feat: migrate to multi-tenant SaaS architecture with JWT auth and BullMQ notifications

apps/admin/src/App.tsx

@@ -22,61 +22,101 @@ import { useTenant } from './lib/tenant';
 import { API_URL } from './lib/api';
 
 function ProtectedRoute({ children }: { children: React.ReactNode }) {
-    const { apiKey } = useAuth();
-    if (!apiKey) return <Navigate to="/login" replace />;
+    const { token } = useAuth();
+    if (!token) return <Navigate to="/login" replace />;
     return <>{children}</>;
 }
 
 function AppShell() {
-    const { logout, apiKey } = useAuth();
-    const { selectedOrgId, setSelectedOrgId } = useTenant();
+    const { logout, token, user } = useAuth();
+    const { selectedOrgId, setSelectedOrgId, isSubdomain, currentOrg } = useTenant();
     const [orgs, setOrgs] = React.useState<any[]>([]);
 
+    const isSuperAdmin = user?.role === 'SUPER_ADMIN' || user?.role === 'ADMIN';
+
     React.useEffect(() => {
-        if (!apiKey) return;
+        if (!token || !isSuperAdmin) return;
         fetch(`${API_URL}/v1/organizations`, {
-            headers: { 'Authorization': `Bearer ${apiKey}` }
+            headers: { 'Authorization': `Bearer ${token}` }
         }).then(r => r.json()).then(setOrgs).catch(console.error);
-    }, [apiKey]);
+    }, [token, isSuperAdmin]);
+
+    // Force org selection for Org Admin
+    React.useEffect(() => {
+        if (user?.organizationId && !isSuperAdmin) {
+            setSelectedOrgId(user.organizationId);
+        }
+    }, [user, isSuperAdmin, setSelectedOrgId]);
 
-    const navItems = [
+    const allNavItems = [
         { to: '/', label: 'Dashboard', icon: <BarChart2 className="w-4 h-4" /> },
         { to: '/analytics', label: 'Statistiques', icon: <TrendingUp className="w-4 h-4 text-amber-500" /> },
         { to: '/content', label: 'Parcours', icon: <BookOpen className="w-4 h-4" /> },
         { to: '/live-feed', label: 'Modération', icon: <Mic className="w-4 h-4 text-emerald-500" /> },
-        { to: '/clients', label: 'Clients B2B', icon: <Building2 className="w-4 h-4 text-indigo-400" /> },
-        { to: '/training', label: 'Training Lab', icon: <Activity className="w-4 h-4 text-purple-400" /> },
+        { to: '/clients', label: 'Clients B2B', icon: <Building2 className="w-4 h-4 text-indigo-400" />, superOnly: true },
+        { to: '/training', label: 'Training Lab', icon: <Activity className="w-4 h-4 text-purple-400" />, superOnly: true },
         { to: '/users', label: 'Utilisateurs', icon: <Users className="w-4 h-4" /> },
         { to: '/settings', label: 'Paramètres', icon: <Lightbulb className="w-4 h-4" /> },
     ];
+
+    const navItems = allNavItems.filter(item => !item.superOnly || isSuperAdmin);
     
+    const brandingColor = currentOrg?.brandingData?.primaryColor || '#0f172a';
+
     return (
         <div className="min-h-screen bg-gray-50 flex">
-            <aside className="w-56 bg-slate-900 text-white p-5 flex flex-col shrink-0">
-                <div className="text-lg font-bold mb-4 flex items-center gap-2"><span className="text-2xl">🎓</span>EdTech Admin</div>
-                
-                <div className="mb-8">
-                    <label className="block text-[10px] uppercase font-bold text-slate-500 tracking-wider mb-2">Organisation Active</label>
-                    <select 
-                        value={selectedOrgId || ''} 
-                        onChange={e => setSelectedOrgId(e.target.value)}
-                        className="w-full bg-slate-800 text-slate-200 text-xs px-3 py-2.5 rounded-xl outline-none focus:ring-1 focus:ring-slate-600 appearance-none cursor-pointer"
-                    >
-                        <option value="">Sélectionner...</option>
-                        {orgs.map(o => (
-                            <option key={o.id} value={o.id}>{o.name}</option>
-                        ))}
-                    </select>
+            <aside className="w-64 bg-slate-900 text-white p-6 flex flex-col shrink-0">
+                <div className="text-xl font-bold mb-8 flex items-center gap-3">
+                    {currentOrg?.brandingData?.logoUrl ? (
+                        <img src={currentOrg.brandingData.logoUrl} className="h-8 w-8 object-contain" alt="Logo" />
+                    ) : (
+                        <span className="text-2xl">🎓</span>
+                    )}
+                    <span className="truncate">{currentOrg?.name || 'EdTech Admin'}</span>
                 </div>
+                
+                {isSuperAdmin && (
+                    <div className="mb-8">
+                        <label className="block text-[10px] uppercase font-bold text-slate-500 tracking-wider mb-2">Gestion Multi-Tenant</label>
+                        <select 
+                            value={selectedOrgId || ''} 
+                            onChange={e => setSelectedOrgId(e.target.value)}
+                            className="w-full bg-slate-800 text-slate-200 text-xs px-3 py-2.5 rounded-xl outline-none focus:ring-1 focus:ring-slate-600 appearance-none cursor-pointer"
+                        >
+                            <option value="">Sélectionner une école...</option>
+                            {orgs.map(o => (
+                                <option key={o.id} value={o.id}>{o.name}</option>
+                            ))}
+                        </select>
+                    </div>
+                )}
 
