                      <strong style={{ color: theme.warn }}>${b.bonusUsd.toLocaleString()}</strong> when revenue hits{' '}
-                      <strong>${b.triggerRevenueUsd.toLocaleString()}</strong>
-                      {b.description && (
-                        <span style={{ color: theme.textMuted }}> — {b.description}</span>
-                      )}
-                    </li>
-                  ))}
-                </ul>
-              </TermBlock>
-            )}
-            {o.terms.exclusions && o.terms.exclusions.length > 0 && (
-              <TermBlock label="Exclusions">
-                <ul style={{ margin: 0, paddingLeft: 18 }}>
-                  {o.terms.exclusions.map((x, i) => (
-                    <li key={i} style={{ color: theme.textMuted }}>{x}</li>
-                  ))}
-                </ul>
-              </TermBlock>
-            )}
-          </Card>
-        </div>
-
-        <div style={{ display: 'flex', flexDirection: 'column', gap: 16 }}>
-          <Card>
-            <div style={{ fontSize: 12, fontWeight: 600, color: theme.textMuted, textTransform: 'uppercase', letterSpacing: '0.05em', marginBottom: 12 }}>
-              About the vendor
-            </div>
-            <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 10 }}>
-              <Avatar name={o.vendorName} size={32} />
-              <div style={{ fontSize: 14, fontWeight: 500 }}>{o.vendorName}</div>
-            </div>
-            {o.vendorDescription && (
-              <div style={{ fontSize: 13, color: theme.textMuted, lineHeight: 1.6, marginBottom: 10 }}>
-                {o.vendorDescription}
-              </div>
-            )}
-            {o.vendorWebsiteUrl && (
-              <a
-                href={o.vendorWebsiteUrl}
-                target="_blank"
-                rel="noreferrer"
-                style={{ fontSize: 12, color: theme.accent, display: 'inline-flex', alignItems: 'center', gap: 4 }}
-              >
-                <Globe size={12} /> {o.vendorWebsiteUrl.replace(/^https?:\/\//, '')}
-              </a>
-            )}
-          </Card>
-
-          <Card>
-            <div style={{ fontSize: 12, color: theme.textMuted, marginBottom: 6 }}>Listed</div>
-            <div style={{ fontSize: 14 }}>{formatDate(o.createdAt)}</div>
-          </Card>
-
-          {!canApply && (
-            <Card>
-              <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 10 }}>
-                Want to promote this? Sign in as a creator to apply.
-              </div>
-              <Link to="/login" style={{ color: theme.accent, fontSize: 13, fontWeight: 500 }}>
-                Sign in →
-              </Link>
-            </Card>
-          )}
-        </div>
-      </div>
-
-      {showApply && canApply && (
-        <ApplyDialog offering={o} defaultCode={defaultCode} onClose={() => setShowApply(false)} />
-      )}
-    </Page>
-  );
-}
-
-function TermBlock({ icon, label, children }: { icon?: React.ReactNode; label: string; children: React.ReactNode }) {
-  return (
-    <div style={{ display: 'grid', gridTemplateColumns: '120px 1fr', gap: 14, padding: '10px 0', borderBottom: `1px solid ${theme.borderSubtle}` }}>
-      <div style={{ display: 'flex', alignItems: 'center', gap: 6, color: theme.textMuted, fontSize: 12, textTransform: 'uppercase', letterSpacing: '0.05em', fontWeight: 600 }}>
-        {icon}
-        {label}
-      </div>
-      <div style={{ fontSize: 14 }}>{children}</div>
-    </div>
-  );
-}
-
-function PayoutSummary({ payout }: { payout: OfferingDetail['terms']['payout'] }) {
-  if (payout.type === 'recurring_percent') {
-    return (
-      <span>
-        <strong style={{ color: theme.accent }}>{payout.percent}%</strong> recurring
-        {payout.durationMonths
-          ? ` for ${payout.durationMonths} month${payout.durationMonths === 1 ? '' : 's'}`
-          : ' for the lifetime of the customer'}
-      </span>
-    );
-  }
-  if (payout.type === 'one_time_fee') {
-    return (
-      <span>
-        <strong style={{ color: theme.accent }}>
-          ${payout.amount.toLocaleString()}
-        </strong>{' '}
-        one-time per referral
-      </span>
-    );
-  }
-  return (
-    <div>
-      <div style={{ fontWeight: 500, marginBottom: 4 }}>Tiered percent</div>
-      <ul style={{ margin: 0, paddingLeft: 18, fontSize: 13, color: theme.textMuted }}>
-        {payout.tiers.map((t, i) => (
-          <li key={i}>
-            <strong style={{ color: theme.accent }}>{t.percent}%</strong> once lifetime revenue crosses ${t.minRevenueUsd.toLocaleString()}
-          </li>
-        ))}
-      </ul>
-    </div>
-  );
-}
-
-function ApplyDialog({
-  offering,
-  defaultCode,
-  onClose,
-}: {
-  offering: OfferingDetail;
-  defaultCode: string;
-  onClose: () => void;
-}) {
-  const qc = useQueryClient();
-  const [message, setMessage] = useState('');
-  const [promoCode, setPromoCode] = useState(defaultCode);
-
-  const codeValid = promoCode.length >= 3 && promoCode.length <= 40 && /^[a-zA-Z0-9_-]+$/.test(promoCode);
-  const host = offering.vendorRouterUrl ?? ''; // prefer explicit; empty string just hides in preview
-
-  const mut = useMutation({
-    mutationFn: () =>
-      api('/network/requests', {
-        method: 'POST',
-        body: {
-          offeringId: offering.id,
-          message: message || undefined,
-          promoCode: promoCode || undefined,
-        },
-      }),
-    onSuccess: () => {
-      qc.invalidateQueries({ queryKey: ['network-requests-mine'] });
-      onClose();
-    },
-  });
-
-  return (
-    <div
-      style={{
-        position: 'fixed',
-        inset: 0,
-        background: 'rgba(0,0,0,0.6)',
-        display: 'flex',
-        alignItems: 'center',
-        justifyContent: 'center',
-        zIndex: 50,
-      }}
-      onClick={onClose}
-    >
-      <div
-        onClick={(e) => e.stopPropagation()}
-        style={{
-          background: theme.surface,
-          border: `1px solid ${theme.border}`,
-          borderRadius: theme.radiusLg,
-          padding: 24,
-          width: 520,
-          maxWidth: '90vw',
-        }}
-      >
-        <div style={{ fontSize: 16, fontWeight: 600, marginBottom: 4 }}>Apply to promote {offering.vendorName}</div>
-        <div style={{ color: theme.textMuted, fontSize: 13, marginBottom: 18 }}>
-          Pick a memorable share code and tell the vendor why you're a fit.
-        </div>
-        <ErrorBanner error={mut.error} />
-
-        <Label>Your share code</Label>
-        <Input value={promoCode} onChange={(e) => setPromoCode(e.target.value)} placeholder="graciefindsdeals" />
-        {host && (
-          <div style={{ fontSize: 12, color: theme.textMuted, marginTop: 6, marginBottom: 4 }}>
-            Preview:{' '}
-            <code style={{ color: codeValid ? theme.accent : theme.textMuted }}>
-              {host}/r/{promoCode || '...'}
-            </code>
-          </div>
-        )}
-        <div style={{ fontSize: 11, color: theme.textDim, marginBottom: 16 }}>
-          Letters, digits, underscores or dashes. 3–40 chars.
-        </div>
-
-        <Label>Message (optional)</Label>
-        <textarea
-          value={message}
-          onChange={(e) => setMessage(e.target.value)}
-          rows={5}
-          style={{
-            width: '100%',
-            padding: '10px 12px',
-            fontSize: 14,
-            background: theme.surface2,
-            border: `1px solid ${theme.border}`,
-            borderRadius: theme.radiusSm,
-            color: theme.text,
-            fontFamily: theme.fontSans,
-            resize: 'vertical',
-          }}
-          placeholder="Who your audience is and why you're a fit."
-        />
-        <div style={{ display: 'flex', gap: 8, marginTop: 16, justifyContent: 'flex-end' }}>
-          <Button variant="secondary" onClick={onClose}>
-            Cancel
-          </Button>
-          <Button onClick={() => mut.mutate()} disabled={!codeValid || mut.isPending}>
-            {mut.isPending ? 'Sending…' : 'Send application'}
-          </Button>
-        </div>
-      </div>
-    </div>
-  );
-}
diff --git a/apps/portal/src/pages/network/VendorOfferings.tsx b/apps/portal/src/pages/network/VendorOfferings.tsx
deleted file mode 100644
index ba23ee1..0000000
--- a/apps/portal/src/pages/network/VendorOfferings.tsx
+++ /dev/null
@@ -1,258 +0,0 @@
-import { useState } from 'react';
-import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Plus, Package2, ExternalLink } from 'lucide-react';
-import { api } from '../../api.js';
-import { theme } from '../../theme.js';
-import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page, Select, StatusPill, formatDate } from '../../ui.js';
-
-interface Offering {
-  id: string;
-  title: string;
-  productUrl: string;
-  description: string | null;
-  vendorCampaignId: string;
-  terms: {
-    payout:
-      | { type: 'recurring_percent'; percent: number; durationMonths: number | null }
-      | { type: 'one_time_fee'; amount: number; currency?: string }
-      | { type: 'tiered_percent'; tiers: Array<{ minRevenueUsd: number; percent: number }> };
-    cookieWindowDays: number;
-    bonuses?: Array<{ description: string; triggerRevenueUsd: number; bonusUsd: number }>;
-  };
-  published: boolean;
-  createdAt: string;
-  updatedAt: string;
-}
-
-export function VendorOfferingsPage() {
-  const qc = useQueryClient();
-  const [showCreate, setShowCreate] = useState(false);
-  const { data, error, isLoading } = useQuery({
-    queryKey: ['network-offerings-mine'],
-    queryFn: () => api<{ offerings: Offering[] }>('/network/offerings/mine'),
-  });
-
-  const togglePublish = useMutation({
-    mutationFn: (o: Offering) =>
-      api(`/network/offerings/${o.id}`, { method: 'PATCH', body: { published: !o.published } }),
-    onSuccess: () => qc.invalidateQueries({ queryKey: ['network-offerings-mine'] }),
-  });
-
-  return (
-    <Page
-      title="My offerings"
-      subtitle="Publish referral programs creators can discover."
-      actions={
-        <Button icon={<Plus size={14} />} onClick={() => setShowCreate(true)}>
-          New offering
-        </Button>
-      }
-    >
-      <ErrorBanner error={error ?? togglePublish.error} />
-      {showCreate && (
-        <CreateOffering
-          onClose={() => setShowCreate(false)}
-          onCreated={() => {
-            setShowCreate(false);
-            qc.invalidateQueries({ queryKey: ['network-offerings-mine'] });
-          }}
-        />
-      )}
-      {isLoading ? (
-        <Card>Loading…</Card>
-      ) : (data?.offerings ?? []).length === 0 ? (
-        <EmptyState title="No offerings yet" hint="Publish one to appear in the Network directory." icon={<Package2 size={28} strokeWidth={1.25} />} />
-      ) : (
-        <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fill, minmax(340px, 1fr))', gap: 14 }}>
-          {(data?.offerings ?? []).map((o) => (
-            <Card key={o.id}>
-              <div style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'flex-start', marginBottom: 10 }}>
-                <div style={{ fontSize: 15, fontWeight: 600 }}>{o.title}</div>
-                <StatusPill status={o.published ? 'connected' : 'pending'} />
-              </div>
-              {o.description && (
-                <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 10, lineHeight: 1.5 }}>{o.description}</div>
-              )}
-              <div style={{ fontSize: 12, color: theme.textDim, marginBottom: 12 }}>
-                <TermsLine terms={o.terms} />
-                <div style={{ marginTop: 4 }}>
-                  Campaign: <code style={{ color: theme.textMuted }}>{o.vendorCampaignId.slice(0, 12)}…</code>
-                </div>
-                <div style={{ marginTop: 4 }}>Created {formatDate(o.createdAt, { relative: true })}</div>
-              </div>
-              <div style={{ display: 'flex', gap: 8 }}>
-                <Button
-                  size="sm"
-                  variant={o.published ? 'secondary' : 'primary'}
-                  onClick={() => togglePublish.mutate(o)}
-                  disabled={togglePublish.isPending}
-                >
-                  {o.published ? 'Unpublish' : 'Publish'}
-                </Button>
-                <a
-                  href={o.productUrl}
-                  target="_blank"
-                  rel="noreferrer"
-                  style={{ fontSize: 12, color: theme.textMuted, display: 'inline-flex', alignItems: 'center', gap: 4, alignSelf: 'center' }}
-                >
-                  Product <ExternalLink size={12} />
-                </a>
-              </div>
-            </Card>
-          ))}
-        </div>
-      )}
-    </Page>
-  );
-}
-
-function TermsLine({ terms }: { terms: Offering['terms'] }) {
-  const p = terms.payout;
-  if (p.type === 'recurring_percent') {
-    return <span>{p.percent}% recurring{p.durationMonths ? ` for ${p.durationMonths} months` : ' (lifetime)'} · {terms.cookieWindowDays}-day cookie</span>;
-  }
-  if (p.type === 'one_time_fee') return <span>${p.amount} one-time · {terms.cookieWindowDays}-day cookie</span>;
-  return <span>Tiered % · {terms.cookieWindowDays}-day cookie</span>;
-}
-
-function CreateOffering({ onClose, onCreated }: { onClose: () => void; onCreated: () => void }) {
-  const [title, setTitle] = useState('');
-  const [productUrl, setProductUrl] = useState('');
-  const [description, setDescription] = useState('');
-  const [vendorCampaignId, setVendorCampaignId] = useState('');
-  const [payoutType, setPayoutType] = useState<'recurring_percent' | 'one_time_fee'>('recurring_percent');
-  const [percent, setPercent] = useState('30');
-  const [durationMonths, setDurationMonths] = useState('6');
-  const [lifetime, setLifetime] = useState(false);
-  const [fee, setFee] = useState('50');
-  const [cookieWindowDays, setCookieWindowDays] = useState('60');
-  const [bonusTrigger, setBonusTrigger] = useState('');
-  const [bonusAmount, setBonusAmount] = useState('');
-  const [bonusDescription, setBonusDescription] = useState('');
-
-  const mut = useMutation({
-    mutationFn: () => {
-      const bonuses =
-        bonusTrigger && bonusAmount
-          ? [{ description: bonusDescription || `$${bonusAmount} bonus at $${bonusTrigger} MRR`, triggerRevenueUsd: Number(bonusTrigger), bonusUsd: Number(bonusAmount) }]
-          : undefined;
-      const payout =
-        payoutType === 'recurring_percent'
-          ? { type: 'recurring_percent' as const, percent: Number(percent), durationMonths: lifetime ? null : Number(durationMonths) }
-          : { type: 'one_time_fee' as const, amount: Number(fee) };
-      return api<{ offering: Offering }>('/network/offerings', {
-        method: 'POST',
-        body: {
-          title,
-          productUrl,
-          description: description || undefined,
-          vendorCampaignId,
-          terms: { payout, cookieWindowDays: Number(cookieWindowDays), bonuses },
-          published: true,
-        },
-      });
-    },
-    onSuccess: onCreated,
-  });
-
-  return (
-    <Card style={{ marginBottom: 14 }}>
-      <div style={{ fontSize: 15, fontWeight: 600, marginBottom: 14 }}>New offering</div>
-      <ErrorBanner error={mut.error} />
-      <div style={{ marginBottom: 12 }}>
-        <Label>Title</Label>
-        <Input value={title} onChange={(e) => setTitle(e.target.value)} placeholder="Acme Pro — 30% recurring" />
-      </div>
-      <div style={{ display: 'grid', gridTemplateColumns: '2fr 1fr', gap: 12, marginBottom: 12 }}>
-        <div>
-          <Label>Product URL</Label>
-          <Input value={productUrl} onChange={(e) => setProductUrl(e.target.value)} placeholder="https://…" />
-        </div>
-        <div>
-          <Label>Vendor campaign id</Label>
-          <Input value={vendorCampaignId} onChange={(e) => setVendorCampaignId(e.target.value)} placeholder="01KPY…" />
-        </div>
-      </div>
-      <div style={{ marginBottom: 12 }}>
-        <Label>Description</Label>
-        <textarea
-          value={description}
-          onChange={(e) => setDescription(e.target.value)}
-          rows={3}
-          style={{
-            width: '100%',
-            padding: '10px 12px',
-            fontSize: 14,
-            background: theme.surface2,
-            border: `1px solid ${theme.border}`,
-            borderRadius: theme.radiusSm,
-            color: theme.text,
-            fontFamily: theme.fontSans,
-            resize: 'vertical',
-          }}
-          placeholder="Sell our flagship to your audience…"
-        />
-      </div>
-      <div style={{ display: 'grid', gridTemplateColumns: '140px 1fr 1fr 120px', gap: 12, marginBottom: 12, alignItems: 'end' }}>
-        <div>
-          <Label>Payout type</Label>
-          <Select value={payoutType} onChange={(e) => setPayoutType(e.target.value as typeof payoutType)}>
-            <option value="recurring_percent">Recurring %</option>
-            <option value="one_time_fee">One-time $</option>
-          </Select>
-        </div>
-        {payoutType === 'recurring_percent' ? (
-          <>
-            <div>
-              <Label>Percent</Label>
-              <Input type="number" value={percent} onChange={(e) => setPercent(e.target.value)} />
-            </div>
-            <div>
-              <Label>Duration (months)</Label>
-              <Input type="number" value={durationMonths} onChange={(e) => setDurationMonths(e.target.value)} disabled={lifetime} />
-            </div>
-            <label style={{ fontSize: 13, color: theme.textMuted, display: 'flex', gap: 6, alignItems: 'center', paddingBottom: 10 }}>
-              <input type="checkbox" checked={lifetime} onChange={(e) => setLifetime(e.target.checked)} />
-              Lifetime
-            </label>
-          </>
-        ) : (
-          <>
-            <div>
-              <Label>Fee ($)</Label>
-              <Input type="number" value={fee} onChange={(e) => setFee(e.target.value)} />
-            </div>
-            <div />
-            <div />
-          </>
-        )}
-      </div>
-      <div style={{ display: 'grid', gridTemplateColumns: '140px 1fr 1fr 2fr', gap: 12, marginBottom: 16, alignItems: 'end' }}>
-        <div>
-          <Label>Cookie window (days)</Label>
-          <Input type="number" value={cookieWindowDays} onChange={(e) => setCookieWindowDays(e.target.value)} />
-        </div>
-        <div>
-          <Label>Bonus trigger ($MRR)</Label>
-          <Input type="number" value={bonusTrigger} onChange={(e) => setBonusTrigger(e.target.value)} placeholder="10000" />
-        </div>
-        <div>
-          <Label>Bonus amount ($)</Label>
-          <Input type="number" value={bonusAmount} onChange={(e) => setBonusAmount(e.target.value)} placeholder="500" />
-        </div>
-        <div>
-          <Label>Bonus description</Label>
-          <Input value={bonusDescription} onChange={(e) => setBonusDescription(e.target.value)} placeholder="optional" />
-        </div>
-      </div>
-      <div style={{ display: 'flex', gap: 8 }}>
-        <Button onClick={() => mut.mutate()} disabled={!title || !productUrl || !vendorCampaignId || mut.isPending}>
-          {mut.isPending ? 'Publishing…' : 'Publish'}
-        </Button>
-        <Button variant="secondary" onClick={onClose}>
-          Cancel
-        </Button>
-      </div>
-    </Card>
-  );
-}
diff --git a/apps/portal/src/pages/network/VendorRequests.tsx b/apps/portal/src/pages/network/VendorRequests.tsx
deleted file mode 100644
index dd9e216..0000000
--- a/apps/portal/src/pages/network/VendorRequests.tsx
+++ /dev/null
@@ -1,140 +0,0 @@
-import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Inbox } from 'lucide-react';
-import { api } from '../../api.js';
-import { theme } from '../../theme.js';
-import { Button, Card, EmptyState, ErrorBanner, Page, StatusPill, Table, formatDate, shortId } from '../../ui.js';
-
-interface Request {
-  id: string;
-  offeringId: string;
-  vendorId: string;
-  creatorId: string;
-  direction: 'creator_to_vendor' | 'vendor_to_creator';
-  message: string | null;
-  promoCode: string | null;
-  status: string;
-  createdAt: string;
-  decidedAt: string | null;
-}
-
-export function VendorRequestsPage() {
-  const qc = useQueryClient();
-  const { data, error, isLoading } = useQuery({
-    queryKey: ['network-requests-mine'],
-    queryFn: () => api<{ requests: Request[] }>('/network/requests/mine'),
-  });
-
-  const approve = useMutation({
-    mutationFn: (id: string) => api(`/network/requests/${id}/approve`, { method: 'POST', body: {} }),
-    onSuccess: () => {
-      qc.invalidateQueries({ queryKey: ['network-requests-mine'] });
-      qc.invalidateQueries({ queryKey: ['network-partnerships-mine'] });
-    },
-  });
-  const reject = useMutation({
-    mutationFn: (id: string) => api(`/network/requests/${id}/reject`, { method: 'POST', body: {} }),
-    onSuccess: () => qc.invalidateQueries({ queryKey: ['network-requests-mine'] }),
-  });
-
-  const pending = (data?.requests ?? []).filter((r) => r.status === 'pending');
-  const history = (data?.requests ?? []).filter((r) => r.status !== 'pending');
-
-  return (
-    <Page title="Incoming requests" subtitle={`${pending.length} pending`}>
-      <ErrorBanner error={error ?? approve.error ?? reject.error} />
-
-      {isLoading ? (
-        <Card>Loading…</Card>
-      ) : pending.length === 0 && history.length === 0 ? (
-        <EmptyState title="No requests yet" hint="Creators who apply to your offerings show up here." icon={<Inbox size={28} strokeWidth={1.25} />} />
-      ) : (
-        <>
-          {pending.length > 0 && (
-            <>
-              <div style={{ marginBottom: 10, fontSize: 13, color: theme.textMuted }}>Pending</div>
-              <div style={{ display: 'flex', flexDirection: 'column', gap: 12, marginBottom: 24 }}>
-                {pending.map((r) => (
-                  <Card key={r.id}>
-                    <div style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'flex-start', marginBottom: 10 }}>
-                      <div>
-                        <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 4 }}>
-                          From creator <code>{shortId(r.creatorId)}</code>
-                          <span style={{ marginLeft: 8 }}>• offering <code>{shortId(r.offeringId)}</code></span>
-                        </div>
-                        <div style={{ fontSize: 12, color: theme.textDim }}>
-                          Received {formatDate(r.createdAt, { relative: true })}
-                        </div>
-                      </div>
-                      <StatusPill status={r.status} />
-                    </div>
-                    {r.promoCode && (
-                      <div
-                        style={{
-                          display: 'flex',
-                          alignItems: 'center',
-                          gap: 10,
-                          padding: '10px 12px',
-                          borderRadius: theme.radiusSm,
-                          background: theme.accentSoft,
-                          border: `1px solid ${theme.accent}33`,
-                          marginBottom: 12,
-                        }}
-                      >
-                        <span style={{ fontSize: 11, color: theme.textMuted, textTransform: 'uppercase', letterSpacing: '0.05em' }}>
-                          Requested share code
-                        </span>
-                        <code style={{ fontSize: 14, color: theme.accent, fontWeight: 600 }}>
-                          /r/{r.promoCode}
-                        </code>
-                      </div>
-                    )}
-                    {r.message && (
-                      <div
-                        style={{
-                          background: theme.bg,
-                          border: `1px solid ${theme.borderSubtle}`,
-                          padding: 12,
-                          borderRadius: theme.radiusSm,
-                          fontSize: 13,
-                          color: theme.text,
-                          marginBottom: 12,
-                          lineHeight: 1.5,
-                        }}
-                      >
-                        {r.message}
-                      </div>
-                    )}
-                    <div style={{ display: 'flex', gap: 8 }}>
-                      <Button size="sm" onClick={() => approve.mutate(r.id)} disabled={approve.isPending}>
-                        Approve
-                      </Button>
-                      <Button size="sm" variant="danger" onClick={() => reject.mutate(r.id)} disabled={reject.isPending}>
-                        Reject
-                      </Button>
-                    </div>
-                  </Card>
-                ))}
-              </div>
-            </>
-          )}
-
-          {history.length > 0 && (
-            <>
-              <div style={{ marginBottom: 10, fontSize: 13, color: theme.textMuted }}>History</div>
-              <Table
-                columns={['ID', 'Creator', 'Offering', 'Status', 'Decided']}
-                rows={history.map((r) => [
-                  <code style={{ color: theme.textDim, fontSize: 12 }}>{shortId(r.id)}</code>,
-                  <code style={{ color: theme.textDim, fontSize: 12 }}>{shortId(r.creatorId)}</code>,
-                  <code style={{ color: theme.textDim, fontSize: 12 }}>{shortId(r.offeringId)}</code>,
-                  <StatusPill status={r.status} />,
-                  <span style={{ color: theme.textMuted }}>{formatDate(r.decidedAt, { relative: true })}</span>,
-                ])}
-              />
-            </>
-          )}
-        </>
-      )}
-    </Page>
-  );
-}
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index aa08bf8..00d564d 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -13,9 +13,6 @@
 #   ROUTER_HOST              e.g. go.example.com         (default: go.$DOMAIN)
 #   CADDY_EMAIL              for Let's Encrypt registration
 #   ADMIN_API_KEY            bootstrap admin key
-#   NETWORK_ENCRYPTION_KEY   64 hex chars (AES-256-GCM)
-#   POSTMARK_SERVER_TOKEN    if MAIL_TRANSPORT=postmark
-#   MAIL_FROM                if MAIL_TRANSPORT=postmark
 #
 # Usage:
 #   cp .env.example .env     # fill in the above
@@ -55,13 +52,9 @@ services:
       DATABASE_URL: postgres://${POSTGRES_USER:-openpartner}:${POSTGRES_PASSWORD:-openpartner}@postgres:5432/${POSTGRES_DB:-openpartner}
       API_PORT: 4601
       ADMIN_API_KEY: ${ADMIN_API_KEY}
-      NETWORK_ENCRYPTION_KEY: ${NETWORK_ENCRYPTION_KEY}
       OPENPARTNER_MODE: ${OPENPARTNER_MODE:-selfhost}
-      MAIL_TRANSPORT: ${MAIL_TRANSPORT:-dev}
-      POSTMARK_SERVER_TOKEN: ${POSTMARK_SERVER_TOKEN:-}
-      MAIL_FROM: ${MAIL_FROM:-}
-      POSTMARK_MESSAGE_STREAM: ${POSTMARK_MESSAGE_STREAM:-outbound}
       PORTAL_URL: https://${PORTAL_HOST:-portal.${OPENPARTNER_DOMAIN}}
+      METRICS_TOKEN: ${METRICS_TOKEN:-}
       STRIPE_SECRET_KEY: ${STRIPE_SECRET_KEY:-}
       STRIPE_WEBHOOK_SECRET: ${STRIPE_WEBHOOK_SECRET:-}
       STRIPE_FLAT_PRICE_ID: ${STRIPE_FLAT_PRICE_ID:-}
diff --git a/docs/deploy.md b/docs/deploy.md
index b9fc9d9..8adfc53 100644
--- a/docs/deploy.md
+++ b/docs/deploy.md
@@ -26,11 +26,10 @@ Ingress rules fan incoming traffic out: `/api/*` → `api`, everything else →
    ```
 3. **Set the secrets** App Platform marked as `SECRET` in the spec:
    - `ADMIN_API_KEY` — bootstrap admin token. Generate with `node -e "console.log('op_' + require('crypto').randomBytes(24).toString('hex'))"`.
-   - `NETWORK_ENCRYPTION_KEY` — 32 hex bytes for AES-256-GCM. `node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"`.
-   - `POSTMARK_SERVER_TOKEN`, `MAIL_FROM` — your Postmark creds + verified sender.
-   - `PORTAL_URL` — e.g. `https://partners.yourdomain.com`. Magic-link emails link to this.
+   - `PORTAL_URL` — e.g. `https://partners.yourdomain.com`. Required in production (CORS allowlist).
    - `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET`, `STRIPE_FLAT_PRICE_ID` — only if running `flat` or `revshare` mode.
    - `COOKIE_DOMAIN` — `.yourdomain.com` so the router's `_cref` cookie covers your landing pages.
+   - `METRICS_TOKEN` — optional; set to require Bearer auth on `/metrics`.
 4. **Deploy.** The API container runs migrations on first boot via `apps/api/docker-entrypoint.sh`, so an empty Postgres bootstraps automatically. Subsequent deploys re-run and are idempotent against `knex_migrations`.
 5. **Wire custom domains.** In the App Platform UI → Settings → Domains:
    - Primary: `partners.yourdomain.com` → `portal` component.
@@ -70,7 +69,7 @@ cd openpartner
 cp .env.example .env
 # Edit .env — set:
 #   OPENPARTNER_DOMAIN, CADDY_EMAIL, ADMIN_API_KEY,
-#   NETWORK_ENCRYPTION_KEY, POSTMARK_SERVER_TOKEN, MAIL_FROM, etc.
+#   PORTAL_HOST, API_HOST, ROUTER_HOST, etc.
 docker compose -f docker-compose.prod.yml up -d
 ```
 
diff --git a/docs/email.md b/docs/email.md
deleted file mode 100644
index 09739b4..0000000
--- a/docs/email.md
+++ /dev/null
@@ -1,56 +0,0 @@
-# Email
-
-OpenPartner sends transactional email for magic-link auth (signup
-verification + sign-in). Two transports:
-
-- **dev** (default) — writes the message to the `DevMessage` table in
-  Postgres. Admins read it back at `/admin/dev-mailbox` in the portal.
-  Good for local dev, CI, and demos without configuring a provider.
-- **postmark** — POSTs to `https://api.postmarkapp.com/email` using the
-  native `fetch`, no SDK. For production.
-
-## Switching to Postmark
-
-Set these in your environment:
-
-```
-MAIL_TRANSPORT=postmark
-POSTMARK_SERVER_TOKEN=xxxxx
-MAIL_FROM=OpenPartner <no-reply@yourdomain.com>
-POSTMARK_MESSAGE_STREAM=outbound    # optional — defaults to "outbound"
-PORTAL_URL=https://your-portal.example.com
-```
-
-Before it works:
-
-1. Verify your sender domain in Postmark. The address in `MAIL_FROM` must
-   match a verified sender signature or domain on the server token you
-   use. Postmark returns a 422 otherwise.
-2. Pick a **message stream**. The default `outbound` stream is
-   transactional and suits magic-link emails. If you've created a
-   separate transactional stream, set `POSTMARK_MESSAGE_STREAM` to that
-   stream's ID. Don't point magic-link emails at a broadcast stream —
-   Postmark will reject them.
-3. Make sure `PORTAL_URL` matches the public URL the emailed links
-   should resolve to. The API bakes this into every magic link.
-
-## Template
-
-Auth emails are built in `apps/api/src/email-templates.ts`. The HTML
-uses inline styles only and renders cleanly in Gmail / Apple Mail /
-Outlook. The plain-text fallback carries the same URL.
-
-Postmark stores each message with:
-
-- `Tag` — one of `creator_signup`, `creator_signin`, `vendor_signup`,
-  `vendor_signin`. Use the tag to group messages in dashboards.
-- `Metadata` — currently carries `purpose` and role-specific identifiers
-  (`handle`, `slug`, `vendorId`). Useful for debugging a specific
-  failed delivery.
-
-## Observing delivery locally
-
-In dev mode the portal's **Dev mailbox** view (admin-only) shows every
-captured message with Open link / Copy buttons. Auto-refreshes every 5s.
-Great for clicking through signup flows without any external provider
-configured.
diff --git a/packages/db/knexfile.ts b/packages/db/knexfile.ts
index 8814e35..a9747b9 100644
--- a/packages/db/knexfile.ts
+++ b/packages/db/knexfile.ts
@@ -14,6 +14,12 @@ const common: Knex.Config = {
     directory: './migrations',
     extension: isProd ? 'js' : 'ts',
     loadExtensions: isProd ? ['.js'] : ['.ts'],
+    // We occasionally remove migrations that have already run against
+    // existing databases (e.g. the Network carve-out). Knex's default
+    // "corrupt directory" check refuses to boot in that case; instead
+    // we ship a targeted tear-down migration and let old applied rows
+    // live on in knex_migrations as history.
+    disableMigrationsListValidation: true,
   },
 };
 
diff --git a/packages/db/migrations/20260425000000_network.ts b/packages/db/migrations/20260425000000_network.ts
deleted file mode 100644
index 77a911f..0000000
--- a/packages/db/migrations/20260425000000_network.ts
+++ /dev/null
@@ -1,159 +0,0 @@
-import type { Knex } from 'knex';
-
-/**
- * OpenPartner Network — directory + handshake layer that sits above
- * individual OpenPartner deployments.
- *
- * Key architectural principle: the Network is a directory and matchmaking
- * service. It never owns attribution data. When a Partnership is approved,
- * the Network federates out to the vendor's OpenPartner instance via its
- * admin API to provision a Partner + Link. Attribution, clicks, events,
- * commissions — all of that continues to live on the vendor's instance,
- * exportable and portable.
- *
- * Table-by-table rationale:
- *
- *   NetworkVendor    — a merchant that joined the Network. Stores the URL
- *                      of their OpenPartner instance and the admin API key
- *                      (hashed at rest, used for federation calls) so we
- *                      can provision partners remotely on approval.
- *   NetworkCreator   — a promoter/influencer profile. Public-ish — their
- *                      handle, bio, and platform links are what vendors
- *                      browse.
- *   Offering         — a public listing of a vendor's referral program.
- *                      References a `vendorCampaignId` on the vendor's own
- *                      instance (Campaigns remain authoritative there).
- *                      `terms` is richer than commissionRule: marketing
- *                      copy for display (percent + duration + bonuses).
- *   PartnershipRequest — directional handshake. Either creator asks to
- *                      promote an offering, or a vendor invites a creator
- *                      to one. Stores a message and status.
- *   Partnership      — the approved, active relationship. Holds the
- *                      federation output: the partnerId + linkKey on the
- *                      vendor's instance, plus the public share URL the
- *                      creator can paste on socials.
- */
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.createTable('NetworkVendor', (t) => {
-    t.string('id').primary();
-    t.string('name').notNullable();
-    t.string('slug').notNullable().unique();
-    t.string('websiteUrl');
-    t.string('logoUrl');
-    t.text('description');
-
-    // Federation: where the vendor's OpenPartner instance lives + admin key.
-    // Key is stored ENCRYPTED (AES-256-GCM) because we need plaintext at
-    // federation time to call the vendor's admin API. Hash would be useless
-    // here — one-way. The prefix is for display in the vendor's settings UI
-    // (e.g. "op_a1b2…") without leaking the whole key.
-    t.string('instanceUrl').notNullable();
-    t.text('instanceKeyCiphertext').notNullable(); // base64(iv | tag | ciphertext)
-    t.string('instanceKeyPrefix').notNullable();
-
-    t.string('status').notNullable().defaultTo('pending'); // pending | active | suspended
-    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
-    t.timestamp('activatedAt', { useTz: true });
-    t.index(['status']);
-  });
-
-  await knex.schema.createTable('NetworkCreator', (t) => {
-    t.string('id').primary();
-    t.string('name').notNullable();
-    t.string('handle').notNullable().unique();
-    t.string('email').notNullable().unique();
-    t.text('bio');
-    t.string('avatarUrl');
-    // Platforms: [{ platform: 'youtube'|'twitter'|'instagram'|'blog', url, followers? }]
-    t.jsonb('platforms').notNullable().defaultTo('[]');
-    t.string('status').notNullable().defaultTo('pending'); // pending | active | suspended
-    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
-    t.timestamp('activatedAt', { useTz: true });
-    t.index(['status']);
-  });
-
-  await knex.schema.createTable('Offering', (t) => {
-    t.string('id').primary();
-    t.string('vendorId').notNullable().references('id').inTable('NetworkVendor');
-    t.string('title').notNullable();
-    t.string('productUrl').notNullable();
-    t.text('description');
-    t.string('heroImageUrl');
-
-    // The campaign on the vendor's OpenPartner instance that federated
-    // partnerships will create Links under. Not a FK — lives on a different
-    // DB in production.
-    t.string('vendorCampaignId').notNullable();
-
-    // Marketing-flavored terms. The authoritative commission rule lives on
-    // the vendor's Campaign; these are for display in the directory.
-    t.jsonb('terms').notNullable();
-
-    t.boolean('published').notNullable().defaultTo(false);
-    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
-    t.timestamp('updatedAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
-    t.index(['vendorId']);
-    t.index(['published']);
-  });
-
-  await knex.schema.createTable('PartnershipRequest', (t) => {
-    t.string('id').primary();
-    t.string('offeringId').notNullable().references('id').inTable('Offering');
-    t.string('vendorId').notNullable();   // denormalized for fast filtering
-    t.string('creatorId').notNullable().references('id').inTable('NetworkCreator');
-    t.string('direction').notNullable(); // 'creator_to_vendor' | 'vendor_to_creator'
-    t.text('message');
-    t.string('status').notNullable().defaultTo('pending'); // pending | approved | rejected | cancelled
-    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
-    t.timestamp('decidedAt', { useTz: true });
-    t.text('decisionNote');
-    t.unique(['offeringId', 'creatorId']); // one request per (offering, creator)
-    t.index(['vendorId', 'status']);
-    t.index(['creatorId', 'status']);
-  });
-
-  await knex.schema.createTable('Partnership', (t) => {
-    t.string('id').primary();
-    t.string('requestId').notNullable().references('id').inTable('PartnershipRequest').unique();
-    t.string('offeringId').notNullable().references('id').inTable('Offering');
-    t.string('vendorId').notNullable();
-    t.string('creatorId').notNullable().references('id').inTable('NetworkCreator');
-
-    // Federation result: what exists on the vendor's OpenPartner instance.
-    t.string('vendorPartnerId').notNullable();
-    t.string('vendorLinkKey').notNullable();
-    t.string('publicShareUrl').notNullable();
-
-    t.string('status').notNullable().defaultTo('active'); // active | ended
-    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
-    t.timestamp('endedAt', { useTz: true });
-    t.index(['vendorId', 'status']);
-    t.index(['creatorId', 'status']);
-  });
-
-  // Extend ApiKey with the new roles. A single row is now one of:
-  //   - partnerId set                -> vendor-partner key (existing)
-  //   - networkVendorId set          -> vendor manages Network presence
-  //   - networkCreatorId set         -> creator browses + applies
-  //   - everything null              -> admin key (network_admin or core admin)
-  await knex.schema.alterTable('ApiKey', (t) => {
-    t.string('networkVendorId').references('id').inTable('NetworkVendor');
-    t.string('networkCreatorId').references('id').inTable('NetworkCreator');
-    t.index(['networkVendorId']);
-    t.index(['networkCreatorId']);
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable('ApiKey', (t) => {
-    t.dropIndex(['networkVendorId']);
-    t.dropIndex(['networkCreatorId']);
-    t.dropColumn('networkVendorId');
-    t.dropColumn('networkCreatorId');
-  });
-  await knex.schema.dropTableIfExists('Partnership');
-  await knex.schema.dropTableIfExists('PartnershipRequest');
-  await knex.schema.dropTableIfExists('Offering');
-  await knex.schema.dropTableIfExists('NetworkCreator');
-  await knex.schema.dropTableIfExists('NetworkVendor');
-}
diff --git a/packages/db/migrations/20260426000000_promo_codes.ts b/packages/db/migrations/20260426000000_promo_codes.ts
deleted file mode 100644
index 62a5550..0000000
--- a/packages/db/migrations/20260426000000_promo_codes.ts
+++ /dev/null
@@ -1,42 +0,0 @@
-import type { Knex } from 'knex';
-
-/**
- * Creator-controlled share-link slugs.
- *
- * The share URL is `<NetworkVendor.routerUrl>/r/<PartnershipRequest.promoCode>`.
- *
- * - NetworkVendor.routerUrl: where the vendor runs apps/router. Vendors will
- *   typically host on a branded apex (getcoherence.io) or a subdomain
- *   (go.acme.com). Optional because the port-swap dev convention still works
- *   for localhost testing; prod vendors must set it.
- *
- * - NetworkCreator.defaultPromoCode: Grace sets "gracie" once, the Apply
- *   modal pre-fills it per application so she doesn't retype.
- *
- * - PartnershipRequest.promoCode: the actual code to use for this
- *   partnership's Link. Nullable → federation falls back to the creator's
- *   handle, which keeps existing requests working.
- */
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable('NetworkVendor', (t) => {
-    t.string('routerUrl');
-  });
-  await knex.schema.alterTable('NetworkCreator', (t) => {
-    t.string('defaultPromoCode');
-  });
-  await knex.schema.alterTable('PartnershipRequest', (t) => {
-    t.string('promoCode');
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable('PartnershipRequest', (t) => {
-    t.dropColumn('promoCode');
-  });
-  await knex.schema.alterTable('NetworkCreator', (t) => {
-    t.dropColumn('defaultPromoCode');
-  });
-  await knex.schema.alterTable('NetworkVendor', (t) => {
-    t.dropColumn('routerUrl');
-  });
-}
diff --git a/packages/db/migrations/20260428000000_magic_links.ts b/packages/db/migrations/20260428000000_magic_links.ts
deleted file mode 100644
index 3a074ee..0000000
--- a/packages/db/migrations/20260428000000_magic_links.ts
+++ /dev/null
@@ -1,73 +0,0 @@
-import type { Knex } from 'knex';
-
-/**
- * Email magic-link auth for humans.
- *
- * Design:
- *   - MagicLinkToken  one-time, short-TTL token emailed to a user. Hashed
- *                     at rest (same sha256 pattern as ApiKey). Includes a
- *                     `purpose` (signup or signin) and, for signup, a
- *                     claim jsonb carrying the pending creator's handle +
- *                     name until they verify ownership of the email.
- *
- *   - Session         server-side session created when a MagicLinkToken is
- *                     consumed. The session's token is set as an HttpOnly
- *                     cookie so every subsequent request authenticates
- *                     without needing to read the URL. Principal kind lets
- *                     the same table back future vendor / admin sessions
- *                     once we add magic-link auth for those roles.
- *
- *   - DevMessage      stand-in mailbox for local dev and CI. The DevMailer
- *                     writes here instead of hitting SMTP. An admin-only
- *                     /dev/mailbox endpoint reads them back so you can
- *                     follow the magic link in your browser without any
- *                     external email provider configured.
- */
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.createTable('MagicLinkToken', (t) => {
-    t.string('id').primary();
-    t.string('prefix').notNullable();
-    t.string('tokenHash').notNullable();
-    t.string('email').notNullable();
-    t.string('purpose').notNullable(); // 'signup' | 'signin'
-    t.jsonb('claim'); // signup-time profile: { handle, name }
-    t.timestamp('expiresAt', { useTz: true }).notNullable();
-    t.timestamp('consumedAt', { useTz: true });
-    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
-    t.index(['prefix']);
-    t.index(['email', 'purpose']);
-  });
-
-  await knex.schema.createTable('Session', (t) => {
-    t.string('id').primary();
-    t.string('prefix').notNullable();
-    t.string('tokenHash').notNullable();
-    // For MVP sessions only back network_creator. Future: network_vendor,
-    // partner, admin — hence the open `principalKind` string.
-    t.string('principalKind').notNullable();
-    t.string('principalId').notNullable();
-    t.timestamp('expiresAt', { useTz: true }).notNullable();
-    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
-    t.timestamp('lastSeenAt', { useTz: true });
-    t.timestamp('revokedAt', { useTz: true });
-    t.index(['prefix']);
-    t.index(['principalKind', 'principalId']);
-  });
-
-  await knex.schema.createTable('DevMessage', (t) => {
-    t.string('id').primary();
-    t.string('to').notNullable();
-    t.string('subject').notNullable();
-    t.text('body').notNullable();
-    t.text('html');
-    t.jsonb('metadata').notNullable().defaultTo('{}');
-    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
-    t.index(['to']);
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists('DevMessage');
-  await knex.schema.dropTableIfExists('Session');
-  await knex.schema.dropTableIfExists('MagicLinkToken');
-}
diff --git a/packages/db/migrations/20260430000000_vendor_email.ts b/packages/db/migrations/20260430000000_vendor_email.ts
deleted file mode 100644
index e1a5561..0000000
--- a/packages/db/migrations/20260430000000_vendor_email.ts
+++ /dev/null
@@ -1,50 +0,0 @@
-import type { Knex } from 'knex';
-
-/**
- * NetworkVendor.email — the signup email we verified via magic-link.
- *
- * Previously we recovered this by walking MagicLinkToken history; that
- * returned the most recent vendor_signup for an email, which silently
- * routed a signin to the wrong vendor when an email had signed up for
- * more than one. Storing email on the vendor row makes the lookup
- * deterministic.
- *
- * Backfill: walk the most-recent consumed vendor_signup token per slug
- * and copy its email over. Rows with no matching token (never possible
- * for real signups, but defensive for hand-inserted test data) fall
- * back to a placeholder that the admin can correct.
- */
-export async function up(knex: Knex): Promise<void> {
-  await knex.schema.alterTable('NetworkVendor', (t) => {
-    t.string('email').nullable();
-  });
-
-  await knex.raw(`
-    update "NetworkVendor" v
-    set "email" = coalesce(
-      (
-        select lower(t."email")
-        from "MagicLinkToken" t
-        where t."purpose" = 'vendor_signup'
-          and t."consumedAt" is not null
-          and (t."claim"->>'slug') = v."slug"
-        order by t."consumedAt" desc
-        limit 1
-      ),
-      'unknown+' || v."id" || '@example.invalid'
-    )
-    where v."email" is null
-  `);
-
-  await knex.schema.alterTable('NetworkVendor', (t) => {
-    t.string('email').notNullable().alter();
-    t.index(['email']);
-  });
-}
-
-export async function down(knex: Knex): Promise<void> {
-  await knex.schema.alterTable('NetworkVendor', (t) => {
-    t.dropIndex(['email']);
-    t.dropColumn('email');
-  });
-}
diff --git a/packages/db/migrations/20260501000000_drop_network_tables.ts b/packages/db/migrations/20260501000000_drop_network_tables.ts
new file mode 100644
index 0000000..ca2ef07
--- /dev/null
+++ b/packages/db/migrations/20260501000000_drop_network_tables.ts
@@ -0,0 +1,34 @@
+import type { Knex } from 'knex';
+
+/**
+ * Drop Network + magic-link tables — OSS is now strictly vendor-direct.
+ * The Network service (creator discovery, offering catalog, matchmaking)
+ * lives in a separate private repo and talks to OSS instances over
+ * scoped API keys + REST, not by sharing a schema.
+ *
+ * Uses `drop if exists` so both kinds of database succeed:
+ *   - a fresh OSS install that never had these tables, and
+ *   - an existing deployment that applied the now-deleted network /
+ *     promo_codes / magic_links / vendor_email migrations before this
+ *     one.
+ *
+ * Order matters: drop tables that reference others first. ApiKey has
+ * no direct FK into the Network tables (the scoped-key federation
+ * pattern means the Network holds OUR key, not the other way around),
+ * so ApiKey and everything it cares about is unaffected.
+ */
+export async function up(knex: Knex): Promise<void> {
+  await knex.raw(`drop table if exists "Partnership" cascade`);
+  await knex.raw(`drop table if exists "PartnershipRequest" cascade`);
+  await knex.raw(`drop table if exists "Offering" cascade`);
+  await knex.raw(`drop table if exists "NetworkCreator" cascade`);
+  await knex.raw(`drop table if exists "NetworkVendor" cascade`);
+  await knex.raw(`drop table if exists "MagicLinkToken" cascade`);
+  await knex.raw(`drop table if exists "Session" cascade`);
+  await knex.raw(`drop table if exists "DevMessage" cascade`);
+}
+
+export async function down(_knex: Knex): Promise<void> {
+  // One-way door. Re-creating these tables means switching back to
+  // the Network-embedded model we deliberately moved away from.
+}
diff --git a/packages/db/src/index.ts b/packages/db/src/index.ts
index c08d378..10b8449 100644
--- a/packages/db/src/index.ts
+++ b/packages/db/src/index.ts
@@ -36,14 +36,6 @@ export const TABLES = {
   Payout: 'Payout',
   ApiKey: 'ApiKey',
   Config: 'Config',
-  NetworkVendor: 'NetworkVendor',
-  NetworkCreator: 'NetworkCreator',
-  Offering: 'Offering',
-  PartnershipRequest: 'PartnershipRequest',
-  Partnership: 'Partnership',
-  MagicLinkToken: 'MagicLinkToken',
-  Session: 'Session',
-  DevMessage: 'DevMessage',
   WebhookEndpoint: 'WebhookEndpoint',
   WebhookDelivery: 'WebhookDelivery',
 } as const;
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index 73daa79..035f6d6 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -128,8 +128,6 @@ export interface ApiKeyRow {
   prefix: string;
   keyHash: string;
   partnerId: string | null;
-  networkVendorId: string | null;
-  networkCreatorId: string | null;
   scopes: ApiScope[] | null;
   label: string | null;
   createdAt: Date;
@@ -137,166 +135,6 @@ export interface ApiKeyRow {
   revokedAt: Date | null;
 }
 
-// ---- OpenPartner Network ----
-
-export type NetworkVendorStatus = 'pending' | 'active' | 'suspended';
-export type NetworkCreatorStatus = 'pending' | 'active' | 'suspended';
-export type PartnershipRequestStatus = 'pending' | 'approving' | 'approved' | 'rejected' | 'cancelled';
-export type PartnershipRequestDirection = 'creator_to_vendor' | 'vendor_to_creator';
-export type PartnershipStatus = 'active' | 'ended';
-
-export interface CreatorPlatform {
-  platform: 'youtube' | 'twitter' | 'instagram' | 'tiktok' | 'blog' | 'podcast' | 'other';
-  url: string;
-  followers?: number;
-}
-
-export type OfferingPayout =
-  | { type: 'recurring_percent'; percent: number; durationMonths: number | null } // null = lifetime
-  | { type: 'one_time_fee'; amount: number; currency?: string }
-  | { type: 'tiered_percent'; tiers: Array<{ minRevenueUsd: number; percent: number }> };
-
-export interface OfferingBonus {
-  description: string;
-  triggerRevenueUsd: number;
-  bonusUsd: number;
-}
-
-export interface OfferingTerms {
-  payout: OfferingPayout;
-  bonuses?: OfferingBonus[];
-  cookieWindowDays: number;
-  exclusions?: string[];
-}
-
-export interface NetworkVendorRow {
-  id: string;
-  name: string;
-  slug: string;
-  email: string;
-  websiteUrl: string | null;
-  logoUrl: string | null;
-  description: string | null;
-  instanceUrl: string;
-  instanceKeyCiphertext: string;
-  instanceKeyPrefix: string;
-  routerUrl: string | null;
-  status: NetworkVendorStatus;
-  createdAt: Date;
-  activatedAt: Date | null;
-}
-
-export interface NetworkCreatorRow {
-  id: string;
-  name: string;
-  handle: string;
-  email: string;
-  bio: string | null;
-  avatarUrl: string | null;
-  platforms: CreatorPlatform[];
-  defaultPromoCode: string | null;
-  status: NetworkCreatorStatus;
-  createdAt: Date;
-  activatedAt: Date | null;
-}
-
-export interface OfferingRow {
-  id: string;
-  vendorId: string;
-  title: string;
-  productUrl: string;
-  description: string | null;
-  heroImageUrl: string | null;
-  vendorCampaignId: string;
-  terms: OfferingTerms;
-  published: boolean;
-  createdAt: Date;
-  updatedAt: Date;
-}
-
-export interface PartnershipRequestRow {
-  id: string;
-  offeringId: string;
-  vendorId: string;
-  creatorId: string;
-  direction: PartnershipRequestDirection;
-  message: string | null;
-  promoCode: string | null;
-  status: PartnershipRequestStatus;
-  createdAt: Date;
-  decidedAt: Date | null;
-  decisionNote: string | null;
-}
-
-// ---- Human auth (magic-link + sessions) ----
-
-export type MagicLinkPurpose =
-  | 'creator_signup'
-  | 'creator_signin'
-  | 'vendor_signup'
-  | 'vendor_signin';
-
-export interface MagicLinkCreatorClaim {
-  kind: 'creator';
-  handle: string;
-  name: string;
-}
-
-export interface MagicLinkVendorClaim {
-  kind: 'vendor';
-  name: string;
-  slug: string;
-  instanceUrl: string;
-  // AES-256-GCM envelope of the vendor's instance API key. We only have
-  // the plaintext transiently during /auth/vendor/signup; the token sits
-  // in MagicLinkToken.claim (jsonb) for up to 15 minutes until consumed,
-  // and it must not store federation credentials in the clear.
-  instanceKeyCiphertext: string;
-  instanceKeyPrefix: string;
-  routerUrl?: string;
-  description?: string;
-  websiteUrl?: string;
-  logoUrl?: string;
-}
-
-export type MagicLinkClaim = MagicLinkCreatorClaim | MagicLinkVendorClaim;
-
-export interface MagicLinkTokenRow {
-  id: string;
-  prefix: string;
-  tokenHash: string;
-  email: string;
-  purpose: MagicLinkPurpose;
-  claim: MagicLinkClaim | null;
-  expiresAt: Date;
-  consumedAt: Date | null;
-  createdAt: Date;
-}
-
-export type SessionPrincipalKind = 'network_creator' | 'network_vendor' | 'partner' | 'admin';
-
-export interface SessionRow {
-  id: string;
-  prefix: string;
-  tokenHash: string;
-  principalKind: SessionPrincipalKind;
-  principalId: string;
-  expiresAt: Date;
-  createdAt: Date;
-  lastSeenAt: Date | null;
-  revokedAt: Date | null;
-}
-
-export interface DevMessageRow {
-  id: string;
-  to: string;
-  subject: string;
-  body: string;
-  html: string | null;
-  metadata: Record<string, unknown>;
-  createdAt: Date;
-}
-
 // ---- Outbound webhooks ----
 
 export type WebhookEventType =
@@ -305,7 +143,6 @@ export type WebhookEventType =
   | 'commission.paid'
   | 'commission.reversed'
   | 'payout.created'
-  | 'partnership.approved'
   | (string & {});
 
 export interface WebhookEndpointRow {
@@ -337,20 +174,6 @@ export interface WebhookDeliveryRow {
   lastAttemptAt: Date | null;
 }
 
-export interface PartnershipRow {
-  id: string;
-  requestId: string;
-  offeringId: string;
-  vendorId: string;
-  creatorId: string;
-  vendorPartnerId: string;
-  vendorLinkKey: string;
-  publicShareUrl: string;
-  status: PartnershipStatus;
-  createdAt: Date;
-  endedAt: Date | null;
-}
-
 export interface PayoutRow {
   id: string;
   partnerId: string;

From ea41a6ff2cccf282de20571e1a53622a4a485ae5 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 14:25:03 -0700
Subject: [PATCH 005/131] feat(auth): partner invite + magic-link signin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Admin no longer issues (or sees) partner credentials. The flow is now:

  1. Admin clicks "Invite partner" — enters email + name
  2. OSS creates a Partner with activatedAt=null and emails them a
     one-time magic link via POST /auth/signin or POST /partners
  3. Partner clicks the link → /auth/magic in the portal → POST
     /auth/magic/verify → op_session cookie + activatedAt stamped
  4. Returning partners enter their email on the Login page's Email
     tab → another magic link → back in

Sessions are cookie-backed (prefix+hash like ApiKey; revokable;
30-day TTL). Session cookie is honored alongside Bearer on every
request so the portal works with either auth mode.

New:
  - MagicLinkToken + Session + DevMessage tables (narrow vs. the
    earlier Network-era schema — email + partnerId + purpose only)
  - Partner.activatedAt column (null = invited, backfilled to
    createdAt for existing rows)
  - routes/partner-auth.ts: /auth/signin, /auth/magic/verify,
    /auth/signout, /dev/mailbox
  - POST /partners sends the invite by default (sendInvite=false
    for federation / seeding paths that don't want mail)
  - POST /partners/:id/invite to resend
  - mailer.ts (Postmark + DevMailer fallback), email-templates.ts
  - auth-sessions.ts (issueMagicLink, consumeMagicLink,
    createSession, resolveSession, revokeSession)
  - Portal Login.tsx: Email tab back, MagicLanding.tsx handles the
    ?token=... click, AdminPartners renames "Create" → "Invite"
    and adds resend-invite + status pill

5 new tests for the invite flow (invite-then-verify, single-use
tokens, returning-partner signin, user-enumeration-safe signin,
resend). 49 api / 3 router / 11 sdk, all green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .do/app.yaml                                  |  10 +
 .env.example                                  |   9 +
 apps/api/src/__tests__/partner-invite.test.ts | 184 ++++++++++++++++++
 apps/api/src/app.ts                           |   2 +
 apps/api/src/auth-sessions.ts                 | 135 +++++++++++++
 apps/api/src/auth.ts                          |  11 +-
 apps/api/src/email-templates.ts               |  73 +++++++
 apps/api/src/mailer.ts                        | 103 ++++++++++
 apps/api/src/routes/partner-auth.ts           | 118 +++++++++++
 apps/api/src/routes/partners.ts               |  58 +++++-
 apps/portal/src/App.tsx                       |  12 +-
 apps/portal/src/pages/AdminPartners.tsx       |  43 +++-
 apps/portal/src/pages/auth/Login.tsx          |  99 +++++++++-
 apps/portal/src/pages/auth/MagicLanding.tsx   |  54 +++++
 apps/portal/src/ui.tsx                        |   2 +
 docker-compose.prod.yml                       |   4 +
 docs/deploy.md                                |   3 +-
 .../migrations/20260502000000_partner_auth.ts |  77 ++++++++
 packages/db/src/index.ts                      |   3 +
 packages/db/src/types.ts                      |  37 ++++
 20 files changed, 1022 insertions(+), 15 deletions(-)
 create mode 100644 apps/api/src/__tests__/partner-invite.test.ts
 create mode 100644 apps/api/src/auth-sessions.ts
 create mode 100644 apps/api/src/email-templates.ts
 create mode 100644 apps/api/src/mailer.ts
 create mode 100644 apps/api/src/routes/partner-auth.ts
 create mode 100644 apps/portal/src/pages/auth/MagicLanding.tsx
 create mode 100644 packages/db/migrations/20260502000000_partner_auth.ts

diff --git a/.do/app.yaml b/.do/app.yaml
index e53533c..7506ba5 100644
--- a/.do/app.yaml
+++ b/.do/app.yaml
@@ -57,9 +57,19 @@ services:
         value: ${openpartner-db.DATABASE_URL}
       - key: OPENPARTNER_MODE
         value: flat
+      - key: MAIL_TRANSPORT
+        value: postmark
+      - key: POSTMARK_MESSAGE_STREAM
+        value: outbound
       - key: ADMIN_API_KEY
         type: SECRET
         scope: RUN_TIME
+      - key: POSTMARK_SERVER_TOKEN
+        type: SECRET
+        scope: RUN_TIME
+      - key: MAIL_FROM
+        type: SECRET
+        scope: RUN_TIME
       - key: PORTAL_URL
         type: SECRET
         scope: RUN_TIME
diff --git a/.env.example b/.env.example
index 13cf97a..40db48f 100644
--- a/.env.example
+++ b/.env.example
@@ -40,6 +40,15 @@ PORTAL_URL=http://localhost:5673
 # Optional: extra CORS origins beyond PORTAL_URL, comma-separated.
 CORS_EXTRA_ORIGINS=
 
+# Mail for partner invites + signin links.
+#   dev       → writes to the DevMessage table; admins read at /admin/dev-mailbox.
+#   postmark  → POSTs to api.postmarkapp.com/email (requires the vars below).
+MAIL_TRANSPORT=dev
+MAIL_FROM=OpenPartner <no-reply@example.com>
+POSTMARK_SERVER_TOKEN=
+# Optional — defaults to the "outbound" transactional stream.
+POSTMARK_MESSAGE_STREAM=outbound
+
 # Optional: bearer token required to scrape /metrics. Leave blank and
 # /metrics is open (fine on internal networks). Set it when /metrics is
 # reachable from the public internet.
diff --git a/apps/api/src/__tests__/partner-invite.test.ts b/apps/api/src/__tests__/partner-invite.test.ts
new file mode 100644
index 0000000..092c62e
--- /dev/null
+++ b/apps/api/src/__tests__/partner-invite.test.ts
@@ -0,0 +1,184 @@
+/**
+ * Partner invite + magic-link signin happy paths.
+ *
+ * Uses MAIL_TRANSPORT=dev so the magic link lands in the DevMessage
+ * table where the test can read it back instead of hitting Postmark.
+ */
+
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest';
+import request from 'supertest';
+import { TABLES } from '@openpartner/db';
+import { db } from '../db.js';
+import { createApp } from '../app.js';
+
+const ADMIN_KEY = 'op_test_invite_admin_0123456789abcdef0123';
+process.env.ADMIN_API_KEY = ADMIN_KEY;
+process.env.MAIL_TRANSPORT = 'dev';
+process.env.PORTAL_URL = 'http://localhost:5673';
+
+const skipIntegration = !process.env.DATABASE_URL || process.env.INTEGRATION === 'skip';
+
+const TABLES_TO_CLEAN = [
+  TABLES.Session,
+  TABLES.MagicLinkToken,
+  TABLES.DevMessage,
+  TABLES.ApiKey,
+  TABLES.Partner,
+];
+
+const app = createApp({ enableLogger: false });
+
+beforeAll(async () => {
+  if (skipIntegration) return;
+  await db.raw('select 1');
+});
+
+afterAll(async () => {
+  await db.destroy();
+});
+
+beforeEach(async () => {
+  if (skipIntegration) return;
+  for (const t of TABLES_TO_CLEAN) {
+    await db(t).del();
+  }
+});
+
+/**
+ * Fish the magic-link token out of a dev email body — emails carry the
+ * URL `http://localhost:5673/auth/magic?token=<opml_...>`.
+ */
+function extractToken(body: string): string {
+  const match = /token=([^\s&"]+)/.exec(body);
+  if (!match) throw new Error(`no token in body:\n${body}`);
+  return decodeURIComponent(match[1]!);
+}
+
+describe.skipIf(skipIntegration)('partner invite + signin', () => {
+  it('admin invite creates a pending partner + sends an email; verify activates + issues session', async () => {
+    const created = await request(app)
+      .post('/partners')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ email: 'gracie@example.com', name: 'Gracie' });
+    expect(created.status).toBe(201);
+    expect(created.body.invited).toBe(true);
+    expect(created.body.activatedAt).toBeNull();
+
+    // No admin-visible credential in the response.
+    expect(created.body).not.toHaveProperty('plaintext');
+    expect(created.body).not.toHaveProperty('apiKey');
+
+    const mailbox = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
+    const invite = mailbox.body.messages.find(
+      (m: { to: string; metadata?: { purpose?: string } }) =>
+        m.to === 'gracie@example.com' && m.metadata?.purpose === 'partner_invite',
+    );
+    expect(invite).toBeDefined();
+
+    const token = extractToken(invite.body);
+    const verify = await request(app).post('/auth/magic/verify').send({ token });
+    expect(verify.status).toBe(200);
+    expect(verify.body.role).toBe('partner');
+    expect(verify.body.partner.email).toBe('gracie@example.com');
+
+    // Session cookie set; partner.activatedAt stamped.
+    const setCookie = verify.headers['set-cookie'] as unknown as string[] | undefined;
+    expect(setCookie).toBeTruthy();
+    const cookie = setCookie![0]!.split(';')[0]!;
+    expect(cookie.startsWith('op_session=')).toBe(true);
+
+    const activated = await db(TABLES.Partner).where({ id: created.body.id }).first();
+    expect((activated as { activatedAt: Date | null }).activatedAt).not.toBeNull();
+
+    // whoami with the cookie resolves to the partner
+    const who = await request(app).get('/auth/whoami').set('Cookie', cookie);
+    expect(who.status).toBe(200);
+    expect(who.body.role).toBe('partner');
+    expect(who.body.partnerId).toBe(created.body.id);
+  });
+
+  it('magic-link tokens are single-use — second verify 400s', async () => {
+    await request(app)
+      .post('/partners')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ email: 'dup@example.com', name: 'Dup' });
+
+    const mailbox = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
+    const token = extractToken(mailbox.body.messages[0].body);
+
+    const first = await request(app).post('/auth/magic/verify').send({ token });
+    expect(first.status).toBe(200);
+
+    const second = await request(app).post('/auth/magic/verify').send({ token });
+    expect(second.status).toBe(400);
+    expect(second.body.error).toBe('invalid_or_expired_token');
+  });
+
+  it('returning-partner /auth/signin emails a signin link when the partner is activated', async () => {
+    // Invite + verify to activate.
+    await request(app)
+      .post('/partners')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ email: 'return@example.com', name: 'Return' });
+    let mailbox = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
+    const inviteToken = extractToken(mailbox.body.messages[0].body);
+    await request(app).post('/auth/magic/verify').send({ token: inviteToken });
+
+    // Clear so we can spot the signin email specifically.
+    await db(TABLES.DevMessage).del();
+
+    const signin = await request(app).post('/auth/signin').send({ email: 'return@example.com' });
+    expect(signin.status).toBe(200);
+
+    mailbox = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
+    const signinMsg = mailbox.body.messages.find(
+      (m: { metadata?: { purpose?: string } }) => m.metadata?.purpose === 'partner_signin',
+    );
+    expect(signinMsg).toBeDefined();
+
+    const signinToken = extractToken(signinMsg.body);
+    const verify = await request(app).post('/auth/magic/verify').send({ token: signinToken });
+    expect(verify.status).toBe(200);
+  });
+
+  it('signin for an unknown email silently returns ok (no user enumeration)', async () => {
+    await db(TABLES.DevMessage).del();
+    const res = await request(app).post('/auth/signin').send({ email: 'nobody@example.com' });
+    expect(res.status).toBe(200);
+    expect(res.body.ok).toBe(true);
+
+    const mailbox = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
+    expect(mailbox.body.messages.length).toBe(0);
+  });
+
+  it('resend invite generates a fresh token and 409s once the partner is already activated', async () => {
+    const created = await request(app)
+      .post('/partners')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ email: 'resend@example.com', name: 'Resend' });
+    const partnerId = created.body.id;
+
+    const resend = await request(app)
+      .post(`/partners/${partnerId}/invite`)
+      .set('Authorization', `Bearer ${ADMIN_KEY}`);
+    expect(resend.status).toBe(200);
+
+    // Two invite emails in the mailbox now.
+    const mailbox = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
+    const invites = mailbox.body.messages.filter(
+      (m: { to: string; metadata?: { purpose?: string } }) =>
+        m.to === 'resend@example.com' && m.metadata?.purpose === 'partner_invite',
+    );
+    expect(invites.length).toBe(2);
+
+    // Activate via the latest token, then resend should 409.
+    const token = extractToken(invites[0].body);
+    await request(app).post('/auth/magic/verify').send({ token });
+
+    const after = await request(app)
+      .post(`/partners/${partnerId}/invite`)
+      .set('Authorization', `Bearer ${ADMIN_KEY}`);
+    expect(after.status).toBe(409);
+    expect(after.body.error).toBe('already_activated');
+  });
+});
diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index c9674f7..8940596 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -21,6 +21,7 @@ import { commissionsRouter } from './routes/commissions.js';
 import { exportRouter } from './routes/export.js';
 import { billingRouter } from './routes/billing.js';
 import { authRouter } from './routes/auth.js';
+import { partnerAuthRouter } from './routes/partner-auth.js';
 import { adminOverviewRouter } from './routes/admin-overview.js';
 import { funnelRouter } from './routes/funnel.js';
 import { fraudReviewRouter } from './routes/fraud-review.js';
@@ -101,6 +102,7 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   });
 
   app.use(authRouter);
+  app.use(partnerAuthRouter);
   app.use(funnelRouter);
   app.use(fraudReviewRouter);
   app.use(webhooksRouter);
diff --git a/apps/api/src/auth-sessions.ts b/apps/api/src/auth-sessions.ts
new file mode 100644
index 0000000..6a56691
--- /dev/null
+++ b/apps/api/src/auth-sessions.ts
@@ -0,0 +1,135 @@
+/**
+ * Magic-link token + session primitives — partner auth only.
+ *
+ * Tokens look like `opml_<hex>` and sessions look like `ops_<hex>`. Both
+ * use the same pattern as ApiKey: store a sha256 hash + an 8-char prefix
+ * so lookups are indexed and plaintext is only ever held for the
+ * moment we generate / verify.
+ */
+
+import { createHash, randomBytes } from 'node:crypto';
+import type { CookieOptions } from 'express';
+import { ulid } from 'ulid';
+import {
+  TABLES,
+  type MagicLinkTokenRow,
+  type MagicLinkPurpose,
+  type SessionRow,
+} from '@openpartner/db';
+import { db } from './db.js';
+
+export const SESSION_COOKIE_NAME = 'op_session';
+const TOKEN_PREFIX_LEN = 8;
+const MAGIC_TTL_MS = 15 * 60 * 1000; // 15 minutes
+const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000; // 30 days
+
+function hash(plaintext: string): string {
+  return createHash('sha256').update(plaintext).digest('hex');
+}
+
+function generate(prefixLiteral: string): { plaintext: string; prefix: string; tokenHash: string } {
+  const raw = randomBytes(24).toString('hex');
+  const plaintext = `${prefixLiteral}_${raw}`;
+  return { plaintext, prefix: plaintext.slice(0, TOKEN_PREFIX_LEN), tokenHash: hash(plaintext) };
+}
+
+export interface IssuedMagicLink {
+  plaintext: string;
+  expiresAt: Date;
+}
+
+export async function issueMagicLink(params: {
+  email: string;
+  purpose: MagicLinkPurpose;
+  partnerId: string;
+}): Promise<IssuedMagicLink> {
+  const { plaintext, prefix, tokenHash } = generate('opml');
+  const expiresAt = new Date(Date.now() + MAGIC_TTL_MS);
+  await db<MagicLinkTokenRow>(TABLES.MagicLinkToken).insert({
+    id: ulid(),
+    prefix,
+    tokenHash,
+    email: params.email.toLowerCase(),
+    purpose: params.purpose,
+    partnerId: params.partnerId,
+    expiresAt,
+  });
+  return { plaintext, expiresAt };
+}
+
+export interface ConsumedMagicLink {
+  token: MagicLinkTokenRow;
+}
+
+/**
+ * Consume a magic-link token atomically. Rejects expired, already-consumed,
+ * and unknown tokens. Returns the full token row on success so callers can
+ * branch on purpose + partnerId.
+ */
+export async function consumeMagicLink(plaintext: string): Promise<ConsumedMagicLink | null> {
+  if (plaintext.length < TOKEN_PREFIX_LEN) return null;
+  const prefix = plaintext.slice(0, TOKEN_PREFIX_LEN);
+  const tokenHash = hash(plaintext);
+  const now = new Date();
+
+  // Conditional UPDATE: only marks the row consumed if it's still
+  // consumable — race-safe against duplicate clicks.
+  const updated = await db<MagicLinkTokenRow>(TABLES.MagicLinkToken)
+    .where({ prefix, tokenHash })
+    .whereNull('consumedAt')
+    .andWhere('expiresAt', '>', now)
+    .update({ consumedAt: now })
+    .returning('*');
+
+  const row = updated[0];
+  return row ? { token: row as MagicLinkTokenRow } : null;
+}
+
+export interface IssuedSession {
+  plaintext: string;
+  id: string;
+  expiresAt: Date;
+}
+
+export async function createSession(partnerId: string): Promise<IssuedSession> {
+  const { plaintext, prefix, tokenHash } = generate('ops');
+  const id = ulid();
+  const expiresAt = new Date(Date.now() + SESSION_TTL_MS);
+  await db<SessionRow>(TABLES.Session).insert({
+    id,
+    prefix,
+    tokenHash,
+    partnerId,
+    expiresAt,
+  });
+  return { plaintext, id, expiresAt };
+}
+
+export async function resolveSession(plaintext: string): Promise<SessionRow | null> {
+  if (!plaintext || plaintext.length < TOKEN_PREFIX_LEN) return null;
+  const prefix = plaintext.slice(0, TOKEN_PREFIX_LEN);
+  const tokenHash = hash(plaintext);
+  const now = new Date();
+  const row = await db<SessionRow>(TABLES.Session)
+    .where({ prefix, tokenHash })
+    .whereNull('revokedAt')
+    .andWhere('expiresAt', '>', now)
+    .first();
+  if (!row) return null;
+  void db<SessionRow>(TABLES.Session).where({ id: row.id }).update({ lastSeenAt: now });
+  return row;
+}
+
+export async function revokeSession(id: string): Promise<void> {
+  await db<SessionRow>(TABLES.Session).where({ id }).update({ revokedAt: new Date() });
+}
+
+export function sessionCookieOptions(): CookieOptions {
+  return {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    maxAge: SESSION_TTL_MS,
+  };
+}
diff --git a/apps/api/src/auth.ts b/apps/api/src/auth.ts
index 619a9dd..a9bb001 100644
--- a/apps/api/src/auth.ts
+++ b/apps/api/src/auth.ts
@@ -22,6 +22,7 @@ export type ApiKeyPrincipal =
   | { role: 'admin'; source: 'env' }
   | { role: 'admin'; source: 'db'; apiKeyId: string }
   | { role: 'partner'; source: 'db'; apiKeyId: string; partnerId: string }
+  | { role: 'partner'; source: 'session'; sessionId: string; partnerId: string }
   | { role: 'scoped'; source: 'db'; apiKeyId: string; scopes: string[] };
 
 declare global {
@@ -78,7 +79,15 @@ export function requirePartnerOrAdmin(paramName: string = 'id') {
 
 async function resolvePrincipal(req: Request): Promise<ApiKeyPrincipal | null> {
   const header = req.header('authorization');
-  if (!header) return null;
+  if (!header) {
+    // No Bearer — fall back to the session cookie (set by magic-link verify).
+    const cookie = (req as unknown as { cookies?: Record<string, string> }).cookies?.op_session;
+    if (!cookie) return null;
+    const { resolveSession } = await import('./auth-sessions.js');
+    const session = await resolveSession(cookie);
+    if (!session) return null;
+    return { role: 'partner', source: 'session', sessionId: session.id, partnerId: session.partnerId };
+  }
 
   const match = /^Bearer\s+(\S+)$/i.exec(header);
   if (!match) return null;
diff --git a/apps/api/src/email-templates.ts b/apps/api/src/email-templates.ts
new file mode 100644
index 0000000..138adc6
--- /dev/null
+++ b/apps/api/src/email-templates.ts
@@ -0,0 +1,73 @@
+/**
+ * Minimal email templates for partner invite + signin. Plain-text body
+ * is always authoritative — the HTML body is a simple wrapper so it
+ * renders cleanly in Gmail / Outlook without requiring MJML or a
+ * templating engine.
+ */
+
+export function buildMagicLinkUrl(token: string): string {
+  const base = (process.env.PORTAL_URL ?? 'http://localhost:5673').replace(/\/$/, '');
+  return `${base}/auth/magic?token=${encodeURIComponent(token)}`;
+}
+
+export interface EmailTemplate {
+  subject: string;
+  text: string;
+  html: string;
+}
+
+export function partnerInviteEmail(name: string, link: string): EmailTemplate {
+  const subject = `You're invited to the partner program`;
+  const text = [
+    `Hi ${name},`,
+    ``,
+    `You've been invited to join the partner program. Click the link below`,
+    `to accept and set up your dashboard:`,
+    ``,
+    link,
+    ``,
+    `This link is good for 15 minutes.`,
+  ].join('\n');
+  return { subject, text, html: wrap(text, link, 'Accept invite') };
+}
+
+export function partnerSigninEmail(name: string, link: string): EmailTemplate {
+  const subject = `Your partner dashboard sign-in link`;
+  const text = [
+    `Hi ${name},`,
+    ``,
+    `Click the link below to sign in to your partner dashboard:`,
+    ``,
+    link,
+    ``,
+    `This link is good for 15 minutes. If you didn't ask for it, ignore this email.`,
+  ].join('\n');
+  return { subject, text, html: wrap(text, link, 'Sign in') };
+}
+
+function wrap(text: string, cta: string, ctaLabel: string): string {
+  const escaped = text
+    .split('\n')
+    .map((line) =>
+      line.startsWith('http')
+        ? `<a href="${cta}" style="color:#2dd4bf">${cta}</a>`
+        : line.replace(/</g, '&lt;').replace(/>/g, '&gt;'),
+    )
+    .join('<br>');
+  return `<!DOCTYPE html>
+<html>
+  <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background:#f4f4f5; padding:24px 0; margin:0;">
+    <table role="presentation" width="100%" cellspacing="0" cellpadding="0" border="0">
+      <tr><td align="center">
+        <table role="presentation" width="520" cellspacing="0" cellpadding="0" border="0" style="background:#ffffff; border-radius:8px; overflow:hidden;">
+          <tr><td style="padding:28px 32px; color:#1f2937; font-size:14px; line-height:1.6;">
+            ${escaped}
+            <br><br>
+            <a href="${cta}" style="display:inline-block; background:#2dd4bf; color:#041115; padding:10px 18px; border-radius:6px; text-decoration:none; font-weight:600;">${ctaLabel}</a>
+          </td></tr>
+        </table>
+      </td></tr>
+    </table>
+  </body>
+</html>`;
+}
diff --git a/apps/api/src/mailer.ts b/apps/api/src/mailer.ts
new file mode 100644
index 0000000..3c60d11
--- /dev/null
+++ b/apps/api/src/mailer.ts
@@ -0,0 +1,103 @@
+/**
+ * Transactional mailer for partner invite + signin magic links.
+ *
+ * Two transports:
+ *   dev       writes to the DevMessage table so tests + local devs can
+ *             read the link back without Postmark credentials.
+ *   postmark  POSTs to api.postmarkapp.com/email.
+ *
+ * Minimal and partner-scoped — the earlier multi-purpose mailer (creator
+ * signups, vendor approvals, cross-network notifications) was carved out
+ * with the Network service.
+ */
+
+import { ulid } from 'ulid';
+import { TABLES, type DevMessageRow } from '@openpartner/db';
+import { db } from './db.js';
+
+export interface Message {
+  to: string;
+  subject: string;
+  text: string;
+  html?: string;
+  tag?: string;
+  metadata?: Record<string, unknown>;
+}
+
+export interface Mailer {
+  send(msg: Message): Promise<void>;
+}
+
+class DevMailer implements Mailer {
+  async send(msg: Message): Promise<void> {
+    await db<DevMessageRow>(TABLES.DevMessage).insert({
+      id: ulid(),
+      to: msg.to,
+      subject: msg.subject,
+      body: msg.text,
+      html: msg.html ?? null,
+      metadata: (msg.metadata ?? {}) as unknown as never,
+    });
+    // Also print so `pnpm dev:api` shows the link without opening the portal.
+    console.log(`[dev-mail] to=${msg.to} subject=${JSON.stringify(msg.subject)}`);
+  }
+}
+
+class PostmarkMailer implements Mailer {
+  constructor(
+    private readonly serverToken: string,
+    private readonly from: string,
+    private readonly messageStream: string,
+  ) {}
+
+  async send(msg: Message): Promise<void> {
+    const res = await fetch('https://api.postmarkapp.com/email', {
+      method: 'POST',
+      headers: {
+        'content-type': 'application/json',
+        accept: 'application/json',
+        'X-Postmark-Server-Token': this.serverToken,
+      },
+      body: JSON.stringify({
+        From: this.from,
+        To: msg.to,
+        Subject: msg.subject,
+        TextBody: msg.text,
+        HtmlBody: msg.html,
+        Tag: msg.tag,
+        MessageStream: this.messageStream,
+        Metadata: msg.metadata,
+      }),
+    });
+    if (!res.ok) {
+      throw new Error(`postmark ${res.status}: ${await res.text().catch(() => '<no body>')}`);
+    }
+    const json = (await res.json().catch(() => ({}))) as { ErrorCode?: number; Message?: string };
+    if (json.ErrorCode && json.ErrorCode !== 0) {
+      throw new Error(`postmark error ${json.ErrorCode}: ${json.Message ?? 'unknown'}`);
+    }
+  }
+}
+
+let cached: Mailer | null = null;
+
+export function getMailer(): Mailer {
+  if (cached) return cached;
+  const transport = process.env.MAIL_TRANSPORT ?? 'dev';
+  if (transport === 'postmark') {
+    const token = process.env.POSTMARK_SERVER_TOKEN;
+    const from = process.env.MAIL_FROM;
+    if (!token || !from) {
+      throw new Error('MAIL_TRANSPORT=postmark requires POSTMARK_SERVER_TOKEN and MAIL_FROM');
+    }
+    cached = new PostmarkMailer(token, from, process.env.POSTMARK_MESSAGE_STREAM ?? 'outbound');
+    return cached;
+  }
+  cached = new DevMailer();
+  return cached;
+}
+
+/** For tests: swap in a mock mailer. */
+export function __setMailerForTests(mailer: Mailer | null): void {
+  cached = mailer;
+}
diff --git a/apps/api/src/routes/partner-auth.ts b/apps/api/src/routes/partner-auth.ts
new file mode 100644
index 0000000..dea1669
--- /dev/null
+++ b/apps/api/src/routes/partner-auth.ts
@@ -0,0 +1,118 @@
+/**
+ * Partner-facing authentication:
+ *
+ *   POST /auth/signin          email → magic link (returning partners)
+ *   POST /auth/magic/verify    token → session cookie + whoami
+ *   POST /auth/signout         revokes the session cookie
+ *   GET  /dev/mailbox          (admin) reads the DevMessage outbox
+ *
+ * The invite-on-create side lives on POST /partners in partners.ts — this
+ * file handles everything the partner themselves interacts with.
+ */
+
+import { Router } from 'express';
+import { z } from 'zod';
+import { TABLES, type DevMessageRow, type PartnerRow } from '@openpartner/db';
+import { db } from '../db.js';
+import { requireAdmin, requireAuth } from '../auth.js';
+import {
+  SESSION_COOKIE_NAME,
+  consumeMagicLink,
+  createSession,
+  issueMagicLink,
+  revokeSession,
+  sessionCookieOptions,
+} from '../auth-sessions.js';
+import { getMailer } from '../mailer.js';
+import { ipRateLimit } from '../middleware/rate-limit.js';
+import { buildMagicLinkUrl, partnerSigninEmail } from '../email-templates.js';
+
+export const partnerAuthRouter = Router();
+
+// 10/min per IP keeps an attacker from email-bombing a known address.
+const mailAuthLimit = ipRateLimit({ name: 'partner-auth-mail', max: 10, windowMs: 60_000 });
+// Verify brute-force: single-use tokens make this moot, but cheap to cap.
+const verifyLimit = ipRateLimit({ name: 'partner-auth-verify', max: 30, windowMs: 60_000 });
+
+const signinSchema = z.object({ email: z.string().email() });
+const verifySchema = z.object({ token: z.string().min(8) });
+
+// -------- Returning-partner signin --------
+
+partnerAuthRouter.post('/auth/signin', mailAuthLimit, async (req, res) => {
+  const body = signinSchema.safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const email = body.data.email.toLowerCase();
+  const partner = await db<PartnerRow>(TABLES.Partner).where({ email }).first();
+
+  // Intentionally always return {ok:true} — don't leak whether the email
+  // belongs to a known partner. Only issue + email a link if we'd
+  // actually let them in.
+  if (partner && partner.activatedAt) {
+    const issued = await issueMagicLink({ email, purpose: 'partner_signin', partnerId: partner.id });
+    const tmpl = partnerSigninEmail(partner.name, buildMagicLinkUrl(issued.plaintext));
+    await getMailer().send({
+      to: email,
+      subject: tmpl.subject,
+      text: tmpl.text,
+      html: tmpl.html,
+      tag: 'partner_signin',
+      metadata: { purpose: 'partner_signin', partnerId: partner.id },
+    });
+  }
+  res.json({ ok: true });
+});
+
+// -------- Magic-link verify (both invite + signin share this endpoint) --------
+
+partnerAuthRouter.post('/auth/magic/verify', verifyLimit, async (req, res) => {
+  const body = verifySchema.safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const consumed = await consumeMagicLink(body.data.token);
+  if (!consumed) return res.status(400).json({ error: 'invalid_or_expired_token' });
+
+  const partner = await db<PartnerRow>(TABLES.Partner).where({ id: consumed.token.partnerId }).first();
+  if (!partner) return res.status(404).json({ error: 'partner_not_found' });
+
+  // Invite tokens activate the partner as a side-effect of the first login.
+  if (consumed.token.purpose === 'partner_invite' && !partner.activatedAt) {
+    await db<PartnerRow>(TABLES.Partner)
+      .where({ id: partner.id })
+      .update({ activatedAt: new Date(), updatedAt: new Date() });
+  }
+
+  const session = await createSession(partner.id);
+  res.cookie(SESSION_COOKIE_NAME, session.plaintext, sessionCookieOptions());
+  res.json({
+    ok: true,
+    role: 'partner',
+    partner: {
+      id: partner.id,
+      name: partner.name,
+      email: partner.email,
+      stripeConnected: !!partner.stripeConnectAccountId,
+    },
+  });
+});
+
+// -------- Signout --------
+
+partnerAuthRouter.post('/auth/signout', async (req, res) => {
+  const cookie = (req as unknown as { cookies?: Record<string, string> }).cookies?.[SESSION_COOKIE_NAME];
+  if (cookie) {
+    const { resolveSession } = await import('../auth-sessions.js');
+    const session = await resolveSession(cookie);
+    if (session) await revokeSession(session.id);
+  }
+  res.clearCookie(SESSION_COOKIE_NAME, { path: '/' });
+  res.json({ ok: true });
+});
+
+// -------- Dev mailbox — admin-only read of the DevMessage outbox --------
+
+partnerAuthRouter.get('/dev/mailbox', requireAuth, requireAdmin, async (_req, res) => {
+  const messages = await db<DevMessageRow>(TABLES.DevMessage).orderBy('createdAt', 'desc').limit(100);
+  res.json({ messages });
+});
diff --git a/apps/api/src/routes/partners.ts b/apps/api/src/routes/partners.ts
index 47f13f7..b5c19ab 100644
--- a/apps/api/src/routes/partners.ts
+++ b/apps/api/src/routes/partners.ts
@@ -4,30 +4,84 @@ import { ulid } from 'ulid';
 import { TABLES, type PartnerRow } from '@openpartner/db';
 import { db } from '../db.js';
 import { grantScope, requireAdmin, requireAuth, requirePartnerOrAdmin } from '../auth.js';
+import { issueMagicLink } from '../auth-sessions.js';
+import { getMailer } from '../mailer.js';
+import { buildMagicLinkUrl, partnerInviteEmail } from '../email-templates.js';
 
 const createSchema = z.object({
   email: z.string().email(),
   name: z.string().min(1),
   metadata: z.record(z.unknown()).optional(),
+  // Admin can opt out of the invite email (e.g. federation creating a
+  // Partner row on behalf of an external creator network). Default is
+  // "invite them" since that's the intent of the admin UI.
+  sendInvite: z.boolean().optional(),
 });
 
 export const partnersRouter = Router();
 
+/**
+ * Create a partner and, by default, send them an invite magic link. The
+ * partner starts with `activatedAt = null`; when they click the link,
+ * verify flips that to now() and issues a session. Admin never sees a
+ * partner-facing credential.
+ */
 partnersRouter.post('/partners', requireAuth, grantScope('partners:write'), requireAdmin, async (req, res) => {
   const body = createSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
+  const sendInvite = body.data.sendInvite !== false;
+  const email = body.data.email.toLowerCase();
   const id = ulid();
   const [partner] = await db<PartnerRow>(TABLES.Partner)
     .insert({
       id,
-      email: body.data.email,
+      email,
       name: body.data.name,
       metadata: body.data.metadata ?? {},
+      // sendInvite=false means the caller is responsible for activating
+      // (federation client, admin seeding, etc); skip the pending state.
+      activatedAt: sendInvite ? null : new Date(),
     })
     .returning('*');
 
-  res.status(201).json(partner);
+  if (sendInvite) {
+    const issued = await issueMagicLink({ email, purpose: 'partner_invite', partnerId: id });
+    const tmpl = partnerInviteEmail(body.data.name, buildMagicLinkUrl(issued.plaintext));
+    await getMailer().send({
+      to: email,
+      subject: tmpl.subject,
+      text: tmpl.text,
+      html: tmpl.html,
+      tag: 'partner_invite',
+      metadata: { purpose: 'partner_invite', partnerId: id },
+    });
+  }
+
+  res.status(201).json({ ...partner, invited: sendInvite });
+});
+
+/**
+ * Re-send an invite for a partner who hasn't accepted yet. Admin only.
+ * Idempotent: multiple sends are fine; the partner can click any one
+ * (they all expire in 15 minutes).
+ */
+partnersRouter.post('/partners/:id/invite', requireAuth, requireAdmin, async (req, res) => {
+  const partner = await db<PartnerRow>(TABLES.Partner).where({ id: req.params.id }).first();
+  if (!partner) return res.status(404).json({ error: 'not_found' });
+  if (partner.activatedAt) return res.status(409).json({ error: 'already_activated' });
+
+  const issued = await issueMagicLink({ email: partner.email, purpose: 'partner_invite', partnerId: partner.id });
+  const tmpl = partnerInviteEmail(partner.name, buildMagicLinkUrl(issued.plaintext));
+  await getMailer().send({
+    to: partner.email,
+    subject: tmpl.subject,
+    text: tmpl.text,
+    html: tmpl.html,
+    tag: 'partner_invite',
+    metadata: { purpose: 'partner_invite', partnerId: partner.id, resend: true },
+  });
+  res.json({ ok: true });
 });
 
 partnersRouter.get('/partners', requireAuth, requireAdmin, async (_req, res) => {
diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index b87ad69..94ac9c2 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -25,6 +25,7 @@ import { AdminCampaigns } from './pages/AdminCampaigns.js';
 import { AdminReview } from './pages/AdminReview.js';
 import { AdminExport } from './pages/AdminExport.js';
 import { LoginPage } from './pages/auth/Login.js';
+import { MagicLandingPage } from './pages/auth/MagicLanding.js';
 import { WebhooksPage } from './pages/admin/Webhooks.js';
 import { FraudReviewPage } from './pages/FraudReview.js';
 
@@ -38,6 +39,7 @@ export function App() {
     <BrowserRouter>
       <Routes>
         <Route path="/login" element={<LoginPage />} />
+        <Route path="/auth/magic" element={<MagicLandingPage />} />
         <Route path="/*" element={<Shell />} />
       </Routes>
     </BrowserRouter>
@@ -129,8 +131,16 @@ function Sidebar({ principal }: { principal: Principal }) {
       </div>
 
       <button
-        onClick={() => {
+        onClick={async () => {
           clearApiKey();
+          // Fire-and-forget — server-side revokes the session. If we're
+          // signed in via API key only, the server sees no cookie and
+          // just returns 200.
+          try {
+            await api('/auth/signout', { method: 'POST' });
+          } catch {
+            /* ignore */
+          }
           nav('/login');
         }}
         style={{
diff --git a/apps/portal/src/pages/AdminPartners.tsx b/apps/portal/src/pages/AdminPartners.tsx
index e67c25d..8200573 100644
--- a/apps/portal/src/pages/AdminPartners.tsx
+++ b/apps/portal/src/pages/AdminPartners.tsx
@@ -12,6 +12,7 @@ interface Partner {
   name: string;
   stripeConnectAccountId: string | null;
   createdAt: string;
+  activatedAt: string | null;
 }
 
 export function AdminPartners() {
@@ -24,10 +25,10 @@ export function AdminPartners() {
   return (
     <Page
       title="Partners"
-      subtitle="Create partner accounts and issue their personal API keys."
+      subtitle="Invite partners — they set up their own dashboard via an emailed magic link."
       actions={
         <Button icon={<Plus size={14} />} onClick={() => setShowCreate(true)}>
-          New partner
+          Invite partner
         </Button>
       }
     >
@@ -47,22 +48,29 @@ export function AdminPartners() {
       {partners.isLoading ? (
         <Card>Loading…</Card>
       ) : (partners.data?.partners ?? []).length === 0 ? (
-        <EmptyState title="No partners yet" hint="Create one to start tracking attributed revenue." icon={<Users size={28} strokeWidth={1.25} />} />
+        <EmptyState title="No partners yet" hint="Invite one to start tracking attributed revenue." icon={<Users size={28} strokeWidth={1.25} />} />
       ) : (
         <Table
-          columns={['Partner', 'Email', 'Stripe', 'Created', 'Actions']}
+          columns={['Partner', 'Email', 'Status', 'Stripe', 'Created', 'Actions']}
           rows={(partners.data?.partners ?? []).map((p) => [
             <div style={{ display: 'flex', alignItems: 'center', gap: 10 }}>
               <Avatar name={p.name} size={28} />
               <span style={{ fontWeight: 500 }}>{p.name}</span>
             </div>,
             <span style={{ color: theme.textMuted }}>{p.email}</span>,
+            p.activatedAt ? <StatusPill status="active" /> : <StatusPill status="invited" />,
             p.stripeConnectAccountId ? <StatusPill status="connected" /> : <span style={{ color: theme.textDim }}>—</span>,
             <span style={{ color: theme.textMuted }}>{formatDate(p.createdAt, { relative: true })}</span>,
             <div style={{ display: 'flex', gap: 6 }}>
               <Link to={`/links?partnerId=${p.id}`} style={{ color: theme.accent, fontSize: 13 }}>Links</Link>
               <span style={{ color: theme.border }}>·</span>
               <Link to={`/payouts?partnerId=${p.id}`} style={{ color: theme.accent, fontSize: 13 }}>Payouts</Link>
+              {!p.activatedAt && (
+                <>
+                  <span style={{ color: theme.border }}>·</span>
+                  <ResendInvite partnerId={p.id} />
+                </>
+              )}
               <span style={{ color: theme.border }}>·</span>
               <button
                 onClick={() => setIssueKeyFor(p)}
@@ -88,7 +96,10 @@ function CreatePartner({ onClose, onCreated }: { onClose: () => void; onCreated:
 
   return (
     <Card style={{ marginBottom: 14 }}>
-      <div style={{ fontSize: 15, fontWeight: 500, marginBottom: 14 }}>New partner</div>
+      <div style={{ fontSize: 15, fontWeight: 500, marginBottom: 6 }}>Invite a partner</div>
+      <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 14 }}>
+        They'll get an email with a one-time link to set up their dashboard.
+      </div>
       <ErrorBanner error={mut.error} />
       <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 14, marginBottom: 14 }}>
         <div>
@@ -102,7 +113,7 @@ function CreatePartner({ onClose, onCreated }: { onClose: () => void; onCreated:
       </div>
       <div style={{ display: 'flex', gap: 8 }}>
         <Button onClick={() => mut.mutate()} disabled={!name || !email || mut.isPending}>
-          {mut.isPending ? 'Creating…' : 'Create partner'}
+          {mut.isPending ? 'Sending…' : 'Send invite'}
         </Button>
         <Button variant="secondary" onClick={onClose}>Cancel</Button>
       </div>
@@ -110,6 +121,26 @@ function CreatePartner({ onClose, onCreated }: { onClose: () => void; onCreated:
   );
 }
 
+function ResendInvite({ partnerId }: { partnerId: string }) {
+  const [sent, setSent] = useState(false);
+  const mut = useMutation({
+    mutationFn: () => api(`/partners/${partnerId}/invite`, { method: 'POST' }),
+    onSuccess: () => {
+      setSent(true);
+      setTimeout(() => setSent(false), 2000);
+    },
+  });
+  return (
+    <button
+      onClick={() => mut.mutate()}
+      disabled={mut.isPending}
+      style={{ background: 'none', border: 'none', padding: 0, fontSize: 13, color: theme.accent, cursor: 'pointer' }}
+    >
+      {sent ? 'Sent' : mut.isPending ? 'Sending…' : 'Resend invite'}
+    </button>
+  );
+}
+
 function IssueKey({ partner, onClose }: { partner: Partner; onClose: () => void }) {
   const [label, setLabel] = useState('');
   const [copied, setCopied] = useState(false);
diff --git a/apps/portal/src/pages/auth/Login.tsx b/apps/portal/src/pages/auth/Login.tsx
index 5a17b22..d45527f 100644
--- a/apps/portal/src/pages/auth/Login.tsx
+++ b/apps/portal/src/pages/auth/Login.tsx
@@ -1,18 +1,109 @@
-import { useState } from 'react';
+import { useState, type ReactNode } from 'react';
 import { useNavigate } from 'react-router-dom';
-import { KeyRound } from 'lucide-react';
+import { KeyRound, Mail } from 'lucide-react';
 import { api, clearApiKey, setApiKey, ApiError, type Principal } from '../../api.js';
 import { theme } from '../../theme.js';
 import { Logo, AuthFrame } from './Shared.js';
 
+type Tab = 'email' | 'key';
+
 export function LoginPage() {
+  const [tab, setTab] = useState<Tab>('email');
   return (
-    <AuthFrame title="Sign in" subtitle="Paste your API key to continue.">
-      <KeyTab />
+    <AuthFrame title="Sign in" subtitle="Choose how you want to sign in.">
+      <div style={{ display: 'flex', gap: 4, background: theme.bg, padding: 4, borderRadius: theme.radiusSm, marginBottom: 20 }}>
+        <TabButton active={tab === 'email'} onClick={() => setTab('email')} icon={<Mail size={14} />}>
+          Email
+        </TabButton>
+        <TabButton active={tab === 'key'} onClick={() => setTab('key')} icon={<KeyRound size={14} />}>
+          API key
+        </TabButton>
+      </div>
+      {tab === 'email' ? <EmailTab /> : <KeyTab />}
     </AuthFrame>
   );
 }
 
+function TabButton({ active, onClick, icon, children }: { active: boolean; onClick: () => void; icon: ReactNode; children: ReactNode }) {
+  return (
+    <button
+      type="button"
+      onClick={onClick}
+      style={{
+        flex: 1,
+        padding: '7px 10px',
+        background: active ? theme.surface : 'transparent',
+        color: active ? theme.text : theme.textMuted,
+        border: 'none',
+        borderRadius: theme.radiusSm,
+        fontSize: 13,
+        fontWeight: 500,
+        cursor: 'pointer',
+        display: 'inline-flex',
+        alignItems: 'center',
+        gap: 6,
+        justifyContent: 'center',
+      }}
+    >
+      {icon}
+      {children}
+    </button>
+  );
+}
+
+function EmailTab() {
+  const [email, setEmail] = useState('');
+  const [sent, setSent] = useState(false);
+  const [busy, setBusy] = useState(false);
+  const [err, setErr] = useState<string | null>(null);
+
+  async function submit(e: React.FormEvent) {
+    e.preventDefault();
+    setBusy(true);
+    setErr(null);
+    try {
+      await api('/auth/signin', { method: 'POST', body: { email } });
+      setSent(true);
+    } catch (e) {
+      setErr(e instanceof Error ? e.message : 'Something went wrong.');
+    } finally {
+      setBusy(false);
+    }
+  }
+
+  if (sent) {
+    return (
+      <div style={{ background: theme.successSoft, border: `1px solid ${theme.success}55`, padding: 14, borderRadius: theme.radiusSm, fontSize: 13, color: theme.success }}>
+        <div style={{ fontWeight: 500, marginBottom: 4 }}>Check your inbox</div>
+        <div style={{ color: `${theme.success}cc` }}>
+          If an account exists for <strong>{email}</strong>, we sent a sign-in link. It's good for 15 minutes.
+        </div>
+      </div>
+    );
+  }
+
+  return (
+    <form onSubmit={submit}>
+      <div style={{ position: 'relative' }}>
+        <Mail size={15} style={{ position: 'absolute', left: 12, top: 12, color: theme.textDim, pointerEvents: 'none' }} />
+        <input
+          type="email"
+          value={email}
+          onChange={(e) => setEmail(e.target.value)}
+          placeholder="you@example.com"
+          autoFocus
+          required
+          style={inputStyle}
+        />
+      </div>
+      {err && <div style={{ color: theme.danger, fontSize: 13, marginTop: 8 }}>{err}</div>}
+      <button type="submit" disabled={busy || !email} style={primaryBtnStyle(busy || !email)}>
+        {busy ? 'Sending…' : 'Email me a sign-in link'}
+      </button>
+    </form>
+  );
+}
+
 function KeyTab() {
   const nav = useNavigate();
   const [token, setToken] = useState('');
diff --git a/apps/portal/src/pages/auth/MagicLanding.tsx b/apps/portal/src/pages/auth/MagicLanding.tsx
new file mode 100644
index 0000000..274c90d
--- /dev/null
+++ b/apps/portal/src/pages/auth/MagicLanding.tsx
@@ -0,0 +1,54 @@
+import { useEffect, useState } from 'react';
+import { useNavigate, useSearchParams } from 'react-router-dom';
+import { api, clearApiKey } from '../../api.js';
+import { theme } from '../../theme.js';
+import { AuthFrame } from './Shared.js';
+
+/**
+ * Terminal page for an emailed magic link. URL is `/auth/magic?token=...`.
+ * We POST the token to /auth/magic/verify — server sets the op_session
+ * cookie on success — then redirect to the dashboard. Any leftover API
+ * key in localStorage is cleared so the new session takes precedence.
+ */
+export function MagicLandingPage() {
+  const [params] = useSearchParams();
+  const nav = useNavigate();
+  const [state, setState] = useState<'verifying' | 'ok' | 'failed'>('verifying');
+  const [detail, setDetail] = useState<string | null>(null);
+
+  useEffect(() => {
+    const token = params.get('token');
+    if (!token) {
+      setState('failed');
+      setDetail('No token in URL.');
+      return;
+    }
+    clearApiKey();
+    api<{ ok: boolean }>('/auth/magic/verify', { method: 'POST', body: { token } })
+      .then(() => {
+        setState('ok');
+        setTimeout(() => nav('/', { replace: true }), 400);
+      })
+      .catch((err) => {
+        setState('failed');
+        setDetail(
+          err && typeof err === 'object' && 'message' in err ? String((err as { message: unknown }).message) : 'Link is invalid or expired.',
+        );
+      });
+  }, [nav, params]);
+
+  return (
+    <AuthFrame title="Signing you in" subtitle="One moment…">
+      {state === 'verifying' && <div style={{ color: theme.textMuted, fontSize: 14 }}>Verifying your link…</div>}
+      {state === 'ok' && <div style={{ color: theme.success, fontSize: 14 }}>Signed in. Redirecting…</div>}
+      {state === 'failed' && (
+        <div style={{ color: theme.danger, fontSize: 14 }}>
+          {detail ?? 'Could not verify.'}
+          <div style={{ color: theme.textDim, fontSize: 13, marginTop: 10 }}>
+            Ask for a new link from the sign-in page.
+          </div>
+        </div>
+      )}
+    </AuthFrame>
+  );
+}
diff --git a/apps/portal/src/ui.tsx b/apps/portal/src/ui.tsx
index 477311f..8a98e8f 100644
--- a/apps/portal/src/ui.tsx
+++ b/apps/portal/src/ui.tsx
@@ -309,6 +309,8 @@ export function StatusPill({ status }: { status: string }) {
     pending: { bg: theme.surface2, fg: theme.textMuted },
     failed: { bg: theme.dangerSoft, fg: theme.danger },
     connected: { bg: theme.successSoft, fg: theme.success },
+    invited: { bg: theme.warnSoft, fg: theme.warn },
+    active: { bg: theme.successSoft, fg: theme.success },
   };
   const c = palette[status] ?? { bg: theme.surface2, fg: theme.textMuted };
   return (
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 00d564d..cf190ee 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -54,6 +54,10 @@ services:
       ADMIN_API_KEY: ${ADMIN_API_KEY}
       OPENPARTNER_MODE: ${OPENPARTNER_MODE:-selfhost}
       PORTAL_URL: https://${PORTAL_HOST:-portal.${OPENPARTNER_DOMAIN}}
+      MAIL_TRANSPORT: ${MAIL_TRANSPORT:-dev}
+      POSTMARK_SERVER_TOKEN: ${POSTMARK_SERVER_TOKEN:-}
+      MAIL_FROM: ${MAIL_FROM:-}
+      POSTMARK_MESSAGE_STREAM: ${POSTMARK_MESSAGE_STREAM:-outbound}
       METRICS_TOKEN: ${METRICS_TOKEN:-}
       STRIPE_SECRET_KEY: ${STRIPE_SECRET_KEY:-}
       STRIPE_WEBHOOK_SECRET: ${STRIPE_WEBHOOK_SECRET:-}
diff --git a/docs/deploy.md b/docs/deploy.md
index 8adfc53..43329ce 100644
--- a/docs/deploy.md
+++ b/docs/deploy.md
@@ -26,7 +26,8 @@ Ingress rules fan incoming traffic out: `/api/*` → `api`, everything else →
    ```
 3. **Set the secrets** App Platform marked as `SECRET` in the spec:
    - `ADMIN_API_KEY` — bootstrap admin token. Generate with `node -e "console.log('op_' + require('crypto').randomBytes(24).toString('hex'))"`.
-   - `PORTAL_URL` — e.g. `https://partners.yourdomain.com`. Required in production (CORS allowlist).
+   - `PORTAL_URL` — e.g. `https://partners.yourdomain.com`. Required in production (CORS allowlist + invite email links).
+   - `POSTMARK_SERVER_TOKEN`, `MAIL_FROM` — Postmark credentials + verified sender for partner invite + signin emails. Leave `MAIL_TRANSPORT=dev` for local / skip-email deploys.
    - `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET`, `STRIPE_FLAT_PRICE_ID` — only if running `flat` or `revshare` mode.
    - `COOKIE_DOMAIN` — `.yourdomain.com` so the router's `_cref` cookie covers your landing pages.
    - `METRICS_TOKEN` — optional; set to require Bearer auth on `/metrics`.
diff --git a/packages/db/migrations/20260502000000_partner_auth.ts b/packages/db/migrations/20260502000000_partner_auth.ts
new file mode 100644
index 0000000..a71c428
--- /dev/null
+++ b/packages/db/migrations/20260502000000_partner_auth.ts
@@ -0,0 +1,77 @@
+import type { Knex } from 'knex';
+
+/**
+ * Partner invite + signin flow.
+ *
+ *   Partner.activatedAt   null while the partner has been invited but
+ *                          hasn't accepted yet. Stamped when they verify
+ *                          their magic link.
+ *
+ *   MagicLinkToken        single-use, short-lived. purpose='partner_invite'
+ *                          for the initial acceptance, 'partner_signin'
+ *                          for returning logins. partnerId is the partner
+ *                          the token resolves to.
+ *
+ *   Session               cookie-backed auth state. The portal stores an
+ *                          op_session cookie; the API verifies on each
+ *                          request via the same prefix+hash scheme as
+ *                          ApiKey. Revocable server-side.
+ *
+ *   DevMessage            stand-in "outbox" for MAIL_TRANSPORT=dev — lets
+ *                          integration tests and local devs read the link
+ *                          instead of setting up Postmark.
+ */
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Partner', (t) => {
+    t.timestamp('activatedAt', { useTz: true });
+  });
+  // Existing rows — before the invite flow existed — were all implicitly
+  // active. Stamp activatedAt so they still authenticate normally.
+  await knex.raw(`update "Partner" set "activatedAt" = "createdAt" where "activatedAt" is null`);
+
+  await knex.schema.createTable('MagicLinkToken', (t) => {
+    t.string('id').primary();
+    t.string('prefix').notNullable();
+    t.string('tokenHash').notNullable();
+    t.string('email').notNullable();
+    t.string('purpose').notNullable(); // 'partner_invite' | 'partner_signin'
+    t.string('partnerId').notNullable().references('id').inTable('Partner').onDelete('CASCADE');
+    t.timestamp('expiresAt', { useTz: true }).notNullable();
+    t.timestamp('consumedAt', { useTz: true });
+    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
+    t.index(['prefix']);
+    t.index(['email', 'purpose']);
+  });
+
+  await knex.schema.createTable('Session', (t) => {
+    t.string('id').primary();
+    t.string('prefix').notNullable();
+    t.string('tokenHash').notNullable();
+    t.string('partnerId').notNullable().references('id').inTable('Partner').onDelete('CASCADE');
+    t.timestamp('expiresAt', { useTz: true }).notNullable();
+    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
+    t.timestamp('lastSeenAt', { useTz: true });
+    t.timestamp('revokedAt', { useTz: true });
+    t.index(['prefix']);
+    t.index(['partnerId']);
+  });
+
+  await knex.schema.createTable('DevMessage', (t) => {
+    t.string('id').primary();
+    t.string('to').notNullable();
+    t.string('subject').notNullable();
+    t.text('body').notNullable();
+    t.text('html');
+    t.jsonb('metadata').notNullable().defaultTo('{}');
+    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists('DevMessage');
+  await knex.schema.dropTableIfExists('Session');
+  await knex.schema.dropTableIfExists('MagicLinkToken');
+  await knex.schema.alterTable('Partner', (t) => {
+    t.dropColumn('activatedAt');
+  });
+}
diff --git a/packages/db/src/index.ts b/packages/db/src/index.ts
index 10b8449..1bc5f70 100644
--- a/packages/db/src/index.ts
+++ b/packages/db/src/index.ts
@@ -36,6 +36,9 @@ export const TABLES = {
   Payout: 'Payout',
   ApiKey: 'ApiKey',
   Config: 'Config',
+  MagicLinkToken: 'MagicLinkToken',
+  Session: 'Session',
+  DevMessage: 'DevMessage',
   WebhookEndpoint: 'WebhookEndpoint',
   WebhookDelivery: 'WebhookDelivery',
 } as const;
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index 035f6d6..77e79b3 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -26,6 +26,43 @@ export interface PartnerRow {
   metadata: Record<string, unknown>;
   createdAt: Date;
   updatedAt: Date;
+  // null until the partner accepts their invite magic link
+  activatedAt: Date | null;
+}
+
+export type MagicLinkPurpose = 'partner_invite' | 'partner_signin';
+
+export interface MagicLinkTokenRow {
+  id: string;
+  prefix: string;
+  tokenHash: string;
+  email: string;
+  purpose: MagicLinkPurpose;
+  partnerId: string;
+  expiresAt: Date;
+  consumedAt: Date | null;
+  createdAt: Date;
+}
+
+export interface SessionRow {
+  id: string;
+  prefix: string;
+  tokenHash: string;
+  partnerId: string;
+  expiresAt: Date;
+  createdAt: Date;
+  lastSeenAt: Date | null;
+  revokedAt: Date | null;
+}
+
+export interface DevMessageRow {
+  id: string;
+  to: string;
+  subject: string;
+  body: string;
+  html: string | null;
+  metadata: Record<string, unknown>;
+  createdAt: Date;
 }
 
 export interface CampaignRow {

From abbb0dc654d67e56de14948329f11b87cc8b1167 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 14:38:18 -0700
Subject: [PATCH 006/131] refactor(mail): drop dev mailbox, mail via Postmark
 or stdout fallback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Per the product decision to rely on Postmark in every environment,
the mailer now selects transport implicitly from env:

  POSTMARK_SERVER_TOKEN + MAIL_FROM set  →  Postmark
  otherwise                              →  console.log (dev convenience)

No more MAIL_TRANSPORT switch, no DevMessage table, no /dev/mailbox
endpoint, no "check your inbox in the admin UI" flow. Tests inject
a capturing mailer directly via __setMailerForTests; local devs
without Postmark creds see the magic link in the dev:api console.

Also drops DevMessage from the still-unshipped partner_auth migration
and adds a tear-down migration for any instance that already applied
the earlier version of it.

49 api / 3 router / 11 sdk tests all green after the rewrite.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .do/app.yaml                                  |  2 -
 .env.example                                  |  8 +-
 apps/api/src/__tests__/partner-invite.test.ts | 85 +++++++++----------
 apps/api/src/mailer.ts                        | 48 ++++-------
 apps/api/src/routes/partner-auth.ts           | 10 +--
 docker-compose.prod.yml                       |  1 -
 docs/deploy.md                                |  2 +-
 .../migrations/20260502000000_partner_auth.ts | 16 +---
 .../20260503000000_drop_dev_message.ts        | 16 ++++
 packages/db/src/index.ts                      |  1 -
 packages/db/src/types.ts                      | 10 ---
 11 files changed, 79 insertions(+), 120 deletions(-)
 create mode 100644 packages/db/migrations/20260503000000_drop_dev_message.ts

diff --git a/.do/app.yaml b/.do/app.yaml
index 7506ba5..4581784 100644
--- a/.do/app.yaml
+++ b/.do/app.yaml
@@ -57,8 +57,6 @@ services:
         value: ${openpartner-db.DATABASE_URL}
       - key: OPENPARTNER_MODE
         value: flat
-      - key: MAIL_TRANSPORT
-        value: postmark
       - key: POSTMARK_MESSAGE_STREAM
         value: outbound
       - key: ADMIN_API_KEY
diff --git a/.env.example b/.env.example
index 40db48f..a690a2c 100644
--- a/.env.example
+++ b/.env.example
@@ -41,10 +41,10 @@ PORTAL_URL=http://localhost:5673
 CORS_EXTRA_ORIGINS=
 
 # Mail for partner invites + signin links.
-#   dev       → writes to the DevMessage table; admins read at /admin/dev-mailbox.
-#   postmark  → POSTs to api.postmarkapp.com/email (requires the vars below).
-MAIL_TRANSPORT=dev
-MAIL_FROM=OpenPartner <no-reply@example.com>
+# Set BOTH to use Postmark; leave either blank and the mailer falls
+# back to printing the email to stdout (dev only — you'll see the
+# magic-link URL in the dev:api console).
+MAIL_FROM=
 POSTMARK_SERVER_TOKEN=
 # Optional — defaults to the "outbound" transactional stream.
 POSTMARK_MESSAGE_STREAM=outbound
diff --git a/apps/api/src/__tests__/partner-invite.test.ts b/apps/api/src/__tests__/partner-invite.test.ts
index 092c62e..486369e 100644
--- a/apps/api/src/__tests__/partner-invite.test.ts
+++ b/apps/api/src/__tests__/partner-invite.test.ts
@@ -1,19 +1,19 @@
 /**
  * Partner invite + magic-link signin happy paths.
  *
- * Uses MAIL_TRANSPORT=dev so the magic link lands in the DevMessage
- * table where the test can read it back instead of hitting Postmark.
+ * Uses an in-memory capturing mailer injected via __setMailerForTests so
+ * the suite can read the magic-link URL without hitting Postmark.
  */
 
-import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest';
+import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it } from 'vitest';
 import request from 'supertest';
 import { TABLES } from '@openpartner/db';
 import { db } from '../db.js';
 import { createApp } from '../app.js';
+import { __setMailerForTests, type Mailer, type Message } from '../mailer.js';
 
 const ADMIN_KEY = 'op_test_invite_admin_0123456789abcdef0123';
 process.env.ADMIN_API_KEY = ADMIN_KEY;
-process.env.MAIL_TRANSPORT = 'dev';
 process.env.PORTAL_URL = 'http://localhost:5673';
 
 const skipIntegration = !process.env.DATABASE_URL || process.env.INTEGRATION === 'skip';
@@ -21,33 +21,48 @@ const skipIntegration = !process.env.DATABASE_URL || process.env.INTEGRATION ===
 const TABLES_TO_CLEAN = [
   TABLES.Session,
   TABLES.MagicLinkToken,
-  TABLES.DevMessage,
   TABLES.ApiKey,
   TABLES.Partner,
 ];
 
 const app = createApp({ enableLogger: false });
 
+class CapturingMailer implements Mailer {
+  readonly sent: Message[] = [];
+  async send(msg: Message): Promise<void> {
+    this.sent.push(msg);
+  }
+  findFor(to: string, purpose?: string): Message | undefined {
+    return this.sent.find(
+      (m) => m.to === to && (purpose == null || m.metadata?.purpose === purpose),
+    );
+  }
+}
+
+let mailer: CapturingMailer;
+
 beforeAll(async () => {
   if (skipIntegration) return;
   await db.raw('select 1');
 });
 
-afterAll(async () => {
-  await db.destroy();
-});
-
 beforeEach(async () => {
+  mailer = new CapturingMailer();
+  __setMailerForTests(mailer);
   if (skipIntegration) return;
   for (const t of TABLES_TO_CLEAN) {
     await db(t).del();
   }
 });
 
-/**
- * Fish the magic-link token out of a dev email body — emails carry the
- * URL `http://localhost:5673/auth/magic?token=<opml_...>`.
- */
+afterEach(() => {
+  __setMailerForTests(null);
+});
+
+afterAll(async () => {
+  await db.destroy();
+});
+
 function extractToken(body: string): string {
   const match = /token=([^\s&"]+)/.exec(body);
   if (!match) throw new Error(`no token in body:\n${body}`);
@@ -64,24 +79,18 @@ describe.skipIf(skipIntegration)('partner invite + signin', () => {
     expect(created.body.invited).toBe(true);
     expect(created.body.activatedAt).toBeNull();
 
-    // No admin-visible credential in the response.
     expect(created.body).not.toHaveProperty('plaintext');
     expect(created.body).not.toHaveProperty('apiKey');
 
-    const mailbox = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
-    const invite = mailbox.body.messages.find(
-      (m: { to: string; metadata?: { purpose?: string } }) =>
-        m.to === 'gracie@example.com' && m.metadata?.purpose === 'partner_invite',
-    );
+    const invite = mailer.findFor('gracie@example.com', 'partner_invite');
     expect(invite).toBeDefined();
 
-    const token = extractToken(invite.body);
+    const token = extractToken(invite!.text);
     const verify = await request(app).post('/auth/magic/verify').send({ token });
     expect(verify.status).toBe(200);
     expect(verify.body.role).toBe('partner');
     expect(verify.body.partner.email).toBe('gracie@example.com');
 
-    // Session cookie set; partner.activatedAt stamped.
     const setCookie = verify.headers['set-cookie'] as unknown as string[] | undefined;
     expect(setCookie).toBeTruthy();
     const cookie = setCookie![0]!.split(';')[0]!;
@@ -90,7 +99,6 @@ describe.skipIf(skipIntegration)('partner invite + signin', () => {
     const activated = await db(TABLES.Partner).where({ id: created.body.id }).first();
     expect((activated as { activatedAt: Date | null }).activatedAt).not.toBeNull();
 
-    // whoami with the cookie resolves to the partner
     const who = await request(app).get('/auth/whoami').set('Cookie', cookie);
     expect(who.status).toBe(200);
     expect(who.body.role).toBe('partner');
@@ -103,8 +111,7 @@ describe.skipIf(skipIntegration)('partner invite + signin', () => {
       .set('Authorization', `Bearer ${ADMIN_KEY}`)
       .send({ email: 'dup@example.com', name: 'Dup' });
 
-    const mailbox = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
-    const token = extractToken(mailbox.body.messages[0].body);
+    const token = extractToken(mailer.findFor('dup@example.com')!.text);
 
     const first = await request(app).post('/auth/magic/verify').send({ token });
     expect(first.status).toBe(200);
@@ -115,40 +122,31 @@ describe.skipIf(skipIntegration)('partner invite + signin', () => {
   });
 
   it('returning-partner /auth/signin emails a signin link when the partner is activated', async () => {
-    // Invite + verify to activate.
     await request(app)
       .post('/partners')
       .set('Authorization', `Bearer ${ADMIN_KEY}`)
       .send({ email: 'return@example.com', name: 'Return' });
-    let mailbox = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
-    const inviteToken = extractToken(mailbox.body.messages[0].body);
+    const inviteToken = extractToken(mailer.findFor('return@example.com', 'partner_invite')!.text);
     await request(app).post('/auth/magic/verify').send({ token: inviteToken });
 
-    // Clear so we can spot the signin email specifically.
-    await db(TABLES.DevMessage).del();
+    mailer.sent.length = 0;
 
     const signin = await request(app).post('/auth/signin').send({ email: 'return@example.com' });
     expect(signin.status).toBe(200);
 
-    mailbox = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
-    const signinMsg = mailbox.body.messages.find(
-      (m: { metadata?: { purpose?: string } }) => m.metadata?.purpose === 'partner_signin',
-    );
+    const signinMsg = mailer.findFor('return@example.com', 'partner_signin');
     expect(signinMsg).toBeDefined();
 
-    const signinToken = extractToken(signinMsg.body);
+    const signinToken = extractToken(signinMsg!.text);
     const verify = await request(app).post('/auth/magic/verify').send({ token: signinToken });
     expect(verify.status).toBe(200);
   });
 
   it('signin for an unknown email silently returns ok (no user enumeration)', async () => {
-    await db(TABLES.DevMessage).del();
     const res = await request(app).post('/auth/signin').send({ email: 'nobody@example.com' });
     expect(res.status).toBe(200);
     expect(res.body.ok).toBe(true);
-
-    const mailbox = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
-    expect(mailbox.body.messages.length).toBe(0);
+    expect(mailer.sent.length).toBe(0);
   });
 
   it('resend invite generates a fresh token and 409s once the partner is already activated', async () => {
@@ -163,16 +161,13 @@ describe.skipIf(skipIntegration)('partner invite + signin', () => {
       .set('Authorization', `Bearer ${ADMIN_KEY}`);
     expect(resend.status).toBe(200);
 
-    // Two invite emails in the mailbox now.
-    const mailbox = await request(app).get('/dev/mailbox').set('Authorization', `Bearer ${ADMIN_KEY}`);
-    const invites = mailbox.body.messages.filter(
-      (m: { to: string; metadata?: { purpose?: string } }) =>
-        m.to === 'resend@example.com' && m.metadata?.purpose === 'partner_invite',
+    const invites = mailer.sent.filter(
+      (m) => m.to === 'resend@example.com' && m.metadata?.purpose === 'partner_invite',
     );
     expect(invites.length).toBe(2);
 
-    // Activate via the latest token, then resend should 409.
-    const token = extractToken(invites[0].body);
+    // Activate via the first token, then resend should 409.
+    const token = extractToken(invites[0]!.text);
     await request(app).post('/auth/magic/verify').send({ token });
 
     const after = await request(app)
diff --git a/apps/api/src/mailer.ts b/apps/api/src/mailer.ts
index 3c60d11..5566f54 100644
--- a/apps/api/src/mailer.ts
+++ b/apps/api/src/mailer.ts
@@ -1,20 +1,13 @@
 /**
  * Transactional mailer for partner invite + signin magic links.
  *
- * Two transports:
- *   dev       writes to the DevMessage table so tests + local devs can
- *             read the link back without Postmark credentials.
- *   postmark  POSTs to api.postmarkapp.com/email.
+ * Transport is implicit from env:
+ *   POSTMARK_SERVER_TOKEN + MAIL_FROM set → Postmark
+ *   otherwise                            → console (stdout only)
  *
- * Minimal and partner-scoped — the earlier multi-purpose mailer (creator
- * signups, vendor approvals, cross-network notifications) was carved out
- * with the Network service.
+ * Tests override via __setMailerForTests with an in-memory capturer.
  */
 
-import { ulid } from 'ulid';
-import { TABLES, type DevMessageRow } from '@openpartner/db';
-import { db } from './db.js';
-
 export interface Message {
   to: string;
   subject: string;
@@ -28,18 +21,13 @@ export interface Mailer {
   send(msg: Message): Promise<void>;
 }
 
-class DevMailer implements Mailer {
+class ConsoleMailer implements Mailer {
   async send(msg: Message): Promise<void> {
-    await db<DevMessageRow>(TABLES.DevMessage).insert({
-      id: ulid(),
-      to: msg.to,
-      subject: msg.subject,
-      body: msg.text,
-      html: msg.html ?? null,
-      metadata: (msg.metadata ?? {}) as unknown as never,
-    });
-    // Also print so `pnpm dev:api` shows the link without opening the portal.
-    console.log(`[dev-mail] to=${msg.to} subject=${JSON.stringify(msg.subject)}`);
+    // Dev fallback when no Postmark creds are present. Prints enough to
+    // recover the magic link from the terminal without needing a mailbox
+    // UI or third-party sandbox.
+    console.log(`[mail] to=${msg.to} subject=${JSON.stringify(msg.subject)}`);
+    console.log(msg.text);
   }
 }
 
@@ -83,21 +71,17 @@ let cached: Mailer | null = null;
 
 export function getMailer(): Mailer {
   if (cached) return cached;
-  const transport = process.env.MAIL_TRANSPORT ?? 'dev';
-  if (transport === 'postmark') {
-    const token = process.env.POSTMARK_SERVER_TOKEN;
-    const from = process.env.MAIL_FROM;
-    if (!token || !from) {
-      throw new Error('MAIL_TRANSPORT=postmark requires POSTMARK_SERVER_TOKEN and MAIL_FROM');
-    }
+  const token = process.env.POSTMARK_SERVER_TOKEN;
+  const from = process.env.MAIL_FROM;
+  if (token && from) {
     cached = new PostmarkMailer(token, from, process.env.POSTMARK_MESSAGE_STREAM ?? 'outbound');
-    return cached;
+  } else {
+    cached = new ConsoleMailer();
   }
-  cached = new DevMailer();
   return cached;
 }
 
-/** For tests: swap in a mock mailer. */
+/** For tests: inject a capturing / mock mailer. Pass null to reset. */
 export function __setMailerForTests(mailer: Mailer | null): void {
   cached = mailer;
 }
diff --git a/apps/api/src/routes/partner-auth.ts b/apps/api/src/routes/partner-auth.ts
index dea1669..9da826c 100644
--- a/apps/api/src/routes/partner-auth.ts
+++ b/apps/api/src/routes/partner-auth.ts
@@ -4,7 +4,6 @@
  *   POST /auth/signin          email → magic link (returning partners)
  *   POST /auth/magic/verify    token → session cookie + whoami
  *   POST /auth/signout         revokes the session cookie
- *   GET  /dev/mailbox          (admin) reads the DevMessage outbox
  *
  * The invite-on-create side lives on POST /partners in partners.ts — this
  * file handles everything the partner themselves interacts with.
@@ -12,9 +11,8 @@
 
 import { Router } from 'express';
 import { z } from 'zod';
-import { TABLES, type DevMessageRow, type PartnerRow } from '@openpartner/db';
+import { TABLES, type PartnerRow } from '@openpartner/db';
 import { db } from '../db.js';
-import { requireAdmin, requireAuth } from '../auth.js';
 import {
   SESSION_COOKIE_NAME,
   consumeMagicLink,
@@ -110,9 +108,3 @@ partnerAuthRouter.post('/auth/signout', async (req, res) => {
   res.json({ ok: true });
 });
 
-// -------- Dev mailbox — admin-only read of the DevMessage outbox --------
-
-partnerAuthRouter.get('/dev/mailbox', requireAuth, requireAdmin, async (_req, res) => {
-  const messages = await db<DevMessageRow>(TABLES.DevMessage).orderBy('createdAt', 'desc').limit(100);
-  res.json({ messages });
-});
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index cf190ee..2b8c0ae 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -54,7 +54,6 @@ services:
       ADMIN_API_KEY: ${ADMIN_API_KEY}
       OPENPARTNER_MODE: ${OPENPARTNER_MODE:-selfhost}
       PORTAL_URL: https://${PORTAL_HOST:-portal.${OPENPARTNER_DOMAIN}}
-      MAIL_TRANSPORT: ${MAIL_TRANSPORT:-dev}
       POSTMARK_SERVER_TOKEN: ${POSTMARK_SERVER_TOKEN:-}
       MAIL_FROM: ${MAIL_FROM:-}
       POSTMARK_MESSAGE_STREAM: ${POSTMARK_MESSAGE_STREAM:-outbound}
diff --git a/docs/deploy.md b/docs/deploy.md
index 43329ce..cd00aa9 100644
--- a/docs/deploy.md
+++ b/docs/deploy.md
@@ -27,7 +27,7 @@ Ingress rules fan incoming traffic out: `/api/*` → `api`, everything else →
 3. **Set the secrets** App Platform marked as `SECRET` in the spec:
    - `ADMIN_API_KEY` — bootstrap admin token. Generate with `node -e "console.log('op_' + require('crypto').randomBytes(24).toString('hex'))"`.
    - `PORTAL_URL` — e.g. `https://partners.yourdomain.com`. Required in production (CORS allowlist + invite email links).
-   - `POSTMARK_SERVER_TOKEN`, `MAIL_FROM` — Postmark credentials + verified sender for partner invite + signin emails. Leave `MAIL_TRANSPORT=dev` for local / skip-email deploys.
+   - `POSTMARK_SERVER_TOKEN`, `MAIL_FROM` — Postmark credentials + verified sender for partner invite + signin emails. Leave either unset and mail falls back to stdout (useful for staging, not production).
    - `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET`, `STRIPE_FLAT_PRICE_ID` — only if running `flat` or `revshare` mode.
    - `COOKIE_DOMAIN` — `.yourdomain.com` so the router's `_cref` cookie covers your landing pages.
    - `METRICS_TOKEN` — optional; set to require Bearer auth on `/metrics`.
diff --git a/packages/db/migrations/20260502000000_partner_auth.ts b/packages/db/migrations/20260502000000_partner_auth.ts
index a71c428..fea7180 100644
--- a/packages/db/migrations/20260502000000_partner_auth.ts
+++ b/packages/db/migrations/20260502000000_partner_auth.ts
@@ -12,14 +12,10 @@ import type { Knex } from 'knex';
  *                          for returning logins. partnerId is the partner
  *                          the token resolves to.
  *
- *   Session               cookie-backed auth state. The portal stores an
+*   Session               cookie-backed auth state. The portal stores an
  *                          op_session cookie; the API verifies on each
  *                          request via the same prefix+hash scheme as
  *                          ApiKey. Revocable server-side.
- *
- *   DevMessage            stand-in "outbox" for MAIL_TRANSPORT=dev — lets
- *                          integration tests and local devs read the link
- *                          instead of setting up Postmark.
  */
 export async function up(knex: Knex): Promise<void> {
   await knex.schema.alterTable('Partner', (t) => {
@@ -56,19 +52,9 @@ export async function up(knex: Knex): Promise<void> {
     t.index(['partnerId']);
   });
 
-  await knex.schema.createTable('DevMessage', (t) => {
-    t.string('id').primary();
-    t.string('to').notNullable();
-    t.string('subject').notNullable();
-    t.text('body').notNullable();
-    t.text('html');
-    t.jsonb('metadata').notNullable().defaultTo('{}');
-    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
-  });
 }
 
 export async function down(knex: Knex): Promise<void> {
-  await knex.schema.dropTableIfExists('DevMessage');
   await knex.schema.dropTableIfExists('Session');
   await knex.schema.dropTableIfExists('MagicLinkToken');
   await knex.schema.alterTable('Partner', (t) => {
diff --git a/packages/db/migrations/20260503000000_drop_dev_message.ts b/packages/db/migrations/20260503000000_drop_dev_message.ts
new file mode 100644
index 0000000..4452615
--- /dev/null
+++ b/packages/db/migrations/20260503000000_drop_dev_message.ts
@@ -0,0 +1,16 @@
+import type { Knex } from 'knex';
+
+/**
+ * DevMessage was the local / CI mailbox the magic-link suite used to
+ * recover links without Postmark. With the switch to Postmark-or-console
+ * (tests inject a capturing mailer directly), the table has no readers
+ * and no writers.
+ */
+export async function up(knex: Knex): Promise<void> {
+  await knex.raw(`drop table if exists "DevMessage" cascade`);
+}
+
+export async function down(_knex: Knex): Promise<void> {
+  // No-op — this was always a dev-only convenience table, and reviving
+  // it would require wiring a writer back in.
+}
diff --git a/packages/db/src/index.ts b/packages/db/src/index.ts
index 1bc5f70..6a5ada4 100644
--- a/packages/db/src/index.ts
+++ b/packages/db/src/index.ts
@@ -38,7 +38,6 @@ export const TABLES = {
   Config: 'Config',
   MagicLinkToken: 'MagicLinkToken',
   Session: 'Session',
-  DevMessage: 'DevMessage',
   WebhookEndpoint: 'WebhookEndpoint',
   WebhookDelivery: 'WebhookDelivery',
 } as const;
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index 77e79b3..84a9b76 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -55,16 +55,6 @@ export interface SessionRow {
   revokedAt: Date | null;
 }
 
-export interface DevMessageRow {
-  id: string;
-  to: string;
-  subject: string;
-  body: string;
-  html: string | null;
-  metadata: Record<string, unknown>;
-  createdAt: Date;
-}
-
 export interface CampaignRow {
   id: string;
   name: string;

From 999b05072128224560f2a79ee6e6e3d0897d873b Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 15:39:33 -0700
Subject: [PATCH 007/131] fix(portal): admins don't mint partner credentials or
 create partner links
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two admin affordances that undercut the invite-first / partner-owns-their-
account model get removed from the UI:

  - "Issue key" action on Partners — admin no longer sees partner API
    keys. If a partner needs programmatic access, they mint it from
    their own dashboard (future Settings page).
  - "New link" on /links when viewing as admin — the page becomes
    read-only for admins, with copy that says partners manage their
    own. Partner role still sees the Create button and the full flow.

Backend routes for /partners/:id/api-keys and POST /partners/:id/links
remain intact (the scoped-key federation path uses them via grantScope)
but the admin UI no longer surfaces either.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/pages/AdminPartners.tsx | 77 +------------------------
 apps/portal/src/pages/Links.tsx         | 34 +++++++----
 2 files changed, 24 insertions(+), 87 deletions(-)

diff --git a/apps/portal/src/pages/AdminPartners.tsx b/apps/portal/src/pages/AdminPartners.tsx
index 8200573..dc03005 100644
--- a/apps/portal/src/pages/AdminPartners.tsx
+++ b/apps/portal/src/pages/AdminPartners.tsx
@@ -1,7 +1,7 @@
 import { useState } from 'react';
 import { Link } from 'react-router-dom';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Plus, Users, KeyRound, Copy, Check } from 'lucide-react';
+import { Plus, Users } from 'lucide-react';
 import { api } from '../api.js';
 import { theme } from '../theme.js';
 import { Avatar, Button, Card, EmptyState, ErrorBanner, Input, Label, Page, StatusPill, Table, formatDate } from '../ui.js';
@@ -18,7 +18,6 @@ interface Partner {
 export function AdminPartners() {
   const qc = useQueryClient();
   const [showCreate, setShowCreate] = useState(false);
-  const [issueKeyFor, setIssueKeyFor] = useState<Partner | null>(null);
 
   const partners = useQuery({ queryKey: ['partners'], queryFn: () => api<{ partners: Partner[] }>('/partners') });
 
@@ -43,7 +42,6 @@ export function AdminPartners() {
           }}
         />
       )}
-      {issueKeyFor && <IssueKey partner={issueKeyFor} onClose={() => setIssueKeyFor(null)} />}
 
       {partners.isLoading ? (
         <Card>Loading…</Card>
@@ -71,13 +69,6 @@ export function AdminPartners() {
                   <ResendInvite partnerId={p.id} />
                 </>
               )}
-              <span style={{ color: theme.border }}>·</span>
-              <button
-                onClick={() => setIssueKeyFor(p)}
-                style={{ background: 'none', border: 'none', padding: 0, fontSize: 13, color: theme.accent, cursor: 'pointer' }}
-              >
-                Issue key
-              </button>
             </div>,
           ])}
         />
@@ -141,69 +132,3 @@ function ResendInvite({ partnerId }: { partnerId: string }) {
   );
 }
 
-function IssueKey({ partner, onClose }: { partner: Partner; onClose: () => void }) {
-  const [label, setLabel] = useState('');
-  const [copied, setCopied] = useState(false);
-  const mut = useMutation({
-    mutationFn: () =>
-      api<{ id: string; plaintext: string }>(`/partners/${partner.id}/api-keys`, {
-        method: 'POST',
-        body: { label },
-      }),
-  });
-
-  return (
-    <Card style={{ marginBottom: 14 }}>
-      <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 14 }}>
-        <KeyRound size={18} color={theme.accent} />
-        <div style={{ fontSize: 15, fontWeight: 500 }}>Issue API key for {partner.name}</div>
-      </div>
-      <ErrorBanner error={mut.error} />
-      {mut.data ? (
-        <>
-          <div style={{ marginBottom: 10, color: theme.textMuted, fontSize: 13 }}>
-            Copy this key now — it won't be shown again.
-          </div>
-          <div
-            style={{
-              display: 'flex',
-              alignItems: 'center',
-              gap: 8,
-              background: theme.warnSoft,
-              border: `1px solid ${theme.warn}55`,
-              padding: '10px 12px',
-              borderRadius: theme.radiusSm,
-              marginBottom: 12,
-            }}
-          >
-            <code style={{ flex: 1, fontSize: 13, color: theme.text, wordBreak: 'break-all' }}>{mut.data.plaintext}</code>
-            <Button
-              size="sm"
-              variant="secondary"
-              icon={copied ? <Check size={14} /> : <Copy size={14} />}
-              onClick={() => {
-                navigator.clipboard.writeText(mut.data!.plaintext);
-                setCopied(true);
-                setTimeout(() => setCopied(false), 1500);
-              }}
-            >
-              {copied ? 'Copied' : 'Copy'}
-            </Button>
-          </div>
-          <Button onClick={onClose}>Done</Button>
-        </>
-      ) : (
-        <>
-          <Label>Label (optional)</Label>
-          <Input value={label} onChange={(e) => setLabel(e.target.value)} placeholder="e.g. production server" />
-          <div style={{ display: 'flex', gap: 8, marginTop: 14 }}>
-            <Button onClick={() => mut.mutate()} disabled={mut.isPending}>
-              {mut.isPending ? 'Issuing…' : 'Issue key'}
-            </Button>
-            <Button variant="secondary" onClick={onClose}>Cancel</Button>
-          </div>
-        </>
-      )}
-    </Card>
-  );
-}
diff --git a/apps/portal/src/pages/Links.tsx b/apps/portal/src/pages/Links.tsx
index 8659039..bec077c 100644
--- a/apps/portal/src/pages/Links.tsx
+++ b/apps/portal/src/pages/Links.tsx
@@ -23,11 +23,12 @@ interface Campaign {
 export function LinksPage({ principal }: { principal: Principal }) {
   const queryPartnerId = new URLSearchParams(window.location.search).get('partnerId');
   const partnerId = principal.partnerId ?? queryPartnerId;
+  const isAdmin = principal.role === 'admin';
 
-  if (principal.role === 'admin' && !partnerId) {
+  if (isAdmin && !partnerId) {
     return <AdminLinksHub />;
   }
-  return <PartnerLinks partnerId={partnerId!} />;
+  return <PartnerLinks partnerId={partnerId!} readOnly={isAdmin} />;
 }
 
 function AdminLinksHub() {
@@ -37,12 +38,12 @@ function AdminLinksHub() {
   });
 
   return (
-    <Page title="Links" subtitle="Pick a partner to see or create their links.">
+    <Page title="Links" subtitle="Pick a partner to see the links they've created.">
       <ErrorBanner error={error} />
       {isLoading ? (
         <Card>Loading…</Card>
       ) : data?.partners.length === 0 ? (
-        <EmptyState title="No partners yet" hint="Add a partner to start issuing links." icon={<Link2 size={28} strokeWidth={1.25} />} />
+        <EmptyState title="No partners yet" hint="Invite a partner — they create their own links." icon={<Link2 size={28} strokeWidth={1.25} />} />
       ) : (
         <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fill, minmax(280px, 1fr))', gap: 12 }}>
           {data?.partners.map((p) => (
@@ -76,7 +77,7 @@ function AdminLinksHub() {
   );
 }
 
-function PartnerLinks({ partnerId }: { partnerId: string }) {
+function PartnerLinks({ partnerId, readOnly }: { partnerId: string; readOnly: boolean }) {
   const qc = useQueryClient();
   const [showCreate, setShowCreate] = useState(false);
 
@@ -88,20 +89,27 @@ function PartnerLinks({ partnerId }: { partnerId: string }) {
   const campaigns = useQuery({
     queryKey: ['campaigns'],
     queryFn: () => api<{ campaigns: Campaign[] }>('/campaigns').catch(() => ({ campaigns: [] })),
+    enabled: !readOnly,
   });
 
   return (
     <Page
       title="Links"
-      subtitle="Short links the router resolves into attributed clicks."
+      subtitle={
+        readOnly
+          ? "Links this partner has created. Partners manage their own; admins view only."
+          : "Your share links — the router turns /r/<key> into an attributed click."
+      }
       actions={
-        <Button icon={<Plus size={14} />} onClick={() => setShowCreate(true)}>
-          New link
-        </Button>
+        readOnly ? undefined : (
+          <Button icon={<Plus size={14} />} onClick={() => setShowCreate(true)}>
+            New link
+          </Button>
+        )
       }
     >
       <ErrorBanner error={links.error} />
-      {showCreate && (
+      {showCreate && !readOnly && (
         <CreateLink
           partnerId={partnerId}
           campaigns={campaigns.data?.campaigns ?? []}
@@ -115,7 +123,11 @@ function PartnerLinks({ partnerId }: { partnerId: string }) {
       {links.isLoading ? (
         <Card>Loading…</Card>
       ) : (links.data?.links ?? []).length === 0 ? (
-        <EmptyState title="No links yet" hint="Create one to start capturing clicks." icon={<Link2 size={28} strokeWidth={1.25} />} />
+        <EmptyState
+          title="No links yet"
+          hint={readOnly ? "This partner hasn't created any links yet." : 'Create one to start capturing clicks.'}
+          icon={<Link2 size={28} strokeWidth={1.25} />}
+        />
       ) : (
         <Table
           columns={['Key', 'Destination', 'Campaign', 'Created']}

From 911fc5c0692e48f32c9f588c6b6347f3a31d01f1 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 15:49:24 -0700
Subject: [PATCH 008/131] feat(admin): partner revocation with session kill +
 attribution skip
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Admin can suspend a partner and later reinstate. Everything is reversible
and history-preserving:

  - Partner.revokedAt column flipped by POST /partners/:id/revoke (admin).
    Same transaction revokes every open Session for that partner so the
    portal kicks them out of any tab mid-request.
  - POST /partners/:id/reinstate clears it. Historical commissions are
    never touched; admin reverses specific fraudulent ones separately
    via the Review Queue.
  - Attribution engine filters out clicks tied to revoked partners
    before evaluating the window, so new events skip them cleanly.
  - Router still 302s /r/<linkKey> for a revoked partner's links — no
    broken UX from a pulled partner — but stamps fraudFlag='revoked'
    so the click is visible in audit but never attributed.
  - resolveSession rejects sessions whose partner has been revoked, as
    defense-in-depth against a race where a revoke tx lands mid-flight.

Admin UI: Revoke button (confirm-modal, red) on active rows; Reinstate
on revoked rows. StatusPill renders "revoked" in danger coloring.

6 partner-invite tests now (+1 for revoke happy path + reinstate).
50 api / 3 router / 11 sdk, all green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/__tests__/partner-invite.test.ts | 44 ++++++++++++++++
 apps/api/src/attribution.ts                   | 13 ++++-
 apps/api/src/auth-sessions.ts                 |  9 ++++
 apps/api/src/routes/partners.ts               | 36 ++++++++++++-
 apps/portal/src/pages/AdminPartners.tsx       | 50 ++++++++++++++++++-
 apps/portal/src/ui.tsx                        |  1 +
 apps/router/src/server.ts                     | 14 +++++-
 .../20260504000000_partner_revoke.ts          | 24 +++++++++
 packages/db/src/types.ts                      |  5 +-
 9 files changed, 189 insertions(+), 7 deletions(-)
 create mode 100644 packages/db/migrations/20260504000000_partner_revoke.ts

diff --git a/apps/api/src/__tests__/partner-invite.test.ts b/apps/api/src/__tests__/partner-invite.test.ts
index 486369e..0f42c1a 100644
--- a/apps/api/src/__tests__/partner-invite.test.ts
+++ b/apps/api/src/__tests__/partner-invite.test.ts
@@ -149,6 +149,50 @@ describe.skipIf(skipIntegration)('partner invite + signin', () => {
     expect(mailer.sent.length).toBe(0);
   });
 
+  it('admin can revoke an active partner — sessions die, reinstate undoes it', async () => {
+    // Invite + activate.
+    const created = await request(app)
+      .post('/partners')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ email: 'rev@example.com', name: 'Rev' });
+    const partnerId = created.body.id;
+    const token = extractToken(mailer.findFor('rev@example.com', 'partner_invite')!.text);
+    const verify = await request(app).post('/auth/magic/verify').send({ token });
+    const cookie = (verify.headers['set-cookie'] as unknown as string[])[0]!.split(';')[0]!;
+
+    // Partner's session works before revoke.
+    const before = await request(app).get('/auth/whoami').set('Cookie', cookie);
+    expect(before.status).toBe(200);
+
+    // Revoke.
+    const revoke = await request(app)
+      .post(`/partners/${partnerId}/revoke`)
+      .set('Authorization', `Bearer ${ADMIN_KEY}`);
+    expect(revoke.status).toBe(200);
+
+    // Session is now invalid — the same cookie should no longer whoami.
+    const after = await request(app).get('/auth/whoami').set('Cookie', cookie);
+    expect(after.status).toBe(401);
+
+    // Second revoke is a 409.
+    const dupe = await request(app)
+      .post(`/partners/${partnerId}/revoke`)
+      .set('Authorization', `Bearer ${ADMIN_KEY}`);
+    expect(dupe.status).toBe(409);
+
+    // Reinstate clears revokedAt. Session remains dead (we killed it),
+    // but partner could sign in fresh.
+    const reinstate = await request(app)
+      .post(`/partners/${partnerId}/reinstate`)
+      .set('Authorization', `Bearer ${ADMIN_KEY}`);
+    expect(reinstate.status).toBe(200);
+
+    mailer.sent.length = 0;
+    const signin = await request(app).post('/auth/signin').send({ email: 'rev@example.com' });
+    expect(signin.status).toBe(200);
+    expect(mailer.findFor('rev@example.com', 'partner_signin')).toBeDefined();
+  });
+
   it('resend invite generates a fresh token and 409s once the partner is already activated', async () => {
     const created = await request(app)
       .post('/partners')
diff --git a/apps/api/src/attribution.ts b/apps/api/src/attribution.ts
index 11b5dce..1fd3eb6 100644
--- a/apps/api/src/attribution.ts
+++ b/apps/api/src/attribution.ts
@@ -58,13 +58,22 @@ export async function attributeEvent(
   const cleanClicks = clicks.filter((c) => !c.fraudFlag);
   if (cleanClicks.length === 0) return { status: 'no_click' };
 
-  const campaignIds = Array.from(new Set(cleanClicks.map((c) => c.campaignId)));
+  // Revoked partners don't earn new attribution. We don't delete their
+  // historical commissions — admin reverses individually — but any event
+  // landing AFTER revokedAt no longer generates new rows for them.
+  const partnerIds = Array.from(new Set(cleanClicks.map((c) => c.partnerId)));
+  const revokedPartners = await db('Partner').whereIn('id', partnerIds).whereNotNull('revokedAt').pluck('id');
+  const revokedSet = new Set(revokedPartners as string[]);
+  const eligibleByPartner = cleanClicks.filter((c) => !revokedSet.has(c.partnerId));
+  if (eligibleByPartner.length === 0) return { status: 'no_click' };
+
+  const campaignIds = Array.from(new Set(eligibleByPartner.map((c) => c.campaignId)));
   const campaigns = await db<CampaignRow>(TABLES.Campaign).whereIn('id', campaignIds);
   const campaignsById = new Map(campaigns.map((c) => [c.id, c]));
 
   // Clicks in-window relative to this event, with their campaign attached.
   const eligible: ClickWithCampaign[] = [];
-  for (const click of cleanClicks) {
+  for (const click of eligibleByPartner) {
     const campaign = campaignsById.get(click.campaignId);
     if (!campaign) continue;
     const windowMs = campaign.attributionWindowDays * 24 * 60 * 60 * 1000;
diff --git a/apps/api/src/auth-sessions.ts b/apps/api/src/auth-sessions.ts
index 6a56691..c1500f0 100644
--- a/apps/api/src/auth-sessions.ts
+++ b/apps/api/src/auth-sessions.ts
@@ -116,6 +116,15 @@ export async function resolveSession(plaintext: string): Promise<SessionRow | nu
     .andWhere('expiresAt', '>', now)
     .first();
   if (!row) return null;
+
+  // Extra belt-and-braces: if the partner was revoked but somehow a
+  // session slipped through (e.g. revoke transaction failed mid-flight),
+  // reject here too.
+  const partner = (await db('Partner').where({ id: row.partnerId }).first()) as
+    | { revokedAt: Date | null }
+    | undefined;
+  if (!partner || partner.revokedAt) return null;
+
   void db<SessionRow>(TABLES.Session).where({ id: row.id }).update({ lastSeenAt: now });
   return row;
 }
diff --git a/apps/api/src/routes/partners.ts b/apps/api/src/routes/partners.ts
index b5c19ab..67717fc 100644
--- a/apps/api/src/routes/partners.ts
+++ b/apps/api/src/routes/partners.ts
@@ -1,7 +1,7 @@
 import { Router } from 'express';
 import { z } from 'zod';
 import { ulid } from 'ulid';
-import { TABLES, type PartnerRow } from '@openpartner/db';
+import { TABLES, type PartnerRow, type SessionRow } from '@openpartner/db';
 import { db } from '../db.js';
 import { grantScope, requireAdmin, requireAuth, requirePartnerOrAdmin } from '../auth.js';
 import { issueMagicLink } from '../auth-sessions.js';
@@ -84,6 +84,40 @@ partnersRouter.post('/partners/:id/invite', requireAuth, requireAdmin, async (re
   res.json({ ok: true });
 });
 
+/**
+ * Suspend a partner. Flips revokedAt, revokes all of their sessions so
+ * they're kicked out mid-request, and leaves historical commissions
+ * untouched. Future attribution skips them; router flags clicks on their
+ * links as 'revoked'.
+ */
+partnersRouter.post('/partners/:id/revoke', requireAuth, requireAdmin, async (req, res) => {
+  const partner = await db<PartnerRow>(TABLES.Partner).where({ id: req.params.id }).first();
+  if (!partner) return res.status(404).json({ error: 'not_found' });
+  if (partner.revokedAt) return res.status(409).json({ error: 'already_revoked' });
+
+  const now = new Date();
+  await db.transaction(async (trx) => {
+    await trx<PartnerRow>(TABLES.Partner).where({ id: partner.id }).update({ revokedAt: now, updatedAt: now });
+    await trx<SessionRow>(TABLES.Session)
+      .where({ partnerId: partner.id })
+      .whereNull('revokedAt')
+      .update({ revokedAt: now });
+  });
+  res.json({ ok: true, revokedAt: now });
+});
+
+/** Undo revoke — partner regains dashboard access and future attribution. */
+partnersRouter.post('/partners/:id/reinstate', requireAuth, requireAdmin, async (req, res) => {
+  const partner = await db<PartnerRow>(TABLES.Partner).where({ id: req.params.id }).first();
+  if (!partner) return res.status(404).json({ error: 'not_found' });
+  if (!partner.revokedAt) return res.status(409).json({ error: 'not_revoked' });
+
+  await db<PartnerRow>(TABLES.Partner)
+    .where({ id: partner.id })
+    .update({ revokedAt: null, updatedAt: new Date() });
+  res.json({ ok: true });
+});
+
 partnersRouter.get('/partners', requireAuth, requireAdmin, async (_req, res) => {
   const partners = await db<PartnerRow>(TABLES.Partner).orderBy('createdAt', 'desc').limit(500);
   res.json({ partners });
diff --git a/apps/portal/src/pages/AdminPartners.tsx b/apps/portal/src/pages/AdminPartners.tsx
index dc03005..8399904 100644
--- a/apps/portal/src/pages/AdminPartners.tsx
+++ b/apps/portal/src/pages/AdminPartners.tsx
@@ -13,6 +13,7 @@ interface Partner {
   stripeConnectAccountId: string | null;
   createdAt: string;
   activatedAt: string | null;
+  revokedAt: string | null;
 }
 
 export function AdminPartners() {
@@ -56,19 +57,25 @@ export function AdminPartners() {
               <span style={{ fontWeight: 500 }}>{p.name}</span>
             </div>,
             <span style={{ color: theme.textMuted }}>{p.email}</span>,
-            p.activatedAt ? <StatusPill status="active" /> : <StatusPill status="invited" />,
+            p.revokedAt
+              ? <StatusPill status="revoked" />
+              : p.activatedAt
+                ? <StatusPill status="active" />
+                : <StatusPill status="invited" />,
             p.stripeConnectAccountId ? <StatusPill status="connected" /> : <span style={{ color: theme.textDim }}>—</span>,
             <span style={{ color: theme.textMuted }}>{formatDate(p.createdAt, { relative: true })}</span>,
             <div style={{ display: 'flex', gap: 6 }}>
               <Link to={`/links?partnerId=${p.id}`} style={{ color: theme.accent, fontSize: 13 }}>Links</Link>
               <span style={{ color: theme.border }}>·</span>
               <Link to={`/payouts?partnerId=${p.id}`} style={{ color: theme.accent, fontSize: 13 }}>Payouts</Link>
-              {!p.activatedAt && (
+              {!p.activatedAt && !p.revokedAt && (
                 <>
                   <span style={{ color: theme.border }}>·</span>
                   <ResendInvite partnerId={p.id} />
                 </>
               )}
+              <span style={{ color: theme.border }}>·</span>
+              <RevokeAction partner={p} />
             </div>,
           ])}
         />
@@ -112,6 +119,45 @@ function CreatePartner({ onClose, onCreated }: { onClose: () => void; onCreated:
   );
 }
 
+function RevokeAction({ partner }: { partner: Partner }) {
+  const qc = useQueryClient();
+  const isRevoked = !!partner.revokedAt;
+  const mut = useMutation({
+    mutationFn: () => api(`/partners/${partner.id}/${isRevoked ? 'reinstate' : 'revoke'}`, { method: 'POST' }),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['partners'] });
+      qc.invalidateQueries({ queryKey: ['admin-overview'] });
+    },
+  });
+
+  function onClick() {
+    if (!isRevoked) {
+      const ok = window.confirm(
+        `Revoke ${partner.name}?\n\nThey'll be signed out immediately and new clicks to their links will be flagged. Historical commissions are kept. You can reinstate later.`,
+      );
+      if (!ok) return;
+    }
+    mut.mutate();
+  }
+
+  return (
+    <button
+      onClick={onClick}
+      disabled={mut.isPending}
+      style={{
+        background: 'none',
+        border: 'none',
+        padding: 0,
+        fontSize: 13,
+        color: isRevoked ? theme.accent : theme.danger,
+        cursor: 'pointer',
+      }}
+    >
+      {mut.isPending ? '…' : isRevoked ? 'Reinstate' : 'Revoke'}
+    </button>
+  );
+}
+
 function ResendInvite({ partnerId }: { partnerId: string }) {
   const [sent, setSent] = useState(false);
   const mut = useMutation({
diff --git a/apps/portal/src/ui.tsx b/apps/portal/src/ui.tsx
index 8a98e8f..e61b185 100644
--- a/apps/portal/src/ui.tsx
+++ b/apps/portal/src/ui.tsx
@@ -311,6 +311,7 @@ export function StatusPill({ status }: { status: string }) {
     connected: { bg: theme.successSoft, fg: theme.success },
     invited: { bg: theme.warnSoft, fg: theme.warn },
     active: { bg: theme.successSoft, fg: theme.success },
+    revoked: { bg: theme.dangerSoft, fg: theme.danger },
   };
   const c = palette[status] ?? { bg: theme.surface2, fg: theme.textMuted };
   return (
diff --git a/apps/router/src/server.ts b/apps/router/src/server.ts
index 0575203..d866ea9 100644
--- a/apps/router/src/server.ts
+++ b/apps/router/src/server.ts
@@ -24,6 +24,14 @@ app.get('/r/:linkKey', async (c) => {
     return c.text('Link not found', 404);
   }
 
+  // If the partner's been revoked by the admin, we still redirect to
+  // keep end-user UX intact (no broken links from a pulled partner)
+  // but flag the click so attribution silently skips it.
+  const partner = (await db('Partner').where({ id: link.partnerId }).first()) as
+    | { revokedAt: Date | null }
+    | undefined;
+  const partnerRevoked = !!partner?.revokedAt;
+
   const clickId = ulid();
   const destination = new URL(link.destinationUrl);
   destination.searchParams.set('cref', clickId);
@@ -51,6 +59,10 @@ app.get('/r/:linkKey', async (c) => {
 
   const velocityFlagged = checkVelocity(ipHash, linkKey);
 
+  // Precedence: revoked beats velocity — a click on a pulled partner's
+  // link is not a velocity signal, it's a revoked signal.
+  const fraudFlag = partnerRevoked ? 'revoked' : velocityFlagged ? 'velocity' : null;
+
   await db(TABLES.Click).insert({
     id: clickId,
     linkId: link.id,
@@ -60,7 +72,7 @@ app.get('/r/:linkKey', async (c) => {
     ipHash,
     userAgent: c.req.header('user-agent') ?? null,
     referer: c.req.header('referer') ?? null,
-    fraudFlag: velocityFlagged ? 'velocity' : null,
+    fraudFlag,
   });
 
   c.header(
diff --git a/packages/db/migrations/20260504000000_partner_revoke.ts b/packages/db/migrations/20260504000000_partner_revoke.ts
new file mode 100644
index 0000000..f437243
--- /dev/null
+++ b/packages/db/migrations/20260504000000_partner_revoke.ts
@@ -0,0 +1,24 @@
+import type { Knex } from 'knex';
+
+/**
+ * Partner.revokedAt — admin-flipped suspension. When non-null:
+ *   - Partner.sessions are all revoked (kicked out of the portal)
+ *   - Attribution engine skips new events attributing to them
+ *   - Router still serves /r/<linkKey> (no broken UX) but stamps
+ *     fraudFlag='revoked' on the click so no commission accrues
+ *   - Historical commissions are left untouched — admin reverses
+ *     specific ones manually if the revocation is for fraud
+ *
+ * Reinstate = set revokedAt back to null. No history lost either way.
+ */
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Partner', (t) => {
+    t.timestamp('revokedAt', { useTz: true });
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Partner', (t) => {
+    t.dropColumn('revokedAt');
+  });
+}
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index 84a9b76..1b3d87a 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -28,6 +28,9 @@ export interface PartnerRow {
   updatedAt: Date;
   // null until the partner accepts their invite magic link
   activatedAt: Date | null;
+  // non-null = admin has suspended the partner; sessions + future
+  // attribution stop, historical commissions untouched
+  revokedAt: Date | null;
 }
 
 export type MagicLinkPurpose = 'partner_invite' | 'partner_signin';
@@ -73,7 +76,7 @@ export interface LinkRow {
   createdAt: Date;
 }
 
-export type ClickFraudFlag = 'velocity' | 'manual' | null;
+export type ClickFraudFlag = 'velocity' | 'manual' | 'revoked' | null;
 
 export interface ClickRow {
   id: string;

From bce56f097c2a9188e2940d52a16dbc68333381de Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 16:02:17 -0700
Subject: [PATCH 009/131] feat(admin): revoke notifications + optional reason +
 signin handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Revocation now matches the industry norm — notify by default, admin
can silence for fraud cases, optional reason threaded through every
customer touchpoint.

  - POST /partners/:id/revoke accepts { reason?, notify? } (default
    notify=true). Reason persists on Partner.revokeReason.
  - Sends partnerRevokedEmail on revoke when notify=true, with the
    reason in-line.
  - /auth/signin for an activated-but-revoked partner silently 200s
    (anti-enumeration) AND sends a suspension-notice email instead
    of a magic link — short-circuits the "why doesn't my link work?"
    loop without breaking the enumeration guarantee.
  - Reinstate clears revokeReason alongside revokedAt.
  - Admin UI: click Revoke → dialog with reason textarea + "Email the
    partner" checkbox (default on). Reinstate stays one-click.

New migration for Partner.revokeReason. Two new tests (notify=false
suppresses; signin after revoke sends the notice). 52 api tests,
63 across workspaces, all green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/__tests__/partner-invite.test.ts | 71 +++++++++++++--
 apps/api/src/email-templates.ts               | 32 +++++++
 apps/api/src/routes/partner-auth.ts           | 43 ++++++---
 apps/api/src/routes/partners.ts               | 39 ++++++--
 apps/portal/src/pages/AdminPartners.tsx       | 90 +++++++++++++++----
 .../20260505000000_partner_revoke_reason.ts   | 18 ++++
 packages/db/src/types.ts                      |  3 +
 7 files changed, 252 insertions(+), 44 deletions(-)
 create mode 100644 packages/db/migrations/20260505000000_partner_revoke_reason.ts

diff --git a/apps/api/src/__tests__/partner-invite.test.ts b/apps/api/src/__tests__/partner-invite.test.ts
index 0f42c1a..0da58b8 100644
--- a/apps/api/src/__tests__/partner-invite.test.ts
+++ b/apps/api/src/__tests__/partner-invite.test.ts
@@ -33,8 +33,13 @@ class CapturingMailer implements Mailer {
     this.sent.push(msg);
   }
   findFor(to: string, purpose?: string): Message | undefined {
+    // Matches either metadata.purpose or tag — the /auth/signin path
+    // for revoked partners sets purpose to
+    // 'partner_revoked_signin_attempt' but keeps tag='partner_revoked'.
     return this.sent.find(
-      (m) => m.to === to && (purpose == null || m.metadata?.purpose === purpose),
+      (m) =>
+        m.to === to &&
+        (purpose == null || m.metadata?.purpose === purpose || m.tag === purpose),
     );
   }
 }
@@ -160,28 +165,34 @@ describe.skipIf(skipIntegration)('partner invite + signin', () => {
     const verify = await request(app).post('/auth/magic/verify').send({ token });
     const cookie = (verify.headers['set-cookie'] as unknown as string[])[0]!.split(';')[0]!;
 
-    // Partner's session works before revoke.
     const before = await request(app).get('/auth/whoami').set('Cookie', cookie);
     expect(before.status).toBe(200);
 
-    // Revoke.
+    mailer.sent.length = 0;
     const revoke = await request(app)
       .post(`/partners/${partnerId}/revoke`)
-      .set('Authorization', `Bearer ${ADMIN_KEY}`);
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ reason: 'Ending our partnership — thanks for your work' });
     expect(revoke.status).toBe(200);
+    expect(revoke.body.notified).toBe(true);
+
+    // Notification email fired with the reason in the body.
+    const notice = mailer.findFor('rev@example.com', 'partner_revoked');
+    expect(notice).toBeDefined();
+    expect(notice!.text).toContain('suspended');
+    expect(notice!.text).toContain('Ending our partnership');
 
-    // Session is now invalid — the same cookie should no longer whoami.
+    // Session killed.
     const after = await request(app).get('/auth/whoami').set('Cookie', cookie);
     expect(after.status).toBe(401);
 
-    // Second revoke is a 409.
+    // Second revoke → 409.
     const dupe = await request(app)
       .post(`/partners/${partnerId}/revoke`)
       .set('Authorization', `Bearer ${ADMIN_KEY}`);
     expect(dupe.status).toBe(409);
 
-    // Reinstate clears revokedAt. Session remains dead (we killed it),
-    // but partner could sign in fresh.
+    // Reinstate + sign-in works again.
     const reinstate = await request(app)
       .post(`/partners/${partnerId}/reinstate`)
       .set('Authorization', `Bearer ${ADMIN_KEY}`);
@@ -193,6 +204,50 @@ describe.skipIf(skipIntegration)('partner invite + signin', () => {
     expect(mailer.findFor('rev@example.com', 'partner_signin')).toBeDefined();
   });
 
+  it('revoke with notify=false does not email the partner', async () => {
+    const created = await request(app)
+      .post('/partners')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ email: 'silent@example.com', name: 'Silent' });
+    const partnerId = created.body.id;
+    const token = extractToken(mailer.findFor('silent@example.com')!.text);
+    await request(app).post('/auth/magic/verify').send({ token });
+
+    mailer.sent.length = 0;
+    const revoke = await request(app)
+      .post(`/partners/${partnerId}/revoke`)
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ notify: false, reason: 'Investigating fraud' });
+    expect(revoke.status).toBe(200);
+    expect(revoke.body.notified).toBe(false);
+    expect(mailer.sent.length).toBe(0);
+  });
+
+  it('signin for a revoked partner sends the suspension notice, not a magic link', async () => {
+    // Invite + activate + revoke.
+    const created = await request(app)
+      .post('/partners')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ email: 'after@example.com', name: 'After' });
+    const token = extractToken(mailer.findFor('after@example.com')!.text);
+    await request(app).post('/auth/magic/verify').send({ token });
+    await request(app)
+      .post(`/partners/${created.body.id}/revoke`)
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ reason: 'Program closed', notify: false });
+
+    mailer.sent.length = 0;
+    const signin = await request(app).post('/auth/signin').send({ email: 'after@example.com' });
+    expect(signin.status).toBe(200);
+    expect(signin.body.ok).toBe(true);
+
+    // Partner gets the suspension notice (with reason), not a signin link.
+    const notice = mailer.findFor('after@example.com', 'partner_revoked');
+    expect(notice).toBeDefined();
+    expect(notice!.text).toContain('Program closed');
+    expect(mailer.findFor('after@example.com', 'partner_signin')).toBeUndefined();
+  });
+
   it('resend invite generates a fresh token and 409s once the partner is already activated', async () => {
     const created = await request(app)
       .post('/partners')
diff --git a/apps/api/src/email-templates.ts b/apps/api/src/email-templates.ts
index 138adc6..9835e6a 100644
--- a/apps/api/src/email-templates.ts
+++ b/apps/api/src/email-templates.ts
@@ -45,6 +45,38 @@ export function partnerSigninEmail(name: string, link: string): EmailTemplate {
   return { subject, text, html: wrap(text, link, 'Sign in') };
 }
 
+export function partnerRevokedEmail(name: string, reason: string | null): EmailTemplate {
+  const subject = `Your partner account has been suspended`;
+  const text = [
+    `Hi ${name},`,
+    ``,
+    `Your partner account has been suspended by the program administrator.`,
+    ...(reason ? [``, `Reason: ${reason}`] : []),
+    ``,
+    `If you believe this was done in error, please contact the administrator of the partner program directly.`,
+  ].join('\n');
+  // No CTA button on this template — there's nowhere for the partner
+  // to go. Plain-text-in-HTML is fine.
+  const html = `<!DOCTYPE html>
+<html>
+  <body style="font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; background:#f4f4f5; padding:24px 0; margin:0;">
+    <table role="presentation" width="100%" cellspacing="0" cellpadding="0" border="0">
+      <tr><td align="center">
+        <table role="presentation" width="520" cellspacing="0" cellpadding="0" border="0" style="background:#ffffff; border-radius:8px; overflow:hidden;">
+          <tr><td style="padding:28px 32px; color:#1f2937; font-size:14px; line-height:1.6;">
+            ${text
+              .split('\n')
+              .map((l) => l.replace(/</g, '&lt;').replace(/>/g, '&gt;'))
+              .join('<br>')}
+          </td></tr>
+        </table>
+      </td></tr>
+    </table>
+  </body>
+</html>`;
+  return { subject, text, html };
+}
+
 function wrap(text: string, cta: string, ctaLabel: string): string {
   const escaped = text
     .split('\n')
diff --git a/apps/api/src/routes/partner-auth.ts b/apps/api/src/routes/partner-auth.ts
index 9da826c..f50d23a 100644
--- a/apps/api/src/routes/partner-auth.ts
+++ b/apps/api/src/routes/partner-auth.ts
@@ -44,20 +44,37 @@ partnerAuthRouter.post('/auth/signin', mailAuthLimit, async (req, res) => {
   const email = body.data.email.toLowerCase();
   const partner = await db<PartnerRow>(TABLES.Partner).where({ email }).first();
 
-  // Intentionally always return {ok:true} — don't leak whether the email
-  // belongs to a known partner. Only issue + email a link if we'd
-  // actually let them in.
+  // Always return {ok:true} — don't leak whether the email is known.
+  // Three outcomes internally:
+  //   - unknown / pending           → no email, silent
+  //   - active                      → magic-link email
+  //   - revoked                     → suspension-notice email (the
+  //     partner already knows, but a reminder short-circuits the
+  //     "why doesn't my link work?" loop)
   if (partner && partner.activatedAt) {
-    const issued = await issueMagicLink({ email, purpose: 'partner_signin', partnerId: partner.id });
-    const tmpl = partnerSigninEmail(partner.name, buildMagicLinkUrl(issued.plaintext));
-    await getMailer().send({
-      to: email,
-      subject: tmpl.subject,
-      text: tmpl.text,
-      html: tmpl.html,
-      tag: 'partner_signin',
-      metadata: { purpose: 'partner_signin', partnerId: partner.id },
-    });
+    if (partner.revokedAt) {
+      const { partnerRevokedEmail } = await import('../email-templates.js');
+      const tmpl = partnerRevokedEmail(partner.name, partner.revokeReason);
+      await getMailer().send({
+        to: email,
+        subject: tmpl.subject,
+        text: tmpl.text,
+        html: tmpl.html,
+        tag: 'partner_revoked',
+        metadata: { purpose: 'partner_revoked_signin_attempt', partnerId: partner.id },
+      });
+    } else {
+      const issued = await issueMagicLink({ email, purpose: 'partner_signin', partnerId: partner.id });
+      const tmpl = partnerSigninEmail(partner.name, buildMagicLinkUrl(issued.plaintext));
+      await getMailer().send({
+        to: email,
+        subject: tmpl.subject,
+        text: tmpl.text,
+        html: tmpl.html,
+        tag: 'partner_signin',
+        metadata: { purpose: 'partner_signin', partnerId: partner.id },
+      });
+    }
   }
   res.json({ ok: true });
 });
diff --git a/apps/api/src/routes/partners.ts b/apps/api/src/routes/partners.ts
index 67717fc..732ca52 100644
--- a/apps/api/src/routes/partners.ts
+++ b/apps/api/src/routes/partners.ts
@@ -6,7 +6,7 @@ import { db } from '../db.js';
 import { grantScope, requireAdmin, requireAuth, requirePartnerOrAdmin } from '../auth.js';
 import { issueMagicLink } from '../auth-sessions.js';
 import { getMailer } from '../mailer.js';
-import { buildMagicLinkUrl, partnerInviteEmail } from '../email-templates.js';
+import { buildMagicLinkUrl, partnerInviteEmail, partnerRevokedEmail } from '../email-templates.js';
 
 const createSchema = z.object({
   email: z.string().email(),
@@ -84,26 +84,53 @@ partnersRouter.post('/partners/:id/invite', requireAuth, requireAdmin, async (re
   res.json({ ok: true });
 });
 
+const revokeSchema = z.object({
+  reason: z.string().max(500).optional(),
+  // Default true: industry-standard partner-program norm is to notify.
+  // Admin unchecks for fraud cases where tipping the partner off is
+  // counterproductive.
+  notify: z.boolean().optional().default(true),
+});
+
 /**
  * Suspend a partner. Flips revokedAt, revokes all of their sessions so
- * they're kicked out mid-request, and leaves historical commissions
+ * they're kicked out mid-request, leaves historical commissions
  * untouched. Future attribution skips them; router flags clicks on their
- * links as 'revoked'.
+ * links as 'revoked'. Sends a notification email unless notify=false.
  */
 partnersRouter.post('/partners/:id/revoke', requireAuth, requireAdmin, async (req, res) => {
+  const body = revokeSchema.safeParse(req.body ?? {});
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
   const partner = await db<PartnerRow>(TABLES.Partner).where({ id: req.params.id }).first();
   if (!partner) return res.status(404).json({ error: 'not_found' });
   if (partner.revokedAt) return res.status(409).json({ error: 'already_revoked' });
 
   const now = new Date();
+  const reason = body.data.reason ?? null;
   await db.transaction(async (trx) => {
-    await trx<PartnerRow>(TABLES.Partner).where({ id: partner.id }).update({ revokedAt: now, updatedAt: now });
+    await trx<PartnerRow>(TABLES.Partner)
+      .where({ id: partner.id })
+      .update({ revokedAt: now, revokeReason: reason, updatedAt: now });
     await trx<SessionRow>(TABLES.Session)
       .where({ partnerId: partner.id })
       .whereNull('revokedAt')
       .update({ revokedAt: now });
   });
-  res.json({ ok: true, revokedAt: now });
+
+  if (body.data.notify) {
+    const tmpl = partnerRevokedEmail(partner.name, reason);
+    await getMailer().send({
+      to: partner.email,
+      subject: tmpl.subject,
+      text: tmpl.text,
+      html: tmpl.html,
+      tag: 'partner_revoked',
+      metadata: { purpose: 'partner_revoked', partnerId: partner.id },
+    });
+  }
+
+  res.json({ ok: true, revokedAt: now, notified: body.data.notify });
 });
 
 /** Undo revoke — partner regains dashboard access and future attribution. */
@@ -114,7 +141,7 @@ partnersRouter.post('/partners/:id/reinstate', requireAuth, requireAdmin, async
 
   await db<PartnerRow>(TABLES.Partner)
     .where({ id: partner.id })
-    .update({ revokedAt: null, updatedAt: new Date() });
+    .update({ revokedAt: null, revokeReason: null, updatedAt: new Date() });
   res.json({ ok: true });
 });
 
diff --git a/apps/portal/src/pages/AdminPartners.tsx b/apps/portal/src/pages/AdminPartners.tsx
index 8399904..7837992 100644
--- a/apps/portal/src/pages/AdminPartners.tsx
+++ b/apps/portal/src/pages/AdminPartners.tsx
@@ -19,6 +19,7 @@ interface Partner {
 export function AdminPartners() {
   const qc = useQueryClient();
   const [showCreate, setShowCreate] = useState(false);
+  const [revoking, setRevoking] = useState<Partner | null>(null);
 
   const partners = useQuery({ queryKey: ['partners'], queryFn: () => api<{ partners: Partner[] }>('/partners') });
 
@@ -43,6 +44,16 @@ export function AdminPartners() {
           }}
         />
       )}
+      {revoking && (
+        <RevokeDialog
+          partner={revoking}
+          onClose={() => setRevoking(null)}
+          onDone={() => {
+            setRevoking(null);
+            qc.invalidateQueries({ queryKey: ['partners'] });
+          }}
+        />
+      )}
 
       {partners.isLoading ? (
         <Card>Loading…</Card>
@@ -75,7 +86,7 @@ export function AdminPartners() {
                 </>
               )}
               <span style={{ color: theme.border }}>·</span>
-              <RevokeAction partner={p} />
+              <RevokeAction partner={p} openDialog={() => setRevoking(p)} />
             </div>,
           ])}
         />
@@ -119,31 +130,23 @@ function CreatePartner({ onClose, onCreated }: { onClose: () => void; onCreated:
   );
 }
 
-function RevokeAction({ partner }: { partner: Partner }) {
+function RevokeAction({ partner, openDialog }: { partner: Partner; openDialog: () => void }) {
   const qc = useQueryClient();
   const isRevoked = !!partner.revokedAt;
-  const mut = useMutation({
-    mutationFn: () => api(`/partners/${partner.id}/${isRevoked ? 'reinstate' : 'revoke'}`, { method: 'POST' }),
+  // Reinstate is single-click (no email, no reason). Revoke opens the
+  // dialog so the admin can set a reason + opt out of notification.
+  const reinstate = useMutation({
+    mutationFn: () => api(`/partners/${partner.id}/reinstate`, { method: 'POST' }),
     onSuccess: () => {
       qc.invalidateQueries({ queryKey: ['partners'] });
       qc.invalidateQueries({ queryKey: ['admin-overview'] });
     },
   });
 
-  function onClick() {
-    if (!isRevoked) {
-      const ok = window.confirm(
-        `Revoke ${partner.name}?\n\nThey'll be signed out immediately and new clicks to their links will be flagged. Historical commissions are kept. You can reinstate later.`,
-      );
-      if (!ok) return;
-    }
-    mut.mutate();
-  }
-
   return (
     <button
-      onClick={onClick}
-      disabled={mut.isPending}
+      onClick={() => (isRevoked ? reinstate.mutate() : openDialog())}
+      disabled={reinstate.isPending}
       style={{
         background: 'none',
         border: 'none',
@@ -153,11 +156,64 @@ function RevokeAction({ partner }: { partner: Partner }) {
         cursor: 'pointer',
       }}
     >
-      {mut.isPending ? '…' : isRevoked ? 'Reinstate' : 'Revoke'}
+      {reinstate.isPending ? '…' : isRevoked ? 'Reinstate' : 'Revoke'}
     </button>
   );
 }
 
+function RevokeDialog({
+  partner,
+  onClose,
+  onDone,
+}: {
+  partner: Partner;
+  onClose: () => void;
+  onDone: () => void;
+}) {
+  const [reason, setReason] = useState('');
+  const [notify, setNotify] = useState(true);
+  const mut = useMutation({
+    mutationFn: () =>
+      api(`/partners/${partner.id}/revoke`, {
+        method: 'POST',
+        body: { reason: reason.trim() || undefined, notify },
+      }),
+    onSuccess: onDone,
+  });
+
+  return (
+    <Card style={{ marginBottom: 14, borderColor: `${theme.danger}44` }}>
+      <div style={{ fontSize: 15, fontWeight: 500, marginBottom: 6, color: theme.danger }}>
+        Revoke {partner.name}?
+      </div>
+      <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 14 }}>
+        They're signed out immediately and new clicks on their links stop accruing commission.
+        Historical commissions are kept. You can reinstate at any time.
+      </div>
+      <ErrorBanner error={mut.error} />
+      <div style={{ marginBottom: 14 }}>
+        <Label>Reason (optional, included in their email)</Label>
+        <Input
+          value={reason}
+          onChange={(e) => setReason(e.target.value)}
+          placeholder="e.g. Ending partnership — no longer active"
+          maxLength={500}
+        />
+      </div>
+      <label style={{ display: 'flex', alignItems: 'center', gap: 8, fontSize: 13, color: theme.textMuted, marginBottom: 16 }}>
+        <input type="checkbox" checked={notify} onChange={(e) => setNotify(e.target.checked)} />
+        Email the partner about the suspension
+      </label>
+      <div style={{ display: 'flex', gap: 8 }}>
+        <Button onClick={() => mut.mutate()} disabled={mut.isPending}>
+          {mut.isPending ? 'Revoking…' : 'Revoke partner'}
+        </Button>
+        <Button variant="secondary" onClick={onClose}>Cancel</Button>
+      </div>
+    </Card>
+  );
+}
+
 function ResendInvite({ partnerId }: { partnerId: string }) {
   const [sent, setSent] = useState(false);
   const mut = useMutation({
diff --git a/packages/db/migrations/20260505000000_partner_revoke_reason.ts b/packages/db/migrations/20260505000000_partner_revoke_reason.ts
new file mode 100644
index 0000000..33a89d5
--- /dev/null
+++ b/packages/db/migrations/20260505000000_partner_revoke_reason.ts
@@ -0,0 +1,18 @@
+import type { Knex } from 'knex';
+
+/**
+ * Optional reason captured at revoke time — shown to the partner in
+ * the notification email and included in the suspension response if
+ * they later try to sign in.
+ */
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Partner', (t) => {
+    t.text('revokeReason');
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Partner', (t) => {
+    t.dropColumn('revokeReason');
+  });
+}
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index 1b3d87a..c9fa69a 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -31,6 +31,9 @@ export interface PartnerRow {
   // non-null = admin has suspended the partner; sessions + future
   // attribution stop, historical commissions untouched
   revokedAt: Date | null;
+  // Admin-supplied free-text reason surfaced in the revoke notification
+  // email and shown if the partner later tries to sign in.
+  revokeReason: string | null;
 }
 
 export type MagicLinkPurpose = 'partner_invite' | 'partner_signin';

From acf8eb5e2c657fb9b04dab83e193ccc80a02d201 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 16:18:35 -0700
Subject: [PATCH 010/131] feat(admin): UI-managed program settings (name +
 support email)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

New Settings page at /admin/settings lets the admin edit runtime
content without shell access:

  - Program name   — replaces "OpenPartner" in the sidebar brand
  - Support email  — rendered in the sidebar footer as a mailto:
    link for partners to contact

Backed by the Config table, keyed 'program_settings'. GET /config/program
is auth-only (admin + partner sessions can both read). POST is admin
only. Partner portal fetches on mount with a 60s staleTime so edits
propagate quickly without hammering the endpoint.

Admin's Partners table now wraps each partner's email in mailto: too,
so one click opens a reply with that partner.

Env remains reserved for secrets + build-time properties; everything
user-facing goes through this pattern instead.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/app.ts                      |  2 +
 apps/api/src/routes/settings.ts          | 62 +++++++++++++++
 apps/portal/src/App.tsx                  | 41 +++++++++-
 apps/portal/src/pages/AdminPartners.tsx  |  4 +-
 apps/portal/src/pages/admin/Settings.tsx | 96 ++++++++++++++++++++++++
 5 files changed, 203 insertions(+), 2 deletions(-)
 create mode 100644 apps/api/src/routes/settings.ts
 create mode 100644 apps/portal/src/pages/admin/Settings.tsx

diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index 8940596..378e46c 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -24,6 +24,7 @@ import { authRouter } from './routes/auth.js';
 import { partnerAuthRouter } from './routes/partner-auth.js';
 import { adminOverviewRouter } from './routes/admin-overview.js';
 import { funnelRouter } from './routes/funnel.js';
+import { settingsRouter } from './routes/settings.js';
 import { fraudReviewRouter } from './routes/fraud-review.js';
 import { webhooksRouter } from './routes/webhooks.js';
 import { metricsRouter } from './routes/metrics.js';
@@ -103,6 +104,7 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
 
   app.use(authRouter);
   app.use(partnerAuthRouter);
+  app.use(settingsRouter);
   app.use(funnelRouter);
   app.use(fraudReviewRouter);
   app.use(webhooksRouter);
diff --git a/apps/api/src/routes/settings.ts b/apps/api/src/routes/settings.ts
new file mode 100644
index 0000000..c55cdb8
--- /dev/null
+++ b/apps/api/src/routes/settings.ts
@@ -0,0 +1,62 @@
+/**
+ * Program-wide settings stored in the Config table. Keyed by
+ * `program_settings`, the value is a JSON blob of:
+ *
+ *   programName?: string   — how to brand the portal (admin + partner)
+ *   supportEmail?: string  — shown in the partner footer as contact
+ *
+ * Env is reserved for secrets + build-time; runtime content like this
+ * lives here so admins can update it without a redeploy.
+ */
+
+import { Router } from 'express';
+import { z } from 'zod';
+import { TABLES, type ConfigRow } from '@openpartner/db';
+import { db } from '../db.js';
+import { requireAdmin, requireAuth } from '../auth.js';
+
+export const settingsRouter = Router();
+
+const CONFIG_KEY = 'program_settings';
+
+const settingsSchema = z.object({
+  programName: z.string().trim().max(120).optional(),
+  supportEmail: z.string().trim().email().max(254).optional().or(z.literal('')),
+});
+
+export interface ProgramSettings {
+  programName: string | null;
+  supportEmail: string | null;
+}
+
+async function readSettings(): Promise<ProgramSettings> {
+  const row = await db<ConfigRow>(TABLES.Config).where({ key: CONFIG_KEY }).first();
+  const value = (row?.value ?? {}) as Partial<ProgramSettings>;
+  return {
+    programName: value.programName ?? null,
+    supportEmail: value.supportEmail ?? null,
+  };
+}
+
+/** Any authenticated caller (admin OR partner) can read — not secret. */
+settingsRouter.get('/config/program', requireAuth, async (_req, res) => {
+  res.json(await readSettings());
+});
+
+/** Only admins write. Empty strings clear fields. */
+settingsRouter.post('/config/program', requireAuth, requireAdmin, async (req, res) => {
+  const body = settingsSchema.safeParse(req.body ?? {});
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const next: ProgramSettings = {
+    programName: body.data.programName?.trim() || null,
+    supportEmail: body.data.supportEmail?.trim() || null,
+  };
+  const now = new Date();
+  // Upsert: preserves updatedAt semantics without a separate read.
+  await db<ConfigRow>(TABLES.Config)
+    .insert({ key: CONFIG_KEY, value: next as unknown as never, updatedAt: now })
+    .onConflict('key')
+    .merge({ value: next as unknown as never, updatedAt: now });
+  res.json(next);
+});
diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index 94ac9c2..aed609e 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -12,6 +12,8 @@ import {
   Download,
   LogOut,
   Webhook,
+  Settings,
+  Mail,
 } from 'lucide-react';
 import { clearApiKey, api, type Principal } from './api.js';
 import { theme } from './theme.js';
@@ -27,7 +29,9 @@ import { AdminExport } from './pages/AdminExport.js';
 import { LoginPage } from './pages/auth/Login.js';
 import { MagicLandingPage } from './pages/auth/MagicLanding.js';
 import { WebhooksPage } from './pages/admin/Webhooks.js';
+import { AdminSettings } from './pages/admin/Settings.js';
 import { FraudReviewPage } from './pages/FraudReview.js';
+import { useQuery } from '@tanstack/react-query';
 
 interface AuthState {
   loading: boolean;
@@ -79,6 +83,7 @@ function Shell() {
               <Route path="admin/export" element={<AdminExport />} />
               <Route path="admin/fraud-review" element={<FraudReviewPage />} />
               <Route path="admin/webhooks" element={<WebhooksPage />} />
+              <Route path="admin/settings" element={<AdminSettings />} />
             </>
           )}
 
@@ -89,8 +94,22 @@ function Shell() {
   );
 }
 
+interface ProgramSettings {
+  programName: string | null;
+  supportEmail: string | null;
+}
+
 function Sidebar({ principal }: { principal: Principal }) {
   const nav = useNavigate();
+  const settings = useQuery({
+    queryKey: ['program-settings'],
+    queryFn: () => api<ProgramSettings>('/config/program'),
+    // Refetch infrequently — admin rarely changes this.
+    staleTime: 60_000,
+  });
+  const programName = settings.data?.programName || 'OpenPartner';
+  const supportEmail = settings.data?.supportEmail || null;
+
   return (
     <aside
       style={{
@@ -104,7 +123,7 @@ function Sidebar({ principal }: { principal: Principal }) {
     >
       <div style={{ display: 'flex', alignItems: 'center', gap: 10, padding: '4px 8px', marginBottom: 20 }}>
         <Logo />
-        <div style={{ fontSize: 15, fontWeight: 600, letterSpacing: '-0.01em' }}>OpenPartner</div>
+        <div style={{ fontSize: 15, fontWeight: 600, letterSpacing: '-0.01em' }}>{programName}</div>
       </div>
 
       <PrincipalChip principal={principal} />
@@ -126,6 +145,7 @@ function Sidebar({ principal }: { principal: Principal }) {
             <NavItem to="/admin/export" icon={<Download size={16} />}>Export / import</NavItem>
             <NavItem to="/admin/fraud-review" icon={<ShieldCheck size={16} />}>Fraud review</NavItem>
             <NavItem to="/admin/webhooks" icon={<Webhook size={16} />}>Webhooks</NavItem>
+            <NavItem to="/admin/settings" icon={<Settings size={16} />}>Settings</NavItem>
           </NavSection>
         )}
       </div>
@@ -170,6 +190,25 @@ function Sidebar({ principal }: { principal: Principal }) {
         <LogOut size={14} />
         Sign out
       </button>
+
+      {supportEmail && (
+        <a
+          href={`mailto:${supportEmail}`}
+          style={{
+            display: 'flex',
+            alignItems: 'center',
+            gap: 6,
+            justifyContent: 'center',
+            marginTop: 10,
+            color: theme.textDim,
+            fontSize: 12,
+            textDecoration: 'none',
+          }}
+        >
+          <Mail size={11} />
+          {supportEmail}
+        </a>
+      )}
     </aside>
   );
 }
diff --git a/apps/portal/src/pages/AdminPartners.tsx b/apps/portal/src/pages/AdminPartners.tsx
index 7837992..40d9345 100644
--- a/apps/portal/src/pages/AdminPartners.tsx
+++ b/apps/portal/src/pages/AdminPartners.tsx
@@ -67,7 +67,9 @@ export function AdminPartners() {
               <Avatar name={p.name} size={28} />
               <span style={{ fontWeight: 500 }}>{p.name}</span>
             </div>,
-            <span style={{ color: theme.textMuted }}>{p.email}</span>,
+            <a href={`mailto:${p.email}`} style={{ color: theme.textMuted, textDecoration: 'none' }}>
+              {p.email}
+            </a>,
             p.revokedAt
               ? <StatusPill status="revoked" />
               : p.activatedAt
diff --git a/apps/portal/src/pages/admin/Settings.tsx b/apps/portal/src/pages/admin/Settings.tsx
new file mode 100644
index 0000000..9f13609
--- /dev/null
+++ b/apps/portal/src/pages/admin/Settings.tsx
@@ -0,0 +1,96 @@
+import { useEffect, useState } from 'react';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { Settings as SettingsIcon } from 'lucide-react';
+import { api } from '../../api.js';
+import { theme } from '../../theme.js';
+import { Button, Card, ErrorBanner, Input, Label, Page } from '../../ui.js';
+
+interface ProgramSettings {
+  programName: string | null;
+  supportEmail: string | null;
+}
+
+export function AdminSettings() {
+  const qc = useQueryClient();
+  const { data, error, isLoading } = useQuery({
+    queryKey: ['program-settings'],
+    queryFn: () => api<ProgramSettings>('/config/program'),
+  });
+
+  const [programName, setProgramName] = useState('');
+  const [supportEmail, setSupportEmail] = useState('');
+  const [saved, setSaved] = useState(false);
+
+  // Sync form state when the fetched value lands.
+  useEffect(() => {
+    if (!data) return;
+    setProgramName(data.programName ?? '');
+    setSupportEmail(data.supportEmail ?? '');
+  }, [data]);
+
+  const mut = useMutation({
+    mutationFn: () =>
+      api<ProgramSettings>('/config/program', {
+        method: 'POST',
+        body: { programName, supportEmail },
+      }),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['program-settings'] });
+      setSaved(true);
+      setTimeout(() => setSaved(false), 2000);
+    },
+  });
+
+  return (
+    <Page
+      title="Settings"
+      subtitle="How the partner portal identifies your program."
+    >
+      <ErrorBanner error={error ?? mut.error} />
+      {isLoading ? (
+        <Card>Loading…</Card>
+      ) : (
+        <Card>
+          <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 16 }}>
+            <SettingsIcon size={18} color={theme.accent} />
+            <div style={{ fontSize: 15, fontWeight: 500 }}>Program info</div>
+          </div>
+
+          <div style={{ marginBottom: 16 }}>
+            <Label>Program name</Label>
+            <Input
+              value={programName}
+              onChange={(e) => setProgramName(e.target.value)}
+              placeholder="e.g. Coherence Partners"
+              maxLength={120}
+            />
+            <div style={{ fontSize: 12, color: theme.textDim, marginTop: 6 }}>
+              Shown to partners in the portal. Leave blank to fall back to "OpenPartner".
+            </div>
+          </div>
+
+          <div style={{ marginBottom: 20 }}>
+            <Label>Support email</Label>
+            <Input
+              type="email"
+              value={supportEmail}
+              onChange={(e) => setSupportEmail(e.target.value)}
+              placeholder="support@yourdomain.com"
+              maxLength={254}
+            />
+            <div style={{ fontSize: 12, color: theme.textDim, marginTop: 6 }}>
+              Partners see this in their portal footer for questions about commissions, payouts, or their account.
+            </div>
+          </div>
+
+          <div style={{ display: 'flex', alignItems: 'center', gap: 12 }}>
+            <Button onClick={() => mut.mutate()} disabled={mut.isPending}>
+              {mut.isPending ? 'Saving…' : 'Save settings'}
+            </Button>
+            {saved && <span style={{ color: theme.success, fontSize: 13 }}>Saved.</span>}
+          </div>
+        </Card>
+      )}
+    </Page>
+  );
+}

From c28f197673f3f0d7ea0df82d86d7c31990e0e5cd Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 16:46:44 -0700
Subject: [PATCH 011/131] feat(auth): admin personas, SMTP support, first-run
 install wizard
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three tightly-coupled changes:

1. Admin as a first-class persona (not just ADMIN_API_KEY)

  - New Admin table (id, email, name, activatedAt, revokedAt,
    revokeReason, lastSignInAt).
  - Session + MagicLinkToken generalized from partnerId to
    (principalKind, principalId) so the same magic-link infra carries
    both admins and partners. Backfill stamps existing rows
    principalKind='partner'.
  - Unified /auth/signin and /auth/magic/verify branch on the token's
    principalKind — admins get adminInviteEmail + adminSigninEmail,
    partners get their existing templates.
  - /admins routes: list, invite, resend, revoke, reinstate. Revoke
    has two guardrails: can't revoke yourself (session-sourced), and
    can't drop active-admin count to zero.
  - ADMIN_API_KEY env stays as bootstrap / headless / CI path; human
    admins sign in via the account instead.
  - Portal gets an Admins page under Admin; principal chip shows
    "admin (env)" for env-bearer, admin name for session admins.

2. SMTP support via nodemailer

  - Mailer auto-select: SMTP_HOST + MAIL_FROM → SMTP, else
    POSTMARK_SERVER_TOKEN + MAIL_FROM → Postmark, else console
    fallback (dev only).
  - SMTP covers the universe of providers (Gmail, Workspace, SES,
    Mailgun, SendGrid, Resend, Postmark SMTP, self-hosted Postfix).
  - Postmark stays as a dedicated adapter.
  - .env.example documents the two transport options.

3. /install wizard — WordPress-style first-run

  - New InstallPage at /install, unauthenticated. Single form
    collects admin name+email + program name + support email.
  - GET /install/status lets the portal route to /install while
    needsSetup=true and back to normal once an admin is activated.
  - POST /install is rate-limited and refuses (409) once any active
    admin exists — second installer can't take over.
  - Submit creates the Admin row + saves program_settings +
    sends the magic-link invite in one round-trip.

New tests (4) cover: install → first-admin happy path; admin invite +
signin; last-active-admin revoke guard; duplicate-email 409. Partners'
existing revoke had to switch Session lookup from partnerId to
(principalKind, principalId) too.

56 api / 3 router / 11 sdk = 70 tests, all green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .env.example                                  |  29 ++-
 apps/api/package.json                         |   2 +
 apps/api/src/__tests__/admin-invite.test.ts   | 179 ++++++++++++++++++
 apps/api/src/app.ts                           |   4 +
 apps/api/src/auth-sessions.ts                 |  52 ++---
 apps/api/src/auth.ts                          |   7 +-
 apps/api/src/email-templates.ts               |  30 +++
 apps/api/src/mailer.ts                        |  67 +++++--
 apps/api/src/routes/admins.ts                 | 150 +++++++++++++++
 apps/api/src/routes/auth.ts                   |  10 +-
 apps/api/src/routes/install.ts                | 105 ++++++++++
 apps/api/src/routes/partner-auth.ts           | 103 +++++++---
 apps/api/src/routes/partners.ts               |   6 +-
 apps/portal/src/App.tsx                       |  51 ++++-
 apps/portal/src/api.ts                        |   1 +
 apps/portal/src/pages/Install.tsx             | 104 ++++++++++
 apps/portal/src/pages/admin/Admins.tsx        | 169 +++++++++++++++++
 .../20260506000000_admin_accounts.ts          | 113 +++++++++++
 packages/db/src/index.ts                      |   1 +
 packages/db/src/types.ts                      |  26 ++-
 pnpm-lock.yaml                                |  19 ++
 21 files changed, 1147 insertions(+), 81 deletions(-)
 create mode 100644 apps/api/src/__tests__/admin-invite.test.ts
 create mode 100644 apps/api/src/routes/admins.ts
 create mode 100644 apps/api/src/routes/install.ts
 create mode 100644 apps/portal/src/pages/Install.tsx
 create mode 100644 apps/portal/src/pages/admin/Admins.tsx
 create mode 100644 packages/db/migrations/20260506000000_admin_accounts.ts

diff --git a/.env.example b/.env.example
index a690a2c..4918cf9 100644
--- a/.env.example
+++ b/.env.example
@@ -17,7 +17,9 @@ PORTAL_PORT=5673
 # In production: set to your marketing apex (e.g. .yourdomain.com)
 COOKIE_DOMAIN=localhost
 
-# Admin API key for bootstrap (curl/CI). Rotate via POST /api-keys once live.
+# Bootstrap / headless admin bearer. Human admins sign in via the /install
+# wizard (first run) or by receiving an emailed magic link. Keep this set
+# for CI, scripts, and emergency access; rotate once human admins exist.
 # Generate: node -e "console.log('op_' + require('crypto').randomBytes(24).toString('hex'))"
 ADMIN_API_KEY=op_devonly_replace_me_with_64_hex_chars_before_any_real_use_xxxx
 
@@ -40,13 +42,28 @@ PORTAL_URL=http://localhost:5673
 # Optional: extra CORS origins beyond PORTAL_URL, comma-separated.
 CORS_EXTRA_ORIGINS=
 
-# Mail for partner invites + signin links.
-# Set BOTH to use Postmark; leave either blank and the mailer falls
-# back to printing the email to stdout (dev only — you'll see the
-# magic-link URL in the dev:api console).
+# Mail for admin + partner invite / signin links.
+# Transport is auto-selected:
+#   SMTP_HOST + MAIL_FROM    → nodemailer SMTP (works with Gmail,
+#                              Workspace, SES, Mailgun, SendGrid,
+#                              Resend, Postmark SMTP, local Postfix)
+#   POSTMARK_SERVER_TOKEN + MAIL_FROM → Postmark HTTP API
+#   neither                  → stdout (dev only; magic link prints
+#                              to the `pnpm dev:api` console)
+#
+# MAIL_FROM is the sender header on every email, e.g.
+#   MAIL_FROM="Acme Partners <partners@acme.com>"
 MAIL_FROM=
+
+# -- SMTP (recommended for most self-hosts) --
+SMTP_HOST=
+SMTP_PORT=587
+SMTP_SECURE=
+SMTP_USER=
+SMTP_PASSWORD=
+
+# -- Postmark (alternative) --
 POSTMARK_SERVER_TOKEN=
-# Optional — defaults to the "outbound" transactional stream.
 POSTMARK_MESSAGE_STREAM=outbound
 
 # Optional: bearer token required to scrape /metrics. Leave blank and
diff --git a/apps/api/package.json b/apps/api/package.json
index 51e2fdb..616daf3 100644
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -22,6 +22,7 @@
     "express-async-errors": "^3.1.1",
     "helmet": "^7.0.0",
     "knex": "^3.1.0",
+    "nodemailer": "^8.0.6",
     "pg": "^8.11.5",
     "pino": "^9.4.0",
     "pino-http": "^9.0.0",
@@ -32,6 +33,7 @@
   "devDependencies": {
     "@types/cors": "^2.8.17",
     "@types/express": "^4.17.21",
+    "@types/nodemailer": "^8.0.0",
     "@types/pg": "^8.11.10",
     "@types/supertest": "^7.2.0",
     "supertest": "^7.0.0",
diff --git a/apps/api/src/__tests__/admin-invite.test.ts b/apps/api/src/__tests__/admin-invite.test.ts
new file mode 100644
index 0000000..df8ab09
--- /dev/null
+++ b/apps/api/src/__tests__/admin-invite.test.ts
@@ -0,0 +1,179 @@
+/**
+ * Admin persona flow: first-run install, admin-to-admin invite, revoke
+ * guardrails. Uses a capturing mailer so we can read the magic-link
+ * URLs without Postmark.
+ */
+
+import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it } from 'vitest';
+import request from 'supertest';
+import { TABLES } from '@openpartner/db';
+import { db } from '../db.js';
+import { createApp } from '../app.js';
+import { __setMailerForTests, type Mailer, type Message } from '../mailer.js';
+
+const ADMIN_KEY = 'op_test_admin_persona_0123456789abcdef0123';
+process.env.ADMIN_API_KEY = ADMIN_KEY;
+process.env.PORTAL_URL = 'http://localhost:5673';
+
+const skipIntegration = !process.env.DATABASE_URL || process.env.INTEGRATION === 'skip';
+
+const TABLES_TO_CLEAN = [
+  TABLES.Session,
+  TABLES.MagicLinkToken,
+  TABLES.ApiKey,
+  TABLES.Partner,
+  TABLES.Admin,
+  TABLES.Config,
+];
+
+const app = createApp({ enableLogger: false });
+
+class CapturingMailer implements Mailer {
+  readonly sent: Message[] = [];
+  async send(msg: Message): Promise<void> {
+    this.sent.push(msg);
+  }
+  findFor(to: string, purpose?: string): Message | undefined {
+    return this.sent.find(
+      (m) =>
+        m.to === to &&
+        (purpose == null || m.metadata?.purpose === purpose || m.tag === purpose),
+    );
+  }
+}
+
+let mailer: CapturingMailer;
+
+beforeAll(async () => {
+  if (skipIntegration) return;
+  await db.raw('select 1');
+});
+
+beforeEach(async () => {
+  mailer = new CapturingMailer();
+  __setMailerForTests(mailer);
+  if (skipIntegration) return;
+  for (const t of TABLES_TO_CLEAN) {
+    await db(t).del();
+  }
+});
+
+afterEach(() => {
+  __setMailerForTests(null);
+});
+
+afterAll(async () => {
+  await db.destroy();
+});
+
+function extractToken(body: string): string {
+  const match = /token=([^\s&"]+)/.exec(body);
+  if (!match) throw new Error(`no token in body:\n${body}`);
+  return decodeURIComponent(match[1]!);
+}
+
+describe.skipIf(skipIntegration)('admin personas', () => {
+  it('install → first admin accepts → program settings persisted', async () => {
+    // Status probe reports needsSetup=true with zero admins.
+    const status = await request(app).get('/install/status');
+    expect(status.status).toBe(200);
+    expect(status.body.needsSetup).toBe(true);
+
+    const setup = await request(app).post('/install').send({
+      adminName: 'Ada Admin',
+      adminEmail: 'ada@example.com',
+      programName: 'Acme Partners',
+      supportEmail: 'support@acme.com',
+    });
+    expect(setup.status).toBe(200);
+
+    // Invite email landed.
+    const invite = mailer.findFor('ada@example.com', 'admin_invite');
+    expect(invite).toBeDefined();
+    expect(invite!.subject).toContain('Acme Partners');
+
+    // Activate.
+    const token = extractToken(invite!.text);
+    const verify = await request(app).post('/auth/magic/verify').send({ token });
+    expect(verify.status).toBe(200);
+    expect(verify.body.role).toBe('admin');
+    expect(verify.body.admin.email).toBe('ada@example.com');
+    const cookie = (verify.headers['set-cookie'] as unknown as string[])[0]!.split(';')[0]!;
+
+    // Status now reports installed.
+    const statusAfter = await request(app).get('/install/status');
+    expect(statusAfter.body.needsSetup).toBe(false);
+
+    // /install 409s now — second installer can't take over.
+    const second = await request(app).post('/install').send({
+      adminName: 'Rogue',
+      adminEmail: 'rogue@example.com',
+      programName: 'Takeover',
+    });
+    expect(second.status).toBe(409);
+
+    // Program settings were saved.
+    const settings = await request(app).get('/config/program').set('Cookie', cookie);
+    expect(settings.body.programName).toBe('Acme Partners');
+    expect(settings.body.supportEmail).toBe('support@acme.com');
+
+    // whoami via cookie resolves to admin with name.
+    const who = await request(app).get('/auth/whoami').set('Cookie', cookie);
+    expect(who.status).toBe(200);
+    expect(who.body.role).toBe('admin');
+    expect(who.body.admin.name).toBe('Ada Admin');
+  });
+
+  it('admin-to-admin invite + signin', async () => {
+    // Bootstrap via env admin key (no install needed for this test).
+    const create = await request(app)
+      .post('/admins')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ email: 'two@example.com', name: 'Number Two' });
+    expect(create.status).toBe(201);
+
+    const invite = mailer.findFor('two@example.com', 'admin_invite');
+    expect(invite).toBeDefined();
+
+    const token = extractToken(invite!.text);
+    const verify = await request(app).post('/auth/magic/verify').send({ token });
+    expect(verify.status).toBe(200);
+    expect(verify.body.admin.name).toBe('Number Two');
+
+    // Returning signin sends an admin_signin email (not partner_signin).
+    mailer.sent.length = 0;
+    const signin = await request(app).post('/auth/signin').send({ email: 'two@example.com' });
+    expect(signin.status).toBe(200);
+    const signinMsg = mailer.findFor('two@example.com', 'admin_signin');
+    expect(signinMsg).toBeDefined();
+  });
+
+  it('cannot revoke the last active admin', async () => {
+    const create = await request(app)
+      .post('/admins')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ email: 'lone@example.com', name: 'Lone' });
+    const token = extractToken(mailer.findFor('lone@example.com')!.text);
+    await request(app).post('/auth/magic/verify').send({ token });
+
+    const res = await request(app)
+      .post(`/admins/${create.body.id}/revoke`)
+      .set('Authorization', `Bearer ${ADMIN_KEY}`);
+    expect(res.status).toBe(409);
+    expect(res.body.error).toBe('cannot_revoke_last_active_admin');
+  });
+
+  it('duplicate email → 409 email_taken', async () => {
+    await request(app)
+      .post('/admins')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ email: 'dup@example.com', name: 'First' });
+
+    const dupe = await request(app)
+      .post('/admins')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ email: 'dup@example.com', name: 'Second' });
+    expect(dupe.status).toBe(409);
+    expect(dupe.body.error).toBe('email_taken');
+  });
+});
diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index 378e46c..c32ef51 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -25,6 +25,8 @@ import { partnerAuthRouter } from './routes/partner-auth.js';
 import { adminOverviewRouter } from './routes/admin-overview.js';
 import { funnelRouter } from './routes/funnel.js';
 import { settingsRouter } from './routes/settings.js';
+import { adminsRouter } from './routes/admins.js';
+import { installRouter } from './routes/install.js';
 import { fraudReviewRouter } from './routes/fraud-review.js';
 import { webhooksRouter } from './routes/webhooks.js';
 import { metricsRouter } from './routes/metrics.js';
@@ -104,6 +106,8 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
 
   app.use(authRouter);
   app.use(partnerAuthRouter);
+  app.use(installRouter);
+  app.use(adminsRouter);
   app.use(settingsRouter);
   app.use(funnelRouter);
   app.use(fraudReviewRouter);
diff --git a/apps/api/src/auth-sessions.ts b/apps/api/src/auth-sessions.ts
index c1500f0..d90dec3 100644
--- a/apps/api/src/auth-sessions.ts
+++ b/apps/api/src/auth-sessions.ts
@@ -1,10 +1,12 @@
 /**
- * Magic-link token + session primitives — partner auth only.
+ * Magic-link token + session primitives. Generic over principal kind:
+ * both admins and partners use the same magic-link verify + session
+ * cookie flow, differing only in which table we check + activate on
+ * verify.
  *
  * Tokens look like `opml_<hex>` and sessions look like `ops_<hex>`. Both
- * use the same pattern as ApiKey: store a sha256 hash + an 8-char prefix
- * so lookups are indexed and plaintext is only ever held for the
- * moment we generate / verify.
+ * use the same prefix+hash lookup as ApiKey — plaintext is only ever
+ * held at generation + verify time.
  */
 
 import { createHash, randomBytes } from 'node:crypto';
@@ -14,6 +16,7 @@ import {
   TABLES,
   type MagicLinkTokenRow,
   type MagicLinkPurpose,
+  type PrincipalKind,
   type SessionRow,
 } from '@openpartner/db';
 import { db } from './db.js';
@@ -41,7 +44,8 @@ export interface IssuedMagicLink {
 export async function issueMagicLink(params: {
   email: string;
   purpose: MagicLinkPurpose;
-  partnerId: string;
+  principalKind: PrincipalKind;
+  principalId: string;
 }): Promise<IssuedMagicLink> {
   const { plaintext, prefix, tokenHash } = generate('opml');
   const expiresAt = new Date(Date.now() + MAGIC_TTL_MS);
@@ -51,7 +55,8 @@ export async function issueMagicLink(params: {
     tokenHash,
     email: params.email.toLowerCase(),
     purpose: params.purpose,
-    partnerId: params.partnerId,
+    principalKind: params.principalKind,
+    principalId: params.principalId,
     expiresAt,
   });
   return { plaintext, expiresAt };
@@ -61,19 +66,12 @@ export interface ConsumedMagicLink {
   token: MagicLinkTokenRow;
 }
 
-/**
- * Consume a magic-link token atomically. Rejects expired, already-consumed,
- * and unknown tokens. Returns the full token row on success so callers can
- * branch on purpose + partnerId.
- */
 export async function consumeMagicLink(plaintext: string): Promise<ConsumedMagicLink | null> {
   if (plaintext.length < TOKEN_PREFIX_LEN) return null;
   const prefix = plaintext.slice(0, TOKEN_PREFIX_LEN);
   const tokenHash = hash(plaintext);
   const now = new Date();
 
-  // Conditional UPDATE: only marks the row consumed if it's still
-  // consumable — race-safe against duplicate clicks.
   const updated = await db<MagicLinkTokenRow>(TABLES.MagicLinkToken)
     .where({ prefix, tokenHash })
     .whereNull('consumedAt')
@@ -91,7 +89,10 @@ export interface IssuedSession {
   expiresAt: Date;
 }
 
-export async function createSession(partnerId: string): Promise<IssuedSession> {
+export async function createSession(params: {
+  principalKind: PrincipalKind;
+  principalId: string;
+}): Promise<IssuedSession> {
   const { plaintext, prefix, tokenHash } = generate('ops');
   const id = ulid();
   const expiresAt = new Date(Date.now() + SESSION_TTL_MS);
@@ -99,7 +100,8 @@ export async function createSession(partnerId: string): Promise<IssuedSession> {
     id,
     prefix,
     tokenHash,
-    partnerId,
+    principalKind: params.principalKind,
+    principalId: params.principalId,
     expiresAt,
   });
   return { plaintext, id, expiresAt };
@@ -117,13 +119,19 @@ export async function resolveSession(plaintext: string): Promise<SessionRow | nu
     .first();
   if (!row) return null;
 
-  // Extra belt-and-braces: if the partner was revoked but somehow a
-  // session slipped through (e.g. revoke transaction failed mid-flight),
-  // reject here too.
-  const partner = (await db('Partner').where({ id: row.partnerId }).first()) as
-    | { revokedAt: Date | null }
-    | undefined;
-  if (!partner || partner.revokedAt) return null;
+  // Defense-in-depth: if the principal was revoked but somehow a session
+  // slipped through, reject here too.
+  if (row.principalKind === 'partner') {
+    const partner = (await db('Partner').where({ id: row.principalId }).first()) as
+      | { revokedAt: Date | null }
+      | undefined;
+    if (!partner || partner.revokedAt) return null;
+  } else if (row.principalKind === 'admin') {
+    const admin = (await db('Admin').where({ id: row.principalId }).first()) as
+      | { revokedAt: Date | null; activatedAt: Date | null }
+      | undefined;
+    if (!admin || admin.revokedAt || !admin.activatedAt) return null;
+  }
 
   void db<SessionRow>(TABLES.Session).where({ id: row.id }).update({ lastSeenAt: now });
   return row;
diff --git a/apps/api/src/auth.ts b/apps/api/src/auth.ts
index a9bb001..af29f4c 100644
--- a/apps/api/src/auth.ts
+++ b/apps/api/src/auth.ts
@@ -21,6 +21,7 @@ import { db } from './db.js';
 export type ApiKeyPrincipal =
   | { role: 'admin'; source: 'env' }
   | { role: 'admin'; source: 'db'; apiKeyId: string }
+  | { role: 'admin'; source: 'session'; sessionId: string; adminId: string }
   | { role: 'partner'; source: 'db'; apiKeyId: string; partnerId: string }
   | { role: 'partner'; source: 'session'; sessionId: string; partnerId: string }
   | { role: 'scoped'; source: 'db'; apiKeyId: string; scopes: string[] };
@@ -80,13 +81,15 @@ export function requirePartnerOrAdmin(paramName: string = 'id') {
 async function resolvePrincipal(req: Request): Promise<ApiKeyPrincipal | null> {
   const header = req.header('authorization');
   if (!header) {
-    // No Bearer — fall back to the session cookie (set by magic-link verify).
     const cookie = (req as unknown as { cookies?: Record<string, string> }).cookies?.op_session;
     if (!cookie) return null;
     const { resolveSession } = await import('./auth-sessions.js');
     const session = await resolveSession(cookie);
     if (!session) return null;
-    return { role: 'partner', source: 'session', sessionId: session.id, partnerId: session.partnerId };
+    if (session.principalKind === 'admin') {
+      return { role: 'admin', source: 'session', sessionId: session.id, adminId: session.principalId };
+    }
+    return { role: 'partner', source: 'session', sessionId: session.id, partnerId: session.principalId };
   }
 
   const match = /^Bearer\s+(\S+)$/i.exec(header);
diff --git a/apps/api/src/email-templates.ts b/apps/api/src/email-templates.ts
index 9835e6a..571c5ad 100644
--- a/apps/api/src/email-templates.ts
+++ b/apps/api/src/email-templates.ts
@@ -45,6 +45,36 @@ export function partnerSigninEmail(name: string, link: string): EmailTemplate {
   return { subject, text, html: wrap(text, link, 'Sign in') };
 }
 
+export function adminInviteEmail(name: string, link: string, programName: string | null): EmailTemplate {
+  const brand = programName || 'your partner program';
+  const subject = `You've been invited to administer ${brand}`;
+  const text = [
+    `Hi ${name},`,
+    ``,
+    `You've been invited as an administrator for ${brand}. Click the link below`,
+    `to accept the invitation and sign in:`,
+    ``,
+    link,
+    ``,
+    `This link is good for 15 minutes.`,
+  ].join('\n');
+  return { subject, text, html: wrap(text, link, 'Accept invite') };
+}
+
+export function adminSigninEmail(name: string, link: string): EmailTemplate {
+  const subject = `Your admin dashboard sign-in link`;
+  const text = [
+    `Hi ${name},`,
+    ``,
+    `Click the link below to sign in:`,
+    ``,
+    link,
+    ``,
+    `This link is good for 15 minutes. If you didn't ask for it, ignore this email.`,
+  ].join('\n');
+  return { subject, text, html: wrap(text, link, 'Sign in') };
+}
+
 export function partnerRevokedEmail(name: string, reason: string | null): EmailTemplate {
   const subject = `Your partner account has been suspended`;
   const text = [
diff --git a/apps/api/src/mailer.ts b/apps/api/src/mailer.ts
index 5566f54..49d9e95 100644
--- a/apps/api/src/mailer.ts
+++ b/apps/api/src/mailer.ts
@@ -1,13 +1,21 @@
 /**
- * Transactional mailer for partner invite + signin magic links.
+ * Transactional mailer. Transport is auto-selected from env:
  *
- * Transport is implicit from env:
- *   POSTMARK_SERVER_TOKEN + MAIL_FROM set → Postmark
- *   otherwise                            → console (stdout only)
+ *   SMTP_HOST + MAIL_FROM set               → nodemailer SMTP
+ *   POSTMARK_SERVER_TOKEN + MAIL_FROM set   → Postmark HTTP API
+ *   otherwise                               → console (stdout only)
+ *
+ * SMTP is the recommended path for self-hosted OSS — it works with any
+ * provider (Gmail, Workspace, SES, Mailgun, SendGrid, Resend, Postmark,
+ * a corporate relay, local Postfix). Postmark stays as a first-class
+ * dedicated adapter because its API is slightly more robust for
+ * transactional delivery. Console is for local dev only.
  *
  * Tests override via __setMailerForTests with an in-memory capturer.
  */
 
+import nodemailer, { type Transporter } from 'nodemailer';
+
 export interface Message {
   to: string;
   subject: string;
@@ -23,14 +31,32 @@ export interface Mailer {
 
 class ConsoleMailer implements Mailer {
   async send(msg: Message): Promise<void> {
-    // Dev fallback when no Postmark creds are present. Prints enough to
-    // recover the magic link from the terminal without needing a mailbox
-    // UI or third-party sandbox.
+    // Dev fallback when no transport creds are present. Prints enough
+    // to recover the magic link from the terminal without needing a
+    // real mailbox.
     console.log(`[mail] to=${msg.to} subject=${JSON.stringify(msg.subject)}`);
     console.log(msg.text);
   }
 }
 
+class SMTPMailer implements Mailer {
+  constructor(
+    private readonly transporter: Transporter,
+    private readonly from: string,
+  ) {}
+
+  async send(msg: Message): Promise<void> {
+    await this.transporter.sendMail({
+      from: this.from,
+      to: msg.to,
+      subject: msg.subject,
+      text: msg.text,
+      html: msg.html,
+      headers: msg.tag ? { 'X-Tag': msg.tag } : undefined,
+    });
+  }
+}
+
 class PostmarkMailer implements Mailer {
   constructor(
     private readonly serverToken: string,
@@ -71,13 +97,30 @@ let cached: Mailer | null = null;
 
 export function getMailer(): Mailer {
   if (cached) return cached;
-  const token = process.env.POSTMARK_SERVER_TOKEN;
   const from = process.env.MAIL_FROM;
-  if (token && from) {
-    cached = new PostmarkMailer(token, from, process.env.POSTMARK_MESSAGE_STREAM ?? 'outbound');
-  } else {
-    cached = new ConsoleMailer();
+  const smtpHost = process.env.SMTP_HOST;
+  const postmarkToken = process.env.POSTMARK_SERVER_TOKEN;
+
+  if (smtpHost && from) {
+    const transporter = nodemailer.createTransport({
+      host: smtpHost,
+      port: Number(process.env.SMTP_PORT ?? 587),
+      // Defaults to STARTTLS on 587; set SMTP_SECURE=1 for implicit TLS
+      // on 465. Leave off for providers that auto-detect.
+      secure: process.env.SMTP_SECURE === '1' || process.env.SMTP_PORT === '465',
+      auth:
+        process.env.SMTP_USER && process.env.SMTP_PASSWORD
+          ? { user: process.env.SMTP_USER, pass: process.env.SMTP_PASSWORD }
+          : undefined,
+    });
+    cached = new SMTPMailer(transporter, from);
+    return cached;
+  }
+  if (postmarkToken && from) {
+    cached = new PostmarkMailer(postmarkToken, from, process.env.POSTMARK_MESSAGE_STREAM ?? 'outbound');
+    return cached;
   }
+  cached = new ConsoleMailer();
   return cached;
 }
 
diff --git a/apps/api/src/routes/admins.ts b/apps/api/src/routes/admins.ts
new file mode 100644
index 0000000..5a1083a
--- /dev/null
+++ b/apps/api/src/routes/admins.ts
@@ -0,0 +1,150 @@
+/**
+ * Admin persona management — list, invite, revoke, reinstate.
+ *
+ * Guard rails:
+ *   - Can't revoke the last active admin (would lock everyone out)
+ *   - Can't revoke yourself (session-sourced admins only; env-sourced
+ *     admins can revoke anyone since they're a fallback root)
+ *
+ * The ADMIN_API_KEY env stays valid alongside admin personas as a
+ * bootstrap / headless path — think `doctl` or CI running migrations.
+ */
+
+import { Router } from 'express';
+import { z } from 'zod';
+import { ulid } from 'ulid';
+import { TABLES, type AdminRow, type ConfigRow, type SessionRow } from '@openpartner/db';
+import { db } from '../db.js';
+import { requireAdmin, requireAuth } from '../auth.js';
+import { issueMagicLink } from '../auth-sessions.js';
+import { getMailer } from '../mailer.js';
+import { adminInviteEmail, buildMagicLinkUrl } from '../email-templates.js';
+
+export const adminsRouter = Router();
+
+const inviteSchema = z.object({
+  email: z.string().email(),
+  name: z.string().min(1).max(120),
+});
+
+const revokeSchema = z.object({
+  reason: z.string().max(500).optional(),
+});
+
+async function getProgramName(): Promise<string | null> {
+  const row = await db<ConfigRow>(TABLES.Config).where({ key: 'program_settings' }).first();
+  const value = (row?.value ?? {}) as { programName?: string };
+  return value.programName ?? null;
+}
+
+async function activeAdminCount(trx?: typeof db): Promise<number> {
+  const [row] = await (trx ?? db)<AdminRow>(TABLES.Admin)
+    .whereNotNull('activatedAt')
+    .whereNull('revokedAt')
+    .count<{ count: string }[]>({ count: '*' });
+  return Number(row?.count ?? 0);
+}
+
+async function sendInvite(admin: AdminRow): Promise<void> {
+  const issued = await issueMagicLink({
+    email: admin.email,
+    purpose: 'admin_invite',
+    principalKind: 'admin',
+    principalId: admin.id,
+  });
+  const tmpl = adminInviteEmail(admin.name, buildMagicLinkUrl(issued.plaintext), await getProgramName());
+  await getMailer().send({
+    to: admin.email,
+    subject: tmpl.subject,
+    text: tmpl.text,
+    html: tmpl.html,
+    tag: 'admin_invite',
+    metadata: { purpose: 'admin_invite', adminId: admin.id },
+  });
+}
+
+// -------- List --------
+
+adminsRouter.get('/admins', requireAuth, requireAdmin, async (_req, res) => {
+  const admins = await db<AdminRow>(TABLES.Admin).orderBy('createdAt', 'desc');
+  res.json({ admins });
+});
+
+// -------- Invite --------
+
+adminsRouter.post('/admins', requireAuth, requireAdmin, async (req, res) => {
+  const body = inviteSchema.safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const email = body.data.email.toLowerCase();
+  const existing = await db<AdminRow>(TABLES.Admin).where({ email }).first();
+  if (existing) return res.status(409).json({ error: 'email_taken' });
+
+  const id = ulid();
+  const [admin] = await db<AdminRow>(TABLES.Admin)
+    .insert({ id, email, name: body.data.name, activatedAt: null })
+    .returning('*');
+  await sendInvite(admin as AdminRow);
+  res.status(201).json(admin);
+});
+
+// -------- Resend invite --------
+
+adminsRouter.post('/admins/:id/invite', requireAuth, requireAdmin, async (req, res) => {
+  const admin = await db<AdminRow>(TABLES.Admin).where({ id: req.params.id }).first();
+  if (!admin) return res.status(404).json({ error: 'not_found' });
+  if (admin.activatedAt) return res.status(409).json({ error: 'already_activated' });
+  await sendInvite(admin);
+  res.json({ ok: true });
+});
+
+// -------- Revoke --------
+
+adminsRouter.post('/admins/:id/revoke', requireAuth, requireAdmin, async (req, res) => {
+  const body = revokeSchema.safeParse(req.body ?? {});
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const admin = await db<AdminRow>(TABLES.Admin).where({ id: req.params.id }).first();
+  if (!admin) return res.status(404).json({ error: 'not_found' });
+  if (admin.revokedAt) return res.status(409).json({ error: 'already_revoked' });
+
+  // Guard: can't revoke yourself when you're a session-sourced admin.
+  // Env-sourced admins (ADMIN_API_KEY) don't have an adminId — they can.
+  const caller = req.principal;
+  if (caller?.role === 'admin' && caller.source === 'session' && caller.adminId === admin.id) {
+    return res.status(409).json({ error: 'cannot_revoke_self' });
+  }
+
+  // Guard: never drop the count of active admins to zero via revoke.
+  // If only one active admin remains and they're the one being revoked,
+  // refuse unless ADMIN_API_KEY was used (env-admin can still get in).
+  const count = await activeAdminCount();
+  if (count <= 1 && admin.activatedAt && !admin.revokedAt) {
+    return res.status(409).json({ error: 'cannot_revoke_last_active_admin' });
+  }
+
+  const now = new Date();
+  await db.transaction(async (trx) => {
+    await trx<AdminRow>(TABLES.Admin)
+      .where({ id: admin.id })
+      .update({ revokedAt: now, revokeReason: body.data.reason ?? null, updatedAt: now });
+    // Kill admin sessions like we do for partners.
+    await trx<SessionRow>(TABLES.Session)
+      .where({ principalKind: 'admin', principalId: admin.id })
+      .whereNull('revokedAt')
+      .update({ revokedAt: now });
+  });
+  res.json({ ok: true, revokedAt: now });
+});
+
+// -------- Reinstate --------
+
+adminsRouter.post('/admins/:id/reinstate', requireAuth, requireAdmin, async (req, res) => {
+  const admin = await db<AdminRow>(TABLES.Admin).where({ id: req.params.id }).first();
+  if (!admin) return res.status(404).json({ error: 'not_found' });
+  if (!admin.revokedAt) return res.status(409).json({ error: 'not_revoked' });
+  await db<AdminRow>(TABLES.Admin)
+    .where({ id: admin.id })
+    .update({ revokedAt: null, revokeReason: null, updatedAt: new Date() });
+  res.json({ ok: true });
+});
diff --git a/apps/api/src/routes/auth.ts b/apps/api/src/routes/auth.ts
index b761442..f8deb9f 100644
--- a/apps/api/src/routes/auth.ts
+++ b/apps/api/src/routes/auth.ts
@@ -1,5 +1,5 @@
 import { Router } from 'express';
-import { TABLES, type PartnerRow } from '@openpartner/db';
+import { TABLES, type AdminRow, type PartnerRow } from '@openpartner/db';
 import { db } from '../db.js';
 import { requireAuth } from '../auth.js';
 
@@ -30,6 +30,14 @@ authRouter.get('/auth/introspect', requireAuth, async (req, res) => {
 authRouter.get('/auth/whoami', requireAuth, async (req, res) => {
   const p = req.principal!;
   if (p.role === 'admin') {
+    if (p.source === 'session') {
+      const admin = await db<AdminRow>(TABLES.Admin).where({ id: p.adminId }).first();
+      return res.json({
+        role: 'admin',
+        source: 'session',
+        admin: admin ? { id: admin.id, email: admin.email, name: admin.name } : null,
+      });
+    }
     return res.json({ role: 'admin', source: p.source });
   }
   if (p.role === 'partner') {
diff --git a/apps/api/src/routes/install.ts b/apps/api/src/routes/install.ts
new file mode 100644
index 0000000..0f6c117
--- /dev/null
+++ b/apps/api/src/routes/install.ts
@@ -0,0 +1,105 @@
+/**
+ * First-run install endpoint — WordPress-style. Only usable while zero
+ * admins are activated. Once the first admin exists, the endpoint 409s
+ * so a second "installer" can't take over.
+ *
+ * Creates the first admin in a single round-trip along with the program
+ * settings (name + support email) and emails them a magic-link to
+ * activate. After they verify, they're the first admin and can invite
+ * others + rotate ADMIN_API_KEY.
+ */
+
+import { Router } from 'express';
+import { z } from 'zod';
+import { ulid } from 'ulid';
+import { TABLES, type AdminRow, type ConfigRow } from '@openpartner/db';
+import { db } from '../db.js';
+import { ipRateLimit } from '../middleware/rate-limit.js';
+import { issueMagicLink } from '../auth-sessions.js';
+import { getMailer } from '../mailer.js';
+import { adminInviteEmail, buildMagicLinkUrl } from '../email-templates.js';
+
+export const installRouter = Router();
+
+const installLimit = ipRateLimit({ name: 'install', max: 5, windowMs: 60_000 });
+
+const installSchema = z.object({
+  adminName: z.string().trim().min(1).max(120),
+  adminEmail: z.string().trim().email().max(254),
+  programName: z.string().trim().min(1).max(120),
+  supportEmail: z.string().trim().email().max(254).optional().or(z.literal('')),
+});
+
+/**
+ * Public status probe used by the portal to decide whether to route to
+ * /install on mount. Always reachable (it's what tells the portal the
+ * system is uninitialized).
+ */
+installRouter.get('/install/status', async (_req, res) => {
+  const [row] = await db<AdminRow>(TABLES.Admin)
+    .whereNotNull('activatedAt')
+    .whereNull('revokedAt')
+    .count<{ count: string }[]>({ count: '*' });
+  res.json({ needsSetup: Number(row?.count ?? 0) === 0 });
+});
+
+installRouter.post('/install', installLimit, async (req, res) => {
+  const body = installSchema.safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const [existing] = await db<AdminRow>(TABLES.Admin)
+    .whereNotNull('activatedAt')
+    .whereNull('revokedAt')
+    .count<{ count: string }[]>({ count: '*' });
+  if (Number(existing?.count ?? 0) > 0) {
+    return res.status(409).json({ error: 'already_installed' });
+  }
+
+  const adminEmail = body.data.adminEmail.toLowerCase();
+  const programName = body.data.programName.trim();
+  const supportEmail = body.data.supportEmail?.trim() || null;
+  const now = new Date();
+
+  await db.transaction(async (trx) => {
+    // Program settings first so the admin-invite email can brand the subject.
+    await trx<ConfigRow>(TABLES.Config)
+      .insert({
+        key: 'program_settings',
+        value: { programName, supportEmail } as unknown as never,
+        updatedAt: now,
+      })
+      .onConflict('key')
+      .merge({ value: { programName, supportEmail } as unknown as never, updatedAt: now });
+
+    // Create the admin row; activation happens on magic-link verify.
+    const id = ulid();
+    await trx<AdminRow>(TABLES.Admin).insert({
+      id,
+      email: adminEmail,
+      name: body.data.adminName.trim(),
+      activatedAt: null,
+    });
+  });
+
+  // Send invite outside the transaction so mail failures don't roll back.
+  const admin = await db<AdminRow>(TABLES.Admin).where({ email: adminEmail }).first();
+  if (admin) {
+    const issued = await issueMagicLink({
+      email: adminEmail,
+      purpose: 'admin_invite',
+      principalKind: 'admin',
+      principalId: admin.id,
+    });
+    const tmpl = adminInviteEmail(admin.name, buildMagicLinkUrl(issued.plaintext), programName);
+    await getMailer().send({
+      to: adminEmail,
+      subject: tmpl.subject,
+      text: tmpl.text,
+      html: tmpl.html,
+      tag: 'admin_invite',
+      metadata: { purpose: 'admin_invite', adminId: admin.id, firstRun: true },
+    });
+  }
+
+  res.json({ ok: true });
+});
diff --git a/apps/api/src/routes/partner-auth.ts b/apps/api/src/routes/partner-auth.ts
index f50d23a..b7b6f38 100644
--- a/apps/api/src/routes/partner-auth.ts
+++ b/apps/api/src/routes/partner-auth.ts
@@ -1,17 +1,19 @@
 /**
- * Partner-facing authentication:
+ * Human authentication — covers both admin and partner personas.
  *
- *   POST /auth/signin          email → magic link (returning partners)
- *   POST /auth/magic/verify    token → session cookie + whoami
- *   POST /auth/signout         revokes the session cookie
+ *   POST /auth/signin          email → magic-link email (whichever table
+ *                              the address lives in). 200 always so
+ *                              email existence can't be enumerated.
+ *   POST /auth/magic/verify    token → session cookie + whoami. Branches
+ *                              on the token's principalKind.
+ *   POST /auth/signout         revokes the session cookie.
  *
- * The invite-on-create side lives on POST /partners in partners.ts — this
- * file handles everything the partner themselves interacts with.
+ * Invite-on-create sides live in /partners and /admins.
  */
 
 import { Router } from 'express';
 import { z } from 'zod';
-import { TABLES, type PartnerRow } from '@openpartner/db';
+import { TABLES, type AdminRow, type PartnerRow } from '@openpartner/db';
 import { db } from '../db.js';
 import {
   SESSION_COOKIE_NAME,
@@ -23,37 +25,54 @@ import {
 } from '../auth-sessions.js';
 import { getMailer } from '../mailer.js';
 import { ipRateLimit } from '../middleware/rate-limit.js';
-import { buildMagicLinkUrl, partnerSigninEmail } from '../email-templates.js';
+import {
+  adminSigninEmail,
+  buildMagicLinkUrl,
+  partnerRevokedEmail,
+  partnerSigninEmail,
+} from '../email-templates.js';
 
 export const partnerAuthRouter = Router();
 
-// 10/min per IP keeps an attacker from email-bombing a known address.
 const mailAuthLimit = ipRateLimit({ name: 'partner-auth-mail', max: 10, windowMs: 60_000 });
-// Verify brute-force: single-use tokens make this moot, but cheap to cap.
 const verifyLimit = ipRateLimit({ name: 'partner-auth-verify', max: 30, windowMs: 60_000 });
 
 const signinSchema = z.object({ email: z.string().email() });
 const verifySchema = z.object({ token: z.string().min(8) });
 
-// -------- Returning-partner signin --------
+// -------- Signin --------
 
 partnerAuthRouter.post('/auth/signin', mailAuthLimit, async (req, res) => {
   const body = signinSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
   const email = body.data.email.toLowerCase();
-  const partner = await db<PartnerRow>(TABLES.Partner).where({ email }).first();
 
-  // Always return {ok:true} — don't leak whether the email is known.
-  // Three outcomes internally:
-  //   - unknown / pending           → no email, silent
-  //   - active                      → magic-link email
-  //   - revoked                     → suspension-notice email (the
-  //     partner already knows, but a reminder short-circuits the
-  //     "why doesn't my link work?" loop)
-  if (partner && partner.activatedAt) {
+  // Admin first — if the same email is registered as both an admin and a
+  // partner (unusual but possible on single-operator setups), admin wins.
+  const admin = await db<AdminRow>(TABLES.Admin).where({ email }).first();
+  if (admin?.activatedAt && !admin.revokedAt) {
+    const issued = await issueMagicLink({
+      email,
+      purpose: 'admin_signin',
+      principalKind: 'admin',
+      principalId: admin.id,
+    });
+    const tmpl = adminSigninEmail(admin.name, buildMagicLinkUrl(issued.plaintext));
+    await getMailer().send({
+      to: email,
+      subject: tmpl.subject,
+      text: tmpl.text,
+      html: tmpl.html,
+      tag: 'admin_signin',
+      metadata: { purpose: 'admin_signin', adminId: admin.id },
+    });
+    return res.json({ ok: true });
+  }
+
+  const partner = await db<PartnerRow>(TABLES.Partner).where({ email }).first();
+  if (partner?.activatedAt) {
     if (partner.revokedAt) {
-      const { partnerRevokedEmail } = await import('../email-templates.js');
       const tmpl = partnerRevokedEmail(partner.name, partner.revokeReason);
       await getMailer().send({
         to: email,
@@ -64,7 +83,12 @@ partnerAuthRouter.post('/auth/signin', mailAuthLimit, async (req, res) => {
         metadata: { purpose: 'partner_revoked_signin_attempt', partnerId: partner.id },
       });
     } else {
-      const issued = await issueMagicLink({ email, purpose: 'partner_signin', partnerId: partner.id });
+      const issued = await issueMagicLink({
+        email,
+        purpose: 'partner_signin',
+        principalKind: 'partner',
+        principalId: partner.id,
+      });
       const tmpl = partnerSigninEmail(partner.name, buildMagicLinkUrl(issued.plaintext));
       await getMailer().send({
         to: email,
@@ -76,10 +100,11 @@ partnerAuthRouter.post('/auth/signin', mailAuthLimit, async (req, res) => {
       });
     }
   }
+  // Unknown / pending / revoked-admin → silent 200. No email sent.
   res.json({ ok: true });
 });
 
-// -------- Magic-link verify (both invite + signin share this endpoint) --------
+// -------- Verify --------
 
 partnerAuthRouter.post('/auth/magic/verify', verifyLimit, async (req, res) => {
   const body = verifySchema.safeParse(req.body);
@@ -87,18 +112,41 @@ partnerAuthRouter.post('/auth/magic/verify', verifyLimit, async (req, res) => {
 
   const consumed = await consumeMagicLink(body.data.token);
   if (!consumed) return res.status(400).json({ error: 'invalid_or_expired_token' });
+  const token = consumed.token;
 
-  const partner = await db<PartnerRow>(TABLES.Partner).where({ id: consumed.token.partnerId }).first();
+  if (token.principalKind === 'admin') {
+    const admin = await db<AdminRow>(TABLES.Admin).where({ id: token.principalId }).first();
+    if (!admin) return res.status(404).json({ error: 'admin_not_found' });
+    if (admin.revokedAt) return res.status(403).json({ error: 'admin_revoked' });
+
+    if (token.purpose === 'admin_invite' && !admin.activatedAt) {
+      await db<AdminRow>(TABLES.Admin)
+        .where({ id: admin.id })
+        .update({ activatedAt: new Date(), updatedAt: new Date() });
+    }
+    await db<AdminRow>(TABLES.Admin).where({ id: admin.id }).update({ lastSignInAt: new Date() });
+
+    const session = await createSession({ principalKind: 'admin', principalId: admin.id });
+    res.cookie(SESSION_COOKIE_NAME, session.plaintext, sessionCookieOptions());
+    return res.json({
+      ok: true,
+      role: 'admin',
+      admin: { id: admin.id, email: admin.email, name: admin.name },
+    });
+  }
+
+  // partner
+  const partner = await db<PartnerRow>(TABLES.Partner).where({ id: token.principalId }).first();
   if (!partner) return res.status(404).json({ error: 'partner_not_found' });
+  if (partner.revokedAt) return res.status(403).json({ error: 'partner_revoked' });
 
-  // Invite tokens activate the partner as a side-effect of the first login.
-  if (consumed.token.purpose === 'partner_invite' && !partner.activatedAt) {
+  if (token.purpose === 'partner_invite' && !partner.activatedAt) {
     await db<PartnerRow>(TABLES.Partner)
       .where({ id: partner.id })
       .update({ activatedAt: new Date(), updatedAt: new Date() });
   }
 
-  const session = await createSession(partner.id);
+  const session = await createSession({ principalKind: 'partner', principalId: partner.id });
   res.cookie(SESSION_COOKIE_NAME, session.plaintext, sessionCookieOptions());
   res.json({
     ok: true,
@@ -124,4 +172,3 @@ partnerAuthRouter.post('/auth/signout', async (req, res) => {
   res.clearCookie(SESSION_COOKIE_NAME, { path: '/' });
   res.json({ ok: true });
 });
-
diff --git a/apps/api/src/routes/partners.ts b/apps/api/src/routes/partners.ts
index 732ca52..5d26f2b 100644
--- a/apps/api/src/routes/partners.ts
+++ b/apps/api/src/routes/partners.ts
@@ -46,7 +46,7 @@ partnersRouter.post('/partners', requireAuth, grantScope('partners:write'), requ
     .returning('*');
 
   if (sendInvite) {
-    const issued = await issueMagicLink({ email, purpose: 'partner_invite', partnerId: id });
+    const issued = await issueMagicLink({ email, purpose: 'partner_invite', principalKind: 'partner', principalId: id });
     const tmpl = partnerInviteEmail(body.data.name, buildMagicLinkUrl(issued.plaintext));
     await getMailer().send({
       to: email,
@@ -71,7 +71,7 @@ partnersRouter.post('/partners/:id/invite', requireAuth, requireAdmin, async (re
   if (!partner) return res.status(404).json({ error: 'not_found' });
   if (partner.activatedAt) return res.status(409).json({ error: 'already_activated' });
 
-  const issued = await issueMagicLink({ email: partner.email, purpose: 'partner_invite', partnerId: partner.id });
+  const issued = await issueMagicLink({ email: partner.email, purpose: 'partner_invite', principalKind: 'partner', principalId: partner.id });
   const tmpl = partnerInviteEmail(partner.name, buildMagicLinkUrl(issued.plaintext));
   await getMailer().send({
     to: partner.email,
@@ -113,7 +113,7 @@ partnersRouter.post('/partners/:id/revoke', requireAuth, requireAdmin, async (re
       .where({ id: partner.id })
       .update({ revokedAt: now, revokeReason: reason, updatedAt: now });
     await trx<SessionRow>(TABLES.Session)
-      .where({ partnerId: partner.id })
+      .where({ principalKind: 'partner', principalId: partner.id })
       .whereNull('revokedAt')
       .update({ revokedAt: now });
   });
diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index aed609e..24cfff0 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -14,6 +14,7 @@ import {
   Webhook,
   Settings,
   Mail,
+  UserCog,
 } from 'lucide-react';
 import { clearApiKey, api, type Principal } from './api.js';
 import { theme } from './theme.js';
@@ -30,6 +31,8 @@ import { LoginPage } from './pages/auth/Login.js';
 import { MagicLandingPage } from './pages/auth/MagicLanding.js';
 import { WebhooksPage } from './pages/admin/Webhooks.js';
 import { AdminSettings } from './pages/admin/Settings.js';
+import { AdminAdmins } from './pages/admin/Admins.js';
+import { InstallPage } from './pages/Install.js';
 import { FraudReviewPage } from './pages/FraudReview.js';
 import { useQuery } from '@tanstack/react-query';
 
@@ -38,13 +41,45 @@ interface AuthState {
   principal: Principal | null;
 }
 
+interface InstallStatus {
+  needsSetup: boolean;
+}
+
 export function App() {
+  // First-run gate: hit the install-status probe once at app boot. While
+  // zero admins are activated we route everything (except the magic
+  // landing, which is how the installer's own link works) to /install.
+  const install = useQuery({
+    queryKey: ['install-status'],
+    // Public endpoint — no auth required. Hand-rolled fetch so we don't
+    // drag the api() function through auth-cleanup on 401.
+    queryFn: async () => {
+      const r = await fetch('/api/install/status');
+      return (await r.json()) as InstallStatus;
+    },
+    staleTime: Infinity,
+  });
+
+  if (install.isLoading) return null;
+  const needsSetup = install.data?.needsSetup ?? false;
+
   return (
     <BrowserRouter>
       <Routes>
-        <Route path="/login" element={<LoginPage />} />
-        <Route path="/auth/magic" element={<MagicLandingPage />} />
-        <Route path="/*" element={<Shell />} />
+        {needsSetup ? (
+          <>
+            <Route path="/install" element={<InstallPage />} />
+            <Route path="/auth/magic" element={<MagicLandingPage />} />
+            <Route path="*" element={<Navigate to="/install" replace />} />
+          </>
+        ) : (
+          <>
+            <Route path="/install" element={<Navigate to="/" replace />} />
+            <Route path="/login" element={<LoginPage />} />
+            <Route path="/auth/magic" element={<MagicLandingPage />} />
+            <Route path="/*" element={<Shell />} />
+          </>
+        )}
       </Routes>
     </BrowserRouter>
   );
@@ -83,6 +118,7 @@ function Shell() {
               <Route path="admin/export" element={<AdminExport />} />
               <Route path="admin/fraud-review" element={<FraudReviewPage />} />
               <Route path="admin/webhooks" element={<WebhooksPage />} />
+              <Route path="admin/admins" element={<AdminAdmins />} />
               <Route path="admin/settings" element={<AdminSettings />} />
             </>
           )}
@@ -145,6 +181,7 @@ function Sidebar({ principal }: { principal: Principal }) {
             <NavItem to="/admin/export" icon={<Download size={16} />}>Export / import</NavItem>
             <NavItem to="/admin/fraud-review" icon={<ShieldCheck size={16} />}>Fraud review</NavItem>
             <NavItem to="/admin/webhooks" icon={<Webhook size={16} />}>Webhooks</NavItem>
+            <NavItem to="/admin/admins" icon={<UserCog size={16} />}>Admins</NavItem>
             <NavItem to="/admin/settings" icon={<Settings size={16} />}>Settings</NavItem>
           </NavSection>
         )}
@@ -254,7 +291,13 @@ function PrincipalChip({ principal }: { principal: Principal }) {
 
 function describePrincipal(p: Principal): { label: string; sublabel: string; initial: string; hue: { bg: string; fg: string } } {
   if (p.role === 'admin') {
-    return { label: 'Admin', sublabel: 'admin', initial: 'A', hue: { bg: theme.accentSoft, fg: theme.accent } };
+    const name = p.admin?.name ?? 'Admin';
+    return {
+      label: name,
+      sublabel: p.source === 'env' ? 'admin (env)' : 'admin',
+      initial: name[0]?.toUpperCase() ?? 'A',
+      hue: { bg: theme.accentSoft, fg: theme.accent },
+    };
   }
   return {
     label: p.partner?.name ?? 'Partner',
diff --git a/apps/portal/src/api.ts b/apps/portal/src/api.ts
index ed7ff9c..cfc6875 100644
--- a/apps/portal/src/api.ts
+++ b/apps/portal/src/api.ts
@@ -59,4 +59,5 @@ export interface Principal {
   source?: string;
   partnerId?: string;
   partner?: { id: string; name: string; email: string; stripeConnected: boolean };
+  admin?: { id: string; name: string; email: string };
 }
diff --git a/apps/portal/src/pages/Install.tsx b/apps/portal/src/pages/Install.tsx
new file mode 100644
index 0000000..6c12e9f
--- /dev/null
+++ b/apps/portal/src/pages/Install.tsx
@@ -0,0 +1,104 @@
+import { useState } from 'react';
+import { useMutation } from '@tanstack/react-query';
+import { Rocket } from 'lucide-react';
+import { api } from '../api.js';
+import { theme } from '../theme.js';
+import { Button, ErrorBanner, Input, Label } from '../ui.js';
+import { AuthFrame } from './auth/Shared.js';
+
+/**
+ * WordPress-style first-run setup. Only reachable when no admin is
+ * activated yet; once it succeeds, the page 409s so a second would-be
+ * installer can't take over.
+ *
+ * Single form collects:
+ *   - Admin name + email (the first human admin)
+ *   - Program name + support email (brand + partner contact)
+ * On submit, OSS sends an invite magic-link to the admin's email. They
+ * click it, land on /auth/magic, get a session, and the system is
+ * fully installed.
+ */
+export function InstallPage() {
+  const [adminName, setAdminName] = useState('');
+  const [adminEmail, setAdminEmail] = useState('');
+  const [programName, setProgramName] = useState('');
+  const [supportEmail, setSupportEmail] = useState('');
+
+  const mut = useMutation({
+    mutationFn: () =>
+      api('/install', {
+        method: 'POST',
+        body: { adminName, adminEmail, programName, supportEmail: supportEmail || undefined },
+      }),
+  });
+
+  if (mut.isSuccess) {
+    return (
+      <AuthFrame title="Check your email" subtitle={`We sent a sign-in link to ${adminEmail}.`}>
+        <div style={{ fontSize: 13, color: theme.textMuted, lineHeight: 1.6 }}>
+          Click the link to activate your admin account. The link is good for 15 minutes.
+          <br />
+          <br />
+          <span style={{ color: theme.textDim }}>
+            Nothing in your inbox? If you're running locally without email configured, the link
+            printed to the <code>pnpm dev:api</code> terminal. Otherwise, check your mail
+            provider config (<code>SMTP_*</code> or <code>POSTMARK_SERVER_TOKEN</code> +{' '}
+            <code>MAIL_FROM</code>).
+          </span>
+        </div>
+      </AuthFrame>
+    );
+  }
+
+  const canSubmit = adminName && adminEmail && programName && !mut.isPending;
+
+  return (
+    <AuthFrame
+      title="Install OpenPartner"
+      subtitle="First-run setup. Create your admin account and name your partner program."
+    >
+      <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 18, color: theme.accent }}>
+        <Rocket size={18} />
+        <div style={{ fontSize: 13 }}>Welcome — let's get you set up.</div>
+      </div>
+      <ErrorBanner error={mut.error} />
+      <div style={{ marginBottom: 14 }}>
+        <Label>Your name</Label>
+        <Input value={adminName} onChange={(e) => setAdminName(e.target.value)} placeholder="Ada Lovelace" />
+      </div>
+      <div style={{ marginBottom: 20 }}>
+        <Label>Your email</Label>
+        <Input
+          type="email"
+          value={adminEmail}
+          onChange={(e) => setAdminEmail(e.target.value)}
+          placeholder="ada@example.com"
+        />
+      </div>
+      <div style={{ height: 1, background: theme.borderSubtle, margin: '4px 0 18px' }} />
+      <div style={{ marginBottom: 14 }}>
+        <Label>Program name</Label>
+        <Input
+          value={programName}
+          onChange={(e) => setProgramName(e.target.value)}
+          placeholder="e.g. Coherence Partners"
+        />
+      </div>
+      <div style={{ marginBottom: 18 }}>
+        <Label>Support email (optional)</Label>
+        <Input
+          type="email"
+          value={supportEmail}
+          onChange={(e) => setSupportEmail(e.target.value)}
+          placeholder="support@yourdomain.com"
+        />
+        <div style={{ fontSize: 12, color: theme.textDim, marginTop: 6 }}>
+          Shown to partners in their dashboard for contacting the program.
+        </div>
+      </div>
+      <Button onClick={() => mut.mutate()} disabled={!canSubmit}>
+        {mut.isPending ? 'Creating…' : 'Send me my setup link'}
+      </Button>
+    </AuthFrame>
+  );
+}
diff --git a/apps/portal/src/pages/admin/Admins.tsx b/apps/portal/src/pages/admin/Admins.tsx
new file mode 100644
index 0000000..7db6a70
--- /dev/null
+++ b/apps/portal/src/pages/admin/Admins.tsx
@@ -0,0 +1,169 @@
+import { useState } from 'react';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { Plus, UserCog } from 'lucide-react';
+import { api } from '../../api.js';
+import { theme } from '../../theme.js';
+import { Avatar, Button, Card, EmptyState, ErrorBanner, Input, Label, Page, StatusPill, Table, formatDate } from '../../ui.js';
+
+interface Admin {
+  id: string;
+  email: string;
+  name: string;
+  activatedAt: string | null;
+  revokedAt: string | null;
+  lastSignInAt: string | null;
+  createdAt: string;
+}
+
+export function AdminAdmins() {
+  const qc = useQueryClient();
+  const [showInvite, setShowInvite] = useState(false);
+
+  const admins = useQuery({ queryKey: ['admins'], queryFn: () => api<{ admins: Admin[] }>('/admins') });
+
+  return (
+    <Page
+      title="Admins"
+      subtitle="People who can manage this partner program. Invited via email, they set up their own credentials."
+      actions={
+        <Button icon={<Plus size={14} />} onClick={() => setShowInvite(true)}>
+          Invite admin
+        </Button>
+      }
+    >
+      <ErrorBanner error={admins.error} />
+      {showInvite && (
+        <InviteAdmin
+          onClose={() => setShowInvite(false)}
+          onCreated={() => {
+            setShowInvite(false);
+            qc.invalidateQueries({ queryKey: ['admins'] });
+          }}
+        />
+      )}
+      {admins.isLoading ? (
+        <Card>Loading…</Card>
+      ) : (admins.data?.admins ?? []).length === 0 ? (
+        <EmptyState title="No admins yet" hint="Invite your team." icon={<UserCog size={28} strokeWidth={1.25} />} />
+      ) : (
+        <Table
+          columns={['Admin', 'Email', 'Status', 'Last sign-in', 'Created', 'Actions']}
+          rows={(admins.data?.admins ?? []).map((a) => [
+            <div style={{ display: 'flex', alignItems: 'center', gap: 10 }}>
+              <Avatar name={a.name} size={28} />
+              <span style={{ fontWeight: 500 }}>{a.name}</span>
+            </div>,
+            <a href={`mailto:${a.email}`} style={{ color: theme.textMuted, textDecoration: 'none' }}>
+              {a.email}
+            </a>,
+            a.revokedAt ? <StatusPill status="revoked" /> : a.activatedAt ? <StatusPill status="active" /> : <StatusPill status="invited" />,
+            a.lastSignInAt ? (
+              <span style={{ color: theme.textMuted }}>{formatDate(a.lastSignInAt, { relative: true })}</span>
+            ) : (
+              <span style={{ color: theme.textDim }}>—</span>
+            ),
+            <span style={{ color: theme.textMuted }}>{formatDate(a.createdAt, { relative: true })}</span>,
+            <AdminActions admin={a} />,
+          ])}
+        />
+      )}
+    </Page>
+  );
+}
+
+function InviteAdmin({ onClose, onCreated }: { onClose: () => void; onCreated: () => void }) {
+  const [name, setName] = useState('');
+  const [email, setEmail] = useState('');
+  const mut = useMutation({
+    mutationFn: () => api<Admin>('/admins', { method: 'POST', body: { name, email } }),
+    onSuccess: onCreated,
+  });
+
+  return (
+    <Card style={{ marginBottom: 14 }}>
+      <div style={{ fontSize: 15, fontWeight: 500, marginBottom: 6 }}>Invite an admin</div>
+      <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 14 }}>
+        They'll get an email with a one-time link to activate their account.
+      </div>
+      <ErrorBanner error={mut.error} />
+      <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 14, marginBottom: 14 }}>
+        <div>
+          <Label>Name</Label>
+          <Input value={name} onChange={(e) => setName(e.target.value)} placeholder="Taylor Admin" />
+        </div>
+        <div>
+          <Label>Email</Label>
+          <Input type="email" value={email} onChange={(e) => setEmail(e.target.value)} placeholder="taylor@example.com" />
+        </div>
+      </div>
+      <div style={{ display: 'flex', gap: 8 }}>
+        <Button onClick={() => mut.mutate()} disabled={!name || !email || mut.isPending}>
+          {mut.isPending ? 'Sending…' : 'Send invite'}
+        </Button>
+        <Button variant="secondary" onClick={onClose}>Cancel</Button>
+      </div>
+    </Card>
+  );
+}
+
+function AdminActions({ admin }: { admin: Admin }) {
+  const qc = useQueryClient();
+  const [sent, setSent] = useState(false);
+  const revoke = useMutation({
+    mutationFn: () => api(`/admins/${admin.id}/revoke`, { method: 'POST' }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['admins'] }),
+  });
+  const reinstate = useMutation({
+    mutationFn: () => api(`/admins/${admin.id}/reinstate`, { method: 'POST' }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['admins'] }),
+  });
+  const resend = useMutation({
+    mutationFn: () => api(`/admins/${admin.id}/invite`, { method: 'POST' }),
+    onSuccess: () => {
+      setSent(true);
+      setTimeout(() => setSent(false), 2000);
+    },
+  });
+
+  const isRevoked = !!admin.revokedAt;
+  const isPending = !admin.activatedAt && !admin.revokedAt;
+
+  function confirmRevoke() {
+    const ok = window.confirm(`Revoke ${admin.name}? They'll be signed out and lose admin access.`);
+    if (ok) revoke.mutate();
+  }
+
+  return (
+    <div style={{ display: 'flex', gap: 6 }}>
+      {isPending && (
+        <>
+          <button
+            onClick={() => resend.mutate()}
+            disabled={resend.isPending}
+            style={{ background: 'none', border: 'none', padding: 0, fontSize: 13, color: theme.accent, cursor: 'pointer' }}
+          >
+            {sent ? 'Sent' : resend.isPending ? 'Sending…' : 'Resend invite'}
+          </button>
+          <span style={{ color: theme.border }}>·</span>
+        </>
+      )}
+      {isRevoked ? (
+        <button
+          onClick={() => reinstate.mutate()}
+          disabled={reinstate.isPending}
+          style={{ background: 'none', border: 'none', padding: 0, fontSize: 13, color: theme.accent, cursor: 'pointer' }}
+        >
+          {reinstate.isPending ? '…' : 'Reinstate'}
+        </button>
+      ) : (
+        <button
+          onClick={confirmRevoke}
+          disabled={revoke.isPending}
+          style={{ background: 'none', border: 'none', padding: 0, fontSize: 13, color: theme.danger, cursor: 'pointer' }}
+        >
+          {revoke.isPending ? '…' : 'Revoke'}
+        </button>
+      )}
+    </div>
+  );
+}
diff --git a/packages/db/migrations/20260506000000_admin_accounts.ts b/packages/db/migrations/20260506000000_admin_accounts.ts
new file mode 100644
index 0000000..76c4acb
--- /dev/null
+++ b/packages/db/migrations/20260506000000_admin_accounts.ts
@@ -0,0 +1,113 @@
+import type { Knex } from 'knex';
+
+/**
+ * Admin accounts as first-class personas.
+ *
+ *   Admin                     one row per human admin. Same auth model
+ *                             as partners (magic-link → session).
+ *   Session, MagicLinkToken   partnerId → (principalKind, principalId).
+ *                             Generalizes both tables to hold admin or
+ *                             partner tokens with no per-principal
+ *                             duplication.
+ *
+ * The ADMIN_API_KEY env stays as the bootstrap / headless / CI path —
+ * it's a shared bearer that behaves like the env-sourced admin principal
+ * we had before. Human admins authenticate via their account instead.
+ *
+ * Backfill strategy: existing Session + MagicLinkToken rows all belong
+ * to partners, so we stamp them with principalKind='partner' and copy
+ * partnerId → principalId before dropping the old column.
+ */
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.createTable('Admin', (t) => {
+    t.string('id').primary();
+    t.string('email').notNullable().unique();
+    t.string('name').notNullable();
+    t.timestamp('activatedAt', { useTz: true });
+    t.timestamp('revokedAt', { useTz: true });
+    t.text('revokeReason');
+    t.timestamp('lastSignInAt', { useTz: true });
+    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
+    t.timestamp('updatedAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
+    t.index(['email']);
+  });
+
+  // ---- Session: add generic principal columns, backfill, drop partnerId ----
+  await knex.schema.alterTable('Session', (t) => {
+    t.string('principalKind'); // 'partner' | 'admin'
+    t.string('principalId');
+  });
+  await knex.raw(`
+    update "Session"
+    set "principalKind" = 'partner',
+        "principalId"   = "partnerId"
+    where "principalId" is null
+  `);
+  // Drop the FK + column. We enforce integrity at the app layer now
+  // because (kind, id) can point at two different tables.
+  await knex.schema.alterTable('Session', (t) => {
+    t.dropForeign(['partnerId']);
+    t.dropColumn('partnerId');
+    t.string('principalKind').notNullable().alter();
+    t.string('principalId').notNullable().alter();
+    t.index(['principalKind', 'principalId']);
+  });
+
+  // ---- MagicLinkToken: same treatment ----
+  await knex.schema.alterTable('MagicLinkToken', (t) => {
+    t.string('principalKind');
+    t.string('principalId');
+  });
+  await knex.raw(`
+    update "MagicLinkToken"
+    set "principalKind" = 'partner',
+        "principalId"   = "partnerId"
+    where "principalId" is null
+  `);
+  await knex.schema.alterTable('MagicLinkToken', (t) => {
+    t.dropForeign(['partnerId']);
+    t.dropColumn('partnerId');
+    t.string('principalKind').notNullable().alter();
+    t.string('principalId').notNullable().alter();
+  });
+
+  // Existing magic-link purposes carry over; new ones are added in code:
+  //   'partner_invite', 'partner_signin'        ← existing
+  //   'admin_invite', 'admin_signin'            ← new
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // Reversing the generalization means re-adding partnerId + re-populating
+  // only the rows whose principalKind='partner'. Admin-kind rows are lost.
+  await knex.schema.alterTable('MagicLinkToken', (t) => {
+    t.string('partnerId');
+  });
+  await knex.raw(`
+    update "MagicLinkToken"
+    set "partnerId" = "principalId"
+    where "principalKind" = 'partner'
+  `);
+  await knex.schema.alterTable('MagicLinkToken', (t) => {
+    t.dropIndex(['principalKind', 'principalId']);
+    t.dropColumn('principalKind');
+    t.dropColumn('principalId');
+    t.foreign('partnerId').references('id').inTable('Partner').onDelete('CASCADE');
+  });
+
+  await knex.schema.alterTable('Session', (t) => {
+    t.string('partnerId');
+  });
+  await knex.raw(`
+    update "Session"
+    set "partnerId" = "principalId"
+    where "principalKind" = 'partner'
+  `);
+  await knex.schema.alterTable('Session', (t) => {
+    t.dropIndex(['principalKind', 'principalId']);
+    t.dropColumn('principalKind');
+    t.dropColumn('principalId');
+    t.foreign('partnerId').references('id').inTable('Partner').onDelete('CASCADE');
+  });
+
+  await knex.schema.dropTableIfExists('Admin');
+}
diff --git a/packages/db/src/index.ts b/packages/db/src/index.ts
index 6a5ada4..2883c7c 100644
--- a/packages/db/src/index.ts
+++ b/packages/db/src/index.ts
@@ -36,6 +36,7 @@ export const TABLES = {
   Payout: 'Payout',
   ApiKey: 'ApiKey',
   Config: 'Config',
+  Admin: 'Admin',
   MagicLinkToken: 'MagicLinkToken',
   Session: 'Session',
   WebhookEndpoint: 'WebhookEndpoint',
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index c9fa69a..92f347d 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -36,7 +36,13 @@ export interface PartnerRow {
   revokeReason: string | null;
 }
 
-export type MagicLinkPurpose = 'partner_invite' | 'partner_signin';
+export type MagicLinkPurpose =
+  | 'partner_invite'
+  | 'partner_signin'
+  | 'admin_invite'
+  | 'admin_signin';
+
+export type PrincipalKind = 'partner' | 'admin';
 
 export interface MagicLinkTokenRow {
   id: string;
@@ -44,7 +50,8 @@ export interface MagicLinkTokenRow {
   tokenHash: string;
   email: string;
   purpose: MagicLinkPurpose;
-  partnerId: string;
+  principalKind: PrincipalKind;
+  principalId: string;
   expiresAt: Date;
   consumedAt: Date | null;
   createdAt: Date;
@@ -54,13 +61,26 @@ export interface SessionRow {
   id: string;
   prefix: string;
   tokenHash: string;
-  partnerId: string;
+  principalKind: PrincipalKind;
+  principalId: string;
   expiresAt: Date;
   createdAt: Date;
   lastSeenAt: Date | null;
   revokedAt: Date | null;
 }
 
+export interface AdminRow {
+  id: string;
+  email: string;
+  name: string;
+  activatedAt: Date | null;
+  revokedAt: Date | null;
+  revokeReason: string | null;
+  lastSignInAt: Date | null;
+  createdAt: Date;
+  updatedAt: Date;
+}
+
 export interface CampaignRow {
   id: string;
   name: string;
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index dafaee3..97be753 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -62,6 +62,9 @@ importers:
       knex:
         specifier: ^3.1.0
         version: 3.2.9(pg@8.20.0)
+      nodemailer:
+        specifier: ^8.0.6
+        version: 8.0.6
       pg:
         specifier: ^8.11.5
         version: 8.20.0
@@ -87,6 +90,9 @@ importers:
       '@types/express':
         specifier: ^4.17.21
         version: 4.17.25
+      '@types/nodemailer':
+        specifier: ^8.0.0
+        version: 8.0.0
       '@types/pg':
         specifier: ^8.11.10
         version: 8.20.0
@@ -950,6 +956,9 @@ packages:
   '@types/node@20.19.39':
     resolution: {integrity: sha512-orrrD74MBUyK8jOAD/r0+lfa1I2MO6I+vAkmAWzMYbCcgrN4lCrmK52gRFQq/JRxfYPfonkr4b0jcY7Olqdqbw==}
 
+  '@types/nodemailer@8.0.0':
+    resolution: {integrity: sha512-fyf8jWULsCo0d0BuoQ75i6IeoHs47qcqxWc7yUdUcV0pOZGjUTTOvwdG1PRXUDqN/8A64yQdQdnA2pZgcdi+cA==}
+
   '@types/pg@8.20.0':
     resolution: {integrity: sha512-bEPFOaMAHTEP1EzpvHTbmwR8UsFyHSKsRisLIHVMXnpNefSbGA1bD6CVy+qKjGSqmZqNqBDV2azOBo8TgkcVow==}
 
@@ -1906,6 +1915,10 @@ packages:
   node-releases@2.0.38:
     resolution: {integrity: sha512-3qT/88Y3FbH/Kx4szpQQ4HzUbVrHPKTLVpVocKiLfoYvw9XSGOX2FmD2d6DrXbVYyAQTF2HeF6My8jmzx7/CRw==}
 
+  nodemailer@8.0.6:
+    resolution: {integrity: sha512-Nm2XeuDwwy2wi5A+8jPWwQwNzcjNjhWdE3pVLoXEusxJqCnAPAgnBGkSmiLknbnWuOF9qraRpYZjfxqtKZ4tPw==}
+    engines: {node: '>=6.0.0'}
+
   npm-run-path@5.3.0:
     resolution: {integrity: sha512-ppwTtiJZq0O/ai0z7yfudtBpWIoxM8yE6nHi1X47eFR2EWORqfbu6CnPlNsjeN683eT0qG6H/Pyf9fCcvjnnnQ==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
@@ -3202,6 +3215,10 @@ snapshots:
     dependencies:
       undici-types: 6.21.0
 
+  '@types/nodemailer@8.0.0':
+    dependencies:
+      '@types/node': 20.19.39
+
   '@types/pg@8.20.0':
     dependencies:
       '@types/node': 20.19.39
@@ -4231,6 +4248,8 @@ snapshots:
 
   node-releases@2.0.38: {}
 
+  nodemailer@8.0.6: {}
+
   npm-run-path@5.3.0:
     dependencies:
       path-key: 4.0.0

From fa0d0c750c6771cf227fd7827f8104c1617f9478 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 17:12:48 -0700
Subject: [PATCH 012/131] feat(mail): UI-managed SMTP/Postmark config,
 encrypted at rest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Mail transport + credentials now live in the Config table and the
admin edits them from Settings → Email delivery. Rotating SMTP
passwords or Postmark tokens no longer requires a redeploy.

Encryption at rest:
  - New SECRETS_ENCRYPTION_KEY env (32 bytes hex/base64), required in
    production. Dev uses a fixed fallback with a warning.
  - AES-256-GCM envelope (12-byte IV + 16-byte tag + ciphertext, base64).
  - Only secret fields are encrypted (SMTP password, Postmark token).
    Host/port/user/from stay plaintext — identifiers, not secrets.
  - Public readers (the Settings UI) get a sanitized view: `hasPassword`
    / `hasToken` booleans instead of plaintext.

Resolution order at dispatch time:
  1. UI-configured settings (Config table) win
  2. Env vars (SMTP_HOST / POSTMARK_SERVER_TOKEN + MAIL_FROM) as fallback
  3. Console (dev only)

Install wizard grows an Email delivery step: provider (SMTP / Postmark
/ None), from address, and all the fields for the chosen provider.
Settings page mirrors it with "saved ✓" indicators on fields whose
secret is already stored (leave blank to keep, enter to rotate).

The mailer now creates a transporter per-send so rotating credentials
from the UI takes effect on the next email without a restart. Tests
keep injecting a capturing mailer via __setMailerForTests.

.do/app.yaml, docker-compose.prod.yml, ci.yml get SECRETS_ENCRYPTION_KEY
wired in. .env.example rewrites the mail section to explain the UI-first
flow with env as fallback.

56 api / 3 router / 11 sdk tests all green.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .do/app.yaml                             |   3 +
 .env.example                             |  26 ++-
 .github/workflows/ci.yml                 |   1 +
 apps/api/src/crypto.ts                   |  62 ++++++
 apps/api/src/mail-settings.ts            | 233 ++++++++++++++++++++
 apps/api/src/mailer.ts                   | 166 ++++++--------
 apps/api/src/routes/install.ts           |  34 +++
 apps/api/src/routes/settings.ts          |  42 ++++
 apps/portal/src/pages/Install.tsx        | 200 +++++++++++++----
 apps/portal/src/pages/admin/Settings.tsx | 269 +++++++++++++++++++----
 apps/portal/src/pages/auth/Shared.tsx    |  14 +-
 docker-compose.prod.yml                  |   1 +
 12 files changed, 858 insertions(+), 193 deletions(-)
 create mode 100644 apps/api/src/crypto.ts
 create mode 100644 apps/api/src/mail-settings.ts

diff --git a/.do/app.yaml b/.do/app.yaml
index 4581784..6d38dc5 100644
--- a/.do/app.yaml
+++ b/.do/app.yaml
@@ -62,6 +62,9 @@ services:
       - key: ADMIN_API_KEY
         type: SECRET
         scope: RUN_TIME
+      - key: SECRETS_ENCRYPTION_KEY
+        type: SECRET
+        scope: RUN_TIME
       - key: POSTMARK_SERVER_TOKEN
         type: SECRET
         scope: RUN_TIME
diff --git a/.env.example b/.env.example
index 4918cf9..efa65c9 100644
--- a/.env.example
+++ b/.env.example
@@ -42,20 +42,30 @@ PORTAL_URL=http://localhost:5673
 # Optional: extra CORS origins beyond PORTAL_URL, comma-separated.
 CORS_EXTRA_ORIGINS=
 
+# -- Secret encryption at rest --
+# 32-byte master key (hex or base64) used to encrypt SMTP passwords /
+# Postmark tokens / future Config secrets. REQUIRED in production; dev
+# uses a fixed fallback with a warning so restarts keep decrypting.
+# Generate: node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
+SECRETS_ENCRYPTION_KEY=
+
 # Mail for admin + partner invite / signin links.
-# Transport is auto-selected:
-#   SMTP_HOST + MAIL_FROM    → nodemailer SMTP (works with Gmail,
-#                              Workspace, SES, Mailgun, SendGrid,
-#                              Resend, Postmark SMTP, local Postfix)
+#
+# Preferred: configure from the admin Settings → Email delivery page
+# (stored encrypted at rest in Config). The env vars below are
+# fallbacks used only when UI config is empty — useful for hosted /
+# managed tiers where the operator wants to force the transport.
+#
+#   SMTP_HOST + MAIL_FROM    → nodemailer SMTP (Gmail, SES, Mailgun,
+#                              SendGrid, Postmark SMTP, Postfix, …)
 #   POSTMARK_SERVER_TOKEN + MAIL_FROM → Postmark HTTP API
-#   neither                  → stdout (dev only; magic link prints
-#                              to the `pnpm dev:api` console)
+#   neither                  → stdout (dev only)
 #
-# MAIL_FROM is the sender header on every email, e.g.
+# MAIL_FROM must be quoted if it contains a display name, e.g.
 #   MAIL_FROM="Acme Partners <partners@acme.com>"
 MAIL_FROM=
 
-# -- SMTP (recommended for most self-hosts) --
+# -- SMTP fallback --
 SMTP_HOST=
 SMTP_PORT=587
 SMTP_SECURE=
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 035841e..1594b2b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -34,6 +34,7 @@ jobs:
       DATABASE_URL: postgres://openpartner:openpartner@localhost:5432/openpartner
       # Quoted so YAML doesn't parse these as integers or booleans.
       ADMIN_API_KEY: "op_ci_0000000000000000000000000000000000000000000000000000000000"
+      SECRETS_ENCRYPTION_KEY: "0000000000000000000000000000000000000000000000000000000000000000"
 
     steps:
       - uses: actions/checkout@v4
diff --git a/apps/api/src/crypto.ts b/apps/api/src/crypto.ts
new file mode 100644
index 0000000..029e87d
--- /dev/null
+++ b/apps/api/src/crypto.ts
@@ -0,0 +1,62 @@
+/**
+ * AES-256-GCM envelope encryption for secrets stored in Config.
+ *
+ * One master key — SECRETS_ENCRYPTION_KEY env, 32 raw bytes as hex
+ * (64 chars) or base64 (44 chars). Required in production; dev falls
+ * back to a fixed dev-only key and logs a warning, which means
+ * encrypted values don't survive a rotation but local development
+ * doesn't need to care.
+ *
+ * Envelope: 12-byte IV || 16-byte auth tag || ciphertext, base64 encoded.
+ * The tag catches tampering so bad-faith DB writes can't silently return
+ * different plaintext than what was stored.
+ */
+
+import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';
+
+const ALG = 'aes-256-gcm';
+const IV_LEN = 12;
+
+let cachedKey: Buffer | null = null;
+
+function masterKey(): Buffer {
+  if (cachedKey) return cachedKey;
+  const raw = process.env.SECRETS_ENCRYPTION_KEY;
+  if (!raw) {
+    if (process.env.NODE_ENV === 'production') {
+      throw new Error('SECRETS_ENCRYPTION_KEY is required in production');
+    }
+    // Dev fallback — deterministic so local restarts keep decrypting
+    // previously-encrypted rows, but obviously not safe for prod.
+    console.warn('[crypto] SECRETS_ENCRYPTION_KEY not set — using dev-only fallback. DO NOT USE IN PROD.');
+    cachedKey = Buffer.alloc(32, 0x42);
+    return cachedKey;
+  }
+  const buf = raw.length === 64 ? Buffer.from(raw, 'hex') : Buffer.from(raw, 'base64');
+  if (buf.length !== 32) throw new Error('SECRETS_ENCRYPTION_KEY must decode to exactly 32 bytes');
+  cachedKey = buf;
+  return buf;
+}
+
+export function encryptSecret(plaintext: string): string {
+  const iv = randomBytes(IV_LEN);
+  const cipher = createCipheriv(ALG, masterKey(), iv);
+  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+  const tag = cipher.getAuthTag();
+  return Buffer.concat([iv, tag, ct]).toString('base64');
+}
+
+export function decryptSecret(envelope: string): string {
+  const buf = Buffer.from(envelope, 'base64');
+  const iv = buf.subarray(0, IV_LEN);
+  const tag = buf.subarray(IV_LEN, IV_LEN + 16);
+  const ct = buf.subarray(IV_LEN + 16);
+  const decipher = createDecipheriv(ALG, masterKey(), iv);
+  decipher.setAuthTag(tag);
+  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
+}
+
+/** For tests. Resets the cached master key so a test can set env + re-encrypt. */
+export function __resetCryptoKeyForTests(): void {
+  cachedKey = null;
+}
diff --git a/apps/api/src/mail-settings.ts b/apps/api/src/mail-settings.ts
new file mode 100644
index 0000000..644a83c
--- /dev/null
+++ b/apps/api/src/mail-settings.ts
@@ -0,0 +1,233 @@
+/**
+ * Mail transport configuration, stored in Config under 'mail_settings'.
+ *
+ * SMTP password and Postmark server token are AES-GCM encrypted at rest
+ * using SECRETS_ENCRYPTION_KEY. Everything else (host, port, from,
+ * username) is stored plaintext — they're identifiers, not secrets.
+ *
+ * Resolution order at dispatch time:
+ *   1. UI-configured settings (if any, and not partially blank)
+ *   2. Env vars (SMTP_HOST / POSTMARK_SERVER_TOKEN + MAIL_FROM)
+ *   3. Console fallback
+ *
+ * The UI always wins over env, so an admin editing from the portal can
+ * rotate creds without a redeploy. Hosted deployments that want to
+ * force env can simply leave the UI empty.
+ */
+
+import { TABLES, type ConfigRow } from '@openpartner/db';
+import { db } from './db.js';
+import { decryptSecret, encryptSecret } from './crypto.js';
+
+export type MailTransportKind = 'smtp' | 'postmark' | 'none';
+
+export interface SmtpConfig {
+  host: string;
+  port: number;
+  secure: boolean;
+  user: string | null;
+  /** Decrypted plaintext. Never serialize this to JSON clients. */
+  password: string | null;
+}
+
+export interface PostmarkConfig {
+  serverToken: string;
+  messageStream: string;
+}
+
+export interface ResolvedMailConfig {
+  kind: MailTransportKind;
+  from: string | null;
+  smtp?: SmtpConfig;
+  postmark?: PostmarkConfig;
+  source: 'ui' | 'env' | 'none';
+}
+
+// ---------- on-disk shapes ----------
+
+interface StoredMailSettings {
+  kind: MailTransportKind | null;
+  from: string | null;
+  smtp?: {
+    host: string;
+    port: number;
+    secure: boolean;
+    user: string | null;
+    passwordCiphertext: string | null;
+  } | null;
+  postmark?: {
+    serverTokenCiphertext: string;
+    messageStream: string;
+  } | null;
+}
+
+const CONFIG_KEY = 'mail_settings';
+
+// ---------- read ----------
+
+async function readStored(): Promise<StoredMailSettings | null> {
+  const row = await db<ConfigRow>(TABLES.Config).where({ key: CONFIG_KEY }).first();
+  return (row?.value as StoredMailSettings | undefined) ?? null;
+}
+
+/** Sanitized payload for the admin UI — no ciphertexts, no plaintext secrets. */
+export interface PublicMailSettings {
+  kind: MailTransportKind | null;
+  from: string | null;
+  smtp: { host: string; port: number; secure: boolean; user: string | null; hasPassword: boolean } | null;
+  postmark: { hasToken: boolean; messageStream: string } | null;
+}
+
+export async function getPublicMailSettings(): Promise<PublicMailSettings> {
+  const stored = await readStored();
+  if (!stored) return { kind: null, from: null, smtp: null, postmark: null };
+  return {
+    kind: stored.kind,
+    from: stored.from,
+    smtp: stored.smtp
+      ? {
+          host: stored.smtp.host,
+          port: stored.smtp.port,
+          secure: stored.smtp.secure,
+          user: stored.smtp.user,
+          hasPassword: !!stored.smtp.passwordCiphertext,
+        }
+      : null,
+    postmark: stored.postmark
+      ? { hasToken: !!stored.postmark.serverTokenCiphertext, messageStream: stored.postmark.messageStream }
+      : null,
+  };
+}
+
+/** Decrypted + usable by the mailer. Never hand to an HTTP client. */
+export async function resolveMailConfig(): Promise<ResolvedMailConfig> {
+  const stored = await readStored();
+  if (stored?.kind === 'smtp' && stored.from && stored.smtp) {
+    return {
+      kind: 'smtp',
+      from: stored.from,
+      smtp: {
+        host: stored.smtp.host,
+        port: stored.smtp.port,
+        secure: stored.smtp.secure,
+        user: stored.smtp.user,
+        password: stored.smtp.passwordCiphertext ? decryptSecret(stored.smtp.passwordCiphertext) : null,
+      },
+      source: 'ui',
+    };
+  }
+  if (stored?.kind === 'postmark' && stored.from && stored.postmark) {
+    return {
+      kind: 'postmark',
+      from: stored.from,
+      postmark: {
+        serverToken: decryptSecret(stored.postmark.serverTokenCiphertext),
+        messageStream: stored.postmark.messageStream,
+      },
+      source: 'ui',
+    };
+  }
+
+  // Fallback to env.
+  const from = process.env.MAIL_FROM ?? null;
+  const smtpHost = process.env.SMTP_HOST;
+  const postmarkToken = process.env.POSTMARK_SERVER_TOKEN;
+  if (smtpHost && from) {
+    return {
+      kind: 'smtp',
+      from,
+      smtp: {
+        host: smtpHost,
+        port: Number(process.env.SMTP_PORT ?? 587),
+        secure: process.env.SMTP_SECURE === '1' || process.env.SMTP_PORT === '465',
+        user: process.env.SMTP_USER ?? null,
+        password: process.env.SMTP_PASSWORD ?? null,
+      },
+      source: 'env',
+    };
+  }
+  if (postmarkToken && from) {
+    return {
+      kind: 'postmark',
+      from,
+      postmark: {
+        serverToken: postmarkToken,
+        messageStream: process.env.POSTMARK_MESSAGE_STREAM ?? 'outbound',
+      },
+      source: 'env',
+    };
+  }
+  return { kind: 'none', from: null, source: 'none' };
+}
+
+// ---------- write ----------
+
+/**
+ * Write an input shape from the UI. Fields left blank / null mean
+ * "keep the existing stored value" for secrets, "clear" for everything
+ * else. This lets an admin rotate only the password without re-entering
+ * it.
+ */
+export interface MailSettingsInput {
+  kind: MailTransportKind | null;
+  from?: string | null;
+  smtp?: {
+    host?: string | null;
+    port?: number | null;
+    secure?: boolean | null;
+    user?: string | null;
+    /** New plaintext password. Leave undefined to keep existing. */
+    password?: string | null;
+  } | null;
+  postmark?: {
+    /** New plaintext token. Leave undefined to keep existing. */
+    serverToken?: string | null;
+    messageStream?: string | null;
+  } | null;
+}
+
+export async function saveMailSettings(input: MailSettingsInput): Promise<void> {
+  const current = (await readStored()) ?? ({ kind: null, from: null } as StoredMailSettings);
+
+  const next: StoredMailSettings = {
+    kind: input.kind ?? current.kind,
+    from: input.from !== undefined ? (input.from || null) : current.from,
+  };
+
+  if (next.kind === 'smtp') {
+    const prevSmtp = current.smtp ?? null;
+    const s = input.smtp ?? null;
+    const rotated = s?.password !== undefined && s.password !== '';
+    next.smtp = {
+      host: s?.host ?? prevSmtp?.host ?? '',
+      port: s?.port ?? prevSmtp?.port ?? 587,
+      secure: s?.secure ?? prevSmtp?.secure ?? false,
+      user: s?.user ?? prevSmtp?.user ?? null,
+      passwordCiphertext: rotated
+        ? (s!.password === null ? null : encryptSecret(s!.password as string))
+        : prevSmtp?.passwordCiphertext ?? null,
+    };
+    next.postmark = null;
+  } else if (next.kind === 'postmark') {
+    const prevPm = current.postmark ?? null;
+    const p = input.postmark ?? null;
+    const rotated = p?.serverToken !== undefined && p.serverToken !== '';
+    const token = rotated ? encryptSecret(p!.serverToken as string) : prevPm?.serverTokenCiphertext;
+    if (!token) throw new Error('postmark serverToken required');
+    next.postmark = {
+      serverTokenCiphertext: token,
+      messageStream: p?.messageStream ?? prevPm?.messageStream ?? 'outbound',
+    };
+    next.smtp = null;
+  } else {
+    // kind = 'none' or null — clear creds, keep from if user wants to pre-set it.
+    next.smtp = null;
+    next.postmark = null;
+  }
+
+  const now = new Date();
+  await db<ConfigRow>(TABLES.Config)
+    .insert({ key: CONFIG_KEY, value: next as unknown as never, updatedAt: now })
+    .onConflict('key')
+    .merge({ value: next as unknown as never, updatedAt: now });
+}
diff --git a/apps/api/src/mailer.ts b/apps/api/src/mailer.ts
index 49d9e95..f8ce24f 100644
--- a/apps/api/src/mailer.ts
+++ b/apps/api/src/mailer.ts
@@ -1,20 +1,25 @@
 /**
- * Transactional mailer. Transport is auto-selected from env:
+ * Transactional mailer. Transport comes from resolveMailConfig():
  *
- *   SMTP_HOST + MAIL_FROM set               → nodemailer SMTP
- *   POSTMARK_SERVER_TOKEN + MAIL_FROM set   → Postmark HTTP API
- *   otherwise                               → console (stdout only)
+ *   UI-configured settings (Config table) take precedence — stored
+ *   encrypted at rest; SMTP password / Postmark token decrypted at
+ *   dispatch time.
  *
- * SMTP is the recommended path for self-hosted OSS — it works with any
- * provider (Gmail, Workspace, SES, Mailgun, SendGrid, Resend, Postmark,
- * a corporate relay, local Postfix). Postmark stays as a first-class
- * dedicated adapter because its API is slightly more robust for
- * transactional delivery. Console is for local dev only.
+ *   Env fallback if UI is empty (SMTP_HOST / POSTMARK_SERVER_TOKEN +
+ *   MAIL_FROM).
+ *
+ *   Console fallback if neither — dev only; the magic link prints
+ *   to the `pnpm dev:api` terminal.
+ *
+ * Mailers are created per-send so a settings change takes effect on
+ * the next email without a restart. A cached mailer would be a stale-
+ * creds footgun after rotation.
  *
  * Tests override via __setMailerForTests with an in-memory capturer.
  */
 
-import nodemailer, { type Transporter } from 'nodemailer';
+import nodemailer from 'nodemailer';
+import { resolveMailConfig } from './mail-settings.js';
 
 export interface Message {
   to: string;
@@ -29,102 +34,71 @@ export interface Mailer {
   send(msg: Message): Promise<void>;
 }
 
-class ConsoleMailer implements Mailer {
-  async send(msg: Message): Promise<void> {
-    // Dev fallback when no transport creds are present. Prints enough
-    // to recover the magic link from the terminal without needing a
-    // real mailbox.
-    console.log(`[mail] to=${msg.to} subject=${JSON.stringify(msg.subject)}`);
-    console.log(msg.text);
-  }
-}
-
-class SMTPMailer implements Mailer {
-  constructor(
-    private readonly transporter: Transporter,
-    private readonly from: string,
-  ) {}
-
+class RoutingMailer implements Mailer {
   async send(msg: Message): Promise<void> {
-    await this.transporter.sendMail({
-      from: this.from,
-      to: msg.to,
-      subject: msg.subject,
-      text: msg.text,
-      html: msg.html,
-      headers: msg.tag ? { 'X-Tag': msg.tag } : undefined,
-    });
-  }
-}
-
-class PostmarkMailer implements Mailer {
-  constructor(
-    private readonly serverToken: string,
-    private readonly from: string,
-    private readonly messageStream: string,
-  ) {}
-
-  async send(msg: Message): Promise<void> {
-    const res = await fetch('https://api.postmarkapp.com/email', {
-      method: 'POST',
-      headers: {
-        'content-type': 'application/json',
-        accept: 'application/json',
-        'X-Postmark-Server-Token': this.serverToken,
-      },
-      body: JSON.stringify({
-        From: this.from,
-        To: msg.to,
-        Subject: msg.subject,
-        TextBody: msg.text,
-        HtmlBody: msg.html,
-        Tag: msg.tag,
-        MessageStream: this.messageStream,
-        Metadata: msg.metadata,
-      }),
-    });
-    if (!res.ok) {
-      throw new Error(`postmark ${res.status}: ${await res.text().catch(() => '<no body>')}`);
+    const cfg = await resolveMailConfig();
+    if (cfg.kind === 'smtp' && cfg.smtp && cfg.from) {
+      const transporter = nodemailer.createTransport({
+        host: cfg.smtp.host,
+        port: cfg.smtp.port,
+        secure: cfg.smtp.secure,
+        auth:
+          cfg.smtp.user && cfg.smtp.password
+            ? { user: cfg.smtp.user, pass: cfg.smtp.password }
+            : undefined,
+      });
+      await transporter.sendMail({
+        from: cfg.from,
+        to: msg.to,
+        subject: msg.subject,
+        text: msg.text,
+        html: msg.html,
+        headers: msg.tag ? { 'X-Tag': msg.tag } : undefined,
+      });
+      return;
     }
-    const json = (await res.json().catch(() => ({}))) as { ErrorCode?: number; Message?: string };
-    if (json.ErrorCode && json.ErrorCode !== 0) {
-      throw new Error(`postmark error ${json.ErrorCode}: ${json.Message ?? 'unknown'}`);
+    if (cfg.kind === 'postmark' && cfg.postmark && cfg.from) {
+      const res = await fetch('https://api.postmarkapp.com/email', {
+        method: 'POST',
+        headers: {
+          'content-type': 'application/json',
+          accept: 'application/json',
+          'X-Postmark-Server-Token': cfg.postmark.serverToken,
+        },
+        body: JSON.stringify({
+          From: cfg.from,
+          To: msg.to,
+          Subject: msg.subject,
+          TextBody: msg.text,
+          HtmlBody: msg.html,
+          Tag: msg.tag,
+          MessageStream: cfg.postmark.messageStream,
+          Metadata: msg.metadata,
+        }),
+      });
+      if (!res.ok) {
+        throw new Error(`postmark ${res.status}: ${await res.text().catch(() => '<no body>')}`);
+      }
+      const json = (await res.json().catch(() => ({}))) as { ErrorCode?: number; Message?: string };
+      if (json.ErrorCode && json.ErrorCode !== 0) {
+        throw new Error(`postmark error ${json.ErrorCode}: ${json.Message ?? 'unknown'}`);
+      }
+      return;
     }
+    // Console fallback. Dev only.
+    console.log(`[mail] to=${msg.to} subject=${JSON.stringify(msg.subject)}`);
+    console.log(msg.text);
   }
 }
 
-let cached: Mailer | null = null;
+let override: Mailer | null = null;
+const routing = new RoutingMailer();
 
 export function getMailer(): Mailer {
-  if (cached) return cached;
-  const from = process.env.MAIL_FROM;
-  const smtpHost = process.env.SMTP_HOST;
-  const postmarkToken = process.env.POSTMARK_SERVER_TOKEN;
-
-  if (smtpHost && from) {
-    const transporter = nodemailer.createTransport({
-      host: smtpHost,
-      port: Number(process.env.SMTP_PORT ?? 587),
-      // Defaults to STARTTLS on 587; set SMTP_SECURE=1 for implicit TLS
-      // on 465. Leave off for providers that auto-detect.
-      secure: process.env.SMTP_SECURE === '1' || process.env.SMTP_PORT === '465',
-      auth:
-        process.env.SMTP_USER && process.env.SMTP_PASSWORD
-          ? { user: process.env.SMTP_USER, pass: process.env.SMTP_PASSWORD }
-          : undefined,
-    });
-    cached = new SMTPMailer(transporter, from);
-    return cached;
-  }
-  if (postmarkToken && from) {
-    cached = new PostmarkMailer(postmarkToken, from, process.env.POSTMARK_MESSAGE_STREAM ?? 'outbound');
-    return cached;
-  }
-  cached = new ConsoleMailer();
-  return cached;
+  return override ?? routing;
 }
 
 /** For tests: inject a capturing / mock mailer. Pass null to reset. */
 export function __setMailerForTests(mailer: Mailer | null): void {
-  cached = mailer;
+  override = mailer;
 }
diff --git a/apps/api/src/routes/install.ts b/apps/api/src/routes/install.ts
index 0f6c117..6dd10be 100644
--- a/apps/api/src/routes/install.ts
+++ b/apps/api/src/routes/install.ts
@@ -18,6 +18,7 @@ import { ipRateLimit } from '../middleware/rate-limit.js';
 import { issueMagicLink } from '../auth-sessions.js';
 import { getMailer } from '../mailer.js';
 import { adminInviteEmail, buildMagicLinkUrl } from '../email-templates.js';
+import { saveMailSettings } from '../mail-settings.js';
 
 export const installRouter = Router();
 
@@ -28,6 +29,27 @@ const installSchema = z.object({
   adminEmail: z.string().trim().email().max(254),
   programName: z.string().trim().min(1).max(120),
   supportEmail: z.string().trim().email().max(254).optional().or(z.literal('')),
+  mail: z
+    .object({
+      kind: z.enum(['smtp', 'postmark', 'none']),
+      from: z.string().trim().max(254).optional(),
+      smtp: z
+        .object({
+          host: z.string().trim().min(1).max(253),
+          port: z.number().int().min(1).max(65535).default(587),
+          secure: z.boolean().default(false),
+          user: z.string().trim().max(320).optional(),
+          password: z.string().max(500).optional(),
+        })
+        .optional(),
+      postmark: z
+        .object({
+          serverToken: z.string().min(1).max(500),
+          messageStream: z.string().trim().max(120).default('outbound'),
+        })
+        .optional(),
+    })
+    .optional(),
 });
 
 /**
@@ -81,6 +103,18 @@ installRouter.post('/install', installLimit, async (req, res) => {
     });
   });
 
+  // Mail config is saved outside the tx because saveMailSettings opens
+  // its own upsert. A failure here doesn't roll back admin creation —
+  // admin can fix from Settings → Mail after installing.
+  if (body.data.mail) {
+    await saveMailSettings({
+      kind: body.data.mail.kind,
+      from: body.data.mail.from,
+      smtp: body.data.mail.smtp,
+      postmark: body.data.mail.postmark,
+    });
+  }
+
   // Send invite outside the transaction so mail failures don't roll back.
   const admin = await db<AdminRow>(TABLES.Admin).where({ email: adminEmail }).first();
   if (admin) {
diff --git a/apps/api/src/routes/settings.ts b/apps/api/src/routes/settings.ts
index c55cdb8..315cac1 100644
--- a/apps/api/src/routes/settings.ts
+++ b/apps/api/src/routes/settings.ts
@@ -14,6 +14,7 @@ import { z } from 'zod';
 import { TABLES, type ConfigRow } from '@openpartner/db';
 import { db } from '../db.js';
 import { requireAdmin, requireAuth } from '../auth.js';
+import { getPublicMailSettings, saveMailSettings, type MailTransportKind } from '../mail-settings.js';
 
 export const settingsRouter = Router();
 
@@ -60,3 +61,44 @@ settingsRouter.post('/config/program', requireAuth, requireAdmin, async (req, re
     .merge({ value: next as unknown as never, updatedAt: now });
   res.json(next);
 });
+
+// ---------- Mail settings ----------
+
+const mailSettingsSchema = z.object({
+  kind: z.enum(['smtp', 'postmark', 'none']),
+  from: z.string().trim().max(254).optional().or(z.literal('')),
+  smtp: z
+    .object({
+      host: z.string().trim().max(253).optional(),
+      port: z.number().int().min(1).max(65535).optional(),
+      secure: z.boolean().optional(),
+      user: z.string().trim().max(320).optional(),
+      // Password / token are write-only from the client. Undefined =
+      // "keep existing"; empty string = "clear"; set = rotate.
+      password: z.string().max(500).optional(),
+    })
+    .optional(),
+  postmark: z
+    .object({
+      serverToken: z.string().max(500).optional(),
+      messageStream: z.string().trim().max(120).optional(),
+    })
+    .optional(),
+});
+
+settingsRouter.get('/config/mail', requireAuth, requireAdmin, async (_req, res) => {
+  res.json(await getPublicMailSettings());
+});
+
+settingsRouter.post('/config/mail', requireAuth, requireAdmin, async (req, res) => {
+  const body = mailSettingsSchema.safeParse(req.body ?? {});
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  await saveMailSettings({
+    kind: body.data.kind as MailTransportKind,
+    from: body.data.from === '' ? null : body.data.from ?? undefined,
+    smtp: body.data.smtp,
+    postmark: body.data.postmark,
+  });
+  res.json(await getPublicMailSettings());
+});
diff --git a/apps/portal/src/pages/Install.tsx b/apps/portal/src/pages/Install.tsx
index 6c12e9f..1cf7434 100644
--- a/apps/portal/src/pages/Install.tsx
+++ b/apps/portal/src/pages/Install.tsx
@@ -3,7 +3,7 @@ import { useMutation } from '@tanstack/react-query';
 import { Rocket } from 'lucide-react';
 import { api } from '../api.js';
 import { theme } from '../theme.js';
-import { Button, ErrorBanner, Input, Label } from '../ui.js';
+import { Button, ErrorBanner, Input, Label, Select } from '../ui.js';
 import { AuthFrame } from './auth/Shared.js';
 
 /**
@@ -11,94 +11,214 @@ import { AuthFrame } from './auth/Shared.js';
  * activated yet; once it succeeds, the page 409s so a second would-be
  * installer can't take over.
  *
- * Single form collects:
- *   - Admin name + email (the first human admin)
- *   - Program name + support email (brand + partner contact)
- * On submit, OSS sends an invite magic-link to the admin's email. They
- * click it, land on /auth/magic, get a session, and the system is
- * fully installed.
+ * Collects:
+ *   - Admin identity (name + email)
+ *   - Program (name + optional support email)
+ *   - Mail transport (SMTP / Postmark / None) so the invite email can
+ *     actually send without the admin needing env-level access.
  */
+
+type MailKind = 'smtp' | 'postmark' | 'none';
+
 export function InstallPage() {
   const [adminName, setAdminName] = useState('');
   const [adminEmail, setAdminEmail] = useState('');
   const [programName, setProgramName] = useState('');
   const [supportEmail, setSupportEmail] = useState('');
 
+  const [mailKind, setMailKind] = useState<MailKind>('smtp');
+  const [mailFrom, setMailFrom] = useState('');
+  // SMTP
+  const [smtpHost, setSmtpHost] = useState('');
+  const [smtpPort, setSmtpPort] = useState('587');
+  const [smtpSecure, setSmtpSecure] = useState(false);
+  const [smtpUser, setSmtpUser] = useState('');
+  const [smtpPass, setSmtpPass] = useState('');
+  // Postmark
+  const [pmToken, setPmToken] = useState('');
+  const [pmStream, setPmStream] = useState('outbound');
+
   const mut = useMutation({
     mutationFn: () =>
       api('/install', {
         method: 'POST',
-        body: { adminName, adminEmail, programName, supportEmail: supportEmail || undefined },
+        body: {
+          adminName,
+          adminEmail,
+          programName,
+          supportEmail: supportEmail || undefined,
+          mail: {
+            kind: mailKind,
+            from: mailFrom || undefined,
+            smtp:
+              mailKind === 'smtp'
+                ? {
+                    host: smtpHost,
+                    port: Number(smtpPort || 587),
+                    secure: smtpSecure,
+                    user: smtpUser || undefined,
+                    password: smtpPass || undefined,
+                  }
+                : undefined,
+            postmark:
+              mailKind === 'postmark'
+                ? { serverToken: pmToken, messageStream: pmStream || 'outbound' }
+                : undefined,
+          },
+        },
       }),
   });
 
   if (mut.isSuccess) {
     return (
-      <AuthFrame title="Check your email" subtitle={`We sent a sign-in link to ${adminEmail}.`}>
+      <AuthFrame
+        title="Check your email"
+        subtitle={`We sent a sign-in link to ${adminEmail}.`}
+        brand={programName}
+      >
         <div style={{ fontSize: 13, color: theme.textMuted, lineHeight: 1.6 }}>
           Click the link to activate your admin account. The link is good for 15 minutes.
           <br />
           <br />
           <span style={{ color: theme.textDim }}>
-            Nothing in your inbox? If you're running locally without email configured, the link
-            printed to the <code>pnpm dev:api</code> terminal. Otherwise, check your mail
-            provider config (<code>SMTP_*</code> or <code>POSTMARK_SERVER_TOKEN</code> +{' '}
-            <code>MAIL_FROM</code>).
+            Didn't get the email? Check your spam folder, or confirm the mail provider you
+            just configured can deliver to <strong>{adminEmail}</strong>.
           </span>
         </div>
       </AuthFrame>
     );
   }
 
-  const canSubmit = adminName && adminEmail && programName && !mut.isPending;
+  const mailOk =
+    mailKind === 'none' ||
+    (mailKind === 'smtp' && smtpHost && mailFrom) ||
+    (mailKind === 'postmark' && pmToken && mailFrom);
+  const canSubmit = adminName && adminEmail && programName && mailOk && !mut.isPending;
 
   return (
     <AuthFrame
       title="Install OpenPartner"
-      subtitle="First-run setup. Create your admin account and name your partner program."
+      subtitle="First-run setup. Create your admin account, name your program, and configure email delivery."
     >
       <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 18, color: theme.accent }}>
         <Rocket size={18} />
         <div style={{ fontSize: 13 }}>Welcome — let's get you set up.</div>
       </div>
       <ErrorBanner error={mut.error} />
-      <div style={{ marginBottom: 14 }}>
+
+      <SectionHead>You</SectionHead>
+      <div style={{ marginBottom: 12 }}>
         <Label>Your name</Label>
         <Input value={adminName} onChange={(e) => setAdminName(e.target.value)} placeholder="Ada Lovelace" />
       </div>
-      <div style={{ marginBottom: 20 }}>
+      <div style={{ marginBottom: 16 }}>
         <Label>Your email</Label>
-        <Input
-          type="email"
-          value={adminEmail}
-          onChange={(e) => setAdminEmail(e.target.value)}
-          placeholder="ada@example.com"
-        />
+        <Input type="email" value={adminEmail} onChange={(e) => setAdminEmail(e.target.value)} placeholder="ada@example.com" />
       </div>
-      <div style={{ height: 1, background: theme.borderSubtle, margin: '4px 0 18px' }} />
-      <div style={{ marginBottom: 14 }}>
+
+      <SectionHead>Program</SectionHead>
+      <div style={{ marginBottom: 12 }}>
         <Label>Program name</Label>
-        <Input
-          value={programName}
-          onChange={(e) => setProgramName(e.target.value)}
-          placeholder="e.g. Coherence Partners"
-        />
+        <Input value={programName} onChange={(e) => setProgramName(e.target.value)} placeholder="e.g. Acme Partners" />
       </div>
-      <div style={{ marginBottom: 18 }}>
+      <div style={{ marginBottom: 16 }}>
         <Label>Support email (optional)</Label>
-        <Input
-          type="email"
-          value={supportEmail}
-          onChange={(e) => setSupportEmail(e.target.value)}
-          placeholder="support@yourdomain.com"
-        />
-        <div style={{ fontSize: 12, color: theme.textDim, marginTop: 6 }}>
-          Shown to partners in their dashboard for contacting the program.
-        </div>
+        <Input type="email" value={supportEmail} onChange={(e) => setSupportEmail(e.target.value)} placeholder="support@yourdomain.com" />
+        <Hint>Shown to partners in their dashboard.</Hint>
+      </div>
+
+      <SectionHead>Email delivery</SectionHead>
+      <div style={{ marginBottom: 12 }}>
+        <Label>Provider</Label>
+        <Select value={mailKind} onChange={(e) => setMailKind(e.target.value as MailKind)}>
+          <option value="smtp">SMTP (Gmail, SES, Mailgun, SendGrid, Postfix, …)</option>
+          <option value="postmark">Postmark HTTP API</option>
+          <option value="none">None — print to server console (dev only)</option>
+        </Select>
       </div>
+      {mailKind !== 'none' && (
+        <div style={{ marginBottom: 12 }}>
+          <Label>"From" address</Label>
+          <Input
+            type="email"
+            value={mailFrom}
+            onChange={(e) => setMailFrom(e.target.value)}
+            placeholder='e.g. "Acme Partners" <partners@acme.com>'
+          />
+          <Hint>Sender identity on every email. Must be verified with your provider.</Hint>
+        </div>
+      )}
+      {mailKind === 'smtp' && (
+        <>
+          <div style={{ display: 'grid', gridTemplateColumns: '2fr 1fr', gap: 12, marginBottom: 12 }}>
+            <div>
+              <Label>SMTP host</Label>
+              <Input value={smtpHost} onChange={(e) => setSmtpHost(e.target.value)} placeholder="smtp.example.com" />
+            </div>
+            <div>
+              <Label>Port</Label>
+              <Input value={smtpPort} onChange={(e) => setSmtpPort(e.target.value)} placeholder="587" />
+            </div>
+          </div>
+          <div style={{ marginBottom: 12 }}>
+            <Label>Username (optional)</Label>
+            <Input value={smtpUser} onChange={(e) => setSmtpUser(e.target.value)} placeholder="apikey or username" />
+          </div>
+          <div style={{ marginBottom: 12 }}>
+            <Label>Password</Label>
+            <Input type="password" value={smtpPass} onChange={(e) => setSmtpPass(e.target.value)} placeholder="••••••••" />
+            <Hint>Stored encrypted at rest. Leave blank if your SMTP allows unauthenticated relay.</Hint>
+          </div>
+          <label style={{ display: 'flex', alignItems: 'center', gap: 8, fontSize: 13, color: theme.textMuted, marginBottom: 16 }}>
+            <input type="checkbox" checked={smtpSecure} onChange={(e) => setSmtpSecure(e.target.checked)} />
+            Use implicit TLS (port 465). Leave unchecked for STARTTLS on 587.
+          </label>
+        </>
+      )}
+      {mailKind === 'postmark' && (
+        <>
+          <div style={{ marginBottom: 12 }}>
+            <Label>Postmark server token</Label>
+            <Input type="password" value={pmToken} onChange={(e) => setPmToken(e.target.value)} placeholder="••••••••" />
+            <Hint>Stored encrypted at rest.</Hint>
+          </div>
+          <div style={{ marginBottom: 16 }}>
+            <Label>Message stream</Label>
+            <Input value={pmStream} onChange={(e) => setPmStream(e.target.value)} placeholder="outbound" />
+          </div>
+        </>
+      )}
+      {mailKind === 'none' && (
+        <div style={{ fontSize: 12, color: theme.textDim, marginBottom: 16, lineHeight: 1.6 }}>
+          The magic-link URL will print to the server process stdout. Only useful if you
+          have access to the server console and are just trying things out.
+        </div>
+      )}
+
       <Button onClick={() => mut.mutate()} disabled={!canSubmit}>
         {mut.isPending ? 'Creating…' : 'Send me my setup link'}
       </Button>
     </AuthFrame>
   );
 }
+
+function SectionHead({ children }: { children: string }) {
+  return (
+    <div
+      style={{
+        fontSize: 11,
+        color: theme.textDim,
+        textTransform: 'uppercase',
+        letterSpacing: '0.08em',
+        fontWeight: 600,
+        margin: '4px 0 10px',
+      }}
+    >
+      {children}
+    </div>
+  );
+}
+
+function Hint({ children }: { children: string }) {
+  return <div style={{ fontSize: 12, color: theme.textDim, marginTop: 6 }}>{children}</div>;
+}
diff --git a/apps/portal/src/pages/admin/Settings.tsx b/apps/portal/src/pages/admin/Settings.tsx
index 9f13609..4368ff4 100644
--- a/apps/portal/src/pages/admin/Settings.tsx
+++ b/apps/portal/src/pages/admin/Settings.tsx
@@ -1,16 +1,37 @@
-import { useEffect, useState } from 'react';
+import { useEffect, useState, type ReactNode } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Settings as SettingsIcon } from 'lucide-react';
+import { Settings as SettingsIcon, Mail } from 'lucide-react';
 import { api } from '../../api.js';
 import { theme } from '../../theme.js';
-import { Button, Card, ErrorBanner, Input, Label, Page } from '../../ui.js';
+import { Button, Card, ErrorBanner, Input, Label, Page, Select } from '../../ui.js';
 
 interface ProgramSettings {
   programName: string | null;
   supportEmail: string | null;
 }
 
+type MailKind = 'smtp' | 'postmark' | 'none';
+
+interface PublicMailSettings {
+  kind: MailKind | null;
+  from: string | null;
+  smtp: { host: string; port: number; secure: boolean; user: string | null; hasPassword: boolean } | null;
+  postmark: { hasToken: boolean; messageStream: string } | null;
+}
+
 export function AdminSettings() {
+  return (
+    <Page title="Settings" subtitle="How the partner portal identifies your program and how it sends mail.">
+      <ProgramSection />
+      <div style={{ height: 18 }} />
+      <MailSection />
+    </Page>
+  );
+}
+
+// ---------- program ----------
+
+function ProgramSection() {
   const qc = useQueryClient();
   const { data, error, isLoading } = useQuery({
     queryKey: ['program-settings'],
@@ -21,7 +42,6 @@ export function AdminSettings() {
   const [supportEmail, setSupportEmail] = useState('');
   const [saved, setSaved] = useState(false);
 
-  // Sync form state when the fetched value lands.
   useEffect(() => {
     if (!data) return;
     setProgramName(data.programName ?? '');
@@ -30,67 +50,222 @@ export function AdminSettings() {
 
   const mut = useMutation({
     mutationFn: () =>
-      api<ProgramSettings>('/config/program', {
+      api<ProgramSettings>('/config/program', { method: 'POST', body: { programName, supportEmail } }),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['program-settings'] });
+      setSaved(true);
+      setTimeout(() => setSaved(false), 2000);
+    },
+  });
+
+  if (isLoading) return <Card>Loading…</Card>;
+
+  return (
+    <Card>
+      <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 16 }}>
+        <SettingsIcon size={18} color={theme.accent} />
+        <div style={{ fontSize: 15, fontWeight: 500 }}>Program info</div>
+      </div>
+      <ErrorBanner error={error ?? mut.error} />
+      <div style={{ marginBottom: 16 }}>
+        <Label>Program name</Label>
+        <Input value={programName} onChange={(e) => setProgramName(e.target.value)} placeholder="e.g. Acme Partners" maxLength={120} />
+        <Hint>Shown to partners in the portal. Leave blank to fall back to "OpenPartner".</Hint>
+      </div>
+      <div style={{ marginBottom: 18 }}>
+        <Label>Support email</Label>
+        <Input
+          type="email"
+          value={supportEmail}
+          onChange={(e) => setSupportEmail(e.target.value)}
+          placeholder="support@yourdomain.com"
+          maxLength={254}
+        />
+        <Hint>Partners see this in their portal footer.</Hint>
+      </div>
+      <Row>
+        <Button onClick={() => mut.mutate()} disabled={mut.isPending}>
+          {mut.isPending ? 'Saving…' : 'Save program info'}
+        </Button>
+        {saved && <span style={{ color: theme.success, fontSize: 13 }}>Saved.</span>}
+      </Row>
+    </Card>
+  );
+}
+
+// ---------- mail ----------
+
+function MailSection() {
+  const qc = useQueryClient();
+  const { data, error, isLoading } = useQuery({
+    queryKey: ['mail-settings'],
+    queryFn: () => api<PublicMailSettings>('/config/mail'),
+  });
+
+  const [kind, setKind] = useState<MailKind>('smtp');
+  const [from, setFrom] = useState('');
+  const [smtpHost, setSmtpHost] = useState('');
+  const [smtpPort, setSmtpPort] = useState('587');
+  const [smtpSecure, setSmtpSecure] = useState(false);
+  const [smtpUser, setSmtpUser] = useState('');
+  const [smtpPass, setSmtpPass] = useState('');
+  const [pmToken, setPmToken] = useState('');
+  const [pmStream, setPmStream] = useState('outbound');
+  const [saved, setSaved] = useState(false);
+
+  useEffect(() => {
+    if (!data) return;
+    setKind(data.kind ?? 'smtp');
+    setFrom(data.from ?? '');
+    if (data.smtp) {
+      setSmtpHost(data.smtp.host);
+      setSmtpPort(String(data.smtp.port));
+      setSmtpSecure(data.smtp.secure);
+      setSmtpUser(data.smtp.user ?? '');
+    }
+    if (data.postmark) {
+      setPmStream(data.postmark.messageStream);
+    }
+  }, [data]);
+
+  const mut = useMutation({
+    mutationFn: () =>
+      api<PublicMailSettings>('/config/mail', {
         method: 'POST',
-        body: { programName, supportEmail },
+        body: {
+          kind,
+          from: from || undefined,
+          smtp:
+            kind === 'smtp'
+              ? {
+                  host: smtpHost || undefined,
+                  port: smtpPort ? Number(smtpPort) : undefined,
+                  secure: smtpSecure,
+                  user: smtpUser || undefined,
+                  password: smtpPass || undefined,
+                }
+              : undefined,
+          postmark:
+            kind === 'postmark'
+              ? { serverToken: pmToken || undefined, messageStream: pmStream || undefined }
+              : undefined,
+        },
       }),
     onSuccess: () => {
-      qc.invalidateQueries({ queryKey: ['program-settings'] });
+      setSmtpPass('');
+      setPmToken('');
+      qc.invalidateQueries({ queryKey: ['mail-settings'] });
       setSaved(true);
       setTimeout(() => setSaved(false), 2000);
     },
   });
 
+  if (isLoading) return <Card>Loading…</Card>;
+
+  const hasStoredSmtpPassword = data?.smtp?.hasPassword ?? false;
+  const hasStoredPmToken = data?.postmark?.hasToken ?? false;
+
   return (
-    <Page
-      title="Settings"
-      subtitle="How the partner portal identifies your program."
-    >
+    <Card>
+      <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 16 }}>
+        <Mail size={18} color={theme.accent} />
+        <div style={{ fontSize: 15, fontWeight: 500 }}>Email delivery</div>
+      </div>
       <ErrorBanner error={error ?? mut.error} />
-      {isLoading ? (
-        <Card>Loading…</Card>
-      ) : (
-        <Card>
-          <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 16 }}>
-            <SettingsIcon size={18} color={theme.accent} />
-            <div style={{ fontSize: 15, fontWeight: 500 }}>Program info</div>
-          </div>
+      <Hint>
+        Used for partner invite / sign-in emails and admin magic-links. Credentials are
+        encrypted at rest with <code>SECRETS_ENCRYPTION_KEY</code>. Leaving the UI empty
+        falls back to <code>SMTP_*</code> / <code>POSTMARK_SERVER_TOKEN</code> env vars.
+      </Hint>
 
-          <div style={{ marginBottom: 16 }}>
-            <Label>Program name</Label>
+      <div style={{ marginTop: 14, marginBottom: 12 }}>
+        <Label>Provider</Label>
+        <Select value={kind} onChange={(e) => setKind(e.target.value as MailKind)}>
+          <option value="smtp">SMTP (Gmail, SES, Mailgun, SendGrid, Postfix, …)</option>
+          <option value="postmark">Postmark HTTP API</option>
+          <option value="none">None — fall through to env / console</option>
+        </Select>
+      </div>
+
+      {kind !== 'none' && (
+        <div style={{ marginBottom: 12 }}>
+          <Label>"From" address</Label>
+          <Input type="email" value={from} onChange={(e) => setFrom(e.target.value)} placeholder='"Acme Partners" <partners@acme.com>' />
+        </div>
+      )}
+      {kind === 'smtp' && (
+        <>
+          <div style={{ display: 'grid', gridTemplateColumns: '2fr 1fr', gap: 12, marginBottom: 12 }}>
+            <div>
+              <Label>SMTP host</Label>
+              <Input value={smtpHost} onChange={(e) => setSmtpHost(e.target.value)} placeholder="smtp.example.com" />
+            </div>
+            <div>
+              <Label>Port</Label>
+              <Input value={smtpPort} onChange={(e) => setSmtpPort(e.target.value)} placeholder="587" />
+            </div>
+          </div>
+          <div style={{ marginBottom: 12 }}>
+            <Label>Username (optional)</Label>
+            <Input value={smtpUser} onChange={(e) => setSmtpUser(e.target.value)} placeholder="apikey or username" />
+          </div>
+          <div style={{ marginBottom: 12 }}>
+            <Label>
+              Password{' '}
+              {hasStoredSmtpPassword && (
+                <span style={{ color: theme.textDim, fontWeight: 400, fontSize: 12 }}>— saved ✓ (enter to rotate)</span>
+              )}
+            </Label>
             <Input
-              value={programName}
-              onChange={(e) => setProgramName(e.target.value)}
-              placeholder="e.g. Coherence Partners"
-              maxLength={120}
+              type="password"
+              value={smtpPass}
+              onChange={(e) => setSmtpPass(e.target.value)}
+              placeholder={hasStoredSmtpPassword ? '•••••••• (leave blank to keep)' : ''}
             />
-            <div style={{ fontSize: 12, color: theme.textDim, marginTop: 6 }}>
-              Shown to partners in the portal. Leave blank to fall back to "OpenPartner".
-            </div>
           </div>
-
-          <div style={{ marginBottom: 20 }}>
-            <Label>Support email</Label>
+          <label style={{ display: 'flex', alignItems: 'center', gap: 8, fontSize: 13, color: theme.textMuted, marginBottom: 16 }}>
+            <input type="checkbox" checked={smtpSecure} onChange={(e) => setSmtpSecure(e.target.checked)} />
+            Use implicit TLS (port 465). Leave unchecked for STARTTLS on 587.
+          </label>
+        </>
+      )}
+      {kind === 'postmark' && (
+        <>
+          <div style={{ marginBottom: 12 }}>
+            <Label>
+              Server token{' '}
+              {hasStoredPmToken && (
+                <span style={{ color: theme.textDim, fontWeight: 400, fontSize: 12 }}>— saved ✓ (enter to rotate)</span>
+              )}
+            </Label>
             <Input
-              type="email"
-              value={supportEmail}
-              onChange={(e) => setSupportEmail(e.target.value)}
-              placeholder="support@yourdomain.com"
-              maxLength={254}
+              type="password"
+              value={pmToken}
+              onChange={(e) => setPmToken(e.target.value)}
+              placeholder={hasStoredPmToken ? '•••••••• (leave blank to keep)' : ''}
             />
-            <div style={{ fontSize: 12, color: theme.textDim, marginTop: 6 }}>
-              Partners see this in their portal footer for questions about commissions, payouts, or their account.
-            </div>
           </div>
-
-          <div style={{ display: 'flex', alignItems: 'center', gap: 12 }}>
-            <Button onClick={() => mut.mutate()} disabled={mut.isPending}>
-              {mut.isPending ? 'Saving…' : 'Save settings'}
-            </Button>
-            {saved && <span style={{ color: theme.success, fontSize: 13 }}>Saved.</span>}
+          <div style={{ marginBottom: 16 }}>
+            <Label>Message stream</Label>
+            <Input value={pmStream} onChange={(e) => setPmStream(e.target.value)} placeholder="outbound" />
           </div>
-        </Card>
+        </>
       )}
-    </Page>
+
+      <Row>
+        <Button onClick={() => mut.mutate()} disabled={mut.isPending}>
+          {mut.isPending ? 'Saving…' : 'Save mail settings'}
+        </Button>
+        {saved && <span style={{ color: theme.success, fontSize: 13 }}>Saved.</span>}
+      </Row>
+    </Card>
   );
 }
+
+function Row({ children }: { children: ReactNode }) {
+  return <div style={{ display: 'flex', alignItems: 'center', gap: 12 }}>{children}</div>;
+}
+
+function Hint({ children }: { children: ReactNode }) {
+  return <div style={{ fontSize: 12, color: theme.textDim, marginTop: 6 }}>{children}</div>;
+}
diff --git a/apps/portal/src/pages/auth/Shared.tsx b/apps/portal/src/pages/auth/Shared.tsx
index 9cd8584..38aa345 100644
--- a/apps/portal/src/pages/auth/Shared.tsx
+++ b/apps/portal/src/pages/auth/Shared.tsx
@@ -1,7 +1,17 @@
 import type { ReactNode } from 'react';
 import { theme } from '../../theme.js';
 
-export function AuthFrame({ title, subtitle, children }: { title: string; subtitle?: string; children: ReactNode }) {
+export function AuthFrame({
+  title,
+  subtitle,
+  brand,
+  children,
+}: {
+  title: string;
+  subtitle?: string;
+  brand?: string;
+  children: ReactNode;
+}) {
   return (
     <div
       style={{
@@ -25,7 +35,7 @@ export function AuthFrame({ title, subtitle, children }: { title: string; subtit
       >
         <div style={{ display: 'flex', alignItems: 'center', gap: 12, marginBottom: 20 }}>
           <Logo />
-          <div style={{ fontSize: 18, fontWeight: 600 }}>OpenPartner</div>
+          <div style={{ fontSize: 18, fontWeight: 600 }}>{brand ?? 'OpenPartner'}</div>
         </div>
         <div style={{ fontSize: 20, fontWeight: 600, letterSpacing: '-0.01em', marginBottom: 4 }}>{title}</div>
         {subtitle && <div style={{ color: theme.textMuted, fontSize: 13, marginBottom: 20 }}>{subtitle}</div>}
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 2b8c0ae..8251f7b 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -52,6 +52,7 @@ services:
       DATABASE_URL: postgres://${POSTGRES_USER:-openpartner}:${POSTGRES_PASSWORD:-openpartner}@postgres:5432/${POSTGRES_DB:-openpartner}
       API_PORT: 4601
       ADMIN_API_KEY: ${ADMIN_API_KEY}
+      SECRETS_ENCRYPTION_KEY: ${SECRETS_ENCRYPTION_KEY}
       OPENPARTNER_MODE: ${OPENPARTNER_MODE:-selfhost}
       PORTAL_URL: https://${PORTAL_HOST:-portal.${OPENPARTNER_DOMAIN}}
       POSTMARK_SERVER_TOKEN: ${POSTMARK_SERVER_TOKEN:-}

From a922e3078664b94eb95db8b2c45304c895dde2cc Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 17:22:45 -0700
Subject: [PATCH 013/131] fix(install): split first-run into a three-step
 wizard
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The single-form install grew oppressive. Break it into YOU → PROGRAM
→ EMAIL DELIVERY with a stepper up top, Back/Continue navigation, and
the final step submitting. Validation is per-step (can't advance
without the required fields for that step). Same submit body; only
the UX changed.
---
 apps/portal/src/pages/Install.tsx | 297 +++++++++++++++++-------------
 1 file changed, 169 insertions(+), 128 deletions(-)

diff --git a/apps/portal/src/pages/Install.tsx b/apps/portal/src/pages/Install.tsx
index 1cf7434..5443679 100644
--- a/apps/portal/src/pages/Install.tsx
+++ b/apps/portal/src/pages/Install.tsx
@@ -1,40 +1,35 @@
-import { useState } from 'react';
+import { useState, type ReactNode } from 'react';
 import { useMutation } from '@tanstack/react-query';
-import { Rocket } from 'lucide-react';
+import { ArrowLeft, ArrowRight, Check, Rocket } from 'lucide-react';
 import { api } from '../api.js';
 import { theme } from '../theme.js';
 import { Button, ErrorBanner, Input, Label, Select } from '../ui.js';
 import { AuthFrame } from './auth/Shared.js';
 
 /**
- * WordPress-style first-run setup. Only reachable when no admin is
- * activated yet; once it succeeds, the page 409s so a second would-be
- * installer can't take over.
- *
- * Collects:
- *   - Admin identity (name + email)
- *   - Program (name + optional support email)
- *   - Mail transport (SMTP / Postmark / None) so the invite email can
- *     actually send without the admin needing env-level access.
+ * Three-step first-run install:
+ *   1. You      — admin identity (name + email)
+ *   2. Program  — program name + optional support email
+ *   3. Mail     — transport + credentials (so the invite email can send)
+ * Final screen tells the admin to go check their inbox.
  */
 
 type MailKind = 'smtp' | 'postmark' | 'none';
 
 export function InstallPage() {
+  const [step, setStep] = useState(0);
+
   const [adminName, setAdminName] = useState('');
   const [adminEmail, setAdminEmail] = useState('');
   const [programName, setProgramName] = useState('');
   const [supportEmail, setSupportEmail] = useState('');
-
   const [mailKind, setMailKind] = useState<MailKind>('smtp');
   const [mailFrom, setMailFrom] = useState('');
-  // SMTP
   const [smtpHost, setSmtpHost] = useState('');
   const [smtpPort, setSmtpPort] = useState('587');
   const [smtpSecure, setSmtpSecure] = useState(false);
   const [smtpUser, setSmtpUser] = useState('');
   const [smtpPass, setSmtpPass] = useState('');
-  // Postmark
   const [pmToken, setPmToken] = useState('');
   const [pmStream, setPmStream] = useState('outbound');
 
@@ -61,9 +56,7 @@ export function InstallPage() {
                   }
                 : undefined,
             postmark:
-              mailKind === 'postmark'
-                ? { serverToken: pmToken, messageStream: pmStream || 'outbound' }
-                : undefined,
+              mailKind === 'postmark' ? { serverToken: pmToken, messageStream: pmStream || 'outbound' } : undefined,
           },
         },
       }),
@@ -71,154 +64,202 @@ export function InstallPage() {
 
   if (mut.isSuccess) {
     return (
-      <AuthFrame
-        title="Check your email"
-        subtitle={`We sent a sign-in link to ${adminEmail}.`}
-        brand={programName}
-      >
+      <AuthFrame title="Check your email" subtitle={`We sent a sign-in link to ${adminEmail}.`} brand={programName}>
         <div style={{ fontSize: 13, color: theme.textMuted, lineHeight: 1.6 }}>
           Click the link to activate your admin account. The link is good for 15 minutes.
           <br />
           <br />
           <span style={{ color: theme.textDim }}>
-            Didn't get the email? Check your spam folder, or confirm the mail provider you
-            just configured can deliver to <strong>{adminEmail}</strong>.
+            Didn't get it? Check your spam folder, or confirm the mail provider you just configured
+            can deliver to <strong>{adminEmail}</strong>.
           </span>
         </div>
       </AuthFrame>
     );
   }
 
-  const mailOk =
-    mailKind === 'none' ||
-    (mailKind === 'smtp' && smtpHost && mailFrom) ||
-    (mailKind === 'postmark' && pmToken && mailFrom);
-  const canSubmit = adminName && adminEmail && programName && mailOk && !mut.isPending;
-
-  return (
-    <AuthFrame
-      title="Install OpenPartner"
-      subtitle="First-run setup. Create your admin account, name your program, and configure email delivery."
-    >
-      <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 18, color: theme.accent }}>
-        <Rocket size={18} />
-        <div style={{ fontSize: 13 }}>Welcome — let's get you set up.</div>
-      </div>
-      <ErrorBanner error={mut.error} />
+  const steps = ['You', 'Program', 'Email delivery'];
+  const stepValid =
+    (step === 0 && adminName && adminEmail) ||
+    (step === 1 && programName) ||
+    (step === 2 &&
+      (mailKind === 'none' ||
+        (mailKind === 'smtp' && smtpHost && mailFrom) ||
+        (mailKind === 'postmark' && pmToken && mailFrom)));
+  const isLast = step === steps.length - 1;
 
-      <SectionHead>You</SectionHead>
-      <div style={{ marginBottom: 12 }}>
-        <Label>Your name</Label>
-        <Input value={adminName} onChange={(e) => setAdminName(e.target.value)} placeholder="Ada Lovelace" />
-      </div>
-      <div style={{ marginBottom: 16 }}>
-        <Label>Your email</Label>
-        <Input type="email" value={adminEmail} onChange={(e) => setAdminEmail(e.target.value)} placeholder="ada@example.com" />
-      </div>
+  function onNext() {
+    if (!stepValid) return;
+    if (isLast) mut.mutate();
+    else setStep(step + 1);
+  }
 
-      <SectionHead>Program</SectionHead>
-      <div style={{ marginBottom: 12 }}>
-        <Label>Program name</Label>
-        <Input value={programName} onChange={(e) => setProgramName(e.target.value)} placeholder="e.g. Acme Partners" />
-      </div>
-      <div style={{ marginBottom: 16 }}>
-        <Label>Support email (optional)</Label>
-        <Input type="email" value={supportEmail} onChange={(e) => setSupportEmail(e.target.value)} placeholder="support@yourdomain.com" />
-        <Hint>Shown to partners in their dashboard.</Hint>
-      </div>
+  return (
+    <AuthFrame title="Install OpenPartner" subtitle="First-run setup.">
+      <Stepper steps={steps} current={step} />
 
-      <SectionHead>Email delivery</SectionHead>
-      <div style={{ marginBottom: 12 }}>
-        <Label>Provider</Label>
-        <Select value={mailKind} onChange={(e) => setMailKind(e.target.value as MailKind)}>
-          <option value="smtp">SMTP (Gmail, SES, Mailgun, SendGrid, Postfix, …)</option>
-          <option value="postmark">Postmark HTTP API</option>
-          <option value="none">None — print to server console (dev only)</option>
-        </Select>
-      </div>
-      {mailKind !== 'none' && (
-        <div style={{ marginBottom: 12 }}>
-          <Label>"From" address</Label>
-          <Input
-            type="email"
-            value={mailFrom}
-            onChange={(e) => setMailFrom(e.target.value)}
-            placeholder='e.g. "Acme Partners" <partners@acme.com>'
-          />
-          <Hint>Sender identity on every email. Must be verified with your provider.</Hint>
-        </div>
-      )}
-      {mailKind === 'smtp' && (
+      {step === 0 && (
         <>
-          <div style={{ display: 'grid', gridTemplateColumns: '2fr 1fr', gap: 12, marginBottom: 12 }}>
-            <div>
-              <Label>SMTP host</Label>
-              <Input value={smtpHost} onChange={(e) => setSmtpHost(e.target.value)} placeholder="smtp.example.com" />
-            </div>
-            <div>
-              <Label>Port</Label>
-              <Input value={smtpPort} onChange={(e) => setSmtpPort(e.target.value)} placeholder="587" />
-            </div>
-          </div>
+          <WelcomeLine>Welcome — let's get you set up.</WelcomeLine>
           <div style={{ marginBottom: 12 }}>
-            <Label>Username (optional)</Label>
-            <Input value={smtpUser} onChange={(e) => setSmtpUser(e.target.value)} placeholder="apikey or username" />
+            <Label>Your name</Label>
+            <Input value={adminName} onChange={(e) => setAdminName(e.target.value)} placeholder="Ada Lovelace" autoFocus />
           </div>
-          <div style={{ marginBottom: 12 }}>
-            <Label>Password</Label>
-            <Input type="password" value={smtpPass} onChange={(e) => setSmtpPass(e.target.value)} placeholder="••••••••" />
-            <Hint>Stored encrypted at rest. Leave blank if your SMTP allows unauthenticated relay.</Hint>
+          <div style={{ marginBottom: 16 }}>
+            <Label>Your email</Label>
+            <Input type="email" value={adminEmail} onChange={(e) => setAdminEmail(e.target.value)} placeholder="ada@example.com" />
+            <Hint>We'll send your activation link here.</Hint>
           </div>
-          <label style={{ display: 'flex', alignItems: 'center', gap: 8, fontSize: 13, color: theme.textMuted, marginBottom: 16 }}>
-            <input type="checkbox" checked={smtpSecure} onChange={(e) => setSmtpSecure(e.target.checked)} />
-            Use implicit TLS (port 465). Leave unchecked for STARTTLS on 587.
-          </label>
         </>
       )}
-      {mailKind === 'postmark' && (
+
+      {step === 1 && (
         <>
           <div style={{ marginBottom: 12 }}>
-            <Label>Postmark server token</Label>
-            <Input type="password" value={pmToken} onChange={(e) => setPmToken(e.target.value)} placeholder="••••••••" />
-            <Hint>Stored encrypted at rest.</Hint>
+            <Label>Program name</Label>
+            <Input value={programName} onChange={(e) => setProgramName(e.target.value)} placeholder="e.g. Acme Partners" autoFocus />
+            <Hint>How partners see your program in the dashboard.</Hint>
           </div>
           <div style={{ marginBottom: 16 }}>
-            <Label>Message stream</Label>
-            <Input value={pmStream} onChange={(e) => setPmStream(e.target.value)} placeholder="outbound" />
+            <Label>Support email (optional)</Label>
+            <Input type="email" value={supportEmail} onChange={(e) => setSupportEmail(e.target.value)} placeholder="support@yourdomain.com" />
+            <Hint>Partners see this in their portal footer for questions.</Hint>
           </div>
         </>
       )}
-      {mailKind === 'none' && (
-        <div style={{ fontSize: 12, color: theme.textDim, marginBottom: 16, lineHeight: 1.6 }}>
-          The magic-link URL will print to the server process stdout. Only useful if you
-          have access to the server console and are just trying things out.
-        </div>
+
+      {step === 2 && (
+        <>
+          <div style={{ marginBottom: 12 }}>
+            <Label>Provider</Label>
+            <Select value={mailKind} onChange={(e) => setMailKind(e.target.value as MailKind)}>
+              <option value="smtp">SMTP (Gmail, SES, Mailgun, SendGrid, Postfix, …)</option>
+              <option value="postmark">Postmark HTTP API</option>
+              <option value="none">None — print to server console (dev only)</option>
+            </Select>
+          </div>
+          {mailKind !== 'none' && (
+            <div style={{ marginBottom: 12 }}>
+              <Label>"From" address</Label>
+              <Input type="email" value={mailFrom} onChange={(e) => setMailFrom(e.target.value)} placeholder='"Acme Partners" <partners@acme.com>' />
+              <Hint>Sender identity on every email. Must be verified with your provider.</Hint>
+            </div>
+          )}
+          {mailKind === 'smtp' && (
+            <>
+              <div style={{ display: 'grid', gridTemplateColumns: '2fr 1fr', gap: 12, marginBottom: 12 }}>
+                <div>
+                  <Label>SMTP host</Label>
+                  <Input value={smtpHost} onChange={(e) => setSmtpHost(e.target.value)} placeholder="smtp.example.com" />
+                </div>
+                <div>
+                  <Label>Port</Label>
+                  <Input value={smtpPort} onChange={(e) => setSmtpPort(e.target.value)} placeholder="587" />
+                </div>
+              </div>
+              <div style={{ marginBottom: 12 }}>
+                <Label>Username (optional)</Label>
+                <Input value={smtpUser} onChange={(e) => setSmtpUser(e.target.value)} placeholder="apikey or username" />
+              </div>
+              <div style={{ marginBottom: 12 }}>
+                <Label>Password</Label>
+                <Input type="password" value={smtpPass} onChange={(e) => setSmtpPass(e.target.value)} placeholder="••••••••" />
+                <Hint>Stored encrypted at rest.</Hint>
+              </div>
+              <label style={{ display: 'flex', alignItems: 'center', gap: 8, fontSize: 13, color: theme.textMuted, marginBottom: 12 }}>
+                <input type="checkbox" checked={smtpSecure} onChange={(e) => setSmtpSecure(e.target.checked)} />
+                Use implicit TLS (port 465). Leave unchecked for STARTTLS on 587.
+              </label>
+            </>
+          )}
+          {mailKind === 'postmark' && (
+            <>
+              <div style={{ marginBottom: 12 }}>
+                <Label>Postmark server token</Label>
+                <Input type="password" value={pmToken} onChange={(e) => setPmToken(e.target.value)} placeholder="••••••••" />
+                <Hint>Stored encrypted at rest.</Hint>
+              </div>
+              <div style={{ marginBottom: 12 }}>
+                <Label>Message stream</Label>
+                <Input value={pmStream} onChange={(e) => setPmStream(e.target.value)} placeholder="outbound" />
+              </div>
+            </>
+          )}
+          {mailKind === 'none' && (
+            <Hint>The magic-link URL will print to the server stdout. Dev / console-only use.</Hint>
+          )}
+        </>
       )}
 
-      <Button onClick={() => mut.mutate()} disabled={!canSubmit}>
-        {mut.isPending ? 'Creating…' : 'Send me my setup link'}
-      </Button>
+      <ErrorBanner error={mut.error} />
+
+      <div style={{ display: 'flex', justifyContent: 'space-between', alignItems: 'center', marginTop: 18, gap: 8 }}>
+        {step > 0 ? (
+          <Button variant="secondary" icon={<ArrowLeft size={14} />} onClick={() => setStep(step - 1)}>
+            Back
+          </Button>
+        ) : (
+          <div />
+        )}
+        <Button
+          onClick={onNext}
+          disabled={!stepValid || mut.isPending}
+          icon={isLast ? <Check size={14} /> : <ArrowRight size={14} />}
+        >
+          {isLast ? (mut.isPending ? 'Sending…' : 'Send my setup link') : 'Continue'}
+        </Button>
+      </div>
     </AuthFrame>
   );
 }
 
-function SectionHead({ children }: { children: string }) {
+function Stepper({ steps, current }: { steps: string[]; current: number }) {
+  return (
+    <div style={{ display: 'flex', alignItems: 'center', gap: 8, marginBottom: 18 }}>
+      {steps.map((label, i) => {
+        const done = i < current;
+        const active = i === current;
+        const c = done ? theme.accent : active ? theme.text : theme.textDim;
+        const bg = done ? theme.accent : active ? theme.surface2 : 'transparent';
+        const border = done ? theme.accent : active ? theme.accent : theme.border;
+        return (
+          <div key={label} style={{ display: 'flex', alignItems: 'center', gap: 8, flex: i === steps.length - 1 ? 0 : 1 }}>
+            <div
+              style={{
+                width: 22,
+                height: 22,
+                borderRadius: '50%',
+                background: bg,
+                border: `1px solid ${border}`,
+                color: done ? theme.accentInk : c,
+                fontSize: 11,
+                fontWeight: 600,
+                display: 'flex',
+                alignItems: 'center',
+                justifyContent: 'center',
+                flexShrink: 0,
+              }}
+            >
+              {done ? <Check size={12} /> : i + 1}
+            </div>
+            <div style={{ fontSize: 12, color: c, fontWeight: active ? 600 : 400, whiteSpace: 'nowrap' }}>{label}</div>
+            {i !== steps.length - 1 && <div style={{ height: 1, flex: 1, background: theme.border, marginLeft: 4 }} />}
+          </div>
+        );
+      })}
+    </div>
+  );
+}
+
+function WelcomeLine({ children }: { children: ReactNode }) {
   return (
-    <div
-      style={{
-        fontSize: 11,
-        color: theme.textDim,
-        textTransform: 'uppercase',
-        letterSpacing: '0.08em',
-        fontWeight: 600,
-        margin: '4px 0 10px',
-      }}
-    >
-      {children}
+    <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 16, color: theme.accent }}>
+      <Rocket size={16} />
+      <div style={{ fontSize: 13 }}>{children}</div>
     </div>
   );
 }
 
-function Hint({ children }: { children: string }) {
+function Hint({ children }: { children: ReactNode }) {
   return <div style={{ fontSize: 12, color: theme.textDim, marginTop: 6 }}>{children}</div>;
 }

From 59526b72385b106429a1facba739942d4c87c265 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 17:54:48 -0700
Subject: [PATCH 014/131] docs: refresh for admin personas, first-run wizard,
 UI-managed mail

README adds a What's implemented subsection grouping by area
(attribution + payouts, auth + personas, configuration, integration
surface, operations). Quickstart leads with the /install wizard and
keeps the curl bootstrap as a headless / CI alternative rather than
the default. ARCHITECTURE gains sections on personas (Admin + Partner,
magic-link auth, revoke semantics) and Settings + secret encryption.
docs/deploy.md now calls out SECRETS_ENCRYPTION_KEY as a required
production env and documents that mail env vars are fallbacks rather
than the primary path.
---
 ARCHITECTURE.md    | 22 ++++++++++++++++++++++
 README.md          | 40 ++++++++++++++++++++++++++++++++--------
 docs/deploy.md     |  3 ++-
 docs/quickstart.md | 45 ++++++++++++++++++++++++++++-----------------
 4 files changed, 84 insertions(+), 26 deletions(-)

diff --git a/ARCHITECTURE.md b/ARCHITECTURE.md
index 78d3e34..6e90cde 100644
--- a/ARCHITECTURE.md
+++ b/ARCHITECTURE.md
@@ -86,6 +86,28 @@ One codebase, three behaviors, flipped by `OPENPARTNER_MODE`:
 
 The core product — attribution, events, commissions — is identical across modes. Only the billing + payout layer changes.
 
+## Install + auth
+
+First-run is a three-step wizard at `/install` — admin account (name + email), program name + support email, and mail transport. On submit the first admin gets an emailed magic link; clicking it activates them with a session cookie. `/install` 409s once any admin is activated so a second party can't take over.
+
+**Personas** are first-class — neither admins nor partners authenticate with a shared token:
+
+- **Admin** — invited by another admin (or created during install), verifies a magic link, gets a `Session` cookie keyed `(principalKind='admin', principalId)`. Can invite / revoke / reinstate other admins, edit program + mail settings. `ADMIN_API_KEY` env stays valid as a bootstrap / headless / CI bearer; think `doctl`, migrations, or emergency access.
+- **Partner** — invited by an admin, same magic-link flow, separate `Partner` table. Creates their own Links + API keys from their dashboard; admin never sees partner credentials. Revocation kills sessions in-transaction and stamps clicks `fraudFlag='revoked'` so future attribution skips them without breaking the end-user click experience.
+
+Magic-link tokens and sessions share one generalized schema (`MagicLinkToken`, `Session`) keyed by `(principalKind, principalId)`. The verify endpoint branches on `principalKind` — invites for partners stamp `Partner.activatedAt`, invites for admins stamp `Admin.activatedAt`.
+
+## Settings + secret encryption
+
+Anything user-facing and runtime-adjustable lives in the `Config` table, editable from the admin Settings UI — not env. This covers:
+
+- **Program settings** — program name + support email (plaintext, identifiers not secrets)
+- **Mail settings** — SMTP or Postmark selection + credentials
+
+Credentials inside `Config` (SMTP password, Postmark server token) are AES-256-GCM encrypted at rest using `SECRETS_ENCRYPTION_KEY` — the one env-level secret required in production. Public readers of the Settings API get a sanitized view (`hasPassword: true/false`) so the UI can show "saved ✓" without ever exposing plaintext.
+
+Env vars like `SMTP_HOST` / `POSTMARK_SERVER_TOKEN` / `MAIL_FROM` remain as **fallbacks** — the mailer resolves UI config first, env second, console stdout last (dev only). Hosted deployments can force a transport via env; self-hosters who want to rotate credentials without a redeploy do so from the Settings page.
+
 ## Federating with an external creator network
 
 OpenPartner OSS is vendor-direct — the admin creates Partner rows, issues share links, and manages their own partner program. A separate hosted service (outside this repo) implements a two-sided creator network: vendors publish offerings, creators apply, and approved partnerships federate back into each vendor's OpenPartner instance as Partner + Link rows.
diff --git a/README.md b/README.md
index 1930305..8c367ea 100644
--- a/README.md
+++ b/README.md
@@ -51,7 +51,9 @@ pnpm dev:router    # terminal 2 — click router
 pnpm dev:portal    # terminal 3 — partner dashboard
 ```
 
-See [docs/quickstart.md](./docs/quickstart.md) for full local setup, or [docs/deploy.md](./docs/deploy.md) for DigitalOcean App Platform and single-host Docker deployments.
+Open `http://localhost:5673/install` — a three-step wizard collects your admin account, program name + support email, and mail transport (SMTP or Postmark). Accept the magic-link email and you're signed in as the first admin.
+
+See [docs/quickstart.md](./docs/quickstart.md) for the end-to-end walkthrough, or [docs/deploy.md](./docs/deploy.md) for DigitalOcean App Platform and single-host Docker deployments.
 
