Implement complete feature & security overhaul (21 items, 3 phases)

Phase 1 - Security & Data Integrity:
- Atomic member ID generation via PostgreSQL sequence (018)
- Rate limiting on signup, input sanitization (XSS prevention)
- Onboarding photo upload, document upload validation (magic bytes, MIME, size)
- RLS fix for admin role assignment without self-escalation (019)
- Email notification preferences enforcement
- Audit logging across all admin/board mutation actions
- CSV export for membership, payments, and events reports
- Member approval workflow with email notifications (020)

Phase 2 - Functionality & Monitoring:
- Directory privacy settings (022) with board-level filtering
- Document full-text search with PostgreSQL tsvector/GIN index (023)
- Cron job monitoring dashboard with manual trigger (024)
- Settings audit log tab
- Bulk email broadcast with recipient filtering and personalization (025)

Phase 3 - Feature Completeness:
- Event type filtering on events page
- RSVP deadline control for event organizers (021)

Also includes Kong CORS configuration fix.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

package-lock.json

@@ -8,29 +8,31 @@
 			"name": "monacousa-portal-2026",
 			"version": "0.0.1",
 			"dependencies": {
-				"@aws-sdk/client-s3": "^3.700.0",
+				"@aws-sdk/client-s3": "^3.971.0",
-				"@aws-sdk/s3-request-presigner": "^3.700.0",
+				"@aws-sdk/s3-request-presigner": "^3.971.0",
+				"@internationalized/date": "^3.7.0",
 				"@supabase/ssr": "^0.8.0",
 				"@supabase/supabase-js": "^2.90.1",
 				"@sveltejs/adapter-node": "^5.5.1",
 				"flag-icons": "^7.4.0",
-				"nodemailer": "^6.9.0"
+				"libphonenumber-js": "^1.12.8",
+				"nodemailer": "^6.10.0"
 			},
 			"devDependencies": {
 				"@sveltejs/adapter-auto": "^7.0.0",
-				"@sveltejs/kit": "^2.49.1",
+				"@sveltejs/kit": "^2.50.0",
 				"@sveltejs/vite-plugin-svelte": "^6.2.1",
 				"@tailwindcss/vite": "^4.1.18",
 				"bits-ui": "^2.15.4",
 				"clsx": "^2.1.1",
 				"lucide-svelte": "^0.562.0",
-				"svelte": "^5.45.6",
+				"svelte": "^5.47.0",
 				"svelte-check": "^4.3.4",
 				"tailwind-merge": "^3.4.0",
 				"tailwind-variants": "^3.2.2",
 				"tailwindcss": "^4.1.18",
 				"typescript": "^5.9.3",
-				"vite": "^7.2.6"
+				"vite": "^7.3.1"
 			}
 		},
 		"node_modules/@aws-crypto/crc32": {
@@ -1514,9 +1516,7 @@
 			"version": "3.10.1",
 			"resolved": "https://registry.npmjs.org/@internationalized/date/-/date-3.10.1.tgz",
 			"integrity": "sha512-oJrXtQiAXLvT9clCf1K4kxp3eKsQhIaZqxEyowkBcsvZDdZkbWrVmnGknxs5flTD0VGsxrxKgBCZty1EzoiMzA==",
-			"dev": true,
 			"license": "Apache-2.0",
-			"peer": true,
 			"dependencies": {
 				"@swc/helpers": "^0.5.0"
 			}
@@ -2945,9 +2945,7 @@
 			"version": "0.5.18",
 			"resolved": "https://registry.npmjs.org/@swc/helpers/-/helpers-0.5.18.tgz",
 			"integrity": "sha512-TXTnIcNJQEKwThMMqBXsZ4VGAza6bvN4pa41Rkqoio6QBKMvo+5lexeTMScGCIxtzgQJzElcvIltani+adC5PQ==",
-			"dev": true,
 			"license": "Apache-2.0",
-			"peer": true,
 			"dependencies": {
 				"tslib": "^2.8.0"
 			}
@@ -3630,6 +3628,12 @@
 				"node": ">=6"
 			}
 		},
+		"node_modules/libphonenumber-js": {
+			"version": "1.12.36",
+			"resolved": "https://registry.npmjs.org/libphonenumber-js/-/libphonenumber-js-1.12.36.tgz",
+			"integrity": "sha512-woWhKMAVx1fzzUnMCyOzglgSgf6/AFHLASdOBcchYCyvWSGWt12imw3iu2hdI5d4dGZRsNWAmWiz37sDKUPaRQ==",
+			"license": "MIT"
+		},
 		"node_modules/lightningcss": {
 			"version": "1.30.2",
 			"resolved": "https://registry.npmjs.org/lightningcss/-/lightningcss-1.30.2.tgz",

src/lib/components/layout/Sidebar.svelte

@@ -15,7 +15,10 @@
 		FolderOpen,
 		DollarSign,
 		CalendarPlus,
-		Bell
+		Bell,
+		UserCheck,
+		Timer,
+		Send
 	} from 'lucide-svelte';
 	import type { MemberWithDues } from '$lib/types/database';
 
@@ -49,6 +52,7 @@
 
 	const boardNav: NavItem[] = [
 		{ href: '/board/members', label: 'Members', icon: Users },
+		{ href: '/board/approvals', label: 'Approvals', icon: UserCheck },
 		{ href: '/board/dues', label: 'Dues Management', icon: DollarSign },
 		{ href: '/board/events', label: 'Manage Events', icon: CalendarPlus },
 		{ href: '/board/documents', label: 'Documents', icon: FileText }
@@ -57,6 +61,8 @@
 	const adminNav: NavItem[] = [
 		{ href: '/admin/members', label: 'User Management', icon: Shield },
 		{ href: '/admin/notifications', label: 'Notifications', icon: Bell },
+		{ href: '/admin/bulk-email', label: 'Bulk Email', icon: Send },
+		{ href: '/admin/cron-monitoring', label: 'Cron Jobs', icon: Timer },
 		{ href: '/admin/settings', label: 'Settings', icon: Settings }
 	];
 

src/lib/server/csv.ts

@@ -0,0 +1,40 @@
+/**
+ * CSV generation utilities for board reports.
+ */
+
+/**
+ * Escape a CSV field value.
+ * Wraps in quotes if the value contains commas, quotes, or newlines.
+ */
+export function escapeCSVField(value: unknown): string {
+	if (value === null || value === undefined) return '';
+	const str = String(value);
+	if (str.includes(',') || str.includes('"') || str.includes('\n') || str.includes('\r')) {
+		return '"' + str.replace(/"/g, '""') + '"';
+	}
+	return str;
+}
+
+/**
+ * Convert an array of objects to CSV string.
+ */
+export function arrayToCSV(
+	data: Record<string, unknown>[],
+	columns: { key: string; header: string }[]
+): string {
+	const header = columns.map((c) => escapeCSVField(c.header)).join(',');
+	const rows = data.map((row) => columns.map((c) => escapeCSVField(row[c.key])).join(','));
+	return '\ufeff' + header + '\n' + rows.join('\n');
+}
+
+/**
+ * Create a CSV Response with proper headers for browser download.
+ */
+export function csvResponse(csvContent: string, filename: string): Response {
+	return new Response(csvContent, {
+		headers: {
+			'Content-Type': 'text/csv; charset=utf-8',
+			'Content-Disposition': `attachment; filename="${filename}"`
+		}
+	});
+}

src/lib/server/dues.ts

@@ -5,6 +5,8 @@
 
 import { supabaseAdmin } from './supabase';
 import { sendTemplatedEmail } from './email';
+import { sendWithPreferenceCheck } from './notification-preferences';
+import { logAudit } from './audit';
 import type { MemberWithDues } from '$lib/types/database';
 
 // ============================================
@@ -245,15 +247,17 @@ export async function sendDuesReminder(
 		portal_url: `${baseUrl}/payments`
 	};
 
-	// Send email
+	// Send email (respecting notification preferences)
-	const result = await sendTemplatedEmail(templateKey, member.email, variables, {
+	const result = await sendWithPreferenceCheck(member.id, 'dues_reminder', () =>
+		sendTemplatedEmail(templateKey, member.email, variables, {
 			recipientId: member.id,
 			recipientName: `${member.first_name} ${member.last_name}`,
 			baseUrl
-	});
+		})
+	);
 
 	if (!result.success) {
-		return { success: false, error: result.error };
+		return { success: false, error: 'error' in result ? result.error : undefined };
 	}
 
 	// Log the reminder
@@ -321,6 +325,19 @@ export async function sendBulkReminders(
 		}
 	}
 
+	if (result.sent > 0) {
+		logAudit({
+			action: 'email.send',
+			resourceType: 'dues_reminder',
+			details: {
+				reminder_type: reminderType,
+				total_sent: result.sent,
+				total_errors: result.errors.length,
+				bulk_operation: true
+			}
+		});
+	}
+
 	return result;
 }
 
@@ -384,6 +401,18 @@ export async function processGracePeriodExpirations(
 		});
 	}
 
+	if (processed.length > 0) {
+		logAudit({
+			action: 'member.status_change',
+			resourceType: 'member',
+			details: {
+				operation: 'grace_period_expiration',
+				members_inactivated: processed.length,
+				member_ids: processed.map(m => m.id)
+			}
+		});
+	}
+
 	return { processed: processed.length, members: processed };
 }
 
@@ -788,15 +817,17 @@ export async function sendOnboardingReminder(
 		portal_url: `${baseUrl}/payments`
 	};
 
-	// Send email
+	// Send email (respecting notification preferences)
-	const result = await sendTemplatedEmail(reminderType, member.email, variables, {
+	const result = await sendWithPreferenceCheck(member.id, 'dues_reminder', () =>
+		sendTemplatedEmail(reminderType, member.email, variables, {
 			recipientId: member.id,
 			recipientName: `${member.first_name} ${member.last_name}`,
 			baseUrl
-	});
+		})
+	);
 
 	if (!result.success) {
-		return { success: false, error: result.error };
+		return { success: false, error: 'error' in result ? result.error : undefined };
 	}
 
 	// Log the reminder

src/lib/server/email.ts

@@ -1,6 +1,7 @@
 import nodemailer from 'nodemailer';
 import type { Transporter } from 'nodemailer';
 import { supabaseAdmin } from './supabase';
+import { escapeHtml } from './sanitize';
 
 export interface SmtpConfig {
 	host: string;
@@ -405,19 +406,6 @@ export function wrapInMonacoTemplate(options: {
 </html>`;
 }
 
-/**
- * Escape HTML special characters to prevent XSS in email templates.
- * Used to sanitize user-provided content before template substitution.
- */
-export function escapeHtml(str: string): string {
-	return str
-		.replace(/&/g, '&amp;')
-		.replace(/</g, '&lt;')
-		.replace(/>/g, '&gt;')
-		.replace(/"/g, '&quot;')
-		.replace(/'/g, '&#39;');
-}
-
 /**
  * Strip HTML tags from a string to create plain text version
  */

src/lib/server/event-reminders.ts

@@ -5,6 +5,7 @@
 
 import { supabaseAdmin } from './supabase';
 import { sendTemplatedEmail } from './email';
+import { sendWithPreferenceCheck } from './notification-preferences';
 
 // ============================================
 // TYPES
@@ -212,15 +213,17 @@ export async function sendEventReminder(
 		portal_url: `${baseUrl}/events/${reminder.event_id}`
 	};
 
-	// Send email
+	// Send email (respecting notification preferences)
-	const result = await sendTemplatedEmail('event_reminder_24hr', reminder.email, variables, {
+	const result = await sendWithPreferenceCheck(reminder.member_id, 'event_reminder', () =>
+		sendTemplatedEmail('event_reminder_24hr', reminder.email, variables, {
 			recipientId: reminder.member_id,
 			recipientName: `${reminder.first_name} ${reminder.last_name}`,
 			baseUrl
-	});
+		})
+	);
 
 	if (!result.success) {
-		return { success: false, error: result.error };
+		return { success: false, error: 'error' in result ? result.error : undefined };
 	}
 
 	// Log the reminder

src/lib/server/member-profile.ts

@@ -6,6 +6,7 @@
 import { uploadAvatar, deleteAvatar, isS3Enabled } from '$lib/server/storage';
 import { supabaseAdmin } from '$lib/server/supabase';
 import type { SupabaseClient } from '@supabase/supabase-js';
+import { sanitizeText } from '$lib/server/sanitize';
 
 // ────────────────────────────────────────────────────────────────
 // Types
@@ -247,21 +248,27 @@ export async function handleProfileUpdate(
 		}
 	}
 
+	// Sanitize text fields before storage
+	const firstName = sanitizeText(data.first_name, 100);
+	const lastName = sanitizeText(data.last_name, 100);
+	const phone = data.phone ? sanitizeText(data.phone, 50) : data.phone;
+	const address = data.address ? sanitizeText(data.address, 500) : data.address;
+
 	// Build the update payload
 	const updatePayload: Record<string, unknown> = {
-		first_name: data.first_name,
+		first_name: firstName,
-		last_name: data.last_name,
+		last_name: lastName,
 		nationality: data.nationality || [],
 		updated_at: new Date().toISOString()
 	};
 
 	// Only include optional fields if provided or if they are required
 	if (requireAllFields) {
-		updatePayload.phone = data.phone;
+		updatePayload.phone = phone;
-		updatePayload.address = data.address;
+		updatePayload.address = address;
 	} else {
-		updatePayload.phone = data.phone || null;
+		updatePayload.phone = phone || null;
-		updatePayload.address = data.address || null;
+		updatePayload.address = address || null;
 	}
 
 	const client = useAdmin ? supabaseAdmin : options?.supabase;

src/lib/server/notification-preferences.ts

@@ -0,0 +1,99 @@
+import { supabaseAdmin } from './supabase';
+
+/**
+ * Notification types that map to user_notification_preferences columns.
+ * The column names follow the pattern: email_{notification_type}
+ */
+export type NotificationType =
+	| 'event_rsvp_confirmation'
+	| 'event_reminder'
+	| 'event_updates'
+	| 'waitlist_promotion'
+	| 'dues_reminder'
+	| 'payment_confirmation'
+	| 'membership_updates'
+	| 'announcements'
+	| 'newsletter';
+
+/** Map from notification type to the corresponding column in user_notification_preferences */
+const COLUMN_MAP: Record<NotificationType, string> = {
+	event_rsvp_confirmation: 'email_event_rsvp_confirmation',
+	event_reminder: 'email_event_reminder',
+	event_updates: 'email_event_updates',
+	waitlist_promotion: 'email_waitlist_promotion',
+	dues_reminder: 'email_dues_reminder',
+	payment_confirmation: 'email_payment_confirmation',
+	membership_updates: 'email_membership_updates',
+	announcements: 'email_announcements',
+	newsletter: 'email_newsletter'
+};
+
+/** Critical notification types that are ALWAYS sent regardless of preferences */
+const CRITICAL_TYPES = new Set([
+	'password_reset',
+	'account_verification',
+	'member_approved',
+	'member_rejected',
+	'welcome'
+]);
+
+/**
+ * Check if a member has email notifications enabled for a given type.
+ * Returns true if enabled or if no preference record exists (opt-out model).
+ * Always returns true for critical notification types.
+ */
+export async function hasEmailNotificationEnabled(
+	memberId: string,
+	notificationType: string
+): Promise<boolean> {
+	// Critical notifications always go through
+	if (CRITICAL_TYPES.has(notificationType)) {
+		return true;
+	}
+
+	// Look up the column name for this notification type
+	const column = COLUMN_MAP[notificationType as NotificationType];
+	if (!column) {
+		// Unknown type - default to sending
+		return true;
+	}
+
+	try {
+		const { data } = await supabaseAdmin
+			.from('user_notification_preferences')
+			.select(column)
+			.eq('member_id', memberId)
+			.single();
+
+		// If no preference exists, default to enabled (opt-out model)
+		if (!data) return true;
+
+		return (data as Record<string, boolean>)[column] !== false;
+	} catch {
+		// On error, default to sending (fail open for notifications)
+		return true;
+	}
+}
+
+/**
+ * Send email only if user's notification preferences allow it.
+ * Wraps any email sending function with a preference check.
+ *
+ * @param memberId - The member to check preferences for
+ * @param notificationType - The type of notification
+ * @param sendFn - The function to call to send the email
+ * @returns The result of sendFn, or { success: true, skipped: true } if preferences disabled
+ */
+export async function sendWithPreferenceCheck<T extends { success: boolean }>(
+	memberId: string,
+	notificationType: string,
+	sendFn: () => Promise<T>
+): Promise<T | { success: true; skipped: true }> {
+	const enabled = await hasEmailNotificationEnabled(memberId, notificationType);
+
+	if (!enabled) {
+		return { success: true, skipped: true };
+	}
+
+	return sendFn();
+}

src/lib/server/registration.ts

@@ -37,7 +37,7 @@ export interface CreateMemberResult {
  *
  * Handles:
  *  - Looking up the default/pending membership status and type
- *  - Generating a sequential MUSA-YYYY-XXXX member ID
+ *  - Member ID auto-generated by database trigger (atomic sequence)
  *  - Inserting the member record
  *
  * @param data       Core registration data.
@@ -50,11 +50,10 @@ export async function createMemberRecord(
 	options?: {
 		/** Look up status by name instead of is_default. Defaults to undefined (uses is_default). */
 		statusName?: string;
-		/** Whether to generate a MUSA-YYYY-XXXX member ID. Defaults to true. */
+		/** @deprecated Member ID now auto-generated by database trigger. */
 		generateMemberId?: boolean;
 	}
 ): Promise<CreateMemberResult> {
-	const generateMemberId = options?.generateMemberId ?? true;
 	const statusName = options?.statusName;
 