                 <nav className="space-y-1 flex-1">
                     {navItems.map(n => (
-                        <Link key={n.to} to={n.to} className="flex items-center gap-3 px-3 py-2.5 rounded-xl text-sm font-medium text-slate-300 hover:text-white hover:bg-slate-800 transition">
+                        <Link 
+                            key={n.to} 
+                            to={n.to} 
+                            className="flex items-center gap-3 px-4 py-3 rounded-xl text-sm font-medium text-slate-300 hover:text-white hover:bg-white/10 transition"
+                        >
                             {n.icon}{n.label}
                         </Link>
                     ))}
                 </nav>
-                <button onClick={logout} className="text-xs text-slate-500 hover:text-white transition px-3 py-2 text-left">🔓 Se déconnecter</button>
+                
+                <div className="pt-6 mt-6 border-t border-slate-800">
+                    <div className="flex items-center gap-3 px-4 mb-4">
+                        <div className="w-8 h-8 rounded-full bg-indigo-500 flex items-center justify-center font-bold text-xs">
+                            {user?.name?.[0] || 'U'}
+                        </div>
+                        <div className="flex-1 min-w-0">
+                            <p className="text-sm font-bold truncate">{user?.name}</p>
+                            <p className="text-[10px] text-slate-500 truncate capitalize">{user?.role?.toLowerCase()}</p>
+                        </div>
+                    </div>
+                    <button onClick={logout} className="w-full flex items-center gap-3 px-4 py-2 text-xs text-slate-500 hover:text-white transition">
+                        🔓 Se déconnecter
+                    </button>
+                </div>
             </aside>
             <main className="flex-1 overflow-auto">
                 <Routes>
@@ -93,6 +133,7 @@ function AppShell() {
                     <Route path="/users" element={<UserListPage />} />
                     <Route path="/settings" element={<SettingsPage />} />
                     <Route path="/onboarding" element={<OnboardingWizard />} />
+                    <Route path="/reset-password" element={<div className="p-8">Page de réinitialisation (À implémenter)</div>} />
                 </Routes>
             </main>
         </div>

apps/admin/src/lib/api.ts

@@ -1,6 +1,10 @@
 export const API_URL = import.meta.env.VITE_API_URL || 'http://localhost:3001';
 
-export const ah = (k: string) => ({
-    'Authorization': `Bearer ${k}`,
-    'Content-Type': 'application/json'
-});
+export const ah = (token: string, orgId?: string | null) => {
+    const headers: any = {
+        'Authorization': `Bearer ${token}`,
+        'Content-Type': 'application/json'
+    };
+    if (orgId) headers['x-organization-id'] = orgId;
+    return headers;
+};

apps/admin/src/lib/auth.tsx

@@ -1,28 +1,46 @@
-import React, { useState, createContext, useContext } from 'react';
+import React, { useState, createContext, useContext, useEffect } from 'react';
+import { User } from '@repo/shared-types';
 
-const SESSION_KEY = 'edtech_admin_key';
+const SESSION_KEY = 'edtech_admin_token';
+const USER_KEY = 'edtech_admin_user';
 
-export const AuthContext = createContext<{ apiKey: string | null; login: (k: string) => void; logout: () => void; }>({ 
-    apiKey: null, 
+interface AuthContextType {
+    token: string | null;
+    user: User | null;
+    login: (token: string, user: User) => void;
+    logout: () => void;
+}
+
+export const AuthContext = createContext<AuthContextType>({ 
+    token: null, 
+    user: null,
     login: () => {}, 
     logout: () => {} 
 });
 
 export function AuthProvider({ children }: { children: React.ReactNode }) {
-    const [apiKey, setApiKey] = useState<string | null>(() => sessionStorage.getItem(SESSION_KEY));
+    const [token, setToken] = useState<string | null>(() => sessionStorage.getItem(SESSION_KEY));
+    const [user, setUser] = useState<User | null>(() => {
+        const saved = sessionStorage.getItem(USER_KEY);
+        return saved ? JSON.parse(saved) : null;
+    });
     
-    const login = (k: string) => { 
-        sessionStorage.setItem(SESSION_KEY, k); 
-        setApiKey(k); 
+    const login = (t: string, u: User) => { 
+        sessionStorage.setItem(SESSION_KEY, t); 
+        sessionStorage.setItem(USER_KEY, JSON.stringify(u));
+        setToken(t); 
+        setUser(u);
     };
     
     const logout = () => { 
         sessionStorage.removeItem(SESSION_KEY); 
-        setApiKey(null); 
+        sessionStorage.removeItem(USER_KEY);
+        setToken(null); 
+        setUser(null);
     };
     
     return (
-        <AuthContext.Provider value={{ apiKey, login, logout }}>
+        <AuthContext.Provider value={{ token, user, login, logout }}>
             {children}
         </AuthContext.Provider>
     );

apps/admin/src/lib/tenant.tsx

@@ -1,30 +1,51 @@
 import React, { useState, createContext, useContext, useEffect } from 'react';
+import { API_URL } from './api';
+import { Organization } from '@repo/shared-types';
 
 const TENANT_KEY = 'edtech_selected_org';
 
 interface TenantContextType {
     selectedOrgId: string | null;
     setSelectedOrgId: (id: string | null) => void;
+    currentOrg: Organization | null;
+    isSubdomain: boolean;
+    slug: string | null;
 }
 
 export const TenantContext = createContext<TenantContextType>({
     selectedOrgId: null,
-    setSelectedOrgId: () => {}
+    setSelectedOrgId: () => {},
+    currentOrg: null,
+    isSubdomain: false,
+    slug: null
 });
 
 export function TenantProvider({ children }: { children: React.ReactNode }) {
     const [selectedOrgId, setSelectedOrgId] = useState<string | null>(() => sessionStorage.getItem(TENANT_KEY));
+    const [currentOrg, setCurrentOrg] = useState<any | null>(null);
+    
+    // Subdomain detection logic
+    const hostname = window.location.hostname;
+    const parts = hostname.split('.');
+    const isSubdomain = parts.length > 2 && parts[0] !== 'www' && parts[0] !== 'admin';
+    const slug = isSubdomain ? parts[0] : null;
 
     useEffect(() => {
         if (selectedOrgId) {
             sessionStorage.setItem(TENANT_KEY, selectedOrgId);
+            // Fetch org details for branding
+            fetch(`${API_URL}/v1/organizations/${selectedOrgId}`)
+                .then(r => r.json())
+                .then(setCurrentOrg)
+                .catch(console.error);
         } else {
             sessionStorage.removeItem(TENANT_KEY);
+            setCurrentOrg(null);
         }
     }, [selectedOrgId]);
 