 ## Architecture
 
@@ -84,21 +86,43 @@ v1. End-to-end attribution, payouts, and export are working; API surface is stab
 
 ### What's implemented
 
+**Attribution + payouts**
+
 - Edge click router with first-party cookie and SHA-256-hashed IP
 - Identity stitching (`POST /attribution/identify`) with late-binding backlog attribution
-- Event ingest (`POST /attribution/events`) and Stripe webhook mapping
-- Four attribution models — `last_click`, `first_click`, `linear`, `position` — with per-campaign selection, re-derivable from raw tables
+- Event ingest (`POST /attribution/events`) and Stripe webhook mapping (idempotent on retries)
+- Four attribution models — `last_click`, `first_click`, `linear`, `position` — per-campaign, re-derivable from raw tables
 - Commission accrual + review queue (approve / reverse) + Stripe Connect Standard payouts with idempotent transfers
-- Three deployment modes gated by `OPENPARTNER_MODE`: `selfhost`, `flat` (Stripe subscription), `revshare` (3% platform fee)
 - Click velocity limits with an admin fraud-review queue that replays skipped attributions on unflag
-- Scoped API keys (`partners:write`, `links:write`, `commissions:read`, …) — the federation contract that lets an external creator-network service provision Partner + Link rows on this instance over REST
 - Outbound webhooks with HMAC-SHA256 signing and per-event redelivery
-- Portable JSON + CSV export per table; full bundle export round-trippable into another instance via `POST /import`
-- Partner dashboard + admin overview + fraud review + partner funnel analytics in the portal
+
+**Auth + personas**
+
+- WordPress-style first-run `/install` wizard — admin account, program name, mail transport in one flow
+- Admin accounts as first-class personas (not a shared token) — magic-link signin, invite/revoke/reinstate, last-active-admin guard
+- Partner accounts via admin-invited magic-link — no admin-visible credentials, partners create their own API keys
+- `ADMIN_API_KEY` env stays as bootstrap / headless / CI path
+- Revoke flow for both admins and partners: sessions killed, reason stored, optional email notification
+
+**Configuration**
+
+- Program name + support email editable from the admin Settings UI (not env)
+- Mail transport (SMTP / Postmark / console) editable from the UI, SMTP passwords + Postmark tokens encrypted at rest with `SECRETS_ENCRYPTION_KEY`
+- Env vars (`SMTP_*`, `POSTMARK_*`, `MAIL_FROM`) remain as deploy-time fallbacks
+- Three deployment modes gated by `OPENPARTNER_MODE`: `selfhost`, `flat` (Stripe subscription), `revshare` (3% platform fee)
+
+**Integration surface**
+
+- Scoped API keys (`partners:write`, `links:write`, `commissions:read`, …) — the federation contract that lets an external creator-network service provision Partner + Link rows on this instance over REST
 - `@openpartner/sdk` on npm with browser and server entries
+- Portable JSON + CSV export per table; full bundle round-trippable via `POST /import`
+
+**Operations**
+
+- Partner dashboard + admin overview + fraud review + partner funnel analytics in the portal
 - Prometheus `/metrics` + X-Request-Id correlation
 - Deployment: DigitalOcean App Platform spec + single-host `docker-compose.prod.yml` behind Caddy
 
 ### Not in this repo
 
-A creator-discovery / two-sided network layer (vendors publish offerings, creators apply, federation provisions partnerships into vendor instances) is available as a separate hosted service. OpenPartner OSS instances integrate with it via scoped API keys.
+A creator-discovery / two-sided network layer (vendors publish offerings, creators apply, federation provisions partnerships into vendor instances) lives in a separate private repo. OpenPartner OSS instances integrate with it via the scoped-API-key federation contract described above.
diff --git a/docs/deploy.md b/docs/deploy.md
index cd00aa9..1fa900d 100644
--- a/docs/deploy.md
+++ b/docs/deploy.md
@@ -27,7 +27,8 @@ Ingress rules fan incoming traffic out: `/api/*` → `api`, everything else →
 3. **Set the secrets** App Platform marked as `SECRET` in the spec:
    - `ADMIN_API_KEY` — bootstrap admin token. Generate with `node -e "console.log('op_' + require('crypto').randomBytes(24).toString('hex'))"`.
    - `PORTAL_URL` — e.g. `https://partners.yourdomain.com`. Required in production (CORS allowlist + invite email links).
-   - `POSTMARK_SERVER_TOKEN`, `MAIL_FROM` — Postmark credentials + verified sender for partner invite + signin emails. Leave either unset and mail falls back to stdout (useful for staging, not production).
+   - `SECRETS_ENCRYPTION_KEY` — 32 bytes (hex or base64) used to encrypt SMTP passwords / Postmark tokens stored in the Config table. **Required in production.** Generate with `node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"`.
+   - `POSTMARK_SERVER_TOKEN`, `MAIL_FROM` (or `SMTP_HOST` + SMTP vars, or neither) — mail provider fallback. You can skip these entirely and let the admin configure mail from the Settings UI after install; these env vars win only when UI settings are empty.
    - `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET`, `STRIPE_FLAT_PRICE_ID` — only if running `flat` or `revshare` mode.
    - `COOKIE_DOMAIN` — `.yourdomain.com` so the router's `_cref` cookie covers your landing pages.
    - `METRICS_TOKEN` — optional; set to require Bearer auth on `/metrics`.
diff --git a/docs/quickstart.md b/docs/quickstart.md
index 0c75d1b..b5fb07d 100644
--- a/docs/quickstart.md
+++ b/docs/quickstart.md
@@ -1,6 +1,6 @@
 # Quickstart
 
-End-to-end walkthrough: spin up the stack, create a partner + campaign + link, simulate a click, stitch an identity, post an event, approve the commission, run a payout, export the data.
+End-to-end walkthrough: spin up the stack, run first-run install, invite a partner, simulate a click, stitch an identity, post an event, approve the commission, run a payout, export the data.
 
 ## 1. Spin up
 
@@ -8,7 +8,9 @@ End-to-end walkthrough: spin up the stack, create a partner + campaign + link, s
 git clone https://github.com/getcoherence/openpartner
 cd openpartner
 cp .env.example .env
-# edit .env: set ADMIN_API_KEY to a strong random value
+# edit .env: set ADMIN_API_KEY (bootstrap) and SECRETS_ENCRYPTION_KEY
+# (both random 32-byte hex). Generate each with:
+#   node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
 pnpm install
 docker compose up -d postgres
 pnpm migrate
@@ -18,9 +20,21 @@ pnpm dev:router    # :4701
 pnpm dev:portal    # :5673
 ```
 
-## 2. Bootstrap
+## 2. First-run install (UI)
 
-All admin calls use your `ADMIN_API_KEY` as a bearer token.
+Open **http://localhost:5673/install** — a three-step wizard:
+
+1. **You** — admin name + email
+2. **Program** — program name + optional support email (surfaced to partners in their footer)
+3. **Email delivery** — SMTP or Postmark credentials (stored encrypted in the DB) or "None" to print magic links to the `pnpm dev:api` console
+
+On submit, OpenPartner emails you a one-time activation link. Click it and you're signed in as the first admin with a session cookie. From here, everything else is admin UI — no more curl bootstrap.
+
+> The `ADMIN_API_KEY` env remains valid as a headless / CI bearer. Everything below works with either auth mode.
+
+## 3. Bootstrap via API (headless)
+
+If you'd rather skip the wizard for scripted setups, the admin key still works as a bearer token.
 
 ```bash
 export ADMIN=$(grep '^ADMIN_API_KEY=' .env | cut -d= -f2)
@@ -30,6 +44,8 @@ PARTNER=$(curl -s -X POST http://localhost:4601/partners \
   -H "Authorization: Bearer $ADMIN" \
   -H "content-type: application/json" \
   -d '{"email":"ada@example.com","name":"Ada"}' | jq -r .id)
+# ^ Also emails Ada an invite with a magic link. She clicks it, sets
+#   up her own partner dashboard session — admin never sees her creds.
 
 # Create a campaign (20% recurring percent rule).
 CAMPAIGN=$(curl -s -X POST http://localhost:4601/campaigns \
@@ -37,20 +53,15 @@ CAMPAIGN=$(curl -s -X POST http://localhost:4601/campaigns \
   -H "content-type: application/json" \
   -d '{"name":"Default","commissionRule":{"type":"percent","value":20,"recurring":true}}' | jq -r .id)
 
-# Create a link.
+# Partners create their own Links — but admin can seed one for
+# testing. In the real UX the partner does this from their dashboard.
 curl -s -X POST http://localhost:4601/partners/$PARTNER/links \
   -H "Authorization: Bearer $ADMIN" \
   -H "content-type: application/json" \
   -d "{\"linkKey\":\"ada\",\"campaignId\":\"$CAMPAIGN\",\"destinationUrl\":\"https://example.com/signup\"}"
-
-# Issue a partner-scoped key so Ada can read her own dashboard.
-curl -s -X POST http://localhost:4601/partners/$PARTNER/api-keys \
-  -H "Authorization: Bearer $ADMIN" \
-  -H "content-type: application/json" \
-  -d '{"label":"ada personal"}'
 ```
 
-## 3. Simulate the funnel
+## 4. Simulate the funnel
 
 ```bash
 # Click — router sets _cref cookie, writes Click row, 302s to destinationUrl.
@@ -68,7 +79,7 @@ curl -s -X POST http://localhost:4601/attribution/events \
   -d '{"userId":"user_123","type":"invoice_paid","value":200,"currency":"USD"}'
 ```
 
-## 4. Review + payout
+## 5. Review + payout
 
 ```bash
 # The commission is 'accrued'; approve it.
@@ -89,7 +100,7 @@ curl -s -X POST http://localhost:4601/payouts/run \
   -H "Authorization: Bearer $ADMIN"
 ```
 
-## 5. Export / import
+## 6. Export / import
 
 ```bash
 # Full dump — round-trippable into a self-hosted instance.
@@ -107,7 +118,7 @@ curl -s -X POST http://localhost:4601/import \
   --data @export.json
 ```
 
-## 6. Deployment modes
+## 7. Deployment modes
 
 Set `OPENPARTNER_MODE` in `.env`:
 
@@ -119,7 +130,7 @@ Set `OPENPARTNER_MODE` in `.env`:
 
 See `/billing/status` for the current state, and `/billing/portal` in `flat` mode for the merchant's Stripe customer portal.
 
-## 7. Browser SDK
+## 8. Browser SDK
 
 ```ts
 import { OpenPartner } from '@openpartner/sdk';
@@ -132,7 +143,7 @@ op.identify(currentUser.id);
 
 The SDK captures `?cref=…` from the landing URL and the `_cref` cookie, stashes in localStorage so the attribution survives ITP / multi-session gaps, then POSTs to `/attribution/identify` when you call `identify()`.
 
-## 8. Server SDK
+## 9. Server SDK
 
 For conversion events your backend controls (custom events, non-Stripe billing):
 

From 6d837a4b454b807af02be5bae729ee3aab22ef76 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 19:13:15 -0700
Subject: [PATCH 015/131] fix(critical): signin email-spam vector, /install
 TOCTOU, last-admin race
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three security / lockout fixes from the ultrareview re-pass (PR #9):

1. POST /auth/signin for a revoked partner was sending the
   partner_revoked notice email every time. An attacker could spam
   any known partner's inbox by POSTing their email repeatedly.
   Now: signin for a revoked partner is silent (no email). Revoke
   flow already sends a one-time notification at revoke time with
   the admin-provided reason — that's the only on-the-record
   touchpoint.

2. POST /install's "no admin exists" check was outside the tx.
   Two concurrent installers could both pass the check and both
   create admin rows. Now the check happens inside a transaction
   under a pg_advisory_xact_lock keyed to the install path, so
   concurrent calls serialize and the loser 409s. Also tightened
   the guard to block on ANY admin row (not just activated) so a
   second installer can't slip in while the first magic-link is
   still pending.

3. POST /admins/:id/revoke's "last active admin" guard was outside
   the transaction. Two concurrent revokes of the only two active
   admins both saw count=2, both proceeded, and both committed —
   leaving zero admins and locking everyone out. Now the guard runs
   inside a transaction with SELECT ... FOR UPDATE on the active-
   admins set, so concurrent revokes serialize and the loser 409s
   on cannot_revoke_last_active_admin. Also added revoked-admin
   guard to /admins/:id/invite (can't resend to a revoked account)
   and cleaned up the unused activeAdminCount helper.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/__tests__/partner-invite.test.ts | 13 ++-
 apps/api/src/routes/admins.ts                 | 84 +++++++++++--------
 apps/api/src/routes/install.ts                | 78 +++++++++++------
 apps/api/src/routes/partner-auth.ts           | 58 +++++--------
 4 files changed, 130 insertions(+), 103 deletions(-)

diff --git a/apps/api/src/__tests__/partner-invite.test.ts b/apps/api/src/__tests__/partner-invite.test.ts
index 0da58b8..8c0fda9 100644
--- a/apps/api/src/__tests__/partner-invite.test.ts
+++ b/apps/api/src/__tests__/partner-invite.test.ts
@@ -223,8 +223,9 @@ describe.skipIf(skipIntegration)('partner invite + signin', () => {
     expect(mailer.sent.length).toBe(0);
   });
 
-  it('signin for a revoked partner sends the suspension notice, not a magic link', async () => {
-    // Invite + activate + revoke.
+  it('signin for a revoked partner is silent — no email, no enumeration leak', async () => {
+    // Invite + activate + revoke (notify=false so there's no inbox noise
+    // from the revoke itself — we want to observe the signin path).
     const created = await request(app)
       .post('/partners')
       .set('Authorization', `Bearer ${ADMIN_KEY}`)
@@ -241,11 +242,9 @@ describe.skipIf(skipIntegration)('partner invite + signin', () => {
     expect(signin.status).toBe(200);
     expect(signin.body.ok).toBe(true);
 
-    // Partner gets the suspension notice (with reason), not a signin link.
-    const notice = mailer.findFor('after@example.com', 'partner_revoked');
-    expect(notice).toBeDefined();
-    expect(notice!.text).toContain('Program closed');
-    expect(mailer.findFor('after@example.com', 'partner_signin')).toBeUndefined();
+    // No email should be sent — earlier behavior let an attacker spam
+    // the victim by repeatedly hitting /auth/signin with their address.
+    expect(mailer.sent.length).toBe(0);
   });
 
   it('resend invite generates a fresh token and 409s once the partner is already activated', async () => {
diff --git a/apps/api/src/routes/admins.ts b/apps/api/src/routes/admins.ts
index 5a1083a..dbaae42 100644
--- a/apps/api/src/routes/admins.ts
+++ b/apps/api/src/routes/admins.ts
@@ -37,14 +37,6 @@ async function getProgramName(): Promise<string | null> {
   return value.programName ?? null;
 }
 
-async function activeAdminCount(trx?: typeof db): Promise<number> {
-  const [row] = await (trx ?? db)<AdminRow>(TABLES.Admin)
-    .whereNotNull('activatedAt')
-    .whereNull('revokedAt')
-    .count<{ count: string }[]>({ count: '*' });
-  return Number(row?.count ?? 0);
-}
-
 async function sendInvite(admin: AdminRow): Promise<void> {
   const issued = await issueMagicLink({
     email: admin.email,
@@ -93,6 +85,7 @@ adminsRouter.post('/admins', requireAuth, requireAdmin, async (req, res) => {
 adminsRouter.post('/admins/:id/invite', requireAuth, requireAdmin, async (req, res) => {
   const admin = await db<AdminRow>(TABLES.Admin).where({ id: req.params.id }).first();
   if (!admin) return res.status(404).json({ error: 'not_found' });
+  if (admin.revokedAt) return res.status(409).json({ error: 'admin_revoked' });
   if (admin.activatedAt) return res.status(409).json({ error: 'already_activated' });
   await sendInvite(admin);
   res.json({ ok: true });
@@ -100,40 +93,63 @@ adminsRouter.post('/admins/:id/invite', requireAuth, requireAdmin, async (req, r
 
 // -------- Revoke --------
 
+class RevokeGuardError extends Error {
+  constructor(public code: string) {
+    super(code);
+  }
+}
+
 adminsRouter.post('/admins/:id/revoke', requireAuth, requireAdmin, async (req, res) => {
   const body = revokeSchema.safeParse(req.body ?? {});
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
-  const admin = await db<AdminRow>(TABLES.Admin).where({ id: req.params.id }).first();
-  if (!admin) return res.status(404).json({ error: 'not_found' });
-  if (admin.revokedAt) return res.status(409).json({ error: 'already_revoked' });
-
-  // Guard: can't revoke yourself when you're a session-sourced admin.
-  // Env-sourced admins (ADMIN_API_KEY) don't have an adminId — they can.
   const caller = req.principal;
-  if (caller?.role === 'admin' && caller.source === 'session' && caller.adminId === admin.id) {
-    return res.status(409).json({ error: 'cannot_revoke_self' });
-  }
+  const now = new Date();
 
-  // Guard: never drop the count of active admins to zero via revoke.
-  // If only one active admin remains and they're the one being revoked,
-  // refuse unless ADMIN_API_KEY was used (env-admin can still get in).
-  const count = await activeAdminCount();
-  if (count <= 1 && admin.activatedAt && !admin.revokedAt) {
-    return res.status(409).json({ error: 'cannot_revoke_last_active_admin' });
+  try {
+    await db.transaction(async (trx) => {
+      // Lock the target admin + all active admins FOR UPDATE so
+      // concurrent revoke calls serialize. Without this, two simultaneous
+      // revokes of the only two active admins both pass the "count > 1"
+      // check and lock everyone out.
+      const admin = await trx<AdminRow>(TABLES.Admin).where({ id: req.params.id }).forUpdate().first();
+      if (!admin) throw new RevokeGuardError('not_found');
+      if (admin.revokedAt) throw new RevokeGuardError('already_revoked');
+
+      // Can't revoke yourself (session-sourced admins only — env-bearer
+      // callers are a headless / emergency path and can revoke anyone).
+      if (caller?.role === 'admin' && caller.source === 'session' && caller.adminId === admin.id) {
+        throw new RevokeGuardError('cannot_revoke_self');
+      }
+
+      // Last-active-admin guard inside the same tx. Count active admins
+      // under FOR UPDATE so the count is stable through commit.
+      const actives = await trx<AdminRow>(TABLES.Admin)
+        .whereNotNull('activatedAt')
+        .whereNull('revokedAt')
+        .forUpdate();
+      const willRemove = admin.activatedAt && !admin.revokedAt;
+      if (willRemove && actives.length <= 1) {
+        throw new RevokeGuardError('cannot_revoke_last_active_admin');
+      }
+
+      await trx<AdminRow>(TABLES.Admin)
+        .where({ id: admin.id })
+        .update({ revokedAt: now, revokeReason: body.data.reason ?? null, updatedAt: now });
+      // Kill admin sessions.
+      await trx<SessionRow>(TABLES.Session)
+        .where({ principalKind: 'admin', principalId: admin.id })
+        .whereNull('revokedAt')
+        .update({ revokedAt: now });
+    });
+  } catch (err) {
+    if (err instanceof RevokeGuardError) {
+      const status = err.code === 'not_found' ? 404 : 409;
+      return res.status(status).json({ error: err.code });
+    }
+    throw err;
   }
 
-  const now = new Date();
-  await db.transaction(async (trx) => {
-    await trx<AdminRow>(TABLES.Admin)
-      .where({ id: admin.id })
-      .update({ revokedAt: now, revokeReason: body.data.reason ?? null, updatedAt: now });
-    // Kill admin sessions like we do for partners.
-    await trx<SessionRow>(TABLES.Session)
-      .where({ principalKind: 'admin', principalId: admin.id })
-      .whereNull('revokedAt')
-      .update({ revokedAt: now });
-  });
   res.json({ ok: true, revokedAt: now });
 });
 
diff --git a/apps/api/src/routes/install.ts b/apps/api/src/routes/install.ts
index 6dd10be..81a8e55 100644
--- a/apps/api/src/routes/install.ts
+++ b/apps/api/src/routes/install.ts
@@ -22,6 +22,10 @@ import { saveMailSettings } from '../mail-settings.js';
 
 export const installRouter = Router();
 
+class AlreadyInstalledError extends Error {
+  readonly name = 'AlreadyInstalledError';
+}
+
 const installLimit = ipRateLimit({ name: 'install', max: 5, windowMs: 60_000 });
 
 const installSchema = z.object({
@@ -65,43 +69,63 @@ installRouter.get('/install/status', async (_req, res) => {
   res.json({ needsSetup: Number(row?.count ?? 0) === 0 });
 });
 
+/** Deterministic pg advisory-lock key — any 64-bit int, as long as this
+ *  is the only caller. Different from 0 to avoid collision with the
+ *  naive "no lock" sentinel some libraries use. */
+const INSTALL_ADVISORY_LOCK = 49_1092_4719;
+
 installRouter.post('/install', installLimit, async (req, res) => {
   const body = installSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
-  const [existing] = await db<AdminRow>(TABLES.Admin)
-    .whereNotNull('activatedAt')
-    .whereNull('revokedAt')
-    .count<{ count: string }[]>({ count: '*' });
-  if (Number(existing?.count ?? 0) > 0) {
-    return res.status(409).json({ error: 'already_installed' });
-  }
-
   const adminEmail = body.data.adminEmail.toLowerCase();
   const programName = body.data.programName.trim();
   const supportEmail = body.data.supportEmail?.trim() || null;
   const now = new Date();
 
-  await db.transaction(async (trx) => {
-    // Program settings first so the admin-invite email can brand the subject.
-    await trx<ConfigRow>(TABLES.Config)
-      .insert({
-        key: 'program_settings',
-        value: { programName, supportEmail } as unknown as never,
-        updatedAt: now,
-      })
-      .onConflict('key')
-      .merge({ value: { programName, supportEmail } as unknown as never, updatedAt: now });
-
-    // Create the admin row; activation happens on magic-link verify.
-    const id = ulid();
-    await trx<AdminRow>(TABLES.Admin).insert({
-      id,
-      email: adminEmail,
-      name: body.data.adminName.trim(),
-      activatedAt: null,
+  let adminId: string | null = null;
+  try {
+    await db.transaction(async (trx) => {
+      // Serialize concurrent installers. The advisory lock is auto-
+      // released when the transaction commits / rolls back. Inside
+      // the lock, re-check the "no admin exists yet" invariant — a
+      // check outside the lock (TOCTOU) would let two concurrent
+      // installers both think they're first.
+      await trx.raw('SELECT pg_advisory_xact_lock(?)', [INSTALL_ADVISORY_LOCK]);
+
+      // Block on ANY admin row (activated or not): while a first-run
+      // magic-link is outstanding, a second installer shouldn't be
+      // able to sneak their own pending admin in.
+      const [existing] = await trx<AdminRow>(TABLES.Admin).count<{ count: string }[]>({ count: '*' });
+      if (Number(existing?.count ?? 0) > 0) {
+        throw new AlreadyInstalledError();
+      }
+
+      await trx<ConfigRow>(TABLES.Config)
+        .insert({
+          key: 'program_settings',
+          value: { programName, supportEmail } as unknown as never,
+          updatedAt: now,
+        })
+        .onConflict('key')
+        .merge({ value: { programName, supportEmail } as unknown as never, updatedAt: now });
+
+      const id = ulid();
+      await trx<AdminRow>(TABLES.Admin).insert({
+        id,
+        email: adminEmail,
+        name: body.data.adminName.trim(),
+        activatedAt: null,
+      });
+      adminId = id;
     });
-  });
+  } catch (err) {
+    if (err instanceof AlreadyInstalledError) {
+      return res.status(409).json({ error: 'already_installed' });
+    }
+    throw err;
+  }
+  if (!adminId) return res.status(500).json({ error: 'install_failed' });
 
   // Mail config is saved outside the tx because saveMailSettings opens
   // its own upsert. A failure here doesn't roll back admin creation —
diff --git a/apps/api/src/routes/partner-auth.ts b/apps/api/src/routes/partner-auth.ts
index b7b6f38..3b58681 100644
--- a/apps/api/src/routes/partner-auth.ts
+++ b/apps/api/src/routes/partner-auth.ts
@@ -25,12 +25,7 @@ import {
 } from '../auth-sessions.js';
 import { getMailer } from '../mailer.js';
 import { ipRateLimit } from '../middleware/rate-limit.js';
-import {
-  adminSigninEmail,
-  buildMagicLinkUrl,
-  partnerRevokedEmail,
-  partnerSigninEmail,
-} from '../email-templates.js';
+import { adminSigninEmail, buildMagicLinkUrl, partnerSigninEmail } from '../email-templates.js';
 
 export const partnerAuthRouter = Router();
 
@@ -71,36 +66,29 @@ partnerAuthRouter.post('/auth/signin', mailAuthLimit, async (req, res) => {
   }
 
   const partner = await db<PartnerRow>(TABLES.Partner).where({ email }).first();
-  if (partner?.activatedAt) {
-    if (partner.revokedAt) {
-      const tmpl = partnerRevokedEmail(partner.name, partner.revokeReason);
-      await getMailer().send({
-        to: email,
-        subject: tmpl.subject,
-        text: tmpl.text,
-        html: tmpl.html,
-        tag: 'partner_revoked',
-        metadata: { purpose: 'partner_revoked_signin_attempt', partnerId: partner.id },
-      });
-    } else {
-      const issued = await issueMagicLink({
-        email,
-        purpose: 'partner_signin',
-        principalKind: 'partner',
-        principalId: partner.id,
-      });
-      const tmpl = partnerSigninEmail(partner.name, buildMagicLinkUrl(issued.plaintext));
-      await getMailer().send({
-        to: email,
-        subject: tmpl.subject,
-        text: tmpl.text,
-        html: tmpl.html,
-        tag: 'partner_signin',
-        metadata: { purpose: 'partner_signin', partnerId: partner.id },
-      });
-    }
+  // Revoked partners fall through silently — they were notified at
+  // revoke time (if admin opted in) and emailing on every signin
+  // attempt turns /auth/signin into a harassment vector: anyone can
+  // cause arbitrary emails to the victim by POSTing their address
+  // here repeatedly.
+  if (partner?.activatedAt && !partner.revokedAt) {
+    const issued = await issueMagicLink({
+      email,
+      purpose: 'partner_signin',
+      principalKind: 'partner',
+      principalId: partner.id,
+    });
+    const tmpl = partnerSigninEmail(partner.name, buildMagicLinkUrl(issued.plaintext));
+    await getMailer().send({
+      to: email,
+      subject: tmpl.subject,
+      text: tmpl.text,
+      html: tmpl.html,
+      tag: 'partner_signin',
+      metadata: { purpose: 'partner_signin', partnerId: partner.id },
+    });
   }
-  // Unknown / pending / revoked-admin → silent 200. No email sent.
+  // Unknown / pending / revoked → silent 200. No email sent.
   res.json({ ok: true });
 });
 

From 96fba9fecf83c232758a024ff26b6daac442f4af Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 19:36:04 -0700
Subject: [PATCH 016/131] fix(correctness): revoke kills api keys, install
 retryable, schema gaps

Four correctness fixes from ultrareview PR #9:

  - Partner revocation now also flips revokedAt on every ApiKey row
    tied to that partner. Previously sessions were killed but partner-
    scoped API keys lived on, so a revoked partner kept programmatic
    access via the SDK / curl.

  - POST /install is retryable on partial failure. The admin row is
    created inside a tx; the following mail-config save + invite
    email happen in a compensating try/catch that undoes the admin +
    magic-link token on any downstream error. Without this, a Postmark
    outage during first install left the instance permanently 409'd.

  - Install schema now rejects mail.kind='smtp'|'postmark' without a
    from address (plus host/serverToken for the respective transport).
    Previously the install "succeeded" and then the activation email
    silently failed because the mailer had no sender.

  - attribution.ts comment updated to match behavior: revoked-partner
    filtering skips them regardless of event timing, for both live
    event webhooks and backlog replays. Earlier the docstring
    suggested "events after revokedAt" but the code filtered more
    aggressively. Code is what we want; comment was lying.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/attribution.ts     |  12 +++-
 apps/api/src/routes/install.ts  | 117 ++++++++++++++++++++------------
 apps/api/src/routes/partners.ts |  10 ++-
 3 files changed, 91 insertions(+), 48 deletions(-)

diff --git a/apps/api/src/attribution.ts b/apps/api/src/attribution.ts
index 1fd3eb6..369a159 100644
--- a/apps/api/src/attribution.ts
+++ b/apps/api/src/attribution.ts
@@ -58,9 +58,15 @@ export async function attributeEvent(
   const cleanClicks = clicks.filter((c) => !c.fraudFlag);
   if (cleanClicks.length === 0) return { status: 'no_click' };
 
-  // Revoked partners don't earn new attribution. We don't delete their
-  // historical commissions — admin reverses individually — but any event
-  // landing AFTER revokedAt no longer generates new rows for them.
+  // Revoked partners are excluded from attribution — any call landing
+  // here (whether a live event webhook or a replay via
+  // attributeBacklogForUser) skips them regardless of whether the event
+  // timestamp predates the revoke. This matches the admin-intent of
+  // "stop all earning for this partner going forward" and keeps backlog
+  // re-runs from retroactively shifting weight around a revoked
+  // partner. Historical attribution rows already in the table for the
+  // partner aren't deleted on revoke — admin reverses those manually
+  // via the commissions review queue if needed.
   const partnerIds = Array.from(new Set(cleanClicks.map((c) => c.partnerId)));
   const revokedPartners = await db('Partner').whereIn('id', partnerIds).whereNotNull('revokedAt').pluck('id');
   const revokedSet = new Set(revokedPartners as string[]);
diff --git a/apps/api/src/routes/install.ts b/apps/api/src/routes/install.ts
index 81a8e55..7597658 100644
--- a/apps/api/src/routes/install.ts
+++ b/apps/api/src/routes/install.ts
@@ -28,33 +28,51 @@ class AlreadyInstalledError extends Error {
 
 const installLimit = ipRateLimit({ name: 'install', max: 5, windowMs: 60_000 });
 
-const installSchema = z.object({
-  adminName: z.string().trim().min(1).max(120),
-  adminEmail: z.string().trim().email().max(254),
-  programName: z.string().trim().min(1).max(120),
-  supportEmail: z.string().trim().email().max(254).optional().or(z.literal('')),
-  mail: z
-    .object({
-      kind: z.enum(['smtp', 'postmark', 'none']),
-      from: z.string().trim().max(254).optional(),
-      smtp: z
-        .object({
-          host: z.string().trim().min(1).max(253),
-          port: z.number().int().min(1).max(65535).default(587),
-          secure: z.boolean().default(false),
-          user: z.string().trim().max(320).optional(),
-          password: z.string().max(500).optional(),
-        })
-        .optional(),
-      postmark: z
-        .object({
-          serverToken: z.string().min(1).max(500),
-          messageStream: z.string().trim().max(120).default('outbound'),
-        })
-        .optional(),
-    })
-    .optional(),
-});
+const installSchema = z
+  .object({
+    adminName: z.string().trim().min(1).max(120),
+    adminEmail: z.string().trim().email().max(254),
+    programName: z.string().trim().min(1).max(120),
+    supportEmail: z.string().trim().email().max(254).optional().or(z.literal('')),
+    mail: z
+      .object({
+        kind: z.enum(['smtp', 'postmark', 'none']),
+        from: z.string().trim().max(254).optional(),
+        smtp: z
+          .object({
+            host: z.string().trim().min(1).max(253),
+            port: z.number().int().min(1).max(65535).default(587),
+            secure: z.boolean().default(false),
+            user: z.string().trim().max(320).optional(),
+            password: z.string().max(500).optional(),
+          })
+          .optional(),
+        postmark: z
+          .object({
+            serverToken: z.string().min(1).max(500),
+            messageStream: z.string().trim().max(120).default('outbound'),
+          })
+          .optional(),
+      })
+      .optional(),
+  })
+  // Cross-field invariants: picking smtp/postmark without the minimum
+  // required fields would let the install "succeed" only to then
+  // silently drop the activation email (wrong From header, no host, no
+  // token). Reject at the boundary instead.
+  .superRefine((val, ctx) => {
+    const m = val.mail;
+    if (!m || m.kind === 'none') return;
+    if (!m.from || !m.from.trim()) {
+      ctx.addIssue({ code: z.ZodIssueCode.custom, path: ['mail', 'from'], message: 'required when kind is smtp or postmark' });
+    }
+    if (m.kind === 'smtp' && !m.smtp?.host) {
+      ctx.addIssue({ code: z.ZodIssueCode.custom, path: ['mail', 'smtp', 'host'], message: 'required when kind is smtp' });
+    }
+    if (m.kind === 'postmark' && !m.postmark?.serverToken) {
+      ctx.addIssue({ code: z.ZodIssueCode.custom, path: ['mail', 'postmark', 'serverToken'], message: 'required when kind is postmark' });
+    }
+  });
 
 /**
  * Public status probe used by the portal to decide whether to route to
@@ -127,36 +145,47 @@ installRouter.post('/install', installLimit, async (req, res) => {
   }
   if (!adminId) return res.status(500).json({ error: 'install_failed' });
 
-  // Mail config is saved outside the tx because saveMailSettings opens
-  // its own upsert. A failure here doesn't roll back admin creation —
-  // admin can fix from Settings → Mail after installing.
-  if (body.data.mail) {
-    await saveMailSettings({
-      kind: body.data.mail.kind,
-      from: body.data.mail.from,
-      smtp: body.data.mail.smtp,
-      postmark: body.data.mail.postmark,
-    });
-  }
+  // Finish the install in a compensating try/catch: if mail config OR
+  // the invite send fails, roll back the Admin row we just created so
+  // /install can be retried. Without this, a partial failure here
+  // would leave an unactivated admin in the table and /install's
+  // "any admin exists" guard would 409 every subsequent attempt — the
+  // only escape being manual DB surgery or env-key intervention.
+  try {
+    if (body.data.mail) {
+      await saveMailSettings({
+        kind: body.data.mail.kind,
+        from: body.data.mail.from,
+        smtp: body.data.mail.smtp,
+        postmark: body.data.mail.postmark,
+      });
+    }
 
-  // Send invite outside the transaction so mail failures don't roll back.
-  const admin = await db<AdminRow>(TABLES.Admin).where({ email: adminEmail }).first();
-  if (admin) {
     const issued = await issueMagicLink({
       email: adminEmail,
       purpose: 'admin_invite',
       principalKind: 'admin',
-      principalId: admin.id,
+      principalId: adminId,
     });
-    const tmpl = adminInviteEmail(admin.name, buildMagicLinkUrl(issued.plaintext), programName);
+    const tmpl = adminInviteEmail(body.data.adminName.trim(), buildMagicLinkUrl(issued.plaintext), programName);
     await getMailer().send({
       to: adminEmail,
       subject: tmpl.subject,
       text: tmpl.text,
       html: tmpl.html,
       tag: 'admin_invite',
-      metadata: { purpose: 'admin_invite', adminId: admin.id, firstRun: true },
+      metadata: { purpose: 'admin_invite', adminId, firstRun: true },
+    });
+  } catch (err) {
+    // Remove the admin row + any magic-link token we issued before the
+    // failure. MagicLinkToken has no FK to Admin since the schema was
+    // generalized, so clean it up explicitly.
+    await db.transaction(async (trx) => {
+      await trx('MagicLinkToken').where({ principalKind: 'admin', principalId: adminId }).del();
+      await trx<AdminRow>(TABLES.Admin).where({ id: adminId }).del();
     });
+    const message = err instanceof Error ? err.message : 'install failed';
+    return res.status(502).json({ error: 'install_mail_failed', detail: message });
   }
 
   res.json({ ok: true });
diff --git a/apps/api/src/routes/partners.ts b/apps/api/src/routes/partners.ts
index 5d26f2b..925c9e3 100644
--- a/apps/api/src/routes/partners.ts
+++ b/apps/api/src/routes/partners.ts
@@ -1,7 +1,7 @@
 import { Router } from 'express';
 import { z } from 'zod';
 import { ulid } from 'ulid';
-import { TABLES, type PartnerRow, type SessionRow } from '@openpartner/db';
+import { TABLES, type ApiKeyRow, type PartnerRow, type SessionRow } from '@openpartner/db';
 import { db } from '../db.js';
 import { grantScope, requireAdmin, requireAuth, requirePartnerOrAdmin } from '../auth.js';
 import { issueMagicLink } from '../auth-sessions.js';
@@ -112,10 +112,18 @@ partnersRouter.post('/partners/:id/revoke', requireAuth, requireAdmin, async (re
     await trx<PartnerRow>(TABLES.Partner)
       .where({ id: partner.id })
       .update({ revokedAt: now, revokeReason: reason, updatedAt: now });
+    // Kill every authentication channel they hold: web sessions AND
+    // their partner-scoped API keys. Leaving ApiKey rows live meant a
+    // revoked partner retained programmatic access even though their
+    // dashboard cookie was killed.
     await trx<SessionRow>(TABLES.Session)
       .where({ principalKind: 'partner', principalId: partner.id })
       .whereNull('revokedAt')
       .update({ revokedAt: now });
+    await trx<ApiKeyRow>(TABLES.ApiKey)
+      .where({ partnerId: partner.id })
+      .whereNull('revokedAt')
+      .update({ revokedAt: now });
   });
 
   if (body.data.notify) {

From 7d076f3710e543d5c7b2a391815f8db70083e230 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 19:39:12 -0700
Subject: [PATCH 017/131] fix(polish): dup-email 409, empty smtp host, spa
 bounce, migration down
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Four validation / UX fixes from ultrareview PR #9:

  - POST /partners pre-checks for a duplicate email and 409s with
    email_taken instead of letting the unique-constraint violation
    surface as a generic 500. A race path (two concurrent inserts
    passing the pre-check) is caught via pg error code 23505 and also
    maps to 409.

  - saveMailSettings now refuses kind='smtp' with an empty host and
    kind='postmark' without a serverToken. Both used to save garbage
    that would blow up at first email. MailSettingsValidationError
    maps to a 400 with a field pointer in the /config/mail route.

  - MagicLanding invalidates the install-status react-query cache on
    successful verify so the first-run admin lands on / after
    clicking their activation link. Before, the cache was keyed
    staleTime:Infinity and still said needsSetup=true from boot —
    / would redirect right back to /install until a hard refresh.

  - admin_accounts migration's down() dropped a non-existent index on
    MagicLinkToken (up() only ever added the index on Session). Dropped
    the stray dropIndex call so rollbacks succeed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/mail-settings.ts                 | 16 +++++++-
 apps/api/src/routes/partners.ts               | 41 ++++++++++++++-----
 apps/api/src/routes/settings.ts               | 26 ++++++++----
 apps/portal/src/pages/auth/MagicLanding.tsx   | 10 ++++-
 .../20260506000000_admin_accounts.ts          |  4 +-
 5 files changed, 75 insertions(+), 22 deletions(-)

diff --git a/apps/api/src/mail-settings.ts b/apps/api/src/mail-settings.ts
index 644a83c..d2d3bd0 100644
--- a/apps/api/src/mail-settings.ts
+++ b/apps/api/src/mail-settings.ts
@@ -186,6 +186,12 @@ export interface MailSettingsInput {
   } | null;
 }
 
+export class MailSettingsValidationError extends Error {
+  constructor(public readonly code: string, public readonly field?: string) {
+    super(code);
+  }
+}
+
 export async function saveMailSettings(input: MailSettingsInput): Promise<void> {
   const current = (await readStored()) ?? ({ kind: null, from: null } as StoredMailSettings);
 
@@ -197,9 +203,14 @@ export async function saveMailSettings(input: MailSettingsInput): Promise<void>
   if (next.kind === 'smtp') {
     const prevSmtp = current.smtp ?? null;
     const s = input.smtp ?? null;
+    const host = s?.host ?? prevSmtp?.host ?? '';
+    // Saving kind='smtp' without a host would succeed silently and
+    // then blow up at first email. Reject at the boundary.
+    if (!host.trim()) throw new MailSettingsValidationError('smtp_host_required', 'smtp.host');
+    if (!next.from) throw new MailSettingsValidationError('from_required', 'from');
     const rotated = s?.password !== undefined && s.password !== '';
     next.smtp = {
-      host: s?.host ?? prevSmtp?.host ?? '',
+      host,
       port: s?.port ?? prevSmtp?.port ?? 587,
       secure: s?.secure ?? prevSmtp?.secure ?? false,
       user: s?.user ?? prevSmtp?.user ?? null,
@@ -213,7 +224,8 @@ export async function saveMailSettings(input: MailSettingsInput): Promise<void>
     const p = input.postmark ?? null;
     const rotated = p?.serverToken !== undefined && p.serverToken !== '';
     const token = rotated ? encryptSecret(p!.serverToken as string) : prevPm?.serverTokenCiphertext;
-    if (!token) throw new Error('postmark serverToken required');
+    if (!token) throw new MailSettingsValidationError('postmark_server_token_required', 'postmark.serverToken');
+    if (!next.from) throw new MailSettingsValidationError('from_required', 'from');
     next.postmark = {
       serverTokenCiphertext: token,
       messageStream: p?.messageStream ?? prevPm?.messageStream ?? 'outbound',
diff --git a/apps/api/src/routes/partners.ts b/apps/api/src/routes/partners.ts
index 925c9e3..7775e25 100644
--- a/apps/api/src/routes/partners.ts
+++ b/apps/api/src/routes/partners.ts
@@ -33,17 +33,36 @@ partnersRouter.post('/partners', requireAuth, grantScope('partners:write'), requ
   const sendInvite = body.data.sendInvite !== false;
   const email = body.data.email.toLowerCase();
   const id = ulid();
-  const [partner] = await db<PartnerRow>(TABLES.Partner)
-    .insert({
-      id,
-      email,
-      name: body.data.name,
-      metadata: body.data.metadata ?? {},
-      // sendInvite=false means the caller is responsible for activating
-      // (federation client, admin seeding, etc); skip the pending state.
-      activatedAt: sendInvite ? null : new Date(),
-    })
-    .returning('*');
+
+  // Duplicate-email pre-check — we'd rather 409 with a clean error than
+  // let Postgres throw a unique-constraint violation that would surface
+  // to the admin as a generic 500. Race between the check + insert is
+  // caught below via the unique-violation path.
+  const existing = await db<PartnerRow>(TABLES.Partner).where({ email }).first();
+  if (existing) return res.status(409).json({ error: 'email_taken' });
+
+  let partner;
+  try {
+    [partner] = await db<PartnerRow>(TABLES.Partner)
+      .insert({
+        id,
+        email,
+        name: body.data.name,
+        metadata: body.data.metadata ?? {},
+        // sendInvite=false means the caller is responsible for activating
+        // (federation client, admin seeding, etc); skip the pending state.
+        activatedAt: sendInvite ? null : new Date(),
+      })
+      .returning('*');
+  } catch (err) {
+    // Race: two concurrent POSTs with the same email both pass the
+    // pre-check and try to insert. The second one hits the unique
+    // constraint on Partner.email.
+    if (typeof err === 'object' && err !== null && (err as { code?: string }).code === '23505') {
+      return res.status(409).json({ error: 'email_taken' });
+    }
+    throw err;
+  }
 
   if (sendInvite) {
     const issued = await issueMagicLink({ email, purpose: 'partner_invite', principalKind: 'partner', principalId: id });
diff --git a/apps/api/src/routes/settings.ts b/apps/api/src/routes/settings.ts
index 315cac1..65d54fe 100644
--- a/apps/api/src/routes/settings.ts
+++ b/apps/api/src/routes/settings.ts
@@ -14,7 +14,12 @@ import { z } from 'zod';
 import { TABLES, type ConfigRow } from '@openpartner/db';
 import { db } from '../db.js';
 import { requireAdmin, requireAuth } from '../auth.js';
-import { getPublicMailSettings, saveMailSettings, type MailTransportKind } from '../mail-settings.js';
+import {
+  MailSettingsValidationError,
+  getPublicMailSettings,
+  saveMailSettings,
+  type MailTransportKind,
+} from '../mail-settings.js';
 
 export const settingsRouter = Router();
 
@@ -94,11 +99,18 @@ settingsRouter.post('/config/mail', requireAuth, requireAdmin, async (req, res)
   const body = mailSettingsSchema.safeParse(req.body ?? {});
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
-  await saveMailSettings({
-    kind: body.data.kind as MailTransportKind,
-    from: body.data.from === '' ? null : body.data.from ?? undefined,
-    smtp: body.data.smtp,
-    postmark: body.data.postmark,
-  });
+  try {
+    await saveMailSettings({
+      kind: body.data.kind as MailTransportKind,
+      from: body.data.from === '' ? null : body.data.from ?? undefined,
+      smtp: body.data.smtp,
+      postmark: body.data.postmark,
+    });
+  } catch (err) {
+    if (err instanceof MailSettingsValidationError) {
+      return res.status(400).json({ error: err.code, field: err.field });
+    }
+    throw err;
+  }
   res.json(await getPublicMailSettings());
 });
diff --git a/apps/portal/src/pages/auth/MagicLanding.tsx b/apps/portal/src/pages/auth/MagicLanding.tsx
index 274c90d..eee484c 100644
--- a/apps/portal/src/pages/auth/MagicLanding.tsx
+++ b/apps/portal/src/pages/auth/MagicLanding.tsx
@@ -1,5 +1,6 @@
 import { useEffect, useState } from 'react';
 import { useNavigate, useSearchParams } from 'react-router-dom';
+import { useQueryClient } from '@tanstack/react-query';
 import { api, clearApiKey } from '../../api.js';
 import { theme } from '../../theme.js';
 import { AuthFrame } from './Shared.js';
@@ -13,6 +14,7 @@ import { AuthFrame } from './Shared.js';
 export function MagicLandingPage() {
   const [params] = useSearchParams();
   const nav = useNavigate();
+  const qc = useQueryClient();
   const [state, setState] = useState<'verifying' | 'ok' | 'failed'>('verifying');
   const [detail, setDetail] = useState<string | null>(null);
 
@@ -26,6 +28,12 @@ export function MagicLandingPage() {
     clearApiKey();
     api<{ ok: boolean }>('/auth/magic/verify', { method: 'POST', body: { token } })
       .then(() => {
+        // After a successful first-run activation the install-status
+        // probe was cached (staleTime: Infinity) with needsSetup=true
+        // from app boot, so / would redirect right back to /install.
+        // Invalidate so the Shell re-reads and admits the newly
+        // activated admin into the dashboard.
+        qc.invalidateQueries({ queryKey: ['install-status'] });
         setState('ok');
         setTimeout(() => nav('/', { replace: true }), 400);
       })
@@ -35,7 +43,7 @@ export function MagicLandingPage() {
           err && typeof err === 'object' && 'message' in err ? String((err as { message: unknown }).message) : 'Link is invalid or expired.',
         );
       });
-  }, [nav, params]);
+  }, [nav, params, qc]);
 
   return (
     <AuthFrame title="Signing you in" subtitle="One moment…">
diff --git a/packages/db/migrations/20260506000000_admin_accounts.ts b/packages/db/migrations/20260506000000_admin_accounts.ts
index 76c4acb..d9ceb40 100644
--- a/packages/db/migrations/20260506000000_admin_accounts.ts
+++ b/packages/db/migrations/20260506000000_admin_accounts.ts
@@ -88,7 +88,9 @@ export async function down(knex: Knex): Promise<void> {
     where "principalKind" = 'partner'
   `);
   await knex.schema.alterTable('MagicLinkToken', (t) => {
-    t.dropIndex(['principalKind', 'principalId']);
+    // (No dropIndex here — up() never added an index on
+    // MagicLinkToken's (principalKind, principalId); the index is
+    // only on Session.)
     t.dropColumn('principalKind');
     t.dropColumn('principalId');
     t.foreign('partnerId').references('id').inTable('Partner').onDelete('CASCADE');

From 73bdf58ada5ff38bf23616e97b536166f15119b7 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Fri, 24 Apr 2026 19:50:55 -0700
Subject: [PATCH 018/131] feat(partner): getting-started checklist on first-run
 dashboard
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Newly-activated partners used to land on an empty Dashboard with
nothing to do. The card fills that gap — two checklist rows that
auto-complete as the partner finishes each step, and the card
disappears once both are done:

  ☐ Create your first share link → /links
  ☐ Connect Stripe to get paid   → /connect

Live from the partner's existing data: link count via GET
/partners/:id/links, Stripe Connect readiness via /connect/status.
The existing ConnectNudge (shown when there's actually money waiting
to be paid out) suppresses while the checklist is up — one call to
action at a time.

Also removed the dead Network-role redirect in the Dashboard
component (network_creator / network_vendor roles no longer exist
since the Network carve-out).
---
 apps/portal/src/pages/Dashboard.tsx | 117 +++++++++++++++++++++++++---
 1 file changed, 108 insertions(+), 9 deletions(-)

diff --git a/apps/portal/src/pages/Dashboard.tsx b/apps/portal/src/pages/Dashboard.tsx
index 91e42bc..ac04845 100644
--- a/apps/portal/src/pages/Dashboard.tsx
+++ b/apps/portal/src/pages/Dashboard.tsx
@@ -1,6 +1,17 @@
 import { useQuery } from '@tanstack/react-query';
-import { Link, Navigate } from 'react-router-dom';
-import { MousePointerClick, Receipt, Wallet, Users, UserCheck, CreditCard, AlertCircle } from 'lucide-react';
+import { Link } from 'react-router-dom';
+import {
+  MousePointerClick,
+  Receipt,
+  Wallet,
+  Users,
+  UserCheck,
+  CreditCard,
+  AlertCircle,
+  Link2,
+  CheckCircle2,
+  Circle,
+} from 'lucide-react';
 import { api, type Principal } from '../api.js';
 import { theme } from '../theme.js';
 import { Avatar, Button, Card, EmptyState, ErrorBanner, Page, SectionHeading, Stat, StatusPill, money } from '../ui.js';
@@ -21,12 +32,6 @@ export function Dashboard({ principal }: { principal: Principal }) {
   if (principal.role === 'partner') {
     return <PartnerDashboard partnerId={principal.partnerId!} name={principal.partner?.name ?? ''} />;
   }
-  // Network roles don't have a "dashboard" in the vendor-partner sense —
-  // their useful landing page is their Partnerships view, which already
-  // renders the earnings projection.
-  if (principal.role === 'network_creator' || principal.role === 'network_vendor') {
-    return <Navigate to="/network/partnerships" replace />;
-  }
   return null;
 }
 
@@ -57,6 +62,14 @@ function PartnerDashboard({ partnerId, name }: { partnerId: string; name: string
     queryFn: () => api<ConnectStatus>(`/partners/${partnerId}/connect/status`),
     retry: false,
   });
+  const links = useQuery({
+    queryKey: ['links', partnerId],
+    queryFn: () => api<{ links: unknown[] }>(`/partners/${partnerId}/links`),
+  });
+
+  const linkCount = links.data?.links.length ?? 0;
+  const hasLink = linkCount > 0;
+  const hasActiveConnect = !!connect.data?.connected && !!connect.data?.payoutsEnabled;
 
   const owedAmount = (data?.commissionByStatus.approved ?? 0) + (data?.commissionByStatus.accrued ?? 0);
   const needsConnect =
@@ -65,13 +78,24 @@ function PartnerDashboard({ partnerId, name }: { partnerId: string; name: string
     connect.data != null &&
     (!connect.data.connected || !connect.data.payoutsEnabled);
 
+  // Getting-started card shows while EITHER onboarding task is outstanding.
+  // We only render it once we know the state of both (connect + links),
+  // otherwise the card can flash during initial load.
+  const showGettingStarted =
+    !links.isLoading && !connect.isLoading && (!hasLink || !hasActiveConnect);
+
   return (
     <Page
       title={`Hi ${name.split(' ')[0] || 'there'}`}
       subtitle="Last 30 days"
     >
       <ErrorBanner error={error} />
-      {needsConnect && <ConnectNudge owed={owedAmount} connected={connect.data!.connected} />}
+      {showGettingStarted && (
+        <GettingStarted hasLink={hasLink} connectReady={hasActiveConnect} />
+      )}
+      {needsConnect && !showGettingStarted && (
+        <ConnectNudge owed={owedAmount} connected={connect.data!.connected} />
+      )}
       {isLoading || !data ? (
         <Card>Loading…</Card>
       ) : (
@@ -114,6 +138,81 @@ function PartnerDashboard({ partnerId, name }: { partnerId: string; name: string
   );
 }
 
+function GettingStarted({ hasLink, connectReady }: { hasLink: boolean; connectReady: boolean }) {
+  return (
+    <Card>
+      <div style={{ fontSize: 15, fontWeight: 500, marginBottom: 4 }}>Getting started</div>
+      <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 16 }}>
+        Two quick steps and you're earning. This card goes away once both are done.
+      </div>
+      <div style={{ display: 'flex', flexDirection: 'column', gap: 10 }}>
+        <ChecklistRow
+          done={hasLink}
+          icon={<Link2 size={16} />}
+          title="Create your first share link"
+          hint="Pick a short slug; anyone who clicks it gets attributed back to you."
+          cta="Create link"
+          to="/links"
+        />
+        <ChecklistRow
+          done={connectReady}
+          icon={<CreditCard size={16} />}
+          title="Connect Stripe to get paid"
+          hint="Commissions you earn land directly in your Stripe balance."
+          cta={connectReady ? 'Manage' : 'Connect Stripe'}
+          to="/connect"
+        />
+      </div>
+    </Card>
+  );
+}
+
+function ChecklistRow({
+  done,
+  icon,
+  title,
+  hint,
+  cta,
+  to,
+}: {
+  done: boolean;
+  icon: React.ReactNode;
+  title: string;
+  hint: string;
+  cta: string;
+  to: string;
+}) {
+  return (
+    <div
+      style={{
+        display: 'flex',
+        alignItems: 'center',
+        gap: 12,
+        padding: '12px 14px',
+        background: done ? theme.successSoft : theme.surface2,
+        border: `1px solid ${done ? `${theme.success}44` : theme.borderSubtle}`,
+        borderRadius: theme.radiusSm,
+      }}
+    >
+      <div style={{ color: done ? theme.success : theme.textDim, display: 'inline-flex' }}>
+        {done ? <CheckCircle2 size={18} /> : <Circle size={18} />}
+      </div>
+      <div style={{ color: theme.textMuted, display: 'inline-flex' }}>{icon}</div>
+      <div style={{ flex: 1, minWidth: 0 }}>
+        <div style={{ fontSize: 14, fontWeight: 500, color: theme.text, textDecoration: done ? 'line-through' : 'none' }}>
+          {title}
+        </div>
+        <div style={{ fontSize: 12, color: theme.textDim, marginTop: 2 }}>{hint}</div>
+      </div>
+      {!done && (
+        <Link to={to} style={{ textDecoration: 'none' }}>
+          <Button size="sm">{cta}</Button>
+        </Link>
+      )}
+    </div>
+  );
+}
+
 function ConnectNudge({ owed, connected }: { owed: number; connected: boolean }) {
   return (
     <Card>

From 9d45d1110b12460d3a37fe46a96d30d5c85a5010 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Sat, 25 Apr 2026 01:22:16 -0700
Subject: [PATCH 019/131] feat(stripe-webhook): merchant billing flow via
 client_reference_id
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a Rewardful-style integration path where merchants pass the partner
ref through Stripe Checkout's client_reference_id instead of calling
op.identify() from their app. On checkout.session.completed we stitch
an Identity (cref → customer.id) and emit signup; downstream invoice.paid
and customer.subscription.created resolve through the existing path.

Disambiguator: the existing handleConnectEvent for checkout.session.completed
now skips when client_reference_id is set, so merchant→customer checkouts
can't accidentally clobber the merchant's own subscription record.

resolveUserIdFromCustomer falls back to an Identity-table lookup when
metadata is missing — covers the race where invoice.paid lands before our
metadata backfill propagates on Stripe's side.

SDK: getReferral() helper with the canonical Stripe Checkout usage in
the docstring. Aliases getCref() so existing integrations keep working.

Tests: 5 cases — valid stitch, unknown cref dropped, idempotency on Stripe
event-id retries, invoice.paid resolves via the stitched Identity, and
the merchant-subscription path still fires when no client_reference_id is
set. Stripe customer ops mocked via vi.mock; signature verification real.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/__tests__/stripe-webhook.test.ts | 284 ++++++++++++++++++
 apps/api/src/routes/stripe-webhook.ts         |  64 +++-
 packages/sdk/src/browser.ts                   |  16 +
 3 files changed, 359 insertions(+), 5 deletions(-)
 create mode 100644 apps/api/src/__tests__/stripe-webhook.test.ts

diff --git a/apps/api/src/__tests__/stripe-webhook.test.ts b/apps/api/src/__tests__/stripe-webhook.test.ts
new file mode 100644
index 0000000..af63adc
--- /dev/null
+++ b/apps/api/src/__tests__/stripe-webhook.test.ts
@@ -0,0 +1,284 @@
+/**
+ * Stripe webhook tests covering the merchant-side billing flow:
+ * checkout.session.completed with client_reference_id stitches an Identity,
+ * and downstream invoice.paid resolves through that Identity.
+ *
+ * Signature verification uses the real Stripe SDK against a test secret;
+ * stripe.customers.update / retrieve are mocked so tests don't hit the API.
+ */
+
+import { afterAll, beforeAll, beforeEach, describe, expect, it, vi } from 'vitest';
+import request from 'supertest';
+import { ulid } from 'ulid';
+import Stripe from 'stripe';
+
+const STRIPE_SECRET = 'sk_test_dummy_for_webhook_tests';
+const WEBHOOK_SECRET = 'whsec_test_secret_for_webhook_tests';
+
+process.env.STRIPE_SECRET_KEY = STRIPE_SECRET;
+process.env.STRIPE_WEBHOOK_SECRET = WEBHOOK_SECRET;
+process.env.OPENPARTNER_MODE = process.env.OPENPARTNER_MODE ?? 'selfhost';
+
+// Mock the Stripe constructor so customer ops are inert. We keep the real
+// webhooks helper (used inside the route for signature verification) by
+// wrapping a real Stripe instance and overriding only `customers`.
+vi.mock('stripe', async () => {
+  const actual = await vi.importActual<typeof import('stripe')>('stripe');
+  const Real = actual.default;
+  function MockedStripe(this: unknown, key: string, opts?: Stripe.StripeConfig) {
+    const instance = new Real(key, opts) as Stripe;
+    (instance as unknown as { customers: unknown }).customers = {
+      update: vi.fn().mockResolvedValue({ id: 'cus_test_mocked' }),
+      retrieve: vi.fn().mockResolvedValue({ id: 'cus_test_mocked', metadata: {}, deleted: false }),
+    };
+    return instance;
+  }
+  // Preserve the static `webhooks` namespace for any direct imports.
+  (MockedStripe as unknown as { webhooks: unknown }).webhooks = (Real as unknown as { webhooks: unknown }).webhooks;
+  return { default: MockedStripe };
+});
+
+// Imports must follow the env + mock setup so they pick up the right config.
+const { TABLES } = await import('@openpartner/db');
+const { db } = await import('../db.js');
+const { createApp } = await import('../app.js');
+
+const skipIntegration = !process.env.DATABASE_URL || process.env.INTEGRATION === 'skip';
+const app = createApp({ enableLogger: false });
+
+// Real Stripe instance for signing test webhook payloads. The mock above
+// overrides `customers`, but `webhooks.generateTestHeaderString` is a static
+// method on the class and remains real.
+const stripeForSigning = new Stripe(STRIPE_SECRET);
+
+function postWebhook(eventPayload: object) {
+  const body = JSON.stringify(eventPayload);
+  const sig = stripeForSigning.webhooks.generateTestHeaderString({
+    payload: body,
+    secret: WEBHOOK_SECRET,
+  });
+  return request(app)
+    .post('/webhooks/stripe')
+    .set('content-type', 'application/json')
+    .set('stripe-signature', sig)
+    .send(body);
+}
+
+const TABLES_TO_CLEAN = [
+  TABLES.Commission,
+  TABLES.Attribution,
+  TABLES.Event,
+  TABLES.Identity,
+  TABLES.Click,
+  TABLES.Link,
+  TABLES.Campaign,
+  TABLES.Partner,
+  TABLES.Config,
+];
+
+interface Ids {
+  partnerId: string;
+  campaignId: string;
+  linkId: string;
+  clickId: string;
+}
+
+async function seedClick(): Promise<Ids> {
+  const partnerId = ulid();
+  const campaignId = ulid();
+  const linkId = ulid();
+  const clickId = ulid();
+  await db(TABLES.Partner).insert({ id: partnerId, name: 'Test partner', email: `p-${partnerId}@example.com` });
+  await db(TABLES.Campaign).insert({
+    id: campaignId,
+    name: 'Default',
+    attributionModel: 'last_click',
+    attributionWindowDays: 60,
+    commissionRule: { type: 'percent', value: 20 },
+  });
+  await db(TABLES.Link).insert({
+    id: linkId,
+    partnerId,
+    campaignId,
+    linkKey: `lk-${linkId}`,
+    destinationUrl: 'https://example.com',
+  });
+  await db(TABLES.Click).insert({
+    id: clickId,
+    linkId,
+    partnerId,
+    campaignId,
+    landingUrl: 'https://example.com/landing',
+    ipHash: 'h',
+    ts: new Date(),
+  });
+  return { partnerId, campaignId, linkId, clickId };
+}
+
+beforeAll(async () => {
+  if (skipIntegration) return;
+  await db.raw('select 1');
+});
+
+afterAll(async () => {
+  await db.destroy();
+});
+
+beforeEach(async () => {
+  if (skipIntegration) return;
+  for (const t of TABLES_TO_CLEAN) await db(t).del();
+});
+
+describe.skipIf(skipIntegration)('stripe webhook — merchant billing flow', () => {
+  it('checkout.session.completed with valid client_reference_id stitches Identity + emits signup', async () => {
+    const { clickId } = await seedClick();
+    const customerId = `cus_${ulid()}`;
+
+    const res = await postWebhook({
+      id: `evt_${ulid()}`,
+      type: 'checkout.session.completed',
+      created: Math.floor(Date.now() / 1000),
+      data: {
+        object: {
+          id: `cs_${ulid()}`,
+          mode: 'subscription',
+          client_reference_id: clickId,
+          customer: customerId,
+          subscription: `sub_${ulid()}`,
+        },
+      },
+    });
+
+    expect(res.status).toBe(200);
+    const identity = await db(TABLES.Identity).where({ clickId, userId: customerId }).first();
+    expect(identity).toBeTruthy();
+
+    const event = await db(TABLES.Event).where({ userId: customerId, type: 'signup' }).first();
+    expect(event).toBeTruthy();
+  });
+
+  it('checkout.session.completed with unknown client_reference_id is silently dropped', async () => {
+    const customerId = `cus_${ulid()}`;
+    const bogusCref = ulid(); // not in Click table
+
+    const res = await postWebhook({
+      id: `evt_${ulid()}`,
+      type: 'checkout.session.completed',
+      created: Math.floor(Date.now() / 1000),
+      data: {
+        object: {
+          id: `cs_${ulid()}`,
+          mode: 'subscription',
+          client_reference_id: bogusCref,
+          customer: customerId,
+          subscription: `sub_${ulid()}`,
+        },
+      },
+    });
+
+    expect(res.status).toBe(200);
+    const identity = await db(TABLES.Identity).where({ userId: customerId }).first();
+    expect(identity).toBeFalsy();
+    const event = await db(TABLES.Event).where({ userId: customerId }).first();
+    expect(event).toBeFalsy();
+  });
+
+  it('redelivery of the same Stripe event is idempotent', async () => {
+    const { clickId } = await seedClick();
+    const customerId = `cus_${ulid()}`;
+    const eventId = `evt_${ulid()}`;
+    const payload = {
+      id: eventId,
+      type: 'checkout.session.completed',
+      created: Math.floor(Date.now() / 1000),
+      data: {
+        object: {
+          id: `cs_${ulid()}`,
+          mode: 'subscription',
+          client_reference_id: clickId,
+          customer: customerId,
+          subscription: `sub_${ulid()}`,
+        },
+      },
+    };
+
+    await postWebhook(payload);
+    await postWebhook(payload);
+
+    const events = await db(TABLES.Event).where({ userId: customerId, type: 'signup' });
+    expect(events).toHaveLength(1);
+  });
+
+  it('invoice.paid resolves userId via the Identity stitched at checkout', async () => {
+    const { clickId, partnerId } = await seedClick();
+    const customerId = `cus_${ulid()}`;
+
+    // 1. Checkout stitches the Identity.
+    await postWebhook({
+      id: `evt_${ulid()}`,
+      type: 'checkout.session.completed',
+      created: Math.floor(Date.now() / 1000),
+      data: {
+        object: {
+          id: `cs_${ulid()}`,
+          mode: 'subscription',
+          client_reference_id: clickId,
+          customer: customerId,
+          subscription: `sub_${ulid()}`,
+        },
+      },
+    });
+
+    // 2. invoice.paid arrives with customer as a Stripe Customer object so the
+    //    real-API retrieve path isn't exercised. The metadata has no
+    //    openpartner_user_id, forcing the Identity-fallback resolution.
+    const res = await postWebhook({
+      id: `evt_${ulid()}`,
+      type: 'invoice.paid',
+      created: Math.floor(Date.now() / 1000),
+      data: {
+        object: {
+          id: `in_${ulid()}`,
+          customer: { id: customerId, metadata: {}, object: 'customer' },
+          amount_paid: 4900,
+          currency: 'usd',
+        },
+      },
+    });
+
+    expect(res.status).toBe(200);
+    const event = await db(TABLES.Event).where({ userId: customerId, type: 'invoice_paid' }).first();
+    expect(event).toBeTruthy();
+    expect(Number(event!.value)).toBe(49);
+
+    // Attribution should have credited the seeded partner.
+    const attribution = await db(TABLES.Attribution).where({ eventId: event!.id }).first();
+    expect(attribution).toBeTruthy();
+    expect(attribution!.partnerId).toBe(partnerId);
+  });
+
+  it('checkout.session.completed without client_reference_id falls through to merchant-subscription path', async () => {
+    // No seeded click — this simulates "the merchant subscribing to us"
+    // (which billing.ts persists as a Config row, not as an Identity/Event).
+    const res = await postWebhook({
+      id: `evt_${ulid()}`,
+      type: 'checkout.session.completed',
+      created: Math.floor(Date.now() / 1000),
+      data: {
+        object: {
+          id: `cs_${ulid()}`,
+          mode: 'subscription',
+          customer: `cus_${ulid()}`,
+          subscription: `sub_${ulid()}`,
+          // no client_reference_id
+        },
+      },
+    });
+
+    expect(res.status).toBe(200);
+    const events = await db(TABLES.Event);
+    expect(events).toHaveLength(0);
+    const identities = await db(TABLES.Identity);
+    expect(identities).toHaveLength(0);
+  });
+});
diff --git a/apps/api/src/routes/stripe-webhook.ts b/apps/api/src/routes/stripe-webhook.ts
index d41c4e4..f4c8aaa 100644
--- a/apps/api/src/routes/stripe-webhook.ts
+++ b/apps/api/src/routes/stripe-webhook.ts
@@ -1,7 +1,7 @@
 import { Router, raw } from 'express';
 import Stripe from 'stripe';
 import { ulid } from 'ulid';
-import { TABLES, type EventRow, type PartnerRow, type PayoutRow } from '@openpartner/db';
+import { TABLES, type ClickRow, type EventRow, type IdentityRow, type PartnerRow, type PayoutRow } from '@openpartner/db';
 import { db } from '../db.js';
 import { attributeEvent } from '../attribution.js';
 import { persistMerchantSubscription } from './billing.js';
@@ -110,6 +110,12 @@ async function handleConnectEvent(event: Stripe.Event): Promise<string | null> {
     }
     case 'checkout.session.completed': {
       const session = event.data.object as Stripe.Checkout.Session;
+      // Disambiguator: a Rewardful-style merchant→customer checkout carries
+      // client_reference_id (the cref). Our merchant→OpenPartner subscription
+      // checkout (created in billing.ts) doesn't. So presence of
+      // client_reference_id means "skip the merchant-subscription path and
+      // let mapStripeEvent do attribution."
+      if (session.client_reference_id) return null;
       if (session.mode === 'subscription' && typeof session.customer === 'string' && typeof session.subscription === 'string') {
         await persistMerchantSubscription(session.customer, session.subscription);
         return 'merchant_subscription_persisted';
@@ -142,6 +148,40 @@ interface MappedEvent {
 
 async function mapStripeEvent(stripe: Stripe, event: Stripe.Event): Promise<MappedEvent | null> {
   switch (event.type) {
+    case 'checkout.session.completed': {
+      // Rewardful-style flow: merchant adds client_reference_id (the cref)
+      // to Stripe Checkout. We stitch the resulting Stripe customer to that
+      // click here, so subsequent invoice.paid / subscription events resolve
+      // without an explicit op.identify() call from the merchant's app.
+      const session = event.data.object as Stripe.Checkout.Session;
+      const cref = session.client_reference_id;
+      const customerId = typeof session.customer === 'string' ? session.customer : session.customer?.id;
+      if (!cref || !customerId) return null;
+
+      // Validate the cref points at a real Click — silently drop unknowns
+      // so a bad client_reference_id can't inflate a partner's numbers.
+      const click = await db<ClickRow>(TABLES.Click).where({ id: cref }).first();
+      if (!click) return null;
+
+      await db<IdentityRow>(TABLES.Identity)
+        .insert({ id: ulid(), clickId: cref, userId: customerId })
+        .onConflict(['clickId', 'userId'])
+        .ignore();
+
+      // Backfill metadata so the cheaper resolve path (metadata lookup)
+      // works for downstream invoice.paid / subscription events. Best-
+      // effort: if the API call fails (deleted customer, network blip),
+      // resolveUserIdFromCustomer will fall back to the Identity table.
+      try {
+        await stripe.customers.update(customerId, {
+          metadata: { openpartner_user_id: customerId },
+        });
+      } catch {
+        // Non-fatal.
+      }
+
+      return { userId: customerId, type: 'signup' };
+    }
     case 'customer.created': {
       const customer = event.data.object as Stripe.Customer;
       const userId = customer.metadata?.openpartner_user_id;
@@ -175,11 +215,25 @@ async function resolveUserIdFromCustomer(
   customer: string | Stripe.Customer | Stripe.DeletedCustomer | null,
 ): Promise<string | null> {
   if (!customer) return null;
+  let customerId: string | null = null;
+  let metadataUserId: string | null = null;
+
   if (typeof customer === 'string') {
+    customerId = customer;
     const fetched = await stripe.customers.retrieve(customer);
-    if (fetched.deleted) return null;
-    return fetched.metadata?.openpartner_user_id ?? null;
+    if (!fetched.deleted) metadataUserId = fetched.metadata?.openpartner_user_id ?? null;
+  } else {
+    if ('deleted' in customer && customer.deleted) return null;
+    customerId = (customer as Stripe.Customer).id;
+    metadataUserId = (customer as Stripe.Customer).metadata?.openpartner_user_id ?? null;
   }
-  if ('deleted' in customer && customer.deleted) return null;
-  return (customer as Stripe.Customer).metadata?.openpartner_user_id ?? null;
+
+  if (metadataUserId) return metadataUserId;
+  if (!customerId) return null;
+
+  // Fallback: Stripe Billing flow stitches Identity rows with userId =
+  // customer.id. This covers the race where invoice.paid arrives before our
+  // metadata-backfill on checkout.session.completed lands on Stripe's side.
+  const identity = await db<IdentityRow>(TABLES.Identity).where({ userId: customerId }).first();
+  return identity ? customerId : null;
 }
diff --git a/packages/sdk/src/browser.ts b/packages/sdk/src/browser.ts
index c492246..37a3c10 100644
--- a/packages/sdk/src/browser.ts
+++ b/packages/sdk/src/browser.ts
@@ -63,6 +63,22 @@ export class OpenPartner {
     return localStorage.getItem(this.config.storageKey);
   }
 
+  /**
+   * Captured referral token for this visitor. Pass to Stripe Checkout
+   * as `client_reference_id` to enable webhook-based attribution
+   * without an explicit identify() call:
+   *
+   *   stripe.checkout.sessions.create({
+   *     client_reference_id: op.getReferral() ?? undefined,
+   *     // ...
+   *   });
+   *
+   * Returns null if the visitor didn't arrive via a partner link.
+   */
+  getReferral(): string | null {
+    return this.getCref();
+  }
+
   /** Explicitly discard the captured cref. */
   clear(): void {
     if (typeof localStorage === 'undefined') return;

From 8c2e04a7d6d0278d3baacbc4f51c375b2371c319 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Sat, 25 Apr 2026 11:37:58 -0700
Subject: [PATCH 020/131] feat(stripe-webhook): accept comma-separated
 STRIPE_WEBHOOK_SECRET

Stripe's Event destinations UI splits platform-account events
(checkout.*, customer.*, invoice.*) and connected-account events
(account.updated, transfer.*) into separate destinations, each with its
own signing secret. Both destinations point at the same /webhooks/stripe
URL, so we just need to verify against any configured secret.

STRIPE_WEBHOOK_SECRET now accepts either a single secret (existing
behavior) or a comma-separated list. We try each in turn until one
verifies; if none do, return 400 invalid_signature as before.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/stripe-webhook.ts | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/apps/api/src/routes/stripe-webhook.ts b/apps/api/src/routes/stripe-webhook.ts
index f4c8aaa..846aea9 100644
--- a/apps/api/src/routes/stripe-webhook.ts
+++ b/apps/api/src/routes/stripe-webhook.ts
@@ -7,7 +7,16 @@ import { attributeEvent } from '../attribution.js';
 import { persistMerchantSubscription } from './billing.js';
 
 const stripeKey = process.env.STRIPE_SECRET_KEY;
-const webhookSecret = process.env.STRIPE_WEBHOOK_SECRET;
+// STRIPE_WEBHOOK_SECRET accepts either a single secret or a comma-separated
+// list. Stripe's new "Event destinations" UI splits platform-account events
+// (checkout.*, invoice.*, customer.*) and connected-account events
+// (account.updated, transfer.*) into separate destinations, each with its own
+// signing secret. Both destinations point at the same /webhooks/stripe URL —
+// we just need to verify against any configured secret.
+const webhookSecrets = (process.env.STRIPE_WEBHOOK_SECRET ?? '')
+  .split(',')
+  .map((s) => s.trim())
+  .filter(Boolean);
 
 const stripe = stripeKey ? new Stripe(stripeKey) : null;
 
@@ -30,19 +39,23 @@ stripeWebhookRouter.post(
   '/webhooks/stripe',
   raw({ type: 'application/json' }),
   async (req, res) => {
-    if (!stripe || !webhookSecret) {
+    if (!stripe || webhookSecrets.length === 0) {
       return res.status(503).json({ error: 'stripe_not_configured' });
     }
 
     const sig = req.header('stripe-signature');
     if (!sig) return res.status(400).json({ error: 'missing_signature' });
 
-    let event: Stripe.Event;
-    try {
-      event = stripe.webhooks.constructEvent(req.body, sig, webhookSecret);
-    } catch {
-      return res.status(400).json({ error: 'invalid_signature' });
+    let event: Stripe.Event | null = null;
+    for (const secret of webhookSecrets) {
+      try {
+        event = stripe.webhooks.constructEvent(req.body, sig, secret);
+        break;
+      } catch {
+        // Try the next secret. If none match we'll fall through to 400.
+      }
     }
+    if (!event) return res.status(400).json({ error: 'invalid_signature' });
 
     const connectResult = await handleConnectEvent(event);
     if (connectResult) return res.json({ ok: true, connect: connectResult });

From 22699486010aa5e1f854b6ed26ab3ad5ff0afb1c Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Sat, 25 Apr 2026 12:00:30 -0700
Subject: [PATCH 021/131] chore(stripe): provisioning script for products +
 prices
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

One-shot, idempotent script that creates OpenPartner Flex, Network
access, and Revshare products in any Stripe account. Outputs the
STRIPE_FLAT_PRICE_ID value to add to .env.

Run with:
  STRIPE_SECRET_KEY=sk_test_... node apps/api/scripts/setup-stripe.mjs

Re-runs are safe — products are looked up by metadata key before
create, and prices by amount + recurrence kind.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/scripts/setup-stripe.mjs | 132 ++++++++++++++++++++++++++++++
 1 file changed, 132 insertions(+)
 create mode 100644 apps/api/scripts/setup-stripe.mjs

diff --git a/apps/api/scripts/setup-stripe.mjs b/apps/api/scripts/setup-stripe.mjs
new file mode 100644
index 0000000..5a9dc10
--- /dev/null
+++ b/apps/api/scripts/setup-stripe.mjs
@@ -0,0 +1,132 @@
+#!/usr/bin/env node
+/**
+ * Provision the Stripe products + prices OpenPartner needs.
+ *
+ *   STRIPE_SECRET_KEY=sk_test_... node apps/api/scripts/setup-stripe.mjs
+ *
+ * Idempotent: each product is keyed by a metadata tag; re-running after a
+ * partial failure won't create duplicates. Outputs the env var values you
+ * need to add to your .env at the end.
+ *
+ * Use a test-mode key first (sk_test_...) and verify, then re-run with the
+ * live key when you're ready.
+ */
+import Stripe from 'stripe';
+
+const key = process.env.STRIPE_SECRET_KEY;
+if (!key) {
+  console.error('Set STRIPE_SECRET_KEY before running.');
+  process.exit(1);
+}
+const isLive = key.startsWith('sk_live_');
+const isTest = key.startsWith('sk_test_');
+if (!isLive && !isTest) {
+  console.error('STRIPE_SECRET_KEY should start with sk_test_ or sk_live_.');
+  process.exit(1);
+}
+
+const stripe = new Stripe(key);
+
+console.log(`\nProvisioning OpenPartner products in ${isLive ? 'LIVE' : 'TEST'} mode...\n`);
+
+const PRODUCTS = [
+  {
+    key: 'flex',
+    name: 'OpenPartner Flex',
+    description: '$49/mo + 1.5% of attributed GMV. Hosted, fully managed.',
+    monthlyPrice: 4900, // $49.00 in cents
+    statementDescriptor: 'OPENPARTNER FLEX',
+  },
+  {
+    key: 'network_access',
+    name: 'OpenPartner Network access',
+    description: '$29/mo for self-hosted customers tapping into the OpenPartner Network. 90-day free trial. 3% on Network-originated payouts.',
+    monthlyPrice: 2900, // $29.00 in cents
+    statementDescriptor: 'OPENPARTNER NET',
+  },
+  {
+    key: 'revshare',
+    name: 'OpenPartner Revshare',
+    description: '3% of attributed GMV, no monthly fee. Hosted, fully managed.',
+    monthlyPrice: null, // metered/usage-based, no fixed monthly
+    statementDescriptor: 'OPENPARTNER REV',
+  },
+];
+
+const results = [];
+
+for (const p of PRODUCTS) {
+  // Look up existing by metadata so re-runs are safe.
+  const existing = await stripe.products.search({
+    query: `metadata['openpartner_product']:'${p.key}' AND active:'true'`,
+  });
+
+  let product;
+  if (existing.data.length > 0) {
+    product = existing.data[0];
+    console.log(`  ✓ ${p.name} already exists: ${product.id}`);
+  } else {
+    product = await stripe.products.create({
+      name: p.name,
+      description: p.description,
+      statement_descriptor: p.statementDescriptor,
+      metadata: { openpartner_product: p.key },
+      tax_code: 'txcd_10000000', // SaaS — General — Electronically supplied services
+    });
+    console.log(`  + Created ${p.name}: ${product.id}`);
+  }
+
+  // Prices: idempotent via metadata. Skip the monthly price if this product
+  // is purely metered (revshare).
+  let priceId = null;
+  if (p.monthlyPrice != null) {
+    const existingPrices = await stripe.prices.list({ product: product.id, active: true, limit: 100 });
+    const found = existingPrices.data.find(
+      (x) =>
+        x.metadata?.openpartner_price_kind === 'monthly' &&
+        x.unit_amount === p.monthlyPrice &&
+        x.currency === 'usd' &&
+        x.recurring?.interval === 'month',
+    );
+    if (found) {
+      priceId = found.id;
+      console.log(`    ✓ Monthly price already exists: ${priceId}`);
+    } else {
+      const price = await stripe.prices.create({
+        product: product.id,
+        unit_amount: p.monthlyPrice,
+        currency: 'usd',
+        recurring: { interval: 'month' },
+        tax_behavior: 'exclusive',
+        metadata: { openpartner_price_kind: 'monthly' },
+      });
+      priceId = price.id;
+      console.log(`    + Created monthly price: ${priceId} ($${(p.monthlyPrice / 100).toFixed(2)}/mo)`);
+    }
+  } else {
+    console.log(`    · Skipping monthly price (metered/usage product)`);
+  }
+
+  results.push({ key: p.key, productId: product.id, priceId });
+}
+
+console.log('\n────────────────────────────────────────────────────────────');
+console.log('Done. Add these to your OpenPartner .env:\n');
+
+const flex = results.find((r) => r.key === 'flex');
+if (flex?.priceId) {
+  console.log(`STRIPE_FLAT_PRICE_ID=${flex.priceId}`);
+}
+
+console.log(`\nFor reference (not yet read by code, but useful when revshare/network billing is wired):`);
+const network = results.find((r) => r.key === 'network_access');
+if (network?.priceId) {
+  console.log(`# Network access monthly: ${network.priceId}`);
+}
+const revshare = results.find((r) => r.key === 'revshare');
+if (revshare?.productId) {
+  console.log(`# Revshare product (metered, add usage price later): ${revshare.productId}`);
+}
+
+console.log('\nMode:', isLive ? 'LIVE' : 'TEST');
+console.log('Next: copy the env line(s) into your .env, restart the api.\n');

From e981bbd642b428857e7a8948edc0efe0ee0e526c Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Sat, 25 Apr 2026 18:02:41 -0700
Subject: [PATCH 022/131] feat(billing): refund handling, metered usage
 billing, V2 checkout fix
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes the major payments-readiness gaps before deploy.

Refund + reversal handling
  - Map charge.refunded → reverse non-paid Commissions linked to the
    original invoice via metadata.stripeInvoiceId. Already-paid
    Commissions stay paid and the count surfaces on the refund Event for
    admin attention (no automated clawback in v1).
  - Map charge.dispute.created and invoice.payment_failed → corrective
    audit Events; no auto-reversal (disputes can be won; failed invoices
    never fired invoice.paid in the first place).
  - Skip attribution on corrective event types so we don't create phantom
    negative commissions.

Metered usage billing
  - setup-stripe.mjs provisions Stripe Meters (openpartner_attributed_gmv,
    openpartner_network_payouts) and metered Prices for Flex (1.5%),
    Revshare (3%), and Network access (3%).
  - usage-billing.ts aggregates attributed GMV between the last-reported
    high-water mark and now, then reports to Stripe Billing Meter Events.
    Idempotent via Stripe identifier; high-water mark only advances on
    success.
  - POST /billing/report-usage triggers manual reporting (admin scope).
    Cron entry can be wired up later.

V2 Accounts Checkout fix
  - Stripe Accounts V2 in test mode rejects Checkout sessions without a
    pre-created Customer. /billing/checkout now creates (and reuses) a
    Customer on first call, stamps it on Config, then passes it to
    Checkout. Same record is used by Customer Portal after subscription.

Other
  - /billing/checkout supports both flat (base + metered) and revshare
    (metered-only) modes. Line items differ; same Customer reuse logic.
  - Fix setConfig: jsonb column rejects raw strings; serialize through
    JSON.stringify and cast for primitive values.
  - Tests force OPENPARTNER_MODE=selfhost so vitest's auto-loaded .env
    can't bleed in.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/scripts/setup-stripe.mjs             | 144 ++++++++++---
 apps/api/src/__tests__/integration.test.ts    |   4 +-
 apps/api/src/__tests__/stripe-webhook.test.ts | 203 +++++++++++++++++-
 apps/api/src/config.ts                        |  13 +-
 apps/api/src/routes/billing.ts                |  60 +++++-
 apps/api/src/routes/stripe-webhook.ts         | 136 +++++++++++-
 apps/api/src/usage-billing.ts                 | 149 +++++++++++++
 7 files changed, 666 insertions(+), 43 deletions(-)
 create mode 100644 apps/api/src/usage-billing.ts

diff --git a/apps/api/scripts/setup-stripe.mjs b/apps/api/scripts/setup-stripe.mjs
index 5a9dc10..0c72446 100644
--- a/apps/api/scripts/setup-stripe.mjs
+++ b/apps/api/scripts/setup-stripe.mjs
@@ -1,12 +1,13 @@
 #!/usr/bin/env node
 /**
- * Provision the Stripe products + prices OpenPartner needs.
+ * Provision the Stripe products + prices + meters OpenPartner needs.
  *
  *   STRIPE_SECRET_KEY=sk_test_... node apps/api/scripts/setup-stripe.mjs
  *
- * Idempotent: each product is keyed by a metadata tag; re-running after a
- * partial failure won't create duplicates. Outputs the env var values you
- * need to add to your .env at the end.
+ * Idempotent: each product is keyed by a metadata tag; meters by event_name;
+ * metered prices by their meter + product. Re-running after a partial failure
+ * won't create duplicates. Outputs the env var values you need to add to your
+ * .env at the end.
  *
  * Use a test-mode key first (sk_test_...) and verify, then re-run with the
  * live key when you're ready.
@@ -35,6 +36,10 @@ const PRODUCTS = [
     name: 'OpenPartner Flex',
     description: '$49/mo + 1.5% of attributed GMV. Hosted, fully managed.',
     monthlyPrice: 4900, // $49.00 in cents
+    // 1.5% of GMV = $0.015 per dollar = 1.5 cents per dollar.
+    // Stripe Prices on metered usage are in cents per unit; we report
+    // usage in dollars (Event.value), so unit_amount = 1.5 cents.
+    meteredCentsPerUnit: 1.5,
     statementDescriptor: 'OPENPARTNER FLEX',
   },
   {
@@ -42,21 +47,69 @@ const PRODUCTS = [
     name: 'OpenPartner Network access',
     description: '$29/mo for self-hosted customers tapping into the OpenPartner Network. 90-day free trial. 3% on Network-originated payouts.',
     monthlyPrice: 2900, // $29.00 in cents
+    meteredCentsPerUnit: 3, // 3% on Network-originated payouts
     statementDescriptor: 'OPENPARTNER NET',
   },
   {
     key: 'revshare',
     name: 'OpenPartner Revshare',
     description: '3% of attributed GMV, no monthly fee. Hosted, fully managed.',
-    monthlyPrice: null, // metered/usage-based, no fixed monthly
+    monthlyPrice: null,
+    meteredCentsPerUnit: 3, // 3% of GMV
     statementDescriptor: 'OPENPARTNER REV',
   },
 ];
 
+// Meters: usage signals OpenPartner reports per merchant. Reporting goes via
+// stripe.billing.meterEvents.create with the matching event_name.
+const METERS = [
+  {
+    eventName: 'openpartner_attributed_gmv',
+    displayName: 'OpenPartner attributed GMV',
+    purpose: 'Attributed GMV in dollars (used for Flex 1.5% and Revshare 3%)',
+  },
+  {
+    eventName: 'openpartner_network_payouts',
+    displayName: 'OpenPartner Network-originated payouts',
+    purpose: 'Network-originated payouts in dollars (used for Network access 3%)',
+  },
+];
+
+// Each product binds to one meter for its metered price.
+const PRODUCT_METERS = {
+  flex: 'openpartner_attributed_gmv',
+  revshare: 'openpartner_attributed_gmv',
+  network_access: 'openpartner_network_payouts',
+};
+
+// ────────────────────────── Meters ──────────────────────────
+console.log('Meters:');
+const metersByEventName = new Map();
+for (const m of METERS) {
+  const existingMeters = await stripe.billing.meters.list({ status: 'active', limit: 100 });
+  const found = existingMeters.data.find((x) => x.event_name === m.eventName);
+  if (found) {
+    console.log(`  ✓ ${m.eventName} already exists: ${found.id}`);
+    metersByEventName.set(m.eventName, found);
+  } else {
+    const created = await stripe.billing.meters.create({
+      display_name: m.displayName,
+      event_name: m.eventName,
+      default_aggregation: { formula: 'sum' },
+      value_settings: { event_payload_key: 'value' },
+      customer_mapping: { event_payload_key: 'stripe_customer_id', type: 'by_id' },
+    });
+    console.log(`  + Created meter ${m.eventName}: ${created.id}`);
+    metersByEventName.set(m.eventName, created);
+  }
+}
+
+// ────────────────────────── Products + Prices ──────────────────────────
+console.log('\nProducts + prices:');
 const results = [];
 
 for (const p of PRODUCTS) {
-  // Look up existing by metadata so re-runs are safe.
+  // Product: keyed by metadata.
   const existing = await stripe.products.search({
     query: `metadata['openpartner_product']:'${p.key}' AND active:'true'`,
   });
@@ -71,28 +124,29 @@ for (const p of PRODUCTS) {
       description: p.description,
       statement_descriptor: p.statementDescriptor,
       metadata: { openpartner_product: p.key },
-      tax_code: 'txcd_10000000', // SaaS — General — Electronically supplied services
+      tax_code: 'txcd_10000000',
     });
     console.log(`  + Created ${p.name}: ${product.id}`);
   }
 
-  // Prices: idempotent via metadata. Skip the monthly price if this product
-  // is purely metered (revshare).
-  let priceId = null;
+  const existingPrices = await stripe.prices.list({ product: product.id, active: true, limit: 100 });
+
+  // Monthly recurring price (skip if metered-only product).
+  let monthlyPriceId = null;
   if (p.monthlyPrice != null) {
-    const existingPrices = await stripe.prices.list({ product: product.id, active: true, limit: 100 });
     const found = existingPrices.data.find(
       (x) =>
         x.metadata?.openpartner_price_kind === 'monthly' &&
         x.unit_amount === p.monthlyPrice &&
         x.currency === 'usd' &&
-        x.recurring?.interval === 'month',
+        x.recurring?.interval === 'month' &&
+        x.recurring?.usage_type !== 'metered',
     );
     if (found) {
-      priceId = found.id;
-      console.log(`    ✓ Monthly price already exists: ${priceId}`);
+      monthlyPriceId = found.id;
+      console.log(`    ✓ Monthly price already exists: ${monthlyPriceId}`);
     } else {
-      const price = await stripe.prices.create({
+      const created = await stripe.prices.create({
         product: product.id,
         unit_amount: p.monthlyPrice,
         currency: 'usd',
@@ -100,33 +154,59 @@ for (const p of PRODUCTS) {
         tax_behavior: 'exclusive',
         metadata: { openpartner_price_kind: 'monthly' },
       });
-      priceId = price.id;
-      console.log(`    + Created monthly price: ${priceId} ($${(p.monthlyPrice / 100).toFixed(2)}/mo)`);
+      monthlyPriceId = created.id;
+      console.log(`    + Created monthly price: ${monthlyPriceId} ($${(p.monthlyPrice / 100).toFixed(2)}/mo)`);
+    }
+  }
+
+  // Metered price linked to the product's meter.
+  let meteredPriceId = null;
+  if (p.meteredCentsPerUnit != null) {
+    const meterEventName = PRODUCT_METERS[p.key];
+    const meter = metersByEventName.get(meterEventName);
+    if (!meter) throw new Error(`Missing meter for ${p.key} (event_name=${meterEventName})`);
+
+    const meteredCents = p.meteredCentsPerUnit;
+    const found = existingPrices.data.find(
+      (x) =>
+        x.metadata?.openpartner_price_kind === 'metered' &&
+        x.recurring?.meter === meter.id &&
+        x.currency === 'usd',
+    );
+    if (found) {
+      meteredPriceId = found.id;
+      console.log(`    ✓ Metered price already exists: ${meteredPriceId}`);
+    } else {
+      // Use unit_amount_decimal for fractional cents (1.5 cents per unit, etc.).
+      const created = await stripe.prices.create({
+        product: product.id,
+        currency: 'usd',
+        unit_amount_decimal: meteredCents.toString(),
+        recurring: { interval: 'month', usage_type: 'metered', meter: meter.id },
+        tax_behavior: 'exclusive',
+        metadata: { openpartner_price_kind: 'metered' },
+      });
+      meteredPriceId = created.id;
+      console.log(`    + Created metered price: ${meteredPriceId} (${meteredCents}¢ per unit, meter=${meter.id})`);
     }
-  } else {
-    console.log(`    · Skipping monthly price (metered/usage product)`);
   }
 
-  results.push({ key: p.key, productId: product.id, priceId });
+  results.push({ key: p.key, productId: product.id, monthlyPriceId, meteredPriceId });
 }
 
+// ────────────────────────── Summary ──────────────────────────
 console.log('\n────────────────────────────────────────────────────────────');
 console.log('Done. Add these to your OpenPartner .env:\n');
 
 const flex = results.find((r) => r.key === 'flex');
-if (flex?.priceId) {
-  console.log(`STRIPE_FLAT_PRICE_ID=${flex.priceId}`);
-}
-
-console.log(`\nFor reference (not yet read by code, but useful when revshare/network billing is wired):`);
-const network = results.find((r) => r.key === 'network_access');
-if (network?.priceId) {
-  console.log(`# Network access monthly: ${network.priceId}`);
-}
 const revshare = results.find((r) => r.key === 'revshare');
-if (revshare?.productId) {
-  console.log(`# Revshare product (metered, add usage price later): ${revshare.productId}`);
-}
+const network = results.find((r) => r.key === 'network_access');
+
+if (flex?.monthlyPriceId) console.log(`STRIPE_FLAT_PRICE_ID=${flex.monthlyPriceId}`);
+if (flex?.meteredPriceId) console.log(`STRIPE_FLAT_USAGE_PRICE_ID=${flex.meteredPriceId}`);
+if (revshare?.meteredPriceId) console.log(`STRIPE_REVSHARE_USAGE_PRICE_ID=${revshare.meteredPriceId}`);
+if (network?.monthlyPriceId) console.log(`STRIPE_NETWORK_PRICE_ID=${network.monthlyPriceId}`);
+if (network?.meteredPriceId) console.log(`STRIPE_NETWORK_USAGE_PRICE_ID=${network.meteredPriceId}`);
 
 console.log('\nMode:', isLive ? 'LIVE' : 'TEST');
 console.log('Next: copy the env line(s) into your .env, restart the api.\n');
diff --git a/apps/api/src/__tests__/integration.test.ts b/apps/api/src/__tests__/integration.test.ts
index 3ba1d16..cb32999 100644
--- a/apps/api/src/__tests__/integration.test.ts
+++ b/apps/api/src/__tests__/integration.test.ts
@@ -17,7 +17,9 @@ import { createApp } from '../app.js';
 
 const ADMIN_KEY = 'op_test_admin_key_0123456789abcdef0123';
 process.env.ADMIN_API_KEY = ADMIN_KEY;
-process.env.OPENPARTNER_MODE = process.env.OPENPARTNER_MODE ?? 'selfhost';
+// Force selfhost — vitest auto-loads .env, so the ?? form would let a
+// developer's local .env mode bleed into the suite.
+process.env.OPENPARTNER_MODE = 'selfhost';
 
 const TABLES_TO_CLEAN = [
   TABLES.Commission,
diff --git a/apps/api/src/__tests__/stripe-webhook.test.ts b/apps/api/src/__tests__/stripe-webhook.test.ts
index af63adc..f8e3efe 100644
--- a/apps/api/src/__tests__/stripe-webhook.test.ts
+++ b/apps/api/src/__tests__/stripe-webhook.test.ts
@@ -17,7 +17,9 @@ const WEBHOOK_SECRET = 'whsec_test_secret_for_webhook_tests';
 
 process.env.STRIPE_SECRET_KEY = STRIPE_SECRET;
 process.env.STRIPE_WEBHOOK_SECRET = WEBHOOK_SECRET;
-process.env.OPENPARTNER_MODE = process.env.OPENPARTNER_MODE ?? 'selfhost';
+// Force selfhost so tests don't pick up whatever's in .env (vitest auto-loads
+// it). The merchant-subscription persistence path runs in any mode anyway.
+process.env.OPENPARTNER_MODE = 'selfhost';
 
 // Mock the Stripe constructor so customer ops are inert. We keep the real
 // webhooks helper (used inside the route for signature verification) by
@@ -282,3 +284,202 @@ describe.skipIf(skipIntegration)('stripe webhook — merchant billing flow', ()
     expect(identities).toHaveLength(0);
   });
 });
+
+describe.skipIf(skipIntegration)('stripe webhook — refund + reversal flow', () => {
+  it('charge.refunded reverses non-paid Commissions linked to the original invoice', async () => {
+    const { clickId } = await seedClick();
+    const customerId = `cus_${ulid()}`;
+    const stripeInvoiceId = `in_${ulid()}`;
+    const stripeChargeId = `ch_${ulid()}`;
+
+    // 1. Stitch the Identity via checkout, then drive an invoice.paid
+    //    (with the Stripe customer as an embedded object so no API retrieve
+    //    happens). The mapper records stripeInvoiceId in metadata.
+    await postWebhook({
+      id: `evt_${ulid()}`,
+      type: 'checkout.session.completed',
+      created: Math.floor(Date.now() / 1000),
+      data: {
+        object: {
+          id: `cs_${ulid()}`,
+          mode: 'subscription',
+          client_reference_id: clickId,
+          customer: customerId,
+          subscription: `sub_${ulid()}`,
+        },
+      },
+    });
+
+    await postWebhook({
+      id: `evt_${ulid()}`,
+      type: 'invoice.paid',
+      created: Math.floor(Date.now() / 1000),
+      data: {
+        object: {
+          id: stripeInvoiceId,
+          customer: { id: customerId, metadata: {}, object: 'customer' },
+          amount_paid: 4900,
+          currency: 'usd',
+          charge: stripeChargeId,
+        },
+      },
+    });
+
+    // Pre-condition: a Commission was accrued for the invoice_paid event.
+    // (Note: the signup Event also runs through attribution and produces a
+    // $0 commission, but we only care about the invoice-derived ones here.)
+    const invoicePaidEvent = await db(TABLES.Event).where({ type: 'invoice_paid' }).first();
+    expect(invoicePaidEvent).toBeTruthy();
+    const invoiceAttributions = await db(TABLES.Attribution).where({ eventId: invoicePaidEvent!.id });
+    const invoiceAttributionIds = invoiceAttributions.map((a) => a.id);
+    const accruedBefore = await db(TABLES.Commission)
+      .whereIn('attributionId', invoiceAttributionIds)
+      .where({ status: 'accrued' });
+    expect(accruedBefore.length).toBeGreaterThan(0);
+
+    // 2. The refund: charge.refunded with .invoice pointing at our stored
+    //    stripeInvoiceId. Customer is embedded so no real API call.
+    const refundRes = await postWebhook({
+      id: `evt_${ulid()}`,
+      type: 'charge.refunded',
+      created: Math.floor(Date.now() / 1000),
+      data: {
+        object: {
+          id: stripeChargeId,
+          customer: { id: customerId, metadata: {}, object: 'customer' },
+          invoice: stripeInvoiceId,
+          amount_refunded: 4900,
+          currency: 'usd',
+        },
+      },
+    });
+
+    expect(refundRes.status).toBe(200);
+
+    // Post-condition: invoice-derived Commissions are now reversed; other
+    // commissions (e.g. the signup $0) are untouched.
+    const invoiceCommissionsAfter = await db(TABLES.Commission)
+      .whereIn('attributionId', invoiceAttributionIds);
+    expect(invoiceCommissionsAfter.every((c) => c.status === 'reversed')).toBe(true);
+    expect(invoiceCommissionsAfter.length).toBe(accruedBefore.length);
+
+    // The corrective Event was inserted and its metadata records the
+    // reversal count for downstream observability.
+    const refundEvent = await db(TABLES.Event).where({ type: 'refund' }).first();
+    expect(refundEvent).toBeTruthy();
+    expect((refundEvent!.metadata as { reversedCommissions?: number }).reversedCommissions)
+      .toBe(accruedBefore.length);
+  });
+
+  it('charge.refunded leaves already-paid Commissions paid and surfaces the count', async () => {
+    const { clickId } = await seedClick();
+    const customerId = `cus_${ulid()}`;
+    const stripeInvoiceId = `in_${ulid()}`;
+    const stripeChargeId = `ch_${ulid()}`;
+
+    await postWebhook({
+      id: `evt_${ulid()}`,
+      type: 'checkout.session.completed',
+      created: Math.floor(Date.now() / 1000),
+      data: {
+        object: {
+          id: `cs_${ulid()}`,
+          mode: 'subscription',
+          client_reference_id: clickId,
+          customer: customerId,
+          subscription: `sub_${ulid()}`,
+        },
+      },
+    });
+
+    await postWebhook({
+      id: `evt_${ulid()}`,
+      type: 'invoice.paid',
+      created: Math.floor(Date.now() / 1000),
+      data: {
+        object: {
+          id: stripeInvoiceId,
+          customer: { id: customerId, metadata: {}, object: 'customer' },
+          amount_paid: 4900,
+          currency: 'usd',
+          charge: stripeChargeId,
+        },
+      },
+    });
+
+    // Simulate the partner having already been paid by flipping the
+    // invoice-derived commissions to 'paid'.
+    const invoicePaidEvent = await db(TABLES.Event).where({ type: 'invoice_paid' }).first();
+    const invoiceAttributions = await db(TABLES.Attribution).where({ eventId: invoicePaidEvent!.id });
+    const invoiceAttributionIds = invoiceAttributions.map((a) => a.id);
+    await db(TABLES.Commission)
+      .whereIn('attributionId', invoiceAttributionIds)
+      .update({ status: 'paid', paidAt: new Date() });
+
+    const refundRes = await postWebhook({
+      id: `evt_${ulid()}`,
+      type: 'charge.refunded',
+      created: Math.floor(Date.now() / 1000),
+      data: {
+        object: {
+          id: stripeChargeId,
+          customer: { id: customerId, metadata: {}, object: 'customer' },
+          invoice: stripeInvoiceId,
+          amount_refunded: 4900,
+          currency: 'usd',
+        },
+      },
+    });
+
+    expect(refundRes.status).toBe(200);
+
+    // No invoice-derived commissions were flipped — partner already has the money.
+    const stillPaid = await db(TABLES.Commission)
+      .whereIn('attributionId', invoiceAttributionIds)
+      .where({ status: 'paid' });
+    expect(stillPaid.length).toBeGreaterThan(0);
+    const reversedFromInvoice = await db(TABLES.Commission)
+      .whereIn('attributionId', invoiceAttributionIds)
+      .where({ status: 'reversed' });
+    expect(reversedFromInvoice).toHaveLength(0);
+
+    // The refund Event's metadata flags the count for admin attention.
+    const refundEvent = await db(TABLES.Event).where({ type: 'refund' }).first();
+    expect((refundEvent!.metadata as { alreadyPaidCommissions?: number }).alreadyPaidCommissions)
+      .toBe(stillPaid.length);
+  });
+
+  it('charge.refunded does not run attribution on the corrective Event', async () => {
+    const { clickId } = await seedClick();
+    const customerId = `cus_${ulid()}`;
+    const stripeInvoiceId = `in_${ulid()}`;
+
+    // Set up an Identity for the customer so attribution would normally fire.
+    await db(TABLES.Identity).insert({ id: ulid(), clickId, userId: customerId });
+
+    const refundRes = await postWebhook({
+      id: `evt_${ulid()}`,
+      type: 'charge.refunded',
+      created: Math.floor(Date.now() / 1000),
+      data: {
+        object: {
+          id: `ch_${ulid()}`,
+          customer: { id: customerId, metadata: {}, object: 'customer' },
+          invoice: stripeInvoiceId,
+          amount_refunded: 1900,
+          currency: 'usd',
+        },
+      },
+    });
+
+    expect(refundRes.status).toBe(200);
+    expect(refundRes.body.corrective).toBe('refund');
+
+    // No Attribution rows for the refund Event — corrective events skip
+    // attribution to avoid creating phantom negative commissions.
+    const refundEvent = await db(TABLES.Event).where({ type: 'refund' }).first();
+    expect(refundEvent).toBeTruthy();
+    const attributions = await db(TABLES.Attribution).where({ eventId: refundEvent!.id });
+    expect(attributions).toHaveLength(0);
+  });
+});
diff --git a/apps/api/src/config.ts b/apps/api/src/config.ts
index 210e2c2..bd2fb51 100644
--- a/apps/api/src/config.ts
+++ b/apps/api/src/config.ts
@@ -7,14 +7,23 @@ export async function getConfig<T>(key: string): Promise<T | null> {
 }
 
 export async function setConfig<T>(key: string, value: T): Promise<void> {
+  // Config.value is jsonb. Knex/pg auto-serialize objects, but a plain
+  // primitive (string, number, boolean) is sent as raw text and rejected
+  // because "foo" is not valid JSON without quotes. Stringify + cast so
+  // every value type round-trips correctly.
+  const json = JSON.stringify(value);
+  const jsonbValue = db.raw('?::jsonb', [json]);
   await db<ConfigRow>(TABLES.Config)
-    .insert({ key, value: value as unknown as object, updatedAt: new Date() })
+    .insert({ key, value: jsonbValue as unknown as object, updatedAt: new Date() })
     .onConflict('key')
-    .merge({ value: value as unknown as object, updatedAt: new Date() });
+    .merge({ value: jsonbValue as unknown as object, updatedAt: new Date() });
 }
 
 // Known config keys — centralized so we don't stringly-type across the codebase.
 export const CONFIG_KEYS = {
   StripeMerchantCustomerId: 'stripe.merchant.customerId',
   StripeMerchantSubscriptionId: 'stripe.merchant.subscriptionId',
+  // High-water mark for usage reporting. Stored as ISO string. The next
+  // run aggregates Events with ts > this value, then advances the mark.
+  LastUsageReportedAt: 'stripe.merchant.lastUsageReportedAt',
 } as const;
diff --git a/apps/api/src/routes/billing.ts b/apps/api/src/routes/billing.ts
index d660b18..dc23291 100644
--- a/apps/api/src/routes/billing.ts
+++ b/apps/api/src/routes/billing.ts
@@ -15,6 +15,7 @@ import { db } from '../db.js';
 import { requireAdmin, requireAuth } from '../auth.js';
 import { REVSHARE_FEE_BPS, getMode, requireStripe } from '../stripe.js';
 import { CONFIG_KEYS, getConfig, setConfig } from '../config.js';
+import { reportUsageToStripe } from '../usage-billing.js';
 
 export const billingRouter = Router();
 
@@ -66,24 +67,73 @@ const checkoutSchema = z.object({
 });
 
 billingRouter.post('/billing/checkout', requireAuth, requireAdmin, async (req, res) => {
-  if (getMode() !== 'flat') return res.status(400).json({ error: 'only_flat_mode' });
+  const mode = getMode();
+  if (mode !== 'flat' && mode !== 'revshare') {
+    return res.status(400).json({ error: 'only_flat_or_revshare_mode' });
+  }
   const body = checkoutSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
-  const priceId = body.data.priceId ?? process.env.STRIPE_FLAT_PRICE_ID;
-  if (!priceId) return res.status(500).json({ error: 'no_flat_price_configured' });
+  // Build line items per mode:
+  //   flat     → $49 base + 1.5% metered
+  //   revshare → 3% metered only (no monthly)
+  const lineItems: Array<{ price: string; quantity?: number }> = [];
+  if (mode === 'flat') {
+    const basePriceId = body.data.priceId ?? process.env.STRIPE_FLAT_PRICE_ID;
+    if (!basePriceId) return res.status(500).json({ error: 'no_flat_price_configured' });
+    lineItems.push({ price: basePriceId, quantity: 1 });
+    const usagePriceId = process.env.STRIPE_FLAT_USAGE_PRICE_ID;
+    if (usagePriceId) lineItems.push({ price: usagePriceId });
+  } else {
+    const usagePriceId = body.data.priceId ?? process.env.STRIPE_REVSHARE_USAGE_PRICE_ID;
+    if (!usagePriceId) return res.status(500).json({ error: 'no_revshare_price_configured' });
+    lineItems.push({ price: usagePriceId });
+  }
 
   const stripe = requireStripe();
+
+  // Stripe Accounts V2 requires `customer` (not just `customer_email`) on
+  // Checkout in test mode. Create or reuse a Customer for this merchant up
+  // front so we can pass it to the Checkout session and so the Customer
+  // Portal works on the same record after subscription completes.
+  let customerId = await getConfig<string>(CONFIG_KEYS.StripeMerchantCustomerId);
+  if (!customerId) {
+    const customer = await stripe.customers.create({
+      email: body.data.customerEmail,
+      metadata: { openpartner_role: 'merchant_self_subscription' },
+    });
+    customerId = customer.id;
+    await setConfig(CONFIG_KEYS.StripeMerchantCustomerId, customerId);
+  }
+
   const session = await stripe.checkout.sessions.create({
     mode: 'subscription',
-    line_items: [{ price: priceId, quantity: 1 }],
+    customer: customerId,
+    line_items: lineItems,
     success_url: body.data.successUrl,
     cancel_url: body.data.cancelUrl,
-    customer_email: body.data.customerEmail,
   });
   res.json({ url: session.url });
 });
 
+billingRouter.post('/billing/report-usage', requireAuth, requireAdmin, async (_req, res) => {
+  // Self-host has no platform billing; revshare and flat both report to the
+  // shared meter (different metered prices on the merchant subscription
+  // determine the rate).
+  if (getMode() === 'selfhost') {
+    return res.status(400).json({ error: 'no_billing_in_selfhost' });
+  }
+  try {
+    const result = await reportUsageToStripe();
+    res.json(result);
+  } catch (err) {
+    res.status(500).json({
+      error: 'usage_report_failed',
+      detail: err instanceof Error ? err.message : String(err),
+    });
+  }
+});
+
 billingRouter.post('/billing/portal', requireAuth, requireAdmin, async (req, res) => {
   if (getMode() !== 'flat') return res.status(400).json({ error: 'only_flat_mode' });
   const body = z.object({ returnUrl: z.string().url() }).safeParse(req.body);
diff --git a/apps/api/src/routes/stripe-webhook.ts b/apps/api/src/routes/stripe-webhook.ts
index 846aea9..3c89c50 100644
--- a/apps/api/src/routes/stripe-webhook.ts
+++ b/apps/api/src/routes/stripe-webhook.ts
@@ -1,7 +1,7 @@
 import { Router, raw } from 'express';
 import Stripe from 'stripe';
 import { ulid } from 'ulid';
-import { TABLES, type ClickRow, type EventRow, type IdentityRow, type PartnerRow, type PayoutRow } from '@openpartner/db';
+import { TABLES, type AttributionRow, type ClickRow, type CommissionRow, type EventRow, type IdentityRow, type PartnerRow, type PayoutRow } from '@openpartner/db';
 import { db } from '../db.js';
 import { attributeEvent } from '../attribution.js';
 import { persistMerchantSubscription } from './billing.js';
@@ -75,7 +75,7 @@ stripeWebhookRouter.post(
         value: mapped.value != null ? mapped.value.toFixed(2) : null,
         currency: mapped.currency ?? 'USD',
         externalEventId: event.id,
-        metadata: { stripeEventId: event.id, stripeType: event.type },
+        metadata: { stripeEventId: event.id, stripeType: event.type, ...(mapped.metadata ?? {}) },
         ts: new Date(event.created * 1000),
       })
       .onConflict('externalEventId')
@@ -89,11 +89,21 @@ stripeWebhookRouter.post(
       return res.json({ ok: true, idempotent: true, eventId: existing?.id });
     }
 
+    // Corrective events (refund, dispute, payment_failed) are recorded for
+    // the audit trail but don't drive new attribution rows — handling those
+    // is done in mapStripeEvent before insertion (e.g. flipping the source
+    // commissions to 'reversed').
+    if (CORRECTIVE_EVENT_TYPES.has(mapped.type)) {
+      return res.json({ ok: true, eventId, corrective: mapped.type });
+    }
+
     const result = await attributeEvent(db, inserted[0] as EventRow);
     res.json({ ok: true, eventId, attribution: result });
   },
 );
 
+const CORRECTIVE_EVENT_TYPES = new Set(['refund', 'dispute_created', 'invoice_payment_failed']);
+
 // Connect-side events. These don't produce attribution Events — they update
 // Partner (onboarding progress) and Payout (transfer resolution) rows.
 async function handleConnectEvent(event: Stripe.Event): Promise<string | null> {
@@ -157,6 +167,7 @@ interface MappedEvent {
   type: string;
   value?: number;
   currency?: string;
+  metadata?: Record<string, unknown>;
 }
 
 async function mapStripeEvent(stripe: Stripe, event: Stripe.Event): Promise<MappedEvent | null> {
@@ -211,11 +222,97 @@ async function mapStripeEvent(stripe: Stripe, event: Stripe.Event): Promise<Mapp
       const invoice = event.data.object as Stripe.Invoice;
       const userId = await resolveUserIdFromCustomer(stripe, invoice.customer);
       if (!userId) return null;
+      // `charge` was moved off the Invoice type in recent SDK versions, but the
+      // webhook payload still carries it on older API versions and is useful
+      // for refund lookups. Read it tolerantly.
+      const rawCharge = (invoice as unknown as { charge?: string | { id: string } | null }).charge;
+      const chargeId = typeof rawCharge === 'string' ? rawCharge : rawCharge?.id ?? null;
       return {
         userId,
         type: 'invoice_paid',
         value: invoice.amount_paid / 100,
         currency: invoice.currency?.toUpperCase() ?? 'USD',
+        // Captured for refund/dispute lookup. Without these, charge.refunded
+        // can't find the original Event to walk back to its Commissions.
+        metadata: {
+          stripeInvoiceId: invoice.id,
+          ...(chargeId ? { stripeChargeId: chargeId } : {}),
+        },
+      };
+    }
+    case 'charge.refunded': {
+      const charge = event.data.object as Stripe.Charge;
+      const userId = await resolveUserIdFromCustomer(stripe, charge.customer);
+      if (!userId) return null;
+      const rawInvoice = (charge as unknown as { invoice?: string | { id: string } | null }).invoice;
+      const invoiceId = typeof rawInvoice === 'string' ? rawInvoice : rawInvoice?.id ?? null;
+
+      // Auto-reverse non-paid Commissions linked to the original invoice.
+      // Commissions already in 'paid' status are flagged for admin review —
+      // we don't claw back funds that have already left the platform.
+      const reversal = invoiceId
+        ? await reverseCommissionsForInvoice(invoiceId)
+        : { reversed: 0, alreadyPaid: 0 };
+
+      return {
+        userId,
+        type: 'refund',
+        value: -(charge.amount_refunded / 100),
+        currency: charge.currency?.toUpperCase() ?? 'USD',
+        metadata: {
+          stripeChargeId: charge.id,
+          ...(invoiceId ? { stripeInvoiceId: invoiceId } : {}),
+          amountRefunded: charge.amount_refunded,
+          reversedCommissions: reversal.reversed,
+          alreadyPaidCommissions: reversal.alreadyPaid,
+        },
+      };
+    }
+    case 'charge.dispute.created': {
+      // Disputes are flagged for admin review rather than auto-reversed —
+      // disputes can be won, and clawing back commissions on every chargeback
+      // would create a worse experience than the rare manual reversal.
+      const dispute = event.data.object as Stripe.Dispute;
+      const chargeId = typeof dispute.charge === 'string' ? dispute.charge : dispute.charge?.id;
+      let userId: string | null = null;
+      if (chargeId) {
+        try {
+          const charge = await stripe.charges.retrieve(chargeId);
+          userId = await resolveUserIdFromCustomer(stripe, charge.customer);
+        } catch {
+          // Charge might be deleted or inaccessible — log without attribution.
+        }
+      }
+      if (!userId) return null;
+      return {
+        userId,
+        type: 'dispute_created',
+        value: -(dispute.amount / 100),
+        currency: dispute.currency?.toUpperCase() ?? 'USD',
+        metadata: {
+          stripeDisputeId: dispute.id,
+          ...(chargeId ? { stripeChargeId: chargeId } : {}),
+          reason: dispute.reason,
+          status: dispute.status,
+        },
+      };
+    }
+    case 'invoice.payment_failed': {
+      // Recorded for audit but no commission reversal — invoice.paid wouldn't
+      // have fired for this invoice in the first place, so there's nothing to
+      // reverse. Useful when an admin is debugging "why didn't this convert?"
+      const invoice = event.data.object as Stripe.Invoice;
+      const userId = await resolveUserIdFromCustomer(stripe, invoice.customer);
+      if (!userId) return null;
+      return {
+        userId,
+        type: 'invoice_payment_failed',
+        value: -(invoice.amount_due / 100),
+        currency: invoice.currency?.toUpperCase() ?? 'USD',
+        metadata: {
+          stripeInvoiceId: invoice.id,
+          attemptCount: invoice.attempt_count,
+        },
       };
     }
     default:
@@ -223,6 +320,41 @@ async function mapStripeEvent(stripe: Stripe, event: Stripe.Event): Promise<Mapp
   }
 }
 
+/**
+ * Mark Commissions linked to a refunded invoice as 'reversed'. Walks
+ * Event(metadata.stripeInvoiceId) → Attribution → Commission. Only flips
+ * Commissions in 'accrued' or 'approved' status; 'paid' Commissions stay
+ * paid (the partner has the money) and the count is returned so the
+ * refund Event can record that admin attention is needed.
+ */
+async function reverseCommissionsForInvoice(
+  invoiceId: string,
+): Promise<{ reversed: number; alreadyPaid: number }> {
+  const sourceEvents = await db<EventRow>(TABLES.Event)
+    .whereRaw(`"metadata"->>'stripeInvoiceId' = ?`, [invoiceId])
+    .where('type', 'invoice_paid');
+  if (sourceEvents.length === 0) return { reversed: 0, alreadyPaid: 0 };
+
+  const eventIds = sourceEvents.map((e) => e.id);
+  const attributions = await db<AttributionRow>(TABLES.Attribution).whereIn('eventId', eventIds);
+  if (attributions.length === 0) return { reversed: 0, alreadyPaid: 0 };
+  const attributionIds = attributions.map((a) => a.id);
+
+  const reversed = await db<CommissionRow>(TABLES.Commission)
+    .whereIn('attributionId', attributionIds)
+    .whereIn('status', ['accrued', 'approved'])
+    .update({ status: 'reversed' });
+
+  const alreadyPaidRow = (await db<CommissionRow>(TABLES.Commission)
+    .whereIn('attributionId', attributionIds)
+    .where('status', 'paid')
+    .count('id as c')
+    .first()) as { c: string | number } | undefined;
+  const alreadyPaid = Number(alreadyPaidRow?.c ?? 0);
+
+  return { reversed, alreadyPaid };
+}
+
 async function resolveUserIdFromCustomer(
   stripe: Stripe,
   customer: string | Stripe.Customer | Stripe.DeletedCustomer | null,
diff --git a/apps/api/src/usage-billing.ts b/apps/api/src/usage-billing.ts
new file mode 100644
index 0000000..12217b3
--- /dev/null
+++ b/apps/api/src/usage-billing.ts
@@ -0,0 +1,149 @@
+/**
+ * Usage-based billing reporter.
+ *
+ * The Hosted Flex plan bills $49/mo + 1.5% of attributed GMV. The 1.5% portion
+ * is a Stripe metered price tied to a Stripe Meter ("openpartner_attributed_gmv");
+ * we report usage via meterEvents.create on whatever cadence makes sense for
+ * the merchant — daily cron, manual admin trigger, end-of-billing-period job.
+ *
+ * Hosted Revshare uses the same meter (3% of GMV instead of 1.5%) — it just
+ * has a different metered price. The reporter is mode-aware and picks the
+ * correct meter event_name for each tier.
+ *
+ * Idempotency: Stripe's Meter Event API accepts an optional `identifier` so
+ * the same period reported twice is a no-op. We use the high-water mark
+ * timestamp to define a closed period and stamp identifier accordingly. If
+ * the report fails we DO NOT advance the high-water mark, so the next run
+ * picks up from the same point.
+ */
+
+import { TABLES, type EventRow } from '@openpartner/db';
+import { db } from './db.js';
+import { CONFIG_KEYS, getConfig, setConfig } from './config.js';
+import { getMode, requireStripe } from './stripe.js';
+
+// Events we count toward attributed GMV. We sum Event.value for these,
+// scoped to events that have a corresponding Attribution row (i.e. credit
+// actually went to a partner). The signup event has no value and is
+// excluded by the SUM (NULL handling).
+const REVENUE_EVENT_TYPES = ['invoice_paid', 'subscription_created'];
+
+// Mode → meter event_name. Network access uses a separate meter for
+// Network-originated payouts; that's reported by the payout runner, not here.
+const MODE_TO_METER: Record<string, string> = {
+  flat: 'openpartner_attributed_gmv',
+  revshare: 'openpartner_attributed_gmv',
+};
+
+export interface UsageReportResult {
+  mode: string;
+  meterEventName: string;
+  customerId: string;
+  amount: number; // dollars
+  rangeStart: Date | null;
+  rangeEnd: Date;
+  reported: boolean;
+  reason?: string;
+}
+
+/**
+ * Sum attributed GMV (in dollars) for events with `ts > since` and `ts <= until`.
+ * Only counts events that have at least one Attribution row (i.e. a partner
+ * was credited). Refund/dispute events are excluded by event-type filter.
+ */
+export async function aggregateAttributedGmv(since: Date | null, until: Date): Promise<number> {
+  const q = db<EventRow>(TABLES.Event)
+    .whereIn('type', REVENUE_EVENT_TYPES)
+    .where('ts', '<=', until)
+    .whereExists((qb) => {
+      qb.select(db.raw('1')).from(TABLES.Attribution).whereRaw('"Attribution"."eventId" = "Event"."id"');
+    });
+  if (since) q.where('ts', '>', since);
+  const rows = (await q.sum({ total: 'value' })) as Array<{ total: string | null }>;
+  return Number(rows[0]?.total ?? 0);
+}
+
+/**
+ * Report aggregated GMV to Stripe via the Meter Events API. The meter
+ * (openpartner_attributed_gmv) must exist in the platform's Stripe account
+ * and the merchant's subscription must include the metered price tied to
+ * the same meter. Both are provisioned by `scripts/setup-stripe.mjs`.
+ */
+export async function reportUsageToStripe(): Promise<UsageReportResult> {
+  const mode = getMode();
+  const meterEventName = MODE_TO_METER[mode];
+  if (!meterEventName) {
+    return {
+      mode,
+      meterEventName: '',
+      customerId: '',
+      amount: 0,
+      rangeStart: null,
+      rangeEnd: new Date(),
+      reported: false,
+      reason: `usage reporting is not configured for mode=${mode}`,
+    };
+  }
+
+  const customerId = await getConfig<string>(CONFIG_KEYS.StripeMerchantCustomerId);
+  if (!customerId) {
+    return {
+      mode,
+      meterEventName,
+      customerId: '',
+      amount: 0,
+      rangeStart: null,
+      rangeEnd: new Date(),
+      reported: false,
+      reason: 'no Stripe merchant customer configured (subscribe via /billing/checkout first)',
+    };
+  }
+
+  const lastReportedAtIso = await getConfig<string>(CONFIG_KEYS.LastUsageReportedAt);
+  const rangeStart = lastReportedAtIso ? new Date(lastReportedAtIso) : null;
+  const rangeEnd = new Date();
+  const amount = await aggregateAttributedGmv(rangeStart, rangeEnd);
+
+  if (amount <= 0) {
+    // Still advance the high-water mark — we've "reported" zero usage for
+    // the period and don't want to re-scan the same window forever.
+    await setConfig(CONFIG_KEYS.LastUsageReportedAt, rangeEnd.toISOString());
+    return {
+      mode,
+      meterEventName,
+      customerId,
+      amount,
+      rangeStart,
+      rangeEnd,
+      reported: false,
+      reason: 'no attributed GMV in range',
+    };
+  }
+
+  const stripe = requireStripe();
+  // identifier is Stripe's idempotency key for meter events. Tying it to the
+  // window end means a re-run within the same second is deduped on Stripe's
+  // side, which is what we want when an admin double-clicks the report
+  // button or a cron job retries on transient failure.
+  const identifier = `op-usage-${mode}-${rangeEnd.toISOString()}`;
+  await stripe.billing.meterEvents.create({
+    event_name: meterEventName,
+    payload: {
+      stripe_customer_id: customerId,
+      value: amount.toFixed(2),
+    },
+    identifier,
+    timestamp: Math.floor(rangeEnd.getTime() / 1000),
+  });
+
+  await setConfig(CONFIG_KEYS.LastUsageReportedAt, rangeEnd.toISOString());
+  return {
+    mode,
+    meterEventName,
+    customerId,
+    amount,
+    rangeStart,
+    rangeEnd,
+    reported: true,
+  };
+}

From 7342196fb2a9f454c6b7b1927ed0735c1b33365a Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Sat, 25 Apr 2026 19:17:39 -0700
Subject: [PATCH 023/131] feat(deploy): in-process scheduler + prod-ready DO
 App Platform spec
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- scheduler.ts: croner-based, runs usage-report (daily 03:15 UTC) and
  runPayouts (Mon 09:00 UTC). Gated behind OPENPARTNER_ENABLE_SCHEDULER=1
  so dev/test/CI don't fire scheduled jobs unexpectedly. protect: true
  prevents overlap when a job runs longer than its interval.
- .do/app.yaml: adds STRIPE_FLAT_USAGE_PRICE_ID, REVSHARE/NETWORK price
  ids, and OPENPARTNER_ENABLE_SCHEDULER=1. Postgres flipped to
  production: true (paid tier, daily backups).
- docs/deploy-production.md: end-to-end runbook for first launch on DO
  App Platform — secrets, DNS, Stripe webhook destinations, smoke checks,
  troubleshooting.

Verified the api Docker image builds and runs cleanly against a fresh
empty Postgres: all 19 migrations apply, /health returns 200, scheduler
correctly logs its disabled state in dev.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .do/app.yaml              |  31 ++++-
 apps/api/package.json     |   1 +
 apps/api/src/scheduler.ts |  88 ++++++++++++
 apps/api/src/server.ts    |   2 +
 docs/deploy-production.md | 275 ++++++++++++++++++++++++++++++++++++++
 pnpm-lock.yaml            |   9 ++
 6 files changed, 402 insertions(+), 4 deletions(-)
 create mode 100644 apps/api/src/scheduler.ts
 create mode 100644 docs/deploy-production.md

diff --git a/.do/app.yaml b/.do/app.yaml
index 6d38dc5..2e868a7 100644
--- a/.do/app.yaml
+++ b/.do/app.yaml
@@ -22,14 +22,15 @@
 name: openpartner
 region: nyc
 
-# Managed Postgres. For production, bump to a paid plan and upgrade the
-# `production` flag. The connection string is injected into services
-# that reference ${openpartner-db.DATABASE_URL}.
+# Managed Postgres. `production: true` provisions a paid plan with
+# automated daily backups; flip to false during pre-launch dev to use
+# the dev tier and save money. The connection string is injected into
+# services that reference ${openpartner-db.DATABASE_URL}.
 databases:
   - name: openpartner-db
     engine: PG
     version: '16'
-    production: false
+    production: true
     cluster_name: openpartner-db
     db_name: openpartner
     db_user: openpartner
@@ -59,6 +60,11 @@ services:
         value: flat
       - key: POSTMARK_MESSAGE_STREAM
         value: outbound
+      # Enables the in-process scheduler (usage reporting + payouts).
+      # DO App Platform has no native cron, so the api process runs them
+      # itself. Set to '0' on replica nodes if you ever scale to instance_count > 1.
+      - key: OPENPARTNER_ENABLE_SCHEDULER
+        value: '1'
       - key: ADMIN_API_KEY
         type: SECRET
         scope: RUN_TIME
@@ -74,6 +80,8 @@ services:
       - key: PORTAL_URL
         type: SECRET
         scope: RUN_TIME
+      # Stripe — set as live values when ready to launch. STRIPE_WEBHOOK_SECRET
+      # accepts a comma-separated list (one per Event destination).
       - key: STRIPE_SECRET_KEY
         type: SECRET
         scope: RUN_TIME
@@ -83,6 +91,21 @@ services:
       - key: STRIPE_FLAT_PRICE_ID
         type: SECRET
         scope: RUN_TIME
+      # Metered usage prices — created by `setup-stripe.mjs` against the
+      # live key. Optional in self-host but required for the percentage
+      # portion of Flex/Revshare/Network billing to actually fire.
+      - key: STRIPE_FLAT_USAGE_PRICE_ID
+        type: SECRET
+        scope: RUN_TIME
+      - key: STRIPE_REVSHARE_USAGE_PRICE_ID
+        type: SECRET
+        scope: RUN_TIME
+      - key: STRIPE_NETWORK_PRICE_ID
+        type: SECRET
+        scope: RUN_TIME
+      - key: STRIPE_NETWORK_USAGE_PRICE_ID
+        type: SECRET
+        scope: RUN_TIME
       - key: METRICS_TOKEN
         type: SECRET
         scope: RUN_TIME
diff --git a/apps/api/package.json b/apps/api/package.json
index 616daf3..d8710ac 100644
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -17,6 +17,7 @@
     "@types/cookie-parser": "^1.4.10",
     "cookie-parser": "^1.4.7",
     "cors": "^2.8.5",
+    "croner": "^10.0.1",
     "dotenv": "^16.4.5",
     "express": "^4.19.2",
     "express-async-errors": "^3.1.1",
diff --git a/apps/api/src/scheduler.ts b/apps/api/src/scheduler.ts
new file mode 100644
index 0000000..1cb943e
--- /dev/null
+++ b/apps/api/src/scheduler.ts
@@ -0,0 +1,88 @@
+/**
+ * In-process scheduler for periodic platform jobs.
+ *
+ * DO App Platform doesn't have native cron, so for hosted deployments we run
+ * jobs in the api process via croner. Self-host customers get the same code
+ * — set OPENPARTNER_ENABLE_SCHEDULER=1 to opt in. Off by default so dev,
+ * test, and CI runs don't fire scheduled jobs unexpectedly.
+ *
+ * Jobs:
+ *   - usage-report: every day at 03:15 UTC. Aggregates attributed GMV since
+ *                   last report and reports to Stripe Billing meters.
+ *   - payouts:      every Monday at 09:00 UTC. Runs runPayouts() to issue
+ *                   Stripe Connect transfers for approved commissions.
+ *
+ * Both jobs are no-ops in selfhost mode — usage reporting requires a Stripe
+ * subscription, and payouts only run when there are approved commissions.
+ *
+ * Concurrency: croner's `protect: true` ensures a job that's still running
+ * when its next tick arrives skips that tick rather than overlapping. This
+ * matters most for usage-report on first run after a long downtime.
+ */
+
+import { Cron } from 'croner';
+import { reportUsageToStripe } from './usage-billing.js';
+import { runPayouts } from './payouts.js';
+import { getMode } from './stripe.js';
+
+interface ScheduledJob {
+  name: string;
+  cronExpr: string;
+  description: string;
+  handler: () => Promise<unknown>;
+}
+
+const JOBS: ScheduledJob[] = [
+  {
+    name: 'usage-report',
+    cronExpr: '15 3 * * *',
+    description: 'Aggregate attributed GMV and report to Stripe meters (daily 03:15 UTC)',
+    handler: async () => {
+      if (getMode() === 'selfhost') return { skipped: 'selfhost' };
+      return reportUsageToStripe();
+    },
+  },
+  {
+    name: 'payouts',
+    cronExpr: '0 9 * * 1',
+    description: 'Issue Stripe Connect transfers for approved commissions (Monday 09:00 UTC)',
+    handler: async () => runPayouts(),
+  },
+];
+
+let started = false;
+const handles: Cron[] = [];
+
+export function startScheduler(): void {
+  if (started) return;
+  if (process.env.OPENPARTNER_ENABLE_SCHEDULER !== '1') {
+    console.log('[scheduler] disabled (set OPENPARTNER_ENABLE_SCHEDULER=1 to enable)');
+    return;
+  }
+
+  for (const job of JOBS) {
+    const handle = new Cron(
+      job.cronExpr,
+      { name: job.name, timezone: 'UTC', protect: true },
+      async () => {
+        const start = Date.now();
+        console.log(`[scheduler] ${job.name} starting`);
+        try {
+          const result = await job.handler();
+          console.log(`[scheduler] ${job.name} finished in ${Date.now() - start}ms`, result);
+        } catch (err) {
+          console.error(`[scheduler] ${job.name} failed`, err);
+        }
+      },
+    );
+    handles.push(handle);
+    console.log(`[scheduler] registered ${job.name} (${job.cronExpr}) — ${job.description}`);
+  }
+  started = true;
+}
+
+export function stopScheduler(): void {
+  for (const h of handles) h.stop();
+  handles.length = 0;
+  started = false;
+}
diff --git a/apps/api/src/server.ts b/apps/api/src/server.ts
index 3c521e3..4e6a97e 100644
--- a/apps/api/src/server.ts
+++ b/apps/api/src/server.ts
@@ -1,4 +1,5 @@
 import { createApp } from './app.js';
+import { startScheduler } from './scheduler.js';
 
 const PORT = Number(process.env.API_PORT ?? 4601);
 const MODE = process.env.OPENPARTNER_MODE ?? 'selfhost';
@@ -6,4 +7,5 @@ const MODE = process.env.OPENPARTNER_MODE ?? 'selfhost';
 const app = createApp();
 app.listen(PORT, () => {
   console.log(`[api] listening on :${PORT} (mode=${MODE})`);
+  startScheduler();
 });
diff --git a/docs/deploy-production.md b/docs/deploy-production.md
new file mode 100644
index 0000000..76dcc1e
--- /dev/null
+++ b/docs/deploy-production.md
@@ -0,0 +1,275 @@
+# Production deploy runbook
+
+Step-by-step for the first launch of OpenPartner on DigitalOcean App Platform
+plus matching Stripe live-mode setup. Reading time ~10 min, end-to-end execution
+~60 min once you have credentials in hand.
+
+> Self-hosters: see `docs/deploy.md` for the docker-compose path. This runbook
+> is for the OpenPartner-as-a-service deploy.
+
+## What you'll provision
+
+- 1 DO App Platform app with three components: api (Express), router (Hono), portal (static SPA)
+- 1 DO Managed Postgres (production tier, daily backups)
+- 1 set of live-mode Stripe products + prices + meters
+- 2 Stripe webhook destinations (platform + connect events)
+- 1+ custom domains pointed at the app
+
+## Prerequisites
+
+- [ ] DO account with billing set up
+- [ ] `doctl` installed and authenticated (`doctl auth init`)
+- [ ] GitHub repo `getcoherence/openpartner` accessible to your DO account
+- [ ] Stripe account fully activated for live mode (Connect Standard enabled)
+- [ ] DNS access to `openpartner.dev` (or whatever apex you'll use)
+- [ ] One-time generated `SECRETS_ENCRYPTION_KEY` and `ADMIN_API_KEY`
+
+Generate the secrets locally:
+
+```bash
+echo "SECRETS_ENCRYPTION_KEY=$(openssl rand -hex 32)"
+echo "ADMIN_API_KEY=op_$(openssl rand -hex 24)"
+```
+
+Paste those into a password manager — you'll set them as DO env secrets in
+step 4. They never go in git.
+
+---
+
+## 1. Create the App Platform app
+
+```bash
+cd /path/to/openpartner
+doctl apps create --spec .do/app.yaml
+```
+
+Output prints an app ID like `12345678-aaaa-bbbb-cccc-dddddddddddd`. Save it as
+`OP_APP_ID` for the rest of this runbook:
+
+```bash
+export OP_APP_ID=12345678-aaaa-bbbb-cccc-dddddddddddd
+```
+
+The first deploy will fail with "missing secrets" — expected. You'll set them
+in step 4 and re-deploy.
+
+## 2. Confirm the database is provisioned
+
+```bash
+doctl apps list-databases $OP_APP_ID
+```
+
+Wait until status is `online`. A managed Postgres takes ~5–10 minutes the first
+time. The connection string is automatically injected into the api/router
+services as `${openpartner-db.DATABASE_URL}` — no manual wiring needed.
+
+## 3. Provision live Stripe resources
+
+Run the setup script with your **live** key:
+
+```bash
+cd apps/api
+STRIPE_SECRET_KEY=sk_live_... node scripts/setup-stripe.mjs
+```
+
+Save the printed Price IDs — you'll use them in step 4. The script creates:
+
+- Products: OpenPartner Flex, Network access, Revshare
+- Monthly recurring prices
+- Metered prices linked to two Stripe Meters (`openpartner_attributed_gmv`,
+  `openpartner_network_payouts`)
+
+It's idempotent, so safe to re-run.
+
+## 4. Set encrypted env secrets
+
+In the DO App Platform UI: your app → **Settings** → for the api component
+→ **App-Level Environment Variables** (or **Component-Level** for api-only).
+Set each value with **Encrypt** checked:
+
+| Variable | Value |
+| --- | --- |
+| `ADMIN_API_KEY` | `op_...` from step prerequisites |
+| `SECRETS_ENCRYPTION_KEY` | 64-char hex from prerequisites |
+| `STRIPE_SECRET_KEY` | `sk_live_...` |
+| `STRIPE_WEBHOOK_SECRET` | (leave empty for now — you'll set it in step 6) |
+| `STRIPE_FLAT_PRICE_ID` | from step 3 |
+| `STRIPE_FLAT_USAGE_PRICE_ID` | from step 3 |
+| `STRIPE_REVSHARE_USAGE_PRICE_ID` | from step 3 |
+| `STRIPE_NETWORK_PRICE_ID` | from step 3 |
+| `STRIPE_NETWORK_USAGE_PRICE_ID` | from step 3 |
+| `MAIL_FROM` | `notifications@openpartner.dev` |
+| `POSTMARK_SERVER_TOKEN` | from your Postmark dashboard |
+| `PORTAL_URL` | `https://app.openpartner.dev` (or your chosen domain) |
+| `METRICS_TOKEN` | random token if you want to gate /metrics; otherwise generate one |
+
+For the **router** component, set:
+
+| Variable | Value |
+| --- | --- |
+| `COOKIE_DOMAIN` | `.openpartner.dev` (leading dot — covers subdomains) |
+
+Click **Save** and let DO redeploy.
+
+## 5. Wire DNS and custom domains
+
+Pick a domain layout. Recommended:
+
+- `app.openpartner.dev` — portal (also serves api at `/api/*`)
+- `r.openpartner.dev` — click router (separate component)
+
+In DO App Platform: **Settings → Domains → Add Domain**. Add both, point them
+at the appropriate components, and DO will give you DNS records to add.
+
+In Cloudflare / your DNS host:
+
+```
+CNAME  app.openpartner.dev  →  <app>.ondigitalocean.app
+CNAME  r.openpartner.dev    →  <app>.ondigitalocean.app
+```
+
+Wait for SSL cert provisioning (~5 min). Verify both URLs serve.
+
+## 6. Configure Stripe webhook destinations
+
+In Stripe Dashboard (live mode toggle on): **Developers → Webhooks → Add endpoint**.
+
+You need **two** destinations because Stripe splits platform-account events
+from connected-account events:
+
+### Destination A — platform events
+
+- URL: `https://app.openpartner.dev/api/webhooks/stripe`
+- Events: `checkout.session.completed`, `customer.created`, `customer.subscription.created`, `invoice.paid`, `invoice.payment_failed`, `charge.refunded`, `charge.dispute.created`
+- Save → copy the **Signing secret** (`whsec_...`)
+
+### Destination B — connected accounts
+
+- URL: same — `https://app.openpartner.dev/api/webhooks/stripe`
+- Type: **Connected accounts**
+- Events: `account.updated`, `transfer.updated`, `transfer.reversed`
+- Save → copy the **Signing secret**
+
+Set the env var as the **comma-separated** combination of both:
+
+```
+STRIPE_WEBHOOK_SECRET=whsec_AAA...,whsec_BBB...
+```
+
+Re-deploy via the DO UI ("Force Rebuild and Deploy").
+
+## 7. First-run install wizard
+
+Visit `https://app.openpartner.dev`. The portal will redirect to `/install`
+(first-run wizard). Complete:
+
+- **You** — admin name + email
+- **Program** — your brand name + support email
+- **Email delivery** — confirm Postmark or paste SMTP
+
+Submit. You'll get a magic link in your inbox. Sign in.
+
+## 8. Verify end-to-end
+
+A short smoke checklist after sign-in:
+
+- [ ] Can create a partner via the admin UI
+- [ ] Magic-link invite to that partner arrives
+- [ ] Partner can complete Stripe Connect onboarding
+- [ ] `/billing/checkout` redirects to a real Stripe Checkout
+- [ ] Stripe webhooks deliver successfully (Stripe Dashboard → Webhooks → recent deliveries → all 200)
+- [ ] `POST /api/billing/report-usage` returns `reported: true` after a real conversion
+
+Once all six pass, you're live.
+
+---
+
+## Operational notes
+
+### Scheduled jobs
+
+The api process runs an in-process scheduler (`OPENPARTNER_ENABLE_SCHEDULER=1`):
+
+- **Daily 03:15 UTC** — usage reporting to Stripe meters
+- **Monday 09:00 UTC** — payout run (Stripe Connect transfers)
+
+If you ever scale to `instance_count > 1`, set `OPENPARTNER_ENABLE_SCHEDULER=0`
+on the replicas — only the primary should fire scheduled jobs. App Platform's
+deployment topology doesn't currently surface a "primary" flag, so for now
+pick a single instance and don't horizontally scale the api until you've
+moved scheduled jobs to a dedicated worker component.
+
+### Manual triggers
+
+Both jobs have admin-only HTTP endpoints in case you need to fire ad-hoc:
+
+```bash
+curl -X POST https://app.openpartner.dev/api/billing/report-usage \
+  -H "Authorization: Bearer $ADMIN_API_KEY"
+
+# Payouts are run via the standard payouts route — see /docs/payouts
+```
+
+### Database backups
+
+DO Managed Postgres takes daily automated backups, retained for 7 days on the
+basic production tier. For longer retention or point-in-time recovery, upgrade
+the database tier or pipe `pg_dump` to your own object storage.
+
+### Updating
+
+Push to `main` → DO auto-deploys. Migrations run automatically on each api boot.
+For schema changes that need a manual data migration, write a one-shot script
+under `packages/db/scripts/`, run it once via `doctl apps console $OP_APP_ID
+api` after the deploy lands.
+
+### Rollback
+
+```bash
+doctl apps list-deployments $OP_APP_ID
+doctl apps create-deployment $OP_APP_ID --force-rebuild=false --rollback <prior-deployment-id>
+```
+
+Schema rollbacks must be done via knex manually — automatic schema rollback on
+deploy rollback is not configured.
+
+### Costs (rough)
+
+| Component | Tier | Monthly |
+| --- | --- | --- |
+| api (basic-xs) | 1 instance | ~$12 |
+| router (basic-xxs) | 1 instance | ~$5 |
+| portal (static site) | included | $0 |
+| Postgres (production tier) | basic 1GB | ~$15 |
+| **Total** | | **~$32** |
+
+Scales to ~3-5x at meaningful traffic.
+
+---
+
+## Troubleshooting
+
+**"Migration failed" on first boot.**
+The migration script uses an advisory lock. If a previous deploy crashed
+mid-migration, the lock can persist. SSH in via `doctl apps console`, run
+`SELECT pg_advisory_unlock_all();` from psql.
+
+**"Customer Portal is not configured."**
+Stripe → Settings → Billing → Customer portal → **Activate test link** in test
+mode, **Activate live link** in live mode. The first activation is a one-time
+toggle.
+
+**Webhooks delivering but events not appearing in /events.**
+Likely a signature mismatch. Verify `STRIPE_WEBHOOK_SECRET` is the **comma-
+separated** combination of both destination secrets — a single value covers
+only one destination.
+
+**Partner Connect onboarding completes but `payoutsEnabled` stays false.**
+Stripe runs async verification. Wait 30–120 seconds, then re-check
+`/api/partners/:id/connect/status`. If still false after several minutes,
+check Stripe → Connect → that account → Requirements for missing fields.
+
+**Refunded transactions still showing accrued commissions.**
+The refund handler reverses non-paid commissions automatically. Already-paid
+ones are surfaced on the corrective Event's `metadata.alreadyPaidCommissions`
+count for admin review. There is no automated clawback in v1.
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 97be753..1204b6c 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -47,6 +47,9 @@ importers:
       cors:
         specifier: ^2.8.5
         version: 2.8.6
+      croner:
+        specifier: ^10.0.1
+        version: 10.0.1
       dotenv:
         specifier: ^16.4.5
         version: 16.6.1
@@ -1281,6 +1284,10 @@ packages:
     resolution: {integrity: sha512-tJtZBBHA6vjIAaF6EnIaq6laBBP9aq/Y3ouVJjEfoHbRBcHBAHYcMh/w8LDrk2PvIMMq8gmopa5D4V8RmbrxGw==}
     engines: {node: '>= 0.10'}
 
+  croner@10.0.1:
+    resolution: {integrity: sha512-ixNtAJndqh173VQ4KodSdJEI6nuioBWI0V1ITNKhZZsO0pEMoDxz539T4FTTbSZ/xIOSuDnzxLVRqBVSvPNE2g==}
+    engines: {node: '>=18.0'}
+
   cross-spawn@7.0.6:
     resolution: {integrity: sha512-uV2QOWP2nWzsy2aMp8aRibhi9dlzF5Hgh5SHaB9OiTGEyDTiJJyx0uy51QXdyWbtAHNua4XJzUKca3OzKUd3vA==}
     engines: {node: '>= 8'}
@@ -3594,6 +3601,8 @@ snapshots:
       object-assign: 4.1.1
       vary: 1.1.2
 
+  croner@10.0.1: {}
+
   cross-spawn@7.0.6:
     dependencies:
       path-key: 3.1.1

From 9901899a19a9448197e4fd247d9a510c5d90be64 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Sat, 25 Apr 2026 22:03:50 -0700
Subject: [PATCH 024/131] chore(deploy): switch DATABASE_URL to
 externally-provisioned secret

Rather than provisioning a dedicated managed Postgres cluster, OpenPartner
points at an existing cluster (e.g., a separate database inside the
Coherence cluster). DATABASE_URL becomes a SECRET env var on api + router
instead of a templated reference to the embedded ${openpartner-db.DATABASE_URL}.

Block is preserved in a comment so re-enabling a dedicated cluster later
is a paste-back rather than a recall.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .do/app.yaml | 37 +++++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 14 deletions(-)

diff --git a/.do/app.yaml b/.do/app.yaml
index 2e868a7..c944d99 100644
--- a/.do/app.yaml
+++ b/.do/app.yaml
@@ -22,18 +22,25 @@
 name: openpartner
 region: nyc
 
-# Managed Postgres. `production: true` provisions a paid plan with
-# automated daily backups; flip to false during pre-launch dev to use
-# the dev tier and save money. The connection string is injected into
-# services that reference ${openpartner-db.DATABASE_URL}.
-databases:
-  - name: openpartner-db
-    engine: PG
-    version: '16'
-    production: true
-    cluster_name: openpartner-db
-    db_name: openpartner
-    db_user: openpartner
+# Database is provisioned externally (e.g., a separate Coherence cluster
+# with a dedicated `openpartner` database inside it). DATABASE_URL is set
+# as an encrypted secret on each service below. Add this app to the
+# cluster's Trusted Sources after the first deploy so it can reach pg.
+#
+# If you'd rather have App Platform provision a dedicated cluster, paste
+# this block back in:
+#
+#   databases:
+#     - name: openpartner-db
+#       engine: PG
+#       version: '16'
+#       production: true
+#       cluster_name: openpartner-db
+#       db_name: openpartner
+#       db_user: openpartner
+#
+# and change the DATABASE_URL env vars below to:
+#   value: ${openpartner-db.DATABASE_URL}
 
 services:
   # Core API. Runs migrations on first boot via docker-entrypoint.sh.
@@ -55,7 +62,8 @@ services:
       - key: API_PORT
         value: '4601'
       - key: DATABASE_URL
-        value: ${openpartner-db.DATABASE_URL}
+        type: SECRET
+        scope: RUN_TIME
       - key: OPENPARTNER_MODE
         value: flat
       - key: POSTMARK_MESSAGE_STREAM
@@ -131,7 +139,8 @@ services:
       - key: ROUTER_PORT
         value: '4701'
       - key: DATABASE_URL
-        value: ${openpartner-db.DATABASE_URL}
+        type: SECRET
+        scope: RUN_TIME
       - key: COOKIE_DOMAIN
         type: SECRET
         scope: RUN_TIME

From 73d02a6ca2c5884c703cff4259db6b8ee45635d2 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Sat, 25 Apr 2026 22:33:20 -0700
Subject: [PATCH 025/131] fix(deploy): app.yaml validates against DO API

Adds github source ref to each component (api, router, portal) and
fixes the ingress rules: portal routes / by default, api gets /api,
router gets /r as a path prefix until the dedicated subdomain is wired.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .do/app.yaml | 26 +++++++++++++++++++++-----
 1 file changed, 21 insertions(+), 5 deletions(-)

diff --git a/.do/app.yaml b/.do/app.yaml
index c944d99..066dcf5 100644
--- a/.do/app.yaml
+++ b/.do/app.yaml
@@ -47,6 +47,10 @@ services:
   - name: api
     dockerfile_path: apps/api/Dockerfile
     source_dir: /
+    github:
+      repo: getcoherence/openpartner
+      branch: main
+      deploy_on_push: true
     http_port: 4601
     instance_count: 1
     instance_size_slug: basic-xs
@@ -124,6 +128,10 @@ services:
   - name: router
     dockerfile_path: apps/router/Dockerfile
     source_dir: /
+    github:
+      repo: getcoherence/openpartner
+      branch: main
+      deploy_on_push: true
     http_port: 4701
     instance_count: 1
     instance_size_slug: basic-xxs
@@ -155,6 +163,10 @@ services:
 static_sites:
   - name: portal
     source_dir: /
+    github:
+      repo: getcoherence/openpartner
+      branch: main
+      deploy_on_push: true
     build_command: |
       corepack enable
       corepack prepare pnpm@9.11.0 --activate
@@ -167,9 +179,13 @@ static_sites:
       - key: NODE_ENV
         value: production
 
-# App-level routing. /api/* goes to the api service; everything else
-# falls through to the static portal. The router is addressed by its
-# own subdomain — see `domains` below.
+# App-level routing.
+#   /api/* → api (path stripped before forward)
+#   /r/*   → router (path preserved — router serves /r/:linkKey directly)
+#   /      → portal (App Platform's static-site default)
+#
+# Once you wire `r.openpartner.dev` to the router component via the
+# `domains` block, you can remove the /r rule — the subdomain handles it.
 ingress:
   rules:
     - match:
@@ -180,9 +196,9 @@ ingress:
         preserve_path_prefix: false
     - match:
         path:
-          prefix: /
+          prefix: /r
       component:
-        name: portal
+        name: router
 
 # Wire custom domains once the app is up. Set these in the App Platform
 # UI, or uncomment + fill below and `doctl apps update`.

From e4e0d97356f386ad82ec704dba6920c9bf38b1c8 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Sat, 25 Apr 2026 23:23:33 -0700
Subject: [PATCH 026/131] fix(deploy): force devDeps during portal build (tsc,
 vite)

---
 .do/app.yaml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.do/app.yaml b/.do/app.yaml
index 066dcf5..d3d6d58 100644
--- a/.do/app.yaml
+++ b/.do/app.yaml
@@ -167,17 +167,17 @@ static_sites:
       repo: getcoherence/openpartner
       branch: main
       deploy_on_push: true
+    # Force devDependencies (tsc, vite) during build — App Platform sets
+    # NODE_ENV=production by default which would have pnpm skip them.
+    # NODE_ENV stays unset on this static site at runtime; nothing executes.
     build_command: |
       corepack enable
       corepack prepare pnpm@9.11.0 --activate
-      pnpm install --frozen-lockfile
+      NPM_CONFIG_PRODUCTION=false pnpm install --frozen-lockfile
       pnpm --filter @openpartner/db build
       pnpm --filter @openpartner/portal build
     output_dir: apps/portal/dist
     catchall_document: index.html
-    envs:
-      - key: NODE_ENV
-        value: production
 
 # App-level routing.
 #   /api/* → api (path stripped before forward)

From 0086a7a6ff5a72fda26bbd4942a6cdd59c90388f Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Sun, 26 Apr 2026 00:17:48 -0700
Subject: [PATCH 027/131] fix(db): handle managed-postgres TLS
 (sslmode=require)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

DO Managed Postgres serves a CA-signed cert that's not in Node's default
trust store. With pg-node, sslmode=require alone fails the chain check
and the migration runner aborts before the api can start.

Adds sslFromConnectionString helper used by both the runtime db factory
and the knex migration runner. Maps:
  sslmode=require | no-verify       → encrypted, rejectUnauthorized=false
  sslmode=verify-ca | verify-full   → encrypted, full chain check
  no sslmode                        → no ssl (local dev)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 packages/db/knexfile.ts  | 13 +++++++++++--
 packages/db/src/index.ts |  7 ++++++-
 packages/db/src/ssl.ts   | 23 +++++++++++++++++++++++
 3 files changed, 40 insertions(+), 3 deletions(-)
 create mode 100644 packages/db/src/ssl.ts

diff --git a/packages/db/knexfile.ts b/packages/db/knexfile.ts
index a9747b9..0b49121 100644
--- a/packages/db/knexfile.ts
+++ b/packages/db/knexfile.ts
@@ -1,5 +1,6 @@
 import 'dotenv/config';
 import type { Knex } from 'knex';
+import { sslFromConnectionString } from './src/ssl.js';
 
 // In dev we run .ts migrations via tsx; in prod the package ships
 // compiled .js alongside this (also-compiled) knexfile, so the same
@@ -23,14 +24,22 @@ const common: Knex.Config = {
   },
 };
 
+function buildConnection(url: string | undefined): Knex.PgConnectionConfig | string | undefined {
+  if (!url) return undefined;
+  const ssl = sslFromConnectionString(url);
+  return ssl ? { connectionString: url, ssl } : url;
+}
+
+const devUrl = process.env.DATABASE_URL ?? 'postgres://openpartner:openpartner@localhost:5433/openpartner';
+
 const config: { [env: string]: Knex.Config } = {
   development: {
     ...common,
-    connection: process.env.DATABASE_URL ?? 'postgres://openpartner:openpartner@localhost:5433/openpartner',
+    connection: buildConnection(devUrl)!,
   },
   production: {
     ...common,
-    connection: process.env.DATABASE_URL,
+    connection: buildConnection(process.env.DATABASE_URL)!,
     pool: { min: 2, max: 10 },
   },
 };
diff --git a/packages/db/src/index.ts b/packages/db/src/index.ts
index 2883c7c..e4ed6f4 100644
--- a/packages/db/src/index.ts
+++ b/packages/db/src/index.ts
@@ -3,8 +3,10 @@
  */
 
 import knex, { type Knex } from 'knex';
+import { sslFromConnectionString } from './ssl.js';
 
 export * from './types.js';
+export { sslFromConnectionString } from './ssl.js';
 
 export interface DbConfig {
   connectionString: string;
@@ -13,9 +15,12 @@ export interface DbConfig {
 }
 
 export function createDb(config: DbConfig): Knex {
+  const ssl = sslFromConnectionString(config.connectionString);
   return knex({
     client: 'pg',
-    connection: config.connectionString,
+    connection: ssl
+      ? { connectionString: config.connectionString, ssl }
+      : config.connectionString,
     pool: {
       min: config.poolMin ?? 2,
       max: config.poolMax ?? 10,
diff --git a/packages/db/src/ssl.ts b/packages/db/src/ssl.ts
new file mode 100644
index 0000000..5b8f2b5
--- /dev/null
+++ b/packages/db/src/ssl.ts
@@ -0,0 +1,23 @@
+/**
+ * Compute the knex `ssl` option for a Postgres connection string.
+ *
+ * Managed Postgres providers (DO, Heroku, etc.) require TLS but their CA
+ * chain isn't in Node's default trust store. We map sslmode params to the
+ * matching node-pg `ssl` shape:
+ *
+ *   sslmode=require | no-verify  → encrypted, no chain check
+ *   sslmode=verify-ca | verify-full → encrypted, full chain check (deployment must
+ *                                     have the CA in its trust store)
+ *   anything else → no ssl
+ *
+ * Used by both the runtime db factory (createDb) and the knex migration
+ * runner (knexfile) so behavior is identical for app calls and migrations.
+ */
+export function sslFromConnectionString(url: string): true | { rejectUnauthorized: false } | undefined {
+  const lower = url.toLowerCase();
+  if (lower.includes('sslmode=verify-ca') || lower.includes('sslmode=verify-full')) return true;
+  if (lower.includes('sslmode=require') || lower.includes('sslmode=no-verify')) {
+    return { rejectUnauthorized: false };
+  }
+  return undefined;
+}

From 888281e3898411a0f239e7adc84af09079f16d60 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Sun, 26 Apr 2026 00:31:32 -0700
Subject: [PATCH 028/131] fix(db): strip sslmode from URL so explicit ssl
 config wins

pg-connection-string >= v2.7 treats sslmode=require as verify-full and
overrides our explicit { rejectUnauthorized: false } config when both
are present (URL parsing happens after our config is set, so it wins).

Strip sslmode from the URL when we manage ssl ourselves. The connection
remains TLS-encrypted; we just opt out of the chain check that would
otherwise fail on managed providers' self-signed CAs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 packages/db/knexfile.ts  |  6 +++---
 packages/db/src/index.ts |  6 ++----
 packages/db/src/ssl.ts   | 36 +++++++++++++++++++++++++++---------
 3 files changed, 32 insertions(+), 16 deletions(-)

diff --git a/packages/db/knexfile.ts b/packages/db/knexfile.ts
index 0b49121..313d8e3 100644
--- a/packages/db/knexfile.ts
+++ b/packages/db/knexfile.ts
@@ -24,9 +24,9 @@ const common: Knex.Config = {
   },
 };
 
-function buildConnection(url: string | undefined): Knex.PgConnectionConfig | string | undefined {
-  if (!url) return undefined;
-  const ssl = sslFromConnectionString(url);
+function buildConnection(originalUrl: string | undefined): Knex.PgConnectionConfig | string | undefined {
+  if (!originalUrl) return undefined;
+  const { ssl, url } = sslFromConnectionString(originalUrl);
   return ssl ? { connectionString: url, ssl } : url;
 }
 
diff --git a/packages/db/src/index.ts b/packages/db/src/index.ts
index e4ed6f4..c2fca4d 100644
--- a/packages/db/src/index.ts
+++ b/packages/db/src/index.ts
@@ -15,12 +15,10 @@ export interface DbConfig {
 }
 
 export function createDb(config: DbConfig): Knex {
-  const ssl = sslFromConnectionString(config.connectionString);
+  const { ssl, url } = sslFromConnectionString(config.connectionString);
   return knex({
     client: 'pg',
-    connection: ssl
-      ? { connectionString: config.connectionString, ssl }
-      : config.connectionString,
+    connection: ssl ? { connectionString: url, ssl } : url,
     pool: {
       min: config.poolMin ?? 2,
       max: config.poolMax ?? 10,
diff --git a/packages/db/src/ssl.ts b/packages/db/src/ssl.ts
index 5b8f2b5..aa8e0c4 100644
--- a/packages/db/src/ssl.ts
+++ b/packages/db/src/ssl.ts
@@ -5,19 +5,37 @@
  * chain isn't in Node's default trust store. We map sslmode params to the
  * matching node-pg `ssl` shape:
  *
- *   sslmode=require | no-verify  → encrypted, no chain check
- *   sslmode=verify-ca | verify-full → encrypted, full chain check (deployment must
- *                                     have the CA in its trust store)
+ *   sslmode=require | no-verify   → encrypted, no chain check
+ *   sslmode=verify-ca | verify-full → encrypted, full chain check (deployment
+ *                                     must have the CA in its trust store)
  *   anything else → no ssl
  *
  * Used by both the runtime db factory (createDb) and the knex migration
  * runner (knexfile) so behavior is identical for app calls and migrations.
+ *
+ * Returns both the ssl config and a stripped URL: pg-connection-string
+ * (>= v2.7) treats sslmode=require as verify-full and overrides our
+ * explicit ssl object, so we strip the sslmode param from the URL when
+ * we're managing ssl ourselves.
  */
-export function sslFromConnectionString(url: string): true | { rejectUnauthorized: false } | undefined {
-  const lower = url.toLowerCase();
-  if (lower.includes('sslmode=verify-ca') || lower.includes('sslmode=verify-full')) return true;
-  if (lower.includes('sslmode=require') || lower.includes('sslmode=no-verify')) {
-    return { rejectUnauthorized: false };
+export interface SslResolution {
+  ssl: true | { rejectUnauthorized: false } | undefined;
+  url: string;
+}
+
+export function sslFromConnectionString(originalUrl: string): SslResolution {
+  const lower = originalUrl.toLowerCase();
+  let ssl: SslResolution['ssl'] = undefined;
+  if (lower.includes('sslmode=verify-ca') || lower.includes('sslmode=verify-full')) {
+    ssl = true;
+  } else if (lower.includes('sslmode=require') || lower.includes('sslmode=no-verify')) {
+    ssl = { rejectUnauthorized: false };
   }
-  return undefined;
+  // Strip sslmode + any leftover separator so pg doesn't re-derive ssl.
+  const url = originalUrl
+    .replace(/([?&])sslmode=[^&]*/gi, '$1')
+    .replace(/\?&/, '?')
+    .replace(/&&/g, '&')
+    .replace(/[?&]$/, '');
+  return { ssl, url };
 }

From d895e65929d5d5f840809778f88b91a28923ac8d Mon Sep 17 00:00:00 2001
From: Keith <keith.fawcett@gmail.com>
Date: Sun, 26 Apr 2026 23:24:28 -0700
Subject: [PATCH 029/131] Multi-tenant refactor + Network integration (8
 commits) (#10)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* feat(db): multi-tenant foundation + RLS

Three new migrations and matching type updates lay the groundwork for
multi-tenant deployments while keeping single-tenant self-host working
identically (just with tenantId='default' baked in).

20260507000000_multi_tenant
  - New Tenant table; seeded 'default' tenant.
  - tenantId column on every data table (Partner, Campaign, Link, Click,
    Identity, Event, Attribution, Commission, Payout, ApiKey, Config,
    Admin, MagicLinkToken, Session, WebhookEndpoint, WebhookDelivery).
  - Backfill existing rows to the default tenant.
  - Re-scope unique constraints to be per-tenant: Partner.email,
    Admin.email, Link.linkKey, Config.(key→tenantId,key).

20260507010000_rls_policies
  - PlatformAdmin table (cross-tenant Coherence support staff).
  - RLS ENABLE + FORCE on every tenanted table.
  - Policy: row visible iff tenantId matches `app.tenant_id` GUC OR
    `app.platform_admin` GUC = 'on'.
  - Tenant table: row visible iff its id matches app.tenant_id (or
    platform admin). Same for PlatformAdmin.
  - Policies use COALESCE / current_setting(..., true) so an unset GUC
    returns 0 rows (default deny) instead of erroring.

20260507020000_app_role
  - Provisions a non-superuser openpartner_app role from
    OPENPARTNER_APP_DB_PASSWORD. Postgres bypasses RLS for superusers
    and BYPASSRLS roles regardless of FORCE, so RLS only protects when
    the app connects as a constrained role.
  - Grants DML (no DDL) on every tenanted table.
  - Idempotent: rotates password if the role already exists.
  - Skipped (with notice) when OPENPARTNER_APP_DB_PASSWORD is unset —
    self-host installs that don't need RLS isolation can run the app as
    the same role as migrations.

Migration runner sets `row_security = off` at session start so DDL
runs unrestricted.

Verified: connecting as openpartner_app, queries return 0 rows when
app.tenant_id is unset or mismatched, and only the in-scope tenant's
rows when set correctly. Platform-admin override works.

Types: every Row interface gained `tenantId: string`; new TenantRow,
PlatformAdminRow types and DEFAULT_TENANT_ID constant.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(api): tenancy middleware + connection split (admin vs app pools)

Two knex instances now:
  db (admin pool, DATABASE_URL)
    - migrations, signup, platform-admin tooling, jobs that need
      cross-tenant access
    - bypasses RLS (superuser/owner role)

  appDb (app pool, DATABASE_URL_APP if set, else DATABASE_URL)
    - normal request handling. When pointed at the openpartner_app role
      every query is subject to RLS.
    - per-request transaction in tenancy middleware sets
      `app.tenant_id` (and optionally `app.platform_admin = 'on'`)
      so RLS policies match correctly.

OPENPARTNER_TENANCY env (defaults 'single'):
  single  — every request runs as tenantId = DEFAULT_TENANT_ID. Self-host.
  multi   — path-based tenant resolution (/t/<slug>/...). Reserved
            slugs (www, api, app, signup, etc.) reject.

tenantMiddleware:
  - resolves tenantId for the request
  - opens a transaction on appDb
  - stamps req.db, req.tenantId, req.tenantSlug
  - awaits response finish before committing/rolling back so handler
    queries land in the right transaction context.

Routes will switch from `db('Partner')...` to `req.db('Partner')...`
and add `tenantId: req.tenantId` to inserts. That refactor is the next
commit; this one just lays the wiring.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(tenancy): add tenantOf(req) helper for route handler ergonomics

* docs(multi-tenant): handoff guide for the in-progress refactor

Architecture decisions, what's committed, file-by-file refactor plan,
test fixup plan, and how to resume. Read this first before continuing
the multi-tenant work on this branch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(api): route + helper refactor for tenant-scoped req.db

Section A + B + C + E of the multi-tenant refactor: every route handler
now uses tenantOf(req) for a per-request transaction with app.tenant_id
pinned. Helpers (auth-sessions, auth.resolvePrincipal, config, mail-
settings, mailer, attribution, payouts, usage-billing, webhook-dispatcher)
take Knex + tenantId as parameters. tenantMiddleware is mounted in
app.ts; install + metrics stay public above it. Stripe webhook resolves
tenantId from event metadata and runs each event in appDb.transaction
with SET LOCAL app.tenant_id. Scheduler iterates active tenants per
tick. Typecheck passes.

What this leaves: section D (public /signup), F (test seed updates so
35 of 64 currently-failing tests go green), G (multi-tenant isolation
tests), H (env config + ops). Documented in docs/multi-tenant-refactor.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(api): public /signup + test seed tenantId fixes

Section D + F of the multi-tenant refactor.

D — POST /signup creates a Tenant + first Admin and emails an activation
magic link. Public, IP rate-limited (10/min), gated by slug validation
(/^[a-z0-9-]{3,30}$/, not in RESERVED_SLUGS, not already taken). Mounted
before tenantMiddleware in app.ts and uses the privileged db. Multi-mode
only — single-mode operators use /install.

F — every direct db().insert() in integration.test.ts, regressions.test.ts,
stripe-webhook.test.ts, and webhooks.test.ts now stamps tenantId:
DEFAULT_TENANT_ID. Test setups force OPENPARTNER_TENANCY=single. Cannot
verify against a live Postgres in this session; flagged as DONE BUT NOT
VALIDATED in docs/multi-tenant-refactor.md so the next pass runs the
suite first.

Handoff doc updated with current branch state and remaining work
(sections G, H + test validation).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* chore(ops): multi-tenant env + docker + DO + docs

Section H of the multi-tenant refactor.

- .env.example: OPENPARTNER_TENANCY, OPENPARTNER_APP_DB_PASSWORD,
  DATABASE_URL_APP with explanatory comments.
- docker-compose.yml: mount docker/initdb so postgres provisions the
  openpartner_app role on first boot. Role is NOLOGIN if no password
  set so RLS isolation can still be exercised via SET ROLE in tests.
- .do/app.yaml: add OPENPARTNER_TENANCY=multi (default for hosted),
  DATABASE_URL_APP + OPENPARTNER_APP_DB_PASSWORD secrets on the api
  component.
- docs/deploy-production.md: rows for the new secrets in the env
  table; new "Multi-tenant rollout" subsection covering URL routing,
  signup, RLS engagement, Stripe webhook tenant resolution, reserved
  slugs, and the migration path from single-tenant.

The route, helper, signup, and stripe-webhook refactors plus this
ops layer make the multi-tenant branch deployable. What's left in
docs/multi-tenant-refactor.md is section G (live-Postgres isolation
tests) — needs a real DB to write meaningfully.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* fix(tenancy): bypass RLS on privileged db, commit trx pre-response, add isolation tests

Section G of the multi-tenant refactor + two real bugs the existing
suite surfaced once it ran against a real Postgres.

Bug 1: privileged db was subject to FORCE RLS. The migration role
owns the tenanted tables but FORCE RLS still gates the owner unless
row_security is explicitly off or app.tenant_id is set. Without
either, /metrics, /signup, the stripe-webhook tenant resolver, the
scheduler, and every test's direct cleanup query silently saw zero
rows. Fixed by adding bypassRls: true to createDb (sets row_security
= off in afterCreate) and turning it on for the privileged pool. The
appDb (tenant pool) keeps RLS engaged.

Bug 2: tenantMiddleware committed the per-request transaction on
res.on('finish'), which fires AFTER the response is sent. Tests doing
`await request(app).post(...)` then `await db(...).insert(...)` raced
the commit and got FK violations because the route's writes weren't
yet visible. Fixed by patching res.json/send/end so the trx commits
(or rolls back on 5xx) before any byte goes out. Belt-and-suspenders
res.on('close') still rolls back if the patched methods are bypassed.

Section G: apps/api/src/__tests__/multi-tenant.test.ts — 9 tests
that connect as openpartner_app via SET ROLE inside a privileged-pool
transaction (so RLS engages because openpartner_app has neither
BYPASSRLS nor superuser). Covers default deny, per-tenant visibility,
WITH CHECK rejection on cross-tenant inserts, platform_admin override,
session isolation, and the Tenant table self-policy. Suite skips
cleanly with a warning if the openpartner_app role isn't provisioned.

Stripe webhook tenant resolution: customer/invoice/charge events that
don't carry our metadata now fall back to a local Identity → Click
lookup so checkout-stitched customers still route to the right tenant
on subsequent invoice.paid / charge.refunded.

Result: 73/73 tests pass against the docker-compose postgres.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(network): creator self-signup + vendor↔Network protocol

Three pieces, designed so the same code paths cover hosted multi-tenant
and self-host:

1. Public POST /partner-signup (apps/api/src/routes/partner-signup.ts).
   Tenant-scoped, IP rate-limited, creates a Partner row + magic link.
   Honors a per-tenant partner_signup config (auto_approve vs
   require_review, with disabled override). On hosted multi-tenant the
   URL is /t/<slug>/partner-signup; on self-host it's /partner-signup.

2. Vendor-side Network client (apps/api/src/network-client.ts) +
   NetworkOutbox migration. Fire-and-forget POSTs to /partners/upsert
   on creator events (signup, admin invite, revoke); failures persist
   to the outbox and the scheduler drains them every 5 min with
   exponential backoff (~24h max). vendorToken stored AES-GCM
   encrypted in Config (network_membership), never returned by GET
   /config/network. backfillPartners(...) reconciles a vendor's
   existing roster when they enable Network membership later — the
   Network dedups on email and returns alreadyExisted=true for
   creators who joined another vendor first.

3. Network protocol spec (docs/network-protocol.md). Defines the
   /vendors/register, /partners/upsert, /vendors/backfill-partners,
   and /vendors/me/heartbeat surface that openpartner-network
   implements. Spells out the identity model (vendorId,
   vendorPartnerId, networkCreatorId), auth rotation, and the
   late-join reconciliation behavior.

Wired into existing flows:
- POST /partners (admin invite) + /partners/:id/revoke push to Network
  when membership is enabled. autoEnroll gates new-partner upserts;
  revokes mirror unconditionally so a Network-known creator stops
  being matched after the vendor cuts them off.
- Settings router exposes GET/POST /config/network,
  POST /config/network/backfill, and GET/POST /config/partner-signup.
- Scheduler runs network-outbox-drain every 5 min per active tenant.

Tests (apps/api/src/__tests__/network-and-signup.test.ts, 9 cases)
spin up an in-process HTTP receiver to act as the Network and verify:
signup without Network is silent; with Network on stamps
networkCreatorId on Partner.metadata.network; with Network down
enqueues outbox; drain retries succeed; require_review still pushes
status=pending; admin invite + revoke push; late-join backfill flips
preExisting=true for emails the Network already knew; GET
/config/network never leaks the vendor token.

82/82 tests pass against the docker-compose postgres.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(network): vendor-side onboarding integration

Wires the openpartner vendor side to the openpartner-network
self-serve onboarding flow.

network-client.ts: signupWithNetwork() POSTs to /vendors/signup;
completeNetworkConnect() POSTs to /vendors/verify-and-issue-token.
Failures surface immediately to the admin (no outbox queueing — a
failed signup is something the admin retries by hand).

routes/settings.ts: POST /config/network/start-connect mints a fresh
scoped key with NETWORK_FEDERATION_SCOPES, calls signupWithNetwork
with inferred instanceUrl + portalCallbackUrl, stashes partial state
in network_membership Config (enabled=false until verify lands).
POST /config/network/complete-connect consumes the magic-link ntoken,
calls Network /vendors/verify-and-issue-token, saves the returned
vendorToken with enabled=true. Same shape works for hosted multi-
tenant tenants (slug-aware URL inference) and self-host (request host).

routes/signup.ts: hosted multi-tenant signup auto-calls
signupWithNetwork after Tenant/Admin creation when NETWORK_URL env
is set. Best-effort: a Network outage doesn't fail the signup; the
admin can finish later via Settings → Network → Connect button.
Returns network: { status, vendorId } in the signup response so the
portal can show the right next-step UI.

.env.example: NETWORK_URL added with explanatory comment.

82/82 vendor-side tests still pass (no regressions; the new endpoints
are additive).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* feat(portal): vendor admin Network UI — connect, offerings, requests

Closes the gap where vendors had backend wiring for Network membership
but no UI to use it. Without this, Network was invisible to vendor
admins on hosted multi-tenant + self-host.

Backend (apps/api):
- network-client.ts: NetworkProxyError + networkProxy.{listOfferings,
  createOffering, updateOffering, deleteOffering, listRequests,
  approveRequest, rejectRequest, whoami}. Decrypts the vendor token
  from network_membership Config and proxies to Network endpoints
  with the right bearer.
- routes/settings.ts: /admin/network/{me,offerings,offerings/:id,
  requests,requests/:id/approve,requests/:id/reject}. Each is a thin
  wrapper around networkProxy.* that turns NetworkProxyError into
  the appropriate HTTP status. Required because the vendorToken is
  a server-side secret — the portal can't hold it.

Portal (apps/portal):
- pages/admin/Network.tsx: connection status, contact-email/display-
  name form for the Connect button, autoEnroll toggle, backfill
  panel for late-join reconciliation.
- pages/admin/NetworkComplete.tsx: handles ?ntoken= callback from
  the Network onboarding email; calls /config/network/complete-connect,
  redirects to /admin/network on success. StrictMode-safe (one-shot
  guard).
- pages/admin/NetworkOfferings.tsx: list + create + publish/unpublish
  + delete. Campaign dropdown pulls from /campaigns. Form fields:
  title, description, productUrl, campaign, commission summary,
  cookie window.
- pages/admin/NetworkRequests.tsx: pending requests list with creator
  bio + pitch; approve dispatches federation (creates Partner +
  Link on this instance); reject + status filter (pending /
  approved / rejected / cancelled).

Wired into App.tsx routes + a new "Network" sidebar section
(Connection, Offerings, Requests).

Typecheck passes; portal builds (318 KB JS, 92 KB gzip).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Keith Fawcett <keith@brightyard.co>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .do/app.yaml                                  |  18 +
 .env.example                                  |  29 +-
 apps/api/src/__tests__/admin-invite.test.ts   |   3 +-
 apps/api/src/__tests__/integration.test.ts    |  18 +-
 apps/api/src/__tests__/multi-tenant.test.ts   | 227 ++++++++
 .../src/__tests__/network-and-signup.test.ts  | 344 ++++++++++++
 apps/api/src/__tests__/partner-invite.test.ts |   3 +-
 apps/api/src/__tests__/regressions.test.ts    |  20 +-
 apps/api/src/__tests__/stripe-webhook.test.ts |  10 +-
 apps/api/src/__tests__/webhooks.test.ts       |   6 +-
 apps/api/src/app.ts                           |  21 +-
 apps/api/src/attribution.ts                   |   4 +-
 apps/api/src/auth-sessions.ts                 |  44 +-
 apps/api/src/auth.ts                          |  31 +-
 apps/api/src/config.ts                        |  12 +-
 apps/api/src/db.ts                            |  55 +-
 apps/api/src/export.ts                        |  16 +-
 apps/api/src/mail-settings.ts                 |  31 +-
 apps/api/src/mailer.ts                        |  22 +-
 apps/api/src/network-client.ts                | 518 ++++++++++++++++++
 apps/api/src/payouts.ts                       |  78 +--
 apps/api/src/routes/admin-overview.ts         |   5 +-
 apps/api/src/routes/admins.ts                 |  98 ++--
 apps/api/src/routes/api-keys.ts               |  13 +-
 apps/api/src/routes/auth.ts                   |   3 +-
 apps/api/src/routes/billing.ts                |  44 +-
 apps/api/src/routes/campaigns.ts              |   7 +-
 apps/api/src/routes/commissions.ts            |  10 +-
 apps/api/src/routes/connect.ts                |  12 +-
 apps/api/src/routes/dashboard.ts              |   3 +-
 apps/api/src/routes/events.ts                 |   5 +-
 apps/api/src/routes/export.ts                 |   9 +-
 apps/api/src/routes/fraud-review.ts           |  90 +--
 apps/api/src/routes/funnel.ts                 |   3 +-
 apps/api/src/routes/identify.ts               |  15 +-
 apps/api/src/routes/install.ts                |  38 +-
 apps/api/src/routes/links.ts                  |   5 +-
 apps/api/src/routes/partner-auth.ts           |  27 +-
 apps/api/src/routes/partner-signup.ts         | 190 +++++++
 apps/api/src/routes/partners.ts               | 113 +++-
 apps/api/src/routes/payouts.ts                |   8 +-
 apps/api/src/routes/settings.ts               | 291 +++++++++-
 apps/api/src/routes/signup.ts                 | 195 +++++++
 apps/api/src/routes/stripe-webhook.ts         | 277 +++++++---
 apps/api/src/routes/webhooks.ts               |  14 +-
 apps/api/src/scheduler.ts                     |  61 ++-
 apps/api/src/tenancy.ts                       | 252 +++++++++
 apps/api/src/usage-billing.ts                 |  32 +-
 apps/api/src/webhook-dispatcher.ts            |  40 +-
 apps/portal/src/App.tsx                       |  19 +
 apps/portal/src/pages/admin/Network.tsx       | 190 +++++++
 .../src/pages/admin/NetworkComplete.tsx       |  70 +++
 .../src/pages/admin/NetworkOfferings.tsx      | 217 ++++++++
 .../src/pages/admin/NetworkRequests.tsx       | 149 +++++
 docker-compose.yml                            |   6 +
 docker/initdb/10-app-role.sh                  |  46 ++
 docs/deploy-production.md                     |  47 ++
 docs/multi-tenant-refactor.md                 | 420 ++++++++++++++
 docs/network-protocol.md                      | 215 ++++++++
 .../migrations/20260507000000_multi_tenant.ts | 188 +++++++
 .../migrations/20260507010000_rls_policies.ts | 146 +++++
 .../db/migrations/20260507020000_app_role.ts  | 106 ++++
 .../20260508000000_network_outbox.ts          |  69 +++
 packages/db/scripts/migrate.ts                |   6 +
 packages/db/src/index.ts                      |  27 +
 packages/db/src/types.ts                      |  70 +++
 66 files changed, 4964 insertions(+), 397 deletions(-)
 create mode 100644 apps/api/src/__tests__/multi-tenant.test.ts
 create mode 100644 apps/api/src/__tests__/network-and-signup.test.ts
 create mode 100644 apps/api/src/network-client.ts
 create mode 100644 apps/api/src/routes/partner-signup.ts
 create mode 100644 apps/api/src/routes/signup.ts
 create mode 100644 apps/api/src/tenancy.ts
 create mode 100644 apps/portal/src/pages/admin/Network.tsx
 create mode 100644 apps/portal/src/pages/admin/NetworkComplete.tsx
 create mode 100644 apps/portal/src/pages/admin/NetworkOfferings.tsx
 create mode 100644 apps/portal/src/pages/admin/NetworkRequests.tsx
 create mode 100644 docker/initdb/10-app-role.sh
 create mode 100644 docs/multi-tenant-refactor.md
 create mode 100644 docs/network-protocol.md
 create mode 100644 packages/db/migrations/20260507000000_multi_tenant.ts
 create mode 100644 packages/db/migrations/20260507010000_rls_policies.ts
 create mode 100644 packages/db/migrations/20260507020000_app_role.ts
 create mode 100644 packages/db/migrations/20260508000000_network_outbox.ts

diff --git a/.do/app.yaml b/.do/app.yaml
index d3d6d58..34d332d 100644
--- a/.do/app.yaml
+++ b/.do/app.yaml
@@ -68,8 +68,26 @@ services:
       - key: DATABASE_URL
         type: SECRET
         scope: RUN_TIME
+      # App-pool connection — connects as openpartner_app (a NOLOGIN-by-
+      # default role provisioned by migration 20260507020000_app_role.ts).
+      # Required in multi-tenant deploys for RLS to actually engage at
+      # runtime; in single-tenant self-host you can leave it unset and
+      # let everything run as the migration role.
+      - key: DATABASE_URL_APP
+        type: SECRET
+        scope: RUN_TIME
+      # Password used to provision openpartner_app on migrate. Pair with
+      # DATABASE_URL_APP. Rotation: change here, redeploy to re-run the
+      # idempotent role migration which alters the password in place.
+      - key: OPENPARTNER_APP_DB_PASSWORD
+        type: SECRET
+        scope: RUN_TIME
       - key: OPENPARTNER_MODE
         value: flat
+      # single | multi. Hosted deploys default to multi; flip to single
+      # if running a single-tenant fork on App Platform.
+      - key: OPENPARTNER_TENANCY
+        value: multi
       - key: POSTMARK_MESSAGE_STREAM
         value: outbound
       # Enables the in-process scheduler (usage reporting + payouts).
diff --git a/.env.example b/.env.example
index efa65c9..7ad8b3a 100644
--- a/.env.example
+++ b/.env.example
@@ -5,9 +5,30 @@
 # Values: selfhost | flat | revshare
 OPENPARTNER_MODE=selfhost
 
-# Database
+# Tenancy mode — single tenant (self-host bootstrap) vs multi-tenant
+# (hosted, /t/<slug>/... URL routing). Values: single | multi
+# Self-host customers leave this at 'single'. Hosted operators set
+# 'multi' and use POST /signup to provision tenants.
+OPENPARTNER_TENANCY=single
+
+# Database — privileged connection used by migrations, signup, the
+# Stripe webhook handler, and the in-process scheduler. Bypasses RLS.
 DATABASE_URL=postgres://openpartner:openpartner@localhost:5433/openpartner
 
+# Optional: app-role connection string used by every tenant-scoped
+# request. Run as a non-superuser without BYPASSRLS so RLS engages as
+# defense-in-depth alongside the per-request app.tenant_id filter.
+# When unset, tenant-scoped requests fall back to DATABASE_URL and RLS
+# is bypassed (app-level filtering still applies). Self-hosters opt in
+# by setting both this and OPENPARTNER_APP_DB_PASSWORD.
+DATABASE_URL_APP=
+
+# Password used to provision the openpartner_app role on migrate. The
+# 20260507020000_app_role.ts migration creates the role with this
+# password (rotates it if the role already exists). Skipped with a
+# notice if unset. Pair with DATABASE_URL_APP pointing at this role.
+OPENPARTNER_APP_DB_PASSWORD=
+
 # Service ports
 ROUTER_PORT=4701
 API_PORT=4601
@@ -80,3 +101,9 @@ POSTMARK_MESSAGE_STREAM=outbound
 # /metrics is open (fine on internal networks). Set it when /metrics is
 # reachable from the public internet.
 METRICS_TOKEN=
+
+# Optional: URL of the OpenPartner Network coordinator. When set, hosted
+# multi-tenant signups auto-register with the Network (admin still
+# confirms via the magic link); self-host installs see a "Connect to
+# Network" button under Settings → Network. Leave empty to opt out.
+NETWORK_URL=
diff --git a/apps/api/src/__tests__/admin-invite.test.ts b/apps/api/src/__tests__/admin-invite.test.ts
index df8ab09..6fb9ab1 100644
--- a/apps/api/src/__tests__/admin-invite.test.ts
+++ b/apps/api/src/__tests__/admin-invite.test.ts
@@ -14,6 +14,7 @@ import { __setMailerForTests, type Mailer, type Message } from '../mailer.js';
 const ADMIN_KEY = 'op_test_admin_persona_0123456789abcdef0123';
 process.env.ADMIN_API_KEY = ADMIN_KEY;
 process.env.PORTAL_URL = 'http://localhost:5673';
+process.env.OPENPARTNER_TENANCY = 'single';
 
 const skipIntegration = !process.env.DATABASE_URL || process.env.INTEGRATION === 'skip';
 
@@ -30,7 +31,7 @@ const app = createApp({ enableLogger: false });
 
 class CapturingMailer implements Mailer {
   readonly sent: Message[] = [];
-  async send(msg: Message): Promise<void> {
+  async send(_ctx: unknown, msg: Message): Promise<void> {
     this.sent.push(msg);
   }
   findFor(to: string, purpose?: string): Message | undefined {
diff --git a/apps/api/src/__tests__/integration.test.ts b/apps/api/src/__tests__/integration.test.ts
index cb32999..f31db7f 100644
--- a/apps/api/src/__tests__/integration.test.ts
+++ b/apps/api/src/__tests__/integration.test.ts
@@ -11,7 +11,7 @@
 import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest';
 import request from 'supertest';
 import { ulid } from 'ulid';
-import { TABLES } from '@openpartner/db';
+import { DEFAULT_TENANT_ID, TABLES } from '@openpartner/db';
 import { db } from '../db.js';
 import { createApp } from '../app.js';
 
@@ -20,6 +20,9 @@ process.env.ADMIN_API_KEY = ADMIN_KEY;
 // Force selfhost — vitest auto-loads .env, so the ?? form would let a
 // developer's local .env mode bleed into the suite.
 process.env.OPENPARTNER_MODE = 'selfhost';
+// Force single tenancy — every direct insert below gets stamped with the
+// default tenant; routes go through tenantMiddleware which sets the same.
+process.env.OPENPARTNER_TENANCY = 'single';
 
 const TABLES_TO_CLEAN = [
   TABLES.Commission,
@@ -86,6 +89,7 @@ describe.skipIf(skipIntegration)('api integration', () => {
     const clickId = ulid();
     await db(TABLES.Click).insert({
       id: clickId,
+      tenantId: DEFAULT_TENANT_ID,
       linkId: linkRes.body.id,
       partnerId,
       campaignId,
@@ -175,6 +179,7 @@ describe.skipIf(skipIntegration)('api integration', () => {
     const clickId = ulid();
     await db(TABLES.Click).insert({
       id: clickId,
+      tenantId: DEFAULT_TENANT_ID,
       linkId: linkRes.body.id,
       partnerId,
       campaignId,
@@ -270,12 +275,12 @@ describe.skipIf(skipIntegration)('api integration', () => {
     const click1 = ulid();
     const click2 = ulid();
     await db(TABLES.Click).insert({
-      id: click1, linkId: link1.id, partnerId: p1, campaignId: linearCampaign,
+      id: click1, tenantId: DEFAULT_TENANT_ID, linkId: link1.id, partnerId: p1, campaignId: linearCampaign,
       landingUrl: 'x', ipHash: 'x', userAgent: 'x', referer: null, fraudFlag: null,
       ts: new Date(Date.now() - 10_000),
     });
     await db(TABLES.Click).insert({
-      id: click2, linkId: link2.id, partnerId: p2, campaignId: linearCampaign,
+      id: click2, tenantId: DEFAULT_TENANT_ID, linkId: link2.id, partnerId: p2, campaignId: linearCampaign,
       landingUrl: 'x', ipHash: 'x', userAgent: 'x', referer: null, fraudFlag: null,
       ts: new Date(Date.now() - 5_000),
     });
@@ -369,9 +374,9 @@ describe.skipIf(skipIntegration)('api integration', () => {
     const click2 = ulid();
     const click3 = ulid();
     await db(TABLES.Click).insert([
-      { id: click1, linkId: link.id, partnerId: partner.id, campaignId: campaign.id, landingUrl: 'x', ipHash: 'a', userAgent: 'x', referer: null, fraudFlag: null },
-      { id: click2, linkId: link.id, partnerId: partner.id, campaignId: campaign.id, landingUrl: 'x', ipHash: 'b', userAgent: 'x', referer: null, fraudFlag: null },
-      { id: click3, linkId: link.id, partnerId: partner.id, campaignId: campaign.id, landingUrl: 'x', ipHash: 'c', userAgent: 'x', referer: null, fraudFlag: 'velocity' },
+      { id: click1, tenantId: DEFAULT_TENANT_ID, linkId: link.id, partnerId: partner.id, campaignId: campaign.id, landingUrl: 'x', ipHash: 'a', userAgent: 'x', referer: null, fraudFlag: null },
+      { id: click2, tenantId: DEFAULT_TENANT_ID, linkId: link.id, partnerId: partner.id, campaignId: campaign.id, landingUrl: 'x', ipHash: 'b', userAgent: 'x', referer: null, fraudFlag: null },
+      { id: click3, tenantId: DEFAULT_TENANT_ID, linkId: link.id, partnerId: partner.id, campaignId: campaign.id, landingUrl: 'x', ipHash: 'c', userAgent: 'x', referer: null, fraudFlag: 'velocity' },
     ]);
 
     // User 1 stitches, signs up, pays.
@@ -433,6 +438,7 @@ describe.skipIf(skipIntegration)('api integration', () => {
     const clickId = ulid();
     await db(TABLES.Click).insert({
       id: clickId,
+      tenantId: DEFAULT_TENANT_ID,
       linkId: link.id,
       partnerId: partner.id,
       campaignId: campaign.id,
diff --git a/apps/api/src/__tests__/multi-tenant.test.ts b/apps/api/src/__tests__/multi-tenant.test.ts
new file mode 100644
index 0000000..8d21b5b
--- /dev/null
+++ b/apps/api/src/__tests__/multi-tenant.test.ts
@@ -0,0 +1,227 @@
+/**
+ * Multi-tenant isolation tests.
+ *
+ * The route + helper refactor scopes every query to req.db (a transaction
+ * with `app.tenant_id` pinned). RLS is the second line of defense: even if
+ * an app-level filter is forgotten, the policy on every tenant-scoped
+ * table drops the row. These tests exercise the policy layer directly,
+ * connecting as the openpartner_app role (which lacks BYPASSRLS so the
+ * policies actually engage) and verifying:
+ *
+ *   1. Tenant A's GUC sees only A's rows
+ *   2. Tenant B's GUC sees only B's rows
+ *   3. With no GUC set, FORCE RLS hides everything (default deny)
+ *   4. The platform_admin GUC override sees both
+ *   5. WITH CHECK rejects writes that mismatch the GUC
+ *   6. Sessions stamped to tenant A are invisible under tenant B
+ *
+ * Skipped if DATABASE_URL isn't set (same gating as the rest of the
+ * integration suite). Also skipped if the openpartner_app role doesn't
+ * exist (e.g. a fresh dev install where OPENPARTNER_APP_DB_PASSWORD was
+ * never set so the migration short-circuited).
+ */
+
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest';
+import { ulid } from 'ulid';
+import { TABLES, type TenantRow } from '@openpartner/db';
+
+process.env.OPENPARTNER_MODE = 'selfhost';
+process.env.OPENPARTNER_TENANCY = 'multi';
+
+const { db } = await import('../db.js');
+
+const skipIntegration = !process.env.DATABASE_URL || process.env.INTEGRATION === 'skip';
+
+const TENANT_A = `01TESTAA${ulid().slice(8)}`;
+const TENANT_B = `01TESTBB${ulid().slice(8)}`;
+
+// Tables we'll seed + assert on. Limited to the ones that materially
+// matter for an isolation guarantee — Partner is the canonical example
+// (carries email + payout target, the things a leak would expose).
+const SEED_TABLES_TO_RESET = [TABLES.Partner, TABLES.Session];
+
+let appRoleAvailable = false;
+
+beforeAll(async () => {
+  if (skipIntegration) return;
+  await db.raw('select 1');
+
+  const role = (await db.raw(
+    `select 1 from pg_roles where rolname = 'openpartner_app' and rolcanlogin and not rolbypassrls`,
+  )) as { rows: unknown[] };
+  appRoleAvailable = role.rows.length > 0;
+
+  // Wipe + re-seed two tenants. We use the privileged db (bypassRls=true
+  // on this pool) so cleanup isn't policy-gated.
+  await db('Tenant').whereIn('id', [TENANT_A, TENANT_B]).del();
+  await db<TenantRow>(TABLES.Tenant).insert([
+    { id: TENANT_A, slug: 'acme-test', displayName: 'Acme', status: 'active' },
+    { id: TENANT_B, slug: 'globex-test', displayName: 'Globex', status: 'active' },
+  ]);
+});
+
+afterAll(async () => {
+  if (!skipIntegration) {
+    for (const t of SEED_TABLES_TO_RESET) {
+      await db(t).whereIn('tenantId', [TENANT_A, TENANT_B]).del();
+    }
+    await db('Tenant').whereIn('id', [TENANT_A, TENANT_B]).del();
+  }
+  await db.destroy();
+});
+
+beforeEach(async () => {
+  if (skipIntegration) return;
+  for (const t of SEED_TABLES_TO_RESET) {
+    await db(t).whereIn('tenantId', [TENANT_A, TENANT_B]).del();
+  }
+  // Two Partners per tenant so we can verify counts, not just visibility.
+  await db(TABLES.Partner).insert([
+    { id: ulid(), tenantId: TENANT_A, email: `a1-${ulid()}@acme.test`, name: 'Acme P1' },
+    { id: ulid(), tenantId: TENANT_A, email: `a2-${ulid()}@acme.test`, name: 'Acme P2' },
+    { id: ulid(), tenantId: TENANT_B, email: `b1-${ulid()}@globex.test`, name: 'Globex P1' },
+  ]);
+});
+
+/**
+ * Run `fn` inside a transaction acting as openpartner_app with the given
+ * GUCs. SET ROLE switches the effective role for the duration of the
+ * transaction so RLS engages (the privileged role bypasses via
+ * `row_security = off` set on connection, but the SET ROLE switch
+ * removes that — RLS sees the new role's attributes).
+ */
+async function asAppRole<T>(
+  gucs: { tenantId?: string; platformAdmin?: boolean },
+  fn: (trx: import('knex').Knex.Transaction) => Promise<T>,
+): Promise<T> {
+  return db.transaction(async (trx) => {
+    // SET LOCAL row_security = on to undo the pool-level disable; SET
+    // ROLE openpartner_app to drop the bypass-RLS attributes the
+    // privileged owner role has.
+    await trx.raw(`set local row_security = on`);
+    await trx.raw(`set local role openpartner_app`);
+    if (gucs.tenantId) {
+      await trx.raw(`set local app.tenant_id = '${gucs.tenantId.replace(/'/g, "''")}'`);
+    }
+    if (gucs.platformAdmin) {
+      await trx.raw(`set local app.platform_admin = 'on'`);
+    }
+    return fn(trx);
+  });
+}
+
+describe.skipIf(skipIntegration)('multi-tenant RLS isolation', () => {
+  it('skips the suite cleanly when the openpartner_app role isn\'t provisioned', () => {
+    // Surface the gate so a dev sees in test output why isolation tests
+    // didn't actually run, rather than silently passing zero assertions.
+    if (!appRoleAvailable) {
+      console.warn(
+        '[multi-tenant.test] openpartner_app role missing/superuser/bypassrls — RLS isolation tests skipped',
+      );
+    }
+    expect(true).toBe(true);
+  });
+
+  it('Acme GUC sees only Acme rows', async () => {
+    if (!appRoleAvailable) return;
+    const rows = await asAppRole({ tenantId: TENANT_A }, (trx) =>
+      trx(TABLES.Partner).select('tenantId', 'email'),
+    );
+    expect(rows).toHaveLength(2);
+    expect(rows.every((r) => r.tenantId === TENANT_A)).toBe(true);
+  });
+
+  it('Globex GUC sees only Globex rows', async () => {
+    if (!appRoleAvailable) return;
+    const rows = await asAppRole({ tenantId: TENANT_B }, (trx) =>
+      trx(TABLES.Partner).select('tenantId'),
+    );
+    expect(rows).toHaveLength(1);
+    expect(rows[0]!.tenantId).toBe(TENANT_B);
+  });
+
+  it('with no GUC set, FORCE RLS hides every row (default deny)', async () => {
+    if (!appRoleAvailable) return;
+    const rows = await asAppRole({}, (trx) => trx(TABLES.Partner).select('id'));
+    expect(rows).toHaveLength(0);
+  });
+
+  it('platform_admin override sees both tenants', async () => {
+    if (!appRoleAvailable) return;
+    const rows = await asAppRole({ platformAdmin: true }, (trx) =>
+      trx(TABLES.Partner)
+        .whereIn('tenantId', [TENANT_A, TENANT_B])
+        .select('tenantId'),
+    );
+    const counts = rows.reduce<Record<string, number>>((acc, r) => {
+      acc[r.tenantId] = (acc[r.tenantId] ?? 0) + 1;
+      return acc;
+    }, {});
+    expect(counts[TENANT_A]).toBe(2);
+    expect(counts[TENANT_B]).toBe(1);
+  });
+
+  it('WITH CHECK rejects an INSERT whose tenantId does not match the GUC', async () => {
+    if (!appRoleAvailable) return;
+    await expect(
+      asAppRole({ tenantId: TENANT_A }, (trx) =>
+        trx(TABLES.Partner).insert({
+          id: ulid(),
+          tenantId: TENANT_B, // mismatch on purpose
+          email: `cross-${ulid()}@x.test`,
+          name: 'Cross-tenant',
+        }),
+      ),
+    ).rejects.toThrow(/row-level security|new row violates/i);
+  });
+
+  it('FORCE RLS subjects the table owner to policies too', async () => {
+    if (!appRoleAvailable) return;
+    // Same SET ROLE dance; we're proving that even though the privileged
+    // owner has full grants, FORCE RLS still gates it once row_security
+    // is on AND the GUC is set to a tenant.
+    const acme = await asAppRole({ tenantId: TENANT_A }, (trx) =>
+      trx(TABLES.Partner).count<{ count: string }[]>('* as count').first(),
+    );
+    const globex = await asAppRole({ tenantId: TENANT_B }, (trx) =>
+      trx(TABLES.Partner).count<{ count: string }[]>('* as count').first(),
+    );
+    expect(Number(acme!.count)).toBe(2);
+    expect(Number(globex!.count)).toBe(1);
+  });
+
+  it('a Session stitched to Acme is invisible under Globex GUC', async () => {
+    if (!appRoleAvailable) return;
+    const sessionId = ulid();
+    // Seed via privileged db (bypasses RLS) so we can stamp tenantId
+    // directly.
+    await db(TABLES.Session).insert({
+      id: sessionId,
+      tenantId: TENANT_A,
+      prefix: 'op_test_',
+      tokenHash: 'h_'.padEnd(64, 'a'),
+      principalKind: 'admin',
+      principalId: ulid(),
+      expiresAt: new Date(Date.now() + 60_000),
+    });
+
+    const seenInB = await asAppRole({ tenantId: TENANT_B }, (trx) =>
+      trx(TABLES.Session).where({ id: sessionId }).first(),
+    );
+    expect(seenInB).toBeUndefined();
+
+    const seenInA = await asAppRole({ tenantId: TENANT_A }, (trx) =>
+      trx(TABLES.Session).where({ id: sessionId }).first(),
+    );
+    expect(seenInA).toBeDefined();
+  });
+
+  it('Tenant table self-policy: A sees its own row, not B\'s', async () => {
+    if (!appRoleAvailable) return;
+    const aRows = await asAppRole({ tenantId: TENANT_A }, (trx) =>
+      trx<TenantRow>(TABLES.Tenant).whereIn('id', [TENANT_A, TENANT_B]).select('id'),
+    );
+    expect(aRows).toHaveLength(1);
+    expect(aRows[0]!.id).toBe(TENANT_A);
+  });
+});
diff --git a/apps/api/src/__tests__/network-and-signup.test.ts b/apps/api/src/__tests__/network-and-signup.test.ts
new file mode 100644
index 0000000..e5b6545
--- /dev/null
+++ b/apps/api/src/__tests__/network-and-signup.test.ts
@@ -0,0 +1,344 @@
+/**
+ * End-to-end tests for the creator self-signup flow + Network push.
+ *
+ * Spins up a local HTTP receiver in-process to act as the Network. The
+ * vendor side calls the receiver via the URL we save into
+ * `network_membership` Config; assertions cover:
+ *
+ *   1. Signup without Network: Partner row + magic link, no Network call.
+ *   2. Signup with Network ON + autoEnroll: pushes /partners/upsert,
+ *      stamps Partner.metadata.network.{creatorId,preExisting}.
+ *   3. Signup with Network down: Partner row still created, NetworkOutbox
+ *      row enqueued for retry.
+ *   4. Backfill reconciliation: a vendor that flips Network on after
+ *      having existing partners pushes them all; pre-existing creators
+ *      (matching email already on Network) get preExisting=true stamp.
+ *   5. Outbox drain: the scheduler-callable drainOutbox retries pending
+ *      rows and removes them on success.
+ *   6. Admin POST /partners and /partners/:id/revoke also push when
+ *      Network is enabled.
+ *   7. require_review policy: signup creates Partner with activatedAt=null
+ *      and still pushes (status='pending').
+ *
+ * Skipped if DATABASE_URL isn't set, like the rest of the integration
+ * suite.
+ */
+
+import { createServer, type Server } from 'node:http';
+import type { AddressInfo } from 'node:net';
+import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it } from 'vitest';
+import request from 'supertest';
+import { ulid } from 'ulid';
+import { DEFAULT_TENANT_ID, TABLES } from '@openpartner/db';
+
+const ADMIN_KEY = 'op_test_network_admin_0123456789abcdef0123';
+process.env.ADMIN_API_KEY = ADMIN_KEY;
+process.env.OPENPARTNER_MODE = 'selfhost';
+process.env.OPENPARTNER_TENANCY = 'single';
+process.env.PORTAL_URL = 'http://localhost:5673';
+
+const { db } = await import('../db.js');
+const { createApp } = await import('../app.js');
+const { drainOutbox } = await import('../network-client.js');
+const { encryptSecret } = await import('../crypto.js');
+
+const skipIntegration = !process.env.DATABASE_URL || process.env.INTEGRATION === 'skip';
+const app = createApp({ enableLogger: false });
+
+// In-process Network receiver. Each test configures `mockResponse` to
+// either succeed or fail; `received` captures every call.
+interface ReceivedCall {
+  path: string;
+  method: string;
+  authorization: string | undefined;
+  body: unknown;
+}
+let receiver: Server;
+let receiverUrl: string;
+let received: ReceivedCall[] = [];
+let mockResponse: { status: number; body: unknown } = {
+  status: 200,
+  body: { networkCreatorId: 'crt_default', alreadyExisted: false, affiliations: [] },
+};
+// Email-keyed store so we can simulate Network-side dedup for the
+// late-join backfill test. When a request comes in with an email we've
+// seen, return the same networkCreatorId + alreadyExisted=true.
+const networkCreators = new Map<string, string>();
+
+beforeAll(async () => {
+  if (skipIntegration) return;
+  await db.raw('select 1');
+  await new Promise<void>((resolve) => {
+    receiver = createServer((req, res) => {
+      const chunks: Buffer[] = [];
+      req.on('data', (c) => chunks.push(c));
+      req.on('end', () => {
+        const body = chunks.length > 0 ? JSON.parse(Buffer.concat(chunks).toString('utf8')) : null;
+        received.push({
+          path: req.url ?? '',
+          method: req.method ?? '',
+          authorization: req.headers.authorization,
+          body,
+        });
+        // Email-dedup simulation for backfill test
+        const email = (body && typeof body === 'object' && 'email' in body) ? (body as { email: string }).email : null;
+        if (email && networkCreators.has(email)) {
+          res.writeHead(200, { 'content-type': 'application/json' });
+          res.end(JSON.stringify({
+            networkCreatorId: networkCreators.get(email),
+            alreadyExisted: true,
+            affiliations: [{ vendorId: 'vnd_other', vendorPartnerId: 'pp_other', status: 'active', displayName: 'Other Vendor' }],
+          }));
+          return;
+        }
+        res.writeHead(mockResponse.status, { 'content-type': 'application/json' });
+        res.end(JSON.stringify(mockResponse.body));
+      });
+    }).listen(0, '127.0.0.1', () => {
+      const addr = receiver.address() as AddressInfo;
+      receiverUrl = `http://127.0.0.1:${addr.port}`;
+      resolve();
+    });
+  });
+});
+
+afterAll(async () => {
+  if (receiver) await new Promise<void>((r) => receiver.close(() => r()));
+  await db.destroy();
+});
+
+beforeEach(async () => {
+  if (skipIntegration) return;
+  received = [];
+  networkCreators.clear();
+  mockResponse = {
+    status: 200,
+    body: { networkCreatorId: `crt_${ulid()}`, alreadyExisted: false, affiliations: [] },
+  };
+  for (const t of [
+    TABLES.NetworkOutbox,
+    TABLES.MagicLinkToken,
+    TABLES.Partner,
+    TABLES.Config,
+  ]) {
+    await db(t).whereIn('tenantId', [DEFAULT_TENANT_ID]).del();
+  }
+});
+
+afterEach(async () => {
+  if (skipIntegration) return;
+  for (const t of [
+    TABLES.NetworkOutbox,
+    TABLES.MagicLinkToken,
+    TABLES.Partner,
+    TABLES.Config,
+  ]) {
+    await db(t).whereIn('tenantId', [DEFAULT_TENANT_ID]).del();
+  }
+});
+
+async function configureNetwork(opts: { enabled: boolean; autoEnroll?: boolean; url?: string }): Promise<void> {
+  const value = {
+    enabled: opts.enabled,
+    networkUrl: opts.url ?? receiverUrl,
+    vendorTokenCiphertext: encryptSecret('vntok_test'),
+    scopedKeyId: null,
+    autoEnroll: opts.autoEnroll ?? true,
+  };
+  await db(TABLES.Config)
+    .insert({ tenantId: DEFAULT_TENANT_ID, key: 'network_membership', value: value as unknown as never, updatedAt: new Date() })
+    .onConflict(['tenantId', 'key'])
+    .merge({ value: value as unknown as never, updatedAt: new Date() });
+}
+
+describe.skipIf(skipIntegration)('partner-signup + network push', () => {
+  it('signup without Network: creates Partner + magic link, no Network call', async () => {
+    const res = await request(app)
+      .post('/partner-signup')
+      .send({ email: 'creator1@example.test', name: 'Creator One' });
+    expect(res.status).toBe(201);
+    expect(res.body.status).toBe('active');
+
+    const partner = await db(TABLES.Partner).where({ email: 'creator1@example.test' }).first();
+    expect(partner).toBeDefined();
+    expect(partner!.activatedAt).not.toBeNull();
+    expect(received).toHaveLength(0);
+  });
+
+  it('signup with Network on: pushes /partners/upsert and stamps networkCreatorId', async () => {
+    await configureNetwork({ enabled: true });
+    const expectedCreatorId = `crt_${ulid()}`;
+    mockResponse = {
+      status: 200,
+      body: {
+        networkCreatorId: expectedCreatorId,
+        alreadyExisted: false,
+        affiliations: [],
+      },
+    };
+
+    const res = await request(app)
+      .post('/partner-signup')
+      .send({ email: 'creator2@example.test', name: 'Creator Two' });
+    expect(res.status).toBe(201);
+
+    expect(received).toHaveLength(1);
+    expect(received[0]!.path).toBe('/partners/upsert');
+    expect(received[0]!.authorization).toBe('Bearer vntok_test');
+    const sent = received[0]!.body as { email: string; metadata?: { source: string } };
+    expect(sent.email).toBe('creator2@example.test');
+    expect(sent.metadata?.source).toBe('self_signup');
+
+    const partner = await db(TABLES.Partner).where({ email: 'creator2@example.test' }).first();
+    const meta = partner!.metadata as { network?: { creatorId: string; preExisting: boolean } };
+    expect(meta.network?.creatorId).toBe(expectedCreatorId);
+    expect(meta.network?.preExisting).toBe(false);
+  });
+
+  it('signup with Network down: Partner row created, NetworkOutbox enqueued', async () => {
+    await configureNetwork({ enabled: true });
+    mockResponse = { status: 503, body: { error: 'unavailable' } };
+
+    const res = await request(app)
+      .post('/partner-signup')
+      .send({ email: 'creator3@example.test', name: 'Creator Three' });
+    expect(res.status).toBe(201);
+
+    const partner = await db(TABLES.Partner).where({ email: 'creator3@example.test' }).first();
+    expect(partner).toBeDefined();
+
+    const outbox = await db(TABLES.NetworkOutbox).where({ tenantId: DEFAULT_TENANT_ID });
+    expect(outbox).toHaveLength(1);
+    expect(outbox[0]!.op).toBe('partner_upsert');
+    expect(outbox[0]!.attempts).toBe(1);
+    expect(outbox[0]!.status).toBe('pending');
+  });
+
+  it('drainOutbox retries enqueued rows and deletes them on success', async () => {
+    await configureNetwork({ enabled: true });
+    // First push fails → enqueued.
+    mockResponse = { status: 503, body: {} };
+    await request(app)
+      .post('/partner-signup')
+      .send({ email: 'creator4@example.test', name: 'Creator Four' });
+    expect((await db(TABLES.NetworkOutbox)).length).toBe(1);
+
+    // Make outbox row eligible NOW (otherwise nextAttemptAt is in the future).
+    await db(TABLES.NetworkOutbox).update({ nextAttemptAt: new Date(Date.now() - 1000) });
+
+    // Recover the Network and drain.
+    mockResponse = {
+      status: 200,
+      body: { networkCreatorId: 'crt_recovered', alreadyExisted: false, affiliations: [] },
+    };
+    const result = await drainOutbox(db, DEFAULT_TENANT_ID);
+    expect(result.drained).toBe(1);
+    expect(result.succeeded).toBe(1);
+    expect(result.dead).toBe(0);
+
+    const remaining = await db(TABLES.NetworkOutbox);
+    expect(remaining).toHaveLength(0);
+  });
+
+  it('require_review policy: Partner created with activatedAt=null and still pushes (status=pending)', async () => {
+    await configureNetwork({ enabled: true });
+    await db(TABLES.Config)
+      .insert({
+        tenantId: DEFAULT_TENANT_ID,
+        key: 'partner_signup',
+        value: { policy: 'require_review' } as unknown as never,
+        updatedAt: new Date(),
+      })
+      .onConflict(['tenantId', 'key'])
+      .merge({ value: { policy: 'require_review' } as unknown as never, updatedAt: new Date() });
+
+    const res = await request(app)
+      .post('/partner-signup')
+      .send({ email: 'pending@example.test', name: 'Pending Creator' });
+    expect(res.status).toBe(201);
+    expect(res.body.status).toBe('pending_review');
+
+    const partner = await db(TABLES.Partner).where({ email: 'pending@example.test' }).first();
+    expect(partner!.activatedAt).toBeNull();
+
+    expect(received).toHaveLength(1);
+    expect((received[0]!.body as { status: string }).status).toBe('pending');
+  });
+
+  it('admin POST /partners pushes to Network when enabled', async () => {
+    await configureNetwork({ enabled: true });
+    const res = await request(app)
+      .post('/partners')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ email: 'invited@example.test', name: 'Invited' });
+    expect(res.status).toBe(201);
+
+    expect(received).toHaveLength(1);
+    expect((received[0]!.body as { metadata: { source: string } }).metadata.source).toBe('admin_invite');
+  });
+
+  it('admin POST /partners/:id/revoke pushes a revoke regardless of autoEnroll', async () => {
+    // autoEnroll OFF — but revoke should still mirror so Network stops matching.
+    await configureNetwork({ enabled: true, autoEnroll: false });
+
+    const create = await request(app)
+      .post('/partners')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ email: 'revoke-target@example.test', name: 'Revoke Target' });
+    expect(create.status).toBe(201);
+    expect(received).toHaveLength(0); // autoEnroll off → no upsert
+
+    const revoke = await request(app)
+      .post(`/partners/${create.body.id}/revoke`)
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ reason: 'test', notify: false });
+    expect(revoke.status).toBe(200);
+
+    expect(received).toHaveLength(1);
+    expect(received[0]!.path).toBe('/partners/upsert');
+    expect((received[0]!.body as { status: string; vendorPartnerId: string }).status).toBe('revoked');
+  });
+
+  it('backfill reconciliation: pre-existing Network creators come back with alreadyExisted=true', async () => {
+    // Two partners sit in the vendor's DB BEFORE Network is enabled.
+    const p1 = ulid();
+    const p2 = ulid();
+    await db(TABLES.Partner).insert([
+      { id: p1, tenantId: DEFAULT_TENANT_ID, email: 'preexisting@example.test', name: 'PreExisting', activatedAt: new Date() },
+      { id: p2, tenantId: DEFAULT_TENANT_ID, email: 'fresh@example.test', name: 'Fresh', activatedAt: new Date() },
+    ]);
+
+    // Simulate that 'preexisting@example.test' already has a Network identity
+    // from another vendor — receiver returns the same id with alreadyExisted=true.
+    networkCreators.set('preexisting@example.test', 'crt_preexisting_already');
+
+    await configureNetwork({ enabled: true });
+
+    const res = await request(app)
+      .post('/config/network/backfill')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({});
+    expect(res.status).toBe(200);
+    expect(res.body).toEqual({ total: 2, pushed: 2, queued: 0 });
+
+    const refreshed1 = await db(TABLES.Partner).where({ id: p1 }).first();
+    const refreshed2 = await db(TABLES.Partner).where({ id: p2 }).first();
+    const meta1 = refreshed1!.metadata as { network?: { creatorId: string; preExisting: boolean } };
+    const meta2 = refreshed2!.metadata as { network?: { creatorId: string; preExisting: boolean } };
+    expect(meta1.network?.creatorId).toBe('crt_preexisting_already');
+    expect(meta1.network?.preExisting).toBe(true);
+    expect(meta2.network?.preExisting).toBe(false);
+  });
+
+  it('GET /config/network never leaks the vendor token', async () => {
+    await configureNetwork({ enabled: true });
+    const res = await request(app)
+      .get('/config/network')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`);
+    expect(res.status).toBe(200);
+    expect(res.body).not.toHaveProperty('vendorToken');
+    expect(res.body).not.toHaveProperty('vendorTokenCiphertext');
+    expect(res.body.hasVendorToken).toBe(true);
+    expect(res.body.networkUrl).toBe(receiverUrl);
+  });
+});
diff --git a/apps/api/src/__tests__/partner-invite.test.ts b/apps/api/src/__tests__/partner-invite.test.ts
index 8c0fda9..56e7173 100644
--- a/apps/api/src/__tests__/partner-invite.test.ts
+++ b/apps/api/src/__tests__/partner-invite.test.ts
@@ -15,6 +15,7 @@ import { __setMailerForTests, type Mailer, type Message } from '../mailer.js';
 const ADMIN_KEY = 'op_test_invite_admin_0123456789abcdef0123';
 process.env.ADMIN_API_KEY = ADMIN_KEY;
 process.env.PORTAL_URL = 'http://localhost:5673';
+process.env.OPENPARTNER_TENANCY = 'single';
 
 const skipIntegration = !process.env.DATABASE_URL || process.env.INTEGRATION === 'skip';
 
@@ -29,7 +30,7 @@ const app = createApp({ enableLogger: false });
 
 class CapturingMailer implements Mailer {
   readonly sent: Message[] = [];
-  async send(msg: Message): Promise<void> {
+  async send(_ctx: unknown, msg: Message): Promise<void> {
     this.sent.push(msg);
   }
   findFor(to: string, purpose?: string): Message | undefined {
diff --git a/apps/api/src/__tests__/regressions.test.ts b/apps/api/src/__tests__/regressions.test.ts
index 4f18373..9d916a4 100644
--- a/apps/api/src/__tests__/regressions.test.ts
+++ b/apps/api/src/__tests__/regressions.test.ts
@@ -15,12 +15,13 @@
 import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest';
 import request from 'supertest';
 import { ulid } from 'ulid';
-import { TABLES } from '@openpartner/db';
+import { DEFAULT_TENANT_ID, TABLES } from '@openpartner/db';
 import { db } from '../db.js';
 import { createApp } from '../app.js';
 
 const ADMIN_KEY = 'op_test_regressions_0123456789abcdef0123';
 process.env.ADMIN_API_KEY = ADMIN_KEY;
+process.env.OPENPARTNER_TENANCY = 'single';
 
 const TABLES_TO_CLEAN = [
   TABLES.Commission,
@@ -71,6 +72,7 @@ describe.skipIf(skipIntegration)('ultrareview regressions', () => {
     const clickId = ulid();
     await db(TABLES.Click).insert({
       id: clickId,
+      tenantId: DEFAULT_TENANT_ID,
       linkId: link.id,
       partnerId: partner.id,
       campaignId: campaign.id,
@@ -78,7 +80,7 @@ describe.skipIf(skipIntegration)('ultrareview regressions', () => {
       ts: new Date(),
     });
     const userId = `u-${Date.now()}`;
-    await db(TABLES.Identity).insert({ id: ulid(), clickId, userId });
+    await db(TABLES.Identity).insert({ id: ulid(), tenantId: DEFAULT_TENANT_ID, clickId, userId });
 
     // Directly insert two rows with the same externalEventId — emulates
     // what the Stripe handler would try on a retry. The partial unique
@@ -86,6 +88,7 @@ describe.skipIf(skipIntegration)('ultrareview regressions', () => {
     const externalEventId = `evt_${ulid()}`;
     await db(TABLES.Event).insert({
       id: ulid(),
+      tenantId: DEFAULT_TENANT_ID,
       userId,
       type: 'invoice_paid',
       value: '100.00',
@@ -98,6 +101,7 @@ describe.skipIf(skipIntegration)('ultrareview regressions', () => {
     const inserted = await db(TABLES.Event)
       .insert({
         id: ulid(),
+        tenantId: DEFAULT_TENANT_ID,
         userId,
         type: 'invoice_paid',
         value: '100.00',
@@ -129,16 +133,18 @@ describe.skipIf(skipIntegration)('ultrareview regressions', () => {
     for (const cid of clickIds) {
       await db(TABLES.Click).insert({
         id: cid,
+        tenantId: DEFAULT_TENANT_ID,
         linkId: link.id,
         partnerId: partner.id,
         campaignId: campaign.id,
         landingUrl: 'https://example.com/',
         ts: new Date(),
       });
-      await db(TABLES.Identity).insert({ id: ulid(), clickId: cid, userId });
+      await db(TABLES.Identity).insert({ id: ulid(), tenantId: DEFAULT_TENANT_ID, clickId: cid, userId });
     }
     await db(TABLES.Event).insert({
       id: eventId,
+      tenantId: DEFAULT_TENANT_ID,
       userId,
       type: 'invoice_paid',
       value: '300.00',
@@ -148,6 +154,7 @@ describe.skipIf(skipIntegration)('ultrareview regressions', () => {
     for (const cid of clickIds) {
       await db(TABLES.Attribution).insert({
         id: ulid(),
+        tenantId: DEFAULT_TENANT_ID,
         eventId,
         clickId: cid,
         partnerId: partner.id,
@@ -183,6 +190,7 @@ describe.skipIf(skipIntegration)('ultrareview regressions', () => {
     await db(TABLES.Click).insert([
       {
         id: flaggedClick,
+        tenantId: DEFAULT_TENANT_ID,
         linkId: link.id,
         partnerId: partner.id,
         campaignId: campaign.id,
@@ -192,6 +200,7 @@ describe.skipIf(skipIntegration)('ultrareview regressions', () => {
       },
       {
         id: okClick,
+        tenantId: DEFAULT_TENANT_ID,
         linkId: link.id,
         partnerId: partner.id,
         campaignId: campaign.id,
@@ -200,8 +209,8 @@ describe.skipIf(skipIntegration)('ultrareview regressions', () => {
       },
     ]);
     await db(TABLES.Identity).insert([
-      { id: ulid(), clickId: flaggedClick, userId },
-      { id: ulid(), clickId: okClick, userId },
+      { id: ulid(), tenantId: DEFAULT_TENANT_ID, clickId: flaggedClick, userId },
+      { id: ulid(), tenantId: DEFAULT_TENANT_ID, clickId: okClick, userId },
     ]);
 
     // Post an event — only the ok click earns; there's one attribution row.
@@ -244,6 +253,7 @@ describe.skipIf(skipIntegration)('ultrareview regressions', () => {
     const deliveryId = ulid();
     await db(TABLES.WebhookDelivery).insert({
       id: deliveryId,
+      tenantId: DEFAULT_TENANT_ID,
       endpointId: epA.id,
       eventId: `evt_${ulid()}`,
       eventType: 'commission.paid',
diff --git a/apps/api/src/__tests__/stripe-webhook.test.ts b/apps/api/src/__tests__/stripe-webhook.test.ts
index f8e3efe..ae2a427 100644
--- a/apps/api/src/__tests__/stripe-webhook.test.ts
+++ b/apps/api/src/__tests__/stripe-webhook.test.ts
@@ -20,6 +20,7 @@ process.env.STRIPE_WEBHOOK_SECRET = WEBHOOK_SECRET;
 // Force selfhost so tests don't pick up whatever's in .env (vitest auto-loads
 // it). The merchant-subscription persistence path runs in any mode anyway.
 process.env.OPENPARTNER_MODE = 'selfhost';
+process.env.OPENPARTNER_TENANCY = 'single';
 
 // Mock the Stripe constructor so customer ops are inert. We keep the real
 // webhooks helper (used inside the route for signature verification) by
@@ -41,7 +42,7 @@ vi.mock('stripe', async () => {
 });
 
 // Imports must follow the env + mock setup so they pick up the right config.
-const { TABLES } = await import('@openpartner/db');
+const { DEFAULT_TENANT_ID, TABLES } = await import('@openpartner/db');
 const { db } = await import('../db.js');
 const { createApp } = await import('../app.js');
 
@@ -90,9 +91,10 @@ async function seedClick(): Promise<Ids> {
   const campaignId = ulid();
   const linkId = ulid();
   const clickId = ulid();
-  await db(TABLES.Partner).insert({ id: partnerId, name: 'Test partner', email: `p-${partnerId}@example.com` });
+  await db(TABLES.Partner).insert({ id: partnerId, tenantId: DEFAULT_TENANT_ID, name: 'Test partner', email: `p-${partnerId}@example.com` });
   await db(TABLES.Campaign).insert({
     id: campaignId,
+    tenantId: DEFAULT_TENANT_ID,
     name: 'Default',
     attributionModel: 'last_click',
     attributionWindowDays: 60,
@@ -100,6 +102,7 @@ async function seedClick(): Promise<Ids> {
   });
   await db(TABLES.Link).insert({
     id: linkId,
+    tenantId: DEFAULT_TENANT_ID,
     partnerId,
     campaignId,
     linkKey: `lk-${linkId}`,
@@ -107,6 +110,7 @@ async function seedClick(): Promise<Ids> {
   });
   await db(TABLES.Click).insert({
     id: clickId,
+    tenantId: DEFAULT_TENANT_ID,
     linkId,
     partnerId,
     campaignId,
@@ -455,7 +459,7 @@ describe.skipIf(skipIntegration)('stripe webhook — refund + reversal flow', ()
     const stripeInvoiceId = `in_${ulid()}`;
 
     // Set up an Identity for the customer so attribution would normally fire.
-    await db(TABLES.Identity).insert({ id: ulid(), clickId, userId: customerId });
+    await db(TABLES.Identity).insert({ id: ulid(), tenantId: DEFAULT_TENANT_ID, clickId, userId: customerId });
 
     const refundRes = await postWebhook({
       id: `evt_${ulid()}`,
diff --git a/apps/api/src/__tests__/webhooks.test.ts b/apps/api/src/__tests__/webhooks.test.ts
index 81aa107..dca1264 100644
--- a/apps/api/src/__tests__/webhooks.test.ts
+++ b/apps/api/src/__tests__/webhooks.test.ts
@@ -10,13 +10,14 @@ import type { AddressInfo } from 'node:net';
 import { afterAll, afterEach, beforeAll, beforeEach, describe, expect, it } from 'vitest';
 import request from 'supertest';
 import { ulid } from 'ulid';
-import { TABLES } from '@openpartner/db';
+import { DEFAULT_TENANT_ID, TABLES } from '@openpartner/db';
 import { db } from '../db.js';
 import { createApp } from '../app.js';
 
 const ADMIN_KEY = 'op_test_webhook_admin_0123456789abcdef0123';
 process.env.ADMIN_API_KEY = ADMIN_KEY;
 process.env.OPENPARTNER_MODE = 'selfhost';
+process.env.OPENPARTNER_TENANCY = 'single';
 
 const skipIntegration = !process.env.DATABASE_URL || process.env.INTEGRATION === 'skip';
 
@@ -147,6 +148,7 @@ describe.skipIf(skipIntegration)('webhooks', () => {
     const clickId = ulid();
     await db(TABLES.Click).insert({
       id: clickId,
+      tenantId: DEFAULT_TENANT_ID,
       linkId,
       partnerId,
       campaignId,
@@ -231,6 +233,7 @@ describe.skipIf(skipIntegration)('webhooks', () => {
     const clickId = ulid();
     await db(TABLES.Click).insert({
       id: clickId,
+      tenantId: DEFAULT_TENANT_ID,
       linkId: link.id,
       partnerId: partner.id,
       campaignId: campaign.id,
@@ -311,6 +314,7 @@ describe.skipIf(skipIntegration)('webhooks', () => {
     const clickId = ulid();
     await db(TABLES.Click).insert({
       id: clickId,
+      tenantId: DEFAULT_TENANT_ID,
       linkId: link.id,
       partnerId: partner.id,
       campaignId: campaign.id,
diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index c32ef51..4baf1be 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -30,6 +30,9 @@ import { installRouter } from './routes/install.js';
 import { fraudReviewRouter } from './routes/fraud-review.js';
 import { webhooksRouter } from './routes/webhooks.js';
 import { metricsRouter } from './routes/metrics.js';
+import { signupRouter } from './routes/signup.js';
+import { partnerSignupRouter } from './routes/partner-signup.js';
+import { tenantMiddleware } from './tenancy.js';
 
 export function createApp(options: { enableLogger?: boolean } = {}) {
   const app = express();
@@ -104,9 +107,24 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
     res.json({ ok: true, service: 'api', mode: MODE });
   });
 
+  // ----- Public, non-tenant routes (mounted BEFORE tenantMiddleware) -----
+  // These either run before any tenant exists (install), or are platform-
+  // wide (metrics scraped by Prometheus). They use the privileged db
+  // directly and are responsible for their own access control.
+  app.use(installRouter);
+  app.use(signupRouter);
+  app.use(metricsRouter);
+
+  // ----- Tenant scope -----
+  // Everything below runs inside a per-request transaction with
+  // app.tenant_id set, so RLS scopes every query to the current tenant.
+  // In single-tenancy mode, tenantId is always 'default'. In multi-tenancy
+  // mode, it's resolved from /t/<slug>/... in the URL.
+  app.use(tenantMiddleware);
+
   app.use(authRouter);
   app.use(partnerAuthRouter);
-  app.use(installRouter);
+  app.use(partnerSignupRouter);
   app.use(adminsRouter);
   app.use(settingsRouter);
   app.use(funnelRouter);
@@ -125,7 +143,6 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   app.use(exportRouter);
   app.use(billingRouter);
   app.use(adminOverviewRouter);
-  app.use(metricsRouter);
 
   app.use((err: Error, req: Request, res: Response, _next: NextFunction) => {
     req.log?.error({ err }, 'request_failed');
diff --git a/apps/api/src/attribution.ts b/apps/api/src/attribution.ts
index 369a159..22f300a 100644
--- a/apps/api/src/attribution.ts
+++ b/apps/api/src/attribution.ts
@@ -106,6 +106,7 @@ export async function attributeEvent(
     const insertRes = await db<AttributionRow>(TABLES.Attribution)
       .insert({
         id: attributionId,
+        tenantId: event.tenantId,
         eventId: event.id,
         partnerId: click.partnerId,
         campaignId: click.campaignId,
@@ -125,6 +126,7 @@ export async function attributeEvent(
     const commissionId = ulid();
     await db(TABLES.Commission).insert({
       id: commissionId,
+      tenantId: event.tenantId,
       attributionId,
       partnerId: click.partnerId,
       amount: amount.toFixed(2),
@@ -132,7 +134,7 @@ export async function attributeEvent(
       status: 'accrued',
     });
     results.push({ clickId: click.id, partnerId: click.partnerId, weight, attributionId, commissionId });
-    dispatchEvent('attribution.created', {
+    dispatchEvent(event.tenantId, 'attribution.created', {
       attributionId,
       eventId: event.id,
       partnerId: click.partnerId,
diff --git a/apps/api/src/auth-sessions.ts b/apps/api/src/auth-sessions.ts
index d90dec3..ff2144c 100644
--- a/apps/api/src/auth-sessions.ts
+++ b/apps/api/src/auth-sessions.ts
@@ -7,10 +7,17 @@
  * Tokens look like `opml_<hex>` and sessions look like `ops_<hex>`. Both
  * use the same prefix+hash lookup as ApiKey — plaintext is only ever
  * held at generation + verify time.
+ *
+ * Multi-tenant: every function takes a `Knex` (typically `req.db`, the
+ * per-request transaction with `app.tenant_id` set). issueMagicLink and
+ * createSession also take `tenantId` because RLS WITH CHECK rejects
+ * inserts that don't match the GUC, and the tenantId is needed to stamp
+ * the row.
  */
 
 import { createHash, randomBytes } from 'node:crypto';
 import type { CookieOptions } from 'express';
+import type { Knex } from 'knex';
 import { ulid } from 'ulid';
 import {
   TABLES,
@@ -19,7 +26,6 @@ import {
   type PrincipalKind,
   type SessionRow,
 } from '@openpartner/db';
-import { db } from './db.js';
 
 export const SESSION_COOKIE_NAME = 'op_session';
 const TOKEN_PREFIX_LEN = 8;
@@ -41,16 +47,21 @@ export interface IssuedMagicLink {
   expiresAt: Date;
 }
 
-export async function issueMagicLink(params: {
-  email: string;
-  purpose: MagicLinkPurpose;
-  principalKind: PrincipalKind;
-  principalId: string;
-}): Promise<IssuedMagicLink> {
+export async function issueMagicLink(
+  db: Knex,
+  params: {
+    tenantId: string;
+    email: string;
+    purpose: MagicLinkPurpose;
+    principalKind: PrincipalKind;
+    principalId: string;
+  },
+): Promise<IssuedMagicLink> {
   const { plaintext, prefix, tokenHash } = generate('opml');
   const expiresAt = new Date(Date.now() + MAGIC_TTL_MS);
   await db<MagicLinkTokenRow>(TABLES.MagicLinkToken).insert({
     id: ulid(),
+    tenantId: params.tenantId,
     prefix,
     tokenHash,
     email: params.email.toLowerCase(),
@@ -66,7 +77,7 @@ export interface ConsumedMagicLink {
   token: MagicLinkTokenRow;
 }
 
-export async function consumeMagicLink(plaintext: string): Promise<ConsumedMagicLink | null> {
+export async function consumeMagicLink(db: Knex, plaintext: string): Promise<ConsumedMagicLink | null> {
   if (plaintext.length < TOKEN_PREFIX_LEN) return null;
   const prefix = plaintext.slice(0, TOKEN_PREFIX_LEN);
   const tokenHash = hash(plaintext);
@@ -89,15 +100,20 @@ export interface IssuedSession {
   expiresAt: Date;
 }
 
-export async function createSession(params: {
-  principalKind: PrincipalKind;
-  principalId: string;
-}): Promise<IssuedSession> {
+export async function createSession(
+  db: Knex,
+  params: {
+    tenantId: string;
+    principalKind: PrincipalKind;
+    principalId: string;
+  },
+): Promise<IssuedSession> {
   const { plaintext, prefix, tokenHash } = generate('ops');
   const id = ulid();
   const expiresAt = new Date(Date.now() + SESSION_TTL_MS);
   await db<SessionRow>(TABLES.Session).insert({
     id,
+    tenantId: params.tenantId,
     prefix,
     tokenHash,
     principalKind: params.principalKind,
@@ -107,7 +123,7 @@ export async function createSession(params: {
   return { plaintext, id, expiresAt };
 }
 
-export async function resolveSession(plaintext: string): Promise<SessionRow | null> {
+export async function resolveSession(db: Knex, plaintext: string): Promise<SessionRow | null> {
   if (!plaintext || plaintext.length < TOKEN_PREFIX_LEN) return null;
   const prefix = plaintext.slice(0, TOKEN_PREFIX_LEN);
   const tokenHash = hash(plaintext);
@@ -137,7 +153,7 @@ export async function resolveSession(plaintext: string): Promise<SessionRow | nu
   return row;
 }
 
-export async function revokeSession(id: string): Promise<void> {
+export async function revokeSession(db: Knex, id: string): Promise<void> {
   await db<SessionRow>(TABLES.Session).where({ id }).update({ revokedAt: new Date() });
 }
 
diff --git a/apps/api/src/auth.ts b/apps/api/src/auth.ts
index af29f4c..bf7b131 100644
--- a/apps/api/src/auth.ts
+++ b/apps/api/src/auth.ts
@@ -10,13 +10,18 @@
  * We never store plaintext. Keys look like `op_<24 hex>` and are identified
  * by an 8-char prefix so lookups are indexed rather than table scans. The
  * hash is sha256 over the whole key.
+ *
+ * Multi-tenant: principal lookups go through `req.db` (the per-request
+ * transaction with `app.tenant_id` set), so RLS scopes ApiKey + Session
+ * lookups to the current tenant. `requireAuth` therefore must run after
+ * `tenantMiddleware`.
  */
 
 import { createHash, randomBytes } from 'node:crypto';
 import type { NextFunction, Request, Response } from 'express';
+import type { Knex } from 'knex';
 import { ulid } from 'ulid';
 import { TABLES, type ApiKeyRow } from '@openpartner/db';
-import { db } from './db.js';
 
 export type ApiKeyPrincipal =
   | { role: 'admin'; source: 'env' }
@@ -79,12 +84,19 @@ export function requirePartnerOrAdmin(paramName: string = 'id') {
 }
 
 async function resolvePrincipal(req: Request): Promise<ApiKeyPrincipal | null> {
+  const db = req.db;
+  if (!db) {
+    // requireAuth was mounted on a route that didn't pass through
+    // tenantMiddleware. That's a routing bug — fail loudly.
+    throw new Error('requireAuth invoked without a tenant-scoped req.db');
+  }
+
   const header = req.header('authorization');
   if (!header) {
     const cookie = (req as unknown as { cookies?: Record<string, string> }).cookies?.op_session;
     if (!cookie) return null;
     const { resolveSession } = await import('./auth-sessions.js');
-    const session = await resolveSession(cookie);
+    const session = await resolveSession(db, cookie);
     if (!session) return null;
     if (session.principalKind === 'admin') {
       return { role: 'admin', source: 'session', sessionId: session.id, adminId: session.principalId };
@@ -157,15 +169,20 @@ function constantTimeEqual(a: string, b: string): boolean {
   return diff === 0;
 }
 
-export async function createApiKeyRow(params: {
-  partnerId?: string | null;
-  scopes?: string[] | null;
-  label?: string;
-}): Promise<{ id: string; plaintext: string }> {
+export async function createApiKeyRow(
+  db: Knex,
+  params: {
+    tenantId: string;
+    partnerId?: string | null;
+    scopes?: string[] | null;
+    label?: string;
+  },
+): Promise<{ id: string; plaintext: string }> {
   const { plaintext, prefix, hash } = generateApiKey();
   const id = ulid();
   await db<ApiKeyRow>(TABLES.ApiKey).insert({
     id,
+    tenantId: params.tenantId,
     prefix,
     keyHash: hash,
     partnerId: params.partnerId ?? null,
diff --git a/apps/api/src/config.ts b/apps/api/src/config.ts
index bd2fb51..bff68c3 100644
--- a/apps/api/src/config.ts
+++ b/apps/api/src/config.ts
@@ -1,12 +1,12 @@
+import type { Knex } from 'knex';
 import { TABLES, type ConfigRow } from '@openpartner/db';
-import { db } from './db.js';
 
-export async function getConfig<T>(key: string): Promise<T | null> {
-  const row = await db<ConfigRow>(TABLES.Config).where({ key }).first();
+export async function getConfig<T>(db: Knex, tenantId: string, key: string): Promise<T | null> {
+  const row = await db<ConfigRow>(TABLES.Config).where({ tenantId, key }).first();
   return row ? (row.value as T) : null;
 }
 
-export async function setConfig<T>(key: string, value: T): Promise<void> {
+export async function setConfig<T>(db: Knex, tenantId: string, key: string, value: T): Promise<void> {
   // Config.value is jsonb. Knex/pg auto-serialize objects, but a plain
   // primitive (string, number, boolean) is sent as raw text and rejected
   // because "foo" is not valid JSON without quotes. Stringify + cast so
@@ -14,8 +14,8 @@ export async function setConfig<T>(key: string, value: T): Promise<void> {
   const json = JSON.stringify(value);
   const jsonbValue = db.raw('?::jsonb', [json]);
   await db<ConfigRow>(TABLES.Config)
-    .insert({ key, value: jsonbValue as unknown as object, updatedAt: new Date() })
-    .onConflict('key')
+    .insert({ tenantId, key, value: jsonbValue as unknown as object, updatedAt: new Date() })
+    .onConflict(['tenantId', 'key'])
     .merge({ value: jsonbValue as unknown as object, updatedAt: new Date() });
 }
 
diff --git a/apps/api/src/db.ts b/apps/api/src/db.ts
index 74c6ff9..018ab33 100644
--- a/apps/api/src/db.ts
+++ b/apps/api/src/db.ts
@@ -1,4 +1,57 @@
+/**
+ * Two database connections:
+ *
+ *   db (admin)  — connection used for migrations + cross-tenant operations
+ *                 (signup, platform-admin tooling). Uses DATABASE_URL.
+ *                 Bypasses RLS (it's a superuser/owner role).
+ *
+ *   appDb       — connection used for normal tenant-scoped requests. Uses
+ *                 DATABASE_URL_APP if set, otherwise falls back to
+ *                 DATABASE_URL. When set to the openpartner_app role,
+ *                 every query is subject to RLS — the per-request
+ *                 transaction (see tenancy.ts) sets `app.tenant_id` to
+ *                 scope rows correctly.
+ *
+ * Self-hosters can leave DATABASE_URL_APP unset. RLS is then bypassed
+ * (the app runs as the same role as migrations) but app-level tenantId
+ * filtering still applies, so isolation is preserved at the query layer.
+ * For real defense-in-depth, set DATABASE_URL_APP to the openpartner_app
+ * role connection string.
+ */
 import './env.js';
 import { createDb } from '@openpartner/db';
 
-export const db = createDb({ connectionString: process.env.DATABASE_URL! });
+const adminUrl = process.env.DATABASE_URL;
+const appUrl = process.env.DATABASE_URL_APP ?? adminUrl;
+
+if (!adminUrl) {
+  throw new Error('DATABASE_URL must be set');
+}
+
+/**
+ * Privileged knex instance. Used by:
+ *   - migrations (via the migrate.ts script, separately)
+ *   - signup flow (creates Tenant rows; the request has no tenantId yet)
+ *   - platform-admin tooling
+ *   - background jobs that genuinely need cross-tenant access
+ *   - stripe webhook tenant resolution (looks up by partnerId/payoutId
+ *     across tenants before opening a per-tenant trx for processing)
+ *   - the in-process scheduler enumerating active tenants
+ *   - /metrics scrape (platform-wide counts)
+ *
+ * `bypassRls: true` sets `row_security = off` on every pooled connection
+ * so cross-tenant queries actually return rows. Without this, FORCE RLS
+ * would silently zero out every query on this pool — even for the table
+ * owner. The role used here must be the table owner or have BYPASSRLS.
+ *
+ * Day-to-day API request handling should use req.db (the transaction-bound
+ * appDb instance) instead, so RLS is the second line of defense.
+ */
+export const db = createDb({ connectionString: adminUrl, bypassRls: true });
+
+/**
+ * Per-tenant pool. Tenant scope is set on each transaction via SET LOCAL
+ * app.tenant_id; see tenancy.ts withTenantTransaction. RLS is *not*
+ * bypassed on this pool — that's the whole point.
+ */
+export const appDb = createDb({ connectionString: appUrl! });
diff --git a/apps/api/src/export.ts b/apps/api/src/export.ts
index a6e70a2..323617e 100644
--- a/apps/api/src/export.ts
+++ b/apps/api/src/export.ts
@@ -92,8 +92,17 @@ export interface ImportReport {
  * Re-import a bundle. We use onConflict(pk).ignore so the operation is
  * idempotent: running the same export twice won't create duplicates, and
  * partial-then-resumed imports work.
+ *
+ * Multi-tenant: every row's tenantId is rewritten to the importing tenant.
+ * This is what lets a hosted-tier export ("acme" tenantId throughout)
+ * round-trip into a self-host installation (default tenantId), satisfying
+ * the data-portability commitment in CLAUDE.md.
  */
-export async function importBundle(db: Knex, bundle: ImportBundle): Promise<ImportReport> {
+export async function importBundle(
+  db: Knex,
+  tenantId: string,
+  bundle: ImportBundle,
+): Promise<ImportReport> {
   const inserted: Record<string, number> = {};
   const skipped: Record<string, number> = {};
 
@@ -101,7 +110,10 @@ export async function importBundle(db: Knex, bundle: ImportBundle): Promise<Impo
     const rows = bundle[table];
     if (!Array.isArray(rows) || rows.length === 0) continue;
 
-    const normalized = rows.map((r) => normalizeRow(r as Record<string, unknown>));
+    const normalized = rows.map((r) => ({
+      ...normalizeRow(r as Record<string, unknown>),
+      tenantId,
+    }));
 
     const result = await db(table)
       .insert(normalized)
diff --git a/apps/api/src/mail-settings.ts b/apps/api/src/mail-settings.ts
index d2d3bd0..efc8c73 100644
--- a/apps/api/src/mail-settings.ts
+++ b/apps/api/src/mail-settings.ts
@@ -6,17 +6,20 @@
  * username) is stored plaintext — they're identifiers, not secrets.
  *
  * Resolution order at dispatch time:
- *   1. UI-configured settings (if any, and not partially blank)
+ *   1. UI-configured settings for the calling tenant (if any, and not partially blank)
  *   2. Env vars (SMTP_HOST / POSTMARK_SERVER_TOKEN + MAIL_FROM)
  *   3. Console fallback
  *
  * The UI always wins over env, so an admin editing from the portal can
  * rotate creds without a redeploy. Hosted deployments that want to
  * force env can simply leave the UI empty.
+ *
+ * Multi-tenant: every read/write is scoped to a tenantId. Each tenant has
+ * its own (encrypted) UI mail config; env fallback is shared platform-wide.
  */
 
+import type { Knex } from 'knex';
 import { TABLES, type ConfigRow } from '@openpartner/db';
-import { db } from './db.js';
 import { decryptSecret, encryptSecret } from './crypto.js';
 
 export type MailTransportKind = 'smtp' | 'postmark' | 'none';
@@ -65,8 +68,8 @@ const CONFIG_KEY = 'mail_settings';
 
 // ---------- read ----------
 
-async function readStored(): Promise<StoredMailSettings | null> {
-  const row = await db<ConfigRow>(TABLES.Config).where({ key: CONFIG_KEY }).first();
+async function readStored(db: Knex, tenantId: string): Promise<StoredMailSettings | null> {
+  const row = await db<ConfigRow>(TABLES.Config).where({ tenantId, key: CONFIG_KEY }).first();
   return (row?.value as StoredMailSettings | undefined) ?? null;
 }
 
@@ -78,8 +81,8 @@ export interface PublicMailSettings {
   postmark: { hasToken: boolean; messageStream: string } | null;
 }
 
-export async function getPublicMailSettings(): Promise<PublicMailSettings> {
-  const stored = await readStored();
+export async function getPublicMailSettings(db: Knex, tenantId: string): Promise<PublicMailSettings> {
+  const stored = await readStored(db, tenantId);
   if (!stored) return { kind: null, from: null, smtp: null, postmark: null };
   return {
     kind: stored.kind,
@@ -100,8 +103,8 @@ export async function getPublicMailSettings(): Promise<PublicMailSettings> {
 }
 
 /** Decrypted + usable by the mailer. Never hand to an HTTP client. */
-export async function resolveMailConfig(): Promise<ResolvedMailConfig> {
-  const stored = await readStored();
+export async function resolveMailConfig(db: Knex, tenantId: string): Promise<ResolvedMailConfig> {
+  const stored = await readStored(db, tenantId);
   if (stored?.kind === 'smtp' && stored.from && stored.smtp) {
     return {
       kind: 'smtp',
@@ -192,8 +195,12 @@ export class MailSettingsValidationError extends Error {
   }
 }
 
-export async function saveMailSettings(input: MailSettingsInput): Promise<void> {
-  const current = (await readStored()) ?? ({ kind: null, from: null } as StoredMailSettings);
+export async function saveMailSettings(
+  db: Knex,
+  tenantId: string,
+  input: MailSettingsInput,
+): Promise<void> {
+  const current = (await readStored(db, tenantId)) ?? ({ kind: null, from: null } as StoredMailSettings);
 
   const next: StoredMailSettings = {
     kind: input.kind ?? current.kind,
@@ -239,7 +246,7 @@ export async function saveMailSettings(input: MailSettingsInput): Promise<void>
 
   const now = new Date();
   await db<ConfigRow>(TABLES.Config)
-    .insert({ key: CONFIG_KEY, value: next as unknown as never, updatedAt: now })
-    .onConflict('key')
+    .insert({ tenantId, key: CONFIG_KEY, value: next as unknown as never, updatedAt: now })
+    .onConflict(['tenantId', 'key'])
     .merge({ value: next as unknown as never, updatedAt: now });
 }
diff --git a/apps/api/src/mailer.ts b/apps/api/src/mailer.ts
index f8ce24f..087eb7e 100644
--- a/apps/api/src/mailer.ts
+++ b/apps/api/src/mailer.ts
@@ -1,12 +1,12 @@
 /**
  * Transactional mailer. Transport comes from resolveMailConfig():
  *
- *   UI-configured settings (Config table) take precedence — stored
- *   encrypted at rest; SMTP password / Postmark token decrypted at
+ *   UI-configured settings (Config table, per-tenant) take precedence —
+ *   stored encrypted at rest; SMTP password / Postmark token decrypted at
  *   dispatch time.
  *
  *   Env fallback if UI is empty (SMTP_HOST / POSTMARK_SERVER_TOKEN +
- *   MAIL_FROM).
+ *   MAIL_FROM). Env is shared platform-wide.
  *
  *   Console fallback if neither — dev only; the magic link prints
  *   to the `pnpm dev:api` terminal.
@@ -15,9 +15,14 @@
  * the next email without a restart. A cached mailer would be a stale-
  * creds footgun after rotation.
  *
+ * Multi-tenant: every send takes a `{ db, tenantId }` context so we look
+ * up the right tenant's UI overrides. Pass through the request's `req.db`
+ * (transaction with app.tenant_id pinned).
+ *
  * Tests override via __setMailerForTests with an in-memory capturer.
  */
 
+import type { Knex } from 'knex';
 import nodemailer from 'nodemailer';
 import { resolveMailConfig } from './mail-settings.js';
 
@@ -30,13 +35,18 @@ export interface Message {
   metadata?: Record<string, unknown>;
 }
 