 	// Look up the membership status
@@ -92,17 +91,8 @@ export async function createMemberRecord(
 		return { success: false, error: 'System configuration error. Please contact support.' };
 	}
 
-	// Generate member ID if requested
+	// Member ID will be auto-generated by database trigger (generate_member_id)
-	let memberId: string | undefined;
+	// See migration 018_atomic_member_id_generation.sql
-	if (generateMemberId) {
-		const year = new Date().getFullYear();
-		const { count } = await supabase
-			.from('members')
-			.select('*', { count: 'exact', head: true });
-
-		const memberNumber = String((count || 0) + 1).padStart(4, '0');
-		memberId = `MUSA-${year}-${memberNumber}`;
-	}
 
 	// Create the member profile
 	const insertPayload: Record<string, unknown> = {
@@ -119,18 +109,20 @@ export async function createMemberRecord(
 		membership_type_id: typeData.id
 	};
 
-	if (memberId) {
+	// member_id is auto-generated by trigger, no need to set it
-		insertPayload.member_id = memberId;
-	}
 
-	const { error: memberError } = await supabase.from('members').insert(insertPayload);
+	const { error: memberError, data: insertedMember } = await supabase
+		.from('members')
+		.insert(insertPayload)
+		.select('member_id')
+		.single();
 
 	if (memberError) {
 		console.error('Failed to create member profile:', memberError);
 		return { success: false, error: 'Failed to create member profile. Please try again or contact support.' };
 	}
 
-	return { success: true, memberId };
+	return { success: true, memberId: insertedMember?.member_id };
 }
 
 /**

src/lib/server/sanitize.ts

@@ -0,0 +1,61 @@
+/**
+ * Centralized input sanitization utilities for preventing XSS attacks.
+ * Used at server-side input boundaries before storing or rendering user content.
+ */
+
+/**
+ * Escape HTML special characters to prevent XSS.
+ * Use for plain text fields that should never contain HTML.
+ */
+export function escapeHtml(str: string): string {
+	return str
+		.replace(/&/g, '&')
+		.replace(/</g, '&lt;')
+		.replace(/>/g, '&gt;')
+		.replace(/"/g, '&quot;')
+		.replace(/'/g, '&#39;');
+}
+
+/**
+ * Sanitize rich text by stripping dangerous HTML tags while preserving safe formatting.
+ * Allows: p, br, strong, em, ul, ol, li, h1-h6, a (with href only), blockquote, code, pre
+ * Strips: script, style, iframe, object, embed, form, input, on* attributes
+ */
+export function sanitizeRichText(html: string): string {
+	// Remove script tags and their contents
+	let cleaned = html.replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '');
+	// Remove style tags and their contents
+	cleaned = cleaned.replace(/<style\b[^<]*(?:(?!<\/style>)<[^<]*)*<\/style>/gi, '');
+	// Remove iframe, object, embed, form, input tags
+	cleaned = cleaned.replace(/<\/?(?:iframe|object|embed|form|input|textarea|select|button)\b[^>]*>/gi, '');
+	// Remove all on* event handlers (onclick, onerror, onload, etc.)
+	cleaned = cleaned.replace(/\s+on\w+\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]*)/gi, '');
+	// Remove javascript: protocol from href/src attributes
+	cleaned = cleaned.replace(/(href|src|action)\s*=\s*(?:"javascript:[^"]*"|'javascript:[^']*')/gi, '$1=""');
+	// Remove data: protocol (except data:image for inline images)
+	cleaned = cleaned.replace(/(href|src|action)\s*=\s*(?:"data:(?!image)[^"]*"|'data:(?!image)[^']*')/gi, '$1=""');
+	return cleaned;
+}
+
+/**
+ * Sanitize a URL to prevent javascript: and data: protocol injection.
+ * Returns the URL if safe, or empty string if potentially malicious.
+ */
+export function sanitizeUrl(url: string): string {
+	const trimmed = url.trim();
+	// Block javascript: protocol (case-insensitive, handles whitespace/encoding tricks)
+	if (/^\s*javascript\s*:/i.test(trimmed)) return '';
+	// Block data: protocol (except data:image)
+	if (/^\s*data\s*:(?!image\/)/i.test(trimmed)) return '';
+	// Block vbscript: protocol
+	if (/^\s*vbscript\s*:/i.test(trimmed)) return '';
+	return trimmed;
+}
+
+/**
+ * Sanitize a plain text string for safe storage.
+ * Trims whitespace and limits length.
+ */
+export function sanitizeText(str: string, maxLength: number = 10000): string {
+	return str.trim().substring(0, maxLength);
+}

src/lib/server/storage.ts

@@ -28,6 +28,62 @@ const MAGIC_BYTES: Record<string, { offset: number; bytes: number[] }[]> = {
 	]
 };
 
+/**
+ * MIME type to expected file extensions mapping.
+ * Used to validate that file content matches the declared extension.
+ */
+const MIME_TO_EXTENSIONS: Record<string, string[]> = {
+	'application/pdf': ['pdf'],
+	'application/msword': ['doc'],
+	'application/vnd.openxmlformats-officedocument.wordprocessingml.document': ['docx'],
+	'application/vnd.ms-excel': ['xls'],
+	'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet': ['xlsx'],
+	'application/vnd.ms-powerpoint': ['ppt'],
+	'application/vnd.openxmlformats-officedocument.presentationml.presentation': ['pptx'],
+	'text/plain': ['txt', 'text', 'log'],
+	'text/csv': ['csv'],
+	'application/json': ['json'],
+	'image/jpeg': ['jpg', 'jpeg'],
+	'image/png': ['png'],
+	'image/webp': ['webp'],
+	'image/gif': ['gif']
+};
+
+/**
+ * Sanitize a filename to prevent path traversal and other attacks.
+ * Removes directory separators, null bytes, and other dangerous characters.
+ */
+export function sanitizeFilename(filename: string): string {
+	return filename
+		// Remove null bytes
+		.replace(/\0/g, '')
+		// Remove directory separators
+		.replace(/[\/\\]/g, '_')
+		// Remove leading dots (hidden files / directory traversal)
+		.replace(/^\.+/, '')
+		// Replace non-safe characters
+		.replace(/[^a-zA-Z0-9._-]/g, '_')
+		// Collapse multiple underscores
+		.replace(/_+/g, '_')
+		// Limit length
+		.substring(0, 255)
+		// Ensure not empty
+		|| 'unnamed_file';
+}
+
+/**
+ * Validate that file extension matches the declared MIME type.
+ */
+export function validateExtensionMatchesMime(filename: string, mimeType: string): boolean {
+	const ext = filename.split('.').pop()?.toLowerCase();
+	if (!ext) return false;
+
+	const allowedExtensions = MIME_TO_EXTENSIONS[mimeType];
+	if (!allowedExtensions) return true; // Unknown MIME type - allow
+
+	return allowedExtensions.includes(ext);
+}
+
 /**
  * Validate that a file's magic bytes match the declared MIME type.
  * Returns true if the magic bytes match, or if the type has no known magic byte signature
@@ -594,7 +650,7 @@ export async function listFiles(
 export function generateUniqueFilename(originalName: string): string {
 	const timestamp = Date.now();
 	const randomStr = Math.random().toString(36).substring(2, 8);
-	const safeName = originalName.replace(/[^a-zA-Z0-9.-]/g, '_').substring(0, 50);
+	const safeName = sanitizeFilename(originalName).substring(0, 50);
 	const ext = safeName.split('.').pop() || '';
 	const nameWithoutExt = safeName.replace(`.${ext}`, '');
 	return `${timestamp}-${randomStr}-${nameWithoutExt}.${ext}`;
@@ -792,6 +848,11 @@ export async function uploadDocument(
 		};
 	}
 
+	// Validate file extension matches declared MIME type
+	if (!validateExtensionMatchesMime(file.name, file.type)) {
+		return { success: false, error: 'File extension does not match file type. Please ensure the file has the correct extension.' };
+	}
+
 	// Validate file size (max 50MB)
 	const maxSize = 50 * 1024 * 1024;
 	if (file.size > maxSize) {
@@ -801,7 +862,7 @@ export async function uploadDocument(
 	// Generate unique storage path
 	const timestamp = Date.now();
 	const randomStr = Math.random().toString(36).substring(2, 8);
-	const safeName = file.name.replace(/[^a-zA-Z0-9.-]/g, '_').substring(0, 50);
+	const safeName = sanitizeFilename(file.name).substring(0, 50);
 	const path = options?.folder ? `${options.folder}/${timestamp}-${randomStr}-${safeName}` : `${timestamp}-${randomStr}-${safeName}`;
 
 	// Convert to ArrayBuffer

src/lib/types/database.ts

@@ -25,6 +25,7 @@ export type Database = {
 					member_since: string;
 					avatar_url: string | null;
 					notes: string | null;
+					directory_privacy: { show_email: boolean; show_phone: boolean; show_address: boolean; show_nationality: boolean } | null;
 					created_at: string;
 					updated_at: string;
 				};
@@ -44,6 +45,7 @@ export type Database = {
 					member_since?: string;
 					avatar_url?: string | null;
 					notes?: string | null;
+					directory_privacy?: { show_email: boolean; show_phone: boolean; show_address: boolean; show_nationality: boolean } | null;
 					created_at?: string;
 					updated_at?: string;
 				};
@@ -63,6 +65,7 @@ export type Database = {
 					member_since?: string;
 					avatar_url?: string | null;
 					notes?: string | null;
+					directory_privacy?: { show_email: boolean; show_phone: boolean; show_address: boolean; show_nationality: boolean } | null;
 					created_at?: string;
 					updated_at?: string;
 				};

src/routes/(app)/admin/bulk-email/+page.server.ts

@@ -0,0 +1,170 @@
+import { fail } from '@sveltejs/kit';
+import type { Actions, PageServerLoad } from './$types';
+import { supabaseAdmin } from '$lib/server/supabase';
+import { sendEmail, wrapInMonacoTemplate } from '$lib/server/email';
+import { escapeHtml } from '$lib/server/sanitize';
+import { logAudit } from '$lib/server/audit';
+
+export const load: PageServerLoad = async ({ locals }) => {
+	// Load past bulk emails
+	const { data: broadcasts } = await supabaseAdmin
+		.from('bulk_emails')
+		.select('*')
+		.order('created_at', { ascending: false })
+		.limit(20);
+
+	// Get recipient counts for filter preview
+	const { data: members } = await supabaseAdmin
+		.from('members')
+		.select('id, role, status')
+		.not('email', 'is', null);
+
+	const recipientCounts = {
+		all: members?.length || 0,
+		active: members?.filter((m: any) => m.status === 'active').length || 0,
+		board: members?.filter((m: any) => m.role === 'board' || m.role === 'admin').length || 0,
+		admin: members?.filter((m: any) => m.role === 'admin').length || 0
+	};
+
+	return {
+		broadcasts: broadcasts || [],
+		recipientCounts
+	};
+};
+
+export const actions: Actions = {
+	send: async ({ request, locals }) => {
+		const { member, session } = await locals.safeGetSession();
+		if (!member || !session) {
+			return fail(401, { error: 'Not authenticated' });
+		}
+
+		const formData = await request.formData();
+		const subject = (formData.get('subject') as string)?.trim();
+		const body = (formData.get('body') as string)?.trim();
+		const target = (formData.get('target') as string) || 'all';
+
+		if (!subject || subject.length < 3) {
+			return fail(400, { error: 'Subject must be at least 3 characters' });
+		}
+
+		if (!body || body.length < 10) {
+			return fail(400, { error: 'Email body must be at least 10 characters' });
+		}
+
+		// Build recipient query
+		let query = supabaseAdmin
+			.from('members')
+			.select('id, email, first_name, last_name, role, status');
+
+		switch (target) {
+			case 'active':
+				query = query.eq('status', 'active');
+				break;
+			case 'board':
+				query = query.in('role', ['board', 'admin']);
+				break;
+			case 'admin':
+				query = query.eq('role', 'admin');
+				break;
+			default:
+				// All members with email
+				break;
+		}
+
+		const { data: recipients } = await query.not('email', 'is', null);
+
+		if (!recipients || recipients.length === 0) {
+			return fail(400, { error: 'No recipients match the selected filter' });
+		}
+
+		// Create bulk email record
+		const { data: broadcast, error: createError } = await supabaseAdmin
+			.from('bulk_emails')
+			.insert({
+				subject: escapeHtml(subject),
+				body,
+				recipient_filter: { target },
+				total_recipients: recipients.length,
+				status: 'sending',
+				sent_by: session.user.id,
+				sent_by_name: `${member.first_name} ${member.last_name}`,
+				sent_at: new Date().toISOString()
+			})
+			.select()
+			.single();
+
+		if (createError || !broadcast) {
+			return fail(500, { error: 'Failed to create broadcast record' });
+		}
+
+		// Send emails in batches
+		let sentCount = 0;
+		let failedCount = 0;
+
+		// Convert newlines in body to <br> for HTML display
+		const htmlBody = body.replace(/\n/g, '<br>');
+
+		for (const recipient of recipients) {
+			// Personalize the email content
+			const personalizedBody = htmlBody
+				.replace(/\{\{first_name\}\}/g, escapeHtml(recipient.first_name || ''))
+				.replace(/\{\{last_name\}\}/g, escapeHtml(recipient.last_name || ''))
+				.replace(/\{\{email\}\}/g, escapeHtml(recipient.email || ''));
+
+			const emailContent = `
+				<p style="margin: 0 0 16px 0; color: #334155; line-height: 1.6;">Hi ${escapeHtml(recipient.first_name || 'Member')},</p>
+				<div style="color: #334155; line-height: 1.6;">${personalizedBody}</div>
+			`;
+
+			const result = await sendEmail({
+				to: recipient.email,
+				subject,
+				html: wrapInMonacoTemplate({
+					title: subject,
+					content: emailContent
+				}),
+				recipientId: recipient.id,
+				recipientName: `${recipient.first_name} ${recipient.last_name}`,
+				emailType: 'announcement'
+			});
+
+			if (result.success) {
+				sentCount++;
+			} else {
+				failedCount++;
+			}
+		}
+
+		// Update broadcast record with results
+		await supabaseAdmin
+			.from('bulk_emails')
+			.update({
+				sent_count: sentCount,
+				failed_count: failedCount,
+				status: failedCount === recipients.length ? 'failed' : 'completed',
+				completed_at: new Date().toISOString()
+			})
+			.eq('id', broadcast.id);
+
+		// Audit log
+		logAudit({
+			action: 'email.send',
+			resourceType: 'settings',
+			resourceId: broadcast.id,
+			userId: session.user.id,
+			userEmail: member.email,
+			details: {
+				subject,
+				target,
+				totalRecipients: recipients.length,
+				sent: sentCount,
+				failed: failedCount
+			}
+		});
+
+		return {
+			success: `Broadcast sent! ${sentCount} delivered, ${failedCount} failed out of ${recipients.length} recipients.`
+		};
+	}
+};