     return (
-        <TenantContext.Provider value={{ selectedOrgId, setSelectedOrgId }}>
+        <TenantContext.Provider value={{ selectedOrgId, setSelectedOrgId, currentOrg, isSubdomain, slug }}>
             {children}
         </TenantContext.Provider>
     );

apps/admin/src/pages/AnalyticsPage.tsx

@@ -10,36 +10,27 @@ import {
 } from 'lucide-react';
 import { useAuth } from '../lib/auth';
 import { useTenant } from '../lib/tenant';
-import { API_URL } from '../lib/api';
+import { API_URL, ah } from '../lib/api';
 
 const COLORS = ['#6366f1', '#10b981', '#f59e0b', '#ef4444'];
 
 export default function AnalyticsPage() {
-  const { apiKey } = useAuth();
+  const { token } = useAuth();
   const { selectedOrgId } = useTenant();
   const [usage, setUsage] = useState<any>(null);
   const [pedagogy, setPedagogy] = useState<any>(null);
   const [loading, setLoading] = useState(true);
 
   useEffect(() => {
-    if (!selectedOrgId || !apiKey) return;
+    if (!selectedOrgId || !token) return;
 
     const fetchData = async () => {
       setLoading(true);
       try {
+        const h = ah(token, selectedOrgId);
         const [usageRes, pedagogyRes] = await Promise.all([
-          fetch(`${API_URL}/v1/analytics/usage`, {
-            headers: { 
-              'Authorization': `Bearer ${apiKey}`,
-              'x-organization-id': selectedOrgId
-            }
-          }),
-          fetch(`${API_URL}/v1/analytics/pedagogy`, {
-            headers: { 
-              'Authorization': `Bearer ${apiKey}`,
-              'x-organization-id': selectedOrgId
-            }
-          })
+          fetch(`${API_URL}/v1/analytics/usage`, { headers: h }),
+          fetch(`${API_URL}/v1/analytics/pedagogy`, { headers: h })
         ]);
 
         if (usageRes.ok) setUsage(await usageRes.json());
@@ -52,7 +43,7 @@ export default function AnalyticsPage() {
     };
 
     fetchData();
-  }, [selectedOrgId, apiKey]);
+  }, [selectedOrgId, token]);
 
   if (!selectedOrgId) {
     return (

apps/admin/src/pages/ClientsManagementView.tsx

@@ -31,7 +31,7 @@ interface PersonalityModalProps {
 }
 
 export default function ClientsManagementView() {
-    const { apiKey } = useAuth();
+    const { token } = useAuth();
     const [clients, setClients] = useState<Organization[]>([]);
     const [loading, setLoading] = useState(true);
     const [isModalOpen, setIsModalOpen] = useState(false);
@@ -39,11 +39,12 @@ export default function ClientsManagementView() {
     const [newOrgName, setNewOrgName] = useState('');
     const [isCreating, setIsCreating] = useState(false);
     const [showGuide, setShowGuide] = useState(false);
-
+ 
     const fetchClients = async () => {
+        if (!token) return;
         try {
             const res = await fetch(`${API_URL}/v1/organizations`, {
-                headers: ah(apiKey || '')
+                headers: ah(token)
             });
             if (res.ok) {
                 const data = await res.json();
@@ -55,10 +56,10 @@ export default function ClientsManagementView() {
             setLoading(false);
         }
     };
-
+ 
     useEffect(() => {
         fetchClients();
-    }, [apiKey]);
+    }, [token]);
 
     const handleCreateOrg = async (e: React.FormEvent) => {
         e.preventDefault();
@@ -66,7 +67,7 @@ export default function ClientsManagementView() {
         try {
             const res = await fetch(`${API_URL}/v1/organizations`, {
                 method: 'POST',
-                headers: ah(apiKey || ''),
+                headers: ah(token!),
                 body: JSON.stringify({ name: newOrgName })
             });
             if (res.ok) {
@@ -81,6 +82,7 @@ export default function ClientsManagementView() {
         }
     };
 
+
     const handleEmbeddedSignup = async (orgId: string) => {
         try {
             const signupData = await launchEmbeddedSignup();
@@ -88,7 +90,7 @@ export default function ClientsManagementView() {
             // Send the received credentials to our backend
             const res = await fetch(`${API_URL}/v1/organizations/${orgId}/whatsapp-setup`, {
                 method: 'POST',
-                headers: ah(apiKey || ''),
+                headers: ah(token!),
                 body: JSON.stringify(signupData)
             });
 
@@ -296,7 +298,7 @@ export default function ClientsManagementView() {
                         try {
                             const res = await fetch(`${API_URL}/v1/organizations/${selectedOrgForPersonality.id}/personality`, {
                                 method: 'PATCH',
-                                headers: ah(apiKey || ''),
+                                headers: ah(token!),
                                 body: JSON.stringify(config)
                             });
                             if (res.ok) {

apps/admin/src/pages/DashboardPage.tsx

@@ -5,7 +5,7 @@ import { useTenant } from '../lib/tenant';
 import { API_URL } from '../lib/api';
 
 export default function DashboardPage() {
-    const { apiKey, logout } = useAuth();
+    const { token, logout } = useAuth();
     const { selectedOrgId } = useTenant();
     const [stats, setStats] = useState<any>(null);
     const [enrollments, setEnrollments] = useState<any[]>([]);
@@ -20,10 +20,7 @@ export default function DashboardPage() {
         (async () => {
             setLoading(true);
             try {
-                const h = { 
-                    'Authorization': `Bearer ${apiKey}`,
-                    'x-organization-id': selectedOrgId
-                };
+                const h = ah(token!, selectedOrgId);
                 const [sRes, eRes] = await Promise.all([
                     fetch(`${API_URL}/v1/admin/stats`, { headers: h }),
                     fetch(`${API_URL}/v1/admin/enrollments`, { headers: h })
@@ -33,7 +30,7 @@ export default function DashboardPage() {
                 setEnrollments(await eRes.json());
             } finally { setLoading(false); }
         })();
-    }, [apiKey, logout, selectedOrgId]);
+    }, [token, logout, selectedOrgId]);
 
     const exportCSV = () => {
         if (!enrollments.length) return alert('Aucune inscription.');

apps/admin/src/pages/LiveFeed.tsx

@@ -1,6 +1,8 @@
 import { useState, useEffect, useRef } from 'react';
 import { Square, Mic, Send, AlertCircle, CheckCircle2, Loader2, User, Briefcase } from 'lucide-react';
 import { useAuth } from '../lib/auth';
+import { useTenant } from '../lib/tenant';
+import { API_URL, ah } from '../lib/api';
 
 interface PendingReview {
     id: string;
@@ -28,23 +30,16 @@ export default function LiveFeed() {
     const [error, setError] = useState<string | null>(null);
     const [successMsg, setSuccessMsg] = useState<string | null>(null);
 