+export interface SendContext {
+  db: Knex;
+  tenantId: string;
+}
+
 export interface Mailer {
-  send(msg: Message): Promise<void>;
+  send(ctx: SendContext, msg: Message): Promise<void>;
 }
 
 class RoutingMailer implements Mailer {
-  async send(msg: Message): Promise<void> {
-    const cfg = await resolveMailConfig();
+  async send(ctx: SendContext, msg: Message): Promise<void> {
+    const cfg = await resolveMailConfig(ctx.db, ctx.tenantId);
     if (cfg.kind === 'smtp' && cfg.smtp && cfg.from) {
       const transporter = nodemailer.createTransport({
         host: cfg.smtp.host,
diff --git a/apps/api/src/network-client.ts b/apps/api/src/network-client.ts
new file mode 100644
index 0000000..9ad4e3c
--- /dev/null
+++ b/apps/api/src/network-client.ts
@@ -0,0 +1,518 @@
+/**
+ * Vendor-side client for the OpenPartner Network.
+ *
+ * The Network is the marketplace coordinator at network.openpartner.dev
+ * (a separate service in the openpartner-network repo). Vendors push
+ * partner upserts and revokes to it so a creator joining one vendor's
+ * program can be matched with other vendors' programs.
+ *
+ * Hard rule: a vendor request that succeeds locally must never fail
+ * because the Network is down. Every push goes through `dispatch()`
+ * which tries the call once with a 5s timeout and, on failure,
+ * persists a NetworkOutbox row for the scheduler to drain.
+ *
+ * Per-tenant: every call is scoped via `network_membership` Config.
+ * Tenants without that row treat the Network as disabled and short-
+ * circuit (the partner mutation path is a no-op for them).
+ *
+ * The wire contract is documented in docs/network-protocol.md. If you
+ * change a payload shape here, update the doc — the Network repo
+ * builds against it.
+ */
+
+import { ulid } from 'ulid';
+import type { Knex } from 'knex';
+import { TABLES, type NetworkOutboxRow } from '@openpartner/db';
+import { decryptSecret, encryptSecret } from './crypto.js';
+
+const CONFIG_KEY = 'network_membership';
+const PUSH_TIMEOUT_MS = 5_000;
+const MAX_ATTEMPTS = 8; // exponential backoff: ~24h max wall time
+
+// ---------- config shape ----------
+
+export interface NetworkMembership {
+  enabled: boolean;
+  networkUrl: string; // e.g. https://network.openpartner.dev
+  vendorTokenCiphertext: string; // encrypted bearer for vendor → Network
+  scopedKeyId: string | null; // ApiKey.id of the scoped key Network calls back with
+  autoEnroll: boolean;
+}
+
+interface PublicNetworkMembership {
+  enabled: boolean;
+  networkUrl: string;
+  hasVendorToken: boolean;
+  scopedKeyId: string | null;
+  autoEnroll: boolean;
+}
+
+export async function getNetworkMembership(
+  db: Knex,
+  tenantId: string,
+): Promise<NetworkMembership | null> {
+  const row = await db(TABLES.Config).where({ tenantId, key: CONFIG_KEY }).first();
+  return (row?.value as NetworkMembership | undefined) ?? null;
+}
+
+export async function getPublicNetworkMembership(
+  db: Knex,
+  tenantId: string,
+): Promise<PublicNetworkMembership> {
+  const m = await getNetworkMembership(db, tenantId);
+  if (!m) {
+    return { enabled: false, networkUrl: '', hasVendorToken: false, scopedKeyId: null, autoEnroll: false };
+  }
+  return {
+    enabled: m.enabled,
+    networkUrl: m.networkUrl,
+    hasVendorToken: !!m.vendorTokenCiphertext,
+    scopedKeyId: m.scopedKeyId,
+    autoEnroll: m.autoEnroll,
+  };
+}
+
+export interface SaveNetworkMembershipInput {
+  enabled?: boolean;
+  networkUrl?: string;
+  /** Plaintext token. Undefined = keep existing; '' = clear. */
+  vendorToken?: string;
+  scopedKeyId?: string | null;
+  autoEnroll?: boolean;
+}
+
+export async function saveNetworkMembership(
+  db: Knex,
+  tenantId: string,
+  input: SaveNetworkMembershipInput,
+): Promise<void> {
+  const current = (await getNetworkMembership(db, tenantId)) ?? {
+    enabled: false,
+    networkUrl: '',
+    vendorTokenCiphertext: '',
+    scopedKeyId: null,
+    autoEnroll: false,
+  };
+
+  const next: NetworkMembership = {
+    enabled: input.enabled ?? current.enabled,
+    networkUrl: input.networkUrl ?? current.networkUrl,
+    vendorTokenCiphertext:
+      input.vendorToken === undefined
+        ? current.vendorTokenCiphertext
+        : input.vendorToken === ''
+          ? ''
+          : encryptSecret(input.vendorToken),
+    scopedKeyId: input.scopedKeyId === undefined ? current.scopedKeyId : input.scopedKeyId,
+    autoEnroll: input.autoEnroll ?? current.autoEnroll,
+  };
+
+  const now = new Date();
+  await db(TABLES.Config)
+    .insert({ tenantId, key: CONFIG_KEY, value: next as unknown as never, updatedAt: now })
+    .onConflict(['tenantId', 'key'])
+    .merge({ value: next as unknown as never, updatedAt: now });
+}
+
+// ---------- payload shapes (must match docs/network-protocol.md) ----------
+
+export interface PartnerUpsertPayload {
+  vendorPartnerId: string;
+  email: string;
+  name: string;
+  profile?: Record<string, unknown>;
+  joinedVendorAt: string;
+  status: 'pending' | 'active' | 'revoked';
+  metadata?: { source: 'self_signup' | 'admin_invite' | 'backfill' };
+}
+
+export interface PartnerUpsertResponse {
+  networkCreatorId: string;
+  alreadyExisted: boolean;
+  affiliations: Array<{
+    vendorId: string;
+    vendorPartnerId: string;
+    status: string;
+    displayName: string;
+  }>;
+}
+
+// ---------- dispatch ----------
+
+/**
+ * Run an op against the Network. Tries once synchronously with a short
+ * timeout; on failure persists to NetworkOutbox and returns null. The
+ * caller MUST treat null as a non-fatal "queued for retry".
+ *
+ * Returns the parsed response on success. Specific call sites that
+ * care about the response (e.g. signup wanting networkCreatorId
+ * immediately) await this; revoke fires void.
+ */
+export async function dispatch<T>(
+  db: Knex,
+  tenantId: string,
+  op: NetworkOutboxRow['op'],
+  payload: Record<string, unknown>,
+): Promise<T | null> {
+  const m = await getNetworkMembership(db, tenantId);
+  if (!m || !m.enabled || !m.networkUrl || !m.vendorTokenCiphertext) {
+    return null; // Network not configured for this tenant — silent no-op.
+  }
+
+  let token: string;
+  try {
+    token = decryptSecret(m.vendorTokenCiphertext);
+  } catch (err) {
+    // Bad ciphertext (encryption key rotated without re-storing). Don't
+    // queue — the outbox would have the same problem on every retry.
+    console.error('[network] vendor token undecryptable, skipping push', err);
+    return null;
+  }
+
+  const url = endpointForOp(m.networkUrl, op);
+  try {
+    const res = await fetch(url, {
+      method: 'POST',
+      headers: {
+        'content-type': 'application/json',
+        authorization: `Bearer ${token}`,
+        'user-agent': 'OpenPartner-Vendor/1',
+      },
+      body: JSON.stringify(payload),
+      signal: AbortSignal.timeout(PUSH_TIMEOUT_MS),
+    });
+    if (!res.ok) {
+      throw new Error(`network ${res.status}: ${await res.text().catch(() => '<no body>')}`);
+    }
+    return (await res.json().catch(() => null)) as T | null;
+  } catch (err) {
+    const msg = err instanceof Error ? err.message : String(err);
+    await enqueue(db, tenantId, op, payload, msg);
+    return null;
+  }
+}
+
+async function enqueue(
+  db: Knex,
+  tenantId: string,
+  op: NetworkOutboxRow['op'],
+  payload: Record<string, unknown>,
+  err: string,
+): Promise<void> {
+  await db(TABLES.NetworkOutbox).insert({
+    id: ulid(),
+    tenantId,
+    op,
+    payload: payload as unknown as never,
+    attempts: 1,
+    nextAttemptAt: nextBackoff(1),
+    lastAttemptAt: new Date(),
+    lastError: err,
+    status: 'pending',
+  });
+}
+
+function nextBackoff(attempts: number): Date {
+  // 30s, 1m, 2m, 5m, 15m, 1h, 4h, 12h — total ~24h with MAX_ATTEMPTS=8.
+  const schedule = [30, 60, 120, 300, 900, 3600, 14400, 43200];
+  const seconds = schedule[Math.min(attempts - 1, schedule.length - 1)] ?? 43200;
+  return new Date(Date.now() + seconds * 1000);
+}
+
+function endpointForOp(networkUrl: string, op: NetworkOutboxRow['op']): string {
+  const base = networkUrl.replace(/\/$/, '');
+  switch (op) {
+    case 'partner_upsert':
+    case 'partner_revoke':
+    case 'backfill_partner':
+      return `${base}/partners/upsert`;
+    default:
+      throw new Error(`unknown network op: ${op}`);
+  }
+}
+
+// ---------- public surface ----------
+
+export async function pushPartnerUpsert(
+  db: Knex,
+  tenantId: string,
+  payload: PartnerUpsertPayload,
+): Promise<PartnerUpsertResponse | null> {
+  return dispatch<PartnerUpsertResponse>(db, tenantId, 'partner_upsert', payload as unknown as Record<string, unknown>);
+}
+
+export async function pushPartnerRevoke(
+  db: Knex,
+  tenantId: string,
+  vendorPartnerId: string,
+): Promise<void> {
+  await dispatch(db, tenantId, 'partner_revoke', {
+    vendorPartnerId,
+    status: 'revoked',
+    revokedAt: new Date().toISOString(),
+  });
+}
+
+// ---------- backfill (used by Settings → Network → "Backfill") ----------
+
+export interface BackfillPartnersResult {
+  total: number;
+  pushed: number;
+  queued: number; // pushed to outbox after Network failure
+}
+
+export async function backfillPartners(
+  db: Knex,
+  tenantId: string,
+  partners: Array<{ id: string; email: string; name: string; createdAt: Date; activatedAt: Date | null; revokedAt: Date | null }>,
+): Promise<BackfillPartnersResult> {
+  let pushed = 0;
+  let queued = 0;
+  for (const p of partners) {
+    const status: PartnerUpsertPayload['status'] = p.revokedAt
+      ? 'revoked'
+      : p.activatedAt
+        ? 'active'
+        : 'pending';
+    const result = await pushPartnerUpsert(db, tenantId, {
+      vendorPartnerId: p.id,
+      email: p.email,
+      name: p.name,
+      joinedVendorAt: p.createdAt.toISOString(),
+      status,
+      metadata: { source: 'backfill' },
+    });
+    if (result) {
+      // Stamp the canonical Network id back onto the Partner row so
+      // future admin views can show "this creator is on the Network".
+      await db(TABLES.Partner)
+        .where({ id: p.id })
+        .update({
+          metadata: db.raw(
+            `jsonb_set(coalesce("metadata", '{}'::jsonb), '{network}', ?::jsonb, true)`,
+            [
+              JSON.stringify({
+                creatorId: result.networkCreatorId,
+                preExisting: result.alreadyExisted,
+                affiliations: result.affiliations.length,
+                syncedAt: new Date().toISOString(),
+              }),
+            ],
+          ),
+          updatedAt: new Date(),
+        });
+      pushed += 1;
+    } else {
+      queued += 1;
+    }
+  }
+  return { total: partners.length, pushed, queued };
+}
+
+// ---------- Self-serve onboarding helpers ----------
+// These talk to Network /vendors/signup + /vendors/verify-and-issue-token.
+// Unlike the upsert path, failures here surface to the admin immediately
+// (no outbox); a failed signup is something the admin will retry by hand.
+
+export interface SignupInput {
+  networkUrl: string;
+  instanceUrl: string;
+  scopedKey: string;
+  displayName: string;
+  contactEmail: string;
+  contactName?: string;
+  tier: 'hosted' | 'self_hosted';
+  portalCallbackUrl: string;
+}
+
+export interface SignupResult {
+  vendorId: string;
+  status: 'pending';
+  emailSent: boolean;
+}
+
+export async function signupWithNetwork(input: SignupInput): Promise<SignupResult> {
+  const url = `${input.networkUrl.replace(/\/$/, '')}/vendors/signup`;
+  const res = await fetch(url, {
+    method: 'POST',
+    headers: { 'content-type': 'application/json', 'user-agent': 'OpenPartner-Vendor/1' },
+    body: JSON.stringify({
+      instanceUrl: input.instanceUrl,
+      scopedKey: input.scopedKey,
+      displayName: input.displayName,
+      tier: input.tier,
+      contact: { email: input.contactEmail, name: input.contactName },
+      portalCallbackUrl: input.portalCallbackUrl,
+    }),
+    signal: AbortSignal.timeout(10_000),
+  });
+  const text = await res.text();
+  if (!res.ok) {
+    throw new Error(`network signup failed (${res.status}): ${text.slice(0, 300)}`);
+  }
+  return JSON.parse(text) as SignupResult;
+}
+
+export interface VerifyResult {
+  vendorId: string;
+  vendorToken: string;
+  displayName: string;
+  issuedAt: string;
+}
+
+export async function completeNetworkConnect(networkUrl: string, ntoken: string): Promise<VerifyResult> {
+  const url = `${networkUrl.replace(/\/$/, '')}/vendors/verify-and-issue-token`;
+  const res = await fetch(url, {
+    method: 'POST',
+    headers: { 'content-type': 'application/json', 'user-agent': 'OpenPartner-Vendor/1' },
+    body: JSON.stringify({ token: ntoken }),
+    signal: AbortSignal.timeout(10_000),
+  });
+  const text = await res.text();
+  if (!res.ok) {
+    throw new Error(`network verify failed (${res.status}): ${text.slice(0, 300)}`);
+  }
+  return JSON.parse(text) as VerifyResult;
+}
+
+// ---------- Direct Network proxy calls (used by /admin/network/* routes) ----------
+//
+// The vendor admin's portal needs to manage offerings + review
+// partnership requests against the Network. Both require the
+// vendorToken (server-side secret in network_membership). The portal
+// can't hold it, so the openpartner backend proxies on behalf of the
+// admin: load membership → use vendorToken → call Network → return.
+
+async function callNetwork<T>(
+  db: Knex,
+  tenantId: string,
+  method: 'GET' | 'POST' | 'PATCH' | 'DELETE',
+  path: string,
+  body?: unknown,
+): Promise<T> {
+  const m = await getNetworkMembership(db, tenantId);
+  if (!m || !m.enabled || !m.networkUrl || !m.vendorTokenCiphertext) {
+    throw new NetworkProxyError(503, 'network_not_configured');
+  }
+  let token: string;
+  try {
+    token = decryptSecret(m.vendorTokenCiphertext);
+  } catch (err) {
+    throw new NetworkProxyError(500, `vendor_token_undecryptable: ${err instanceof Error ? err.message : String(err)}`);
+  }
+  const url = `${m.networkUrl.replace(/\/$/, '')}${path}`;
+  const res = await fetch(url, {
+    method,
+    headers: {
+      'content-type': 'application/json',
+      authorization: `Bearer ${token}`,
+      'user-agent': 'OpenPartner-Vendor/1',
+    },
+    body: body !== undefined ? JSON.stringify(body) : undefined,
+    signal: AbortSignal.timeout(PUSH_TIMEOUT_MS),
+  });
+  const text = await res.text();
+  if (!res.ok) {
+    throw new NetworkProxyError(res.status, text.slice(0, 500) || `http_${res.status}`);
+  }
+  return text ? (JSON.parse(text) as T) : (null as unknown as T);
+}
+
+export class NetworkProxyError extends Error {
+  constructor(public status: number, message: string) {
+    super(message);
+    this.name = 'NetworkProxyError';
+  }
+}
+
+// Thin wrappers — they're a 1:1 with Network endpoints. Kept here so
+// the route handlers stay declarative.
+export const networkProxy = {
+  listOfferings: (db: Knex, tenantId: string) =>
+    callNetwork<{ offerings: unknown[] }>(db, tenantId, 'GET', '/vendors/me/offerings'),
+  createOffering: (db: Knex, tenantId: string, body: unknown) =>
+    callNetwork<unknown>(db, tenantId, 'POST', '/vendors/me/offerings', body),
+  updateOffering: (db: Knex, tenantId: string, id: string, body: unknown) =>
+    callNetwork<unknown>(db, tenantId, 'PATCH', `/vendors/me/offerings/${encodeURIComponent(id)}`, body),
+  deleteOffering: (db: Knex, tenantId: string, id: string) =>
+    callNetwork<{ ok: boolean }>(db, tenantId, 'DELETE', `/vendors/me/offerings/${encodeURIComponent(id)}`),
+  listRequests: (db: Knex, tenantId: string, status?: string) =>
+    callNetwork<{ requests: unknown[] }>(db, tenantId, 'GET', `/vendors/me/requests${status ? `?status=${encodeURIComponent(status)}` : ''}`),
+  approveRequest: (db: Knex, tenantId: string, id: string, body: unknown) =>
+    callNetwork<unknown>(db, tenantId, 'POST', `/vendors/me/requests/${encodeURIComponent(id)}/approve`, body),
+  rejectRequest: (db: Knex, tenantId: string, id: string, body: unknown) =>
+    callNetwork<unknown>(db, tenantId, 'POST', `/vendors/me/requests/${encodeURIComponent(id)}/reject`, body),
+  whoami: (db: Knex, tenantId: string) =>
+    callNetwork<{ id: string; displayName: string; status: string; partnerCount: number }>(
+      db,
+      tenantId,
+      'GET',
+      '/vendors/me',
+    ),
+};
+
+// ---------- outbox drain (called from scheduler.ts) ----------
+
+export async function drainOutbox(db: Knex, tenantId: string): Promise<{ drained: number; succeeded: number; dead: number }> {
+  const m = await getNetworkMembership(db, tenantId);
+  if (!m || !m.enabled || !m.networkUrl || !m.vendorTokenCiphertext) {
+    return { drained: 0, succeeded: 0, dead: 0 };
+  }
+  let token: string;
+  try {
+    token = decryptSecret(m.vendorTokenCiphertext);
+  } catch {
+    return { drained: 0, succeeded: 0, dead: 0 };
+  }
+
+  const due = await db<NetworkOutboxRow>(TABLES.NetworkOutbox)
+    .where({ status: 'pending' })
+    .andWhere('nextAttemptAt', '<=', new Date())
+    .orderBy('nextAttemptAt', 'asc')
+    .limit(100);
+
+  let succeeded = 0;
+  let dead = 0;
+
+  for (const row of due) {
+    try {
+      const url = endpointForOp(m.networkUrl, row.op);
+      const res = await fetch(url, {
+        method: 'POST',
+        headers: {
+          'content-type': 'application/json',
+          authorization: `Bearer ${token}`,
+          'user-agent': 'OpenPartner-Vendor/1',
+        },
+        body: JSON.stringify(row.payload),
+        signal: AbortSignal.timeout(PUSH_TIMEOUT_MS),
+      });
+      if (!res.ok) {
+        throw new Error(`network ${res.status}`);
+      }
+      await db(TABLES.NetworkOutbox).where({ id: row.id }).del();
+      succeeded += 1;
+    } catch (err) {
+      const attempts = row.attempts + 1;
+      const msg = err instanceof Error ? err.message : String(err);
+      if (attempts >= MAX_ATTEMPTS) {
+        await db(TABLES.NetworkOutbox).where({ id: row.id }).update({
+          status: 'dead',
+          attempts,
+          lastAttemptAt: new Date(),
+          lastError: msg,
+        });
+        dead += 1;
+      } else {
+        await db(TABLES.NetworkOutbox).where({ id: row.id }).update({
+          attempts,
+          nextAttemptAt: nextBackoff(attempts),
+          lastAttemptAt: new Date(),
+          lastError: msg,
+        });
+      }
+    }
+  }
+
+  return { drained: due.length, succeeded, dead };
+}
diff --git a/apps/api/src/payouts.ts b/apps/api/src/payouts.ts
index 45cc94a..d70f16e 100644
--- a/apps/api/src/payouts.ts
+++ b/apps/api/src/payouts.ts
@@ -14,8 +14,13 @@
  *
  * Idempotency: we stamp the transfer's idempotency key with the Payout id
  * (generated up front) so a retry after a crash does not double-transfer.
+ *
+ * Multi-tenant: takes (db, tenantId). Pass req.db from a route handler, or
+ * the privileged db with app.tenant_id pinned in the calling transaction
+ * from the scheduler.
  */
 
+import type { Knex } from 'knex';
 import { ulid } from 'ulid';
 import {
   TABLES,
@@ -23,7 +28,6 @@ import {
   type PartnerRow,
   type PayoutMethod,
 } from '@openpartner/db';
-import { db } from './db.js';
 import { REVSHARE_FEE_BPS, getMode, requireStripe, type OpenPartnerMode } from './stripe.js';
 import { dispatchEvent } from './webhook-dispatcher.js';
 
@@ -42,7 +46,7 @@ export interface PayoutRunResult {
   }>;
 }
 
-export async function runPayouts(): Promise<PayoutRunResult> {
+export async function runPayouts(db: Knex, tenantId: string): Promise<PayoutRunResult> {
   const mode = getMode();
   const runId = ulid();
 
@@ -88,29 +92,28 @@ export async function runPayouts(): Promise<PayoutRunResult> {
       onboardingIncomplete ? 'failed' :
       /* manual */ 'pending';
 
-    await db.transaction(async (trx) => {
-      await trx(TABLES.Payout).insert({
-        id: payoutId,
-        partnerId: partner.id,
-        amount: amount.toFixed(2),
-        currency: group.currency,
-        method,
-        status: finalStatus,
-        metadata: {
-          runId,
-          platformFee,
-          commissionCount: commissions.length,
-          ...(onboardingIncomplete ? { error: 'stripe_onboarding_incomplete' } : {}),
-        },
-      });
-      // Only mark commissions paid on the manual-commit path. Connect
-      // path defers until after the transfer succeeds.
-      if (method === 'manual') {
-        await trx(TABLES.Commission)
-          .whereIn('id', commissions.map((c) => c.id))
-          .update({ status: 'paid', paidAt: new Date(), payoutId });
-      }
+    await db(TABLES.Payout).insert({
+      id: payoutId,
+      tenantId,
+      partnerId: partner.id,
+      amount: amount.toFixed(2),
+      currency: group.currency,
+      method,
+      status: finalStatus,
+      metadata: {
+        runId,
+        platformFee,
+        commissionCount: commissions.length,
+        ...(onboardingIncomplete ? { error: 'stripe_onboarding_incomplete' } : {}),
+      },
     });
+    // Only mark commissions paid on the manual-commit path. Connect
+    // path defers until after the transfer succeeds.
+    if (method === 'manual') {
+      await db(TABLES.Commission)
+        .whereIn('id', commissions.map((c) => c.id))
+        .update({ status: 'paid', paidAt: new Date(), payoutId });
+    }
 
     if (onboardingIncomplete) {
       results.push({
@@ -134,24 +137,22 @@ export async function runPayouts(): Promise<PayoutRunResult> {
             amount: Math.round(amount * 100),
             currency: group.currency.toLowerCase(),
             destination: partner.stripeConnectAccountId!,
-            metadata: { openpartner_payout_id: payoutId, mode },
+            metadata: { openpartner_payout_id: payoutId, openpartner_tenant_id: tenantId, mode },
           },
           { idempotencyKey: `payout_${payoutId}` },
         );
 
-        await db.transaction(async (trx) => {
-          await trx(TABLES.Payout).where({ id: payoutId }).update({
-            stripeTransferId: transfer.id,
-            status: 'paid',
-            completedAt: new Date(),
-          });
-          await trx(TABLES.Commission)
-            .whereIn('id', commissions.map((c) => c.id))
-            .update({ status: 'paid', paidAt: new Date(), payoutId });
+        await db(TABLES.Payout).where({ id: payoutId }).update({
+          stripeTransferId: transfer.id,
+          status: 'paid',
+          completedAt: new Date(),
         });
+        await db(TABLES.Commission)
+          .whereIn('id', commissions.map((c) => c.id))
+          .update({ status: 'paid', paidAt: new Date(), payoutId });
 
         // Webhooks fire only after the success is durable.
-        dispatchEvent('payout.created', {
+        dispatchEvent(tenantId, 'payout.created', {
           payoutId,
           partnerId: partner.id,
           amount: amount.toFixed(2),
@@ -161,7 +162,7 @@ export async function runPayouts(): Promise<PayoutRunResult> {
           platformFee: platformFee || undefined,
         });
         for (const c of commissions) {
-          dispatchEvent('commission.paid', {
+          dispatchEvent(tenantId, 'commission.paid', {
             commissionId: c.id,
             partnerId: c.partnerId,
             amount: c.amount,
@@ -198,7 +199,7 @@ export async function runPayouts(): Promise<PayoutRunResult> {
     } else {
       // Manual path: commissions are already marked paid in the tx above.
       // Fire webhooks now — the operator owns the out-of-band transfer.
-      dispatchEvent('payout.created', {
+      dispatchEvent(tenantId, 'payout.created', {
         payoutId,
         partnerId: partner.id,
         amount: amount.toFixed(2),
@@ -208,7 +209,7 @@ export async function runPayouts(): Promise<PayoutRunResult> {
         platformFee: platformFee || undefined,
       });
       for (const c of commissions) {
-        dispatchEvent('commission.paid', {
+        dispatchEvent(tenantId, 'commission.paid', {
           commissionId: c.id,
           partnerId: c.partnerId,
           amount: c.amount,
@@ -230,4 +231,3 @@ export async function runPayouts(): Promise<PayoutRunResult> {
 
   return { runId, mode, payouts: results };
 }
-
diff --git a/apps/api/src/routes/admin-overview.ts b/apps/api/src/routes/admin-overview.ts
index 392c66e..6ab95b1 100644
--- a/apps/api/src/routes/admin-overview.ts
+++ b/apps/api/src/routes/admin-overview.ts
@@ -1,7 +1,7 @@
 import { Router } from 'express';
 import { TABLES, type PartnerRow } from '@openpartner/db';
-import { db } from '../db.js';
 import { requireAdmin, requireAuth } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
 
 export const adminOverviewRouter = Router();
 
@@ -12,7 +12,8 @@ export const adminOverviewRouter = Router();
  * Window defaults to 30 days; the Dub-style partner cards don't need more
  * granularity than that for the high-level view.
  */
-adminOverviewRouter.get('/admin/overview', requireAuth, requireAdmin, async (_req, res) => {
+adminOverviewRouter.get('/admin/overview', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const since = new Date(Date.now() - 30 * 24 * 60 * 60 * 1000);
 
   const partners = await db<PartnerRow>(TABLES.Partner).orderBy('createdAt', 'desc').limit(200);
diff --git a/apps/api/src/routes/admins.ts b/apps/api/src/routes/admins.ts
index dbaae42..0ab9d0f 100644
--- a/apps/api/src/routes/admins.ts
+++ b/apps/api/src/routes/admins.ts
@@ -11,14 +11,15 @@
  */
 
 import { Router } from 'express';
+import type { Knex } from 'knex';
 import { z } from 'zod';
 import { ulid } from 'ulid';
 import { TABLES, type AdminRow, type ConfigRow, type SessionRow } from '@openpartner/db';
-import { db } from '../db.js';
 import { requireAdmin, requireAuth } from '../auth.js';
 import { issueMagicLink } from '../auth-sessions.js';
 import { getMailer } from '../mailer.js';
 import { adminInviteEmail, buildMagicLinkUrl } from '../email-templates.js';
+import { tenantOf } from '../tenancy.js';
 
 export const adminsRouter = Router();
 
@@ -31,21 +32,22 @@ const revokeSchema = z.object({
   reason: z.string().max(500).optional(),
 });
 
-async function getProgramName(): Promise<string | null> {
+async function getProgramName(db: Knex): Promise<string | null> {
   const row = await db<ConfigRow>(TABLES.Config).where({ key: 'program_settings' }).first();
   const value = (row?.value ?? {}) as { programName?: string };
   return value.programName ?? null;
 }
 
-async function sendInvite(admin: AdminRow): Promise<void> {
-  const issued = await issueMagicLink({
+async function sendInvite(db: Knex, tenantId: string, admin: AdminRow): Promise<void> {
+  const issued = await issueMagicLink(db, {
+    tenantId,
     email: admin.email,
     purpose: 'admin_invite',
     principalKind: 'admin',
     principalId: admin.id,
   });
-  const tmpl = adminInviteEmail(admin.name, buildMagicLinkUrl(issued.plaintext), await getProgramName());
-  await getMailer().send({
+  const tmpl = adminInviteEmail(admin.name, buildMagicLinkUrl(issued.plaintext), await getProgramName(db));
+  await getMailer().send({ db, tenantId }, {
     to: admin.email,
     subject: tmpl.subject,
     text: tmpl.text,
@@ -57,7 +59,8 @@ async function sendInvite(admin: AdminRow): Promise<void> {
 
 // -------- List --------
 
-adminsRouter.get('/admins', requireAuth, requireAdmin, async (_req, res) => {
+adminsRouter.get('/admins', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const admins = await db<AdminRow>(TABLES.Admin).orderBy('createdAt', 'desc');
   res.json({ admins });
 });
@@ -65,6 +68,7 @@ adminsRouter.get('/admins', requireAuth, requireAdmin, async (_req, res) => {
 // -------- Invite --------
 
 adminsRouter.post('/admins', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const body = inviteSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
@@ -74,20 +78,21 @@ adminsRouter.post('/admins', requireAuth, requireAdmin, async (req, res) => {
 
   const id = ulid();
   const [admin] = await db<AdminRow>(TABLES.Admin)
-    .insert({ id, email, name: body.data.name, activatedAt: null })
+    .insert({ id, tenantId, email, name: body.data.name, activatedAt: null })
     .returning('*');
-  await sendInvite(admin as AdminRow);
+  await sendInvite(db, tenantId, admin as AdminRow);
   res.status(201).json(admin);
 });
 
 // -------- Resend invite --------
 
 adminsRouter.post('/admins/:id/invite', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const admin = await db<AdminRow>(TABLES.Admin).where({ id: req.params.id }).first();
   if (!admin) return res.status(404).json({ error: 'not_found' });
   if (admin.revokedAt) return res.status(409).json({ error: 'admin_revoked' });
   if (admin.activatedAt) return res.status(409).json({ error: 'already_activated' });
-  await sendInvite(admin);
+  await sendInvite(db, tenantId, admin);
   res.json({ ok: true });
 });
 
@@ -100,6 +105,7 @@ class RevokeGuardError extends Error {
 }
 
 adminsRouter.post('/admins/:id/revoke', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const body = revokeSchema.safeParse(req.body ?? {});
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
@@ -107,41 +113,42 @@ adminsRouter.post('/admins/:id/revoke', requireAuth, requireAdmin, async (req, r
   const now = new Date();
 
   try {
-    await db.transaction(async (trx) => {
-      // Lock the target admin + all active admins FOR UPDATE so
-      // concurrent revoke calls serialize. Without this, two simultaneous
-      // revokes of the only two active admins both pass the "count > 1"
-      // check and lock everyone out.
-      const admin = await trx<AdminRow>(TABLES.Admin).where({ id: req.params.id }).forUpdate().first();
-      if (!admin) throw new RevokeGuardError('not_found');
-      if (admin.revokedAt) throw new RevokeGuardError('already_revoked');
-
-      // Can't revoke yourself (session-sourced admins only — env-bearer
-      // callers are a headless / emergency path and can revoke anyone).
-      if (caller?.role === 'admin' && caller.source === 'session' && caller.adminId === admin.id) {
-        throw new RevokeGuardError('cannot_revoke_self');
-      }
-
-      // Last-active-admin guard inside the same tx. Count active admins
-      // under FOR UPDATE so the count is stable through commit.
-      const actives = await trx<AdminRow>(TABLES.Admin)
-        .whereNotNull('activatedAt')
-        .whereNull('revokedAt')
-        .forUpdate();
-      const willRemove = admin.activatedAt && !admin.revokedAt;
-      if (willRemove && actives.length <= 1) {
-        throw new RevokeGuardError('cannot_revoke_last_active_admin');
-      }
-
-      await trx<AdminRow>(TABLES.Admin)
-        .where({ id: admin.id })
-        .update({ revokedAt: now, revokeReason: body.data.reason ?? null, updatedAt: now });
-      // Kill admin sessions.
-      await trx<SessionRow>(TABLES.Session)
-        .where({ principalKind: 'admin', principalId: admin.id })
-        .whereNull('revokedAt')
-        .update({ revokedAt: now });
-    });
+    // The request is already in a transaction (per-request via tenantMiddleware),
+    // so use it directly. No nested transaction needed — the FOR UPDATE locks
+    // are scoped to this transaction and released on commit.
+    // Lock the target admin + all active admins FOR UPDATE so
+    // concurrent revoke calls serialize. Without this, two simultaneous
+    // revokes of the only two active admins both pass the "count > 1"
+    // check and lock everyone out.
+    const admin = await db<AdminRow>(TABLES.Admin).where({ id: req.params.id }).forUpdate().first();
+    if (!admin) throw new RevokeGuardError('not_found');
+    if (admin.revokedAt) throw new RevokeGuardError('already_revoked');
+
+    // Can't revoke yourself (session-sourced admins only — env-bearer
+    // callers are a headless / emergency path and can revoke anyone).
+    if (caller?.role === 'admin' && caller.source === 'session' && caller.adminId === admin.id) {
+      throw new RevokeGuardError('cannot_revoke_self');
+    }
+
+    // Last-active-admin guard inside the same tx. Count active admins
+    // under FOR UPDATE so the count is stable through commit.
+    const actives = await db<AdminRow>(TABLES.Admin)
+      .whereNotNull('activatedAt')
+      .whereNull('revokedAt')
+      .forUpdate();
+    const willRemove = admin.activatedAt && !admin.revokedAt;
+    if (willRemove && actives.length <= 1) {
+      throw new RevokeGuardError('cannot_revoke_last_active_admin');
+    }
+
+    await db<AdminRow>(TABLES.Admin)
+      .where({ id: admin.id })
+      .update({ revokedAt: now, revokeReason: body.data.reason ?? null, updatedAt: now });
+    // Kill admin sessions.
+    await db<SessionRow>(TABLES.Session)
+      .where({ principalKind: 'admin', principalId: admin.id })
+      .whereNull('revokedAt')
+      .update({ revokedAt: now });
   } catch (err) {
     if (err instanceof RevokeGuardError) {
       const status = err.code === 'not_found' ? 404 : 409;
@@ -156,6 +163,7 @@ adminsRouter.post('/admins/:id/revoke', requireAuth, requireAdmin, async (req, r
 // -------- Reinstate --------
 
 adminsRouter.post('/admins/:id/reinstate', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const admin = await db<AdminRow>(TABLES.Admin).where({ id: req.params.id }).first();
   if (!admin) return res.status(404).json({ error: 'not_found' });
   if (!admin.revokedAt) return res.status(409).json({ error: 'not_revoked' });
diff --git a/apps/api/src/routes/api-keys.ts b/apps/api/src/routes/api-keys.ts
index ef87cf1..89dd5ba 100644
--- a/apps/api/src/routes/api-keys.ts
+++ b/apps/api/src/routes/api-keys.ts
@@ -1,8 +1,8 @@
 import { Router } from 'express';
 import { z } from 'zod';
 import { TABLES, type ApiKeyRow } from '@openpartner/db';
-import { db } from '../db.js';
 import { createApiKeyRow, requireAdmin, requireAuth, requirePartnerOrAdmin } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
 
 const createSchema = z.object({ label: z.string().optional() });
 
@@ -24,9 +24,10 @@ export const apiKeysRouter = Router();
 
 // Admin: create admin key (ADMIN_API_KEY env is the first-class bootstrap; this is for rotation).
 apiKeysRouter.post('/api-keys', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const body = createSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-  const key = await createApiKeyRow({ partnerId: null, label: body.data.label ?? undefined });
+  const key = await createApiKeyRow(db, { tenantId, partnerId: null, label: body.data.label ?? undefined });
   res.status(201).json({ id: key.id, plaintext: key.plaintext });
 });
 
@@ -34,9 +35,10 @@ apiKeysRouter.post('/api-keys', requireAuth, requireAdmin, async (req, res) => {
 // integrations (OpenPartner Network federation is the canonical example)
 // so a leak of the stored credential can't escalate to full admin.
 apiKeysRouter.post('/api-keys/scoped', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const body = scopedCreateSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
-  const key = await createApiKeyRow({ scopes: body.data.scopes, label: body.data.label ?? 'scoped' });
+  const key = await createApiKeyRow(db, { tenantId, scopes: body.data.scopes, label: body.data.label ?? 'scoped' });
   res.status(201).json({ id: key.id, plaintext: key.plaintext, scopes: body.data.scopes });
 });
 
@@ -46,12 +48,13 @@ apiKeysRouter.post(
   requireAuth,
   requirePartnerOrAdmin('id'),
   async (req, res) => {
+    const { db, tenantId } = tenantOf(req);
     const body = createSchema.safeParse(req.body);
     if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
     const partnerId = req.params.id!;
     const partner = await db(TABLES.Partner).where({ id: partnerId }).first();
     if (!partner) return res.status(404).json({ error: 'partner_not_found' });
-    const key = await createApiKeyRow({ partnerId, label: body.data.label });
+    const key = await createApiKeyRow(db, { tenantId, partnerId, label: body.data.label });
     res.status(201).json({ id: key.id, plaintext: key.plaintext });
   },
 );
@@ -61,6 +64,7 @@ apiKeysRouter.get(
   requireAuth,
   requirePartnerOrAdmin('id'),
   async (req, res) => {
+    const { db } = tenantOf(req);
     const keys = await db<ApiKeyRow>(TABLES.ApiKey)
       .where({ partnerId: req.params.id })
       .select('id', 'prefix', 'label', 'createdAt', 'lastUsedAt', 'revokedAt')
@@ -71,6 +75,7 @@ apiKeysRouter.get(
 
 // Revoke. Admin can revoke any key; partner can only revoke their own.
 apiKeysRouter.delete('/api-keys/:keyId', requireAuth, async (req, res) => {
+  const { db } = tenantOf(req);
   const key = await db<ApiKeyRow>(TABLES.ApiKey).where({ id: req.params.keyId }).first();
   if (!key) return res.status(404).json({ error: 'not_found' });
 
diff --git a/apps/api/src/routes/auth.ts b/apps/api/src/routes/auth.ts
index f8deb9f..acc0a85 100644
--- a/apps/api/src/routes/auth.ts
+++ b/apps/api/src/routes/auth.ts
@@ -1,7 +1,7 @@
 import { Router } from 'express';
 import { TABLES, type AdminRow, type PartnerRow } from '@openpartner/db';
-import { db } from '../db.js';
 import { requireAuth } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
 
 export const authRouter = Router();
 
@@ -28,6 +28,7 @@ authRouter.get('/auth/introspect', requireAuth, async (req, res) => {
  * to render after login.
  */
 authRouter.get('/auth/whoami', requireAuth, async (req, res) => {
+  const { db } = tenantOf(req);
   const p = req.principal!;
   if (p.role === 'admin') {
     if (p.source === 'session') {
diff --git a/apps/api/src/routes/billing.ts b/apps/api/src/routes/billing.ts
index dc23291..906382c 100644
--- a/apps/api/src/routes/billing.ts
+++ b/apps/api/src/routes/billing.ts
@@ -6,27 +6,33 @@
  *               monthly subscription.
  *   revshare  → /billing/status surfaces accrued platform fees; collection is
  *               handled out-of-band against the 3% retained on payouts.
+ *
+ * Multi-tenant: every Stripe object created here is stamped with
+ * openpartner_tenant_id in metadata so the webhook handler can resolve the
+ * tenant on inbound events without hitting the path router.
  */
 
 import { Router } from 'express';
+import type { Knex } from 'knex';
 import { z } from 'zod';
 import { TABLES } from '@openpartner/db';
-import { db } from '../db.js';
 import { requireAdmin, requireAuth } from '../auth.js';
 import { REVSHARE_FEE_BPS, getMode, requireStripe } from '../stripe.js';
 import { CONFIG_KEYS, getConfig, setConfig } from '../config.js';
 import { reportUsageToStripe } from '../usage-billing.js';
+import { tenantOf } from '../tenancy.js';
 
 export const billingRouter = Router();
 
-billingRouter.get('/billing/status', requireAuth, requireAdmin, async (_req, res) => {
+billingRouter.get('/billing/status', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const mode = getMode();
   if (mode === 'selfhost') {
     return res.json({ mode, billed: false });
   }
 
   if (mode === 'flat') {
-    const subscriptionId = await getConfig<string>(CONFIG_KEYS.StripeMerchantSubscriptionId);
+    const subscriptionId = await getConfig<string>(db, tenantId, CONFIG_KEYS.StripeMerchantSubscriptionId);
     if (!subscriptionId) return res.json({ mode, subscribed: false });
     const stripe = requireStripe();
     const sub = await stripe.subscriptions.retrieve(subscriptionId);
@@ -67,6 +73,7 @@ const checkoutSchema = z.object({
 });
 
 billingRouter.post('/billing/checkout', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const mode = getMode();
   if (mode !== 'flat' && mode !== 'revshare') {
     return res.status(400).json({ error: 'only_flat_or_revshare_mode' });
@@ -96,14 +103,17 @@ billingRouter.post('/billing/checkout', requireAuth, requireAdmin, async (req, r
   // Checkout in test mode. Create or reuse a Customer for this merchant up
   // front so we can pass it to the Checkout session and so the Customer
   // Portal works on the same record after subscription completes.
-  let customerId = await getConfig<string>(CONFIG_KEYS.StripeMerchantCustomerId);
+  let customerId = await getConfig<string>(db, tenantId, CONFIG_KEYS.StripeMerchantCustomerId);
   if (!customerId) {
     const customer = await stripe.customers.create({
       email: body.data.customerEmail,
-      metadata: { openpartner_role: 'merchant_self_subscription' },
+      metadata: {
+        openpartner_role: 'merchant_self_subscription',
+        openpartner_tenant_id: tenantId,
+      },
     });
     customerId = customer.id;
-    await setConfig(CONFIG_KEYS.StripeMerchantCustomerId, customerId);
+    await setConfig(db, tenantId, CONFIG_KEYS.StripeMerchantCustomerId, customerId);
   }
 
   const session = await stripe.checkout.sessions.create({
@@ -112,11 +122,13 @@ billingRouter.post('/billing/checkout', requireAuth, requireAdmin, async (req, r
     line_items: lineItems,
     success_url: body.data.successUrl,
     cancel_url: body.data.cancelUrl,
+    metadata: { openpartner_tenant_id: tenantId },
   });
   res.json({ url: session.url });
 });
 
-billingRouter.post('/billing/report-usage', requireAuth, requireAdmin, async (_req, res) => {
+billingRouter.post('/billing/report-usage', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   // Self-host has no platform billing; revshare and flat both report to the
   // shared meter (different metered prices on the merchant subscription
   // determine the rate).
@@ -124,7 +136,7 @@ billingRouter.post('/billing/report-usage', requireAuth, requireAdmin, async (_r
     return res.status(400).json({ error: 'no_billing_in_selfhost' });
   }
   try {
-    const result = await reportUsageToStripe();
+    const result = await reportUsageToStripe(db, tenantId);
     res.json(result);
   } catch (err) {
     res.status(500).json({
@@ -135,11 +147,12 @@ billingRouter.post('/billing/report-usage', requireAuth, requireAdmin, async (_r
 });
 
 billingRouter.post('/billing/portal', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   if (getMode() !== 'flat') return res.status(400).json({ error: 'only_flat_mode' });
   const body = z.object({ returnUrl: z.string().url() }).safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
-  const customerId = await getConfig<string>(CONFIG_KEYS.StripeMerchantCustomerId);
+  const customerId = await getConfig<string>(db, tenantId, CONFIG_KEYS.StripeMerchantCustomerId);
   if (!customerId) return res.status(404).json({ error: 'no_customer_on_file' });
 
   const stripe = requireStripe();
@@ -151,7 +164,14 @@ billingRouter.post('/billing/portal', requireAuth, requireAdmin, async (req, res
 });
 
 // Exposed for the stripe webhook to call on checkout.session.completed.
-export async function persistMerchantSubscription(customerId: string, subscriptionId: string): Promise<void> {
-  await setConfig(CONFIG_KEYS.StripeMerchantCustomerId, customerId);
-  await setConfig(CONFIG_KEYS.StripeMerchantSubscriptionId, subscriptionId);
+// Webhook resolves tenantId from event metadata and passes its own db handle
+// (a transaction with app.tenant_id pinned).
+export async function persistMerchantSubscription(
+  db: Knex,
+  tenantId: string,
+  customerId: string,
+  subscriptionId: string,
+): Promise<void> {
+  await setConfig(db, tenantId, CONFIG_KEYS.StripeMerchantCustomerId, customerId);
+  await setConfig(db, tenantId, CONFIG_KEYS.StripeMerchantSubscriptionId, subscriptionId);
 }
diff --git a/apps/api/src/routes/campaigns.ts b/apps/api/src/routes/campaigns.ts
index b3bb914..945bd4f 100644
--- a/apps/api/src/routes/campaigns.ts
+++ b/apps/api/src/routes/campaigns.ts
@@ -2,8 +2,8 @@ import { Router } from 'express';
 import { z } from 'zod';
 import { ulid } from 'ulid';
 import { TABLES, type CampaignRow } from '@openpartner/db';
-import { db } from '../db.js';
 import { requireAdmin, requireAuth } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
 
 const commissionRuleSchema = z.discriminatedUnion('type', [
   z.object({ type: z.literal('percent'), value: z.number().positive(), recurring: z.boolean().optional() }),
@@ -24,12 +24,14 @@ const createSchema = z.object({
 
 export const campaignsRouter = Router();
 
-campaignsRouter.get('/campaigns', requireAuth, requireAdmin, async (_req, res) => {
+campaignsRouter.get('/campaigns', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const campaigns = await db<CampaignRow>(TABLES.Campaign).orderBy('createdAt', 'desc');
   res.json({ campaigns });
 });
 
 campaignsRouter.post('/campaigns', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const body = createSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
@@ -37,6 +39,7 @@ campaignsRouter.post('/campaigns', requireAuth, requireAdmin, async (req, res) =
   const [campaign] = await db<CampaignRow>(TABLES.Campaign)
     .insert({
       id,
+      tenantId,
       name: body.data.name,
       commissionRule: body.data.commissionRule,
       attributionWindowDays: body.data.attributionWindowDays ?? 60,
diff --git a/apps/api/src/routes/commissions.ts b/apps/api/src/routes/commissions.ts
index ca59152..994dd23 100644
--- a/apps/api/src/routes/commissions.ts
+++ b/apps/api/src/routes/commissions.ts
@@ -13,9 +13,9 @@
 import { Router } from 'express';
 import { z } from 'zod';
 import { TABLES, type CommissionRow } from '@openpartner/db';
-import { db } from '../db.js';
 import { grantScope, requireAdmin, requireAuth, requirePartnerOrAdmin } from '../auth.js';
 import { dispatchEvent } from '../webhook-dispatcher.js';
+import { tenantOf } from '../tenancy.js';
 
 const listQuerySchema = z.object({
   status: z.enum(['accrued', 'approved', 'paid', 'reversed']).optional(),
@@ -30,6 +30,7 @@ commissionsRouter.get(
   grantScope('commissions:read'),
   requirePartnerOrAdmin('id'),
   async (req, res) => {
+    const { db } = tenantOf(req);
     const q = listQuerySchema.safeParse(req.query);
     if (!q.success) return res.status(400).json({ error: 'invalid_query', detail: q.error.flatten() });
 
@@ -45,6 +46,7 @@ commissionsRouter.get(
 );
 
 commissionsRouter.get('/commissions', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const q = listQuerySchema.safeParse(req.query);
   if (!q.success) return res.status(400).json({ error: 'invalid_query', detail: q.error.flatten() });
 
@@ -56,6 +58,7 @@ commissionsRouter.get('/commissions', requireAuth, requireAdmin, async (req, res
 });
 
 commissionsRouter.post('/commissions/:id/approve', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const updated = await db<CommissionRow>(TABLES.Commission)
     .where({ id: req.params.id, status: 'accrued' })
     .update({ status: 'approved' })
@@ -64,7 +67,7 @@ commissionsRouter.post('/commissions/:id/approve', requireAuth, requireAdmin, as
     return res.status(409).json({ error: 'not_approvable', detail: 'must be in accrued state' });
   }
   const c = updated[0]!;
-  dispatchEvent('commission.approved', {
+  dispatchEvent(tenantId, 'commission.approved', {
     commissionId: c.id,
     partnerId: c.partnerId,
     amount: c.amount,
@@ -75,6 +78,7 @@ commissionsRouter.post('/commissions/:id/approve', requireAuth, requireAdmin, as
 });
 
 commissionsRouter.post('/commissions/:id/reverse', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const updated = await db<CommissionRow>(TABLES.Commission)
     .where({ id: req.params.id })
     .whereIn('status', ['accrued', 'approved'])
@@ -84,7 +88,7 @@ commissionsRouter.post('/commissions/:id/reverse', requireAuth, requireAdmin, as
     return res.status(409).json({ error: 'not_reversible', detail: 'only accrued or approved commissions' });
   }
   const c = updated[0]!;
-  dispatchEvent('commission.reversed', {
+  dispatchEvent(tenantId, 'commission.reversed', {
     commissionId: c.id,
     partnerId: c.partnerId,
     amount: c.amount,
diff --git a/apps/api/src/routes/connect.ts b/apps/api/src/routes/connect.ts
index 4901698..e86d4ed 100644
--- a/apps/api/src/routes/connect.ts
+++ b/apps/api/src/routes/connect.ts
@@ -8,14 +8,17 @@
  *
  * Active/ready status is confirmed via the `account.updated` webhook, not at
  * the callback — the callback fires before Stripe has finalized verification.
+ *
+ * Multi-tenant: Connect accounts are stamped with openpartner_tenant_id so
+ * the webhook handler can resolve the tenant on inbound account.* events.
  */
 
 import { Router } from 'express';
 import { z } from 'zod';
 import { TABLES, type PartnerRow } from '@openpartner/db';
-import { db } from '../db.js';
 import { requireAuth, requirePartnerOrAdmin } from '../auth.js';
 import { requireStripe } from '../stripe.js';
+import { tenantOf } from '../tenancy.js';
 
 const startSchema = z.object({
   returnUrl: z.string().url(),
@@ -29,6 +32,7 @@ connectRouter.post(
   requireAuth,
   requirePartnerOrAdmin('id'),
   async (req, res) => {
+    const { db, tenantId } = tenantOf(req);
     const body = startSchema.safeParse(req.body);
     if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
@@ -41,7 +45,10 @@ connectRouter.post(
       const account = await stripe.accounts.create({
         type: 'standard',
         email: partner.email,
-        metadata: { openpartner_partner_id: partner.id },
+        metadata: {
+          openpartner_partner_id: partner.id,
+          openpartner_tenant_id: tenantId,
+        },
       });
       accountId = account.id;
       await db<PartnerRow>(TABLES.Partner)
@@ -65,6 +72,7 @@ connectRouter.get(
   requireAuth,
   requirePartnerOrAdmin('id'),
   async (req, res) => {
+    const { db } = tenantOf(req);
     const partner = await db<PartnerRow>(TABLES.Partner).where({ id: req.params.id }).first();
     if (!partner) return res.status(404).json({ error: 'partner_not_found' });
 
diff --git a/apps/api/src/routes/dashboard.ts b/apps/api/src/routes/dashboard.ts
index fe61c1e..54be433 100644
--- a/apps/api/src/routes/dashboard.ts
+++ b/apps/api/src/routes/dashboard.ts
@@ -1,13 +1,14 @@
 import { Router } from 'express';
 import { TABLES } from '@openpartner/db';
-import { db } from '../db.js';
 import { grantScope, requireAuth, requirePartnerOrAdmin } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
 
 export const dashboardRouter = Router();
 
 // Partner dashboard — top-line counts, attributed revenue, commission by status.
 // Read-optimized via denormalized partnerId on Click/Attribution/Commission.
 dashboardRouter.get('/partners/:id/dashboard', requireAuth, grantScope('partners:read'), requirePartnerOrAdmin('id'), async (req, res) => {
+  const { db } = tenantOf(req);
   const partnerId = req.params.id;
   const since = req.query.since
     ? new Date(String(req.query.since))
diff --git a/apps/api/src/routes/events.ts b/apps/api/src/routes/events.ts
index dd4295c..b416c32 100644
--- a/apps/api/src/routes/events.ts
+++ b/apps/api/src/routes/events.ts
@@ -2,9 +2,9 @@ import { Router } from 'express';
 import { z } from 'zod';
 import { ulid } from 'ulid';
 import { TABLES, type EventRow } from '@openpartner/db';
-import { db } from '../db.js';
 import { attributeEvent } from '../attribution.js';
 import { requireAdmin, requireAuth } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
 
 const schema = z.object({
   userId: z.string().min(1),
@@ -17,10 +17,10 @@ const schema = z.object({
 
 export const eventsRouter = Router();
 
-// Server-to-server conversion event ingest.
 // Server-to-server conversion event ingest — requires admin credentials
 // (this is the merchant's backend speaking, not a browser).
 eventsRouter.post('/attribution/events', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const body = schema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
@@ -30,6 +30,7 @@ eventsRouter.post('/attribution/events', requireAuth, requireAdmin, async (req,
   const [event] = await db<EventRow>(TABLES.Event)
     .insert({
       id: eventId,
+      tenantId,
       userId,
       type,
       value: value != null ? value.toFixed(2) : null,
diff --git a/apps/api/src/routes/export.ts b/apps/api/src/routes/export.ts
index ccb0124..b6262bd 100644
--- a/apps/api/src/routes/export.ts
+++ b/apps/api/src/routes/export.ts
@@ -1,13 +1,14 @@
 import { Router } from 'express';
 import { z } from 'zod';
-import { db } from '../db.js';
 import { requireAdmin, requireAuth } from '../auth.js';
 import { exportAll, exportTable, importBundle, isExportable, rowsToCsv } from '../export.js';
 import { getMode } from '../stripe.js';
+import { tenantOf } from '../tenancy.js';
 
 export const exportRouter = Router();
 
 exportRouter.get('/export/:table.:format', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const table = req.params.table ?? '';
   const format = req.params.format ?? '';
   if (!isExportable(table)) return res.status(404).json({ error: 'table_not_exportable' });
@@ -27,7 +28,8 @@ exportRouter.get('/export/:table.:format', requireAuth, requireAdmin, async (req
   res.status(400).json({ error: 'unsupported_format', detail: 'use json or csv' });
 });
 
-exportRouter.get('/export.json', requireAuth, requireAdmin, async (_req, res) => {
+exportRouter.get('/export.json', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const bundle = await exportAll(db);
   res.setHeader('Content-Type', 'application/json');
   res.setHeader('Content-Disposition', 'attachment; filename="openpartner-export.json"');
@@ -44,6 +46,7 @@ const importSchema = z.object({
 });
 
 exportRouter.post('/import', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   // Safety rail: re-importing someone else's export into a shared hosted DB
   // would collide primary keys and leak cross-tenant data. Gate it to selfhost.
   if (getMode() !== 'selfhost') {
@@ -54,6 +57,6 @@ exportRouter.post('/import', requireAuth, requireAdmin, async (req, res) => {
   if (body.data.schemaVersion !== 1) {
     return res.status(400).json({ error: 'unsupported_schema_version' });
   }
-  const report = await importBundle(db, body.data.tables);
+  const report = await importBundle(db, tenantId, body.data.tables);
   res.json({ ok: true, report });
 });
diff --git a/apps/api/src/routes/fraud-review.ts b/apps/api/src/routes/fraud-review.ts
index 13ebac8..29aa2ca 100644
--- a/apps/api/src/routes/fraud-review.ts
+++ b/apps/api/src/routes/fraud-review.ts
@@ -24,9 +24,9 @@
 import { Router } from 'express';
 import { z } from 'zod';
 import { TABLES, type ClickRow, type IdentityRow } from '@openpartner/db';
-import { db } from '../db.js';
 import { requireAdmin, requireAuth } from '../auth.js';
 import { attributeBacklogForUser } from '../attribution.js';
+import { tenantOf } from '../tenancy.js';
 
 export const fraudReviewRouter = Router();
 
@@ -36,6 +36,7 @@ const listQuerySchema = z.object({
 });
 
 fraudReviewRouter.get('/admin/clicks/flagged', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const q = listQuerySchema.safeParse(req.query);
   if (!q.success) return res.status(400).json({ error: 'invalid_query', detail: q.error.flatten() });
   const limit = q.data.limit ?? 100;
@@ -67,6 +68,7 @@ fraudReviewRouter.get('/admin/clicks/flagged', requireAuth, requireAdmin, async
 });
 
 fraudReviewRouter.post('/clicks/:id/unflag', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const clickId = req.params.id!;
   const click = await db<ClickRow>(TABLES.Click).where({ id: clickId }).first();
   if (!click) return res.status(404).json({ error: 'click_not_found' });
@@ -75,54 +77,55 @@ fraudReviewRouter.post('/clicks/:id/unflag', requireAuth, requireAdmin, async (r
   const identities = await db<IdentityRow>(TABLES.Identity).where({ clickId });
   let reattributed = 0;
 
-  await db.transaction(async (trx) => {
-    await trx<ClickRow>(TABLES.Click).where({ id: clickId }).update({ fraudFlag: null });
-
-    // Re-run attribution for any user that stitched to this click. If we
-    // just called the backlog helper directly, events already attributed
-    // under a different click-set (e.g. linear with two clicks, weight
-    // 0.5 each) would gain a third row for the newly-unflagged click
-    // without adjusting the existing weights — the partner would add up
-    // to > 1x the event's revenue. Before re-running, drop any
-    // non-finalized attribution rows for this user's events and their
-    // accrued commissions, so the backlog recomputes clean. We leave
-    // approved / paid commissions alone — you don't retroactively
-    // rewrite the ledger.
-    for (const identity of identities) {
-      const eventIds = (
-        await trx(TABLES.Event).where({ userId: identity.userId }).select('id')
-      ).map((r) => (r as { id: string }).id);
-      if (eventIds.length === 0) continue;
-
-      const accruedCommissions = await trx(TABLES.Commission)
-        .whereIn('attributionId', function () {
-          this.select('id').from(TABLES.Attribution).whereIn('eventId', eventIds);
-        })
-        .where({ status: 'accrued' })
-        .select('id', 'attributionId');
-
-      const attributionsToDelete = accruedCommissions
-        .map((c) => (c as { attributionId: string }).attributionId)
-        .filter(Boolean);
-
-      if (accruedCommissions.length > 0) {
-        await trx(TABLES.Commission)
-          .whereIn('id', accruedCommissions.map((c) => (c as { id: string }).id))
-          .del();
-      }
-      if (attributionsToDelete.length > 0) {
-        await trx(TABLES.Attribution).whereIn('id', attributionsToDelete).del();
-      }
-
-      const n = await attributeBacklogForUser(trx, identity.userId);
-      reattributed += n;
+  // The request is already in a transaction (per-request via tenantMiddleware).
+  // No nested transaction needed — operate on req.db directly.
+  await db<ClickRow>(TABLES.Click).where({ id: clickId }).update({ fraudFlag: null });
+
+  // Re-run attribution for any user that stitched to this click. If we
+  // just called the backlog helper directly, events already attributed
+  // under a different click-set (e.g. linear with two clicks, weight
+  // 0.5 each) would gain a third row for the newly-unflagged click
+  // without adjusting the existing weights — the partner would add up
+  // to > 1x the event's revenue. Before re-running, drop any
+  // non-finalized attribution rows for this user's events and their
+  // accrued commissions, so the backlog recomputes clean. We leave
+  // approved / paid commissions alone — you don't retroactively
+  // rewrite the ledger.
+  for (const identity of identities) {
+    const eventIds = (
+      await db(TABLES.Event).where({ userId: identity.userId }).select('id')
+    ).map((r) => (r as { id: string }).id);
+    if (eventIds.length === 0) continue;
+
+    const accruedCommissions = await db(TABLES.Commission)
+      .whereIn('attributionId', function () {
+        this.select('id').from(TABLES.Attribution).whereIn('eventId', eventIds);
+      })
+      .where({ status: 'accrued' })
+      .select('id', 'attributionId');
+
+    const attributionsToDelete = accruedCommissions
+      .map((c) => (c as { attributionId: string }).attributionId)
+      .filter(Boolean);
+
+    if (accruedCommissions.length > 0) {
+      await db(TABLES.Commission)
+        .whereIn('id', accruedCommissions.map((c) => (c as { id: string }).id))
+        .del();
     }
-  });
+    if (attributionsToDelete.length > 0) {
+      await db(TABLES.Attribution).whereIn('id', attributionsToDelete).del();
+    }
+
+    const n = await attributeBacklogForUser(db, identity.userId);
+    reattributed += n;
+  }
 
   res.json({ ok: true, clickId, reattributedEvents: reattributed });
 });
 
 fraudReviewRouter.post('/clicks/:id/flag', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const clickId = req.params.id!;
   const click = await db<ClickRow>(TABLES.Click).where({ id: clickId }).first();
   if (!click) return res.status(404).json({ error: 'click_not_found' });
@@ -131,4 +134,3 @@ fraudReviewRouter.post('/clicks/:id/flag', requireAuth, requireAdmin, async (req
   await db<ClickRow>(TABLES.Click).where({ id: clickId }).update({ fraudFlag: 'manual' });
   res.json({ ok: true, clickId });
 });
-
diff --git a/apps/api/src/routes/funnel.ts b/apps/api/src/routes/funnel.ts
index 717828b..ef278ee 100644
--- a/apps/api/src/routes/funnel.ts
+++ b/apps/api/src/routes/funnel.ts
@@ -23,12 +23,13 @@
 
 import { Router } from 'express';
 import { TABLES } from '@openpartner/db';
-import { db } from '../db.js';
 import { requireAuth, requirePartnerOrAdmin } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
 
 export const funnelRouter = Router();
 
 funnelRouter.get('/partners/:id/funnel', requireAuth, requirePartnerOrAdmin('id'), async (req, res) => {
+  const { db } = tenantOf(req);
   const partnerId = req.params.id!;
   const since = req.query.since
     ? new Date(String(req.query.since))
diff --git a/apps/api/src/routes/identify.ts b/apps/api/src/routes/identify.ts
index f9eb294..0a8d277 100644
--- a/apps/api/src/routes/identify.ts
+++ b/apps/api/src/routes/identify.ts
@@ -2,9 +2,9 @@ import { Router } from 'express';
 import { z } from 'zod';
 import { ulid } from 'ulid';
 import { TABLES, type ClickRow, type IdentityRow } from '@openpartner/db';
-import { db } from '../db.js';
 import { attributeBacklogForUser } from '../attribution.js';
 import { ipRateLimit } from '../middleware/rate-limit.js';
+import { tenantOf } from '../tenancy.js';
 
 const schema = z.object({
   cref: z.string().min(1),
@@ -15,12 +15,19 @@ const schema = z.object({
 export const identifyRouter = Router();
 
 // Stitch a click (cref) to an authenticated user. Called by the SDK on
-// login/signup, so it's unauth'd and public. 120/min per IP is generous
-// for legitimate use (stitches once per login) but cuts off spray.
+// login/signup. The endpoint is unauth'd, but it IS tenant-scoped — in
+// multi-tenant mode the SDK calls /t/<slug>/attribution/identify so the
+// click lookup is bounded to that tenant. Routing through tenantMiddleware
+// gives us a tenant-bound transaction so the Identity insert is scoped
+// correctly via the WITH CHECK clause on RLS.
+//
+// 120/min per IP is generous for legitimate use (stitches once per
+// login) but cuts off spray.
 identifyRouter.post(
   '/attribution/identify',
   ipRateLimit({ name: 'identify', max: 120, windowMs: 60_000 }),
   async (req, res) => {
+    const { db, tenantId } = tenantOf(req);
     const body = schema.safeParse(req.body);
     if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
@@ -33,7 +40,7 @@ identifyRouter.post(
     // re-identify() calls for the same click a no-op.
     const identityId = ulid();
     const inserted = await db<IdentityRow>(TABLES.Identity)
-      .insert({ id: identityId, clickId: cref, userId })
+      .insert({ id: identityId, tenantId, clickId: cref, userId })
       .onConflict(['clickId', 'userId'])
       .ignore()
       .returning('id');
diff --git a/apps/api/src/routes/install.ts b/apps/api/src/routes/install.ts
index 7597658..aaa9b62 100644
--- a/apps/api/src/routes/install.ts
+++ b/apps/api/src/routes/install.ts
@@ -7,18 +7,25 @@
  * settings (name + support email) and emails them a magic-link to
  * activate. After they verify, they're the first admin and can invite
  * others + rotate ADMIN_API_KEY.
+ *
+ * Multi-tenant: install is the self-host bootstrap. In multi-tenant mode
+ * it rejects — hosted operators provision tenants via /signup, and the
+ * platform is never "uninstalled". The endpoint stays mounted as a
+ * public route (no tenantMiddleware) and uses the privileged `db` to
+ * stamp rows with the seeded default tenant.
  */
 
 import { Router } from 'express';
 import { z } from 'zod';
 import { ulid } from 'ulid';
-import { TABLES, type AdminRow, type ConfigRow } from '@openpartner/db';
+import { DEFAULT_TENANT_ID, TABLES, type AdminRow, type ConfigRow } from '@openpartner/db';
 import { db } from '../db.js';
 import { ipRateLimit } from '../middleware/rate-limit.js';
 import { issueMagicLink } from '../auth-sessions.js';
 import { getMailer } from '../mailer.js';
 import { adminInviteEmail, buildMagicLinkUrl } from '../email-templates.js';
 import { saveMailSettings } from '../mail-settings.js';
+import { getTenancyMode } from '../tenancy.js';
 
 export const installRouter = Router();
 
@@ -80,7 +87,11 @@ const installSchema = z
  * system is uninitialized).
  */
 installRouter.get('/install/status', async (_req, res) => {
+  if (getTenancyMode() === 'multi') {
+    return res.json({ needsSetup: false, reason: 'multi_tenant' });
+  }
   const [row] = await db<AdminRow>(TABLES.Admin)
+    .where({ tenantId: DEFAULT_TENANT_ID })
     .whereNotNull('activatedAt')
     .whereNull('revokedAt')
     .count<{ count: string }[]>({ count: '*' });
@@ -93,6 +104,10 @@ installRouter.get('/install/status', async (_req, res) => {
 const INSTALL_ADVISORY_LOCK = 49_1092_4719;
 
 installRouter.post('/install', installLimit, async (req, res) => {
+  if (getTenancyMode() === 'multi') {
+    return res.status(400).json({ error: 'install_not_available_in_multi_tenant' });
+  }
+
   const body = installSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
@@ -111,26 +126,30 @@ installRouter.post('/install', installLimit, async (req, res) => {
       // installers both think they're first.
       await trx.raw('SELECT pg_advisory_xact_lock(?)', [INSTALL_ADVISORY_LOCK]);
 
-      // Block on ANY admin row (activated or not): while a first-run
-      // magic-link is outstanding, a second installer shouldn't be
-      // able to sneak their own pending admin in.
-      const [existing] = await trx<AdminRow>(TABLES.Admin).count<{ count: string }[]>({ count: '*' });
+      // Block on ANY admin row (activated or not) in the default tenant:
+      // while a first-run magic-link is outstanding, a second installer
+      // shouldn't be able to sneak their own pending admin in.
+      const [existing] = await trx<AdminRow>(TABLES.Admin)
+        .where({ tenantId: DEFAULT_TENANT_ID })
+        .count<{ count: string }[]>({ count: '*' });
       if (Number(existing?.count ?? 0) > 0) {
         throw new AlreadyInstalledError();
       }
 
       await trx<ConfigRow>(TABLES.Config)
         .insert({
+          tenantId: DEFAULT_TENANT_ID,
           key: 'program_settings',
           value: { programName, supportEmail } as unknown as never,
           updatedAt: now,
         })
-        .onConflict('key')
+        .onConflict(['tenantId', 'key'])
         .merge({ value: { programName, supportEmail } as unknown as never, updatedAt: now });
 
       const id = ulid();
       await trx<AdminRow>(TABLES.Admin).insert({
         id,
+        tenantId: DEFAULT_TENANT_ID,
         email: adminEmail,
         name: body.data.adminName.trim(),
         activatedAt: null,
@@ -153,7 +172,7 @@ installRouter.post('/install', installLimit, async (req, res) => {
   // only escape being manual DB surgery or env-key intervention.
   try {
     if (body.data.mail) {
-      await saveMailSettings({
+      await saveMailSettings(db, DEFAULT_TENANT_ID, {
         kind: body.data.mail.kind,
         from: body.data.mail.from,
         smtp: body.data.mail.smtp,
@@ -161,14 +180,15 @@ installRouter.post('/install', installLimit, async (req, res) => {
       });
     }
 
-    const issued = await issueMagicLink({
+    const issued = await issueMagicLink(db, {
+      tenantId: DEFAULT_TENANT_ID,
       email: adminEmail,
       purpose: 'admin_invite',
       principalKind: 'admin',
       principalId: adminId,
     });
     const tmpl = adminInviteEmail(body.data.adminName.trim(), buildMagicLinkUrl(issued.plaintext), programName);
-    await getMailer().send({
+    await getMailer().send({ db, tenantId: DEFAULT_TENANT_ID }, {
       to: adminEmail,
       subject: tmpl.subject,
       text: tmpl.text,
diff --git a/apps/api/src/routes/links.ts b/apps/api/src/routes/links.ts
index e4f8926..3243819 100644
--- a/apps/api/src/routes/links.ts
+++ b/apps/api/src/routes/links.ts
@@ -2,8 +2,8 @@ import { Router } from 'express';
 import { z } from 'zod';
 import { ulid } from 'ulid';
 import { TABLES, type LinkRow } from '@openpartner/db';
-import { db } from '../db.js';
 import { grantScope, requireAuth, requirePartnerOrAdmin } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
 
 const createSchema = z.object({
   linkKey: z
@@ -18,6 +18,7 @@ const createSchema = z.object({
 export const linksRouter = Router();
 
 linksRouter.get('/partners/:id/links', requireAuth, requirePartnerOrAdmin('id'), async (req, res) => {
+  const { db } = tenantOf(req);
   const links = await db<LinkRow>(TABLES.Link)
     .where({ partnerId: req.params.id })
     .orderBy('createdAt', 'desc');
@@ -25,6 +26,7 @@ linksRouter.get('/partners/:id/links', requireAuth, requirePartnerOrAdmin('id'),
 });
 
 linksRouter.post('/partners/:id/links', requireAuth, grantScope('links:write'), requirePartnerOrAdmin('id'), async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const body = createSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
@@ -39,6 +41,7 @@ linksRouter.post('/partners/:id/links', requireAuth, grantScope('links:write'),
     const [link] = await db<LinkRow>(TABLES.Link)
       .insert({
         id,
+        tenantId,
         linkKey: body.data.linkKey,
         partnerId: req.params.id,
         campaignId: body.data.campaignId,
diff --git a/apps/api/src/routes/partner-auth.ts b/apps/api/src/routes/partner-auth.ts
index 3b58681..2b602f7 100644
--- a/apps/api/src/routes/partner-auth.ts
+++ b/apps/api/src/routes/partner-auth.ts
@@ -14,18 +14,19 @@
 import { Router } from 'express';
 import { z } from 'zod';
 import { TABLES, type AdminRow, type PartnerRow } from '@openpartner/db';
-import { db } from '../db.js';
 import {
   SESSION_COOKIE_NAME,
   consumeMagicLink,
   createSession,
   issueMagicLink,
+  resolveSession,
   revokeSession,
   sessionCookieOptions,
 } from '../auth-sessions.js';
 import { getMailer } from '../mailer.js';
 import { ipRateLimit } from '../middleware/rate-limit.js';
 import { adminSigninEmail, buildMagicLinkUrl, partnerSigninEmail } from '../email-templates.js';
+import { tenantOf } from '../tenancy.js';
 
 export const partnerAuthRouter = Router();
 
@@ -38,6 +39,7 @@ const verifySchema = z.object({ token: z.string().min(8) });
 // -------- Signin --------
 
 partnerAuthRouter.post('/auth/signin', mailAuthLimit, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const body = signinSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
@@ -47,14 +49,15 @@ partnerAuthRouter.post('/auth/signin', mailAuthLimit, async (req, res) => {
   // partner (unusual but possible on single-operator setups), admin wins.
   const admin = await db<AdminRow>(TABLES.Admin).where({ email }).first();
   if (admin?.activatedAt && !admin.revokedAt) {
-    const issued = await issueMagicLink({
+    const issued = await issueMagicLink(db, {
+      tenantId,
       email,
       purpose: 'admin_signin',
       principalKind: 'admin',
       principalId: admin.id,
     });
     const tmpl = adminSigninEmail(admin.name, buildMagicLinkUrl(issued.plaintext));
-    await getMailer().send({
+    await getMailer().send({ db, tenantId }, {
       to: email,
       subject: tmpl.subject,
       text: tmpl.text,
@@ -72,14 +75,15 @@ partnerAuthRouter.post('/auth/signin', mailAuthLimit, async (req, res) => {
   // cause arbitrary emails to the victim by POSTing their address
   // here repeatedly.
   if (partner?.activatedAt && !partner.revokedAt) {
-    const issued = await issueMagicLink({
+    const issued = await issueMagicLink(db, {
+      tenantId,
       email,
       purpose: 'partner_signin',
       principalKind: 'partner',
       principalId: partner.id,
     });
     const tmpl = partnerSigninEmail(partner.name, buildMagicLinkUrl(issued.plaintext));
-    await getMailer().send({
+    await getMailer().send({ db, tenantId }, {
       to: email,
       subject: tmpl.subject,
       text: tmpl.text,
@@ -95,10 +99,11 @@ partnerAuthRouter.post('/auth/signin', mailAuthLimit, async (req, res) => {
 // -------- Verify --------
 
 partnerAuthRouter.post('/auth/magic/verify', verifyLimit, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const body = verifySchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
-  const consumed = await consumeMagicLink(body.data.token);
+  const consumed = await consumeMagicLink(db, body.data.token);
   if (!consumed) return res.status(400).json({ error: 'invalid_or_expired_token' });
   const token = consumed.token;
 
@@ -114,7 +119,7 @@ partnerAuthRouter.post('/auth/magic/verify', verifyLimit, async (req, res) => {
     }
     await db<AdminRow>(TABLES.Admin).where({ id: admin.id }).update({ lastSignInAt: new Date() });
 
-    const session = await createSession({ principalKind: 'admin', principalId: admin.id });
+    const session = await createSession(db, { tenantId, principalKind: 'admin', principalId: admin.id });
     res.cookie(SESSION_COOKIE_NAME, session.plaintext, sessionCookieOptions());
     return res.json({
       ok: true,
@@ -134,7 +139,7 @@ partnerAuthRouter.post('/auth/magic/verify', verifyLimit, async (req, res) => {
       .update({ activatedAt: new Date(), updatedAt: new Date() });
   }
 
-  const session = await createSession({ principalKind: 'partner', principalId: partner.id });
+  const session = await createSession(db, { tenantId, principalKind: 'partner', principalId: partner.id });
   res.cookie(SESSION_COOKIE_NAME, session.plaintext, sessionCookieOptions());
   res.json({
     ok: true,
@@ -151,11 +156,11 @@ partnerAuthRouter.post('/auth/magic/verify', verifyLimit, async (req, res) => {
 // -------- Signout --------
 
 partnerAuthRouter.post('/auth/signout', async (req, res) => {
+  const { db } = tenantOf(req);
   const cookie = (req as unknown as { cookies?: Record<string, string> }).cookies?.[SESSION_COOKIE_NAME];
   if (cookie) {
-    const { resolveSession } = await import('../auth-sessions.js');
-    const session = await resolveSession(cookie);
-    if (session) await revokeSession(session.id);
+    const session = await resolveSession(db, cookie);
+    if (session) await revokeSession(db, session.id);
   }
   res.clearCookie(SESSION_COOKIE_NAME, { path: '/' });
   res.json({ ok: true });
diff --git a/apps/api/src/routes/partner-signup.ts b/apps/api/src/routes/partner-signup.ts
new file mode 100644
index 0000000..e55e0ac
--- /dev/null
+++ b/apps/api/src/routes/partner-signup.ts
@@ -0,0 +1,190 @@
+/**
+ * Public creator-facing partner signup.
+ *
+ * Lets a creator self-serve onto a vendor's program without admin
+ * pre-invite. The vendor's `Settings → Partners` page chooses the
+ * post-signup state:
+ *
+ *   - `auto_approve` (default): activatedAt set immediately, magic-link
+ *     issued, partner can sign in straight away.
+ *   - `require_review`: activatedAt stays null until an admin approves
+ *     via /partners/:id/invite (which also sends the magic-link).
+ *
+ * The endpoint is mounted INSIDE tenantMiddleware — in multi-tenant
+ * mode the URL is /t/<slug>/partner-signup; in single-tenant mode
+ * (self-host) it's /partner-signup. Tenant context comes from req.db
+ * either way.
+ *
+ * Network behavior: if the vendor has Network membership enabled with
+ * autoEnroll on, the new partner is pushed to /partners/upsert and the
+ * returned networkCreatorId is stamped on Partner.metadata.network.
+ * Network failures are queued in NetworkOutbox and don't fail the
+ * signup.
+ */
+
+import { Router } from 'express';
+import { z } from 'zod';
+import { ulid } from 'ulid';
+import { TABLES, type ConfigRow, type PartnerRow } from '@openpartner/db';
+import { issueMagicLink } from '../auth-sessions.js';
+import { getMailer } from '../mailer.js';
+import { buildMagicLinkUrl, partnerInviteEmail } from '../email-templates.js';
+import { ipRateLimit } from '../middleware/rate-limit.js';
+import { tenantOf } from '../tenancy.js';
+import { getNetworkMembership, pushPartnerUpsert } from '../network-client.js';
+
+export const partnerSignupRouter = Router();
+
+const signupLimit = ipRateLimit({ name: 'partner-signup', max: 10, windowMs: 60_000 });
+
+const schema = z.object({
+  email: z.string().trim().email().max(254),
+  name: z.string().trim().min(1).max(120),
+  profile: z.record(z.unknown()).optional(),
+});
+
+export type PartnerSignupPolicy = 'auto_approve' | 'require_review';
+
+interface PartnerSignupSettings {
+  policy: PartnerSignupPolicy;
+  /** Disable signup entirely. Defaults false (signup open). */
+  disabled?: boolean;
+}
+
+const PARTNER_SIGNUP_CONFIG_KEY = 'partner_signup';
+
+async function readSignupSettings(
+  db: import('knex').Knex,
+  tenantId: string,
+): Promise<PartnerSignupSettings> {
+  const row = await db<ConfigRow>(TABLES.Config).where({ tenantId, key: PARTNER_SIGNUP_CONFIG_KEY }).first();
+  const value = (row?.value ?? {}) as Partial<PartnerSignupSettings>;
+  return {
+    policy: value.policy === 'require_review' ? 'require_review' : 'auto_approve',
+    disabled: value.disabled === true,
+  };
+}
+
+partnerSignupRouter.post('/partner-signup', signupLimit, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  const body = schema.safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const settings = await readSignupSettings(db, tenantId);
+  if (settings.disabled) {
+    return res.status(403).json({ error: 'signup_disabled' });
+  }
+
+  const email = body.data.email.toLowerCase();
+
+  // Existence check is intentionally generic — same response shape on
+  // taken vs not. We don't want this endpoint to leak whether an email
+  // is registered with this vendor (creator-facing privacy + a minor
+  // hardening against credential-stuffing reconnaissance).
+  const existing = await db<PartnerRow>(TABLES.Partner).where({ email }).first();
+  if (existing) {
+    return res.json({ ok: true, status: 'already_registered' });
+  }
+
+  const id = ulid();
+  const now = new Date();
+  const activatedAt = settings.policy === 'auto_approve' ? now : null;
+  let partner: PartnerRow;
+  try {
+    const inserted = (await db<PartnerRow>(TABLES.Partner)
+      .insert({
+        id,
+        tenantId,
+        email,
+        name: body.data.name,
+        metadata: body.data.profile ?? {},
+        activatedAt,
+      })
+      .returning('*')) as PartnerRow[];
+    if (inserted.length === 0) {
+      // Should be impossible — INSERT without ON CONFLICT either succeeds
+      // or throws — but typing-wise returning('*') is PartnerRow[].
+      throw new Error('partner_insert_returned_no_rows');
+    }
+    partner = inserted[0]!;
+  } catch (err) {
+    if (typeof err === 'object' && err !== null && (err as { code?: string }).code === '23505') {
+      // Race against the existence check — same generic response.
+      return res.json({ ok: true, status: 'already_registered' });
+    }
+    throw err;
+  }
+
+  // Push to Network if configured + autoEnroll. Fire-and-forget on the
+  // request hot path: a Network outage must not fail the signup. The
+  // pushPartnerUpsert helper handles outbox queueing internally.
+  const network = await getNetworkMembership(db, tenantId);
+  if (network?.enabled && network.autoEnroll) {
+    const result = await pushPartnerUpsert(db, tenantId, {
+      vendorPartnerId: partner.id,
+      email: partner.email,
+      name: partner.name,
+      profile: body.data.profile,
+      joinedVendorAt: partner.createdAt.toISOString(),
+      status: activatedAt ? 'active' : 'pending',
+      metadata: { source: 'self_signup' },
+    });
+    if (result) {
+      // Stamp the canonical Network identity onto the Partner so the
+      // admin UI can show "this creator was already on the Network".
+      await db<PartnerRow>(TABLES.Partner)
+        .where({ id: partner.id })
+        .update({
+          metadata: db.raw(
+            `jsonb_set(coalesce("metadata", '{}'::jsonb), '{network}', ?::jsonb, true)`,
+            [
+              JSON.stringify({
+                creatorId: result.networkCreatorId,
+                preExisting: result.alreadyExisted,
+                affiliations: result.affiliations.length,
+                syncedAt: new Date().toISOString(),
+              }),
+            ],
+          ),
+          updatedAt: new Date(),
+        });
+    }
+  }
+
+  // Magic link goes out for both auto-approve and require-review paths.
+  // require-review's magic link confirms email ownership; admin still
+  // has to flip activatedAt before the partner can do anything.
+  const issued = await issueMagicLink(db, {
+    tenantId,
+    email,
+    purpose: 'partner_invite',
+    principalKind: 'partner',
+    principalId: partner.id,
+  });
+  const tmpl = partnerInviteEmail(partner.name, buildMagicLinkUrl(issued.plaintext));
+  try {
+    await getMailer().send({ db, tenantId }, {
+      to: email,
+      subject: tmpl.subject,
+      text: tmpl.text,
+      html: tmpl.html,
+      tag: 'partner_invite',
+      metadata: { purpose: 'partner_invite', partnerId: partner.id, source: 'self_signup' },
+    });
+  } catch (err) {
+    // Mail failure on signup is recoverable — the row exists, the admin
+    // can resend. Surface a 202 so the client knows partial success.
+    return res.status(202).json({
+      ok: true,
+      status: activatedAt ? 'active_pending_email' : 'pending_review_pending_email',
+      partnerId: partner.id,
+      mailError: err instanceof Error ? err.message : String(err),
+    });
+  }
+
+  res.status(201).json({
+    ok: true,
+    status: activatedAt ? 'active' : 'pending_review',
+    partnerId: partner.id,
+  });
+});
diff --git a/apps/api/src/routes/partners.ts b/apps/api/src/routes/partners.ts
index 7775e25..deb6407 100644
--- a/apps/api/src/routes/partners.ts
+++ b/apps/api/src/routes/partners.ts
@@ -2,11 +2,12 @@ import { Router } from 'express';
 import { z } from 'zod';
 import { ulid } from 'ulid';
 import { TABLES, type ApiKeyRow, type PartnerRow, type SessionRow } from '@openpartner/db';
-import { db } from '../db.js';
 import { grantScope, requireAdmin, requireAuth, requirePartnerOrAdmin } from '../auth.js';
 import { issueMagicLink } from '../auth-sessions.js';
 import { getMailer } from '../mailer.js';
 import { buildMagicLinkUrl, partnerInviteEmail, partnerRevokedEmail } from '../email-templates.js';
+import { tenantOf } from '../tenancy.js';
+import { getNetworkMembership, pushPartnerRevoke, pushPartnerUpsert } from '../network-client.js';
 
 const createSchema = z.object({
   email: z.string().email(),
@@ -27,6 +28,7 @@ export const partnersRouter = Router();
  * partner-facing credential.
  */
 partnersRouter.post('/partners', requireAuth, grantScope('partners:write'), requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const body = createSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
@@ -46,6 +48,7 @@ partnersRouter.post('/partners', requireAuth, grantScope('partners:write'), requ
     [partner] = await db<PartnerRow>(TABLES.Partner)
       .insert({
         id,
+        tenantId,
         email,
         name: body.data.name,
         metadata: body.data.metadata ?? {},
@@ -65,9 +68,15 @@ partnersRouter.post('/partners', requireAuth, grantScope('partners:write'), requ
   }
 
   if (sendInvite) {
-    const issued = await issueMagicLink({ email, purpose: 'partner_invite', principalKind: 'partner', principalId: id });
+    const issued = await issueMagicLink(db, {
+      tenantId,
+      email,
+      purpose: 'partner_invite',
+      principalKind: 'partner',
+      principalId: id,
+    });
     const tmpl = partnerInviteEmail(body.data.name, buildMagicLinkUrl(issued.plaintext));
-    await getMailer().send({
+    await getMailer().send({ db, tenantId }, {
       to: email,
       subject: tmpl.subject,
       text: tmpl.text,
@@ -77,6 +86,41 @@ partnersRouter.post('/partners', requireAuth, grantScope('partners:write'), requ
     });
   }
 
+  // Push to Network if configured + autoEnroll. Same fire-and-forget
+  // semantics as /partner-signup: a Network outage doesn't fail this
+  // request; failures land in NetworkOutbox for the scheduler to retry.
+  const network = await getNetworkMembership(db, tenantId);
+  if (network?.enabled && network.autoEnroll) {
+    const partnerRow = partner as PartnerRow;
+    const result = await pushPartnerUpsert(db, tenantId, {
+      vendorPartnerId: id,
+      email,
+      name: body.data.name,
+      profile: body.data.metadata,
+      joinedVendorAt: partnerRow.createdAt.toISOString(),
+      status: partnerRow.activatedAt ? 'active' : 'pending',
+      metadata: { source: 'admin_invite' },
+    });
+    if (result) {
+      await db<PartnerRow>(TABLES.Partner)
+        .where({ id })
+        .update({
+          metadata: db.raw(
+            `jsonb_set(coalesce("metadata", '{}'::jsonb), '{network}', ?::jsonb, true)`,
+            [
+              JSON.stringify({
+                creatorId: result.networkCreatorId,
+                preExisting: result.alreadyExisted,
+                affiliations: result.affiliations.length,
+                syncedAt: new Date().toISOString(),
+              }),
+            ],
+          ),
+          updatedAt: new Date(),
+        });
+    }
+  }
+
   res.status(201).json({ ...partner, invited: sendInvite });
 });
 
@@ -86,13 +130,20 @@ partnersRouter.post('/partners', requireAuth, grantScope('partners:write'), requ
  * (they all expire in 15 minutes).
  */
 partnersRouter.post('/partners/:id/invite', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const partner = await db<PartnerRow>(TABLES.Partner).where({ id: req.params.id }).first();
   if (!partner) return res.status(404).json({ error: 'not_found' });
   if (partner.activatedAt) return res.status(409).json({ error: 'already_activated' });
 
-  const issued = await issueMagicLink({ email: partner.email, purpose: 'partner_invite', principalKind: 'partner', principalId: partner.id });
+  const issued = await issueMagicLink(db, {
+    tenantId,
+    email: partner.email,
+    purpose: 'partner_invite',
+    principalKind: 'partner',
+    principalId: partner.id,
+  });
   const tmpl = partnerInviteEmail(partner.name, buildMagicLinkUrl(issued.plaintext));
-  await getMailer().send({
+  await getMailer().send({ db, tenantId }, {
     to: partner.email,
     subject: tmpl.subject,
     text: tmpl.text,
@@ -118,6 +169,7 @@ const revokeSchema = z.object({
  * links as 'revoked'. Sends a notification email unless notify=false.
  */
 partnersRouter.post('/partners/:id/revoke', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const body = revokeSchema.safeParse(req.body ?? {});
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
@@ -127,27 +179,27 @@ partnersRouter.post('/partners/:id/revoke', requireAuth, requireAdmin, async (re
 
   const now = new Date();
   const reason = body.data.reason ?? null;
-  await db.transaction(async (trx) => {
-    await trx<PartnerRow>(TABLES.Partner)
-      .where({ id: partner.id })
-      .update({ revokedAt: now, revokeReason: reason, updatedAt: now });
-    // Kill every authentication channel they hold: web sessions AND
-    // their partner-scoped API keys. Leaving ApiKey rows live meant a
-    // revoked partner retained programmatic access even though their
-    // dashboard cookie was killed.
-    await trx<SessionRow>(TABLES.Session)
-      .where({ principalKind: 'partner', principalId: partner.id })
-      .whereNull('revokedAt')
-      .update({ revokedAt: now });
-    await trx<ApiKeyRow>(TABLES.ApiKey)
-      .where({ partnerId: partner.id })
-      .whereNull('revokedAt')
-      .update({ revokedAt: now });
-  });
+  // The request is already in a transaction (per-request via tenantMiddleware);
+  // operate on req.db directly without a nested trx.
+  await db<PartnerRow>(TABLES.Partner)
+    .where({ id: partner.id })
+    .update({ revokedAt: now, revokeReason: reason, updatedAt: now });
+  // Kill every authentication channel they hold: web sessions AND
+  // their partner-scoped API keys. Leaving ApiKey rows live meant a
+  // revoked partner retained programmatic access even though their
+  // dashboard cookie was killed.
+  await db<SessionRow>(TABLES.Session)
+    .where({ principalKind: 'partner', principalId: partner.id })
+    .whereNull('revokedAt')
+    .update({ revokedAt: now });
+  await db<ApiKeyRow>(TABLES.ApiKey)
+    .where({ partnerId: partner.id })
+    .whereNull('revokedAt')
+    .update({ revokedAt: now });
 
   if (body.data.notify) {
     const tmpl = partnerRevokedEmail(partner.name, reason);
-    await getMailer().send({
+    await getMailer().send({ db, tenantId }, {
       to: partner.email,
       subject: tmpl.subject,
       text: tmpl.text,
@@ -157,11 +209,22 @@ partnersRouter.post('/partners/:id/revoke', requireAuth, requireAdmin, async (re
     });
   }
 
+  // Network gets the revoke too — but unconditionally if Network is
+  // enabled (not gated on autoEnroll). The reasoning: autoEnroll
+  // controls whether NEW partners flow into the Network; revokes need
+  // to mirror regardless so a creator the Network thinks is active
+  // doesn't keep getting matched after the vendor cuts them off.
+  const network = await getNetworkMembership(db, tenantId);
+  if (network?.enabled) {
+    await pushPartnerRevoke(db, tenantId, partner.id);
+  }
+
   res.json({ ok: true, revokedAt: now, notified: body.data.notify });
 });
 
 /** Undo revoke — partner regains dashboard access and future attribution. */
 partnersRouter.post('/partners/:id/reinstate', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const partner = await db<PartnerRow>(TABLES.Partner).where({ id: req.params.id }).first();
   if (!partner) return res.status(404).json({ error: 'not_found' });
   if (!partner.revokedAt) return res.status(409).json({ error: 'not_revoked' });
@@ -172,12 +235,14 @@ partnersRouter.post('/partners/:id/reinstate', requireAuth, requireAdmin, async
   res.json({ ok: true });
 });
 
-partnersRouter.get('/partners', requireAuth, requireAdmin, async (_req, res) => {
+partnersRouter.get('/partners', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const partners = await db<PartnerRow>(TABLES.Partner).orderBy('createdAt', 'desc').limit(500);
   res.json({ partners });
 });
 
 partnersRouter.get('/partners/:id', requireAuth, requirePartnerOrAdmin('id'), async (req, res) => {
+  const { db } = tenantOf(req);
   const partner = await db<PartnerRow>(TABLES.Partner).where({ id: req.params.id }).first();
   if (!partner) return res.status(404).json({ error: 'not_found' });
   res.json(partner);
diff --git a/apps/api/src/routes/payouts.ts b/apps/api/src/routes/payouts.ts
index dd15077..a597c26 100644
--- a/apps/api/src/routes/payouts.ts
+++ b/apps/api/src/routes/payouts.ts
@@ -1,13 +1,14 @@
 import { Router } from 'express';
 import { TABLES, type PayoutRow } from '@openpartner/db';
-import { db } from '../db.js';
 import { requireAdmin, requireAuth, requirePartnerOrAdmin } from '../auth.js';
 import { runPayouts } from '../payouts.js';
+import { tenantOf } from '../tenancy.js';
 
 export const payoutsRouter = Router();
 
-payoutsRouter.post('/payouts/run', requireAuth, requireAdmin, async (_req, res) => {
-  const result = await runPayouts();
+payoutsRouter.post('/payouts/run', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  const result = await runPayouts(db, tenantId);
   res.json(result);
 });
 
@@ -16,6 +17,7 @@ payoutsRouter.get(
   requireAuth,
   requirePartnerOrAdmin('id'),
   async (req, res) => {
+    const { db } = tenantOf(req);
     const payouts = await db<PayoutRow>(TABLES.Payout)
       .where({ partnerId: req.params.id })
       .orderBy('createdAt', 'desc')
diff --git a/apps/api/src/routes/settings.ts b/apps/api/src/routes/settings.ts
index 65d54fe..a264d6a 100644
--- a/apps/api/src/routes/settings.ts
+++ b/apps/api/src/routes/settings.ts
@@ -10,9 +10,9 @@
  */
 
 import { Router } from 'express';
+import type { Knex } from 'knex';
 import { z } from 'zod';
 import { TABLES, type ConfigRow } from '@openpartner/db';
-import { db } from '../db.js';
 import { requireAdmin, requireAuth } from '../auth.js';
 import {
   MailSettingsValidationError,
@@ -20,6 +20,18 @@ import {
   saveMailSettings,
   type MailTransportKind,
 } from '../mail-settings.js';
+import {
+  backfillPartners,
+  completeNetworkConnect,
+  getPublicNetworkMembership,
+  NetworkProxyError,
+  networkProxy,
+  saveNetworkMembership,
+  signupWithNetwork,
+} from '../network-client.js';
+import { createApiKeyRow } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
+import { NETWORK_FEDERATION_SCOPES } from './api-keys.js';
 
 export const settingsRouter = Router();
 
@@ -35,8 +47,8 @@ export interface ProgramSettings {
   supportEmail: string | null;
 }
 
-async function readSettings(): Promise<ProgramSettings> {
-  const row = await db<ConfigRow>(TABLES.Config).where({ key: CONFIG_KEY }).first();
+async function readSettings(db: Knex, tenantId: string): Promise<ProgramSettings> {
+  const row = await db<ConfigRow>(TABLES.Config).where({ tenantId, key: CONFIG_KEY }).first();
   const value = (row?.value ?? {}) as Partial<ProgramSettings>;
   return {
     programName: value.programName ?? null,
@@ -45,12 +57,14 @@ async function readSettings(): Promise<ProgramSettings> {
 }
 
 /** Any authenticated caller (admin OR partner) can read — not secret. */
-settingsRouter.get('/config/program', requireAuth, async (_req, res) => {
-  res.json(await readSettings());
+settingsRouter.get('/config/program', requireAuth, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  res.json(await readSettings(db, tenantId));
 });
 
 /** Only admins write. Empty strings clear fields. */
 settingsRouter.post('/config/program', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const body = settingsSchema.safeParse(req.body ?? {});
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
@@ -61,8 +75,8 @@ settingsRouter.post('/config/program', requireAuth, requireAdmin, async (req, re
   const now = new Date();
   // Upsert: preserves updatedAt semantics without a separate read.
   await db<ConfigRow>(TABLES.Config)
-    .insert({ key: CONFIG_KEY, value: next as unknown as never, updatedAt: now })
-    .onConflict('key')
+    .insert({ tenantId, key: CONFIG_KEY, value: next as unknown as never, updatedAt: now })
+    .onConflict(['tenantId', 'key'])
     .merge({ value: next as unknown as never, updatedAt: now });
   res.json(next);
 });
@@ -91,16 +105,18 @@ const mailSettingsSchema = z.object({
     .optional(),
 });
 
-settingsRouter.get('/config/mail', requireAuth, requireAdmin, async (_req, res) => {
-  res.json(await getPublicMailSettings());
+settingsRouter.get('/config/mail', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  res.json(await getPublicMailSettings(db, tenantId));
 });
 
 settingsRouter.post('/config/mail', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const body = mailSettingsSchema.safeParse(req.body ?? {});
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
   try {
-    await saveMailSettings({
+    await saveMailSettings(db, tenantId, {
       kind: body.data.kind as MailTransportKind,
       from: body.data.from === '' ? null : body.data.from ?? undefined,
       smtp: body.data.smtp,
@@ -112,5 +128,258 @@ settingsRouter.post('/config/mail', requireAuth, requireAdmin, async (req, res)
     }
     throw err;
   }
-  res.json(await getPublicMailSettings());
+  res.json(await getPublicMailSettings(db, tenantId));
+});
+
+// ---------- Partner signup policy ----------
+
+const partnerSignupSchema = z.object({
+  policy: z.enum(['auto_approve', 'require_review']).optional(),
+  disabled: z.boolean().optional(),
+});
+
+settingsRouter.get('/config/partner-signup', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  const row = await db<ConfigRow>(TABLES.Config)
+    .where({ tenantId, key: 'partner_signup' })
+    .first();
+  const value = (row?.value ?? {}) as { policy?: string; disabled?: boolean };
+  res.json({
+    policy: value.policy === 'require_review' ? 'require_review' : 'auto_approve',
+    disabled: value.disabled === true,
+  });
+});
+
+settingsRouter.post('/config/partner-signup', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  const body = partnerSignupSchema.safeParse(req.body ?? {});
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const current = await db<ConfigRow>(TABLES.Config).where({ tenantId, key: 'partner_signup' }).first();
+  const currentValue = (current?.value ?? {}) as { policy?: string; disabled?: boolean };
+  const next = {
+    policy: body.data.policy ?? currentValue.policy ?? 'auto_approve',
+    disabled: body.data.disabled ?? currentValue.disabled ?? false,
+  };
+  const now = new Date();
+  await db<ConfigRow>(TABLES.Config)
+    .insert({ tenantId, key: 'partner_signup', value: next as unknown as never, updatedAt: now })
+    .onConflict(['tenantId', 'key'])
+    .merge({ value: next as unknown as never, updatedAt: now });
+  res.json(next);
+});
+
+// ---------- Network membership ----------
+
+const networkMembershipSchema = z.object({
+  enabled: z.boolean().optional(),
+  networkUrl: z.string().url().optional().or(z.literal('')),
+  /** Plaintext bearer issued by the Network on /vendors/register. Undefined keeps existing. */
+  vendorToken: z.string().max(500).optional(),
+  /** ApiKey.id of the scoped key the Network should call back with. */
+  scopedKeyId: z.string().nullable().optional(),
+  autoEnroll: z.boolean().optional(),
+});
+
+settingsRouter.get('/config/network', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  res.json(await getPublicNetworkMembership(db, tenantId));
+});
+
+settingsRouter.post('/config/network', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  const body = networkMembershipSchema.safeParse(req.body ?? {});
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  await saveNetworkMembership(db, tenantId, {
+    enabled: body.data.enabled,
+    networkUrl: body.data.networkUrl === '' ? '' : body.data.networkUrl,
+    vendorToken: body.data.vendorToken,
+    scopedKeyId: body.data.scopedKeyId,
+    autoEnroll: body.data.autoEnroll,
+  });
+  res.json(await getPublicNetworkMembership(db, tenantId));
+});
+
+/**
+ * Reconcile existing partners with the Network. Called when an admin
+ * enables Network membership after already having a partner roster.
+ *
+ * Pushes every Partner row through /partners/upsert. The Network dedups
+ * on email — so a creator who's already on the Network from another
+ * vendor returns the existing networkCreatorId, and we stamp
+ * Partner.metadata.network.preExisting=true so the admin sees who was
+ * already known.
+ *
+ * Synchronous (returns counts when done). For very large rosters the
+ * outbox + scheduler-drained retries handle Network-side timeouts so a
+ * single backfill failure doesn't lose the work.
+ */
+settingsRouter.post('/config/network/backfill', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  const partners = await db('Partner')
+    .select<Array<{ id: string; email: string; name: string; createdAt: Date; activatedAt: Date | null; revokedAt: Date | null }>>(
+      'id',
+      'email',
+      'name',
+      'createdAt',
+      'activatedAt',
+      'revokedAt',
+    );
+  const result = await backfillPartners(db, tenantId, partners);
+  res.json(result);
+});
+
+// ---------- Network connect (self-serve onboarding) ----------
+
+const startConnectSchema = z.object({
+  /** Where the magic-link should send the admin back to. Defaults to
+   *  the request's origin + tenant path + /admin/network/complete. */
+  portalCallbackUrl: z.string().url().optional(),
+  /** Email to receive the confirmation link. Defaults to the calling
+   *  admin's email if a session-derived admin is calling; required for
+   *  env-bearer admins. */
+  contactEmail: z.string().email().optional(),
+  contactName: z.string().max(120).optional(),
+  /** Display name shown to creators. Defaults to tenantId on multi
+   *  hosted; on self-host the admin should pass their brand. */
+  displayName: z.string().min(1).max(120).optional(),
+  /** Where the Network can reach this instance's API. Defaults to
+   *  inferring from the request hostname + /api. */
+  instanceUrl: z.string().url().optional(),
+});
+
+settingsRouter.post('/config/network/start-connect', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId, tenantSlug } = (() => {
+    const t = tenantOf(req);
+    return { ...t, tenantSlug: req.tenantSlug ?? null };
+  })();
+  const body = startConnectSchema.safeParse(req.body ?? {});
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const networkUrl = process.env.NETWORK_URL;
+  if (!networkUrl) {
+    return res.status(503).json({ error: 'network_url_not_configured', detail: 'set NETWORK_URL env to your network endpoint, e.g. https://network.openpartner.dev' });
+  }
+
+  // Resolve defaults from the request + tenant context.
+  const protoHost = `${req.protocol}://${req.get('host') ?? ''}`;
+  const tenantPath = tenantSlug ? `/t/${tenantSlug}` : '';
+  const inferredInstanceUrl = `${protoHost}${tenantPath}/api`;
+  const inferredCallback = `${protoHost}${tenantPath}/admin/network/complete`;
+
+  // Mint a fresh scoped key with the federation scope set; store the
+  // ApiKey id in network_membership so we can identify which key the
+  // Network is using and rotate it later via /vendors/me/rotate-callback-key.
+  const scoped = await createApiKeyRow(db, {
+    tenantId,
+    scopes: [...NETWORK_FEDERATION_SCOPES],
+    label: 'network_federation',
+  });
+
+  let signup;
+  try {
+    signup = await signupWithNetwork({
+      networkUrl,
+      instanceUrl: body.data.instanceUrl ?? inferredInstanceUrl,
+      scopedKey: scoped.plaintext,
+      displayName: body.data.displayName ?? (tenantSlug ? tenantSlug : 'OpenPartner instance'),
+      contactEmail: body.data.contactEmail ?? '',
+      contactName: body.data.contactName,
+      tier: process.env.OPENPARTNER_TENANCY === 'multi' ? 'hosted' : 'self_hosted',
+      portalCallbackUrl: body.data.portalCallbackUrl ?? inferredCallback,
+    });
+  } catch (err) {
+    return res.status(502).json({ error: 'network_signup_failed', detail: err instanceof Error ? err.message : String(err) });
+  }
+
+  // Stash the partial state — networkUrl + scopedKeyId + autoEnroll
+  // default true. The vendorToken comes back from completeConnect.
+  await saveNetworkMembership(db, tenantId, {
+    enabled: false, // not active until verify lands
+    networkUrl,
+    scopedKeyId: scoped.id,
+    autoEnroll: true,
+  });
+
+  res.status(202).json({ vendorId: signup.vendorId, status: 'pending', emailSent: signup.emailSent });
+});
+
+const completeConnectSchema = z.object({ ntoken: z.string().min(20) });
+
+settingsRouter.post('/config/network/complete-connect', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  const body = completeConnectSchema.safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const networkUrl = process.env.NETWORK_URL;
+  if (!networkUrl) return res.status(503).json({ error: 'network_url_not_configured' });
+
+  let result;
+  try {
+    result = await completeNetworkConnect(networkUrl, body.data.ntoken);
+  } catch (err) {
+    return res.status(502).json({ error: 'network_verify_failed', detail: err instanceof Error ? err.message : String(err) });
+  }
+
+  await saveNetworkMembership(db, tenantId, {
+    enabled: true,
+    vendorToken: result.vendorToken,
+  });
+
+  res.json({ ok: true, vendorId: result.vendorId, displayName: result.displayName });
+});
+
+// ---------- Network proxy: offerings + partnership requests ----------
+// Admin manages their Network presence through these. Backend is the
+// only thing that can hold the vendorToken (encrypted in network_membership
+// Config), so the portal calls these routes which proxy to the Network.
+
+import type { Request, Response } from 'express';
+
+async function proxy(req: Request, res: Response, fn: (db: Knex, tenantId: string) => Promise<unknown>, successStatus = 200): Promise<void> {
+  const { db, tenantId } = tenantOf(req);
+  try {
+    const out = await fn(db, tenantId);
+    res.status(successStatus).json(out);
+  } catch (err) {
+    if (err instanceof NetworkProxyError) {
+      res.status(err.status).json({ error: 'network_call_failed', detail: err.message });
+      return;
+    }
+    throw err;
+  }
+}
+
+settingsRouter.get('/admin/network/me', requireAuth, requireAdmin, async (req, res) =>
+  proxy(req, res, (db, tenantId) => networkProxy.whoami(db, tenantId)),
+);
+
+settingsRouter.get('/admin/network/offerings', requireAuth, requireAdmin, async (req, res) =>
+  proxy(req, res, (db, tenantId) => networkProxy.listOfferings(db, tenantId)),
+);
+
+settingsRouter.post('/admin/network/offerings', requireAuth, requireAdmin, async (req, res) =>
+  proxy(req, res, (db, tenantId) => networkProxy.createOffering(db, tenantId, req.body), 201),
+);
+
+settingsRouter.patch('/admin/network/offerings/:id', requireAuth, requireAdmin, async (req, res) =>
+  proxy(req, res, (db, tenantId) => networkProxy.updateOffering(db, tenantId, req.params.id!, req.body)),
+);
+
+settingsRouter.delete('/admin/network/offerings/:id', requireAuth, requireAdmin, async (req, res) =>
+  proxy(req, res, (db, tenantId) => networkProxy.deleteOffering(db, tenantId, req.params.id!)),
+);
+
+settingsRouter.get('/admin/network/requests', requireAuth, requireAdmin, async (req, res) => {
+  const status = typeof req.query.status === 'string' ? req.query.status : undefined;
+  return proxy(req, res, (db, tenantId) => networkProxy.listRequests(db, tenantId, status));
 });
+
+settingsRouter.post('/admin/network/requests/:id/approve', requireAuth, requireAdmin, async (req, res) =>
+  proxy(req, res, (db, tenantId) => networkProxy.approveRequest(db, tenantId, req.params.id!, req.body ?? {})),
+);
+
+settingsRouter.post('/admin/network/requests/:id/reject', requireAuth, requireAdmin, async (req, res) =>
+  proxy(req, res, (db, tenantId) => networkProxy.rejectRequest(db, tenantId, req.params.id!, req.body ?? {})),
+);
diff --git a/apps/api/src/routes/signup.ts b/apps/api/src/routes/signup.ts
new file mode 100644
index 0000000..2ff5c7e
--- /dev/null
+++ b/apps/api/src/routes/signup.ts
@@ -0,0 +1,195 @@
+/**
+ * Public tenant signup. Hosted/multi-tenant only — in single-tenant mode
+ * the seeded 'default' tenant is the entire installation and the install
+ * endpoint covers first-run setup.
+ *
+ * POST /signup creates a Tenant + first Admin and emails the admin a
+ * magic-link to activate. The endpoint is unauthenticated, rate-limited
+ * by IP, and gated by slug validation:
+ *
+ *   - slug matches /^[a-z0-9-]{3,30}$/
+ *   - slug not in RESERVED_SLUGS
+ *   - slug not already taken (Tenant.slug unique)
+ *   - adminEmail not already in use under that slug (which is impossible
+ *     since the tenant is brand new, but we check anyway for symmetry)
+ *
+ * Mounted BEFORE tenantMiddleware in app.ts because there's no tenant
+ * context yet — we use the privileged `db` for the writes.
+ */
+
+import { Router } from 'express';
+import { z } from 'zod';
+import { ulid } from 'ulid';
+import { TABLES, type AdminRow, type TenantRow } from '@openpartner/db';
+import { db } from '../db.js';
+import { ipRateLimit } from '../middleware/rate-limit.js';
+import { issueMagicLink } from '../auth-sessions.js';
+import { getMailer } from '../mailer.js';
+import { adminInviteEmail, buildMagicLinkUrl } from '../email-templates.js';
+import { RESERVED_SLUGS, getTenancyMode } from '../tenancy.js';
+
+export const signupRouter = Router();
+
+const signupLimit = ipRateLimit({ name: 'signup', max: 10, windowMs: 60_000 });
+
+const signupSchema = z.object({
+  slug: z
+    .string()
+    .trim()
+    .min(3)
+    .max(30)
+    .regex(/^[a-z0-9-]+$/, 'slug must be lowercase alphanumerics or hyphens'),
+  displayName: z.string().trim().min(1).max(120),
+  adminEmail: z.string().trim().email().max(254),
+  adminName: z.string().trim().min(1).max(120),
+});
+
+class SignupGuardError extends Error {
+  constructor(public code: string) {
+    super(code);
+  }
+}
+
+signupRouter.post('/signup', signupLimit, async (req, res) => {
+  if (getTenancyMode() !== 'multi') {
+    return res.status(400).json({ error: 'signup_not_available_in_single_tenant' });
+  }
+
+  const body = signupSchema.safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const slug = body.data.slug.toLowerCase();
+  const adminEmail = body.data.adminEmail.toLowerCase();
+
+  if (RESERVED_SLUGS.has(slug)) {
+    return res.status(409).json({ error: 'slug_reserved' });
+  }
+
+  const tenantId = ulid();
+  const adminId = ulid();
+  const now = new Date();
+
+  try {
+    await db.transaction(async (trx) => {
+      // Re-check inside the transaction. A racing signup with the same
+      // slug would otherwise both pass the pre-check and one would hit
+      // the unique constraint as a generic 500. The unique constraint is
+      // still our final guard; this just gives us a clean error.
+      const existing = await trx<TenantRow>(TABLES.Tenant).where({ slug }).first();
+      if (existing) throw new SignupGuardError('slug_taken');
+
+      await trx<TenantRow>(TABLES.Tenant).insert({
+        id: tenantId,
+        slug,
+        displayName: body.data.displayName,
+        status: 'active',
+        metadata: { createdBy: 'signup' } as unknown as never,
+      });
+
+      await trx<AdminRow>(TABLES.Admin).insert({
+        id: adminId,
+        tenantId,
+        email: adminEmail,
+        name: body.data.adminName,
+        activatedAt: null,
+      });
+    });
+  } catch (err) {
+    if (err instanceof SignupGuardError) {
+      return res.status(409).json({ error: err.code });
+    }
+    if (typeof err === 'object' && err !== null && (err as { code?: string }).code === '23505') {
+      // Unique violation — slug got taken between the pre-check and the
+      // insert. Surface as the same 409.
+      return res.status(409).json({ error: 'slug_taken' });
+    }
+    throw err;
+  }
+
+  // Email the activation magic link. If this fails the Tenant + Admin row
+  // remain — the operator can hit /admins/:id/invite later (after first
+  // admin activates) or we can expose a dedicated "resend invite" public
+  // endpoint. We don't roll back signup on mail failure because the
+  // tenant slug is now taken and reusing it might surprise the second
+  // installer; better to leave it claimed and let them recover via mail
+  // ops than auto-release on a transient SMTP blip.
+  try {
+    const issued = await issueMagicLink(db, {
+      tenantId,
+      email: adminEmail,
+      purpose: 'admin_invite',
+      principalKind: 'admin',
+      principalId: adminId,
+    });
+    const tmpl = adminInviteEmail(body.data.adminName, buildMagicLinkUrl(issued.plaintext), body.data.displayName);
+    await getMailer().send({ db, tenantId }, {
+      to: adminEmail,
+      subject: tmpl.subject,
+      text: tmpl.text,
+      html: tmpl.html,
+      tag: 'admin_invite',
+      metadata: { purpose: 'admin_invite', adminId, signup: true },
+    });
+  } catch (err) {
+    const message = err instanceof Error ? err.message : 'mail_failed';
+    return res.status(202).json({
+      ok: true,
+      tenant: { id: tenantId, slug },
+      mailDelivered: false,
+      mailError: message,
+      createdAt: now,
+    });
+  }
+
+  // Auto-register hosted tenant with the Network. Best-effort: a
+  // network-side outage doesn't fail the signup. The admin can finish
+  // connecting later via Settings → Network → "Connect to Network".
+  let networkStatus: 'pending' | 'skipped' | 'failed' = 'skipped';
+  let networkVendorId: string | null = null;
+  const networkUrl = process.env.NETWORK_URL;
+  if (networkUrl) {
+    try {
+      const { signupWithNetwork } = await import('../network-client.js');
+      const { createApiKeyRow } = await import('../auth.js');
+      const { NETWORK_FEDERATION_SCOPES } = await import('./api-keys.js');
+      const { saveNetworkMembership } = await import('../network-client.js');
+
+      const scoped = await createApiKeyRow(db, {
+        tenantId,
+        scopes: [...NETWORK_FEDERATION_SCOPES],
+        label: 'network_federation',
+      });
+      const protoHost = `${req.protocol}://${req.get('host') ?? ''}`;
+      const signup = await signupWithNetwork({
+        networkUrl,
+        instanceUrl: `${protoHost}/t/${slug}/api`,
+        scopedKey: scoped.plaintext,
+        displayName: body.data.displayName,
+        contactEmail: adminEmail,
+        contactName: body.data.adminName,
+        tier: 'hosted',
+        portalCallbackUrl: `${protoHost}/t/${slug}/admin/network/complete`,
+      });
+      // Stash the partial state — vendorToken comes back at complete-connect.
+      await saveNetworkMembership(db, tenantId, {
+        enabled: false,
+        networkUrl,
+        scopedKeyId: scoped.id,
+        autoEnroll: true,
+      });
+      networkStatus = 'pending';
+      networkVendorId = signup.vendorId;
+    } catch (err) {
+      console.error('[signup] auto-network-register failed', err);
+      networkStatus = 'failed';
+    }
+  }
+
+  res.status(201).json({
+    ok: true,
+    tenant: { id: tenantId, slug },
+    mailDelivered: true,
+    createdAt: now,
+    network: { status: networkStatus, vendorId: networkVendorId },
+  });
+});
diff --git a/apps/api/src/routes/stripe-webhook.ts b/apps/api/src/routes/stripe-webhook.ts
index 3c89c50..34f7d7a 100644
--- a/apps/api/src/routes/stripe-webhook.ts
+++ b/apps/api/src/routes/stripe-webhook.ts
@@ -1,8 +1,18 @@
 import { Router, raw } from 'express';
+import type { Knex } from 'knex';
 import Stripe from 'stripe';
 import { ulid } from 'ulid';
-import { TABLES, type AttributionRow, type ClickRow, type CommissionRow, type EventRow, type IdentityRow, type PartnerRow, type PayoutRow } from '@openpartner/db';
-import { db } from '../db.js';
+import {
+  TABLES,
+  type AttributionRow,
+  type ClickRow,
+  type CommissionRow,
+  type EventRow,
+  type IdentityRow,
+  type PartnerRow,
+  type PayoutRow,
+} from '@openpartner/db';
+import { appDb, db } from '../db.js';
 import { attributeEvent } from '../attribution.js';
 import { persistMerchantSubscription } from './billing.js';
 
@@ -25,15 +35,22 @@ export const stripeWebhookRouter = Router();
 /**
  * Stripe webhook → raw event log.
  *
+ * Stripe events have no URL tenant — the webhook URL is platform-wide. We
+ * resolve tenantId from event metadata (every Stripe object we create is
+ * stamped with `openpartner_tenant_id`) with DB-backed fallbacks for objects
+ * that pre-date the stamping. Once resolved, the actual writes happen inside
+ * an `appDb.transaction(...)` with `SET LOCAL app.tenant_id` so RLS catches
+ * any cross-tenant mistake as a second line of defense.
+ *
  * Each Stripe event we care about becomes an immutable Event row, then goes
  * through the attribution engine. We map:
  *   - customer.created            → 'signup'
  *   - customer.subscription.created → 'subscription_created'
  *   - invoice.paid                → 'invoice_paid' (carries revenue)
  *
- * We require stripe_userId to be present in customer metadata as
- * `openpartner_user_id` — that's the bridge from Stripe's Customer to the
- * merchant's userId, which is what Identity stitches against.
+ * We require `openpartner_user_id` to be present in customer metadata as
+ * the bridge from Stripe's Customer to the merchant's userId, which is
+ * what Identity stitches against.
  */
 stripeWebhookRouter.post(
   '/webhooks/stripe',
@@ -57,66 +74,185 @@ stripeWebhookRouter.post(
     }
     if (!event) return res.status(400).json({ error: 'invalid_signature' });
 
-    const connectResult = await handleConnectEvent(event);
-    if (connectResult) return res.json({ ok: true, connect: connectResult });
-
-    const mapped = await mapStripeEvent(stripe, event);
-    if (!mapped) return res.json({ ok: true, skipped: event.type });
-
-    // Idempotency: a Stripe retry (5xx, timeout) re-delivers the same
-    // event.id. Insert with ON CONFLICT DO NOTHING on the unique
-    // partial index over externalEventId, then handle the dedupe path.
-    const eventId = ulid();
-    const inserted = await db<EventRow>(TABLES.Event)
-      .insert({
-        id: eventId,
-        userId: mapped.userId,
-        type: mapped.type,
-        value: mapped.value != null ? mapped.value.toFixed(2) : null,
-        currency: mapped.currency ?? 'USD',
-        externalEventId: event.id,
-        metadata: { stripeEventId: event.id, stripeType: event.type, ...(mapped.metadata ?? {}) },
-        ts: new Date(event.created * 1000),
-      })
-      .onConflict('externalEventId')
-      .ignore()
-      .returning('*');
-
-    if (inserted.length === 0) {
-      // Retry of a previously-processed event — the first delivery
-      // already attributed it. Return 2xx so Stripe stops retrying.
-      const existing = await db<EventRow>(TABLES.Event).where({ externalEventId: event.id }).first();
-      return res.json({ ok: true, idempotent: true, eventId: existing?.id });
+    const tenantId = await resolveTenantForEvent(event);
+    if (!tenantId) {
+      // Genuinely unresolvable — most likely a connected-account event for
+      // an account we don't recognize. 2xx so Stripe stops retrying.
+      return res.json({ ok: true, skipped: event.type, reason: 'unresolved_tenant' });
     }
 
-    // Corrective events (refund, dispute, payment_failed) are recorded for
-    // the audit trail but don't drive new attribution rows — handling those
-    // is done in mapStripeEvent before insertion (e.g. flipping the source
-    // commissions to 'reversed').
-    if (CORRECTIVE_EVENT_TYPES.has(mapped.type)) {
-      return res.json({ ok: true, eventId, corrective: mapped.type });
-    }
+    const result = await runInTenant(tenantId, async (trx) => {
+      const connectResult = await handleConnectEvent(trx, event!, tenantId);
+      if (connectResult) return { connect: connectResult };
+
+      const mapped = await mapStripeEvent(trx, stripe!, event!);
+      if (!mapped) return { skipped: event!.type };
+
+      // Idempotency: a Stripe retry (5xx, timeout) re-delivers the same
+      // event.id. Insert with ON CONFLICT DO NOTHING on the unique
+      // partial index over externalEventId, then handle the dedupe path.
+      const eventId = ulid();
+      const inserted = await trx<EventRow>(TABLES.Event)
+        .insert({
+          id: eventId,
+          tenantId,
+          userId: mapped.userId,
+          type: mapped.type,
+          value: mapped.value != null ? mapped.value.toFixed(2) : null,
+          currency: mapped.currency ?? 'USD',
+          externalEventId: event!.id,
+          metadata: { stripeEventId: event!.id, stripeType: event!.type, ...(mapped.metadata ?? {}) },
+          ts: new Date(event!.created * 1000),
+        })
+        .onConflict('externalEventId')
+        .ignore()
+        .returning('*');
+
+      if (inserted.length === 0) {
+        // Retry of a previously-processed event — the first delivery
+        // already attributed it. Return 2xx so Stripe stops retrying.
+        const existing = await trx<EventRow>(TABLES.Event).where({ externalEventId: event!.id }).first();
+        return { idempotent: true, eventId: existing?.id };
+      }
 
-    const result = await attributeEvent(db, inserted[0] as EventRow);
-    res.json({ ok: true, eventId, attribution: result });
+      // Corrective events (refund, dispute, payment_failed) are recorded for
+      // the audit trail but don't drive new attribution rows — handling those
+      // is done in mapStripeEvent before insertion (e.g. flipping the source
+      // commissions to 'reversed').
+      if (CORRECTIVE_EVENT_TYPES.has(mapped.type)) {
+        return { eventId, corrective: mapped.type };
+      }
+
+      const attribution = await attributeEvent(trx, inserted[0] as EventRow);
+      return { eventId, attribution };
+    });
+
+    res.json({ ok: true, ...result });
   },
 );
 
 const CORRECTIVE_EVENT_TYPES = new Set(['refund', 'dispute_created', 'invoice_payment_failed']);
 
+/**
+ * Run a callback inside an appDb transaction with `app.tenant_id` pinned to
+ * the given tenant. Mirrors what tenantMiddleware does for HTTP requests, but
+ * we can't use that here because Stripe webhooks have no URL tenant.
+ */
+async function runInTenant<T>(tenantId: string, fn: (trx: Knex.Transaction) => Promise<T>): Promise<T> {
+  return appDb.transaction(async (trx) => {
+    await trx.raw(`set local app.tenant_id = '${tenantId.replace(/'/g, "''")}'`);
+    return fn(trx);
+  });
+}
+
+/**
+ * Resolve which tenant an event belongs to. Strategy:
+ *
+ *   1. Read `openpartner_tenant_id` from the event object's metadata. Every
+ *      Stripe object we create is stamped with this on construction, so for
+ *      anything created post-multi-tenant deploy the lookup is constant-time.
+ *   2. For events whose payload doesn't carry our metadata (older Connect
+ *      accounts, transfers identified only by payoutId), fall back to DB
+ *      lookup via the privileged `db` (cross-tenant scan).
+ *   3. If neither yields a tenant, return null and the caller skips the
+ *      event with 2xx so Stripe stops retrying.
+ */
+async function resolveTenantForEvent(event: Stripe.Event): Promise<string | null> {
+  const obj = event.data.object as { metadata?: Record<string, string> | null };
+  const direct = obj?.metadata?.openpartner_tenant_id;
+  if (direct) return direct;
+
+  switch (event.type) {
+    case 'account.updated': {
+      const account = event.data.object as Stripe.Account;
+      const partnerId = account.metadata?.openpartner_partner_id;
+      if (partnerId) {
+        const row = await db<PartnerRow>(TABLES.Partner).where({ id: partnerId }).first(['tenantId']);
+        if (row) return row.tenantId;
+      }
+      // Last-resort: any partner with this stripeConnectAccountId.
+      const linked = await db<PartnerRow>(TABLES.Partner)
+        .where({ stripeConnectAccountId: account.id })
+        .first(['tenantId']);
+      return linked?.tenantId ?? null;
+    }
+    case 'transfer.updated':
+    case 'transfer.reversed': {
+      const transfer = event.data.object as Stripe.Transfer;
+      const payoutId = transfer.metadata?.openpartner_payout_id;
+      if (!payoutId) return null;
+      const row = await db<PayoutRow>(TABLES.Payout).where({ id: payoutId }).first(['tenantId']);
+      return row?.tenantId ?? null;
+    }
+    case 'checkout.session.completed': {
+      const session = event.data.object as Stripe.Checkout.Session;
+      // Rewardful-style merchant→customer checkout: tenant resolves via the
+      // Click row identified by client_reference_id.
+      if (session.client_reference_id) {
+        const row = await db<ClickRow>(TABLES.Click)
+          .where({ id: session.client_reference_id })
+          .first(['tenantId']);
+        if (row) return row.tenantId;
+      }
+      return null;
+    }
+    case 'customer.created':
+    case 'customer.subscription.created':
+    case 'invoice.paid':
+    case 'invoice.payment_failed':
+    case 'charge.refunded':
+    case 'charge.dispute.created': {
+      // Customer/invoice/subscription/charge events: prefer the
+      // openpartner_tenant_id stamped on the Customer's metadata. As a
+      // fallback, look the customer up locally via the Identity → Click
+      // chain — this covers Customers stitched at checkout.session.completed
+      // before the metadata-backfill API call lands.
+      const customerId = extractCustomerId(event.data.object as { customer?: unknown; id?: string });
+      if (!customerId) return null;
+      const identity = await db(TABLES.Identity)
+        .join(TABLES.Click, `${TABLES.Click}.id`, `${TABLES.Identity}.clickId`)
+        .where(`${TABLES.Identity}.userId`, customerId)
+        .first<{ tenantId: string }>(`${TABLES.Click}.tenantId as tenantId`);
+      return identity?.tenantId ?? null;
+    }
+    default:
+      return null;
+  }
+}
+
+/**
+ * Pull a customer id out of an arbitrary Stripe event object — handles the
+ * `customer` field being either a string id, an embedded Customer object,
+ * a deleted-customer marker, or absent. For customer.* events the id is on
+ * the object itself.
+ */
+function extractCustomerId(obj: { customer?: unknown; id?: string; object?: string }): string | null {
+  if (obj.object === 'customer' && obj.id) return obj.id;
+  const c = obj.customer;
+  if (typeof c === 'string') return c;
+  if (c && typeof c === 'object' && 'id' in c && typeof (c as { id: unknown }).id === 'string') {
+    return (c as { id: string }).id;
+  }
+  return null;
+}
+
 // Connect-side events. These don't produce attribution Events — they update
 // Partner (onboarding progress) and Payout (transfer resolution) rows.
-async function handleConnectEvent(event: Stripe.Event): Promise<string | null> {
+async function handleConnectEvent(
+  trx: Knex.Transaction,
+  event: Stripe.Event,
+  tenantId: string,
+): Promise<string | null> {
   switch (event.type) {
     case 'account.updated': {
       const account = event.data.object as Stripe.Account;
       const partnerId = account.metadata?.openpartner_partner_id;
       if (!partnerId) return 'account_updated_no_partner_id';
-      await db<PartnerRow>(TABLES.Partner)
+      await trx<PartnerRow>(TABLES.Partner)
         .where({ id: partnerId })
         .update({
           stripeConnectAccountId: account.id,
-          metadata: db.raw(
+          metadata: trx.raw(
             `jsonb_set(coalesce("metadata", '{}'::jsonb), '{stripe}', ?::jsonb, true)`,
             [
               JSON.stringify({
@@ -140,7 +276,7 @@ async function handleConnectEvent(event: Stripe.Event): Promise<string | null> {
       // let mapStripeEvent do attribution."
       if (session.client_reference_id) return null;
       if (session.mode === 'subscription' && typeof session.customer === 'string' && typeof session.subscription === 'string') {
-        await persistMerchantSubscription(session.customer, session.subscription);
+        await persistMerchantSubscription(trx, tenantId, session.customer, session.subscription);
         return 'merchant_subscription_persisted';
       }
       return null;
@@ -151,7 +287,7 @@ async function handleConnectEvent(event: Stripe.Event): Promise<string | null> {
       const payoutId = transfer.metadata?.openpartner_payout_id;
       if (!payoutId) return null;
       const reversed = event.type === 'transfer.reversed' || (transfer.reversed ?? false);
-      await db<PayoutRow>(TABLES.Payout).where({ id: payoutId }).update({
+      await trx<PayoutRow>(TABLES.Payout).where({ id: payoutId }).update({
         status: reversed ? 'failed' : 'paid',
         completedAt: reversed ? null : new Date(),
       });
@@ -170,7 +306,11 @@ interface MappedEvent {
   metadata?: Record<string, unknown>;
 }
 
-async function mapStripeEvent(stripe: Stripe, event: Stripe.Event): Promise<MappedEvent | null> {
+async function mapStripeEvent(
+  trx: Knex.Transaction,
+  stripe: Stripe,
+  event: Stripe.Event,
+): Promise<MappedEvent | null> {
   switch (event.type) {
     case 'checkout.session.completed': {
       // Rewardful-style flow: merchant adds client_reference_id (the cref)
@@ -182,13 +322,14 @@ async function mapStripeEvent(stripe: Stripe, event: Stripe.Event): Promise<Mapp
       const customerId = typeof session.customer === 'string' ? session.customer : session.customer?.id;
       if (!cref || !customerId) return null;
 
-      // Validate the cref points at a real Click — silently drop unknowns
-      // so a bad client_reference_id can't inflate a partner's numbers.
-      const click = await db<ClickRow>(TABLES.Click).where({ id: cref }).first();
+      // Validate the cref points at a real Click in this tenant — silently
+      // drop unknowns so a bad client_reference_id can't inflate a partner's
+      // numbers. RLS scopes the query to the resolved tenant.
+      const click = await trx<ClickRow>(TABLES.Click).where({ id: cref }).first();
       if (!click) return null;
 
-      await db<IdentityRow>(TABLES.Identity)
-        .insert({ id: ulid(), clickId: cref, userId: customerId })
+      await trx<IdentityRow>(TABLES.Identity)
+        .insert({ id: ulid(), tenantId: click.tenantId, clickId: cref, userId: customerId })
         .onConflict(['clickId', 'userId'])
         .ignore();
 
@@ -198,7 +339,7 @@ async function mapStripeEvent(stripe: Stripe, event: Stripe.Event): Promise<Mapp
       // resolveUserIdFromCustomer will fall back to the Identity table.
       try {
         await stripe.customers.update(customerId, {
-          metadata: { openpartner_user_id: customerId },
+          metadata: { openpartner_user_id: customerId, openpartner_tenant_id: click.tenantId },
         });
       } catch {
         // Non-fatal.
@@ -214,13 +355,13 @@ async function mapStripeEvent(stripe: Stripe, event: Stripe.Event): Promise<Mapp
     }
     case 'customer.subscription.created': {
       const sub = event.data.object as Stripe.Subscription;
-      const userId = sub.metadata?.openpartner_user_id ?? (await resolveUserIdFromCustomer(stripe, sub.customer));
+      const userId = sub.metadata?.openpartner_user_id ?? (await resolveUserIdFromCustomer(trx, stripe, sub.customer));
       if (!userId) return null;
       return { userId, type: 'subscription_created' };
     }
     case 'invoice.paid': {
       const invoice = event.data.object as Stripe.Invoice;
-      const userId = await resolveUserIdFromCustomer(stripe, invoice.customer);
+      const userId = await resolveUserIdFromCustomer(trx, stripe, invoice.customer);
       if (!userId) return null;
       // `charge` was moved off the Invoice type in recent SDK versions, but the
       // webhook payload still carries it on older API versions and is useful
@@ -242,7 +383,7 @@ async function mapStripeEvent(stripe: Stripe, event: Stripe.Event): Promise<Mapp
     }
     case 'charge.refunded': {
       const charge = event.data.object as Stripe.Charge;
-      const userId = await resolveUserIdFromCustomer(stripe, charge.customer);
+      const userId = await resolveUserIdFromCustomer(trx, stripe, charge.customer);
       if (!userId) return null;
       const rawInvoice = (charge as unknown as { invoice?: string | { id: string } | null }).invoice;
       const invoiceId = typeof rawInvoice === 'string' ? rawInvoice : rawInvoice?.id ?? null;
@@ -251,7 +392,7 @@ async function mapStripeEvent(stripe: Stripe, event: Stripe.Event): Promise<Mapp
       // Commissions already in 'paid' status are flagged for admin review —
       // we don't claw back funds that have already left the platform.
       const reversal = invoiceId
-        ? await reverseCommissionsForInvoice(invoiceId)
+        ? await reverseCommissionsForInvoice(trx, invoiceId)
         : { reversed: 0, alreadyPaid: 0 };
 
       return {
@@ -278,7 +419,7 @@ async function mapStripeEvent(stripe: Stripe, event: Stripe.Event): Promise<Mapp
       if (chargeId) {
         try {
           const charge = await stripe.charges.retrieve(chargeId);
-          userId = await resolveUserIdFromCustomer(stripe, charge.customer);
+          userId = await resolveUserIdFromCustomer(trx, stripe, charge.customer);
         } catch {
           // Charge might be deleted or inaccessible — log without attribution.
         }
@@ -302,7 +443,7 @@ async function mapStripeEvent(stripe: Stripe, event: Stripe.Event): Promise<Mapp
       // have fired for this invoice in the first place, so there's nothing to
       // reverse. Useful when an admin is debugging "why didn't this convert?"
       const invoice = event.data.object as Stripe.Invoice;
-      const userId = await resolveUserIdFromCustomer(stripe, invoice.customer);
+      const userId = await resolveUserIdFromCustomer(trx, stripe, invoice.customer);
       if (!userId) return null;
       return {
         userId,
@@ -328,24 +469,25 @@ async function mapStripeEvent(stripe: Stripe, event: Stripe.Event): Promise<Mapp
  * refund Event can record that admin attention is needed.
  */
 async function reverseCommissionsForInvoice(
+  trx: Knex.Transaction,
   invoiceId: string,
 ): Promise<{ reversed: number; alreadyPaid: number }> {
-  const sourceEvents = await db<EventRow>(TABLES.Event)
+  const sourceEvents = await trx<EventRow>(TABLES.Event)
     .whereRaw(`"metadata"->>'stripeInvoiceId' = ?`, [invoiceId])
     .where('type', 'invoice_paid');
   if (sourceEvents.length === 0) return { reversed: 0, alreadyPaid: 0 };
 
   const eventIds = sourceEvents.map((e) => e.id);
-  const attributions = await db<AttributionRow>(TABLES.Attribution).whereIn('eventId', eventIds);
+  const attributions = await trx<AttributionRow>(TABLES.Attribution).whereIn('eventId', eventIds);
   if (attributions.length === 0) return { reversed: 0, alreadyPaid: 0 };
   const attributionIds = attributions.map((a) => a.id);
 
-  const reversed = await db<CommissionRow>(TABLES.Commission)
+  const reversed = await trx<CommissionRow>(TABLES.Commission)
     .whereIn('attributionId', attributionIds)
     .whereIn('status', ['accrued', 'approved'])
     .update({ status: 'reversed' });
 
-  const alreadyPaidRow = (await db<CommissionRow>(TABLES.Commission)
+  const alreadyPaidRow = (await trx<CommissionRow>(TABLES.Commission)
     .whereIn('attributionId', attributionIds)
     .where('status', 'paid')
     .count('id as c')
@@ -356,6 +498,7 @@ async function reverseCommissionsForInvoice(
 }
 
 async function resolveUserIdFromCustomer(
+  trx: Knex.Transaction,
   stripe: Stripe,
   customer: string | Stripe.Customer | Stripe.DeletedCustomer | null,
 ): Promise<string | null> {
@@ -379,6 +522,6 @@ async function resolveUserIdFromCustomer(
   // Fallback: Stripe Billing flow stitches Identity rows with userId =
   // customer.id. This covers the race where invoice.paid arrives before our
   // metadata-backfill on checkout.session.completed lands on Stripe's side.
-  const identity = await db<IdentityRow>(TABLES.Identity).where({ userId: customerId }).first();
+  const identity = await trx<IdentityRow>(TABLES.Identity).where({ userId: customerId }).first();
   return identity ? customerId : null;
 }
diff --git a/apps/api/src/routes/webhooks.ts b/apps/api/src/routes/webhooks.ts
index 763a20a..b6e0a1e 100644
--- a/apps/api/src/routes/webhooks.ts
+++ b/apps/api/src/routes/webhooks.ts
@@ -6,9 +6,9 @@ import {
   type WebhookDeliveryRow,
   type WebhookEndpointRow,
 } from '@openpartner/db';
-import { db } from '../db.js';
 import { requireAdmin, requireAuth } from '../auth.js';
 import { makeSecret, redeliver } from '../webhook-dispatcher.js';
+import { tenantOf } from '../tenancy.js';
 
 export const webhooksRouter = Router();
 
@@ -38,6 +38,7 @@ const updateSchema = z.object({
 // -------- Endpoints CRUD --------
 
 webhooksRouter.post('/webhooks', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   const body = createSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
@@ -45,6 +46,7 @@ webhooksRouter.post('/webhooks', requireAuth, requireAdmin, async (req, res) =>
   const id = ulid();
   await db<WebhookEndpointRow>(TABLES.WebhookEndpoint).insert({
     id,
+    tenantId,
     url: body.data.url,
     secretPrefix: secret.prefix,
     secret: secret.plaintext,
@@ -56,18 +58,21 @@ webhooksRouter.post('/webhooks', requireAuth, requireAdmin, async (req, res) =>
   res.status(201).json({ endpoint: strip(endpoint!), secret: secret.plaintext });
 });
 
-webhooksRouter.get('/webhooks', requireAuth, requireAdmin, async (_req, res) => {
+webhooksRouter.get('/webhooks', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const endpoints = await db<WebhookEndpointRow>(TABLES.WebhookEndpoint).orderBy('createdAt', 'desc');
   res.json({ endpoints: endpoints.map(strip) });
 });
 
 webhooksRouter.get('/webhooks/:id', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const endpoint = await db<WebhookEndpointRow>(TABLES.WebhookEndpoint).where({ id: req.params.id }).first();
   if (!endpoint) return res.status(404).json({ error: 'not_found' });
   res.json({ endpoint: strip(endpoint) });
 });
 
 webhooksRouter.patch('/webhooks/:id', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const body = updateSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
   const existing = await db<WebhookEndpointRow>(TABLES.WebhookEndpoint).where({ id: req.params.id }).first();
@@ -85,6 +90,7 @@ webhooksRouter.patch('/webhooks/:id', requireAuth, requireAdmin, async (req, res
 });
 
 webhooksRouter.delete('/webhooks/:id', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   // Soft-delete via active=false keeps the delivery history intact for
   // forensics. We also allow hard-delete via ?hard=1 in case an operator
   // explicitly wants the row gone.
@@ -100,6 +106,7 @@ webhooksRouter.delete('/webhooks/:id', requireAuth, requireAdmin, async (req, re
 // -------- Delivery log + retry --------
 
 webhooksRouter.get('/webhooks/:id/deliveries', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
   const deliveries = await db<WebhookDeliveryRow>(TABLES.WebhookDelivery)
     .where({ endpointId: req.params.id })
     .orderBy('createdAt', 'desc')
@@ -108,6 +115,7 @@ webhooksRouter.get('/webhooks/:id/deliveries', requireAuth, requireAdmin, async
 });
 
 webhooksRouter.post('/webhooks/:id/deliveries/:deliveryId/retry', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
   // Verify the delivery actually belongs to this endpoint BEFORE firing
   // — the previous order re-delivered and only then checked, which
   // meant hitting /webhooks/A/.../retry with a delivery id that belonged
@@ -119,7 +127,7 @@ webhooksRouter.post('/webhooks/:id/deliveries/:deliveryId/retry', requireAuth, r
   if (!existing) return res.status(404).json({ error: 'not_found' });
   if (existing.endpointId !== req.params.id) return res.status(400).json({ error: 'endpoint_mismatch' });
 
-  const delivery = await redeliver(req.params.deliveryId!);
+  const delivery = await redeliver(tenantId, req.params.deliveryId!);
   if (!delivery) return res.status(404).json({ error: 'not_found' });
   res.json({ delivery });
 });
diff --git a/apps/api/src/scheduler.ts b/apps/api/src/scheduler.ts
index 1cb943e..f76d5d1 100644
--- a/apps/api/src/scheduler.ts
+++ b/apps/api/src/scheduler.ts
@@ -7,13 +7,20 @@
  * test, and CI runs don't fire scheduled jobs unexpectedly.
  *
  * Jobs:
- *   - usage-report: every day at 03:15 UTC. Aggregates attributed GMV since
- *                   last report and reports to Stripe Billing meters.
- *   - payouts:      every Monday at 09:00 UTC. Runs runPayouts() to issue
- *                   Stripe Connect transfers for approved commissions.
+ *   - usage-report: every day at 03:15 UTC. Per active tenant, aggregates
+ *                   attributed GMV since last report and reports to Stripe
+ *                   Billing meters.
+ *   - payouts:      every Monday at 09:00 UTC. Per active tenant, runs
+ *                   runPayouts() to issue Stripe Connect transfers for
+ *                   approved commissions.
  *
- * Both jobs are no-ops in selfhost mode — usage reporting requires a Stripe
- * subscription, and payouts only run when there are approved commissions.
+ * Both jobs are no-ops in selfhost mode for usage-report. Payouts run in
+ * every mode (a self-host operator with no approved commissions just gets
+ * an empty result).
+ *
+ * Multi-tenant: each tick iterates active tenants. For each tenant we open
+ * an `appDb.transaction` with `app.tenant_id` pinned, so the per-tenant
+ * job runs scoped to that tenant's data.
  *
  * Concurrency: croner's `protect: true` ensures a job that's still running
  * when its next tick arrives skips that tick rather than overlapping. This
@@ -21,8 +28,12 @@
  */
 
 import { Cron } from 'croner';
+import type { Knex } from 'knex';
+import { TABLES, type TenantRow } from '@openpartner/db';
+import { appDb, db } from './db.js';
 import { reportUsageToStripe } from './usage-billing.js';
 import { runPayouts } from './payouts.js';
+import { drainOutbox } from './network-client.js';
 import { getMode } from './stripe.js';
 
 interface ScheduledJob {
@@ -32,21 +43,51 @@ interface ScheduledJob {
   handler: () => Promise<unknown>;
 }
 
+/**
+ * Run `fn` once per active tenant inside a tenant-scoped appDb transaction.
+ * Failures in one tenant don't stop the iteration — each tenant gets its own
+ * try/catch and the aggregate result lists per-tenant outcomes.
+ */
+async function forEachActiveTenant<T>(
+  fn: (db: Knex, tenantId: string) => Promise<T>,
+): Promise<Array<{ tenantId: string; ok: boolean; result?: T; error?: string }>> {
+  const tenants = await db<TenantRow>(TABLES.Tenant).where({ status: 'active' }).select('id');
+  const out: Array<{ tenantId: string; ok: boolean; result?: T; error?: string }> = [];
+  for (const t of tenants) {
+    try {
+      const result = await appDb.transaction(async (trx) => {
+        await trx.raw(`set local app.tenant_id = '${t.id.replace(/'/g, "''")}'`);
+        return fn(trx, t.id);
+      });
+      out.push({ tenantId: t.id, ok: true, result });
+    } catch (err) {
+      out.push({ tenantId: t.id, ok: false, error: err instanceof Error ? err.message : String(err) });
+    }
+  }
+  return out;
+}
+
 const JOBS: ScheduledJob[] = [
   {
     name: 'usage-report',
     cronExpr: '15 3 * * *',
-    description: 'Aggregate attributed GMV and report to Stripe meters (daily 03:15 UTC)',
+    description: 'Per tenant: aggregate attributed GMV and report to Stripe meters (daily 03:15 UTC)',
     handler: async () => {
       if (getMode() === 'selfhost') return { skipped: 'selfhost' };
-      return reportUsageToStripe();
+      return forEachActiveTenant((trx, tenantId) => reportUsageToStripe(trx, tenantId));
     },
   },
   {
     name: 'payouts',
     cronExpr: '0 9 * * 1',
-    description: 'Issue Stripe Connect transfers for approved commissions (Monday 09:00 UTC)',
-    handler: async () => runPayouts(),
+    description: 'Per tenant: issue Stripe Connect transfers for approved commissions (Monday 09:00 UTC)',
+    handler: async () => forEachActiveTenant((trx, tenantId) => runPayouts(trx, tenantId)),
+  },
+  {
+    name: 'network-outbox-drain',
+    cronExpr: '*/5 * * * *',
+    description: 'Per tenant: retry failed Network pushes from NetworkOutbox (every 5 minutes)',
+    handler: async () => forEachActiveTenant((trx, tenantId) => drainOutbox(trx, tenantId)),
   },
 ];
 
diff --git a/apps/api/src/tenancy.ts b/apps/api/src/tenancy.ts
new file mode 100644
index 0000000..46b5edb
--- /dev/null
+++ b/apps/api/src/tenancy.ts
@@ -0,0 +1,252 @@
+/**
+ * Tenant resolution + per-request transaction wiring.
+ *
+ * Two tenancy modes:
+ *
+ *   single  — every request runs as tenantId = 'default' (the seeded
+ *             tenant from the multi_tenant migration). Self-host. The
+ *             same code paths and queries work; we just always use one
+ *             tenant.
+ *
+ *   multi   — tenantId resolved from the request URL (path-based for v1:
+ *             /t/<slug>/...). Reserved slugs reject. Unknown slugs 404.
+ *
+ * Each tenant-scoped request runs inside a database transaction with
+ * `SET LOCAL app.tenant_id = '<id>'`. RLS policies on every data table
+ * enforce that the response only contains rows for that tenant. The
+ * transaction is bound to `req.db`; routes use `req.db('Partner')...`
+ * instead of the module-level `db`.
+ *
+ * Public, non-tenant routes (e.g. /signup, /health, the marketing
+ * landing pages) are handled by routing them away from the tenant
+ * middleware — they use the privileged `db` directly.
+ */
+import type { Knex } from 'knex';
+import type { NextFunction, Request, Response } from 'express';
+import { DEFAULT_TENANT_ID } from '@openpartner/db';
+import { appDb } from './db.js';
+
+export type TenancyMode = 'single' | 'multi';
+
+export function getTenancyMode(): TenancyMode {
+  const m = process.env.OPENPARTNER_TENANCY ?? 'single';
+  if (m !== 'single' && m !== 'multi') {
+    throw new Error(`Invalid OPENPARTNER_TENANCY: ${m}`);
+  }
+  return m;
+}
+
+/** Reserved subdomain/path slugs that can't be claimed by a tenant. */
+export const RESERVED_SLUGS = new Set([
+  'default', // already used by single-host bootstrap
+  'www',
+  'api',
+  'app',
+  'admin',
+  'signup',
+  'login',
+  'auth',
+  'docs',
+  'help',
+  'support',
+  'status',
+  'network',
+  'static',
+  'public',
+  'platform',
+]);
+
+declare global {
+  namespace Express {
+    interface Request {
+      /** Resolved tenant ID. Always set inside the tenant middleware. */
+      tenantId?: string;
+      /** Resolved tenant slug. */
+      tenantSlug?: string;
+      /** Transaction-bound knex instance with app.tenant_id set. */
+      db?: Knex;
+      /** True when a platform admin is acting (rare; gated separately). */
+      platformAdmin?: boolean;
+    }
+  }
+}
+
+/**
+ * Convenience helper for tenant-scoped route handlers. Throws if the
+ * request didn't pass through the tenant middleware (which would be a
+ * routing bug — the handler shouldn't be there).
+ *
+ *   const { db, tenantId } = tenantOf(req);
+ *   await db('Partner').insert({ tenantId, ... });
+ */
+export function tenantOf(req: Request): { db: Knex; tenantId: string } {
+  if (!req.db || !req.tenantId) {
+    throw new Error(
+      'tenantOf called on a request without tenant context — mount tenantMiddleware before this route',
+    );
+  }
+  return { db: req.db, tenantId: req.tenantId };
+}
+
+/**
+ * Express middleware that:
+ *   1. Resolves the tenantId for the request
+ *   2. Opens a transaction on the appDb pool
+ *   3. Sets `app.tenant_id` (and `app.platform_admin` if applicable)
+ *   4. Stashes the trx as `req.db` so handlers can issue tenant-scoped queries
+ *   5. Awaits response completion before committing/rolling back
+ *
+ * Behavior depends on OPENPARTNER_TENANCY:
+ *   single → tenantId = 'default' for every request
+ *   multi  → resolveTenantFromPath(req); if no tenant, calls next() without
+ *            opening a transaction so non-tenant routes (signup, marketing)
+ *            still work.
+ */
+export async function tenantMiddleware(
+  req: Request,
+  res: Response,
+  next: NextFunction,
+): Promise<void> {
+  const mode = getTenancyMode();
+
+  let tenantId: string | null = null;
+  let tenantSlug: string | null = null;
+
+  if (mode === 'single') {
+    tenantId = DEFAULT_TENANT_ID;
+    tenantSlug = 'default';
+  } else {
+    const resolved = await resolveTenantFromPath(req);
+    if (resolved) {
+      tenantId = resolved.id;
+      tenantSlug = resolved.slug;
+    }
+  }
+
+  if (!tenantId) {
+    // No tenant scope — non-tenant routes (signup, marketing landing,
+    // /health) handle themselves. Don't open a transaction.
+    return next();
+  }
+
+  req.tenantId = tenantId;
+  if (tenantSlug) req.tenantSlug = tenantSlug;
+
+  // Open the transaction outside any callback so we can finalize it
+  // synchronously when a handler calls res.json/send/end. Committing on
+  // response 'finish' (the previous design) released the trx AFTER the
+  // client got its response, which raced any caller doing direct DB
+  // reads immediately after `await fetch(...)` — including every
+  // integration test that follows POST /partners with db('Click').insert().
+  let trx: Knex.Transaction;
+  try {
+    trx = await appDb.transaction();
+    await trx.raw(`set local app.tenant_id = '${tenantId.replace(/'/g, "''")}'`);
+    if (req.platformAdmin) {
+      await trx.raw(`set local app.platform_admin = 'on'`);
+    }
+  } catch (err) {
+    return next(err);
+  }
+  req.db = trx;
+
+  // Patch res.send/json/end so they commit (or rollback on 5xx) before
+  // any byte goes to the client. If commit fails the request becomes a
+  // 500; if it succeeds the original response is sent unchanged.
+  const origJson = res.json.bind(res);
+  const origSend = res.send.bind(res);
+  const origEnd = res.end.bind(res);
+  let finalized = false;
+
+  async function finalize(success: boolean): Promise<void> {
+    if (finalized) return;
+    finalized = true;
+    if (success) {
+      try {
+        await trx.commit();
+      } catch (err) {
+        // Commit failed after the handler succeeded — the response we're
+        // about to send is a lie. Mutate to a 500 if we still can.
+        if (!res.headersSent) {
+          res.status(500);
+          throw err;
+        }
+        // Headers already out; nothing safe to do but log.
+        console.error('[tenancy] commit failed after headers sent', err);
+      }
+    } else {
+      try {
+        await trx.rollback();
+      } catch {
+        // Best-effort rollback; ignore secondary failures.
+      }
+    }
+  }
+
+  res.json = function (body: unknown) {
+    const success = res.statusCode < 500;
+    finalize(success).then(
+      () => origJson(body),
+      (err) => {
+        if (!res.headersSent) origJson({ error: 'commit_failed', detail: err instanceof Error ? err.message : String(err) });
+      },
+    );
+    return res;
+  };
+  res.send = function (body?: unknown) {
+    const success = res.statusCode < 500;
+    finalize(success).then(
+      () => origSend(body),
+      (err) => {
+        if (!res.headersSent) origSend(`commit_failed: ${err instanceof Error ? err.message : String(err)}`);
+      },
+    );
+    return res;
+  };
+  res.end = function (chunk?: unknown, encoding?: BufferEncoding | (() => void), cb?: () => void) {
+    const success = res.statusCode < 500;
+    finalize(success).then(
+      () => (origEnd as unknown as (...a: unknown[]) => Response)(chunk, encoding, cb),
+      () => (origEnd as unknown as (...a: unknown[]) => Response)(chunk, encoding, cb),
+    );
+    return res;
+  };
+
+  // Belt and suspenders: if the client disconnects before any res.* call
+  // ran (or if Express's error path bypasses our patched methods), still
+  // release the trx so it doesn't leak.
+  res.on('close', () => {
+    if (!finalized) {
+      finalize(false).catch(() => {});
+    }
+  });
+
+  next();
+}
+
+/**
+ * Path-based tenant resolution: /t/<slug>/... → Tenant row.
+ *
+ * Returns null for non-tenant paths (no /t/ prefix) so the middleware
+ * can pass through to public routes.
+ */
+async function resolveTenantFromPath(
+  req: Request,
+): Promise<{ id: string; slug: string } | null> {
+  // Path patterns:
+  //   /t/<slug>/...    — portal under a tenant
+  //   /api/t/<slug>/...— api under a tenant (note: ingress strips /api)
+  //   anything else    — no tenant
+  const match = req.path.match(/^\/(?:t|api\/t)\/([a-z0-9-]+)(?:\/|$)/);
+  if (!match) return null;
+  const slug = match[1]!;
+
+  if (RESERVED_SLUGS.has(slug)) return null;
+
+  // Lookup goes through the privileged db pool because we need to read
+  // any tenant by slug, not just the current one. RLS would block this
+  // on the appDb pool.
+  const { db } = await import('./db.js');
+  const row = await db('Tenant').where({ slug, status: 'active' }).first(['id', 'slug']);
+  return row ? { id: row.id as string, slug: row.slug as string } : null;
+}
diff --git a/apps/api/src/usage-billing.ts b/apps/api/src/usage-billing.ts
index 12217b3..7113609 100644
--- a/apps/api/src/usage-billing.ts
+++ b/apps/api/src/usage-billing.ts
@@ -15,10 +15,14 @@
  * timestamp to define a closed period and stamp identifier accordingly. If
  * the report fails we DO NOT advance the high-water mark, so the next run
  * picks up from the same point.
+ *
+ * Multi-tenant: each tenant has its own Stripe customer + high-water mark
+ * (Config rows are tenant-scoped). The scheduler iterates tenants and calls
+ * this once per tenant; the billing route passes the request's tenant.
  */
 
+import type { Knex } from 'knex';
 import { TABLES, type EventRow } from '@openpartner/db';
-import { db } from './db.js';
 import { CONFIG_KEYS, getConfig, setConfig } from './config.js';
 import { getMode, requireStripe } from './stripe.js';
 
@@ -50,8 +54,15 @@ export interface UsageReportResult {
  * Sum attributed GMV (in dollars) for events with `ts > since` and `ts <= until`.
  * Only counts events that have at least one Attribution row (i.e. a partner
  * was credited). Refund/dispute events are excluded by event-type filter.
+ *
+ * Tenant scope is provided by the caller (req.db with app.tenant_id set, or
+ * a transaction the scheduler opened with the GUC pinned).
  */
-export async function aggregateAttributedGmv(since: Date | null, until: Date): Promise<number> {
+export async function aggregateAttributedGmv(
+  db: Knex,
+  since: Date | null,
+  until: Date,
+): Promise<number> {
   const q = db<EventRow>(TABLES.Event)
     .whereIn('type', REVENUE_EVENT_TYPES)
     .where('ts', '<=', until)
@@ -69,7 +80,7 @@ export async function aggregateAttributedGmv(since: Date | null, until: Date): P
  * and the merchant's subscription must include the metered price tied to
  * the same meter. Both are provisioned by `scripts/setup-stripe.mjs`.
  */
-export async function reportUsageToStripe(): Promise<UsageReportResult> {
+export async function reportUsageToStripe(db: Knex, tenantId: string): Promise<UsageReportResult> {
   const mode = getMode();
   const meterEventName = MODE_TO_METER[mode];
   if (!meterEventName) {
@@ -85,7 +96,7 @@ export async function reportUsageToStripe(): Promise<UsageReportResult> {
     };
   }
 
-  const customerId = await getConfig<string>(CONFIG_KEYS.StripeMerchantCustomerId);
+  const customerId = await getConfig<string>(db, tenantId, CONFIG_KEYS.StripeMerchantCustomerId);
   if (!customerId) {
     return {
       mode,
@@ -99,15 +110,15 @@ export async function reportUsageToStripe(): Promise<UsageReportResult> {
     };
   }
 
-  const lastReportedAtIso = await getConfig<string>(CONFIG_KEYS.LastUsageReportedAt);
+  const lastReportedAtIso = await getConfig<string>(db, tenantId, CONFIG_KEYS.LastUsageReportedAt);
   const rangeStart = lastReportedAtIso ? new Date(lastReportedAtIso) : null;
   const rangeEnd = new Date();
-  const amount = await aggregateAttributedGmv(rangeStart, rangeEnd);
+  const amount = await aggregateAttributedGmv(db, rangeStart, rangeEnd);
 
   if (amount <= 0) {
     // Still advance the high-water mark — we've "reported" zero usage for
     // the period and don't want to re-scan the same window forever.
-    await setConfig(CONFIG_KEYS.LastUsageReportedAt, rangeEnd.toISOString());
+    await setConfig(db, tenantId, CONFIG_KEYS.LastUsageReportedAt, rangeEnd.toISOString());
     return {
       mode,
       meterEventName,
@@ -124,8 +135,9 @@ export async function reportUsageToStripe(): Promise<UsageReportResult> {
   // identifier is Stripe's idempotency key for meter events. Tying it to the
   // window end means a re-run within the same second is deduped on Stripe's
   // side, which is what we want when an admin double-clicks the report
-  // button or a cron job retries on transient failure.
-  const identifier = `op-usage-${mode}-${rangeEnd.toISOString()}`;
+  // button or a cron job retries on transient failure. Include tenantId so
+  // two tenants reporting in the same second don't collide.
+  const identifier = `op-usage-${mode}-${tenantId}-${rangeEnd.toISOString()}`;
   await stripe.billing.meterEvents.create({
     event_name: meterEventName,
     payload: {
@@ -136,7 +148,7 @@ export async function reportUsageToStripe(): Promise<UsageReportResult> {
     timestamp: Math.floor(rangeEnd.getTime() / 1000),
   });
 
-  await setConfig(CONFIG_KEYS.LastUsageReportedAt, rangeEnd.toISOString());
+  await setConfig(db, tenantId, CONFIG_KEYS.LastUsageReportedAt, rangeEnd.toISOString());
   return {
     mode,
     meterEventName,
diff --git a/apps/api/src/webhook-dispatcher.ts b/apps/api/src/webhook-dispatcher.ts
index 5309a9f..e8a44bb 100644
--- a/apps/api/src/webhook-dispatcher.ts
+++ b/apps/api/src/webhook-dispatcher.ts
@@ -1,10 +1,10 @@
 /**
  * Outbound webhook dispatcher.
  *
- * dispatchEvent(type, data) fans out to every active endpoint subscribed
- * to `type`, writes a WebhookDelivery row per recipient, and fires the
- * HTTP POST asynchronously so the inbound request that triggered the
- * event isn't blocked on webhook RTT.
+ * dispatchEvent(tenantId, type, data) fans out to every active endpoint
+ * in `tenantId` subscribed to `type`, writes a WebhookDelivery row per
+ * recipient, and fires the HTTP POST asynchronously so the inbound
+ * request that triggered the event isn't blocked on webhook RTT.
  *
  * Signature: HMAC-SHA256 of `${timestamp}.${rawBody}` keyed on the
  * endpoint's signing secret — the same pattern Stripe uses. Receivers
@@ -16,6 +16,11 @@
  * with attempts + error, and admins can hit POST /webhooks/:id/
  * deliveries/:deliveryId/retry from the UI. A background retry cron
  * with exponential backoff is an obvious future extension.
+ *
+ * Multi-tenant: dispatch runs asynchronously after the request that
+ * triggered it has responded — so the per-request transaction is gone
+ * by the time we run. We use the privileged `db` directly and filter
+ * every query by `tenantId` explicitly.
  */
 
 import { createHmac, randomBytes } from 'node:crypto';
@@ -55,14 +60,14 @@ export function signPayload(secret: string, timestamp: string, rawBody: string):
  * AFTER their DB writes have committed, so a subscriber receiving an
  * event can safely fetch the related rows via the API.
  */
-export function dispatchEvent(event: WebhookEventType, data: unknown): void {
-  void runDispatch(event, data).catch((err) => {
+export function dispatchEvent(tenantId: string, event: WebhookEventType, data: unknown): void {
+  void runDispatch(tenantId, event, data).catch((err) => {
     console.error(`[webhook] dispatch failed: ${err instanceof Error ? err.message : String(err)}`);
   });
 }
 
-async function runDispatch(event: WebhookEventType, data: unknown): Promise<void> {
-  const endpoints = await db<WebhookEndpointRow>(TABLES.WebhookEndpoint).where({ active: true });
+async function runDispatch(tenantId: string, event: WebhookEventType, data: unknown): Promise<void> {
+  const endpoints = await db<WebhookEndpointRow>(TABLES.WebhookEndpoint).where({ tenantId, active: true });
   const matching = endpoints.filter((e) => {
     const events = Array.isArray(e.events) ? e.events : [];
     return events.includes(event) || events.includes('*');
@@ -76,15 +81,16 @@ async function runDispatch(event: WebhookEventType, data: unknown): Promise<void
     data,
   };
 
-  await Promise.all(matching.map((endpoint) => deliverOne(endpoint, envelope)));
+  await Promise.all(matching.map((endpoint) => deliverOne(tenantId, endpoint, envelope)));
 }
 
-async function deliverOne(endpoint: WebhookEndpointRow, envelope: WebhookEnvelope): Promise<void> {
+async function deliverOne(tenantId: string, endpoint: WebhookEndpointRow, envelope: WebhookEnvelope): Promise<void> {
   const deliveryId = ulid();
   const body = JSON.stringify(envelope);
 
   await db<WebhookDeliveryRow>(TABLES.WebhookDelivery).insert({
     id: deliveryId,
+    tenantId,
     endpointId: endpoint.id,
     eventId: envelope.id,
     eventType: envelope.event,
@@ -143,13 +149,19 @@ async function attemptDelivery(deliveryId: string, endpoint: WebhookEndpointRow,
   }
 }
 
-export async function redeliver(deliveryId: string): Promise<WebhookDeliveryRow | null> {
-  const delivery = await db<WebhookDeliveryRow>(TABLES.WebhookDelivery).where({ id: deliveryId }).first();
+export async function redeliver(tenantId: string, deliveryId: string): Promise<WebhookDeliveryRow | null> {
+  const delivery = await db<WebhookDeliveryRow>(TABLES.WebhookDelivery)
+    .where({ id: deliveryId, tenantId })
+    .first();
   if (!delivery) return null;
-  const endpoint = await db<WebhookEndpointRow>(TABLES.WebhookEndpoint).where({ id: delivery.endpointId }).first();
+  const endpoint = await db<WebhookEndpointRow>(TABLES.WebhookEndpoint)
+    .where({ id: delivery.endpointId, tenantId })
+    .first();
   if (!endpoint) return null;
 
   const body = typeof delivery.payload === 'string' ? delivery.payload : JSON.stringify(delivery.payload);
   await attemptDelivery(deliveryId, endpoint, body);
-  return (await db<WebhookDeliveryRow>(TABLES.WebhookDelivery).where({ id: deliveryId }).first()) ?? null;
+  return (
+    (await db<WebhookDeliveryRow>(TABLES.WebhookDelivery).where({ id: deliveryId, tenantId }).first()) ?? null
+  );
 }
diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index 24cfff0..b5052b6 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -15,6 +15,9 @@ import {
   Settings,
   Mail,
   UserCog,
+  Globe,
+  Megaphone,
+  Inbox,
 } from 'lucide-react';
 import { clearApiKey, api, type Principal } from './api.js';
 import { theme } from './theme.js';
@@ -32,6 +35,10 @@ import { MagicLandingPage } from './pages/auth/MagicLanding.js';
 import { WebhooksPage } from './pages/admin/Webhooks.js';
 import { AdminSettings } from './pages/admin/Settings.js';
 import { AdminAdmins } from './pages/admin/Admins.js';
+import { AdminNetwork } from './pages/admin/Network.js';
+import { AdminNetworkComplete } from './pages/admin/NetworkComplete.js';
+import { AdminNetworkOfferings } from './pages/admin/NetworkOfferings.js';
+import { AdminNetworkRequests } from './pages/admin/NetworkRequests.js';
 import { InstallPage } from './pages/Install.js';
 import { FraudReviewPage } from './pages/FraudReview.js';
 import { useQuery } from '@tanstack/react-query';
@@ -120,6 +127,10 @@ function Shell() {
               <Route path="admin/webhooks" element={<WebhooksPage />} />
               <Route path="admin/admins" element={<AdminAdmins />} />
               <Route path="admin/settings" element={<AdminSettings />} />
+              <Route path="admin/network" element={<AdminNetwork />} />
+              <Route path="admin/network/complete" element={<AdminNetworkComplete />} />
+              <Route path="admin/network/offerings" element={<AdminNetworkOfferings />} />
+              <Route path="admin/network/requests" element={<AdminNetworkRequests />} />
             </>
           )}
 
@@ -185,6 +196,14 @@ function Sidebar({ principal }: { principal: Principal }) {
             <NavItem to="/admin/settings" icon={<Settings size={16} />}>Settings</NavItem>
           </NavSection>
         )}
+
+        {principal.role === 'admin' && (
+          <NavSection title="Network">
+            <NavItem to="/admin/network" icon={<Globe size={16} />}>Connection</NavItem>
+            <NavItem to="/admin/network/offerings" icon={<Megaphone size={16} />}>Offerings</NavItem>
+            <NavItem to="/admin/network/requests" icon={<Inbox size={16} />}>Requests</NavItem>
+          </NavSection>
+        )}
       </div>
 
       <button
diff --git a/apps/portal/src/pages/admin/Network.tsx b/apps/portal/src/pages/admin/Network.tsx
new file mode 100644
index 0000000..65e7909
--- /dev/null
+++ b/apps/portal/src/pages/admin/Network.tsx
@@ -0,0 +1,190 @@
+import { useEffect, useState } from 'react';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { api, ApiError } from '../../api.js';
+import { Button, Card, ErrorBanner, Input, Label, Page } from '../../ui.js';
+
+interface NetworkMembership {
+  enabled: boolean;
+  networkUrl: string;
+  hasVendorToken: boolean;
+  scopedKeyId: string | null;
+  autoEnroll: boolean;
+}
+
+interface NetworkSelf {
+  id: string;
+  displayName: string;
+  status: string;
+  partnerCount: number;
+}
+
+interface BackfillResult {
+  total: number;
+  pushed: number;
+  queued: number;
+}
+
+export function AdminNetwork() {
+  return (
+    <Page
+      title="Network"
+      subtitle="Connect this instance to the OpenPartner Network so creators can find your program."
+    >
+      <NetworkConnection />
+    </Page>
+  );
+}
+
+function NetworkConnection() {
+  const qc = useQueryClient();
+  const { data: membership, isLoading, error } = useQuery({
+    queryKey: ['network-membership'],
+    queryFn: () => api<NetworkMembership>('/config/network'),
+  });
+
+  // Connected once enabled=true AND vendor token saved.
+  const connected = !!(membership?.enabled && membership.hasVendorToken);
+
+  return (
+    <>
+      {error && <ErrorBanner error={"Couldn't load Network settings."} />}
+      {isLoading && <Card><p>Loading…</p></Card>}
+      {membership && (
+        <>
+          {!connected ? <ConnectForm membership={membership} /> : <ConnectedPanel membership={membership} />}
+          {connected && <AutoEnrollPanel membership={membership} onChange={() => qc.invalidateQueries({ queryKey: ['network-membership'] })} />}
+          {connected && <BackfillPanel />}
+        </>
+      )}
+    </>
+  );
+}
+
+function ConnectForm({ membership }: { membership: NetworkMembership }) {
+  const qc = useQueryClient();
+  const [contactEmail, setContactEmail] = useState('');
+  const [displayName, setDisplayName] = useState('');
+  const [error, setError] = useState<string | null>(null);
+
+  const m = useMutation({
+    mutationFn: () => api('/config/network/start-connect', {
+      method: 'POST',
+      body: { contactEmail: contactEmail || undefined, displayName: displayName || undefined },
+    }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['network-membership'] }),
+    onError: (err) => setError(err instanceof ApiError ? err.message : 'failed'),
+  });
+
+  return (
+    <Card>
+      <h3 style={{ marginTop: 0 }}>Not connected</h3>
+      <p>
+        Get matched with creators on the OpenPartner Network. We'll mint a scoped federation key for the
+        Network to call back with, then email a confirmation link to your contact address.
+      </p>
+      {membership.networkUrl && (
+        <p style={{ fontSize: 13, color: '#6b7280' }}>
+          Network: <code>{membership.networkUrl}</code>
+        </p>
+      )}
+      {error && <ErrorBanner error={error === 'network_url_not_configured' ? 'NETWORK_URL env not set on this instance.' : error} />}
+      <div style={{ marginBottom: 12 }}>
+        <Label>Contact email (where the confirmation link goes)</Label>
+        <Input value={contactEmail} onChange={(e) => setContactEmail(e.target.value)} placeholder="admin@yourbrand.com" />
+      </div>
+      <div style={{ marginBottom: 12 }}>
+        <Label>Display name (shown to creators)</Label>
+        <Input value={displayName} onChange={(e) => setDisplayName(e.target.value)} placeholder="Your brand" />
+      </div>
+      <Button onClick={() => m.mutate()} disabled={m.isPending || !contactEmail}>
+        {m.isPending ? 'Sending…' : 'Connect to Network'}
+      </Button>
+      {m.isSuccess && (
+        <p style={{ marginTop: 12, color: '#1a6b1a' }}>
+          Confirmation email sent. Click the link to finish connecting.
+        </p>
+      )}
+    </Card>
+  );
+}
+
+function ConnectedPanel({ membership }: { membership: NetworkMembership }) {
+  const { data: self } = useQuery({
+    queryKey: ['network-self'],
+    queryFn: () => api<NetworkSelf>('/admin/network/me'),
+    retry: false,
+  });
+  return (
+    <Card>
+      <h3 style={{ marginTop: 0, color: '#1a6b1a' }}>Connected ✓</h3>
+      <p>
+        Network: <code>{membership.networkUrl}</code><br />
+        {self ? (
+          <>
+            Listed as <strong>{self.displayName}</strong> · status: {self.status} · {self.partnerCount} active partners
+          </>
+        ) : (
+          <em>Loading vendor profile…</em>
+        )}
+      </p>
+    </Card>
+  );
+}
+
+function AutoEnrollPanel({ membership, onChange }: { membership: NetworkMembership; onChange: () => void }) {
+  const m = useMutation({
+    mutationFn: (autoEnroll: boolean) =>
+      api('/config/network', { method: 'POST', body: { autoEnroll } }),
+    onSuccess: onChange,
+  });
+  return (
+    <Card>
+      <h3 style={{ marginTop: 0 }}>Auto-enroll new partners</h3>
+      <p>
+        When ON, every partner created on this instance is automatically pushed to the Network. The Network
+        dedups creators by email — the same person joining you and another vendor gets a single Network
+        identity.
+      </p>
+      <label style={{ display: 'flex', alignItems: 'center', gap: 8 }}>
+        <input
+          type="checkbox"
+          checked={membership.autoEnroll}
+          disabled={m.isPending}
+          onChange={(e) => m.mutate(e.target.checked)}
+        />
+        <span>Auto-enroll on partner create + signup</span>
+      </label>
+    </Card>
+  );
+}
+
+function BackfillPanel() {
+  const [result, setResult] = useState<BackfillResult | null>(null);
+  const [error, setError] = useState<string | null>(null);
+  const m = useMutation({
+    mutationFn: () => api<BackfillResult>('/config/network/backfill', { method: 'POST', body: {} }),
+    onSuccess: (r) => { setResult(r); setError(null); },
+    onError: (err) => setError(err instanceof ApiError ? err.message : 'failed'),
+  });
+  useEffect(() => { setResult(null); }, []);
+  return (
+    <Card>
+      <h3 style={{ marginTop: 0 }}>Backfill existing partners</h3>
+      <p>
+        If you turned the Network on after onboarding partners, run this once to push the existing roster
+        through email-keyed dedup. Pre-existing creators (already on the Network from another vendor) come
+        back with a flag so you can see their cross-vendor presence.
+      </p>
+      {error && <ErrorBanner error={error} />}
+      <Button onClick={() => m.mutate()} disabled={m.isPending}>
+        {m.isPending ? 'Backfilling…' : 'Backfill now'}
+      </Button>
+      {result && (
+        <p style={{ marginTop: 12 }}>
+          Pushed <strong>{result.pushed}</strong> of <strong>{result.total}</strong>.
+          {result.queued > 0 && <> {result.queued} queued for retry.</>}
+        </p>
+      )}
+    </Card>
+  );
+}
diff --git a/apps/portal/src/pages/admin/NetworkComplete.tsx b/apps/portal/src/pages/admin/NetworkComplete.tsx
new file mode 100644
index 0000000..49137a8
--- /dev/null
+++ b/apps/portal/src/pages/admin/NetworkComplete.tsx
@@ -0,0 +1,70 @@
+import { useEffect, useRef, useState } from 'react';
+import { useNavigate, useSearchParams } from 'react-router-dom';
+import { useQueryClient } from '@tanstack/react-query';
+import { api, ApiError } from '../../api.js';
+import { Card, ErrorBanner, Page } from '../../ui.js';
+
+/**
+ * Callback page for the Network self-serve onboarding magic link.
+ *
+ * Network sends the admin to {portal}/admin/network/complete?ntoken=...
+ * after they click the email confirmation link. This page consumes the
+ * ntoken via POST /config/network/complete-connect on this instance —
+ * which round-trips it to Network /vendors/verify-and-issue-token,
+ * receives the long-lived vendorToken, and saves it to network_membership
+ * Config. After success we bounce to /admin/network where the
+ * "Connected" state shows.
+ */
+export function AdminNetworkComplete() {
+  const [params] = useSearchParams();
+  const ntoken = params.get('ntoken');
+  const [state, setState] = useState<'pending' | 'ok' | 'error'>('pending');
+  const [error, setError] = useState<string | null>(null);
+  const navigate = useNavigate();
+  const qc = useQueryClient();
+  // React StrictMode runs effects twice in dev; guard so we only burn
+  // the one-shot ntoken on the first mount.
+  const fired = useRef(false);
+
+  useEffect(() => {
+    if (fired.current) return;
+    fired.current = true;
+    if (!ntoken) {
+      setState('error');
+      setError('Missing ntoken in URL.');
+      return;
+    }
+    api('/config/network/complete-connect', { method: 'POST', body: { ntoken } })
+      .then(() => {
+        setState('ok');
+        qc.invalidateQueries({ queryKey: ['network-membership'] });
+        setTimeout(() => navigate('/admin/network', { replace: true }), 800);
+      })
+      .catch((err) => {
+        setState('error');
+        setError(err instanceof ApiError ? err.message : 'Verification failed.');
+      });
+  }, [ntoken, navigate, qc]);
+
+  return (
+    <Page title="Connecting to Network">
+      <Card>
+        {state === 'pending' && <p>Finishing connection…</p>}
+        {state === 'ok' && (
+          <p style={{ color: '#1a6b1a' }}>
+            Connected. Redirecting back to Network settings…
+          </p>
+        )}
+        {state === 'error' && (
+          <>
+            <ErrorBanner error={error} />
+            <p>
+              Magic links expire after 24 hours. Open Settings → Network and click "Connect to Network"
+              again to receive a fresh link.
+            </p>
+          </>
+        )}
+      </Card>
+    </Page>
+  );
+}
diff --git a/apps/portal/src/pages/admin/NetworkOfferings.tsx b/apps/portal/src/pages/admin/NetworkOfferings.tsx
new file mode 100644
index 0000000..7350a02
--- /dev/null
+++ b/apps/portal/src/pages/admin/NetworkOfferings.tsx
@@ -0,0 +1,217 @@
+import { useEffect, useState } from 'react';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { api, ApiError } from '../../api.js';
+import { Button, Card, ErrorBanner, Input, Label, Page } from '../../ui.js';
+
+interface OfferingTerms {
+  commissionDescription?: string;
+  cookieWindowDays?: number;
+  payoutCadence?: string;
+  bonuses?: string[];
+}
+
+interface Offering {
+  id: string;
+  vendorId: string;
+  title: string;
+  description: string | null;
+  productUrl: string;
+  heroImageUrl: string | null;
+  vendorCampaignId: string;
+  terms: OfferingTerms;
+  published: boolean;
+  createdAt: string;
+  updatedAt: string;
+}
+
+interface Campaign {
+  id: string;
+  name: string;
+}
+
+export function AdminNetworkOfferings() {
+  return (
+    <Page
+      title="Network offerings"
+      subtitle="Programs you publish on the OpenPartner Network for creators to discover."
+    >
+      <CreateOfferingForm />
+      <div style={{ height: 18 }} />
+      <OfferingList />
+    </Page>
+  );
+}
+
+function OfferingList() {
+  const qc = useQueryClient();
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['network-offerings'],
+    queryFn: () => api<{ offerings: Offering[] }>('/admin/network/offerings'),
+    retry: false,
+  });
+  const del = useMutation({
+    mutationFn: (id: string) => api(`/admin/network/offerings/${id}`, { method: 'DELETE' }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['network-offerings'] }),
+  });
+  const togglePublished = useMutation({
+    mutationFn: ({ id, published }: { id: string; published: boolean }) =>
+      api(`/admin/network/offerings/${id}`, { method: 'PATCH', body: { published } }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['network-offerings'] }),
+  });
+
+  if (error) {
+    const msg = error instanceof ApiError && error.message.includes('network_not_configured')
+      ? 'Connect to the Network first under Settings → Network.'
+      : `Couldn't load offerings: ${error instanceof Error ? error.message : String(error)}`;
+    return <ErrorBanner error={msg} />;
+  }
+  if (isLoading) return <Card><p>Loading…</p></Card>;
+  const offerings = data?.offerings ?? [];
+  if (offerings.length === 0) {
+    return <Card><p style={{ color: '#6b7280' }}>No offerings yet. Create one above.</p></Card>;
+  }
+  return (
+    <>
+      {offerings.map((o) => (
+        <Card key={o.id}>
+          <div style={{ display: 'flex', alignItems: 'baseline', gap: 12 }}>
+            <h3 style={{ marginTop: 0, marginBottom: 4, flex: 1 }}>
+              {o.title}{' '}
+              <span style={{
+                fontSize: 11,
+                padding: '2px 8px',
+                borderRadius: 12,
+                background: o.published ? '#d4f0d4' : '#fff7d4',
+                color: o.published ? '#1a6b1a' : '#8b6f00',
+              }}>
+                {o.published ? 'published' : 'draft'}
+              </span>
+            </h3>
+            <Button
+              onClick={() => togglePublished.mutate({ id: o.id, published: !o.published })}
+              disabled={togglePublished.isPending}
+              variant="secondary"
+            >
+              {o.published ? 'Unpublish' : 'Publish'}
+            </Button>
+            <Button
+              onClick={() => {
+                if (confirm(`Delete "${o.title}"?`)) del.mutate(o.id);
+              }}
+              disabled={del.isPending}
+              variant="danger"
+            >
+              Delete
+            </Button>
+          </div>
+          <p style={{ color: '#6b7280', fontSize: 13, margin: '4px 0' }}>
+            {o.terms.commissionDescription} · campaign <code>{o.vendorCampaignId}</code>
+          </p>
+          {o.description && <p>{o.description}</p>}
+          <p style={{ fontSize: 13 }}>
+            <a href={o.productUrl} target="_blank" rel="noopener noreferrer">{o.productUrl} ↗</a>
+          </p>
+        </Card>
+      ))}
+    </>
+  );
+}
+
+function CreateOfferingForm() {
+  const qc = useQueryClient();
+  const [title, setTitle] = useState('');
+  const [description, setDescription] = useState('');
+  const [productUrl, setProductUrl] = useState('');
+  const [vendorCampaignId, setVendorCampaignId] = useState('');
+  const [commissionDescription, setCommissionDescription] = useState('');
+  const [cookieWindowDays, setCookieWindowDays] = useState<number | ''>('');
+  const [error, setError] = useState<string | null>(null);
+
+  // Pull campaigns so the admin can pick from a dropdown.
+  const { data: campaigns } = useQuery({
+    queryKey: ['campaigns'],
+    queryFn: () => api<{ campaigns: Campaign[] }>('/campaigns'),
+  });
+
+  const m = useMutation({
+    mutationFn: () => api('/admin/network/offerings', {
+      method: 'POST',
+      body: {
+        title,
+        description: description || undefined,
+        productUrl,
+        vendorCampaignId,
+        terms: {
+          commissionDescription,
+          cookieWindowDays: cookieWindowDays === '' ? undefined : Number(cookieWindowDays),
+        },
+        published: true,
+      },
+    }),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['network-offerings'] });
+      setTitle(''); setDescription(''); setProductUrl(''); setVendorCampaignId('');
+      setCommissionDescription(''); setCookieWindowDays('');
+    },
+    onError: (err) => setError(err instanceof ApiError ? err.message : 'failed'),
+  });
+
+  useEffect(() => { setError(null); }, [title, productUrl, vendorCampaignId, commissionDescription]);
+
+  return (
+    <Card>
+      <h3 style={{ marginTop: 0 }}>Publish a new offering</h3>
+      {error && <ErrorBanner error={error} />}
+      <div style={{ marginBottom: 12 }}>
+        <Label>Title</Label>
+        <Input value={title} onChange={(e) => setTitle(e.target.value)} placeholder="Acme Pro — 20% recurring" />
+      </div>
+      <div style={{ marginBottom: 12 }}>
+        <Label>Description (markdown OK on the Network side)</Label>
+        <textarea
+          value={description}
+          onChange={(e) => setDescription(e.target.value)}
+          rows={3}
+          placeholder="What you sell, who it's for, why it converts."
+          style={{ width: '100%', padding: '8px 10px', border: '1px solid #d0d0c8', borderRadius: 6, fontSize: 14, fontFamily: 'inherit', resize: 'vertical' }}
+        />
+      </div>
+      <div style={{ marginBottom: 12 }}>
+        <Label>Product URL (where the share link redirects to)</Label>
+        <Input value={productUrl} onChange={(e) => setProductUrl(e.target.value)} placeholder="https://acme.example.com/pro" />
+      </div>
+      <div style={{ marginBottom: 12 }}>
+        <Label>Campaign (commission rule lives here)</Label>
+        <select
+          value={vendorCampaignId}
+          onChange={(e) => setVendorCampaignId(e.target.value)}
+          style={{ width: '100%', padding: '8px 10px', border: '1px solid #d0d0c8', borderRadius: 6, fontSize: 14, fontFamily: 'inherit' }}
+        >
+          <option value="">— pick a campaign —</option>
+          {campaigns?.campaigns.map((c) => (
+            <option key={c.id} value={c.id}>{c.name}</option>
+          ))}
+        </select>
+      </div>
+      <div style={{ marginBottom: 12 }}>
+        <Label>Commission summary (shown to creators)</Label>
+        <Input value={commissionDescription} onChange={(e) => setCommissionDescription(e.target.value)} placeholder="20% recurring on all plans" />
+      </div>
+      <div style={{ marginBottom: 12 }}>
+        <Label>Cookie window (days, optional)</Label>
+        <Input
+          type="number"
+          value={cookieWindowDays}
+          onChange={(e) => setCookieWindowDays(e.target.value === '' ? '' : Number(e.target.value))}
+          placeholder="60"
+        />
+      </div>
+      <Button
+        onClick={() => m.mutate()}
+        disabled={m.isPending || !title || !productUrl || !vendorCampaignId || !commissionDescription}
+      >
+        {m.isPending ? 'Publishing…' : 'Publish offering'}
+      </Button>
+    </Card>
+  );
+}
diff --git a/apps/portal/src/pages/admin/NetworkRequests.tsx b/apps/portal/src/pages/admin/NetworkRequests.tsx
new file mode 100644
index 0000000..c0044d2
--- /dev/null
+++ b/apps/portal/src/pages/admin/NetworkRequests.tsx
@@ -0,0 +1,149 @@
+import { useState } from 'react';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { api, ApiError } from '../../api.js';
+import { Button, Card, ErrorBanner, Label, Page } from '../../ui.js';
+
+interface PartnershipRequest {
+  id: string;
+  status: 'pending' | 'approved' | 'rejected' | 'cancelled';
+  message: string | null;
+  preferredSlug: string | null;
+  createdAt: string;
+  creatorId: string;
+  creatorEmail: string;
+  creatorName: string;
+  creatorHandle: string | null;
+  creatorBio: string | null;
+  offeringId: string;
+  offeringTitle: string;
+}
+
+export function AdminNetworkRequests() {
+  const [statusFilter, setStatusFilter] = useState<'pending' | 'approved' | 'rejected' | 'cancelled'>('pending');
+  return (
+    <Page
+      title="Network requests"
+      subtitle="Creators applying to promote your offerings. Approve to provision a Partner + Link automatically."
+      actions={
+        <select
+          value={statusFilter}
+          onChange={(e) => setStatusFilter(e.target.value as typeof statusFilter)}
+          style={{ padding: '6px 10px', border: '1px solid #d0d0c8', borderRadius: 6, fontSize: 13 }}
+        >
+          <option value="pending">Pending</option>
+          <option value="approved">Approved</option>
+          <option value="rejected">Rejected</option>
+          <option value="cancelled">Cancelled</option>
+        </select>
+      }
+    >
+      <RequestList statusFilter={statusFilter} />
+    </Page>
+  );
+}
+
+function RequestList({ statusFilter }: { statusFilter: string }) {
+  const qc = useQueryClient();
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['network-requests', statusFilter],
+    queryFn: () => api<{ requests: PartnershipRequest[] }>(`/admin/network/requests?status=${statusFilter}`),
+    retry: false,
+  });
+  const [actionError, setActionError] = useState<string | null>(null);
+
+  const approve = useMutation({
+    mutationFn: ({ id, decisionNote }: { id: string; decisionNote?: string }) =>
+      api(`/admin/network/requests/${id}/approve`, { method: 'POST', body: { decisionNote } }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['network-requests'] }),
+    onError: (err) => setActionError(err instanceof ApiError ? err.message : 'failed'),
+  });
+  const reject = useMutation({
+    mutationFn: ({ id, decisionNote }: { id: string; decisionNote?: string }) =>
+      api(`/admin/network/requests/${id}/reject`, { method: 'POST', body: { decisionNote } }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['network-requests'] }),
+    onError: (err) => setActionError(err instanceof ApiError ? err.message : 'failed'),
+  });
+
+  if (error) {
+    const msg = error instanceof ApiError && error.message.includes('network_not_configured')
+      ? 'Connect to the Network first under Settings → Network.'
+      : `Couldn't load requests: ${error instanceof Error ? error.message : String(error)}`;
+    return <ErrorBanner error={msg} />;
+  }
+  if (isLoading) return <Card><p>Loading…</p></Card>;
+  const requests = data?.requests ?? [];
+  if (requests.length === 0) {
+    return <Card><p style={{ color: '#6b7280' }}>No {statusFilter} requests.</p></Card>;
+  }
+  return (
+    <>
+      {actionError && <ErrorBanner error={actionError} />}
+      {requests.map((r) => (
+        <RequestRow
+          key={r.id}
+          request={r}
+          onApprove={(note) => approve.mutate({ id: r.id, decisionNote: note })}
+          onReject={(note) => reject.mutate({ id: r.id, decisionNote: note })}
+          busy={approve.isPending || reject.isPending}
+        />
+      ))}
+    </>
+  );
+}
+
+function RequestRow({
+  request,
+  onApprove,
+  onReject,
+  busy,
+}: {
+  request: PartnershipRequest;
+  onApprove: (note?: string) => void;
+  onReject: (note?: string) => void;
+  busy: boolean;
+}) {
+  const [note, setNote] = useState('');
+  const isPending = request.status === 'pending';
+  return (
+    <Card>
+      <div style={{ display: 'flex', alignItems: 'baseline', gap: 12 }}>
+        <h3 style={{ marginTop: 0, marginBottom: 4, flex: 1 }}>
+          {request.creatorName} {request.creatorHandle && <span style={{ color: '#6b7280', fontWeight: 400 }}>@{request.creatorHandle}</span>}
+        </h3>
+        <span style={{ fontSize: 12, color: '#6b7280' }}>
+          {new Date(request.createdAt).toLocaleDateString()}
+        </span>
+      </div>
+      <p style={{ color: '#6b7280', fontSize: 13, margin: '0 0 8px' }}>
+        {request.creatorEmail} · applying to <strong>{request.offeringTitle}</strong>
+        {request.preferredSlug && <> · prefers slug <code>/{request.preferredSlug}</code></>}
+      </p>
+      {request.creatorBio && <p style={{ fontSize: 14 }}>{request.creatorBio}</p>}
+      {request.message && (
+        <blockquote style={{ borderLeft: '3px solid #d0d0c8', paddingLeft: 12, color: '#444', fontSize: 14 }}>
+          {request.message}
+        </blockquote>
+      )}
+      {isPending && (
+        <div style={{ marginTop: 12 }}>
+          <Label>Decision note (optional)</Label>
+          <input
+            type="text"
+            value={note}
+            onChange={(e) => setNote(e.target.value)}
+            placeholder="Welcome to the program!"
+            style={{ width: '100%', padding: '8px 10px', border: '1px solid #d0d0c8', borderRadius: 6, fontSize: 14, marginBottom: 12 }}
+          />
+          <div style={{ display: 'flex', gap: 8 }}>
+            <Button onClick={() => onApprove(note || undefined)} disabled={busy}>
+              {busy ? 'Working…' : 'Approve + provision'}
+            </Button>
+            <Button onClick={() => onReject(note || undefined)} disabled={busy} variant="danger">
+              Reject
+            </Button>
+          </div>
+        </div>
+      )}
+    </Card>
+  );
+}
diff --git a/docker-compose.yml b/docker-compose.yml
index 782e923..0247e5f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -10,8 +10,14 @@ services:
       POSTGRES_USER: openpartner
       POSTGRES_PASSWORD: openpartner
       POSTGRES_DB: openpartner
+      # Picked up by ./docker/initdb/10-app-role.sh on first boot to
+      # provision the openpartner_app RLS-bound role. Leave unset and
+      # the role is created NOLOGIN (still useful for SET ROLE in
+      # isolation tests; not for a runtime-app connection).
+      OPENPARTNER_APP_DB_PASSWORD: ${OPENPARTNER_APP_DB_PASSWORD:-}
     volumes:
       - openpartner-pg-data:/var/lib/postgresql/data
+      - ./docker/initdb:/docker-entrypoint-initdb.d:ro
     healthcheck:
       test: ["CMD-SHELL", "pg_isready -U openpartner"]
       interval: 5s
diff --git a/docker/initdb/10-app-role.sh b/docker/initdb/10-app-role.sh
new file mode 100644
index 0000000..e062f95
--- /dev/null
+++ b/docker/initdb/10-app-role.sh
@@ -0,0 +1,46 @@
+#!/usr/bin/env bash
+# Provision the openpartner_app role on first container boot.
+#
+# This runs once when the postgres container's data volume is empty
+# (the standard /docker-entrypoint-initdb.d behavior). Subsequent
+# starts do nothing — to rotate the password, recreate the volume or
+# run the migration `20260507020000_app_role.ts` against an existing
+# DB, which idempotently rotates.
+#
+# The role is created NOLOGIN if OPENPARTNER_APP_DB_PASSWORD is unset,
+# so RLS isolation can still be verified in tests via SET ROLE without
+# providing a password. For a real RLS-enforcing setup, set the env
+# var when bringing up the stack.
+#
+# DML grants are issued by the migration, not here, so this script
+# stays valid even as new tables are added.
+
+set -euo pipefail
+
+PASSWORD="${OPENPARTNER_APP_DB_PASSWORD:-}"
+
+if [ -z "$PASSWORD" ]; then
+  echo "[initdb] OPENPARTNER_APP_DB_PASSWORD unset — creating openpartner_app NOLOGIN."
+  psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-'EOSQL'
+    DO $$
+    BEGIN
+      IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'openpartner_app') THEN
+        CREATE ROLE openpartner_app NOLOGIN;
+      END IF;
+    END
+    $$;
+EOSQL
+else
+  echo "[initdb] Creating openpartner_app with login + password from env."
+  psql -v ON_ERROR_STOP=1 -v app_pwd="$PASSWORD" --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-'EOSQL'
+    DO $$
+    BEGIN
+      IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'openpartner_app') THEN
+        EXECUTE format('CREATE ROLE openpartner_app LOGIN PASSWORD %L', :'app_pwd');
+      ELSE
+        EXECUTE format('ALTER ROLE openpartner_app LOGIN PASSWORD %L', :'app_pwd');
+      END IF;
+    END
+    $$;
+EOSQL
+fi
diff --git a/docs/deploy-production.md b/docs/deploy-production.md
index 76dcc1e..06fe10a 100644
--- a/docs/deploy-production.md
+++ b/docs/deploy-production.md
@@ -102,6 +102,8 @@ Set each value with **Encrypt** checked:
 | `POSTMARK_SERVER_TOKEN` | from your Postmark dashboard |
 | `PORTAL_URL` | `https://app.openpartner.dev` (or your chosen domain) |
 | `METRICS_TOKEN` | random token if you want to gate /metrics; otherwise generate one |
+| `OPENPARTNER_APP_DB_PASSWORD` | random 32+ char string — provisions the openpartner_app role |
+| `DATABASE_URL_APP` | same host/db as DATABASE_URL but `user=openpartner_app` and `password=` the value above |
 
 For the **router** component, set:
 
@@ -186,6 +188,51 @@ Once all six pass, you're live.
 
 ## Operational notes
 
+### Multi-tenant rollout
+
+`OPENPARTNER_TENANCY=multi` switches the api from single-tenant
+self-host mode to hosted multi-tenant mode:
+
+- **URL routing.** Tenant-scoped routes live under `/t/<slug>/...`.
+  Set `app.openpartner.dev` to the api component and the portal SPA
+  reads the slug from `location.pathname`. The catch-all rewrite in
+  `static_sites.catchall_document` keeps SPA routing working under any
+  `/t/<slug>/...` path.
+- **Tenant provisioning.** Public `POST /signup` creates a tenant +
+  first admin and emails the magic link. No payment gate at v1; add
+  one downstream of `/signup` if you want to require a card on file
+  before activation.
+- **RLS engagement.** With `DATABASE_URL_APP` set to the
+  openpartner_app role, every tenant-scoped request runs in a
+  transaction with `app.tenant_id` pinned, and Row-Level Security
+  policies (see migration `20260507010000_rls_policies.ts`) drop any
+  query that crosses tenants. Without `DATABASE_URL_APP`, tenant
+  isolation falls back to app-level filtering only — fine for
+  bootstrap, not safe for production multi-tenant.
+- **Stripe webhooks.** A single `/webhooks/stripe` endpoint covers all
+  tenants. Each event resolves its tenant from `metadata.openpartner_tenant_id`
+  (every Stripe object we create is stamped with this); the handler
+  then runs in an `appDb.transaction` with `app.tenant_id` pinned. No
+  per-tenant webhook destinations needed.
+- **Reserved slugs.** `default`, `www`, `api`, `app`, `admin`,
+  `signup`, `login`, `auth`, `docs`, `help`, `support`, `status`,
+  `network`, `static`, `public`, `platform` cannot be claimed.
+  `apps/api/src/tenancy.ts` has the full list — extend it before
+  introducing any new top-level URL space.
+- **Scheduler.** `usage-report` and `payouts` iterate active tenants
+  per tick; each tenant runs in its own transaction with
+  `app.tenant_id` pinned. A single failing tenant doesn't stop the
+  others.
+
+To migrate an existing single-tenant deploy to multi:
+
+1. Run the multi-tenant migrations (already part of `pnpm migrate` —
+   they backfill every existing row to `tenantId='default'`).
+2. Set `OPENPARTNER_APP_DB_PASSWORD`, `DATABASE_URL_APP`, and flip
+   `OPENPARTNER_TENANCY=multi`.
+3. Redeploy. The default tenant remains accessible at `/t/default/`;
+   new tenants come in via `/signup`.
+
 ### Scheduled jobs
 
 The api process runs an in-process scheduler (`OPENPARTNER_ENABLE_SCHEDULER=1`):
diff --git a/docs/multi-tenant-refactor.md b/docs/multi-tenant-refactor.md
new file mode 100644
index 0000000..9eafab8
--- /dev/null
+++ b/docs/multi-tenant-refactor.md
@@ -0,0 +1,420 @@
+# Multi-tenant refactor — handoff
+
+This document is the resumption point for the multi-tenant refactor in
+progress on the `multi-tenant` branch. The foundation, the route
+refactor, helper updates, the public signup flow, and a first pass at
+test seed updates are committed. The remaining work is verifying the
+test suite end-to-end against a live Postgres, adding multi-tenant
+isolation tests, and ops/env config for hosted deploys.
+
+If you're picking this up fresh: read this whole doc, scan the commits
+on `multi-tenant`, then start with section G (new isolation tests) and
+H (env + ops). Verify tests pass against a real DB first.
+
+## TL;DR
+
+- One codebase, two tenancy modes:
+  - `OPENPARTNER_TENANCY=single` — self-host. tenantId always `'default'`.
+  - `OPENPARTNER_TENANCY=multi` — hosted. tenantId resolved from URL path.
+- Database has `tenantId` on every data table.
+- RLS enforced via `app.tenant_id` GUC + `app.platform_admin` override,
+  with FORCE so even the table owner is subject to policies.
+- Two DB roles: privileged (migrations, signup, platform tooling) and
+  `openpartner_app` (subject to RLS at runtime).
+- Per-request transaction wraps every tenant-scoped request, sets the
+  GUCs, exposes `req.db` to handlers.
+- Route refactor pending: every handler uses `req.db` + `tenantOf(req)`.
+
+## Branch state (as of pause)
+
+```
+multi-tenant
+  HEAD     feat(api): public /signup + test seed tenantId fixes
+  095fc89  feat(api): route + helper refactor for tenant-scoped req.db
+  92f570a  docs(multi-tenant): handoff guide for the in-progress refactor
+  e560b3f  feat(tenancy): add tenantOf(req) helper for route handler ergonomics
+  44f5311  feat(api): tenancy middleware + connection split (admin vs app pools)
+  b2c69ac  feat(db): multi-tenant foundation + RLS
+  ... (matches main from here)
+```
+
+`main` is unaffected — production deploys keep working off `main` until
+`multi-tenant` merges.
+
+## Architecture decisions
+
+### Tenant resolution: path-based, not subdomain
+
+`/t/<slug>/...` not `<slug>.openpartner.dev`. Reasons:
+
+- Wildcard subdomain SSL on DO App Platform requires Pro tier and has
+  domain-count limits. Path-based scales unboundedly.
+- Cookie isolation concerns aren't real for portal/api at our stage.
+  Session cookies can be path-scoped or per-tenant-named.
+- Click router cookie isolation is genuinely tenant-sensitive, but
+  solved by either (a) per-tenant cookie names (`_op_cref_<slug>`) or
+  (b) optional custom-domain CNAME for tenants that want first-party
+  cookies on their own domain.
+- Premium subdomain feel can be added later as an upgrade — most v1
+  tenants won't notice or care.
+
+URL layout in production:
+
+```
+openpartner.dev / www.openpartner.dev    → marketing site
+app.openpartner.dev/t/<slug>/...         → multi-tenant portal + admin
+app.openpartner.dev/api/...              → api (tenantId from path/auth/event metadata)
+r.openpartner.dev/<linkKey>              → click router
+network.openpartner.dev                  → Network coordinator (separate service)
+partners.<merchant>.com                  → optional custom domain per tenant
+```
+
+### Database isolation: RLS + role separation
+
+Two layers of defense:
+
+1. **App-level filtering** — every query goes through `req.db` with
+   `app.tenant_id` set; handlers either filter explicitly or rely on
+   the GUC. Primary defense.
+2. **Row-Level Security** — every tenanted table has FORCE RLS with a
+   policy matching `tenantId` to the GUC, plus a `platform_admin = 'on'`
+   override for cross-tenant tooling. Secondary defense — catches
+   missed `where()` clauses, SQL injection, compromised API keys.
+
+For RLS to actually engage, the runtime DB role must not be a superuser
+or have BYPASSRLS. Hence `openpartner_app` (provisioned by
+`20260507020000_app_role.ts` from `OPENPARTNER_APP_DB_PASSWORD`).
+Migrations continue running as the privileged role with
+`SET row_security = off`.
+
+### Two connection pools, one source of truth
+
+`apps/api/src/db.ts`:
+- `db` — privileged pool, `DATABASE_URL`. For migrations, signup,
+  platform-admin tooling, jobs that legitimately need cross-tenant access.
+- `appDb` — app pool, `DATABASE_URL_APP` (falls back to `DATABASE_URL`
+  for self-host without role separation). Connection of choice for
+  request handlers via `req.db`.
+
+If `DATABASE_URL_APP` is unset, RLS is bypassed (the app runs as the
+migration role) but app-level filtering still applies. Self-hosters
+opt into RLS by setting both env vars.
+
+### Per-request transaction
+
+`tenantMiddleware` (apps/api/src/tenancy.ts) wraps every tenant-scoped
+request in a knex transaction:
+
+1. Resolve tenantId (single → `default`, multi → `/t/<slug>/...`).
+2. `appDb.transaction(...)`.
+3. `SET LOCAL app.tenant_id = '<id>'` (and `app.platform_admin = 'on'`
+   if applicable).
+4. Stash trx as `req.db`.
+5. Handler runs, writes response.
+6. Transaction commits on `res.finish` / `close`, rolls back on error.
+
+Routes get the trx via `req.db` or — more ergonomically — the helper:
+
+```typescript
+import { tenantOf } from '../tenancy.js';
+
+router.get('/foo', async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  const rows = await db('Partner').limit(10);
+  // inserts must include tenantId:
+  await db('Partner').insert({ id: ulid(), tenantId, ... });
+  res.json(rows);
+});
+```
+
+`tenantOf(req)` throws if the route wasn't behind `tenantMiddleware` —
+makes routing bugs loud.
+
+### Reserved slugs
+
+`apps/api/src/tenancy.ts` exports `RESERVED_SLUGS`:
+default, www, api, app, admin, signup, login, auth, docs, help, support,
+status, network, static, public, platform.
+
+These can never be claimed by a tenant. Add to this set if we introduce
+new top-level URL spaces.
+
+## What's committed (foundation)
+
+### `packages/db/migrations/20260507000000_multi_tenant.ts`
+- New `Tenant` table.
+- Seeded `'default'` tenant (id = `01J0000000DEFAULTTENANT0000`).
+- `tenantId` column on every data table, backfilled to `'default'`.
+- Per-tenant unique constraints: Partner.email, Admin.email,
+  Link.linkKey, Config.(tenantId, key).
+
+### `packages/db/migrations/20260507010000_rls_policies.ts`
+- `PlatformAdmin` table (cross-tenant Coherence support staff).
+- FORCE RLS on every tenanted table.
+- Policies match on `app.tenant_id` GUC OR `app.platform_admin = 'on'`.
+- Self-policy on `Tenant` and `PlatformAdmin` tables.
+
+### `packages/db/migrations/20260507020000_app_role.ts`
+- Provisions `openpartner_app` role from `OPENPARTNER_APP_DB_PASSWORD`.
+- Idempotent (rotates password if role exists).
+- Skipped with notice if env unset (self-host without RLS isolation).
+- Grants DML (no DDL) on every tenanted table.
+
+### `packages/db/scripts/migrate.ts`
+- Sets `row_security = off` at session start so DDL bypasses policies.
+
+### `packages/db/src/types.ts`
+- Every `Row` interface gained `tenantId: string`.
+- New `TenantRow`, `PlatformAdminRow` exports.
+- `DEFAULT_TENANT_ID` constant.
+
+### `apps/api/src/db.ts`
+- `db` (admin pool, DATABASE_URL) and `appDb` (app pool, DATABASE_URL_APP).
+
+### `apps/api/src/tenancy.ts`
+- `getTenancyMode()` reads `OPENPARTNER_TENANCY`.
+- `RESERVED_SLUGS` set.
+- `tenantMiddleware` Express middleware (transaction wrapping, GUC setup).
+- `tenantOf(req)` helper.
+- Express `Request` interface augmentation: `tenantId`, `tenantSlug`,
+  `db`, `platformAdmin`.
+
+## What's done since the original handoff
+
+- **Route refactor (section A)** — every route file under
+  `apps/api/src/routes/` uses `tenantOf(req)` and `req.db`. Inserts stamp
+  `tenantId`. Public, non-tenant routes (`install`, `metrics`, `signup`,
+  `stripe-webhook`) are mounted before `tenantMiddleware` and use the
+  privileged `db` directly.
+- **Helper refactor (section B)** — `auth-sessions`, `auth.resolvePrincipal`,
+  `attribution`, `payouts`, `usage-billing`, `webhook-dispatcher`,
+  `mailer`, `mail-settings`, `config` all take `(db, tenantId, ...)`
+  parameters. `dispatchEvent` takes `tenantId` as the first arg and uses
+  the privileged `db` (since it's fire-and-forget after the request
+  transaction commits).
+- **Mount middleware (section C)** — `tenantMiddleware` mounted in
+  `app.ts` between public mounts and tenant-scoped routes.
+- **Public signup (section D)** — `apps/api/src/routes/signup.ts` is
+  done. POST /signup creates Tenant + first Admin + magic link.
+- **Stripe webhook tenant routing (section E)** — events resolve their
+  tenant from object metadata (every Stripe object we create is now
+  stamped with `openpartner_tenant_id`); fallback resolution via
+  partnerId / payoutId / clickId for events without metadata. The
+  handler runs in `appDb.transaction(...)` with `app.tenant_id` pinned
+  so RLS catches cross-tenant mistakes.
+- **Test seed inserts (section F, partial)** — every
+  `db(TABLES.X).insert({ ... })` in `integration.test.ts`,
+  `regressions.test.ts`, `stripe-webhook.test.ts`, `webhooks.test.ts`
+  now stamps `tenantId: DEFAULT_TENANT_ID`. `OPENPARTNER_TENANCY=single`
+  added to the test env. **Not yet validated against a live DB** — do
+  this first when resuming.
+- **Scheduler tenant iteration** — `scheduler.ts` iterates
+  `forEachActiveTenant(...)` for usage-report and payouts; each tenant
+  runs in its own appDb transaction with `app.tenant_id` pinned.
+
+`pnpm typecheck` passes across the workspace.
+
+## What's left
+
+### A. Route refactor (~4–6 hours, mostly mechanical) ✅ DONE
+
+Every route file under `apps/api/src/routes/` that uses the
+module-level `db` needs:
+
+1. Drop the `import { db } from '../db.js';`.
+2. Add `import { tenantOf } from '../tenancy.js';`.
+3. Each handler: `const { db, tenantId } = tenantOf(req);`.
+4. Inserts: include `tenantId`.
+5. Inner `db.transaction(...)` wrappers can be removed — the request is
+   already in a transaction. Just use `req.db` directly.
+
+Files (alphabetical, per `apps/api/src/routes/`):
+
+- [ ] admin-overview.ts
+- [ ] admins.ts (uses issueMagicLink — see helper-refactor below)
+- [ ] api-keys.ts
+- [ ] auth.ts (uses resolveSession — see helper-refactor below)
+- [ ] billing.ts (Stripe-aware; tenantId stamped on Customer metadata)
+- [ ] campaigns.ts
+- [ ] commissions.ts
+- [ ] connect.ts (Stripe Connect onboarding; stamp tenantId on account metadata)
+- [ ] dashboard.ts
+- [ ] events.ts
+- [ ] export.ts (export only the current tenant's data)
+- [ ] fraud-review.ts
+- [ ] funnel.ts
+- [ ] identify.ts (the SDK identify endpoint — tenant inferred from cookie or path)
+- [ ] install.ts (single-mode only; multi-mode rejects)
+- [ ] links.ts
+- [ ] metrics.ts
+- [ ] partner-auth.ts (uses issueMagicLink, createSession, resolveSession)
+- [x] partners.ts (started but reverted — restart fresh)
+- [ ] payouts.ts
+- [ ] settings.ts (per-tenant Config — already (tenantId, key) primary key)
+- [ ] stripe-webhook.ts (special case — see "Stripe webhook tenant routing" below)
+- [ ] webhooks.ts
+
+### B. Shared helper refactor ✅ DONE
+
+These modules use the module-level `db` and need to accept it as a
+parameter so they can be called with `req.db`:
+
+- `apps/api/src/auth-sessions.ts` — every function takes `(db, params)`.
+  `issueMagicLink` and `createSession` also take `tenantId` for inserts.
+  Sketch in the unsuccessful first attempt is on local but reverted —
+  redo cleanly. The 5 callers will need updating in lockstep.
+- `apps/api/src/auth.ts` — `resolvePrincipal` reads ApiKey + sessions.
+  Use `req.db`. Tenant scope handled by RLS on the lookup.
+- `apps/api/src/attribution.ts` — `attributeEvent` etc. accept `db: Knex`
+  parameter; callers pass `req.db` (webhook handler) or pass the privileged
+  `db` (for back-fill jobs, with explicit `app.tenant_id` set).
+- `apps/api/src/payouts.ts` — `runPayouts(db, ...)`. Cron-driven; runs
+  per-tenant, so it needs to set `app.tenant_id` itself or accept a
+  pre-scoped trx.
+- `apps/api/src/mailer.ts`, `email-templates.ts` — likely no DB access;
+  verify and skip if so.
+
+### C. Mount `tenantMiddleware` in `app.ts` ✅ DONE
+
+After the route refactor lands. The line `app.use(tenantMiddleware);`
+goes BEFORE the tenant-scoped routes and AFTER the public-route mounts
+(stripe webhook, /health, eventually /signup and /platform/*).
+
+The current `app.ts` doesn't mount the middleware at all on this branch
+— intentional, so the existing behavior keeps working until the routes
+are ready for it.
+
+### D. Public signup flow ✅ DONE
+
+New router (`apps/api/src/routes/signup.ts`):
+
+- `POST /signup` — public, no auth required.
+- Body: `{ slug, displayName, adminEmail, adminName }`.
+- Validates: slug matches `[a-z0-9-]{3,30}`, not in `RESERVED_SLUGS`,
+  not already taken (Tenant slug unique).
+- Creates Tenant + first Admin (status='active', activatedAt=null).
+- Issues a magic link to the admin email (purpose `admin_invite`,
+  scoped to the new tenantId).
+- Returns 201 with the tenant slug (for the portal to redirect).
+- Uses the privileged `db` (no tenant context yet).
+
+Mount BEFORE `tenantMiddleware` in `app.ts`.
+
+### E. Stripe webhook tenant routing ✅ DONE
+
+`apps/api/src/routes/stripe-webhook.ts` doesn't go through
+`tenantMiddleware` — Stripe events have no URL tenant. Resolve tenant
+inside the handler from event metadata:
+
+1. Webhook deliveries identified by reading `event.data.object.metadata`
+   for `openpartner_tenant_id` (Connect events: `account.metadata`,
+   subscription/customer events: `customer.metadata`, checkout session:
+   `metadata`).
+2. Stamp `openpartner_tenant_id` on every Stripe object we create:
+   - `stripe.customers.create({ metadata: { openpartner_tenant_id, ... } })`
+     in `billing.ts`.
+   - `stripe.accounts.create({ metadata: { openpartner_tenant_id, ... } })`
+     in `connect.ts`.
+   - `stripe.checkout.sessions.create({ metadata: { openpartner_tenant_id, ... } })`.
+3. Inside the webhook handler, after resolving the tenantId, run the
+   actual processing inside `appDb.transaction(...)` with
+   `SET LOCAL app.tenant_id` so attribution/event/identity inserts land
+   in the right tenant.
+
+For events with no resolvable tenant (genuinely platform-level events),
+process them with the privileged `db` and tag accordingly.
+
+### F. Update existing tests ✅ DONE & VALIDATED
+
+Every `db(TABLES.X).insert({...})` in `integration.test.ts`,
+`regressions.test.ts`, `stripe-webhook.test.ts`, and `webhooks.test.ts`
+stamps `tenantId: DEFAULT_TENANT_ID`. Every test file sets
+`OPENPARTNER_TENANCY = 'single'`. Validated against the docker-compose
+postgres: 64/64 pre-existing tests pass.
+
+Two real bugs surfaced during validation and were fixed in the same pass:
+
+  - **Privileged db was subject to FORCE RLS** (silently zeroed every
+    cross-tenant query because `app.tenant_id` was unset). Fixed by
+    adding `bypassRls: true` support to `createDb()` (sets
+    `row_security = off` per pooled connection) and turning it on for
+    the privileged `db` in `apps/api/src/db.ts`.
+  - **`tenantMiddleware` committed the trx on `res.on('finish')`** —
+    *after* the response was sent. Tests doing `await request(...)`
+    then `await db(...)` raced the commit and saw FK violations. Fixed
+    by patching `res.json/send/end` so the trx commits/rolls back
+    *before* any byte is sent. The new flow rolls back on `res.statusCode
+    >= 500` and on `res.on('close')` if no res.* method ran.
+
+### G. New tests for multi-tenant isolation ✅ DONE
+
+`apps/api/src/__tests__/multi-tenant.test.ts` — 9 tests, all passing.
+Connects as `openpartner_app` (no BYPASSRLS) via `SET ROLE` inside the
+privileged db's transaction, then exercises the policy layer directly.
+
+Original spec preserved below for reference:
+
+- Spin up 2 tenants (`acme`, `globex`) via direct DB seed (privileged db).
+- Verify, connecting as `openpartner_app` with `app.tenant_id` set to
+  acme: cannot read globex Partner rows.
+- Verify, with `app.tenant_id` unset: cannot read any Partner rows
+  (default deny).
+- Verify, with `app.platform_admin = 'on'`: can read both tenants.
+- Verify FORCE RLS: even table owner (privileged role) is subject to
+  policies when the GUC is set.
+- Verify the WITH CHECK clause: insert with mismatched tenantId fails.
+- Verify signup: POST /signup with reserved slug → 409. With taken
+  slug → 409. With valid slug → 201 + Tenant + Admin + magic link.
+- Verify session cookies don't cross tenants: a session for tenant A
+  used on a `/t/globex/...` URL → 401.
+
+### H. Env config + ops ✅ DONE
+
+- `.env.example` add: `OPENPARTNER_TENANCY=single|multi`,
+  `OPENPARTNER_APP_DB_PASSWORD=...`, `DATABASE_URL_APP=...`.
+- `docker-compose.yml`: add an `initdb.d/` script that creates the
+  `openpartner_app` role using `OPENPARTNER_APP_DB_PASSWORD` from env.
+  Self-hosters get RLS by default in dev as a result.
+- `.do/app.yaml`: add the three new env vars, marked SECRET as needed.
+- `docs/deploy-production.md`: add a section on multi-tenant rollout.
+
+## How to resume
+
+If picking up in a fresh session, the prompt should be roughly:
+
+> Continue the multi-tenant refactor on the `multi-tenant` branch.
+> Read `docs/multi-tenant-refactor.md` first. Start with section A —
+> route refactor — and work alphabetically. Commit after each route
+> file or small group of related ones. Run typecheck after each commit.
+
+Or, more action-oriented:
+
+> Refactor `apps/api/src/routes/admins.ts` to use `req.db` and
+> `tenantOf(req)`. Update `auth-sessions.ts` to take `db: Knex` as a
+> parameter (this affects 5 callers — update them too). Verify tsc
+> passes. Then move to `apps/api/src/auth.ts`.
+
+Memory entries on the `auto-memory` system already point at this doc.
+
+## Things to watch for
+
+- **Knex transaction nesting.** The request is already in a transaction
+  via `tenantMiddleware`. `req.db.transaction(...)` works (savepoint)
+  but for most read+write groupings it's redundant — just use `req.db`
+  directly. Watch for over-zealous nesting in the refactor.
+- **Async callbacks holding the trx after response sends.** Anything
+  that calls `void db(...).update(...)` (fire and forget) needs to
+  either run synchronously inside the request or use the privileged
+  `db` so it doesn't depend on the request transaction.
+- **Migration role for in-process scheduler.** The cron jobs in
+  `scheduler.ts` (usage report, payouts) run outside any request
+  context. They should use the privileged `db` and explicitly
+  `SET LOCAL app.tenant_id` per tenant they're processing — or, more
+  cleanly, the scheduler iterates tenants and runs a transaction per
+  tenant.
+- **Existing `setConfig` callers.** Config is now `(tenantId, key)` —
+  the previous fix for jsonb serialization is fine but the API needs a
+  tenantId param now. `getConfig` likewise.
+- **`/import` and `/export` endpoints.** In multi-tenant they should
+  scope to the current tenant. In single-tenant they preserve their
+  current behavior. The mode gate is in code, not URL.
diff --git a/docs/network-protocol.md b/docs/network-protocol.md
new file mode 100644
index 0000000..c25a368
--- /dev/null
+++ b/docs/network-protocol.md
@@ -0,0 +1,215 @@
+# OpenPartner Network protocol
+
+The contract between an OpenPartner *vendor instance* (hosted tenant or
+self-hosted install) and the Network coordinator at
+`network.openpartner.dev`. The Network never shares a database with
+vendors — every interaction is REST over scoped credentials. That keeps
+data portability intact (a vendor leaving the Network loses Network
+matchmaking but keeps every Partner / Commission / Payout row) and
+keeps the Network out of the vendor's audit boundary.
+
+This doc lives in the openpartner (vendor) repo because the vendor side
+is what calls Network endpoints. The Network repo is responsible for
+implementing them.
+
+## Identities
+
+| Term | Lives in | Stable across | Notes |
+|---|---|---|---|
+| `vendorId` | Network DB | A vendor instance's lifetime | Network-issued on `/vendors/register`. |
+| `vendorPartnerId` | Vendor DB | A creator's relationship with this vendor | The `Partner.id` (ULID) on the vendor side. |
+| `networkCreatorId` | Network DB | A creator's lifetime across vendors | Email-keyed canonical identity. Same email → same id, even across tenants/vendors. |
+
+Vendors stamp `Partner.metadata.networkCreatorId` so admin UIs can show
+"this creator is on the Network" without an extra round-trip.
+
+## Auth
+
+Two credential pairs:
+
+1. **Vendor → Network** (this is what `network-client.ts` uses).
+   - Network issues a `vendorToken` on registration.
+   - Vendors send it as `Authorization: Bearer <vendorToken>` on every call.
+   - Stored encrypted in the vendor's `Config` row keyed `network_membership`.
+2. **Network → Vendor** (for matchmaking write-backs).
+   - Vendor mints a scoped key with `NETWORK_FEDERATION_SCOPES`
+     (`partners:write`, `partners:read`, `links:write`,
+     `commissions:read`) and hands it to the Network at registration.
+   - Network sends it as `Authorization: Bearer <scopedKey>` when calling
+     vendor endpoints (POST /partners, etc).
+
+Both creds are rotatable: the vendor mints a new scoped key and pushes
+it via `POST /vendors/me/rotate-callback-key`; the Network can rotate
+the vendor's bearer via `POST /vendors/me/rotate-token` returning a new
+token the vendor stores.
+
+## Endpoints (Network-side, called by vendor)
+
+### `POST /vendors/register`
+
+Vendor onboarding. Idempotent on `instanceUrl` — calling twice with the
+same URL returns the existing vendor record (with a fresh token if
+requested).
+
+```
+Headers
+  Authorization: Bearer <network-issued enrollment token>   # one-time, distributed by Network UI / dashboard
+Body
+  {
+    "instanceUrl":  "https://app.openpartner.dev/t/acme/api",   // or self-host URL + /api
+    "scopedKey":    "op_<24 hex>",                               // vendor's federation key for Network → vendor calls
+    "displayName":  "Acme Inc.",
+    "tier":         "hosted" | "self_hosted",
+    "contact":      { "email": "...", "name": "..." }
+  }
+Response 200
+  {
+    "vendorId":    "vnd_01J...",
+    "vendorToken": "vntok_<48 hex>",      // store this, send on every subsequent vendor → Network call
+    "issuedAt":    "2026-04-26T...Z"
+  }
+```
+
+Validation: `instanceUrl` must be HTTPS and reachable (Network does a
+GET `/health` from its own infra and rejects on non-200 within 5s).
+
+### `POST /partners/upsert`
+
+Called every time a vendor creates or revokes a partner (whether via
+admin invite, public `POST /partner-signup`, or federated onboarding).
+Email is the join key.
+
+```
+Headers
+  Authorization: Bearer <vendorToken>
+Body
+  {
+    "vendorPartnerId": "01J...",                  // Partner.id on the vendor side
+    "email":           "creator@example.com",
+    "name":            "Ada Creator",
+    "profile":         { ... },                   // optional, surfaced to other vendors searching
+    "joinedVendorAt":  "2026-04-26T...Z",
+    "status":          "pending" | "active" | "revoked",
+    "metadata":        { "source": "self_signup" | "admin_invite" | "backfill" }
+  }
+Response 200
+  {
+    "networkCreatorId": "crt_01J...",
+    "alreadyExisted":   true | false,             // true if Network already knew this email
+    "affiliations": [
+      { "vendorId": "vnd_...", "vendorPartnerId": "01J...", "status": "active",   "displayName": "Acme Inc." },
+      { "vendorId": "vnd_...", "vendorPartnerId": "01J...", "status": "pending",  "displayName": "Beta Co." }
+    ]
+  }
+```
+
+The `affiliations` array tells the vendor *what other programs the
+creator is in*. Vendor stores `networkCreatorId` and (optionally)
+surfaces affiliations in its admin UI ("This creator also works with
+Beta Co.").
+
+Idempotency: `(vendorId, vendorPartnerId)` is unique on the Network
+side. Re-posting the same `vendorPartnerId` updates status and bumps
+`updatedAt`.
+
+### `POST /vendors/backfill-partners`
+
+Called once when a vendor flips Network membership ON after already
+having a partner roster. Pushes existing `Partner` rows in batches.
+This is the **late-join reconciliation** path:
+
+- For partners whose email is unknown to the Network → new
+  `networkCreatorId`, single affiliation.
+- For partners whose email is already on the Network (because they
+  signed up at another Network-affiliated vendor first) → returns the
+  existing `networkCreatorId` and adds this vendor to their
+  `affiliations`. The vendor stamps `Partner.metadata.networkCreatorId`
+  + `networkPreExisting=true` so the admin can see which partners
+  already had Network presence.
+
+```
+Headers
+  Authorization: Bearer <vendorToken>
+Body
+  {
+    "partners": [
+      { "vendorPartnerId": "...", "email": "...", "name": "...", "joinedVendorAt": "...", "status": "active" },
+      ...
+    ]
+  }
+Response 200
+  {
+    "results": [
+      { "vendorPartnerId": "...", "networkCreatorId": "crt_...", "alreadyExisted": false },
+      ...
+    ]
+  }
+```
+
+Batch size: vendor sends ≤ 500 partners per call and paginates
+internally for larger rosters. Network is expected to handle this in a
+single transaction so a partial failure rolls back cleanly.
+
+### `POST /vendors/me/heartbeat`
+
+Optional liveness probe — vendor pings every 24 h with current partner
+count + last activity timestamp. Gives the Network a way to detect
+abandoned instances (and prune them from creator-facing search).
+
+```
+Headers
+  Authorization: Bearer <vendorToken>
+Body
+  { "partnerCount": 42, "lastEventAt": "2026-04-25T...Z" }
+Response 204
+```
+
+## Endpoints (Vendor-side, called by Network)
+
+These already exist in this repo, gated by `grantScope(...)`:
+
+| Network use case | Vendor endpoint | Required scope |
+|---|---|---|
+| Onboard a creator the Network matched | `POST /partners` | `partners:write` |
+| Mint a referral link for that creator | `POST /partners/:id/links` | `links:write` |
+| Show a creator their accrued earnings | `GET /partners/:id/commissions` | `commissions:read` |
+| Verify the scoped key still works | `GET /auth/introspect` | (any) |
+
+The Network uses the scoped key registered in `/vendors/register` for
+all of these. On hosted multi-tenant the URL is
+`{instanceUrl}/partners` where `instanceUrl` already includes the
+tenant path (`https://app.openpartner.dev/t/<slug>/api`).
+
+## Failure semantics
+
+Vendor → Network calls (the ones this repo makes) are **fire-and-forget
+from the request hot path**. A signup that succeeds in the vendor's DB
+must not fail because the Network is down. The vendor side:
+
+1. Tries the call with a 5s timeout.
+2. On failure, logs `[network] push failed: <reason>` and persists a
+   row in `NetworkOutbox` (a small per-vendor queue) for retry.
+3. A periodic job (in the same `scheduler.ts` cron) drains
+   `NetworkOutbox` with exponential backoff up to 24h, then drops with
+   an admin-visible alert.
+
+Network → vendor calls (the federation surface) are synchronous from
+the Network's perspective; the Network is responsible for its own retry
+on 5xx.
+
+## What this means for the openpartner-network repo
+
+Implementing this contract means building:
+
+1. Storage: `Vendor`, `Creator` (email-unique), `VendorAffiliation`
+   (vendorId × creatorId), `EnrollmentToken` (one-time, for vendor
+   registration).
+2. The four POST endpoints above.
+3. Network → vendor client (already-known shape: scoped key + REST).
+4. A vendor-facing dashboard for admins to mint enrollment tokens, see
+   live vendors, and prune abandoned ones.
+5. A creator-facing surface (search / browse vendors, see own
+   affiliations, manage profile) — but that's product, not protocol.
+
+The vendor side of this contract (this repo) will land first so the
+Network has a real client to test against.
diff --git a/packages/db/migrations/20260507000000_multi_tenant.ts b/packages/db/migrations/20260507000000_multi_tenant.ts
new file mode 100644
index 0000000..b145ee2
--- /dev/null
+++ b/packages/db/migrations/20260507000000_multi_tenant.ts
@@ -0,0 +1,188 @@
+import type { Knex } from 'knex';
+
+/**
+ * Multi-tenant foundation.
+ *
+ * One codebase, two tenancy modes:
+ *   OPENPARTNER_TENANCY=single  → self-hosters; tenantId = 'default'
+ *   OPENPARTNER_TENANCY=multi   → hosted; tenantId resolved per request
+ *
+ * Schema strategy: shared schema, tenantId column on every data table,
+ * unique-constraints scoped to (tenantId, ...) so two tenants can have a
+ * partner with the same email, an admin with the same email, etc.
+ *
+ * Backfill: every existing row gets tenantId='default'. Self-hosters
+ * upgrading via `pnpm migrate` see no behavior change — their single
+ * tenant just happens to be named 'default'.
+ *
+ * Reserved tenant slugs (cannot be claimed): default, www, api, app,
+ * admin, signup, network, dashboard, status. Reservations enforced at
+ * the application layer (POST /signup), not in the schema, so we can
+ * adjust without a migration.
+ */
+export async function up(knex: Knex): Promise<void> {
+  // ---- Tenant: the new top-level entity ---------------------------------
+  await knex.schema.createTable('Tenant', (t) => {
+    t.string('id').primary(); // ULID
+    t.string('slug').notNullable().unique(); // URL piece (acme.openpartner.app)
+    t.string('displayName').notNullable();
+    t.string('status').notNullable().defaultTo('active'); // active | suspended | cancelled
+    // Per-tenant Stripe linkage. The platform Stripe account stays single;
+    // each tenant has their own Customer + Subscription within it.
+    t.string('stripeCustomerId');
+    t.string('stripeSubscriptionId');
+    // Optional custom domain (deferred to v2 — column reserved now to avoid
+    // a follow-up migration when we wire it up).
+    t.string('customDomain').unique();
+    t.jsonb('metadata').notNullable().defaultTo('{}');
+    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
+    t.timestamp('updatedAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
+    t.timestamp('suspendedAt', { useTz: true });
+    t.index(['status']);
+  });
+
+  // Seed the 'default' tenant — used by self-hosters and as the bucket
+  // we backfill all existing rows into. Pre-existing self-host installs
+  // upgrade transparently because every legacy query starts filtering by
+  // tenantId='default' once the middleware lands.
+  await knex('Tenant').insert({
+    id: '01J0000000DEFAULTTENANT0000',
+    slug: 'default',
+    displayName: 'Default tenant',
+    status: 'active',
+    metadata: '{"createdBy":"migration","reason":"single-tenant default"}' as unknown as never,
+  });
+
+  // ---- Add tenantId to every data table, backfill, then NOT NULL --------
+  // We do this in three steps per table: add nullable column, backfill,
+  // alter to NOT NULL. Keeps the migration safe to run against a non-empty
+  // production DB without write-locking everything at once.
+  const TENANT_TABLES = [
+    'Partner',
+    'Campaign',
+    'Link',
+    'Click',
+    'Identity',
+    'Event',
+    'Attribution',
+    'Commission',
+    'Payout',
+    'ApiKey',
+    'Config',
+    'Admin',
+    'MagicLinkToken',
+    'Session',
+    'WebhookEndpoint',
+    'WebhookDelivery',
+  ];
+
+  for (const tbl of TENANT_TABLES) {
+    await knex.schema.alterTable(tbl, (t) => {
+      t.string('tenantId');
+    });
+    await knex.raw(`update "${tbl}" set "tenantId" = '01J0000000DEFAULTTENANT0000' where "tenantId" is null`);
+    await knex.schema.alterTable(tbl, (t) => {
+      t.string('tenantId').notNullable().alter();
+      t.foreign('tenantId').references('id').inTable('Tenant');
+      t.index(['tenantId']);
+    });
+  }
+
+  // ---- Re-scope unique constraints to be per-tenant ---------------------
+  // Two tenants must be able to have, e.g., a Partner with email
+  // 'alice@example.com'. Drop the original global uniques, replace with
+  // (tenantId, ...) composite uniques.
+
+  // Partner.email global → per-tenant
+  await knex.schema.alterTable('Partner', (t) => {
+    t.dropUnique(['email']);
+    t.unique(['tenantId', 'email']);
+  });
+
+  // Admin.email global → per-tenant
+  await knex.schema.alterTable('Admin', (t) => {
+    t.dropUnique(['email']);
+    t.unique(['tenantId', 'email']);
+  });
+
+  // Link.linkKey global → per-tenant. The router resolves a click by
+  // (host, linkKey) anyway; the host gives us tenant.
+  await knex.schema.alterTable('Link', (t) => {
+    t.dropUnique(['linkKey']);
+    t.unique(['tenantId', 'linkKey']);
+  });
+
+  // Config.key global → per-tenant. This is a real shape change for
+  // self-hosters but the migration backfills everything to 'default' so
+  // their existing config keys keep working.
+  await knex.schema.alterTable('Config', (t) => {
+    t.dropPrimary();
+    t.primary(['tenantId', 'key']);
+  });
+
+  // ApiKey.keyHash global → per-tenant. A hash collision across tenants
+  // is astronomically unlikely; the constraint just makes the intent
+  // explicit and lets us scope queries cleanly.
+  await knex.schema.alterTable('ApiKey', (t) => {
+    // ApiKey doesn't have a global unique on keyHash in the existing
+    // schema (it relies on the random length to avoid collisions), so
+    // there's nothing to drop. Add a per-tenant index for fast lookup.
+    t.index(['tenantId', 'keyHash']);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  // Reversing means: restore the original global uniques, drop the
+  // per-tenant composite uniques, drop tenantId columns, drop Tenant.
+  // Self-hosters with a single 'default' tenant land back where they
+  // started; multi-tenant deployments lose isolation (don't run this in
+  // production multi-tenant mode without a separate data audit).
+
+  await knex.schema.alterTable('ApiKey', (t) => {
+    t.dropIndex(['tenantId', 'keyHash']);
+  });
+  await knex.schema.alterTable('Config', (t) => {
+    t.dropPrimary();
+    t.primary(['key']);
+  });
+  await knex.schema.alterTable('Link', (t) => {
+    t.dropUnique(['tenantId', 'linkKey']);
+    t.unique(['linkKey']);
+  });
+  await knex.schema.alterTable('Admin', (t) => {
+    t.dropUnique(['tenantId', 'email']);
+    t.unique(['email']);
+  });
+  await knex.schema.alterTable('Partner', (t) => {
+    t.dropUnique(['tenantId', 'email']);
+    t.unique(['email']);
+  });
+
+  const TENANT_TABLES = [
+    'WebhookDelivery',
+    'WebhookEndpoint',
+    'Session',
+    'MagicLinkToken',
+    'Admin',
+    'Config',
+    'ApiKey',
+    'Payout',
+    'Commission',
+    'Attribution',
+    'Event',
+    'Identity',
+    'Click',
+    'Link',
+    'Campaign',
+    'Partner',
+  ];
+  for (const tbl of TENANT_TABLES) {
+    await knex.schema.alterTable(tbl, (t) => {
+      t.dropForeign(['tenantId']);
+      t.dropIndex(['tenantId']);
+      t.dropColumn('tenantId');
+    });
+  }
+
+  await knex.schema.dropTableIfExists('Tenant');
+}
diff --git a/packages/db/migrations/20260507010000_rls_policies.ts b/packages/db/migrations/20260507010000_rls_policies.ts
new file mode 100644
index 0000000..131c42e
--- /dev/null
+++ b/packages/db/migrations/20260507010000_rls_policies.ts
@@ -0,0 +1,146 @@
+import type { Knex } from 'knex';
+
+/**
+ * Row-Level Security: defense-in-depth for tenant isolation.
+ *
+ * Application middleware sets `app.tenant_id` per request via SET LOCAL
+ * inside a transaction. Every data table has a policy that filters rows
+ * to that GUC value. Even if a developer forgets a `WHERE tenantId = ?`
+ * filter, RLS returns 0 rows.
+ *
+ * FORCE ROW LEVEL SECURITY is critical: without it, the table owner
+ * (the role running migrations and queries) bypasses policies. With
+ * FORCE, even the owner is subject to RLS at runtime. Migrations bypass
+ * via `SET row_security = off` set by the migration runner.
+ *
+ * Platform admin escape hatch: app.platform_admin = 'on' GUC matches
+ * any tenantId. Used by Coherence support tooling to read across tenants
+ * for triage. Set via SET LOCAL just like app.tenant_id, only by
+ * authenticated PlatformAdmin requests.
+ *
+ * Policy semantics:
+ *   USING       — filter on SELECT/UPDATE/DELETE
+ *   WITH CHECK  — verify on INSERT/UPDATE that the new row is in scope
+ *
+ * We use the same predicate for both so writes can't introduce rows
+ * outside the current tenant.
+ */
+export async function up(knex: Knex): Promise<void> {
+  // PlatformAdmin: separate from tenant-scoped Admin. No tenantId column;
+  // these are Coherence support staff with cross-tenant read (or write,
+  // for role='admin') access. Stored separately to make the boundary
+  // explicit — a regular Admin can never become platform-scoped without
+  // an explicit row in this table.
+  await knex.schema.createTable('PlatformAdmin', (t) => {
+    t.string('id').primary();
+    t.string('email').notNullable().unique();
+    t.string('name').notNullable();
+    t.string('role').notNullable().defaultTo('support'); // 'support' | 'admin'
+    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
+    t.timestamp('revokedAt', { useTz: true });
+  });
+
+  // Tables that get RLS. PlatformAdmin and Tenant are explicitly excluded
+  // — they're cross-tenant by design. knex_migrations is also excluded;
+  // the migration runner needs unrestricted access.
+  const TENANT_TABLES = [
+    'Partner',
+    'Campaign',
+    'Link',
+    'Click',
+    'Identity',
+    'Event',
+    'Attribution',
+    'Commission',
+    'Payout',
+    'ApiKey',
+    'Config',
+    'Admin',
+    'MagicLinkToken',
+    'Session',
+    'WebhookEndpoint',
+    'WebhookDelivery',
+  ];
+
+  // Policy predicate: row's tenantId matches the per-request GUC, OR
+  // the platform-admin override is on. Wrapped in COALESCE so an unset
+  // GUC returns NULL rather than erroring (current_setting raises by
+  // default for unknown names).
+  const policySql = (table: string) => `
+    create policy tenant_isolation on "${table}"
+      using (
+        "tenantId" = current_setting('app.tenant_id', true)
+        or current_setting('app.platform_admin', true) = 'on'
+      )
+      with check (
+        "tenantId" = current_setting('app.tenant_id', true)
+        or current_setting('app.platform_admin', true) = 'on'
+      )
+  `;
+
+  for (const tbl of TENANT_TABLES) {
+    await knex.raw(`alter table "${tbl}" enable row level security`);
+    await knex.raw(`alter table "${tbl}" force row level security`);
+    await knex.raw(policySql(tbl));
+  }
+
+  // Tenant table: only platform admins read across tenants. The app
+  // doesn't need to read other tenants' rows; tenancy middleware looks
+  // up the current tenant explicitly via app.tenant_id resolution.
+  // Allow reads where id matches app.tenant_id (so a tenant can see its
+  // own row) or platform_admin is on.
+  await knex.raw(`alter table "Tenant" enable row level security`);
+  await knex.raw(`alter table "Tenant" force row level security`);
+  await knex.raw(`
+    create policy tenant_self on "Tenant"
+      using (
+        id = current_setting('app.tenant_id', true)
+        or current_setting('app.platform_admin', true) = 'on'
+      )
+      with check (
+        id = current_setting('app.tenant_id', true)
+        or current_setting('app.platform_admin', true) = 'on'
+      )
+  `);
+
+  // PlatformAdmin: only readable when platform_admin GUC is on. This
+  // prevents a leaky query path from disclosing the support staff list
+  // to a tenant.
+  await knex.raw(`alter table "PlatformAdmin" enable row level security`);
+  await knex.raw(`alter table "PlatformAdmin" force row level security`);
+  await knex.raw(`
+    create policy platform_admin_self on "PlatformAdmin"
+      using (current_setting('app.platform_admin', true) = 'on')
+      with check (current_setting('app.platform_admin', true) = 'on')
+  `);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const TENANT_TABLES = [
+    'Partner',
+    'Campaign',
+    'Link',
+    'Click',
+    'Identity',
+    'Event',
+    'Attribution',
+    'Commission',
+    'Payout',
+    'ApiKey',
+    'Config',
+    'Admin',
+    'MagicLinkToken',
+    'Session',
+    'WebhookEndpoint',
+    'WebhookDelivery',
+  ];
+  for (const tbl of TENANT_TABLES) {
+    await knex.raw(`drop policy if exists tenant_isolation on "${tbl}"`);
+    await knex.raw(`alter table "${tbl}" disable row level security`);
+  }
+  await knex.raw('drop policy if exists tenant_self on "Tenant"');
+  await knex.raw('alter table "Tenant" disable row level security');
+  await knex.raw('drop policy if exists platform_admin_self on "PlatformAdmin"');
+  await knex.raw('alter table "PlatformAdmin" disable row level security');
+  await knex.schema.dropTableIfExists('PlatformAdmin');
+}
diff --git a/packages/db/migrations/20260507020000_app_role.ts b/packages/db/migrations/20260507020000_app_role.ts
new file mode 100644
index 0000000..63a979f
--- /dev/null
+++ b/packages/db/migrations/20260507020000_app_role.ts
@@ -0,0 +1,106 @@
+import type { Knex } from 'knex';
+
+/**
+ * Provision a non-superuser app role that's actually subject to RLS.
+ *
+ * Postgres bypasses RLS for superusers and BYPASSRLS roles regardless
+ * of FORCE ROW LEVEL SECURITY on the table. So RLS only protects when
+ * the app connects as a role that has neither flag.
+ *
+ * This migration creates `openpartner_app` if it doesn't exist, grants
+ * it DML on all tenanted tables, and sets it as the role the app uses
+ * at runtime (via the OPENPARTNER_APP_DB_PASSWORD env var).
+ *
+ * Migrations continue running as the cluster role (doadmin in DO,
+ * `openpartner` in dev docker-compose) — that's the role with the
+ * privileges to run DDL.
+ *
+ * If OPENPARTNER_APP_DB_PASSWORD is unset, the migration is skipped
+ * with a notice. Self-host installs that don't need RLS isolation can
+ * leave it unset and run the app as the same role as migrations
+ * (RLS is bypassed but app-level tenantId filtering still applies).
+ */
+export async function up(knex: Knex): Promise<void> {
+  const password = process.env.OPENPARTNER_APP_DB_PASSWORD;
+  if (!password) {
+    console.log('[migrate] OPENPARTNER_APP_DB_PASSWORD unset — skipping app-role provisioning');
+    console.log('[migrate]   App will run as the migration role; RLS will be bypassed (superuser).');
+    console.log('[migrate]   Set OPENPARTNER_APP_DB_PASSWORD on next migrate to enable RLS enforcement.');
+    return;
+  }
+
+  // Postgres role-management statements don't accept parameter binds — we
+  // have to inline. Reject anything that could break out of the literal.
+  if (!/^[A-Za-z0-9_\-!@#$%^&*+=.,:?/]+$/.test(password)) {
+    throw new Error(
+      'OPENPARTNER_APP_DB_PASSWORD contains characters that are not safe to inline in CREATE ROLE',
+    );
+  }
+  const literal = `'${password}'`;
+
+  // Idempotent: CREATE ROLE will fail if it exists; check first.
+  const existing = (await knex.raw(`select 1 from pg_roles where rolname = 'openpartner_app'`)) as {
+    rows: unknown[];
+  };
+  if (existing.rows.length === 0) {
+    await knex.raw(`create role openpartner_app login password ${literal}`);
+  } else {
+    await knex.raw(`alter role openpartner_app password ${literal}`);
+  }
+
+  // Grant connect + schema usage.
+  const dbName = (await knex.raw('select current_database() as n')).rows[0].n as string;
+  await knex.raw(`grant connect on database "${dbName}" to openpartner_app`);
+  await knex.raw('grant usage on schema public to openpartner_app');
+
+  // Grant DML on all tenanted tables. The app needs SELECT/INSERT/UPDATE/DELETE
+  // — DDL stays with the migration role.
+  const TENANT_TABLES = [
+    'Tenant', // app reads its own tenant via RLS
+    'Partner',
+    'Campaign',
+    'Link',
+    'Click',
+    'Identity',
+    'Event',
+    'Attribution',
+    'Commission',
+    'Payout',
+    'ApiKey',
+    'Config',
+    'Admin',
+    'MagicLinkToken',
+    'Session',
+    'WebhookEndpoint',
+    'WebhookDelivery',
+    'PlatformAdmin',
+  ];
+  for (const tbl of TENANT_TABLES) {
+    await knex.raw(`grant select, insert, update, delete on "${tbl}" to openpartner_app`);
+  }
+
+  // Sequences are also needed if any table uses serial/identity columns.
+  // None of ours do (we use ULIDs as strings), but leave the grant for
+  // future tables.
+  await knex.raw('grant usage on all sequences in schema public to openpartner_app');
+
+  // Set GUC permissions: openpartner_app needs to be able to set
+  // app.tenant_id and app.platform_admin via SET LOCAL. Custom GUCs are
+  // settable by any role by default; explicit grant not required.
+
+  console.log('[migrate] openpartner_app role ready; configure DATABASE_URL to use it.');
+}
+
+export async function down(knex: Knex): Promise<void> {
+  const exists = (await knex.raw(`select 1 from pg_roles where rolname = 'openpartner_app'`)) as {
+    rows: unknown[];
+  };
+  if (exists.rows.length === 0) return;
+  // Drop the role's privileges first, then the role itself.
+  const dbName = (await knex.raw('select current_database() as n')).rows[0].n as string;
+  await knex.raw(`revoke all privileges on all tables in schema public from openpartner_app`);
+  await knex.raw(`revoke all privileges on all sequences in schema public from openpartner_app`);
+  await knex.raw(`revoke all privileges on database "${dbName}" from openpartner_app`);
+  await knex.raw(`revoke usage on schema public from openpartner_app`);
+  await knex.raw(`drop role if exists openpartner_app`);
+}
diff --git a/packages/db/migrations/20260508000000_network_outbox.ts b/packages/db/migrations/20260508000000_network_outbox.ts
new file mode 100644
index 0000000..1fbb9d1
--- /dev/null
+++ b/packages/db/migrations/20260508000000_network_outbox.ts
@@ -0,0 +1,69 @@
+import type { Knex } from 'knex';
+
+/**
+ * NetworkOutbox: durable retry queue for vendor → Network pushes.
+ *
+ * Vendor → Network calls (creator upsert on signup, revoke, backfill
+ * batches) must never fail a vendor request when the Network is down.
+ * On HTTP failure we enqueue a row here; the in-process scheduler
+ * drains the queue with exponential backoff.
+ *
+ * Per-tenant: each outbox row carries the tenantId so a hosted
+ * deployment with N tenants doesn't entangle their retries. Drained
+ * by the scheduler iterating active tenants.
+ */
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.createTable('NetworkOutbox', (t) => {
+    t.string('id').primary(); // ULID
+    t.string('tenantId').notNullable();
+    t.foreign('tenantId').references('id').inTable('Tenant');
+    // Operation kind: 'partner_upsert' | 'partner_revoke' | 'backfill_partner'
+    // Backfill is a single partner row (we batch on send, not on enqueue,
+    // so the outbox row size stays bounded).
+    t.string('op').notNullable();
+    // Full request payload; the drainer rebuilds the HTTP call from this
+    // so we don't depend on the Partner row still existing at drain time
+    // (it might have been hard-deleted by then).
+    t.jsonb('payload').notNullable();
+    t.integer('attempts').notNullable().defaultTo(0);
+    t.timestamp('nextAttemptAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
+    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
+    t.timestamp('lastAttemptAt', { useTz: true });
+    t.text('lastError');
+    // 'pending' (next try due), 'dead' (gave up after max attempts)
+    t.string('status').notNullable().defaultTo('pending');
+    t.index(['tenantId', 'status', 'nextAttemptAt']);
+  });
+
+  // RLS: same per-tenant pattern as the rest of the data model.
+  await knex.raw(`alter table "NetworkOutbox" enable row level security`);
+  await knex.raw(`alter table "NetworkOutbox" force row level security`);
+  await knex.raw(`
+    create policy tenant_isolation on "NetworkOutbox"
+      using (
+        "tenantId" = current_setting('app.tenant_id', true)
+        or current_setting('app.platform_admin', true) = 'on'
+      )
+      with check (
+        "tenantId" = current_setting('app.tenant_id', true)
+        or current_setting('app.platform_admin', true) = 'on'
+      )
+  `);
+
+  // App-role grants. Idempotent — if openpartner_app doesn't exist
+  // (unset password), this is a no-op via DO block.
+  await knex.raw(`
+    do $$
+    begin
+      if exists (select 1 from pg_roles where rolname = 'openpartner_app') then
+        execute 'grant select, insert, update, delete on "NetworkOutbox" to openpartner_app';
+      end if;
+    end
+    $$;
+  `);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.raw(`drop policy if exists tenant_isolation on "NetworkOutbox"`);
+  await knex.schema.dropTableIfExists('NetworkOutbox');
+}
diff --git a/packages/db/scripts/migrate.ts b/packages/db/scripts/migrate.ts
index ad5f8df..b959969 100644
--- a/packages/db/scripts/migrate.ts
+++ b/packages/db/scripts/migrate.ts
@@ -12,6 +12,12 @@ async function main(): Promise<void> {
   const sub = process.argv[2] ?? 'latest';
   const db = knex(config[process.env.NODE_ENV === 'production' ? 'production' : 'development']!);
 
+  // Migrations modify schema and seed data across tenants — they must
+  // bypass RLS. `SET row_security = off` disables policies for this
+  // session. afterCreate runs once per pooled connection, which works
+  // because migrations use a single connection from the pool.
+  await db.raw('set row_security = off');
+
   try {
     if (sub === 'latest') {
       const [batch, files] = await db.migrate.latest();
diff --git a/packages/db/src/index.ts b/packages/db/src/index.ts
index c2fca4d..105b65a 100644
--- a/packages/db/src/index.ts
+++ b/packages/db/src/index.ts
@@ -12,6 +12,17 @@ export interface DbConfig {
   connectionString: string;
   poolMin?: number;
   poolMax?: number;
+  /**
+   * If true, every connection in the pool sets `row_security = off` on
+   * acquire. Use for the privileged "admin" pool (cross-tenant work:
+   * signup, stripe webhook tenant resolution, metrics, scheduler,
+   * platform tooling, migrations). The role must be the table owner
+   * or have BYPASSRLS for this to work.
+   *
+   * Leave false for the app pool (`appDb`); RLS engagement is the
+   * whole point of that connection.
+   */
+  bypassRls?: boolean;
 }
 
 export function createDb(config: DbConfig): Knex {
@@ -22,12 +33,27 @@ export function createDb(config: DbConfig): Knex {
     pool: {
       min: config.poolMin ?? 2,
       max: config.poolMax ?? 10,
+      ...(config.bypassRls
+        ? {
+            // afterCreate runs once per pooled connection. We disable
+            // row_security so cross-tenant queries on this pool aren't
+            // silently filtered to zero rows by FORCE RLS policies.
+            afterCreate: (
+              conn: { query: (sql: string, cb: (err: Error | null) => void) => void },
+              done: (err: Error | null, conn: unknown) => void,
+            ) => {
+              conn.query('set session row_security = off', (err) => done(err, conn));
+            },
+          }
+        : {}),
     },
   });
 }
 
 // Table name constants — import these instead of hardcoding strings.
 export const TABLES = {
+  Tenant: 'Tenant',
+  PlatformAdmin: 'PlatformAdmin',
   Partner: 'Partner',
   Campaign: 'Campaign',
   Link: 'Link',
@@ -44,4 +70,5 @@ export const TABLES = {
   Session: 'Session',
   WebhookEndpoint: 'WebhookEndpoint',
   WebhookDelivery: 'WebhookDelivery',
+  NetworkOutbox: 'NetworkOutbox',
 } as const;
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index 92f347d..90bf565 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -6,6 +6,28 @@
  * between hosted and self-hosted tractable. If you add a column, update both.
  */
 
+/**
+ * Tenant: the top-level isolation boundary in multi-tenant deployments.
+ * In single-tenant (self-host) mode, every row's tenantId is the seeded
+ * 'default' tenant, so the same code paths work without changes.
+ */
+export interface TenantRow {
+  id: string;
+  slug: string;
+  displayName: string;
+  status: 'active' | 'suspended' | 'cancelled';
+  stripeCustomerId: string | null;
+  stripeSubscriptionId: string | null;
+  customDomain: string | null;
+  metadata: Record<string, unknown>;
+  createdAt: Date;
+  updatedAt: Date;
+  suspendedAt: Date | null;
+}
+
+/** ID of the seeded default tenant — used in single-host mode and during migration backfills. */
+export const DEFAULT_TENANT_ID = '01J0000000DEFAULTTENANT0000';
+
 export type CommissionRule =
   | { type: 'percent'; value: number; recurring?: boolean }
   | { type: 'fixed'; value: number; currency?: string; recurring?: boolean };
@@ -20,6 +42,7 @@ export type PayoutMethod = 'stripe_connect' | 'manual' | 'external';
 
 export interface PartnerRow {
   id: string;
+  tenantId: string;
   email: string;
   name: string;
   stripeConnectAccountId: string | null;
@@ -46,6 +69,7 @@ export type PrincipalKind = 'partner' | 'admin';
 
 export interface MagicLinkTokenRow {
   id: string;
+  tenantId: string;
   prefix: string;
   tokenHash: string;
   email: string;
@@ -59,6 +83,7 @@ export interface MagicLinkTokenRow {
 
 export interface SessionRow {
   id: string;
+  tenantId: string;
   prefix: string;
   tokenHash: string;
   principalKind: PrincipalKind;
@@ -71,6 +96,7 @@ export interface SessionRow {
 
 export interface AdminRow {
   id: string;
+  tenantId: string;
   email: string;
   name: string;
   activatedAt: Date | null;
@@ -81,8 +107,25 @@ export interface AdminRow {
   updatedAt: Date;
 }
 
+/**
+ * Platform admins are Coherence support staff who can read across all
+ * tenants for triage / debugging. Stored separately from tenant-scoped
+ * Admins. Their requests set `app.platform_admin = 'on'`, which RLS
+ * policies treat as a wildcard match.
+ */
+export interface PlatformAdminRow {
+  id: string;
+  email: string;
+  name: string;
+  /** Restrict scope: 'support' = read-only, 'admin' = read+write across tenants. */
+  role: 'support' | 'admin';
+  createdAt: Date;
+  revokedAt: Date | null;
+}
+
 export interface CampaignRow {
   id: string;
+  tenantId: string;
   name: string;
   commissionRule: CommissionRule;
   attributionWindowDays: number;
@@ -92,6 +135,7 @@ export interface CampaignRow {
 
 export interface LinkRow {
   id: string;
+  tenantId: string;
   linkKey: string;
   partnerId: string;
   campaignId: string;
@@ -103,6 +147,7 @@ export type ClickFraudFlag = 'velocity' | 'manual' | 'revoked' | null;
 
 export interface ClickRow {
   id: string;
+  tenantId: string;
   linkId: string;
   partnerId: string;
   campaignId: string;
@@ -116,6 +161,7 @@ export interface ClickRow {
 
 export interface IdentityRow {
   id: string;
+  tenantId: string;
   clickId: string;
   userId: string;
   stitchedAt: Date;
@@ -130,6 +176,7 @@ export type EventType =
 
 export interface EventRow {
   id: string;
+  tenantId: string;
   userId: string;
   type: EventType;
   value: string | null; // decimal comes back as string from pg
@@ -141,6 +188,7 @@ export interface EventRow {
 
 export interface AttributionRow {
   id: string;
+  tenantId: string;
   eventId: string;
   partnerId: string;
   campaignId: string;
@@ -152,6 +200,7 @@ export interface AttributionRow {
 
 export interface CommissionRow {
   id: string;
+  tenantId: string;
   attributionId: string;
   partnerId: string;
   amount: string; // decimal as string
@@ -163,6 +212,7 @@ export interface CommissionRow {
 }
 
 export interface ConfigRow {
+  tenantId: string;
   key: string;
   value: unknown;
   updatedAt: Date;
@@ -178,6 +228,7 @@ export type ApiScope =
 
 export interface ApiKeyRow {
   id: string;
+  tenantId: string;
   prefix: string;
   keyHash: string;
   partnerId: string | null;
@@ -200,6 +251,7 @@ export type WebhookEventType =
 
 export interface WebhookEndpointRow {
   id: string;
+  tenantId: string;
   url: string;
   secretPrefix: string;
   secret: string;
@@ -214,6 +266,7 @@ export type WebhookDeliveryStatus = 'pending' | 'delivered' | 'failed';
 
 export interface WebhookDeliveryRow {
   id: string;
+  tenantId: string;
   endpointId: string;
   eventId: string;
   eventType: WebhookEventType;
@@ -229,6 +282,7 @@ export interface WebhookDeliveryRow {
 
 export interface PayoutRow {
   id: string;
+  tenantId: string;
   partnerId: string;
   amount: string;
   currency: string;
@@ -239,3 +293,19 @@ export interface PayoutRow {
   createdAt: Date;
   completedAt: Date | null;
 }
+
+export type NetworkOutboxOp = 'partner_upsert' | 'partner_revoke' | 'backfill_partner';
+export type NetworkOutboxStatus = 'pending' | 'dead';
+
+export interface NetworkOutboxRow {
+  id: string;
+  tenantId: string;
+  op: NetworkOutboxOp;
+  payload: Record<string, unknown>;
+  attempts: number;
+  nextAttemptAt: Date;
+  createdAt: Date;
+  lastAttemptAt: Date | null;
+  lastError: string | null;
+  status: NetworkOutboxStatus;
+}

From cc8149f1e5fa623d96e431bb21fbb158dda69436 Mon Sep 17 00:00:00 2001
From: Keith <keith.fawcett@gmail.com>
Date: Mon, 27 Apr 2026 12:02:31 -0700
Subject: [PATCH 030/131] feat(network): aggregate + report Network-originated
 payout volume (#13)

Closes the metering loop on the 3% Network fee. Previously the
openpartner main repo stamped Partner.metadata.network.creatorId
when a partner came through the Network, but never aggregated the
resulting payouts or surfaced them to anyone. The Network's billing
charged the flat $29 only.

usage-billing.ts: aggregateNetworkOriginatedPayouts(db, since, until)
sums Payout.amount where Payout.status='paid' AND
Partner.metadata.network.creatorId is not null AND completedAt is in
window (since, until]. Tenant scope provided by the caller.

network-client.ts: reportNetworkPayoutsToNetwork(db, tenantId)
- Loads network_membership; bails reason='network_not_configured' if
  not enabled.
- Aggregates the period's total via the helper above, keyed off a
  Config high-water mark (CONFIG_KEYS.LastNetworkPayoutsReportedAt).
- POSTs { amountUsd, sinceIso, untilIso } to the Network's
  /vendors/me/report-payouts with the vendor token bearer.
- On 2xx, advances the high-water mark. On Network failure, leaves
  the mark untouched so the next tick re-includes the same payouts;
  the Network's identifier dedups at Stripe.
- On amount=0, advances the mark anyway (don't re-scan empty windows).

scheduler.ts: new cron 'network-payouts-report' at 03:30 UTC daily,
per active tenant via the existing forEachActiveTenant iterator.
Sits alongside usage-report (03:15) so they don't compete for the
same window.

config.ts: CONFIG_KEYS.LastNetworkPayoutsReportedAt added.

Tests (src/__tests__/network-payouts-report.test.ts, 8 cases) spin up
a local HTTP receiver acting as the Network endpoint. Cover:
- aggregateNetworkOriginatedPayouts:
  - sums only paid payouts on Network-flagged Partners
  - excludes pending; excludes payouts on direct partners
  - respects (since, until] bounds
- reportNetworkPayoutsToNetwork:
  - skips when membership not enabled
  - zero amount: skip + advance mark
  - happy path: right total, right bearer, mark advances
  - Network 5xx: NO mark advance (so retry catches it)
  - Subsequent run only includes new payouts (mark works)

90/90 vendor-side tests still pass.

Co-authored-by: Keith Fawcett <keith@brightyard.co>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../__tests__/network-payouts-report.test.ts  | 236 ++++++++++++++++++
 apps/api/src/config.ts                        |   4 +
 apps/api/src/network-client.ts                |  83 ++++++
 apps/api/src/scheduler.ts                     |   9 +-
 apps/api/src/usage-billing.ts                 |  27 ++
 5 files changed, 358 insertions(+), 1 deletion(-)
 create mode 100644 apps/api/src/__tests__/network-payouts-report.test.ts

diff --git a/apps/api/src/__tests__/network-payouts-report.test.ts b/apps/api/src/__tests__/network-payouts-report.test.ts
new file mode 100644
index 0000000..18a0737
--- /dev/null
+++ b/apps/api/src/__tests__/network-payouts-report.test.ts
@@ -0,0 +1,236 @@
+/**
+ * Vendor-side Network payout aggregation + report-to-Network flow.
+ *
+ * Spins up a local HTTP receiver acting as the Network's
+ * /vendors/me/report-payouts endpoint, configures network_membership,
+ * seeds Payout + Partner rows (some Network-originated, some not),
+ * and verifies aggregateNetworkOriginatedPayouts + the
+ * reportNetworkPayoutsToNetwork glue.
+ *
+ * Skipped if DATABASE_URL isn't set.
+ */
+
+import { createServer, type Server } from 'node:http';
+import type { AddressInfo } from 'node:net';
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest';
+import { ulid } from 'ulid';
+import { DEFAULT_TENANT_ID, TABLES } from '@openpartner/db';
+import { db } from '../db.js';
+import { aggregateNetworkOriginatedPayouts } from '../usage-billing.js';
+import { reportNetworkPayoutsToNetwork } from '../network-client.js';
+import { encryptSecret } from '../crypto.js';
+import { CONFIG_KEYS, getConfig } from '../config.js';
+
+process.env.OPENPARTNER_MODE = process.env.OPENPARTNER_MODE ?? 'selfhost';
+process.env.OPENPARTNER_TENANCY = process.env.OPENPARTNER_TENANCY ?? 'single';
+process.env.PORTAL_URL = process.env.PORTAL_URL ?? 'http://localhost:5673';
+
+const skipIntegration = !process.env.DATABASE_URL || process.env.INTEGRATION === 'skip';
+
+interface ReceivedPayout {
+  amountUsd: number;
+  sinceIso: string | null;
+  untilIso: string;
+  authorization: string | undefined;
+}
+
+let receiver: Server;
+let receiverUrl: string;
+const received: ReceivedPayout[] = [];
+let mockResponse: { status: number; body: unknown } = { status: 202, body: { accepted: true } };
+
+beforeAll(async () => {
+  if (skipIntegration) return;
+  await db.raw('select 1');
+  await new Promise<void>((resolve) => {
+    receiver = createServer((req, res) => {
+      const chunks: Buffer[] = [];
+      req.on('data', (c) => chunks.push(c));
+      req.on('end', () => {
+        const body = chunks.length ? JSON.parse(Buffer.concat(chunks).toString('utf8')) : null;
+        if (req.url === '/vendors/me/report-payouts' && req.method === 'POST') {
+          received.push({
+            amountUsd: (body as { amountUsd: number }).amountUsd,
+            sinceIso: (body as { sinceIso: string | null }).sinceIso,
+            untilIso: (body as { untilIso: string }).untilIso,
+            authorization: req.headers.authorization,
+          });
+        }
+        res.writeHead(mockResponse.status, { 'content-type': 'application/json' });
+        res.end(JSON.stringify(mockResponse.body));
+      });
+    }).listen(0, '127.0.0.1', () => {
+      const addr = receiver.address() as AddressInfo;
+      receiverUrl = `http://127.0.0.1:${addr.port}`;
+      resolve();
+    });
+  });
+});
+
+afterAll(async () => {
+  if (receiver) await new Promise<void>((r) => receiver.close(() => r()));
+  await db.destroy();
+});
+
+const TABLES_TO_CLEAN = [
+  TABLES.Payout,
+  TABLES.Partner,
+  TABLES.Config,
+];
+
+beforeEach(async () => {
+  if (skipIntegration) return;
+  for (const t of TABLES_TO_CLEAN) {
+    await db(t).whereIn('tenantId', [DEFAULT_TENANT_ID]).del();
+  }
+  received.length = 0;
+  mockResponse = { status: 202, body: { accepted: true } };
+});
+
+async function configureNetwork(opts: { enabled: boolean; url?: string }): Promise<void> {
+  const value = {
+    enabled: opts.enabled,
+    networkUrl: opts.url ?? receiverUrl,
+    vendorTokenCiphertext: encryptSecret('vntok_test'),
+    scopedKeyId: null,
+    autoEnroll: true,
+  };
+  await db(TABLES.Config)
+    .insert({ tenantId: DEFAULT_TENANT_ID, key: 'network_membership', value: value as unknown as never, updatedAt: new Date() })
+    .onConflict(['tenantId', 'key'])
+    .merge({ value: value as unknown as never, updatedAt: new Date() });
+}
+
+async function seedPartner(opts: { id?: string; networkCreatorId: string | null }): Promise<string> {
+  const id = opts.id ?? ulid();
+  const metadata = opts.networkCreatorId
+    ? { network: { creatorId: opts.networkCreatorId, preExisting: false, syncedAt: new Date().toISOString() } }
+    : {};
+  await db(TABLES.Partner).insert({
+    id,
+    tenantId: DEFAULT_TENANT_ID,
+    email: `${id}@example.test`,
+    name: 'P',
+    metadata: metadata as unknown as never,
+    activatedAt: new Date(),
+  });
+  return id;
+}
+
+async function seedPayout(opts: {
+  partnerId: string;
+  amount: number;
+  status: 'paid' | 'pending' | 'failed';
+  completedAt?: Date | null;
+}): Promise<void> {
+  await db(TABLES.Payout).insert({
+    id: ulid(),
+    tenantId: DEFAULT_TENANT_ID,
+    partnerId: opts.partnerId,
+    amount: opts.amount.toFixed(2),
+    currency: 'USD',
+    method: 'manual',
+    status: opts.status,
+    metadata: {} as unknown as never,
+    completedAt: opts.completedAt ?? (opts.status === 'paid' ? new Date() : null),
+  });
+}
+
+describe.skipIf(skipIntegration)('aggregateNetworkOriginatedPayouts', () => {
+  it('sums only paid payouts whose Partner has metadata.network.creatorId', async () => {
+    const networkPartner = await seedPartner({ networkCreatorId: 'crt_alice' });
+    const directPartner = await seedPartner({ networkCreatorId: null });
+    await seedPayout({ partnerId: networkPartner, amount: 100, status: 'paid' });
+    await seedPayout({ partnerId: networkPartner, amount: 250, status: 'paid' });
+    // Pending: doesn't count.
+    await seedPayout({ partnerId: networkPartner, amount: 999, status: 'pending', completedAt: null });
+    // Direct partner: doesn't count even if paid.
+    await seedPayout({ partnerId: directPartner, amount: 500, status: 'paid' });
+
+    const total = await aggregateNetworkOriginatedPayouts(db, null, new Date());
+    expect(total).toBe(350);
+  });
+
+  it('respects since (exclusive) + until (inclusive) bounds', async () => {
+    const p = await seedPartner({ networkCreatorId: 'crt_x' });
+    const earlier = new Date(Date.now() - 60_000);
+    const later = new Date();
+    await seedPayout({ partnerId: p, amount: 50, status: 'paid', completedAt: earlier });
+    await seedPayout({ partnerId: p, amount: 75, status: 'paid', completedAt: later });
+
+    // Window: (earlier, later] — first payout is excluded by since.
+    const total = await aggregateNetworkOriginatedPayouts(db, earlier, later);
+    expect(total).toBe(75);
+  });
+
+  it('returns 0 when no payouts in range', async () => {
+    const total = await aggregateNetworkOriginatedPayouts(db, null, new Date());
+    expect(total).toBe(0);
+  });
+});
+
+describe.skipIf(skipIntegration)('reportNetworkPayoutsToNetwork', () => {
+  it('skips when network membership not enabled', async () => {
+    // No config row → reason='network_not_configured'.
+    const r = await reportNetworkPayoutsToNetwork(db, DEFAULT_TENANT_ID);
+    expect(r.reported).toBe(false);
+    expect(r.reason).toBe('network_not_configured');
+    expect(received).toHaveLength(0);
+  });
+
+  it('skips + advances high-water mark when amount is zero', async () => {
+    await configureNetwork({ enabled: true });
+    const r = await reportNetworkPayoutsToNetwork(db, DEFAULT_TENANT_ID);
+    expect(r.reported).toBe(false);
+    expect(r.reason).toBe('no_network_payouts_in_range');
+    expect(r.amountUsd).toBe(0);
+    // High-water mark advanced.
+    const mark = await getConfig<string>(db, DEFAULT_TENANT_ID, CONFIG_KEYS.LastNetworkPayoutsReportedAt);
+    expect(mark).toBeTruthy();
+  });
+
+  it('reports the right total + sets bearer + advances high-water mark on success', async () => {
+    await configureNetwork({ enabled: true });
+    const p = await seedPartner({ networkCreatorId: 'crt_z' });
+    await seedPayout({ partnerId: p, amount: 1000, status: 'paid' });
+    await seedPayout({ partnerId: p, amount: 234.56, status: 'paid' });
+
+    const r = await reportNetworkPayoutsToNetwork(db, DEFAULT_TENANT_ID);
+    expect(r.reported).toBe(true);
+    expect(r.amountUsd).toBe(1234.56);
+    expect(received).toHaveLength(1);
+    expect(received[0]!.amountUsd).toBe(1234.56);
+    expect(received[0]!.authorization).toBe('Bearer vntok_test');
+
+    // Mark advanced.
+    const mark = await getConfig<string>(db, DEFAULT_TENANT_ID, CONFIG_KEYS.LastNetworkPayoutsReportedAt);
+    expect(mark).toBeTruthy();
+  });
+
+  it('on Network 5xx: does NOT advance high-water mark (so next tick re-reports)', async () => {
+    await configureNetwork({ enabled: true });
+    const p = await seedPartner({ networkCreatorId: 'crt_q' });
+    await seedPayout({ partnerId: p, amount: 100, status: 'paid' });
+
+    mockResponse = { status: 503, body: { error: 'unavailable' } };
+    const r = await reportNetworkPayoutsToNetwork(db, DEFAULT_TENANT_ID);
+    expect(r.reported).toBe(false);
+    expect(r.reason).toContain('network 503');
+    const mark = await getConfig<string>(db, DEFAULT_TENANT_ID, CONFIG_KEYS.LastNetworkPayoutsReportedAt);
+    expect(mark).toBeNull();
+  });
+
+  it('second consecutive successful run only includes payouts after the first run', async () => {
+    await configureNetwork({ enabled: true });
+    const p = await seedPartner({ networkCreatorId: 'crt_r' });
+    await seedPayout({ partnerId: p, amount: 50, status: 'paid' });
+
+    const r1 = await reportNetworkPayoutsToNetwork(db, DEFAULT_TENANT_ID);
+    expect(r1.amountUsd).toBe(50);
+
+    // Add a new payout post-mark, then re-run.
+    await seedPayout({ partnerId: p, amount: 25, status: 'paid' });
+    const r2 = await reportNetworkPayoutsToNetwork(db, DEFAULT_TENANT_ID);
+    expect(r2.amountUsd).toBe(25);
+  });
+});
diff --git a/apps/api/src/config.ts b/apps/api/src/config.ts
index bff68c3..1636b45 100644
--- a/apps/api/src/config.ts
+++ b/apps/api/src/config.ts
@@ -26,4 +26,8 @@ export const CONFIG_KEYS = {
   // High-water mark for usage reporting. Stored as ISO string. The next
   // run aggregates Events with ts > this value, then advances the mark.
   LastUsageReportedAt: 'stripe.merchant.lastUsageReportedAt',
+  // High-water mark for Network-originated payout reporting (separate
+  // from usage reporting because the cadence + trigger are different
+  // — payouts are weekly, usage is daily).
+  LastNetworkPayoutsReportedAt: 'network.lastPayoutsReportedAt',
 } as const;
diff --git a/apps/api/src/network-client.ts b/apps/api/src/network-client.ts
index 9ad4e3c..10a7919 100644
--- a/apps/api/src/network-client.ts
+++ b/apps/api/src/network-client.ts
@@ -451,6 +451,89 @@ export const networkProxy = {
     ),
 };
 
+// ---------- Network-originated payouts reporting ----------
+//
+// The Network bills self-hosted vendors 3% on payouts whose Partner
+// came from the marketplace. Vendor side aggregates the period's
+// Network-originated payout total and POSTs to /vendors/me/report-
+// payouts; the Network turns it into a Stripe meter event.
+//
+// Cadence: piggyback on the openpartner scheduler (daily), keyed
+// against a Config high-water mark. Hosted-tier vendors get 204'd by
+// the Network (their billing is bundled), so this is a no-op cost
+// from their perspective.
+
+export interface NetworkPayoutsReportResult {
+  rangeStart: Date | null;
+  rangeEnd: Date;
+  amountUsd: number;
+  reported: boolean;
+  reason?: string;
+}
+
+export async function reportNetworkPayoutsToNetwork(
+  db: Knex,
+  tenantId: string,
+): Promise<NetworkPayoutsReportResult> {
+  const m = await getNetworkMembership(db, tenantId);
+  const rangeEnd = new Date();
+  if (!m || !m.enabled || !m.networkUrl || !m.vendorTokenCiphertext) {
+    return { rangeStart: null, rangeEnd, amountUsd: 0, reported: false, reason: 'network_not_configured' };
+  }
+  let token: string;
+  try {
+    token = decryptSecret(m.vendorTokenCiphertext);
+  } catch {
+    return { rangeStart: null, rangeEnd, amountUsd: 0, reported: false, reason: 'token_undecryptable' };
+  }
+
+  const { CONFIG_KEYS, getConfig, setConfig } = await import('./config.js');
+  const { aggregateNetworkOriginatedPayouts } = await import('./usage-billing.js');
+
+  const lastIso = await getConfig<string>(db, tenantId, CONFIG_KEYS.LastNetworkPayoutsReportedAt);
+  const rangeStart = lastIso ? new Date(lastIso) : null;
+  const amountUsd = await aggregateNetworkOriginatedPayouts(db, rangeStart, rangeEnd);
+
+  if (amountUsd <= 0) {
+    // Advance the high-water mark anyway so we don't re-scan the
+    // same window. The Network endpoint short-circuits on 0 too,
+    // but skipping the round-trip is cheaper.
+    await setConfig(db, tenantId, CONFIG_KEYS.LastNetworkPayoutsReportedAt, rangeEnd.toISOString());
+    return { rangeStart, rangeEnd, amountUsd: 0, reported: false, reason: 'no_network_payouts_in_range' };
+  }
+
+  const url = `${m.networkUrl.replace(/\/$/, '')}/vendors/me/report-payouts`;
+  const res = await fetch(url, {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/json',
+      authorization: `Bearer ${token}`,
+      'user-agent': 'OpenPartner-Vendor/1',
+    },
+    body: JSON.stringify({
+      amountUsd,
+      sinceIso: rangeStart ? rangeStart.toISOString() : null,
+      untilIso: rangeEnd.toISOString(),
+    }),
+    signal: AbortSignal.timeout(PUSH_TIMEOUT_MS),
+  });
+  if (!res.ok) {
+    const text = await res.text().catch(() => '<no body>');
+    // DON'T advance the high-water mark on Network failures — next
+    // tick re-includes this period's payouts. Same idempotency model
+    // as the meter event: the Network's identifier dedups at Stripe.
+    return {
+      rangeStart,
+      rangeEnd,
+      amountUsd,
+      reported: false,
+      reason: `network ${res.status}: ${text.slice(0, 200)}`,
+    };
+  }
+  await setConfig(db, tenantId, CONFIG_KEYS.LastNetworkPayoutsReportedAt, rangeEnd.toISOString());
+  return { rangeStart, rangeEnd, amountUsd, reported: true };
+}
+
 // ---------- outbox drain (called from scheduler.ts) ----------
 
 export async function drainOutbox(db: Knex, tenantId: string): Promise<{ drained: number; succeeded: number; dead: number }> {
diff --git a/apps/api/src/scheduler.ts b/apps/api/src/scheduler.ts
index f76d5d1..9eba841 100644
--- a/apps/api/src/scheduler.ts
+++ b/apps/api/src/scheduler.ts
@@ -33,7 +33,7 @@ import { TABLES, type TenantRow } from '@openpartner/db';
 import { appDb, db } from './db.js';
 import { reportUsageToStripe } from './usage-billing.js';
 import { runPayouts } from './payouts.js';
-import { drainOutbox } from './network-client.js';
+import { drainOutbox, reportNetworkPayoutsToNetwork } from './network-client.js';
 import { getMode } from './stripe.js';
 
 interface ScheduledJob {
@@ -89,6 +89,13 @@ const JOBS: ScheduledJob[] = [
     description: 'Per tenant: retry failed Network pushes from NetworkOutbox (every 5 minutes)',
     handler: async () => forEachActiveTenant((trx, tenantId) => drainOutbox(trx, tenantId)),
   },
+  {
+    name: 'network-payouts-report',
+    cronExpr: '30 3 * * *',
+    description: 'Per tenant: aggregate Network-originated payout volume + report to the Network for Stripe metering (daily 03:30 UTC)',
+    handler: async () =>
+      forEachActiveTenant((trx, tenantId) => reportNetworkPayoutsToNetwork(trx, tenantId)),
+  },
 ];
 
 let started = false;
diff --git a/apps/api/src/usage-billing.ts b/apps/api/src/usage-billing.ts
index 7113609..2586e44 100644
--- a/apps/api/src/usage-billing.ts
+++ b/apps/api/src/usage-billing.ts
@@ -50,6 +50,33 @@ export interface UsageReportResult {
   reason?: string;
 }
 
+/**
+ * Sum payout amounts (in dollars) for payouts whose Partner came from
+ * the OpenPartner Network — i.e., Partner.metadata.network.creatorId
+ * is set, which is stamped by network-client.ts when a partner is
+ * upserted to the Network.
+ *
+ * This is what the Network bills the vendor on (3% metered). Only
+ * 'paid' payouts count — pending / failed don't generate Network fee
+ * because no money actually moved to the partner.
+ *
+ * Tenant scope: caller provides db + GUC.
+ */
+export async function aggregateNetworkOriginatedPayouts(
+  db: Knex,
+  since: Date | null,
+  until: Date,
+): Promise<number> {
+  const q = db(TABLES.Payout)
+    .join(TABLES.Partner, `${TABLES.Partner}.id`, `${TABLES.Payout}.partnerId`)
+    .where(`${TABLES.Payout}.status`, 'paid')
+    .andWhere(`${TABLES.Payout}.completedAt`, '<=', until)
+    .andWhereRaw(`"${TABLES.Partner}"."metadata"->'network'->>'creatorId' is not null`);
+  if (since) q.andWhere(`${TABLES.Payout}.completedAt`, '>', since);
+  const rows = (await q.sum({ total: `${TABLES.Payout}.amount` })) as Array<{ total: string | null }>;
+  return Number(rows[0]?.total ?? 0);
+}
+
 /**
  * Sum attributed GMV (in dollars) for events with `ts > since` and `ts <= until`.
  * Only counts events that have at least one Attribution row (i.e. a partner

From 05a20e5b06d2c81f46ea723fa073af2b940e6b85 Mon Sep 17 00:00:00 2001
From: Keith <keith.fawcett@gmail.com>
Date: Mon, 27 Apr 2026 12:38:54 -0700
Subject: [PATCH 031/131] feat(network): vendor admin Billing page + proxy
 routes (#14)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes the last gap in the Network billing flow: vendor admins now
have a UI to subscribe / manage / view status. Previously they'd have
needed to curl /api/vendors/me/billing/checkout directly.

Backend (apps/api):
- network-client.ts: extends networkProxy with getBilling,
  createCheckout, openPortal — same proxy pattern as the existing
  Network admin proxies (vendor token decrypted server-side, body
  forwarded through). Returns the typed Billing payload + Stripe
  URL responses.
- routes/settings.ts: GET /admin/network/billing,
  POST /admin/network/billing/checkout (validates successUrl +
  cancelUrl), POST /admin/network/billing/portal (validates
  returnUrl). Each is a thin wrapper around networkProxy.* with
  the standard NetworkProxyError → HTTP status mapping.

Portal (apps/portal):
- pages/admin/NetworkBilling.tsx: branches on bundledWithMainPlan.
  Hosted vendors see a "bundled with Flex/Revshare" panel.
  Self-hosted see a status card (subscription state, current
  period end, $29 + 3% recap) plus EITHER a Subscribe panel
  (opens Stripe Checkout) or a Manage panel (opens Stripe Customer
  Portal). Subscribe flow surfaces specific errors when the Network
  deploy is missing STRIPE_SECRET_KEY / NETWORK_PRICE_ID /
  NETWORK_USAGE_PRICE_ID so the operator (and the vendor) know
  what's not configured.
- App.tsx: route + new "Billing" nav item in the Network section
  (uses the existing CreditCard lucide icon).

Tests (network-billing-proxy.test.ts, 9 cases): mocked HTTP receiver
acting as the Network's billing endpoints. Covers the happy path
for all three routes, body validation, missing-Network-config 503,
admin auth gate, and Network 4xx/5xx surface as 400/503.

99/99 vendor-side tests pass; portal builds clean (322 KB JS, 93 KB
gzip).

Co-authored-by: Keith Fawcett <keith@brightyard.co>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../__tests__/network-billing-proxy.test.ts   | 228 ++++++++++++++++++
 apps/api/src/network-client.ts                |  22 ++
 apps/api/src/routes/settings.ts               |  25 ++
 apps/portal/src/App.tsx                       |   3 +
 .../portal/src/pages/admin/NetworkBilling.tsx | 191 +++++++++++++++
 5 files changed, 469 insertions(+)
 create mode 100644 apps/api/src/__tests__/network-billing-proxy.test.ts
 create mode 100644 apps/portal/src/pages/admin/NetworkBilling.tsx

diff --git a/apps/api/src/__tests__/network-billing-proxy.test.ts b/apps/api/src/__tests__/network-billing-proxy.test.ts
new file mode 100644
index 0000000..f3a70c8
--- /dev/null
+++ b/apps/api/src/__tests__/network-billing-proxy.test.ts
@@ -0,0 +1,228 @@
+/**
+ * Vendor-side admin proxy routes for Network billing.
+ *
+ * Spins up a local HTTP server acting as the Network's billing
+ * endpoints (GET /vendors/me/billing, POST /vendors/me/billing/checkout,
+ * POST /vendors/me/billing/portal). Verifies the openpartner main side
+ * forwards correctly with the right bearer + body, surfaces Network
+ * errors as the right HTTP status, and gates on admin auth.
+ *
+ * Skipped if DATABASE_URL isn't set.
+ */
+
+import { createServer, type Server } from 'node:http';
+import type { AddressInfo } from 'node:net';
+import { afterAll, beforeAll, beforeEach, describe, expect, it } from 'vitest';
+import request from 'supertest';
+import { DEFAULT_TENANT_ID, TABLES } from '@openpartner/db';
+import { db } from '../db.js';
+import { createApp } from '../app.js';
+import { encryptSecret } from '../crypto.js';
+
+const ADMIN_KEY = 'op_test_billing_proxy_0123456789abcdef0123';
+process.env.ADMIN_API_KEY = ADMIN_KEY;
+process.env.OPENPARTNER_MODE = process.env.OPENPARTNER_MODE ?? 'selfhost';
+process.env.OPENPARTNER_TENANCY = process.env.OPENPARTNER_TENANCY ?? 'single';
+process.env.PORTAL_URL = process.env.PORTAL_URL ?? 'http://localhost:5673';
+
+const skipIntegration = !process.env.DATABASE_URL || process.env.INTEGRATION === 'skip';
+const app = createApp({ enableLogger: false });
+
+interface NetCall {
+  method: string;
+  path: string;
+  body: unknown;
+  authorization: string | undefined;
+}
+
+let receiver: Server;
+let receiverUrl: string;
+const calls: NetCall[] = [];
+let nextResponse: { status: number; body: unknown } = {
+  status: 200,
+  body: {
+    billingRequired: true,
+    bundledWithMainPlan: false,
+    subscriptionStatus: null,
+    stripeCustomerId: null,
+    stripeSubscriptionId: null,
+    currentPeriodEnd: null,
+    networkPriceConfigured: true,
+    networkUsagePriceConfigured: true,
+    billingEnabled: true,
+  },
+};
+
+beforeAll(async () => {
+  if (skipIntegration) return;
+  await db.raw('select 1');
+  await new Promise<void>((resolve) => {
+    receiver = createServer((req, res) => {
+      const chunks: Buffer[] = [];
+      req.on('data', (c) => chunks.push(c));
+      req.on('end', () => {
+        const body = chunks.length ? JSON.parse(Buffer.concat(chunks).toString('utf8')) : null;
+        calls.push({
+          method: req.method ?? '',
+          path: req.url ?? '',
+          body,
+          authorization: req.headers.authorization,
+        });
+        res.writeHead(nextResponse.status, { 'content-type': 'application/json' });
+        res.end(JSON.stringify(nextResponse.body));
+      });
+    }).listen(0, '127.0.0.1', () => {
+      const addr = receiver.address() as AddressInfo;
+      receiverUrl = `http://127.0.0.1:${addr.port}`;
+      resolve();
+    });
+  });
+});
+
+afterAll(async () => {
+  if (receiver) await new Promise<void>((r) => receiver.close(() => r()));
+  await db.destroy();
+});
+
+beforeEach(async () => {
+  if (skipIntegration) return;
+  await db(TABLES.Config).whereIn('tenantId', [DEFAULT_TENANT_ID]).del();
+  calls.length = 0;
+});
+
+async function configureNetwork(opts: { enabled: boolean }): Promise<void> {
+  const value = {
+    enabled: opts.enabled,
+    networkUrl: receiverUrl,
+    vendorTokenCiphertext: encryptSecret('vntok_proxytest'),
+    scopedKeyId: null,
+    autoEnroll: true,
+  };
+  await db(TABLES.Config)
+    .insert({
+      tenantId: DEFAULT_TENANT_ID,
+      key: 'network_membership',
+      value: value as unknown as never,
+      updatedAt: new Date(),
+    })
+    .onConflict(['tenantId', 'key'])
+    .merge({ value: value as unknown as never, updatedAt: new Date() });
+}
+
+describe.skipIf(skipIntegration)('GET /admin/network/billing', () => {
+  it('proxies with vendor bearer + returns Network payload', async () => {
+    await configureNetwork({ enabled: true });
+    const res = await request(app)
+      .get('/admin/network/billing')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`);
+    expect(res.status).toBe(200);
+    expect(res.body.billingRequired).toBe(true);
+    expect(res.body.networkPriceConfigured).toBe(true);
+
+    const call = calls[0]!;
+    expect(call.method).toBe('GET');
+    expect(call.path).toBe('/vendors/me/billing');
+    expect(call.authorization).toBe('Bearer vntok_proxytest');
+  });
+
+  it('without Network configured: 503 network_call_failed', async () => {
+    const res = await request(app)
+      .get('/admin/network/billing')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`);
+    expect(res.status).toBe(503);
+    expect(res.body.error).toBe('network_call_failed');
+    expect(calls).toHaveLength(0);
+  });
+
+  it('without admin auth: 401', async () => {
+    await configureNetwork({ enabled: true });
+    const res = await request(app).get('/admin/network/billing');
+    expect(res.status).toBe(401);
+    expect(calls).toHaveLength(0);
+  });
+
+  it('Network 5xx surfaces as 5xx network_call_failed', async () => {
+    await configureNetwork({ enabled: true });
+    nextResponse = { status: 503, body: { error: 'billing_not_configured' } };
+    const res = await request(app)
+      .get('/admin/network/billing')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`);
+    expect(res.status).toBe(503);
+    expect(res.body.error).toBe('network_call_failed');
+  });
+});
+
+describe.skipIf(skipIntegration)('POST /admin/network/billing/checkout', () => {
+  it('forwards body + returns Stripe URL from Network', async () => {
+    await configureNetwork({ enabled: true });
+    nextResponse = { status: 200, body: { url: 'https://checkout.stripe.test/cs_xxx' } };
+    const res = await request(app)
+      .post('/admin/network/billing/checkout')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({
+        successUrl: 'https://acme.example.test/admin/network/billing?subscribed=1',
+        cancelUrl: 'https://acme.example.test/admin/network/billing',
+      });
+    expect(res.status).toBe(200);
+    expect(res.body.url).toBe('https://checkout.stripe.test/cs_xxx');
+
+    const call = calls[0]!;
+    expect(call.method).toBe('POST');
+    expect(call.path).toBe('/vendors/me/billing/checkout');
+    expect((call.body as { successUrl: string }).successUrl).toContain('subscribed=1');
+  });
+
+  it('rejects malformed body', async () => {
+    await configureNetwork({ enabled: true });
+    const res = await request(app)
+      .post('/admin/network/billing/checkout')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ successUrl: 'not-a-url', cancelUrl: 'also-not' });
+    expect(res.status).toBe(400);
+    expect(res.body.error).toBe('invalid_body');
+    expect(calls).toHaveLength(0);
+  });
+
+  it('Network 400 (e.g. bundled_with_main_plan) surfaces as 400', async () => {
+    await configureNetwork({ enabled: true });
+    nextResponse = { status: 400, body: { error: 'billing_bundled_with_main_plan' } };
+    const res = await request(app)
+      .post('/admin/network/billing/checkout')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({
+        successUrl: 'https://acme.example.test/ok',
+        cancelUrl: 'https://acme.example.test/x',
+      });
+    expect(res.status).toBe(400);
+    expect(res.body.error).toBe('network_call_failed');
+    expect(res.body.detail).toContain('billing_bundled_with_main_plan');
+  });
+});
+
+describe.skipIf(skipIntegration)('POST /admin/network/billing/portal', () => {
+  it('forwards returnUrl + returns portal URL', async () => {
+    await configureNetwork({ enabled: true });
+    nextResponse = { status: 200, body: { url: 'https://billing-portal.stripe.test/bp_xxx' } };
+    const res = await request(app)
+      .post('/admin/network/billing/portal')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ returnUrl: 'https://acme.example.test/admin/network/billing' });
+    expect(res.status).toBe(200);
+    expect(res.body.url).toBe('https://billing-portal.stripe.test/bp_xxx');
+
+    const call = calls[0]!;
+    expect(call.method).toBe('POST');
+    expect(call.path).toBe('/vendors/me/billing/portal');
+    expect((call.body as { returnUrl: string }).returnUrl).toBe('https://acme.example.test/admin/network/billing');
+  });
+
+  it('rejects malformed returnUrl', async () => {
+    await configureNetwork({ enabled: true });
+    const res = await request(app)
+      .post('/admin/network/billing/portal')
+      .set('Authorization', `Bearer ${ADMIN_KEY}`)
+      .send({ returnUrl: 'not-a-url' });
+    expect(res.status).toBe(400);
+    expect(res.body.error).toBe('invalid_body');
+  });
+});
diff --git a/apps/api/src/network-client.ts b/apps/api/src/network-client.ts
index 10a7919..b0f17af 100644
--- a/apps/api/src/network-client.ts
+++ b/apps/api/src/network-client.ts
@@ -449,6 +449,28 @@ export const networkProxy = {
       'GET',
       '/vendors/me',
     ),
+
+  // Billing — same pattern (vendor token held server-side, portal can't
+  // hit Stripe directly). Forwards body straight through; the Network's
+  // route does all validation.
+  getBilling: (db: Knex, tenantId: string) =>
+    callNetwork<{
+      billingRequired: boolean;
+      bundledWithMainPlan: boolean;
+      subscriptionStatus: string | null;
+      stripeCustomerId: string | null;
+      stripeSubscriptionId: string | null;
+      currentPeriodEnd: string | null;
+      networkPriceConfigured: boolean;
+      networkUsagePriceConfigured: boolean;
+      billingEnabled: boolean;
+    }>(db, tenantId, 'GET', '/vendors/me/billing'),
+
+  createCheckout: (db: Knex, tenantId: string, body: { successUrl: string; cancelUrl: string }) =>
+    callNetwork<{ url: string }>(db, tenantId, 'POST', '/vendors/me/billing/checkout', body),
+
+  openPortal: (db: Knex, tenantId: string, body: { returnUrl: string }) =>
+    callNetwork<{ url: string }>(db, tenantId, 'POST', '/vendors/me/billing/portal', body),
 };
 
 // ---------- Network-originated payouts reporting ----------
diff --git a/apps/api/src/routes/settings.ts b/apps/api/src/routes/settings.ts
index a264d6a..cb1a942 100644
--- a/apps/api/src/routes/settings.ts
+++ b/apps/api/src/routes/settings.ts
@@ -383,3 +383,28 @@ settingsRouter.post('/admin/network/requests/:id/approve', requireAuth, requireA
 settingsRouter.post('/admin/network/requests/:id/reject', requireAuth, requireAdmin, async (req, res) =>
   proxy(req, res, (db, tenantId) => networkProxy.rejectRequest(db, tenantId, req.params.id!, req.body ?? {})),
 );
+
+// ---------- Network billing proxy ----------
+// Self-hosted vendors subscribe to Network access ($29/mo + 3% metered)
+// from this admin surface. Hosted vendors get bundled with their main
+// Flex/Revshare subscription — the Network endpoint handles that gate
+// and we just pass the response through.
+
+settingsRouter.get('/admin/network/billing', requireAuth, requireAdmin, async (req, res) =>
+  proxy(req, res, (db, tenantId) => networkProxy.getBilling(db, tenantId)),
+);
+
+settingsRouter.post('/admin/network/billing/checkout', requireAuth, requireAdmin, async (req, res) => {
+  const body = z.object({
+    successUrl: z.string().url(),
+    cancelUrl: z.string().url(),
+  }).safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+  return proxy(req, res, (db, tenantId) => networkProxy.createCheckout(db, tenantId, body.data));
+});
+
+settingsRouter.post('/admin/network/billing/portal', requireAuth, requireAdmin, async (req, res) => {
+  const body = z.object({ returnUrl: z.string().url() }).safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+  return proxy(req, res, (db, tenantId) => networkProxy.openPortal(db, tenantId, body.data));
+});
diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index b5052b6..57eb914 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -39,6 +39,7 @@ import { AdminNetwork } from './pages/admin/Network.js';
 import { AdminNetworkComplete } from './pages/admin/NetworkComplete.js';
 import { AdminNetworkOfferings } from './pages/admin/NetworkOfferings.js';
 import { AdminNetworkRequests } from './pages/admin/NetworkRequests.js';
+import { AdminNetworkBilling } from './pages/admin/NetworkBilling.js';
 import { InstallPage } from './pages/Install.js';
 import { FraudReviewPage } from './pages/FraudReview.js';
 import { useQuery } from '@tanstack/react-query';
@@ -131,6 +132,7 @@ function Shell() {
               <Route path="admin/network/complete" element={<AdminNetworkComplete />} />
               <Route path="admin/network/offerings" element={<AdminNetworkOfferings />} />
               <Route path="admin/network/requests" element={<AdminNetworkRequests />} />
+              <Route path="admin/network/billing" element={<AdminNetworkBilling />} />
             </>
           )}
 
@@ -202,6 +204,7 @@ function Sidebar({ principal }: { principal: Principal }) {
             <NavItem to="/admin/network" icon={<Globe size={16} />}>Connection</NavItem>
             <NavItem to="/admin/network/offerings" icon={<Megaphone size={16} />}>Offerings</NavItem>
             <NavItem to="/admin/network/requests" icon={<Inbox size={16} />}>Requests</NavItem>
+            <NavItem to="/admin/network/billing" icon={<CreditCard size={16} />}>Billing</NavItem>
           </NavSection>
         )}
       </div>
diff --git a/apps/portal/src/pages/admin/NetworkBilling.tsx b/apps/portal/src/pages/admin/NetworkBilling.tsx
new file mode 100644
index 0000000..bb2852b
--- /dev/null
+++ b/apps/portal/src/pages/admin/NetworkBilling.tsx
@@ -0,0 +1,191 @@
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { Link } from 'react-router-dom';
+import { useState } from 'react';
+import { api, ApiError } from '../../api.js';
+import { Button, Card, ErrorBanner, Page } from '../../ui.js';
+
+interface NetworkBilling {
+  billingRequired: boolean;
+  bundledWithMainPlan: boolean;
+  subscriptionStatus: string | null;
+  stripeCustomerId: string | null;
+  stripeSubscriptionId: string | null;
+  currentPeriodEnd: string | null;
+  networkPriceConfigured: boolean;
+  networkUsagePriceConfigured: boolean;
+  billingEnabled: boolean;
+}
+
+export function AdminNetworkBilling() {
+  return (
+    <Page
+      title="Network billing"
+      subtitle="$29/mo + 3% on Network-originated payouts. Self-hosted vendors only — hosted plans bundle Network access."
+    >
+      <BillingPanel />
+    </Page>
+  );
+}
+
+function BillingPanel() {
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['network-billing'],
+    queryFn: () => api<NetworkBilling>('/admin/network/billing'),
+    retry: false,
+  });
+
+  if (isLoading) return <Card><p>Loading…</p></Card>;
+  if (error) {
+    const msg = error instanceof ApiError && error.message.includes('network_not_configured')
+      ? 'Connect to the Network first.'
+      : `Couldn't load billing: ${error instanceof Error ? error.message : String(error)}`;
+    return (
+      <>
+        <ErrorBanner error={msg} />
+        <Card>
+          <p>
+            Set up your Network connection under <Link to="/admin/network">Network → Connection</Link>{' '}
+            before subscribing.
+          </p>
+        </Card>
+      </>
+    );
+  }
+  if (!data) return null;
+
+  if (data.bundledWithMainPlan) {
+    return <BundledPanel />;
+  }
+  return (
+    <>
+      <StatusCard data={data} />
+      {data.subscriptionStatus === 'active' || data.subscriptionStatus === 'trialing' ? (
+        <ManagePanel />
+      ) : (
+        <SubscribePanel data={data} />
+      )}
+    </>
+  );
+}
+
+function BundledPanel() {
+  return (
+    <Card>
+      <h3 style={{ marginTop: 0 }}>Bundled with your main plan ✓</h3>
+      <p>
+        You're on a hosted plan (Flex or Revshare) on app.openpartner.dev. Network access is included
+        — no separate Network billing. The 3% on Network-originated payouts is folded into your main-plan
+        invoice.
+      </p>
+      <p style={{ color: '#6b7280', fontSize: 13 }}>
+        Switching to self-hosted later? Re-connect to the Network from your new instance and you'll get
+        the standalone billing flow ($29/mo + 3% metered).
+      </p>
+    </Card>
+  );
+}
+
+function StatusCard({ data }: { data: NetworkBilling }) {
+  const status = data.subscriptionStatus ?? 'not_subscribed';
+  const color =
+    status === 'active' || status === 'trialing' ? '#1a6b1a' :
+    status === 'past_due' || status === 'unpaid' ? '#8b6f00' :
+    status === 'canceled' ? '#8a1a1a' :
+    '#6b7280';
+  return (
+    <Card>
+      <h3 style={{ marginTop: 0 }}>Subscription</h3>
+      <p>
+        Status: <strong style={{ color }}>{status}</strong>
+        {data.stripeSubscriptionId && (
+          <> · Stripe ID: <code style={{ fontSize: 12 }}>{data.stripeSubscriptionId}</code></>
+        )}
+      </p>
+      {data.currentPeriodEnd && (
+        <p style={{ color: '#6b7280', fontSize: 13 }}>
+          Current period ends: {new Date(data.currentPeriodEnd).toLocaleDateString()}
+        </p>
+      )}
+      <p style={{ color: '#6b7280', fontSize: 13 }}>
+        $29/mo flat + 3% metered on Network-originated payouts. The metered portion is reported daily by
+        your instance — only payouts where the partner came from the marketplace count.
+      </p>
+    </Card>
+  );
+}
+
+function SubscribePanel({ data }: { data: NetworkBilling }) {
+  const [error, setError] = useState<string | null>(null);
+  const m = useMutation({
+    mutationFn: () => api<{ url: string }>('/admin/network/billing/checkout', {
+      method: 'POST',
+      body: {
+        successUrl: window.location.origin + '/admin/network/billing?subscribed=1',
+        cancelUrl: window.location.href,
+      },
+    }),
+    onSuccess: ({ url }) => { window.location.href = url; },
+    onError: (err) => setError(err instanceof ApiError ? err.message : 'failed'),
+  });
+  return (
+    <Card>
+      <h3 style={{ marginTop: 0 }}>Subscribe to Network access</h3>
+      {!data.billingEnabled && (
+        <ErrorBanner error="Stripe isn't configured on the Network deploy. Operator needs to set STRIPE_SECRET_KEY." />
+      )}
+      {data.billingEnabled && !data.networkPriceConfigured && (
+        <ErrorBanner error="The Network deploy doesn't have a price configured. Operator needs to set STRIPE_NETWORK_PRICE_ID." />
+      )}
+      {data.billingEnabled && data.networkPriceConfigured && !data.networkUsagePriceConfigured && (
+        <ErrorBanner error="The Network deploy is missing the metered price. Operator needs to set STRIPE_NETWORK_USAGE_PRICE_ID." />
+      )}
+      {error && <ErrorBanner error={error} />}
+      <p>
+        Click below to open Stripe Checkout. You'll subscribe to a single Stripe Subscription with two
+        items: the $29/mo flat fee and the 3% metered usage. We'll redirect you back here when payment
+        completes.
+      </p>
+      <Button
+        onClick={() => m.mutate()}
+        disabled={
+          m.isPending ||
+          !data.billingEnabled ||
+          !data.networkPriceConfigured ||
+          !data.networkUsagePriceConfigured
+        }
+      >
+        {m.isPending ? 'Opening Stripe…' : 'Subscribe via Stripe'}
+      </Button>
+    </Card>
+  );
+}
+
+function ManagePanel() {
+  const qc = useQueryClient();
+  const [error, setError] = useState<string | null>(null);
+  const m = useMutation({
+    mutationFn: () => api<{ url: string }>('/admin/network/billing/portal', {
+      method: 'POST',
+      body: { returnUrl: window.location.href },
+    }),
+    onSuccess: ({ url }) => { window.location.href = url; },
+    onError: (err) => setError(err instanceof ApiError ? err.message : 'failed'),
+  });
+  return (
+    <Card>
+      <h3 style={{ marginTop: 0 }}>Manage subscription</h3>
+      {error && <ErrorBanner error={error} />}
+      <p>
+        Update your card, see invoices, or cancel via Stripe's hosted Customer Portal.
+      </p>
+      <div style={{ display: 'flex', gap: 8 }}>
+        <Button onClick={() => m.mutate()} disabled={m.isPending}>
+          {m.isPending ? 'Opening Stripe…' : 'Open Stripe portal'}
+        </Button>
+        <Button variant="secondary" onClick={() => qc.invalidateQueries({ queryKey: ['network-billing'] })}>
+          Refresh
+        </Button>
+      </div>
+    </Card>
+  );
+}

From 579dbe92214c92cc79779b29fab463a59fd759cf Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Mon, 27 Apr 2026 23:54:28 -0700
Subject: [PATCH 032/131] feat(network): partner-role Network surfaces
 (Discover, Apply, My partnerships, etc.)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Creators no longer have a separate Network portal — their home is the
vendor instance they signed up at. This adds the partner-side surfaces
that used to live at network.openpartner.dev directly into the vendor
portal so a creator on Vendor A can browse and apply to programs at
Vendors B/C/D, see all their cross-network partnerships, and edit a
single Network-wide profile.