src/routes/(app)/admin/bulk-email/+page.svelte

@@ -0,0 +1,236 @@
+<script lang="ts">
+	import { Send, Mail, Users, Shield, CheckCircle, XCircle, Clock, AlertTriangle } from 'lucide-svelte';
+	import { Input } from '$lib/components/ui/input';
+	import { Label } from '$lib/components/ui/label';
+	import { enhance } from '$app/forms';
+	import { invalidateAll } from '$app/navigation';
+
+	let { data, form } = $props();
+	const { broadcasts, recipientCounts } = data;
+
+	let isSending = $state(false);
+	let selectedTarget = $state('all');
+	let showConfirm = $state(false);
+
+	const targetOptions = [
+		{ value: 'all', label: 'All Members', count: recipientCounts.all },
+		{ value: 'active', label: 'Active Members Only', count: recipientCounts.active },
+		{ value: 'board', label: 'Board & Admins', count: recipientCounts.board },
+		{ value: 'admin', label: 'Admins Only', count: recipientCounts.admin }
+	];
+
+	const currentRecipientCount = $derived(
+		targetOptions.find(o => o.value === selectedTarget)?.count || 0
+	);
+
+	function getStatusBadge(status: string) {
+		switch (status) {
+			case 'completed':
+				return { color: 'text-green-600', bg: 'bg-green-50', label: 'Sent' };
+			case 'failed':
+				return { color: 'text-red-600', bg: 'bg-red-50', label: 'Failed' };
+			case 'sending':
+				return { color: 'text-blue-600', bg: 'bg-blue-50', label: 'Sending' };
+			default:
+				return { color: 'text-slate-500', bg: 'bg-slate-50', label: status };
+		}
+	}
+
+	function formatDate(dateStr: string): string {
+		return new Date(dateStr).toLocaleDateString('en-US', {
+			month: 'short',
+			day: 'numeric',
+			year: 'numeric',
+			hour: '2-digit',
+			minute: '2-digit'
+		});
+	}
+</script>
+
+<svelte:head>
+	<title>Bulk Email | Monaco USA</title>
+</svelte:head>
+
+<div class="space-y-6">
+	<div>
+		<h1 class="text-2xl font-bold text-slate-900">Bulk Email Broadcast</h1>
+		<p class="text-slate-500">Send announcements and newsletters to members</p>
+	</div>
+
+	{#if form?.error}
+		<div class="rounded-lg bg-red-50 border border-red-200 p-4 text-sm text-red-600">
+			<div class="flex items-center gap-2">
+				<AlertTriangle class="h-4 w-4" />
+				{form.error}
+			</div>
+		</div>
+	{/if}
+
+	{#if form?.success}
+		<div class="rounded-lg bg-green-50 border border-green-200 p-4 text-sm text-green-600">
+			<div class="flex items-center gap-2">
+				<CheckCircle class="h-4 w-4" />
+				{form.success}
+			</div>
+		</div>
+	{/if}
+
+	<!-- Compose Email -->
+	<div class="glass-card p-6">
+		<h2 class="mb-4 flex items-center gap-2 text-lg font-semibold text-slate-900">
+			<Mail class="h-5 w-5 text-monaco-600" />
+			Compose Broadcast
+		</h2>
+
+		<form
+			method="POST"
+			action="?/send"
+			use:enhance={() => {
+				isSending = true;
+				showConfirm = false;
+				return async ({ update }) => {
+					await invalidateAll();
+					await update();
+					isSending = false;
+				};
+			}}
+			class="space-y-4"
+		>
+			<!-- Recipients -->
+			<div>
+				<Label for="target">Recipients</Label>
+				<select
+					id="target"
+					name="target"
+					bind:value={selectedTarget}
+					class="mt-1 w-full rounded-lg border border-slate-200 bg-white px-3 py-2 text-sm"
+				>
+					{#each targetOptions as option}
+						<option value={option.value}>{option.label} ({option.count})</option>
+					{/each}
+				</select>
+				<p class="mt-1 text-xs text-slate-500">
+					This will send to <strong>{currentRecipientCount}</strong> recipients.
+					Email preferences will be respected (members can opt out of announcements).
+				</p>
+			</div>
+
+			<!-- Subject -->
+			<div>
+				<Label for="subject">Subject *</Label>
+				<Input
+					type="text"
+					id="subject"
+					name="subject"
+					required
+					placeholder="e.g., Monaco USA Monthly Newsletter - February 2026"
+					class="mt-1"
+				/>
+			</div>
+
+			<!-- Body -->
+			<div>
+				<Label for="body">Email Body *</Label>
+				<textarea
+					id="body"
+					name="body"
+					required
+					rows="10"
+					placeholder="Write your email content here. Use variables like first_name and last_name for personalization."
+					class="mt-1 w-full rounded-lg border border-slate-200 px-3 py-2 text-sm"
+				></textarea>
+				<p class="mt-1 text-xs text-slate-500">
+					Plain text with line breaks. Use {'{{first_name}}'} and {'{{last_name}}'} for personalization.
+				</p>
+			</div>
+
+			<!-- Send button -->
+			<div class="flex items-center gap-4 border-t border-slate-200 pt-4">
+				{#if !showConfirm}
+					<button
+						type="button"
+						onclick={() => (showConfirm = true)}
+						class="flex items-center gap-2 rounded-lg bg-monaco-600 px-6 py-2 text-sm font-medium text-white hover:bg-monaco-700"
+					>
+						<Send class="h-4 w-4" />
+						Send Broadcast
+					</button>
+				{:else}
+					<div class="flex items-center gap-3 rounded-lg bg-amber-50 border border-amber-200 px-4 py-3">
+						<AlertTriangle class="h-5 w-5 text-amber-600 shrink-0" />
+						<p class="text-sm text-amber-700">
+							Send to <strong>{currentRecipientCount}</strong> recipients? This cannot be undone.
+						</p>
+						<button
+							type="submit"
+							disabled={isSending}
+							class="shrink-0 rounded-lg bg-monaco-600 px-4 py-1.5 text-sm font-medium text-white hover:bg-monaco-700 disabled:opacity-50"
+						>
+							{isSending ? 'Sending...' : 'Confirm Send'}
+						</button>
+						<button
+							type="button"
+							onclick={() => (showConfirm = false)}
+							class="shrink-0 text-sm text-slate-500 hover:text-slate-700"
+						>
+							Cancel
+						</button>
+					</div>
+				{/if}
+			</div>
+		</form>
+	</div>
+
+	<!-- Broadcast History -->
+	<div class="glass-card p-6">
+		<h2 class="mb-4 text-lg font-semibold text-slate-900">Broadcast History</h2>
+
+		{#if broadcasts.length === 0}
+			<div class="py-12 text-center">
+				<Mail class="mx-auto h-12 w-12 text-slate-300" />
+				<p class="mt-4 text-slate-500">No broadcasts sent yet.</p>
+			</div>
+		{:else}
+			<div class="overflow-x-auto">
+				<table class="w-full text-sm">
+					<thead>
+						<tr class="border-b border-slate-200 text-left">
+							<th class="pb-3 pr-4 font-medium text-slate-600">Subject</th>
+							<th class="pb-3 pr-4 font-medium text-slate-600">Status</th>
+							<th class="pb-3 pr-4 font-medium text-slate-600">Recipients</th>
+							<th class="pb-3 pr-4 font-medium text-slate-600">Sent By</th>
+							<th class="pb-3 font-medium text-slate-600">Date</th>
+						</tr>
+					</thead>
+					<tbody class="divide-y divide-slate-100">
+						{#each broadcasts as broadcast}
+							{@const statusBadge = getStatusBadge(broadcast.status)}
+							<tr class="hover:bg-slate-50">
+								<td class="py-3 pr-4 font-medium text-slate-900 max-w-xs truncate">
+									{broadcast.subject}
+								</td>
+								<td class="py-3 pr-4">
+									<span class="inline-flex items-center rounded-full px-2 py-0.5 text-xs font-medium {statusBadge.bg} {statusBadge.color}">
+										{statusBadge.label}
+									</span>
+								</td>
+								<td class="py-3 pr-4 text-slate-600">
+									{broadcast.sent_count}/{broadcast.total_recipients}
+									{#if broadcast.failed_count > 0}
+										<span class="text-red-500 text-xs">({broadcast.failed_count} failed)</span>
+									{/if}
+								</td>
+								<td class="py-3 pr-4 text-slate-500">
+									{broadcast.sent_by_name || 'Unknown'}
+								</td>
+								<td class="py-3 text-slate-500 whitespace-nowrap">
+									{broadcast.sent_at ? formatDate(broadcast.sent_at) : formatDate(broadcast.created_at)}
+								</td>
+							</tr>
+						{/each}
+					</tbody>
+				</table>
+			</div>
+		{/if}
+	</div>
+</div>

src/routes/(app)/admin/cron-monitoring/+page.server.ts

@@ -0,0 +1,143 @@
+import { fail } from '@sveltejs/kit';
+import type { Actions, PageServerLoad } from './$types';
+import { supabaseAdmin } from '$lib/server/supabase';
+import { env } from '$env/dynamic/private';
+
+export const load: PageServerLoad = async () => {
+	// Load recent cron execution logs
+	const { data: logs } = await supabaseAdmin
+		.from('cron_execution_logs')
+		.select('*')
+		.order('started_at', { ascending: false })
+		.limit(50);
+
+	return {
+		cronLogs: logs || []
+	};
+};
+
+export const actions: Actions = {
+	runDuesReminders: async ({ url }) => {
+		const cronSecret = env.CRON_SECRET;
+		if (!cronSecret) {
+			return fail(500, { error: 'CRON_SECRET not configured' });
+		}
+
+		// Log the execution start
+		const { data: logEntry } = await supabaseAdmin
+			.from('cron_execution_logs')
+			.insert({
+				job_name: 'dues-reminders',
+				status: 'running',
+				triggered_by: 'admin-manual'
+			})
+			.select()
+			.single();
+
+		try {
+			const baseUrl = url.origin || env.SITE_URL || 'https://monacousa.org';
+			const response = await fetch(`${baseUrl}/api/cron/dues-reminders`, {
+				method: 'POST',
+				headers: {
+					'Authorization': `Bearer ${cronSecret}`
+				}
+			});
+
+			const result = await response.json();
+
+			// Update log entry
+			if (logEntry) {
+				await supabaseAdmin
+					.from('cron_execution_logs')
+					.update({
+						status: response.ok ? 'completed' : 'failed',
+						completed_at: new Date().toISOString(),
+						duration_ms: Date.now() - new Date(logEntry.started_at).getTime(),
+						result,
+						error_message: response.ok ? null : result.error
+					})
+					.eq('id', logEntry.id);
+			}
+
+			if (!response.ok) {
+				return fail(500, { error: result.error || 'Cron job failed' });
+			}
+
+			return { success: `Dues reminders completed. Sent: ${result.summary?.totalRemindersSent || 0}` };
+		} catch (error) {
+			if (logEntry) {
+				await supabaseAdmin
+					.from('cron_execution_logs')
+					.update({
+						status: 'failed',
+						completed_at: new Date().toISOString(),
+						duration_ms: Date.now() - new Date(logEntry.started_at).getTime(),
+						error_message: error instanceof Error ? error.message : 'Unknown error'
+					})
+					.eq('id', logEntry.id);
+			}
+			return fail(500, { error: error instanceof Error ? error.message : 'Failed to run cron job' });
+		}
+	},
+
+	runEventReminders: async ({ url }) => {
+		const cronSecret = env.CRON_SECRET;
+		if (!cronSecret) {
+			return fail(500, { error: 'CRON_SECRET not configured' });
+		}
+
+		const { data: logEntry } = await supabaseAdmin
+			.from('cron_execution_logs')
+			.insert({
+				job_name: 'event-reminders',
+				status: 'running',
+				triggered_by: 'admin-manual'
+			})
+			.select()
+			.single();
+
+		try {
+			const baseUrl = url.origin || env.SITE_URL || 'https://monacousa.org';
+			const response = await fetch(`${baseUrl}/api/cron/event-reminders`, {
+				method: 'POST',
+				headers: {
+					'Authorization': `Bearer ${cronSecret}`
+				}
+			});
+
+			const result = await response.json();
+
+			if (logEntry) {
+				await supabaseAdmin
+					.from('cron_execution_logs')
+					.update({
+						status: response.ok ? 'completed' : 'failed',
+						completed_at: new Date().toISOString(),
+						duration_ms: Date.now() - new Date(logEntry.started_at).getTime(),
+						result,
+						error_message: response.ok ? null : result.error
+					})
+					.eq('id', logEntry.id);
+			}
+
+			if (!response.ok) {
+				return fail(500, { error: result.error || 'Cron job failed' });
+			}
+
+			return { success: `Event reminders completed. Sent: ${result.sent || 0}` };
+		} catch (error) {
+			if (logEntry) {
+				await supabaseAdmin
+					.from('cron_execution_logs')
+					.update({
+						status: 'failed',
+						completed_at: new Date().toISOString(),
+						duration_ms: Date.now() - new Date(logEntry.started_at).getTime(),
+						error_message: error instanceof Error ? error.message : 'Unknown error'
+					})
+					.eq('id', logEntry.id);
+			}
+			return fail(500, { error: error instanceof Error ? error.message : 'Failed to run cron job' });
+		}
+	}
+};

src/routes/(app)/admin/cron-monitoring/+page.svelte

@@ -0,0 +1,241 @@
+<script lang="ts">
+	import { Timer, Play, CheckCircle, XCircle, Clock, RefreshCw, AlertTriangle } from 'lucide-svelte';
+	import { enhance } from '$app/forms';
+	import { invalidateAll } from '$app/navigation';
+
+	let { data, form } = $props();
+	const cronLogs = $derived(data.cronLogs);
+
+	let runningJob = $state<string | null>(null);
+
+	const cronJobs = [
+		{
+			id: 'dues-reminders',
+			name: 'Dues Reminders',
+			description: 'Send payment reminders to members with upcoming or overdue dues',
+			schedule: 'Daily at 9:00 AM',
+			action: '?/runDuesReminders'
+		},
+		{
+			id: 'event-reminders',
+			name: 'Event Reminders',
+			description: 'Send reminder emails 24 hours before events',
+			schedule: 'Hourly',
+			action: '?/runEventReminders'
+		}
+	];
+
+	function getStatusBadge(status: string) {
+		switch (status) {
+			case 'completed':
+				return { icon: CheckCircle, color: 'text-green-600', bg: 'bg-green-50', label: 'Completed' };
+			case 'failed':
+				return { icon: XCircle, color: 'text-red-600', bg: 'bg-red-50', label: 'Failed' };
+			case 'running':
+				return { icon: RefreshCw, color: 'text-blue-600', bg: 'bg-blue-50', label: 'Running' };
+			default:
+				return { icon: Clock, color: 'text-slate-500', bg: 'bg-slate-50', label: status };
+		}
+	}
+
+	function formatDuration(ms: number | null): string {
+		if (!ms) return '-';
+		if (ms < 1000) return `${ms}ms`;
+		if (ms < 60000) return `${(ms / 1000).toFixed(1)}s`;
+		return `${Math.floor(ms / 60000)}m ${Math.round((ms % 60000) / 1000)}s`;
+	}
+
+	function formatDate(dateStr: string): string {
+		return new Date(dateStr).toLocaleDateString('en-US', {
+			month: 'short',
+			day: 'numeric',
+			year: 'numeric',
+			hour: '2-digit',
+			minute: '2-digit'
+		});
+	}
+
+	function getLastRun(jobName: string) {
+		return cronLogs.find((log: any) => log.job_name === jobName);
+	}
+</script>
+
+<svelte:head>
+	<title>Cron Monitoring | Monaco USA</title>
+</svelte:head>
+
+<div class="space-y-6">
+	<div>
+		<h1 class="text-2xl font-bold text-slate-900">Cron Job Monitoring</h1>
+		<p class="text-slate-500">Monitor and manually trigger scheduled tasks</p>
+	</div>
+
+	{#if form?.error}
+		<div class="rounded-lg bg-red-50 border border-red-200 p-4 text-sm text-red-600">
+			<div class="flex items-center gap-2">
+				<AlertTriangle class="h-4 w-4" />
+				{form.error}
+			</div>
+		</div>
+	{/if}
+
+	{#if form?.success}
+		<div class="rounded-lg bg-green-50 border border-green-200 p-4 text-sm text-green-600">
+			<div class="flex items-center gap-2">
+				<CheckCircle class="h-4 w-4" />
+				{form.success}
+			</div>
+		</div>
+	{/if}
+
+	<!-- Cron Jobs -->
+	<div class="grid gap-4 sm:grid-cols-2">
+		{#each cronJobs as job}
+			{@const lastRun = getLastRun(job.id)}
+			{@const lastStatus = lastRun ? getStatusBadge(lastRun.status) : null}
+			<div class="glass-card p-6">
+				<div class="flex items-start justify-between">
+					<div class="flex items-center gap-3">
+						<div class="rounded-lg bg-monaco-100 p-2">
+							<Timer class="h-5 w-5 text-monaco-600" />
+						</div>
+						<div>
+							<h3 class="font-semibold text-slate-900">{job.name}</h3>
+							<p class="text-sm text-slate-500">{job.description}</p>
+						</div>
+					</div>
+				</div>
+
+				<div class="mt-4 space-y-2 text-sm">
+					<div class="flex items-center justify-between">
+						<span class="text-slate-500">Schedule:</span>
+						<span class="font-medium text-slate-700">{job.schedule}</span>
+					</div>
+					<div class="flex items-center justify-between">
+						<span class="text-slate-500">Last Run:</span>
+						{#if lastRun}
+							<span class="font-medium text-slate-700">{formatDate(lastRun.started_at)}</span>
+						{:else}
+							<span class="text-slate-400">Never</span>
+						{/if}
+					</div>
+					{#if lastStatus}
+						{@const StatusIcon = lastStatus.icon}
+						<div class="flex items-center justify-between">
+							<span class="text-slate-500">Status:</span>
+							<span class="inline-flex items-center gap-1 rounded-full px-2 py-0.5 text-xs font-medium {lastStatus.bg} {lastStatus.color}">
+								<StatusIcon class="h-3 w-3" />
+								{lastStatus.label}
+							</span>
+						</div>
+					{/if}
+					{#if lastRun?.duration_ms}
+						<div class="flex items-center justify-between">
+							<span class="text-slate-500">Duration:</span>
+							<span class="font-medium text-slate-700">{formatDuration(lastRun.duration_ms)}</span>
+						</div>
+					{/if}
+				</div>
+
+				<div class="mt-4 border-t border-slate-100 pt-4">
+					<form
+						method="POST"
+						action={job.action}
+						use:enhance={() => {
+							runningJob = job.id;
+							return async ({ update }) => {
+								await invalidateAll();
+								await update();
+								runningJob = null;
+							};
+						}}
+					>
+						<button
+							type="submit"
+							disabled={runningJob !== null}
+							class="flex w-full items-center justify-center gap-2 rounded-lg bg-monaco-600 px-4 py-2 text-sm font-medium text-white hover:bg-monaco-700 disabled:opacity-50"
+						>
+							{#if runningJob === job.id}
+								<RefreshCw class="h-4 w-4 animate-spin" />
+								Running...
+							{:else}
+								<Play class="h-4 w-4" />
+								Run Now
+							{/if}
+						</button>
+					</form>
+				</div>
+			</div>
+		{/each}
+	</div>
+
+	<!-- Execution History -->
+	<div class="glass-card p-6">
+		<h2 class="mb-4 text-lg font-semibold text-slate-900">Execution History</h2>
+
+		{#if cronLogs.length === 0}
+			<div class="py-12 text-center">
+				<Timer class="mx-auto h-12 w-12 text-slate-300" />
+				<p class="mt-4 text-slate-500">No cron executions recorded yet.</p>
+				<p class="mt-1 text-sm text-slate-400">Run a job above or wait for scheduled execution.</p>
+			</div>
+		{:else}
+			<div class="overflow-x-auto">
+				<table class="w-full text-sm">
+					<thead>
+						<tr class="border-b border-slate-200 text-left">
+							<th class="pb-3 pr-4 font-medium text-slate-600">Job</th>
+							<th class="pb-3 pr-4 font-medium text-slate-600">Status</th>
+							<th class="pb-3 pr-4 font-medium text-slate-600">Started</th>
+							<th class="pb-3 pr-4 font-medium text-slate-600">Duration</th>
+							<th class="pb-3 pr-4 font-medium text-slate-600">Triggered By</th>
+							<th class="pb-3 font-medium text-slate-600">Details</th>
+						</tr>
+					</thead>
+					<tbody class="divide-y divide-slate-100">
+						{#each cronLogs as log}
+													{@const statusBadge = getStatusBadge(log.status)}
+						{@const BadgeIcon = statusBadge.icon}
+						<tr class="hover:bg-slate-50">
+							<td class="py-3 pr-4 font-medium text-slate-900 whitespace-nowrap">
+								{log.job_name}
+							</td>
+							<td class="py-3 pr-4">
+								<span class="inline-flex items-center gap-1 rounded-full px-2 py-0.5 text-xs font-medium {statusBadge.bg} {statusBadge.color}">
+									<BadgeIcon class="h-3 w-3" />
+									{statusBadge.label}
+								</span>
+							</td>
+								<td class="py-3 pr-4 text-slate-500 whitespace-nowrap">
+									{formatDate(log.started_at)}
+								</td>
+								<td class="py-3 pr-4 text-slate-500">
+									{formatDuration(log.duration_ms)}
+								</td>
+								<td class="py-3 pr-4">
+									<span class="inline-flex items-center rounded-full px-2 py-0.5 text-xs font-medium {log.triggered_by === 'admin-manual' ? 'bg-purple-50 text-purple-700' : 'bg-slate-100 text-slate-600'}">
+										{log.triggered_by === 'admin-manual' ? 'Manual' : 'Scheduled'}
+									</span>
+								</td>
+								<td class="py-3 text-slate-500">
+									{#if log.error_message}
+										<span class="text-red-600 text-xs">{log.error_message}</span>
+									{:else if log.result?.summary}
+										<span class="text-xs">
+											Sent: {log.result.summary.totalRemindersSent || 0},
+											Errors: {log.result.summary.totalErrors || 0}
+										</span>
+									{:else if log.result?.sent !== undefined}
+										<span class="text-xs">Sent: {log.result.sent}</span>
+									{:else}
+										<span class="text-slate-400">-</span>
+									{/if}
+								</td>
+							</tr>
+						{/each}
+					</tbody>
+				</table>
+			</div>
+		{/if}
+	</div>
+</div>