-    const { apiKey } = useAuth();
-    // MOCK ADMIN ID (Replace with actual auth context)
-    const ADMIN_ID = "admin_01";
-
-    // Gestion propre de l'URL de l'API (Support pour Vite, Next.js ou relative)
-    const getApiUrl = (endpoint: string) => {
-        const rawBaseUrl = import.meta.env?.VITE_API_URL || 'http://localhost:3001';
-        const baseUrl = rawBaseUrl.replace(/\/$/, '');
-        return `${baseUrl}/v1/admin${endpoint}`;
-    };
+    const { token, user } = useAuth();
+    const { selectedOrgId } = useTenant();
+    
+    const ADMIN_ID = user?.id || "admin_01";
 
     const fetchLiveFeed = async () => {
+        if (!token || !selectedOrgId) return;
         try {
-            const res = await fetch(getApiUrl('/live-feed'), {
-                headers: {
-                    'Authorization': `Bearer ${apiKey}`
-                }
+            const res = await fetch(`${API_URL}/v1/admin/live-feed`, {
+                headers: ah(token, selectedOrgId)
             });
             if (!res.ok) throw new Error('Erreur réseau');
             const data = await res.json();
@@ -58,10 +53,9 @@ export default function LiveFeed() {
 
     useEffect(() => {
         fetchLiveFeed();
-        // Polling every 30 seconds
         const interval = setInterval(fetchLiveFeed, 30000);
         return () => clearInterval(interval);
-    }, []);
+    }, [token, selectedOrgId]);
 
     const handleOverrideSuccess = (userId: string, isSkip: boolean = false) => {
         setReviews((prev: PendingReview[]) => prev.filter((r: PendingReview) => r.userId !== userId));
@@ -119,9 +113,9 @@ export default function LiveFeed() {
                             review={review}
                             adminId={ADMIN_ID}
                             onSuccess={() => handleOverrideSuccess(review.userId, false)}
-                            onSkip={() => handleOverrideSuccess(review.userId, true)} // Temporarily hide it the same way
-                            getApiUrl={getApiUrl}
-                            apiKey={apiKey || ''}
+                            onSkip={() => handleOverrideSuccess(review.userId, true)}
+                            token={token!}
+                            organizationId={selectedOrgId!}
                         />
                     ))
                 )}
@@ -134,7 +128,7 @@ export default function LiveFeed() {
 // MODERATION CARD COMPONENT
 // ----------------------------------------------------------------------
 
-function ModerationCard({ review, adminId, onSuccess, onSkip, getApiUrl, apiKey }: { key?: string | number, review: PendingReview, adminId: string, onSuccess: () => void, onSkip: () => void, getApiUrl: (path: string) => string, apiKey: string }) {
+function ModerationCard({ review, adminId, onSuccess, onSkip, token, organizationId }: { review: PendingReview, adminId: string, onSuccess: () => void, onSkip: () => void, token: string, organizationId: string }) {
     const [transcription, setTranscription] = useState('');
     const [audioBlob, setAudioBlob] = useState<Blob | null>(null);
     const [isSubmitting, setIsSubmitting] = useState(false);
@@ -142,7 +136,7 @@ function ModerationCard({ review, adminId, onSuccess, onSkip, getApiUrl, apiKey
     const [playbackRate, setPlaybackRate] = useState(1);
 
     const changeSpeed = () => {
-        const nextRates = { 1: 1.5, 1.5: 2, 2: 1 } as Record<number, number>;
+        const nextRates: Record<number, number> = { 1: 1.5, 1.5: 2, 2: 1 };
         const newRate = nextRates[playbackRate] || 1;
         setPlaybackRate(newRate);
         if (audioRef.current) {
@@ -160,15 +154,12 @@ function ModerationCard({ review, adminId, onSuccess, onSkip, getApiUrl, apiKey
         let overrideAudioUrl = "";
 
         try {
-            // 1. Upload the AudioBlob to S3/CloudFlare via an upload route
             const formData = new FormData();
             formData.append("file", audioBlob, `override-${review.userId}.webm`);
 
-            const uploadRes = await fetch(getApiUrl('/upload'), {
+            const uploadRes = await fetch(`${API_URL}/v1/admin/upload`, {
                 method: 'POST',
-                headers: {
-                    'Authorization': `Bearer ${apiKey}`
-                },
+                headers: { 'Authorization': `Bearer ${token}`, 'x-organization-id': organizationId },
                 body: formData
             });
 
@@ -176,13 +167,9 @@ function ModerationCard({ review, adminId, onSuccess, onSkip, getApiUrl, apiKey
             const uploadData = await uploadRes.json();
             overrideAudioUrl = uploadData.url;
 