API
- partnerProxy: server-side helpers that hit Network's existing
  /offerings + /creators/me/* routes using the vendor's encrypted
  vendorToken plus an x-act-as-vendor-partner header carrying the
  partner's vendor-local id. Network resolves the Creator via
  VendorAffiliation(vendorId, vendorPartnerId), so the same handlers
  serve both browser-creator and proxied-from-vendor cases.
- /api/network/{discover,offerings/:id,vendors/:id} (open to anyone signed in)
- /api/network/me/{affiliations,affiliations/:id/earnings,requests,
  requests/:id/cancel,profile} (partner-role only)

Portal
- pages/partner/{Discover,OfferingDetail,VendorDetail,MyAffiliations,
  MyRequests,MyProfile} matching openpartner UI patterns (Page/Card/
  Stat/StatusPill/Button).
- Sidebar gains a Network section for partners with Discover programs,
  My partnerships, My applications, Network profile.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/app.ts                           |   2 +
 apps/api/src/network-client.ts                |  75 ++++++++-
 apps/api/src/routes/network-partner.ts        | 159 ++++++++++++++++++
 apps/portal/src/App.tsx                       |  29 ++++
 apps/portal/src/pages/partner/Discover.tsx    | 111 ++++++++++++
 .../src/pages/partner/MyAffiliations.tsx      |  96 +++++++++++
 apps/portal/src/pages/partner/MyProfile.tsx   | 111 ++++++++++++
 apps/portal/src/pages/partner/MyRequests.tsx  |  76 +++++++++
 .../src/pages/partner/OfferingDetail.tsx      | 134 +++++++++++++++
 .../portal/src/pages/partner/VendorDetail.tsx |  46 +++++
 10 files changed, 834 insertions(+), 5 deletions(-)
 create mode 100644 apps/api/src/routes/network-partner.ts
 create mode 100644 apps/portal/src/pages/partner/Discover.tsx
 create mode 100644 apps/portal/src/pages/partner/MyAffiliations.tsx
 create mode 100644 apps/portal/src/pages/partner/MyProfile.tsx
 create mode 100644 apps/portal/src/pages/partner/MyRequests.tsx
 create mode 100644 apps/portal/src/pages/partner/OfferingDetail.tsx
 create mode 100644 apps/portal/src/pages/partner/VendorDetail.tsx

diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index 4baf1be..f7e2510 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -32,6 +32,7 @@ import { webhooksRouter } from './routes/webhooks.js';
 import { metricsRouter } from './routes/metrics.js';
 import { signupRouter } from './routes/signup.js';
 import { partnerSignupRouter } from './routes/partner-signup.js';
+import { networkPartnerRouter } from './routes/network-partner.js';
 import { tenantMiddleware } from './tenancy.js';
 
 export function createApp(options: { enableLogger?: boolean } = {}) {
@@ -143,6 +144,7 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   app.use(exportRouter);
   app.use(billingRouter);
   app.use(adminOverviewRouter);
+  app.use(networkPartnerRouter);
 
   app.use((err: Error, req: Request, res: Response, _next: NextFunction) => {
     req.log?.error({ err }, 'request_failed');
diff --git a/apps/api/src/network-client.ts b/apps/api/src/network-client.ts
index b0f17af..4aee73f 100644
--- a/apps/api/src/network-client.ts
+++ b/apps/api/src/network-client.ts
@@ -389,6 +389,7 @@ async function callNetwork<T>(
   method: 'GET' | 'POST' | 'PATCH' | 'DELETE',
   path: string,
   body?: unknown,
+  opts?: { actingVendorPartnerId?: string },
 ): Promise<T> {
   const m = await getNetworkMembership(db, tenantId);
   if (!m || !m.enabled || !m.networkUrl || !m.vendorTokenCiphertext) {
@@ -401,13 +402,20 @@ async function callNetwork<T>(
     throw new NetworkProxyError(500, `vendor_token_undecryptable: ${err instanceof Error ? err.message : String(err)}`);
   }
   const url = `${m.networkUrl.replace(/\/$/, '')}${path}`;
+  const headers: Record<string, string> = {
+    'content-type': 'application/json',
+    authorization: `Bearer ${token}`,
+    'user-agent': 'OpenPartner-Vendor/1',
+  };
+  if (opts?.actingVendorPartnerId) {
+    // Tells the Network: this call is the vendor proxying on behalf of one
+    // of its own partners. The Network resolves the Creator via
+    // VendorAffiliation(vendorId, vendorPartnerId).
+    headers['x-act-as-vendor-partner'] = opts.actingVendorPartnerId;
+  }
   const res = await fetch(url, {
     method,
-    headers: {
-      'content-type': 'application/json',
-      authorization: `Bearer ${token}`,
-      'user-agent': 'OpenPartner-Vendor/1',
-    },
+    headers,
     body: body !== undefined ? JSON.stringify(body) : undefined,
     signal: AbortSignal.timeout(PUSH_TIMEOUT_MS),
   });
@@ -473,6 +481,63 @@ export const networkProxy = {
     callNetwork<{ url: string }>(db, tenantId, 'POST', '/vendors/me/billing/portal', body),
 };
 
+// ---------- Partner-acting Network proxy ----------
+// Used by openpartner partner-role routes (/api/network/partner/*) to
+// forward calls to Network's existing /creators/me/* + /offerings + /vendors/:id
+// endpoints. Auth is the vendor bearer plus an x-act-as-vendor-partner
+// header carrying the partner's vendor-local id; Network's requireCreator
+// resolves the creator from VendorAffiliation(vendorId, vendorPartnerId).
+
+export const partnerProxy = {
+  // Discovery (public on Network — no acting header needed)
+  listOfferings: (db: Knex, tenantId: string, qs: string) =>
+    callNetwork<{ offerings: unknown[] }>(db, tenantId, 'GET', `/offerings${qs ? `?${qs}` : ''}`),
+  getOffering: (db: Knex, tenantId: string, id: string) =>
+    callNetwork<unknown>(db, tenantId, 'GET', `/offerings/${encodeURIComponent(id)}`),
+  getVendor: (db: Knex, tenantId: string, id: string) =>
+    callNetwork<unknown>(db, tenantId, 'GET', `/vendors/${encodeURIComponent(id)}`),
+
+  // Acting-as-creator (need the header)
+  applyToOffering: (db: Knex, tenantId: string, vendorPartnerId: string, id: string, body: unknown) =>
+    callNetwork<unknown>(db, tenantId, 'POST', `/offerings/${encodeURIComponent(id)}/apply`, body, {
+      actingVendorPartnerId: vendorPartnerId,
+    }),
+  listMyAffiliations: (db: Knex, tenantId: string, vendorPartnerId: string) =>
+    callNetwork<{ affiliations: unknown[] }>(db, tenantId, 'GET', '/creators/me/affiliations', undefined, {
+      actingVendorPartnerId: vendorPartnerId,
+    }),
+  getAffiliationEarnings: (db: Knex, tenantId: string, vendorPartnerId: string, affId: string) =>
+    callNetwork<unknown>(
+      db,
+      tenantId,
+      'GET',
+      `/creators/me/affiliations/${encodeURIComponent(affId)}/earnings`,
+      undefined,
+      { actingVendorPartnerId: vendorPartnerId },
+    ),
+  listMyRequests: (db: Knex, tenantId: string, vendorPartnerId: string) =>
+    callNetwork<{ requests: unknown[] }>(db, tenantId, 'GET', '/creators/me/requests', undefined, {
+      actingVendorPartnerId: vendorPartnerId,
+    }),
+  cancelRequest: (db: Knex, tenantId: string, vendorPartnerId: string, reqId: string) =>
+    callNetwork<{ ok: boolean }>(
+      db,
+      tenantId,
+      'POST',
+      `/creators/me/requests/${encodeURIComponent(reqId)}/cancel`,
+      undefined,
+      { actingVendorPartnerId: vendorPartnerId },
+    ),
+  getMyProfile: (db: Knex, tenantId: string, vendorPartnerId: string) =>
+    callNetwork<unknown>(db, tenantId, 'GET', '/creators/me', undefined, {
+      actingVendorPartnerId: vendorPartnerId,
+    }),
+  updateMyProfile: (db: Knex, tenantId: string, vendorPartnerId: string, body: unknown) =>
+    callNetwork<unknown>(db, tenantId, 'PATCH', '/creators/me', body, {
+      actingVendorPartnerId: vendorPartnerId,
+    }),
+};
+
 // ---------- Network-originated payouts reporting ----------
 //
 // The Network bills self-hosted vendors 3% on payouts whose Partner
diff --git a/apps/api/src/routes/network-partner.ts b/apps/api/src/routes/network-partner.ts
new file mode 100644
index 0000000..f15f6ea
--- /dev/null
+++ b/apps/api/src/routes/network-partner.ts
@@ -0,0 +1,159 @@
+/**
+ * Partner-role proxy onto the OpenPartner Network.
+ *
+ * The Network used to host its own creator-facing SPA. We collapsed that
+ * surface into the openpartner portal so creators have a single home (the
+ * vendor instance they signed up at). These routes are how that portal
+ * reaches Network APIs without ever leaking the vendor's bearer token to
+ * the browser — the partner's session principal authenticates locally,
+ * and we proxy server-side using the encrypted vendorToken in
+ * network_membership Config plus an x-act-as-vendor-partner header.
+ *
+ * Network's requireCreator middleware accepts that header (when paired
+ * with an active vendor bearer) and resolves the Creator via
+ * VendorAffiliation(vendorId, vendorPartnerId), so the same handler code
+ * serves both browser-creator and proxied-from-vendor cases.
+ */
+
+import { Router, type Request, type Response } from 'express';
+import { z } from 'zod';
+import type { Knex } from 'knex';
+import { requireAuth } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
+import { partnerProxy, NetworkProxyError } from '../network-client.js';
+
+export const networkPartnerRouter = Router();
+
+function requirePartnerPrincipal(req: Request, res: Response): string | null {
+  const p = req.principal;
+  if (!p) {
+    res.status(401).json({ error: 'unauthorized' });
+    return null;
+  }
+  if (p.role !== 'partner' || !p.partnerId) {
+    res.status(403).json({ error: 'partner_only' });
+    return null;
+  }
+  return p.partnerId;
+}
+
+async function proxy(
+  req: Request,
+  res: Response,
+  fn: (db: Knex, tenantId: string) => Promise<unknown>,
+  successStatus = 200,
+): Promise<void> {
+  const { db, tenantId } = tenantOf(req);
+  try {
+    const out = await fn(db, tenantId);
+    res.status(successStatus).json(out);
+  } catch (err) {
+    if (err instanceof NetworkProxyError) {
+      res.status(err.status).json({ error: 'network_call_failed', detail: err.message });
+      return;
+    }
+    throw err;
+  }
+}
+
+// ---------- Public discovery (no acting partner needed) ----------
+//
+// These routes don't require partner role — anyone authenticated on the
+// vendor instance can browse. We still gate with requireAuth so we have a
+// tenant context for the vendorToken.
+
+networkPartnerRouter.get('/network/discover', requireAuth, async (req, res) => {
+  const qs = new URLSearchParams();
+  if (typeof req.query.q === 'string') qs.set('q', req.query.q);
+  if (typeof req.query.sort === 'string') qs.set('sort', req.query.sort);
+  return proxy(req, res, (db, tenantId) => partnerProxy.listOfferings(db, tenantId, qs.toString()));
+});
+
+networkPartnerRouter.get('/network/offerings/:id', requireAuth, async (req, res) =>
+  proxy(req, res, (db, tenantId) => partnerProxy.getOffering(db, tenantId, req.params.id!)),
+);
+
+networkPartnerRouter.get('/network/vendors/:id', requireAuth, async (req, res) =>
+  proxy(req, res, (db, tenantId) => partnerProxy.getVendor(db, tenantId, req.params.id!)),
+);
+
+// ---------- Acting-as-creator (partner-only) ----------
+
+const applySchema = z.object({
+  message: z.string().max(2000).optional(),
+  preferredSlug: z
+    .string()
+    .trim()
+    .min(2)
+    .max(40)
+    .regex(/^[a-zA-Z0-9_-]+$/)
+    .optional(),
+});
+
+networkPartnerRouter.post('/network/offerings/:id/apply', requireAuth, async (req, res) => {
+  const partnerId = requirePartnerPrincipal(req, res);
+  if (!partnerId) return;
+  const body = applySchema.safeParse(req.body ?? {});
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+  return proxy(
+    req,
+    res,
+    (db, tenantId) => partnerProxy.applyToOffering(db, tenantId, partnerId, req.params.id!, body.data),
+    201,
+  );
+});
+
+networkPartnerRouter.get('/network/me/affiliations', requireAuth, async (req, res) => {
+  const partnerId = requirePartnerPrincipal(req, res);
+  if (!partnerId) return;
+  return proxy(req, res, (db, tenantId) => partnerProxy.listMyAffiliations(db, tenantId, partnerId));
+});
+
+networkPartnerRouter.get('/network/me/affiliations/:id/earnings', requireAuth, async (req, res) => {
+  const partnerId = requirePartnerPrincipal(req, res);
+  if (!partnerId) return;
+  return proxy(req, res, (db, tenantId) =>
+    partnerProxy.getAffiliationEarnings(db, tenantId, partnerId, req.params.id!),
+  );
+});
+
+networkPartnerRouter.get('/network/me/requests', requireAuth, async (req, res) => {
+  const partnerId = requirePartnerPrincipal(req, res);
+  if (!partnerId) return;
+  return proxy(req, res, (db, tenantId) => partnerProxy.listMyRequests(db, tenantId, partnerId));
+});
+
+networkPartnerRouter.post('/network/me/requests/:id/cancel', requireAuth, async (req, res) => {
+  const partnerId = requirePartnerPrincipal(req, res);
+  if (!partnerId) return;
+  return proxy(req, res, (db, tenantId) => partnerProxy.cancelRequest(db, tenantId, partnerId, req.params.id!));
+});
+
+networkPartnerRouter.get('/network/me/profile', requireAuth, async (req, res) => {
+  const partnerId = requirePartnerPrincipal(req, res);
+  if (!partnerId) return;
+  return proxy(req, res, (db, tenantId) => partnerProxy.getMyProfile(db, tenantId, partnerId));
+});
+
+const updateProfileSchema = z.object({
+  name: z.string().trim().min(1).max(120).optional(),
+  handle: z
+    .string()
+    .trim()
+    .min(2)
+    .max(40)
+    .regex(/^[a-zA-Z0-9_-]+$/)
+    .nullable()
+    .optional(),
+  avatarUrl: z.string().url().nullable().optional(),
+  bio: z.string().max(2000).nullable().optional(),
+  profile: z.record(z.unknown()).optional(),
+});
+
+networkPartnerRouter.patch('/network/me/profile', requireAuth, async (req, res) => {
+  const partnerId = requirePartnerPrincipal(req, res);
+  if (!partnerId) return;
+  const body = updateProfileSchema.safeParse(req.body ?? {});
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+  return proxy(req, res, (db, tenantId) => partnerProxy.updateMyProfile(db, tenantId, partnerId, body.data));
+});
diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index 57eb914..7dd37be 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -40,6 +40,12 @@ import { AdminNetworkComplete } from './pages/admin/NetworkComplete.js';
 import { AdminNetworkOfferings } from './pages/admin/NetworkOfferings.js';
 import { AdminNetworkRequests } from './pages/admin/NetworkRequests.js';
 import { AdminNetworkBilling } from './pages/admin/NetworkBilling.js';
+import { DiscoverPage } from './pages/partner/Discover.js';
+import { OfferingDetailPage } from './pages/partner/OfferingDetail.js';
+import { VendorDetailPage } from './pages/partner/VendorDetail.js';
+import { MyAffiliationsPage } from './pages/partner/MyAffiliations.js';
+import { MyRequestsPage } from './pages/partner/MyRequests.js';
+import { MyProfilePage } from './pages/partner/MyProfile.js';
 import { InstallPage } from './pages/Install.js';
 import { FraudReviewPage } from './pages/FraudReview.js';
 import { useQuery } from '@tanstack/react-query';
@@ -118,6 +124,20 @@ function Shell() {
           <Route path="payouts" element={<PayoutsPage principal={auth.principal} />} />
           <Route path="connect" element={<ConnectPage principal={auth.principal} />} />
 
+          {/* Network discovery — open to anyone signed in (vendor admin can browse too). */}
+          <Route path="network/discover" element={<DiscoverPage />} />
+          <Route path="network/offerings/:id" element={<OfferingDetailPage principal={auth.principal} />} />
+          <Route path="network/vendors/:id" element={<VendorDetailPage />} />
+
+          {/* Partner-only Network surfaces. */}
+          {auth.principal.role === 'partner' && (
+            <>
+              <Route path="network/affiliations" element={<MyAffiliationsPage />} />
+              <Route path="network/requests" element={<MyRequestsPage />} />
+              <Route path="network/profile" element={<MyProfilePage />} />
+            </>
+          )}
+
           {auth.principal.role === 'admin' && (
             <>
               <Route path="admin/partners" element={<AdminPartners />} />
@@ -186,6 +206,15 @@ function Sidebar({ principal }: { principal: Principal }) {
           {principal.role === 'partner' && <NavItem to="/connect" icon={<CreditCard size={16} />}>Stripe Connect</NavItem>}
         </NavSection>
 
+        {principal.role === 'partner' && (
+          <NavSection title="Network">
+            <NavItem to="/network/discover" icon={<Globe size={16} />}>Discover programs</NavItem>
+            <NavItem to="/network/affiliations" icon={<Megaphone size={16} />}>My partnerships</NavItem>
+            <NavItem to="/network/requests" icon={<Inbox size={16} />}>My applications</NavItem>
+            <NavItem to="/network/profile" icon={<UserCog size={16} />}>Network profile</NavItem>
+          </NavSection>
+        )}
+
         {principal.role === 'admin' && (
           <NavSection title="Admin">
             <NavItem to="/admin/partners" icon={<Users size={16} />}>Partners</NavItem>
diff --git a/apps/portal/src/pages/partner/Discover.tsx b/apps/portal/src/pages/partner/Discover.tsx
new file mode 100644
index 0000000..d5f0a04
--- /dev/null
+++ b/apps/portal/src/pages/partner/Discover.tsx
@@ -0,0 +1,111 @@
+import { useEffect, useState } from 'react';
+import { useQuery } from '@tanstack/react-query';
+import { Link } from 'react-router-dom';
+import { Globe } from 'lucide-react';
+import { api } from '../../api.js';
+import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page, Select } from '../../ui.js';
+import { theme } from '../../theme.js';
+
+interface OfferingListItem {
+  id: string;
+  title: string;
+  description: string | null;
+  productUrl: string;
+  heroImageUrl: string | null;
+  vendorId: string;
+  vendorName: string;
+  vendorPartnerCount: number;
+  terms: { commissionDescription?: string };
+  createdAt: string;
+}
+
+export function DiscoverPage() {
+  const [q, setQ] = useState('');
+  const [debouncedQ, setDebouncedQ] = useState('');
+  const [sort, setSort] = useState<'newest' | 'popular'>('newest');
+
+  // Debounce so each keystroke doesn't hit the proxy.
+  useEffect(() => {
+    const t = window.setTimeout(() => setDebouncedQ(q.trim()), 250);
+    return () => window.clearTimeout(t);
+  }, [q]);
+
+  const params = new URLSearchParams();
+  if (debouncedQ) params.set('q', debouncedQ);
+  if (sort !== 'newest') params.set('sort', sort);
+  const qs = params.toString();
+
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['network-discover', debouncedQ, sort],
+    queryFn: () => api<{ offerings: OfferingListItem[] }>(`/network/discover${qs ? '?' + qs : ''}`),
+    retry: false,
+  });
+
+  return (
+    <Page title="Discover programs" subtitle="Browse partner programs across the OpenPartner Network.">
+      <ErrorBanner error={error} />
+      <Card>
+        <div style={{ display: 'flex', gap: 12, alignItems: 'flex-end', flexWrap: 'wrap' }}>
+          <div style={{ flex: 1, minWidth: 240 }}>
+            <Label>Search</Label>
+            <Input
+              placeholder="Title or description…"
+              value={q}
+              onChange={(e) => setQ(e.target.value)}
+            />
+          </div>
+          <div style={{ minWidth: 160 }}>
+            <Label>Sort</Label>
+            <Select value={sort} onChange={(e) => setSort(e.target.value as 'newest' | 'popular')}>
+              <option value="newest">Newest</option>
+              <option value="popular">Most partners</option>
+            </Select>
+          </div>
+        </div>
+      </Card>
+
+      <div style={{ height: 18 }} />
+
+      {isLoading ? (
+        <Card>Loading…</Card>
+      ) : !data || data.offerings.length === 0 ? (
+        <EmptyState
+          title={debouncedQ ? `No matches for "${debouncedQ}"` : 'No programs yet'}
+          hint={debouncedQ ? 'Try a different keyword.' : 'Check back soon — vendors are joining the Network all the time.'}
+          icon={<Globe size={28} strokeWidth={1.25} />}
+        />
+      ) : (
+        <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fill, minmax(320px, 1fr))', gap: 16 }}>
+          {data.offerings.map((o) => (
+            <Card key={o.id}>
+              <div style={{ color: theme.textMuted, fontSize: 13 }}>
+                <Link to={`/network/vendors/${o.vendorId}`} style={{ color: theme.textMuted }}>{o.vendorName}</Link>
+                {o.vendorPartnerCount > 0 && (
+                  <> · {o.vendorPartnerCount} partner{o.vendorPartnerCount === 1 ? '' : 's'}</>
+                )}
+              </div>
+              <h3 style={{ marginTop: 4, marginBottom: 8 }}>
+                <Link to={`/network/offerings/${o.id}`}>{o.title}</Link>
+              </h3>
+              {o.terms?.commissionDescription && (
+                <p style={{ fontSize: 13, color: theme.textMuted, margin: '4px 0' }}>
+                  {o.terms.commissionDescription}
+                </p>
+              )}
+              {o.description && (
+                <p style={{ fontSize: 14, color: theme.text, margin: '8px 0' }}>
+                  {o.description.slice(0, 180)}{o.description.length > 180 ? '…' : ''}
+                </p>
+              )}
+              <div style={{ marginTop: 12 }}>
+                <Link to={`/network/offerings/${o.id}`}>
+                  <Button>View &amp; apply</Button>
+                </Link>
+              </div>
+            </Card>
+          ))}
+        </div>
+      )}
+    </Page>
+  );
+}
diff --git a/apps/portal/src/pages/partner/MyAffiliations.tsx b/apps/portal/src/pages/partner/MyAffiliations.tsx
new file mode 100644
index 0000000..82c7711
--- /dev/null
+++ b/apps/portal/src/pages/partner/MyAffiliations.tsx
@@ -0,0 +1,96 @@
+import { useQuery } from '@tanstack/react-query';
+import { Link } from 'react-router-dom';
+import { Globe } from 'lucide-react';
+import { api, ApiError } from '../../api.js';
+import { Card, EmptyState, ErrorBanner, Page, Stat, StatusPill, formatDate, money } from '../../ui.js';
+import { theme } from '../../theme.js';
+
+interface Affiliation {
+  id: string;
+  vendorId: string;
+  vendorPartnerId: string;
+  status: string;
+  joinedVendorAt: string;
+  vendorName: string;
+  vendorInstanceUrl: string;
+}
+
+interface Earnings {
+  partnerId: string;
+  since: string;
+  clicks: number;
+  attributedEvents: number;
+  attributedRevenue: number;
+  commissionByStatus: Record<string, number>;
+}
+
+function EarningsBlock({ aff }: { aff: Affiliation }) {
+  // Skip the federated dashboard fetch for non-active affiliations.
+  // Pending = no Partner row yet on that vendor; revoked = cut access.
+  const enabled = aff.status === 'active';
+  const { data, isLoading, error } = useQuery<Earnings, ApiError>({
+    queryKey: ['network-aff-earnings', aff.id],
+    queryFn: () => api<Earnings>(`/network/me/affiliations/${aff.id}/earnings`),
+    enabled,
+    retry: false,
+    staleTime: 60_000,
+  });
+
+  if (!enabled) {
+    return <p style={{ color: theme.textMuted, fontSize: 13 }}>Earnings appear once the partnership is active.</p>;
+  }
+  if (isLoading) return <p style={{ color: theme.textMuted, fontSize: 13 }}>Loading earnings…</p>;
+  if (error) {
+    if (error.status === 502) {
+      return <p style={{ color: theme.textMuted, fontSize: 13 }}>Vendor instance unreachable — earnings will refresh when it&apos;s back.</p>;
+    }
+    return <p style={{ color: theme.textMuted, fontSize: 13 }}>Couldn&apos;t load earnings.</p>;
+  }
+  if (!data) return null;
+  return (
+    <div style={{ display: 'flex', gap: 24, flexWrap: 'wrap', marginTop: 12 }}>
+      <Stat label="Clicks (30d)" value={data.clicks.toLocaleString()} />
+      <Stat label="Attributed events" value={data.attributedEvents.toLocaleString()} />
+      <Stat label="Revenue" value={money(data.attributedRevenue, 'USD')} />
+      {Object.entries(data.commissionByStatus ?? {}).map(([status, amount]) => (
+        <Stat key={status} label={`${status} commission`} value={money(amount, 'USD')} />
+      ))}
+    </div>
+  );
+}
+
+export function MyAffiliationsPage() {
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['network-my-affiliations'],
+    queryFn: () => api<{ affiliations: Affiliation[] }>(`/network/me/affiliations`),
+    retry: false,
+  });
+
+  return (
+    <Page title="My partnerships" subtitle="Programs across the Network you&rsquo;re actively partnered with.">
+      <ErrorBanner error={error} />
+      {isLoading ? (
+        <Card>Loading…</Card>
+      ) : !data || data.affiliations.length === 0 ? (
+        <EmptyState
+          title="No partnerships yet"
+          hint="Browse and apply to programs to get started."
+          icon={<Globe size={28} strokeWidth={1.25} />}
+        />
+      ) : (
+        data.affiliations.map((a) => (
+          <Card key={a.id}>
+            <div style={{ display: 'flex', alignItems: 'baseline', gap: 12 }}>
+              <h3 style={{ marginTop: 0, marginBottom: 4, flex: 1 }}>
+                <Link to={`/network/vendors/${a.vendorId}`}>{a.vendorName}</Link>
+              </h3>
+              <StatusPill status={a.status} />
+            </div>
+            <p style={{ color: theme.textMuted, fontSize: 13 }}>Joined {formatDate(a.joinedVendorAt, { relative: true })}</p>
+            <EarningsBlock aff={a} />
+          </Card>
+        ))
+      )}
+    </Page>
+  );
+}
diff --git a/apps/portal/src/pages/partner/MyProfile.tsx b/apps/portal/src/pages/partner/MyProfile.tsx
new file mode 100644
index 0000000..0d26104
--- /dev/null
+++ b/apps/portal/src/pages/partner/MyProfile.tsx
@@ -0,0 +1,111 @@
+import { useEffect, useState } from 'react';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { api } from '../../api.js';
+import { Button, Card, ErrorBanner, Input, Label, Page } from '../../ui.js';
+import { theme } from '../../theme.js';
+
+interface Profile {
+  id: string;
+  email: string;
+  name: string;
+  handle: string | null;
+  avatarUrl: string | null;
+  bio: string | null;
+  profile: Record<string, unknown> | null;
+  createdAt: string;
+}
+
+export function MyProfilePage() {
+  const qc = useQueryClient();
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['network-my-profile'],
+    queryFn: () => api<Profile>(`/network/me/profile`),
+    retry: false,
+  });
+
+  const [name, setName] = useState('');
+  const [handle, setHandle] = useState('');
+  const [avatarUrl, setAvatarUrl] = useState('');
+  const [bio, setBio] = useState('');
+
+  useEffect(() => {
+    if (data) {
+      setName(data.name ?? '');
+      setHandle(data.handle ?? '');
+      setAvatarUrl(data.avatarUrl ?? '');
+      setBio(data.bio ?? '');
+    }
+  }, [data]);
+
+  const save = useMutation({
+    mutationFn: () =>
+      api(`/network/me/profile`, {
+        method: 'PATCH',
+        body: {
+          name: name || undefined,
+          handle: handle || null,
+          avatarUrl: avatarUrl || null,
+          bio: bio || null,
+        },
+      }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['network-my-profile'] }),
+  });
+
+  return (
+    <Page title="Network profile" subtitle="How vendors see you across the OpenPartner Network.">
+      <ErrorBanner error={error} />
+      <ErrorBanner error={save.error} />
+      {isLoading ? (
+        <Card>Loading…</Card>
+      ) : data ? (
+        <Card>
+          <div style={{ display: 'grid', gap: 12, maxWidth: 520 }}>
+            <div>
+              <Label>Email</Label>
+              <Input value={data.email} disabled readOnly />
+              <p style={{ color: theme.textMuted, fontSize: 12, marginTop: 4 }}>Email is the join key across vendors and can&rsquo;t be changed here.</p>
+            </div>
+            <div>
+              <Label>Display name</Label>
+              <Input value={name} onChange={(e) => setName(e.target.value)} />
+            </div>
+            <div>
+              <Label>Handle</Label>
+              <Input
+                value={handle}
+                onChange={(e) => setHandle(e.target.value)}
+                placeholder="your-handle"
+              />
+              <p style={{ color: theme.textMuted, fontSize: 12, marginTop: 4 }}>Used as your default share-link slug.</p>
+            </div>
+            <div>
+              <Label>Avatar URL</Label>
+              <Input value={avatarUrl} onChange={(e) => setAvatarUrl(e.target.value)} placeholder="https://…" />
+            </div>
+            <div>
+              <Label>Bio</Label>
+              <textarea
+                value={bio}
+                onChange={(e) => setBio(e.target.value)}
+                rows={4}
+                style={{
+                  width: '100%',
+                  padding: '8px 10px',
+                  border: `1px solid ${theme.border}`,
+                  borderRadius: 6,
+                  fontFamily: 'inherit',
+                  fontSize: 14,
+                }}
+              />
+            </div>
+            <div>
+              <Button onClick={() => save.mutate()} disabled={save.isPending}>
+                {save.isPending ? 'Saving…' : save.isSuccess ? 'Saved' : 'Save changes'}
+              </Button>
+            </div>
+          </div>
+        </Card>
+      ) : null}
+    </Page>
+  );
+}
diff --git a/apps/portal/src/pages/partner/MyRequests.tsx b/apps/portal/src/pages/partner/MyRequests.tsx
new file mode 100644
index 0000000..2f5e90e
--- /dev/null
+++ b/apps/portal/src/pages/partner/MyRequests.tsx
@@ -0,0 +1,76 @@
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { Inbox } from 'lucide-react';
+import { Link } from 'react-router-dom';
+import { api } from '../../api.js';
+import { Button, Card, EmptyState, ErrorBanner, Page, StatusPill, formatDate } from '../../ui.js';
+import { theme } from '../../theme.js';
+
+interface RequestRow {
+  id: string;
+  status: 'pending' | 'approved' | 'rejected' | 'cancelled';
+  message: string | null;
+  preferredSlug: string | null;
+  decisionNote: string | null;
+  createdAt: string;
+  decidedAt: string | null;
+  offeringId: string;
+  offeringTitle: string;
+  vendorId: string;
+  vendorName: string;
+}
+
+export function MyRequestsPage() {
+  const qc = useQueryClient();
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['network-my-requests'],
+    queryFn: () => api<{ requests: RequestRow[] }>(`/network/me/requests`),
+    retry: false,
+  });
+  const cancel = useMutation({
+    mutationFn: (id: string) => api(`/network/me/requests/${id}/cancel`, { method: 'POST' }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['network-my-requests'] }),
+  });
+
+  return (
+    <Page title="My applications" subtitle="Programs you&rsquo;ve applied to across the Network.">
+      <ErrorBanner error={error} />
+      {isLoading ? (
+        <Card>Loading…</Card>
+      ) : !data || data.requests.length === 0 ? (
+        <EmptyState
+          title="No applications yet"
+          hint="Browse programs to apply."
+          icon={<Inbox size={28} strokeWidth={1.25} />}
+        />
+      ) : (
+        data.requests.map((r) => (
+          <Card key={r.id}>
+            <div style={{ display: 'flex', alignItems: 'baseline', gap: 12 }}>
+              <h3 style={{ marginTop: 0, marginBottom: 4, flex: 1 }}>
+                <Link to={`/network/offerings/${r.offeringId}`}>{r.offeringTitle}</Link>{' '}
+                <span style={{ color: theme.textMuted, fontWeight: 'normal', fontSize: 14 }}>· {r.vendorName}</span>
+              </h3>
+              <StatusPill status={r.status} />
+            </div>
+            <p style={{ color: theme.textMuted, fontSize: 13 }}>
+              Applied {formatDate(r.createdAt, { relative: true })}
+              {r.decidedAt && <> · decided {formatDate(r.decidedAt, { relative: true })}</>}
+            </p>
+            {r.decisionNote && (
+              <p style={{ color: theme.text, fontSize: 14, marginTop: 8 }}>
+                <strong>Vendor note:</strong> {r.decisionNote}
+              </p>
+            )}
+            {r.status === 'pending' && (
+              <div style={{ marginTop: 12 }}>
+                <Button variant="secondary" onClick={() => cancel.mutate(r.id)} disabled={cancel.isPending}>
+                  Cancel application
+                </Button>
+              </div>
+            )}
+          </Card>
+        ))
+      )}
+    </Page>
+  );
+}
diff --git a/apps/portal/src/pages/partner/OfferingDetail.tsx b/apps/portal/src/pages/partner/OfferingDetail.tsx
new file mode 100644
index 0000000..efda777
--- /dev/null
+++ b/apps/portal/src/pages/partner/OfferingDetail.tsx
@@ -0,0 +1,134 @@
+import { useState } from 'react';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { Link, useNavigate, useParams } from 'react-router-dom';
+import { api, ApiError, type Principal } from '../../api.js';
+import { Button, Card, ErrorBanner, Input, Label, Page } from '../../ui.js';
+import { theme } from '../../theme.js';
+
+interface Offering {
+  id: string;
+  title: string;
+  description: string | null;
+  productUrl: string;
+  heroImageUrl: string | null;
+  vendorId: string;
+  vendorName: string;
+  terms: {
+    commissionDescription?: string;
+    cookieWindowDays?: number;
+    payoutCadence?: string;
+    bonuses?: string[];
+  };
+  createdAt: string;
+}
+
+export function OfferingDetailPage({ principal }: { principal: Principal }) {
+  const { id } = useParams<{ id: string }>();
+  const navigate = useNavigate();
+  const qc = useQueryClient();
+  const [message, setMessage] = useState('');
+  const [preferredSlug, setPreferredSlug] = useState('');
+
+  const { data: offering, isLoading, error } = useQuery({
+    queryKey: ['network-offering', id],
+    queryFn: () => api<Offering>(`/network/offerings/${id}`),
+    enabled: !!id,
+    retry: false,
+  });
+
+  const apply = useMutation({
+    mutationFn: () =>
+      api(`/network/offerings/${id}/apply`, {
+        method: 'POST',
+        body: { message: message || undefined, preferredSlug: preferredSlug || undefined },
+      }),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['network-my-requests'] });
+      navigate('/network/requests');
+    },
+  });
+
+  const canApply = principal.role === 'partner';
+
+  return (
+    <Page title={offering?.title ?? 'Program'} subtitle={offering?.vendorName}>
+      <ErrorBanner error={error} />
+      {isLoading && <Card>Loading…</Card>}
+      {offering && (
+        <>
+          <Card>
+            {offering.terms.commissionDescription && (
+              <p style={{ color: theme.textMuted, fontSize: 14 }}>
+                {offering.terms.commissionDescription}
+              </p>
+            )}
+            {offering.description && <p style={{ marginTop: 8 }}>{offering.description}</p>}
+            <p style={{ marginTop: 12 }}>
+              <a href={offering.productUrl} target="_blank" rel="noopener noreferrer">
+                View product →
+              </a>
+            </p>
+            <div style={{ display: 'flex', gap: 16, flexWrap: 'wrap', marginTop: 12, color: theme.textMuted, fontSize: 13 }}>
+              {offering.terms.cookieWindowDays != null && (
+                <span>Cookie window: {offering.terms.cookieWindowDays} days</span>
+              )}
+              {offering.terms.payoutCadence && <span>Payouts: {offering.terms.payoutCadence}</span>}
+            </div>
+          </Card>
+
+          <div style={{ height: 18 }} />
+
+          <Card>
+            <h3 style={{ marginTop: 0 }}>Apply to promote</h3>
+            {!canApply ? (
+              <p style={{ color: theme.textMuted }}>
+                Only partner accounts can apply. <Link to="/login">Switch accounts</Link>?
+              </p>
+            ) : (
+              <>
+                <ErrorBanner error={apply.error} />
+                {apply.error instanceof ApiError && apply.error.detail && typeof apply.error.detail === 'object' &&
+                  'detail' in (apply.error.detail as { detail?: { detail?: string } }) &&
+                  (apply.error.detail as { detail?: string }).detail === 'request_already_exists' && (
+                  <p style={{ color: theme.textMuted, fontSize: 13 }}>
+                    You already have a pending or active request for this program.
+                  </p>
+                )}
+                <div style={{ marginTop: 8 }}>
+                  <Label>Preferred share-link slug (optional)</Label>
+                  <Input
+                    placeholder="your-handle"
+                    value={preferredSlug}
+                    onChange={(e) => setPreferredSlug(e.target.value)}
+                  />
+                </div>
+                <div style={{ marginTop: 12 }}>
+                  <Label>Message to the vendor (optional)</Label>
+                  <textarea
+                    value={message}
+                    onChange={(e) => setMessage(e.target.value)}
+                    rows={4}
+                    placeholder="Why you'd be a great partner…"
+                    style={{
+                      width: '100%',
+                      padding: '8px 10px',
+                      border: `1px solid ${theme.border}`,
+                      borderRadius: 6,
+                      fontFamily: 'inherit',
+                      fontSize: 14,
+                    }}
+                  />
+                </div>
+                <div style={{ marginTop: 12 }}>
+                  <Button onClick={() => apply.mutate()} disabled={apply.isPending}>
+                    {apply.isPending ? 'Applying…' : 'Submit application'}
+                  </Button>
+                </div>
+              </>
+            )}
+          </Card>
+        </>
+      )}
+    </Page>
+  );
+}
diff --git a/apps/portal/src/pages/partner/VendorDetail.tsx b/apps/portal/src/pages/partner/VendorDetail.tsx
new file mode 100644
index 0000000..fa492ec
--- /dev/null
+++ b/apps/portal/src/pages/partner/VendorDetail.tsx
@@ -0,0 +1,46 @@
+import { useQuery } from '@tanstack/react-query';
+import { useParams } from 'react-router-dom';
+import { api } from '../../api.js';
+import { Card, ErrorBanner, Page } from '../../ui.js';
+import { theme } from '../../theme.js';
+
+interface Vendor {
+  id: string;
+  displayName: string;
+  instanceUrl: string;
+  status: string;
+  partnerCount: number;
+  description?: string | null;
+  websiteUrl?: string | null;
+  createdAt: string;
+}
+
+export function VendorDetailPage() {
+  const { id } = useParams<{ id: string }>();
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['network-vendor', id],
+    queryFn: () => api<Vendor>(`/network/vendors/${id}`),
+    enabled: !!id,
+    retry: false,
+  });
+
+  return (
+    <Page title={data?.displayName ?? 'Vendor'} subtitle="Network member">
+      <ErrorBanner error={error} />
+      {isLoading && <Card>Loading…</Card>}
+      {data && (
+        <Card>
+          <div style={{ color: theme.textMuted, fontSize: 13 }}>{data.partnerCount} partner{data.partnerCount === 1 ? '' : 's'}</div>
+          {data.description && <p style={{ marginTop: 12 }}>{data.description}</p>}
+          {data.websiteUrl && (
+            <p style={{ marginTop: 12 }}>
+              <a href={data.websiteUrl} target="_blank" rel="noopener noreferrer">
+                Visit website →
+              </a>
+            </p>
+          )}
+        </Card>
+      )}
+    </Page>
+  );
+}

From c79586851fd03536f69c7b61a3fd0d289fa92cba Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 00:52:22 -0700
Subject: [PATCH 033/131] feat(portal): multi-tenant landing + signup; brand
 assets; URL prefix strip
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The multi-tenant build was 90% backend — `/install/status` correctly
returned `{ needsSetup: false, reason: 'multi_tenant' }`, but the
portal SPA had no routes to handle it (everything redirected to
/install) and the backend `tenantMiddleware` resolved tenant context
without stripping `/t/<slug>` from req.url, so downstream routers
mounted at root never matched. End result: app.openpartner.dev/install
loop, no way in.

Backend
- tenantMiddleware now strips /t/<slug> (and /api/t/<slug>) from
  req.url after resolution, so the existing partnersRouter.get('/...')
  registrations match cleanly.
- buildMagicLinkUrl(token, tenantSlug?) — sign-in / invite emails drop
  recipients onto /t/<slug>/auth/magic so the SPA's tenant-aware api
  client scopes the verify call. All 5 callers updated to pass slug.

Portal
- Multi-tenant routing in App.tsx based on install-status.reason: '/'
  → LandingPage, '/signup' → SignupPage, '/t/:slug/*' → Shell.
- api.ts derives tenant slug from window.location.pathname and
  prepends /t/<slug> to every fetch — single-tenant unaffected.
- NavItem uses useTenantBase() so absolute paths like '/links' route
  to '/t/<slug>/links' under multi-tenant. Sign-out + Shell login
  redirect also tenant-scoped.
- Brand: real logo-mark-green.svg in Logo() (was a gradient 'O'
  placeholder); favicons + apple-touch-icon + og-default wired in
  index.html.

Operator: still needs to set OPENPARTNER_TENANCY=multi and
DATABASE_URL_APP on App Platform for the deploy to actually run in
multi mode with RLS enforced.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .gitignore                              |   1 +
 apps/api/src/email-templates.ts         |   8 +-
 apps/api/src/routes/admins.ts           |   8 +-
 apps/api/src/routes/partner-auth.ts     |   4 +-
 apps/api/src/routes/partner-signup.ts   |   2 +-
 apps/api/src/routes/signup.ts           |   2 +-
 apps/api/src/tenancy.ts                 |  21 ++-
 apps/portal/index.html                  |   6 +
 apps/portal/public/apple-touch-icon.png | Bin 0 -> 16365 bytes
 apps/portal/public/favicon-16x16.png    | Bin 0 -> 732 bytes
 apps/portal/public/favicon-32x32.png    | Bin 0 -> 1814 bytes
 apps/portal/public/favicon.ico          | Bin 0 -> 15406 bytes
 apps/portal/public/logo-mark-green.svg  |  10 ++
 apps/portal/public/logo-mark-white.svg  |  10 ++
 apps/portal/public/og-default.png       | Bin 0 -> 83870 bytes
 apps/portal/src/App.tsx                 |  74 +++++++----
 apps/portal/src/api.ts                  |  16 ++-
 apps/portal/src/pages/Landing.tsx       | 112 ++++++++++++++++
 apps/portal/src/pages/Signup.tsx        | 170 ++++++++++++++++++++++++
 apps/portal/src/pages/auth/Shared.tsx   |  25 ++--
 20 files changed, 410 insertions(+), 59 deletions(-)
 create mode 100644 apps/portal/public/apple-touch-icon.png
 create mode 100644 apps/portal/public/favicon-16x16.png
 create mode 100644 apps/portal/public/favicon-32x32.png
 create mode 100644 apps/portal/public/favicon.ico
 create mode 100644 apps/portal/public/logo-mark-green.svg
 create mode 100644 apps/portal/public/logo-mark-white.svg
 create mode 100644 apps/portal/public/og-default.png
 create mode 100644 apps/portal/src/pages/Landing.tsx
 create mode 100644 apps/portal/src/pages/Signup.tsx

diff --git a/.gitignore b/.gitignore
index 50315bc..97bc285 100644
--- a/.gitignore
+++ b/.gitignore
@@ -16,3 +16,4 @@ coverage
 .nyc_output
 .claude/settings.local.json
 *.tsbuildinfo
+.claude/
diff --git a/apps/api/src/email-templates.ts b/apps/api/src/email-templates.ts
index 571c5ad..69846fe 100644
--- a/apps/api/src/email-templates.ts
+++ b/apps/api/src/email-templates.ts
@@ -5,9 +5,13 @@
  * templating engine.
  */
 
-export function buildMagicLinkUrl(token: string): string {
+export function buildMagicLinkUrl(token: string, tenantSlug?: string | null): string {
   const base = (process.env.PORTAL_URL ?? 'http://localhost:5673').replace(/\/$/, '');
-  return `${base}/auth/magic?token=${encodeURIComponent(token)}`;
+  // In multi-tenant mode the SPA's auth endpoints live under /t/<slug>/.
+  // Pass the slug so the link drops the recipient on the right tenant
+  // path; the SPA's api client uses the URL prefix to scope its calls.
+  const tenantPath = tenantSlug ? `/t/${tenantSlug}` : '';
+  return `${base}${tenantPath}/auth/magic?token=${encodeURIComponent(token)}`;
 }
 
 export interface EmailTemplate {
diff --git a/apps/api/src/routes/admins.ts b/apps/api/src/routes/admins.ts
index 0ab9d0f..352cdbd 100644
--- a/apps/api/src/routes/admins.ts
+++ b/apps/api/src/routes/admins.ts
@@ -38,7 +38,7 @@ async function getProgramName(db: Knex): Promise<string | null> {
   return value.programName ?? null;
 }
 
-async function sendInvite(db: Knex, tenantId: string, admin: AdminRow): Promise<void> {
+async function sendInvite(db: Knex, tenantId: string, admin: AdminRow, tenantSlug?: string | null): Promise<void> {
   const issued = await issueMagicLink(db, {
     tenantId,
     email: admin.email,
@@ -46,7 +46,7 @@ async function sendInvite(db: Knex, tenantId: string, admin: AdminRow): Promise<
     principalKind: 'admin',
     principalId: admin.id,
   });
-  const tmpl = adminInviteEmail(admin.name, buildMagicLinkUrl(issued.plaintext), await getProgramName(db));
+  const tmpl = adminInviteEmail(admin.name, buildMagicLinkUrl(issued.plaintext, tenantSlug), await getProgramName(db));
   await getMailer().send({ db, tenantId }, {
     to: admin.email,
     subject: tmpl.subject,
@@ -80,7 +80,7 @@ adminsRouter.post('/admins', requireAuth, requireAdmin, async (req, res) => {
   const [admin] = await db<AdminRow>(TABLES.Admin)
     .insert({ id, tenantId, email, name: body.data.name, activatedAt: null })
     .returning('*');
-  await sendInvite(db, tenantId, admin as AdminRow);
+  await sendInvite(db, tenantId, admin as AdminRow, req.tenantSlug);
   res.status(201).json(admin);
 });
 
@@ -92,7 +92,7 @@ adminsRouter.post('/admins/:id/invite', requireAuth, requireAdmin, async (req, r
   if (!admin) return res.status(404).json({ error: 'not_found' });
   if (admin.revokedAt) return res.status(409).json({ error: 'admin_revoked' });
   if (admin.activatedAt) return res.status(409).json({ error: 'already_activated' });
-  await sendInvite(db, tenantId, admin);
+  await sendInvite(db, tenantId, admin, req.tenantSlug);
   res.json({ ok: true });
 });
 
diff --git a/apps/api/src/routes/partner-auth.ts b/apps/api/src/routes/partner-auth.ts
index 2b602f7..605ebfc 100644
--- a/apps/api/src/routes/partner-auth.ts
+++ b/apps/api/src/routes/partner-auth.ts
@@ -56,7 +56,7 @@ partnerAuthRouter.post('/auth/signin', mailAuthLimit, async (req, res) => {
       principalKind: 'admin',
       principalId: admin.id,
     });
-    const tmpl = adminSigninEmail(admin.name, buildMagicLinkUrl(issued.plaintext));
+    const tmpl = adminSigninEmail(admin.name, buildMagicLinkUrl(issued.plaintext, req.tenantSlug));
     await getMailer().send({ db, tenantId }, {
       to: email,
       subject: tmpl.subject,
@@ -82,7 +82,7 @@ partnerAuthRouter.post('/auth/signin', mailAuthLimit, async (req, res) => {
       principalKind: 'partner',
       principalId: partner.id,
     });
-    const tmpl = partnerSigninEmail(partner.name, buildMagicLinkUrl(issued.plaintext));
+    const tmpl = partnerSigninEmail(partner.name, buildMagicLinkUrl(issued.plaintext, req.tenantSlug));
     await getMailer().send({ db, tenantId }, {
       to: email,
       subject: tmpl.subject,
diff --git a/apps/api/src/routes/partner-signup.ts b/apps/api/src/routes/partner-signup.ts
index e55e0ac..8e4b21f 100644
--- a/apps/api/src/routes/partner-signup.ts
+++ b/apps/api/src/routes/partner-signup.ts
@@ -161,7 +161,7 @@ partnerSignupRouter.post('/partner-signup', signupLimit, async (req, res) => {
     principalKind: 'partner',
     principalId: partner.id,
   });
-  const tmpl = partnerInviteEmail(partner.name, buildMagicLinkUrl(issued.plaintext));
+  const tmpl = partnerInviteEmail(partner.name, buildMagicLinkUrl(issued.plaintext, req.tenantSlug));
   try {
     await getMailer().send({ db, tenantId }, {
       to: email,
diff --git a/apps/api/src/routes/signup.ts b/apps/api/src/routes/signup.ts
index 2ff5c7e..d77eaaa 100644
--- a/apps/api/src/routes/signup.ts
+++ b/apps/api/src/routes/signup.ts
@@ -121,7 +121,7 @@ signupRouter.post('/signup', signupLimit, async (req, res) => {
       principalKind: 'admin',
       principalId: adminId,
     });
-    const tmpl = adminInviteEmail(body.data.adminName, buildMagicLinkUrl(issued.plaintext), body.data.displayName);
+    const tmpl = adminInviteEmail(body.data.adminName, buildMagicLinkUrl(issued.plaintext, slug), body.data.displayName);
     await getMailer().send({ db, tenantId }, {
       to: adminEmail,
       subject: tmpl.subject,
diff --git a/apps/api/src/tenancy.ts b/apps/api/src/tenancy.ts
index 46b5edb..535fd8d 100644
--- a/apps/api/src/tenancy.ts
+++ b/apps/api/src/tenancy.ts
@@ -120,6 +120,10 @@ export async function tenantMiddleware(
     if (resolved) {
       tenantId = resolved.id;
       tenantSlug = resolved.slug;
+      // Strip the /t/<slug> (or /api/t/<slug>) prefix so the downstream
+      // routers — all mounted at root — match. Express respects req.url
+      // updates; req.originalUrl stays intact for logging.
+      req.url = resolved.remainder;
     }
   }
 
@@ -232,14 +236,18 @@ export async function tenantMiddleware(
  */
 async function resolveTenantFromPath(
   req: Request,
-): Promise<{ id: string; slug: string } | null> {
+): Promise<{ id: string; slug: string; remainder: string } | null> {
   // Path patterns:
   //   /t/<slug>/...    — portal under a tenant
   //   /api/t/<slug>/...— api under a tenant (note: ingress strips /api)
   //   anything else    — no tenant
-  const match = req.path.match(/^\/(?:t|api\/t)\/([a-z0-9-]+)(?:\/|$)/);
+  // We capture the prefix length so the middleware can rewrite req.url
+  // to just the post-prefix path; downstream routers — all mounted at
+  // root — then match cleanly.
+  const match = req.url.match(/^(\/(?:t|api\/t)\/[a-z0-9-]+)(\/.*)?$/);
   if (!match) return null;
-  const slug = match[1]!;
+  const prefix = match[1]!;
+  const slug = prefix.split('/').pop()!;
 
   if (RESERVED_SLUGS.has(slug)) return null;
 
@@ -248,5 +256,10 @@ async function resolveTenantFromPath(
   // on the appDb pool.
   const { db } = await import('./db.js');
   const row = await db('Tenant').where({ slug, status: 'active' }).first(['id', 'slug']);
-  return row ? { id: row.id as string, slug: row.slug as string } : null;
+  if (!row) return null;
+  return {
+    id: row.id as string,
+    slug: row.slug as string,
+    remainder: match[2] || '/',
+  };
 }
diff --git a/apps/portal/index.html b/apps/portal/index.html
index 046e2a2..c1826bf 100644
--- a/apps/portal/index.html
+++ b/apps/portal/index.html
@@ -4,6 +4,12 @@
     <meta charset="UTF-8" />
     <meta name="viewport" content="width=device-width, initial-scale=1.0" />
     <title>OpenPartner</title>
+    <link rel="icon" href="/favicon.ico" sizes="any" />
+    <link rel="icon" type="image/png" sizes="16x16" href="/favicon-16x16.png" />
+    <link rel="icon" type="image/png" sizes="32x32" href="/favicon-32x32.png" />
+    <link rel="apple-touch-icon" href="/apple-touch-icon.png" />
+    <meta property="og:title" content="OpenPartner" />
+    <meta property="og:image" content="/og-default.png" />
   </head>
   <body>
     <div id="root"></div>
diff --git a/apps/portal/public/apple-touch-icon.png b/apps/portal/public/apple-touch-icon.png
new file mode 100644
index 0000000000000000000000000000000000000000..f32a36d290eb7d4395b26262ff770b0e55173c76
GIT binary patch
literal 16365
zcmajGQ*>lq^evuroOEp4cE>h4=-9T+ifvYGbjP+jb}Du{w(XnmH^%+rzTAhZ+GE$6
zXRos#&R%D(IU|)6r4Zrq;K9Ja5M`vrRla^3|NFo~e|-x~LbHK^p@7MVi~RBgKhuLV
z%$B$ZIJk35=^zC*Th(VNtd_RX<g42!{2_53L4*<!wwK_MfD9ZfD0G&FN))pX9P^_I
z*Mw9C(ak2=dQ<vPcF~kbWtw~RcztdaD}2gyuS_0T&$;(ZoIUzoc4c_o9!&Z=Y)(8%
zC|``o7~&@hD;BgA3{9wo(v;2cFfNx;B&Z(Q{o!#*9i??uglVRQ+r#kAvYwJpT@iHT
z3EdQ2_3HR-_JzqR-4vwDR6RN`%4x~cKEUwqusS&}D*XS1L|S%OouB9bH-&`f<@3k*
z3sttbiFEQGDnGHMjP48NWBnCU{r`k8!*>Zpl4&g2iG2H-!_sEe2v<NGp}nJ0-eYQp
z`Y#t9%Rya2E*X-tnJn?dj%BR>$+rL#rU+?Gn&=B7iN~f9i})V~nrF|y1@%7+zSW2>
zCztdW27fQ%bwl!hFvX-U3(F*d*`f{!Vx?OI_VoX=6@^1%b*mka&hQ%@G0qq|iC?2G
zOiuN<g-yz@joCCyDO!&D4_;MX2OX@2sw|hrfZJx+2ap=Z_C1Q1#Fn>2S^_Yw;_z1T
zXbUl7!R0IwAoy`(*+2O+5VZdwLd?O8=g7v1<|ME`N(;dsD*}b>Xja;%Yci<+z~M(U
zCxTEt>f578UrLb4FEM+F&@|cDye<tx&?!XpC`O~tW0;`#&AGY#ETFhgWcifxI&wqx
zPl~)iSMXpRpU$v?h7%B{02nd?*j#DT+GO`G&&oBlYWx_m5Z}p&GCa%~urgz&b_nZb
zO*5Pn3mP!y7p1Y{m(DTcx!x41rI^g(Utnn4q$0YdM5T%Z^C(e;rl2DH;K)S?C`$dD
z1Or2>DQ1!DN<TTJ@CzBY!?Lgq_h9U!L%y~UwGLUKpu)IL&v^TV+&J+?CyTrwenj~*
za5gt~R+2Qcc?c|~q7RwMAo=shq_dq-ZVlXi4{CJClmUFQ`ODogH1|`9w)46zl-Af(
zAhgUkvWCt&$Bn^?`_-0=C)$Ba6N+ky2c2@imFOE}vqGOF-seRxi=VGDs&g=W!Fi;}
zI^}=G^lR+8!BBS&4%z}eRX0K>L4{Q2oDlFF89;a8eW%DRMq>T}0*oZ$r(Yt3RH<89
zMAgLHDYkZ;@B%Ie@;^;>*Xt%H5mV)iZy#CX7d?x&_tG?vLOeY`5~Ft!%7*X`FX}w6
zgFs>KG@;EUxBA_kM&W7F{i(eBUa2XW;Qld;F{*igsad2prJ^h}_e99rk~QtAwomO)
z8@WwpJ-FG0VxO3J=jn>i<!Gn|J*qAIX|b$+5PEsNB>m7?H7c1wz+xCNSeb9UogEsg
z16jWJF(%F+?<UUBE3HesUb43dOz-NE(OOAc9p<5&R9J?THI-UK<Y*93KVv_53b~^F
zHhaBncs=oK{Rq}<y@*Vcey7C26>RbB3j!e`BJxdSa@s^s4>Z_i=ejmnOg|K;UM6Z%
z12A_(Npinu+MYDz0tKlG9%b&Dki2Y&J&%q-AN84j?|mo9vSZd$_b@h0x9N+zhs+i2
zqeM2<2q_D?x+>b7h}VXI3Zh+Qj?~Cf^f`jY!7}j_QF;6sxX%2%zZCHW3dA<nf9TOr
z17@j?*^Q&=Iq3Ex#SeT17k>d{0-5h;w3|M1Qp)@S(LO4uUf`@<DMC1j4h8Qli9{xR
zSS#i@u5<pLZ1FO4TKo#^)MfQQi}7r{_)7_T*-%&+@u+~kR<c}jDw5iWQG9Pk@#8`$
zg@WhLi!_gzIX;u|n=(-Es_ChGpzbr25TLT=jpm<Ca<sEE*3Ex8PcpoZUt8_+iQe^9
zj;Im#a)4K6v-=whYtFkcd~%<*%)jfj0!#R06;0<VXS#_yS?Be6t+d%OR%Fkf8X`<3
zMlys{+{Y(QI!$K$LWXJ}UFe^K_Mzd@xV?2f)SfJE{%VOsd;mutdPB;A!Nm3=UsD<N
z_A`Z7cE8F0q3iKbAB(2Kzq#1dxpK+%oua(F+!8q^kAK)eo5w`&uTLX0ZJwAqKr&?c
zI*W<rJW#~UT(0#)GP}WRws_nM-M4|xRdud1$W!&b``Ym+&9haoP)10W%*Pm#2_sQ3
zrZ?;9@-mdR0wq#Nj_BUi#dRQ@#m*lmetHev*H%3vAiS{;h*Rfy#G!m5Va^0@1iksB
zYV57ZPMn<b_x)Som=G5BPc4s|QEEQv7Oiid7)9$6=r)2cudgo19@4~7%{h^OHONX4
zp8q{t$ISO|nj7&J+HT`Qrr2SvfEeQ@*Vf9S%-Qf@f<8%E)6LVJM}7k%Dk6`tobM_a
zL0<7p_VB6O{?X8VzJ-=8%1f+sen)p1)P7`uxym@@%|&)uxe9$cW@dvPi43XjQgW!^
zCI{NB_J)GmaJad(l#eST5}xtVpIvyNTf72Vmq1cA%UxnUti1SzKQsMti{_GkjR`T}
zI!a`3=GbT?I)S-FVymIjn(?n~19zk{Ek9sdd5trXJux_>#i$sW8sMcBDQR}`k>+}|
z$q=`qCGn$3Eg_~8`u-JZYimmm+^Q_~o?b!h*{dHo)<c>DQJuA9=4OAFlq7G`4n^1&
ztQL~=qw}uV8f;p`&62eQWW=M|i4<&f=ewTNdGd3NN+uxMj$rV1({RudF}720|ELK7
zu{Ri*lOqx(qM;Q~8wI?h9L_Zs#oz8dBRxLd^i<w-hQ~<n6Q*e7BkL}_eAY3xosi%#
z8c?J@)sszcN6puX`$FFUktqEz56?E_<%>8+a~v(YaN_6lWV5bW5KxkI-KZrGY?N$?
z3K=Ps%7#asx<7iw*e`c}tFn7z+v3{VYbq-%+mLAb3GkCs7oI($K!FH>59r~!c9C52
zPUJq}<(o1ul17sIgV)be_34{Ng|`W-%l<#izQdX8BfY#PYyYIBt*S;$QOkn{fBSxD
zAve6#&1bJG;pcQ6LNhh)k-=iL0Ay{lv9b9SQvY?<v3gmfzx{ZL%gmI8L5HONF-csR
ziQCJ-k5b7qRwEgUK5Kz;-4j`kSl6N@7@S8taT59U?5&fCHopwv5W|a+107CE!4$i&
zz!qmwG?^54fVNuiYyn>9pQS(ZHgyETQVzRKrzY@n6MLG=wBsobmJ+anvHg7@NBlgb
z?)v4(Z(}_wV7PA2^XVGB#D`5JJb2@7lTczObvbH95&yb!`=ZQo@Tob1=NQCEiVh|c
zJc)cKfNg{dYKl)!QNPGT<3ah>r7yiHfvOc_e-rC_8KGgUK<X)zU<~`0I*(!1YWAsc
zP3DPjWOI{gf;g&tS9aXmeg#j`Y`!0lN*-8mJzC#1Y-rDt6QPl~Z@9A>^5c=4IUBz=
ze=g`ONKP)7$jBQ#x)Vu~2~zFAHzRGg?nWS7>a52Rlq3fcn0W{hxcW1}eguNOY;4T>
z<F)rP_r=O4i&uq%kdET>q{NVF2O{Hm|KO_g61Fi4`Wof;xK0bzv&r2~w9JSg8$zhx
z9#0=}wy9*Z2!r3aDW}<3im6QPi$%h_+VPKo&Yohw+_G5Qw761g-FwKpLqRMA!aRyY
zy~dY|Bez@*FH4qq8Nw~PN<n-a0|9cJ@73Aup=Uz3<<)=wXrt5A_^%mg`vrtQnUZ}V
zD2GXamlBE}>+FKUPK9E{y&qx78#cf3hEroHZ-v@U2!o-vs|efQLC^b+Ezd?tOnmS1
z0NJL3%~L`pUkQ%%0!tUc6<7g%r?jnD99%1{Cjum)lB9G*)g57+8{yf}s2!nG_$-@}
z@<O{9#9C;T?RbK-2a4;CKZ1MaTMZY8#d)Y%=Q92+c*>kr!o`{<*(}YpmqDLw2EXBK
zrbN$Jau+n+%warvq{`>m9Kg80Eh68;EC~epdv{e)Il_Bh?|pJ%^-Z;G`}}>WnsIY;
z^O{VYX&N}8GHs_XWQ6UzkfT%yH^%5(6e{rUj<sy<jadnXJ5H7f?}jydMMo{WKCH)v
z_XHLlb(fa5lbsya{owrsn{;K=O$tq8m@vH*cyj8|W^+1He`eUXcSm8Lh@Z{ukcnX!
zA#))DFZGA;*!2Hl@%>%pD1+U?+nu1K+Gud-LneKgm&H>`wuKlwyS2k<&eYWO2kH2D
zMSr*2XmZ3c+g0kZm2-Lg0<q4^wlN!3H2D-Wh_#YXG~$DvmZ!rr!f$*$jS(LcY00m7
zu#+7phno>A*TbGc<#8j;v%e(3kNK-EmE>Q)D$%U${_AN(5>JW%_*`1oi99AUuUDAQ
zAZP=PFrq^or?A@LE$5yD_)!@|hqZ#oL)=n@gr+Su97G%G>uRYtTO@}XE(b?FtT!we
zXuH+Wyx;-faX>^s!3qf?HX<UvKzwVAqSUoq;{(6-Wuy^a6=!Wj(aE5=4v{z3^QHOu
zMi&MZ0G#jHr$S?u=C0Yjf!!u9#ydqrcb?2f31J&VtpV%!?!XP!s*C^NQz7TIbpOOx
znKRPfp5aAyr40H<Xzu28-i|q!cuC+>{g$e};9gDG0={YyD)^{V=8Il5T!Np};SVKn
z<~Mj!LAkGnT+lZlQI`t-E%2l*H>4#D7BS2JZ!4e8I|ET<vUdd$UNk*b3=g(N1p*4h
zpbC(580uSa*@R@INnI%VS49SOnCmwtr?20W5_w6nW9xpdoL&Ux+?yP2uwpg8N9oD-
z-b|?tIGY`6>*}!VFikqH|8vsINk=&>;xrLe8~v*>mniz{m<(NpJxUf8Bauoh?MPVU
z?YG$ZlvSCcVamBfvTV*^sV+43(l5{r8S13gD*<{LI3I0qzLjn}dQ#7hF<7lp1qOjW
zntO!~yHl&PyZ=r?m$^*yK1(i+YDx1!TuYnFwtRzgUEF3@YQOy#<VCiB-3`UQe^;sc
zAgak<!1YJ<4q~roRbh-=^E4}+v7$j6W-O-{2`*ghHE|{wCvZcDFN3f+bAN71S?n4p
zzNy0xOqBuD9;kp`hLz6TtZ-I;`gZ3Pzv@eTRU+Sro8Gb5<XfJP)c`Xd*m?X{gw8`P
zh`0X+zG|~ca&vk9QRLik!z_mQfSm=l-^0e+GkI82hkhca|4OAreYPkH%TV>e37vZ$
z+)h}qzXeocv=<Z@!PFG;MObmnwgw;dM5tKA(AMbfNZRY57#N*ki@uFFHW~A#<}|ec
zBVB&t<>C3D`OHTOY!g0;y8PP}Ol~Xe+Vuw$ipCBf!;%t+Cy$2tx5YH<<r3OYh}M9-
z+fFGbNWhaIN>4|(iXd(;OvD(m5d<5n!jSF`Vc&VIR*=Q=Cx$KsTY5y^(9@({ff_7x
z`82zs&2PLMV>**_oSuxxgxucPGJ-iO>VYH6)?T>F$UD-93(0@xnt2_Nx4PSlKf=Y*
z*jVSp;HlU$woE6^4GnG7)JVzS!<(9)&N(V0KD+jTeru`+Rbmj-3Y%?g6iMuAd$RVw
zxd7~fj>HfB#<q;s?l>2S9q0K9Ob$cLp0t2ObO~87$T`*X?yY;X(CH+?Sf&as`2k5M
zJ!h<);2mJLN<4XyXjZJGKIa2k@iST>U+?f)?=XLggBXsPoi%)_5$bNj*9$_UXX8h`
zCIv?qCDx0VgcfKcn*7#0+v9=OgF_0>KGyEZcfraDD5XH`%Tio3S!1<J3<pZKFK`ux
zk6b`Zl(tNkW7?N9289VN1)e|m^Sc}mR{>7oE>8U#>pl#P-U-mpb7>jb@eMA=Wv}<6
z=9S}S4&O@Hsh@)v3?5)AreIUl40Q1-+eQr3{j6oI7Pcw-{%GgjT)>p%LgRm8&HLDw
zz6C-c_$K|t<i|&vt{U>|>5oXcM5N&Iv3ESdeJah(8e*fn+i|=Wr|Pb^;39mKw=w#u
zud2=Jr9Avj^4Zupv4$u&v6Soc&<G_cfv7p)8LTBBTNrcs;2lGzkyLogIWB>6^~my9
z7Yci>YT}OO;`3y!#E?~;b;~X;1o}RwY05g&>{gs^i$RO|B*cvm;rxQqd%hQM8wv%~
zva@Q}&&G`q|2CCEt2(=~FTLnv8OE&Tb>uWsKu5^wGOT-O=0I0tE3%uk8x5i6feAzZ
zsUDV?;MJ}*Qb#4hD}XhA@nLvRA82@gU$JyTD|-ZqB84&s1-&Cj^dQKVFi73dpdy|t
ztZ%9Q=8h<zN`C9XUrtX`CEC(BK~x}s7q7NjWfK&;B;&Ma{_CnK_A%Hw2+&AElnbCp
zxpK;xM@4JHon~nWo$-W>Ve@o!@Z|bipKA4w$egVaYT!gzdb`B4*oahDo?D8{4JOlj
z1?>Tb%jj>2nimulOnwZnjrTzf$F5b<<@IJbXtL7Xjk-TSU@&zYB2ZYzLwxJv?>6#y
z=mLazw!MXR5O9+Nzm8>xh|m4)spNe_tRIKd+QtTb&}?CvHZN0j!je2rITHf$2I{FT
zFGdo7);?A`*%jSWeD)EhvBT$|A(Lz4?Lze}W)VRantPWtC45h;<ddw1X8I|0TD7JJ
zA6<I0hDX8qJ(@s57C9o!ljr*yj<`QE)H5_%8zxxq2UJFY)IKMX3iHw4h!hN)@f`!;
zZ24MF;?yQ`xg8PB?HOEhl6=Iu_CV<H@bcvkR4OM8R>j)jxYrQAA-9FRqG(STE!(7l
zI%jkSOv$8t^Wb1AaXKVjjfHHE?0|h}5h4sb;SOoL&tMc3pMAjHxyMpe)WXOvuLhk+
zRY)BFRWHP3z*3+(VUK`+A*c;KMa3Kj<53uuby8}&6El8<0`ZFF!AVZej|B^9gNng{
z<kBx6?EQ}`Rwb|<C_qj9l%fsma!|NGj=#<{!oYSSgGN)~mC?li?Z@)4!=sY$K&@c;
za9;&MNe#P$^PRA%UvyyacpRHUv+rgaET(>}$gwOy>mD;u1n8(eZkU$z@8Ytl+Mt6u
zx7?g4p%xUlM84QkTEA*&DrcageTxxts_iC8IIjAeGu*ATj;;~ya+HK4{zb7}!J_JU
z(P=j~y9bUXAo_Ni$1F2>Pa|b#T-p*vYEM6djj3b}&F-%C8vagp0|A`<)a|#LIpnCj
zh<Ng%5Cdb?b9s6td!df;?F3mQuBYxfY%W37aT#Twx(S#0gau1NYO1Or6?0zS0O2jP
zT&^Zvna#w&LeMz;favrJY^r<r9GnN-Uw*6^^loO+H096_6>atV4tey5sTlU0*m$-$
zW!!IoAfJpxa^l+lTGnUP7%<YReJiTWsY)iQB=)AoEwY_);FJ2V12x@Y5YHlt@&R>3
z#Ix()B|`U2jy!d+_kbWTDETsin6w+2OWaX|o5fL+uDOyjOWR81C`*&vbIXF+goVp*
z`wK$sd@Br3q~Oo*3-nQP^vo10HEdc6S<{~UZ;q;}pZrRdPlU#7)%_Q5Ce>(2OY!W&
zM*%!`5oCYuY?6db$d+cg9OaU<4eA2xKYNA_<eCn%Fr{{p<g*fCDSL<cW)8B%=dM#M
z^WJ*<**%yUYckZ)DnFcLtoAoP3@3|9_M4EOgVj9JAS<ewkkpBxo;;C#9?cFAB93Xv
zK2q2S<bQo@FEgnNbC}5HK`+&Z-qBY&=LI0$ux%Ac%UPX3Y22TiSlcX>Ql3B=Vf;PZ
zUyJmFY(tjEK04l+{o~M~EQTDoPIz;~9@?m7?SValapl;@LpIlOoSQX+xLtfJG;6$h
z;6d6YAC70(B9ASF^$YcO6dJ_N_WN*q6L*H(nbMmo+B+*kk*u(B45Gl7Mi$A;;B@J&
zL~RaYU#;eu{vqaPo}eDN-B3W|s8e6mOVaG0aM^D!6TY<Nq&q&5<%C~_p_~!Kr+bgz
z!w*bCY+ifnQ$%a^78Z^VL3Bd)_f6vLJ8!DYO-HX^o&-ca!^H*B)`}ky8LC!SVn|%%
zO~uQ$T?%&$-w9Vwjd%`s<I8XxYN&a4-&?OaS=HZ&`A{z%Ru$dICS&`5*N7F^A)v{i
z9-<NjB>YQSYg60bk`qlfqO+xIX?Tl0#LBLD_B4A1uVv=zW)Eb8s`ZCDSRFX3uOFl=
zabd!$ikHv_h^-vsc~d06u@TwVUIdNjg4bktu8xM{t)gwp^@ca2-yxkpQRPYbBgrlW
z^vc_0JSQ1C#!LQdv4oW`&pox|C5}DBlMZR+ZBzV*dyF4lo>eTab8bnNi-Yv(Q1+=&
z8H#Y5Z)*^IZiYVJ@KN8s!V%CfXD39lvpeDs+Y4}#CRSJBeLVEJXe(P&{3Zf`AmUZb
z?|k4~xZueRu^`EFh38bK^=8}T05H$o@ig{&Oc%zEgVLH~HT{E>*Xx5PBrn1SjomsZ
zLN7>3*H#0}ck(b{=nUM;*4Ywf>;DV`;coFfp5tcXCw0eSN56x-2k3Ep^~i-1ndli9
z-X^F*_4Rwf%{Ql$Hh2w0`phJ08Cvy4Xmkf_O=G17)kvD{bX;d<YACbkt@;e@^Z?@`
zn_Xc}n3&^oL24TLk8d~w<~tFpk6^l}K6h0Ik+XzzuQ`es7jhKtTLN>hc99Fr54m#C
z@Cs#OR+G7S_@K43+x2iRaZKBzNn{9S?MD8HB)wZGb2?`<C@JuzG9`We588(MPVhnh
zoP0fQT33}M^P~fnAEaI`6Tln)%fjeEQO*gX+s%SdCmGaRzff|&xuN*H&UsOmBNFp8
z;o29;lvjutR~uWX-YLH2ip4ym{*vIPiClpoj86=B3-*;oFKIn9e$wOFM`+}5{4rcF
zl*EeInMmzX@}<o9D=?wTztYs70(Z4u?xlCE2U-8zb-iim>(0+d!mHJ3k|#`~5-~2A
zU6wdy$HuLNi=w1%_fc9G$|fuIuMe64fF(Wpmv@|tF*}25)|I!|TEmqzhJ$bnmbvK(
zq&C}|kTXrm_|Bw|$L1NaDd*wVS=rk`Dui~AgcXXg$dv2cl-A!`=(mIZfJvc^Rz~C%
zv#%37YT?p0yVpmpLyk1Id7G_|14MvN^fP!BDRk<w6p6IHEx=PtH2d*)Ubs^s!km>=
z(x+Gv>4f_P#}g?GOc1BJvl~6e?0EwgUg90aMbzMj{xUxK<TjL#F-Fkmf<h$7zuJ?(
z$H}BV80S&lrSXWs{G*Z*N;Ca1SrL3a8S9J%+$aYlM|ttVG(2()UEAX+-e-qx!$+JE
zVspcsNNu%Xrg%iK0XveDizzF9zz^x53Q^q@&v}mbwNxI6)z9c*PNKBZ3D+FTBngTz
zpgHJSjZUwLID3QQt45gL#c{ElQwK5Okd+#|z9+{#hP}8j=sw-+u`2fvfacf*FpR6j
zZqS!gPkna6=DJpHMT$3%N711>2nlAJ1h%_2_!Qx7FwXuo{80HbQKo}AO0+1CF`d0S
z&5Uo=^<rtBYdDJi^LzL3<)>wIN7{D>KA2$oL9wOegvs1ZC}h_PgUw=2R0Ov0UFAna
zU3TM^eBh>jmpZ-&HT0Ezd8Pdq%?s}fB}923lLm=|x}~eGervFbhh%;$0pKnZ1xk1H
zWsqq9#+Z;;f}ND_pi9K;fUmnJY<Vd5r&1j{c03^Gh)Q*O>yWZ29E|*R<A0D0A~|+m
z?z~D$`U7AC#Wt&CcxksQ$TKoV%W9p5i|jTO>tz?tx0zRzK&4~Sta2D<s`!@1;*?Hg
zoucI$tT^_gmF@w=ZLM66Z(+|dt60ITPMlytOk)*(<{5l55K;q;hJQm=Y3_Gv80Pbo
z|1v#d;^{}vYS=NwOEy;qGmqkr_6(W`n94NR7<U2HYV2v)mE|bW($VV9G5uqaoDE27
zJ8V2~%)A;I{?OmkbgP6g_*fS&oF?L4S#@AB)=&5&BwSOAt~L#-hfqJH;$C~lvSlqZ
z(qaus8lIK1!2)1TykNC_{RAS<9-lWm(L;H==eJ_P*nzwgL#!f4&_r0=9p~yRva;Ke
z156^32e&a+i>aW4t7Tdi+L+%U%yqAg5!!b?R}2mP9LStQSBrBsY-6Rmc>Rg!#cG2s
zhZ>o7ws4Hi>NU;f{Ym4}jeKmSzB9Q;Qt)zClHC?L;X@iFoUTX6iBwYhtXsU46-d-*
z1QfUo1H%K1>M%VpgH_Z+L}RPdQ3Bq><@uM?tOtVeN-cdOZxmM(l#RZAY@mZ&E9#1f
zah)W4SsUJbbtH+QVd7s*%sd_Y>XtO%uN1Idrj;PT<?!u+R!<#xHfO%Tz(B6Fc~Iz(
zuFM65UDnA`F(VOj9~Jh}EGv4A$RTc8_w3XOebX*LbEGwdSA@{Q{DFq~CoA_?_v`vv
zV(FW@$%T)&Q5wwq$Df|N01Lm4{~A!0=#S*!<g39m+I+@OqPI;$b7SUW=vBnW%LgPG
z^yKP|>Y@aV`RY8Cx({)oQ&6*!NaTQEzFK^B!9HvC9^HVAdfdPGxAuAFFGUrwsDs7U
zW)HRoasxsck<;XBq!{-s$d-j^)<1JZDY)`(OVL6{?a1u^BF#mMnp4#uL7}n_$gL2|
z?8FsWz*GGV4rsJdAs4UUC#r9&^FG+_evFz_3zwnwtM}%-w@Er?GCd+;Fa=y|6q5-y
zqeP{&e}lKss_RctIod1~c5|qCDl^;U-_Qg-3MY6CtiofiIt@?{JeTXV^vctEX1s8C
zI*%zU(P$j@k{ec$sSk~Vs!${v6)B4i*exaKHpYJL3hQca;1K-HTD%_vO3XIEf(4CT
zXF~uI7nl*>@N?gCUf$c$4|s?aN8c^WqjJqUF1<{rW&UKDw~G8C{qZ*-V2ep4B#rIS
zP9Mr!LZ0ZviRGGZP@F5cbEAv~6f9Vw!%<lg3=9!%kIxI^{LKZZtgL*~l(uzfgOvVC
zrPS_DcboEZe{gW{{iPW?B}2!!06p}%)z&(uYy`>9j^0j3x<RH}!ZL-;JZagLe6B^H
zvXd@;I6Cgq8m9F;jTW{c--7NgQ=Dx&`3!FQAa}HxI^>GK^lnRYYIkrT`+su*RJ)VX
z!Mw}vAGlg|sfYzqf?8RcmV;*Cy7i9R_M+eO+_44-DQ+@Qz4TvId|>>a-j6WOk*alN
zY2@EEkLN=Nenq^sLmk;gpFkgX8vV`wC3k3NFeSfNpDgb^A*eIybsBMYlU}-uFRER2
zGyfCDSdpiDFBHdV_T0rClX0ShQgxMA!wD4`8*Gl$lt;6;<x}`TcHfdU?t2Y_$b31F
zu^NLa6rx?mPf$F%DLF!=ThO986b+UxQ4J(&qxrOqnB`C}yG>?oRmm3ttO5T^b=iY{
zO<aCRx^wM$G?V*p+q<Xpi|)bVt)vE&Us+4&ZlQ0k3D7rLDdf{vdA4ryOEON`Qz#QH
zr2aUyX<pkj^#8T!Wosllzj^<op*EyXi-;ahz1yzO3`)D+bQ`Dq;HR)H`>T57K~_pR
zet<_)A}n$GMbTD1v3h}BNH$oQ?xnV9K(y~fbl|CKuP6ILQvM`4$23i&4L;HLxX!&l
zP49ThQ0xkFMv#{Qerl7Foh3$OU5c$h+EUE-u)3sK19#Q)(Onksrc68>uuY1~k)CFr
zT&z8ZI(D<e0p4!e{FPqhwVC<(kbTSM4+D((I{%j59kY3ui^;#}BYM%=2_`P0bMR1E
z{aq&m{3`HL?UIP5^ELqrjT4f4MqKXkh@6#%<0mH*$)>gr@~m@{fx=Di<gs0p(1KW5
zFb2)K(Q-?@fkV%~WNvsHX4w7To;Yi3CjITe?H+r5MfmlFD($TDYW#%AoM`iZN1*hK
z@HhR`Ax%1$+2y(i-szE}OG&J%(;3xG9!a55Hh7)6PrCFsrJLY0wSQU{L^jmTE)w#-
zU7!_pnh&_bRl<}pW5fKpJoJy7GJhtBAA*To?ix>&rdQX%NWTOL|4<4ucb_;ZnLOpl
zBy{7FJpRZC9|6!nJQ+I=*aF<zPL*onHLBcR?!5Cxkuh`9!VW{t%zUa;DAb|W6IT#Q
z6q7k1G*<_kp^{mgFFD-LruqRX=6>Q~C%C^FHm{~7C*AUjtWwf6K{8~nj+p}vRX<;H
z&!e)oTHpMr>Q_#{#(AQP5OLGTtPlt%6B80C({4K0!ORx5_g1^T!>}BlP?GN7e+`2i
zNDVwGfV*EDmwdYy#c8qKUH&H0=M!Dg3>UjO2T$Z^SIJh=Q+s<m|E#ky6%p|1F|fDz
z)3k6jBzkxks_+;_+}P_Io1{hiq_0Q24UuY@qQY~^C0{@rb_Z~H2lQ@BgW;^uF5ELH
z%An4j2qc1lV4B0sdFdDbv*7y;=jcpKh2R#g{=7t6foS+GnN-D*r$hZpiNs`&YfZL+
z*^Zpj8_t%@-)PrvNwvV(%-dFDxwd_?AmLGhyf_bqZIV|0*<OUu4S>V_i7t7(m{;(<
z!dBw0fA^c3!}1LgI<OVR?gq@Uy57hI#)CklN4wTA@Vq}(y56fF{;F>k;u29u9#NKd
zM`|ek^X;VDdH;T9TY5Lsh2@sL?;jC;AUiyxIeV;x^m?7%EXqA+X$Vn$3F<60gB?L9
zVAhhpsHgV7rUVd<FpiPjLaLgcgXi#q%}6wlYu2@R{fXVm7qk?zR~Xx}p~xa~&^zB6
z)3LU{Va4yvoVYO=$}<)j`urQ;5`ma(M=$+wovJXtsV>Mnj9{NX?RRdoE8!+0>-ikv
zxIFFb%c5dAS<R&hnzo1l(#U-;6vBt4-u<b_N&AKo%(N{>w#^>(&NPKUcgKXZME}{3
zt6l-2q7+_eTUO&~63dA2Z-M*7cjBf##PQ+o3*rZ#3$2nkdv!!NA7&B~5<|)e`l)Rc
z&U{CN1NPvES@G_j1n#FlTjqx-fwo23#)uv}*ZxfGYbR}K{3kKO`47qV6OYai+YQOm
z8x-Qz)F`X_25_|NjX#PAEH<oFOnq|%>i3nQphU7DI$&~M-KVmjcqPVsCkgrQ2FB|!
z_f2|M(c4QdbBepa<<znv5-acDZY*eEtG0ADzEF9Ob#EBrJIp)*?0)X|G+uM<{-!7g
zAO;PiGS*Wbap;{Ct8c*Hk`r@eG2)nQT48*O+VD~<6r3kqD)<BT!>z8Y`l9=96*_$9
zL<9B_pH;QAR!VaU=u%g$LQ!-K4otUebl8qDO{rLqc!nr<wYNog_>J1FL4_-P+uoWX
z2UqLw1-2T&xY<{00zaaj2a=K^)jdo-R9-h`kAmRjUk-Z@NFQK3^>1HXycHpRQ0&^x
zsulL4-;^R4q8SNIp%`49jP!5v<gol(wXhnn82`|3c%^uUM=+aGEm0&)^xeh3H95z(
zoyl<&HF)kb6xRWR>N7iY({bau|M3O=*WHgFUWOs`5CDX9&l+{yg;+TC{8@O$2eKl3
zW3r|aWSM5ak?QYbw!_m)Uh+kon50&X%DA9ms>(bUHHYi91*8{KTuQ*S*p<rkesoZw
zELZT1pYe`JrY|r&cy(fv|2!2ICxp37y*cQ@MF>~K`2*rb%ec+(q;M7K*65-XKh_Nw
zm3OEp7Icxf+Y-9zZmkm}iPLOZV7o@3q)cx2!;;TvZ>T-r_4o(DRA5T?4$xqWoEunO
zU4``GKNLA?mcf7)XfL*$pgB#l%w!0M%)Z$-D8e8#oz$fn(r1nLr02!Y|3M@lx11|9
z2N0mmV<oO1{e!QN*t3(z`#XNfFy(`hq*OquB^=>4`%pXcK+SF3Fn}8*aoe3g^7svP
zQaC%p5|M@d<J{@!Y{%apP0Z&xTuJ;<4q4RZSMDR-1sg9uG%rRw#Zf2BpvwwKw6O@Q
z9zZowd_f8QEp>8?yd_}bT!`|<sBS+j?TDY_$5%rRTDr${G%4}g@!d__8SdnQNFZYo
z{#tEtkkfB7U~@F{`OzuiG2SsR{s<{Emo@Lnjl4b>lHU3><tAHE6!BOk-@Zs`n7nb8
zm_rJmC}tSH+w{XCKcd{#%GQxRk$VfiFT(d1KY_Qp*L@FggaPT<_D+dIVdC=uBagMZ
zlh?Lr6cPeJ5WCp7w~rtaUU=2PO5zYMv1RwVYAsa~qgSeVR)ZXwZLN>A0o2I*dAe8w
zz$qHpvV#k?tX!Pxx|V+DR)DhQ5QCCy26z+Jy%aD4u9Cz%e-}5_uSMm=auHVkwo(sF
zfA+A9ym93yZZ&Xdb)BqfZM@kCQ8ZLissTev+*u-mAMn*Dqh$6J*AH|S!ieU~CW>Cr
z0G4>_pqZdalDTnSTOL))><$Z5c8&RV`cknHIuu=our`ouPs>~R#Q;R_-xNI!rnVi$
zW*Usj3g~fpt$-BwwFuzC;i9|pJKHcbb4$Qe`@}Ye<~8Zt9dmBSX6}PmRJ!=7AeFU;
z7!;!t1ffUK-b0g8+YAm+KB1)&7rph7@K08m%mv<WawpGkqHQpU$uc4|8%AT-UQwm2
zbLJ}z{Qhsbx01!3W$3IE*rV$*Ut+eBn66ia#Ty)(+${pemsTFU7aFYUPwJFMVkeil
z5G;&XqLmX;HJC0>*wWzV@;I;40XCkZ>S1jLo2{Ib5{vY{#mlIX2fQ0q!P4ly!$Sru
zaaIA{AYL8EV%|Wxw8m;GtOmGJ^v2^#U`^cQtHCIhFfsFlN!AK%_N;<GJm{%s-3w+~
z;97!oEgbGuvoLF&A-i$lz|SvSG{`4rGLDfO1U-_qcdg56F26<1f}eyQ+JA4}vS}uM
z#${${8K+nKPj$BSNr&uB;XBdgV_iy)czIgJW8lq2G*K7wEPltbwIWzL)rgL8HXf|H
zfr`GMn?Us|LH<OHJ8v{_LZydKV2-cqoT!5n{6qm>z-$cT7ARpdN0mo(g&%x2<n_!Y
z^iR_FvTSD-{#P2af)rd}oT%9pDRUR0UFPZPOcIkGmt#Y@Q*U=NvDC-3u+l3zB6<5a
z^v^DV1@ELSgYDI=9kMB~tNM1tD5GxwltAk%WqvnnIwkdYTb<cQiCI@f)V1|e4#?r*
zE1|qD)93b@ucp?}-LVHMBWNZaq}W0Z(enD!vdwuuGy^N2i<W~e|KZokw58)~<w}1U
zgWjs8<d-Pva0E#B#q&-FtnALE)sZea$$I7eEpoux(E=T<!<oBo1dM$wEd#C{Erlwx
z_2P%#nRzETil<nNZ+vK-r?Oa#q9*Bsi@U;)=gKNPRgW0Vd8<553W|h-TVBU204E8z
zP_C708Rbam{qrR0Koa?vi20vtvViW!&KDzg8l>XyCN&7Rb|Xb=cu*I7-}YWkoy-^!
z`0QujTvd-E(I0iG3LP3}qvRDU9eR4BP9bK9EB!?X*phoEK3gP?P&kGhQanF9w>FcB
z+1WS0)T`261Sqn0Us{5qx+1B!SfG9oAy-a_>>RZTF#Il?d&|d{MYF>Sj#I$TdqTn@
zPkkt=J1^Jx)>tX8J;`w4u}Q_iOx+y209Sy0ZMmy{q=KY&SRAB*{(BGfVYtuv?l$Vi
z_~)y6x=Q{g)tGueN+o_-X|>A-WbZ+lQ7BLV4>UaA6@9C2yFkT6f2UdeWpP$PRDR}=
zq4h=Q0~WG*!O$CeNX@>n>aoP<u$l9!MS3S@H$}5rPe)0Jv9r8vq9IRrK*g6ENRk)$
zIDN|UqiJ7|-lNv74-EK_t2VgAIW<F*EYg&2#qFRTVqq%inp2LU(KMKQp;y*mlAW&M
zYMHYinNC#3zBU#&o=5;{Uo3BwXj5K)#e^Ui)&j%=W3b8M8lInuR!r*9mL#!&mseyn
zz9COU=v$#>>u_G7aY87S&tFv7`@_?9@NImqar6m22Olzu3yRr2Y|Muk@d5UQx2c+1
z>Y5cOSo^+p%aQ&CiK?FRq3-5wpt9PI<m}UdrB%vAht2C7#y{#2$_hA0_H%KZHs!(S
z$YVTXzgVpHZ>g<dk5XjBMZG`FP=Q#m*DdPRPE4!@*VAMYl1T?}yHn(helOEnxa<UE
z#ajklg~g3GzlE(9+HBUI#$^g>l6DC~cj7>riMKSoNI#Ejl80SVXx^KO7sHt>b)BVU
zYEP1cweDRYG8l@!YeWnmp3CU_qeZ-<FpA8KW{(fW;O=gkI2432wHAE*L#nY#0<^M1
zlZF4-d}Eh@<aM}sC60{@#=VYTQ#JiKp5h}*v1+^kh-|24M$XF7G8)|VmtJau&f+d_
z^*B~pLM7~l!%vGe@~0&bt-rDFq?&;Gh5R3p-^~_2X$TE&r&@*Y4IuWLF288Q4{X?Z
z1{&rXJvPkbNfAa*6Z6UKm+8bJgAg)5B9gBfh%!QnPd@AR-K=B!<lB^|m73*&Furff
z)!a>4+B|&GcKknXF7iUC4UZYfA6tIUk>tSV??$XynGCsU-G^(8P;;`dM{qyh;sO5(
z%HmIJ;v02xTUi}A`(4>|@Q42`Vj8Lfz`Tr7oC=zCz@Wt(_-7r-audu=n}N85h0o%&
z-LRz!nSjuBk=++%rV+`2p3VmV%~SjT)YI1PkQX14;DPdBV95Ue;}P)v(BD9TXl4D}
zL?l0u2lRTtM{gp_UcuInpRhu---#IVvTl%8KI(7$=?MiLa(a@xzCf;+kU%_?H%kGZ
zSc;7Ya*ayJ{75H?F$GYAU3%{KXX`?U@&JsTO!0-Wb2U7*>$(KxzKu1U@)a{w<ddV+
zAxCa58|=m$jK;&yq1V?B1BiRMU;2vT$_EI5)xFkU0b9%;YD-WHz97n{*ua6<nGy<X
z!#&a<Bs1PBWLDnf-htRmmk7n<w+FZD7`*6CCS*u!Y@{$R5q#ubEZexL4sp~x@gSI8
zNzX$#GiDi?n-TYL6Zx~%ge{qtu58fr!p=z0s?5Gb{5GwZz=>XjB?A47|JIipc|Fkm
zykR|saad84rFB@=xsjHC1@6=vYlm4z<&zXGW7pfGl3ou`^A7BVWI?56tmrbn*Y+zU
zcWx}c+ur+Ouvm%gG{Un?>W3n8Vn~$<55*gk6j^kGa1Zy@h?Ah~J4uHK45-U^9T#17
z)x`Rs<DGOP5e7Y-6D4WyJ%khcU%UtX$|VOfx=T42czBZi`4UyNsHS+!080xVj_;Vj
z*>{sdW97acn2=gqV(l^9`xrO|ugqkAyvoB7t#IAjq8Rj?3v%7KdA{`{C*QY(xvvaj
zs%>I7@PSGVz4FGgavq-^EUm9TS4|&PkcT^l_kgi6s_-{VpCK3@s?Ag%_E~ZKQzT=m
z+r=9uJtzDc(Dd_kZv4_lY}ov&Q=_mazEiMsRH)eSFga;pg|imF$|rF9i*W1QP|~kC
z=b`y-njs@Me)e^0y#!ASyry_a%zeM}J*9?C$Pvy}o*_^tDEBrdNuH^MRQhTh!;pPo
zqL$$PJ}!2%Nn#JPE|zTTr}~nLJSY?0^8rQ4ZRO!cJ2u5%wFXs7agrmlQE5%EM9S>u
z--B6C5zmJ>G9!Kt=ij6;%`oTsERHTAE$HK%^czjEdiuvXp^@j#{579$T(M6Ogel<J
z8KDKQ{8>yrhSVU!(lx`@z@W8hy?MfdK+1K(|6SC=bNSI1u;o~1#+z-3lhM|8-7jm*
z_Nq5AM9A$Us;qL-A))DXE^ZuwMddlg2OjJk*3v2`IAOXT`ig!VyH~<fC*A*Ulg<@~
znUQMryGIT>*wJdwWHZJp&ezoyWKVubmxv8~)-=r-CE(0?H=A&IxJ_RIerAK+1cp{(
ztYWZ2kx#u8JK$AM!U#ZGXc+DUXN#ZwPLm#a!qj`3gu|Jrmp2(SzKvTPvv@0b7{o7)
zk38lJ6kf=#Hp34c>Qd7Wc%*kcgthybGfi>m-`*{N79Z!wiie~JLaXAl9E>V>HkaZj
zTIIw;B*cp6(ltm(_x?F@%fF{&Wl@FCf#mai(<$n=YB=RmuWs2tHV}!PPMeoaJ+KIP
zi3sC<_LE8O#EV@d4EEtVZhpXt51CRfB<_nadH-Z(5mGPODKqg}u?@IX*Q@eKu@4Yw
z1!XGh*5HcNJ;O4bf9ggb?l&*auYW0UL7JWy*Yq0I>upQ(R<JQ^lb-Y>$q1SK1&1RA
zJVXT+Gc(*InSm3@R94i>BfFIQb1*Tt8dErD&x%|@$EL-*whvs%&fOxFn=rjB;i}WU
zCaIo8krH^-nynd|{1>BrhU?4*`a(=th?9l~uaQ4;&>9PO^#z!e?k#58_UalIMfpdl
zU|bAV5gU!0zo+0eB&@vJo}N(B7pzC`B+lSZg2G@j$qVouKhzt4U*PBxZ{QXw+z$_t
z72F!v&D`hv;aqn`?nVo`)0jPYtkcU6qbk>-oCmOzmm*H2eB00+IpKGGOOA@RDVnI9
zqdKDgmU`|ZyE~^wJA9_~;qo$Hk1iRmgW%geY*N>@Ncih`&fZJDlJ;)!{`5%#i}kWm
z3m2_GP1dWs&33RI26*0m5JxE*TiSRqBSbPcBxCfM<RDKuwChNNaYo?CO?U{Cs>1y5
zrDO^=`Jb2Nv0vr!u(WA6nYG~KjD<s50t4yf5>3tJh_KdVaKb`@ozqdeXp!?T{%)!y
zM->Z}>n)tF>0SoZ=i7ok&kxM_u<D3GV=nG=%9S+m0_C<6vrT)P0{dQ^Cn>6zZ>VKi
znpFYcbTtWpcLWF6>X*pd%U%{RFM-j0-@jilJO_R@`f84Z;|!ce{*ctX*2%k4OG{CE
zHzwKQDqujS(M?Ois=wZ)W}dVuA{QV3p1+1t6_{Z(4Vu=h@xw(Qy3NWIlzx0_{&Gz9
zmX>NkU0e3IDXR29BWB03RoV0O)+H&pV9s%Gz8;1<THuWw#L7=JqxH=Z8eVYaPd>ui
zQHUX-^EcHx!>?%@B+O53YF>9#7pDKrMojo^KMGSkLsbS+Q?sch^MJB>PKzieBvn#o
zpFKw|I@Tw~eq&$cctlC|my^1x-1+hu`TemZZQN^#FgH$)tO7I)`-nSP-JeqD`8wCg
zHIU&HEc{!Y(Y84qkW-oJ_>z}heu;V>$&l4V4?L2uGUZco`Ljb3mO{yMIt{-h(c+&^
znNpLA0=--|IJKhq_8D5TV>Y>H`#fM>?7@0=<&oDKqhovs$uT`ZRK8{!4lUE>>k@Yq
z+c@IeFmad4ZGwT8-gu{vtn>gLv6Vb9p8n)RfqLdkf;fA^#31>Z_zfQRbxeCpER^Of
zg1zeqD+KZLM~!LZFB#l=+FgwK4n)(4N64|g>p!6#xI5HB)=Q_c!p>NV?{i6!X=JEW
zp*K-fZOIuuC0bOU@9*(cufYpF8~^ox14f4^vfepp;5SCytgQBX2Fc4%D(EANo6vK&
z`7s&aZ8U$^v<ygg!}GmXmXdNv%>Z-DuQMd^^cT+Fa7$+$q+x%;I|}0>73`Cp+zpQF
z)YST|Q;5lG1KE;&QjDpC{FhNP^0O5S7$dJ*9hl+NyEL@bUE+n5?l<00oukN|HHmy4
zsbq)(>MS$Ky5*()!Jql#o`PH}FRteXe3{X=WGk7Z%J^j?H^-BwUo-A17RP=E&Yp~K
z*LjvVHXan&=Bi^oKob^2^9}#Uxh3@$uSwh{j=TyCY+|g%OzesuDRI1t398}5afj+h
zaW5EP#V!)B&vVp_RSHgB^nY5gGB5bwj27l#afgnPY3@Zz;VDK*o%pX2AaK$ZEP+<y
zzzhZ>N^P^x!1=4lW|8BUS!>9Y)St`blZAYcG79kUk~99sEfk-hAN;WWSqDBgVf@x@
zX2uykoTkojlYV|3pER3U7X2m2fezx-=!0;A-f;@7|Fiqn_s8mE_D}Q-ZuLXD`sOxs
zg_oOdZF6;b`Jd5ZZXX+Ye|%>m!5;U%?+HSxAh5;#HPtF5YeAiem#aFll}HRig(wG&
zzctUAJqL|t`b>BNH*J~}t_J)B?a+s}nOUM`L*$6mpMdW<xCl!CA)?<sCZB#(LL2Q=
z*GWZt@hn_h!fv@#Du>A|zICmqlq|_!VlQf~!*Lqj&6j8O<B&A&%#km_<~tu0x0cN<
z`0{Zddo7G5bqMAO)|P^B0l6PAcXwSzO#WFR6COKBek0upz@UhO!S$k<m&5HBtn5p4
zi5_Y+8f%N<@Qmj}abH^0oL+GlbSF;KJ~f)wLAA>Q!kikJke@m;t$UgPt#gB@Xl`4!
z69Fp#%@3XKFS?L2R+LZR<}}UvwG~$-^a6vFUCzpD!C{~X$#4*x^?JOw#O)TmrA>_9
zb_6?h$3-gU=E973Tez9Ue4Ia*D4WqvgIC=>xjz}dz^Z}9)xrewi`b$J`~xGTcbcuq
zqM~NV!SQk0l=C#{7sgeEwWHJZH(8@5HTg?x8GqSsa{xd9X%L}Dh7`*ctyBY#kGT8h
zVrCSXx$a8u)~*K4)s7T-j71Zd?OMhTzC<BDg4CSKF@AD)Ff^KkmSMJg=B1b;pTsk@
zuiN7S&8@CwPJxCC3le5(3Srd$!YK0fX=ZacCu;pi4dxCABi6H#4WxS@d4UVKeEv7H
z!nHRa#rii2vZdWrvV@`&*pV~IGeJY(X`#(!u=0@>1PT@<;s8|tJrlz@10`+!S27o;
zVX8Oqv_w`f9i1#3DqC@RAlx!aSFd3oEq$aE2^+n62ly&f1JoabFDk@ubYQejIRC~#
zsnrL<Y@rM)XaPMxz$AZ9>aUPDQFOLcCUelwJMZPrp1;L2XHPGj90!tU-MPSO(-{^Y
zMHd2|iL6WfLuB=IOqf54@M#)CXd!D>>#b4y-(#0`)!yC?h4R!#YkzJ0d~OiPSz;Kn
zug*lAc0LQjmF&cW`VL9=3Hx~jL21T`{4`#1ai6}hjsd%<dxE^Ei$PQM!K53){WSi^
z{w7_0%iK~{mRbOpz~I(AY}&`J8L#{OVQomTmX1??+uw?$VKix7YAQ^T9H*t+Il*7{
zUxFAC$Vvez(VvzhSEb*d<fN<>I-7wS2p(O#^nK#UwlG==_*yda*UHwRfnbl$?DgB1
zvo~Tb%czDu*)0JJ^!(1SxoQ7?LiE082&8I2FbA@AEYwpTH!s}ee!1O3G;KHkBWN@_
zhBQ?-w(G7sYZ#%Kh~Nkp2;d0q1QAgXmWYSNIn}iyhF>UZXYGr6zih2>VVKQKk7BII
z{YUTLZQeVvybEkhOL8q1r}=sV2M_aqPtzwJ0$1KFs*}N7!q<xv*5S{wRFT+(;b2uA
zE@$=&BEHFSP(}7-=ml!hURpBWK`5<?PVF6`Bq(t3ER)EB;kA0BG|1(t*{c9mkM34k
zBXFo*g^ckA$aw3=VrNp=d3ZUDECHHxNd=6g={{xu`I2cPN%?Ii9ct4m!g*y?%HH#~
z#5B8%Qr#2_xW!x`hcqT>X=~ct%1sQ7&;NG+vd}4>q`hli{<G$k^JQfw<o;;Zy#Knh
z=&E+YCEBu?HK$#NXtnA8H^k2Fjlj_+^*>wqV%qq%-G8Gh<5BPy_5YmIHg;_UTmOw#
z>C*m>usqDwOgSWAaxY8b7bILpY;PHd;6IGx9&p?Y_@Dc_znIk7_IupdT?qVep4exT
z|IbNnG>g)o5L=a0@|9KUWSR+Y&e#7riflYj>a_p4v;S{%8UJ|JYyZnK+-`0U=QRGm
zJtF?SKl@$hzr~li6yoYW{#*P#QJZP<{}%|YQ}Eg^#-yP5Etu+SCFD#R7hFV`|4=^~
zMdQLnlD{qrqma@T6BZ2lfeZ%r`FY++aqwl@hyL$P90H7^f)?~UWxV!l224gmQM_8z
HFz9~)5~(@5

literal 0
HcmV?d00001

diff --git a/apps/portal/public/favicon-16x16.png b/apps/portal/public/favicon-16x16.png
new file mode 100644
index 0000000000000000000000000000000000000000..453b9b1babe5aa07d62c9fa7f6c5dc72ea0e8636
GIT binary patch
literal 732
zcmV<20wev2P)<h;3K|Lk000e1NJLTq000mG000mO1^@s6AM^iV0007!Nkl<ZcmceT
zPe@cz6vodv?~OWYv?xZ?c{BdO#y4ZMs)aklTC|83V!IYe2#JI!Q4~=~42D=?6hRWT
zC?t?J(xOd}5r(U3oY95jyqS@lh%`q>-+T9--kXKgY+3|e?hnp6-#Onsa0&kL{9glR
zCI|d|>D>(sBT<)KPV^Ydu|Z=ge!^+o)v~Gi&U9-2ZZ^F*oHi1-(#iO}>{24+8Wo!|
z$yl!w^swM}9&6_rDNvR%;*WC4SZyYi=mLh2KcEj-!hVT1KUw|0IpplpYZ#xKDQhH7
zNx*eW6vn{=U3OW;5Q4H(?&SfKD9S94ZdsnkPTxaSr7$aSyw+EFy<n+VNU9fzL3U^j
z`lN>{MoinD(1PL1Kq6#sQ@b;~A<>R{J=P_#VNBEX=YfXs0|ZKXRa0kVn}D&fl3X~5
zh_g*ihgJcA>oxtpV7{g(%107q8X$J~oApIUD_%lgQdIQ-00AMOqExCs7{DnMb;#vn
z)rk0Q=EJ8KK(e0!Uu80h4p*I<oAU_4-D(BTAjop(TZFo{W*1n<ys;b~S}_(*TLt9~
zkb1HGNL#=2K++#*9S2Lcrc?7HzWr5E0(E?QQ=Sn3)5MB8R_*1{@+zKCJocm%;_F&o
z^s!~OAz=+5a3&LPL!@euJVk)h0>n8Y*a!y0Z%ETZSuo9EbBk_(t@Hsx=iWVP6p3nV
zux<lOL`gno&M8RstcZ&8N_n$B5S|3*kOTNz4rlxg`q2B?FIO%0j`{<kL4QzxT5Wm-
zpmGdAo&^*}U4uTQX_41HUnK9&xfBiDz@@vpTQoK{Zo9F|zLu7s>v?f<JulDK2P1FY
zS}A`Rl!|U1i9}2nL}WKF<*x>%1Eu*d00030{~#g4SpWb421!IgR09B<#3e8pc<ZGA
O0000<MNUMnLSTY}i9|{O

literal 0
HcmV?d00001

diff --git a/apps/portal/public/favicon-32x32.png b/apps/portal/public/favicon-32x32.png
new file mode 100644
index 0000000000000000000000000000000000000000..98663d0a0439952b54044e0426964ae29bb442b6
GIT binary patch
literal 1814
zcmV+x2kH2UP)<h;3K|Lk000e1NJLTq001BW001Be1^@s6b9#F8000KdNkl<ZcmeEG
zeT-Dq6+h?B%(A<HxQR=4XWrMayX?Fftw3qf)~XO~X-Pjqn{BI!fdVBVv`J$~i?s<V
zHf`)SEp5uW(k-TOE!2WiOtopHO_dt6Q4wa|?tsp`d2e<X(IB#{vorJV@!WACy11xO
z<3HToGk4DC{oUU^_X+rf$3*}a8TeQk$mMeN>2$j8LVf;`0w5ZQ`0mgx#e(w>-yJ*|
z5v4cg%n}p6>kNB&r{DLFUNsfWc>r>`1NDBvS;a|@aFJu4n|YO!Ut)cq=Q`^=&uf@k
zMCrq>^XZ~H^Du$jNC3Oafm}dhR^#Z2Gc!d*EJL6)RIB@ZH?#fith@t&m(P495^Bu?
z;TkUTD3a^~K}&dD$(uZi2y0ND9vbxrm$80sdY*G#K=dyZVw+|pmS~2(bKbn9tLyq3
zix)2*k48HOH7j|ys1r#}YG+pV5FH5fe>exg&!yKR;{5{T4>dFK1>LlJV^;E6T~8g;
z;;H8~)4rDrUqysJsY?25u`sw=74W=tJ4o6KfNNt$=O4HR)vh9+UE$}QTZ@IvhT(kH
z1|AILm5Mz6RRX+ZxX^MJo8AK8<%hluB6Mc}^17&zd{{ZS3c7AO>E{QR7LFadT<OZL
zTXsK6x{>v6FPC19B<>S{_p<$O%Ae0?78MJP4xro$2=k@HYXYbqWa{r%O&O0bEs1dW
zW=XK&`0=A{V)W3VnH;<WfYz91Dx-=hO1Te?gi!nkkh(=(-4lG`%y1!lt@0~oh+r)W
zu?HkX%X0J%W%vC<S{U##-nd&c6ALxdUeCa8!Z5Z2pdQ9jAMl99+C3EbK)F=;z6hEk
ztGGcj9K4@>P<ZL^7g54qAi8@;->w$6FFN@2;Z{lV9-`pyUe38*#m&ab0Rr9%<py;s
zW&|;)>jT6GG$Xkk-ZnJNezhV?D+R(bKkr<vT-;ZCknl@_2)~Jleabj6Fc1la!o5O>
zHM*7R-?C+kRQ9f}uE4NTeFWkMD4>To6JrqmIRk%0GgJRoF`k=QO#ntk&e*K<sS=Mb
zd`<G}K!mR;pA;bn5IO`?zpxy@|CO=jvRT&vU@5A1a#O*1BWBG1Gc(grbO(O~fZv|c
z*vKou$jH%Vf#MzncrYH1mtdNK1TKSYRqjfqT;;W%0pOg5hVltkfG~&=P*(kaH$g-u
z3>_5sOGI&dbF(#~;(~I}&3Viwm`a~k5DoSXvp^)$cnPm3832rzN)e?1QsgAlJC_~P
zPCn&aj(H}k&+kz|MK^N;AS@SzEBJIPJ#Q$c>{BI|d+t(Z`#TiK+AD)#;#!U$5KL({
z46sNgOa!k#$yC~f!jaD?eX11siLuQNfn3LINRPjYT%<<^!H;8>eUQQR@e|$8pInXO
z&duSWq07Qpzn5A1r#>(BjB+rGYdQWw?l-ZY0B=^twzkEmB+%_bh92@>bgodgvr^L$
z9|FM5t!63>YRJ=f0AP!5C3gakn0a^;Q1Ao<)g%0j`+V2gTyUKpSuclpvs|ehS;t{e
z$fZ{SK~u~~^o#2Fcn=_~aQR!VoVscMju3u@Vf-H#*yrb+ZeI6`Fg(R4*ru6@->5jY
zUo8+-6H4UXP&UM_K(kV}LI^%f1X-3CGwf4<OEt^>UPnjAMA6OOz^DH;33&_WRfLgP
z#7%)e3jyxR<<c#xkOC2^3w1~-_wc>F#&`a3S<3mEnXGMoBA;mm0e=C&nhukL^B0Wd
z981&etZv%B&@FqTVI{Zf^Aaz3-oXY2eH%e_cL?#jy8hNxs3rv6Ol;#rJQfk+smXhW
z*4B;_Mm)7svyyk|R&qx?o*GsA6bhNkClLQj5_Zdq>{Yh2!XJ@u1p<y03(n(yKJ(LJ
zZg91icQ&&0V$h_X;Eh!ZJ|8vg$Is@}04OD9*c%CG8z3I=-Jw5?c+T|-wek^vpgb?T
z#CHd`3ldKXz~AeZy@?`$WQI`1)P#s#*b5SO1EE2Jz99sBPK3b62rcKFrIvMtQ;VJa
z5tD0e(aq#<WoaS_AV&g%`%pHW=1or)n`e%rl>LM>CaS@wqRf~|;Hx2C&jCO{0aCsa
zvl4&Q;`VyYw7<>=yD6sIcgAALXF2w~`3?Zet9LFaa^h{8VRwXQl;@Nx6P<MpvPm-&
zZMtD^ingT+Do#nAj7R_s!Q_x2&#O1-ns&KhLQBh)XWHAZe0lEN)Y!XK2qR6fy`Eo5
zRS7e&iS-XOF9_hhDm7cl(Nkk`Hp``xGW*mS+6o_Fd?*0C52aG6u_;n!`}>|B7Qp-7
zXu80Q06umGrlbC>{Y?M>0RR6Z9O-@l000I_L_t&o0DAi)ZXeQ&nE(I)07*qoM6N<$
Eg21L=9{>OV

literal 0
HcmV?d00001

diff --git a/apps/portal/public/favicon.ico b/apps/portal/public/favicon.ico
new file mode 100644
index 0000000000000000000000000000000000000000..bec8ae8a6d14bb8dbb1e2f55b02c3e469185372c
GIT binary patch
literal 15406
zcmeI336NC98OI0liU+|&jT((a6Qf2g;%$t9cps>VF^L)jC{ghyViduHXhgvKh!={Y
zhFFLi(Zq|eiBu`-ax6PL^JZsf-aWg^!g5~`nEd{4w#Ub^93oI<YNqOKzt{csclFoZ
z-}iNIBGD<)InlLig0fqp|JI4b(TPN&Tes5pfx9FUqp9oOy{-L#MB>BU5{UzWp$k1q
z^%P&pUox58R!^~5?6f`s#*G`-*|zQN4O})mr;FtV6Vq-mCg}t}GxhDunryIl+6nGU
zx#94X6Wp5dg8S*yXQu1!Qs)GNGj4EF+79}pox*u_zJEq?)~uZjj*Rbr8`!5*R~v@=
zr0n2W@mpv6r>EWU9@=h6`~IPp6aJC9V=VYcJN~^XFZ_*gfd78WvUX0{{`G0cyD{Sx
zer~zpsB94I4Xy$3H8_FnykD7e{Sm<2SML-KN;&@TQ?7doup=6pns&FmV2I&KyrjM0
zRp|q`QI_jpX9XqstE;QGLB_|emX@7UZtxKN4YTs$4=gXd)bv*gtq&}}aIuy54+CaW
zye;iF_RRQ=XMlG^$_pOU*hmMp`TVzl>y-AxYtmlf)H=t1L^_1tZRuQqWtM)Tm9&HI
zl85(mQnq)&bldI<&x2K0?}n#DGPuEW@INw}&29(&C(+|YDaX4Cns-HY=uQ~x?BELI
zk7!KGHtq&&FYt^?+Ozgx{LfE0;nm_XY1`dXIsg080eXF)*7NpnV<};I-d>DRzdFYo
zn9h5r0>71M!!Aw+-$U5N-D%ewmbU$er8CpMp`~z&j}3+YD!^%->BiHON9$ANSJA-#
zp$0m!rtj45*>+3GnQ~h8WKApbtY~|Rtf_ZyD*81|O*_^!H0&PV*W$R-c4If_E;V(m
zg(JT#{TZ2P-yFu8pOs9k({m|5qs*l}|K4P-@Et>sJ!C)jszv6TJx}}eM#~TX*Rwaz
zXJ3C#d)bG+|25&Rt}bp<@3Tj{!4o|5EVpo->a|Zmf1%#>gU?~?H;-$-z%O`;?>Ew3
zIF^0y_EZ=iUV`fQFK~|mpJPv2CtS+&4gsz{@)g*#cwb;JLi^8ruK?G(=wXOuhnE0%
z4bRi;YqKb;Y8~ew18>U64{(D9_Q5?&UAD1tx1{a$1<!5rDdKIB-Fbn_9(`||zV=bs
zguxLnrAzrN=&KbU;55@V&GPn2yZ-#N>mFh1_`X(p2KNN|$me>Caalm$0c98`I1V{K
zi_<T+1;GK}7=*l!;TPO0U&XZHLuk)#P5QpvW%l>NoxqJX?V=4$H=XkjHFYZW4G($v
zD)S(FhyEh7caJL;JIimQZXWhKn(`L>f+s2GfOE8b6XB9xsk7)OpKBV=S*owj<-U#$
z&rf>ZQTlHGlWov%X`S2nL$&$n6rD8G+1@4khQ<T%H(frWzRfR_DeS7Thu;@W9sGR+
zu0A}AQjW8y>g(Zyv7TaJIx2ym#`B?k7PZR<!tSuG@W;@YC%?C&evu#N22II)N$=3<
zhpyiN*D9?u>Qm?X7xO)#qyDB&eXzR~885ub)FJZ=$Tn9xHgz49z(szo+H!t0cV?r%
zxoO+(raJlH=-<+NM?Z}-W933;AbhquEiIAWG*|eZgMHl5Q9n~hzZ-yiUf=SGd0)vh
z2|K<}b&>z+hEB#W{6gRDf2>QrftTHE1>aBbyli0bPcKzlJkBv~rbKrS!{a^rZi`PA
z6K`A%p7#w*Ej})ITJg~@8ai}nG{%Y-O8CS1__#d<JJX%F3;3|b;3R!ZH{gB`9Y3h=
z_P^5jhfV0<IJL=cc%M;I)3hUaLTL6feemadFrIbT=q&1|wUz05ukh0{jN_k2+Y)eO
zs@h_^8tk6$S;PTX8aS2dAowP*lj8GS>ohb*s6FHO#4JH`(sd8kw|<gG-?E9C2JaAk
zms;SxG!I*&Sk4Qoj84_gTsj<mHh^zBG@lYpY<(_uW6anz5D!v6Kik|~jx!Xi0N;`#
z&NFm6D(QC-`k2EUh~_+T=l77KmHJ;A_-fV_&1G~kknz1raiM9Gu2}Csi1TdP;PXuM
z;=%i5#^iFzDg27b;Oz?NPC*XO3YtzdeN;x{g^Ze$aXrOh^qwgcc9pGx>#eF{k?h2p
zKk)}0t&eZOM+364cKUg~C&1HXTJzTI1rKiF2;{YZ`9%Fw`TV|uWlrq?-2<7oLn7N?
z-Y5?52*;PLlis5_>V<E^yZjdUW_k+9FqU=s*e^@ti}aVhZ7x~A2p<*LiUukg=vV{F
zlXU0l%TvjdpoGe=qJfGADjKM0V2f!$ab6~q*|nob=QLZ4k&Psj@@FXzW_;~cyssiY
zQc0a(M@$mMu^Wkgvv-SP7kGx>_lZ+()k7S17vC*gntyb)jn2m!i2Ibw%aM~>p8|A#
z39sa8!<!6jp-|YNEgsvf`iI}n%4HC5{Td!75MQ>UyOqRS|K(fx!6GqamS=cv&O4Hr
zsH@IR4WBA!I!-B<=!G|$dc}_PO>a*9PvdM69Sw%p8SuXp-lszIIcVO&_W<Hp@=Tl+
zJN_$_Hn0n5A5U)P42_fFb*6Hm$V!f;%zw66+z$BF_$QYChH?Qj8{8wZ<PepE+Ss{K
z8gpW8_-3wsP_Hv*<k7f;v#j57<BFZLbLMnW9zkc_z_;?W$i@v^(hZMC_RrvVppl8T
zZLy~may!cBK;v!nQIB3c`YT`LGo}sHRVjbncE)VFud{@X#=9OIv(feK)$qK|4zWh$
z+>h~iyTq^msLtp!dGCbMw^!z0xd7_mKU$ZTh+lY}fgG>%{(Nan{pv_Qa<J4DbgrQD
z7NeIK+45_~Ydi{A^bn>vA75v#sNAXDi{=ZtooC@^G2?KX#hrxq{8v>~Z4IyQq&)xi
zIxpz2a|ie;+niA9Ttw&Q%0Dv}e}}In;G4)@g%f~XW6f2b89E;WH=91^Dz6x4ZAv!V
zCG8h3=bYy?V91O6Qz&)5-=jS~*%a-sDz}Cl+|iKze6D}tl|9<_+^+O3+hd%bc~`sk
zxwP$F2p;9?vbwKf+EoJ6Icd9t;Ag4kXS_}JgI%6aKiMYvbaKSxk*RCI)|A6s#`jD0
zZqt78ez`*7JG9r(zN#bs4Xk8W4l}xs5d<d!-%EM)RKBopb@l4Do8jyLoEh}em~<P<
z`Aq2o9;TwJDJI`8{1NZUjd6~JO--g>zZAJ~%WBy<x+kG~Dbc-`u#vVY+1UA%#xD~z
z_C_D`*T%nSMY&_<4D0gjwlf>_5uI6P!8uAfW$9P^M6%k2(`XOGPi;fEkLv3@?_BDZ
zC-dGp`Zho2k@CO`;bD9}->mg)jj`6bi|*9`N8YsXNvcrT*YuCpc_$c8+Y0y?M18rx
zT`X?TSpE(97h>Oe${Xl^r1FW%3yXK;UQFKr`j=_W2(M((y&US7Bg4)5W=uu{o6=n%
zLtFVd`sJygy0&u@1FI5VhDguwGQylCsa|7CKE08)$p(+kq_Mx3(a&<`@iUqSf^Gkc
z)^RVGiENCGcdBWZ9>J+RaP<t`W%7br<QbpKwU+$>@SX$yWytym;MbV%2A3&iQ|Q3~
zPk}slIhU{YR6h6}xHt#&?+`B5r+&z@2>p$c?He2&mCDnjlaCn>tEQo8cLNjgr|}7b
zUeH{~y7FjTZ}omS933???mbMO^_A#hG`QqfehQ!E^{{kyhrYdVq2>FhW9$Ef|7_%M
ztOu$5Z}5`y4j0H?40v=-;D$-$dImmMBI8JCme)+aN5M;&4Z|OqKI<!iAI4*R<Dtf8
z)sJ<yCv62}3m7MO`TVSNeR!j@7uV;EKKKM4qj?~mfbSLbpnY&D_#TSqqoHv>PqX%m
z_2D<|=yx=aE8W6pA>$T)V%j7N`0j?5Vu4lWtkJZut85zsor&f&p9CA7S?df(^WW22
z?vK@eZ}4EVy^(1N=XIBvx^<OWFTw9{R{EOm!7;AOvB|$`FEjn3`)!;F1GiG=>85@|
zN@Sme4cRr0^IgGL>8wZh5jZau9onjmY-(pNbYUH9hSr-pn^E1`e&et^%MSVjy9|Hp
zdd8TuP){++qGUciJKj%YLOp(7__WS6<85nux9uY5K4Fr6mdn|q;M&$l-J@8f^;_$K
zY&4DoALvTPfIT}L9^cpEFq$*0oo9hZc0JXc_m=#i;3L^*{C-2*e*Pfvi_^B-2VCVn
zA&xix9-V)4zKu=3BHgG>{tUda26HY&EXCZmkny#6zvwQi=RX6jC22o+v(3*c)5E5>
zhra=|hm@`Le$z4ZkJ_QL74+njDAsw>oYx9})@$CMI(%F|XA$?rX|{ha**SL?v6C$K
zUQE061OL;(Ge+~4aUah6iX`j4kx{Vr+__zuACEIn<m=!cv7d3zl<|L;cYJL5KYq1*
zSA$z+bT1*g;}OMbE!>MZEsmGC;B5M`w-eXl>%{w-ca3>;-v&6=!xv4xN_>VB;D0H1
zTz{o+VxEJsgB0VCs&iIfGo?%JZk(t!7J6?m*Z+;aC-S_=UUYSv&BVvWtTpqP$LiC>
zou3Jcu|&)Kv^RodHhfHEf9<Qg8@2c;^8FOYX^x;b_PO96@p~IXhiYu`ORyayyL7|d
z-jjjl+}r=xG|P(CDML%8#!0@c;t0*@(%r4qeWGZcbp1bpUwB@cKAk(Zx^v@&TB8TV
z@oB$=&)?Es5TEoR?qV%;!#wZYc?eeU{e*mk_}H<|$X^3rI5NKG3%3P6^vwF;SF=|h
zmL%4T(_GiP=BdTL4erJ8Q)TXhwVm;EPbgR>y~g)7;nQBEvvA}a2Tzmf`yMjfWA4%z
znvy~O1bDLOKGVKkaMB6=`_hh|kDp4eralO|%Z3b|cBSqZbLUw1TSDjt^Wf!K<J%fo
z=G)QWtp%T#B%avNwbS%h8O?i#SQ(p3#_j~fVe~HC4PMhBz`e<%Im^N;d-reRKE#>P
z8tymt;7tDl=FDFh;}pEf&n9*Y`s<!}dz@N-a(>gH$f#TeYk@zgeT>(>PyAak7qZWU
zmsZ7M>(FPp8!%gQAN_P_y$g?uzvfUb#;%uBr#OS0N!WyJ;{QI~H!F8u%L}%20PFOB
z=!@?he600O{*Cs2#k`V9Pcm7I=9=OGaLcb+h_2+D^oFmppSBh<t5r+Zj2+!mIIDEm
z#=ll~+Tr6ujfLhiFy-}Uway)UME@t?`Zpu{r|`9ixjln*YAk#{z!(qLL)#<Nb4O9}
zi*k*@80N<DUxZEvq&Hbr<Z~#tVegg?41err(OxJ2j=Uaz0r>>>o;#I8Wt}Pi|HUR_
nViP0Myi+Wu`J*x4#ON#NDjKM0prV0_1}Yk;XrQ8jvIhPKkJVY?

literal 0
HcmV?d00001

diff --git a/apps/portal/public/logo-mark-green.svg b/apps/portal/public/logo-mark-green.svg
new file mode 100644
index 0000000..a0e24ce
--- /dev/null
+++ b/apps/portal/public/logo-mark-green.svg
@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="313px" height="197px" viewBox="0 0 313.0373164255402 196.70089291292607">
+    <g id="59ca3855-1edd-44fc-a748-4fcf6ec69289">
+<g style="">
+		<g id="59ca3855-1edd-44fc-a748-4fcf6ec69289-child-0">
+<path style="stroke: rgb(193,193,193); stroke-opacity: 1.00; stroke-width: 0; stroke-dasharray: none; stroke-linecap: butt; stroke-dashoffset: 0; stroke-linejoin: miter; stroke-miterlimit: 4; fill: rgb(83,115,93); fill-opacity: 1.00; fill-rule: nonzero; opacity: 1;" transform="matrix(0.590126 0 0 0.590126 156.518658 98.350446) matrix(1 0 0 1 0 0)  translate(-1768.359348, 740.291985)" d="M 1843.13 -639.52 L 1843.13 -573.63 L 1767.42 -573.63 L 1766.78 -581.28 C 1766.42 -585.49 1766.13 -608.21 1766.13 -631.78 C 1766.13 -655.35 1765.79 -674.61 1765.38 -674.58 C 1764.97 -674.55 1761.71 -670.42 1758.13 -665.41 C 1750.30 -654.43 1737.33 -641.06 1727.12 -633.46 C 1711.44 -621.78 1696.25 -614.60 1676.13 -609.37 C 1665.51 -606.60 1663.22 -606.37 1646.13 -606.25 C 1630.12 -606.15 1626.23 -606.44 1617.25 -608.45 C 1579.26 -616.96 1546.57 -639.05 1525.86 -670.19 C 1510.18 -693.79 1503.13 -717.20 1503.13 -745.73 C 1503.13 -762.32 1504.28 -771.24 1508.24 -785.41 C 1514.33 -807.16 1525.94 -827.12 1542.61 -844.46 C 1555.48 -857.85 1566.71 -866.25 1581.63 -873.62 C 1601.64 -883.52 1616.35 -887.27 1639.13 -888.28 C 1661.43 -889.28 1686.22 -884.17 1704.88 -874.75 C 1724.68 -864.76 1747.86 -844.75 1759.13 -827.91 C 1762.15 -823.39 1764.86 -819.68 1765.13 -819.67 C 1765.40 -819.65 1767.86 -823.58 1770.58 -828.39 C 1778.76 -842.84 1786.91 -853.51 1799.08 -865.68 C 1811.98 -878.57 1822.20 -885.86 1838.13 -893.53 C 1857.40 -902.80 1876.52 -906.98 1899.63 -906.95 C 1936.96 -906.92 1966.12 -894.87 1992.16 -868.71 C 2013.17 -847.61 2025.55 -824.42 2031.30 -795.39 C 2034.15 -780.98 2034.37 -757.89 2031.78 -743.67 C 2026.72 -715.86 2013.70 -691.22 1993.15 -670.55 C 1968.87 -646.13 1940.78 -632.67 1907.66 -629.59 C 1890.43 -627.99 1867.63 -631.07 1848.88 -637.54 z M 1784.82 -591.28 C 1785.19 -590.90 1794.53 -590.71 1805.57 -590.86 L 1825.63 -591.13 L 1825.89 -627.38 L 1826.15 -663.63 L 1830.01 -663.63 C 1832.49 -663.63 1837.20 -662.05 1843.25 -659.19 C 1890.92 -636.65 1944.01 -645.64 1980.51 -682.46 C 1997.20 -699.29 2006.44 -715.57 2012.92 -739.54 C 2015.25 -748.18 2015.52 -750.96 2015.57 -767.63 C 2015.62 -782.35 2015.25 -787.76 2013.76 -794.13 C 2007.60 -820.41 1997.95 -838.17 1979.89 -856.40 C 1965.59 -870.85 1947.91 -881.16 1928.63 -886.30 C 1919.64 -888.70 1916.81 -888.98 1900.63 -889.05 C 1881.11 -889.14 1874.42 -888.23 1859.98 -883.55 C 1837.26 -876.20 1817.44 -862.10 1801.31 -841.84 C 1793.87 -832.49 1789.76 -826.13 1766.82 -788.45 C 1746.77 -755.52 1721.21 -714.98 1714.33 -705.17 C 1696.13 -679.27 1671.78 -665.62 1643.81 -665.64 C 1623.81 -665.65 1603.80 -673.65 1588.92 -687.59 C 1570.40 -704.92 1562.20 -725.20 1563.44 -750.57 C 1564.10 -764.09 1565.82 -771.15 1571.15 -782.13 C 1579.29 -798.91 1591.17 -810.97 1607.63 -819.15 C 1619.51 -825.05 1626.26 -826.75 1640.24 -827.36 C 1663.67 -828.38 1682.59 -821.49 1699.33 -805.85 C 1711.11 -794.84 1720.35 -777.59 1723.51 -760.74 L 1724.71 -754.34 L 1729.08 -761.24 C 1731.48 -765.03 1734.46 -769.71 1735.68 -771.63 C 1736.91 -773.55 1741.61 -781.14 1746.14 -788.48 C 1746.67 -789.34 1747.17 -790.15 1747.65 -790.91 C 1751.77 -797.58 1753.53 -800.41 1753.32 -803.08 C 1753.14 -805.35 1751.54 -807.52 1748.77 -811.84 C 1729.89 -841.35 1698.89 -862.93 1666.43 -869.14 C 1656.17 -871.10 1633.93 -871.07 1622.52 -869.08 C 1598.07 -864.82 1575.94 -853.22 1557.57 -835.04 C 1519.58 -797.43 1509.60 -741.17 1532.57 -694.08 C 1542.39 -673.95 1557.74 -656.74 1577.30 -643.92 C 1595.15 -632.22 1614.03 -625.63 1635.50 -623.60 C 1669.20 -620.40 1705.13 -634.07 1730.13 -659.60 C 1742.78 -672.51 1749.71 -682.78 1798.71 -761.13 C 1831.17 -813.03 1840.01 -824.98 1852.33 -833.63 C 1865.79 -843.09 1880.46 -847.58 1897.93 -847.61 C 1911.06 -847.63 1920.28 -845.59 1931.63 -840.14 C 1961.00 -826.03 1979.66 -794.22 1977.85 -761.33 C 1975.47 -717.83 1941.58 -683.67 1898.13 -680.98 C 1860.52 -678.64 1823.86 -703.88 1812.57 -739.88 C 1810.68 -745.89 1809.79 -746.81 1808.68 -743.88 C 1808.31 -742.92 1802.64 -733.56 1796.07 -723.08 L 1784.13 -704.03 L 1784.13 -648.00 C 1784.13 -617.18 1784.44 -591.65 1784.82 -591.28 z M 1885.63 -698.71 C 1913.10 -695.13 1941.78 -711.25 1954.18 -737.23 C 1963.16 -756.05 1961.86 -781.10 1950.95 -799.36 C 1943.26 -812.23 1929.74 -823.22 1916.08 -827.69 C 1905.39 -831.19 1888.84 -831.05 1878.40 -827.38 C 1862.88 -821.93 1855.89 -815.70 1841.03 -794.09 C 1826.55 -773.02 1826.13 -772.17 1826.13 -763.95 C 1826.13 -747.59 1832.98 -731.80 1845.62 -719.03 C 1857.26 -707.27 1870.14 -700.73 1885.63 -698.71 z M 1631.80 -684.17 C 1645.09 -681.53 1658.00 -683.15 1670.15 -688.97 C 1694.54 -700.65 1708.12 -722.91 1706.84 -749.13 C 1705.99 -766.63 1700.12 -779.71 1687.53 -792.18 C 1675.06 -804.54 1661.65 -810.06 1644.13 -810.03 C 1626.67 -810.01 1612.28 -804.43 1600.65 -793.18 C 1589.05 -781.96 1582.94 -769.73 1581.21 -754.28 C 1580.31 -746.27 1581.24 -733.93 1583.22 -727.75 C 1588.11 -712.42 1601.79 -696.70 1616.30 -689.71 C 1621.08 -687.41 1628.05 -684.92 1631.80 -684.17 z" stroke-linecap="round"></path>
+</g>
+</g>
+</g>
+
+  </svg>
\ No newline at end of file
diff --git a/apps/portal/public/logo-mark-white.svg b/apps/portal/public/logo-mark-white.svg
new file mode 100644
index 0000000..95751fa
--- /dev/null
+++ b/apps/portal/public/logo-mark-white.svg
@@ -0,0 +1,10 @@
+<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="313px" height="197px" viewBox="0 0 313.0373164255416 196.70089291292607">
+    <g id="419f7dec-c71b-4232-90d1-cad19e00aa72">
+<g style="">
+		<g id="419f7dec-c71b-4232-90d1-cad19e00aa72-child-0">
+<path style="stroke: rgb(193,193,193); stroke-opacity: 1.00; stroke-width: 0; stroke-dasharray: none; stroke-linecap: butt; stroke-dashoffset: 0; stroke-linejoin: miter; stroke-miterlimit: 4; fill: rgb(228,225,215); fill-opacity: 1.00; fill-rule: nonzero; opacity: 1;" transform="matrix(0.590126 0 0 0.590126 156.518658 98.350446) matrix(1 0 0 1 0 0)  translate(-512.229219, -458.33992)" d="M 587.00 592.05 L 587.00 559.11 L 592.75 561.09 C 611.50 567.56 634.30 570.64 651.53 569.04 C 684.65 565.96 712.74 552.50 737.02 528.08 C 757.57 507.41 770.59 482.77 775.65 454.96 C 778.24 440.74 778.02 417.65 775.17 403.24 C 769.42 374.21 757.04 351.02 736.03 329.92 C 709.99 303.76 680.83 291.71 643.50 291.68 C 620.39 291.65 601.27 295.83 582.00 305.10 C 566.07 312.77 555.85 320.06 542.95 332.95 C 530.78 345.12 522.63 355.79 514.45 370.24 C 511.73 375.05 509.27 378.98 509.00 378.96 C 508.73 378.95 506.02 375.24 503.00 370.72 C 491.73 353.88 468.55 333.87 448.75 323.88 C 430.09 314.46 405.30 309.35 383.00 310.35 C 360.22 311.36 345.51 315.11 325.50 325.01 C 310.58 332.38 299.35 340.78 286.48 354.17 C 269.81 371.51 258.20 391.47 252.11 413.22 C 248.15 427.39 247.00 436.31 247.00 452.90 C 247.00 481.43 254.05 504.84 269.73 528.44 C 290.44 559.58 323.13 581.67 361.12 590.18 C 370.10 592.19 373.99 592.48 390.00 592.38 C 407.09 592.26 409.38 592.03 420.00 589.26 C 440.12 584.03 455.31 576.85 470.99 565.17 C 481.20 557.57 494.17 544.20 502.00 533.22 C 505.58 528.21 508.84 524.08 509.25 524.05 C 509.66 524.02 510.00 543.28 510.00 566.85 C 510.00 590.42 510.29 613.14 510.65 617.35 L 511.29 625.00 L 549.15 625.00 L 587.00 625.00 z M 528.69 607.35 C 528.31 606.98 528.00 581.45 528.00 550.63 L 528.00 494.60 L 539.94 475.55 C 546.51 465.07 552.18 455.71 552.55 454.75 C 553.66 451.82 554.55 452.74 556.44 458.75 C 567.73 494.75 604.39 519.99 642.00 517.65 C 685.45 514.96 719.34 480.80 721.72 437.30 C 723.53 404.41 704.87 372.60 675.50 358.49 C 664.15 353.04 654.93 351.00 641.80 351.02 C 624.33 351.05 609.66 355.54 596.20 365.00 C 583.88 373.65 575.04 385.60 542.58 437.50 C 493.58 515.85 486.65 526.12 474.00 539.03 C 449.00 564.56 413.07 578.23 379.37 575.03 C 357.90 573.00 339.02 566.41 321.17 554.71 C 301.61 541.89 286.26 524.68 276.44 504.55 C 253.47 457.46 263.45 401.20 301.44 363.59 C 319.81 345.41 341.94 333.81 366.39 329.55 C 377.80 327.56 400.04 327.53 410.30 329.49 C 442.76 335.70 473.76 357.28 492.64 386.79 C 499.03 396.77 499.20 395.24 490.01 410.15 C 485.48 417.49 480.78 425.08 479.55 427.00 C 478.33 428.92 475.35 433.60 472.95 437.39 L 468.58 444.29 L 467.38 437.89 C 464.22 421.04 454.98 403.79 443.20 392.78 C 426.46 377.14 407.54 370.25 384.11 371.27 C 370.13 371.88 363.38 373.58 351.50 379.48 C 335.04 387.66 323.16 399.72 315.02 416.50 C 309.69 427.48 307.97 434.54 307.31 448.06 C 306.07 473.43 314.27 493.71 332.79 511.04 C 347.67 524.98 367.68 532.98 387.68 532.99 C 415.65 533.01 440.00 519.36 458.20 493.46 C 465.08 483.65 490.64 443.11 510.69 410.18 C 533.63 372.50 537.74 366.14 545.18 356.79 C 561.31 336.53 581.13 322.43 603.85 315.08 C 618.29 310.40 624.98 309.49 644.50 309.58 C 660.68 309.65 663.51 309.93 672.50 312.33 C 691.78 317.47 709.46 327.78 723.76 342.23 C 741.82 360.46 751.47 378.22 757.63 404.50 C 759.12 410.87 759.49 416.28 759.44 431.00 C 759.39 447.67 759.12 450.45 756.79 459.09 C 750.31 483.06 741.07 499.34 724.38 516.17 C 687.88 552.99 634.79 561.98 587.12 539.44 C 581.07 536.58 576.36 535.00 573.88 535.00 L 570.02 535.00 L 569.76 571.25 L 569.50 607.50 L 549.44 607.77 C 538.40 607.92 529.06 607.73 528.69 607.35 z M 375.67 514.46 C 371.92 513.71 364.95 511.22 360.17 508.92 C 345.66 501.93 331.98 486.21 327.09 470.88 C 325.11 464.70 324.18 452.36 325.08 444.35 C 326.81 428.90 332.92 416.67 344.52 405.45 C 356.15 394.20 370.54 388.62 388.00 388.60 C 405.52 388.57 418.93 394.09 431.40 406.45 C 443.99 418.92 449.86 432.00 450.71 449.50 C 451.99 475.72 438.41 497.98 414.02 509.66 C 401.87 515.48 388.96 517.10 375.67 514.46 z M 629.50 499.92 C 614.01 497.90 601.13 491.36 589.49 479.60 C 576.85 466.83 570.00 451.04 570.00 434.68 C 570.00 426.46 570.42 425.61 584.90 404.54 C 599.76 382.93 606.75 376.70 622.27 371.25 C 632.71 367.58 649.26 367.44 659.95 370.94 C 673.61 375.41 687.13 386.40 694.82 399.27 C 705.73 417.53 707.03 442.58 698.05 461.40 C 685.65 487.38 656.97 503.50 629.50 499.92 z" stroke-linecap="round"></path>
+</g>
+</g>
+</g>
+
+  </svg>
\ No newline at end of file
diff --git a/apps/portal/public/og-default.png b/apps/portal/public/og-default.png
new file mode 100644
index 0000000000000000000000000000000000000000..acd1e63622608560214458339c0351566cdffb55
GIT binary patch
literal 83870
zcmXtfdpy(c`~Nn_ZO&}Y#}e5nLZx!bArnPydpXY>at={SvK&f|QCmeNq=OBcoR71H
zqJz^U<Wwpohl)!0z4rcme}DAoe82Ady07bbJ+J3=-Pevg+lwQV5D*AN+~J6gD+D6Q
zgg{_tMTNmXIc6E}3H}6+JmPi+0zqr@e?T2vw=Y2;8W0B?tCMjf-#)A*`r|h&mKNVm
zygq7rC*MCXFRW^3fq#6-E^N>D{-*xYwQ;u#)bS==TU$#Tp>Je)8#zHCsI;7m#U=Ag
z<`au+>iZ_*bqf5uTlTDt#dojY{qc9|*YP8d{7nm9C9GU%d%KnYj`uonz^mY>*XFq<
zf0-T1w6N+=Bd5H96_*=GXHDPq=9h0vAA3cY4~!c88Jfj#kL?WX9+-VH_~=F9rs%cU
z(fg~4M{c+4&WgWDIy)PDuV~-wy*H6@t}a!(eeM2EpECCCR5~%;6PJVyp+>JCUDEL?
zc=_aMT;as^mnnDBZ)`STD~_e>ILZV*Exi2O4Q<#XP(|Lc!F$-U^_EJ7KP$rvdz^~3
zBt-eg4q`>$<X=fi@E+`P_&YW_UeOVH@8{d74h`bx*2UVu^GVo@8|~%rt$1p7zBat7
z-gM*N9o+4ge`5$IuF<YFJpAbIa`Wc=o*zwtE}TrASHO|HG1Cw`$CpO^=1-YehLifK
z=20=7SI2?BBd4r5Vs;Lv<AjrLsC^AB+yu|$RF<dVaN6g)1I?B5llSPwt?`uE<pJ62
z<Z8L(0cq{jCp!go3U}`x|K!%)<Ym&(@NX9c4Z)y2XCaK}1PB1ZLTCaM6DT`R7+8R?
zPqN)h5lnXt!l+mol!0%AghrY<KtlKHvvG6|<^#n9&W4emLKyj@5axgXnQ++k&$Nm+
z6#QK|6!TUdPr(b5+@Qc=VS%Bvc8ZAvyB`K*T!Rr#LY_de5nLlh=EH5Y?af+HAo*7x
zuT@4AnB4~@@&EtA6oP_MujDW52n|)LNC)>ukYjguWrVTyuG+&%zXbmK<{E@f)*&s!
zC{7gZnpBj~GxB)h&t)qYiiv_sG8EHdY?T5fSU`}J062-t5db#~W!@EGT&U;&!W~91
zck_o58vgI>#fF?~DQQCNek2eD)qs=szvJXd`Hc`?E~m?oO6gFNwh*J*n5`$k%y-oi
z14>t+q&q^u2H$M^*oZ3_zA<-uSU8I_yZiW`S{5Me;(uC#r0*aKI6z6M0rAY~2fca%
zlQ@s{5N52HAmgVPN#8_)`G|i~1O=b2wv)mW`EQ$|0)$X-oBJhzKcxC%VIW|0P=L^`
z$Hu{-47CynU4UXM&qOPV0XH5A5E85UtU{qZuH51zB3*`!5@JtZp({1xMq0ruQdJiu
z?SwMq<VjQrupLU5r+{aa0Qx2olmJcA3>iXr(G?>=*ncTZka5xp0??pCx{#hDY@>zk
zoB$ZK=Zc|qZdy&cf~WT8NZfKruUNDD8zhkn2{q*ZE2TXOOgkGW;m-fAtDJ%#gaC)Q
zP`ZW?(=}B~$6HYxP=pZ3?Ct>pMoJt$%b8u4Cd4>t`4Bqv0Q3qmwvh}oP6|muNiy^9
z?>kbHYAemMAr0v{<m?iv6#jEqh1q|(sCEmy18MI`3APpln90`_W@siuLoL-wrF_e!
zQt%yo^JgSxUKb@%^Kv9c1c9e$DCxZfkS-mX+pZ&>F9uYtk!*wWfe)PiOrTK<SxL}N
z!A!?dBNUOVJ`NCuGZB)ZT#kb<a#vy?z;`I2gT$T#50@SY9m0CTMHt_MDB7wlIS3(|
z3nO(1GhA0n7iysd(2C;@DFg`N{Xus0rQG<$gY{KHO#f{|A<w69`@F?>Ag$Oq`wq;&
znveAU%g1+;oFL4>U6H%qiGcS2BLxdFB*+w=Ad$6%;9m?J(1sAgT{jk%(~U{mwxDx$
z8gi;!*;TQ*O+$tp1s(b|wQa^~tfMJd&9`-`-s1T=#Gdn02;^84O!KnP_f805|Gvim
z)`F38VGPUvd_5D!a80>sYY_by26RN$mx)7q4zi6_w{uovtf9z^v6ng02Fgd!ADWm)
ztr<LFHuZS3(qIzNXp|WI{kXC^7k2Kh<q<fudn#_mh~xlFR){h6{^$51a3cQ~k!)N#
zknkriaz=_&%CSZ>e`ZNP3bVL&d_RdgUn0xQ980z(Wk${pVdvi=fs=OdZJI-r;ec;9
zdvP)II5}_WV4u<(lhpZ-$p(vUMoLVa43vJbU^R|!B3p5)(02&qAq54mU<flZ;S_B+
zi#&zDtVW`exnwr3CL_<#8bT}3k)|d48Ic-H?dpv+xb6T!6TSE{sf?-D_t7>k{K+H_
z;T5ONOh{d}x@#FEPNJ4fQD-SN5YX(dV!$EW1RbdzLX7&zQZ%y>3VedlAH~|jnYh&7
zeQ>}*8uRJQ3EuJlf)A-9y~CCfJ&)D%lSKbA<do`LKT5SF-8^pUzdV`8U>HFvL^CBG
zogzD}Bi1XKY_BiylmH}z{uW^8UFDmL5Y0{(B5FBn2$JrI0)Hq{5QaH~u*Xvo2JE}m
zYsA*G&ykL2s;F-BRMKqp0JQAjH5x;d#@d_F%xMZHV@dCxLM1lDXI4#}yNN-f>u()C
zjAmYe08!xI#9WSVYhSO-gApnVDENfC*3uMh6=s#N0O7Jog(!sJbNB^>cHfY5k^}*O
zPZcm`_rG=p%@*{KYc^JZ9DEfU-2|c>)vg(r(TS<9+-?5#Cu}Wxlyvz3f4goFAT^F+
zvcAtBN=H&`1(+++Cypb51WgARXd}mMq*6WKxETmZF;S*yHlEqNoNQ=qrq3ufJnVb(
zx*j>oY6x;~K$z$NyfHvl7*FBNu#L;zoK@<HkI8Sox9J_@2SxO(ASbUKIffD-41D}5
z$hezJp+<=^SN>7(H^qR2@M#TF=?ILbz~wlk7(mdHWa{HR-sluSB3s%u$XDM<!Brm%
zO|ykn31clW`H|F^;CT0a-bMU-zqRH=oxdT-jD!{4L5_I|^UZ#s84)iAq1mx<*+3Np
zqrMFRq37%)?KHo(n|J$?tUJ&Ge2O>-x-s9i#yB#4tuXRV3Rdp{>PJJx_H3foWH-9G
z>Ir}Ox%J9!^74PNSd=aF-9Ui$X@mHbd~BaL3jYx=$DYd;2KuFY9N68*>~%=LxG8iu
zc2#0-JnCVl5EdJ~H(rw9rbTj5--aC!#Cmgajce&<WPSNGV7sQHX&5}t05jW;_iV-$
zBoXCCi2V?H(y~?Pst@%!xHaGZT@aWag6ro%=o1Hur7%9~dK8}g9vY0GdIZX3iZ})%
z>0@R=zPTa3r2+TMbk|Q>zmsxA1O<0@Tm5lKBL)Y=*?t<ds;>OK9AdrK`;M_W5TX99
zEjnTg<*YF%3UHk@7*{b6TC44MI|#viUn7*h%hwo2%RB^J*1%7JaD`qabwC->)e54(
zLs~=6SZYnmHaT~IBi*z6g%SK2K}nRjeJOqAtH!+#ME_fL$5Oa6%k3<|$bg048W5z8
z)U+VyECnS-42NX&!c(LnbY+UR7;|Oeh9E1(q!R1#X}rn>-#5UCj>>H+@Jk73y=`t6
zbQnpOX3-+2QKc@{-D#yVRk}rlfiuP8L@*%2wY=R9nLS}9poExZg{O9s92C{D0!-!>
zcug<wTLOcP>=qMGDDx*2{qlzBkG_(sRI2|MYHG&V2^ZIPg(3wuN5S_HnfiN_sIYBt
zjDt|n_LPxjhS@SGxz>J~jyoc3FC6Te>NagI-feay;bLTxmbZ(VI`)VCm){zzKKmQl
zsyb405XPLJT>L8`hNm1mdU8AGJPzIP<xdHWpYwv=Ypn%|rXB(mw%vpR+M6xJAm2XF
za1YHbu`k21xa-;`Kc~{=EBo1CJi0>(17CbEGEGR-k2-LY??ox(7>j+63tKxW*F5Kt
zMl^+>(G7J1jEnzX2r|Y+S;9<2-xLmv+!hg}U&^#J{bb>G%FLhv!>AlRG>sehts&(Y
zr5q|W*&R|3^WGWi6FX;qK9VET>}qNb4DsO#8`%Xrx1u9udgzKXySqmad)G#nl)3wu
zB=f@lX|~o{oF9d|#?Mt>ppJMXT~5VFpOM$3&v5XrFLT;W3Ld>`tH#=HHH2VO5!HxP
zIx1-@UCG-w=D72E*~}LxGyepXB<^=nYP~WN=Bq$T)l!6jDX9R8vAC6F$HgTPCBC)e
zK&C^;k#?5^N{18=BQxl!rJ*+?qv${;u)~_aa!|FANCmbNgD6QZ9wEvKf27iu+i_0D
z0_YLqaAK;^_fHT^^9OAR6JZAf4Rlq2(7Im;rq39^J^Sp8Btb8PDUva!hW*hc>e!cr
zMt=ZpqpP_OcSMzS(h42iTP#lKp6Z4-Td(W6Gn-o!D{6%oFkoOrZK2ThB9B!)@3gY-
zA(_k<ht#}Xf=Iu1WZK3vT@S{Uf+20ON_x-Z=q=msB^9OeGJ%ZqA0g!T5V!4?8K%G;
zaUvU2wLo`(#Ra@tS;ZaE&61>z2{5ee*L=W`ZrC6OFV@cL#sy5l&OL@=ypb6Hu;bgw
zV2s_j{>QRHu8~Ru4+}ASIeC|qH1D7ZJ1-rz$c@bHM$<mIa5|z6%dw6I`OPL_XP(%~
z(x*ApnsUq}wSJYiUDCT@ytS-48`jL>`>F31wQPg<k76P~%w6t=vpHI8Qta;3UE%NE
zbMil&0|~UY4I?{R-`hbDtJ5Xg#|gRTYSe6vbllRNI+?dhO-?HntTHCkBFBnTPv-We
z8+-1j5O?HAm~Lj;uInj!`<`za{g^zQSSraB{nl2NiYb9$7G+4eZlCUl$~sX{F(VIj
zxkiza1bZhLD7sVB1VWqb8FTz)sLDd`H^V8!uc4$ImB=;00l^*E3b8yVm1-Fnu{K9+
z<O;F5B>9HSQuo{{UYoqzJZ;(PTbt3Di@VK9rSb8wWt<`jl_`vU2L_y$ogwL0H6j;H
zvu4kU;%r@zU`S-|I<rg2elKZ%UGE`HvbNdz<A&r03AavPnpcpmNJUy5=vMSM`yy>i
z6Kq#LwIh6bTRFcUR4lh&%9Jb{PsFFv?`(%+k@EF*!dRU((#&UTIP*d=_nsjq+Z0Oj
z%{=anqz{@aXg|yWPN+c1eaQ?{zbhB4dNi2s(hD_@M8NxZjWcmjseDmWsb>fxdZr}#
zVlRp<bA?Fz-i8wdRu|g4J0RGXX}sq*I4Wc}1fVMY@uz~OJCNrNlzwHErIwy8YFbJF
zWZ{$DD6Wxel@^Jn)N3TjAlM{&&9bT7A?o2c?Td@Nhq}$tr3v_J>XTGx9GI{EQf%Wd
zG9@a)AdF@lJ32y=V8DlT9p`VV+rCZ0J4K-Y2mC~w6*6PUoUs!M?*1xPqE|-5Bc&)^
zmJ#$EwUqv9obHgkg!??bYG@mmx{B%)aZ*!f)Q`7@NCLCtcccUuNhnIds2ao51f*07
zj}rnG6@2aQo{Ur~8sMh~Chju~Z3my<RsASv8%_3lDe@Ujq{un(;nyn|gNHZ>q1qW`
zELMT-qQBXG)o++W%&xBNH(EweO3z(nsxM&5J|>@uL?wYi9-vIp4)&eN&l6*<kfks~
z<Cu6Tz2q)7hVQP$6P!6m3BWm1M#hfuFuu~$9_yh=*AKI8FNc~*|1|4O!o2*L#K!Dd
zO8@&+W8}Y}#AHh5K^fOqdB)DR5G=?Yv|)^g8DkFMeWcojBIycigI3_JJU*4l^xFZ4
zg1!{w+mS>c`6`Ufl!39rBK%yQGmg{;7`Vc_=mADk-IO6JCeCChvQh;Yi#WU<BDes4
zB1A<UJ8ELS@9GKLb*SU?Z_+-JTa5_jovAx$E=`FVrdd+)v((b~OsSqRR4wywQZgFN
z4+V#ji~zE7hME60_O7J2eLL%mM;ePWi8m^yP$R@3AK&u_Mu^d!A_Y<15Vjs51ndB}
z?F6Qbne7ll?luVs!Jbaal+wpO)n~M>_O&39B`I&TXwR+(C<nfW5PKlRH<LVn5FNgf
zo+tEn{YM2w*?A&BQGB_~Bx=>iR)}FRuu7VlyV27Z<csp_><2ww7tEMi?CA1TUY9)I
z1{45#y;SrW#C>im<c@W9o)BnQ^XB|&!OGocX?$lfG=HL4*`IJoB`$S?*t~$zq?qKq
z0-YriEJ+Q0v7x@POTzltYG#Ti!KayY^Ey}8SI?BR(-KS641G#|0SkPYOb<w(3fVcC
zF6iy_l#9ufFx$gldW4u=TUi!2V@8^Zh0$E%nbGAX0?a(qN~{1QyIvXr1o<|+2Yo_K
z*&VRN)=Br6zJLX3gNv2*bz9a~DONtB5LfI(`dY2mai`ZocT-~qPNgd|cbh*EWj+CI
z35Q~R)2K0v)KtF|RV659S)u48cg_mws7L<wTHBBW1rM(z)noIb|C*bneil&rG`v)>
z0?VQAoJ7s`fgFq3>}9jw4eAxiOJ(qi-R8OpTlg5ZR-Fh&xh0`ghKWGK2r%y4Z3h{U
zf`HM^g3v4Xn`)r<v#Uf|M;1C<dpo0{RVvo{3H-ISkrg&|726k^(ld!CY?i@1m?B?S
z!e^z`mGxk)U-~eCr^bAdC2a?cRQP2wcgsQus-CZ5v?+bYW=a|_2Tf~46MW)!<AQdP
zouq8AmT0e6Myhoo_v0_z@e7*K^1Q~SJ4~YZCeixP%2_$vPvOZ_*knqsk}n?DB0Y`p
z4LH1nJA<T4$(@s?m*9IjV0M_cUZX{(x>#$_X3_%W{9U@Rs*|W6=l7)&z;GZm=fk`e
zlZl^3h}zYay`ZJj<v}|<@xORol3AT89ry)=QbhT*8Y$N1S|HmRnPG`^?AG<22)hYE
zOZ6CWU907h*LlLv#6<Kv`XmT?ecb`|`7(l_kF76vU+Gvdt*#UnkMMyqVNi?_$no+7
z2+jheYqpHA$UF!E^jFUV^~DH4D44=)zairey2LdV?Qh6TGp-(#<!On{3&%QY_R!AK
zmLpA`)CC0SdAbC7IYBE^^uvj@YoLjPeB1_GwM@)`qk_O#Wa@wjHA~V?09)#p@_wj~
z$4MV-j((iVlivFfg4D<E@c<Hv;!ujr-MA-H{-8+)O=)2-`cvH?`a+Smq745MYUY3t
zs;0tynkTn}hzBha-NL^>!v*?qWa=ulYT4=%JI~bab{3jPp?*<RtyX86{gts>Gdfqz
z6!ZStimD9ElVk11>8dd)z~528^e|yG_qi1t@5$(g6LvhOMl|O~OZ^vmR56gtAbLjE
zWu{RON4Is{K2pbF2G-|frnH?|)NWytVmhE&<B$p3q$m}2CPpePK!JS6%vtn>k?^y!
zU>nARdSPO6H4BGwhgRgZqm~eS@E;*cfaqMRc8#B15-8dMnY)#D8F>JI8nz2y<J|#O
z4iq#*HM3ZQaQcWK487|6(w+fNNDDZr+!OP{y%=8M9^fW7TrA}I@^TrpOxKr+t2TmH
z#4Uv&;yP|2TtGAeu{p@c1;Wttd=0{<U#G}NC}G-=6IS&C#%O*Gn#KF`c%NR7uY(Ok
z4I3lbfhkTifpHOn4ELi|(ySwOEMw~-nb(mh?Vh;Hj_8X{6UXuo2vq0d<lSGU&^x$O
zh&UbubRcX5aj;d%avgWTJIdg6Win=l!V_TQhFhlv7~da)_uFvfFhjvF<<C<6FlR1J
z<~jdhW%>;7Y!IZjlWRCSe$qXkObIbBigVlq=47FTdE2E*jwbEY3kp#3bm^qSZ!DL|
zNd6B7M~KdulENJ7o&`*Nr-%@g(1a$`?gz`JKdVu2rdeG7RWxl3P3X%*6F`W`$_=6j
zaa~gYm*t&sa>G!kjD%ahhnu6=bIdh|QKf=j9Mbcba(`p-6(VX9CF%X%$P6sk!2-Bc
zkZC=I_?T>$E!io;IP!l^+6{+bGiVLxxZ>`>UuXu$dd;RJ#lzy%6QUlulme_sVI&SJ
zW&uhgfRd)8UZ8%IWQ8jPb8bp6WIm*ODc7nr4iEKq+iMoIIeoUe^6MntqaFl@ZKEKW
zL<MK=_Q*14ciW97P|r1`^7;yP2l>A5<MbQh6qfcAGzl*+aoy$i=u0~e94Q*OZY%nX
z2C0A$l=`}l*H=YPP-Ej#TZjs(HtRTTl5G;0gCM}b%b`>;lC9@Rg$mPHlW_Gapvv3Q
zrhtB`IK%-(sBrVEFtWZNxyF`Z3*UxdJ*i`1uVByLHaV`&rZ$lR3_W>MyqoZH4359=
zhHTKAiV{Hn;2CNApF|)|;qiuByJf5y=*XEMWGK2^7m60*mesR*y|#3HE6=ixBGl2g
zT=(s|C+!hVA$|_YSk>DmQimv*cot6ET~Uk}@x7_6K7)92m2di>=X|r|gW@6x_#cK>
z@dw%Ywv3~bUmu)hcfaOB*?KE%lnXcdY3j^BaCt?2tOj9T+8QbCcvQK^?nPdfo4_=z
z-bk`6<^lC+eSRK<SnNUUTxcr0ok1LqPvs|)had5cgLIL~zrC&fyjC0pxYJN=$=E8F
zVMS+IA?eQrLFnvZ@j=)yO`Ci^p3F6puG0Ifk)aS+if5yw$6&7eGYKxv^2Ue?-ATMq
zoY4Q`tmw`ax_1HvM4sAJycoNzy-bu+%1EUmGYa$>*++^7IUMVAKkVR_fg!D-I4(91
z;x?o~Teyyg+a=XLFnOR>x&5#_Ne@)d>@Zo8RA(4*a2Yq(N=N(;EM__uP%Uv(gSELX
z4EFS1A*Ru5xF93bogH$GNcI4Jhz0q^MhfX;pSc6VSu!CXt_pF}vw)9=Rife8mFu>!
zXB?Mp0YUv~O+nhBZ>f&ublWH}dQ0UhnQPtmI~K0gRhC7X$U1@=CVm0)yi4RUl%645
zp#*ibM`FOV%|FBadN5xH@u`np4G5VYd(34uXwBM-6_y04pm5uav`J_^3}}!bMofWb
z(H7t@-PmVE93{qrfDFRjrK%zd^%|O|&j@SkSjdMs%93LT?e>y<iw^MZ5~xW~_13n*
z&RoX}`z!Lg5tic43Q%t-qq>O7i^LlWR_t320jW=)6*gk;`KWkVPtXTv7Mv)&4mh#Q
z19&g$vfJ)RDVRdg)%>&(aI;sM>mCFrn`BF7BU7+Fqrh}0qNmTmCX36^UD{2O3xSro
z`%=kFtt7(sscz~JADCxGzCJj-KtEppAL7?d<Hbn<zn5_xMr&Am70}4lNOu6teiAt{
z62>s<qXeK<Kla@<z)!O%9VnJ>7O2`zCdk}Wkh<cobr}iRf^C9gYFK@KF@%`zLCg@W
ztqAL&yAYSaeCTc`A|B*Zlky*192Nr<4JkZoWG3^#4$u9)oVm$sv-%)4mKnXu6Lrl8
zc^AV!%>-@OnJova`squ<Rx4Z=_E@-%JYK3uk9mN9XlNxe8IpwXbQn7qpzE!8W?Ey_
z+c)Zf4oUGc7`C%rbW3(|FQ<D)W&n7X`>u%tLe~8C=O(W54#?}JnFw;H?HDWt@EExx
zz=cjkhc#{I?NX$v@XaaOfg`1gWogBDuhDc6kJaTpZwgjWh@JQMePxe>Br^Ru{mB2W
zSUgT!k-5(uP=qdEdcYLs0LlY)aKAd{g=ASp&}p_yg<^e=D(u`o+!+n43N-j9f8v$p
z&wZ&UxYuzyz<v>;*%D5}GxtESR9t{0U-lrbrz0zRTdPVEv{B5)PubFMGOE_Qm(c`!
zO-=6(VJtT0T>MSuUX@A;=s!cZA7m=`cN#&fPG-tG>m|{dSW``b>0+S=VuE^lB$Q&g
z42QRU5~t{$B~VELvC{ZyLWej}YYDM{nI9oeLom)r%r;U~lPzeX5xH1RS^)Bcld|^U
z72r(U-40E{E-6QCauy<jbjQ?HH=1$X*ngJIxD7CeuZRU@YFAFlg;$4!cyxdbjL8t|
z-JaJv>4uY3RX#3%&X!2`7*pe)1!QhWrhgsNNPnrj9X!Z3@1j(Y^#!amlM)>SSjJjI
z9P=pTSXXZ+E(M@qS=X5gQCcT#IHR>yunN7;&r$ehS1~Z_o?G*NZ)|p3^uHzb1S`2P
zeku$!=!f=D(1fnA6|Pi<J3m~fJ%E;QSyj;d(IWuNSuIAKbvG5Oc)L_o5n|5PLj(!c
zr}Hc8NuHFQh@qJRgh(C#6lZ%OD*l);NPKXHq-$Zm0Y<TLrDCin)y#vUxN<LcW470u
zD&hh=x^989k`qS$qjQ$1yl8l)?z?A#gjZKNX*T@oK@Gk7J`P8BYA9@@!?YL4HG;AJ
zPCuva+?Ki{3x&9XUAS%XRJwxV&ekjacv&;Z#6h&&pMz=`LfHvl1~;T^FG2@VX#nJ>
zeO4egO+)EumQhv|J$2?|@4v(7XJZ0QPrJ&}UVdm(F4&sw7?->Uvx7g)l0n!q#y@Wt
z!r~l1cv&&}QmmAF3|~yQV~Z`J!?2StEir7AJD<0N>s;aME<^1oA@HDlQ6!X&O9EmS
zFv%W(p){t&_vXy^@mPuUh>6tL!sfi!6UK8Ug=pr@bH2Gs3mG&+sN!1H@cK;sbE$&1
z^O>=Qjd?TQ0gLs2RpVzC#=_-FQic|u&xNaMp!bqb+}C44{%;l__<aU`!|k}t4a2Sx
z;EEOP!YhOoW#@BPTov-Ee-UrHW_7eg#rC?2Fz+FW=Kdt2-9k(MJ~LgF|9F3yxc5$B
zhJrqJzz*J$+y2KM>-(pxj?<fU;MpH#`w~AYma8P`{N;)?t>x0=;1?_R&#bX}4u<KG
zZuX`p04;qmZgB>%O<Xz^FsNlg+{9<U^xPDJI=cxGJV8&u2@~H`R|tM@f_dM$3?@xf
zQv%p<a|SE0`g_*vWrsjn4yDR!E}g$~=AE-&uV2$MgVPt8>BqJu{Dsnm$ff9CtcvHi
zP8L4f8f$v%;gJla?&r>R=xS~x0Md3Meqb%)Xh_bg7R7UoO0xnq{I7K|5I(X!fxSl1
z7SHqdbk6sc$s9V_+wD-F-q#58hE|@uw=Za59Ftm-TokFTQh5{@%U-2suj1Vgk=~DT
z=Kj8_nvH6|YDy?@dM$rHMY^Zw-|G_W)>7x(yU9d-1#RPCb;7ZqABdLN#xxTdL%S>x
zK7&Yv)YIx{OQfa{;qHH42O&meiNPvGr%<cj*Hl!);Qu31zUz8Qd>s<a>L1^HGB^C-
z9XWq-p$*aY_2GUTa23dL%8@-Aq0pgQB%Ov@{$!;=yTny;7A00mA+KvoR-LS^+L6bh
zTK2+1G!2=0(tvF{-C-^qV?TvEHJ?6Rb#@ZegnGy6wUMbE3qd|RBYc(xhQzFkQcarH
zx-G&Z1AUtk=ScRW8P1LR3_bFn1I@JtXA2M9>*csu>#Z}%+X%-JD8OgUp)?AFb@wWR
z^eXSY?yN|NrZp3%0MsPW9b`ucf|K11L)81ZR+H48xPYN?`U`$}w2vRyFj9aF1f7Z|
z5Im9eRj!qK`NgG|amdjF2mSL9fSy#(=rw9n@CTI_E~?rwXF)s0fnUp%%@!3K0RpXP
zF|QEy`|fW?xLfK!X5#h%sqIu86PH4ecuv*lE2pS9?Jcg=nN{y7u;fW6td~vNt?Rvx
zMfmQ}B)j!;@^8_*=;u2Q_IzmbK*gK27+R}W23jkziZf;Yt~Y-lJsy7BSDnu$+jTW)
zWUh>$o0gr3lP#96nSsO5WfXor(1z4NJUS0kjTs2=tl~kX#o^j=6=JILpk#6r{3g!8
z`+aqFOP*B4lSvf1Zgh{?Z3VELx)}>HkkEPrgfVD}eAKlNF;OZ}X{O~B)~}}h>I19w
zZ%t`SB}<LTlyqD$XGmqH3xT3XIG+tR&E;C37y<M&GyK6F><<oqpe<TM@%VHdr%13p
zGD53Gov$~F^z2OqtqpooN01L*`e{F1goy*joC9NeAFSf{kd|woV12%t@4|XO>GQv5
z@SkSQg9Btqcg%6a33J`EvhW-aZvlXoEt6-%5LFQ37F)R1A76r}fYNj_7GKV=ot{c3
z9B`Bgfi^sxI=TDg&dxHp6Da`eE}ew2_aNG3gN}T+oo;r-s3rj<OFE;(GZd8kgT@6F
z?Yr*`JfN8P8Hs_9$;$Qu&>m3te)FO0(Ybgp)?ooqh54jK05Km%?z3a04mju!rT{yt
zL5wgoq-$xLjk>)ixkzdUzmHNWb>BvPMBv#tolM4)t6`pQ?;E4fPW)Hc^6A;Tw)z$|
zW*+ROZAr?HvX{0QB0$6F*{52^LKa|`*jnbe+vArm9PHmx0vi{{B5z)QVa^!VkzIk^
zEJ?GCYFIzM$J4}4+5b*&XO&RZLqCG8l6TbQp_HTb=}M{f0l{Y1GB-?o@lO4wC8$XR
z-_ttcw5PaM(6xb-V+J3oE+xsdT@geWK&xeb=4mUDXDsTTrXN(jF>{=4boOSXL&M*i
zKRzWf>?(0qy*uClL8RFR?jj(Yt(7rwvLeiFtehdE?kN;tonUjBc2RDYI5DjSKVd`B
z(*tG|{7lr!<v3ve$X)<3@_qC)sj**2m|vUrS-}?QzbOHI)@$dBu0a6vrQZ}Dtn#Ru
z_T7!YFesRbUrN&-gArRT9a_IPGUoaYGPLUEVL~y1pnYLS8hAp3dKnRKGbzTNXuZ$=
zS}@@06*`<vrABHu#tJpVyk|S<DJ97Rku@f@d~NBT*O-ACQ_O~O{yibCREjB@BU38^
zRzwH6b5lsE3^lU&-W_J-qO2KF|Bg-uuIlJlr{0cBz2@7vRYxPq)R5*X;c_em^Nybi
zC#mG-vShj)Sj;?7ElIZBYcFy`fK~)vpVAEoD-P1bb>Z+U>1mLTZj<Lz3C+-Y{NLVA
zBk`&izJyo8H0T4K#6F5;wk1`sKA$OG-YwJH4c201u>l;1WH#o;t=hd{NP@hVmL-uc
zf}Pf9oG+J=WyL{zjJZb2OkGVvW}lS?TA!=*`Pz0a%->DS&2Wt*EnKd<uUFB8vd#4f
zN}2A@;icGt{suC|PQITrxOB^U4xfX%kF??>0O4xpXIr=sTgi~mHrsc;5l%y)SZP^u
z5?xsi+frpfTt>-0lQB4}192~wDw1WFsy;E(v3Y*omZYs(uC#=R)IRMgwJrH#q)@X~
zGI1(00PM!ZNG)KVQcCHm)N61eTpA-mx--a`768e!a63w>ClZ8wrLIw6$6;E;tNdPy
zTgK1lRJqA$XcM_rt$Xv;k;|yqYCWVK#w#*)h#JfH*Ne?_#}J^^LF(LziOm=-5g-uv
zK7+BQId~X19SP`5hhAHAjIKHgWBrCYs*ryj%YG*NW?x3a@@yrmu=Sr({QN!1;rY{>
zxd~fcZKS%fgk7T-CpWP(A7yrO^=id;k!S3L->XU<RLS@F-caauVMF}eq+gEjhT{$j
zpe2Rr`~6@l96Qj72v1?y+%8qC?&l872EF*Fcw2&i>*HTrfM+ki9_qGg=3GmDX(tj7
z_G{x}nE6M&rAX2W+Kfy0FH@-AuD%~Yrq@t#Ht<i^*}|5$V~3U9KIbg}Up}*rKUuM$
zH3fT-s@^TWFp`hxX_WBbxH@83QW$emhdsk!QDjk@=+m?Lug~JW#n!Ja_s>ncHZsfK
z$DV?v;XffH$-kVkYZFuhSC)0Q0@o5YT?pO>orPJ^en=qrWn2umzd;_ex^mW;YgCkF
zLI#xS+JV&9oebNQ-E`ra{%r1fiYt`ZfB!0+RAcfHF&Xm8xW3=Q;K@aoriFE|cwsH;
z$#~{^jYNFmdrt_PZpJohPBl3uM~c!S$go%TBo^B8X~g?=xZ~&k1t6rXfohVt^|H3E
zyfZ%YPka^z#`vwzxSy-J`t8R=wwUQ9^M5^w%od41H+OLLI-O5)r=g5H|Nc=Ys#>4A
zgs0WSb%nnVmiOY`|MR(S*k^OK@Y{9S?8hx*32EDc{1nC9w0~%3SRTNr(%^!9*YG=P
z7=gWIM<0jVidXdh$Af-PrptKyE}{<c=O?IdhM<JHO*C4EER^7>P1c4o{)jlS{(USc
zf!@6J?bN&Tr{i$Tke<^qhZ^t1MzmQ<la{v;8c+HkJG5r4@#5dF8(U@BlC4``j=?N8
z`?|Ks^t0m*hGdki4uUKM9jf%%5?G%)<{fAeKeHFlMqY4=Xk9ly^fATzVs%-9ffdD;
z{4i2C@NSqNwCV_%P<)o)Cgxd#Jl^G0@48Zd<uYorTeRMK9{1(N1HU*PIrxCQ=QR%I
zTT9iMMXG+>Ogoqb6^(KGD!m?Rf#W^6(-z!lpC?`PZ?8cLD{{2zP3-fq%}$r0gw^~V
zlXK>=ct`e}S>T<z!#&CtOW)h(ukWPAN7nrvEv&QCBrR(WxygHtrR-kZnDsmRZT9iA
zvEy6cT-O%%E)Y~z!$MSB{&_534RnE$QIAg;=vgr|*nfXUb-lTC@MDYVDW3~&17Cg*
zzcV>Glmxgy9hJ%A@E5z6P0<>TlKx;v>e{}wZK4$rj|l%<C}1mG4k30vr+)oUDWJ-M
zZiN2UGFOyEOtBN8r||@VE15EHPFx10-NCWQ9(6e5Ih}rXX<Y7Rz5)7+`a%3e@k%eI
zrPxA+nGLu~dagSUTD)0k;tDXx-g@L2^vU7T#Y=<6O7$1M#9r2s{d`65Tl}t#W_Y;7
z!MP`C6zVD2QAS|A>fhkn$9pgBtG!_BU$2)b!SY&tU!eN?&RgaON%QOC`aUwqimK-V
zVIREXPcEK%eCUwpPu5NdYXmxUR4smv?o?QJ@r!DKRLIm^K-hEWIx9J6f9LvNNngiv
zBbVlPO+UGAvVlCenPlWK{o(BEi20T;-k@0En^r^KFspr=d-d6&W{Z-|nG?BEn3<`;
zZt?kHZ+n&Q)%|mkwF_#>ZeJoB)R<b6ga2|79<}q%VZ29Pz)1X=Yo;{Y>oYQea7g+4
z(*805h2pCxySMI&iO_AcmJSP+dtT<}q1ul;%0?UtSrN%sFYZLnJz)1)ou`xr-8_C8
ziBVQ&y7v5?&&QkNN@;6Xy>$aC-m@f%KC8EGHzNHR#*2_7!_p)H8R_{Kvd2O=w|*Ej
zX*IKEGzaIrhD<(uc06W56v1a@Oy(T?<6j%M9zL8gvF<VuUbyu}^8K`GEj*RphwpiR
zI49w0qi)M`?XI}Bx{dDz`Pb)OWz2g7v~7H7!fUK-ZN#e&<{aLf`XKrKlD*0}s4PS0
zzd0I&|82gv_JN-6OmDGWdpB`OXT5yy6-DESuQ}V*qW?u*PUHPPm~-fdSna}h<@Y_6
zE&JCOYu`63kDf1V(OUS@_;oI{?DRh2Te~9u4mT#ORgAA4^EqGseIjusXUli*M7%|T
zg(uvGQN0#8pK|8ya%=0kg6}^*tXTxgd!G?6Xk+#pn-2><=u&-s)|{liS}@VFXMJ(U
zS@#T6+MMm;h=&`EOi&1NN@>Rz+~|)He)3TG$<3C{fCKCh7pZ?oY%l@g7)4NG69KWN
zN}%#@@HGA+IN$=U^i)*Mgz>%F)snG~!b@}BbV$z9ksW$8f8vBwp}HdTtWrb}sr;QN
zFqIZN@kO1UoYJ<j(dHI>@!_xGB9W68zn6E-+e=vdR-XU41kNT^)K7KJ0c3@W-}+43
zP$Dk}ap8Sb&WHEv6I-E<x0lyq77~Vw!lCogi~CdVYyDnJe8!tUS8<r}gc3XZYp-#_
zIIgne)3(7ct-t-Zdz#Js`%xf8mu9|c`M2`uowXe4PsW7us7Gw#rM=^W#^~Xhno_m+
zzw~hRHO$*XZ_Qfv-md|#VgKXP4Yw1P`Yh%)y|%Oa2RmW@iX+{{Np8>wR27(BHSD(5
z>IGUypftW(CY9JYN}yn>D}oF{>!6ij?<Sxbq#L12ddFld!TwB13OHCcUyu5gRaSC~
zx3^kpdXXFA`B@FlY(9Z}cI&iHj?bwIXJP*E!RBU}yYcV7w~46W<@ML+K8&VFA!$di
zz-SYnf<;u1C2Vw<H7mK*WVZYm_n9;Qf~ri2dHcNZ)WqM-9A(IY>`+^rmK^iqgTLz*
zTgQ63);zpx4zP+Lv^J3*pReBQ`^~xj@)Cnk+JxHrkmMzf+Qn}fysq;b<>v}$Q)|2K
zJZW0AV}~?n9bvCXGkM`#|86B#{rerMO8T(LKJ2u%{FQh=uyDQqhLhvg+lJ|M8U^*U
zCJIWM4+qPwo`_dvO$zeaLa1kcNb{YE;@FO|+914XUAT#XG$`0mGx(f_6-QM80r4Tf
zo9b#WG9y691XZY^+hF%XgxPq^$4e3@^d6I8_J@iTtO2Ru&PC17ysX8>|B`S*j{N{7
zq*;9OOQ<7^yfKxdK2+3xtMJc-?QFBP{+<H1Z-?`N6d0{g=l%tnQ=C5CVDVOdTk;&S
z?L7Va$F1KvTk{KD?t72`$P<<ub3g&6&h2avY4zh~aAJ*m+wc6)!_c0$^tO$J*fD0$
zsAkP9TcFu)cw)|cbLfD&F=Xfn=|o6w-Sg1*jjF>?do?%Pr=4#bHa4#Yc0o?JY(dYi
z(j46;27^ABW7O;a4Ty!FJ~wvfRIMOGG3|#-SWoObqGnj?-ZySbq~L`|;ymMQxBH15
z_-E?M?hV`JnEyV1aQJfXizZJ>*{vxlVZ&qM^xwPUA`2ExI-$QhfAK6TN50fVv>iHh
zckXH6vcV|t(5<?O^(Q042m!3cC4q03by{E4jztQ@f9mn^Eg3E6=ADz*3}v854qQf5
zRwPfa|9DZ7Le{x}{ciqBfOaaqYP=RKj3NVG@D&Eb=4k)m19l?8HI?oHG;8jhXd1jE
zg$0@aL=`W8TKYP^DnuC=zn0{p3>2M@lPzcq4y(9Fm17ESqfPvKYMWx;_Ads!hK(d-
zK7`DBb08Hqw9EVaz1M4(E)RZxITEn=`ExJp)Loa3r~h6g?Z~_{b~fDWaA^1FQ~dh!
z>G<1&2<Am&y6T?hpN*gUEZSUn2<Aw~M6Ai^!<7eR1BuV1s&2MK{am8Oe?JWe%oW1T
zep6^Va;ExG7Ms8S-as6N%$rs^;n#NrggjozH~$iJTI8J==}$Z>#NzC{faIHL-qF^T
zvAy%=r`B8cUWE;HsXf43nA`k(Xl+T`@hU{fIgm`dj=Z1^f!g#Vi2;AyZ1#OLno382
zjo61-NLZ!V!QkT(-uOlN|25C#l86gX$97#``;6oEjQ#AnEOYC)PyJ?|bLQuqma5k7
z+z?&66Eu9eCfuLheTb<%ZyqY{SgH18Gz%;<++j3J?u8!<7CbA?JD-2v+u0-0uVbA=
z4V%NFbV>J~%~UBh>%IDXEO9gb!xyjko^br#kvKLqc57VS;fFG=X8%m{k9qSh^}S*O
z*sVXmbx$IJ&2dI&Wl>d}%P+qu$h=P5Ka+y72&Vx9`q)>E(Qo(i<NlmF?eFt%?hNnk
z`q#=WgrcvQ2t%iE!){a-F$yCj?j|iH4(2+Y1~z|AO%$y9zlIFuv{V+Y`kg!UPxQd|
zyU$wgniPC#TXX&JMI~y^p@{N}{n01$qO0aFJ_C{hYhX`5T{a3n42#y5{8D)D_3;jI
zLevya%H1Wx<Blk?vknaTlglBim-u?^ttH&_*9T^7gcT!Ow5U}QtdvU6DL%E|ae8o9
z%@etF;106xsrvqd*ne`I?<a^=KO0jSXS$|H)iUBhk`z5E^R<u6{gtSv;-o{XpZ3Jo
zt@jGtF<6whRUoNe{MqLeH}mCI+l7)=c+5mHo^7`B@J9XUu}gmRkv9mp>G3$%qBf1z
zW%H1=AX_Llv2w_9e4KgX?V-fbc>1OG^(meE!)M_eNB{M)_3Tn1Lmfn)Q5f@)ESyQx
zm)K_#wfJbSevJ<7@BWW@8IPeo@g=gqLd#yil)t}s^i7D;>*l4T#uJEHO<EGmdiHt%
zC(d{Og&31(op26bX4n;>B60cV6AR_h2YS-()Ymqc*+~2jA>v4<kXMM8%h)+v!OFSs
z@^Q9cTXU`ZNniU{inapF%&2dvI|WTRM6$KPF2Z)kzpeP?m-4s*@o(&nI4EKM{=EO&
zUrr#++i-Wh=J0npPOUT)fJx0iI<Oc#9$UR=uD`5jagc5Po4LuYue|hQH1^}=EK1GR
zl)dp3RXuU>q?f?_&?sGWCP!ukcCD=|II#J+AnBL0u>dVGuc*x;bmP)GlRCcn^!{?H
zQ;>;l+Z4V@r~B<&pFiO>!Ljef3&YKdBGJsh;Ny|A_B1W_g@vrT0%+(w>|Em01B-=k
zpUQhlApjB8#G@bb&TSh3TNRgY<DJp>ZksqORM^0}wQNR1Pxlla))F*AfxLM&3rU`!
zVw-WlkV#;=@NDMvpVhG!`2%r;kYoLo$WXG00Ku5MB44*Rdp+QdS5N<_1pYFnhEW)+
z+WN3DuBE~^cBHH^gUzLw=!r6Aw1&Qmmt45iy59eG_~N2SgaXOy(#ENRh%?i7PSpuA
zZoJuF2d}))g*Lq>7T1|Ne%t*in@^)3U3s@-u^}QX_rvN$q6E_*PXNezELEGnWi~Xv
zdVAnl<?}~-b~S8QVg4<E_Sm<K^x52_{8B#sj=0bjQU4>Nwom!S*zc#ED!U6(N3oJZ
z41t^jjfzZv4YWpvhCj6<(DQVee1*X_BneSDp#}Z@T!;wkOTRb@3JWOy%n_5}W#%n3
zzH6x);P;I`^tCI1uX$K=yY+UEbCtDU)xsE}X)|8c0kvWB;n4Wk@Z{jrgU9!gvgU*t
z2OZB_cwYKFaI3&_3hDC~fw_<|7&@i5(B7*k?>U^}e7a==+9P)JvBfSyX6q{FTs~y}
zTSlGnq3_vErz<Xnh5br@loQ?*T-T`my<AJ4nI68}y%q4S@YUWkO~*EuEy6ZQPbCV?
z7h5`6P>di;>DEdih%mY`Oji%+{Iyf9gf*6Zb7g>VU0E>a$zP$xTxd@f%ledN=t-!j
zG@C(_uc0XIfp+nh&BIA3RE6hZO!8EBdX&`-J7K5cb5xZ|>&06#-uVACc4-bKy(IZO
zoYL{0gAjW9P#<fZhLQjlq<bdfc?s>ceM@sA_karyi37HUyV*)82mqH3ef+v<@4er9
zpUG`}7g6_>_d0LVw4B}4l7O$=n~-gxRX5>#m1p_R*x3Xm3iA;y$>MRAgA2aze7*O4
zeSXFEbLHmh+PLK0eYeSwlp3OU{EhHuqZLj-&4))>-^O|>j*9^uwClXt4f5%fRwohF
z-Rn_Xmy|5th=WskynT6pN_?8TuMjU>mCqDsv1;h<0z*S55U0i`Q=qiMZO;1}X3gI;
zt?1E~(L?XF2<P7m9+<Dv4}1AnRSQDMaR>FRr#`>Eo!rE|qkIVtYMu=UceAsW4VR(|
z`$#;A%5Iy!?j?TGF2{UWulOs(SIWT2f;=-b1xcos24Va4D*v0i;iT8!8%ECD4XB*B
zHlsf3DM`#ZR##yrnZKgsQQCL|UJ4m{0%7CQfUd$Q!a(aI-G<*~p`Rzqc34q(23OV2
zd4h>KCs`74(Yfu?hUB+`iA}3t#%*`JJa=7Ow8uf_Pjs2W2>ZwzKWE<MpN&bF7qRf&
zwe|O0`K|gNFoHPw(8e!$YoCdXidH)XQmi;J-&yOfx&F%Hw{?p@+VNBC7Ua|aHaFf|
zw1uyY0Pi{xA`H{CfcJo=*NeFu0>muE0R`v-?SCBA-AVhd;(a4Q&7xEA&@tr^0&c2%
zFv@DLJMj@V^mP0L8?%?M6Xq`KX+tY(VT3E!EU{{7RRQXRP<DDYz{46m0~G?snUA;6
zxfa#kj1Nxy`Z8roJ|31Q$A<;zRrQyfpP)8!VJo92y6&EJm-S4A4oN1i;Cj}Z7FtDM
zx0(xEX8MmXAIUKP<=9#=wjJBA{qxV?%D13k_DTdeb-(XIOkdM$wW}BP%t^e~qF@2w
z(vDi6ff!d`U=B*J6DR!|9ssKbq32YW+oj+Pjz`*w<0xUGpa&?PAwZFje|Z5ry?uiZ
zd}tw-LFwBfQWl@P<^T)O3|W?z9f}OTh)YSstEv0F8;=P^T};xLK9?BRb|HGIH?ISn
zdJ_cf?_V@JaH=Q3$uIeI+q(3DKVxUyy01Qluveb-dA!*y7CC8keP-)`dY8m6JDE|~
z(5o&X2srL!HoBF+wW1!ow%kLUAdN1x=H9#1XA8asI)n2CoDZ(6RKkBb44he0f7=$`
zuL{)c+~viMXr5PFeJq(g_2b^!7Uz51k}qM!yz=Z`f-&2uAuB-9zk|bw{+HP&SZ-Vj
z0ku(<-kUVFUj8wu4Uyo((?K@16gkRI|L_I65<4B7F>>(xZO(9;bQ=x@l_?l_)R{u(
zuUm_s@_AvmTGq%SYUkxV7B?0LYePMX@dwx|hGmobS0<Pftzm7?B~OiBSZA1R3`iWF
zEHj+BW>|Y^BB4x2?yruF!9=kAP*c$M74ll+O(AU<`B&zypUw_rg$s$Fq{CiUG=*)<
ze7JB6{}3GLxm%YJ@+D!_Uqn4#Y;@y<2x~c<z?(SxVDAOt(Ju9!o=xWkMt>|F9&WW)
zZ9h94f6lb(HG;M}E;gipE{8d(dOg6559UV`M|{4~C?2BM^=2n>4R3+R4mjuut$e5-
zniJDjyi_Izs`9>z_@jKkRNWJ$!kUAC?afj-4e$}CObWmoGziK;0y_6p6w5|-NB}!+
z8LN-wYDWXKVJw(M;setbj%Mf%RTnL#sw)sToF*Oqtb3(Ise<f-z4f)$9df`@kAmv$
z)~>IL@a!EASjb&ejte*lI#!cge5E^tutNzPN+r|*Y@;xB!sZ#}$CtYfpq?BeDP93G
zFawldOP&7Uiy#)lGY*9ST7=@I=?rOBvE`5@9Y_H_jRNVKj_^S0qY?y5jzqhgF`K98
z=V7S{p^7nz1qrpq)R%l`K2+~oznDJXdYQPgT=v!oOk1SGD=Xl%INqj?DQ3+W3vW7^
zt5Xwr+!5)xgIrptTy`nE!Q-5>1Yj*iXJ-LL`~ket&bb^IfaW)x(>3UWD!l93Qq}#%
zMiGi&8%w40so=yjzd?6!DiskaR3FWX?YK%DTND4!y42dfb~HFRBuuoCa{Qv}`#F7q
z{$ikE^s5TVEeW_+&{gK+@i|?U3!w>fL*QVm?oS%;?8RQ1DQ(s-^^rAUr@I)3QT=T=
z+r6UXR#sx59xLSNXPLMM)IE{fexBDa%y+XBh^+6*aWiOs$T~FV3p4(_rtn;x_WG!d
zUFF5TTG3mHDXcD5V`42CAa8X_4DT{HrJCBDo5n*kb+u^v@vIRcuu|4=)DNUi+sg-L
zg<Qe-%73GA&}8&UmkzyfQmI1u$?9?jIP6oQ`>n~cPB-TN&jR!#h*n<(|2rwl$7m15
zqzzpWBESuy4$igD8a5pm+ABbtN~1QNN%$4&Sn0M~91zwT0uw&>&HL#0VT5n>eoJ2v
zhq2Wxt`_Yx$l5a${Hfe4kigQXfhx>YKoD=#-mML`Ou)x8+0_;OT2r_k-gpY}<x-hw
zvypVA(aYr!G}G*}$P^07?r)I9AjmUku;;cSJi0{f8CHxpPGGOFVcj%t^5ks+?9Md&
z6N~WU)6NVU6znXOMl*U9Ui9zwu0L+X=Kzl~IEIIfB*v__Z{7hPRJyl!W2?3H><Ciw
zEc&m31+BE1q6U;CKcnyr1;B|WKp&K?kKtK5@ju=Sr1_hXv#7xLN3p!hr=Y&{D^6RE
zh4>{EAWN41kiqjcCcg{?_2wtFRkhx6nY!6FuhK8J?+YY#LOmgR9Y;!G^y*}42ROoD
zJzwVYy_IgW<`h0by%ERzXuywAU2hWsv{Z&N>*CRu<24}aepYYXr@(jMKUa6%5#GNT
ziu;91g3_-`RfG)O5Uf(M0&V)Wn&qE`f>q^Dl^JgPOeRccyfl1XB70QoSEb49qP8p>
zCks}Rf^6#3k4Z1xiGy~+4($I+-ATlDiY<zj^6hzEGBE3fuKM?}>DfQOg6H;daZARZ
z0z0}-@>Weuh0j+jynzZ60iQ}YBL9N17$JVX7Br<7xJ)+{d7UdHT6M-N!yYXa62#lp
zNAhE<&QS<PzOP%OUg@ktg_x4!(Xp>(z{P$Ie$H9yKO0M#8FpR!V{cGydTT{8-2a~P
z^tb2z834ZdLfprnUniv<Yp3zfQe@OfR|wZA;GtAF<C9;ifi<C@K;R&0(ia|-&S=HF
zS_$eX%$v!1s_-~wvmvitFN;K#Dt}Q^ew6RQDff+TUzF=xNgxiN*H*7&R(s9$uLgk+
zS9FUI-0m4*ZGY$^>7GzSd>7na%o2P03ssW9`%GN}CqleGUUsd3GDj>4GWB_vf#Hl)
zQ}n8zqLDXHmXUiMpX?SKqIhN>IIjlXiAzNL4YIp6tCb9!!)MGq75f{(S4__Qt}C?i
zm6~dpB<Mj3X)`7)^P0E|cY7zc#m>KBoXIh)N;66PIQ)%sc5DAR^=Dy9_Yn=~Ye_)r
zZ}3Tu!cK<mc1zkPmbJ1bT{V#E-pM5p8cj>IFWeRyEY32F^TKlVUXxNmE{5CfIqN-W
z4vySU^0^rJ-tRd*=25ROlR0>3)tPap<NKxPbBt3TbSgn3+q;Dn2r>MMAF8o-^f1nh
zY7RB<=Ygugc_2^zJkYtyQ}>#(t1r`a)9_OA8npYloXt)Mh=y94^g(px(dUeqo5zLq
zAE3$Z1zFoqO2aV9{}Uen3UR<T93=tFum6vx>+q-g`~UY|Gb8ibnMvG>Xv;1XO}We7
z$&Re7OGHLUR~jOvaPQ?_Bb#f>$jC)xhwM?v{vDt1<M$8T`+mRAIj`}2J)h5mbmM9w
z9u8q+{M6o`e{%j{Og^Q;qaMkBC-&fHdF4#%-1?YY`Xq#;-=NTIaLLw28Ep>up`bC-
zM%y+h(3`E>4Vyc%p&3jAFvIu{D7Y{Q>4ZztL(mA1J?U{6z;`~JjL{GuRu$9$8NgPm
zuic&0n+xrmil1@F8+bS6{^J#xrC-y)1|-aC`A)YkR^6$cLRL9?ilhetp}e3iypEwk
z^>aMx$W^WXW+<HYoYyYooMJ6_Xx*pV=;^@V1pR`)-D4n!Xt?|3lY=ZX+11Sq3Q%WN
zijTwmwa2C_xh(#A{Q12MDbvYEilxwB_LfL1zcS?{G>(y<e+*`7P-USiEKb^s0<DO2
zf9u@jRn->bNZfsb3TF|-94pXSHA=L-8of8%6NbK7Om;oQZVz8+j1VSw)DWmp6p>ZY
zXSt#Y5UQ@P)qNf0(1xvi1c~ilR}*h67JV6QRo7KdIun_C)b!k>06xb1hz9MDAO~U!
zlQ}2%6QZPN9YECx^Zo=>EMRTx-G9LyoyARE<AF6uk2d8VXWu$RPA2_r(#KvD*@3Mk
z!)V9n{EF2AFaHffGzlkMC{itTV=9$Cidpxk%Zuc_b+v#3GGgv(ZiZO?1T@8MhjK*<
z-G^>y^^Q=py{Kl4<q_(3L%P{T;*lz|Z@y95vl~edE8@7HEoSR6Rp5=8>)@-)HW*Nw
zWQpf7bK=3fjvTUm0NBJ`M|@l650?P5@S~FG5T#!3wx?BCCMqW>X5hjQC}HXKsM{Ri
z=YGaPir?y-npyd3QmQ((<HqQe#X@!sL;NwrXqqQ^Sll@#{IPVo)u~beKxTDB1?!Gj
zc5I&vI^~qDgRC?VH)|uk_1W|ms||a=uig(w!c*yj8qC&c17471imq#HaZkqK5v_7C
zV-|#2x1sN0L(G+D?)=}o(-1cPgx64{qyV?eyC{=Cbt|nW8>A_MM*Uac)4sEi55qpA
zHri^J<9h@0{S9QY4m$;W!FUX_4uO%P%65n@)Dk2sUxy*K$%ust-a|H{O<?|88d3Ln
zWiA6LKn=<soy9|4yTKC$VosLpM@qXeW(eD-oiess$Mk$G=A>iRm8FIP;Ue=$Me7$Q
zN>#aY;~<EB@KN;y@~(>tldMMx1OFBFpgLz#s&s}SB~y%|2_C|dDN-_#QxQocP12>m
zET%Izg%SzI%(zN2NptH?9IjAMNBZW8hr&g$2SmnFn7JN9t_pjicf)E5kZTxse^G_!
zu_mzh)e*b_h<=zl;Lv<F>WZ@nMUClDxFZSnLE~;xU1g+9WaKYT*}`~PI}&$d7I(q+
zwCcxGyi$m>Z}99NA{(^Zn0r+@OYwKY$6BQ`p2wk{{<m?Z*)eQQOlcOq&kjRKhrg`r
zLkcZTjW(y`&IDe8A)1gL>mBXTZAmh|aYb67iLE07`982<yY9683CAqcPmEn&$I9?`
z#N>ZGy{rG25b5MlpPKR1bLv-V#x?N7D6dlE2u#2j!L>4%1!)*fcaySpcqoO|RM$qX
z%S2Ye#&VBRue;ju977ZxEqHX1hp24IK_i)vq8pJp8B;K4y}CT!F$JEhbo(M;g40@S
zc(1J$eORtsQu=K?A2ZjI(czDRSVkJ~Tf!s8!QdE5ZPzBbnl!YQaGh<)EEhDwh!Xi#
zdIA3;9<IiK<I!i8*Xc_{mKuNm_WY=+(g$>JTyf0%6@KCO6O7m_2@+Bt#Jh1%`aMbW
zi@oKC+!SI1UKW<mR=4Vmu=a_90S;d)1Oz|ymCBwNuv=sq^Eh1Wt_dR;?H||*+-j$h
zUi@u=D#~Uv4Y1vJm+GsdM}yHYl!OO^qC1{bw)1Q<kC~A!ES9rogO=P;m{+z8)^JA%
zdo;j#vKJdCgd`q{Q=^~pr!Y3O9L9=ZMBCB!T+3_@;<NFLDPC9T$Aw5Dj}MiZ<Z1vO
z)fmJc@QX<x3DHIJNOi>Uhn3C{uyke7@CN}E+6`VI$|+7Q3P)}V+eJ3%q_~kuOl)Hc
zC+mH~QoMRiS;3wwV@K6dVtBDh28cI9fDq_Rvnln;@rg_ZEL&3$cR2E4;PD&;Y^SE5
zw>=FbRZay`v*Y<Ut~pr?_cf`ylM+wbm-VzxR8!tFnx6QOB45gssLGeG|M!X}`XVFR
z$qdJek-gl^bi>8sm8z-}%n}}kF<i}+Jd)1_x>*<~$+x2k?9Wa%)Lni5I!QNaCm-nq
zj`SIw6sc6%U$*xKEW3J+nw5vK3+ajG>Hj?;tJeG9-UYj$yS%{JzANK!@7DUGx}IPZ
z!ISFoQN0!!4vBFmw;6RU+<^Q}(g^C9W$!4I?V#=j{qVP*&Pu)zhAOW$JPYbGO2)Cn
zumH2<p%KG<E1f~<iByXwOtR}W6!?Bj{18tUl#w-PX1ihj_Zt(=$)UKO^x_#u#beXs
zHnA)f_&Z+X&JiKTN;be1!MLiw^+b^>cizXvGGi5`=stMaVXU3?M@c@$@PKE_5~O;4
zwcYjdGaAGO!zSjiQj$hm_VP`nxyA<WFb+NzvQ3#_TT_?-9&tg&;Y0Fs;a04Jd0VUY
z;hyKhGy#;<zN^Jy@lfd8$c0S{hqOsI%q2d-UQ~hF&brvGAG!H;oT__Q%4iVe7$2D@
zipr`GQ+sPf<kadD#;b77Tvi)Gk|N@zK4WA25m+AUGxqXcKp?@zV(z~OUoZlrd-#+B
zR4?y4;aGu%#>~E^IYJjrl^pLd7=pBuBq|^ODrqF=_`oWNgD2)%_F2+~u9!blsd4yS
z^V>`$F98s3$$~|17%@&3-NM2R)d(Z7)bRYCBdakCAknPxAOywU@E|;dZP(8=Nj9ju
zlDars=AK4lpotDG(KZUFp4bXp?8-c1X5PY-D9wqHw@~5CJsD1?oS+o&kgq>M^fxo*
zlmHs1Fry{Veg&~tDhP#P-s1I+QOoa3q5Z(oFHRVbcIdxqBLy>$lte2xu|aVUL~+3?
znePc_QyKGkZ3VQA)Lm!m$Vp?6oL_aQ7-Inu4ip+ssC9BM0;$JgrBw2eVh$TORI`M~
z)e(h2RmEHKQ=|E%>rt@xi>Z$Sq<KJf=6D&cwS3a%dW$q3mvco$tT0Yn@#aqvGy_I@
zg3U7P`d3|}#25uMl>FA+49AY)Z)S>jx418M_*IJA1{qd!t&dwaG9o9UWnDhrcH%<_
zD&yk#pWnCZ2sgRj;1xi+EoU#>-8zB$l~+xGvlQl*m`SRo;8Rqx;e4e}*6Rpq)FYoc
zpbC5x!}Hi#KwBrIc{+f|TR}!3^qJkX?w?BL&SM=%!DwFmRMl(Th^F5eS<w!EuiALr
z?gEMU=~a*5(p$10qj2v_zQ^Nwb=t1>@}7Ff`WD!Iuup!ncYor>fXD!T5ScKHjvV`I
z7R-}4c4H3<8+&elcr=CyahQjC9)RQt=cE>R1Ijo^o*^G8a-=Z5qIjkjXDF_>i9OKF
z00^s_k$FRk5T~**)3dk>e1mpT=z6*?kNgjU4W3Ztq(=hO+>}R9%-~pSQ6E88=J8Qw
zmxL$`6LCd>ewG3I9Ay6Q(F8L4{RUoeKE5Q?y%Ts)4E_Speyeux&|7)&IO=6+;dQ9u
zcWW1$=fAC_^EvYba<6~g=Ma4%6=jBI1kiy)%R2;L6O)Rn(@Hhs@`?hHE8m!RHTO{A
z3FASC3KjCSQO}{d4Boog3A5thUlUPDjF_jA?5R^?PIn%YBTa1C3LxokA1gRpPqCQ_
z_kUpvBZe@Hx4zH-o888~>uRL}HWt$XHVXh*e|$+&HU15=&2hF{Z;1O1LV25R%N&7^
zAoHZpCdDozi{Xoa^afNkqt%e2DnfSk0EI3Ik9cW{8Su*jp|Nigb?UInmPDr@ZZ0-v
zsvBduAs8XVnau{>tVB9Oi{Yq^fL@pCvEnO}0@?r<`N$iA5(p<8Ei$Hmftlw-B9Qk>
z0`0ptf-x6$JPC?wfUk%ruu{v1wMh#04l}l*wz#v#sUDnIjqph?QKRV)<d0O@sb6&?
z+kZD<h2}6tv)i#Or4VC00uyE^gvPO<Bf4WOhjNAUdYbA`>9w9y+J~9vNdkueCkULk
zE1fw($K`Y>PZg(<_#dXjdr_0M#S2p4Z-%QPf9Gmf<tyy!iD5LO$&V2_E;txgusJ!{
z54Ad%)|F;d9g+lWD+k#yznYmFCsBbkRc7E9f@Zz)RF~w=!X2wCN<3-9atPYskvfU=
zHVNyLp$rE#SDW@O3()MIx*RctGNHv>FuilwGMuR;9GMJ97w2&_B2;(sV%EtBmQ}#k
zhf*_jUYu#r6*U5sK<t}v(-xpJU}}jekt5ce7q=8<zzNu-@OF8DdRMcf%eYiTKdv5V
zgR<DkaqeavwJ2cP0U9De?{%^eE+<u870ZulT><UT#aQfHZl;FkF<9ylwh^sT3Bo1z
z{dgjsCkA`=f(g_ST68?K55_Xy>cq&PUIs<U`h>EOVTh7$XXd;fJR*)g6F?v_Fbv~{
z#cUHola?8c?b)z(NM?%G`w)+c6JY~sECrWH|6VyZ{19mM??cFzRKXW`gf5ih2Rll(
z*r^iYlqCkD@Bez5UO?L=rs8FJscJdWX!P}yOO0N$FY0XHW*i>Om+w9mMIx;Qw46A3
z+hGPa>_SYXFq5*UC~ZW5C!OnXLBhz0IF30Ni#rWOcMX4FDaU(R0M#(~Nc0XqGD&yc
z4Y{<c13P>uDezF5xu&>08xU5HI_uRc;`zr~k9_QjK=nN)m=|SUk{*ad(*Y0;J{mON
zbOOa{&U4}ZZ4pbKMx!9w^9byp7c%IUMIat1qL!wVFciFfLMk|3shUlI|7|kWbi4>L
z9lTA%C^<tvLoj_1f_`>p3~+!lWHHT&Kzu(u*8=8cz2ybW`7vZO%*R_ICJC5*w`3@g
zXcC?t#W3;^FALbd8fgMuue$xK7|`&lB+`@B_liy-j!8Kd6>>lo$=Ps*l2f*<r3J8T
z!|hwM=3{KwuO7Hp(P()Z;Xh)o0~w*<k8(}G;Kopj<{if`S_?;Eg{!SU-ach}#K{hB
z%HoC`k~CWPw@G;M@ys)!PkfAvNYOh)Xo=?|sg+itROtwl6TtaO5s`I+I6GQ1U5`>e
zoaazIff_&)u&E;J2mq*^h^SlWv&UmU#q&>RP7*55fs&gXMe<5GQ`tjr&8@~Q2nwD)
zMa<vQWPzH62|EkMpM;cpaes`45w6{q&9Y%Ca_;|P48y=_@Fu2X9u~q07`<YDLQ*6q
zCZ)KfH2vVLvMej5MH+oh@&PxyOyuCEE&QKd<6#-1YQKKwbLI*8YpL*U=AH}fUSdVe
zKDDUczulZ;F%WHGW|L1kgmG&JRnsid5M?tK@E-(kaK=jV9!{dJlxCKaG(L=ftYzIi
z&57mbL98B${81LI3sAD&%jh^B-I77<(aY!w4V=c}U8yIy2jelkj!6)*rne5_h&$)3
zVfuS{sdKe2W^e29ki_&6ljFG@hovnUA>yfLhpQ+`X0BkWMfoktN1VnxaN0UN{w~X1
z0E`8O-H_jymhdEXNu%TDvkfF6GO5Ai%+3uavL+tQKOmy2h)3Z0GYplm!h;1OiB(n#
zL04`cF-L)eLKLqfBaqH7pI~rNs|rnf09JrTpG^?V6Vpc8>9c*%Mr(EoVt4>4+^&*h
za9!cyDVL2KUs}$m?>XHQ*76<5eSg+I5Q0HVzgWB~dyL58j^oim6prT#dOEC?N}6K6
zjv2~Z!sF|SFO(_`J+(RxPveWU+o@CRjaAsZ1paAJ87@#o<msRjDxE}BuJ>n+ca+>n
zB?uLX=_@YoP`m!=LQM2+>DHC$#h*T)${SOwscs<pfE;OYNN^X}T8Wux$;eG+X8MUa
zWu2r$@@*R~Tzy=HJtK)2RR{oeFT&<HL&{v%vRU#HSM0@92NoxuD~gM9g0MVp2*H$8
zz(|UIPw4iP6$ODqNboodrhFyW$$s8&sK8fe6O3GeE}Q62NQ?JxC~*Cl=q!p5WTNzH
zrwD+F<+Ub~t+$Cb8mDPV&$8kJ5$^Z<KA0`kTuO=dLVyIr%IYKNo{?V&A3PmqOEZ9|
z*c{k!TIw|*Y6A<^X>+#Il4xJ0<2>wcq=8G6H7C1nb!yj{7KJajevr_>MG9Gu49>`6
zEoMeWBGv|&Okjqu7*WBtAvbSB5p@7_Dc}ac5MU8Yo3D<eYCD24#y64eoshok+0y7w
z!W0p1qoei?NUN2+(s;UW*d<A@jDiI*tGcBGf+25Os$Nc-o=6ezmtq0QpnpvMFx^*p
z)Hbd4X9`NSi1#Q49tWypWCUVHuvjp;IL~#&kFLm?S3Xovzb*oa6|r@IWr|Qw8K(*r
zc)jI`$EqF{nO7u<Cr>!2r4o3Lv8xzqIepb93s9JfCgLP%5F|7QS+7uNhW^@Zc+wJu
zbOuSPg+_S&K&L3rbP}a<(bD0VY2S#VM7}P>h{rZ7U_6(}zN7i7)U}3I*|=g5XwhCR
z3azmUEeb|Yh>2I4koDTJ%+A*$$Y{Yzyh4CyBqTRm8{X(kFs8(mL|cfMqmVA(KN#yl
zAm|VmMxJOOhMVo=mD9&j?6jUptnfGcsf9)_hmW@f?57x;rv7Uh6dVBy+L&99Oftb8
zv(#%QiBGB^c%1I&l0OQ5#UmK6PKlwfu^>7WiKR{;>i!t~QoxjV>afqzXXdL%aU3>J
z3NI_}@ix>}VNHgxxFdKyr$an~uOOyYKBo?O%@fXlBQ-0yH&M+gM_&;oNC&^Foh6aW
zoP2Pd%0Oy}XJ(5;6oK7{KFqRSW|*UK9KOVGqGx3c1Zd6>r;mN$ZhMxbYm-PIoY8f1
z7Htb?;k{^yjZ1lckxb&hb)ANMtP?Blylz;BcoW8+%8&s=zv4u%bt&+GFXC$UO7n!1
z6qq;Yz4wuY<e3Wz^S@&Bhx1VE<M|!KW!MU)FR2-47sL|?6x#3>RaaX;&|EkIm-8{_
zg1WO4uam3}`HNun73DD~Cc68A?2(-7bqdnf1OW*8>DVC<2(%{=7(JpXrf1W_XI@nJ
zI^@th@Vn;CB5J|(7ixhDAP8xr?OPOLu08!0ZDaUQ!RcNO44?&sf6_lB86oD-EZ4|f
z9TmmvGc-d<Q(%F_7RIAPBiMLGKF~262lbZP8%)4a+T0kFbUd0c9t#@t!SGF2r2qf{
z;sR`KjM`g`29i-P1aFW@FJeqMobP>QR^+?ma$65cV;qA^#=veLiBJIc3Kne&=gd)E
zU%b3(2mr8|E6w1q<mCVyYt)kymRZxCkd&(phQQa=CVJ}k)%VDj*1jh~K#+7sHzhi9
zxpDTde6)0n;g-B09U>sr?mYahK(wgT+NkBidjw5Zg?0i$aJ#JsCmnwe7c~D72e6OB
zgk)C__6ft7!sUCTC>cvSLyBiZYc#t+<@{yRb#Cid9Jqjb!Kxuf948(a4{jf?L)|uS
zK;~v-@fBZDd?dl>DFsn*zB(m<o@GENm1c&cPn3|ai}UqzfY8-DTn?Td*Jg$hrjv>O
z{&WuP&uBO!?o}Ct+U{mY|M@8-uB-c8%F{&DM>d>I31Y4m`N|U>jnjB!{9e=DNyUki
zQ4aJSY79X-thFz$eC&atB5D=L5R&vbO7Cu~6F5uJb%bOxQF^ftezvmpH;owNTFJ&t
z8gL_B_iT|A&}Wm8LZ7%m2KfRMlrUUmw7kgoRzunN`cx2T6uicBEsRx9UzOKBhUd4)
z=sAiqrN#(gfxtiGkc|oE<)HCtlzA-7u;LuzSqCLPE(s&tKUPF_x{N+y`tfiynxcz-
z?i5ba{OZZnuF6%Uur_XZ$vufdY3$`))~qAhMKbUsq|77e_nu5esvg(5J*O_13lEkT
zJg~nlYW}pAxPhl9SqF6iX)QS(e!3|h{`$-BVf&W3I}qG!Q=B}iI}&#epW@t`n;nMW
zEp-s{diBiyS>?BwYL9D@@FUroT<9B~s0Xa%t}g`=dDl(5+(DIimrP{zCr}ykGofgM
zIHo0i$rNxnD<s(u%XEw>F6Y&YGmNQ?RQ`8e;$-NfYqKqq6ZU6<@{>T<N{wN~c8K{y
zi*!NH4YoIrr-RqL;qMmfro^OLR)6?0ilY?qjZDm8o#I;p-XD+b0D%c>UXOgEO|+WK
zBSFir-8lkj35Zi=&Ti2m*jS?;qv=gxB);$;!&SD*2X*Fy55ec751pLn181O=&q%XT
z-%7|Am4YhRi@PAEueiWiy*nJ|bnm{NqMjTaRtB;8RG++hK~E%?qdwP^k{e+8s4KTW
zq^KYZ!16Hj2Q<PknP?kSs_Ji_$VVxEY$t1r8*Ga4TFaOR?@VG$L~%s_0FU|ng;*nU
zQYV(7c>An9t^FhSXFCo<;V_eKN-IC5hXwPxiw)#*f=giD8ZZftClllL{OK@C`H&nv
zK1p{jkv`X}69;CCncC<imb{ZX0$KorZgyzT<S>=K9c$bIL#wMpb|D||Cd_syQA!U3
zMjLUdnK5wUJ*W>7`%vBEeIOniGhswFEc75G_x;kYrq>>z>p6DH21I0d1pyT&Tz(iN
zUOWs(b7{Ao?d^#%JA;S)wwG7OMVUOYLtUX5Kf^c}{P&>XNAvnn`jY0jzH%UqU9zve
zD#h6{p?888D8)AI%3!$0vcLSCk)%iMh8-VoJun0%64cZ@+d;_nnogc3BlPAGyh0Ba
z&Oic;5PeF4FbMJ6W33-GFabwA9k!ltG=MKq;a?1F99|`Ys#?O<r~h~|Pb^jl@ldQF
zW_(tKuh6(q{#>(cduH!9Ri>gZnJIh}xNsR>p4GF}Fx!w7-2+O-BG5`7_8Ian7Vzjv
zxJ{|Fs_IEDN>`IH7j9Tly8Lk2ISQm9DK=n<oLIF5j<my^a$H<~K+K?mi!{N8N2xI^
zs3zd=O?eL1s1`IC7l%MQeK>@gc!B`o#S0p%YWt(7X>K|?34}(_H7BC3ma`k3v;SI4
z;>Sc=3uw0;?JeN_!pH!zW)Wh_Ruw1yqM`Bw6+v42`0gZYsj8p(?VabovmlflE0unR
zS%b6z;c$E+J?*KW-4JL`ipiwt&%7eNAb7AX>)HGMKNsLs>_X}LuNiRBFOL?&5fC9r
z>%)(#M{<vc6K<C(TpBDejt5{XG|v?z&^(fuun7xRNS;3m>*N380e69ykm3tATx6>J
zb2o>q2$od6>NE!iXW2Tkc*z)>&T$wa$xR^=D|<BWQ5gCQ*h64m#CJG>aro(Mk;4Sa
z_~%mSlj4nf$nwLZO;1Fn8mZiO(ndR<s8VHUS7j?|<zyd7Yb1-0!C@H%oH_h<0Q{GR
zp|ugGn;D@P-tpXQ=DfG&J(d}qm?uSfpw@P3@OmFlr{_k>!U{O<1H|{ZHu}Af{pA$K
zcEiZ5ekrgrtHlM|F2>Z)WwOkrc&TUyZ3hP9`whAOJeepx;pn4Zz*;NS!K)tBV!`f_
zB_s6wf#WpEYDI~)pxktk#v6wnNRZ{C+FwQ^+Z9Z{^PFYYM(4sUp}<8?1=^xE5c6|P
z_cXf-%O{fa?c&D@(pDetSTg~r^_mU>=BejvPKkb?^R5r|#A`lRn>P>m+Um1yjT=4^
zHLAnfaJ1xdBv6Vk<+-%J9$Yx{5;e5U+R|zeMa*c4LS9TIuyJs<&#jF#<PZA<d!LK=
zeD9%9hMo^s3VSx(b6iZ2Z~NtSirYCirxy43xQd}Xh#3Aw-~|T=S}&Za3h?cz)>KJg
z#AnVUCiu(U!U4=c`6$^5{J9aNyi_VB-ltCfUP0*o{DI!Lz|d_`5uBnFk^ADOq5|Wj
z4_t)`u}!7b345-C2N1s@ob(-|`qFnlD6-R;6#`<<E+sF|{7cu`mK(H8k$JH$6D**E
zaw(n5VgYM)Sb6;wD0-u+lwIyapptw56!jMdgdU{4*@wsD^%4nU6bSBnA}TuVXeKy9
znc0m<8A#i?F6q*!m~*aQE5<Z7IJ)tX$#5TAKJ8Y{Y_=x|z)_0P2O%EJ<g}Cqa(xIY
zU_g&YsNttfMTyM$5mG6#iEwtxb&J1BOa*M~^8CN-QtVrD10QGb7Cho-=nG-#8hE28
zTvT_vjlwkl=z-CGq=y(Sh5>f}3Q`mL{<#dHJAd?V=Up$Xo(RcYpBUkWfZK)R5tjst
zk|hL@LPs&v<M3lNRsY(Z3AjtCGJ5Z4Kxe(K)O@B<e$2Z1#?J$7DImavAIy6K4)aq6
zWU>@O4pzWMw!<QbQ=(7A2SH0l$wr2q&wP(6n)|CAK*?It#fn(Z(xO9rJO$QQp$1NO
zk6fz{WrbjY`;(K|YAp)tDI3~J_%Ioc?R7tCEj-xtXp+2Hs*DZYEyP5Ap}srl<FbSH
zo$Vh*evJ2N=x+Ab+7RCnPZXlSZXt`r3%t6=TeVvZQGBa4AvsOR`}pF}`R^R^HfRZ+
zQZ}P3r{SEi)i9&INGcT{3CSi!)~&3%EMoPJfH9L-7n@!9w>pAiU|vsOJp1b(<(dDH
zg7&yHnu2S$ziRDAO+7-~xI~=*$E~+hbN|;Ukb6{U{mV(D*1d7Bh?)oDilI<yP>%6=
zbSfj|=VMYTKFh0;!p)K=a`$5_PNM)qRDqDMdQR~=7uS(Pf`PTXZX8s>WyrOAgBeCT
z^B5jbG^fG<w$dE%NDH?GR#FZ;*22s<gP`dMtbdVv{Zd%$aDbG{C<E8i^?xCNd3)d(
z=_R`wLRt<wkTXx%*^Sk58cdLdQ5K>|sWK4}X1JUd6^6nFh7_Arx&dq6+X%%f!6gWi
zQCp8C_bLq~?Bu{=`lAa3>Wff}!pkCtJP7uabYEA?6{Nb_{LfhR($-!XblkZ<#gb7z
zQA)00XW&w@)7QY4o9yEs5)K;IQw6Pji%n>35hT);mgm(g8q?B#b^q<}2&86vZXB>`
zj?yNQ<eM^6B8G24kP&m1s-G=m{jph``4IGWcWV=mj_8;ISE;IpIYnC{Pplqs8q&tt
zvc^3>g&7&EcG|16yXDSAx-Q-FXo`NG58CH|u}J@2RCji0xn(c)Qr_r|Bi66Da9h*d
z%_LtuAva#3#W))03~keHpOaz3G}Q?t$<9EKSH?Dz-taJ>TK~&+T;yIwdxQUumhOD3
z#UW^THjv_8wP(2$+c#Rd3LF}X4M_SeB5CH&S@T~vZ~cSLmnPqud{oJ$xoc2d44g6B
zACrQ1g!)<yiw(QQ+k05B%#YC$AZ@anol&lXVreJwFT}F}pyYrje0KuPyq;&)eVq!x
zXA&+t{Kl8jv}+MN5)ZLRbrJIm;&^QL5TF+a>D$t_i6yr+hVBBJF~8v*?*7T(t(=)T
zn`=_m@}o%v0tEBqT!HZ&y9<upP~>IpwxSa$z5|)T58eq;wl6YpCq>=zPm9MZ<bXh*
z$%6jR$-z^P>_gC*2bV;s+4?;B{8=5VflJ)1^I6{GItnE@C9eM#Ouxy24e|X^WN=po
zfVO+TKj(XD^xeOgE*Nd70F4#5pGuay#a<{K&utowBdk6Mp$%e~to3Ll%ZUnVYszr}
z_g4?PZx)2nm$7(*J{bakslppp5EO^Oi~p}iheKke?S1syHbeihFR}M4V$6q_DZr5Z
zz-V_VFci!(1uY(-AlAiEB-dLKJO7eHy*2vQiieV*q~D3Me}2_f{&R{T9etJ^i9DMM
z7p1^%o+%P2x_&V$k<tB?k4^%QF5^`Ph&ciJUnFixKk1}k?!Xxi&|w&bq(kDDFz@)4
z>*6s{?HN4nqO1=gS+@+@%nV125z_C~tdeJ`4NFKt`>nQt0P&g4<=r1UHmQ6p*kPPa
zbe32_LBK`-EGmJXB>BZUg`4Iar<j2<=0}`DjM>s7!9RCHO&XFwmkj>B2~Y4W@_Kls
z>#vHA-MC>-xG#8ud=ewFJCX2=1uN<|8nshb9CIq<gMzAUhfbgDOA8qeistTo4Hom>
z&s`_zN{iYe=})QnOs&B?*2WJ5__KU=0FrtuCfh#20?f0r!;zV(vP_gB+Y|`s%%f-h
z;j)aTW`_qlizlxY0;W!GGT}!LCzOZP+(lL_m78cbz-r@H{c>+=^59psf13H1=X{h;
zJoAmqyH|y*w^l_hj&Xh#`*NAYqP5A`ZztyS^V;_k0=Rub3NfmAvCtHEjBM-)DU8X4
z%;UT6a>g^0pF^q8JXR?|2s`wqJf2u!11#eqh|ArrpTKgr8kc(6U#oENcaXDgj3hC#
z|8)8D^L%xE@am(1q-HOM!`OKkxSl<Hz`Y*u*1I+fkV2UYLbh7x&8_BJewpkEWpdDf
zkKeJUl88=;i9~v>Xw)f$u=Uw=XD4PSxM@j&A#>BYQe#F7@Y<(jPi4(Qh#V~c>jw4i
zb)uNb;C6u7XoCB7)t2(H2}G%~rAOtIk~?kiAmg&k@aCk|zVok{Rl>b$;iHElgzs7{
z`}>^-d|UfgA?tqQ?BfoQ6yKKC*dtQyK-ZFpOtC{dT<5nw0#T$#(=nnGGLgrv+n&cR
zh%CUYrL=SY-KGPrNf#K&sF{L+{T0EY5;u!7MvTBDVGmDdE9fCVf69p)S}c9HGqHYY
z^kDYy;zh`O-=(GahodtV4+FrXeAYTh^LeCoWl*{g-7-ko88Nq-A^VN=uU)C<yLnM&
zL_R{wvpA^3ccD%ZQy`bVt+qpV@t|&w9Hj0|c^rHV+1%Oukr29}5I9{X_=C_NlCoI&
zz%ONk+d#~|*xic!(_PND6*m*OL#uA7-g%sk5ggjFicJXH_YRt0<Qnh`SvkG2B3Rvi
zQ)^TAOUJi)T-0W)p`5+X8GGjrQ{Rc%8H(9*bvlrM=2Hx6{+_9r9EloO{hZcVFtv|O
zr2iOd>vJ1<oK`XwGq+du_d8|)sE!dkWA&jXx61!oedr$zdReuS_HtmDOTF%y)*fl@
zPsS5mCX`rVoENfN{$|;_6Ns!9&U;ke4OZM`{&Y~YuXU(2tx6dEwxRyddijshoDNa>
zLK)MZYx-p_8%)T?3EzVmiF*l}TO5Ha-OA{LfW;^4=GpYKw{6?}euf?MT6nOKE9&8B
z^=SIyM%BxZZ<YazH#RmZBv1$LH9!WOd$7AFu@|nfUOe-oxMbv;W^g-|q^_dR@#T}U
zsR4#;{rO!eH1Jofm5o;LR`J}Q^ewfJtvS(!$mPB0;YXtk3mKha9bWa1dz3Q^FEh9%
z+zO33lpQV*M>YptJSsIdt2S!o7CK4}8mhMzB`9x}%3m%9w0y<^pZr<PXBv|nQ}|-X
z{&m!aiq&s{1O1k}N;{4DmiIg=*Tn-zchb)NDXa(Yx4!^i-kF}K&xG#c?iDWjjW&46
zuwVUf>)`n{-+`xc1((GAOSkt{fY7#gZ*Q~a)}aZ(LJ_;Nt(^;6_{beQBBtQOtxNI4
zUY)`88utCpr-9=8y6emOqnSwqn?qF@b-q9DdH7B@zNGBbtXv4(uTZ91)$B*j%}*a#
zZvB!txVv`{`foC7AuD|^CU}cDYTf@cNc7Ub-*yAxS+N9Nf{LdeoS2O#7y<Nd!T@38
ziGrA4WB@^@j2&B?NSHpNWt&y;hkpKwy2sdF74DC>hI#Zl(W(YMTkSX89(CQt4=cz?
zseBt;E0DLNx$-@#4H$d4MiM&$7n`fshb6p+`(0{+-yHK>n>`|hIG=`BseAW6a-q^F
z&szClE*`t{HDsr$VxfoVVa;I2M}08Y8M?)l*Q~z%@$Q>3=iyJoKmLsF+q4ZS0=S5n
zbhi9q0Q_E1Y3!fD-Cu$=j-THKiz7IWI@giH!JR0$3++nf6LSilYd>EmNMM3D9MK}8
zPw8E1%ROyn;+-r-`lYR0Tqa35^v=2+%}uAal$21N0_Pc@1)u~o30nfC5InFZJ@ozD
zXmhQBM2FfQ`%3CnpZTgyZ;hotqgyr%?l-I&@`k**Hsbu&5dEE(xDu7hrqxo+PKp=k
zqm}QSAN7&gT+TaRc_8H3x;0a{C9ZS=MiS}_sOS(Sc5bbYR=siBoNN|n+&Wb>RW5q9
zmVR?&vt{y@mRWGfof?4yt?;1k$HQ5d7H|7my|fHv=yzEw#Dsj`SP$Lm_wXA2d{8yy
zFG2LhHNOj4icGoTE|KA1t-QP37|f+bim}!-ZrrP0Nl)hb^*QiVOT5!aXP(vG^rm^j
z=D)k0P2t2Si5=BZ@t)+H({;HMEvGQw_gDCCLa;e7#7%%fwSr_vL#cz=rzE89i2z#d
z=0C~#r*i32A%#W0J3i~1-(mSppHuY9J41Jy57wJ@pA0OIJ_~^cHT@90!b~zq_m7!}
z6?oJpn$YIfmk!32gXFs#<7$LLor1yvBZ=Pb632oWu9Efr3hzJhNX8;6&GM368>+w1
zHK$I)Qiz=r)b(fLaVM&Olz%qf)r6*y5J#<8Ixzoe;eKa)df;wnYDn@Yw|0soBV|MD
zujfXER%QC{^_7DVvAJS`zroRDSl`;QFZc4R_I-zjZZM#|U0m!NRegW>q?0G2TP`a&
z*8X`}vjMs9SBx(%Ms=SqPaIw!lcA?~JV>tzwW+inzNtH=FnRV@UiqxRM*ppSM7PU!
zn#BGKPDQg!MoOQ5M^%2%;v3`Y^Se_6<py7O`&XZSu1VpZ+P82!*70*DtG}CpbXuvr
zbX$FBSV;jWz*2rZxcBar(3!_;Nq&Zfqtgp-gyMgGET3B1DN{)m%vVDMFKmYX+TjxO
z(^$Ef=SWuyTxwj`%n$WS+B<B*0W-^KxvbUNoEz^jFOKYvMls;z0zaTCJrZwTm?Di)
z8z3~b@sCb|tofDOj_ZHYgSJJJ(wq54z5zdoDXUWbs?p_|zp*L)K&{^N5;<vkQewn+
zTShd^v@Q}8zY2AE<1<hE5UZ+G6tdAaN@;ZYGCr6L2%}4to8v7dW<|CRLl!s|abNzx
ze$kgNRtMD=<DaA$G*2wHDMUj^RDb+b)q_8yu9nmB#V4T8ntncP)*uz;%c<I?mB?yZ
zlQ%@}-Z4|x!524Hw5%(K+Xq>lv2?QVY(&LCT(-k~$Jeq@>U^uaqX&QFMh1Q=J<YK1
z9;Da3OOOaX<6^z~@eFN^+9AQizvcH>#CkDgMTbtkf5$2z;UquQrLDN%pxT0;wl?Ii
z6*^VY6YBmi^xVF`%?ln{)zOO)JNv<vGf-sB`_>(yeSf!k725V4+IQvBMD~Ki!V=66
z+1LkFlvruT<ur@yqAp)si+_43ECsHxkGGABLguN;8ho>w5^KK5t@O~ZQ~g&$A5Rx!
zjfcy=_|vu2Ti4euf`@OI8SFMN^sO|Qz|*c&-`UGKpOUgZc(>B?Y_i=gwY1>fl7r{l
zj)Mo=B~~?Nzp|DeK<7W6{x(%UEM`r26v^uu5q&-HQFeDbvI#NLNUxJMN>&V2&SoLK
zaj!9GoqteKl8&6y{a1>opZ`LM5lRZ3W`gw1RPCKFs5$TKJxumH2_@Aw-Zjs^@nUz0
zE7X>dqesoKUv#fPZ|+BjXzb<pd(=iVlO_gE?QF-6ChzZM@KK(rZ}Ho>^$wc*PtiX@
zTn=QOjp?@d;(hY^g$S$V#k&EIMlX-ttoAaZwJMw6cDwFP#$8xDsYFxz?m}JF^gAe)
zNPQhwSuz)<tj@F7`EPE1fu@k72rAWLkU4<m>hq0584K-@Q7bv`_jXdb=HHaZ&^yoH
zb}wq|_kukH4S%6u`iX|h@ppRT#uc?ZSg?Uhe%$@R?mz8DpUBSJLfQ;Ygi2M!ozLn2
z>5n*XzIE~7IpRfC(uUx2{(x`u)z5-WP*P;<OA6P)wlWm>{a6GCFN_=1kQRzphdi>9
z?o53aZek*ND^*{gn}4vqC8)19eoD!D_z{=H(rpM*OYTuyr2`D@NU13|GHCMN6r3n=
zdwj-xMS1wa&Ri*()c?moD-?Codh3JDzHR_~l)W4>pV1klZ~CXJ#_C`v5oW#qEWtCO
zG7_3nGe5T!rJ27w)3}h+(HWBLAjna)Td@hOuEuw`f=4bWb6JD3M9@}ali{eAv?_A-
z%+Qx%x5swYvZW4LE<6=;JUWL+6Tjepox1)w;Ul$<MLgtfpp6stOqT%FcOamoW%FX0
zs{@?kr6HSluIuUNwEF2{DDoZp<$;w{;fOb@rXskOW-HNeXPE11;N!U($NJb4GWCS?
z@114ZTcWf5>e|1LSqjBrf7s)F4rCI%wbCVNYtY}-Q4*;A!Jxg!Wz^{JVqIkSBCxLU
z>7K$EdGP!Te1={sz02P4`dKL3ab;`8;SjSWc25QT)N;wIK}Yf#T6vFIw(@-0PR)7r
zLebq{$sOD3+T6p8Mz6s}TBY|Z1S+XP+9a5!+~!)IA!%!y<W<d=CuoD^zs=<=JAP5~
zg9shV%8~oQm;PiL{R^=QP^{1X3~^*upx0b_@aFTK#GJ9>mdt(gO&hQ3l4N#k2kkac
zkTaV*Krz0DgIp+9K8&ZgNp0e^oM%nW00mrV1pYS*V^E&oAG+CGPOYD*f$!DOLiVY0
zMEu!gU}nYEY)PJ}UQL@F@+o1{vd(D<5VTm*C~@*H?$n9$OzV?T-PG8{Ua)rKRJOM8
zoF#})?7fkoq~yOHNkcJUHM@RqpH`pTjg^L`oNSL_z~-*S3)YN^Q<SDykRuy#S=!p4
zNM#Lph_o$?w&pk8GBWG4=jNx+j6ASE=RBHBhPaHkIv74MIBPv+AmEvfzNcWl<qyBN
zJgyYDJp4B}XdI474j>0*9NpRZ;@W)dp9o!IzlzP4oRZtAgc)^N9_akx5upzyS#10~
zy%s!j&|+6aRXB&8b;EUEMr6u_H$6Kd(EEk#IHusDX3jI>4HStGBYE>9Pe|k4@*&8w
zm4Yw$b@KB5g`VJH?*kbh@VOkiM^~!WH&{m83VfpJthiABnai4txmCfewrQTNuYQfR
z)a=eJS4wzo-EROC#><n*3u%4_ye<j!;gNK@{Jpg1qgvbkzOVbo9*rf*4OA?zDz6Pc
zsGm;3uS>~USIsUCJpJ>!1J>8KP&71+UCcZ`5|l9PId8EL@%@{lfp{qIrJYQpA1~iM
zdbShZSEIcoVbu_ieV`HxT&jLl9zbjT>6eaK($;Pb#Cf+mn$sRlZZ1=mAAK$w-lEly
zG)~@FKrR;*7b^d#%PU`X^awj(r|YBMR-H;7G5#|<bBE)GSaxz+$;ej5qNcdk&N1H$
zUzeNFc%MbZ65xRRuT1V8X=Fqzez~$O&l)otga{n#mdllSW}}s0!q7)JKXQGo^9r+d
z)s}DNs9ZdL>Yy;@vADl!qUgqu^2+jCt~-^VrIkh>G=GVu@BL%3Jbp2&#{*N$K>GeI
zVdUh&UzKJxW{_hpbsM7ogQWnwoCPZ%c@2+Mu32O5e-qPO#RoAPN8JiIrOGJg)zIyO
zFaB1~`EEwF%oQbRyCs~4t@E)OS}M}?=f4B9-YQ+4%2#jBt6Dwh+wFj%nk`rMU!pD-
zU)e0PUEBc1r7&EGOZ;ZY^4iUf`D0?am&!a(G=?!Pq+D8>DzBNT-Wt{}of{Cbq{X~3
zrM({g-WIZ|Iy#%Uzgeo)G`-x;rdI3O00h&$g+Ucsc@<mF2JnrsI6}9IjiCNM>!70F
zNV8J)gvhc>X`05`zvQG_TP{9^cHHKTOr!y_js)cqyU!6ADM4$?Z+%q4cX!pb*X7rl
zOpM*G!<we!s^u@s2ler8OJ=~4Mv=W{b?W^2U8+JTf6S(IiOQwrVvJGcTG%{&bYJtw
z=7gVB?zt|d>bb!=)}9YmA?4e}tl+++nU0;e!R?oRpEf95sx>qU`g)X;(!p}9Wod=`
z@1ma;xCK~-n1X43lq?xhV>dfpu|#}^3)y&9@#DKyD0O>NkJY*udgp&{Key2|{rugz
ze?7M>bN16J7PdRlw=P#sz1zwC5V$`tyr~&Fo`zr0Dlsj6{gi7_eRKU)@~!yZXOC6`
zwQl}ZbNv~5@Fn2^=;so4FIAk;WTSxVr0#oJ>-k^l`uzncFs?-sVPgR7g&;qV8ET6H
zYmqHToz?CL8z@$PQ+|JL=SZMK`*wr4`c;?gZmGM8P#ldJuq;7yo_PnnOUmy&%J?lI
z)>~G8$m0M09#zV=I-35~#1HE>5~#J&WVYN`zATe)kt$4aE_m$6E4kdgB<NaJFm+*q
z!`{MM#)`q_>!914F+&0C;J>RixkkUtpnXp*17qeh+bjMJZr+VzRtn44Bjr`|_QQrY
zM>YlaU+#SNu;LaJ#!uPRYH)?T<5ad3E43q5nA;iz3SQjzH~qOI@!C`@8lwtnJE#~x
z5Ob=exU*nuwmZxgkRDOj4}STZ6|uD@$)z={tB3B!VzOW<2kRbX(~nX_ML1lY#U4yt
zTd0a=d3a{pBwxOpO>}qX*-qtNcSaJSjbXVzDie6mDEB#GFVS+ZD^2WITUOZgw@kh`
zz4~$?{b64j>dM~(u|dUJL4xRVoZm!t0uyHRAp&tLjwM7R>#2(G<gv};&hoPmq{N@_
z>H~0L@quOR&go7A;8BOrt$FvZJ91&SEkCXb(|RDz=6v&*f5RQ~P472R4U5(}_a0v0
zDcxEP6(}|<SPGT6QkE}Ry(42(+ghALaB)JJ#G#pdcF5Nwi5x&w0<4F#q9gdI8(J&3
zm(Ig4e@K3h_Zdp-7Dzd05KYQ%B)(GrQ!FT>mB6C8`LA!t;f>^c?!0@<h{8_KX}4Qv
z-d;1OttltoQeSVUC3Cu*F81;vZM1TpAN|2gdFQ`|TM9<qd0FQN-x)xN39?}<LcRIS
zpTdv_;lHapHJW@kZ?+@0Z<oSz%BzwkG0T)^X~Fxl3-^={90e$#hJ4m<8T!V<iXI^N
zWDIrMk<<HK;=df3g!}FfuhB^0YDSr6ohS+TY*Br;L!0e+znhvnm0c>}7S}1OpYK9y
zBVD`aP$Z)9>qhFhZ0wJaC~>r2($I47%0Z#uXsEHt*8V@On$cI^Y`koFIZiX2W~fg*
z&2Td2I8;{Vnl@CY0U0fwDRj!Fj^r}p<Ksj3@uT~EsF<JjTpq6245>+9t{Pnt?A@%q
z^}Rmg=uEJ}L)7|wRDZoiT3&8mUf$B5h0TEUIK1BSo!8~ONeM=d&!lau)|x6vJ6Gd{
zcJGBF3h%Ps_Y7H`A~v3D^>%EU&@<IY7eB$#9>ysVvSvrtIVfMe^n%;T)hZu*eZnsV
z*7stcX~E@LET&%NTl?h2r|0`zZd7Ci`d2$w)ZW$iK~%nlARpD-;rrXx5aUm<Gks!$
z>poL{Y$q?d>U9rZuj>6n0m%#rQ-OT*oZZ2P(M<9ojpll<*Rrtd=Z-Jo>Ob$IScN97
zzZ;~7yc47-;R>7nYHV}fsd`Dghbp*J6}D6R#>4v}c8k)Qiv_y4sdr5ac*J$Vhu2_v
zEF|NX`aBc`XOV%LaAN}M9Bq4U#@T9QsdA^9JwcQayK_|hj^;C9RK-;fS%BHzx$8S+
zCEFPDq!nL$nTwLWrXXRNRcK&Gpq(EL&|)$aUdat`m772NNfYN#yxxk}`w=+yXln6b
ztXZp=i4w9M>k;?0aE4>njUfM5R`O&uclSZHf1^U5=E%YC(_8*$X@*nXpWoS;Jb&AE
zLAKkuJ@*_Gi|BW|T}OP_bmJZA?A73nEDzilw(;n!v1QHsS6p0F(SDrYm<GxrciZyK
z@0rBroWzYQfY8v_Q|y9k9#Q^8w+9P`FP^8>B7=+drTg6c{$QLx=y-gA2Fw)6n>Gh6
za-OH&{uI1+oIFQx#h<mR6!`gMONYw#`Yx-(3F3K=ZdiJ(Qq9|93E0*1u)g!5|0>?r
zeOeRi*&9}}tTLT{t7utl$nHk1`hPCK-rKZLu4iw~q1c}n-e?P)sgR(CG(?~8onl1h
zQre2+J44qHS(_Fgzo;PuI!r6ETd9HfI+?K-4?Dnw_o$v9`)JE3BI_92S1t?`!+_2)
z$i!nMLee+eHr)(v**6eXj#;!0mHzITk|~km&h^+v_EB%=6UR~JSxFJA_nOYUe70n1
z29154CYPH_fFf`f_4~Hlvs^VIF@}#JE}hkvNp6dm9?G!ipLClH#O`F@cjmE%mvB%*
z*5|cE6pu~b9ePTPqD9lqcb~WEyUTG|lS{oGuWjU*%F9{fB5>vS^|24P94&sF!njxc
zVGOha#*w40P?D&-R*GO=@AIPLKJE9NhBho+0{AwULpQR-9!?J~jrB(7*!<Mva*}O<
zGK!u%`I&io!EV1+&{XK-=|+U8^_{aKe&C*!TrFitU$O|%&6u9~t@<4wyLjmlN_L&s
z!~$+%MyE5qBLD6^anZ25x$otDclR`2^SmuxuAOBUoMt3-R<{iI|M{20@?zt(!~QPG
z|KU2cSYoGIAhwDzXQG`Ci)tD@*VP*8G{tY;2*ETmVSam0F`AbFjgCgDItZQJ6*w#N
zkxc!cVM%x&`Zt%}&?-d!w`gl<*sZtn4>9foYB0)R#fgHk%kcb%(D`Q-OQ<H|!+b?|
zhL!Y#war%#u0i@PjqWG*2VNziTbM}3P=i;GZa73`WX(Vknv4Yxp)R$JMh57IQ?&@^
zk^N?^oXy7f`}Sw1PR;n9hM>(l8T-6*+>U*ChJ6h*DA>Q%ZoGG;z0XB=!myln&CcXC
zZ2vj^po=%(B?QnO?No71X*Y<_3Yd$-Z7Iz;iIq#A%oJHj>z8~LCQ)j=Ca;;cGFebx
z!v4J(-Ny&F@3p1ex4CxR<k@W*9|XkcvsavgySqTgztii&-bSp<Ea#tL+y+K2RNr+8
zt@6HC!A3FpoON`Wr+IP9fRIDC)1L{;U0AMFP$4Io4I9QDwTFEkxmekc|8)CaJ+bLQ
z+QmTk9tDz_FERM#VBl|0^lf9evHgtS{j3x(1U3Ld4nnz2ojUyN?;?Sk<eYgK7x?P$
zkoaQjao&yRf3x2Ii==aOP9{62XL*Ef?pzeD_1-?)tq@QTby+O$n5%jx9%#DJUcg70
zRxbagetjy6_|RReiHO}w77}w@x`nFEo!;L6Y(-gBNRtSCU%l2t@3%b9K{4)zlI~gh
zpPhfvV4g}p?Vy&w{X0nxN4L07i;0=L)aUFLtJK4QWOkf|^c5;se=4f8IoGw_H?+Kp
z$>Y0wMG4XuDR#lDP(bYAjkFXWhs&4v;NPv)woeGhVo2QaFE)jnZ;r@)x?1fRv|F!?
zTQR!$s8hZTO02d+ic)@GD2=Z=?Iw4UdH<mGH{Z*qU)DYjeKC1K?{ftakXUZRlBn+<
z2P@|<!o9CAU+ISmtYatg#kSq<?(CXeSM+1B4#r&P>l`?#)%;M?u=$tfMs;?&_-62V
z^%>ye7%V|@@emEW`B!syeR)5#GOalsOzrK~5hd<zL;BX;Yg5kYmoiy!=d4>XQ-p79
zDvQIGBrgf<R&HzSveT4qDciqFl}m?SlX9RBpcn?H*x=zeSbzOv@n{_^U8-gWjCkJj
zO7yS+&hx`bd=%fMANfIIT3fRo`jEb1If>gLyMyayPe_(dEY_&rvvH7IS5M$=ofbGi
zS9x_i2XjVg#&xE<u=6R3S5*0<j)p`CNfS;$D~WlLPC$sEUwd}(1Zd$o*P+Jw5}8kE
z^qF(_BMV)32XC0^lboE+9<Ikm)sA<bYpU}3pO0Qtb++}H+X!1%A;#2)UR)t+6VWDd
z>&h06=7D=WlfWYI+(^K(%;d|=)?@`yvgwh<FoRA<EoM%dG)Ir{1&{Ja=XVC|Y|mDW
z56yB1=addze6Ve^@sL=HD|8^r;`O#RHZ@hMGH3j%H*?;a4)mV=2FDlM*6VNl87Q51
zzPnR76LvZeLRz<7H%W7GUKa@IJXL-a^pPX;T!ovLJZ5|1{ym)jdJoGvUTDKj9(nDp
z6D9XfMMQ0o5SZlfdjBQ2KgqbvkPt>t>;MB)6tp`xk&eE0o$s%V`TI@+aXfbgkDB|#
zp^JPi(6ar!<o*sf?X^mURh3`e0@FpPOAyy`|LBux72v6<p(1p9PqyHFnH#J1)MKQQ
zHIMm=)|?;}bRTK7A<w;q5lifMD{viibtoWvffxj)funKwe_k{g=}+0@ziXIxZ-#fc
z9L>AC47+-uBzf<d8H?dlm=to^b1lNXA>TF#Vm|lDi90TJaj%-<4H87PY)vFzf91<u
zlj>jfgvM@L&2qebX;B-hG5KLm-__t=aRDNK@RR@BSJW`{S38EjF*gp~=Wdyq-*Wp?
zPR*aalT+&a-Lb64;yq-3+icldBCxal)u)ZJov!t1sLQ~7I}>tSOwq;N{>G%yOqXH_
zwG-F;Li4UaybF6(+jjDsg)nq}?Zz7%!JKYqdK%W(4{P+^Tpf}-xalL?_)R|9V8L!$
zx_IAvxvS`b0hJA)(_WX04;cYWr3(D!@S_yN*poBR`LXp%=y=s<31Jx4z+E#}eJ?S$
z*b9n&iq%^wso8n6MkSe6*g*1iGq0qid_)KQOwc^oN+htOB!OE(Z>P)HDhJK9+%_I;
z70w^S(PwU@2mautJzDQrb{dCIEu2;^U;BAG^z+a7@eUcZ&uIyYzTf7_&4Jc4@t%$~
z`t>fR!kyBz*Q%i-(UzvB7rFGl?+A)`1nmSj=W`LE^S}+dPelDLmjVJZpIg;WDLEZR
zX=tF;xD1~0#-BY&-Bz0lyC7#$R$^e%-yoW{Oz_Ef`rEPhUjN8XFOyT`p)ZfQumQQ5
zrFgx&JrDD9b|eDAhYw;tEzZ`V)ZD80e)RY0gt<Nbyqk4dvT^qRn0oJcs^9Q`{2VJI
zgiwe|l5>odEhDQEvd*wi_9&Uz9EyyL<RBv}>zspQWpk9(q0B?F$=+nI-^=^+`TQQ=
z|Ic~7UiW=p_cfl^bv>{4D({0x7J}OE1kSY<568n1!S04H6&XLX|G4i5zFuw8Su8zj
z)yysa2C;a<-h<t+$Hb)fQ#JHYV1fCn0Mk;n8!xb@(gyk6QzwpRKR5xIJYiNc@Ewg3
zYr?RV^vNC#FkIA<zYjvP9S&T$EkVA!Q=NRz`V)mPjkN<95RbGAS@O?D*EPTROwCFQ
zgN0?;_1FmGwh~od_aw-o6QnTPhfgmMAgQT7xNC`Kv|#w&fWxu7>xdp8nsAekt|q3$
z$RYC8*tCGJsG)bWz@nk<uunEu)w((R<M1FnzZZ|yt9S5+5|qgFF5YKCL{hL%l1RBn
z%EILF^s>?wz)gJRNV+9G+Nk;VrR`qL>tz@h8gt}1M={9O-Iy7mt#B~<l*SJOV*`fy
ziMX>Hkc!%$S*M>qQXm>uxg$q2-YEsPH!g1#Yowfx;94TFn(QN%n$zJlYmrdJU9Ai-
zK?Q^PX%Cwe3ejoCjFI85zr(1`xv_v6OG>={tvjM~z|@2cyoG6@7YFPW1|fat%(2R;
z8!SNl<B#zT%H|6^Ee8|-bS*e}{3wHcKeTJzvP={}=Yov#z{~zR3i|~mV5hUG)G)kd
z$BzqqCq3zC&(2;vl*>5ONDd9_9cT%|HD8ssiR74zMv`?Y2@AEP_lPGPj*^kED-I;H
z8zs!`VCd613r9xOnCrCp?(3VL<YEe8Qq0K(x8izRsR3_AeUq29cJZ3#LGyKqR{D+j
zvD(T>v}ZRZvlHJLLrLS0KSN1MN0ma=nu4MbP|Z+Z`rhYX^hoK^VkVMU!15|fY|t7;
z+HG&cZ{-IA**G$KeU=pQU3a0pJ1DP$RDmFn<j-%aMJ257)DcK~a8*#2m{K9pxEnsF
zt<p$~ki4JCP_WZ537WvCdQxNva`HIxHWv#EyB(psr?g+~TN1TY%fdLh{V*{XjiD^Z
zQwST|^md~wSC^db;cW|OkQv7tf@?JRi@>f>8ylm^zrREy5(>9D342d|_B;Z?uksNZ
zPv^R|h+J2(_1Q2vhJb*5M#5U-*~4)U$=-xv;l%eDiexupHh#Rmbsxy{I*d4-Z7r`~
z$x6{20Y~Lw++vpB#0D)e5Ni*9)m6r3m~-R6&~=i}&4J8O5<R|<frEhUpiz=CHLy7r
z>SoRwuycCcgnu;vSNy`q-1j)az94DBXG>x3-zUM9)^oBrY$jk5){Af3A4xP{bYTaY
zwSEyX0cdJGDfwDmu}uKopT=b_IwSy*#Pv-8*_$A7&5+W83RPgvkiPpYnUq-aAvUWp
z8WQv@di?$j%(<hF62E^?pqdCndmd)B2QVVJ)mz6VVHahScN*5ue#@h6=<JO^$YHp&
zaA!v7(*uQ%U)P82=uo{4EyAdDpXsaLwcMSJS7T8Cl-eCp_@P~`J0rbqB`WdCPct)8
zz|jL{B%>$)SNDIP4UXxBKVlyDA0E8~3v0UXdCO9F7dztX*8F;26MfGEpqRyvd?zjc
z6l)rKRzT;G0yf~dyM7<yWYKgmW>MZ)WjF~*pWB@IJ=BwB;@n-^pzE2tS*LW0+xlwk
zS9^h1{^i4<@uTZS19IN%M8V5`dc}VTK9l12)y^K0VK2t?&1|4ZcHqwTX2DqdsTimc
z$q?FV2rUX+=$2QGOF}pYt*f#U6!p^dw|}#BGcKlLn9F#5|2~<us@Y7m(zqV4%S$`%
zy(|t4prJEDyp*Oyy4rM=(E|dp*E|ivH|w?Fy(W%2>d-c<<=9k{eFZ{F%Kc*df=DD{
zwK1`wI~P}SrSB0=7flvP33T`4(X)CL0^u6aYgI08Zf`pE+oTw5PCdX?>6JU&N0xcF
z(vN_k=})%j9(PPjw8C3;%e7awXAclQ<ljn1v+G*x+r;Q9Z!SW?Gd4Sme`c*0O><Ro
znQkRnB8c@LH9rME!z?DPXT!89V>|cEPxmia#3*Np)R7wv#`t~H^EMsk8!0ulw>r7F
zj}c~}5Zv@b=xtN#^ZsKZ20BTSBU0!H<*K1sVNVJJT>+~3z4zAY(OaDVJh`i)sqj2;
zm9Nte<9~@YY<=w=94<QEE1wgy1PxMmlra(9{*$MZ==$a<=2p`CstF%vvGyynXUU$a
zRT0dg`^v)9`1)iF1>RjOFsiaddg4HN)t^T?=~Un;Fb*OZP*7yKM)~`uLOOyE4v1HG
z6$QJ~Q(3<6E`#7<=EhjrBjH!AB(^;zYc(hAyPW|N7>TFHb3Vd{FW3<O1pW-%eeG-4
zJ$-Hc?u+WfTGg+BzY&S&j^&jO+}fT%Rz)r|l>DYgVj0W&530`go3s$Eu82){D#Dea
zD-CU<Lm!G6&8ju+$ZbDYPDC$5!{`3Y)#AQFUo9{EIHDoWude%xb!S8OVwAIY%`5qI
zlulPV!9@M$Z_?ud6G~***K<xsd3(%1QDfPL?Ca<DkfOSbh5$0aKRA4Q$T=j|bXY0w
z)vQhmQUY)gVDv4>C?{nkq3VR(-6Sqr^8#b6YNxk)NhiSxApHal@<xH7_pObnkyPqw
ztMw<V>x{ty@S9!Mzr$t$tyZ?C*oxDs+y2~tY`eKh(XK*FDMhioV*mF1VB=%A(NT^N
z@`oPdE*PF?O~i#SEN=}poh5BG+GB6ng?@jm&FEBXL{BJV^q@j1EQk<|%Wa^3^4wnL
zMV?)Yy6mY2Xvum=RGwC!hyH!E`cTfW#%|5G)u$StWSkNU1NtOdLMS<ke6c>-y^=qQ
z@0!&OUN+ZrR(#Fr*Ce7~CR=4Rp$M;;PFUkxY&107Nmzb$)GD#1g#!f^Z3JfWX+l%D
zXD7}kw=?EWj+~grP~31Z{`f82IsN8>Yjq?CMR7d9c9j6gA`c3jQ&Hyp=1_mI!f`6E
zNFH;#8zmMbkk6gR3Jb$`H|^(cVZ#xthRa!-OUo03-=KbAr#rU5p533@;<5|ce%BPm
z%s`QstZ1#ibE8v=NJ1OQ@2**`E>}uV^c%1C0M(q*7mxrNnImN$y|(szk1E^Y$#5S3
z9~$J<d+t*=2mcl4{n8Pr*34J`N1T>)4HBOxwmYH8CB59MAM$@WsH#?cZQDP|IE`jT
z-X^~AmP8V2za=+$6mBl`cMD18{HhL*T$r)pL@jD9kGe1TuAWGGMq53rJf7lI>h>#6
z2S6YCzn{xLGC#270_rf|4t2VE&+M?s#y-F@z<caoSJ#q|6)$|og+6Z9{&{~=0L;Dc
z$qg{8u+05XfN+}B!HsiB!+oycBdLp$T|ymk!u>$Y22m)f8N-VLXKCe@+6cdrOdTNy
zp2+(wWj#daG8q9Tg0NLuASK*nJFz2l-QAvks);s1^AUR~o&xV}Bk6~_Ymk{lh4)Ac
z!H27&Jr(=sy5@@lclpk&4BtE6dxsQl#xLDgL<OwR@G-pCOk-vyI9Ko7@e7iuu3{zJ
z+v(H)!PIuSO04lPB@~fR*+qYAn6lH6C}+`td1;)TjwatB#@1b<$ZaX`6|qM)I7AJe
z3RB{rFD|6s8aGk0<m(6OlZIbwB^5P<1UxAFP&aq#TzzuIFUXk^AD(=#YtiP>jmHAI
z<W^j%<>9rxcfocR{@M<jV<ML78nfiwd>u*W`k7y&B7)-w&Vyk~sa~t_Kg>H%QYGwS
z`eONtTOraR=hUnJwS0n$k3onBL<&WtM6tlF$}P?$W_F-;wRUCeA{xV2mRM9BA{njg
zfK{ES$U6D@!g*Tp3c>J3Cxn>o-;!3l^LyA`72Nr-%Z-(gJqueoSygapkVL~!K<Fe)
z3VE8yq=J9TYEO=Ku+naRYWIED>?;VK_m=|CUscFlJOMzOQmBT1e?|cR@}-|G2=`!q
zpk<0^!;aD`*!ox}QcF|aafyxny2a_r5a55&Kj)beoKOC`HtaOAS>fU3FvcfpR-V{U
zqId1umV4haT762YDSw6I<Tn65J&(rd4OvvG(h-0Gc(0gCEysLk$kL7JM<>4DwT%#<
z7pXFO4oZ9JK3&L~K!fond4aXy;${dM25u%n?Il@DA{l`!KN_mki~*=O(uA4wm!1e1
zf(^}KNtA>#Rk)2dzu!(tT9bF=Y}Qk{5BG}vlPQa}!0<bt=_$)9K+v?SfJ_`Py<X3f
zJ&7vkPc-U?tfeH}>2B)cb~y%0Mja%+dj5WcWU@>ILR2b@bPOp3$^S5lhHl>cki$<&
zLZCX&(_?UM15ODS9jKiT+&P*O3p#24KpD#8E$K7<;5D_nGZ9iwN6@f6%}p|*K|WJB
zyXR-(QIbi2nd$DRr{*iz;0v^RIEtO?TH_AWqa*ZeC!%Rz<mkc4xs#76`bj#Xg(0}a
z8g~;1ou)O2(-KO2quuxb{SrCT^hX)8oMO*|q_Z9TVMQXE0K|TFdh3r`f#p4z!t7z{
zlXAQH(Fw7pQ>)WmW{Mw7JU^O@XX9ZwOsV5q{L|<o-oVlQ{dY<qpzVE<$7@G?QR9|g
z+(nj4b$$dA0Ecuya4MPXY{e94+~^6g%S0jODcEZwg~V{84Rp|$9=RU0|B1rf=AE#y
z?{FD8^>cvGeRIZOJaRCZ0^j`OjnN;pq|7`R=l<>1?)3v^OULgmKl<JH6K~p*C8W69
z*A#6${{5Q^1%m&VtZ0}c1p!_%(!wVbf#GsWHF<}(FG&4bOxKq4OmSYuevyJ>R-Vt_
z(ojNjP93jn6Y4sl8tbq+Gdnc#(}-MoMsoy)rdtWF&r8;=TYQnoyu&%Ko6pt3ON6-7
z5SEtj>A*~z0`dnvRo?s@{Onxm;8=By+&EVbhM(DV{-wv5J}#f$_rRvh)XZ0mGaK>w
zAFJk=N{sxfIw64KA7%LJ97($JqgZ-QH@nYJN}M4dgFkE2f0AmNICrUkjCWJUD$0KG
z@ojv-53e&EUQ@{L?%=ytcCt4S!N;Tu!^mdz^FRA+;QN!$f2FV<YT2fqf%o4l3EO3w
zF?kgvy}pO#R-<+%l(C{_TOm+H4vduy$CA%mniJY5ApqrE@{4Eco^Ntt&!oqE1=$E;
zDubmn`NHyvA|u7WD3PTMr56c(v50rVPeIH6w4cU(_b7L3vK@2G{PwtS94f;@@L9={
zjb3H0Bc*I^@)ZqqRF*#2a~#)22F)&7lA!&vW_~Woa?*d1ME(w!GE{{ghTOLrSD68d
z>k}*v3srg-mxKZHdax+gC@$LIAH8o=_kzk)kKFf<`ebG9+naLlVfrBu$Bx+)6CRqH
z>dqv}B`+7f9+Y=s8!+rfzX~G;LGZa?n@|}G!)w{@iUpe1b;!8jybHD~;*vGp-T(rT
zTsvM49?YICY$KoTcb|!`DQ&;)y&n+9;h!KGeec{aBE<Zlm*~VeOe^618Vgdw4(;_q
zVR<jRYZq=BZCcKqpOBujLZHg>LC?;!fc&NQn4ggk{!OgOxN4feTEW6MlXW)Db%Svp
zQbNT*NbxKXv)!b$Gur8c0DTdffxwdf)z0JlSl4&_y<tjU&5pe{xHZa8?lYk<&wy^Z
zTq?vIwunasDoup7%>Jj9XQ_pW@i}^{FLUE%w>k5_a`$wqCka=rAT_FDyO{yrJvvmO
zY9c!tCU<9>Q>2&gJ&=BC)2<p5O07$R4cSuT6HC+E$}mo|6M<X99nDY7iG9dWmws5C
z2Hv`(74O8vGpHz?ak>B<=EQj&YVn)uePSsO`QesRUe%2(e_rl-{Fjo#;PkF#WKn-V
zBS6G0XAwmL0|?5=zCznIuZ)B<`3b{#{{tkEDd2_|1FC4G){J34vBb<y4U2ns@t(b8
zo2vAf6uNdCjQ`NP6pYEar;?x1?PBdaMV5{}_g+UmRzzq1@!JiboB`6(u>*yKd95}5
zT1dMmyM9^qaNRx0^jjNG3f6J<U+arr^+Auo?YbrsePxc|`bUB)?ompE(q$e(*`za<
zJ#C4nZ!M$wkA&ip`*s;0ke=n$iG@oG@)Ji14c9w+AcgO?(d5T>op_~V%o@^#QoYuG
zjl@Q-MZ--w>vs9N7?9od8<4X{m{}YMPEC!w=M~J(T@<e_udW-A0=Td)v&_}CAS6hj
z-TkPSEz$qeejO4c$Rom68*m#XK*Cifaq%e@SbrxIkd(*+@u$oLeX>dJ_YFvTlDSXk
zKiMy0Lrtf1Vr}ylr+xd4`|&3;Vu3f#nlyLb76DpJt1B`AMsoVTQj_Hf!FFW}g-L+2
z^13AAvd9eEJK^pXUT_r<+&#+X&I`}E2yj4S+lDb3lbZo=tnl!3QsVTrIDTCJNRdVP
z;W``iS2x?UrnvI%L<GQL{;I4HT$?@x8r*=*nFpR+oB8|3?yshwAM-V-nD8Lh+Yh#<
zac)b=zcxn!h+||kvdnUfW@ub+1&p^^DXjQ3IZrAYG4(87I7N{A@DJ2oT>>{|GE&Ba
zaMkay60rOkiMo>A@h7qtC3D51A_;!0MSJw`V9o&P8ariC{J1i-$`I)1y~Iak2jS30
zJxwj~Vmc)ao9Qb@&#w>q@%cL*B6XDhRZE!;UqF7k;k4+ch{9;rbA4t&lLzGByI&y#
zNegrV2I*j7#;z3Epy$mr-HBkhVvnY2I54!MH2-t=$dz$@A}PYyhH{GO?W&drk?XP-
zCEV=S%cWg2H-J19-&Jit?A9I|y7qzb+G-4l1Lo7aGi6L9-Tz6}A(AdA*&g~CT|Inm
zGnn0K?5&;!xqJU8e@GdqgS>wmch|uf)j0HWCr{+hx;z@jqQf|#fwR`j{vYI&0>v&-
z>K(edo_#fMSnS!*ihNp75ItHwprVVnlO)MqF+~a_a?u+Nf(LawjQxMydx{;d00sij
zcy)rKf{lhuz1}o|obFl+j4~r7Dj&ZL{r<KAjS=Q%NlCOE+76t;NQ05{2EC)!Pb96!
z3!A#I@m*+`D99;vX8q%}A>JO}29N&UA;FBM^zOxpvx5n@P+3LPY#V(Y=xHvCuZrpN
z1P6op<*m<}7!AaW28gu&Y++=I*AIPzcI7>O*kw~MGLylP959#m=MXA=T&Z>>mOL>0
z2Ifq4-oir?HZIg+qcXjr_!bI+2X7CK@Fky8NS1n~94fkl21ltmKb_u0^!H4IiJGmx
z#M-!>)GDJtUo031Wq8X1a*G)|;qu+(eT94mDx~WXlt8mb>;vJ4CJu^U&QCtGoGmW?
zVSw2nDH0)_DFq8BySRzt;jMY?hW8o~VQXpa4@5ywv#YjOQL|h~pm{1`+^GEb9$3fR
zclD*!cCo@|AYNFaGc+XR*L?b!^3z0QF*HF0!6#!q>fP=-Xr*{`Y$pX8>`fcGoe!4F
z#peFlUwfo<ht|B;D+Is>fP#f2Xm1MFOi9q0*y;@Owl5fKZYR;u-Q{lXF&tTs(Zfln
z6cM+C;Oz3qPa3#e*diG+oJHwBo(pQCn+=nBP<f#kTNCF~!6epWm%Vf_;pV2>%*1Jy
z1&fAu>zTl%r@0;As4`13#;wKy0UFFqHV^Hg=#umAU;WB7SVjpqb%Lp;n<M44M~_;?
zHoF^+Yel>z&4d}0>NU06Scnh<5`Yv}R``C<{o*zFg5MmG&xrhFDT}iCar|@zK#$IH
zJ73f&=^40Tw*Ua^L;K?2%PPKO{1j|yK(2L{w=7>}XW)D6k5zZ@^7q)F2X`^|O#t+d
z*OalyMKiqd6`<@Qb22LbHCX+?lJkIU;JihE0eA1;Nc{U{ttyIb3-u=Q3cEgM-+=fp
zHD+NTpoef@s<~V=I*@S9g*q9+S`7%lj6wcS@g0Gs!h8z}uZ!O=E&r^V7*b5MYG1Dd
zA#Y#r{E5amPn!cRonvhIS29jFph4h7_2kNhc)%qxj&V@R@BhDA05IGaVkKN0Ya~^o
zQjPkd&u<J9Y3eZ984bGWoA`b`HU4TznL0NiOci-m9zc=?Sx1kzEzX4C8FhvsY#^w+
zt*EKBqh!^T&sk3Q`#<7Vf4??RAtf4OQkvMp{w^O_dr3u*{}$xO!@5_;-|<SSz%W|}
zJ&@3}_Qvh;M?NJt%F($a(hviw^*=8icl35NhxelAHqDH6F{_>vU+pq>{bKy075?q_
z8z1=|n5^H~%lF+H?Oa)9qxIzi%!O1YtgNFqQV*clP>H-)0zy)2>DDjWXXZ9|Yz>+X
z@^tzT?-{UsU6{7v2S5EUELeDeDpY~r(tE!0yP<o3ZZAlBWvO}daAf@|XH?&5rZUGP
zaOW*sAYpi=>YDtGpy5hf&Du=1!@*x8_xmMrSFF(R(W}Ip%Jc|0msh%P&*i_D{-m?M
z8G1|P<}go>l_hGXVB3t#9HR@5rt_5!Nee0W0#JU=ApFz_fswGZwDrpG()IUC3wO=^
zS4H}v`TFkr1$c8v`DMakl4v<V*zBEB*CzjG8)9)d_Y2d%*Y!X;gePTO%DZka!zZLN
z+C7_VK$KX<T1=B)T%>IpW%r^`^ve+`H>sqT0_*Rvy4EXq8;k9%J9%F1(Q4bk&QrCn
zka-cg0}%XR%=7tVmlg1CJoreuqWIQmc$y<FJgS$pb_z%1vO{r(@gTg)+yUoA&#8)}
zZ<ox|SerlZYkYM#_|9Iod?XKpqriaU4`f@=0x3<*ZzGIKtudv}GccgU&L8EQa#`V2
zem%&Nr*Tut>bRw`-hP%A^@)fl9cs*^P`-<fRXX|RvGa3+I;>%<$SZp6h>0slBlhP-
z#Be-a+4Q0e2+1jStt@+Lpk_N7K(jJDbrudX0JN=XiNs3ObhN!?Dd`!Lq}y^eJn&>h
ziQA8vSL$1K<jak()0JzK!kFLZXvs4}oF223&bs2Ei3$@%(iGu25Xs)w%5dNTA~4z9
zpDPU?QG0-2G9csfmm|kvR0h#Zo_veLy=NTpD!mc4wl2sg!#}Q+&i~aXMpofq?TEJm
zOo&;Wx?J8@nCDqhx_-zV4Yb^i4%m^_Te06N+$PeZ5`UWq>;W!kt77Bu;*2GJ{Lvn~
zXgzg|4aqo|+8&+6Zh0^sTg6j1LL0&N5(MX^gqrj~78NVpoGLL_>(ALi9xx#mL4>#m
z{R}zpTLxGwWPLz5HR$FCx@~b>+3N(?#VvB%htycEZpE{d&8fYhTNfq<aN*dng&`nB
zIepazO#O@A++=Q)F!!60Z~I}ud{w?x;*EN?W`6e9&!O-?5pDb4HmnsX8dco5l2L1(
zhNFZ{pk?fbP_l>U!e|fr)9I7>$iT7O<{#T)P0vSfoWAaiQE0<cM@8HFurn8x34Dgq
zJ?dA?8miVHcGV;`+8pn9S}>Uk{_D;NI=L`Y^eU)ZMhJoeGPHenob2yXBYdCa#aGDL
zXsj+s>502wHhZj|UFD;jJZ>EdN_gYp=&PkYLHEwy1|OQOZzp5=N%NDmzN4#sPtDF!
zL)j<UV3vkG+N1)__*3bz*mJPSDhh<X-OH0Pl05#xKJqVKJt}%^=vut4D&vepWxYlC
z9{41Av*c`lV#_<|<fp}Zv7lY2;mIQ)C-8(|Tzg2LWBbp3C>u7IcXZ$G>JV>ZuQ$B@
zEa*Di>-c-dnb|kd03H96pBd46ipK-h>r?H~m}P0MS?y?}D%CwECS;H7*Cp8nl>~N&
z%R`Hip4_eTEe&l9)AvJ*pVulb_};jbyS@L&RqSLMR}w8faiXkKnuGb5*JW`%&jQYl
z7fjKV#FS4>JPWaW_!hP-{p3L|wdBIdfqZWrMzJpTb9J|Uh7280pa6qMy3E>DOv6oT
zt`^_b1_+ognSueKh`6^&3XNm0peX()j!Q^SHonP}4@$<oQva?G&D8WX&Wcionq|$#
z+}duZ`3<or)hFqT<?)n43_r9MRey5djL#bB^=4!M12mqCQ1dU4s?&h9f4U$zQx2?e
z&)&wN64uiBUp$KObOERs%D$5~ym`trL*Ubx9hlMQZ}@O#acJB75oPF_N;Ty6z?O`Q
z4{u#0d*|hh38_*U3NNgUzM=cl=VzG-sloI}m<)akAhHO7|Cm;Tj-6-DC;)qPL#w*%
zVp%qIFh2gpCcmwE<i&D4s3@5_f|Jc&VD)KVaRRs+ZLXgB*t2r8+~PE*sWzR`8@AM*
zaKKYo9}WXSJDahF+|d9cq-AKLZW<0>cm<>@!N3Mx@~n2_Dx;8UhGkvvEE5VN3O~II
zwY3_hH+D_>#*XUTBT`dAO<%7nb$nKQ93}I2WG#HCyX5+;Zze!ldI7fuWFxa-WgGUh
zkwPK7VYs{J;RY}8#o*$ucAGeu<?Uq41;ws1t_sV-1evSP-oX1Bo^af7W|wsXcMPa@
z`^<f7ZEHH)ZZh&#kFt5c_9-*aJlJ6T5u`+gok(g$NnR|81Q%uB?uAT~&o^U|Wc1&|
z@!H^g&P3#=OLsfHlG!^yv!dZN1Dd|lKW?^*C@1CXD}5cSKI>xB*xuhvboL_EQ@gcF
zJMWOUOX{bTsv+C@BoGXM5t)Nw&Akw#TlN@<SU8KJ$&J=<#FKt7@bUH3M&Q&*Y;xX}
zLvVTa9JI6^Y^;+Fzvs@X__(hy!RJ2lOURc}{z{cerPBkYwgzTJ%Zg`9_bVGvHo2uo
z#2YmVqUI+<X9s6j`#FUF(U@X<ByE%-O(=FEgpyalKNS8|o8>Q&9ea))K|vfFkR^r=
z$P>W@-3LaPS#Vcbx!ltoSMj7^_(N<({P8XSgj;Ba1sIaZm9`#m_NdGY=HwN-^_s-R
z9sSa8_o~Ioan*}z&H0sbF*#<0O<>d;1NDzYY<5wxn>GeEt%8ORPXC|Z4=$$XVGzgN
zGC>;=@y*w5b~n|*#!s9+Zaj|%iC#}G2SU2@YQOiK76F~rJHOc4#^1b)_8fW51s!}T
zA+`F)YK86RV4>skQAU8n@pjWG-^=RkV*vZP%O&5wIfcdl)~EThMGYhav~pm=*Z6W^
z1C|w$prT7a7{%bKWNJifBv7+~y%a~?<;H0{8<Jn3kO`YM?unF-MYPhGP*WD)3>D3o
zMk*5BZc2E%EG|LA(&UMk(Ih3^+2%#`?PgM7g(j#7A97wkc`m>p#5gTOahTwoVi!Go
zqeWtgIF!@ARbpDY#}eisF!n)><<?>tsBDx+8Z;QpUv+q;*pvXVE~Aa#xPoj2!~F?v
zmx{BU9op6?tLXve62vJ$?!+-kA}7PL6K<A}AhunRMhW(%Xm~J=05TEP5Je$MDLAyX
z|M8k*Y6O4WeERJTlA2HkDq>ZJLMQ3TaNxVpq24^jWy<gfVAL31<#}R%Ci~C0WNBsG
z-2zN?oXWpeiWdhLYd{u(ApAL?GxFPK)ss352;2pYTAqM#qcrfZFr!&D+*`qBEXtmJ
z^L!*Ou+Gr`z6>VxL=Yv_N@b+})<~}v8DaF9rs%D4{d?n9CX>%^fFlID2%}0GrSim(
ze_#1iX!-D9{n0>Ni%W(ehr<zp>bS>%sGmPjH2A*<nz>+vbd)*nc8(>pOMc3xEP8w3
zeXSB?qS!8acKy>w^iF=$@jKW3!5oeHufIk>)CpTx4G*YrrWfE(7zt$n{{H^|zdHyj
zG@w`bOpWM`M2kpU)V9N;(ojcLe+FYZKej!(7vL(8xv1uF0l*#qDzF_``pj7+V{zl*
z!K>(H=X!F%3rC8_;KEU6n0Yfq`VEG|SO5)|bD4bvutI^0O=A!s;Ym#06c&jsi)1YS
zMvcb3Po7oifp~HiM^aa!O+W;SJeyJPnVz3j+^-ssf;abq&L;ARk#~VHi2L8FPl`Xb
z;ng{>25-56F2~U$XCDzFKT$)YCLzYR>|q6<|KRfT!~gCL3&#qh65W&8MO^T0!cgF7
z9R<R^v}kYgzW`T*ESUsMVK!Qy?++mxT+3Z2J4D)m3K{1IC&$n-{pDz{32DW{e+)AX
z>j94Sr@y?Slg#}_ycbII-}6^pyAOEkR$8CrC&GuwKUP6$AVW0v+jCgq%b(pvASlBm
z_ID5Dy(1K;Cn2hU5auny77r6YCbQ4Otklg|heF^tUuiywGUg2xndF#`2Zf*wsY4-R
zmatwlh7L%(u@;f&5f1DcmH%Tl0QCR-U{jXxDm%??Z1$zP&<_gcYDJd8BG)+q!=eMm
zqG8mOQ0;1nH3pW|`~SR|D2#&3eQ0)lXyrBZ2CgDzu3lvM_WWP<=l?Q|fQ?fFDQERy
zcuX@uTme+Soa=mG*vmtBsa0aA0V6+T^N#H>h4CALkfR<ToiBcG-Eaoi0D8cM#PnrL
z&d>*p<DrDon5sur)A{`dre3iAxBnU607c<4`>GnK+2^>sOkuC?!L}`9-`e#Z_Ejy|
zcn;OsUQNA10R;CNLLVQ`UMMKLgj=D;z5R~LMI%~GZ7_@<Oy9r@{-ccpApx8iR;nZJ
z!C<Sdktd<wl8LF(ggzH#%1IPNF;r9k1LO)I@gqV6aX5MkxX~m8pi+xePrexrFlHlZ
zC$Ta&Iw_N3;f+R9qj5I8<;PUUbVn2eWq=%;qQ!{p*Re$9S?MoZT<{tid>FvjEMPwi
z@au6G-&Mcl4a}wbZ%c^6%$9JObYTN}eqingr#Mvg`|G-gIOT#_+28j<O+cck<k(4i
zqM=OY7F6Gd1!w8}4GU0?LZF^96vj8uz#Rql+!kCO_6?TT0yaLFgdkREL~weY>jdga
ziZ1}^5}FUho{3dP&VF6OKL5}TvnP;XHn6!y%rW|Z)Dfr{ZKUXU>P%DqP0p38e3Z)A
z)oEIN0K)OR4A4VntsKg6u_!Fkg``nH0T&2^2g*_*ii^tn93o?ESN>CIz<wAJg#)VH
zo_fM>C_|lJS@LR}3q&WHp$CW^dEOOTQbV}2NaFa&8XlYm8gl~BnnIu=54P_7r@YRW
zabC06RR*s3_PU)vliiihv<6&hN@3FYUBo1lVG@v_$Kbq3FgBiFyyHI7M$Ghp6^{=&
z2Xuh{5zjRMu!v@S+{bX(!eSU42qe=tDIL{!V)DNrS*xHR!AZ;oar!&3yTBS2(HI5b
z0~~^Fdm$GqfQtmsyZ|h{<vbah3v)}tO!kbvS_Ay9td%QaB9n<xL<SH%%?0Ce8!b3=
z9aFA5djoG7jH&bnXxVsGad&(EvowI{Qgq#`lY8D9k~lq+Z5~qewh0Br2E7n?44&%b
zlYu96P=#-?>&r63o~$clq~HRPR>qkylnqTW`acd<K(2wU@((w<!N4X;)1#RdJ2#V~
zEK&jtv+5M1wS8t9s!kNVj^X}5iULfE8*kA!Whj+*C<w4|k2g_p;`90~1$%+Z`nL*Z
zy?#@;fJyZ<2sAGUgUF;mH$ki=!0!PUi5`7E5$y&qQTQX-D2w9O3am#n`7ui{JnMO<
z!)T<jdl&Kc`UToI)zk&_k%s1>5HzN)2eQ%!`G2<>XgG%70C&1)Vy?vNcj~__fZ6|s
zP&pfgo1#U5eMoa-)c3iD9gTst(!wDC=jr+J{CC~h_0^JL3x#h#Qx>(*65X!ZAAl=I
zK_;OzqET54zk&7FGZ++uAx+8{A-o$so)pQ6cWZ`Su@40Stk{5v2q|_!JPf>^J%<ZZ
zBZjB1*n=ze39~mx-6&m#L1xOpr9)vmf;DeXF&DVe!F^cq^uh4wnSi=eIe$HKUWKV?
z!b{1es|Ji+`XRU%o7Zha=}jZ32UN(3Lvfwp4Tuzo@)Y!?KEgl|2lRNrXH%Jw)+h{J
zF+KJF_U8j8jKXyBR)u}V2XE&OzPuT+Bw>;2GElicow2JeaCdI&b;c5AZAabiyRp+Y
z)PpRQv!~ncbWbK&d>}~}8b!h8aJb0Jc$)A3&$7_eUGyo@@5G^hsZ7C@cSTrwW+kca
zv!mnJH-7Zroo!zX{M-)VL?CJanlkGDQYbgn!N7vf=S-#SvsX+rweZ;2uvQ*3nV1)j
zZ$V$z(6xcI8=nwAZp!K!(ZHyQSbMH_Ah-{k93PsUq8`|dH8id-55ilU_RQNaHrIvS
zoSfy!6Wpjb_^+f-hIwiSpgt1JW8>f|H@#rINpYbdlwK5_RQFss0`vuBNW?w|W+#Y#
zgH(mEbN{dW>L;LK$)tk)H}1pUY;{g~xiFw9G|vGHw;uC$!sgFa5caO6NzkKbJq-3x
z;t0Fe`|Yclu)6~kFTgdC7n?w;%6H^lu~*QfR^8lK*r!Q)6o#!RVFLpGPkQ1kY4G24
zR-;xvceLl&adMsAq>)b4;=F9Z!P+f6K!N{#tzRTKp<_;TFmUGCUertsB_Yi;x+glB
zUHH0b4M)Xjj4?+uymSU$dOeBr?!{y(k9++*4ZmGT`d`W}VDZgZ4^|KqMj$aDK!9}(
zy{v$$$&rS+nBzEjF|Wx+ee)2RTs^0=dlZdfs_{CORhtlEf#pR70zDN%of^=W6a#Kd
zfLAoQGaDHt2Aj1ZmI~8>;x7>s-ssM<<GFZH7*?cBDAdphP}x-ISrW~v0D0Ef`?9gz
zU_8z02a&Nuppf<8wnVZjJD7S?@W|(+M0A}BRYP6O(=43-5KyV#PE|y@i5xD_AV|E1
zz3)es;bE&5z7(gohmR-$T1s~Pi%&qg^dW}SVUU-2$R$&st9T6}jN*T;P9g%%@jfH%
zXIRccWkcem#_{-Y9tc{W*FSJdnS(p{IU~OeLOQ>Nb_3_az?sS6f>WmZ3ge!_T+{fM
zSID3D@f}Bnr5yhTY2pfX+_@Hug)x1D{cfdO{KifM^xqAT@Uv#JGM{iXq~Q0W>>T0@
zS9CWNu_fdD*|s?NNagl}bhEf`G@!(zDbjtik?Wqoiul0R{TJ%~fK9ezVc`J!i8DAs
z9kU?na5o`+A4Y6^N`@>5x|2!z-=}{Eo{o3W_6;CFI@4Nn-ZPRpBbomspI&Zz$>xo*
zyC7&6C<+qx`i_A<gepqhND^Fm_&c(i?(2(hBFtdKN{3+$ZTOa<ry#f!m?cVCOdqT*
zcZEWE>yGYltf6p0<R3bi)HLjOI|{?}zw22C-pKl7Fw-*gY~Zh69+AKHRlEZ+-r%ry
z=^uABUq*9kS@jo2^z4Od$Q}DuGUWiozB19BV8icRLtDMj*uGQ=l&sxjIifk_W!%W`
z2qs-Um$Z1P0CNy-D+B{`p&kXB11Y343iv>O#I@Asb*0KbYG*>?aj{Br6Rbq~lBJ&1
zZ;vUlcHS<W_JuU41NIW0<#hHTW@Q}h^G@(&B#2-NMkrtUa>tb<o4LhnXaqDh(ZB(A
zcHIju)b%RI%t*a%LH}8qK>j`MyanlJ>jmXhC4XIcdgYlM+kT}K?{Cy!egPsJGa?e-
zaJWOVGL$>X1+C~J%XX2dI0it`sYJ5mAHOyHK`}bPcG?V)Zzf$d2fKrSvXL*|Am~ym
z)oqE5&G1XNGcR19>Xa7&>P-z!rYZ0IQlb&R7FV9p@p%O*#=(f9zU0}{_hN0$s|RBF
z8*<TE_Pr^~f681m*^M{9B96qSn@fv$&fH2znEu9o3HW&6&CG=CMg~chSf$qWH!wM@
ze#zcIQNJ*yuxw??n~4ii%8}%4r$DDo3Jzi<ov}Cr+XY8(m4C1)NSMez%^nANpu^6r
zKO2n8ZpMC5)B)ko%`*|gTg}yHc+yt*LWcgQ!<5zI2U&xDOD~!ZU4@<O_#Pd9HhORi
zS9nK}NTDUpRu`9PCUmoB>!PFh^QV+mnx^*&ZdV8o>X&X#(z^;iuDOt3freoF>mN)-
zzXih+iR?Wz|J{S2?_^>^E#}$_V&sc8%bdq9#vhGe;V1)^0tm%+yUm)kYV!H!t{hEX
zuYau`FcHvthrkG+hnaBKZ;AJ-VbitE$v|&^Gy7GrlyZUP8zBSbS-UTh)+(GRj8HYj
z;PrF$0W)=x>=~$UNMuBo%I9t8uf1G^bJq*MLMSB)a(tly3g!k4y5H0mDa2546uo|&
zc|}2HI6Nc8>K1RRSiW}~Uz$_PT8a?&!lU9Vc2u=X`ZCj(OsO>x+&6mV-{)EMIX#PB
zoy|<R8yBN@9CWz%p`k%zzpqq-&~RHa_m}!_!#{=&Z#iP6ZX$NB^g8)PFPuKnu=b1f
zXMAeqs!+|E$$G^?u-IrbWp(|&WxHJ@Oscg;w(dIY<(*&JE8xvPV~}4zW9Td`tXf<R
z4=5{0ozatjHHL>oeOJE>cy9KLG7RAt^aRhO&FZq3#C?&bbt5gZ)%NeJe>w4}7xgW<
z@k>;ZX&Jopof6_6xb3Lb#5<t#RGlbb4o=Z5wchVX6a7!^=6=kl$yD9h8Erkw$Cxh~
z=NuVl;uJ%5<f>c2#bx*SWpqrFqFPH|u1Z-x%H!Icx&MAYV18ZbnV8nKksrfb)j2~u
zSEnjxT9${csp4%Cng5uAkylxH3`8c*KD<=W&>A(d+UwFOicbw><g<vAvk+|E@#{C-
z<Xsd0Hhq|Tl$tsPk!c(c4`2GbpyO&5IVANO70<%nEk3H0QdOkZN4q1@;pb~O+EhRd
zIw|0vn4ji-H1y$tl1Hq(l!5u9587iI-dQq_EK3uV?=AXz&_`Nb)aJ5LYuS00QCC`L
z7vZE_zxHgGdvkklV}G$`tEOL;HfqmMcl3KYu>jSu-<8s5tp*S8=5(Ei9FrOgPrt<e
zm-*Mn_D2&z3#09=UT=PjOz#(SWHdb;iPrT?KSDziFHbaSM663sZ(9x>_-#}MXc+pp
z)Bk)?$zHf1$E5R;^=K(^K0@*1Uq2Injox|p<6l<`{W4{`{|#I7!F{NTN2%c7r|2KQ
zIrq}wu7KifAtuQaGr^Fm;99Dyn9l}U*7OzRJAA4OWu^6}i2hU_Fn+RyW^*=Sh)+21
z>;->?ONDF)DOAGdiR?m5)Wc$(pt9eT?k$<s{dbBW{ThM?0_pcRR{0cIC#dfBCJm-3
zjB!DbE-+)n^S9C-x!0e~kB&+{4Y{t3tE^J#v>eC=7b(lguI_&do#S|ZDVfz=ZtzaD
z;Qj2&`K$(TD|$8V#^}CU&4^;R%=Fcitf62^#B=})#~usUf}_GK@S~|{GkTXcw1~LO
zMXgJ3zI&Q!7%EfblRVT~GDRW3jC4`lb_9-EYkckr<F>#91anQu^ma&~){TU_o+pt<
z+%E-XYHd4qJ+nd-qMN)1Xfx@$oyDgG-At1xW(_k1B`Wn$9W9sVKKZ26(ozB7WKEHq
zkWAiSxN}C_H%Pi)wReU(Z8__cPHawyBxbsnSLBA~&8$z$2Bs4qDraV;JY69@M&0XA
z{}{_({@n6f<;1FGuW4n1f1!p6oZkl74ZJ^I0)gJ@a<`aC-uKU$cV;xK;VBsnhtdA8
z8;o(e5M?R@DJsz&Dc%n;yBWwbOH@W)OiRefzw#HN)NV)J7txF@LIarz*xTfTY|W;N
z2B8r!7Z_J`E<EZ%9Wk4Hlap&oGQAAatVd*JM*)R!LX30Ul!HFi*gI@66E>}xpTrs;
z>p=P&bdfxt+zRN7vmt{1t=>`|(6L7akRLQedL1X76Vm7P6g_HTijdAfKbe>MS%!4I
zKPE?t6bp?NMo4r-uB6xx`+2s=DoCg+n_&7pTEBr3<p|Vu-0v5D_T!Z}Hb1G8O&%KU
z#JeyNZpYMacn9C<b-FEd&8c{Xb|*TX-3OkLvwz|~dcRf2v|CT_z>41I!Xrb~(D_P7
zgg7<Z^tfD*$I=C1T#N(qS#S9M1Lp7(7hGNi2xoH%g+W{?{eIww{{u$e*qq4`qPjeB
zM%$#BW1C5`abX8Qc<Sy8GH)(lGY5O0M;5PDIIA|Bl%onSlSUA4KYMf+{?7Wb^hQ{`
z2WC#a`H!bf41ZtP&-@c8N;h^yR}oQZkoonSgn9446|$!6u6QH~t?Z7mLJMR)@r3=v
zqdl{d*kLn9VVvJfo{NKS^SC#@g9i>|7kW{>eEsn4HMDvZFiMAi>}X3{{bG1wh(zd6
z%=|M9D_DFiG78ztoiF=FodWD|sNLug1uz>cdxmnYC5HhCA!+NXwD`F@D7t#!JYX+6
zy)VKjxORuVV(1x=oP;}WdfZMQu8g1LchedgZfsz4#=mwaXuag4sKnsM4T71j5#^Mq
zOX{_Bej3y&3e(^>u)hW_qZod12gGjNG7Wv8Z^q8ULA)4(J-1O0yluW-U~Q&2dJ`~2
zwL{83akPkWsEvIg98}|L<+CJvtMrBiJ5oJ<?^tao#taQJHW2Oo(I-~m)vX1Sb=a+;
z7rCsv>CyD_&D4P<!Q4q6#Zv6XE6qxvq0~3kIVkf(KlC=yq&3=T+nDFi+bxA~m{A~u
z#U%?*O|U~<C?Y9t5^uZf*-@gul62A{gBCb?DNC(ELHXvsiQDd9H+~d#9alyEfn!sm
zrK1od(I`&OB9{*NB*He$v6RJoP*=b&XxLZh7K*+2leey6Tweup#KNza^22?b*h3Rp
z-<OdN{$N*s?9bkxAo$zO;pYM<^}+Y$r{<~#V`CQ)=B<#)^Qd#-+EerYs|5fd3u^Ci
z5C4v*yq)d)*kL3qxzF%(GtBJa=4{%KSC*Vo-_GXOt7$zb1{BM^Vc1U=b0u>po92zk
z*Yk~!quR>1cFO1onogZYXz|O0u!kSe6y*jFd???`PA4t9Nw$=+RM=}mVAtg~(?qC+
z#qB3`f=SfK8`$68ue0u#G%WP9Ut%mbqeCvvuo*;_?M%4=?Iri_&L?OrUD)}j@+j6}
z1N~qC4(xMiOT}Y&ZUhzn;Sq;Ih^3(IaF8NB9nxmjEi&J#q(K>vu6~D;kYkp+h%D5^
zU(H@eebRULFeB3cw6|@t06Oq`j^Uk<5{=O#E*t|h;s*0`3_TKXbk997U{tEM^`6>p
zLPWgUO(mX)MR8J`a&+{fD}|2?SsBuQ)y6_l=i{OMC=Jp0I-<G!Rork;7GI(z#$dls
zYW{+EKAmIyR}jaM94`p};f@+COecfec=g5OXToC((=eM)Ee`pgUn%306CJ44t`Tnz
zpj4GPfDbFTyPHrVXzZYx3k5%A3T$=s&)rmOo1ru7gI^+&5+?uIb{-CVdWc6ER2HGx
z>jLEJEQTgeG`!^BY*SMT_wEV3_KpOMZ9ssgLLNOBSypRmC?uraL<R{P4=5MEUb>44
zwXGuYwZHJwZq25N`G&D51?Hyw4`x9kb%43|I!SMRsb%z2nXa%kpu+y)YSkOspZ-f3
zKRzju38-v=NWgb@-8@i&a3;f6Tqg1*DY2~-Vv*g-sRFc>)t9L{aeYyH^Bi>9oUBI}
zii5A-V?=Ug!nmU3;XaZSgfR6B1dkX6Hk2MLd9~lc{hz8k6!l|UeJGC`<fP-&rb$5C
z=b0Cfa4eMWdJa$fhkz!mj!34Wux-lzq1s2XUc4`Wp~cFVho!PyGQMYv`!x#rHvb3(
z3mad%r;Bi4K!r*cKZSxicaO4U>~gbHx;d%=RC6%|fRq07d5IWuRw2R|8P6Q!jCfP9
z@QcoPL!hZXTv5;`|MBNfuNJr6fbY@RZ$9=`52&7w?do5$VjmNKSUk>=GIA4IU9j{d
z|LRMWe|j#OJ?QcJ(-jwD_Do;lWTr#)fEcvG{yh)zZDJ*N@A9FwI-l3<9qijOp3<$%
z#B_4-Ysy6Dk{lMaK;GG<Jg1^vfxJ{!#lBeZzwU)!5ytK8mknIpBryn}A*s+|T(37R
z)f{202d%Fdqm2ODT0ix|`aYs8v0@JA<I1M<0zlqR^=CDUfjnb>J_c1vGZOo1$6F;o
zj0=t>c|bd}r{!Yt>-WBO%KxSJVku3rRWr5Q{8)b9+yEF*-NnAqbz34wef=O}DXSyQ
znO``M`5i}$_|5Da-YXrKcjv(kN&?;heaE)KAGHa2c9|@`?SgllJMuZ(+PEwYxECpi
zQ>mz`&m6!@Oh8ZPYZK6tv~TTmA6EsG#P9LADkO*CbXhF_XUoIs0q|IBr&;dD(N=~R
zwQ{LS{FWoCJoTN9!U}fghMMo;^E`+5*|Jhjx?|?cS5Pd@YRozuC%9T`ax9N&%F0vL
zE9p(`hX4MUN3;9*zK^#~EDU<mtL*6{9aNhZiq1{Fffk^dSrPJ>=3<U$PUGpaL*Fz$
z5%N`d1$pYNnskDe^v1MC<Omx@h}`xisuh2}enYHY|6+xjg;WU7a4O_`0}(>(<4w3o
ziSHQXjTTb<NJWdVPK!iBQl{ROTxm~<xxyAroUKgAsqw!}ys4IV^azNP^o(Jjt0Hj~
zg__E3){2B3$yzEx7%!!nlWqQq`Y!#(h??$QosfqfK^Zle=@!3`>(`wGVs4`ruK|Tf
zkeNNYFY7cnHfxjGNNzJ9kP%`MILXSbnFAp+0P4tQ3GVr4>;`@D?WtP%n!V9n*jxqc
z;>-SF@?%-fs~r@`0sfCJckcj{*=HSe+HXBALrp_$L?v>6l~kg0j~dG<3Dem(r6FtY
z-Ue(n2sge;{$$Jp_$7?RD!@X|HT@+4K)D(9U2u9TT{nGeXxILF?s01hM280PRu2QV
zlN2wFG#{Kv9&a%bii7B{&<Jm)E&4ybMDplj<Nh7JBc^3x|C3I&OzdiT6SH==!BSx>
zj~b0JmWL8A^HNMT<9#!l-S|P+n3u3jrH~S9#Ih`Dv3)Cf;oaq@GL*=-uW$EA-1be;
z<C8n!{Uxa_{=u<W!Tb6h+=j++5hGfilG9b^9U}Z94ZbhYaTg>gOrvo?c(OZS{LAFd
zLn#jgm9SjK0Gp<{*qbw*(i;z|hPYuK(Zst;(LjxYI5x`Lbiv_wqNmAX4>54#lydsQ
z#W9Bri5-dS9IG92nX$QX*8|-WUt83r;Tp)pz*x1Ly0-iC!rErs6U1?NW@8HT6N++L
z3adwU3l9@)3;x6%9n)@X?}oDWKU}OS*z-+GWs9Jp<Ompwpj}9^&+W-@q>_pd3N{5M
z#fzDMmRBeuLSIvGG-x~&$H?@1DE;}0FX#`G%239bApxWSgrLo)09-I=&PAO!7tSPS
zhaYOWYO<b8CogX5wJklAh!$CPH7z_1m8uPj_no+FMr5Uo=$Y<4$oG_jYwB9<W&M^>
z^x9!(yI^<-W7N`q--7J-zPa266z*D5%gXJd*6$cGCex($g<si-Dg0m{PU}nqdP<~&
zG5jW%L}ERVcjR%yEX13JeGM_+vv0UOx%JDLLo67MuT8#6u$<;fxArAmuJcSu`-LzL
zXq3~GisH2R+;TlE&ztoQE0W33;^jQdqIYI?pi(!GI9(ifWlU0B3{d3nTMRHK^N$O?
zU%B{pbg<ihUs7&sc=rTt_acLJd^C6Hm5x?WCnDnB-AvATAz%Bl!N8Dfp0b<G{sOO>
z(u%LFuw44cBjKrSXaYDoYBOt_Lb@zxF~tFcM++N<+FG?P;~u&iP>N5}v7#u8SJ)Be
zNV0&e!7Ei+lokcYNu1})jFltn-I{l{U+)GbELHFk?5DUkb2y4nn%X-T?iOa7n&Tue
zAF!{BD1@=`^txo@V%uekFP@0Ji-s@?9B?QbfCXHj0P>}Yib$I$yJeei&5iPJL5el_
zn+4b|i8$H)v;FjON2Wli4g=*%p%yms$*qnhv~B&X$(#GJnDBlm`Ox|Y`8MTy3}X_O
zue{|cHz=yO;kq_8Y>|>(Q~QKL$KfyIiW=XI18*7*SNM~JJIf%HE6T=2oed_HVsxMj
zzlcdPVnPnI$lsw^q_oFCE8MP~d^{8sclmHCHB!-xhaumG-lI)$gT1Eae6O>UeJ=vB
z*pu*#=^~qN4K<<QFv?_BV8TNF_Ewhi#TZ$b4CN6kW9uq_HJ5(U$gDA5{JoelFcDD~
z&<-M5e~a>FuaF4HsEfTabEKwLUs6Vqh%6Pm0}&DNJDm<xhJJ$ZrJ~DCd#pGJ3lH=>
zpO2G|ET23DK?5DXR*M1I4vyr<Fa<?&N$H_oPF)ts0S_cG3u;v^!2q=~e05FJ+;A*`
z<vZ8Fkq-5thD|Xox5;-L4V%n;OL<Gw&#R-l7FXl}c8<b?aPoM91)F%syc9TgEd5$&
zfo1qk=u0Dch7xP`!8_*NrG1fKasjMa?CCP(cii`8fru)@;nr120WObnF58j!2#*FQ
zSaJC0NARLRdm$7HUJs^!_ZPi(^9)S(^=8&%)HS;$(VekU`hqP18QdpCMBMUk9vVF0
zLY*pvU_X#Z6`ANfLD!&#A7uBAi>Mz<7!ojV{TIdQJcoAHKMGW9jMnVf_mSm&jLv&L
z%(T}pm$d_i<ShDII<a@^Kv3WQierrK@Gg!HIglzg|MeYX9{-5o*2IN!lQBwIXv_b&
z)p66*cvjA^`(rwRdMr(4HZAE<ZFiVu%0qPSws9TzV7>XTM~f@RD&0-;EcO6J`Kk%6
z^DE4*Z&=SwzR-c2Mvgs*CZmx$EH(f>7Lr^zWcZrak#Lz1!lvP{6Fe>9lz1``;;MKh
zdYTcwY91Yz(p`Q*(DE>p483kljg&AGP>Qp$=W2Sz>YnvBrRz%Kg-Ao3{_KgC;R{)6
zWU#Zj#TR7+&^*0LgYSr;I}Wx#yW*~!Elw>oBB26Ig3(kBQIjHSz3ThJ*&K~ebcLcK
z#_c`Qgpd2dU7u;joxa=;y@%&q%4sds|4L0zD`{5N&fRtI0pouwlpD-Pix)8I%r!9=
zd@Cu)`X49ri#Hh8(n_aekCL8EpzNFK-@W|*(e>SdRDbW|_Lfb^$Q~ETDncn_@9Ww(
zBP)B89T}m>waMnXxMsGSS%mEDvPZUSkKc>lpU?O69l!tXcwXoAoadb9InO?4Ag!!a
z<L>sgaq5Xd5z3V1qNA`+FS|Uk!On8c_kn71|C~BAR*^RC2VL;xs7SN83Gc-4`(4Tb
z#dgg07|~$TVa&wG_F`_QgE-Amg*NH<xHITlELv;dO_Xp<N!5xsASCqaKWd7&#6*=J
zKixm}{uYBu|0%E@bf?9&sYa9Y6kBUsBK1`1Vy;N>E_yd-c`-e>wJA>6*Qo+ig=VWC
zC@!A-+5pBW+W?!T6q^%8<6<LlKy8Ml;d26F1qCnP>U;Dg>doLmbc5S{rN=zhGFrR%
zmgP9bCX*8=ygTa2h@1;dUs4Q)-s3xcG<3vMzc>GI_6SD`BifK4**Ab8h-TtPAB(ZR
z-cD9pofEA9_{IPUq2`7rdb5h6memc2Maj}U>7sb`f4vdf{vPv;?z6Bj>$^XpG%rMf
z=tLzW(o)1lzE1gVGYj0VcjO8lBjNl(I{BHIXohn^P7ho(8X!}`(3b>gAb+4;{%xF%
zH&uqIO<bE;pkTgq<$B^G+dwlxL)BpEx}Wz<iOX%)g&VO-n~eF>6M5Jh{m`kE(U_l}
z!ABR~eHClY>7F0~JKZTMX@7+c@-1@-m{T~_vV@`#k(|aI&(UAjD{dkC1++K(5;@;A
zztl(PjZPP_acY`u#a`;?@IGuL(qL8S*Nr8igUB_<yzZbF7sJ%H`F(qrslZ5`G><R$
zSckUky9&+Nhild+S1-{>#X{g+`tgevCO-Tc+v^N3Tk?ZU>qHa50m1!?=t&eEQuz_B
zqn^V1g4ZOzkARc`_(Rt_Dxbpi>2(aH-Ss+tZVrFM$7yG=e+bQgp+r%J2bdXEoIy0H
zGq2WI$KaMmOYeyxqR+=u#<<VSB1hj(dpouz)lQ6G!GmR;3-%YmC?d}hJ51Wrh}Euf
z8Q%-)nzcw>f3||(+PTjCb|D2A_CMBRaB)E~c5L;hskn*vbicH<&24ZS;Xy{8&ypNI
z6ZbUo6d*VJah6zMsl~n<0@Tn2Hu&c7&vlQOX%ITXdpIGTMSSrF6vb)AY6BjCV3}Dw
z9}t^kh2SFz2&-82mh&#d0}d=_q{iOy-zoxxE#O$^HAV65+O+Ze_`BHf^}O#c-_p$r
zxE-~Wq27H`^ME6jf~*WDnxF0YpAOKWk2yB%_E#66ZN;x@1%PEL;JLZjX#Zvy1}tS(
zRkwJ)=S$qGmK7bPi*G#%>jy~jU`&v_o`dN7QQJE##y{43#xn~Tmowv&-zVY&Hbh3N
zAmG24wzY6QGhZ?W+JpJ>RFn-$SzBgMc7<E+rr5)K<lSh*6HT90R`SBC-6zwPi(KmX
zw|`^hySD3vC1Z_S*^Qcf#sELl9Z6#*vBv;wo|C6CB7n3I$>}3!brjL*Jrq3<*<|g+
zhHx@#Jl4IBETkbV^KGzb*rOa%j#)Z_FUVPL;Hnb8(<-0MDGratq^-*Os24;tyV}o}
zyXxT&!vNdy<!~iWKN`)TfnbF?*#DAAB9jQNs42q%t%v4KJ&>u+X$P9ooV`PM%VT8w
zW}(HPeU87$Jms%gfdWff=H!m;3<r8>n2?=_|M~AuheMOb`HS0s=$Ck)6q)sV%mFTk
z<9wo3VKvH?Q<(gsr4yY&Vy<Q`%kU{mWC-CE;BW&>>W+ptCbuA*0fcDe{Oe*$s9bZ^
zqD8{Gv{IYO<j5zR?9<17&YUzWE|rxXgeag`7+HiLorT$}TBChe_!Bg!#+xJ%rKA5_
z85K1vs^@3cLz5eeJ$CTjTdZYvFB5Ev3xXfMAoHBEE5%IMs4r>nuOUIoRT+YOZUJuj
zLlf?tZf#4wx5aws2if}@J$}dW-_`os^*wh}%cck+DR{-3uYs*CW`oXQNDt~7Ih+nk
z^uKzAGL*h`?GL!tRY~;M&V^8kPl0gI#)95U_dH(%Tx(Hb@Jcb*9%N?r#m>>lFw^d%
zy7Y^WU${T)NJHhl)OHA<`Osieh-lFmE~4=zEfYXP#$J}4kveMRt%EfU77yF2DrzXH
z{ewB(&aGxkM(EN;pA|clR2K;X-GNf1(!#O$9~2MXKPD8~K-R2iyW7W!1TAS^NdP+y
zT;<kYk=WH+Ne1=+8tn+=lIcyqMD@(20jVN&azXk8=0J-$N~H4ZJN@f{u0LD`lc^aT
zw9e#{V5I{;e>_q#FC0yCz>|-oI!TtY=D9^(xR$|Qt_OASl7f<k;fh1iabx%ixgtPB
z54MNN|HE)W9o66&f9V5}>ZbzwX;lKDl>39P8qLH7VwqF;ws56g*DY;4ODI+m7Dw?6
zSP&m`PH0R}(8JQOG`X)$)|#zMy%_c(HN*QM7IqUlY^6nVmDEV)9R*z4X3yzFk+%VH
z5Y}=|IX}BDmWI3;0yT&GA@j4}FW!A-KrZ$qGuT)OK#Py^f$Xc7fJ-XmC!u~BHi9yX
z`^Wc<r;nXE2UqJR=|a9{nwrZ0>?eFDgPY-sDx5@_T>1-Rz*hH{fR@cP)JSs)4gMD1
zH_@VS{bvhabC_d2w=^(d{U0^t&VO(^6x)qIe`L>seC$`+h++Rzyz-Ddbu6!fJXlO^
zdZEx;I?3Gp1L0?^F^sZ^9>EEcne}1^^Di*KP1_vgvHeN|gSNT6K5J#LIpN)pceF00
zx=VLnDSUP}!ho#YEpF~N0{W;($df|;vU6>FqCG}Q9z?F>N;=Opo<*7s92Cv{G0=cy
zh&3!!-fbie-E}K6KV7jnkdVlIlm-_XroW4~KB57tbWGnQ>|-%;Mh&giFLu-us^77i
z<9j2LdZN<}^EkeRtb0$_8W=0GO{|406{PyRj=~RmD|gZ^+t@_QgHz!%7Pv)d;*0nt
zs}$f(5ryH*EBRzuU3_JSTTI`AV80hL)ZKrzMKOnoD6z{aZm1P^X^p{uI`~xQT?FL#
zDgVX@)g66V=jL!<#R`27lIjsYGRc#m#P7G1GO-Z8*WqCxf47W${EOZf%#u6;stM^2
zqjT)QT`Q~kI{lI`AP|VQsCSBe)l+ux*_?NG$Qi+d!T%sjVkR8CJp9nKX7Md9Hzt2&
z%2B6mQ$;Vu*9wv99M(p|tsUw)Ofb@kn$eTVCk78w=Y9SCS4cCa^2I}LaT^TSWUU8=
z$_cTT5AGGi?2P@XN&s?3@_`$`N*wVY&vF9dcNP24rtI%3_95)!dt3CsX)<ETZWXg6
z?;YK)(0ux-A$}Aiqs(Cd6YOk*g}#nP1BsNzcQ1oVLNLKf6mQ{q5B%u~$Un9uXQY>U
zJaQSm6vA>Y;!YZZE{A_R^>2HG2MOM763W{ZnfDIuZ`Zqv5k0jp;M-0;fDKl9^liJ7
zt*rF1Nq#v-Np(fkgv$CkyyR93xVnvNr5ndk35E^H_9@-MMBwHcm^Br%#iCE8pO;{A
zsrgTEpCj$UY9GgR1vOjiE?ZPlL=>%qM4Ju3f@|u+fX(((9D~^Gi_yEg4Ta;oPt5=1
zor-pUUCMYx5;gl^)IW%35%*deT*v-9gn;X-p^2;twhj-SqEIvokc-NnG%w!mdE03t
z4oi+9o4hbnY(zXHos{;CsrvOC_<?|xV}yw|c-g08$iQE?vSvy@C{YfE+k}~L`>WK6
zq&)p7r>LHQ4vl_U(X0>?CPJmF5=e`&_dC&f;m6qbq{C(QES%3D+koMv5fS887%GSs
z2g-7kY&aFmD;gugDS276+DoHi=uP5N(A7z)x`SB3gh3XAePaM-O@&WDuTunpBOXW&
zux<jXXEF5K;hDE%v@D{`@IrJL(R^(M5)}m$eEz=~O!~r0+#lgX*o2qq#8Va4MU82&
zkVQG+jk1wh%=m~M-<YmTtS6z(x#!rB>eh|Ix(2K`KxOkKttj&sM#joM8W2ZC$@WZ%
zt5waDOh4T};inji^2`7Ida6G}Lg%=7AqU7+VR`ONj$Cw!4xgX44a<%^WRehz)JR{r
zcubW#W!GSx;OfM^tUCzhcaqHP55Y6QjApe3Ve}>h;if+U&X9SAx=JQwke&fNv-U7~
z-S30#j#2#cb-g!{QFL2$Bh%7c%lUXNs&#w!fpfxI-Je279&5%UwhdSb6}DgqEZxH~
z6T<3Sujk!J23E|N^;7)xro${j=eA03FA(X@j-EUYEudE`Lwro&Z*nEyAF4Pf;<^QO
zDLjs}1%vJs@g&iF_>-w?K6#Iktpg3OnlusQAso?tKn!_7>?bMgC%7c*==PktF%+K?
z=X3tjQY;48S(S9#7%f%_FR#1Jjv3AOqw)zQh6-@c;wD-__h2+{vzs|NEvinOov|SX
zszUmg``@z#^G{(AKesX&O&AiI^HP=YcvK-}ZRiQo5=KA6FKZ%!1TXV>Ud011W-e3a
z@39=!u+>T2z~C2c3=5Qw4xi0W98=}YOBB(eak{0!{;2FEQ*z1)$J$OcpDIx(J1lqU
zm#~<84bXklP_N%qFE%sqQ{!yv_>)fo-X4YNJ*m55<|Nfcd<vJ(KVc=C*VG^DoU`Bp
zNxY+LDU##*&yDpFv$B4EH36#G8=5|{^Y|YDz4+v(-^<yPVmmMvI8;3E4X%uKBBLHC
zMV?+9S_7VndZtTLvY+wB)TrdWa+!F_T5HV?27iNnjw`mi<CPEwOf5(cEVw0~uy@IG
zdxmW`aF7F_g(+q^c~*Pk60rW-rM}9BhG=TjVcT`@HpVU^PmrkhU?+b$7HyaaldW@&
zmW`4T{9!eoF|Hvz=4;}@qUR#r%$VIcCfN3kY@+h5ppNpAFU4w;7fA#zY*Ji#7-4+W
zOn4xsI>x>8&OLPXx^+v}@(3v7eR!%3*=7aU8x_y5WhxRGM>WqtTK?z#c<h)MH|$*@
z{Of_Jl;N(x!pVd0Y4bcK$dGz7GRdRqHUC$r9E(;LqCl1$Zu-(&56w~P$GipExKnm-
z*~s-M?Zj#0m{URei{D2ZBlwEu$@)gmz8lSE`q`xn2PK*!<%}CeXGHJ8m7SE+A>V_C
zrDEZWu1_*KDMq~`3y(*=b@h@`XNxK{c4x`Z;(5Lmk=x4d8J3UC^p;*jGlo7gzAo~)
zm~@#uay-I>-A*3U_n|^kS|NxY!;b|?IfJjw8|Sd&+hri22L*N2x>ByF^cmf@uTD25
zRM01Dzt_k=jMmtP3Arlvqbmx3IYQ`r2CsL7HB0sIuW$yF;iL`K;jC!_h^yqNl?8gB
zZ>Gu;_i+&3_{8H-y!+<)1wYbh*@5#WA|q4873eOZLm28}5C-*CE-PA$oPDGRzV&82
zE(sz}ItQefScN^2z@*h<Uo)4MmW6{zJSA>(e)~h?Bf9hv8TW&4_#x00obo~aJ@!wM
zKMaymdn9hF;*M!168PaNtD&M+4-8aV3mxf(9mPGq5mCV_l{Myw2OOD%kMs4GRG%P%
zY~&&$l24x=3Ba}4rsu`Gm|aaG))H`_WjKg0G<WCyRgMONF!U1F?6T?m6wVKf1LlC+
zw%1b{W^o?>ILTJ#^Ua*dl)dm;Z>Ft>TX!_8VS%~QDRd+zMq}rz(#!k}1SGtTR`lPz
zo3q_&Oz{IOwgag+EU=}H1j}c-nj3Tb7tyY;u>lrvRc)UPWCKy`o0FKV+%D|a{gnUY
zkwpvJb?S#h-JT@$8y{#;_ve8<U!X&#b;ouJ=LZq4OWvzitVi`UNM&}HC0vZXX1vPn
z&d8Da>|n3+@8{>uzCa-EjRe+=`zb+6Od5vDmRI*P`z;T1O_lQc*Jcs+kHHzd#sd==
z(R@MGaVr%klpod})bV4bVj>QH=@!<z&jy>}p>kfXP8ZDADonG4ChX~>fu0-TW{p_T
zB1sND@I_1nrr&X;r@=!t$kR`SezCUeIqamv#oUwZ%jKcR!}I%U=TP>!R(CSG62YF$
z<&(<~G)Mvir*wGWBP^07mxuxGlC9A&d<4lwZW95d;(lpQ>(9suz|Oo$^d`|Sz#t~D
zsw5kGgJ<unKG<Ud)_pT0(|1tuqjI;wc?loISIRq{DPu`!3~2d7IwjwA3zJP3KWXw)
znht>vg5*babgdvoNAltTpx|eBzRwv!V&<%%G=xw!6A};kCta$a;$kOvWWU=g$V!nQ
zWKS=LbZgC0-1AfMo?9O#<hRx47Uoz87C07fl^F-|%ll&ct9u~O7~$ra)TkT60{u#m
z_eU1-b%tO*f37-EIq$tX4jt~kUt+)r^wom6Hi|Osr-Wf3RB4357;LD46V1K6#5al&
zNpP>Ty74&S0_bYxqkf2<s5MJnwxvb7l0tIzHQaHK9F&Mvo(Ck)j?|P%1^-}yg!T03
zyzby5+*b5Qh`X57ET1L;LR{0J|I&B?G)vy-(a?*j@&Z?u3=3>yS9NI()%oXyAO{LU
zh>=0+W8JE2XDEEJQcG)j`Q%7u^);c9{KRiL_@H`+!R}o0L?%akkim!Qijq}~=+hVS
zUg{t_RF0<3rJQQ<cU*}3RrNwM1J!Vw4Lpq=)$^9{i*OALEVhgViWKEyFiPtxx$rj+
zt9Ww?x0k_3MBF*(&WO8BlCl~7QVgmDF>)GMQHFrJzWBHFW5Oi)vayKo-B_wZ&iO!7
zQ?4^PeutD(ZJ~9%(0}Cu9DQvXfp*77A(O|3wz08m8($`O@wZ~YrY{e;bXJDTgE%Sd
z_1;$L#1oN1Rv7(tusyjmKO14Hu+gez1egcgW2l(M@t2kg=CpWlT3Jm7b;2VIr2B<Y
z@tRe2eFkr+x9Q-gTBS{Vc&I4jhb{NK#co%KdjU<|31WbhJVU=s+^98>B~%u=tMx59
zh~^VB#9ClA_#fp$s;P$vg28o0wOS;0RB|BJTvkj#>~xz9#XyUd|8qtJ6OzK3>!mxU
zckmj>CRh=GB_{QCM^hs?enjX^AXe+GX`mE>3LrS&-6o<DaDk~k7xY{Bv}Cd~azGfR
ztRFDA{>ih|u^Rf+Ieu33p&1tJ7(v`;D*!Sj4d~C2jHDHD#)S^ro0{=n^;0%cmRJ=G
zj+g``@-U#{OUUh14LB|FZ=5x|LdI4&Kp&w{LPAY%<5q^d)yPpXninHygh7dSUksju
zNgQoz9yRh&=SZjvV<j*y>52jOfy3*)v~{W8CGgu$x;l2)E8L@4Epj7;e(RtrUV~Vd
z2F~uDt=!Jf<uf6Ltl1`tj*j&&Z;do^J;*g^!B6B{T)nh5m%N){25(|ODRW~)Q>sJm
zhbhw_E!pN7XlX1wp&&F<RKz$N9ZuaXq#%O@%ddzi`3AGR0{Ko8nsr&4nIQ`!J!XIL
zXP&C}LUQd#VhbDEB4*67x;roBR3^g@Q{8Z(oT{BAL3*h?77lR*j!6pf7z{v}2dhkY
z$=x7aO+HN)#Ku9Ov`}d|vW^X*?q>TZAeVy{A4>WS2~Q{rLim(kXKXL0HAQz1|4J{I
z2ebeK=U;p%Wkr(Hc5~s7pBW;m8Wp*i8V9Gm3dh>Q1QekV{V#fWC}K0dOo@HstB4hl
zsg7Zcu3!#%PpnuO7Q!7zkm9~PnTBv{Q5dRlb&$UJOMp?SX_b!)**oU+?+v$X*R`E}
z_rKan6<)VC8PyZQcb44FKK6He_sM(f&jry}qQMPCJt!Azs?1Y!2~{z<eZ@lXm<Tcd
zEo@rSC>xYU2}jpfibF#=Lo=PZV#i6HB|^(^OQx;|NAZJRM)8UxZCSq{`CK%Y3N;7o
za6MN$aramI)cq8O8G(R5HVB4#h#X)e7I<Su$2QA-$~#saXeBy)#!fDT{o^`acK4w%
zDF!Vo;kOiw9Af>H-#Mz{)diW)-w=te!V*bDnL?da&ga#KH&%%skj4^nvl%rk3AKx&
zV}G@e-m`e=n{wMb{AJDU-{=KSjvu<54@ckkladm3%B~rIb7ODeQ6xL~)=C<Qsq(4O
zR4$t?OF~VGxX&T6T%>tclqQBxt4LX;E!KNhx0JfotM=KCuZM)LdWxy>tD`IF#rI?Q
z9umH^^*{k?BmOL1W!qDdR||39HJT5-`aUMUt!`t#%PL(~o%6k6LzBd^*fl=&ZTD7c
zV#9K#WZ*^Qg$f7F_8bZ#^Kl}UaQ<hpWE9?_XmTF>5&S^SOi{Ftk8A6pdu;Jg<ge%{
z3%-SbPLwo9fqi&V^th8#`Lo00wf!TpV57BtMIG$58cx<2<JlBLHH~SinOIQ-!ACN+
zSMOKYDw`F58LvyL4fy}^EjVlP7MMTSc1jcEk7-M)DePBdTbo#6wke929eegH3l#G9
zXQaWNztlW)fSvlfB=wPVNUQVJ?ZLW6Q>>4i-Ewux<-r&Z@Sdow^o)kUh>iD`N?8K#
z8R2v_N<nVpKB}zkX$?nWk>mF9O@%+m^jyQ9pWY#-33`GV3b4Sn=MwX#P-}_9_%4BV
z^)Ag1Rv@F1&pk-w#$|o$rY4UFV3q5yfNSR;55je6@r^412S`;R2)S{>UF(2<YxsZ<
ztU##pKj1r(ZtBUd{lV9^)_*(zG(fr09{;}JCco?29{#5o^S{Ag2R|{&UNZs3+t(Q~
z*O`~(H^=^UMfd-Dfc$1G0OkM0^u}*+eG~&9pa3?%XhN=c^AmC?_5V4uf5Ts648+3$
z-`4+_+5a*AHK~FCs$Re48p9i6{Nt&-u2jCE7BC?BHSvJ7|J7Zhx|{KD!n^;C(&hgo
zcmbN<zbFm(4*v(G|J%x3(*dx`0fPJwLjPUKYh?Zfe+_U=hrdxA*1wMc)VS89fWQ9M
z&i%#znm9Kq3{V$&O}A@0T+=P+?^69Y_%EOC{Il}cl^8elx&Cm2|3CBu$o`j}H^lji
z&-I$#z+We{{TKW-CIG<Sazda0<6rpvo1WLb0|1yCdOiu#`rr8f-Ms(6|DEqO{0;v9
zY_%JY?0?SpdaGRn04M=&jejV1{m9MExj8C>fRev|Z$e;Af&F%~Ew9)8?~JbDuQ%b1
zljOQg``_^Y%=Ct;*YJON<v+$J_|-GV%WsatQur@Q+zfNGr;JH&+};1Rz5dw{*ND2X
z8`H1={eN#rQhrVK8=?ZQGQFD_QZkPTy58#73lsvZ_`j#qk>I=(`2Ts`BU1fK-2Zs&
zh6>m9j)2>W&Ur}#h4uVDu)O~H2Fusj`j=Rspnt#ZKZw_n<h|to-yi#DdjZ9o#QL*%
zz+?Z5CcxW{oR`%8KS)O50UabDGPniL3`z&ZUNi_7SO7I8Pm<|HY89ITU*5K&LC0=4
zHo?Cnx7vhNobQ!({qae{`WJz&_aQJoSKS^S)CVJ*53Wd`JJn!7sMxz`(a5bXk?DPC
zvH-In!!9F#lfvjI!#OAGKfEl}FgMG)|L!fz6>M5!Y1ex8S}M&)zMAp*>b+B;A7d**
z_Yh0JS!X%wqS^dU!}802$bHS{OFF1MO`6dm8b*A)O1P~JgS{{mQ-mA?MpX>A6=#+?
zYj{>tvr#V2b<lr*`A`V^X5>fb&xq!{w(18zz)NC`j(RVo4-cm1yBmrAH88Ldme^5y
zzeG{=RYLd68h@AFtzV19U!<#5%zW+E5tyqxE^2@SdHl{?xp#H9Yu%&q-M3-dU$1{+
zK+rK3F^TrI^lqm~FE7$mV5LcCO^3g<bd4XT3vW`r<CoYH=Tgtaj@WUrK|ULOqFX_w
zru#b`l1}d?DDL^E<;(5S>EB=7pEQ&^ww~fy9G>R`?BjjSumC&sC<ZO%&Vn}=&K6mZ
zGKUA2&!vFnH>I}l+-g=b6}q4+Z973?BFm=h6dj#9*GmnqUT(xb-E%71qjX++ML@bX
ztur9}_)Q>H)JHO1{_cdD2i&V}|9DP;rNbx#?m3Wo)$a&wd;y^CB0>&p>~KbLaSqe~
zT+(uV001%~=&#(o=1Dy*3^1xy7#p%{S@Zf4daStANiT%|6h%KXW}%ua+Iw5dF@9A<
z%h8urbt;e7zPhh0b4|g+gxHUfW;CX&uB>?8r~iF(=mVX4o7RJ$mOf1OS)^*4d((pt
ztLGmX|J;Jq&-9n^DuA>~aR}W(2h(fyqP2Mi_C;Ie4Yi#%c1#kB4_7h3H4nDkNf!JH
zBJE2Q)`UMmtkxN*yJzk<M0-qIC8GBlBD+eeF%?X`=8fYv(>d^}tO_tn6q?@J<hMlv
zTHu(l$zFpe5ps2Mb2atRPRqN9OQCc(3YC$s`&k>(k5^Jm`3?K35jl<>&_vVyTPKG7
z;_D1u)HHw<ptk)*t8Y_5(^#?n%E;d$?X}Z^dM1DQ!&5JKcRZ*(=?F`*{J>Q2NlF(?
zJy+3~m}!B#w^LU4@M($3kpFvTeUowc!R^Vz<1O1gpPFG0x)RL*Qyhg-iv|%>l|64h
z#>Lt-pW%~*rhvrx{U8~Y20!bsD@)YSZ{r3{va5H*Ydn`<XRNh~WdvsU`dar4ux(x1
z*fC4X__uyLm|Hs^^g#JItcuZ(OY4Qtj?-T?)`4xN4tz?8^`Go^zR&df?0vb=P>|8O
zb^l6$^!Yl&sz1ji(3VpSom-R5Ls<f(z7x)ys+|dx-|6&y#6&zJ#I2gj{+Wt;T&tz~
zqkc?$`O~-u)_tWw&BtHCj-ekR^&9RSM6(m<j=|3(NV4waz8onLF8aDK(*Tef2KZ;h
zwB@2(eyg2#<FaXnV5O5CA#X98$U|SPW4oVzNKz2ZYP~pS$HIDP{d&5<p;)0bNpOx8
ze|n_#O=|5e(_)7!boUZeXsU&f!G<ODNNMV);HigYTay3y9Pic3<#f*Z-jxSF%=ogf
z%=Qs_;)#`C9Tx*%yFW+Ku=BQmR%z}l`-zldFC*vqang7cymCKNmVt*Xkc9N>uzw=k
zuCm2I%M>1S6?9N}VR6mP05Fo4QB2rV*%w2tM*OiccoE~KUb>k_U%LG#dekP&{3^Ej
zB{rE{NQX{Vdw+P@tDZeOncJ2`e{33CtysGlyz2KWjl9S|dZMY=9Aje?dZbpOZ{ogY
zNDCd@aNQl^S9ql&lXRB(A$0XiVBr2BepRN~y0v0pf-R89C?<Q}WbC!Lb$2Dxb@>lt
z7t8@a#!}t{4*_RBmXZwc?LRm=xH@8y$&|BliMxIKXVNHxilC9xql07nr?suRcT{{?
zTh8|co`O~K{z!R$cheJaC$*G13T4zPpK`}!wP#ddl*rnae{Q?+Co%9T)On&Ori;+U
ziMge8fqS6G?`Y>jgR(?@C{WgQ<6=+JM5xTcSBO+LR`vFiK#lEQd}gN8JFAlr|E1Ww
zfqtFgB};)uHJ)j&V`?`WzIY!LXP-UvUWi0Ei<%r*G;y}qoTJ!<qR+lYQ3PseW?V9!
z&PBrz^mWU(m>&u+I@x#l`yI6yy`3KB{mktD{E&;WWfM1A|Lau%y5{p&`?Snn3yo&6
z#gp>6*D>eQDzf3TN%gd{DKhrL8x1MaSK7O&G7rtAjv~$`oF8+DHoBkqE{uc<S=I?=
zeq0eBmI0U5^LeyVHBYR1)bG{~v-fMv6pd`idy5~Zss<`p8Ir#L!Gq2WFqz+AICXSB
zjJbQ%=|h}EcIT|&#W+WX*}7C>1J~P}zTkGRZ>`y;kakR)?4T3XER%ytvbkHESD7T+
zxfgG@?(BJ0Et|ye&J{i#r!`>-%`!WEc!zwBKGm?x>h&~}mn_#+?5}rn+jC!lJAY9R
zF_T2@%hZ~D8oipEO}SFh$~!r|#LcbTF8OoT5{jt&8e8d9nHv$r`pG7GQXr(Xv{bru
zW_Z|ZS$*L9%<1eI{&I|yZnIBL4qH{_`bhBn&iT&kU%FN=trQeqT0KIyI6aE!Pdr|J
z8`!5%;>2o$;es1f7m`V(uVDtgXper%jinN=pktKP?A@z^CkrW(-BB^m$J?>)pZnU`
zK_d|~6oejXJlZn|SI=mih1GrFsQl7|*OKaJ6uQsOE!Y@5xV`@tXirN<Lj)pik-1ur
zoA@kynU?0iTEJqN)p!srE8cvyI@QX-t}Om)GJ`DkAgJ_7(PSI*drnI87nWEmy>@4Y
z3J$En`%B}pD_E}%&uN$l5du?W-YNSh`oNQqJ>tsde3PRIN&DwL#H{LO&$hZ-t?1_J
zH{^3V@*H$RvE|382|<yv(qA{y1J5VCCd4J4*R3(1dzgxni)H7vhCMR`A^S}lHe;{o
zgiK;HoBj-Z18yHplg)E-3!V6=>brwHd|dt{y}xi09Ztn8X-d(H(u5Yz)O>HopR;6<
z@%|H6&lJo_Sd89oym;ik7-Ij~ZDIyrWA6xUs27|MWJC$p=N^u<tevktI&Il3i;EQ0
zM#09#a%)8?5N?*6e!Cfd0Vzka-m6#Q75tdyy*8g-O=&YuJl+%G28~`egzHN6mSK`s
zQx}6dkm8QTq{r0`Cd6X{a>4nSrLh{=`lLBdbAcaQKTpu8h|}jR=o^{3e6XlBt6BS#
z#S)w!z$$FPrb4M5NQ~ZuK$#x8aGtf1I(n2j*86p|mtVdoMx3Dis@@EZo=Wepek(co
zrC%QBk?<-H2e$ZTtGD6SKzi%im~@hf7uLiUK3(~&!=zV+RCD23_Sj(a#q`pYY1C>u
z0DPHv{9|Qxwm1@7G$GC8YCUULhA6{~P>A%@L+D3E*!X+4$|xKd`l0{Ure9p;k)uCM
zh#S-5=*5gahdsxf>ey<d+#o-1aQ<Qa)tb|VOqTP;TBbRcyp3!-+l6FdD?D)g_~HZ|
zcTx{t1do1g+}GbaP$EC_sqsV61jdbe$=#0O`Nsajni6s$x1x0BDO=~Xerd*m)TO@o
zMs_uyG~RH!Re2WKU$Y47&st2W^*cY1YB4(nx`axXvxrCGjIFszoF9D?me^Q(;l+~h
zyv9POI`L4yJ8zp2{Y_Jp4_*yNRc@2bu%Ktk7c{d*_apn2>JWV`h{K^3JA=(aoEf^f
zfHDx0TG(nxvkf?F{C3_Yb;Pxv*_(`A6gCFv(-I*r-u9mc1g<P}Uz!#={A{q3m5=D$
zTPF*=^m{s|IW>E{LmVjB)mUWmjFhzugIxa}-1<Z)qQqJVdGLdyLgcRU@Kl|Z#^ny;
ziO;$;>AU$NW`U9~@0fqQ95697n6`o1V>{*hbqty|lBItS1FD#`u~f)f<2j?qZJ#f>
zk}XOq2)He`#e^Sy)Xv6#u~{Bq6_=lir)KChK5L-_&|PX7FZ)GDie=Kbx}#}qe}L_~
z*|f+ND|xlQF3uB4)RE5VtWRA^3|N+v*sGf9`mK)702RH#=+)1GyIInMq-AZo{czql
z;uwQ1O1_<K8ljX45xc?}t;UQyYtx++az?c*-_H!ajk%Bqr&JP;^%}J8T1yB(H8nEa
zrV1aPd#bu*@l!&SN40Sv)A%%`xtJAW57+UkX4LQMrWVVWD@}JfJnG6Xc@2)c*F+1f
z2~?@z&3JH)6%Ufb@Z&noEnm*6Kd)B}C%1A$+K<K&bD3nXhj|qSyoj<15#=o>RY_dz
z3TXLMgS-J_?n;jPBeTC7QaAf^Jj}ITV5#_PP65~M7;29_XHX>=B21Kf>F*~8r1!f`
zN)Q|8qK5V;@s!7j=f+o3ZFD-6U!Sk*D5u28D!O)FkyFa+g#ol`aoNZ$I2>xF9p%)@
zw&$4+??|0(Jo}d5o>nKGFcOh_se1lAfY+`jjrWb8@j<=`yRw&R{!ZAG9!GNIv95dC
z8>G_fnFa0c>?8L;QuZGAegQ1)_~mS>)fek|vBQ=bZ}gR+wvE2A1Yv3Y#s2#CjfM&$
z!{NmtQpTbgXwLlQ8cImJqIwVRXB-VsbQ=#3n(^!dh~_u7qACp`$U$*DAr9Jf8F?iY
zFc+&cbefoL5f98-bujd|AG?Cu-o~o`H{?#U5qc$j(#tP5FZman#M|}RAS7l74aPi?
z3mS_E5$Nq=s}CiNjMI(!lrP9j$$jUCvgax~hx(zsSq)WK{*zYbH)xfD02d)cb&7|)
zgo(tUqv)07=K=Km<Bom!0@=n|IPd1hL#joXEH=lFvj7A__!IlBH`bE2)p1~!>RJp1
zv9jvF?Za~7t79#-l%Xe2!c_Fusw4c4iGAVAKl6&K_6G>r-ybyK%}II{8(Q08t89M6
ziNpo-uj$A`I~^!pj~2L<)<%>lyz-|F`M{rXVSSq3rO%QlJ-9};0O9h)$j&665-p#X
zp)q#5(uP(3OFo+pD89f2B~^z5n|!=Ey>*xvuom_?x>A)86qx17J5rpg2J_TQz^WP7
zZwx3N54bo^QqFS1Qek_-`@YypxAz-NY4nM5_Nqv<B`+o9MTefUuX1|6Hiu%JjbQ?P
zwxw`zzFW5Fp8|Bcv97zS0PZV?aU2-z^Ydmte`D<*9WnB2`I_z~W_%`9sCW=@Sg}i&
z{N1UFJj>Lfoj;1XA5oMrzS}wC4(hp^38GKm#tjUp+-d$u3DGGO`fBx~_i5M1u^8<P
z{<By9>LrpuW<+nS2_-*F|F;WIWod1zA3$TR@L~_IZCUzihq(>fjOIzS1J1R4d9S~7
z9#IlZ1-Zi5Bmzl4rjth)mlS@oLD`j02%Y)bfZwW=782ab@?9DF0VnyBSTH~Q(|9JY
za!Hr?8?&SimP#?$D(trd@}A#T<+&K6^J<;;hEf;g&C}bMmRK7*kt*NNTzF)YzK<RC
zp~aWF2F-#cFSM=Fl+$z>(lkoy(f4?fJ^j{FSiN>!`AAU?nos??>4(hrK3kjTe4K)u
z$ga;?d9s{HT9AQGUApB5*azf#97=n=fDlA#*T9Pu4bojqV0qst*JE||VlDjzhba$I
z7xGA~3d(~VIV=vY%@^n#)bHB#h3gKURs4GY>9);$QRXEP;sHYu(Ii<T{_NReS{`c1
zA8zAM+F$d17Q1k7TzCH~hkD|v8W(c@RHx!iwXY$Ze)RNC?CwQHdCTN#9!fd#VYZ|)
ztj*|v9z4$bNP!BXyaX~F$f2+|&jF^=a?~RuVcENZZ#S19=-=?_A<b$3_TZBjo>Y+a
zv|@B^>n@m?SFd*F_(Bt!pTp_Vmy9r73b?IIcqe~vbark`8(J*HQ>tFh&xFiQ_Ay?Z
z$zVyaaAImSZg`b~YH&I0eT0jAb+J%rKOPpas!WL3Y`n!iu496j^g3vjXu7=I9N3UG
ze{`tT@Ri}QF(zvnxqdEi)kRpHoeq?AA6w7wry#>0L*J)7wg}TmJY9I=$2L1KuXah#
zuS-|yzGq@-Jusc9DAFFeH5hU1GdplZ4n=i(PDR`1sJ1b4e%wl~A}QH^1#0sA^m5T!
z$#cTDxNV{o2NobKWXSc=V)xbCcs)r)WnL|lvbrF*J2h5VCE|=r$N*x{r~?0F_<DjZ
zeIJrW@fPn=PLZrZM;0sw7dEsknR<_v9HLyxYp5<lU>KzVXiS(XY&*Jd)oMCa1;cRB
zjl4)|4~QOYQp_JzL`6#kiVlg!FU>~rrFQn=c}TVvAJLR*sdP)vx;mE|s#(d`G<JfM
zBq!B^^KDx8crpkBcFGnK>W;Sx1D$?mouR+>LZGAT82O)V#ggW~K2Yhap_Y-y4YPd-
zh=+!!R%cGO))mKto_bVD=-1T2h1*%)Y{8ne;aDX__nLA{)sEr)hD4**L-(Z)?>JCG
z;&J7>vkgs(_vZjjYf@W=bGxn7PRprGFiAti%_9LIXlm}J4g_Ns2R!&tC)hI$gH_t%
zca!nEd>q(CU83Q5z`LSR7JJ$Ul=Z%WGxm*qqo_%pI7sDojzBpJ=-s<Xtt+iBr(Ly7
zPU87|wUiLpd?7taFAnU~$LyJV70R%Zt@(0Me`U#|p-uORe0fUH@KKvlS?uhC{9`t!
z_xch17#%e8>$sGV=OyAe;JL?RIN+2z<P#4bWZT<raFMtcO$s!$UDr-G!cOHNpX{AV
zzZ|6YGW4_@U9wR%SsY<66*_~I0g|C!+@I$!q92Jw4TU<scs81>r1avhuytpHT7!)&
zrvM^T@dHYG2JT3JSa|Z{=r-f~aID^(b2w`-6)}kP*<_-Au>nCeOs6`Tro5aDDH`Vc
zAOTkPR7rC*MJxC$m>dExvB2&JcbD25^sc8W5h8TqU=UJ!O<88N%Ctx(v5Z<_M3({r
zkIeJGW3zmgDh0I6e(_>Qmnf4k$#}9MXGs~YZBl$cSdZiGYk{KZ&w$tqC8+Uupo7>V
zEKXTzGa%@leB#RIh(BsndFn_@50`{0`-^<j=0fUXgU|+C^zcuUIsl5q11p<C4T4C}
zsK&T+;!>&Lr^%wxO7PK-mo)FJ@2Zws*#0U0XnNNL!iD_!GG#W4LZ<S0uWE|8EU)v{
z>w`LhV9sj9X#QSEH`)k2r~5InrF|2hSJowx>WiN-&b-Rjm&zzqC5z|FJ`+<u<e$@M
z9n5wE0-cRDgS&K)4@H_imJfErl(~z9Y+Om7-I^!z0W2{&W73zwVF<gYP%$z~DH=%H
z=k4<Rp1R4$84;nCSX+FLO&Nmq0+D0wuWx%;V5#7~S6R|*#*34ePz&&IboB%JvIXmb
zG0em~|NMUNiZPAIIP`~>1%q{}P97u$xa;A<fB@82O;=b9zMCF~Y{jyV;QwJ%olc6i
zu))EJtX50FjS8Tbt*9s%&+#=>0uEG}!l-w|8^d9PQ2+}n7yC_OZHQ30;{Pibz^4>g
z1R;fbzo2hcG@h~16-Iq<M<T?%M2$|=({Jv-N~-`}lm4=2@^|zp%H+(doOg53uCcT8
zf-~5V5Mh|7=JIT=M{H_RQhz`hI^pv`i}j;9h+*%e(1A&2l<iqwz`-9JaMmY!f?!V3
z#~;!w(HCTN+p|K(V3F-`5tXriAN$~Zz;m>vXGH;N3>}%>A^=&0^Be8drmYPtGd}+r
zdndF*&iL-Ne*LxN3pet;t^)yLKKNB3RxjRfutY8+RxfkMT;qwsnkzWM1iL~vCa=<b
z+G4{NtZc89nvs99Ha=j;&^w(;36aO$Yj&RmC#Xm9RE^g<%IZQ`AH7;IrGmhnbij|!
zZ3z(Gus+>gzYDopU@Bty{>mndTojE0$dU0^UBV_;R^9&FUnEE`#)c-zA=v!LQ?Afs
z;gd^7zc{jF6cKwRN15v6+u~1LNOvaK=z8UIR;63b;;sja=Pe99iQeKJfX<}EHHz=Y
zj5C&bs#>qN@oCfDHtzQuCV88~CoF@1h@uLk>d2Z<cC@0{oJcuc9n~7{=$G8@*eelE
z;Z;<$grLz+@V=kEaQDXU^`k4p)R*$XOJ!A&I!44Gi^{Yohr3>ZrNoORUzq?ILWJQG
zR>vTUMf`A-3aeMc!h{7R<kjibco(_+-E2?-8+`An$-AiPaXYIF6(SH*RmU?s6Vk0$
zLCFk1=x8hg!B{G7Jm?lYYIq5?V!DCd&rW`?gbj#Er8+Kblvf9?E`bXpDw_He<}&hg
z7$9xUc=fw{Y{N<06x8HAUc1#`<aWJ52Vg*wer%i6-TW@+UD~pl6Tn_j7aadAbUi$V
zSt>tUkP53LeS>8rN=PNvoek+eGqQePTD2vx(DYXTEASrp>BYcRv+c4JutdG=T6&%&
z4Y6)dme}OcskJGFit_aUdvT#Th@<ShJdB`gZV1oupM=Ac>+HiJ1~NKTECo360<yho
zpdmQ3vGK<G8Ucc0Kov?@QeSJkaS7|4E!WW8ZOG!tF@{cnf|Z}XwzBbEeu`F!o{Y6O
z;lu^A@=j7f<OW1fKzYxZuSrU-A5`btk4vi!FT{a8a9K9Iq%ZGJo~zEp>#$;D?=1Dz
zG9ir>b&i;u)5|JV|6oS@goYR-<UCtHC7L#?tzR@cv;ixho!*&UKm8sa)uBwY2v#GN
zCND7^8>WVsFTkYL*m|CQSpQ!1QsGW;K01+-wk-E!8(4nYh!B+4sTo!W9IZ{pXM5d`
zd{zCqO*K5s=1*VFP(#)kqg)B*0w)L=qa}5AebAwB3JAmZ?zK>^&%g@ETi75cB2n6T
z(ehMV#RCd-E#)?h_A3w6NP_jGXH@QI%L0Nrn1=3)gz$)3Fz3U387&Sq>Iq6(9Eo77
zdG0NIIIeYP;kc78d*BQk((Z%MM%vg1oHbpj?G(7=dDvjP0ZDtxLG3HqA7a6r%;WiC
zL&KAs++6X2`-=lIaESo3@$fQ<vnji*;zJ!fpV5%vlObvOgjf=VU@_aC^zb6yr(!|^
zoPL)%VwYm0Mn<)+Zo`$SOQS<rPbYLakklrH5w(+Elc5D6yYYtlWusgfb!WenhF8Q0
z5N{Ab4Re|?UpZUr!cytGkeAZc<FE!60`!IFq}sa>j2pS(f*Vn?@&tM}cQQ|0)1Lu2
zXaY+LbBcJStNEkkv3W=t4v?j9w>;mpCA;YC=OChXv>iA`JK`UlEJm}q3V(W{)l^0Z
z%4b~<-t8?9+{ISEI4v&{IFmOi&zG5c*;chm|LwNCL`JJSx8Gjl<Wm>W1H4CAB{CLi
zcr13<N<38L%83zHX?a=lUB$4j!Gt9L4ECCg{tqwl{{Y%?bw)ms?VPA4+3<`c4MdLj
zwRp*>m+VE~=f*dQrx`?_HbiK$?`s0aYOc866i>dEmgZzxUu_CsQ5GV22~S%5SdSz6
zS^1>=ie@)-UV;<(vd<v(NM|aJO3MgF2&!=C&VJ2!`p!a-Nq)2F(t+(4Y~ynU!DDDm
z*GqSuv-JlYWNnh#fI^s)iU?}N>rbuNLN=ChBC6F!pR5<4hE($=%Z4U6KpwI>72Z?$
zGsHS#NDfa9IEOAr3^jeuS!2HI8h*&}zFx#E-iGqRSinz7@nKWI4}mafmDV8L5A_*W
zSLPk@lr0SuvRQ6-Bmy-a!SB`8mbx{%FLfzjJR9mO!=CZt<QfULGoz_Js+zz<54dkm
zxY+n8xe1h?g$tB>n$&pO4_kYfK}Q$A57R<ugG;wR>s+2^?hY`6JIpS6iRv}7>K_Qf
z9eXpKdnYdpFQh?>rX0vOLzJb08H-6}WDXks-(}7uG%gokvSez3kg!^Ar2A&zf~IoA
z7E5Z_54*3$t!l~l`OU_1TqXD%=qcU+CphLcuS<iF@3ojBOA2{`+J!9c<KP4uR#M>5
zzlie84+(IQcKfYxXt7h$OegNhnuq!JrIAW0UB6t>7q>@#iFpxhby0SnYv`G>fJm5q
zs?s3f(5$X|a5$VCrg>($CeyXz=v-~H*09(>Ojq8=?0=RNzBEc}M^%zGT8yHM*Wr5p
z<|X-`a1=cMb6>CH%$ZvI;pQ~Iq*JX*1wBu2ehcD@=5!LLNHoyNq))DBi8HQklP3zA
z(a7u`0I>Ye6+8`Ed8-;1K!ACg7&X{5kue;rJnO_ZzyaGI?3A6E{FD`H_A9SMQLb10
z{%*@v#Ze3%-8l15f%bV&KqyaKWHoV0?8Mf*qh8(}@d9p_|Lq%p=j>L7dchtq6B>LG
zVDmhLNz%2<Ony41Q?Rmki|KAWb`&&<J>ire$&vi08|&$Z2EDVWSc8zA!d1WT#C+V{
zqM?p;O_wm9=xsFDR`d{YBR^8%kw~!Emqb$Uot?9Seg1lmNEQXfn2dWfX2iRdr@IRC
zwyQh4iBWZospRr={=ntrr(;(Kaw>B7^%med!TBkC3)}SmhkazN-wWzi(wryaST6eo
z&W>K;gw0R@y7XgH%z3yXF717|+5Eae_S@ciK}jVFNrq4S@$lBEk;jUm%~o6bPNW6l
zjhJo|d)cV_ck?5FTQbE@C(h?Twy_<^msT?}^_nLQeM))LpjXsF6>OCw@4&j2tJ?tU
z{uQfN%wuTk@MH5r|Fj@ykmKWgb%W!l1HRGDp@+$hP^+hsmilK7tVmULWl`l8kZHs0
z#kx%Mf<sB4Uay+}^Fdr?MMOiHW&9XL=}T&mMblIuQ}6xp*kNlyJ4)Ig^vY9u)T@7d
zdgJdSqX-fnKq_;_BqS#kq*gPt&nkz`+|794oPdvhN~4db?$r`kppbh0b|(*!?s)8E
z;SAQQUh-;=4u?&RM!ckaWsOmrYkcF?2E)+Fx+P<(v}SR7ZENY|GY3RK4dT*-p)mCp
z3A-<zyd*EDd-2(9rnuXai}Qk{#IJk34Ye8K7B5~fmB63t@~XK^!22#6-suo6Fz5sK
z5S?W^!U9_+{#>EOR&uPu9~ATYcx=p;e~^pd@1Oyk7A~W1Sj6;b<ERo-Hd@GlNChh7
zg@ziGl$KoWham9fOFuzTkI4JGQIaF*I;(EXMe;o&Kw$GfHb#F$$vwYYMh+nW;m`u?
z2my}XFP(|m2S)j{v7Qv01Z*8Ndp9St9P}Tsu}>5bk{--pK;VD5Ti$UesbJgM=ouyO
zFK}*Sb<kiDyM&?SpkJWm{{~|RPz<~NkF}f}@|7Ql7K<1!5oNA<ivaZaTIu}fPXG<T
zG6PKXYu6fp-d`UZE&&Mmz*>&+57=J?;Tj#_7hH_%Spb3r!v}cadJ2FBixJdxBV7JY
z@h<ZEmpUw9VBis-zj*x5S1sPS^KgZVQ0CBEz?j#-<^MNcz)-*&D+z<cny>&f664yR
zaBYv=NVC7V-e7i(*!A50h1dIQEdB$pFU0J~+sW9#Tmh8-0sdzaaQp8@)qF-xubzs(
z>hNB~!kAxAx$kk>^y=Fl=|moHRo1CB8Iz3QRGo*0=jzw6S5vVPRlnJ}UDf}Y-d_@h
zeBnT5Za+bf&t1A5_L^OpiTiC0g^wS#`f#1?CS85leCT`{_MVuEYv8-M<3z%ylzSJ`
z*~A~Ti4$;x?W=F$B#cw&0pD*Pdr~Zc8UAMrtyXT!<&U>m%Rcq5xow}F4Q8{iWUa6C
zC)e=!oj10g4u~Hxtl$81DN(1t|N7P8p!J;9-1((hRf-#o4fc1A0FeO43j<FudM!!z
zbX@ji{_PV1x`ICA<eAG=t#*{yVxjCsd0F7{G2!t3Cd;F9@pya}+yPB!^CL_5!%?TJ
zZ-HBl5;Ev{--`l?$_lCi7xn8^T2I!u27PVanEM%s_2o^I93YW^O$#i>=wm`er^>js
z{_NQUBc!*Q#`YE5que^F-2Y<?y+qBXhxLF_=Ed>;)lPT0P0?qe8CMGH!bjY5Et&p@
zX|l&hZ5{`YE549Amd~6gw)(g?%w0zj`pp^=Vi=_8C-(2;x=UmzMrwBGZ4)Ad7YZAI
z>)H;N2Z_UaK}Pl80t>dngh=T-eQslL-~tE1fMUZC^MI+b?GBp~|BDhHi^Wlt%dgVU
zGgY1V6A{7*A5{Ov&j14%lYT_`njWtuT`e7%X{l|NogoE_9H&q2`&s>5UAzyRXAZ}H
zKO+cFgy71!&*qzcLKb5!c|!MQsUSwCvcEnbU2eV&>-{tBCK}f=e}{x*?&4Ttu1lwI
zK+zbDaqTf}?e;Z<-nG7oYho<|Z0i$-Vt`$n$CntgFV9O7$Dcx<C_{^3^f~h<)DS<D
zj(pg|z@=L&7{O?{Jfg!UlwAMy=DpeAW6=U-3iUf^T$M3P75%2=;Rk>-k|U^~ks6*8
zvO)!f!(pXAlLZVL1R13rmC=S;RMy7?MOOS0r<)rpEk;=OTOo-j*ylSRsPJ^5#U{Gs
z4GE%(b1jb2fm^WFu`w6*RLSno8I#V7$x0?0Dw1zEx8hE}=5TIQE|rM;P3-Tz4^9Z2
z<o1Wf`os9sr?PYhz+z=^BE;SHu49=`?lnHd`nP_PcnQ^8WJo)uT%{YhC7sw8^!Nfk
z{_o2|h8Y4zHQ%mE43rw{&2$R-dSPQ{Ic1+O2@n-!LcE<mo$CTE0;9DWDp1=3Isbx5
zrSAJZCi<Jzp@$yJe>x`~j4MXNe5_V&yaEkB2pCk{P5ZSKTzoV-=N?-)V61y`Cn<Yh
zdamzz$pS;f<pkh>Yssq}+|@{{|FpTF?@-m*J9g&q4lvaCy9@X0oxd5*1&FMGc0ERW
zIuh|{0CbL4{Wt>5%KK6qryZQCTA53p7Xb4**{-1}`Fy&-xY;7nz=<?<?Y20}wJ#qN
zDk0`AE%((-DCkFb&&JjbUHBFF$?Q7(R%Re^8HXm$ues5VO_`sZzWV+~pTGA*(lk0h
zK<wMa*ZcuNL&v@9`U&kB{An+>M1OdQ%&^n2G(YL6bX}XIq&T1}Zg}Ufg3m$n85<9h
zN)c$`IkSJWb*6r>n0H4aGorkHBw6-y=}MHEyVd`S|B4j|Hv%#6Ofru4an78B)6jv|
zBeDs)^69>S%ayA%V=&pUq2Rf(z*%Mqiyl`cxO56Oo<($WcyzUFPpYI$O=Cg_#K;gF
zy02O#9Hz!yeIk=82XtfTjK=Wn8Ei_Y>iEwtS+3fzF4DLIx2WFEjZT_`X6(52r?-Bf
z^J3Y`3t4~Pxv~}NXJ)m)-N!Sn|1GWVqB^F;(TH84hP$#Y;M0XxbA{~X@LbxdHjn&M
z)2SxzEOOSx#;i-2Lx6vv>pVsumI0Uf)o#}1XYSZ^9qDS_R;@D@N!Po)eX;3vf071U
zOSRSLgr+nb3%WG;H;LcIruX94QewhO3%+5rSzYd|TxB%3?DqwbrI$JZ{H0zy$rSh~
zVYZy*Y92q(s%m?tZeL!9Md!@aWyP?2a!V#m+iCd^=R~0+Tg35Cjd}(*O5sfc1ZkR=
zb?fQ;k=o`(qwKlBRKtR1du6<q{EA{$xs`5rnN5n<>{Z?iKdQp-d*g9qG3ER<b0cf}
z@eaE{DDs<*s($HA>KtRhS$kk_(#iQC%Y{89>xSu6ivNCltN66gfLTid@dqG_@7SZ=
z|9G@K@L;7i;WGERZcS*v*R+DuAL&dXujTW;^GVR;*utrFpJkb)-h@Xb|IYw^(H~P4
zXU{L`@2>ApdFGYpGocSOGo(zS*N0!2jbCYGHZONNac^?l?kF8F={L4s_=$J>U!^3k
zZH&`ZD(NhX9xNE1x@2_>lGN=!9D9c{l;8~H5casW&{Evuwwuvt3ZAG`*+9=mL7E-?
z+H2p&rGLzL;3jbPJML<t8WC$WC&o*W|Nq*$@^~n}?_Y{6X|aY%NeN>qOGQYT%9gA%
z)=_q2NVdZ85n4#f8bV>RjAbli-x4XZ8)MCqCCgB<WEp<<8Ev1>@7o`}#(19loOABE
z_n!AT@AGgq5lgmcQy2p9@dKGp$=Q1Bp(r+5X=NA{d&1zH_x$ZFGt(s7Rnl~#^neqI
z3z4Jr{=RC$mFaSiX{oA@UGWdrD|D7MjGZ!7@{PwEy!cnDJZ2TfYf0rZ8#$Gj?u|L$
zjk(#wu9A0mSFOFRA}8z;bn++bvo{BoshbRJE)<1K^phsMvE;ZwjFj`#%*?w7sL_^F
z?l0yBH)<MBHhHI!U!!G749+qq<UQwu<Wo1>TqV4|cf)^WJnl`Xo3mywoPZ~tUoDjV
zXLWqd_nZG^)(Z=gIlD$s)K#HP&r~|~zK-gN=6aOPveHUc-%^a?aK5L@#s%#1oA8;h
z-_$pbeqty>`B3vWBc(sta2glx62W{ITfT67X1ghTOh&SO=3&j@Pl7x%GE4*!3NUT&
zj+CTgS;xNVU4rn&W|uam-a>}pLf^zv<%ihu^*Vgq&ZwOsmMs$~>Zvlf<ug53W?vO$
zRLe~rZgtb>?dk~@5%=v4-skmYy_dCD&}D?$xvhI=xHUqrFTUcI)aH4Li+r0_*WM=y
z#Uo=+Yjy2?r5|c=rWC#T+O*e~vJCf^j7NBN%L)rhcehR3=Oj^kCK+;#F0&P+4fd~m
zL2sTDN#NVle0*cXHq)IxYV~1~te{oEqVuAS7Y5JgYMAoT|3OtFOF-h;@7dADyn1Rn
zw)|zs33_SevUgVc4=o$|I!d4Ndo-w*@-zwVv)Zxwae1?Q(jy=64J;?b2bXr-nzo^E
zeJVto=&1IQS33VuUBkUeG6n0=vpcF<r>d)@+zo-93`3323Te$(raU}oY(U9$xpB{o
zVmUGKxy5H9y6xN4oY3GVIo9<SIabW2cG06RN}xAWLGZfkV4v65f<7|e3Wyn$!Mk?^
z{BVWWQEfxWwHz-e7@<H(?($-&|AUs5N;G*sy=brz#9(oQT8kU!5C@Frn^97Zd=##i
z<ciMK&?nOc^5XHwn4}IxZ_I*xMpf=o!RJ<=UbKjSnM_8jWpZKi=JXFYYQH<V)O0!Z
z9u-uOy4vnW?{0HTTdSk2h0;y-`!q})7CM|MF)c^-=zn#LyJ9`!f?<g@I=ouWdp$4u
zTo~`vuDw;O^$dPEi?ji$&DqLS{vQ_Q3(ZvTyl45`jxrw-MahcU*j+x057y;3Mo48V
z*c>iHq_O*_8hzr@ULU>IP0EXtr43Psrbib6>7#jVd8LuRbnR`=On17+ydwU4?kv$X
zkPbcfMrwoS(w93RaitYPhgSjbSiCE<xtln7)T7xI^IW6j)Vt~D#T)&U<w+M}VJq5R
zt0J2}0Kn~RJ5~P0XU5C+YrHJ5LuIq6tK!~`@lI5XQf%j}a$Fx5vUK)1jKu8_SE@9s
z^rYluo?c4V8MoY2sseTcyNOM8Z_ib{g&mkR%&l(s2*65od&(7+I;Hk<K=@-60I8Qk
z^j$-lEy?c>@U@CA9=|pXl1-bv%c8g9K%VyEUYwM*nB((TEwwR^SXCe0cP)KoF`ouw
z3Sn3oNs64|?vj}<5(1DdEpCIu8PTh8;OL3mBviy&+(lcuX}r_M41dt)rE~#;-~oQ`
zB~#tnh~8?3I^ODcZWTVRH5c}_^A*k5$r(J_nU%`3ua6Vy<J*4(Gx|kUGpsWp(E4*Q
z*>`T-Mswn_zmkHj@pi12X}XoW;#(iin-l7jem80p7UMV_TMy(UV|vap9Y>eZsY~sN
zg7ekQrSFX^59$~fERqWWB_tTD0ok#;EuzbE4$psoE}g$e#<Tm7*FnG2w-+phOsX2^
z_~RL2i!pkx!L>0=tVC^nK;hcoC~d0CHh<z|S^UMbuC-?+zODb$!<z6p?Gz4W*C)gD
zLp@w253RpU$FxV?gQc(5@}F#DcpGjBg*Bd-ejMI*qv3^RC7eT;H!WUTj{QYxs5C!9
zjFhWHhc^}u;59eyj7_>bvW&>?i3+x)g6ekXpmbVj&ZS5C6*+}s>hO@Zz0z{1-r3h#
zYq9P0#}(gc#r6miI`;~ia`te%W|=}UDFlCtJ!fP0b}3@YN*nIt|6csnw8vynh$fp|
z)9Rs>+|c>-FbZy8>`({xh#6`J?(L#i>S%8<lN6|k)q7F>TfVmtlnq3kb4z{ZI;rR<
z>Zurwfw*WEg~;QKgYvEmH+6o%JSN|{hlJqO(~;(OD7VmWYerh81soUIk@k%)*S_9Q
z4=f#@1I4Zr(E}wIgt=WDceYRWKJC|=gOv!hFWjrHufSGp;QRe24jM8qCIiY$`*N#e
z6@2ejRBhVm%72kcy@vXYB3t|D&|kTtyK+jGZW%^or$*qf(Hn@-kAiMoq3J3C(E-?E
zrO%iQQ&i(2k8ef=0Xp!6cd&qqZCBNvG3wfKh~Z+5shr55k0P*y!Hed0gwxqW&tdV}
zc_J?qv?pH>QIk$l33GXjsbEi{3fo(J5Dc~qf0>zQ3ithi@*D7X7ZJI(AN5Txr#THL
zD4ZerI4U27Up^$K`{OR3ETuWwq2_y+8Yl!TG~NMe$o;&YbFaf)cjzDN-5Du(ZHmf%
z?Z}EEMPP{6%tQMm@nl5~3!2exo8!$3+E)Rkg2_J#lbAhtY=k<M@~|xFn3!4$&~_rh
zVnrrg?QVgzcG<Yab}KNfBOC)5NINF=7M{WH3bzX!H|)GmDU4ZUfxGCZA6?7@M^n<H
zE+Z9P&vWeByxl_dQQ_Wd#9*?nWfC|ek~1bByK6l)!Rzd3SS9XM%VLd1-xRJhX*{Vf
zOAHCO85Dh7Ba)GCC0wU&Qc>f+vuhoWzRjfIxV}(Bi5vBq?j8dyh~>+d#Il3v-exo5
z_Pze3q@y%QQQ56}-LTYG&0N^XHNwk4EelPjPBw=<4yfdtd9V}rg?Nm>p&F@%iFhIP
z250N$h4rD9>9S>{Ig%KnOB30UOUGWVN~GWWnYBm|^^^Hwb4AxRJn&=m2R`;Q5a;A!
zy|!uY3#N{@BT3^?o;UXE%QET*8OaMff;qjh5SDb$p=zNu?JDkU7U7T|u?ffOCPJur
zpAw;$`?)LU+fpo!UDb?>)4#|iT5S-<jyz+!dZlN>_T}eYek_Q>{?{pStM^%9x;NFe
zC7k<2v)UO#Zm7g!uE>-IDe6u%=xEg}0m9DkKSYrE+g`*<r!VMngx=ubUAC@}yoIE%
zZn*lC0QJXH@^_twN6o=5Gyl?-2QFtcs_wfpD&Pr|^Wrq}-2%dVAU!or)iRPff#uAO
zl2#Z&P%5~K_@)$>@D3^XSjQv$bcXn`&n@C_r<eonqAN}k3_6e5EPTEkW1DYi<;Kq_
zbVSk*C!LezR+Uy%)t-Z&30HZ}v=?Pt#_Hz=n1Uac0kV2Q*73ai{`u%>H4+}@x7k{1
zTUs`#c}u(N#4_2bp9GF@-ndWUmcnZ<04=t2`UdqW2U5-7!NWiqj*MAnuG4(qKs5dy
z(HW&v%ewDGF|T`Xy-`ymRn^aJrI%WRd0y?=2N!+)iGNlA_njA|eRL62>n6R@F=`P#
zvifrw62y76!~2a2s-~isVC>A9F^j9OO0RXDyvcnRWQL%;+)FZj7lHf!vQiq3SgyVA
zxD_%41TtOh(Td23D4V^et8OT}$HK6{tMC+JLQ+Y2u`~VEzH`lvOt4FKQU=MYFG_AD
zTlnEn*FgcU-qiGQ9<{*r0u!TX7k}43BK97}uhYJG0)9b+QP1rt>s0B&uWkb=(Pa^*
z4z&z~CQ7Gd@#db*yH^!vI6NJ6qSfEyK#X;ptx+l|*IQ4b9B-Q`;1|hDa2FvgY(vwj
z_%q>BZQTigbD(xggdH9<%ZSrLDUb1hKP|uC%<6t+v8HsRaog#j**xs^2u)7FB1y5T
zl&A>D{us)g+k0cXg|FsiVQ=7}8SJ{p<*vwN+q3hYS7Xi;cyoX`Q*V<^<h-L>v(DU{
zylZb&j&w?f)cBY{+0EYmd^V)J1DilrROEW@T!bELX42veFGZamX7jyp2X^u%r_FG_
z4~72f2$sDmY-Z|`u*2zq*nTJR(aQQo3(}ePidK6?9%ns-sGpTKR^FXoOhLR!qnn%B
z4I}8WXPQ1cntQYDGaU16Xn6VVPN(w9*}&CrsxnKJ-s>*9&TD5g0BI!AJ2|kr*X66;
z@M#0BTT_o$FibG`9&Sv>YC%;M8Ko<BDp*efeI<_ZNVcEb<iHv$d(BDuDu=>9p}UO$
z;eN%fey^_~z8AEe=kvzo;sdYORR=TIM>pN(uxOK%wacZL{^9~$ue>$()<%S&ar1fi
zSE7~4Dje*h!cOtbuqMDV3FY@)GCeE<-f&^uYEXv0U+Zpj6c%|25U)4e6PM}F=#IQK
zH@E;Nr=zA0@+&$E3ljnu_?<;k;0_gYQ|T!>J4lDKo{U*j-zYtPJk5?oFz?C)Bjeq0
zMyF)=r8n^|>tdI(hfU)HB^N6Ns&4wpbiozI=WTx!&tD`hy6kUhK)7+$Bw1Z9wmsLk
z3pWJ#lWf_;yTgNI%a=c#Q4G9F#4&)f{SbnT=sA^>lRA#{`++oHky8}g8D)J`gC%nf
zr)}>3B!d~I>dC%Szhx3kaH)9KHAG`to@a*DNj|{r2<}>|#yv)`BW2Fz+iZTg5JVIr
zl((vuS7FJ+4a<(IB*~DunYz8VpW!z$9$glE+UdSzaiNT^QD+CLFRy5!7&fo@tY6rV
zNDX<5VF_tkL>Dr%`P@i}WG-4J)(uiC3?@{y)!}xJP7oTb*I9u1jNa*(f`}?MkYF2E
z=y;M45lg8;%P?J3mFEIw9rt#HW0~Q&xd*9-o`FD+midL)VX&c%w&c~ErBt=({Oz}d
z^7p+iOcfZ!?&x5OTt@6T#&=Q)?PtZ-*n9oeYCL1+Y1K|Ob0XViS;;89wn5&Z2|K+u
z4KM1ORX=Nrh;j2&FwC?~Xw88^k=npV=ID4F2&Yq*>61PZ_BBtouoszuYDbdM#$%;s
zCweqiNjtkDJ!|{q19u?!cDf4?YUEVe_7#>l>yiw+OT`E^CsjGWi}zJF%_8APYB8sa
zRC+by6(#t8+)uv&xQ@;7_U?goby-8}Ap1Etz2m*X1Y**+GDn^#j15VQ8TY(oZrCRp
zdrF)z2*{)-Bkx%`T<!yP!zS4;^qq^l#G;8D!;-wY@^pCZ-kCHq9IwgSnq6J`)Z4eC
zi@L~bHfZqabvJSOjyTaEr*Af3<+<h2B>>Q}gmMj*R-(ejkG;Alhd4oyexzP@(}Mc?
zh<;wkq63#P=Nm+pkmx(dlVVjG=9q!IUrP2N`ANRz^KH(@DK`dLbE{8BB$R;iM537^
z_7$vV_ph>mc{Q|;@~TD~HPmF)SY@8jIYV!7Hmz_~L!ZFN!0O|rY|a!sb6tBmRg7@a
zE{g5^l4!olQ<4-*G8`CdfnZwjG3`|Nntg1E;@FyjLPNcMJBQ}!r)<cJRk70wO-s04
z7}7JH2ISdr3uL#caC&+RlP(YDpI2@p+w%mKwcl9BQSnN2jd$+8w>=X~qIkC=^pCje
zng`~+%9Jc52$LJ93^|FaF)#ayi3XNGIwX7@40oUl;<h)X3_ffNk3AMNE`CVT&#G+?
z*q_7|#yckL$&^#kB7M^!yzweSe2g{DI$QMwAEkrMzZK`c_si?*hAQsL6_?4|;jce7
zPoD^^TUrw$w70*rE(n*-<Jq|;3izL9aayN`Z6@)6->KW!$jz-E>sgg1=?(V5nml(+
z4&O?gu02=fb)AJP=7CaU6)7%;&K2j0j#@^i4FxIR#R)TI-y-4|lWi+<Kc^l?n{$#F
zJ7z+-h_W@<M9|!|RmwT9?<ceSpn-|L+rA)X_db{%U_p#j#3d3VY&6+wA06P+OV8FO
zEzTf3aHk786p0U(h9jpQf+~HgQ^hOnqQ781*eg^eIhc5Y4ZQZ@nheFFle4!u714K{
zQCde2f6KUkrC&%;0&~GY_QQo|)p<UzV_-6bf;T9&=dqH)!LoXtk)#IZV?MGNJZ6m?
z>Z{82$PCGk1QeYt#0mZ|nTP#DHHGPhtqFnEryp@$*<D8rbJbMaBT|!N>Zh;g@r8d~
z`s?6{V_7<Mjh3lTWQYo4#)1Tmh&p0A*q_*61nE5WhQ$iE*jqJ)+FLCqRnNDNe?njb
zUy8!2^2P7j)7P@sb&(xDw16~tj3kMg9lwz^N6-E~!`HwBPtnP1aRWOH?%Aw=6q|{(
z1r!VoURg3V2yY;Pj*cAMtPc;!SiY+<xmmlGel=_T%08xGI@Q$AouT{T`TIn`8|^|?
zj}gq=*Q`e_Khx7EuhldyO!hfZ3N3Hk!I!O+vt*jCJ((c31_kw_lfpY;0ah4Ca*WTu
z-({scB6KWvoZPxahLa0l54X$|nSbErC*5pM18~*fN8w<w9;>*-o__Ni0Isv<^hpng
zIey!CXee%a!-T`m3j96gUUmIe=d`pE=B#=Fbzl6oFomH9GK2skTKn0OBO@&QjI-QJ
zYm@vmDO^k7Tvl3(XX>s+2;?R|bv3cC2TQ)mmS--scc|X;n-PvM+J;q*KTb-qL)Mdg
z^BzDMj|VEmXAJae)Yg*clES8Ue3J1UH`}=F{eNI_5=P2>cV6c{a&#AwZ{fpML{~0z
zOupW*noHf;MJbi`wm^M{xu~UTJmRl#bbFx@J2{9dDZS06nXy-<6`*l)v!A_d-81tb
z*HX|Jqi$1$K2E5$Zu-IbL6mhw^J>VV|7ZLC$c@-w`v<D40a#%!q(QCOgwo@W=^_At
zXBj-6!qoL$-|rgy@cQud9jX~P9ge(NUE~vI6^km8o4qxz5qCGoJ^l<=3Rz{F+ytP_
zC3<gQCpCigld1&Ubm=stIH$ZcYA10Nrc7#N-7|Yb!*BB|!CivE8CtP&MS0cpQk$eu
zT`3iN>JKWY%~=WcdsrTL1;!!1FRrw@Qg#(7>S`v~t5N!TG+Oa(7h-kxORjF*r=qk&
zq_&0pQ|_wfkBX++T6(YGgx}5Wbs1yQBa3jH<?<WL@i#YAZCzVrI?v!=%{x{Zt?^Rr
zLcO-Vdi)oXLR*08Ny2yuTJCrO2Qh0JAv|C&;e~xWuCTEy|Hrxj#P0)LY(7jdOa1*}
z2h@f$Sj{&h4$0poDLpQqU@-ASYNuRFh4+J~=&VuV{XT&}J(%$`xuAx;md9593=d*U
zT6J3V2*&&OT``RpfbX_V%=%LH>W!P&z>rejXUEs)H8(3V6s1t2ev#bV9yO};mHIZS
z`A1?+*n~`<`;^Zv8t?tCoV%onIexSo6hc~_rs)KPnsrEI1Ucj@Cq0oTni6v;Wz4Td
zS#NK~*_f~<_bJl1?2U*wcR-j6^J=ao`=rG1e5PuLq}(x;k7hIRL`}4JwUvmlBLyC3
zmQ0Rb=<&%IDig!=OmPh3uzH#@3K6O8WjB>yQgt$77-GVB<U)BlBAeK3*3!27w>#?T
zs@tK7%i=$j18VOJs1zuL9T7=5#PUdZG5s@V+gE7;g12Xs`nUW-ZOh(AQgha8d*i=N
zG^`Q?qu`>2fPum4P$<g^lDe|tv8r9;dgZRHuwZdLc~MV|IrLEaTJ58JGBbUYeW;<A
z=%MQqg4wBhCkO%7Pa<ZD(sofkfAUYo_Pzv(m3X#<mf-5V#hF!oKkor~{m*I>np8F4
z)OJ<3SwV{H9_fF&@=BW<f{O7@hQoJoigtba=;}$YH_cUw#`%qQN^as#gI=Sd%G4uK
zxE;cv6x4R-%(P78!b+)@t*<L}+LOEib51Hf<R@d<eO4kjOV%VSq-Dk3V9hAN;3Oe)
zHazsSE9TXhTTb+kw!)diFW8VL%#Pc-DY}~3=cjaiO8nA(n%{SsY$A*Iom^3FG#U^j
z#l@a;G7K;Ol2hHTF!9-w6(0Y6de-m)<%laa7RH;TdU9&o!4vB{s8N1xCS6Q=Iyopt
z6x%xGsW3;U?%=Alt(S;@pZ``!V(oLqw_)xLH>PU6{mWVMdsdf~ysv{Khqpc3wzY#z
zvJQ>c5{YM>T6Q?a!vS?4l;r8D+(^a@k(0!?0nc8cLLwb;50?GdkT?69&roy5(+wj8
z4Rq2&f;c)ZkPkDkvKtv#2utwJ3D7Gt`<N2-o*JyZro5=~7TV;LyPOYmytN~9R3n(3
z&xRZv9PM$*+>Yy_YOZ8#U6Q-|oRaqQjWqJ$En$Y?-Iw06N54y^RGxNl?W0qtUeM-C
zr}pR)l<X};1DtHPmCX(DBo?-VYH2*>Xhl$jUhhn@(`LJCf0(0{zZGkg^m9T>p7JCo
z_x9AQ@A3>8iP@UxoMs>_RMbn!XL_<vl@(Vg(`lcPy3VB<1VGqQWz$)%!DFt?!AVgW
zfbR5On(q!@m_m9X0Q6y(qL!kTj|)W#(qGxhex;U9{c1$u+P;=bvYNT!&M?)5JN(jL
z_uA-qo9#5n3UzF(O!M{eeiD`4f8awklUYgt=19p)cU?iFm};H1tFQ-&xzvy%k-5~>
zR}5dcsJuxr{K381#A@EQXW&r9`BeyBD^{}S$GFst8e#wyIfA6ZugQ6tlQ-=0x6FSO
z*&5*ffsNDOo%%Q0uW0tjgtH;p`>BihU%VXZrrs^UNjhOE1y?bb?rCCgjCA&>K59ex
z9l!tN;G7Mo1~D+3r^z7A?~=t-f6wbNH*wd4C(L*GSF@o_rJdKQNj7^2ggV8$B!o2M
z!*iqtu@9!#BptOrh%1~4prqS+gl`4`&NArd08Vj;1(u>GBsJA^tExs-(e4QDO?Aim
zjGcHOx`YLdDtGV?mvb@hO2~6PgDdS(M7zJuYq_2gB@kRdbzgQ`PvKD{*~ah@>`)KN
zII^SGCJsBED0$$49alMXebT@ykgjn_E3C1|Km4)2&4JDh@Q{~AWoQ(>z$>P@VYwbR
zS&*+3J9&+Q*Q<Fo%l$ngG0P?W&GV^=0;&8YYr~Eq<FHz#a>PMF^{|t4%G2rB^yLLE
z_$wbuZs&aK3ZtR|@zKQ;`=?nxu^B|%dsyO$$-<7o7$$k;dOTG({#8tV^a8%v+oaoU
z!X(K7bj>Te<yNhwOB-RdF5;#<*<cxzq(z;;p}zDFg3s{od0vzGXHf%};jPh`-9u}H
zcKgOC{od5<{idQ8@3b&;a?Vs#;;RVUwIy9@`=GDM8osK~E51;q^%IlGsG>{ZTDDP1
z4|yZFgCeKghWyTzJx@&QG_#1;u+@)Nr#e5<GEUH6aglzglaZ`=OyjOYbqf;FmuQu(
zh^tzP7(ZW~PYTQ*OE)EPO}Tt_4RttLX<bs->T%(jIUnqcm$q=!l$VH44u9&xs_3kb
zP22L@E1GJZJLBTSTqie6pDg-HY_Rw7&$TaMd&TFs$OT_i%#S9Se`ROMw9(WS{M1ox
zpCoLQlkwQwtPO@%bLQK9I%Ob+XM4ioV=qM{-hK}njcA%W|B{XsYS;$;k+PFZXU9II
zL~M1t#Jbvt>r-kb#lDh{@V5*u;_e+KK#X_MFIswCSzg2fcTVb+Ez-_=(L45ZEHT>|
zGr6_RCxdII{L|b&nsXv<OeI-g>2&a7gh4GN%nfIKS1u{_nVam;kmAVTO5psIC~3#A
zMPIsL@}^@y^5O0a<`uRe8((HucuLee>*7j!tl{p4{YbzvswD*naXKMhErs^OT4J?z
zHjQ$znnuGyH-3kB7tFUGAu!xecJy?|Mjft^DC61283VYJ;A;@1x7Nq9%CBbz$+Bd<
z^2({quP^(+_PZdz54laU`Z2FmPs<d%bBm_bY9IB^*~j`aRsC1hk!~l~w)2;^Xh_cV
zTCcX9hp1E#3O0vWSfCy5FB;R&?`R<ew~^UV1daRg`&-(T&<+jgQ(#zdH=yP~nJ^k1
zsT_I~SgXHTT(l4WzIlr+_1AY0ziNc}>B+Aj?=bn%|3f2OLF+xx95i5p1RJ7`q)wX&
zXk^-hX=R+~IzVRuKW}^glN<*9>WdxVr9sp!Xhf;6H6KJrnQ3>mL~q%1OSB_Xkk>JC
z{Czppa02B8vbT8}nb2Hji^>IVhrH*X1TMfe`WF`rnw@P55`gaZlS~E){c8*ZXpFz<
zU^G8nDEM0p$ZE8S_#?*_XOCtPXZqF-z@&o2qPZb7O|%a$Q-7(xMJ0N=1>`Ph1p{&%
zG$oL{zrE{!2o7um1Q!GRxPJ)_S$mtOnb}{;|8nx}3z;;*|3lED`y==-HXrTy{v-G(
z%`qUa0c@@R3jPy;0z3W`1YGkJ!N^6s7@~G<nH$pYC-rWdzs}!t^HV&C3HHZMU}k~I
zfHMD`7@B?zxc|<;Pbq*i-G!Kj&{bew-)}J!w}$<f7JmfW@<!UQf85TQ{=MiZWJ%iA
zWDZ38*Am%cPl8|mdDKI2J(#vX8vI_~z!<+>4w@>O!#FQy^4zNi3jSUXTN03xM;gGg
z0vjrHKV-Tsir|zgBpmH>pcnYfmUJYVbAcZ(m;s-s{RX-vgXUb|N1DySY;FyvPjfDy
z)lV0vZB5%A;%Td5YrR3dM%qK6l{7_Lh(8~?H5ARN_=ISn)7A~pf~DO6S!&AgFDd`r
z@aqX?|KW@N&nNgmTKo~|*IN2H7ylM%i#_`H4Xj5l-4AK9{%8~dXwxA}TU64m%?%nM
z5b~RmjOFL+Q~fjX%f6AA{?bs|Rlhl;v=0y~mK|~IvX;u${=GGCN3_8R<rmGB=N{pY
zzOA<cuMlZ)rzrSAo7G?D2O<Yn-}|J_c~H^*UbG@@_JITaJmnzAWX#+iCI9(^MvGZ|
z<&n6vccbLL9mD6GalS0;w(1>y@l5*IJW%6%m}S`Kv7^bN*mv(wg;STVgvJ}$-KDGr
zs7mDvcZ^%Tz5GNX5-~Mo@vdU3NXh<VgqptzWf@5}kl1^OR9M}9DQHQPa^9i#M^qzv
z&@4Vzl5eiJxV^FjJHIx*l-n@ho4sV!*)1GNAJts6WH)n%xnc*j7Ju!az-RC`FCQb6
ze#ncA%PW%j^lhZ37|;wH2Hu@n_ctz{d9fn8zSfAqG{0^!n$ewD?OK!Wa~X1#?ZkD~
zB_4g1hna}$iCjKB+KBR5RxSjb0?o#Rk{^D9vk$e|^Qlhp=<b{y4_fXraf#<(+q`;<
z0Qb+v3A}<P3Qt!0P*~+G=yjY;F6>HNA!WIq$8mGCXWC3Mu(3I&sK2V{c2k$b#)wQ$
z-Kw0rX_;x|(#soI3-AIk&5Q4g$bpqhI>wm;1gUc`6V6(>yN}kA?qd=ZJ*47fU9{ic
zUNxReKV$=5b>cggz3BzY&bS>*JT6g|sm%kn-5VR1oNNHCPmBW@8~=5*XPK|-oafZQ
z{iXInM2>H4$U%j3D<uz}n7P(dA4SJsW#8JOf6@}bI`h{z;bF`a&vmOmDj~3kzbdQ=
zRq*bL0QkR`itVWqUjcEq{PMv@ag&Pa<K&M$>g#e3_MpDbf$o8}y?Zc+u&UECRTZXJ
z$^~QOeXRgRReeK7^##(r0{aapGAcjo^28>8T>N|DT37C>B1JKl1KCUd9zAD`Cu3Ty
zi?K$<mhs#oKEBI`oemU>OkJH<V?%fKkM+0;-IG0McZ|tnio)lUXyHf1kd1xfL6h!B
zgDkHB{`%FBvizpLJwKMUUX&zYy36a6DG%tTtB1c=R&*6xM7}pFy=@^L=jy;Z-vF<k
zbOGW=XCd>Of|IRg4-m^!PzORlDY!n{%~cVRg{`oQV-;v1h6uKosPmT=_JwJ>wCUO7
zKihn2473C##&W^_=2Dk@*E+OMqCw7Jf@$eeu9M4$%VMdNKspJP{jT<d18Z7G|ILyH
zi;UGCtgI;kDQk(Pyy2JOqRtI3H)JOT-|T0BoqGG|`K?0=3o*5^V=18(l{Ikjm6Jz>
z%6OysCy#jwDx2}h7Al+Dt$+%nEZkX@PBo=m+R`$-x_vrKY50i#GlbBK=WT0%lJ^0H
zC>=^uiD(6=AKl2%2i|{REBYbP-QGN=nvD%H?8Ro|X{wDLo(^+d%{<HIFjcVPcK1%X
zDi|9$F!5l)bh!xgOdk5XGkYp`q5et2LaD%lV8-Pq_K#l}4GFXtl&8dpI=BeO^>V{Q
z>k_llBnO?wVaf?$qlZqNtz!TzLf%ernvme1x_$G+(bhtP(Z%!6uE-DCvmw_$dCQkP
z5!5VyA{f~|tK&xGc$PB8*~GyD!=pHp-b+-Rc}GG8(MJh@8dDcsojmc(EQ_HC-{pu7
z3Igvt8P8S6a66yzi!?&)Z4C1W@(zkdtl<>Z+inEa2GMurc92C_KOGM(Kj^A$X@vnD
z6_0Y03RD!H-n}uFG&UmxN7}9Avh$)X)A>)<sMm+6fB+9VqkczlGS5L|gAab8=-bh_
zixnBfoNerR14bCJ6|pE*KmOe=K%5O<7?Qi;q?!(xl4o*TNT%&;>IM!DprYxdj`4jv
zUg2{WCuijBu5N6c=WTI&NY2h)lbPb0{(yD=l}q)O`KBBZg~F3b?^D(1d`6>933o8z
z)gmGeW^i+1qJ(ftvkY^(l^aj0r(V>P12<&~IC8<eYXt6+Iq3Dd?+<?qO#6!U&IBBu
zrVdHnHNkT{hy8UFD<oarN=Dpm_2WP|`X?5K4*J~;G^fjm5qzXy_}E@tI18p<s~}ck
zU!%5|;lQA*KBv2i+OLjquooFg=&h`c!O8S)19hQ(dQlde-eCIhE+wzYLSNI(!*{;F
zP&Yh3+OYySQc3xs!wo*K-iCO!e(H_jGlMR(pld832j#5K^U=5>ds6$<k31?COTMw$
z3r9tZRw&uOmDJQ0ejxHN(KkEzht5FOS^E97gM7>WAm+ZHr=T=%@7i~SQ2GxuPW^fy
zJy~}@@<cLt(bC9By4yRgj1K~E=}D)iB}CslT*De@t%{upYE5Oxlg&@SH3`qF-5cv4
z+nfKPV_X)7ADIG$ul#*`3aX7NOARC(081y5VR9H2pdVGlSSZjF4Z6irqCeq9_L}wO
zN#w}C<_n#&p**q2(!z>A(cZ(1HwWCnvOVp!H(@bMxvoZcuF5FKkLWzTal&tLwfXG_
zH!d+e>3Ta1yA<2LJ=oq{pA#v2R*W5qW)W=eJ&6(53U^6&hVNGc@6E!3q>>053J=`)
zAI8kOMl(F8>0m)>K~@b_-~P2(N2b62@q6%!^bn9IA{8C0rbRx#!)WM3f(>mtPb4pu
z-J4mZdt$?=cL)zo9JhQ@ldaK2dl~;34jt}{#+2A=YTSBLFDtTpcA|yv^o6hOcM{@4
z4j&<Em<u;tIW25rCX8lNVY9t7<(3Sc<A!I{8qLZ*b1;63^R3#mRITv9UQo;IjS_ep
zaq&P4n{AuL@XRC7UMMgG8))TEHb$g-%Qf%MHZy$tt!z1B&w;r)P=xZ%lEyK;o9_PT
zzxv{b8|j)Z?<?kZ-SR_Q;UtJMXy6IpQ9%%Jn_kwwM7&6e&R-Fy*Q#rqkT9ZjFl2pk
zSM!XyV>q1BT)-1t{`K6fb&YzKl=tY)#O#wF@&`C|5{qsTqp!w(n;jbd-ZP683a1m5
zK>~aC3T2gn&M66Z4onK=OGTafnFZA&;9WzH1aET?ah}&fzd%&H+q7C~fha*kMRmz8
zCMNq~Nm9Aoe&o$JBQlj)V5>{wD3Qi4-Q4s&ggSfaW=wUMUf9#HOy;@-<{Wf<$Asgm
z%gfJ*Z+CF|v)SZr!OMt=PVUbh@KLwNu^65D^avHoM6GasoFdBZsnG;Q-NPFrp~3=%
zOf-MmYH+&84F~w4^zq?&!OO7u_fON1#jd6|I-`P$(F&y2JU8)TOeV78_{zED`fE*l
z4k}L6Y5X`ByW(^|{OG_wB%6}~tiMn~I6T%_Yoy+KfgQA%yvQ;u8o)JHbUmwX-?$po
zvm_V*^`8z2)ERBt#?Y;*qO4b+<j&ZqrhOfp-5&e3+3`#;ZXVoK@k7SQ^QIFflmiL!
zoD0z@B7LYs;Y%|8LKu`3tT*%FQP97!oH!g@v`gE9hDNqjfq)Ir$=?*{!JuIovOpwo
z@W{B=6hzrQkY#z*KF@)XcAn2vlgW;__j+v6(CCc*M26{zAtNUy<#Vgem*SwVj=*Fi
z&ECX_f9$w%o0C$y>AvwVcR5oMpICkTfyj>@peN1BMr<IYzbCfucbkEF3^sG}6yh!7
z(Ugv~T;27-_Z+lk@vF^>worB&XmvH6_9L;b%BO|ULs<Y2TdSBtnL9r^5a*NfIY8{H
zEJ!GoDTYIl@wQVtXeebXww^i;mKN_$I((nM2@S;l3?>1b0p|nWj1Am8fi!3BH0OqJ
z(pE~422B7q%ZLUYY12H(NdqAC#p@BUFYENp&JVa<ZMs8Nedh8jlBa<}2<oJ;2oTI}
z{Yr>HAOsQuLL;Q$6TiB~wxV+ARE3UL8d?IO8URnwiA9qf3d})U5`=VsJhVd?8jJP;
z5^)g%`(PN_PCE)(>}Ve#(?KnG5U7Wg`-zRA5465ITDRNJrW+cJ&!IuqU*kYK_SQH6
zw*4AsOQfH$8G@6bKW__Q0%3kXb!(izAUp)DY50TIllNP--{bt2XUpekh!xWA51a%|
zcw22)kiL*S5T1m(>L6exdf_GQ>c6b;=e+rIH9*L}t?(4Y0{?j`4a;vE2}%RW4at+c
zXc+kS^}nq4H*)_q2M}QU+iEmzX`0Za+>#rT5=u?b;N7pQp}B&#jlXQOCHViEtI@4|
z!A}qmvP!g0#$VeGq#I<UKeqV`YlEi(NciiiKWzh^ss~;Dp4KJ#mu-IO`d8`z9Na(s
zO(K)l)CgJcU;D)Gen}wu7S8|ax-kKNIW45a)&c<Dm4NoEdwCGd;QL=mq^%E7-UB>s
zYk1lMq)qZDXFDTc(ro3ZeoxF(#Dz}I^JKbU<#T`Tpc#YaC@*d3xpw?_VM23YqO8RX
zV;KL_MF~B7Ykuw}a3FVo-2SijN1#3w`zi<%4n#m*mVbr8kQ<CJd+L~<`t3A7$J#RF
zLJHKJ3g&-n0%>jr=?0RBsy_|z@LvYV0lC=l|Dh1bBpl5Fta2{@+yB{VwiIglw?fdM
z|5gZGM$_Y`gZ@$ow2l5NgYo|qdiw9Z<F`VP3;c2RzZHTE0Nf4Q>S){0|4<0J5pvi6
jsSw!l!3^bm-P}$un{*t`y{f$p{8NQrQ^~$)e((PPB&*@2