src/routes/(app)/admin/members/+page.server.ts

@@ -2,6 +2,7 @@ import { fail } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 import { supabaseAdmin } from '$lib/server/supabase';
 import { sendEmail } from '$lib/server/email';
+import { logMemberAction } from '$lib/server/audit';
 
 export const load: PageServerLoad = async ({ locals, url }) => {
 	const searchQuery = url.searchParams.get('search') || '';
@@ -64,6 +65,7 @@ export const load: PageServerLoad = async ({ locals, url }) => {
 
 export const actions: Actions = {
 	updateRole: async ({ request, locals }) => {
+		const { session } = await locals.safeGetSession();
 		const formData = await request.formData();
 		const memberId = formData.get('member_id') as string;
 		const newRole = formData.get('role') as string;
@@ -76,6 +78,11 @@ export const actions: Actions = {
 			return fail(400, { error: 'Invalid role' });
 		}
 
+		// Prevent admin from changing their own role (belt-and-suspenders with RLS)
+		if (session?.user && memberId === session.user.id) {
+			return fail(403, { error: 'Cannot change your own role' });
+		}
+
 		const { error } = await locals.supabase
 			.from('members')
 			.update({ role: newRole, updated_at: new Date().toISOString() })
@@ -86,10 +93,19 @@ export const actions: Actions = {
 			return fail(500, { error: 'Failed to update role' });
 		}
 
+		if (session?.user) {
+			logMemberAction('role_change',
+				{ id: session.user.id, email: session.user.email! },
+				{ id: memberId },
+				{ new_role: newRole }
+			);
+		}
+
 		return { success: 'Role updated successfully!' };
 	},
 
 	updateStatus: async ({ request, locals }) => {
+		const { session } = await locals.safeGetSession();
 		const formData = await request.formData();
 		const memberId = formData.get('member_id') as string;
 		const statusId = formData.get('status_id') as string;
@@ -111,6 +127,14 @@ export const actions: Actions = {
 			return fail(500, { error: 'Failed to update status' });
 		}
 
+		if (session?.user) {
+			logMemberAction('status_change',
+				{ id: session.user.id, email: session.user.email! },
+				{ id: memberId },
+				{ new_status_id: statusId }
+			);
+		}
+
 		return { success: 'Status updated successfully!' };
 	},
 
@@ -174,6 +198,12 @@ export const actions: Actions = {
 			// Member is already deleted, just log this
 		}
 
+		logMemberAction('delete',
+			{ id: member.id, email: member.email! },
+			{ id: memberId },
+			{ deleted_by_admin: true }
+		);
+
 		return { success: 'Member deleted successfully!' };
 	},
 

src/routes/(app)/admin/notifications/+page.server.ts

@@ -1,6 +1,7 @@
 import { fail, redirect } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 import { supabaseAdmin } from '$lib/server/supabase';
+import { escapeHtml } from '$lib/server/sanitize';
 
 export const load: PageServerLoad = async ({ locals }) => {
 	const { member } = await locals.safeGetSession();
@@ -46,8 +47,8 @@ export const actions: Actions = {
 
 		const formData = await request.formData();
 		const type = formData.get('type') as string;
-		const title = formData.get('title') as string;
+		const title = escapeHtml(formData.get('title') as string);
-		const message = formData.get('message') as string;
+		const message = escapeHtml(formData.get('message') as string);
 		const link = (formData.get('link') as string) || null;
 		const recipientType = formData.get('recipient_type') as string;
 		const recipientId = formData.get('recipient_id') as string;

src/routes/(app)/admin/settings/+page.server.ts

@@ -4,6 +4,7 @@ import { testSmtpConnection, sendTemplatedEmail } from '$lib/server/email';
 import { testS3Connection, clearS3ClientCache } from '$lib/server/storage';
 import { supabaseAdmin } from '$lib/server/supabase';
 import * as poste from '$lib/server/poste';
+import { logSettingsUpdate, getRecentAuditLogs } from '$lib/server/audit';
 
 export const load: PageServerLoad = async ({ locals }) => {
 	// Load all configurable data
@@ -32,13 +33,17 @@ export const load: PageServerLoad = async ({ locals }) => {
 		settings[setting.category][setting.setting_key] = setting.setting_value;
 	}
 
+	// Load recent settings audit logs
+	const { logs: auditLogs } = await getRecentAuditLogs(50, { resourceType: 'settings' });
+
 	return {
 		membershipStatuses: membershipStatuses || [],
 		membershipTypes: membershipTypes || [],
 		eventTypes: eventTypes || [],
 		documentCategories: documentCategories || [],
 		settings,
-		emailTemplates: emailTemplates || []
+		emailTemplates: emailTemplates || [],
+		auditLogs
 	};
 };
 
@@ -317,6 +322,12 @@ export const actions: Actions = {
 				clearS3ClientCache();
 			}
 
+			logSettingsUpdate(
+				{ id: member.id, email: member.email! },
+				category,
+				{ changed_settings: settingsToUpdate.map(s => s.key) }
+			);
+
 			return { success: 'Settings updated successfully!' };
 		} catch (err) {
 			console.error('Unexpected error updating settings:', err);

src/routes/(app)/admin/settings/+page.svelte

@@ -22,7 +22,8 @@
 		Key,
 		Copy,
 		Power,
-		PowerOff
+		PowerOff,
+		ClipboardList
 	} from 'lucide-svelte';
 	import { Input } from '$lib/components/ui/input';
 	import { Label } from '$lib/components/ui/label';
@@ -30,9 +31,9 @@
 	import { invalidateAll } from '$app/navigation';
 
 	let { data, form } = $props();
-	const { membershipStatuses, membershipTypes, eventTypes, documentCategories, settings, emailTemplates } = data;
+	const { membershipStatuses, membershipTypes, eventTypes, documentCategories, settings, emailTemplates, auditLogs } = data;
 
-	type Tab = 'membership' | 'dues' | 'events' | 'documents' | 'email' | 'poste' | 'storage' | 'system';
+	type Tab = 'membership' | 'dues' | 'events' | 'documents' | 'email' | 'poste' | 'storage' | 'system' | 'audit';
 	let activeTab = $state<Tab>('membership');
 
 	let showAddStatusModal = $state(false);
@@ -83,7 +84,8 @@
 		{ id: 'email', label: 'Email', icon: Mail },
 		{ id: 'poste', label: 'Email Accounts', icon: Inbox },
 		{ id: 'storage', label: 'Storage', icon: HardDrive },
-		{ id: 'system', label: 'System', icon: Cog }
+		{ id: 'system', label: 'System', icon: Cog },
+		{ id: 'audit', label: 'Audit Log', icon: ClipboardList }
 	];
 
 	// Load mailboxes function
@@ -1344,6 +1346,81 @@
 			</div>
 		</div>
 	{/if}
+
+	{#if activeTab === 'audit'}
+		<div class="glass-card space-y-6 p-6">
+			<div>
+				<h2 class="flex items-center gap-2 text-lg font-semibold text-slate-900">
+					<ClipboardList class="h-5 w-5 text-monaco-600" />
+					Recent Settings Changes
+				</h2>
+				<p class="mt-1 text-sm text-slate-500">
+					Audit trail of recent configuration changes made by administrators.
+				</p>
+			</div>
+
+			{#if auditLogs && auditLogs.length > 0}
+				<div class="overflow-x-auto">
+					<table class="w-full text-sm">
+						<thead>
+							<tr class="border-b border-slate-200 text-left">
+								<th class="pb-3 pr-4 font-medium text-slate-600">Timestamp</th>
+								<th class="pb-3 pr-4 font-medium text-slate-600">User</th>
+								<th class="pb-3 pr-4 font-medium text-slate-600">Action</th>
+								<th class="pb-3 font-medium text-slate-600">Details</th>
+							</tr>
+						</thead>
+						<tbody class="divide-y divide-slate-100">
+							{#each auditLogs as log}
+								<tr class="hover:bg-slate-50">
+									<td class="py-3 pr-4 text-slate-500 whitespace-nowrap">
+										{new Date(log.created_at).toLocaleDateString('en-US', { month: 'short', day: 'numeric', year: 'numeric' })}
+										<span class="text-xs text-slate-400 ml-1">
+											{new Date(log.created_at).toLocaleTimeString('en-US', { hour: '2-digit', minute: '2-digit' })}
+										</span>
+									</td>
+									<td class="py-3 pr-4 text-slate-700">
+										{log.user_email || 'System'}
+									</td>
+									<td class="py-3 pr-4">
+										<span class="inline-flex items-center rounded-full bg-blue-50 px-2 py-0.5 text-xs font-medium text-blue-700">
+											{log.action}
+										</span>
+									</td>
+									<td class="py-3 text-slate-600">
+										{#if log.details}
+											{#if typeof log.details === 'object'}
+												{#if log.details.category}
+													<span class="font-medium">{log.details.category}</span>:
+												{/if}
+												{#if log.details.changes}
+													{#each Object.entries(log.details.changes) as [key, value]}
+														<span class="ml-1 text-xs">{key}={value}</span>
+													{/each}
+												{:else}
+													<span class="text-xs text-slate-400">{JSON.stringify(log.details).slice(0, 100)}</span>
+												{/if}
+											{:else}
+												{log.details}
+											{/if}
+										{:else}
+											<span class="text-slate-400">-</span>
+										{/if}
+									</td>
+								</tr>
+							{/each}
+						</tbody>
+					</table>
+				</div>
+			{:else}
+				<div class="py-12 text-center">
+					<ClipboardList class="mx-auto h-12 w-12 text-slate-300" />
+					<p class="mt-4 text-slate-500">No settings changes recorded yet.</p>
+					<p class="mt-1 text-sm text-slate-400">Changes to system settings will appear here.</p>
+				</div>
+			{/if}
+		</div>
+	{/if}
 </div>
 
 <!-- Add Status Modal -->

src/routes/(app)/board/approvals/+page.server.ts

@@ -0,0 +1,161 @@
+import { fail } from '@sveltejs/kit';
+import type { Actions, PageServerLoad } from './$types';
+import { supabaseAdmin } from '$lib/server/supabase';
+import { sendTemplatedEmail } from '$lib/server/email';
+import { logMemberAction } from '$lib/server/audit';
+
+export const load: PageServerLoad = async ({ locals }) => {
+	const { session } = await locals.safeGetSession();
+	if (!session) return { pendingMembers: [] };
+
+	// Get pending status ID
+	const { data: pendingStatus } = await locals.supabase
+		.from('membership_statuses')
+		.select('id')
+		.eq('name', 'pending')
+		.single();
+
+	if (!pendingStatus) return { pendingMembers: [] };
+
+	// Load pending members
+	const { data: pendingMembers } = await locals.supabase
+		.from('members')
+		.select(`
+			id,
+			member_id,
+			first_name,
+			last_name,
+			email,
+			phone,
+			nationality,
+			address,
+			date_of_birth,
+			created_at
+		`)
+		.eq('membership_status_id', pendingStatus.id)
+		.order('created_at', { ascending: true });
+
+	return {
+		pendingMembers: pendingMembers || []
+	};
+};
+
+export const actions: Actions = {
+	approve: async ({ request, locals }) => {
+		const { session } = await locals.safeGetSession();
+		if (!session) return fail(401, { error: 'Not authenticated' });
+
+		const formData = await request.formData();
+		const memberId = formData.get('member_id') as string;
+
+		if (!memberId) return fail(400, { error: 'Missing member ID' });
+
+		// Get active status ID
+		const { data: activeStatus } = await supabaseAdmin
+			.from('membership_statuses')
+			.select('id')
+			.eq('name', 'active')
+			.single();
+
+		if (!activeStatus) return fail(500, { error: 'Active status not found' });
+
+		// Update member status to active
+		const { error } = await supabaseAdmin
+			.from('members')
+			.update({
+				membership_status_id: activeStatus.id,
+				approved_at: new Date().toISOString(),
+				approved_by: session.user.id
+			})
+			.eq('id', memberId);
+
+		if (error) return fail(500, { error: 'Failed to approve member' });
+
+		// Get member info for email
+		const { data: member } = await supabaseAdmin
+			.from('members')
+			.select('first_name, email, member_id')
+			.eq('id', memberId)
+			.single();
+
+		// Send approval email
+		if (member) {
+			sendTemplatedEmail('member_approved', member.email, {
+				first_name: member.first_name,
+				member_id: member.member_id || ''
+			}, {
+				recipientId: memberId,
+				recipientName: member.first_name
+			});
+		}
+
+		// Audit log
+		logMemberAction('status_change',
+			{ id: session.user.id, email: session.user.email! },
+			{ id: memberId, email: member?.email },
+			{ old_status: 'pending', new_status: 'active', action: 'approved' }
+		);
+
+		return { success: true, approved: member?.first_name };
+	},
+
+	reject: async ({ request, locals }) => {
+		const { session } = await locals.safeGetSession();
+		if (!session) return fail(401, { error: 'Not authenticated' });
+
+		const formData = await request.formData();
+		const memberId = formData.get('member_id') as string;
+		const reason = formData.get('reason') as string;
+
+		if (!memberId) return fail(400, { error: 'Missing member ID' });
+
+		// Get inactive status ID
+		const { data: inactiveStatus } = await supabaseAdmin
+			.from('membership_statuses')
+			.select('id')
+			.eq('name', 'inactive')
+			.single();
+
+		if (!inactiveStatus) return fail(500, { error: 'Inactive status not found' });
+
+		// Update member status
+		const { error } = await supabaseAdmin
+			.from('members')
+			.update({
+				membership_status_id: inactiveStatus.id,
+				rejected_at: new Date().toISOString(),
+				rejected_by: session.user.id,
+				rejection_reason: reason || null
+			})
+			.eq('id', memberId);
+
+		if (error) return fail(500, { error: 'Failed to reject member' });
+
+		// Get member info for email
+		const { data: member } = await supabaseAdmin
+			.from('members')
+			.select('first_name, email')
+			.eq('id', memberId)
+			.single();
+
+		// Send rejection email
+		if (member) {
+			sendTemplatedEmail('member_rejected', member.email, {
+				first_name: member.first_name,
+				reason: reason || ''
+			}, {
+				recipientId: memberId,
+				recipientName: member.first_name
+			});
+		}
+
+		// Audit log
+		logMemberAction('status_change',
+			{ id: session.user.id, email: session.user.email! },
+			{ id: memberId, email: member?.email },
+			{ old_status: 'pending', new_status: 'inactive', action: 'rejected', reason }
+		);
+
+		return { success: true, rejected: member?.first_name };
+	}
+};