-            // 2. Submit the Override Feedback
-            const feedbackRes = await fetch(getApiUrl('/override-feedback'), {
+            const feedbackRes = await fetch(`${API_URL}/v1/admin/override-feedback`, {
                 method: 'POST',
-                headers: {
-                    'Content-Type': 'application/json',
-                    'Authorization': `Bearer ${apiKey}`
-                },
+                headers: ah(token, organizationId),
                 body: JSON.stringify({
                     userId: review.userId,
                     trackId: review.trackId,
@@ -260,7 +247,7 @@ function ModerationCard({ review, adminId, onSuccess, onSkip, getApiUrl, apiKey
                         className="w-full text-sm p-3 rounded-lg border border-slate-200 focus:ring-2 focus:ring-emerald-500 focus:border-emerald-500 transition-shadow resize-none h-24"
                         placeholder="Écrivez ce que l'étudiant a dit en le traduisant correctement en français..."
                         value={transcription}
-                        onChange={(e: any) => setTranscription(e.target.value)}
+                        onChange={(e) => setTranscription(e.target.value)}
                     />
                 </div>
             </div>
@@ -308,7 +295,7 @@ function AudioRecorder({ onRecordComplete }: { onRecordComplete: (blob: Blob | n
     const [audioUrl, setAudioUrl] = useState<string | null>(null);
 
     const mediaRecorder = useRef<MediaRecorder | null>(null);
-    const audioChunks = useRef<BlobPart[]>([]);
+    const audioChunks = useRef<Blob[]>([]);
 
     const startRecording = async () => {
         try {
@@ -316,7 +303,7 @@ function AudioRecorder({ onRecordComplete }: { onRecordComplete: (blob: Blob | n
             mediaRecorder.current = new MediaRecorder(stream);
             audioChunks.current = [];
 
-            mediaRecorder.current.ondataavailable = (event: any) => {
+            mediaRecorder.current.ondataavailable = (event: BlobEvent) => {
                 audioChunks.current.push(event.data);
             };
 
@@ -340,8 +327,7 @@ function AudioRecorder({ onRecordComplete }: { onRecordComplete: (blob: Blob | n
         if (mediaRecorder.current && isRecording) {
             mediaRecorder.current.stop();
             setIsRecording(false);
-            // Stop all tracks to release mic
-            mediaRecorder.current.stream.getTracks().forEach((track: any) => track.stop());
+            mediaRecorder.current.stream.getTracks().forEach(track => track.stop());
         }
     };
 

apps/admin/src/pages/LoginPage.tsx

@@ -1,32 +1,41 @@
 import React, { useState, useEffect } from 'react';
 import { useNavigate } from 'react-router-dom';
 import { useAuth } from '../lib/auth';
+import { useTenant } from '../lib/tenant';
 import { API_URL } from '../lib/api';
 
 export default function LoginPage() {
-    const { login, apiKey } = useAuth();
+    const { login, token } = useAuth();
+    const { currentOrg, isSubdomain, slug } = useTenant();
     const navigate = useNavigate();
-    const [key, setKey] = useState('');
+    
+    const [email, setEmail] = useState('');
+    const [password, setPassword] = useState('');
     const [error, setError] = useState('');
     const [loading, setLoading] = useState(false);
 
     useEffect(() => { 
-        if (apiKey) navigate('/', { replace: true }); 
-    }, [apiKey, navigate]);
+        if (token) navigate('/', { replace: true }); 
+    }, [token, navigate]);
 
     const handleSubmit = async (e: React.FormEvent) => {
         e.preventDefault(); 
         setError(''); 
         setLoading(true);
         try {
-            const res = await fetch(`${API_URL}/v1/admin/stats`, { 
-                headers: { 'Authorization': `Bearer ${key}` } 
+            const res = await fetch(`${API_URL}/v1/auth/login`, { 
+                method: 'POST',
+                headers: { 'Content-Type': 'application/json' },
+                body: JSON.stringify({ email, password })
             });
+            
+            const data = await res.json();
+            
             if (res.ok) { 
-                login(key); 
+                login(data.token, data.user); 
                 navigate('/', { replace: true }); 
             } else {
-                setError('Clé API invalide.');
+                setError(data.message || 'Identifiants invalides.');
             }
         } catch { 
             setError('Impossible de joindre le serveur.'); 
@@ -35,24 +44,72 @@ export default function LoginPage() {
         }
     };
 
+    const brandingColor = currentOrg?.brandingData?.primaryColor || '#0f172a';
+    const logoUrl = currentOrg?.brandingData?.logoUrl;
+
     return (
-        <div className="min-h-screen bg-slate-900 flex items-center justify-center p-4">
-            <div className="bg-white rounded-2xl shadow-2xl p-8 w-full max-w-sm">
-                <div className="text-center mb-6">
-                    <div className="text-3xl mb-2">🔐</div>
-                    <h1 className="text-2xl font-bold text-slate-800">Admin Access</h1>
-                    <p className="text-sm text-slate-500 mt-1">Entrez votre ADMIN_API_KEY</p>
+        <div className="min-h-screen flex items-center justify-center p-4 bg-slate-50">
+            <div className="bg-white rounded-3xl shadow-xl p-8 w-full max-w-md border border-slate-100">
+                <div className="text-center mb-8">
+                    {logoUrl ? (
+                        <img src={logoUrl} alt="Logo" className="h-12 mx-auto mb-4 object-contain" />
+                    ) : (
+                        <div className="text-4xl mb-4">🎓</div>
+                    )}
+                    <h1 className="text-2xl font-bold text-slate-900">
+                        {currentOrg?.name || 'Xamlé Studio'}
+                    </h1>
+                    <p className="text-sm text-slate-500 mt-2">
+                        {isSubdomain ? `Espace administrateur ${currentOrg?.name || slug}` : 'Connectez-vous à votre espace EdTech'}
+                    </p>
                 </div>
-                <form onSubmit={handleSubmit} className="space-y-4">
-                    <input id="apiKey" type="password" required placeholder="sk-admin-..." value={key}
-                        onChange={e => setKey(e.target.value)}
-                        className="w-full border border-slate-200 rounded-xl px-4 py-3 text-sm outline-none focus:ring-2 focus:ring-slate-400" />
-                    {error && <p className="text-red-500 text-sm">{error}</p>}
-                    <button type="submit" disabled={loading}
-                        className="w-full bg-slate-900 hover:bg-slate-700 text-white py-3 rounded-xl font-bold text-sm transition disabled:opacity-50">
-                        {loading ? 'Vérification...' : 'Se connecter'}
+
+                <form onSubmit={handleSubmit} className="space-y-5">
+                    <div>
+                        <label className="block text-xs font-bold text-slate-400 uppercase tracking-wider mb-2">Email</label>
+                        <input 
+                            type="email" 
+                            required 
+                            placeholder="admin@ecole.com" 
+                            value={email}
+                            onChange={e => setEmail(e.target.value)}
+                            className="w-full bg-slate-50 border-none rounded-2xl px-5 py-4 text-sm outline-none focus:ring-2 focus:ring-indigo-500 transition" 
+                        />
+                    </div>
+                    
+                    <div>
+                        <label className="block text-xs font-bold text-slate-400 uppercase tracking-wider mb-2">Mot de passe</label>
+                        <input 
+                            type="password" 
+                            required 
+                            placeholder="••••••••" 
+                            value={password}
+                            onChange={e => setPassword(e.target.value)}
+                            className="w-full bg-slate-50 border-none rounded-2xl px-5 py-4 text-sm outline-none focus:ring-2 focus:ring-indigo-500 transition" 
+                        />
+                    </div>
+
+                    {error && (
+                        <div className="p-4 bg-red-50 text-red-600 rounded-2xl text-xs font-medium border border-red-100">
+                            ⚠️ {error}
+                        </div>
+                    )}
+
+                    <button 
+                        type="submit" 
+                        disabled={loading}
+                        style={{ backgroundColor: brandingColor }}
+                        className="w-full text-white py-4 rounded-2xl font-bold text-sm shadow-lg shadow-indigo-200 transition active:scale-[0.98] disabled:opacity-50"
+                    >
+                        {loading ? 'Connexion...' : 'Se connecter'}
                     </button>
                 </form>
+                
+                {!isSubdomain && (
+                    <p className="text-center text-[10px] text-slate-400 mt-8 uppercase tracking-widest font-bold">
+                        Propulsé par Xamlé Studio
+                    </p>
+                )}
             </div>
         </div>
     );

