From 1271fd5b6f6d05dea7e809a87abd6817827b2602 Mon Sep 17 00:00:00 2001
From: Pixelated <hey@codemeapixel.dev>
Date: Fri, 12 Jun 2026 13:58:48 -0600
Subject: [PATCH 01/13] Update README.md

---
 .github/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/README.md b/.github/README.md
index af71b80..361b567 100644
--- a/.github/README.md
+++ b/.github/README.md
@@ -2,7 +2,7 @@
 
 Emberly is an open source platform for modern file storage, sharing, and identity verification. Build your digital presence with powerful tools for teams and individuals.
 
-[![Build Checks](https://github.com/EmberlyOSS/Emberly/actions/workflows/build.yml/badge.svg)](https://github.com/EmberlyOSS/Emberly/actions/workflows/build.yml) [![CodeQL Advanced](https://github.com/EmberlyOSS/Emberly/actions/workflows/codeql.yml/badge.svg)](https://github.com/EmberlyOSS/Emberly/actions/workflows/codeql.yml) ![CodeRabbit Pull Request Reviews](https://img.shields.io/coderabbit/prs/github/EmberlyOSS/Emberly?utm_source=oss&utm_medium=github&utm_campaign=EmberlyOSS%2FEmberly&labelColor=171717&color=FF570A&link=https%3A%2F%2Fcoderabbit.ai&label=CodeRabbit+Reviews)
+[![Build Checks](https://github.com/EmberlyOSS/Emberly/actions/workflows/build.yml/badge.svg)](https://github.com/EmberlyOSS/Emberly/actions/workflows/build.yml) [![CodeQL Advanced](https://github.com/EmberlyOSS/Emberly/actions/workflows/codeql.yml/badge.svg)](https://github.com/EmberlyOSS/Emberly/actions/workflows/codeql.yml) ![CodeRabbit Pull Request Reviews](https://img.shields.io/coderabbit/prs/github/EmberlyOSS/Emberly?utm_source=oss&utm_medium=github&utm_campaign=EmberlyOSS%2FEmberly&labelColor=171717&color=FF570A&link=https%3A%2F%2Fcoderabbit.ai&label=CodeRabbit+Reviews) [![FOSSA Status](https://app.fossa.com/api/projects/git%2Bgithub.com%2FEmberlyOSS%2FEmberly.svg?type=shield&issueType=security)](https://app.fossa.com/projects/git%2Bgithub.com%2FEmberlyOSS%2FEmberly?ref=badge_shield&issueType=security)
 
 ## Features
 

From 4382880b9b079d7279efb2c551f194fc858d43f1 Mon Sep 17 00:00:00 2001
From: Pixelated <hey@codemeapixel.dev>
Date: Fri, 12 Jun 2026 16:24:33 -0600
Subject: [PATCH 02/13] Update README.md

---
 .github/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/README.md b/.github/README.md
index 361b567..1bb39a1 100644
--- a/.github/README.md
+++ b/.github/README.md
@@ -183,7 +183,7 @@ This project adheres to the Contributor Covenant Code of Conduct. By participati
 
 ## Acknowledgments
 
-Thank you to all [contributors](https://github.com/EmberlyOSS/Emberly/graphs/contributors) who have helped make Emberly possible. We also appreciate the open source projects and communities that make this platform possible.
+Thank you to all [contributors](https://github.com/EmberlyOSS/Emberly/graphs/contributors) who have helped make Emberly possible. We also appreciate the [open source projects and communities](https://github.com/EmberlyOSS/Emberly/network/dependencies) that make Emberly possible.
 
 
 <a href="https://github.com/EmberlyOSS/Emberly/graphs/contributors">

From d03fe46145837b568d0dff602229d174a62b92f1 Mon Sep 17 00:00:00 2001
From: TheRealToxicDev <toxic.dev09@gmail.com>
Date: Sat, 13 Jun 2026 09:31:48 -0600
Subject: [PATCH 03/13] fix(stuff): remove status check and more

---
 CHANGELOG.md                                  |   43 +
 app/api/admin/integrations/test/route.ts      |  274 +-
 app/api/files/route.ts                        |  201 +-
 app/api/settings/route.ts                     |   29 +-
 app/api/status/route.ts                       |   29 +-
 .../admin/settings/settings-manager.tsx       | 5210 +++++++++--------
 .../components/layout/StatusIndicator.tsx     |   84 +-
 packages/components/layout/footer.tsx         |    3 -
 packages/lib/auth/api-auth.ts                 |   30 +-
 packages/lib/cache/session-cache.ts           |  366 +-
 packages/lib/config/index.ts                  |  392 +-
 packages/lib/events/handlers/file-expiry.ts   |   23 +
 packages/lib/files/filename.ts                |   13 +-
 packages/lib/files/security-validation.ts     |  206 +-
 packages/lib/files/upload-validation.ts       |  286 +-
 packages/lib/kener/index.ts                   |  179 +-
 packages/lib/storage/index.ts                 |   30 +-
 packages/lib/storage/quota.ts                 |  475 +-
 packages/lib/utils/index.ts                   |    4 +-
 19 files changed, 4362 insertions(+), 3515 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index ebff84e..65c11d4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,49 @@ All notable changes to this project will be documented in this file.
 
 The format is based on "Keep a Changelog" and follows [Semantic Versioning](https://semver.org/).
 
+## [2.4.6] - 2026-06-13
+
+### Security
+
+- **ReDoS — Polynomial Regular Expression Hardening**
+  - Replaced all `/\/+$/` trailing-slash regex patterns applied to user-controlled values with linear while-loop equivalents, eliminating O(n²) backtracking risk (CodeQL `js/polynomial-redos`).
+  - Affected files: `packages/lib/utils/index.ts` (`urlForHost`), `packages/lib/files/upload-validation.ts` (domain cleaning), `packages/lib/files/filename.ts` (slug trimming), `app/api/files/route.ts` (URL construction).
+  - Replaced `/^-+|-+$/g` alternation pattern in filename slug generation with pointer-based leading/trailing trim.
+- **SSRF — Integration Test Endpoint Input Validation**
+  - Discord server ID (`serverId`) now validated against snowflake format (`/^\d{17,20}$/`) before being interpolated into the Discord API URL (CodeQL `js/request-forgery`).
+  - Cloudflare account ID (`accountId`) now validated against 32-character lowercase hex format before URL construction.
+  - Both integrations return a clear validation error message rather than making an outbound request with unsanitised input.
+- **Miscellaneous CodeQL Findings Resolved**
+  - Incomplete URL substring sanitisation (alerts 6, 7) — hardened URL host checks.
+  - Shell command built from environment values (alert 16) — environment input sanitised before shell interpolation.
+  - Use of externally-controlled format string (alert 15) — format string construction tightened.
+  - Additional SSRF alerts (10–13, 17–19) addressed across various API routes.
+
+### Changed
+
+- **Status Page Integration Removed**
+  - Removed the Kener / Uptime Kuma dynamic status integration entirely. The polling logic, `/api/status` route, admin settings panel, and integration test handler have all been removed.
+  - `StatusIndicator` in the site footer is now a lightweight static link to [emberlystat.us](https://emberlystat.us) — no external API calls, no runtime failures, no "Status unknown" states.
+  - `KENER_API_KEY`, `KENER_BASE_URL`, `UPTIME_KUMA_BASE_URL`, and `UPTIME_KUMA_SLUG` environment variables are no longer used and can be removed.
+
+### Added
+
+- **CodeQL Workflow** — Automated static analysis via GitHub Actions (`/.github/workflows/codeql.yml`) now runs on push and pull request for continuous security scanning.
+- **SECURITY.md** — Added security policy documenting responsible disclosure process and supported versions.
+- **License Scan** — Added license scan report and status badge to repository.
+
+### Performance
+
+- **VirusTotal scan moved off the critical path** — VT hash lookups previously blocked the upload response for 5-10s on non-media files. The scan now runs in the background after the file is stored and the response is returned. Files detected as malicious are automatically quarantined (removed from storage, marked private) and logged.
+- **Stripe subscription sync debounce survives hot-reloads** — The per-user 5-minute Stripe sync cache (`stripeSyncCache`) was stored as a module-level variable, causing it to reset on every Next.js hot-reload in development and trigger a live Stripe API call on every upload. Moved to `globalThis` so the TTL is respected across reloads.
+- **S3 provider singleton persisted across hot-reloads** — Storage provider was re-initialized on every request in development for the same reason. Also moved to `globalThis`, eliminating redundant initialization logs and the associated config DB read per request.
+- **File buffer, storage provider, and filename generation parallelized** — `arrayBuffer()`, `getStorageProvider()`, and `getUniqueFilename()` now run concurrently with `Promise.all` instead of sequentially, removing 1-2 unnecessary round-trips from the critical path.
+- **`bcrypt.hash` moved outside the DB transaction** — Password hashing was running inside `prisma.$transaction`, blocking the database connection during a CPU-intensive operation. The hash is now computed before the transaction opens.
+
+### Fixed
+
+- **Sitemap** — Marked sitemap route as dynamic to prevent build-time errors when database is unavailable during static export.
+
 ## [2.4.5] - 2026-06-02
 
 ### Added
diff --git a/app/api/admin/integrations/test/route.ts b/app/api/admin/integrations/test/route.ts
index e45a560..ff3a6fe 100644
--- a/app/api/admin/integrations/test/route.ts
+++ b/app/api/admin/integrations/test/route.ts
@@ -5,7 +5,14 @@ import nodemailer from 'nodemailer'
 
 const logger = loggers.config
 
-type IntegrationKey = 'stripe' | 'resend' | 'cloudflare' | 'discord' | 'github' | 'kener' | 'smtp' | 'vultr'
+type IntegrationKey =
+  | 'stripe'
+  | 'resend'
+  | 'cloudflare'
+  | 'discord'
+  | 'github'
+  | 'smtp'
+  | 'vultr'
 
 interface TestIntegrationBody {
   integration: IntegrationKey
@@ -42,26 +49,6 @@ function isPrivateOrLocalHost(hostname: string): boolean {
   return false
 }
 
-function getSafeKenerOrigin(baseUrl?: string): string | null {
-  const candidate = (baseUrl && baseUrl.trim()) || 'https://emberlystat.us'
-
-  let parsed: URL
-  try {
-    parsed = new URL(candidate)
-  } catch {
-    return null
-  }
-
-  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null
-  if (parsed.username || parsed.password) return null
-  if (isPrivateOrLocalHost(parsed.hostname)) return null
-
-  const allowedOrigins = new Set(['https://emberlystat.us'])
-  if (!allowedOrigins.has(parsed.origin)) return null
-
-  return parsed.origin
-}
-
 interface TestResult {
   ok: boolean
   message: string
@@ -74,11 +61,21 @@ async function testStripe(secretKey: string): Promise<TestResult> {
     const res = await fetch('https://api.stripe.com/v1/customers?limit=1', {
       headers: { Authorization: `Bearer ${secretKey}` },
     })
-    if (res.status === 401) return { ok: false, message: 'Invalid secret key', detail: 'Authentication failed' }
-    if (!res.ok) return { ok: false, message: `Stripe API error (${res.status})` }
+    if (res.status === 401)
+      return {
+        ok: false,
+        message: 'Invalid secret key',
+        detail: 'Authentication failed',
+      }
+    if (!res.ok)
+      return { ok: false, message: `Stripe API error (${res.status})` }
     return { ok: true, message: 'Connected to Stripe successfully' }
   } catch (err) {
-    return { ok: false, message: 'Failed to reach Stripe API', detail: String(err) }
+    return {
+      ok: false,
+      message: 'Failed to reach Stripe API',
+      detail: String(err),
+    }
   }
 }
 
@@ -88,47 +85,107 @@ async function testResend(apiKey: string): Promise<TestResult> {
     const res = await fetch('https://api.resend.com/domains', {
       headers: { Authorization: `Bearer ${apiKey}` },
     })
-    if (res.status === 401 || res.status === 403) return { ok: false, message: 'Invalid API key' }
-    if (!res.ok) return { ok: false, message: `Resend API error (${res.status})` }
+    if (res.status === 401 || res.status === 403)
+      return { ok: false, message: 'Invalid API key' }
+    if (!res.ok)
+      return { ok: false, message: `Resend API error (${res.status})` }
     return { ok: true, message: 'Connected to Resend successfully' }
   } catch (err) {
-    return { ok: false, message: 'Failed to reach Resend API', detail: String(err) }
+    return {
+      ok: false,
+      message: 'Failed to reach Resend API',
+      detail: String(err),
+    }
   }
 }
 
-async function testCloudflare(apiToken: string, accountId?: string): Promise<TestResult> {
+function sanitizeCloudflareAccountId(id?: string): string | null {
+  if (!id) return null
+  const trimmed = id.trim()
+  // Cloudflare account IDs are 32-char lowercase hex strings
+  if (!/^[0-9a-f]{32}$/.test(trimmed)) return null
+  return trimmed
+}
+
+async function testCloudflare(
+  apiToken: string,
+  accountId?: string
+): Promise<TestResult> {
   if (!apiToken) return { ok: false, message: 'API token is not configured' }
+  const safeAccountId = sanitizeCloudflareAccountId(accountId)
+  if (accountId && !safeAccountId) {
+    return { ok: false, message: 'Invalid Cloudflare account ID format' }
+  }
   try {
-    const url = accountId
-      ? `https://api.cloudflare.com/client/v4/accounts/${accountId}`
+    const url = safeAccountId
+      ? `https://api.cloudflare.com/client/v4/accounts/${safeAccountId}`
       : 'https://api.cloudflare.com/client/v4/user'
     const res = await fetch(url, {
-      headers: { Authorization: `Bearer ${apiToken}`, 'Content-Type': 'application/json' },
+      headers: {
+        Authorization: `Bearer ${apiToken}`,
+        'Content-Type': 'application/json',
+      },
     })
     const json = await res.json().catch(() => null)
     if (!res.ok || json?.success === false) {
-      return { ok: false, message: 'Invalid Cloudflare API token', detail: json?.errors?.[0]?.message }
+      return {
+        ok: false,
+        message: 'Invalid Cloudflare API token',
+        detail: json?.errors?.[0]?.message,
+      }
     }
     return { ok: true, message: 'Connected to Cloudflare successfully' }
   } catch (err) {
-    return { ok: false, message: 'Failed to reach Cloudflare API', detail: String(err) }
+    return {
+      ok: false,
+      message: 'Failed to reach Cloudflare API',
+      detail: String(err),
+    }
   }
 }
 
-async function testDiscord(webhookUrl: string, botToken?: string, serverId?: string): Promise<TestResult> {
+function sanitizeDiscordServerId(id?: string): string | null {
+  if (!id) return null
+  const trimmed = id.trim()
+  // Discord snowflakes are 17–20 digit integers
+  if (!/^\d{17,20}$/.test(trimmed)) return null
+  return trimmed
+}
+
+async function testDiscord(
+  webhookUrl: string,
+  botToken?: string,
+  serverId?: string
+): Promise<TestResult> {
   // Try bot token first (more informative)
-  if (botToken && serverId) {
+  const safeServerId = sanitizeDiscordServerId(serverId)
+  if (botToken && serverId && !safeServerId) {
+    return { ok: false, message: 'Invalid Discord server ID format' }
+  }
+  if (botToken && safeServerId) {
     try {
-      const res = await fetch(`https://discord.com/api/v10/guilds/${serverId}`, {
-        headers: { Authorization: `Bot ${botToken}` },
-      })
+      const res = await fetch(
+        `https://discord.com/api/v10/guilds/${safeServerId}`,
+        {
+          headers: { Authorization: `Bot ${botToken}` },
+        }
+      )
       if (res.status === 401) return { ok: false, message: 'Invalid bot token' }
-      if (res.status === 404) return { ok: false, message: 'Server not found or bot not in server' }
-      if (!res.ok) return { ok: false, message: `Discord API error (${res.status})` }
+      if (res.status === 404)
+        return { ok: false, message: 'Server not found or bot not in server' }
+      if (!res.ok)
+        return { ok: false, message: `Discord API error (${res.status})` }
       const json = await res.json().catch(() => null)
-      return { ok: true, message: `Connected to Discord — server: ${json?.name ?? serverId}` }
+      return {
+        ok: true,
+        message: `Connected to Discord — server: ${json?.name ?? safeServerId}`,
+      }
     } catch (err) {
-      return { ok: false, message: 'Failed to reach Discord API', detail: String(err) }
+      return {
+        ok: false,
+        message: 'Failed to reach Discord API',
+        detail: String(err),
+      }
     }
   }
 
@@ -143,25 +200,44 @@ async function testDiscord(webhookUrl: string, botToken?: string, serverId?: str
       }
 
       const hostname = parsed.hostname.toLowerCase()
-      const isDiscordHost = hostname === 'discord.com' || hostname === 'discordapp.com'
-      if (parsed.protocol !== 'https:' || !isDiscordHost || isPrivateOrLocalHost(hostname)) {
-        return { ok: false, message: 'Webhook URL must be a valid Discord HTTPS URL' }
+      const isDiscordHost =
+        hostname === 'discord.com' || hostname === 'discordapp.com'
+      if (
+        parsed.protocol !== 'https:' ||
+        !isDiscordHost ||
+        isPrivateOrLocalHost(hostname)
+      ) {
+        return {
+          ok: false,
+          message: 'Webhook URL must be a valid Discord HTTPS URL',
+        }
       }
 
-      const match = parsed.pathname.match(/^\/api\/webhooks\/(\d+)\/([A-Za-z0-9._-]+)$/)
+      const match = parsed.pathname.match(
+        /^\/api\/webhooks\/(\d+)\/([A-Za-z0-9._-]+)$/
+      )
       if (!match) {
-        return { ok: false, message: 'Webhook URL must match Discord webhook format' }
+        return {
+          ok: false,
+          message: 'Webhook URL must match Discord webhook format',
+        }
       }
 
       const [, webhookId, webhookToken] = match
       const safeWebhookUrl = `https://discord.com/api/webhooks/${encodeURIComponent(webhookId)}/${encodeURIComponent(webhookToken)}`
 
       const res = await fetch(safeWebhookUrl, { method: 'GET' })
-      if (res.status === 401) return { ok: false, message: 'Invalid webhook URL' }
-      if (!res.ok) return { ok: false, message: `Discord webhook error (${res.status})` }
+      if (res.status === 401)
+        return { ok: false, message: 'Invalid webhook URL' }
+      if (!res.ok)
+        return { ok: false, message: `Discord webhook error (${res.status})` }
       return { ok: true, message: 'Discord webhook is valid' }
     } catch (err) {
-      return { ok: false, message: 'Failed to reach Discord webhook', detail: String(err) }
+      return {
+        ok: false,
+        message: 'Failed to reach Discord webhook',
+        detail: String(err),
+      }
     }
   }
 
@@ -172,12 +248,14 @@ function sanitizeGitHubOrg(org?: string): string | null {
   if (!org) return null
   const trimmed = org.trim()
   // GitHub org/user name rules: alphanumeric or single hyphens, no leading/trailing hyphen, max 39 chars.
-  if (!/^[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,37}[a-zA-Z0-9])?$/.test(trimmed)) return null
+  if (!/^[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,37}[a-zA-Z0-9])?$/.test(trimmed))
+    return null
   return trimmed
 }
 
 async function testGitHub(pat: string, org?: string): Promise<TestResult> {
-  if (!pat) return { ok: false, message: 'Personal access token is not configured' }
+  if (!pat)
+    return { ok: false, message: 'Personal access token is not configured' }
   const safeOrg = sanitizeGitHubOrg(org)
   if (org && !safeOrg) {
     return { ok: false, message: 'Invalid GitHub organization name format' }
@@ -193,34 +271,26 @@ async function testGitHub(pat: string, org?: string): Promise<TestResult> {
         'X-GitHub-Api-Version': '2022-11-28',
       },
     })
-    if (res.status === 401) return { ok: false, message: 'Invalid personal access token' }
-    if (res.status === 404) return { ok: false, message: `Organization "${safeOrg ?? org}" not found` }
-    if (!res.ok) return { ok: false, message: `GitHub API error (${res.status})` }
-    const json = await res.json().catch(() => null)
-    return { ok: true, message: `Connected to GitHub${safeOrg ? ` — org: ${json?.name ?? safeOrg}` : ` — user: ${json?.login}`}` }
-  } catch (err) {
-    return { ok: false, message: 'Failed to reach GitHub API', detail: String(err) }
-  }
-}
-
-async function testKener(apiKey: string, baseUrl?: string): Promise<TestResult> {
-  const origin = getSafeKenerOrigin(baseUrl)
-  if (!origin) {
-    return { ok: false, message: 'Invalid Kener base URL' }
-  }
-
-  try {
-    const res = await fetch(`${origin}/api/v4/monitors`, {
-      headers: apiKey ? { Authorization: `Bearer ${apiKey}` } : {},
-      signal: AbortSignal.timeout(8000),
-    })
-    if (res.status === 401 || res.status === 403) return { ok: false, message: 'Invalid API key' }
-    if (!res.ok) return { ok: false, message: `Kener API error (${res.status})` }
+    if (res.status === 401)
+      return { ok: false, message: 'Invalid personal access token' }
+    if (res.status === 404)
+      return {
+        ok: false,
+        message: `Organization "${safeOrg ?? org}" not found`,
+      }
+    if (!res.ok)
+      return { ok: false, message: `GitHub API error (${res.status})` }
     const json = await res.json().catch(() => null)
-    const count = (json?.monitors as unknown[])?.length ?? 0
-    return { ok: true, message: `Connected to Kener — ${count} monitor${count !== 1 ? 's' : ''} found` }
+    return {
+      ok: true,
+      message: `Connected to GitHub${safeOrg ? ` — org: ${json?.name ?? safeOrg}` : ` — user: ${json?.login}`}`,
+    }
   } catch (err) {
-    return { ok: false, message: 'Failed to reach Kener instance', detail: String(err) }
+    return {
+      ok: false,
+      message: 'Failed to reach GitHub API',
+      detail: String(err),
+    }
   }
 }
 
@@ -231,17 +301,32 @@ async function testVultr(apiKey: string): Promise<TestResult> {
       headers: { Authorization: `Bearer ${apiKey}` },
       signal: AbortSignal.timeout(8000),
     })
-    if (res.status === 401 || res.status === 403) return { ok: false, message: 'Invalid API key' }
-    if (!res.ok) return { ok: false, message: `Vultr API error (${res.status})` }
+    if (res.status === 401 || res.status === 403)
+      return { ok: false, message: 'Invalid API key' }
+    if (!res.ok)
+      return { ok: false, message: `Vultr API error (${res.status})` }
     const json = await res.json().catch(() => null)
     const email = json?.account?.email
-    return { ok: true, message: `Connected to Vultr${email ? ` — ${email}` : ''}` }
+    return {
+      ok: true,
+      message: `Connected to Vultr${email ? ` — ${email}` : ''}`,
+    }
   } catch (err) {
-    return { ok: false, message: 'Failed to reach Vultr API', detail: String(err) }
+    return {
+      ok: false,
+      message: 'Failed to reach Vultr API',
+      detail: String(err),
+    }
   }
 }
 
-async function testSmtp(host: string, port: number, secure: boolean, user: string, password: string): Promise<TestResult> {
+async function testSmtp(
+  host: string,
+  port: number,
+  secure: boolean,
+  user: string,
+  password: string
+): Promise<TestResult> {
   if (!host) return { ok: false, message: 'SMTP host is not configured' }
   try {
     const transport = nodemailer.createTransport({
@@ -256,7 +341,11 @@ async function testSmtp(host: string, port: number, secure: boolean, user: strin
     transport.close()
     return { ok: true, message: `Connected to SMTP server at ${host}:${port}` }
   } catch (err) {
-    return { ok: false, message: 'Failed to connect to SMTP server', detail: String(err) }
+    return {
+      ok: false,
+      message: 'Failed to connect to SMTP server',
+      detail: String(err),
+    }
   }
 }
 
@@ -278,24 +367,28 @@ export async function POST(req: Request) {
         result = await testResend(credentials.apiKey)
         break
       case 'cloudflare':
-        result = await testCloudflare(credentials.apiToken, credentials.accountId)
+        result = await testCloudflare(
+          credentials.apiToken,
+          credentials.accountId
+        )
         break
       case 'discord':
-        result = await testDiscord(credentials.webhookUrl, credentials.botToken, credentials.serverId)
+        result = await testDiscord(
+          credentials.webhookUrl,
+          credentials.botToken,
+          credentials.serverId
+        )
         break
       case 'github':
         result = await testGitHub(credentials.pat, credentials.org)
         break
-      case 'kener':
-        result = await testKener(credentials.apiKey, credentials.baseUrl)
-        break
       case 'smtp':
         result = await testSmtp(
           credentials.host,
           Number(credentials.port) || 587,
           credentials.secure === 'true',
           credentials.user,
-          credentials.password,
+          credentials.password
         )
         break
       case 'vultr':
@@ -311,4 +404,3 @@ export async function POST(req: Request) {
     return apiError('Internal server error')
   }
 }
-
diff --git a/app/api/files/route.ts b/app/api/files/route.ts
index 0119945..7db08f8 100644
--- a/app/api/files/route.ts
+++ b/app/api/files/route.ts
@@ -20,12 +20,15 @@ import {
 import { getConfig } from '@/packages/lib/config'
 import { prisma } from '@/packages/lib/database/prisma'
 import {
-  getFileExpirationInfo,
+  getFileExpirationInfoBatch,
   scheduleFileExpiration,
 } from '@/packages/lib/events/handlers/file-expiry'
 import { getUniqueFilename } from '@/packages/lib/files/filename'
 import { validateUploadRequest } from '@/packages/lib/files/upload-validation'
-import { validateFileSecurityChecksWithVT } from '@/packages/lib/files/security-validation'
+import {
+  validateFileSecurityChecks,
+  scanWithVirusTotal,
+} from '@/packages/lib/files/security-validation'
 import { loggers } from '@/packages/lib/logger'
 import { processImageOCR } from '@/packages/lib/ocr'
 import { getStorageProvider } from '@/packages/lib/storage'
@@ -36,6 +39,9 @@ const logger = loggers.files
 export async function POST(req: Request) {
   let filePath = ''
   let userId: string | undefined
+  let storageProvider:
+    | Awaited<ReturnType<typeof getStorageProvider>>
+    | undefined
 
   try {
     // ── Auth: try squad token/API key first, then fall back to user session ──
@@ -58,6 +64,7 @@ export async function POST(req: Request) {
           role: true,
           randomizeFileUrls: true,
           preferredUploadDomain: true,
+          emailVerified: true,
         },
       })
       if (!ownerUser)
@@ -114,12 +121,13 @@ export async function POST(req: Request) {
       return apiError(result.error.issues[0].message, HTTP_STATUS.BAD_REQUEST)
     }
 
+    const fileSizeMB = bytesToMB(uploadedFile.size)
+
     // Check file size against plan upload cap and storage quota
     if (user.role !== 'ADMIN') {
       const { getPlanLimits, canUploadSize } =
         await import('@/packages/lib/storage/quota')
       const planLimits = await getPlanLimits(user.id)
-      const fileSizeMB = bytesToMB(uploadedFile.size)
 
       // Check plan upload size cap (null = unlimited for Ember/Enterprise)
       if (planLimits.uploadSizeCapMB !== null) {
@@ -158,29 +166,35 @@ export async function POST(req: Request) {
     }
 
     // Validate email verification and custom domain verification
+    // Pass preloaded user data to skip the redundant DB round-trip in validateEmailVerified
     const uploadValidation = await validateUploadRequest(
       user.id,
-      requestedDomain
+      requestedDomain,
+      { emailVerified: user.emailVerified, role: user.role }
     )
     if (!uploadValidation.valid) {
       return apiError(uploadValidation.error!, HTTP_STATUS.FORBIDDEN)
     }
 
-    const { urlSafeName, displayName } = await getUniqueFilename(
-      join('uploads', user.urlId),
-      uploadedFile.name,
-      user.randomizeFileUrls
-    )
+    // Buffer file + resolve provider and unique filename in parallel
+    const [buf, { urlSafeName, displayName }, storageProviderResolved] =
+      await Promise.all([
+        uploadedFile.arrayBuffer().then((ab) => Buffer.from(ab)),
+        getUniqueFilename(
+          join('uploads', user.urlId),
+          uploadedFile.name,
+          user.randomizeFileUrls
+        ),
+        getStorageProvider(),
+      ])
+    storageProvider = storageProviderResolved
 
     filePath = join('uploads', user.urlId, urlSafeName)
     const urlPath = `/${user.urlId}/${urlSafeName}`
 
-    const storageProvider = await getStorageProvider()
-    const bytes = await uploadedFile.arrayBuffer()
-
-    // Security check: validate file against zip bombs, malware, dangerous types, and VirusTotal
-    const securityCheck = await validateFileSecurityChecksWithVT(
-      Buffer.from(bytes),
+    // Fast local security checks only (extension, MIME, zip bomb) — no network calls
+    const securityCheck = validateFileSecurityChecks(
+      buf,
       uploadedFile.name,
       uploadedFile.type
     )
@@ -189,7 +203,6 @@ export async function POST(req: Request) {
         fileName: uploadedFile.name,
         mimeType: uploadedFile.type,
         error: securityCheck.error,
-        virusTotal: securityCheck.virusTotal,
         userId: user.id,
       })
       return apiError(
@@ -198,25 +211,7 @@ export async function POST(req: Request) {
       )
     }
 
-    if (securityCheck.virusTotal?.scanPerformed) {
-      logger.info('File scanned by VirusTotal', {
-        fileName: uploadedFile.name,
-        detected: securityCheck.virusTotal.detected,
-        detectionRatio: securityCheck.virusTotal.detectionRatio,
-        permalink: securityCheck.virusTotal.permalink,
-        userId: user.id,
-      })
-    }
-
-    if (securityCheck.warnings?.length) {
-      logger.info('File security warnings', {
-        fileName: uploadedFile.name,
-        warnings: securityCheck.warnings,
-        userId: user.id,
-      })
-    }
-
-    // carry through host headers as metadata so storage/proxy can use them
+    // Carry through host headers as metadata so storage/proxy can use them
     const meta: Record<string, string> = {}
     try {
       const reqHeaders = (req as any).headers as Headers | undefined
@@ -230,12 +225,10 @@ export async function POST(req: Request) {
       // ignore
     }
 
-    await storageProvider.uploadFile(
-      Buffer.from(bytes),
-      filePath,
-      uploadedFile.type,
-      meta
-    )
+    // Hash password before the transaction so bcrypt doesn't block DB time
+    const passwordHash = password ? await hash(password, 10) : null
+
+    await storageProvider.uploadFile(buf, filePath, uploadedFile.type, meta)
 
     const fileRecord = await prisma.$transaction(async (tx) => {
       const file = await tx.file.create({
@@ -243,10 +236,10 @@ export async function POST(req: Request) {
           name: displayName,
           urlPath,
           mimeType: uploadedFile.type,
-          size: bytesToMB(uploadedFile.size),
+          size: fileSizeMB,
           path: filePath,
           visibility: visibility,
-          password: password ? await hash(password, 10) : null,
+          password: passwordHash,
           userId: user.id,
           allowSuggestions,
         },
@@ -254,14 +247,14 @@ export async function POST(req: Request) {
 
       await tx.user.update({
         where: { id: user.id },
-        data: { storageUsed: { increment: bytesToMB(uploadedFile.size) } },
+        data: { storageUsed: { increment: fileSizeMB } },
       })
 
       // Track squad storage usage when uploaded via squad token/API key
       if (squadContext) {
         await tx.nexiumSquad.update({
           where: { id: squadContext.squadId },
-          data: { storageUsed: { increment: bytesToMB(uploadedFile.size) } },
+          data: { storageUsed: { increment: fileSizeMB } },
         })
       }
 
@@ -277,6 +270,28 @@ export async function POST(req: Request) {
       })
     }
 
+    // VirusTotal scan runs in the background after the response is sent.
+    // On detection the file is deleted from storage and marked in the DB.
+    scanWithVirusTotal(buf, uploadedFile.type, async (vtResult) => {
+      logger.warn('VirusTotal detected malware — quarantining file', {
+        fileId: fileRecord.id,
+        detectionRatio: vtResult.detectionRatio,
+        permalink: vtResult.permalink,
+        userId: user.id,
+      })
+      await Promise.allSettled([
+        storageProvider!.deleteFile(filePath),
+        prisma.file.update({
+          where: { id: fileRecord.id },
+          data: { visibility: 'PRIVATE', name: '[Quarantined]' },
+        }),
+      ])
+    }).catch((err) => {
+      logger.error('Background VirusTotal scan failed', err as Error, {
+        fileId: fileRecord.id,
+      })
+    })
+
     if (expirationDate) {
       try {
         await scheduleFileExpiration(
@@ -300,12 +315,20 @@ export async function POST(req: Request) {
     const baseUrl =
       process.env.NODE_ENV === 'development'
         ? 'http://localhost:3000'
-        : process.env.NEXTAUTH_URL?.replace(/\/$/, '') || ''
-    const fullUrl = (
+        : (process.env.NEXTAUTH_URL?.endsWith('/')
+            ? process.env.NEXTAUTH_URL.slice(0, -1)
+            : process.env.NEXTAUTH_URL) || ''
+    const trimTrailingSlashes = (s: string) => {
+      let end = s.length
+      while (end > 0 && s[end - 1] === '/') end--
+      return end === s.length ? s : s.slice(0, end)
+    }
+
+    const fullUrl = trimTrailingSlashes(
       baseUrl.startsWith('http') ? baseUrl : `https://${baseUrl}`
-    ).replace(/\/+$/, '')
+    )
 
-    const sanitizeHost = (host: string) => urlForHost(host).replace(/\/+$/, '')
+    const sanitizeHost = (host: string) => trimTrailingSlashes(urlForHost(host))
     const preferredHost = user.preferredUploadDomain
       ? sanitizeHost(user.preferredUploadDomain)
       : null
@@ -378,9 +401,8 @@ export async function POST(req: Request) {
       userId,
     })
 
-    if (filePath) {
+    if (filePath && storageProvider) {
       try {
-        const storageProvider = await getStorageProvider()
         await storageProvider.deleteFile(filePath)
         logger.info('Cleaned up file after error', { filePath })
       } catch (unlinkError) {
@@ -485,12 +507,14 @@ export async function GET(request: Request) {
         }),
       ])
 
-      const filesList = await Promise.all(
-        files.map(async (file) => {
-          const expiresAt = await getFileExpirationInfo(file.id)
-          return { ...file, hasPassword: Boolean(file.password), expiresAt }
-        })
+      const expirationMap = await getFileExpirationInfoBatch(
+        files.map((f) => f.id)
       )
+      const filesList = files.map((file) => ({
+        ...file,
+        hasPassword: Boolean(file.password),
+        expiresAt: expirationMap.get(file.id) ?? null,
+      }))
 
       return paginatedResponse<FileMetadata[]>(
         filesList as (FileMetadata & { expiresAt: Date | null })[],
@@ -580,42 +604,41 @@ export async function GET(request: Request) {
         orderBy.uploadedAt = 'desc'
     }
 
-    const total = await prisma.file.count({ where })
-
-    const files = await prisma.file.findMany({
-      where,
-      orderBy,
-      take: limit,
-      skip: offset,
-      select: {
-        id: true,
-        name: true,
-        urlPath: true,
-        mimeType: true,
-        size: true,
-        uploadedAt: true,
-        visibility: true,
-        password: true,
-        views: true,
-        downloads: true,
-        user: {
-          select: {
-            urlId: true,
+    const [total, files] = await Promise.all([
+      prisma.file.count({ where }),
+      prisma.file.findMany({
+        where,
+        orderBy,
+        take: limit,
+        skip: offset,
+        select: {
+          id: true,
+          name: true,
+          urlPath: true,
+          mimeType: true,
+          size: true,
+          uploadedAt: true,
+          visibility: true,
+          password: true,
+          views: true,
+          downloads: true,
+          user: {
+            select: {
+              urlId: true,
+            },
           },
         },
-      },
-    })
+      }),
+    ])
 
-    const filesList = (await Promise.all(
-      files.map(async (file) => {
-        const expiresAt = await getFileExpirationInfo(file.id)
-        return {
-          ...file,
-          hasPassword: Boolean(file.password),
-          expiresAt,
-        }
-      })
-    )) as (FileMetadata & { expiresAt: Date | null })[]
+    const expirationMap = await getFileExpirationInfoBatch(
+      files.map((f) => f.id)
+    )
+    const filesList = files.map((file) => ({
+      ...file,
+      hasPassword: Boolean(file.password),
+      expiresAt: expirationMap.get(file.id) ?? null,
+    })) as (FileMetadata & { expiresAt: Date | null })[]
 
     const pagination = {
       total,
diff --git a/app/api/settings/route.ts b/app/api/settings/route.ts
index d1839ec..e676458 100644
--- a/app/api/settings/route.ts
+++ b/app/api/settings/route.ts
@@ -5,7 +5,11 @@ import {
 } from '@/packages/types/dto/settings'
 
 import { HTTP_STATUS, apiError, apiResponse } from '@/packages/lib/api/response'
-import { requireAdmin, requireAuth, requireSuperAdmin } from '@/packages/lib/auth/api-auth'
+import {
+  requireAdmin,
+  requireAuth,
+  requireSuperAdmin,
+} from '@/packages/lib/auth/api-auth'
 import {
   EmberlyConfig,
   getConfig,
@@ -31,12 +35,22 @@ function maskSecretsForAdmin(config: EmberlyConfig): EmberlyConfig {
   }
   // Integrations
   const i = c.settings?.integrations ?? {}
-  if (i.stripe)     { i.stripe.secretKey = '';     i.stripe.webhookSecret = '' }
-  if (i.resend)     { i.resend.apiKey = '' }
-  if (i.cloudflare) { i.cloudflare.apiToken = '' }
-  if (i.discord)    { i.discord.botToken = '' }
-  if (i.github)     { i.github.pat = '' }
-  if (i.kener)      { i.kener.apiKey = '' }
+  if (i.stripe) {
+    i.stripe.secretKey = ''
+    i.stripe.webhookSecret = ''
+  }
+  if (i.resend) {
+    i.resend.apiKey = ''
+  }
+  if (i.cloudflare) {
+    i.cloudflare.apiToken = ''
+  }
+  if (i.discord) {
+    i.discord.botToken = ''
+  }
+  if (i.github) {
+    i.github.pat = ''
+  }
   return c as EmberlyConfig
 }
 
@@ -182,4 +196,3 @@ export async function POST(req: Request) {
     return apiError('Internal server error', HTTP_STATUS.INTERNAL_SERVER_ERROR)
   }
 }
-
diff --git a/app/api/status/route.ts b/app/api/status/route.ts
index 6950f26..8d85c82 100644
--- a/app/api/status/route.ts
+++ b/app/api/status/route.ts
@@ -1,29 +1,6 @@
-import { apiResponse } from '@/packages/lib/api/response'
-import { getKenerStatus } from '@/packages/lib/kener'
+import { apiError } from '@/packages/lib/api/response'
+import { HTTP_STATUS } from '@/packages/lib/api/response'
 
-/**
- * GET /api/status
- * Returns aggregated status from the Kener instance at emberlystat.us
- */
 export async function GET() {
-    try {
-        const summary = await getKenerStatus()
-        if (!summary) {
-            // Kener unreachable — return a graceful UNKNOWN state rather than a hard 503
-            return apiResponse({
-                page: { name: 'Emberly Status', url: 'https://emberlystat.us', status: 'UNKNOWN' },
-                activeIncidents: [],
-                activeMaintenances: [],
-            })
-        }
-        return apiResponse(summary)
-    } catch (err) {
-        console.error('Error fetching status:', err)
-        return apiResponse({
-            page: { name: 'Emberly Status', url: 'https://emberlystat.us', status: 'UNKNOWN' },
-            activeIncidents: [],
-            activeMaintenances: [],
-        })
-    }
+  return apiError('Status page integration removed', HTTP_STATUS.NOT_FOUND)
 }
-
diff --git a/packages/components/admin/settings/settings-manager.tsx b/packages/components/admin/settings/settings-manager.tsx
index f0530d6..cf15c05 100644
--- a/packages/components/admin/settings/settings-manager.tsx
+++ b/packages/components/admin/settings/settings-manager.tsx
@@ -1,4 +1,4 @@
-"use client"
+'use client'
 
 import { useCallback, useEffect, useState } from 'react'
 
@@ -12,42 +12,42 @@ import CodeMirror from '@uiw/react-codemirror'
 import DOMPurify from 'dompurify'
 import { deepEqual } from 'fast-equals'
 import {
-	AlertCircle,
-	CheckCircle2,
-	Circle,
-	Cloud,
-	Code,
-	Copy,
-	CreditCard,
-	Database,
-	ExternalLink,
-	Eye,
-	EyeOff,
-	FileCode,
-	Github,
-	Globe,
-	HardDrive,
-	Heart,
-	Image,
-	InfoIcon,
-	Key,
-	Loader2,
-	Lock,
-	Mail,
-	Palette,
-	RefreshCw,
-	RotateCcw,
-	Save,
-	Server,
-	Settings,
-	Settings2,
-	Shield,
-	Sliders,
-	Sparkles,
-	Upload,
-	Users,
-	XCircle,
-	Zap,
+  AlertCircle,
+  CheckCircle2,
+  Circle,
+  Cloud,
+  Code,
+  Copy,
+  CreditCard,
+  Database,
+  ExternalLink,
+  Eye,
+  EyeOff,
+  FileCode,
+  Github,
+  Globe,
+  HardDrive,
+  Heart,
+  Image,
+  InfoIcon,
+  Key,
+  Loader2,
+  Lock,
+  Mail,
+  Palette,
+  RefreshCw,
+  RotateCcw,
+  Save,
+  Server,
+  Settings,
+  Settings2,
+  Shield,
+  Sliders,
+  Sparkles,
+  Upload,
+  Users,
+  XCircle,
+  Zap,
 } from 'lucide-react'
 
 import { Icons } from '@/components/shared/icons'
@@ -55,20 +55,20 @@ import { AppearancePanel } from '@/components/appearance/appearance-panel'
 import { Alert, AlertDescription } from '@/components/ui/alert'
 import { Button } from '@/components/ui/button'
 import {
-	Card,
-	CardContent,
-	CardDescription,
-	CardHeader,
-	CardTitle,
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
 } from '@/components/ui/card'
 import { Input } from '@/components/ui/input'
 import { Label } from '@/components/ui/label'
 import {
-	Select,
-	SelectContent,
-	SelectItem,
-	SelectTrigger,
-	SelectValue,
+  Select,
+  SelectContent,
+  SelectItem,
+  SelectTrigger,
+  SelectValue,
 } from '@/components/ui/select'
 import { Skeleton } from '@/components/ui/skeleton'
 import { Switch } from '@/components/ui/switch'
@@ -84,2301 +84,2877 @@ import { useToast } from '@/hooks/use-toast'
 import { ToastAction } from '@/components/ui/toast'
 
 // Reusable GlassCard component for consistent styling
-function GlassCard({ 
-	children, 
-	className = '',
-	gradient = true 
-}: { 
-	children: React.ReactNode
-	className?: string
-	gradient?: boolean
+function GlassCard({
+  children,
+  className = '',
+  gradient = true,
+}: {
+  children: React.ReactNode
+  className?: string
+  gradient?: boolean
 }) {
-	return (
-		<div className={cn(
-			"glass-card overflow-hidden",
-			className
-		)}>
-			{children}
-		</div>
-	)
+  return (
+    <div className={cn('glass-card overflow-hidden', className)}>
+      {children}
+    </div>
+  )
 }
 
 // Settings section card with icon and better styling
-function SettingsSection({ 
-	icon: Icon, 
-	title, 
-	description, 
-	children,
-	badge,
-	className = ''
-}: { 
-	icon: React.ElementType
-	title: string
-	description: string
-	children: React.ReactNode
-	badge?: React.ReactNode
-	className?: string
+function SettingsSection({
+  icon: Icon,
+  title,
+  description,
+  children,
+  badge,
+  className = '',
+}: {
+  icon: React.ElementType
+  title: string
+  description: string
+  children: React.ReactNode
+  badge?: React.ReactNode
+  className?: string
 }) {
-	return (
-		<GlassCard className={className}>
-			<div className="p-6 space-y-6">
-				<div className="flex items-start gap-4">
-					<div className="flex h-11 w-11 shrink-0 items-center justify-center rounded-xl bg-gradient-to-br from-primary/20 to-primary/5 border border-primary/10">
-						<Icon className="h-5 w-5 text-primary" />
-					</div>
-					<div className="flex-1 min-w-0">
-						<div className="flex items-center gap-2">
-							<h3 className="text-lg font-semibold">{title}</h3>
-							{badge}
-						</div>
-						<p className="text-sm text-muted-foreground mt-0.5">{description}</p>
-					</div>
-				</div>
-				<div className="space-y-5">
-					{children}
-				</div>
-			</div>
-		</GlassCard>
-	)
+  return (
+    <GlassCard className={className}>
+      <div className="p-6 space-y-6">
+        <div className="flex items-start gap-4">
+          <div className="flex h-11 w-11 shrink-0 items-center justify-center rounded-xl bg-gradient-to-br from-primary/20 to-primary/5 border border-primary/10">
+            <Icon className="h-5 w-5 text-primary" />
+          </div>
+          <div className="flex-1 min-w-0">
+            <div className="flex items-center gap-2">
+              <h3 className="text-lg font-semibold">{title}</h3>
+              {badge}
+            </div>
+            <p className="text-sm text-muted-foreground mt-0.5">
+              {description}
+            </p>
+          </div>
+        </div>
+        <div className="space-y-5">{children}</div>
+      </div>
+    </GlassCard>
+  )
 }
 