literal 0
HcmV?d00001

diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index 7dd37be..4d63a2b 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -47,6 +47,8 @@ import { MyAffiliationsPage } from './pages/partner/MyAffiliations.js';
 import { MyRequestsPage } from './pages/partner/MyRequests.js';
 import { MyProfilePage } from './pages/partner/MyProfile.js';
 import { InstallPage } from './pages/Install.js';
+import { LandingPage } from './pages/Landing.js';
+import { SignupPage } from './pages/Signup.js';
 import { FraudReviewPage } from './pages/FraudReview.js';
 import { useQuery } from '@tanstack/react-query';
 
@@ -57,16 +59,19 @@ interface AuthState {
 
 interface InstallStatus {
   needsSetup: boolean;
+  reason?: 'multi_tenant';
 }
 
 export function App() {
-  // First-run gate: hit the install-status probe once at app boot. While
-  // zero admins are activated we route everything (except the magic
-  // landing, which is how the installer's own link works) to /install.
+  // First-run gate. Three modes the probe can return:
+  //   { needsSetup: true }                     — single-tenant, no admin yet
+  //   { needsSetup: false }                    — single-tenant, ready
+  //   { needsSetup: false, reason: 'multi_tenant' } — multi-tenant deploy
+  //
+  // Multi-tenant flips the routing entirely: root is the public landing,
+  // /signup creates a tenant, and the Shell only mounts under /t/<slug>/.
   const install = useQuery({
     queryKey: ['install-status'],
-    // Public endpoint — no auth required. Hand-rolled fetch so we don't
-    // drag the api() function through auth-cleanup on 401.
     queryFn: async () => {
       const r = await fetch('/api/install/status');
       return (await r.json()) as InstallStatus;
@@ -76,11 +81,22 @@ export function App() {
 
   if (install.isLoading) return null;
   const needsSetup = install.data?.needsSetup ?? false;
+  const isMultiTenant = install.data?.reason === 'multi_tenant';
 
   return (
     <BrowserRouter>
       <Routes>
-        {needsSetup ? (
+        {isMultiTenant ? (
+          <>
+            <Route path="/" element={<LandingPage />} />
+            <Route path="/signup" element={<SignupPage />} />
+            <Route path="/auth/magic" element={<MagicLandingPage />} />
+            <Route path="/t/:slug/login" element={<LoginPage />} />
+            <Route path="/t/:slug/auth/magic" element={<MagicLandingPage />} />
+            <Route path="/t/:slug/*" element={<Shell />} />
+            <Route path="*" element={<Navigate to="/" replace />} />
+          </>
+        ) : needsSetup ? (
           <>
             <Route path="/install" element={<InstallPage />} />
             <Route path="/auth/magic" element={<MagicLandingPage />} />
@@ -102,6 +118,7 @@ export function App() {
 function Shell() {
   const [auth, setAuth] = useState<AuthState>({ loading: true, principal: null });
   const location = useLocation();
+  const tenantBase = useTenantBase();
 
   useEffect(() => {
     api<Principal>('/auth/whoami')
@@ -110,7 +127,7 @@ function Shell() {
   }, []);
 
   if (auth.loading) return <CenteredMessage>Loading…</CenteredMessage>;
-  if (!auth.principal) return <Navigate to="/login" state={{ from: location }} replace />;
+  if (!auth.principal) return <Navigate to={`${tenantBase}/login`} state={{ from: location }} replace />;
 
   return (
     <div style={{ display: 'flex', minHeight: '100vh', background: theme.bg }}>
@@ -170,6 +187,7 @@ interface ProgramSettings {
 
 function Sidebar({ principal }: { principal: Principal }) {
   const nav = useNavigate();
+  const tenantBase = useTenantBase();
   const settings = useQuery({
     queryKey: ['program-settings'],
     queryFn: () => api<ProgramSettings>('/config/program'),
@@ -249,7 +267,7 @@ function Sidebar({ principal }: { principal: Principal }) {
           } catch {
             /* ignore */
           }
-          nav('/login');
+          nav(`${tenantBase}/login`);
         }}
         style={{
           display: 'flex',
@@ -378,12 +396,23 @@ function NavSection({ title, children }: { title: string; children: ReactNode })
   );
 }
 
+function useTenantBase(): string {
+  // In multi-tenant mode the Shell mounts under /t/<slug>/*. NavItem and
+  // friends pass absolute paths like "/links" — we prepend the tenant
+  // base so navigation stays scoped. Falls back to "" in single-tenant.
+  const { pathname } = useLocation();
+  const m = pathname.match(/^\/t\/([a-z0-9-]+)/);
+  return m ? `/t/${m[1]}` : '';
+}
+
 function NavItem({ to, icon, children }: { to: string; icon: ReactNode; children: ReactNode }) {
   const location = useLocation();
-  const active = location.pathname === to || (to !== '/' && location.pathname.startsWith(to));
+  const tenantBase = useTenantBase();
+  const href = to.startsWith('/') ? `${tenantBase}${to === '/' ? '' : to}` || '/' : to;
+  const active = location.pathname === href || (href !== '/' && location.pathname.startsWith(href));
   return (
     <Link
-      to={to}
+      to={href}
       style={{
         display: 'flex',
         alignItems: 'center',
@@ -415,24 +444,15 @@ function NavItem({ to, icon, children }: { to: string; icon: ReactNode; children
   );
 }
 
-function Logo() {
+function Logo({ size = 26 }: { size?: number } = {}) {
   return (
-    <div
-      style={{
-        width: 26,
-        height: 26,
-        borderRadius: 8,
-        background: `linear-gradient(135deg, ${theme.accent}, #0891b2)`,
-        display: 'flex',
-        alignItems: 'center',
-        justifyContent: 'center',
-        color: theme.accentInk,
-        fontWeight: 700,
-        fontSize: 14,
-      }}
-    >
-      O
-    </div>
+    <img
+      src="/logo-mark-green.svg"
+      alt="OpenPartner"
+      width={size}
+      height={size}
+      style={{ display: 'block' }}
+    />
   );
 }
 
diff --git a/apps/portal/src/api.ts b/apps/portal/src/api.ts
index cfc6875..d49eef0 100644
--- a/apps/portal/src/api.ts
+++ b/apps/portal/src/api.ts
@@ -12,6 +12,18 @@ export function clearApiKey(): void {
   localStorage.removeItem(KEY_STORAGE);
 }
 
+/**
+ * Pull the tenant slug from the current URL path so multi-tenant mode
+ * scopes API calls automatically. In single-tenant mode the SPA never
+ * mounts under /t/<slug>/ so this returns null and api() calls hit /api/*
+ * unchanged.
+ */
+export function currentTenantSlug(): string | null {
+  if (typeof window === 'undefined') return null;
+  const m = window.location.pathname.match(/^\/t\/([a-z0-9-]+)(?:\/|$)/);
+  return m ? m[1]! : null;
+}
+
 export async function api<T = unknown>(
   path: string,
   init: Omit<RequestInit, 'body'> & { body?: unknown } = {},
@@ -22,7 +34,9 @@ export async function api<T = unknown>(
   if (init.body !== undefined && !headers.has('content-type')) {
     headers.set('content-type', 'application/json');
   }
-  const res = await fetch(`/api${path}`, {
+  const slug = currentTenantSlug();
+  const tenantPrefix = slug ? `/t/${slug}` : '';
+  const res = await fetch(`/api${tenantPrefix}${path}`, {
     ...init,
     headers,
     credentials: 'include',
diff --git a/apps/portal/src/pages/Landing.tsx b/apps/portal/src/pages/Landing.tsx
new file mode 100644
index 0000000..0892001
--- /dev/null
+++ b/apps/portal/src/pages/Landing.tsx
@@ -0,0 +1,112 @@
+import { Link } from 'react-router-dom';
+import { ArrowRight, Globe, Receipt, ShieldCheck } from 'lucide-react';
+import { theme } from '../theme.js';
+import { Logo } from './auth/Shared.js';
+
+/**
+ * Public landing for multi-tenant deployments. The single-tenant build
+ * never mounts this — its root goes straight to the Shell. Two CTAs:
+ * create a program (signup) or sign in (you'll need a tenant slug, but
+ * if the link the operator emailed you was the magic link, you went to
+ * /t/<slug>/auth/magic and never see this page).
+ */
+export function LandingPage() {
+  return (
+    <div style={{ minHeight: '100vh', background: theme.bg, color: theme.text, display: 'flex', flexDirection: 'column' }}>
+      <header
+        style={{
+          padding: '20px 32px',
+          display: 'flex',
+          alignItems: 'center',
+          justifyContent: 'space-between',
+          borderBottom: `1px solid ${theme.borderSubtle}`,
+        }}
+      >
+        <div style={{ display: 'flex', alignItems: 'center', gap: 10 }}>
+          <Logo />
+          <div style={{ fontSize: 16, fontWeight: 600, letterSpacing: '-0.01em' }}>OpenPartner</div>
+        </div>
+        <div style={{ display: 'flex', gap: 14, alignItems: 'center', fontSize: 13 }}>
+          <a href="https://openpartner.dev" style={{ color: theme.textMuted }}>About</a>
+          <Link to="/signup">
+            <span
+              style={{
+                background: theme.accent,
+                color: theme.accentInk,
+                padding: '8px 14px',
+                borderRadius: theme.radiusSm,
+                fontSize: 13,
+                fontWeight: 600,
+              }}
+            >
+              Create a program
+            </span>
+          </Link>
+        </div>
+      </header>
+
+      <main style={{ flex: 1, display: 'flex', alignItems: 'center', justifyContent: 'center', padding: '40px 24px' }}>
+        <div style={{ maxWidth: 720, textAlign: 'center' }}>
+          <h1 style={{ fontSize: 44, lineHeight: 1.1, margin: 0, letterSpacing: '-0.02em' }}>
+            The partner program your data outlives.
+          </h1>
+          <p style={{ marginTop: 20, fontSize: 17, color: theme.textMuted, lineHeight: 1.5 }}>
+            Click → identity → revenue, surviving Safari ITP and 30-day cookie windows.
+            Your raw attribution log is exportable to CSV/JSON/SQL — leave anytime, your history comes with you.
+          </p>
+
+          <div style={{ display: 'flex', gap: 12, justifyContent: 'center', marginTop: 28, flexWrap: 'wrap' }}>
+            <Link to="/signup">
+              <span
+                style={{
+                  display: 'inline-flex',
+                  alignItems: 'center',
+                  gap: 8,
+                  background: theme.accent,
+                  color: theme.accentInk,
+                  padding: '12px 18px',
+                  borderRadius: theme.radiusSm,
+                  fontSize: 14,
+                  fontWeight: 600,
+                }}
+              >
+                Create your program <ArrowRight size={15} />
+              </span>
+            </Link>
+            <a href="https://openpartner.dev/docs" style={{ display: 'inline-flex', alignItems: 'center', padding: '12px 18px', color: theme.textMuted, fontSize: 14 }}>
+              Read the docs →
+            </a>
+          </div>
+
+          <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fit, minmax(200px, 1fr))', gap: 16, marginTop: 56, textAlign: 'left' }}>
+            <Pill icon={<Globe size={16} />} title="Federation built in">
+              List on the OpenPartner Network and creators across other vendors can discover and apply to your program.
+            </Pill>
+            <Pill icon={<Receipt size={16} />} title="Three-tier pricing">
+              Self-host (free), flat fee, or 3% rev share. Pick at signup. No cookie-cutter contracts.
+            </Pill>
+            <Pill icon={<ShieldCheck size={16} />} title="Your data, exportable">
+              CSV/JSON/SQL export of every raw row. The self-hosted build re-imports it cleanly.
+            </Pill>
+          </div>
+        </div>
+      </main>
+
+      <footer style={{ padding: '20px 32px', borderTop: `1px solid ${theme.borderSubtle}`, color: theme.textDim, fontSize: 12, textAlign: 'center' }}>
+        Already have a program? Open the link the operator emailed you, or visit <code>/t/&lt;your-slug&gt;/login</code>.
+      </footer>
+    </div>
+  );
+}
+
+function Pill({ icon, title, children }: { icon: React.ReactNode; title: string; children: React.ReactNode }) {
+  return (
+    <div style={{ background: theme.surface, border: `1px solid ${theme.borderSubtle}`, borderRadius: theme.radiusSm, padding: 16 }}>
+      <div style={{ display: 'flex', alignItems: 'center', gap: 8, color: theme.accent, fontSize: 13, marginBottom: 6 }}>
+        {icon}
+        <span style={{ color: theme.text, fontWeight: 600 }}>{title}</span>
+      </div>
+      <div style={{ color: theme.textMuted, fontSize: 13, lineHeight: 1.5 }}>{children}</div>
+    </div>
+  );
+}
diff --git a/apps/portal/src/pages/Signup.tsx b/apps/portal/src/pages/Signup.tsx
new file mode 100644
index 0000000..bdaeb73
--- /dev/null
+++ b/apps/portal/src/pages/Signup.tsx
@@ -0,0 +1,170 @@
+import { useState } from 'react';
+import { Link } from 'react-router-dom';
+import { ApiError } from '../api.js';
+import { theme } from '../theme.js';
+import { AuthFrame } from './auth/Shared.js';
+
+interface SignupResult {
+  ok: true;
+  tenant: { id: string; slug: string };
+  mailDelivered?: boolean;
+  mailError?: string;
+}
+
+export function SignupPage() {
+  const [slug, setSlug] = useState('');
+  const [displayName, setDisplayName] = useState('');
+  const [adminEmail, setAdminEmail] = useState('');
+  const [adminName, setAdminName] = useState('');
+  const [busy, setBusy] = useState(false);
+  const [err, setErr] = useState<string | null>(null);
+  const [result, setResult] = useState<SignupResult | null>(null);
+
+  async function submit(e: React.FormEvent) {
+    e.preventDefault();
+    setBusy(true);
+    setErr(null);
+    try {
+      // Public signup — explicit fetch so we don't pick up a stale tenant
+      // prefix from currentTenantSlug() if the user navigated here from
+      // somewhere weird. /signup is mounted before tenantMiddleware on
+      // the API side anyway.
+      const res = await fetch('/api/signup', {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({
+          slug: slug.trim().toLowerCase(),
+          displayName: displayName.trim(),
+          adminEmail: adminEmail.trim().toLowerCase(),
+          adminName: adminName.trim(),
+        }),
+      });
+      const data = (await res.json()) as Record<string, unknown>;
+      if (!res.ok) {
+        throw new ApiError(res.status, String(data.error ?? `${res.status}`), data);
+      }
+      setResult(data as unknown as SignupResult);
+    } catch (e) {
+      const code = e instanceof ApiError ? String(e.message) : 'unknown_error';
+      setErr(friendlyError(code));
+    } finally {
+      setBusy(false);
+    }
+  }
+
+  if (result) {
+    return (
+      <AuthFrame title="Check your inbox" subtitle={`We just emailed ${adminEmail} a sign-in link.`}>
+        <div style={{ background: theme.successSoft, border: `1px solid ${theme.success}55`, padding: 14, borderRadius: theme.radiusSm, fontSize: 13, color: theme.success }}>
+          <div style={{ fontWeight: 500, marginBottom: 6 }}>Program created.</div>
+          <div style={{ color: `${theme.success}cc` }}>
+            Your slug is <code>{result.tenant.slug}</code>. The activation link is good for 15 minutes.
+          </div>
+        </div>
+        {result.mailDelivered === false && (
+          <div style={{ marginTop: 12, color: theme.danger, fontSize: 13 }}>
+            Mail send failed: {result.mailError ?? 'unknown'}. Contact support to retry.
+          </div>
+        )}
+      </AuthFrame>
+    );
+  }
+
+  return (
+    <AuthFrame title="Create your program" subtitle="One minute to provision. We'll email you a sign-in link.">
+      <form onSubmit={submit}>
+        <Field label="Program name" hint="What partners see in your portal — e.g. Acme Affiliates.">
+          <input
+            value={displayName}
+            onChange={(e) => setDisplayName(e.target.value)}
+            placeholder="Acme Affiliates"
+            required
+            style={inputStyle}
+          />
+        </Field>
+        <Field label="URL slug" hint="Lowercase letters, numbers, hyphens. Becomes app.openpartner.dev/t/<slug>/.">
+          <input
+            value={slug}
+            onChange={(e) => setSlug(e.target.value.toLowerCase().replace(/[^a-z0-9-]/g, ''))}
+            placeholder="acme"
+            pattern="[a-z0-9-]{3,40}"
+            minLength={3}
+            maxLength={40}
+            required
+            style={{ ...inputStyle, fontFamily: theme.fontMono }}
+          />
+        </Field>
+        <Field label="Your name">
+          <input
+            value={adminName}
+            onChange={(e) => setAdminName(e.target.value)}
+            placeholder="Ada Lovelace"
+            required
+            style={inputStyle}
+          />
+        </Field>
+        <Field label="Your email" hint="We'll send the activation link here.">
+          <input
+            type="email"
+            value={adminEmail}
+            onChange={(e) => setAdminEmail(e.target.value)}
+            placeholder="ada@example.com"
+            required
+            style={inputStyle}
+          />
+        </Field>
+        {err && <div style={{ color: theme.danger, fontSize: 13, marginTop: 4, marginBottom: 8 }}>{err}</div>}
+        <button type="submit" disabled={busy} style={primaryBtnStyle(busy)}>
+          {busy ? 'Creating…' : 'Create program'}
+        </button>
+        <div style={{ marginTop: 12, fontSize: 12, color: theme.textDim, textAlign: 'center' }}>
+          Already have a program? <Link to="/" style={{ color: theme.accent }}>Back to landing</Link>
+        </div>
+      </form>
+    </AuthFrame>
+  );
+}
+
+function Field({ label, hint, children }: { label: string; hint?: string; children: React.ReactNode }) {
+  return (
+    <div style={{ marginBottom: 12 }}>
+      <div style={{ fontSize: 12, color: theme.textMuted, marginBottom: 4 }}>{label}</div>
+      {children}
+      {hint && <div style={{ fontSize: 11, color: theme.textDim, marginTop: 4 }}>{hint}</div>}
+    </div>
+  );
+}
+
+function friendlyError(code: string): string {
+  if (code.includes('slug_taken')) return 'That slug is already taken. Pick another.';
+  if (code.includes('slug_reserved')) return 'That slug is reserved. Try a different one.';
+  if (code.includes('invalid_body')) return 'Some fields look invalid — check the slug format and email.';
+  if (code.includes('signup_not_available')) return 'Public signup is disabled on this deployment.';
+  return 'Something went wrong. Try again or contact support.';
+}
+
+const inputStyle: React.CSSProperties = {
+  width: '100%',
+  padding: '10px 12px',
+  fontSize: 14,
+  background: theme.surface2,
+  border: `1px solid ${theme.border}`,
+  borderRadius: theme.radiusSm,
+  color: theme.text,
+};
+
+function primaryBtnStyle(disabled: boolean): React.CSSProperties {
+  return {
+    marginTop: 6,
+    width: '100%',
+    padding: '10px 14px',
+    background: theme.accent,
+    color: theme.accentInk,
+    border: 'none',
+    borderRadius: theme.radiusSm,
+    fontSize: 14,
+    fontWeight: 600,
+    cursor: disabled ? 'not-allowed' : 'pointer',
+    opacity: disabled ? 0.5 : 1,
+  };
+}
diff --git a/apps/portal/src/pages/auth/Shared.tsx b/apps/portal/src/pages/auth/Shared.tsx
index 38aa345..e45d860 100644
--- a/apps/portal/src/pages/auth/Shared.tsx
+++ b/apps/portal/src/pages/auth/Shared.tsx
@@ -45,23 +45,14 @@ export function AuthFrame({
   );
 }
 
-export function Logo() {
+export function Logo({ size = 26 }: { size?: number } = {}) {
   return (
-    <div
-      style={{
-        width: 26,
-        height: 26,
-        borderRadius: 8,
-        background: `linear-gradient(135deg, ${theme.accent}, #0891b2)`,
-        display: 'flex',
-        alignItems: 'center',
-        justifyContent: 'center',
-        color: theme.accentInk,
-        fontWeight: 700,
-        fontSize: 14,
-      }}
-    >
-      O
-    </div>
+    <img
+      src="/logo-mark-green.svg"
+      alt="OpenPartner"
+      width={size}
+      height={size}
+      style={{ display: 'block' }}
+    />
   );
 }

From c994ba7c38fad041585a96e767305d6c23ebc55b Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 11:01:41 -0700
Subject: [PATCH 034/131] feat(portal): platform-level Creator account on
 multi-tenant deploy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Landing on app.openpartner.dev now offers two paths from day one:

- Vendors → /signup → create a tenant + admin account (existing)
- Creators → /creator/signup → create a Network Creator account

Creators get their own auth (magic-link via Network), their own Shell
at /creator/* with Discover, My partnerships, My applications, Profile.
A creator's identity is platform-wide; when they apply to a vendor's
program and the vendor approves, the existing federation flow creates
a Partner row in that vendor's tenant linked back to the same Creator.

API
- /api/creator-api/* reverse-proxies a fixed allowlist of Network
  endpoints (creator auth, /creators/me/*, /offerings, /vendors/:id,
  /offerings/:id/apply). Cookies pass through both directions, so the
  Network's `op_network_creator_session` cookie ends up scoped to
  app.openpartner.dev (Network sets it without a Domain, so the
  browser scopes it to whoever responded).
- Mounted before tenantMiddleware so it works at the bare host with
  no /t/<slug>/ prefix.

Portal
- pages/creator/{Discover,OfferingDetail,VendorDetail,MyAffiliations,
  MyRequests,MyProfile,Signup,Signin,MagicLanding,Shell}
- creator-api.ts is a thin fetch helper for /api/creator-api/* with
  cookie credentials and structured ApiError.
- Landing gains side-by-side Vendor + Creator CTA cards plus a
  "Creator sign in" link in the header.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/app.ts                           |   5 +
 apps/api/src/routes/creator-portal.ts         | 112 +++++++++++
 apps/portal/src/App.tsx                       |   9 +
 apps/portal/src/pages/Landing.tsx             |  82 ++++----
 .../src/pages/creator/CreatorDiscover.tsx     |  99 ++++++++++
 .../src/pages/creator/CreatorMagicLanding.tsx |  45 +++++
 .../pages/creator/CreatorMyAffiliations.tsx   |  90 +++++++++
 .../src/pages/creator/CreatorMyProfile.tsx    | 111 +++++++++++
 .../src/pages/creator/CreatorMyRequests.tsx   |  72 +++++++
 .../pages/creator/CreatorOfferingDetail.tsx   | 131 +++++++++++++
 .../portal/src/pages/creator/CreatorShell.tsx | 184 ++++++++++++++++++
 .../src/pages/creator/CreatorSignin.tsx       |  83 ++++++++
 .../src/pages/creator/CreatorSignup.tsx       | 122 ++++++++++++
 .../src/pages/creator/CreatorVendorDetail.tsx |  46 +++++
 apps/portal/src/pages/creator/creator-api.ts  |  48 +++++
 15 files changed, 1204 insertions(+), 35 deletions(-)
 create mode 100644 apps/api/src/routes/creator-portal.ts
 create mode 100644 apps/portal/src/pages/creator/CreatorDiscover.tsx
 create mode 100644 apps/portal/src/pages/creator/CreatorMagicLanding.tsx
 create mode 100644 apps/portal/src/pages/creator/CreatorMyAffiliations.tsx
 create mode 100644 apps/portal/src/pages/creator/CreatorMyProfile.tsx
 create mode 100644 apps/portal/src/pages/creator/CreatorMyRequests.tsx
 create mode 100644 apps/portal/src/pages/creator/CreatorOfferingDetail.tsx
 create mode 100644 apps/portal/src/pages/creator/CreatorShell.tsx
 create mode 100644 apps/portal/src/pages/creator/CreatorSignin.tsx
 create mode 100644 apps/portal/src/pages/creator/CreatorSignup.tsx
 create mode 100644 apps/portal/src/pages/creator/CreatorVendorDetail.tsx
 create mode 100644 apps/portal/src/pages/creator/creator-api.ts

diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index f7e2510..a1db448 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -33,6 +33,7 @@ import { metricsRouter } from './routes/metrics.js';
 import { signupRouter } from './routes/signup.js';
 import { partnerSignupRouter } from './routes/partner-signup.js';
 import { networkPartnerRouter } from './routes/network-partner.js';
+import { creatorPortalRouter } from './routes/creator-portal.js';
 import { tenantMiddleware } from './tenancy.js';
 
 export function createApp(options: { enableLogger?: boolean } = {}) {
@@ -115,6 +116,10 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   app.use(installRouter);
   app.use(signupRouter);
   app.use(metricsRouter);
+  // Creator portal is platform-level (no tenant), proxies to Network.
+  // Mount before tenantMiddleware so it's reachable from app.openpartner.dev/*
+  // without a /t/<slug>/ prefix.
+  app.use(creatorPortalRouter);
 
   // ----- Tenant scope -----
   // Everything below runs inside a per-request transaction with
diff --git a/apps/api/src/routes/creator-portal.ts b/apps/api/src/routes/creator-portal.ts
new file mode 100644
index 0000000..8c730be
--- /dev/null
+++ b/apps/api/src/routes/creator-portal.ts
@@ -0,0 +1,112 @@
+/**
+ * Platform-level Creator portal proxy.
+ *
+ * The multi-tenant deployment at app.openpartner.dev needs a creator
+ * surface that lives outside any single vendor tenant. Creators sign up
+ * here, get a Network-issued session, browse offerings across the
+ * federation, and apply. When a vendor approves, that vendor's instance
+ * federation flow creates a Partner row inside their tenant — but the
+ * creator's "home" stays here.
+ *
+ * Implementation: thin reverse proxy from /api/creator/* into the Network
+ * API. We pass cookies straight through so Network's
+ * `op_network_creator_session` cookie ends up scoped to app.openpartner.dev
+ * (Network sets the cookie without a Domain attribute, so the browser
+ * scopes it to whichever host responded — that's us). The Network already
+ * has all the Creator/magic-link/discover/apply endpoints we need; we
+ * don't duplicate any of that here.
+ *
+ * Public endpoints (no creator session needed) are also proxied so the
+ * Discover/Vendor pages render before signup.
+ */
+
+import { Router, type Request, type Response } from 'express';
+
+export const creatorPortalRouter = Router();
+
+// Whitelist: exact path match or prefix-with-glob. We only forward paths
+// the Network exposes for creator-side flows, never anything else.
+const ALLOWED_EXACT = new Set([
+  '/creators/signup',
+  '/creators/signin',
+  '/creators/verify',
+  '/creators/signout',
+  '/creators/whoami',
+  '/creators/me',
+  '/creators/me/affiliations',
+  '/creators/me/requests',
+  '/offerings',
+]);
+
+const ALLOWED_PREFIX: Array<{ prefix: string; methods: Set<string> }> = [
+  { prefix: '/offerings/', methods: new Set(['GET', 'POST']) },     // /offerings/:id, /offerings/:id/apply
+  { prefix: '/vendors/', methods: new Set(['GET']) },                // /vendors/:id (public profile)
+  { prefix: '/creators/me/affiliations/', methods: new Set(['GET']) },
+  { prefix: '/creators/me/requests/', methods: new Set(['POST']) },
+];
+
+function isAllowed(method: string, subpath: string): boolean {
+  if (ALLOWED_EXACT.has(subpath)) return true;
+  for (const { prefix, methods } of ALLOWED_PREFIX) {
+    if (subpath.startsWith(prefix) && methods.has(method)) return true;
+  }
+  return false;
+}
+
+creatorPortalRouter.all(/^\/creator-api(\/.*)?$/, async (req: Request, res: Response) => {
+  const networkUrl = process.env.NETWORK_URL;
+  if (!networkUrl) {
+    return res.status(503).json({ error: 'network_not_configured' });
+  }
+
+  const subpath = req.path.replace(/^\/creator-api/, '') || '/';
+  if (!isAllowed(req.method, subpath)) {
+    return res.status(404).json({ error: 'not_found' });
+  }
+
+  const qs = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
+  const upstreamUrl = `${networkUrl.replace(/\/$/, '')}${subpath}${qs}`;
+
+  // Forward only the bits the upstream cares about. We strip Authorization
+  // (no openpartner bearer should leak to Network) and Host (let fetch set it).
+  const headers: Record<string, string> = {};
+  const ct = req.header('content-type');
+  if (ct) headers['content-type'] = ct;
+  const cookie = req.header('cookie');
+  if (cookie) headers['cookie'] = cookie;
+  headers['user-agent'] = 'OpenPartner-CreatorPortal/1';
+  headers['x-forwarded-for'] = req.ip ?? '';
+
+  const init: RequestInit = {
+    method: req.method,
+    headers,
+    signal: AbortSignal.timeout(10_000),
+  };
+  if (req.method !== 'GET' && req.method !== 'HEAD') {
+    init.body = req.body !== undefined ? JSON.stringify(req.body) : undefined;
+  }
+
+  let upstream: globalThis.Response;
+  try {
+    upstream = await fetch(upstreamUrl, init);
+  } catch (err) {
+    return res.status(502).json({
+      error: 'network_unreachable',
+      detail: err instanceof Error ? err.message : String(err),
+    });
+  }
+
+  // Relay Set-Cookie verbatim. The cookie has no Domain attribute, so the
+  // browser scopes it to app.openpartner.dev (which is what we want).
+  const setCookie = upstream.headers.get('set-cookie');
+  if (setCookie) res.setHeader('set-cookie', setCookie);
+
+  const upstreamCt = upstream.headers.get('content-type') ?? '';
+  res.status(upstream.status);
+  if (upstreamCt.includes('application/json')) {
+    const body = await upstream.text();
+    res.type('application/json').send(body);
+  } else {
+    res.send(await upstream.text());
+  }
+});
diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index 4d63a2b..d2cfe3a 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -49,6 +49,10 @@ import { MyProfilePage } from './pages/partner/MyProfile.js';
 import { InstallPage } from './pages/Install.js';
 import { LandingPage } from './pages/Landing.js';
 import { SignupPage } from './pages/Signup.js';
+import { CreatorSignupPage } from './pages/creator/CreatorSignup.js';
+import { CreatorSigninPage } from './pages/creator/CreatorSignin.js';
+import { CreatorMagicLandingPage } from './pages/creator/CreatorMagicLanding.js';
+import { CreatorShell } from './pages/creator/CreatorShell.js';
 import { FraudReviewPage } from './pages/FraudReview.js';
 import { useQuery } from '@tanstack/react-query';
 
@@ -91,6 +95,11 @@ export function App() {
             <Route path="/" element={<LandingPage />} />
             <Route path="/signup" element={<SignupPage />} />
             <Route path="/auth/magic" element={<MagicLandingPage />} />
+            {/* Platform-level Creator surfaces — separate auth from vendor admins. */}
+            <Route path="/creator/signup" element={<CreatorSignupPage />} />
+            <Route path="/creator/login" element={<CreatorSigninPage />} />
+            <Route path="/creator/auth/magic" element={<CreatorMagicLandingPage />} />
+            <Route path="/creator/*" element={<CreatorShell />} />
             <Route path="/t/:slug/login" element={<LoginPage />} />
             <Route path="/t/:slug/auth/magic" element={<MagicLandingPage />} />
             <Route path="/t/:slug/*" element={<Shell />} />
diff --git a/apps/portal/src/pages/Landing.tsx b/apps/portal/src/pages/Landing.tsx
index 0892001..67a280c 100644
--- a/apps/portal/src/pages/Landing.tsx
+++ b/apps/portal/src/pages/Landing.tsx
@@ -28,20 +28,7 @@ export function LandingPage() {
         </div>
         <div style={{ display: 'flex', gap: 14, alignItems: 'center', fontSize: 13 }}>
           <a href="https://openpartner.dev" style={{ color: theme.textMuted }}>About</a>
-          <Link to="/signup">
-            <span
-              style={{
-                background: theme.accent,
-                color: theme.accentInk,
-                padding: '8px 14px',
-                borderRadius: theme.radiusSm,
-                fontSize: 13,
-                fontWeight: 600,
-              }}
-            >
-              Create a program
-            </span>
-          </Link>
+          <Link to="/creator/login" style={{ color: theme.textMuted }}>Creator sign in</Link>
         </div>
       </header>
 
@@ -55,27 +42,25 @@ export function LandingPage() {
             Your raw attribution log is exportable to CSV/JSON/SQL — leave anytime, your history comes with you.
           </p>
 
-          <div style={{ display: 'flex', gap: 12, justifyContent: 'center', marginTop: 28, flexWrap: 'wrap' }}>
-            <Link to="/signup">
-              <span
-                style={{
-                  display: 'inline-flex',
-                  alignItems: 'center',
-                  gap: 8,
-                  background: theme.accent,
-                  color: theme.accentInk,
-                  padding: '12px 18px',
-                  borderRadius: theme.radiusSm,
-                  fontSize: 14,
-                  fontWeight: 600,
-                }}
-              >
-                Create your program <ArrowRight size={15} />
-              </span>
-            </Link>
-            <a href="https://openpartner.dev/docs" style={{ display: 'inline-flex', alignItems: 'center', padding: '12px 18px', color: theme.textMuted, fontSize: 14 }}>
-              Read the docs →
-            </a>
+          <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fit, minmax(280px, 1fr))', gap: 16, marginTop: 32, textAlign: 'left' }}>
+            <CtaCard
+              eyebrow="For vendors"
+              title="Run your own partner program"
+              body="Create a tenant, invite partners, track every click → signup → revenue, run payouts via Stripe Connect."
+              ctaLabel="Create your program"
+              to="/signup"
+            />
+            <CtaCard
+              eyebrow="For creators"
+              title="Browse and apply to programs"
+              body="One profile, many programs. Discover vendors across the OpenPartner Network and apply with one click."
+              ctaLabel="Sign up as a creator"
+              to="/creator/signup"
+            />
+          </div>
+
+          <div style={{ marginTop: 24, fontSize: 13, color: theme.textDim }}>
+            Already have an account? <Link to="/creator/login" style={{ color: theme.accent }}>Creator sign in</Link>
           </div>
 
           <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fit, minmax(200px, 1fr))', gap: 16, marginTop: 56, textAlign: 'left' }}>
@@ -99,6 +84,33 @@ export function LandingPage() {
   );
 }
 
+function CtaCard({ eyebrow, title, body, ctaLabel, to }: { eyebrow: string; title: string; body: string; ctaLabel: string; to: string }) {
+  return (
+    <div style={{ background: theme.surface, border: `1px solid ${theme.borderSubtle}`, borderRadius: theme.radiusSm, padding: 20 }}>
+      <div style={{ fontSize: 11, color: theme.accent, textTransform: 'uppercase', letterSpacing: '0.05em', marginBottom: 8 }}>{eyebrow}</div>
+      <div style={{ fontSize: 18, fontWeight: 600, marginBottom: 8 }}>{title}</div>
+      <p style={{ color: theme.textMuted, fontSize: 14, lineHeight: 1.5, marginBottom: 16 }}>{body}</p>
+      <Link to={to}>
+        <span
+          style={{
+            display: 'inline-flex',
+            alignItems: 'center',
+            gap: 6,
+            background: theme.accent,
+            color: theme.accentInk,
+            padding: '10px 14px',
+            borderRadius: theme.radiusSm,
+            fontSize: 13,
+            fontWeight: 600,
+          }}
+        >
+          {ctaLabel} <ArrowRight size={14} />
+        </span>
+      </Link>
+    </div>
+  );
+}
+
 function Pill({ icon, title, children }: { icon: React.ReactNode; title: string; children: React.ReactNode }) {
   return (
     <div style={{ background: theme.surface, border: `1px solid ${theme.borderSubtle}`, borderRadius: theme.radiusSm, padding: 16 }}>
diff --git a/apps/portal/src/pages/creator/CreatorDiscover.tsx b/apps/portal/src/pages/creator/CreatorDiscover.tsx
new file mode 100644
index 0000000..05cc50c
--- /dev/null
+++ b/apps/portal/src/pages/creator/CreatorDiscover.tsx
@@ -0,0 +1,99 @@
+import { useEffect, useState } from 'react';
+import { useQuery } from '@tanstack/react-query';
+import { Link } from 'react-router-dom';
+import { Globe } from 'lucide-react';
+import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page, Select } from '../../ui.js';
+import { theme } from '../../theme.js';
+import { creatorApi } from './creator-api.js';
+
+interface OfferingListItem {
+  id: string;
+  title: string;
+  description: string | null;
+  productUrl: string;
+  vendorId: string;
+  vendorName: string;
+  vendorPartnerCount: number;
+  terms: { commissionDescription?: string };
+  createdAt: string;
+}
+
+export function CreatorDiscoverPage() {
+  const [q, setQ] = useState('');
+  const [debouncedQ, setDebouncedQ] = useState('');
+  const [sort, setSort] = useState<'newest' | 'popular'>('newest');
+
+  useEffect(() => {
+    const t = window.setTimeout(() => setDebouncedQ(q.trim()), 250);
+    return () => window.clearTimeout(t);
+  }, [q]);
+
+  const params = new URLSearchParams();
+  if (debouncedQ) params.set('q', debouncedQ);
+  if (sort !== 'newest') params.set('sort', sort);
+  const qs = params.toString();
+
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['creator-discover', debouncedQ, sort],
+    queryFn: () => creatorApi<{ offerings: OfferingListItem[] }>(`/offerings${qs ? '?' + qs : ''}`),
+    retry: false,
+  });
+
+  return (
+    <Page title="Discover programs" subtitle="Partner programs across the OpenPartner Network. Apply to any.">
+      <ErrorBanner error={error} />
+      <Card>
+        <div style={{ display: 'flex', gap: 12, alignItems: 'flex-end', flexWrap: 'wrap' }}>
+          <div style={{ flex: 1, minWidth: 240 }}>
+            <Label>Search</Label>
+            <Input placeholder="Title or description…" value={q} onChange={(e) => setQ(e.target.value)} />
+          </div>
+          <div style={{ minWidth: 160 }}>
+            <Label>Sort</Label>
+            <Select value={sort} onChange={(e) => setSort(e.target.value as 'newest' | 'popular')}>
+              <option value="newest">Newest</option>
+              <option value="popular">Most partners</option>
+            </Select>
+          </div>
+        </div>
+      </Card>
+      <div style={{ height: 18 }} />
+      {isLoading ? (
+        <Card>Loading…</Card>
+      ) : !data || data.offerings.length === 0 ? (
+        <EmptyState
+          title={debouncedQ ? `No matches for "${debouncedQ}"` : 'No programs yet'}
+          hint={debouncedQ ? 'Try a different keyword.' : 'Vendors are joining all the time — check back soon.'}
+          icon={<Globe size={28} strokeWidth={1.25} />}
+        />
+      ) : (
+        <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fill, minmax(320px, 1fr))', gap: 16 }}>
+          {data.offerings.map((o) => (
+            <Card key={o.id}>
+              <div style={{ color: theme.textMuted, fontSize: 13 }}>
+                <Link to={`/creator/vendors/${o.vendorId}`} style={{ color: theme.textMuted }}>{o.vendorName}</Link>
+                {o.vendorPartnerCount > 0 && <> · {o.vendorPartnerCount} partner{o.vendorPartnerCount === 1 ? '' : 's'}</>}
+              </div>
+              <h3 style={{ marginTop: 4, marginBottom: 8 }}>
+                <Link to={`/creator/offerings/${o.id}`}>{o.title}</Link>
+              </h3>
+              {o.terms?.commissionDescription && (
+                <p style={{ fontSize: 13, color: theme.textMuted, margin: '4px 0' }}>{o.terms.commissionDescription}</p>
+              )}
+              {o.description && (
+                <p style={{ fontSize: 14, color: theme.text, margin: '8px 0' }}>
+                  {o.description.slice(0, 180)}{o.description.length > 180 ? '…' : ''}
+                </p>
+              )}
+              <div style={{ marginTop: 12 }}>
+                <Link to={`/creator/offerings/${o.id}`}>
+                  <Button>View &amp; apply</Button>
+                </Link>
+              </div>
+            </Card>
+          ))}
+        </div>
+      )}
+    </Page>
+  );
+}
diff --git a/apps/portal/src/pages/creator/CreatorMagicLanding.tsx b/apps/portal/src/pages/creator/CreatorMagicLanding.tsx
new file mode 100644
index 0000000..c216881
--- /dev/null
+++ b/apps/portal/src/pages/creator/CreatorMagicLanding.tsx
@@ -0,0 +1,45 @@
+import { useEffect, useState } from 'react';
+import { useNavigate, useSearchParams } from 'react-router-dom';
+import { theme } from '../../theme.js';
+import { AuthFrame } from '../auth/Shared.js';
+import { creatorApi } from './creator-api.js';
+
+export function CreatorMagicLandingPage() {
+  const [params] = useSearchParams();
+  const nav = useNavigate();
+  const [state, setState] = useState<'verifying' | 'ok' | 'failed'>('verifying');
+  const [detail, setDetail] = useState<string | null>(null);
+
+  useEffect(() => {
+    const token = params.get('token');
+    if (!token) {
+      setState('failed');
+      setDetail('No token in URL.');
+      return;
+    }
+    creatorApi<{ ok: boolean }>('/creators/verify', { method: 'POST', body: { token } })
+      .then(() => {
+        setState('ok');
+        setTimeout(() => nav('/creator', { replace: true }), 400);
+      })
+      .catch((err) => {
+        setState('failed');
+        setDetail(err?.message ?? 'Link is invalid or expired.');
+      });
+  }, [nav, params]);
+
+  return (
+    <AuthFrame title="Signing you in" subtitle="One moment…">
+      {state === 'verifying' && <div style={{ color: theme.textMuted, fontSize: 14 }}>Verifying your link…</div>}
+      {state === 'ok' && <div style={{ color: theme.success, fontSize: 14 }}>Signed in. Redirecting…</div>}
+      {state === 'failed' && (
+        <div style={{ color: theme.danger, fontSize: 14 }}>
+          {detail ?? 'Could not verify.'}
+          <div style={{ color: theme.textDim, fontSize: 13, marginTop: 10 }}>
+            Ask for a new link from <a href="/creator/login" style={{ color: theme.accent }}>the sign-in page</a>.
+          </div>
+        </div>
+      )}
+    </AuthFrame>
+  );
+}
diff --git a/apps/portal/src/pages/creator/CreatorMyAffiliations.tsx b/apps/portal/src/pages/creator/CreatorMyAffiliations.tsx
new file mode 100644
index 0000000..a441fe9
--- /dev/null
+++ b/apps/portal/src/pages/creator/CreatorMyAffiliations.tsx
@@ -0,0 +1,90 @@
+import { useQuery } from '@tanstack/react-query';
+import { Link } from 'react-router-dom';
+import { Globe } from 'lucide-react';
+import { Card, EmptyState, ErrorBanner, Page, Stat, StatusPill, formatDate, money } from '../../ui.js';
+import { theme } from '../../theme.js';
+import { creatorApi, ApiError } from './creator-api.js';
+
+interface Affiliation {
+  id: string;
+  vendorId: string;
+  vendorPartnerId: string;
+  status: string;
+  joinedVendorAt: string;
+  vendorName: string;
+  vendorInstanceUrl: string;
+}
+
+interface Earnings {
+  partnerId: string;
+  since: string;
+  clicks: number;
+  attributedEvents: number;
+  attributedRevenue: number;
+  commissionByStatus: Record<string, number>;
+}
+
+function EarningsBlock({ aff }: { aff: Affiliation }) {
+  const enabled = aff.status === 'active';
+  const { data, isLoading, error } = useQuery<Earnings, ApiError>({
+    queryKey: ['creator-aff-earnings', aff.id],
+    queryFn: () => creatorApi<Earnings>(`/creators/me/affiliations/${aff.id}/earnings`),
+    enabled,
+    retry: false,
+    staleTime: 60_000,
+  });
+
+  if (!enabled) return <p style={{ color: theme.textMuted, fontSize: 13 }}>Earnings appear once the partnership is active.</p>;
+  if (isLoading) return <p style={{ color: theme.textMuted, fontSize: 13 }}>Loading earnings…</p>;
+  if (error) {
+    if (error.status === 502) return <p style={{ color: theme.textMuted, fontSize: 13 }}>Vendor instance unreachable — earnings will refresh when it&rsquo;s back.</p>;
+    return <p style={{ color: theme.textMuted, fontSize: 13 }}>Couldn&rsquo;t load earnings.</p>;
+  }
+  if (!data) return null;
+  return (
+    <div style={{ display: 'flex', gap: 24, flexWrap: 'wrap', marginTop: 12 }}>
+      <Stat label="Clicks (30d)" value={data.clicks.toLocaleString()} />
+      <Stat label="Attributed events" value={data.attributedEvents.toLocaleString()} />
+      <Stat label="Revenue" value={money(data.attributedRevenue, 'USD')} />
+      {Object.entries(data.commissionByStatus ?? {}).map(([status, amount]) => (
+        <Stat key={status} label={`${status} commission`} value={money(amount, 'USD')} />
+      ))}
+    </div>
+  );
+}
+
+export function CreatorMyAffiliationsPage() {
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['creator-my-affiliations'],
+    queryFn: () => creatorApi<{ affiliations: Affiliation[] }>('/creators/me/affiliations'),
+    retry: false,
+  });
+
+  return (
+    <Page title="My partnerships" subtitle="Programs across the Network you&rsquo;re actively partnered with.">
+      <ErrorBanner error={error} />
+      {isLoading ? (
+        <Card>Loading…</Card>
+      ) : !data || data.affiliations.length === 0 ? (
+        <EmptyState
+          title="No partnerships yet"
+          hint="Browse and apply to programs to get started."
+          icon={<Globe size={28} strokeWidth={1.25} />}
+        />
+      ) : (
+        data.affiliations.map((a) => (
+          <Card key={a.id}>
+            <div style={{ display: 'flex', alignItems: 'baseline', gap: 12 }}>
+              <h3 style={{ marginTop: 0, marginBottom: 4, flex: 1 }}>
+                <Link to={`/creator/vendors/${a.vendorId}`}>{a.vendorName}</Link>
+              </h3>
+              <StatusPill status={a.status} />
+            </div>
+            <p style={{ color: theme.textMuted, fontSize: 13 }}>Joined {formatDate(a.joinedVendorAt, { relative: true })}</p>
+            <EarningsBlock aff={a} />
+          </Card>
+        ))
+      )}
+    </Page>
+  );
+}
diff --git a/apps/portal/src/pages/creator/CreatorMyProfile.tsx b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
new file mode 100644
index 0000000..a2b156d
--- /dev/null
+++ b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
@@ -0,0 +1,111 @@
+import { useEffect, useState } from 'react';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { Button, Card, ErrorBanner, Input, Label, Page } from '../../ui.js';
+import { theme } from '../../theme.js';
+import { creatorApi } from './creator-api.js';
+
+interface Profile {
+  id: string;
+  email: string;
+  name: string;
+  handle: string | null;
+  avatarUrl: string | null;
+  bio: string | null;
+  profile: Record<string, unknown> | null;
+  createdAt: string;
+}
+
+export function CreatorMyProfilePage() {
+  const qc = useQueryClient();
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['creator-my-profile'],
+    queryFn: () => creatorApi<Profile>('/creators/me'),
+    retry: false,
+  });
+
+  const [name, setName] = useState('');
+  const [handle, setHandle] = useState('');
+  const [avatarUrl, setAvatarUrl] = useState('');
+  const [bio, setBio] = useState('');
+
+  useEffect(() => {
+    if (data) {
+      setName(data.name ?? '');
+      setHandle(data.handle ?? '');
+      setAvatarUrl(data.avatarUrl ?? '');
+      setBio(data.bio ?? '');
+    }
+  }, [data]);
+
+  const save = useMutation({
+    mutationFn: () =>
+      creatorApi('/creators/me', {
+        method: 'PATCH',
+        body: {
+          name: name || undefined,
+          handle: handle || null,
+          avatarUrl: avatarUrl || null,
+          bio: bio || null,
+        },
+      }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['creator-my-profile'] }),
+  });
+
+  return (
+    <Page title="Profile" subtitle="How vendors see you across the Network.">
+      <ErrorBanner error={error} />
+      <ErrorBanner error={save.error} />
+      {isLoading ? (
+        <Card>Loading…</Card>
+      ) : data ? (
+        <Card>
+          <div style={{ display: 'grid', gap: 12, maxWidth: 520 }}>
+            <div>
+              <Label>Email</Label>
+              <Input value={data.email} disabled readOnly />
+              <p style={{ color: theme.textMuted, fontSize: 12, marginTop: 4 }}>
+                Email is the join key across vendors and can&rsquo;t be changed here.
+              </p>
+            </div>
+            <div>
+              <Label>Display name</Label>
+              <Input value={name} onChange={(e) => setName(e.target.value)} />
+            </div>
+            <div>
+              <Label>Handle</Label>
+              <Input value={handle} onChange={(e) => setHandle(e.target.value)} placeholder="your-handle" />
+              <p style={{ color: theme.textMuted, fontSize: 12, marginTop: 4 }}>
+                Used as your default share-link slug.
+              </p>
+            </div>
+            <div>
+              <Label>Avatar URL</Label>
+              <Input value={avatarUrl} onChange={(e) => setAvatarUrl(e.target.value)} placeholder="https://…" />
+            </div>
+            <div>
+              <Label>Bio</Label>
+              <textarea
+                value={bio}
+                onChange={(e) => setBio(e.target.value)}
+                rows={4}
+                style={{
+                  width: '100%',
+                  padding: '8px 10px',
+                  border: `1px solid ${theme.border}`,
+                  borderRadius: 6,
+                  fontFamily: 'inherit',
+                  fontSize: 14,
+                }}
+              />
+            </div>
+            <div>
+              <Button onClick={() => save.mutate()} disabled={save.isPending}>
+                {save.isPending ? 'Saving…' : save.isSuccess ? 'Saved' : 'Save changes'}
+              </Button>
+            </div>
+          </div>
+        </Card>
+      ) : null}
+    </Page>
+  );
+}
diff --git a/apps/portal/src/pages/creator/CreatorMyRequests.tsx b/apps/portal/src/pages/creator/CreatorMyRequests.tsx
new file mode 100644
index 0000000..1587c86
--- /dev/null
+++ b/apps/portal/src/pages/creator/CreatorMyRequests.tsx
@@ -0,0 +1,72 @@
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { Inbox } from 'lucide-react';
+import { Link } from 'react-router-dom';
+import { Button, Card, EmptyState, ErrorBanner, Page, StatusPill, formatDate } from '../../ui.js';
+import { theme } from '../../theme.js';
+import { creatorApi } from './creator-api.js';
+
+interface RequestRow {
+  id: string;
+  status: 'pending' | 'approved' | 'rejected' | 'cancelled';
+  message: string | null;
+  preferredSlug: string | null;
+  decisionNote: string | null;
+  createdAt: string;
+  decidedAt: string | null;
+  offeringId: string;
+  offeringTitle: string;
+  vendorId: string;
+  vendorName: string;
+}
+
+export function CreatorMyRequestsPage() {
+  const qc = useQueryClient();
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['creator-my-requests'],
+    queryFn: () => creatorApi<{ requests: RequestRow[] }>('/creators/me/requests'),
+    retry: false,
+  });
+  const cancel = useMutation({
+    mutationFn: (id: string) => creatorApi(`/creators/me/requests/${id}/cancel`, { method: 'POST' }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['creator-my-requests'] }),
+  });
+
+  return (
+    <Page title="My applications" subtitle="Programs you&rsquo;ve applied to across the Network.">
+      <ErrorBanner error={error} />
+      {isLoading ? (
+        <Card>Loading…</Card>
+      ) : !data || data.requests.length === 0 ? (
+        <EmptyState title="No applications yet" hint="Browse programs to apply." icon={<Inbox size={28} strokeWidth={1.25} />} />
+      ) : (
+        data.requests.map((r) => (
+          <Card key={r.id}>
+            <div style={{ display: 'flex', alignItems: 'baseline', gap: 12 }}>
+              <h3 style={{ marginTop: 0, marginBottom: 4, flex: 1 }}>
+                <Link to={`/creator/offerings/${r.offeringId}`}>{r.offeringTitle}</Link>{' '}
+                <span style={{ color: theme.textMuted, fontWeight: 'normal', fontSize: 14 }}>· {r.vendorName}</span>
+              </h3>
+              <StatusPill status={r.status} />
+            </div>
+            <p style={{ color: theme.textMuted, fontSize: 13 }}>
+              Applied {formatDate(r.createdAt, { relative: true })}
+              {r.decidedAt && <> · decided {formatDate(r.decidedAt, { relative: true })}</>}
+            </p>
+            {r.decisionNote && (
+              <p style={{ color: theme.text, fontSize: 14, marginTop: 8 }}>
+                <strong>Vendor note:</strong> {r.decisionNote}
+              </p>
+            )}
+            {r.status === 'pending' && (
+              <div style={{ marginTop: 12 }}>
+                <Button variant="secondary" onClick={() => cancel.mutate(r.id)} disabled={cancel.isPending}>
+                  Cancel application
+                </Button>
+              </div>
+            )}
+          </Card>
+        ))
+      )}
+    </Page>
+  );
+}
diff --git a/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx b/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx
new file mode 100644
index 0000000..fae4909
--- /dev/null
+++ b/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx
@@ -0,0 +1,131 @@
+import { useState } from 'react';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { Link, useNavigate, useParams } from 'react-router-dom';
+import { Button, Card, ErrorBanner, Input, Label, Page } from '../../ui.js';
+import { theme } from '../../theme.js';
+import { creatorApi, ApiError } from './creator-api.js';
+
+interface Offering {
+  id: string;
+  title: string;
+  description: string | null;
+  productUrl: string;
+  vendorId: string;
+  vendorName: string;
+  terms: {
+    commissionDescription?: string;
+    cookieWindowDays?: number;
+    payoutCadence?: string;
+    bonuses?: string[];
+  };
+  createdAt: string;
+}
+
+interface Whoami {
+  creator: { id: string; handle: string | null } | null;
+}
+
+export function CreatorOfferingDetailPage() {
+  const { id } = useParams<{ id: string }>();
+  const navigate = useNavigate();
+  const qc = useQueryClient();
+  const [message, setMessage] = useState('');
+  const [preferredSlug, setPreferredSlug] = useState('');
+
+  const { data: offering, isLoading, error } = useQuery({
+    queryKey: ['creator-offering', id],
+    queryFn: () => creatorApi<Offering>(`/offerings/${id}`),
+    enabled: !!id,
+    retry: false,
+  });
+
+  const { data: whoami } = useQuery({
+    queryKey: ['creator-whoami'],
+    queryFn: () => creatorApi<Whoami>('/creators/whoami'),
+    retry: false,
+  });
+
+  const apply = useMutation({
+    mutationFn: () =>
+      creatorApi(`/offerings/${id}/apply`, {
+        method: 'POST',
+        body: { message: message || undefined, preferredSlug: preferredSlug || undefined },
+      }),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['creator-my-requests'] });
+      navigate('/creator/requests');
+    },
+  });
+
+  return (
+    <Page title={offering?.title ?? 'Program'} subtitle={offering?.vendorName}>
+      <ErrorBanner error={error} />
+      {isLoading && <Card>Loading…</Card>}
+      {offering && (
+        <>
+          <Card>
+            {offering.terms.commissionDescription && (
+              <p style={{ color: theme.textMuted, fontSize: 14 }}>{offering.terms.commissionDescription}</p>
+            )}
+            {offering.description && <p style={{ marginTop: 8 }}>{offering.description}</p>}
+            <p style={{ marginTop: 12 }}>
+              <a href={offering.productUrl} target="_blank" rel="noopener noreferrer">View product →</a>
+            </p>
+            <div style={{ display: 'flex', gap: 16, flexWrap: 'wrap', marginTop: 12, color: theme.textMuted, fontSize: 13 }}>
+              {offering.terms.cookieWindowDays != null && <span>Cookie window: {offering.terms.cookieWindowDays} days</span>}
+              {offering.terms.payoutCadence && <span>Payouts: {offering.terms.payoutCadence}</span>}
+            </div>
+          </Card>
+
+          <div style={{ height: 18 }} />
+
+          <Card>
+            <h3 style={{ marginTop: 0 }}>Apply to promote</h3>
+            {!whoami?.creator ? (
+              <p style={{ color: theme.textMuted }}>
+                <Link to="/creator/signup" style={{ color: theme.accent }}>Sign up</Link> or <Link to="/creator/login" style={{ color: theme.accent }}>sign in</Link> to apply.
+              </p>
+            ) : (
+              <>
+                <ErrorBanner error={apply.error} />
+                {apply.error instanceof ApiError && apply.error.message === 'request_already_exists' && (
+                  <p style={{ color: theme.textMuted, fontSize: 13 }}>You already have a pending or active request for this program.</p>
+                )}
+                <div style={{ marginTop: 8 }}>
+                  <Label>Preferred share-link slug (optional)</Label>
+                  <Input
+                    placeholder={whoami.creator.handle ?? 'your-handle'}
+                    value={preferredSlug}
+                    onChange={(e) => setPreferredSlug(e.target.value)}
+                  />
+                </div>
+                <div style={{ marginTop: 12 }}>
+                  <Label>Message to the vendor (optional)</Label>
+                  <textarea
+                    value={message}
+                    onChange={(e) => setMessage(e.target.value)}
+                    rows={4}
+                    placeholder="Why you'd be a great partner…"
+                    style={{
+                      width: '100%',
+                      padding: '8px 10px',
+                      border: `1px solid ${theme.border}`,
+                      borderRadius: 6,
+                      fontFamily: 'inherit',
+                      fontSize: 14,
+                    }}
+                  />
+                </div>
+                <div style={{ marginTop: 12 }}>
+                  <Button onClick={() => apply.mutate()} disabled={apply.isPending}>
+                    {apply.isPending ? 'Applying…' : 'Submit application'}
+                  </Button>
+                </div>
+              </>
+            )}
+          </Card>
+        </>
+      )}
+    </Page>
+  );
+}
diff --git a/apps/portal/src/pages/creator/CreatorShell.tsx b/apps/portal/src/pages/creator/CreatorShell.tsx
new file mode 100644
index 0000000..be9e0cd
--- /dev/null
+++ b/apps/portal/src/pages/creator/CreatorShell.tsx
@@ -0,0 +1,184 @@
+import { useEffect, useState, type ReactNode } from 'react';
+import { Link, Navigate, Route, Routes, useLocation, useNavigate } from 'react-router-dom';
+import { useQuery } from '@tanstack/react-query';
+import { Globe, Inbox, LogOut, Megaphone, UserCog } from 'lucide-react';
+import { theme } from '../../theme.js';
+import { Logo } from '../auth/Shared.js';
+import { creatorApi } from './creator-api.js';
+import { CreatorDiscoverPage } from './CreatorDiscover.js';
+import { CreatorOfferingDetailPage } from './CreatorOfferingDetail.js';
+import { CreatorVendorDetailPage } from './CreatorVendorDetail.js';
+import { CreatorMyAffiliationsPage } from './CreatorMyAffiliations.js';
+import { CreatorMyRequestsPage } from './CreatorMyRequests.js';
+import { CreatorMyProfilePage } from './CreatorMyProfile.js';
+
+interface Whoami {
+  creator: { id: string; name: string; email: string; handle: string | null; avatarUrl: string | null; bio: string | null } | null;
+}
+
+export function CreatorShell() {
+  const [auth, setAuth] = useState<{ loading: boolean; creator: Whoami['creator'] | null }>({ loading: true, creator: null });
+  const location = useLocation();
+
+  useEffect(() => {
+    creatorApi<Whoami>('/creators/whoami')
+      .then((r) => setAuth({ loading: false, creator: r.creator }))
+      .catch(() => setAuth({ loading: false, creator: null }));
+  }, []);
+
+  if (auth.loading) {
+    return <div style={{ minHeight: '100vh', display: 'flex', alignItems: 'center', justifyContent: 'center', background: theme.bg, color: theme.textMuted }}>Loading…</div>;
+  }
+  if (!auth.creator) {
+    return <Navigate to="/creator/login" state={{ from: location }} replace />;
+  }
+
+  return (
+    <div style={{ display: 'flex', minHeight: '100vh', background: theme.bg }}>
+      <CreatorSidebar creator={auth.creator} />
+      <main style={{ flex: 1, minWidth: 0, overflow: 'auto' }}>
+        <Routes>
+          <Route index element={<Navigate to="discover" replace />} />
+          <Route path="discover" element={<CreatorDiscoverPage />} />
+          <Route path="offerings/:id" element={<CreatorOfferingDetailPage />} />
+          <Route path="vendors/:id" element={<CreatorVendorDetailPage />} />
+          <Route path="affiliations" element={<CreatorMyAffiliationsPage />} />
+          <Route path="requests" element={<CreatorMyRequestsPage />} />
+          <Route path="profile" element={<CreatorMyProfilePage />} />
+          <Route path="*" element={<Navigate to="discover" replace />} />
+        </Routes>
+      </main>
+    </div>
+  );
+}
+
+function CreatorSidebar({ creator }: { creator: NonNullable<Whoami['creator']> }) {
+  const nav = useNavigate();
+  return (
+    <aside
+      style={{
+        width: 248,
+        background: theme.sidebar,
+        borderRight: `1px solid ${theme.borderSubtle}`,
+        display: 'flex',
+        flexDirection: 'column',
+        padding: '20px 14px',
+      }}
+    >
+      <div style={{ display: 'flex', alignItems: 'center', gap: 10, padding: '4px 8px', marginBottom: 20 }}>
+        <Logo />
+        <div style={{ fontSize: 15, fontWeight: 600, letterSpacing: '-0.01em' }}>OpenPartner</div>
+      </div>
+
+      <CreatorChip creator={creator} />
+
+      <div style={{ flex: 1, display: 'flex', flexDirection: 'column', gap: 14, overflow: 'auto' }}>
+        <NavSection title="Network">
+          <CreatorNavItem to="/creator/discover" icon={<Globe size={16} />}>Discover programs</CreatorNavItem>
+          <CreatorNavItem to="/creator/affiliations" icon={<Megaphone size={16} />}>My partnerships</CreatorNavItem>
+          <CreatorNavItem to="/creator/requests" icon={<Inbox size={16} />}>My applications</CreatorNavItem>
+          <CreatorNavItem to="/creator/profile" icon={<UserCog size={16} />}>Profile</CreatorNavItem>
+        </NavSection>
+      </div>
+
+      <button
+        onClick={async () => {
+          try {
+            await creatorApi('/creators/signout', { method: 'POST' });
+          } catch {
+            /* ignore */
+          }
+          nav('/');
+        }}
+        style={{
+          display: 'flex',
+          alignItems: 'center',
+          justifyContent: 'center',
+          gap: 8,
+          marginTop: 14,
+          background: 'transparent',
+          color: theme.textMuted,
+          border: `1px solid ${theme.borderSubtle}`,
+          borderRadius: theme.radiusSm,
+          padding: '9px 12px',
+          fontSize: 13,
+          cursor: 'pointer',
+        }}
+      >
+        <LogOut size={14} />
+        Sign out
+      </button>
+    </aside>
+  );
+}
+
+function CreatorChip({ creator }: { creator: NonNullable<Whoami['creator']> }) {
+  return (
+    <div
+      style={{
+        background: theme.surface,
+        border: `1px solid ${theme.borderSubtle}`,
+        borderRadius: theme.radiusSm,
+        padding: '10px 12px',
+        marginBottom: 18,
+        display: 'flex',
+        alignItems: 'center',
+        gap: 10,
+      }}
+    >
+      <div
+        style={{
+          width: 28,
+          height: 28,
+          borderRadius: '50%',
+          background: theme.accent,
+          color: theme.accentInk,
+          display: 'flex',
+          alignItems: 'center',
+          justifyContent: 'center',
+          fontWeight: 600,
+          fontSize: 12,
+        }}
+      >
+        {creator.name.charAt(0).toUpperCase()}
+      </div>
+      <div style={{ minWidth: 0, flex: 1 }}>
+        <div style={{ fontSize: 13, fontWeight: 500, whiteSpace: 'nowrap', overflow: 'hidden', textOverflow: 'ellipsis' }}>{creator.name}</div>
+        <div style={{ fontSize: 11, color: theme.textMuted, whiteSpace: 'nowrap', overflow: 'hidden', textOverflow: 'ellipsis' }}>{creator.email}</div>
+      </div>
+    </div>
+  );
+}
+
+function NavSection({ title, children }: { title: string; children: ReactNode }) {
+  return (
+    <div>
+      <div style={{ fontSize: 11, color: theme.textDim, textTransform: 'uppercase', letterSpacing: '0.05em', padding: '0 8px', marginBottom: 6 }}>{title}</div>
+      <div style={{ display: 'flex', flexDirection: 'column', gap: 2 }}>{children}</div>
+    </div>
+  );
+}
+
+function CreatorNavItem({ to, icon, children }: { to: string; icon: ReactNode; children: ReactNode }) {
+  const location = useLocation();
+  const active = location.pathname === to || (to !== '/creator' && location.pathname.startsWith(to));
+  return (
+    <Link
+      to={to}
+      style={{
+        display: 'flex',
+        alignItems: 'center',
+        gap: 10,
+        padding: '8px 10px',
+        borderRadius: 6,
+        background: active ? theme.surface : 'transparent',
+        color: active ? theme.text : theme.textMuted,
+        fontSize: 13.5,
+        fontWeight: active ? 500 : 400,
+      }}
+    >
+      {icon}
+      <span>{children}</span>
+    </Link>
+  );
+}
diff --git a/apps/portal/src/pages/creator/CreatorSignin.tsx b/apps/portal/src/pages/creator/CreatorSignin.tsx
new file mode 100644
index 0000000..e1182d4
--- /dev/null
+++ b/apps/portal/src/pages/creator/CreatorSignin.tsx
@@ -0,0 +1,83 @@
+import { useState } from 'react';
+import { Link } from 'react-router-dom';
+import { theme } from '../../theme.js';
+import { AuthFrame } from '../auth/Shared.js';
+import { creatorApi, ApiError } from './creator-api.js';
+
+export function CreatorSigninPage() {
+  const [email, setEmail] = useState('');
+  const [busy, setBusy] = useState(false);
+  const [err, setErr] = useState<string | null>(null);
+  const [sent, setSent] = useState(false);
+
+  async function submit(e: React.FormEvent) {
+    e.preventDefault();
+    setBusy(true);
+    setErr(null);
+    try {
+      await creatorApi('/creators/signin', {
+        method: 'POST',
+        body: { email: email.trim() },
+      });
+      setSent(true);
+    } catch (e) {
+      setErr(e instanceof ApiError ? e.message : 'Something went wrong.');
+    } finally {
+      setBusy(false);
+    }
+  }
+
+  if (sent) {
+    return (
+      <AuthFrame title="Check your inbox" subtitle={`If an account exists for ${email}, we just sent a sign-in link.`}>
+        <div style={{ background: theme.successSoft, border: `1px solid ${theme.success}55`, padding: 14, borderRadius: theme.radiusSm, fontSize: 13, color: theme.success }}>
+          The link is good for 15 minutes.
+        </div>
+      </AuthFrame>
+    );
+  }
+
+  return (
+    <AuthFrame title="Creator sign in" subtitle="We&rsquo;ll email you a one-time sign-in link.">
+      <form onSubmit={submit}>
+        <div style={{ marginBottom: 12 }}>
+          <div style={{ fontSize: 12, color: theme.textMuted, marginBottom: 4 }}>Email</div>
+          <input type="email" value={email} onChange={(e) => setEmail(e.target.value)} placeholder="ada@example.com" required autoFocus style={inputStyle} />
+        </div>
+        {err && <div style={{ color: theme.danger, fontSize: 13, marginBottom: 8 }}>{err}</div>}
+        <button type="submit" disabled={busy} style={primaryBtnStyle(busy)}>
+          {busy ? 'Sending…' : 'Email me a sign-in link'}
+        </button>
+        <div style={{ marginTop: 12, fontSize: 12, color: theme.textDim, textAlign: 'center' }}>
+          New here? <Link to="/creator/signup" style={{ color: theme.accent }}>Create an account</Link> · <Link to="/" style={{ color: theme.accent }}>Home</Link>
+        </div>
+      </form>
+    </AuthFrame>
+  );
+}
+
+const inputStyle: React.CSSProperties = {
+  width: '100%',
+  padding: '10px 12px',
+  fontSize: 14,
+  background: theme.surface2,
+  border: `1px solid ${theme.border}`,
+  borderRadius: theme.radiusSm,
+  color: theme.text,
+};
+
+function primaryBtnStyle(disabled: boolean): React.CSSProperties {
+  return {
+    marginTop: 6,
+    width: '100%',
+    padding: '10px 14px',
+    background: theme.accent,
+    color: theme.accentInk,
+    border: 'none',
+    borderRadius: theme.radiusSm,
+    fontSize: 14,
+    fontWeight: 600,
+    cursor: disabled ? 'not-allowed' : 'pointer',
+    opacity: disabled ? 0.5 : 1,
+  };
+}
diff --git a/apps/portal/src/pages/creator/CreatorSignup.tsx b/apps/portal/src/pages/creator/CreatorSignup.tsx
new file mode 100644
index 0000000..84d36a0
--- /dev/null
+++ b/apps/portal/src/pages/creator/CreatorSignup.tsx
@@ -0,0 +1,122 @@
+import { useState } from 'react';
+import { Link, useNavigate } from 'react-router-dom';
+import { theme } from '../../theme.js';
+import { AuthFrame } from '../auth/Shared.js';
+import { creatorApi, ApiError } from './creator-api.js';
+
+export function CreatorSignupPage() {
+  const nav = useNavigate();
+  const [email, setEmail] = useState('');
+  const [name, setName] = useState('');
+  const [handle, setHandle] = useState('');
+  const [busy, setBusy] = useState(false);
+  const [err, setErr] = useState<string | null>(null);
+  const [sent, setSent] = useState(false);
+
+  async function submit(e: React.FormEvent) {
+    e.preventDefault();
+    setBusy(true);
+    setErr(null);
+    try {
+      await creatorApi('/creators/signup', {
+        method: 'POST',
+        body: { email: email.trim(), name: name.trim(), handle: handle.trim() || undefined },
+      });
+      setSent(true);
+    } catch (e) {
+      setErr(e instanceof ApiError ? e.message : 'Something went wrong.');
+    } finally {
+      setBusy(false);
+    }
+  }
+
+  if (sent) {
+    return (
+      <AuthFrame title="Check your inbox" subtitle={`We just emailed ${email} a sign-in link.`}>
+        <div style={{ background: theme.successSoft, border: `1px solid ${theme.success}55`, padding: 14, borderRadius: theme.radiusSm, fontSize: 13, color: theme.success }}>
+          <div style={{ fontWeight: 500, marginBottom: 6 }}>Account created.</div>
+          <div style={{ color: `${theme.success}cc` }}>
+            Click the link in the email to finish signing in. It&rsquo;s good for 15 minutes.
+          </div>
+        </div>
+      </AuthFrame>
+    );
+  }
+
+  return (
+    <AuthFrame title="Sign up as a creator" subtitle="Browse and apply to partner programs across the OpenPartner Network.">
+      <form onSubmit={submit}>
+        <Field label="Your name">
+          <input value={name} onChange={(e) => setName(e.target.value)} placeholder="Ada Lovelace" required style={inputStyle} />
+        </Field>
+        <Field label="Email" hint="We'll send your sign-in link here.">
+          <input type="email" value={email} onChange={(e) => setEmail(e.target.value)} placeholder="ada@example.com" required style={inputStyle} />
+        </Field>
+        <Field label="Handle (optional)" hint="Letters, numbers, hyphens. Used as your default share-link slug.">
+          <input
+            value={handle}
+            onChange={(e) => setHandle(e.target.value.toLowerCase().replace(/[^a-z0-9_-]/g, ''))}
+            placeholder="ada"
+            pattern="[a-zA-Z0-9_-]{2,40}"
+            style={{ ...inputStyle, fontFamily: theme.fontMono }}
+          />
+        </Field>
+        {err && <div style={{ color: theme.danger, fontSize: 13, marginTop: 4, marginBottom: 8 }}>{err}</div>}
+        <button type="submit" disabled={busy} style={primaryBtnStyle(busy)}>
+          {busy ? 'Sending…' : 'Send me a sign-in link'}
+        </button>
+        <div style={{ marginTop: 12, fontSize: 12, color: theme.textDim, textAlign: 'center' }}>
+          Already have an account? <Link to="/creator/login" style={{ color: theme.accent }}>Sign in</Link> · <Link to="/" style={{ color: theme.accent }}>Home</Link>
+        </div>
+        <div style={{ marginTop: 6, fontSize: 12, color: theme.textDim, textAlign: 'center' }}>
+          Running a program instead? <button type="button" onClick={() => nav('/signup')} style={linkBtnStyle}>Vendor signup →</button>
+        </div>
+      </form>
+    </AuthFrame>
+  );
+}
+
+function Field({ label, hint, children }: { label: string; hint?: string; children: React.ReactNode }) {
+  return (
+    <div style={{ marginBottom: 12 }}>
+      <div style={{ fontSize: 12, color: theme.textMuted, marginBottom: 4 }}>{label}</div>
+      {children}
+      {hint && <div style={{ fontSize: 11, color: theme.textDim, marginTop: 4 }}>{hint}</div>}
+    </div>
+  );
+}
+
+const inputStyle: React.CSSProperties = {
+  width: '100%',
+  padding: '10px 12px',
+  fontSize: 14,
+  background: theme.surface2,
+  border: `1px solid ${theme.border}`,
+  borderRadius: theme.radiusSm,
+  color: theme.text,
+};
+
+function primaryBtnStyle(disabled: boolean): React.CSSProperties {
+  return {
+    marginTop: 6,
+    width: '100%',
+    padding: '10px 14px',
+    background: theme.accent,
+    color: theme.accentInk,
+    border: 'none',
+    borderRadius: theme.radiusSm,
+    fontSize: 14,
+    fontWeight: 600,
+    cursor: disabled ? 'not-allowed' : 'pointer',
+    opacity: disabled ? 0.5 : 1,
+  };
+}
+
+const linkBtnStyle: React.CSSProperties = {
+  background: 'transparent',
+  border: 'none',
+  color: theme.accent,
+  cursor: 'pointer',
+  font: 'inherit',
+  padding: 0,
+};
diff --git a/apps/portal/src/pages/creator/CreatorVendorDetail.tsx b/apps/portal/src/pages/creator/CreatorVendorDetail.tsx
new file mode 100644
index 0000000..8843394
--- /dev/null
+++ b/apps/portal/src/pages/creator/CreatorVendorDetail.tsx
@@ -0,0 +1,46 @@
+import { useQuery } from '@tanstack/react-query';
+import { useParams } from 'react-router-dom';
+import { Card, ErrorBanner, Page } from '../../ui.js';
+import { theme } from '../../theme.js';
+import { creatorApi } from './creator-api.js';
+
+interface Vendor {
+  id: string;
+  displayName: string;
+  instanceUrl: string;
+  status: string;
+  partnerCount: number;
+  description?: string | null;
+  websiteUrl?: string | null;
+  createdAt: string;
+}
+
+export function CreatorVendorDetailPage() {
+  const { id } = useParams<{ id: string }>();
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['creator-vendor', id],
+    queryFn: () => creatorApi<Vendor>(`/vendors/${id}`),
+    enabled: !!id,
+    retry: false,
+  });
+
+  return (
+    <Page title={data?.displayName ?? 'Vendor'} subtitle="Network member">
+      <ErrorBanner error={error} />
+      {isLoading && <Card>Loading…</Card>}
+      {data && (
+        <Card>
+          <div style={{ color: theme.textMuted, fontSize: 13 }}>
+            {data.partnerCount} partner{data.partnerCount === 1 ? '' : 's'}
+          </div>
+          {data.description && <p style={{ marginTop: 12 }}>{data.description}</p>}
+          {data.websiteUrl && (
+            <p style={{ marginTop: 12 }}>
+              <a href={data.websiteUrl} target="_blank" rel="noopener noreferrer">Visit website →</a>
+            </p>
+          )}
+        </Card>
+      )}
+    </Page>
+  );
+}
diff --git a/apps/portal/src/pages/creator/creator-api.ts b/apps/portal/src/pages/creator/creator-api.ts
new file mode 100644
index 0000000..0a1913f
--- /dev/null
+++ b/apps/portal/src/pages/creator/creator-api.ts
@@ -0,0 +1,48 @@
+/**
+ * Creator-portal API client.
+ *
+ * Backend mounts a reverse proxy at /api/creator-api/* that forwards to
+ * the Network's /creators/* + /offerings/* endpoints with cookie
+ * pass-through, so the Network's `op_network_creator_session` cookie
+ * lands on app.openpartner.dev and Just Works for subsequent calls.
+ */
+
+export class ApiError extends Error {
+  constructor(public status: number, message: string, public detail?: unknown) {
+    super(message);
+  }
+}
+
+export async function creatorApi<T = unknown>(
+  path: string,
+  init: Omit<RequestInit, 'body'> & { body?: unknown } = {},
+): Promise<T> {
+  const headers = new Headers(init.headers);
+  if (init.body !== undefined && !headers.has('content-type')) {
+    headers.set('content-type', 'application/json');
+  }
+  const res = await fetch(`/api/creator-api${path}`, {
+    ...init,
+    headers,
+    credentials: 'include',
+    body: init.body === undefined
+      ? undefined
+      : typeof init.body === 'string'
+        ? init.body
+        : JSON.stringify(init.body),
+  });
+  if (!res.ok) {
+    let detail: unknown = null;
+    try {
+      detail = await res.json();
+    } catch {
+      /* ignore */
+    }
+    const detailMsg = (detail && typeof detail === 'object' && 'error' in detail)
+      ? String((detail as { error: unknown }).error)
+      : `${res.status} ${res.statusText}`;
+    throw new ApiError(res.status, detailMsg, detail);
+  }
+  if (res.status === 204) return undefined as unknown as T;
+  return res.json() as Promise<T>;
+}

From 02230ccaa7e4ea2787126cb2d0b0c923b20a21fa Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 11:13:11 -0700
Subject: [PATCH 035/131] chore(portal): rename vendor CTAs from "program" to
 "brand"

Brands is the term we want for the merchant side; "vendor"/"program"
was internal language leaking into the UI. Three call sites:
Landing CtaCard, Signup AuthFrame title, and the creator-signup
cross-link.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/pages/Landing.tsx               | 4 ++--
 apps/portal/src/pages/Signup.tsx                | 2 +-
 apps/portal/src/pages/creator/CreatorSignup.tsx | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/apps/portal/src/pages/Landing.tsx b/apps/portal/src/pages/Landing.tsx
index 67a280c..4ab6187 100644
--- a/apps/portal/src/pages/Landing.tsx
+++ b/apps/portal/src/pages/Landing.tsx
@@ -44,10 +44,10 @@ export function LandingPage() {
 
           <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fit, minmax(280px, 1fr))', gap: 16, marginTop: 32, textAlign: 'left' }}>
             <CtaCard
-              eyebrow="For vendors"
+              eyebrow="For brands"
               title="Run your own partner program"
               body="Create a tenant, invite partners, track every click → signup → revenue, run payouts via Stripe Connect."
-              ctaLabel="Create your program"
+              ctaLabel="Sign up as a brand"
               to="/signup"
             />
             <CtaCard
diff --git a/apps/portal/src/pages/Signup.tsx b/apps/portal/src/pages/Signup.tsx
index bdaeb73..1f8b8ec 100644
--- a/apps/portal/src/pages/Signup.tsx
+++ b/apps/portal/src/pages/Signup.tsx
@@ -71,7 +71,7 @@ export function SignupPage() {
   }
 
   return (
-    <AuthFrame title="Create your program" subtitle="One minute to provision. We'll email you a sign-in link.">
+    <AuthFrame title="Sign up as a brand" subtitle="One minute to provision your partner program. We'll email you a sign-in link.">
       <form onSubmit={submit}>
         <Field label="Program name" hint="What partners see in your portal — e.g. Acme Affiliates.">
           <input
diff --git a/apps/portal/src/pages/creator/CreatorSignup.tsx b/apps/portal/src/pages/creator/CreatorSignup.tsx
index 84d36a0..65494f6 100644
--- a/apps/portal/src/pages/creator/CreatorSignup.tsx
+++ b/apps/portal/src/pages/creator/CreatorSignup.tsx
@@ -69,7 +69,7 @@ export function CreatorSignupPage() {
           Already have an account? <Link to="/creator/login" style={{ color: theme.accent }}>Sign in</Link> · <Link to="/" style={{ color: theme.accent }}>Home</Link>
         </div>
         <div style={{ marginTop: 6, fontSize: 12, color: theme.textDim, textAlign: 'center' }}>
-          Running a program instead? <button type="button" onClick={() => nav('/signup')} style={linkBtnStyle}>Vendor signup →</button>
+          Are you a brand? <button type="button" onClick={() => nav('/signup')} style={linkBtnStyle}>Sign up as a brand →</button>
         </div>
       </form>
     </AuthFrame>

From 5dc428248a2dfa57a4fe5e5ae8554d01c58722b5 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 11:21:55 -0700
Subject: [PATCH 036/131] feat(portal): rewrite Landing in marketing voice;
 unified email signin
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Landing now mirrors openpartner.dev's tone — brand+creator parity, no
engineering jargon, the same headline ("Launch a partner program. Grow
it with the Network.") and the same value-prop bullets. Two equal-
weight audience cards driving to /signup and /creator/signup.

Sign-in is unified at /signin: one email field, no "are you a brand or
a creator" picker. Backend looks up Admin rows across all tenants and
the Network Creator by email; emails magic links for whichever match.
Always 200 silently to avoid email enumeration.

- POST /api/signin (multi-tenant only) — admin lookup across tenants +
  Network creator forward, both best-effort.
- /signin SPA page with the standard "check your inbox" success state.
- Landing header: "Sign in" link replaces the creator-only signin
  link; "Already have an account? Sign in" CTA below the audience
  cards.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/app.ts               |   2 +
 apps/api/src/routes/signin.ts     |  90 +++++++++++++++++
 apps/portal/src/App.tsx           |   2 +
 apps/portal/src/pages/Landing.tsx | 163 +++++++++++++++---------------
 apps/portal/src/pages/Signin.tsx  | 105 +++++++++++++++++++
 5 files changed, 280 insertions(+), 82 deletions(-)
 create mode 100644 apps/api/src/routes/signin.ts
 create mode 100644 apps/portal/src/pages/Signin.tsx

diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index a1db448..9fa6484 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -34,6 +34,7 @@ import { signupRouter } from './routes/signup.js';
 import { partnerSignupRouter } from './routes/partner-signup.js';
 import { networkPartnerRouter } from './routes/network-partner.js';
 import { creatorPortalRouter } from './routes/creator-portal.js';
+import { signinRouter } from './routes/signin.js';
 import { tenantMiddleware } from './tenancy.js';
 
 export function createApp(options: { enableLogger?: boolean } = {}) {
@@ -115,6 +116,7 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   // directly and are responsible for their own access control.
   app.use(installRouter);
   app.use(signupRouter);
+  app.use(signinRouter);
   app.use(metricsRouter);
   // Creator portal is platform-level (no tenant), proxies to Network.
   // Mount before tenantMiddleware so it's reachable from app.openpartner.dev/*
diff --git a/apps/api/src/routes/signin.ts b/apps/api/src/routes/signin.ts
new file mode 100644
index 0000000..8fad6fc
--- /dev/null
+++ b/apps/api/src/routes/signin.ts
@@ -0,0 +1,90 @@
+/**
+ * Unified email-only signin for the multi-tenant deployment.
+ *
+ * The Landing on app.openpartner.dev offers a single Sign-in entry — we
+ * don't make the user pick "brand vs creator" up front. The user enters
+ * their email; we look up which accounts they have (Admin rows across
+ * tenants for the brand side; Network Creator for the creator side) and
+ * email magic links for whichever apply. Always 200 silently to avoid
+ * email enumeration.
+ *
+ * Multi-tenant only — single-tenant deployments use the existing
+ * per-tenant /auth/signin which already knows its tenant.
+ */
+
+import { Router } from 'express';
+import { z } from 'zod';
+import { TABLES, type AdminRow, type TenantRow } from '@openpartner/db';
+import { db } from '../db.js';
+import { issueMagicLink } from '../auth-sessions.js';
+import { adminSigninEmail, buildMagicLinkUrl } from '../email-templates.js';
+import { getMailer } from '../mailer.js';
+import { getTenancyMode } from '../tenancy.js';
+
+export const signinRouter = Router();
+
+const schema = z.object({ email: z.string().trim().email() });
+
+signinRouter.post('/signin', async (req, res) => {
+  if (getTenancyMode() !== 'multi') {
+    return res.status(400).json({ error: 'use_per_tenant_signin' });
+  }
+
+  const body = schema.safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_email' });
+
+  const email = body.data.email.toLowerCase();
+
+  // 1) Brand admins. One person can be the admin of more than one tenant
+  // (rare, but possible) — email a link for each so they can pick which
+  // brand to sign into. Activated + non-revoked only.
+  const admins = await db<AdminRow>(TABLES.Admin)
+    .where({ email })
+    .whereNotNull('activatedAt')
+    .whereNull('revokedAt');
+
+  for (const admin of admins) {
+    try {
+      const tenant = await db<TenantRow>(TABLES.Tenant).where({ id: admin.tenantId, status: 'active' }).first();
+      if (!tenant) continue;
+      const issued = await issueMagicLink(db, {
+        tenantId: admin.tenantId,
+        email,
+        purpose: 'admin_signin',
+        principalKind: 'admin',
+        principalId: admin.id,
+      });
+      const tmpl = adminSigninEmail(admin.name, buildMagicLinkUrl(issued.plaintext, tenant.slug));
+      await getMailer().send({ db, tenantId: tenant.id }, {
+        to: email,
+        subject: tmpl.subject,
+        text: tmpl.text,
+        html: tmpl.html,
+        tag: 'admin_signin',
+        metadata: { purpose: 'admin_signin', adminId: admin.id, source: 'unified_signin' },
+      });
+    } catch (err) {
+      // Don't fail the whole signin on one mail send issue. Log and move on.
+      console.error('[signin] admin mail failed', { tenantId: admin.tenantId, err });
+    }
+  }
+
+  // 2) Network creator. Forward to the Network's /creators/signin which
+  // does its own existence-check + magic-link mail. Best-effort — if the
+  // Network is down the user just gets the brand-side link (if any).
+  const networkUrl = process.env.NETWORK_URL;
+  if (networkUrl) {
+    try {
+      await fetch(`${networkUrl.replace(/\/$/, '')}/creators/signin`, {
+        method: 'POST',
+        headers: { 'content-type': 'application/json', 'user-agent': 'OpenPartner-Signin/1' },
+        body: JSON.stringify({ email }),
+        signal: AbortSignal.timeout(5_000),
+      });
+    } catch (err) {
+      console.error('[signin] network creator signin failed', err);
+    }
+  }
+
+  res.json({ ok: true });
+});
diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index d2cfe3a..f3d200e 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -49,6 +49,7 @@ import { MyProfilePage } from './pages/partner/MyProfile.js';
 import { InstallPage } from './pages/Install.js';
 import { LandingPage } from './pages/Landing.js';
 import { SignupPage } from './pages/Signup.js';
+import { SigninPage } from './pages/Signin.js';
 import { CreatorSignupPage } from './pages/creator/CreatorSignup.js';
 import { CreatorSigninPage } from './pages/creator/CreatorSignin.js';
 import { CreatorMagicLandingPage } from './pages/creator/CreatorMagicLanding.js';
@@ -94,6 +95,7 @@ export function App() {
           <>
             <Route path="/" element={<LandingPage />} />
             <Route path="/signup" element={<SignupPage />} />
+            <Route path="/signin" element={<SigninPage />} />
             <Route path="/auth/magic" element={<MagicLandingPage />} />
             {/* Platform-level Creator surfaces — separate auth from vendor admins. */}
             <Route path="/creator/signup" element={<CreatorSignupPage />} />
diff --git a/apps/portal/src/pages/Landing.tsx b/apps/portal/src/pages/Landing.tsx
index 4ab6187..5e66a1c 100644
--- a/apps/portal/src/pages/Landing.tsx
+++ b/apps/portal/src/pages/Landing.tsx
@@ -1,14 +1,12 @@
 import { Link } from 'react-router-dom';
-import { ArrowRight, Globe, Receipt, ShieldCheck } from 'lucide-react';
 import { theme } from '../theme.js';
 import { Logo } from './auth/Shared.js';
 
 /**
- * Public landing for multi-tenant deployments. The single-tenant build
- * never mounts this — its root goes straight to the Shell. Two CTAs:
- * create a program (signup) or sign in (you'll need a tenant slug, but
- * if the link the operator emailed you was the magic link, you went to
- * /t/<slug>/auth/magic and never see this page).
+ * Public landing for the multi-tenant deployment. Voice mirrors the
+ * marketing site at openpartner.dev — plain English, brand+creator
+ * parity, no engineering jargon. The marketing site sells; this
+ * landing is the door into the app.
  */
 export function LandingPage() {
   return (
@@ -26,99 +24,100 @@ export function LandingPage() {
           <Logo />
           <div style={{ fontSize: 16, fontWeight: 600, letterSpacing: '-0.01em' }}>OpenPartner</div>
         </div>
-        <div style={{ display: 'flex', gap: 14, alignItems: 'center', fontSize: 13 }}>
+        <div style={{ display: 'flex', gap: 18, alignItems: 'center', fontSize: 13 }}>
           <a href="https://openpartner.dev" style={{ color: theme.textMuted }}>About</a>
-          <Link to="/creator/login" style={{ color: theme.textMuted }}>Creator sign in</Link>
+          <a href="https://openpartner.dev/pricing" style={{ color: theme.textMuted }}>Pricing</a>
+          <Link to="/signin" style={{ color: theme.textMuted }}>Sign in</Link>
         </div>
       </header>
 
-      <main style={{ flex: 1, display: 'flex', alignItems: 'center', justifyContent: 'center', padding: '40px 24px' }}>
-        <div style={{ maxWidth: 720, textAlign: 'center' }}>
-          <h1 style={{ fontSize: 44, lineHeight: 1.1, margin: 0, letterSpacing: '-0.02em' }}>
-            The partner program your data outlives.
+      <main style={{ flex: 1, padding: '64px 24px 32px' }}>
+        <div style={{ maxWidth: 880, margin: '0 auto', textAlign: 'center' }}>
+          <div style={{ fontSize: 12, color: theme.accent, textTransform: 'uppercase', letterSpacing: '0.06em', marginBottom: 16 }}>
+            Partner program software with a built-in network
+          </div>
+          <h1 style={{ fontSize: 48, lineHeight: 1.1, margin: 0, letterSpacing: '-0.02em', fontWeight: 700 }}>
+            Launch a partner program.<br />Grow it with the Network.
           </h1>
-          <p style={{ marginTop: 20, fontSize: 17, color: theme.textMuted, lineHeight: 1.5 }}>
-            Click → identity → revenue, surviving Safari ITP and 30-day cookie windows.
-            Your raw attribution log is exportable to CSV/JSON/SQL — leave anytime, your history comes with you.
+          <p style={{ marginTop: 24, fontSize: 17, color: theme.textMuted, lineHeight: 1.55, maxWidth: 720, marginInline: 'auto' }}>
+            Brands launch affiliate, referral, and creator programs with visible commission terms and
+            direct Stripe payouts. Creators browse real offers and keep what they earn.
           </p>
+        </div>
 
-          <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fit, minmax(280px, 1fr))', gap: 16, marginTop: 32, textAlign: 'left' }}>
-            <CtaCard
-              eyebrow="For brands"
-              title="Run your own partner program"
-              body="Create a tenant, invite partners, track every click → signup → revenue, run payouts via Stripe Connect."
-              ctaLabel="Sign up as a brand"
-              to="/signup"
-            />
-            <CtaCard
-              eyebrow="For creators"
-              title="Browse and apply to programs"
-              body="One profile, many programs. Discover vendors across the OpenPartner Network and apply with one click."
-              ctaLabel="Sign up as a creator"
-              to="/creator/signup"
-            />
-          </div>
-
-          <div style={{ marginTop: 24, fontSize: 13, color: theme.textDim }}>
-            Already have an account? <Link to="/creator/login" style={{ color: theme.accent }}>Creator sign in</Link>
-          </div>
+        <div style={{ maxWidth: 1040, margin: '56px auto 0', display: 'grid', gridTemplateColumns: 'repeat(auto-fit, minmax(340px, 1fr))', gap: 20 }}>
+          <AudienceCard
+            eyebrow="For brands"
+            title="Partner program software for brands that want more than tracking."
+            bullets={[
+              'Track every conversion back to the partner who drove it',
+              'Set flat, percentage, or recurring commission terms',
+              'Recruit creators from the Network when you want more reach',
+              'Pay partners directly through Stripe without a middleman cut',
+            ]}
+            ctaLabel="Sign up as a brand"
+            to="/signup"
+          />
+          <AudienceCard
+            eyebrow="For creators"
+            title="A creator marketplace with real terms and direct payouts."
+            bullets={[
+              'See commission rates before you apply to any program',
+              'Browse partner offers across affiliate, referral, and creator programs',
+              'Get paid directly by brands through Stripe',
+              'No exclusivity and no platform cut on your earnings',
+            ]}
+            ctaLabel="Sign up as a creator"
+            to="/creator/signup"
+          />
+        </div>
 
-          <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fit, minmax(200px, 1fr))', gap: 16, marginTop: 56, textAlign: 'left' }}>
-            <Pill icon={<Globe size={16} />} title="Federation built in">
-              List on the OpenPartner Network and creators across other vendors can discover and apply to your program.
-            </Pill>
-            <Pill icon={<Receipt size={16} />} title="Three-tier pricing">
-              Self-host (free), flat fee, or 3% rev share. Pick at signup. No cookie-cutter contracts.
-            </Pill>
-            <Pill icon={<ShieldCheck size={16} />} title="Your data, exportable">
-              CSV/JSON/SQL export of every raw row. The self-hosted build re-imports it cleanly.
-            </Pill>
-          </div>
+        <div style={{ marginTop: 48, textAlign: 'center', color: theme.textDim, fontSize: 13 }}>
+          Already have an account? <Link to="/signin" style={{ color: theme.accent }}>Sign in</Link>
         </div>
       </main>
 
       <footer style={{ padding: '20px 32px', borderTop: `1px solid ${theme.borderSubtle}`, color: theme.textDim, fontSize: 12, textAlign: 'center' }}>
-        Already have a program? Open the link the operator emailed you, or visit <code>/t/&lt;your-slug&gt;/login</code>.
+        OpenPartner is open source. <a href="https://openpartner.dev" style={{ color: theme.textMuted }}>Learn more</a>
       </footer>
     </div>
   );
 }
 
-function CtaCard({ eyebrow, title, body, ctaLabel, to }: { eyebrow: string; title: string; body: string; ctaLabel: string; to: string }) {
+function AudienceCard({ eyebrow, title, bullets, ctaLabel, to }: { eyebrow: string; title: string; bullets: string[]; ctaLabel: string; to: string }) {
   return (
-    <div style={{ background: theme.surface, border: `1px solid ${theme.borderSubtle}`, borderRadius: theme.radiusSm, padding: 20 }}>
-      <div style={{ fontSize: 11, color: theme.accent, textTransform: 'uppercase', letterSpacing: '0.05em', marginBottom: 8 }}>{eyebrow}</div>
-      <div style={{ fontSize: 18, fontWeight: 600, marginBottom: 8 }}>{title}</div>
-      <p style={{ color: theme.textMuted, fontSize: 14, lineHeight: 1.5, marginBottom: 16 }}>{body}</p>
-      <Link to={to}>
-        <span
-          style={{
-            display: 'inline-flex',
-            alignItems: 'center',
-            gap: 6,
-            background: theme.accent,
-            color: theme.accentInk,
-            padding: '10px 14px',
-            borderRadius: theme.radiusSm,
-            fontSize: 13,
-            fontWeight: 600,
-          }}
-        >
-          {ctaLabel} <ArrowRight size={14} />
-        </span>
-      </Link>
-    </div>
-  );
-}
-
-function Pill({ icon, title, children }: { icon: React.ReactNode; title: string; children: React.ReactNode }) {
-  return (
-    <div style={{ background: theme.surface, border: `1px solid ${theme.borderSubtle}`, borderRadius: theme.radiusSm, padding: 16 }}>
-      <div style={{ display: 'flex', alignItems: 'center', gap: 8, color: theme.accent, fontSize: 13, marginBottom: 6 }}>
-        {icon}
-        <span style={{ color: theme.text, fontWeight: 600 }}>{title}</span>
-      </div>
-      <div style={{ color: theme.textMuted, fontSize: 13, lineHeight: 1.5 }}>{children}</div>
-    </div>
+    <Link
+      to={to}
+      style={{
+        display: 'block',
+        background: theme.surface,
+        border: `1px solid ${theme.borderSubtle}`,
+        borderRadius: 18,
+        padding: 28,
+        color: theme.text,
+        transition: 'border-color 0.18s, transform 0.18s',
+        textDecoration: 'none',
+      }}
+      onMouseEnter={(e) => {
+        e.currentTarget.style.borderColor = theme.accent;
+        e.currentTarget.style.transform = 'translateY(-2px)';
+      }}
+      onMouseLeave={(e) => {
+        e.currentTarget.style.borderColor = theme.borderSubtle;
+        e.currentTarget.style.transform = 'translateY(0)';
+      }}
+    >
+      <div style={{ fontSize: 11, color: theme.accent, textTransform: 'uppercase', letterSpacing: '0.06em', marginBottom: 10 }}>{eyebrow}</div>
+      <div style={{ fontSize: 22, fontWeight: 700, lineHeight: 1.3, marginBottom: 16, letterSpacing: '-0.01em' }}>{title}</div>
+      <ul style={{ listStyle: 'none', padding: 0, margin: '0 0 24px' }}>
+        {bullets.map((b) => (
+          <li key={b} style={{ color: theme.textMuted, fontSize: 14, padding: '6px 0 6px 20px', position: 'relative', lineHeight: 1.55 }}>
+            <span style={{ position: 'absolute', left: 0, color: theme.accent, fontWeight: 700 }}>›</span>
+            {b}
+          </li>
+        ))}
+      </ul>
+      <span style={{ color: theme.accent, fontWeight: 600, fontSize: 14 }}>{ctaLabel} →</span>
+    </Link>
   );
 }
diff --git a/apps/portal/src/pages/Signin.tsx b/apps/portal/src/pages/Signin.tsx
new file mode 100644
index 0000000..e2a8e24
--- /dev/null
+++ b/apps/portal/src/pages/Signin.tsx
@@ -0,0 +1,105 @@
+import { useState } from 'react';
+import { Link } from 'react-router-dom';
+import { theme } from '../theme.js';
+import { AuthFrame } from './auth/Shared.js';
+
+/**
+ * Email-only sign-in for the multi-tenant deployment. We don't make the
+ * user pick "brand vs creator" up front — the backend looks up which
+ * accounts they have and emails the right link(s). One email if they're
+ * just one or the other; two if they're both. Always 200 silently to
+ * avoid email enumeration.
+ */
+export function SigninPage() {
+  const [email, setEmail] = useState('');
+  const [busy, setBusy] = useState(false);
+  const [err, setErr] = useState<string | null>(null);
+  const [sent, setSent] = useState(false);
+
+  async function submit(e: React.FormEvent) {
+    e.preventDefault();
+    setBusy(true);
+    setErr(null);
+    try {
+      const res = await fetch('/api/signin', {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify({ email: email.trim() }),
+      });
+      if (!res.ok) {
+        const data = await res.json().catch(() => ({}));
+        throw new Error((data as { error?: string }).error ?? `${res.status}`);
+      }
+      setSent(true);
+    } catch (e) {
+      setErr(e instanceof Error ? e.message : 'Something went wrong.');
+    } finally {
+      setBusy(false);
+    }
+  }
+
+  if (sent) {
+    return (
+      <AuthFrame title="Check your inbox" subtitle={`If we found accounts for ${email}, we just emailed sign-in links.`}>
+        <div style={{ background: theme.successSoft, border: `1px solid ${theme.success}55`, padding: 14, borderRadius: theme.radiusSm, fontSize: 13, color: theme.success }}>
+          The link is good for 15 minutes. If you have both a brand and a creator account, you&rsquo;ll get one email for each.
+        </div>
+        <div style={{ marginTop: 12, textAlign: 'center', fontSize: 12, color: theme.textDim }}>
+          <Link to="/" style={{ color: theme.accent }}>Back to home</Link>
+        </div>
+      </AuthFrame>
+    );
+  }
+
+  return (
+    <AuthFrame title="Sign in" subtitle="Enter your email — we&rsquo;ll send you a sign-in link.">
+      <form onSubmit={submit}>
+        <div style={{ marginBottom: 12 }}>
+          <div style={{ fontSize: 12, color: theme.textMuted, marginBottom: 4 }}>Email</div>
+          <input
+            type="email"
+            value={email}
+            onChange={(e) => setEmail(e.target.value)}
+            placeholder="you@example.com"
+            required
+            autoFocus
+            style={inputStyle}
+          />
+        </div>
+        {err && <div style={{ color: theme.danger, fontSize: 13, marginBottom: 8 }}>{err}</div>}
+        <button type="submit" disabled={busy || !email} style={primaryBtnStyle(busy || !email)}>
+          {busy ? 'Sending…' : 'Email me a sign-in link'}
+        </button>
+        <div style={{ marginTop: 12, fontSize: 12, color: theme.textDim, textAlign: 'center' }}>
+          New here? <Link to="/signup" style={{ color: theme.accent }}>Sign up as a brand</Link> · <Link to="/creator/signup" style={{ color: theme.accent }}>Sign up as a creator</Link>
+        </div>
+      </form>
+    </AuthFrame>
+  );
+}
+
+const inputStyle: React.CSSProperties = {
+  width: '100%',
+  padding: '10px 12px',
+  fontSize: 14,
+  background: theme.surface2,
+  border: `1px solid ${theme.border}`,
+  borderRadius: theme.radiusSm,
+  color: theme.text,
+};
+
+function primaryBtnStyle(disabled: boolean): React.CSSProperties {
+  return {
+    marginTop: 6,
+    width: '100%',
+    padding: '10px 14px',
+    background: theme.accent,
+    color: theme.accentInk,
+    border: 'none',
+    borderRadius: theme.radiusSm,
+    fontSize: 14,
+    fontWeight: 600,
+    cursor: disabled ? 'not-allowed' : 'pointer',
+    opacity: disabled ? 0.5 : 1,
+  };
+}

From f6df77419ce93e07ee0ca5e7eee05d2dbab0bd63 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 11:48:10 -0700
Subject: [PATCH 037/131] fix(portal): escape hyphen in handle/slug pattern
 attributes

Modern browsers compile the HTML pattern attribute with the v flag,
which rejects bare - between character class atoms. Both signup forms
were using [a-z0-9-]/[a-zA-Z0-9_-] which the v engine flags as
"Invalid character in character class". Escape the hyphen to keep the
intended literal-dash semantics.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/pages/Signup.tsx                | 2 +-
 apps/portal/src/pages/creator/CreatorSignup.tsx | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/portal/src/pages/Signup.tsx b/apps/portal/src/pages/Signup.tsx
index 1f8b8ec..3d4de47 100644
--- a/apps/portal/src/pages/Signup.tsx
+++ b/apps/portal/src/pages/Signup.tsx
@@ -87,7 +87,7 @@ export function SignupPage() {
             value={slug}
             onChange={(e) => setSlug(e.target.value.toLowerCase().replace(/[^a-z0-9-]/g, ''))}
             placeholder="acme"
-            pattern="[a-z0-9-]{3,40}"
+            pattern="[a-z0-9\-]{3,40}"
             minLength={3}
             maxLength={40}
             required
diff --git a/apps/portal/src/pages/creator/CreatorSignup.tsx b/apps/portal/src/pages/creator/CreatorSignup.tsx
index 65494f6..cd9414b 100644
--- a/apps/portal/src/pages/creator/CreatorSignup.tsx
+++ b/apps/portal/src/pages/creator/CreatorSignup.tsx
@@ -57,7 +57,7 @@ export function CreatorSignupPage() {
             value={handle}
             onChange={(e) => setHandle(e.target.value.toLowerCase().replace(/[^a-z0-9_-]/g, ''))}
             placeholder="ada"
-            pattern="[a-zA-Z0-9_-]{2,40}"
+            pattern="[a-zA-Z0-9_\-]{2,40}"
             style={{ ...inputStyle, fontFamily: theme.fontMono }}
           />
         </Field>

From 0e01bf0183e1ba326052572ec289a123052437f7 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 13:12:17 -0700
Subject: [PATCH 038/131] fix(creator-portal): split Set-Cookie + drop
 Cloudflare cookies

Two related browser-side cookie bugs in the creator-portal proxy:

1. Node fetch comma-joins multiple Set-Cookie headers when you read
   them via .get('set-cookie'), and the browser then can't parse the
   resulting blob. Use getSetCookie() so each cookie ships as its own
   header.

2. Cloudflare in front of network.openpartner.dev injects __cf_bm
   with Domain=network.openpartner.dev. Relaying that to
   app.openpartner.dev landed both Set-Cookie values mashed together
   in one header, which confused the browser enough that the real
   op_network_creator_session cookie wasn't stored at all (next
   request only carried __cf_bm). Filter Cloudflare cookies out and
   strip Domain= on whatever we do forward so it scopes to
   app.openpartner.dev cleanly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/creator-portal.ts | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/apps/api/src/routes/creator-portal.ts b/apps/api/src/routes/creator-portal.ts
index 8c730be..4ae4d77 100644
--- a/apps/api/src/routes/creator-portal.ts
+++ b/apps/api/src/routes/creator-portal.ts
@@ -96,10 +96,23 @@ creatorPortalRouter.all(/^\/creator-api(\/.*)?$/, async (req: Request, res: Resp
     });
   }
 
-  // Relay Set-Cookie verbatim. The cookie has no Domain attribute, so the
-  // browser scopes it to app.openpartner.dev (which is what we want).
-  const setCookie = upstream.headers.get('set-cookie');
-  if (setCookie) res.setHeader('set-cookie', setCookie);
+  // Set-Cookie handling has two gotchas:
+  //   1. Node fetch returns multiple Set-Cookie headers comma-joined when
+  //      you call .get('set-cookie'); the browser then can't parse them.
+  //      Use getSetCookie() (Node 19.7+) to get each one separately.
+  //   2. Cloudflare in front of network.openpartner.dev injects its own
+  //      __cf_bm cookie with Domain=network.openpartner.dev — relaying
+  //      that to app.openpartner.dev confuses the browser. Filter it out.
+  // We also strip any Domain attribute on the cookies we DO forward so
+  // they scope to app.openpartner.dev (the host that responded).
+  const cookies = upstream.headers.getSetCookie?.() ?? [];
+  const forward: string[] = [];
+  for (const c of cookies) {
+    const name = c.split('=', 1)[0]?.trim() ?? '';
+    if (!name || name.startsWith('__cf') || name.startsWith('_cf')) continue;
+    forward.push(c.replace(/;\s*Domain=[^;]+/i, ''));
+  }
+  if (forward.length > 0) res.setHeader('set-cookie', forward);
 
   const upstreamCt = upstream.headers.get('content-type') ?? '';
   res.status(upstream.status);

From 596a5772a1fb7aeb6a9dd71d16a4d00eeda4e1c3 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 13:20:09 -0700
Subject: [PATCH 039/131] chore(portal): brand signup is account creation, not
 program creation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Programs (Network offerings) are configured later from admin → Network
→ Offerings. Signup just provisions the brand's tenant + first admin.
Adjust the labels accordingly:

- Subtitle: "Create your brand account…"
- "Program name" → "Brand name"
- Submit: "Create program" → "Create account"
- Success: "Program created." → "Account created."

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/pages/Signup.tsx | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/apps/portal/src/pages/Signup.tsx b/apps/portal/src/pages/Signup.tsx
index 3d4de47..cc98e3a 100644
--- a/apps/portal/src/pages/Signup.tsx
+++ b/apps/portal/src/pages/Signup.tsx
@@ -56,7 +56,7 @@ export function SignupPage() {
     return (
       <AuthFrame title="Check your inbox" subtitle={`We just emailed ${adminEmail} a sign-in link.`}>
         <div style={{ background: theme.successSoft, border: `1px solid ${theme.success}55`, padding: 14, borderRadius: theme.radiusSm, fontSize: 13, color: theme.success }}>
-          <div style={{ fontWeight: 500, marginBottom: 6 }}>Program created.</div>
+          <div style={{ fontWeight: 500, marginBottom: 6 }}>Account created.</div>
           <div style={{ color: `${theme.success}cc` }}>
             Your slug is <code>{result.tenant.slug}</code>. The activation link is good for 15 minutes.
           </div>
@@ -71,13 +71,13 @@ export function SignupPage() {
   }
 
   return (
-    <AuthFrame title="Sign up as a brand" subtitle="One minute to provision your partner program. We'll email you a sign-in link.">
+    <AuthFrame title="Sign up as a brand" subtitle="Create your brand account. We'll email you a sign-in link.">
       <form onSubmit={submit}>
-        <Field label="Program name" hint="What partners see in your portal — e.g. Acme Affiliates.">
+        <Field label="Brand name" hint="What partners see — e.g. Acme.">
           <input
             value={displayName}
             onChange={(e) => setDisplayName(e.target.value)}
-            placeholder="Acme Affiliates"
+            placeholder="Acme"
             required
             style={inputStyle}
           />
@@ -115,7 +115,7 @@ export function SignupPage() {
         </Field>
         {err && <div style={{ color: theme.danger, fontSize: 13, marginTop: 4, marginBottom: 8 }}>{err}</div>}
         <button type="submit" disabled={busy} style={primaryBtnStyle(busy)}>
-          {busy ? 'Creating…' : 'Create program'}
+          {busy ? 'Creating…' : 'Create account'}
         </button>
         <div style={{ marginTop: 12, fontSize: 12, color: theme.textDim, textAlign: 'center' }}>
           Already have a program? <Link to="/" style={{ color: theme.accent }}>Back to landing</Link>

From 113fbac5a618ec4a2d1ebdc3ba87cec8151cd207 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 13:32:55 -0700
Subject: [PATCH 040/131] =?UTF-8?q?chore(deploy):=20boot-time=20secrets=5F?=
 =?UTF-8?q?probe=20=E2=80=94=20surface=20which=20envs=20populated?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Extend the existing stripe_config_probe pattern to cover every secret
the app expects (Stripe full set, Postmark, MAIL_FROM, ADMIN_API_KEY,
SECRETS_ENCRYPTION_KEY, NETWORK_URL, DATABASE_URL_APP, etc). Logs
lengths only, never values.

App Platform silently leaves SECRET envs empty when the cipher-text
blob can't decrypt — typically after a spec-pull-and-reapply where
the EV[...] string was the wrong app's. This probe makes the
"is X actually populated in the runtime container?" question a
single grep instead of a code change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/server.ts | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/apps/api/src/server.ts b/apps/api/src/server.ts
index 4e6a97e..5bfda58 100644
--- a/apps/api/src/server.ts
+++ b/apps/api/src/server.ts
@@ -4,6 +4,36 @@ import { startScheduler } from './scheduler.js';
 const PORT = Number(process.env.API_PORT ?? 4601);
 const MODE = process.env.OPENPARTNER_MODE ?? 'selfhost';
 
+// Boot probe — log presence/length of every secret env so the run logs
+// surface which ones actually populated in the runtime container. App
+// Platform silently leaves SECRET envs empty when the cipher-text blob
+// can't decrypt (e.g. after a spec-pull-and-reapply); the only reliable
+// way to spot that is at startup. Lengths only, never values.
+console.log(JSON.stringify({
+  msg: 'secrets_probe',
+  app: 'openpartner',
+  tenancy: process.env.OPENPARTNER_TENANCY ?? 'single',
+  // Stripe
+  stripeSecretLen: (process.env.STRIPE_SECRET_KEY ?? '').length,
+  webhookSecretLen: (process.env.STRIPE_WEBHOOK_SECRET ?? '').length,
+  flatPriceIdLen: (process.env.STRIPE_FLAT_PRICE_ID ?? '').length,
+  flatUsagePriceIdLen: (process.env.STRIPE_FLAT_USAGE_PRICE_ID ?? '').length,
+  revsharePriceIdLen: (process.env.STRIPE_REVSHARE_USAGE_PRICE_ID ?? '').length,
+  networkPriceIdLen: (process.env.STRIPE_NETWORK_PRICE_ID ?? '').length,
+  networkUsagePriceIdLen: (process.env.STRIPE_NETWORK_USAGE_PRICE_ID ?? '').length,
+  // Mail
+  postmarkTokenLen: (process.env.POSTMARK_SERVER_TOKEN ?? '').length,
+  mailFromLen: (process.env.MAIL_FROM ?? '').length,
+  // Other
+  adminApiKeyLen: (process.env.ADMIN_API_KEY ?? '').length,
+  secretsEncryptionKeyLen: (process.env.SECRETS_ENCRYPTION_KEY ?? '').length,
+  metricsTokenLen: (process.env.METRICS_TOKEN ?? '').length,
+  networkUrlLen: (process.env.NETWORK_URL ?? '').length,
+  databaseUrlLen: (process.env.DATABASE_URL ?? '').length,
+  databaseUrlAppLen: (process.env.DATABASE_URL_APP ?? '').length,
+  portalUrlLen: (process.env.PORTAL_URL ?? '').length,
+}));
+
 const app = createApp();
 app.listen(PORT, () => {
   console.log(`[api] listening on :${PORT} (mode=${MODE})`);

From 53f1c3a374d8fc8dbd319b1841a20df9539ed1c2 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 13:35:02 -0700
Subject: [PATCH 041/131] fix(signin): also send activation link for
 unactivated admins
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The unified /signin filtered to whereNotNull('activatedAt'), which
meant a brand whose signup email never landed (mailer misconfigured,
inbox lost it, etc.) had no self-recovery path — they couldn't sign in
because they weren't activated, and they couldn't re-signup because
the slug was taken.

Drop the activation filter and pick the magic-link purpose by state:
admin_invite (activates on consume) for new admins, admin_signin
(no-op activation, just creates session) for already-activated. Same
endpoint, same UX, signup recovery just works.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/signin.ts | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/apps/api/src/routes/signin.ts b/apps/api/src/routes/signin.ts
index 8fad6fc..49556d1 100644
--- a/apps/api/src/routes/signin.ts
+++ b/apps/api/src/routes/signin.ts
@@ -37,20 +37,23 @@ signinRouter.post('/signin', async (req, res) => {
 
   // 1) Brand admins. One person can be the admin of more than one tenant
   // (rare, but possible) — email a link for each so they can pick which
-  // brand to sign into. Activated + non-revoked only.
+  // brand to sign into. We include unactivated admins so a brand whose
+  // initial activation email got lost (e.g. mailer misconfigured at
+  // signup time) can self-recover here: an admin_invite token activates
+  // the admin on consume, so signin doubles as a resend-activation flow.
   const admins = await db<AdminRow>(TABLES.Admin)
     .where({ email })
-    .whereNotNull('activatedAt')
     .whereNull('revokedAt');
 
   for (const admin of admins) {
     try {
       const tenant = await db<TenantRow>(TABLES.Tenant).where({ id: admin.tenantId, status: 'active' }).first();
       if (!tenant) continue;
+      const purpose = admin.activatedAt ? 'admin_signin' : 'admin_invite';
       const issued = await issueMagicLink(db, {
         tenantId: admin.tenantId,
         email,
-        purpose: 'admin_signin',
+        purpose,
         principalKind: 'admin',
         principalId: admin.id,
       });
@@ -60,8 +63,8 @@ signinRouter.post('/signin', async (req, res) => {
         subject: tmpl.subject,
         text: tmpl.text,
         html: tmpl.html,
-        tag: 'admin_signin',
-        metadata: { purpose: 'admin_signin', adminId: admin.id, source: 'unified_signin' },
+        tag: purpose,
+        metadata: { purpose, adminId: admin.id, source: 'unified_signin' },
       });
     } catch (err) {
       // Don't fail the whole signin on one mail send issue. Log and move on.

From f870067575af50f100f855cadc457073695fb0aa Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 14:48:22 -0700
Subject: [PATCH 042/131] fix(auth): magic-link verify redirects to tenant
 home, not Landing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In multi-tenant mode the brand magic link arrives at
/t/<slug>/auth/magic, the verify succeeds, but MagicLandingPage was
hardcoded to nav('/') after success — and / is the public Landing in
multi-tenant. So brand admins kept landing back on the marketing page
instead of their portal.

Pull the slug from the current pathname and redirect to /t/<slug>/
when present; fall back to / for single-tenant. Single-tenant behavior
unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/pages/auth/MagicLanding.tsx | 22 ++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/apps/portal/src/pages/auth/MagicLanding.tsx b/apps/portal/src/pages/auth/MagicLanding.tsx
index eee484c..9dfac95 100644
--- a/apps/portal/src/pages/auth/MagicLanding.tsx
+++ b/apps/portal/src/pages/auth/MagicLanding.tsx
@@ -1,19 +1,24 @@
 import { useEffect, useState } from 'react';
-import { useNavigate, useSearchParams } from 'react-router-dom';
+import { useLocation, useNavigate, useSearchParams } from 'react-router-dom';
 import { useQueryClient } from '@tanstack/react-query';
 import { api, clearApiKey } from '../../api.js';
 import { theme } from '../../theme.js';
 import { AuthFrame } from './Shared.js';
 
 /**
- * Terminal page for an emailed magic link. URL is `/auth/magic?token=...`.
- * We POST the token to /auth/magic/verify — server sets the op_session
- * cookie on success — then redirect to the dashboard. Any leftover API
- * key in localStorage is cleared so the new session takes precedence.
+ * Terminal page for an emailed magic link. URL shapes:
+ *   single-tenant: /auth/magic?token=...
+ *   multi-tenant brand: /t/<slug>/auth/magic?token=...
+ *
+ * After verify we redirect to the right home: /t/<slug>/ for a brand
+ * link (slug pulled from the URL we landed on), or / for single-tenant.
+ * Without this, multi-tenant brand admins were getting bounced back to
+ * the public Landing because / is the Landing in multi-tenant mode.
  */
 export function MagicLandingPage() {
   const [params] = useSearchParams();
   const nav = useNavigate();
+  const location = useLocation();
   const qc = useQueryClient();
   const [state, setState] = useState<'verifying' | 'ok' | 'failed'>('verifying');
   const [detail, setDetail] = useState<string | null>(null);
@@ -25,6 +30,9 @@ export function MagicLandingPage() {
       setDetail('No token in URL.');
       return;
     }
+    const slugMatch = location.pathname.match(/^\/t\/([a-z0-9-]+)\/auth\/magic$/);
+    const home = slugMatch ? `/t/${slugMatch[1]}/` : '/';
+
     clearApiKey();
     api<{ ok: boolean }>('/auth/magic/verify', { method: 'POST', body: { token } })
       .then(() => {
@@ -35,7 +43,7 @@ export function MagicLandingPage() {
         // activated admin into the dashboard.
         qc.invalidateQueries({ queryKey: ['install-status'] });
         setState('ok');
-        setTimeout(() => nav('/', { replace: true }), 400);
+        setTimeout(() => nav(home, { replace: true }), 400);
       })
       .catch((err) => {
         setState('failed');
@@ -43,7 +51,7 @@ export function MagicLandingPage() {
           err && typeof err === 'object' && 'message' in err ? String((err as { message: unknown }).message) : 'Link is invalid or expired.',
         );
       });
-  }, [nav, params, qc]);
+  }, [nav, params, qc, location.pathname]);
 
   return (
     <AuthFrame title="Signing you in" subtitle="One moment…">

From 09c379e04e80b73e151821c7eba98e0d9cffaa6e Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 14:56:50 -0700
Subject: [PATCH 043/131] feat(landing): auto-redirect signed-in visitors to
 their portal
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If you already have a brand session (op_session) or a creator session
(op_network_creator_session via the creator-portal proxy), visiting
app.openpartner.dev/ should drop you in your portal — not the public
marketing splash. New /api/session/home endpoint resolves the brand
session through the privileged db (sessions table carries tenantId),
returns { home: '/t/<slug>/' } or null. Public, no auth gate; null on
anonymous.

Landing fires both probes in parallel on mount; first match wins
(brand preferred over creator if somehow both are present). Renders an
empty shell during the check so we never flash the marketing splash
to a signed-in user.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/app.ts                 |  2 ++
 apps/api/src/routes/session-home.ts | 37 ++++++++++++++++++++++++++
 apps/portal/src/pages/Landing.tsx   | 40 ++++++++++++++++++++++++++++-
 3 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 apps/api/src/routes/session-home.ts

diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index 9fa6484..d119707 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -35,6 +35,7 @@ import { partnerSignupRouter } from './routes/partner-signup.js';
 import { networkPartnerRouter } from './routes/network-partner.js';
 import { creatorPortalRouter } from './routes/creator-portal.js';
 import { signinRouter } from './routes/signin.js';
+import { sessionHomeRouter } from './routes/session-home.js';
 import { tenantMiddleware } from './tenancy.js';
 
 export function createApp(options: { enableLogger?: boolean } = {}) {
@@ -117,6 +118,7 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   app.use(installRouter);
   app.use(signupRouter);
   app.use(signinRouter);
+  app.use(sessionHomeRouter);
   app.use(metricsRouter);
   // Creator portal is platform-level (no tenant), proxies to Network.
   // Mount before tenantMiddleware so it's reachable from app.openpartner.dev/*
diff --git a/apps/api/src/routes/session-home.ts b/apps/api/src/routes/session-home.ts
new file mode 100644
index 0000000..57e4152
--- /dev/null
+++ b/apps/api/src/routes/session-home.ts
@@ -0,0 +1,37 @@
+/**
+ * Where does the current session belong?
+ *
+ * Used by the public Landing on app.openpartner.dev to auto-redirect
+ * already-signed-in visitors into their portal instead of dumping them
+ * on the marketing page. Reads the op_session cookie, resolves the
+ * session through the privileged db (no tenant context needed since
+ * sessions table carries tenantId on the row), and returns the home
+ * path the SPA should navigate to.
+ *
+ * Public — no auth gate. Returns 200 + `{ home: null }` for anonymous
+ * visitors so the Landing can render normally without a 401 in devtools.
+ */
+
+import { Router } from 'express';
+import { TABLES, type TenantRow } from '@openpartner/db';
+import { db } from '../db.js';
+import { resolveSession, SESSION_COOKIE_NAME } from '../auth-sessions.js';
+
+export const sessionHomeRouter = Router();
+
+sessionHomeRouter.get('/session/home', async (req, res) => {
+  const cookie = (req as unknown as { cookies?: Record<string, string> }).cookies?.[SESSION_COOKIE_NAME];
+  if (!cookie) return res.json({ home: null });
+
+  const session = await resolveSession(db, cookie);
+  if (!session) return res.json({ home: null });
+
+  const tenant = await db<TenantRow>(TABLES.Tenant).where({ id: session.tenantId, status: 'active' }).first();
+  if (!tenant) return res.json({ home: null });
+
+  res.json({
+    home: `/t/${tenant.slug}/`,
+    kind: session.principalKind,
+    tenantSlug: tenant.slug,
+  });
+});
diff --git a/apps/portal/src/pages/Landing.tsx b/apps/portal/src/pages/Landing.tsx
index 5e66a1c..fb7714e 100644
--- a/apps/portal/src/pages/Landing.tsx
+++ b/apps/portal/src/pages/Landing.tsx
@@ -1,4 +1,5 @@
-import { Link } from 'react-router-dom';
+import { useEffect, useState } from 'react';
+import { Link, useNavigate } from 'react-router-dom';
 import { theme } from '../theme.js';
 import { Logo } from './auth/Shared.js';
 
@@ -7,8 +8,45 @@ import { Logo } from './auth/Shared.js';
  * marketing site at openpartner.dev — plain English, brand+creator
  * parity, no engineering jargon. The marketing site sells; this
  * landing is the door into the app.
+ *
+ * Auto-redirect: on mount, probe the brand session (op_session) and the
+ * creator session (op_network_creator_session via the proxy) in parallel.
+ * If either matches, navigate the visitor straight into their portal —
+ * no point showing them the marketing splash if they're already signed in.
  */
 export function LandingPage() {
+  const nav = useNavigate();
+  const [checking, setChecking] = useState(true);
+
+  useEffect(() => {
+    let cancelled = false;
+    async function go(home: string) {
+      if (!cancelled) nav(home, { replace: true });
+    }
+    Promise.all([
+      fetch('/api/session/home', { credentials: 'include' })
+        .then((r) => (r.ok ? r.json() : { home: null }))
+        .catch(() => ({ home: null })),
+      fetch('/api/creator-api/creators/whoami', { credentials: 'include' })
+        .then((r) => (r.ok ? r.json() : { creator: null }))
+        .catch(() => ({ creator: null })),
+    ]).then(([brand, creator]: [{ home?: string | null }, { creator: unknown }]) => {
+      if (cancelled) return;
+      if (brand?.home) return go(brand.home);
+      if (creator?.creator) return go('/creator');
+      setChecking(false);
+    });
+    return () => {
+      cancelled = true;
+    };
+  }, [nav]);
+
+  if (checking) {
+    return (
+      <div style={{ minHeight: '100vh', background: theme.bg }} />
+    );
+  }
+
   return (
     <div style={{ minHeight: '100vh', background: theme.bg, color: theme.text, display: 'flex', flexDirection: 'column' }}>
       <header

From 9619e35aee435ff9b32ccc5c1d665cc76ea48864 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 15:09:53 -0700
Subject: [PATCH 044/131] feat(auth): platform identity + workspace picker
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replaces the per-tenant magic-link spray with one identity-level email,
then a picker. New /signin sends a single platform_signin token (no
tenant). Verifying it issues an op_platform_session cookie. The SPA
routes to /workspaces, which lists every Admin row matching the
verified email; user picks one and /api/workspaces/enter exchanges the
platform session for a per-tenant Session and redirects to /t/<slug>/.

If the user only admins one brand, the picker auto-skips. If they
admin many, they get a real picker — multi-brand membership has been
in the data model since the multi-tenant refactor (Admin keyed by
(tenantId, email)), it just had no UX surface until now.

Schema: new PlatformSession table (id, prefix, tokenHash, email,
expires…) — no tenantId because identity isn't tenant-scoped.

Backend
- packages/db: PlatformSession in TABLES, PlatformSessionRow type,
  'platform' added to PrincipalKind + 'platform_signin' to
  MagicLinkPurpose.
- migrations/20260508010000_platform_session.ts.
- apps/api/src/platform-sessions.ts: create/resolve/revoke + cookie
  options.
- apps/api/src/routes/platform-auth.ts: POST /auth/platform-verify,
  GET /me/workspaces, POST /workspaces/enter, POST
  /auth/platform-signout. All mounted before tenantMiddleware.
- routes/signin.ts: emits one platform_signin token instead of N
  per-tenant tokens; falls back to silent no-op if no admins match.
- routes/session-home.ts: returns home: '/workspaces' for platform
  cookies; tenant Session takes precedence if both present.

Portal
- pages/Workspaces.tsx: picker (auto-enters when there's one).
- pages/auth/PlatformMagicLanding.tsx: dedicated landing for the
  platform token (POSTs /api/auth/platform-verify, redirects to
  /workspaces).
- App.tsx multi-tenant routes: /auth/magic now mounts the platform
  landing; /t/<slug>/auth/magic still mounts the existing per-tenant
  one for any direct invite/per-tenant flow.
- New routes: /workspaces.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/app.ts                           |   2 +
 apps/api/src/platform-sessions.ts             |  92 +++++++++++
 apps/api/src/routes/platform-auth.ts          | 152 ++++++++++++++++++
 apps/api/src/routes/session-home.ts           |  37 +++--
 apps/api/src/routes/signin.ts                 |  62 +++----
 apps/portal/src/App.tsx                       |   6 +-
 apps/portal/src/pages/Workspaces.tsx          | 133 +++++++++++++++
 .../src/pages/auth/PlatformMagicLanding.tsx   |  59 +++++++
 .../20260508010000_platform_session.ts        |  41 +++++
 packages/db/src/index.ts                      |   1 +
 packages/db/src/types.ts                      |  16 +-
 11 files changed, 556 insertions(+), 45 deletions(-)
 create mode 100644 apps/api/src/platform-sessions.ts
 create mode 100644 apps/api/src/routes/platform-auth.ts
 create mode 100644 apps/portal/src/pages/Workspaces.tsx
 create mode 100644 apps/portal/src/pages/auth/PlatformMagicLanding.tsx
 create mode 100644 packages/db/migrations/20260508010000_platform_session.ts

diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index d119707..7f223c9 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -36,6 +36,7 @@ import { networkPartnerRouter } from './routes/network-partner.js';
 import { creatorPortalRouter } from './routes/creator-portal.js';
 import { signinRouter } from './routes/signin.js';
 import { sessionHomeRouter } from './routes/session-home.js';
+import { platformAuthRouter } from './routes/platform-auth.js';
 import { tenantMiddleware } from './tenancy.js';
 
 export function createApp(options: { enableLogger?: boolean } = {}) {
@@ -119,6 +120,7 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   app.use(signupRouter);
   app.use(signinRouter);
   app.use(sessionHomeRouter);
+  app.use(platformAuthRouter);
   app.use(metricsRouter);
   // Creator portal is platform-level (no tenant), proxies to Network.
   // Mount before tenantMiddleware so it's reachable from app.openpartner.dev/*
diff --git a/apps/api/src/platform-sessions.ts b/apps/api/src/platform-sessions.ts
new file mode 100644
index 0000000..261ff10
--- /dev/null
+++ b/apps/api/src/platform-sessions.ts
@@ -0,0 +1,92 @@
+/**
+ * Platform-identity session helpers.
+ *
+ * The multi-tenant deployment's workspace picker hangs on this: after
+ * a magic link verifies, we issue a PlatformSession instead of a regular
+ * (tenant-scoped) Session. The SPA then reads /api/me/workspaces and
+ * exchanges the platform session for a regular Session via
+ * /api/workspaces/:slug/enter.
+ *
+ * Storage table: PlatformSession (no tenantId — this is identity, not
+ * a workspace acting state).
+ *
+ * Cookie: op_platform_session, scoped to '/'.
+ */
+
+import { createHash, randomBytes, timingSafeEqual } from 'node:crypto';
+import { ulid } from 'ulid';
+import type { CookieOptions } from 'express';
+import type { Knex } from 'knex';
+import { TABLES, type PlatformSessionRow } from '@openpartner/db';
+
+export const PLATFORM_SESSION_COOKIE = 'op_platform_session';
+const TOKEN_PREFIX_LEN = 8;
+const SESSION_TTL_MS = 30 * 24 * 60 * 60 * 1000;
+
+function hash(s: string): string {
+  return createHash('sha256').update(s).digest('hex');
+}
+
+function constantTimeEqual(a: string, b: string): boolean {
+  if (a.length !== b.length) {
+    timingSafeEqual(Buffer.alloc(32), Buffer.alloc(32));
+    return false;
+  }
+  return timingSafeEqual(Buffer.from(a), Buffer.from(b));
+}
+
+export interface IssuedPlatformSession {
+  plaintext: string;
+  expiresAt: Date;
+}
+
+export async function createPlatformSession(db: Knex, email: string): Promise<IssuedPlatformSession> {
+  const raw = randomBytes(24).toString('hex');
+  const plaintext = `opsplat_${raw}`;
+  const prefix = plaintext.slice(0, TOKEN_PREFIX_LEN);
+  const tokenHash = hash(plaintext);
+  const expiresAt = new Date(Date.now() + SESSION_TTL_MS);
+  await db<PlatformSessionRow>(TABLES.PlatformSession).insert({
+    id: ulid(),
+    prefix,
+    tokenHash,
+    email: email.toLowerCase(),
+    expiresAt,
+  });
+  return { plaintext, expiresAt };
+}
+
+export async function resolvePlatformSession(db: Knex, plaintext: string): Promise<PlatformSessionRow | null> {
+  if (!plaintext || plaintext.length < TOKEN_PREFIX_LEN) return null;
+  const prefix = plaintext.slice(0, TOKEN_PREFIX_LEN);
+  const tokenHash = hash(plaintext);
+  const now = new Date();
+  const row = await db<PlatformSessionRow>(TABLES.PlatformSession)
+    .where({ prefix, tokenHash })
+    .whereNull('revokedAt')
+    .andWhere('expiresAt', '>', now)
+    .first();
+  if (!row) return null;
+  if (!constantTimeEqual(row.tokenHash, tokenHash)) return null;
+  void db<PlatformSessionRow>(TABLES.PlatformSession).where({ id: row.id }).update({ lastSeenAt: now });
+  return row;
+}
+
+export async function revokePlatformSession(db: Knex, plaintext: string): Promise<void> {
+  if (!plaintext || plaintext.length < TOKEN_PREFIX_LEN) return;
+  const prefix = plaintext.slice(0, TOKEN_PREFIX_LEN);
+  const tokenHash = hash(plaintext);
+  await db<PlatformSessionRow>(TABLES.PlatformSession)
+    .where({ prefix, tokenHash })
+    .update({ revokedAt: new Date() });
+}
+
+export function platformSessionCookieOptions(): CookieOptions {
+  return {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    maxAge: SESSION_TTL_MS,
+  };
+}
diff --git a/apps/api/src/routes/platform-auth.ts b/apps/api/src/routes/platform-auth.ts
new file mode 100644
index 0000000..cf2944b
--- /dev/null
+++ b/apps/api/src/routes/platform-auth.ts
@@ -0,0 +1,152 @@
+/**
+ * Platform-identity auth: verify the unified-signin magic link, list
+ * the user's workspaces, and exchange the platform session for a
+ * tenant-scoped one.
+ *
+ * Routes here all run BEFORE tenantMiddleware (no /t/<slug>/ prefix in
+ * URLs), so they reach for the privileged `db` directly. Tenant-scoped
+ * follow-on writes (creating the per-workspace Session) open their own
+ * transaction with `app.tenant_id` set.
+ */
+
+import { Router, type Request } from 'express';
+import { z } from 'zod';
+import { TABLES, type AdminRow, type TenantRow } from '@openpartner/db';
+import { db, appDb } from '../db.js';
+import { consumeMagicLink, createSession, SESSION_COOKIE_NAME, sessionCookieOptions } from '../auth-sessions.js';
+import {
+  createPlatformSession,
+  PLATFORM_SESSION_COOKIE,
+  platformSessionCookieOptions,
+  resolvePlatformSession,
+  revokePlatformSession,
+} from '../platform-sessions.js';
+
+export const platformAuthRouter = Router();
+
+const verifySchema = z.object({ token: z.string().min(8) });
+
+// -------- Verify the platform magic-link token --------
+
+platformAuthRouter.post('/auth/platform-verify', async (req, res) => {
+  const body = verifySchema.safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const consumed = await consumeMagicLink(db, body.data.token);
+  if (!consumed) return res.status(400).json({ error: 'invalid_or_expired_token' });
+  const token = consumed.token;
+
+  if (token.purpose !== 'platform_signin' || token.principalKind !== 'platform') {
+    return res.status(400).json({ error: 'wrong_token_kind' });
+  }
+
+  // The token's principalId is the email; use it as the canonical identity.
+  const email = (token.email || token.principalId).toLowerCase();
+
+  const session = await createPlatformSession(db, email);
+  res.cookie(PLATFORM_SESSION_COOKIE, session.plaintext, platformSessionCookieOptions());
+
+  res.json({ ok: true, kind: 'platform', email });
+});
+
+// -------- List workspaces the platform-identity owns --------
+
+interface Workspace {
+  tenantSlug: string;
+  tenantDisplayName: string;
+  adminId: string;
+  activated: boolean;
+}
+
+function readPlatformCookie(req: Request): string | null {
+  const cookie = (req as unknown as { cookies?: Record<string, string> }).cookies?.[PLATFORM_SESSION_COOKIE];
+  return cookie ?? null;
+}
+
+platformAuthRouter.get('/me/workspaces', async (req, res) => {
+  const cookie = readPlatformCookie(req);
+  if (!cookie) return res.status(401).json({ error: 'no_platform_session' });
+
+  const session = await resolvePlatformSession(db, cookie);
+  if (!session) return res.status(401).json({ error: 'invalid_or_expired_session' });
+
+  const rows = (await db(TABLES.Admin)
+    .join(TABLES.Tenant, `${TABLES.Tenant}.id`, `${TABLES.Admin}.tenantId`)
+    .where(`${TABLES.Admin}.email`, session.email)
+    .whereNull(`${TABLES.Admin}.revokedAt`)
+    .andWhere(`${TABLES.Tenant}.status`, 'active')
+    .select(
+      `${TABLES.Tenant}.slug as tenantSlug`,
+      `${TABLES.Tenant}.displayName as tenantDisplayName`,
+      `${TABLES.Admin}.id as adminId`,
+      `${TABLES.Admin}.activatedAt as activatedAt`,
+    )) as Array<{ tenantSlug: string; tenantDisplayName: string; adminId: string; activatedAt: Date | null }>;
+
+  const workspaces: Workspace[] = rows.map((r) => ({
+    tenantSlug: r.tenantSlug,
+    tenantDisplayName: r.tenantDisplayName,
+    adminId: r.adminId,
+    activated: !!r.activatedAt,
+  }));
+
+  res.json({ email: session.email, workspaces });
+});
+
+// -------- Enter a workspace: trade platform session for a tenant Session --------
+
+const enterSchema = z.object({ slug: z.string().trim().min(1) });
+
+platformAuthRouter.post('/workspaces/enter', async (req, res) => {
+  const body = enterSchema.safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body' });
+
+  const cookie = readPlatformCookie(req);
+  if (!cookie) return res.status(401).json({ error: 'no_platform_session' });
+  const platform = await resolvePlatformSession(db, cookie);
+  if (!platform) return res.status(401).json({ error: 'invalid_or_expired_session' });
+
+  const tenant = await db<TenantRow>(TABLES.Tenant).where({ slug: body.data.slug, status: 'active' }).first();
+  if (!tenant) return res.status(404).json({ error: 'tenant_not_found' });
+
+  const admin = await db<AdminRow>(TABLES.Admin)
+    .where({ tenantId: tenant.id, email: platform.email })
+    .whereNull('revokedAt')
+    .first();
+  if (!admin) return res.status(403).json({ error: 'not_a_member' });
+
+  // Activate on first entry — the platform-signin link doubles as
+  // activation if signup's invite email never landed. Aligns with the
+  // recovery path in /signin.
+  if (!admin.activatedAt) {
+    await db<AdminRow>(TABLES.Admin)
+      .where({ id: admin.id })
+      .update({ activatedAt: new Date(), updatedAt: new Date() });
+  }
+  await db<AdminRow>(TABLES.Admin).where({ id: admin.id }).update({ lastSignInAt: new Date() });
+
+  // Per-tenant Session insert needs to run with app.tenant_id set so RLS
+  // (when enabled) accepts the write. Use the appDb pool.
+  const trx = await appDb.transaction();
+  let sessionPlaintext: string;
+  try {
+    await trx.raw(`set local app.tenant_id = '${tenant.id.replace(/'/g, "''")}'`);
+    const created = await createSession(trx, { tenantId: tenant.id, principalKind: 'admin', principalId: admin.id });
+    sessionPlaintext = created.plaintext;
+    await trx.commit();
+  } catch (err) {
+    await trx.rollback();
+    throw err;
+  }
+
+  res.cookie(SESSION_COOKIE_NAME, sessionPlaintext, sessionCookieOptions());
+  res.json({ ok: true, tenantSlug: tenant.slug, home: `/t/${tenant.slug}/` });
+});
+
+// -------- Sign out the platform identity --------
+
+platformAuthRouter.post('/auth/platform-signout', async (req, res) => {
+  const cookie = readPlatformCookie(req);
+  if (cookie) await revokePlatformSession(db, cookie);
+  res.clearCookie(PLATFORM_SESSION_COOKIE, { path: '/' });
+  res.json({ ok: true });
+});
diff --git a/apps/api/src/routes/session-home.ts b/apps/api/src/routes/session-home.ts
index 57e4152..f4dfab3 100644
--- a/apps/api/src/routes/session-home.ts
+++ b/apps/api/src/routes/session-home.ts
@@ -16,22 +16,37 @@ import { Router } from 'express';
 import { TABLES, type TenantRow } from '@openpartner/db';
 import { db } from '../db.js';
 import { resolveSession, SESSION_COOKIE_NAME } from '../auth-sessions.js';
+import { PLATFORM_SESSION_COOKIE, resolvePlatformSession } from '../platform-sessions.js';
 
 export const sessionHomeRouter = Router();
 
 sessionHomeRouter.get('/session/home', async (req, res) => {
-  const cookie = (req as unknown as { cookies?: Record<string, string> }).cookies?.[SESSION_COOKIE_NAME];
-  if (!cookie) return res.json({ home: null });
+  const cookies = (req as unknown as { cookies?: Record<string, string> }).cookies ?? {};
 
-  const session = await resolveSession(db, cookie);
-  if (!session) return res.json({ home: null });
+  // Tenant session takes precedence — they've already picked a workspace.
+  const tenantCookie = cookies[SESSION_COOKIE_NAME];
+  if (tenantCookie) {
+    const session = await resolveSession(db, tenantCookie);
+    if (session) {
+      const tenant = await db<TenantRow>(TABLES.Tenant).where({ id: session.tenantId, status: 'active' }).first();
+      if (tenant) {
+        return res.json({
+          home: `/t/${tenant.slug}/`,
+          kind: session.principalKind,
+          tenantSlug: tenant.slug,
+        });
+      }
+    }
+  }
 
-  const tenant = await db<TenantRow>(TABLES.Tenant).where({ id: session.tenantId, status: 'active' }).first();
-  if (!tenant) return res.json({ home: null });
+  // Platform session = identity verified, no workspace picked yet.
+  const platformCookie = cookies[PLATFORM_SESSION_COOKIE];
+  if (platformCookie) {
+    const platform = await resolvePlatformSession(db, platformCookie);
+    if (platform) {
+      return res.json({ home: '/workspaces', kind: 'platform', email: platform.email });
+    }
+  }
 
-  res.json({
-    home: `/t/${tenant.slug}/`,
-    kind: session.principalKind,
-    tenantSlug: tenant.slug,
-  });
+  res.json({ home: null });
 });
diff --git a/apps/api/src/routes/signin.ts b/apps/api/src/routes/signin.ts
index 49556d1..4efb86e 100644
--- a/apps/api/src/routes/signin.ts
+++ b/apps/api/src/routes/signin.ts
@@ -2,11 +2,14 @@
  * Unified email-only signin for the multi-tenant deployment.
  *
  * The Landing on app.openpartner.dev offers a single Sign-in entry — we
- * don't make the user pick "brand vs creator" up front. The user enters
- * their email; we look up which accounts they have (Admin rows across
- * tenants for the brand side; Network Creator for the creator side) and
- * email magic links for whichever apply. Always 200 silently to avoid
- * email enumeration.
+ * don't make the user pick "brand vs creator" up front. Email goes in,
+ * a platform-identity magic link goes out (one email regardless of how
+ * many brands the user admins). Verifying the link issues a
+ * PlatformSession; the SPA reads /api/me/workspaces and the user picks
+ * which brand to enter. Creator signin is forwarded to the Network in
+ * parallel — same email, separate flow, separate cookie.
+ *
+ * Always 200 silently to avoid email enumeration.
  *
  * Multi-tenant only — single-tenant deployments use the existing
  * per-tenant /auth/signin which already knows its tenant.
@@ -14,7 +17,7 @@
 
 import { Router } from 'express';
 import { z } from 'zod';
-import { TABLES, type AdminRow, type TenantRow } from '@openpartner/db';
+import { TABLES, type AdminRow, DEFAULT_TENANT_ID } from '@openpartner/db';
 import { db } from '../db.js';
 import { issueMagicLink } from '../auth-sessions.js';
 import { adminSigninEmail, buildMagicLinkUrl } from '../email-templates.js';
@@ -35,46 +38,43 @@ signinRouter.post('/signin', async (req, res) => {
 
   const email = body.data.email.toLowerCase();
 
-  // 1) Brand admins. One person can be the admin of more than one tenant
-  // (rare, but possible) — email a link for each so they can pick which
-  // brand to sign into. We include unactivated admins so a brand whose
-  // initial activation email got lost (e.g. mailer misconfigured at
-  // signup time) can self-recover here: an admin_invite token activates
-  // the admin on consume, so signin doubles as a resend-activation flow.
-  const admins = await db<AdminRow>(TABLES.Admin)
+  // Brand admin path. We don't care here which tenants — only whether ANY
+  // non-revoked admin row matches. The picker after verify enumerates the
+  // workspaces and lets the user choose. Mailer best-effort; per-tenant
+  // log on failure.
+  const anyAdmin = await db<AdminRow>(TABLES.Admin)
     .where({ email })
-    .whereNull('revokedAt');
+    .whereNull('revokedAt')
+    .first();
 
-  for (const admin of admins) {
+  if (anyAdmin) {
     try {
-      const tenant = await db<TenantRow>(TABLES.Tenant).where({ id: admin.tenantId, status: 'active' }).first();
-      if (!tenant) continue;
-      const purpose = admin.activatedAt ? 'admin_signin' : 'admin_invite';
       const issued = await issueMagicLink(db, {
-        tenantId: admin.tenantId,
+        tenantId: DEFAULT_TENANT_ID, // placeholder — platform tokens aren't tenant-scoped
         email,
-        purpose,
-        principalKind: 'admin',
-        principalId: admin.id,
+        purpose: 'platform_signin',
+        principalKind: 'platform',
+        principalId: email,
       });
-      const tmpl = adminSigninEmail(admin.name, buildMagicLinkUrl(issued.plaintext, tenant.slug));
-      await getMailer().send({ db, tenantId: tenant.id }, {
+      // Tenant-less link — verify will issue a PlatformSession, the SPA
+      // routes through /workspaces to let the user pick which brand to
+      // enter.
+      const link = buildMagicLinkUrl(issued.plaintext);
+      const tmpl = adminSigninEmail(anyAdmin.name, link);
+      await getMailer().send({ db, tenantId: anyAdmin.tenantId }, {
         to: email,
         subject: tmpl.subject,
         text: tmpl.text,
         html: tmpl.html,
-        tag: purpose,
-        metadata: { purpose, adminId: admin.id, source: 'unified_signin' },
+        tag: 'platform_signin',
+        metadata: { purpose: 'platform_signin', email, source: 'unified_signin' },
       });
     } catch (err) {
-      // Don't fail the whole signin on one mail send issue. Log and move on.
-      console.error('[signin] admin mail failed', { tenantId: admin.tenantId, err });
+      console.error('[signin] platform mail failed', { email, err });
     }
   }
 
-  // 2) Network creator. Forward to the Network's /creators/signin which
-  // does its own existence-check + magic-link mail. Best-effort — if the
-  // Network is down the user just gets the brand-side link (if any).
+  // Creator side — same email, separate cookie, parallel flow. Best-effort.
   const networkUrl = process.env.NETWORK_URL;
   if (networkUrl) {
     try {
diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index f3d200e..95a1eaa 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -50,6 +50,8 @@ import { InstallPage } from './pages/Install.js';
 import { LandingPage } from './pages/Landing.js';
 import { SignupPage } from './pages/Signup.js';
 import { SigninPage } from './pages/Signin.js';
+import { WorkspacesPage } from './pages/Workspaces.js';
+import { PlatformMagicLandingPage } from './pages/auth/PlatformMagicLanding.js';
 import { CreatorSignupPage } from './pages/creator/CreatorSignup.js';
 import { CreatorSigninPage } from './pages/creator/CreatorSignin.js';
 import { CreatorMagicLandingPage } from './pages/creator/CreatorMagicLanding.js';
@@ -96,7 +98,9 @@ export function App() {
             <Route path="/" element={<LandingPage />} />
             <Route path="/signup" element={<SignupPage />} />
             <Route path="/signin" element={<SigninPage />} />
-            <Route path="/auth/magic" element={<MagicLandingPage />} />
+            <Route path="/workspaces" element={<WorkspacesPage />} />
+            {/* Platform-identity magic link (one email regardless of how many brands you admin). */}
+            <Route path="/auth/magic" element={<PlatformMagicLandingPage />} />
             {/* Platform-level Creator surfaces — separate auth from vendor admins. */}
             <Route path="/creator/signup" element={<CreatorSignupPage />} />
             <Route path="/creator/login" element={<CreatorSigninPage />} />
diff --git a/apps/portal/src/pages/Workspaces.tsx b/apps/portal/src/pages/Workspaces.tsx
new file mode 100644
index 0000000..aefedd9
--- /dev/null
+++ b/apps/portal/src/pages/Workspaces.tsx
@@ -0,0 +1,133 @@
+import { useEffect, useState } from 'react';
+import { useNavigate } from 'react-router-dom';
+import { theme } from '../theme.js';
+import { Logo } from './auth/Shared.js';
+
+interface Workspace {
+  tenantSlug: string;
+  tenantDisplayName: string;
+  adminId: string;
+  activated: boolean;
+}
+
+interface WorkspacesResponse {
+  email: string;
+  workspaces: Workspace[];
+}
+
+/**
+ * Post-platform-signin picker. The platform magic-link verify creates
+ * an identity session; this page lists the brands the verified email
+ * admins and lets the user enter one. Auto-skips when there's only one
+ * workspace.
+ */
+export function WorkspacesPage() {
+  const nav = useNavigate();
+  const [data, setData] = useState<WorkspacesResponse | null>(null);
+  const [err, setErr] = useState<string | null>(null);
+  const [busySlug, setBusySlug] = useState<string | null>(null);
+
+  useEffect(() => {
+    let cancelled = false;
+    fetch('/api/me/workspaces', { credentials: 'include' })
+      .then(async (r) => {
+        if (r.status === 401) {
+          if (!cancelled) nav('/signin', { replace: true });
+          return null;
+        }
+        if (!r.ok) throw new Error(`${r.status}`);
+        return (await r.json()) as WorkspacesResponse;
+      })
+      .then((d) => {
+        if (cancelled || !d) return;
+        if (d.workspaces.length === 1) {
+          // Single brand — skip the picker.
+          enter(d.workspaces[0]!.tenantSlug);
+          return;
+        }
+        setData(d);
+      })
+      .catch((e) => setErr(e instanceof Error ? e.message : 'Could not load workspaces.'));
+    return () => {
+      cancelled = true;
+    };
+    // eslint-disable-next-line react-hooks/exhaustive-deps
+  }, [nav]);
+
+  async function enter(slug: string) {
+    setBusySlug(slug);
+    setErr(null);
+    try {
+      const r = await fetch('/api/workspaces/enter', {
+        method: 'POST',
+        headers: { 'content-type': 'application/json' },
+        credentials: 'include',
+        body: JSON.stringify({ slug }),
+      });
+      const j = (await r.json()) as { ok?: boolean; home?: string; error?: string };
+      if (!r.ok || !j.ok || !j.home) throw new Error(j.error ?? `${r.status}`);
+      nav(j.home, { replace: true });
+    } catch (e) {
+      setErr(e instanceof Error ? e.message : 'Could not enter workspace.');
+      setBusySlug(null);
+    }
+  }
+
+  if (!data && !err) {
+    return <div style={{ minHeight: '100vh', background: theme.bg }} />;
+  }
+
+  return (
+    <div style={{ minHeight: '100vh', background: theme.bg, color: theme.text, display: 'flex', alignItems: 'center', justifyContent: 'center', padding: 24 }}>
+      <div style={{ maxWidth: 460, width: '100%' }}>
+        <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 28 }}>
+          <Logo />
+          <div style={{ fontSize: 16, fontWeight: 600 }}>OpenPartner</div>
+        </div>
+        <h1 style={{ fontSize: 24, fontWeight: 700, margin: '0 0 6px', letterSpacing: '-0.01em' }}>Pick a workspace</h1>
+        <p style={{ color: theme.textMuted, fontSize: 14, marginTop: 0, marginBottom: 20 }}>
+          {data ? `Signed in as ${data.email}.` : null}
+        </p>
+        {err && <div style={{ color: theme.danger, fontSize: 13, marginBottom: 12 }}>{err}</div>}
+        <div style={{ display: 'flex', flexDirection: 'column', gap: 8 }}>
+          {data?.workspaces.map((w) => (
+            <button
+              key={w.tenantSlug}
+              onClick={() => enter(w.tenantSlug)}
+              disabled={busySlug !== null}
+              style={{
+                background: theme.surface,
+                border: `1px solid ${theme.borderSubtle}`,
+                borderRadius: theme.radiusSm,
+                padding: '14px 16px',
+                color: theme.text,
+                textAlign: 'left',
+                cursor: busySlug === null ? 'pointer' : 'wait',
+                opacity: busySlug !== null && busySlug !== w.tenantSlug ? 0.5 : 1,
+                display: 'flex',
+                alignItems: 'center',
+                justifyContent: 'space-between',
+                gap: 12,
+              }}
+            >
+              <div>
+                <div style={{ fontWeight: 600, fontSize: 14 }}>{w.tenantDisplayName}</div>
+                <div style={{ color: theme.textMuted, fontSize: 12, marginTop: 2 }}>
+                  /t/{w.tenantSlug}/{!w.activated && ' · activates on entry'}
+                </div>
+              </div>
+              <span style={{ color: theme.accent, fontSize: 13 }}>
+                {busySlug === w.tenantSlug ? 'Entering…' : 'Enter →'}
+              </span>
+            </button>
+          ))}
+        </div>
+        {data?.workspaces.length === 0 && (
+          <div style={{ color: theme.textMuted, fontSize: 14 }}>
+            You don&rsquo;t have any brand workspaces. <a href="/signup" style={{ color: theme.accent }}>Create one →</a>
+          </div>
+        )}
+      </div>
+    </div>
+  );
+}
diff --git a/apps/portal/src/pages/auth/PlatformMagicLanding.tsx b/apps/portal/src/pages/auth/PlatformMagicLanding.tsx
new file mode 100644
index 0000000..2970882
--- /dev/null
+++ b/apps/portal/src/pages/auth/PlatformMagicLanding.tsx
@@ -0,0 +1,59 @@
+import { useEffect, useState } from 'react';
+import { useNavigate, useSearchParams } from 'react-router-dom';
+import { theme } from '../../theme.js';
+import { AuthFrame } from './Shared.js';
+
+/**
+ * Multi-tenant magic-link landing for platform-identity tokens (the
+ * tokens issued by the unified /signin). Verify creates a
+ * PlatformSession; we then push the user to /workspaces, which decides
+ * whether to show the picker or auto-enter their single workspace.
+ */
+export function PlatformMagicLandingPage() {
+  const [params] = useSearchParams();
+  const nav = useNavigate();
+  const [state, setState] = useState<'verifying' | 'ok' | 'failed'>('verifying');
+  const [detail, setDetail] = useState<string | null>(null);
+
+  useEffect(() => {
+    const token = params.get('token');
+    if (!token) {
+      setState('failed');
+      setDetail('No token in URL.');
+      return;
+    }
+    fetch('/api/auth/platform-verify', {
+      method: 'POST',
+      headers: { 'content-type': 'application/json' },
+      credentials: 'include',
+      body: JSON.stringify({ token }),
+    })
+      .then(async (r) => {
+        if (!r.ok) {
+          const j = await r.json().catch(() => ({}));
+          throw new Error((j as { error?: string }).error ?? `${r.status}`);
+        }
+        setState('ok');
+        setTimeout(() => nav('/workspaces', { replace: true }), 300);
+      })
+      .catch((err) => {
+        setState('failed');
+        setDetail(err instanceof Error ? err.message : 'Link is invalid or expired.');
+      });
+  }, [nav, params]);
+
+  return (
+    <AuthFrame title="Signing you in" subtitle="One moment…">
+      {state === 'verifying' && <div style={{ color: theme.textMuted, fontSize: 14 }}>Verifying your link…</div>}
+      {state === 'ok' && <div style={{ color: theme.success, fontSize: 14 }}>Signed in. Picking your workspace…</div>}
+      {state === 'failed' && (
+        <div style={{ color: theme.danger, fontSize: 14 }}>
+          {detail ?? 'Could not verify.'}
+          <div style={{ color: theme.textDim, fontSize: 13, marginTop: 10 }}>
+            Ask for a new link from <a href="/signin" style={{ color: theme.accent }}>the sign-in page</a>.
+          </div>
+        </div>
+      )}
+    </AuthFrame>
+  );
+}
diff --git a/packages/db/migrations/20260508010000_platform_session.ts b/packages/db/migrations/20260508010000_platform_session.ts
new file mode 100644
index 0000000..ce170df
--- /dev/null
+++ b/packages/db/migrations/20260508010000_platform_session.ts
@@ -0,0 +1,41 @@
+/**
+ * PlatformSession — identity-level sessions used by the multi-tenant
+ * deployment's workspace picker.
+ *
+ * The existing Session table is per-tenant (tenantId NOT NULL, principal
+ * scoped to a single Admin/Partner row). That's the right shape for the
+ * "user is acting inside this brand" state, but it can't represent the
+ * "user has authenticated their email but hasn't picked a workspace yet"
+ * intermediate state we need for the picker.
+ *
+ * Solution: a thin parallel table keyed by email. After the platform
+ * magic link verifies, we issue a PlatformSession; the SPA reads
+ * /api/me/workspaces (which lists every Admin row matching that email),
+ * the user picks one, and /api/workspaces/:slug/enter exchanges the
+ * platform session for a regular per-tenant Session pinned to the
+ * matching Admin row.
+ *
+ * No tenantId here on purpose — RLS doesn't apply (the table holds no
+ * tenant data; just email + token bookkeeping).
+ */
+
+import type { Knex } from 'knex';
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.createTable('PlatformSession', (t) => {
+    t.string('id').primary();
+    t.string('prefix', 8).notNullable();
+    t.string('tokenHash').notNullable().unique();
+    t.string('email').notNullable();
+    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
+    t.timestamp('expiresAt', { useTz: true }).notNullable();
+    t.timestamp('lastSeenAt', { useTz: true });
+    t.timestamp('revokedAt', { useTz: true });
+    t.index(['prefix']);
+    t.index(['email']);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists('PlatformSession');
+}
diff --git a/packages/db/src/index.ts b/packages/db/src/index.ts
index 105b65a..c243cf0 100644
--- a/packages/db/src/index.ts
+++ b/packages/db/src/index.ts
@@ -68,6 +68,7 @@ export const TABLES = {
   Admin: 'Admin',
   MagicLinkToken: 'MagicLinkToken',
   Session: 'Session',
+  PlatformSession: 'PlatformSession',
   WebhookEndpoint: 'WebhookEndpoint',
   WebhookDelivery: 'WebhookDelivery',
   NetworkOutbox: 'NetworkOutbox',
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index 90bf565..93c162e 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -63,9 +63,10 @@ export type MagicLinkPurpose =
   | 'partner_invite'
   | 'partner_signin'
   | 'admin_invite'
-  | 'admin_signin';
+  | 'admin_signin'
+  | 'platform_signin';
 
-export type PrincipalKind = 'partner' | 'admin';
+export type PrincipalKind = 'partner' | 'admin' | 'platform';
 
 export interface MagicLinkTokenRow {
   id: string;
@@ -94,6 +95,17 @@ export interface SessionRow {
   revokedAt: Date | null;
 }
 
+export interface PlatformSessionRow {
+  id: string;
+  prefix: string;
+  tokenHash: string;
+  email: string;
+  expiresAt: Date;
+  createdAt: Date;
+  lastSeenAt: Date | null;
+  revokedAt: Date | null;
+}
+
 export interface AdminRow {
   id: string;
   tenantId: string;

From 2c100d6b4af281642fdd4b3aaaba3350b1df2452 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 15:24:19 -0700
Subject: [PATCH 045/131] chore(portal): wire name + autocomplete on auth
 inputs for autofill

Browsers only surface past entries when the input has both a name
attribute and an autocomplete hint. Added name="email" /
autoComplete="email" to every email field in the auth surfaces
(Signin, Signup, Login, CreatorSignin, CreatorSignup), name="name"
on the display-name fields, autocomplete="username" on the creator
handle, and autoComplete="off" on the API-key field (we don't want
that one cached).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/pages/Signin.tsx                | 2 ++
 apps/portal/src/pages/Signup.tsx                | 4 ++++
 apps/portal/src/pages/auth/Login.tsx            | 4 ++++
 apps/portal/src/pages/creator/CreatorSignin.tsx | 2 +-
 apps/portal/src/pages/creator/CreatorSignup.tsx | 6 ++++--
 5 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/apps/portal/src/pages/Signin.tsx b/apps/portal/src/pages/Signin.tsx
index e2a8e24..d856048 100644
--- a/apps/portal/src/pages/Signin.tsx
+++ b/apps/portal/src/pages/Signin.tsx
@@ -58,6 +58,8 @@ export function SigninPage() {
           <div style={{ fontSize: 12, color: theme.textMuted, marginBottom: 4 }}>Email</div>
           <input
             type="email"
+            name="email"
+            autoComplete="email"
             value={email}
             onChange={(e) => setEmail(e.target.value)}
             placeholder="you@example.com"
diff --git a/apps/portal/src/pages/Signup.tsx b/apps/portal/src/pages/Signup.tsx
index cc98e3a..c8b27b4 100644
--- a/apps/portal/src/pages/Signup.tsx
+++ b/apps/portal/src/pages/Signup.tsx
@@ -96,6 +96,8 @@ export function SignupPage() {
         </Field>
         <Field label="Your name">
           <input
+            name="name"
+            autoComplete="name"
             value={adminName}
             onChange={(e) => setAdminName(e.target.value)}
             placeholder="Ada Lovelace"
@@ -106,6 +108,8 @@ export function SignupPage() {
         <Field label="Your email" hint="We'll send the activation link here.">
           <input
             type="email"
+            name="email"
+            autoComplete="email"
             value={adminEmail}
             onChange={(e) => setAdminEmail(e.target.value)}
             placeholder="ada@example.com"
diff --git a/apps/portal/src/pages/auth/Login.tsx b/apps/portal/src/pages/auth/Login.tsx
index d45527f..4012f5b 100644
--- a/apps/portal/src/pages/auth/Login.tsx
+++ b/apps/portal/src/pages/auth/Login.tsx
@@ -88,6 +88,8 @@ function EmailTab() {
         <Mail size={15} style={{ position: 'absolute', left: 12, top: 12, color: theme.textDim, pointerEvents: 'none' }} />
         <input
           type="email"
+          name="email"
+          autoComplete="email"
           value={email}
           onChange={(e) => setEmail(e.target.value)}
           placeholder="you@example.com"
@@ -131,6 +133,8 @@ function KeyTab() {
         <KeyRound size={15} style={{ position: 'absolute', left: 12, top: 12, color: theme.textDim, pointerEvents: 'none' }} />
         <input
           type="password"
+          name="apiKey"
+          autoComplete="off"
           value={token}
           onChange={(e) => setToken(e.target.value)}
           placeholder="op_..."
diff --git a/apps/portal/src/pages/creator/CreatorSignin.tsx b/apps/portal/src/pages/creator/CreatorSignin.tsx
index e1182d4..d0eb9f9 100644
--- a/apps/portal/src/pages/creator/CreatorSignin.tsx
+++ b/apps/portal/src/pages/creator/CreatorSignin.tsx
@@ -42,7 +42,7 @@ export function CreatorSigninPage() {
       <form onSubmit={submit}>
         <div style={{ marginBottom: 12 }}>
           <div style={{ fontSize: 12, color: theme.textMuted, marginBottom: 4 }}>Email</div>
-          <input type="email" value={email} onChange={(e) => setEmail(e.target.value)} placeholder="ada@example.com" required autoFocus style={inputStyle} />
+          <input type="email" name="email" autoComplete="email" value={email} onChange={(e) => setEmail(e.target.value)} placeholder="ada@example.com" required autoFocus style={inputStyle} />
         </div>
         {err && <div style={{ color: theme.danger, fontSize: 13, marginBottom: 8 }}>{err}</div>}
         <button type="submit" disabled={busy} style={primaryBtnStyle(busy)}>
diff --git a/apps/portal/src/pages/creator/CreatorSignup.tsx b/apps/portal/src/pages/creator/CreatorSignup.tsx
index cd9414b..823fefc 100644
--- a/apps/portal/src/pages/creator/CreatorSignup.tsx
+++ b/apps/portal/src/pages/creator/CreatorSignup.tsx
@@ -47,13 +47,15 @@ export function CreatorSignupPage() {
     <AuthFrame title="Sign up as a creator" subtitle="Browse and apply to partner programs across the OpenPartner Network.">
       <form onSubmit={submit}>
         <Field label="Your name">
-          <input value={name} onChange={(e) => setName(e.target.value)} placeholder="Ada Lovelace" required style={inputStyle} />
+          <input name="name" autoComplete="name" value={name} onChange={(e) => setName(e.target.value)} placeholder="Ada Lovelace" required style={inputStyle} />
         </Field>
         <Field label="Email" hint="We'll send your sign-in link here.">
-          <input type="email" value={email} onChange={(e) => setEmail(e.target.value)} placeholder="ada@example.com" required style={inputStyle} />
+          <input type="email" name="email" autoComplete="email" value={email} onChange={(e) => setEmail(e.target.value)} placeholder="ada@example.com" required style={inputStyle} />
         </Field>
         <Field label="Handle (optional)" hint="Letters, numbers, hyphens. Used as your default share-link slug.">
           <input
+            name="handle"
+            autoComplete="username"
             value={handle}
             onChange={(e) => setHandle(e.target.value.toLowerCase().replace(/[^a-z0-9_-]/g, ''))}
             placeholder="ada"

From 2834b0f0c6b30143199fc825f491bf50d2cdfd41 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 15:40:10 -0700
Subject: [PATCH 046/131] feat(signup): auto-enroll hosted brands on the
 Network with vendorToken inline
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hosted brands signed up for the marketplace platform — the Network is
the value prop, not an opt-in feature. Skip the "Connect to Network"
step entirely: signup auto-enrolls and saves the vendorToken so
membership is `enabled: true` from t=0. Visibility is governed by
whether the brand publishes offerings, not by membership flags.

Wiring:
- network-client.signupWithNetwork accepts adminAuthToken; when set,
  passes it as Bearer to the Network's new admin fast path which
  returns { vendorToken, status: 'active' } inline.
- routes/signup.ts uses NETWORK_ADMIN_API_KEY (env) when present;
  saves membership enabled=true on the active path or enabled=false
  on the legacy email-verify fallback.
- settings.ts manual "Connect to Network" still uses the email-verify
  shape (no admin auth from the SPA).
- secrets_probe extended to surface NETWORK_ADMIN_API_KEY presence.

Operator action: set NETWORK_ADMIN_API_KEY on openpartner App Platform
= openpartner-network's ADMIN_API_KEY value. Without it, hosted signups
fall back to the email-verify flow (still works, just slower).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/network-client.ts  | 22 +++++++++++----
 apps/api/src/routes/settings.ts |  6 +++-
 apps/api/src/routes/signup.ts   | 50 ++++++++++++++++++++++++---------
 apps/api/src/server.ts          |  1 +
 4 files changed, 58 insertions(+), 21 deletions(-)

diff --git a/apps/api/src/network-client.ts b/apps/api/src/network-client.ts
index 4aee73f..136245b 100644
--- a/apps/api/src/network-client.ts
+++ b/apps/api/src/network-client.ts
@@ -323,19 +323,29 @@ export interface SignupInput {
   contactName?: string;
   tier: 'hosted' | 'self_hosted';
   portalCallbackUrl: string;
+  /** When set, send as admin bearer for the fast-path signup (skips
+   *  email verify, returns vendorToken inline). Only set on hosted
+   *  tenants where the brand admin's email was already verified by
+   *  openpartner's signup. */
+  adminAuthToken?: string;
 }
 
-export interface SignupResult {
-  vendorId: string;
-  status: 'pending';
-  emailSent: boolean;
-}
+export type SignupResult =
+  | { vendorId: string; status: 'pending'; emailSent: boolean }
+  | { vendorId: string; vendorToken: string; status: 'active'; displayName: string };
 
 export async function signupWithNetwork(input: SignupInput): Promise<SignupResult> {
   const url = `${input.networkUrl.replace(/\/$/, '')}/vendors/signup`;
+  const headers: Record<string, string> = {
+    'content-type': 'application/json',
+    'user-agent': 'OpenPartner-Vendor/1',
+  };
+  if (input.adminAuthToken) {
+    headers.authorization = `Bearer ${input.adminAuthToken}`;
+  }
   const res = await fetch(url, {
     method: 'POST',
-    headers: { 'content-type': 'application/json', 'user-agent': 'OpenPartner-Vendor/1' },
+    headers,
     body: JSON.stringify({
       instanceUrl: input.instanceUrl,
       scopedKey: input.scopedKey,
diff --git a/apps/api/src/routes/settings.ts b/apps/api/src/routes/settings.ts
index cb1a942..7bcb8b2 100644
--- a/apps/api/src/routes/settings.ts
+++ b/apps/api/src/routes/settings.ts
@@ -302,7 +302,11 @@ settingsRouter.post('/config/network/start-connect', requireAuth, requireAdmin,
     autoEnroll: true,
   });
 
-  res.status(202).json({ vendorId: signup.vendorId, status: 'pending', emailSent: signup.emailSent });
+  // This is the manual "Connect to Network" button on the Settings page —
+  // never uses adminAuthToken, so the result is always the email-verify
+  // pending shape.
+  const emailSent = signup.status === 'pending' ? signup.emailSent : true;
+  res.status(202).json({ vendorId: signup.vendorId, status: 'pending', emailSent });
 });
 
 const completeConnectSchema = z.object({ ntoken: z.string().min(20) });
diff --git a/apps/api/src/routes/signup.ts b/apps/api/src/routes/signup.ts
index d77eaaa..a4f0e39 100644
--- a/apps/api/src/routes/signup.ts
+++ b/apps/api/src/routes/signup.ts
@@ -141,12 +141,22 @@ signupRouter.post('/signup', signupLimit, async (req, res) => {
     });
   }
 
-  // Auto-register hosted tenant with the Network. Best-effort: a
-  // network-side outage doesn't fail the signup. The admin can finish
-  // connecting later via Settings → Network → "Connect to Network".
-  let networkStatus: 'pending' | 'skipped' | 'failed' = 'skipped';
+  // Auto-enroll hosted brand on the Network. The hosted value prop
+  // INCLUDES partner discovery; new brands shouldn't have to find a
+  // "connect" button to use what they signed up for. Visibility is
+  // controlled by whether they publish offerings, not by membership.
+  //
+  // If NETWORK_ADMIN_API_KEY is set we take the admin fast path — Network
+  // skips its email verify (we just verified the brand admin via our own
+  // magic link in the next step) and returns the vendorToken inline so
+  // membership is `enabled: true` from t=0.
+  //
+  // Otherwise we fall back to the email-verify flow (used by self-host
+  // and any operator who didn't wire the admin key).
+  let networkStatus: 'active' | 'pending' | 'skipped' | 'failed' = 'skipped';
   let networkVendorId: string | null = null;
   const networkUrl = process.env.NETWORK_URL;
+  const networkAdminKey = process.env.NETWORK_ADMIN_API_KEY;
   if (networkUrl) {
     try {
       const { signupWithNetwork } = await import('../network-client.js');
@@ -160,7 +170,7 @@ signupRouter.post('/signup', signupLimit, async (req, res) => {
         label: 'network_federation',
       });
       const protoHost = `${req.protocol}://${req.get('host') ?? ''}`;
-      const signup = await signupWithNetwork({
+      const signupResult = await signupWithNetwork({
         networkUrl,
         instanceUrl: `${protoHost}/t/${slug}/api`,
         scopedKey: scoped.plaintext,
@@ -169,16 +179,28 @@ signupRouter.post('/signup', signupLimit, async (req, res) => {
         contactName: body.data.adminName,
         tier: 'hosted',
         portalCallbackUrl: `${protoHost}/t/${slug}/admin/network/complete`,
+        adminAuthToken: networkAdminKey,
       });
-      // Stash the partial state — vendorToken comes back at complete-connect.
-      await saveNetworkMembership(db, tenantId, {
-        enabled: false,
-        networkUrl,
-        scopedKeyId: scoped.id,
-        autoEnroll: true,
-      });
-      networkStatus = 'pending';
-      networkVendorId = signup.vendorId;
+      networkVendorId = signupResult.vendorId;
+      if (signupResult.status === 'active') {
+        await saveNetworkMembership(db, tenantId, {
+          enabled: true,
+          networkUrl,
+          vendorToken: signupResult.vendorToken,
+          scopedKeyId: scoped.id,
+          autoEnroll: true,
+        });
+        networkStatus = 'active';
+      } else {
+        // Email-verify path — vendorToken comes back at complete-connect.
+        await saveNetworkMembership(db, tenantId, {
+          enabled: false,
+          networkUrl,
+          scopedKeyId: scoped.id,
+          autoEnroll: true,
+        });
+        networkStatus = 'pending';
+      }
     } catch (err) {
       console.error('[signup] auto-network-register failed', err);
       networkStatus = 'failed';
diff --git a/apps/api/src/server.ts b/apps/api/src/server.ts
index 5bfda58..88b6a44 100644
--- a/apps/api/src/server.ts
+++ b/apps/api/src/server.ts
@@ -29,6 +29,7 @@ console.log(JSON.stringify({
   secretsEncryptionKeyLen: (process.env.SECRETS_ENCRYPTION_KEY ?? '').length,
   metricsTokenLen: (process.env.METRICS_TOKEN ?? '').length,
   networkUrlLen: (process.env.NETWORK_URL ?? '').length,
+  networkAdminKeyLen: (process.env.NETWORK_ADMIN_API_KEY ?? '').length,
   databaseUrlLen: (process.env.DATABASE_URL ?? '').length,
   databaseUrlAppLen: (process.env.DATABASE_URL_APP ?? '').length,
   portalUrlLen: (process.env.PORTAL_URL ?? '').length,

From 5beacc98612535a707e2f0431b05f7fb315f5442 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 16:26:37 -0700
Subject: [PATCH 047/131] =?UTF-8?q?feat(brand):=20account=20deletion=20(GD?=
 =?UTF-8?q?PR=20right=20of=20erasure)=20=E2=80=94=20phase=201?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two-phase soft delete for hosted brands:
  - POST /api/account/delete stamps Tenant.pendingDeletionAt + reason,
    revokes every active Session for the tenant. Admin confirms by
    typing the slug.
  - POST /api/account/restore clears it inside the 30-day grace
    window. tenantMiddleware lets the recovery routes through but
    410s every other request for a pending-delete tenant.
  - GET /api/account/deletion-status surfaces hardDeleteAt for the UI.

UI: Settings → Danger zone shows a confirm form when not pending and
the recovery banner when pending.

Creator-side proxy allowlist gains /creators/me/delete + /restore so
the platform-wide creator surface can target the new Network endpoints
through the existing reverse proxy. CreatorMyProfile gets the same
Danger zone UX.

Schema:
- migrations/20260509000000_pending_deletion adds
  Tenant.pendingDeletionAt + Tenant.deletionReason + index.
- types: TenantRow gets the two new nullable fields.

Phase 1 explicitly defers (TODOs in code):
- Stripe subscription cancellation on delete (brand keeps getting
  billed during grace; should cancel-at-period-end at least).
- Network-side vendor row revoke (Network keeps thinking we're
  federated). Needs /vendors/me/delete on the Network.
- Pending payouts / unpaid commissions guard.
- Scheduler sweep for hard delete after 30 days (manual cron until
  then).
- Data export ZIP next to delete (existing /admin/export covers
  brand side; creator-side needs a parallel endpoint).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/app.ts                           |   2 +
 apps/api/src/routes/account-deletion.ts       | 120 ++++++++++++++++++
 apps/api/src/routes/creator-portal.ts         |   2 +
 apps/api/src/tenancy.ts                       |  37 +++++-
 apps/portal/src/pages/admin/Settings.tsx      | 106 ++++++++++++++++
 .../src/pages/creator/CreatorMyProfile.tsx    |  79 ++++++++++++
 .../20260509000000_pending_deletion.ts        |  24 ++++
 packages/db/src/types.ts                      |   2 +
 8 files changed, 370 insertions(+), 2 deletions(-)
 create mode 100644 apps/api/src/routes/account-deletion.ts
 create mode 100644 packages/db/migrations/20260509000000_pending_deletion.ts

diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index 7f223c9..199152a 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -33,6 +33,7 @@ import { metricsRouter } from './routes/metrics.js';
 import { signupRouter } from './routes/signup.js';
 import { partnerSignupRouter } from './routes/partner-signup.js';
 import { networkPartnerRouter } from './routes/network-partner.js';
+import { accountDeletionRouter } from './routes/account-deletion.js';
 import { creatorPortalRouter } from './routes/creator-portal.js';
 import { signinRouter } from './routes/signin.js';
 import { sessionHomeRouter } from './routes/session-home.js';
@@ -156,6 +157,7 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   app.use(billingRouter);
   app.use(adminOverviewRouter);
   app.use(networkPartnerRouter);
+  app.use(accountDeletionRouter);
 
   app.use((err: Error, req: Request, res: Response, _next: NextFunction) => {
     req.log?.error({ err }, 'request_failed');
diff --git a/apps/api/src/routes/account-deletion.ts b/apps/api/src/routes/account-deletion.ts
new file mode 100644
index 0000000..848212e
--- /dev/null
+++ b/apps/api/src/routes/account-deletion.ts
@@ -0,0 +1,120 @@
+/**
+ * Brand-side account deletion. Two-phase, GDPR-aligned:
+ *
+ *   Phase 1 — soft delete: admin clicks Delete, we stamp
+ *     Tenant.pendingDeletionAt + reason, revoke all admin Sessions,
+ *     and respond. The brand is immediately locked out (the tenancy
+ *     middleware refuses requests for a tenant that's pending deletion).
+ *
+ *   Phase 2 — hard delete: a scheduler sweep finds tenants past the
+ *     30-day grace window and cascades the wipe. Until then, an admin
+ *     can call /account/restore to clear pendingDeletionAt and recover.
+ *
+ * NOT yet handled (TODOs that should land before public launch):
+ *   - Stripe subscription cancellation. Today the brand keeps getting
+ *     billed inside the grace window. Should at least set the sub to
+ *     cancel-at-period-end at delete-time.
+ *   - Network-side vendor row revoke (the Network keeps thinking we're
+ *     federated). Needs a /vendors/me/delete on the Network.
+ *   - Any pending payouts / unpaid commissions guard — right now we
+ *     allow deletion regardless. A real production gate would refuse
+ *     until the ledger is settled.
+ */
+
+import { Router } from 'express';
+import { z } from 'zod';
+import { TABLES, type TenantRow } from '@openpartner/db';
+import { db } from '../db.js';
+import { requireAdmin, requireAuth } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
+
+export const accountDeletionRouter = Router();
+
+const deleteSchema = z.object({
+  confirmSlug: z.string().min(1),
+  reason: z.string().max(2000).optional(),
+});
+
+accountDeletionRouter.post('/account/delete', requireAuth, requireAdmin, async (req, res) => {
+  const { tenantId } = tenantOf(req);
+
+  // Privileged db: we're about to write to Tenant + revoke Sessions
+  // across the tenant. RLS on Tenant only allows the row's own tenant
+  // to read/write its row, so this works through req.db too — but we
+  // use the privileged pool so the Session revoke (which spans many
+  // sessions for this tenant) doesn't trip per-row policies.
+  const tenant = await db<TenantRow>(TABLES.Tenant).where({ id: tenantId }).first();
+  if (!tenant) return res.status(404).json({ error: 'tenant_not_found' });
+  if (tenant.pendingDeletionAt) {
+    return res.status(409).json({
+      error: 'already_pending_deletion',
+      pendingDeletionAt: tenant.pendingDeletionAt,
+    });
+  }
+
+  const body = deleteSchema.safeParse(req.body ?? {});
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  // Defensive: require the admin to type their own slug to confirm.
+  // Stops accidental DELETE clicks from wiping a brand.
+  if (body.data.confirmSlug !== tenant.slug) {
+    return res.status(400).json({ error: 'confirm_slug_mismatch' });
+  }
+
+  await db.transaction(async (trx) => {
+    await trx<TenantRow>(TABLES.Tenant).where({ id: tenantId }).update({
+      pendingDeletionAt: new Date(),
+      deletionReason: body.data.reason ?? null,
+      updatedAt: new Date(),
+    });
+    // Revoke every active session for this tenant — admins + partners.
+    // The next request will 401 and have to start over (or recover via
+    // /account/restore inside the grace window).
+    await trx(TABLES.Session)
+      .where({ tenantId })
+      .whereNull('revokedAt')
+      .update({ revokedAt: new Date() });
+  });
+
+  res.json({
+    ok: true,
+    pendingDeletionAt: new Date(),
+    graceWindowDays: 30,
+  });
+});
+
+accountDeletionRouter.post('/account/restore', requireAuth, requireAdmin, async (req, res) => {
+  // Note: restore is reachable because tenantMiddleware DOES let the
+  // request through during the grace window — see the explicit
+  // exemption added there. Without it, the lockout would be permanent.
+  const { tenantId } = tenantOf(req);
+
+  const tenant = await db<TenantRow>(TABLES.Tenant).where({ id: tenantId }).first();
+  if (!tenant) return res.status(404).json({ error: 'tenant_not_found' });
+  if (!tenant.pendingDeletionAt) {
+    return res.status(409).json({ error: 'not_pending_deletion' });
+  }
+
+  await db<TenantRow>(TABLES.Tenant).where({ id: tenantId }).update({
+    pendingDeletionAt: null,
+    deletionReason: null,
+    updatedAt: new Date(),
+  });
+
+  res.json({ ok: true });
+});
+
+accountDeletionRouter.get('/account/deletion-status', requireAuth, requireAdmin, async (req, res) => {
+  const { tenantId } = tenantOf(req);
+  const tenant = await db<TenantRow>(TABLES.Tenant).where({ id: tenantId }).first();
+  if (!tenant) return res.status(404).json({ error: 'tenant_not_found' });
+
+  res.json({
+    pendingDeletionAt: tenant.pendingDeletionAt,
+    deletionReason: tenant.deletionReason,
+    graceWindowDays: 30,
+    hardDeleteAt: tenant.pendingDeletionAt
+      ? new Date(tenant.pendingDeletionAt.getTime() + 30 * 24 * 60 * 60 * 1000)
+      : null,
+  });
+});
diff --git a/apps/api/src/routes/creator-portal.ts b/apps/api/src/routes/creator-portal.ts
index 4ae4d77..880447c 100644
--- a/apps/api/src/routes/creator-portal.ts
+++ b/apps/api/src/routes/creator-portal.ts
@@ -35,6 +35,8 @@ const ALLOWED_EXACT = new Set([
   '/creators/me',
   '/creators/me/affiliations',
   '/creators/me/requests',
+  '/creators/me/delete',
+  '/creators/me/restore',
   '/offerings',
 ]);
 
diff --git a/apps/api/src/tenancy.ts b/apps/api/src/tenancy.ts
index 535fd8d..2f90ff2 100644
--- a/apps/api/src/tenancy.ts
+++ b/apps/api/src/tenancy.ts
@@ -28,6 +28,17 @@ import { appDb } from './db.js';
 
 export type TenancyMode = 'single' | 'multi';
 
+/** Thrown when a tenant request hits a brand inside its deletion grace
+ *  window (and isn't on the recovery path). The middleware catches and
+ *  surfaces a 410 Gone — explicit so the SPA can show "this brand was
+ *  deleted; sign in again". */
+export class TenantPendingDeletionError extends Error {
+  constructor(public slug: string) {
+    super(`tenant_pending_deletion:${slug}`);
+    this.name = 'TenantPendingDeletionError';
+  }
+}
+
 export function getTenancyMode(): TenancyMode {
   const m = process.env.OPENPARTNER_TENANCY ?? 'single';
   if (m !== 'single' && m !== 'multi') {
@@ -116,7 +127,16 @@ export async function tenantMiddleware(
     tenantId = DEFAULT_TENANT_ID;
     tenantSlug = 'default';
   } else {
-    const resolved = await resolveTenantFromPath(req);
+    let resolved: Awaited<ReturnType<typeof resolveTenantFromPath>>;
+    try {
+      resolved = await resolveTenantFromPath(req);
+    } catch (err) {
+      if (err instanceof TenantPendingDeletionError) {
+        res.status(410).json({ error: 'tenant_pending_deletion', slug: err.slug });
+        return;
+      }
+      throw err;
+    }
     if (resolved) {
       tenantId = resolved.id;
       tenantSlug = resolved.slug;
@@ -255,8 +275,21 @@ async function resolveTenantFromPath(
   // any tenant by slug, not just the current one. RLS would block this
   // on the appDb pool.
   const { db } = await import('./db.js');
-  const row = await db('Tenant').where({ slug, status: 'active' }).first(['id', 'slug']);
+  const row = await db('Tenant').where({ slug, status: 'active' }).first(['id', 'slug', 'pendingDeletionAt']);
   if (!row) return null;
+  // Tenants in the deletion grace window are accessible only via the
+  // explicit recovery routes — anything else 410s on the way out so a
+  // browser cookie hanging around can't keep working against a deleted
+  // brand. The recovery routes use the `?recover=1` query flag the
+  // restore page sets.
+  if (row.pendingDeletionAt) {
+    const isRecoveryPath =
+      req.url.includes('/account/restore') ||
+      req.url.includes('/account/deletion-status');
+    if (!isRecoveryPath) {
+      throw new TenantPendingDeletionError(slug);
+    }
+  }
   return {
     id: row.id as string,
     slug: row.slug as string,
diff --git a/apps/portal/src/pages/admin/Settings.tsx b/apps/portal/src/pages/admin/Settings.tsx
index 4368ff4..8642ea0 100644
--- a/apps/portal/src/pages/admin/Settings.tsx
+++ b/apps/portal/src/pages/admin/Settings.tsx
@@ -25,6 +25,8 @@ export function AdminSettings() {
       <ProgramSection />
       <div style={{ height: 18 }} />
       <MailSection />
+      <div style={{ height: 18 }} />
+      <DangerZone />
     </Page>
   );
 }
@@ -269,3 +271,107 @@ function Row({ children }: { children: ReactNode }) {
 function Hint({ children }: { children: ReactNode }) {
   return <div style={{ fontSize: 12, color: theme.textDim, marginTop: 6 }}>{children}</div>;
 }
+
+// ---------- danger zone ----------
+
+interface DeletionStatus {
+  pendingDeletionAt: string | null;
+  deletionReason: string | null;
+  graceWindowDays: number;
+  hardDeleteAt: string | null;
+}
+
+function DangerZone() {
+  const qc = useQueryClient();
+  const { data, isLoading } = useQuery({
+    queryKey: ['account-deletion-status'],
+    queryFn: () => api<DeletionStatus>('/account/deletion-status'),
+  });
+
+  const [confirmSlug, setConfirmSlug] = useState('');
+  const [reason, setReason] = useState('');
+  const [showForm, setShowForm] = useState(false);
+
+  const del = useMutation({
+    mutationFn: () => api('/account/delete', { method: 'POST', body: { confirmSlug, reason: reason || undefined } }),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['account-deletion-status'] });
+      setShowForm(false);
+      setConfirmSlug('');
+      setReason('');
+    },
+  });
+
+  const restore = useMutation({
+    mutationFn: () => api('/account/restore', { method: 'POST' }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['account-deletion-status'] }),
+  });
+
+  if (isLoading) return null;
+
+  const pending = !!data?.pendingDeletionAt;
+
+  return (
+    <Card>
+      <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 12 }}>
+        <div style={{ fontSize: 15, fontWeight: 500, color: theme.danger }}>Danger zone</div>
+      </div>
+
+      {pending ? (
+        <>
+          <div style={{ background: `${theme.danger}15`, border: `1px solid ${theme.danger}55`, padding: 14, borderRadius: 6, marginBottom: 14 }}>
+            <div style={{ fontSize: 14, fontWeight: 500, color: theme.danger }}>
+              Account scheduled for deletion
+            </div>
+            <div style={{ fontSize: 13, color: theme.textMuted, marginTop: 6 }}>
+              All data will be permanently deleted on{' '}
+              <strong>{data?.hardDeleteAt ? new Date(data.hardDeleteAt).toLocaleDateString() : '—'}</strong>.
+              You can recover any time before then.
+            </div>
+            {data?.deletionReason && (
+              <div style={{ fontSize: 12, color: theme.textDim, marginTop: 8 }}>
+                Reason on file: {data.deletionReason}
+              </div>
+            )}
+          </div>
+          <ErrorBanner error={restore.error} />
+          <Button onClick={() => restore.mutate()} disabled={restore.isPending}>
+            {restore.isPending ? 'Restoring…' : 'Recover account'}
+          </Button>
+        </>
+      ) : !showForm ? (
+        <>
+          <Hint>
+            Deleting permanently removes your brand workspace, partners, links, commissions,
+            and payouts after a 30-day grace period. You&rsquo;ll be locked out immediately;
+            inside the grace window you can recover.
+          </Hint>
+          <div style={{ marginTop: 14 }}>
+            <Button variant="secondary" onClick={() => setShowForm(true)}>Delete this account</Button>
+          </div>
+        </>
+      ) : (
+        <>
+          <Hint>Type your URL slug to confirm. This locks you out immediately.</Hint>
+          <div style={{ marginTop: 12, marginBottom: 12 }}>
+            <Label>Confirm slug</Label>
+            <Input value={confirmSlug} onChange={(e) => setConfirmSlug(e.target.value)} placeholder="your-slug" />
+          </div>
+          <div style={{ marginBottom: 14 }}>
+            <Label>Reason (optional, helps us improve)</Label>
+            <Input value={reason} onChange={(e) => setReason(e.target.value)} placeholder="Switching platforms, project ended, …" />
+          </div>
+          <ErrorBanner error={del.error} />
+          <Row>
+            <Button onClick={() => del.mutate()} disabled={del.isPending || !confirmSlug}>
+              {del.isPending ? 'Deleting…' : 'Permanently delete'}
+            </Button>
+            <Button variant="secondary" onClick={() => setShowForm(false)}>Cancel</Button>
+          </Row>
+        </>
+      )}
+    </Card>
+  );
+}
+
+
diff --git a/apps/portal/src/pages/creator/CreatorMyProfile.tsx b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
index a2b156d..4b300e1 100644
--- a/apps/portal/src/pages/creator/CreatorMyProfile.tsx
+++ b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
@@ -106,6 +106,85 @@ export function CreatorMyProfilePage() {
           </div>
         </Card>
       ) : null}
+      <div style={{ height: 18 }} />
+      <CreatorDangerZone email={data?.email ?? ''} pendingDeletionAt={(data as Profile & { pendingDeletionAt?: string | null })?.pendingDeletionAt ?? null} />
     </Page>
   );
 }
+
+function CreatorDangerZone({ email, pendingDeletionAt }: { email: string; pendingDeletionAt: string | null }) {
+  const qc = useQueryClient();
+  const [confirmEmail, setConfirmEmail] = useState('');
+  const [showForm, setShowForm] = useState(false);
+
+  const del = useMutation({
+    mutationFn: () => creatorApi('/creators/me/delete', { method: 'POST', body: { confirmEmail } }),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['network-my-profile'] });
+      setShowForm(false);
+      setConfirmEmail('');
+    },
+  });
+
+  const restore = useMutation({
+    mutationFn: () => creatorApi('/creators/me/restore', { method: 'POST' }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['network-my-profile'] }),
+  });
+
+  const pending = !!pendingDeletionAt;
+  const hardDeleteAt = pendingDeletionAt
+    ? new Date(new Date(pendingDeletionAt).getTime() + 30 * 24 * 60 * 60 * 1000)
+    : null;
+
+  return (
+    <Card>
+      <div style={{ fontSize: 15, fontWeight: 500, color: theme.danger, marginBottom: 12 }}>
+        Danger zone
+      </div>
+
+      {pending ? (
+        <>
+          <div style={{ background: `${theme.danger}15`, border: `1px solid ${theme.danger}55`, padding: 14, borderRadius: 6, marginBottom: 14 }}>
+            <div style={{ fontSize: 14, fontWeight: 500, color: theme.danger }}>
+              Account scheduled for deletion
+            </div>
+            <div style={{ fontSize: 13, color: theme.textMuted, marginTop: 6 }}>
+              Permanent deletion on{' '}
+              <strong>{hardDeleteAt ? hardDeleteAt.toLocaleDateString() : '—'}</strong>.
+              You can recover any time before then.
+            </div>
+          </div>
+          <ErrorBanner error={restore.error} />
+          <Button onClick={() => restore.mutate()} disabled={restore.isPending}>
+            {restore.isPending ? 'Restoring…' : 'Recover account'}
+          </Button>
+        </>
+      ) : !showForm ? (
+        <>
+          <p style={{ color: theme.textMuted, fontSize: 13, margin: '0 0 14px' }}>
+            Deleting permanently removes your Network profile and revokes all your vendor partnerships
+            after a 30-day grace period. Past commissions on each brand stay with that brand&rsquo;s books.
+          </p>
+          <Button variant="secondary" onClick={() => setShowForm(true)}>Delete my account</Button>
+        </>
+      ) : (
+        <>
+          <p style={{ color: theme.textMuted, fontSize: 13, margin: '0 0 12px' }}>
+            Type your email to confirm. This locks you out immediately.
+          </p>
+          <div style={{ marginBottom: 14 }}>
+            <Label>Confirm email</Label>
+            <Input type="email" name="confirmEmail" value={confirmEmail} onChange={(e) => setConfirmEmail(e.target.value)} placeholder={email} />
+          </div>
+          <ErrorBanner error={del.error} />
+          <div style={{ display: 'flex', gap: 8 }}>
+            <Button onClick={() => del.mutate()} disabled={del.isPending || !confirmEmail}>
+              {del.isPending ? 'Deleting…' : 'Permanently delete'}
+            </Button>
+            <Button variant="secondary" onClick={() => setShowForm(false)}>Cancel</Button>
+          </div>
+        </>
+      )}
+    </Card>
+  );
+}
diff --git a/packages/db/migrations/20260509000000_pending_deletion.ts b/packages/db/migrations/20260509000000_pending_deletion.ts
new file mode 100644
index 0000000..f8b5d70
--- /dev/null
+++ b/packages/db/migrations/20260509000000_pending_deletion.ts
@@ -0,0 +1,24 @@
+/**
+ * Soft-delete (`pendingDeletionAt`) on Tenant for the brand-side
+ * GDPR-erasure flow. Setting the column immediately blocks access
+ * (tenantMiddleware refuses requests for tenants with the column set);
+ * a scheduler sweep hard-deletes after the 30-day grace window.
+ */
+
+import type { Knex } from 'knex';
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Tenant', (t) => {
+    t.timestamp('pendingDeletionAt', { useTz: true });
+    t.text('deletionReason');
+    t.index(['pendingDeletionAt']);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Tenant', (t) => {
+    t.dropIndex(['pendingDeletionAt']);
+    t.dropColumn('pendingDeletionAt');
+    t.dropColumn('deletionReason');
+  });
+}
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index 93c162e..6a772cc 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -23,6 +23,8 @@ export interface TenantRow {
   createdAt: Date;
   updatedAt: Date;
   suspendedAt: Date | null;
+  pendingDeletionAt: Date | null;
+  deletionReason: string | null;
 }
 
 /** ID of the seeded default tenant — used in single-host mode and during migration backfills. */

From 10c2d5aa811654fb816c99bc32295d9da9469893 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 16:39:38 -0700
Subject: [PATCH 048/131] =?UTF-8?q?feat(brand):=20account-deletion=20phase?=
 =?UTF-8?q?=202=20=E2=80=94=20Stripe=20+=20Network=20+=20obligations=20+?=
 =?UTF-8?q?=20scheduler=20+=20export?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Brand-side /api/account/delete now does the full cascade:

- Pending-obligations gate: refuses with 409 + a detail body if there
  are unpaid commissions ('pending'/'approved') or in-flight payouts
  ('pending'/'processing'). Admin can override with
  forceDespiteObligations=true after the UI shows the warning.

- Stripe: subscriptions.update(sub, { cancel_at_period_end: true }) —
  brand keeps access for the rest of the current billing period
  (irrelevant in practice since soft-delete locks them out anyway),
  no double charges. Failures logged but don't block the delete.

- Network: networkProxy.deleteVendor calls /vendors/me/delete on the
  Network so the federation hub stops surfacing the brand to creators.
  Membership flag flipped to enabled=false locally.

- Restore mirrors all three: clears cancel_at_period_end, calls
  /vendors/admin-restore (which mints a fresh vendorToken), saves it
  back into network_membership.

network_membership Config gains a vendorId field, persisted at signup
so admin-restore has the id to target after the vendorToken is gone.

Scheduler:
- tenant-hard-delete cron at 04:00 UTC daily. Cascades wipes across
  every tenanted table for tenants whose pendingDeletionAt is older
  than 30 days, then drops the Tenant row.

UI:
- Settings → Danger Zone gains a "Download workspace data" link next
  to Delete (uses the existing /api/export.json).
- Creator profile gains the same "Download my data" next to its
  delete button (uses the new /api/creator-api/creators/me/export
  proxy → Network /creators/me/export).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/network-client.ts                |  32 +++++
 apps/api/src/routes/account-deletion.ts       | 120 ++++++++++++++++--
 apps/api/src/routes/signup.ts                 |   2 +
 apps/api/src/scheduler.ts                     |  52 ++++++++
 apps/portal/src/pages/admin/Settings.tsx      |  21 ++-
 .../src/pages/creator/CreatorMyProfile.tsx    |  18 ++-
 6 files changed, 230 insertions(+), 15 deletions(-)

diff --git a/apps/api/src/network-client.ts b/apps/api/src/network-client.ts
index 136245b..05a1c45 100644
--- a/apps/api/src/network-client.ts
+++ b/apps/api/src/network-client.ts
@@ -37,6 +37,11 @@ export interface NetworkMembership {
   vendorTokenCiphertext: string; // encrypted bearer for vendor → Network
   scopedKeyId: string | null; // ApiKey.id of the scoped key Network calls back with
   autoEnroll: boolean;
+  /** Network's id for our vendor row. Persisted at signup so account
+   *  restore can call /vendors/admin-restore (which needs the id —
+   *  by then the vendorToken is gone). Optional for backward compat
+   *  with rows written before this field existed. */
+  vendorId?: string;
 }
 
 interface PublicNetworkMembership {
@@ -79,6 +84,7 @@ export interface SaveNetworkMembershipInput {
   vendorToken?: string;
   scopedKeyId?: string | null;
   autoEnroll?: boolean;
+  vendorId?: string;
 }
 
 export async function saveNetworkMembership(
@@ -105,6 +111,7 @@ export async function saveNetworkMembership(
           : encryptSecret(input.vendorToken),
     scopedKeyId: input.scopedKeyId === undefined ? current.scopedKeyId : input.scopedKeyId,
     autoEnroll: input.autoEnroll ?? current.autoEnroll,
+    vendorId: input.vendorId ?? current.vendorId,
   };
 
   const now = new Date();
@@ -489,8 +496,33 @@ export const networkProxy = {
 
   openPortal: (db: Knex, tenantId: string, body: { returnUrl: string }) =>
     callNetwork<{ url: string }>(db, tenantId, 'POST', '/vendors/me/billing/portal', body),
+
+  // Account deletion lifecycle. delete uses the tenant's vendorToken so
+  // the call is naturally scoped to "this vendor"; restore goes through
+  // the admin endpoint because by that point the vendorToken is gone.
+  deleteVendor: (db: Knex, tenantId: string) =>
+    callNetwork<{ ok: boolean }>(db, tenantId, 'POST', '/vendors/me/delete'),
 };
 
+export async function adminRestoreVendor(networkUrl: string, vendorId: string): Promise<{ vendorId: string; vendorToken: string }> {
+  const adminKey = process.env.NETWORK_ADMIN_API_KEY;
+  if (!adminKey) throw new Error('NETWORK_ADMIN_API_KEY not set — cannot restore vendor');
+  const url = `${networkUrl.replace(/\/$/, '')}/vendors/admin-restore`;
+  const res = await fetch(url, {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/json',
+      authorization: `Bearer ${adminKey}`,
+      'user-agent': 'OpenPartner-Vendor/1',
+    },
+    body: JSON.stringify({ vendorId }),
+    signal: AbortSignal.timeout(10_000),
+  });
+  const text = await res.text();
+  if (!res.ok) throw new Error(`network restore failed (${res.status}): ${text.slice(0, 300)}`);
+  return JSON.parse(text) as { vendorId: string; vendorToken: string };
+}
+
 // ---------- Partner-acting Network proxy ----------
 // Used by openpartner partner-role routes (/api/network/partner/*) to
 // forward calls to Network's existing /creators/me/* + /offerings + /vendors/:id
diff --git a/apps/api/src/routes/account-deletion.ts b/apps/api/src/routes/account-deletion.ts
index 848212e..c4cd278 100644
--- a/apps/api/src/routes/account-deletion.ts
+++ b/apps/api/src/routes/account-deletion.ts
@@ -27,22 +27,44 @@ import { TABLES, type TenantRow } from '@openpartner/db';
 import { db } from '../db.js';
 import { requireAdmin, requireAuth } from '../auth.js';
 import { tenantOf } from '../tenancy.js';
+import { stripe } from '../stripe.js';
+import { adminRestoreVendor, getNetworkMembership, networkProxy, saveNetworkMembership, NetworkProxyError } from '../network-client.js';
 
 export const accountDeletionRouter = Router();
 
+interface PendingObligations {
+  unpaidCommissionCents: number;
+  pendingPayoutCount: number;
+}
+
+async function checkPendingObligations(tenantId: string): Promise<PendingObligations> {
+  // Commissions in 'approved' or 'pending' state are owed but unpaid.
+  const [c] = await db(TABLES.Commission)
+    .where({ tenantId })
+    .whereIn('status', ['pending', 'approved'])
+    .sum<Array<{ sum: string | null }>>({ sum: 'amountCents' });
+  // Payouts in 'pending' or 'processing' state are mid-flight and can't
+  // be rolled back without intervention.
+  const [p] = await db(TABLES.Payout)
+    .where({ tenantId })
+    .whereIn('status', ['pending', 'processing'])
+    .count<Array<{ count: string }>>({ count: '*' });
+  return {
+    unpaidCommissionCents: Number(c?.sum ?? 0),
+    pendingPayoutCount: Number(p?.count ?? 0),
+  };
+}
+
 const deleteSchema = z.object({
   confirmSlug: z.string().min(1),
   reason: z.string().max(2000).optional(),
+  /** When set, ignore the pending-payouts/unpaid-commissions guard. */
+  forceDespiteObligations: z.boolean().optional(),
 });
 
 accountDeletionRouter.post('/account/delete', requireAuth, requireAdmin, async (req, res) => {
   const { tenantId } = tenantOf(req);
 
-  // Privileged db: we're about to write to Tenant + revoke Sessions
-  // across the tenant. RLS on Tenant only allows the row's own tenant
-  // to read/write its row, so this works through req.db too — but we
-  // use the privileged pool so the Session revoke (which spans many
-  // sessions for this tenant) doesn't trip per-row policies.
   const tenant = await db<TenantRow>(TABLES.Tenant).where({ id: tenantId }).first();
   if (!tenant) return res.status(404).json({ error: 'tenant_not_found' });
   if (tenant.pendingDeletionAt) {
@@ -56,20 +78,65 @@ accountDeletionRouter.post('/account/delete', requireAuth, requireAdmin, async (
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
   // Defensive: require the admin to type their own slug to confirm.
-  // Stops accidental DELETE clicks from wiping a brand.
   if (body.data.confirmSlug !== tenant.slug) {
     return res.status(400).json({ error: 'confirm_slug_mismatch' });
   }
 
+  // Financial obligations gate. The brand can override with
+  // forceDespiteObligations after they've seen the warning surface in
+  // the UI; without that flag, refuse so we don't strand creators.
+  const obligations = await checkPendingObligations(tenantId);
+  const hasObligations = obligations.unpaidCommissionCents > 0 || obligations.pendingPayoutCount > 0;
+  if (hasObligations && !body.data.forceDespiteObligations) {
+    return res.status(409).json({
+      error: 'pending_obligations',
+      detail: obligations,
+      hint: 'Settle these or pass forceDespiteObligations=true to delete anyway.',
+    });
+  }
+
+  // Stripe: cancel-at-period-end (not immediate) so the brand isn't
+  // charged again at renewal. They keep access for the rest of the
+  // current billing period — which is fine, because soft-delete
+  // immediately locks them out of the app anyway. The Stripe sub
+  // closing on its own is the cleanest thing for refunds + accounting.
+  if (tenant.stripeSubscriptionId && stripe) {
+    try {
+      await stripe.subscriptions.update(tenant.stripeSubscriptionId, {
+        cancel_at_period_end: true,
+        metadata: { openpartner_deletion_reason: body.data.reason ?? '' },
+      });
+    } catch (err) {
+      console.error('[account-deletion] stripe cancel failed', { tenantId, err });
+      // Don't block deletion on Stripe errors — operator can clean up
+      // billing manually if needed. Log loudly.
+    }
+  }
+
+  // Network: tell the federation hub this brand is going away. The
+  // Network marks the vendor cancelled + revokes affiliations so the
+  // creator UI hides the brand. Membership stays in our Config (with
+  // enabled=false) so a restore can re-mint a vendorToken.
+  const membership = await getNetworkMembership(db, tenantId);
+  if (membership && membership.enabled && membership.networkUrl) {
+    try {
+      await networkProxy.deleteVendor(db, tenantId);
+      await saveNetworkMembership(db, tenantId, { enabled: false });
+    } catch (err) {
+      const detail = err instanceof NetworkProxyError ? err.message : String(err);
+      console.error('[account-deletion] network delete failed', { tenantId, detail });
+      // Same reasoning as Stripe — don't block. The vendor row stays
+      // alive on Network until either the operator cleans it up or
+      // the scheduler hard-delete pass eventually purges it.
+    }
+  }
+
   await db.transaction(async (trx) => {
     await trx<TenantRow>(TABLES.Tenant).where({ id: tenantId }).update({
       pendingDeletionAt: new Date(),
       deletionReason: body.data.reason ?? null,
       updatedAt: new Date(),
     });
-    // Revoke every active session for this tenant — admins + partners.
-    // The next request will 401 and have to start over (or recover via
-    // /account/restore inside the grace window).
     await trx(TABLES.Session)
       .where({ tenantId })
       .whereNull('revokedAt')
@@ -80,13 +147,13 @@ accountDeletionRouter.post('/account/delete', requireAuth, requireAdmin, async (
     ok: true,
     pendingDeletionAt: new Date(),
     graceWindowDays: 30,
+    obligationsAtDelete: obligations,
   });
 });
 
 accountDeletionRouter.post('/account/restore', requireAuth, requireAdmin, async (req, res) => {
-  // Note: restore is reachable because tenantMiddleware DOES let the
-  // request through during the grace window — see the explicit
-  // exemption added there. Without it, the lockout would be permanent.
+  // Reachable inside the grace window because tenantMiddleware lets
+  // recovery routes through (see TenantPendingDeletionError exemption).
   const { tenantId } = tenantOf(req);
 
   const tenant = await db<TenantRow>(TABLES.Tenant).where({ id: tenantId }).first();
@@ -95,12 +162,41 @@ accountDeletionRouter.post('/account/restore', requireAuth, requireAdmin, async
     return res.status(409).json({ error: 'not_pending_deletion' });
   }
 
+  // Restore Network vendor row + grab a fresh vendorToken (the original
+  // was burned when delete fired). Needs NETWORK_ADMIN_API_KEY + the
+  // vendorId we persisted at signup. If either is missing the local
+  // restore still works; the operator can manually re-onboard the
+  // brand to the Network.
+  const membership = await getNetworkMembership(db, tenantId);
+  if (membership && membership.networkUrl && membership.vendorId && process.env.NETWORK_ADMIN_API_KEY) {
+    try {
+      const restored = await adminRestoreVendor(membership.networkUrl, membership.vendorId);
+      await saveNetworkMembership(db, tenantId, {
+        enabled: true,
+        vendorToken: restored.vendorToken,
+      });
+    } catch (err) {
+      console.error('[account-deletion] network restore failed', { tenantId, err });
+    }
+  }
+
   await db<TenantRow>(TABLES.Tenant).where({ id: tenantId }).update({
     pendingDeletionAt: null,
     deletionReason: null,
     updatedAt: new Date(),
   });
 
+  // Stripe: clear cancel_at_period_end so the brand keeps billing.
+  if (tenant.stripeSubscriptionId && stripe) {
+    try {
+      await stripe.subscriptions.update(tenant.stripeSubscriptionId, {
+        cancel_at_period_end: false,
+      });
+    } catch (err) {
+      console.error('[account-deletion] stripe uncancel failed', { tenantId, err });
+    }
+  }
+
   res.json({ ok: true });
 });
 
diff --git a/apps/api/src/routes/signup.ts b/apps/api/src/routes/signup.ts
index a4f0e39..f849dda 100644
--- a/apps/api/src/routes/signup.ts
+++ b/apps/api/src/routes/signup.ts
@@ -189,6 +189,7 @@ signupRouter.post('/signup', signupLimit, async (req, res) => {
           vendorToken: signupResult.vendorToken,
           scopedKeyId: scoped.id,
           autoEnroll: true,
+          vendorId: signupResult.vendorId,
         });
         networkStatus = 'active';
       } else {
@@ -198,6 +199,7 @@ signupRouter.post('/signup', signupLimit, async (req, res) => {
           networkUrl,
           scopedKeyId: scoped.id,
           autoEnroll: true,
+          vendorId: signupResult.vendorId,
         });
         networkStatus = 'pending';
       }
diff --git a/apps/api/src/scheduler.ts b/apps/api/src/scheduler.ts
index 9eba841..3de45fd 100644
--- a/apps/api/src/scheduler.ts
+++ b/apps/api/src/scheduler.ts
@@ -96,8 +96,60 @@ const JOBS: ScheduledJob[] = [
     handler: async () =>
       forEachActiveTenant((trx, tenantId) => reportNetworkPayoutsToNetwork(trx, tenantId)),
   },
+  {
+    name: 'tenant-hard-delete',
+    cronExpr: '0 4 * * *',
+    description: 'Hard-delete tenants whose 30-day deletion grace window has lapsed (daily 04:00 UTC)',
+    handler: async () => hardDeleteExpiredTenants(),
+  },
 ];
 
+/** Cascade-delete tenants whose pendingDeletionAt is older than the
+ *  grace window. Runs in the privileged db (we need to bypass RLS to
+ *  drop child rows in any tenant's slice). */
+async function hardDeleteExpiredTenants(): Promise<{ purged: number; tenantIds: string[] }> {
+  const cutoff = new Date(Date.now() - 30 * 24 * 60 * 60 * 1000);
+  const expired = await db<TenantRow>(TABLES.Tenant)
+    .where('pendingDeletionAt', '<', cutoff)
+    .select('id');
+  const tenantIds: string[] = [];
+  // Tenanted tables to wipe — order doesn't matter because they're
+  // all tagged with tenantId. Tenant row is dropped last.
+  const TENANTED_TABLES = [
+    TABLES.NetworkOutbox,
+    TABLES.WebhookDelivery,
+    TABLES.WebhookEndpoint,
+    TABLES.Session,
+    TABLES.MagicLinkToken,
+    TABLES.ApiKey,
+    TABLES.Config,
+    TABLES.Payout,
+    TABLES.Commission,
+    TABLES.Attribution,
+    TABLES.Event,
+    TABLES.Identity,
+    TABLES.Click,
+    TABLES.Link,
+    TABLES.Campaign,
+    TABLES.Partner,
+    TABLES.Admin,
+  ];
+  for (const t of expired) {
+    try {
+      await db.transaction(async (trx) => {
+        for (const tbl of TENANTED_TABLES) {
+          await trx(tbl).where({ tenantId: t.id }).del();
+        }
+        await trx<TenantRow>(TABLES.Tenant).where({ id: t.id }).del();
+      });
+      tenantIds.push(t.id);
+    } catch (err) {
+      console.error('[scheduler] hard-delete failed', { tenantId: t.id, err });
+    }
+  }
+  return { purged: tenantIds.length, tenantIds };
+}
+
 let started = false;
 const handles: Cron[] = [];
 
diff --git a/apps/portal/src/pages/admin/Settings.tsx b/apps/portal/src/pages/admin/Settings.tsx
index 8642ea0..47cda2d 100644
--- a/apps/portal/src/pages/admin/Settings.tsx
+++ b/apps/portal/src/pages/admin/Settings.tsx
@@ -344,9 +344,26 @@ function DangerZone() {
           <Hint>
             Deleting permanently removes your brand workspace, partners, links, commissions,
             and payouts after a 30-day grace period. You&rsquo;ll be locked out immediately;
-            inside the grace window you can recover.
+            inside the grace window you can recover. Stripe billing cancels at the end of
+            the current period.
           </Hint>
-          <div style={{ marginTop: 14 }}>
+          <div style={{ marginTop: 14, display: 'flex', gap: 8 }}>
+            <a
+              href="/api/export.json"
+              style={{
+                background: 'transparent',
+                color: theme.text,
+                border: `1px solid ${theme.borderSubtle}`,
+                borderRadius: theme.radiusSm,
+                padding: '8px 14px',
+                fontSize: 13,
+                textDecoration: 'none',
+                display: 'inline-flex',
+                alignItems: 'center',
+              }}
+            >
+              Download workspace data
+            </a>
             <Button variant="secondary" onClick={() => setShowForm(true)}>Delete this account</Button>
           </div>
         </>
diff --git a/apps/portal/src/pages/creator/CreatorMyProfile.tsx b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
index 4b300e1..4600640 100644
--- a/apps/portal/src/pages/creator/CreatorMyProfile.tsx
+++ b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
@@ -165,7 +165,23 @@ function CreatorDangerZone({ email, pendingDeletionAt }: { email: string; pendin
             Deleting permanently removes your Network profile and revokes all your vendor partnerships
             after a 30-day grace period. Past commissions on each brand stay with that brand&rsquo;s books.
           </p>
-          <Button variant="secondary" onClick={() => setShowForm(true)}>Delete my account</Button>
+          <div style={{ display: 'flex', gap: 8 }}>
+            <a
+              href="/api/creator-api/creators/me/export"
+              style={{
+                background: 'transparent',
+                color: theme.text,
+                border: `1px solid ${theme.borderSubtle}`,
+                borderRadius: theme.radiusSm,
+                padding: '8px 14px',
+                fontSize: 13,
+                textDecoration: 'none',
+              }}
+            >
+              Download my data
+            </a>
+            <Button variant="secondary" onClick={() => setShowForm(true)}>Delete my account</Button>
+          </div>
         </>
       ) : (
         <>

From 028b2eb87def031d7988ced373d6d4c0f33c0661 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 16:49:10 -0700
Subject: [PATCH 049/131] chore: pg advisory lock on scheduler + open
 /partners/:id/revoke to scoped tokens
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Scheduler: each job tick now opens a txn, takes pg_try_advisory_xact_lock
keyed off the job name, runs the handler, commits. If another instance
holds the lock the tick skips. Removes the multi-instance double-fire
foot-gun if we ever scale beyond one App Platform instance.