src/routes/(app)/board/approvals/+page.svelte

@@ -0,0 +1,222 @@
+<script lang="ts">
+	import {
+		UserCheck,
+		UserX,
+		Clock,
+		Mail,
+		Phone,
+		MapPin,
+		Flag,
+		Calendar
+	} from 'lucide-svelte';
+	import { Button } from '$lib/components/ui/button';
+	import { EmptyState } from '$lib/components/ui';
+	import CountryFlag from '$lib/components/ui/CountryFlag.svelte';
+	import { enhance } from '$app/forms';
+
+	let { data, form } = $props();
+
+	let rejectingId = $state<string | null>(null);
+	let rejectReason = $state('');
+	let submitting = $state(false);
+
+	const pendingCount = $derived(data.pendingMembers.length);
+
+	function formatDate(dateStr: string | null): string {
+		if (!dateStr) return 'N/A';
+		return new Date(dateStr).toLocaleDateString('en-US', {
+			year: 'numeric',
+			month: 'short',
+			day: 'numeric'
+		});
+	}
+</script>
+
+<svelte:head>
+	<title>Member Approvals | Monaco USA</title>
+</svelte:head>
+
+<div class="space-y-6">
+	<div class="flex flex-col gap-4 sm:flex-row sm:items-center sm:justify-between">
+		<div>
+			<div class="flex items-center gap-3">
+				<h1 class="text-2xl font-bold text-slate-900">Member Approvals</h1>
+				{#if pendingCount > 0}
+					<span class="inline-flex items-center rounded-full bg-yellow-100 px-2.5 py-0.5 text-sm font-medium text-yellow-800">
+						{pendingCount}
+					</span>
+				{/if}
+			</div>
+			<p class="text-slate-500">Review and approve pending membership applications</p>
+		</div>
+	</div>
+
+	{#if form?.success && form?.approved}
+		<div class="rounded-lg border border-green-200 bg-green-50 p-4">
+			<p class="text-sm font-medium text-green-800">
+				{form.approved} has been approved and notified by email.
+			</p>
+		</div>
+	{/if}
+
+	{#if form?.success && form?.rejected}
+		<div class="rounded-lg border border-red-200 bg-red-50 p-4">
+			<p class="text-sm font-medium text-red-800">
+				{form.rejected}'s application has been rejected.
+			</p>
+		</div>
+	{/if}
+
+	{#if form?.error}
+		<div class="rounded-lg border border-red-200 bg-red-50 p-4">
+			<p class="text-sm font-medium text-red-800">{form.error}</p>
+		</div>
+	{/if}
+
+	{#if pendingCount === 0}
+		<div class="glass-card p-12">
+			<EmptyState
+				icon={UserCheck}
+				title="No pending applications"
+				description="All membership applications have been reviewed. New applications will appear here."
+			/>
+		</div>
+	{:else}
+		<div class="space-y-4">
+			{#each data.pendingMembers as member}
+				<div class="glass-card p-6">
+					<div class="flex flex-col gap-4 lg:flex-row lg:items-start lg:justify-between">
+						<!-- Member Info -->
+						<div class="flex-1 space-y-3">
+							<div class="flex items-center gap-3">
+								<div class="flex h-12 w-12 items-center justify-center rounded-full bg-yellow-100 text-lg font-medium text-yellow-700">
+									{member.first_name?.[0]}{member.last_name?.[0]}
+								</div>
+								<div>
+									<h3 class="text-lg font-semibold text-slate-900">
+										{member.first_name} {member.last_name}
+									</h3>
+									<p class="text-sm text-slate-500">{member.member_id || 'ID pending'}</p>
+								</div>
+							</div>
+
+							<div class="grid grid-cols-1 gap-2 sm:grid-cols-2">
+								<div class="flex items-center gap-2 text-sm text-slate-600">
+									<Mail class="h-4 w-4 text-slate-400" />
+									<a href="mailto:{member.email}" class="hover:text-monaco-600">{member.email}</a>
+								</div>
+								{#if member.phone}
+									<div class="flex items-center gap-2 text-sm text-slate-600">
+										<Phone class="h-4 w-4 text-slate-400" />
+										{member.phone}
+									</div>
+								{/if}
+								{#if member.nationality && member.nationality.length > 0}
+									<div class="flex items-center gap-2 text-sm text-slate-600">
+										<Flag class="h-4 w-4 text-slate-400" />
+										<div class="flex items-center gap-1">
+											{#each member.nationality as code}
+												<CountryFlag {code} size="xs" />
+											{/each}
+										</div>
+									</div>
+								{/if}
+								{#if member.address}
+									<div class="flex items-center gap-2 text-sm text-slate-600">
+										<MapPin class="h-4 w-4 text-slate-400" />
+										{member.address}
+									</div>
+								{/if}
+								<div class="flex items-center gap-2 text-sm text-slate-500">
+									<Calendar class="h-4 w-4 text-slate-400" />
+									Applied: {formatDate(member.created_at)}
+								</div>
+							</div>
+						</div>
+
+						<!-- Actions -->
+						<div class="flex flex-shrink-0 items-start gap-2">
+							{#if rejectingId === member.id}
+								<!-- Reject form with reason -->
+								<form
+									method="POST"
+									action="?/reject"
+									use:enhance={() => {
+										submitting = true;
+										return async ({ update }) => {
+											submitting = false;
+											rejectingId = null;
+											rejectReason = '';
+											await update();
+										};
+									}}
+									class="flex flex-col gap-2"
+								>
+									<input type="hidden" name="member_id" value={member.id} />
+									<textarea
+										name="reason"
+										bind:value={rejectReason}
+										placeholder="Optional reason for rejection..."
+										rows="2"
+										class="w-64 rounded-lg border border-slate-200 px-3 py-2 text-sm focus:border-monaco-500 focus:outline-none focus:ring-1 focus:ring-monaco-500"
+									></textarea>
+									<div class="flex gap-2">
+										<Button
+											type="submit"
+											variant="destructive"
+											size="sm"
+											disabled={submitting}
+										>
+											<UserX class="mr-1 h-4 w-4" />
+											Confirm Reject
+										</Button>
+										<Button
+											type="button"
+											variant="outline"
+											size="sm"
+											onclick={() => { rejectingId = null; rejectReason = ''; }}
+										>
+											Cancel
+										</Button>
+									</div>
+								</form>
+							{:else}
+								<form
+									method="POST"
+									action="?/approve"
+									use:enhance={() => {
+										submitting = true;
+										return async ({ update }) => {
+											submitting = false;
+											await update();
+										};
+									}}
+								>
+									<input type="hidden" name="member_id" value={member.id} />
+									<Button
+										type="submit"
+										size="sm"
+										class="bg-green-600 hover:bg-green-700"
+										disabled={submitting}
+									>
+										<UserCheck class="mr-1 h-4 w-4" />
+										Approve
+									</Button>
+								</form>
+								<Button
+									variant="outline"
+									size="sm"
+									class="border-red-200 text-red-600 hover:bg-red-50"
+									onclick={() => { rejectingId = member.id; }}
+								>
+									<UserX class="mr-1 h-4 w-4" />
+									Reject
+								</Button>
+							{/if}
+						</div>
+					</div>
+				</div>
+			{/each}
+		</div>
+	{/if}
+</div>

src/routes/(app)/board/documents/+page.server.ts

@@ -2,6 +2,7 @@ import { fail } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 import { uploadDocument, deleteDocument, getSignedUrl, isS3Enabled, getActiveDocumentUrl } from '$lib/server/storage';
 import { supabaseAdmin } from '$lib/server/supabase';
+import { logDocumentAction } from '$lib/server/audit';
 
 export const load: PageServerLoad = async ({ locals, url }) => {
 	const folderId = url.searchParams.get('folder');
@@ -282,6 +283,10 @@ export const actions: Actions = {
 			return fail(400, { error: 'Title is required' });
 		}
 
+		if (title.length > 200) {
+			return fail(400, { error: 'Title must be 200 characters or less' });
+		}
+
 		// Upload using dual-storage document service (uploads to both S3 and Supabase Storage)
 		const uploadResult = await uploadDocument(file);
 
@@ -354,6 +359,12 @@ export const actions: Actions = {
 			return fail(500, { error: 'Failed to delete document' });
 		}
 
+		logDocumentAction('delete',
+			{ id: member.id, email: member.email! },
+			{ id: documentId, title: doc?.storage_path || documentId },
+			{ storage_path: doc?.storage_path }
+		);
+
 		// Delete from ALL storage backends (both S3 and Supabase Storage)
 		if (doc?.storage_path) {
 			// Use the storage_path directly
@@ -416,6 +427,12 @@ export const actions: Actions = {
 			return fail(500, { error: 'Failed to update document' });
 		}
 
+		logDocumentAction('visibility_change',
+			{ id: member.id, email: member.email! },
+			{ id: documentId },
+			{ new_visibility: visibility }
+		);
+
 		return { success: 'Visibility updated!' };
 	},
 

src/routes/(app)/board/events/[id]/edit/+page.server.ts

@@ -1,5 +1,7 @@
 import { fail, error, redirect } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
+import { escapeHtml, sanitizeRichText } from '$lib/server/sanitize';
+import { logEventAction } from '$lib/server/audit';
 
 export const load: PageServerLoad = async ({ locals, params }) => {
 	const { member } = await locals.safeGetSession();
@@ -42,8 +44,8 @@ export const actions: Actions = {
 
 		const formData = await request.formData();
 
-		const title = formData.get('title') as string;
+		const title = escapeHtml(formData.get('title') as string);
-		const description = formData.get('description') as string;
+		const description = sanitizeRichText(formData.get('description') as string || '');
 		const eventTypeId = formData.get('event_type_id') as string;
 		const startDate = formData.get('start_date') as string;
 		const startTime = formData.get('start_time') as string;
@@ -58,6 +60,9 @@ export const actions: Actions = {
 		const nonMemberPrice = formData.get('non_member_price') as string;
 		const visibility = formData.get('visibility') as string;
 		const status = formData.get('status') as string;
+		const rsvpDeadlineEnabled = formData.get('rsvp_deadline_enabled') === 'true';
+		const rsvpDeadlineDate = formData.get('rsvp_deadline_date') as string;
+		const rsvpDeadlineTime = formData.get('rsvp_deadline_time') as string;
 
 		// Validation
 		if (!title || !startDate || !startTime || !endDate || !endTime) {
@@ -90,6 +95,10 @@ export const actions: Actions = {
 				non_member_price: isPaid && nonMemberPrice ? parseFloat(nonMemberPrice) : 0,
 				visibility: visibility || 'members',
 				status: status || 'published',
+				rsvp_deadline_enabled: rsvpDeadlineEnabled,
+				rsvp_deadline: rsvpDeadlineEnabled && rsvpDeadlineDate && rsvpDeadlineTime
+					? `${rsvpDeadlineDate}T${rsvpDeadlineTime}:00`
+					: null,
 				updated_at: new Date().toISOString()
 			})
 			.eq('id', params.id);
@@ -99,6 +108,13 @@ export const actions: Actions = {
 			return fail(500, { error: 'Failed to update event. Please try again.' });
 		}
 
+		logEventAction(
+			status === 'cancelled' ? 'cancel' : 'update',
+			{ id: member.id, email: member.email! },
+			{ id: params.id, title },
+			{ status }
+		);
+
 		return { success: 'Event updated successfully!' };
 	},
 
@@ -119,6 +135,12 @@ export const actions: Actions = {
 			return fail(500, { error: 'Failed to delete event. Please try again.' });
 		}
 
+		logEventAction('delete',
+			{ id: member.id, email: member.email! },
+			{ id: params.id },
+			{ deleted_by_admin: true }
+		);
+
 		throw redirect(303, '/board/events?deleted=true');
 	}
 };

src/routes/(app)/board/events/[id]/edit/+page.svelte

@@ -1,5 +1,5 @@
 <script lang="ts">
-	import { ArrowLeft, Save, Trash2, Calendar, MapPin, Users, DollarSign, Eye, X } from 'lucide-svelte';
+	import { ArrowLeft, Save, Trash2, Calendar, MapPin, Users, DollarSign, Eye, Clock, X } from 'lucide-svelte';
 	import { Input } from '$lib/components/ui/input';
 	import { Label } from '$lib/components/ui/label';
 	import { DatePicker } from '$lib/components/ui';
@@ -25,6 +25,15 @@
 	);
 
 	let isPaid = $state(event.is_paid || false);
+	let rsvpDeadlineEnabled = $state(event.rsvp_deadline_enabled || false);
+
+	// Parse RSVP deadline date/time
+	const rsvpDeadlineJS = event.rsvp_deadline ? new Date(event.rsvp_deadline) : null;
+	let rsvpDeadlineDate = $state<CalendarDate | undefined>(
+		rsvpDeadlineJS
+			? new CalendarDate(rsvpDeadlineJS.getFullYear(), rsvpDeadlineJS.getMonth() + 1, rsvpDeadlineJS.getDate())
+			: undefined
+	);
 
 	// Format time for input
 	function formatTimeForInput(date: Date): string {
@@ -335,6 +344,54 @@
 				</div>
 			</div>
 
+			<!-- RSVP Deadline -->
+			<div class="space-y-4">
+				<h2 class="flex items-center gap-2 text-lg font-semibold text-slate-900">
+					<Clock class="h-5 w-5 text-monaco-600" />
+					RSVP Deadline
+				</h2>
+
+				<label class="flex items-center gap-2">
+					<input
+						type="checkbox"
+						name="rsvp_deadline_enabled"
+						value="true"
+						bind:checked={rsvpDeadlineEnabled}
+						class="rounded border-slate-300"
+					/>
+					<span class="text-sm font-medium text-slate-700">Set an RSVP deadline</span>
+				</label>
+
+				{#if rsvpDeadlineEnabled}
+					<div class="grid gap-4 sm:grid-cols-2">
+						<div>
+							<Label>Deadline Date</Label>
+							<div class="mt-1">
+								<DatePicker
+									bind:value={rsvpDeadlineDate}
+									placeholder="Select deadline date"
+									name="rsvp_deadline_date"
+								/>
+							</div>
+						</div>
+
+						<div>
+							<Label for="rsvp_deadline_time">Deadline Time</Label>
+							<Input
+								type="time"
+								id="rsvp_deadline_time"
+								name="rsvp_deadline_time"
+								value={rsvpDeadlineJS ? formatTimeForInput(rsvpDeadlineJS) : '23:59'}
+								class="mt-1"
+							/>
+						</div>
+					</div>
+					<p class="text-xs text-slate-500">
+						Members will not be able to RSVP after this date and time.
+					</p>
+				{/if}
+			</div>
+
 			<!-- Actions -->
 			<div class="flex flex-col gap-4 border-t border-slate-200 pt-6 sm:flex-row sm:justify-between">
 				{#if member?.role === 'admin'}

src/routes/(app)/board/members/+page.server.ts

@@ -5,10 +5,14 @@ export const load: PageServerLoad = async ({ locals, url }) => {
 	const statusFilter = url.searchParams.get('status') || 'all';
 	const roleFilter = url.searchParams.get('role') || 'all';
 