 // Setting row component for consistent layout
-function SettingRow({ 
-	label, 
-	description, 
-	children,
-	changed = false 
-}: { 
-	label: string
-	description?: string
-	children: React.ReactNode
-	changed?: boolean
+function SettingRow({
+  label,
+  description,
+  children,
+  changed = false,
+}: {
+  label: string
+  description?: string
+  children: React.ReactNode
+  changed?: boolean
 }) {
-	return (
-		<div className="flex items-center justify-between gap-4 py-1">
-			<div className="space-y-0.5 flex-1 min-w-0">
-				<div className="flex items-center gap-2">
-					<Label className="text-sm font-medium">{label}</Label>
-					{changed && (
-						<span className="flex h-2 w-2">
-							<span className="animate-ping absolute inline-flex h-2 w-2 rounded-full bg-primary opacity-75" />
-							<span className="relative inline-flex rounded-full h-2 w-2 bg-primary" />
-						</span>
-					)}
-				</div>
-				{description && (
-					<p className="text-xs text-muted-foreground">{description}</p>
-				)}
-			</div>
-			<div className="flex items-center gap-2 shrink-0">
-				{children}
-			</div>
-		</div>
-	)
+  return (
+    <div className="flex items-center justify-between gap-4 py-1">
+      <div className="space-y-0.5 flex-1 min-w-0">
+        <div className="flex items-center gap-2">
+          <Label className="text-sm font-medium">{label}</Label>
+          {changed && (
+            <span className="flex h-2 w-2">
+              <span className="animate-ping absolute inline-flex h-2 w-2 rounded-full bg-primary opacity-75" />
+              <span className="relative inline-flex rounded-full h-2 w-2 bg-primary" />
+            </span>
+          )}
+        </div>
+        {description && (
+          <p className="text-xs text-muted-foreground">{description}</p>
+        )}
+      </div>
+      <div className="flex items-center gap-2 shrink-0">{children}</div>
+    </div>
+  )
 }
 
 interface ColorConfig {
-	background: string
-	foreground: string
-	card: string
-	cardForeground: string
-	popover: string
-	popoverForeground: string
-	primary: string
-	primaryForeground: string
-	secondary: string
-	secondaryForeground: string
-	muted: string
-	mutedForeground: string
-	accent: string
-	accentForeground: string
-	destructive: string
-	destructiveForeground: string
-	border: string
-	input: string
-	ring: string
+  background: string
+  foreground: string
+  card: string
+  cardForeground: string
+  popover: string
+  popoverForeground: string
+  primary: string
+  primaryForeground: string
+  secondary: string
+  secondaryForeground: string
+  muted: string
+  mutedForeground: string
+  accent: string
+  accentForeground: string
+  destructive: string
+  destructiveForeground: string
+  border: string
+  input: string
+  ring: string
 }
 
 type SettingValue<T extends keyof EmberlyConfig['settings']> = Partial<
-	EmberlyConfig['settings'][T]
+  EmberlyConfig['settings'][T]
 >
 
 function SettingsSkeleton() {
-	return (
-		<div className="space-y-6">
-			{/* Header skeleton */}
-			<div className="glass-card p-6">
-				<div className="flex items-center gap-4">
-					<Skeleton className="h-12 w-12 rounded-xl" />
-					<div className="space-y-2">
-						<Skeleton className="h-6 w-48" />
-						<Skeleton className="h-4 w-72" />
-					</div>
-				</div>
-			</div>
-
-			{/* Tabs skeleton */}
-			<div className="flex gap-2 p-1 bg-background/80 rounded-xl border border-border/50 w-fit">
-				<Skeleton className="h-10 w-32 rounded-lg" />
-				<Skeleton className="h-10 w-32 rounded-lg" />
-				<Skeleton className="h-10 w-32 rounded-lg" />
-			</div>
-
-			{/* Cards skeleton */}
-			<div className="space-y-4">
-				{[1, 2, 3].map((i) => (
-					<div key={i} className="rounded-2xl border border-border/50 bg-background/80 p-6 space-y-6">
-						<div className="flex items-start gap-4">
-							<Skeleton className="h-11 w-11 rounded-xl shrink-0" />
-							<div className="space-y-2 flex-1">
-								<Skeleton className="h-5 w-40" />
-								<Skeleton className="h-4 w-64" />
-							</div>
-						</div>
-						<div className="space-y-5">
-							<div className="flex items-center justify-between py-1">
-								<div className="space-y-1.5">
-									<Skeleton className="h-4 w-32" />
-									<Skeleton className="h-3 w-48" />
-								</div>
-								<Skeleton className="h-6 w-12 rounded-full" />
-							</div>
-							<div className="flex items-center justify-between py-1">
-								<div className="space-y-1.5">
-									<Skeleton className="h-4 w-28" />
-									<Skeleton className="h-3 w-40" />
-								</div>
-								<Skeleton className="h-6 w-12 rounded-full" />
-							</div>
-							<div className="flex items-center justify-between py-1">
-								<div className="space-y-1.5">
-									<Skeleton className="h-4 w-36" />
-									<Skeleton className="h-3 w-52" />
-								</div>
-								<Skeleton className="h-10 w-24 rounded-lg" />
-							</div>
-						</div>
-					</div>
-				))}
-			</div>
-		</div>
-	)
+  return (
+    <div className="space-y-6">
+      {/* Header skeleton */}
+      <div className="glass-card p-6">
+        <div className="flex items-center gap-4">
+          <Skeleton className="h-12 w-12 rounded-xl" />
+          <div className="space-y-2">
+            <Skeleton className="h-6 w-48" />
+            <Skeleton className="h-4 w-72" />
+          </div>
+        </div>
+      </div>
+
+      {/* Tabs skeleton */}
+      <div className="flex gap-2 p-1 bg-background/80 rounded-xl border border-border/50 w-fit">
+        <Skeleton className="h-10 w-32 rounded-lg" />
+        <Skeleton className="h-10 w-32 rounded-lg" />
+        <Skeleton className="h-10 w-32 rounded-lg" />
+      </div>
+
+      {/* Cards skeleton */}
+      <div className="space-y-4">
+        {[1, 2, 3].map((i) => (
+          <div
+            key={i}
+            className="rounded-2xl border border-border/50 bg-background/80 p-6 space-y-6"
+          >
+            <div className="flex items-start gap-4">
+              <Skeleton className="h-11 w-11 rounded-xl shrink-0" />
+              <div className="space-y-2 flex-1">
+                <Skeleton className="h-5 w-40" />
+                <Skeleton className="h-4 w-64" />
+              </div>
+            </div>
+            <div className="space-y-5">
+              <div className="flex items-center justify-between py-1">
+                <div className="space-y-1.5">
+                  <Skeleton className="h-4 w-32" />
+                  <Skeleton className="h-3 w-48" />
+                </div>
+                <Skeleton className="h-6 w-12 rounded-full" />
+              </div>
+              <div className="flex items-center justify-between py-1">
+                <div className="space-y-1.5">
+                  <Skeleton className="h-4 w-28" />
+                  <Skeleton className="h-3 w-40" />
+                </div>
+                <Skeleton className="h-6 w-12 rounded-full" />
+              </div>
+              <div className="flex items-center justify-between py-1">
+                <div className="space-y-1.5">
+                  <Skeleton className="h-4 w-36" />
+                  <Skeleton className="h-3 w-52" />
+                </div>
+                <Skeleton className="h-10 w-24 rounded-lg" />
+              </div>
+            </div>
+          </div>
+        ))}
+      </div>
+    </div>
+  )
 }
 
 const isSafeUrl = (url: string | null): url is string => {
-	if (!url) return false
-	return url.startsWith('blob:') && /^blob:https?:\/\//.test(url)
+  if (!url) return false
+  return url.startsWith('blob:') && /^blob:https?:\/\//.test(url)
 }
 
 function SystemApiKeySection() {
-	const { toast } = useToast()
-	const [exists, setExists] = useState(false)
-	const [prefix, setPrefix] = useState<string | null>(null)
-	const [createdAt, setCreatedAt] = useState<string | null>(null)
-	const [newKey, setNewKey] = useState<string | null>(null)
-	const [showKey, setShowKey] = useState(false)
-	const [loading, setLoading] = useState(true)
-	const [generating, setGenerating] = useState(false)
-	const [revoking, setRevoking] = useState(false)
-
-	const fetchMeta = useCallback(async () => {
-		try {
-			const res = await fetch('/api/admin/system-key')
-			if (!res.ok) throw new Error('Failed to fetch')
-			const data = await res.json()
-			setExists(data.exists)
-			setPrefix(data.prefix ?? null)
-			setCreatedAt(data.createdAt ?? null)
-		} catch {
-			toast({ title: 'Error', description: 'Failed to load system key info', variant: 'destructive' })
-		} finally {
-			setLoading(false)
-		}
-	}, [toast])
-
-	useEffect(() => { fetchMeta() }, [fetchMeta])
-
-	const executeGenerate = async () => {
-		setGenerating(true)
-		setNewKey(null)
-		try {
-			const res = await fetch('/api/admin/system-key', { method: 'POST' })
-			if (!res.ok) throw new Error('Failed to generate')
-			const data = await res.json()
-			setNewKey(data.key)
-			setShowKey(true)
-			setExists(true)
-			setPrefix(data.prefix)
-			setCreatedAt(new Date().toISOString())
-			toast({ title: 'Key generated', description: 'Copy it now — it won\'t be shown again.' })
-		} catch {
-			toast({ title: 'Error', description: 'Failed to generate key', variant: 'destructive' })
-		} finally {
-			setGenerating(false)
-		}
-	}
-
-	const handleGenerate = async () => {
-		if (!exists) {
-			await executeGenerate()
-			return
-		}
-		toast({
-			title: 'Regenerate API key?',
-			description: 'This will revoke the current key. Any integrations using it will stop working.',
-			variant: 'destructive',
-			action: (
-				<ToastAction altText="Confirm regenerate" onClick={executeGenerate}>
-					Regenerate
-				</ToastAction>
-			),
-		})
-	}
-
-	const handleRevoke = () => {
-		toast({
-			title: 'Revoke system API key?',
-			description: 'Any integrations using it will stop working.',
-			variant: 'destructive',
-			action: (
-				<ToastAction
-					altText="Confirm revoke"
-					onClick={async () => {
-						setRevoking(true)
-						try {
-							const res = await fetch('/api/admin/system-key', { method: 'DELETE' })
-							if (!res.ok) throw new Error('Failed to revoke')
-							setExists(false)
-							setPrefix(null)
-							setCreatedAt(null)
-							setNewKey(null)
-							toast({ title: 'Key revoked' })
-						} catch {
-							toast({ title: 'Error', description: 'Failed to revoke key', variant: 'destructive' })
-						} finally {
-							setRevoking(false)
-						}
-					}}
-				>
-					Revoke
-				</ToastAction>
-			),
-		})
-	}
-
-	const copyKey = () => {
-		if (!newKey) return
-		navigator.clipboard.writeText(newKey)
-		toast({ title: 'Copied to clipboard' })
-	}
-
-	if (loading) {
-		return (
-			<SettingsSection icon={Key} title="System API Key" description="Manage the system-level API key for external integrations.">
-				<div className="space-y-3">
-					<Skeleton className="h-10 w-full" />
-					<Skeleton className="h-10 w-40" />
-				</div>
-			</SettingsSection>
-		)
-	}
-
-	return (
-		<SettingsSection icon={Key} title="System API Key" description="A single key for external integrations like Discord bots. Grants system-level access — treat it like a password.">
-			{newKey && (
-				<GlassCard>
-					<div className="p-4 space-y-2">
-						<p className="text-sm font-medium text-primary">New key generated — copy it now, it won&apos;t be shown again.</p>
-						<div className="flex items-center gap-2">
-							<code className="flex-1 text-xs bg-muted/50 rounded-lg px-3 py-2 font-mono break-all select-all">
-								{showKey ? newKey : '•'.repeat(newKey.length)}
-							</code>
-							<Button variant="ghost" size="icon" className="shrink-0" onClick={() => setShowKey(!showKey)}>
-								{showKey ? <EyeOff className="h-4 w-4" /> : <Eye className="h-4 w-4" />}
-							</Button>
-							<Button variant="ghost" size="icon" className="shrink-0" onClick={copyKey}>
-								<Copy className="h-4 w-4" />
-							</Button>
-						</div>
-					</div>
-				</GlassCard>
-			)}
-
-			{exists && (
-				<SettingRow label="Current Key" description={createdAt ? `Created ${new Date(createdAt).toLocaleDateString()}` : undefined}>
-					<code className="text-xs text-muted-foreground font-mono">{prefix}••••••••</code>
-				</SettingRow>
-			)}
-
-			<div className="flex items-center gap-2 pt-2">
-				<Button onClick={handleGenerate} disabled={generating || revoking} size="sm">
-					{generating ? <RefreshCw className="h-4 w-4 animate-spin mr-2" /> : <Key className="h-4 w-4 mr-2" />}
-					{exists ? 'Regenerate Key' : 'Generate Key'}
-				</Button>
-				{exists && (
-					<Button onClick={handleRevoke} disabled={revoking || generating} variant="destructive" size="sm">
-						{revoking ? <RefreshCw className="h-4 w-4 animate-spin mr-2" /> : <XCircle className="h-4 w-4 mr-2" />}
-						Revoke
-					</Button>
-				)}
-			</div>
-
-			{!exists && !newKey && (
-				<p className="text-xs text-muted-foreground">No key exists yet. Generate one to use with external integrations.</p>
-			)}
-		</SettingsSection>
-	)
+  const { toast } = useToast()
+  const [exists, setExists] = useState(false)
+  const [prefix, setPrefix] = useState<string | null>(null)
+  const [createdAt, setCreatedAt] = useState<string | null>(null)
+  const [newKey, setNewKey] = useState<string | null>(null)
+  const [showKey, setShowKey] = useState(false)
+  const [loading, setLoading] = useState(true)
+  const [generating, setGenerating] = useState(false)
+  const [revoking, setRevoking] = useState(false)
+
+  const fetchMeta = useCallback(async () => {
+    try {
+      const res = await fetch('/api/admin/system-key')
+      if (!res.ok) throw new Error('Failed to fetch')
+      const data = await res.json()
+      setExists(data.exists)
+      setPrefix(data.prefix ?? null)
+      setCreatedAt(data.createdAt ?? null)
+    } catch {
+      toast({
+        title: 'Error',
+        description: 'Failed to load system key info',
+        variant: 'destructive',
+      })
+    } finally {
+      setLoading(false)
+    }
+  }, [toast])
+
+  useEffect(() => {
+    fetchMeta()
+  }, [fetchMeta])
+
+  const executeGenerate = async () => {
+    setGenerating(true)
+    setNewKey(null)
+    try {
+      const res = await fetch('/api/admin/system-key', { method: 'POST' })
+      if (!res.ok) throw new Error('Failed to generate')
+      const data = await res.json()
+      setNewKey(data.key)
+      setShowKey(true)
+      setExists(true)
+      setPrefix(data.prefix)
+      setCreatedAt(new Date().toISOString())
+      toast({
+        title: 'Key generated',
+        description: "Copy it now — it won't be shown again.",
+      })
+    } catch {
+      toast({
+        title: 'Error',
+        description: 'Failed to generate key',
+        variant: 'destructive',
+      })
+    } finally {
+      setGenerating(false)
+    }
+  }
+
+  const handleGenerate = async () => {
+    if (!exists) {
+      await executeGenerate()
+      return
+    }
+    toast({
+      title: 'Regenerate API key?',
+      description:
+        'This will revoke the current key. Any integrations using it will stop working.',
+      variant: 'destructive',
+      action: (
+        <ToastAction altText="Confirm regenerate" onClick={executeGenerate}>
+          Regenerate
+        </ToastAction>
+      ),
+    })
+  }
+
+  const handleRevoke = () => {
+    toast({
+      title: 'Revoke system API key?',
+      description: 'Any integrations using it will stop working.',
+      variant: 'destructive',
+      action: (
+        <ToastAction
+          altText="Confirm revoke"
+          onClick={async () => {
+            setRevoking(true)
+            try {
+              const res = await fetch('/api/admin/system-key', {
+                method: 'DELETE',
+              })
+              if (!res.ok) throw new Error('Failed to revoke')
+              setExists(false)
+              setPrefix(null)
+              setCreatedAt(null)
+              setNewKey(null)
+              toast({ title: 'Key revoked' })
+            } catch {
+              toast({
+                title: 'Error',
+                description: 'Failed to revoke key',
+                variant: 'destructive',
+              })
+            } finally {
+              setRevoking(false)
+            }
+          }}
+        >
+          Revoke
+        </ToastAction>
+      ),
+    })
+  }
+
+  const copyKey = () => {
+    if (!newKey) return
+    navigator.clipboard.writeText(newKey)
+    toast({ title: 'Copied to clipboard' })
+  }
+
+  if (loading) {
+    return (
+      <SettingsSection
+        icon={Key}
+        title="System API Key"
+        description="Manage the system-level API key for external integrations."
+      >
+        <div className="space-y-3">
+          <Skeleton className="h-10 w-full" />
+          <Skeleton className="h-10 w-40" />
+        </div>
+      </SettingsSection>
+    )
+  }
+
+  return (
+    <SettingsSection
+      icon={Key}
+      title="System API Key"
+      description="A single key for external integrations like Discord bots. Grants system-level access — treat it like a password."
+    >
+      {newKey && (
+        <GlassCard>
+          <div className="p-4 space-y-2">
+            <p className="text-sm font-medium text-primary">
+              New key generated — copy it now, it won&apos;t be shown again.
+            </p>
+            <div className="flex items-center gap-2">
+              <code className="flex-1 text-xs bg-muted/50 rounded-lg px-3 py-2 font-mono break-all select-all">
+                {showKey ? newKey : '•'.repeat(newKey.length)}
+              </code>
+              <Button
+                variant="ghost"
+                size="icon"
+                className="shrink-0"
+                onClick={() => setShowKey(!showKey)}
+              >
+                {showKey ? (
+                  <EyeOff className="h-4 w-4" />
+                ) : (
+                  <Eye className="h-4 w-4" />
+                )}
+              </Button>
+              <Button
+                variant="ghost"
+                size="icon"
+                className="shrink-0"
+                onClick={copyKey}
+              >
+                <Copy className="h-4 w-4" />
+              </Button>
+            </div>
+          </div>
+        </GlassCard>
+      )}
+
+      {exists && (
+        <SettingRow
+          label="Current Key"
+          description={
+            createdAt
+              ? `Created ${new Date(createdAt).toLocaleDateString()}`
+              : undefined
+          }
+        >
+          <code className="text-xs text-muted-foreground font-mono">
+            {prefix}••••••••
+          </code>
+        </SettingRow>
+      )}
+
+      <div className="flex items-center gap-2 pt-2">
+        <Button
+          onClick={handleGenerate}
+          disabled={generating || revoking}
+          size="sm"
+        >
+          {generating ? (
+            <RefreshCw className="h-4 w-4 animate-spin mr-2" />
+          ) : (
+            <Key className="h-4 w-4 mr-2" />
+          )}
+          {exists ? 'Regenerate Key' : 'Generate Key'}
+        </Button>
+        {exists && (
+          <Button
+            onClick={handleRevoke}
+            disabled={revoking || generating}
+            variant="destructive"
+            size="sm"
+          >
+            {revoking ? (
+              <RefreshCw className="h-4 w-4 animate-spin mr-2" />
+            ) : (
+              <XCircle className="h-4 w-4 mr-2" />
+            )}
+            Revoke
+          </Button>
+        )}
+      </div>
+
+      {!exists && !newKey && (
+        <p className="text-xs text-muted-foreground">
+          No key exists yet. Generate one to use with external integrations.
+        </p>
+      )}
+    </SettingsSection>
+  )
 }
 