Partners: /partners/:id/revoke gains grantScope('partners:write') so
the Network's federation revokePartnerOnVendor call (scoped key, not
admin token) actually reaches the handler instead of 401ing. This is
the receiving side of the creator-deletion fan-out — without it the
Network was firing revokes into the void.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/partners.ts |  2 +-
 apps/api/src/scheduler.ts       | 33 ++++++++++++++++++++++++++++++++-
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/apps/api/src/routes/partners.ts b/apps/api/src/routes/partners.ts
index deb6407..e77fc53 100644
--- a/apps/api/src/routes/partners.ts
+++ b/apps/api/src/routes/partners.ts
@@ -168,7 +168,7 @@ const revokeSchema = z.object({
  * untouched. Future attribution skips them; router flags clicks on their
  * links as 'revoked'. Sends a notification email unless notify=false.
  */
-partnersRouter.post('/partners/:id/revoke', requireAuth, requireAdmin, async (req, res) => {
+partnersRouter.post('/partners/:id/revoke', requireAuth, grantScope('partners:write'), requireAdmin, async (req, res) => {
   const { db, tenantId } = tenantOf(req);
   const body = revokeSchema.safeParse(req.body ?? {});
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
diff --git a/apps/api/src/scheduler.ts b/apps/api/src/scheduler.ts
index 3de45fd..c01a3d4 100644
--- a/apps/api/src/scheduler.ts
+++ b/apps/api/src/scheduler.ts
@@ -166,11 +166,30 @@ export function startScheduler(): void {
       { name: job.name, timezone: 'UTC', protect: true },
       async () => {
         const start = Date.now();
-        console.log(`[scheduler] ${job.name} starting`);
+        // pg advisory lock keyed off the job name — guarantees only one
+        // process across the whole cluster runs the body, even if the
+        // app scales to multiple instances. Two-int form to match the
+        // 64-bit signature; use a stable hash of the name so the same
+        // job always lands on the same key.
+        const [classId, objId] = lockKeyForJob(job.name);
+        const trx = await db.transaction();
+        let acquired = false;
         try {
+          const r = (await trx.raw('select pg_try_advisory_xact_lock(?, ?) as locked', [classId, objId])) as {
+            rows: Array<{ locked: boolean }>;
+          };
+          acquired = !!r.rows[0]?.locked;
+          if (!acquired) {
+            console.log(`[scheduler] ${job.name} skipped — another instance holds the lock`);
+            await trx.rollback();
+            return;
+          }
+          console.log(`[scheduler] ${job.name} starting`);
           const result = await job.handler();
+          await trx.commit();
           console.log(`[scheduler] ${job.name} finished in ${Date.now() - start}ms`, result);
         } catch (err) {
+          await trx.rollback().catch(() => {});
           console.error(`[scheduler] ${job.name} failed`, err);
         }
       },
@@ -181,6 +200,18 @@ export function startScheduler(): void {
   started = true;
 }
 
+/** Stable two-int advisory-lock key for a job name. The xact-scoped
+ *  variant releases on commit/rollback, so we don't need explicit
+ *  unlock. Class id is fixed so all our scheduler locks share a
+ *  namespace. */
+function lockKeyForJob(name: string): [number, number] {
+  let h = 0;
+  for (let i = 0; i < name.length; i += 1) h = ((h << 5) - h + name.charCodeAt(i)) | 0;
+  // 0x534F503F = 'SCHED' magic-ish — any constant works as long as it
+  // doesn't collide with another locker on the same DB.
+  return [0x534f503f, h];
+}
+
 export function stopScheduler(): void {
   for (const h of handles) h.stop();
   handles.length = 0;

From 8da1bcd9094332a83db4fa0a9eb4131959479451 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 16:58:03 -0700
Subject: [PATCH 050/131] feat(network): one-click auto-enroll for existing
 tenants + brand rename
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Settings: "Program info" → "Brand info", "Program name" → "Brand
  name". Aligns with the marketing voice (a brand has many programs/
  offerings; the workspace is the brand, not a single program).
- Network admin subtitle: "find your program" → "list your brand …
  creators can find and apply to your programs."
- New POST /config/network/auto-enroll: backend uses
  NETWORK_ADMIN_API_KEY to skip the email-verify round trip and mint
  the vendorToken inline, same path the multi-tenant signup uses.
  Requires a session-derived admin (so we have an email to send to
  Network); env/scoped admins fall back to /start-connect.
- Network admin Not-connected card now shows "List my brand on the
  Network" as the primary action. The email-verify form is still
  available behind a "self-host?" toggle for deployments without
  the admin token.

Closes the gap noted earlier: brands created before auto-enroll-on-
signup landed can now self-fix in one click.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/settings.ts          | 76 +++++++++++++++++++++++-
 apps/portal/src/pages/admin/Network.tsx  | 74 ++++++++++++++++-------
 apps/portal/src/pages/admin/Settings.tsx |  8 +--
 3 files changed, 133 insertions(+), 25 deletions(-)

diff --git a/apps/api/src/routes/settings.ts b/apps/api/src/routes/settings.ts
index 7bcb8b2..06674ef 100644
--- a/apps/api/src/routes/settings.ts
+++ b/apps/api/src/routes/settings.ts
@@ -12,7 +12,7 @@
 import { Router } from 'express';
 import type { Knex } from 'knex';
 import { z } from 'zod';
-import { TABLES, type ConfigRow } from '@openpartner/db';
+import { TABLES, type AdminRow, type ConfigRow, type TenantRow } from '@openpartner/db';
 import { requireAdmin, requireAuth } from '../auth.js';
 import {
   MailSettingsValidationError,
@@ -309,6 +309,80 @@ settingsRouter.post('/config/network/start-connect', requireAuth, requireAdmin,
   res.status(202).json({ vendorId: signup.vendorId, status: 'pending', emailSent });
 });
 
+// One-click enroll for tenants that pre-date the auto-enroll-on-signup
+// flow. Uses NETWORK_ADMIN_API_KEY to skip the email-verify round trip
+// — the brand admin is already signed in here, no point re-confirming.
+// Self-host deployments without NETWORK_ADMIN_API_KEY still use the
+// /start-connect email-verify path.
+settingsRouter.post('/config/network/auto-enroll', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId, tenantSlug } = (() => {
+    const t = tenantOf(req);
+    return { ...t, tenantSlug: req.tenantSlug ?? null };
+  })();
+
+  const networkUrl = process.env.NETWORK_URL;
+  const adminToken = process.env.NETWORK_ADMIN_API_KEY;
+  if (!networkUrl) return res.status(503).json({ error: 'network_url_not_configured' });
+  if (!adminToken) return res.status(503).json({ error: 'admin_token_not_configured', detail: 'NETWORK_ADMIN_API_KEY required for auto-enroll' });
+
+  const tenantRow = await db<TenantRow>(TABLES.Tenant).where({ id: tenantId }).first();
+  if (!tenantRow) return res.status(404).json({ error: 'tenant_not_found' });
+
+  // Need a session-derived admin so we have a real Admin row + email.
+  // Env-bearer / scoped-key admins lack that, so they should use the
+  // manual /start-connect flow which takes contactEmail explicitly.
+  const principal = req.principal;
+  const adminId = principal?.role === 'admin' && principal.source === 'session' ? principal.adminId : null;
+  if (!adminId) return res.status(400).json({ error: 'session_admin_required', detail: 'Auto-enroll needs a logged-in admin; env/scoped admins should use start-connect with contactEmail.' });
+  const adminRow = await db<AdminRow>(TABLES.Admin).where({ id: adminId }).first();
+  const adminEmail = adminRow?.email;
+  if (!adminEmail) return res.status(400).json({ error: 'admin_email_unresolvable' });
+
+  const protoHost = `${req.protocol}://${req.get('host') ?? ''}`;
+  const tenantPath = tenantSlug ? `/t/${tenantSlug}` : '';
+  const inferredInstanceUrl = `${protoHost}${tenantPath}/api`;
+  const inferredCallback = `${protoHost}${tenantPath}/admin/network/complete`;
+
+  const scoped = await createApiKeyRow(db, {
+    tenantId,
+    scopes: [...NETWORK_FEDERATION_SCOPES],
+    label: 'network_federation',
+  });
+
+  let signup;
+  try {
+    signup = await signupWithNetwork({
+      networkUrl,
+      instanceUrl: inferredInstanceUrl,
+      scopedKey: scoped.plaintext,
+      displayName: tenantRow.displayName,
+      contactEmail: adminEmail,
+      tier: 'hosted',
+      portalCallbackUrl: inferredCallback,
+      adminAuthToken: adminToken,
+    });
+  } catch (err) {
+    return res.status(502).json({ error: 'network_signup_failed', detail: err instanceof Error ? err.message : String(err) });
+  }
+
+  if (signup.status !== 'active') {
+    // Network refused the admin auth — fall back state. Shouldn't happen
+    // in practice but surface clearly so the operator knows the env is wrong.
+    return res.status(502).json({ error: 'admin_path_rejected', detail: 'Network signup did not return active; check NETWORK_ADMIN_API_KEY' });
+  }
+
+  await saveNetworkMembership(db, tenantId, {
+    enabled: true,
+    networkUrl,
+    vendorToken: signup.vendorToken,
+    scopedKeyId: scoped.id,
+    autoEnroll: true,
+    vendorId: signup.vendorId,
+  });
+
+  res.json({ ok: true, vendorId: signup.vendorId });
+});
+
 const completeConnectSchema = z.object({ ntoken: z.string().min(20) });
 
 settingsRouter.post('/config/network/complete-connect', requireAuth, requireAdmin, async (req, res) => {
diff --git a/apps/portal/src/pages/admin/Network.tsx b/apps/portal/src/pages/admin/Network.tsx
index 65e7909..42be79d 100644
--- a/apps/portal/src/pages/admin/Network.tsx
+++ b/apps/portal/src/pages/admin/Network.tsx
@@ -28,7 +28,7 @@ export function AdminNetwork() {
   return (
     <Page
       title="Network"
-      subtitle="Connect this instance to the OpenPartner Network so creators can find your program."
+      subtitle="List your brand on the OpenPartner Network so creators can find and apply to your programs."
     >
       <NetworkConnection />
     </Page>
@@ -65,8 +65,24 @@ function ConnectForm({ membership }: { membership: NetworkMembership }) {
   const [contactEmail, setContactEmail] = useState('');
   const [displayName, setDisplayName] = useState('');
   const [error, setError] = useState<string | null>(null);
+  const [showManual, setShowManual] = useState(false);
 
-  const m = useMutation({
+  // One-click path: backend uses NETWORK_ADMIN_API_KEY to skip the
+  // email-verify round trip. Available on the hosted deployment; not
+  // on self-host (where the operator doesn't have the Network's admin
+  // key).
+  const auto = useMutation({
+    mutationFn: () => api('/config/network/auto-enroll', { method: 'POST' }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['network-membership'] }),
+    onError: (err) => {
+      const msg = err instanceof ApiError ? err.message : 'failed';
+      // If admin token isn't configured, fall back to the manual form.
+      if (msg.includes('admin_token_not_configured')) setShowManual(true);
+      setError(msg);
+    },
+  });
+
+  const manual = useMutation({
     mutationFn: () => api('/config/network/start-connect', {
       method: 'POST',
       body: { contactEmail: contactEmail || undefined, displayName: displayName || undefined },
@@ -79,30 +95,48 @@ function ConnectForm({ membership }: { membership: NetworkMembership }) {
     <Card>
       <h3 style={{ marginTop: 0 }}>Not connected</h3>
       <p>
-        Get matched with creators on the OpenPartner Network. We'll mint a scoped federation key for the
-        Network to call back with, then email a confirmation link to your contact address.
+        Get matched with creators on the OpenPartner Network. Once connected, your published offerings
+        show up in creator discovery and applications come into your Requests queue.
       </p>
       {membership.networkUrl && (
         <p style={{ fontSize: 13, color: '#6b7280' }}>
           Network: <code>{membership.networkUrl}</code>
         </p>
       )}
-      {error && <ErrorBanner error={error === 'network_url_not_configured' ? 'NETWORK_URL env not set on this instance.' : error} />}
-      <div style={{ marginBottom: 12 }}>
-        <Label>Contact email (where the confirmation link goes)</Label>
-        <Input value={contactEmail} onChange={(e) => setContactEmail(e.target.value)} placeholder="admin@yourbrand.com" />
-      </div>
-      <div style={{ marginBottom: 12 }}>
-        <Label>Display name (shown to creators)</Label>
-        <Input value={displayName} onChange={(e) => setDisplayName(e.target.value)} placeholder="Your brand" />
-      </div>
-      <Button onClick={() => m.mutate()} disabled={m.isPending || !contactEmail}>
-        {m.isPending ? 'Sending…' : 'Connect to Network'}
-      </Button>
-      {m.isSuccess && (
-        <p style={{ marginTop: 12, color: '#1a6b1a' }}>
-          Confirmation email sent. Click the link to finish connecting.
-        </p>
+      {error && (
+        <ErrorBanner error={error === 'network_url_not_configured' ? 'NETWORK_URL env not set on this instance.' : error} />
+      )}
+      {!showManual ? (
+        <>
+          <Button onClick={() => auto.mutate()} disabled={auto.isPending}>
+            {auto.isPending ? 'Connecting…' : 'List my brand on the Network'}
+          </Button>
+          <p style={{ marginTop: 10, fontSize: 12, color: '#6b7280' }}>
+            Self-host?{' '}
+            <button type="button" onClick={() => setShowManual(true)} style={{ background: 'transparent', border: 'none', color: '#0d9488', cursor: 'pointer', padding: 0 }}>
+              Use the email-verify flow instead
+            </button>
+          </p>
+        </>
+      ) : (
+        <>
+          <div style={{ marginBottom: 12 }}>
+            <Label>Contact email (where the confirmation link goes)</Label>
+            <Input value={contactEmail} onChange={(e) => setContactEmail(e.target.value)} placeholder="admin@yourbrand.com" />
+          </div>
+          <div style={{ marginBottom: 12 }}>
+            <Label>Display name (shown to creators)</Label>
+            <Input value={displayName} onChange={(e) => setDisplayName(e.target.value)} placeholder="Your brand" />
+          </div>
+          <Button onClick={() => manual.mutate()} disabled={manual.isPending || !contactEmail}>
+            {manual.isPending ? 'Sending…' : 'Send verification email'}
+          </Button>
+          {manual.isSuccess && (
+            <p style={{ marginTop: 12, color: '#1a6b1a' }}>
+              Confirmation email sent. Click the link to finish connecting.
+            </p>
+          )}
+        </>
       )}
     </Card>
   );
diff --git a/apps/portal/src/pages/admin/Settings.tsx b/apps/portal/src/pages/admin/Settings.tsx
index 47cda2d..62ddecb 100644
--- a/apps/portal/src/pages/admin/Settings.tsx
+++ b/apps/portal/src/pages/admin/Settings.tsx
@@ -21,7 +21,7 @@ interface PublicMailSettings {
 
 export function AdminSettings() {
   return (
-    <Page title="Settings" subtitle="How the partner portal identifies your program and how it sends mail.">
+    <Page title="Settings" subtitle="How the partner portal identifies your brand and how it sends mail.">
       <ProgramSection />
       <div style={{ height: 18 }} />
       <MailSection />
@@ -66,12 +66,12 @@ function ProgramSection() {
     <Card>
       <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 16 }}>
         <SettingsIcon size={18} color={theme.accent} />
-        <div style={{ fontSize: 15, fontWeight: 500 }}>Program info</div>
+        <div style={{ fontSize: 15, fontWeight: 500 }}>Brand info</div>
       </div>
       <ErrorBanner error={error ?? mut.error} />
       <div style={{ marginBottom: 16 }}>
-        <Label>Program name</Label>
-        <Input value={programName} onChange={(e) => setProgramName(e.target.value)} placeholder="e.g. Acme Partners" maxLength={120} />
+        <Label>Brand name</Label>
+        <Input value={programName} onChange={(e) => setProgramName(e.target.value)} placeholder="e.g. Acme" maxLength={120} />
         <Hint>Shown to partners in the portal. Leave blank to fall back to "OpenPartner".</Hint>
       </div>
       <div style={{ marginBottom: 18 }}>

From 0512194f24fa9a986d275b047e18e3f2123f3475 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 17:13:15 -0700
Subject: [PATCH 051/131] fix(emails): partner invite + signin emails name the
 brand
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The partner-invite/signin emails were brand-agnostic — recipients
got "You're invited to the partner program" with no clue who from.
Resolve brand name (program_settings.programName → Tenant.displayName
→ null) and interpolate into subject + body. New shared helper
brand-name.ts so partner-side callers don't duplicate the lookup.

- partnerInviteEmail subject: "You're invited to the partner program"
  → "You're invited to Acme's partner program"
- partnerSigninEmail subject: "Your partner dashboard sign-in link"
  → "Sign in to Acme"
- Both bodies interpolate the brand into the lead sentence.
- Falls back to the original generic copy when brandName is null
  (e.g. self-host without program_settings configured).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/brand-name.ts            | 19 +++++++++++++++++++
 apps/api/src/email-templates.ts       | 17 ++++++++++-------
 apps/api/src/routes/partner-auth.ts   |  4 +++-
 apps/api/src/routes/partner-signup.ts |  4 +++-
 apps/api/src/routes/partners.ts       |  8 ++++++--
 5 files changed, 41 insertions(+), 11 deletions(-)
 create mode 100644 apps/api/src/brand-name.ts

diff --git a/apps/api/src/brand-name.ts b/apps/api/src/brand-name.ts
new file mode 100644
index 0000000..ff35e8f
--- /dev/null
+++ b/apps/api/src/brand-name.ts
@@ -0,0 +1,19 @@
+/**
+ * Resolve the user-facing brand name for a tenant.
+ *
+ * Priority:
+ *   1. program_settings.programName from Config (admin-set in Settings)
+ *   2. Tenant.displayName (set at signup; always populated for hosted)
+ *   3. null (callers fall back to a generic phrase)
+ */
+
+import type { Knex } from 'knex';
+import { TABLES, type ConfigRow, type TenantRow } from '@openpartner/db';
+
+export async function resolveBrandName(db: Knex, tenantId: string): Promise<string | null> {
+  const row = await db<ConfigRow>(TABLES.Config).where({ tenantId, key: 'program_settings' }).first();
+  const value = (row?.value ?? {}) as { programName?: string };
+  if (value.programName && value.programName.trim()) return value.programName.trim();
+  const tenant = await db<TenantRow>(TABLES.Tenant).where({ id: tenantId }).first();
+  return tenant?.displayName ?? null;
+}
diff --git a/apps/api/src/email-templates.ts b/apps/api/src/email-templates.ts
index 69846fe..7696d87 100644
--- a/apps/api/src/email-templates.ts
+++ b/apps/api/src/email-templates.ts
@@ -20,13 +20,14 @@ export interface EmailTemplate {
   html: string;
 }
 
-export function partnerInviteEmail(name: string, link: string): EmailTemplate {
-  const subject = `You're invited to the partner program`;
+export function partnerInviteEmail(name: string, link: string, brandName: string | null = null): EmailTemplate {
+  const brand = brandName || 'the partner program';
+  const subject = brandName ? `You're invited to ${brandName}'s partner program` : `You're invited to the partner program`;
   const text = [
     `Hi ${name},`,
     ``,
-    `You've been invited to join the partner program. Click the link below`,
-    `to accept and set up your dashboard:`,
+    `You've been invited to join ${brand}. Click the link below to accept`,
+    `and set up your dashboard:`,
     ``,
     link,
     ``,
@@ -35,12 +36,14 @@ export function partnerInviteEmail(name: string, link: string): EmailTemplate {
   return { subject, text, html: wrap(text, link, 'Accept invite') };
 }
 
-export function partnerSigninEmail(name: string, link: string): EmailTemplate {
-  const subject = `Your partner dashboard sign-in link`;
+export function partnerSigninEmail(name: string, link: string, brandName: string | null = null): EmailTemplate {
+  const subject = brandName ? `Sign in to ${brandName}` : `Your partner dashboard sign-in link`;
   const text = [
     `Hi ${name},`,
     ``,
-    `Click the link below to sign in to your partner dashboard:`,
+    brandName
+      ? `Click the link below to sign in to ${brandName}:`
+      : `Click the link below to sign in to your partner dashboard:`,
     ``,
     link,
     ``,
diff --git a/apps/api/src/routes/partner-auth.ts b/apps/api/src/routes/partner-auth.ts
index 605ebfc..20c3aa7 100644
--- a/apps/api/src/routes/partner-auth.ts
+++ b/apps/api/src/routes/partner-auth.ts
@@ -82,7 +82,9 @@ partnerAuthRouter.post('/auth/signin', mailAuthLimit, async (req, res) => {
       principalKind: 'partner',
       principalId: partner.id,
     });
-    const tmpl = partnerSigninEmail(partner.name, buildMagicLinkUrl(issued.plaintext, req.tenantSlug));
+    const { resolveBrandName } = await import('../brand-name.js');
+    const brandName = await resolveBrandName(db, tenantId);
+    const tmpl = partnerSigninEmail(partner.name, buildMagicLinkUrl(issued.plaintext, req.tenantSlug), brandName);
     await getMailer().send({ db, tenantId }, {
       to: email,
       subject: tmpl.subject,
diff --git a/apps/api/src/routes/partner-signup.ts b/apps/api/src/routes/partner-signup.ts
index 8e4b21f..61f431b 100644
--- a/apps/api/src/routes/partner-signup.ts
+++ b/apps/api/src/routes/partner-signup.ts
@@ -161,7 +161,9 @@ partnerSignupRouter.post('/partner-signup', signupLimit, async (req, res) => {
     principalKind: 'partner',
     principalId: partner.id,
   });
-  const tmpl = partnerInviteEmail(partner.name, buildMagicLinkUrl(issued.plaintext, req.tenantSlug));
+  const { resolveBrandName } = await import('../brand-name.js');
+  const brandName = await resolveBrandName(db, tenantId);
+  const tmpl = partnerInviteEmail(partner.name, buildMagicLinkUrl(issued.plaintext, req.tenantSlug), brandName);
   try {
     await getMailer().send({ db, tenantId }, {
       to: email,
diff --git a/apps/api/src/routes/partners.ts b/apps/api/src/routes/partners.ts
index e77fc53..b2bb5c4 100644
--- a/apps/api/src/routes/partners.ts
+++ b/apps/api/src/routes/partners.ts
@@ -75,7 +75,9 @@ partnersRouter.post('/partners', requireAuth, grantScope('partners:write'), requ
       principalKind: 'partner',
       principalId: id,
     });
-    const tmpl = partnerInviteEmail(body.data.name, buildMagicLinkUrl(issued.plaintext));
+    const { resolveBrandName } = await import('../brand-name.js');
+    const brandName = await resolveBrandName(db, tenantId);
+    const tmpl = partnerInviteEmail(body.data.name, buildMagicLinkUrl(issued.plaintext, req.tenantSlug), brandName);
     await getMailer().send({ db, tenantId }, {
       to: email,
       subject: tmpl.subject,
@@ -142,7 +144,9 @@ partnersRouter.post('/partners/:id/invite', requireAuth, requireAdmin, async (re
     principalKind: 'partner',
     principalId: partner.id,
   });
-  const tmpl = partnerInviteEmail(partner.name, buildMagicLinkUrl(issued.plaintext));
+  const { resolveBrandName } = await import('../brand-name.js');
+  const brandName = await resolveBrandName(db, tenantId);
+  const tmpl = partnerInviteEmail(partner.name, buildMagicLinkUrl(issued.plaintext, req.tenantSlug), brandName);
   await getMailer().send({ db, tenantId }, {
     to: partner.email,
     subject: tmpl.subject,

From 57871f4fe1881f473145588e7c153a9606bd443e Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 17:24:00 -0700
Subject: [PATCH 052/131] fix(portal): tenant-scope absolute Links on the
 partner Dashboard
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Getting-started checklist's Create-link / Connect-Stripe CTAs were
hardcoded to "/links" and "/connect", so under multi-tenant the
partner ended up at app.openpartner.dev/links instead of
app.openpartner.dev/t/<slug>/links — and got either a 404 or got
bounced to the public Landing.

Lift useTenantBase() out of App.tsx into a shared util (src/tenant-
base.ts) so any page can reuse it. Dashboard wraps absolute Link
targets in a small TenantLink helper that prepends /t/<slug>/.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/App.tsx             | 10 +---------
 apps/portal/src/pages/Dashboard.tsx | 17 +++++++++++++----
 apps/portal/src/tenant-base.ts      | 13 +++++++++++++
 3 files changed, 27 insertions(+), 13 deletions(-)
 create mode 100644 apps/portal/src/tenant-base.ts

diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index 95a1eaa..b75ee82 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -20,6 +20,7 @@ import {
   Inbox,
 } from 'lucide-react';
 import { clearApiKey, api, type Principal } from './api.js';
+import { useTenantBase } from './tenant-base.js';
 import { theme } from './theme.js';
 import { Dashboard } from './pages/Dashboard.js';
 import { LinksPage } from './pages/Links.js';
@@ -411,15 +412,6 @@ function NavSection({ title, children }: { title: string; children: ReactNode })
   );
 }
 
-function useTenantBase(): string {
-  // In multi-tenant mode the Shell mounts under /t/<slug>/*. NavItem and
-  // friends pass absolute paths like "/links" — we prepend the tenant
-  // base so navigation stays scoped. Falls back to "" in single-tenant.
-  const { pathname } = useLocation();
-  const m = pathname.match(/^\/t\/([a-z0-9-]+)/);
-  return m ? `/t/${m[1]}` : '';
-}
-
 function NavItem({ to, icon, children }: { to: string; icon: ReactNode; children: ReactNode }) {
   const location = useLocation();
   const tenantBase = useTenantBase();
diff --git a/apps/portal/src/pages/Dashboard.tsx b/apps/portal/src/pages/Dashboard.tsx
index ac04845..608f64a 100644
--- a/apps/portal/src/pages/Dashboard.tsx
+++ b/apps/portal/src/pages/Dashboard.tsx
@@ -13,6 +13,7 @@ import {
   Circle,
 } from 'lucide-react';
 import { api, type Principal } from '../api.js';
+import { useTenantBase } from '../tenant-base.js';
 import { theme } from '../theme.js';
 import { Avatar, Button, Card, EmptyState, ErrorBanner, Page, SectionHeading, Stat, StatusPill, money } from '../ui.js';
 
@@ -205,14 +206,22 @@ function ChecklistRow({
         <div style={{ fontSize: 12, color: theme.textDim, marginTop: 2 }}>{hint}</div>
       </div>
       {!done && (
-        <Link to={to} style={{ textDecoration: 'none' }}>
+        <TenantLink to={to} style={{ textDecoration: 'none' }}>
           <Button size="sm">{cta}</Button>
-        </Link>
+        </TenantLink>
       )}
     </div>
   );
 }
 
+/** Link that prepends the current `/t/<slug>` prefix to absolute paths
+ *  so navigation stays inside the multi-tenant brand workspace. */
+function TenantLink({ to, style, children }: { to: string; style?: React.CSSProperties; children: React.ReactNode }) {
+  const tenantBase = useTenantBase();
+  const href = to.startsWith('/') ? `${tenantBase}${to === '/' ? '' : to}` || '/' : to;
+  return <Link to={href} style={style}>{children}</Link>;
+}
+
 function ConnectNudge({ owed, connected }: { owed: number; connected: boolean }) {
   return (
     <Card>
@@ -228,9 +237,9 @@ function ConnectNudge({ owed, connected }: { owed: number; connected: boolean })
             You have {money(owed)} in commissions {connected ? 'waiting — complete onboarding to get paid.' : 'that can’t be paid out yet.'}
           </div>
         </div>
-        <Link to="/connect" style={{ textDecoration: 'none' }}>
+        <TenantLink to="/connect" style={{ textDecoration: 'none' }}>
           <Button icon={<CreditCard size={14} />}>{connected ? 'Finish onboarding' : 'Connect Stripe'}</Button>
-        </Link>
+        </TenantLink>
       </div>
     </Card>
   );
diff --git a/apps/portal/src/tenant-base.ts b/apps/portal/src/tenant-base.ts
new file mode 100644
index 0000000..b5c90bd
--- /dev/null
+++ b/apps/portal/src/tenant-base.ts
@@ -0,0 +1,13 @@
+import { useLocation } from 'react-router-dom';
+
+/**
+ * Returns the tenant URL prefix (`/t/<slug>`) when we're inside a
+ * multi-tenant route, or `''` otherwise. Anything in the SPA that
+ * builds an absolute path like `/links` should prepend this so the
+ * route stays scoped to the right brand.
+ */
+export function useTenantBase(): string {
+  const { pathname } = useLocation();
+  const m = pathname.match(/^\/t\/([a-z0-9-]+)/);
+  return m ? `/t/${m[1]}` : '';
+}

From b4d0ed8494cc32eb5d06d5c64ba736815be03ef5 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 17:27:43 -0700
Subject: [PATCH 053/131] fix(portal): hide Network sub-nav until the brand is
 connected
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Offerings / Requests / Billing all hard-error without a vendorToken,
so the empty entries were just noise for brands that haven't connected
yet. Sidebar now renders only "Get connected" → /admin/network until
the membership probe shows enabled + token, then expands to the full
section. Re-uses the same /config/network query the page itself uses,
60s staleTime, no retry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/App.tsx | 36 ++++++++++++++++++++++++++++--------
 1 file changed, 28 insertions(+), 8 deletions(-)

diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index b75ee82..c91d0de 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -262,14 +262,7 @@ function Sidebar({ principal }: { principal: Principal }) {
           </NavSection>
         )}
 
-        {principal.role === 'admin' && (
-          <NavSection title="Network">
-            <NavItem to="/admin/network" icon={<Globe size={16} />}>Connection</NavItem>
-            <NavItem to="/admin/network/offerings" icon={<Megaphone size={16} />}>Offerings</NavItem>
-            <NavItem to="/admin/network/requests" icon={<Inbox size={16} />}>Requests</NavItem>
-            <NavItem to="/admin/network/billing" icon={<CreditCard size={16} />}>Billing</NavItem>
-          </NavSection>
-        )}
+        {principal.role === 'admin' && <NetworkNav />}
       </div>
 
       <button
@@ -412,6 +405,33 @@ function NavSection({ title, children }: { title: string; children: ReactNode })
   );
 }
 
+/** Network sidebar section. We only surface Offerings / Requests /
+ *  Billing once the brand is connected — those pages all error out if
+ *  there's no vendorToken, and showing dead nav entries is just noise.
+ *  Connection itself stays visible so the admin can come back to wire
+ *  it up. */
+function NetworkNav() {
+  const { data } = useQuery({
+    queryKey: ['network-membership'],
+    queryFn: () => api<{ enabled: boolean; hasVendorToken: boolean }>('/config/network'),
+    staleTime: 60_000,
+    retry: false,
+  });
+  const connected = !!(data?.enabled && data.hasVendorToken);
+  return (
+    <NavSection title="Network">
+      <NavItem to="/admin/network" icon={<Globe size={16} />}>{connected ? 'Connection' : 'Get connected'}</NavItem>
+      {connected && (
+        <>
+          <NavItem to="/admin/network/offerings" icon={<Megaphone size={16} />}>Offerings</NavItem>
+          <NavItem to="/admin/network/requests" icon={<Inbox size={16} />}>Requests</NavItem>
+          <NavItem to="/admin/network/billing" icon={<CreditCard size={16} />}>Billing</NavItem>
+        </>
+      )}
+    </NavSection>
+  );
+}
+
 function NavItem({ to, icon, children }: { to: string; icon: ReactNode; children: ReactNode }) {
   const location = useLocation();
   const tenantBase = useTenantBase();

From 8c9a00ce71409cff7f4d5eabef9448a75e78f40c Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 18:07:59 -0700
Subject: [PATCH 054/131] refactor(links): destinationUrl belongs to the brand,
 not the partner
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Pulls the destination URL off Link and onto Campaign so the brand owns
where partner share-links land. Partners only choose the slug;
destination is shown read-only at link-create time. Optional deep-
linking is opt-in per Campaign with an allowed-domain allowlist
(matches Tolt / Impact / Partnerize semantics).

Schema (migrations/20260510000000_campaign_destination):
- Campaign gains destinationUrl (NOT NULL after backfill) +
  deepLinkAllowedDomains (nullable comma-separated host list).
- Backfill picks the most-common Link.destinationUrl per Campaign as
  the default; Campaigns with zero Links get a placeholder the brand
  must edit.
- Link.destinationUrl flips to nullable — null means "use Campaign's".

Backend:
- POST /campaigns + new PATCH /campaigns/:id accept destinationUrl
  (required) + deepLinkAllowedDomains (optional).
- POST /partners/:id/links: destinationUrl is now optional. When
  supplied, the Campaign must have deepLinkAllowedDomains set AND the
  override host must match — otherwise destination_override_not_allowed.
- New GET /me/campaigns: partner-friendly read-only campaign list
  (id, name, destinationUrl, deepLinkAllowedDomains only — no
  commission rules / attribution settings).
- Router resolves destinationUrl with Link override winning over
  Campaign default.

Portal:
- AdminCampaigns: create form gains Destination URL (required) +
  Allowed deep-link domains (optional, comma-separated). Table column
  surfaces the destination + a "+ deep links" badge when enabled.
- Links create form: drops the destination input. Surfaces the
  Campaign's destination read-only ("Lands at <url>"). Deep-link
  override only appears when the selected Campaign permits it, with a
  prompt naming the allowed hosts.

Closes the leak you flagged: a creator approved for one program can no
longer point share-link traffic at an unrelated URL. The full "scoped
to programs they were approved for" enforcement is the natural follow-
up; this commit fixes the destination ownership half.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/campaigns.ts              | 53 ++++++++++
 apps/api/src/routes/links.ts                  | 44 ++++++++-
 apps/portal/src/pages/AdminCampaigns.tsx      | 39 +++++++-
 apps/portal/src/pages/Links.tsx               | 98 ++++++++++++++-----
 apps/router/src/server.ts                     | 15 ++-
 .../20260510000000_campaign_destination.ts    | 67 +++++++++++++
 packages/db/src/types.ts                      | 13 ++-
 7 files changed, 295 insertions(+), 34 deletions(-)
 create mode 100644 packages/db/migrations/20260510000000_campaign_destination.ts

diff --git a/apps/api/src/routes/campaigns.ts b/apps/api/src/routes/campaigns.ts
index 945bd4f..fc1ec5d 100644
--- a/apps/api/src/routes/campaigns.ts
+++ b/apps/api/src/routes/campaigns.ts
@@ -20,6 +20,19 @@ const createSchema = z.object({
   commissionRule: commissionRuleSchema,
   attributionWindowDays: z.number().int().min(1).max(365).optional(),
   attributionModel: z.enum(['last_click', 'first_click', 'linear', 'position']).optional(),
+  destinationUrl: z.string().url(),
+  /** Comma-separated host allowlist for partner deep-linking. Null/omitted
+   *  means partners can't override the destination. */
+  deepLinkAllowedDomains: z.string().max(1000).optional(),
+});
+
+const updateSchema = z.object({
+  name: z.string().min(1).optional(),
+  commissionRule: commissionRuleSchema.optional(),
+  attributionWindowDays: z.number().int().min(1).max(365).optional(),
+  attributionModel: z.enum(['last_click', 'first_click', 'linear', 'position']).optional(),
+  destinationUrl: z.string().url().optional(),
+  deepLinkAllowedDomains: z.string().max(1000).nullable().optional(),
 });
 
 export const campaignsRouter = Router();
@@ -30,6 +43,23 @@ campaignsRouter.get('/campaigns', requireAuth, requireAdmin, async (req, res) =>
   res.json({ campaigns });
 });
 
+/**
+ * Partner-facing campaign list — fields are limited to what a partner
+ * needs to create a Link (id, name, destinationUrl, deepLinkAllowedDomains).
+ * Commission rules + attribution settings are admin-only and stay out
+ * of the response.
+ */
+campaignsRouter.get('/me/campaigns', requireAuth, async (req, res) => {
+  if (req.principal?.role !== 'partner' && req.principal?.role !== 'admin') {
+    return res.status(403).json({ error: 'forbidden' });
+  }
+  const { db } = tenantOf(req);
+  const campaigns = (await db<CampaignRow>(TABLES.Campaign)
+    .select('id', 'name', 'destinationUrl', 'deepLinkAllowedDomains')
+    .orderBy('createdAt', 'desc')) as Array<Pick<CampaignRow, 'id' | 'name' | 'destinationUrl' | 'deepLinkAllowedDomains'>>;
+  res.json({ campaigns });
+});
+
 campaignsRouter.post('/campaigns', requireAuth, requireAdmin, async (req, res) => {
   const { db, tenantId } = tenantOf(req);
   const body = createSchema.safeParse(req.body);
@@ -44,8 +74,31 @@ campaignsRouter.post('/campaigns', requireAuth, requireAdmin, async (req, res) =
       commissionRule: body.data.commissionRule,
       attributionWindowDays: body.data.attributionWindowDays ?? 60,
       attributionModel: body.data.attributionModel ?? 'last_click',
+      destinationUrl: body.data.destinationUrl,
+      deepLinkAllowedDomains: body.data.deepLinkAllowedDomains ?? null,
     })
     .returning('*');
 
   res.status(201).json(campaign);
 });
+
+campaignsRouter.patch('/campaigns/:id', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
+  const body = updateSchema.safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const existing = await db<CampaignRow>(TABLES.Campaign).where({ id: req.params.id }).first();
+  if (!existing) return res.status(404).json({ error: 'not_found' });
+
+  const patch: Partial<CampaignRow> = {};
+  if (body.data.name !== undefined) patch.name = body.data.name;
+  if (body.data.commissionRule !== undefined) patch.commissionRule = body.data.commissionRule;
+  if (body.data.attributionWindowDays !== undefined) patch.attributionWindowDays = body.data.attributionWindowDays;
+  if (body.data.attributionModel !== undefined) patch.attributionModel = body.data.attributionModel;
+  if (body.data.destinationUrl !== undefined) patch.destinationUrl = body.data.destinationUrl;
+  if (body.data.deepLinkAllowedDomains !== undefined) patch.deepLinkAllowedDomains = body.data.deepLinkAllowedDomains;
+
+  await db<CampaignRow>(TABLES.Campaign).where({ id: req.params.id }).update(patch);
+  const updated = await db<CampaignRow>(TABLES.Campaign).where({ id: req.params.id }).first();
+  res.json(updated);
+});
diff --git a/apps/api/src/routes/links.ts b/apps/api/src/routes/links.ts
index 3243819..b089575 100644
--- a/apps/api/src/routes/links.ts
+++ b/apps/api/src/routes/links.ts
@@ -1,7 +1,7 @@
 import { Router } from 'express';
 import { z } from 'zod';
 import { ulid } from 'ulid';
-import { TABLES, type LinkRow } from '@openpartner/db';
+import { TABLES, type CampaignRow, type LinkRow } from '@openpartner/db';
 import { grantScope, requireAuth, requirePartnerOrAdmin } from '../auth.js';
 import { tenantOf } from '../tenancy.js';
 
@@ -12,7 +12,11 @@ const createSchema = z.object({
     .max(64)
     .regex(/^[a-zA-Z0-9_-]+$/, 'linkKey must be url-safe'),
   campaignId: z.string().min(1),
-  destinationUrl: z.string().url(),
+  /** Optional override of Campaign.destinationUrl. Allowed only when
+   *  the Campaign has deepLinkAllowedDomains set AND the override host
+   *  matches one of those domains. Otherwise rejected with
+   *  destination_override_not_allowed. */
+  destinationUrl: z.string().url().optional(),
 });
 
 export const linksRouter = Router();
@@ -33,9 +37,26 @@ linksRouter.post('/partners/:id/links', requireAuth, grantScope('links:write'),
   const partner = await db(TABLES.Partner).where({ id: req.params.id }).first();
   if (!partner) return res.status(404).json({ error: 'partner_not_found' });
 
-  const campaign = await db(TABLES.Campaign).where({ id: body.data.campaignId }).first();
+  const campaign = await db<CampaignRow>(TABLES.Campaign).where({ id: body.data.campaignId }).first();
   if (!campaign) return res.status(404).json({ error: 'campaign_not_found' });
 
+  // Destination resolution: if the partner supplied an override, the
+  // Campaign must allow deep-linking AND the override host must match
+  // the allowlist. Otherwise the Link inherits Campaign.destinationUrl
+  // (stored as null on the row → router resolves at click time).
+  let destinationOverride: string | null = null;
+  if (body.data.destinationUrl) {
+    if (!isDeepLinkAllowed(campaign, body.data.destinationUrl)) {
+      return res.status(400).json({
+        error: 'destination_override_not_allowed',
+        detail: campaign.deepLinkAllowedDomains
+          ? `Override must be on one of: ${campaign.deepLinkAllowedDomains}`
+          : 'This program does not allow custom destinations.',
+      });
+    }
+    destinationOverride = body.data.destinationUrl;
+  }
+
   const id = ulid();
   try {
     const [link] = await db<LinkRow>(TABLES.Link)
@@ -45,7 +66,7 @@ linksRouter.post('/partners/:id/links', requireAuth, grantScope('links:write'),
         linkKey: body.data.linkKey,
         partnerId: req.params.id,
         campaignId: body.data.campaignId,
-        destinationUrl: body.data.destinationUrl,
+        destinationUrl: destinationOverride,
       })
       .returning('*');
     res.status(201).json(link);
@@ -57,6 +78,21 @@ linksRouter.post('/partners/:id/links', requireAuth, grantScope('links:write'),
   }
 });
 
+function isDeepLinkAllowed(campaign: CampaignRow, url: string): boolean {
+  if (!campaign.deepLinkAllowedDomains) return false;
+  let host: string;
+  try {
+    host = new URL(url).hostname.toLowerCase();
+  } catch {
+    return false;
+  }
+  return campaign.deepLinkAllowedDomains
+    .split(',')
+    .map((s) => s.trim().toLowerCase())
+    .filter(Boolean)
+    .some((allowed) => host === allowed || host.endsWith(`.${allowed}`));
+}
+
 function isUniqueViolation(err: unknown): boolean {
   return typeof err === 'object' && err !== null && (err as { code?: string }).code === '23505';
 }
diff --git a/apps/portal/src/pages/AdminCampaigns.tsx b/apps/portal/src/pages/AdminCampaigns.tsx
index 9d837b2..4708cbc 100644
--- a/apps/portal/src/pages/AdminCampaigns.tsx
+++ b/apps/portal/src/pages/AdminCampaigns.tsx
@@ -11,6 +11,8 @@ interface Campaign {
   commissionRule: { type: string; value: number; recurring?: boolean };
   attributionWindowDays: number;
   attributionModel: string;
+  destinationUrl: string;
+  deepLinkAllowedDomains: string | null;
   createdAt: string;
 }
 
@@ -48,9 +50,15 @@ export function AdminCampaigns() {
         <EmptyState title="No campaigns yet" hint="A campaign holds the commission rule and attribution settings." icon={<Tag size={28} strokeWidth={1.25} />} />
       ) : (
         <Table
-          columns={['Name', 'Commission', 'Window', 'Model', 'Created']}
+          columns={['Name', 'Destination', 'Commission', 'Window', 'Model', 'Created']}
           rows={(campaigns.data?.campaigns ?? []).map((c) => [
             <span style={{ fontWeight: 500 }}>{c.name}</span>,
+            <span style={{ color: theme.textMuted, fontSize: 12, fontFamily: theme.fontMono }}>
+              {c.destinationUrl ? new URL(c.destinationUrl).hostname + new URL(c.destinationUrl).pathname.replace(/\/$/, '') : '—'}
+              {c.deepLinkAllowedDomains && (
+                <span style={{ color: theme.accent, fontSize: 11, marginLeft: 8 }}>+ deep links</span>
+              )}
+            </span>,
             <span>
               {c.commissionRule.type === 'percent' ? `${c.commissionRule.value}%` : `$${c.commissionRule.value} fixed`}
               {c.commissionRule.recurring && <span style={{ color: theme.textDim, fontSize: 12, marginLeft: 6 }}>(recurring)</span>}
@@ -67,6 +75,8 @@ export function AdminCampaigns() {
 
 function CreateCampaign({ onClose, onCreated }: { onClose: () => void; onCreated: () => void }) {
   const [name, setName] = useState('');
+  const [destinationUrl, setDestinationUrl] = useState('');
+  const [deepLinkDomains, setDeepLinkDomains] = useState('');
   const [ruleType, setRuleType] = useState<'percent' | 'fixed'>('percent');
   const [ruleValue, setRuleValue] = useState('20');
   const [recurring, setRecurring] = useState(true);
@@ -79,6 +89,8 @@ function CreateCampaign({ onClose, onCreated }: { onClose: () => void; onCreated
         method: 'POST',
         body: {
           name,
+          destinationUrl,
+          deepLinkAllowedDomains: deepLinkDomains.trim() || undefined,
           commissionRule: { type: ruleType, value: Number(ruleValue), recurring },
           attributionWindowDays: Number(windowDays),
           attributionModel: model,
@@ -95,6 +107,29 @@ function CreateCampaign({ onClose, onCreated }: { onClose: () => void; onCreated
         <Label>Name</Label>
         <Input value={name} onChange={(e) => setName(e.target.value)} placeholder="Default" />
       </div>
+      <div style={{ marginBottom: 14 }}>
+        <Label>Destination URL</Label>
+        <Input
+          type="url"
+          value={destinationUrl}
+          onChange={(e) => setDestinationUrl(e.target.value)}
+          placeholder="https://yourbrand.com/landing-page"
+        />
+        <div style={{ fontSize: 12, color: theme.textDim, marginTop: 4 }}>
+          Where partner share-links for this campaign land. Partners can&rsquo;t change this unless you allow deep links below.
+        </div>
+      </div>
+      <div style={{ marginBottom: 14 }}>
+        <Label>Allowed deep-link domains (optional)</Label>
+        <Input
+          value={deepLinkDomains}
+          onChange={(e) => setDeepLinkDomains(e.target.value)}
+          placeholder="yourbrand.com,docs.yourbrand.com"
+        />
+        <div style={{ fontSize: 12, color: theme.textDim, marginTop: 4 }}>
+          Comma-separated host list. Partners can override the destination on share-links as long as their override matches one of these. Leave blank to lock destinations.
+        </div>
+      </div>
       <div style={{ display: 'grid', gridTemplateColumns: '140px 1fr auto', gap: 12, marginBottom: 14, alignItems: 'end' }}>
         <div>
           <Label>Rule</Label>
@@ -128,7 +163,7 @@ function CreateCampaign({ onClose, onCreated }: { onClose: () => void; onCreated
         </div>
       </div>
       <div style={{ display: 'flex', gap: 8 }}>
-        <Button onClick={() => mut.mutate()} disabled={!name || !ruleValue || mut.isPending}>
+        <Button onClick={() => mut.mutate()} disabled={!name || !ruleValue || !destinationUrl || mut.isPending}>
           {mut.isPending ? 'Creating…' : 'Create campaign'}
         </Button>
         <Button variant="secondary" onClick={onClose}>Cancel</Button>
diff --git a/apps/portal/src/pages/Links.tsx b/apps/portal/src/pages/Links.tsx
index bec077c..80445f7 100644
--- a/apps/portal/src/pages/Links.tsx
+++ b/apps/portal/src/pages/Links.tsx
@@ -9,7 +9,7 @@ import { Avatar, Button, Card, EmptyState, ErrorBanner, Input, Label, Page, Sele
 interface LinkRow {
   id: string;
   linkKey: string;
-  destinationUrl: string;
+  destinationUrl: string | null;
   campaignId: string;
   partnerId: string;
   createdAt: string;
@@ -18,6 +18,8 @@ interface LinkRow {
 interface Campaign {
   id: string;
   name: string;
+  destinationUrl: string;
+  deepLinkAllowedDomains: string | null;
 }
 
 export function LinksPage({ principal }: { principal: Principal }) {
@@ -86,10 +88,12 @@ function PartnerLinks({ partnerId, readOnly }: { partnerId: string; readOnly: bo
     queryFn: () => api<{ links: LinkRow[] }>(`/partners/${partnerId}/links`),
   });
 
+  // Partners need this too — they pick a Program when creating a link
+  // and we surface the inherited destination. /me/campaigns is the
+  // partner-friendly read-only slice (no commission rules etc.).
   const campaigns = useQuery({
-    queryKey: ['campaigns'],
-    queryFn: () => api<{ campaigns: Campaign[] }>('/campaigns').catch(() => ({ campaigns: [] })),
-    enabled: !readOnly,
+    queryKey: ['me-campaigns'],
+    queryFn: () => api<{ campaigns: Campaign[] }>('/me/campaigns').catch(() => ({ campaigns: [] })),
   });
 
   return (
@@ -130,13 +134,22 @@ function PartnerLinks({ partnerId, readOnly }: { partnerId: string; readOnly: bo
         />
       ) : (
         <Table
-          columns={['Key', 'Destination', 'Campaign', 'Created']}
-          rows={(links.data?.links ?? []).map((l) => [
-            <code style={{ color: theme.accent }}>/r/{l.linkKey}</code>,
-            <span style={{ color: theme.textMuted }}>{l.destinationUrl}</span>,
-            <code style={{ color: theme.textDim, fontSize: 12 }}>{l.campaignId.slice(0, 8)}…</code>,
-            <span style={{ color: theme.textMuted }}>{formatDate(l.createdAt, { relative: true })}</span>,
-          ])}
+          columns={['Key', 'Destination', 'Program', 'Created']}
+          rows={(links.data?.links ?? []).map((l) => {
+            const campaign = campaigns.data?.campaigns.find((c) => c.id === l.campaignId);
+            const dest = l.destinationUrl ?? campaign?.destinationUrl ?? '—';
+            return [
+              <code style={{ color: theme.accent }}>/r/{l.linkKey}</code>,
+              <span style={{ color: theme.textMuted, fontSize: 13 }}>
+                {dest}
+                {l.destinationUrl && (
+                  <span style={{ color: theme.accent, fontSize: 11, marginLeft: 8 }}>(deep link)</span>
+                )}
+              </span>,
+              <span>{campaign?.name ?? <code style={{ color: theme.textDim, fontSize: 12 }}>{l.campaignId.slice(0, 8)}…</code>}</span>,
+              <span style={{ color: theme.textMuted }}>{formatDate(l.createdAt, { relative: true })}</span>,
+            ];
+          })}
         />
       )}
     </Page>
@@ -155,14 +168,24 @@ function CreateLink({
   onCreated: () => void;
 }) {
   const [linkKey, setLinkKey] = useState('');
-  const [destinationUrl, setDestinationUrl] = useState('');
   const [campaignId, setCampaignId] = useState(campaigns[0]?.id ?? '');
+  const [useDeepLink, setUseDeepLink] = useState(false);
+  const [destinationOverride, setDestinationOverride] = useState('');
+
+  const selectedCampaign = campaigns.find((c) => c.id === campaignId);
+  const deepLinkAllowed = !!selectedCampaign?.deepLinkAllowedDomains;
 
   const mut = useMutation({
     mutationFn: () =>
       api(`/partners/${partnerId}/links`, {
         method: 'POST',
-        body: { linkKey, destinationUrl, campaignId },
+        body: {
+          linkKey,
+          campaignId,
+          // Only send destinationUrl when the partner has explicitly
+          // opted into a deep-link override on a Campaign that allows it.
+          destinationUrl: useDeepLink && destinationOverride ? destinationOverride : undefined,
+        },
       }),
     onSuccess: onCreated,
   });
@@ -171,18 +194,8 @@ function CreateLink({
     <Card style={{ marginBottom: 16 }}>
       <div style={{ fontSize: 15, fontWeight: 500, marginBottom: 16 }}>New link</div>
       <ErrorBanner error={mut.error} />
-      <div style={{ display: 'grid', gridTemplateColumns: '1fr 2fr', gap: 14, marginBottom: 14 }}>
-        <div>
-          <Label>Link key</Label>
-          <Input value={linkKey} onChange={(e) => setLinkKey(e.target.value)} placeholder="ada" />
-        </div>
-        <div>
-          <Label>Destination URL</Label>
-          <Input value={destinationUrl} onChange={(e) => setDestinationUrl(e.target.value)} placeholder="https://…" />
-        </div>
-      </div>
-      <div style={{ marginBottom: 16 }}>
-        <Label>Campaign</Label>
+      <div style={{ marginBottom: 14 }}>
+        <Label>Program</Label>
         {campaigns.length === 0 ? (
           <Input value={campaignId} onChange={(e) => setCampaignId(e.target.value)} placeholder="campaign id (ULID)" />
         ) : (
@@ -194,9 +207,42 @@ function CreateLink({
             ))}
           </Select>
         )}
+        {selectedCampaign && (
+          <div style={{ fontSize: 12, color: theme.textMuted, marginTop: 6 }}>
+            Lands at <code style={{ color: theme.textMuted }}>{selectedCampaign.destinationUrl}</code>
+          </div>
+        )}
+      </div>
+      <div style={{ marginBottom: 14 }}>
+        <Label>Link key</Label>
+        <Input value={linkKey} onChange={(e) => setLinkKey(e.target.value)} placeholder="ada" />
+        <div style={{ fontSize: 12, color: theme.textDim, marginTop: 6 }}>
+          Becomes <code style={{ color: theme.textDim }}>/r/{linkKey || 'your-key'}</code>.
+        </div>
       </div>
+      {deepLinkAllowed && (
+        <div style={{ marginBottom: 16 }}>
+          <label style={{ display: 'flex', gap: 8, alignItems: 'center', fontSize: 13, color: theme.text, marginBottom: 8 }}>
+            <input type="checkbox" checked={useDeepLink} onChange={(e) => setUseDeepLink(e.target.checked)} />
+            Deep-link to a specific page on the brand&rsquo;s site
+          </label>
+          {useDeepLink && (
+            <>
+              <Input
+                type="url"
+                value={destinationOverride}
+                onChange={(e) => setDestinationOverride(e.target.value)}
+                placeholder={`https://${selectedCampaign?.deepLinkAllowedDomains?.split(',')[0]?.trim() ?? 'yourbrand.com'}/some/page`}
+              />
+              <div style={{ fontSize: 12, color: theme.textDim, marginTop: 6 }}>
+                Must be on: {selectedCampaign?.deepLinkAllowedDomains}
+              </div>
+            </>
+          )}
+        </div>
+      )}
       <div style={{ display: 'flex', gap: 8 }}>
-        <Button onClick={() => mut.mutate()} disabled={!linkKey || !destinationUrl || !campaignId || mut.isPending}>
+        <Button onClick={() => mut.mutate()} disabled={!linkKey || !campaignId || mut.isPending}>
           {mut.isPending ? 'Creating…' : 'Create link'}
         </Button>
         <Button variant="secondary" onClick={onClose}>
diff --git a/apps/router/src/server.ts b/apps/router/src/server.ts
index d866ea9..f0ab4b2 100644
--- a/apps/router/src/server.ts
+++ b/apps/router/src/server.ts
@@ -32,8 +32,21 @@ app.get('/r/:linkKey', async (c) => {
     | undefined;
   const partnerRevoked = !!partner?.revokedAt;
 
+  // Destination resolution: per-Link override (deep link) wins; otherwise
+  // inherit from the Campaign. This is the source-of-truth flip — brands
+  // own the destination via Campaign.destinationUrl, partners only get
+  // an override when the Campaign explicitly allows deep-linking.
+  let destinationUrl = link.destinationUrl;
+  if (!destinationUrl) {
+    const campaign = (await db('Campaign').where({ id: link.campaignId }).first()) as
+      | { destinationUrl: string }
+      | undefined;
+    if (!campaign) return c.text('Campaign not found', 410);
+    destinationUrl = campaign.destinationUrl;
+  }
+
   const clickId = ulid();
-  const destination = new URL(link.destinationUrl);
+  const destination = new URL(destinationUrl);
   destination.searchParams.set('cref', clickId);
 
   // Prefer proxy headers when they're present (we run behind Caddy /
diff --git a/packages/db/migrations/20260510000000_campaign_destination.ts b/packages/db/migrations/20260510000000_campaign_destination.ts
new file mode 100644
index 0000000..a2bffc0
--- /dev/null
+++ b/packages/db/migrations/20260510000000_campaign_destination.ts
@@ -0,0 +1,67 @@
+/**
+ * Move destinationUrl onto Campaign so the brand controls it, not the
+ * partner. Today every Link carries its own destinationUrl which means
+ * a partner can point their share link anywhere — fine for the early
+ * single-tenant model where links were admin-created, but wrong for
+ * multi-tenant where partners create their own links and the brand
+ * needs to control where traffic lands.
+ *
+ * Backfill: pick the most-common destinationUrl per Campaign as its
+ * default. (Brands almost always use one URL per Campaign anyway.)
+ *
+ * deepLinkAllowedDomains is a comma-separated allowlist; when set,
+ * partners can override the destination as long as their override
+ * matches one of the allowed hosts. Empty = partner can't override.
+ *
+ * Link.destinationUrl stays for now as an override field (NULL = use
+ * Campaign default). Lock-down to Campaign-only is a future migration
+ * once the UI lands and we're sure no caller relies on the per-Link
+ * value.
+ */
+
+import type { Knex } from 'knex';
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Campaign', (t) => {
+    t.string('destinationUrl');
+    t.string('deepLinkAllowedDomains'); // comma-separated host list; null = no overrides
+  });
+
+  // Backfill: most-common destinationUrl per Campaign. Falls back to
+  // empty string if a Campaign has zero Links (those are picked up in
+  // the manual NOT NULL conversion below).
+  await knex.raw(`
+    update "Campaign" c
+    set "destinationUrl" = (
+      select "destinationUrl" from "Link" l
+      where l."campaignId" = c.id
+      group by "destinationUrl"
+      order by count(*) desc
+      limit 1
+    )
+    where c."destinationUrl" is null
+  `);
+
+  // Any Campaign that still has no destinationUrl (no Links yet) gets
+  // a placeholder. Brand admin must edit before the Campaign is useful.
+  await knex.raw(`update "Campaign" set "destinationUrl" = 'https://example.com' where "destinationUrl" is null`);
+
+  await knex.schema.alterTable('Campaign', (t) => {
+    t.string('destinationUrl').notNullable().alter();
+  });
+
+  // Link.destinationUrl becomes nullable — null means "use Campaign's".
+  await knex.schema.alterTable('Link', (t) => {
+    t.string('destinationUrl').nullable().alter();
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Link', (t) => {
+    t.string('destinationUrl').notNullable().alter();
+  });
+  await knex.schema.alterTable('Campaign', (t) => {
+    t.dropColumn('destinationUrl');
+    t.dropColumn('deepLinkAllowedDomains');
+  });
+}
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index 6a772cc..e14f3a7 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -144,6 +144,14 @@ export interface CampaignRow {
   commissionRule: CommissionRule;
   attributionWindowDays: number;
   attributionModel: AttributionModel;
+  /** Where partner share-links for this Campaign land by default. Brand
+   *  controls this; partners can only override if deepLinkAllowedDomains
+   *  is set and their override matches. */
+  destinationUrl: string;
+  /** Comma-separated host allowlist enabling per-Link destination
+   *  overrides (deep-linking to product pages). Null = partners can't
+   *  override the Campaign default. */
+  deepLinkAllowedDomains: string | null;
   createdAt: Date;
 }
 
@@ -153,7 +161,10 @@ export interface LinkRow {
   linkKey: string;
   partnerId: string;
   campaignId: string;
-  destinationUrl: string;
+  /** Override of Campaign.destinationUrl. Null = inherit. Set only when
+   *  the Campaign allows deep-linking and the partner picked a custom
+   *  destination on an allowed host. */
+  destinationUrl: string | null;
   createdAt: Date;
 }
 

From 095d497e8b455a8ffd2b10a689438f0b8c8b5ab4 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 18:45:50 -0700
Subject: [PATCH 055/131] feat(programs): scope partner share-links to granted
 campaigns
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes the second half of the destination ownership refactor: a
partner can now only create Links for Campaigns they've been granted
access to. Two grant sources:

  - 'admin'    — brand admin assigned (default for direct invites)
  - 'offering' — auto-stamped when a Network application is approved

Schema (migrations/20260511000000_partner_campaign):
- New PartnerCampaign(id, tenantId, partnerId, campaignId, source,
  createdAt) with unique (tenantId, partnerId, campaignId), partnerId
  + campaignId indices, FK CASCADE on Partner / Campaign delete.
- Backfill: cross-product of every existing (Partner, Campaign) pair
  per tenant stamped 'admin' so current partners keep working.

Backend:
- POST /partners accepts campaignIds (omitted = grant all current
  campaigns, preserves pre-PartnerCampaign behavior) +
  campaignGrantSource (Network sends 'offering' on approval). Inserts
  PartnerCampaign rows alongside the Partner.
- POST /partners/:id/links validates the campaignId is in the partner's
  PartnerCampaign set when called by a partner principal; admins still
  bypass (they can grant on the spot).
- GET /me/campaigns now filters via the join for partner principals;
  admins see the full list.

Phase deferred to a follow-up:
- Admin UI to grant / revoke campaign access on an existing partner
  (today's POST /partners only sets it at create time).
- "My partnerships" creator-side surface continues to call out which
  Campaign per Offering they're scoped to.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/campaigns.ts              | 41 +++++++++++---
 apps/api/src/routes/links.ts                  | 15 ++++++
 apps/api/src/routes/partners.ts               | 30 +++++++++++
 .../20260511000000_partner_campaign.ts        | 53 +++++++++++++++++++
 packages/db/src/index.ts                      |  1 +
 packages/db/src/types.ts                      | 12 +++++
 6 files changed, 146 insertions(+), 6 deletions(-)
 create mode 100644 packages/db/migrations/20260511000000_partner_campaign.ts

diff --git a/apps/api/src/routes/campaigns.ts b/apps/api/src/routes/campaigns.ts
index fc1ec5d..52951f8 100644
--- a/apps/api/src/routes/campaigns.ts
+++ b/apps/api/src/routes/campaigns.ts
@@ -44,19 +44,48 @@ campaignsRouter.get('/campaigns', requireAuth, requireAdmin, async (req, res) =>
 });
 
 /**
- * Partner-facing campaign list — fields are limited to what a partner
- * needs to create a Link (id, name, destinationUrl, deepLinkAllowedDomains).
+ * Partner-facing campaign list — only the Programs the calling partner
+ * was granted access to (via admin assignment or Network-offering
+ * approval). Admins see all campaigns in their tenant.
+ *
+ * Fields are limited to what a partner needs to create a Link
+ * (id, name, destinationUrl, deepLinkAllowedDomains, source).
  * Commission rules + attribution settings are admin-only and stay out
  * of the response.
  */
 campaignsRouter.get('/me/campaigns', requireAuth, async (req, res) => {
-  if (req.principal?.role !== 'partner' && req.principal?.role !== 'admin') {
+  const p = req.principal;
+  if (!p) return res.status(401).json({ error: 'unauthorized' });
+  if (p.role !== 'partner' && p.role !== 'admin') {
     return res.status(403).json({ error: 'forbidden' });
   }
   const { db } = tenantOf(req);
-  const campaigns = (await db<CampaignRow>(TABLES.Campaign)
-    .select('id', 'name', 'destinationUrl', 'deepLinkAllowedDomains')
-    .orderBy('createdAt', 'desc')) as Array<Pick<CampaignRow, 'id' | 'name' | 'destinationUrl' | 'deepLinkAllowedDomains'>>;
+
+  if (p.role === 'admin') {
+    const campaigns = (await db<CampaignRow>(TABLES.Campaign)
+      .select('id', 'name', 'destinationUrl', 'deepLinkAllowedDomains')
+      .orderBy('createdAt', 'desc')) as Array<Pick<CampaignRow, 'id' | 'name' | 'destinationUrl' | 'deepLinkAllowedDomains'>>;
+    return res.json({ campaigns });
+  }
+
+  // Partner: filter through PartnerCampaign join.
+  const campaigns = (await db(TABLES.Campaign)
+    .join(TABLES.PartnerCampaign, `${TABLES.PartnerCampaign}.campaignId`, `${TABLES.Campaign}.id`)
+    .where(`${TABLES.PartnerCampaign}.partnerId`, p.partnerId!)
+    .select(
+      `${TABLES.Campaign}.id`,
+      `${TABLES.Campaign}.name`,
+      `${TABLES.Campaign}.destinationUrl`,
+      `${TABLES.Campaign}.deepLinkAllowedDomains`,
+      `${TABLES.PartnerCampaign}.source as source`,
+    )
+    .orderBy(`${TABLES.Campaign}.createdAt`, 'desc')) as Array<{
+      id: string;
+      name: string;
+      destinationUrl: string;
+      deepLinkAllowedDomains: string | null;
+      source: 'admin' | 'offering';
+    }>;
   res.json({ campaigns });
 });
 
diff --git a/apps/api/src/routes/links.ts b/apps/api/src/routes/links.ts
index b089575..5878042 100644
--- a/apps/api/src/routes/links.ts
+++ b/apps/api/src/routes/links.ts
@@ -40,6 +40,21 @@ linksRouter.post('/partners/:id/links', requireAuth, grantScope('links:write'),
   const campaign = await db<CampaignRow>(TABLES.Campaign).where({ id: body.data.campaignId }).first();
   if (!campaign) return res.status(404).json({ error: 'campaign_not_found' });
 
+  // Partner-side: must be granted access to this Campaign via
+  // PartnerCampaign. Admins acting on a partner's behalf bypass this
+  // check (they're the ones who'd grant it anyway).
+  if (req.principal?.role === 'partner') {
+    const grant = await db(TABLES.PartnerCampaign)
+      .where({ partnerId: req.params.id, campaignId: body.data.campaignId })
+      .first();
+    if (!grant) {
+      return res.status(403).json({
+        error: 'campaign_not_granted',
+        detail: 'You don’t have access to this program. Apply through the Network or ask the brand admin to add you.',
+      });
+    }
+  }
+
   // Destination resolution: if the partner supplied an override, the
   // Campaign must allow deep-linking AND the override host must match
   // the allowlist. Otherwise the Link inherits Campaign.destinationUrl
diff --git a/apps/api/src/routes/partners.ts b/apps/api/src/routes/partners.ts
index b2bb5c4..bcf577f 100644
--- a/apps/api/src/routes/partners.ts
+++ b/apps/api/src/routes/partners.ts
@@ -17,6 +17,15 @@ const createSchema = z.object({
   // Partner row on behalf of an external creator network). Default is
   // "invite them" since that's the intent of the admin UI.
   sendInvite: z.boolean().optional(),
+  /** Programs (campaigns) this partner can create share-links for.
+   *  Omitted = grant access to ALL current campaigns (preserves the
+   *  pre-PartnerCampaign behavior). Empty array = grant nothing
+   *  (rare; admin can add later). */
+  campaignIds: z.array(z.string()).optional(),
+  /** Where the grants come from. 'offering' is what the Network
+   *  federation sends so we can tell admin assignments apart from
+   *  Network-driven ones in the audit log + UI. */
+  campaignGrantSource: z.enum(['admin', 'offering']).optional(),
 });
 
 export const partnersRouter = Router();
@@ -67,6 +76,27 @@ partnersRouter.post('/partners', requireAuth, grantScope('partners:write'), requ
     throw err;
   }
 
+  // Grant program (campaign) access. Default = all current campaigns
+  // when caller didn't specify, matching the pre-PartnerCampaign
+  // behavior so existing flows don't change shape.
+  const campaignIds = body.data.campaignIds
+    ?? ((await db(TABLES.Campaign).select('id')) as Array<{ id: string }>).map((c) => c.id);
+  if (campaignIds.length > 0) {
+    const grantSource = body.data.campaignGrantSource ?? 'admin';
+    await db(TABLES.PartnerCampaign)
+      .insert(
+        campaignIds.map((cid) => ({
+          id: `pc_${ulid()}`,
+          tenantId,
+          partnerId: id,
+          campaignId: cid,
+          source: grantSource,
+        })),
+      )
+      .onConflict(['tenantId', 'partnerId', 'campaignId'])
+      .ignore();
+  }
+
   if (sendInvite) {
     const issued = await issueMagicLink(db, {
       tenantId,
diff --git a/packages/db/migrations/20260511000000_partner_campaign.ts b/packages/db/migrations/20260511000000_partner_campaign.ts
new file mode 100644
index 0000000..7fb4457
--- /dev/null
+++ b/packages/db/migrations/20260511000000_partner_campaign.ts
@@ -0,0 +1,53 @@
+/**
+ * PartnerCampaign join — which Campaigns each Partner is allowed to
+ * create share-links for. Closes the leak where any active Partner
+ * could create a Link against any Campaign the brand had.
+ *
+ * Source field captures *why* the grant exists:
+ *   - 'admin'    : brand admin granted at invite or after the fact
+ *   - 'offering' : auto-granted by Network federation when an
+ *                  application was approved, scoped to the Offering's
+ *                  vendorCampaignId
+ *
+ * Backfill: every existing (partner, campaign) gets an 'admin' grant
+ * so current behavior is preserved. Brands wanting to lock down later
+ * can revoke per-pair via the admin UI.
+ */
+
+import type { Knex } from 'knex';
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.createTable('PartnerCampaign', (t) => {
+    t.string('id').primary();
+    t.string('tenantId').notNullable().references('id').inTable('Tenant');
+    t.string('partnerId').notNullable().references('id').inTable('Partner').onDelete('CASCADE');
+    t.string('campaignId').notNullable().references('id').inTable('Campaign').onDelete('CASCADE');
+    t.string('source').notNullable(); // 'admin' | 'offering'
+    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
+    t.unique(['tenantId', 'partnerId', 'campaignId']);
+    t.index(['partnerId']);
+    t.index(['campaignId']);
+    t.index(['tenantId']);
+  });
+
+  // Cross product backfill: every existing partner gets access to every
+  // existing Campaign in their tenant (matches today's effective
+  // behavior). Stamped 'admin' so it's clear these are operator grants,
+  // not Network-driven.
+  await knex.raw(`
+    insert into "PartnerCampaign" (id, "tenantId", "partnerId", "campaignId", source)
+    select
+      'pc_' || md5(p.id || '|' || c.id),
+      p."tenantId",
+      p.id,
+      c.id,
+      'admin'
+    from "Partner" p
+    join "Campaign" c on c."tenantId" = p."tenantId"
+    on conflict do nothing
+  `);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists('PartnerCampaign');
+}
diff --git a/packages/db/src/index.ts b/packages/db/src/index.ts
index c243cf0..7c17efb 100644
--- a/packages/db/src/index.ts
+++ b/packages/db/src/index.ts
@@ -56,6 +56,7 @@ export const TABLES = {
   PlatformAdmin: 'PlatformAdmin',
   Partner: 'Partner',
   Campaign: 'Campaign',
+  PartnerCampaign: 'PartnerCampaign',
   Link: 'Link',
   Click: 'Click',
   Identity: 'Identity',
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index e14f3a7..3e26d1f 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -155,6 +155,18 @@ export interface CampaignRow {
   createdAt: Date;
 }
 
+export interface PartnerCampaignRow {
+  id: string;
+  tenantId: string;
+  partnerId: string;
+  campaignId: string;
+  /** Why this grant exists. 'admin' = brand admin assignment;
+   *  'offering' = auto-granted when a Network application was approved
+   *  for the Offering tied to this Campaign. */
+  source: 'admin' | 'offering';
+  createdAt: Date;
+}
+
 export interface LinkRow {
   id: string;
   tenantId: string;

From 97b55bd6cee7fad9a2650c8c0557e7323c4fd469 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 19:27:34 -0700
Subject: [PATCH 056/131] feat(programs): admin grant management UI +
 creator-side Offering hint
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Closes the two deferrals from the partner-link arc.

Brand admin
- New routes/partner-campaigns.ts:
    GET /partners/:id/campaigns                 list every campaign +
                                                granted flag + source
    POST /partners/:id/campaigns                add grants (admin source)
    DELETE /partners/:id/campaigns/:campaignId  revoke
- AdminPartners table gains a "Programs" link per row that opens a
  ProgramsDialog: checkbox per campaign, with a "via Network" badge
  on grants the federation auto-stamped (source='offering') so the
  admin doesn't accidentally undo them. Toggling fires add/remove
  optimistically; existing Links keep working post-revoke (only
  *new* Link creation is gated).

Creator
- CreatorMyAffiliations cards now show "Approved for: <Offering>, …"
  pulled from the new approvedOfferings field on the Network's
  /creators/me/affiliations response.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/app.ts                           |   2 +
 apps/api/src/routes/partner-campaigns.ts      |  98 +++++++++++++++++
 apps/portal/src/pages/AdminPartners.tsx       | 102 ++++++++++++++++++
 .../pages/creator/CreatorMyAffiliations.tsx   |  12 +++
 4 files changed, 214 insertions(+)
 create mode 100644 apps/api/src/routes/partner-campaigns.ts

diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index 199152a..69ff18f 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -34,6 +34,7 @@ import { signupRouter } from './routes/signup.js';
 import { partnerSignupRouter } from './routes/partner-signup.js';
 import { networkPartnerRouter } from './routes/network-partner.js';
 import { accountDeletionRouter } from './routes/account-deletion.js';
+import { partnerCampaignsRouter } from './routes/partner-campaigns.js';
 import { creatorPortalRouter } from './routes/creator-portal.js';
 import { signinRouter } from './routes/signin.js';
 import { sessionHomeRouter } from './routes/session-home.js';
@@ -158,6 +159,7 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   app.use(adminOverviewRouter);
   app.use(networkPartnerRouter);
   app.use(accountDeletionRouter);
+  app.use(partnerCampaignsRouter);
 
   app.use((err: Error, req: Request, res: Response, _next: NextFunction) => {
     req.log?.error({ err }, 'request_failed');
diff --git a/apps/api/src/routes/partner-campaigns.ts b/apps/api/src/routes/partner-campaigns.ts
new file mode 100644
index 0000000..54aa50e
--- /dev/null
+++ b/apps/api/src/routes/partner-campaigns.ts
@@ -0,0 +1,98 @@
+/**
+ * Brand-admin management of partner ↔ campaign access.
+ *
+ *   GET    /partners/:id/campaigns            list current grants + every campaign in the tenant
+ *   POST   /partners/:id/campaigns            add grants — body: { campaignIds: string[] }
+ *   DELETE /partners/:id/campaigns/:campaignId revoke a single grant
+ *
+ * Guard rails:
+ *   - source='offering' grants are still revokable, but the response
+ *     surface flags them so the admin sees they're undoing a
+ *     Network-driven grant. (We don't outright block — operators
+ *     should be able to clean up.)
+ *   - Revoking a grant doesn't delete existing Links the partner
+ *     created against that campaign. They keep working until the
+ *     Link itself is deleted; new Links are blocked by the
+ *     /partners/:id/links route's grant check.
+ */
+
+import { Router } from 'express';
+import { z } from 'zod';
+import { ulid } from 'ulid';
+import { TABLES, type CampaignRow, type PartnerCampaignRow, type PartnerRow } from '@openpartner/db';
+import { requireAdmin, requireAuth } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
+
+export const partnerCampaignsRouter = Router();
+
+partnerCampaignsRouter.get('/partners/:id/campaigns', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
+  const partner = await db<PartnerRow>(TABLES.Partner).where({ id: req.params.id }).first();
+  if (!partner) return res.status(404).json({ error: 'partner_not_found' });
+
+  const campaigns = (await db<CampaignRow>(TABLES.Campaign)
+    .select('id', 'name', 'destinationUrl', 'deepLinkAllowedDomains')
+    .orderBy('createdAt', 'desc')) as Array<Pick<CampaignRow, 'id' | 'name' | 'destinationUrl' | 'deepLinkAllowedDomains'>>;
+  const grants = (await db<PartnerCampaignRow>(TABLES.PartnerCampaign)
+    .where({ partnerId: req.params.id })
+    .select('campaignId', 'source', 'createdAt')) as Array<Pick<PartnerCampaignRow, 'campaignId' | 'source' | 'createdAt'>>;
+  const grantByCampaign = new Map(grants.map((g) => [g.campaignId, g]));
+
+  // Each campaign carries its grant state so the UI can render a single
+  // checklist instead of hand-merging.
+  const result = campaigns.map((c) => ({
+    ...c,
+    granted: grantByCampaign.has(c.id),
+    grantSource: grantByCampaign.get(c.id)?.source ?? null,
+    grantedAt: grantByCampaign.get(c.id)?.createdAt ?? null,
+  }));
+
+  res.json({ campaigns: result });
+});
+
+const addSchema = z.object({
+  campaignIds: z.array(z.string().min(1)).min(1),
+});
+
+partnerCampaignsRouter.post('/partners/:id/campaigns', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  const partner = await db<PartnerRow>(TABLES.Partner).where({ id: req.params.id }).first();
+  if (!partner) return res.status(404).json({ error: 'partner_not_found' });
+  const body = addSchema.safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  // Filter to campaignIds that actually exist in the tenant — otherwise
+  // a typo would create an orphan grant.
+  const valid = (await db<CampaignRow>(TABLES.Campaign)
+    .whereIn('id', body.data.campaignIds)
+    .select('id')) as Array<{ id: string }>;
+  const validIds = new Set(valid.map((c) => c.id));
+  const toInsert = body.data.campaignIds.filter((id) => validIds.has(id));
+  if (toInsert.length === 0) {
+    return res.status(404).json({ error: 'no_valid_campaigns' });
+  }
+
+  await db(TABLES.PartnerCampaign)
+    .insert(
+      toInsert.map((cid) => ({
+        id: `pc_${ulid()}`,
+        tenantId,
+        partnerId: req.params.id,
+        campaignId: cid,
+        source: 'admin',
+      })),
+    )
+    .onConflict(['tenantId', 'partnerId', 'campaignId'])
+    .ignore();
+
+  res.status(201).json({ added: toInsert });
+});
+
+partnerCampaignsRouter.delete('/partners/:id/campaigns/:campaignId', requireAuth, requireAdmin, async (req, res) => {
+  const { db } = tenantOf(req);
+  const deleted = await db(TABLES.PartnerCampaign)
+    .where({ partnerId: req.params.id, campaignId: req.params.campaignId })
+    .del();
+  if (deleted === 0) return res.status(404).json({ error: 'grant_not_found' });
+  res.json({ ok: true });
+});
diff --git a/apps/portal/src/pages/AdminPartners.tsx b/apps/portal/src/pages/AdminPartners.tsx
index 40d9345..56bf399 100644
--- a/apps/portal/src/pages/AdminPartners.tsx
+++ b/apps/portal/src/pages/AdminPartners.tsx
@@ -20,6 +20,7 @@ export function AdminPartners() {
   const qc = useQueryClient();
   const [showCreate, setShowCreate] = useState(false);
   const [revoking, setRevoking] = useState<Partner | null>(null);
+  const [managingPrograms, setManagingPrograms] = useState<Partner | null>(null);
 
   const partners = useQuery({ queryKey: ['partners'], queryFn: () => api<{ partners: Partner[] }>('/partners') });
 
@@ -54,6 +55,12 @@ export function AdminPartners() {
           }}
         />
       )}
+      {managingPrograms && (
+        <ProgramsDialog
+          partner={managingPrograms}
+          onClose={() => setManagingPrograms(null)}
+        />
+      )}
 
       {partners.isLoading ? (
         <Card>Loading…</Card>
@@ -80,6 +87,13 @@ export function AdminPartners() {
             <div style={{ display: 'flex', gap: 6 }}>
               <Link to={`/links?partnerId=${p.id}`} style={{ color: theme.accent, fontSize: 13 }}>Links</Link>
               <span style={{ color: theme.border }}>·</span>
+              <button
+                onClick={() => setManagingPrograms(p)}
+                style={{ background: 'none', border: 'none', padding: 0, fontSize: 13, color: theme.accent, cursor: 'pointer' }}
+              >
+                Programs
+              </button>
+              <span style={{ color: theme.border }}>·</span>
               <Link to={`/payouts?partnerId=${p.id}`} style={{ color: theme.accent, fontSize: 13 }}>Payouts</Link>
               {!p.activatedAt && !p.revokedAt && (
                 <>
@@ -216,6 +230,94 @@ function RevokeDialog({
   );
 }
 
+interface CampaignGrant {
+  id: string;
+  name: string;
+  destinationUrl: string;
+  granted: boolean;
+  grantSource: 'admin' | 'offering' | null;
+}
+
+function ProgramsDialog({ partner, onClose }: { partner: Partner; onClose: () => void }) {
+  const qc = useQueryClient();
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['partner-campaigns', partner.id],
+    queryFn: () => api<{ campaigns: CampaignGrant[] }>(`/partners/${partner.id}/campaigns`),
+  });
+
+  const add = useMutation({
+    mutationFn: (campaignId: string) =>
+      api(`/partners/${partner.id}/campaigns`, { method: 'POST', body: { campaignIds: [campaignId] } }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['partner-campaigns', partner.id] }),
+  });
+  const remove = useMutation({
+    mutationFn: (campaignId: string) =>
+      api(`/partners/${partner.id}/campaigns/${campaignId}`, { method: 'DELETE' }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['partner-campaigns', partner.id] }),
+  });
+
+  const busyId = add.isPending ? add.variables : remove.isPending ? remove.variables : null;
+
+  return (
+    <Card style={{ marginBottom: 14 }}>
+      <div style={{ display: 'flex', alignItems: 'baseline', gap: 12, marginBottom: 6 }}>
+        <div style={{ fontSize: 15, fontWeight: 500, flex: 1 }}>Programs for {partner.name}</div>
+        <button onClick={onClose} style={{ background: 'none', border: 'none', color: theme.textMuted, cursor: 'pointer', fontSize: 13 }}>
+          Close
+        </button>
+      </div>
+      <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 14 }}>
+        Toggle which programs this partner can create share-links for. Revoking a program doesn&rsquo;t remove
+        existing links — those keep working until the partner deletes them.
+      </div>
+      <ErrorBanner error={error ?? add.error ?? remove.error} />
+      {isLoading ? (
+        <div style={{ color: theme.textMuted }}>Loading…</div>
+      ) : !data || data.campaigns.length === 0 ? (
+        <div style={{ color: theme.textMuted }}>No campaigns exist yet — create one in Campaigns.</div>
+      ) : (
+        <div style={{ display: 'flex', flexDirection: 'column', gap: 8 }}>
+          {data.campaigns.map((c) => {
+            const busy = busyId === c.id;
+            return (
+              <label
+                key={c.id}
+                style={{
+                  display: 'flex',
+                  alignItems: 'center',
+                  gap: 12,
+                  padding: '10px 12px',
+                  background: c.granted ? `${theme.success}10` : theme.surface2,
+                  border: `1px solid ${c.granted ? `${theme.success}44` : theme.borderSubtle}`,
+                  borderRadius: theme.radiusSm,
+                  cursor: busy ? 'wait' : 'pointer',
+                  opacity: busy ? 0.6 : 1,
+                }}
+              >
+                <input
+                  type="checkbox"
+                  checked={c.granted}
+                  disabled={busy}
+                  onChange={(e) => (e.target.checked ? add.mutate(c.id) : remove.mutate(c.id))}
+                />
+                <div style={{ flex: 1, minWidth: 0 }}>
+                  <div style={{ fontSize: 14, fontWeight: 500 }}>{c.name}</div>
+                  <div style={{ fontSize: 12, color: theme.textMuted, fontFamily: theme.fontMono }}>{c.destinationUrl}</div>
+                </div>
+                {c.grantSource === 'offering' && (
+                  <span style={{ fontSize: 11, color: theme.accent, padding: '3px 8px', background: `${theme.accent}15`, borderRadius: 12 }}>
+                    via Network
+                  </span>
+                )}
+              </label>
+            );
+          })}
+        </div>
+      )}
+    </Card>
+  );
+}
+
 function ResendInvite({ partnerId }: { partnerId: string }) {
   const [sent, setSent] = useState(false);
   const mut = useMutation({
diff --git a/apps/portal/src/pages/creator/CreatorMyAffiliations.tsx b/apps/portal/src/pages/creator/CreatorMyAffiliations.tsx
index a441fe9..d2789f9 100644
--- a/apps/portal/src/pages/creator/CreatorMyAffiliations.tsx
+++ b/apps/portal/src/pages/creator/CreatorMyAffiliations.tsx
@@ -13,6 +13,7 @@ interface Affiliation {
   joinedVendorAt: string;
   vendorName: string;
   vendorInstanceUrl: string;
+  approvedOfferings: Array<{ id: string; title: string }>;
 }
 
 interface Earnings {
@@ -81,6 +82,17 @@ export function CreatorMyAffiliationsPage() {
               <StatusPill status={a.status} />
             </div>
             <p style={{ color: theme.textMuted, fontSize: 13 }}>Joined {formatDate(a.joinedVendorAt, { relative: true })}</p>
+            {a.approvedOfferings.length > 0 && (
+              <p style={{ color: theme.textMuted, fontSize: 13, marginTop: 4 }}>
+                Approved for:{' '}
+                {a.approvedOfferings.map((o, i) => (
+                  <span key={o.id}>
+                    {i > 0 && ', '}
+                    <Link to={`/creator/offerings/${o.id}`}>{o.title}</Link>
+                  </span>
+                ))}
+              </p>
+            )}
             <EarningsBlock aff={a} />
           </Card>
         ))

From d1118c500227df6197d818da51de1610fb988e6b Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 19:43:29 -0700
Subject: [PATCH 057/131] feat(onboarding): brand + creator getting-started
 checklists
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both Dashboards now surface a "Getting started" card that auto-checks
items off as the user completes them. Card disappears entirely when
all done so it doesn't clutter the long-term experience.

Brand (admin Dashboard):
- New GET /admin/onboarding-status aggregates: brand info set,
  campaign count, network connected (membership.enabled +
  hasVendorToken), published offering count (queried via networkProxy
  when connected), non-revoked partner count.
- Six-step checklist: account created → brand info → first campaign →
  list on Network → publish first offering → invite a partner.
- Each row links to the relevant admin page; the offering step waits
  until network is connected before linking.

Creator (Discover):
- Three-step checklist driven off the existing /creators/me +
  /creators/me/requests responses (no new endpoint): pick handle, add
  bio, apply to first program.
- Profile steps link to /creator/profile; "apply" step nudges them
  toward the offering grid below.

Both checklists use the same pattern as the existing partner
GettingStarted card on the Dashboard so the visual language stays
consistent.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/app.ts                           |  2 +
 apps/api/src/routes/onboarding.ts             | 85 +++++++++++++++++
 apps/portal/src/pages/Dashboard.tsx           | 95 +++++++++++++++++++
 .../src/pages/creator/CreatorDiscover.tsx     | 90 +++++++++++++++++-
 4 files changed, 271 insertions(+), 1 deletion(-)
 create mode 100644 apps/api/src/routes/onboarding.ts

diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index 69ff18f..d6045cb 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -35,6 +35,7 @@ import { partnerSignupRouter } from './routes/partner-signup.js';
 import { networkPartnerRouter } from './routes/network-partner.js';
 import { accountDeletionRouter } from './routes/account-deletion.js';
 import { partnerCampaignsRouter } from './routes/partner-campaigns.js';
+import { onboardingRouter } from './routes/onboarding.js';
 import { creatorPortalRouter } from './routes/creator-portal.js';
 import { signinRouter } from './routes/signin.js';
 import { sessionHomeRouter } from './routes/session-home.js';
@@ -160,6 +161,7 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   app.use(networkPartnerRouter);
   app.use(accountDeletionRouter);
   app.use(partnerCampaignsRouter);
+  app.use(onboardingRouter);
 
   app.use((err: Error, req: Request, res: Response, _next: NextFunction) => {
     req.log?.error({ err }, 'request_failed');
diff --git a/apps/api/src/routes/onboarding.ts b/apps/api/src/routes/onboarding.ts
new file mode 100644
index 0000000..01dbcde
--- /dev/null
+++ b/apps/api/src/routes/onboarding.ts
@@ -0,0 +1,85 @@
+/**
+ * Brand admin onboarding state.
+ *
+ * Single GET that the Dashboard's "Getting started" card consumes.
+ * We aggregate counts + a Network-connected flag here so the card
+ * doesn't have to fan out four separate queries on every render.
+ *
+ * Response is intentionally booleans + small ints — every item the
+ * UI shows is something the admin can check off without the response
+ * giving them lookup IDs to chase.
+ */
+
+import { Router } from 'express';
+import { TABLES, type CampaignRow, type PartnerRow } from '@openpartner/db';
+import { requireAdmin, requireAuth } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
+import { getNetworkMembership, networkProxy, NetworkProxyError } from '../network-client.js';
+
+export const onboardingRouter = Router();
+
+interface BrandOnboardingStatus {
+  brandInfoComplete: boolean;
+  campaignCount: number;
+  networkConnected: boolean;
+  offeringPublishedCount: number;
+  partnerCount: number;
+  /** True once everything actionable is done — card hides. */
+  complete: boolean;
+}
+
+onboardingRouter.get('/admin/onboarding-status', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+
+  // Brand info is "complete" if program_settings.programName is set OR
+  // Tenant.displayName isn't a placeholder. Today displayName is set at
+  // signup so this is effectively always true for hosted brands; we
+  // keep the field so the checkist renders the row anyway.
+  const programRow = await db(TABLES.Config).where({ key: 'program_settings' }).first();
+  const programName = ((programRow?.value as { programName?: string })?.programName ?? '').trim();
+  const brandInfoComplete = programName.length > 0;
+
+  const campaignRows = await db<CampaignRow>(TABLES.Campaign).count<Array<{ count: string }>>({ count: '*' });
+  const campaignCount = Number(campaignRows[0]?.count ?? 0);
+
+  const partnerRows = await db<PartnerRow>(TABLES.Partner)
+    .whereNull('revokedAt')
+    .count<Array<{ count: string }>>({ count: '*' });
+  const partnerCount = Number(partnerRows[0]?.count ?? 0);
+
+  const membership = await getNetworkMembership(db, tenantId);
+  const networkConnected = !!(membership?.enabled && membership.vendorTokenCiphertext);
+
+  // Offering count: only when connected. Network would 503 otherwise
+  // and we don't want a transient Network outage to block onboarding.
+  let offeringPublishedCount = 0;
+  if (networkConnected) {
+    try {
+      const r = await networkProxy.listOfferings(db, tenantId);
+      offeringPublishedCount = Array.isArray(r.offerings)
+        ? r.offerings.filter((o: unknown) => (o as { published?: boolean }).published).length
+        : 0;
+    } catch (err) {
+      if (!(err instanceof NetworkProxyError)) throw err;
+      // Leave as 0; surface as "not done yet" rather than failing the
+      // whole probe because the Network can't be reached.
+    }
+  }
+
+  const complete =
+    brandInfoComplete &&
+    campaignCount > 0 &&
+    networkConnected &&
+    offeringPublishedCount > 0 &&
+    partnerCount > 0;
+
+  const out: BrandOnboardingStatus = {
+    brandInfoComplete,
+    campaignCount,
+    networkConnected,
+    offeringPublishedCount,
+    partnerCount,
+    complete,
+  };
+  res.json(out);
+});
diff --git a/apps/portal/src/pages/Dashboard.tsx b/apps/portal/src/pages/Dashboard.tsx
index 608f64a..bdd1ff2 100644
--- a/apps/portal/src/pages/Dashboard.tsx
+++ b/apps/portal/src/pages/Dashboard.tsx
@@ -11,6 +11,7 @@ import {
   Link2,
   CheckCircle2,
   Circle,
+  ArrowRight,
 } from 'lucide-react';
 import { api, type Principal } from '../api.js';
 import { useTenantBase } from '../tenant-base.js';
@@ -338,6 +339,7 @@ function AdminDashboard() {
   return (
     <Page title="Partner Program" subtitle="Overview of every partner driving attributed revenue.">
       <ErrorBanner error={error} />
+      <BrandOnboarding />
       {isLoading || !data ? (
         <Card>Loading…</Card>
       ) : (
@@ -416,3 +418,96 @@ function MiniStat({ label, value }: { label: string; value: string }) {
     </div>
   );
 }
+
+interface BrandOnboardingStatus {
+  brandInfoComplete: boolean;
+  campaignCount: number;
+  networkConnected: boolean;
+  offeringPublishedCount: number;
+  partnerCount: number;
+  complete: boolean;
+}
+
+function BrandOnboarding() {
+  const tenantBase = useTenantBase();
+  const { data } = useQuery({
+    queryKey: ['admin-onboarding-status'],
+    queryFn: () => api<BrandOnboardingStatus>('/admin/onboarding-status'),
+    staleTime: 30_000,
+    retry: false,
+  });
+  if (!data || data.complete) return null;
+  const items = [
+    { done: true, label: 'Brand account created', href: null as string | null },
+    {
+      done: data.brandInfoComplete,
+      label: 'Set your brand name and support email',
+      href: `${tenantBase}/admin/settings`,
+    },
+    {
+      done: data.campaignCount > 0,
+      label: 'Create your first program (Campaign)',
+      hint: 'Set the destination URL and commission terms.',
+      href: `${tenantBase}/admin/campaigns`,
+    },
+    {
+      done: data.networkConnected,
+      label: 'List your brand on the OpenPartner Network',
+      hint: 'Lets creators across the federation discover and apply.',
+      href: `${tenantBase}/admin/network`,
+    },
+    {
+      done: data.offeringPublishedCount > 0,
+      label: 'Publish your first offering',
+      hint: 'The marketplace listing creators see when they browse.',
+      href: data.networkConnected ? `${tenantBase}/admin/network/offerings` : null,
+    },
+    {
+      done: data.partnerCount > 0,
+      label: 'Invite a partner — or wait for Network applications',
+      href: `${tenantBase}/admin/partners`,
+    },
+  ];
+  return (
+    <Card style={{ marginBottom: 18 }}>
+      <div style={{ fontSize: 15, fontWeight: 500, marginBottom: 4 }}>Getting started</div>
+      <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 14 }}>
+        A few one-clicks to get your brand fully set up. The card disappears when you&rsquo;re done.
+      </div>
+      <div style={{ display: 'flex', flexDirection: 'column', gap: 8 }}>
+        {items.map((it, i) => (
+          <BrandStep key={i} done={it.done} label={it.label} hint={it.hint} href={it.href} />
+        ))}
+      </div>
+    </Card>
+  );
+}
+
+function BrandStep({ done, label, hint, href }: { done: boolean; label: string; hint?: string; href: string | null }) {
+  const inner = (
+    <div
+      style={{
+        display: 'flex',
+        alignItems: 'center',
+        gap: 12,
+        padding: '10px 12px',
+        background: done ? theme.successSoft : theme.surface2,
+        border: `1px solid ${done ? `${theme.success}44` : theme.borderSubtle}`,
+        borderRadius: theme.radiusSm,
+      }}
+    >
+      <div style={{ color: done ? theme.success : theme.textDim, display: 'inline-flex' }}>
+        {done ? <CheckCircle2 size={18} /> : <Circle size={18} />}
+      </div>
+      <div style={{ flex: 1, minWidth: 0 }}>
+        <div style={{ fontSize: 14, fontWeight: 500, color: theme.text, textDecoration: done ? 'line-through' : 'none' }}>
+          {label}
+        </div>
+        {hint && !done && <div style={{ fontSize: 12, color: theme.textDim, marginTop: 2 }}>{hint}</div>}
+      </div>
+      {!done && href && <ArrowRight size={14} color={theme.textDim} />}
+    </div>
+  );
+  if (done || !href) return inner;
+  return <Link to={href} style={{ textDecoration: 'none' }}>{inner}</Link>;
+}
diff --git a/apps/portal/src/pages/creator/CreatorDiscover.tsx b/apps/portal/src/pages/creator/CreatorDiscover.tsx
index 05cc50c..774c9b4 100644
--- a/apps/portal/src/pages/creator/CreatorDiscover.tsx
+++ b/apps/portal/src/pages/creator/CreatorDiscover.tsx
@@ -1,7 +1,7 @@
 import { useEffect, useState } from 'react';
 import { useQuery } from '@tanstack/react-query';
 import { Link } from 'react-router-dom';
-import { Globe } from 'lucide-react';
+import { CheckCircle2, Circle, Globe } from 'lucide-react';
 import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page, Select } from '../../ui.js';
 import { theme } from '../../theme.js';
 import { creatorApi } from './creator-api.js';
@@ -42,6 +42,7 @@ export function CreatorDiscoverPage() {
   return (
     <Page title="Discover programs" subtitle="Partner programs across the OpenPartner Network. Apply to any.">
       <ErrorBanner error={error} />
+      <CreatorOnboarding />
       <Card>
         <div style={{ display: 'flex', gap: 12, alignItems: 'flex-end', flexWrap: 'wrap' }}>
           <div style={{ flex: 1, minWidth: 240 }}>
@@ -97,3 +98,90 @@ export function CreatorDiscoverPage() {
     </Page>
   );
 }
+
+interface CreatorProfile {
+  id: string;
+  email: string;
+  name: string;
+  handle: string | null;
+  bio: string | null;
+}
+
+interface RequestRow {
+  id: string;
+  status: string;
+}
+
+/** Three-step nudge for new creators: handle, bio, first application.
+ *  Card disappears once everything's done; never shown for creators
+ *  who already filled in their profile. */
+function CreatorOnboarding() {
+  const profile = useQuery({
+    queryKey: ['creator-my-profile'],
+    queryFn: () => creatorApi<CreatorProfile>('/creators/me'),
+    staleTime: 30_000,
+    retry: false,
+  });
+  const requests = useQuery({
+    queryKey: ['creator-my-requests'],
+    queryFn: () => creatorApi<{ requests: RequestRow[] }>('/creators/me/requests'),
+    staleTime: 30_000,
+    retry: false,
+  });
+
+  if (!profile.data) return null;
+  const handleSet = !!profile.data.handle && profile.data.handle.length > 0;
+  const bioSet = !!profile.data.bio && profile.data.bio.length > 0;
+  const hasApplied = (requests.data?.requests ?? []).length > 0;
+  const complete = handleSet && bioSet && hasApplied;
+  if (complete) return null;
+
+  const items = [
+    { done: true, label: 'Account created', href: null as string | null },
+    { done: handleSet, label: 'Pick a handle', hint: 'Used as the default slug for your share links.', href: '/creator/profile' },
+    { done: bioSet, label: 'Add a short bio', hint: 'Brands see this on your applications.', href: '/creator/profile' },
+    { done: hasApplied, label: 'Apply to your first program', hint: 'Browse below and click "View & apply" on anything that fits.', href: null },
+  ];
+
+  return (
+    <Card style={{ marginBottom: 18 }}>
+      <div style={{ fontSize: 15, fontWeight: 500, marginBottom: 4 }}>Getting started</div>
+      <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 14 }}>
+        Three quick steps to put your best foot forward when applying. Card disappears when done.
+      </div>
+      <div style={{ display: 'flex', flexDirection: 'column', gap: 8 }}>
+        {items.map((it, i) => (
+          <CreatorStep key={i} done={it.done} label={it.label} hint={it.hint} href={it.href} />
+        ))}
+      </div>
+    </Card>
+  );
+}
+
+function CreatorStep({ done, label, hint, href }: { done: boolean; label: string; hint?: string; href: string | null }) {
+  const inner = (
+    <div
+      style={{
+        display: 'flex',
+        alignItems: 'center',
+        gap: 12,
+        padding: '10px 12px',
+        background: done ? theme.successSoft : theme.surface2,
+        border: `1px solid ${done ? `${theme.success}44` : theme.borderSubtle}`,
+        borderRadius: theme.radiusSm,
+      }}
+    >
+      <div style={{ color: done ? theme.success : theme.textDim, display: 'inline-flex' }}>
+        {done ? <CheckCircle2 size={18} /> : <Circle size={18} />}
+      </div>
+      <div style={{ flex: 1, minWidth: 0 }}>
+        <div style={{ fontSize: 14, fontWeight: 500, color: theme.text, textDecoration: done ? 'line-through' : 'none' }}>
+          {label}
+        </div>
+        {hint && !done && <div style={{ fontSize: 12, color: theme.textDim, marginTop: 2 }}>{hint}</div>}
+      </div>
+    </div>
+  );
+  if (done || !href) return inner;
+  return <Link to={href} style={{ textDecoration: 'none' }}>{inner}</Link>;
+}

From cd7bd775348f3aa5af605ac6bd30fbb7659074a8 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 19:49:15 -0700
Subject: [PATCH 058/131] fix(network-proxy): bump timeouts past App Platform
 cold-start; surface errors
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two related symptoms when a brand opens any /admin/network/* page:
- /admin/network/me hangs and the Connected card stays "Loading
  vendor profile…" forever.
- /admin/network/{offerings,requests,billing} return 504.

Both stem from PUSH_TIMEOUT_MS=5s on synchronous proxy calls.
Network on App Platform basic-xs spins down on idle and takes
10-20s to wake; every first-after-idle proxy call ETIMEDOUT'd
before the upstream replied.

Split the constant:
- PUSH_TIMEOUT_MS stays 5s for outbox / fire-and-forget pushes
  (the scheduler retries on the next tick anyway).
- PROXY_TIMEOUT_MS = 30s for callNetwork() — admin reads block the
  UI, so it's worth waiting.

Also bumped signupWithNetwork to 30s for the same reason: brand
clicks "List my brand", Network does row insert + Postmark mail
inside one transaction, can exceed 10s on cold start. Symptom was
the email landing but the UI showing 504.

Connected panel now distinguishes loading / loaded / error and
surfaces a Retry button instead of the indefinite "Loading vendor
profile…" we had before — at least the user can see *why* it failed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/network-client.ts          | 15 +++++++--
 apps/portal/src/pages/admin/Network.tsx | 45 +++++++++++++++++++------
 2 files changed, 47 insertions(+), 13 deletions(-)

diff --git a/apps/api/src/network-client.ts b/apps/api/src/network-client.ts
index 05a1c45..137d758 100644
--- a/apps/api/src/network-client.ts
+++ b/apps/api/src/network-client.ts
@@ -26,7 +26,13 @@ import { TABLES, type NetworkOutboxRow } from '@openpartner/db';
 import { decryptSecret, encryptSecret } from './crypto.js';
 
 const CONFIG_KEY = 'network_membership';
+// Outbox / fire-and-forget pushes — short timeout, the scheduler retries.
 const PUSH_TIMEOUT_MS = 5_000;
+// Synchronous admin proxy calls (/admin/network/*). Network can cold-start
+// from idle on App Platform basic-xs, which takes 10-20s, so a 5s budget
+// here meant every first-after-idle render of the Network admin page
+// failed with 504. Keep it generous; the request blocks the admin UI.
+const PROXY_TIMEOUT_MS = 30_000;
 const MAX_ATTEMPTS = 8; // exponential backoff: ~24h max wall time
 
 // ---------- config shape ----------
@@ -361,7 +367,12 @@ export async function signupWithNetwork(input: SignupInput): Promise<SignupResul
       contact: { email: input.contactEmail, name: input.contactName },
       portalCallbackUrl: input.portalCallbackUrl,
     }),
-    signal: AbortSignal.timeout(10_000),
+    // Network's signup is synchronous: row insert + magic-link insert +
+    // Postmark send all inside one transaction. Cold-start can push the
+    // mail send past the old 10s budget; bump to 30s so we don't ETIMEDOUT
+    // a request that ultimately succeeds (the user gets the email but
+    // sees a 502 in the UI, then double-clicks and lands on already-pending).
+    signal: AbortSignal.timeout(30_000),
   });
   const text = await res.text();
   if (!res.ok) {
@@ -434,7 +445,7 @@ async function callNetwork<T>(
     method,
     headers,
     body: body !== undefined ? JSON.stringify(body) : undefined,
-    signal: AbortSignal.timeout(PUSH_TIMEOUT_MS),
+    signal: AbortSignal.timeout(PROXY_TIMEOUT_MS),
   });
   const text = await res.text();
   if (!res.ok) {
diff --git a/apps/portal/src/pages/admin/Network.tsx b/apps/portal/src/pages/admin/Network.tsx
index 42be79d..c40e9b0 100644
--- a/apps/portal/src/pages/admin/Network.tsx
+++ b/apps/portal/src/pages/admin/Network.tsx
@@ -143,24 +143,47 @@ function ConnectForm({ membership }: { membership: NetworkMembership }) {
 }
 
 function ConnectedPanel({ membership }: { membership: NetworkMembership }) {
-  const { data: self } = useQuery({
+  const { data: self, error, isLoading, refetch, isRefetching } = useQuery({
     queryKey: ['network-self'],
     queryFn: () => api<NetworkSelf>('/admin/network/me'),
-    retry: false,
+    retry: 1,
   });
   return (
     <Card>
       <h3 style={{ marginTop: 0, color: '#1a6b1a' }}>Connected ✓</h3>
-      <p>
-        Network: <code>{membership.networkUrl}</code><br />
-        {self ? (
-          <>
-            Listed as <strong>{self.displayName}</strong> · status: {self.status} · {self.partnerCount} active partners
-          </>
-        ) : (
-          <em>Loading vendor profile…</em>
-        )}
+      <p style={{ marginBottom: 8 }}>
+        Network: <code>{membership.networkUrl}</code>
       </p>
+      {isLoading && <p style={{ color: '#6b7280', margin: 0 }}><em>Loading vendor profile…</em></p>}
+      {!isLoading && self && (
+        <p style={{ margin: 0 }}>
+          Listed as <strong>{self.displayName}</strong> · status: {self.status} · {self.partnerCount} active partners
+        </p>
+      )}
+      {!isLoading && error && (
+        <div style={{ marginTop: 6 }}>
+          <div style={{ color: '#b91c1c', fontSize: 13 }}>
+            Couldn&rsquo;t load vendor profile from the Network: {error instanceof Error ? error.message : String(error)}
+          </div>
+          <button
+            type="button"
+            onClick={() => refetch()}
+            disabled={isRefetching}
+            style={{
+              marginTop: 8,
+              background: 'transparent',
+              color: '#0d9488',
+              border: '1px solid #0d9488',
+              borderRadius: 6,
+              padding: '6px 12px',
+              fontSize: 13,
+              cursor: isRefetching ? 'wait' : 'pointer',
+            }}
+          >
+            {isRefetching ? 'Retrying…' : 'Retry'}
+          </button>
+        </div>
+      )}
     </Card>
   );
 }

From 2a85444c1765ec9d96412fb6a42c71f6d49e1382 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 19:57:00 -0700
Subject: [PATCH 059/131] fix(network-membership): heal tenants with empty
 networkUrl after verify
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The 503 wasn't a timeout — it was network_not_configured because the
membership row had networkUrl='' for tenants that hit the email-verify
path without a prior /start-connect to seed the row. complete-connect
preserved current.networkUrl which was empty, callNetwork checks
!m.networkUrl and threw.

Two fixes:
- complete-connect now stamps networkUrl + vendorId explicitly on every
  call (not just on the seeded path), so future verifies always end
  up with a complete row.
- callNetwork falls back to process.env.NETWORK_URL when the membership
  row has empty networkUrl, healing existing broken tenants in place
  without anyone running a backfill.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/network-client.ts  | 13 +++++++++++--
 apps/api/src/routes/settings.ts |  8 ++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/apps/api/src/network-client.ts b/apps/api/src/network-client.ts
index 137d758..398c07e 100644
--- a/apps/api/src/network-client.ts
+++ b/apps/api/src/network-client.ts
@@ -420,16 +420,25 @@ async function callNetwork<T>(
   opts?: { actingVendorPartnerId?: string },
 ): Promise<T> {
   const m = await getNetworkMembership(db, tenantId);
-  if (!m || !m.enabled || !m.networkUrl || !m.vendorTokenCiphertext) {
+  if (!m || !m.enabled || !m.vendorTokenCiphertext) {
     throw new NetworkProxyError(503, 'network_not_configured');
   }
+  // Fall back to process.env.NETWORK_URL when the membership row has
+  // an empty networkUrl. Some tenants ended up in this state when the
+  // email-verify path ran without a prior /start-connect to seed the
+  // row — they still have a vendorToken but no URL. Heal silently
+  // here; the next saveNetworkMembership write persists the env value.
+  const networkUrl = m.networkUrl || process.env.NETWORK_URL;
+  if (!networkUrl) {
+    throw new NetworkProxyError(503, 'network_url_unresolvable');
+  }
   let token: string;
   try {
     token = decryptSecret(m.vendorTokenCiphertext);
   } catch (err) {
     throw new NetworkProxyError(500, `vendor_token_undecryptable: ${err instanceof Error ? err.message : String(err)}`);
   }
-  const url = `${m.networkUrl.replace(/\/$/, '')}${path}`;
+  const url = `${networkUrl.replace(/\/$/, '')}${path}`;
   const headers: Record<string, string> = {
     'content-type': 'application/json',
     authorization: `Bearer ${token}`,
diff --git a/apps/api/src/routes/settings.ts b/apps/api/src/routes/settings.ts
index 06674ef..e58f1d4 100644
--- a/apps/api/src/routes/settings.ts
+++ b/apps/api/src/routes/settings.ts
@@ -400,9 +400,17 @@ settingsRouter.post('/config/network/complete-connect', requireAuth, requireAdmi
     return res.status(502).json({ error: 'network_verify_failed', detail: err instanceof Error ? err.message : String(err) });
   }
 
+  // Stamp networkUrl + vendorId explicitly on every complete-connect.
+  // Without it, brands that hit the email-verify path *before* any
+  // /start-connect call (e.g. auto-enroll fell back, then they
+  // verified directly) ended up with networkUrl='' on their membership
+  // row — and every subsequent proxy call 503'd with
+  // network_not_configured.
   await saveNetworkMembership(db, tenantId, {
     enabled: true,
+    networkUrl,
     vendorToken: result.vendorToken,
+    vendorId: result.vendorId,
   });
 
   res.json({ ok: true, vendorId: result.vendorId, displayName: result.displayName });

From 8052ead0cce2317b9e31dbc1f721f787972ddccb Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 20:11:02 -0700
Subject: [PATCH 060/131] fix(network-partner): graceful empty state for
 partners not pushed to Network
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

A brand admin invites Keith → Partner row exists in their tenant. But
if the brand's network_membership has autoEnroll=false (or the push
queued in NetworkOutbox and hasn't drained), no VendorAffiliation
exists for Keith on the Network side. Network's
resolveCreatorViaVendorActing returns null → 403
invalid_acting_context → partner sees a red error banner on
"My partnerships" / "My applications" / "Network profile".

Wrap the partner-acting proxies so 403/404 invalid_acting_context maps
to a typed empty payload instead of bubbling as an error:
- /me/affiliations → { affiliations: [] }  (existing empty state renders)
- /me/requests     → { requests: [] }
- /me/profile      → { notFederated: true } (page shows a "ask your
                     brand admin to enable auto-enroll + backfill"
                     message instead of a half-rendered editable form)

Doesn't fix the underlying push gap — that's still on the brand to
enable auto-enroll + click Backfill — but the partner stops seeing a
hard 403 in the meantime.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/network-partner.ts      | 37 +++++++++++++++++++--
 apps/portal/src/pages/partner/MyProfile.tsx | 16 +++++++--
 2 files changed, 48 insertions(+), 5 deletions(-)

diff --git a/apps/api/src/routes/network-partner.ts b/apps/api/src/routes/network-partner.ts
index f15f6ea..1895a8e 100644
--- a/apps/api/src/routes/network-partner.ts
+++ b/apps/api/src/routes/network-partner.ts
@@ -42,6 +42,12 @@ async function proxy(
   res: Response,
   fn: (db: Knex, tenantId: string) => Promise<unknown>,
   successStatus = 200,
+  /** Shape returned when the partner has no Network identity yet
+   *  (Network 403 invalid_acting_context). Lets the SPA show an empty
+   *  state instead of an error banner for the common case where the
+   *  brand exists on the Network but auto-enroll never pushed this
+   *  particular partner. */
+  notFederatedFallback?: () => unknown,
 ): Promise<void> {
   const { db, tenantId } = tenantOf(req);
   try {
@@ -49,6 +55,10 @@ async function proxy(
     res.status(successStatus).json(out);
   } catch (err) {
     if (err instanceof NetworkProxyError) {
+      if (notFederatedFallback && (err.status === 403 || err.status === 404) && err.message.includes('invalid_acting_context')) {
+        res.json(notFederatedFallback());
+        return;
+      }
       res.status(err.status).json({ error: 'network_call_failed', detail: err.message });
       return;
     }
@@ -106,7 +116,13 @@ networkPartnerRouter.post('/network/offerings/:id/apply', requireAuth, async (re
 networkPartnerRouter.get('/network/me/affiliations', requireAuth, async (req, res) => {
   const partnerId = requirePartnerPrincipal(req, res);
   if (!partnerId) return;
-  return proxy(req, res, (db, tenantId) => partnerProxy.listMyAffiliations(db, tenantId, partnerId));
+  return proxy(
+    req,
+    res,
+    (db, tenantId) => partnerProxy.listMyAffiliations(db, tenantId, partnerId),
+    200,
+    () => ({ affiliations: [] }),
+  );
 });
 
 networkPartnerRouter.get('/network/me/affiliations/:id/earnings', requireAuth, async (req, res) => {
@@ -120,7 +136,13 @@ networkPartnerRouter.get('/network/me/affiliations/:id/earnings', requireAuth, a
 networkPartnerRouter.get('/network/me/requests', requireAuth, async (req, res) => {
   const partnerId = requirePartnerPrincipal(req, res);
   if (!partnerId) return;
-  return proxy(req, res, (db, tenantId) => partnerProxy.listMyRequests(db, tenantId, partnerId));
+  return proxy(
+    req,
+    res,
+    (db, tenantId) => partnerProxy.listMyRequests(db, tenantId, partnerId),
+    200,
+    () => ({ requests: [] }),
+  );
 });
 
 networkPartnerRouter.post('/network/me/requests/:id/cancel', requireAuth, async (req, res) => {
@@ -132,7 +154,16 @@ networkPartnerRouter.post('/network/me/requests/:id/cancel', requireAuth, async
 networkPartnerRouter.get('/network/me/profile', requireAuth, async (req, res) => {
   const partnerId = requirePartnerPrincipal(req, res);
   if (!partnerId) return;
-  return proxy(req, res, (db, tenantId) => partnerProxy.getMyProfile(db, tenantId, partnerId));
+  // Profile fallback returns null instead of an empty object so the
+  // SPA can show a "not on the Network yet" message rather than a
+  // half-rendered editable form.
+  return proxy(
+    req,
+    res,
+    (db, tenantId) => partnerProxy.getMyProfile(db, tenantId, partnerId),
+    200,
+    () => ({ notFederated: true }),
+  );
 });
 
 const updateProfileSchema = z.object({
diff --git a/apps/portal/src/pages/partner/MyProfile.tsx b/apps/portal/src/pages/partner/MyProfile.tsx
index 0d26104..cfc28d8 100644
--- a/apps/portal/src/pages/partner/MyProfile.tsx
+++ b/apps/portal/src/pages/partner/MyProfile.tsx
@@ -15,11 +15,15 @@ interface Profile {
   createdAt: string;
 }
 
+interface ProfileResponse extends Partial<Profile> {
+  notFederated?: boolean;
+}
+
 export function MyProfilePage() {
   const qc = useQueryClient();
   const { data, isLoading, error } = useQuery({
     queryKey: ['network-my-profile'],
-    queryFn: () => api<Profile>(`/network/me/profile`),
+    queryFn: () => api<ProfileResponse>(`/network/me/profile`),
     retry: false,
   });
 
@@ -29,7 +33,7 @@ export function MyProfilePage() {
   const [bio, setBio] = useState('');
 
   useEffect(() => {
-    if (data) {
+    if (data && !data.notFederated) {
       setName(data.name ?? '');
       setHandle(data.handle ?? '');
       setAvatarUrl(data.avatarUrl ?? '');
@@ -57,6 +61,14 @@ export function MyProfilePage() {
       <ErrorBanner error={save.error} />
       {isLoading ? (
         <Card>Loading…</Card>
+      ) : data?.notFederated ? (
+        <Card>
+          <div style={{ fontSize: 14 }}>
+            Your brand hasn&rsquo;t pushed you to the Network yet. Ask the brand admin to enable
+            <strong> auto-enroll</strong> on Settings → Network and run <strong>Backfill</strong>;
+            once that&rsquo;s done your Network profile will appear here.
+          </div>
+        </Card>
       ) : data ? (
         <Card>
           <div style={{ display: 'grid', gap: 12, maxWidth: 520 }}>

From 6eda2bbe2c52e199f59d0da7e888690440738ac3 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 20:15:16 -0700
Subject: [PATCH 061/131] fix(network-push): apply NETWORK_URL fallback in
 dispatch too
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Same root cause as the callNetwork fix: dispatch() (used by every
partner-upsert / revoke / backfill push) was checking !m.networkUrl
and silently returning null without enqueuing — meaning Network was
never even contacted, the outbox stayed empty, and the backfill UI
mis-reported the silent no-op as "queued for retry" (1 of 1 in the
brand admin's screenshot).

Fall back to process.env.NETWORK_URL when the membership row's
networkUrl is empty. Future writes via complete-connect (already fixed
last commit) will heal the row; this fix unblocks pushes immediately
on the next backfill click.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/network-client.ts | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/apps/api/src/network-client.ts b/apps/api/src/network-client.ts
index 398c07e..a979ce9 100644
--- a/apps/api/src/network-client.ts
+++ b/apps/api/src/network-client.ts
@@ -168,10 +168,19 @@ export async function dispatch<T>(
   payload: Record<string, unknown>,
 ): Promise<T | null> {
   const m = await getNetworkMembership(db, tenantId);
-  if (!m || !m.enabled || !m.networkUrl || !m.vendorTokenCiphertext) {
+  if (!m || !m.enabled || !m.vendorTokenCiphertext) {
     return null; // Network not configured for this tenant — silent no-op.
   }
 
+  // Same fallback as callNetwork: heal tenants that ended up with an
+  // empty networkUrl on their membership row (email-verify path before
+  // /start-connect was called) by reading from process.env.NETWORK_URL.
+  const networkUrl = m.networkUrl || process.env.NETWORK_URL;
+  if (!networkUrl) {
+    console.error('[network] no networkUrl on membership and NETWORK_URL env unset');
+    return null;
+  }
+
   let token: string;
   try {
     token = decryptSecret(m.vendorTokenCiphertext);
@@ -182,7 +191,7 @@ export async function dispatch<T>(
     return null;
   }
 
-  const url = endpointForOp(m.networkUrl, op);
+  const url = endpointForOp(networkUrl, op);
   try {
     const res = await fetch(url, {
       method: 'POST',

From b7e912f74705fe9ff2698ed56a57d5199c90cf0d Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 20:47:21 -0700
Subject: [PATCH 062/131] fix(signup): re-claim slug when no admin has
 activated yet
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Typo'd email at brand signup → activation never lands → admin row
sits with activatedAt=null forever → retry hits 'slug_taken' with no
self-recovery path. Common enough we shouldn't make people support-
ticket their way out.

Recovery: if the slug exists and ZERO admins on it have activated,
treat the new signup as a re-claim. Drop the unactivated admin rows,
their magic-link tokens, and any network_membership Config we'd
stamped on the half-onboarded brand; rewrite the Tenant.displayName
to match the new attempt; insert the new admin against the existing
tenantId. Activated admin = real conflict, still 409 slug_taken.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/signup.ts | 43 ++++++++++++++++++++++++++---------
 1 file changed, 32 insertions(+), 11 deletions(-)

diff --git a/apps/api/src/routes/signup.ts b/apps/api/src/routes/signup.ts
index f849dda..15f3a7b 100644
--- a/apps/api/src/routes/signup.ts
+++ b/apps/api/src/routes/signup.ts
@@ -65,8 +65,8 @@ signupRouter.post('/signup', signupLimit, async (req, res) => {
     return res.status(409).json({ error: 'slug_reserved' });
   }
 
-  const tenantId = ulid();
-  const adminId = ulid();
+  let tenantId = ulid();
+  let adminId = ulid();
   const now = new Date();
 
   try {
@@ -76,15 +76,36 @@ signupRouter.post('/signup', signupLimit, async (req, res) => {
       // the unique constraint as a generic 500. The unique constraint is
       // still our final guard; this just gives us a clean error.
       const existing = await trx<TenantRow>(TABLES.Tenant).where({ slug }).first();
-      if (existing) throw new SignupGuardError('slug_taken');
-
-      await trx<TenantRow>(TABLES.Tenant).insert({
-        id: tenantId,
-        slug,
-        displayName: body.data.displayName,
-        status: 'active',
-        metadata: { createdBy: 'signup' } as unknown as never,
-      });
+      if (existing) {
+        // Recovery path: if the slug exists but no admin has activated
+        // yet, the previous signup was abandoned (typo'd email, mailer
+        // misconfigured, etc.). Replace the unactivated admins + magic
+        // links + the network membership Config so the new email can
+        // claim the brand cleanly. If anyone has activated we still
+        // refuse — that's a real conflict.
+        const activatedExists = await trx<AdminRow>(TABLES.Admin)
+          .where({ tenantId: existing.id })
+          .whereNotNull('activatedAt')
+          .first();
+        if (activatedExists) throw new SignupGuardError('slug_taken');
+
+        tenantId = existing.id;
+        await trx<AdminRow>(TABLES.Admin).where({ tenantId }).del();
+        await trx(TABLES.MagicLinkToken).where({ tenantId }).del();
+        await trx(TABLES.Config).where({ tenantId, key: 'network_membership' }).del();
+        await trx<TenantRow>(TABLES.Tenant).where({ id: tenantId }).update({
+          displayName: body.data.displayName,
+          updatedAt: new Date(),
+        });
+      } else {
+        await trx<TenantRow>(TABLES.Tenant).insert({
+          id: tenantId,
+          slug,
+          displayName: body.data.displayName,
+          status: 'active',
+          metadata: { createdBy: 'signup' } as unknown as never,
+        });
+      }
 
       await trx<AdminRow>(TABLES.Admin).insert({
         id: adminId,

From 9d9002fc59f873fd9c65ee96981d922671e05b45 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 20:50:46 -0700
Subject: [PATCH 063/131] fix(settings/onboarding): default brand name to
 Tenant.displayName
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Brand admin signs up → Tenant.displayName is set. Then they land on
Settings → Brand info and the field is empty, with the onboarding
checklist nagging them to "set your brand name". Two state sources for
the same concept: program_settings.programName (admin-set in Settings)
vs Tenant.displayName (set at signup).

Have GET /config/program fall back to Tenant.displayName when
program_settings.programName is null. Same fallback in the onboarding
status probe so the checklist row auto-checks once signup happens.
Saving the Settings page promotes the value into program_settings as
before — explicit override wins; no fallback needed at that point.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/onboarding.ts | 12 +++++++-----
 apps/api/src/routes/settings.ts   | 12 +++++++++++-
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/apps/api/src/routes/onboarding.ts b/apps/api/src/routes/onboarding.ts
index 01dbcde..721552c 100644
--- a/apps/api/src/routes/onboarding.ts
+++ b/apps/api/src/routes/onboarding.ts
@@ -31,13 +31,15 @@ interface BrandOnboardingStatus {
 onboardingRouter.get('/admin/onboarding-status', requireAuth, requireAdmin, async (req, res) => {
   const { db, tenantId } = tenantOf(req);
 
-  // Brand info is "complete" if program_settings.programName is set OR
-  // Tenant.displayName isn't a placeholder. Today displayName is set at
-  // signup so this is effectively always true for hosted brands; we
-  // keep the field so the checkist renders the row anyway.
+  // Brand info is "complete" if either program_settings.programName is
+  // explicitly set OR the Tenant has a displayName from signup. We
+  // accept the signup value because re-typing it in Settings just to
+  // satisfy a checkbox is dumb.
   const programRow = await db(TABLES.Config).where({ key: 'program_settings' }).first();
   const programName = ((programRow?.value as { programName?: string })?.programName ?? '').trim();
-  const brandInfoComplete = programName.length > 0;
+  const tenant = await db('Tenant').where({ id: tenantId }).first(['displayName']);
+  const displayName = ((tenant?.displayName as string | undefined) ?? '').trim();
+  const brandInfoComplete = programName.length > 0 || displayName.length > 0;
 
   const campaignRows = await db<CampaignRow>(TABLES.Campaign).count<Array<{ count: string }>>({ count: '*' });
   const campaignCount = Number(campaignRows[0]?.count ?? 0);
diff --git a/apps/api/src/routes/settings.ts b/apps/api/src/routes/settings.ts
index e58f1d4..9718b2f 100644
--- a/apps/api/src/routes/settings.ts
+++ b/apps/api/src/routes/settings.ts
@@ -50,8 +50,18 @@ export interface ProgramSettings {
 async function readSettings(db: Knex, tenantId: string): Promise<ProgramSettings> {
   const row = await db<ConfigRow>(TABLES.Config).where({ tenantId, key: CONFIG_KEY }).first();
   const value = (row?.value ?? {}) as Partial<ProgramSettings>;
+  // Fall back to Tenant.displayName so brand admins don't have to re-type
+  // the brand name they set at signup. Saving this page promotes the
+  // value into program_settings; until then we just surface the signup
+  // value so the UI is pre-populated and the onboarding checklist
+  // doesn't keep nagging about a thing that's effectively already set.
+  let programName = value.programName ?? null;
+  if (!programName) {
+    const tenant = await db('Tenant').where({ id: tenantId }).first(['displayName']);
+    if (tenant?.displayName) programName = tenant.displayName as string;
+  }
   return {
-    programName: value.programName ?? null,
+    programName,
     supportEmail: value.supportEmail ?? null,
   };
 }

From 9542677e1642cf58996976e439f3aa8e5df0f737 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 20:57:17 -0700
Subject: [PATCH 064/131] feat(mail): brand-aware From + Reply-To on platform
 fallback; surface in UI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Hosted brands shouldn't have to wire up email to send their first
partner invite. Default to platform Postmark with brand identity
baked into the From line:

  From: "Acme via OpenPartner" <noreply@openpartner.dev>
  Reply-To: <brand's program_settings.supportEmail if set>

Mailer rewrites From only when source='env' (platform fallback). When
the brand wired up their own SMTP/Postmark via Settings → Mail
(source='ui') we trust their From verbatim — they presumably want
their own domain. Display name is sanitized + clamped at 80 chars.

UI: replace the cryptic SECRETS_ENCRYPTION_KEY hint in Settings →
Mail with a green callout that says "Email is set up by default"
and explains the section is optional + only needed for own-domain
sending.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/mailer.ts                   | 45 +++++++++++++++++++++---
 apps/portal/src/pages/admin/Settings.tsx | 25 ++++++++++---
 2 files changed, 61 insertions(+), 9 deletions(-)

diff --git a/apps/api/src/mailer.ts b/apps/api/src/mailer.ts
index 087eb7e..dac0a6d 100644
--- a/apps/api/src/mailer.ts
+++ b/apps/api/src/mailer.ts
@@ -25,6 +25,8 @@
 import type { Knex } from 'knex';
 import nodemailer from 'nodemailer';
 import { resolveMailConfig } from './mail-settings.js';
+import { resolveBrandName } from './brand-name.js';
+import { TABLES, type ConfigRow } from '@openpartner/db';
 
 export interface Message {
   to: string;
@@ -44,10 +46,43 @@ export interface Mailer {
   send(ctx: SendContext, msg: Message): Promise<void>;
 }
 
+/** Strip and quote pieces of a name for safe use in an RFC 5322 display
+ *  name. Drops control chars and double-quotes; trims to 80 chars. */
+function safeDisplayName(name: string): string {
+  return name.replace(/[\x00-\x1f"\\]/g, '').trim().slice(0, 80);
+}
+
+/** Pull the bare email address out of `"Name" <addr@host>` or `addr@host`. */
+function extractAddress(from: string): string {
+  const m = from.match(/<([^>]+)>/);
+  return (m?.[1] ?? from).trim();
+}
+
 class RoutingMailer implements Mailer {
   async send(ctx: SendContext, msg: Message): Promise<void> {
     const cfg = await resolveMailConfig(ctx.db, ctx.tenantId);
-    if (cfg.kind === 'smtp' && cfg.smtp && cfg.from) {
+
+    // Brand-aware From + Reply-To when we're using the platform fallback
+    // (source='env'). Pattern: `"Acme via OpenPartner" <noreply@openpartner.dev>`,
+    // Reply-To = the brand's support email if set. Means hosted brands
+    // get brand identity in the inbox without configuring email at all.
+    // For source='ui' (brand wired up their own provider) we trust their
+    // From and don't second-guess it.
+    let from = cfg.from ?? null;
+    let replyTo: string | undefined;
+    if (cfg.source === 'env' && from) {
+      const brandName = await resolveBrandName(ctx.db, ctx.tenantId);
+      if (brandName) {
+        from = `"${safeDisplayName(brandName)} via OpenPartner" <${extractAddress(from)}>`;
+      }
+      const supportRow = await ctx.db<ConfigRow>(TABLES.Config)
+        .where({ tenantId: ctx.tenantId, key: 'program_settings' })
+        .first();
+      const supportEmail = ((supportRow?.value as { supportEmail?: string } | undefined)?.supportEmail ?? '').trim();
+      if (supportEmail) replyTo = supportEmail;
+    }
+
+    if (cfg.kind === 'smtp' && cfg.smtp && from) {
       const transporter = nodemailer.createTransport({
         host: cfg.smtp.host,
         port: cfg.smtp.port,
@@ -58,8 +93,9 @@ class RoutingMailer implements Mailer {
             : undefined,
       });
       await transporter.sendMail({
-        from: cfg.from,
+        from,
         to: msg.to,
+        replyTo,
         subject: msg.subject,
         text: msg.text,
         html: msg.html,
@@ -67,7 +103,7 @@ class RoutingMailer implements Mailer {
       });
       return;
     }
-    if (cfg.kind === 'postmark' && cfg.postmark && cfg.from) {
+    if (cfg.kind === 'postmark' && cfg.postmark && from) {
       const res = await fetch('https://api.postmarkapp.com/email', {
         method: 'POST',
         headers: {
@@ -76,8 +112,9 @@ class RoutingMailer implements Mailer {
           'X-Postmark-Server-Token': cfg.postmark.serverToken,
         },
         body: JSON.stringify({
-          From: cfg.from,
+          From: from,
           To: msg.to,
+          ReplyTo: replyTo,
           Subject: msg.subject,
           TextBody: msg.text,
           HtmlBody: msg.html,
diff --git a/apps/portal/src/pages/admin/Settings.tsx b/apps/portal/src/pages/admin/Settings.tsx
index 62ddecb..71bf785 100644
--- a/apps/portal/src/pages/admin/Settings.tsx
+++ b/apps/portal/src/pages/admin/Settings.tsx
@@ -174,11 +174,26 @@ function MailSection() {
         <div style={{ fontSize: 15, fontWeight: 500 }}>Email delivery</div>
       </div>
       <ErrorBanner error={error ?? mut.error} />
-      <Hint>
-        Used for partner invite / sign-in emails and admin magic-links. Credentials are
-        encrypted at rest with <code>SECRETS_ENCRYPTION_KEY</code>. Leaving the UI empty
-        falls back to <code>SMTP_*</code> / <code>POSTMARK_SERVER_TOKEN</code> env vars.
-      </Hint>
+      <div
+        style={{
+          background: theme.successSoft,
+          border: `1px solid ${theme.success}55`,
+          borderRadius: theme.radiusSm,
+          padding: 12,
+          marginBottom: 14,
+        }}
+      >
+        <div style={{ fontSize: 14, fontWeight: 500, color: theme.success, marginBottom: 4 }}>
+          Email is set up by default
+        </div>
+        <div style={{ fontSize: 13, color: theme.textMuted, lineHeight: 1.55 }}>
+          Partner invites, sign-in links, and notifications send through OpenPartner&rsquo;s
+          email infrastructure as <code>&ldquo;Your brand via OpenPartner&rdquo; &lt;noreply@openpartner.dev&gt;</code>.
+          Replies go to your support email if you&rsquo;ve set one. This section is optional —
+          configure your own SMTP or Postmark only if you want emails to come from your
+          own domain.
+        </div>
+      </div>
 
       <div style={{ marginTop: 14, marginBottom: 12 }}>
         <Label>Provider</Label>

From f1aaccbef69a4a449ac8e9357b167242dc3821aa Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 21:04:08 -0700
Subject: [PATCH 065/131] feat(mail): fall back Reply-To to oldest activated
 admin email
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the platform-fallback mailer can't find a support email in
program_settings, default Reply-To to the oldest activated Admin's
email instead of leaving it unset (which silently routes replies to
hello@openpartner.dev — our inbox, not the brand's). Now a partner
who hits Reply on a sign-in email always lands on a human at the
brand, even before the admin has filled in Settings → Brand info.

Resolution order for Reply-To (platform fallback only):
  1. program_settings.supportEmail
  2. oldest activated Admin.email on the tenant
  3. unset (replies hit our hello@ inbox — only happens when no
     admin has activated yet, edge case)

Brand-configured mail (source='ui') unaffected; their From + provider
control their own routing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/mailer.ts | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/apps/api/src/mailer.ts b/apps/api/src/mailer.ts
index dac0a6d..0e3cdc2 100644
--- a/apps/api/src/mailer.ts
+++ b/apps/api/src/mailer.ts
@@ -79,7 +79,20 @@ class RoutingMailer implements Mailer {
         .where({ tenantId: ctx.tenantId, key: 'program_settings' })
         .first();
       const supportEmail = ((supportRow?.value as { supportEmail?: string } | undefined)?.supportEmail ?? '').trim();
-      if (supportEmail) replyTo = supportEmail;
+      if (supportEmail) {
+        replyTo = supportEmail;
+      } else {
+        // Fallback: oldest active admin on the tenant. Means a partner
+        // hitting Reply on a sign-in email always lands on a human at
+        // the brand, even before Settings → Brand info is filled in.
+        const fallbackAdmin = await ctx.db(TABLES.Admin)
+          .where({ tenantId: ctx.tenantId })
+          .whereNotNull('activatedAt')
+          .whereNull('revokedAt')
+          .orderBy('activatedAt', 'asc')
+          .first(['email']);
+        if (fallbackAdmin?.email) replyTo = fallbackAdmin.email as string;
+      }
     }
 
     if (cfg.kind === 'smtp' && cfg.smtp && from) {

From 482c46f9f3470f3ff05515b27e1d181d68fa1d01 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 21:34:56 -0700
Subject: [PATCH 066/131] feat(campaigns): optional start + end dates with
 proper lifecycle gates
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds Campaign.startsAt + endsAt (both nullable; null/null = runs
forever, matching pre-migration behavior). Status computed at read
time:

  Scheduled  → before startsAt
  Active     → between dates (or no bounds)
  Ended      → past endsAt

Lifecycle is enforced consistently across every gate via the new
campaign-lifecycle.ts helper:

- /me/campaigns hides scheduled + ended from partners (admins still
  see them so they can edit dates).
- POST /partners/:id/links refuses with 409 campaign_not_active when
  the campaign isn't active. Existing Links are unaffected — URLs
  intact for partner trust.
- attribution.ts skips commission accrual on events dated past
  endsAt (commissionEarnable check). Attribution row still inserts
  for analytics; just no payout. The router still 302s those clicks
  so partners' posted content keeps working.
- Campaign create + PATCH accept startsAt / endsAt as ISO datetimes;
  null clears.

UI:
- AdminCampaigns gains a Status column with colored pill (Active /
  Scheduled / Ended) and date inputs in the create form, with hints
  explaining the "links keep redirecting, commissions stop" rule.

Industry-aligned with how Impact / Partnerize / ShareASale handle
seasonal pushes — links never 404 once posted, but commissions
respect the campaign window.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/attribution.ts                   | 10 ++++
 apps/api/src/campaign-lifecycle.ts            | 48 +++++++++++++++++++
 apps/api/src/routes/campaigns.ts              | 27 +++++++++--
 apps/api/src/routes/links.ts                  | 13 +++++
 apps/portal/src/pages/AdminCampaigns.tsx      | 47 +++++++++++++++++-
 .../20260512000000_campaign_lifecycle.ts      | 39 +++++++++++++++
 packages/db/src/types.ts                      |  6 +++
 7 files changed, 185 insertions(+), 5 deletions(-)
 create mode 100644 apps/api/src/campaign-lifecycle.ts
 create mode 100644 packages/db/migrations/20260512000000_campaign_lifecycle.ts

diff --git a/apps/api/src/attribution.ts b/apps/api/src/attribution.ts
index 22f300a..ef3e60e 100644
--- a/apps/api/src/attribution.ts
+++ b/apps/api/src/attribution.ts
@@ -121,6 +121,16 @@ export async function attributeEvent(
     if (insertRes.length === 0) continue; // dup — already attributed
     allDup = false;
 
+    // Commission lifecycle gate: events dated after the campaign's
+    // endsAt don't accrue. Attribution row stays for analytics — we
+    // still want to know the click → conversion path was real — just
+    // no payout. Pre-startsAt is similarly skipped (defensive; clicks
+    // shouldn't exist for a not-yet-started campaign).
+    const { commissionEarnable } = await import('./campaign-lifecycle.js');
+    if (!commissionEarnable(click.campaign, new Date(event.ts))) {
+      continue;
+    }
+
     const rule = parseCommissionRule(click.campaign.commissionRule);
     const amount = computeCommissionAmount(rule, event) * weight;
     const commissionId = ulid();
diff --git a/apps/api/src/campaign-lifecycle.ts b/apps/api/src/campaign-lifecycle.ts
new file mode 100644
index 0000000..1a4dc0e
--- /dev/null
+++ b/apps/api/src/campaign-lifecycle.ts
@@ -0,0 +1,48 @@
+/**
+ * Campaign lifecycle status — computed at read time from
+ * (startsAt, endsAt). Single source of truth for every gate:
+ *   - Link create
+ *   - Application apply / approve
+ *   - Offering visibility on the Network
+ *   - Commission attribution at event time
+ *
+ * Time-bound semantics:
+ *   - status pertains to NOW (or `at` if passed) — does the campaign
+ *     accept new activity?
+ *   - commissionEarnable(at) gates per-event accrual: an event timed
+ *     after endsAt doesn't earn even if the campaign is still
+ *     accepting writes (clock drift, retroactive imports, etc.)
+ */
+
+export type CampaignStatus = 'scheduled' | 'active' | 'ended';
+
+interface LifecycleFields {
+  startsAt: Date | string | null;
+  endsAt: Date | string | null;
+}
+
+function asDate(d: Date | string | null): Date | null {
+  if (!d) return null;
+  return d instanceof Date ? d : new Date(d);
+}
+
+export function campaignStatus(c: LifecycleFields, at: Date = new Date()): CampaignStatus {
+  const start = asDate(c.startsAt);
+  const end = asDate(c.endsAt);
+  if (start && at < start) return 'scheduled';
+  if (end && at >= end) return 'ended';
+  return 'active';
+}
+
+/** True if the campaign currently accepts new partner applications,
+ *  new Link creation, and surfaces in creator discovery. */
+export function campaignAcceptsNewActivity(c: LifecycleFields, at?: Date): boolean {
+  return campaignStatus(c, at) === 'active';
+}
+
+/** True if a commission may accrue against this campaign for an event
+ *  dated `at`. False once endsAt has passed. Lets existing Links keep
+ *  redirecting (URLs intact) while quietly stopping earnings. */
+export function commissionEarnable(c: LifecycleFields, at: Date): boolean {
+  return campaignStatus(c, at) !== 'ended';
+}
diff --git a/apps/api/src/routes/campaigns.ts b/apps/api/src/routes/campaigns.ts
index 52951f8..28e42eb 100644
--- a/apps/api/src/routes/campaigns.ts
+++ b/apps/api/src/routes/campaigns.ts
@@ -4,6 +4,7 @@ import { ulid } from 'ulid';
 import { TABLES, type CampaignRow } from '@openpartner/db';
 import { requireAdmin, requireAuth } from '../auth.js';
 import { tenantOf } from '../tenancy.js';
+import { campaignAcceptsNewActivity } from '../campaign-lifecycle.js';
 
 const commissionRuleSchema = z.discriminatedUnion('type', [
   z.object({ type: z.literal('percent'), value: z.number().positive(), recurring: z.boolean().optional() }),
@@ -24,6 +25,8 @@ const createSchema = z.object({
   /** Comma-separated host allowlist for partner deep-linking. Null/omitted
    *  means partners can't override the destination. */
   deepLinkAllowedDomains: z.string().max(1000).optional(),
+  startsAt: z.string().datetime().nullable().optional(),
+  endsAt: z.string().datetime().nullable().optional(),
 });
 
 const updateSchema = z.object({
@@ -33,6 +36,8 @@ const updateSchema = z.object({
   attributionModel: z.enum(['last_click', 'first_click', 'linear', 'position']).optional(),
   destinationUrl: z.string().url().optional(),
   deepLinkAllowedDomains: z.string().max(1000).nullable().optional(),
+  startsAt: z.string().datetime().nullable().optional(),
+  endsAt: z.string().datetime().nullable().optional(),
 });
 
 export const campaignsRouter = Router();
@@ -63,13 +68,18 @@ campaignsRouter.get('/me/campaigns', requireAuth, async (req, res) => {
 
   if (p.role === 'admin') {
     const campaigns = (await db<CampaignRow>(TABLES.Campaign)
-      .select('id', 'name', 'destinationUrl', 'deepLinkAllowedDomains')
-      .orderBy('createdAt', 'desc')) as Array<Pick<CampaignRow, 'id' | 'name' | 'destinationUrl' | 'deepLinkAllowedDomains'>>;
+      .select('id', 'name', 'destinationUrl', 'deepLinkAllowedDomains', 'startsAt', 'endsAt')
+      .orderBy('createdAt', 'desc')) as Array<
+        Pick<CampaignRow, 'id' | 'name' | 'destinationUrl' | 'deepLinkAllowedDomains' | 'startsAt' | 'endsAt'>
+      >;
     return res.json({ campaigns });
   }
 
-  // Partner: filter through PartnerCampaign join.
-  const campaigns = (await db(TABLES.Campaign)
+  // Partner: filter through PartnerCampaign join. Hide scheduled (not
+  // yet started) and ended campaigns — partners shouldn't be picking
+  // those when they create a Link. Admins see them all so they can
+  // edit dates.
+  const rows = (await db(TABLES.Campaign)
     .join(TABLES.PartnerCampaign, `${TABLES.PartnerCampaign}.campaignId`, `${TABLES.Campaign}.id`)
     .where(`${TABLES.PartnerCampaign}.partnerId`, p.partnerId!)
     .select(
@@ -77,6 +87,8 @@ campaignsRouter.get('/me/campaigns', requireAuth, async (req, res) => {
       `${TABLES.Campaign}.name`,
       `${TABLES.Campaign}.destinationUrl`,
       `${TABLES.Campaign}.deepLinkAllowedDomains`,
+      `${TABLES.Campaign}.startsAt as startsAt`,
+      `${TABLES.Campaign}.endsAt as endsAt`,
       `${TABLES.PartnerCampaign}.source as source`,
     )
     .orderBy(`${TABLES.Campaign}.createdAt`, 'desc')) as Array<{
@@ -84,8 +96,11 @@ campaignsRouter.get('/me/campaigns', requireAuth, async (req, res) => {
       name: string;
       destinationUrl: string;
       deepLinkAllowedDomains: string | null;
+      startsAt: Date | null;
+      endsAt: Date | null;
       source: 'admin' | 'offering';
     }>;
+  const campaigns = rows.filter((r) => campaignAcceptsNewActivity(r));
   res.json({ campaigns });
 });
 
@@ -105,6 +120,8 @@ campaignsRouter.post('/campaigns', requireAuth, requireAdmin, async (req, res) =
       attributionModel: body.data.attributionModel ?? 'last_click',
       destinationUrl: body.data.destinationUrl,
       deepLinkAllowedDomains: body.data.deepLinkAllowedDomains ?? null,
+      startsAt: body.data.startsAt ? new Date(body.data.startsAt) : null,
+      endsAt: body.data.endsAt ? new Date(body.data.endsAt) : null,
     })
     .returning('*');
 
@@ -126,6 +143,8 @@ campaignsRouter.patch('/campaigns/:id', requireAuth, requireAdmin, async (req, r
   if (body.data.attributionModel !== undefined) patch.attributionModel = body.data.attributionModel;
   if (body.data.destinationUrl !== undefined) patch.destinationUrl = body.data.destinationUrl;
   if (body.data.deepLinkAllowedDomains !== undefined) patch.deepLinkAllowedDomains = body.data.deepLinkAllowedDomains;
+  if (body.data.startsAt !== undefined) patch.startsAt = body.data.startsAt ? new Date(body.data.startsAt) : null;
+  if (body.data.endsAt !== undefined) patch.endsAt = body.data.endsAt ? new Date(body.data.endsAt) : null;
 
   await db<CampaignRow>(TABLES.Campaign).where({ id: req.params.id }).update(patch);
   const updated = await db<CampaignRow>(TABLES.Campaign).where({ id: req.params.id }).first();
diff --git a/apps/api/src/routes/links.ts b/apps/api/src/routes/links.ts
index 5878042..0194377 100644
--- a/apps/api/src/routes/links.ts
+++ b/apps/api/src/routes/links.ts
@@ -40,6 +40,19 @@ linksRouter.post('/partners/:id/links', requireAuth, grantScope('links:write'),
   const campaign = await db<CampaignRow>(TABLES.Campaign).where({ id: body.data.campaignId }).first();
   if (!campaign) return res.status(404).json({ error: 'campaign_not_found' });
 
+  // Lifecycle gate: scheduled or ended campaigns refuse new Link
+  // creation. Existing Links keep redirecting (URLs intact); only the
+  // create path is gated. Admins are subject to the same rule — if
+  // they want to make Links for an ended campaign they extend the
+  // endsAt first.
+  const { campaignAcceptsNewActivity, campaignStatus } = await import('../campaign-lifecycle.js');
+  if (!campaignAcceptsNewActivity(campaign)) {
+    return res.status(409).json({
+      error: 'campaign_not_active',
+      detail: `Campaign is ${campaignStatus(campaign)} — Links can be created only while the campaign is active.`,
+    });
+  }
+
   // Partner-side: must be granted access to this Campaign via
   // PartnerCampaign. Admins acting on a partner's behalf bypass this
   // check (they're the ones who'd grant it anyway).
diff --git a/apps/portal/src/pages/AdminCampaigns.tsx b/apps/portal/src/pages/AdminCampaigns.tsx
index 4708cbc..746125e 100644
--- a/apps/portal/src/pages/AdminCampaigns.tsx
+++ b/apps/portal/src/pages/AdminCampaigns.tsx
@@ -13,9 +13,18 @@ interface Campaign {
   attributionModel: string;
   destinationUrl: string;
   deepLinkAllowedDomains: string | null;
+  startsAt: string | null;
+  endsAt: string | null;
   createdAt: string;
 }
 
+type CampaignStatus = 'scheduled' | 'active' | 'ended';
+function statusOf(c: Pick<Campaign, 'startsAt' | 'endsAt'>, at: Date = new Date()): CampaignStatus {
+  if (c.startsAt && at < new Date(c.startsAt)) return 'scheduled';
+  if (c.endsAt && at >= new Date(c.endsAt)) return 'ended';
+  return 'active';
+}
+
 export function AdminCampaigns() {
   const qc = useQueryClient();
   const [showCreate, setShowCreate] = useState(false);
@@ -50,9 +59,10 @@ export function AdminCampaigns() {
         <EmptyState title="No campaigns yet" hint="A campaign holds the commission rule and attribution settings." icon={<Tag size={28} strokeWidth={1.25} />} />
       ) : (
         <Table
-          columns={['Name', 'Destination', 'Commission', 'Window', 'Model', 'Created']}
+          columns={['Name', 'Status', 'Destination', 'Commission', 'Window', 'Model', 'Created']}
           rows={(campaigns.data?.campaigns ?? []).map((c) => [
             <span style={{ fontWeight: 500 }}>{c.name}</span>,
+            <CampaignStatusPill campaign={c} />,
             <span style={{ color: theme.textMuted, fontSize: 12, fontFamily: theme.fontMono }}>
               {c.destinationUrl ? new URL(c.destinationUrl).hostname + new URL(c.destinationUrl).pathname.replace(/\/$/, '') : '—'}
               {c.deepLinkAllowedDomains && (
@@ -82,6 +92,8 @@ function CreateCampaign({ onClose, onCreated }: { onClose: () => void; onCreated
   const [recurring, setRecurring] = useState(true);
   const [windowDays, setWindowDays] = useState('60');
   const [model, setModel] = useState<'last_click' | 'first_click' | 'linear' | 'position'>('last_click');
+  const [startsAt, setStartsAt] = useState('');
+  const [endsAt, setEndsAt] = useState('');
 
   const mut = useMutation({
     mutationFn: () =>
@@ -94,6 +106,8 @@ function CreateCampaign({ onClose, onCreated }: { onClose: () => void; onCreated
           commissionRule: { type: ruleType, value: Number(ruleValue), recurring },
           attributionWindowDays: Number(windowDays),
           attributionModel: model,
+          startsAt: startsAt ? new Date(startsAt).toISOString() : null,
+          endsAt: endsAt ? new Date(endsAt).toISOString() : null,
         },
       }),
     onSuccess: onCreated,
@@ -162,6 +176,22 @@ function CreateCampaign({ onClose, onCreated }: { onClose: () => void; onCreated
           </Select>
         </div>
       </div>
+      <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 14, marginBottom: 16 }}>
+        <div>
+          <Label>Starts (optional)</Label>
+          <Input type="datetime-local" value={startsAt} onChange={(e) => setStartsAt(e.target.value)} />
+          <div style={{ fontSize: 12, color: theme.textDim, marginTop: 4 }}>
+            Leave blank to start immediately. Before this date the campaign is hidden from creators.
+          </div>
+        </div>
+        <div>
+          <Label>Ends (optional)</Label>
+          <Input type="datetime-local" value={endsAt} onChange={(e) => setEndsAt(e.target.value)} />
+          <div style={{ fontSize: 12, color: theme.textDim, marginTop: 4 }}>
+            Leave blank to run indefinitely. Past this date existing share-links keep redirecting but no new commissions accrue.
+          </div>
+        </div>
+      </div>
       <div style={{ display: 'flex', gap: 8 }}>
         <Button onClick={() => mut.mutate()} disabled={!name || !ruleValue || !destinationUrl || mut.isPending}>
           {mut.isPending ? 'Creating…' : 'Create campaign'}
@@ -171,3 +201,18 @@ function CreateCampaign({ onClose, onCreated }: { onClose: () => void; onCreated
     </Card>
   );
 }
+
+function CampaignStatusPill({ campaign }: { campaign: Pick<Campaign, 'startsAt' | 'endsAt'> }) {
+  const status = statusOf(campaign);
+  const palette: Record<CampaignStatus, { bg: string; fg: string; label: string }> = {
+    active: { bg: theme.successSoft, fg: theme.success, label: 'Active' },
+    scheduled: { bg: `${theme.accent}15`, fg: theme.accent, label: 'Scheduled' },
+    ended: { bg: theme.surface2, fg: theme.textMuted, label: 'Ended' },
+  };
+  const { bg, fg, label } = palette[status];
+  return (
+    <span style={{ background: bg, color: fg, fontSize: 11, padding: '2px 8px', borderRadius: 12, fontWeight: 600 }}>
+      {label}
+    </span>
+  );
+}
diff --git a/packages/db/migrations/20260512000000_campaign_lifecycle.ts b/packages/db/migrations/20260512000000_campaign_lifecycle.ts
new file mode 100644
index 0000000..dfb2d5d
--- /dev/null
+++ b/packages/db/migrations/20260512000000_campaign_lifecycle.ts
@@ -0,0 +1,39 @@
+/**
+ * Optional start/end window on Campaign — for scheduled pushes,
+ * seasonal launches, holiday promos, etc. Both nullable; null/null
+ * means "runs forever," matching today's behavior.
+ *
+ * Lifecycle (computed at read time, not stored):
+ *   - Before startsAt → Scheduled (hidden from creator discovery,
+ *     new applications + Link creation refused)
+ *   - Between startsAt and endsAt (or null bounds) → Active
+ *   - After endsAt → Ended (hidden from discovery, new apps + Links
+ *     refused; existing Links keep redirecting; new commissions
+ *     don't accrue on conversions dated after endsAt)
+ *
+ * The "existing Links keep working but stop earning" rule is what
+ * separates a respectable partner platform from one creators won't
+ * trust again — see the router's destination resolver, which doesn't
+ * consult these dates (URLs always 302), and the attribution layer,
+ * which does (commissions stop).
+ */
+
+import type { Knex } from 'knex';
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Campaign', (t) => {
+    t.timestamp('startsAt', { useTz: true });
+    t.timestamp('endsAt', { useTz: true });
+    t.index(['startsAt']);
+    t.index(['endsAt']);
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Campaign', (t) => {
+    t.dropIndex(['startsAt']);
+    t.dropIndex(['endsAt']);
+    t.dropColumn('startsAt');
+    t.dropColumn('endsAt');
+  });
+}
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index 3e26d1f..48e7b60 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -152,6 +152,12 @@ export interface CampaignRow {
    *  overrides (deep-linking to product pages). Null = partners can't
    *  override the Campaign default. */
   deepLinkAllowedDomains: string | null;
+  /** Optional scheduled start. Null = no start gate (active immediately). */
+  startsAt: Date | null;
+  /** Optional scheduled end. Null = runs forever. After this date the
+   *  campaign is "ended" — links keep redirecting, but no new
+   *  applications + no commission accrual on later events. */
+  endsAt: Date | null;
   createdAt: Date;
 }
 

From aa15d9c43627bfc59d6dfca333453bc29b837dd1 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 21:40:20 -0700
Subject: [PATCH 067/131] feat(campaigns): 7-day-before-end notifications to
 brand + active partners
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

New daily scheduler job (09:00 UTC) sweeps Campaigns with endsAt in the
6.5–7.5d window and hasn't been notified yet. For each:

- Email the oldest activated brand admin (one, not every co-admin) with
  a "Manage campaign" link to extend the end date.
- Email every Partner with at least one Link in the campaign (the
  ones who actually promoted — passive grants get no email). They get
  a "links keep working but commissions stop" heads-up.

Idempotency:
- Campaign.endNotificationSentAt stamps after the brand+partner round.
- Same sweep also clears the flag for campaigns whose endsAt got
  pushed back past the window — admin extends, fresh reminder fires
  before the new end date.

Per-partner mail failures don't block the campaign-level stamp; we
don't want to re-spam everyone if one address bounces. Brand-side
failure does propagate so the stamp doesn't lock out a retry.

Schema:
- migrations/20260513000000_campaign_end_notification adds
  Campaign.endNotificationSentAt nullable timestamp.
- types: CampaignRow.endNotificationSentAt.

Email templates:
- campaignEndingBrandEmail (subject: '"Q4 Holiday" ends in 7 days')
- campaignEndingPartnerEmail (subject: 'Heads up — "Q4 Holiday" ends
  in 7 days')

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/campaign-end-notifications.ts    | 156 ++++++++++++++++++
 apps/api/src/email-templates.ts               |  51 ++++++
 apps/api/src/scheduler.ts                     |   7 +
 ...0260513000000_campaign_end_notification.ts |  22 +++
 packages/db/src/types.ts                      |   5 +
 5 files changed, 241 insertions(+)
 create mode 100644 apps/api/src/campaign-end-notifications.ts
 create mode 100644 packages/db/migrations/20260513000000_campaign_end_notification.ts

diff --git a/apps/api/src/campaign-end-notifications.ts b/apps/api/src/campaign-end-notifications.ts
new file mode 100644
index 0000000..957e317
--- /dev/null
+++ b/apps/api/src/campaign-end-notifications.ts
@@ -0,0 +1,156 @@
+/**
+ * Daily sweep that finds campaigns ending in ~7 days and emails the
+ * brand admin + every partner that has at least one Link in the
+ * campaign. Stamps Campaign.endNotificationSentAt to make it
+ * idempotent across deploys / re-runs.
+ *
+ * "About 7 days out" is a 24h window: endsAt between (now+6.5d) and
+ * (now+7.5d). Scheduler fires daily at 09:00 UTC; the half-day padding
+ * means a clock skew or a missed run still catches everything.
+ *
+ * If the admin extends endsAt past 7.5 days from now we clear the
+ * flag so a fresh reminder fires before the new end date.
+ */
+
+import type { Knex } from 'knex';
+import { TABLES, type AdminRow, type CampaignRow, type PartnerRow, type TenantRow } from '@openpartner/db';
+import { db, appDb } from './db.js';
+import { getMailer } from './mailer.js';
+import { campaignEndingBrandEmail, campaignEndingPartnerEmail } from './email-templates.js';
+import { resolveBrandName } from './brand-name.js';
+
+const ONE_DAY_MS = 24 * 60 * 60 * 1000;
+
+interface SweepResult {
+  notified: number;
+  cleared: number;
+  errors: number;
+}
+
+export async function sweepCampaignEndNotifications(): Promise<SweepResult> {
+  const now = new Date();
+  const windowStart = new Date(now.getTime() + 6.5 * ONE_DAY_MS);
+  const windowEnd = new Date(now.getTime() + 7.5 * ONE_DAY_MS);
+
+  // Reset endNotificationSentAt on campaigns whose endsAt got pushed
+  // past the 7.5-day window — admin extended, so a future reminder
+  // should fire when the new end date approaches.
+  const { rowCount: clearedCount } = (await db.raw(
+    `update "Campaign"
+       set "endNotificationSentAt" = null
+     where "endNotificationSentAt" is not null
+       and "endsAt" is not null
+       and "endsAt" > ?`,
+    [windowEnd],
+  )) as { rowCount: number };
+  const cleared = Number(clearedCount ?? 0);
+
+  // Now find campaigns ripe for the reminder.
+  const due = await db<CampaignRow>(TABLES.Campaign)
+    .whereNotNull('endsAt')
+    .andWhere('endsAt', '>=', windowStart)
+    .andWhere('endsAt', '<', windowEnd)
+    .whereNull('endNotificationSentAt')
+    .select('*');
+
+  let notified = 0;
+  let errors = 0;
+
+  for (const campaign of due) {
+    try {
+      await notifyOne(campaign);
+      // Stamp via privileged db (cross-tenant context here in scheduler).
+      await db<CampaignRow>(TABLES.Campaign)
+        .where({ id: campaign.id })
+        .update({ endNotificationSentAt: new Date() });
+      notified += 1;
+    } catch (err) {
+      console.error('[end-notify] campaign failed', { id: campaign.id, err });
+      errors += 1;
+    }
+  }
+
+  return { notified, cleared, errors };
+}
+
+async function notifyOne(campaign: CampaignRow): Promise<void> {
+  if (!campaign.endsAt) return;
+
+  // Need a tenant-scoped trx for mailer.send (it reads tenant mail
+  // settings + brand name via the privileged-but-tenant-aware path).
+  // The scheduler runs cross-tenant so we open one per campaign.
+  const trx = await appDb.transaction();
+  try {
+    await trx.raw(`set local app.tenant_id = '${campaign.tenantId.replace(/'/g, "''")}'`);
+
+    const tenant = await trx<TenantRow>(TABLES.Tenant).where({ id: campaign.tenantId }).first();
+    const brandName = await resolveBrandName(trx, campaign.tenantId);
+
+    // Brand admin: pick the oldest activated admin to avoid spamming
+    // every co-admin. They can forward internally if needed.
+    const admin = await trx<AdminRow>(TABLES.Admin)
+      .where({ tenantId: campaign.tenantId })
+      .whereNotNull('activatedAt')
+      .whereNull('revokedAt')
+      .orderBy('activatedAt', 'asc')
+      .first();
+
+    const portalBase = (process.env.PORTAL_URL ?? '').replace(/\/$/, '');
+    const tenantSlug = tenant?.slug ?? '';
+    const tenantBase = portalBase && tenantSlug ? `${portalBase}/t/${tenantSlug}` : '';
+    const manageUrl = tenantBase ? `${tenantBase}/admin/campaigns` : '';
+
+    if (admin && manageUrl) {
+      const tmpl = campaignEndingBrandEmail(brandName, campaign.name, campaign.endsAt, manageUrl);
+      await getMailer().send({ db: trx, tenantId: campaign.tenantId }, {
+        to: admin.email,
+        subject: tmpl.subject,
+        text: tmpl.text,
+        html: tmpl.html,
+        tag: 'campaign_ending_brand',
+        metadata: { campaignId: campaign.id },
+      });
+    }
+
+    // Partners with at least one Link in this campaign. Joining
+    // through Link rather than PartnerCampaign on purpose — only
+    // partners who actually promoted should get the email; passive
+    // grants without any posted Link are noise.
+    const linkPartners = (await trx
+      .from(TABLES.Link)
+      .join(TABLES.Partner, `${TABLES.Partner}.id`, `${TABLES.Link}.partnerId`)
+      .where(`${TABLES.Link}.campaignId`, campaign.id)
+      .whereNull(`${TABLES.Partner}.revokedAt`)
+      .whereNotNull(`${TABLES.Partner}.activatedAt`)
+      .distinct(
+        `${TABLES.Partner}.id`,
+        `${TABLES.Partner}.email`,
+        `${TABLES.Partner}.name`,
+      )) as Array<Pick<PartnerRow, 'id' | 'email' | 'name'>>;
+
+    const programUrl = tenantBase ? `${tenantBase}/links` : '';
+    for (const p of linkPartners) {
+      try {
+        const tmpl = campaignEndingPartnerEmail(p.name, brandName, campaign.name, campaign.endsAt, programUrl);
+        await getMailer().send({ db: trx, tenantId: campaign.tenantId }, {
+          to: p.email,
+          subject: tmpl.subject,
+          text: tmpl.text,
+          html: tmpl.html,
+          tag: 'campaign_ending_partner',
+          metadata: { campaignId: campaign.id, partnerId: p.id },
+        });
+      } catch (err) {
+        // One partner's mail failure shouldn't block the rest. Log,
+        // continue. Stamping endNotificationSentAt at the campaign
+        // level still moves on — we don't re-try individual partners.
+        console.error('[end-notify] partner mail failed', { campaignId: campaign.id, partnerId: p.id, err });
+      }
+    }
+
+    await trx.commit();
+  } catch (err) {
+    await trx.rollback().catch(() => {});
+    throw err;
+  }
+}
diff --git a/apps/api/src/email-templates.ts b/apps/api/src/email-templates.ts
index 7696d87..8295fdf 100644
--- a/apps/api/src/email-templates.ts
+++ b/apps/api/src/email-templates.ts
@@ -114,6 +114,57 @@ export function partnerRevokedEmail(name: string, reason: string | null): EmailT
   return { subject, text, html };
 }
 
+/** Brand admin: 7-day notice that a Campaign is about to end. */
+export function campaignEndingBrandEmail(
+  brandName: string | null,
+  campaignName: string,
+  endsAt: Date,
+  manageUrl: string,
+): EmailTemplate {
+  const dateStr = endsAt.toUTCString().replace(/ \d\d:\d\d:\d\d GMT$/, '');
+  const subject = `"${campaignName}" ends in 7 days`;
+  const text = [
+    `Hi${brandName ? ` from ${brandName}` : ''},`,
+    ``,
+    `Your campaign "${campaignName}" is scheduled to end ${dateStr}.`,
+    ``,
+    `Existing share-links will keep redirecting after that date — your`,
+    `partners' posted content stays alive — but no new commissions will`,
+    `accrue on conversions dated past the end.`,
+    ``,
+    `If you'd like to keep it running, edit the end date in your admin:`,
+    ``,
+    manageUrl,
+  ].join('\n');
+  return { subject, text, html: wrap(text, manageUrl, 'Manage campaign') };
+}
+
+/** Partner: 7-day notice that a Campaign they have at least one Link
+ *  in is about to end. */
+export function campaignEndingPartnerEmail(
+  partnerName: string,
+  brandName: string | null,
+  campaignName: string,
+  endsAt: Date,
+  programUrl: string,
+): EmailTemplate {
+  const dateStr = endsAt.toUTCString().replace(/ \d\d:\d\d:\d\d GMT$/, '');
+  const fromBrand = brandName ?? 'the brand';
+  const subject = `Heads up — "${campaignName}" ends in 7 days`;
+  const text = [
+    `Hi ${partnerName},`,
+    ``,
+    `The "${campaignName}" program from ${fromBrand} ends ${dateStr}.`,
+    ``,
+    `Your existing share-links keep working past that date, but clicks`,
+    `that come in afterward won't earn commission. Worth squeezing in any`,
+    `last promotion before then.`,
+    ``,
+    programUrl,
+  ].join('\n');
+  return { subject, text, html: wrap(text, programUrl, 'View program') };
+}
+
 function wrap(text: string, cta: string, ctaLabel: string): string {
   const escaped = text
     .split('\n')
diff --git a/apps/api/src/scheduler.ts b/apps/api/src/scheduler.ts
index c01a3d4..be57f6f 100644
--- a/apps/api/src/scheduler.ts
+++ b/apps/api/src/scheduler.ts
@@ -35,6 +35,7 @@ import { reportUsageToStripe } from './usage-billing.js';
 import { runPayouts } from './payouts.js';
 import { drainOutbox, reportNetworkPayoutsToNetwork } from './network-client.js';
 import { getMode } from './stripe.js';
+import { sweepCampaignEndNotifications } from './campaign-end-notifications.js';
 
 interface ScheduledJob {
   name: string;
@@ -102,6 +103,12 @@ const JOBS: ScheduledJob[] = [
     description: 'Hard-delete tenants whose 30-day deletion grace window has lapsed (daily 04:00 UTC)',
     handler: async () => hardDeleteExpiredTenants(),
   },
+  {
+    name: 'campaign-end-notifications',
+    cronExpr: '0 9 * * *',
+    description: 'Email brand admins + participating partners ~7 days before a campaign ends (daily 09:00 UTC)',
+    handler: async () => sweepCampaignEndNotifications(),
+  },
 ];
 
 /** Cascade-delete tenants whose pendingDeletionAt is older than the
diff --git a/packages/db/migrations/20260513000000_campaign_end_notification.ts b/packages/db/migrations/20260513000000_campaign_end_notification.ts
new file mode 100644
index 0000000..0557cef
--- /dev/null
+++ b/packages/db/migrations/20260513000000_campaign_end_notification.ts
@@ -0,0 +1,22 @@
+/**
+ * Track whether the "campaign ending in 7 days" reminder has been
+ * sent — single column, single notification per Campaign so a
+ * scheduler that fires more than once a day (or after a re-deploy)
+ * doesn't re-spam everyone. Resetting (admin extends endsAt past the
+ * window) is handled by the scheduler clearing this when endsAt
+ * changes to a date >7d out.
+ */
+
+import type { Knex } from 'knex';
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Campaign', (t) => {
+    t.timestamp('endNotificationSentAt', { useTz: true });
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Campaign', (t) => {
+    t.dropColumn('endNotificationSentAt');
+  });
+}
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index 48e7b60..56a814d 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -158,6 +158,11 @@ export interface CampaignRow {
    *  campaign is "ended" — links keep redirecting, but no new
    *  applications + no commission accrual on later events. */
   endsAt: Date | null;
+  /** When the "ends in 7 days" reminder was sent to brand admin +
+   *  participating partners. Null = not sent yet (or endsAt was
+   *  pushed back past the window and the flag was cleared so a fresh
+   *  reminder fires before the new end). */
+  endNotificationSentAt: Date | null;
   createdAt: Date;
 }
 

From 61f6ce3936bfb0a0f4249e5da22c05668ac46c26 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 21:45:48 -0700
Subject: [PATCH 068/131] chore(campaigns): help-tooltip on Attribution model
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a small ? icon next to the Attribution model label in the campaign
create form. Hover surfaces a plain-text explanation of what each
option does (last_click / first_click / linear / position) using the
native title attribute — no tooltip library, browser handles
positioning and multiline.

LabelWithHelp helper kept local to AdminCampaigns for now; if more
forms need the same affordance we can lift it into ui.tsx.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/pages/AdminCampaigns.tsx | 33 ++++++++++++++++++++++--
 1 file changed, 31 insertions(+), 2 deletions(-)

diff --git a/apps/portal/src/pages/AdminCampaigns.tsx b/apps/portal/src/pages/AdminCampaigns.tsx
index 746125e..319ba8e 100644
--- a/apps/portal/src/pages/AdminCampaigns.tsx
+++ b/apps/portal/src/pages/AdminCampaigns.tsx
@@ -1,6 +1,6 @@
 import { useState } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Plus, Tag } from 'lucide-react';
+import { HelpCircle, Plus, Tag } from 'lucide-react';
 import { api } from '../api.js';
 import { theme } from '../theme.js';
 import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page, Select, Table, formatDate } from '../ui.js';
@@ -167,7 +167,17 @@ function CreateCampaign({ onClose, onCreated }: { onClose: () => void; onCreated
           <Input type="number" value={windowDays} onChange={(e) => setWindowDays(e.target.value)} />
         </div>
         <div>
-          <Label>Attribution model</Label>
+          <LabelWithHelp
+            label="Attribution model"
+            help={[
+              'Which click gets the commission when a conversion has multiple touches in the window.',
+              '',
+              'Last click — the most recent click gets 100%. Simple, predictable, the default for most programs.',
+              'First click — the very first click gets 100%. Rewards partners who introduced the brand.',
+              'Linear — every click in the window splits the commission evenly.',
+              'Position (40 / 20 / 40) — first + last click get 40% each, middle clicks split the remaining 20%.',
+            ].join('\n')}
+          />
           <Select value={model} onChange={(e) => setModel(e.target.value as typeof model)}>
             <option value="last_click">Last click</option>
             <option value="first_click">First click</option>
@@ -202,6 +212,25 @@ function CreateCampaign({ onClose, onCreated }: { onClose: () => void; onCreated
   );
 }
 
+/** Field label with a hover-to-explain question-mark icon. Uses the
+ *  native `title` attribute so we don't need a tooltip library — the
+ *  browser handles positioning, multi-line via \n. Help text should be
+ *  plain prose; no HTML. */
+function LabelWithHelp({ label, help }: { label: string; help: string }) {
+  return (
+    <div style={{ display: 'flex', alignItems: 'center', gap: 6 }}>
+      <Label>{label}</Label>
+      <span
+        title={help}
+        aria-label={help}
+        style={{ display: 'inline-flex', alignItems: 'center', color: theme.textDim, cursor: 'help', marginBottom: 4 }}
+      >
+        <HelpCircle size={14} />
+      </span>
+    </div>
+  );
+}
+
 function CampaignStatusPill({ campaign }: { campaign: Pick<Campaign, 'startsAt' | 'endsAt'> }) {
   const status = statusOf(campaign);
   const palette: Record<CampaignStatus, { bg: string; fg: string; label: string }> = {

From c9e67d0dd7714e30212d14341ad5e79ba092c979 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 21:49:09 -0700
Subject: [PATCH 069/131] chore(portal): theme the Description textarea +
 Campaign select on Offerings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Description <textarea> and the Campaign <select> were raw HTML
elements with hardcoded light styles (white background, off-white
border) — they popped white against the dark Shell. Re-theme:

- textarea: surface2 background, themed border + radius, theme.text
  for the typed content. Matches Input visually.
- Campaign picker: replaced raw <select> with the themed Select from
  ui.tsx (already has the right palette).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../src/pages/admin/NetworkOfferings.tsx      | 23 ++++++++++++-------
 1 file changed, 15 insertions(+), 8 deletions(-)

diff --git a/apps/portal/src/pages/admin/NetworkOfferings.tsx b/apps/portal/src/pages/admin/NetworkOfferings.tsx
index 7350a02..c6a4391 100644
--- a/apps/portal/src/pages/admin/NetworkOfferings.tsx
+++ b/apps/portal/src/pages/admin/NetworkOfferings.tsx
@@ -1,7 +1,8 @@
 import { useEffect, useState } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { api, ApiError } from '../../api.js';
-import { Button, Card, ErrorBanner, Input, Label, Page } from '../../ui.js';
+import { Button, Card, ErrorBanner, Input, Label, Page, Select } from '../../ui.js';
+import { theme } from '../../theme.js';
 
 interface OfferingTerms {
   commissionDescription?: string;
@@ -173,7 +174,17 @@ function CreateOfferingForm() {
           onChange={(e) => setDescription(e.target.value)}
           rows={3}
           placeholder="What you sell, who it's for, why it converts."
-          style={{ width: '100%', padding: '8px 10px', border: '1px solid #d0d0c8', borderRadius: 6, fontSize: 14, fontFamily: 'inherit', resize: 'vertical' }}
+          style={{
+            width: '100%',
+            padding: '10px 12px',
+            background: theme.surface2,
+            border: `1px solid ${theme.border}`,
+            borderRadius: theme.radiusSm,
+            color: theme.text,
+            fontSize: 14,
+            fontFamily: 'inherit',
+            resize: 'vertical',
+          }}
         />
       </div>
       <div style={{ marginBottom: 12 }}>
@@ -182,16 +193,12 @@ function CreateOfferingForm() {
       </div>
       <div style={{ marginBottom: 12 }}>
         <Label>Campaign (commission rule lives here)</Label>
-        <select
-          value={vendorCampaignId}
-          onChange={(e) => setVendorCampaignId(e.target.value)}
-          style={{ width: '100%', padding: '8px 10px', border: '1px solid #d0d0c8', borderRadius: 6, fontSize: 14, fontFamily: 'inherit' }}
-        >
+        <Select value={vendorCampaignId} onChange={(e) => setVendorCampaignId(e.target.value)}>
           <option value="">— pick a campaign —</option>
           {campaigns?.campaigns.map((c) => (
             <option key={c.id} value={c.id}>{c.name}</option>
           ))}
-        </select>
+        </Select>
       </div>
       <div style={{ marginBottom: 12 }}>
         <Label>Commission summary (shown to creators)</Label>

From 8a9f2530e58024de3749c41455cf5c10d14afc79 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 22:07:07 -0700
Subject: [PATCH 070/131] feat(admin): per-partner campaign scoping at invite +
 drop offering productUrl
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two related cleanups around the Campaign-as-source-of-truth refactor:

1. Invite-time campaign scoping. The default still grants all current
   campaigns (preserves prior behavior), but admins can now untick
   "Grant access to all current campaigns" and pick a subset. Use case:
   a VIP partner gets a unique higher-revshare campaign that other
   partners shouldn't see.

2. Offering form no longer asks for productUrl — it inherits the bound
   Campaign's destinationUrl. Same source of truth as brand-side Links.
   The picked campaign's destination is shown read-only beneath the
   select so admin sees what creators will land on.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/pages/AdminPartners.tsx       | 65 ++++++++++++++++++-
 .../src/pages/admin/NetworkOfferings.tsx      | 64 +++++++++++-------
 2 files changed, 104 insertions(+), 25 deletions(-)

diff --git a/apps/portal/src/pages/AdminPartners.tsx b/apps/portal/src/pages/AdminPartners.tsx
index 56bf399..4e78ffe 100644
--- a/apps/portal/src/pages/AdminPartners.tsx
+++ b/apps/portal/src/pages/AdminPartners.tsx
@@ -111,14 +111,47 @@ export function AdminPartners() {
   );
 }
 
+interface CreateCampaignOption {
+  id: string;
+  name: string;
+}
+
 function CreatePartner({ onClose, onCreated }: { onClose: () => void; onCreated: () => void }) {
   const [name, setName] = useState('');
   const [email, setEmail] = useState('');
+  const [grantAll, setGrantAll] = useState(true);
+  const [picked, setPicked] = useState<Set<string>>(new Set());
+
+  const campaigns = useQuery({
+    queryKey: ['me-campaigns-for-invite'],
+    queryFn: () => api<{ campaigns: CreateCampaignOption[] }>('/me/campaigns'),
+  });
+
   const mut = useMutation({
-    mutationFn: () => api<Partner>('/partners', { method: 'POST', body: { name, email } }),
+    mutationFn: () =>
+      api<Partner>('/partners', {
+        method: 'POST',
+        body: {
+          name,
+          email,
+          // Only send campaignIds when admin scoped explicitly. Omitting
+          // it preserves the legacy "grant all current campaigns"
+          // default the backend already implements.
+          campaignIds: grantAll ? undefined : Array.from(picked),
+        },
+      }),
     onSuccess: onCreated,
   });
 
+  function toggle(id: string) {
+    setPicked((prev) => {
+      const next = new Set(prev);
+      if (next.has(id)) next.delete(id);
+      else next.add(id);
+      return next;
+    });
+  }
+
   return (
     <Card style={{ marginBottom: 14 }}>
       <div style={{ fontSize: 15, fontWeight: 500, marginBottom: 6 }}>Invite a partner</div>
@@ -136,8 +169,36 @@ function CreatePartner({ onClose, onCreated }: { onClose: () => void; onCreated:
           <Input type="email" value={email} onChange={(e) => setEmail(e.target.value)} placeholder="ada@example.com" />
         </div>
       </div>
+      <div style={{ marginBottom: 14 }}>
+        <label style={{ display: 'flex', alignItems: 'center', gap: 8, fontSize: 13, color: theme.text, marginBottom: 8 }}>
+          <input type="checkbox" checked={grantAll} onChange={(e) => setGrantAll(e.target.checked)} />
+          Grant access to all current campaigns (default)
+        </label>
+        {!grantAll && (
+          <div style={{ marginTop: 8, padding: 12, background: theme.surface2, border: `1px solid ${theme.borderSubtle}`, borderRadius: theme.radiusSm }}>
+            <div style={{ fontSize: 12, color: theme.textMuted, marginBottom: 8 }}>
+              Pick the programs this partner can create share-links for. You can change this later from the partner&rsquo;s row.
+            </div>
+            {(campaigns.data?.campaigns ?? []).length === 0 ? (
+              <div style={{ fontSize: 13, color: theme.textDim }}>No campaigns yet — create one in Campaigns first.</div>
+            ) : (
+              <div style={{ display: 'flex', flexDirection: 'column', gap: 6 }}>
+                {(campaigns.data?.campaigns ?? []).map((c) => (
+                  <label key={c.id} style={{ display: 'flex', alignItems: 'center', gap: 8, fontSize: 13, color: theme.text }}>
+                    <input type="checkbox" checked={picked.has(c.id)} onChange={() => toggle(c.id)} />
+                    {c.name}
+                  </label>
+                ))}
+              </div>
+            )}
+          </div>
+        )}
+      </div>
       <div style={{ display: 'flex', gap: 8 }}>
-        <Button onClick={() => mut.mutate()} disabled={!name || !email || mut.isPending}>
+        <Button
+          onClick={() => mut.mutate()}
+          disabled={!name || !email || mut.isPending || (!grantAll && picked.size === 0)}
+        >
           {mut.isPending ? 'Sending…' : 'Send invite'}
         </Button>
         <Button variant="secondary" onClick={onClose}>Cancel</Button>
diff --git a/apps/portal/src/pages/admin/NetworkOfferings.tsx b/apps/portal/src/pages/admin/NetworkOfferings.tsx
index c6a4391..63d2813 100644
--- a/apps/portal/src/pages/admin/NetworkOfferings.tsx
+++ b/apps/portal/src/pages/admin/NetworkOfferings.tsx
@@ -28,6 +28,8 @@ interface Offering {
 interface Campaign {
   id: string;
   name: string;
+  destinationUrl: string;
+  deepLinkAllowedDomains: string | null;
 }
 
 export function AdminNetworkOfferings() {
@@ -122,42 +124,53 @@ function CreateOfferingForm() {
   const qc = useQueryClient();
   const [title, setTitle] = useState('');
   const [description, setDescription] = useState('');
-  const [productUrl, setProductUrl] = useState('');
   const [vendorCampaignId, setVendorCampaignId] = useState('');
   const [commissionDescription, setCommissionDescription] = useState('');
   const [cookieWindowDays, setCookieWindowDays] = useState<number | ''>('');
   const [error, setError] = useState<string | null>(null);
 
-  // Pull campaigns so the admin can pick from a dropdown.
+  // Pull campaigns so the admin can pick from a dropdown. Each campaign
+  // carries its destinationUrl + deep-link allowlist; the picked
+  // campaign's destination becomes the offering's productUrl on create.
+  // We don't expose a separate URL input — same source of truth as
+  // brand-side Links so creators land where the brand intended.
   const { data: campaigns } = useQuery({
     queryKey: ['campaigns'],
     queryFn: () => api<{ campaigns: Campaign[] }>('/campaigns'),
   });
 
+  const selectedCampaign = campaigns?.campaigns.find((c) => c.id === vendorCampaignId);
+
   const m = useMutation({
-    mutationFn: () => api('/admin/network/offerings', {
-      method: 'POST',
-      body: {
-        title,
-        description: description || undefined,
-        productUrl,
-        vendorCampaignId,
-        terms: {
-          commissionDescription,
-          cookieWindowDays: cookieWindowDays === '' ? undefined : Number(cookieWindowDays),
+    mutationFn: () => {
+      if (!selectedCampaign) throw new Error('campaign_required');
+      return api('/admin/network/offerings', {
+        method: 'POST',
+        body: {
+          title,
+          description: description || undefined,
+          // Inherit destination from the bound Campaign — single source
+          // of truth on the brand side. Network stores a snapshot for
+          // marketplace display.
+          productUrl: selectedCampaign.destinationUrl,
+          vendorCampaignId,
+          terms: {
+            commissionDescription,
+            cookieWindowDays: cookieWindowDays === '' ? undefined : Number(cookieWindowDays),
+          },
+          published: true,
         },
-        published: true,
-      },
-    }),
+      });
+    },
     onSuccess: () => {
       qc.invalidateQueries({ queryKey: ['network-offerings'] });
-      setTitle(''); setDescription(''); setProductUrl(''); setVendorCampaignId('');
+      setTitle(''); setDescription(''); setVendorCampaignId('');
       setCommissionDescription(''); setCookieWindowDays('');
     },
     onError: (err) => setError(err instanceof ApiError ? err.message : 'failed'),
   });
 
-  useEffect(() => { setError(null); }, [title, productUrl, vendorCampaignId, commissionDescription]);
+  useEffect(() => { setError(null); }, [title, vendorCampaignId, commissionDescription]);
 
   return (
     <Card>
@@ -188,17 +201,22 @@ function CreateOfferingForm() {
         />
       </div>
       <div style={{ marginBottom: 12 }}>
-        <Label>Product URL (where the share link redirects to)</Label>
-        <Input value={productUrl} onChange={(e) => setProductUrl(e.target.value)} placeholder="https://acme.example.com/pro" />
-      </div>
-      <div style={{ marginBottom: 12 }}>
-        <Label>Campaign (commission rule lives here)</Label>
+        <Label>Campaign (commission rule + destination URL live here)</Label>
         <Select value={vendorCampaignId} onChange={(e) => setVendorCampaignId(e.target.value)}>
           <option value="">— pick a campaign —</option>
           {campaigns?.campaigns.map((c) => (
             <option key={c.id} value={c.id}>{c.name}</option>
           ))}
         </Select>
+        {selectedCampaign && (
+          <div style={{ fontSize: 12, color: '#6b7280', marginTop: 6 }}>
+            Creators will land on{' '}
+            <a href={selectedCampaign.destinationUrl} target="_blank" rel="noopener noreferrer">
+              {selectedCampaign.destinationUrl}
+            </a>
+            {selectedCampaign.deepLinkAllowedDomains && ' (deep links allowed)'}
+          </div>
+        )}
       </div>
       <div style={{ marginBottom: 12 }}>
         <Label>Commission summary (shown to creators)</Label>
@@ -215,7 +233,7 @@ function CreateOfferingForm() {
       </div>
       <Button
         onClick={() => m.mutate()}
-        disabled={m.isPending || !title || !productUrl || !vendorCampaignId || !commissionDescription}
+        disabled={m.isPending || !title || !selectedCampaign || !commissionDescription}
       >
         {m.isPending ? 'Publishing…' : 'Publish offering'}
       </Button>

From d0bf37fe96cb04b8ce459ef32b0ecff67b807412 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 22:18:05 -0700
Subject: [PATCH 071/131] feat(campaigns): optional bulk-grant to existing
 partners on create
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a checkbox on the Campaign create form (off by default so VIP /
scoped campaigns stay private) and a matching grantToAllPartners flag
on POST /campaigns. When set, after the campaign is inserted we add a
PartnerCampaign row for every non-revoked partner with source='admin'.

Mirrors the invite-time snapshot semantics: includes not-yet-activated
invitees, skips revoked partners, idempotent via the unique constraint.
Only affects the current roster — new invitees still need to be granted
explicitly at invite time.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/campaigns.ts         | 30 ++++++++++++++++++++++++
 apps/portal/src/pages/AdminCampaigns.tsx | 16 +++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/apps/api/src/routes/campaigns.ts b/apps/api/src/routes/campaigns.ts
index 28e42eb..3ce5605 100644
--- a/apps/api/src/routes/campaigns.ts
+++ b/apps/api/src/routes/campaigns.ts
@@ -27,6 +27,12 @@ const createSchema = z.object({
   deepLinkAllowedDomains: z.string().max(1000).optional(),
   startsAt: z.string().datetime().nullable().optional(),
   endsAt: z.string().datetime().nullable().optional(),
+  /** When true, after creating the campaign, also grant every existing
+   *  non-revoked partner access to it (source='admin'). Defaults to
+   *  false so VIP / scoped campaigns stay private unless the brand opts
+   *  in. New partners invited later still need to be granted explicitly
+   *  at invite time — this only covers the existing roster. */
+  grantToAllPartners: z.boolean().optional(),
 });
 
 const updateSchema = z.object({
@@ -125,6 +131,30 @@ campaignsRouter.post('/campaigns', requireAuth, requireAdmin, async (req, res) =
     })
     .returning('*');
 
+  // Optional bulk-grant to existing non-revoked partners. Mirrors the
+  // invite-time snapshot semantics (revokedAt is the only filter — we
+  // include not-yet-activated invitees so a freshly-sent invite still
+  // gets the new program).
+  if (body.data.grantToAllPartners) {
+    const partners = (await db(TABLES.Partner)
+      .whereNull('revokedAt')
+      .select('id')) as Array<{ id: string }>;
+    if (partners.length > 0) {
+      await db(TABLES.PartnerCampaign)
+        .insert(
+          partners.map((p) => ({
+            id: `pc_${ulid()}`,
+            tenantId,
+            partnerId: p.id,
+            campaignId: id,
+            source: 'admin',
+          })),
+        )
+        .onConflict(['tenantId', 'partnerId', 'campaignId'])
+        .ignore();
+    }
+  }
+
   res.status(201).json(campaign);
 });
 
diff --git a/apps/portal/src/pages/AdminCampaigns.tsx b/apps/portal/src/pages/AdminCampaigns.tsx
index 319ba8e..77937c4 100644
--- a/apps/portal/src/pages/AdminCampaigns.tsx
+++ b/apps/portal/src/pages/AdminCampaigns.tsx
@@ -94,6 +94,7 @@ function CreateCampaign({ onClose, onCreated }: { onClose: () => void; onCreated
   const [model, setModel] = useState<'last_click' | 'first_click' | 'linear' | 'position'>('last_click');
   const [startsAt, setStartsAt] = useState('');
   const [endsAt, setEndsAt] = useState('');
+  const [grantToAllPartners, setGrantToAllPartners] = useState(false);
 
   const mut = useMutation({
     mutationFn: () =>
@@ -108,6 +109,7 @@ function CreateCampaign({ onClose, onCreated }: { onClose: () => void; onCreated
           attributionModel: model,
           startsAt: startsAt ? new Date(startsAt).toISOString() : null,
           endsAt: endsAt ? new Date(endsAt).toISOString() : null,
+          grantToAllPartners: grantToAllPartners || undefined,
         },
       }),
     onSuccess: onCreated,
@@ -202,6 +204,20 @@ function CreateCampaign({ onClose, onCreated }: { onClose: () => void; onCreated
           </div>
         </div>
       </div>
+      <div style={{ marginBottom: 16 }}>
+        <label style={{ display: 'flex', alignItems: 'center', gap: 8, fontSize: 13, color: theme.text }}>
+          <input
+            type="checkbox"
+            checked={grantToAllPartners}
+            onChange={(e) => setGrantToAllPartners(e.target.checked)}
+          />
+          Also grant access to all existing partners
+        </label>
+        <div style={{ fontSize: 12, color: theme.textDim, marginTop: 4, marginLeft: 24 }}>
+          Off by default so VIP / scoped campaigns stay private. Only affects the current
+          partner roster &mdash; new invitees still need to be granted explicitly.
+        </div>
+      </div>
       <div style={{ display: 'flex', gap: 8 }}>
         <Button onClick={() => mut.mutate()} disabled={!name || !ruleValue || !destinationUrl || mut.isPending}>
           {mut.isPending ? 'Creating…' : 'Create campaign'}

From 78753ca44dc12bc7a30518fd5d6e0042fb917423 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 22:21:04 -0700
Subject: [PATCH 072/131] fix(creator-portal): wrap proxy in try/catch + log
 upstream errors

The signup form was returning a generic "internal_error" because
something inside the proxy handler threw past the fetch try/catch and
hit the global Express 500 handler. The proxy subpath was nowhere in
the log line, making it hard to tell from API logs which proxy call
even broke.

Two changes:
  - outer try/catch on the whole handler returns proxy_error with the
    thrown message + logs the subpath so we can see which Network call
    failed.
  - log upstream non-2xx responses (status + truncated body) so we can
    debug Network-side failures from API logs without wiring client
    telemetry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/creator-portal.ts | 128 ++++++++++++++++----------
 1 file changed, 77 insertions(+), 51 deletions(-)

diff --git a/apps/api/src/routes/creator-portal.ts b/apps/api/src/routes/creator-portal.ts
index 880447c..639a0ea 100644
--- a/apps/api/src/routes/creator-portal.ts
+++ b/apps/api/src/routes/creator-portal.ts
@@ -66,62 +66,88 @@ creatorPortalRouter.all(/^\/creator-api(\/.*)?$/, async (req: Request, res: Resp
     return res.status(404).json({ error: 'not_found' });
   }
 
-  const qs = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
-  const upstreamUrl = `${networkUrl.replace(/\/$/, '')}${subpath}${qs}`;
+  // Outer try/catch returns proxy_error instead of letting the global
+  // 500 handler swallow the cause as opaque "internal_error". Anything
+  // that throws past the fetch (header parsing, body decode, cookie
+  // splitting) lands here with the upstream subpath in the log line.
+  try {
+    const qs = req.url.includes('?') ? req.url.slice(req.url.indexOf('?')) : '';
+    const upstreamUrl = `${networkUrl.replace(/\/$/, '')}${subpath}${qs}`;
 
-  // Forward only the bits the upstream cares about. We strip Authorization
-  // (no openpartner bearer should leak to Network) and Host (let fetch set it).
-  const headers: Record<string, string> = {};
-  const ct = req.header('content-type');
-  if (ct) headers['content-type'] = ct;
-  const cookie = req.header('cookie');
-  if (cookie) headers['cookie'] = cookie;
-  headers['user-agent'] = 'OpenPartner-CreatorPortal/1';
-  headers['x-forwarded-for'] = req.ip ?? '';
+    // Forward only the bits the upstream cares about. We strip Authorization
+    // (no openpartner bearer should leak to Network) and Host (let fetch set it).
+    const headers: Record<string, string> = {};
+    const ct = req.header('content-type');
+    if (ct) headers['content-type'] = ct;
+    const cookie = req.header('cookie');
+    if (cookie) headers['cookie'] = cookie;
+    headers['user-agent'] = 'OpenPartner-CreatorPortal/1';
+    headers['x-forwarded-for'] = req.ip ?? '';
 
-  const init: RequestInit = {
-    method: req.method,
-    headers,
-    signal: AbortSignal.timeout(10_000),
-  };
-  if (req.method !== 'GET' && req.method !== 'HEAD') {
-    init.body = req.body !== undefined ? JSON.stringify(req.body) : undefined;
-  }
+    const init: RequestInit = {
+      method: req.method,
+      headers,
+      signal: AbortSignal.timeout(10_000),
+    };
+    if (req.method !== 'GET' && req.method !== 'HEAD') {
+      init.body = req.body !== undefined ? JSON.stringify(req.body) : undefined;
+    }
 
-  let upstream: globalThis.Response;
-  try {
-    upstream = await fetch(upstreamUrl, init);
-  } catch (err) {
-    return res.status(502).json({
-      error: 'network_unreachable',
-      detail: err instanceof Error ? err.message : String(err),
-    });
-  }
+    let upstream: globalThis.Response;
+    try {
+      upstream = await fetch(upstreamUrl, init);
+    } catch (err) {
+      console.error('[creator-portal] fetch failed', { subpath, err });
+      return res.status(502).json({
+        error: 'network_unreachable',
+        detail: err instanceof Error ? err.message : String(err),
+      });
+    }
 
-  // Set-Cookie handling has two gotchas:
-  //   1. Node fetch returns multiple Set-Cookie headers comma-joined when
-  //      you call .get('set-cookie'); the browser then can't parse them.
-  //      Use getSetCookie() (Node 19.7+) to get each one separately.
-  //   2. Cloudflare in front of network.openpartner.dev injects its own
-  //      __cf_bm cookie with Domain=network.openpartner.dev — relaying
-  //      that to app.openpartner.dev confuses the browser. Filter it out.
-  // We also strip any Domain attribute on the cookies we DO forward so
-  // they scope to app.openpartner.dev (the host that responded).
-  const cookies = upstream.headers.getSetCookie?.() ?? [];
-  const forward: string[] = [];
-  for (const c of cookies) {
-    const name = c.split('=', 1)[0]?.trim() ?? '';
-    if (!name || name.startsWith('__cf') || name.startsWith('_cf')) continue;
-    forward.push(c.replace(/;\s*Domain=[^;]+/i, ''));
-  }
-  if (forward.length > 0) res.setHeader('set-cookie', forward);
+    // Set-Cookie handling has two gotchas:
+    //   1. Node fetch returns multiple Set-Cookie headers comma-joined when
+    //      you call .get('set-cookie'); the browser then can't parse them.
+    //      Use getSetCookie() (Node 19.7+) to get each one separately.
+    //   2. Cloudflare in front of network.openpartner.dev injects its own
+    //      __cf_bm cookie with Domain=network.openpartner.dev — relaying
+    //      that to app.openpartner.dev confuses the browser. Filter it out.
+    // We also strip any Domain attribute on the cookies we DO forward so
+    // they scope to app.openpartner.dev (the host that responded).
+    const cookies = upstream.headers.getSetCookie?.() ?? [];
+    const forward: string[] = [];
+    for (const c of cookies) {
+      const name = c.split('=', 1)[0]?.trim() ?? '';
+      if (!name || name.startsWith('__cf') || name.startsWith('_cf')) continue;
+      forward.push(c.replace(/;\s*Domain=[^;]+/i, ''));
+    }
+    if (forward.length > 0) res.setHeader('set-cookie', forward);
 
-  const upstreamCt = upstream.headers.get('content-type') ?? '';
-  res.status(upstream.status);
-  if (upstreamCt.includes('application/json')) {
+    const upstreamCt = upstream.headers.get('content-type') ?? '';
     const body = await upstream.text();
-    res.type('application/json').send(body);
-  } else {
-    res.send(await upstream.text());
+
+    // Log non-2xx upstream responses with body so we can debug Network-side
+    // failures from API logs without needing to wire client-side telemetry.
+    // Truncate at 500 chars in case Network returns a large HTML error page.
+    if (upstream.status >= 400) {
+      console.error('[creator-portal] upstream error', {
+        method: req.method,
+        subpath,
+        status: upstream.status,
+        body: body.length > 500 ? `${body.slice(0, 500)}…(truncated)` : body,
+      });
+    }
+
+    res.status(upstream.status);
+    if (upstreamCt.includes('application/json')) {
+      res.type('application/json').send(body);
+    } else {
+      res.send(body);
+    }
+  } catch (err) {
+    console.error('[creator-portal] proxy failed', { subpath, method: req.method, err });
+    res.status(502).json({
+      error: 'proxy_error',
+      detail: err instanceof Error ? err.message : String(err),
+    });
   }
 });

From a1f833b40ada7e7337103d95d1eb3895080cc94a Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 23:17:54 -0700
Subject: [PATCH 073/131] feat(creator-signup): live handle availability check
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a debounced (350ms) availability lookup to the creator signup
form so collisions surface inline instead of as opaque internal_error
on submit. Shows "Checking…" / "✓ Available" / "✗ Already taken" as
the field hint, and disables the submit button while checking or when
the handle is taken.

Whitelists GET /creators/handle-available in the creator-portal proxy
so the frontend can reach the upstream check. Frontend swallows proxy
errors silently (idle status), so the form still submits cleanly when
Network hasn't yet shipped the endpoint — Network's signup will reject
duplicates with a clean error once that's wired up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/creator-portal.ts         |  1 +
 .../src/pages/creator/CreatorSignup.tsx       | 51 +++++++++++++++++--
 2 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/apps/api/src/routes/creator-portal.ts b/apps/api/src/routes/creator-portal.ts
index 639a0ea..06d6bc4 100644
--- a/apps/api/src/routes/creator-portal.ts
+++ b/apps/api/src/routes/creator-portal.ts
@@ -37,6 +37,7 @@ const ALLOWED_EXACT = new Set([
   '/creators/me/requests',
   '/creators/me/delete',
   '/creators/me/restore',
+  '/creators/handle-available',
   '/offerings',
 ]);
 
diff --git a/apps/portal/src/pages/creator/CreatorSignup.tsx b/apps/portal/src/pages/creator/CreatorSignup.tsx
index 823fefc..28885b3 100644
--- a/apps/portal/src/pages/creator/CreatorSignup.tsx
+++ b/apps/portal/src/pages/creator/CreatorSignup.tsx
@@ -1,18 +1,49 @@
-import { useState } from 'react';
+import { useEffect, useState } from 'react';
 import { Link, useNavigate } from 'react-router-dom';
 import { theme } from '../../theme.js';
 import { AuthFrame } from '../auth/Shared.js';
 import { creatorApi, ApiError } from './creator-api.js';
 
+type HandleStatus = 'idle' | 'checking' | 'available' | 'taken';
+
 export function CreatorSignupPage() {
   const nav = useNavigate();
   const [email, setEmail] = useState('');
   const [name, setName] = useState('');
   const [handle, setHandle] = useState('');
+  const [handleStatus, setHandleStatus] = useState<HandleStatus>('idle');
   const [busy, setBusy] = useState(false);
   const [err, setErr] = useState<string | null>(null);
   const [sent, setSent] = useState(false);
 
+  // Debounced handle availability lookup. Fires 350ms after the last
+  // keystroke; bails if handle is empty (it's optional) or too short.
+  // Network 404 / proxy error → silent idle so the form still works
+  // when the upstream endpoint isn't deployed yet.
+  useEffect(() => {
+    if (handle.length < 2) {
+      setHandleStatus('idle');
+      return;
+    }
+    setHandleStatus('checking');
+    const ctrl = new AbortController();
+    const t = setTimeout(async () => {
+      try {
+        const r = await creatorApi<{ available: boolean }>(
+          `/creators/handle-available?handle=${encodeURIComponent(handle)}`,
+          { signal: ctrl.signal },
+        );
+        setHandleStatus(r.available ? 'available' : 'taken');
+      } catch {
+        setHandleStatus('idle');
+      }
+    }, 350);
+    return () => {
+      clearTimeout(t);
+      ctrl.abort();
+    };
+  }, [handle]);
+
   async function submit(e: React.FormEvent) {
     e.preventDefault();
     setBusy(true);
@@ -52,7 +83,15 @@ export function CreatorSignupPage() {
         <Field label="Email" hint="We'll send your sign-in link here.">
           <input type="email" name="email" autoComplete="email" value={email} onChange={(e) => setEmail(e.target.value)} placeholder="ada@example.com" required style={inputStyle} />
         </Field>
-        <Field label="Handle (optional)" hint="Letters, numbers, hyphens. Used as your default share-link slug.">
+        <Field
+          label="Handle (optional)"
+          hint={
+            handleStatus === 'checking' ? <span style={{ color: theme.textMuted }}>Checking…</span>
+            : handleStatus === 'available' ? <span style={{ color: theme.success }}>✓ Available</span>
+            : handleStatus === 'taken' ? <span style={{ color: theme.danger }}>✗ Already taken — pick another</span>
+            : 'Letters, numbers, hyphens. Used as your default share-link slug.'
+          }
+        >
           <input
             name="handle"
             autoComplete="username"
@@ -64,7 +103,11 @@ export function CreatorSignupPage() {
           />
         </Field>
         {err && <div style={{ color: theme.danger, fontSize: 13, marginTop: 4, marginBottom: 8 }}>{err}</div>}
-        <button type="submit" disabled={busy} style={primaryBtnStyle(busy)}>
+        <button
+          type="submit"
+          disabled={busy || handleStatus === 'taken' || handleStatus === 'checking'}
+          style={primaryBtnStyle(busy || handleStatus === 'taken' || handleStatus === 'checking')}
+        >
           {busy ? 'Sending…' : 'Send me a sign-in link'}
         </button>
         <div style={{ marginTop: 12, fontSize: 12, color: theme.textDim, textAlign: 'center' }}>
@@ -78,7 +121,7 @@ export function CreatorSignupPage() {
   );
 }
 
-function Field({ label, hint, children }: { label: string; hint?: string; children: React.ReactNode }) {
+function Field({ label, hint, children }: { label: string; hint?: React.ReactNode; children: React.ReactNode }) {
   return (
     <div style={{ marginBottom: 12 }}>
       <div style={{ fontSize: 12, color: theme.textMuted, marginBottom: 4 }}>{label}</div>

From 51d7aae241858622d5851cfe2ec166b366395bfb Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 23:37:36 -0700
Subject: [PATCH 074/131] chore(creator-profile): theme the Bio textarea (was
 browser-default white)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/pages/creator/CreatorMyProfile.tsx | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/apps/portal/src/pages/creator/CreatorMyProfile.tsx b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
index 4600640..4041785 100644
--- a/apps/portal/src/pages/creator/CreatorMyProfile.tsx
+++ b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
@@ -90,11 +90,14 @@ export function CreatorMyProfilePage() {
                 rows={4}
                 style={{
                   width: '100%',
-                  padding: '8px 10px',
+                  padding: '10px 12px',
+                  background: theme.surface2,
                   border: `1px solid ${theme.border}`,
-                  borderRadius: 6,
+                  borderRadius: theme.radiusSm,
+                  color: theme.text,
                   fontFamily: 'inherit',
                   fontSize: 14,
+                  resize: 'vertical',
                 }}
               />
             </div>

From 5f31f426bd0093e1195eefb2afcf4f972d7c838b Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 23:45:06 -0700
Subject: [PATCH 075/131] fix(partners): validate campaignIds against tenant
 before grant insert
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Federation flows (Network's approve-request handler) pass an explicit
campaignIds list. When the referenced Campaign no longer exists on the
vendor's tenant — e.g. an Offering whose vendorCampaignId was deleted
or the vendor's DB was rebuilt — the PartnerCampaign FK insert raised
a raw 23505/FK-violation that surfaced as an opaque 500. Network then
returned 502 federation_failed with no actionable detail, and the
admin UI showed just "504"/"network_call_failed".

Validate before inserting: look up which of the provided campaignIds
actually exist in the tenant; if any are missing, 400 with
{ error: 'unknown_campaign_ids', missing: [...] }. The default
"grant all current campaigns" path skips this check (the IDs come
from the Campaign table itself, so they're always valid).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/partners.ts | 21 +++++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)

diff --git a/apps/api/src/routes/partners.ts b/apps/api/src/routes/partners.ts
index bcf577f..877618f 100644
--- a/apps/api/src/routes/partners.ts
+++ b/apps/api/src/routes/partners.ts
@@ -79,8 +79,25 @@ partnersRouter.post('/partners', requireAuth, grantScope('partners:write'), requ
   // Grant program (campaign) access. Default = all current campaigns
   // when caller didn't specify, matching the pre-PartnerCampaign
   // behavior so existing flows don't change shape.
-  const campaignIds = body.data.campaignIds
-    ?? ((await db(TABLES.Campaign).select('id')) as Array<{ id: string }>).map((c) => c.id);
+  let campaignIds: string[];
+  if (body.data.campaignIds) {
+    // Explicit list — validate that each ID exists in this tenant.
+    // Without this, a stale ID (e.g. Network Offering still references
+    // a Campaign deleted on the vendor side) hits the FK constraint
+    // and surfaces to the caller as an opaque 500. Federation flows
+    // need a clean error message back instead.
+    const existing = (await db(TABLES.Campaign)
+      .whereIn('id', body.data.campaignIds)
+      .select('id')) as Array<{ id: string }>;
+    const existingIds = new Set(existing.map((c) => c.id));
+    const missing = body.data.campaignIds.filter((cid) => !existingIds.has(cid));
+    if (missing.length > 0) {
+      return res.status(400).json({ error: 'unknown_campaign_ids', missing });
+    }
+    campaignIds = body.data.campaignIds;
+  } else {
+    campaignIds = ((await db(TABLES.Campaign).select('id')) as Array<{ id: string }>).map((c) => c.id);
+  }
   if (campaignIds.length > 0) {
     const grantSource = body.data.campaignGrantSource ?? 'admin';
     await db(TABLES.PartnerCampaign)

From ead6a4eddbfc958c1b3d529b8cb3a69d26465a17 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 23:45:31 -0700
Subject: [PATCH 076/131] chore(portal): themed Textarea + sweep raw form
 elements
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds a Textarea component to ui.tsx mirroring Input/Select (dark
surface2 background, themed border, vertical resize). Replaces every
raw <textarea> across the portal with it — bio fields (creator +
partner profiles), application messages (creator + partner offering
detail), Network offering description, etc.

Also fixes two unthemed elements on Network requests admin page that
were leaking white browser defaults: the status-filter <select> in
the page actions, and the decision-note <input> in each request row.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../src/pages/admin/NetworkOfferings.tsx      | 16 ++-------------
 .../src/pages/admin/NetworkRequests.tsx       | 12 +++++------
 .../src/pages/creator/CreatorMyProfile.tsx    | 19 ++----------------
 .../pages/creator/CreatorOfferingDetail.tsx   | 12 ++---------
 apps/portal/src/pages/partner/MyProfile.tsx   | 16 ++-------------
 .../src/pages/partner/OfferingDetail.tsx      | 12 ++---------
 apps/portal/src/ui.tsx                        | 20 +++++++++++++++++++
 7 files changed, 36 insertions(+), 71 deletions(-)

diff --git a/apps/portal/src/pages/admin/NetworkOfferings.tsx b/apps/portal/src/pages/admin/NetworkOfferings.tsx
index 63d2813..6c30447 100644
--- a/apps/portal/src/pages/admin/NetworkOfferings.tsx
+++ b/apps/portal/src/pages/admin/NetworkOfferings.tsx
@@ -1,8 +1,7 @@
 import { useEffect, useState } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { api, ApiError } from '../../api.js';
-import { Button, Card, ErrorBanner, Input, Label, Page, Select } from '../../ui.js';
-import { theme } from '../../theme.js';
+import { Button, Card, ErrorBanner, Input, Label, Page, Select, Textarea } from '../../ui.js';
 
 interface OfferingTerms {
   commissionDescription?: string;
@@ -182,22 +181,11 @@ function CreateOfferingForm() {
       </div>
       <div style={{ marginBottom: 12 }}>
         <Label>Description (markdown OK on the Network side)</Label>
-        <textarea
+        <Textarea
           value={description}
           onChange={(e) => setDescription(e.target.value)}
           rows={3}
           placeholder="What you sell, who it's for, why it converts."
-          style={{
-            width: '100%',
-            padding: '10px 12px',
-            background: theme.surface2,
-            border: `1px solid ${theme.border}`,
-            borderRadius: theme.radiusSm,
-            color: theme.text,
-            fontSize: 14,
-            fontFamily: 'inherit',
-            resize: 'vertical',
-          }}
         />
       </div>
       <div style={{ marginBottom: 12 }}>
diff --git a/apps/portal/src/pages/admin/NetworkRequests.tsx b/apps/portal/src/pages/admin/NetworkRequests.tsx
index c0044d2..b8ca52e 100644
--- a/apps/portal/src/pages/admin/NetworkRequests.tsx
+++ b/apps/portal/src/pages/admin/NetworkRequests.tsx
@@ -1,7 +1,7 @@
 import { useState } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { api, ApiError } from '../../api.js';
-import { Button, Card, ErrorBanner, Label, Page } from '../../ui.js';
+import { Button, Card, ErrorBanner, Input, Label, Page, Select } from '../../ui.js';
 
 interface PartnershipRequest {
   id: string;
@@ -25,16 +25,16 @@ export function AdminNetworkRequests() {
       title="Network requests"
       subtitle="Creators applying to promote your offerings. Approve to provision a Partner + Link automatically."
       actions={
-        <select
+        <Select
           value={statusFilter}
           onChange={(e) => setStatusFilter(e.target.value as typeof statusFilter)}
-          style={{ padding: '6px 10px', border: '1px solid #d0d0c8', borderRadius: 6, fontSize: 13 }}
+          style={{ width: 'auto', padding: '6px 10px', fontSize: 13 }}
         >
           <option value="pending">Pending</option>
           <option value="approved">Approved</option>
           <option value="rejected">Rejected</option>
           <option value="cancelled">Cancelled</option>
-        </select>
+        </Select>
       }
     >
       <RequestList statusFilter={statusFilter} />
@@ -127,12 +127,12 @@ function RequestRow({
       {isPending && (
         <div style={{ marginTop: 12 }}>
           <Label>Decision note (optional)</Label>
-          <input
+          <Input
             type="text"
             value={note}
             onChange={(e) => setNote(e.target.value)}
             placeholder="Welcome to the program!"
-            style={{ width: '100%', padding: '8px 10px', border: '1px solid #d0d0c8', borderRadius: 6, fontSize: 14, marginBottom: 12 }}
+            style={{ marginBottom: 12 }}
           />
           <div style={{ display: 'flex', gap: 8 }}>
             <Button onClick={() => onApprove(note || undefined)} disabled={busy}>
diff --git a/apps/portal/src/pages/creator/CreatorMyProfile.tsx b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
index 4041785..b0fee44 100644
--- a/apps/portal/src/pages/creator/CreatorMyProfile.tsx
+++ b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
@@ -1,6 +1,6 @@
 import { useEffect, useState } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Button, Card, ErrorBanner, Input, Label, Page } from '../../ui.js';
+import { Button, Card, ErrorBanner, Input, Label, Page, Textarea } from '../../ui.js';
 import { theme } from '../../theme.js';
 import { creatorApi } from './creator-api.js';
 
@@ -84,22 +84,7 @@ export function CreatorMyProfilePage() {
             </div>
             <div>
               <Label>Bio</Label>
-              <textarea
-                value={bio}
-                onChange={(e) => setBio(e.target.value)}
-                rows={4}
-                style={{
-                  width: '100%',
-                  padding: '10px 12px',
-                  background: theme.surface2,
-                  border: `1px solid ${theme.border}`,
-                  borderRadius: theme.radiusSm,
-                  color: theme.text,
-                  fontFamily: 'inherit',
-                  fontSize: 14,
-                  resize: 'vertical',
-                }}
-              />
+              <Textarea value={bio} onChange={(e) => setBio(e.target.value)} rows={4} />
             </div>
             <div>
               <Button onClick={() => save.mutate()} disabled={save.isPending}>
diff --git a/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx b/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx
index fae4909..7a2f221 100644
--- a/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx
+++ b/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx
@@ -1,7 +1,7 @@
 import { useState } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { Link, useNavigate, useParams } from 'react-router-dom';
-import { Button, Card, ErrorBanner, Input, Label, Page } from '../../ui.js';
+import { Button, Card, ErrorBanner, Input, Label, Page, Textarea } from '../../ui.js';
 import { theme } from '../../theme.js';
 import { creatorApi, ApiError } from './creator-api.js';
 
@@ -101,19 +101,11 @@ export function CreatorOfferingDetailPage() {
                 </div>
                 <div style={{ marginTop: 12 }}>
                   <Label>Message to the vendor (optional)</Label>
-                  <textarea
+                  <Textarea
                     value={message}
                     onChange={(e) => setMessage(e.target.value)}
                     rows={4}
                     placeholder="Why you'd be a great partner…"
-                    style={{
-                      width: '100%',
-                      padding: '8px 10px',
-                      border: `1px solid ${theme.border}`,
-                      borderRadius: 6,
-                      fontFamily: 'inherit',
-                      fontSize: 14,
-                    }}
                   />
                 </div>
                 <div style={{ marginTop: 12 }}>
diff --git a/apps/portal/src/pages/partner/MyProfile.tsx b/apps/portal/src/pages/partner/MyProfile.tsx
index cfc28d8..9c591aa 100644
--- a/apps/portal/src/pages/partner/MyProfile.tsx
+++ b/apps/portal/src/pages/partner/MyProfile.tsx
@@ -1,7 +1,7 @@
 import { useEffect, useState } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { api } from '../../api.js';
-import { Button, Card, ErrorBanner, Input, Label, Page } from '../../ui.js';
+import { Button, Card, ErrorBanner, Input, Label, Page, Textarea } from '../../ui.js';
 import { theme } from '../../theme.js';
 
 interface Profile {
@@ -96,19 +96,7 @@ export function MyProfilePage() {
             </div>
             <div>
               <Label>Bio</Label>
-              <textarea
-                value={bio}
-                onChange={(e) => setBio(e.target.value)}
-                rows={4}
-                style={{
-                  width: '100%',
-                  padding: '8px 10px',
-                  border: `1px solid ${theme.border}`,
-                  borderRadius: 6,
-                  fontFamily: 'inherit',
-                  fontSize: 14,
-                }}
-              />
+              <Textarea value={bio} onChange={(e) => setBio(e.target.value)} rows={4} />
             </div>
             <div>
               <Button onClick={() => save.mutate()} disabled={save.isPending}>
diff --git a/apps/portal/src/pages/partner/OfferingDetail.tsx b/apps/portal/src/pages/partner/OfferingDetail.tsx
index efda777..820690b 100644
--- a/apps/portal/src/pages/partner/OfferingDetail.tsx
+++ b/apps/portal/src/pages/partner/OfferingDetail.tsx
@@ -2,7 +2,7 @@ import { useState } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { Link, useNavigate, useParams } from 'react-router-dom';
 import { api, ApiError, type Principal } from '../../api.js';
-import { Button, Card, ErrorBanner, Input, Label, Page } from '../../ui.js';
+import { Button, Card, ErrorBanner, Input, Label, Page, Textarea } from '../../ui.js';
 import { theme } from '../../theme.js';
 
 interface Offering {
@@ -104,19 +104,11 @@ export function OfferingDetailPage({ principal }: { principal: Principal }) {
                 </div>
                 <div style={{ marginTop: 12 }}>
                   <Label>Message to the vendor (optional)</Label>
-                  <textarea
+                  <Textarea
                     value={message}
                     onChange={(e) => setMessage(e.target.value)}
                     rows={4}
                     placeholder="Why you'd be a great partner…"
-                    style={{
-                      width: '100%',
-                      padding: '8px 10px',
-                      border: `1px solid ${theme.border}`,
-                      borderRadius: 6,
-                      fontFamily: 'inherit',
-                      fontSize: 14,
-                    }}
                   />
                 </div>
                 <div style={{ marginTop: 12 }}>
diff --git a/apps/portal/src/ui.tsx b/apps/portal/src/ui.tsx
index e61b185..2e5a65a 100644
--- a/apps/portal/src/ui.tsx
+++ b/apps/portal/src/ui.tsx
@@ -282,6 +282,26 @@ export function Select(props: React.SelectHTMLAttributes<HTMLSelectElement> & {
   );
 }
 
+export function Textarea(props: React.TextareaHTMLAttributes<HTMLTextAreaElement>) {
+  return (
+    <textarea
+      {...props}
+      style={{
+        padding: '10px 12px',
+        fontSize: 14,
+        background: theme.surface2,
+        border: `1px solid ${theme.border}`,
+        borderRadius: theme.radiusSm,
+        color: theme.text,
+        width: '100%',
+        fontFamily: 'inherit',
+        resize: 'vertical',
+        ...props.style,
+      }}
+    />
+  );
+}
+
 export function Label({ children }: { children: ReactNode }) {
   return (
     <label

From 071b66bcee9a4ab9a4765c312a06ee8cb8454520 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Tue, 28 Apr 2026 23:56:33 -0700
Subject: [PATCH 077/131] chore(network-client): log upstream error body for
 diagnosis

callNetwork was throwing NetworkProxyError with the truncated body but
no API-log line, so chasing federation failures meant asking the user
to dig through browser devtools for the response body. Mirror what
creator-portal does: console.error the method/path/status/body for any
non-2xx upstream response (truncated to 1000 chars).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/network-client.ts | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/apps/api/src/network-client.ts b/apps/api/src/network-client.ts
index a979ce9..8be5753 100644
--- a/apps/api/src/network-client.ts
+++ b/apps/api/src/network-client.ts
@@ -467,6 +467,16 @@ async function callNetwork<T>(
   });
   const text = await res.text();
   if (!res.ok) {
+    // Log the full upstream response so federation_failed / similar
+    // errors with a long detail field are visible in API logs without
+    // having to dig through browser devtools. Status ≥400 only — 2xx
+    // would be noisy.
+    console.error('[network-client] upstream error', {
+      method,
+      path,
+      status: res.status,
+      body: text.length > 1000 ? `${text.slice(0, 1000)}…(truncated)` : text,
+    });
     throw new NetworkProxyError(res.status, text.slice(0, 500) || `http_${res.status}`);
   }
   return text ? (JSON.parse(text) as T) : (null as unknown as T);

From e71e8203d586194104337121de59a2f9b7fcb9cb Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 00:22:57 -0700
Subject: [PATCH 078/131] fix(network-signup): instanceUrl must put /api before
 /t/<slug>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Network registers vendor.instanceUrl during signup/connect and uses it
verbatim for federation calls back to the vendor. The path was being
built as ${host}/t/<slug>/api, which DigitalOcean App Platform routes
to the portal SPA (since the /api ingress rule only matches when /api
is the path prefix, not a middle segment) — the federation POST to
/partners hit the SPA and got a 400 instead of reaching the api.

Build it as ${host}/api/t/<slug> instead so the /api ingress rule
fires, lands at the api component, and tenancy middleware (whose
regex already accepts /api/t/<slug>/* in addition to /t/<slug>/*)
strips the prefix correctly.

Existing Vendor rows on Network still hold the broken URL — those
need a one-off UPDATE to drop /t/<slug>/api and rewrite as
/api/t/<slug>.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/settings.ts | 12 ++++++++++--
 apps/api/src/routes/signup.ts   |  6 +++++-
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/apps/api/src/routes/settings.ts b/apps/api/src/routes/settings.ts
index 9718b2f..928a0e8 100644
--- a/apps/api/src/routes/settings.ts
+++ b/apps/api/src/routes/settings.ts
@@ -275,7 +275,11 @@ settingsRouter.post('/config/network/start-connect', requireAuth, requireAdmin,
   // Resolve defaults from the request + tenant context.
   const protoHost = `${req.protocol}://${req.get('host') ?? ''}`;
   const tenantPath = tenantSlug ? `/t/${tenantSlug}` : '';
-  const inferredInstanceUrl = `${protoHost}${tenantPath}/api`;
+  // /api goes BEFORE /t/<slug> so the DO App Platform ingress
+  // (/api → api component) actually routes to us. The tenant middleware
+  // accepts both /t/<slug>/* and /api/t/<slug>/* in its regex, so the
+  // api still resolves the tenant correctly.
+  const inferredInstanceUrl = `${protoHost}${tenantSlug ? `/api/t/${tenantSlug}` : '/api'}`;
   const inferredCallback = `${protoHost}${tenantPath}/admin/network/complete`;
 
   // Mint a fresh scoped key with the federation scope set; store the
@@ -350,7 +354,11 @@ settingsRouter.post('/config/network/auto-enroll', requireAuth, requireAdmin, as
 
   const protoHost = `${req.protocol}://${req.get('host') ?? ''}`;
   const tenantPath = tenantSlug ? `/t/${tenantSlug}` : '';
-  const inferredInstanceUrl = `${protoHost}${tenantPath}/api`;
+  // /api goes BEFORE /t/<slug> so the DO App Platform ingress
+  // (/api → api component) actually routes to us. The tenant middleware
+  // accepts both /t/<slug>/* and /api/t/<slug>/* in its regex, so the
+  // api still resolves the tenant correctly.
+  const inferredInstanceUrl = `${protoHost}${tenantSlug ? `/api/t/${tenantSlug}` : '/api'}`;
   const inferredCallback = `${protoHost}${tenantPath}/admin/network/complete`;
 
   const scoped = await createApiKeyRow(db, {
diff --git a/apps/api/src/routes/signup.ts b/apps/api/src/routes/signup.ts
index 15f3a7b..cf8c587 100644
--- a/apps/api/src/routes/signup.ts
+++ b/apps/api/src/routes/signup.ts
@@ -193,7 +193,11 @@ signupRouter.post('/signup', signupLimit, async (req, res) => {
       const protoHost = `${req.protocol}://${req.get('host') ?? ''}`;
       const signupResult = await signupWithNetwork({
         networkUrl,
-        instanceUrl: `${protoHost}/t/${slug}/api`,
+        // /api comes BEFORE /t/<slug> so the DO App Platform ingress
+        // (/api → api component) actually routes to us. The tenant
+        // middleware accepts both /t/<slug>/* and /api/t/<slug>/* via
+        // its regex, so the api still resolves the tenant correctly.
+        instanceUrl: `${protoHost}/api/t/${slug}`,
         scopedKey: scoped.plaintext,
         displayName: body.data.displayName,
         contactEmail: adminEmail,

From 8ccbee212c58e5d03e09fb37a51bfceeefcf5701 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 10:09:28 -0700
Subject: [PATCH 079/131] feat(router): /r/:slug/:linkKey for multi-tenant
 share links
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

linkKey is unique per (tenantId, linkKey) post the multi-tenant
migration — two tenants can both use 'keithf'. The legacy /r/:linkKey
route resolved the wrong tenant's link in that case (whichever pg
returned first). Add a /r/:slug/:linkKey route that resolves tenant
by slug, then scopes the Link query to (tenantId, linkKey).

The /r/:linkKey route stays for single-tenant deployments where
linkKey is globally unique. Multi-tenant deployments should use the
new format; Network's deriveShareUrl is updated to produce it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/router/src/server.ts | 31 ++++++++++++++++++++++++++-----
 1 file changed, 26 insertions(+), 5 deletions(-)

diff --git a/apps/router/src/server.ts b/apps/router/src/server.ts
index f0ab4b2..a00de07 100644
--- a/apps/router/src/server.ts
+++ b/apps/router/src/server.ts
@@ -1,5 +1,5 @@
 import { serve } from '@hono/node-server';
-import { Hono } from 'hono';
+import { Hono, type Context } from 'hono';
 import { ulid } from 'ulid';
 import { createHash } from 'node:crypto';
 import { createDb, TABLES, type LinkRow } from '@openpartner/db';
@@ -15,11 +15,32 @@ const db = createDb({ connectionString: process.env.DATABASE_URL! });
 
 app.get('/health', (c) => c.json({ ok: true, service: 'router' }));
 
-// Click router: /r/:linkKey → resolve → insert Click → set first-party cookie → 302.
+// Click router. Two URL shapes depending on tenancy:
+//   /r/:slug/:linkKey  — multi-tenant, slug disambiguates per-tenant
+//                        unique linkKeys. The shared share-URL format
+//                        Network's deriveShareUrl produces.
+//   /r/:linkKey        — single-tenant fallback. linkKey is globally
+//                        unique here, so no slug needed. Self-host
+//                        deployments use this.
+//
+// Both resolve → insert Click → set first-party cookie → 302.
+app.get('/r/:slug/:linkKey', async (c) => {
+  const { slug, linkKey } = c.req.param();
+  const tenant = (await db('Tenant').where({ slug, status: 'active' }).first(['id'])) as
+    | { id: string }
+    | undefined;
+  if (!tenant) return c.text('Tenant not found', 404);
+  const link = await db<LinkRow>(TABLES.Link).where({ tenantId: tenant.id, linkKey }).first();
+  return resolveLink(c, link);
+});
+
 app.get('/r/:linkKey', async (c) => {
   const linkKey = c.req.param('linkKey');
-
   const link = await db<LinkRow>(TABLES.Link).where({ linkKey }).first();
+  return resolveLink(c, link);
+});
+
+async function resolveLink(c: Context, link: LinkRow | undefined) {
   if (!link) {
     return c.text('Link not found', 404);
   }
@@ -70,7 +91,7 @@ app.get('/r/:linkKey', async (c) => {
     return c.text('Rate limited', 429);
   }
 
-  const velocityFlagged = checkVelocity(ipHash, linkKey);
+  const velocityFlagged = checkVelocity(ipHash, link.linkKey);
 
   // Precedence: revoked beats velocity — a click on a pulled partner's
   // link is not a velocity signal, it's a revoked signal.
@@ -94,7 +115,7 @@ app.get('/r/:linkKey', async (c) => {
   );
 
   return c.redirect(destination.toString(), 302);
-});
+}
 
 function hashIp(ip: string): string | null {
   if (!ip) return null;

From 70150193cd4d31896f907ea87ec1bd9229a5d072 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 11:20:56 -0700
Subject: [PATCH 080/131] feat(clicks): POST /clicks for federated click
 ingestion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Phase 1B of creator-owned share domains. Network records a click on its
own DB when traffic arrives via a creator's custom domain, then pushes
it here so brand-side attribution + analytics still see it. The
authoritative click row lives on the vendor's instance; Network's copy
is for creator-side analytics + retry source.

  - POST /clicks accepts {id, linkKey, landingUrl, ipHash, userAgent,
    referer, fraudFlag, ts}. Looks up the Link by linkKey within the
    tenant — caller can't forge attribution.
  - Idempotent on (tenantId, id): replaying the same outbox push after
    a transient 5xx returns 200 replayed=true instead of 409.
  - clicks:write scope added to NETWORK_FEDERATION_SCOPES so vendor
    signups going forward request it. Existing federation keys need a
    one-off scope update; that's a follow-up SQL.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/app.ts             |  2 +
 apps/api/src/routes/api-keys.ts |  3 ++
 apps/api/src/routes/clicks.ts   | 78 +++++++++++++++++++++++++++++++++
 3 files changed, 83 insertions(+)
 create mode 100644 apps/api/src/routes/clicks.ts

diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index d6045cb..177a104 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -38,6 +38,7 @@ import { partnerCampaignsRouter } from './routes/partner-campaigns.js';
 import { onboardingRouter } from './routes/onboarding.js';
 import { creatorPortalRouter } from './routes/creator-portal.js';
 import { signinRouter } from './routes/signin.js';
+import { clicksRouter } from './routes/clicks.js';
 import { sessionHomeRouter } from './routes/session-home.js';
 import { platformAuthRouter } from './routes/platform-auth.js';
 import { tenantMiddleware } from './tenancy.js';
@@ -150,6 +151,7 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   app.use(partnersRouter);
   app.use(campaignsRouter);
   app.use(linksRouter);
+  app.use(clicksRouter);
   app.use(dashboardRouter);
   app.use(apiKeysRouter);
   app.use(connectRouter);
diff --git a/apps/api/src/routes/api-keys.ts b/apps/api/src/routes/api-keys.ts
index 89dd5ba..e46a233 100644
--- a/apps/api/src/routes/api-keys.ts
+++ b/apps/api/src/routes/api-keys.ts
@@ -18,6 +18,9 @@ export const NETWORK_FEDERATION_SCOPES = [
   'partners:read',
   'links:write',
   'commissions:read',
+  // Network pushes federated clicks (creator-domain traffic) back to
+  // the vendor instance so brand-side analytics still see them.
+  'clicks:write',
 ] as const;
 
 export const apiKeysRouter = Router();
diff --git a/apps/api/src/routes/clicks.ts b/apps/api/src/routes/clicks.ts
new file mode 100644
index 0000000..6b11349
--- /dev/null
+++ b/apps/api/src/routes/clicks.ts
@@ -0,0 +1,78 @@
+/**
+ * Click ingestion endpoint for federated clicks.
+ *
+ * The OpenPartner Network records clicks on its own DB when traffic
+ * arrives via a creator's custom share domain (efficient.link/r/<slug>),
+ * then federates each click to the brand's instance so brand-side
+ * analytics + attribution still see it. This is the receiving side.
+ *
+ * Authoritative click record lives here on the vendor's instance —
+ * Network's NetworkClick is a parallel copy for creator-side analytics.
+ * The same clickId (ULID) is used in both places so attribution stitches
+ * across systems via the cref cookie set by the Network router.
+ *
+ * Idempotent on (tenantId, id) — replaying the same outbox push (e.g.,
+ * after a transient 5xx) won't double-insert. Network never invents a
+ * new id on retry, only on first record.
+ */
+
+import { Router } from 'express';
+import { z } from 'zod';
+import { TABLES, type ClickRow, type LinkRow } from '@openpartner/db';
+import { grantScope, requireAuth } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
+
+const ingestSchema = z.object({
+  /** ULID minted by the federating caller (Network). Replays carry the
+   *  same id so we can dedupe via the unique primary key. */
+  id: z.string().min(20).max(40),
+  /** Resolves to a Link in this tenant. We derive partnerId + campaignId
+   *  from the Link so the caller can't forge attribution. */
+  linkKey: z.string().min(3).max(64),
+  landingUrl: z.string().url().max(2048),
+  ipHash: z.string().max(64).nullable().optional(),
+  userAgent: z.string().max(500).nullable().optional(),
+  referer: z.string().max(500).nullable().optional(),
+  fraudFlag: z.enum(['velocity', 'manual', 'revoked']).nullable().optional(),
+  /** Click timestamp from the federating caller — preserves the actual
+   *  click time even if the federation push is delayed. ISO 8601. */
+  ts: z.string().datetime(),
+});
+
+export const clicksRouter = Router();
+
+clicksRouter.post('/clicks', requireAuth, grantScope('clicks:write'), async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  const body = ingestSchema.safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  // Look up the Link by linkKey within this tenant. Don't trust the
+  // caller's claimed partnerId/campaignId — derive from the Link row.
+  const link = await db<LinkRow>(TABLES.Link).where({ linkKey: body.data.linkKey }).first();
+  if (!link) return res.status(404).json({ error: 'link_not_found' });
+
+  try {
+    await db<ClickRow>(TABLES.Click).insert({
+      id: body.data.id,
+      tenantId,
+      linkId: link.id,
+      partnerId: link.partnerId,
+      campaignId: link.campaignId,
+      landingUrl: body.data.landingUrl,
+      ipHash: body.data.ipHash ?? null,
+      userAgent: body.data.userAgent ?? null,
+      referer: body.data.referer ?? null,
+      fraudFlag: body.data.fraudFlag ?? null,
+      ts: new Date(body.data.ts),
+    });
+    return res.status(201).json({ ok: true, id: body.data.id });
+  } catch (err) {
+    // Replay protection: same id already inserted → 200 idempotent ok.
+    // Network's outbox retries on transient failure; the second push
+    // shouldn't error just because the first eventually wrote.
+    if (typeof err === 'object' && err !== null && (err as { code?: string }).code === '23505') {
+      return res.status(200).json({ ok: true, id: body.data.id, replayed: true });
+    }
+    throw err;
+  }
+});

From f3e3cf314baeae382491b46034811977f1e9e463 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 11:35:50 -0700
Subject: [PATCH 081/131] feat(creator-portal): UI for custom domains +
 share-link management

Phase 1F (final) of creator-owned share domains.

  - Custom domains page: register a domain, see TXT + CNAME instructions
    inline, click Verify (server DNS-resolves the TXT and flips status).
    Doc note about Cloudflare flexible SSL bridging the cert gap until
    Phase 2 ships auto-Let's-Encrypt.
  - Share links page: flat list of partnerships with the live share URL
    (custom domain when verified, openpartner default otherwise),
    one-click copy, inline slug edit.
  - Sidebar restructure: a Settings section with Custom domains + Profile,
    Share links added under Network. New Link2 + Network icons.
  - creator-portal proxy whitelist additions for the new endpoints
    (POST/GET /domains, POST /domains/:id/verify, DELETE /domains/:id,
    GET /partnerships, PATCH /partnerships/:id).

Closes the Phase 1 build for creator-owned share domains. Phase 2 is
auto-cert provisioning.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/creator-portal.ts         |   6 +
 .../src/pages/creator/CreatorDomains.tsx      | 216 ++++++++++++++++++
 .../src/pages/creator/CreatorShareLinks.tsx   | 172 ++++++++++++++
 .../portal/src/pages/creator/CreatorShell.tsx |  10 +-
 4 files changed, 403 insertions(+), 1 deletion(-)
 create mode 100644 apps/portal/src/pages/creator/CreatorDomains.tsx
 create mode 100644 apps/portal/src/pages/creator/CreatorShareLinks.tsx

diff --git a/apps/api/src/routes/creator-portal.ts b/apps/api/src/routes/creator-portal.ts
index 06d6bc4..bfdc0f6 100644
--- a/apps/api/src/routes/creator-portal.ts
+++ b/apps/api/src/routes/creator-portal.ts
@@ -38,6 +38,8 @@ const ALLOWED_EXACT = new Set([
   '/creators/me/delete',
   '/creators/me/restore',
   '/creators/handle-available',
+  '/creators/me/domains',
+  '/creators/me/partnerships',
   '/offerings',
 ]);
 
@@ -46,6 +48,10 @@ const ALLOWED_PREFIX: Array<{ prefix: string; methods: Set<string> }> = [
   { prefix: '/vendors/', methods: new Set(['GET']) },                // /vendors/:id (public profile)
   { prefix: '/creators/me/affiliations/', methods: new Set(['GET']) },
   { prefix: '/creators/me/requests/', methods: new Set(['POST']) },
+  // Custom share-domain management — POST /verify, DELETE the domain.
+  { prefix: '/creators/me/domains/', methods: new Set(['POST', 'DELETE']) },
+  // Per-partnership slug edit (creatorSlug — the path under custom domain).
+  { prefix: '/creators/me/partnerships/', methods: new Set(['PATCH']) },
 ];
 
 function isAllowed(method: string, subpath: string): boolean {
diff --git a/apps/portal/src/pages/creator/CreatorDomains.tsx b/apps/portal/src/pages/creator/CreatorDomains.tsx
new file mode 100644
index 0000000..1ddafd3
--- /dev/null
+++ b/apps/portal/src/pages/creator/CreatorDomains.tsx
@@ -0,0 +1,216 @@
+import { useState } from 'react';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { Globe } from 'lucide-react';
+import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page } from '../../ui.js';
+import { theme } from '../../theme.js';
+import { creatorApi, ApiError } from './creator-api.js';
+
+type DomainStatus = 'pending' | 'verified' | 'failed';
+
+interface Instructions {
+  txt: { name: string; value: string };
+  cname: { name: string; value: string };
+}
+
+interface Domain {
+  id: string;
+  domain: string;
+  status: DomainStatus;
+  verifiedAt: string | null;
+  createdAt: string;
+  instructions: Instructions | null;
+}
+
+export function CreatorDomainsPage() {
+  const qc = useQueryClient();
+  const list = useQuery({
+    queryKey: ['creator-domains'],
+    queryFn: () => creatorApi<{ domains: Domain[] }>('/creators/me/domains'),
+    retry: false,
+  });
+
+  const [showAdd, setShowAdd] = useState(false);
+
+  return (
+    <Page
+      title="Custom domains"
+      subtitle="Use your own domain for share links instead of the default openpartner.dev URL."
+      actions={
+        <Button onClick={() => setShowAdd(true)}>Add domain</Button>
+      }
+    >
+      <ErrorBanner error={list.error} />
+      {showAdd && (
+        <AddDomainCard
+          onClose={() => setShowAdd(false)}
+          onAdded={() => {
+            setShowAdd(false);
+            qc.invalidateQueries({ queryKey: ['creator-domains'] });
+          }}
+        />
+      )}
+      {list.isLoading ? (
+        <Card>Loading…</Card>
+      ) : !list.data || list.data.domains.length === 0 ? (
+        <EmptyState
+          title="No custom domains yet"
+          hint="Point your own domain at the OpenPartner router and your share links become https://yourdomain.com/r/<program>."
+          icon={<Globe size={28} strokeWidth={1.25} />}
+        />
+      ) : (
+        list.data.domains.map((d) => <DomainCard key={d.id} domain={d} />)
+      )}
+    </Page>
+  );
+}
+
+function AddDomainCard({ onClose, onAdded }: { onClose: () => void; onAdded: () => void }) {
+  const [domain, setDomain] = useState('');
+  const mut = useMutation({
+    mutationFn: () =>
+      creatorApi<Domain>('/creators/me/domains', { method: 'POST', body: { domain: domain.trim().toLowerCase() } }),
+    onSuccess: onAdded,
+  });
+
+  return (
+    <Card style={{ marginBottom: 14 }}>
+      <div style={{ fontSize: 15, fontWeight: 500, marginBottom: 6 }}>Add a domain</div>
+      <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 14 }}>
+        Use a subdomain like <code>share.yourbrand.com</code> &mdash; bare domains can&rsquo;t CNAME at most DNS providers.
+      </div>
+      <ErrorBanner error={mut.error} />
+      <div style={{ marginBottom: 14 }}>
+        <Label>Domain</Label>
+        <Input
+          value={domain}
+          onChange={(e) => setDomain(e.target.value)}
+          placeholder="share.yourbrand.com"
+          style={{ fontFamily: theme.fontMono }}
+        />
+      </div>
+      <div style={{ display: 'flex', gap: 8 }}>
+        <Button onClick={() => mut.mutate()} disabled={!domain.trim() || mut.isPending}>
+          {mut.isPending ? 'Adding…' : 'Add domain'}
+        </Button>
+        <Button variant="secondary" onClick={onClose}>Cancel</Button>
+      </div>
+    </Card>
+  );
+}
+
+function DomainCard({ domain }: { domain: Domain }) {
+  const qc = useQueryClient();
+  const verify = useMutation({
+    mutationFn: () => creatorApi(`/creators/me/domains/${domain.id}/verify`, { method: 'POST' }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['creator-domains'] }),
+    onError: () => qc.invalidateQueries({ queryKey: ['creator-domains'] }),
+  });
+  const remove = useMutation({
+    mutationFn: () => creatorApi(`/creators/me/domains/${domain.id}`, { method: 'DELETE' }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['creator-domains'] }),
+  });
+
+  const verifyError = verify.error as ApiError | null;
+
+  return (
+    <Card>
+      <div style={{ display: 'flex', alignItems: 'baseline', gap: 12, marginBottom: 4 }}>
+        <h3 style={{ marginTop: 0, marginBottom: 0, flex: 1, fontFamily: theme.fontMono }}>
+          {domain.domain}
+        </h3>
+        <StatusChip status={domain.status} />
+      </div>
+      {domain.status === 'verified' ? (
+        <p style={{ color: theme.textMuted, fontSize: 13, margin: '4px 0 0' }}>
+          Verified. Share links to your programs are live at{' '}
+          <code>https://{domain.domain}/r/&lt;program&gt;</code>.
+        </p>
+      ) : (
+        <>
+          <p style={{ color: theme.textMuted, fontSize: 13, margin: '4px 0 14px' }}>
+            Add these two records at your DNS provider, then click Verify.
+          </p>
+          {domain.instructions && <DnsBlock instructions={domain.instructions} />}
+          {verifyError && <VerifyErrorBox error={verifyError} />}
+        </>
+      )}
+      <div style={{ display: 'flex', gap: 8, marginTop: 14 }}>
+        {domain.status !== 'verified' && (
+          <Button onClick={() => verify.mutate()} disabled={verify.isPending}>
+            {verify.isPending ? 'Verifying…' : 'Verify'}
+          </Button>
+        )}
+        <Button
+          variant="danger"
+          onClick={() => {
+            if (confirm(`Remove ${domain.domain}? Existing share links on this domain will stop working immediately.`)) {
+              remove.mutate();
+            }
+          }}
+          disabled={remove.isPending}
+        >
+          Remove
+        </Button>
+      </div>
+    </Card>
+  );
+}
+
+function VerifyErrorBox({ error }: { error: ApiError }) {
+  let detail: string | null = null;
+  if (error.detail && typeof error.detail === 'object' && 'detail' in error.detail) {
+    const d = (error.detail as { detail: unknown }).detail;
+    if (typeof d === 'string') detail = d;
+  }
+  return (
+    <div style={{ background: `${theme.danger}10`, border: `1px solid ${theme.danger}55`, borderRadius: theme.radiusSm, padding: 12, marginTop: 12, fontSize: 13, color: theme.danger }}>
+      {error.message}
+      {detail && (
+        <div style={{ marginTop: 6, color: `${theme.danger}cc`, fontSize: 12 }}>{detail}</div>
+      )}
+    </div>
+  );
+}
+
+function StatusChip({ status }: { status: DomainStatus }) {
+  const palette: Record<DomainStatus, { bg: string; fg: string; label: string }> = {
+    pending: { bg: `${theme.accent}15`, fg: theme.accent, label: 'Pending verification' },
+    verified: { bg: theme.successSoft, fg: theme.success, label: 'Verified' },
+    failed: { bg: `${theme.danger}15`, fg: theme.danger, label: 'Failed' },
+  };
+  const p = palette[status];
+  return (
+    <span style={{ background: p.bg, color: p.fg, fontSize: 11, padding: '3px 10px', borderRadius: 12, fontWeight: 600 }}>
+      {p.label}
+    </span>
+  );
+}
+
+function DnsBlock({ instructions }: { instructions: Instructions }) {
+  return (
+    <div style={{ display: 'flex', flexDirection: 'column', gap: 10 }}>
+      <DnsRow label="TXT" name={instructions.txt.name} value={instructions.txt.value} />
+      <DnsRow label="CNAME" name={instructions.cname.name} value={instructions.cname.value} />
+      <p style={{ color: theme.textDim, fontSize: 12, margin: 0 }}>
+        Most DNS providers don&rsquo;t allow CNAME on bare domains &mdash; use a subdomain
+        (<code>share.yourbrand.com</code>), or your provider&rsquo;s ALIAS / ANAME equivalent. While the
+        cert is provisioning, sit Cloudflare&rsquo;s flexible SSL in front (free) or accept HTTP for testing.
+      </p>
+    </div>
+  );
+}
+
+function DnsRow({ label, name, value }: { label: string; name: string; value: string }) {
+  return (
+    <div style={{ background: theme.surface2, border: `1px solid ${theme.borderSubtle}`, borderRadius: theme.radiusSm, padding: 10 }}>
+      <div style={{ fontSize: 11, color: theme.textDim, textTransform: 'uppercase', letterSpacing: '0.05em', marginBottom: 4 }}>
+        {label} record
+      </div>
+      <div style={{ fontFamily: theme.fontMono, fontSize: 13, wordBreak: 'break-all' }}>
+        <span style={{ color: theme.textMuted }}>{name}</span>
+        {' = '}
+        <span>{value}</span>
+      </div>
+    </div>
+  );
+}
diff --git a/apps/portal/src/pages/creator/CreatorShareLinks.tsx b/apps/portal/src/pages/creator/CreatorShareLinks.tsx
new file mode 100644
index 0000000..d1e06e6
--- /dev/null
+++ b/apps/portal/src/pages/creator/CreatorShareLinks.tsx
@@ -0,0 +1,172 @@
+import { useState } from 'react';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { Link } from 'react-router-dom';
+import { Copy, Megaphone } from 'lucide-react';
+import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page, formatDate } from '../../ui.js';
+import { theme } from '../../theme.js';
+import { creatorApi } from './creator-api.js';
+
+interface Partnership {
+  id: string;
+  vendorId: string;
+  offeringId: string;
+  creatorSlug: string;
+  publicShareUrl: string;
+  status: string;
+  createdAt: string;
+  vendorName: string;
+  offeringTitle: string | null;
+  shareUrl: string;
+  customDomain: string | null;
+}
+
+export function CreatorShareLinksPage() {
+  const list = useQuery({
+    queryKey: ['creator-partnerships'],
+    queryFn: () => creatorApi<{ partnerships: Partnership[] }>('/creators/me/partnerships'),
+    retry: false,
+  });
+
+  const verified = list.data?.partnerships ?? [];
+  const customDomain = verified[0]?.customDomain ?? null;
+
+  return (
+    <Page
+      title="Share links"
+      subtitle={
+        customDomain
+          ? `Branded with your domain ${customDomain}. Edit the slug per program below.`
+          : 'Default openpartner.dev URLs. Add a custom domain in Domains to brand them.'
+      }
+    >
+      <ErrorBanner error={list.error} />
+      {list.isLoading ? (
+        <Card>Loading…</Card>
+      ) : verified.length === 0 ? (
+        <EmptyState
+          title="No share links yet"
+          hint="Apply to a program to get your first share link."
+          icon={<Megaphone size={28} strokeWidth={1.25} />}
+        />
+      ) : (
+        verified.map((p) => <PartnershipRow key={p.id} partnership={p} />)
+      )}
+    </Page>
+  );
+}
+
+function PartnershipRow({ partnership }: { partnership: Partnership }) {
+  const qc = useQueryClient();
+  const [editing, setEditing] = useState(false);
+  const [slug, setSlug] = useState(partnership.creatorSlug);
+  const [copied, setCopied] = useState(false);
+
+  const save = useMutation({
+    mutationFn: () =>
+      creatorApi(`/creators/me/partnerships/${partnership.id}`, {
+        method: 'PATCH',
+        body: { creatorSlug: slug.trim().toLowerCase() },
+      }),
+    onSuccess: () => {
+      setEditing(false);
+      qc.invalidateQueries({ queryKey: ['creator-partnerships'] });
+    },
+  });
+
+  function copy() {
+    navigator.clipboard.writeText(partnership.shareUrl).then(
+      () => {
+        setCopied(true);
+        setTimeout(() => setCopied(false), 1500);
+      },
+      () => {/* ignore */},
+    );
+  }
+
+  return (
+    <Card>
+      <div style={{ display: 'flex', alignItems: 'baseline', gap: 12, marginBottom: 4 }}>
+        <h3 style={{ marginTop: 0, marginBottom: 0, flex: 1 }}>
+          <Link to={`/creator/vendors/${partnership.vendorId}`}>{partnership.vendorName}</Link>
+        </h3>
+        <span style={{ color: theme.textMuted, fontSize: 12 }}>
+          {formatDate(partnership.createdAt, { relative: true })}
+        </span>
+      </div>
+      {partnership.offeringTitle && (
+        <p style={{ color: theme.textMuted, fontSize: 13, margin: '0 0 12px' }}>
+          {partnership.offeringTitle}
+        </p>
+      )}
+      <div
+        style={{
+          display: 'flex',
+          alignItems: 'center',
+          gap: 8,
+          background: theme.surface2,
+          border: `1px solid ${theme.borderSubtle}`,
+          borderRadius: theme.radiusSm,
+          padding: '10px 12px',
+          marginBottom: 8,
+        }}
+      >
+        <code style={{ flex: 1, fontSize: 13, wordBreak: 'break-all' }}>{partnership.shareUrl}</code>
+        <button
+          onClick={copy}
+          style={{
+            display: 'flex',
+            alignItems: 'center',
+            gap: 6,
+            background: 'transparent',
+            border: `1px solid ${theme.borderSubtle}`,
+            borderRadius: 6,
+            padding: '6px 10px',
+            fontSize: 12,
+            color: copied ? theme.success : theme.textMuted,
+            cursor: 'pointer',
+            whiteSpace: 'nowrap',
+          }}
+        >
+          <Copy size={12} />
+          {copied ? 'Copied' : 'Copy'}
+        </button>
+      </div>
+      {editing ? (
+        <div style={{ marginTop: 12 }}>
+          <Label>Slug (path under your domain)</Label>
+          <div style={{ display: 'flex', gap: 8, alignItems: 'center', marginTop: 4 }}>
+            <Input
+              value={slug}
+              onChange={(e) => setSlug(e.target.value.toLowerCase().replace(/[^a-z0-9-]/g, ''))}
+              placeholder="program-name"
+              style={{ fontFamily: theme.fontMono, flex: 1 }}
+            />
+            <Button onClick={() => save.mutate()} disabled={save.isPending || !slug.trim() || slug === partnership.creatorSlug}>
+              {save.isPending ? 'Saving…' : 'Save'}
+            </Button>
+            <Button variant="secondary" onClick={() => { setEditing(false); setSlug(partnership.creatorSlug); }}>
+              Cancel
+            </Button>
+          </div>
+          {save.error && (
+            <div style={{ color: theme.danger, fontSize: 12, marginTop: 6 }}>
+              {save.error instanceof Error ? save.error.message : 'Failed to save'}
+            </div>
+          )}
+        </div>
+      ) : (
+        <div style={{ display: 'flex', gap: 14, alignItems: 'baseline' }}>
+          <span style={{ color: theme.textMuted, fontSize: 12 }}>
+            slug: <code>{partnership.creatorSlug}</code>
+          </span>
+          <button
+            onClick={() => setEditing(true)}
+            style={{ background: 'transparent', border: 'none', color: theme.accent, cursor: 'pointer', fontSize: 12, padding: 0 }}
+          >
+            Edit
+          </button>
+        </div>
+      )}
+    </Card>
+  );
+}
diff --git a/apps/portal/src/pages/creator/CreatorShell.tsx b/apps/portal/src/pages/creator/CreatorShell.tsx
index be9e0cd..cc9cebe 100644
--- a/apps/portal/src/pages/creator/CreatorShell.tsx
+++ b/apps/portal/src/pages/creator/CreatorShell.tsx
@@ -1,7 +1,7 @@
 import { useEffect, useState, type ReactNode } from 'react';
 import { Link, Navigate, Route, Routes, useLocation, useNavigate } from 'react-router-dom';
 import { useQuery } from '@tanstack/react-query';
-import { Globe, Inbox, LogOut, Megaphone, UserCog } from 'lucide-react';
+import { Globe, Inbox, Link2, LogOut, Megaphone, Network, UserCog } from 'lucide-react';
 import { theme } from '../../theme.js';
 import { Logo } from '../auth/Shared.js';
 import { creatorApi } from './creator-api.js';
@@ -11,6 +11,8 @@ import { CreatorVendorDetailPage } from './CreatorVendorDetail.js';
 import { CreatorMyAffiliationsPage } from './CreatorMyAffiliations.js';
 import { CreatorMyRequestsPage } from './CreatorMyRequests.js';
 import { CreatorMyProfilePage } from './CreatorMyProfile.js';
+import { CreatorShareLinksPage } from './CreatorShareLinks.js';
+import { CreatorDomainsPage } from './CreatorDomains.js';
 
 interface Whoami {
   creator: { id: string; name: string; email: string; handle: string | null; avatarUrl: string | null; bio: string | null } | null;
@@ -43,6 +45,8 @@ export function CreatorShell() {
           <Route path="offerings/:id" element={<CreatorOfferingDetailPage />} />
           <Route path="vendors/:id" element={<CreatorVendorDetailPage />} />
           <Route path="affiliations" element={<CreatorMyAffiliationsPage />} />
+          <Route path="links" element={<CreatorShareLinksPage />} />
+          <Route path="domains" element={<CreatorDomainsPage />} />
           <Route path="requests" element={<CreatorMyRequestsPage />} />
           <Route path="profile" element={<CreatorMyProfilePage />} />
           <Route path="*" element={<Navigate to="discover" replace />} />
@@ -76,7 +80,11 @@ function CreatorSidebar({ creator }: { creator: NonNullable<Whoami['creator']> }
         <NavSection title="Network">
           <CreatorNavItem to="/creator/discover" icon={<Globe size={16} />}>Discover programs</CreatorNavItem>
           <CreatorNavItem to="/creator/affiliations" icon={<Megaphone size={16} />}>My partnerships</CreatorNavItem>
+          <CreatorNavItem to="/creator/links" icon={<Link2 size={16} />}>Share links</CreatorNavItem>
           <CreatorNavItem to="/creator/requests" icon={<Inbox size={16} />}>My applications</CreatorNavItem>
+        </NavSection>
+        <NavSection title="Settings">
+          <CreatorNavItem to="/creator/domains" icon={<Network size={16} />}>Custom domains</CreatorNavItem>
           <CreatorNavItem to="/creator/profile" icon={<UserCog size={16} />}>Profile</CreatorNavItem>
         </NavSection>
       </div>

From d3fd27bb07003aa885559d4eb7154439d165f56c Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 13:40:46 -0700
Subject: [PATCH 082/131] feat(creator-portal): conditional CTAs based on
 per-offering myStatus
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Discover page: each offering card swaps "View & apply" → "View link"
when myStatus='approved', "View application" when 'pending', "View &
reapply" when 'rejected'. Adds an inline status indicator next to the
button (✓ Active, Awaiting brand review).

Offering detail: replaces the always-on "Apply to promote" form with
a state-driven card —
  - approved → share link inline with copy button + link to /links
  - pending → "Application pending" with link to /requests
  - rejected → "Re-apply" form with prior context
  - none / cancelled → original apply form

Approved-state share URL is fetched from /creators/me/partnerships
(not the offering itself) so it always reflects the live custom
domain.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../src/pages/creator/CreatorDiscover.tsx     |  29 ++-
 .../pages/creator/CreatorOfferingDetail.tsx   | 201 ++++++++++++++----
 2 files changed, 191 insertions(+), 39 deletions(-)

diff --git a/apps/portal/src/pages/creator/CreatorDiscover.tsx b/apps/portal/src/pages/creator/CreatorDiscover.tsx
index 774c9b4..5eb84dd 100644
--- a/apps/portal/src/pages/creator/CreatorDiscover.tsx
+++ b/apps/portal/src/pages/creator/CreatorDiscover.tsx
@@ -6,6 +6,8 @@ import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page, Select } fro
 import { theme } from '../../theme.js';
 import { creatorApi } from './creator-api.js';
 
+type MyStatus = 'none' | 'pending' | 'approved' | 'rejected' | 'cancelled';
+
 interface OfferingListItem {
   id: string;
   title: string;
@@ -16,6 +18,7 @@ interface OfferingListItem {
   vendorPartnerCount: number;
   terms: { commissionDescription?: string };
   createdAt: string;
+  myStatus: MyStatus;
 }
 
 export function CreatorDiscoverPage() {
@@ -86,10 +89,17 @@ export function CreatorDiscoverPage() {
                   {o.description.slice(0, 180)}{o.description.length > 180 ? '…' : ''}
                 </p>
               )}
-              <div style={{ marginTop: 12 }}>
+              <div style={{ marginTop: 12, display: 'flex', alignItems: 'center', gap: 10 }}>
                 <Link to={`/creator/offerings/${o.id}`}>
-                  <Button>View &amp; apply</Button>
+                  <Button variant={o.myStatus === 'approved' || o.myStatus === 'pending' ? 'secondary' : 'primary'}>
+                    {ctaForStatus(o.myStatus)}
+                  </Button>
                 </Link>
+                {o.myStatus !== 'none' && o.myStatus !== 'rejected' && (
+                  <span style={{ fontSize: 12, color: o.myStatus === 'approved' ? theme.success : theme.textMuted }}>
+                    {o.myStatus === 'approved' ? '✓ Active' : o.myStatus === 'pending' ? 'Awaiting brand review' : null}
+                  </span>
+                )}
               </div>
             </Card>
           ))}
@@ -99,6 +109,21 @@ export function CreatorDiscoverPage() {
   );
 }
 
+function ctaForStatus(s: MyStatus): string {
+  switch (s) {
+    case 'approved':
+      return 'View link';
+    case 'pending':
+      return 'View application';
+    case 'rejected':
+      return 'View & reapply';
+    case 'cancelled':
+    case 'none':
+    default:
+      return 'View & apply';
+  }
+}
+
 interface CreatorProfile {
   id: string;
   email: string;
diff --git a/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx b/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx
index 7a2f221..b85824c 100644
--- a/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx
+++ b/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx
@@ -5,6 +5,8 @@ import { Button, Card, ErrorBanner, Input, Label, Page, Textarea } from '../../u
 import { theme } from '../../theme.js';
 import { creatorApi, ApiError } from './creator-api.js';
 
+type MyStatus = 'none' | 'pending' | 'approved' | 'rejected' | 'cancelled';
+
 interface Offering {
   id: string;
   title: string;
@@ -19,6 +21,13 @@ interface Offering {
     bonuses?: string[];
   };
   createdAt: string;
+  myStatus: MyStatus;
+}
+
+interface PartnershipForOffering {
+  id: string;
+  offeringId: string;
+  shareUrl: string;
 }
 
 interface Whoami {
@@ -79,45 +88,163 @@ export function CreatorOfferingDetailPage() {
 
           <div style={{ height: 18 }} />
 
-          <Card>
-            <h3 style={{ marginTop: 0 }}>Apply to promote</h3>
-            {!whoami?.creator ? (
-              <p style={{ color: theme.textMuted }}>
-                <Link to="/creator/signup" style={{ color: theme.accent }}>Sign up</Link> or <Link to="/creator/login" style={{ color: theme.accent }}>sign in</Link> to apply.
-              </p>
-            ) : (
-              <>
-                <ErrorBanner error={apply.error} />
-                {apply.error instanceof ApiError && apply.error.message === 'request_already_exists' && (
-                  <p style={{ color: theme.textMuted, fontSize: 13 }}>You already have a pending or active request for this program.</p>
-                )}
-                <div style={{ marginTop: 8 }}>
-                  <Label>Preferred share-link slug (optional)</Label>
-                  <Input
-                    placeholder={whoami.creator.handle ?? 'your-handle'}
-                    value={preferredSlug}
-                    onChange={(e) => setPreferredSlug(e.target.value)}
-                  />
-                </div>
-                <div style={{ marginTop: 12 }}>
-                  <Label>Message to the vendor (optional)</Label>
-                  <Textarea
-                    value={message}
-                    onChange={(e) => setMessage(e.target.value)}
-                    rows={4}
-                    placeholder="Why you'd be a great partner…"
-                  />
-                </div>
-                <div style={{ marginTop: 12 }}>
-                  <Button onClick={() => apply.mutate()} disabled={apply.isPending}>
-                    {apply.isPending ? 'Applying…' : 'Submit application'}
-                  </Button>
-                </div>
-              </>
-            )}
-          </Card>
+          <ApplyOrStatusCard
+            offering={offering}
+            whoami={whoami}
+            message={message}
+            setMessage={setMessage}
+            preferredSlug={preferredSlug}
+            setPreferredSlug={setPreferredSlug}
+            apply={apply}
+          />
         </>
       )}
     </Page>
   );
 }
+
+interface ApplyOrStatusProps {
+  offering: Offering;
+  whoami: Whoami | undefined;
+  message: string;
+  setMessage: (v: string) => void;
+  preferredSlug: string;
+  setPreferredSlug: (v: string) => void;
+  apply: ReturnType<typeof useMutation<unknown, Error, void>>;
+}
+
+function ApplyOrStatusCard({ offering, whoami, message, setMessage, preferredSlug, setPreferredSlug, apply }: ApplyOrStatusProps) {
+  // Show approved share link when active partnership exists. Hide the
+  // apply form for pending/cancelled (cancelled is rare; the creator
+  // can still re-apply through the rejected path if needed).
+  if (!whoami?.creator) {
+    return (
+      <Card>
+        <h3 style={{ marginTop: 0 }}>Apply to promote</h3>
+        <p style={{ color: theme.textMuted }}>
+          <Link to="/creator/signup" style={{ color: theme.accent }}>Sign up</Link> or <Link to="/creator/login" style={{ color: theme.accent }}>sign in</Link> to apply.
+        </p>
+      </Card>
+    );
+  }
+
+  if (offering.myStatus === 'approved') {
+    return <ApprovedCard offering={offering} />;
+  }
+
+  if (offering.myStatus === 'pending') {
+    return (
+      <Card>
+        <h3 style={{ marginTop: 0 }}>Application pending</h3>
+        <p style={{ color: theme.textMuted, fontSize: 13 }}>
+          You&rsquo;ve applied to {offering.vendorName} for this program. They&rsquo;ll review and you&rsquo;ll get an email when they decide.
+          You can track it on <Link to="/creator/requests" style={{ color: theme.accent }}>My applications</Link>.
+        </p>
+      </Card>
+    );
+  }
+
+  return (
+    <Card>
+      <h3 style={{ marginTop: 0 }}>{offering.myStatus === 'rejected' ? 'Re-apply' : 'Apply to promote'}</h3>
+      {offering.myStatus === 'rejected' && (
+        <p style={{ color: theme.textMuted, fontSize: 13, marginTop: 0 }}>
+          Your previous application was declined. You can try again with a different pitch.
+        </p>
+      )}
+      <ErrorBanner error={apply.error} />
+      {apply.error instanceof ApiError && apply.error.message === 'request_already_exists' && (
+        <p style={{ color: theme.textMuted, fontSize: 13 }}>You already have a pending or active request for this program.</p>
+      )}
+      <div style={{ marginTop: 8 }}>
+        <Label>Preferred share-link slug (optional)</Label>
+        <Input
+          placeholder={whoami.creator.handle ?? 'your-handle'}
+          value={preferredSlug}
+          onChange={(e) => setPreferredSlug(e.target.value)}
+        />
+      </div>
+      <div style={{ marginTop: 12 }}>
+        <Label>Message to the vendor (optional)</Label>
+        <Textarea
+          value={message}
+          onChange={(e) => setMessage(e.target.value)}
+          rows={4}
+          placeholder="Why you'd be a great partner…"
+        />
+      </div>
+      <div style={{ marginTop: 12 }}>
+        <Button onClick={() => apply.mutate()} disabled={apply.isPending}>
+          {apply.isPending ? 'Applying…' : 'Submit application'}
+        </Button>
+      </div>
+    </Card>
+  );
+}
+
+/** Active partnership — fetch the share URL from /creators/me/partnerships
+ *  and show it inline with a copy button. The flat partnerships endpoint
+ *  already computes shareUrl (custom domain when verified, else the
+ *  openpartner default). */
+function ApprovedCard({ offering }: { offering: Offering }) {
+  const [copied, setCopied] = useState(false);
+  const { data } = useQuery({
+    queryKey: ['creator-partnerships'],
+    queryFn: () => creatorApi<{ partnerships: PartnershipForOffering[] }>('/creators/me/partnerships'),
+    retry: false,
+  });
+  const partnership = data?.partnerships.find((p) => p.offeringId === offering.id);
+
+  function copy() {
+    if (!partnership) return;
+    navigator.clipboard.writeText(partnership.shareUrl).then(
+      () => { setCopied(true); setTimeout(() => setCopied(false), 1500); },
+      () => {/* ignore */},
+    );
+  }
+
+  return (
+    <Card>
+      <h3 style={{ marginTop: 0 }}>You&rsquo;re approved to promote this</h3>
+      <p style={{ color: theme.textMuted, fontSize: 13 }}>
+        Drop this share link on socials, in your newsletter, anywhere your audience hangs out.
+      </p>
+      {partnership ? (
+        <div
+          style={{
+            display: 'flex',
+            alignItems: 'center',
+            gap: 8,
+            background: theme.surface2,
+            border: `1px solid ${theme.borderSubtle}`,
+            borderRadius: theme.radiusSm,
+            padding: '10px 12px',
+            marginTop: 12,
+          }}
+        >
+          <code style={{ flex: 1, fontSize: 13, wordBreak: 'break-all' }}>{partnership.shareUrl}</code>
+          <button
+            onClick={copy}
+            style={{
+              background: 'transparent',
+              border: `1px solid ${theme.borderSubtle}`,
+              borderRadius: 6,
+              padding: '6px 10px',
+              fontSize: 12,
+              color: copied ? theme.success : theme.textMuted,
+              cursor: 'pointer',
+              whiteSpace: 'nowrap',
+            }}
+          >
+            {copied ? 'Copied' : 'Copy'}
+          </button>
+        </div>
+      ) : (
+        <p style={{ color: theme.textDim, fontSize: 13, marginTop: 12 }}>Loading share link…</p>
+      )}
+      <p style={{ marginTop: 12, fontSize: 12 }}>
+        <Link to="/creator/links" style={{ color: theme.accent }}>Edit slug or copy from My share links →</Link>
+      </p>
+    </Card>
+  );
+}

From 9c5b2098e08c99a60a886578946dafdb7b58e8ca Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 14:38:11 -0700
Subject: [PATCH 083/131] feat(creator-portal): proxy passthrough for new
 profile endpoints

Whitelists the new Network endpoints in the openpartner creator-portal
proxy:
  - /creators/me/platforms (list)
  - /creators/me/platforms/:platform (PUT upsert + DELETE)
  - /creators/by-handle/:handle (public profile lookup, no auth)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/creator-portal.ts | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/apps/api/src/routes/creator-portal.ts b/apps/api/src/routes/creator-portal.ts
index bfdc0f6..04a17bd 100644
--- a/apps/api/src/routes/creator-portal.ts
+++ b/apps/api/src/routes/creator-portal.ts
@@ -40,6 +40,7 @@ const ALLOWED_EXACT = new Set([
   '/creators/handle-available',
   '/creators/me/domains',
   '/creators/me/partnerships',
+  '/creators/me/platforms',
   '/offerings',
 ]);
 
@@ -52,6 +53,11 @@ const ALLOWED_PREFIX: Array<{ prefix: string; methods: Set<string> }> = [
   { prefix: '/creators/me/domains/', methods: new Set(['POST', 'DELETE']) },
   // Per-partnership slug edit (creatorSlug — the path under custom domain).
   { prefix: '/creators/me/partnerships/', methods: new Set(['PATCH']) },
+  // Per-platform handle upsert (PUT) + delete.
+  { prefix: '/creators/me/platforms/', methods: new Set(['PUT', 'DELETE']) },
+  // Public profile lookup — no creator session required, lets brands
+  // and the open web hit /creators/by-handle/<handle> on the portal.
+  { prefix: '/creators/by-handle/', methods: new Set(['GET']) },
 ];
 
 function isAllowed(method: string, subpath: string): boolean {

From 6f2858eb24e2644d5f4ccb0c2c67fa2bfd67f826 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 14:45:00 -0700
Subject: [PATCH 084/131] feat(creator-portal): Tier 1 profile editor + public
 profile page
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CreatorMyProfile gets four new sections:
  - Audience: 22-category chip picker (tech, lifestyle, finance, etc.)
    + audience locations (ISO-3166 alpha-2, max 5) + age range bucket.
  - Portfolio: dynamic add/remove URL list (max 6) + comma-separated
    past brand collaborations.
  - Platforms: per-platform handle + self-reported follower count for
    9 known platforms (TikTok, Instagram, YouTube, X, LinkedIn,
    Substack, Twitch, podcast, website). Each row PUTs/DELETEs
    independently against /creators/me/platforms/:platform.
  - Save profile button + a "View public profile" link that opens
    the new /creators/<handle> page in a new tab.

CreatorPublicProfile is a stand-alone page at /creators/:handle (no
auth — brands and the open web can browse). Shows avatar, handle,
bio, categories, platforms with total reach, audience markers,
sample work, past collaborations.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/App.tsx                       |   3 +
 .../src/pages/creator/CreatorMyProfile.tsx    | 407 ++++++++++++++++--
 .../pages/creator/CreatorPublicProfile.tsx    | 228 ++++++++++
 3 files changed, 604 insertions(+), 34 deletions(-)
 create mode 100644 apps/portal/src/pages/creator/CreatorPublicProfile.tsx

diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index c91d0de..001ffac 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -57,6 +57,7 @@ import { CreatorSignupPage } from './pages/creator/CreatorSignup.js';
 import { CreatorSigninPage } from './pages/creator/CreatorSignin.js';
 import { CreatorMagicLandingPage } from './pages/creator/CreatorMagicLanding.js';
 import { CreatorShell } from './pages/creator/CreatorShell.js';
+import { CreatorPublicProfilePage } from './pages/creator/CreatorPublicProfile.js';
 import { FraudReviewPage } from './pages/FraudReview.js';
 import { useQuery } from '@tanstack/react-query';
 
@@ -107,6 +108,8 @@ export function App() {
             <Route path="/creator/login" element={<CreatorSigninPage />} />
             <Route path="/creator/auth/magic" element={<CreatorMagicLandingPage />} />
             <Route path="/creator/*" element={<CreatorShell />} />
+            {/* Public creator profiles — no auth, browsable from anywhere. */}
+            <Route path="/creators/:handle" element={<CreatorPublicProfilePage />} />
             <Route path="/t/:slug/login" element={<LoginPage />} />
             <Route path="/t/:slug/auth/magic" element={<MagicLandingPage />} />
             <Route path="/t/:slug/*" element={<Shell />} />
diff --git a/apps/portal/src/pages/creator/CreatorMyProfile.tsx b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
index b0fee44..f18c0cc 100644
--- a/apps/portal/src/pages/creator/CreatorMyProfile.tsx
+++ b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
@@ -1,9 +1,12 @@
 import { useEffect, useState } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Button, Card, ErrorBanner, Input, Label, Page, Textarea } from '../../ui.js';
+import { Plus, X } from 'lucide-react';
+import { Button, Card, ErrorBanner, Input, Label, Page, Select, Textarea } from '../../ui.js';
 import { theme } from '../../theme.js';
 import { creatorApi } from './creator-api.js';
 
+type AgeRange = '13-17' | '18-24' | '25-34' | '35-44' | '45-54' | '55+';
+
 interface Profile {
   id: string;
   email: string;
@@ -12,9 +15,48 @@ interface Profile {
   avatarUrl: string | null;
   bio: string | null;
   profile: Record<string, unknown> | null;
+  categories: string[];
+  audienceLocations: string[];
+  audienceAgeRange: AgeRange | null;
+  portfolioLinks: string[];
+  pastBrands: string[];
   createdAt: string;
 }
 
+type Platform = 'tiktok' | 'instagram' | 'youtube' | 'twitter' | 'linkedin' | 'substack' | 'twitch' | 'podcast' | 'website';
+
+interface PlatformRow {
+  id: string;
+  platform: Platform;
+  handle: string;
+  profileUrl: string | null;
+  followerCount: number | null;
+  verified: boolean;
+}
+
+// Curated category list — covers the most-searched niches across
+// existing creator marketplaces. Brands filter on these in Tier 3.
+const CATEGORIES = [
+  'tech', 'business', 'finance', 'productivity', 'marketing', 'design',
+  'lifestyle', 'fitness', 'health', 'beauty', 'fashion', 'food', 'travel',
+  'gaming', 'music', 'art', 'photography', 'education', 'parenting',
+  'entertainment', 'news', 'sports',
+] as const;
+
+const AGE_RANGES: AgeRange[] = ['13-17', '18-24', '25-34', '35-44', '45-54', '55+'];
+
+const PLATFORMS: { kind: Platform; label: string; placeholder: string }[] = [
+  { kind: 'tiktok', label: 'TikTok', placeholder: 'your-handle' },
+  { kind: 'instagram', label: 'Instagram', placeholder: 'your-handle' },
+  { kind: 'youtube', label: 'YouTube', placeholder: 'your-handle' },
+  { kind: 'twitter', label: 'X / Twitter', placeholder: 'your-handle' },
+  { kind: 'linkedin', label: 'LinkedIn', placeholder: 'your-handle' },
+  { kind: 'substack', label: 'Substack', placeholder: 'subdomain' },
+  { kind: 'twitch', label: 'Twitch', placeholder: 'your-handle' },
+  { kind: 'podcast', label: 'Podcast', placeholder: 'https://feeds…' },
+  { kind: 'website', label: 'Website', placeholder: 'https://…' },
+];
+
 export function CreatorMyProfilePage() {
   const qc = useQueryClient();
   const { data, isLoading, error } = useQuery({
@@ -27,6 +69,11 @@ export function CreatorMyProfilePage() {
   const [handle, setHandle] = useState('');
   const [avatarUrl, setAvatarUrl] = useState('');
   const [bio, setBio] = useState('');
+  const [categories, setCategories] = useState<string[]>([]);
+  const [audienceLocations, setAudienceLocations] = useState<string[]>([]);
+  const [audienceAgeRange, setAudienceAgeRange] = useState<AgeRange | ''>('');
+  const [portfolioLinks, setPortfolioLinks] = useState<string[]>([]);
+  const [pastBrandsRaw, setPastBrandsRaw] = useState('');
 
   useEffect(() => {
     if (data) {
@@ -34,65 +81,143 @@ export function CreatorMyProfilePage() {
       setHandle(data.handle ?? '');
       setAvatarUrl(data.avatarUrl ?? '');
       setBio(data.bio ?? '');
+      setCategories(data.categories ?? []);
+      setAudienceLocations(data.audienceLocations ?? []);
+      setAudienceAgeRange((data.audienceAgeRange ?? '') as AgeRange | '');
+      setPortfolioLinks(data.portfolioLinks ?? []);
+      setPastBrandsRaw((data.pastBrands ?? []).join(', '));
     }
   }, [data]);
 
   const save = useMutation({
-    mutationFn: () =>
-      creatorApi('/creators/me', {
+    mutationFn: () => {
+      const pastBrands = pastBrandsRaw
+        .split(',')
+        .map((s) => s.trim())
+        .filter(Boolean);
+      return creatorApi('/creators/me', {
         method: 'PATCH',
         body: {
           name: name || undefined,
           handle: handle || null,
           avatarUrl: avatarUrl || null,
           bio: bio || null,
+          categories,
+          audienceLocations,
+          audienceAgeRange: audienceAgeRange || null,
+          portfolioLinks: portfolioLinks.filter((u) => u.trim()),
+          pastBrands,
         },
-      }),
+      });
+    },
     onSuccess: () => qc.invalidateQueries({ queryKey: ['creator-my-profile'] }),
   });
 
   return (
-    <Page title="Profile" subtitle="How vendors see you across the Network.">
+    <Page title="Profile" subtitle="How vendors see you across the Network. Richer profile = better matches.">
       <ErrorBanner error={error} />
       <ErrorBanner error={save.error} />
       {isLoading ? (
         <Card>Loading…</Card>
       ) : data ? (
-        <Card>
-          <div style={{ display: 'grid', gap: 12, maxWidth: 520 }}>
-            <div>
-              <Label>Email</Label>
-              <Input value={data.email} disabled readOnly />
-              <p style={{ color: theme.textMuted, fontSize: 12, marginTop: 4 }}>
-                Email is the join key across vendors and can&rsquo;t be changed here.
-              </p>
-            </div>
-            <div>
-              <Label>Display name</Label>
-              <Input value={name} onChange={(e) => setName(e.target.value)} />
-            </div>
-            <div>
-              <Label>Handle</Label>
-              <Input value={handle} onChange={(e) => setHandle(e.target.value)} placeholder="your-handle" />
-              <p style={{ color: theme.textMuted, fontSize: 12, marginTop: 4 }}>
-                Used as your default share-link slug.
-              </p>
+        <>
+          <Card>
+            <div style={{ fontSize: 14, fontWeight: 500, marginBottom: 12 }}>Basics</div>
+            <div style={{ display: 'grid', gap: 12, maxWidth: 520 }}>
+              <Field label="Email" hint="Email is the join key across vendors and can't be changed here.">
+                <Input value={data.email} disabled readOnly />
+              </Field>
+              <Field label="Display name">
+                <Input value={name} onChange={(e) => setName(e.target.value)} />
+              </Field>
+              <Field label="Handle" hint="Used as your default share-link slug and your /creators/<handle> URL.">
+                <Input value={handle} onChange={(e) => setHandle(e.target.value)} placeholder="your-handle" />
+              </Field>
+              <Field label="Avatar URL">
+                <Input value={avatarUrl} onChange={(e) => setAvatarUrl(e.target.value)} placeholder="https://…" />
+              </Field>
+              <Field label="Bio">
+                <Textarea value={bio} onChange={(e) => setBio(e.target.value)} rows={4} />
+              </Field>
             </div>
-            <div>
-              <Label>Avatar URL</Label>
-              <Input value={avatarUrl} onChange={(e) => setAvatarUrl(e.target.value)} placeholder="https://…" />
+          </Card>
+
+          <div style={{ height: 14 }} />
+
+          <Card>
+            <div style={{ fontSize: 14, fontWeight: 500, marginBottom: 4 }}>Audience</div>
+            <p style={{ fontSize: 13, color: theme.textMuted, margin: '0 0 14px' }}>
+              Help brands decide whether you&rsquo;re a fit. Self-reported for now &mdash; verified
+              numbers come once you connect platforms (coming soon).
+            </p>
+            <div style={{ display: 'grid', gap: 14 }}>
+              <Field label="Categories" hint="Pick the niches you create in. Brands filter by these.">
+                <CategoryChips selected={categories} onChange={setCategories} />
+              </Field>
+              <Field label="Audience locations" hint="Top countries your audience comes from. ISO-3166 alpha-2 codes (e.g. US, CA, GB), max 5, comma-separated.">
+                <CommaTokens
+                  value={audienceLocations.join(', ')}
+                  onChange={(v) => setAudienceLocations(v.split(',').map((s) => s.trim().toUpperCase()).filter((s) => /^[A-Z]{2}$/.test(s)).slice(0, 5))}
+                  placeholder="US, CA, GB"
+                />
+              </Field>
+              <Field label="Audience age range" hint="Single bucket — finer slicing comes with verified platform connections.">
+                <Select
+                  value={audienceAgeRange}
+                  onChange={(e) => setAudienceAgeRange(e.target.value as AgeRange | '')}
+                >
+                  <option value="">— pick a range —</option>
+                  {AGE_RANGES.map((r) => <option key={r} value={r}>{r}</option>)}
+                </Select>
+              </Field>
             </div>
-            <div>
-              <Label>Bio</Label>
-              <Textarea value={bio} onChange={(e) => setBio(e.target.value)} rows={4} />
+          </Card>
+
+          <div style={{ height: 14 }} />
+
+          <Card>
+            <div style={{ fontSize: 14, fontWeight: 500, marginBottom: 4 }}>Portfolio</div>
+            <p style={{ fontSize: 13, color: theme.textMuted, margin: '0 0 14px' }}>
+              A handful of links + past brand collaborations. Brands skim these to gauge fit and credibility.
+            </p>
+            <div style={{ display: 'grid', gap: 14 }}>
+              <Field label="Sample links (max 6)" hint="Best posts / videos / case studies. URLs only.">
+                <UrlList value={portfolioLinks} onChange={setPortfolioLinks} max={6} placeholder="https://…" />
+              </Field>
+              <Field label="Past brand collaborations" hint="Comma-separated. Free text — no need to be exhaustive.">
+                <Input
+                  value={pastBrandsRaw}
+                  onChange={(e) => setPastBrandsRaw(e.target.value)}
+                  placeholder="Notion, Linear, MongoDB"
+                />
+              </Field>
             </div>
-            <div>
+          </Card>
+
+          <div style={{ height: 14 }} />
+
+          <PlatformsCard />
+
+          <div style={{ height: 14 }} />
+
+          <Card>
+            <div style={{ display: 'flex', gap: 8, alignItems: 'center' }}>
               <Button onClick={() => save.mutate()} disabled={save.isPending}>
-                {save.isPending ? 'Saving…' : save.isSuccess ? 'Saved' : 'Save changes'}
+                {save.isPending ? 'Saving…' : save.isSuccess ? 'Saved' : 'Save profile'}
               </Button>
+              {data.handle && (
+                <a
+                  href={`/creators/${data.handle}`}
+                  target="_blank"
+                  rel="noopener noreferrer"
+                  style={{ color: theme.accent, fontSize: 13, marginLeft: 4 }}
+                >
+                  View public profile →
+                </a>
+              )}
             </div>
-          </div>
-        </Card>
+          </Card>
+        </>
       ) : null}
       <div style={{ height: 18 }} />
       <CreatorDangerZone email={data?.email ?? ''} pendingDeletionAt={(data as Profile & { pendingDeletionAt?: string | null })?.pendingDeletionAt ?? null} />
@@ -100,6 +225,220 @@ export function CreatorMyProfilePage() {
   );
 }
 
+function Field({ label, hint, children }: { label: string; hint?: string; children: React.ReactNode }) {
+  return (
+    <div>
+      <Label>{label}</Label>
+      {children}
+      {hint && <p style={{ color: theme.textMuted, fontSize: 12, marginTop: 4, marginBottom: 0 }}>{hint}</p>}
+    </div>
+  );
+}
+
+function CategoryChips({ selected, onChange }: { selected: string[]; onChange: (v: string[]) => void }) {
+  function toggle(c: string) {
+    onChange(selected.includes(c) ? selected.filter((x) => x !== c) : [...selected, c]);
+  }
+  return (
+    <div style={{ display: 'flex', flexWrap: 'wrap', gap: 6 }}>
+      {CATEGORIES.map((c) => {
+        const on = selected.includes(c);
+        return (
+          <button
+            key={c}
+            type="button"
+            onClick={() => toggle(c)}
+            style={{
+              padding: '5px 10px',
+              borderRadius: 14,
+              border: `1px solid ${on ? theme.accent : theme.borderSubtle}`,
+              background: on ? `${theme.accent}22` : theme.surface2,
+              color: on ? theme.accent : theme.textMuted,
+              fontSize: 12,
+              cursor: 'pointer',
+              fontWeight: on ? 500 : 400,
+            }}
+          >
+            {c}
+          </button>
+        );
+      })}
+    </div>
+  );
+}
+
+function CommaTokens({ value, onChange, placeholder }: { value: string; onChange: (v: string) => void; placeholder?: string }) {
+  return <Input value={value} onChange={(e) => onChange(e.target.value)} placeholder={placeholder} />;
+}
+
+function UrlList({ value, onChange, max, placeholder }: { value: string[]; onChange: (v: string[]) => void; max: number; placeholder: string }) {
+  function update(i: number, v: string) {
+    onChange(value.map((x, j) => (j === i ? v : x)));
+  }
+  function remove(i: number) {
+    onChange(value.filter((_, j) => j !== i));
+  }
+  function add() {
+    if (value.length >= max) return;
+    onChange([...value, '']);
+  }
+  return (
+    <div style={{ display: 'flex', flexDirection: 'column', gap: 6 }}>
+      {value.map((v, i) => (
+        <div key={i} style={{ display: 'flex', gap: 6 }}>
+          <Input value={v} onChange={(e) => update(i, e.target.value)} placeholder={placeholder} />
+          <button
+            type="button"
+            onClick={() => remove(i)}
+            style={{
+              background: 'transparent',
+              border: `1px solid ${theme.borderSubtle}`,
+              borderRadius: theme.radiusSm,
+              padding: '0 10px',
+              color: theme.textMuted,
+              cursor: 'pointer',
+            }}
+          >
+            <X size={14} />
+          </button>
+        </div>
+      ))}
+      {value.length < max && (
+        <button
+          type="button"
+          onClick={add}
+          style={{
+            display: 'inline-flex',
+            alignItems: 'center',
+            gap: 6,
+            background: 'transparent',
+            border: `1px dashed ${theme.borderSubtle}`,
+            borderRadius: theme.radiusSm,
+            padding: '8px 12px',
+            color: theme.textMuted,
+            cursor: 'pointer',
+            fontSize: 13,
+            alignSelf: 'flex-start',
+          }}
+        >
+          <Plus size={14} /> Add link
+        </button>
+      )}
+    </div>
+  );
+}
+
+/** Platforms gets its own data lifecycle — each row is a separate
+ *  PUT/DELETE on Network rather than a bulk PATCH, since users add /
+ *  remove platforms one at a time and we want optimistic per-row save
+ *  feedback. */
+function PlatformsCard() {
+  const qc = useQueryClient();
+  const list = useQuery({
+    queryKey: ['creator-my-platforms'],
+    queryFn: () => creatorApi<{ platforms: PlatformRow[] }>('/creators/me/platforms'),
+    retry: false,
+  });
+
+  return (
+    <Card>
+      <div style={{ fontSize: 14, fontWeight: 500, marginBottom: 4 }}>Platforms</div>
+      <p style={{ fontSize: 13, color: theme.textMuted, margin: '0 0 14px' }}>
+        Where you publish + your audience size on each. Self-reported &mdash; verified numbers
+        come when you connect platforms (coming soon).
+      </p>
+      {list.isLoading ? (
+        <p style={{ color: theme.textMuted, fontSize: 13 }}>Loading…</p>
+      ) : (
+        <div style={{ display: 'grid', gap: 10 }}>
+          {PLATFORMS.map((p) => {
+            const existing = list.data?.platforms.find((r) => r.platform === p.kind);
+            return (
+              <PlatformRowEditor
+                key={p.kind}
+                platform={p.kind}
+                label={p.label}
+                placeholder={p.placeholder}
+                existing={existing}
+                onChanged={() => qc.invalidateQueries({ queryKey: ['creator-my-platforms'] })}
+              />
+            );
+          })}
+        </div>
+      )}
+    </Card>
+  );
+}
+
+function PlatformRowEditor({
+  platform,
+  label,
+  placeholder,
+  existing,
+  onChanged,
+}: {
+  platform: Platform;
+  label: string;
+  placeholder: string;
+  existing?: PlatformRow;
+  onChanged: () => void;
+}) {
+  const [handle, setHandle] = useState(existing?.handle ?? '');
+  const [followerCount, setFollowerCount] = useState<number | ''>(existing?.followerCount ?? '');
+
+  useEffect(() => {
+    setHandle(existing?.handle ?? '');
+    setFollowerCount(existing?.followerCount ?? '');
+  }, [existing?.handle, existing?.followerCount]);
+
+  const save = useMutation({
+    mutationFn: () =>
+      creatorApi(`/creators/me/platforms/${platform}`, {
+        method: 'PUT',
+        body: { handle: handle.trim(), followerCount: followerCount === '' ? null : Number(followerCount) },
+      }),
+    onSuccess: onChanged,
+  });
+  const remove = useMutation({
+    mutationFn: () => creatorApi(`/creators/me/platforms/${platform}`, { method: 'DELETE' }),
+    onSuccess: onChanged,
+  });
+
+  const dirty = handle.trim() !== (existing?.handle ?? '') || (followerCount === '' ? null : Number(followerCount)) !== (existing?.followerCount ?? null);
+
+  return (
+    <div style={{ display: 'grid', gridTemplateColumns: '110px 1fr 140px auto', gap: 8, alignItems: 'center' }}>
+      <div style={{ fontSize: 13, color: theme.text }}>{label}</div>
+      <Input value={handle} onChange={(e) => setHandle(e.target.value)} placeholder={placeholder} style={{ fontFamily: theme.fontMono, fontSize: 13 }} />
+      <Input
+        type="number"
+        value={followerCount}
+        onChange={(e) => setFollowerCount(e.target.value === '' ? '' : Number(e.target.value))}
+        placeholder="followers"
+        style={{ fontSize: 13 }}
+      />
+      <div style={{ display: 'flex', gap: 6 }}>
+        <Button
+          onClick={() => save.mutate()}
+          disabled={!handle.trim() || !dirty || save.isPending}
+          variant="secondary"
+        >
+          {save.isPending ? '…' : existing ? 'Update' : 'Add'}
+        </Button>
+        {existing && (
+          <Button
+            onClick={() => remove.mutate()}
+            disabled={remove.isPending}
+            variant="danger"
+          >
+            <X size={14} />
+          </Button>
+        )}
+      </div>
+    </div>
+  );
+}
+
 function CreatorDangerZone({ email, pendingDeletionAt }: { email: string; pendingDeletionAt: string | null }) {
   const qc = useQueryClient();
   const [confirmEmail, setConfirmEmail] = useState('');
diff --git a/apps/portal/src/pages/creator/CreatorPublicProfile.tsx b/apps/portal/src/pages/creator/CreatorPublicProfile.tsx
new file mode 100644
index 0000000..2b32ce1
--- /dev/null
+++ b/apps/portal/src/pages/creator/CreatorPublicProfile.tsx
@@ -0,0 +1,228 @@
+/**
+ * Public creator profile at /creators/:handle. No signin required —
+ * brands and the open web can browse before/without applying. Hits
+ * the Network's /creators/by-handle/:handle through the openpartner
+ * proxy (which runs anonymously for that route).
+ */
+import { useQuery } from '@tanstack/react-query';
+import { Link, useParams } from 'react-router-dom';
+import { ExternalLink, Globe } from 'lucide-react';
+import { Card, ErrorBanner, EmptyState } from '../../ui.js';
+import { theme } from '../../theme.js';
+import { creatorApi, ApiError } from './creator-api.js';
+
+interface PlatformRow {
+  id: string;
+  platform: string;
+  handle: string;
+  profileUrl: string | null;
+  followerCount: number | null;
+  verified: boolean;
+}
+
+interface PublicProfile {
+  id: string;
+  name: string;
+  handle: string;
+  avatarUrl: string | null;
+  bio: string | null;
+  categories: string[];
+  audienceLocations: string[];
+  audienceAgeRange: string | null;
+  portfolioLinks: string[];
+  pastBrands: string[];
+  platforms: PlatformRow[];
+}
+
+const PLATFORM_LABELS: Record<string, string> = {
+  tiktok: 'TikTok',
+  instagram: 'Instagram',
+  youtube: 'YouTube',
+  twitter: 'X / Twitter',
+  linkedin: 'LinkedIn',
+  substack: 'Substack',
+  twitch: 'Twitch',
+  podcast: 'Podcast',
+  website: 'Website',
+};
+
+export function CreatorPublicProfilePage() {
+  const { handle } = useParams<{ handle: string }>();
+  const { data, isLoading, error } = useQuery({
+    queryKey: ['creator-public', handle],
+    queryFn: () => creatorApi<PublicProfile>(`/creators/by-handle/${encodeURIComponent(handle ?? '')}`),
+    enabled: !!handle,
+    retry: false,
+  });
+
+  if (error instanceof ApiError && error.status === 404) {
+    return (
+      <Shell>
+        <EmptyState title={`No creator @${handle}`} hint="Maybe a typo? Or they haven't filled in a handle yet." icon={<Globe size={28} strokeWidth={1.25} />} />
+      </Shell>
+    );
+  }
+  if (isLoading) {
+    return <Shell><Card>Loading…</Card></Shell>;
+  }
+  if (!data) {
+    return <Shell><ErrorBanner error={error} /></Shell>;
+  }
+
+  const totalReach = data.platforms.reduce((sum, p) => sum + (p.followerCount ?? 0), 0);
+
+  return (
+    <Shell>
+      <Card>
+        <div style={{ display: 'flex', alignItems: 'flex-start', gap: 16 }}>
+          {data.avatarUrl ? (
+            <img
+              src={data.avatarUrl}
+              alt={data.name}
+              style={{ width: 72, height: 72, borderRadius: '50%', objectFit: 'cover', background: theme.surface2 }}
+            />
+          ) : (
+            <div style={{ width: 72, height: 72, borderRadius: '50%', background: theme.accent, color: theme.accentInk, display: 'flex', alignItems: 'center', justifyContent: 'center', fontSize: 28, fontWeight: 600 }}>
+              {data.name.charAt(0).toUpperCase()}
+            </div>
+          )}
+          <div style={{ flex: 1, minWidth: 0 }}>
+            <h1 style={{ margin: 0, fontSize: 22 }}>{data.name}</h1>
+            <div style={{ color: theme.textMuted, fontSize: 13, fontFamily: theme.fontMono, marginTop: 4 }}>@{data.handle}</div>
+            {data.categories.length > 0 && (
+              <div style={{ display: 'flex', flexWrap: 'wrap', gap: 6, marginTop: 10 }}>
+                {data.categories.map((c) => (
+                  <span key={c} style={{ background: theme.surface2, color: theme.textMuted, fontSize: 11, padding: '2px 8px', borderRadius: 12 }}>
+                    {c}
+                  </span>
+                ))}
+              </div>
+            )}
+          </div>
+        </div>
+        {data.bio && <p style={{ marginTop: 16, fontSize: 14, color: theme.text, lineHeight: 1.5 }}>{data.bio}</p>}
+      </Card>
+
+      {(data.platforms.length > 0 || totalReach > 0) && (
+        <>
+          <div style={{ height: 14 }} />
+          <Card>
+            <div style={{ display: 'flex', alignItems: 'baseline', gap: 12, marginBottom: 12 }}>
+              <h3 style={{ margin: 0, fontSize: 15, fontWeight: 500 }}>Platforms</h3>
+              {totalReach > 0 && (
+                <span style={{ color: theme.textMuted, fontSize: 13 }}>
+                  Total self-reported reach: <strong style={{ color: theme.text }}>{totalReach.toLocaleString()}</strong>
+                </span>
+              )}
+            </div>
+            <div style={{ display: 'grid', gap: 8 }}>
+              {data.platforms.map((p) => (
+                <a
+                  key={p.id}
+                  href={p.profileUrl ?? '#'}
+                  target="_blank"
+                  rel="noopener noreferrer"
+                  style={{
+                    display: 'flex',
+                    alignItems: 'center',
+                    gap: 12,
+                    padding: '10px 12px',
+                    background: theme.surface2,
+                    border: `1px solid ${theme.borderSubtle}`,
+                    borderRadius: theme.radiusSm,
+                    textDecoration: 'none',
+                    color: theme.text,
+                  }}
+                >
+                  <div style={{ width: 100, fontSize: 13, color: theme.textMuted }}>
+                    {PLATFORM_LABELS[p.platform] ?? p.platform}
+                  </div>
+                  <div style={{ flex: 1, fontFamily: theme.fontMono, fontSize: 13 }}>{p.handle}</div>
+                  {p.followerCount != null && (
+                    <div style={{ fontSize: 13, color: theme.textMuted }}>
+                      {p.followerCount.toLocaleString()} followers
+                    </div>
+                  )}
+                  <ExternalLink size={14} style={{ color: theme.textDim }} />
+                </a>
+              ))}
+            </div>
+          </Card>
+        </>
+      )}
+
+      {(data.audienceLocations.length > 0 || data.audienceAgeRange) && (
+        <>
+          <div style={{ height: 14 }} />
+          <Card>
+            <h3 style={{ marginTop: 0, marginBottom: 12, fontSize: 15, fontWeight: 500 }}>Audience</h3>
+            <div style={{ display: 'flex', flexWrap: 'wrap', gap: 24 }}>
+              {data.audienceLocations.length > 0 && (
+                <Stat label="Top countries" value={data.audienceLocations.join(' · ')} />
+              )}
+              {data.audienceAgeRange && (
+                <Stat label="Age range" value={data.audienceAgeRange} />
+              )}
+            </div>
+          </Card>
+        </>
+      )}
+
+      {data.portfolioLinks.length > 0 && (
+        <>
+          <div style={{ height: 14 }} />
+          <Card>
+            <h3 style={{ marginTop: 0, marginBottom: 12, fontSize: 15, fontWeight: 500 }}>Sample work</h3>
+            <ul style={{ margin: 0, paddingLeft: 18, display: 'flex', flexDirection: 'column', gap: 6 }}>
+              {data.portfolioLinks.map((u) => (
+                <li key={u} style={{ fontSize: 13, wordBreak: 'break-all' }}>
+                  <a href={u} target="_blank" rel="noopener noreferrer" style={{ color: theme.accent }}>{u}</a>
+                </li>
+              ))}
+            </ul>
+          </Card>
+        </>
+      )}
+
+      {data.pastBrands.length > 0 && (
+        <>
+          <div style={{ height: 14 }} />
+          <Card>
+            <h3 style={{ marginTop: 0, marginBottom: 12, fontSize: 15, fontWeight: 500 }}>Past collaborations</h3>
+            <div style={{ display: 'flex', flexWrap: 'wrap', gap: 6 }}>
+              {data.pastBrands.map((b) => (
+                <span key={b} style={{ background: theme.surface2, color: theme.text, fontSize: 13, padding: '4px 10px', borderRadius: 12, border: `1px solid ${theme.borderSubtle}` }}>
+                  {b}
+                </span>
+              ))}
+            </div>
+          </Card>
+        </>
+      )}
+    </Shell>
+  );
+}
+
+function Stat({ label, value }: { label: string; value: string }) {
+  return (
+    <div>
+      <div style={{ fontSize: 11, color: theme.textDim, textTransform: 'uppercase', letterSpacing: '0.05em', marginBottom: 4 }}>
+        {label}
+      </div>
+      <div style={{ fontSize: 14, color: theme.text }}>{value}</div>
+    </div>
+  );
+}
+
+function Shell({ children }: { children: React.ReactNode }) {
+  return (
+    <div style={{ minHeight: '100vh', background: theme.bg, padding: '40px 20px' }}>
+      <div style={{ maxWidth: 720, margin: '0 auto' }}>
+        <div style={{ marginBottom: 24, fontSize: 13 }}>
+          <Link to="/" style={{ color: theme.textMuted, textDecoration: 'none' }}>← OpenPartner</Link>
+        </div>
+        {children}
+      </div>
+    </div>
+  );
+}

From e8aa29478a7a0eaa90ed95b134f946f379e1dffb Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 14:55:21 -0700
Subject: [PATCH 085/131] feat(network): proxy creator-directory search to
 brand admins

Adds networkProxy.discoverCreators (forwards the querystring verbatim
so we don't have to mirror Network's filter schema in two places) and
mounts /admin/network/discover/creators on settings.ts under
requireAdmin. Vendor token + scopedKey handling is unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/network-client.ts  | 13 +++++++++++++
 apps/api/src/routes/settings.ts |  7 +++++++
 2 files changed, 20 insertions(+)

diff --git a/apps/api/src/network-client.ts b/apps/api/src/network-client.ts
index 8be5753..956b21c 100644
--- a/apps/api/src/network-client.ts
+++ b/apps/api/src/network-client.ts
@@ -514,6 +514,19 @@ export const networkProxy = {
       '/vendors/me',
     ),
 
+  /** Brand-side creator discovery — search the Network's creator
+   *  directory with full-text + filter params. The querystring is
+   *  forwarded verbatim, so the brand UI can pass whatever Network's
+   *  schema accepts (q, categories, locations, platforms, minFollowers,
+   *  maxFollowers, minRevenue90d, sort, limit). */
+  discoverCreators: (db: Knex, tenantId: string, querystring: string) =>
+    callNetwork<{ creators: unknown[] }>(
+      db,
+      tenantId,
+      'GET',
+      `/vendors/me/discover/creators${querystring ? `?${querystring}` : ''}`,
+    ),
+
   // Billing — same pattern (vendor token held server-side, portal can't
   // hit Stripe directly). Forwards body straight through; the Network's
   // route does all validation.
diff --git a/apps/api/src/routes/settings.ts b/apps/api/src/routes/settings.ts
index 928a0e8..21f71ab 100644
--- a/apps/api/src/routes/settings.ts
+++ b/apps/api/src/routes/settings.ts
@@ -488,6 +488,13 @@ settingsRouter.post('/admin/network/requests/:id/reject', requireAuth, requireAd
   proxy(req, res, (db, tenantId) => networkProxy.rejectRequest(db, tenantId, req.params.id!, req.body ?? {})),
 );
 
+// Brand-side creator discovery — vendor-authenticated proxy passes the
+// browser's querystring straight through to Network's directory endpoint.
+settingsRouter.get('/admin/network/discover/creators', requireAuth, requireAdmin, async (req, res) => {
+  const qs = req.url.includes('?') ? req.url.slice(req.url.indexOf('?') + 1) : '';
+  return proxy(req, res, (db, tenantId) => networkProxy.discoverCreators(db, tenantId, qs));
+});
+
 // ---------- Network billing proxy ----------
 // Self-hosted vendors subscribe to Network access ($29/mo + 3% metered)
 // from this admin surface. Hosted vendors get bundled with their main

From 141017d972f15c12f7728cbc9c8bf945d97bfcf9 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 14:59:58 -0700
Subject: [PATCH 086/131] feat(admin-portal): brand-side creator discovery
 directory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

New page /admin/network/creators in the brand admin under the Network
section. Filters: text search, categories (chip multiselect),
platforms (chip multiselect), audience locations (ISO codes),
min total followers, min 90-day revenue. Sorts by 90-day revenue,
total followers, newest, or name.