apps/admin/src/pages/TrackDaysPage.tsx

@@ -3,10 +3,10 @@ import { useParams, useNavigate } from 'react-router-dom';
 import { Plus, Edit2, Trash2, ArrowLeft, X, Save } from 'lucide-react';
 import { useAuth } from '../lib/auth';
 import { useTenant } from '../lib/tenant';
-import { API_URL } from '../lib/api';
+import { API_URL, ah } from '../lib/api';
 
 export default function TrackDaysPage() {
-    const { apiKey } = useAuth(); 
+    const { token } = useAuth(); 
     const { selectedOrgId } = useTenant();
     const { trackId } = useParams<{ trackId: string }>(); 
     const navigate = useNavigate();
@@ -16,30 +16,26 @@ export default function TrackDaysPage() {
     const [editing, setEditing] = useState<any>(null); 
     const [saving, setSaving] = useState(false);
     
-    const ah = (k: string) => ({ 
-        'Authorization': `Bearer ${k}`, 
-        'Content-Type': 'application/json',
-        ...(selectedOrgId ? { 'x-organization-id': selectedOrgId } : {})
-    });
-
     const load = async () => { 
+        if (!token || !selectedOrgId) return;
         const [tR, dR] = await Promise.all([
-            fetch(`${API_URL}/v1/admin/tracks/${trackId}`, { headers: ah(apiKey!) }), 
-            fetch(`${API_URL}/v1/admin/tracks/${trackId}/days`, { headers: ah(apiKey!) })
+            fetch(`${API_URL}/v1/admin/tracks/${trackId}`, { headers: ah(token, selectedOrgId) }), 
+            fetch(`${API_URL}/v1/admin/tracks/${trackId}/days`, { headers: ah(token, selectedOrgId) })
         ]); 
         setTrack(await tR.json()); 
         setDays(await dR.json()); 
     };
 
-    useEffect(() => { load(); }, []);
+    useEffect(() => { load(); }, [token, selectedOrgId]);
 
     const emptyDay = { dayNumber: (days.length || 0) + 1, title: '', lessonText: '', audioUrl: '', exerciseType: 'TEXT', exercisePrompt: '', validationKeyword: '' };
 
     const saveDay = async (e: React.FormEvent) => {
         e.preventDefault(); 
+        if (!token || !selectedOrgId) return;
         setSaving(true);
         const url = editing.id ? `${API_URL}/v1/admin/tracks/${trackId}/days/${editing.id}` : `${API_URL}/v1/admin/tracks/${trackId}/days`;
-        await fetch(url, { method: editing.id ? 'PUT' : 'POST', headers: ah(apiKey!), body: JSON.stringify(editing) });
+        await fetch(url, { method: editing.id ? 'PUT' : 'POST', headers: ah(token, selectedOrgId), body: JSON.stringify(editing) });
         setEditing(null); 
         load(); 
         setSaving(false);
@@ -47,7 +43,7 @@ export default function TrackDaysPage() {
 
     const del = async (dayId: string) => { 
         if (!confirm('Supprimer ce jour?')) return; 
-        await fetch(`${API_URL}/v1/admin/tracks/${trackId}/days/${dayId}`, { method: 'DELETE', headers: ah(apiKey!) }); 
+        await fetch(`${API_URL}/v1/admin/tracks/${trackId}/days/${dayId}`, { method: 'DELETE', headers: ah(token!, selectedOrgId!) }); 
         load(); 
     };
 

apps/admin/src/pages/TrackFormPage.tsx

@@ -3,10 +3,10 @@ import { useParams, useNavigate } from 'react-router-dom';
 import { ArrowLeft, Save } from 'lucide-react';
 import { useAuth } from '../lib/auth';
 import { useTenant } from '../lib/tenant';
-import { API_URL } from '../lib/api';
+import { API_URL, ah } from '../lib/api';
 