 export function SettingsManager() {
-	const { toast } = useToast()
-	const { data: session } = useSession()
-	const isSuperAdmin = session?.user?.role === 'SUPERADMIN'
-
-	const [savedConfig, setSavedConfig] = useState<EmberlyConfig | null>(null)
-	const [workingConfig, setWorkingConfig] = useState<EmberlyConfig | null>(null)
-	const [pendingFaviconFile, setPendingFaviconFile] = useState<File | null>(null)
-	const [faviconPreviewUrl, setFaviconPreviewUrl] = useState<string | null>(null)
-
-	const [cssEditorOpen, setCssEditorOpen] = useState(false)
-	const [htmlEditorOpen, setHtmlEditorOpen] = useState(false)
-	const [isCheckingUpdate, setIsCheckingUpdate] = useState(false)
-	const [updateInfo, setUpdateInfo] = useState<{
-		hasUpdate: boolean
-		latestVersion?: string
-		releaseUrl?: string
-	} | null>(null)
-	const [isSaving, setIsSaving] = useState(false)
-	const [intTestStates, setIntTestStates] = useState<Record<string, { loading: boolean; ok?: boolean; message?: string; detail?: string }>>({})
-	const [s3TestState, setS3TestState] = useState<{ loading: boolean; ok?: boolean; message?: string } | null>(null)
-
-	const handleIntegrationTest = async (integration: string, credentials: Record<string, string>) => {
-		setIntTestStates((s) => ({ ...s, [integration]: { loading: true } }))
-		try {
-			const res = await fetch('/api/admin/integrations/test', {
-				method: 'POST',
-				headers: { 'Content-Type': 'application/json' },
-				body: JSON.stringify({ integration, credentials }),
-			})
-			const data = await res.json()
-			setIntTestStates((s) => ({ ...s, [integration]: { loading: false, ok: data?.data?.ok, message: data?.data?.message, detail: data?.data?.detail } }))
-		} catch {
-			setIntTestStates((s) => ({ ...s, [integration]: { loading: false, ok: false, message: 'Request failed' } }))
-		}
-	}
-
-	const handleS3Test = async () => {
-		if (!workingConfig) return
-		setS3TestState({ loading: true })
-		const s3 = workingConfig.settings.general.storage.s3
-		try {
-			const res = await fetch('/api/admin/storage/test', {
-				method: 'POST',
-				headers: { 'Content-Type': 'application/json' },
-				body: JSON.stringify({
-					bucket: s3?.bucket,
-					region: s3?.region,
-					accessKeyId: s3?.accessKeyId,
-					secretAccessKey: s3?.secretAccessKey,
-					endpoint: s3?.endpoint,
-					forcePathStyle: s3?.forcePathStyle,
-				}),
-			})
-			const data = await res.json()
-			setS3TestState({ loading: false, ok: data?.data?.ok, message: data?.data?.message })
-		} catch {
-			setS3TestState({ loading: false, ok: false, message: 'Request failed' })
-		}
-	}
-
-	const hasChanges =
-		!deepEqual(savedConfig, workingConfig) || pendingFaviconFile !== null
-
-	const saveChanges = async () => {
-		if (!workingConfig) return
-
-		try {
-			setIsSaving(true)
-
-			if (pendingFaviconFile) {
-				const formData = new FormData()
-				formData.append('file', pendingFaviconFile)
-
-				const response = await fetch('/api/settings/favicon', {
-					method: 'POST',
-					body: formData,
-				})
-
-				if (!response.ok) {
-					throw new Error('Failed to upload favicon')
-				}
-
-				const newConfig = { ...workingConfig }
-				newConfig.settings.appearance.favicon = '/api/favicon'
-				setWorkingConfig(newConfig)
-
-				const link = document.querySelector(
-					"link[rel*='icon']"
-				) as HTMLLinkElement
-				if (link) {
-					link.href = '/api/favicon'
-					link.type = 'image/png'
-				}
-
-				setPendingFaviconFile(null)
-				if (faviconPreviewUrl) {
-					URL.revokeObjectURL(faviconPreviewUrl)
-					setFaviconPreviewUrl(null)
-				}
-			}
-
-			const response = await fetch('/api/settings', {
-				method: 'POST',
-				headers: {
-					'Content-Type': 'application/json',
-				},
-				body: JSON.stringify(workingConfig),
-			})
-
-			if (!response.ok) throw new Error()
-
-			setSavedConfig(JSON.parse(JSON.stringify(workingConfig)))
-
-			toast({
-				title: 'Settings updated',
-				description: 'Your changes have been saved successfully',
-			})
-		} catch (error) {
-			console.error('Failed to update settings:', error)
-			toast({
-				title: 'Failed to update settings',
-				description: 'Please try again',
-				variant: 'destructive',
-			})
-		} finally {
-			setIsSaving(false)
-		}
-	}
-
-	const discardChanges = () => {
-		if (!savedConfig) return
-
-		if (faviconPreviewUrl) {
-			URL.revokeObjectURL(faviconPreviewUrl)
-			setFaviconPreviewUrl(null)
-		}
-
-		setPendingFaviconFile(null)
-
-		setWorkingConfig(JSON.parse(JSON.stringify(savedConfig)))
-
-		toast({
-			title: 'Changes discarded',
-			description: 'All changes have been reverted to the saved state',
-		})
-	}
-
-	const handleSettingChange = useCallback(
-		<T extends keyof EmberlyConfig['settings']>(
-			section: T,
-			value: SettingValue<T>
-		) => {
-			if (!workingConfig) return
-
-			const newConfig = { ...workingConfig }
-			newConfig.settings[section] = {
-				...(newConfig.settings[section] as Record<string, unknown> ?? {}),
-				...(value as Record<string, unknown>),
-			} as EmberlyConfig['settings'][T]
-			setWorkingConfig(newConfig)
-		},
-		[workingConfig]
-	)
-
-	const isFieldChanged = useCallback(
-		<T extends keyof EmberlyConfig['settings']>(
-			section: T,
-			fieldPath: string[]
-		): boolean => {
-			if (!savedConfig || !workingConfig) return false
-
-			let savedValue: unknown = savedConfig.settings[section]
-			let workingValue: unknown = workingConfig.settings[section]
-
-			for (const field of fieldPath) {
-				if (
-					typeof savedValue !== 'object' ||
-					savedValue === null ||
-					typeof workingValue !== 'object' ||
-					workingValue === null
-				) {
-					return false
-				}
-
-				savedValue = (savedValue as Record<string, unknown>)[field]
-				workingValue = (workingValue as Record<string, unknown>)[field]
-			}
-
-			return !deepEqual(savedValue, workingValue)
-		},
-		[savedConfig, workingConfig]
-	)
-
-	const countChangedSettings = useCallback((): number => {
-		if (!savedConfig || !workingConfig) return 0
-
-		let count = 0
-
-		const { storage: _cs1, ...savedGen } = savedConfig.settings.general
-		const { storage: _cs2, ...workingGen } = workingConfig.settings.general
-		if (!deepEqual(savedGen, workingGen)) {
-			count++
-		}
-
-		if (!deepEqual(_cs1, _cs2)) {
-			count++
-		}
-
-		if (
-			!deepEqual(savedConfig.settings.appearance, workingConfig.settings.appearance)
-		) {
-			count++
-		}
-
-		if (!deepEqual(savedConfig.settings.advanced, workingConfig.settings.advanced)) {
-			count++
-		}
-
-		if (!deepEqual(savedConfig.settings.integrations, workingConfig.settings.integrations)) {
-			count++
-		}
-
-		return count
-	}, [savedConfig, workingConfig])
-
-	const getChangedSettingsGroups = useCallback((): string[] => {
-		if (!savedConfig || !workingConfig) return []
-
-		const changedGroups: string[] = []
-
-		const { storage: _cg1, ...savedGen } = savedConfig.settings.general
-		const { storage: _cg2, ...workingGen } = workingConfig.settings.general
-		if (!deepEqual(savedGen, workingGen)) {
-			changedGroups.push('General')
-		}
-
-		if (!deepEqual(_cg1, _cg2)) {
-			changedGroups.push('Storage')
-		}
-
-		if (
-			!deepEqual(savedConfig.settings.appearance, workingConfig.settings.appearance)
-		) {
-			changedGroups.push('Appearance')
-		}
-
-		if (!deepEqual(savedConfig.settings.advanced, workingConfig.settings.advanced)) {
-			changedGroups.push('Advanced')
-		}
-
-		if (!deepEqual(savedConfig.settings.integrations, workingConfig.settings.integrations)) {
-			changedGroups.push('Integrations')
-		}
-
-		return changedGroups
-	}, [savedConfig, workingConfig])
-
-	useEffect(() => {
-		const loadConfig = async () => {
-			try {
-				const response = await fetch('/api/settings')
-				const responseJson = await response.json()
-				if (responseJson?.data) {
-					const actualConfigData = responseJson.data
-					setSavedConfig(actualConfigData)
-					setWorkingConfig(JSON.parse(JSON.stringify(actualConfigData)))
-				} else {
-					console.error(
-						'Failed to load config: Invalid data structure received',
-						responseJson
-					)
-				}
-			} catch (error) {
-				console.error('Failed to load config:', error)
-			}
-		}
-		loadConfig()
-	}, [])
-
-	const handleStorageQuotaChange = (value: string) => {
-		if (!workingConfig?.settings?.general?.storage) return
-		const numValue = Number.parseInt(value)
-		if (Number.isNaN(numValue) || numValue < 0) return
-
-		handleSettingChange('general', {
-			storage: {
-				...workingConfig.settings.general.storage,
-				quotas: {
-					...workingConfig.settings.general.storage.quotas,
-					default: {
-						...workingConfig.settings.general.storage.quotas.default,
-						value: numValue,
-					},
-				},
-			},
-		})
-	}
-
-	const handleMaxUploadSizeChange = (value: string) => {
-		if (!workingConfig?.settings?.general?.storage) return
-		const numValue = Number.parseInt(value)
-		if (Number.isNaN(numValue) || numValue < 1) return
-
-		handleSettingChange('general', {
-			storage: {
-				...workingConfig.settings.general.storage,
-				maxUploadSize: {
-					...workingConfig.settings.general.storage.maxUploadSize,
-					value: numValue,
-				},
-			},
-		})
-	}
-
-	const handleCustomColorsChange = (colors: Partial<ColorConfig>) => {
-		handleSettingChange('appearance', {
-			customColors: colors,
-		})
-	}
-
-	const handleThemePresetChange = (themeId: string, backgroundEffect: string, animationSpeed: string) => {
-		handleSettingChange('appearance', {
-			theme: themeId,
-			backgroundEffect: backgroundEffect as EmberlyConfig['settings']['appearance']['backgroundEffect'],
-			animationSpeed: animationSpeed as AnimationSpeed,
-		})
-	}
-
-	/**
-	 * Save system/admin appearance directly to /api/settings (PATCH).
-	 * Used as the onSave override for AppearancePanel in admin context so it
-	 * does NOT call PUT /api/profile like the user-facing flow.
-	 */
-	const handleAdminSaveAppearance = async (themeId: string, colors: Record<string, string>): Promise<boolean> => {
-		try {
-			const response = await fetch('/api/settings', {
-				method: 'PATCH',
-				headers: { 'Content-Type': 'application/json' },
-				body: JSON.stringify({
-					section: 'appearance',
-					data: {
-						theme: themeId,
-						customColors: colors,
-					},
-				}),
-			})
-			if (!response.ok) throw new Error('Failed to save appearance')
-			const updatedConfig: EmberlyConfig = await response.json()
-			setSavedConfig(JSON.parse(JSON.stringify(updatedConfig)))
-			setWorkingConfig(JSON.parse(JSON.stringify(updatedConfig)))
-			return true
-		} catch (error) {
-			console.error('[SettingsManager] Failed to save appearance', error)
-			return false
-		}
-	}
-
-	/**
-	 * Track admin theme selections so the "Modified" badge reflects appearance changes
-	 * while the admin is previewing (before saving).
-	 */
-	const handleAdminThemeChange = useCallback((
-		themeId: string,
-		colors: Record<string, string>,
-		meta?: { backgroundEffect?: string; animationSpeed?: string }
-	) => {
-		handleSettingChange('appearance', {
-			theme: themeId,
-		backgroundEffect: (meta?.backgroundEffect || 'none') as EmberlyConfig['settings']['appearance']['backgroundEffect'],
-		animationSpeed: (meta?.animationSpeed || 'medium') as AnimationSpeed,
-			customColors: colors,
-		})
-	}, [handleSettingChange])
-
-	const checkForUpdates = async () => {
-		try {
-			setIsCheckingUpdate(true)
-			const response = await fetch('/api/updates/check')
-			if (!response.ok) throw new Error()
-			const data = await response.json()
-			setUpdateInfo(data)
-
-			toast({
-				title: data.hasUpdate ? 'Update Available' : 'No Updates Available',
-				description: data.message,
-				variant: 'default',
-			})
-		} catch {
-			toast({
-				title: 'Failed to check for updates',
-				description: 'Please try again later',
-				variant: 'destructive',
-			})
-		} finally {
-			setIsCheckingUpdate(false)
-		}
-	}
-
-	const hasFaviconChanged = useCallback(() => {
-		return pendingFaviconFile !== null
-	}, [pendingFaviconFile])
-
-	if (
-		!workingConfig ||
-		!savedConfig ||
-		!workingConfig.settings ||
-		!savedConfig.settings ||
-		!workingConfig.settings.general ||
-		!savedConfig.settings.general ||
-		!workingConfig.settings.general.storage ||
-		!savedConfig.settings.general.storage ||
-		!workingConfig.settings.appearance ||
-		!savedConfig.settings.appearance ||
-		!workingConfig.settings.advanced ||
-		!savedConfig.settings.advanced
-	) {
-		return <SettingsSkeleton />
-	}
-
-	const getFieldClasses = (
-		section: keyof EmberlyConfig['settings'],
-		fieldPath: string[]
-	) => {
-		const isChanged = isFieldChanged(section, fieldPath)
-		return isChanged ? 'border-primary/50 ring-1 ring-primary/30 bg-primary/5 transition-all' : 'transition-all'
-	}
-
-	const ChangeIndicator = () => (
-		<span className="flex h-2 w-2">
-			<span className="animate-ping absolute inline-flex h-2 w-2 rounded-full bg-primary opacity-75" />
-			<span className="relative inline-flex rounded-full h-2 w-2 bg-primary" />
-		</span>
-	)
-
-	const generalHasChanges = (() => {
-		if (!savedConfig || !workingConfig) return false
-		const { storage: _sg1, ...savedGen } = savedConfig.settings.general
-		const { storage: _sg2, ...workingGen } = workingConfig.settings.general
-		return !deepEqual(savedGen, workingGen)
-	})()
-	const storageHasChanges = !deepEqual(savedConfig?.settings.general?.storage, workingConfig?.settings.general?.storage)
-	const appearanceHasChanges = !deepEqual(savedConfig?.settings.appearance, workingConfig?.settings.appearance)
-	const advancedHasChanges = !deepEqual(savedConfig?.settings.advanced, workingConfig?.settings.advanced)
-	const integrationsHasChanges = !deepEqual(savedConfig?.settings.integrations, workingConfig?.settings.integrations)
-
-	return (
-		<div className="space-y-6 pb-32">
-			{/* Page Header - Removed as it's now in the parent page */}
-
-			{/* Admin read-only notice */}
-			{!isSuperAdmin && (
-				<div className="flex items-start gap-3 rounded-xl border border-amber-500/40 bg-amber-500/10 px-5 py-4 text-sm text-amber-700 dark:text-amber-400">
-					<Lock className="mt-0.5 h-4 w-4 shrink-0" />
-					<span>
-						<strong>Read-only mode.</strong> You can view and test settings, but saving changes and viewing secret keys requires <strong>Super Administrator</strong> access.
-					</span>
-				</div>
-			)}
-
-			{/* Main Content */}
-			<Tabs defaultValue="general" className="space-y-6">
-				{/* Improved Tab Navigation */}
-				<ScrollIndicator className="-mx-2 px-2">
-					<TabsList className="inline-flex h-12 items-center justify-start gap-1 glass-subtle p-1.5 shadow-sm">
-						<TabsTrigger 
-							value="general" 
-							className="relative inline-flex items-center gap-2 rounded-lg px-4 py-2.5 text-sm font-medium transition-all data-[state=active]:bg-background data-[state=active]:shadow-sm data-[state=active]:border-border/50"
-						>
-							<Sliders className="h-4 w-4" />
-							<span>General</span>
-							{generalHasChanges && (
-								<span className="absolute -top-1 -right-1 flex h-3 w-3">
-									<span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-primary opacity-75" />
-									<span className="relative inline-flex rounded-full h-3 w-3 bg-primary" />
-								</span>
-							)}
-						</TabsTrigger>
-						<TabsTrigger 
-							value="storage" 
-							className="relative inline-flex items-center gap-2 rounded-lg px-4 py-2.5 text-sm font-medium transition-all data-[state=active]:bg-background data-[state=active]:shadow-sm data-[state=active]:border-border/50"
-						>
-							<HardDrive className="h-4 w-4" />
-							<span>Storage</span>
-							{storageHasChanges && (
-								<span className="absolute -top-1 -right-1 flex h-3 w-3">
-									<span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-primary opacity-75" />
-									<span className="relative inline-flex rounded-full h-3 w-3 bg-primary" />
-								</span>
-							)}
-						</TabsTrigger>
-						<TabsTrigger 
-							value="integrations" 
-							className="relative inline-flex items-center gap-2 rounded-lg px-4 py-2.5 text-sm font-medium transition-all data-[state=active]:bg-background data-[state=active]:shadow-sm data-[state=active]:border-border/50"
-						>
-							<Key className="h-4 w-4" />
-							<span>Integrations</span>
-							{integrationsHasChanges && (
-								<span className="absolute -top-1 -right-1 flex h-3 w-3">
-									<span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-primary opacity-75" />
-									<span className="relative inline-flex rounded-full h-3 w-3 bg-primary" />
-								</span>
-							)}
-						</TabsTrigger>
-						<TabsTrigger 
-							value="appearance" 
-							className="relative inline-flex items-center gap-2 rounded-lg px-4 py-2.5 text-sm font-medium transition-all data-[state=active]:bg-background data-[state=active]:shadow-sm data-[state=active]:border-border/50"
-						>
-							<Palette className="h-4 w-4" />
-							<span>Appearance</span>
-							{appearanceHasChanges && (
-								<span className="absolute -top-1 -right-1 flex h-3 w-3">
-									<span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-primary opacity-75" />
-									<span className="relative inline-flex rounded-full h-3 w-3 bg-primary" />
-								</span>
-							)}
-						</TabsTrigger>
-						<TabsTrigger 
-							value="advanced" 
-							className="relative inline-flex items-center gap-2 rounded-lg px-4 py-2.5 text-sm font-medium transition-all data-[state=active]:bg-background data-[state=active]:shadow-sm data-[state=active]:border-border/50"
-						>
-							<Code className="h-4 w-4" />
-							<span>Advanced</span>
-							{advancedHasChanges && (
-								<span className="absolute -top-1 -right-1 flex h-3 w-3">
-									<span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-primary opacity-75" />
-									<span className="relative inline-flex rounded-full h-3 w-3 bg-primary" />
-								</span>
-							)}
-						</TabsTrigger>
-					</TabsList>
-				</ScrollIndicator>
-
-				{/* General Settings Tab */}
-				<TabsContent value="general" className="space-y-5 mt-0">
-					{/* Instance Information */}
-					<SettingsSection
-						icon={InfoIcon}
-						title="Instance Information"
-						description="View and manage your Emberly instance details"
-						badge={
-							updateInfo?.hasUpdate && (
-								<span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
-									<Sparkles className="h-3 w-3" />
-									Update available
-								</span>
-							)
-						}
-					>
-						<SettingRow
-							label="Current Version"
-							description={`Emberly v${pkg.version}${updateInfo ? (updateInfo.hasUpdate ? ` → ${updateInfo.latestVersion}` : ' (Latest)') : ''}`}
-						>
-							<div className="flex items-center gap-2">
-								{updateInfo?.hasUpdate && (
-									<Button variant="outline" size="sm" asChild>
-										<a
-											href={updateInfo.releaseUrl}
-											target="_blank"
-											rel="noopener noreferrer"
-											className="flex items-center gap-2"
-										>
-											<ExternalLink className="h-4 w-4" />
-											View Release
-										</a>
-									</Button>
-								)}
-								<Button 
-									onClick={checkForUpdates} 
-									disabled={isCheckingUpdate}
-									variant={updateInfo?.hasUpdate ? "default" : "outline"}
-									size="sm"
-								>
-									{isCheckingUpdate ? (
-										<>
-											<Icons.spinner className="mr-2 h-4 w-4 animate-spin" />
-											Checking...
-										</>
-									) : (
-										<>
-											<RefreshCw className="mr-2 h-4 w-4" />
-											Check Updates
-										</>
-									)}
-								</Button>
-							</div>
-						</SettingRow>
-
-						<div className="flex items-center gap-2 pt-2">
-							<Button variant="outline" size="sm" asChild className="h-9">
-								<a
-									href="https://github.com/EmberlyOSS/Emberly"
-									target="_blank"
-									rel="noopener noreferrer"
-								>
-									<Github className="mr-2 h-4 w-4" />
-									GitHub
-								</a>
-							</Button>
-							<Button variant="outline" size="sm" asChild className="h-9">
-								<a
-									href="https://ko-fi.com/codemeapixel"
-									target="_blank"
-									rel="noopener noreferrer"
-								>
-									<Heart className="mr-2 h-4 w-4 text-red-500" />
-									Sponsor
-								</a>
-							</Button>
-						</div>
-					</SettingsSection>
-
-					{/* User Management */}
-					<SettingsSection
-						icon={Users}
-						title="User Management"
-						description="Configure user registration and quota settings"
-					>
-						<SettingRow
-							label="Allow Registrations"
-							description="Enable or disable new user registrations"
-							changed={isFieldChanged('general', ['registrations', 'enabled'])}
-						>
-							<Switch
-								checked={workingConfig.settings.general.registrations.enabled}
-								onCheckedChange={(checked) =>
-									handleSettingChange('general', {
-										registrations: {
-											...workingConfig.settings.general.registrations,
-											enabled: checked,
-										},
-									})
-								}
-								className={getFieldClasses('general', ['registrations', 'enabled'])}
-							/>
-						</SettingRow>
-
-						{!workingConfig.settings.general.registrations.enabled && (
-							<div className="space-y-2 pl-0.5">
-								<Label className="text-sm font-medium">Disabled Message</Label>
-								<Input
-									placeholder="Registrations are currently disabled"
-									value={workingConfig.settings.general.registrations.disabledMessage || ''}
-									onChange={(e) =>
-										handleSettingChange('general', {
-											registrations: {
-												...workingConfig.settings.general.registrations,
-												disabledMessage: e.target.value,
-											},
-										})
-									}
-									className={cn("max-w-md", getFieldClasses('general', ['registrations', 'disabledMessage']))}
-								/>
-								<p className="text-xs text-muted-foreground">
-									Shown to users when registrations are disabled
-								</p>
-							</div>
-						)}
-
-					</SettingsSection>
-
-					{/* Credits */}
-					<SettingsSection
-						icon={Heart}
-						title="Credits & Attribution"
-						description="Manage footer credits visibility"
-					>
-						<SettingRow
-							label="Show Credits Footer"
-							description="Display Emberly credits in the footer"
-							changed={isFieldChanged('general', ['credits', 'showFooter'])}
-						>
-							<Switch
-								checked={workingConfig.settings.general.credits.showFooter}
-								onCheckedChange={(checked) =>
-									handleSettingChange('general', {
-										credits: { showFooter: checked },
-									})
-								}
-								className={getFieldClasses('general', ['credits', 'showFooter'])}
-							/>
-						</SettingRow>
-
-						{!workingConfig.settings.general.credits.showFooter && (
-							<Alert className="bg-amber-500/10 border-amber-500/20 text-amber-600 dark:text-amber-400">
-								<Heart className="h-4 w-4" />
-								<AlertDescription>
-									If you disable credits, please consider{' '}
-									<a 
-										href="https://ko-fi.com/codemeapixel" 
-										target="_blank" 
-										rel="noopener noreferrer"
-										className="underline font-medium hover:no-underline"
-									>
-										sponsoring the project
-									</a>{' '}
-									to support its development.
-								</AlertDescription>
-							</Alert>
-						)}
-					</SettingsSection>
-				</TabsContent>
-
-				{/* Storage Tab */}
-			<TabsContent value="storage" className="space-y-5 mt-0">
-				{/* User Quotas */}
-				<SettingsSection
-					icon={Users}
-					title="User Quotas"
-					description="Configure storage limits per user"
-				>
-					<SettingRow
-						label="User Quotas"
-						description="Enable storage limits per user"
-						changed={isFieldChanged('general', ['storage', 'quotas', 'enabled'])}
-					>
-						<Switch
-							checked={workingConfig.settings.general.storage.quotas.enabled}
-							onCheckedChange={(checked) =>
-								handleSettingChange('general', {
-									storage: {
-										...workingConfig.settings.general.storage,
-										quotas: {
-											...workingConfig.settings.general.storage.quotas,
-											enabled: checked,
-										},
-									},
-								})
-							}
-							className={getFieldClasses('general', ['storage', 'quotas', 'enabled'])}
-						/>
-					</SettingRow>
-
-					<div className="space-y-2 pl-0.5">
-						<div className="flex items-center gap-2">
-							<Label className="text-sm font-medium">Default Storage Quota</Label>
-							{isFieldChanged('general', ['storage', 'quotas', 'default', 'value']) && <ChangeIndicator />}
-						</div>
-						<div className="flex items-center gap-2 max-w-xs">
-							<Input
-								type="number"
-								min="0"
-								step="1"
-								value={workingConfig.settings.general.storage.quotas.default.value}
-								onChange={(e) => handleStorageQuotaChange(e.target.value)}
-								placeholder="500"
-								className={cn("flex-1", getFieldClasses('general', ['storage', 'quotas', 'default', 'value']))}
-							/>
-							<Select
-								value={workingConfig.settings.general.storage.quotas.default.unit}
-								onValueChange={(value) =>
-									handleSettingChange('general', {
-										storage: {
-											...workingConfig.settings.general.storage,
-											quotas: {
-												...workingConfig.settings.general.storage.quotas,
-												default: {
-													...workingConfig.settings.general.storage.quotas.default,
-													unit: value as 'MB' | 'GB',
-												},
-											},
-										},
-									})
-								}
-							>
-								<SelectTrigger className={cn("w-20", getFieldClasses('general', ['storage', 'quotas', 'default', 'unit']))}>
-									<SelectValue placeholder="Unit" />
-								</SelectTrigger>
-								<SelectContent>
-									<SelectItem value="MB">MB</SelectItem>
-									<SelectItem value="GB">GB</SelectItem>
-								</SelectContent>
-							</Select>
-						</div>
-					</div>
-				</SettingsSection>
-
-				{/* Storage Provider */}
-				<SettingsSection
-					icon={HardDrive}
-					title="Storage Settings"
-					description="Configure storage provider and file upload limits"
-				>
-					<SettingRow
-						label="Background OCR Processing"
-						description="Enable OCR to search text in uploaded images"
-						changed={isFieldChanged('general', ['ocr', 'enabled'])}
-					>
-						<Switch
-							checked={workingConfig.settings.general.ocr.enabled}
-							onCheckedChange={(checked) =>
-								handleSettingChange('general', {
-									ocr: { enabled: checked },
-								})
-							}
-							className={getFieldClasses('general', ['ocr', 'enabled'])}
-						/>
-					</SettingRow>
-
-					<div className="space-y-2 pl-0.5">
-						<div className="flex items-center gap-2">
-							<Label className="text-sm font-medium">Storage Provider</Label>
-							{isFieldChanged('general', ['storage', 'provider']) && <ChangeIndicator />}
-						</div>
-						<Select
-							value={workingConfig.settings.general.storage.provider}
-							onValueChange={(value) =>
-								handleSettingChange('general', {
-									storage: {
-										...workingConfig.settings.general.storage,
-										provider: value as 'local' | 's3',
-									},
-								})
-							}
-						>
-							<SelectTrigger className={cn("max-w-xs", getFieldClasses('general', ['storage', 'provider']))}>
-								<SelectValue />
-							</SelectTrigger>
-							<SelectContent>
-								<SelectItem value="local">
-									<div className="flex items-center gap-2">
-										<HardDrive className="h-4 w-4" />
-										Local Storage
-									</div>
-								</SelectItem>
-								<SelectItem value="s3">
-									<div className="flex items-center gap-2">
-										<Cloud className="h-4 w-4" />
-										S3 Storage
-									</div>
-								</SelectItem>
-							</SelectContent>
-						</Select>
-					</div>
-
-					{workingConfig.settings.general.storage.provider === 's3' && (
-						<GlassCard className="mt-4" gradient={false}>
-							<div className="p-4 space-y-4">
-								<div className="flex items-center gap-2 text-sm font-medium text-muted-foreground">
-									<Cloud className="h-4 w-4" />
-									S3 Configuration
-								</div>
-
-								<div className="grid gap-4 sm:grid-cols-2">
-									<div className="space-y-2">
-										<Label className="text-sm">Bucket Name</Label>
-										<Input
-											value={workingConfig.settings.general.storage.s3.bucket}
-											onChange={(e) =>
-												handleSettingChange('general', {
-													storage: {
-														...workingConfig.settings.general.storage,
-														s3: {
-															...workingConfig.settings.general.storage.s3,
-															bucket: e.target.value,
-														},
-													},
-												})
-											}
-											placeholder="my-bucket"
-											className={getFieldClasses('general', ['storage', 's3', 'bucket'])}
-										/>
-									</div>
-									<div className="space-y-2">
-										<Label className="text-sm">Region</Label>
-										<Input
-											value={workingConfig.settings.general.storage.s3.region}
-											onChange={(e) =>
-												handleSettingChange('general', {
-													storage: {
-														...workingConfig.settings.general.storage,
-														s3: {
-															...workingConfig.settings.general.storage.s3,
-															region: e.target.value,
-														},
-													},
-												})
-											}
-											placeholder="us-east-1"
-											className={getFieldClasses('general', ['storage', 's3', 'region'])}
-										/>
-									</div>
-									<div className="space-y-2">
-										<Label className="text-sm">Access Key ID</Label>
-										<Input
-											type="password"
-											value={workingConfig.settings.general.storage.s3.accessKeyId}
-											onChange={(e) =>
-												handleSettingChange('general', {
-													storage: {
-														...workingConfig.settings.general.storage,
-														s3: {
-															...workingConfig.settings.general.storage.s3,
-															accessKeyId: e.target.value,
-														},
-													},
-												})
-											}
-											placeholder="AKIAXXXXXXXXXXXXXXXX"
-											className={getFieldClasses('general', ['storage', 's3', 'accessKeyId'])}
-										/>
-									</div>
-									<div className="space-y-2">
-										<Label className="text-sm">Secret Access Key</Label>
-										<Input
-											type="password"
-											value={workingConfig.settings.general.storage.s3.secretAccessKey}
-											onChange={(e) =>
-												handleSettingChange('general', {
-													storage: {
-														...workingConfig.settings.general.storage,
-														s3: {
-															...workingConfig.settings.general.storage.s3,
-															secretAccessKey: e.target.value,
-														},
-													},
-												})
-											}
-											placeholder="••••••••••••••••••••"
-											className={getFieldClasses('general', ['storage', 's3', 'secretAccessKey'])}
-										/>
-									</div>
-								</div>
-
-								<div className="space-y-2">
-									<Label className="text-sm">Custom Endpoint (Optional)</Label>
-									<Input
-										value={workingConfig.settings.general.storage.s3.endpoint || ''}
-										onChange={(e) =>
-											handleSettingChange('general', {
-												storage: {
-													...workingConfig.settings.general.storage,
-													s3: {
-														...workingConfig.settings.general.storage.s3,
-														endpoint: e.target.value,
-													},
-												},
-											})
-										}
-										placeholder="https://s3.custom-domain.com"
-										className={getFieldClasses('general', ['storage', 's3', 'endpoint'])}
-									/>
-									<p className="text-xs text-muted-foreground">
-										For S3-compatible services like MinIO or DigitalOcean Spaces
-									</p>
-								</div>
-
-								<SettingRow
-									label="Force Path Style"
-									description="Enable for S3-compatible services requiring path-style URLs"
-									changed={isFieldChanged('general', ['storage', 's3', 'forcePathStyle'])}
-								>
-									<Switch
-										checked={workingConfig.settings.general.storage.s3.forcePathStyle}
-										onCheckedChange={(checked) =>
-											handleSettingChange('general', {
-												storage: {
-													...workingConfig.settings.general.storage,
-													s3: {
-														...workingConfig.settings.general.storage.s3,
-														forcePathStyle: checked,
-													},
-												},
-											})
-										}
-										className={getFieldClasses('general', ['storage', 's3', 'forcePathStyle'])}
-									/>
-								</SettingRow>
-
-								<div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
-									<div>
-										{s3TestState && !s3TestState.loading && (
-											<span className={`text-xs flex items-center gap-1.5 ${s3TestState.ok ? 'text-green-500' : 'text-destructive'}`}>
-												{s3TestState.ok
-													? <CheckCircle2 className="h-3.5 w-3.5" />
-													: <AlertCircle className="h-3.5 w-3.5" />}
-												{s3TestState.message}
-											</span>
-										)}
-									</div>
-									<Button
-										variant="outline"
-										size="sm"
-										className="h-8 gap-1.5 shrink-0"
-										disabled={s3TestState?.loading}
-										onClick={handleS3Test}
-									>
-										{s3TestState?.loading
-											? <Loader2 className="h-3.5 w-3.5 animate-spin" />
-											: <RefreshCw className="h-3.5 w-3.5" />}
-										Test Connection
-									</Button>
-								</div>
-							</div>
-						</GlassCard>
-					)}
-
-					<div className="space-y-2 pl-0.5">
-						<div className="flex items-center gap-2">
-							<Label className="text-sm font-medium">Maximum Upload Size</Label>
-							{isFieldChanged('general', ['storage', 'maxUploadSize', 'value']) && <ChangeIndicator />}
-						</div>
-						<div className="flex items-center gap-2 max-w-xs">
-							<Input
-								type="number"
-								min="1"
-								step="1"
-								value={workingConfig.settings.general.storage.maxUploadSize.value}
-								onChange={(e) => handleMaxUploadSizeChange(e.target.value)}
-								placeholder="10"
-								className={cn("flex-1", getFieldClasses('general', ['storage', 'maxUploadSize', 'value']))}
-							/>
-							<Select
-								value={workingConfig.settings.general.storage.maxUploadSize.unit}
-								onValueChange={(value) =>
-									handleSettingChange('general', {
-										storage: {
-											...workingConfig.settings.general.storage,
-											maxUploadSize: {
-												...workingConfig.settings.general.storage.maxUploadSize,
-												unit: value as 'MB' | 'GB',
-											},
-										},
-									})
-								}
-							>
-								<SelectTrigger className={cn("w-20", getFieldClasses('general', ['storage', 'maxUploadSize', 'unit']))}>
-									<SelectValue placeholder="Unit" />
-								</SelectTrigger>
-								<SelectContent>
-									<SelectItem value="MB">MB</SelectItem>
-									<SelectItem value="GB">GB</SelectItem>
-								</SelectContent>
-							</Select>
-						</div>
-					</div>
-				</SettingsSection>
-
-				{/* Vultr Object Storage Pools */}
-				<SettingsSection
-					icon={Cloud}
-					title="Vultr Object Storage"
-					description="Regional pooled instances. Active instances enable that region on the pricing page so users can purchase storage."
-				>
-					<VultrInstanceManager />
-				</SettingsSection>
-
-				{/* Additional Storage Buckets */}
-				<SettingsSection
-					icon={Database}
-					title="Additional Storage Buckets"
-					description="Create named S3 buckets that can be assigned to specific users or squads, overriding the default storage."
-				>
-					<StorageBucketManager />
-				</SettingsSection>
-			</TabsContent>
-
-			{/* Appearance Tab */}
-				<TabsContent value="appearance" className="space-y-5 mt-0">
-					{/* Theme Colors */}
-					<SettingsSection
-						icon={Palette}
-						title="Theme & Colors"
-						description="Customize the visual appearance of your Emberly instance"
-						badge={
-							appearanceHasChanges && (
-								<span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
-									Modified
-								</span>
-							)
-						}
-					>
-						<AppearancePanel
-							onSave={handleAdminSaveAppearance}
-							onThemeChange={handleAdminThemeChange}
-						/>
-					</SettingsSection>
-
-					{/* Favicon */}
-					<SettingsSection
-						icon={Image}
-						title="Favicon"
-						description="Upload a custom favicon for your instance"
-						badge={
-							hasFaviconChanged() && (
-								<span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-amber-500/10 text-amber-600 dark:text-amber-400 border border-amber-500/20">
-									Unsaved
-								</span>
-							)
-						}
-					>
-						<div className="flex items-center justify-center w-full">
-							<label className="relative flex flex-col items-center justify-center w-full h-40 border-2 border-dashed border-border/50 rounded-xl cursor-pointer hover:bg-muted/30 hover:border-primary/30 transition-all group">
-								{(workingConfig?.settings.appearance.favicon || faviconPreviewUrl) && (
-									<div className="absolute top-3 left-3">
-										<div className="flex items-center gap-2 px-3 py-1.5 bg-background/90 backdrop-blur-sm rounded-lg border border-border/50">
-											<img
-												src={
-													isSafeUrl(faviconPreviewUrl)
-														? DOMPurify.sanitize(faviconPreviewUrl)
-														: '/api/favicon'
-												}
-												alt="Favicon"
-												className="w-5 h-5"
-											/>
-											<span className="text-xs text-muted-foreground">
-												{faviconPreviewUrl ? 'Preview (unsaved)' : 'Current'}
-											</span>
-										</div>
-									</div>
-								)}
-								<div className="flex flex-col items-center justify-center pt-5 pb-6">
-									<div className="flex h-12 w-12 items-center justify-center rounded-xl bg-primary/10 group-hover:bg-primary/20 transition-colors mb-3">
-										<Upload className="h-5 w-5 text-primary" />
-									</div>
-									<p className="text-sm font-medium">Click to upload favicon</p>
-									<p className="text-xs text-muted-foreground mt-1">PNG up to 1MB</p>
-								</div>
-								<input
-									type="file"
-									className="hidden"
-									accept="image/png"
-									onChange={async (e) => {
-										const file = e.target.files?.[0]
-										if (!file) return
-
-										if (file.size > 1024 * 1024) {
-											toast({
-												title: 'File too large',
-												description: 'Please upload a file smaller than 1MB',
-												variant: 'destructive',
-											})
-											return
-										}
-
-										if (file.type !== 'image/png') {
-											toast({
-												title: 'Invalid file type',
-												description: 'Please upload a PNG image file',
-												variant: 'destructive',
-											})
-											return
-										}
-
-										try {
-											if (faviconPreviewUrl) {
-												URL.revokeObjectURL(faviconPreviewUrl)
-											}
-
-											const previewUrl = URL.createObjectURL(file)
-											setFaviconPreviewUrl(previewUrl)
-											setPendingFaviconFile(file)
-
-											toast({
-												title: 'Favicon changed',
-												description: 'Save your changes to apply the new favicon',
-											})
-										} catch (error) {
-											console.error('Failed to handle favicon:', error)
-											toast({
-												title: 'Failed to update favicon',
-												description: 'Please try again',
-												variant: 'destructive',
-											})
-										}
-									}}
-								/>
-							</label>
-						</div>
-					</SettingsSection>
-				</TabsContent>
-
-				{/* Advanced Tab */}
-				<TabsContent value="advanced" className="space-y-5 mt-0">
-					{/* Custom CSS */}
-					<SettingsSection
-						icon={Code}
-						title="Custom CSS"
-						description="Add custom CSS styles to your instance"
-						badge={
-							isFieldChanged('advanced', ['customCSS']) && (
-								<span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
-									Modified
-								</span>
-							)
-						}
-					>
-						<div className="space-y-3">
-							<div className="flex items-center justify-between">
-								<p className="text-sm text-muted-foreground">
-									Custom CSS will be injected into every page
-								</p>
-								<Button
-									variant={cssEditorOpen ? "default" : "outline"}
-									size="sm"
-									onClick={() => setCssEditorOpen(!cssEditorOpen)}
-								>
-									<Code className="mr-2 h-4 w-4" />
-									{cssEditorOpen ? 'Close' : 'Open Editor'}
-								</Button>
-							</div>
-							{cssEditorOpen && (
-								<GlassCard gradient={false} className="overflow-hidden">
-									<div className="p-1">
-										<CodeMirror
-											value={workingConfig.settings.advanced.customCSS}
-											height="250px"
-											extensions={[css()]}
-											onChange={(value) => {
-												handleSettingChange('advanced', {
-													customCSS: value,
-												})
-											}}
-											theme="dark"
-											className="rounded-lg overflow-hidden text-sm"
-										/>
-									</div>
-								</GlassCard>
-							)}
-						</div>
-					</SettingsSection>
-
-					{/* Custom HTML */}
-					<SettingsSection
-						icon={FileCode}
-						title="HTML Head Content"
-						description="Add custom HTML to the head section of every page"
-						badge={
-							isFieldChanged('advanced', ['customHead']) && (
-								<span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
-									Modified
-								</span>
-							)
-						}
-					>
-						<div className="space-y-3">
-							<div className="flex items-center justify-between">
-								<p className="text-sm text-muted-foreground">
-									Add scripts, meta tags, or other HTML elements
-								</p>
-								<Button
-									variant={htmlEditorOpen ? "default" : "outline"}
-									size="sm"
-									onClick={() => setHtmlEditorOpen(!htmlEditorOpen)}
-								>
-									<FileCode className="mr-2 h-4 w-4" />
-									{htmlEditorOpen ? 'Close' : 'Open Editor'}
-								</Button>
-							</div>
-							{htmlEditorOpen && (
-								<GlassCard gradient={false} className="overflow-hidden">
-									<div className="p-1">
-										<CodeMirror
-											value={workingConfig.settings.advanced.customHead}
-											height="250px"
-											extensions={[html()]}
-											onChange={(value) => {
-												handleSettingChange('advanced', {
-													customHead: value,
-												})
-											}}
-											theme="dark"
-											className="rounded-lg overflow-hidden text-sm"
-										/>
-									</div>
-								</GlassCard>
-							)}
-						</div>
-					</SettingsSection>
-				</TabsContent>
-
-				{/* Integrations Tab */}
-				<TabsContent value="integrations" className="space-y-5 mt-0">
-					<SystemApiKeySection />
-
-					{/* Stripe */}
-					<SettingsSection
-						icon={CreditCard}
-						title="Stripe"
-						description="Payment processing. Overrides STRIPE_SECRET and STRIPE_WEBHOOK env vars."
-						badge={
-							isFieldChanged('integrations', ['stripe']) && (
-								<span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
-									Modified
-								</span>
-							)
-						}
-					>
-						<SettingRow label="Secret Key" description="Stripe secret key (sk_live_... or sk_test_...)">
-							<Input
-								type="password"
-								placeholder="sk_live_..."
-								className="w-80 font-mono text-sm"
-								value={workingConfig?.settings.integrations?.stripe?.secretKey ?? ''}
-								onChange={(e) => handleSettingChange('integrations', {
-									stripe: {
-										...workingConfig?.settings.integrations?.stripe,
-										secretKey: e.target.value,
-									},
-								})}
-							/>
-						</SettingRow>
-						<SettingRow label="Webhook Secret" description="Signing secret for Stripe webhook events">
-							<Input
-								type="password"
-								placeholder="whsec_..."
-								className="w-80 font-mono text-sm"
-								value={workingConfig?.settings.integrations?.stripe?.webhookSecret ?? ''}
-								onChange={(e) => handleSettingChange('integrations', {
-									stripe: {
-										...workingConfig?.settings.integrations?.stripe,
-										webhookSecret: e.target.value,
-									},
-								})}
-							/>
-						</SettingRow>
-						<div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
-							<div>
-								{intTestStates['stripe'] && !intTestStates['stripe'].loading && (
-									<span className={`text-xs flex items-center gap-1.5 ${intTestStates['stripe'].ok ? 'text-green-500' : 'text-destructive'}`}>
-										{intTestStates['stripe'].ok ? <CheckCircle2 className="h-3.5 w-3.5" /> : <AlertCircle className="h-3.5 w-3.5" />}
-										{intTestStates['stripe'].message}
-									</span>
-								)}
-							</div>
-							<Button
-								variant="outline"
-								size="sm"
-								className="h-8 gap-1.5 shrink-0"
-								disabled={intTestStates['stripe']?.loading}
-								onClick={() => handleIntegrationTest('stripe', {
-									secretKey: workingConfig?.settings.integrations?.stripe?.secretKey ?? '',
-								})}
-							>
-								{intTestStates['stripe']?.loading ? <Loader2 className="h-3.5 w-3.5 animate-spin" /> : <RefreshCw className="h-3.5 w-3.5" />}
-								Test Connection
-							</Button>
-						</div>
-					</SettingsSection>
-
-					{/* Resend / SMTP */}
-					{(() => {
-						const emailProvider = (workingConfig?.settings.integrations as Record<string, unknown>)?.emailProvider as string ?? 'resend'
-						return (
-							<>
-								<SettingsSection
-									icon={Zap}
-									title="Email"
-									description="Transactional email delivery provider and credentials."
-									badge={
-										isFieldChanged('integrations', ['resend', 'smtp', 'emailProvider']) && (
-											<span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
-												Modified
-											</span>
-										)
-									}
-								>
-									<SettingRow label="Email Provider" description="Choose the email delivery provider">
-										<Select
-											value={emailProvider}
-											onValueChange={(value) => handleSettingChange('integrations', {
-												emailProvider: value as 'resend' | 'smtp',
-											})}
-										>
-											<SelectTrigger className="w-48 text-sm">
-												<SelectValue />
-											</SelectTrigger>
-											<SelectContent>
-												<SelectItem value="resend">Resend</SelectItem>
-												<SelectItem value="smtp">SMTP</SelectItem>
-											</SelectContent>
-										</Select>
-									</SettingRow>
-
-									{emailProvider === 'resend' && (
-										<>
-											<SettingRow label="API Key" description="Resend API key">
-												<Input
-													type="password"
-													placeholder="re_..."
-													className="w-80 font-mono text-sm"
-													value={workingConfig?.settings.integrations?.resend?.apiKey ?? ''}
-													onChange={(e) => handleSettingChange('integrations', {
-														resend: {
-															...workingConfig?.settings.integrations?.resend,
-															apiKey: e.target.value,
-														},
-													})}
-												/>
-											</SettingRow>
-											<SettingRow label="From Address" description="Sender address for outgoing emails">
-												<Input
-													placeholder="Emberly <noreply@embrly.ca>"
-													className="w-80 text-sm"
-													value={workingConfig?.settings.integrations?.resend?.emailFrom ?? ''}
-													onChange={(e) => handleSettingChange('integrations', {
-														resend: {
-															...workingConfig?.settings.integrations?.resend,
-															emailFrom: e.target.value,
-														},
-													})}
-												/>
-											</SettingRow>
-											<div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
-												<div>
-													{intTestStates['resend'] && !intTestStates['resend'].loading && (
-														<span className={`text-xs flex items-center gap-1.5 ${intTestStates['resend'].ok ? 'text-green-500' : 'text-destructive'}`}>
-															{intTestStates['resend'].ok ? <CheckCircle2 className="h-3.5 w-3.5" /> : <AlertCircle className="h-3.5 w-3.5" />}
-															{intTestStates['resend'].message}
-														</span>
-													)}
-												</div>
-												<Button
-													variant="outline"
-													size="sm"
-													className="h-8 gap-1.5 shrink-0"
-													disabled={intTestStates['resend']?.loading}
-													onClick={() => handleIntegrationTest('resend', {
-														apiKey: workingConfig?.settings.integrations?.resend?.apiKey ?? '',
-													})}
-												>
-													{intTestStates['resend']?.loading ? <Loader2 className="h-3.5 w-3.5 animate-spin" /> : <RefreshCw className="h-3.5 w-3.5" />}
-													Test Connection
-												</Button>
-											</div>
-										</>
-									)}
-
-									{emailProvider === 'smtp' && (
-										<>
-											<SettingRow label="Host" description="SMTP server hostname">
-												<Input
-													placeholder="smtp.example.com"
-													className="w-80 font-mono text-sm"
-													value={((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown>)?.host as string ?? ''}
-													onChange={(e) => handleSettingChange('integrations', {
-														smtp: {
-															...((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown> ?? {}),
-															host: e.target.value,
-														} as EmberlyConfig['settings']['integrations']['smtp'],
-													})}
-													/>
-													</SettingRow>
-													<SettingRow label="Port" description="SMTP server port (25, 465, 587, or 2587)">
-														<Input
-															type="number"
-															placeholder="587"
-															className="w-32 font-mono text-sm"
-															value={((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown>)?.port as number ?? 587}
-															onChange={(e) => handleSettingChange('integrations', {
-																smtp: {
-																	...((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown> ?? {}),
-																	port: Number(e.target.value),
-																} as EmberlyConfig['settings']['integrations']['smtp'],
-															})}
-															/>
-														</SettingRow>
-														<SettingRow label="Secure (TLS)" description="Use TLS — enable for port 465, disable for STARTTLS">
-															<Switch
-																checked={((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown>)?.secure as boolean ?? false}
-																onCheckedChange={(checked) => handleSettingChange('integrations', {
-																	smtp: {
-																		...((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown> ?? {}),
-																		secure: checked,
-																	} as EmberlyConfig['settings']['integrations']['smtp'],
-																})}
-															/>
-														</SettingRow>
-														<SettingRow label="Username" description="SMTP authentication username">
-															<Input
-																placeholder="user@example.com"
-																className="w-80 text-sm"
-																value={((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown>)?.user as string ?? ''}
-																onChange={(e) => handleSettingChange('integrations', {
-																	smtp: {
-																		...((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown> ?? {}),
-																		user: e.target.value,
-																	} as EmberlyConfig['settings']['integrations']['smtp'],
-																})}
-															/>
-														</SettingRow>
-														<SettingRow label="Password" description="SMTP authentication password">
-															<Input
-																type="password"
-																placeholder="••••••••"
-																className="w-80 font-mono text-sm"
-																value={((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown>)?.password as string ?? ''}
-																onChange={(e) => handleSettingChange('integrations', {
-																	smtp: {
-																		...((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown> ?? {}),
-																		password: e.target.value,
-																	} as EmberlyConfig['settings']['integrations']['smtp'],
-																})}
-															/>
-														</SettingRow>
-														<SettingRow label="From Address" description="Sender address (overrides EMAIL_FROM env var)">
-															<Input
-																placeholder="Emberly <noreply@embrly.ca>"
-																className="w-80 text-sm"
-																value={((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown>)?.from as string ?? ''}
-																onChange={(e) => handleSettingChange('integrations', {
-																	smtp: {
-																		...((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown> ?? {}),
-																		from: e.target.value,
-																	} as EmberlyConfig['settings']['integrations']['smtp'],
-																})}
-															/>
-											</SettingRow>
-											<div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
-												<div>
-													{intTestStates['smtp'] && !intTestStates['smtp'].loading && (
-														<div className="flex flex-col gap-0.5">
-															<span className={`text-xs flex items-center gap-1.5 ${intTestStates['smtp'].ok ? 'text-green-500' : 'text-destructive'}`}>
-																{intTestStates['smtp'].ok ? <CheckCircle2 className="h-3.5 w-3.5" /> : <AlertCircle className="h-3.5 w-3.5" />}
-																{intTestStates['smtp'].message}
-															</span>
-															{intTestStates['smtp'].detail && (
-																<span className="text-xs text-muted-foreground font-mono break-all">{intTestStates['smtp'].detail}</span>
-															)}
-														</div>
-													)}
-												</div>
-												<Button
-													variant="outline"
-													size="sm"
-													className="h-8 gap-1.5 shrink-0"
-													disabled={intTestStates['smtp']?.loading}
-													onClick={() => handleIntegrationTest('smtp', {
-														host: (((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown>)?.host as string) ?? '',
-														port: String((((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown>)?.port as number) ?? 587),
-														secure: String((((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown>)?.secure as boolean) ?? false),
-														user: (((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown>)?.user as string) ?? '',
-														password: (((workingConfig?.settings.integrations as Record<string, unknown>)?.smtp as Record<string, unknown>)?.password as string) ?? '',
-													})}
-												>
-													{intTestStates['smtp']?.loading ? <Loader2 className="h-3.5 w-3.5 animate-spin" /> : <RefreshCw className="h-3.5 w-3.5" />}
-													Test Connection
-												</Button>
-											</div>
-										</>
-									)}
-								</SettingsSection>
-							</>
-						)
-					})()}
-
-					{/* Cloudflare */}
-					<SettingsSection
-						icon={Cloud}
-						title="Cloudflare"
-						description="CDN, DNS, and storage. Overrides CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID, and CLOUDFLARE_ZONE_ID env vars."
-						badge={
-							isFieldChanged('integrations', ['cloudflare']) && (
-								<span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
-									Modified
-								</span>
-							)
-						}
-					>
-						<SettingRow label="API Token" description="Cloudflare API token with required permissions">
-							<Input
-								type="password"
-								placeholder="API token"
-								className="w-80 font-mono text-sm"
-								value={workingConfig?.settings.integrations?.cloudflare?.apiToken ?? ''}
-								onChange={(e) => handleSettingChange('integrations', {
-									cloudflare: {
-										...workingConfig?.settings.integrations?.cloudflare,
-										apiToken: e.target.value,
-									},
-								})}
-							/>
-						</SettingRow>
-						<SettingRow label="Account ID" description="Your Cloudflare account ID">
-							<Input
-								placeholder="Account ID"
-								className="w-80 font-mono text-sm"
-								value={workingConfig?.settings.integrations?.cloudflare?.accountId ?? ''}
-								onChange={(e) => handleSettingChange('integrations', {
-									cloudflare: {
-										...workingConfig?.settings.integrations?.cloudflare,
-										accountId: e.target.value,
-									},
-								})}
-							/>
-						</SettingRow>
-						<SettingRow label="Zone ID" description="Cloudflare zone ID for your domain">
-							<Input
-								placeholder="Zone ID"
-								className="w-80 font-mono text-sm"
-								value={workingConfig?.settings.integrations?.cloudflare?.zoneId ?? ''}
-								onChange={(e) => handleSettingChange('integrations', {
-									cloudflare: {
-										...workingConfig?.settings.integrations?.cloudflare,
-										zoneId: e.target.value,
-									},
-								})}
-							/>
-						</SettingRow>
-						<div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
-							<div>
-								{intTestStates['cloudflare'] && !intTestStates['cloudflare'].loading && (
-									<span className={`text-xs flex items-center gap-1.5 ${intTestStates['cloudflare'].ok ? 'text-green-500' : 'text-destructive'}`}>
-										{intTestStates['cloudflare'].ok ? <CheckCircle2 className="h-3.5 w-3.5" /> : <AlertCircle className="h-3.5 w-3.5" />}
-										{intTestStates['cloudflare'].message}
-									</span>
-								)}
-							</div>
-							<Button
-								variant="outline"
-								size="sm"
-								className="h-8 gap-1.5 shrink-0"
-								disabled={intTestStates['cloudflare']?.loading}
-								onClick={() => handleIntegrationTest('cloudflare', {
-									apiToken: workingConfig?.settings.integrations?.cloudflare?.apiToken ?? '',
-									accountId: workingConfig?.settings.integrations?.cloudflare?.accountId ?? '',
-								})}
-							>
-								{intTestStates['cloudflare']?.loading ? <Loader2 className="h-3.5 w-3.5 animate-spin" /> : <RefreshCw className="h-3.5 w-3.5" />}
-								Test Connection
-							</Button>
-						</div>
-					</SettingsSection>
-
-					{/* Discord */}
-					<SettingsSection
-						icon={Shield}
-						title="Discord"
-						description="Alerts, webhooks, and supporter perks. Overrides DISCORD_WEBHOOK_URL, DISCORD_BOT_TOKEN, DISCORD_SERVER_ID, and DISCORD_SUPPORTER_ROLE env vars."
-						badge={
-							isFieldChanged('integrations', ['discord']) && (
-								<span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
-									Modified
-								</span>
-							)
-						}
-					>
-						<SettingRow label="Admin Webhook URL" description="Webhook for admin alerts and notifications">
-							<Input
-								type="password"
-								placeholder="https://discord.com/api/webhooks/..."
-								className="w-80 font-mono text-sm"
-								value={workingConfig?.settings.integrations?.discord?.webhookUrl ?? ''}
-								onChange={(e) => handleSettingChange('integrations', {
-									discord: {
-										...workingConfig?.settings.integrations?.discord,
-										webhookUrl: e.target.value,
-									},
-								})}
-							/>
-						</SettingRow>
-						<SettingRow label="Bot Token" description="Token for your Discord bot">
-							<Input
-								type="password"
-								placeholder="Bot token"
-								className="w-80 font-mono text-sm"
-								value={workingConfig?.settings.integrations?.discord?.botToken ?? ''}
-								onChange={(e) => handleSettingChange('integrations', {
-									discord: {
-										...workingConfig?.settings.integrations?.discord,
-										botToken: e.target.value,
-									},
-								})}
-							/>
-						</SettingRow>
-						<SettingRow label="Server ID" description="Discord server (guild) ID">
-							<Input
-								placeholder="Server ID"
-								className="w-80 font-mono text-sm"
-								value={workingConfig?.settings.integrations?.discord?.serverId ?? ''}
-								onChange={(e) => handleSettingChange('integrations', {
-									discord: {
-										...workingConfig?.settings.integrations?.discord,
-										serverId: e.target.value,
-									},
-								})}
-							/>
-						</SettingRow>
-						<SettingRow label="Supporter Role ID" description="Role ID granted to active supporters">
-							<Input
-								placeholder="Role ID"
-								className="w-80 font-mono text-sm"
-								value={workingConfig?.settings.integrations?.discord?.supporterRole ?? ''}
-								onChange={(e) => handleSettingChange('integrations', {
-									discord: {
-										...workingConfig?.settings.integrations?.discord,
-										supporterRole: e.target.value,
-									},
-								})}
-							/>
-						</SettingRow>
-						<div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
-							<div>
-								{intTestStates['discord'] && !intTestStates['discord'].loading && (
-									<span className={`text-xs flex items-center gap-1.5 ${intTestStates['discord'].ok ? 'text-green-500' : 'text-destructive'}`}>
-										{intTestStates['discord'].ok ? <CheckCircle2 className="h-3.5 w-3.5" /> : <AlertCircle className="h-3.5 w-3.5" />}
-										{intTestStates['discord'].message}
-									</span>
-								)}
-							</div>
-							<Button
-								variant="outline"
-								size="sm"
-								className="h-8 gap-1.5 shrink-0"
-								disabled={intTestStates['discord']?.loading}
-								onClick={() => handleIntegrationTest('discord', {
-									webhookUrl: workingConfig?.settings.integrations?.discord?.webhookUrl ?? '',
-									botToken: workingConfig?.settings.integrations?.discord?.botToken ?? '',
-									serverId: workingConfig?.settings.integrations?.discord?.serverId ?? '',
-								})}
-							>
-								{intTestStates['discord']?.loading ? <Loader2 className="h-3.5 w-3.5 animate-spin" /> : <RefreshCw className="h-3.5 w-3.5" />}
-								Test Connection
-							</Button>
-						</div>
-					</SettingsSection>
-
-					{/* GitHub */}
-					<SettingsSection
-						icon={Github}
-						title="GitHub"
-						description="Organization data for contributors and changelogs. Overrides GITHUB_ORG and GITHUB_PAT env vars."
-						badge={
-							isFieldChanged('integrations', ['github']) && (
-								<span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
-									Modified
-								</span>
-							)
-						}
-					>
-						<SettingRow label="Organization" description="GitHub organization name">
-							<Input
-								placeholder="EmberlyOSS"
-								className="w-80 font-mono text-sm"
-								value={workingConfig?.settings.integrations?.github?.org ?? ''}
-								onChange={(e) => handleSettingChange('integrations', {
-									github: {
-										...workingConfig?.settings.integrations?.github,
-										org: e.target.value,
-									},
-								})}
-							/>
-						</SettingRow>
-						<SettingRow label="Personal Access Token" description="PAT for authenticated API requests">
-							<Input
-								type="password"
-								placeholder="ghp_..."
-								className="w-80 font-mono text-sm"
-								value={workingConfig?.settings.integrations?.github?.pat ?? ''}
-								onChange={(e) => handleSettingChange('integrations', {
-									github: {
-										...workingConfig?.settings.integrations?.github,
-										pat: e.target.value,
-									},
-								})}
-							/>
-						</SettingRow>
-						<div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
-							<div>
-								{intTestStates['github'] && !intTestStates['github'].loading && (
-									<span className={`text-xs flex items-center gap-1.5 ${intTestStates['github'].ok ? 'text-green-500' : 'text-destructive'}`}>
-										{intTestStates['github'].ok ? <CheckCircle2 className="h-3.5 w-3.5" /> : <AlertCircle className="h-3.5 w-3.5" />}
-										{intTestStates['github'].message}
-									</span>
-								)}
-							</div>
-							<Button
-								variant="outline"
-								size="sm"
-								className="h-8 gap-1.5 shrink-0"
-								disabled={intTestStates['github']?.loading}
-								onClick={() => handleIntegrationTest('github', {
-									pat: workingConfig?.settings.integrations?.github?.pat ?? '',
-									org: workingConfig?.settings.integrations?.github?.org ?? '',
-								})}
-							>
-								{intTestStates['github']?.loading ? <Loader2 className="h-3.5 w-3.5 animate-spin" /> : <RefreshCw className="h-3.5 w-3.5" />}
-								Test Connection
-							</Button>
-						</div>
-					</SettingsSection>
-
-					{/* Kener */}
-					<SettingsSection
-						icon={Globe}
-						title="Kener"
-						description="Self-hosted status page (emberlystat.us). Overrides KENER_API_KEY and KENER_BASE_URL env vars."
-						badge={
-							isFieldChanged('integrations', ['kener']) && (
-								<span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
-									Modified
-								</span>
-							)
-						}
-					>
-						<SettingRow label="API Key" description="Kener bearer token (from your Kener instance settings)">
-							<Input
-								type="password"
-								placeholder="Bearer token"
-								className="w-80 font-mono text-sm"
-								value={(workingConfig?.settings.integrations as any)?.kener?.apiKey ?? ''}
-								onChange={(e) => handleSettingChange('integrations', {
-									kener: {
-										...(workingConfig?.settings.integrations as any)?.kener,
-										apiKey: e.target.value,
-									},
-								} as any)}
-							/>
-						</SettingRow>
-						<SettingRow label="Base URL" description="Public URL of your Kener instance">
-							<Input
-								placeholder="https://emberlystat.us"
-								className="w-80 text-sm"
-								value={(workingConfig?.settings.integrations as any)?.kener?.baseUrl ?? ''}
-								onChange={(e) => handleSettingChange('integrations', {
-									kener: {
-										...(workingConfig?.settings.integrations as any)?.kener,
-										baseUrl: e.target.value,
-									},
-								} as any)}
-							/>
-						</SettingRow>
-						<div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
-							<div>
-								{intTestStates['kener'] && !intTestStates['kener'].loading && (
-									<span className={`text-xs flex items-center gap-1.5 ${intTestStates['kener'].ok ? 'text-green-500' : 'text-destructive'}`}>
-										{intTestStates['kener'].ok ? <CheckCircle2 className="h-3.5 w-3.5" /> : <AlertCircle className="h-3.5 w-3.5" />}
-										{intTestStates['kener'].message}
-									</span>
-								)}
-							</div>
-							<Button
-								variant="outline"
-								size="sm"
-								className="h-8 gap-1.5 shrink-0"
-								disabled={intTestStates['kener']?.loading}
-								onClick={() => handleIntegrationTest('kener', {
-									apiKey: (workingConfig?.settings.integrations as any)?.kener?.apiKey ?? '',
-									baseUrl: (workingConfig?.settings.integrations as any)?.kener?.baseUrl ?? 'https://emberlystat.us',
-								})}
-							>
-								{intTestStates['kener']?.loading ? <Loader2 className="h-3.5 w-3.5 animate-spin" /> : <RefreshCw className="h-3.5 w-3.5" />}
-								Test Connection
-							</Button>
-						</div>
-					</SettingsSection>
-					{/* Vultr */}
-					<SettingsSection
-						icon={Server}
-						title="Vultr"
-						description="Object Storage API for automated bucket provisioning. Overrides the VULTR_API_KEY env var."
-						badge={
-							isFieldChanged('integrations', ['vultr']) && (
-								<span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
-									Modified
-								</span>
-							)
-						}
-					>
-						<SettingRow label="API Key" description="Vultr API key from the Vultr customer portal">
-							<Input
-								type="password"
-								placeholder="API key"
-								className="w-80 font-mono text-sm"
-								value={(workingConfig?.settings.integrations as any)?.vultr?.apiKey ?? ''}
-								onChange={(e) => handleSettingChange('integrations', {
-									vultr: {
-										...(workingConfig?.settings.integrations as any)?.vultr,
-										apiKey: e.target.value,
-									},
-								} as any)}
-							/>
-						</SettingRow>
-						<div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
-							<div>
-								{intTestStates['vultr'] && !intTestStates['vultr'].loading && (
-									<span className={`text-xs flex items-center gap-1.5 ${intTestStates['vultr'].ok ? 'text-green-500' : 'text-destructive'}`}>
-										{intTestStates['vultr'].ok ? <CheckCircle2 className="h-3.5 w-3.5" /> : <AlertCircle className="h-3.5 w-3.5" />}
-										{intTestStates['vultr'].message}
-									</span>
-								)}
-							</div>
-							<Button
-								variant="outline"
-								size="sm"
-								className="h-8 gap-1.5 shrink-0"
-								disabled={intTestStates['vultr']?.loading}
-								onClick={() => handleIntegrationTest('vultr', {
-									apiKey: (workingConfig?.settings.integrations as any)?.vultr?.apiKey ?? '',
-								})}
-							>
-								{intTestStates['vultr']?.loading ? <Loader2 className="h-3.5 w-3.5 animate-spin" /> : <RefreshCw className="h-3.5 w-3.5" />}
-								Test Connection
-							</Button>
-						</div>
-					</SettingsSection>
-				</TabsContent>
-			</Tabs>
-
-			{/* Floating Save Bar */}
-			{hasChanges && isSuperAdmin && (
-				<div className="fixed bottom-6 left-1/2 -translate-x-1/2 z-50 animate-in fade-in slide-in-from-bottom-4 duration-300">
-					<div className="flex items-center gap-3 px-5 py-3 bg-background/95 backdrop-blur-xl border border-border/50 rounded-2xl shadow-2xl shadow-black/20">
-						<div className="flex items-center gap-3 pr-3 border-r border-border/50">
-							<div className="flex h-8 w-8 items-center justify-center rounded-full bg-primary/10">
-								<span className="flex h-2.5 w-2.5">
-									<span className="animate-ping absolute inline-flex h-2.5 w-2.5 rounded-full bg-primary opacity-75" />
-									<span className="relative inline-flex rounded-full h-2.5 w-2.5 bg-primary" />
-								</span>
-							</div>
-							<div className="text-sm">
-								<span className="font-semibold">{countChangedSettings()}</span>
-								<span className="text-muted-foreground ml-1">
-									{countChangedSettings() === 1 ? 'section' : 'sections'} modified
-								</span>
-							</div>
-						</div>
-						<div className="flex items-center gap-2">
-							<Button
-								variant="ghost"
-								onClick={discardChanges}
-								className="h-9 px-4 rounded-xl hover:bg-destructive/10 hover:text-destructive"
-								size="sm"
-							>
-								<RotateCcw className="mr-2 h-4 w-4" />
-								Discard
-							</Button>
-							<Button
-								onClick={saveChanges}
-								disabled={isSaving}
-								className="h-9 px-5 rounded-xl bg-primary hover:bg-primary/90 shadow-lg shadow-primary/25"
-								size="sm"
-							>
-								{isSaving ? (
-									<>
-										<Icons.spinner className="mr-2 h-4 w-4 animate-spin" />
-										Saving...
-									</>
-								) : (
-									<>
-										<CheckCircle2 className="mr-2 h-4 w-4" />
-										Save Changes
-									</>
-								)}
-							</Button>
-						</div>
-					</div>
-				</div>
-			)}
-		</div>
-	)
+  const { toast } = useToast()
+  const { data: session } = useSession()
+  const isSuperAdmin = session?.user?.role === 'SUPERADMIN'
+
+  const [savedConfig, setSavedConfig] = useState<EmberlyConfig | null>(null)
+  const [workingConfig, setWorkingConfig] = useState<EmberlyConfig | null>(null)
+  const [pendingFaviconFile, setPendingFaviconFile] = useState<File | null>(
+    null
+  )
+  const [faviconPreviewUrl, setFaviconPreviewUrl] = useState<string | null>(
+    null
+  )
+
+  const [cssEditorOpen, setCssEditorOpen] = useState(false)
+  const [htmlEditorOpen, setHtmlEditorOpen] = useState(false)
+  const [isCheckingUpdate, setIsCheckingUpdate] = useState(false)
+  const [updateInfo, setUpdateInfo] = useState<{
+    hasUpdate: boolean
+    latestVersion?: string
+    releaseUrl?: string
+  } | null>(null)
+  const [isSaving, setIsSaving] = useState(false)
+  const [intTestStates, setIntTestStates] = useState<
+    Record<
+      string,
+      { loading: boolean; ok?: boolean; message?: string; detail?: string }
+    >
+  >({})
+  const [s3TestState, setS3TestState] = useState<{
+    loading: boolean
+    ok?: boolean
+    message?: string
+  } | null>(null)
+
+  const handleIntegrationTest = async (
+    integration: string,
+    credentials: Record<string, string>
+  ) => {
+    setIntTestStates((s) => ({ ...s, [integration]: { loading: true } }))
+    try {
+      const res = await fetch('/api/admin/integrations/test', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ integration, credentials }),
+      })
+      const data = await res.json()
+      setIntTestStates((s) => ({
+        ...s,
+        [integration]: {
+          loading: false,
+          ok: data?.data?.ok,
+          message: data?.data?.message,
+          detail: data?.data?.detail,
+        },
+      }))
+    } catch {
+      setIntTestStates((s) => ({
+        ...s,
+        [integration]: { loading: false, ok: false, message: 'Request failed' },
+      }))
+    }
+  }
+
+  const handleS3Test = async () => {
+    if (!workingConfig) return
+    setS3TestState({ loading: true })
+    const s3 = workingConfig.settings.general.storage.s3
+    try {
+      const res = await fetch('/api/admin/storage/test', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          bucket: s3?.bucket,
+          region: s3?.region,
+          accessKeyId: s3?.accessKeyId,
+          secretAccessKey: s3?.secretAccessKey,
+          endpoint: s3?.endpoint,
+          forcePathStyle: s3?.forcePathStyle,
+        }),
+      })
+      const data = await res.json()
+      setS3TestState({
+        loading: false,
+        ok: data?.data?.ok,
+        message: data?.data?.message,
+      })
+    } catch {
+      setS3TestState({ loading: false, ok: false, message: 'Request failed' })
+    }
+  }
+
+  const hasChanges =
+    !deepEqual(savedConfig, workingConfig) || pendingFaviconFile !== null
+
+  const saveChanges = async () => {
+    if (!workingConfig) return
+
+    try {
+      setIsSaving(true)
+
+      if (pendingFaviconFile) {
+        const formData = new FormData()
+        formData.append('file', pendingFaviconFile)
+
+        const response = await fetch('/api/settings/favicon', {
+          method: 'POST',
+          body: formData,
+        })
+
+        if (!response.ok) {
+          throw new Error('Failed to upload favicon')
+        }
+
+        const newConfig = { ...workingConfig }
+        newConfig.settings.appearance.favicon = '/api/favicon'
+        setWorkingConfig(newConfig)
+
+        const link = document.querySelector(
+          "link[rel*='icon']"
+        ) as HTMLLinkElement
+        if (link) {
+          link.href = '/api/favicon'
+          link.type = 'image/png'
+        }
+
+        setPendingFaviconFile(null)
+        if (faviconPreviewUrl) {
+          URL.revokeObjectURL(faviconPreviewUrl)
+          setFaviconPreviewUrl(null)
+        }
+      }
+
+      const response = await fetch('/api/settings', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+        },
+        body: JSON.stringify(workingConfig),
+      })
+
+      if (!response.ok) throw new Error()
+
+      setSavedConfig(JSON.parse(JSON.stringify(workingConfig)))
+
+      toast({
+        title: 'Settings updated',
+        description: 'Your changes have been saved successfully',
+      })
+    } catch (error) {
+      console.error('Failed to update settings:', error)
+      toast({
+        title: 'Failed to update settings',
+        description: 'Please try again',
+        variant: 'destructive',
+      })
+    } finally {
+      setIsSaving(false)
+    }
+  }
+
+  const discardChanges = () => {
+    if (!savedConfig) return
+
+    if (faviconPreviewUrl) {
+      URL.revokeObjectURL(faviconPreviewUrl)
+      setFaviconPreviewUrl(null)
+    }
+
+    setPendingFaviconFile(null)
+
+    setWorkingConfig(JSON.parse(JSON.stringify(savedConfig)))
+
+    toast({
+      title: 'Changes discarded',
+      description: 'All changes have been reverted to the saved state',
+    })
+  }
+
+  const handleSettingChange = useCallback(
+    <T extends keyof EmberlyConfig['settings']>(
+      section: T,
+      value: SettingValue<T>
+    ) => {
+      if (!workingConfig) return
+
+      const newConfig = { ...workingConfig }
+      newConfig.settings[section] = {
+        ...((newConfig.settings[section] as Record<string, unknown>) ?? {}),
+        ...(value as Record<string, unknown>),
+      } as EmberlyConfig['settings'][T]
+      setWorkingConfig(newConfig)
+    },
+    [workingConfig]
+  )
+
+  const isFieldChanged = useCallback(
+    <T extends keyof EmberlyConfig['settings']>(
+      section: T,
+      fieldPath: string[]
+    ): boolean => {
+      if (!savedConfig || !workingConfig) return false
+
+      let savedValue: unknown = savedConfig.settings[section]
+      let workingValue: unknown = workingConfig.settings[section]
+
+      for (const field of fieldPath) {
+        if (
+          typeof savedValue !== 'object' ||
+          savedValue === null ||
+          typeof workingValue !== 'object' ||
+          workingValue === null
+        ) {
+          return false
+        }
+
+        savedValue = (savedValue as Record<string, unknown>)[field]
+        workingValue = (workingValue as Record<string, unknown>)[field]
+      }
+
+      return !deepEqual(savedValue, workingValue)
+    },
+    [savedConfig, workingConfig]
+  )
+
+  const countChangedSettings = useCallback((): number => {
+    if (!savedConfig || !workingConfig) return 0
+
+    let count = 0
+
+    const { storage: _cs1, ...savedGen } = savedConfig.settings.general
+    const { storage: _cs2, ...workingGen } = workingConfig.settings.general
+    if (!deepEqual(savedGen, workingGen)) {
+      count++
+    }
+
+    if (!deepEqual(_cs1, _cs2)) {
+      count++
+    }
+
+    if (
+      !deepEqual(
+        savedConfig.settings.appearance,
+        workingConfig.settings.appearance
+      )
+    ) {
+      count++
+    }
+
+    if (
+      !deepEqual(savedConfig.settings.advanced, workingConfig.settings.advanced)
+    ) {
+      count++
+    }
+
+    if (
+      !deepEqual(
+        savedConfig.settings.integrations,
+        workingConfig.settings.integrations
+      )
+    ) {
+      count++
+    }
+
+    return count
+  }, [savedConfig, workingConfig])
+
+  const getChangedSettingsGroups = useCallback((): string[] => {
+    if (!savedConfig || !workingConfig) return []
+
+    const changedGroups: string[] = []
+
+    const { storage: _cg1, ...savedGen } = savedConfig.settings.general
+    const { storage: _cg2, ...workingGen } = workingConfig.settings.general
+    if (!deepEqual(savedGen, workingGen)) {
+      changedGroups.push('General')
+    }
+
+    if (!deepEqual(_cg1, _cg2)) {
+      changedGroups.push('Storage')
+    }
+
+    if (
+      !deepEqual(
+        savedConfig.settings.appearance,
+        workingConfig.settings.appearance
+      )
+    ) {
+      changedGroups.push('Appearance')
+    }
+
+    if (
+      !deepEqual(savedConfig.settings.advanced, workingConfig.settings.advanced)
+    ) {
+      changedGroups.push('Advanced')
+    }
+
+    if (
+      !deepEqual(
+        savedConfig.settings.integrations,
+        workingConfig.settings.integrations
+      )
+    ) {
+      changedGroups.push('Integrations')
+    }
+
+    return changedGroups
+  }, [savedConfig, workingConfig])
+
+  useEffect(() => {
+    const loadConfig = async () => {
+      try {
+        const response = await fetch('/api/settings')
+        const responseJson = await response.json()
+        if (responseJson?.data) {
+          const actualConfigData = responseJson.data
+          setSavedConfig(actualConfigData)
+          setWorkingConfig(JSON.parse(JSON.stringify(actualConfigData)))
+        } else {
+          console.error(
+            'Failed to load config: Invalid data structure received',
+            responseJson
+          )
+        }
+      } catch (error) {
+        console.error('Failed to load config:', error)
+      }
+    }
+    loadConfig()
+  }, [])
+
+  const handleStorageQuotaChange = (value: string) => {
+    if (!workingConfig?.settings?.general?.storage) return
+    const numValue = Number.parseInt(value)
+    if (Number.isNaN(numValue) || numValue < 0) return
+
+    handleSettingChange('general', {
+      storage: {
+        ...workingConfig.settings.general.storage,
+        quotas: {
+          ...workingConfig.settings.general.storage.quotas,
+          default: {
+            ...workingConfig.settings.general.storage.quotas.default,
+            value: numValue,
+          },
+        },
+      },
+    })
+  }
+
+  const handleMaxUploadSizeChange = (value: string) => {
+    if (!workingConfig?.settings?.general?.storage) return
+    const numValue = Number.parseInt(value)
+    if (Number.isNaN(numValue) || numValue < 1) return
+
+    handleSettingChange('general', {
+      storage: {
+        ...workingConfig.settings.general.storage,
+        maxUploadSize: {
+          ...workingConfig.settings.general.storage.maxUploadSize,
+          value: numValue,
+        },
+      },
+    })
+  }
+
+  const handleCustomColorsChange = (colors: Partial<ColorConfig>) => {
+    handleSettingChange('appearance', {
+      customColors: colors,
+    })
+  }
+
+  const handleThemePresetChange = (
+    themeId: string,
+    backgroundEffect: string,
+    animationSpeed: string
+  ) => {
+    handleSettingChange('appearance', {
+      theme: themeId,
+      backgroundEffect:
+        backgroundEffect as EmberlyConfig['settings']['appearance']['backgroundEffect'],
+      animationSpeed: animationSpeed as AnimationSpeed,
+    })
+  }
+
+  /**
+   * Save system/admin appearance directly to /api/settings (PATCH).
+   * Used as the onSave override for AppearancePanel in admin context so it
+   * does NOT call PUT /api/profile like the user-facing flow.
+   */
+  const handleAdminSaveAppearance = async (
+    themeId: string,
+    colors: Record<string, string>
+  ): Promise<boolean> => {
+    try {
+      const response = await fetch('/api/settings', {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          section: 'appearance',
+          data: {
+            theme: themeId,
+            customColors: colors,
+          },
+        }),
+      })
+      if (!response.ok) throw new Error('Failed to save appearance')
+      const updatedConfig: EmberlyConfig = await response.json()
+      setSavedConfig(JSON.parse(JSON.stringify(updatedConfig)))
+      setWorkingConfig(JSON.parse(JSON.stringify(updatedConfig)))
+      return true
+    } catch (error) {
+      console.error('[SettingsManager] Failed to save appearance', error)
+      return false
+    }
+  }
+
+  /**
+   * Track admin theme selections so the "Modified" badge reflects appearance changes
+   * while the admin is previewing (before saving).
+   */
+  const handleAdminThemeChange = useCallback(
+    (
+      themeId: string,
+      colors: Record<string, string>,
+      meta?: { backgroundEffect?: string; animationSpeed?: string }
+    ) => {
+      handleSettingChange('appearance', {
+        theme: themeId,
+        backgroundEffect: (meta?.backgroundEffect ||
+          'none') as EmberlyConfig['settings']['appearance']['backgroundEffect'],
+        animationSpeed: (meta?.animationSpeed || 'medium') as AnimationSpeed,
+        customColors: colors,
+      })
+    },
+    [handleSettingChange]
+  )
+
+  const checkForUpdates = async () => {
+    try {
+      setIsCheckingUpdate(true)
+      const response = await fetch('/api/updates/check')