Each creator card shows avatar + handle, top 4 categories, platform
list with total reach, 90-day revenue + clicks (the unique angle vs
Modash/Aspire — actual conversion data), short bio, and a "View
profile" CTA that opens /creators/<handle> in a new tab.

Sidebar nav entry "Discover creators" appears alongside Offerings /
Requests / Billing once the brand is connected to the Network.

Closes Tier 3 of the creator-directory build.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/App.tsx                       |   3 +
 .../src/pages/admin/NetworkCreators.tsx       | 305 ++++++++++++++++++
 2 files changed, 308 insertions(+)
 create mode 100644 apps/portal/src/pages/admin/NetworkCreators.tsx

diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index 001ffac..81b65ed 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -40,6 +40,7 @@ import { AdminNetwork } from './pages/admin/Network.js';
 import { AdminNetworkComplete } from './pages/admin/NetworkComplete.js';
 import { AdminNetworkOfferings } from './pages/admin/NetworkOfferings.js';
 import { AdminNetworkRequests } from './pages/admin/NetworkRequests.js';
+import { AdminNetworkCreators } from './pages/admin/NetworkCreators.js';
 import { AdminNetworkBilling } from './pages/admin/NetworkBilling.js';
 import { DiscoverPage } from './pages/partner/Discover.js';
 import { OfferingDetailPage } from './pages/partner/OfferingDetail.js';
@@ -188,6 +189,7 @@ function Shell() {
               <Route path="admin/network/complete" element={<AdminNetworkComplete />} />
               <Route path="admin/network/offerings" element={<AdminNetworkOfferings />} />
               <Route path="admin/network/requests" element={<AdminNetworkRequests />} />
+              <Route path="admin/network/creators" element={<AdminNetworkCreators />} />
               <Route path="admin/network/billing" element={<AdminNetworkBilling />} />
             </>
           )}
@@ -428,6 +430,7 @@ function NetworkNav() {
         <>
           <NavItem to="/admin/network/offerings" icon={<Megaphone size={16} />}>Offerings</NavItem>
           <NavItem to="/admin/network/requests" icon={<Inbox size={16} />}>Requests</NavItem>
+          <NavItem to="/admin/network/creators" icon={<Users size={16} />}>Discover creators</NavItem>
           <NavItem to="/admin/network/billing" icon={<CreditCard size={16} />}>Billing</NavItem>
         </>
       )}
diff --git a/apps/portal/src/pages/admin/NetworkCreators.tsx b/apps/portal/src/pages/admin/NetworkCreators.tsx
new file mode 100644
index 0000000..ccc3b82
--- /dev/null
+++ b/apps/portal/src/pages/admin/NetworkCreators.tsx
@@ -0,0 +1,305 @@
+/**
+ * Brand-side creator discovery directory.
+ *
+ * Brand admins call /admin/network/discover/creators (which proxies to
+ * Network's /vendors/me/discover/creators) and browse a filtered grid
+ * of creator cards. Each card links to the public creator profile so
+ * the admin can read the full thing before deciding to invite. Unique
+ * angle vs Modash/Aspire: we have actual conversion data per creator.
+ */
+
+import { useEffect, useMemo, useState } from 'react';
+import { useQuery } from '@tanstack/react-query';
+import { Users } from 'lucide-react';
+import { api } from '../../api.js';
+import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page, Select } from '../../ui.js';
+import { theme } from '../../theme.js';
+
+interface PlatformRow {
+  id: string;
+  platform: string;
+  handle: string;
+  profileUrl: string | null;
+  followerCount: number | null;
+  verified: boolean;
+}
+
+interface DirectoryRow {
+  id: string;
+  name: string;
+  handle: string;
+  avatarUrl: string | null;
+  bio: string | null;
+  categories: string[];
+  audienceLocations: string[];
+  audienceAgeRange: string | null;
+  pastBrands: string[];
+  clicks90d: number;
+  conversions90d: number;
+  revenue90d: string;
+  commission90d: string;
+  topCategories: string[];
+  lastAggregatedAt: string | null;
+  createdAt: string;
+  platforms: PlatformRow[];
+  totalReach: number;
+}
+
+const CATEGORIES = [
+  'tech', 'business', 'finance', 'productivity', 'marketing', 'design',
+  'lifestyle', 'fitness', 'health', 'beauty', 'fashion', 'food', 'travel',
+  'gaming', 'music', 'art', 'photography', 'education', 'parenting',
+  'entertainment', 'news', 'sports',
+];
+
+const PLATFORMS = [
+  { value: 'tiktok', label: 'TikTok' },
+  { value: 'instagram', label: 'Instagram' },
+  { value: 'youtube', label: 'YouTube' },
+  { value: 'twitter', label: 'X / Twitter' },
+  { value: 'linkedin', label: 'LinkedIn' },
+  { value: 'substack', label: 'Substack' },
+  { value: 'twitch', label: 'Twitch' },
+  { value: 'podcast', label: 'Podcast' },
+  { value: 'website', label: 'Website' },
+];
+
+type SortKey = 'revenue' | 'followers' | 'newest' | 'name';
+
+export function AdminNetworkCreators() {
+  const [q, setQ] = useState('');
+  const [debouncedQ, setDebouncedQ] = useState('');
+  const [categories, setCategories] = useState<string[]>([]);
+  const [platforms, setPlatforms] = useState<string[]>([]);
+  const [locations, setLocations] = useState('');
+  const [minFollowers, setMinFollowers] = useState<number | ''>('');
+  const [minRevenue, setMinRevenue] = useState<number | ''>('');
+  const [sort, setSort] = useState<SortKey>('revenue');
+
+  useEffect(() => {
+    const t = window.setTimeout(() => setDebouncedQ(q.trim()), 250);
+    return () => window.clearTimeout(t);
+  }, [q]);
+
+  const qs = useMemo(() => {
+    const p = new URLSearchParams();
+    if (debouncedQ) p.set('q', debouncedQ);
+    if (categories.length > 0) p.set('categories', categories.join(','));
+    if (platforms.length > 0) p.set('platforms', platforms.join(','));
+    const cleanLocations = locations
+      .split(',')
+      .map((s) => s.trim().toUpperCase())
+      .filter((s) => /^[A-Z]{2}$/.test(s));
+    if (cleanLocations.length > 0) p.set('locations', cleanLocations.join(','));
+    if (minFollowers !== '' && minFollowers > 0) p.set('minFollowers', String(minFollowers));
+    if (minRevenue !== '' && minRevenue > 0) p.set('minRevenue90d', String(minRevenue));
+    if (sort !== 'revenue') p.set('sort', sort);
+    return p.toString();
+  }, [debouncedQ, categories, platforms, locations, minFollowers, minRevenue, sort]);
+
+  const list = useQuery({
+    queryKey: ['admin-discover-creators', qs],
+    queryFn: () => api<{ creators: DirectoryRow[] }>(`/admin/network/discover/creators${qs ? '?' + qs : ''}`),
+    retry: false,
+    staleTime: 30_000,
+  });
+
+  const rows = list.data?.creators ?? [];
+
+  return (
+    <Page
+      title="Discover creators"
+      subtitle="Browse the OpenPartner Network for creators who match your audience. Filter by category, platform, audience size, and past performance."
+    >
+      <ErrorBanner error={list.error} />
+      <Card>
+        <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fit, minmax(220px, 1fr))', gap: 14, marginBottom: 14 }}>
+          <div>
+            <Label>Search</Label>
+            <Input
+              value={q}
+              onChange={(e) => setQ(e.target.value)}
+              placeholder="Name, handle, bio…"
+            />
+          </div>
+          <div>
+            <Label>Sort</Label>
+            <Select value={sort} onChange={(e) => setSort(e.target.value as SortKey)}>
+              <option value="revenue">90-day revenue</option>
+              <option value="followers">Total followers</option>
+              <option value="newest">Newest</option>
+              <option value="name">Name (A-Z)</option>
+            </Select>
+          </div>
+          <div>
+            <Label>Min total followers</Label>
+            <Input
+              type="number"
+              value={minFollowers}
+              onChange={(e) => setMinFollowers(e.target.value === '' ? '' : Number(e.target.value))}
+              placeholder="e.g. 10000"
+            />
+          </div>
+          <div>
+            <Label>Min 90-day revenue ($)</Label>
+            <Input
+              type="number"
+              value={minRevenue}
+              onChange={(e) => setMinRevenue(e.target.value === '' ? '' : Number(e.target.value))}
+              placeholder="e.g. 500"
+            />
+          </div>
+          <div style={{ gridColumn: '1 / -1' }}>
+            <Label>Audience locations (ISO codes, comma-separated)</Label>
+            <Input
+              value={locations}
+              onChange={(e) => setLocations(e.target.value)}
+              placeholder="US, CA, GB"
+              style={{ fontFamily: theme.fontMono }}
+            />
+          </div>
+        </div>
+        <div>
+          <Label>Categories (creator must have all selected)</Label>
+          <ChipMultiSelect
+            options={CATEGORIES}
+            selected={categories}
+            onChange={setCategories}
+          />
+        </div>
+        <div style={{ marginTop: 12 }}>
+          <Label>Platforms (creator must have at least one)</Label>
+          <ChipMultiSelect
+            options={PLATFORMS.map((p) => p.value)}
+            labels={PLATFORMS.reduce<Record<string, string>>((acc, p) => { acc[p.value] = p.label; return acc; }, {})}
+            selected={platforms}
+            onChange={setPlatforms}
+          />
+        </div>
+      </Card>
+
+      <div style={{ height: 18 }} />
+
+      {list.isLoading ? (
+        <Card>Loading creators…</Card>
+      ) : rows.length === 0 ? (
+        <EmptyState
+          title="No creators match those filters"
+          hint={qs ? 'Loosen the filters, or check back as more creators join.' : 'No creators on the Network yet.'}
+          icon={<Users size={28} strokeWidth={1.25} />}
+        />
+      ) : (
+        <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fill, minmax(320px, 1fr))', gap: 14 }}>
+          {rows.map((r) => <CreatorCard key={r.id} creator={r} />)}
+        </div>
+      )}
+    </Page>
+  );
+}
+
+function CreatorCard({ creator }: { creator: DirectoryRow }) {
+  const revenue = Number(creator.revenue90d);
+  return (
+    <Card>
+      <div style={{ display: 'flex', alignItems: 'center', gap: 12, marginBottom: 10 }}>
+        {creator.avatarUrl ? (
+          <img src={creator.avatarUrl} alt={creator.name} style={{ width: 44, height: 44, borderRadius: '50%', objectFit: 'cover', background: theme.surface2 }} />
+        ) : (
+          <div style={{ width: 44, height: 44, borderRadius: '50%', background: theme.accent, color: theme.accentInk, display: 'flex', alignItems: 'center', justifyContent: 'center', fontSize: 18, fontWeight: 600 }}>
+            {creator.name.charAt(0).toUpperCase()}
+          </div>
+        )}
+        <div style={{ flex: 1, minWidth: 0 }}>
+          <div style={{ fontWeight: 500, whiteSpace: 'nowrap', overflow: 'hidden', textOverflow: 'ellipsis' }}>{creator.name}</div>
+          <div style={{ color: theme.textMuted, fontSize: 12, fontFamily: theme.fontMono }}>@{creator.handle}</div>
+        </div>
+      </div>
+      {creator.categories.length > 0 && (
+        <div style={{ display: 'flex', flexWrap: 'wrap', gap: 4, marginBottom: 8 }}>
+          {creator.categories.slice(0, 4).map((c) => (
+            <span key={c} style={{ background: theme.surface2, color: theme.textMuted, fontSize: 10, padding: '2px 7px', borderRadius: 10 }}>{c}</span>
+          ))}
+          {creator.categories.length > 4 && (
+            <span style={{ color: theme.textDim, fontSize: 10, padding: '2px 4px' }}>+{creator.categories.length - 4}</span>
+          )}
+        </div>
+      )}
+      {creator.platforms.length > 0 && (
+        <div style={{ fontSize: 12, color: theme.textMuted, marginBottom: 10 }}>
+          {creator.platforms.map((p) => p.platform).join(' · ')}
+          {creator.totalReach > 0 && (
+            <> · <strong style={{ color: theme.text }}>{creator.totalReach.toLocaleString()}</strong> reach</>
+          )}
+        </div>
+      )}
+      <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 8, marginBottom: 12 }}>
+        <Stat label="90d revenue" value={revenue > 0 ? `$${revenue.toLocaleString(undefined, { maximumFractionDigits: 0 })}` : '—'} accent={revenue > 0} />
+        <Stat label="90d clicks" value={creator.clicks90d > 0 ? creator.clicks90d.toLocaleString() : '—'} />
+      </div>
+      {creator.bio && (
+        <p style={{ fontSize: 13, color: theme.textMuted, margin: '0 0 12px', display: '-webkit-box', WebkitLineClamp: 2, WebkitBoxOrient: 'vertical', overflow: 'hidden' }}>
+          {creator.bio}
+        </p>
+      )}
+      <a
+        href={`/creators/${creator.handle}`}
+        target="_blank"
+        rel="noopener noreferrer"
+        style={{ textDecoration: 'none' }}
+      >
+        <Button variant="secondary" style={{ width: '100%' }}>View profile →</Button>
+      </a>
+    </Card>
+  );
+}
+
+function Stat({ label, value, accent }: { label: string; value: string; accent?: boolean }) {
+  return (
+    <div style={{ background: theme.surface2, border: `1px solid ${theme.borderSubtle}`, borderRadius: theme.radiusSm, padding: '8px 10px' }}>
+      <div style={{ fontSize: 10, color: theme.textDim, textTransform: 'uppercase', letterSpacing: '0.05em' }}>{label}</div>
+      <div style={{ fontSize: 14, fontWeight: 500, color: accent ? theme.success : theme.text, marginTop: 2 }}>{value}</div>
+    </div>
+  );
+}
+
+function ChipMultiSelect({
+  options,
+  labels,
+  selected,
+  onChange,
+}: {
+  options: string[];
+  labels?: Record<string, string>;
+  selected: string[];
+  onChange: (v: string[]) => void;
+}) {
+  function toggle(o: string) {
+    onChange(selected.includes(o) ? selected.filter((x) => x !== o) : [...selected, o]);
+  }
+  return (
+    <div style={{ display: 'flex', flexWrap: 'wrap', gap: 6 }}>
+      {options.map((o) => {
+        const on = selected.includes(o);
+        return (
+          <button
+            key={o}
+            type="button"
+            onClick={() => toggle(o)}
+            style={{
+              padding: '4px 10px',
+              borderRadius: 14,
+              border: `1px solid ${on ? theme.accent : theme.borderSubtle}`,
+              background: on ? `${theme.accent}22` : theme.surface2,
+              color: on ? theme.accent : theme.textMuted,
+              fontSize: 12,
+              cursor: 'pointer',
+              fontWeight: on ? 500 : 400,
+            }}
+          >
+            {labels?.[o] ?? o}
+          </button>
+        );
+      })}
+    </div>
+  );
+}

From 27a3505bf173d583a0f290bb02c21bf557441a3a Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 15:18:16 -0700
Subject: [PATCH 087/131] fix(creator-profile): keep audience locations as raw
 text while typing

The input was filtering each keystroke through /^[A-Z]{2}$/ + slice(5)
and writing the result back to state, which means a single character
like "U" got immediately filtered out (length 1) and the input wiped
itself. Same pattern as past brands now: keep a raw string in state
while typing, only split + normalize at save time.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../src/pages/creator/CreatorMyProfile.tsx    | 26 ++++++++++++-------
 1 file changed, 16 insertions(+), 10 deletions(-)

diff --git a/apps/portal/src/pages/creator/CreatorMyProfile.tsx b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
index f18c0cc..147c426 100644
--- a/apps/portal/src/pages/creator/CreatorMyProfile.tsx
+++ b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
@@ -70,7 +70,11 @@ export function CreatorMyProfilePage() {
   const [avatarUrl, setAvatarUrl] = useState('');
   const [bio, setBio] = useState('');
   const [categories, setCategories] = useState<string[]>([]);
-  const [audienceLocations, setAudienceLocations] = useState<string[]>([]);
+  // Audience locations is kept as a raw text string while the user is
+  // typing; we only split + normalize at save. Otherwise mid-keystroke
+  // values like "U" get filtered out as not-yet-2-chars and the input
+  // wipes itself.
+  const [audienceLocationsRaw, setAudienceLocationsRaw] = useState('');
   const [audienceAgeRange, setAudienceAgeRange] = useState<AgeRange | ''>('');
   const [portfolioLinks, setPortfolioLinks] = useState<string[]>([]);
   const [pastBrandsRaw, setPastBrandsRaw] = useState('');
@@ -82,7 +86,7 @@ export function CreatorMyProfilePage() {
       setAvatarUrl(data.avatarUrl ?? '');
       setBio(data.bio ?? '');
       setCategories(data.categories ?? []);
-      setAudienceLocations(data.audienceLocations ?? []);
+      setAudienceLocationsRaw((data.audienceLocations ?? []).join(', '));
       setAudienceAgeRange((data.audienceAgeRange ?? '') as AgeRange | '');
       setPortfolioLinks(data.portfolioLinks ?? []);
       setPastBrandsRaw((data.pastBrands ?? []).join(', '));
@@ -95,6 +99,11 @@ export function CreatorMyProfilePage() {
         .split(',')
         .map((s) => s.trim())
         .filter(Boolean);
+      const audienceLocations = audienceLocationsRaw
+        .split(',')
+        .map((s) => s.trim().toUpperCase())
+        .filter((s) => /^[A-Z]{2}$/.test(s))
+        .slice(0, 5);
       return creatorApi('/creators/me', {
         method: 'PATCH',
         body: {
@@ -154,11 +163,12 @@ export function CreatorMyProfilePage() {
               <Field label="Categories" hint="Pick the niches you create in. Brands filter by these.">
                 <CategoryChips selected={categories} onChange={setCategories} />
               </Field>
-              <Field label="Audience locations" hint="Top countries your audience comes from. ISO-3166 alpha-2 codes (e.g. US, CA, GB), max 5, comma-separated.">
-                <CommaTokens
-                  value={audienceLocations.join(', ')}
-                  onChange={(v) => setAudienceLocations(v.split(',').map((s) => s.trim().toUpperCase()).filter((s) => /^[A-Z]{2}$/.test(s)).slice(0, 5))}
+              <Field label="Audience locations" hint="Top countries your audience comes from. ISO-3166 alpha-2 codes (e.g. US, CA, GB), max 5, comma-separated. Validated on save.">
+                <Input
+                  value={audienceLocationsRaw}
+                  onChange={(e) => setAudienceLocationsRaw(e.target.value)}
                   placeholder="US, CA, GB"
+                  style={{ fontFamily: theme.fontMono }}
                 />
               </Field>
               <Field label="Audience age range" hint="Single bucket — finer slicing comes with verified platform connections.">
@@ -267,10 +277,6 @@ function CategoryChips({ selected, onChange }: { selected: string[]; onChange: (
   );
 }
 
-function CommaTokens({ value, onChange, placeholder }: { value: string; onChange: (v: string) => void; placeholder?: string }) {
-  return <Input value={value} onChange={(e) => onChange(e.target.value)} placeholder={placeholder} />;
-}
-
 function UrlList({ value, onChange, max, placeholder }: { value: string[]; onChange: (v: string[]) => void; max: number; placeholder: string }) {
   function update(i: number, v: string) {
     onChange(value.map((x, j) => (j === i ? v : x)));

From 5fd70e1e820877981c0742a0ded6de264a1fde3e Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 15:27:06 -0700
Subject: [PATCH 088/131] chore(portal): collapsible Admin + Network sidebar
 sections
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

  - Drop the "Yours" header — its items (Dashboard, Links, Commissions,
    Payouts, Stripe Connect) are now top-of-sidebar, no header.
  - NavSection grows collapsible + storageKey props. When collapsible,
    the header becomes a button with a rotating chevron and persists
    open/closed state to localStorage under op:nav-collapsed:<key>.
  - Default closed when collapsible (matches request).
  - Apply collapsible to Admin, partner-side Network, and brand-side
    Network. storageKey disambiguates the two "Network" sections.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/App.tsx | 102 ++++++++++++++++++++++++++++++++--------
 1 file changed, 83 insertions(+), 19 deletions(-)

diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index 81b65ed..1eb6572 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -18,6 +18,7 @@ import {
   Globe,
   Megaphone,
   Inbox,
+  ChevronRight,
 } from 'lucide-react';
 import { clearApiKey, api, type Principal } from './api.js';
 import { useTenantBase } from './tenant-base.js';
@@ -237,16 +238,17 @@ function Sidebar({ principal }: { principal: Principal }) {
       <PrincipalChip principal={principal} />
 
       <div style={{ flex: 1, display: 'flex', flexDirection: 'column', gap: 14, overflow: 'auto' }}>
-        <NavSection title="Yours">
+        {/* Top-level nav — no header, always visible. */}
+        <div style={{ display: 'flex', flexDirection: 'column', gap: 1 }}>
           <NavItem to="/" icon={<LayoutDashboard size={16} />}>Dashboard</NavItem>
           <NavItem to="/links" icon={<Link2 size={16} />}>Links</NavItem>
           <NavItem to="/commissions" icon={<Receipt size={16} />}>Commissions</NavItem>
           <NavItem to="/payouts" icon={<Banknote size={16} />}>Payouts</NavItem>
           {principal.role === 'partner' && <NavItem to="/connect" icon={<CreditCard size={16} />}>Stripe Connect</NavItem>}
-        </NavSection>
+        </div>
 
         {principal.role === 'partner' && (
-          <NavSection title="Network">
+          <NavSection title="Network" collapsible storageKey="partner-network">
             <NavItem to="/network/discover" icon={<Globe size={16} />}>Discover programs</NavItem>
             <NavItem to="/network/affiliations" icon={<Megaphone size={16} />}>My partnerships</NavItem>
             <NavItem to="/network/requests" icon={<Inbox size={16} />}>My applications</NavItem>
@@ -255,7 +257,7 @@ function Sidebar({ principal }: { principal: Principal }) {
         )}
 
         {principal.role === 'admin' && (
-          <NavSection title="Admin">
+          <NavSection title="Admin" collapsible storageKey="admin-admin">
             <NavItem to="/admin/partners" icon={<Users size={16} />}>Partners</NavItem>
             <NavItem to="/admin/campaigns" icon={<Tag size={16} />}>Campaigns</NavItem>
             <NavItem to="/admin/review" icon={<ShieldCheck size={16} />}>Review queue</NavItem>
@@ -390,22 +392,84 @@ function describePrincipal(p: Principal): { label: string; sublabel: string; ini
   };
 }
 
-function NavSection({ title, children }: { title: string; children: ReactNode }) {
+function NavSection({
+  title,
+  collapsible,
+  storageKey,
+  children,
+}: {
+  title: string;
+  collapsible?: boolean;
+  /** Required when collapsible — disambiguates sections that share a
+   *  title (e.g. partner-side vs brand-side "Network"). Persists the
+   *  open/closed state across page reloads. */
+  storageKey?: string;
+  children: ReactNode;
+}) {
+  // Default closed when collapsible — matches the user's stated
+  // preference. localStorage persists per storageKey across reloads.
+  const lsKey = storageKey ? `op:nav-collapsed:${storageKey}` : null;
+  const [collapsed, setCollapsed] = useState(() => {
+    if (!collapsible) return false;
+    if (typeof window === 'undefined' || !lsKey) return true;
+    const raw = window.localStorage.getItem(lsKey);
+    if (raw === '0') return false;
+    if (raw === '1') return true;
+    return true; // default-collapsed when no preference yet
+  });
+  function toggle() {
+    setCollapsed((prev) => {
+      const next = !prev;
+      if (lsKey && typeof window !== 'undefined') {
+        window.localStorage.setItem(lsKey, next ? '1' : '0');
+      }
+      return next;
+    });
+  }
+
+  const headerCommonStyle: React.CSSProperties = {
+    fontSize: 11,
+    color: theme.textDim,
+    textTransform: 'uppercase',
+    letterSpacing: '0.08em',
+    fontWeight: 600,
+    padding: '0 8px 8px',
+  };
+
   return (
     <div>
-      <div
-        style={{
-          fontSize: 11,
-          color: theme.textDim,
-          textTransform: 'uppercase',
-          letterSpacing: '0.08em',
-          fontWeight: 600,
-          padding: '0 8px 8px',
-        }}
-      >
-        {title}
-      </div>
-      <div style={{ display: 'flex', flexDirection: 'column', gap: 1 }}>{children}</div>
+      {collapsible ? (
+        <button
+          type="button"
+          onClick={toggle}
+          aria-expanded={!collapsed}
+          style={{
+            ...headerCommonStyle,
+            display: 'flex',
+            alignItems: 'center',
+            gap: 6,
+            width: '100%',
+            background: 'transparent',
+            border: 'none',
+            cursor: 'pointer',
+            font: 'inherit',
+          }}
+        >
+          <ChevronRight
+            size={11}
+            style={{
+              transform: collapsed ? 'rotate(0deg)' : 'rotate(90deg)',
+              transition: 'transform 100ms ease',
+            }}
+          />
+          {title}
+        </button>
+      ) : (
+        <div style={headerCommonStyle}>{title}</div>
+      )}
+      {!collapsed && (
+        <div style={{ display: 'flex', flexDirection: 'column', gap: 1 }}>{children}</div>
+      )}
     </div>
   );
 }
@@ -424,7 +488,7 @@ function NetworkNav() {
   });
   const connected = !!(data?.enabled && data.hasVendorToken);
   return (
-    <NavSection title="Network">
+    <NavSection title="Network" collapsible storageKey="admin-network">
       <NavItem to="/admin/network" icon={<Globe size={16} />}>{connected ? 'Connection' : 'Get connected'}</NavItem>
       {connected && (
         <>

From 74c95f9170f00f601608c9f27155a4fa6bb47edf Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 15:32:50 -0700
Subject: [PATCH 089/131] fix(portal): collapsible nav header inherits
 font-family only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

`font: inherit` is a shorthand that resets fontSize/letterSpacing/
fontWeight back to UA defaults — undoing the headerCommonStyle spread.
Switch to `fontFamily: inherit` so the size, weight, and tracking
that headerCommonStyle sets stick.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/App.tsx | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index 1eb6572..3760df6 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -452,7 +452,10 @@ function NavSection({
             background: 'transparent',
             border: 'none',
             cursor: 'pointer',
-            font: 'inherit',
+            // Only inherit font-family — the `font` shorthand would
+            // reset fontSize/letterSpacing/fontWeight back to the UA
+            // defaults (16px) and undo the headerCommonStyle spread.
+            fontFamily: 'inherit',
           }}
         >
           <ChevronRight

From f04b91818a047484ddbe8ffd10f98d4d5653f479 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 15:39:56 -0700
Subject: [PATCH 090/131] chore(portal): match Network admin page typography to
 rest of site
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Network admin used raw <p> + <h3> at browser-default sizes (16/18px)
and hardcoded grey hex colors — out of step with the 13/15px theme-
based body/heading pattern used everywhere else. Also missing the
14px gap between cards.

Wraps the panel siblings in a flex column with gap, sets explicit
fontSize 13 / 15 + theme.textMuted on body / titles, and swaps the
hardcoded #6b7280 / #1a6b1a / #b91c1c / #0d9488 hex strings for
theme.textMuted / theme.success / theme.danger / theme.accent so
the page picks up theme changes too.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/pages/admin/Network.tsx | 49 +++++++++++++------------
 1 file changed, 25 insertions(+), 24 deletions(-)

diff --git a/apps/portal/src/pages/admin/Network.tsx b/apps/portal/src/pages/admin/Network.tsx
index c40e9b0..04f37be 100644
--- a/apps/portal/src/pages/admin/Network.tsx
+++ b/apps/portal/src/pages/admin/Network.tsx
@@ -2,6 +2,7 @@ import { useEffect, useState } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { api, ApiError } from '../../api.js';
 import { Button, Card, ErrorBanner, Input, Label, Page } from '../../ui.js';
+import { theme } from '../../theme.js';
 
 interface NetworkMembership {
   enabled: boolean;
@@ -46,9 +47,9 @@ function NetworkConnection() {
   const connected = !!(membership?.enabled && membership.hasVendorToken);
 
   return (
-    <>
+    <div style={{ display: 'flex', flexDirection: 'column', gap: 14 }}>
       {error && <ErrorBanner error={"Couldn't load Network settings."} />}
-      {isLoading && <Card><p>Loading…</p></Card>}
+      {isLoading && <Card><p style={{ fontSize: 13, margin: 0, color: theme.textMuted }}>Loading…</p></Card>}
       {membership && (
         <>
           {!connected ? <ConnectForm membership={membership} /> : <ConnectedPanel membership={membership} />}
@@ -56,7 +57,7 @@ function NetworkConnection() {
           {connected && <BackfillPanel />}
         </>
       )}
-    </>
+    </div>
   );
 }
 
@@ -93,13 +94,13 @@ function ConnectForm({ membership }: { membership: NetworkMembership }) {
 
   return (
     <Card>
-      <h3 style={{ marginTop: 0 }}>Not connected</h3>
-      <p>
+      <h3 style={{ marginTop: 0, fontSize: 15, fontWeight: 500 }}>Not connected</h3>
+      <p style={{ fontSize: 13, color: theme.textMuted, marginTop: 0 }}>
         Get matched with creators on the OpenPartner Network. Once connected, your published offerings
         show up in creator discovery and applications come into your Requests queue.
       </p>
       {membership.networkUrl && (
-        <p style={{ fontSize: 13, color: '#6b7280' }}>
+        <p style={{ fontSize: 13, color: theme.textMuted, margin: '0 0 14px' }}>
           Network: <code>{membership.networkUrl}</code>
         </p>
       )}
@@ -111,9 +112,9 @@ function ConnectForm({ membership }: { membership: NetworkMembership }) {
           <Button onClick={() => auto.mutate()} disabled={auto.isPending}>
             {auto.isPending ? 'Connecting…' : 'List my brand on the Network'}
           </Button>
-          <p style={{ marginTop: 10, fontSize: 12, color: '#6b7280' }}>
+          <p style={{ marginTop: 10, fontSize: 12, color: theme.textDim }}>
             Self-host?{' '}
-            <button type="button" onClick={() => setShowManual(true)} style={{ background: 'transparent', border: 'none', color: '#0d9488', cursor: 'pointer', padding: 0 }}>
+            <button type="button" onClick={() => setShowManual(true)} style={{ background: 'transparent', border: 'none', color: theme.accent, cursor: 'pointer', padding: 0, font: 'inherit' }}>
               Use the email-verify flow instead
             </button>
           </p>
@@ -132,7 +133,7 @@ function ConnectForm({ membership }: { membership: NetworkMembership }) {
             {manual.isPending ? 'Sending…' : 'Send verification email'}
           </Button>
           {manual.isSuccess && (
-            <p style={{ marginTop: 12, color: '#1a6b1a' }}>
+            <p style={{ marginTop: 12, fontSize: 13, color: theme.success }}>
               Confirmation email sent. Click the link to finish connecting.
             </p>
           )}
@@ -150,19 +151,19 @@ function ConnectedPanel({ membership }: { membership: NetworkMembership }) {
   });
   return (
     <Card>
-      <h3 style={{ marginTop: 0, color: '#1a6b1a' }}>Connected ✓</h3>
-      <p style={{ marginBottom: 8 }}>
+      <h3 style={{ marginTop: 0, marginBottom: 8, fontSize: 15, fontWeight: 500, color: theme.success }}>Connected ✓</h3>
+      <p style={{ fontSize: 13, color: theme.textMuted, marginTop: 0, marginBottom: 8 }}>
         Network: <code>{membership.networkUrl}</code>
       </p>
-      {isLoading && <p style={{ color: '#6b7280', margin: 0 }}><em>Loading vendor profile…</em></p>}
+      {isLoading && <p style={{ fontSize: 13, color: theme.textMuted, margin: 0 }}><em>Loading vendor profile…</em></p>}
       {!isLoading && self && (
-        <p style={{ margin: 0 }}>
-          Listed as <strong>{self.displayName}</strong> · status: {self.status} · {self.partnerCount} active partners
+        <p style={{ fontSize: 13, color: theme.textMuted, margin: 0 }}>
+          Listed as <strong style={{ color: theme.text }}>{self.displayName}</strong> · status: {self.status} · {self.partnerCount} active partners
         </p>
       )}
       {!isLoading && error && (
         <div style={{ marginTop: 6 }}>
-          <div style={{ color: '#b91c1c', fontSize: 13 }}>
+          <div style={{ color: theme.danger, fontSize: 13 }}>
             Couldn&rsquo;t load vendor profile from the Network: {error instanceof Error ? error.message : String(error)}
           </div>
           <button
@@ -172,8 +173,8 @@ function ConnectedPanel({ membership }: { membership: NetworkMembership }) {
             style={{
               marginTop: 8,
               background: 'transparent',
-              color: '#0d9488',
-              border: '1px solid #0d9488',
+              color: theme.accent,
+              border: `1px solid ${theme.accent}`,
               borderRadius: 6,
               padding: '6px 12px',
               fontSize: 13,
@@ -196,13 +197,13 @@ function AutoEnrollPanel({ membership, onChange }: { membership: NetworkMembersh
   });
   return (
     <Card>
-      <h3 style={{ marginTop: 0 }}>Auto-enroll new partners</h3>
-      <p>
+      <h3 style={{ marginTop: 0, fontSize: 15, fontWeight: 500 }}>Auto-enroll new partners</h3>
+      <p style={{ fontSize: 13, color: theme.textMuted, marginTop: 0 }}>
         When ON, every partner created on this instance is automatically pushed to the Network. The Network
         dedups creators by email — the same person joining you and another vendor gets a single Network
         identity.
       </p>
-      <label style={{ display: 'flex', alignItems: 'center', gap: 8 }}>
+      <label style={{ display: 'flex', alignItems: 'center', gap: 8, fontSize: 13, color: theme.text }}>
         <input
           type="checkbox"
           checked={membership.autoEnroll}
@@ -226,8 +227,8 @@ function BackfillPanel() {
   useEffect(() => { setResult(null); }, []);
   return (
     <Card>
-      <h3 style={{ marginTop: 0 }}>Backfill existing partners</h3>
-      <p>
+      <h3 style={{ marginTop: 0, fontSize: 15, fontWeight: 500 }}>Backfill existing partners</h3>
+      <p style={{ fontSize: 13, color: theme.textMuted, marginTop: 0 }}>
         If you turned the Network on after onboarding partners, run this once to push the existing roster
         through email-keyed dedup. Pre-existing creators (already on the Network from another vendor) come
         back with a flag so you can see their cross-vendor presence.
@@ -237,8 +238,8 @@ function BackfillPanel() {
         {m.isPending ? 'Backfilling…' : 'Backfill now'}
       </Button>
       {result && (
-        <p style={{ marginTop: 12 }}>
-          Pushed <strong>{result.pushed}</strong> of <strong>{result.total}</strong>.
+        <p style={{ marginTop: 12, fontSize: 13, color: theme.textMuted }}>
+          Pushed <strong style={{ color: theme.text }}>{result.pushed}</strong> of <strong style={{ color: theme.text }}>{result.total}</strong>.
           {result.queued > 0 && <> {result.queued} queued for retry.</>}
         </p>
       )}

From 8f42ba4abe11b7baa1490081e909a44f84c54550 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 18:02:01 -0700
Subject: [PATCH 091/131] feat(dashboard): per-Link breakdown via
 ?includeLinks=true

Adds an opt-in per-Link breakdown to /partners/:id/dashboard. When
includeLinks=true, the response includes:

  links: [{ linkKey, clicks, attributedEvents, attributedRevenue }]

Sorted by attributed revenue desc (most useful for "what's working"
comparisons). Aggregated by Link.id then surfaced as linkKey, so a
deleted-and-recreated link with the same key shows as one row tied
to the current Link.

Lets the Network federate per-channel performance back to creators
so they can see "newsletter converted at 8%, TikTok bio at 0.3%"
without N round-trips per channel.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/dashboard.ts | 67 +++++++++++++++++++++++++++++++-
 1 file changed, 66 insertions(+), 1 deletion(-)

diff --git a/apps/api/src/routes/dashboard.ts b/apps/api/src/routes/dashboard.ts
index 54be433..d28cb32 100644
--- a/apps/api/src/routes/dashboard.ts
+++ b/apps/api/src/routes/dashboard.ts
@@ -1,5 +1,5 @@
 import { Router } from 'express';
-import { TABLES } from '@openpartner/db';
+import { TABLES, type LinkRow } from '@openpartner/db';
 import { grantScope, requireAuth, requirePartnerOrAdmin } from '../auth.js';
 import { tenantOf } from '../tenancy.js';
 
@@ -7,12 +7,17 @@ export const dashboardRouter = Router();
 
 // Partner dashboard — top-line counts, attributed revenue, commission by status.
 // Read-optimized via denormalized partnerId on Click/Attribution/Commission.
+//
+// Optional `?includeLinks=true` adds a per-Link breakdown so the partner /
+// creator portal can show channel-level performance ("newsletter converted
+// at 8%, TikTok bio at 0.3% — focus on the newsletter").
 dashboardRouter.get('/partners/:id/dashboard', requireAuth, grantScope('partners:read'), requirePartnerOrAdmin('id'), async (req, res) => {
   const { db } = tenantOf(req);
   const partnerId = req.params.id;
   const since = req.query.since
     ? new Date(String(req.query.since))
     : new Date(Date.now() - 30 * 24 * 60 * 60 * 1000);
+  const includeLinks = req.query.includeLinks === 'true' || req.query.includeLinks === '1';
 
   const [clicksRow] = await db(TABLES.Click)
     .where({ partnerId })
@@ -40,6 +45,65 @@ dashboardRouter.get('/partners/:id/dashboard', requireAuth, grantScope('partners
     .select('status')
     .sum({ amount: 'amount' })) as Array<{ status: string; amount: string | null }>;
 
+  let links: Array<{
+    linkKey: string;
+    clicks: number;
+    attributedEvents: number;
+    attributedRevenue: number;
+  }> | undefined;
+
+  if (includeLinks) {
+    // Per-Link breakdown: clicks via Click.linkId, conversions via the
+    // attribution → event join with the same linkId. We aggregate by
+    // Link (not by linkKey directly) so a deleted-and-recreated link
+    // with the same key shows as one row tied to the current Link.
+    // Then surface linkKey for display.
+    const partnerLinks = (await db<LinkRow>(TABLES.Link)
+      .where({ partnerId })
+      .select('id', 'linkKey')) as Array<Pick<LinkRow, 'id' | 'linkKey'>>;
+    const linkIds = partnerLinks.map((l) => l.id);
+
+    if (linkIds.length > 0) {
+      const clicksByLink = (await db(TABLES.Click)
+        .whereIn('linkId', linkIds)
+        .andWhere('ts', '>=', since)
+        .groupBy('linkId')
+        .select('linkId')
+        .count<{ linkId: string; count: string }[]>({ count: '*' })) as Array<{ linkId: string; count: string }>;
+
+      // Attribution rows don't carry linkId directly — they reference clickId.
+      // Join through Click + Event to get per-link conversion + revenue.
+      const eventsByLink = (await db(TABLES.Attribution)
+        .join(TABLES.Click, `${TABLES.Click}.id`, `${TABLES.Attribution}.clickId`)
+        .join(TABLES.Event, `${TABLES.Event}.id`, `${TABLES.Attribution}.eventId`)
+        .where(`${TABLES.Attribution}.partnerId`, partnerId)
+        .andWhere(`${TABLES.Attribution}.computedAt`, '>=', since)
+        .whereIn(`${TABLES.Click}.linkId`, linkIds)
+        .groupBy(`${TABLES.Click}.linkId`)
+        .select(`${TABLES.Click}.linkId as linkId`)
+        .select(
+          db.raw(`COUNT(DISTINCT "Attribution"."eventId") as events`),
+          db.raw(`COALESCE(SUM("Event".value * "Attribution".weight), 0) as revenue`),
+        )) as Array<{ linkId: string; events: string; revenue: string }>;
+
+      const clicksMap = new Map(clicksByLink.map((c) => [c.linkId, Number(c.count)]));
+      const eventsMap = new Map(eventsByLink.map((e) => [e.linkId, { events: Number(e.events), revenue: Number(e.revenue) }]));
+
+      links = partnerLinks
+        .map((l) => ({
+          linkKey: l.linkKey,
+          clicks: clicksMap.get(l.id) ?? 0,
+          attributedEvents: eventsMap.get(l.id)?.events ?? 0,
+          attributedRevenue: eventsMap.get(l.id)?.revenue ?? 0,
+        }))
+        // Sort by attributed revenue desc, then clicks desc — most useful
+        // surface for "what's working" comparisons.
+        .sort((a, b) => b.attributedRevenue - a.attributedRevenue || b.clicks - a.clicks);
+    } else {
+      links = [];
+    }
+  }
+
   res.json({
     partnerId,
     since: since.toISOString(),
@@ -49,5 +113,6 @@ dashboardRouter.get('/partners/:id/dashboard', requireAuth, grantScope('partners
     commissionByStatus: Object.fromEntries(
       commissionByStatus.map((r) => [r.status, Number(r.amount ?? 0)]),
     ),
+    ...(links !== undefined ? { links } : {}),
   });
 });

From 267fc4bb80d1f9e49cc50c91c2adc3356c064a40 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 18:07:04 -0700
Subject: [PATCH 092/131] feat(creator-portal): per-link breakdown on My
 partnerships
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Each affiliation card now requests ?includeLinks=true on its
earnings query and renders a per-Link breakdown table below the
top-line stats. Columns: link key, clicks, attributed events,
revenue, and CVR (conversion rate, highlighted in green at ≥1%).

Only shown when the creator has 2+ links with activity — single-link
partnerships keep the existing terse view. Footnote explains that
different links = different channels (newsletter vs TikTok bio etc.)
and that higher CVR = focus there.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../pages/creator/CreatorMyAffiliations.tsx   | 70 ++++++++++++++++---
 1 file changed, 61 insertions(+), 9 deletions(-)

diff --git a/apps/portal/src/pages/creator/CreatorMyAffiliations.tsx b/apps/portal/src/pages/creator/CreatorMyAffiliations.tsx
index d2789f9..fa8cefe 100644
--- a/apps/portal/src/pages/creator/CreatorMyAffiliations.tsx
+++ b/apps/portal/src/pages/creator/CreatorMyAffiliations.tsx
@@ -16,6 +16,13 @@ interface Affiliation {
   approvedOfferings: Array<{ id: string; title: string }>;
 }
 
+interface EarningsLink {
+  linkKey: string;
+  clicks: number;
+  attributedEvents: number;
+  attributedRevenue: number;
+}
+
 interface Earnings {
   partnerId: string;
   since: string;
@@ -23,13 +30,16 @@ interface Earnings {
   attributedEvents: number;
   attributedRevenue: number;
   commissionByStatus: Record<string, number>;
+  links?: EarningsLink[];
 }
 
 function EarningsBlock({ aff }: { aff: Affiliation }) {
   const enabled = aff.status === 'active';
   const { data, isLoading, error } = useQuery<Earnings, ApiError>({
     queryKey: ['creator-aff-earnings', aff.id],
-    queryFn: () => creatorApi<Earnings>(`/creators/me/affiliations/${aff.id}/earnings`),
+    // includeLinks=true threads through openpartner's per-Link
+    // breakdown for channel-level performance ("newsletter vs TikTok").
+    queryFn: () => creatorApi<Earnings>(`/creators/me/affiliations/${aff.id}/earnings?includeLinks=true`),
     enabled,
     retry: false,
     staleTime: 60_000,
@@ -42,15 +52,57 @@ function EarningsBlock({ aff }: { aff: Affiliation }) {
     return <p style={{ color: theme.textMuted, fontSize: 13 }}>Couldn&rsquo;t load earnings.</p>;
   }
   if (!data) return null;
+  const linksWithActivity = (data.links ?? []).filter((l) => l.clicks > 0 || l.attributedEvents > 0);
   return (
-    <div style={{ display: 'flex', gap: 24, flexWrap: 'wrap', marginTop: 12 }}>
-      <Stat label="Clicks (30d)" value={data.clicks.toLocaleString()} />
-      <Stat label="Attributed events" value={data.attributedEvents.toLocaleString()} />
-      <Stat label="Revenue" value={money(data.attributedRevenue, 'USD')} />
-      {Object.entries(data.commissionByStatus ?? {}).map(([status, amount]) => (
-        <Stat key={status} label={`${status} commission`} value={money(amount, 'USD')} />
-      ))}
-    </div>
+    <>
+      <div style={{ display: 'flex', gap: 24, flexWrap: 'wrap', marginTop: 12 }}>
+        <Stat label="Clicks (30d)" value={data.clicks.toLocaleString()} />
+        <Stat label="Attributed events" value={data.attributedEvents.toLocaleString()} />
+        <Stat label="Revenue" value={money(data.attributedRevenue, 'USD')} />
+        {Object.entries(data.commissionByStatus ?? {}).map(([status, amount]) => (
+          <Stat key={status} label={`${status} commission`} value={money(amount, 'USD')} />
+        ))}
+      </div>
+      {linksWithActivity.length > 1 && (
+        <div style={{ marginTop: 16 }}>
+          <div style={{ fontSize: 11, color: theme.textDim, textTransform: 'uppercase', letterSpacing: '0.05em', marginBottom: 8 }}>
+            By link (30d)
+          </div>
+          <div style={{ display: 'flex', flexDirection: 'column', gap: 6 }}>
+            {linksWithActivity.map((l) => {
+              const conversionRate = l.clicks > 0 ? (l.attributedEvents / l.clicks) * 100 : 0;
+              return (
+                <div
+                  key={l.linkKey}
+                  style={{
+                    display: 'grid',
+                    gridTemplateColumns: '1.4fr 1fr 1fr 1fr 1fr',
+                    gap: 8,
+                    fontSize: 13,
+                    padding: '8px 10px',
+                    background: theme.surface2,
+                    border: `1px solid ${theme.borderSubtle}`,
+                    borderRadius: theme.radiusSm,
+                    alignItems: 'center',
+                  }}
+                >
+                  <code style={{ fontSize: 12, color: theme.textMuted }}>{l.linkKey}</code>
+                  <div style={{ color: theme.textMuted }}>{l.clicks.toLocaleString()} clicks</div>
+                  <div style={{ color: theme.textMuted }}>{l.attributedEvents.toLocaleString()} events</div>
+                  <div style={{ color: theme.text }}>{money(l.attributedRevenue, 'USD')}</div>
+                  <div style={{ color: conversionRate >= 1 ? theme.success : theme.textMuted, fontWeight: conversionRate >= 1 ? 500 : 400 }}>
+                    {conversionRate.toFixed(2)}% CVR
+                  </div>
+                </div>
+              );
+            })}
+          </div>
+          <p style={{ color: theme.textDim, fontSize: 11, marginTop: 6, marginBottom: 0 }}>
+            Different links = different channels. Higher CVR means that channel converts better &mdash; focus there.
+          </p>
+        </div>
+      )}
+    </>
   );
 }
 

From 1ecd576c29e1e270f9d47b869876ec13cf414073 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 18:46:22 -0700
Subject: [PATCH 093/131] feat(invite-to-apply): brand UI + creator deeplink
 handling
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Brand admin (Discover creators page):
  - Each creator card grows an "Invite" button next to "View profile"
  - Modal picks one of the brand's published offerings (auto-selects
    when there's only one) + optional pitch message
  - Posts to /admin/network/offerings/:id/invite-creator which proxies
    to Network's POST /vendors/me/offerings/:id/invitations
  - Success state: green confirmation, close

Creator portal (offering detail page):
  - When ?invitation=<token> is in the URL, fetches the invitation
    context (brand display name + pitch message)
  - Renders an accent-colored banner above the offering card
  - Pre-fills the apply form's pitch field with "Replying to your
    invitation: <brand's message>" — creator can edit before submitting
  - On successful application, fire-and-forget POST consume so the
    brand sees status update on their side
  - Expired invitation shows a danger banner but still lets the
    creator apply normally

networkProxy.inviteCreator + creator-portal proxy whitelist for
/invitations/* (GET resolver + POST consume).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/network-client.ts                |  13 ++
 apps/api/src/routes/creator-portal.ts         |   3 +
 apps/api/src/routes/settings.ts               |   7 +
 .../src/pages/admin/NetworkCreators.tsx       | 155 ++++++++++++++++--
 .../pages/creator/CreatorOfferingDetail.tsx   |  70 +++++++-
 5 files changed, 234 insertions(+), 14 deletions(-)

diff --git a/apps/api/src/network-client.ts b/apps/api/src/network-client.ts
index 956b21c..419396b 100644
--- a/apps/api/src/network-client.ts
+++ b/apps/api/src/network-client.ts
@@ -527,6 +527,19 @@ export const networkProxy = {
       `/vendors/me/discover/creators${querystring ? `?${querystring}` : ''}`,
     ),
 
+  /** Invite a creator to apply to one of this vendor's offerings.
+   *  Network mints an OfferingInvitation + emails the creator a
+   *  deeplink. Idempotent per (offering, creator) — re-inviting the
+   *  same creator refreshes the token + expiry. */
+  inviteCreator: (db: Knex, tenantId: string, offeringId: string, body: { creatorId: string; message?: string }) =>
+    callNetwork<{ ok: true; expiresAt: string }>(
+      db,
+      tenantId,
+      'POST',
+      `/vendors/me/offerings/${encodeURIComponent(offeringId)}/invitations`,
+      body,
+    ),
+
   // Billing — same pattern (vendor token held server-side, portal can't
   // hit Stripe directly). Forwards body straight through; the Network's
   // route does all validation.
diff --git a/apps/api/src/routes/creator-portal.ts b/apps/api/src/routes/creator-portal.ts
index 04a17bd..0e60f8f 100644
--- a/apps/api/src/routes/creator-portal.ts
+++ b/apps/api/src/routes/creator-portal.ts
@@ -58,6 +58,9 @@ const ALLOWED_PREFIX: Array<{ prefix: string; methods: Set<string> }> = [
   // Public profile lookup — no creator session required, lets brands
   // and the open web hit /creators/by-handle/<handle> on the portal.
   { prefix: '/creators/by-handle/', methods: new Set(['GET']) },
+  // Invitation deeplink resolver (no auth) + consume (creator auth).
+  // GET /invitations/:token, POST /invitations/:token/consume
+  { prefix: '/invitations/', methods: new Set(['GET', 'POST']) },
 ];
 
 function isAllowed(method: string, subpath: string): boolean {
diff --git a/apps/api/src/routes/settings.ts b/apps/api/src/routes/settings.ts
index 21f71ab..e2f7b0b 100644
--- a/apps/api/src/routes/settings.ts
+++ b/apps/api/src/routes/settings.ts
@@ -495,6 +495,13 @@ settingsRouter.get('/admin/network/discover/creators', requireAuth, requireAdmin
   return proxy(req, res, (db, tenantId) => networkProxy.discoverCreators(db, tenantId, qs));
 });
 
+// Brand admin invites a discovered creator to apply to an offering.
+// Body is forwarded verbatim — Network validates the creatorId + offering
+// ownership.
+settingsRouter.post('/admin/network/offerings/:id/invite-creator', requireAuth, requireAdmin, async (req, res) =>
+  proxy(req, res, (db, tenantId) => networkProxy.inviteCreator(db, tenantId, req.params.id!, req.body ?? {}), 201),
+);
+
 // ---------- Network billing proxy ----------
 // Self-hosted vendors subscribe to Network access ($29/mo + 3% metered)
 // from this admin surface. Hosted vendors get bundled with their main
diff --git a/apps/portal/src/pages/admin/NetworkCreators.tsx b/apps/portal/src/pages/admin/NetworkCreators.tsx
index ccc3b82..d49d65c 100644
--- a/apps/portal/src/pages/admin/NetworkCreators.tsx
+++ b/apps/portal/src/pages/admin/NetworkCreators.tsx
@@ -9,10 +9,10 @@
  */
 
 import { useEffect, useMemo, useState } from 'react';
-import { useQuery } from '@tanstack/react-query';
+import { useMutation, useQuery } from '@tanstack/react-query';
 import { Users } from 'lucide-react';
-import { api } from '../../api.js';
-import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page, Select } from '../../ui.js';
+import { api, ApiError } from '../../api.js';
+import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page, Select, Textarea } from '../../ui.js';
 import { theme } from '../../theme.js';
 
 interface PlatformRow {
@@ -241,18 +241,151 @@ function CreatorCard({ creator }: { creator: DirectoryRow }) {
           {creator.bio}
         </p>
       )}
-      <a
-        href={`/creators/${creator.handle}`}
-        target="_blank"
-        rel="noopener noreferrer"
-        style={{ textDecoration: 'none' }}
-      >
-        <Button variant="secondary" style={{ width: '100%' }}>View profile →</Button>
-      </a>
+      <div style={{ display: 'flex', gap: 6 }}>
+        <a
+          href={`/creators/${creator.handle}`}
+          target="_blank"
+          rel="noopener noreferrer"
+          style={{ textDecoration: 'none', flex: 1 }}
+        >
+          <Button variant="secondary" style={{ width: '100%' }}>View profile</Button>
+        </a>
+        <InviteButton creator={creator} />
+      </div>
     </Card>
   );
 }
 
+interface OfferingOption {
+  id: string;
+  title: string;
+  published: boolean;
+}
+
+function InviteButton({ creator }: { creator: DirectoryRow }) {
+  const [open, setOpen] = useState(false);
+  return (
+    <>
+      <Button onClick={() => setOpen(true)} style={{ flex: 1 }}>Invite</Button>
+      {open && <InviteDialog creator={creator} onClose={() => setOpen(false)} />}
+    </>
+  );
+}
+
+function InviteDialog({ creator, onClose }: { creator: DirectoryRow; onClose: () => void }) {
+  const offerings = useQuery({
+    queryKey: ['admin-network-offerings'],
+    queryFn: () => api<{ offerings: OfferingOption[] }>('/admin/network/offerings'),
+    retry: false,
+  });
+  const published = (offerings.data?.offerings ?? []).filter((o) => o.published);
+
+  const [offeringId, setOfferingId] = useState('');
+  const [message, setMessage] = useState('');
+
+  // Default-select the only published offering when there's one — saves
+  // a click in the common case.
+  useEffect(() => {
+    if (!offeringId && published.length === 1) setOfferingId(published[0]!.id);
+  }, [offeringId, published]);
+
+  const send = useMutation({
+    mutationFn: () =>
+      api(`/admin/network/offerings/${offeringId}/invite-creator`, {
+        method: 'POST',
+        body: { creatorId: creator.id, message: message.trim() || undefined },
+      }),
+  });
+
+  const sent = send.isSuccess;
+
+  return (
+    <div
+      role="dialog"
+      aria-modal="true"
+      style={{
+        position: 'fixed',
+        inset: 0,
+        background: 'rgba(0,0,0,0.5)',
+        display: 'flex',
+        alignItems: 'center',
+        justifyContent: 'center',
+        zIndex: 50,
+      }}
+      onClick={(e) => { if (e.target === e.currentTarget) onClose(); }}
+    >
+      <div
+        style={{
+          background: theme.surface,
+          border: `1px solid ${theme.borderSubtle}`,
+          borderRadius: theme.radiusSm,
+          padding: 24,
+          maxWidth: 480,
+          width: '92%',
+        }}
+      >
+        <div style={{ fontSize: 15, fontWeight: 500, marginBottom: 4 }}>
+          Invite @{creator.handle}
+        </div>
+        <p style={{ fontSize: 13, color: theme.textMuted, margin: '0 0 16px' }}>
+          They&rsquo;ll get an email with a one-click link to apply to whichever offering you pick.
+        </p>
+        {sent ? (
+          <>
+            <div style={{ background: theme.successSoft, border: `1px solid ${theme.success}55`, borderRadius: theme.radiusSm, padding: 12, fontSize: 13, color: theme.success, marginBottom: 14 }}>
+              Invitation sent. They&rsquo;ll see your message + a deeplink in their inbox.
+            </div>
+            <Button onClick={onClose} variant="secondary">Close</Button>
+          </>
+        ) : (
+          <>
+            {send.error && (
+              <ErrorBanner error={
+                send.error instanceof ApiError && send.error.message === 'creator_not_found'
+                  ? 'This creator is no longer available (deleted account?).'
+                  : send.error
+              } />
+            )}
+            <div style={{ marginBottom: 14 }}>
+              <Label>Offering</Label>
+              {offerings.isLoading ? (
+                <p style={{ fontSize: 13, color: theme.textMuted, margin: '6px 0 0' }}>Loading…</p>
+              ) : published.length === 0 ? (
+                <p style={{ fontSize: 13, color: theme.textMuted, margin: '6px 0 0' }}>
+                  No published offerings yet. <a href="/admin/network/offerings" style={{ color: theme.accent }}>Create one</a>.
+                </p>
+              ) : (
+                <Select value={offeringId} onChange={(e) => setOfferingId(e.target.value)}>
+                  <option value="">— pick an offering —</option>
+                  {published.map((o) => <option key={o.id} value={o.id}>{o.title}</option>)}
+                </Select>
+              )}
+            </div>
+            <div style={{ marginBottom: 16 }}>
+              <Label>Message (optional)</Label>
+              <Textarea
+                value={message}
+                onChange={(e) => setMessage(e.target.value)}
+                rows={4}
+                placeholder="Why you'd love to have them. Specific is better than generic."
+              />
+            </div>
+            <div style={{ display: 'flex', gap: 8 }}>
+              <Button
+                onClick={() => send.mutate()}
+                disabled={!offeringId || send.isPending}
+              >
+                {send.isPending ? 'Sending…' : 'Send invitation'}
+              </Button>
+              <Button variant="secondary" onClick={onClose}>Cancel</Button>
+            </div>
+          </>
+        )}
+      </div>
+    </div>
+  );
+}
+
 function Stat({ label, value, accent }: { label: string; value: string; accent?: boolean }) {
   return (
     <div style={{ background: theme.surface2, border: `1px solid ${theme.borderSubtle}`, borderRadius: theme.radiusSm, padding: '8px 10px' }}>
diff --git a/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx b/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx
index b85824c..8a52432 100644
--- a/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx
+++ b/apps/portal/src/pages/creator/CreatorOfferingDetail.tsx
@@ -1,10 +1,20 @@
-import { useState } from 'react';
+import { useEffect, useState } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Link, useNavigate, useParams } from 'react-router-dom';
+import { Link, useNavigate, useParams, useSearchParams } from 'react-router-dom';
 import { Button, Card, ErrorBanner, Input, Label, Page, Textarea } from '../../ui.js';
 import { theme } from '../../theme.js';
 import { creatorApi, ApiError } from './creator-api.js';
 
+interface InvitationContext {
+  id: string;
+  offeringId: string;
+  offeringTitle: string | null;
+  vendorDisplayName: string | null;
+  message: string | null;
+  status: 'pending' | 'consumed' | 'expired';
+  expiresAt: string;
+}
+
 type MyStatus = 'none' | 'pending' | 'approved' | 'rejected' | 'cancelled';
 
 interface Offering {
@@ -36,6 +46,8 @@ interface Whoami {
 
 export function CreatorOfferingDetailPage() {
   const { id } = useParams<{ id: string }>();
+  const [searchParams] = useSearchParams();
+  const invitationToken = searchParams.get('invitation');
   const navigate = useNavigate();
   const qc = useQueryClient();
   const [message, setMessage] = useState('');
@@ -54,13 +66,43 @@ export function CreatorOfferingDetailPage() {
     retry: false,
   });
 
+  // Resolve the invitation token if present in the URL — gives us the
+  // brand's pitch + offering context so we can show a banner +
+  // pre-fill the apply form.
+  const { data: invitation } = useQuery({
+    queryKey: ['creator-invitation', invitationToken],
+    queryFn: () => creatorApi<InvitationContext>(`/invitations/${invitationToken}`),
+    enabled: !!invitationToken,
+    retry: false,
+  });
+
+  // When an invitation lands and the apply form is empty, drop the
+  // brand's message into the pitch field as a starting point. The
+  // creator can edit before submitting.
+  useEffect(() => {
+    if (invitation?.message && !message) {
+      setMessage(`Replying to your invitation: ${invitation.message}`);
+    }
+  }, [invitation?.message, message]);
+
   const apply = useMutation({
     mutationFn: () =>
       creatorApi(`/offerings/${id}/apply`, {
         method: 'POST',
         body: { message: message || undefined, preferredSlug: preferredSlug || undefined },
       }),
-    onSuccess: () => {
+    onSuccess: async () => {
+      // Best-effort consume the invitation if we came in via one — so
+      // the brand sees "Application received" status on their side.
+      // Failure here doesn't fail the application; it just leaves the
+      // invitation pending.
+      if (invitationToken && invitation?.status === 'pending') {
+        try {
+          await creatorApi(`/invitations/${invitationToken}/consume`, { method: 'POST' });
+        } catch {
+          /* fire-and-forget */
+        }
+      }
       qc.invalidateQueries({ queryKey: ['creator-my-requests'] });
       navigate('/creator/requests');
     },
@@ -70,6 +112,28 @@ export function CreatorOfferingDetailPage() {
     <Page title={offering?.title ?? 'Program'} subtitle={offering?.vendorName}>
       <ErrorBanner error={error} />
       {isLoading && <Card>Loading…</Card>}
+      {invitation && invitation.status === 'pending' && (
+        <Card style={{ marginBottom: 14, background: `${theme.accent}10`, borderColor: `${theme.accent}55` }}>
+          <div style={{ fontSize: 14, fontWeight: 500, color: theme.accent, marginBottom: 4 }}>
+            ✓ {invitation.vendorDisplayName ?? 'A brand'} invited you to apply
+          </div>
+          {invitation.message && (
+            <p style={{ fontSize: 13, color: theme.textMuted, margin: '8px 0 0', whiteSpace: 'pre-wrap' }}>
+              "{invitation.message}"
+            </p>
+          )}
+          <p style={{ fontSize: 12, color: theme.textDim, margin: '8px 0 0' }}>
+            Your pitch is pre-filled below. Edit + submit to apply.
+          </p>
+        </Card>
+      )}
+      {invitation && invitation.status === 'expired' && (
+        <Card style={{ marginBottom: 14, background: `${theme.danger}10`, borderColor: `${theme.danger}55` }}>
+          <div style={{ fontSize: 13, color: theme.danger }}>
+            This invitation expired. You can still apply normally below.
+          </div>
+        </Card>
+      )}
       {offering && (
         <>
           <Card>

From 18c08ed1bc1ad9283798ca281504ac6b08891fa9 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 19:18:56 -0700
Subject: [PATCH 094/131] feat(creator-portal): "Recommended for you" strip on
 Discover
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

New section at the top of /creator/discover (above the open grid)
showing up to 5 brand-matched offerings from /creators/me/recommendations.
Each card shows vendor name, offering title, commission summary, and
a one-line "why this fits you" hint (the reasons[] from the
recommender).

Hidden when the recommender returns nothing — better to surface
nothing than padded suggestions.

Whitelisted /creators/me/recommendations on the creator-portal proxy.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/creator-portal.ts         |  1 +
 .../src/pages/creator/CreatorDiscover.tsx     | 64 +++++++++++++++++++
 2 files changed, 65 insertions(+)

diff --git a/apps/api/src/routes/creator-portal.ts b/apps/api/src/routes/creator-portal.ts
index 0e60f8f..bbd2f1d 100644
--- a/apps/api/src/routes/creator-portal.ts
+++ b/apps/api/src/routes/creator-portal.ts
@@ -41,6 +41,7 @@ const ALLOWED_EXACT = new Set([
   '/creators/me/domains',
   '/creators/me/partnerships',
   '/creators/me/platforms',
+  '/creators/me/recommendations',
   '/offerings',
 ]);
 
diff --git a/apps/portal/src/pages/creator/CreatorDiscover.tsx b/apps/portal/src/pages/creator/CreatorDiscover.tsx
index 5eb84dd..4c5bd4c 100644
--- a/apps/portal/src/pages/creator/CreatorDiscover.tsx
+++ b/apps/portal/src/pages/creator/CreatorDiscover.tsx
@@ -46,6 +46,7 @@ export function CreatorDiscoverPage() {
     <Page title="Discover programs" subtitle="Partner programs across the OpenPartner Network. Apply to any.">
       <ErrorBanner error={error} />
       <CreatorOnboarding />
+      <RecommendedStrip />
       <Card>
         <div style={{ display: 'flex', gap: 12, alignItems: 'flex-end', flexWrap: 'wrap' }}>
           <div style={{ flex: 1, minWidth: 240 }}>
@@ -109,6 +110,69 @@ export function CreatorDiscoverPage() {
   );
 }
 
+interface Recommendation {
+  id: string;
+  title: string;
+  description: string | null;
+  vendorId: string;
+  vendorName: string;
+  terms: { commissionDescription?: string };
+  reasons: string[];
+}
+
+/** "Recommended for you" strip above the open Discover grid. Lifts
+ *  application volume for creators who don't browse. Hidden when the
+ *  recommender has nothing to show — better than padding with noise. */
+function RecommendedStrip() {
+  const { data, isLoading } = useQuery({
+    queryKey: ['creator-recommendations'],
+    queryFn: () => creatorApi<{ recommendations: Recommendation[] }>('/creators/me/recommendations'),
+    retry: false,
+    staleTime: 5 * 60_000,
+  });
+
+  if (isLoading || !data || data.recommendations.length === 0) return null;
+
+  return (
+    <Card style={{ marginBottom: 18 }}>
+      <div style={{ fontSize: 14, fontWeight: 500, marginBottom: 4 }}>Recommended for you</div>
+      <p style={{ fontSize: 13, color: theme.textMuted, margin: '0 0 14px' }}>
+        Programs that match your profile, ranked by category overlap + commission richness.
+      </p>
+      <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fill, minmax(280px, 1fr))', gap: 10 }}>
+        {data.recommendations.map((r) => (
+          <Link
+            key={r.id}
+            to={`/creator/offerings/${r.id}`}
+            style={{
+              textDecoration: 'none',
+              padding: '12px 14px',
+              background: theme.surface2,
+              border: `1px solid ${theme.borderSubtle}`,
+              borderRadius: theme.radiusSm,
+              color: theme.text,
+              display: 'flex',
+              flexDirection: 'column',
+              gap: 4,
+            }}
+          >
+            <div style={{ fontSize: 11, color: theme.textMuted }}>{r.vendorName}</div>
+            <div style={{ fontSize: 14, fontWeight: 500 }}>{r.title}</div>
+            {r.terms?.commissionDescription && (
+              <div style={{ fontSize: 12, color: theme.textMuted, marginTop: 2 }}>{r.terms.commissionDescription}</div>
+            )}
+            {r.reasons.length > 0 && (
+              <div style={{ fontSize: 11, color: theme.accent, marginTop: 6 }}>
+                {r.reasons.slice(0, 2).join(' · ')}
+              </div>
+            )}
+          </Link>
+        ))}
+      </div>
+    </Card>
+  );
+}
+
 function ctaForStatus(s: MyStatus): string {
   switch (s) {
     case 'approved':

From 9eef36cd562101fe65e64e352e392a335ef2ceb3 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 19:29:17 -0700
Subject: [PATCH 095/131] feat(import): partner-roster CSV importer for
 migrations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Lets brands migrate from Impact / Rewardful / Refersion / etc. by
adapting their export to a single canonical OpenPartner format and
uploading. Multi-format auto-detection deferred — documenting one
canonical format is simpler and ships now.

Backend:
  - POST /import/partners-csv?dryRun=true|false (admin auth)
    Accepts text/csv body, parses with a minimal inline parser
    (handles quoted fields with doubled-quote escaping; rejects
    multi-line quoted fields explicitly).
  - Canonical columns: email + name required, activatedAt + metadata
    optional. New rows get access to all current campaigns by default.
  - email_taken collisions return as 'skipped', not 'invalid' — re-runs
    are idempotent on already-imported emails.
  - Per-row report with status + reason for the UI.

Portal:
  - AdminExport page grows an "Import partners from CSV" section
    below the existing exports.
  - File upload OR paste-area with collapsible canonical-format docs.
  - Two buttons: dry-run preview + commit. Result panel shows summary
    counts + per-row failures (capped at 50 rows in the UI).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/app.ts                    |   2 +
 apps/api/src/routes/import-partners.ts | 224 +++++++++++++++++++++++++
 apps/portal/src/pages/AdminExport.tsx  | 129 +++++++++++++-
 3 files changed, 354 insertions(+), 1 deletion(-)
 create mode 100644 apps/api/src/routes/import-partners.ts

diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index 177a104..2367c80 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -19,6 +19,7 @@ import { connectRouter } from './routes/connect.js';
 import { payoutsRouter } from './routes/payouts.js';
 import { commissionsRouter } from './routes/commissions.js';
 import { exportRouter } from './routes/export.js';
+import { importPartnersRouter } from './routes/import-partners.js';
 import { billingRouter } from './routes/billing.js';
 import { authRouter } from './routes/auth.js';
 import { partnerAuthRouter } from './routes/partner-auth.js';
@@ -158,6 +159,7 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   app.use(payoutsRouter);
   app.use(commissionsRouter);
   app.use(exportRouter);
+  app.use(importPartnersRouter);
   app.use(billingRouter);
   app.use(adminOverviewRouter);
   app.use(networkPartnerRouter);
diff --git a/apps/api/src/routes/import-partners.ts b/apps/api/src/routes/import-partners.ts
new file mode 100644
index 0000000..e2a49dd
--- /dev/null
+++ b/apps/api/src/routes/import-partners.ts
@@ -0,0 +1,224 @@
+/**
+ * Partner-roster CSV importer.
+ *
+ *   POST /import/partners-csv?dryRun=true|false
+ *   Content-Type: text/csv  (raw CSV body)
+ *
+ * Lets brands migrate from competitors (Impact, Rewardful, Refersion, etc.)
+ * by adapting their export to a single canonical OpenPartner format and
+ * uploading. Multi-format auto-detection is deferred — documenting one
+ * canonical format is simpler and ships now.
+ *
+ * Canonical CSV columns (header row required):
+ *
+ *   email           required, becomes Partner.email
+ *   name            required, becomes Partner.name
+ *   activatedAt     optional ISO datetime, defaults to now (existing
+ *                   partners come in already-activated; new invites
+ *                   should leave blank + use POST /partners with
+ *                   sendInvite=true instead)
+ *   metadata        optional JSON object string, merged into Partner.metadata
+ *
+ * Behavior:
+ *   - dryRun=true  parses + validates + returns preview + would-be results
+ *                  without writing anything
+ *   - dryRun=false (or missing) commits the import — creates Partner rows,
+ *                  granting access to ALL current campaigns by default
+ *                  (matches the per-partner default behavior elsewhere)
+ *   - Per-row email_taken collisions are reported as skipped, not errors —
+ *     re-running the import is idempotent on already-imported emails.
+ */
+
+import { Router } from 'express';
+import { ulid } from 'ulid';
+import { TABLES, type PartnerRow } from '@openpartner/db';
+import { grantScope, requireAdmin, requireAuth } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
+
+export const importPartnersRouter = Router();
+
+interface RowReport {
+  row: number;
+  email: string;
+  status: 'created' | 'skipped_email_taken' | 'invalid';
+  reason?: string;
+  partnerId?: string;
+}
+
+importPartnersRouter.post(
+  '/import/partners-csv',
+  requireAuth,
+  grantScope('partners:write'),
+  requireAdmin,
+  // Read raw text body — we don't want express.json() to interpret it.
+  // The /import route already uses 256mb json limit; partner rosters are
+  // small enough that the global 1mb limit suits.
+  (req, res, next) => {
+    if (req.is('text/*') || req.is('application/csv') || req.is('text/csv')) {
+      let raw = '';
+      req.setEncoding('utf8');
+      req.on('data', (chunk) => { raw += chunk; });
+      req.on('end', () => {
+        (req as { rawCsv?: string }).rawCsv = raw;
+        next();
+      });
+    } else {
+      // Allow JSON shape `{ csv: "...." }` as a fallback for tools that
+      // can't set the content-type.
+      const csv = typeof req.body?.csv === 'string' ? req.body.csv : '';
+      (req as { rawCsv?: string }).rawCsv = csv;
+      next();
+    }
+  },
+  async (req, res) => {
+    const { db, tenantId } = tenantOf(req);
+    const csv = ((req as { rawCsv?: string }).rawCsv ?? '').trim();
+    if (!csv) return res.status(400).json({ error: 'empty_body', detail: 'POST the CSV as text/csv body' });
+
+    const dryRun = req.query.dryRun === 'true' || req.query.dryRun === '1';
+
+    let rows: Array<Record<string, string>>;
+    try {
+      rows = parseCsv(csv);
+    } catch (err) {
+      return res.status(400).json({ error: 'invalid_csv', detail: err instanceof Error ? err.message : String(err) });
+    }
+    if (rows.length === 0) return res.status(400).json({ error: 'no_rows', detail: 'CSV had a header but no data rows' });
+
+    // Pull the campaign list once — every newly-created partner gets
+    // access to all current campaigns (the same default as POST /partners
+    // when campaignIds is omitted). Done outside the loop so we don't
+    // re-query per row.
+    const allCampaigns = (await db(TABLES.Campaign).select('id')) as Array<{ id: string }>;
+    const allCampaignIds = allCampaigns.map((c) => c.id);
+
+    const report: RowReport[] = [];
+
+    for (let i = 0; i < rows.length; i += 1) {
+      const r = rows[i]!;
+      const rowNum = i + 2; // +1 for header, +1 to match human row counting
+
+      const email = (r.email ?? '').trim().toLowerCase();
+      const name = (r.name ?? '').trim();
+      if (!email || !email.includes('@')) {
+        report.push({ row: rowNum, email, status: 'invalid', reason: 'invalid_email' });
+        continue;
+      }
+      if (!name) {
+        report.push({ row: rowNum, email, status: 'invalid', reason: 'missing_name' });
+        continue;
+      }
+
+      const existing = await db<PartnerRow>(TABLES.Partner).where({ email }).first();
+      if (existing) {
+        report.push({ row: rowNum, email, status: 'skipped_email_taken', partnerId: existing.id });
+        continue;
+      }
+
+      let metadata: Record<string, unknown> = { importedFromCsv: true };
+      if (r.metadata) {
+        try {
+          const parsed = JSON.parse(r.metadata);
+          if (parsed && typeof parsed === 'object') metadata = { ...metadata, ...parsed };
+        } catch {
+          report.push({ row: rowNum, email, status: 'invalid', reason: 'metadata_not_valid_json' });
+          continue;
+        }
+      }
+
+      const activatedAt = r.activatedAt ? new Date(r.activatedAt) : new Date();
+      if (Number.isNaN(activatedAt.getTime())) {
+        report.push({ row: rowNum, email, status: 'invalid', reason: 'invalid_activatedAt' });
+        continue;
+      }
+
+      const id = ulid();
+      if (!dryRun) {
+        await db<PartnerRow>(TABLES.Partner).insert({
+          id,
+          tenantId,
+          email,
+          name,
+          metadata,
+          activatedAt,
+        });
+        if (allCampaignIds.length > 0) {
+          await db(TABLES.PartnerCampaign)
+            .insert(
+              allCampaignIds.map((cid) => ({
+                id: `pc_${ulid()}`,
+                tenantId,
+                partnerId: id,
+                campaignId: cid,
+                source: 'admin',
+              })),
+            )
+            .onConflict(['tenantId', 'partnerId', 'campaignId'])
+            .ignore();
+        }
+      }
+      report.push({ row: rowNum, email, status: 'created', partnerId: id });
+    }
+
+    const summary = {
+      total: rows.length,
+      created: report.filter((r) => r.status === 'created').length,
+      skipped: report.filter((r) => r.status === 'skipped_email_taken').length,
+      invalid: report.filter((r) => r.status === 'invalid').length,
+    };
+    res.json({ dryRun, summary, report });
+  },
+);
+
+/**
+ * Minimal CSV parser. Handles the canonical case (no quoted fields with
+ * embedded commas/newlines). Rejects anything weird so users notice
+ * the format mismatch instead of silently importing garbage.
+ */
+function parseCsv(input: string): Array<Record<string, string>> {
+  const lines = input.split(/\r?\n/).filter((l) => l.trim().length > 0);
+  if (lines.length < 2) throw new Error('expected a header row plus at least one data row');
+  const header = splitCsvLine(lines[0]!);
+  const rows: Array<Record<string, string>> = [];
+  for (let i = 1; i < lines.length; i += 1) {
+    const cells = splitCsvLine(lines[i]!);
+    if (cells.length !== header.length) {
+      throw new Error(`row ${i + 1} has ${cells.length} columns, expected ${header.length} from header`);
+    }
+    const row: Record<string, string> = {};
+    for (let j = 0; j < header.length; j += 1) {
+      row[header[j]!] = cells[j]!;
+    }
+    rows.push(row);
+  }
+  return rows;
+}
+
+/**
+ * Splits a CSV line on commas, respecting double-quoted fields with
+ * doubled-quote escaping ("Smith, John" or "she said ""hi"""). Doesn't
+ * handle multi-line quoted fields — those need a real parser, and they
+ * don't show up in partner-roster imports in practice.
+ */
+function splitCsvLine(line: string): string[] {
+  const out: string[] = [];
+  let cur = '';
+  let inQuotes = false;
+  for (let i = 0; i < line.length; i += 1) {
+    const ch = line[i]!;
+    if (inQuotes) {
+      if (ch === '"') {
+        if (line[i + 1] === '"') { cur += '"'; i += 1; }
+        else { inQuotes = false; }
+      } else {
+        cur += ch;
+      }
+    } else {
+      if (ch === ',') { out.push(cur); cur = ''; }
+      else if (ch === '"' && cur.length === 0) { inQuotes = true; }
+      else { cur += ch; }
+    }
+  }
+  out.push(cur);
+  return out.map((s) => s.trim());
+}
diff --git a/apps/portal/src/pages/AdminExport.tsx b/apps/portal/src/pages/AdminExport.tsx
index 1f6bc16..a87d2d5 100644
--- a/apps/portal/src/pages/AdminExport.tsx
+++ b/apps/portal/src/pages/AdminExport.tsx
@@ -1,4 +1,5 @@
-import { Download, FileJson, FileSpreadsheet, Archive } from 'lucide-react';
+import { useState } from 'react';
+import { Download, FileJson, FileSpreadsheet, Archive, Upload } from 'lucide-react';
 import { getApiKey } from '../api.js';
 import { theme } from '../theme.js';
 import { Button, Card, Page, SectionHeading } from '../ui.js';
@@ -91,6 +92,132 @@ export function AdminExport() {
           </tbody>
         </table>
       </Card>
+
+      <SectionHeading>Import partners from CSV</SectionHeading>
+      <PartnersCsvImporter />
     </Page>
   );
 }
+
+interface ImportReportRow {
+  row: number;
+  email: string;
+  status: 'created' | 'skipped_email_taken' | 'invalid';
+  reason?: string;
+  partnerId?: string;
+}
+interface ImportResult {
+  dryRun: boolean;
+  summary: { total: number; created: number; skipped: number; invalid: number };
+  report: ImportReportRow[];
+}
+
+function PartnersCsvImporter() {
+  const key = getApiKey() ?? '';
+  const [csv, setCsv] = useState('');
+  const [busy, setBusy] = useState(false);
+  const [result, setResult] = useState<ImportResult | null>(null);
+  const [error, setError] = useState<string | null>(null);
+
+  async function run(dryRun: boolean) {
+    setError(null);
+    setBusy(true);
+    try {
+      const res = await fetch(`/api/import/partners-csv?dryRun=${dryRun}`, {
+        method: 'POST',
+        headers: { Authorization: `Bearer ${key}`, 'Content-Type': 'text/csv' },
+        body: csv,
+      });
+      const json = await res.json();
+      if (!res.ok) {
+        setError(typeof json.detail === 'string' ? json.detail : json.error ?? 'failed');
+        setResult(null);
+      } else {
+        setResult(json as ImportResult);
+      }
+    } finally {
+      setBusy(false);
+    }
+  }
+
+  function onFile(e: React.ChangeEvent<HTMLInputElement>) {
+    const f = e.target.files?.[0];
+    if (!f) return;
+    const reader = new FileReader();
+    reader.onload = () => setCsv(String(reader.result ?? ''));
+    reader.readAsText(f);
+  }
+
+  return (
+    <Card>
+      <p style={{ fontSize: 13, color: theme.textMuted, margin: '0 0 12px' }}>
+        Migrate from Impact, Rewardful, Refersion, etc. — adapt your export to the canonical
+        format below and upload. Re-runnable: existing emails are skipped, not duplicated.
+      </p>
+      <details style={{ marginBottom: 12 }}>
+        <summary style={{ fontSize: 13, color: theme.accent, cursor: 'pointer' }}>
+          Canonical CSV format
+        </summary>
+        <pre style={{ background: theme.surface2, border: `1px solid ${theme.borderSubtle}`, borderRadius: theme.radiusSm, padding: 10, marginTop: 8, fontSize: 12, overflowX: 'auto' }}>
+{`email,name,activatedAt,metadata
+ada@example.com,Ada Lovelace,2024-01-15T00:00:00Z,"{""source"":""impact""}"
+grace@example.com,Grace Hopper,,
+`}
+        </pre>
+        <p style={{ fontSize: 12, color: theme.textMuted, margin: '8px 0 0' }}>
+          <code>email</code> + <code>name</code> required. <code>activatedAt</code> defaults to
+          now (existing partners come in already-activated). <code>metadata</code> is optional
+          JSON merged into Partner.metadata. New partners get access to all current campaigns.
+        </p>
+      </details>
+      <input
+        type="file"
+        accept=".csv,text/csv"
+        onChange={onFile}
+        style={{ marginBottom: 8, fontSize: 13, color: theme.text }}
+      />
+      <textarea
+        value={csv}
+        onChange={(e) => setCsv(e.target.value)}
+        rows={6}
+        placeholder="…or paste CSV here"
+        style={{
+          width: '100%',
+          padding: '10px 12px',
+          background: theme.surface2,
+          border: `1px solid ${theme.border}`,
+          borderRadius: theme.radiusSm,
+          color: theme.text,
+          fontFamily: theme.fontMono,
+          fontSize: 12,
+          resize: 'vertical',
+          marginBottom: 12,
+        }}
+      />
+      {error && <div style={{ color: theme.danger, fontSize: 13, marginBottom: 12 }}>{error}</div>}
+      <div style={{ display: 'flex', gap: 8, marginBottom: 12 }}>
+        <Button onClick={() => run(true)} disabled={!csv.trim() || busy} variant="secondary">
+          {busy ? 'Working…' : 'Preview (dry-run)'}
+        </Button>
+        <Button onClick={() => run(false)} disabled={!csv.trim() || busy} icon={<Upload size={14} />}>
+          {busy ? 'Importing…' : 'Import'}
+        </Button>
+      </div>
+      {result && (
+        <div style={{ background: theme.surface2, border: `1px solid ${theme.borderSubtle}`, borderRadius: theme.radiusSm, padding: 12, fontSize: 13 }}>
+          <div style={{ marginBottom: 8 }}>
+            <strong>{result.dryRun ? 'Preview' : 'Import done'}</strong> · {result.summary.total} rows ·
+            <span style={{ color: theme.success, marginLeft: 8 }}>{result.summary.created} created</span>
+            <span style={{ color: theme.textMuted, marginLeft: 8 }}>{result.summary.skipped} skipped</span>
+            {result.summary.invalid > 0 && <span style={{ color: theme.danger, marginLeft: 8 }}>{result.summary.invalid} invalid</span>}
+          </div>
+          {result.report.filter((r) => r.status !== 'created').slice(0, 50).map((r) => (
+            <div key={r.row} style={{ fontSize: 12, color: r.status === 'invalid' ? theme.danger : theme.textMuted }}>
+              row {r.row} ({r.email}): {r.status}{r.reason ? ` — ${r.reason}` : ''}
+            </div>
+          ))}
+        </div>
+      )}
+    </Card>
+  );
+}

From ed2975c3b64f09d5099f83d5a9aca7f5c6100907 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 19:36:33 -0700
Subject: [PATCH 096/131] feat(coupons): coupon-code attribution path
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Unlocks DTC ecommerce as a category — many merchants prefer customers
entering codes at checkout (CREATOR15) over click-driven attribution.
Internally we synthesize a Click + Identity + Event so the existing
attribution + commission engine processes redemptions identically to
real clicked conversions.

Schema:
  - Click.linkId becomes nullable (synthetic clicks have no Link)
  - New Coupon table — one per (partnerId, campaignId), per-tenant
    unique code. RLS-isolated like every other tenant-scoped table.

API (openpartner):
  GET  /partners/:id/coupons
       List a partner's coupons (admin or the partner themselves).
  POST /partners/:id/coupons
       Mint a coupon. Code auto-generates from partner email (e.g.
       ada@example.com → ADA[4 random hex]) when caller omits it,
       else uses the explicit code.
  POST /coupons/redeem
       Brand-side conversion path. Body: {code, eventType, value,
       currency, externalEventId, userId, ts}. Idempotent on
       externalEventId — webhook retries don't double-attribute.
       Synthetic Click landingUrl=coupon://<code>, userAgent
       OpenPartner-CouponRedeem/1 for analytics + audit identifiability.

Portal (brand admin):
  - Each partner row gets a Coupons button next to Programs
  - Dialog lists existing coupons + lets admin mint new ones per
    available campaign (excludes campaigns the partner already has
    a coupon for, since each (partner, campaign) is unique)

Auto-mint on PartnerCampaign insert is deferred to a follow-up — admin
explicit creation works for v1, removes ambiguity about who owns
coupon naming when there's a custom code.

Creator-side UI to view + copy their codes lands in the next commit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/app.ts                           |   2 +
 apps/api/src/routes/coupons.ts                | 213 ++++++++++++++++++
 apps/portal/src/pages/AdminPartners.tsx       | 125 ++++++++++
 .../migrations/20260606000000_coupon_codes.ts |  63 ++++++
 packages/db/src/index.ts                      |   1 +
 packages/db/src/types.ts                      |  15 +-
 6 files changed, 418 insertions(+), 1 deletion(-)
 create mode 100644 apps/api/src/routes/coupons.ts
 create mode 100644 packages/db/migrations/20260606000000_coupon_codes.ts

diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index 2367c80..fd0a850 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -20,6 +20,7 @@ import { payoutsRouter } from './routes/payouts.js';
 import { commissionsRouter } from './routes/commissions.js';
 import { exportRouter } from './routes/export.js';
 import { importPartnersRouter } from './routes/import-partners.js';
+import { couponsRouter } from './routes/coupons.js';
 import { billingRouter } from './routes/billing.js';
 import { authRouter } from './routes/auth.js';
 import { partnerAuthRouter } from './routes/partner-auth.js';
@@ -160,6 +161,7 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   app.use(commissionsRouter);
   app.use(exportRouter);
   app.use(importPartnersRouter);
+  app.use(couponsRouter);
   app.use(billingRouter);
   app.use(adminOverviewRouter);
   app.use(networkPartnerRouter);
diff --git a/apps/api/src/routes/coupons.ts b/apps/api/src/routes/coupons.ts
new file mode 100644
index 0000000..a2b22ab
--- /dev/null
+++ b/apps/api/src/routes/coupons.ts
@@ -0,0 +1,213 @@
+/**
+ * Coupon-code attribution.
+ *
+ *   GET  /partners/:id/coupons                 list a partner's coupons
+ *   POST /partners/:id/coupons                 mint a coupon (admin only)
+ *                                              body: { campaignId, code? }
+ *                                              code defaults to <handle><rand4>
+ *   POST /coupons/redeem                       brand-side conversion path
+ *                                              body: { code, eventType, value?,
+ *                                                       currency?, externalEventId,
+ *                                                       userId, ts? }
+ *                                              writes Click + Identity + Event so
+ *                                              the existing attribution engine
+ *                                              processes the redemption identically
+ *                                              to a clicked share-link conversion.
+ *
+ * Scope: one Coupon per (partner, campaign). The auto-mint on
+ * PartnerCampaign insert is wired in routes/partners.ts + the
+ * partner-campaigns add path so coupons appear without admin action.
+ */
+
+import { Router } from 'express';
+import { z } from 'zod';
+import { ulid } from 'ulid';
+import { randomBytes } from 'node:crypto';
+import {
+  TABLES,
+  type CampaignRow,
+  type ClickRow,
+  type CouponRow,
+  type EventRow,
+  type IdentityRow,
+  type PartnerRow,
+} from '@openpartner/db';
+import { grantScope, requireAdmin, requireAuth, requirePartnerOrAdmin } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
+import { attributeEvent } from '../attribution.js';
+
+export const couponsRouter = Router();
+
+// ---------- List + create per partner ----------
+
+couponsRouter.get('/partners/:id/coupons', requireAuth, requirePartnerOrAdmin('id'), async (req, res) => {
+  const { db } = tenantOf(req);
+  const rows = await db<CouponRow>(TABLES.Coupon)
+    .where({ partnerId: req.params.id })
+    .orderBy('createdAt', 'asc');
+  res.json({ coupons: rows });
+});
+
+const createSchema = z.object({
+  campaignId: z.string().min(1),
+  code: z
+    .string()
+    .trim()
+    .min(3)
+    .max(40)
+    .regex(/^[A-Z0-9-]+$/, 'code must be uppercase alphanumeric (with optional hyphens)')
+    .optional(),
+});
+
+couponsRouter.post('/partners/:id/coupons', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  const body = createSchema.safeParse(req.body ?? {});
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const partner = await db<PartnerRow>(TABLES.Partner).where({ id: req.params.id }).first();
+  if (!partner) return res.status(404).json({ error: 'partner_not_found' });
+
+  const campaign = await db<CampaignRow>(TABLES.Campaign).where({ id: body.data.campaignId }).first();
+  if (!campaign) return res.status(404).json({ error: 'campaign_not_found' });
+
+  const code = body.data.code ?? defaultCode(partner.email);
+  try {
+    const id = `cpn_${ulid()}`;
+    await db<CouponRow>(TABLES.Coupon).insert({
+      id,
+      tenantId,
+      partnerId: partner.id,
+      campaignId: campaign.id,
+      code,
+    });
+    const row = await db<CouponRow>(TABLES.Coupon).where({ id }).first();
+    return res.status(201).json(row);
+  } catch (err) {
+    if (typeof err === 'object' && err !== null && (err as { code?: string }).code === '23505') {
+      return res.status(409).json({ error: 'code_taken_or_partner_already_has_one_for_this_campaign' });
+    }
+    throw err;
+  }
+});
+
+// ---------- Redeem ----------
+//
+// Brand calls this from checkout when a customer enters a coupon code.
+// We resolve the code → (partnerId, campaignId), then synthesize the
+// click → identity → event chain so the existing attribution engine
+// processes the redemption identically to a real clicked conversion.
+//
+// The synthetic Click has landingUrl=coupon://<code>, ipHash=null,
+// userAgent='OpenPartner-CouponRedeem/1' so coupon-driven attribution
+// is identifiable in the Click table for analytics + audit.
+//
+// Idempotent on Event.externalEventId — re-sending the same redemption
+// (e.g. from a webhook retry) doesn't double-attribute.
+
+const redeemSchema = z.object({
+  code: z.string().trim().min(3).max(40),
+  /** What kind of event the redemption represents. Same enum the
+   *  existing /events route accepts — signup, trial_started,
+   *  subscription_created, invoice_paid, etc. */
+  eventType: z.string().min(1).max(80),
+  value: z.number().nonnegative().optional(),
+  currency: z.string().length(3).optional(),
+  /** Required so we can dedup retries. Use the brand's checkout-session
+   *  ID, order ID, or whatever's stable. */
+  externalEventId: z.string().min(1).max(120),
+  /** The brand's internal user ID. Identity row links userId ↔
+   *  synthetic clickId so subsequent events from the same user
+   *  attribute via the standard path. */
+  userId: z.string().min(1).max(120),
+  ts: z.string().datetime().optional(),
+});
+
+couponsRouter.post('/coupons/redeem', requireAuth, grantScope('events:write'), async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  const body = redeemSchema.safeParse(req.body ?? {});
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  // Case-insensitive lookup so customers entering keithf15a2x or
+  // KEITHF15A2X both resolve. Storage stays whatever the partner set.
+  const coupon = await db<CouponRow>(TABLES.Coupon)
+    .whereRaw('lower("code") = ?', [body.data.code.toLowerCase()])
+    .first();
+  if (!coupon) return res.status(404).json({ error: 'coupon_not_found' });
+
+  // Idempotency: same externalEventId already processed → 200 + replayed flag.
+  const existingEvent = await db<EventRow>(TABLES.Event)
+    .where({ externalEventId: body.data.externalEventId, type: body.data.eventType })
+    .first();
+  if (existingEvent) {
+    return res.status(200).json({ ok: true, replayed: true, eventId: existingEvent.id });
+  }
+
+  const ts = body.data.ts ? new Date(body.data.ts) : new Date();
+
+  // Synthesize Click + Identity + Event in one trx so the attribution
+  // engine sees a consistent picture.
+  const result = await db.transaction(async (trx) => {
+    const clickId = ulid();
+    await trx<ClickRow>(TABLES.Click).insert({
+      id: clickId,
+      tenantId,
+      linkId: null, // no Link — coupon path doesn't have one
+      partnerId: coupon.partnerId,
+      campaignId: coupon.campaignId,
+      landingUrl: `coupon://${coupon.code}`,
+      ipHash: null,
+      userAgent: 'OpenPartner-CouponRedeem/1',
+      referer: null,
+      fraudFlag: null,
+      ts,
+    });
+
+    // Reuse existing Identity for this user if present, else mint one.
+    // Same dedup pattern the /identify route uses.
+    const existingIdentity = await trx<IdentityRow>(TABLES.Identity)
+      .where({ userId: body.data.userId })
+      .first();
+    if (!existingIdentity) {
+      await trx<IdentityRow>(TABLES.Identity).insert({
+        id: ulid(),
+        tenantId,
+        clickId,
+        userId: body.data.userId,
+      });
+    }
+
+    const eventId = ulid();
+    const [eventRow] = (await trx<EventRow>(TABLES.Event)
+      .insert({
+        id: eventId,
+        tenantId,
+        userId: body.data.userId,
+        type: body.data.eventType,
+        value: body.data.value != null ? String(body.data.value) : null,
+        currency: body.data.currency ?? null,
+        externalEventId: body.data.externalEventId,
+        metadata: { source: 'coupon', code: coupon.code },
+        ts,
+      })
+      .returning('*')) as EventRow[];
+    return eventRow!;
+  });
+
+  // Attribution + commission run outside the trx — same pattern as the
+  // /events route. If they fail, the event still exists and a backlog
+  // run can catch it.
+  await attributeEvent(db, result);
+
+  res.status(201).json({ ok: true, eventId: result.id, partnerId: coupon.partnerId });
+});
+
+// ---------- Helper ----------
+
+function defaultCode(email: string): string {
+  // <local-part-stripped-of-symbols-uppercased> + 4 random chars.
+  // Example: ada.lovelace+test@example.com → ADALOVELACE + 4F2A
+  const local = email.split('@')[0] ?? 'partner';
+  const slug = local.replace(/[^A-Za-z0-9]/g, '').toUpperCase().slice(0, 12) || 'PARTNER';
+  const rand = randomBytes(2).toString('hex').toUpperCase();
+  return `${slug}${rand}`;
+}
diff --git a/apps/portal/src/pages/AdminPartners.tsx b/apps/portal/src/pages/AdminPartners.tsx
index 4e78ffe..77208b4 100644
--- a/apps/portal/src/pages/AdminPartners.tsx
+++ b/apps/portal/src/pages/AdminPartners.tsx
@@ -21,6 +21,7 @@ export function AdminPartners() {
   const [showCreate, setShowCreate] = useState(false);
   const [revoking, setRevoking] = useState<Partner | null>(null);
   const [managingPrograms, setManagingPrograms] = useState<Partner | null>(null);
+  const [managingCoupons, setManagingCoupons] = useState<Partner | null>(null);
 
   const partners = useQuery({ queryKey: ['partners'], queryFn: () => api<{ partners: Partner[] }>('/partners') });
 
@@ -61,6 +62,12 @@ export function AdminPartners() {
           onClose={() => setManagingPrograms(null)}
         />
       )}
+      {managingCoupons && (
+        <CouponsDialog
+          partner={managingCoupons}
+          onClose={() => setManagingCoupons(null)}
+        />
+      )}
 
       {partners.isLoading ? (
         <Card>Loading…</Card>
@@ -94,6 +101,13 @@ export function AdminPartners() {
                 Programs
               </button>
               <span style={{ color: theme.border }}>·</span>
+              <button
+                onClick={() => setManagingCoupons(p)}
+                style={{ background: 'none', border: 'none', padding: 0, fontSize: 13, color: theme.accent, cursor: 'pointer' }}
+              >
+                Coupons
+              </button>
+              <span style={{ color: theme.border }}>·</span>
               <Link to={`/payouts?partnerId=${p.id}`} style={{ color: theme.accent, fontSize: 13 }}>Payouts</Link>
               {!p.activatedAt && !p.revokedAt && (
                 <>
@@ -379,6 +393,117 @@ function ProgramsDialog({ partner, onClose }: { partner: Partner; onClose: () =>
   );
 }
 
+interface CouponRow {
+  id: string;
+  code: string;
+  campaignId: string;
+  createdAt: string;
+}
+
+interface CampaignBrief {
+  id: string;
+  name: string;
+}
+
+function CouponsDialog({ partner, onClose }: { partner: Partner; onClose: () => void }) {
+  const qc = useQueryClient();
+  const coupons = useQuery({
+    queryKey: ['partner-coupons', partner.id],
+    queryFn: () => api<{ coupons: CouponRow[] }>(`/partners/${partner.id}/coupons`),
+  });
+  const campaigns = useQuery({
+    queryKey: ['campaigns'],
+    queryFn: () => api<{ campaigns: CampaignBrief[] }>('/campaigns'),
+  });
+
+  const [pickedCampaign, setPickedCampaign] = useState('');
+  const [customCode, setCustomCode] = useState('');
+
+  const mint = useMutation({
+    mutationFn: () =>
+      api(`/partners/${partner.id}/coupons`, {
+        method: 'POST',
+        body: { campaignId: pickedCampaign, code: customCode.trim() ? customCode.trim().toUpperCase() : undefined },
+      }),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['partner-coupons', partner.id] });
+      setCustomCode('');
+      setPickedCampaign('');
+    },
+  });
+
+  const existingCampaignIds = new Set((coupons.data?.coupons ?? []).map((c) => c.campaignId));
+  const availableCampaigns = (campaigns.data?.campaigns ?? []).filter((c) => !existingCampaignIds.has(c.id));
+  const campaignNameById = new Map((campaigns.data?.campaigns ?? []).map((c) => [c.id, c.name]));
+
+  return (
+    <Card style={{ marginBottom: 14 }}>
+      <div style={{ display: 'flex', alignItems: 'baseline', gap: 12, marginBottom: 6 }}>
+        <div style={{ fontSize: 15, fontWeight: 500, flex: 1 }}>Coupons for {partner.name}</div>
+        <button onClick={onClose} style={{ background: 'none', border: 'none', color: theme.textMuted, cursor: 'pointer', fontSize: 13 }}>
+          Close
+        </button>
+      </div>
+      <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 14 }}>
+        Coupons attribute conversions when customers enter a code at checkout instead of clicking a share link.
+        Your site calls <code>POST /coupons/redeem</code> with the code; same downstream commission flow as click-driven attribution.
+      </div>
+      <ErrorBanner error={coupons.error ?? mint.error} />
+      {coupons.isLoading ? (
+        <p style={{ color: theme.textMuted, fontSize: 13 }}>Loading…</p>
+      ) : (
+        <>
+          {(coupons.data?.coupons ?? []).length > 0 && (
+            <div style={{ display: 'flex', flexDirection: 'column', gap: 6, marginBottom: 14 }}>
+              {(coupons.data?.coupons ?? []).map((c) => (
+                <div key={c.id} style={{ display: 'flex', alignItems: 'center', gap: 10, padding: '8px 12px', background: theme.surface2, border: `1px solid ${theme.borderSubtle}`, borderRadius: theme.radiusSm }}>
+                  <code style={{ fontSize: 14, fontWeight: 500, color: theme.text, flex: 1 }}>{c.code}</code>
+                  <span style={{ color: theme.textMuted, fontSize: 12 }}>
+                    {campaignNameById.get(c.campaignId) ?? c.campaignId}
+                  </span>
+                </div>
+              ))}
+            </div>
+          )}
+          {availableCampaigns.length > 0 ? (
+            <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr auto', gap: 8, alignItems: 'end' }}>
+              <div>
+                <Label>Campaign</Label>
+                <select
+                  value={pickedCampaign}
+                  onChange={(e) => setPickedCampaign(e.target.value)}
+                  style={{ width: '100%', padding: '8px 10px', background: theme.surface2, border: `1px solid ${theme.border}`, borderRadius: theme.radiusSm, color: theme.text, fontSize: 13 }}
+                >
+                  <option value="">— pick a campaign —</option>
+                  {availableCampaigns.map((c) => <option key={c.id} value={c.id}>{c.name}</option>)}
+                </select>
+              </div>
+              <div>
+                <Label>Code (optional)</Label>
+                <Input
+                  value={customCode}
+                  onChange={(e) => setCustomCode(e.target.value.toUpperCase().replace(/[^A-Z0-9-]/g, ''))}
+                  placeholder="auto-generates if blank"
+                  style={{ fontFamily: theme.fontMono }}
+                />
+              </div>
+              <Button onClick={() => mint.mutate()} disabled={!pickedCampaign || mint.isPending}>
+                {mint.isPending ? 'Minting…' : 'Mint coupon'}
+              </Button>
+            </div>
+          ) : (
+            <p style={{ color: theme.textMuted, fontSize: 13, margin: 0 }}>
+              {(coupons.data?.coupons ?? []).length === 0
+                ? 'No campaigns available. Create one in Campaigns first.'
+                : 'This partner has a coupon for every campaign already.'}
+            </p>
+          )}
+        </>
+      )}
+    </Card>
+  );
+}
+
 function ResendInvite({ partnerId }: { partnerId: string }) {
   const [sent, setSent] = useState(false);
   const mut = useMutation({
diff --git a/packages/db/migrations/20260606000000_coupon_codes.ts b/packages/db/migrations/20260606000000_coupon_codes.ts
new file mode 100644
index 0000000..9409b39
--- /dev/null
+++ b/packages/db/migrations/20260606000000_coupon_codes.ts
@@ -0,0 +1,63 @@
+import type { Knex } from 'knex';
+
+/**
+ * Coupon-code attribution.
+ *
+ * A coupon is the second-class attribution path: instead of a click on
+ * a partner share-link, the customer enters a code at checkout and the
+ * brand calls /coupons/redeem on conversion. Same downstream attribution
+ * + commission flow — internally we synthesize a Click + Identity + Event
+ * so the existing engine runs unchanged.
+ *
+ * v1 scope: one Coupon per (partnerId, campaignId). Auto-minted when
+ * the partner is granted access to a campaign (via PartnerCampaign
+ * insert in the application layer). No expiration, no usage cap, no
+ * per-customer dedup beyond the standard Event.externalEventId path.
+ *
+ * Code format is a-handle-or-id-suffix-with-random4 uppercased — short
+ * enough to type, recognizable enough to feel branded.
+ */
+
+export async function up(knex: Knex): Promise<void> {
+  // Click.linkId becomes nullable — coupon redemptions create a
+  // synthetic Click without a real Link (the customer entered a code,
+  // not clicked a URL). Existing rows all have a linkId; nothing to
+  // backfill.
+  await knex.schema.alterTable('Click', (t) => {
+    t.string('linkId').nullable().alter();
+  });
+
+  await knex.schema.createTable('Coupon', (t) => {
+    t.string('id').primary();
+    t.string('tenantId').notNullable();
+    t.string('partnerId').notNullable().references('id').inTable('Partner').onDelete('CASCADE');
+    t.string('campaignId').notNullable().references('id').inTable('Campaign').onDelete('CASCADE');
+    // Code is the user-facing string customers enter. Per-tenant unique
+    // so two brands' partners can both have CREATOR15. Case-insensitive
+    // lookup is enforced at the route layer.
+    t.string('code').notNullable();
+    t.timestamp('createdAt', { useTz: true }).notNullable().defaultTo(knex.fn.now());
+
+    t.unique(['tenantId', 'code']);
+    t.unique(['tenantId', 'partnerId', 'campaignId']);
+    t.index(['tenantId', 'partnerId']);
+  });
+
+  // RLS: coupons are tenant-scoped, same pattern as the rest of the
+  // multi-tenant tables. Privileged role bypasses; app role enforces
+  // the per-tenant filter via app.tenant_id GUC.
+  await knex.raw('alter table "Coupon" enable row level security');
+  await knex.raw(`
+    create policy "Coupon_tenant_isolation" on "Coupon"
+      using ("tenantId" = current_setting('app.tenant_id', true))
+      with check ("tenantId" = current_setting('app.tenant_id', true))
+  `);
+  await knex.raw('grant select, insert, update, delete on "Coupon" to openpartner_app');
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.dropTableIfExists('Coupon');
+  // Restoring the NOT NULL is unsafe if any coupon-redemption rows
+  // already exist (their linkId is null). Leave the column nullable —
+  // application code already tolerates either shape.
+}
diff --git a/packages/db/src/index.ts b/packages/db/src/index.ts
index 7c17efb..c2205ef 100644
--- a/packages/db/src/index.ts
+++ b/packages/db/src/index.ts
@@ -73,4 +73,5 @@ export const TABLES = {
   WebhookEndpoint: 'WebhookEndpoint',
   WebhookDelivery: 'WebhookDelivery',
   NetworkOutbox: 'NetworkOutbox',
+  Coupon: 'Coupon',
 } as const;
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index 56a814d..ddbbfce 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -196,7 +196,9 @@ export type ClickFraudFlag = 'velocity' | 'manual' | 'revoked' | null;
 export interface ClickRow {
   id: string;
   tenantId: string;
-  linkId: string;
+  /** Null for synthetic clicks generated by coupon-code redemptions
+   *  (no Link involved — customer entered a code, not clicked a URL). */
+  linkId: string | null;
   partnerId: string;
   campaignId: string;
   landingUrl: string;
@@ -357,3 +359,14 @@ export interface NetworkOutboxRow {
   lastError: string | null;
   status: NetworkOutboxStatus;
 }
+
+export interface CouponRow {
+  id: string;
+  tenantId: string;
+  partnerId: string;
+  campaignId: string;
+  /** User-facing string. Per-tenant unique. Lookups are case-insensitive
+   *  but storage is whatever the creator/admin picked at mint time. */
+  code: string;
+  createdAt: Date;
+}

From 9b35101137e937b3a6d149fd5c2565fb8b3307ee Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 19:51:10 -0700
Subject: [PATCH 097/131] feat(coupons): auto-mint on PartnerCampaign grant
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Extracts an autoMintCouponsForGrants helper from coupons.ts and calls
it after every PartnerCampaign insertion path:

  - POST /partners (initial grant of all-or-scoped campaigns)
  - POST /partners/:id/campaigns (admin's manual add via Programs UI)
  - Federation Network → /partners (Network-driven offering approval,
    via the same POST /partners route)

Idempotent on the (tenantId, partnerId, campaignId) unique — admin-
minted coupons aren't disturbed if they already exist. On (tenantId,
code) collision (rare), retries once with a fresh random suffix; if
that also collides, drops on the floor with an error log so the
partner-grant operation itself doesn't fail.

So the new flow: a partner gets granted a campaign → they immediately
have both attribution paths (share link + coupon code) without admin
having to take a second step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/coupons.ts           | 53 +++++++++++++++++++++++-
 apps/api/src/routes/partner-campaigns.ts |  6 +++
 apps/api/src/routes/partners.ts          |  6 +++
 3 files changed, 64 insertions(+), 1 deletion(-)

diff --git a/apps/api/src/routes/coupons.ts b/apps/api/src/routes/coupons.ts
index a2b22ab..f03ebe3 100644
--- a/apps/api/src/routes/coupons.ts
+++ b/apps/api/src/routes/coupons.ts
@@ -201,7 +201,7 @@ couponsRouter.post('/coupons/redeem', requireAuth, grantScope('events:write'), a
   res.status(201).json({ ok: true, eventId: result.id, partnerId: coupon.partnerId });
 });
 
-// ---------- Helper ----------
+// ---------- Helpers ----------
 
 function defaultCode(email: string): string {
   // <local-part-stripped-of-symbols-uppercased> + 4 random chars.
@@ -211,3 +211,54 @@ function defaultCode(email: string): string {
   const rand = randomBytes(2).toString('hex').toUpperCase();
   return `${slug}${rand}`;
 }
+
+/**
+ * Best-effort coupon mint after a PartnerCampaign grant. Used by:
+ *   - POST /partners (auto-grants all current campaigns by default)
+ *   - PUT /partners/:id/campaigns/:campaignId (admin grant)
+ *   - Federation Network → /partners with campaignIds (offering approval)
+ *
+ * Idempotent: skips silently if a coupon already exists for the
+ * (partnerId, campaignId) pair (admin may have minted one already).
+ * On code collision (rare, since email-derived suffixes are usually
+ * unique), retries once with a fresh suffix.
+ */
+export async function autoMintCouponsForGrants(
+  db: import('knex').Knex,
+  tenantId: string,
+  partner: { id: string; email: string },
+  campaignIds: string[],
+): Promise<void> {
+  if (campaignIds.length === 0) return;
+  for (const campaignId of campaignIds) {
+    let attempts = 0;
+    while (attempts < 2) {
+      attempts += 1;
+      const code = defaultCode(partner.email);
+      try {
+        await db<CouponRow>(TABLES.Coupon)
+          .insert({
+            id: `cpn_${ulid()}`,
+            tenantId,
+            partnerId: partner.id,
+            campaignId,
+            code,
+          })
+          .onConflict(['tenantId', 'partnerId', 'campaignId'])
+          .ignore(); // already exists for this (partner, campaign) — admin minted manually
+        break;
+      } catch (err) {
+        // Code collision (the (tenantId, code) unique constraint
+        // fired). Retry once with a fresh random suffix; defaultCode
+        // re-rolls 16 bits each call. If it still collides, drop on
+        // the floor — better to skip auto-mint than to fail the
+        // partner-grant operation.
+        if (typeof err === 'object' && err !== null && (err as { code?: string }).code === '23505' && attempts < 2) {
+          continue;
+        }
+        console.error('[coupons] auto-mint failed', { partnerId: partner.id, campaignId, err });
+        break;
+      }
+    }
+  }
+}
diff --git a/apps/api/src/routes/partner-campaigns.ts b/apps/api/src/routes/partner-campaigns.ts
index 54aa50e..437eed1 100644
--- a/apps/api/src/routes/partner-campaigns.ts
+++ b/apps/api/src/routes/partner-campaigns.ts
@@ -22,6 +22,7 @@ import { ulid } from 'ulid';
 import { TABLES, type CampaignRow, type PartnerCampaignRow, type PartnerRow } from '@openpartner/db';
 import { requireAdmin, requireAuth } from '../auth.js';
 import { tenantOf } from '../tenancy.js';
+import { autoMintCouponsForGrants } from './coupons.js';
 
 export const partnerCampaignsRouter = Router();
 
@@ -85,6 +86,11 @@ partnerCampaignsRouter.post('/partners/:id/campaigns', requireAuth, requireAdmin
     .onConflict(['tenantId', 'partnerId', 'campaignId'])
     .ignore();
 
+  // Mint default coupons alongside the grant so creators have both
+  // attribution paths (link + code) without admin doing two steps.
+  // Idempotent — pre-existing coupons aren't disturbed.
+  await autoMintCouponsForGrants(db, tenantId, { id: partner.id, email: partner.email }, toInsert);
+
   res.status(201).json({ added: toInsert });
 });
 
diff --git a/apps/api/src/routes/partners.ts b/apps/api/src/routes/partners.ts
index 877618f..0e8e5dd 100644
--- a/apps/api/src/routes/partners.ts
+++ b/apps/api/src/routes/partners.ts
@@ -8,6 +8,7 @@ import { getMailer } from '../mailer.js';
 import { buildMagicLinkUrl, partnerInviteEmail, partnerRevokedEmail } from '../email-templates.js';
 import { tenantOf } from '../tenancy.js';
 import { getNetworkMembership, pushPartnerRevoke, pushPartnerUpsert } from '../network-client.js';
+import { autoMintCouponsForGrants } from './coupons.js';
 
 const createSchema = z.object({
   email: z.string().email(),
@@ -112,6 +113,11 @@ partnersRouter.post('/partners', requireAuth, grantScope('partners:write'), requ
       )
       .onConflict(['tenantId', 'partnerId', 'campaignId'])
       .ignore();
+    // Auto-mint a default coupon per granted campaign so creators have
+    // both attribution paths (link + code) available without admin
+    // explicit action. ON CONFLICT IGNORE inside the helper means
+    // re-grants don't error.
+    await autoMintCouponsForGrants(db, tenantId, { id, email }, campaignIds);
   }
 
   if (sendInvite) {

From 413bbcca820f12c2f1111c6d8fa3205ada2ac728 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 19:54:20 -0700
Subject: [PATCH 098/131] feat(creator-portal): coupon codes alongside share
 URL on Share links
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Each partnership card now shows the partner's coupon code(s) under
the share URL with its own copy button. Hidden when the partnership
has no coupons (rare — auto-mint should populate one per granted
campaign). Footnote explains "customers who enter this at checkout
get attributed to you, same commission as the share link."

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../src/pages/creator/CreatorShareLinks.tsx   | 64 +++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/apps/portal/src/pages/creator/CreatorShareLinks.tsx b/apps/portal/src/pages/creator/CreatorShareLinks.tsx
index d1e06e6..19a20b1 100644
--- a/apps/portal/src/pages/creator/CreatorShareLinks.tsx
+++ b/apps/portal/src/pages/creator/CreatorShareLinks.tsx
@@ -6,6 +6,11 @@ import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page, formatDate }
 import { theme } from '../../theme.js';
 import { creatorApi } from './creator-api.js';
 
+interface Coupon {
+  code: string;
+  campaignId: string;
+}
+
 interface Partnership {
   id: string;
   vendorId: string;
@@ -18,6 +23,7 @@ interface Partnership {
   offeringTitle: string | null;
   shareUrl: string;
   customDomain: string | null;
+  coupons: Coupon[];
 }
 
 export function CreatorShareLinksPage() {
@@ -131,6 +137,21 @@ function PartnershipRow({ partnership }: { partnership: Partnership }) {
           {copied ? 'Copied' : 'Copy'}
         </button>
       </div>
+      {partnership.coupons.length > 0 && (
+        <div style={{ marginBottom: 8 }}>
+          <div style={{ fontSize: 11, color: theme.textDim, textTransform: 'uppercase', letterSpacing: '0.05em', marginBottom: 4 }}>
+            Coupon code{partnership.coupons.length > 1 ? 's' : ''}
+          </div>
+          <div style={{ display: 'flex', flexDirection: 'column', gap: 4 }}>
+            {partnership.coupons.map((c) => (
+              <CouponRow key={c.code} code={c.code} />
+            ))}
+          </div>
+          <p style={{ fontSize: 11, color: theme.textDim, margin: '6px 0 0' }}>
+            Customers who enter this code at checkout get attributed to you, same commission as the share link.
+          </p>
+        </div>
+      )}
       {editing ? (
         <div style={{ marginTop: 12 }}>
           <Label>Slug (path under your domain)</Label>
@@ -170,3 +191,46 @@ function PartnershipRow({ partnership }: { partnership: Partnership }) {
     </Card>
   );
 }
+
+function CouponRow({ code }: { code: string }) {
+  const [copied, setCopied] = useState(false);
+  function copy() {
+    navigator.clipboard.writeText(code).then(
+      () => { setCopied(true); setTimeout(() => setCopied(false), 1500); },
+      () => {/* ignore */},
+    );
+  }
+  return (
+    <div
+      style={{
+        display: 'flex',
+        alignItems: 'center',
+        gap: 8,
+        background: theme.surface2,
+        border: `1px solid ${theme.borderSubtle}`,
+        borderRadius: theme.radiusSm,
+        padding: '6px 10px',
+      }}
+    >
+      <code style={{ flex: 1, fontSize: 13, fontWeight: 500, color: theme.text, fontFamily: theme.fontMono }}>{code}</code>
+      <button
+        onClick={copy}
+        style={{
+          display: 'flex',
+          alignItems: 'center',
+          gap: 6,
+          background: 'transparent',
+          border: `1px solid ${theme.borderSubtle}`,
+          borderRadius: 6,
+          padding: '4px 8px',
+          fontSize: 11,
+          color: copied ? theme.success : theme.textMuted,
+          cursor: 'pointer',
+        }}
+      >
+        <Copy size={11} />
+        {copied ? 'Copied' : 'Copy'}
+      </button>
+    </div>
+  );
+}

From f485affaae0207728a56308e9800ad94e5710f25 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 20:04:10 -0700
Subject: [PATCH 099/131] feat(stripe-webhook): auto-redeem OpenPartner coupons
 from discount events
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Removes the trust gap on coupon attribution. Brand's checkout no
longer needs to call /coupons/redeem manually — Stripe webhooks for
checkout.session.completed / invoice.paid trigger automatic redemption
when the discount references an OpenPartner Coupon code.

Flow: webhook arrives → maybeRedeemStripeCoupons inspects
session.discounts + total_details.breakdown.discounts (and the same
shapes on invoice) → for each promotion_code, fetches Stripe to get
the customer-facing code (or uses coupon.id as fallback for brands
who set Stripe Coupon IDs to match OpenPartner codes) → looks up
matching OpenPartner Coupon by code (case-insensitive) → ensures the
synthetic Click + Identity exist for (coupon.partner, customer).

Multi-touch safe: ensureCouponClickAndIdentity no-ops when the user
already has an Identity row pointing at any Click on this partner —
re-redemptions of the same code don't add a new touchpoint, but a
prior share-link click followed by a different partner's coupon
correctly adds a second touch.

Refactored coupons.ts to expose findCouponByCode +
ensureCouponClickAndIdentity as primitives so /coupons/redeem and the
webhook share the same attribution-stitching logic.

Brand setup: configure Stripe webhook endpoint pointing at
/webhooks/stripe (already exists for billing); set Stripe Coupon IDs
or PromotionCode codes to match the OpenPartner code on the partner's
Coupon row.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/coupons.ts        |  96 +++++++++++++++-------
 apps/api/src/routes/stripe-webhook.ts | 112 ++++++++++++++++++++++++++
 2 files changed, 180 insertions(+), 28 deletions(-)

diff --git a/apps/api/src/routes/coupons.ts b/apps/api/src/routes/coupons.ts
index f03ebe3..bf21d98 100644
--- a/apps/api/src/routes/coupons.ts
+++ b/apps/api/src/routes/coupons.ts
@@ -147,34 +147,7 @@ couponsRouter.post('/coupons/redeem', requireAuth, grantScope('events:write'), a
   // Synthesize Click + Identity + Event in one trx so the attribution
   // engine sees a consistent picture.
   const result = await db.transaction(async (trx) => {
-    const clickId = ulid();
-    await trx<ClickRow>(TABLES.Click).insert({
-      id: clickId,
-      tenantId,
-      linkId: null, // no Link — coupon path doesn't have one
-      partnerId: coupon.partnerId,
-      campaignId: coupon.campaignId,
-      landingUrl: `coupon://${coupon.code}`,
-      ipHash: null,
-      userAgent: 'OpenPartner-CouponRedeem/1',
-      referer: null,
-      fraudFlag: null,
-      ts,
-    });
-
-    // Reuse existing Identity for this user if present, else mint one.
-    // Same dedup pattern the /identify route uses.
-    const existingIdentity = await trx<IdentityRow>(TABLES.Identity)
-      .where({ userId: body.data.userId })
-      .first();
-    if (!existingIdentity) {
-      await trx<IdentityRow>(TABLES.Identity).insert({
-        id: ulid(),
-        tenantId,
-        clickId,
-        userId: body.data.userId,
-      });
-    }
+    await ensureCouponClickAndIdentity(trx, tenantId, coupon, body.data.userId, ts);
 
     const eventId = ulid();
     const [eventRow] = (await trx<EventRow>(TABLES.Event)
@@ -201,6 +174,73 @@ couponsRouter.post('/coupons/redeem', requireAuth, grantScope('events:write'), a
   res.status(201).json({ ok: true, eventId: result.id, partnerId: coupon.partnerId });
 });
 
+/**
+ * Lookup a Coupon by code (case-insensitive) within the current tenant.
+ * Used by both the /coupons/redeem route and the Stripe webhook auto-
+ * redemption path. Returns null when the code doesn't match anything in
+ * this tenant — letting the caller no-op rather than 404.
+ */
+export async function findCouponByCode(
+  db: import('knex').Knex,
+  code: string,
+): Promise<CouponRow | null> {
+  const row = await db<CouponRow>(TABLES.Coupon)
+    .whereRaw('lower("code") = ?', [code.toLowerCase()])
+    .first();
+  return row ?? null;
+}
+
+/**
+ * Ensure a synthetic coupon Click + Identity exists for the given
+ * (coupon, userId). If the user already has an Identity for any
+ * Click on this coupon's partner, no-op (the user is already
+ * attributed). Otherwise insert a fresh Click + Identity so the
+ * attribution engine credits this partner on the next Event for
+ * this user.
+ *
+ * The check is "any click for this partner" not "this exact coupon"
+ * — re-redemptions of the same code by the same user shouldn't add
+ * a new touchpoint, but a click on partner A's link followed by a
+ * coupon for partner B should add a second touch (multi-touch).
+ */
+export async function ensureCouponClickAndIdentity(
+  trx: import('knex').Knex,
+  tenantId: string,
+  coupon: CouponRow,
+  userId: string,
+  ts: Date,
+): Promise<{ clickId: string; reused: boolean }> {
+  // Has the user already been linked (via any Click) to this partner?
+  // If so, no-op — they're already attributed and adding another
+  // synthetic click would shift multi-touch weights unfairly.
+  const existing = await trx<IdentityRow>(TABLES.Identity)
+    .join(TABLES.Click, `${TABLES.Click}.id`, `${TABLES.Identity}.clickId`)
+    .where(`${TABLES.Identity}.userId`, userId)
+    .andWhere(`${TABLES.Click}.partnerId`, coupon.partnerId)
+    .first(`${TABLES.Identity}.clickId as clickId`) as { clickId: string } | undefined;
+  if (existing) return { clickId: existing.clickId, reused: true };
+
+  const clickId = ulid();
+  await trx<ClickRow>(TABLES.Click).insert({
+    id: clickId,
+    tenantId,
+    linkId: null, // no Link — coupon path doesn't have one
+    partnerId: coupon.partnerId,
+    campaignId: coupon.campaignId,
+    landingUrl: `coupon://${coupon.code}`,
+    ipHash: null,
+    userAgent: 'OpenPartner-CouponRedeem/1',
+    referer: null,
+    fraudFlag: null,
+    ts,
+  });
+  await trx<IdentityRow>(TABLES.Identity)
+    .insert({ id: ulid(), tenantId, clickId, userId })
+    .onConflict(['clickId', 'userId'])
+    .ignore();
+  return { clickId, reused: false };
+}
+
 // ---------- Helpers ----------
 
 function defaultCode(email: string): string {
diff --git a/apps/api/src/routes/stripe-webhook.ts b/apps/api/src/routes/stripe-webhook.ts
index 34f7d7a..7be7d38 100644
--- a/apps/api/src/routes/stripe-webhook.ts
+++ b/apps/api/src/routes/stripe-webhook.ts
@@ -15,6 +15,7 @@ import {
 import { appDb, db } from '../db.js';
 import { attributeEvent } from '../attribution.js';
 import { persistMerchantSubscription } from './billing.js';
+import { ensureCouponClickAndIdentity, findCouponByCode } from './coupons.js';
 
 const stripeKey = process.env.STRIPE_SECRET_KEY;
 // STRIPE_WEBHOOK_SECRET accepts either a single secret or a comma-separated
@@ -85,6 +86,16 @@ stripeWebhookRouter.post(
       const connectResult = await handleConnectEvent(trx, event!, tenantId);
       if (connectResult) return { connect: connectResult };
 
+      // Coupon auto-redemption: if the event carries a discount code that
+      // matches an OpenPartner Coupon in this tenant, ensure the synthetic
+      // Click + Identity exist BEFORE the standard attribution path runs.
+      // The next attributeEvent() call then finds the click and credits
+      // the partner — same code path as a clicked share-link conversion.
+      const redeemed = await maybeRedeemStripeCoupons(trx, stripe!, event!, tenantId);
+      if (redeemed.length > 0) {
+        console.log('[stripe-webhook] auto-redeemed coupons', { eventId: event!.id, redeemed });
+      }
+
       const mapped = await mapStripeEvent(trx, stripe!, event!);
       if (!mapped) return { skipped: event!.type };
 
@@ -525,3 +536,104 @@ async function resolveUserIdFromCustomer(
   const identity = await trx<IdentityRow>(TABLES.Identity).where({ userId: customerId }).first();
   return identity ? customerId : null;
 }
+
+/**
+ * Auto-redeem any OpenPartner Coupons referenced by discount codes on
+ * the event. Runs BEFORE the standard event mapping — synthesizes the
+ * Click + Identity for the customer so the next attribution pass
+ * credits the partner. Returns the matched codes (for logging only).
+ *
+ * Stripe events that can carry discount codes:
+ *   - checkout.session.completed (session.discounts +
+ *                                  session.total_details.breakdown.discounts)
+ *   - invoice.paid (invoice.discounts)
+ *   - customer.subscription.created (subscription.discounts) — invoice
+ *     also fires for subs so this is partly redundant; covered for
+ *     consistency.
+ *
+ * The customer-facing code lives at promotion_code.code (when set).
+ * If the discount has only a Coupon (no PromotionCode), we fall back
+ * to coupon.id — brands setting their Stripe Coupon IDs to match
+ * OpenPartner codes works without an extra Stripe API call.
+ */
+async function maybeRedeemStripeCoupons(
+  trx: Knex.Transaction,
+  stripe: Stripe,
+  event: Stripe.Event,
+  tenantId: string,
+): Promise<string[]> {
+  const obj = event.data.object as unknown as Record<string, unknown>;
+  const ts = new Date(event.created * 1000);
+
+  // Customer ID — same shape across the event types we handle.
+  const customerRaw =
+    (obj.customer as string | { id: string } | null | undefined) ??
+    (obj.customer_email as string | undefined);
+  const userId = typeof customerRaw === 'string' ? customerRaw : customerRaw?.id;
+  if (!userId) return [];
+
+  // Collect candidate codes from wherever Stripe might surface them.
+  const candidateCodes: string[] = [];
+  for (const d of extractDiscounts(event)) {
+    const code = await resolveDiscountCode(stripe, d);
+    if (code) candidateCodes.push(code);
+  }
+  if (candidateCodes.length === 0) return [];
+
+  const matched: string[] = [];
+  for (const code of candidateCodes) {
+    const coupon = await findCouponByCode(trx, code);
+    if (!coupon) continue;
+    await ensureCouponClickAndIdentity(trx, tenantId, coupon, userId, ts);
+    matched.push(coupon.code);
+  }
+  return matched;
+}
+
+interface DiscountRef {
+  coupon?: string | { id: string } | null;
+  promotion_code?: string | { id: string; code?: string } | null;
+}
+
+function extractDiscounts(event: Stripe.Event): DiscountRef[] {
+  const obj = event.data.object as unknown as Record<string, unknown>;
+  const out: DiscountRef[] = [];
+
+  // checkout.session.completed: session.discounts + total_details.breakdown.discounts
+  if (Array.isArray(obj.discounts)) {
+    for (const d of obj.discounts as Array<DiscountRef | string>) {
+      if (typeof d === 'object' && d !== null) out.push(d);
+    }
+  }
+  const totalDetails = obj.total_details as
+    | { breakdown?: { discounts?: Array<{ discount?: DiscountRef }> } }
+    | undefined;
+  if (totalDetails?.breakdown?.discounts) {
+    for (const item of totalDetails.breakdown.discounts) {
+      if (item.discount) out.push(item.discount);
+    }
+  }
+  return out;
+}
+
+async function resolveDiscountCode(stripe: Stripe, d: DiscountRef): Promise<string | null> {
+  // Prefer the customer-facing PromotionCode string.
+  if (d.promotion_code) {
+    if (typeof d.promotion_code === 'object' && d.promotion_code.code) {
+      return d.promotion_code.code;
+    }
+    const id = typeof d.promotion_code === 'string' ? d.promotion_code : d.promotion_code.id;
+    try {
+      const promo = await stripe.promotionCodes.retrieve(id);
+      if (promo.code) return promo.code;
+    } catch (err) {
+      console.error('[stripe-webhook] promotion_code retrieve failed', { id, err });
+    }
+  }
+  // Fallback: use the Coupon's Stripe ID directly. Brands who set their
+  // Stripe Coupon IDs to match OpenPartner codes don't need the API call.
+  if (d.coupon) {
+    return typeof d.coupon === 'string' ? d.coupon : d.coupon.id;
+  }
+  return null;
+}

From 4dd29f2d8292887c28a9cabc2b4c632b1717d9b5 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 20:09:49 -0700
Subject: [PATCH 100/131] feat(coupons): per-code redemption + revenue stats
 (90d)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

GET /partners/:id/coupons now returns redemptions90d + revenue90d on
each row. Two batched aggregate queries (click counts grouped by
landingUrl, then revenue via Click→Attribution→Event) regardless of
how many coupons the partner has — O(1) for the common case where
partners have a handful of codes.

Coupon-driven Clicks are identifiable by landingUrl='coupon://<code>'
(the synthetic landingUrl ensureCouponClickAndIdentity sets), so the
group-by is straightforward.

Brand admin Coupons dialog now shows "N redemptions (90d)" or "unused
(90d)" per code so admins can spot codes their partners have shared
but never converted.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/coupons.ts          | 41 ++++++++++++++++++++++++-
 apps/portal/src/pages/AdminPartners.tsx |  7 +++++
 2 files changed, 47 insertions(+), 1 deletion(-)

diff --git a/apps/api/src/routes/coupons.ts b/apps/api/src/routes/coupons.ts
index bf21d98..70936eb 100644
--- a/apps/api/src/routes/coupons.ts
+++ b/apps/api/src/routes/coupons.ts
@@ -45,7 +45,46 @@ couponsRouter.get('/partners/:id/coupons', requireAuth, requirePartnerOrAdmin('i
   const rows = await db<CouponRow>(TABLES.Coupon)
     .where({ partnerId: req.params.id })
     .orderBy('createdAt', 'asc');
-  res.json({ coupons: rows });
+  if (rows.length === 0) return res.json({ coupons: [] });
+
+  // 90-day redemption stats per coupon. Coupon-driven Clicks are
+  // identifiable by landingUrl='coupon://<code>'. Two batched queries
+  // (one for click counts, one for revenue) keep this O(1) regardless
+  // of how many coupons the partner has.
+  const since = new Date(Date.now() - 90 * 24 * 60 * 60 * 1000);
+  const landingUrls = rows.map((r) => `coupon://${r.code}`);
+
+  const clickCounts = (await db(TABLES.Click)
+    .where({ partnerId: req.params.id })
+    .whereIn('landingUrl', landingUrls)
+    .andWhere('ts', '>=', since)
+    .groupBy('landingUrl')
+    .select('landingUrl')
+    .count<{ landingUrl: string; count: string }[]>({ count: '*' })) as Array<{ landingUrl: string; count: string }>;
+
+  const revenue = (await db(TABLES.Click)
+    .join(TABLES.Attribution, `${TABLES.Attribution}.clickId`, `${TABLES.Click}.id`)
+    .join(TABLES.Event, `${TABLES.Event}.id`, `${TABLES.Attribution}.eventId`)
+    .where(`${TABLES.Click}.partnerId`, req.params.id)
+    .whereIn(`${TABLES.Click}.landingUrl`, landingUrls)
+    .andWhere(`${TABLES.Attribution}.computedAt`, '>=', since)
+    .groupBy(`${TABLES.Click}.landingUrl`)
+    .select(`${TABLES.Click}.landingUrl as landingUrl`)
+    .select(db.raw(`COALESCE(SUM("Event".value * "Attribution".weight), 0) as revenue`))) as Array<{ landingUrl: string; revenue: string }>;
+
+  const countByUrl = new Map(clickCounts.map((r) => [r.landingUrl, Number(r.count)]));
+  const revenueByUrl = new Map(revenue.map((r) => [r.landingUrl, Number(r.revenue)]));
+
+  res.json({
+    coupons: rows.map((r) => {
+      const url = `coupon://${r.code}`;
+      return {
+        ...r,
+        redemptions90d: countByUrl.get(url) ?? 0,
+        revenue90d: revenueByUrl.get(url) ?? 0,
+      };
+    }),
+  });
 });
 
 const createSchema = z.object({
diff --git a/apps/portal/src/pages/AdminPartners.tsx b/apps/portal/src/pages/AdminPartners.tsx
index 77208b4..f11288f 100644
--- a/apps/portal/src/pages/AdminPartners.tsx
+++ b/apps/portal/src/pages/AdminPartners.tsx
@@ -398,6 +398,8 @@ interface CouponRow {
   code: string;
   campaignId: string;
   createdAt: string;
+  redemptions90d?: number;
+  revenue90d?: number;
 }
 
 interface CampaignBrief {
@@ -461,6 +463,11 @@ function CouponsDialog({ partner, onClose }: { partner: Partner; onClose: () =>
                   <span style={{ color: theme.textMuted, fontSize: 12 }}>
                     {campaignNameById.get(c.campaignId) ?? c.campaignId}
                   </span>
+                  <span style={{ color: theme.textMuted, fontSize: 11, whiteSpace: 'nowrap' }}>
+                    {(c.redemptions90d ?? 0) > 0
+                      ? `${c.redemptions90d} redemption${c.redemptions90d === 1 ? '' : 's'} (90d)`
+                      : 'unused (90d)'}
+                  </span>
                 </div>
               ))}
             </div>

From 230ed5891b156718a98902560cfba50794b4c8a1 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 20:12:06 -0700
Subject: [PATCH 101/131] feat(creator-portal): per-coupon redemption + revenue
 stats
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Each coupon row on Share links now shows "N redemptions · \$X (90d)"
or "No redemptions yet (90d)". When a creator has shared codes but
seen 0 redemptions across all their codes, surface a help line:

  No redemptions yet. If you've been sharing codes, the brand may
  not have wired up the OpenPartner integration on their checkout.
  Reach out to confirm.

Closes the trust gap from the creator side — they can spot brand
integration failures on their own and dispute, instead of finding
out months later when commissions never arrive.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../src/pages/creator/CreatorShareLinks.tsx   | 43 +++++++++++++++----
 1 file changed, 35 insertions(+), 8 deletions(-)

diff --git a/apps/portal/src/pages/creator/CreatorShareLinks.tsx b/apps/portal/src/pages/creator/CreatorShareLinks.tsx
index 19a20b1..fee4f49 100644
--- a/apps/portal/src/pages/creator/CreatorShareLinks.tsx
+++ b/apps/portal/src/pages/creator/CreatorShareLinks.tsx
@@ -2,13 +2,15 @@ import { useState } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { Link } from 'react-router-dom';
 import { Copy, Megaphone } from 'lucide-react';
-import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page, formatDate } from '../../ui.js';
+import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page, formatDate, money } from '../../ui.js';
 import { theme } from '../../theme.js';
 import { creatorApi } from './creator-api.js';
 
 interface Coupon {
   code: string;
   campaignId: string;
+  redemptions90d: number;
+  revenue90d: number;
 }
 
 interface Partnership {
@@ -144,12 +146,10 @@ function PartnershipRow({ partnership }: { partnership: Partnership }) {
           </div>
           <div style={{ display: 'flex', flexDirection: 'column', gap: 4 }}>
             {partnership.coupons.map((c) => (
-              <CouponRow key={c.code} code={c.code} />
+              <CouponRow key={c.code} coupon={c} />
             ))}
           </div>
-          <p style={{ fontSize: 11, color: theme.textDim, margin: '6px 0 0' }}>
-            Customers who enter this code at checkout get attributed to you, same commission as the share link.
-          </p>
+          <CouponHelp coupons={partnership.coupons} />
         </div>
       )}
       {editing ? (
@@ -192,10 +192,10 @@ function PartnershipRow({ partnership }: { partnership: Partnership }) {
   );
 }
 
-function CouponRow({ code }: { code: string }) {
+function CouponRow({ coupon }: { coupon: Coupon }) {
   const [copied, setCopied] = useState(false);
   function copy() {
-    navigator.clipboard.writeText(code).then(
+    navigator.clipboard.writeText(coupon.code).then(
       () => { setCopied(true); setTimeout(() => setCopied(false), 1500); },
       () => {/* ignore */},
     );
@@ -212,7 +212,12 @@ function CouponRow({ code }: { code: string }) {
         padding: '6px 10px',
       }}
     >
-      <code style={{ flex: 1, fontSize: 13, fontWeight: 500, color: theme.text, fontFamily: theme.fontMono }}>{code}</code>
+      <code style={{ flex: 1, fontSize: 13, fontWeight: 500, color: theme.text, fontFamily: theme.fontMono }}>{coupon.code}</code>
+      <span style={{ color: theme.textMuted, fontSize: 11, whiteSpace: 'nowrap' }}>
+        {coupon.redemptions90d > 0
+          ? `${coupon.redemptions90d.toLocaleString()} redemption${coupon.redemptions90d === 1 ? '' : 's'} · ${money(coupon.revenue90d, 'USD')}`
+          : 'No redemptions yet (90d)'}
+      </span>
       <button
         onClick={copy}
         style={{
@@ -234,3 +239,25 @@ function CouponRow({ code }: { code: string }) {
     </div>
   );
 }
+
+/** Footnote that adapts to whether the creator's coupons are seeing
+ *  redemptions. If they've shared codes but seen 0 redemptions in 90
+ *  days, surface a hint that the brand may not have the integration
+ *  wired up — closes the trust gap from the creator side. */
+function CouponHelp({ coupons }: { coupons: Coupon[] }) {
+  const totalRedemptions = coupons.reduce((sum, c) => sum + c.redemptions90d, 0);
+  const allZero = coupons.length > 0 && totalRedemptions === 0;
+  if (allZero) {
+    return (
+      <p style={{ fontSize: 11, color: theme.textMuted, margin: '6px 0 0' }}>
+        No redemptions yet. If you&rsquo;ve been sharing codes, the brand may not have wired up
+        the OpenPartner integration on their checkout. Reach out to confirm.
+      </p>
+    );
+  }
+  return (
+    <p style={{ fontSize: 11, color: theme.textDim, margin: '6px 0 0' }}>
+      Customers who enter a code at checkout get attributed to you, same commission as the share link.
+    </p>
+  );
+}

From 4140cd9105929ecb8a3918b3fa9540c2e26694d1 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 20:16:42 -0700
Subject: [PATCH 102/131] feat(coupons): integration verification gate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds Tenant.couponIntegrationVerifiedAt + a hard gate on manual
coupon mints past 5 unverified coupons. Forces brands to actually
wire up /coupons/redeem (or the Stripe webhook auto-redemption) and
process at least one real redemption before they can hand out more
codes.

Stamp set inside ensureCouponClickAndIdentity (the choke point both
the manual /coupons/redeem and the Stripe webhook auto-path go
through). COALESCE preserves the original verification date on
subsequent redemptions — first-redemption timestamp is what matters,
not the most recent.

Auto-mint via PartnerCampaign grants stays gate-less — those are
system actions, not admin intent. Only the manual POST
/partners/:id/coupons checks the gate.

Brand admin Coupons dialog: 409 verification_required → renders an
explainer banner with the threshold + existing count + recovery
steps (wire up the integration, process one test redemption,
return).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/coupons.ts                | 39 +++++++++++++++++++
 apps/portal/src/pages/AdminPartners.tsx       | 20 +++++++++-
 ...60607000000_coupon_integration_verified.ts | 29 ++++++++++++++
 packages/db/src/types.ts                      |  4 ++
 4 files changed, 90 insertions(+), 2 deletions(-)
 create mode 100644 packages/db/migrations/20260607000000_coupon_integration_verified.ts

diff --git a/apps/api/src/routes/coupons.ts b/apps/api/src/routes/coupons.ts
index 70936eb..ddf0127 100644
--- a/apps/api/src/routes/coupons.ts
+++ b/apps/api/src/routes/coupons.ts
@@ -98,11 +98,38 @@ const createSchema = z.object({
     .optional(),
 });
 
+/** Free-trial threshold: a brand can mint up to this many coupons
+ *  manually before we require integration verification. Auto-mint on
+ *  PartnerCampaign grant doesn't trip the gate (system action, not
+ *  admin intent). */
+const COUPON_VERIFICATION_THRESHOLD = 5;
+
 couponsRouter.post('/partners/:id/coupons', requireAuth, requireAdmin, async (req, res) => {
   const { db, tenantId } = tenantOf(req);
   const body = createSchema.safeParse(req.body ?? {});
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
+  // Verification gate: past N coupons without a successful redemption
+  // ever recorded, refuse new manual mints. Forces the brand to
+  // actually wire up /coupons/redeem (or the Stripe webhook auto-
+  // redemption path) before they hand more codes to creators that
+  // won't attribute.
+  const tenant = (await db('Tenant').where({ id: tenantId }).first(['couponIntegrationVerifiedAt'])) as
+    | { couponIntegrationVerifiedAt: Date | null }
+    | undefined;
+  if (!tenant?.couponIntegrationVerifiedAt) {
+    const countRow = (await db(TABLES.Coupon).count<{ count: string }[]>({ count: '*' })) as Array<{ count: string }>;
+    const existing = Number(countRow[0]?.count ?? 0);
+    if (existing >= COUPON_VERIFICATION_THRESHOLD) {
+      return res.status(409).json({
+        error: 'verification_required',
+        detail: `You have ${existing} coupons but no successful redemption yet. Wire up POST /coupons/redeem on your checkout — or set up a Stripe webhook pointing at /webhooks/stripe — and process one test redemption to unlock further mints. This protects creators from sharing codes that don't actually attribute.`,
+        threshold: COUPON_VERIFICATION_THRESHOLD,
+        existing,
+      });
+    }
+  }
+
   const partner = await db<PartnerRow>(TABLES.Partner).where({ id: req.params.id }).first();
   if (!partner) return res.status(404).json({ error: 'partner_not_found' });
 
@@ -277,6 +304,18 @@ export async function ensureCouponClickAndIdentity(
     .insert({ id: ulid(), tenantId, clickId, userId })
     .onConflict(['clickId', 'userId'])
     .ignore();
+
+  // Stamp the tenant's "coupon integration is verified" flag on the
+  // FIRST successful redemption ever. COALESCE preserves the original
+  // verification date on subsequent redemptions. Cross-tenant write,
+  // which means the privileged db (not RLS-scoped trx) — but we
+  // already know the tenantId came from a verified Coupon lookup.
+  await trx('Tenant')
+    .where({ id: tenantId })
+    .update({
+      couponIntegrationVerifiedAt: trx.raw('COALESCE("couponIntegrationVerifiedAt", NOW())'),
+    });
+
   return { clickId, reused: false };
 }
 
diff --git a/apps/portal/src/pages/AdminPartners.tsx b/apps/portal/src/pages/AdminPartners.tsx
index f11288f..ca11c73 100644
--- a/apps/portal/src/pages/AdminPartners.tsx
+++ b/apps/portal/src/pages/AdminPartners.tsx
@@ -2,7 +2,7 @@ import { useState } from 'react';
 import { Link } from 'react-router-dom';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { Plus, Users } from 'lucide-react';
-import { api } from '../api.js';
+import { api, ApiError } from '../api.js';
 import { theme } from '../theme.js';
 import { Avatar, Button, Card, EmptyState, ErrorBanner, Input, Label, Page, StatusPill, Table, formatDate } from '../ui.js';
 
@@ -434,6 +434,12 @@ function CouponsDialog({ partner, onClose }: { partner: Partner; onClose: () =>
     },
   });
 
+  // Pull the verification gate state so the admin sees a banner when
+  // they've crossed the threshold without verifying.
+  const gateError = mint.error instanceof ApiError && mint.error.message === 'verification_required'
+    ? (mint.error.detail as { detail?: string; threshold?: number; existing?: number } | undefined)
+    : null;
+
   const existingCampaignIds = new Set((coupons.data?.coupons ?? []).map((c) => c.campaignId));
   const availableCampaigns = (campaigns.data?.campaigns ?? []).filter((c) => !existingCampaignIds.has(c.id));
   const campaignNameById = new Map((campaigns.data?.campaigns ?? []).map((c) => [c.id, c.name]));
@@ -450,7 +456,17 @@ function CouponsDialog({ partner, onClose }: { partner: Partner; onClose: () =>
         Coupons attribute conversions when customers enter a code at checkout instead of clicking a share link.
         Your site calls <code>POST /coupons/redeem</code> with the code; same downstream commission flow as click-driven attribution.
       </div>
-      <ErrorBanner error={coupons.error ?? mint.error} />
+      <ErrorBanner error={coupons.error ?? (gateError ? null : mint.error)} />
+      {gateError && (
+        <div style={{ background: `${theme.danger}10`, border: `1px solid ${theme.danger}55`, borderRadius: theme.radiusSm, padding: 12, marginBottom: 12 }}>
+          <div style={{ fontSize: 13, color: theme.danger, fontWeight: 500, marginBottom: 6 }}>
+            Verify your coupon integration before minting more
+          </div>
+          <div style={{ fontSize: 12, color: theme.text, lineHeight: 1.5 }}>
+            {gateError.detail}
+          </div>
+        </div>
+      )}
       {coupons.isLoading ? (
         <p style={{ color: theme.textMuted, fontSize: 13 }}>Loading…</p>
       ) : (
diff --git a/packages/db/migrations/20260607000000_coupon_integration_verified.ts b/packages/db/migrations/20260607000000_coupon_integration_verified.ts
new file mode 100644
index 0000000..b133c6e
--- /dev/null
+++ b/packages/db/migrations/20260607000000_coupon_integration_verified.ts
@@ -0,0 +1,29 @@
+import type { Knex } from 'knex';
+
+/**
+ * Coupon-integration verification gate.
+ *
+ * Tracks whether the brand's coupon-redemption integration has been
+ * proven to work — i.e. at least one synthetic Click was created via
+ * either /coupons/redeem or the Stripe webhook auto-redemption path.
+ *
+ * The route layer reads this to gate manual coupon mints past a
+ * small free-trial threshold. Without it, a brand could happily mint
+ * 50 coupons for partners to promote, never wire up their checkout
+ * integration, and silently stiff every partner.
+ *
+ * Stamp set on the FIRST successful coupon redemption ever; never
+ * unset. Idempotent: subsequent redemptions don't re-stamp.
+ */
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Tenant', (t) => {
+    t.timestamp('couponIntegrationVerifiedAt', { useTz: true });
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Tenant', (t) => {
+    t.dropColumn('couponIntegrationVerifiedAt');
+  });
+}
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index ddbbfce..dd1fbcc 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -25,6 +25,10 @@ export interface TenantRow {
   suspendedAt: Date | null;
   pendingDeletionAt: Date | null;
   deletionReason: string | null;
+  /** Set on the FIRST successful coupon redemption (any path). Used to
+   *  gate large coupon mints behind a "you've actually wired up the
+   *  /coupons/redeem integration" check. Null = never verified. */
+  couponIntegrationVerifiedAt: Date | null;
 }
 
 /** ID of the seeded default tenant — used in single-host mode and during migration backfills. */

From b7ab4360c5a4876d0e076a7c05b2a7373b4c65a4 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 20:23:27 -0700
Subject: [PATCH 103/131] chore(portal): sticky sidebar so middle nav actually
 scrolls
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The sidebar was already structured with header / flex-1 overflow-auto
middle / footer, but the <aside> itself had no height constraint —
so it grew with the main content and the inner overflow never
triggered. Logo + sign-out scrolled away with the page.

Pin the aside with position:sticky + height:100vh + top:0 on both
the brand Sidebar and the CreatorSidebar. Header (logo + chip),
middle nav (NavSections), and footer (Sign out) now stay fixed
relative to the viewport with the middle scrolling on its own.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/App.tsx                        | 7 +++++++
 apps/portal/src/pages/creator/CreatorShell.tsx | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index 3760df6..0d89581 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -222,7 +222,14 @@ function Sidebar({ principal }: { principal: Principal }) {
   return (
     <aside
       style={{
+        // Sticky + 100vh pins the aside to the viewport so the middle
+        // nav's overflow:auto actually scrolls. Without this, the
+        // aside would grow with the main content and the inner overflow
+        // would never trigger.
         width: 248,
+        height: '100vh',
+        position: 'sticky',
+        top: 0,
         background: theme.sidebar,
         borderRight: `1px solid ${theme.borderSubtle}`,
         display: 'flex',
diff --git a/apps/portal/src/pages/creator/CreatorShell.tsx b/apps/portal/src/pages/creator/CreatorShell.tsx
index cc9cebe..443ff62 100644
--- a/apps/portal/src/pages/creator/CreatorShell.tsx
+++ b/apps/portal/src/pages/creator/CreatorShell.tsx
@@ -61,7 +61,14 @@ function CreatorSidebar({ creator }: { creator: NonNullable<Whoami['creator']> }
   return (
     <aside
       style={{
+        // Sticky + 100vh pins the aside to the viewport so the middle
+        // nav's overflow:auto actually scrolls (otherwise the aside
+        // grows with the main content and the inner overflow never
+        // triggers).
         width: 248,
+        height: '100vh',
+        position: 'sticky',
+        top: 0,
         background: theme.sidebar,
         borderRight: `1px solid ${theme.borderSubtle}`,
         display: 'flex',

From f7ec85e74ce95bb94b40cd0d77df1f52b0563828 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 20:37:56 -0700
Subject: [PATCH 104/131] fix(migration): guard Coupon grant when
 openpartner_app role is absent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OPENPARTNER_APP_DB_PASSWORD is unset on production right now (the
app runs as the migration role and bypasses RLS), so openpartner_app
doesn't exist and the unconditional GRANT failed the migration —
refusing to start the api.

Wrap in the same DO block pattern NetworkOutbox uses: only grant if
the role actually exists. RLS policy + table creation still run
unconditionally so the migration is correct for both deployment
shapes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../db/migrations/20260606000000_coupon_codes.ts    | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/packages/db/migrations/20260606000000_coupon_codes.ts b/packages/db/migrations/20260606000000_coupon_codes.ts
index 9409b39..0c94100 100644
--- a/packages/db/migrations/20260606000000_coupon_codes.ts
+++ b/packages/db/migrations/20260606000000_coupon_codes.ts
@@ -52,7 +52,18 @@ export async function up(knex: Knex): Promise<void> {
       using ("tenantId" = current_setting('app.tenant_id', true))
       with check ("tenantId" = current_setting('app.tenant_id', true))
   `);
-  await knex.raw('grant select, insert, update, delete on "Coupon" to openpartner_app');
+  // App-role grant. Idempotent — if openpartner_app doesn't exist
+  // (OPENPARTNER_APP_DB_PASSWORD unset; the app runs as the migration
+  // role and bypasses RLS), this is a no-op via DO block.
+  await knex.raw(`
+    do $$
+    begin
+      if exists (select 1 from pg_roles where rolname = 'openpartner_app') then
+        execute 'grant select, insert, update, delete on "Coupon" to openpartner_app';
+      end if;
+    end
+    $$;
+  `);
 }
 
 export async function down(knex: Knex): Promise<void> {

From e44928635bd6d26567eabb643106a52225618203 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 22:32:25 -0700
Subject: [PATCH 105/131] fix(db): carry sslmode from DATABASE_URL to
 DATABASE_URL_APP
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

DO Managed Postgres rejects unencrypted connections, but the app pool
only picked up SSL when DATABASE_URL_APP itself contained sslmode=*. If
an operator set DATABASE_URL_APP without the param (matching the format
DO shows for DATABASE_URL in its UI, which omits sslmode), every request
500'd with "no pg_hba.conf entry … no encryption". Both URLs always
target the same cluster, so inherit the admin URL's sslmode when the app
URL is silent.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/db.ts | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/apps/api/src/db.ts b/apps/api/src/db.ts
index 018ab33..8ed940e 100644
--- a/apps/api/src/db.ts
+++ b/apps/api/src/db.ts
@@ -22,12 +22,28 @@ import './env.js';
 import { createDb } from '@openpartner/db';
 
 const adminUrl = process.env.DATABASE_URL;
-const appUrl = process.env.DATABASE_URL_APP ?? adminUrl;
+const rawAppUrl = process.env.DATABASE_URL_APP ?? adminUrl;
 
 if (!adminUrl) {
   throw new Error('DATABASE_URL must be set');
 }
 
+// If the admin URL specifies sslmode but the app URL doesn't, carry it
+// across. Both URLs target the same managed cluster (the app role lives
+// alongside the admin role), so SSL requirements are identical — making
+// operators set sslmode in two places is just a footgun. DO Managed
+// Postgres rejects unencrypted connections, so a missing sslmode on the
+// app URL surfaces as a pg_hba "no encryption" error at request time.
+function inheritSslMode(appUrl: string, adminUrl: string): string {
+  if (/[?&]sslmode=/i.test(appUrl)) return appUrl;
+  const adminMode = adminUrl.match(/[?&](sslmode=[^&]+)/i);
+  if (!adminMode) return appUrl;
+  const sep = appUrl.includes('?') ? '&' : '?';
+  return `${appUrl}${sep}${adminMode[1]}`;
+}
+
+const appUrl = inheritSslMode(rawAppUrl!, adminUrl);
+
 /**
  * Privileged knex instance. Used by:
  *   - migrations (via the migrate.ts script, separately)

From 1e7a5f7eee05f6713f253a26fb8d9bfe3d03d361 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 22:40:03 -0700
Subject: [PATCH 106/131] fix(db): reconcile openpartner_app role on every boot
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The app-role migration is one-shot — once knex_migrations records it as
applied, changes to OPENPARTNER_APP_DB_PASSWORD never propagate into
Postgres. Rotating the password (or setting it for the first time after
the migration already ran without it) leaves the role's stored password
out of sync with the env, and the app pool fails authentication on
every request.

Add an idempotent ensure-app-role script that the entrypoint runs after
migrations on every boot. Creates the role if missing, syncs the
password if present, re-applies grants on tables that exist. Skipped
when OPENPARTNER_APP_DB_PASSWORD is unset to preserve self-host
behavior.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/docker-entrypoint.sh          |  13 +++
 packages/db/scripts/ensure-app-role.ts | 114 +++++++++++++++++++++++++
 packages/db/tsconfig.migrate.json      |   1 +
 3 files changed, 128 insertions(+)
 create mode 100644 packages/db/scripts/ensure-app-role.ts

diff --git a/apps/api/docker-entrypoint.sh b/apps/api/docker-entrypoint.sh
index d46c74b..e35693d 100644
--- a/apps/api/docker-entrypoint.sh
+++ b/apps/api/docker-entrypoint.sh
@@ -15,6 +15,19 @@ if [ "${OPENPARTNER_SKIP_MIGRATIONS:-0}" != "1" ]; then
     echo "[entrypoint] migration failed — refusing to start" >&2
     exit 1
   }
+
+  # Reconcile the openpartner_app role's password + grants on every boot.
+  # The original role-creation migration is one-shot; without this step,
+  # rotating OPENPARTNER_APP_DB_PASSWORD leaves Postgres out of sync and
+  # the app pool fails authentication. Noop when the env var is unset.
+  echo "[entrypoint] ensuring app-role state..."
+  (
+    cd /app/packages-db/dist-migrate \
+      && NODE_ENV=production node scripts/ensure-app-role.js
+  ) || {
+    echo "[entrypoint] app-role reconciliation failed — refusing to start" >&2
+    exit 1
+  }
 fi
 
 echo "[entrypoint] starting API on :${API_PORT:-4601}"
diff --git a/packages/db/scripts/ensure-app-role.ts b/packages/db/scripts/ensure-app-role.ts
new file mode 100644
index 0000000..5501f67
--- /dev/null
+++ b/packages/db/scripts/ensure-app-role.ts
@@ -0,0 +1,114 @@
+/**
+ * Idempotent app-role provisioning, run on every boot.
+ *
+ * The original role-creation lives in migration 20260507020000_app_role.ts
+ * — but that's a one-shot: knex_migrations marks it applied and never
+ * re-runs. So if OPENPARTNER_APP_DB_PASSWORD changes after the first
+ * apply (or was unset on first apply and set later), there's no path
+ * back into the migration. Postgres ends up with a different password
+ * than the env, and the app pool fails authentication forever.
+ *
+ * This script reconciles every boot: if the env var is set, the role
+ * exists with that exact password and has the necessary grants. Safe
+ * to run on a healthy DB — every statement is idempotent.
+ *
+ * Skipped entirely when OPENPARTNER_APP_DB_PASSWORD is unset, matching
+ * the migration's behavior so self-hosters who don't want RLS aren't
+ * forced into role management.
+ */
+
+import 'dotenv/config';
+import knex from 'knex';
+import config from '../knexfile.js';
+
+// Tables that the app role needs DML on. Mirrors the list inside the
+// app_role migration; kept in sync manually because both grow as new
+// tenanted tables land. (Coupon + NetworkOutbox got their own
+// conditional grants in their own migrations — those are also redone
+// here so a freshly-provisioned role lands fully wired.)
+const TENANT_TABLES = [
+  'Tenant',
+  'Partner',
+  'Campaign',
+  'PartnerCampaign',
+  'Link',
+  'Click',
+  'Identity',
+  'Event',
+  'Attribution',
+  'Commission',
+  'Payout',
+  'ApiKey',
+  'Config',
+  'Admin',
+  'MagicLinkToken',
+  'Session',
+  'PlatformSession',
+  'WebhookEndpoint',
+  'WebhookDelivery',
+  'PlatformAdmin',
+  'NetworkOutbox',
+  'Coupon',
+];
+
+async function main(): Promise<void> {
+  const password = process.env.OPENPARTNER_APP_DB_PASSWORD;
+  if (!password) {
+    console.log('[ensure-app-role] OPENPARTNER_APP_DB_PASSWORD unset — skipping');
+    return;
+  }
+
+  // Same allow-list as the migration. Postgres role DDL doesn't accept
+  // bind params, so we inline. Anything that could close the literal is
+  // refused up front.
+  if (!/^[A-Za-z0-9_\-!@#$%^&*+=.,:?/]+$/.test(password)) {
+    throw new Error(
+      'OPENPARTNER_APP_DB_PASSWORD contains characters that are not safe to inline in CREATE ROLE',
+    );
+  }
+  const literal = `'${password}'`;
+
+  const env = process.env.NODE_ENV === 'production' ? 'production' : 'development';
+  const db = knex(config[env]!);
+
+  try {
+    // role + password
+    const existing = (await db.raw(`select 1 from pg_roles where rolname = 'openpartner_app'`)) as {
+      rows: unknown[];
+    };
+    if (existing.rows.length === 0) {
+      await db.raw(`create role openpartner_app login password ${literal}`);
+      console.log('[ensure-app-role] created openpartner_app');
+    } else {
+      await db.raw(`alter role openpartner_app password ${literal}`);
+      console.log('[ensure-app-role] synced openpartner_app password');
+    }
+
+    // connect + schema usage
+    const dbName = (await db.raw('select current_database() as n')).rows[0].n as string;
+    await db.raw(`grant connect on database "${dbName}" to openpartner_app`);
+    await db.raw('grant usage on schema public to openpartner_app');
+
+    // DML on tenanted tables. Skip silently if a table doesn't exist yet
+    // — keeps boot-time reconciliation safe on a freshly-migrated DB
+    // where one of these tables hasn't shipped yet (e.g. running an old
+    // image against a schema older than this script's table list).
+    for (const tbl of TENANT_TABLES) {
+      const tableExists = (await db.raw(
+        `select 1 from information_schema.tables where table_schema = 'public' and table_name = ?`,
+        [tbl],
+      )) as { rows: unknown[] };
+      if (tableExists.rows.length === 0) continue;
+      await db.raw(`grant select, insert, update, delete on "${tbl}" to openpartner_app`);
+    }
+
+    await db.raw('grant usage on all sequences in schema public to openpartner_app');
+  } finally {
+    await db.destroy();
+  }
+}
+
+main().catch((err) => {
+  console.error('[ensure-app-role] failed:', err);
+  process.exit(1);
+});
diff --git a/packages/db/tsconfig.migrate.json b/packages/db/tsconfig.migrate.json
index b8402a4..526414d 100644
--- a/packages/db/tsconfig.migrate.json
+++ b/packages/db/tsconfig.migrate.json
@@ -11,6 +11,7 @@
   "include": [
     "migrations/**/*.ts",
     "scripts/migrate.ts",
+    "scripts/ensure-app-role.ts",
     "knexfile.ts"
   ]
 }

From 9db501f29b86825ff47e5818a97343464f2035cd Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 22:56:38 -0700
Subject: [PATCH 107/131] feat(network): heartbeat sender + local-truth
 partnerCount
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Network protocol describes a vendor heartbeat (POST /vendors/me/
heartbeat) that pings partner count + last-event timestamp every 24h.
The handler exists on the Network side but no caller had ever shipped,
so the Network's stored partnerCount was frozen at registration time
(0), and the brand admin Network page always rendered "0 active
partners" regardless of local roster size.

Three pieces:

  * sendHeartbeat() in network-client.ts — counts non-revoked Partners
    and the most-recent Event timestamp, posts to the Network.
  * network-heartbeat scheduler entry, hourly @ :07. Hourly is overkill
    for the Network's prune logic but keeps the live data feeling
    responsive across the cluster.
  * /admin/network/me proxy now overrides the remote partnerCount with
    the local count. Means a brand admin who just added a partner sees
    the right number instantly, without waiting on the next heartbeat
    tick. The Network's stored value still gets reconciled by the
    scheduler so its own prune logic stays accurate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/network-client.ts  | 66 +++++++++++++++++++++++++++++++++
 apps/api/src/routes/settings.ts | 14 ++++++-
 apps/api/src/scheduler.ts       | 12 +++++-
 3 files changed, 90 insertions(+), 2 deletions(-)

diff --git a/apps/api/src/network-client.ts b/apps/api/src/network-client.ts
index 419396b..ac79bec 100644
--- a/apps/api/src/network-client.ts
+++ b/apps/api/src/network-client.ts
@@ -728,6 +728,72 @@ export async function reportNetworkPayoutsToNetwork(
   return { rangeStart, rangeEnd, amountUsd, reported: true };
 }
 
+// ---------- Heartbeat (Network liveness probe) ----------
+//
+// The Network uses partnerCount + lastHeartbeatAt to (a) populate the
+// vendor's "active partners" stat in admin UIs, and (b) prune abandoned
+// instances from creator-facing search after extended silence.
+//
+// Cadence: hourly via the scheduler — frequent enough that the displayed
+// count feels live to brand admins, infrequent enough to be polite to
+// the Network. Also opportunistically fired by `/admin/network/me` so a
+// brand admin who just landed on the page after a partner was added
+// sees fresh data on the next request.
+//
+// Counting: non-revoked Partners. lastEventAt is the most recent Event
+// timestamp (any kind), giving the Network signal even from tenants
+// who haven't added partners but are processing conversions.
+
+export interface HeartbeatResult {
+  sent: boolean;
+  partnerCount: number;
+  reason?: string;
+}
+
+export async function sendHeartbeat(db: Knex, tenantId: string): Promise<HeartbeatResult> {
+  const m = await getNetworkMembership(db, tenantId);
+  if (!m || !m.enabled || !m.networkUrl || !m.vendorTokenCiphertext) {
+    return { sent: false, partnerCount: 0, reason: 'network_not_configured' };
+  }
+  let token: string;
+  try {
+    token = decryptSecret(m.vendorTokenCiphertext);
+  } catch {
+    return { sent: false, partnerCount: 0, reason: 'token_undecryptable' };
+  }
+
+  const partnerRows = await db(TABLES.Partner)
+    .whereNull('revokedAt')
+    .count<Array<{ count: string }>>({ count: '*' });
+  const partnerCount = Number(partnerRows[0]?.count ?? 0);
+
+  const lastEventRow = await db(TABLES.Event)
+    .orderBy('createdAt', 'desc')
+    .first<{ createdAt: Date } | undefined>('createdAt');
+  const lastEventAt = lastEventRow?.createdAt ? new Date(lastEventRow.createdAt).toISOString() : undefined;
+
+  const url = `${m.networkUrl.replace(/\/$/, '')}/vendors/me/heartbeat`;
+  try {
+    const res = await fetch(url, {
+      method: 'POST',
+      headers: {
+        'content-type': 'application/json',
+        authorization: `Bearer ${token}`,
+        'user-agent': 'OpenPartner-Vendor/1',
+      },
+      body: JSON.stringify({ partnerCount, ...(lastEventAt ? { lastEventAt } : {}) }),
+      signal: AbortSignal.timeout(PUSH_TIMEOUT_MS),
+    });
+    if (!res.ok) {
+      const text = await res.text().catch(() => '<no body>');
+      return { sent: false, partnerCount, reason: `network ${res.status}: ${text.slice(0, 200)}` };
+    }
+    return { sent: true, partnerCount };
+  } catch (err) {
+    return { sent: false, partnerCount, reason: err instanceof Error ? err.message : String(err) };
+  }
+}
+
 // ---------- outbox drain (called from scheduler.ts) ----------
 
 export async function drainOutbox(db: Knex, tenantId: string): Promise<{ drained: number; succeeded: number; dead: number }> {
diff --git a/apps/api/src/routes/settings.ts b/apps/api/src/routes/settings.ts
index e2f7b0b..2271e4d 100644
--- a/apps/api/src/routes/settings.ts
+++ b/apps/api/src/routes/settings.ts
@@ -456,7 +456,19 @@ async function proxy(req: Request, res: Response, fn: (db: Knex, tenantId: strin
 }
 
 settingsRouter.get('/admin/network/me', requireAuth, requireAdmin, async (req, res) =>
-  proxy(req, res, (db, tenantId) => networkProxy.whoami(db, tenantId)),
+  proxy(req, res, async (db, tenantId) => {
+    // Override the Network's stored partnerCount with the local truth.
+    // Network's value updates via the hourly heartbeat job — between
+    // ticks (or before the first tick after connecting) it lags reality.
+    // The brand admin expects "active partners" to match the count they
+    // see on /admin/partners, so reconcile here.
+    const remote = await networkProxy.whoami(db, tenantId);
+    const partnerRows = await db(TABLES.Partner)
+      .whereNull('revokedAt')
+      .count<Array<{ count: string }>>({ count: '*' });
+    const partnerCount = Number(partnerRows[0]?.count ?? 0);
+    return { ...(remote as Record<string, unknown>), partnerCount };
+  }),
 );
 
 settingsRouter.get('/admin/network/offerings', requireAuth, requireAdmin, async (req, res) =>
diff --git a/apps/api/src/scheduler.ts b/apps/api/src/scheduler.ts
index be57f6f..1a37817 100644
--- a/apps/api/src/scheduler.ts
+++ b/apps/api/src/scheduler.ts
@@ -33,7 +33,7 @@ import { TABLES, type TenantRow } from '@openpartner/db';
 import { appDb, db } from './db.js';
 import { reportUsageToStripe } from './usage-billing.js';
 import { runPayouts } from './payouts.js';
-import { drainOutbox, reportNetworkPayoutsToNetwork } from './network-client.js';
+import { drainOutbox, reportNetworkPayoutsToNetwork, sendHeartbeat } from './network-client.js';
 import { getMode } from './stripe.js';
 import { sweepCampaignEndNotifications } from './campaign-end-notifications.js';
 
@@ -97,6 +97,16 @@ const JOBS: ScheduledJob[] = [
     handler: async () =>
       forEachActiveTenant((trx, tenantId) => reportNetworkPayoutsToNetwork(trx, tenantId)),
   },
+  {
+    name: 'network-heartbeat',
+    cronExpr: '7 * * * *',
+    // Hourly (offset 7 min so it doesn't pile on top of other top-of-the-hour
+    // jobs). The Network uses partnerCount + lastHeartbeatAt to populate the
+    // vendor's "active partners" stat and to detect abandoned instances —
+    // shorter interval keeps that view fresh for brand admins.
+    description: 'Per tenant: ping the Network with current partner count (hourly @ :07)',
+    handler: async () => forEachActiveTenant((trx, tenantId) => sendHeartbeat(trx, tenantId)),
+  },
   {
     name: 'tenant-hard-delete',
     cronExpr: '0 4 * * *',

From f8bc62e1d63e49bbb36f430ba07dfd9bfe084451 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 23:12:02 -0700
Subject: [PATCH 108/131] feat(invite): show deeplink to brand for
 spam-fallback DM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The invite dialog only confirmed the email was sent — if the creator's
inbox dropped it (spam, paused workflows, typo'd address) the brand had
no recourse. Surface the deeplink in the success state with a Copy
button so the brand can DM it directly when needed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../src/pages/admin/NetworkCreators.tsx       | 54 +++++++++++++++++--
 1 file changed, 50 insertions(+), 4 deletions(-)

diff --git a/apps/portal/src/pages/admin/NetworkCreators.tsx b/apps/portal/src/pages/admin/NetworkCreators.tsx
index d49d65c..9d1ded6 100644
--- a/apps/portal/src/pages/admin/NetworkCreators.tsx
+++ b/apps/portal/src/pages/admin/NetworkCreators.tsx
@@ -291,13 +291,25 @@ function InviteDialog({ creator, onClose }: { creator: DirectoryRow; onClose: ()
 
   const send = useMutation({
     mutationFn: () =>
-      api(`/admin/network/offerings/${offeringId}/invite-creator`, {
-        method: 'POST',
-        body: { creatorId: creator.id, message: message.trim() || undefined },
-      }),
+      api<{ ok: boolean; expiresAt: string; deeplink?: string }>(
+        `/admin/network/offerings/${offeringId}/invite-creator`,
+        {
+          method: 'POST',
+          body: { creatorId: creator.id, message: message.trim() || undefined },
+        },
+      ),
   });
 
   const sent = send.isSuccess;
+  const deeplink = send.data?.deeplink;
+  const [copied, setCopied] = useState(false);
+  const copy = () => {
+    if (!deeplink) return;
+    navigator.clipboard.writeText(deeplink).then(() => {
+      setCopied(true);
+      setTimeout(() => setCopied(false), 1500);
+    }, () => {/* ignore */});
+  };
 
   return (
     <div
@@ -335,6 +347,40 @@ function InviteDialog({ creator, onClose }: { creator: DirectoryRow; onClose: ()
             <div style={{ background: theme.successSoft, border: `1px solid ${theme.success}55`, borderRadius: theme.radiusSm, padding: 12, fontSize: 13, color: theme.success, marginBottom: 14 }}>
               Invitation sent. They&rsquo;ll see your message + a deeplink in their inbox.
             </div>
+            {deeplink && (
+              <div style={{ marginBottom: 14 }}>
+                <Label>Deeplink (in case email lands in spam)</Label>
+                <div
+                  style={{
+                    display: 'flex',
+                    alignItems: 'center',
+                    gap: 8,
+                    background: theme.surface2,
+                    border: `1px solid ${theme.borderSubtle}`,
+                    borderRadius: theme.radiusSm,
+                    padding: '8px 10px',
+                    marginTop: 6,
+                  }}
+                >
+                  <code style={{ flex: 1, fontSize: 12, wordBreak: 'break-all' }}>{deeplink}</code>
+                  <button
+                    onClick={copy}
+                    style={{
+                      background: 'transparent',
+                      border: `1px solid ${theme.borderSubtle}`,
+                      borderRadius: 6,
+                      padding: '5px 9px',
+                      fontSize: 12,
+                      color: copied ? theme.success : theme.textMuted,
+                      cursor: 'pointer',
+                      whiteSpace: 'nowrap',
+                    }}
+                  >
+                    {copied ? 'Copied' : 'Copy'}
+                  </button>
+                </div>
+              </div>
+            )}
             <Button onClick={onClose} variant="secondary">Close</Button>
           </>
         ) : (

From e09409bb5498c3eeeaa830ed7297bf8bf44d9d08 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 23:14:49 -0700
Subject: [PATCH 109/131] ci: publish @openpartner/sdk to npm on tagged
 releases
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The marketing docs tell users 'npm install @openpartner/sdk', but the
package was never actually pushed to the registry — first attempt
returns 404. Wire up a publish workflow that fires on the same v* tag
trigger as the docker push, so a tagged release ships both the docker
images and any SDK version bump in one go. Idempotent: skips when the
local SDK version is already on npm.

Provenance is enabled (--provenance + id-token: write) so the published
tarball carries a signed Sigstore attestation tying it back to this
workflow + commit. Defends against a leaked NPM_TOKEN: an attacker who
publishes from elsewhere can't forge the attestation.

Requires:
  * NPM_TOKEN secret set in GitHub repo settings (automation token from
    npmjs.com)
  * @openpartner scope claimed on npm by an account the token belongs to

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/npm-publish.yml | 68 +++++++++++++++++++++++++++++++
 1 file changed, 68 insertions(+)
 create mode 100644 .github/workflows/npm-publish.yml

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
new file mode 100644
index 0000000..3d57d87
--- /dev/null
+++ b/.github/workflows/npm-publish.yml
@@ -0,0 +1,68 @@
+name: npm publish (sdk)
+
+on:
+  push:
+    # Same tag trigger as CI's docker push — a tagged release pushes
+    # docker images AND attempts an SDK publish. The publish step is
+    # idempotent: if packages/sdk's version is already on npm, it
+    # skips. So a tag bump that doesn't touch the SDK is a no-op here.
+    tags: ['v*']
+  workflow_dispatch:
+    # Manual trigger for republish-after-failure or first-publish runs
+    # before any tag exists.
+
+jobs:
+  publish:
+    name: build + publish @openpartner/sdk
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      # Required for npm provenance (Sigstore attestations). Lets users
+      # verify the published tarball was built by this workflow on this
+      # commit — defense against compromised maintainer tokens.
+      id-token: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 9.11.0
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          cache: pnpm
+          # registry-url is what enables `pnpm publish` to pick up
+          # NODE_AUTH_TOKEN below. Without it, publish 401s.
+          registry-url: 'https://registry.npmjs.org'
+
+      - run: pnpm install --frozen-lockfile
+
+      - name: Build SDK
+        run: pnpm --filter @openpartner/sdk build
+
+      - name: Skip if version already published
+        id: check
+        run: |
+          local_version=$(node -p "require('./packages/sdk/package.json').version")
+          published=$(npm view @openpartner/sdk@$local_version version 2>/dev/null || true)
+          if [ -n "$published" ]; then
+            echo "@openpartner/sdk@$local_version already on npm — skipping"
+            echo "skip=true" >> "$GITHUB_OUTPUT"
+          else
+            echo "@openpartner/sdk@$local_version not on npm yet — will publish"
+            echo "skip=false" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Publish
+        if: steps.check.outputs.skip != 'true'
+        # --provenance generates a signed Sigstore attestation tying
+        # this tarball to this workflow run + commit SHA. Visible on
+        # npmjs.com/package as a "Provenance" badge.
+        # --no-git-checks: pnpm refuses to publish from a detached HEAD
+        # by default; tag pushes always run detached so we opt out.
+        run: pnpm --filter @openpartner/sdk publish --access public --provenance --no-git-checks
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

From c173777da5bac3b98d0fb7de21b7d04f19e3d915 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Wed, 29 Apr 2026 23:24:10 -0700
Subject: [PATCH 110/131] ci: switch sdk publish to npm Trusted Publishing
 (OIDC)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

npm now actively recommends Trusted Publishing over long-lived
automation tokens — the publish credential is minted per-run from
GitHub's OIDC token instead of a static secret. No NPM_TOKEN to leak,
no rotation, and the Sigstore provenance attestation comes for free
from the same id-token.

Trade: requires one-time configuration of a trusted publisher on the
package settings page at npmjs.com (provider: GitHub Actions, repo +
workflow filename) before the first publish succeeds.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/npm-publish.yml | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 3d57d87..a534811 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -18,9 +18,11 @@ jobs:
 
     permissions:
       contents: read
-      # Required for npm provenance (Sigstore attestations). Lets users
-      # verify the published tarball was built by this workflow on this
-      # commit — defense against compromised maintainer tokens.
+      # Required for npm Trusted Publishing AND provenance attestations.
+      # The OIDC token GitHub mints here is what npm exchanges for a
+      # short-lived publish credential — no NPM_TOKEN secret needed —
+      # AND what Sigstore signs the tarball attestation with so users
+      # can verify the build.
       id-token: write
 
     steps:
@@ -58,11 +60,11 @@ jobs:
 
       - name: Publish
         if: steps.check.outputs.skip != 'true'
-        # --provenance generates a signed Sigstore attestation tying
-        # this tarball to this workflow run + commit SHA. Visible on
-        # npmjs.com/package as a "Provenance" badge.
-        # --no-git-checks: pnpm refuses to publish from a detached HEAD
-        # by default; tag pushes always run detached so we opt out.
+        # Trusted Publishing: no NPM_TOKEN secret. The npm CLI mints a
+        # short-lived publish credential from this workflow's OIDC token
+        # (enabled by `id-token: write` above), validated against the
+        # trusted-publisher config on npmjs.com. Provenance attestation
+        # is automatic. --no-git-checks: pnpm refuses to publish from a
+        # detached HEAD by default; tag pushes always run detached so
+        # we opt out.
         run: pnpm --filter @openpartner/sdk publish --access public --provenance --no-git-checks
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

From 106345f57687ae5500a11da5ff13bd7f24c02a5f Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 00:28:10 -0700
Subject: [PATCH 111/131] fix(portal): use tenant-prefixed Links across brand
 workspace
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bare <Link to="/links?..."> built absolute paths that bypassed the
/t/<slug> prefix in multi-tenant mode, so action links on the Partners
admin and the partner cards on the Links page jumped out of the
workspace and 404'd. The Dashboard already had a private TenantLink
helper; lift it to a shared module and route every brand-workspace
link through it.

Audited every <Link> in the brand-side tree (admin + partner pages)
and swapped any with absolute paths that target tenant-scoped routes.
Top-level routes (Landing, Signin, Signup, Workspaces) and the
creator portal subtree intentionally untouched — those live outside
the tenant scope.

Tested: typecheck clean, no missing imports, manual sweep of remaining
<Link> uses confirms each is intentionally top-level.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/pages/AdminPartners.tsx       |  6 +++---
 apps/portal/src/pages/Dashboard.tsx           |  9 +--------
 apps/portal/src/pages/Links.tsx               |  6 +++---
 .../portal/src/pages/admin/NetworkBilling.tsx |  4 ++--
 apps/portal/src/pages/partner/Discover.tsx    | 10 +++++-----
 .../src/pages/partner/MyAffiliations.tsx      |  4 ++--
 apps/portal/src/pages/partner/MyRequests.tsx  |  4 ++--
 .../src/pages/partner/OfferingDetail.tsx      |  5 +++--
 apps/portal/src/tenant-link.tsx               | 19 +++++++++++++++++++
 9 files changed, 40 insertions(+), 27 deletions(-)
 create mode 100644 apps/portal/src/tenant-link.tsx

diff --git a/apps/portal/src/pages/AdminPartners.tsx b/apps/portal/src/pages/AdminPartners.tsx
index ca11c73..1dfe497 100644
--- a/apps/portal/src/pages/AdminPartners.tsx
+++ b/apps/portal/src/pages/AdminPartners.tsx
@@ -1,9 +1,9 @@
 import { useState } from 'react';
-import { Link } from 'react-router-dom';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { Plus, Users } from 'lucide-react';
 import { api, ApiError } from '../api.js';
 import { theme } from '../theme.js';
+import { TenantLink } from '../tenant-link.js';
 import { Avatar, Button, Card, EmptyState, ErrorBanner, Input, Label, Page, StatusPill, Table, formatDate } from '../ui.js';
 
 interface Partner {
@@ -92,7 +92,7 @@ export function AdminPartners() {
             p.stripeConnectAccountId ? <StatusPill status="connected" /> : <span style={{ color: theme.textDim }}>—</span>,
             <span style={{ color: theme.textMuted }}>{formatDate(p.createdAt, { relative: true })}</span>,
             <div style={{ display: 'flex', gap: 6 }}>
-              <Link to={`/links?partnerId=${p.id}`} style={{ color: theme.accent, fontSize: 13 }}>Links</Link>
+              <TenantLink to={`/links?partnerId=${p.id}`} style={{ color: theme.accent, fontSize: 13 }}>Links</TenantLink>
               <span style={{ color: theme.border }}>·</span>
               <button
                 onClick={() => setManagingPrograms(p)}
@@ -108,7 +108,7 @@ export function AdminPartners() {
                 Coupons
               </button>
               <span style={{ color: theme.border }}>·</span>
-              <Link to={`/payouts?partnerId=${p.id}`} style={{ color: theme.accent, fontSize: 13 }}>Payouts</Link>
+              <TenantLink to={`/payouts?partnerId=${p.id}`} style={{ color: theme.accent, fontSize: 13 }}>Payouts</TenantLink>
               {!p.activatedAt && !p.revokedAt && (
                 <>
                   <span style={{ color: theme.border }}>·</span>
diff --git a/apps/portal/src/pages/Dashboard.tsx b/apps/portal/src/pages/Dashboard.tsx
index bdd1ff2..c8e66bf 100644
--- a/apps/portal/src/pages/Dashboard.tsx
+++ b/apps/portal/src/pages/Dashboard.tsx
@@ -15,6 +15,7 @@ import {
 } from 'lucide-react';
 import { api, type Principal } from '../api.js';
 import { useTenantBase } from '../tenant-base.js';
+import { TenantLink } from '../tenant-link.js';
 import { theme } from '../theme.js';
 import { Avatar, Button, Card, EmptyState, ErrorBanner, Page, SectionHeading, Stat, StatusPill, money } from '../ui.js';
 
@@ -215,14 +216,6 @@ function ChecklistRow({
   );
 }
 
-/** Link that prepends the current `/t/<slug>` prefix to absolute paths
- *  so navigation stays inside the multi-tenant brand workspace. */
-function TenantLink({ to, style, children }: { to: string; style?: React.CSSProperties; children: React.ReactNode }) {
-  const tenantBase = useTenantBase();
-  const href = to.startsWith('/') ? `${tenantBase}${to === '/' ? '' : to}` || '/' : to;
-  return <Link to={href} style={style}>{children}</Link>;
-}
-
 function ConnectNudge({ owed, connected }: { owed: number; connected: boolean }) {
   return (
     <Card>
diff --git a/apps/portal/src/pages/Links.tsx b/apps/portal/src/pages/Links.tsx
index 80445f7..22b9902 100644
--- a/apps/portal/src/pages/Links.tsx
+++ b/apps/portal/src/pages/Links.tsx
@@ -1,9 +1,9 @@
 import { useState } from 'react';
-import { Link } from 'react-router-dom';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { Link2, Plus, ArrowRight } from 'lucide-react';
 import { api, type Principal } from '../api.js';
 import { theme } from '../theme.js';
+import { TenantLink } from '../tenant-link.js';
 import { Avatar, Button, Card, EmptyState, ErrorBanner, Input, Label, Page, Select, Table, formatDate } from '../ui.js';
 
 interface LinkRow {
@@ -49,7 +49,7 @@ function AdminLinksHub() {
       ) : (
         <div style={{ display: 'grid', gridTemplateColumns: 'repeat(auto-fill, minmax(280px, 1fr))', gap: 12 }}>
           {data?.partners.map((p) => (
-            <Link
+            <TenantLink
               key={p.id}
               to={`/links?partnerId=${p.id}`}
               style={{
@@ -71,7 +71,7 @@ function AdminLinksHub() {
                 </div>
                 <ArrowRight size={14} color={theme.textDim} />
               </div>
-            </Link>
+            </TenantLink>
           ))}
         </div>
       )}
diff --git a/apps/portal/src/pages/admin/NetworkBilling.tsx b/apps/portal/src/pages/admin/NetworkBilling.tsx
index bb2852b..4ff7c9d 100644
--- a/apps/portal/src/pages/admin/NetworkBilling.tsx
+++ b/apps/portal/src/pages/admin/NetworkBilling.tsx
@@ -1,7 +1,7 @@
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Link } from 'react-router-dom';
 import { useState } from 'react';
 import { api, ApiError } from '../../api.js';
+import { TenantLink } from '../../tenant-link.js';
 import { Button, Card, ErrorBanner, Page } from '../../ui.js';
 
 interface NetworkBilling {
@@ -44,7 +44,7 @@ function BillingPanel() {
         <ErrorBanner error={msg} />
         <Card>
           <p>
-            Set up your Network connection under <Link to="/admin/network">Network → Connection</Link>{' '}
+            Set up your Network connection under <TenantLink to="/admin/network">Network → Connection</TenantLink>{' '}
             before subscribing.
           </p>
         </Card>
diff --git a/apps/portal/src/pages/partner/Discover.tsx b/apps/portal/src/pages/partner/Discover.tsx
index d5f0a04..64921e1 100644
--- a/apps/portal/src/pages/partner/Discover.tsx
+++ b/apps/portal/src/pages/partner/Discover.tsx
@@ -1,8 +1,8 @@
 import { useEffect, useState } from 'react';
 import { useQuery } from '@tanstack/react-query';
-import { Link } from 'react-router-dom';
 import { Globe } from 'lucide-react';
 import { api } from '../../api.js';
+import { TenantLink } from '../../tenant-link.js';
 import { Button, Card, EmptyState, ErrorBanner, Input, Label, Page, Select } from '../../ui.js';
 import { theme } from '../../theme.js';
 
@@ -79,13 +79,13 @@ export function DiscoverPage() {
           {data.offerings.map((o) => (
             <Card key={o.id}>
               <div style={{ color: theme.textMuted, fontSize: 13 }}>
-                <Link to={`/network/vendors/${o.vendorId}`} style={{ color: theme.textMuted }}>{o.vendorName}</Link>
+                <TenantLink to={`/network/vendors/${o.vendorId}`} style={{ color: theme.textMuted }}>{o.vendorName}</TenantLink>
                 {o.vendorPartnerCount > 0 && (
                   <> · {o.vendorPartnerCount} partner{o.vendorPartnerCount === 1 ? '' : 's'}</>
                 )}
               </div>
               <h3 style={{ marginTop: 4, marginBottom: 8 }}>
-                <Link to={`/network/offerings/${o.id}`}>{o.title}</Link>
+                <TenantLink to={`/network/offerings/${o.id}`}>{o.title}</TenantLink>
               </h3>
               {o.terms?.commissionDescription && (
                 <p style={{ fontSize: 13, color: theme.textMuted, margin: '4px 0' }}>
@@ -98,9 +98,9 @@ export function DiscoverPage() {
                 </p>
               )}
               <div style={{ marginTop: 12 }}>
-                <Link to={`/network/offerings/${o.id}`}>
+                <TenantLink to={`/network/offerings/${o.id}`}>
                   <Button>View &amp; apply</Button>
-                </Link>
+                </TenantLink>
               </div>
             </Card>
           ))}
diff --git a/apps/portal/src/pages/partner/MyAffiliations.tsx b/apps/portal/src/pages/partner/MyAffiliations.tsx
index 82c7711..109fbcc 100644
--- a/apps/portal/src/pages/partner/MyAffiliations.tsx
+++ b/apps/portal/src/pages/partner/MyAffiliations.tsx
@@ -1,7 +1,7 @@
 import { useQuery } from '@tanstack/react-query';
-import { Link } from 'react-router-dom';
 import { Globe } from 'lucide-react';
 import { api, ApiError } from '../../api.js';
+import { TenantLink } from '../../tenant-link.js';
 import { Card, EmptyState, ErrorBanner, Page, Stat, StatusPill, formatDate, money } from '../../ui.js';
 import { theme } from '../../theme.js';
 
@@ -82,7 +82,7 @@ export function MyAffiliationsPage() {
           <Card key={a.id}>
             <div style={{ display: 'flex', alignItems: 'baseline', gap: 12 }}>
               <h3 style={{ marginTop: 0, marginBottom: 4, flex: 1 }}>
-                <Link to={`/network/vendors/${a.vendorId}`}>{a.vendorName}</Link>
+                <TenantLink to={`/network/vendors/${a.vendorId}`}>{a.vendorName}</TenantLink>
               </h3>
               <StatusPill status={a.status} />
             </div>
diff --git a/apps/portal/src/pages/partner/MyRequests.tsx b/apps/portal/src/pages/partner/MyRequests.tsx
index 2f5e90e..0ad2085 100644
--- a/apps/portal/src/pages/partner/MyRequests.tsx
+++ b/apps/portal/src/pages/partner/MyRequests.tsx
@@ -1,7 +1,7 @@
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { Inbox } from 'lucide-react';
-import { Link } from 'react-router-dom';
 import { api } from '../../api.js';
+import { TenantLink } from '../../tenant-link.js';
 import { Button, Card, EmptyState, ErrorBanner, Page, StatusPill, formatDate } from '../../ui.js';
 import { theme } from '../../theme.js';
 
@@ -47,7 +47,7 @@ export function MyRequestsPage() {
           <Card key={r.id}>
             <div style={{ display: 'flex', alignItems: 'baseline', gap: 12 }}>
               <h3 style={{ marginTop: 0, marginBottom: 4, flex: 1 }}>
-                <Link to={`/network/offerings/${r.offeringId}`}>{r.offeringTitle}</Link>{' '}
+                <TenantLink to={`/network/offerings/${r.offeringId}`}>{r.offeringTitle}</TenantLink>{' '}
                 <span style={{ color: theme.textMuted, fontWeight: 'normal', fontSize: 14 }}>· {r.vendorName}</span>
               </h3>
               <StatusPill status={r.status} />
diff --git a/apps/portal/src/pages/partner/OfferingDetail.tsx b/apps/portal/src/pages/partner/OfferingDetail.tsx
index 820690b..3d16f49 100644
--- a/apps/portal/src/pages/partner/OfferingDetail.tsx
+++ b/apps/portal/src/pages/partner/OfferingDetail.tsx
@@ -1,7 +1,8 @@
 import { useState } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
-import { Link, useNavigate, useParams } from 'react-router-dom';
+import { useNavigate, useParams } from 'react-router-dom';
 import { api, ApiError, type Principal } from '../../api.js';
+import { TenantLink } from '../../tenant-link.js';
 import { Button, Card, ErrorBanner, Input, Label, Page, Textarea } from '../../ui.js';
 import { theme } from '../../theme.js';
 
@@ -82,7 +83,7 @@ export function OfferingDetailPage({ principal }: { principal: Principal }) {
             <h3 style={{ marginTop: 0 }}>Apply to promote</h3>
             {!canApply ? (
               <p style={{ color: theme.textMuted }}>
-                Only partner accounts can apply. <Link to="/login">Switch accounts</Link>?
+                Only partner accounts can apply. <TenantLink to="/login">Switch accounts</TenantLink>?
               </p>
             ) : (
               <>
diff --git a/apps/portal/src/tenant-link.tsx b/apps/portal/src/tenant-link.tsx
new file mode 100644
index 0000000..5fd5a04
--- /dev/null
+++ b/apps/portal/src/tenant-link.tsx
@@ -0,0 +1,19 @@
+import { Link, type LinkProps } from 'react-router-dom';
+import { useTenantBase } from './tenant-base.js';
+
+/**
+ * Drop-in replacement for react-router's `<Link>` that prepends the
+ * current `/t/<slug>` prefix to absolute paths. Use this anywhere
+ * inside the brand workspace UI so navigation stays tenant-scoped —
+ * a bare `<Link to="/links">` would land on the global router and
+ * 404 (the routes only exist under `/t/:slug/*`).
+ *
+ * External links and relative paths pass through unchanged. All other
+ * props (className, style, onMouseEnter, etc.) forward to the
+ * underlying Link unchanged.
+ */
+export function TenantLink({ to, ...rest }: Omit<LinkProps, 'to'> & { to: string }) {
+  const tenantBase = useTenantBase();
+  const href = to.startsWith('/') ? `${tenantBase}${to === '/' ? '' : to}` || '/' : to;
+  return <Link to={href} {...rest} />;
+}

From 0ba17c191252ea1bfedf141d9030bcec855f1768 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 08:18:23 -0700
Subject: [PATCH 112/131] refactor(portal): promote Programs + Coupons to
 dedicated pages
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Partners action row had inconsistent UX: Links and Payouts
navigated to dedicated pages, while Programs and Coupons popped
inline panels above the table. Same row, two different mental models —
read as randomness rather than convention.

Move Programs and Coupons to /admin/partners/:id/programs and
/admin/partners/:id/coupons. Now every action in the row navigates,
URLs are linkable + DM-able, and the special "what mode is this row
in" beat goes away. Page bodies reuse the dialog logic verbatim, with
a back-link to the partner list and a partner name fetch via the
existing GET /partners/:id endpoint.

AdminPartners.tsx loses ~200 lines of dialog state + components.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/App.tsx                       |   4 +
 apps/portal/src/pages/AdminPartnerCoupons.tsx | 156 +++++++++++
 .../portal/src/pages/AdminPartnerPrograms.tsx | 111 ++++++++
 apps/portal/src/pages/AdminPartners.tsx       | 252 +-----------------
 4 files changed, 274 insertions(+), 249 deletions(-)
 create mode 100644 apps/portal/src/pages/AdminPartnerCoupons.tsx
 create mode 100644 apps/portal/src/pages/AdminPartnerPrograms.tsx

diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index 0d89581..b06a9d5 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -29,6 +29,8 @@ import { CommissionsPage } from './pages/Commissions.js';
 import { PayoutsPage } from './pages/Payouts.js';
 import { ConnectPage } from './pages/Connect.js';
 import { AdminPartners } from './pages/AdminPartners.js';
+import { AdminPartnerPrograms } from './pages/AdminPartnerPrograms.js';
+import { AdminPartnerCoupons } from './pages/AdminPartnerCoupons.js';
 import { AdminCampaigns } from './pages/AdminCampaigns.js';
 import { AdminReview } from './pages/AdminReview.js';
 import { AdminExport } from './pages/AdminExport.js';
@@ -179,6 +181,8 @@ function Shell() {
           {auth.principal.role === 'admin' && (
             <>
               <Route path="admin/partners" element={<AdminPartners />} />
+              <Route path="admin/partners/:id/programs" element={<AdminPartnerPrograms />} />
+              <Route path="admin/partners/:id/coupons" element={<AdminPartnerCoupons />} />
               <Route path="admin/campaigns" element={<AdminCampaigns />} />
               <Route path="admin/review" element={<AdminReview />} />
               <Route path="admin/export" element={<AdminExport />} />
diff --git a/apps/portal/src/pages/AdminPartnerCoupons.tsx b/apps/portal/src/pages/AdminPartnerCoupons.tsx
new file mode 100644
index 0000000..1f50c5f
--- /dev/null
+++ b/apps/portal/src/pages/AdminPartnerCoupons.tsx
@@ -0,0 +1,156 @@
+import { useState } from 'react';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { useParams } from 'react-router-dom';
+import { ArrowLeft } from 'lucide-react';
+import { api, ApiError } from '../api.js';
+import { theme } from '../theme.js';
+import { TenantLink } from '../tenant-link.js';
+import { Button, Card, ErrorBanner, Input, Label, Page } from '../ui.js';
+
+interface Partner {
+  id: string;
+  name: string;
+}
+
+interface CouponRow {
+  id: string;
+  code: string;
+  campaignId: string;
+  createdAt: string;
+  redemptions90d?: number;
+  revenue90d?: number;
+}
+
+interface CampaignBrief {
+  id: string;
+  name: string;
+}
+
+export function AdminPartnerCoupons() {
+  const { id } = useParams<{ id: string }>();
+  const partnerId = id ?? '';
+  const qc = useQueryClient();
+
+  const partner = useQuery({
+    queryKey: ['partner', partnerId],
+    queryFn: () => api<Partner>(`/partners/${partnerId}`),
+    enabled: !!partnerId,
+  });
+
+  const coupons = useQuery({
+    queryKey: ['partner-coupons', partnerId],
+    queryFn: () => api<{ coupons: CouponRow[] }>(`/partners/${partnerId}/coupons`),
+    enabled: !!partnerId,
+  });
+  const campaigns = useQuery({
+    queryKey: ['campaigns'],
+    queryFn: () => api<{ campaigns: CampaignBrief[] }>('/campaigns'),
+  });
+
+  const [pickedCampaign, setPickedCampaign] = useState('');
+  const [customCode, setCustomCode] = useState('');
+
+  const mint = useMutation({
+    mutationFn: () =>
+      api(`/partners/${partnerId}/coupons`, {
+        method: 'POST',
+        body: { campaignId: pickedCampaign, code: customCode.trim() ? customCode.trim().toUpperCase() : undefined },
+      }),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['partner-coupons', partnerId] });
+      setCustomCode('');
+      setPickedCampaign('');
+    },
+  });
+
+  const gateError = mint.error instanceof ApiError && mint.error.message === 'verification_required'
+    ? (mint.error.detail as { detail?: string; threshold?: number; existing?: number } | undefined)
+    : null;
+
+  const existingCampaignIds = new Set((coupons.data?.coupons ?? []).map((c) => c.campaignId));
+  const availableCampaigns = (campaigns.data?.campaigns ?? []).filter((c) => !existingCampaignIds.has(c.id));
+  const campaignNameById = new Map((campaigns.data?.campaigns ?? []).map((c) => [c.id, c.name]));
+  const partnerName = partner.data?.name ?? '…';
+
+  return (
+    <Page
+      title={`Coupons · ${partnerName}`}
+      subtitle="Coupons attribute conversions when customers enter a code at checkout instead of clicking a share link. Your site calls POST /coupons/redeem with the code; same downstream commission flow as click-driven attribution."
+    >
+      <div style={{ marginBottom: 14 }}>
+        <TenantLink to="/admin/partners" style={{ color: theme.textMuted, fontSize: 13, display: 'inline-flex', alignItems: 'center', gap: 6 }}>
+          <ArrowLeft size={14} /> Back to Partners
+        </TenantLink>
+      </div>
+      <ErrorBanner error={partner.error ?? coupons.error ?? (gateError ? null : mint.error)} />
+      {gateError && (
+        <div style={{ background: `${theme.danger}10`, border: `1px solid ${theme.danger}55`, borderRadius: theme.radiusSm, padding: 12, marginBottom: 12 }}>
+          <div style={{ fontSize: 13, color: theme.danger, fontWeight: 500, marginBottom: 6 }}>
+            Verify your coupon integration before minting more
+          </div>
+          <div style={{ fontSize: 12, color: theme.text, lineHeight: 1.5 }}>
+            {gateError.detail}
+          </div>
+        </div>
+      )}
+      <Card>
+        {coupons.isLoading ? (
+          <p style={{ color: theme.textMuted, fontSize: 13 }}>Loading…</p>
+        ) : (
+          <>
+            {(coupons.data?.coupons ?? []).length > 0 && (
+              <div style={{ display: 'flex', flexDirection: 'column', gap: 6, marginBottom: 14 }}>
+                {(coupons.data?.coupons ?? []).map((c) => (
+                  <div key={c.id} style={{ display: 'flex', alignItems: 'center', gap: 10, padding: '8px 12px', background: theme.surface2, border: `1px solid ${theme.borderSubtle}`, borderRadius: theme.radiusSm }}>
+                    <code style={{ fontSize: 14, fontWeight: 500, color: theme.text, flex: 1 }}>{c.code}</code>
+                    <span style={{ color: theme.textMuted, fontSize: 12 }}>
+                      {campaignNameById.get(c.campaignId) ?? c.campaignId}
+                    </span>
+                    <span style={{ color: theme.textMuted, fontSize: 11, whiteSpace: 'nowrap' }}>
+                      {(c.redemptions90d ?? 0) > 0
+                        ? `${c.redemptions90d} redemption${c.redemptions90d === 1 ? '' : 's'} (90d)`
+                        : 'unused (90d)'}
+                    </span>
+                  </div>
+                ))}
+              </div>
+            )}
+            {availableCampaigns.length > 0 ? (
+              <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr auto', gap: 8, alignItems: 'end' }}>
+                <div>
+                  <Label>Campaign</Label>
+                  <select
+                    value={pickedCampaign}
+                    onChange={(e) => setPickedCampaign(e.target.value)}
+                    style={{ width: '100%', padding: '8px 10px', background: theme.surface2, border: `1px solid ${theme.border}`, borderRadius: theme.radiusSm, color: theme.text, fontSize: 13 }}
+                  >
+                    <option value="">— pick a campaign —</option>
+                    {availableCampaigns.map((c) => <option key={c.id} value={c.id}>{c.name}</option>)}
+                  </select>
+                </div>
+                <div>
+                  <Label>Code (optional)</Label>
+                  <Input
+                    value={customCode}
+                    onChange={(e) => setCustomCode(e.target.value.toUpperCase().replace(/[^A-Z0-9-]/g, ''))}
+                    placeholder="auto-generates if blank"
+                    style={{ fontFamily: theme.fontMono }}
+                  />
+                </div>
+                <Button onClick={() => mint.mutate()} disabled={!pickedCampaign || mint.isPending}>
+                  {mint.isPending ? 'Minting…' : 'Mint coupon'}
+                </Button>
+              </div>
+            ) : (
+              <p style={{ color: theme.textMuted, fontSize: 13, margin: 0 }}>
+                {(coupons.data?.coupons ?? []).length === 0
+                  ? 'No campaigns available. Create one in Campaigns first.'
+                  : 'This partner has a coupon for every campaign already.'}
+              </p>
+            )}
+          </>
+        )}
+      </Card>
+    </Page>
+  );
+}
diff --git a/apps/portal/src/pages/AdminPartnerPrograms.tsx b/apps/portal/src/pages/AdminPartnerPrograms.tsx
new file mode 100644
index 0000000..8f776cd
--- /dev/null
+++ b/apps/portal/src/pages/AdminPartnerPrograms.tsx
@@ -0,0 +1,111 @@
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
+import { useParams } from 'react-router-dom';
+import { ArrowLeft } from 'lucide-react';
+import { api } from '../api.js';
+import { theme } from '../theme.js';
+import { TenantLink } from '../tenant-link.js';
+import { Card, ErrorBanner, Page } from '../ui.js';
+
+interface Partner {
+  id: string;
+  name: string;
+}
+
+interface CampaignGrant {
+  id: string;
+  name: string;
+  destinationUrl: string;
+  granted: boolean;
+  grantSource: 'admin' | 'offering' | null;
+}
+
+export function AdminPartnerPrograms() {
+  const { id } = useParams<{ id: string }>();
+  const partnerId = id ?? '';
+  const qc = useQueryClient();
+
+  const partner = useQuery({
+    queryKey: ['partner', partnerId],
+    queryFn: () => api<Partner>(`/partners/${partnerId}`),
+    enabled: !!partnerId,
+  });
+
+  const grants = useQuery({
+    queryKey: ['partner-campaigns', partnerId],
+    queryFn: () => api<{ campaigns: CampaignGrant[] }>(`/partners/${partnerId}/campaigns`),
+    enabled: !!partnerId,
+  });
+
+  const add = useMutation({
+    mutationFn: (campaignId: string) =>
+      api(`/partners/${partnerId}/campaigns`, { method: 'POST', body: { campaignIds: [campaignId] } }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['partner-campaigns', partnerId] }),
+  });
+  const remove = useMutation({
+    mutationFn: (campaignId: string) =>
+      api(`/partners/${partnerId}/campaigns/${campaignId}`, { method: 'DELETE' }),
+    onSuccess: () => qc.invalidateQueries({ queryKey: ['partner-campaigns', partnerId] }),
+  });
+
+  const busyId = add.isPending ? add.variables : remove.isPending ? remove.variables : null;
+  const partnerName = partner.data?.name ?? '…';
+
+  return (
+    <Page
+      title={`Programs · ${partnerName}`}
+      subtitle="Toggle which programs this partner can create share-links for. Revoking a program doesn't remove existing links — those keep working until the partner deletes them."
+    >
+      <div style={{ marginBottom: 14 }}>
+        <TenantLink to="/admin/partners" style={{ color: theme.textMuted, fontSize: 13, display: 'inline-flex', alignItems: 'center', gap: 6 }}>
+          <ArrowLeft size={14} /> Back to Partners
+        </TenantLink>
+      </div>
+      <ErrorBanner error={partner.error ?? grants.error ?? add.error ?? remove.error} />
+      <Card>
+        {grants.isLoading ? (
+          <div style={{ color: theme.textMuted }}>Loading…</div>
+        ) : !grants.data || grants.data.campaigns.length === 0 ? (
+          <div style={{ color: theme.textMuted }}>No campaigns exist yet — create one in Campaigns.</div>
+        ) : (
+          <div style={{ display: 'flex', flexDirection: 'column', gap: 8 }}>
+            {grants.data.campaigns.map((c) => {
+              const busy = busyId === c.id;
+              return (
+                <label
+                  key={c.id}
+                  style={{
+                    display: 'flex',
+                    alignItems: 'center',
+                    gap: 12,
+                    padding: '10px 12px',
+                    background: c.granted ? `${theme.success}10` : theme.surface2,
+                    border: `1px solid ${c.granted ? `${theme.success}44` : theme.borderSubtle}`,
+                    borderRadius: theme.radiusSm,
+                    cursor: busy ? 'wait' : 'pointer',
+                    opacity: busy ? 0.6 : 1,
+                  }}
+                >
+                  <input
+                    type="checkbox"
+                    checked={c.granted}
+                    disabled={busy}
+                    onChange={(e) => (e.target.checked ? add.mutate(c.id) : remove.mutate(c.id))}
+                  />
+                  <div style={{ flex: 1, minWidth: 0 }}>
+                    <div style={{ fontSize: 14, fontWeight: 500 }}>{c.name}</div>
+                    <div style={{ fontSize: 12, color: theme.textMuted, fontFamily: theme.fontMono }}>{c.destinationUrl}</div>
+                  </div>
+                  {c.grantSource === 'offering' && (
+                    <span style={{ fontSize: 11, color: theme.accent, padding: '3px 8px', background: `${theme.accent}15`, borderRadius: 12 }}>
+                      via Network
+                    </span>
+                  )}
+                </label>
+              );
+            })}
+          </div>
+        )}
+      </Card>
+    </Page>
+  );
+}
diff --git a/apps/portal/src/pages/AdminPartners.tsx b/apps/portal/src/pages/AdminPartners.tsx
index 1dfe497..8babd10 100644
--- a/apps/portal/src/pages/AdminPartners.tsx
+++ b/apps/portal/src/pages/AdminPartners.tsx
@@ -1,7 +1,7 @@
 import { useState } from 'react';
 import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { Plus, Users } from 'lucide-react';
-import { api, ApiError } from '../api.js';
+import { api } from '../api.js';
 import { theme } from '../theme.js';
 import { TenantLink } from '../tenant-link.js';
 import { Avatar, Button, Card, EmptyState, ErrorBanner, Input, Label, Page, StatusPill, Table, formatDate } from '../ui.js';
@@ -20,8 +20,6 @@ export function AdminPartners() {
   const qc = useQueryClient();
   const [showCreate, setShowCreate] = useState(false);
   const [revoking, setRevoking] = useState<Partner | null>(null);
-  const [managingPrograms, setManagingPrograms] = useState<Partner | null>(null);
-  const [managingCoupons, setManagingCoupons] = useState<Partner | null>(null);
 
   const partners = useQuery({ queryKey: ['partners'], queryFn: () => api<{ partners: Partner[] }>('/partners') });
 
@@ -56,18 +54,6 @@ export function AdminPartners() {
           }}
         />
       )}
-      {managingPrograms && (
-        <ProgramsDialog
-          partner={managingPrograms}
-          onClose={() => setManagingPrograms(null)}
-        />
-      )}
-      {managingCoupons && (
-        <CouponsDialog
-          partner={managingCoupons}
-          onClose={() => setManagingCoupons(null)}
-        />
-      )}
 
       {partners.isLoading ? (
         <Card>Loading…</Card>
@@ -94,19 +80,9 @@ export function AdminPartners() {
             <div style={{ display: 'flex', gap: 6 }}>
               <TenantLink to={`/links?partnerId=${p.id}`} style={{ color: theme.accent, fontSize: 13 }}>Links</TenantLink>
               <span style={{ color: theme.border }}>·</span>
-              <button
-                onClick={() => setManagingPrograms(p)}
-                style={{ background: 'none', border: 'none', padding: 0, fontSize: 13, color: theme.accent, cursor: 'pointer' }}
-              >
-                Programs
-              </button>
+              <TenantLink to={`/admin/partners/${p.id}/programs`} style={{ color: theme.accent, fontSize: 13 }}>Programs</TenantLink>
               <span style={{ color: theme.border }}>·</span>
-              <button
-                onClick={() => setManagingCoupons(p)}
-                style={{ background: 'none', border: 'none', padding: 0, fontSize: 13, color: theme.accent, cursor: 'pointer' }}
-              >
-                Coupons
-              </button>
+              <TenantLink to={`/admin/partners/${p.id}/coupons`} style={{ color: theme.accent, fontSize: 13 }}>Coupons</TenantLink>
               <span style={{ color: theme.border }}>·</span>
               <TenantLink to={`/payouts?partnerId=${p.id}`} style={{ color: theme.accent, fontSize: 13 }}>Payouts</TenantLink>
               {!p.activatedAt && !p.revokedAt && (
@@ -305,228 +281,6 @@ function RevokeDialog({
   );
 }
 
-interface CampaignGrant {
-  id: string;
-  name: string;
-  destinationUrl: string;
-  granted: boolean;
-  grantSource: 'admin' | 'offering' | null;
-}
-
-function ProgramsDialog({ partner, onClose }: { partner: Partner; onClose: () => void }) {
-  const qc = useQueryClient();
-  const { data, isLoading, error } = useQuery({
-    queryKey: ['partner-campaigns', partner.id],
-    queryFn: () => api<{ campaigns: CampaignGrant[] }>(`/partners/${partner.id}/campaigns`),
-  });
-
-  const add = useMutation({
-    mutationFn: (campaignId: string) =>
-      api(`/partners/${partner.id}/campaigns`, { method: 'POST', body: { campaignIds: [campaignId] } }),
-    onSuccess: () => qc.invalidateQueries({ queryKey: ['partner-campaigns', partner.id] }),
-  });
-  const remove = useMutation({
-    mutationFn: (campaignId: string) =>
-      api(`/partners/${partner.id}/campaigns/${campaignId}`, { method: 'DELETE' }),
-    onSuccess: () => qc.invalidateQueries({ queryKey: ['partner-campaigns', partner.id] }),
-  });
-
-  const busyId = add.isPending ? add.variables : remove.isPending ? remove.variables : null;
-
-  return (
-    <Card style={{ marginBottom: 14 }}>
-      <div style={{ display: 'flex', alignItems: 'baseline', gap: 12, marginBottom: 6 }}>
-        <div style={{ fontSize: 15, fontWeight: 500, flex: 1 }}>Programs for {partner.name}</div>
-        <button onClick={onClose} style={{ background: 'none', border: 'none', color: theme.textMuted, cursor: 'pointer', fontSize: 13 }}>
-          Close
-        </button>
-      </div>
-      <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 14 }}>
-        Toggle which programs this partner can create share-links for. Revoking a program doesn&rsquo;t remove
-        existing links — those keep working until the partner deletes them.
-      </div>
-      <ErrorBanner error={error ?? add.error ?? remove.error} />
-      {isLoading ? (
-        <div style={{ color: theme.textMuted }}>Loading…</div>
-      ) : !data || data.campaigns.length === 0 ? (
-        <div style={{ color: theme.textMuted }}>No campaigns exist yet — create one in Campaigns.</div>
-      ) : (
-        <div style={{ display: 'flex', flexDirection: 'column', gap: 8 }}>
-          {data.campaigns.map((c) => {
-            const busy = busyId === c.id;
-            return (
-              <label
-                key={c.id}
-                style={{
-                  display: 'flex',
-                  alignItems: 'center',
-                  gap: 12,
-                  padding: '10px 12px',
-                  background: c.granted ? `${theme.success}10` : theme.surface2,
-                  border: `1px solid ${c.granted ? `${theme.success}44` : theme.borderSubtle}`,
-                  borderRadius: theme.radiusSm,
-                  cursor: busy ? 'wait' : 'pointer',
-                  opacity: busy ? 0.6 : 1,
-                }}
-              >
-                <input
-                  type="checkbox"
-                  checked={c.granted}
-                  disabled={busy}
-                  onChange={(e) => (e.target.checked ? add.mutate(c.id) : remove.mutate(c.id))}
-                />
-                <div style={{ flex: 1, minWidth: 0 }}>
-                  <div style={{ fontSize: 14, fontWeight: 500 }}>{c.name}</div>
-                  <div style={{ fontSize: 12, color: theme.textMuted, fontFamily: theme.fontMono }}>{c.destinationUrl}</div>
-                </div>
-                {c.grantSource === 'offering' && (
-                  <span style={{ fontSize: 11, color: theme.accent, padding: '3px 8px', background: `${theme.accent}15`, borderRadius: 12 }}>
-                    via Network
-                  </span>
-                )}
-              </label>
-            );
-          })}
-        </div>
-      )}
-    </Card>
-  );
-}
-
-interface CouponRow {
-  id: string;
-  code: string;
-  campaignId: string;
-  createdAt: string;
-  redemptions90d?: number;
-  revenue90d?: number;
-}
-
-interface CampaignBrief {
-  id: string;
-  name: string;
-}
-
-function CouponsDialog({ partner, onClose }: { partner: Partner; onClose: () => void }) {
-  const qc = useQueryClient();
-  const coupons = useQuery({
-    queryKey: ['partner-coupons', partner.id],
-    queryFn: () => api<{ coupons: CouponRow[] }>(`/partners/${partner.id}/coupons`),
-  });
-  const campaigns = useQuery({
-    queryKey: ['campaigns'],
-    queryFn: () => api<{ campaigns: CampaignBrief[] }>('/campaigns'),
-  });
-
-  const [pickedCampaign, setPickedCampaign] = useState('');
-  const [customCode, setCustomCode] = useState('');
-
-  const mint = useMutation({
-    mutationFn: () =>
-      api(`/partners/${partner.id}/coupons`, {
-        method: 'POST',
-        body: { campaignId: pickedCampaign, code: customCode.trim() ? customCode.trim().toUpperCase() : undefined },
-      }),
-    onSuccess: () => {
-      qc.invalidateQueries({ queryKey: ['partner-coupons', partner.id] });
-      setCustomCode('');
-      setPickedCampaign('');
-    },
-  });
-
-  // Pull the verification gate state so the admin sees a banner when
-  // they've crossed the threshold without verifying.
-  const gateError = mint.error instanceof ApiError && mint.error.message === 'verification_required'
-    ? (mint.error.detail as { detail?: string; threshold?: number; existing?: number } | undefined)
-    : null;
-
-  const existingCampaignIds = new Set((coupons.data?.coupons ?? []).map((c) => c.campaignId));
-  const availableCampaigns = (campaigns.data?.campaigns ?? []).filter((c) => !existingCampaignIds.has(c.id));
-  const campaignNameById = new Map((campaigns.data?.campaigns ?? []).map((c) => [c.id, c.name]));
-
-  return (
-    <Card style={{ marginBottom: 14 }}>
-      <div style={{ display: 'flex', alignItems: 'baseline', gap: 12, marginBottom: 6 }}>
-        <div style={{ fontSize: 15, fontWeight: 500, flex: 1 }}>Coupons for {partner.name}</div>
-        <button onClick={onClose} style={{ background: 'none', border: 'none', color: theme.textMuted, cursor: 'pointer', fontSize: 13 }}>
-          Close
-        </button>
-      </div>
-      <div style={{ fontSize: 13, color: theme.textMuted, marginBottom: 14 }}>
-        Coupons attribute conversions when customers enter a code at checkout instead of clicking a share link.
-        Your site calls <code>POST /coupons/redeem</code> with the code; same downstream commission flow as click-driven attribution.
-      </div>
-      <ErrorBanner error={coupons.error ?? (gateError ? null : mint.error)} />
-      {gateError && (
-        <div style={{ background: `${theme.danger}10`, border: `1px solid ${theme.danger}55`, borderRadius: theme.radiusSm, padding: 12, marginBottom: 12 }}>
-          <div style={{ fontSize: 13, color: theme.danger, fontWeight: 500, marginBottom: 6 }}>
-            Verify your coupon integration before minting more
-          </div>
-          <div style={{ fontSize: 12, color: theme.text, lineHeight: 1.5 }}>
-            {gateError.detail}
-          </div>
-        </div>
-      )}
-      {coupons.isLoading ? (
-        <p style={{ color: theme.textMuted, fontSize: 13 }}>Loading…</p>
-      ) : (
-        <>
-          {(coupons.data?.coupons ?? []).length > 0 && (
-            <div style={{ display: 'flex', flexDirection: 'column', gap: 6, marginBottom: 14 }}>
-              {(coupons.data?.coupons ?? []).map((c) => (
-                <div key={c.id} style={{ display: 'flex', alignItems: 'center', gap: 10, padding: '8px 12px', background: theme.surface2, border: `1px solid ${theme.borderSubtle}`, borderRadius: theme.radiusSm }}>
-                  <code style={{ fontSize: 14, fontWeight: 500, color: theme.text, flex: 1 }}>{c.code}</code>
-                  <span style={{ color: theme.textMuted, fontSize: 12 }}>
-                    {campaignNameById.get(c.campaignId) ?? c.campaignId}
-                  </span>
-                  <span style={{ color: theme.textMuted, fontSize: 11, whiteSpace: 'nowrap' }}>
-                    {(c.redemptions90d ?? 0) > 0
-                      ? `${c.redemptions90d} redemption${c.redemptions90d === 1 ? '' : 's'} (90d)`
-                      : 'unused (90d)'}
-                  </span>
-                </div>
-              ))}
-            </div>
-          )}
-          {availableCampaigns.length > 0 ? (
-            <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr auto', gap: 8, alignItems: 'end' }}>
-              <div>
-                <Label>Campaign</Label>
-                <select
-                  value={pickedCampaign}
-                  onChange={(e) => setPickedCampaign(e.target.value)}
-                  style={{ width: '100%', padding: '8px 10px', background: theme.surface2, border: `1px solid ${theme.border}`, borderRadius: theme.radiusSm, color: theme.text, fontSize: 13 }}
-                >
-                  <option value="">— pick a campaign —</option>
-                  {availableCampaigns.map((c) => <option key={c.id} value={c.id}>{c.name}</option>)}
-                </select>
-              </div>
-              <div>
-                <Label>Code (optional)</Label>
-                <Input
-                  value={customCode}
-                  onChange={(e) => setCustomCode(e.target.value.toUpperCase().replace(/[^A-Z0-9-]/g, ''))}
-                  placeholder="auto-generates if blank"
-                  style={{ fontFamily: theme.fontMono }}
-                />
-              </div>
-              <Button onClick={() => mint.mutate()} disabled={!pickedCampaign || mint.isPending}>
-                {mint.isPending ? 'Minting…' : 'Mint coupon'}
-              </Button>
-            </div>
-          ) : (
-            <p style={{ color: theme.textMuted, fontSize: 13, margin: 0 }}>
-              {(coupons.data?.coupons ?? []).length === 0
-                ? 'No campaigns available. Create one in Campaigns first.'
-                : 'This partner has a coupon for every campaign already.'}
-            </p>
-          )}
-        </>
-      )}
-    </Card>
-  );
-}
-
 function ResendInvite({ partnerId }: { partnerId: string }) {
   const [sent, setSent] = useState(false);
   const mut = useMutation({

From 2c2abd22a0ebd13cf601eba74272ed0b58ef60ee Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 08:46:25 -0700
Subject: [PATCH 113/131] feat(uploads): brand logos + creator avatar uploads
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Brand logo (openpartner):
  * Tenant.logoUrl column + migration
  * POST /uploads/logo (admin auth, multipart-style raw binary body,
    image/* allowlist, 2 MB cap)
  * AdminSettings: file picker + preview replaces text-only brand info
  * Sidebar header swaps Logo() for the uploaded image when present

Creator avatar (network side already had Creator.avatarUrl):
  * Wired the avatar through the existing /api/creator-api proxy on
    openpartner with a raw-body bypass for image content-types
  * CreatorMyProfile: dropped the "paste a URL" field, replaced with
    file picker that posts to the Network upload endpoint
  * CreatorShell sidebar chip swaps the letter avatar for the image
    when present

Storage backend pluggable via OPENPARTNER_STORAGE_KIND:
  * fs (default) — local dir served at /uploads/* via express.static.
    Fine for self-hosters; ephemeral on App Platform unless you mount
    a volume.
  * s3 — any S3-compatible bucket. AWS SDK lazy-imported so self-host
    installs that don't set STORAGE_KIND=s3 don't pay the dep cost at
    runtime. Same env var shape on the Network side under NETWORK_*.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/package.json                         |    1 +
 apps/api/src/app.ts                           |    7 +
 apps/api/src/routes/creator-portal.ts         |   24 +-
 apps/api/src/routes/settings.ts               |   24 +-
 apps/api/src/routes/uploads.ts                |   79 ++
 apps/api/src/storage.ts                       |  220 +++
 apps/portal/src/App.tsx                       |   11 +-
 apps/portal/src/api.ts                        |   16 +-
 apps/portal/src/pages/admin/Settings.tsx      |   86 ++
 .../src/pages/creator/CreatorMyProfile.tsx    |   91 +-
 .../portal/src/pages/creator/CreatorShell.tsx |   10 +-
 apps/portal/src/pages/creator/creator-api.ts  |   16 +-
 .../migrations/20260608000000_tenant_logo.ts  |   22 +
 packages/db/src/types.ts                      |    3 +
 pnpm-lock.yaml                                | 1198 +++++++++++++++++
 15 files changed, 1785 insertions(+), 23 deletions(-)
 create mode 100644 apps/api/src/routes/uploads.ts
 create mode 100644 apps/api/src/storage.ts
 create mode 100644 packages/db/migrations/20260608000000_tenant_logo.ts

diff --git a/apps/api/package.json b/apps/api/package.json
index d8710ac..fc81b8b 100644
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -13,6 +13,7 @@
     "test": "vitest run --passWithNoTests"
   },
   "dependencies": {
+    "@aws-sdk/client-s3": "^3.665.0",
     "@openpartner/db": "workspace:*",
     "@types/cookie-parser": "^1.4.10",
     "cookie-parser": "^1.4.7",
diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index fd0a850..892f7e8 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -27,6 +27,7 @@ import { partnerAuthRouter } from './routes/partner-auth.js';
 import { adminOverviewRouter } from './routes/admin-overview.js';
 import { funnelRouter } from './routes/funnel.js';
 import { settingsRouter } from './routes/settings.js';
+import { mountStaticUploads, uploadsRouter } from './routes/uploads.js';
 import { adminsRouter } from './routes/admins.js';
 import { installRouter } from './routes/install.js';
 import { fraudReviewRouter } from './routes/fraud-review.js';
@@ -118,6 +119,11 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
     res.json({ ok: true, service: 'api', mode: MODE });
   });
 
+  // Static handler for FS-backed uploads (no-op when STORAGE_KIND=s3).
+  // Mounted before any auth middleware — uploaded assets are public-read
+  // by design (avatars + logos appear in unauthenticated contexts).
+  mountStaticUploads(app);
+
   // ----- Public, non-tenant routes (mounted BEFORE tenantMiddleware) -----
   // These either run before any tenant exists (install), or are platform-
   // wide (metrics scraped by Prometheus). They use the privileged db
@@ -145,6 +151,7 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   app.use(partnerSignupRouter);
   app.use(adminsRouter);
   app.use(settingsRouter);
+  app.use(uploadsRouter);
   app.use(funnelRouter);
   app.use(fraudReviewRouter);
   app.use(webhooksRouter);
diff --git a/apps/api/src/routes/creator-portal.ts b/apps/api/src/routes/creator-portal.ts
index bbd2f1d..5ca3107 100644
--- a/apps/api/src/routes/creator-portal.ts
+++ b/apps/api/src/routes/creator-portal.ts
@@ -20,10 +20,21 @@
  * Discover/Vendor pages render before signup.
  */
 
-import { Router, type Request, type Response } from 'express';
+import express, { Router, type Request, type Response } from 'express';
 
 export const creatorPortalRouter = Router();
 
+// Image-upload bodies arrive as raw binary, not JSON. The global
+// express.json() middleware ignores image content-types, so without this
+// raw parser req.body would be {} and the proxy would forward an empty
+// payload to the Network. Cap matches the Network-side limit.
+creatorPortalRouter.use(
+  express.raw({
+    type: ['image/jpeg', 'image/png', 'image/webp'],
+    limit: 2 * 1024 * 1024,
+  }),
+);
+
 // Whitelist: exact path match or prefix-with-glob. We only forward paths
 // the Network exposes for creator-side flows, never anything else.
 const ALLOWED_EXACT = new Set([
@@ -42,6 +53,7 @@ const ALLOWED_EXACT = new Set([
   '/creators/me/partnerships',
   '/creators/me/platforms',
   '/creators/me/recommendations',
+  '/creators/me/uploads/avatar',
   '/offerings',
 ]);
 
@@ -107,7 +119,15 @@ creatorPortalRouter.all(/^\/creator-api(\/.*)?$/, async (req: Request, res: Resp
       signal: AbortSignal.timeout(10_000),
     };
     if (req.method !== 'GET' && req.method !== 'HEAD') {
-      init.body = req.body !== undefined ? JSON.stringify(req.body) : undefined;
+      // Binary bodies (image uploads, populated by the express.raw
+      // middleware above) forward as-is. Everything else gets JSON
+      // serialized — the global express.json() middleware put a parsed
+      // object on req.body for application/json requests.
+      if (Buffer.isBuffer(req.body)) {
+        init.body = req.body;
+      } else if (req.body !== undefined) {
+        init.body = JSON.stringify(req.body);
+      }
     }
 
     let upstream: globalThis.Response;
diff --git a/apps/api/src/routes/settings.ts b/apps/api/src/routes/settings.ts
index 2271e4d..4acffee 100644
--- a/apps/api/src/routes/settings.ts
+++ b/apps/api/src/routes/settings.ts
@@ -42,27 +42,34 @@ const settingsSchema = z.object({
   supportEmail: z.string().trim().email().max(254).optional().or(z.literal('')),
 });
 
-export interface ProgramSettings {
+/** What we persist into the Config row. Logo lives on Tenant; everything
+ *  else is per-tenant program settings. */
+interface PersistedProgramSettings {
   programName: string | null;
   supportEmail: string | null;
 }
 
+export interface ProgramSettings extends PersistedProgramSettings {
+  logoUrl: string | null;
+}
+
 async function readSettings(db: Knex, tenantId: string): Promise<ProgramSettings> {
   const row = await db<ConfigRow>(TABLES.Config).where({ tenantId, key: CONFIG_KEY }).first();
-  const value = (row?.value ?? {}) as Partial<ProgramSettings>;
+  const value = (row?.value ?? {}) as Partial<PersistedProgramSettings>;
   // Fall back to Tenant.displayName so brand admins don't have to re-type
   // the brand name they set at signup. Saving this page promotes the
   // value into program_settings; until then we just surface the signup
   // value so the UI is pre-populated and the onboarding checklist
   // doesn't keep nagging about a thing that's effectively already set.
   let programName = value.programName ?? null;
-  if (!programName) {
-    const tenant = await db('Tenant').where({ id: tenantId }).first(['displayName']);
-    if (tenant?.displayName) programName = tenant.displayName as string;
-  }
+  // Logo lives on Tenant (set by /uploads/logo). Always read from there
+  // so the cached Config row never lags the actual upload.
+  const tenant = await db('Tenant').where({ id: tenantId }).first(['displayName', 'logoUrl']);
+  if (!programName && tenant?.displayName) programName = tenant.displayName as string;
   return {
     programName,
     supportEmail: value.supportEmail ?? null,
+    logoUrl: (tenant?.logoUrl as string | null | undefined) ?? null,
   };
 }
 
@@ -78,7 +85,7 @@ settingsRouter.post('/config/program', requireAuth, requireAdmin, async (req, re
   const body = settingsSchema.safeParse(req.body ?? {});
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
-  const next: ProgramSettings = {
+  const next: PersistedProgramSettings = {
     programName: body.data.programName?.trim() || null,
     supportEmail: body.data.supportEmail?.trim() || null,
   };
@@ -88,7 +95,8 @@ settingsRouter.post('/config/program', requireAuth, requireAdmin, async (req, re
     .insert({ tenantId, key: CONFIG_KEY, value: next as unknown as never, updatedAt: now })
     .onConflict(['tenantId', 'key'])
     .merge({ value: next as unknown as never, updatedAt: now });
-  res.json(next);
+  // Re-hydrate so the returned shape matches GET (includes logoUrl).
+  res.json(await readSettings(db, tenantId));
 });
 
 // ---------- Mail settings ----------
diff --git a/apps/api/src/routes/uploads.ts b/apps/api/src/routes/uploads.ts
new file mode 100644
index 0000000..a95c92f
--- /dev/null
+++ b/apps/api/src/routes/uploads.ts
@@ -0,0 +1,79 @@
+import express, { Router } from 'express';
+import { TABLES } from '@openpartner/db';
+import { requireAuth, requireAdmin } from '../auth.js';
+import { tenantOf } from '../tenancy.js';
+import { fsStorageDir, getStorage, MAX_UPLOAD_BYTES, newUploadKey, UploadError, validateImageUpload } from '../storage.js';
+
+export const uploadsRouter = Router();
+
+// ---------- Brand logo upload ----------
+//
+// Single binary body: client sends the image as the raw request body,
+// Content-Type header carries the mime, X-Tenant-Slug etc are pulled
+// from the tenant middleware. Returns the public URL after writing to
+// storage AND stamping it onto the Tenant row in one transactional-ish
+// shot (file write first; if DB update fails the file is orphaned but
+// harmless — no link to anything).
+//
+// Capped at 2 MB by validateImageUpload + the express.raw limit.
+uploadsRouter.post(
+  '/uploads/logo',
+  express.raw({
+    type: ['image/jpeg', 'image/png', 'image/webp'],
+    limit: MAX_UPLOAD_BYTES,
+  }),
+  requireAuth,
+  requireAdmin,
+  async (req, res) => {
+    const { db, tenantId } = tenantOf(req);
+
+    let validated;
+    try {
+      validated = validateImageUpload(req.headers['content-type'], req.body?.length ?? 0);
+    } catch (err) {
+      if (err instanceof UploadError) return res.status(400).json({ error: err.code, detail: err.message });
+      throw err;
+    }
+    if (!Buffer.isBuffer(req.body) || req.body.length === 0) {
+      return res.status(400).json({ error: 'empty_body' });
+    }
+
+    const key = newUploadKey(`tenants/${tenantId}/logos`, validated.ext);
+    await getStorage().put(key, req.body, { contentType: validated.contentType });
+    const url = getStorage().publicUrl(key);
+
+    await db(TABLES.Tenant).where({ id: tenantId }).update({ logoUrl: url, updatedAt: new Date() });
+
+    res.json({ logoUrl: url });
+  },
+);
+
+// ---------- Static handler for FS backend ----------
+//
+// When OPENPARTNER_STORAGE_KIND=fs, files written by the route above
+// need to be served. Mount express.static on /uploads pointing at the
+// configured FS dir. No-op when on s3 (the bucket serves directly).
+//
+// Public — no auth — by design: avatars + logos are shown in
+// unauthenticated contexts (creator profile pages, brand listings on
+// the Network, etc.). The keys are random hex (16 bytes), so directory
+// enumeration isn't feasible.
+export function mountStaticUploads(app: import('express').Express): void {
+  const dir = fsStorageDir();
+  if (!dir) return;
+  app.use(
+    '/uploads',
+    express.static(dir, {
+      // Same cache header as S3 ACLs above. Keys change on every
+      // re-upload so immutable is safe.
+      maxAge: '365d',
+      immutable: true,
+      // Don't fall through to the next handler on 404 — return a clean
+      // 404 instead of attempting to interpret /uploads/<key> as
+      // something else further down the stack.
+      fallthrough: false,
+      // Don't ever serve a directory listing.
+      index: false,
+    }),
+  );
+}
diff --git a/apps/api/src/storage.ts b/apps/api/src/storage.ts
new file mode 100644
index 0000000..fc019b3
--- /dev/null
+++ b/apps/api/src/storage.ts
@@ -0,0 +1,220 @@
+/**
+ * Object storage for user-uploaded assets (brand logos, partner avatars).
+ *
+ * Two backends, picked by OPENPARTNER_STORAGE_KIND:
+ *
+ *   fs (default) — write to a local directory, served by an Express
+ *                  static handler at /uploads/*. Fine for self-hosters
+ *                  who don't have an S3-compatible store and don't want
+ *                  to provision one. Persists across restarts when the
+ *                  dir is on a docker volume; ephemeral otherwise.
+ *
+ *   s3           — write to any S3-compatible bucket. Used in our DO
+ *                  deployment with DO Spaces. The s3 client is lazy-
+ *                  imported so self-host installs that never set
+ *                  STORAGE_KIND=s3 don't pay the dependency cost.
+ *
+ * Both backends return a `publicUrl(key)` the rest of the app can stamp
+ * into JSON responses + DB columns. Switching backends is a deploy-time
+ * config change; previously-uploaded files keep their old URLs (we
+ * never rewrite stored URLs).
+ */
+
+import { promises as fs } from 'node:fs';
+import { join, resolve } from 'node:path';
+import { randomBytes } from 'node:crypto';
+
+export interface PutOptions {
+  contentType: string;
+}
+
+export interface StorageBackend {
+  /**
+   * Write `buf` to `key`. Implementations overwrite atomically when the
+   * key already exists; callers shouldn't rely on read-after-write
+   * consistency across distributed S3 backends but DO Spaces + AWS S3
+   * give us strong consistency in practice.
+   */
+  put(key: string, buf: Buffer, opts: PutOptions): Promise<void>;
+  /**
+   * Public URL for `key`. Constructed from configured base — never
+   * involves a request to the storage backend.
+   */
+  publicUrl(key: string): string;
+}
+
+// ---------- FS backend ----------
+
+class FsStorage implements StorageBackend {
+  constructor(
+    private dir: string,
+    private publicBase: string,
+  ) {}
+
+  async put(key: string, buf: Buffer, _opts: PutOptions): Promise<void> {
+    // No subdir nesting in keys (we control them) — single mkdir on the
+    // root suffices. atomic-ish: write then rename would be safer but
+    // for v1 a direct write is fine; the next overwrite supersedes.
+    await fs.mkdir(this.dir, { recursive: true });
+    await fs.writeFile(join(this.dir, key), buf);
+  }
+
+  publicUrl(key: string): string {
+    return `${this.publicBase.replace(/\/$/, '')}/${key}`;
+  }
+}
+
+// ---------- S3 backend ----------
+
+interface S3Config {
+  bucket: string;
+  region: string;
+  endpoint?: string;
+  accessKeyId: string;
+  secretAccessKey: string;
+  publicBase?: string;
+}
+
+class S3Storage implements StorageBackend {
+  // The s3 client is constructed once and re-used — internal connection
+  // pool handles concurrency. Typed as `any` because we lazy-import the
+  // SDK; carrying the real types would force a top-level import.
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  private clientPromise: Promise<any> | null = null;
+
+  constructor(private cfg: S3Config) {}
+
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  private async client(): Promise<any> {
+    if (!this.clientPromise) {
+      this.clientPromise = import('@aws-sdk/client-s3').then(
+        (mod) =>
+          new mod.S3Client({
+            region: this.cfg.region,
+            endpoint: this.cfg.endpoint,
+            // DO Spaces requires path-style URLs; AWS allows both.
+            // forcePathStyle: false works for AWS, true is needed for
+            // some on-prem MinIO setups. DO Spaces accepts either; we
+            // default to the safer path-style.
+            forcePathStyle: !!this.cfg.endpoint,
+            credentials: {
+              accessKeyId: this.cfg.accessKeyId,
+              secretAccessKey: this.cfg.secretAccessKey,
+            },
+          }),
+      );
+    }
+    return this.clientPromise;
+  }
+
+  async put(key: string, buf: Buffer, opts: PutOptions): Promise<void> {
+    const c = await this.client();
+    const { PutObjectCommand } = await import('@aws-sdk/client-s3');
+    await c.send(
+      new PutObjectCommand({
+        Bucket: this.cfg.bucket,
+        Key: key,
+        Body: buf,
+        ContentType: opts.contentType,
+        // Avatars and logos are public-read by design — they're shown
+        // in unauthenticated brand pages on the Network and inline in
+        // emails. ACL header is the cross-cloud way to set this.
+        ACL: 'public-read',
+        // 1y cache header — uploads use random keys so the URL changes
+        // on every replace. Aggressive caching is safe.
+        CacheControl: 'public, max-age=31536000, immutable',
+      }),
+    );
+  }
+
+  publicUrl(key: string): string {
+    if (this.cfg.publicBase) {
+      return `${this.cfg.publicBase.replace(/\/$/, '')}/${key}`;
+    }
+    if (this.cfg.endpoint) {
+      // Custom endpoint (DO Spaces, MinIO): URL is endpoint/bucket/key.
+      const ep = this.cfg.endpoint.replace(/\/$/, '');
+      return `${ep}/${this.cfg.bucket}/${key}`;
+    }
+    // AWS: bucket-subdomain style.
+    return `https://${this.cfg.bucket}.s3.${this.cfg.region}.amazonaws.com/${key}`;
+  }
+}
+
+// ---------- factory ----------
+
+let backend: StorageBackend | null = null;
+
+export function getStorage(): StorageBackend {
+  if (backend) return backend;
+
+  const kind = (process.env.OPENPARTNER_STORAGE_KIND ?? 'fs').toLowerCase();
+
+  if (kind === 's3') {
+    const required = ['STORAGE_S3_BUCKET', 'STORAGE_S3_REGION', 'STORAGE_S3_ACCESS_KEY_ID', 'STORAGE_S3_SECRET_ACCESS_KEY'];
+    for (const name of required) {
+      if (!process.env[`OPENPARTNER_${name}`]) {
+        throw new Error(`OPENPARTNER_STORAGE_KIND=s3 requires OPENPARTNER_${name}`);
+      }
+    }
+    backend = new S3Storage({
+      bucket: process.env.OPENPARTNER_STORAGE_S3_BUCKET!,
+      region: process.env.OPENPARTNER_STORAGE_S3_REGION!,
+      endpoint: process.env.OPENPARTNER_STORAGE_S3_ENDPOINT,
+      accessKeyId: process.env.OPENPARTNER_STORAGE_S3_ACCESS_KEY_ID!,
+      secretAccessKey: process.env.OPENPARTNER_STORAGE_S3_SECRET_ACCESS_KEY!,
+      publicBase: process.env.OPENPARTNER_STORAGE_S3_PUBLIC_BASE,
+    });
+    return backend;
+  }
+
+  // fs default. publicBase computes off API_URL when not explicitly set
+  // — saves operators from having to declare two URLs in the common case.
+  const dir = resolve(process.env.OPENPARTNER_STORAGE_FS_DIR ?? '/var/lib/openpartner/uploads');
+  const publicBase =
+    process.env.OPENPARTNER_STORAGE_FS_PUBLIC_BASE ??
+    `${(process.env.API_URL ?? 'http://localhost:4601').replace(/\/$/, '')}/uploads`;
+  backend = new FsStorage(dir, publicBase);
+  return backend;
+}
+
+export function fsStorageDir(): string | null {
+  if ((process.env.OPENPARTNER_STORAGE_KIND ?? 'fs').toLowerCase() !== 'fs') return null;
+  return resolve(process.env.OPENPARTNER_STORAGE_FS_DIR ?? '/var/lib/openpartner/uploads');
+}
+
+// ---------- helpers ----------
+
+const ALLOWED_CONTENT_TYPES = new Set(['image/jpeg', 'image/png', 'image/webp']);
+const EXT_BY_TYPE: Record<string, string> = {
+  'image/jpeg': 'jpg',
+  'image/png': 'png',
+  'image/webp': 'webp',
+};
+
+export const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
+
+export interface ValidatedUpload {
+  contentType: string;
+  ext: string;
+}
+
+export function validateImageUpload(contentType: string | undefined, byteLength: number): ValidatedUpload {
+  if (!contentType || !ALLOWED_CONTENT_TYPES.has(contentType)) {
+    throw new UploadError(`unsupported_content_type`, `Content-Type must be one of: ${[...ALLOWED_CONTENT_TYPES].join(', ')}`);
+  }
+  if (byteLength > MAX_UPLOAD_BYTES) {
+    throw new UploadError('payload_too_large', `Upload exceeds ${MAX_UPLOAD_BYTES} bytes`);
+  }
+  return { contentType, ext: EXT_BY_TYPE[contentType]! };
+}
+
+export function newUploadKey(prefix: string, ext: string): string {
+  return `${prefix}/${randomBytes(16).toString('hex')}.${ext}`;
+}
+
+export class UploadError extends Error {
+  constructor(public code: string, message: string) {
+    super(message);
+  }
+}
diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index b06a9d5..38370d5 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -209,6 +209,7 @@ function Shell() {
 interface ProgramSettings {
   programName: string | null;
   supportEmail: string | null;
+  logoUrl: string | null;
 }
 
 function Sidebar({ principal }: { principal: Principal }) {
@@ -242,7 +243,15 @@ function Sidebar({ principal }: { principal: Principal }) {
       }}
     >
       <div style={{ display: 'flex', alignItems: 'center', gap: 10, padding: '4px 8px', marginBottom: 20 }}>
-        <Logo />
+        {settings.data?.logoUrl ? (
+          <img
+            src={settings.data.logoUrl}
+            alt={programName}
+            style={{ width: 26, height: 26, borderRadius: 6, objectFit: 'contain', background: theme.surface2 }}
+          />
+        ) : (
+          <Logo />
+        )}
         <div style={{ fontSize: 15, fontWeight: 600, letterSpacing: '-0.01em' }}>{programName}</div>
       </div>
 
diff --git a/apps/portal/src/api.ts b/apps/portal/src/api.ts
index d49eef0..b0918de 100644
--- a/apps/portal/src/api.ts
+++ b/apps/portal/src/api.ts
@@ -31,9 +31,15 @@ export async function api<T = unknown>(
   const key = getApiKey();
   const headers = new Headers(init.headers);
   if (key) headers.set('Authorization', `Bearer ${key}`);
-  if (init.body !== undefined && !headers.has('content-type')) {
+  // Blob/File bodies carry their own content-type and pass through as-is
+  // (used by upload endpoints). Everything else gets JSON treatment.
+  const isBinaryBody = init.body instanceof Blob;
+  if (init.body !== undefined && !isBinaryBody && !headers.has('content-type')) {
     headers.set('content-type', 'application/json');
   }
+  if (isBinaryBody && !headers.has('content-type')) {
+    headers.set('content-type', (init.body as Blob).type || 'application/octet-stream');
+  }
   const slug = currentTenantSlug();
   const tenantPrefix = slug ? `/t/${slug}` : '';
   const res = await fetch(`/api${tenantPrefix}${path}`, {
@@ -42,9 +48,11 @@ export async function api<T = unknown>(
     credentials: 'include',
     body: init.body === undefined
       ? undefined
-      : typeof init.body === 'string'
-        ? init.body
-        : JSON.stringify(init.body),
+      : isBinaryBody
+        ? (init.body as Blob)
+        : typeof init.body === 'string'
+          ? init.body
+          : JSON.stringify(init.body),
   });
   if (res.status === 401) {
     clearApiKey();
diff --git a/apps/portal/src/pages/admin/Settings.tsx b/apps/portal/src/pages/admin/Settings.tsx
index 71bf785..62d2978 100644
--- a/apps/portal/src/pages/admin/Settings.tsx
+++ b/apps/portal/src/pages/admin/Settings.tsx
@@ -8,6 +8,7 @@ import { Button, Card, ErrorBanner, Input, Label, Page, Select } from '../../ui.
 interface ProgramSettings {
   programName: string | null;
   supportEmail: string | null;
+  logoUrl: string | null;
 }
 
 type MailKind = 'smtp' | 'postmark' | 'none';
@@ -69,6 +70,7 @@ function ProgramSection() {
         <div style={{ fontSize: 15, fontWeight: 500 }}>Brand info</div>
       </div>
       <ErrorBanner error={error ?? mut.error} />
+      <LogoUploader logoUrl={data?.logoUrl ?? null} brandName={data?.programName ?? null} />
       <div style={{ marginBottom: 16 }}>
         <Label>Brand name</Label>
         <Input value={programName} onChange={(e) => setProgramName(e.target.value)} placeholder="e.g. Acme" maxLength={120} />
@@ -287,6 +289,90 @@ function Hint({ children }: { children: ReactNode }) {
   return <div style={{ fontSize: 12, color: theme.textDim, marginTop: 6 }}>{children}</div>;
 }
 
+function LogoUploader({ logoUrl, brandName }: { logoUrl: string | null; brandName: string | null }) {
+  const qc = useQueryClient();
+  const [error, setError] = useState<string | null>(null);
+  const upload = useMutation({
+    mutationFn: (file: File) =>
+      api<{ logoUrl: string }>('/uploads/logo', { method: 'POST', body: file }),
+    onSuccess: () => {
+      setError(null);
+      qc.invalidateQueries({ queryKey: ['program-settings'] });
+      qc.invalidateQueries({ queryKey: ['session-home'] });
+    },
+    onError: (err) => setError(err instanceof Error ? err.message : 'upload failed'),
+  });
+
+  const onPick = (e: React.ChangeEvent<HTMLInputElement>) => {
+    const file = e.target.files?.[0];
+    e.target.value = '';
+    if (!file) return;
+    if (file.size > 2 * 1024 * 1024) {
+      setError('Image too large — max 2 MB.');
+      return;
+    }
+    upload.mutate(file);
+  };
+
+  return (
+    <div style={{ marginBottom: 16, display: 'flex', alignItems: 'center', gap: 14 }}>
+      <div
+        style={{
+          width: 56,
+          height: 56,
+          borderRadius: theme.radiusSm,
+          background: theme.surface2,
+          border: `1px solid ${theme.borderSubtle}`,
+          display: 'flex',
+          alignItems: 'center',
+          justifyContent: 'center',
+          overflow: 'hidden',
+          flexShrink: 0,
+        }}
+      >
+        {logoUrl ? (
+          <img src={logoUrl} alt={brandName ?? 'Brand logo'} style={{ width: '100%', height: '100%', objectFit: 'contain' }} />
+        ) : (
+          <span style={{ fontSize: 22, fontWeight: 600, color: theme.accent }}>
+            {brandName?.charAt(0).toUpperCase() ?? '?'}
+          </span>
+        )}
+      </div>
+      <div style={{ flex: 1, minWidth: 0 }}>
+        <Label>Brand logo</Label>
+        <div>
+          <label style={{ display: 'inline-block' }}>
+            <input
+              type="file"
+              accept="image/jpeg,image/png,image/webp"
+              onChange={onPick}
+              style={{ display: 'none' }}
+              disabled={upload.isPending}
+            />
+            <span
+              style={{
+                display: 'inline-block',
+                padding: '6px 12px',
+                background: theme.surface2,
+                border: `1px solid ${theme.border}`,
+                borderRadius: theme.radiusSm,
+                fontSize: 13,
+                color: theme.text,
+                cursor: upload.isPending ? 'wait' : 'pointer',
+                opacity: upload.isPending ? 0.6 : 1,
+              }}
+            >
+              {upload.isPending ? 'Uploading…' : logoUrl ? 'Replace logo' : 'Upload logo'}
+            </span>
+          </label>
+        </div>
+        <Hint>PNG, JPEG, or WebP. Max 2 MB. Square images render best in the sidebar (we display ~28×28).</Hint>
+        {error && <div style={{ marginTop: 6, fontSize: 12, color: theme.danger }}>{error}</div>}
+      </div>
+    </div>
+  );
+}
+
 // ---------- danger zone ----------
 
 interface DeletionStatus {
diff --git a/apps/portal/src/pages/creator/CreatorMyProfile.tsx b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
index 147c426..12ca896 100644
--- a/apps/portal/src/pages/creator/CreatorMyProfile.tsx
+++ b/apps/portal/src/pages/creator/CreatorMyProfile.tsx
@@ -142,8 +142,8 @@ export function CreatorMyProfilePage() {
               <Field label="Handle" hint="Used as your default share-link slug and your /creators/<handle> URL.">
                 <Input value={handle} onChange={(e) => setHandle(e.target.value)} placeholder="your-handle" />
               </Field>
-              <Field label="Avatar URL">
-                <Input value={avatarUrl} onChange={(e) => setAvatarUrl(e.target.value)} placeholder="https://…" />
+              <Field label="Avatar">
+                <AvatarUploader value={avatarUrl} onChange={setAvatarUrl} name={name} />
               </Field>
               <Field label="Bio">
                 <Textarea value={bio} onChange={(e) => setBio(e.target.value)} rows={4} />
@@ -245,6 +245,93 @@ function Field({ label, hint, children }: { label: string; hint?: string; childr
   );
 }
 
+function AvatarUploader({ value, onChange, name }: { value: string; onChange: (v: string) => void; name: string }) {
+  const [error, setError] = useState<string | null>(null);
+  const upload = useMutation({
+    mutationFn: (file: File) =>
+      creatorApi<{ avatarUrl: string }>('/creators/me/uploads/avatar', { method: 'POST', body: file }),
+    onSuccess: (r) => {
+      setError(null);
+      onChange(r.avatarUrl);
+    },
+    onError: (err) => setError(err instanceof Error ? err.message : 'upload failed'),
+  });
+
+  const onPick = (e: React.ChangeEvent<HTMLInputElement>) => {
+    const file = e.target.files?.[0];
+    e.target.value = '';
+    if (!file) return;
+    if (file.size > 2 * 1024 * 1024) {
+      setError('Image too large — max 2 MB.');
+      return;
+    }
+    upload.mutate(file);
+  };
+
+  return (
+    <div style={{ display: 'flex', alignItems: 'center', gap: 14 }}>
+      <div
+        style={{
+          width: 64,
+          height: 64,
+          borderRadius: '50%',
+          background: theme.surface,
+          border: `1px solid ${theme.borderSubtle}`,
+          display: 'flex',
+          alignItems: 'center',
+          justifyContent: 'center',
+          overflow: 'hidden',
+          flexShrink: 0,
+        }}
+      >
+        {value ? (
+          <img src={value} alt={name || 'Avatar'} style={{ width: '100%', height: '100%', objectFit: 'cover' }} />
+        ) : (
+          <span style={{ fontSize: 24, fontWeight: 600, color: theme.accent }}>
+            {name?.charAt(0).toUpperCase() || '?'}
+          </span>
+        )}
+      </div>
+      <div style={{ flex: 1 }}>
+        <label>
+          <input
+            type="file"
+            accept="image/jpeg,image/png,image/webp"
+            onChange={onPick}
+            style={{ display: 'none' }}
+            disabled={upload.isPending}
+          />
+          <span
+            style={{
+              display: 'inline-block',
+              padding: '6px 12px',
+              background: theme.surface,
+              border: `1px solid ${theme.border}`,
+              borderRadius: theme.radiusSm,
+              fontSize: 13,
+              color: theme.text,
+              cursor: upload.isPending ? 'wait' : 'pointer',
+              opacity: upload.isPending ? 0.6 : 1,
+            }}
+          >
+            {upload.isPending ? 'Uploading…' : value ? 'Replace' : 'Upload'}
+          </span>
+        </label>
+        {value && (
+          <button
+            onClick={() => onChange('')}
+            style={{ marginLeft: 8, background: 'transparent', border: 'none', color: theme.textMuted, fontSize: 12, cursor: 'pointer' }}
+          >
+            Remove
+          </button>
+        )}
+        <p style={{ fontSize: 12, color: theme.textMuted, margin: '6px 0 0' }}>PNG, JPEG, or WebP. Max 2 MB.</p>
+        {error && <p style={{ fontSize: 12, color: theme.danger, margin: '4px 0 0' }}>{error}</p>}
+      </div>
+    </div>
+  );
+}
+
 function CategoryChips({ selected, onChange }: { selected: string[]; onChange: (v: string[]) => void }) {
   function toggle(c: string) {
     onChange(selected.includes(c) ? selected.filter((x) => x !== c) : [...selected, c]);
diff --git a/apps/portal/src/pages/creator/CreatorShell.tsx b/apps/portal/src/pages/creator/CreatorShell.tsx
index 443ff62..45785f0 100644
--- a/apps/portal/src/pages/creator/CreatorShell.tsx
+++ b/apps/portal/src/pages/creator/CreatorShell.tsx
@@ -146,16 +146,22 @@ function CreatorChip({ creator }: { creator: NonNullable<Whoami['creator']> }) {
           width: 28,
           height: 28,
           borderRadius: '50%',
-          background: theme.accent,
+          background: creator.avatarUrl ? theme.surface : theme.accent,
           color: theme.accentInk,
           display: 'flex',
           alignItems: 'center',
           justifyContent: 'center',
           fontWeight: 600,
           fontSize: 12,
+          overflow: 'hidden',
+          flexShrink: 0,
         }}
       >
-        {creator.name.charAt(0).toUpperCase()}
+        {creator.avatarUrl ? (
+          <img src={creator.avatarUrl} alt={creator.name} style={{ width: '100%', height: '100%', objectFit: 'cover' }} />
+        ) : (
+          creator.name.charAt(0).toUpperCase()
+        )}
       </div>
       <div style={{ minWidth: 0, flex: 1 }}>
         <div style={{ fontSize: 13, fontWeight: 500, whiteSpace: 'nowrap', overflow: 'hidden', textOverflow: 'ellipsis' }}>{creator.name}</div>
diff --git a/apps/portal/src/pages/creator/creator-api.ts b/apps/portal/src/pages/creator/creator-api.ts
index 0a1913f..5bdbff7 100644
--- a/apps/portal/src/pages/creator/creator-api.ts
+++ b/apps/portal/src/pages/creator/creator-api.ts
@@ -18,18 +18,26 @@ export async function creatorApi<T = unknown>(
   init: Omit<RequestInit, 'body'> & { body?: unknown } = {},
 ): Promise<T> {
   const headers = new Headers(init.headers);
-  if (init.body !== undefined && !headers.has('content-type')) {
+  // Blob/File bodies pass through with their own content-type so
+  // upload endpoints work without JSON wrapping.
+  const isBinaryBody = init.body instanceof Blob;
+  if (init.body !== undefined && !isBinaryBody && !headers.has('content-type')) {
     headers.set('content-type', 'application/json');
   }
+  if (isBinaryBody && !headers.has('content-type')) {
+    headers.set('content-type', (init.body as Blob).type || 'application/octet-stream');
+  }
   const res = await fetch(`/api/creator-api${path}`, {
     ...init,
     headers,
     credentials: 'include',
     body: init.body === undefined
       ? undefined
-      : typeof init.body === 'string'
-        ? init.body
-        : JSON.stringify(init.body),
+      : isBinaryBody
+        ? (init.body as Blob)
+        : typeof init.body === 'string'
+          ? init.body
+          : JSON.stringify(init.body),
   });
   if (!res.ok) {
     let detail: unknown = null;
diff --git a/packages/db/migrations/20260608000000_tenant_logo.ts b/packages/db/migrations/20260608000000_tenant_logo.ts
new file mode 100644
index 0000000..8977d5f
--- /dev/null
+++ b/packages/db/migrations/20260608000000_tenant_logo.ts
@@ -0,0 +1,22 @@
+import type { Knex } from 'knex';
+
+/**
+ * Per-tenant brand logo. Stores the public URL emitted by whichever
+ * storage backend POST /uploads/logo wrote the file to (S3-compatible
+ * object store on hosted, local filesystem for self-hosters).
+ *
+ * Nullable — most tenants will start without a logo and the UI falls
+ * back to the textual displayName. No backfill needed.
+ */
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Tenant', (t) => {
+    t.string('logoUrl', 1024).nullable();
+  });
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Tenant', (t) => {
+    t.dropColumn('logoUrl');
+  });
+}
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index dd1fbcc..3bb117a 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -29,6 +29,9 @@ export interface TenantRow {
    *  gate large coupon mints behind a "you've actually wired up the
    *  /coupons/redeem integration" check. Null = never verified. */
   couponIntegrationVerifiedAt: Date | null;
+  /** Public URL for the tenant's brand logo, set via the upload endpoint.
+   *  Null when the brand hasn't uploaded one — UI falls back to text. */
+  logoUrl: string | null;
 }
 
 /** ID of the seeded default tenant — used in single-host mode and during migration backfills. */
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 1204b6c..fe4606a 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -35,6 +35,9 @@ importers:
 
   apps/api:
     dependencies:
+      '@aws-sdk/client-s3':
+        specifier: ^3.665.0
+        version: 3.1039.0
       '@openpartner/db':
         specifier: workspace:*
         version: link:../../packages/db
@@ -243,6 +246,165 @@ packages:
   '@asamuzakjp/nwsapi@2.3.9':
     resolution: {integrity: sha512-n8GuYSrI9bF7FFZ/SjhwevlHc8xaVlb/7HmHelnc/PZXBD2ZR49NnN9sMMuDdEGPeeRQ5d0hqlSlEpgCX3Wl0Q==}
 
+  '@aws-crypto/crc32@5.2.0':
+    resolution: {integrity: sha512-nLbCWqQNgUiwwtFsen1AdzAtvuLRsQS8rYgMuxCrdKf9kOssamGLuPwyTY9wyYblNr9+1XM8v6zoDTPPSIeANg==}
+    engines: {node: '>=16.0.0'}
+
+  '@aws-crypto/crc32c@5.2.0':
+    resolution: {integrity: sha512-+iWb8qaHLYKrNvGRbiYRHSdKRWhto5XlZUEBwDjYNf+ly5SVYG6zEoYIdxvf5R3zyeP16w4PLBn3rH1xc74Rag==}
+
+  '@aws-crypto/sha1-browser@5.2.0':
+    resolution: {integrity: sha512-OH6lveCFfcDjX4dbAvCFSYUjJZjDr/3XJ3xHtjn3Oj5b9RjojQo8npoLeA/bNwkOkrSQ0wgrHzXk4tDRxGKJeg==}
+
+  '@aws-crypto/sha256-browser@5.2.0':
+    resolution: {integrity: sha512-AXfN/lGotSQwu6HNcEsIASo7kWXZ5HYWvfOmSNKDsEqC4OashTp8alTmaz+F7TC2L083SFv5RdB+qU3Vs1kZqw==}
+
+  '@aws-crypto/sha256-js@5.2.0':
+    resolution: {integrity: sha512-FFQQyu7edu4ufvIZ+OadFpHHOt+eSTBaYaki44c+akjg7qZg9oOQeLlk77F6tSYqjDAFClrHJk9tMf0HdVyOvA==}
+    engines: {node: '>=16.0.0'}
+
+  '@aws-crypto/supports-web-crypto@5.2.0':
+    resolution: {integrity: sha512-iAvUotm021kM33eCdNfwIN//F77/IADDSs58i+MDaOqFrVjZo9bAal0NK7HurRuWLLpF1iLX7gbWrjHjeo+YFg==}
+
+  '@aws-crypto/util@5.2.0':
+    resolution: {integrity: sha512-4RkU9EsI6ZpBve5fseQlGNUWKMa1RLPQ1dnjnQoe07ldfIzcsGb5hC5W0Dm7u423KWzawlrpbjXBrXCEv9zazQ==}
+
+  '@aws-sdk/client-s3@3.1039.0':
+    resolution: {integrity: sha512-PVH9v0pHYBQnBADSR/m88NgcuJcYqPXfpmkcME66vRF75Y4swwbEVVFbTBFuvxu0YcZiLFXu3lw0FDK00vEa3A==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/core@3.974.7':
+    resolution: {integrity: sha512-YhRC90ofz5oolTJZlA8voU/oUrCB2azi8Usx51k8hhB5LpWbYQMMXKUqSqkoL0Cru+RQJgWTHpAfEDDIwfUhJw==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/crc64-nvme@3.972.7':
+    resolution: {integrity: sha512-QUagVVBbC8gODCF6e1aV0mE2TXWB9Opz4k8EJFdNrujUVQm5R4AjJa1mpOqzwOuROBzqJU9zawzig7M96L8Ejg==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/credential-provider-env@3.972.33':
+    resolution: {integrity: sha512-bJV7eViSJV6GSuuN+VIdNVPdwPsNSf75BiC2v5alPrjR/OCcqgKwSZInKbDFz9mNeizldsyf67jt6YSIiv53Cw==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/credential-provider-http@3.972.35':
+    resolution: {integrity: sha512-x/BQGEIdq0oI+4WxLjKmnQvT7CnF9r8ezdGt7wXwxb7ckHXQz0Zmgxt8v3Ne0JaT3R5YefmuybHX6E8EnsDXyA==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/credential-provider-ini@3.972.37':
+    resolution: {integrity: sha512-eUTpmWfd/BKsq9medhCRcu+GRAhFP2Zrn7/2jKDHHOOjCkhrMoTp/t4cEthqFoG7gE0VGp5wUxrXTdvBCmSmJg==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/credential-provider-login@3.972.37':
+    resolution: {integrity: sha512-Ty68y8ISSC+g5Q3D0K8uAaoINwvfaOslnNpsF/LgVUxyosYXHawcK2yV4HLXDVugiTTYLQfJfcw0ce5meAGkKw==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/credential-provider-node@3.972.38':
+    resolution: {integrity: sha512-BQ9XYnBDVxR2HuV5huXYQYF/PZMTsY+EnwfGnCU2cA8Zw63XpkOtPY8WqiMIZMQCrKPQQEiFURS/o9CIolRLqg==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/credential-provider-process@3.972.33':
+    resolution: {integrity: sha512-yfjGksI9WQbdMObb0VeLXqzTLI+a0qXLJT9gCDiv0+X/xjPpI3mTz6a5FibrhpuEKIe0gSgvs3MaoFZy5cx4WA==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/credential-provider-sso@3.972.37':
+    resolution: {integrity: sha512-fpwE+20ntpp3i9Xb9vUuQfXLDKYHH+5I2V+ZG96SX1nBzrruhy10RXDgmN7t1etOz3c55stlA3TeQASUA451NQ==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/credential-provider-web-identity@3.972.37':
+    resolution: {integrity: sha512-aryawqyebf+3WhAFNHfF62rekFpYtVcVN7dQ89qnAWsa4n5hJst8qBG6gXC24WHtW7Nnhkf9ScYnjwo0Brn3bw==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/middleware-bucket-endpoint@3.972.10':
+    resolution: {integrity: sha512-Vbc2frZH7wXlMNd+ZZSXUEs/l1Sv8Jj4zUnIfwrYF5lwaLdXHZ9xx4U3rjUcaye3HRhFVc+E5DbBxpRAbB16BA==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/middleware-expect-continue@3.972.10':
+    resolution: {integrity: sha512-2Yn0f1Qiq/DjxYR3wfI3LokXnjOhFM7Ssn4LTdFDIxRMCE6I32MAsVnhPX1cUZsuVA9tiZtwwhlSLAtFGxAZlQ==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/middleware-flexible-checksums@3.974.15':
+    resolution: {integrity: sha512-j4Zp7rA1HfhDTteICnx/tPax4N/v5wmytgguXExUGyEwQ8Ug4EBA4kjp9puFAN1UZoBVpxoiXMiuTFvjaHjeEw==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/middleware-host-header@3.972.10':
+    resolution: {integrity: sha512-IJSsIMeVQ8MMCPbuh1AbltkFhLBLXn7aejzfX5YKT/VLDHn++Dcz8886tXckE+wQssyPUhaXrJhdakO2VilRhg==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/middleware-location-constraint@3.972.10':
+    resolution: {integrity: sha512-rI3NZvJcEvjoD0+0PI0iUAwlPw2IlSlhyvgBK/3WkKJQE/YiKFedd9dMN2lVacdNxPNhxL/jzQaKQdrGtQagjQ==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/middleware-logger@3.972.10':
+    resolution: {integrity: sha512-OOuGvvz1Dm20SjZo5oEBePFqxt5nf8AwkNDSyUHvD9/bfNASmstcYxFAHUowy4n6Io7mWUZ04JURZwSBvyQanQ==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/middleware-recursion-detection@3.972.11':
+    resolution: {integrity: sha512-+zz6f79Kj9V5qFK2P+D8Ehjnw4AhphAlCAsPjUqEcInA9umtSSKMrHbSagEeOIsDNuvVrH98bjRHcyQukTrhaQ==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/middleware-sdk-s3@3.972.36':
+    resolution: {integrity: sha512-YhPix+0x/MdQrb1Ug1GDKeS5fqylIy+naz800asX8II4jqfTk2KY2KhmmYCwZcky8YWtRQQwWCGdoqeAnip8Uw==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/middleware-ssec@3.972.10':
+    resolution: {integrity: sha512-Gli9A0u8EVVb+5bFDGS/QbSVg28w/wpEidg1ggVcSj65BDTdGR6punsOcVjqdiu1i42WHWo51MCvARPIIz9juw==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/middleware-user-agent@3.972.37':
+    resolution: {integrity: sha512-N1oNpdiLoVAWYD3WFBnUi3LlfoDA06ZHo4ozyjbsJNLvILzvt//0CnR8N+CZ0NWeYgVB/5V59ivixHCWCx2ALw==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/nested-clients@3.997.5':
+    resolution: {integrity: sha512-jGFr6DxtcMTmzOkG/a0jCZYv4BBDmeNYVeO+/memSoDkYCJu4Y58xviYmzwJfYyIVSts+X/BVjJm1uGBnwHEMg==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/region-config-resolver@3.972.13':
+    resolution: {integrity: sha512-CvJ2ZIjK/jVD/lbOpowBVElJyC1YxLTIJ13yM0AEo0t2v7swOzGjSA6lJGH+DwZXQhcjUjoYwc8bVYCX5MDr1A==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/signature-v4-multi-region@3.996.24':
+    resolution: {integrity: sha512-amP7tLikppN940wbBFISYqiuzVmpzMS9U3mcgtmVLjX4fdWI/SNCvrXv6ZxfVzTT4cT0rPKOLhFah2xLwzREWw==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/token-providers@3.1039.0':
+    resolution: {integrity: sha512-NMSFL2HwkAOoCeLCQiqoOq5pT3vVbSjww2QZTuYgYknVwhhv125PSDzZIcL5EYnlxuPWjEOdauZK+FspkZDVdw==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/types@3.973.8':
+    resolution: {integrity: sha512-gjlAdtHMbtR9X5iIhVUvbVcy55KnznpC6bkDUWW9z915bi0ckdUr5cjf16Kp6xq0bP5HBD2xzgbL9F9Quv5vUw==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/util-arn-parser@3.972.3':
+    resolution: {integrity: sha512-HzSD8PMFrvgi2Kserxuff5VitNq2sgf3w9qxmskKDiDTThWfVteJxuCS9JXiPIPtmCrp+7N9asfIaVhBFORllA==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/util-endpoints@3.996.8':
+    resolution: {integrity: sha512-oOZHcRDihk5iEe5V25NVWg45b3qEA8OpHWVdU/XQh8Zj4heVPAJqWvMphQnU7LkufmUo10EpvFPZuQMiFLJK3g==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/util-locate-window@3.965.5':
+    resolution: {integrity: sha512-WhlJNNINQB+9qtLtZJcpQdgZw3SCDCpXdUJP7cToGwHbCWCnRckGlc6Bx/OhWwIYFNAn+FIydY8SZ0QmVu3xTQ==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws-sdk/util-user-agent-browser@3.972.10':
+    resolution: {integrity: sha512-FAzqXvfEssGdSIz8ejatan0bOdx1qefBWKF/gWmVBXIP1HkS7v/wjjaqrAGGKvyihrXTXW00/2/1nTJtxpXz7g==}
+
+  '@aws-sdk/util-user-agent-node@3.973.23':
+    resolution: {integrity: sha512-gGwq8L2Euw0aNG6Ey4EktiAo3fSCVoDy1CaBIthd+oeaKHPXUrNaApMewQ6La5Hv0lcznOtECZaNvYyc5LXXfA==}
+    engines: {node: '>=20.0.0'}
+    peerDependencies:
+      aws-crt: '>=1.0.0'
+    peerDependenciesMeta:
+      aws-crt:
+        optional: true
+
+  '@aws-sdk/xml-builder@3.972.22':
+    resolution: {integrity: sha512-PMYKKtJd70IsSG0yHrdAbxBr+ZWBKLvzFZfD3/urxgf6hXVMzuU5M+3MJ5G67RpOmLBu1fAUN65SbWuKUCOlAA==}
+    engines: {node: '>=20.0.0'}
+
+  '@aws/lambda-invoke-store@0.2.4':
+    resolution: {integrity: sha512-iY8yvjE0y651BixKNPgmv1WrQc+GZ142sb0z4gYnChDDY2YqI4P/jsSopBWrKfAt7LOJAkOXt7rC/hms+WclQQ==}
+    engines: {node: '>=18.0.0'}
+
   '@babel/code-frame@7.29.0':
     resolution: {integrity: sha512-9NhCeYjq9+3uxgdtp20LSiJXJvN0FeCtNGpJxuMFZ1Kv3cWUNb6DOhJwUvcVCzKGR66cw4njwM6hrJLqgOwbcw==}
     engines: {node: '>=6.9.0'}
@@ -757,6 +919,9 @@ packages:
     resolution: {integrity: sha512-jCs9ldd7NwzpgXDIf6P3+NrHh9/sD6CQdxHyjQI+h/6rDNo88ypBxxz45UDuZHz9r3tNz7N/VInSVoVdtXEI4A==}
     engines: {node: ^14.21.3 || >=16}
 
+  '@nodable/entities@2.1.0':
+    resolution: {integrity: sha512-nyT7T3nbMyBI/lvr6L5TyWbFJAI9FTgVRakNoBqCD+PmID8DzFrrNdLLtHMwMszOtqZa8PAOV24ZqDnQrhQINA==}
+
   '@paralleldrive/cuid2@2.3.1':
     resolution: {integrity: sha512-XO7cAxhnTZl0Yggq6jOgjiOHhbgcO4NqFqwSmQpjK3b6TEE6Uj/jfSk6wzYyemh3+I0sHirKSetjQwn5cZktFw==}
 
@@ -898,6 +1063,218 @@ packages:
   '@sinclair/typebox@0.27.10':
     resolution: {integrity: sha512-MTBk/3jGLNB2tVxv6uLlFh1iu64iYOQ2PbdOSK3NW8JZsmlaOh2q6sdtKowBhfw8QFLmYNzTW4/oK4uATIi6ZA==}
 
+  '@smithy/chunked-blob-reader-native@4.2.3':
+    resolution: {integrity: sha512-jA5k5Udn7Y5717L86h4EIv06wIr3xn8GM1qHRi/Nf31annXcXHJjBKvgztnbn2TxH3xWrPBfgwHsOwZf0UmQWw==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/chunked-blob-reader@5.2.2':
+    resolution: {integrity: sha512-St+kVicSyayWQca+I1rGitaOEH6uKgE8IUWoYnnEX26SWdWQcL6LvMSD19Lg+vYHKdT9B2Zuu7rd3i6Wnyb/iw==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/config-resolver@4.4.17':
+    resolution: {integrity: sha512-TzDZcAnhTyAHbXVxWZo7/tEcrIeFq20IBk8So3OLOetWpR8EwY/yEqBMBFaJMeyEiREDq4NfEl+qO3OAUD+vbQ==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/core@3.23.17':
+    resolution: {integrity: sha512-x7BlLbUFL8NWCGjMF9C+1N5cVCxcPa7g6Tv9B4A2luWx3be3oU8hQ96wIwxe/s7OhIzvoJH73HAUSg5JXVlEtQ==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/credential-provider-imds@4.2.14':
+    resolution: {integrity: sha512-Au28zBN48ZAoXdooGUHemuVBrkE+Ie6RPmGNIAJsFqj33Vhb6xAgRifUydZ2aY+M+KaMAETAlKk5NC5h1G7wpg==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/eventstream-codec@4.2.14':
+    resolution: {integrity: sha512-erZq0nOIpzfeZdCyzZjdJb4nVSKLUmSkaQUVkRGQTXs30gyUGeKnrYEg+Xe1W5gE3aReS7IgsvANwVPxSzY6Pw==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/eventstream-serde-browser@4.2.14':
+    resolution: {integrity: sha512-8IelTCtTctWRbb+0Dcy+C0aICh1qa0qWXqgjcXDmMuCvPJRnv26hiDZoAau2ILOniki65mCPKqOQs/BaWvO4CQ==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/eventstream-serde-config-resolver@4.3.14':
+    resolution: {integrity: sha512-sqHiHpYRYo3FJlaIxD1J8PhbcmJAm7IuM16mVnwSkCToD7g00IBZzKuiLNMGmftULmEUX6/UAz8/NN5uMP8bVA==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/eventstream-serde-node@4.2.14':
+    resolution: {integrity: sha512-Ht/8BuGlKfFTy0H3+8eEu0vdpwGztCnaLLXtpXNdQqiR7Hj4vFScU3T436vRAjATglOIPjJXronY+1WxxNLSiw==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/eventstream-serde-universal@4.2.14':
+    resolution: {integrity: sha512-lWyt4T2XQZUZgK3tQ3Wn0w3XBvZsK/vjTuJl6bXbnGZBHH0ZUSONTYiK9TgjTTzU54xQr3DRFwpjmhp0oLm3gg==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/fetch-http-handler@5.3.17':
+    resolution: {integrity: sha512-bXOvQzaSm6MnmLaWA1elgfQcAtN4UP3vXqV97bHuoOrHQOJiLT3ds6o9eo5bqd0TJfRFpzdGnDQdW3FACiAVdw==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/hash-blob-browser@4.2.15':
+    resolution: {integrity: sha512-0PJ4Al3fg2nM4qKrAIxyNcApgqHAXcBkN8FeizOz69z0rb26uZ6lMESYtxegaTlXB5Hj84JfwMPavMrwDMjucA==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/hash-node@4.2.14':
+    resolution: {integrity: sha512-8ZBDY2DD4wr+GGjTpPtiglEsqr0lUP+KHqgZcWczFf6qeZ/YRjMIOoQWVQlmwu7EtxKTd8YXD8lblmYcpBIA1g==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/hash-stream-node@4.2.14':
+    resolution: {integrity: sha512-tw4GANWkZPb6+BdD4Fgucqzey2+r73Z/GRo9zklsCdwrnxxumUV83ZIaBDdudV4Ylazw3EPTiJZhpX42105ruQ==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/invalid-dependency@4.2.14':
+    resolution: {integrity: sha512-c21qJiTSb25xvvOp+H2TNZzPCngrvl5vIPqPB8zQ/DmJF4QWXO19x1dWfMJZ6wZuuWUPPm0gV8C0cU3+ifcWuw==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/is-array-buffer@2.2.0':
+    resolution: {integrity: sha512-GGP3O9QFD24uGeAXYUjwSTXARoqpZykHadOmA8G5vfJPK0/DC67qa//0qvqrJzL1xc8WQWX7/yc7fwudjPHPhA==}
+    engines: {node: '>=14.0.0'}
+
+  '@smithy/is-array-buffer@4.2.2':
+    resolution: {integrity: sha512-n6rQ4N8Jj4YTQO3YFrlgZuwKodf4zUFs7EJIWH86pSCWBaAtAGBFfCM7Wx6D2bBJ2xqFNxGBSrUWswT3M0VJow==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/md5-js@4.2.14':
+    resolution: {integrity: sha512-V2v0vx+h0iUSNG1Alt+GNBMSLGCrl9iVsdd+Ap67HPM9PN479x12V8LkuMoKImNZxn3MXeuyUjls+/7ZACZghA==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/middleware-content-length@4.2.14':
+    resolution: {integrity: sha512-xhHq7fX4/3lv5NHxLUk3OeEvl0xZ+Ek3qIbWaCL4f9JwgDZEclPBElljaZCAItdGPQl/kSM4LPMOpy1MYgprpw==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/middleware-endpoint@4.4.32':
+    resolution: {integrity: sha512-ZZkgyjnJppiZbIm6Qbx92pbXYi1uzenIvGhBSCDlc7NwuAkiqSgS75j1czAD25ZLs2FjMjYy1q7gyRVWG6JA0Q==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/middleware-retry@4.5.7':
+    resolution: {integrity: sha512-bRt6ZImqVSeTk39Nm81K20ObIiAZ3WefY7G6+iz/0tZjs4dgRRjvRX2sgsH+zi6iDCRR/aQvQofLKxxz4rPBZg==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/middleware-serde@4.2.20':
+    resolution: {integrity: sha512-Lx9JMO9vArPtiChE3wbEZ5akMIDQpWQtlu90lhACQmNOXcGXRbaDywMHDzuDZ2OkZzP+9wQfZi3YJT9F67zTQQ==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/middleware-stack@4.2.14':
+    resolution: {integrity: sha512-2dvkUKLuFdKsCRmOE4Mn63co0Djtsm+JMh0bYZQupN1pJwMeE8FmQmRLLzzEMN0dnNi7CDCYYH8F0EVwWiPBeA==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/node-config-provider@4.3.14':
+    resolution: {integrity: sha512-S+gFjyo/weSVL0P1b9Ts8C/CwIfNCgUPikk3sl6QVsfE/uUuO+QsF+NsE/JkpvWqqyz1wg7HFdiaZuj5CoBMRg==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/node-http-handler@4.6.1':
+    resolution: {integrity: sha512-iB+orM4x3xrr57X3YaXazfKnntl0LHlZB1kcXSGzMV1Tt0+YwEjGlbjk/44qEGtBzXAz6yFDzkYTKSV6Pj2HUg==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/property-provider@4.2.14':
+    resolution: {integrity: sha512-WuM31CgfsnQ/10i7NYr0PyxqknD72Y5uMfUMVSniPjbEPceiTErb4eIqJQ+pdxNEAUEWrewrGjIRjVbVHsxZiQ==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/protocol-http@5.3.14':
+    resolution: {integrity: sha512-dN5F8kHx8RNU0r+pCwNmFZyz6ChjMkzShy/zup6MtkRmmix4vZzJdW+di7x//b1LiynIev88FM18ie+wwPcQtQ==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/querystring-builder@4.2.14':
+    resolution: {integrity: sha512-XYA5Z0IqTeF+5XDdh4BBmSA0HvbgVZIyv4cmOoUheDNR57K1HgBp9ukUMx3Cr3XpDHHpLBnexPE3LAtDsZkj2A==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/querystring-parser@4.2.14':
+    resolution: {integrity: sha512-hr+YyqBD23GVvRxGGrcc/oOeNlK3PzT5Fu4dzrDXxzS1LpFiuL2PQQqKPs87M79aW7ziMs+nvB3qdw77SqE7Lw==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/service-error-classification@4.3.1':
+    resolution: {integrity: sha512-aUQuDGh760ts/8MU+APjIZhlLPKhIIfqyzZaJikLEIMrdxFvxuLYD0WxWzaYWpmLbQlXDe9p7EWM3HsBe0K6Gw==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/shared-ini-file-loader@4.4.9':
+    resolution: {integrity: sha512-495/V2I15SHgedSJoDPD23JuSfKAp726ZI1V0wtjB07Wh7q/0tri/0e0DLefZCHgxZonrGKt/OCTpAtP1wE1kQ==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/signature-v4@5.3.14':
+    resolution: {integrity: sha512-1D9Y/nmlVjCeSivCbhZ7hgEpmHyY1h0GvpSZt3l0xcD9JjmjVC1CHOozS6+Gh+/ldMH8JuJ6cujObQqfayAVFA==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/smithy-client@4.12.13':
+    resolution: {integrity: sha512-y/Pcj1V9+qG98gyu1gvftHB7rDpdh+7kIBIggs55yGm3JdtBV8GT8IFF3a1qxZ79QnaJHX9GXzvBG6tAd+czJA==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/types@4.14.1':
+    resolution: {integrity: sha512-59b5HtSVrVR/eYNei3BUj3DCPKD/G7EtDDe7OEJE7i7FtQFugYo6MxbotS8mVJkLNVf8gYaAlEBwwtJ9HzhWSg==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/url-parser@4.2.14':
+    resolution: {integrity: sha512-p06BiBigJ8bTA3MgnOfCtDUWnAMY0YfedO/GRpmc7p+wg3KW8vbXy1xwSu5ASy0wV7rRYtlfZOIKH4XqfhjSQQ==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-base64@4.3.2':
+    resolution: {integrity: sha512-XRH6b0H/5A3SgblmMa5ErXQ2XKhfbQB+Fm/oyLZ2O2kCUrwgg55bU0RekmzAhuwOjA9qdN5VU2BprOvGGUkOOQ==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-body-length-browser@4.2.2':
+    resolution: {integrity: sha512-JKCrLNOup3OOgmzeaKQwi4ZCTWlYR5H4Gm1r2uTMVBXoemo1UEghk5vtMi1xSu2ymgKVGW631e2fp9/R610ZjQ==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-body-length-node@4.2.3':
+    resolution: {integrity: sha512-ZkJGvqBzMHVHE7r/hcuCxlTY8pQr1kMtdsVPs7ex4mMU+EAbcXppfo5NmyxMYi2XU49eqaz56j2gsk4dHHPG/g==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-buffer-from@2.2.0':
+    resolution: {integrity: sha512-IJdWBbTcMQ6DA0gdNhh/BwrLkDR+ADW5Kr1aZmd4k3DIF6ezMV4R2NIAmT08wQJ3yUK82thHWmC/TnK/wpMMIA==}
+    engines: {node: '>=14.0.0'}
+
+  '@smithy/util-buffer-from@4.2.2':
+    resolution: {integrity: sha512-FDXD7cvUoFWwN6vtQfEta540Y/YBe5JneK3SoZg9bThSoOAC/eGeYEua6RkBgKjGa/sz6Y+DuBZj3+YEY21y4Q==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-config-provider@4.2.2':
+    resolution: {integrity: sha512-dWU03V3XUprJwaUIFVv4iOnS1FC9HnMHDfUrlNDSh4315v0cWyaIErP8KiqGVbf5z+JupoVpNM7ZB3jFiTejvQ==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-defaults-mode-browser@4.3.49':
+    resolution: {integrity: sha512-a5bNrdiONYB/qE2BuKegvUMd/+ZDwdg4vsNuuSzYE8qs2EYAdK9CynL+Rzn29PbPiUqoz/cbpRbcLzD5lEevHw==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-defaults-mode-node@4.2.54':
+    resolution: {integrity: sha512-g1cvrJvOnzeJgEdf7AE4luI7gp6L8weE0y9a9wQUSGtjb8QRHDbCJYuE4Sy0SD9N8RrnNPFsPltAz/OSoBR9Zw==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-endpoints@3.4.2':
+    resolution: {integrity: sha512-a55Tr+3OKld4TTtnT+RhKOQHyPxm3j/xL4OR83WBUhLJaKDS9dnJ7arRMOp3t31dcLhApwG9bgvrRXBHlLdIkg==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-hex-encoding@4.2.2':
+    resolution: {integrity: sha512-Qcz3W5vuHK4sLQdyT93k/rfrUwdJ8/HZ+nMUOyGdpeGA1Wxt65zYwi3oEl9kOM+RswvYq90fzkNDahPS8K0OIg==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-middleware@4.2.14':
+    resolution: {integrity: sha512-1Su2vj9RYNDEv/V+2E+jXkkwGsgR7dc4sfHn9Z7ruzQHJIEni9zzw5CauvRXlFJfmgcqYP8fWa0dkh2Q2YaQyw==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-retry@4.3.6':
+    resolution: {integrity: sha512-p6/FO1n2KxMeQyna067i0uJ6TSbb165ZhnRtCpWh4Foxqbfc6oW+XITaL8QkFJj3KFnDe2URt4gOhgU06EP9ew==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-stream@4.5.25':
+    resolution: {integrity: sha512-/PFpG4k8Ze8Ei+mMKj3oiPICYekthuzePZMgZbCqMiXIHHf4n2aZ4Ps0aSRShycFTGuj/J6XldmC0x0DwednIA==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-uri-escape@4.2.2':
+    resolution: {integrity: sha512-2kAStBlvq+lTXHyAZYfJRb/DfS3rsinLiwb+69SstC9Vb0s9vNWkRwpnj918Pfi85mzi42sOqdV72OLxWAISnw==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-utf8@2.3.0':
+    resolution: {integrity: sha512-R8Rdn8Hy72KKcebgLiv8jQcQkXoLMOGGv5uI1/k0l+snqkOzQ1R0ChUBCxWMlBsFMekWjq0wRudIweFs7sKT5A==}
+    engines: {node: '>=14.0.0'}
+
+  '@smithy/util-utf8@4.2.2':
+    resolution: {integrity: sha512-75MeYpjdWRe8M5E3AW0O4Cx3UadweS+cwdXjwYGBW5h/gxxnbeZ877sLPX/ZJA9GVTlL/qG0dXP29JWFCD1Ayw==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/util-waiter@4.3.0':
+    resolution: {integrity: sha512-JyjYmLAfS+pdxF92o4yLgEoy0zhayKTw73FU1aofLWwLcJw7iSqIY2exGmMTrl/lmZugP5p/zxdFSippJDfKWA==}
+    engines: {node: '>=18.0.0'}
+
+  '@smithy/uuid@1.1.2':
+    resolution: {integrity: sha512-O/IEdcCUKkubz60tFbGA7ceITTAJsty+lBjNoorP4Z6XRqaFb/OjQjZODophEcuq68nKm6/0r+6/lLQ+XVpk8g==}
+    engines: {node: '>=18.0.0'}
+
   '@tanstack/query-core@5.100.1':
     resolution: {integrity: sha512-awvQhOO/2TrSCHE5LKKsXcvvj6WSBncwEcMFCB/ez0Qs0b17iyyivoGArNV3HFfXryZwCpnb/olsaBBKrIbtSw==}
 
@@ -1154,6 +1531,9 @@ packages:
     resolution: {integrity: sha512-ZTgYYLMOXY9qKU/57FAo8F+HA2dGX7bqGc71txDRC1rS4frdFI5R7NhluHxH6M0YItAP0sHB4uqAOcYKxO6uGA==}
     engines: {node: '>= 0.8', npm: 1.2.8000 || >= 1.4.16}
 
+  bowser@2.14.1:
+    resolution: {integrity: sha512-tzPjzCxygAKWFOJP011oxFHs57HzIhOEracIgAePE4pqB3LikALKnSzUyU4MGs9/iCEUuHlAJTjTc5M+u7YEGg==}
+
   brace-expansion@1.1.14:
     resolution: {integrity: sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==}
 
@@ -1517,6 +1897,13 @@ packages:
   fast-safe-stringify@2.1.1:
     resolution: {integrity: sha512-W+KJc2dmILlPplD/H4K9l9LcAHAfPtP6BY84uVLXQ6Evcz9Lcg33Y2z1IVblT6xdY54PXYVHEv+0Wpq8Io6zkA==}
 
+  fast-xml-builder@1.1.5:
+    resolution: {integrity: sha512-4TJn/8FKLeslLAH3dnohXqE3QSoxkhvaMzepOIZytwJXZO69Bfz0HBdDHzOTOon6G59Zrk6VQ2bEiv1t61rfkA==}
+
+  fast-xml-parser@5.7.2:
+    resolution: {integrity: sha512-P7oW7tLbYnhOLQk/Gv7cZgzgMPP/XN03K02/Jy6Y/NHzyIAIpxuZIM/YqAkfiXFPxA2CTm7NtCijK9EDu09u2w==}
+    hasBin: true
+
   fdir@6.5.0:
     resolution: {integrity: sha512-tIbYtZbucOs0BRGqPJkshJUYdL+SDH7dVM8gjy+ERp3WAUjLEFJE+02kanyHtwjWOnwrKYBiwAmM0p4kLJAnXg==}
     engines: {node: '>=12.0.0'}
@@ -1984,6 +2371,10 @@ packages:
     resolution: {integrity: sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==}
     engines: {node: '>=8'}
 
+  path-expression-matcher@1.5.0:
+    resolution: {integrity: sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==}
+    engines: {node: '>=14.0.0'}
+
   path-key@3.1.1:
     resolution: {integrity: sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==}
     engines: {node: '>=8'}
@@ -2353,6 +2744,9 @@ packages:
       '@types/node':
         optional: true
 
+  strnum@2.2.3:
+    resolution: {integrity: sha512-oKx6RUCuHfT3oyVjtnrmn19H1SiCqgJSg+54XqURKp5aCMbrXrhLjRN9TjuwMjiYstZ0MzDrHqkGZ5dFTKd+zg==}
+
   sucrase@3.35.1:
     resolution: {integrity: sha512-DhuTmvZWux4H1UOnWMB3sk0sbaCVOoQZjv8u1rDoTV0HTdGem9hkAZtl4JZy8P2z4Bg0nT+YMeOFyVr4zcG5Tw==}
     engines: {node: '>=16 || 14 >=14.17'}
@@ -2448,6 +2842,9 @@ packages:
   ts-interface-checker@0.1.13:
     resolution: {integrity: sha512-Y/arvbn+rrz3JCKl9C4kVNfTfSm2/mEp5FSz5EsZSANGPSlQrpRI5M4PKF+mJnE52jOO90PnPSc3Ur3bTQw0gA==}
 
+  tslib@2.8.1:
+    resolution: {integrity: sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==}
+
   tsup@8.5.1:
     resolution: {integrity: sha512-xtgkqwdhpKWr3tKPmCkvYmS9xnQK3m3XgxZHwSUjvfTjp7YfXe5tT3GgWi0F2N+ZSMsOeWeZFh7ZZFg5iPhing==}
     engines: {node: '>=18'}
@@ -2678,6 +3075,453 @@ snapshots:
 
   '@asamuzakjp/nwsapi@2.3.9': {}
 
+  '@aws-crypto/crc32@5.2.0':
+    dependencies:
+      '@aws-crypto/util': 5.2.0
+      '@aws-sdk/types': 3.973.8
+      tslib: 2.8.1
+
+  '@aws-crypto/crc32c@5.2.0':
+    dependencies:
+      '@aws-crypto/util': 5.2.0
+      '@aws-sdk/types': 3.973.8
+      tslib: 2.8.1
+
+  '@aws-crypto/sha1-browser@5.2.0':
+    dependencies:
+      '@aws-crypto/supports-web-crypto': 5.2.0
+      '@aws-crypto/util': 5.2.0
+      '@aws-sdk/types': 3.973.8
+      '@aws-sdk/util-locate-window': 3.965.5
+      '@smithy/util-utf8': 2.3.0
+      tslib: 2.8.1
+
+  '@aws-crypto/sha256-browser@5.2.0':
+    dependencies:
+      '@aws-crypto/sha256-js': 5.2.0
+      '@aws-crypto/supports-web-crypto': 5.2.0
+      '@aws-crypto/util': 5.2.0
+      '@aws-sdk/types': 3.973.8
+      '@aws-sdk/util-locate-window': 3.965.5
+      '@smithy/util-utf8': 2.3.0
+      tslib: 2.8.1
+
+  '@aws-crypto/sha256-js@5.2.0':
+    dependencies:
+      '@aws-crypto/util': 5.2.0
+      '@aws-sdk/types': 3.973.8
+      tslib: 2.8.1
+
+  '@aws-crypto/supports-web-crypto@5.2.0':
+    dependencies:
+      tslib: 2.8.1
+
+  '@aws-crypto/util@5.2.0':
+    dependencies:
+      '@aws-sdk/types': 3.973.8
+      '@smithy/util-utf8': 2.3.0
+      tslib: 2.8.1
+
+  '@aws-sdk/client-s3@3.1039.0':
+    dependencies:
+      '@aws-crypto/sha1-browser': 5.2.0
+      '@aws-crypto/sha256-browser': 5.2.0
+      '@aws-crypto/sha256-js': 5.2.0
+      '@aws-sdk/core': 3.974.7
+      '@aws-sdk/credential-provider-node': 3.972.38
+      '@aws-sdk/middleware-bucket-endpoint': 3.972.10
+      '@aws-sdk/middleware-expect-continue': 3.972.10
+      '@aws-sdk/middleware-flexible-checksums': 3.974.15
+      '@aws-sdk/middleware-host-header': 3.972.10
+      '@aws-sdk/middleware-location-constraint': 3.972.10
+      '@aws-sdk/middleware-logger': 3.972.10
+      '@aws-sdk/middleware-recursion-detection': 3.972.11
+      '@aws-sdk/middleware-sdk-s3': 3.972.36
+      '@aws-sdk/middleware-ssec': 3.972.10
+      '@aws-sdk/middleware-user-agent': 3.972.37
+      '@aws-sdk/region-config-resolver': 3.972.13
+      '@aws-sdk/signature-v4-multi-region': 3.996.24
+      '@aws-sdk/types': 3.973.8
+      '@aws-sdk/util-endpoints': 3.996.8
+      '@aws-sdk/util-user-agent-browser': 3.972.10
+      '@aws-sdk/util-user-agent-node': 3.973.23
+      '@smithy/config-resolver': 4.4.17
+      '@smithy/core': 3.23.17
+      '@smithy/eventstream-serde-browser': 4.2.14
+      '@smithy/eventstream-serde-config-resolver': 4.3.14
+      '@smithy/eventstream-serde-node': 4.2.14
+      '@smithy/fetch-http-handler': 5.3.17
+      '@smithy/hash-blob-browser': 4.2.15
+      '@smithy/hash-node': 4.2.14
+      '@smithy/hash-stream-node': 4.2.14
+      '@smithy/invalid-dependency': 4.2.14
+      '@smithy/md5-js': 4.2.14
+      '@smithy/middleware-content-length': 4.2.14
+      '@smithy/middleware-endpoint': 4.4.32
+      '@smithy/middleware-retry': 4.5.7
+      '@smithy/middleware-serde': 4.2.20
+      '@smithy/middleware-stack': 4.2.14
+      '@smithy/node-config-provider': 4.3.14
+      '@smithy/node-http-handler': 4.6.1
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/smithy-client': 4.12.13
+      '@smithy/types': 4.14.1
+      '@smithy/url-parser': 4.2.14
+      '@smithy/util-base64': 4.3.2
+      '@smithy/util-body-length-browser': 4.2.2
+      '@smithy/util-body-length-node': 4.2.3
+      '@smithy/util-defaults-mode-browser': 4.3.49
+      '@smithy/util-defaults-mode-node': 4.2.54
+      '@smithy/util-endpoints': 3.4.2
+      '@smithy/util-middleware': 4.2.14
+      '@smithy/util-retry': 4.3.6
+      '@smithy/util-stream': 4.5.25
+      '@smithy/util-utf8': 4.2.2
+      '@smithy/util-waiter': 4.3.0
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
+  '@aws-sdk/core@3.974.7':
+    dependencies:
+      '@aws-sdk/types': 3.973.8
+      '@aws-sdk/xml-builder': 3.972.22
+      '@smithy/core': 3.23.17
+      '@smithy/node-config-provider': 4.3.14
+      '@smithy/property-provider': 4.2.14
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/signature-v4': 5.3.14
+      '@smithy/smithy-client': 4.12.13
+      '@smithy/types': 4.14.1
+      '@smithy/util-base64': 4.3.2
+      '@smithy/util-middleware': 4.2.14
+      '@smithy/util-retry': 4.3.6
+      '@smithy/util-utf8': 4.2.2
+      tslib: 2.8.1
+
+  '@aws-sdk/crc64-nvme@3.972.7':
+    dependencies:
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@aws-sdk/credential-provider-env@3.972.33':
+    dependencies:
+      '@aws-sdk/core': 3.974.7
+      '@aws-sdk/types': 3.973.8
+      '@smithy/property-provider': 4.2.14
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@aws-sdk/credential-provider-http@3.972.35':
+    dependencies:
+      '@aws-sdk/core': 3.974.7
+      '@aws-sdk/types': 3.973.8
+      '@smithy/fetch-http-handler': 5.3.17
+      '@smithy/node-http-handler': 4.6.1
+      '@smithy/property-provider': 4.2.14
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/smithy-client': 4.12.13
+      '@smithy/types': 4.14.1
+      '@smithy/util-stream': 4.5.25
+      tslib: 2.8.1
+
+  '@aws-sdk/credential-provider-ini@3.972.37':
+    dependencies:
+      '@aws-sdk/core': 3.974.7
+      '@aws-sdk/credential-provider-env': 3.972.33
+      '@aws-sdk/credential-provider-http': 3.972.35
+      '@aws-sdk/credential-provider-login': 3.972.37
+      '@aws-sdk/credential-provider-process': 3.972.33
+      '@aws-sdk/credential-provider-sso': 3.972.37
+      '@aws-sdk/credential-provider-web-identity': 3.972.37
+      '@aws-sdk/nested-clients': 3.997.5
+      '@aws-sdk/types': 3.973.8
+      '@smithy/credential-provider-imds': 4.2.14
+      '@smithy/property-provider': 4.2.14
+      '@smithy/shared-ini-file-loader': 4.4.9
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
+  '@aws-sdk/credential-provider-login@3.972.37':
+    dependencies:
+      '@aws-sdk/core': 3.974.7
+      '@aws-sdk/nested-clients': 3.997.5
+      '@aws-sdk/types': 3.973.8
+      '@smithy/property-provider': 4.2.14
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/shared-ini-file-loader': 4.4.9
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
+  '@aws-sdk/credential-provider-node@3.972.38':
+    dependencies:
+      '@aws-sdk/credential-provider-env': 3.972.33
+      '@aws-sdk/credential-provider-http': 3.972.35
+      '@aws-sdk/credential-provider-ini': 3.972.37
+      '@aws-sdk/credential-provider-process': 3.972.33
+      '@aws-sdk/credential-provider-sso': 3.972.37
+      '@aws-sdk/credential-provider-web-identity': 3.972.37
+      '@aws-sdk/types': 3.973.8
+      '@smithy/credential-provider-imds': 4.2.14
+      '@smithy/property-provider': 4.2.14
+      '@smithy/shared-ini-file-loader': 4.4.9
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
+  '@aws-sdk/credential-provider-process@3.972.33':
+    dependencies:
+      '@aws-sdk/core': 3.974.7
+      '@aws-sdk/types': 3.973.8
+      '@smithy/property-provider': 4.2.14
+      '@smithy/shared-ini-file-loader': 4.4.9
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@aws-sdk/credential-provider-sso@3.972.37':
+    dependencies:
+      '@aws-sdk/core': 3.974.7
+      '@aws-sdk/nested-clients': 3.997.5
+      '@aws-sdk/token-providers': 3.1039.0
+      '@aws-sdk/types': 3.973.8
+      '@smithy/property-provider': 4.2.14
+      '@smithy/shared-ini-file-loader': 4.4.9
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
+  '@aws-sdk/credential-provider-web-identity@3.972.37':
+    dependencies:
+      '@aws-sdk/core': 3.974.7
+      '@aws-sdk/nested-clients': 3.997.5
+      '@aws-sdk/types': 3.973.8
+      '@smithy/property-provider': 4.2.14
+      '@smithy/shared-ini-file-loader': 4.4.9
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
+  '@aws-sdk/middleware-bucket-endpoint@3.972.10':
+    dependencies:
+      '@aws-sdk/types': 3.973.8
+      '@aws-sdk/util-arn-parser': 3.972.3
+      '@smithy/node-config-provider': 4.3.14
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/types': 4.14.1
+      '@smithy/util-config-provider': 4.2.2
+      tslib: 2.8.1
+
+  '@aws-sdk/middleware-expect-continue@3.972.10':
+    dependencies:
+      '@aws-sdk/types': 3.973.8
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@aws-sdk/middleware-flexible-checksums@3.974.15':
+    dependencies:
+      '@aws-crypto/crc32': 5.2.0
+      '@aws-crypto/crc32c': 5.2.0
+      '@aws-crypto/util': 5.2.0
+      '@aws-sdk/core': 3.974.7
+      '@aws-sdk/crc64-nvme': 3.972.7
+      '@aws-sdk/types': 3.973.8
+      '@smithy/is-array-buffer': 4.2.2
+      '@smithy/node-config-provider': 4.3.14
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/types': 4.14.1
+      '@smithy/util-middleware': 4.2.14
+      '@smithy/util-stream': 4.5.25
+      '@smithy/util-utf8': 4.2.2
+      tslib: 2.8.1
+
+  '@aws-sdk/middleware-host-header@3.972.10':
+    dependencies:
+      '@aws-sdk/types': 3.973.8
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@aws-sdk/middleware-location-constraint@3.972.10':
+    dependencies:
+      '@aws-sdk/types': 3.973.8
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@aws-sdk/middleware-logger@3.972.10':
+    dependencies:
+      '@aws-sdk/types': 3.973.8
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@aws-sdk/middleware-recursion-detection@3.972.11':
+    dependencies:
+      '@aws-sdk/types': 3.973.8
+      '@aws/lambda-invoke-store': 0.2.4
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@aws-sdk/middleware-sdk-s3@3.972.36':
+    dependencies:
+      '@aws-sdk/core': 3.974.7
+      '@aws-sdk/types': 3.973.8
+      '@aws-sdk/util-arn-parser': 3.972.3
+      '@smithy/core': 3.23.17
+      '@smithy/node-config-provider': 4.3.14
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/signature-v4': 5.3.14
+      '@smithy/smithy-client': 4.12.13
+      '@smithy/types': 4.14.1
+      '@smithy/util-config-provider': 4.2.2
+      '@smithy/util-middleware': 4.2.14
+      '@smithy/util-stream': 4.5.25
+      '@smithy/util-utf8': 4.2.2
+      tslib: 2.8.1
+
+  '@aws-sdk/middleware-ssec@3.972.10':
+    dependencies:
+      '@aws-sdk/types': 3.973.8
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@aws-sdk/middleware-user-agent@3.972.37':
+    dependencies:
+      '@aws-sdk/core': 3.974.7
+      '@aws-sdk/types': 3.973.8
+      '@aws-sdk/util-endpoints': 3.996.8
+      '@smithy/core': 3.23.17
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/types': 4.14.1
+      '@smithy/util-retry': 4.3.6
+      tslib: 2.8.1
+
+  '@aws-sdk/nested-clients@3.997.5':
+    dependencies:
+      '@aws-crypto/sha256-browser': 5.2.0
+      '@aws-crypto/sha256-js': 5.2.0
+      '@aws-sdk/core': 3.974.7
+      '@aws-sdk/middleware-host-header': 3.972.10
+      '@aws-sdk/middleware-logger': 3.972.10
+      '@aws-sdk/middleware-recursion-detection': 3.972.11
+      '@aws-sdk/middleware-user-agent': 3.972.37
+      '@aws-sdk/region-config-resolver': 3.972.13
+      '@aws-sdk/signature-v4-multi-region': 3.996.24
+      '@aws-sdk/types': 3.973.8
+      '@aws-sdk/util-endpoints': 3.996.8
+      '@aws-sdk/util-user-agent-browser': 3.972.10
+      '@aws-sdk/util-user-agent-node': 3.973.23
+      '@smithy/config-resolver': 4.4.17
+      '@smithy/core': 3.23.17
+      '@smithy/fetch-http-handler': 5.3.17
+      '@smithy/hash-node': 4.2.14
+      '@smithy/invalid-dependency': 4.2.14
+      '@smithy/middleware-content-length': 4.2.14
+      '@smithy/middleware-endpoint': 4.4.32
+      '@smithy/middleware-retry': 4.5.7
+      '@smithy/middleware-serde': 4.2.20
+      '@smithy/middleware-stack': 4.2.14
+      '@smithy/node-config-provider': 4.3.14
+      '@smithy/node-http-handler': 4.6.1
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/smithy-client': 4.12.13
+      '@smithy/types': 4.14.1
+      '@smithy/url-parser': 4.2.14
+      '@smithy/util-base64': 4.3.2
+      '@smithy/util-body-length-browser': 4.2.2
+      '@smithy/util-body-length-node': 4.2.3
+      '@smithy/util-defaults-mode-browser': 4.3.49
+      '@smithy/util-defaults-mode-node': 4.2.54
+      '@smithy/util-endpoints': 3.4.2
+      '@smithy/util-middleware': 4.2.14
+      '@smithy/util-retry': 4.3.6
+      '@smithy/util-utf8': 4.2.2
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
+  '@aws-sdk/region-config-resolver@3.972.13':
+    dependencies:
+      '@aws-sdk/types': 3.973.8
+      '@smithy/config-resolver': 4.4.17
+      '@smithy/node-config-provider': 4.3.14
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@aws-sdk/signature-v4-multi-region@3.996.24':
+    dependencies:
+      '@aws-sdk/middleware-sdk-s3': 3.972.36
+      '@aws-sdk/types': 3.973.8
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/signature-v4': 5.3.14
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@aws-sdk/token-providers@3.1039.0':
+    dependencies:
+      '@aws-sdk/core': 3.974.7
+      '@aws-sdk/nested-clients': 3.997.5
+      '@aws-sdk/types': 3.973.8
+      '@smithy/property-provider': 4.2.14
+      '@smithy/shared-ini-file-loader': 4.4.9
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+    transitivePeerDependencies:
+      - aws-crt
+
+  '@aws-sdk/types@3.973.8':
+    dependencies:
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@aws-sdk/util-arn-parser@3.972.3':
+    dependencies:
+      tslib: 2.8.1
+
+  '@aws-sdk/util-endpoints@3.996.8':
+    dependencies:
+      '@aws-sdk/types': 3.973.8
+      '@smithy/types': 4.14.1
+      '@smithy/url-parser': 4.2.14
+      '@smithy/util-endpoints': 3.4.2
+      tslib: 2.8.1
+
+  '@aws-sdk/util-locate-window@3.965.5':
+    dependencies:
+      tslib: 2.8.1
+
+  '@aws-sdk/util-user-agent-browser@3.972.10':
+    dependencies:
+      '@aws-sdk/types': 3.973.8
+      '@smithy/types': 4.14.1
+      bowser: 2.14.1
+      tslib: 2.8.1
+
+  '@aws-sdk/util-user-agent-node@3.973.23':
+    dependencies:
+      '@aws-sdk/middleware-user-agent': 3.972.37
+      '@aws-sdk/types': 3.973.8
+      '@smithy/node-config-provider': 4.3.14
+      '@smithy/types': 4.14.1
+      '@smithy/util-config-provider': 4.2.2
+      tslib: 2.8.1
+
+  '@aws-sdk/xml-builder@3.972.22':
+    dependencies:
+      '@nodable/entities': 2.1.0
+      '@smithy/types': 4.14.1
+      fast-xml-parser: 5.7.2
+      tslib: 2.8.1
+
+  '@aws/lambda-invoke-store@0.2.4': {}
+
   '@babel/code-frame@7.29.0':
     dependencies:
       '@babel/helper-validator-identifier': 7.28.5
@@ -3060,6 +3904,8 @@ snapshots:
 
   '@noble/hashes@1.8.0': {}
 
+  '@nodable/entities@2.1.0': {}
+
   '@paralleldrive/cuid2@2.3.1':
     dependencies:
       '@noble/hashes': 1.8.0
@@ -3147,6 +3993,339 @@ snapshots:
 
   '@sinclair/typebox@0.27.10': {}
 
+  '@smithy/chunked-blob-reader-native@4.2.3':
+    dependencies:
+      '@smithy/util-base64': 4.3.2
+      tslib: 2.8.1
+
+  '@smithy/chunked-blob-reader@5.2.2':
+    dependencies:
+      tslib: 2.8.1
+
+  '@smithy/config-resolver@4.4.17':
+    dependencies:
+      '@smithy/node-config-provider': 4.3.14
+      '@smithy/types': 4.14.1
+      '@smithy/util-config-provider': 4.2.2
+      '@smithy/util-endpoints': 3.4.2
+      '@smithy/util-middleware': 4.2.14
+      tslib: 2.8.1
+
+  '@smithy/core@3.23.17':
+    dependencies:
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/types': 4.14.1
+      '@smithy/url-parser': 4.2.14
+      '@smithy/util-base64': 4.3.2
+      '@smithy/util-body-length-browser': 4.2.2
+      '@smithy/util-middleware': 4.2.14
+      '@smithy/util-stream': 4.5.25
+      '@smithy/util-utf8': 4.2.2
+      '@smithy/uuid': 1.1.2
+      tslib: 2.8.1
+
+  '@smithy/credential-provider-imds@4.2.14':
+    dependencies:
+      '@smithy/node-config-provider': 4.3.14
+      '@smithy/property-provider': 4.2.14
+      '@smithy/types': 4.14.1
+      '@smithy/url-parser': 4.2.14
+      tslib: 2.8.1
+
+  '@smithy/eventstream-codec@4.2.14':
+    dependencies:
+      '@aws-crypto/crc32': 5.2.0
+      '@smithy/types': 4.14.1
+      '@smithy/util-hex-encoding': 4.2.2
+      tslib: 2.8.1
+
+  '@smithy/eventstream-serde-browser@4.2.14':
+    dependencies:
+      '@smithy/eventstream-serde-universal': 4.2.14
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/eventstream-serde-config-resolver@4.3.14':
+    dependencies:
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/eventstream-serde-node@4.2.14':
+    dependencies:
+      '@smithy/eventstream-serde-universal': 4.2.14
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/eventstream-serde-universal@4.2.14':
+    dependencies:
+      '@smithy/eventstream-codec': 4.2.14
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/fetch-http-handler@5.3.17':
+    dependencies:
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/querystring-builder': 4.2.14
+      '@smithy/types': 4.14.1
+      '@smithy/util-base64': 4.3.2
+      tslib: 2.8.1
+
+  '@smithy/hash-blob-browser@4.2.15':
+    dependencies:
+      '@smithy/chunked-blob-reader': 5.2.2
+      '@smithy/chunked-blob-reader-native': 4.2.3
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/hash-node@4.2.14':
+    dependencies:
+      '@smithy/types': 4.14.1
+      '@smithy/util-buffer-from': 4.2.2
+      '@smithy/util-utf8': 4.2.2
+      tslib: 2.8.1
+
+  '@smithy/hash-stream-node@4.2.14':
+    dependencies:
+      '@smithy/types': 4.14.1
+      '@smithy/util-utf8': 4.2.2
+      tslib: 2.8.1
+
+  '@smithy/invalid-dependency@4.2.14':
+    dependencies:
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/is-array-buffer@2.2.0':
+    dependencies:
+      tslib: 2.8.1
+
+  '@smithy/is-array-buffer@4.2.2':
+    dependencies:
+      tslib: 2.8.1
+
+  '@smithy/md5-js@4.2.14':
+    dependencies:
+      '@smithy/types': 4.14.1
+      '@smithy/util-utf8': 4.2.2
+      tslib: 2.8.1
+
+  '@smithy/middleware-content-length@4.2.14':
+    dependencies:
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/middleware-endpoint@4.4.32':
+    dependencies:
+      '@smithy/core': 3.23.17
+      '@smithy/middleware-serde': 4.2.20
+      '@smithy/node-config-provider': 4.3.14
+      '@smithy/shared-ini-file-loader': 4.4.9
+      '@smithy/types': 4.14.1
+      '@smithy/url-parser': 4.2.14
+      '@smithy/util-middleware': 4.2.14
+      tslib: 2.8.1
+
+  '@smithy/middleware-retry@4.5.7':
+    dependencies:
+      '@smithy/core': 3.23.17
+      '@smithy/node-config-provider': 4.3.14
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/service-error-classification': 4.3.1
+      '@smithy/smithy-client': 4.12.13
+      '@smithy/types': 4.14.1
+      '@smithy/util-middleware': 4.2.14
+      '@smithy/util-retry': 4.3.6
+      '@smithy/uuid': 1.1.2
+      tslib: 2.8.1
+
+  '@smithy/middleware-serde@4.2.20':
+    dependencies:
+      '@smithy/core': 3.23.17
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/middleware-stack@4.2.14':
+    dependencies:
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/node-config-provider@4.3.14':
+    dependencies:
+      '@smithy/property-provider': 4.2.14
+      '@smithy/shared-ini-file-loader': 4.4.9
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/node-http-handler@4.6.1':
+    dependencies:
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/querystring-builder': 4.2.14
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/property-provider@4.2.14':
+    dependencies:
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/protocol-http@5.3.14':
+    dependencies:
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/querystring-builder@4.2.14':
+    dependencies:
+      '@smithy/types': 4.14.1
+      '@smithy/util-uri-escape': 4.2.2
+      tslib: 2.8.1
+
+  '@smithy/querystring-parser@4.2.14':
+    dependencies:
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/service-error-classification@4.3.1':
+    dependencies:
+      '@smithy/types': 4.14.1
+
+  '@smithy/shared-ini-file-loader@4.4.9':
+    dependencies:
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/signature-v4@5.3.14':
+    dependencies:
+      '@smithy/is-array-buffer': 4.2.2
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/types': 4.14.1
+      '@smithy/util-hex-encoding': 4.2.2
+      '@smithy/util-middleware': 4.2.14
+      '@smithy/util-uri-escape': 4.2.2
+      '@smithy/util-utf8': 4.2.2
+      tslib: 2.8.1
+
+  '@smithy/smithy-client@4.12.13':
+    dependencies:
+      '@smithy/core': 3.23.17
+      '@smithy/middleware-endpoint': 4.4.32
+      '@smithy/middleware-stack': 4.2.14
+      '@smithy/protocol-http': 5.3.14
+      '@smithy/types': 4.14.1
+      '@smithy/util-stream': 4.5.25
+      tslib: 2.8.1
+
+  '@smithy/types@4.14.1':
+    dependencies:
+      tslib: 2.8.1
+
+  '@smithy/url-parser@4.2.14':
+    dependencies:
+      '@smithy/querystring-parser': 4.2.14
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/util-base64@4.3.2':
+    dependencies:
+      '@smithy/util-buffer-from': 4.2.2
+      '@smithy/util-utf8': 4.2.2
+      tslib: 2.8.1
+
+  '@smithy/util-body-length-browser@4.2.2':
+    dependencies:
+      tslib: 2.8.1
+
+  '@smithy/util-body-length-node@4.2.3':
+    dependencies:
+      tslib: 2.8.1
+
+  '@smithy/util-buffer-from@2.2.0':
+    dependencies:
+      '@smithy/is-array-buffer': 2.2.0
+      tslib: 2.8.1
+
+  '@smithy/util-buffer-from@4.2.2':
+    dependencies:
+      '@smithy/is-array-buffer': 4.2.2
+      tslib: 2.8.1
+
+  '@smithy/util-config-provider@4.2.2':
+    dependencies:
+      tslib: 2.8.1
+
+  '@smithy/util-defaults-mode-browser@4.3.49':
+    dependencies:
+      '@smithy/property-provider': 4.2.14
+      '@smithy/smithy-client': 4.12.13
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/util-defaults-mode-node@4.2.54':
+    dependencies:
+      '@smithy/config-resolver': 4.4.17
+      '@smithy/credential-provider-imds': 4.2.14
+      '@smithy/node-config-provider': 4.3.14
+      '@smithy/property-provider': 4.2.14
+      '@smithy/smithy-client': 4.12.13
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/util-endpoints@3.4.2':
+    dependencies:
+      '@smithy/node-config-provider': 4.3.14
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/util-hex-encoding@4.2.2':
+    dependencies:
+      tslib: 2.8.1
+
+  '@smithy/util-middleware@4.2.14':
+    dependencies:
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/util-retry@4.3.6':
+    dependencies:
+      '@smithy/service-error-classification': 4.3.1
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/util-stream@4.5.25':
+    dependencies:
+      '@smithy/fetch-http-handler': 5.3.17
+      '@smithy/node-http-handler': 4.6.1
+      '@smithy/types': 4.14.1
+      '@smithy/util-base64': 4.3.2
+      '@smithy/util-buffer-from': 4.2.2
+      '@smithy/util-hex-encoding': 4.2.2
+      '@smithy/util-utf8': 4.2.2
+      tslib: 2.8.1
+
+  '@smithy/util-uri-escape@4.2.2':
+    dependencies:
+      tslib: 2.8.1
+
+  '@smithy/util-utf8@2.3.0':
+    dependencies:
+      '@smithy/util-buffer-from': 2.2.0
+      tslib: 2.8.1
+
+  '@smithy/util-utf8@4.2.2':
+    dependencies:
+      '@smithy/util-buffer-from': 4.2.2
+      tslib: 2.8.1
+
+  '@smithy/util-waiter@4.3.0':
+    dependencies:
+      '@smithy/types': 4.14.1
+      tslib: 2.8.1
+
+  '@smithy/uuid@1.1.2':
+    dependencies:
+      tslib: 2.8.1
+
   '@tanstack/query-core@5.100.1': {}
 
   '@tanstack/react-query@5.100.1(react@18.3.1)':
@@ -3481,6 +4660,8 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  bowser@2.14.1: {}
+
   brace-expansion@1.1.14:
     dependencies:
       balanced-match: 1.0.2
@@ -3901,6 +5082,17 @@ snapshots:
 
   fast-safe-stringify@2.1.1: {}
 
+  fast-xml-builder@1.1.5:
+    dependencies:
+      path-expression-matcher: 1.5.0
+
+  fast-xml-parser@5.7.2:
+    dependencies:
+      '@nodable/entities': 2.1.0
+      fast-xml-builder: 1.1.5
+      path-expression-matcher: 1.5.0
+      strnum: 2.2.3
+
   fdir@6.5.0(picomatch@4.0.4):
     optionalDependencies:
       picomatch: 4.0.4
@@ -4314,6 +5506,8 @@ snapshots:
 
   path-exists@4.0.0: {}
 
+  path-expression-matcher@1.5.0: {}
+
   path-key@3.1.1: {}
 
   path-key@4.0.0: {}
@@ -4697,6 +5891,8 @@ snapshots:
     optionalDependencies:
       '@types/node': 20.19.39
 
+  strnum@2.2.3: {}
+
   sucrase@3.35.1:
     dependencies:
       '@jridgewell/gen-mapping': 0.3.13
@@ -4794,6 +5990,8 @@ snapshots:
 
   ts-interface-checker@0.1.13: {}
 
+  tslib@2.8.1: {}
+
   tsup@8.5.1(postcss@8.5.10)(tsx@4.21.0)(typescript@5.4.5):
     dependencies:
       bundle-require: 5.1.0(esbuild@0.27.7)

From 172493cb63a6469f5c5d62d6cb2a65180483f473 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 09:53:03 -0700
Subject: [PATCH 114/131] security: address Semgrep findings before public
 release
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Real fixes:
  * crypto.ts: pass authTagLength: 16 to createDecipheriv so Node won't
    accept short GCM tags on decrypt (gcm-no-tag-length).
  * Dockerfiles (api, portal, router): add USER node / USER nginx so the
    runtime container doesn't run as root. Includes the chown -R needed
    on the portal nginx paths so cache/log/pid writes work as the
    unprivileged user. Listening ports are all >1024 already so no
    CAP_NET_BIND_SERVICE shenanigans.
  * creator-portal proxy: pin response Content-Type to application/json
    even when upstream sends something else, so a future Network
    response that returns html/plain can't end up XSS'd into a
    browser-rendered page on app.openpartner.dev.