+	// Get current member's role for privacy filtering
+	const { member } = await locals.safeGetSession();
+	const isPrivileged = member?.role === 'admin' || member?.role === 'board';
+
 	// Build the query - select only needed columns to avoid exposing sensitive fields
 	let query = locals.supabase
 		.from('members_with_dues')
-		.select('id, member_id, first_name, last_name, email, phone, role, status_name, type_name, avatar_url, created_at, nationality, address')
+		.select('id, member_id, first_name, last_name, email, phone, role, status_name, type_name, avatar_url, created_at, nationality, address, directory_privacy')
 		.order('last_name', { ascending: true });
 
 	// Apply filters
@@ -49,8 +53,23 @@ export const load: PageServerLoad = async ({ locals, url }) => {
 		inactive: members?.filter((m: any) => m.status_name === 'inactive').length || 0
 	};
 
+	// Apply directory privacy settings (admins/board see everything)
+	const privacyFilteredMembers = isPrivileged
+		? filteredMembers
+		: filteredMembers.map((m: any) => {
+				const privacy = m.directory_privacy || { show_email: true, show_phone: true, show_address: false, show_nationality: true };
 				return {
-		members: filteredMembers,
+					...m,
+					email: privacy.show_email ? m.email : null,
+					phone: privacy.show_phone ? m.phone : null,
+					address: privacy.show_address ? m.address : null,
+					nationality: privacy.show_nationality ? m.nationality : null,
+					directory_privacy: undefined
+				};
+			});
+
+	return {
+		members: privacyFilteredMembers,
 		statuses: statuses || [],
 		stats,
 		filters: {

src/routes/(app)/board/reports/+page.server.ts

@@ -1,4 +1,4 @@
-import type { PageServerLoad, Actions } from './$types';
+import type { PageServerLoad } from './$types';
 
 export const load: PageServerLoad = async ({ locals, url }) => {
 	const reportType = url.searchParams.get('type') || 'membership';
@@ -128,14 +128,4 @@ export const load: PageServerLoad = async ({ locals, url }) => {
 	};
 };
 
-export const actions: Actions = {
+// CSV export is handled by the GET endpoint at /board/reports/export/[type]
-	exportCsv: async ({ request, locals }) => {
-		const formData = await request.formData();
-		const reportType = formData.get('report_type') as string;
-		const year = parseInt(formData.get('year') as string);
-
-		// Data will be generated client-side for CSV export
-		// This action is a placeholder for server-side export if needed
-		return { success: true };
-	}
-};

src/routes/(app)/board/reports/+page.svelte

@@ -47,42 +47,10 @@
 		});
 	}
 
-	function exportToCsv(reportType: string) {
+	function exportToCsv(type: string) {
-		let csvContent = '';
+		// Map report tab IDs to export endpoint types
-		let filename = '';
+		const exportType = type === 'dues' ? 'payments' : type;
-
+		window.location.href = `/board/reports/export/${exportType}?year=${year}`;
-		switch (reportType) {
-			case 'membership':
-				csvContent = 'Member ID,First Name,Last Name,Email,Status,Role,Dues Status,Member Since\n';
-				for (const member of members) {
-					csvContent += `"${member.member_id}","${member.first_name}","${member.last_name}","${member.email}","${member.status_display_name || ''}","${member.role}","${member.dues_status}","${member.member_since}"\n`;
-				}
-				filename = `membership-report-${year}.csv`;
-				break;
-
-			case 'dues':
-				csvContent = 'Date,Member,Amount,Method,Reference\n';
-				for (const payment of payments) {
-					csvContent += `"${payment.payment_date}","${payment.member?.first_name} ${payment.member?.last_name}","${payment.amount}","${payment.payment_method}","${payment.reference || ''}"\n`;
-				}
-				filename = `dues-report-${year}.csv`;
-				break;
-
-			case 'events':
-				csvContent = 'Date,Event,Type,Attendees,Max Capacity,Waitlist\n';
-				for (const event of events) {
-					csvContent += `"${event.start_datetime}","${event.title}","${event.event_type_name || 'General'}","${event.total_attendees}","${event.max_attendees || 'Unlimited'}","${event.waitlist_count}"\n`;
-				}
-				filename = `events-report-${year}.csv`;
-				break;
-		}
-
-		// Create and download
-		const blob = new Blob([csvContent], { type: 'text/csv;charset=utf-8;' });
-		const link = document.createElement('a');
-		link.href = URL.createObjectURL(blob);
-		link.download = filename;
-		link.click();
 	}
 
 	const reportTabs = [

src/routes/(app)/board/reports/export/[type]/+server.ts

@@ -0,0 +1,139 @@
+import { error } from '@sveltejs/kit';
+import type { RequestHandler } from './$types';
+import { supabaseAdmin } from '$lib/server/supabase';
+import { arrayToCSV, csvResponse } from '$lib/server/csv';
+
+export const GET: RequestHandler = async ({ params, locals, url }) => {
+	const { member } = await locals.safeGetSession();
+
+	if (!member || (member.role !== 'board' && member.role !== 'admin')) {
+		throw error(403, 'Unauthorized');
+	}
+
+	const reportType = params.type;
+	const year = parseInt(url.searchParams.get('year') || new Date().getFullYear().toString());
+	const today = new Date().toISOString().split('T')[0];
+
+	switch (reportType) {
+		case 'membership':
+			return await exportMembership();
+		case 'payments':
+			return await exportPayments(year);
+		case 'events':
+			return await exportEvents(year);
+		default:
+			throw error(400, 'Invalid report type');
+	}
+
+	async function exportMembership(): Promise<Response> {
+		const { data: members } = await supabaseAdmin
+			.from('members_with_dues')
+			.select('*')
+			.order('last_name', { ascending: true });
+
+		const rows = (members || []).map((m: any) => ({
+			member_id: m.member_id,
+			first_name: m.first_name,
+			last_name: m.last_name,
+			email: m.email,
+			phone: m.phone || '',
+			status: m.status_display_name || '',
+			member_type: m.membership_type_name || '',
+			role: m.role,
+			dues_status: m.dues_status,
+			member_since: m.member_since || ''
+		}));
+
+		const csv = arrayToCSV(rows, [
+			{ key: 'member_id', header: 'Member ID' },
+			{ key: 'first_name', header: 'First Name' },
+			{ key: 'last_name', header: 'Last Name' },
+			{ key: 'email', header: 'Email' },
+			{ key: 'phone', header: 'Phone' },
+			{ key: 'status', header: 'Status' },
+			{ key: 'member_type', header: 'Member Type' },
+			{ key: 'role', header: 'Role' },
+			{ key: 'dues_status', header: 'Dues Status' },
+			{ key: 'member_since', header: 'Member Since' }
+		]);
+
+		return csvResponse(csv, `membership-report-${today}.csv`);
+	}
+
+	async function exportPayments(yr: number): Promise<Response> {
+		const startOfYear = `${yr}-01-01`;
+		const endOfYear = `${yr}-12-31`;
+
+		const { data: payments } = await supabaseAdmin
+			.from('dues_payments')
+			.select(`
+				*,
+				member:members(first_name, last_name, email, member_id)
+			`)
+			.gte('payment_date', startOfYear)
+			.lte('payment_date', endOfYear)
+			.order('payment_date', { ascending: false });
+
+		const rows = (payments || []).map((p: any) => ({
+			payment_date: p.payment_date,
+			member_id: p.member?.member_id || '',
+			member_name: p.member ? `${p.member.first_name} ${p.member.last_name}` : '',
+			email: p.member?.email || '',
+			amount: p.amount,
+			payment_method: p.payment_method || '',
+			status: p.status || 'completed',
+			reference: p.reference || '',
+			notes: p.notes || ''
+		}));
+
+		const csv = arrayToCSV(rows, [
+			{ key: 'payment_date', header: 'Payment Date' },
+			{ key: 'member_id', header: 'Member ID' },
+			{ key: 'member_name', header: 'Member Name' },
+			{ key: 'email', header: 'Email' },
+			{ key: 'amount', header: 'Amount' },
+			{ key: 'payment_method', header: 'Method' },
+			{ key: 'status', header: 'Status' },
+			{ key: 'reference', header: 'Reference' },
+			{ key: 'notes', header: 'Notes' }
+		]);
+
+		return csvResponse(csv, `payments-report-${yr}.csv`);
+	}
+
+	async function exportEvents(yr: number): Promise<Response> {
+		const startOfYear = `${yr}-01-01T00:00:00`;
+		const endOfYear = `${yr}-12-31T23:59:59`;
+
+		const { data: events } = await supabaseAdmin
+			.from('events_with_counts')
+			.select('*')
+			.gte('start_datetime', startOfYear)
+			.lte('start_datetime', endOfYear)
+			.order('start_datetime', { ascending: false });
+
+		const rows = (events || []).map((e: any) => ({
+			date: e.start_datetime ? new Date(e.start_datetime).toLocaleDateString('en-US') : '',
+			title: e.title,
+			type: e.event_type_name || 'General',
+			location: e.location || '',
+			rsvp_count: e.total_attendees || 0,
+			max_capacity: e.max_attendees || 'Unlimited',
+			waitlist: e.waitlist_count || 0,
+			status: e.status || ''
+		}));
+
+		const csv = arrayToCSV(rows, [
+			{ key: 'date', header: 'Date' },
+			{ key: 'title', header: 'Title' },
+			{ key: 'type', header: 'Type' },
+			{ key: 'location', header: 'Location' },
+			{ key: 'rsvp_count', header: 'RSVP Count' },
+			{ key: 'max_capacity', header: 'Max Capacity' },
+			{ key: 'waitlist', header: 'Waitlist' },
+			{ key: 'status', header: 'Status' }
+		]);
+
+		return csvResponse(csv, `events-report-${yr}.csv`);
+	}
+};

src/routes/(app)/documents/+page.server.ts

@@ -2,19 +2,29 @@ import type { PageServerLoad } from './$types';
 import { isS3Enabled } from '$lib/server/storage';
 import { getVisibleLevels } from '$lib/server/visibility';
 
-export const load: PageServerLoad = async ({ locals, parent }) => {
+export const load: PageServerLoad = async ({ locals, parent, url }) => {
 	const { member } = await parent();
+	const searchQuery = url.searchParams.get('q') || '';
 
 	// Get visible visibility levels
 	const visibleLevels = getVisibleLevels(member?.role);
 
-	// Fetch documents with all URL columns
+	// Build query
-	const { data: documents } = await locals.supabase
+	let query = locals.supabase
 		.from('documents')
 		.select('*')
 		.in('visibility', visibleLevels)
 		.order('created_at', { ascending: false });
 
+	// Apply server-side search if query provided
+	if (searchQuery.trim()) {
+		// Use ilike for simple substring search (works without tsvector)
+		// Also try full-text search via textSearch if available
+		query = query.or(`title.ilike.%${searchQuery}%,description.ilike.%${searchQuery}%,file_name.ilike.%${searchQuery}%`);
+	}
+
+	const { data: documents } = await query;
+
 	// Fetch categories
 	const { data: categories } = await locals.supabase
 		.from('document_categories')
@@ -34,7 +44,8 @@ export const load: PageServerLoad = async ({ locals, parent }) => {
 
 	return {
 		documents: documentsWithActiveUrl,
-		categories: categories || []
+		categories: categories || [],
+		searchQuery
 	};
 };
 

src/routes/(app)/documents/+page.svelte

@@ -11,23 +11,36 @@
 		List
 	} from 'lucide-svelte';
 	import { Input } from '$lib/components/ui/input';
+	import { goto } from '$app/navigation';
+	import { page } from '$app/stores';
 
 	let { data } = $props();
 	const { documents, categories } = data;
 
-	let searchQuery = $state('');
+	let searchQuery = $state(data.searchQuery || '');
 	let selectedCategory = $state<string | null>(null);
 	let viewMode = $state<'grid' | 'list'>('grid');
 
-	// Filter documents
+	// Debounce server-side search
+	let searchTimeout: ReturnType<typeof setTimeout>;
+	function handleSearch(value: string) {
+		clearTimeout(searchTimeout);
+		searchTimeout = setTimeout(() => {
+			const params = new URLSearchParams($page.url.searchParams);
+			if (value.trim()) {
+				params.set('q', value.trim());
+			} else {
+				params.delete('q');
+			}
+			goto(`?${params.toString()}`, { replaceState: true, keepFocus: true });
+		}, 400);
+	}
+
+	// Filter documents (category is still client-side for instant feedback)
 	const filteredDocuments = $derived(
 		(documents || []).filter((doc: any) => {
-			const matchesSearch =
-				!searchQuery ||
-				doc.title.toLowerCase().includes(searchQuery.toLowerCase()) ||
-				doc.description?.toLowerCase().includes(searchQuery.toLowerCase());
 			const matchesCategory = !selectedCategory || doc.category_id === selectedCategory;
-			return matchesSearch && matchesCategory;
+			return matchesCategory;
 		})
 	);
 
@@ -99,8 +112,12 @@
 			<Search class="absolute left-3 top-1/2 h-4 w-4 -translate-y-1/2 text-slate-400" />
 			<Input
 				type="search"
-				placeholder="Search documents..."
+				placeholder="Search documents by title, description, or filename..."
-				bind:value={searchQuery}
+				value={searchQuery}
+				oninput={(e) => {
+					searchQuery = e.currentTarget.value;
+					handleSearch(e.currentTarget.value);
+				}}
 				class="h-10 w-full pl-9"
 			/>
 		</div>

src/routes/(app)/events/+page.server.ts

@@ -7,16 +7,23 @@ export const load: PageServerLoad = async ({ locals, parent }) => {
 	// Get visible events based on user role
 	const visibleLevels = getVisibleLevels(member?.role);
 
-	const { data: events } = await locals.supabase
+	const [eventsResult, eventTypesResult] = await Promise.all([
+		locals.supabase
 			.from('events_with_counts')
 			.select('*')
 			.in('visibility', visibleLevels)
 			.eq('status', 'published')
 			.gte('start_datetime', new Date().toISOString())
-		.order('start_datetime', { ascending: true });
+			.order('start_datetime', { ascending: true }),
+		locals.supabase
+			.from('event_types')
+			.select('id, name, color')
+			.order('name', { ascending: true })
+	]);
 
 	return {
-		events: events || []
+		events: eventsResult.data || [],
+		eventTypes: eventTypesResult.data || []
 	};
 };
 

src/routes/(app)/events/+page.svelte

@@ -1,13 +1,36 @@
 <script lang="ts">
-	import { Calendar, MapPin, Users, Clock, Grid, List, ChevronLeft, ChevronRight } from 'lucide-svelte';
+	import { Calendar, MapPin, Users, Clock, Grid, List, ChevronLeft, ChevronRight, Filter } from 'lucide-svelte';
 	import { Button } from '$lib/components/ui/button';
 	import type { EventWithCounts } from '$lib/types/database';
 
 	let { data } = $props();
-	const { events, member } = data;
+	const { events, member, eventTypes } = data;
 
 	let viewMode = $state<'list' | 'calendar'>('list');
 	let currentMonth = $state(new Date());
+	let selectedTypeIds = $state<Set<string>>(new Set());
+	let showFilters = $state(false);
+
+	// Filter events by selected types
+	const filteredEvents = $derived(
+		selectedTypeIds.size === 0
+			? events
+			: (events || []).filter((e: EventWithCounts) => selectedTypeIds.has(e.event_type_id))
+	);
+
+	function toggleTypeFilter(typeId: string) {
+		const next = new Set(selectedTypeIds);
+		if (next.has(typeId)) {
+			next.delete(typeId);
+		} else {
+			next.add(typeId);
+		}
+		selectedTypeIds = next;
+	}
+
+	function clearFilters() {
+		selectedTypeIds = new Set();
+	}
 
 	// Format date and time
 	function formatDateTime(dateStr: string): { date: string; time: string; weekday: string } {
@@ -67,7 +90,7 @@
 		return groups;
 	}
 
-	const groupedEvents = $derived(groupEventsByDate(events || []));
+	const groupedEvents = $derived(groupEventsByDate(filteredEvents || []));
 
 	// Calendar helpers
 	function getDaysInMonth(date: Date) {
@@ -93,7 +116,7 @@
 	function getEventsForDate(date: Date | null) {
 		if (!date) return [];
 		const dateStr = date.toDateString();
-		return (events || []).filter((e) => new Date(e.start_datetime).toDateString() === dateStr);
+		return (filteredEvents || []).filter((e: EventWithCounts) => new Date(e.start_datetime).toDateString() === dateStr);
 	}
 
 	function prevMonth() {
@@ -123,6 +146,18 @@
 		</div>
 
 		<div class="flex items-center gap-2">
+			{#if eventTypes.length > 0}
+				<button
+					onclick={() => (showFilters = !showFilters)}
+					class="flex items-center gap-1.5 rounded-lg border border-slate-200 bg-white px-3 py-2 text-sm font-medium transition-colors hover:bg-slate-50 {selectedTypeIds.size > 0 ? 'border-monaco-300 text-monaco-700' : 'text-slate-600'}"
+				>
+					<Filter class="h-4 w-4" />
+					Filter
+					{#if selectedTypeIds.size > 0}
+						<span class="rounded-full bg-monaco-100 px-1.5 py-0.5 text-xs font-bold text-monaco-700">{selectedTypeIds.size}</span>
+					{/if}
+				</button>
+			{/if}
 			<div class="flex rounded-lg border border-slate-200 bg-white p-1">
 				<button
 					onclick={() => (viewMode = 'list')}
@@ -148,6 +183,39 @@
 		</div>
 	</div>
 