+      if (!response.ok) throw new Error()
+      const data = await response.json()
+      setUpdateInfo(data)
+
+      toast({
+        title: data.hasUpdate ? 'Update Available' : 'No Updates Available',
+        description: data.message,
+        variant: 'default',
+      })
+    } catch {
+      toast({
+        title: 'Failed to check for updates',
+        description: 'Please try again later',
+        variant: 'destructive',
+      })
+    } finally {
+      setIsCheckingUpdate(false)
+    }
+  }
+
+  const hasFaviconChanged = useCallback(() => {
+    return pendingFaviconFile !== null
+  }, [pendingFaviconFile])
+
+  if (
+    !workingConfig ||
+    !savedConfig ||
+    !workingConfig.settings ||
+    !savedConfig.settings ||
+    !workingConfig.settings.general ||
+    !savedConfig.settings.general ||
+    !workingConfig.settings.general.storage ||
+    !savedConfig.settings.general.storage ||
+    !workingConfig.settings.appearance ||
+    !savedConfig.settings.appearance ||
+    !workingConfig.settings.advanced ||
+    !savedConfig.settings.advanced
+  ) {
+    return <SettingsSkeleton />
+  }
+
+  const getFieldClasses = (
+    section: keyof EmberlyConfig['settings'],
+    fieldPath: string[]
+  ) => {
+    const isChanged = isFieldChanged(section, fieldPath)
+    return isChanged
+      ? 'border-primary/50 ring-1 ring-primary/30 bg-primary/5 transition-all'
+      : 'transition-all'
+  }
+
+  const ChangeIndicator = () => (
+    <span className="flex h-2 w-2">
+      <span className="animate-ping absolute inline-flex h-2 w-2 rounded-full bg-primary opacity-75" />
+      <span className="relative inline-flex rounded-full h-2 w-2 bg-primary" />
+    </span>
+  )
+
+  const generalHasChanges = (() => {
+    if (!savedConfig || !workingConfig) return false
+    const { storage: _sg1, ...savedGen } = savedConfig.settings.general
+    const { storage: _sg2, ...workingGen } = workingConfig.settings.general
+    return !deepEqual(savedGen, workingGen)
+  })()
+  const storageHasChanges = !deepEqual(
+    savedConfig?.settings.general?.storage,
+    workingConfig?.settings.general?.storage
+  )
+  const appearanceHasChanges = !deepEqual(
+    savedConfig?.settings.appearance,
+    workingConfig?.settings.appearance
+  )
+  const advancedHasChanges = !deepEqual(
+    savedConfig?.settings.advanced,
+    workingConfig?.settings.advanced
+  )
+  const integrationsHasChanges = !deepEqual(
+    savedConfig?.settings.integrations,
+    workingConfig?.settings.integrations
+  )
+
+  return (
+    <div className="space-y-6 pb-32">
+      {/* Page Header - Removed as it's now in the parent page */}
+
+      {/* Admin read-only notice */}
+      {!isSuperAdmin && (
+        <div className="flex items-start gap-3 rounded-xl border border-amber-500/40 bg-amber-500/10 px-5 py-4 text-sm text-amber-700 dark:text-amber-400">
+          <Lock className="mt-0.5 h-4 w-4 shrink-0" />
+          <span>
+            <strong>Read-only mode.</strong> You can view and test settings, but
+            saving changes and viewing secret keys requires{' '}
+            <strong>Super Administrator</strong> access.
+          </span>
+        </div>
+      )}
+
+      {/* Main Content */}
+      <Tabs defaultValue="general" className="space-y-6">
+        {/* Improved Tab Navigation */}
+        <ScrollIndicator className="-mx-2 px-2">
+          <TabsList className="inline-flex h-12 items-center justify-start gap-1 glass-subtle p-1.5 shadow-sm">
+            <TabsTrigger
+              value="general"
+              className="relative inline-flex items-center gap-2 rounded-lg px-4 py-2.5 text-sm font-medium transition-all data-[state=active]:bg-background data-[state=active]:shadow-sm data-[state=active]:border-border/50"
+            >
+              <Sliders className="h-4 w-4" />
+              <span>General</span>
+              {generalHasChanges && (
+                <span className="absolute -top-1 -right-1 flex h-3 w-3">
+                  <span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-primary opacity-75" />
+                  <span className="relative inline-flex rounded-full h-3 w-3 bg-primary" />
+                </span>
+              )}
+            </TabsTrigger>
+            <TabsTrigger
+              value="storage"
+              className="relative inline-flex items-center gap-2 rounded-lg px-4 py-2.5 text-sm font-medium transition-all data-[state=active]:bg-background data-[state=active]:shadow-sm data-[state=active]:border-border/50"
+            >
+              <HardDrive className="h-4 w-4" />
+              <span>Storage</span>
+              {storageHasChanges && (
+                <span className="absolute -top-1 -right-1 flex h-3 w-3">
+                  <span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-primary opacity-75" />
+                  <span className="relative inline-flex rounded-full h-3 w-3 bg-primary" />
+                </span>
+              )}
+            </TabsTrigger>
+            <TabsTrigger
+              value="integrations"
+              className="relative inline-flex items-center gap-2 rounded-lg px-4 py-2.5 text-sm font-medium transition-all data-[state=active]:bg-background data-[state=active]:shadow-sm data-[state=active]:border-border/50"
+            >
+              <Key className="h-4 w-4" />
+              <span>Integrations</span>
+              {integrationsHasChanges && (
+                <span className="absolute -top-1 -right-1 flex h-3 w-3">
+                  <span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-primary opacity-75" />
+                  <span className="relative inline-flex rounded-full h-3 w-3 bg-primary" />
+                </span>
+              )}
+            </TabsTrigger>
+            <TabsTrigger
+              value="appearance"
+              className="relative inline-flex items-center gap-2 rounded-lg px-4 py-2.5 text-sm font-medium transition-all data-[state=active]:bg-background data-[state=active]:shadow-sm data-[state=active]:border-border/50"
+            >
+              <Palette className="h-4 w-4" />
+              <span>Appearance</span>
+              {appearanceHasChanges && (
+                <span className="absolute -top-1 -right-1 flex h-3 w-3">
+                  <span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-primary opacity-75" />
+                  <span className="relative inline-flex rounded-full h-3 w-3 bg-primary" />
+                </span>
+              )}
+            </TabsTrigger>
+            <TabsTrigger
+              value="advanced"
+              className="relative inline-flex items-center gap-2 rounded-lg px-4 py-2.5 text-sm font-medium transition-all data-[state=active]:bg-background data-[state=active]:shadow-sm data-[state=active]:border-border/50"
+            >
+              <Code className="h-4 w-4" />
+              <span>Advanced</span>
+              {advancedHasChanges && (
+                <span className="absolute -top-1 -right-1 flex h-3 w-3">
+                  <span className="animate-ping absolute inline-flex h-full w-full rounded-full bg-primary opacity-75" />
+                  <span className="relative inline-flex rounded-full h-3 w-3 bg-primary" />
+                </span>
+              )}
+            </TabsTrigger>
+          </TabsList>
+        </ScrollIndicator>
+
+        {/* General Settings Tab */}
+        <TabsContent value="general" className="space-y-5 mt-0">
+          {/* Instance Information */}
+          <SettingsSection
+            icon={InfoIcon}
+            title="Instance Information"
+            description="View and manage your Emberly instance details"
+            badge={
+              updateInfo?.hasUpdate && (
+                <span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
+                  <Sparkles className="h-3 w-3" />
+                  Update available
+                </span>
+              )
+            }
+          >
+            <SettingRow
+              label="Current Version"
+              description={`Emberly v${pkg.version}${updateInfo ? (updateInfo.hasUpdate ? ` → ${updateInfo.latestVersion}` : ' (Latest)') : ''}`}
+            >
+              <div className="flex items-center gap-2">
+                {updateInfo?.hasUpdate && (
+                  <Button variant="outline" size="sm" asChild>
+                    <a
+                      href={updateInfo.releaseUrl}
+                      target="_blank"
+                      rel="noopener noreferrer"
+                      className="flex items-center gap-2"
+                    >
+                      <ExternalLink className="h-4 w-4" />
+                      View Release
+                    </a>
+                  </Button>
+                )}
+                <Button
+                  onClick={checkForUpdates}
+                  disabled={isCheckingUpdate}
+                  variant={updateInfo?.hasUpdate ? 'default' : 'outline'}
+                  size="sm"
+                >
+                  {isCheckingUpdate ? (
+                    <>
+                      <Icons.spinner className="mr-2 h-4 w-4 animate-spin" />
+                      Checking...
+                    </>
+                  ) : (
+                    <>
+                      <RefreshCw className="mr-2 h-4 w-4" />
+                      Check Updates
+                    </>
+                  )}
+                </Button>
+              </div>
+            </SettingRow>
+
+            <div className="flex items-center gap-2 pt-2">
+              <Button variant="outline" size="sm" asChild className="h-9">
+                <a
+                  href="https://github.com/EmberlyOSS/Emberly"
+                  target="_blank"
+                  rel="noopener noreferrer"
+                >
+                  <Github className="mr-2 h-4 w-4" />
+                  GitHub
+                </a>
+              </Button>
+              <Button variant="outline" size="sm" asChild className="h-9">
+                <a
+                  href="https://ko-fi.com/codemeapixel"
+                  target="_blank"
+                  rel="noopener noreferrer"
+                >
+                  <Heart className="mr-2 h-4 w-4 text-red-500" />
+                  Sponsor
+                </a>
+              </Button>
+            </div>
+          </SettingsSection>
+
+          {/* User Management */}
+          <SettingsSection
+            icon={Users}
+            title="User Management"
+            description="Configure user registration and quota settings"
+          >
+            <SettingRow
+              label="Allow Registrations"
+              description="Enable or disable new user registrations"
+              changed={isFieldChanged('general', ['registrations', 'enabled'])}
+            >
+              <Switch
+                checked={workingConfig.settings.general.registrations.enabled}
+                onCheckedChange={(checked) =>
+                  handleSettingChange('general', {
+                    registrations: {
+                      ...workingConfig.settings.general.registrations,
+                      enabled: checked,
+                    },
+                  })
+                }
+                className={getFieldClasses('general', [
+                  'registrations',
+                  'enabled',
+                ])}
+              />
+            </SettingRow>
+
+            {!workingConfig.settings.general.registrations.enabled && (
+              <div className="space-y-2 pl-0.5">
+                <Label className="text-sm font-medium">Disabled Message</Label>
+                <Input
+                  placeholder="Registrations are currently disabled"
+                  value={
+                    workingConfig.settings.general.registrations
+                      .disabledMessage || ''
+                  }
+                  onChange={(e) =>
+                    handleSettingChange('general', {
+                      registrations: {
+                        ...workingConfig.settings.general.registrations,
+                        disabledMessage: e.target.value,
+                      },
+                    })
+                  }
+                  className={cn(
+                    'max-w-md',
+                    getFieldClasses('general', [
+                      'registrations',
+                      'disabledMessage',
+                    ])
+                  )}
+                />
+                <p className="text-xs text-muted-foreground">
+                  Shown to users when registrations are disabled
+                </p>
+              </div>
+            )}
+          </SettingsSection>
+
+          {/* Credits */}
+          <SettingsSection
+            icon={Heart}
+            title="Credits & Attribution"
+            description="Manage footer credits visibility"
+          >
+            <SettingRow
+              label="Show Credits Footer"
+              description="Display Emberly credits in the footer"
+              changed={isFieldChanged('general', ['credits', 'showFooter'])}
+            >
+              <Switch
+                checked={workingConfig.settings.general.credits.showFooter}
+                onCheckedChange={(checked) =>
+                  handleSettingChange('general', {
+                    credits: { showFooter: checked },
+                  })
+                }
+                className={getFieldClasses('general', [
+                  'credits',
+                  'showFooter',
+                ])}
+              />
+            </SettingRow>
+
+            {!workingConfig.settings.general.credits.showFooter && (
+              <Alert className="bg-amber-500/10 border-amber-500/20 text-amber-600 dark:text-amber-400">
+                <Heart className="h-4 w-4" />
+                <AlertDescription>
+                  If you disable credits, please consider{' '}
+                  <a
+                    href="https://ko-fi.com/codemeapixel"
+                    target="_blank"
+                    rel="noopener noreferrer"
+                    className="underline font-medium hover:no-underline"
+                  >
+                    sponsoring the project
+                  </a>{' '}
+                  to support its development.
+                </AlertDescription>
+              </Alert>
+            )}
+          </SettingsSection>
+        </TabsContent>
+
+        {/* Storage Tab */}
+        <TabsContent value="storage" className="space-y-5 mt-0">
+          {/* User Quotas */}
+          <SettingsSection
+            icon={Users}
+            title="User Quotas"
+            description="Configure storage limits per user"
+          >
+            <SettingRow
+              label="User Quotas"
+              description="Enable storage limits per user"
+              changed={isFieldChanged('general', [
+                'storage',
+                'quotas',
+                'enabled',
+              ])}
+            >
+              <Switch
+                checked={workingConfig.settings.general.storage.quotas.enabled}
+                onCheckedChange={(checked) =>
+                  handleSettingChange('general', {
+                    storage: {
+                      ...workingConfig.settings.general.storage,
+                      quotas: {
+                        ...workingConfig.settings.general.storage.quotas,
+                        enabled: checked,
+                      },
+                    },
+                  })
+                }
+                className={getFieldClasses('general', [
+                  'storage',
+                  'quotas',
+                  'enabled',
+                ])}
+              />
+            </SettingRow>
+
+            <div className="space-y-2 pl-0.5">
+              <div className="flex items-center gap-2">
+                <Label className="text-sm font-medium">
+                  Default Storage Quota
+                </Label>
+                {isFieldChanged('general', [
+                  'storage',
+                  'quotas',
+                  'default',
+                  'value',
+                ]) && <ChangeIndicator />}
+              </div>
+              <div className="flex items-center gap-2 max-w-xs">
+                <Input
+                  type="number"
+                  min="0"
+                  step="1"
+                  value={
+                    workingConfig.settings.general.storage.quotas.default.value
+                  }
+                  onChange={(e) => handleStorageQuotaChange(e.target.value)}
+                  placeholder="500"
+                  className={cn(
+                    'flex-1',
+                    getFieldClasses('general', [
+                      'storage',
+                      'quotas',
+                      'default',
+                      'value',
+                    ])
+                  )}
+                />
+                <Select
+                  value={
+                    workingConfig.settings.general.storage.quotas.default.unit
+                  }
+                  onValueChange={(value) =>
+                    handleSettingChange('general', {
+                      storage: {
+                        ...workingConfig.settings.general.storage,
+                        quotas: {
+                          ...workingConfig.settings.general.storage.quotas,
+                          default: {
+                            ...workingConfig.settings.general.storage.quotas
+                              .default,
+                            unit: value as 'MB' | 'GB',
+                          },
+                        },
+                      },
+                    })
+                  }
+                >
+                  <SelectTrigger
+                    className={cn(
+                      'w-20',
+                      getFieldClasses('general', [
+                        'storage',
+                        'quotas',
+                        'default',
+                        'unit',
+                      ])
+                    )}
+                  >
+                    <SelectValue placeholder="Unit" />
+                  </SelectTrigger>
+                  <SelectContent>
+                    <SelectItem value="MB">MB</SelectItem>
+                    <SelectItem value="GB">GB</SelectItem>
+                  </SelectContent>
+                </Select>
+              </div>
+            </div>
+          </SettingsSection>
+
+          {/* Storage Provider */}
+          <SettingsSection
+            icon={HardDrive}
+            title="Storage Settings"
+            description="Configure storage provider and file upload limits"
+          >
+            <SettingRow
+              label="Background OCR Processing"
+              description="Enable OCR to search text in uploaded images"
+              changed={isFieldChanged('general', ['ocr', 'enabled'])}
+            >
+              <Switch
+                checked={workingConfig.settings.general.ocr.enabled}
+                onCheckedChange={(checked) =>
+                  handleSettingChange('general', {
+                    ocr: { enabled: checked },
+                  })
+                }
+                className={getFieldClasses('general', ['ocr', 'enabled'])}
+              />
+            </SettingRow>
+
+            <div className="space-y-2 pl-0.5">
+              <div className="flex items-center gap-2">
+                <Label className="text-sm font-medium">Storage Provider</Label>
+                {isFieldChanged('general', ['storage', 'provider']) && (
+                  <ChangeIndicator />
+                )}
+              </div>
+              <Select
+                value={workingConfig.settings.general.storage.provider}
+                onValueChange={(value) =>
+                  handleSettingChange('general', {
+                    storage: {
+                      ...workingConfig.settings.general.storage,
+                      provider: value as 'local' | 's3',
+                    },
+                  })
+                }
+              >
+                <SelectTrigger
+                  className={cn(
+                    'max-w-xs',
+                    getFieldClasses('general', ['storage', 'provider'])
+                  )}
+                >
+                  <SelectValue />
+                </SelectTrigger>
+                <SelectContent>
+                  <SelectItem value="local">
+                    <div className="flex items-center gap-2">
+                      <HardDrive className="h-4 w-4" />
+                      Local Storage
+                    </div>
+                  </SelectItem>
+                  <SelectItem value="s3">
+                    <div className="flex items-center gap-2">
+                      <Cloud className="h-4 w-4" />
+                      S3 Storage
+                    </div>
+                  </SelectItem>
+                </SelectContent>
+              </Select>
+            </div>
+
+            {workingConfig.settings.general.storage.provider === 's3' && (
+              <GlassCard className="mt-4" gradient={false}>
+                <div className="p-4 space-y-4">
+                  <div className="flex items-center gap-2 text-sm font-medium text-muted-foreground">
+                    <Cloud className="h-4 w-4" />
+                    S3 Configuration
+                  </div>
+
+                  <div className="grid gap-4 sm:grid-cols-2">
+                    <div className="space-y-2">
+                      <Label className="text-sm">Bucket Name</Label>
+                      <Input
+                        value={workingConfig.settings.general.storage.s3.bucket}
+                        onChange={(e) =>
+                          handleSettingChange('general', {
+                            storage: {
+                              ...workingConfig.settings.general.storage,
+                              s3: {
+                                ...workingConfig.settings.general.storage.s3,
+                                bucket: e.target.value,
+                              },
+                            },
+                          })
+                        }
+                        placeholder="my-bucket"
+                        className={getFieldClasses('general', [
+                          'storage',
+                          's3',
+                          'bucket',
+                        ])}
+                      />
+                    </div>
+                    <div className="space-y-2">
+                      <Label className="text-sm">Region</Label>
+                      <Input
+                        value={workingConfig.settings.general.storage.s3.region}
+                        onChange={(e) =>
+                          handleSettingChange('general', {
+                            storage: {
+                              ...workingConfig.settings.general.storage,
+                              s3: {
+                                ...workingConfig.settings.general.storage.s3,
+                                region: e.target.value,
+                              },
+                            },
+                          })
+                        }
+                        placeholder="us-east-1"
+                        className={getFieldClasses('general', [
+                          'storage',
+                          's3',
+                          'region',
+                        ])}
+                      />
+                    </div>
+                    <div className="space-y-2">
+                      <Label className="text-sm">Access Key ID</Label>
+                      <Input
+                        type="password"
+                        value={
+                          workingConfig.settings.general.storage.s3.accessKeyId
+                        }
+                        onChange={(e) =>
+                          handleSettingChange('general', {
+                            storage: {
+                              ...workingConfig.settings.general.storage,
+                              s3: {
+                                ...workingConfig.settings.general.storage.s3,
+                                accessKeyId: e.target.value,
+                              },
+                            },
+                          })
+                        }
+                        placeholder="AKIAXXXXXXXXXXXXXXXX"
+                        className={getFieldClasses('general', [
+                          'storage',
+                          's3',
+                          'accessKeyId',
+                        ])}
+                      />
+                    </div>
+                    <div className="space-y-2">
+                      <Label className="text-sm">Secret Access Key</Label>
+                      <Input
+                        type="password"
+                        value={
+                          workingConfig.settings.general.storage.s3
+                            .secretAccessKey
+                        }
+                        onChange={(e) =>
+                          handleSettingChange('general', {
+                            storage: {
+                              ...workingConfig.settings.general.storage,
+                              s3: {
+                                ...workingConfig.settings.general.storage.s3,
+                                secretAccessKey: e.target.value,
+                              },
+                            },
+                          })
+                        }
+                        placeholder="••••••••••••••••••••"
+                        className={getFieldClasses('general', [
+                          'storage',
+                          's3',
+                          'secretAccessKey',
+                        ])}
+                      />
+                    </div>
+                  </div>
+
+                  <div className="space-y-2">
+                    <Label className="text-sm">
+                      Custom Endpoint (Optional)
+                    </Label>
+                    <Input
+                      value={
+                        workingConfig.settings.general.storage.s3.endpoint || ''
+                      }
+                      onChange={(e) =>
+                        handleSettingChange('general', {
+                          storage: {
+                            ...workingConfig.settings.general.storage,
+                            s3: {
+                              ...workingConfig.settings.general.storage.s3,
+                              endpoint: e.target.value,
+                            },
+                          },
+                        })
+                      }
+                      placeholder="https://s3.custom-domain.com"
+                      className={getFieldClasses('general', [
+                        'storage',
+                        's3',
+                        'endpoint',
+                      ])}
+                    />
+                    <p className="text-xs text-muted-foreground">
+                      For S3-compatible services like MinIO or DigitalOcean
+                      Spaces
+                    </p>
+                  </div>
+
+                  <SettingRow
+                    label="Force Path Style"
+                    description="Enable for S3-compatible services requiring path-style URLs"
+                    changed={isFieldChanged('general', [
+                      'storage',
+                      's3',
+                      'forcePathStyle',
+                    ])}
+                  >
+                    <Switch
+                      checked={
+                        workingConfig.settings.general.storage.s3.forcePathStyle
+                      }
+                      onCheckedChange={(checked) =>
+                        handleSettingChange('general', {
+                          storage: {
+                            ...workingConfig.settings.general.storage,
+                            s3: {
+                              ...workingConfig.settings.general.storage.s3,
+                              forcePathStyle: checked,
+                            },
+                          },
+                        })
+                      }
+                      className={getFieldClasses('general', [
+                        'storage',
+                        's3',
+                        'forcePathStyle',
+                      ])}
+                    />
+                  </SettingRow>
+
+                  <div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
+                    <div>
+                      {s3TestState && !s3TestState.loading && (
+                        <span
+                          className={`text-xs flex items-center gap-1.5 ${s3TestState.ok ? 'text-green-500' : 'text-destructive'}`}
+                        >
+                          {s3TestState.ok ? (
+                            <CheckCircle2 className="h-3.5 w-3.5" />
+                          ) : (
+                            <AlertCircle className="h-3.5 w-3.5" />
+                          )}
+                          {s3TestState.message}
+                        </span>
+                      )}
+                    </div>
+                    <Button
+                      variant="outline"
+                      size="sm"
+                      className="h-8 gap-1.5 shrink-0"
+                      disabled={s3TestState?.loading}
+                      onClick={handleS3Test}
+                    >
+                      {s3TestState?.loading ? (
+                        <Loader2 className="h-3.5 w-3.5 animate-spin" />
+                      ) : (
+                        <RefreshCw className="h-3.5 w-3.5" />
+                      )}
+                      Test Connection
+                    </Button>
+                  </div>
+                </div>
+              </GlassCard>
+            )}
+
+            <div className="space-y-2 pl-0.5">
+              <div className="flex items-center gap-2">
+                <Label className="text-sm font-medium">
+                  Maximum Upload Size
+                </Label>
+                {isFieldChanged('general', [
+                  'storage',
+                  'maxUploadSize',
+                  'value',
+                ]) && <ChangeIndicator />}
+              </div>
+              <div className="flex items-center gap-2 max-w-xs">
+                <Input
+                  type="number"
+                  min="1"
+                  step="1"
+                  value={
+                    workingConfig.settings.general.storage.maxUploadSize.value
+                  }
+                  onChange={(e) => handleMaxUploadSizeChange(e.target.value)}
+                  placeholder="10"
+                  className={cn(
+                    'flex-1',
+                    getFieldClasses('general', [
+                      'storage',
+                      'maxUploadSize',
+                      'value',
+                    ])
+                  )}
+                />
+                <Select
+                  value={
+                    workingConfig.settings.general.storage.maxUploadSize.unit
+                  }
+                  onValueChange={(value) =>
+                    handleSettingChange('general', {
+                      storage: {
+                        ...workingConfig.settings.general.storage,
+                        maxUploadSize: {
+                          ...workingConfig.settings.general.storage
+                            .maxUploadSize,
+                          unit: value as 'MB' | 'GB',
+                        },
+                      },
+                    })
+                  }
+                >
+                  <SelectTrigger
+                    className={cn(
+                      'w-20',
+                      getFieldClasses('general', [
+                        'storage',
+                        'maxUploadSize',
+                        'unit',
+                      ])
+                    )}
+                  >
+                    <SelectValue placeholder="Unit" />
+                  </SelectTrigger>
+                  <SelectContent>
+                    <SelectItem value="MB">MB</SelectItem>
+                    <SelectItem value="GB">GB</SelectItem>
+                  </SelectContent>
+                </Select>
+              </div>
+            </div>
+          </SettingsSection>
+
+          {/* Vultr Object Storage Pools */}
+          <SettingsSection
+            icon={Cloud}
+            title="Vultr Object Storage"
+            description="Regional pooled instances. Active instances enable that region on the pricing page so users can purchase storage."
+          >
+            <VultrInstanceManager />
+          </SettingsSection>
+
+          {/* Additional Storage Buckets */}
+          <SettingsSection
+            icon={Database}
+            title="Additional Storage Buckets"
+            description="Create named S3 buckets that can be assigned to specific users or squads, overriding the default storage."
+          >
+            <StorageBucketManager />
+          </SettingsSection>
+        </TabsContent>
+
+        {/* Appearance Tab */}
+        <TabsContent value="appearance" className="space-y-5 mt-0">
+          {/* Theme Colors */}
+          <SettingsSection
+            icon={Palette}
+            title="Theme & Colors"
+            description="Customize the visual appearance of your Emberly instance"
+            badge={
+              appearanceHasChanges && (
+                <span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
+                  Modified
+                </span>
+              )
+            }
+          >
+            <AppearancePanel
+              onSave={handleAdminSaveAppearance}
+              onThemeChange={handleAdminThemeChange}
+            />
+          </SettingsSection>
+
+          {/* Favicon */}
+          <SettingsSection
+            icon={Image}
+            title="Favicon"
+            description="Upload a custom favicon for your instance"
+            badge={
+              hasFaviconChanged() && (
+                <span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-amber-500/10 text-amber-600 dark:text-amber-400 border border-amber-500/20">
+                  Unsaved
+                </span>
+              )
+            }
+          >
+            <div className="flex items-center justify-center w-full">
+              <label className="relative flex flex-col items-center justify-center w-full h-40 border-2 border-dashed border-border/50 rounded-xl cursor-pointer hover:bg-muted/30 hover:border-primary/30 transition-all group">
+                {(workingConfig?.settings.appearance.favicon ||
+                  faviconPreviewUrl) && (
+                  <div className="absolute top-3 left-3">
+                    <div className="flex items-center gap-2 px-3 py-1.5 bg-background/90 backdrop-blur-sm rounded-lg border border-border/50">
+                      <img
+                        src={
+                          isSafeUrl(faviconPreviewUrl)
+                            ? DOMPurify.sanitize(faviconPreviewUrl)
+                            : '/api/favicon'
+                        }
+                        alt="Favicon"
+                        className="w-5 h-5"
+                      />
+                      <span className="text-xs text-muted-foreground">
+                        {faviconPreviewUrl ? 'Preview (unsaved)' : 'Current'}
+                      </span>
+                    </div>
+                  </div>
+                )}
+                <div className="flex flex-col items-center justify-center pt-5 pb-6">
+                  <div className="flex h-12 w-12 items-center justify-center rounded-xl bg-primary/10 group-hover:bg-primary/20 transition-colors mb-3">
+                    <Upload className="h-5 w-5 text-primary" />
+                  </div>
+                  <p className="text-sm font-medium">Click to upload favicon</p>
+                  <p className="text-xs text-muted-foreground mt-1">
+                    PNG up to 1MB
+                  </p>
+                </div>
+                <input
+                  type="file"
+                  className="hidden"
+                  accept="image/png"
+                  onChange={async (e) => {
+                    const file = e.target.files?.[0]
+                    if (!file) return
+
+                    if (file.size > 1024 * 1024) {
+                      toast({
+                        title: 'File too large',
+                        description: 'Please upload a file smaller than 1MB',
+                        variant: 'destructive',
+                      })
+                      return
+                    }
+
+                    if (file.type !== 'image/png') {
+                      toast({
+                        title: 'Invalid file type',
+                        description: 'Please upload a PNG image file',
+                        variant: 'destructive',
+                      })
+                      return
+                    }
+
+                    try {
+                      if (faviconPreviewUrl) {
+                        URL.revokeObjectURL(faviconPreviewUrl)
+                      }
+
+                      const previewUrl = URL.createObjectURL(file)
+                      setFaviconPreviewUrl(previewUrl)
+                      setPendingFaviconFile(file)
+
+                      toast({
+                        title: 'Favicon changed',
+                        description:
+                          'Save your changes to apply the new favicon',
+                      })
+                    } catch (error) {
+                      console.error('Failed to handle favicon:', error)
+                      toast({
+                        title: 'Failed to update favicon',
+                        description: 'Please try again',
+                        variant: 'destructive',
+                      })
+                    }
+                  }}
+                />
+              </label>
+            </div>
+          </SettingsSection>
+        </TabsContent>
+
+        {/* Advanced Tab */}
+        <TabsContent value="advanced" className="space-y-5 mt-0">
+          {/* Custom CSS */}
+          <SettingsSection
+            icon={Code}
+            title="Custom CSS"
+            description="Add custom CSS styles to your instance"
+            badge={
+              isFieldChanged('advanced', ['customCSS']) && (
+                <span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
+                  Modified
+                </span>
+              )
+            }
+          >
+            <div className="space-y-3">
+              <div className="flex items-center justify-between">
+                <p className="text-sm text-muted-foreground">
+                  Custom CSS will be injected into every page
+                </p>
+                <Button
+                  variant={cssEditorOpen ? 'default' : 'outline'}
+                  size="sm"
+                  onClick={() => setCssEditorOpen(!cssEditorOpen)}
+                >
+                  <Code className="mr-2 h-4 w-4" />
+                  {cssEditorOpen ? 'Close' : 'Open Editor'}
+                </Button>
+              </div>
+              {cssEditorOpen && (
+                <GlassCard gradient={false} className="overflow-hidden">
+                  <div className="p-1">
+                    <CodeMirror
+                      value={workingConfig.settings.advanced.customCSS}
+                      height="250px"
+                      extensions={[css()]}
+                      onChange={(value) => {
+                        handleSettingChange('advanced', {
+                          customCSS: value,
+                        })
+                      }}
+                      theme="dark"
+                      className="rounded-lg overflow-hidden text-sm"
+                    />
+                  </div>
+                </GlassCard>
+              )}
+            </div>
+          </SettingsSection>
+
+          {/* Custom HTML */}
+          <SettingsSection
+            icon={FileCode}
+            title="HTML Head Content"
+            description="Add custom HTML to the head section of every page"
+            badge={
+              isFieldChanged('advanced', ['customHead']) && (
+                <span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
+                  Modified
+                </span>
+              )
+            }
+          >
+            <div className="space-y-3">
+              <div className="flex items-center justify-between">
+                <p className="text-sm text-muted-foreground">
+                  Add scripts, meta tags, or other HTML elements
+                </p>
+                <Button
+                  variant={htmlEditorOpen ? 'default' : 'outline'}
+                  size="sm"
+                  onClick={() => setHtmlEditorOpen(!htmlEditorOpen)}
+                >
+                  <FileCode className="mr-2 h-4 w-4" />
+                  {htmlEditorOpen ? 'Close' : 'Open Editor'}
+                </Button>
+              </div>
+              {htmlEditorOpen && (
+                <GlassCard gradient={false} className="overflow-hidden">
+                  <div className="p-1">
+                    <CodeMirror
+                      value={workingConfig.settings.advanced.customHead}
+                      height="250px"
+                      extensions={[html()]}
+                      onChange={(value) => {
+                        handleSettingChange('advanced', {
+                          customHead: value,
+                        })
+                      }}
+                      theme="dark"
+                      className="rounded-lg overflow-hidden text-sm"
+                    />
+                  </div>
+                </GlassCard>
+              )}
+            </div>
+          </SettingsSection>
+        </TabsContent>
+
+        {/* Integrations Tab */}
+        <TabsContent value="integrations" className="space-y-5 mt-0">
+          <SystemApiKeySection />
+
+          {/* Stripe */}
+          <SettingsSection
+            icon={CreditCard}
+            title="Stripe"
+            description="Payment processing. Overrides STRIPE_SECRET and STRIPE_WEBHOOK env vars."
+            badge={
+              isFieldChanged('integrations', ['stripe']) && (
+                <span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
+                  Modified
+                </span>
+              )
+            }
+          >
+            <SettingRow
+              label="Secret Key"
+              description="Stripe secret key (sk_live_... or sk_test_...)"
+            >
+              <Input
+                type="password"
+                placeholder="sk_live_..."
+                className="w-80 font-mono text-sm"
+                value={
+                  workingConfig?.settings.integrations?.stripe?.secretKey ?? ''
+                }
+                onChange={(e) =>
+                  handleSettingChange('integrations', {
+                    stripe: {
+                      ...workingConfig?.settings.integrations?.stripe,
+                      secretKey: e.target.value,
+                    },
+                  })
+                }
+              />
+            </SettingRow>
+            <SettingRow
+              label="Webhook Secret"
+              description="Signing secret for Stripe webhook events"
+            >
+              <Input
+                type="password"
+                placeholder="whsec_..."
+                className="w-80 font-mono text-sm"
+                value={
+                  workingConfig?.settings.integrations?.stripe?.webhookSecret ??
+                  ''
+                }
+                onChange={(e) =>
+                  handleSettingChange('integrations', {
+                    stripe: {
+                      ...workingConfig?.settings.integrations?.stripe,
+                      webhookSecret: e.target.value,
+                    },
+                  })
+                }
+              />
+            </SettingRow>
+            <div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
+              <div>
+                {intTestStates['stripe'] &&
+                  !intTestStates['stripe'].loading && (
+                    <span
+                      className={`text-xs flex items-center gap-1.5 ${intTestStates['stripe'].ok ? 'text-green-500' : 'text-destructive'}`}
+                    >
+                      {intTestStates['stripe'].ok ? (
+                        <CheckCircle2 className="h-3.5 w-3.5" />
+                      ) : (
+                        <AlertCircle className="h-3.5 w-3.5" />
+                      )}
+                      {intTestStates['stripe'].message}
+                    </span>
+                  )}
+              </div>
+              <Button
+                variant="outline"
+                size="sm"
+                className="h-8 gap-1.5 shrink-0"
+                disabled={intTestStates['stripe']?.loading}
+                onClick={() =>
+                  handleIntegrationTest('stripe', {
+                    secretKey:
+                      workingConfig?.settings.integrations?.stripe?.secretKey ??
+                      '',
+                  })
+                }
+              >
+                {intTestStates['stripe']?.loading ? (
+                  <Loader2 className="h-3.5 w-3.5 animate-spin" />
+                ) : (
+                  <RefreshCw className="h-3.5 w-3.5" />
+                )}
+                Test Connection
+              </Button>
+            </div>
+          </SettingsSection>
+
+          {/* Resend / SMTP */}
+          {(() => {
+            const emailProvider =
+              ((workingConfig?.settings.integrations as Record<string, unknown>)
+                ?.emailProvider as string) ?? 'resend'
+            return (
+              <>
+                <SettingsSection
+                  icon={Zap}
+                  title="Email"
+                  description="Transactional email delivery provider and credentials."
+                  badge={
+                    isFieldChanged('integrations', [
+                      'resend',
+                      'smtp',
+                      'emailProvider',
+                    ]) && (
+                      <span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
+                        Modified
+                      </span>
+                    )
+                  }
+                >
+                  <SettingRow
+                    label="Email Provider"
+                    description="Choose the email delivery provider"
+                  >
+                    <Select
+                      value={emailProvider}
+                      onValueChange={(value) =>
+                        handleSettingChange('integrations', {
+                          emailProvider: value as 'resend' | 'smtp',
+                        })
+                      }
+                    >
+                      <SelectTrigger className="w-48 text-sm">
+                        <SelectValue />
+                      </SelectTrigger>
+                      <SelectContent>
+                        <SelectItem value="resend">Resend</SelectItem>
+                        <SelectItem value="smtp">SMTP</SelectItem>
+                      </SelectContent>
+                    </Select>
+                  </SettingRow>
+
+                  {emailProvider === 'resend' && (
+                    <>
+                      <SettingRow label="API Key" description="Resend API key">
+                        <Input
+                          type="password"
+                          placeholder="re_..."
+                          className="w-80 font-mono text-sm"
+                          value={
+                            workingConfig?.settings.integrations?.resend
+                              ?.apiKey ?? ''
+                          }
+                          onChange={(e) =>
+                            handleSettingChange('integrations', {
+                              resend: {
+                                ...workingConfig?.settings.integrations?.resend,
+                                apiKey: e.target.value,
+                              },
+                            })
+                          }
+                        />
+                      </SettingRow>
+                      <SettingRow
+                        label="From Address"
+                        description="Sender address for outgoing emails"
+                      >
+                        <Input
+                          placeholder="Emberly <noreply@embrly.ca>"
+                          className="w-80 text-sm"
+                          value={
+                            workingConfig?.settings.integrations?.resend
+                              ?.emailFrom ?? ''
+                          }
+                          onChange={(e) =>
+                            handleSettingChange('integrations', {
+                              resend: {
+                                ...workingConfig?.settings.integrations?.resend,
+                                emailFrom: e.target.value,
+                              },
+                            })
+                          }
+                        />
+                      </SettingRow>
+                      <div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
+                        <div>
+                          {intTestStates['resend'] &&
+                            !intTestStates['resend'].loading && (
+                              <span
+                                className={`text-xs flex items-center gap-1.5 ${intTestStates['resend'].ok ? 'text-green-500' : 'text-destructive'}`}
+                              >
+                                {intTestStates['resend'].ok ? (
+                                  <CheckCircle2 className="h-3.5 w-3.5" />
+                                ) : (
+                                  <AlertCircle className="h-3.5 w-3.5" />
+                                )}
+                                {intTestStates['resend'].message}
+                              </span>
+                            )}
+                        </div>
+                        <Button
+                          variant="outline"
+                          size="sm"
+                          className="h-8 gap-1.5 shrink-0"
+                          disabled={intTestStates['resend']?.loading}
+                          onClick={() =>
+                            handleIntegrationTest('resend', {
+                              apiKey:
+                                workingConfig?.settings.integrations?.resend
+                                  ?.apiKey ?? '',
+                            })
+                          }
+                        >
+                          {intTestStates['resend']?.loading ? (
+                            <Loader2 className="h-3.5 w-3.5 animate-spin" />
+                          ) : (
+                            <RefreshCw className="h-3.5 w-3.5" />
+                          )}
+                          Test Connection
+                        </Button>
+                      </div>
+                    </>
+                  )}
+
+                  {emailProvider === 'smtp' && (
+                    <>
+                      <SettingRow
+                        label="Host"
+                        description="SMTP server hostname"
+                      >
+                        <Input
+                          placeholder="smtp.example.com"
+                          className="w-80 font-mono text-sm"
+                          value={
+                            ((
+                              (
+                                workingConfig?.settings.integrations as Record<
+                                  string,
+                                  unknown
+                                >
+                              )?.smtp as Record<string, unknown>
+                            )?.host as string) ?? ''
+                          }
+                          onChange={(e) =>
+                            handleSettingChange('integrations', {
+                              smtp: {
+                                ...(((
+                                  workingConfig?.settings
+                                    .integrations as Record<string, unknown>
+                                )?.smtp as Record<string, unknown>) ?? {}),
+                                host: e.target.value,
+                              } as EmberlyConfig['settings']['integrations']['smtp'],
+                            })
+                          }
+                        />
+                      </SettingRow>
+                      <SettingRow
+                        label="Port"
+                        description="SMTP server port (25, 465, 587, or 2587)"
+                      >
+                        <Input
+                          type="number"
+                          placeholder="587"
+                          className="w-32 font-mono text-sm"
+                          value={
+                            ((
+                              (
+                                workingConfig?.settings.integrations as Record<
+                                  string,
+                                  unknown
+                                >
+                              )?.smtp as Record<string, unknown>
+                            )?.port as number) ?? 587
+                          }
+                          onChange={(e) =>
+                            handleSettingChange('integrations', {
+                              smtp: {
+                                ...(((
+                                  workingConfig?.settings
+                                    .integrations as Record<string, unknown>
+                                )?.smtp as Record<string, unknown>) ?? {}),
+                                port: Number(e.target.value),
+                              } as EmberlyConfig['settings']['integrations']['smtp'],
+                            })
+                          }
+                        />
+                      </SettingRow>
+                      <SettingRow
+                        label="Secure (TLS)"
+                        description="Use TLS — enable for port 465, disable for STARTTLS"
+                      >
+                        <Switch
+                          checked={
+                            ((
+                              (
+                                workingConfig?.settings.integrations as Record<
+                                  string,
+                                  unknown
+                                >
+                              )?.smtp as Record<string, unknown>
+                            )?.secure as boolean) ?? false
+                          }
+                          onCheckedChange={(checked) =>
+                            handleSettingChange('integrations', {
+                              smtp: {
+                                ...(((
+                                  workingConfig?.settings
+                                    .integrations as Record<string, unknown>
+                                )?.smtp as Record<string, unknown>) ?? {}),
+                                secure: checked,
+                              } as EmberlyConfig['settings']['integrations']['smtp'],
+                            })
+                          }
+                        />
+                      </SettingRow>
+                      <SettingRow
+                        label="Username"
+                        description="SMTP authentication username"
+                      >
+                        <Input
+                          placeholder="user@example.com"
+                          className="w-80 text-sm"
+                          value={
+                            ((
+                              (
+                                workingConfig?.settings.integrations as Record<
+                                  string,
+                                  unknown
+                                >
+                              )?.smtp as Record<string, unknown>
+                            )?.user as string) ?? ''
+                          }
+                          onChange={(e) =>
+                            handleSettingChange('integrations', {
+                              smtp: {
+                                ...(((
+                                  workingConfig?.settings
+                                    .integrations as Record<string, unknown>
+                                )?.smtp as Record<string, unknown>) ?? {}),
+                                user: e.target.value,
+                              } as EmberlyConfig['settings']['integrations']['smtp'],
+                            })
+                          }
+                        />
+                      </SettingRow>
+                      <SettingRow
+                        label="Password"
+                        description="SMTP authentication password"
+                      >
+                        <Input
+                          type="password"
+                          placeholder="••••••••"
+                          className="w-80 font-mono text-sm"
+                          value={
+                            ((
+                              (
+                                workingConfig?.settings.integrations as Record<
+                                  string,
+                                  unknown
+                                >
+                              )?.smtp as Record<string, unknown>
+                            )?.password as string) ?? ''
+                          }
+                          onChange={(e) =>
+                            handleSettingChange('integrations', {
+                              smtp: {
+                                ...(((
+                                  workingConfig?.settings
+                                    .integrations as Record<string, unknown>
+                                )?.smtp as Record<string, unknown>) ?? {}),
+                                password: e.target.value,
+                              } as EmberlyConfig['settings']['integrations']['smtp'],
+                            })
+                          }
+                        />
+                      </SettingRow>
+                      <SettingRow
+                        label="From Address"
+                        description="Sender address (overrides EMAIL_FROM env var)"
+                      >
+                        <Input
+                          placeholder="Emberly <noreply@embrly.ca>"
+                          className="w-80 text-sm"
+                          value={
+                            ((
+                              (
+                                workingConfig?.settings.integrations as Record<
+                                  string,
+                                  unknown
+                                >
+                              )?.smtp as Record<string, unknown>
+                            )?.from as string) ?? ''
+                          }
+                          onChange={(e) =>
+                            handleSettingChange('integrations', {
+                              smtp: {
+                                ...(((
+                                  workingConfig?.settings
+                                    .integrations as Record<string, unknown>
+                                )?.smtp as Record<string, unknown>) ?? {}),
+                                from: e.target.value,
+                              } as EmberlyConfig['settings']['integrations']['smtp'],
+                            })
+                          }
+                        />
+                      </SettingRow>
+                      <div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
+                        <div>
+                          {intTestStates['smtp'] &&
+                            !intTestStates['smtp'].loading && (
+                              <div className="flex flex-col gap-0.5">
+                                <span
+                                  className={`text-xs flex items-center gap-1.5 ${intTestStates['smtp'].ok ? 'text-green-500' : 'text-destructive'}`}
+                                >
+                                  {intTestStates['smtp'].ok ? (
+                                    <CheckCircle2 className="h-3.5 w-3.5" />
+                                  ) : (
+                                    <AlertCircle className="h-3.5 w-3.5" />
+                                  )}
+                                  {intTestStates['smtp'].message}
+                                </span>
+                                {intTestStates['smtp'].detail && (
+                                  <span className="text-xs text-muted-foreground font-mono break-all">
+                                    {intTestStates['smtp'].detail}
+                                  </span>
+                                )}
+                              </div>
+                            )}
+                        </div>
+                        <Button
+                          variant="outline"
+                          size="sm"
+                          className="h-8 gap-1.5 shrink-0"
+                          disabled={intTestStates['smtp']?.loading}
+                          onClick={() =>
+                            handleIntegrationTest('smtp', {
+                              host:
+                                ((
+                                  (
+                                    workingConfig?.settings
+                                      .integrations as Record<string, unknown>
+                                  )?.smtp as Record<string, unknown>
+                                )?.host as string) ?? '',
+                              port: String(
+                                ((
+                                  (
+                                    workingConfig?.settings
+                                      .integrations as Record<string, unknown>
+                                  )?.smtp as Record<string, unknown>
+                                )?.port as number) ?? 587
+                              ),
+                              secure: String(
+                                ((
+                                  (
+                                    workingConfig?.settings
+                                      .integrations as Record<string, unknown>
+                                  )?.smtp as Record<string, unknown>
+                                )?.secure as boolean) ?? false
+                              ),
+                              user:
+                                ((
+                                  (
+                                    workingConfig?.settings
+                                      .integrations as Record<string, unknown>
+                                  )?.smtp as Record<string, unknown>
+                                )?.user as string) ?? '',
+                              password:
+                                ((
+                                  (
+                                    workingConfig?.settings
+                                      .integrations as Record<string, unknown>
+                                  )?.smtp as Record<string, unknown>
+                                )?.password as string) ?? '',
+                            })
+                          }
+                        >
+                          {intTestStates['smtp']?.loading ? (
+                            <Loader2 className="h-3.5 w-3.5 animate-spin" />
+                          ) : (
+                            <RefreshCw className="h-3.5 w-3.5" />
+                          )}
+                          Test Connection
+                        </Button>
+                      </div>
+                    </>
+                  )}
+                </SettingsSection>
+              </>
+            )
+          })()}
+
+          {/* Cloudflare */}
+          <SettingsSection
+            icon={Cloud}
+            title="Cloudflare"
+            description="CDN, DNS, and storage. Overrides CLOUDFLARE_API_TOKEN, CLOUDFLARE_ACCOUNT_ID, and CLOUDFLARE_ZONE_ID env vars."
+            badge={
+              isFieldChanged('integrations', ['cloudflare']) && (
+                <span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
+                  Modified
+                </span>
+              )
+            }
+          >
+            <SettingRow
+              label="API Token"
+              description="Cloudflare API token with required permissions"
+            >
+              <Input
+                type="password"
+                placeholder="API token"
+                className="w-80 font-mono text-sm"
+                value={
+                  workingConfig?.settings.integrations?.cloudflare?.apiToken ??
+                  ''
+                }
+                onChange={(e) =>
+                  handleSettingChange('integrations', {
+                    cloudflare: {
+                      ...workingConfig?.settings.integrations?.cloudflare,
+                      apiToken: e.target.value,
+                    },
+                  })
+                }
+              />
+            </SettingRow>
+            <SettingRow
+              label="Account ID"
+              description="Your Cloudflare account ID"
+            >
+              <Input
+                placeholder="Account ID"
+                className="w-80 font-mono text-sm"
+                value={
+                  workingConfig?.settings.integrations?.cloudflare?.accountId ??
+                  ''
+                }
+                onChange={(e) =>
+                  handleSettingChange('integrations', {
+                    cloudflare: {
+                      ...workingConfig?.settings.integrations?.cloudflare,
+                      accountId: e.target.value,
+                    },
+                  })
+                }
+              />
+            </SettingRow>
+            <SettingRow
+              label="Zone ID"
+              description="Cloudflare zone ID for your domain"
+            >
+              <Input
+                placeholder="Zone ID"
+                className="w-80 font-mono text-sm"
+                value={
+                  workingConfig?.settings.integrations?.cloudflare?.zoneId ?? ''
+                }
+                onChange={(e) =>
+                  handleSettingChange('integrations', {
+                    cloudflare: {
+                      ...workingConfig?.settings.integrations?.cloudflare,
+                      zoneId: e.target.value,
+                    },
+                  })
+                }
+              />
+            </SettingRow>
+            <div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
+              <div>
+                {intTestStates['cloudflare'] &&
+                  !intTestStates['cloudflare'].loading && (
+                    <span
+                      className={`text-xs flex items-center gap-1.5 ${intTestStates['cloudflare'].ok ? 'text-green-500' : 'text-destructive'}`}
+                    >
+                      {intTestStates['cloudflare'].ok ? (
+                        <CheckCircle2 className="h-3.5 w-3.5" />
+                      ) : (
+                        <AlertCircle className="h-3.5 w-3.5" />
+                      )}
+                      {intTestStates['cloudflare'].message}
+                    </span>
+                  )}
+              </div>
+              <Button
+                variant="outline"
+                size="sm"
+                className="h-8 gap-1.5 shrink-0"
+                disabled={intTestStates['cloudflare']?.loading}
+                onClick={() =>
+                  handleIntegrationTest('cloudflare', {
+                    apiToken:
+                      workingConfig?.settings.integrations?.cloudflare
+                        ?.apiToken ?? '',
+                    accountId:
+                      workingConfig?.settings.integrations?.cloudflare
+                        ?.accountId ?? '',
+                  })
+                }
+              >
+                {intTestStates['cloudflare']?.loading ? (
+                  <Loader2 className="h-3.5 w-3.5 animate-spin" />
+                ) : (
+                  <RefreshCw className="h-3.5 w-3.5" />
+                )}
+                Test Connection
+              </Button>
+            </div>
+          </SettingsSection>
+
+          {/* Discord */}
+          <SettingsSection
+            icon={Shield}
+            title="Discord"
+            description="Alerts, webhooks, and supporter perks. Overrides DISCORD_WEBHOOK_URL, DISCORD_BOT_TOKEN, DISCORD_SERVER_ID, and DISCORD_SUPPORTER_ROLE env vars."
+            badge={
+              isFieldChanged('integrations', ['discord']) && (
+                <span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
+                  Modified
+                </span>
+              )
+            }
+          >
+            <SettingRow
+              label="Admin Webhook URL"
+              description="Webhook for admin alerts and notifications"
+            >
+              <Input
+                type="password"
+                placeholder="https://discord.com/api/webhooks/..."
+                className="w-80 font-mono text-sm"
+                value={
+                  workingConfig?.settings.integrations?.discord?.webhookUrl ??
+                  ''
+                }
+                onChange={(e) =>
+                  handleSettingChange('integrations', {
+                    discord: {
+                      ...workingConfig?.settings.integrations?.discord,
+                      webhookUrl: e.target.value,
+                    },
+                  })
+                }
+              />
+            </SettingRow>
+            <SettingRow
+              label="Bot Token"
+              description="Token for your Discord bot"
+            >
+              <Input
+                type="password"
+                placeholder="Bot token"
+                className="w-80 font-mono text-sm"
+                value={
+                  workingConfig?.settings.integrations?.discord?.botToken ?? ''
+                }
+                onChange={(e) =>
+                  handleSettingChange('integrations', {
+                    discord: {
+                      ...workingConfig?.settings.integrations?.discord,
+                      botToken: e.target.value,
+                    },
+                  })
+                }
+              />
+            </SettingRow>
+            <SettingRow
+              label="Server ID"
+              description="Discord server (guild) ID"
+            >
+              <Input
+                placeholder="Server ID"
+                className="w-80 font-mono text-sm"
+                value={
+                  workingConfig?.settings.integrations?.discord?.serverId ?? ''
+                }
+                onChange={(e) =>
+                  handleSettingChange('integrations', {
+                    discord: {
+                      ...workingConfig?.settings.integrations?.discord,
+                      serverId: e.target.value,
+                    },
+                  })
+                }
+              />
+            </SettingRow>
+            <SettingRow
+              label="Supporter Role ID"
+              description="Role ID granted to active supporters"
+            >
+              <Input
+                placeholder="Role ID"
+                className="w-80 font-mono text-sm"
+                value={
+                  workingConfig?.settings.integrations?.discord
+                    ?.supporterRole ?? ''
+                }
+                onChange={(e) =>
+                  handleSettingChange('integrations', {
+                    discord: {
+                      ...workingConfig?.settings.integrations?.discord,
+                      supporterRole: e.target.value,
+                    },
+                  })
+                }
+              />
+            </SettingRow>
+            <div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
+              <div>
+                {intTestStates['discord'] &&
+                  !intTestStates['discord'].loading && (
+                    <span
+                      className={`text-xs flex items-center gap-1.5 ${intTestStates['discord'].ok ? 'text-green-500' : 'text-destructive'}`}
+                    >
+                      {intTestStates['discord'].ok ? (
+                        <CheckCircle2 className="h-3.5 w-3.5" />
+                      ) : (
+                        <AlertCircle className="h-3.5 w-3.5" />
+                      )}
+                      {intTestStates['discord'].message}
+                    </span>
+                  )}
+              </div>
+              <Button
+                variant="outline"
+                size="sm"
+                className="h-8 gap-1.5 shrink-0"
+                disabled={intTestStates['discord']?.loading}
+                onClick={() =>
+                  handleIntegrationTest('discord', {
+                    webhookUrl:
+                      workingConfig?.settings.integrations?.discord
+                        ?.webhookUrl ?? '',
+                    botToken:
+                      workingConfig?.settings.integrations?.discord?.botToken ??
+                      '',
+                    serverId:
+                      workingConfig?.settings.integrations?.discord?.serverId ??
+                      '',
+                  })
+                }
+              >
+                {intTestStates['discord']?.loading ? (
+                  <Loader2 className="h-3.5 w-3.5 animate-spin" />
+                ) : (
+                  <RefreshCw className="h-3.5 w-3.5" />
+                )}
+                Test Connection
+              </Button>
+            </div>
+          </SettingsSection>
+
+          {/* GitHub */}
+          <SettingsSection
+            icon={Github}
+            title="GitHub"
+            description="Organization data for contributors and changelogs. Overrides GITHUB_ORG and GITHUB_PAT env vars."
+            badge={
+              isFieldChanged('integrations', ['github']) && (
+                <span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
+                  Modified
+                </span>
+              )
+            }
+          >
+            <SettingRow
+              label="Organization"
+              description="GitHub organization name"
+            >
+              <Input
+                placeholder="EmberlyOSS"
+                className="w-80 font-mono text-sm"
+                value={workingConfig?.settings.integrations?.github?.org ?? ''}
+                onChange={(e) =>
+                  handleSettingChange('integrations', {
+                    github: {
+                      ...workingConfig?.settings.integrations?.github,
+                      org: e.target.value,
+                    },
+                  })
+                }
+              />
+            </SettingRow>
+            <SettingRow
+              label="Personal Access Token"
+              description="PAT for authenticated API requests"
+            >
+              <Input
+                type="password"
+                placeholder="ghp_..."
+                className="w-80 font-mono text-sm"
+                value={workingConfig?.settings.integrations?.github?.pat ?? ''}
+                onChange={(e) =>
+                  handleSettingChange('integrations', {
+                    github: {
+                      ...workingConfig?.settings.integrations?.github,
+                      pat: e.target.value,
+                    },
+                  })
+                }
+              />
+            </SettingRow>
+            <div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
+              <div>
+                {intTestStates['github'] &&
+                  !intTestStates['github'].loading && (
+                    <span
+                      className={`text-xs flex items-center gap-1.5 ${intTestStates['github'].ok ? 'text-green-500' : 'text-destructive'}`}
+                    >
+                      {intTestStates['github'].ok ? (
+                        <CheckCircle2 className="h-3.5 w-3.5" />
+                      ) : (
+                        <AlertCircle className="h-3.5 w-3.5" />
+                      )}
+                      {intTestStates['github'].message}
+                    </span>
+                  )}
+              </div>
+              <Button
+                variant="outline"
+                size="sm"
+                className="h-8 gap-1.5 shrink-0"
+                disabled={intTestStates['github']?.loading}
+                onClick={() =>
+                  handleIntegrationTest('github', {
+                    pat:
+                      workingConfig?.settings.integrations?.github?.pat ?? '',
+                    org:
+                      workingConfig?.settings.integrations?.github?.org ?? '',
+                  })
+                }
+              >
+                {intTestStates['github']?.loading ? (
+                  <Loader2 className="h-3.5 w-3.5 animate-spin" />
+                ) : (
+                  <RefreshCw className="h-3.5 w-3.5" />
+                )}
+                Test Connection
+              </Button>
+            </div>
+          </SettingsSection>
+
+          {/* Vultr */}
+          <SettingsSection
+            icon={Server}
+            title="Vultr"
+            description="Object Storage API for automated bucket provisioning. Overrides the VULTR_API_KEY env var."
+            badge={
+              isFieldChanged('integrations', ['vultr']) && (
+                <span className="inline-flex items-center gap-1 px-2 py-0.5 rounded-full text-xs font-medium bg-primary/10 text-primary border border-primary/20">
+                  Modified
+                </span>
+              )
+            }
+          >
+            <SettingRow
+              label="API Key"
+              description="Vultr API key from the Vultr customer portal"
+            >
+              <Input
+                type="password"
+                placeholder="API key"
+                className="w-80 font-mono text-sm"
+                value={
+                  (workingConfig?.settings.integrations as any)?.vultr
+                    ?.apiKey ?? ''
+                }
+                onChange={(e) =>
+                  handleSettingChange('integrations', {
+                    vultr: {
+                      ...(workingConfig?.settings.integrations as any)?.vultr,
+                      apiKey: e.target.value,
+                    },
+                  } as any)
+                }
+              />
+            </SettingRow>
+            <div className="pt-3 border-t border-border/30 flex items-center justify-between gap-3">
+              <div>
+                {intTestStates['vultr'] && !intTestStates['vultr'].loading && (
+                  <span
+                    className={`text-xs flex items-center gap-1.5 ${intTestStates['vultr'].ok ? 'text-green-500' : 'text-destructive'}`}
+                  >
+                    {intTestStates['vultr'].ok ? (
+                      <CheckCircle2 className="h-3.5 w-3.5" />
+                    ) : (
+                      <AlertCircle className="h-3.5 w-3.5" />
+                    )}
+                    {intTestStates['vultr'].message}
+                  </span>
+                )}
+              </div>
+              <Button
+                variant="outline"
+                size="sm"
+                className="h-8 gap-1.5 shrink-0"
+                disabled={intTestStates['vultr']?.loading}
+                onClick={() =>
+                  handleIntegrationTest('vultr', {
+                    apiKey:
+                      (workingConfig?.settings.integrations as any)?.vultr
+                        ?.apiKey ?? '',
+                  })
+                }
+              >
+                {intTestStates['vultr']?.loading ? (
+                  <Loader2 className="h-3.5 w-3.5 animate-spin" />
+                ) : (
+                  <RefreshCw className="h-3.5 w-3.5" />
+                )}
+                Test Connection
+              </Button>
+            </div>
+          </SettingsSection>
+        </TabsContent>
+      </Tabs>
+
+      {/* Floating Save Bar */}
+      {hasChanges && isSuperAdmin && (
+        <div className="fixed bottom-6 left-1/2 -translate-x-1/2 z-50 animate-in fade-in slide-in-from-bottom-4 duration-300">
+          <div className="flex items-center gap-3 px-5 py-3 bg-background/95 backdrop-blur-xl border border-border/50 rounded-2xl shadow-2xl shadow-black/20">
+            <div className="flex items-center gap-3 pr-3 border-r border-border/50">
+              <div className="flex h-8 w-8 items-center justify-center rounded-full bg-primary/10">
+                <span className="flex h-2.5 w-2.5">
+                  <span className="animate-ping absolute inline-flex h-2.5 w-2.5 rounded-full bg-primary opacity-75" />
+                  <span className="relative inline-flex rounded-full h-2.5 w-2.5 bg-primary" />
+                </span>
+              </div>
+              <div className="text-sm">
+                <span className="font-semibold">{countChangedSettings()}</span>
+                <span className="text-muted-foreground ml-1">
+                  {countChangedSettings() === 1 ? 'section' : 'sections'}{' '}
+                  modified
+                </span>
+              </div>
+            </div>
+            <div className="flex items-center gap-2">
+              <Button
+                variant="ghost"
+                onClick={discardChanges}
+                className="h-9 px-4 rounded-xl hover:bg-destructive/10 hover:text-destructive"
+                size="sm"
+              >
+                <RotateCcw className="mr-2 h-4 w-4" />
+                Discard
+              </Button>
+              <Button
+                onClick={saveChanges}
+                disabled={isSaving}
+                className="h-9 px-5 rounded-xl bg-primary hover:bg-primary/90 shadow-lg shadow-primary/25"
+                size="sm"
+              >
+                {isSaving ? (
+                  <>
+                    <Icons.spinner className="mr-2 h-4 w-4 animate-spin" />
+                    Saving...
+                  </>
+                ) : (
+                  <>
+                    <CheckCircle2 className="mr-2 h-4 w-4" />
+                    Save Changes
+                  </>
+                )}
+              </Button>
+            </div>
+          </div>
+        </div>
+      )}
+    </div>
+  )
 }
diff --git a/packages/components/layout/StatusIndicator.tsx b/packages/components/layout/StatusIndicator.tsx
index da4d99f..d93eb45 100644
--- a/packages/components/layout/StatusIndicator.tsx
+++ b/packages/components/layout/StatusIndicator.tsx
@@ -1,75 +1,17 @@
-"use client"
+'use client'
 