 export default function TrackFormPage() {
-    const { apiKey } = useAuth(); 
+    const { token } = useAuth(); 
     const { selectedOrgId } = useTenant();
     const { id } = useParams<{ id: string }>(); 
     const navigate = useNavigate();
@@ -17,15 +17,10 @@ export default function TrackFormPage() {
         isPremium: false, priceAmount: 0, stripePriceId: '' 
     });
     const [saving, setSaving] = useState(false);
-    const ah = (k: string) => ({ 
-        'Authorization': `Bearer ${k}`, 
-        'Content-Type': 'application/json',
-        ...(selectedOrgId ? { 'x-organization-id': selectedOrgId } : {})
-    });
 
     useEffect(() => { 
-        if (!isNew) {
-            fetch(`${API_URL}/v1/admin/tracks/${id}`, { headers: ah(apiKey!) })
+        if (!isNew && token && selectedOrgId) {
+            fetch(`${API_URL}/v1/admin/tracks/${id}`, { headers: ah(token, selectedOrgId) })
                 .then(r => r.json())
                 .then(t => setForm({ 
                     title: t.title, description: t.description || '', duration: t.duration, 
@@ -33,17 +28,18 @@ export default function TrackFormPage() {
                     stripePriceId: t.stripePriceId || '' 
                 })); 
         }
-    }, [id, apiKey, isNew]);
+    }, [id, token, selectedOrgId, isNew]);
 
     const inp = "w-full border border-slate-200 rounded-xl px-4 py-2.5 text-sm outline-none focus:ring-2 focus:ring-slate-300";
 
     const handleSubmit = async (e: React.FormEvent) => {
         e.preventDefault(); 
+        if (!token || !selectedOrgId) return;
         setSaving(true);
         const url = isNew ? `${API_URL}/v1/admin/tracks` : `${API_URL}/v1/admin/tracks/${id}`;
         await fetch(url, { 
             method: isNew ? 'POST' : 'PUT', 
-            headers: ah(apiKey!), 
+            headers: ah(token, selectedOrgId), 
             body: JSON.stringify({ 
                 ...form, 
                 priceAmount: form.priceAmount || undefined, 

apps/admin/src/pages/TrackListPage.tsx

@@ -3,36 +3,31 @@ import { useNavigate } from 'react-router-dom';
 import { BookOpen, Plus, Edit2, Trash2, ChevronRight, Building2 } from 'lucide-react';
 import { useAuth } from '../lib/auth';
 import { useTenant } from '../lib/tenant';
-import { API_URL } from '../lib/api';
+import { API_URL, ah } from '../lib/api';
 
 export default function TrackListPage() {
-    const { apiKey } = useAuth(); 
+    const { token } = useAuth(); 
     const { selectedOrgId } = useTenant();
     const navigate = useNavigate();
     const [tracks, setTracks] = useState<any[]>([]); 
     const [loading, setLoading] = useState(true);
 
-    const ah = (k: string) => ({ 
-        'Authorization': `Bearer ${k}`, 
-        'Content-Type': 'application/json',
-        ...(selectedOrgId ? { 'x-organization-id': selectedOrgId } : {})
-    });
-
     const load = async () => { 
-        const r = await fetch(`${API_URL}/v1/admin/tracks`, { headers: ah(apiKey!) }); 
+        if (!token || !selectedOrgId) return;
+        const r = await fetch(`${API_URL}/v1/admin/tracks`, { headers: ah(token, selectedOrgId) }); 
         setTracks(await r.json()); 
         setLoading(false); 
     };
 
     useEffect(() => { 
-        if (selectedOrgId || !apiKey) {
+        if (selectedOrgId && token) {
             load(); 
         }
-    }, [selectedOrgId, apiKey]);
+    }, [selectedOrgId, token]);
 
     const del = async (id: string) => { 
         if (!confirm('Supprimer ce parcours ?')) return; 
-        await fetch(`${API_URL}/v1/admin/tracks/${id}`, { method: 'DELETE', headers: ah(apiKey!) }); 
+        await fetch(`${API_URL}/v1/admin/tracks/${id}`, { method: 'DELETE', headers: ah(token!, selectedOrgId!) }); 
         load(); 
     };
 

apps/admin/src/pages/TrainingLab.tsx

@@ -1,9 +1,9 @@
 import { useState, useEffect } from 'react';
 import { useAuth } from '../lib/auth';
+import { useTenant } from '../lib/tenant';
+import { API_URL, ah } from '../lib/api';
 import { Upload, Database, Save, Activity, CheckCircle, AlertTriangle, RefreshCw, Lightbulb } from 'lucide-react';
 
-const API_URL = import.meta.env.VITE_API_URL || 'http://localhost:3001';
-
 interface TrainingData {
     id: string;
     audioUrl: string;
@@ -16,7 +16,8 @@ interface TrainingData {
 }
 
 export default function TrainingLab() {
-    const { apiKey, logout } = useAuth();
+    const { token, logout } = useAuth();
+    const { selectedOrgId } = useTenant();
     const [mode, setMode] = useState<'db' | 'upload' | 'suggestions'>('db');
     const [audios, setAudios] = useState<TrainingData[]>([]);
     const [selectedAudio, setSelectedAudio] = useState<TrainingData | null>(null);
@@ -31,10 +32,11 @@ export default function TrainingLab() {
     const [recalcResult, setRecalcResult] = useState<{ processed: number, avgRawWER: number, avgNormalizedWER: number, improvementPercent: number } | null>(null);
 
     const fetchAudios = async () => {
+        if (!token || !selectedOrgId) return;
         setLoading(true);
         try {
             const res = await fetch(`${API_URL}/v1/admin/training/audios`, {
-                headers: { 'Authorization': `Bearer ${apiKey}` }
+                headers: ah(token, selectedOrgId)
             });
             if (res.status === 401) return logout();
             const data = await res.json();
@@ -50,7 +52,7 @@ export default function TrainingLab() {
         if (mode === 'db') {
             fetchAudios();
         }
-    }, [mode, apiKey, logout]);
+    }, [mode, token, selectedOrgId, logout]);
 