+	<!-- Event Type Filters -->
+	{#if showFilters && eventTypes.length > 0}
+		<div class="glass-card flex flex-wrap items-center gap-2 p-4">
+			<span class="text-sm font-medium text-slate-600">Event Type:</span>
+			{#each eventTypes as type}
+				<button
+					onclick={() => toggleTypeFilter(type.id)}
+					class="flex items-center gap-1.5 rounded-full border px-3 py-1 text-sm font-medium transition-colors {selectedTypeIds.has(type.id)
+						? 'border-transparent text-white'
+						: 'border-slate-200 bg-white text-slate-600 hover:bg-slate-50'}"
+					style={selectedTypeIds.has(type.id) ? `background-color: ${type.color || '#6b7280'}` : ''}
+				>
+					<span
+						class="h-2 w-2 rounded-full"
+						style="background-color: {type.color || '#6b7280'}"
+					></span>
+					{type.name}
+				</button>
+			{/each}
+			{#if selectedTypeIds.size > 0}
+				<button
+					onclick={clearFilters}
+					class="ml-2 text-sm text-slate-500 hover:text-slate-700"
+				>
+					Clear all
+				</button>
+			{/if}
+			<span class="ml-auto text-sm text-slate-500">
+				{filteredEvents.length} event{filteredEvents.length !== 1 ? 's' : ''}
+			</span>
+		</div>
+	{/if}
+
 	{#if viewMode === 'list'}
 		<!-- List View -->
 		<div class="space-y-6">

src/routes/(app)/events/[id]/+page.server.ts

@@ -1,6 +1,7 @@
 import { fail, error } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 import { sendTemplatedEmail } from '$lib/server/email';
+import { sendWithPreferenceCheck } from '$lib/server/notification-preferences';
 import { getVisibleLevels } from '$lib/server/visibility';
 
 export const load: PageServerLoad = async ({ locals, params, parent }) => {
@@ -63,6 +64,14 @@ export const actions: Actions = {
 			return fail(404, { error: 'Event not found' });
 		}
 
+		// Check RSVP deadline
+		if (event.rsvp_deadline_enabled && event.rsvp_deadline) {
+			const deadline = new Date(event.rsvp_deadline);
+			if (new Date() > deadline) {
+				return fail(400, { error: 'The RSVP deadline for this event has passed.' });
+			}
+		}
+
 		// Server-side guest count validation
 		if (event.max_guests_per_member !== null && guestCount > event.max_guests_per_member) {
 			return fail(400, {
@@ -284,7 +293,8 @@ async function promoteFromWaitlist(
 				})
 			: 'TBD';
 
-		await sendTemplatedEmail(
+		await sendWithPreferenceCheck(waitlisted.member_id, 'waitlist_promotion', () =>
+			sendTemplatedEmail(
 				'waitlist_promotion',
 				member.email,
 				{
@@ -297,6 +307,7 @@ async function promoteFromWaitlist(
 					recipientId: waitlisted.member_id,
 					recipientName: `${member.first_name} ${member.last_name}`
 				}
+			)
 		);
 
 		console.log(`Promoted member ${waitlisted.member_id} from waitlist for event ${eventId} and sent notification`);

src/routes/(app)/events/[id]/+page.svelte

@@ -58,6 +58,27 @@
 	// Check if event is in the past
 	const isPast = new Date(event?.end_datetime || '') < new Date();
 
+	// Check if RSVP deadline has passed
+	const isRsvpClosed = $derived(
+		event?.rsvp_deadline_enabled && event?.rsvp_deadline
+			? new Date() > new Date(event.rsvp_deadline)
+			: false
+	);
+
+	// Format RSVP deadline for display
+	const rsvpDeadlineDisplay = $derived(
+		event?.rsvp_deadline
+			? new Date(event.rsvp_deadline).toLocaleDateString('en-US', {
+					month: 'short',
+					day: 'numeric',
+					year: 'numeric',
+					hour: 'numeric',
+					minute: '2-digit',
+					hour12: true
+				})
+			: null
+	);
+
 	// Get type color
 	function getTypeColor(color: string | null): string {
 		return color || '#6b7280';
@@ -224,8 +245,21 @@
 						</div>
 					{/if}
 
+					{#if event.rsvp_deadline_enabled && rsvpDeadlineDisplay}
+						<p class="mb-3 text-xs text-slate-500">
+							RSVP deadline: {rsvpDeadlineDisplay}
+						</p>
+					{/if}
+
 					{#if isPast}
 						<p class="text-slate-500">This event has already ended.</p>
+					{:else if isRsvpClosed}
+						<div class="rounded-lg bg-amber-50 border border-amber-200 p-4">
+							<p class="font-medium text-amber-700">RSVPs are closed</p>
+							<p class="mt-1 text-sm text-amber-600">
+								The RSVP deadline was {rsvpDeadlineDisplay}.
+							</p>
+						</div>
 					{:else if rsvp}
 						<!-- Existing RSVP -->
 						<div

src/routes/(app)/settings/+page.server.ts

@@ -36,8 +36,21 @@ export const load: PageServerLoad = async ({ parent, locals }) => {
 		}
 	}
 
+	// Load directory privacy settings
+	const { data: privacyData } = await locals.supabase
+		.from('members')
+		.select('directory_privacy')
+		.eq('id', member.id)
+		.single();
+
 	return {
 		member,
+		directoryPrivacy: privacyData?.directory_privacy || {
+			show_email: true,
+			show_phone: true,
+			show_address: false,
+			show_nationality: true
+		},
 		notificationPrefs: notificationPrefs || {
 			email_event_rsvp_confirmation: true,
 			email_event_reminder: true,
@@ -366,5 +379,34 @@ export const actions: Actions = {
 		}
 
 		return { success: 'Monaco USA email password updated successfully!' };
+	},
+
+	updateDirectoryPrivacy: async ({ request, locals }) => {
+		const { member } = await locals.safeGetSession();
+
+		if (!member) {
+			return fail(401, { error: 'Not authenticated' });
+		}
+
+		const formData = await request.formData();
+
+		const directoryPrivacy = {
+			show_email: formData.get('show_email') === 'on',
+			show_phone: formData.get('show_phone') === 'on',
+			show_address: formData.get('show_address') === 'on',
+			show_nationality: formData.get('show_nationality') === 'on'
+		};
+
+		const { error } = await locals.supabase
+			.from('members')
+			.update({ directory_privacy: directoryPrivacy })
+			.eq('id', member.id);
+
+		if (error) {
+			console.error('Failed to update directory privacy:', error);
+			return fail(500, { error: 'Failed to update privacy settings' });
+		}
+
+		return { success: 'Directory privacy settings saved!' };
 	}
 };

src/routes/(app)/settings/+page.svelte

@@ -867,6 +867,101 @@
 				</button>
 			</div>
 		</form>
+
+		<!-- Directory Privacy -->
+		<form
+			method="POST"
+			action="?/updateDirectoryPrivacy"
+			use:enhance={() => {
+				isSubmitting = true;
+				return async ({ update }) => {
+					await invalidateAll();
+					await update();
+					isSubmitting = false;
+				};
+			}}
+			class="mt-6"
+		>
+			<div class="glass-card p-6">
+				<div class="mb-4 flex items-center gap-3">
+					<div class="flex h-10 w-10 items-center justify-center rounded-lg bg-slate-100">
+						<Eye class="h-5 w-5 text-slate-600" />
+					</div>
+					<div>
+						<h2 class="text-lg font-semibold text-slate-900">Directory Privacy</h2>
+						<p class="text-sm text-slate-500">Control what other members can see in the directory</p>
+					</div>
+				</div>
+
+				<div class="space-y-3">
+					<label class="flex items-center justify-between rounded-lg border border-slate-200 p-4">
+						<div>
+							<p class="font-medium text-slate-900">Email Address</p>
+							<p class="text-sm text-slate-500">Show your email in the member directory</p>
+						</div>
+						<input
+							type="checkbox"
+							name="show_email"
+							checked={data.directoryPrivacy?.show_email !== false}
+							class="h-4 w-4 rounded border-slate-300 text-monaco-600"
+						/>
+					</label>
+
+					<label class="flex items-center justify-between rounded-lg border border-slate-200 p-4">
+						<div>
+							<p class="font-medium text-slate-900">Phone Number</p>
+							<p class="text-sm text-slate-500">Show your phone number in the member directory</p>
+						</div>
+						<input
+							type="checkbox"
+							name="show_phone"
+							checked={data.directoryPrivacy?.show_phone !== false}
+							class="h-4 w-4 rounded border-slate-300 text-monaco-600"
+						/>
+					</label>
+
+					<label class="flex items-center justify-between rounded-lg border border-slate-200 p-4">
+						<div>
+							<p class="font-medium text-slate-900">Address</p>
+							<p class="text-sm text-slate-500">Show your address in the member directory</p>
+						</div>
+						<input
+							type="checkbox"
+							name="show_address"
+							checked={data.directoryPrivacy?.show_address === true}
+							class="h-4 w-4 rounded border-slate-300 text-monaco-600"
+						/>
+					</label>
+
+					<label class="flex items-center justify-between rounded-lg border border-slate-200 p-4">
+						<div>
+							<p class="font-medium text-slate-900">Nationality</p>
+							<p class="text-sm text-slate-500">Show your nationality flags in the member directory</p>
+						</div>
+						<input
+							type="checkbox"
+							name="show_nationality"
+							checked={data.directoryPrivacy?.show_nationality !== false}
+							class="h-4 w-4 rounded border-slate-300 text-monaco-600"
+						/>
+					</label>
+				</div>
+
+				<p class="mt-3 text-xs text-slate-400">
+					Board members and admins can always see all fields regardless of these settings.
+				</p>
+
+				<div class="mt-4 flex justify-end">
+					<button
+						type="submit"
+						disabled={isSubmitting}
+						class="rounded-lg bg-monaco-600 px-6 py-2 text-sm font-medium text-white hover:bg-monaco-700 disabled:opacity-50"
+					>
+						{isSubmitting ? 'Saving...' : 'Save Privacy Settings'}
+					</button>
+				</div>
+			</div>
+		</form>
 	{/if}
 
 	<!-- Account Tab -->

src/routes/join/+page.server.ts

@@ -1,6 +1,7 @@
 import { fail, redirect } from '@sveltejs/kit';
 import type { Actions, PageServerLoad } from './$types';
 import { createMemberRecord, cleanupAuthUser, sendWelcomeEmail } from '$lib/server/registration';
+import { checkRateLimit } from '$lib/server/rate-limit';
 
 export const load: PageServerLoad = async ({ locals, url }) => {
 	const { session } = await locals.safeGetSession();
@@ -134,6 +135,17 @@ export const actions: Actions = {
 			return fail(400, { error: 'You must accept the terms and conditions', step: 2 });
 		}
 
+		// Rate limit signup attempts by email
+		const rateLimitKey = `signup:${email}`;
+		const rateCheck = checkRateLimit(rateLimitKey, 3, 15 * 60 * 1000); // 3 attempts per 15 min
+		if (!rateCheck.allowed) {
+			const retryMinutes = Math.ceil((rateCheck.retryAfterMs || 0) / 60000);
+			return fail(429, {
+				error: `Too many signup attempts. Please try again in ${retryMinutes} minute${retryMinutes !== 1 ? 's' : ''}.`,
+				step: 2
+			});
+		}
+
 		// Create Supabase auth user
 		const { data: authData, error: authError } = await locals.supabase.auth.signUp({
 			email,
@@ -212,14 +224,27 @@ export const actions: Actions = {
 			return fail(401, { error: 'Not authenticated', step: 3 });
 		}
 
-		// For now, just proceed to next step
+		const formData = await request.formData();
-		// Avatar upload can be handled via the profile page later
+		const photoFile = formData.get('photo') as File | null;
-		// or we can add proper file handling here
 
-		return {
+		// Photo is optional during onboarding - allow skipping
-			success: true,
+		if (!photoFile || photoFile.size === 0) {
-			step: 3
+			return { success: true, step: 3 };
-		};
+		}
+
+		// Use the shared avatar upload handler (admin mode to bypass RLS)
+		const { handleAvatarUpload } = await import('$lib/server/member-profile');
+		const result = await handleAvatarUpload(
+			{ id: session.user.id },
+			photoFile,
+			{ useAdmin: true }
+		);
+
+		if (!result.success) {
+			return fail(400, { error: result.error || 'Failed to upload photo', step: 3 });
+		}
+
+		return { success: true, step: 3 };
 	},
 
 	complete: async ({ locals }) => {

supabase/docker/kong.yml

@@ -36,6 +36,34 @@ services:
         preserve_host: false
     plugins:
       - name: cors
+        config:
+          origins:
+            - https://portal.monacousa.org
+            - https://monacousa.org
+            - http://localhost:7453
+            - http://localhost:3000
+          methods:
+            - GET
+            - POST
+            - PUT
+            - PATCH
+            - DELETE
+            - OPTIONS
+          headers:
+            - Accept
+            - Accept-Version
+            - Authorization
+            - Content-Length
+            - Content-Type
+            - Date
+            - X-Auth-Token
+            - apikey
+            - x-client-info
+          exposed_headers:
+            - Content-Length
+            - Content-Range
+          credentials: true
+          max_age: 3600
 
   ## Auth Service (GoTrue)
   - name: auth-v1-open
@@ -47,6 +75,34 @@ services:
           - /auth/v1/verify
     plugins:
       - name: cors
+        config:
+          origins:
+            - https://portal.monacousa.org
+            - https://monacousa.org
+            - http://localhost:7453
+            - http://localhost:3000
+          methods:
+            - GET
+            - POST
+            - PUT
+            - PATCH
+            - DELETE
+            - OPTIONS
+          headers:
+            - Accept
+            - Accept-Version
+            - Authorization
+            - Content-Length
+            - Content-Type
+            - Date
+            - X-Auth-Token
+            - apikey
+            - x-client-info
+          exposed_headers:
+            - Content-Length
+            - Content-Range
+          credentials: true
+          max_age: 3600
 
   - name: auth-v1-open-callback
     url: http://auth:9999/callback
@@ -57,6 +113,34 @@ services:
           - /auth/v1/callback
     plugins:
       - name: cors
+        config:
+          origins:
+            - https://portal.monacousa.org
+            - https://monacousa.org
+            - http://localhost:7453
+            - http://localhost:3000
+          methods:
+            - GET
+            - POST
+            - PUT
+            - PATCH
+            - DELETE
+            - OPTIONS
+          headers:
+            - Accept
+            - Accept-Version
+            - Authorization
+            - Content-Length
+            - Content-Type
+            - Date
+            - X-Auth-Token
+            - apikey
+            - x-client-info
+          exposed_headers:
+            - Content-Length
+            - Content-Range
+          credentials: true
+          max_age: 3600
 
   - name: auth-v1-open-authorize
     url: http://auth:9999/authorize
@@ -67,6 +151,34 @@ services:
           - /auth/v1/authorize
     plugins:
       - name: cors
+        config:
+          origins:
+            - https://portal.monacousa.org
+            - https://monacousa.org
+            - http://localhost:7453
+            - http://localhost:3000
+          methods:
+            - GET
+            - POST
+            - PUT
+            - PATCH
+            - DELETE
+            - OPTIONS
+          headers:
+            - Accept
+            - Accept-Version
+            - Authorization
+            - Content-Length
+            - Content-Type
+            - Date
+            - X-Auth-Token
+            - apikey
+            - x-client-info
+          exposed_headers:
+            - Content-Length
+            - Content-Range
+          credentials: true
+          max_age: 3600
 