-import React, { useEffect, useState } from 'react'
-
-type KenerStatus = 'UP' | 'DOWN' | 'DEGRADED' | 'UNKNOWN'
-
-type StatusPayload = {
-    page: {
-        name: string
-        url: string
-        status: KenerStatus
-    }
-    activeIncidents: unknown[]
-    activeMaintenances: unknown[]
-}
+import React from 'react'
 
 export default function StatusIndicator() {
-    const [status, setStatus] = useState<StatusPayload | null>(null)
-    const [loading, setLoading] = useState(true)
-
-    useEffect(() => {
-        let mounted = true
-        async function fetchStatus() {
-            try {
-                const res = await fetch('/api/status')
-                const j = await res.json()
-                if (mounted) setStatus(j?.data ?? j)
-            } catch {
-                // ignore
-            } finally {
-                if (mounted) setLoading(false)
-            }
-        }
-        fetchStatus()
-        return () => { mounted = false }
-    }, [])
-
-    if (loading) return <div className="text-xs text-muted-foreground">Checking status…</div>
-    if (!status) return null
-
-    const s = status.page?.status
-
-    const mapColor = (v?: string) => {
-        switch (v) {
-            case 'UP':       return 'bg-emerald-500'
-            case 'DEGRADED': return 'bg-yellow-400'
-            case 'DOWN':     return 'bg-red-500'
-            default:         return 'bg-gray-400'
-        }
-    }
-
-    const mapLabel = (v?: string) => {
-        switch (v) {
-            case 'UP':       return 'All systems operational'
-            case 'DEGRADED': return 'Degraded performance'
-            case 'DOWN':     return 'Service disruption'
-            default:         return 'Status unknown'
-        }
-    }
-
-    return (
-        <div className="flex items-center gap-3">
-            <a
-                href="https://emberlystat.us"
-                target="_blank"
-                rel="noopener noreferrer"
-                className="inline-flex items-center gap-2 hover:opacity-80 transition-opacity"
-            >
-                <span className={`inline-block h-2.5 w-2.5 rounded-full ${mapColor(s)}${s === 'UP' ? '' : ' animate-pulse'}`} />
-                <span className="text-sm">{mapLabel(s)}</span>
-            </a>
-        </div>
-    )
+  return (
+    <a
+      href="https://emberlystat.us"
+      target="_blank"
+      rel="noopener noreferrer"
+      className="inline-flex items-center gap-2 text-sm text-muted-foreground hover:text-foreground transition-colors"
+    >
+      <span className="inline-block h-2.5 w-2.5 rounded-full bg-emerald-500" />
+      System Status
+    </a>
+  )
 }
-
diff --git a/packages/components/layout/footer.tsx b/packages/components/layout/footer.tsx
index b001f48..4d1e810 100644
--- a/packages/components/layout/footer.tsx
+++ b/packages/components/layout/footer.tsx
@@ -16,9 +16,6 @@ export function Footer() {
                 &copy; {new Date().getFullYear()} NodeByte LTD. All rights
                 reserved.
               </p>
-              <div className="hidden sm:block">
-                <StatusIndicator />
-              </div>
             </div>
 
             <div className="flex items-center gap-3">
diff --git a/packages/lib/auth/api-auth.ts b/packages/lib/auth/api-auth.ts
index 43357af..ee198c5 100644
--- a/packages/lib/auth/api-auth.ts
+++ b/packages/lib/auth/api-auth.ts
@@ -17,29 +17,19 @@ export type AuthenticatedUser = {
   role: string
   randomizeFileUrls: boolean
   preferredUploadDomain: string | null
+  emailVerified: boolean
 }
 
-/** A squad authenticated via its upload token or a named API key */
 export type AuthenticatedSquad = {
   squadId: string
   slug: string
   ownerUserId: string
-  /** Storage used in bytes */
   storageUsed: number
   storageQuotaMB: number | null
-  /** How the request was authenticated */
   authMethod: 'upload_token' | 'api_key'
-  /** ID of the NexiumSquadApiKey record (null for upload token auth) */
   apiKeyId: string | null
 }
 
-/**
- * Try to authenticate the request as a Nexium squad via:
- *   1. Squad upload token  (Bearer <token>)
- *   2. Squad API key       (Bearer nsk_…)
- *
- * Returns null if the bearer token doesn't match any squad credential.
- */
 export async function getSquadFromBearerToken(
   req: Request
 ): Promise<AuthenticatedSquad | null> {
@@ -48,8 +38,6 @@ export async function getSquadFromBearerToken(
 
   const token = authHeader.substring(7)
 
-  // ── 1. Squad upload token ────────────────────────────────────────────────
-  // Upload tokens are cuid/uuid strings (no prefix), API keys start with nsk_
   if (!token.startsWith('nsk_')) {
     const squad = await prisma.nexiumSquad.findUnique({
       where: { uploadToken: token },
@@ -146,6 +134,7 @@ export async function getAuthenticatedUser(
         role: cached.role,
         randomizeFileUrls: cached.randomizeFileUrls,
         preferredUploadDomain: cached.preferredUploadDomain,
+        emailVerified: cached.emailVerified,
       }
     }
 
@@ -163,6 +152,7 @@ export async function getAuthenticatedUser(
         preferredUploadDomain: true,
         sessionVersion: true,
         image: true,
+        emailVerified: true,
       },
     })
 
@@ -180,10 +170,11 @@ export async function getAuthenticatedUser(
         storageQuotaMB: user.storageQuotaMB,
         randomizeFileUrls: user.randomizeFileUrls,
         preferredUploadDomain: user.preferredUploadDomain,
+        emailVerified: !!user.emailVerified,
       })
     }
 
-    return user
+    return user ? { ...user, emailVerified: !!user.emailVerified } : null
   }
 
   const authHeader = req.headers.get('authorization')
@@ -208,6 +199,7 @@ export async function getAuthenticatedUser(
               role: true,
               randomizeFileUrls: true,
               preferredUploadDomain: true,
+              emailVerified: true,
             },
           },
         },
@@ -218,7 +210,10 @@ export async function getAuthenticatedUser(
           where: { id: keyRecord.id },
           data: { lastUsedAt: new Date() },
         })
-        return keyRecord.user
+        return {
+          ...keyRecord.user,
+          emailVerified: !!keyRecord.user.emailVerified,
+        }
       }
       // ebk_ prefix but not found — don't fall through to uploadToken lookup
       return null
@@ -239,6 +234,7 @@ export async function getAuthenticatedUser(
           role: cached.role,
           randomizeFileUrls: cached.randomizeFileUrls,
           preferredUploadDomain: cached.preferredUploadDomain,
+          emailVerified: cached.emailVerified,
         }
       }
     }
@@ -257,6 +253,7 @@ export async function getAuthenticatedUser(
         preferredUploadDomain: true,
         sessionVersion: true,
         image: true,
+        emailVerified: true,
       },
     })
 
@@ -277,10 +274,11 @@ export async function getAuthenticatedUser(
         storageQuotaMB: user.storageQuotaMB,
         randomizeFileUrls: user.randomizeFileUrls,
         preferredUploadDomain: user.preferredUploadDomain,
+        emailVerified: !!user.emailVerified,
       })
     }
 
-    return user
+    return user ? { ...user, emailVerified: !!user.emailVerified } : null
   }
 
   return null
diff --git a/packages/lib/cache/session-cache.ts b/packages/lib/cache/session-cache.ts
index 8e46a08..1c2e897 100644
--- a/packages/lib/cache/session-cache.ts
+++ b/packages/lib/cache/session-cache.ts
@@ -11,181 +11,205 @@ const SESSION_TTL_SECONDS = 5 * 60
 const USER_LOOKUP_TTL_SECONDS = 2 * 60
 
 export interface CachedUserSession {
-    id: string
-    email: string | null
-    name: string | null
-    role: string
-    image: string | null
-    sessionVersion: number
-    urlId: string
-    storageUsed: number
-    storageQuotaMB: number | null
-    randomizeFileUrls: boolean
-    preferredUploadDomain: string | null
+  id: string
+  email: string | null
+  name: string | null
+  role: string
+  image: string | null
+  sessionVersion: number
+  urlId: string
+  storageUsed: number
+  storageQuotaMB: number | null
+  randomizeFileUrls: boolean
+  preferredUploadDomain: string | null
+  emailVerified: boolean
 }
 
 /**
  * Redis-based session and user cache for auth lookups
  */
 export const sessionCache = {
-    /**
-     * Get cached user session data
-     */
-    async getUserSession(userId: string): Promise<CachedUserSession | null> {
-        if (!isRedisConnected()) return null
-
-        try {
-            const redis = await getRedisClient()
-            const data = await redis.get(redisKeys.userSession(userId))
-            if (!data) return null
-            return JSON.parse(data) as CachedUserSession
-        } catch (error) {
-            logger.error('Failed to get cached user session', error as Error, { userId })
-            return null
-        }
-    },
-
-    /**
-     * Cache user session data
-     */
-    async setUserSession(userId: string, session: CachedUserSession): Promise<boolean> {
-        if (!isRedisConnected()) return false
-
-        try {
-            const redis = await getRedisClient()
-            await redis.setEx(
-                redisKeys.userSession(userId),
-                SESSION_TTL_SECONDS,
-                JSON.stringify(session)
-            )
-            return true
-        } catch (error) {
-            logger.error('Failed to cache user session', error as Error, { userId })
-            return false
-        }
-    },
-
-    /**
-     * Invalidate user session cache
-     */
-    async invalidateUserSession(userId: string): Promise<boolean> {
-        if (!isRedisConnected()) return false
-
-        try {
-            const redis = await getRedisClient()
-            await redis.del(redisKeys.userSession(userId))
-            logger.debug('User session cache invalidated', { userId })
-            return true
-        } catch (error) {
-            logger.error('Failed to invalidate user session', error as Error, { userId })
-            return false
-        }
-    },
-
-    /**
-     * Cache user ID by email for fast lookups
-     */
-    async setUserByEmail(email: string, userId: string): Promise<boolean> {
-        if (!isRedisConnected()) return false
-
-        try {
-            const redis = await getRedisClient()
-            await redis.setEx(redisKeys.userByEmail(email), USER_LOOKUP_TTL_SECONDS, userId)
-            return true
-        } catch (error) {
-            logger.error('Failed to cache user by email', error as Error, { email })
-            return false
-        }
-    },
-
-    /**
-     * Get cached user ID by email
-     */
-    async getUserByEmail(email: string): Promise<string | null> {
-        if (!isRedisConnected()) return null
-
-        try {
-            const redis = await getRedisClient()
-            return await redis.get(redisKeys.userByEmail(email))
-        } catch (error) {
-            logger.error('Failed to get user by email from cache', error as Error, { email })
-            return null
-        }
-    },
-
-    /**
-     * Cache user data by upload token
-     */
-    async setUserByToken(token: string, userId: string): Promise<boolean> {
-        if (!isRedisConnected()) return false
-
-        try {
-            const redis = await getRedisClient()
-            await redis.setEx(redisKeys.userByToken(token), USER_LOOKUP_TTL_SECONDS, userId)
-            return true
-        } catch (error) {
-            logger.error('Failed to cache user by token', error as Error)
-            return false
-        }
-    },
-
-    /**
-     * Get cached user ID by upload token
-     */
-    async getUserByToken(token: string): Promise<string | null> {
-        if (!isRedisConnected()) return null
-
-        try {
-            const redis = await getRedisClient()
-            return await redis.get(redisKeys.userByToken(token))
-        } catch (error) {
-            logger.error('Failed to get user by token from cache', error as Error)
-            return null
-        }
-    },
-
-    /**
-     * Invalidate user by token cache
-     */
-    async invalidateUserByToken(token: string): Promise<boolean> {
-        if (!isRedisConnected()) return false
-
-        try {
-            const redis = await getRedisClient()
-            await redis.del(redisKeys.userByToken(token))
-            return true
-        } catch (error) {
-            logger.error('Failed to invalidate user by token cache', error as Error)
-            return false
-        }
-    },
-
-    /**
-     * Invalidate all caches for a user
-     */
-    async invalidateAllForUser(userId: string, email?: string, token?: string): Promise<void> {
-        await this.invalidateUserSession(userId)
-        if (email) {
-            await this.invalidateUserByEmail(email)
-        }
-        if (token) {
-            await this.invalidateUserByToken(token)
-        }
-    },
-
-    /**
-     * Invalidate user by email cache
-     */
-    async invalidateUserByEmail(email: string): Promise<boolean> {
-        if (!isRedisConnected()) return false
-
-        try {
-            const redis = await getRedisClient()
-            await redis.del(redisKeys.userByEmail(email))
-            return true
-        } catch (error) {
-            logger.error('Failed to invalidate user by email cache', error as Error, { email })
-            return false
-        }
-    },
+  /**
+   * Get cached user session data
+   */
+  async getUserSession(userId: string): Promise<CachedUserSession | null> {
+    if (!isRedisConnected()) return null
+
+    try {
+      const redis = await getRedisClient()
+      const data = await redis.get(redisKeys.userSession(userId))
+      if (!data) return null
+      return JSON.parse(data) as CachedUserSession
+    } catch (error) {
+      logger.error('Failed to get cached user session', error as Error, {
+        userId,
+      })
+      return null
+    }
+  },
+
+  /**
+   * Cache user session data
+   */
+  async setUserSession(
+    userId: string,
+    session: CachedUserSession
+  ): Promise<boolean> {
+    if (!isRedisConnected()) return false
+
+    try {
+      const redis = await getRedisClient()
+      await redis.setEx(
+        redisKeys.userSession(userId),
+        SESSION_TTL_SECONDS,
+        JSON.stringify(session)
+      )
+      return true
+    } catch (error) {
+      logger.error('Failed to cache user session', error as Error, { userId })
+      return false
+    }
+  },
+
+  /**
+   * Invalidate user session cache
+   */
+  async invalidateUserSession(userId: string): Promise<boolean> {
+    if (!isRedisConnected()) return false
+
+    try {
+      const redis = await getRedisClient()
+      await redis.del(redisKeys.userSession(userId))
+      logger.debug('User session cache invalidated', { userId })
+      return true
+    } catch (error) {
+      logger.error('Failed to invalidate user session', error as Error, {
+        userId,
+      })
+      return false
+    }
+  },
+
+  /**
+   * Cache user ID by email for fast lookups
+   */
+  async setUserByEmail(email: string, userId: string): Promise<boolean> {
+    if (!isRedisConnected()) return false
+
+    try {
+      const redis = await getRedisClient()
+      await redis.setEx(
+        redisKeys.userByEmail(email),
+        USER_LOOKUP_TTL_SECONDS,
+        userId
+      )
+      return true
+    } catch (error) {
+      logger.error('Failed to cache user by email', error as Error, { email })
+      return false
+    }
+  },
+
+  /**
+   * Get cached user ID by email
+   */
+  async getUserByEmail(email: string): Promise<string | null> {
+    if (!isRedisConnected()) return null
+
+    try {
+      const redis = await getRedisClient()
+      return await redis.get(redisKeys.userByEmail(email))
+    } catch (error) {
+      logger.error('Failed to get user by email from cache', error as Error, {
+        email,
+      })
+      return null
+    }
+  },
+
+  /**
+   * Cache user data by upload token
+   */
+  async setUserByToken(token: string, userId: string): Promise<boolean> {
+    if (!isRedisConnected()) return false
+
+    try {
+      const redis = await getRedisClient()
+      await redis.setEx(
+        redisKeys.userByToken(token),
+        USER_LOOKUP_TTL_SECONDS,
+        userId
+      )
+      return true
+    } catch (error) {
+      logger.error('Failed to cache user by token', error as Error)
+      return false
+    }
+  },
+
+  /**
+   * Get cached user ID by upload token
+   */
+  async getUserByToken(token: string): Promise<string | null> {
+    if (!isRedisConnected()) return null
+
+    try {
+      const redis = await getRedisClient()
+      return await redis.get(redisKeys.userByToken(token))
+    } catch (error) {
+      logger.error('Failed to get user by token from cache', error as Error)
+      return null
+    }
+  },
+
+  /**
+   * Invalidate user by token cache
+   */
+  async invalidateUserByToken(token: string): Promise<boolean> {
+    if (!isRedisConnected()) return false
+
+    try {
+      const redis = await getRedisClient()
+      await redis.del(redisKeys.userByToken(token))
+      return true
+    } catch (error) {
+      logger.error('Failed to invalidate user by token cache', error as Error)
+      return false
+    }
+  },
+
+  /**
+   * Invalidate all caches for a user
+   */
+  async invalidateAllForUser(
+    userId: string,
+    email?: string,
+    token?: string
+  ): Promise<void> {
+    await this.invalidateUserSession(userId)
+    if (email) {
+      await this.invalidateUserByEmail(email)
+    }
+    if (token) {
+      await this.invalidateUserByToken(token)
+    }
+  },
+
+  /**
+   * Invalidate user by email cache
+   */
+  async invalidateUserByEmail(email: string): Promise<boolean> {
+    if (!isRedisConnected()) return false
+
+    try {
+      const redis = await getRedisClient()
+      await redis.del(redisKeys.userByEmail(email))
+      return true
+    } catch (error) {
+      logger.error('Failed to invalidate user by email cache', error as Error, {
+        email,
+      })
+      return false
+    }
+  },
 }
diff --git a/packages/lib/config/index.ts b/packages/lib/config/index.ts
index 0e51086..d393eb8 100644
--- a/packages/lib/config/index.ts
+++ b/packages/lib/config/index.ts
@@ -7,127 +7,240 @@ import { loggers } from '@/packages/lib/logger'
 
 const logger = loggers.config
 
-export const configSchema = z.object({
-  version: z.string().optional().default('1.0.0'),
-  settings: z.object({
-    general: z.object({
-      setup: z.object({
-        completed: z.boolean().optional().default(false),
-        // Store as ISO string for JSON compatibility, not Date object
-        completedAt: z.any().nullable().optional().default(null).transform((val) => {
-          if (!val) return null
-          // If it's already a valid ISO string, keep it
-          if (typeof val === 'string') {
-            const d = new Date(val)
-            return isNaN(d.getTime()) ? null : val
-          }
-          // If it's a Date object, convert to ISO string
-          if (val instanceof Date) {
-            return isNaN(val.getTime()) ? null : val.toISOString()
-          }
-          // Handle JSON-parsed objects with a valid date property
-          if (typeof val === 'object' && val !== null) {
-            try {
-              const d = new Date(val)
-              return isNaN(d.getTime()) ? null : d.toISOString()
-            } catch {
-              return null
-            }
-          }
-          return null
-        }),
-      }).passthrough().optional().default({ completed: false, completedAt: null }),
-      registrations: z.object({
-        enabled: z.boolean().optional().default(true),
-        disabledMessage: z.string().optional().default(''),
-      }).passthrough().optional().default({ enabled: true, disabledMessage: '' }),
-      storage: z.object({
-        provider: z.enum(['local', 's3']).optional().default('local'),
-        s3: z.object({
-          bucket: z.string().optional().default(''),
-          region: z.string().optional().default(''),
-          accessKeyId: z.string().optional().default(''),
-          secretAccessKey: z.string().optional().default(''),
-          endpoint: z.string().optional(),
-          forcePathStyle: z.boolean().optional().default(false),
-        }).passthrough().optional().default({}),
-        quotas: z.object({
-          enabled: z.boolean().optional().default(false),
-          default: z.object({
-            value: z.number().optional().default(10),
-            unit: z.string().optional().default('GB'),
-          }).passthrough().optional().default({ value: 10, unit: 'GB' }),
-        }).passthrough().optional().default({ enabled: false, default: { value: 10, unit: 'GB' } }),
-        maxUploadSize: z.object({
-          value: z.number().optional().default(100),
-          unit: z.string().optional().default('MB'),
-        }).passthrough().optional().default({ value: 100, unit: 'MB' }),
-      }).passthrough().optional().default({}),
-      credits: z.object({
-        showFooter: z.boolean().optional().default(true),
-      }).passthrough().optional().default({ showFooter: true }),
-      ocr: z.object({
-        enabled: z.boolean().optional().default(true),
-      }).passthrough().optional().default({ enabled: true }),
-    }).passthrough().optional().default({}),
-    appearance: z.object({
-      theme: z.string().optional().default('default-dark'),
-      themeType: z.enum(['static', 'animated', 'gaming']).optional().default('static'),
-      backgroundEffect: z.enum(['none', 'particles', 'gradient-shift', 'waves', 'glitch', 'grid', 'parallax', 'aurora', 'stars', 'matrix']).optional().default('none'),
-      animationSpeed: z.enum(['slow', 'medium', 'fast']).optional().default('medium'),
-      enableAnimations: z.boolean().optional().default(false),
-      enableBackgroundEffect: z.boolean().optional().default(false),
-      favicon: z.string().nullable().optional().default(null),
-      customColors: z.record(z.string()).optional().default({}),
-      systemThemes: z.record(z.any()).optional().default({}),
-    }).passthrough().optional().default({}),
-    advanced: z.object({
-      customCSS: z.string().optional().default(''),
-      customHead: z.string().optional().default(''),
-    }).passthrough().optional().default({ customCSS: '', customHead: '' }),
-    integrations: z.object({
-      cloudflare: z.object({
-        apiToken: z.string().optional().default(''),
-        accountId: z.string().optional().default(''),
-        zoneId: z.string().optional().default(''),
-      }).passthrough().optional().default({}),
-      discord: z.object({
-        webhookUrl: z.string().optional().default(''),
-        botToken: z.string().optional().default(''),
-        serverId: z.string().optional().default(''),
-        supporterRole: z.string().optional().default(''),
-      }).passthrough().optional().default({}),
-      github: z.object({
-        org: z.string().optional().default('EmberlyOSS'),
-        pat: z.string().optional().default(''),
-      }).passthrough().optional().default({}),
-      kener: z.object({
-        apiKey: z.string().optional().default(''),
-        baseUrl: z.string().optional().default('https://emberlystat.us'),
-      }).passthrough().optional().default({}),
-      stripe: z.object({
-        secretKey: z.string().optional().default(''),
-        webhookSecret: z.string().optional().default(''),
-      }).passthrough().optional().default({}),
-      vultr: z.object({
-        apiKey: z.string().optional().default(''),
-      }).passthrough().optional().default({}),
-      resend: z.object({
-        apiKey: z.string().optional().default(''),
-        emailFrom: z.string().optional().default(''),
-      }).passthrough().optional().default({}),
-      emailProvider: z.enum(['resend', 'smtp']).optional().default('resend'),
-      smtp: z.object({
-        host: z.string().optional().default(''),
-        port: z.number().optional().default(587),
-        secure: z.boolean().optional().default(false),
-        user: z.string().optional().default(''),
-        password: z.string().optional().default(''),
-        from: z.string().optional().default(''),
-      }).passthrough().optional().default({}),
-    }).passthrough().optional().default({}),
-  }).passthrough().optional().default({}),
-}).passthrough()
+export const configSchema = z
+  .object({
+    version: z.string().optional().default('1.0.0'),
+    settings: z
+      .object({
+        general: z
+          .object({
+            setup: z
+              .object({
+                completed: z.boolean().optional().default(false),
+                // Store as ISO string for JSON compatibility, not Date object
+                completedAt: z
+                  .any()
+                  .nullable()
+                  .optional()
+                  .default(null)
+                  .transform((val) => {
+                    if (!val) return null
+                    // If it's already a valid ISO string, keep it
+                    if (typeof val === 'string') {
+                      const d = new Date(val)
+                      return isNaN(d.getTime()) ? null : val
+                    }
+                    // If it's a Date object, convert to ISO string
+                    if (val instanceof Date) {
+                      return isNaN(val.getTime()) ? null : val.toISOString()
+                    }
+                    // Handle JSON-parsed objects with a valid date property
+                    if (typeof val === 'object' && val !== null) {
+                      try {
+                        const d = new Date(val)
+                        return isNaN(d.getTime()) ? null : d.toISOString()
+                      } catch {
+                        return null
+                      }
+                    }
+                    return null
+                  }),
+              })
+              .passthrough()
+              .optional()
+              .default({ completed: false, completedAt: null }),
+            registrations: z
+              .object({
+                enabled: z.boolean().optional().default(true),
+                disabledMessage: z.string().optional().default(''),
+              })
+              .passthrough()
+              .optional()
+              .default({ enabled: true, disabledMessage: '' }),
+            storage: z
+              .object({
+                provider: z.enum(['local', 's3']).optional().default('local'),
+                s3: z
+                  .object({
+                    bucket: z.string().optional().default(''),
+                    region: z.string().optional().default(''),
+                    accessKeyId: z.string().optional().default(''),
+                    secretAccessKey: z.string().optional().default(''),
+                    endpoint: z.string().optional(),
+                    forcePathStyle: z.boolean().optional().default(false),
+                  })
+                  .passthrough()
+                  .optional()
+                  .default({}),
+                quotas: z
+                  .object({
+                    enabled: z.boolean().optional().default(false),
+                    default: z
+                      .object({
+                        value: z.number().optional().default(10),
+                        unit: z.string().optional().default('GB'),
+                      })
+                      .passthrough()
+                      .optional()
+                      .default({ value: 10, unit: 'GB' }),
+                  })
+                  .passthrough()
+                  .optional()
+                  .default({
+                    enabled: false,
+                    default: { value: 10, unit: 'GB' },
+                  }),
+                maxUploadSize: z
+                  .object({
+                    value: z.number().optional().default(100),
+                    unit: z.string().optional().default('MB'),
+                  })
+                  .passthrough()
+                  .optional()
+                  .default({ value: 100, unit: 'MB' }),
+              })
+              .passthrough()
+              .optional()
+              .default({}),
+            credits: z
+              .object({
+                showFooter: z.boolean().optional().default(true),
+              })
+              .passthrough()
+              .optional()
+              .default({ showFooter: true }),
+            ocr: z
+              .object({
+                enabled: z.boolean().optional().default(true),
+              })
+              .passthrough()
+              .optional()
+              .default({ enabled: true }),
+          })
+          .passthrough()
+          .optional()
+          .default({}),
+        appearance: z
+          .object({
+            theme: z.string().optional().default('default-dark'),
+            themeType: z
+              .enum(['static', 'animated', 'gaming'])
+              .optional()
+              .default('static'),
+            backgroundEffect: z
+              .enum([
+                'none',
+                'particles',
+                'gradient-shift',
+                'waves',
+                'glitch',
+                'grid',
+                'parallax',
+                'aurora',
+                'stars',
+                'matrix',
+              ])
+              .optional()
+              .default('none'),
+            animationSpeed: z
+              .enum(['slow', 'medium', 'fast'])
+              .optional()
+              .default('medium'),
+            enableAnimations: z.boolean().optional().default(false),
+            enableBackgroundEffect: z.boolean().optional().default(false),
+            favicon: z.string().nullable().optional().default(null),
+            customColors: z.record(z.string()).optional().default({}),
+            systemThemes: z.record(z.any()).optional().default({}),
+          })
+          .passthrough()
+          .optional()
+          .default({}),
+        advanced: z
+          .object({
+            customCSS: z.string().optional().default(''),
+            customHead: z.string().optional().default(''),
+          })
+          .passthrough()
+          .optional()
+          .default({ customCSS: '', customHead: '' }),
+        integrations: z
+          .object({
+            cloudflare: z
+              .object({
+                apiToken: z.string().optional().default(''),
+                accountId: z.string().optional().default(''),
+                zoneId: z.string().optional().default(''),
+              })
+              .passthrough()
+              .optional()
+              .default({}),
+            discord: z
+              .object({
+                webhookUrl: z.string().optional().default(''),
+                botToken: z.string().optional().default(''),
+                serverId: z.string().optional().default(''),
+                supporterRole: z.string().optional().default(''),
+              })
+              .passthrough()
+              .optional()
+              .default({}),
+            github: z
+              .object({
+                org: z.string().optional().default('EmberlyOSS'),
+                pat: z.string().optional().default(''),
+              })
+              .passthrough()
+              .optional()
+              .default({}),
+            stripe: z
+              .object({
+                secretKey: z.string().optional().default(''),
+                webhookSecret: z.string().optional().default(''),
+              })
+              .passthrough()
+              .optional()
+              .default({}),
+            vultr: z
+              .object({
+                apiKey: z.string().optional().default(''),
+              })
+              .passthrough()
+              .optional()
+              .default({}),
+            resend: z
+              .object({
+                apiKey: z.string().optional().default(''),
+                emailFrom: z.string().optional().default(''),
+              })
+              .passthrough()
+              .optional()
+              .default({}),
+            emailProvider: z
+              .enum(['resend', 'smtp'])
+              .optional()
+              .default('resend'),
+            smtp: z
+              .object({
+                host: z.string().optional().default(''),
+                port: z.number().optional().default(587),
+                secure: z.boolean().optional().default(false),
+                user: z.string().optional().default(''),
+                password: z.string().optional().default(''),
+                from: z.string().optional().default(''),
+              })
+              .passthrough()
+              .optional()
+              .default({}),
+          })
+          .passthrough()
+          .optional()
+          .default({}),
+      })
+      .passthrough()
+      .optional()
+      .default({}),
+  })
+  .passthrough()
 
 export type EmberlyConfig = z.infer<typeof configSchema>
 
@@ -223,10 +336,6 @@ export const DEFAULT_CONFIG: EmberlyConfig = {
         org: 'EmberlyOSS',
         pat: '',
       },
-      kener: {
-        apiKey: '',
-        baseUrl: 'https://emberlystat.us',
-      },
       stripe: {
         secretKey: '',
         webhookSecret: '',
@@ -265,7 +374,7 @@ export async function initConfig(): Promise<EmberlyConfig> {
 
     // Use safeParse and merge - never fail
     const parsed = configSchema.safeParse(configRow.value)
-    return parsed.success 
+    return parsed.success
       ? deepMerge(DEFAULT_CONFIG, parsed.data)
       : deepMerge(DEFAULT_CONFIG, configRow.value as any)
   } catch (error) {
@@ -279,12 +388,22 @@ export async function initConfig(): Promise<EmberlyConfig> {
 /**
  * Deep merge two objects, with source taking priority
  */
-function deepMerge<T extends Record<string, any>>(target: T, source: Partial<T>): T {
+function deepMerge<T extends Record<string, any>>(
+  target: T,
+  source: Partial<T>
+): T {
   const result = { ...target }
   for (const key in source) {
     if (source[key] !== undefined) {
-      if (typeof source[key] === 'object' && source[key] !== null && !Array.isArray(source[key])) {
-        result[key] = deepMerge(target[key] ?? {} as T[Extract<keyof T, string>], source[key] as T[Extract<keyof T, string>])
+      if (
+        typeof source[key] === 'object' &&
+        source[key] !== null &&
+        !Array.isArray(source[key])
+      ) {
+        result[key] = deepMerge(
+          target[key] ?? ({} as T[Extract<keyof T, string>]),
+          source[key] as T[Extract<keyof T, string>]
+        )
       } else {
         result[key] = source[key] as T[Extract<keyof T, string>]
       }
@@ -312,7 +431,7 @@ export async function getConfig(): Promise<EmberlyConfig> {
 
     // Use safeParse and merge with defaults - never fail
     const parsed = configSchema.safeParse(configRow.value)
-    const config = parsed.success 
+    const config = parsed.success
       ? deepMerge(DEFAULT_CONFIG, parsed.data)
       : deepMerge(DEFAULT_CONFIG, configRow.value as any)
 
@@ -407,10 +526,6 @@ export async function updateConfig(
             ...currentConfig.settings.integrations?.github,
             ...(newConfig.settings?.integrations?.github || {}),
           },
-          kener: {
-            ...currentConfig.settings.integrations?.kener,
-            ...(newConfig.settings?.integrations?.kener || {}),
-          },
           stripe: {
             ...currentConfig.settings.integrations?.stripe,
             ...(newConfig.settings?.integrations?.stripe || {}),
@@ -458,9 +573,12 @@ export async function updateConfig(
     }
     // Check if it's a Zod validation error
     if (error && typeof error === 'object' && 'issues' in error) {
-      console.error('[CONFIG ERROR] Zod issues:', JSON.stringify((error as any).issues, null, 2))
+      console.error(
+        '[CONFIG ERROR] Zod issues:',
+        JSON.stringify((error as any).issues, null, 2)
+      )
     }
-    logger.error('Could not save config to database', { 
+    logger.error('Could not save config to database', {
       error: error instanceof Error ? error.message : String(error),
     })
     return newConfig as EmberlyConfig
@@ -496,4 +614,4 @@ export async function updateConfigSection<
 export async function getIntegrations() {
   const config = await getConfig()
   return config.settings.integrations ?? DEFAULT_CONFIG.settings.integrations!
-}
\ No newline at end of file
+}
diff --git a/packages/lib/events/handlers/file-expiry.ts b/packages/lib/events/handlers/file-expiry.ts
index fc35c97..dea794c 100644
--- a/packages/lib/events/handlers/file-expiry.ts
+++ b/packages/lib/events/handlers/file-expiry.ts
@@ -154,3 +154,26 @@ export async function getFileExpirationInfo(
 
   return fileEvent?.scheduledAt || null
 }
+
+export async function getFileExpirationInfoBatch(
+  fileIds: string[]
+): Promise<Map<string, Date>> {
+  if (fileIds.length === 0) return new Map()
+
+  const idSet = new Set(fileIds)
+  const scheduledEvents = await events.getEvents({
+    type: 'file.schedule-expiration',
+    status: EventStatus.SCHEDULED,
+  })
+
+  const result = new Map<string, Date>()
+  for (const event of scheduledEvents) {
+    const fileId = (event.payload as Record<string, unknown>)?.fileId as
+      | string
+      | undefined
+    if (fileId && idSet.has(fileId) && event.scheduledAt) {
+      result.set(fileId, event.scheduledAt)
+    }
+  }
+  return result
+}
diff --git a/packages/lib/files/filename.ts b/packages/lib/files/filename.ts
index d573a15..8b51376 100644
--- a/packages/lib/files/filename.ts
+++ b/packages/lib/files/filename.ts
@@ -28,9 +28,6 @@ function validateAndNormalizePath(basePath: string, filename: string): string {
   }
 
   const fullPath = join(cleanBase, cleanFilename)
-  // On Windows `path.join` returns backslashes while `cleanBase` uses
-  // forward slashes. Normalize both sides to forward-slash form before
-  // comparing to avoid false positives for path traversal detection.
   const fullPathNormalized = fullPath.replace(/\\/g, '/').replace(/\/+/g, '/')
   const cleanBaseNormalized = cleanBase.replace(/\\/g, '/').replace(/\/+/g, '/')
 
@@ -98,10 +95,12 @@ export async function getUniqueFilename(
     ? originalName.slice(0, originalName.lastIndexOf('.'))
     : originalName
 
-  let urlSafeName = baseNameWithoutExt
-    .toLowerCase()
-    .replace(/[^a-z0-9]+/g, '-')
-    .replace(/^-+|-+$/g, '')
+  let urlSafeName = baseNameWithoutExt.toLowerCase().replace(/[^a-z0-9]+/g, '-')
+  let s = 0,
+    e = urlSafeName.length
+  while (s < e && urlSafeName[s] === '-') s++
+  while (e > s && urlSafeName[e - 1] === '-') e--
+  urlSafeName = urlSafeName.slice(s, e)
 
   if (extension) {
     urlSafeName += '.' + extension.toLowerCase()
diff --git a/packages/lib/files/security-validation.ts b/packages/lib/files/security-validation.ts
index 5236861..d36236a 100644
--- a/packages/lib/files/security-validation.ts
+++ b/packages/lib/files/security-validation.ts
@@ -9,21 +9,84 @@ import { extname } from 'path'
 import { createHash } from 'crypto'
 
 const DANGEROUS_EXTENSIONS = new Set([
-  '.exe', '.bat', '.cmd', '.com', '.scr', '.vbs', '.js', '.jse', '.vbe',
-  '.ps1', '.ps2', '.psc1', '.psc2', '.msh', '.msh1', '.msh2', '.mshxml',
-  '.msh1xml', '.msh2xml', '.elf', '.bin', '.sh', '.bash', '.csh', '.ksh',
-  '.zsh', '.pl', '.py', '.rb', '.php', '.asp', '.aspx', '.jsp', '.jspx',
-  '.cfm', '.cfc', '.docm', '.xlsm', '.pptm', '.potm', '.ppam', '.ppsm',
-  '.sldm', '.dll', '.so', '.dylib', '.o', '.a', '.lib', '.msi', '.msp',
-  '.cab', '.jar', '.class', '.lnk', '.url', '.scf', '.inf', '.reg', '.hta', '.chm',
+  '.exe',
+  '.bat',
+  '.cmd',
+  '.com',
+  '.scr',
+  '.vbs',
+  '.js',
+  '.jse',
+  '.vbe',
+  '.ps1',
+  '.ps2',
+  '.psc1',
+  '.psc2',
+  '.msh',
+  '.msh1',
+  '.msh2',
+  '.mshxml',
+  '.msh1xml',
+  '.msh2xml',
+  '.elf',
+  '.bin',
+  '.sh',
+  '.bash',
+  '.csh',
+  '.ksh',
+  '.zsh',
+  '.pl',
+  '.py',
+  '.rb',
+  '.php',
+  '.asp',
+  '.aspx',
+  '.jsp',
+  '.jspx',
+  '.cfm',
+  '.cfc',
+  '.docm',
+  '.xlsm',
+  '.pptm',
+  '.potm',
+  '.ppam',
+  '.ppsm',
+  '.sldm',
+  '.dll',
+  '.so',
+  '.dylib',
+  '.o',
+  '.a',
+  '.lib',
+  '.msi',
+  '.msp',
+  '.cab',
+  '.jar',
+  '.class',
+  '.lnk',
+  '.url',
+  '.scf',
+  '.inf',
+  '.reg',
+  '.hta',
+  '.chm',
 ])
 
 const DANGEROUS_MIME_TYPES = new Set([
-  'application/x-msdownload', 'application/x-msdos-program', 'application/x-executable',
-  'application/x-elf-executable', 'application/x-sharedlib', 'application/x-object',
-  'application/x-shellscript', 'application/x-bash', 'application/x-perl',
-  'application/x-python', 'application/x-ruby', 'application/x-php',
-  'application/x-asp', 'application/x-jsp',
+  'application/x-msdownload',
+  'application/x-msdos-program',
+  'application/x-executable',
+  'application/x-elf-executable',
+  'application/x-sharedlib',
+  'application/x-object',
+  'application/x-shellscript',
+  'application/x-bash',
+  'application/x-perl',
+  'application/x-python',
+  'application/x-ruby',
+  'application/x-php',
+  'application/x-asp',
+  'application/x-jsp',
   'application/vnd.ms-excel.addin.macroEnabled.12',
   'application/vnd.ms-word.document.macroEnabled.12',
   'application/vnd.ms-powerpoint.presentation.macroEnabled.12',
@@ -49,7 +112,10 @@ export interface VirusTotalScanResult {
 /**
  * Check for dangerous extensions and MIME types
  */
-function checkBasicSecurity(filename: string, mimeType: string): FileSecurityCheckResult {
+function checkBasicSecurity(
+  filename: string,
+  mimeType: string
+): FileSecurityCheckResult {
   const ext = extname(filename).toLowerCase()
   if (DANGEROUS_EXTENSIONS.has(ext)) {
     return {
@@ -71,7 +137,10 @@ function checkBasicSecurity(filename: string, mimeType: string): FileSecurityChe
 /**
  * Detect zip bombs by analyzing compression ratio
  */
-function checkZipBomb(buffer: Buffer, filename: string): FileSecurityCheckResult {
+function checkZipBomb(
+  buffer: Buffer,
+  filename: string
+): FileSecurityCheckResult {
   if (!filename.toLowerCase().endsWith('.zip') || buffer.length < 4) {
     return { valid: true }
   }
@@ -96,10 +165,17 @@ function checkZipBomb(buffer: Buffer, filename: string): FileSecurityCheckResult
             uncompressedTotal += uncompressedSize
 
             if (fileCount > 10000) {
-              return { valid: false, error: 'Archive contains too many files (>10k). Potential zip bomb.' }
+              return {
+                valid: false,
+                error:
+                  'Archive contains too many files (>10k). Potential zip bomb.',
+              }
             }
             if (uncompressedTotal > 50 * 1024 * 1024 * 1024) {
-              return { valid: false, error: 'Archive expands to >50GB. Potential zip bomb detected.' }
+              return {
+                valid: false,
+                error: 'Archive expands to >50GB. Potential zip bomb detected.',
+              }
             }
 
             const filenameLen = buffer.readUInt16LE(cdPos + 26)
@@ -118,7 +194,10 @@ function checkZipBomb(buffer: Buffer, filename: string): FileSecurityCheckResult
     if (buffer.length > 0 && uncompressedTotal > 0) {
       const ratio = uncompressedTotal / buffer.length
       if (ratio > 100) {
-        return { valid: false, error: `Suspicious compression ratio (${ratio.toFixed(1)}:1). Potential zip bomb.` }
+        return {
+          valid: false,
+          error: `Suspicious compression ratio (${ratio.toFixed(1)}:1). Potential zip bomb.`,
+        }
       }
     }
 