Documented false positives (nosemgrep + comment):
  * stripe-webhook runInTenant: tenantId comes from a DB lookup of our
    own metadata, single-quotes are escaped, and Postgres SET LOCAL
    doesn't accept bind params — no SQL injection.
  * db/ssl.ts: rejectUnauthorized=false for sslmode=require is the
    documented escape hatch for managed Postgres CAs that aren't in
    Node's trust store; operators wanting full verify use
    sslmode=verify-ca / verify-full.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/Dockerfile                   | 16 ++++++++++------
 apps/api/src/crypto.ts                |  5 ++++-
 apps/api/src/routes/creator-portal.ts |  9 ++++++++-
 apps/api/src/routes/stripe-webhook.ts |  5 +++++
 apps/portal/Dockerfile                | 16 +++++++++++++---
 apps/router/Dockerfile                | 11 ++++++++---
 packages/db/src/ssl.ts                |  6 ++++++
 7 files changed, 54 insertions(+), 14 deletions(-)

diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
index cf8e571..9889221 100644
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -62,21 +62,25 @@ ENV NODE_ENV=production \
     MAIL_TRANSPORT=postmark
 WORKDIR /app
 
-# API dist + its workspace deps.
-COPY --from=builder /out/package.json ./package.json
-COPY --from=builder /out/node_modules ./node_modules
-COPY --from=builder /out/dist ./dist
+# API dist + its workspace deps. Owned by the unprivileged `node` user
+# (UID 1000) that ships with the official node:alpine image so the
+# runtime container doesn't run as root.
+COPY --from=builder --chown=node:node /out/package.json ./package.json
+COPY --from=builder --chown=node:node /out/node_modules ./node_modules
+COPY --from=builder --chown=node:node /out/dist ./dist
 
 # Migrations need the @openpartner/db package + knex bin. We ship it
 # alongside so the entrypoint can run them before API boot.
-COPY --from=builder /out/packages-db ./packages-db
+COPY --from=builder --chown=node:node /out/packages-db ./packages-db
 
 # Entrypoint runs migrations then execs the API. `exec` matters — we
 # want the node process to be PID 1 so signals (SIGTERM from Fly /
 # Docker) land on the app directly.
-COPY apps/api/docker-entrypoint.sh /usr/local/bin/openpartner-api
+COPY --chown=node:node apps/api/docker-entrypoint.sh /usr/local/bin/openpartner-api
 RUN chmod +x /usr/local/bin/openpartner-api
 
+USER node
+
 EXPOSE 4601
 HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
     CMD node -e "fetch('http://127.0.0.1:' + (process.env.API_PORT||4601) + '/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"
diff --git a/apps/api/src/crypto.ts b/apps/api/src/crypto.ts
index 029e87d..a5f05de 100644
--- a/apps/api/src/crypto.ts
+++ b/apps/api/src/crypto.ts
@@ -51,7 +51,10 @@ export function decryptSecret(envelope: string): string {
   const iv = buf.subarray(0, IV_LEN);
   const tag = buf.subarray(IV_LEN, IV_LEN + 16);
   const ct = buf.subarray(IV_LEN + 16);
-  const decipher = createDecipheriv(ALG, masterKey(), iv);
+  // authTagLength: 16 is required to refuse short tags on decrypt. Without
+  // it Node accepts any tag 4–16 bytes, which weakens GCM forgery resistance
+  // (Semgrep gcm-no-tag-length).
+  const decipher = createDecipheriv(ALG, masterKey(), iv, { authTagLength: 16 });
   decipher.setAuthTag(tag);
   return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
 }
diff --git a/apps/api/src/routes/creator-portal.ts b/apps/api/src/routes/creator-portal.ts
index 5ca3107..b1f8361 100644
--- a/apps/api/src/routes/creator-portal.ts
+++ b/apps/api/src/routes/creator-portal.ts
@@ -175,10 +175,17 @@ creatorPortalRouter.all(/^\/creator-api(\/.*)?$/, async (req: Request, res: Resp
     }
 
     res.status(upstream.status);
+    // Force JSON content-type on the response. The upstream is the
+    // Network — which we control — but pinning the type here means a
+    // future Network change that returns html/plain (e.g. an error
+    // page) can't end up XSS'd into a browser-rendered page on
+    // app.openpartner.dev. All Network endpoints we proxy already
+    // return JSON; if they didn't, the body string is JSON-serialized
+    // and rendered as text by the browser regardless.
     if (upstreamCt.includes('application/json')) {
       res.type('application/json').send(body);
     } else {
-      res.send(body);
+      res.type('application/json').send(JSON.stringify({ raw: body, contentType: upstreamCt || null }));
     }
   } catch (err) {
     console.error('[creator-portal] proxy failed', { subpath, method: req.method, err });
diff --git a/apps/api/src/routes/stripe-webhook.ts b/apps/api/src/routes/stripe-webhook.ts
index 7be7d38..6355eab 100644
--- a/apps/api/src/routes/stripe-webhook.ts
+++ b/apps/api/src/routes/stripe-webhook.ts
@@ -151,6 +151,11 @@ const CORRECTIVE_EVENT_TYPES = new Set(['refund', 'dispute_created', 'invoice_pa
  */
 async function runInTenant<T>(tenantId: string, fn: (trx: Knex.Transaction) => Promise<T>): Promise<T> {
   return appDb.transaction(async (trx) => {
+    // tenantId is sourced from a DB lookup or our own metadata stamp on
+    // the Stripe object — never directly user-controlled — and single-
+    // quotes are escaped before inlining. Postgres SET LOCAL doesn't
+    // accept bind params, so the inline interpolation is required.
+    // nosemgrep: javascript.lang.security.audit.sqli.node-knex-sqli.node-knex-sqli
     await trx.raw(`set local app.tenant_id = '${tenantId.replace(/'/g, "''")}'`);
     return fn(trx);
   });
diff --git a/apps/portal/Dockerfile b/apps/portal/Dockerfile
index ce5688e..d4a9270 100644
--- a/apps/portal/Dockerfile
+++ b/apps/portal/Dockerfile
@@ -34,10 +34,20 @@ RUN pnpm --filter @openpartner/db build \
 
 FROM nginx:1.27-alpine AS runner
 RUN apk add --no-cache tini \
- && rm /etc/nginx/conf.d/default.conf
+ && rm /etc/nginx/conf.d/default.conf \
+ # Make every path nginx writes to owned by the unprivileged `nginx`
+ # user that already exists in the image. Required because we drop
+ # privileges via USER below, and nginx writes pid/cache/logs at boot.
+ # Listening on 8080 (>1024) means we don't need CAP_NET_BIND_SERVICE.
+ && chown -R nginx:nginx /var/cache/nginx /var/log/nginx /etc/nginx/conf.d /usr/share/nginx/html \
+ && touch /var/run/nginx.pid \
+ && chown nginx:nginx /var/run/nginx.pid
 ENV API_UPSTREAM=api:4601
-COPY apps/portal/nginx.conf.template /etc/nginx/templates/default.conf.template
-COPY --from=builder /repo/apps/portal/dist /usr/share/nginx/html
+COPY --chown=nginx:nginx apps/portal/nginx.conf.template /etc/nginx/templates/default.conf.template
+COPY --from=builder --chown=nginx:nginx /repo/apps/portal/dist /usr/share/nginx/html
+
+USER nginx
+
 EXPOSE 8080
 HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
     CMD wget -qO- http://127.0.0.1:8080/ >/dev/null || exit 1
diff --git a/apps/router/Dockerfile b/apps/router/Dockerfile
index 820a312..24ea9fc 100644
--- a/apps/router/Dockerfile
+++ b/apps/router/Dockerfile
@@ -37,9 +37,14 @@ RUN apk add --no-cache tini
 ENV NODE_ENV=production \
     ROUTER_PORT=4701
 WORKDIR /app
-COPY --from=builder /out/package.json ./package.json
-COPY --from=builder /out/node_modules ./node_modules
-COPY --from=builder /out/dist ./dist
+# chown to the unprivileged `node` user (UID 1000) shipped with the
+# official node:alpine image so the runtime container doesn't run as
+# root.
+COPY --from=builder --chown=node:node /out/package.json ./package.json
+COPY --from=builder --chown=node:node /out/node_modules ./node_modules
+COPY --from=builder --chown=node:node /out/dist ./dist
+
+USER node
 
 EXPOSE 4701
 HEALTHCHECK --interval=30s --timeout=5s --start-period=10s --retries=3 \
diff --git a/packages/db/src/ssl.ts b/packages/db/src/ssl.ts
index aa8e0c4..7bdf48f 100644
--- a/packages/db/src/ssl.ts
+++ b/packages/db/src/ssl.ts
@@ -29,6 +29,12 @@ export function sslFromConnectionString(originalUrl: string): SslResolution {
   if (lower.includes('sslmode=verify-ca') || lower.includes('sslmode=verify-full')) {
     ssl = true;
   } else if (lower.includes('sslmode=require') || lower.includes('sslmode=no-verify')) {
+    // sslmode=require maps to "encrypt-but-don't-verify-CA" because most
+    // managed Postgres providers (DO Managed PG in particular) ship a
+    // self-signed CA that isn't in Node's default trust store. Operators
+    // who want full verification opt in via sslmode=verify-ca/verify-full
+    // and supply the CA in their trust store.
+    // nosemgrep: problem-based-packs.insecure-transport.js-node.bypass-tls-verification.bypass-tls-verification
     ssl = { rejectUnauthorized: false };
   }
   // Strip sslmode + any leftover separator so pg doesn't re-derive ssl.

From f814a38a6bfad45320bdd1032829c1300d726300 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 12:05:07 -0700
Subject: [PATCH 115/131] brand: GitHub social preview / OG image
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Dark theme matching the portal (bg #0b0d10, accent #2dd4bf), cream
logo on the left, wordmark + tagline on the right, MIT footer. Built
at 1280x640 — the ratio GitHub, Twitter, Slack, and Discord all
expect. SVG so it can be re-rendered cleanly when copy or accent
colors change; the social-preview slot itself takes a PNG export.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/public/og-preview.svg | 102 ++++++++++++++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 apps/portal/public/og-preview.svg

diff --git a/apps/portal/public/og-preview.svg b/apps/portal/public/og-preview.svg
new file mode 100644
index 0000000..16c3600
--- /dev/null
+++ b/apps/portal/public/og-preview.svg
@@ -0,0 +1,102 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  GitHub social preview / Open Graph image for openpartner.
+
+  Renders at 1280×640 — the ratio GitHub, Twitter, Slack, and Discord
+  expect for og:image. Convert to PNG before uploading (GitHub doesn't
+  accept SVG for the social-preview slot):
+
+    inkscape og-preview.svg --export-type=png --export-width=1280 \
+      --export-filename=og-preview.png
+
+  ...or open this SVG in a browser and screenshot at 1280×640.
+
+  Theme matches the portal: bg #0b0d10, surface #14171c, accent #2dd4bf.
+  Logo path is the cream variant (logo-mark-white.svg) inlined so the
+  PNG export is self-contained.
+-->
+<svg
+  xmlns="http://www.w3.org/2000/svg"
+  viewBox="0 0 1280 640"
+  width="1280"
+  height="640"
+  font-family="-apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif"
+>
+  <defs>
+    <radialGradient id="glow" cx="20%" cy="25%" r="65%">
+      <stop offset="0%" stop-color="#1a2530" stop-opacity="1" />
+      <stop offset="100%" stop-color="#0b0d10" stop-opacity="1" />
+    </radialGradient>
+  </defs>
+
+  <!-- Background -->
+  <rect width="1280" height="640" fill="url(#glow)" />
+
+  <!-- Subtle accent dot grid in the corner (~16 dots) -->
+  <g fill="#2dd4bf" opacity="0.12">
+    <circle cx="1148" cy="540" r="3" />
+    <circle cx="1180" cy="540" r="3" />
+    <circle cx="1212" cy="540" r="3" />
+    <circle cx="1148" cy="572" r="3" />
+    <circle cx="1180" cy="572" r="3" />
+    <circle cx="1212" cy="572" r="3" />
+  </g>
+
+  <!-- Logo (cream variant from logo-mark-white.svg).
+       Embedded as nested <svg> so the inner viewBox math is preserved. -->
+  <svg x="120" y="195" width="280" height="176" viewBox="0 0 313 197">
+    <g>
+      <path
+        fill="#E4E1D7"
+        transform="matrix(0.590126 0 0 0.590126 156.518658 98.350446) translate(-512.229219, -458.33992)"
+        d="M 587.00 592.05 L 587.00 559.11 L 592.75 561.09 C 611.50 567.56 634.30 570.64 651.53 569.04 C 684.65 565.96 712.74 552.50 737.02 528.08 C 757.57 507.41 770.59 482.77 775.65 454.96 C 778.24 440.74 778.02 417.65 775.17 403.24 C 769.42 374.21 757.04 351.02 736.03 329.92 C 709.99 303.76 680.83 291.71 643.50 291.68 C 620.39 291.65 601.27 295.83 582.00 305.10 C 566.07 312.77 555.85 320.06 542.95 332.95 C 530.78 345.12 522.63 355.79 514.45 370.24 C 511.73 375.05 509.27 378.98 509.00 378.96 C 508.73 378.95 506.02 375.24 503.00 370.72 C 491.73 353.88 468.55 333.87 448.75 323.88 C 430.09 314.46 405.30 309.35 383.00 310.35 C 360.22 311.36 345.51 315.11 325.50 325.01 C 310.58 332.38 299.35 340.78 286.48 354.17 C 269.81 371.51 258.20 391.47 252.11 413.22 C 248.15 427.39 247.00 436.31 247.00 452.90 C 247.00 481.43 254.05 504.84 269.73 528.44 C 290.44 559.58 323.13 581.67 361.12 590.18 C 370.10 592.19 373.99 592.48 390.00 592.38 C 407.09 592.26 409.38 592.03 420.00 589.26 C 440.12 584.03 455.31 576.85 470.99 565.17 C 481.20 557.57 494.17 544.20 502.00 533.22 C 505.58 528.21 508.84 524.08 509.25 524.05 C 509.66 524.02 510.00 543.28 510.00 566.85 C 510.00 590.42 510.29 613.14 510.65 617.35 L 511.29 625.00 L 549.15 625.00 L 587.00 625.00 z M 528.69 607.35 C 528.31 606.98 528.00 581.45 528.00 550.63 L 528.00 494.60 L 539.94 475.55 C 546.51 465.07 552.18 455.71 552.55 454.75 C 553.66 451.82 554.55 452.74 556.44 458.75 C 567.73 494.75 604.39 519.99 642.00 517.65 C 685.45 514.96 719.34 480.80 721.72 437.30 C 723.53 404.41 704.87 372.60 675.50 358.49 C 664.15 353.04 654.93 351.00 641.80 351.02 C 624.33 351.05 609.66 355.54 596.20 365.00 C 583.88 373.65 575.04 385.60 542.58 437.50 C 493.58 515.85 486.65 526.12 474.00 539.03 C 449.00 564.56 413.07 578.23 379.37 575.03 C 357.90 573.00 339.02 566.41 321.17 554.71 C 301.61 541.89 286.26 524.68 276.44 504.55 C 253.47 457.46 263.45 401.20 301.44 363.59 C 319.81 345.41 341.94 333.81 366.39 329.55 C 377.80 327.56 400.04 327.53 410.30 329.49 C 442.76 335.70 473.76 357.28 492.64 386.79 C 499.03 396.77 499.20 395.24 490.01 410.15 C 485.48 417.49 480.78 425.08 479.55 427.00 C 478.33 428.92 475.35 433.60 472.95 437.39 L 468.58 444.29 L 467.38 437.89 C 464.22 421.04 454.98 403.79 443.20 392.78 C 426.46 377.14 407.54 370.25 384.11 371.27 C 370.13 371.88 363.38 373.58 351.50 379.48 C 335.04 387.66 323.16 399.72 315.02 416.50 C 309.69 427.48 307.97 434.54 307.31 448.06 C 306.07 473.43 314.27 493.71 332.79 511.04 C 347.67 524.98 367.68 532.98 387.68 532.99 C 415.65 533.01 440.00 519.36 458.20 493.46 C 465.08 483.65 490.64 443.11 510.69 410.18 C 533.63 372.50 537.74 366.14 545.18 356.79 C 561.31 336.53 581.13 322.43 603.85 315.08 C 618.29 310.40 624.98 309.49 644.50 309.58 C 660.68 309.65 663.51 309.93 672.50 312.33 C 691.78 317.47 709.46 327.78 723.76 342.23 C 741.82 360.46 751.47 378.22 757.63 404.50 C 759.12 410.87 759.49 416.28 759.44 431.00 C 759.39 447.67 759.12 450.45 756.79 459.09 C 750.31 483.06 741.07 499.34 724.38 516.17 C 687.88 552.99 634.79 561.98 587.12 539.44 C 581.07 536.58 576.36 535.00 573.88 535.00 L 570.02 535.00 L 569.76 571.25 L 569.50 607.50 L 549.44 607.77 C 538.40 607.92 529.06 607.73 528.69 607.35 z M 375.67 514.46 C 371.92 513.71 364.95 511.22 360.17 508.92 C 345.66 501.93 331.98 486.21 327.09 470.88 C 325.11 464.70 324.18 452.36 325.08 444.35 C 326.81 428.90 332.92 416.67 344.52 405.45 C 356.15 394.20 370.54 388.62 388.00 388.60 C 405.52 388.57 418.93 394.09 431.40 406.45 C 443.99 418.92 449.86 432.00 450.71 449.50 C 451.99 475.72 438.41 497.98 414.02 509.66 C 401.87 515.48 388.96 517.10 375.67 514.46 z M 629.50 499.92 C 614.01 497.90 601.13 491.36 589.49 479.60 C 576.85 466.83 570.00 451.04 570.00 434.68 C 570.00 426.46 570.42 425.61 584.90 404.54 C 599.76 382.93 606.75 376.70 622.27 371.25 C 632.71 367.58 649.26 367.44 659.95 370.94 C 673.61 375.41 687.13 386.40 694.82 399.27 C 705.73 417.53 707.03 442.58 698.05 461.40 C 685.65 487.38 656.97 503.50 629.50 499.92 z"
+      />
+    </g>
+  </svg>
+
+  <!-- Wordmark + tagline, right of logo -->
+  <g transform="translate(456, 0)">
+    <!-- Wordmark -->
+    <text
+      x="0"
+      y="290"
+      fill="#e6e8eb"
+      font-size="92"
+      font-weight="700"
+      letter-spacing="-2"
+    >OpenPartner</text>
+
+    <!-- Accent rule -->
+    <rect x="0" y="312" width="68" height="4" rx="2" fill="#2dd4bf" />
+
+    <!-- Tagline -->
+    <text
+      x="0"
+      y="370"
+      fill="#9aa0a6"
+      font-size="28"
+      font-weight="400"
+      letter-spacing="-0.3"
+    >Open-source partner attribution + payouts.</text>
+
+    <!-- Sub-tagline / wedge -->
+    <text
+      x="0"
+      y="410"
+      fill="#9aa0a6"
+      font-size="28"
+      font-weight="400"
+      letter-spacing="-0.3"
+    >Click → identity → revenue. Your data, your DB.</text>
+  </g>
+
+  <!-- Footer strip -->
+  <text
+    x="120"
+    y="582"
+    fill="#5a6068"
+    font-size="20"
+    font-weight="500"
+    letter-spacing="0.5"
+  >MIT  ·  Self-host or hosted  ·  github.com/getcoherence/openpartner</text>
+</svg>

From 913497435aa140a2772a02108a7f4ab2a0613d3a Mon Sep 17 00:00:00 2001
From: Keith <keith.fawcett@gmail.com>
Date: Thu, 30 Apr 2026 12:08:10 -0700
Subject: [PATCH 116/131] Add Buy Me a Coffee funding option

Added Buy Me a Coffee funding option for keithf.
---
 .github/FUNDING.yml | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 .github/FUNDING.yml

diff --git a/.github/FUNDING.yml b/.github/FUNDING.yml
new file mode 100644
index 0000000..2bb7b8a
--- /dev/null
+++ b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
+# These are supported funding model platforms
+
+buy_me_a_coffee: keithf

From 65573abef79b89e69886d97aa8677d767fe5caf0 Mon Sep 17 00:00:00 2001
From: Keith <keith.fawcett@gmail.com>
Date: Thu, 30 Apr 2026 12:15:47 -0700
Subject: [PATCH 117/131] Update CODE_OF_CONDUCT.md

---
 CODE_OF_CONDUCT.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
index 8077f0f..db08160 100644
--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@@ -4,4 +4,4 @@ OpenPartner adopts the [Contributor Covenant v2.1](https://www.contributor-coven
 
 In short: be respectful, assume good intent, critique ideas not people, and don't be the reason someone stops contributing.
 
-Violations can be reported to `conduct@getcoherence.io`. Reports are kept confidential and we aim to respond within two business days.
+Violations can be reported to `support@getcoherence.io`. Reports are kept confidential and we aim to respond within two business days.

From 572c47f1c98bf8c953a1b4f151b0cd0953c48cce Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 12:16:46 -0700
Subject: [PATCH 118/131] brand(og): match marketing-site hero copy + emerald
 accent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Earlier draft used the app-portal teal (#2dd4bf) and a generic
"open-source partner attribution" tagline. The marketing site at
openpartner.dev leads with a different positioning — emerald accent
(#16a34a), eyebrow pill, "Launch a partner program. Grow it with the
Network." headline. Bring the OG card in line so a click from
Twitter/Slack/GitHub previews lands on a visually consistent first
impression with the homepage.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/public/og-preview.svg | 129 +++++++++++++++---------------
 1 file changed, 65 insertions(+), 64 deletions(-)

diff --git a/apps/portal/public/og-preview.svg b/apps/portal/public/og-preview.svg
index 16c3600..86c7772 100644
--- a/apps/portal/public/og-preview.svg
+++ b/apps/portal/public/og-preview.svg
@@ -6,14 +6,12 @@
   expect for og:image. Convert to PNG before uploading (GitHub doesn't
   accept SVG for the social-preview slot):
 
-    inkscape og-preview.svg --export-type=png --export-width=1280 \
-      --export-filename=og-preview.png
+    npx -y svgexport apps/portal/public/og-preview.svg og-preview.png 1280:640
 
-  ...or open this SVG in a browser and screenshot at 1280×640.
-
-  Theme matches the portal: bg #0b0d10, surface #14171c, accent #2dd4bf.
-  Logo path is the cream variant (logo-mark-white.svg) inlined so the
-  PNG export is self-contained.
+  Mirrors the marketing site hero: emerald accent (#16a34a), the same
+  eyebrow → headline structure as openpartner.dev. Logo path is the
+  cream variant (logo-mark-white.svg) inlined so the PNG export is
+  self-contained.
 -->
 <svg
   xmlns="http://www.w3.org/2000/svg"
@@ -23,8 +21,8 @@
   font-family="-apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif"
 >
   <defs>
-    <radialGradient id="glow" cx="20%" cy="25%" r="65%">
-      <stop offset="0%" stop-color="#1a2530" stop-opacity="1" />
+    <radialGradient id="glow" cx="80%" cy="20%" r="80%">
+      <stop offset="0%" stop-color="#102018" stop-opacity="1" />
       <stop offset="100%" stop-color="#0b0d10" stop-opacity="1" />
     </radialGradient>
   </defs>
@@ -32,70 +30,73 @@
   <!-- Background -->
   <rect width="1280" height="640" fill="url(#glow)" />
 
-  <!-- Subtle accent dot grid in the corner (~16 dots) -->
-  <g fill="#2dd4bf" opacity="0.12">
-    <circle cx="1148" cy="540" r="3" />
-    <circle cx="1180" cy="540" r="3" />
-    <circle cx="1212" cy="540" r="3" />
-    <circle cx="1148" cy="572" r="3" />
-    <circle cx="1180" cy="572" r="3" />
-    <circle cx="1212" cy="572" r="3" />
-  </g>
-
-  <!-- Logo (cream variant from logo-mark-white.svg).
-       Embedded as nested <svg> so the inner viewBox math is preserved. -->
-  <svg x="120" y="195" width="280" height="176" viewBox="0 0 313 197">
-    <g>
-      <path
-        fill="#E4E1D7"
-        transform="matrix(0.590126 0 0 0.590126 156.518658 98.350446) translate(-512.229219, -458.33992)"
-        d="M 587.00 592.05 L 587.00 559.11 L 592.75 561.09 C 611.50 567.56 634.30 570.64 651.53 569.04 C 684.65 565.96 712.74 552.50 737.02 528.08 C 757.57 507.41 770.59 482.77 775.65 454.96 C 778.24 440.74 778.02 417.65 775.17 403.24 C 769.42 374.21 757.04 351.02 736.03 329.92 C 709.99 303.76 680.83 291.71 643.50 291.68 C 620.39 291.65 601.27 295.83 582.00 305.10 C 566.07 312.77 555.85 320.06 542.95 332.95 C 530.78 345.12 522.63 355.79 514.45 370.24 C 511.73 375.05 509.27 378.98 509.00 378.96 C 508.73 378.95 506.02 375.24 503.00 370.72 C 491.73 353.88 468.55 333.87 448.75 323.88 C 430.09 314.46 405.30 309.35 383.00 310.35 C 360.22 311.36 345.51 315.11 325.50 325.01 C 310.58 332.38 299.35 340.78 286.48 354.17 C 269.81 371.51 258.20 391.47 252.11 413.22 C 248.15 427.39 247.00 436.31 247.00 452.90 C 247.00 481.43 254.05 504.84 269.73 528.44 C 290.44 559.58 323.13 581.67 361.12 590.18 C 370.10 592.19 373.99 592.48 390.00 592.38 C 407.09 592.26 409.38 592.03 420.00 589.26 C 440.12 584.03 455.31 576.85 470.99 565.17 C 481.20 557.57 494.17 544.20 502.00 533.22 C 505.58 528.21 508.84 524.08 509.25 524.05 C 509.66 524.02 510.00 543.28 510.00 566.85 C 510.00 590.42 510.29 613.14 510.65 617.35 L 511.29 625.00 L 549.15 625.00 L 587.00 625.00 z M 528.69 607.35 C 528.31 606.98 528.00 581.45 528.00 550.63 L 528.00 494.60 L 539.94 475.55 C 546.51 465.07 552.18 455.71 552.55 454.75 C 553.66 451.82 554.55 452.74 556.44 458.75 C 567.73 494.75 604.39 519.99 642.00 517.65 C 685.45 514.96 719.34 480.80 721.72 437.30 C 723.53 404.41 704.87 372.60 675.50 358.49 C 664.15 353.04 654.93 351.00 641.80 351.02 C 624.33 351.05 609.66 355.54 596.20 365.00 C 583.88 373.65 575.04 385.60 542.58 437.50 C 493.58 515.85 486.65 526.12 474.00 539.03 C 449.00 564.56 413.07 578.23 379.37 575.03 C 357.90 573.00 339.02 566.41 321.17 554.71 C 301.61 541.89 286.26 524.68 276.44 504.55 C 253.47 457.46 263.45 401.20 301.44 363.59 C 319.81 345.41 341.94 333.81 366.39 329.55 C 377.80 327.56 400.04 327.53 410.30 329.49 C 442.76 335.70 473.76 357.28 492.64 386.79 C 499.03 396.77 499.20 395.24 490.01 410.15 C 485.48 417.49 480.78 425.08 479.55 427.00 C 478.33 428.92 475.35 433.60 472.95 437.39 L 468.58 444.29 L 467.38 437.89 C 464.22 421.04 454.98 403.79 443.20 392.78 C 426.46 377.14 407.54 370.25 384.11 371.27 C 370.13 371.88 363.38 373.58 351.50 379.48 C 335.04 387.66 323.16 399.72 315.02 416.50 C 309.69 427.48 307.97 434.54 307.31 448.06 C 306.07 473.43 314.27 493.71 332.79 511.04 C 347.67 524.98 367.68 532.98 387.68 532.99 C 415.65 533.01 440.00 519.36 458.20 493.46 C 465.08 483.65 490.64 443.11 510.69 410.18 C 533.63 372.50 537.74 366.14 545.18 356.79 C 561.31 336.53 581.13 322.43 603.85 315.08 C 618.29 310.40 624.98 309.49 644.50 309.58 C 660.68 309.65 663.51 309.93 672.50 312.33 C 691.78 317.47 709.46 327.78 723.76 342.23 C 741.82 360.46 751.47 378.22 757.63 404.50 C 759.12 410.87 759.49 416.28 759.44 431.00 C 759.39 447.67 759.12 450.45 756.79 459.09 C 750.31 483.06 741.07 499.34 724.38 516.17 C 687.88 552.99 634.79 561.98 587.12 539.44 C 581.07 536.58 576.36 535.00 573.88 535.00 L 570.02 535.00 L 569.76 571.25 L 569.50 607.50 L 549.44 607.77 C 538.40 607.92 529.06 607.73 528.69 607.35 z M 375.67 514.46 C 371.92 513.71 364.95 511.22 360.17 508.92 C 345.66 501.93 331.98 486.21 327.09 470.88 C 325.11 464.70 324.18 452.36 325.08 444.35 C 326.81 428.90 332.92 416.67 344.52 405.45 C 356.15 394.20 370.54 388.62 388.00 388.60 C 405.52 388.57 418.93 394.09 431.40 406.45 C 443.99 418.92 449.86 432.00 450.71 449.50 C 451.99 475.72 438.41 497.98 414.02 509.66 C 401.87 515.48 388.96 517.10 375.67 514.46 z M 629.50 499.92 C 614.01 497.90 601.13 491.36 589.49 479.60 C 576.85 466.83 570.00 451.04 570.00 434.68 C 570.00 426.46 570.42 425.61 584.90 404.54 C 599.76 382.93 606.75 376.70 622.27 371.25 C 632.71 367.58 649.26 367.44 659.95 370.94 C 673.61 375.41 687.13 386.40 694.82 399.27 C 705.73 417.53 707.03 442.58 698.05 461.40 C 685.65 487.38 656.97 503.50 629.50 499.92 z"
-      />
-    </g>
+  <!-- Header strip: logo + wordmark, compact, top-left.
+       Logo is the cream variant inlined from logo-mark-white.svg. -->
+  <svg x="80" y="64" width="56" height="36" viewBox="0 0 313 197" preserveAspectRatio="xMidYMid meet">
+    <path
+      fill="#E4E1D7"
+      transform="matrix(0.590126 0 0 0.590126 156.518658 98.350446) translate(-512.229219, -458.33992)"
+      d="M 587.00 592.05 L 587.00 559.11 L 592.75 561.09 C 611.50 567.56 634.30 570.64 651.53 569.04 C 684.65 565.96 712.74 552.50 737.02 528.08 C 757.57 507.41 770.59 482.77 775.65 454.96 C 778.24 440.74 778.02 417.65 775.17 403.24 C 769.42 374.21 757.04 351.02 736.03 329.92 C 709.99 303.76 680.83 291.71 643.50 291.68 C 620.39 291.65 601.27 295.83 582.00 305.10 C 566.07 312.77 555.85 320.06 542.95 332.95 C 530.78 345.12 522.63 355.79 514.45 370.24 C 511.73 375.05 509.27 378.98 509.00 378.96 C 508.73 378.95 506.02 375.24 503.00 370.72 C 491.73 353.88 468.55 333.87 448.75 323.88 C 430.09 314.46 405.30 309.35 383.00 310.35 C 360.22 311.36 345.51 315.11 325.50 325.01 C 310.58 332.38 299.35 340.78 286.48 354.17 C 269.81 371.51 258.20 391.47 252.11 413.22 C 248.15 427.39 247.00 436.31 247.00 452.90 C 247.00 481.43 254.05 504.84 269.73 528.44 C 290.44 559.58 323.13 581.67 361.12 590.18 C 370.10 592.19 373.99 592.48 390.00 592.38 C 407.09 592.26 409.38 592.03 420.00 589.26 C 440.12 584.03 455.31 576.85 470.99 565.17 C 481.20 557.57 494.17 544.20 502.00 533.22 C 505.58 528.21 508.84 524.08 509.25 524.05 C 509.66 524.02 510.00 543.28 510.00 566.85 C 510.00 590.42 510.29 613.14 510.65 617.35 L 511.29 625.00 L 549.15 625.00 L 587.00 625.00 z M 528.69 607.35 C 528.31 606.98 528.00 581.45 528.00 550.63 L 528.00 494.60 L 539.94 475.55 C 546.51 465.07 552.18 455.71 552.55 454.75 C 553.66 451.82 554.55 452.74 556.44 458.75 C 567.73 494.75 604.39 519.99 642.00 517.65 C 685.45 514.96 719.34 480.80 721.72 437.30 C 723.53 404.41 704.87 372.60 675.50 358.49 C 664.15 353.04 654.93 351.00 641.80 351.02 C 624.33 351.05 609.66 355.54 596.20 365.00 C 583.88 373.65 575.04 385.60 542.58 437.50 C 493.58 515.85 486.65 526.12 474.00 539.03 C 449.00 564.56 413.07 578.23 379.37 575.03 C 357.90 573.00 339.02 566.41 321.17 554.71 C 301.61 541.89 286.26 524.68 276.44 504.55 C 253.47 457.46 263.45 401.20 301.44 363.59 C 319.81 345.41 341.94 333.81 366.39 329.55 C 377.80 327.56 400.04 327.53 410.30 329.49 C 442.76 335.70 473.76 357.28 492.64 386.79 C 499.03 396.77 499.20 395.24 490.01 410.15 C 485.48 417.49 480.78 425.08 479.55 427.00 C 478.33 428.92 475.35 433.60 472.95 437.39 L 468.58 444.29 L 467.38 437.89 C 464.22 421.04 454.98 403.79 443.20 392.78 C 426.46 377.14 407.54 370.25 384.11 371.27 C 370.13 371.88 363.38 373.58 351.50 379.48 C 335.04 387.66 323.16 399.72 315.02 416.50 C 309.69 427.48 307.97 434.54 307.31 448.06 C 306.07 473.43 314.27 493.71 332.79 511.04 C 347.67 524.98 367.68 532.98 387.68 532.99 C 415.65 533.01 440.00 519.36 458.20 493.46 C 465.08 483.65 490.64 443.11 510.69 410.18 C 533.63 372.50 537.74 366.14 545.18 356.79 C 561.31 336.53 581.13 322.43 603.85 315.08 C 618.29 310.40 624.98 309.49 644.50 309.58 C 660.68 309.65 663.51 309.93 672.50 312.33 C 691.78 317.47 709.46 327.78 723.76 342.23 C 741.82 360.46 751.47 378.22 757.63 404.50 C 759.12 410.87 759.49 416.28 759.44 431.00 C 759.39 447.67 759.12 450.45 756.79 459.09 C 750.31 483.06 741.07 499.34 724.38 516.17 C 687.88 552.99 634.79 561.98 587.12 539.44 C 581.07 536.58 576.36 535.00 573.88 535.00 L 570.02 535.00 L 569.76 571.25 L 569.50 607.50 L 549.44 607.77 C 538.40 607.92 529.06 607.73 528.69 607.35 z M 375.67 514.46 C 371.92 513.71 364.95 511.22 360.17 508.92 C 345.66 501.93 331.98 486.21 327.09 470.88 C 325.11 464.70 324.18 452.36 325.08 444.35 C 326.81 428.90 332.92 416.67 344.52 405.45 C 356.15 394.20 370.54 388.62 388.00 388.60 C 405.52 388.57 418.93 394.09 431.40 406.45 C 443.99 418.92 449.86 432.00 450.71 449.50 C 451.99 475.72 438.41 497.98 414.02 509.66 C 401.87 515.48 388.96 517.10 375.67 514.46 z M 629.50 499.92 C 614.01 497.90 601.13 491.36 589.49 479.60 C 576.85 466.83 570.00 451.04 570.00 434.68 C 570.00 426.46 570.42 425.61 584.90 404.54 C 599.76 382.93 606.75 376.70 622.27 371.25 C 632.71 367.58 649.26 367.44 659.95 370.94 C 673.61 375.41 687.13 386.40 694.82 399.27 C 705.73 417.53 707.03 442.58 698.05 461.40 C 685.65 487.38 656.97 503.50 629.50 499.92 z"
+    />
   </svg>
 
-  <!-- Wordmark + tagline, right of logo -->
-  <g transform="translate(456, 0)">
-    <!-- Wordmark -->
+  <text
+    x="148"
+    y="92"
+    fill="#e6e8eb"
+    font-size="26"
+    font-weight="600"
+    letter-spacing="-0.3"
+  >OpenPartner</text>
+
+  <!-- Eyebrow pill: matches the marketing site .eyebrow style
+       (rgba(22,163,74,0.12) bg, #16a34a text, 999px radius, uppercase). -->
+  <g transform="translate(80, 200)">
+    <rect width="552" height="40" rx="20" ry="20" fill="#16a34a" fill-opacity="0.14" />
     <text
-      x="0"
-      y="290"
-      fill="#e6e8eb"
-      font-size="92"
+      x="22"
+      y="27"
+      fill="#22c55e"
+      font-size="17"
       font-weight="700"
-      letter-spacing="-2"
-    >OpenPartner</text>
-
-    <!-- Accent rule -->
-    <rect x="0" y="312" width="68" height="4" rx="2" fill="#2dd4bf" />
+      letter-spacing="1.6"
+    >PARTNER PROGRAM SOFTWARE WITH A BUILT-IN NETWORK</text>
+  </g>
 
-    <!-- Tagline -->
-    <text
-      x="0"
-      y="370"
-      fill="#9aa0a6"
-      font-size="28"
-      font-weight="400"
-      letter-spacing="-0.3"
-    >Open-source partner attribution + payouts.</text>
+  <!-- Headline — same copy + structure as the marketing site hero -->
+  <text
+    x="80"
+    y="346"
+    fill="#e6e8eb"
+    font-size="76"
+    font-weight="700"
+    letter-spacing="-2"
+  >Launch a partner program.</text>
+  <text
+    x="80"
+    y="436"
+    fill="#e6e8eb"
+    font-size="76"
+    font-weight="700"
+    letter-spacing="-2"
+  >Grow it with the Network.</text>
 
-    <!-- Sub-tagline / wedge -->
-    <text
-      x="0"
-      y="410"
-      fill="#9aa0a6"
-      font-size="28"
-      font-weight="400"
-      letter-spacing="-0.3"
-    >Click → identity → revenue. Your data, your DB.</text>
-  </g>
+  <!-- Sub-line: tightens the value prop without being a wall of text -->
+  <text
+    x="80"
+    y="498"
+    fill="#9aa0a6"
+    font-size="24"
+    font-weight="400"
+    letter-spacing="-0.3"
+  >Affiliate, referral, and creator programs · built-in marketplace · direct Stripe payouts</text>
 
-  <!-- Footer strip -->
+  <!-- Footer -->
   <text
-    x="120"
-    y="582"
+    x="80"
+    y="595"
     fill="#5a6068"
-    font-size="20"
+    font-size="18"
     font-weight="500"
     letter-spacing="0.5"
   >MIT  ·  Self-host or hosted  ·  github.com/getcoherence/openpartner</text>

From b9a68ab53453435a20e086283762783273a970ef Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 12:24:02 -0700
Subject: [PATCH 119/131] docs(readme): align pricing with marketing site +
 Stripe products
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The pricing table was a stale draft from before the Flex/Revshare/
Network-add-on structure landed. Sync to what openpartner.dev/pricing
and the Stripe products (per setup-stripe.mjs) actually charge:

  * Self-hosted: Free
  * Self-hosted + Network: $29/mo + 3% on Network-originated payouts
  * Hosted — Flex: $49/mo + 1.5% of attributed GMV
  * Hosted — Revshare: 3% of attributed GMV, no monthly
  * Enterprise: Custom

Also updated the OPENPARTNER_MODE one-liner in the implementation
status block to call out the Flex / Revshare names so the env value
isn't disconnected from the marketing labels.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 README.md | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index 8c367ea..5e460ad 100644
--- a/README.md
+++ b/README.md
@@ -21,15 +21,19 @@ OpenPartner fixes both.
 - Works across devices by stitching to logged-in user identity
 - Answers the questions that matter: *which creator drove this revenue?* *which content actually converted?*
 
-### Three-tier pricing
+### Pricing
 
-Pick the model that fits your business — at signup, not at year-three renewal:
+Pick the tier that fits your business — at signup, not at year-three renewal. You can move between hosted tiers anytime.
 
 | Tier | Price | Best for |
 | --- | --- | --- |
-| **Self-hosted** | Free forever | Teams who want to own their infra |
-| **Hosted — flat** | $99–$499/mo | Teams who want predictability |
-| **Hosted — revenue share** | 3% of GMV, no monthly | Teams who want to start cheaply and scale |
+| **Self-hosted** | Free | Teams who want to own their infra. Run the core on your own box. |
+| **Self-hosted + Network** | $29/mo + 3% on Network-originated payouts | Self-hosters who want creator-marketplace discovery on top of the core. |
+| **Hosted — Flex** | $49/mo + 1.5% of attributed GMV | Teams who want predictable pricing + the Network bundled in. |
+| **Hosted — Revshare** | 3% of attributed GMV, no monthly | Teams who want to start cheap and only pay when partners drive revenue. |
+| **Enterprise** | Custom | Larger programs that need dedicated infra, SLAs, or procurement support. |
+
+Self-hosted is the GitHub repo you're reading. Hosted tiers run the same code on OpenPartner infra. Full pricing details: [openpartner.dev/pricing](https://openpartner.dev/pricing).
 
 ### Your data stays yours
 
@@ -109,7 +113,7 @@ v1. End-to-end attribution, payouts, and export are working; API surface is stab
 - Program name + support email editable from the admin Settings UI (not env)
 - Mail transport (SMTP / Postmark / console) editable from the UI, SMTP passwords + Postmark tokens encrypted at rest with `SECRETS_ENCRYPTION_KEY`
 - Env vars (`SMTP_*`, `POSTMARK_*`, `MAIL_FROM`) remain as deploy-time fallbacks
-- Three deployment modes gated by `OPENPARTNER_MODE`: `selfhost`, `flat` (Stripe subscription), `revshare` (3% platform fee)
+- Three deployment modes gated by `OPENPARTNER_MODE`: `selfhost`, `flat` (Hosted Flex — $49/mo + 1.5% metered), `revshare` (Hosted Revshare — 3% metered, no monthly)
 
 **Integration surface**
 

From 1158874132cea4658444320a11dcd6e8cf5f4661 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 12:28:47 -0700
Subject: [PATCH 120/131] governance: CODEOWNERS + SECURITY.md ahead of public
 flip
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CODEOWNERS:
  * Default reviewer for everything.
  * Hard-block paths: build/CI config, the crypto/auth/db trio, the
    migrations directory, and the network-protocol contract that the
    federation builds against. Touching any of these requires explicit
    maintainer approval — same rule as the branch-protection
    "Require review from Code Owners" toggle relies on.

SECURITY.md:
  * Private vulnerability reporting URL (GitHub Security Advisories)
    plus an email fallback.
  * Acknowledgement and fix SLAs (48 hours, 7 days for critical).
  * Scope + out-of-scope so reporters know what to send and what to
    skip — keeps inbox noise out of the queue.
  * Reserves a hall-of-fame slot for opt-in reporter credit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/CODEOWNERS | 41 ++++++++++++++++++++++++++++++++++++++
 SECURITY.md        | 49 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 90 insertions(+)
 create mode 100644 .github/CODEOWNERS
 create mode 100644 SECURITY.md

diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..00ed01b
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,41 @@
+# GitHub CODEOWNERS file.
+#
+# Lines map a path glob to a GitHub user / team. The last matching line
+# wins. When a PR touches a path, GitHub auto-requests review from the
+# matching owner(s); when the protected-branch rule "Require review from
+# Code Owners" is on, the PR can't merge without their approval.
+#
+# Keep this list short and meaningful — every entry is a hard
+# review-block. Default reviewer covers everything; specific paths
+# below add no extra owners (yet) but reserve the slots for when a
+# team forms around the repo.
+
+# Default reviewer for everything not matched below.
+*  @keithfawcett
+
+# Build, deploy, and CI configuration. Changes here affect the release
+# pipeline and supply chain — surface them clearly.
+/.github/                          @keithfawcett
+/.do/                              @keithfawcett
+/Dockerfile                        @keithfawcett
+/docker-compose*.yml               @keithfawcett
+/apps/api/Dockerfile               @keithfawcett
+/apps/portal/Dockerfile            @keithfawcett
+/apps/router/Dockerfile            @keithfawcett
+
+# Cryptography + auth + storage of secrets. Anything under here gets
+# extra eyes because a regression is hard to catch in review.
+/apps/api/src/crypto.ts            @keithfawcett
+/apps/api/src/auth.ts              @keithfawcett
+/apps/api/src/db.ts                @keithfawcett
+/apps/api/src/tenancy.ts           @keithfawcett
+/packages/db/src/ssl.ts            @keithfawcett
+
+# Database migrations. Bad migrations are the most expensive class of
+# mistake — explicitly route to the maintainer even when they're small.
+/packages/db/migrations/           @keithfawcett
+
+# Network-protocol contract. Any wire-shape change must go through the
+# maintainer because it's the federation API openpartner-network builds
+# against.
+/docs/network-protocol.md          @keithfawcett
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..5d10caf
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,49 @@
+# Security policy
+
+## Reporting a vulnerability
+
+**Please do not open a public GitHub issue for security vulnerabilities.**
+
+Use one of these private channels instead:
+
+- **GitHub private vulnerability reporting** (preferred): <https://github.com/getcoherence/openpartner/security/advisories/new>
+- **Email**: security@openpartner.dev — replies within 48 hours.
+
+Include as much of the following as you can:
+
+- A description of the issue and its impact.
+- Steps to reproduce, ideally with a minimal proof-of-concept.
+- The commit SHA or release version you tested against.
+- Whether you intend to publish a write-up, and on what timeline.
+
+## What to expect
+
+- Acknowledgement within **48 hours**.
+- An initial assessment (severity, scope, owner) within **5 business days**.
+- For critical issues, a fix or mitigation shipped within **7 days** of acknowledgement.
+- Coordinated disclosure: we'll work with you on a timeline before any public details are shared.
+- Credit in the release notes for the fix, if you want it.
+
+## Scope
+
+In scope:
+
+- The OpenPartner application code in this repository (`apps/`, `packages/`).
+- The official Docker images published from this repository.
+- The hosted production deployment at `app.openpartner.dev` and `network.openpartner.dev`.
+- The `@openpartner/sdk` npm package published from this repository.
+
+Out of scope:
+
+- Self-hosted deployments running modified code.
+- Vulnerabilities in third-party dependencies — please report those upstream and let us know which dependency.
+- Findings that require physical access, social engineering of OpenPartner staff, or DoS / volumetric attacks.
+- Reports generated solely by automated scanners with no demonstrated impact.
+
+## Supported versions
+
+The `main` branch is the only supported version. Security fixes ship to the latest release tag.
+
+## Hall of fame
+
+We list reporters who responsibly disclose verified vulnerabilities in `SECURITY-HALL-OF-FAME.md` (created on first entry) — opt in via your report.

From 830008ca0b93f116c282b7d9a4bba51377427166 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 13:15:18 -0700
Subject: [PATCH 121/131] brand(og): drop eyebrow pill, center headline

The pill repeated info that's already implicit in the headline + body
("partner program software" / "built-in network"). Removing it lets the
two-line headline breathe and improves the at-a-glance read.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/public/og-preview.svg | 23 +++++------------------
 1 file changed, 5 insertions(+), 18 deletions(-)

diff --git a/apps/portal/public/og-preview.svg b/apps/portal/public/og-preview.svg
index 86c7772..fed9743 100644
--- a/apps/portal/public/og-preview.svg
+++ b/apps/portal/public/og-preview.svg
@@ -49,24 +49,11 @@
     letter-spacing="-0.3"
   >OpenPartner</text>
 
-  <!-- Eyebrow pill: matches the marketing site .eyebrow style
-       (rgba(22,163,74,0.12) bg, #16a34a text, 999px radius, uppercase). -->
-  <g transform="translate(80, 200)">
-    <rect width="552" height="40" rx="20" ry="20" fill="#16a34a" fill-opacity="0.14" />
-    <text
-      x="22"
-      y="27"
-      fill="#22c55e"
-      font-size="17"
-      font-weight="700"
-      letter-spacing="1.6"
-    >PARTNER PROGRAM SOFTWARE WITH A BUILT-IN NETWORK</text>
-  </g>
-
-  <!-- Headline — same copy + structure as the marketing site hero -->
+  <!-- Headline — same copy + structure as the marketing site hero.
+       Centered vertically in the canvas now that the eyebrow's gone. -->
   <text
     x="80"
-    y="346"
+    y="288"
     fill="#e6e8eb"
     font-size="76"
     font-weight="700"
@@ -74,7 +61,7 @@
   >Launch a partner program.</text>
   <text
     x="80"
-    y="436"
+    y="378"
     fill="#e6e8eb"
     font-size="76"
     font-weight="700"
@@ -84,7 +71,7 @@
   <!-- Sub-line: tightens the value prop without being a wall of text -->
   <text
     x="80"
-    y="498"
+    y="442"
     fill="#9aa0a6"
     font-size="24"
     font-weight="400"

From a198f3c154aae70c82b911545ed5420661426823 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 13:31:04 -0700
Subject: [PATCH 122/131] chore(deps): bump vite to 6 + vitest to 3 to clear
 dependabot alerts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Three open Dependabot alerts cleared:
  * vite <= 6.4.1 path-traversal in optimized-deps .map handling
    (GHSA-4w7w-66w2-5vf9), in apps/portal direct dep + transitively
    via vitest's bundled vite
  * esbuild <= 0.24.2 dev-server cross-origin request issue
    (GHSA-67mh-4wv8-2f99), pulled in by vitest 1's bundled vite 5

Bumps:
  * apps/portal: vite ^5.4.8 -> ^6.4.2
  * workspace: vitest ^1.6.0 -> ^3.2.4 (root + 5 packages)

Both are dev-only — production runtime is the prebuilt portal/dist
served by nginx, so the dev-server vulnerabilities never reach a
deployed instance. Closing the alerts keeps the public repo's
security tab clean and stops Dependabot from filing new PRs.

Verified: pnpm typecheck clean across the workspace; sdk + portal +
router tests pass on vitest 3.2.4. api tests need a Postgres connection
so they exercise on CI.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/package.json     |   2 +-
 apps/portal/package.json  |   4 +-
 apps/router/package.json  |   2 +-
 package.json              |   2 +-
 packages/db/package.json  |   2 +-
 packages/sdk/package.json |   2 +-
 pnpm-lock.yaml            | 754 ++++++++++++++++++--------------------
 7 files changed, 355 insertions(+), 413 deletions(-)

diff --git a/apps/api/package.json b/apps/api/package.json
index fc81b8b..271872f 100644
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -41,6 +41,6 @@
     "supertest": "^7.0.0",
     "tsx": "^4.19.0",
     "typescript": "5.4.5",
-    "vitest": "^1.6.0"
+    "vitest": "^3.2.4"
   }
 }
diff --git a/apps/portal/package.json b/apps/portal/package.json
index 84ef1ee..da56a50 100644
--- a/apps/portal/package.json
+++ b/apps/portal/package.json
@@ -23,7 +23,7 @@
     "@types/react-dom": "18.3.7",
     "@vitejs/plugin-react": "^4.3.1",
     "typescript": "5.4.5",
-    "vite": "^5.4.8",
-    "vitest": "^1.6.0"
+    "vite": "^6.4.2",
+    "vitest": "^3.2.4"
   }
 }
diff --git a/apps/router/package.json b/apps/router/package.json
index b1edad4..edcc54d 100644
--- a/apps/router/package.json
+++ b/apps/router/package.json
@@ -24,6 +24,6 @@
     "@types/pg": "^8.11.10",
     "tsx": "^4.19.0",
     "typescript": "5.4.5",
-    "vitest": "^1.6.0"
+    "vitest": "^3.2.4"
   }
 }
diff --git a/package.json b/package.json
index b69bd64..1e428ed 100644
--- a/package.json
+++ b/package.json
@@ -28,6 +28,6 @@
     "tsx": "^4.19.0",
     "typescript": "5.4.5",
     "typescript-eslint": "8",
-    "vitest": "^1.6.0"
+    "vitest": "^3.2.4"
   }
 }
diff --git a/packages/db/package.json b/packages/db/package.json
index e8184fa..98f1106 100644
--- a/packages/db/package.json
+++ b/packages/db/package.json
@@ -24,6 +24,6 @@
     "dotenv": "^16.4.5",
     "tsx": "^4.19.0",
     "typescript": "5.4.5",
-    "vitest": "^1.6.0"
+    "vitest": "^3.2.4"
   }
 }
diff --git a/packages/sdk/package.json b/packages/sdk/package.json
index a6e8d6d..dae2496 100644
--- a/packages/sdk/package.json
+++ b/packages/sdk/package.json
@@ -51,6 +51,6 @@
     "jsdom": "^29.0.2",
     "tsup": "^8.5.1",
     "typescript": "5.4.5",
-    "vitest": "^1.6.0"
+    "vitest": "^3.2.4"
   }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index fe4606a..eb6a1bf 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -30,8 +30,8 @@ importers:
         specifier: '8'
         version: 8.59.0(eslint@9.39.4)(typescript@5.4.5)
       vitest:
-        specifier: ^1.6.0
-        version: 1.6.1(@types/node@20.19.39)(jsdom@29.0.2(@noble/hashes@1.8.0))
+        specifier: ^3.2.4
+        version: 3.2.4(@types/node@20.19.39)(jsdom@29.0.2(@noble/hashes@1.8.0))(tsx@4.21.0)
 
   apps/api:
     dependencies:
@@ -115,8 +115,8 @@ importers:
         specifier: 5.4.5
         version: 5.4.5
       vitest:
-        specifier: ^1.6.0
-        version: 1.6.1(@types/node@20.19.39)(jsdom@29.0.2(@noble/hashes@1.8.0))
+        specifier: ^3.2.4
+        version: 3.2.4(@types/node@20.19.39)(jsdom@29.0.2(@noble/hashes@1.8.0))(tsx@4.21.0)
 
   apps/portal:
     dependencies:
@@ -144,16 +144,16 @@ importers:
         version: 18.3.7(@types/react@18.3.26)
       '@vitejs/plugin-react':
         specifier: ^4.3.1
-        version: 4.7.0(vite@5.4.21(@types/node@20.19.39))
+        version: 4.7.0(vite@6.4.2(@types/node@20.19.39)(tsx@4.21.0))
       typescript:
         specifier: 5.4.5
         version: 5.4.5
       vite:
-        specifier: ^5.4.8
-        version: 5.4.21(@types/node@20.19.39)
+        specifier: ^6.4.2
+        version: 6.4.2(@types/node@20.19.39)(tsx@4.21.0)
       vitest:
-        specifier: ^1.6.0
-        version: 1.6.1(@types/node@20.19.39)(jsdom@29.0.2(@noble/hashes@1.8.0))
+        specifier: ^3.2.4
+        version: 3.2.4(@types/node@20.19.39)(jsdom@29.0.2(@noble/hashes@1.8.0))(tsx@4.21.0)
 
   apps/router:
     dependencies:
@@ -186,8 +186,8 @@ importers:
         specifier: 5.4.5
         version: 5.4.5
       vitest:
-        specifier: ^1.6.0
-        version: 1.6.1(@types/node@20.19.39)(jsdom@29.0.2(@noble/hashes@1.8.0))
+        specifier: ^3.2.4
+        version: 3.2.4(@types/node@20.19.39)(jsdom@29.0.2(@noble/hashes@1.8.0))(tsx@4.21.0)
 
   packages/db:
     dependencies:
@@ -211,8 +211,8 @@ importers:
         specifier: 5.4.5
         version: 5.4.5
       vitest:
-        specifier: ^1.6.0
-        version: 1.6.1(@types/node@20.19.39)(jsdom@29.0.2(@noble/hashes@1.8.0))
+        specifier: ^3.2.4
+        version: 3.2.4(@types/node@20.19.39)(jsdom@29.0.2(@noble/hashes@1.8.0))(tsx@4.21.0)
 
   packages/sdk:
     devDependencies:
@@ -226,8 +226,8 @@ importers:
         specifier: 5.4.5
         version: 5.4.5
       vitest:
-        specifier: ^1.6.0
-        version: 1.6.1(@types/node@20.19.39)(jsdom@29.0.2(@noble/hashes@1.8.0))
+        specifier: ^3.2.4
+        version: 3.2.4(@types/node@20.19.39)(jsdom@29.0.2(@noble/hashes@1.8.0))(tsx@4.21.0)
 
 packages:
 
@@ -528,9 +528,9 @@ packages:
     resolution: {integrity: sha512-QxULHAm7cNu72w97JUNCBFODFaXpbDg+dP8b/oWFAZ2MTRppA3U00Y2L1HqaS4J6yBqxwa/Y3nMBaxVKbB/NsA==}
     engines: {node: '>=20.19.0'}
 
-  '@esbuild/aix-ppc64@0.21.5':
-    resolution: {integrity: sha512-1SDgH6ZSPTlggy1yI6+Dbkiz8xzpHJEVAlF/AM1tHPLsf5STom9rwtjE4hKAF20FfXXNTFqEYXyJNWh1GiZedQ==}
-    engines: {node: '>=12'}
+  '@esbuild/aix-ppc64@0.25.12':
+    resolution: {integrity: sha512-Hhmwd6CInZ3dwpuGTF8fJG6yoWmsToE+vYgD4nytZVxcu1ulHpUQRAB1UJ8+N1Am3Mz4+xOByoQoSZf4D+CpkA==}
+    engines: {node: '>=18'}
     cpu: [ppc64]
     os: [aix]
 
@@ -540,9 +540,9 @@ packages:
     cpu: [ppc64]
     os: [aix]
 
-  '@esbuild/android-arm64@0.21.5':
-    resolution: {integrity: sha512-c0uX9VAUBQ7dTDCjq+wdyGLowMdtR/GoC2U5IYk/7D1H1JYC0qseD7+11iMP2mRLN9RcCMRcjC4YMclCzGwS/A==}
-    engines: {node: '>=12'}
+  '@esbuild/android-arm64@0.25.12':
+    resolution: {integrity: sha512-6AAmLG7zwD1Z159jCKPvAxZd4y/VTO0VkprYy+3N2FtJ8+BQWFXU+OxARIwA46c5tdD9SsKGZ/1ocqBS/gAKHg==}
+    engines: {node: '>=18'}
     cpu: [arm64]
     os: [android]
 
@@ -552,9 +552,9 @@ packages:
     cpu: [arm64]
     os: [android]
 
-  '@esbuild/android-arm@0.21.5':
-    resolution: {integrity: sha512-vCPvzSjpPHEi1siZdlvAlsPxXl7WbOVUBBAowWug4rJHb68Ox8KualB+1ocNvT5fjv6wpkX6o/iEpbDrf68zcg==}
-    engines: {node: '>=12'}
+  '@esbuild/android-arm@0.25.12':
+    resolution: {integrity: sha512-VJ+sKvNA/GE7Ccacc9Cha7bpS8nyzVv0jdVgwNDaR4gDMC/2TTRc33Ip8qrNYUcpkOHUT5OZ0bUcNNVZQ9RLlg==}
+    engines: {node: '>=18'}
     cpu: [arm]
     os: [android]
 
@@ -564,9 +564,9 @@ packages:
     cpu: [arm]
     os: [android]
 
-  '@esbuild/android-x64@0.21.5':
-    resolution: {integrity: sha512-D7aPRUUNHRBwHxzxRvp856rjUHRFW1SdQATKXH2hqA0kAZb1hKmi02OpYRacl0TxIGz/ZmXWlbZgjwWYaCakTA==}
-    engines: {node: '>=12'}
+  '@esbuild/android-x64@0.25.12':
+    resolution: {integrity: sha512-5jbb+2hhDHx5phYR2By8GTWEzn6I9UqR11Kwf22iKbNpYrsmRB18aX/9ivc5cabcUiAT/wM+YIZ6SG9QO6a8kg==}
+    engines: {node: '>=18'}
     cpu: [x64]
     os: [android]
 
@@ -576,9 +576,9 @@ packages:
     cpu: [x64]
     os: [android]
 
-  '@esbuild/darwin-arm64@0.21.5':
-    resolution: {integrity: sha512-DwqXqZyuk5AiWWf3UfLiRDJ5EDd49zg6O9wclZ7kUMv2WRFr4HKjXp/5t8JZ11QbQfUS6/cRCKGwYhtNAY88kQ==}
-    engines: {node: '>=12'}
+  '@esbuild/darwin-arm64@0.25.12':
+    resolution: {integrity: sha512-N3zl+lxHCifgIlcMUP5016ESkeQjLj/959RxxNYIthIg+CQHInujFuXeWbWMgnTo4cp5XVHqFPmpyu9J65C1Yg==}
+    engines: {node: '>=18'}
     cpu: [arm64]
     os: [darwin]
 
@@ -588,9 +588,9 @@ packages:
     cpu: [arm64]
     os: [darwin]
 
-  '@esbuild/darwin-x64@0.21.5':
-    resolution: {integrity: sha512-se/JjF8NlmKVG4kNIuyWMV/22ZaerB+qaSi5MdrXtd6R08kvs2qCN4C09miupktDitvh8jRFflwGFBQcxZRjbw==}
-    engines: {node: '>=12'}
+  '@esbuild/darwin-x64@0.25.12':
+    resolution: {integrity: sha512-HQ9ka4Kx21qHXwtlTUVbKJOAnmG1ipXhdWTmNXiPzPfWKpXqASVcWdnf2bnL73wgjNrFXAa3yYvBSd9pzfEIpA==}
+    engines: {node: '>=18'}
     cpu: [x64]
     os: [darwin]
 
@@ -600,9 +600,9 @@ packages:
     cpu: [x64]
     os: [darwin]
 
-  '@esbuild/freebsd-arm64@0.21.5':
-    resolution: {integrity: sha512-5JcRxxRDUJLX8JXp/wcBCy3pENnCgBR9bN6JsY4OmhfUtIHe3ZW0mawA7+RDAcMLrMIZaf03NlQiX9DGyB8h4g==}
-    engines: {node: '>=12'}
+  '@esbuild/freebsd-arm64@0.25.12':
+    resolution: {integrity: sha512-gA0Bx759+7Jve03K1S0vkOu5Lg/85dou3EseOGUes8flVOGxbhDDh/iZaoek11Y8mtyKPGF3vP8XhnkDEAmzeg==}
+    engines: {node: '>=18'}
     cpu: [arm64]
     os: [freebsd]
 
@@ -612,9 +612,9 @@ packages:
     cpu: [arm64]
     os: [freebsd]
 
-  '@esbuild/freebsd-x64@0.21.5':
-    resolution: {integrity: sha512-J95kNBj1zkbMXtHVH29bBriQygMXqoVQOQYA+ISs0/2l3T9/kj42ow2mpqerRBxDJnmkUDCaQT/dfNXWX/ZZCQ==}
-    engines: {node: '>=12'}
+  '@esbuild/freebsd-x64@0.25.12':
+    resolution: {integrity: sha512-TGbO26Yw2xsHzxtbVFGEXBFH0FRAP7gtcPE7P5yP7wGy7cXK2oO7RyOhL5NLiqTlBh47XhmIUXuGciXEqYFfBQ==}
+    engines: {node: '>=18'}
     cpu: [x64]
     os: [freebsd]
 
@@ -624,9 +624,9 @@ packages:
     cpu: [x64]
     os: [freebsd]
 
-  '@esbuild/linux-arm64@0.21.5':
-    resolution: {integrity: sha512-ibKvmyYzKsBeX8d8I7MH/TMfWDXBF3db4qM6sy+7re0YXya+K1cem3on9XgdT2EQGMu4hQyZhan7TeQ8XkGp4Q==}
-    engines: {node: '>=12'}
+  '@esbuild/linux-arm64@0.25.12':
+    resolution: {integrity: sha512-8bwX7a8FghIgrupcxb4aUmYDLp8pX06rGh5HqDT7bB+8Rdells6mHvrFHHW2JAOPZUbnjUpKTLg6ECyzvas2AQ==}
+    engines: {node: '>=18'}
     cpu: [arm64]
     os: [linux]
 
@@ -636,9 +636,9 @@ packages:
     cpu: [arm64]
     os: [linux]
 
-  '@esbuild/linux-arm@0.21.5':
-    resolution: {integrity: sha512-bPb5AHZtbeNGjCKVZ9UGqGwo8EUu4cLq68E95A53KlxAPRmUyYv2D6F0uUI65XisGOL1hBP5mTronbgo+0bFcA==}
-    engines: {node: '>=12'}
+  '@esbuild/linux-arm@0.25.12':
+    resolution: {integrity: sha512-lPDGyC1JPDou8kGcywY0YILzWlhhnRjdof3UlcoqYmS9El818LLfJJc3PXXgZHrHCAKs/Z2SeZtDJr5MrkxtOw==}
+    engines: {node: '>=18'}
     cpu: [arm]
     os: [linux]
 
@@ -648,9 +648,9 @@ packages:
     cpu: [arm]
     os: [linux]
 
-  '@esbuild/linux-ia32@0.21.5':
-    resolution: {integrity: sha512-YvjXDqLRqPDl2dvRODYmmhz4rPeVKYvppfGYKSNGdyZkA01046pLWyRKKI3ax8fbJoK5QbxblURkwK/MWY18Tg==}
-    engines: {node: '>=12'}
+  '@esbuild/linux-ia32@0.25.12':
+    resolution: {integrity: sha512-0y9KrdVnbMM2/vG8KfU0byhUN+EFCny9+8g202gYqSSVMonbsCfLjUO+rCci7pM0WBEtz+oK/PIwHkzxkyharA==}
+    engines: {node: '>=18'}
     cpu: [ia32]
     os: [linux]
 
@@ -660,9 +660,9 @@ packages:
     cpu: [ia32]
     os: [linux]
 
-  '@esbuild/linux-loong64@0.21.5':
-    resolution: {integrity: sha512-uHf1BmMG8qEvzdrzAqg2SIG/02+4/DHB6a9Kbya0XDvwDEKCoC8ZRWI5JJvNdUjtciBGFQ5PuBlpEOXQj+JQSg==}
-    engines: {node: '>=12'}
+  '@esbuild/linux-loong64@0.25.12':
+    resolution: {integrity: sha512-h///Lr5a9rib/v1GGqXVGzjL4TMvVTv+s1DPoxQdz7l/AYv6LDSxdIwzxkrPW438oUXiDtwM10o9PmwS/6Z0Ng==}
+    engines: {node: '>=18'}
     cpu: [loong64]
     os: [linux]
 
@@ -672,9 +672,9 @@ packages:
     cpu: [loong64]
     os: [linux]
 
-  '@esbuild/linux-mips64el@0.21.5':
-    resolution: {integrity: sha512-IajOmO+KJK23bj52dFSNCMsz1QP1DqM6cwLUv3W1QwyxkyIWecfafnI555fvSGqEKwjMXVLokcV5ygHW5b3Jbg==}
-    engines: {node: '>=12'}
+  '@esbuild/linux-mips64el@0.25.12':
+    resolution: {integrity: sha512-iyRrM1Pzy9GFMDLsXn1iHUm18nhKnNMWscjmp4+hpafcZjrr2WbT//d20xaGljXDBYHqRcl8HnxbX6uaA/eGVw==}
+    engines: {node: '>=18'}
     cpu: [mips64el]
     os: [linux]
 
@@ -684,9 +684,9 @@ packages:
     cpu: [mips64el]
     os: [linux]
 
-  '@esbuild/linux-ppc64@0.21.5':
-    resolution: {integrity: sha512-1hHV/Z4OEfMwpLO8rp7CvlhBDnjsC3CttJXIhBi+5Aj5r+MBvy4egg7wCbe//hSsT+RvDAG7s81tAvpL2XAE4w==}
-    engines: {node: '>=12'}
+  '@esbuild/linux-ppc64@0.25.12':
+    resolution: {integrity: sha512-9meM/lRXxMi5PSUqEXRCtVjEZBGwB7P/D4yT8UG/mwIdze2aV4Vo6U5gD3+RsoHXKkHCfSxZKzmDssVlRj1QQA==}
+    engines: {node: '>=18'}
     cpu: [ppc64]
     os: [linux]
 
@@ -696,9 +696,9 @@ packages:
     cpu: [ppc64]
     os: [linux]
 
-  '@esbuild/linux-riscv64@0.21.5':
-    resolution: {integrity: sha512-2HdXDMd9GMgTGrPWnJzP2ALSokE/0O5HhTUvWIbD3YdjME8JwvSCnNGBnTThKGEB91OZhzrJ4qIIxk/SBmyDDA==}
-    engines: {node: '>=12'}
+  '@esbuild/linux-riscv64@0.25.12':
+    resolution: {integrity: sha512-Zr7KR4hgKUpWAwb1f3o5ygT04MzqVrGEGXGLnj15YQDJErYu/BGg+wmFlIDOdJp0PmB0lLvxFIOXZgFRrdjR0w==}
+    engines: {node: '>=18'}
     cpu: [riscv64]
     os: [linux]
 
@@ -708,9 +708,9 @@ packages:
     cpu: [riscv64]
     os: [linux]
 
-  '@esbuild/linux-s390x@0.21.5':
-    resolution: {integrity: sha512-zus5sxzqBJD3eXxwvjN1yQkRepANgxE9lgOW2qLnmr8ikMTphkjgXu1HR01K4FJg8h1kEEDAqDcZQtbrRnB41A==}
-    engines: {node: '>=12'}
+  '@esbuild/linux-s390x@0.25.12':
+    resolution: {integrity: sha512-MsKncOcgTNvdtiISc/jZs/Zf8d0cl/t3gYWX8J9ubBnVOwlk65UIEEvgBORTiljloIWnBzLs4qhzPkJcitIzIg==}
+    engines: {node: '>=18'}
     cpu: [s390x]
     os: [linux]
 
@@ -720,9 +720,9 @@ packages:
     cpu: [s390x]
     os: [linux]
 
-  '@esbuild/linux-x64@0.21.5':
-    resolution: {integrity: sha512-1rYdTpyv03iycF1+BhzrzQJCdOuAOtaqHTWJZCWvijKD2N5Xu0TtVC8/+1faWqcP9iBCWOmjmhoH94dH82BxPQ==}
-    engines: {node: '>=12'}
+  '@esbuild/linux-x64@0.25.12':
+    resolution: {integrity: sha512-uqZMTLr/zR/ed4jIGnwSLkaHmPjOjJvnm6TVVitAa08SLS9Z0VM8wIRx7gWbJB5/J54YuIMInDquWyYvQLZkgw==}
+    engines: {node: '>=18'}
     cpu: [x64]
     os: [linux]
 
@@ -732,15 +732,21 @@ packages:
     cpu: [x64]
     os: [linux]
 
+  '@esbuild/netbsd-arm64@0.25.12':
+    resolution: {integrity: sha512-xXwcTq4GhRM7J9A8Gv5boanHhRa/Q9KLVmcyXHCTaM4wKfIpWkdXiMog/KsnxzJ0A1+nD+zoecuzqPmCRyBGjg==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [netbsd]
+
   '@esbuild/netbsd-arm64@0.27.7':
     resolution: {integrity: sha512-b6pqtrQdigZBwZxAn1UpazEisvwaIDvdbMbmrly7cDTMFnw/+3lVxxCTGOrkPVnsYIosJJXAsILG9XcQS+Yu6w==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [netbsd]
 
-  '@esbuild/netbsd-x64@0.21.5':
-    resolution: {integrity: sha512-Woi2MXzXjMULccIwMnLciyZH4nCIMpWQAs049KEeMvOcNADVxo0UBIQPfSmxB3CWKedngg7sWZdLvLczpe0tLg==}
-    engines: {node: '>=12'}
+  '@esbuild/netbsd-x64@0.25.12':
+    resolution: {integrity: sha512-Ld5pTlzPy3YwGec4OuHh1aCVCRvOXdH8DgRjfDy/oumVovmuSzWfnSJg+VtakB9Cm0gxNO9BzWkj6mtO1FMXkQ==}
+    engines: {node: '>=18'}
     cpu: [x64]
     os: [netbsd]
 
@@ -750,15 +756,21 @@ packages:
     cpu: [x64]
     os: [netbsd]
 
+  '@esbuild/openbsd-arm64@0.25.12':
+    resolution: {integrity: sha512-fF96T6KsBo/pkQI950FARU9apGNTSlZGsv1jZBAlcLL1MLjLNIWPBkj5NlSz8aAzYKg+eNqknrUJ24QBybeR5A==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [openbsd]
+
   '@esbuild/openbsd-arm64@0.27.7':
     resolution: {integrity: sha512-AFuojMQTxAz75Fo8idVcqoQWEHIXFRbOc1TrVcFSgCZtQfSdc1RXgB3tjOn/krRHENUB4j00bfGjyl2mJrU37A==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [openbsd]
 
-  '@esbuild/openbsd-x64@0.21.5':
-    resolution: {integrity: sha512-HLNNw99xsvx12lFBUwoT8EVCsSvRNDVxNpjZ7bPn947b8gJPzeHWyNVhFsaerc0n3TsbOINvRP2byTZ5LKezow==}
-    engines: {node: '>=12'}
+  '@esbuild/openbsd-x64@0.25.12':
+    resolution: {integrity: sha512-MZyXUkZHjQxUvzK7rN8DJ3SRmrVrke8ZyRusHlP+kuwqTcfWLyqMOE3sScPPyeIXN/mDJIfGXvcMqCgYKekoQw==}
+    engines: {node: '>=18'}
     cpu: [x64]
     os: [openbsd]
 
@@ -768,15 +780,21 @@ packages:
     cpu: [x64]
     os: [openbsd]
 
+  '@esbuild/openharmony-arm64@0.25.12':
+    resolution: {integrity: sha512-rm0YWsqUSRrjncSXGA7Zv78Nbnw4XL6/dzr20cyrQf7ZmRcsovpcRBdhD43Nuk3y7XIoW2OxMVvwuRvk9XdASg==}
+    engines: {node: '>=18'}
+    cpu: [arm64]
+    os: [openharmony]
+
   '@esbuild/openharmony-arm64@0.27.7':
     resolution: {integrity: sha512-+KrvYb/C8zA9CU/g0sR6w2RBw7IGc5J2BPnc3dYc5VJxHCSF1yNMxTV5LQ7GuKteQXZtspjFbiuW5/dOj7H4Yw==}
     engines: {node: '>=18'}
     cpu: [arm64]
     os: [openharmony]
 
-  '@esbuild/sunos-x64@0.21.5':
-    resolution: {integrity: sha512-6+gjmFpfy0BHU5Tpptkuh8+uw3mnrvgs+dSPQXQOv3ekbordwnzTVEb4qnIvQcYXq6gzkyTnoZ9dZG+D4garKg==}
-    engines: {node: '>=12'}
+  '@esbuild/sunos-x64@0.25.12':
+    resolution: {integrity: sha512-3wGSCDyuTHQUzt0nV7bocDy72r2lI33QL3gkDNGkod22EsYl04sMf0qLb8luNKTOmgF/eDEDP5BFNwoBKH441w==}
+    engines: {node: '>=18'}
     cpu: [x64]
     os: [sunos]
 
@@ -786,9 +804,9 @@ packages:
     cpu: [x64]
     os: [sunos]
 
-  '@esbuild/win32-arm64@0.21.5':
-    resolution: {integrity: sha512-Z0gOTd75VvXqyq7nsl93zwahcTROgqvuAcYDUr+vOv8uHhNSKROyU961kgtCD1e95IqPKSQKH7tBTslnS3tA8A==}
-    engines: {node: '>=12'}
+  '@esbuild/win32-arm64@0.25.12':
+    resolution: {integrity: sha512-rMmLrur64A7+DKlnSuwqUdRKyd3UE7oPJZmnljqEptesKM8wx9J8gx5u0+9Pq0fQQW8vqeKebwNXdfOyP+8Bsg==}
+    engines: {node: '>=18'}
     cpu: [arm64]
     os: [win32]
 
@@ -798,9 +816,9 @@ packages:
     cpu: [arm64]
     os: [win32]
 
-  '@esbuild/win32-ia32@0.21.5':
-    resolution: {integrity: sha512-SWXFF1CL2RVNMaVs+BBClwtfZSvDgtL//G/smwAc5oVK/UPu2Gu9tIaRgFmYFFKrmg3SyAjSrElf0TiJ1v8fYA==}
-    engines: {node: '>=12'}
+  '@esbuild/win32-ia32@0.25.12':
+    resolution: {integrity: sha512-HkqnmmBoCbCwxUKKNPBixiWDGCpQGVsrQfJoVGYLPT41XWF8lHuE5N6WhVia2n4o5QK5M4tYr21827fNhi4byQ==}
+    engines: {node: '>=18'}
     cpu: [ia32]
     os: [win32]
 
@@ -810,9 +828,9 @@ packages:
     cpu: [ia32]
     os: [win32]
 
-  '@esbuild/win32-x64@0.21.5':
-    resolution: {integrity: sha512-tQd/1efJuzPC6rCFwEvLtci/xNFcTZknmXs98FYDfGE4wP9ClFV98nyKrzJKVPMhdDnjzLhdUyMX4PsQAPjwIw==}
-    engines: {node: '>=12'}
+  '@esbuild/win32-x64@0.25.12':
+    resolution: {integrity: sha512-alJC0uCZpTFrSL0CCDjcgleBXPnCrEAhTBILpeAp7M/OFgoqtAetfBzX0xM00MUsVVPpVjlPuMbREqnZCXaTnA==}
+    engines: {node: '>=18'}
     cpu: [x64]
     os: [win32]
 
@@ -895,10 +913,6 @@ packages:
     resolution: {integrity: sha512-bV0Tgo9K4hfPCek+aMAn81RppFKv2ySDQeMoSZuvTASywNTnVJCArCZE2FWqpvIatKu7VMRLWlR1EazvVhDyhQ==}
     engines: {node: '>=18.18'}
 
-  '@jest/schemas@29.6.3':
-    resolution: {integrity: sha512-mo5j5X+jIZmJQveBKeS/clAueipV7KgiX1vMgCxam1RNYiqE1w62n0/tJJnHtjW8ZHcQco5gY85jA3mi0L+nSA==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-
   '@jridgewell/gen-mapping@0.3.13':
     resolution: {integrity: sha512-2kkt/7niJ6MgEPxF0bYdQ6etZaA+fQvDcLKckhy1yIQOzaoKjBBjSj63/aLVjYE3qhRt5dvM+uUyfCg6UKCBbA==}
 
@@ -1060,9 +1074,6 @@ packages:
     cpu: [x64]
     os: [win32]
 
-  '@sinclair/typebox@0.27.10':
-    resolution: {integrity: sha512-MTBk/3jGLNB2tVxv6uLlFh1iu64iYOQ2PbdOSK3NW8JZsmlaOh2q6sdtKowBhfw8QFLmYNzTW4/oK4uATIi6ZA==}
-
   '@smithy/chunked-blob-reader-native@4.2.3':
     resolution: {integrity: sha512-jA5k5Udn7Y5717L86h4EIv06wIr3xn8GM1qHRi/Nf31annXcXHJjBKvgztnbn2TxH3xWrPBfgwHsOwZf0UmQWw==}
     engines: {node: '>=18.0.0'}
@@ -1298,6 +1309,9 @@ packages:
   '@types/body-parser@1.19.6':
     resolution: {integrity: sha512-HLFeCYgz89uk22N5Qg3dvGvsv46B8GLvKKo1zKG4NybA8U2DiEO3w9lqGg29t/tfLRJpJ6iQxnVw4OnB7MoM9g==}
 
+  '@types/chai@5.2.3':
+    resolution: {integrity: sha512-Mw558oeA9fFbv65/y4mHtXDs9bPnFMZAL/jxdPFUpOHHIXX91mcgEHbS5Lahr+pwZFR8A7GQleRWeI6cGFC2UA==}
+
   '@types/connect@3.4.38':
     resolution: {integrity: sha512-K6uROf1LD88uDQqJCktA4yzL1YYAK6NgfsI0v/mTgyPKWsX1CnJ0XPSDhViejru1GcRkLWb8RlzFYJRqGUbaug==}
 
@@ -1312,6 +1326,9 @@ packages:
   '@types/cors@2.8.19':
     resolution: {integrity: sha512-mFNylyeyqN93lfe/9CSxOGREz8cpzAhH+E93xJ4xWQf62V8sQ/24reV2nyzUWM6H6Xji+GGHpkbLe7pVoUEskg==}
 
+  '@types/deep-eql@4.0.2':
+    resolution: {integrity: sha512-c9h9dVVMigMPc4bwTvC5dxqtqJZwQPePsWjPlpSOnojbor6pGqdk541lfA7AqFQr5pB1BRdq0juY9db81BwyFw==}
+
   '@types/estree@1.0.8':
     resolution: {integrity: sha512-dWHzHa2WqEXI/O1E9OjrocMTKJl2mSrEolh1Iomrv6U+JuNwaHXsXx9bLu5gG7BUWFIN0skIQJQ/L1rIex4X6w==}
 
@@ -1439,20 +1456,34 @@ packages:
     peerDependencies:
       vite: ^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0
 
-  '@vitest/expect@1.6.1':
-    resolution: {integrity: sha512-jXL+9+ZNIJKruofqXuuTClf44eSpcHlgj3CiuNihUF3Ioujtmc0zIa3UJOW5RjDK1YLBJZnWBlPuqhYycLioog==}
+  '@vitest/expect@3.2.4':
+    resolution: {integrity: sha512-Io0yyORnB6sikFlt8QW5K7slY4OjqNX9jmJQ02QDda8lyM6B5oNgVWoSoKPac8/kgnCUzuHQKrSLtu/uOqqrig==}
 
-  '@vitest/runner@1.6.1':
-    resolution: {integrity: sha512-3nSnYXkVkf3mXFfE7vVyPmi3Sazhb/2cfZGGs0JRzFsPFvAMBEcrweV1V1GsrstdXeKCTXlJbvnQwGWgEIHmOA==}
+  '@vitest/mocker@3.2.4':
+    resolution: {integrity: sha512-46ryTE9RZO/rfDd7pEqFl7etuyzekzEhUbTW3BvmeO/BcCMEgq59BKhek3dXDWgAj4oMK6OZi+vRr1wPW6qjEQ==}
+    peerDependencies:
+      msw: ^2.4.9
+      vite: ^5.0.0 || ^6.0.0 || ^7.0.0-0
+    peerDependenciesMeta:
+      msw:
+        optional: true
+      vite:
+        optional: true
 
-  '@vitest/snapshot@1.6.1':
-    resolution: {integrity: sha512-WvidQuWAzU2p95u8GAKlRMqMyN1yOJkGHnx3M1PL9Raf7AQ1kwLKg04ADlCa3+OXUZE7BceOhVZiuWAbzCKcUQ==}
+  '@vitest/pretty-format@3.2.4':
+    resolution: {integrity: sha512-IVNZik8IVRJRTr9fxlitMKeJeXFFFN0JaB9PHPGQ8NKQbGpfjlTx9zO4RefN8gp7eqjNy8nyK3NZmBzOPeIxtA==}
 
-  '@vitest/spy@1.6.1':
-    resolution: {integrity: sha512-MGcMmpGkZebsMZhbQKkAf9CX5zGvjkBTqf8Zx3ApYWXr3wG+QvEu2eXWfnIIWYSJExIp4V9FCKDEeygzkYrXMw==}
+  '@vitest/runner@3.2.4':
+    resolution: {integrity: sha512-oukfKT9Mk41LreEW09vt45f8wx7DordoWUZMYdY/cyAk7w5TWkTRCNZYF7sX7n2wB7jyGAl74OxgwhPgKaqDMQ==}
 
-  '@vitest/utils@1.6.1':
-    resolution: {integrity: sha512-jOrrUvXM4Av9ZWiG1EajNto0u96kWAhJ1LmPmJhXXQx/32MecEKd10pOLYgS2BQx1TgkGhloPU1ArDW2vvaY6g==}
+  '@vitest/snapshot@3.2.4':
+    resolution: {integrity: sha512-dEYtS7qQP2CjU27QBC5oUOxLE/v5eLkGqPE0ZKEIDGMs4vKWe7IjgLOeauHsR0D5YuuycGRO5oSRXnwnmA78fQ==}
+
+  '@vitest/spy@3.2.4':
+    resolution: {integrity: sha512-vAfasCOe6AIK70iP5UD11Ac4siNUNJ9i/9PZ3NKx07sG6sUxeag1LWdNrMWeKKYBLlzuK+Gn65Yd5nyL6ds+nw==}
+
+  '@vitest/utils@3.2.4':
+    resolution: {integrity: sha512-fB2V0JFrQSMsCo9HiSq3Ezpdv4iYaXRG1Sx8edX3MwxfyNn83mKiGzOcH+Fkxt4MHxr3y42fQi1oeAInqgX2QA==}
 
   abort-controller@3.0.0:
     resolution: {integrity: sha512-h8lQ8tacZYnR3vNQTgibj+tODHI5/+l06Au2Pcriv/Gmet0eaj4TwWH41sO9wnHDiQsEj19q0drzdWdeAHtweg==}
@@ -1467,10 +1498,6 @@ packages:
     peerDependencies:
       acorn: ^6.0.0 || ^7.0.0 || ^8.0.0
 
-  acorn-walk@8.3.5:
-    resolution: {integrity: sha512-HEHNfbars9v4pgpW6SO1KSPkfoS0xVOM/9UzkJltjlsHZmJasxg8aXkuZa7SMf8vKGIBhpUsPluQSqhJFCqebw==}
-    engines: {node: '>=0.4.0'}
-
   acorn@8.16.0:
     resolution: {integrity: sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==}
     engines: {node: '>=0.4.0'}
@@ -1483,10 +1510,6 @@ packages:
     resolution: {integrity: sha512-zbB9rCJAT1rbjiVDb2hqKFHNYLxgtk8NURxZ3IZwD3F6NtxbXZQCnnSi1Lkx+IDohdPlFp222wVALIheZJQSEg==}
     engines: {node: '>=8'}
 
-  ansi-styles@5.2.0:
-    resolution: {integrity: sha512-Cxwpt2SfTzTtXcfOlzGEee8O+c+MmUgGrNiBcXnuWxuFJHe6a5Hz7qwhwe5OgaSYI0IJvkLqWX1ASG+cJOkEiA==}
-    engines: {node: '>=10'}
-
   any-promise@1.3.0:
     resolution: {integrity: sha512-7UvmKalWRt1wgjL1RrGxoSJW/0QZFIegpeGvZG9kjp8vrRu55XTHbwnqq2GpXm9uLbcuhxm3IqX9OB4MZR1b2A==}
 
@@ -1499,8 +1522,9 @@ packages:
   asap@2.0.6:
     resolution: {integrity: sha512-BSHWgDSAiKs50o2Re8ppvp3seVHXSRM44cdSsT9FfNEUUZLOGWVCsiWaRPWM1Znn+mqZ1OfVZ3z3DWEzSp7hRA==}
 
-  assertion-error@1.1.0:
-    resolution: {integrity: sha512-jgsaNduz+ndvGyFt3uSuWqvy4lCnIJiovtouQN5JZHOKCS2QuhEdbcQHFhVksz2N2U9hXJo8odG7ETyWlEeuDw==}
+  assertion-error@2.0.1:
+    resolution: {integrity: sha512-Izi8RQcffqCeNVgFigKli1ssklIbpHnCYc6AknXGYoB6grJqyeby7jv12JUQgmTAnIDnbck1uxksT4dzN3PWBA==}
+    engines: {node: '>=12'}
 
   asynckit@0.4.0:
     resolution: {integrity: sha512-Oei9OH4tRh0YqU3GxhX79dM/mwVgvbZJaSNaRk+bshkj0S5cfHcgYakreBjrHwatXKbz+IoIdYLxrKim2MjW0Q==}
@@ -1578,16 +1602,17 @@ packages:
   caniuse-lite@1.0.30001790:
     resolution: {integrity: sha512-bOoxfJPyYo+ds6W0YfptaCWbFnJYjh2Y1Eow5lRv+vI2u8ganPZqNm1JwNh0t2ELQCqIWg4B3dWEusgAmsoyOw==}
 
-  chai@4.5.0:
-    resolution: {integrity: sha512-RITGBfijLkBddZvnn8jdqoTypxvqbOLYQkGGxXzeFjVHvudaPw0HNFD9x928/eUwYWd2dPCugVqspGALTZZQKw==}
-    engines: {node: '>=4'}
+  chai@5.3.3:
+    resolution: {integrity: sha512-4zNhdJD/iOjSH0A05ea+Ke6MU5mmpQcbQsSOkgdaUMJ9zTlDTD/GYlwohmIE2u0gaxHYiVHEn1Fw9mZ/ktJWgw==}
+    engines: {node: '>=18'}
 
   chalk@4.1.2:
     resolution: {integrity: sha512-oKnbhFyRIXpUuez8iBMmyEa4nbj4IOQyuhc/wy9kY7/WVPcwIO9VA668Pu8RkO7+0G76SLROeyw9CpQ061i4mA==}
     engines: {node: '>=10'}
 
-  check-error@1.0.3:
-    resolution: {integrity: sha512-iKEoDYaRmd1mxM90a2OEfWhjsjPpYPuQ+lMYsoxB126+t8fw7ySEO48nmDg5COTjxDI65/Y2OWpeEHk3ZOe8zg==}
+  check-error@2.1.3:
+    resolution: {integrity: sha512-PAJdDJusoxnwm1VwW07VWwUN1sl7smmC3OKggvndJFadxxDRyFJBX/ggnu/KE4kQAB7a3Dp8f/YXC1FlUprWmA==}
+    engines: {node: '>= 16'}
 
   chokidar@4.0.3:
     resolution: {integrity: sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA==}
@@ -1712,8 +1737,8 @@ packages:
   decimal.js@10.6.0:
     resolution: {integrity: sha512-YpgQiITW3JXGntzdUmyUR1V812Hn8T1YVXhCu+wO3OpS4eU9l4YdD3qjyiKdV6mvV29zapkMeD390UVEf2lkUg==}
 
-  deep-eql@4.1.4:
-    resolution: {integrity: sha512-SUwdGfqdKOwxCPeVYjwSyRpJ7Z+fhpwIAtmCUdZIWZ/YP5R9WAsyuSgpLVDi9bjWoN2LXHNss/dk3urXtdQxGg==}
+  deep-eql@5.0.2:
+    resolution: {integrity: sha512-h5k/5U50IJJFpzfL6nO9jaaumfjO/f2NjK/oYB2Djzm4p9L+3T9qWpZqZ2hAbLPuuYq9wrU08WQyBTL5GbPk5Q==}
     engines: {node: '>=6'}
 
   deep-is@0.1.4:
@@ -1734,10 +1759,6 @@ packages:
   dezalgo@1.0.4:
     resolution: {integrity: sha512-rXSP0bf+5n0Qonsb+SVVfNfIsimO4HEtmnIpPHY8Q1UCzKlQrDMfdobr8nJOOsRgWCyMRqeSBQzmWUMq7zvVig==}
 
-  diff-sequences@29.6.3:
-    resolution: {integrity: sha512-EjePK1srD3P08o2j4f0ExnylqRs5B9tJjcp9t1krH2qRi8CCdsYfwe9JgSLurFBWwq4uOlipzfk5fHNvwFKr8Q==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-
   dotenv@16.6.1:
     resolution: {integrity: sha512-uBq4egWHTcTt33a72vpSG0z3HnPuIl6NqYcTrKEg2azoEyl2hpW0zqlxysq2pK9HlDIHyHyakeYaYnSAwd8bow==}
     engines: {node: '>=12'}
@@ -1768,6 +1789,9 @@ packages:
     resolution: {integrity: sha512-Zf5H2Kxt2xjTvbJvP2ZWLEICxA6j+hAmMzIlypy4xcBg1vKVnx89Wy0GbS+kf5cwCVFFzdCFh2XSCFNULS6csw==}
     engines: {node: '>= 0.4'}
 
+  es-module-lexer@1.7.0:
+    resolution: {integrity: sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==}
+
   es-object-atoms@1.1.1:
     resolution: {integrity: sha512-FGgH2h8zKNim9ljj7dankFPcICIK9Cp5bm+c2gQSYePhpaG5+esrLODihIorn+Pe6FGJzWhXQotPv73jTaldXA==}
     engines: {node: '>= 0.4'}
@@ -1776,9 +1800,9 @@ packages:
     resolution: {integrity: sha512-j6vWzfrGVfyXxge+O0x5sh6cvxAog0a/4Rdd2K36zCMV5eJ+/+tOAngRO8cODMNWbVRdVlmGZQL2YS3yR8bIUA==}
     engines: {node: '>= 0.4'}
 
-  esbuild@0.21.5:
-    resolution: {integrity: sha512-mg3OPMV4hXywwpoDxu3Qda5xCKQi+vCTZq8S9J/EpkhB2HzKXq4SNFZE3+NK93JYxc8VMSep+lOUSC/RVKaBqw==}
-    engines: {node: '>=12'}
+  esbuild@0.25.12:
+    resolution: {integrity: sha512-bbPBYYrtZbkt6Os6FiTLCTFxvq4tt3JKall1vRwshA3fdVztsLAatFaZobhkBC8/BrPetoa0oksYoKXoG4ryJg==}
+    engines: {node: '>=18'}
     hasBin: true
 
   esbuild@0.27.7:
@@ -1868,9 +1892,9 @@ packages:
     resolution: {integrity: sha512-mQw+2fkQbALzQ7V0MY0IqdnXNOeTtP4r0lN9z7AAawCXgqea7bDii20AYrIBrFd/Hx0M2Ocz6S111CaFkUcb0Q==}
     engines: {node: '>=0.8.x'}
 
-  execa@8.0.1:
-    resolution: {integrity: sha512-VyhnebXciFV2DESc+p6B+y0LjSm0krU4OgJN44qFAhBY0TJ+1V61tYD2+wHusZ6F9n5K+vl8k0sTy7PEfV4qpg==}
-    engines: {node: '>=16.17'}
+  expect-type@1.3.0:
+    resolution: {integrity: sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==}
+    engines: {node: '>=12.0.0'}
 
   express-async-errors@3.1.1:
     resolution: {integrity: sha512-h6aK1da4tpqWSbyCa3FxB/V6Ehd4EEB15zyQq9qe75OZBp0krinNKuH4rAY+S/U/2I36vdLAUFSjQJ+TFmODng==}
@@ -1967,9 +1991,6 @@ packages:
     resolution: {integrity: sha512-DyFP3BM/3YHTQOCUL/w0OZHR0lpKeGrxotcHWcqNEdnltqFwXVfhEBQ94eIo34AfQpo0rGki4cyIiftY06h2Fg==}
     engines: {node: 6.* || 8.* || >= 10.*}
 
-  get-func-name@2.0.2:
-    resolution: {integrity: sha512-8vXOvuE167CtIc3OyItco7N/dpRtBbYOsPsXCz7X/PMnlGjYjSGuZJgM1Y7mmew7BKf9BqvLX2tnOVy1BBUsxQ==}
-
   get-intrinsic@1.3.0:
     resolution: {integrity: sha512-9fSjSaos/fRIVIp+xSJlE6lfwhES7LNtKaCBIamHsjr2na1BiABJPo0mOjjz8GJDURarmCPGqaiVg5mfjb98CQ==}
     engines: {node: '>= 0.4'}
@@ -1982,10 +2003,6 @@ packages:
     resolution: {integrity: sha512-sTSfBjoXBp89JvIKIefqw7U2CCebsc74kiY6awiGogKtoSGbgjYE/G/+l9sF3MWFPNc9IcoOC4ODfKHfxFmp0g==}
     engines: {node: '>= 0.4'}
 
-  get-stream@8.0.1:
-    resolution: {integrity: sha512-VaUJspBffn/LMCJVoMvSAdmscJyS1auj5Zulnn5UoYcY531UWmdwhRWkcGKnGU93m5HSXP9LP2usOryrBtQowA==}
-    engines: {node: '>=16'}
-
   get-tsconfig@4.14.0:
     resolution: {integrity: sha512-yTb+8DXzDREzgvYmh6s9vHsSVCHeC0G3PI5bEXNBHtmshPnO+S5O7qgLEOn0I5QvMy6kpZN8K1NKGyilLb93wA==}
 
@@ -2042,10 +2059,6 @@ packages:
     resolution: {integrity: sha512-4FbRdAX+bSdmo4AUFuS0WNiPz8NgFt+r8ThgNWmlrjQjt1Q7ZR9+zTlce2859x4KSXrwIsaeTqDoKQmtP8pLmQ==}
     engines: {node: '>= 0.8'}
 
-  human-signals@5.0.0:
-    resolution: {integrity: sha512-AXcZb6vzzrFAUE61HnN4mpLqd/cSIwNQjtNWR0euPm6y0iqx3G4gOXaIDdtdDwZmhwe82LA6+zinmW4UBWVePQ==}
-    engines: {node: '>=16.17.0'}
-
   iconv-lite@0.4.24:
     resolution: {integrity: sha512-v3MXnZAcvnywkTUEZomIActle7RXXeedOR31wwl7VlyoXO4Qi9arvSenNQWne1TcRwhCL1HwLI21bEqdpj8/rA==}
     engines: {node: '>=0.10.0'}
@@ -2095,10 +2108,6 @@ packages:
   is-potential-custom-element-name@1.0.1:
     resolution: {integrity: sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ==}
 
-  is-stream@3.0.0:
-    resolution: {integrity: sha512-LnQR4bZ9IADDRSkvpqMGvt/tEJWclzklNgSw48V5EAaAeDd6qGvN8ei6k5p0tvxSR171VmGyHuTiAOfxAbr8kA==}
-    engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
-
   isexe@2.0.0:
     resolution: {integrity: sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==}
 
@@ -2193,10 +2202,6 @@ packages:
     resolution: {integrity: sha512-IXO6OCs9yg8tMKzfPZ1YmheJbZCiEsnBdcB03l0OcfK9prKnJb96siuHCr5Fl37/yo9DnKU+TLpxzTUspw9shg==}
     engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
 
-  local-pkg@0.5.1:
-    resolution: {integrity: sha512-9rrA30MRRP3gBD3HTGnC6cDFpaE1kVDWxWgqWJUN0RvDNAo+Nz/9GxB+nHOH0ifbVFy0hSA1V6vFDvnx54lTEQ==}
-    engines: {node: '>=14'}
-
   locate-path@6.0.0:
     resolution: {integrity: sha512-iPZK6eYjbxRu3uB4/WZ3EsEIMJFMqAoopl3R+zuq0UjcAm/MO6KCweDgPfP3elTztoKP3KtnVHxTn2NHBSDVUw==}
     engines: {node: '>=10'}
@@ -2211,8 +2216,8 @@ packages:
     resolution: {integrity: sha512-lyuxPGr/Wfhrlem2CL/UcnUc1zcqKAImBDzukY7Y5F/yQiNdko6+fRLevlw1HgMySw7f611UIY408EtxRSoK3Q==}
     hasBin: true
 
-  loupe@2.3.7:
-    resolution: {integrity: sha512-zSMINGVYkdpYSOBmLi0D1Uo7JU9nVdQKrHxC8eYlV+9YKK9WePqAlL7lSlorG/U2Fw1w0hTBmaa/jrQ3UbPHtA==}
+  loupe@3.2.1:
+    resolution: {integrity: sha512-CdzqowRJCeLU72bHvWqwRBBlLcMEtIvGrlvef74kMnV2AolS9Y8xUv1I0U/MNAWMhBlKIoyuEgoJ0t/bbwHbLQ==}
 
   lru-cache@11.3.5:
     resolution: {integrity: sha512-NxVFwLAnrd9i7KUBxC4DrUhmgjzOs+1Qm50D3oF1/oL+r1NpZ4gA7xvG0/zJ8evR7zIKn4vLf7qTNduWFtCrRw==}
@@ -2243,9 +2248,6 @@ packages:
   merge-descriptors@1.0.3:
     resolution: {integrity: sha512-gaNvAS7TZ897/rVaZ0nMtAyxNyi/pdbjbAwUpFQpN70GqnVfOiXpeUUMKRBmzXaSQ8DdTX4/0ms62r2K+hE6mQ==}
 
-  merge-stream@2.0.0:
-    resolution: {integrity: sha512-abv/qOcuPfk3URPfDzmZU1LKmuw8kT+0nIHvKrKgFrwifol/doWcdA4ZqsWQ8ENrFKkd67Mfpo/LovbIUsbt3w==}
-
   methods@1.1.2:
     resolution: {integrity: sha512-iclAHeNqNm68zFtnZ0e+1L2yUIdvzNoauKU4WBA3VvH/vPFieF7qfRlwUZU+DA9P9bPXIS90ulxoUoCH23sV2w==}
     engines: {node: '>= 0.6'}
@@ -2268,10 +2270,6 @@ packages:
     engines: {node: '>=4.0.0'}
     hasBin: true
 
-  mimic-fn@4.0.0:
-    resolution: {integrity: sha512-vqiC06CuhBTUdZH+RYl8sFrL096vA45Ok5ISO6sE/Mr1jRbGH4Csnhi8f3wKVl7x8mO4Au7Ir9D3Oyv1VYMFJw==}
-    engines: {node: '>=12'}
-
   minimatch@10.2.5:
     resolution: {integrity: sha512-MULkVLfKGYDFYejP07QOurDLLQpcjk7Fw+7jXS2R2czRQzR56yHRveU5NDJEOviH+hETZKSkIk5c+T23GjFUMg==}
     engines: {node: 18 || 20 || >=22}
@@ -2313,10 +2311,6 @@ packages:
     resolution: {integrity: sha512-Nm2XeuDwwy2wi5A+8jPWwQwNzcjNjhWdE3pVLoXEusxJqCnAPAgnBGkSmiLknbnWuOF9qraRpYZjfxqtKZ4tPw==}
     engines: {node: '>=6.0.0'}
 
-  npm-run-path@5.3.0:
-    resolution: {integrity: sha512-ppwTtiJZq0O/ai0z7yfudtBpWIoxM8yE6nHi1X47eFR2EWORqfbu6CnPlNsjeN683eT0qG6H/Pyf9fCcvjnnnQ==}
-    engines: {node: ^12.20.0 || ^14.13.1 || >=16.0.0}
-
   object-assign@4.1.1:
     resolution: {integrity: sha512-rJgTQnkUnH1sFw8yT6VSU3zD3sWmu6sZhIseY8VX+GRu3P6F7Fu+JNDoXfklElbLJSnc3FUQHVe4cU5hj+BcUg==}
     engines: {node: '>=0.10.0'}
@@ -2336,10 +2330,6 @@ packages:
   once@1.4.0:
     resolution: {integrity: sha512-lNaJgI+2Q5URQBkccEKHTQOPaXdUxnZZElQTZY0MFUAuaEqe1E+Nyvgdz/aIyNi6Z9MzO5dv1H8n58/GELp3+w==}
 
-  onetime@6.0.0:
-    resolution: {integrity: sha512-1FlR+gjXK7X+AsAHso35MnyN5KqGwJRi/31ft6x0M194ht7S+rWAvd7PHss9xSKMzE0asv1pyIHaJYq+BbacAQ==}
-    engines: {node: '>=12'}
-
   optionator@0.9.4:
     resolution: {integrity: sha512-6IpQ7mKUxRcZNLIObR0hz7lxsapSSIYNZJwXPGeF0mTVqGKFIXj1DQcMoT22S3ROcLyY/rz0PWaWZ9ayWmad9g==}
     engines: {node: '>= 0.8.0'}
@@ -2348,10 +2338,6 @@ packages:
     resolution: {integrity: sha512-TYOanM3wGwNGsZN2cVTYPArw454xnXj5qmWF1bEoAc4+cU/ol7GVh7odevjp1FNHduHc3KZMcFduxU5Xc6uJRQ==}
     engines: {node: '>=10'}
 
-  p-limit@5.0.0:
-    resolution: {integrity: sha512-/Eaoq+QyLSiXQ4lyYV23f14mZRQcXnxfHrN0vCai+ak9G0pp9iEQukIIZq5NccEvwRB8PUnZT0KsOoDCINS1qQ==}
-    engines: {node: '>=18'}
-
   p-locate@5.0.0:
     resolution: {integrity: sha512-LaNjtRWUBY++zB5nE/NwcaoMylSPk+S+ZHNB1TzdbMJMny6dynpAGt7X/tl/QYq3TIeE6nxHppbo2LGymrG5Pw==}
     engines: {node: '>=10'}
@@ -2379,24 +2365,18 @@ packages:
     resolution: {integrity: sha512-ojmeN0qd+y0jszEtoY48r0Peq5dwMEkIlCOu6Q5f41lfkswXuKtYrhgoTpLnyIcHm24Uhqx+5Tqm2InSwLhE6Q==}
     engines: {node: '>=8'}
 
-  path-key@4.0.0:
-    resolution: {integrity: sha512-haREypq7xkM7ErfgIyA0z+Bj4AGKlMSdlQE2jvJo6huWD1EdkKYV+G/T4nq0YEF2vgTT8kqMFKo1uHn950r4SQ==}
-    engines: {node: '>=12'}
-
   path-parse@1.0.7:
     resolution: {integrity: sha512-LDJzPVEEEPR+y48z93A0Ed0yXb8pAByGWo/k5YYdYgpY2/2EsOsksJrq7lOHxryrVOn1ejG6oAp8ahvOIQD8sw==}
 
   path-to-regexp@0.1.13:
     resolution: {integrity: sha512-A/AGNMFN3c8bOlvV9RreMdrv7jsmF9XIfDeCd87+I8RNg6s78BhJxMu69NEMHBSJFxKidViTEdruRwEk/WIKqA==}
 
-  pathe@1.1.2:
-    resolution: {integrity: sha512-whLdWMYL2TwI08hn8/ZqAbrVemu0LNaNNJZX73O6qaIdCTfXutsLhMkjdENX0qhsQ9uIimo4/aQOmXkoon2nDQ==}
-
   pathe@2.0.3:
     resolution: {integrity: sha512-WUjGcAqP1gQacoQe+OBJsFA7Ld4DyXuUIjZ5cc75cLHvJ7dtNsTugphxIADwspS+AraAUePCKrSVtPLFj/F88w==}
 
-  pathval@1.1.1:
-    resolution: {integrity: sha512-Dp6zGqpTdETdR63lehJYPeIOqpiNBNtc7BpWSLrOje7UaIsE5aY92r/AunQA7rsXvet3lrJ3JnZX29UPTKXyKQ==}
+  pathval@2.0.1:
+    resolution: {integrity: sha512-//nshmD55c46FuFw26xV/xFAaB5HF9Xdap7HJBBnrKdAd6/GxDBaNA1870O79+9ueg61cZLSVc+OaFlfmObYVQ==}
+    engines: {node: '>= 14.16'}
 
   pg-cloudflare@1.3.0:
     resolution: {integrity: sha512-6lswVVSztmHiRtD6I8hw4qP/nDm1EJbKMRhf3HCYaqud7frGysPv7FYJ5noZQdhQtN2xJnimfMtvQq21pdbzyQ==}
@@ -2514,10 +2494,6 @@ packages:
     resolution: {integrity: sha512-vkcDPrRZo1QZLbn5RLGPpg/WmIQ65qoWWhcGKf/b5eplkkarX0m9z8ppCat4mlOqUsWpyNuYgO3VRyrYHSzX5g==}
     engines: {node: '>= 0.8.0'}
 
-  pretty-format@29.7.0:
-    resolution: {integrity: sha512-Pdlw/oPxN+aXdmM9R00JVC9WVFoCLTKJvDVLgmJ+qAffBMxsV85l/Lu7sNx4zSzPyoL2euImuEwHhOXdEgNFZQ==}
-    engines: {node: ^14.15.0 || ^16.10.0 || >=18.0.0}
-
   process-warning@3.0.0:
     resolution: {integrity: sha512-mqn0kFRl0EoqhnL0GQ0veqFHyIN1yig9RHh/InzORTUiZHFRAur+aMtRkELNwGs9aNwKS6tg/An4NYBPGwvtzQ==}
 
@@ -2560,9 +2536,6 @@ packages:
     peerDependencies:
       react: ^18.3.1
 
-  react-is@18.3.1:
-    resolution: {integrity: sha512-/LLMVyas0ljjAtoYiPqYiL8VWXzUUdThrmU5+n20DZv+a+ClRoevUzw5JxU+Ieh5/c87ytoTBV9G1FiKfNJdmg==}
-
   react-refresh@0.17.0:
     resolution: {integrity: sha512-z6F7K9bV85EfseRCp2bzrpyQ0Gkw1uLoCel9XBVWPg/TjRj94SkJzUTGfOa4bs7iJvBWtQG0Wq7wnI0syw3EBQ==}
     engines: {node: '>=0.10.0'}
@@ -2689,10 +2662,6 @@ packages:
   siginfo@2.0.0:
     resolution: {integrity: sha512-ybx0WO1/8bSBLEWXZvEd7gMW3Sn3JFlW3TvX1nREbDLRNQNaeNN8WK0meBwPdAaOI7TtRRRJn/Es1zhrrCHu7g==}
 
-  signal-exit@4.1.0:
-    resolution: {integrity: sha512-bzyZ1e88w9O1iNJbKnOlvYTrWPDl46O1bG0D3XInv+9tkPrxrN8jUUTiFlDkkmKWgn1M6CfIA13SuGqOa9Korw==}
-    engines: {node: '>=14'}
-
   sonic-boom@3.8.1:
     resolution: {integrity: sha512-y4Z8LCDBuum+PBP3lSV7RHrXscqksve/bi0as7mhwVnBW+/wUqKT/2Kb7um8yqcFy0duYbbPxzt89Zy2nOCaxg==}
 
@@ -2724,16 +2693,12 @@ packages:
   string_decoder@1.3.0:
     resolution: {integrity: sha512-hkRX8U1WjJFd8LsDJ2yQ/wWWxaopEsABU1XfkM8A+j0+85JAGppt16cr1Whg6KIbb4okU6Mql6BOj+uup/wKeA==}
 
-  strip-final-newline@3.0.0:
-    resolution: {integrity: sha512-dOESqjYr96iWYylGObzd39EuNTa5VJxyvVAEm5Jnh7KGo75V43Hk1odPQkNDyXNmUR6k+gEiDVXnjB8HJ3crXw==}
-    engines: {node: '>=12'}
-
   strip-json-comments@3.1.1:
     resolution: {integrity: sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==}
     engines: {node: '>=8'}
 
-  strip-literal@2.1.1:
-    resolution: {integrity: sha512-631UJ6O00eNGfMiWG78ck80dfBab8X6IVFB51jZK5Icd7XAs60Z5y7QdSd/wGIklnWvRbUNloVzhOKKmutxQ6Q==}
+  strip-literal@3.1.0:
+    resolution: {integrity: sha512-8r3mkIM/2+PpjHoOtiAW8Rg3jJLHaV7xPwG+YRGrv6FP0wwk/toTpATxWYOW0BKdWwl82VT2tFYi5DlROa0Mxg==}
 
   stripe@20.4.1:
     resolution: {integrity: sha512-axCguHItc8Sxt0HC6aSkdVRPffjYPV7EQqZRb2GkIa8FzWDycE7nHJM19C6xAIynH1Qp1/BHiopSi96jGBxT0w==}
@@ -2802,12 +2767,16 @@ packages:
     resolution: {integrity: sha512-pn99VhoACYR8nFHhxqix+uvsbXineAasWm5ojXoN8xEwK5Kd3/TrhNn1wByuD52UxWRLy8pu+kRMniEi6Eq9Zg==}
     engines: {node: '>=12.0.0'}
 
-  tinypool@0.8.4:
-    resolution: {integrity: sha512-i11VH5gS6IFeLY3gMBQ00/MmLncVP7JLXOw1vlgkytLmJK7QnEr7NXf0LBdxfmNPAeyetukOk0bOYrJrFGjYJQ==}
+  tinypool@1.1.1:
+    resolution: {integrity: sha512-Zba82s87IFq9A9XmjiX5uZA/ARWDrB03OHlq+Vw1fSdt0I+4/Kutwy8BP4Y/y/aORMo61FQ0vIb5j44vSo5Pkg==}
+    engines: {node: ^18.0.0 || >=20.0.0}
+
+  tinyrainbow@2.0.0:
+    resolution: {integrity: sha512-op4nsTR47R6p0vMUUoYl/a+ljLFVtlfaXkLQmqfLR1qHma1h/ysYk4hEXZ880bf2CYgTskvTa/e196Vd5dDQXw==}
     engines: {node: '>=14.0.0'}
 
-  tinyspy@2.2.1:
-    resolution: {integrity: sha512-KYad6Vy5VDWV4GH3fjpseMQ/XU2BhIYP7Vzd0LG44qRWm/Yt2WCOTicFdvmgo6gWaqooMQCawTtILVQJupKu7A==}
+  tinyspy@4.0.4:
+    resolution: {integrity: sha512-azl+t0z7pw/z958Gy9svOTuzqIk6xq+NSheJzn5MMWtWTFywIacg2wUlzKFGtt3cthx0r2SxMK0yzJOR0IES7Q==}
     engines: {node: '>=14.0.0'}
 
   tldts-core@7.0.28:
@@ -2873,10 +2842,6 @@ packages:
     resolution: {integrity: sha512-XleUoc9uwGXqjWwXaUTZAmzMcFZ5858QA2vvx1Ur5xIcixXIP+8LnFDgRplU30us6teqdlskFfu+ae4K79Ooew==}
     engines: {node: '>= 0.8.0'}
 
-  type-detect@4.1.0:
-    resolution: {integrity: sha512-Acylog8/luQ8L7il+geoSxhEkazvkslg7PSNKOX59mbB9cOveP5aq9h74Y7YU8yDpJwetzQQrfIwtf4Wp4LKcw==}
-    engines: {node: '>=4'}
-
   type-is@1.6.18:
     resolution: {integrity: sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==}
     engines: {node: '>= 0.6'}
@@ -2928,27 +2893,32 @@ packages:
     resolution: {integrity: sha512-BNGbWLfd0eUPabhkXUVm0j8uuvREyTh5ovRa/dyow/BqAbZJyC+5fU+IzQOzmAKzYqYRAISoRhdQr3eIZ/PXqg==}
     engines: {node: '>= 0.8'}
 
-  vite-node@1.6.1:
-    resolution: {integrity: sha512-YAXkfvGtuTzwWbDSACdJSg4A4DZiAqckWe90Zapc/sEX3XvHcw1NdurM/6od8J207tSDqNbSsgdCacBgvJKFuA==}
-    engines: {node: ^18.0.0 || >=20.0.0}
+  vite-node@3.2.4:
+    resolution: {integrity: sha512-EbKSKh+bh1E1IFxeO0pg1n4dvoOTt0UDiXMd/qn++r98+jPO1xtJilvXldeuQ8giIB5IkpjCgMleHMNEsGH6pg==}
+    engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0}
     hasBin: true
 
-  vite@5.4.21:
-    resolution: {integrity: sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==}
-    engines: {node: ^18.0.0 || >=20.0.0}
+  vite@6.4.2:
+    resolution: {integrity: sha512-2N/55r4JDJ4gdrCvGgINMy+HH3iRpNIz8K6SFwVsA+JbQScLiC+clmAxBgwiSPgcG9U15QmvqCGWzMbqda5zGQ==}
+    engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0}
     hasBin: true
     peerDependencies:
-      '@types/node': ^18.0.0 || >=20.0.0
+      '@types/node': ^18.0.0 || ^20.0.0 || >=22.0.0
+      jiti: '>=1.21.0'
       less: '*'
       lightningcss: ^1.21.0
       sass: '*'
       sass-embedded: '*'
       stylus: '*'
       sugarss: '*'
-      terser: ^5.4.0
+      terser: ^5.16.0
+      tsx: ^4.8.1
+      yaml: ^2.4.2
     peerDependenciesMeta:
       '@types/node':
         optional: true
+      jiti:
+        optional: true
       less:
         optional: true
       lightningcss:
@@ -2963,21 +2933,28 @@ packages:
         optional: true
       terser:
         optional: true
+      tsx:
+        optional: true
+      yaml:
+        optional: true
 
-  vitest@1.6.1:
-    resolution: {integrity: sha512-Ljb1cnSJSivGN0LqXd/zmDbWEM0RNNg2t1QW/XUhYl/qPqyu7CsqeWtqQXHVaJsecLPuDoak2oJcZN2QoRIOag==}
-    engines: {node: ^18.0.0 || >=20.0.0}
+  vitest@3.2.4:
+    resolution: {integrity: sha512-LUCP5ev3GURDysTWiP47wRRUpLKMOfPh+yKTx3kVIEiu5KOMeqzpnYNsKyOoVrULivR8tLcks4+lga33Whn90A==}
+    engines: {node: ^18.0.0 || ^20.0.0 || >=22.0.0}
     hasBin: true
     peerDependencies:
       '@edge-runtime/vm': '*'
-      '@types/node': ^18.0.0 || >=20.0.0
-      '@vitest/browser': 1.6.1
-      '@vitest/ui': 1.6.1
+      '@types/debug': ^4.1.12
+      '@types/node': ^18.0.0 || ^20.0.0 || >=22.0.0
+      '@vitest/browser': 3.2.4
+      '@vitest/ui': 3.2.4
       happy-dom: '*'
       jsdom: '*'
     peerDependenciesMeta:
       '@edge-runtime/vm':
         optional: true
+      '@types/debug':
+        optional: true
       '@types/node':
         optional: true
       '@vitest/browser':
@@ -3040,10 +3017,6 @@ packages:
     resolution: {integrity: sha512-rVksvsnNCdJ/ohGc6xgPwyN8eheCxsiLM8mxuE/t/mOVqJewPuO1miLpTHQiRgTKCLexL4MeAFVagts7HmNZ2Q==}
     engines: {node: '>=10'}
 
-  yocto-queue@1.2.2:
-    resolution: {integrity: sha512-4LCcse/U2MHZ63HAJVE+v71o7yOdIe4cZ70Wpf8D/IyjDKYQLV5GD46B+hSTjJsvV5PztjvHoU580EftxjDZFQ==}
-    engines: {node: '>=12.20'}
-
   zod-validation-error@4.0.2:
     resolution: {integrity: sha512-Q6/nZLe6jxuU80qb/4uJ4t5v2VEZ44lzQjPDhYJNztRQ4wyWc6VF3D3Kb/fAuPetZQnhS3hnajCf9CsWesghLQ==}
     engines: {node: '>=18.0.0'}
@@ -3662,148 +3635,157 @@ snapshots:
 
   '@csstools/css-tokenizer@4.0.0': {}
 
-  '@esbuild/aix-ppc64@0.21.5':
+  '@esbuild/aix-ppc64@0.25.12':
     optional: true
 
   '@esbuild/aix-ppc64@0.27.7':
     optional: true
 
-  '@esbuild/android-arm64@0.21.5':
+  '@esbuild/android-arm64@0.25.12':
     optional: true
 
   '@esbuild/android-arm64@0.27.7':
     optional: true
 
-  '@esbuild/android-arm@0.21.5':
+  '@esbuild/android-arm@0.25.12':
     optional: true
 
   '@esbuild/android-arm@0.27.7':
     optional: true
 
-  '@esbuild/android-x64@0.21.5':
+  '@esbuild/android-x64@0.25.12':
     optional: true
 
   '@esbuild/android-x64@0.27.7':
     optional: true
 
-  '@esbuild/darwin-arm64@0.21.5':
+  '@esbuild/darwin-arm64@0.25.12':
     optional: true
 
   '@esbuild/darwin-arm64@0.27.7':
     optional: true
 
-  '@esbuild/darwin-x64@0.21.5':
+  '@esbuild/darwin-x64@0.25.12':
     optional: true
 
   '@esbuild/darwin-x64@0.27.7':
     optional: true
 
-  '@esbuild/freebsd-arm64@0.21.5':
+  '@esbuild/freebsd-arm64@0.25.12':
     optional: true
 
   '@esbuild/freebsd-arm64@0.27.7':
     optional: true
 
-  '@esbuild/freebsd-x64@0.21.5':
+  '@esbuild/freebsd-x64@0.25.12':
     optional: true
 
   '@esbuild/freebsd-x64@0.27.7':
     optional: true
 
-  '@esbuild/linux-arm64@0.21.5':
+  '@esbuild/linux-arm64@0.25.12':
     optional: true
 
   '@esbuild/linux-arm64@0.27.7':
     optional: true
 
-  '@esbuild/linux-arm@0.21.5':
+  '@esbuild/linux-arm@0.25.12':
     optional: true
 
   '@esbuild/linux-arm@0.27.7':
     optional: true
 
-  '@esbuild/linux-ia32@0.21.5':
+  '@esbuild/linux-ia32@0.25.12':
     optional: true
 
   '@esbuild/linux-ia32@0.27.7':
     optional: true
 
-  '@esbuild/linux-loong64@0.21.5':
+  '@esbuild/linux-loong64@0.25.12':
     optional: true
 
   '@esbuild/linux-loong64@0.27.7':
     optional: true
 
-  '@esbuild/linux-mips64el@0.21.5':
+  '@esbuild/linux-mips64el@0.25.12':
     optional: true
 
   '@esbuild/linux-mips64el@0.27.7':
     optional: true
 
-  '@esbuild/linux-ppc64@0.21.5':
+  '@esbuild/linux-ppc64@0.25.12':
     optional: true
 
   '@esbuild/linux-ppc64@0.27.7':
     optional: true
 
-  '@esbuild/linux-riscv64@0.21.5':
+  '@esbuild/linux-riscv64@0.25.12':
     optional: true
 
   '@esbuild/linux-riscv64@0.27.7':
     optional: true
 
-  '@esbuild/linux-s390x@0.21.5':
+  '@esbuild/linux-s390x@0.25.12':
     optional: true
 
   '@esbuild/linux-s390x@0.27.7':
     optional: true
 
-  '@esbuild/linux-x64@0.21.5':
+  '@esbuild/linux-x64@0.25.12':
     optional: true
 
   '@esbuild/linux-x64@0.27.7':
     optional: true
 
+  '@esbuild/netbsd-arm64@0.25.12':
+    optional: true
+
   '@esbuild/netbsd-arm64@0.27.7':
     optional: true
 
-  '@esbuild/netbsd-x64@0.21.5':
+  '@esbuild/netbsd-x64@0.25.12':
     optional: true
 
   '@esbuild/netbsd-x64@0.27.7':
     optional: true
 
+  '@esbuild/openbsd-arm64@0.25.12':
+    optional: true
+
   '@esbuild/openbsd-arm64@0.27.7':
     optional: true
 
-  '@esbuild/openbsd-x64@0.21.5':
+  '@esbuild/openbsd-x64@0.25.12':
     optional: true
 
   '@esbuild/openbsd-x64@0.27.7':
     optional: true
 
+  '@esbuild/openharmony-arm64@0.25.12':
+    optional: true
+
   '@esbuild/openharmony-arm64@0.27.7':
     optional: true
 
-  '@esbuild/sunos-x64@0.21.5':
+  '@esbuild/sunos-x64@0.25.12':
     optional: true
 
   '@esbuild/sunos-x64@0.27.7':
     optional: true
 
-  '@esbuild/win32-arm64@0.21.5':
+  '@esbuild/win32-arm64@0.25.12':
     optional: true
 
   '@esbuild/win32-arm64@0.27.7':
     optional: true
 
-  '@esbuild/win32-ia32@0.21.5':
+  '@esbuild/win32-ia32@0.25.12':
     optional: true
 
   '@esbuild/win32-ia32@0.27.7':
     optional: true
 
-  '@esbuild/win32-x64@0.21.5':
+  '@esbuild/win32-x64@0.25.12':
     optional: true
 
   '@esbuild/win32-x64@0.27.7':
@@ -3879,10 +3861,6 @@ snapshots:
 
   '@humanwhocodes/retry@0.4.3': {}
 
-  '@jest/schemas@29.6.3':
-    dependencies:
-      '@sinclair/typebox': 0.27.10
-
   '@jridgewell/gen-mapping@0.3.13':
     dependencies:
       '@jridgewell/sourcemap-codec': 1.5.5
@@ -3991,8 +3969,6 @@ snapshots:
   '@rollup/rollup-win32-x64-msvc@4.60.2':
     optional: true
 
-  '@sinclair/typebox@0.27.10': {}
-
   '@smithy/chunked-blob-reader-native@4.2.3':
     dependencies:
       '@smithy/util-base64': 4.3.2
@@ -4359,6 +4335,11 @@ snapshots:
       '@types/connect': 3.4.38
       '@types/node': 20.19.39
 
+  '@types/chai@5.2.3':
+    dependencies:
+      '@types/deep-eql': 4.0.2
+      assertion-error: 2.0.1
+
   '@types/connect@3.4.38':
     dependencies:
       '@types/node': 20.19.39
@@ -4373,6 +4354,8 @@ snapshots:
     dependencies:
       '@types/node': 20.19.39
 
+  '@types/deep-eql@4.0.2': {}
+
   '@types/estree@1.0.8': {}
 
   '@types/express-serve-static-core@4.19.8':
@@ -4544,7 +4527,7 @@ snapshots:
       '@typescript-eslint/types': 8.59.0
       eslint-visitor-keys: 5.0.1
 
-  '@vitejs/plugin-react@4.7.0(vite@5.4.21(@types/node@20.19.39))':
+  '@vitejs/plugin-react@4.7.0(vite@6.4.2(@types/node@20.19.39)(tsx@4.21.0))':
     dependencies:
       '@babel/core': 7.29.0
       '@babel/plugin-transform-react-jsx-self': 7.27.1(@babel/core@7.29.0)
@@ -4552,38 +4535,51 @@ snapshots:
       '@rolldown/pluginutils': 1.0.0-beta.27
       '@types/babel__core': 7.20.5
       react-refresh: 0.17.0
-      vite: 5.4.21(@types/node@20.19.39)
+      vite: 6.4.2(@types/node@20.19.39)(tsx@4.21.0)
     transitivePeerDependencies:
       - supports-color
 
-  '@vitest/expect@1.6.1':
+  '@vitest/expect@3.2.4':
     dependencies:
-      '@vitest/spy': 1.6.1
-      '@vitest/utils': 1.6.1
-      chai: 4.5.0
+      '@types/chai': 5.2.3
+      '@vitest/spy': 3.2.4
+      '@vitest/utils': 3.2.4
+      chai: 5.3.3
+      tinyrainbow: 2.0.0
 
-  '@vitest/runner@1.6.1':
+  '@vitest/mocker@3.2.4(vite@6.4.2(@types/node@20.19.39)(tsx@4.21.0))':
     dependencies:
-      '@vitest/utils': 1.6.1
-      p-limit: 5.0.0
-      pathe: 1.1.2
+      '@vitest/spy': 3.2.4
+      estree-walker: 3.0.3
+      magic-string: 0.30.21
+    optionalDependencies:
+      vite: 6.4.2(@types/node@20.19.39)(tsx@4.21.0)
 
-  '@vitest/snapshot@1.6.1':
+  '@vitest/pretty-format@3.2.4':
     dependencies:
+      tinyrainbow: 2.0.0
+
+  '@vitest/runner@3.2.4':
+    dependencies:
+      '@vitest/utils': 3.2.4
+      pathe: 2.0.3
+      strip-literal: 3.1.0
+
+  '@vitest/snapshot@3.2.4':
+    dependencies:
+      '@vitest/pretty-format': 3.2.4
       magic-string: 0.30.21
-      pathe: 1.1.2
-      pretty-format: 29.7.0
+      pathe: 2.0.3
 
-  '@vitest/spy@1.6.1':
+  '@vitest/spy@3.2.4':
     dependencies:
-      tinyspy: 2.2.1
+      tinyspy: 4.0.4
 
-  '@vitest/utils@1.6.1':
+  '@vitest/utils@3.2.4':
     dependencies:
-      diff-sequences: 29.6.3
-      estree-walker: 3.0.3
-      loupe: 2.3.7
-      pretty-format: 29.7.0
+      '@vitest/pretty-format': 3.2.4
+      loupe: 3.2.1
+      tinyrainbow: 2.0.0
 
   abort-controller@3.0.0:
     dependencies:
@@ -4598,10 +4594,6 @@ snapshots:
     dependencies:
       acorn: 8.16.0
 
-  acorn-walk@8.3.5:
-    dependencies:
-      acorn: 8.16.0
-
   acorn@8.16.0: {}
 
   ajv@6.15.0:
@@ -4615,8 +4607,6 @@ snapshots:
     dependencies:
       color-convert: 2.0.1
 
-  ansi-styles@5.2.0: {}
-
   any-promise@1.3.0: {}
 
   argparse@2.0.1: {}
@@ -4625,7 +4615,7 @@ snapshots:
 
   asap@2.0.6: {}
 
-  assertion-error@1.1.0: {}
+  assertion-error@2.0.1: {}
 
   asynckit@0.4.0: {}
 
@@ -4707,24 +4697,20 @@ snapshots:
 
   caniuse-lite@1.0.30001790: {}
 
-  chai@4.5.0:
+  chai@5.3.3:
     dependencies:
-      assertion-error: 1.1.0
-      check-error: 1.0.3
-      deep-eql: 4.1.4
-      get-func-name: 2.0.2
-      loupe: 2.3.7
-      pathval: 1.1.1
-      type-detect: 4.1.0
+      assertion-error: 2.0.1
+      check-error: 2.1.3
+      deep-eql: 5.0.2
+      loupe: 3.2.1
+      pathval: 2.0.1
 
   chalk@4.1.2:
     dependencies:
       ansi-styles: 4.3.0
       supports-color: 7.2.0
 
-  check-error@1.0.3:
-    dependencies:
-      get-func-name: 2.0.2
+  check-error@2.1.3: {}
 
   chokidar@4.0.3:
     dependencies:
@@ -4818,9 +4804,7 @@ snapshots:
 
   decimal.js@10.6.0: {}
 
-  deep-eql@4.1.4:
-    dependencies:
-      type-detect: 4.1.0
+  deep-eql@5.0.2: {}
 
   deep-is@0.1.4: {}
 
@@ -4835,8 +4819,6 @@ snapshots:
       asap: 2.0.6
       wrappy: 1.0.2
 
-  diff-sequences@29.6.3: {}
-
   dotenv@16.6.1: {}
 
   dunder-proto@1.0.1:
@@ -4857,6 +4839,8 @@ snapshots:
 
   es-errors@1.3.0: {}
 
+  es-module-lexer@1.7.0: {}
+
   es-object-atoms@1.1.1:
     dependencies:
       es-errors: 1.3.0
@@ -4868,31 +4852,34 @@ snapshots:
       has-tostringtag: 1.0.2
       hasown: 2.0.3
 
-  esbuild@0.21.5:
+  esbuild@0.25.12:
     optionalDependencies:
-      '@esbuild/aix-ppc64': 0.21.5
-      '@esbuild/android-arm': 0.21.5
-      '@esbuild/android-arm64': 0.21.5
-      '@esbuild/android-x64': 0.21.5
-      '@esbuild/darwin-arm64': 0.21.5
-      '@esbuild/darwin-x64': 0.21.5
-      '@esbuild/freebsd-arm64': 0.21.5
-      '@esbuild/freebsd-x64': 0.21.5
-      '@esbuild/linux-arm': 0.21.5
-      '@esbuild/linux-arm64': 0.21.5
-      '@esbuild/linux-ia32': 0.21.5
-      '@esbuild/linux-loong64': 0.21.5
-      '@esbuild/linux-mips64el': 0.21.5
-      '@esbuild/linux-ppc64': 0.21.5
-      '@esbuild/linux-riscv64': 0.21.5
-      '@esbuild/linux-s390x': 0.21.5
-      '@esbuild/linux-x64': 0.21.5
-      '@esbuild/netbsd-x64': 0.21.5
-      '@esbuild/openbsd-x64': 0.21.5
-      '@esbuild/sunos-x64': 0.21.5
-      '@esbuild/win32-arm64': 0.21.5
-      '@esbuild/win32-ia32': 0.21.5
-      '@esbuild/win32-x64': 0.21.5
+      '@esbuild/aix-ppc64': 0.25.12
+      '@esbuild/android-arm': 0.25.12
+      '@esbuild/android-arm64': 0.25.12
+      '@esbuild/android-x64': 0.25.12
+      '@esbuild/darwin-arm64': 0.25.12
+      '@esbuild/darwin-x64': 0.25.12
+      '@esbuild/freebsd-arm64': 0.25.12
+      '@esbuild/freebsd-x64': 0.25.12
+      '@esbuild/linux-arm': 0.25.12
+      '@esbuild/linux-arm64': 0.25.12
+      '@esbuild/linux-ia32': 0.25.12
+      '@esbuild/linux-loong64': 0.25.12
+      '@esbuild/linux-mips64el': 0.25.12
+      '@esbuild/linux-ppc64': 0.25.12
+      '@esbuild/linux-riscv64': 0.25.12
+      '@esbuild/linux-s390x': 0.25.12
+      '@esbuild/linux-x64': 0.25.12
+      '@esbuild/netbsd-arm64': 0.25.12
+      '@esbuild/netbsd-x64': 0.25.12
+      '@esbuild/openbsd-arm64': 0.25.12
+      '@esbuild/openbsd-x64': 0.25.12
+      '@esbuild/openharmony-arm64': 0.25.12
+      '@esbuild/sunos-x64': 0.25.12
+      '@esbuild/win32-arm64': 0.25.12
+      '@esbuild/win32-ia32': 0.25.12
+      '@esbuild/win32-x64': 0.25.12
 
   esbuild@0.27.7:
     optionalDependencies:
@@ -5020,17 +5007,7 @@ snapshots:
 
   events@3.3.0: {}
 
-  execa@8.0.1:
-    dependencies:
-      cross-spawn: 7.0.6
-      get-stream: 8.0.1
-      human-signals: 5.0.0
-      is-stream: 3.0.0
-      merge-stream: 2.0.0
-      npm-run-path: 5.3.0
-      onetime: 6.0.0
-      signal-exit: 4.1.0
-      strip-final-newline: 3.0.0
+  expect-type@1.3.0: {}
 
   express-async-errors@3.1.1(express@4.22.1):
     dependencies:
@@ -5158,8 +5135,6 @@ snapshots:
 
   get-caller-file@2.0.5: {}
 
-  get-func-name@2.0.2: {}
-
   get-intrinsic@1.3.0:
     dependencies:
       call-bind-apply-helpers: 1.0.2
@@ -5180,8 +5155,6 @@ snapshots:
       dunder-proto: 1.0.1
       es-object-atoms: 1.1.1
 
-  get-stream@8.0.1: {}
-
   get-tsconfig@4.14.0:
     dependencies:
       resolve-pkg-maps: 1.0.0
@@ -5232,8 +5205,6 @@ snapshots:
       statuses: 2.0.2
       toidentifier: 1.0.1
 
-  human-signals@5.0.0: {}
-
   iconv-lite@0.4.24:
     dependencies:
       safer-buffer: 2.1.2
@@ -5269,8 +5240,6 @@ snapshots:
 
   is-potential-custom-element-name@1.0.1: {}
 
-  is-stream@3.0.0: {}
-
   isexe@2.0.0: {}
 
   joycon@3.1.1: {}
@@ -5355,11 +5324,6 @@ snapshots:
 
   load-tsconfig@0.2.5: {}
 
-  local-pkg@0.5.1:
-    dependencies:
-      mlly: 1.8.2
-      pkg-types: 1.3.1
-
   locate-path@6.0.0:
     dependencies:
       p-locate: 5.0.0
@@ -5372,9 +5336,7 @@ snapshots:
     dependencies:
       js-tokens: 4.0.0
 
-  loupe@2.3.7:
-    dependencies:
-      get-func-name: 2.0.2
+  loupe@3.2.1: {}
 
   lru-cache@11.3.5: {}
 
@@ -5398,8 +5360,6 @@ snapshots:
 
   merge-descriptors@1.0.3: {}
 
-  merge-stream@2.0.0: {}
-
   methods@1.1.2: {}
 
   mime-db@1.52.0: {}
@@ -5412,8 +5372,6 @@ snapshots:
 
   mime@2.6.0: {}
 
-  mimic-fn@4.0.0: {}
-
   minimatch@10.2.5:
     dependencies:
       brace-expansion: 5.0.5
@@ -5451,10 +5409,6 @@ snapshots:
 
   nodemailer@8.0.6: {}
 
-  npm-run-path@5.3.0:
-    dependencies:
-      path-key: 4.0.0
-
   object-assign@4.1.1: {}
 
   object-inspect@1.13.4: {}
@@ -5469,10 +5423,6 @@ snapshots:
     dependencies:
       wrappy: 1.0.2
 
-  onetime@6.0.0:
-    dependencies:
-      mimic-fn: 4.0.0
-
   optionator@0.9.4:
     dependencies:
       deep-is: 0.1.4
@@ -5486,10 +5436,6 @@ snapshots:
     dependencies:
       yocto-queue: 0.1.0
 
-  p-limit@5.0.0:
-    dependencies:
-      yocto-queue: 1.2.2
-
   p-locate@5.0.0:
     dependencies:
       p-limit: 3.1.0
@@ -5510,17 +5456,13 @@ snapshots:
 
   path-key@3.1.1: {}
 
-  path-key@4.0.0: {}
-
   path-parse@1.0.7: {}
 
   path-to-regexp@0.1.13: {}
 
-  pathe@1.1.2: {}
-
   pathe@2.0.3: {}
 
-  pathval@1.1.1: {}
+  pathval@2.0.1: {}
 
   pg-cloudflare@1.3.0:
     optional: true
@@ -5644,12 +5586,6 @@ snapshots:
 
   prelude-ls@1.2.1: {}
 
-  pretty-format@29.7.0:
-    dependencies:
-      '@jest/schemas': 29.6.3
-      ansi-styles: 5.2.0
-      react-is: 18.3.1
-
   process-warning@3.0.0: {}
 
   process-warning@5.0.0: {}
@@ -5688,8 +5624,6 @@ snapshots:
       react: 18.3.1
       scheduler: 0.23.2
 
-  react-is@18.3.1: {}
-
   react-refresh@0.17.0: {}
 
   react-router-dom@6.30.3(react-dom@18.3.1(react@18.3.1))(react@18.3.1):
@@ -5853,8 +5787,6 @@ snapshots:
 
   siginfo@2.0.0: {}
 
-  signal-exit@4.1.0: {}
-
   sonic-boom@3.8.1:
     dependencies:
       atomic-sleep: 1.0.0
@@ -5879,11 +5811,9 @@ snapshots:
     dependencies:
       safe-buffer: 5.2.1
 
-  strip-final-newline@3.0.0: {}
-
   strip-json-comments@3.1.1: {}
 
-  strip-literal@2.1.1:
+  strip-literal@3.1.0:
     dependencies:
       js-tokens: 9.0.1
 
@@ -5962,9 +5892,11 @@ snapshots:
       fdir: 6.5.0(picomatch@4.0.4)
       picomatch: 4.0.4
 
-  tinypool@0.8.4: {}
+  tinypool@1.1.1: {}
 
-  tinyspy@2.2.1: {}
+  tinyrainbow@2.0.0: {}
+
+  tinyspy@4.0.4: {}
 
   tldts-core@7.0.28: {}
 
@@ -6031,8 +5963,6 @@ snapshots:
     dependencies:
       prelude-ls: 1.2.1
 
-  type-detect@4.1.0: {}
-
   type-is@1.6.18:
     dependencies:
       media-typer: 0.3.0
@@ -6075,15 +6005,16 @@ snapshots:
 
   vary@1.1.2: {}
 
-  vite-node@1.6.1(@types/node@20.19.39):
+  vite-node@3.2.4(@types/node@20.19.39)(tsx@4.21.0):
     dependencies:
       cac: 6.7.14
       debug: 4.4.3
-      pathe: 1.1.2
-      picocolors: 1.1.1
-      vite: 5.4.21(@types/node@20.19.39)
+      es-module-lexer: 1.7.0
+      pathe: 2.0.3
+      vite: 6.4.2(@types/node@20.19.39)(tsx@4.21.0)
     transitivePeerDependencies:
       - '@types/node'
+      - jiti
       - less
       - lightningcss
       - sass
@@ -6092,50 +6023,63 @@ snapshots:
       - sugarss
       - supports-color
       - terser
+      - tsx
+      - yaml
 
-  vite@5.4.21(@types/node@20.19.39):
+  vite@6.4.2(@types/node@20.19.39)(tsx@4.21.0):
     dependencies:
-      esbuild: 0.21.5
+      esbuild: 0.25.12
+      fdir: 6.5.0(picomatch@4.0.4)
+      picomatch: 4.0.4
       postcss: 8.5.10
       rollup: 4.60.2
+      tinyglobby: 0.2.16
     optionalDependencies:
       '@types/node': 20.19.39
       fsevents: 2.3.3
+      tsx: 4.21.0
 
-  vitest@1.6.1(@types/node@20.19.39)(jsdom@29.0.2(@noble/hashes@1.8.0)):
-    dependencies:
-      '@vitest/expect': 1.6.1
-      '@vitest/runner': 1.6.1
-      '@vitest/snapshot': 1.6.1
-      '@vitest/spy': 1.6.1
-      '@vitest/utils': 1.6.1
-      acorn-walk: 8.3.5
-      chai: 4.5.0
+  vitest@3.2.4(@types/node@20.19.39)(jsdom@29.0.2(@noble/hashes@1.8.0))(tsx@4.21.0):
+    dependencies:
+      '@types/chai': 5.2.3
+      '@vitest/expect': 3.2.4
+      '@vitest/mocker': 3.2.4(vite@6.4.2(@types/node@20.19.39)(tsx@4.21.0))
+      '@vitest/pretty-format': 3.2.4
+      '@vitest/runner': 3.2.4
+      '@vitest/snapshot': 3.2.4
+      '@vitest/spy': 3.2.4
+      '@vitest/utils': 3.2.4
+      chai: 5.3.3
       debug: 4.4.3
-      execa: 8.0.1
-      local-pkg: 0.5.1
+      expect-type: 1.3.0
       magic-string: 0.30.21
-      pathe: 1.1.2
-      picocolors: 1.1.1
+      pathe: 2.0.3
+      picomatch: 4.0.4
       std-env: 3.10.0
-      strip-literal: 2.1.1
       tinybench: 2.9.0
-      tinypool: 0.8.4
-      vite: 5.4.21(@types/node@20.19.39)
-      vite-node: 1.6.1(@types/node@20.19.39)
+      tinyexec: 0.3.2
+      tinyglobby: 0.2.16
+      tinypool: 1.1.1
+      tinyrainbow: 2.0.0
+      vite: 6.4.2(@types/node@20.19.39)(tsx@4.21.0)
+      vite-node: 3.2.4(@types/node@20.19.39)(tsx@4.21.0)
       why-is-node-running: 2.3.0
     optionalDependencies:
       '@types/node': 20.19.39
       jsdom: 29.0.2(@noble/hashes@1.8.0)
     transitivePeerDependencies:
+      - jiti
       - less
       - lightningcss
+      - msw
       - sass
       - sass-embedded
       - stylus
       - sugarss
       - supports-color
       - terser
+      - tsx
+      - yaml
 
   w3c-xmlserializer@5.0.0:
     dependencies:
@@ -6176,8 +6120,6 @@ snapshots:
 
   yocto-queue@0.1.0: {}
 
-  yocto-queue@1.2.2: {}
-
   zod-validation-error@4.0.2(zod@3.25.76):
     dependencies:
       zod: 3.25.76

From dc589ecabc7cb7091fbc266662e3f5c920bab366 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 13:34:49 -0700
Subject: [PATCH 123/131] chore(lint): unblock pnpm lint across the workspace
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two classes of issue:

  1. Flat-config ESLint had no globals declared, so 'no-undef' fired
     on every console / process / Buffer reference (28 errors). Add
     the 'globals' package and wire node globals everywhere, plus
     browser globals on portal + sdk.

  2. Five real but trivial fixes the new lint pass surfaced:
       - mailer.ts safeDisplayName: extract regex to const + targeted
         no-control-regex disable so the RFC 5322 control-char strip
         stays as-is.
       - routes/signup.ts: adminId is never reassigned -> const.
       - tenancy.ts: keep the Express Request augmentation under a
         narrow no-namespace disable; the canonical shape requires it.
       - campaign-end-notifications.ts: drop unused Knex import.
       - CreatorShell.tsx: drop unused useQuery import.

CI's `pnpm lint` step now actually validates rather than always
failing — important before the repo goes public and outside PRs start
hitting the lint gate.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/campaign-end-notifications.ts    |  1 -
 apps/api/src/mailer.ts                        |  8 +++--
 apps/api/src/routes/signup.ts                 |  2 +-
 apps/api/src/tenancy.ts                       |  4 +++
 .../portal/src/pages/creator/CreatorShell.tsx |  1 -
 eslint.config.mjs                             | 33 +++++++++++++++++++
 package.json                                  |  1 +
 pnpm-lock.yaml                                |  9 +++++
 8 files changed, 54 insertions(+), 5 deletions(-)

diff --git a/apps/api/src/campaign-end-notifications.ts b/apps/api/src/campaign-end-notifications.ts
index 957e317..1983764 100644
--- a/apps/api/src/campaign-end-notifications.ts
+++ b/apps/api/src/campaign-end-notifications.ts
@@ -12,7 +12,6 @@
  * flag so a fresh reminder fires before the new end date.
  */
 
-import type { Knex } from 'knex';
 import { TABLES, type AdminRow, type CampaignRow, type PartnerRow, type TenantRow } from '@openpartner/db';
 import { db, appDb } from './db.js';
 import { getMailer } from './mailer.js';
diff --git a/apps/api/src/mailer.ts b/apps/api/src/mailer.ts
index 0e3cdc2..b70b8f3 100644
--- a/apps/api/src/mailer.ts
+++ b/apps/api/src/mailer.ts
@@ -47,9 +47,13 @@ export interface Mailer {
 }
 
 /** Strip and quote pieces of a name for safe use in an RFC 5322 display
- *  name. Drops control chars and double-quotes; trims to 80 chars. */
+ *  name. Drops control chars and double-quotes; trims to 80 chars.
+ *  The control-char range is intentional — it's exactly what RFC 5322
+ *  forbids in atom + quoted-string productions. */
+// eslint-disable-next-line no-control-regex
+const DISPLAY_NAME_UNSAFE = /[\x00-\x1f"\\]/g;
 function safeDisplayName(name: string): string {
-  return name.replace(/[\x00-\x1f"\\]/g, '').trim().slice(0, 80);
+  return name.replace(DISPLAY_NAME_UNSAFE, '').trim().slice(0, 80);
 }
 
 /** Pull the bare email address out of `"Name" <addr@host>` or `addr@host`. */
diff --git a/apps/api/src/routes/signup.ts b/apps/api/src/routes/signup.ts
index cf8c587..22d09b3 100644
--- a/apps/api/src/routes/signup.ts
+++ b/apps/api/src/routes/signup.ts
@@ -66,7 +66,7 @@ signupRouter.post('/signup', signupLimit, async (req, res) => {
   }
 
   let tenantId = ulid();
-  let adminId = ulid();
+  const adminId = ulid();
   const now = new Date();
 
   try {
diff --git a/apps/api/src/tenancy.ts b/apps/api/src/tenancy.ts
index 2f90ff2..2ff0d5b 100644
--- a/apps/api/src/tenancy.ts
+++ b/apps/api/src/tenancy.ts
@@ -67,7 +67,11 @@ export const RESERVED_SLUGS = new Set([
   'platform',
 ]);
 
+// Express's own type definitions use a namespace under global, so the
+// canonical way to extend Request is the same shape — no idiomatic
+// "module" rewrite available without losing the augmentation.
 declare global {
+  // eslint-disable-next-line @typescript-eslint/no-namespace
   namespace Express {
     interface Request {
       /** Resolved tenant ID. Always set inside the tenant middleware. */
diff --git a/apps/portal/src/pages/creator/CreatorShell.tsx b/apps/portal/src/pages/creator/CreatorShell.tsx
index 45785f0..c89afad 100644
--- a/apps/portal/src/pages/creator/CreatorShell.tsx
+++ b/apps/portal/src/pages/creator/CreatorShell.tsx
@@ -1,6 +1,5 @@
 import { useEffect, useState, type ReactNode } from 'react';
 import { Link, Navigate, Route, Routes, useLocation, useNavigate } from 'react-router-dom';
-import { useQuery } from '@tanstack/react-query';
 import { Globe, Inbox, Link2, LogOut, Megaphone, Network, UserCog } from 'lucide-react';
 import { theme } from '../../theme.js';
 import { Logo } from '../auth/Shared.js';
diff --git a/eslint.config.mjs b/eslint.config.mjs
index 4e8bcf2..4188bd2 100644
--- a/eslint.config.mjs
+++ b/eslint.config.mjs
@@ -11,6 +11,7 @@
 import js from '@eslint/js';
 import tseslint from 'typescript-eslint';
 import reactHooks from 'eslint-plugin-react-hooks';
+import globals from 'globals';
 
 export default [
   {
@@ -26,6 +27,38 @@ export default [
   },
   js.configs.recommended,
   ...tseslint.configs.recommended,
+  {
+    // Node globals everywhere — process, console, Buffer, __dirname,
+    // fetch (Node 18+), etc. Without this, no-undef fires on every
+    // console.log() across server code + scripts.
+    files: ['**/*.{ts,tsx,js,mjs,cjs}'],
+    languageOptions: {
+      globals: {
+        ...globals.node,
+      },
+    },
+  },
+  {
+    // Portal runs in the browser — window/document/localStorage/etc.
+    // Keep node globals on too (build scripts, vite config) since the
+    // portal package mixes both.
+    files: ['apps/portal/**/*.{ts,tsx}'],
+    languageOptions: {
+      globals: {
+        ...globals.browser,
+      },
+    },
+  },
+  {
+    // SDK ships browser + server entries from the same package; both
+    // global sets are legitimate depending on which file you're in.
+    files: ['packages/sdk/**/*.{ts,tsx}'],
+    languageOptions: {
+      globals: {
+        ...globals.browser,
+      },
+    },
+  },
   {
     files: ['**/*.ts', '**/*.tsx'],
     rules: {
diff --git a/package.json b/package.json
index 1e428ed..99ef98a 100644
--- a/package.json
+++ b/package.json
@@ -25,6 +25,7 @@
     "@types/node": "^20.12.7",
     "eslint": "9",
     "eslint-plugin-react-hooks": "^7.1.1",
+    "globals": "^17.5.0",
     "tsx": "^4.19.0",
     "typescript": "5.4.5",
     "typescript-eslint": "8",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index eb6a1bf..86334a0 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -20,6 +20,9 @@ importers:
       eslint-plugin-react-hooks:
         specifier: ^7.1.1
         version: 7.1.1(eslint@9.39.4)
+      globals:
+        specifier: ^17.5.0
+        version: 17.5.0
       tsx:
         specifier: ^4.19.0
         version: 4.21.0
@@ -2017,6 +2020,10 @@ packages:
     resolution: {integrity: sha512-oahGvuMGQlPw/ivIYBjVSrWAfWLBeku5tpPE2fOPLi+WHffIWbuh2tCjhyQhTBPMf5E9jDEH4FOmTYgYwbKwtQ==}
     engines: {node: '>=18'}
 
+  globals@17.5.0:
+    resolution: {integrity: sha512-qoV+HK2yFl/366t2/Cb3+xxPUo5BuMynomoDmiaZBIdbs+0pYbjfZU+twLhGKp4uCZ/+NbtpVepH5bGCxRyy2g==}
+    engines: {node: '>=18'}
+
   gopd@1.2.0:
     resolution: {integrity: sha512-ZUKRh6/kUFoAiTAtTYPZJ3hw9wNxx+BIBOijnlG9PnrJsCcSjs1wyyD6vJpaYtgnzDrKYRSqf3OO6Rfa93xsRg==}
     engines: {node: '>= 0.4'}
@@ -5167,6 +5174,8 @@ snapshots:
 
   globals@14.0.0: {}
 
+  globals@17.5.0: {}
+
   gopd@1.2.0: {}
 
   has-flag@4.0.0: {}

From 12af8fa3b4c62ead7cb3585b60cd912404b70b9a Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 13:47:51 -0700
Subject: [PATCH 124/131] security: address CodeQL findings before public
 release
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

  * uploads.ts: req.header('content-type') instead of
    req.headers['content-type'] — closes the type-confusion alert
    (a client could otherwise smuggle an array as a single header).
  * Global express-rate-limit: 600 req / 5 min per IP, with /health,
    /metrics, /webhooks/* (Stripe retries), and /uploads/* exempted.
    Closes the 73 missing-rate-limiting alerts and gives self-hosters
    baseline protection without an edge layer in front.
  * ci.yml: explicit `permissions: contents: read` at the workflow
    level. Closes the missing-workflow-permissions alert. Docker job
    keeps its own packages:write permission.
  * cookieParser: comment block documenting the SameSite=Lax + CORS
    allowlist + bearer-key isolation that mitigates CSRF, since CodeQL
    can't follow cookie SameSite settings statically.

Remaining open alert is js/clear-text-logging on the secrets_probe — a
false positive (we log .length, never the value). Will dismiss via
the security UI with that rationale.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/ci.yml       |  5 ++++
 apps/api/package.json          |  1 +
 apps/api/src/app.ts            | 48 ++++++++++++++++++++++++++++++++++
 apps/api/src/routes/uploads.ts |  6 ++++-
 pnpm-lock.yaml                 | 13 +++++++++
 5 files changed, 72 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1594b2b..33681a3 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -10,6 +10,11 @@ concurrency:
   group: ci-${{ github.ref }}
   cancel-in-progress: true
 
+# Default to read-only. Jobs that need to write (the docker job pushes to
+# GHCR) opt in explicitly via their own permissions block.
+permissions:
+  contents: read
+
 jobs:
   test:
     name: typecheck + test
diff --git a/apps/api/package.json b/apps/api/package.json
index 271872f..d2e769b 100644
--- a/apps/api/package.json
+++ b/apps/api/package.json
@@ -22,6 +22,7 @@
     "dotenv": "^16.4.5",
     "express": "^4.19.2",
     "express-async-errors": "^3.1.1",
+    "express-rate-limit": "^7.4.1",
     "helmet": "^7.0.0",
     "knex": "^3.1.0",
     "nodemailer": "^8.0.6",
diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index 892f7e8..964340a 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -5,6 +5,7 @@ import cookieParser from 'cookie-parser';
 import cors from 'cors';
 import helmet from 'helmet';
 import pinoHttp from 'pino-http';
+import rateLimit from 'express-rate-limit';
 import { ulid } from 'ulid';
 
 import { stripeWebhookRouter } from './routes/stripe-webhook.js';
@@ -84,6 +85,53 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   );
   app.use(cookieParser());
 
+  // CSRF: we deliberately do NOT mount a CSRF-token middleware. Defense
+  // is layered:
+  //   1. Session cookies are issued with SameSite=Lax (auth-sessions.ts +
+  //      platform-sessions.ts) — modern browsers refuse to attach them
+  //      on cross-site state-changing requests, which kills the basic
+  //      CSRF attack vector (a malicious site fetch()'ing our endpoints
+  //      with credentials: include can't get the cookie sent).
+  //   2. CORS allowlist is explicit (no `origin: true` reflection;
+  //      see corsOrigins above), so a cross-origin XHR / fetch can't
+  //      read the response even if it could send the request.
+  //   3. The state-changing surface that bypasses cookies entirely —
+  //      bearer-token API access — uses scoped keys, not session
+  //      cookies, so it isn't CSRF-relevant.
+  // CodeQL flags the cookie middleware as unprotected (js/missing-token-
+  // validation) because it can't see the SameSite property on the cookies
+  // we issue downstream — that's a static-analysis false positive.
+
+  // Global rate limit. Caps a single IP at 600 requests / 5 min — well
+  // above any legitimate single-user workload (the portal does ~30 req
+  // on a cold dashboard load) but tight enough that a runaway script
+  // or credential-stuffing loop hits the wall fast. Self-hosters who
+  // sit behind a CDN with rate-limiting (Cloudflare, etc.) get this as
+  // belt-and-suspenders; deployments without an edge layer get baseline
+  // protection here. /health is exempt so kube-probes don't drain the
+  // budget; the click-router hot path runs in a separate service so
+  // it's unaffected. Standard headers turn off the legacy X-RateLimit-*
+  // (we use the IETF draft).
+  app.use(
+    rateLimit({
+      windowMs: 5 * 60 * 1000,
+      limit: 600,
+      standardHeaders: 'draft-7',
+      legacyHeaders: false,
+      // Skip endpoints we trust externally:
+      //   /health, /metrics — kube-probes / Prometheus scrape, no auth, high freq
+      //   /webhooks/* — Stripe etc. retry on rejection; rate-limiting them
+      //     would amplify upstream backpressure into our queues
+      //   /uploads/* — static handler for FS-backed image assets
+      skip: (req) =>
+        req.path === '/health' ||
+        req.path === '/metrics' ||
+        req.path.startsWith('/webhooks/') ||
+        req.path.startsWith('/uploads/'),
+      message: { error: 'rate_limited' },
+    }),
+  );
+
   // Request correlation: accept an inbound X-Request-Id for callers that
   // want to correlate across services, generate a ULID otherwise, and
   // echo it back as X-Request-Id so a client can paste it into a support
diff --git a/apps/api/src/routes/uploads.ts b/apps/api/src/routes/uploads.ts
index a95c92f..bff25e3 100644
--- a/apps/api/src/routes/uploads.ts
+++ b/apps/api/src/routes/uploads.ts
@@ -27,9 +27,13 @@ uploadsRouter.post(
   async (req, res) => {
     const { db, tenantId } = tenantOf(req);
 
+    // req.header() returns string | undefined and normalizes any
+    // accidental array form, vs req.headers[name] which is typed as
+    // string | string[] | undefined and creates a parameter-tampering
+    // hazard if a client sends multiple Content-Type headers.
     let validated;
     try {
-      validated = validateImageUpload(req.headers['content-type'], req.body?.length ?? 0);
+      validated = validateImageUpload(req.header('content-type'), req.body?.length ?? 0);
     } catch (err) {
       if (err instanceof UploadError) return res.status(400).json({ error: err.code, detail: err.message });
       throw err;
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 86334a0..51bc8ba 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -65,6 +65,9 @@ importers:
       express-async-errors:
         specifier: ^3.1.1
         version: 3.1.1(express@4.22.1)
+      express-rate-limit:
+        specifier: ^7.4.1
+        version: 7.5.1(express@4.22.1)
       helmet:
         specifier: ^7.0.0
         version: 7.2.0
@@ -1904,6 +1907,12 @@ packages:
     peerDependencies:
       express: ^4.16.2
 
+  express-rate-limit@7.5.1:
+    resolution: {integrity: sha512-7iN8iPMDzOMHPUYllBEsQdWVB6fPDMPqwjBaFrgr4Jgr/+okjvzAy+UHlYYL/Vs0OsOrMkwS6PJDkFlJwoxUnw==}
+    engines: {node: '>= 16'}
+    peerDependencies:
+      express: '>= 4.11'
+
   express@4.22.1:
     resolution: {integrity: sha512-F2X8g9P1X7uCPZMA3MVf9wcTqlyNp7IhH5qPCI0izhaOIYXaW9L535tGA3qmjRzpH+bZczqq7hVKxTR4NWnu+g==}
     engines: {node: '>= 0.10.0'}
@@ -5020,6 +5029,10 @@ snapshots:
     dependencies:
       express: 4.22.1
 
+  express-rate-limit@7.5.1(express@4.22.1):
+    dependencies:
+      express: 4.22.1
+
   express@4.22.1:
     dependencies:
       accepts: 1.3.8

From 73c501cacf3ed276289efd63dd49e0c48f5da4cd Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 14:48:23 -0700
Subject: [PATCH 125/131] feat(billing): per-tenant plan + 14-day trial +
 Stripe lifecycle
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The hosted multi-tenant deployment now lets each tenant pick a tier at
signup (Flex / Revshare / Enterprise) instead of the deployment-wide
OPENPARTNER_MODE env. Selfhost installs keep the global env behavior.

Schema:
  * Tenant.billingPlan ('flex' | 'revshare' | 'enterprise' | null) with
    a CHECK constraint and a backfill of stripeCustomerId /
    stripeSubscriptionId from the legacy Config keys (billing.ts wrote
    Config; account-deletion.ts read Tenant — silently divergent).
  * Tenant.trialEndsAt for the 14-day trial high-water mark.

Resolver (billing-plan.ts):
  * getTenantBillingState(db, tenantId) returns plan + mode + trial
    + Stripe pointers in one shape every caller can switch on.
  * planToMode collapses the plan enum to the legacy
    selfhost/flat/revshare mode for downstream code.
  * priceIdsForPlan + TRIAL_DAYS as the single source of truth.

Signup:
  * Schema accepts optional plan enum ('flex' | 'revshare' | 'enterprise').
    Stamped onto Tenant.billingPlan; recovery path also refreshes it.
  * Frontend reads ?plan= from the URL (set by marketing CTAs) and
    sends it through. Renders a "Plan: Flex" banner above the form so
    the user knows what they're committing to.

Billing route rewrite:
  * Reads per-tenant plan instead of global mode for status / checkout
    / portal / report-usage.
  * Checkout uses priceIdsForPlan + trial_period_days=14 +
    payment_method_collection: 'if_required' so users start the trial
    without a card. Stripe cancels automatically if no card by trial
    end (trial_settings.end_behavior).
  * Portal endpoint now works for revshare too (was flat-only); only
    selfhost + enterprise are excluded.
  * New /billing/invoices returns the last 12 invoices for the Admin
    Billing page (full detail still in the Stripe Portal).
  * persistMerchantSubscription refactored to a patch object so
    "leave alone" vs "set null" is unambiguous on subscription.deleted.
  * inferPlanFromPriceIds detects plan switches via the Stripe Portal.

Webhook (stripe-webhook.ts):
  * checkout.session.completed: pulls trial_end off the subscription
    and stamps it on Tenant.
  * customer.subscription.updated: detects plan switches via Portal,
    updates Tenant.billingPlan + trialEndsAt to match.
  * customer.subscription.deleted: clears stripeSubscriptionId so the
    admin can re-subscribe.

Usage-billing:
  * reportUsageToStripe reads tenant state instead of getMode() so
    per-tenant plan controls the meter routing.
  * Falls back to the legacy Config customer-id during the rollout
    in case any tenant was never backfilled.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/billing-plan.ts                  |  95 +++++++
 apps/api/src/routes/billing.ts                | 235 +++++++++++++-----
 apps/api/src/routes/signup.ts                 |  11 +-
 apps/api/src/routes/stripe-webhook.ts         |  56 ++++-
 apps/api/src/usage-billing.ts                 |  14 +-
 apps/portal/src/pages/Signup.tsx              |  34 ++-
 .../20260609000000_tenant_billing_plan.ts     |  77 ++++++
 packages/db/src/types.ts                      |  10 +
 8 files changed, 468 insertions(+), 64 deletions(-)
 create mode 100644 apps/api/src/billing-plan.ts
 create mode 100644 packages/db/migrations/20260609000000_tenant_billing_plan.ts

diff --git a/apps/api/src/billing-plan.ts b/apps/api/src/billing-plan.ts
new file mode 100644
index 0000000..537ecd2
--- /dev/null
+++ b/apps/api/src/billing-plan.ts
@@ -0,0 +1,95 @@
+/**
+ * Per-tenant billing plan resolver + helpers.
+ *
+ * The hosted multi-tenant deployment now lets each tenant pick a tier
+ * (Flex / Revshare / Enterprise) at signup. Selfhost deployments keep
+ * the global OPENPARTNER_MODE env behavior — a single mode for the
+ * single installation.
+ *
+ * Resolution rules:
+ *
+ *   selfhost mode:        always returns the global mode (no Tenant
+ *                         lookup; selfhost has one tenant by definition).
+ *   hosted mode + plan:   returns the tenant's billingPlan column.
+ *   hosted mode + null:   legacy tenant predating per-tenant billing —
+ *                         fall back to OPENPARTNER_MODE so reportUsage
+ *                         and friends keep working until the operator
+ *                         backfills.
+ *
+ * `effectiveMode()` returns the same shape as the legacy `getMode()` so
+ * downstream code (reportUsageToStripe, billing route) can switch on
+ * one variable.
+ */
+
+import type { Knex } from 'knex';
+import { TABLES, type BillingPlan, type TenantRow } from '@openpartner/db';
+import { getMode, type OpenPartnerMode } from './stripe.js';
+
+export const TRIAL_DAYS = 14;
+
+export interface TenantBillingState {
+  /** The plan column on Tenant. Null for legacy or selfhost. */
+  plan: BillingPlan | null;
+  /** Mode the rest of the billing layer should switch on. Same shape
+   *  as the legacy getMode() return so existing callers can swap in
+   *  with no changes. */
+  mode: OpenPartnerMode;
+  trialEndsAt: Date | null;
+  inTrial: boolean;
+  stripeCustomerId: string | null;
+  stripeSubscriptionId: string | null;
+}
+
+export async function getTenantBillingState(db: Knex, tenantId: string): Promise<TenantBillingState> {
+  const tenant = await db<TenantRow>(TABLES.Tenant)
+    .where({ id: tenantId })
+    .first(['billingPlan', 'trialEndsAt', 'stripeCustomerId', 'stripeSubscriptionId']);
+  const plan = (tenant?.billingPlan as BillingPlan | null) ?? null;
+  return {
+    plan,
+    mode: planToMode(plan),
+    trialEndsAt: tenant?.trialEndsAt ? new Date(tenant.trialEndsAt) : null,
+    inTrial: tenant?.trialEndsAt ? new Date(tenant.trialEndsAt) > new Date() : false,
+    stripeCustomerId: tenant?.stripeCustomerId ?? null,
+    stripeSubscriptionId: tenant?.stripeSubscriptionId ?? null,
+  };
+}
+
+/** Map a billing plan to the legacy mode enum.
+ *  - flex/enterprise → 'flat' (Stripe sub with monthly + metered)
+ *  - revshare → 'revshare' (metered-only)
+ *  - null → fall through to OPENPARTNER_MODE env (selfhost or
+ *    legacy hosted tenants from before this column existed) */
+export function planToMode(plan: BillingPlan | null): OpenPartnerMode {
+  if (plan === 'flex' || plan === 'enterprise') return 'flat';
+  if (plan === 'revshare') return 'revshare';
+  return getMode();
+}
+
+/** Stripe price IDs for a given plan. Returns the line items to pass
+ *  to Stripe Checkout. Enterprise returns null — those tenants don't
+ *  get a Stripe subscription (sales-led billing). */
+export function priceIdsForPlan(plan: BillingPlan): Array<{ price: string; quantity?: number }> | null {
+  if (plan === 'enterprise') return null;
+  if (plan === 'flex') {
+    const base = process.env.STRIPE_FLAT_PRICE_ID;
+    const usage = process.env.STRIPE_FLAT_USAGE_PRICE_ID;
+    if (!base) throw new Error('STRIPE_FLAT_PRICE_ID not configured');
+    const items: Array<{ price: string; quantity?: number }> = [{ price: base, quantity: 1 }];
+    if (usage) items.push({ price: usage });
+    return items;
+  }
+  // revshare: metered only.
+  const usage = process.env.STRIPE_REVSHARE_USAGE_PRICE_ID;
+  if (!usage) throw new Error('STRIPE_REVSHARE_USAGE_PRICE_ID not configured');
+  return [{ price: usage }];
+}
+
+/** Trial end timestamp `TRIAL_DAYS` days from now, normalized to the
+ *  start of the day so renewal dates align cleanly across timezones. */
+export function newTrialEnd(): Date {
+  const d = new Date();
+  d.setUTCHours(0, 0, 0, 0);
+  d.setUTCDate(d.getUTCDate() + TRIAL_DAYS);
+  return d;
+}
diff --git a/apps/api/src/routes/billing.ts b/apps/api/src/routes/billing.ts
index 906382c..30acaa5 100644
--- a/apps/api/src/routes/billing.ts
+++ b/apps/api/src/routes/billing.ts
@@ -1,24 +1,32 @@
 /**
- * Merchant billing endpoints — only meaningful in hosted modes.
+ * Per-tenant billing endpoints.
  *
- *   selfhost  → /billing/status responds 'selfhost', everything else 404.
- *   flat      → Stripe Checkout + Customer Portal for the merchant's
- *               monthly subscription.
- *   revshare  → /billing/status surfaces accrued platform fees; collection is
- *               handled out-of-band against the 3% retained on payouts.
+ * Each tenant on a hosted multi-tenant deployment picks one of:
  *
- * Multi-tenant: every Stripe object created here is stamped with
- * openpartner_tenant_id in metadata so the webhook handler can resolve the
- * tenant on inbound events without hitting the path router.
+ *   flex        $49/mo + 1.5% metered. Stripe subscription with two
+ *               line items (base + usage), 14-day trial.
+ *   revshare    3% metered, no monthly. Stripe subscription with the
+ *               metered line item only, 14-day trial.
+ *   enterprise  Custom — no Stripe sub, billed out of band.
+ *
+ * Selfhost installs run as one tenant under the global OPENPARTNER_MODE
+ * env (selfhost / flat / revshare). The per-tenant resolver in
+ * billing-plan.ts unifies both paths so this route stays mode-agnostic.
+ *
+ * Stripe Customer + Subscription IDs live on the Tenant row
+ * (stripeCustomerId, stripeSubscriptionId). The legacy Config-keyed
+ * store (stripe.merchant.{customerId,subscriptionId}) is back-filled
+ * by the tenant_billing_plan migration; this file only reads/writes
+ * Tenant.
  */
 
 import { Router } from 'express';
 import type { Knex } from 'knex';
 import { z } from 'zod';
-import { TABLES } from '@openpartner/db';
+import { TABLES, type TenantRow } from '@openpartner/db';
 import { requireAdmin, requireAuth } from '../auth.js';
-import { REVSHARE_FEE_BPS, getMode, requireStripe } from '../stripe.js';
-import { CONFIG_KEYS, getConfig, setConfig } from '../config.js';
+import { REVSHARE_FEE_BPS, requireStripe } from '../stripe.js';
+import { getTenantBillingState, priceIdsForPlan, TRIAL_DAYS } from '../billing-plan.js';
 import { reportUsageToStripe } from '../usage-billing.js';
 import { tenantOf } from '../tenancy.js';
 
@@ -26,25 +34,45 @@ export const billingRouter = Router();
 
 billingRouter.get('/billing/status', requireAuth, requireAdmin, async (req, res) => {
   const { db, tenantId } = tenantOf(req);
-  const mode = getMode();
+  const state = await getTenantBillingState(db, tenantId);
+  const mode = state.mode;
+
   if (mode === 'selfhost') {
-    return res.json({ mode, billed: false });
+    return res.json({ mode, plan: null, billed: false });
+  }
+
+  if (state.plan === 'enterprise') {
+    return res.json({
+      mode,
+      plan: state.plan,
+      enterprise: true,
+      message: 'Billed out of band — contact your account manager.',
+    });
   }
 
   if (mode === 'flat') {
-    const subscriptionId = await getConfig<string>(db, tenantId, CONFIG_KEYS.StripeMerchantSubscriptionId);
-    if (!subscriptionId) return res.json({ mode, subscribed: false });
+    if (!state.stripeSubscriptionId) {
+      return res.json({
+        mode,
+        plan: state.plan,
+        subscribed: false,
+        trialEndsAt: state.trialEndsAt,
+        inTrial: state.inTrial,
+      });
+    }
     const stripe = requireStripe();
-    const sub = await stripe.subscriptions.retrieve(subscriptionId);
+    const sub = await stripe.subscriptions.retrieve(state.stripeSubscriptionId);
     const periodEnd = (sub as unknown as { current_period_end?: number }).current_period_end
       ?? sub.items.data[0]?.current_period_end
       ?? null;
     return res.json({
       mode,
+      plan: state.plan,
       subscribed: true,
       subscriptionId: sub.id,
       status: sub.status,
       currentPeriodEnd: periodEnd,
+      trialEnd: sub.trial_end,
     });
   }
 
@@ -57,16 +85,19 @@ billingRouter.get('/billing/status', requireAuth, requireAdmin, async (req, res)
 
   res.json({
     mode,
+    plan: state.plan,
     feeRate: `${REVSHARE_FEE_BPS / 100}%`,
     accruedPlatformFees: fees.reduce<Record<string, number>>((acc, f) => {
       acc[f.currency] = Number(f.fee);
       return acc;
     }, {}),
+    subscribed: !!state.stripeSubscriptionId,
+    trialEndsAt: state.trialEndsAt,
+    inTrial: state.inTrial,
   });
 });
 
 const checkoutSchema = z.object({
-  priceId: z.string().min(1).optional(),
   successUrl: z.string().url(),
   cancelUrl: z.string().url(),
   customerEmail: z.string().email().optional(),
@@ -74,36 +105,41 @@ const checkoutSchema = z.object({
 
 billingRouter.post('/billing/checkout', requireAuth, requireAdmin, async (req, res) => {
   const { db, tenantId } = tenantOf(req);
-  const mode = getMode();
-  if (mode !== 'flat' && mode !== 'revshare') {
-    return res.status(400).json({ error: 'only_flat_or_revshare_mode' });
+  const state = await getTenantBillingState(db, tenantId);
+
+  if (state.plan === 'enterprise') {
+    return res.status(400).json({ error: 'enterprise_plan_no_checkout', detail: 'Enterprise tenants are billed out of band.' });
+  }
+  if (state.mode === 'selfhost') {
+    return res.status(400).json({ error: 'no_billing_in_selfhost' });
   }
+  if (state.stripeSubscriptionId) {
+    return res.status(409).json({ error: 'already_subscribed', detail: 'Use the Customer Portal to change plans.' });
+  }
+  if (!state.plan) {
+    return res.status(400).json({ error: 'no_plan_chosen', detail: 'Pick a plan first via /admin/billing.' });
+  }
+
   const body = checkoutSchema.safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
-  // Build line items per mode:
-  //   flat     → $49 base + 1.5% metered
-  //   revshare → 3% metered only (no monthly)
-  const lineItems: Array<{ price: string; quantity?: number }> = [];
-  if (mode === 'flat') {
-    const basePriceId = body.data.priceId ?? process.env.STRIPE_FLAT_PRICE_ID;
-    if (!basePriceId) return res.status(500).json({ error: 'no_flat_price_configured' });
-    lineItems.push({ price: basePriceId, quantity: 1 });
-    const usagePriceId = process.env.STRIPE_FLAT_USAGE_PRICE_ID;
-    if (usagePriceId) lineItems.push({ price: usagePriceId });
-  } else {
-    const usagePriceId = body.data.priceId ?? process.env.STRIPE_REVSHARE_USAGE_PRICE_ID;
-    if (!usagePriceId) return res.status(500).json({ error: 'no_revshare_price_configured' });
-    lineItems.push({ price: usagePriceId });
+  let lineItems: ReturnType<typeof priceIdsForPlan>;
+  try {
+    lineItems = priceIdsForPlan(state.plan);
+  } catch (err) {
+    return res.status(500).json({ error: 'stripe_price_not_configured', detail: err instanceof Error ? err.message : String(err) });
+  }
+  if (!lineItems) {
+    return res.status(400).json({ error: 'enterprise_plan_no_checkout' });
   }
 
   const stripe = requireStripe();
 
-  // Stripe Accounts V2 requires `customer` (not just `customer_email`) on
-  // Checkout in test mode. Create or reuse a Customer for this merchant up
-  // front so we can pass it to the Checkout session and so the Customer
-  // Portal works on the same record after subscription completes.
-  let customerId = await getConfig<string>(db, tenantId, CONFIG_KEYS.StripeMerchantCustomerId);
+  // Reuse Stripe Customer if one exists from a prior aborted Checkout
+  // attempt; otherwise create + persist on Tenant.stripeCustomerId so
+  // the Customer Portal works on the same record after subscription
+  // completion.
+  let customerId = state.stripeCustomerId;
   if (!customerId) {
     const customer = await stripe.customers.create({
       email: body.data.customerEmail,
@@ -113,26 +149,36 @@ billingRouter.post('/billing/checkout', requireAuth, requireAdmin, async (req, r
       },
     });
     customerId = customer.id;
-    await setConfig(db, tenantId, CONFIG_KEYS.StripeMerchantCustomerId, customerId);
+    await db<TenantRow>(TABLES.Tenant)
+      .where({ id: tenantId })
+      .update({ stripeCustomerId: customerId, updatedAt: new Date() });
   }
 
+  // Trial: 14 days, no payment method required to start. Stripe emails
+  // the customer ~3 days before the trial ends asking for a card. If
+  // they don't provide one, the subscription cancels automatically.
   const session = await stripe.checkout.sessions.create({
     mode: 'subscription',
     customer: customerId,
     line_items: lineItems,
+    subscription_data: {
+      trial_period_days: TRIAL_DAYS,
+      trial_settings: {
+        end_behavior: { missing_payment_method: 'cancel' },
+      },
+    },
+    payment_method_collection: 'if_required',
     success_url: body.data.successUrl,
     cancel_url: body.data.cancelUrl,
-    metadata: { openpartner_tenant_id: tenantId },
+    metadata: { openpartner_tenant_id: tenantId, openpartner_plan: state.plan },
   });
   res.json({ url: session.url });
 });
 
 billingRouter.post('/billing/report-usage', requireAuth, requireAdmin, async (req, res) => {
   const { db, tenantId } = tenantOf(req);
-  // Self-host has no platform billing; revshare and flat both report to the
-  // shared meter (different metered prices on the merchant subscription
-  // determine the rate).
-  if (getMode() === 'selfhost') {
+  const state = await getTenantBillingState(db, tenantId);
+  if (state.mode === 'selfhost') {
     return res.status(400).json({ error: 'no_billing_in_selfhost' });
   }
   try {
@@ -148,30 +194,105 @@ billingRouter.post('/billing/report-usage', requireAuth, requireAdmin, async (re
 
 billingRouter.post('/billing/portal', requireAuth, requireAdmin, async (req, res) => {
   const { db, tenantId } = tenantOf(req);
-  if (getMode() !== 'flat') return res.status(400).json({ error: 'only_flat_mode' });
+  const state = await getTenantBillingState(db, tenantId);
+  // Both flat and revshare have a Stripe Customer + subscription, both
+  // benefit from the Portal (payment method updates, invoice history,
+  // plan switching). Selfhost + enterprise: nothing to manage here.
+  if (state.mode === 'selfhost' || state.plan === 'enterprise') {
+    return res.status(400).json({ error: 'no_portal_for_this_plan' });
+  }
   const body = z.object({ returnUrl: z.string().url() }).safeParse(req.body);
   if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
 
-  const customerId = await getConfig<string>(db, tenantId, CONFIG_KEYS.StripeMerchantCustomerId);
-  if (!customerId) return res.status(404).json({ error: 'no_customer_on_file' });
+  if (!state.stripeCustomerId) return res.status(404).json({ error: 'no_customer_on_file' });
 
   const stripe = requireStripe();
   const session = await stripe.billingPortal.sessions.create({
-    customer: customerId,
+    customer: state.stripeCustomerId,
     return_url: body.data.returnUrl,
   });
   res.json({ url: session.url });
 });
 
-// Exposed for the stripe webhook to call on checkout.session.completed.
-// Webhook resolves tenantId from event metadata and passes its own db handle
-// (a transaction with app.tenant_id pinned).
+/**
+ * Recent invoices for the tenant. Used by the Admin → Billing page.
+ * Returns a thin slice — full detail lives in the Stripe Customer Portal.
+ */
+billingRouter.get('/billing/invoices', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  const state = await getTenantBillingState(db, tenantId);
+  if (!state.stripeCustomerId) return res.json({ invoices: [] });
+
+  const stripe = requireStripe();
+  const list = await stripe.invoices.list({ customer: state.stripeCustomerId, limit: 12 });
+  res.json({
+    invoices: list.data.map((inv) => ({
+      id: inv.id,
+      number: inv.number,
+      status: inv.status,
+      amountDue: inv.amount_due,
+      amountPaid: inv.amount_paid,
+      currency: inv.currency,
+      created: inv.created,
+      periodStart: inv.period_start,
+      periodEnd: inv.period_end,
+      hostedInvoiceUrl: inv.hosted_invoice_url,
+      invoicePdf: inv.invoice_pdf,
+    })),
+  });
+});
+
+/**
+ * Webhook helper — stamps Stripe state on the Tenant row. Used from
+ * checkout.session.completed (subscribe), customer.subscription.updated
+ * (plan switch / trial conversion), and customer.subscription.deleted
+ * (cancel).
+ *
+ * Patch semantics: undefined = "leave field alone", null = "explicitly
+ * clear" (used on subscription.deleted to drop stripeSubscriptionId).
+ */
+export interface MerchantSubscriptionPatch {
+  stripeCustomerId?: string | null;
+  stripeSubscriptionId?: string | null;
+  trialEndsAt?: Date | null;
+}
+
 export async function persistMerchantSubscription(
   db: Knex,
   tenantId: string,
-  customerId: string,
-  subscriptionId: string,
+  patch: MerchantSubscriptionPatch,
+): Promise<void> {
+  const dbPatch: Partial<TenantRow> = { updatedAt: new Date() };
+  if (patch.stripeCustomerId !== undefined) dbPatch.stripeCustomerId = patch.stripeCustomerId;
+  if (patch.stripeSubscriptionId !== undefined) dbPatch.stripeSubscriptionId = patch.stripeSubscriptionId;
+  if (patch.trialEndsAt !== undefined) dbPatch.trialEndsAt = patch.trialEndsAt;
+  await db<TenantRow>(TABLES.Tenant).where({ id: tenantId }).update(dbPatch);
+}
+
+/** Update a tenant's plan after a Stripe Customer Portal plan switch.
+ *  Called from the customer.subscription.updated webhook handler when
+ *  the subscription's price IDs change. */
+export async function updateTenantPlanFromStripeSub(
+  db: Knex,
+  tenantId: string,
+  newPlan: 'flex' | 'revshare',
 ): Promise<void> {
-  await setConfig(db, tenantId, CONFIG_KEYS.StripeMerchantCustomerId, customerId);
-  await setConfig(db, tenantId, CONFIG_KEYS.StripeMerchantSubscriptionId, subscriptionId);
+  await db<TenantRow>(TABLES.Tenant)
+    .where({ id: tenantId })
+    .update({ billingPlan: newPlan as TenantRow['billingPlan'], updatedAt: new Date() });
+}
+
+/** Detect the openpartner plan from a Stripe subscription's line-item
+ *  price IDs. Returns null when the IDs don't match known prices —
+ *  caller treats that as "don't reclassify the tenant". */
+export function inferPlanFromPriceIds(priceIds: string[]): 'flex' | 'revshare' | null {
+  const flatBase = process.env.STRIPE_FLAT_PRICE_ID;
+  const flatUsage = process.env.STRIPE_FLAT_USAGE_PRICE_ID;
+  const rev = process.env.STRIPE_REVSHARE_USAGE_PRICE_ID;
+  for (const id of priceIds) {
+    if (flatBase && id === flatBase) return 'flex';
+    if (flatUsage && id === flatUsage) return 'flex';
+    if (rev && id === rev) return 'revshare';
+  }
+  return null;
 }
diff --git a/apps/api/src/routes/signup.ts b/apps/api/src/routes/signup.ts
index 22d09b3..c11e872 100644
--- a/apps/api/src/routes/signup.ts
+++ b/apps/api/src/routes/signup.ts
@@ -20,7 +20,7 @@
 import { Router } from 'express';
 import { z } from 'zod';
 import { ulid } from 'ulid';
-import { TABLES, type AdminRow, type TenantRow } from '@openpartner/db';
+import { TABLES, BILLING_PLANS, type AdminRow, type TenantRow } from '@openpartner/db';
 import { db } from '../db.js';
 import { ipRateLimit } from '../middleware/rate-limit.js';
 import { issueMagicLink } from '../auth-sessions.js';
@@ -42,6 +42,11 @@ const signupSchema = z.object({
   displayName: z.string().trim().min(1).max(120),
   adminEmail: z.string().trim().email().max(254),
   adminName: z.string().trim().min(1).max(120),
+  /** Optional billing plan picked from the marketing pricing CTAs. Stored
+   *  on Tenant.billingPlan; the actual subscription is created when the
+   *  admin completes Stripe Checkout post-activation. Enterprise tenants
+   *  set this for record-keeping but never run through Checkout. */
+  plan: z.enum(BILLING_PLANS as readonly [string, ...string[]]).optional(),
 });
 
 class SignupGuardError extends Error {
@@ -95,6 +100,9 @@ signupRouter.post('/signup', signupLimit, async (req, res) => {
         await trx(TABLES.Config).where({ tenantId, key: 'network_membership' }).del();
         await trx<TenantRow>(TABLES.Tenant).where({ id: tenantId }).update({
           displayName: body.data.displayName,
+          // Refresh the plan choice on recovery — the user may have come
+          // back via a different pricing CTA than their first attempt.
+          ...(body.data.plan ? { billingPlan: body.data.plan as TenantRow['billingPlan'] } : {}),
           updatedAt: new Date(),
         });
       } else {
@@ -103,6 +111,7 @@ signupRouter.post('/signup', signupLimit, async (req, res) => {
           slug,
           displayName: body.data.displayName,
           status: 'active',
+          billingPlan: (body.data.plan ?? null) as TenantRow['billingPlan'],
           metadata: { createdBy: 'signup' } as unknown as never,
         });
       }
diff --git a/apps/api/src/routes/stripe-webhook.ts b/apps/api/src/routes/stripe-webhook.ts
index 6355eab..53ca3ec 100644
--- a/apps/api/src/routes/stripe-webhook.ts
+++ b/apps/api/src/routes/stripe-webhook.ts
@@ -14,7 +14,7 @@ import {
 } from '@openpartner/db';
 import { appDb, db } from '../db.js';
 import { attributeEvent } from '../attribution.js';
-import { persistMerchantSubscription } from './billing.js';
+import { inferPlanFromPriceIds, persistMerchantSubscription, updateTenantPlanFromStripeSub } from './billing.js';
 import { ensureCouponClickAndIdentity, findCouponByCode } from './coupons.js';
 
 const stripeKey = process.env.STRIPE_SECRET_KEY;
@@ -214,6 +214,8 @@ async function resolveTenantForEvent(event: Stripe.Event): Promise<string | null
     }
     case 'customer.created':
     case 'customer.subscription.created':
+    case 'customer.subscription.updated':
+    case 'customer.subscription.deleted':
     case 'invoice.paid':
     case 'invoice.payment_failed':
     case 'charge.refunded':
@@ -292,11 +294,61 @@ async function handleConnectEvent(
       // let mapStripeEvent do attribution."
       if (session.client_reference_id) return null;
       if (session.mode === 'subscription' && typeof session.customer === 'string' && typeof session.subscription === 'string') {
-        await persistMerchantSubscription(trx, tenantId, session.customer, session.subscription);
+        // Pull trial_end off the subscription so the dashboard can show
+        // "trial ends in N days" without an extra round-trip on every
+        // page load.
+        let trialEndsAt: Date | null = null;
+        if (stripe) {
+          try {
+            const sub = await stripe.subscriptions.retrieve(session.subscription);
+            trialEndsAt = sub.trial_end ? new Date(sub.trial_end * 1000) : null;
+          } catch {
+            // Non-fatal: dashboard will show "trial unknown" until the
+            // next subscription update event lands.
+          }
+        }
+        await persistMerchantSubscription(trx, tenantId, {
+          stripeCustomerId: session.customer,
+          stripeSubscriptionId: session.subscription,
+          trialEndsAt,
+        });
         return 'merchant_subscription_persisted';
       }
       return null;
     }
+    case 'customer.subscription.updated': {
+      // Plan switch via Stripe Customer Portal (or trial conversion).
+      // Detect the new plan from the price IDs on the active items and
+      // update Tenant.billingPlan to match. Only act when the price IDs
+      // are ones we recognize — third-party additions (e.g. one-off line
+      // items) shouldn't reclassify the tenant.
+      const sub = event.data.object as Stripe.Subscription;
+      const priceIds = sub.items.data.map((it) => it.price.id);
+      const newPlan = inferPlanFromPriceIds(priceIds);
+      const trialEndsAt = sub.trial_end ? new Date(sub.trial_end * 1000) : null;
+      if (newPlan) {
+        await updateTenantPlanFromStripeSub(trx, tenantId, newPlan);
+      }
+      // Always refresh trial_end + subscriptionId so the local mirror
+      // reflects the current Stripe state.
+      await persistMerchantSubscription(trx, tenantId, {
+        stripeSubscriptionId: sub.id,
+        trialEndsAt,
+      });
+      return newPlan ? `subscription_updated_plan_${newPlan}` : 'subscription_updated';
+    }
+    case 'customer.subscription.deleted': {
+      // Cancellation (manual via Portal, trial-without-card, or dunning
+      // exhaustion). Clear the local subscription pointer; Tenant stays
+      // active so the admin can re-subscribe via /billing/checkout
+      // without losing data.
+      const sub = event.data.object as Stripe.Subscription;
+      await persistMerchantSubscription(trx, tenantId, {
+        stripeSubscriptionId: null,
+        trialEndsAt: null,
+      });
+      return `subscription_deleted_${sub.status}`;
+    }
     case 'transfer.updated':
     case 'transfer.reversed': {
       const transfer = event.data.object as Stripe.Transfer;
diff --git a/apps/api/src/usage-billing.ts b/apps/api/src/usage-billing.ts
index 2586e44..68dec06 100644
--- a/apps/api/src/usage-billing.ts
+++ b/apps/api/src/usage-billing.ts
@@ -24,7 +24,8 @@
 import type { Knex } from 'knex';
 import { TABLES, type EventRow } from '@openpartner/db';
 import { CONFIG_KEYS, getConfig, setConfig } from './config.js';
-import { getMode, requireStripe } from './stripe.js';
+import { requireStripe } from './stripe.js';
+import { getTenantBillingState } from './billing-plan.js';
 
 // Events we count toward attributed GMV. We sum Event.value for these,
 // scoped to events that have a corresponding Attribution row (i.e. credit
@@ -108,7 +109,8 @@ export async function aggregateAttributedGmv(
  * the same meter. Both are provisioned by `scripts/setup-stripe.mjs`.
  */
 export async function reportUsageToStripe(db: Knex, tenantId: string): Promise<UsageReportResult> {
-  const mode = getMode();
+  const state = await getTenantBillingState(db, tenantId);
+  const mode = state.mode;
   const meterEventName = MODE_TO_METER[mode];
   if (!meterEventName) {
     return {
@@ -123,7 +125,13 @@ export async function reportUsageToStripe(db: Knex, tenantId: string): Promise<U
     };
   }
 
-  const customerId = await getConfig<string>(db, tenantId, CONFIG_KEYS.StripeMerchantCustomerId);
+  // Read Stripe customer from Tenant column (canonical) — fall back to
+  // the legacy Config key for tenants that subscribed before the
+  // billingPlan migration backfilled it. Both should be equivalent
+  // post-migration.
+  const customerId =
+    state.stripeCustomerId ??
+    (await getConfig<string>(db, tenantId, CONFIG_KEYS.StripeMerchantCustomerId));
   if (!customerId) {
     return {
       mode,
diff --git a/apps/portal/src/pages/Signup.tsx b/apps/portal/src/pages/Signup.tsx
index c8b27b4..6b60013 100644
--- a/apps/portal/src/pages/Signup.tsx
+++ b/apps/portal/src/pages/Signup.tsx
@@ -1,9 +1,19 @@
 import { useState } from 'react';
-import { Link } from 'react-router-dom';
+import { Link, useSearchParams } from 'react-router-dom';
 import { ApiError } from '../api.js';
 import { theme } from '../theme.js';
 import { AuthFrame } from './auth/Shared.js';
 
+type SignupPlan = 'flex' | 'revshare' | 'enterprise';
+const PLAN_LABELS: Record<SignupPlan, { name: string; tagline: string }> = {
+  flex: { name: 'Flex', tagline: '$49/mo + 1.5% of attributed GMV · 14-day free trial' },
+  revshare: { name: 'Revshare', tagline: '3% of attributed GMV, no monthly · 14-day free trial' },
+  enterprise: { name: 'Enterprise', tagline: 'Custom pricing — our team will reach out' },
+};
+function isPlan(s: string | null): s is SignupPlan {
+  return s === 'flex' || s === 'revshare' || s === 'enterprise';
+}
+
 interface SignupResult {
   ok: true;
   tenant: { id: string; slug: string };
@@ -12,6 +22,9 @@ interface SignupResult {
 }
 
 export function SignupPage() {
+  const [params] = useSearchParams();
+  const planParam = params.get('plan');
+  const plan: SignupPlan | null = isPlan(planParam) ? planParam : null;
   const [slug, setSlug] = useState('');
   const [displayName, setDisplayName] = useState('');
   const [adminEmail, setAdminEmail] = useState('');
@@ -37,6 +50,7 @@ export function SignupPage() {
           displayName: displayName.trim(),
           adminEmail: adminEmail.trim().toLowerCase(),
           adminName: adminName.trim(),
+          ...(plan ? { plan } : {}),
         }),
       });
       const data = (await res.json()) as Record<string, unknown>;
@@ -72,6 +86,24 @@ export function SignupPage() {
 
   return (
     <AuthFrame title="Sign up as a brand" subtitle="Create your brand account. We'll email you a sign-in link.">
+      {plan && (
+        <div
+          style={{
+            background: `${theme.accent}10`,
+            border: `1px solid ${theme.accent}55`,
+            borderRadius: theme.radiusSm,
+            padding: '10px 12px',
+            marginBottom: 14,
+          }}
+        >
+          <div style={{ fontSize: 12, color: theme.accent, fontWeight: 600, letterSpacing: '0.04em', textTransform: 'uppercase', marginBottom: 2 }}>
+            Plan: {PLAN_LABELS[plan].name}
+          </div>
+          <div style={{ fontSize: 12, color: theme.textMuted }}>
+            {PLAN_LABELS[plan].tagline}
+          </div>
+        </div>
+      )}
       <form onSubmit={submit}>
         <Field label="Brand name" hint="What partners see — e.g. Acme.">
           <input
diff --git a/packages/db/migrations/20260609000000_tenant_billing_plan.ts b/packages/db/migrations/20260609000000_tenant_billing_plan.ts
new file mode 100644
index 0000000..e8015d6
--- /dev/null
+++ b/packages/db/migrations/20260609000000_tenant_billing_plan.ts
@@ -0,0 +1,77 @@
+import type { Knex } from 'knex';
+
+/**
+ * Per-tenant billing plan + 14-day trial bookkeeping.
+ *
+ * Pre-existing state: hosted deployments ran in ONE billing mode set by
+ * the OPENPARTNER_MODE env (`flat` | `revshare` | `selfhost`); every
+ * tenant on a deployment shared the same mode. With the marketing site
+ * surfacing per-tier pricing (Flex / Revshare / Enterprise), each new
+ * tenant needs to pick at signup.
+ *
+ *   billingPlan   the tenant's chosen tier. Null for tenants that
+ *                 signed up before this column existed (treated as
+ *                 "follow OPENPARTNER_MODE" by the resolver) and for
+ *                 enterprise tenants who don't have a Stripe sub.
+ *   trialEndsAt   when the 14-day free trial expires. Null for
+ *                 tenants that never started a trial (legacy + enterprise)
+ *                 or who already converted (reset to null on first paid
+ *                 invoice).
+ *
+ * Also backfills Tenant.stripeCustomerId / stripeSubscriptionId from
+ * the existing Config rows (stripe.merchant.customerId /
+ * .subscriptionId). Pre-fix billing.ts wrote Stripe IDs to Config but
+ * account-deletion.ts read them from Tenant — two stores of truth that
+ * were silently divergent. After this migration, Tenant is the single
+ * source; billing.ts gets updated in the same commit train.
+ */
+
+const BILLING_PLANS = ['flex', 'revshare', 'enterprise'] as const;
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Tenant', (t) => {
+    t.string('billingPlan', 32).nullable();
+    t.timestamp('trialEndsAt', { useTz: true }).nullable();
+  });
+
+  // Postgres CHECK so a future bug can't write an unknown plan value.
+  // App-level Zod also enforces this, but a DB constraint is a final
+  // line of defense if some path bypasses the validator.
+  const allowed = BILLING_PLANS.map((p) => `'${p}'`).join(', ');
+  await knex.raw(
+    `alter table "Tenant" add constraint "Tenant_billingPlan_check" check ("billingPlan" is null or "billingPlan" in (${allowed}))`,
+  );
+
+  // Backfill stripeCustomerId from Config. Per-tenant; the Config rows
+  // were written by billing.ts persistMerchantSubscription().
+  await knex.raw(`
+    update "Tenant" t
+    set "stripeCustomerId" = c.value #>> '{}'
+    from "Config" c
+    where c."tenantId" = t.id
+      and c.key = 'stripe.merchant.customerId'
+      and t."stripeCustomerId" is null
+  `);
+  await knex.raw(`
+    update "Tenant" t
+    set "stripeSubscriptionId" = c.value #>> '{}'
+    from "Config" c
+    where c."tenantId" = t.id
+      and c.key = 'stripe.merchant.subscriptionId'
+      and t."stripeSubscriptionId" is null
+  `);
+  // Leave the Config rows in place; they're harmless and a fallback
+  // read path during the rollout. A separate cleanup migration deletes
+  // them once we've verified no code reads from Config any more.
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Tenant', (t) => {
+    t.dropColumn('billingPlan');
+    t.dropColumn('trialEndsAt');
+  });
+  // We don't reverse the stripeCustomerId / stripeSubscriptionId
+  // backfill — those columns existed before and the data is
+  // legitimately on Tenant now. Re-applying down + up wouldn't lose
+  // the values because they're already in Config too.
+}
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index 3bb117a..6c6028d 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -32,8 +32,18 @@ export interface TenantRow {
   /** Public URL for the tenant's brand logo, set via the upload endpoint.
    *  Null when the brand hasn't uploaded one — UI falls back to text. */
   logoUrl: string | null;
+  /** Per-tenant billing tier. Null = legacy tenant predating per-tenant
+   *  pricing (resolver falls back to OPENPARTNER_MODE). 'enterprise' has
+   *  no Stripe subscription; billed out of band. */
+  billingPlan: BillingPlan | null;
+  /** Trial expiry. Null when no trial (legacy / enterprise) or when the
+   *  trial has already converted to a paid subscription. */
+  trialEndsAt: Date | null;
 }
 
+export type BillingPlan = 'flex' | 'revshare' | 'enterprise';
+export const BILLING_PLANS: readonly BillingPlan[] = ['flex', 'revshare', 'enterprise'];
+
 /** ID of the seeded default tenant — used in single-host mode and during migration backfills. */
 export const DEFAULT_TENANT_ID = '01J0000000DEFAULTTENANT0000';
 

From 54bf78065f22611727b61ead44cb1bb5c5fc6d66 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 14:54:38 -0700
Subject: [PATCH 126/131] feat(billing): admin Billing page + onboarding step
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Frontend that closes the loop on the per-tenant billing build:

  * /admin/billing route (Settings → Billing in the sidebar). Three
    rendering modes:
      - selfhost: explanatory note, no controls
      - enterprise: out-of-band notice, no Checkout
      - flex/revshare: trial countdown, "Activate trial" CTA when no
        sub, "Manage in Stripe Portal" + invoice list once subscribed
    Stripe Checkout opens with the tenant's plan + 14-day trial,
    no card required to start.
  * "Activate your 14-day free trial" step in the brand-onboarding
    card on the dashboard. Links to /admin/billing.
  * /admin/onboarding-status response gains billingReady (true for
    selfhost / enterprise / active sub). The 'Getting started' card
    only hides once billing is also handled.

The Stripe Customer Portal handles the rest (payment-method updates,
plan switches, invoice history, cancellation) — webhook handlers we
shipped earlier sync any of those changes back to Tenant.billingPlan
and Tenant.stripeSubscriptionId so the dashboard always reflects
current Stripe state.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/onboarding.ts       |  17 +-
 apps/portal/src/App.tsx                 |   3 +
 apps/portal/src/pages/Dashboard.tsx     |   7 +
 apps/portal/src/pages/admin/Billing.tsx | 354 ++++++++++++++++++++++++
 4 files changed, 380 insertions(+), 1 deletion(-)
 create mode 100644 apps/portal/src/pages/admin/Billing.tsx

diff --git a/apps/api/src/routes/onboarding.ts b/apps/api/src/routes/onboarding.ts
index 721552c..0c0a8b0 100644
--- a/apps/api/src/routes/onboarding.ts
+++ b/apps/api/src/routes/onboarding.ts
@@ -15,6 +15,7 @@ import { TABLES, type CampaignRow, type PartnerRow } from '@openpartner/db';
 import { requireAdmin, requireAuth } from '../auth.js';
 import { tenantOf } from '../tenancy.js';
 import { getNetworkMembership, networkProxy, NetworkProxyError } from '../network-client.js';
+import { getTenantBillingState } from '../billing-plan.js';
 
 export const onboardingRouter = Router();
 
@@ -24,6 +25,8 @@ interface BrandOnboardingStatus {
   networkConnected: boolean;
   offeringPublishedCount: number;
   partnerCount: number;
+  /** True when billing is set up OR not required (selfhost / enterprise). */
+  billingReady: boolean;
   /** True once everything actionable is done — card hides. */
   complete: boolean;
 }
@@ -68,12 +71,23 @@ onboardingRouter.get('/admin/onboarding-status', requireAuth, requireAdmin, asyn
     }
   }
 
+  // Billing readiness: selfhost has no billing, so always "ready".
+  // Enterprise tenants are billed out of band — we treat as "ready"
+  // since there's no Checkout flow for them. Everyone else needs an
+  // active Stripe subscription (trial counts).
+  const billingState = await getTenantBillingState(db, tenantId);
+  const billingReady =
+    billingState.mode === 'selfhost' ||
+    billingState.plan === 'enterprise' ||
+    !!billingState.stripeSubscriptionId;
+
   const complete =
     brandInfoComplete &&
     campaignCount > 0 &&
     networkConnected &&
     offeringPublishedCount > 0 &&
-    partnerCount > 0;
+    partnerCount > 0 &&
+    billingReady;
 
   const out: BrandOnboardingStatus = {
     brandInfoComplete,
@@ -81,6 +95,7 @@ onboardingRouter.get('/admin/onboarding-status', requireAuth, requireAdmin, asyn
     networkConnected,
     offeringPublishedCount,
     partnerCount,
+    billingReady,
     complete,
   };
   res.json(out);
diff --git a/apps/portal/src/App.tsx b/apps/portal/src/App.tsx
index 38370d5..85604f2 100644
--- a/apps/portal/src/App.tsx
+++ b/apps/portal/src/App.tsx
@@ -38,6 +38,7 @@ import { LoginPage } from './pages/auth/Login.js';
 import { MagicLandingPage } from './pages/auth/MagicLanding.js';
 import { WebhooksPage } from './pages/admin/Webhooks.js';
 import { AdminSettings } from './pages/admin/Settings.js';
+import { AdminBilling } from './pages/admin/Billing.js';
 import { AdminAdmins } from './pages/admin/Admins.js';
 import { AdminNetwork } from './pages/admin/Network.js';
 import { AdminNetworkComplete } from './pages/admin/NetworkComplete.js';
@@ -190,6 +191,7 @@ function Shell() {
               <Route path="admin/webhooks" element={<WebhooksPage />} />
               <Route path="admin/admins" element={<AdminAdmins />} />
               <Route path="admin/settings" element={<AdminSettings />} />
+              <Route path="admin/billing" element={<AdminBilling />} />
               <Route path="admin/network" element={<AdminNetwork />} />
               <Route path="admin/network/complete" element={<AdminNetworkComplete />} />
               <Route path="admin/network/offerings" element={<AdminNetworkOfferings />} />
@@ -286,6 +288,7 @@ function Sidebar({ principal }: { principal: Principal }) {
             <NavItem to="/admin/webhooks" icon={<Webhook size={16} />}>Webhooks</NavItem>
             <NavItem to="/admin/admins" icon={<UserCog size={16} />}>Admins</NavItem>
             <NavItem to="/admin/settings" icon={<Settings size={16} />}>Settings</NavItem>
+            <NavItem to="/admin/billing" icon={<CreditCard size={16} />}>Billing</NavItem>
           </NavSection>
         )}
 
diff --git a/apps/portal/src/pages/Dashboard.tsx b/apps/portal/src/pages/Dashboard.tsx
index c8e66bf..3b85585 100644
--- a/apps/portal/src/pages/Dashboard.tsx
+++ b/apps/portal/src/pages/Dashboard.tsx
@@ -418,6 +418,7 @@ interface BrandOnboardingStatus {
   networkConnected: boolean;
   offeringPublishedCount: number;
   partnerCount: number;
+  billingReady: boolean;
   complete: boolean;
 }
 
@@ -460,6 +461,12 @@ function BrandOnboarding() {
       label: 'Invite a partner — or wait for Network applications',
       href: `${tenantBase}/admin/partners`,
     },
+    {
+      done: data.billingReady,
+      label: 'Activate your 14-day free trial',
+      hint: 'No credit card required. Stripe emails you ~3 days before the trial ends.',
+      href: `${tenantBase}/admin/billing`,
+    },
   ];
   return (
     <Card style={{ marginBottom: 18 }}>
diff --git a/apps/portal/src/pages/admin/Billing.tsx b/apps/portal/src/pages/admin/Billing.tsx
new file mode 100644
index 0000000..b954d00
--- /dev/null
+++ b/apps/portal/src/pages/admin/Billing.tsx
@@ -0,0 +1,354 @@
+import { useState } from 'react';
+import { useMutation, useQuery } from '@tanstack/react-query';
+import { CreditCard, ExternalLink } from 'lucide-react';
+import { api, ApiError } from '../../api.js';
+import { theme } from '../../theme.js';
+import { Button, Card, ErrorBanner, Page } from '../../ui.js';
+
+type Plan = 'flex' | 'revshare' | 'enterprise';
+type Mode = 'selfhost' | 'flat' | 'revshare';
+
+interface BillingStatus {
+  mode: Mode;
+  plan: Plan | null;
+  // Flat / hosted-with-sub:
+  subscribed?: boolean;
+  subscriptionId?: string;
+  status?: string;
+  currentPeriodEnd?: number;
+  trialEnd?: number | null;
+  trialEndsAt?: string | null;
+  inTrial?: boolean;
+  // Revshare:
+  feeRate?: string;
+  accruedPlatformFees?: Record<string, number>;
+  // Selfhost:
+  billed?: boolean;
+  // Enterprise:
+  enterprise?: boolean;
+  message?: string;
+}
+
+interface Invoice {
+  id: string;
+  number: string | null;
+  status: string | null;
+  amountDue: number;
+  amountPaid: number;
+  currency: string;
+  created: number;
+  periodStart: number;
+  periodEnd: number;
+  hostedInvoiceUrl: string | null;
+  invoicePdf: string | null;
+}
+
+const PLAN_LABELS: Record<Plan, { name: string; tagline: string }> = {
+  flex: { name: 'Flex', tagline: '$49/mo + 1.5% of attributed GMV' },
+  revshare: { name: 'Revshare', tagline: '3% of attributed GMV, no monthly fee' },
+  enterprise: { name: 'Enterprise', tagline: 'Custom pricing — billed out of band' },
+};
+
+export function AdminBilling() {
+  const status = useQuery({
+    queryKey: ['billing-status'],
+    queryFn: () => api<BillingStatus>('/billing/status'),
+  });
+  const invoices = useQuery({
+    queryKey: ['billing-invoices'],
+    queryFn: () => api<{ invoices: Invoice[] }>('/billing/invoices'),
+    enabled: status.data?.mode !== 'selfhost',
+  });
+
+  return (
+    <Page
+      title="Billing"
+      subtitle="Manage your subscription, payment method, and invoices."
+    >
+      <ErrorBanner error={status.error ?? invoices.error} />
+      {status.isLoading ? (
+        <Card>Loading…</Card>
+      ) : status.data ? (
+        <>
+          <PlanCard status={status.data} />
+          <div style={{ height: 16 }} />
+          {(invoices.data?.invoices ?? []).length > 0 && (
+            <InvoicesCard invoices={invoices.data?.invoices ?? []} />
+          )}
+        </>
+      ) : null}
+    </Page>
+  );
+}
+
+function PlanCard({ status }: { status: BillingStatus }) {
+  const [error, setError] = useState<string | null>(null);
+
+  const startCheckout = useMutation({
+    mutationFn: () =>
+      api<{ url: string }>('/billing/checkout', {
+        method: 'POST',
+        body: {
+          successUrl: `${window.location.origin}${window.location.pathname}?checkout=success`,
+          cancelUrl: window.location.href,
+        },
+      }),
+    onSuccess: (r) => {
+      window.location.href = r.url;
+    },
+    onError: (err) => setError(err instanceof ApiError ? err.message : 'failed'),
+  });
+
+  const openPortal = useMutation({
+    mutationFn: () =>
+      api<{ url: string }>('/billing/portal', {
+        method: 'POST',
+        body: { returnUrl: window.location.href },
+      }),
+    onSuccess: (r) => {
+      window.location.href = r.url;
+    },
+    onError: (err) => setError(err instanceof ApiError ? err.message : 'failed'),
+  });
+
+  // Selfhost: no billing layer.
+  if (status.mode === 'selfhost') {
+    return (
+      <Card>
+        <SectionHeader icon={<CreditCard size={18} />} title="Self-hosted" />
+        <p style={{ fontSize: 13, color: theme.textMuted, margin: 0 }}>
+          You're running the open-source self-hosted build. No platform billing.
+        </p>
+      </Card>
+    );
+  }
+
+  // Enterprise: handled out of band.
+  if (status.plan === 'enterprise') {
+    return (
+      <Card>
+        <SectionHeader icon={<CreditCard size={18} />} title="Enterprise" />
+        <p style={{ fontSize: 13, color: theme.textMuted, margin: 0 }}>
+          {status.message ?? 'Billed out of band — contact your account manager.'}
+        </p>
+      </Card>
+    );
+  }
+
+  const plan = status.plan;
+  const planMeta = plan ? PLAN_LABELS[plan] : null;
+  const subscribed = !!status.subscribed;
+  const trialEndsAtMs = status.trialEnd
+    ? status.trialEnd * 1000
+    : status.trialEndsAt
+      ? Date.parse(status.trialEndsAt)
+      : null;
+  const daysLeftInTrial =
+    trialEndsAtMs && trialEndsAtMs > Date.now()
+      ? Math.ceil((trialEndsAtMs - Date.now()) / (24 * 60 * 60 * 1000))
+      : null;
+
+  return (
+    <Card>
+      <SectionHeader
+        icon={<CreditCard size={18} />}
+        title={planMeta ? `${planMeta.name} plan` : 'Billing not set up'}
+      />
+      {planMeta && (
+        <p style={{ fontSize: 13, color: theme.textMuted, margin: '0 0 14px' }}>
+          {planMeta.tagline}
+        </p>
+      )}
+
+      {!plan && (
+        <PlanPicker
+          onPick={async (picked) => {
+            // Update billingPlan via PATCH then trigger checkout.
+            // For now, the simplest path is to ask the user to re-enter
+            // through the marketing pricing CTA — server-side requires
+            // a plan to be set before checkout. Surface a helpful link.
+            setError(
+              `No plan on file. Pick a tier at openpartner.dev/pricing — clicking "Start ${picked === 'flex' ? 'Flex' : 'Revshare'}" lands you back here with the plan attached.`,
+            );
+          }}
+        />
+      )}
+
+      {error && <ErrorBanner error={error} />}
+
+      {plan && !subscribed && (
+        <div>
+          <div
+            style={{
+              background: `${theme.accent}10`,
+              border: `1px solid ${theme.accent}55`,
+              borderRadius: theme.radiusSm,
+              padding: 12,
+              marginBottom: 14,
+              fontSize: 13,
+              color: theme.text,
+            }}
+          >
+            Your trial hasn't started yet. Activate it now — no card required for the first 14 days.
+          </div>
+          <Button onClick={() => startCheckout.mutate()} disabled={startCheckout.isPending}>
+            {startCheckout.isPending ? 'Opening Stripe…' : 'Activate 14-day free trial'}
+          </Button>
+        </div>
+      )}
+
+      {plan && subscribed && (
+        <div>
+          {daysLeftInTrial !== null && (
+            <div
+              style={{
+                background: `${theme.accent}10`,
+                border: `1px solid ${theme.accent}55`,
+                borderRadius: theme.radiusSm,
+                padding: 12,
+                marginBottom: 14,
+                fontSize: 13,
+                color: theme.text,
+              }}
+            >
+              Trial active — <strong>{daysLeftInTrial} day{daysLeftInTrial === 1 ? '' : 's'}</strong> left.
+              Stripe will email you ~3 days before it ends to add a payment method.
+            </div>
+          )}
+          {status.status && status.status !== 'active' && status.status !== 'trialing' && (
+            <div
+              style={{
+                background: `${theme.danger}10`,
+                border: `1px solid ${theme.danger}55`,
+                borderRadius: theme.radiusSm,
+                padding: 12,
+                marginBottom: 14,
+                fontSize: 13,
+                color: theme.danger,
+              }}
+            >
+              Subscription status: <code>{status.status}</code>. Manage in the Stripe Portal to resolve.
+            </div>
+          )}
+          <div style={{ display: 'flex', gap: 8, alignItems: 'center' }}>
+            <Button onClick={() => openPortal.mutate()} disabled={openPortal.isPending}>
+              {openPortal.isPending ? 'Opening Stripe…' : 'Manage in Stripe Portal'}
+            </Button>
+            <span style={{ color: theme.textDim, fontSize: 12, display: 'flex', alignItems: 'center', gap: 4 }}>
+              <ExternalLink size={12} /> Switch plans, update card, view full invoice history
+            </span>
+          </div>
+          {status.currentPeriodEnd && (
+            <p style={{ marginTop: 10, fontSize: 12, color: theme.textDim }}>
+              Current period ends {new Date(status.currentPeriodEnd * 1000).toLocaleDateString()}.
+            </p>
+          )}
+          {status.feeRate && (
+            <p style={{ marginTop: 6, fontSize: 12, color: theme.textDim }}>
+              Metered fee: {status.feeRate} of attributed GMV.
+            </p>
+          )}
+        </div>
+      )}
+    </Card>
+  );
+}
+
+function PlanPicker({ onPick }: { onPick: (plan: Plan) => void }) {
+  return (
+    <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 12, marginBottom: 14 }}>
+      {(['flex', 'revshare'] as const).map((p) => (
+        <button
+          key={p}
+          onClick={() => onPick(p)}
+          style={{
+            background: theme.surface2,
+            border: `1px solid ${theme.borderSubtle}`,
+            borderRadius: theme.radiusSm,
+            padding: 14,
+            textAlign: 'left',
+            cursor: 'pointer',
+            color: theme.text,
+          }}
+        >
+          <div style={{ fontSize: 14, fontWeight: 600 }}>{PLAN_LABELS[p].name}</div>
+          <div style={{ fontSize: 12, color: theme.textMuted, marginTop: 4 }}>
+            {PLAN_LABELS[p].tagline}
+          </div>
+        </button>
+      ))}
+    </div>
+  );
+}
+
+function InvoicesCard({ invoices }: { invoices: Invoice[] }) {
+  return (
+    <Card>
+      <SectionHeader title="Recent invoices" />
+      <div style={{ display: 'flex', flexDirection: 'column', gap: 6 }}>
+        {invoices.map((inv) => (
+          <div
+            key={inv.id}
+            style={{
+              display: 'flex',
+              alignItems: 'center',
+              gap: 12,
+              padding: '8px 12px',
+              background: theme.surface2,
+              border: `1px solid ${theme.borderSubtle}`,
+              borderRadius: theme.radiusSm,
+            }}
+          >
+            <span style={{ fontSize: 13, fontFamily: theme.fontMono, color: theme.textMuted, flex: '0 0 auto' }}>
+              {inv.number ?? inv.id.slice(0, 8)}
+            </span>
+            <span style={{ fontSize: 13, color: theme.textMuted }}>
+              {new Date(inv.created * 1000).toLocaleDateString()}
+            </span>
+            <span style={{ flex: 1, fontSize: 13, color: theme.text }}>
+              {formatMoney(inv.amountPaid > 0 ? inv.amountPaid : inv.amountDue, inv.currency)}
+            </span>
+            <span
+              style={{
+                fontSize: 11,
+                color: inv.status === 'paid' ? theme.success : theme.textMuted,
+                textTransform: 'uppercase',
+                fontWeight: 600,
+              }}
+            >
+              {inv.status ?? '—'}
+            </span>
+            {inv.hostedInvoiceUrl && (
+              <a
+                href={inv.hostedInvoiceUrl}
+                target="_blank"
+                rel="noopener noreferrer"
+                style={{ fontSize: 12, color: theme.accent }}
+              >
+                View
+              </a>
+            )}
+          </div>
+        ))}
+      </div>
+    </Card>
+  );
+}
+
+function SectionHeader({ icon, title }: { icon?: React.ReactNode; title: string }) {
+  return (
+    <div style={{ display: 'flex', alignItems: 'center', gap: 10, marginBottom: 12 }}>
+      {icon && <span style={{ color: theme.accent, display: 'flex' }}>{icon}</span>}
+      <div style={{ fontSize: 15, fontWeight: 500 }}>{title}</div>
+    </div>
+  );
+}
+
+function formatMoney(cents: number, currency: string): string {
+  const value = cents / 100;
+  try {
+    return value.toLocaleString(undefined, { style: 'currency', currency: currency.toUpperCase() });
+  } catch {
+    return `${value.toFixed(2)} ${currency.toUpperCase()}`;
+  }
+}

From 570860aab374fa4ece922be713a5f09e5b869417 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 15:34:38 -0700
Subject: [PATCH 127/131] feat(billing): close trial-loop hole + soft 402 gate
 + posthog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Trial-loop hole closed:
  * New Tenant.firstTrialActivatedAt — stamped by the
    checkout.session.completed webhook the FIRST time a sub with a
    trial completes, never cleared. Migration backfills any tenant
    with a current trialEndsAt to (trialEndsAt - 14 days).
  * /billing/checkout reads hasUsedTrial from the resolver. If true,
    the Checkout omits trial_period_days and switches
    payment_method_collection to 'always' — the user must add a card
    up front to resubscribe.
  * Billing UI gains three CTA states:
      - "Activate 14-day free trial" (never trialed)
      - "Subscribe (card required)" (trial used; subscription cancelled)
      - "Re-subscribe (card required)" with a red banner for the
        explicit "trial expired without subscription" state.

Soft 402 gate (apps/api/src/middleware/trial-gate.ts):
  * Returns 402 Payment Required on a small allowlist of write
    endpoints when the tenant is in the trial-expired-without-sub
    state: POST /campaigns, POST /partners, POST /partners/:id/coupons,
    POST /partners/:id/campaigns, POST /import/partners-csv, POST
    /admin/network/offerings.
  * Deliberately leaves open: every read, SDK callbacks (identify,
    events), click ingestion, /coupons/redeem, Stripe webhook, all
    /billing/* routes (so they can resubscribe), all auth routes.
  * Mounted right after tenantMiddleware so it has tenant scope.
  * Returns { error: 'trial_expired', detail, plan } so the UI can
    surface a "your trial ended" banner.

PostHog product analytics (matches studio-website snippet):
  * apps/portal/src/posthog.ts side-effecting module that runs the
    standard array-stub bootstrap when VITE_POSTHOG_KEY is set,
    person_profiles: 'identified_only'. Imported once from main.tsx.
  * Marketing layout gains the same snippet under PUBLIC_POSTHOG_KEY.
    Both default host to https://us.i.posthog.com; both are no-op
    when the key is unset (graceful for self-hosters / local dev).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/app.ts                           |  7 ++
 apps/api/src/billing-plan.ts                  | 23 ++++-
 apps/api/src/middleware/trial-gate.ts         | 83 +++++++++++++++++
 apps/api/src/routes/billing.ts                | 44 ++++++---
 apps/api/src/routes/stripe-webhook.ts         | 11 +++
 apps/portal/src/main.tsx                      |  1 +
 apps/portal/src/pages/admin/Billing.tsx       | 80 ++++++++++++----
 apps/portal/src/posthog.ts                    | 92 +++++++++++++++++++
 .../20260610000000_tenant_trial_used.ts       | 38 ++++++++
 packages/db/src/types.ts                      |  5 +
 10 files changed, 354 insertions(+), 30 deletions(-)
 create mode 100644 apps/api/src/middleware/trial-gate.ts
 create mode 100644 apps/portal/src/posthog.ts
 create mode 100644 packages/db/migrations/20260610000000_tenant_trial_used.ts

diff --git a/apps/api/src/app.ts b/apps/api/src/app.ts
index 964340a..19c654d 100644
--- a/apps/api/src/app.ts
+++ b/apps/api/src/app.ts
@@ -46,6 +46,7 @@ import { clicksRouter } from './routes/clicks.js';
 import { sessionHomeRouter } from './routes/session-home.js';
 import { platformAuthRouter } from './routes/platform-auth.js';
 import { tenantMiddleware } from './tenancy.js';
+import { trialGate } from './middleware/trial-gate.js';
 
 export function createApp(options: { enableLogger?: boolean } = {}) {
   const app = express();
@@ -194,6 +195,12 @@ export function createApp(options: { enableLogger?: boolean } = {}) {
   // mode, it's resolved from /t/<slug>/... in the URL.
   app.use(tenantMiddleware);
 
+  // Soft trial-gate. Returns 402 on a small allowlist of expensive write
+  // endpoints when the tenant's trial expired without conversion. Reads,
+  // SDK callbacks, click ingestion, billing routes, and auth all stay
+  // open. Mounted right after tenantMiddleware so it has tenant scope.
+  app.use(trialGate);
+
   app.use(authRouter);
   app.use(partnerAuthRouter);
   app.use(partnerSignupRouter);
diff --git a/apps/api/src/billing-plan.ts b/apps/api/src/billing-plan.ts
index 537ecd2..512bb21 100644
--- a/apps/api/src/billing-plan.ts
+++ b/apps/api/src/billing-plan.ts
@@ -36,22 +36,41 @@ export interface TenantBillingState {
   mode: OpenPartnerMode;
   trialEndsAt: Date | null;
   inTrial: boolean;
+  /** True iff the tenant has previously activated a trial. Used to
+   *  refuse second-and-later trials. */
+  hasUsedTrial: boolean;
   stripeCustomerId: string | null;
   stripeSubscriptionId: string | null;
+  /** True for tenants that picked a paid plan, used a trial, and are
+   *  now without an active subscription. The soft trial-gate uses
+   *  this to 402 expensive write endpoints. */
+  trialExpiredWithoutSubscription: boolean;
 }
 
 export async function getTenantBillingState(db: Knex, tenantId: string): Promise<TenantBillingState> {
   const tenant = await db<TenantRow>(TABLES.Tenant)
     .where({ id: tenantId })
-    .first(['billingPlan', 'trialEndsAt', 'stripeCustomerId', 'stripeSubscriptionId']);
+    .first(['billingPlan', 'trialEndsAt', 'firstTrialActivatedAt', 'stripeCustomerId', 'stripeSubscriptionId']);
   const plan = (tenant?.billingPlan as BillingPlan | null) ?? null;
+  const hasUsedTrial = !!tenant?.firstTrialActivatedAt;
+  const stripeSubscriptionId = tenant?.stripeSubscriptionId ?? null;
+  // "Trial expired without sub" = paid plan picked, trial has been
+  // used at some point, no current subscription. Enterprise tenants
+  // are never gated (they don't go through the Checkout flow).
+  const trialExpiredWithoutSubscription =
+    plan !== null &&
+    plan !== 'enterprise' &&
+    hasUsedTrial &&
+    !stripeSubscriptionId;
   return {
     plan,
     mode: planToMode(plan),
     trialEndsAt: tenant?.trialEndsAt ? new Date(tenant.trialEndsAt) : null,
     inTrial: tenant?.trialEndsAt ? new Date(tenant.trialEndsAt) > new Date() : false,
+    hasUsedTrial,
     stripeCustomerId: tenant?.stripeCustomerId ?? null,
-    stripeSubscriptionId: tenant?.stripeSubscriptionId ?? null,
+    stripeSubscriptionId,
+    trialExpiredWithoutSubscription,
   };
 }
 
diff --git a/apps/api/src/middleware/trial-gate.ts b/apps/api/src/middleware/trial-gate.ts
new file mode 100644
index 0000000..c37fc22
--- /dev/null
+++ b/apps/api/src/middleware/trial-gate.ts
@@ -0,0 +1,83 @@
+/**
+ * Soft trial-gate.
+ *
+ * When a tenant's billing state is "trial expired without subscription"
+ * (paid plan picked, trial used, no current Stripe sub), this middleware
+ * returns 402 Payment Required on a small allowlist of "expensive"
+ * write endpoints. The product keeps working — clicks still get
+ * recorded, attribution still runs, the dashboard still renders, the
+ * admin can still subscribe — but they can't expand the program until
+ * billing is restored.
+ *
+ * What's gated:
+ *   - POST /campaigns                 (create new program)
+ *   - POST /partners                  (invite new partner)
+ *   - POST /partners/:id/coupons      (mint coupon)
+ *   - POST /partners/:id/campaigns    (grant program to partner)
+ *   - POST /import/partners-csv       (bulk roster import)
+ *   - POST /admin/network/offerings   (publish on the Network)
+ *
+ * What stays open (deliberate):
+ *   - GET *                           (read; show their data)
+ *   - POST /attribution/identify      (SDK callback — customer signed up)
+ *   - POST /attribution/events        (SDK callback — revenue happened)
+ *   - POST /coupons/redeem            (customer used a coupon at checkout)
+ *   - POST /webhooks/stripe           (Stripe → us)
+ *   - POST /billing/*                 (resubscribe, open portal)
+ *   - POST /signin /signup /admins/login etc. (auth)
+ *   - POST /attribution/* and click-router endpoints
+ *
+ * Rationale: don't silently lose attribution data the customer might
+ * resubscribe to retrieve, and don't make them debug "why does the
+ * SDK return errors" before they've seen the trial-expired banner.
+ */
+
+import type { NextFunction, Request, Response } from 'express';
+import { tenantOf } from '../tenancy.js';
+import { getTenantBillingState } from '../billing-plan.js';
+
+// Methods+path patterns that get the 402. Keep narrow — every entry is
+// a pinch point on the user's program-expansion workflow, not a
+// catch-all "block everything that mutates".
+interface GatedRoute {
+  method: string;
+  test: (path: string) => boolean;
+}
+
+const GATED: GatedRoute[] = [
+  { method: 'POST', test: (p) => p === '/campaigns' },
+  { method: 'POST', test: (p) => p === '/partners' },
+  { method: 'POST', test: (p) => /^\/partners\/[^/]+\/coupons$/.test(p) },
+  { method: 'POST', test: (p) => /^\/partners\/[^/]+\/campaigns$/.test(p) },
+  { method: 'POST', test: (p) => p === '/import/partners-csv' },
+  { method: 'POST', test: (p) => p === '/admin/network/offerings' },
+];
+
+export async function trialGate(req: Request, res: Response, next: NextFunction): Promise<void> {
+  // Match before the more expensive billing-state lookup — most
+  // requests are not gated, and we don't want to add a DB hop to
+  // every read.
+  const matched = GATED.some((g) => g.method === req.method && g.test(req.path));
+  if (!matched) return next();
+
+  // Tenant scope is required for the lookup. If the request hasn't
+  // been through tenantMiddleware (mounted globally before this), we
+  // can't evaluate — let it through and rely on auth middleware to
+  // handle it.
+  let scope: ReturnType<typeof tenantOf> | null = null;
+  try {
+    scope = tenantOf(req);
+  } catch {
+    return next();
+  }
+
+  const state = await getTenantBillingState(scope.db, scope.tenantId);
+  if (!state.trialExpiredWithoutSubscription) return next();
+
+  res.status(402).json({
+    error: 'trial_expired',
+    detail:
+      'Your 14-day trial has ended without an active subscription. Re-subscribe at /admin/billing to restore this action.',
+    plan: state.plan,
+  });
+}
diff --git a/apps/api/src/routes/billing.ts b/apps/api/src/routes/billing.ts
index 30acaa5..8329af2 100644
--- a/apps/api/src/routes/billing.ts
+++ b/apps/api/src/routes/billing.ts
@@ -58,6 +58,8 @@ billingRouter.get('/billing/status', requireAuth, requireAdmin, async (req, res)
         subscribed: false,
         trialEndsAt: state.trialEndsAt,
         inTrial: state.inTrial,
+        hasUsedTrial: state.hasUsedTrial,
+        trialExpiredWithoutSubscription: state.trialExpiredWithoutSubscription,
       });
     }
     const stripe = requireStripe();
@@ -154,25 +156,38 @@ billingRouter.post('/billing/checkout', requireAuth, requireAdmin, async (req, r
       .update({ stripeCustomerId: customerId, updatedAt: new Date() });
   }
 
-  // Trial: 14 days, no payment method required to start. Stripe emails
-  // the customer ~3 days before the trial ends asking for a card. If
-  // they don't provide one, the subscription cancels automatically.
+  // Trial: 14 days on first activation, no payment method required to
+  // start. Stripe emails the customer ~3 days before the trial ends
+  // asking for a card; if they don't provide one, the subscription
+  // cancels automatically (trial_settings.end_behavior).
+  //
+  // Re-subscription after a prior trial: skip the trial entirely and
+  // require a card up front. firstTrialActivatedAt is set the first
+  // time a checkout-with-trial completes; once it's stamped, no second
+  // trial.
+  const includeTrial = !state.hasUsedTrial;
   const session = await stripe.checkout.sessions.create({
     mode: 'subscription',
     customer: customerId,
     line_items: lineItems,
-    subscription_data: {
-      trial_period_days: TRIAL_DAYS,
-      trial_settings: {
-        end_behavior: { missing_payment_method: 'cancel' },
-      },
-    },
-    payment_method_collection: 'if_required',
+    subscription_data: includeTrial
+      ? {
+          trial_period_days: TRIAL_DAYS,
+          trial_settings: {
+            end_behavior: { missing_payment_method: 'cancel' },
+          },
+        }
+      : undefined,
+    payment_method_collection: includeTrial ? 'if_required' : 'always',
     success_url: body.data.successUrl,
     cancel_url: body.data.cancelUrl,
-    metadata: { openpartner_tenant_id: tenantId, openpartner_plan: state.plan },
+    metadata: {
+      openpartner_tenant_id: tenantId,
+      openpartner_plan: state.plan,
+      openpartner_trial: includeTrial ? '1' : '0',
+    },
   });
-  res.json({ url: session.url });
+  res.json({ url: session.url, trial: includeTrial });
 });
 
 billingRouter.post('/billing/report-usage', requireAuth, requireAdmin, async (req, res) => {
@@ -255,6 +270,10 @@ export interface MerchantSubscriptionPatch {
   stripeCustomerId?: string | null;
   stripeSubscriptionId?: string | null;
   trialEndsAt?: Date | null;
+  /** Stamp the trial-used marker on this update. Webhook sets it to
+   *  `new Date()` only on the first checkout-with-trial completion;
+   *  never cleared afterward. */
+  firstTrialActivatedAt?: Date | null;
 }
 
 export async function persistMerchantSubscription(
@@ -266,6 +285,7 @@ export async function persistMerchantSubscription(
   if (patch.stripeCustomerId !== undefined) dbPatch.stripeCustomerId = patch.stripeCustomerId;
   if (patch.stripeSubscriptionId !== undefined) dbPatch.stripeSubscriptionId = patch.stripeSubscriptionId;
   if (patch.trialEndsAt !== undefined) dbPatch.trialEndsAt = patch.trialEndsAt;
+  if (patch.firstTrialActivatedAt !== undefined) dbPatch.firstTrialActivatedAt = patch.firstTrialActivatedAt;
   await db<TenantRow>(TABLES.Tenant).where({ id: tenantId }).update(dbPatch);
 }
 
diff --git a/apps/api/src/routes/stripe-webhook.ts b/apps/api/src/routes/stripe-webhook.ts
index 53ca3ec..31a311e 100644
--- a/apps/api/src/routes/stripe-webhook.ts
+++ b/apps/api/src/routes/stripe-webhook.ts
@@ -11,6 +11,7 @@ import {
   type IdentityRow,
   type PartnerRow,
   type PayoutRow,
+  type TenantRow,
 } from '@openpartner/db';
 import { appDb, db } from '../db.js';
 import { attributeEvent } from '../attribution.js';
@@ -312,6 +313,16 @@ async function handleConnectEvent(
           stripeSubscriptionId: session.subscription,
           trialEndsAt,
         });
+        // Stamp firstTrialActivatedAt iff this checkout actually
+        // included a trial AND we haven't stamped before. Conditional
+        // SQL update avoids overwriting on a webhook retry.
+        const startedTrial = session.metadata?.openpartner_trial === '1';
+        if (startedTrial) {
+          await trx<TenantRow>(TABLES.Tenant)
+            .where({ id: tenantId })
+            .whereNull('firstTrialActivatedAt')
+            .update({ firstTrialActivatedAt: new Date(), updatedAt: new Date() });
+        }
         return 'merchant_subscription_persisted';
       }
       return null;
diff --git a/apps/portal/src/main.tsx b/apps/portal/src/main.tsx
index 963a4ae..17277da 100644
--- a/apps/portal/src/main.tsx
+++ b/apps/portal/src/main.tsx
@@ -1,4 +1,5 @@
 import './global.css';
+import './posthog.js';
 import { StrictMode } from 'react';
 import { createRoot } from 'react-dom/client';
 import { QueryClient, QueryClientProvider } from '@tanstack/react-query';
diff --git a/apps/portal/src/pages/admin/Billing.tsx b/apps/portal/src/pages/admin/Billing.tsx
index b954d00..135622c 100644
--- a/apps/portal/src/pages/admin/Billing.tsx
+++ b/apps/portal/src/pages/admin/Billing.tsx
@@ -19,6 +19,8 @@ interface BillingStatus {
   trialEnd?: number | null;
   trialEndsAt?: string | null;
   inTrial?: boolean;
+  hasUsedTrial?: boolean;
+  trialExpiredWithoutSubscription?: boolean;
   // Revshare:
   feeRate?: string;
   accruedPlatformFees?: Record<string, number>;
@@ -178,22 +180,68 @@ function PlanCard({ status }: { status: BillingStatus }) {
 
       {plan && !subscribed && (
         <div>
-          <div
-            style={{
-              background: `${theme.accent}10`,
-              border: `1px solid ${theme.accent}55`,
-              borderRadius: theme.radiusSm,
-              padding: 12,
-              marginBottom: 14,
-              fontSize: 13,
-              color: theme.text,
-            }}
-          >
-            Your trial hasn't started yet. Activate it now — no card required for the first 14 days.
-          </div>
-          <Button onClick={() => startCheckout.mutate()} disabled={startCheckout.isPending}>
-            {startCheckout.isPending ? 'Opening Stripe…' : 'Activate 14-day free trial'}
-          </Button>
+          {status.trialExpiredWithoutSubscription ? (
+            <>
+              <div
+                style={{
+                  background: `${theme.danger}10`,
+                  border: `1px solid ${theme.danger}55`,
+                  borderRadius: theme.radiusSm,
+                  padding: 12,
+                  marginBottom: 14,
+                  fontSize: 13,
+                  color: theme.text,
+                }}
+              >
+                <strong style={{ color: theme.danger }}>Trial expired.</strong> Your 14-day free trial
+                has ended without a payment method. New programs, partners, coupons, and offerings
+                are paused until you re-subscribe — but click ingestion + attribution still run, so
+                no data is being lost.
+              </div>
+              <Button onClick={() => startCheckout.mutate()} disabled={startCheckout.isPending}>
+                {startCheckout.isPending ? 'Opening Stripe…' : 'Re-subscribe (card required)'}
+              </Button>
+            </>
+          ) : status.hasUsedTrial ? (
+            <>
+              <div
+                style={{
+                  background: `${theme.accent}10`,
+                  border: `1px solid ${theme.accent}55`,
+                  borderRadius: theme.radiusSm,
+                  padding: 12,
+                  marginBottom: 14,
+                  fontSize: 13,
+                  color: theme.text,
+                }}
+              >
+                You've previously used your free trial. Re-subscribing requires a payment method up
+                front — the trial doesn't reset.
+              </div>
+              <Button onClick={() => startCheckout.mutate()} disabled={startCheckout.isPending}>
+                {startCheckout.isPending ? 'Opening Stripe…' : 'Subscribe (card required)'}
+              </Button>
+            </>
+          ) : (
+            <>
+              <div
+                style={{
+                  background: `${theme.accent}10`,
+                  border: `1px solid ${theme.accent}55`,
+                  borderRadius: theme.radiusSm,
+                  padding: 12,
+                  marginBottom: 14,
+                  fontSize: 13,
+                  color: theme.text,
+                }}
+              >
+                Your trial hasn't started yet. Activate it now — no card required for the first 14 days.
+              </div>
+              <Button onClick={() => startCheckout.mutate()} disabled={startCheckout.isPending}>
+                {startCheckout.isPending ? 'Opening Stripe…' : 'Activate 14-day free trial'}
+              </Button>
+            </>
+          )}
         </div>
       )}
 
diff --git a/apps/portal/src/posthog.ts b/apps/portal/src/posthog.ts
new file mode 100644
index 0000000..3dc45e8
--- /dev/null
+++ b/apps/portal/src/posthog.ts
@@ -0,0 +1,92 @@
+/**
+ * PostHog product analytics — same array-stub bootstrap as
+ * studio-website (apps/studio-website/src/app/layout.tsx) so events
+ * land in the same project / dashboards.
+ *
+ * Opt-in via env: VITE_POSTHOG_KEY in .env.local (dev) or DO App
+ * Platform env (prod). Without the key, no script loads, no requests
+ * fire — graceful no-op for self-hosters and contributors.
+ *
+ * Side-effecting on import: just `import './posthog.js'` from main.tsx.
+ */
+
+declare global {
+  interface Window {
+    // eslint-disable-next-line @typescript-eslint/no-explicit-any
+    posthog?: any;
+  }
+}
+
+const KEY = import.meta.env.VITE_POSTHOG_KEY as string | undefined;
+const HOST = (import.meta.env.VITE_POSTHOG_HOST as string | undefined) ?? 'https://us.i.posthog.com';
+
+if (KEY && typeof document !== 'undefined' && typeof window !== 'undefined') {
+  // The bootstrap below is the standard PostHog array-stub: it stubs
+  // out posthog.* methods that buffer to an array, then async-loads
+  // /static/array.js which replaces the stubs and replays the buffer.
+  // Lets early code call posthog.capture() / posthog.identify() safely
+  // before the real script lands.
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  ((t: Document, e: any) => {
+    let p: HTMLScriptElement;
+    let r: HTMLScriptElement;
+    if (e.__SV) return;
+    window.posthog = e;
+    e._i = [];
+    e.init = function (i: string, s: { api_host: string }, a: string) {
+      function g(t2: Record<string, unknown>, e2: string) {
+        const o = e2.split('.');
+        if (o.length === 2) {
+          t2 = t2[o[0]!] as Record<string, unknown>;
+          e2 = o[1]!;
+        }
+        t2[e2] = function () {
+          (t2 as { push: (x: unknown) => void }).push(
+            // eslint-disable-next-line prefer-rest-params
+            ([e2] as unknown[]).concat(Array.prototype.slice.call(arguments, 0)),
+          );
+        };
+      }
+      p = t.createElement('script');
+      p.type = 'text/javascript';
+      p.crossOrigin = 'anonymous';
+      p.async = true;
+      p.src = s.api_host.replace(/\/$/, '') + '/static/array.js';
+      r = t.getElementsByTagName('script')[0]!;
+      r.parentNode!.insertBefore(p, r);
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any
+      let u: any = e;
+      if (a !== undefined) {
+        u = e[a] = [];
+      } else {
+        a = 'posthog';
+      }
+      u.analytics = u;
+      u.init = function (i2: string, s2: unknown, a2: string) {
+        e._i.push([i2, s2, a2]);
+      };
+      u.toString = function (t2: boolean) {
+        let e2 = 'posthog';
+        if (a !== 'posthog') e2 += '.' + a;
+        if (!t2) e2 += ' (stub)';
+        return e2;
+      };
+      u.people = u.people || [];
+      const methods = [
+        'capture', 'register', 'register_once', 'ready', 'set_config', 'get_config',
+        'get_property', 'get_distinct_id', 'toString', 'opt_in_capturing',
+        'opt_out_capturing', 'has_opted_in_capturing', 'has_opted_out_capturing',
+        'clear_opt_in_out_capturing', 'startSessionRecording', 'stopSessionRecording',
+        'sessionRecordingStarted', 'getActiveMatchingSurveys', 'getSurveys',
+        'getNextSurveyStep', 'onFeatureFlags', 'onSessionId', 'getSessionId',
+        'identify', 'setPersonProperties', 'group', 'getGroups',
+        'setGroupProperties', 'reloadFeatureFlags',
+      ];
+      for (const m of methods) g(u, m);
+      u._i.push([i, s, a]);
+    };
+    e.__SV = 1;
+  })(document, window.posthog || []);
+
+  window.posthog.init(KEY, { api_host: HOST, person_profiles: 'identified_only' });
+}
diff --git a/packages/db/migrations/20260610000000_tenant_trial_used.ts b/packages/db/migrations/20260610000000_tenant_trial_used.ts
new file mode 100644
index 0000000..0cbd822
--- /dev/null
+++ b/packages/db/migrations/20260610000000_tenant_trial_used.ts
@@ -0,0 +1,38 @@
+import type { Knex } from 'knex';
+
+/**
+ * Track first trial activation so a tenant can't trial-loop.
+ *
+ * Stripe's trial mechanism doesn't enforce one-trial-per-customer; if
+ * we let a tenant cancel their trial sub and re-Checkout, our previous
+ * code would happily start another 14-day trial. firstTrialActivatedAt
+ * is stamped by the checkout.session.completed webhook the FIRST time
+ * a subscription with a trial completes. On subsequent Checkout
+ * sessions, billing.ts omits trial_period_days so the user must add
+ * a card up front.
+ *
+ * Null = never trialed. Non-null = trial used; subsequent subs are
+ * card-required.
+ */
+
+export async function up(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Tenant', (t) => {
+    t.timestamp('firstTrialActivatedAt', { useTz: true }).nullable();
+  });
+
+  // Backfill: any tenant with a current trialEndsAt has used their
+  // trial. Set firstTrialActivatedAt to (trialEndsAt - 14 days) so the
+  // value reflects when the trial began.
+  await knex.raw(`
+    update "Tenant"
+    set "firstTrialActivatedAt" = "trialEndsAt" - interval '14 days'
+    where "trialEndsAt" is not null
+      and "firstTrialActivatedAt" is null
+  `);
+}
+
+export async function down(knex: Knex): Promise<void> {
+  await knex.schema.alterTable('Tenant', (t) => {
+    t.dropColumn('firstTrialActivatedAt');
+  });
+}
diff --git a/packages/db/src/types.ts b/packages/db/src/types.ts
index 6c6028d..f9e4a1f 100644
--- a/packages/db/src/types.ts
+++ b/packages/db/src/types.ts
@@ -39,6 +39,11 @@ export interface TenantRow {
   /** Trial expiry. Null when no trial (legacy / enterprise) or when the
    *  trial has already converted to a paid subscription. */
   trialEndsAt: Date | null;
+  /** When the tenant first activated a trial. Set on the first
+   *  checkout.session.completed that includes a trial period; never
+   *  cleared. Used to refuse second-and-later trials so a user can't
+   *  trial-loop by cancelling and re-subscribing. */
+  firstTrialActivatedAt: Date | null;
 }
 
 export type BillingPlan = 'flex' | 'revshare' | 'enterprise';

From 0abe76382611d87b4e61aa1923f80f778642821a Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 15:42:59 -0700
Subject: [PATCH 128/131] fix(account-deletion): correct column + status enums
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

POST /account/delete 500'd with 'column "amountCents" does not exist'.
checkPendingObligations had three pre-existing bugs from when it was
first written against a planned schema that never landed:

  * Commission column: amountCents -> amount (the actual decimal(14,2)
    column from the initial schema migration). Renamed the field and
    its consumer to unpaidCommissionAmount to stop misleading future
    readers about units.
  * Commission status: 'pending' -> 'accrued'. The Commission status
    enum is accrued | approved | paid | reversed; 'pending' was never
    a valid value. Unpaid = accrued + approved (paid + reversed are
    settled).
  * Payout status: dropped 'processing' (not in the PayoutStatus
    enum, which is pending | paid | failed). Only 'pending' is mid-
    flight.

Account deletion never worked end to end because of these — the
endpoint always 500'd on the obligations check before it could run
any of the actual delete logic.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/account-deletion.ts | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/apps/api/src/routes/account-deletion.ts b/apps/api/src/routes/account-deletion.ts
index c4cd278..62503f4 100644
--- a/apps/api/src/routes/account-deletion.ts
+++ b/apps/api/src/routes/account-deletion.ts
@@ -33,24 +33,29 @@ import { adminRestoreVendor, getNetworkMembership, networkProxy, saveNetworkMemb
 export const accountDeletionRouter = Router();
 
 interface PendingObligations {
-  unpaidCommissionCents: number;
+  /** Sum of unpaid commission amounts (decimal, in the Commission's
+   *  currency — typically USD). Field renamed from the original
+   *  *Cents to match the actual `amount` decimal column. */
+  unpaidCommissionAmount: number;
   pendingPayoutCount: number;
 }
 
 async function checkPendingObligations(tenantId: string): Promise<PendingObligations> {
-  // Commissions in 'approved' or 'pending' state are owed but unpaid.
+  // Commissions are unpaid when status is 'accrued' (newly recorded,
+  // pending admin approval) or 'approved' (cleared but not paid out).
+  // 'paid' and 'reversed' are settled.
   const [c] = await db(TABLES.Commission)
     .where({ tenantId })
-    .whereIn('status', ['pending', 'approved'])
-    .sum<Array<{ sum: string | null }>>({ sum: 'amountCents' });
-  // Payouts in 'pending' or 'processing' state are mid-flight and can't
-  // be rolled back without intervention.
+    .whereIn('status', ['accrued', 'approved'])
+    .sum<Array<{ sum: string | null }>>({ sum: 'amount' });
+  // Payouts are mid-flight when 'pending'. 'paid' and 'failed' are
+  // resolved states. (No 'processing' status exists.)
   const [p] = await db(TABLES.Payout)
     .where({ tenantId })
-    .whereIn('status', ['pending', 'processing'])
+    .where('status', 'pending')
     .count<Array<{ count: string }>>({ count: '*' });
   return {
-    unpaidCommissionCents: Number(c?.sum ?? 0),
+    unpaidCommissionAmount: Number(c?.sum ?? 0),
     pendingPayoutCount: Number(p?.count ?? 0),
   };
 }
@@ -86,7 +91,7 @@ accountDeletionRouter.post('/account/delete', requireAuth, requireAdmin, async (
   // forceDespiteObligations after they've seen the warning surface in
   // the UI; without that flag, refuse so we don't strand creators.
   const obligations = await checkPendingObligations(tenantId);
-  const hasObligations = obligations.unpaidCommissionCents > 0 || obligations.pendingPayoutCount > 0;
+  const hasObligations = obligations.unpaidCommissionAmount > 0 || obligations.pendingPayoutCount > 0;
   if (hasObligations && !body.data.forceDespiteObligations) {
     return res.status(409).json({
       error: 'pending_obligations',

From c05fd30730f4cb08311c5117cb9cbf1f14c92716 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 15:59:14 -0700
Subject: [PATCH 129/131] fix(billing): inline plan picker + posthog snippet
 hardening
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two issues:

1. Picking a plan inline on /admin/billing was a stub — clicking Flex
   or Revshare just rendered an error redirecting to openpartner.dev/
   pricing, even though the user was already authenticated.
     * New backend endpoint POST /billing/plan that stamps Tenant.
       billingPlan when null. Refuses to overwrite an existing plan
       (those go through Stripe Customer Portal so the subscription
       price IDs change in lockstep).
     * Frontend chains: pick -> set plan -> auto-trigger Checkout in
       one click. PlanPicker accepts a `disabled` prop so it goes
       wait-cursor + 0.6 opacity during the transition.

2. PostHog wasn't firing despite the env var being set. Two suspects:
     * The TS rewrite of the array-stub bootstrap was a re-implementation
       of a snippet that has subtle function-shape requirements
       (arguments capture, push semantics). Replaced with the verbatim
       PostHog snippet injected as <script> via document.head — same
       string studio-website ships, just wrapped in a tiny Vite-aware
       loader.
     * .do/app.yaml didn't declare VITE_POSTHOG_KEY / VITE_POSTHOG_HOST
       at all, so even if set in the DO UI they may not have flowed
       into the build cleanly. Now declared with scope: BUILD_TIME so
       Vite inlines them into the bundle (Astro side gets the same
       treatment in the marketing repo).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .do/app.yaml                            | 14 ++++
 apps/api/src/routes/billing.ts          | 33 ++++++++-
 apps/portal/src/pages/admin/Billing.tsx | 49 ++++++++++----
 apps/portal/src/posthog.ts              | 89 ++++---------------------
 4 files changed, 94 insertions(+), 91 deletions(-)

diff --git a/.do/app.yaml b/.do/app.yaml
index 34d332d..38dddf4 100644
--- a/.do/app.yaml
+++ b/.do/app.yaml
@@ -196,6 +196,20 @@ static_sites:
       pnpm --filter @openpartner/portal build
     output_dir: apps/portal/dist
     catchall_document: index.html
+    envs:
+      # PostHog product analytics. VITE_-prefixed so Vite inlines the
+      # value into the static bundle at build time. BUILD_TIME scope is
+      # required: the static site has no run-time process to read env
+      # vars from. Without this declaration the values you set in the
+      # DO UI may not flow into the build (depending on App Platform
+      # version). Same project key as studio-website for unified
+      # dashboards.
+      - key: VITE_POSTHOG_KEY
+        type: SECRET
+        scope: BUILD_TIME
+      - key: VITE_POSTHOG_HOST
+        scope: BUILD_TIME
+        value: https://us.i.posthog.com
 
 # App-level routing.
 #   /api/* → api (path stripped before forward)
diff --git a/apps/api/src/routes/billing.ts b/apps/api/src/routes/billing.ts
index 8329af2..117f483 100644
--- a/apps/api/src/routes/billing.ts
+++ b/apps/api/src/routes/billing.ts
@@ -23,7 +23,7 @@
 import { Router } from 'express';
 import type { Knex } from 'knex';
 import { z } from 'zod';
-import { TABLES, type TenantRow } from '@openpartner/db';
+import { TABLES, BILLING_PLANS, type BillingPlan, type TenantRow } from '@openpartner/db';
 import { requireAdmin, requireAuth } from '../auth.js';
 import { REVSHARE_FEE_BPS, requireStripe } from '../stripe.js';
 import { getTenantBillingState, priceIdsForPlan, TRIAL_DAYS } from '../billing-plan.js';
@@ -99,6 +99,37 @@ billingRouter.get('/billing/status', requireAuth, requireAdmin, async (req, res)
   });
 });
 
+/**
+ * Set the tenant's plan in-place when none was picked at signup
+ * (legacy tenants + anyone who signed up before the marketing
+ * pricing CTAs). Refuses to overwrite an existing plan — those go
+ * through the Stripe Customer Portal so the subscription's price
+ * IDs change in lockstep with our local mirror.
+ */
+const setPlanSchema = z.object({
+  plan: z.enum(BILLING_PLANS as readonly [string, ...string[]]),
+});
+billingRouter.post('/billing/plan', requireAuth, requireAdmin, async (req, res) => {
+  const { db, tenantId } = tenantOf(req);
+  const body = setPlanSchema.safeParse(req.body);
+  if (!body.success) return res.status(400).json({ error: 'invalid_body', detail: body.error.flatten() });
+
+  const state = await getTenantBillingState(db, tenantId);
+  if (state.plan) {
+    return res.status(409).json({
+      error: 'plan_already_set',
+      detail: 'Use the Stripe Customer Portal to switch plans on an active subscription.',
+      currentPlan: state.plan,
+    });
+  }
+
+  await db<TenantRow>(TABLES.Tenant)
+    .where({ id: tenantId })
+    .update({ billingPlan: body.data.plan as BillingPlan, updatedAt: new Date() });
+
+  res.json({ ok: true, plan: body.data.plan });
+});
+
 const checkoutSchema = z.object({
   successUrl: z.string().url(),
   cancelUrl: z.string().url(),
diff --git a/apps/portal/src/pages/admin/Billing.tsx b/apps/portal/src/pages/admin/Billing.tsx
index 135622c..f07b330 100644
--- a/apps/portal/src/pages/admin/Billing.tsx
+++ b/apps/portal/src/pages/admin/Billing.tsx
@@ -1,5 +1,5 @@
 import { useState } from 'react';
-import { useMutation, useQuery } from '@tanstack/react-query';
+import { useMutation, useQuery, useQueryClient } from '@tanstack/react-query';
 import { CreditCard, ExternalLink } from 'lucide-react';
 import { api, ApiError } from '../../api.js';
 import { theme } from '../../theme.js';
@@ -84,6 +84,7 @@ export function AdminBilling() {
 }
 
 function PlanCard({ status }: { status: BillingStatus }) {
+  const qc = useQueryClient();
   const [error, setError] = useState<string | null>(null);
 
   const startCheckout = useMutation({
@@ -101,6 +102,21 @@ function PlanCard({ status }: { status: BillingStatus }) {
     onError: (err) => setError(err instanceof ApiError ? err.message : 'failed'),
   });
 
+  // Pick a plan inline (legacy tenants + anyone signed up before the
+  // marketing pricing CTAs were live). Stamps Tenant.billingPlan, then
+  // chains immediately into Checkout so it's a single click from the
+  // user's perspective.
+  const pickPlan = useMutation({
+    mutationFn: (plan: Plan) =>
+      api<{ ok: boolean; plan: Plan }>('/billing/plan', { method: 'POST', body: { plan } }),
+    onSuccess: () => {
+      qc.invalidateQueries({ queryKey: ['billing-status'] });
+      // Auto-trigger Checkout once the plan stuck.
+      startCheckout.mutate();
+    },
+    onError: (err) => setError(err instanceof ApiError ? err.message : 'failed'),
+  });
+
   const openPortal = useMutation({
     mutationFn: () =>
       api<{ url: string }>('/billing/portal', {
@@ -163,17 +179,20 @@ function PlanCard({ status }: { status: BillingStatus }) {
       )}
 
       {!plan && (
-        <PlanPicker
-          onPick={async (picked) => {
-            // Update billingPlan via PATCH then trigger checkout.
-            // For now, the simplest path is to ask the user to re-enter
-            // through the marketing pricing CTA — server-side requires
-            // a plan to be set before checkout. Surface a helpful link.
-            setError(
-              `No plan on file. Pick a tier at openpartner.dev/pricing — clicking "Start ${picked === 'flex' ? 'Flex' : 'Revshare'}" lands you back here with the plan attached.`,
-            );
-          }}
-        />
+        <>
+          <p style={{ fontSize: 13, color: theme.textMuted, margin: '0 0 14px' }}>
+            Pick a tier to start your 14-day free trial. No card required up front.
+          </p>
+          <PlanPicker
+            disabled={pickPlan.isPending || startCheckout.isPending}
+            onPick={(picked) => pickPlan.mutate(picked)}
+          />
+          {(pickPlan.isPending || startCheckout.isPending) && (
+            <p style={{ fontSize: 12, color: theme.textMuted, marginTop: 8 }}>
+              {pickPlan.isPending ? 'Saving plan…' : 'Opening Stripe Checkout…'}
+            </p>
+          )}
+        </>
       )}
 
       {error && <ErrorBanner error={error} />}
@@ -302,20 +321,22 @@ function PlanCard({ status }: { status: BillingStatus }) {
   );
 }
 
-function PlanPicker({ onPick }: { onPick: (plan: Plan) => void }) {
+function PlanPicker({ onPick, disabled }: { onPick: (plan: Plan) => void; disabled?: boolean }) {
   return (
     <div style={{ display: 'grid', gridTemplateColumns: '1fr 1fr', gap: 12, marginBottom: 14 }}>
       {(['flex', 'revshare'] as const).map((p) => (
         <button
           key={p}
           onClick={() => onPick(p)}
+          disabled={disabled}
           style={{
             background: theme.surface2,
             border: `1px solid ${theme.borderSubtle}`,
             borderRadius: theme.radiusSm,
             padding: 14,
             textAlign: 'left',
-            cursor: 'pointer',
+            cursor: disabled ? 'wait' : 'pointer',
+            opacity: disabled ? 0.6 : 1,
             color: theme.text,
           }}
         >
diff --git a/apps/portal/src/posthog.ts b/apps/portal/src/posthog.ts
index 3dc45e8..810b97b 100644
--- a/apps/portal/src/posthog.ts
+++ b/apps/portal/src/posthog.ts
@@ -8,85 +8,22 @@
  * fire — graceful no-op for self-hosters and contributors.
  *
  * Side-effecting on import: just `import './posthog.js'` from main.tsx.
+ *
+ * The bootstrap below is the verbatim PostHog snippet, injected into
+ * <head> as a <script> element. We do this instead of re-implementing
+ * the array-stub in TypeScript because the snippet has subtle
+ * function-shape requirements (arguments capture, push semantics) that
+ * are easy to get wrong in a rewrite. Keeping it as a string ships
+ * exactly what the studio-website ships.
  */
 
-declare global {
-  interface Window {
-    // eslint-disable-next-line @typescript-eslint/no-explicit-any
-    posthog?: any;
-  }
-}
-
 const KEY = import.meta.env.VITE_POSTHOG_KEY as string | undefined;
 const HOST = (import.meta.env.VITE_POSTHOG_HOST as string | undefined) ?? 'https://us.i.posthog.com';
 
-if (KEY && typeof document !== 'undefined' && typeof window !== 'undefined') {
-  // The bootstrap below is the standard PostHog array-stub: it stubs
-  // out posthog.* methods that buffer to an array, then async-loads
-  // /static/array.js which replaces the stubs and replays the buffer.
-  // Lets early code call posthog.capture() / posthog.identify() safely
-  // before the real script lands.
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  ((t: Document, e: any) => {
-    let p: HTMLScriptElement;
-    let r: HTMLScriptElement;
-    if (e.__SV) return;
-    window.posthog = e;
-    e._i = [];
-    e.init = function (i: string, s: { api_host: string }, a: string) {
-      function g(t2: Record<string, unknown>, e2: string) {
-        const o = e2.split('.');
-        if (o.length === 2) {
-          t2 = t2[o[0]!] as Record<string, unknown>;
-          e2 = o[1]!;
-        }
-        t2[e2] = function () {
-          (t2 as { push: (x: unknown) => void }).push(
-            // eslint-disable-next-line prefer-rest-params
-            ([e2] as unknown[]).concat(Array.prototype.slice.call(arguments, 0)),
-          );
-        };
-      }
-      p = t.createElement('script');
-      p.type = 'text/javascript';
-      p.crossOrigin = 'anonymous';
-      p.async = true;
-      p.src = s.api_host.replace(/\/$/, '') + '/static/array.js';
-      r = t.getElementsByTagName('script')[0]!;
-      r.parentNode!.insertBefore(p, r);
-      // eslint-disable-next-line @typescript-eslint/no-explicit-any
-      let u: any = e;
-      if (a !== undefined) {
-        u = e[a] = [];
-      } else {
-        a = 'posthog';
-      }
-      u.analytics = u;
-      u.init = function (i2: string, s2: unknown, a2: string) {
-        e._i.push([i2, s2, a2]);
-      };
-      u.toString = function (t2: boolean) {
-        let e2 = 'posthog';
-        if (a !== 'posthog') e2 += '.' + a;
-        if (!t2) e2 += ' (stub)';
-        return e2;
-      };
-      u.people = u.people || [];
-      const methods = [
-        'capture', 'register', 'register_once', 'ready', 'set_config', 'get_config',
-        'get_property', 'get_distinct_id', 'toString', 'opt_in_capturing',
-        'opt_out_capturing', 'has_opted_in_capturing', 'has_opted_out_capturing',
-        'clear_opt_in_out_capturing', 'startSessionRecording', 'stopSessionRecording',
-        'sessionRecordingStarted', 'getActiveMatchingSurveys', 'getSurveys',
-        'getNextSurveyStep', 'onFeatureFlags', 'onSessionId', 'getSessionId',
-        'identify', 'setPersonProperties', 'group', 'getGroups',
-        'setGroupProperties', 'reloadFeatureFlags',
-      ];
-      for (const m of methods) g(u, m);
-      u._i.push([i, s, a]);
-    };
-    e.__SV = 1;
-  })(document, window.posthog || []);
-
-  window.posthog.init(KEY, { api_host: HOST, person_profiles: 'identified_only' });
+if (KEY && typeof document !== 'undefined') {
+  const snippet = `!function(t,e){var o,n,p,r;e.__SV||(window.posthog=e,e._i=[],e.init=function(i,s,a){function g(t,e){var o=e.split(".");2==o.length&&(t=t[o[0]],e=o[1]);t[e]=function(){t.push([e].concat(Array.prototype.slice.call(arguments,0)))}}(p=t.createElement("script")).type="text/javascript",p.crossOrigin="anonymous",p.async=!0,p.src=s.api_host.replace(/\\/$/,"")+"/static/array.js",(r=t.getElementsByTagName("script")[0]).parentNode.insertBefore(p,r);var u=e;void 0!==a?u=e[a]=[]:a="posthog";u.analytics=u;u.init=function(i,s,a){e._i.push([i,s,a])};u.toString=function(t){var e="posthog";return"posthog"!==a&&(e+="."+a),t||(e+=" (stub)"),e};u.people=u.people||[];g(u,"capture");g(u,"register");g(u,"register_once");g(u,"ready");g(u,"set_config");g(u,"get_config");g(u,"get_property");g(u,"get_distinct_id");g(u,"toString");g(u,"opt_in_capturing");g(u,"opt_out_capturing");g(u,"has_opted_in_capturing");g(u,"has_opted_out_capturing");g(u,"clear_opt_in_out_capturing");g(u,"startSessionRecording");g(u,"stopSessionRecording");g(u,"sessionRecordingStarted");g(u,"getActiveMatchingSurveys");g(u,"getSurveys");g(u,"getNextSurveyStep");g(u,"onFeatureFlags");g(u,"onSessionId");g(u,"getSessionId");g(u,"identify");g(u,"setPersonProperties");g(u,"group");g(u,"getGroups");g(u,"setGroupProperties");g(u,"reloadFeatureFlags");u._i.push([i,s,a])},e.__SV=1)}(document,window.posthog||[]);posthog.init(${JSON.stringify(KEY)},{api_host:${JSON.stringify(HOST)},person_profiles:'identified_only'});`;
+  const tag = document.createElement('script');
+  tag.type = 'text/javascript';
+  tag.text = snippet;
+  document.head.appendChild(tag);
 }

From 37ec4a0d5b542c719cbc56abb4d00967435a121a Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 16:06:36 -0700
Subject: [PATCH 130/131] fix(stripe-webhook): resolve tenant for merchant
 subscription events
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Two adjacent bugs in resolveTenantId, both silently dropping events
that should have updated Tenant.stripeSubscriptionId / billingPlan /
trialEndsAt:

  * checkout.session.completed only checked client_reference_id (the
    cref from a Rewardful-style merchant→customer checkout). Our
    merchant-subscription Checkout doesn't set client_reference_id,
    so the resolver returned null and the event was dropped — meaning
    the tenant's Stripe subscription was never persisted, and the
    Billing page kept showing "Activate trial" after the user had
    already completed Checkout.
  * customer.subscription.* (created/updated/deleted) only checked the
    Identity → Click chain, which doesn't include merchant-self-
    subscription Customers (those are created by us via
    stripe.customers.create with metadata.openpartner_tenant_id, never
    via attribution).

Fixes:
  * checkout.session.completed: prefer session.metadata.openpartner_
    tenant_id (which we stamp at create time in /billing/checkout).
  * customer.* events: try Tenant.stripeCustomerId first (constant-
    time indexed lookup, no Stripe API roundtrip), fall back to the
    Identity-based Rewardful path.

Recovery for the user's currently-stranded tenant: resend the missed
checkout.session.completed event from Stripe Dashboard → Developers →
Webhooks → recent deliveries → Resend, OR I can add a one-shot
/billing/sync endpoint that pulls latest state from Stripe directly.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/api/src/routes/stripe-webhook.ts | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)

diff --git a/apps/api/src/routes/stripe-webhook.ts b/apps/api/src/routes/stripe-webhook.ts
index 31a311e..be605be 100644
--- a/apps/api/src/routes/stripe-webhook.ts
+++ b/apps/api/src/routes/stripe-webhook.ts
@@ -203,8 +203,14 @@ async function resolveTenantForEvent(event: Stripe.Event): Promise<string | null
     }
     case 'checkout.session.completed': {
       const session = event.data.object as Stripe.Checkout.Session;
-      // Rewardful-style merchant→customer checkout: tenant resolves via the
-      // Click row identified by client_reference_id.
+      // Merchant-subscription checkout (the brand subscribing to Flex /
+      // Revshare via /admin/billing) stamps openpartner_tenant_id on
+      // session metadata at create time. Prefer that — it's a constant-
+      // time read with no DB round-trip.
+      const metaTenantId = session.metadata?.openpartner_tenant_id;
+      if (metaTenantId) return metaTenantId;
+      // Rewardful-style merchant→customer checkout: tenant resolves via
+      // the Click row identified by client_reference_id (the cref).
       if (session.client_reference_id) {
         const row = await db<ClickRow>(TABLES.Click)
           .where({ id: session.client_reference_id })
@@ -221,13 +227,20 @@ async function resolveTenantForEvent(event: Stripe.Event): Promise<string | null
     case 'invoice.payment_failed':
     case 'charge.refunded':
     case 'charge.dispute.created': {
-      // Customer/invoice/subscription/charge events: prefer the
-      // openpartner_tenant_id stamped on the Customer's metadata. As a
-      // fallback, look the customer up locally via the Identity → Click
-      // chain — this covers Customers stitched at checkout.session.completed
-      // before the metadata-backfill API call lands.
       const customerId = extractCustomerId(event.data.object as { customer?: unknown; id?: string });
       if (!customerId) return null;
+      // First, check whether this is a merchant-self-subscription
+      // Customer (created by /billing/checkout). We persist the
+      // customer id on Tenant.stripeCustomerId on first checkout,
+      // so the lookup is a constant-time indexed read and avoids a
+      // Stripe API roundtrip to inspect Customer.metadata.
+      const tenantRow = await db('Tenant')
+        .where({ stripeCustomerId: customerId })
+        .first<{ id: string }>('id');
+      if (tenantRow) return tenantRow.id;
+      // Fallback: rewardful-style customer (came in through attribution).
+      // Resolves via the Identity → Click chain — covers Customers
+      // stitched at checkout.session.completed by the Rewardful path.
       const identity = await db(TABLES.Identity)
         .join(TABLES.Click, `${TABLES.Click}.id`, `${TABLES.Identity}.clickId`)
         .where(`${TABLES.Identity}.userId`, customerId)

From a6183eb88441be1fc7468daaea306bdd704af2e2 Mon Sep 17 00:00:00 2001
From: Keith Fawcett <keith@brightyard.co>
Date: Thu, 30 Apr 2026 18:56:59 -0700
Subject: [PATCH 131/131] feat(signup): brand/creator tab switcher above the
 form
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously the only way to switch between brand and creator signup was
a small text link buried below the form, and on the brand side that
link didn't even exist — landing on /signup with no way to discover
that creators have their own signup flow.

  * New SignupTabs component in auth/Shared.tsx renders a pill-style
    [Brand | Creator] strip just above the form on both signup pages.
    Active tab in the green accent (theme.accent on theme.accentInk),
    inactive in muted text. Clicking the inactive tab navigates to the
    other signup route, preserving ?plan= so a brand-side query
    survives the toggle (e.g. user lands at /signup?plan=flex from
    pricing CTA, taps Creator, taps back, plan banner is still there).
  * Submit button text now reflects what the form actually creates:
      brand   -> "Create brand account" / "Creating brand…"
      creator -> "Become a creator" / "Creating creator…"
  * Dropped the redundant "Are you a brand?" / "Are you a creator?"
    cross-link footers since the tabs handle that visibly.
  * Brand "Already have a program?" link routes to /signin instead of
    the marketing landing — the user clearly wants in, not back.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/portal/src/pages/Signup.tsx              |  7 ++-
 apps/portal/src/pages/auth/Shared.tsx         | 55 +++++++++++++++++++
 .../src/pages/creator/CreatorSignup.tsx       | 21 ++-----
 3 files changed, 64 insertions(+), 19 deletions(-)

diff --git a/apps/portal/src/pages/Signup.tsx b/apps/portal/src/pages/Signup.tsx
index 6b60013..a6b1291 100644
--- a/apps/portal/src/pages/Signup.tsx
+++ b/apps/portal/src/pages/Signup.tsx
@@ -2,7 +2,7 @@ import { useState } from 'react';
 import { Link, useSearchParams } from 'react-router-dom';
 import { ApiError } from '../api.js';
 import { theme } from '../theme.js';
-import { AuthFrame } from './auth/Shared.js';
+import { AuthFrame, SignupTabs } from './auth/Shared.js';
 
 type SignupPlan = 'flex' | 'revshare' | 'enterprise';
 const PLAN_LABELS: Record<SignupPlan, { name: string; tagline: string }> = {
@@ -86,6 +86,7 @@ export function SignupPage() {
 
   return (
     <AuthFrame title="Sign up as a brand" subtitle="Create your brand account. We'll email you a sign-in link.">
+      <SignupTabs active="brand" />
       {plan && (
         <div
           style={{
@@ -151,10 +152,10 @@ export function SignupPage() {
         </Field>
         {err && <div style={{ color: theme.danger, fontSize: 13, marginTop: 4, marginBottom: 8 }}>{err}</div>}
         <button type="submit" disabled={busy} style={primaryBtnStyle(busy)}>
-          {busy ? 'Creating…' : 'Create account'}
+          {busy ? 'Creating brand…' : 'Create brand account'}
         </button>
         <div style={{ marginTop: 12, fontSize: 12, color: theme.textDim, textAlign: 'center' }}>
-          Already have a program? <Link to="/" style={{ color: theme.accent }}>Back to landing</Link>
+          Already have a program? <Link to="/signin" style={{ color: theme.accent }}>Sign in</Link>
         </div>
       </form>
     </AuthFrame>
diff --git a/apps/portal/src/pages/auth/Shared.tsx b/apps/portal/src/pages/auth/Shared.tsx
index e45d860..d15b7a8 100644
--- a/apps/portal/src/pages/auth/Shared.tsx
+++ b/apps/portal/src/pages/auth/Shared.tsx
@@ -1,4 +1,5 @@
 import type { ReactNode } from 'react';
+import { Link, useLocation } from 'react-router-dom';
 import { theme } from '../../theme.js';
 
 export function AuthFrame({
@@ -56,3 +57,57 @@ export function Logo({ size = 26 }: { size?: number } = {}) {
     />
   );
 }
+
+/**
+ * Tab strip for switching between brand and creator signup. Renders
+ * above the form on both /signup and /creator/signup. Active tab
+ * shows in the accent color; clicking the inactive tab navigates to
+ * the other signup route, preserving the query string so plan-aware
+ * marketing CTAs (?plan=flex) survive the switch.
+ */
+export function SignupTabs({ active }: { active: 'brand' | 'creator' }) {
+  const location = useLocation();
+  // Preserve search params (?plan=flex etc.) so a brand-side query
+  // stays meaningful if the user toggles to creator and back.
+  const qs = location.search;
+  const tabs = [
+    { key: 'brand' as const, label: 'Brand', href: `/signup${qs}` },
+    { key: 'creator' as const, label: 'Creator', href: `/creator/signup${qs}` },
+  ];
+  return (
+    <div
+      style={{
+        display: 'flex',
+        gap: 4,
+        padding: 4,
+        background: theme.surface2,
+        border: `1px solid ${theme.border}`,
+        borderRadius: theme.radiusSm,
+        marginBottom: 16,
+      }}
+    >
+      {tabs.map((t) => {
+        const isActive = active === t.key;
+        return (
+          <Link
+            key={t.key}
+            to={t.href}
+            style={{
+              flex: 1,
+              textAlign: 'center',
+              padding: '8px 12px',
+              borderRadius: 6,
+              fontSize: 13,
+              fontWeight: 600,
+              color: isActive ? theme.accentInk : theme.textMuted,
+              background: isActive ? theme.accent : 'transparent',
+              transition: 'background 120ms, color 120ms',
+            }}
+          >
+            {t.label}
+          </Link>
+        );
+      })}
+    </div>
+  );
+}
diff --git a/apps/portal/src/pages/creator/CreatorSignup.tsx b/apps/portal/src/pages/creator/CreatorSignup.tsx
index 28885b3..e892489 100644
--- a/apps/portal/src/pages/creator/CreatorSignup.tsx
+++ b/apps/portal/src/pages/creator/CreatorSignup.tsx
@@ -1,13 +1,12 @@
 import { useEffect, useState } from 'react';
-import { Link, useNavigate } from 'react-router-dom';
+import { Link } from 'react-router-dom';
 import { theme } from '../../theme.js';
-import { AuthFrame } from '../auth/Shared.js';
+import { AuthFrame, SignupTabs } from '../auth/Shared.js';
 import { creatorApi, ApiError } from './creator-api.js';
 
 type HandleStatus = 'idle' | 'checking' | 'available' | 'taken';
 
 export function CreatorSignupPage() {
-  const nav = useNavigate();
   const [email, setEmail] = useState('');
   const [name, setName] = useState('');
   const [handle, setHandle] = useState('');
@@ -76,6 +75,7 @@ export function CreatorSignupPage() {
 
   return (
     <AuthFrame title="Sign up as a creator" subtitle="Browse and apply to partner programs across the OpenPartner Network.">
+      <SignupTabs active="creator" />
       <form onSubmit={submit}>
         <Field label="Your name">
           <input name="name" autoComplete="name" value={name} onChange={(e) => setName(e.target.value)} placeholder="Ada Lovelace" required style={inputStyle} />
@@ -108,13 +108,10 @@ export function CreatorSignupPage() {
           disabled={busy || handleStatus === 'taken' || handleStatus === 'checking'}
           style={primaryBtnStyle(busy || handleStatus === 'taken' || handleStatus === 'checking')}
         >
-          {busy ? 'Sending…' : 'Send me a sign-in link'}
+          {busy ? 'Creating creator…' : 'Become a creator'}
         </button>
         <div style={{ marginTop: 12, fontSize: 12, color: theme.textDim, textAlign: 'center' }}>
-          Already have an account? <Link to="/creator/login" style={{ color: theme.accent }}>Sign in</Link> · <Link to="/" style={{ color: theme.accent }}>Home</Link>
-        </div>
-        <div style={{ marginTop: 6, fontSize: 12, color: theme.textDim, textAlign: 'center' }}>
-          Are you a brand? <button type="button" onClick={() => nav('/signup')} style={linkBtnStyle}>Sign up as a brand →</button>
+          Already have an account? <Link to="/creator/login" style={{ color: theme.accent }}>Sign in</Link>
         </div>
       </form>
     </AuthFrame>
@@ -157,11 +154,3 @@ function primaryBtnStyle(disabled: boolean): React.CSSProperties {
   };
 }
 
-const linkBtnStyle: React.CSSProperties = {
-  background: 'transparent',
-  border: 'none',
-  color: theme.accent,
-  cursor: 'pointer',
-  font: 'inherit',
-  padding: 0,
-};