   - name: auth-v1
     url: http://auth:9999/
@@ -77,6 +189,34 @@ services:
           - /auth/v1/
     plugins:
       - name: cors
+        config:
+          origins:
+            - https://portal.monacousa.org
+            - https://monacousa.org
+            - http://localhost:7453
+            - http://localhost:3000
+          methods:
+            - GET
+            - POST
+            - PUT
+            - PATCH
+            - DELETE
+            - OPTIONS
+          headers:
+            - Accept
+            - Accept-Version
+            - Authorization
+            - Content-Length
+            - Content-Type
+            - Date
+            - X-Auth-Token
+            - apikey
+            - x-client-info
+          exposed_headers:
+            - Content-Length
+            - Content-Range
+          credentials: true
+          max_age: 3600
       - name: key-auth
         config:
           hide_credentials: false
@@ -97,6 +237,34 @@ services:
           - /rest/v1/
     plugins:
       - name: cors
+        config:
+          origins:
+            - https://portal.monacousa.org
+            - https://monacousa.org
+            - http://localhost:7453
+            - http://localhost:3000
+          methods:
+            - GET
+            - POST
+            - PUT
+            - PATCH
+            - DELETE
+            - OPTIONS
+          headers:
+            - Accept
+            - Accept-Version
+            - Authorization
+            - Content-Length
+            - Content-Type
+            - Date
+            - X-Auth-Token
+            - apikey
+            - x-client-info
+          exposed_headers:
+            - Content-Length
+            - Content-Range
+          credentials: true
+          max_age: 3600
       - name: key-auth
         config:
           hide_credentials: false
@@ -117,6 +285,34 @@ services:
           - /realtime/v1/websocket
     plugins:
       - name: cors
+        config:
+          origins:
+            - https://portal.monacousa.org
+            - https://monacousa.org
+            - http://localhost:7453
+            - http://localhost:3000
+          methods:
+            - GET
+            - POST
+            - PUT
+            - PATCH
+            - DELETE
+            - OPTIONS
+          headers:
+            - Accept
+            - Accept-Version
+            - Authorization
+            - Content-Length
+            - Content-Type
+            - Date
+            - X-Auth-Token
+            - apikey
+            - x-client-info
+          exposed_headers:
+            - Content-Length
+            - Content-Range
+          credentials: true
+          max_age: 3600
       - name: key-auth
         config:
           hide_credentials: false
@@ -136,6 +332,34 @@ services:
           - /realtime/v1/
     plugins:
       - name: cors
+        config:
+          origins:
+            - https://portal.monacousa.org
+            - https://monacousa.org
+            - http://localhost:7453
+            - http://localhost:3000
+          methods:
+            - GET
+            - POST
+            - PUT
+            - PATCH
+            - DELETE
+            - OPTIONS
+          headers:
+            - Accept
+            - Accept-Version
+            - Authorization
+            - Content-Length
+            - Content-Type
+            - Date
+            - X-Auth-Token
+            - apikey
+            - x-client-info
+          exposed_headers:
+            - Content-Length
+            - Content-Range
+          credentials: true
+          max_age: 3600
       - name: key-auth
         config:
           hide_credentials: false
@@ -156,6 +380,34 @@ services:
           - /storage/v1/object/public
     plugins:
       - name: cors
+        config:
+          origins:
+            - https://portal.monacousa.org
+            - https://monacousa.org
+            - http://localhost:7453
+            - http://localhost:3000
+          methods:
+            - GET
+            - POST
+            - PUT
+            - PATCH
+            - DELETE
+            - OPTIONS
+          headers:
+            - Accept
+            - Accept-Version
+            - Authorization
+            - Content-Length
+            - Content-Type
+            - Date
+            - X-Auth-Token
+            - apikey
+            - x-client-info
+          exposed_headers:
+            - Content-Length
+            - Content-Range
+          credentials: true
+          max_age: 3600
 
   ## Storage Service - All other operations (auth required)
   - name: storage-v1
@@ -167,6 +419,34 @@ services:
           - /storage/v1/
     plugins:
       - name: cors
+        config:
+          origins:
+            - https://portal.monacousa.org
+            - https://monacousa.org
+            - http://localhost:7453
+            - http://localhost:3000
+          methods:
+            - GET
+            - POST
+            - PUT
+            - PATCH
+            - DELETE
+            - OPTIONS
+          headers:
+            - Accept
+            - Accept-Version
+            - Authorization
+            - Content-Length
+            - Content-Type
+            - Date
+            - X-Auth-Token
+            - apikey
+            - x-client-info
+          exposed_headers:
+            - Content-Length
+            - Content-Range
+          credentials: true
+          max_age: 3600
       - name: key-auth
         config:
           hide_credentials: false

supabase/migrations/018_atomic_member_id_generation.sql

@@ -0,0 +1,66 @@
+-- Fix Race Condition in Member ID Generation
+-- ============================================
+-- Problem: Current implementation uses MAX() or COUNT() which allows duplicate IDs
+-- if two registrations happen simultaneously.
+--
+-- Solution: Use PostgreSQL sequence for atomic ID generation.
+
+-- Step 1: Create sequence for member IDs
+-- Find the highest existing member number to set starting point
+DO $$
+DECLARE
+  max_num INTEGER;
+BEGIN
+  -- Extract numeric part from existing member_ids (handles both MUSA-XXXX and MUSA-YYYY-XXXX formats)
+  SELECT COALESCE(
+    MAX(
+      CAST(
+        SUBSTRING(
+          member_id FROM '[0-9]+$'  -- Get trailing digits
+        ) AS INTEGER
+      )
+    ),
+    0
+  ) INTO max_num
+  FROM public.members;
+
+  -- Create sequence starting from next available number
+  EXECUTE format('CREATE SEQUENCE IF NOT EXISTS member_id_seq START WITH %s', max_num + 1);
+END $$;
+
+-- Step 2: Replace trigger function to use sequence
+CREATE OR REPLACE FUNCTION generate_member_id()
+RETURNS TRIGGER AS $$
+DECLARE
+  next_num INTEGER;
+  current_year TEXT;
+BEGIN
+  -- Only generate if member_id is not already set
+  IF NEW.member_id IS NOT NULL THEN
+    RETURN NEW;
+  END IF;
+
+  -- Get next number from sequence (atomic operation)
+  next_num := NEXTVAL('member_id_seq');
+  current_year := EXTRACT(YEAR FROM CURRENT_DATE)::TEXT;
+
+  -- Format: MUSA-YYYY-XXXX (matches application format)
+  NEW.member_id := 'MUSA-' || current_year || '-' || LPAD(next_num::TEXT, 4, '0');
+
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+-- Step 3: Ensure trigger exists (should already exist from 001_initial_schema.sql)
+DROP TRIGGER IF EXISTS set_member_id ON public.members;
+CREATE TRIGGER set_member_id
+  BEFORE INSERT ON public.members
+  FOR EACH ROW
+  WHEN (NEW.member_id IS NULL)
+  EXECUTE FUNCTION generate_member_id();
+
+-- Step 4: Add index on member_id for faster lookups (if not exists)
+CREATE INDEX IF NOT EXISTS idx_members_member_id ON public.members(member_id);
+
+COMMENT ON SEQUENCE member_id_seq IS 'Atomic sequence for generating unique member IDs. Used by generate_member_id() trigger.';
+COMMENT ON FUNCTION generate_member_id() IS 'Atomically generates member IDs using NEXTVAL(member_id_seq) to prevent race conditions.';

supabase/migrations/019_fix_admin_role_assignment.sql

@@ -0,0 +1,42 @@
+-- Fix admin role assignment broken by migration 017
+-- ============================================
+-- Problem: Migration 017's WITH CHECK prevents admins from updating other members' roles
+-- because the only UPDATE policy on members requires auth.uid() = id.
+-- Solution: Replace the overly restrictive policy with a properly scoped one,
+-- and add a separate policy for admins to update any member.
+
+-- Drop the problematic policy from 017 if it exists
+DROP POLICY IF EXISTS "Users can update own profile" ON public.members;
+
+-- Also drop by the name used in 017 re-creation (same name, just being safe)
+DROP POLICY IF EXISTS "Members can update own non-role fields" ON public.members;
+
+-- Allow members to update their own non-role fields (profile info)
+CREATE POLICY "Members can update own profile"
+  ON public.members
+  FOR UPDATE
+  TO authenticated
+  USING (auth.uid() = id)
+  WITH CHECK (
+    auth.uid() = id
+    AND role = (SELECT role FROM public.members WHERE id = auth.uid())
+  );
+
+-- Allow admins to update any member (including role changes) EXCEPT their own role
+CREATE POLICY "Admins can update other members"
+  ON public.members
+  FOR UPDATE
+  TO authenticated
+  USING (
+    EXISTS (
+      SELECT 1 FROM public.members
+      WHERE id = auth.uid() AND role = 'admin'
+    )
+  )
+  WITH CHECK (
+    -- Admins can change any field on other members
+    (id != auth.uid())
+    OR
+    -- On their own record, admins can update non-role fields (role must stay the same)
+    (id = auth.uid() AND role = (SELECT role FROM public.members WHERE id = auth.uid()))
+  );

supabase/migrations/020_approval_email_templates.sql

@@ -0,0 +1,33 @@
+-- Member approval workflow enhancements
+-- ============================================
+
+-- Add approval tracking columns to members table
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS approved_at TIMESTAMPTZ;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS approved_by UUID REFERENCES auth.users(id);
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS rejected_at TIMESTAMPTZ;
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS rejected_by UUID REFERENCES auth.users(id);
+ALTER TABLE public.members ADD COLUMN IF NOT EXISTS rejection_reason TEXT;
+
+-- Add approval email templates
+INSERT INTO public.email_templates (template_key, template_name, category, subject, body_html, body_text, is_active)
+VALUES
+  ('member_approved', 'Member Approved', 'membership', 'Welcome to Monaco USA - Membership Approved!',
+   '<h2 style="color: #22c55e; text-align: center;">Membership Approved!</h2>
+    <p style="color: #334155; line-height: 1.6;">Dear {{first_name}},</p>
+    <p style="color: #334155; line-height: 1.6;">We are pleased to inform you that your membership application to Monaco USA has been <strong>approved</strong>!</p>
+    <p style="color: #334155; line-height: 1.6;">Your member ID is: <strong>{{member_id}}</strong></p>
+    <p style="color: #334155; line-height: 1.6;">You now have full access to the member portal, including events, documents, and the member directory.</p>
+    <div style="text-align: center; margin: 24px 0;">
+      <a href="{{site_url}}/dashboard" style="background: #CE1126; color: white; padding: 12px 24px; border-radius: 8px; text-decoration: none; font-weight: bold;">Visit Your Dashboard</a>
+    </div>',
+   'Dear {{first_name}}, Your membership to Monaco USA has been approved! Your member ID is {{member_id}}.',
+   true),
+  ('member_rejected', 'Member Rejected', 'membership', 'Monaco USA - Membership Application Update',
+   '<h2 style="color: #ef4444; text-align: center;">Application Update</h2>
+    <p style="color: #334155; line-height: 1.6;">Dear {{first_name}},</p>
+    <p style="color: #334155; line-height: 1.6;">Thank you for your interest in Monaco USA. After careful review, we regret to inform you that your membership application was not approved at this time.</p>
+    <p style="color: #334155; line-height: 1.6;">{{reason}}</p>
+    <p style="color: #334155; line-height: 1.6;">If you have questions, please contact us at info@monacousa.org.</p>',
+   'Dear {{first_name}}, Thank you for your interest in Monaco USA. After review, your membership application was not approved at this time.',
+   true)
+ON CONFLICT (template_key) DO NOTHING;

supabase/migrations/021_rsvp_deadlines.sql

@@ -0,0 +1,9 @@
+-- RSVP Deadline Control
+-- ============================================
+-- Allows event organizers to set an RSVP cutoff date/time.
+
+ALTER TABLE public.events ADD COLUMN IF NOT EXISTS rsvp_deadline TIMESTAMPTZ;
+ALTER TABLE public.events ADD COLUMN IF NOT EXISTS rsvp_deadline_enabled BOOLEAN DEFAULT FALSE;
+
+COMMENT ON COLUMN public.events.rsvp_deadline IS 'Optional RSVP cutoff date/time. RSVPs are blocked after this time.';
+COMMENT ON COLUMN public.events.rsvp_deadline_enabled IS 'Whether the RSVP deadline is enforced for this event.';

supabase/migrations/022_directory_privacy.sql

@@ -0,0 +1,14 @@
+-- Migration 022: Directory Privacy Settings
+-- Adds privacy controls for member directory visibility
+
+-- Add directory_privacy JSONB column to members table
+ALTER TABLE public.members
+ADD COLUMN IF NOT EXISTS directory_privacy JSONB DEFAULT '{
+  "show_email": true,
+  "show_phone": true,
+  "show_address": false,
+  "show_nationality": true
+}'::jsonb;
+
+-- Add comment
+COMMENT ON COLUMN public.members.directory_privacy IS 'Controls which fields are visible in the member directory. Admins always see all fields.';

supabase/migrations/023_document_search.sql

@@ -0,0 +1,38 @@
+-- Migration 023: Document Full-Text Search
+-- Adds tsvector column and GIN index for fast document searching
+
+-- Add search vector column
+ALTER TABLE public.documents
+ADD COLUMN IF NOT EXISTS search_vector tsvector;
+
+-- Populate existing documents
+UPDATE public.documents
+SET search_vector = to_tsvector('english',
+  coalesce(title, '') || ' ' ||
+  coalesce(description, '') || ' ' ||
+  coalesce(file_name, '')
+);
+
+-- Create GIN index for fast full-text search
+CREATE INDEX IF NOT EXISTS idx_documents_search
+ON public.documents USING GIN (search_vector);
+
+-- Create trigger to keep search_vector updated
+CREATE OR REPLACE FUNCTION update_document_search_vector()
+RETURNS TRIGGER AS $$
+BEGIN
+  NEW.search_vector := to_tsvector('english',
+    coalesce(NEW.title, '') || ' ' ||
+    coalesce(NEW.description, '') || ' ' ||
+    coalesce(NEW.file_name, '')
+  );
+  RETURN NEW;
+END;
+$$ LANGUAGE plpgsql;
+
+DROP TRIGGER IF EXISTS trg_update_document_search ON public.documents;
+CREATE TRIGGER trg_update_document_search
+  BEFORE INSERT OR UPDATE OF title, description, file_name
+  ON public.documents
+  FOR EACH ROW
+  EXECUTE FUNCTION update_document_search_vector();

supabase/migrations/024_cron_execution_logs.sql

@@ -0,0 +1,45 @@
+-- Migration 024: Cron Execution Logs
+-- Tracks cron job execution history for monitoring
+
+CREATE TABLE IF NOT EXISTS public.cron_execution_logs (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  job_name TEXT NOT NULL,
+  status TEXT NOT NULL DEFAULT 'running' CHECK (status IN ('running', 'completed', 'failed')),
+  started_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  completed_at TIMESTAMPTZ,
+  duration_ms INTEGER,
+  result JSONB,
+  error_message TEXT,
+  triggered_by TEXT DEFAULT 'cron'
+);
+
+-- Index for quick lookups
+CREATE INDEX IF NOT EXISTS idx_cron_logs_job_name ON public.cron_execution_logs (job_name, started_at DESC);
+CREATE INDEX IF NOT EXISTS idx_cron_logs_started ON public.cron_execution_logs (started_at DESC);
+
+-- Enable RLS
+ALTER TABLE public.cron_execution_logs ENABLE ROW LEVEL SECURITY;
+
+-- Only admins can read cron logs
+CREATE POLICY "Admins can read cron logs"
+  ON public.cron_execution_logs
+  FOR SELECT
+  TO authenticated
+  USING (
+    EXISTS (
+      SELECT 1 FROM public.members
+      WHERE members.user_id = auth.uid()
+      AND members.role = 'admin'
+    )
+  );
+
+-- Service role can insert/update (for cron endpoints)
+CREATE POLICY "Service role can manage cron logs"
+  ON public.cron_execution_logs
+  FOR ALL
+  TO service_role
+  USING (true)
+  WITH CHECK (true);
+
+-- Auto-cleanup: keep only 90 days of logs
+COMMENT ON TABLE public.cron_execution_logs IS 'Tracks cron job execution history. Entries older than 90 days should be periodically purged.';

supabase/migrations/025_bulk_emails.sql

@@ -0,0 +1,44 @@
+-- Migration 025: Bulk Email Broadcasts
+-- Tracks bulk email campaigns sent to members
+
+CREATE TABLE IF NOT EXISTS public.bulk_emails (
+  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+  subject TEXT NOT NULL,
+  body TEXT NOT NULL,
+  recipient_filter JSONB DEFAULT '{"target": "all"}'::jsonb,
+  total_recipients INTEGER DEFAULT 0,
+  sent_count INTEGER DEFAULT 0,
+  failed_count INTEGER DEFAULT 0,
+  status TEXT NOT NULL DEFAULT 'draft' CHECK (status IN ('draft', 'sending', 'completed', 'failed')),
+  sent_by UUID REFERENCES auth.users(id),
+  sent_by_name TEXT,
+  created_at TIMESTAMPTZ DEFAULT NOW(),
+  sent_at TIMESTAMPTZ,
+  completed_at TIMESTAMPTZ
+);
+
+-- Index for listing
+CREATE INDEX IF NOT EXISTS idx_bulk_emails_created ON public.bulk_emails (created_at DESC);
+
+-- Enable RLS
+ALTER TABLE public.bulk_emails ENABLE ROW LEVEL SECURITY;
+
+-- Only admins can manage bulk emails
+CREATE POLICY "Admins can manage bulk emails"
+  ON public.bulk_emails
+  FOR ALL
+  TO authenticated
+  USING (
+    EXISTS (
+      SELECT 1 FROM public.members
+      WHERE members.user_id = auth.uid()
+      AND members.role = 'admin'
+    )
+  );
+
+CREATE POLICY "Service role full access to bulk emails"
+  ON public.bulk_emails
+  FOR ALL
+  TO service_role
+  USING (true)
+  WITH CHECK (true);