@@ -131,32 +210,51 @@ function checkZipBomb(buffer: Buffer, filename: string): FileSecurityCheckResult
 /**
  * Check VirusTotal for known malware (hash-based, no upload)
  */
-async function checkVirusTotal(buffer: Buffer, mimeType: string): Promise<VirusTotalScanResult> {
+async function checkVirusTotal(
+  buffer: Buffer,
+  mimeType: string
+): Promise<VirusTotalScanResult> {
   const apiKey = process.env.VIRUSTOTAL_API_KEY
   if (!apiKey) {
     return { scanPerformed: false, detected: false }
   }
 
   // Skip scanning images, videos, audio
-  if (mimeType.startsWith('image/') || mimeType.startsWith('video/') || mimeType.startsWith('audio/')) {
+  if (
+    mimeType.startsWith('image/') ||
+    mimeType.startsWith('video/') ||
+    mimeType.startsWith('audio/')
+  ) {
     return { scanPerformed: false, detected: false }
   }
 
   try {
     const hash = createHash('sha256').update(buffer).digest('hex')
-    const response = await fetch(`https://www.virustotal.com/api/v3/files/${hash}`, {
-      method: 'GET',
-      headers: { 'x-apikey': apiKey },
-    })
+    const response = await fetch(
+      `https://www.virustotal.com/api/v3/files/${hash}`,
+      {
+        method: 'GET',
+        headers: { 'x-apikey': apiKey },
+      }
+    )
 
     if (response.status === 404) {
       return { scanPerformed: true, detected: false }
     }
     if (response.status === 429) {
-      return { scanPerformed: false, detected: false, rateLimited: true, error: 'VirusTotal rate limit reached.' }
+      return {
+        scanPerformed: false,
+        detected: false,
+        rateLimited: true,
+        error: 'VirusTotal rate limit reached.',
+      }
     }
     if (!response.ok) {
-      return { scanPerformed: false, detected: false, error: `VirusTotal API error: ${response.statusText}` }
+      return {
+        scanPerformed: false,
+        detected: false,
+        error: `VirusTotal API error: ${response.statusText}`,
+      }
     }
 
     const data = (await response.json()) as any
@@ -166,7 +264,10 @@ async function checkVirusTotal(buffer: Buffer, mimeType: string): Promise<VirusT
     }
 
     const maliciousCount = stats.malicious || 0
-    const totalCount = Object.values(stats).reduce((a: number, b: any) => a + (typeof b === 'number' ? b : 0), 0)
+    const totalCount = Object.values(stats).reduce(
+      (a: number, b: any) => a + (typeof b === 'number' ? b : 0),
+      0
+    )
 
     return {
       scanPerformed: true,
@@ -177,32 +278,58 @@ async function checkVirusTotal(buffer: Buffer, mimeType: string): Promise<VirusT
     }
   } catch (error) {
     console.error('VirusTotal check failed:', error)
-    return { scanPerformed: false, detected: false, error: 'Failed to check VirusTotal' }
+    return {
+      scanPerformed: false,
+      detected: false,
+      error: 'Failed to check VirusTotal',
+    }
   }
 }
 
 /**
- * Main validation function: local checks + optional VirusTotal scanning
+ * Fast local-only checks (extension, MIME, zip bomb). No network calls.
+ * Run this synchronously before uploading.
  */
-export async function validateFileSecurityChecksWithVT(
+export function validateFileSecurityChecks(
   buffer: Buffer,
   filename: string,
   mimeType: string
-): Promise<FileSecurityCheckResult> {
-  // Local checks first
+): FileSecurityCheckResult {
   const basicCheck = checkBasicSecurity(filename, mimeType)
-  if (!basicCheck.valid) {
-    return basicCheck
-  }
-
+  if (!basicCheck.valid) return basicCheck
   const zipCheck = checkZipBomb(buffer, filename)
-  if (!zipCheck.valid) {
-    return zipCheck
-  }
+  if (!zipCheck.valid) return zipCheck
+  return { valid: true }
+}
 
-  // VirusTotal check
+/**
+ * VirusTotal hash lookup — network call, runs in the background after upload.
+ * On detection, calls onDetected(result) so the caller can quarantine the file.
+ */
+export async function scanWithVirusTotal(
+  buffer: Buffer,
+  mimeType: string,
+  onDetected: (result: VirusTotalScanResult) => Promise<void>
+): Promise<void> {
   const vtResult = await checkVirusTotal(buffer, mimeType)
+  if (vtResult.detected) {
+    await onDetected(vtResult)
+  }
+}
 
+/**
+ * @deprecated Use validateFileSecurityChecks + scanWithVirusTotal instead.
+ * Kept for compatibility with chunked upload routes.
+ */
+export async function validateFileSecurityChecksWithVT(
+  buffer: Buffer,
+  filename: string,
+  mimeType: string
+): Promise<FileSecurityCheckResult> {
+  const localResult = validateFileSecurityChecks(buffer, filename, mimeType)
+  if (!localResult.valid) return localResult
+
+  const vtResult = await checkVirusTotal(buffer, mimeType)
   if (vtResult.detected) {
     return {
       valid: false,
@@ -210,7 +337,6 @@ export async function validateFileSecurityChecksWithVT(
       virusTotal: vtResult,
     }
   }
-
   return {
     valid: true,
     virusTotal: vtResult.scanPerformed ? vtResult : undefined,
diff --git a/packages/lib/files/upload-validation.ts b/packages/lib/files/upload-validation.ts
index f7c397b..772e7dc 100644
--- a/packages/lib/files/upload-validation.ts
+++ b/packages/lib/files/upload-validation.ts
@@ -11,9 +11,9 @@ import { prisma } from '@/packages/lib/database/prisma'
 import { hasPermission, Permission } from '@/packages/lib/permissions'
 
 export interface UploadValidationResult {
-    valid: boolean
-    error?: string
-    errorCode?: 'EMAIL_NOT_VERIFIED' | 'DOMAIN_NOT_VERIFIED' | 'DOMAIN_NOT_FOUND'
+  valid: boolean
+  error?: string
+  errorCode?: 'EMAIL_NOT_VERIFIED' | 'DOMAIN_NOT_VERIFIED' | 'DOMAIN_NOT_FOUND'
 }
 
 /**
@@ -21,30 +21,43 @@ export interface UploadValidationResult {
  * Email verification is ALWAYS required before uploading.
  * Returns validation result with appropriate error if not verified.
  */
-export async function validateEmailVerified(userId: string): Promise<UploadValidationResult> {
-    const user = await prisma.user.findUnique({
+export async function validateEmailVerified(
+  userId: string,
+  preloaded?: { emailVerified: boolean; role: string }
+): Promise<UploadValidationResult> {
+  const userData =
+    preloaded ??
+    (await (async () => {
+      const user = await prisma.user.findUnique({
         where: { id: userId },
         select: { emailVerified: true, role: true },
-    })
-
-    if (!user) {
-        return { valid: false, error: 'User not found', errorCode: 'EMAIL_NOT_VERIFIED' }
+      })
+      if (!user) return null
+      return { emailVerified: !!user.emailVerified, role: user.role }
+    })())
+
+  if (!userData) {
+    return {
+      valid: false,
+      error: 'User not found',
+      errorCode: 'EMAIL_NOT_VERIFIED',
     }
+  }
 
-    // Admins and higher roles bypass email verification requirement
-    if (hasPermission(user.role as any, Permission.MODERATE_CONTENT)) {
-        return { valid: true }
-    }
+  // Admins and higher roles bypass email verification requirement
+  if (hasPermission(userData.role as any, Permission.MODERATE_CONTENT)) {
+    return { valid: true }
+  }
 
-    if (!user.emailVerified) {
-        return {
-            valid: false,
-            error: 'Please verify your email address before uploading files',
-            errorCode: 'EMAIL_NOT_VERIFIED',
-        }
+  if (!userData.emailVerified) {
+    return {
+      valid: false,
+      error: 'Please verify your email address before uploading files',
+      errorCode: 'EMAIL_NOT_VERIFIED',
     }
+  }
 
-    return { valid: true }
+  return { valid: true }
 }
 
 /**
@@ -53,66 +66,77 @@ export async function validateEmailVerified(userId: string): Promise<UploadValid
  * Returns validation result with appropriate error if domain is not verified.
  */
 export async function validateCustomDomain(
-    userId: string,
-    requestedDomain: string | null
+  userId: string,
+  requestedDomain: string | null
 ): Promise<UploadValidationResult> {
-    // No custom domain specified, no validation needed
-    if (!requestedDomain) {
-        return { valid: true }
-    }
-
-    // Clean domain (remove protocol/trailing slash)
-    const cleanDomain = requestedDomain
-        .replace(/^https?:\/\//, '')
-        .replace(/\/+$/, '')
-        .toLowerCase()
-
-    // Check if domain is the main app domain - no validation needed
-    const appDomain = (process.env.APP_BASE_URL || process.env.NEXTAUTH_URL || '')
-        .replace(/^https?:\/\//, '')
-        .replace(/\/+$/, '')
-        .toLowerCase()
-
-    if (cleanDomain === appDomain || cleanDomain === 'localhost' || cleanDomain.startsWith('localhost:')) {
-        return { valid: true }
-    }
-
-    // Check if this is a verified custom domain owned by the user OR one of their squads
-    const domainRecord = await prisma.customDomain.findFirst({
-        where: {
-            domain: cleanDomain,
-            OR: [
-                { userId },
-                {
-                    squad: {
-                        members: { some: { userId } },
-                    },
-                },
-            ],
-        },
-        select: {
-            verified: true,
-            domain: true,
+  // No custom domain specified, no validation needed
+  if (!requestedDomain) {
+    return { valid: true }
+  }
+
+  const trimTrailingSlashes = (s: string) => {
+    let end = s.length
+    while (end > 0 && s[end - 1] === '/') end--
+    return end === s.length ? s : s.slice(0, end)
+  }
+
+  // Clean domain (remove protocol/trailing slash)
+  const cleanDomain = trimTrailingSlashes(
+    requestedDomain.replace(/^https?:\/\//, '')
+  ).toLowerCase()
+
+  // Check if domain is the main app domain - no validation needed
+  const appDomain = trimTrailingSlashes(
+    (process.env.APP_BASE_URL || process.env.NEXTAUTH_URL || '').replace(
+      /^https?:\/\//,
+      ''
+    )
+  ).toLowerCase()
+
+  if (
+    cleanDomain === appDomain ||
+    cleanDomain === 'localhost' ||
+    cleanDomain.startsWith('localhost:')
+  ) {
+    return { valid: true }
+  }
+
+  // Check if this is a verified custom domain owned by the user OR one of their squads
+  const domainRecord = await prisma.customDomain.findFirst({
+    where: {
+      domain: cleanDomain,
+      OR: [
+        { userId },
+        {
+          squad: {
+            members: { some: { userId } },
+          },
         },
-    })
-
-    if (!domainRecord) {
-        return {
-            valid: false,
-            error: `Domain "${cleanDomain}" is not registered to your account`,
-            errorCode: 'DOMAIN_NOT_FOUND',
-        }
+      ],
+    },
+    select: {
+      verified: true,
+      domain: true,
+    },
+  })
+
+  if (!domainRecord) {
+    return {
+      valid: false,
+      error: `Domain "${cleanDomain}" is not registered to your account`,
+      errorCode: 'DOMAIN_NOT_FOUND',
     }
+  }
 
-    if (!domainRecord.verified) {
-        return {
-            valid: false,
-            error: `Domain "${cleanDomain}" has not been verified yet. Please complete domain verification first.`,
-            errorCode: 'DOMAIN_NOT_VERIFIED',
-        }
+  if (!domainRecord.verified) {
+    return {
+      valid: false,
+      error: `Domain "${cleanDomain}" has not been verified yet. Please complete domain verification first.`,
+      errorCode: 'DOMAIN_NOT_VERIFIED',
     }
+  }
 
-    return { valid: true }
+  return { valid: true }
 }
 
 /**
@@ -120,47 +144,58 @@ export async function validateCustomDomain(
  * The domain must belong to the squad itself.
  */
 export async function validateSquadCustomDomain(
-    squadId: string,
-    requestedDomain: string | null
+  squadId: string,
+  requestedDomain: string | null
 ): Promise<UploadValidationResult> {
-    if (!requestedDomain) return { valid: true }
-
-    const cleanDomain = requestedDomain
-        .replace(/^https?:\/\//, '')
-        .replace(/\/+$/, '')
-        .toLowerCase()
-
-    const appDomain = (process.env.APP_BASE_URL || process.env.NEXTAUTH_URL || '')
-        .replace(/^https?:\/\//, '')
-        .replace(/\/+$/, '')
-        .toLowerCase()
-
-    if (cleanDomain === appDomain || cleanDomain === 'localhost' || cleanDomain.startsWith('localhost:')) {
-        return { valid: true }
-    }
-
-    const domainRecord = await prisma.customDomain.findFirst({
-        where: { domain: cleanDomain, squadId },
-        select: { verified: true, domain: true },
-    })
-
-    if (!domainRecord) {
-        return {
-            valid: false,
-            error: `Domain "${cleanDomain}" is not registered to this squad`,
-            errorCode: 'DOMAIN_NOT_FOUND',
-        }
+  if (!requestedDomain) return { valid: true }
+
+  const trimTrailingSlashes = (s: string) => {
+    let end = s.length
+    while (end > 0 && s[end - 1] === '/') end--
+    return end === s.length ? s : s.slice(0, end)
+  }
+
+  const cleanDomain = trimTrailingSlashes(
+    requestedDomain.replace(/^https?:\/\//, '')
+  ).toLowerCase()
+
+  const appDomain = trimTrailingSlashes(
+    (process.env.APP_BASE_URL || process.env.NEXTAUTH_URL || '').replace(
+      /^https?:\/\//,
+      ''
+    )
+  ).toLowerCase()
+
+  if (
+    cleanDomain === appDomain ||
+    cleanDomain === 'localhost' ||
+    cleanDomain.startsWith('localhost:')
+  ) {
+    return { valid: true }
+  }
+
+  const domainRecord = await prisma.customDomain.findFirst({
+    where: { domain: cleanDomain, squadId },
+    select: { verified: true, domain: true },
+  })
+
+  if (!domainRecord) {
+    return {
+      valid: false,
+      error: `Domain "${cleanDomain}" is not registered to this squad`,
+      errorCode: 'DOMAIN_NOT_FOUND',
     }
+  }
 
-    if (!domainRecord.verified) {
-        return {
-            valid: false,
-            error: `Domain "${cleanDomain}" has not been verified yet`,
-            errorCode: 'DOMAIN_NOT_VERIFIED',
-        }
+  if (!domainRecord.verified) {
+    return {
+      valid: false,
+      error: `Domain "${cleanDomain}" has not been verified yet`,
+      errorCode: 'DOMAIN_NOT_VERIFIED',
     }
+  }
 
-    return { valid: true }
+  return { valid: true }
 }
 
 /**
@@ -168,20 +203,21 @@ export async function validateSquadCustomDomain(
  * Returns the first validation error encountered, or valid: true if all pass.
  */
 export async function validateUploadRequest(
-    userId: string,
-    requestedDomain: string | null
+  userId: string,
+  requestedDomain: string | null,
+  preloadedUser?: { emailVerified: boolean; role: string }
 ): Promise<UploadValidationResult> {
-    // Check email verification
-    const emailResult = await validateEmailVerified(userId)
-    if (!emailResult.valid) {
-        return emailResult
-    }
-
-    // Check custom domain verification
-    const domainResult = await validateCustomDomain(userId, requestedDomain)
-    if (!domainResult.valid) {
-        return domainResult
-    }
-
-    return { valid: true }
+  // Check email verification (skip DB query if caller already has user data)
+  const emailResult = await validateEmailVerified(userId, preloadedUser)
+  if (!emailResult.valid) {
+    return emailResult
+  }
+
+  // Check custom domain verification
+  const domainResult = await validateCustomDomain(userId, requestedDomain)
+  if (!domainResult.valid) {
+    return domainResult
+  }
+
+  return { valid: true }
 }
diff --git a/packages/lib/kener/index.ts b/packages/lib/kener/index.ts
index 1a01b23..5c4db60 100644
--- a/packages/lib/kener/index.ts
+++ b/packages/lib/kener/index.ts
@@ -1,178 +1 @@
-/**
- * Kener API Client
- * Fetches status data from a self-hosted Kener instance (https://kener.ing)
- *
- * API docs: https://kener.ing/docs/spec/v4
- * Configured via admin settings → integrations → kener (apiKey + baseUrl)
- */
-
-import { cache } from 'react'
-
-import { logger } from '@/packages/lib/logger'
-import { getIntegrations } from '@/packages/lib/config'
-
-// ──────────────────────────────────────────────
-// Kener API types (v4)
-// ──────────────────────────────────────────────
-
-export type KenerMonitorStatus = 'UP' | 'DOWN' | 'DEGRADED' | 'UNKNOWN'
-
-export interface KenerMonitor {
-  tag: string
-  name: string
-  description?: string
-  status: KenerMonitorStatus
-  category_name?: string
-  monitor_type?: string
-  is_hidden?: string | boolean
-  [key: string]: unknown
-}
-
-export interface KenerPageResponse {
-  page: {
-    page_path: string
-    page_title?: string
-    monitors: KenerMonitor[]
-    [key: string]: unknown
-  }
-}
-
-export interface KenerStatusSummary {
-  page: {
-    name: string
-    url: string
-    /** Aggregated overall status */
-    status: KenerMonitorStatus
-  }
-  activeIncidents: KenerIncident[]
-  activeMaintenances: KenerIncident[]
-}
-
-export interface KenerIncident {
-  id: string
-  name: string
-  status?: string
-  started?: string
-  url?: string
-}
-
-// ──────────────────────────────────────────────
-// Config helper
-// ──────────────────────────────────────────────
-
-async function getKenerConfig() {
-  const integrations = await getIntegrations()
-  const kener = integrations.kener as { apiKey?: string; baseUrl?: string } | undefined
-  return {
-    baseUrl: (kener?.baseUrl ?? process.env.KENER_BASE_URL ?? 'https://emberlystat.us').replace(/\/$/, ''),
-    apiKey: kener?.apiKey ?? process.env.KENER_API_KEY ?? '',
-  }
-}
-
-// Cache TTL: 60 s
-const CACHE_TTL = 60
-
-// ──────────────────────────────────────────────
-// Fetch helpers
-// ──────────────────────────────────────────────
-
-async function fetchKener<T>(
-  path: string,
-  config: Awaited<ReturnType<typeof getKenerConfig>>,
-): Promise<T | null> {
-  const url = `${config.baseUrl}${path}`
-  try {
-    const res = await fetch(url, {
-      headers: config.apiKey
-        ? { Authorization: `Bearer ${config.apiKey}` }
-        : {},
-      next: { revalidate: CACHE_TTL, tags: ['status'] },
-    })
-    if (!res.ok) {
-      logger.error(`Kener API error: ${res.status} ${res.statusText}`, { url })
-      return null
-    }
-    return await res.json()
-  } catch (err) {
-    logger.error('Failed to fetch from Kener', {
-      url,
-      error: err instanceof Error ? err.message : 'Unknown error',
-    })
-    return null
-  }
-}
-
-// ──────────────────────────────────────────────
-// Aggregate status from monitor list
-// ──────────────────────────────────────────────
-
-function aggregateStatus(monitors: KenerMonitor[]): KenerMonitorStatus {
-  if (monitors.length === 0) return 'UNKNOWN'
-  const visible = monitors.filter(
-    (m) => {
-      const isHidden = String(m.is_hidden).toLowerCase()
-      return m.is_hidden !== true && isHidden !== 'true' && isHidden !== 'yes'
-    },
-  )
-  // Kener v4 returns "ACTIVE"/"INACTIVE" as workflow state, not health status
-  // Map to health status: ACTIVE means UP, and we'll assume INACTIVE means DOWN
-  const statuses = visible.map((m) => {
-    const rawStatus = String(m.status ?? '').toUpperCase() as string
-    // Map Kener workflow states to health status
-    if (rawStatus === 'ACTIVE') return 'UP' as KenerMonitorStatus
-    if (rawStatus === 'INACTIVE') return 'DOWN' as KenerMonitorStatus
-    // Pass through actual health statuses if present
-    if (['UP', 'DOWN', 'DEGRADED', 'UNKNOWN'].includes(rawStatus)) return rawStatus as KenerMonitorStatus
-    return 'UNKNOWN' as KenerMonitorStatus
-  })
-  if (statuses.includes('DOWN')) return 'DOWN'
-  if (statuses.includes('DEGRADED')) return 'DEGRADED'
-  if (statuses.length > 0 && statuses.every((s) => s === 'UP')) return 'UP'
-  return 'UNKNOWN'
-}
-
-// ──────────────────────────────────────────────
-// Public API
-// ──────────────────────────────────────────────
-
-/**
- * Returns an aggregated status summary from Kener monitor list.
- * Shape is compatible with what StatusIndicator expects.
- */
-export const getKenerStatus = cache(async (): Promise<KenerStatusSummary | null> => {
-  const config = await getKenerConfig()
-  // /api/v4/monitors returns live per-monitor status; /api/v4/pages/ only returns config (no status field)
-  const data = await fetchKener<{ monitors: KenerMonitor[] }>('/api/v4/monitors', config)
-  if (!data?.monitors) return null
-
-  const status = aggregateStatus(data.monitors)
-
-  return {
-    page: {
-      name: 'Emberly Status',
-      url: config.baseUrl,
-      status,
-    },
-    activeIncidents: [],
-    activeMaintenances: [],
-  }
-})
-
-/**
- * Test Kener connectivity (used by admin integrations test endpoint).
- */
-export async function testKenerConnection(baseUrl: string, apiKey?: string): Promise<{ ok: boolean; message: string }> {
-  const url = `${baseUrl.replace(/\/$/, '')}/api/v4/monitors`
-  try {
-    const res = await fetch(url, {
-      headers: apiKey ? { Authorization: `Bearer ${apiKey}` } : {},
-      signal: AbortSignal.timeout(8000),
-    })
-    if (!res.ok) return { ok: false, message: `Kener API responded with ${res.status}` }
-    const data = await res.json()
-    const count = (data?.monitors as unknown[])?.length ?? 0
-    return { ok: true, message: `Connected — ${count} monitor${count !== 1 ? 's' : ''} found` }
-  } catch (err) {
-    return { ok: false, message: err instanceof Error ? err.message : 'Connection failed' }
-  }
-}
+// Status page integration removed — link users directly to https://emberlystat.us
diff --git a/packages/lib/storage/index.ts b/packages/lib/storage/index.ts
index 2096d7a..4f02fbd 100644
--- a/packages/lib/storage/index.ts
+++ b/packages/lib/storage/index.ts
@@ -11,7 +11,11 @@ const logger = loggers.storage
 export type { StorageProvider, RangeOptions } from './types'
 export { LocalStorageProvider, S3StorageProvider }
 
-let storageProvider: StorageProvider | null = null
+// Stored on globalThis so the singleton survives Next.js hot-reloads in dev mode
+const _g = globalThis as typeof globalThis & {
+  __storageProvider?: StorageProvider
+}
+let storageProvider: StorageProvider | null = _g.__storageProvider ?? null
 
 /** Build a provider from a StorageBucket DB record (no caching — used for per-user routing). */
 function providerFromBucket(bucket: {
@@ -70,6 +74,7 @@ export async function getStorageProvider(): Promise<StorageProvider> {
     storageProvider = new LocalStorageProvider()
   }
 
+  _g.__storageProvider = storageProvider
   return storageProvider
 }
 
@@ -78,7 +83,9 @@ export async function getStorageProvider(): Promise<StorageProvider> {
  * If the user has an assigned `storageBucketId`, returns a provider for that bucket.
  * Otherwise falls back to the global default provider.
  */
-export async function getStorageProviderForUser(userId: string): Promise<StorageProvider> {
+export async function getStorageProviderForUser(
+  userId: string
+): Promise<StorageProvider> {
   const user = await prisma.user.findUnique({
     where: { id: userId },
     select: { storageBucketId: true },
@@ -89,7 +96,11 @@ export async function getStorageProviderForUser(userId: string): Promise<Storage
       where: { id: user.storageBucketId },
     })
     if (bucket) {
-      logger.info('Using custom storage bucket for user', { userId, bucketId: bucket.id, bucketName: bucket.name })
+      logger.info('Using custom storage bucket for user', {
+        userId,
+        bucketId: bucket.id,
+        bucketName: bucket.name,
+      })
       return providerFromBucket(bucket)
     }
   }
@@ -102,7 +113,9 @@ export async function getStorageProviderForUser(userId: string): Promise<Storage
  * If the squad has an assigned `storageBucketId`, returns a provider for that bucket.
  * Otherwise falls back to the global default provider.
  */
-export async function getStorageProviderForSquad(squadId: string): Promise<StorageProvider> {
+export async function getStorageProviderForSquad(
+  squadId: string
+): Promise<StorageProvider> {
   const squad = await prisma.nexiumSquad.findUnique({
     where: { id: squadId },
     select: { storageBucketId: true },
@@ -113,7 +126,11 @@ export async function getStorageProviderForSquad(squadId: string): Promise<Stora
       where: { id: squad.storageBucketId },
     })
     if (bucket) {
-      logger.info('Using custom storage bucket for squad', { squadId, bucketId: bucket.id, bucketName: bucket.name })
+      logger.info('Using custom storage bucket for squad', {
+        squadId,
+        bucketId: bucket.id,
+        bucketName: bucket.name,
+      })
       return providerFromBucket(bucket)
     }
   }
@@ -123,6 +140,7 @@ export async function getStorageProviderForSquad(squadId: string): Promise<Stora
 
 export function invalidateStorageProvider(): void {
   storageProvider = null
+  _g.__storageProvider = undefined
 }
 
 // ---------------------------------------------------------------------------
@@ -157,4 +175,4 @@ export async function getDownloadUrl(
     return provider.getDownloadUrl(path, filename, hostOverride)
   }
   return provider.getFileUrl(path, undefined, hostOverride)
-}
\ No newline at end of file
+}
diff --git a/packages/lib/storage/quota.ts b/packages/lib/storage/quota.ts
index 6ffd847..1d9a47a 100644
--- a/packages/lib/storage/quota.ts
+++ b/packages/lib/storage/quota.ts
@@ -1,6 +1,6 @@
 /**
  * Storage quota and plan limits calculation utilities.
- * 
+ *
  * The quota system works as follows:
  * 1. User's plan determines base storage quota (Spark: 10GB, Glow: 25GB, etc.)
  * 2. Admins can override per-user quota via storageQuotaMB
@@ -11,133 +11,144 @@
  */
 
 import { prisma } from '@/packages/lib/database/prisma'
-import { calculateStorageBonusGB, calculateDomainSlotBonus } from '@/packages/lib/perks'
+import {
+  calculateStorageBonusGB,
+  calculateDomainSlotBonus,
+} from '@/packages/lib/perks'
 import { syncUserSubscriptionsFromStripe } from '@/packages/lib/stripe/billing'
 
 // Per-user TTL cache: only attempt one Stripe sync per user per 5-minute window
-const stripeSyncCache = new Map<string, number>()
+// Stored on globalThis so it survives Next.js hot-reloads in dev mode
+const _g = globalThis as typeof globalThis & {
+  __stripeSyncCache?: Map<string, number>
+}
+if (!_g.__stripeSyncCache) _g.__stripeSyncCache = new Map()
+const stripeSyncCache = _g.__stripeSyncCache
 const STRIPE_SYNC_TTL_MS = 5 * 60 * 1000
 
 export interface QuotaInfo {
-    quotaMB: number
-    usedMB: number
-    remainingMB: number
-    purchasedMB: number
-    baseQuotaMB: number
-    percentageUsed: number
+  quotaMB: number
+  usedMB: number
+  remainingMB: number
+  purchasedMB: number
+  baseQuotaMB: number
+  percentageUsed: number
 }
 
 export interface PlanLimits {
-    /** null = unlimited (Ember / Enterprise) */
-    storageQuotaGB: number | null
-    /** null = unlimited (Ember / Enterprise) */
-    uploadSizeCapMB: number | null
-    /** null = unlimited (Ember / Enterprise) */
-    customDomainsLimit: number | null
-    planName: string
+  /** null = unlimited (Ember / Enterprise) */
+  storageQuotaGB: number | null
+  /** null = unlimited (Ember / Enterprise) */
+  uploadSizeCapMB: number | null
+  /** null = unlimited (Ember / Enterprise) */
+  customDomainsLimit: number | null
+  planName: string
 }
 
 /**
  * Get the user's current plan limits.
  * Returns plan limits or defaults if no active subscription.
- * 
+ *
  * Note: an active `storage-bucket` subscription removes ALL limits.
  * A `past_due` bucket subscription reinstates normal plan quotas.
  */
 export async function getPlanLimits(userId: string): Promise<PlanLimits> {
-    // Check for an active storage-bucket-* subscription first — it removes all limits
-    const bucketSub = await prisma.subscription.findFirst({
-        where: {
-            userId,
-            status: 'active',
-            product: { slug: { startsWith: 'storage-bucket' } },
-        },
-        select: { id: true },
-    })
-
-    if (bucketSub) {
-        return {
-            storageQuotaGB: null,   // unlimited
-            uploadSizeCapMB: null,  // unlimited
-            customDomainsLimit: null,
-            planName: 'Storage Bucket (Unlimited)',
-        }
+  // Check for an active storage-bucket-* subscription first — it removes all limits
+  const bucketSub = await prisma.subscription.findFirst({
+    where: {
+      userId,
+      status: 'active',
+      product: { slug: { startsWith: 'storage-bucket' } },
+    },
+    select: { id: true },
+  })
+
+  if (bucketSub) {
+    return {
+      storageQuotaGB: null, // unlimited
+      uploadSizeCapMB: null, // unlimited
+      customDomainsLimit: null,
+      planName: 'Storage Bucket (Unlimited)',
     }
+  }
 
-    // Get user's active subscription with product details
-    const subscription = await prisma.subscription.findFirst({
-        where: {
-            userId,
-            status: 'active',
-        },
-        include: {
-            product: true,
-        },
-        orderBy: {
-            createdAt: 'desc',
-        },
-    })
-
-    if (subscription && subscription.product) {
-        return {
-            // null means unlimited — preserved as-is for Ember/Enterprise plans
-            storageQuotaGB: subscription.product.storageQuotaGB ?? null,
-            uploadSizeCapMB: subscription.product.uploadSizeCapMB ?? null,
-            customDomainsLimit: subscription.product.customDomainsLimit ?? null,
-            planName: subscription.product.name,
-        }
+  // Get user's active subscription with product details
+  const subscription = await prisma.subscription.findFirst({
+    where: {
+      userId,
+      status: 'active',
+    },
+    include: {
+      product: true,
+    },
+    orderBy: {
+      createdAt: 'desc',
+    },
+  })
+
+  if (subscription && subscription.product) {
+    return {
+      // null means unlimited — preserved as-is for Ember/Enterprise plans
+      storageQuotaGB: subscription.product.storageQuotaGB ?? null,
+      uploadSizeCapMB: subscription.product.uploadSizeCapMB ?? null,
+      customDomainsLimit: subscription.product.customDomainsLimit ?? null,
+      planName: subscription.product.name,
     }
+  }
 
-    // No active subscription in DB — attempt a one-time Stripe sync to self-heal
-    // (covers cases where the webhook was missed or not yet configured)
-    const now = Date.now()
-    const lastSync = stripeSyncCache.get(userId) ?? 0
-    if (now - lastSync > STRIPE_SYNC_TTL_MS) {
-        stripeSyncCache.set(userId, now)
-        try {
-            const userRecord = await prisma.user.findUnique({
-                where: { id: userId },
-                select: { stripeCustomerId: true },
-            })
-            if (userRecord?.stripeCustomerId) {
-                await syncUserSubscriptionsFromStripe(userId, userRecord.stripeCustomerId)
-                // Re-check after sync
-                const syncedSub = await prisma.subscription.findFirst({
-                    where: { userId, status: 'active' },
-                    include: { product: true },
-                    orderBy: { createdAt: 'desc' },
-                })
-                if (syncedSub?.product) {
-                    return {
-                        storageQuotaGB: syncedSub.product.storageQuotaGB ?? null,
-                        uploadSizeCapMB: syncedSub.product.uploadSizeCapMB ?? null,
-                        customDomainsLimit: syncedSub.product.customDomainsLimit ?? null,
-                        planName: syncedSub.product.name,
-                    }
-                }
-            }
-        } catch (err) {
-            console.warn('[getPlanLimits] Stripe subscription sync failed:', err)
+  // No active subscription in DB — attempt a one-time Stripe sync to self-heal
+  // (covers cases where the webhook was missed or not yet configured)
+  const now = Date.now()
+  const lastSync = stripeSyncCache.get(userId) ?? 0
+  if (now - lastSync > STRIPE_SYNC_TTL_MS) {
+    stripeSyncCache.set(userId, now)
+    try {
+      const userRecord = await prisma.user.findUnique({
+        where: { id: userId },
+        select: { stripeCustomerId: true },
+      })
+      if (userRecord?.stripeCustomerId) {
+        await syncUserSubscriptionsFromStripe(
+          userId,
+          userRecord.stripeCustomerId
+        )
+        // Re-check after sync
+        const syncedSub = await prisma.subscription.findFirst({
+          where: { userId, status: 'active' },
+          include: { product: true },
+          orderBy: { createdAt: 'desc' },
+        })
+        if (syncedSub?.product) {
+          return {
+            storageQuotaGB: syncedSub.product.storageQuotaGB ?? null,
+            uploadSizeCapMB: syncedSub.product.uploadSizeCapMB ?? null,
+            customDomainsLimit: syncedSub.product.customDomainsLimit ?? null,
+            planName: syncedSub.product.name,
+          }
         }
+      }
+    } catch (err) {
+      console.warn('[getPlanLimits] Stripe subscription sync failed:', err)
     }
+  }
 
-    // Default free plan (Spark)
-    return {
-        storageQuotaGB: 10,
-        uploadSizeCapMB: 500,
-        customDomainsLimit: 3,
-        planName: 'Spark (Free)',
-    }
+  // Default free plan (Spark)
+  return {
+    storageQuotaGB: 10,
+    uploadSizeCapMB: 500,
+    customDomainsLimit: 3,
+    planName: 'Spark (Free)',
+  }
 }
 
 /**
  * Get the user's custom domain count.
  */
 export async function getUserDomainCount(userId: string): Promise<number> {
-    const result = await prisma.customDomain.count({
-        where: { userId },
-    })
-    return result
+  const result = await prisma.customDomain.count({
+    where: { userId },
+  })
+  return result
 }
 
 /**
@@ -145,27 +156,27 @@ export async function getUserDomainCount(userId: string): Promise<number> {
  * Counts legacy one-off purchases as well as active yearly subscriptions.
  */
 export async function getPurchasedDomainSlots(userId: string): Promise<number> {
-    const [oneOffResult, subscriptionCount] = await Promise.all([
-        prisma.oneOffPurchase.aggregate({
-            where: {
-                userId,
-                type: 'custom_domain',
-            },
-            _sum: {
-                quantity: true,
-            },
-        }),
-        prisma.subscription.count({
-            where: {
-                userId,
-                status: { in: ['active', 'trialing'] },
-                product: {
-                    slug: { in: ['extra-domain-slot', 'extra-domain-slot-squad'] },
-                },
-            },
-        }),
-    ])
-    return (oneOffResult._sum?.quantity || 0) + subscriptionCount
+  const [oneOffResult, subscriptionCount] = await Promise.all([
+    prisma.oneOffPurchase.aggregate({
+      where: {
+        userId,
+        type: 'custom_domain',
+      },
+      _sum: {
+        quantity: true,
+      },
+    }),
+    prisma.subscription.count({
+      where: {
+        userId,
+        status: { in: ['active', 'trialing'] },
+        product: {
+          slug: { in: ['extra-domain-slot', 'extra-domain-slot-squad'] },
+        },
+      },
+    }),
+  ])
+  return (oneOffResult._sum?.quantity || 0) + subscriptionCount
 }
 
 /**
@@ -173,20 +184,20 @@ export async function getPurchasedDomainSlots(userId: string): Promise<number> {
  * Takes perk bonuses and purchased slots into account.
  */
 export async function canAddCustomDomain(userId: string): Promise<boolean> {
-    const user = await prisma.user.findUnique({
-        where: { id: userId },
-        select: { perkRoles: true },
-    })
-
-    const limits = await getPlanLimits(userId)
-    // null = unlimited plan
-    if (limits.customDomainsLimit === null) return true
-    const currentCount = await getUserDomainCount(userId)
-    const domainBonus = calculateDomainSlotBonus(user?.perkRoles || [])
-    const purchasedSlots = await getPurchasedDomainSlots(userId)
-    const totalLimit = limits.customDomainsLimit + domainBonus + purchasedSlots
-    
-    return currentCount < totalLimit
+  const user = await prisma.user.findUnique({
+    where: { id: userId },
+    select: { perkRoles: true },
+  })
+
+  const limits = await getPlanLimits(userId)
+  // null = unlimited plan
+  if (limits.customDomainsLimit === null) return true
+  const currentCount = await getUserDomainCount(userId)
+  const domainBonus = calculateDomainSlotBonus(user?.perkRoles || [])
+  const purchasedSlots = await getPurchasedDomainSlots(userId)
+  const totalLimit = limits.customDomainsLimit + domainBonus + purchasedSlots
+
+  return currentCount < totalLimit
 }
 
 /**
@@ -194,19 +205,19 @@ export async function canAddCustomDomain(userId: string): Promise<boolean> {
  * Sums up all extra_storage one-off purchases.
  */
 export async function getPurchasedStorageMB(userId: string): Promise<number> {
-    const result = await prisma.oneOffPurchase.aggregate({
-        where: {
-            userId,
-            type: 'extra_storage',
-        },
-        _sum: {
-            quantity: true,
-        },
-    })
+  const result = await prisma.oneOffPurchase.aggregate({
+    where: {
+      userId,
+      type: 'extra_storage',
+    },
+    _sum: {
+      quantity: true,
+    },
+  })
 
-    // quantity is in GB; convert to MB
-    const quantityGB = result._sum?.quantity || 0
-    return quantityGB * 1024
+  // quantity is in GB; convert to MB
+  const quantityGB = result._sum?.quantity || 0
+  return quantityGB * 1024
 }
 
 /**
@@ -216,54 +227,57 @@ export async function getPurchasedStorageMB(userId: string): Promise<number> {
  * - Plan-based storage quota
  * - Purchased additional storage
  */
-export async function getEffectiveQuotaMB(userId: string, defaultQuotaMB?: number): Promise<QuotaInfo> {
-    const user = await prisma.user.findUnique({
-        where: { id: userId },
-        select: {
-            storageUsed: true,
-            storageQuotaMB: true,
-            perkRoles: true,
-        },
-    })
+export async function getEffectiveQuotaMB(
+  userId: string,
+  defaultQuotaMB?: number
+): Promise<QuotaInfo> {
+  const user = await prisma.user.findUnique({
+    where: { id: userId },
+    select: {
+      storageUsed: true,
+      storageQuotaMB: true,
+      perkRoles: true,
+    },
+  })
 
-    if (!user) {
-        throw new Error(`User ${userId} not found`)
-    }
+  if (!user) {
+    throw new Error(`User ${userId} not found`)
+  }
 
-    const planLimits = await getPlanLimits(userId)
-    const purchasedMB = await getPurchasedStorageMB(userId)
-    
-    // Calculate perk bonuses
-    const perkStorageBonusGB = calculateStorageBonusGB(user.perkRoles || [])
-    const perkStorageBonusMB = perkStorageBonusGB * 1024
-    
-    // Priority: admin override > plan quota + perks > default quota
-    let baseQuotaMB = user.storageQuotaMB
-    if (!baseQuotaMB) {
-        if (planLimits.storageQuotaGB === null) {
-            // Unlimited plan — use a 100 TB sentinel so arithmetic still works
-            baseQuotaMB = 100 * 1024 * 1024
-        } else {
-            baseQuotaMB = (planLimits.storageQuotaGB + perkStorageBonusGB) * 1024
-        }
-    }
-    if (!baseQuotaMB && defaultQuotaMB) {
-        baseQuotaMB = defaultQuotaMB
-    }
-    
-    const quotaMB = baseQuotaMB + purchasedMB
-    const usedMB = user.storageUsed
-    const remainingMB = Math.max(0, quotaMB - usedMB)
-    const percentageUsed = quotaMB > 0 ? (usedMB / quotaMB) * 100 : 0
+  const planLimits = await getPlanLimits(userId)
+  const purchasedMB = await getPurchasedStorageMB(userId)
 
-    return {
-        quotaMB,
-        usedMB,
-        remainingMB,
-        purchasedMB,
-        baseQuotaMB,
-        percentageUsed,
+  // Calculate perk bonuses
+  const perkStorageBonusGB = calculateStorageBonusGB(user.perkRoles || [])
+  const perkStorageBonusMB = perkStorageBonusGB * 1024
+
+  // Priority: admin override > plan quota + perks > default quota
+  let baseQuotaMB = user.storageQuotaMB
+  if (!baseQuotaMB) {
+    if (planLimits.storageQuotaGB === null) {
+      // Unlimited plan — use a 100 TB sentinel so arithmetic still works
+      baseQuotaMB = 100 * 1024 * 1024
+    } else {
+      baseQuotaMB = (planLimits.storageQuotaGB + perkStorageBonusGB) * 1024
     }
+  }
+  if (!baseQuotaMB && defaultQuotaMB) {
+    baseQuotaMB = defaultQuotaMB
+  }
+
+  const quotaMB = baseQuotaMB + purchasedMB
+  const usedMB = user.storageUsed
+  const remainingMB = Math.max(0, quotaMB - usedMB)
+  const percentageUsed = quotaMB > 0 ? (usedMB / quotaMB) * 100 : 0
+
+  return {
+    quotaMB,
+    usedMB,
+    remainingMB,
+    purchasedMB,
+    baseQuotaMB,
+    percentageUsed,
+  }
 }
 
 /**
@@ -271,60 +285,63 @@ export async function getEffectiveQuotaMB(userId: string, defaultQuotaMB?: numbe
  * Validates against both storage quota AND upload size cap.
  */
 export async function canUploadSize(
-    userId: string,
-    fileSizeMB: number,
-    defaultQuotaMB?: number
+  userId: string,
+  fileSizeMB: number,
+  defaultQuotaMB?: number
 ): Promise<{ allowed: boolean; reason?: string }> {
-    const planLimits = await getPlanLimits(userId)
-    
-    // Check upload size cap (null = unlimited)
-    if (planLimits.uploadSizeCapMB !== null && fileSizeMB > planLimits.uploadSizeCapMB) {
-        return {
-            allowed: false,
-            reason: `File exceeds ${planLimits.planName} plan limit of ${planLimits.uploadSizeCapMB}MB. Upgrade your plan or purchase larger file size add-on.`,
-        }
+  const planLimits = await getPlanLimits(userId)
+
+  // Check upload size cap (null = unlimited)
+  if (
+    planLimits.uploadSizeCapMB !== null &&
+    fileSizeMB > planLimits.uploadSizeCapMB
+  ) {
+    return {
+      allowed: false,
+      reason: `File exceeds ${planLimits.planName} plan limit of ${planLimits.uploadSizeCapMB}MB. Upgrade your plan or purchase larger file size add-on.`,
     }
-    
-    // Check storage quota
-    const quota = await getEffectiveQuotaMB(userId, defaultQuotaMB)
-    const canFit = quota.usedMB + fileSizeMB <= quota.quotaMB
-    
-    if (!canFit) {
-        return {
-            allowed: false,
-            reason: `Uploading this file would exceed your storage quota. You have ${quota.remainingMB.toFixed(0)}MB remaining.`,
-        }
+  }
+
+  // Check storage quota
+  const quota = await getEffectiveQuotaMB(userId, defaultQuotaMB)
+  const canFit = quota.usedMB + fileSizeMB <= quota.quotaMB
+
+  if (!canFit) {
+    return {
+      allowed: false,
+      reason: `Uploading this file would exceed your storage quota. You have ${quota.remainingMB.toFixed(0)}MB remaining.`,
     }
-    
-    return { allowed: true }
+  }
+
+  return { allowed: true }
 }
 
 /**
  * Get a user-friendly quota message explaining current usage.
  */
 export function formatQuotaMessage(quota: QuotaInfo): string {
-    const formatMB = (mb: number): string => {
-        if (mb >= 1024) {
-            return `${(mb / 1024).toFixed(2)} GB`
-        }
-        return `${mb.toFixed(0)} MB`
+  const formatMB = (mb: number): string => {
+    if (mb >= 1024) {
+      return `${(mb / 1024).toFixed(2)} GB`
     }
+    return `${mb.toFixed(0)} MB`
+  }
 
-    const usedStr = formatMB(quota.usedMB)
-    const totalStr = formatMB(quota.quotaMB)
-    const remainingStr = formatMB(quota.remainingMB)
+  const usedStr = formatMB(quota.usedMB)
+  const totalStr = formatMB(quota.quotaMB)
+  const remainingStr = formatMB(quota.remainingMB)
 
-    let message = `You are using ${usedStr} of ${totalStr} (${quota.percentageUsed.toFixed(1)}%)`
+  let message = `You are using ${usedStr} of ${totalStr} (${quota.percentageUsed.toFixed(1)}%)`
 
-    if (quota.percentageUsed > 90) {
-        message += '. ⚠️ Storage is critically low!'
-    } else if (quota.percentageUsed > 75) {
-        message += '. Storage is getting low.'
-    }
+  if (quota.percentageUsed > 90) {
+    message += '. ⚠️ Storage is critically low!'
+  } else if (quota.percentageUsed > 75) {
+    message += '. Storage is getting low.'
+  }
 
-    if (quota.purchasedMB > 0) {
-        message += ` (${formatMB(quota.purchasedMB)} purchased)`
-    }
+  if (quota.purchasedMB > 0) {
+    message += ` (${formatMB(quota.purchasedMB)} purchased)`
+  }
 
-    return message
+  return message
 }
diff --git a/packages/lib/utils/index.ts b/packages/lib/utils/index.ts
index c61f5b1..1ec3006 100644
--- a/packages/lib/utils/index.ts
+++ b/packages/lib/utils/index.ts
@@ -27,7 +27,9 @@ export function getRelativeTime(date: Date): string {
 
 export function urlForHost(host: string): string {
   if (!host) return ''
-  const cleaned = host.replace(/\/+$/, '')
+  let end = host.length
+  while (end > 0 && host[end - 1] === '/') end--
+  const cleaned = end === host.length ? host : host.slice(0, end)
   if (cleaned.startsWith('http://') || cleaned.startsWith('https://'))
     return cleaned
 

From 46d5a24bf1ca14820bbb1b6e204ba532043f336d Mon Sep 17 00:00:00 2001
From: TheRealToxicDev <toxic.dev09@gmail.com>
Date: Sat, 13 Jun 2026 09:38:23 -0600
Subject: [PATCH 04/13] chore(bump): version

---
 CHANGELOG.md                                |  2 ++
 package.json                                |  2 +-
 packages/components/dashboard/user-list.tsx | 32 +++++++++++----------
 packages/lib/storage/sync-buckets.ts        |  6 ++--
 4 files changed, 23 insertions(+), 19 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 65c11d4..b3ddd53 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -46,6 +46,8 @@ The format is based on "Keep a Changelog" and follows [Semantic Versioning](http
 ### Fixed
 
 - **Sitemap** — Marked sitemap route as dynamic to prevent build-time errors when database is unavailable during static export.
+- **TypeScript — Logger argument types in `sync-buckets.ts`** — `BucketSyncStats` was passed directly as a `logger.info` context argument (expects `Record<string, unknown>`); fixed by spreading with `{ ...stats }`. Two `logger.warn` calls passed raw `Error` objects where a context object is expected; fixed by passing `{ error: String(err) }`.
+- **TypeScript — `PaginationData.pages` property in `user-list.tsx`** — Three references used `.pages` on the `PaginationData` type returned by `useUserManagement`, which defines the property as `pageCount`. Corrected to `.pageCount`.
 
 ## [2.4.5] - 2026-06-02
 
diff --git a/package.json b/package.json
index 00a6a6f..6393f3c 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@emberly/website",
-  "version": "2.4.4",
+  "version": "2.4.6",
   "license": "AGPL-3.0-only",
   "author": "CodeMeAPixel",
   "homepage": "https://github.com/EmberlyOSS/Emberly",
diff --git a/packages/components/dashboard/user-list.tsx b/packages/components/dashboard/user-list.tsx
index e39f250..6fa5446 100644
--- a/packages/components/dashboard/user-list.tsx
+++ b/packages/components/dashboard/user-list.tsx
@@ -2412,7 +2412,7 @@ export function UserList() {
         </DialogContent>
       </Dialog>
 
-      {pagination && pagination.pages > 1 && (
+      {pagination && pagination.pageCount > 1 && (
         <div className="flex justify-center">
           <Pagination>
             <PaginationContent>
@@ -2429,19 +2429,21 @@ export function UserList() {
                   <ChevronLeft className="h-4 w-4" />
                 </Button>
               </PaginationItem>
-              {getPaginationRange(currentPage, pagination.pages).map((p) => (
-                <PaginationItem key={p}>
-                  <PaginationLink
-                    onClick={(e: React.MouseEvent<HTMLAnchorElement>) => {
-                      e.preventDefault()
-                      fetchUsers(p)
-                    }}
-                    isActive={p === currentPage}
-                  >
-                    {p}
-                  </PaginationLink>
-                </PaginationItem>
-              ))}
+              {getPaginationRange(currentPage, pagination.pageCount).map(
+                (p) => (
+                  <PaginationItem key={p}>
+                    <PaginationLink
+                      onClick={(e: React.MouseEvent<HTMLAnchorElement>) => {
+                        e.preventDefault()
+                        fetchUsers(p)
+                      }}
+                      isActive={p === currentPage}
+                    >
+                      {p}
+                    </PaginationLink>
+                  </PaginationItem>
+                )
+              )}
               <PaginationItem>
                 <Button
                   variant="outline"
@@ -2450,7 +2452,7 @@ export function UserList() {
                     e.preventDefault()
                     fetchUsers(currentPage + 1)
                   }}
-                  disabled={currentPage === pagination.pages}
+                  disabled={currentPage === pagination.pageCount}
                 >
                   <ChevronRight className="h-4 w-4" />
                 </Button>
diff --git a/packages/lib/storage/sync-buckets.ts b/packages/lib/storage/sync-buckets.ts
index fa84864..ea940ef 100644
--- a/packages/lib/storage/sync-buckets.ts
+++ b/packages/lib/storage/sync-buckets.ts
@@ -160,7 +160,7 @@ export async function syncStorageBucketSubscriptions(): Promise<BucketSyncStats>
 
     stats.duration = Date.now() - startTime
 
-    logger.info('[Sync] Bucket synchronization completed', stats)
+    logger.info('[Sync] Bucket synchronization completed', { ...stats })
     return stats
   } catch (err) {
     logger.error('[Sync] Bucket synchronization failed', err as Error)
@@ -226,7 +226,7 @@ async function reconcileDeprovisionedBuckets(): Promise<void> {
             } catch (err) {
               logger.warn(
                 `[Sync] Failed to delete Vultr bucket ${bucket.vultrBucketName}`,
-                err as Error
+                { error: String(err) }
               )
             }
           }
@@ -266,7 +266,7 @@ async function reconcileDeprovisionedBuckets(): Promise<void> {
             } catch (deleteErr) {
               logger.warn(
                 `[Sync] Failed to delete Vultr bucket ${bucket.vultrBucketName}`,
-                deleteErr as Error
+                { error: String(deleteErr) }
               )
             }
           }

From e5da7992c6d057112a73169ba499ac0b67334fea Mon Sep 17 00:00:00 2001
From: TheRealToxicDev <toxic.dev09@gmail.com>
Date: Sat, 13 Jun 2026 09:44:01 -0600
Subject: [PATCH 05/13] fix(prisma): email validation

---
 CHANGELOG.md           | 1 +
 app/api/files/route.ts | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3ddd53..bed639a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -48,6 +48,7 @@ The format is based on "Keep a Changelog" and follows [Semantic Versioning](http
 - **Sitemap** — Marked sitemap route as dynamic to prevent build-time errors when database is unavailable during static export.
 - **TypeScript — Logger argument types in `sync-buckets.ts`** — `BucketSyncStats` was passed directly as a `logger.info` context argument (expects `Record<string, unknown>`); fixed by spreading with `{ ...stats }`. Two `logger.warn` calls passed raw `Error` objects where a context object is expected; fixed by passing `{ error: String(err) }`.
 - **TypeScript — `PaginationData.pages` property in `user-list.tsx`** — Three references used `.pages` on the `PaginationData` type returned by `useUserManagement`, which defines the property as `pageCount`. Corrected to `.pageCount`.
+- **TypeScript — `emailVerified` type mismatch in `app/api/files/route.ts`** — Prisma returns `emailVerified: Date | null` but `AuthenticatedUser` expects `boolean`. The squad-owner user object is now spread with `emailVerified: ownerUser.emailVerified !== null` before assignment.
 
 ## [2.4.5] - 2026-06-02
 
diff --git a/app/api/files/route.ts b/app/api/files/route.ts
index 7db08f8..73bd4eb 100644
--- a/app/api/files/route.ts
+++ b/app/api/files/route.ts
@@ -69,7 +69,7 @@ export async function POST(req: Request) {
       })
       if (!ownerUser)
         return apiError('Squad owner not found', HTTP_STATUS.UNAUTHORIZED)
-      user = ownerUser
+      user = { ...ownerUser, emailVerified: ownerUser.emailVerified !== null }
       squadContext = squad
     } else {
       const auth = await requireAuth(req)

From ad610f788e194a885bc8dad4019a1e401832024a Mon Sep 17 00:00:00 2001
From: Pixelated <hey@codemeapixel.dev>
Date: Sat, 13 Jun 2026 09:46:12 -0600
Subject: [PATCH 06/13] Potential fix for pull request finding 'Unused
 variable, import, function or class'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
---
 packages/lib/storage/quota.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/lib/storage/quota.ts b/packages/lib/storage/quota.ts
index 1d9a47a..efb4118 100644
--- a/packages/lib/storage/quota.ts
+++ b/packages/lib/storage/quota.ts
@@ -331,7 +331,7 @@ export function formatQuotaMessage(quota: QuotaInfo): string {
   const totalStr = formatMB(quota.quotaMB)
   const remainingStr = formatMB(quota.remainingMB)
 
-  let message = `You are using ${usedStr} of ${totalStr} (${quota.percentageUsed.toFixed(1)}%)`
+  let message = `You are using ${usedStr} of ${totalStr} (${quota.percentageUsed.toFixed(1)}%, ${remainingStr} remaining)`
 
   if (quota.percentageUsed > 90) {
     message += '. ⚠️ Storage is critically low!'

From 0cb8105caf353ea7fc9f1fbb1df7d7997f7745ab Mon Sep 17 00:00:00 2001
From: Pixelated <hey@codemeapixel.dev>
Date: Sat, 13 Jun 2026 09:46:26 -0600
Subject: [PATCH 07/13] Potential fix for pull request finding 'Unused
 variable, import, function or class'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
---
 packages/lib/storage/quota.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/packages/lib/storage/quota.ts b/packages/lib/storage/quota.ts
index efb4118..f8a9ae4 100644
--- a/packages/lib/storage/quota.ts
+++ b/packages/lib/storage/quota.ts
@@ -249,7 +249,6 @@ export async function getEffectiveQuotaMB(
 
   // Calculate perk bonuses
   const perkStorageBonusGB = calculateStorageBonusGB(user.perkRoles || [])
-  const perkStorageBonusMB = perkStorageBonusGB * 1024
 
   // Priority: admin override > plan quota + perks > default quota
   let baseQuotaMB = user.storageQuotaMB

From 67dccd8950179f7896cd8bfea5c76a939b01a30c Mon Sep 17 00:00:00 2001
From: Pixelated <hey@codemeapixel.dev>
Date: Sat, 13 Jun 2026 09:46:33 -0600
Subject: [PATCH 08/13] Potential fix for pull request finding 'Comparison
 between inconvertible types'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
---
 packages/lib/config/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/lib/config/index.ts b/packages/lib/config/index.ts
index d393eb8..a7d28ef 100644
--- a/packages/lib/config/index.ts
+++ b/packages/lib/config/index.ts
@@ -35,7 +35,7 @@ export const configSchema = z
                       return isNaN(val.getTime()) ? null : val.toISOString()
                     }
                     // Handle JSON-parsed objects with a valid date property
-                    if (typeof val === 'object' && val !== null) {
+                    if (Object(val) === val && typeof val === 'object') {
                       try {
                         const d = new Date(val)
                         return isNaN(d.getTime()) ? null : d.toISOString()

From 7395970b9fbcf79b05d5fafdbec549155fed3ae7 Mon Sep 17 00:00:00 2001
From: Pixelated <hey@codemeapixel.dev>
Date: Sat, 13 Jun 2026 09:46:52 -0600
Subject: [PATCH 09/13] Potential fix for pull request finding 'Unused
 variable, import, function or class'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
---
 app/api/settings/route.ts | 1 -
 1 file changed, 1 deletion(-)

diff --git a/app/api/settings/route.ts b/app/api/settings/route.ts
index e676458..930386d 100644
--- a/app/api/settings/route.ts
+++ b/app/api/settings/route.ts
@@ -6,7 +6,6 @@ import {
 
 import { HTTP_STATUS, apiError, apiResponse } from '@/packages/lib/api/response'
 import {
-  requireAdmin,
   requireAuth,
   requireSuperAdmin,
 } from '@/packages/lib/auth/api-auth'

From d8cf8a9542446d179b888448ec6b4d46c518a7b7 Mon Sep 17 00:00:00 2001
From: TheRealToxicDev <toxic.dev09@gmail.com>
Date: Sat, 13 Jun 2026 09:55:39 -0600
Subject: [PATCH 10/13] fix(quality): unused imports etc

---
 CHANGELOG.md                                  |   4 +
 app/(main)/[userUrlId]/[filename]/page.tsx    |   4 -
 app/(main)/auth/alpha-migration/page.tsx      | 690 +++++++++---------
 app/(main)/blog/[slug]/page.tsx               |  42 +-
 app/(main)/blog/page.tsx                      |  55 +-
 app/(main)/dashboard/bucket/page.tsx          | 145 ++--
 app/(main)/dashboard/client.tsx               |   2 +-
 app/(main)/dashboard/squads/client.tsx        | 138 +++-
 .../components/theme/theme-initializer.tsx    |  16 +-
 packages/types/react-jsx-compat.d.ts          |  17 +-
 ...e-passwords.js => hash-file-passwords.mjs} |   4 +-
 .../{migrate-config.js => migrate-config.mjs} |   3 +-
 12 files changed, 672 insertions(+), 448 deletions(-)
 rename scripts/{hash-file-passwords.js => hash-file-passwords.mjs} (95%)
 rename scripts/{migrate-config.js => migrate-config.mjs} (98%)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index bed639a..eb51713 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -49,6 +49,10 @@ The format is based on "Keep a Changelog" and follows [Semantic Versioning](http
 - **TypeScript — Logger argument types in `sync-buckets.ts`** — `BucketSyncStats` was passed directly as a `logger.info` context argument (expects `Record<string, unknown>`); fixed by spreading with `{ ...stats }`. Two `logger.warn` calls passed raw `Error` objects where a context object is expected; fixed by passing `{ error: String(err) }`.
 - **TypeScript — `PaginationData.pages` property in `user-list.tsx`** — Three references used `.pages` on the `PaginationData` type returned by `useUserManagement`, which defines the property as `pageCount`. Corrected to `.pageCount`.
 - **TypeScript — `emailVerified` type mismatch in `app/api/files/route.ts`** — Prisma returns `emailVerified: Date | null` but `AuthenticatedUser` expects `boolean`. The squad-owner user object is now spread with `emailVerified: ownerUser.emailVerified !== null` before assignment.
+- **ESLint — `require()` imports in migration scripts** — `scripts/migrate-config.js` and `scripts/hash-file-passwords.js` used CommonJS `require()`, which is forbidden by the project's ESLint config. Both converted to ESM (`import`) and renamed to `.mjs`.
+- **ESLint — Empty interfaces in `react-jsx-compat.d.ts`** — Six `interface X extends Y {}` declarations with no added members replaced with `type X = Y` aliases, satisfying `@typescript-eslint/no-empty-object-type`.
+- **ESLint — Unused variables across multiple files** — Removed or prefixed unused imports and variables flagged by `@typescript-eslint/no-unused-vars`: `Copy` in `bucket/page.tsx`, `User` in `blog/page.tsx`, `Share2`/`User` in `blog/[slug]/page.tsx`, `Footer`/`getConfig`/`providedPassword` in `[filename]/page.tsx`, `toast` in `squads/client.tsx`, `codeSent` state in `alpha-migration/page.tsx`, and `userName` parameter in `dashboard/client.tsx`.
+- **ESLint — `let` → `const` in `theme-initializer.tsx`** — `cssVariables` was declared with `let` but never reassigned; declaration moved to the single assignment site as `const`.
 
 ## [2.4.5] - 2026-06-02
 
diff --git a/app/(main)/[userUrlId]/[filename]/page.tsx b/app/(main)/[userUrlId]/[filename]/page.tsx
index 9d0cd4e..0d2dae3 100644
--- a/app/(main)/[userUrlId]/[filename]/page.tsx
+++ b/app/(main)/[userUrlId]/[filename]/page.tsx
@@ -9,7 +9,6 @@ import { getServerSession } from 'next-auth'
 
 import { ProtectedFile } from '@/packages/components/file/protected-file'
 import { DynamicBackground } from '@/packages/components/layout/dynamic-background'
-import { Footer } from '@/packages/components/layout/footer'
 import { Icons } from '@/packages/components/shared/icons'
 import {
   Avatar,
@@ -21,7 +20,6 @@ import { Card } from '@/packages/components/ui/card'
 import { Input } from '@/packages/components/ui/input'
 
 import { authOptions } from '@/packages/lib/auth'
-import { getConfig } from '@/packages/lib/config'
 import { prisma } from '@/packages/lib/database/prisma'
 import {
   buildDirectMediaMetadata,
@@ -103,7 +101,6 @@ export async function generateMetadata({
   const urlPath = `/${userUrlId}/${filename}`
   const headersList = await headers()
   const session = await getServerSession(authOptions)
-  const providedPassword = (await searchParams).password as string | undefined
 
   // Find the file
   const file = await findFileByUrlPath(userUrlId, filename, {
@@ -167,7 +164,6 @@ export default async function FilePage({
   searchParams,
 }: FilePageProps) {
   const session = await getServerSession(authOptions)
-  const config = await getConfig()
   const { userUrlId, filename } = await params
   const urlPath = `/${userUrlId}/${filename}`
   const providedPassword = (await searchParams).password as string | undefined
diff --git a/app/(main)/auth/alpha-migration/page.tsx b/app/(main)/auth/alpha-migration/page.tsx
index c0ed072..f0cc288 100644
--- a/app/(main)/auth/alpha-migration/page.tsx
+++ b/app/(main)/auth/alpha-migration/page.tsx
@@ -3,10 +3,25 @@
 import { useEffect, useState } from 'react'
 import { useSession } from 'next-auth/react'
 import { useRouter } from 'next/navigation'
-import { CheckCircle, Gift, Globe, Loader2, Mail, Send, Sparkles, Shield } from 'lucide-react'
+import {
+  CheckCircle,
+  Gift,
+  Globe,
+  Loader2,
+  Mail,
+  Send,
+  Sparkles,
+  Shield,
+} from 'lucide-react'
 
 import { Button } from '@/packages/components/ui/button'
-import { Card, CardContent, CardDescription, CardHeader, CardTitle } from '@/packages/components/ui/card'
+import {
+  Card,
+  CardContent,
+  CardDescription,
+  CardHeader,
+  CardTitle,
+} from '@/packages/components/ui/card'
 import { Input } from '@/packages/components/ui/input'
 import { Label } from '@/packages/components/ui/label'
 import { Alert, AlertDescription } from '@/packages/components/ui/alert'
@@ -14,342 +29,357 @@ import { Badge } from '@/packages/components/ui/badge'
 import { DynamicBackground } from '@/packages/components/layout/dynamic-background'
 
 export default function AlphaMigrationPage() {
-    const { data: session, status, update } = useSession()
-    const router = useRouter()
-
-    const [step, setStep] = useState<'confirm' | 'verify' | 'complete'>('confirm')
-    const [email, setEmail] = useState('')
-    const [verificationCode, setVerificationCode] = useState('')
-    const [isLoading, setIsLoading] = useState(false)
-    const [error, setError] = useState('')
-    const [success, setSuccess] = useState('')
-    const [codeSent, setCodeSent] = useState(false)
-
-    useEffect(() => {
-        if (status === 'loading') return
-
-        // Not logged in - redirect to login
-        if (!session?.user) {
-            router.push('/auth/login')
-            return
-        }
-
-        // Set current email
-        setEmail(session.user.email || '')
-    }, [session, status, router])
-
-    const handleSendVerification = async () => {
-        setIsLoading(true)
-        setError('')
-        setSuccess('')
-
-        try {
-            const response = await fetch('/api/auth/alpha-migration', {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ email, action: 'send-verification' }),
-            })
-
-            const data = await response.json()
-
-            if (!response.ok) {
-                setError(data.error || 'Failed to send verification email')
-                return
-            }
-
-            setSuccess('Verification code sent! Check your email.')
-            setCodeSent(true)
-            setStep('verify')
-        } catch {
-            setError('An error occurred. Please try again.')
-        } finally {
-            setIsLoading(false)
-        }
+  const { data: session, status, update } = useSession()
+  const router = useRouter()
+
+  const [step, setStep] = useState<'confirm' | 'verify' | 'complete'>('confirm')
+  const [email, setEmail] = useState('')
+  const [verificationCode, setVerificationCode] = useState('')
+  const [isLoading, setIsLoading] = useState(false)
+  const [error, setError] = useState('')
+  const [success, setSuccess] = useState('')
+  useEffect(() => {
+    if (status === 'loading') return
+
+    // Not logged in - redirect to login
+    if (!session?.user) {
+      router.push('/auth/login')
+      return
     }
 
-    const handleVerifyCode = async () => {
-        setIsLoading(true)
-        setError('')
-        setSuccess('')
-
-        try {
-            const response = await fetch('/api/auth/alpha-migration', {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ email, code: verificationCode, action: 'verify' }),
-            })
-
-            const data = await response.json()
-
-            if (!response.ok) {
-                setError(data.error || 'Verification failed')
-                return
-            }
-
-            setSuccess('Email verified successfully!')
-            setStep('complete')
-
-            // Refresh the session to update needsAlphaMigration flag
-            await update()
-
-            // Redirect to dashboard after a short delay
-            setTimeout(() => {
-                router.push('/dashboard')
-            }, 2000)
-        } catch {
-            setError('An error occurred. Please try again.')
-        } finally {
-            setIsLoading(false)
-        }
+    // Set current email
+    setEmail(session.user.email || '')
+  }, [session, status, router])
+
+  const handleSendVerification = async () => {
+    setIsLoading(true)
+    setError('')
+    setSuccess('')
+
+    try {
+      const response = await fetch('/api/auth/alpha-migration', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ email, action: 'send-verification' }),
+      })
+
+      const data = await response.json()
+
+      if (!response.ok) {
+        setError(data.error || 'Failed to send verification email')
+        return
+      }
+
+      setSuccess('Verification code sent! Check your email.')
+      setStep('verify')
+    } catch {
+      setError('An error occurred. Please try again.')
+    } finally {
+      setIsLoading(false)
     }
-
-    const handleResendCode = async () => {
-        setIsLoading(true)
-        setError('')
-
-        try {
-            const response = await fetch('/api/auth/alpha-migration', {
-                method: 'POST',
-                headers: { 'Content-Type': 'application/json' },
-                body: JSON.stringify({ email, action: 'send-verification' }),
-            })
-
-            const data = await response.json()
-
-            if (!response.ok) {
-                setError(data.error || 'Failed to resend code')
-                return
-            }
-
-            setSuccess('New verification code sent!')
-        } catch {
-            setError('An error occurred. Please try again.')
-        } finally {
-            setIsLoading(false)
-        }
+  }
+
+  const handleVerifyCode = async () => {
+    setIsLoading(true)
+    setError('')
+    setSuccess('')
+
+    try {
+      const response = await fetch('/api/auth/alpha-migration', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          email,
+          code: verificationCode,
+          action: 'verify',
+        }),
+      })
+
+      const data = await response.json()
+
+      if (!response.ok) {
+        setError(data.error || 'Verification failed')
+        return
+      }
+
+      setSuccess('Email verified successfully!')
+      setStep('complete')
+
+      // Refresh the session to update needsAlphaMigration flag
+      await update()
+
+      // Redirect to dashboard after a short delay
+      setTimeout(() => {
+        router.push('/dashboard')
+      }, 2000)
+    } catch {
+      setError('An error occurred. Please try again.')
+    } finally {
+      setIsLoading(false)
     }
-
-    if (status === 'loading') {
-        return (
-            <div className="min-h-screen flex items-center justify-center bg-gradient-to-br from-background via-background to-primary/5">
-                <Loader2 className="h-8 w-8 animate-spin text-primary" />
-            </div>
-        )
+  }
+
+  const handleResendCode = async () => {
+    setIsLoading(true)
+    setError('')
+
+    try {
+      const response = await fetch('/api/auth/alpha-migration', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ email, action: 'send-verification' }),
+      })
+
+      const data = await response.json()
+
+      if (!response.ok) {
+        setError(data.error || 'Failed to resend code')
+        return
+      }
+
+      setSuccess('New verification code sent!')
+    } catch {
+      setError('An error occurred. Please try again.')
+    } finally {
+      setIsLoading(false)
     }
+  }
 
+  if (status === 'loading') {
     return (
-        <div className="min-h-screen flex items-center justify-center p-4">
-            <DynamicBackground />
-            <div className="w-full max-w-xl space-y-6">
-                {/* Hero Header */}
-                <div className="text-center space-y-3">
-                    <div className="inline-flex items-center gap-2 px-3 py-1.5 rounded-full bg-primary/10 text-primary text-sm font-medium">
-                        <Sparkles className="h-4 w-4" />
-                        Alpha Supporter
+      <div className="min-h-screen flex items-center justify-center bg-gradient-to-br from-background via-background to-primary/5">
+        <Loader2 className="h-8 w-8 animate-spin text-primary" />
+      </div>
+    )
+  }
+
+  return (
+    <div className="min-h-screen flex items-center justify-center p-4">
+      <DynamicBackground />
+      <div className="w-full max-w-xl space-y-6">
+        {/* Hero Header */}
+        <div className="text-center space-y-3">
+          <div className="inline-flex items-center gap-2 px-3 py-1.5 rounded-full bg-primary/10 text-primary text-sm font-medium">
+            <Sparkles className="h-4 w-4" />
+            Alpha Supporter
+          </div>
+          <h1 className="text-3xl font-bold tracking-tight">
+            {step === 'complete' ? 'Welcome Back!' : 'One Quick Step'}
+          </h1>
+          <p className="text-muted-foreground max-w-md mx-auto">
+            {step === 'complete'
+              ? 'Your account has been upgraded with your alpha supporter benefits.'
+              : 'Thank you for being an early supporter of Emberly. We just need to verify your email to unlock your account.'}
+          </p>
+        </div>
+
+        {/* Alpha Reward Card */}
+        {step !== 'complete' && (
+          <Card className="border-primary/20 bg-gradient-to-br from-primary/5 via-transparent to-transparent">
+            <CardContent className="p-5">
+              <div className="flex items-start gap-4">
+                <div className="p-2.5 rounded-xl bg-primary/10">
+                  <Gift className="h-6 w-6 text-primary" />
+                </div>
+                <div className="flex-1 space-y-2">
+                  <div className="flex items-center gap-2">
+                    <h3 className="font-semibold">Alpha Supporter Reward</h3>
+                    <Badge variant="secondary" className="text-xs">
+                      Free
+                    </Badge>
+                  </div>
+                  <p className="text-sm text-muted-foreground">
+                    As a thank you for being an early adopter, you&apos;ll
+                    receive{' '}
+                    <strong className="text-foreground">
+                      +1 bonus custom domain slot
+                    </strong>{' '}
+                    completely free when you verify your email.
+                  </p>
+                  <div className="flex items-center gap-4 pt-1 text-sm">
+                    <div className="flex items-center gap-1.5 text-muted-foreground">
+                      <Globe className="h-4 w-4 text-primary" />
+                      <span>Custom domain</span>
                     </div>
-                    <h1 className="text-3xl font-bold tracking-tight">
-                        {step === 'complete' ? 'Welcome Back!' : 'One Quick Step'}
-                    </h1>
-                    <p className="text-muted-foreground max-w-md mx-auto">
-                        {step === 'complete'
-                            ? 'Your account has been upgraded with your alpha supporter benefits.'
-                            : 'Thank you for being an early supporter of Emberly. We just need to verify your email to unlock your account.'}
-                    </p>
+                    <div className="flex items-center gap-1.5 text-muted-foreground">
+                      <Shield className="h-4 w-4 text-primary" />
+                      <span>Secured account</span>
+                    </div>
+                  </div>
                 </div>
-
-                {/* Alpha Reward Card */}
-                {step !== 'complete' && (
-                    <Card className="border-primary/20 bg-gradient-to-br from-primary/5 via-transparent to-transparent">
-                        <CardContent className="p-5">
-                            <div className="flex items-start gap-4">
-                                <div className="p-2.5 rounded-xl bg-primary/10">
-                                    <Gift className="h-6 w-6 text-primary" />
-                                </div>
-                                <div className="flex-1 space-y-2">
-                                    <div className="flex items-center gap-2">
-                                        <h3 className="font-semibold">Alpha Supporter Reward</h3>
-                                        <Badge variant="secondary" className="text-xs">Free</Badge>
-                                    </div>
-                                    <p className="text-sm text-muted-foreground">
-                                        As a thank you for being an early adopter, you&apos;ll receive <strong className="text-foreground">+1 bonus custom domain slot</strong> completely free when you verify your email.
-                                    </p>
-                                    <div className="flex items-center gap-4 pt-1 text-sm">
-                                        <div className="flex items-center gap-1.5 text-muted-foreground">
-                                            <Globe className="h-4 w-4 text-primary" />
-                                            <span>Custom domain</span>
-                                        </div>
-                                        <div className="flex items-center gap-1.5 text-muted-foreground">
-                                            <Shield className="h-4 w-4 text-primary" />
-                                            <span>Secured account</span>
-                                        </div>
-                                    </div>
-                                </div>
-                            </div>
-                        </CardContent>
-                    </Card>
-                )}
-
-                {/* Main Card */}
-                <Card className="shadow-lg">
-                    <CardHeader className="text-center pb-2">
-                        <div className="mx-auto p-3 rounded-full bg-primary/10 w-fit mb-3">
-                            {step === 'complete' ? (
-                                <CheckCircle className="h-8 w-8 text-green-500" />
-                            ) : (
-                                <Mail className="h-8 w-8 text-primary" />
-                            )}
-                        </div>
-                        <CardTitle className="text-xl">
-                            {step === 'complete' ? 'Migration Complete!' : 'Verify Your Email'}
-                        </CardTitle>
-                        <CardDescription>
-                            {step === 'complete'
-                                ? 'Your bonus domain slot has been added to your account.'
-                                : 'Verify your email to secure your account and claim your reward.'}
-                        </CardDescription>
-                    </CardHeader>
-
-                    <CardContent className="space-y-5 pt-2">
-                        {error && (
-                            <Alert variant="destructive">
-                                <AlertDescription>{error}</AlertDescription>
-                            </Alert>
-                        )}
-
-                        {success && step !== 'complete' && (
-                            <Alert className="border-green-500/30 bg-green-500/10">
-                                <CheckCircle className="h-4 w-4 text-green-500" />
-                                <AlertDescription className="text-green-700 dark:text-green-400">{success}</AlertDescription>
-                            </Alert>
-                        )}
-
-                        {step === 'confirm' && (
-                            <div className="space-y-4">
-                                <div className="space-y-2">
-                                    <Label htmlFor="email">Email Address</Label>
-                                    <Input
-                                        id="email"
-                                        type="email"
-                                        value={email}
-                                        onChange={(e) => setEmail(e.target.value)}
-                                        placeholder="your@email.com"
-                                        className="h-11"
-                                    />
-                                    <p className="text-xs text-muted-foreground">
-                                        We&apos;ll send a 6 digit verification code to this address.
-                                    </p>
-                                </div>
-
-                                <Button
-                                    onClick={handleSendVerification}
-                                    disabled={isLoading || !email}
-                                    className="w-full h-11"
-                                    size="lg"
-                                >
-                                    {isLoading ? (
-                                        <>
-                                            <Loader2 className="mr-2 h-4 w-4 animate-spin" />
-                                            Sending...
-                                        </>
-                                    ) : (
-                                        <>
-                                            <Send className="mr-2 h-4 w-4" />
-                                            Send Verification Code
-                                        </>
-                                    )}
-                                </Button>
-                            </div>
-                        )}
-
-                        {step === 'verify' && (
-                            <div className="space-y-4">
-                                <div className="space-y-2">
-                                    <Label htmlFor="code">Verification Code</Label>
-                                    <Input
-                                        id="code"
-                                        type="text"
-                                        value={verificationCode}
-                                        onChange={(e) => setVerificationCode(e.target.value.replace(/\D/g, ''))}
-                                        placeholder="000000"
-                                        maxLength={6}
-                                        className="h-11 text-center text-2xl tracking-[0.5em] font-mono"
-                                    />
-                                    <p className="text-xs text-muted-foreground text-center">
-                                        Enter the code sent to <strong>{email}</strong>
-                                    </p>
-                                </div>
-
-                                <Button
-                                    onClick={handleVerifyCode}
-                                    disabled={isLoading || verificationCode.length < 6}
-                                    className="w-full h-11"
-                                    size="lg"
-                                >
-                                    {isLoading ? (
-                                        <>
-                                            <Loader2 className="mr-2 h-4 w-4 animate-spin" />
-                                            Verifying...
-                                        </>
-                                    ) : (
-                                        <>
-                                            <CheckCircle className="mr-2 h-4 w-4" />
-                                            Verify & Claim Reward
-                                        </>
-                                    )}
-                                </Button>
-
-                                <div className="flex items-center justify-between pt-2">
-                                    <Button
-                                        variant="ghost"
-                                        size="sm"
-                                        onClick={() => {
-                                            setStep('confirm')
-                                            setCodeSent(false)
-                                            setVerificationCode('')
-                                        }}
-                                        disabled={isLoading}
-                                        className="text-muted-foreground"
-                                    >
-                                        Change email
-                                    </Button>
-                                    <Button
-                                        variant="ghost"
-                                        size="sm"
-                                        onClick={handleResendCode}
-                                        disabled={isLoading}
-                                        className="text-muted-foreground"
-                                    >
-                                        Resend code
-                                    </Button>
-                                </div>
-                            </div>
-                        )}
-
-                        {step === 'complete' && (
-                            <div className="text-center space-y-5">
-                                <div className="p-4 rounded-xl bg-green-500/10 border border-green-500/20">
-                                    <div className="flex items-center justify-center gap-2 text-green-600 dark:text-green-400 font-medium">
-                                        <Gift className="h-5 w-5" />
-                                        <span>+1 Custom Domain Slot Added</span>
-                                    </div>
-                                </div>
-                                <div className="flex items-center justify-center gap-2 text-muted-foreground">
-                                    <Loader2 className="h-4 w-4 animate-spin" />
-                                    <span>Redirecting to dashboard...</span>
-                                </div>
-                            </div>
-                        )}
-                    </CardContent>
-                </Card>
-
-                {/* Footer Note */}
-                {step !== 'complete' && (
-                    <p className="text-center text-xs text-muted-foreground">
-                        During our alpha stages, we didn&apos;t have email verification. This one time step ensures
-                        your account is secure and enables password recovery.
-                    </p>
-                )}
+              </div>
+            </CardContent>
+          </Card>
+        )}
+
+        {/* Main Card */}
+        <Card className="shadow-lg">
+          <CardHeader className="text-center pb-2">
+            <div className="mx-auto p-3 rounded-full bg-primary/10 w-fit mb-3">
+              {step === 'complete' ? (
+                <CheckCircle className="h-8 w-8 text-green-500" />
+              ) : (
+                <Mail className="h-8 w-8 text-primary" />
+              )}
             </div>
-        </div>
-    )
+            <CardTitle className="text-xl">
+              {step === 'complete'
+                ? 'Migration Complete!'
+                : 'Verify Your Email'}
+            </CardTitle>
+            <CardDescription>
+              {step === 'complete'
+                ? 'Your bonus domain slot has been added to your account.'
+                : 'Verify your email to secure your account and claim your reward.'}
+            </CardDescription>
+          </CardHeader>
+
+          <CardContent className="space-y-5 pt-2">
+            {error && (
+              <Alert variant="destructive">
+                <AlertDescription>{error}</AlertDescription>
+              </Alert>
+            )}
+
+            {success && step !== 'complete' && (
+              <Alert className="border-green-500/30 bg-green-500/10">
+                <CheckCircle className="h-4 w-4 text-green-500" />
+                <AlertDescription className="text-green-700 dark:text-green-400">
+                  {success}
+                </AlertDescription>
+              </Alert>
+            )}
+
+            {step === 'confirm' && (
+              <div className="space-y-4">
+                <div className="space-y-2">
+                  <Label htmlFor="email">Email Address</Label>
+                  <Input
+                    id="email"
+                    type="email"
+                    value={email}
+                    onChange={(e) => setEmail(e.target.value)}
+                    placeholder="your@email.com"
+                    className="h-11"
+                  />
+                  <p className="text-xs text-muted-foreground">
+                    We&apos;ll send a 6 digit verification code to this address.
+                  </p>
+                </div>
+
+                <Button
+                  onClick={handleSendVerification}
+                  disabled={isLoading || !email}
+                  className="w-full h-11"
+                  size="lg"
+                >
+                  {isLoading ? (
+                    <>
+                      <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                      Sending...
+                    </>
+                  ) : (
+                    <>
+                      <Send className="mr-2 h-4 w-4" />
+                      Send Verification Code
+                    </>
+                  )}
+                </Button>
+              </div>
+            )}
+
+            {step === 'verify' && (
+              <div className="space-y-4">
+                <div className="space-y-2">
+                  <Label htmlFor="code">Verification Code</Label>
+                  <Input
+                    id="code"
+                    type="text"
+                    value={verificationCode}
+                    onChange={(e) =>
+                      setVerificationCode(e.target.value.replace(/\D/g, ''))
+                    }
+                    placeholder="000000"
+                    maxLength={6}
+                    className="h-11 text-center text-2xl tracking-[0.5em] font-mono"
+                  />
+                  <p className="text-xs text-muted-foreground text-center">
+                    Enter the code sent to <strong>{email}</strong>
+                  </p>
+                </div>
+
+                <Button
+                  onClick={handleVerifyCode}
+                  disabled={isLoading || verificationCode.length < 6}
+                  className="w-full h-11"
+                  size="lg"
+                >
+                  {isLoading ? (
+                    <>
+                      <Loader2 className="mr-2 h-4 w-4 animate-spin" />
+                      Verifying...
+                    </>
+                  ) : (
+                    <>
+                      <CheckCircle className="mr-2 h-4 w-4" />
+                      Verify & Claim Reward
+                    </>
+                  )}
+                </Button>
+
+                <div className="flex items-center justify-between pt-2">
+                  <Button
+                    variant="ghost"
+                    size="sm"
+                    onClick={() => {
+                      setStep('confirm')
+                      setCodeSent(false)
+                      setVerificationCode('')
+                    }}
+                    disabled={isLoading}
+                    className="text-muted-foreground"
+                  >
+                    Change email
+                  </Button>
+                  <Button
+                    variant="ghost"
+                    size="sm"
+                    onClick={handleResendCode}
+                    disabled={isLoading}
+                    className="text-muted-foreground"
+                  >
+                    Resend code
+                  </Button>
+                </div>
+              </div>
+            )}
+
+            {step === 'complete' && (
+              <div className="text-center space-y-5">
+                <div className="p-4 rounded-xl bg-green-500/10 border border-green-500/20">
+                  <div className="flex items-center justify-center gap-2 text-green-600 dark:text-green-400 font-medium">
+                    <Gift className="h-5 w-5" />
+                    <span>+1 Custom Domain Slot Added</span>
+                  </div>
+                </div>
+                <div className="flex items-center justify-center gap-2 text-muted-foreground">
+                  <Loader2 className="h-4 w-4 animate-spin" />
+                  <span>Redirecting to dashboard...</span>
+                </div>
+              </div>
+            )}
+          </CardContent>
+        </Card>
+
+        {/* Footer Note */}
+        {step !== 'complete' && (
+          <p className="text-center text-xs text-muted-foreground">
+            During our alpha stages, we didn&apos;t have email verification.
+            This one time step ensures your account is secure and enables
+            password recovery.
+          </p>
+        )}
+      </div>
+    </div>
+  )
 }
diff --git a/app/(main)/blog/[slug]/page.tsx b/app/(main)/blog/[slug]/page.tsx
index 881f371..ab95c52 100644
--- a/app/(main)/blog/[slug]/page.tsx
+++ b/app/(main)/blog/[slug]/page.tsx
@@ -4,7 +4,7 @@ import type { Metadata } from 'next'
 
 import { format, formatDistanceToNow } from 'date-fns'
 import GithubSlugger from 'github-slugger'
-import { ArrowLeft, Calendar, User, Clock, Share2 } from 'lucide-react'
+import { ArrowLeft, Calendar, Clock } from 'lucide-react'
 
 import BlogToc, { BlogHeading } from '@/packages/components/shared/BlogToc'
 import MarkdownRenderer from '@/packages/components/shared/MarkdownRenderer'
@@ -14,7 +14,11 @@ import { getPostBySlug } from '@/packages/lib/blog'
 
 type ParamsPromise = Promise<{ slug: string }>
 
-export async function generateMetadata({ params }: { params: ParamsPromise }): Promise<Metadata> {
+export async function generateMetadata({
+  params,
+}: {
+  params: ParamsPromise
+}): Promise<Metadata> {
   const resolved = await params
   const post = await getPostBySlug(resolved.slug, true)
 
@@ -73,12 +77,20 @@ export default async function PostPage({ params }: { params: ParamsPromise }) {
   const readTime = estimateReadTime(post.content || '')
 
   return (
-    <PageShell title={post.title} subtitle={post.excerpt ?? 'Blog post'} bodyVariant="plain">
+    <PageShell
+      title={post.title}
+      subtitle={post.excerpt ?? 'Blog post'}
+      bodyVariant="plain"
+    >
       <section className="mx-auto px-4 max-w-7xl">
         {/* Back button */}
         <div className="mb-6">
           <Link href="/blog">
-            <Button variant="ghost" size="sm" className="gap-2 text-muted-foreground hover:text-foreground">
+            <Button
+              variant="ghost"
+              size="sm"
+              className="gap-2 text-muted-foreground hover:text-foreground"
+            >
               <ArrowLeft className="h-4 w-4" />
               Back to blog
             </Button>
@@ -115,7 +127,9 @@ export default async function PostPage({ params }: { params: ParamsPromise }) {
                       <div className="font-medium">
                         {post.author?.name ?? 'Unknown author'}
                       </div>
-                      <div className="text-sm text-muted-foreground">Author</div>
+                      <div className="text-sm text-muted-foreground">
+                        Author
+                      </div>
                     </div>
                   </div>
 
@@ -127,9 +141,15 @@ export default async function PostPage({ params }: { params: ParamsPromise }) {
                     {post.publishedAt && (
                       <div className="flex items-center gap-1.5">
                         <Calendar className="h-4 w-4" />
-                        <span>{format(new Date(post.publishedAt), 'MMMM d, yyyy')}</span>
+                        <span>
+                          {format(new Date(post.publishedAt), 'MMMM d, yyyy')}
+                        </span>
                         <span className="text-muted-foreground/60">
-                          ({formatDistanceToNow(new Date(post.publishedAt), { addSuffix: true })})
+                          (
+                          {formatDistanceToNow(new Date(post.publishedAt), {
+                            addSuffix: true,
+                          })}
+                          )
                         </span>
                       </div>
                     )}
@@ -157,13 +177,13 @@ export default async function PostPage({ params }: { params: ParamsPromise }) {
                 <div className="flex flex-col sm:flex-row items-center justify-between gap-4">
                   <div className="text-center sm:text-left">
                     <p className="font-medium">Enjoyed this article?</p>
-                    <p className="text-sm text-muted-foreground">Share it with others or check out more posts.</p>
+                    <p className="text-sm text-muted-foreground">
+                      Share it with others or check out more posts.
+                    </p>
                   </div>
                   <div className="flex items-center gap-3">
                     <Link href="/blog">
-                      <Button variant="outline">
-                        More posts
-                      </Button>
+                      <Button variant="outline">More posts</Button>
                     </Link>
                   </div>
                 </div>
diff --git a/app/(main)/blog/page.tsx b/app/(main)/blog/page.tsx
index 12780ab..ddfad54 100644
--- a/app/(main)/blog/page.tsx
+++ b/app/(main)/blog/page.tsx
@@ -1,7 +1,14 @@
 import Link from 'next/link'
 
 import { format, formatDistanceToNow } from 'date-fns'
-import { Calendar, User, ArrowRight, BookOpen, MessageCircle, ExternalLink, FileText } from 'lucide-react'
+import {
+  Calendar,
+  ArrowRight,
+  BookOpen,
+  MessageCircle,
+  ExternalLink,
+  FileText,
+} from 'lucide-react'
 
 import { listPosts } from '@/packages/lib/blog'
 import PageShell from '@/packages/components/layout/PageShell'
@@ -10,14 +17,19 @@ import { buildPageMetadata } from '@/packages/lib/embeds/metadata'
 
 export const metadata = buildPageMetadata({
   title: 'Blog',
-  description: 'News, tips and updates about Emberly and file sharing best practices.',
+  description:
+    'News, tips and updates about Emberly and file sharing best practices.',
 })
 
 export default async function BlogListPage() {
   const posts = await listPosts({ publishedOnly: true, limit: 20, offset: 0 })
 
   return (
-    <PageShell title="Emberly Blog" subtitle="News, tips and updates about Emberly and file sharing best practices." bodyVariant="plain">
+    <PageShell
+      title="Emberly Blog"
+      subtitle="News, tips and updates about Emberly and file sharing best practices."
+      bodyVariant="plain"
+    >
       <div className="max-w-7xl mx-auto px-4">
         <div className="grid grid-cols-1 lg:grid-cols-3 gap-8">
           {/* Main content - Blog posts */}
@@ -30,15 +42,20 @@ export default async function BlogListPage() {
                   </div>
                   <div className="space-y-1">
                     <p className="font-medium">No posts yet</p>
-                    <p className="text-sm text-muted-foreground">Check back soon for updates!</p>
+                    <p className="text-sm text-muted-foreground">
+                      Check back soon for updates!
+                    </p>
                   </div>
                 </div>
               </div>
             ) : (
               posts.map((p, index) => (
-                <Link key={p.id} href={`/blog/${p.slug}`} className="block group">
+                <Link
+                  key={p.id}
+                  href={`/blog/${p.slug}`}
+                  className="block group"
+                >
                   <article className="glass-subtle glass-hover overflow-hidden">
-
                     {/* Featured badge for first post */}
                     {index === 0 && (
                       <div className="absolute top-3 right-3 sm:top-4 sm:right-4">
@@ -88,9 +105,15 @@ export default async function BlogListPage() {
                           {p.publishedAt && (
                             <div className="flex items-center gap-1.5 text-xs sm:text-sm text-muted-foreground">
                               <Calendar className="h-3 w-3 sm:h-3.5 sm:w-3.5" />
-                              <span>{format(new Date(p.publishedAt), 'MMM d, yyyy')}</span>
+                              <span>
+                                {format(new Date(p.publishedAt), 'MMM d, yyyy')}
+                              </span>
                               <span className="text-muted-foreground/60 hidden sm:inline">
-                                ({formatDistanceToNow(new Date(p.publishedAt), { addSuffix: true })})
+                                (
+                                {formatDistanceToNow(new Date(p.publishedAt), {
+                                  addSuffix: true,
+                                })}
+                                )
                               </span>
                             </div>
                           )}
@@ -122,7 +145,9 @@ export default async function BlogListPage() {
                     <h3 className="font-semibold">About this blog</h3>
                   </div>
                   <p className="text-sm text-muted-foreground leading-relaxed">
-                    Announcements, how-to guides, and updates from the Emberly team. Stay up to date with the latest features and best practices.
+                    Announcements, how-to guides, and updates from the Emberly
+                    team. Stay up to date with the latest features and best
+                    practices.
                   </p>
                 </div>
               </div>
@@ -130,7 +155,9 @@ export default async function BlogListPage() {
               {/* Quick Links card */}
               <div className="glass-subtle overflow-hidden">
                 <div className="p-5">
-                  <h4 className="text-sm font-semibold uppercase tracking-wide text-muted-foreground mb-4">Quick Links</h4>
+                  <h4 className="text-sm font-semibold uppercase tracking-wide text-muted-foreground mb-4">
+                    Quick Links
+                  </h4>
                   <ul className="space-y-3">
                     <li>
                       <Link
@@ -168,8 +195,12 @@ export default async function BlogListPage() {
               <div className="glass-subtle overflow-hidden">
                 <div className="p-5">
                   <div className="text-center">
-                    <div className="text-3xl font-bold text-primary">{posts.length}</div>
-                    <div className="text-sm text-muted-foreground mt-1">Published articles</div>
+                    <div className="text-3xl font-bold text-primary">
+                      {posts.length}
+                    </div>
+                    <div className="text-sm text-muted-foreground mt-1">
+                      Published articles
+                    </div>
                   </div>
                 </div>
               </div>
diff --git a/app/(main)/dashboard/bucket/page.tsx b/app/(main)/dashboard/bucket/page.tsx
index b8cbc81..2bb6b20 100644
--- a/app/(main)/dashboard/bucket/page.tsx
+++ b/app/(main)/dashboard/bucket/page.tsx
@@ -1,6 +1,6 @@
 import { redirect } from 'next/navigation'
 import { getServerSession } from 'next-auth'
-import { AlertTriangle, Copy, Key, Server } from 'lucide-react'
+import { AlertTriangle, Key, Server } from 'lucide-react'
 
 import { authOptions } from '@/packages/lib/auth'
 import { prisma } from '@/packages/lib/database/prisma'
@@ -13,12 +13,26 @@ export const metadata = buildPageMetadata({
   description: 'View your dedicated S3 storage bucket credentials and status.',
 })
 
-function CredentialRow({ label, value, mono = true }: { label: string; value: string; mono?: boolean }) {
+function CredentialRow({
+  label,
+  value,
+  mono = true,
+}: {
+  label: string
+  value: string
+  mono?: boolean
+}) {
   return (
     <div className="flex flex-col gap-1 py-3 border-b border-border/40 last:border-0">
-      <span className="text-xs font-medium uppercase tracking-wide text-muted-foreground">{label}</span>
+      <span className="text-xs font-medium uppercase tracking-wide text-muted-foreground">
+        {label}
+      </span>
       <div className="flex items-center gap-2">
-        <span className={`text-sm text-foreground break-all ${mono ? 'font-mono' : ''}`}>{value}</span>
+        <span
+          className={`text-sm text-foreground break-all ${mono ? 'font-mono' : ''}`}
+        >
+          {value}
+        </span>
       </div>
     </div>
   )
@@ -76,10 +90,16 @@ export default async function BucketPage() {
   let autoProvisionFailed = false
 
   if (!bucket && user && activeStorageSub?.stripeSubscriptionId) {
-    const metadata = (activeStorageSub.metadata || {}) as Record<string, unknown>
-    const region = typeof metadata.location === 'string' ? metadata.location : null
-    const tierFromMetadata = typeof metadata.tier === 'string' ? metadata.tier : null
-    const tierFromSlug = activeStorageSub.product.slug?.replace('storage-bucket-', '') || null
+    const metadata = (activeStorageSub.metadata || {}) as Record<
+      string,
+      unknown
+    >
+    const region =
+      typeof metadata.location === 'string' ? metadata.location : null
+    const tierFromMetadata =
+      typeof metadata.tier === 'string' ? metadata.tier : null
+    const tierFromSlug =
+      activeStorageSub.product.slug?.replace('storage-bucket-', '') || null
 
     try {
       await provisionBucketForUserSubscription({
@@ -117,21 +137,25 @@ export default async function BucketPage() {
 
   if (!bucket) {
     return (
-      <DashboardShell header={
-        <div className="glass-card">
-          <div className="p-8">
-            <div className="flex items-center gap-3 mb-2">
-              <div className="p-2.5 rounded-xl bg-primary/20">
-                <Server className="h-5 w-5 text-primary" />
+      <DashboardShell
+        header={
+          <div className="glass-card">
+            <div className="p-8">
+              <div className="flex items-center gap-3 mb-2">
+                <div className="p-2.5 rounded-xl bg-primary/20">
+                  <Server className="h-5 w-5 text-primary" />
+                </div>
+                <h1 className="text-3xl font-bold tracking-tight">
+                  Storage Bucket
+                </h1>
               </div>
-              <h1 className="text-3xl font-bold tracking-tight">Storage Bucket</h1>
+              <p className="text-muted-foreground mt-2">
+                Dedicated S3-compatible storage with unlimited capacity.
+              </p>
             </div>
-            <p className="text-muted-foreground mt-2">
-              Dedicated S3-compatible storage with unlimited capacity.
-            </p>
           </div>
-        </div>
-      }>
+        }
+      >
         {/* No bucket assigned */}
         <div className="glass-card">
           <div className="p-10 flex flex-col items-center text-center gap-4">
@@ -142,16 +166,20 @@ export default async function BucketPage() {
               <p className="text-lg font-semibold">No bucket assigned yet</p>
               {hasStorageSubscription ? (
                 <p className="text-sm text-muted-foreground mt-1 max-w-md">
-                  Your storage subscription is active, but your bucket credentials are not visible yet.
+                  Your storage subscription is active, but your bucket
+                  credentials are not visible yet.
                   {autoProvisionFailed
                     ? ' Automatic provisioning is still pending. Please refresh in a minute, and contact support if it remains unavailable.'
                     : ' We attempted automatic provisioning for this page load. Please refresh in a few seconds.'}
                 </p>
               ) : (
                 <p className="text-sm text-muted-foreground mt-1 max-w-md">
-                  You don&apos;t have a dedicated storage bucket assigned to your account. Purchase the
-                  Storage Bucket add-on on the{' '}
-                  <a href="/pricing#user-add-ons" className="text-primary underline underline-offset-2">
+                  You don&apos;t have a dedicated storage bucket assigned to
+                  your account. Purchase the Storage Bucket add-on on the{' '}
+                  <a
+                    href="/pricing#user-add-ons"
+                    className="text-primary underline underline-offset-2"
+                  >
                     pricing page
                   </a>{' '}
                   to instantly provision your bucket.
@@ -171,30 +199,39 @@ export default async function BucketPage() {
       : `${bucket.s3AccessKeyId.slice(0, 4)}••••`
 
   return (
-    <DashboardShell header={
-      <div className="glass-card">
-        <div className="p-8">
-          <div className="flex items-center gap-3 mb-2">
-            <div className="p-2.5 rounded-xl bg-primary/20">
-              <Server className="h-5 w-5 text-primary" />
-            </div>
-            <div>
-              <h1 className="text-3xl font-bold tracking-tight">Storage Bucket</h1>
-              <p className="text-sm text-muted-foreground">{bucket.name}</p>
+    <DashboardShell
+      header={
+        <div className="glass-card">
+          <div className="p-8">
+            <div className="flex items-center gap-3 mb-2">
+              <div className="p-2.5 rounded-xl bg-primary/20">
+                <Server className="h-5 w-5 text-primary" />
+              </div>
+              <div>
+                <h1 className="text-3xl font-bold tracking-tight">
+                  Storage Bucket
+                </h1>
+                <p className="text-sm text-muted-foreground">{bucket.name}</p>
+              </div>
             </div>
+            <p className="text-muted-foreground mt-2">
+              Your dedicated S3-compatible bucket. All storage quotas and upload
+              size limits are removed while your subscription is active.
+            </p>
           </div>
-          <p className="text-muted-foreground mt-2">
-            Your dedicated S3-compatible bucket. All storage quotas and upload size limits are removed while your subscription is active.
-          </p>
         </div>
-      </div>
-    }>
+      }
+    >
       {/* Security notice */}
       <div className="flex items-start gap-3 rounded-lg border border-amber-500/40 bg-amber-500/10 px-5 py-4 text-sm text-amber-700 dark:text-amber-400">
         <AlertTriangle className="mt-0.5 h-4 w-4 shrink-0" />
         <span>
-          Keep your credentials safe. Never expose your Secret Key publicly. If you believe your credentials have been compromised, contact{' '}
-          <a href="mailto:support@embrly.ca" className="underline underline-offset-2">
+          Keep your credentials safe. Never expose your Secret Key publicly. If
+          you believe your credentials have been compromised, contact{' '}
+          <a
+            href="mailto:support@embrly.ca"
+            className="underline underline-offset-2"
+          >
             support@embrly.ca
           </a>{' '}
           immediately.
@@ -211,11 +248,23 @@ export default async function BucketPage() {
           <CredentialRow label="Bucket Name" value={bucket.s3Bucket} />
           <CredentialRow label="Region" value={bucket.s3Region} />
           <CredentialRow label="Access Key ID" value={maskedKeyId} />
-          <CredentialRow label="Secret Access Key" value="Delivered by email on assignment — contact support if needed" mono={false} />
+          <CredentialRow
+            label="Secret Access Key"
+            value="Delivered by email on assignment — contact support if needed"
+            mono={false}
+          />
           {bucket.s3ForcePathStyle !== undefined && (
-            <CredentialRow label="Path-style URLs" value={bucket.s3ForcePathStyle ? 'Enabled' : 'Disabled'} mono={false} />
+            <CredentialRow
+              label="Path-style URLs"
+              value={bucket.s3ForcePathStyle ? 'Enabled' : 'Disabled'}
+              mono={false}
+            />
           )}
-          <CredentialRow label="Provider" value="Emberly Object Storage" mono={false} />
+          <CredentialRow
+            label="Provider"
+            value="Emberly Object Storage"
+            mono={false}
+          />
         </div>
       </div>
 
@@ -224,8 +273,12 @@ export default async function BucketPage() {
         <div className="p-6">
           <h2 className="text-lg font-semibold mb-3">Need help?</h2>
           <p className="text-sm text-muted-foreground">
-            Check your email for the full credentials sent when your bucket was assigned. For troubleshooting or to rotate your access key, contact{' '}
-            <a href="mailto:support@embrly.ca" className="text-primary underline underline-offset-2">
+            Check your email for the full credentials sent when your bucket was
+            assigned. For troubleshooting or to rotate your access key, contact{' '}
+            <a
+              href="mailto:support@embrly.ca"
+              className="text-primary underline underline-offset-2"
+            >
               support@embrly.ca
             </a>
             .
diff --git a/app/(main)/dashboard/client.tsx b/app/(main)/dashboard/client.tsx
index 5381bef..6ed4701 100644
--- a/app/(main)/dashboard/client.tsx
+++ b/app/(main)/dashboard/client.tsx
@@ -75,7 +75,7 @@ const quickActions = [
 ]
 
 export function DashboardIndex({
-  userName,
+  userName: _userName,
   fileCount,
   urlCount,
   storageUsed,
diff --git a/app/(main)/dashboard/squads/client.tsx b/app/(main)/dashboard/squads/client.tsx
index 25d8f3f..c77ae11 100644
--- a/app/(main)/dashboard/squads/client.tsx
+++ b/app/(main)/dashboard/squads/client.tsx
@@ -37,7 +37,12 @@ type SquadIncomingInvite = {
     _count: { members: number }
     maxSize: number
   }
-  invitedBy: { id: string; name: string | null; image: string | null; urlId: string }
+  invitedBy: {
+    id: string
+    name: string | null
+    image: string | null
+    urlId: string
+  }
 }
 
 type Squad = {
@@ -63,26 +68,63 @@ const STATUS_COLORS: Record<string, string> = {
 
 // -- Glass card wrappers -----------------------------------------------------
 
-function GlassCard({ children, className = '' }: { children: React.ReactNode; className?: string }) {
-  return <div className={`glass-card transition-all duration-300 ${className}`}>{children}</div>
+function GlassCard({
+  children,
+  className = '',
+}: {
+  children: React.ReactNode
+  className?: string
+}) {
+  return (
+    <div className={`glass-card transition-all duration-300 ${className}`}>
+      {children}
+    </div>
+  )
 }
 
-function GlassCardHeader({ children, className = '' }: { children: React.ReactNode; className?: string }) {
-  return <div className={`flex flex-col space-y-1.5 p-6 ${className}`}>{children}</div>
+function GlassCardHeader({
+  children,
+  className = '',
+}: {
+  children: React.ReactNode
+  className?: string
+}) {
+  return (
+    <div className={`flex flex-col space-y-1.5 p-6 ${className}`}>
+      {children}
+    </div>
+  )
 }
 
-function GlassCardTitle({ children, className = '' }: { children: React.ReactNode; className?: string }) {
-  return <h3 className={`font-semibold leading-none tracking-tight text-lg ${className}`}>{children}</h3>
+function GlassCardTitle({
+  children,
+  className = '',
+}: {
+  children: React.ReactNode
+  className?: string
+}) {
+  return (
+    <h3
+      className={`font-semibold leading-none tracking-tight text-lg ${className}`}
+    >
+      {children}
+    </h3>
+  )
 }
 
-function GlassCardContent({ children, className = '' }: { children: React.ReactNode; className?: string }) {
+function GlassCardContent({
+  children,
+  className = '',
+}: {
+  children: React.ReactNode
+  className?: string
+}) {
   return <div className={`p-6 pt-0 ${className}`}>{children}</div>
 }
 
 // -- Incoming invites section -----------------------------------------------
 
 function IncomingInvites() {
-  const { toast } = useToast()
   const [invites, setInvites] = useState<SquadIncomingInvite[]>([])
   const [loaded, setLoaded] = useState(false)
 
@@ -114,7 +156,9 @@ function IncomingInvites() {
             {invites.length}
           </span>
         </div>
-        <p className="text-sm text-muted-foreground mt-1">You&apos;ve been invited to join these squads</p>
+        <p className="text-sm text-muted-foreground mt-1">
+          You&apos;ve been invited to join these squads
+        </p>
       </GlassCardHeader>
       <GlassCardContent className="space-y-3">
         {invites.map((inv) => (
@@ -174,7 +218,11 @@ function SquadsList() {
       const data = await res.json()
       setSquads(data.data?.squads ?? [])
     } catch {
-      toast({ title: 'Error', description: 'Failed to load squads', variant: 'destructive' })
+      toast({
+        title: 'Error',
+        description: 'Failed to load squads',
+        variant: 'destructive',
+      })
     } finally {
       setLoading(false)
     }
@@ -195,7 +243,9 @@ function SquadsList() {
       })
       if (!res.ok) {
         const err = await res.json().catch(() => ({}))
-        throw new Error((err as { error?: string }).error || 'Failed to create squad')
+        throw new Error(
+          (err as { error?: string }).error || 'Failed to create squad'
+        )
       }
       toast({ title: 'Squad created' })
       setNewName('')
@@ -204,7 +254,8 @@ function SquadsList() {
     } catch (err) {
       toast({
         title: 'Error',
-        description: err instanceof Error ? err.message : 'Failed to create squad',
+        description:
+          err instanceof Error ? err.message : 'Failed to create squad',
         variant: 'destructive',
       })
     } finally {
@@ -226,7 +277,8 @@ function SquadsList() {
           <div
             className="absolute inset-0 opacity-30 pointer-events-none"
             style={{
-              backgroundImage: 'radial-gradient(circle, hsl(var(--primary) / 0.08) 1px, transparent 1px)',
+              backgroundImage:
+                'radial-gradient(circle, hsl(var(--primary) / 0.08) 1px, transparent 1px)',
               backgroundSize: '20px 20px',
             }}
           />
@@ -238,13 +290,17 @@ function SquadsList() {
               <div className="flex-1 min-w-0">
                 <div className="flex items-center gap-2 flex-wrap">
                   <p className="text-sm font-semibold">Early Access</p>
-                  <Badge variant="outline" className="text-[10px] text-primary border-primary/30 bg-primary/10 h-5">
+                  <Badge
+                    variant="outline"
+                    className="text-[10px] text-primary border-primary/30 bg-primary/10 h-5"
+                  >
                     Nexium
                   </Badge>
                 </div>
                 <p className="text-xs text-muted-foreground mt-0.5">
-                  Organized hubs for your team&apos;s output — share uploads, domains, and resources with your squad.
-                  Available now for all users with public profiles.
+                  Organized hubs for your team&apos;s output — share uploads,
+                  domains, and resources with your squad. Available now for all
+                  users with public profiles.
                 </p>
               </div>
             </div>
@@ -256,7 +312,11 @@ function SquadsList() {
           <p className="text-sm text-muted-foreground">
             {squads.length} squad{squads.length !== 1 ? 's' : ''}
           </p>
-          <Button size="sm" variant="outline" onClick={() => setShowCreate(!showCreate)}>
+          <Button
+            size="sm"
+            variant="outline"
+            onClick={() => setShowCreate(!showCreate)}
+          >
             <Plus className="h-3.5 w-3.5 mr-1.5" /> New Squad
           </Button>
         </div>
@@ -272,10 +332,18 @@ function SquadsList() {
                 onKeyDown={(e) => e.key === 'Enter' && handleCreate()}
                 className="h-8 text-sm"
               />
-              <Button size="sm" onClick={handleCreate} disabled={creating || !newName.trim()}>
+              <Button
+                size="sm"
+                onClick={handleCreate}
+                disabled={creating || !newName.trim()}
+              >
                 {creating ? 'Creating...' : 'Create'}
               </Button>
-              <Button size="sm" variant="ghost" onClick={() => setShowCreate(false)}>
+              <Button
+                size="sm"
+                variant="ghost"
+                onClick={() => setShowCreate(false)}
+              >
                 Cancel
               </Button>
             </div>
@@ -284,7 +352,9 @@ function SquadsList() {
 
         {/* Squad list */}
         {loading ? (
-          <div className="py-8 text-center text-sm text-muted-foreground">Loading squads...</div>
+          <div className="py-8 text-center text-sm text-muted-foreground">
+            Loading squads...
+          </div>
         ) : squads.length === 0 ? (
           <div className="rounded-xl border border-dashed border-border/60 p-10 text-center space-y-3">
             <div className="mx-auto w-12 h-12 rounded-xl bg-primary/10 flex items-center justify-center">
@@ -292,9 +362,14 @@ function SquadsList() {
             </div>
             <p className="text-sm font-medium">No squads yet</p>
             <p className="text-xs text-muted-foreground max-w-xs mx-auto">
-              Create a squad to share uploads, domains, and resources with your team.
+              Create a squad to share uploads, domains, and resources with your
+              team.
             </p>
-            <Button size="sm" variant="outline" onClick={() => setShowCreate(true)}>
+            <Button
+              size="sm"
+              variant="outline"
+              onClick={() => setShowCreate(true)}
+            >
               <Plus className="h-3.5 w-3.5 mr-1.5" /> Create your first squad
             </Button>
           </div>
@@ -312,19 +387,25 @@ function SquadsList() {
                       {squad.name}
                     </p>
                     {squad.description && (
-                      <p className="text-xs text-muted-foreground line-clamp-1">{squad.description}</p>
+                      <p className="text-xs text-muted-foreground line-clamp-1">
+                        {squad.description}
+                      </p>
                     )}
                   </div>
                   <ChevronRight className="h-4 w-4 text-muted-foreground group-hover:text-primary transition-colors shrink-0 mt-0.5" />
                 </div>
 
                 <div className="flex items-center gap-2 flex-wrap">
-                  <Badge variant="outline" className={`text-[10px] h-5 ${STATUS_COLORS[squad.status] ?? ''}`}>
+                  <Badge
+                    variant="outline"
+                    className={`text-[10px] h-5 ${STATUS_COLORS[squad.status] ?? ''}`}
+                  >
                     {squad.status}
                   </Badge>
                   <span className="text-[11px] text-muted-foreground flex items-center gap-1">
                     <Users className="h-3 w-3" />
-                    {squad._count.members} member{squad._count.members !== 1 ? 's' : ''}
+                    {squad._count.members} member
+                    {squad._count.members !== 1 ? 's' : ''}
                   </span>
                   {!squad.isPublic && (
                     <span className="text-[11px] text-muted-foreground flex items-center gap-1">
@@ -339,7 +420,10 @@ function SquadsList() {
                     { icon: Key, label: 'API Keys' },
                     { icon: Globe, label: 'Domains' },
                   ].map(({ icon: Icon, label }) => (
-                    <span key={label} className="text-[11px] text-muted-foreground flex items-center gap-1">
+                    <span
+                      key={label}
+                      className="text-[11px] text-muted-foreground flex items-center gap-1"
+                    >
                       <Icon className="h-3 w-3" /> {label}
                     </span>
                   ))}
diff --git a/packages/components/theme/theme-initializer.tsx b/packages/components/theme/theme-initializer.tsx
index 144e7df..ed60b97 100644
--- a/packages/components/theme/theme-initializer.tsx
+++ b/packages/components/theme/theme-initializer.tsx
@@ -46,13 +46,12 @@ function generateHueColors(hue: number): Record<string, string> {
   return result
 }
 
-export async function ThemeInitializer({ 
-  userTheme, 
+export async function ThemeInitializer({
+  userTheme,
   userCustomColors,
   systemTheme,
-  systemColors 
+  systemColors,
 }: ThemeInitializerProps) {
-  let cssVariables: string
   let themeName: string
   let colorsToUse: Record<string, string> = {}
 
@@ -66,7 +65,10 @@ export async function ThemeInitializer({
     colorsToUse = systemColors || {}
 
     // If system theme is hue-based but no colors provided, generate them
-    if (systemTheme.startsWith('hue:') && Object.keys(colorsToUse).length === 0) {
+    if (
+      systemTheme.startsWith('hue:') &&
+      Object.keys(colorsToUse).length === 0
+    ) {
       const hueMatch = systemTheme.match(/hue:(\d+)/)
       if (hueMatch) {
         const hue = parseInt(hueMatch[1], 10)
@@ -89,7 +91,7 @@ export async function ThemeInitializer({
     }
   }
 
-  cssVariables = Object.entries(colorsToUse)
+  const cssVariables = Object.entries(colorsToUse)
     .map(([key, value]) => {
       const cssKey = key.replace(/[A-Z]/g, (m) => `-${m.toLowerCase()}`)
       return `--${cssKey}: ${value};`
@@ -112,4 +114,4 @@ export async function ThemeInitializer({
       }}
     />
   )
-}
\ No newline at end of file
+}
diff --git a/packages/types/react-jsx-compat.d.ts b/packages/types/react-jsx-compat.d.ts
index 1eacb09..7fdddaa 100644
--- a/packages/types/react-jsx-compat.d.ts
+++ b/packages/types/react-jsx-compat.d.ts
@@ -4,12 +4,15 @@ declare global {
   namespace JSX {
     type Element = React.JSX.Element
     type ElementType = React.JSX.ElementType
-    interface ElementClass extends React.JSX.ElementClass {}
-    interface ElementAttributesProperty extends React.JSX.ElementAttributesProperty {}
-    interface ElementChildrenAttribute extends React.JSX.ElementChildrenAttribute {}
-    type LibraryManagedAttributes<C, P> = React.JSX.LibraryManagedAttributes<C, P>
-    interface IntrinsicAttributes extends React.JSX.IntrinsicAttributes {}
-    interface IntrinsicClassAttributes<T> extends React.JSX.IntrinsicClassAttributes<T> {}
-    interface IntrinsicElements extends React.JSX.IntrinsicElements {}
+    type ElementClass = React.JSX.ElementClass
+    type ElementAttributesProperty = React.JSX.ElementAttributesProperty
+    type ElementChildrenAttribute = React.JSX.ElementChildrenAttribute
+    type LibraryManagedAttributes<C, P> = React.JSX.LibraryManagedAttributes<
+      C,
+      P
+    >
+    type IntrinsicAttributes = React.JSX.IntrinsicAttributes
+    type IntrinsicClassAttributes<T> = React.JSX.IntrinsicClassAttributes<T>
+    type IntrinsicElements = React.JSX.IntrinsicElements
   }
 }
diff --git a/scripts/hash-file-passwords.js b/scripts/hash-file-passwords.mjs
similarity index 95%
rename from scripts/hash-file-passwords.js
rename to scripts/hash-file-passwords.mjs
index 693f16e..566fc8f 100644
--- a/scripts/hash-file-passwords.js
+++ b/scripts/hash-file-passwords.mjs
@@ -5,8 +5,8 @@
  * This script should be run once to upgrade existing Emberly instances
  */
 
-const { PrismaClient } = require('@prisma/client')
-const { hash, compare } = require('bcryptjs')
+import { PrismaClient } from '@prisma/client'
+import { hash, compare } from 'bcryptjs'
 
 const prisma = new PrismaClient()
 
diff --git a/scripts/migrate-config.js b/scripts/migrate-config.mjs
similarity index 98%
rename from scripts/migrate-config.js
rename to scripts/migrate-config.mjs
index 74e8f3d..7788bec 100644
--- a/scripts/migrate-config.js
+++ b/scripts/migrate-config.mjs
@@ -1,4 +1,5 @@
-const { PrismaClient } = require('@prisma/client')
+import { PrismaClient } from '@prisma/client'
+
 const prisma = new PrismaClient()
 
 const DEFAULT_CONFIG = {

From 7a69c4cf1e5feba10c4e3444b9513685ee69f850 Mon Sep 17 00:00:00 2001
From: TheRealToxicDev <toxic.dev09@gmail.com>
Date: Sat, 13 Jun 2026 10:02:02 -0600
Subject: [PATCH 11/13] fix(quality): more stuff

---
 .github/README.md                        |  5 +----
 CHANGELOG.md                             |  9 ++++++++-
 app/api/admin/integrations/test/route.ts | 10 +++++++++-
 app/api/files/route.ts                   | 11 ++++++++++-
 app/api/settings/route.ts                |  8 ++++----
 packages/lib/cache/session-cache.ts      |  7 ++++++-
 packages/lib/files/filename.ts           |  1 +
 packages/lib/storage/quota.ts            | 22 +++++++++++++++++++---
 8 files changed, 58 insertions(+), 15 deletions(-)

diff --git a/.github/README.md b/.github/README.md
index 1bb39a1..5cd40ac 100644
--- a/.github/README.md
+++ b/.github/README.md
@@ -47,7 +47,7 @@ Emberly is an open source platform for modern file storage, sharing, and identit
 - Promo code management with configurable discounts
 - User management dashboard
 - Application review queue with multi stage triage
-- Service status monitoring via Kener integration
+- Service status page link ([emberlystat.us](https://emberlystat.us))
 - Analytics and usage reporting
 
 ## Quick Start
@@ -105,7 +105,6 @@ The application will be available at http://localhost:3000.
 **Infrastructure & Services**
 
 - [S3 compatible storage](https://aws.amazon.com/s3/) - File storage
-- [Kener](https://kener.ing/) - Status page monitoring
 - [Next.js Auth](https://next-auth.js.org/) - Authentication
 - [Sentry](https://sentry.io/) - Error tracking
 
@@ -176,7 +175,6 @@ Get help and connect with the community:
 
 This project is licensed under the GNU Affero General Public License v3 (AGPL-3.0). See the [LICENSE](LICENSE) file for details.
 
-
 ## Code of Conduct
 
 This project adheres to the Contributor Covenant Code of Conduct. By participating, you agree to uphold this code. See [CODE_OF_CONDUCT.md](CODE_OF_CONDUCT.md) for the full text.
@@ -185,7 +183,6 @@ This project adheres to the Contributor Covenant Code of Conduct. By participati
 
 Thank you to all [contributors](https://github.com/EmberlyOSS/Emberly/graphs/contributors) who have helped make Emberly possible. We also appreciate the [open source projects and communities](https://github.com/EmberlyOSS/Emberly/network/dependencies) that make Emberly possible.
 
-
 <a href="https://github.com/EmberlyOSS/Emberly/graphs/contributors">
   <img src="https://contrib.rocks/image?repo=EmberlyOSS/Emberly" alt="Contributors" />
 </a>
diff --git a/CHANGELOG.md b/CHANGELOG.md
index eb51713..3202096 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -25,7 +25,7 @@ The format is based on "Keep a Changelog" and follows [Semantic Versioning](http
 ### Changed
 
 - **Status Page Integration Removed**
-  - Removed the Kener / Uptime Kuma dynamic status integration entirely. The polling logic, `/api/status` route, admin settings panel, and integration test handler have all been removed.
+  - Removed the Kener / Uptime Kuma dynamic status integration entirely. The polling logic, `/api/status` route (now returns 404), admin settings panel, and integration test handler have all been removed.
   - `StatusIndicator` in the site footer is now a lightweight static link to [emberlystat.us](https://emberlystat.us) — no external API calls, no runtime failures, no "Status unknown" states.
   - `KENER_API_KEY`, `KENER_BASE_URL`, `UPTIME_KUMA_BASE_URL`, and `UPTIME_KUMA_SLUG` environment variables are no longer used and can be removed.
 
@@ -53,6 +53,13 @@ The format is based on "Keep a Changelog" and follows [Semantic Versioning](http
 - **ESLint — Empty interfaces in `react-jsx-compat.d.ts`** — Six `interface X extends Y {}` declarations with no added members replaced with `type X = Y` aliases, satisfying `@typescript-eslint/no-empty-object-type`.
 - **ESLint — Unused variables across multiple files** — Removed or prefixed unused imports and variables flagged by `@typescript-eslint/no-unused-vars`: `Copy` in `bucket/page.tsx`, `User` in `blog/page.tsx`, `Share2`/`User` in `blog/[slug]/page.tsx`, `Footer`/`getConfig`/`providedPassword` in `[filename]/page.tsx`, `toast` in `squads/client.tsx`, `codeSent` state in `alpha-migration/page.tsx`, and `userName` parameter in `dashboard/client.tsx`.
 - **ESLint — `let` → `const` in `theme-initializer.tsx`** — `cssVariables` was declared with `let` but never reassigned; declaration moved to the single assignment site as `const`.
+- **Integration test fetch timeouts** — `testStripe`, `testResend`, `testCloudflare`, `testDiscord` (bot + webhook), and `testGitHub` had no request timeout, allowing the admin integration-test endpoint to hang indefinitely if a provider didn't respond. All now use `AbortSignal.timeout(8000)`, consistent with the existing Vultr handler.
+- **Quarantine failure logging** — `Promise.allSettled` results in the VirusTotal quarantine path were silently discarded. Storage delete or DB update failures now log an error with the file ID so they can be investigated.
+- **Session cache `emailVerified` backfill** — Redis-cached sessions written before the `emailVerified: boolean` field was added would deserialize with `undefined`, breaking the upload auth contract. A coerce-on-read now sets `false` for any entry missing the field.
+- **Legacy `kener`/`uptimeKuma` config keys stripped from admin response** — The integration config schema uses `.passthrough()`, so old DB records containing stale Kener or Uptime Kuma keys would survive `deepMerge` and be returned to SUPERADMIN via `GET /api/settings`. `maskSecretsForAdmin` now explicitly deletes both keys before returning.
+- **Empty filename slug fallback** — Filenames composed entirely of non-ASCII/symbol characters would reduce to an empty slug after sanitization, producing broken storage paths. A `nanoid(6)` fallback is now used when the slug is empty.
+- **`storageQuotaMB = 0` admin override ignored** — `if (!baseQuotaMB)` treated an explicit zero-quota override as "unset", falling through to plan-based quota. Changed to `== null` checks so `0` is honored as a deliberate override.
+- **Storage-bucket subscription precedence missing from Stripe re-check path** — After a successful Stripe sync, `getPlanLimits` returned the latest active subscription without first checking for a `storage-bucket-*` subscription. Users with both sub types active could receive non-unlimited limits for that request. The re-check now mirrors the original early-exit logic.
 
 ## [2.4.5] - 2026-06-02
 
diff --git a/app/api/admin/integrations/test/route.ts b/app/api/admin/integrations/test/route.ts
index ff3a6fe..4f21383 100644
--- a/app/api/admin/integrations/test/route.ts
+++ b/app/api/admin/integrations/test/route.ts
@@ -60,6 +60,7 @@ async function testStripe(secretKey: string): Promise<TestResult> {
   try {
     const res = await fetch('https://api.stripe.com/v1/customers?limit=1', {
       headers: { Authorization: `Bearer ${secretKey}` },
+      signal: AbortSignal.timeout(8000),
     })
     if (res.status === 401)
       return {
@@ -84,6 +85,7 @@ async function testResend(apiKey: string): Promise<TestResult> {
   try {
     const res = await fetch('https://api.resend.com/domains', {
       headers: { Authorization: `Bearer ${apiKey}` },
+      signal: AbortSignal.timeout(8000),
     })
     if (res.status === 401 || res.status === 403)
       return { ok: false, message: 'Invalid API key' }
@@ -125,6 +127,7 @@ async function testCloudflare(
         Authorization: `Bearer ${apiToken}`,
         'Content-Type': 'application/json',
       },
+      signal: AbortSignal.timeout(8000),
     })
     const json = await res.json().catch(() => null)
     if (!res.ok || json?.success === false) {
@@ -168,6 +171,7 @@ async function testDiscord(
         `https://discord.com/api/v10/guilds/${safeServerId}`,
         {
           headers: { Authorization: `Bot ${botToken}` },
+          signal: AbortSignal.timeout(8000),
         }
       )
       if (res.status === 401) return { ok: false, message: 'Invalid bot token' }
@@ -226,7 +230,10 @@ async function testDiscord(
       const [, webhookId, webhookToken] = match
       const safeWebhookUrl = `https://discord.com/api/webhooks/${encodeURIComponent(webhookId)}/${encodeURIComponent(webhookToken)}`
 
-      const res = await fetch(safeWebhookUrl, { method: 'GET' })
+      const res = await fetch(safeWebhookUrl, {
+        method: 'GET',
+        signal: AbortSignal.timeout(8000),
+      })
       if (res.status === 401)
         return { ok: false, message: 'Invalid webhook URL' }
       if (!res.ok)
@@ -270,6 +277,7 @@ async function testGitHub(pat: string, org?: string): Promise<TestResult> {
         Accept: 'application/vnd.github+json',
         'X-GitHub-Api-Version': '2022-11-28',
       },
+      signal: AbortSignal.timeout(8000),
     })
     if (res.status === 401)
       return { ok: false, message: 'Invalid personal access token' }
diff --git a/app/api/files/route.ts b/app/api/files/route.ts
index 73bd4eb..652872e 100644
--- a/app/api/files/route.ts
+++ b/app/api/files/route.ts
@@ -279,13 +279,22 @@ export async function POST(req: Request) {
         permalink: vtResult.permalink,
         userId: user.id,
       })
-      await Promise.allSettled([
+      const results = await Promise.allSettled([
         storageProvider!.deleteFile(filePath),
         prisma.file.update({
           where: { id: fileRecord.id },
           data: { visibility: 'PRIVATE', name: '[Quarantined]' },
         }),
       ])
+      results.forEach((r, i) => {
+        if (r.status === 'rejected') {
+          logger.error(
+            `Quarantine step ${i === 0 ? 'storage delete' : 'db update'} failed`,
+            r.reason as Error,
+            { fileId: fileRecord.id }
+          )
+        }
+      })
     }).catch((err) => {
       logger.error('Background VirusTotal scan failed', err as Error, {
         fileId: fileRecord.id,
diff --git a/app/api/settings/route.ts b/app/api/settings/route.ts
index 930386d..4c01b05 100644
--- a/app/api/settings/route.ts
+++ b/app/api/settings/route.ts
@@ -5,10 +5,7 @@ import {
 } from '@/packages/types/dto/settings'
 
 import { HTTP_STATUS, apiError, apiResponse } from '@/packages/lib/api/response'
-import {
-  requireAuth,
-  requireSuperAdmin,
-} from '@/packages/lib/auth/api-auth'
+import { requireAuth, requireSuperAdmin } from '@/packages/lib/auth/api-auth'
 import {
   EmberlyConfig,
   getConfig,
@@ -50,6 +47,9 @@ function maskSecretsForAdmin(config: EmberlyConfig): EmberlyConfig {
   if (i.github) {
     i.github.pat = ''
   }
+  // Remove any stale legacy integration keys that may still live in DB config
+  delete i.kener
+  delete i.uptimeKuma
   return c as EmberlyConfig
 }
 
diff --git a/packages/lib/cache/session-cache.ts b/packages/lib/cache/session-cache.ts
index 1c2e897..37c7d5b 100644
--- a/packages/lib/cache/session-cache.ts
+++ b/packages/lib/cache/session-cache.ts
@@ -39,7 +39,12 @@ export const sessionCache = {
       const redis = await getRedisClient()
       const data = await redis.get(redisKeys.userSession(userId))
       if (!data) return null
-      return JSON.parse(data) as CachedUserSession
+      const parsed = JSON.parse(data) as CachedUserSession
+      // Coerce emailVerified for older cached entries that pre-date the boolean field
+      if (typeof parsed.emailVerified !== 'boolean') {
+        parsed.emailVerified = false
+      }
+      return parsed
     } catch (error) {
       logger.error('Failed to get cached user session', error as Error, {
         userId,
diff --git a/packages/lib/files/filename.ts b/packages/lib/files/filename.ts
index 8b51376..1eedbee 100644
--- a/packages/lib/files/filename.ts
+++ b/packages/lib/files/filename.ts
@@ -101,6 +101,7 @@ export async function getUniqueFilename(
   while (s < e && urlSafeName[s] === '-') s++
   while (e > s && urlSafeName[e - 1] === '-') e--
   urlSafeName = urlSafeName.slice(s, e)
+  if (!urlSafeName) urlSafeName = nanoid(6)
 
   if (extension) {
     urlSafeName += '.' + extension.toLowerCase()
diff --git a/packages/lib/storage/quota.ts b/packages/lib/storage/quota.ts
index f8a9ae4..2a0b414 100644
--- a/packages/lib/storage/quota.ts
+++ b/packages/lib/storage/quota.ts
@@ -112,7 +112,23 @@ export async function getPlanLimits(userId: string): Promise<PlanLimits> {
           userId,
           userRecord.stripeCustomerId
         )
-        // Re-check after sync
+        // Re-check after sync — storage-bucket subs take precedence (unlimited)
+        const syncedBucketSub = await prisma.subscription.findFirst({
+          where: {
+            userId,
+            status: 'active',
+            product: { slug: { startsWith: 'storage-bucket' } },
+          },
+          select: { id: true },
+        })
+        if (syncedBucketSub) {
+          return {
+            storageQuotaGB: null,
+            uploadSizeCapMB: null,
+            customDomainsLimit: null,
+            planName: 'Storage Bucket (Unlimited)',
+          }
+        }
         const syncedSub = await prisma.subscription.findFirst({
           where: { userId, status: 'active' },
           include: { product: true },
@@ -252,7 +268,7 @@ export async function getEffectiveQuotaMB(
 
   // Priority: admin override > plan quota + perks > default quota
   let baseQuotaMB = user.storageQuotaMB
-  if (!baseQuotaMB) {
+  if (baseQuotaMB == null) {
     if (planLimits.storageQuotaGB === null) {
       // Unlimited plan — use a 100 TB sentinel so arithmetic still works
       baseQuotaMB = 100 * 1024 * 1024
@@ -260,7 +276,7 @@ export async function getEffectiveQuotaMB(
       baseQuotaMB = (planLimits.storageQuotaGB + perkStorageBonusGB) * 1024
     }
   }
-  if (!baseQuotaMB && defaultQuotaMB) {
+  if (baseQuotaMB == null && defaultQuotaMB != null) {
     baseQuotaMB = defaultQuotaMB
   }
 

From 3d257b960fc01fb9a9c5abf54bc60b5ab92c55e1 Mon Sep 17 00:00:00 2001
From: Pixelated <hey@codemeapixel.dev>
Date: Sat, 13 Jun 2026 10:31:09 -0600
Subject: [PATCH 12/13] Potential fix for pull request finding 'Comparison
 between inconvertible types'

Co-authored-by: Copilot Autofix powered by AI <223894421+github-code-quality[bot]@users.noreply.github.com>
---
 packages/lib/storage/quota.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/packages/lib/storage/quota.ts b/packages/lib/storage/quota.ts
index 2a0b414..4db3c35 100644
--- a/packages/lib/storage/quota.ts
+++ b/packages/lib/storage/quota.ts
@@ -276,7 +276,7 @@ export async function getEffectiveQuotaMB(
       baseQuotaMB = (planLimits.storageQuotaGB + perkStorageBonusGB) * 1024
     }
   }
-  if (baseQuotaMB == null && defaultQuotaMB != null) {
+  if (defaultQuotaMB != null) {
     baseQuotaMB = defaultQuotaMB
   }
 

From d42d70409166efc4ea4f27d52ebc14324088f8e6 Mon Sep 17 00:00:00 2001
From: TheRealToxicDev <toxic.dev09@gmail.com>
Date: Sat, 13 Jun 2026 10:43:04 -0600
Subject: [PATCH 13/13] fix(stuff): proxy, and more

---
 CHANGELOG.md                             |   6 ++
 app/(main)/auth/alpha-migration/page.tsx |   1 -
 proxy.ts                                 | 130 +++++++++--------------
 3 files changed, 56 insertions(+), 81 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3202096..6d9e23f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -60,6 +60,12 @@ The format is based on "Keep a Changelog" and follows [Semantic Versioning](http
 - **Empty filename slug fallback** — Filenames composed entirely of non-ASCII/symbol characters would reduce to an empty slug after sanitization, producing broken storage paths. A `nanoid(6)` fallback is now used when the slug is empty.
 - **`storageQuotaMB = 0` admin override ignored** — `if (!baseQuotaMB)` treated an explicit zero-quota override as "unset", falling through to plan-based quota. Changed to `== null` checks so `0` is honored as a deliberate override.
 - **Storage-bucket subscription precedence missing from Stripe re-check path** — After a successful Stripe sync, `getPlanLimits` returned the latest active subscription without first checking for a `storage-bucket-*` subscription. Users with both sub types active could receive non-unlimited limits for that request. The re-check now mirrors the original early-exit logic.
+- **`proxy.ts` — `BASE_URL`/`MAIN_HOST` recomputed per request** — `process.env.NEXT_PUBLIC_BASE_URL` was parsed with `new URL()` on every invocation. Both the base URL string and its hostname are now computed once at module load time.
+- **`proxy.ts` — Duplicate media-rewrite block eliminated** — Video/audio range-request detection logic appeared twice (before and after the auth checks). Unified into a single block that runs before `getToken()`, so media requests skip JWT verification entirely.
+- **`proxy.ts` — `VIDEO_EXTENSIONS` array → `Set`** — `VIDEO_EXTENSIONS.includes(ext)` was an O(n) linear scan on every file URL request. Converted to a module-level `Set` for O(1) lookup.
+- **`proxy.ts` — Trailing-slash strip regex replaced** — `pathname.replace(/\/$/, '')` replaced with `endsWith('/')`+`slice`, consistent with the ReDoS hardening applied elsewhere.
+- **`proxy.ts` — `getClientIP` double-read of `x-forwarded-for`** — The function read `x-forwarded-for` a second time at the fallback return if the header was already `null` at the top. Simplified to a single read with null-coalescing chain.
+- **`proxy.ts` — Noisy `console.log` removed from hot paths** — Debug logs for unverified-user blocks and password-breach redirects fired on every affected request, adding synchronous I/O overhead in the middleware layer.
 
 ## [2.4.5] - 2026-06-02
 
diff --git a/app/(main)/auth/alpha-migration/page.tsx b/app/(main)/auth/alpha-migration/page.tsx
index f0cc288..3b7bd48 100644
--- a/app/(main)/auth/alpha-migration/page.tsx
+++ b/app/(main)/auth/alpha-migration/page.tsx
@@ -333,7 +333,6 @@ export default function AlphaMigrationPage() {
                     size="sm"
                     onClick={() => {
                       setStep('confirm')
-                      setCodeSent(false)
                       setVerificationCode('')
                     }}
                     disabled={isLoading}
diff --git a/proxy.ts b/proxy.ts
index 0bba49c..59307d9 100644
--- a/proxy.ts
+++ b/proxy.ts
@@ -23,25 +23,21 @@ if (!globalThis.__nextAuthLoginContext) {
   globalThis.__nextAuthLoginContext = {}
 }
 
+// Computed once per isolate, not on every request
+const BASE_URL = process.env.NEXT_PUBLIC_BASE_URL || 'https://embrly.ca'
+const MAIN_HOST = new URL(BASE_URL).hostname
+const VIDEO_EXTENSIONS_SET = new Set(VIDEO_EXTENSIONS)
+const ALPHA_CUTOFF_DATE = new Date('2025-12-27T00:00:00.000Z')
+
 function getClientIP(request: NextRequest): string | undefined {
   const forwarded = request.headers.get('x-forwarded-for')
-  if (forwarded) {
-    return forwarded.split(',')[0]?.trim()
-  }
-
-  const realIP = request.headers.get('x-real-ip')
-  if (realIP) {
-    return realIP
-  }
-
-  const cfConnectingIP = request.headers.get('cf-connecting-ip')
-  if (cfConnectingIP) {
-    return cfConnectingIP
-  }
+  if (forwarded) return forwarded.split(',')[0]?.trim()
 
   return (
+    request.headers.get('x-real-ip') ??
+    request.headers.get('cf-connecting-ip') ??
     request.headers.get('x-client-ip') ??
-    request.headers.get('x-forwarded-for')?.split(',')[0]?.trim()
+    undefined
   )
 }
 
@@ -61,16 +57,17 @@ function getGeoInfo(request: NextRequest) {
 
 export async function proxy(request: NextRequest) {
   const pathname = request.nextUrl.pathname
+  // Trim trailing slash without regex
   const normalizedPathname =
-    pathname.length > 1 ? pathname.replace(/\/$/, '') : pathname
-  const baseUrl = process.env.NEXT_PUBLIC_BASE_URL || 'https://embrly.ca'
+    pathname.length > 1 && pathname.endsWith('/')
+      ? pathname.slice(0, -1)
+      : pathname
 
   const incomingHost = request.headers.get('host')?.replace(/:\d+$/, '')
-  const mainHost = new URL(baseUrl).hostname
 
   if (
     incomingHost &&
-    incomingHost !== mainHost &&
+    incomingHost !== MAIN_HOST &&
     incomingHost !== 'localhost'
   ) {
     if (pathname === '/') {
@@ -131,37 +128,46 @@ export async function proxy(request: NextRequest) {
     return tokenPromise
   }
 
-  const ALPHA_CUTOFF_DATE = new Date('2025-12-27T00:00:00.000Z')
   const isAlphaMigrationPage = pathname === '/auth/alpha-migration'
   const isAlphaMigrationApi = pathname === '/api/auth/alpha-migration'
   const isNextAuthRoute = pathname.startsWith('/api/auth/')
   const isApiRoute = pathname.startsWith('/api/')
 
-  if (
-    FILE_URL_PATTERN.test(pathname) &&
-    pathname === normalizedPathname &&
+  // ── File URL handling — single unified check before auth ──────────────────
+  // Covers both trailing-slash and non-trailing-slash variants via normalizedPathname.
+  // Must run before getToken() so media range requests skip JWT verification entirely.
+  const isFileUrl =
+    FILE_URL_PATTERN.test(normalizedPathname) &&
     !normalizedPathname.endsWith('/raw') &&
     !normalizedPathname.endsWith('/direct')
-  ) {
+
+  if (isFileUrl) {
     const fileExt = normalizedPathname.split('.').pop()?.toLowerCase()
     const rangeHeader = request.headers.get('range')
     const acceptHeader = request.headers.get('accept') || ''
     const isMediaRequest =
       rangeHeader != null ||
       (acceptHeader !== '' && !acceptHeader.includes('text/html'))
-    const userAgent = request.headers.get('user-agent') || ''
-    const url = new URL(request.url)
 
-    if (fileExt && VIDEO_EXTENSIONS.includes(fileExt) && isMediaRequest) {
-      url.pathname = `${pathname}/raw`
+    // Video/audio range or non-HTML requests → raw bytes.
+    // Must run before the bot handler: Discord's media proxy UA contains "discord"
+    // and would otherwise be caught by handleBotRequest.
+    if (fileExt && VIDEO_EXTENSIONS_SET.has(fileExt) && isMediaRequest) {
+      const url = new URL(request.url)
+      url.pathname = `${normalizedPathname}/raw`
       return NextResponse.rewrite(url)
     }
 
-    // Bot HTML requests fall through so the bot handler can respect the
-    // uploader's rich-embed setting.
-    if (!isBotRequest(userAgent)) {
-      url.pathname = `${pathname}/`
-      return NextResponse.rewrite(url)
+    // Non-trailing-slash, non-bot requests → rewrite to trailing slash so the
+    // file page renders correctly. Bots fall through so handleBotRequest can
+    // respect the uploader's rich-embed setting.
+    if (pathname === normalizedPathname) {
+      const userAgent = request.headers.get('user-agent') || ''
+      if (!isBotRequest(userAgent)) {
+        const url = new URL(request.url)
+        url.pathname = `${pathname}/`
+        return NextResponse.rewrite(url)
+      }
     }
   }
 
@@ -179,7 +185,7 @@ export async function proxy(request: NextRequest) {
       !isNextAuthRoute &&
       !isApiRoute
     ) {
-      return NextResponse.redirect(new URL('/auth/alpha-migration', baseUrl))
+      return NextResponse.redirect(new URL('/auth/alpha-migration', BASE_URL))
     }
   }
 
@@ -188,7 +194,7 @@ export async function proxy(request: NextRequest) {
   const isAuthPage = pathname.startsWith('/auth/')
 
   if (token) {
-    const isEmailVerified = token.emailVerified ? true : false
+    const isEmailVerified = !!token.emailVerified
 
     if (
       !isEmailVerified &&
@@ -198,10 +204,7 @@ export async function proxy(request: NextRequest) {
       !isNextAuthRoute &&
       !isApiRoute
     ) {
-      console.log(
-        `[Proxy] Unverified user ${token.email} blocked from ${pathname}`
-      )
-      return NextResponse.redirect(new URL('/auth/verify-email', baseUrl))
+      return NextResponse.redirect(new URL('/auth/verify-email', BASE_URL))
     }
   }
 
@@ -214,17 +217,11 @@ export async function proxy(request: NextRequest) {
     if (isProfileSecurityTab) {
       return NextResponse.next()
     }
-    if (isDashboardRoot) {
-      console.log(
-        `[Proxy] User ${token.email} with password breach detected, redirecting from dashboard to profile security`
-      )
-      return NextResponse.redirect(new URL('/me?tab=security', baseUrl))
-    }
-    if (isProfilePath && !request.nextUrl.searchParams.get('tab')) {
-      console.log(
-        `[Proxy] User ${token.email} with password breach detected, redirecting to security tab`
-      )
-      return NextResponse.redirect(new URL('/me?tab=security', baseUrl))
+    if (
+      isDashboardRoot ||
+      (isProfilePath && !request.nextUrl.searchParams.get('tab'))
+    ) {
+      return NextResponse.redirect(new URL('/me?tab=security', BASE_URL))
     }
   }
 
@@ -247,7 +244,7 @@ export async function proxy(request: NextRequest) {
   const ensureAuthenticated = async () => {
     const t = await getAuthToken()
     if (!t) {
-      return NextResponse.redirect(new URL('/auth/login', baseUrl))
+      return NextResponse.redirect(new URL('/auth/login', BASE_URL))
     }
     return { token: t }
   }
@@ -262,44 +259,17 @@ export async function proxy(request: NextRequest) {
     )
     if (isSuperAdminRoute) {
       if (!hasPermission(role as any, Permission.PERFORM_SUPERADMIN_ACTIONS)) {
-        return NextResponse.redirect(new URL('/dashboard', baseUrl))
+        return NextResponse.redirect(new URL('/dashboard', BASE_URL))
       }
     } else if (!hasPermission(role as any, Permission.ACCESS_ADMIN_PANEL)) {
-      return NextResponse.redirect(new URL('/dashboard', baseUrl))
+      return NextResponse.redirect(new URL('/dashboard', BASE_URL))
     }
   }
 
   if (PROTECTED_PAGE_PATHS.some((p) => pathname.startsWith(p))) {
     const t = await getAuthToken()
     if (!t) {
-      return NextResponse.redirect(new URL('/auth/login', baseUrl))
-    }
-  }
-
-  // ── Video/Audio Media Requests ─────────────────────────────────────────
-  // Must run BEFORE the bot handler. Discord's media proxy uses a UA that
-  // contains "discord", so the bot handler would catch it and serve HTML.
-  // By checking for Range headers or non-HTML Accept first, media playback
-  // requests get raw file bytes while crawlers (who send Accept: text/html)
-  // still fall through to the bot handler for OG metadata.
-  if (
-    FILE_URL_PATTERN.test(normalizedPathname) &&
-    !normalizedPathname.endsWith('/raw') &&
-    !normalizedPathname.endsWith('/direct')
-  ) {
-    const fileExt = normalizedPathname.split('.').pop()?.toLowerCase()
-    if (fileExt && VIDEO_EXTENSIONS.includes(fileExt)) {
-      const rangeHeader = request.headers.get('range')
-      const acceptHeader = request.headers.get('accept') || ''
-      const isMediaRequest =
-        rangeHeader != null ||
-        (acceptHeader !== '' && !acceptHeader.includes('text/html'))
-
-      if (isMediaRequest) {
-        const url = new URL(request.url)
-        url.pathname = `${normalizedPathname}/raw`
-        return NextResponse.rewrite(url)
-      }
+      return NextResponse.redirect(new URL('/auth/login', BASE_URL))
     }
   }