     const handleSubmit = async () => {
         if (!selectedAudio || !manualCorrection.trim()) return;
@@ -59,10 +61,7 @@ export default function TrainingLab() {
         try {
             const res = await fetch(`${API_URL}/v1/admin/training/submit`, {
                 method: 'POST',
-                headers: {
-                    'Authorization': `Bearer ${apiKey}`,
-                    'Content-Type': 'application/json'
-                },
+                headers: ah(token!, selectedOrgId!),
                 body: JSON.stringify({
                     id: selectedAudio.id,
                     audioUrl: selectedAudio.audioUrl,
@@ -95,7 +94,7 @@ export default function TrainingLab() {
         setLoading(true);
         try {
             const res = await fetch(`${API_URL}/v1/admin/training/suggestions`, {
-                headers: { 'Authorization': `Bearer ${apiKey}` }
+                headers: ah(token!, selectedOrgId!)
             });
             if (res.status === 401) return logout();
             const data = await res.json();
@@ -115,7 +114,7 @@ export default function TrainingLab() {
         try {
             const res = await fetch(`${API_URL}/v1/admin/training/apply-suggestions`, {
                 method: 'POST',
-                headers: { 'Authorization': `Bearer ${apiKey}`, 'Content-Type': 'application/json' },
+                headers: ah(token!, selectedOrgId!),
                 body: JSON.stringify({ suggestions: payload })
             });
             if (res.status === 401) return logout();
@@ -134,7 +133,7 @@ export default function TrainingLab() {
         try {
             const res = await fetch(`${API_URL}/v1/admin/training/recalculate-wer`, {
                 method: 'POST',
-                headers: { 'Authorization': `Bearer ${apiKey}` }
+                headers: ah(token!, selectedOrgId!)
             });
             if (res.status === 401) return logout();
             const json = await res.json();

apps/admin/src/pages/UserListPage.tsx

@@ -2,10 +2,10 @@ import { useEffect, useState } from 'react';
 import { X, Building2, Loader2 } from 'lucide-react';
 import { useAuth } from '../lib/auth';
 import { useTenant } from '../lib/tenant';
-import { API_URL } from '../lib/api';
+import { API_URL, ah } from '../lib/api';
 
 export default function UserListPage() {
-    const { apiKey } = useAuth();
+    const { token } = useAuth();
     const { selectedOrgId } = useTenant();
     const [users, setUsers] = useState<any[]>([]); 
     const [total, setTotal] = useState(0); 
@@ -14,11 +14,7 @@ export default function UserListPage() {
     const [messages, setMessages] = useState<any[]>([]); 
     const [loadingMsg, setLoadingMsg] = useState(false);
 
-    const ah = (k: string) => ({ 
-        'Authorization': `Bearer ${k}`, 
-        'Content-Type': 'application/json',
-        ...(selectedOrgId ? { 'x-organization-id': selectedOrgId } : {})
-    });
+
 
     useEffect(() => { 
         if (!selectedOrgId) {
@@ -26,20 +22,20 @@ export default function UserListPage() {
             return;
         }
         setLoading(true);
-        fetch(`${API_URL}/v1/admin/users`, { headers: ah(apiKey!) })
+        fetch(`${API_URL}/v1/admin/users`, { headers: ah(token!, selectedOrgId) })
             .then(r => r.json())
             .then(d => { 
                 setUsers(d.users || d); 
                 setTotal(d.total || 0); 
                 setLoading(false); 
             }); 
-    }, [apiKey, selectedOrgId]);
+    }, [token, selectedOrgId]);
 
     const viewMessages = async (userId: string) => {
         setLoadingMsg(true); 
         setSelectedUser({ id: userId });
         try {
-            const res = await fetch(`${API_URL}/v1/admin/users/${userId}/messages`, { headers: ah(apiKey!) });
+            const res = await fetch(`${API_URL}/v1/admin/users/${userId}/messages`, { headers: ah(token!, selectedOrgId) });
             const data = await res.json();
             setSelectedUser(data.user);
             setMessages(data.messages || []);

apps/api/package.json

@@ -15,6 +15,7 @@
         "@bull-board/api": "^7.0.0",
         "@bull-board/fastify": "^7.0.0",
         "@fastify/cors": "^8.0.0",
+        "@fastify/jwt": "^10.0.0",
         "@fastify/multipart": "^10.0.0",
         "@fastify/rate-limit": "^9.1.0",
         "@fastify/static": "^9.1.3",
@@ -23,7 +24,9 @@
         "@repo/database": "workspace:*",
         "@repo/prompts": "workspace:*",
         "@repo/shared-types": "workspace:*",
+        "@types/bcrypt": "^6.0.0",
         "axios": "^1.13.5",
+        "bcrypt": "^6.0.0",
         "bullmq": "^5.1.0",
         "diff": "^8.0.3",
         "dotenv": "^16.6.1",

apps/api/src/index.ts

@@ -6,6 +6,7 @@ import Fastify from 'fastify';
 import fastifyStatic from '@fastify/static';
 import fastifyMultipart from '@fastify/multipart';
 import fastifyRateLimit from '@fastify/rate-limit';
+import fastifyJwt from '@fastify/jwt';
 import cors from '@fastify/cors';
 import { whatsappRoutes } from './routes/whatsapp';
 import { adminRoutes } from './routes/admin';
@@ -24,6 +25,11 @@ declare module 'fastify' {
     }
     interface FastifyRequest {
         rawBody?: Buffer;
+        user: {
+            id: string;
+            organizationId: string;
+            role: 'STUDENT' | 'ORG_MEMBER' | 'ORG_ADMIN' | 'SUPER_ADMIN' | 'ADMIN';
+        };
     }
     interface FastifyContextConfig {
         requireAuth?: boolean;
@@ -34,7 +40,7 @@ declare module 'fastify' {
 // ── Fail-fast: check critical secrets on startup ───────────────────────────────
 // Only WHATSAPP_VERIFY_TOKEN is strictly needed at startup (for Meta webhook validation).
 // All other secrets are validated lazily (guarded routes return 503 if missing).
-const REQUIRED_ENV = ['WHATSAPP_VERIFY_TOKEN'];
+const REQUIRED_ENV = ['WHATSAPP_VERIFY_TOKEN', 'JWT_SECRET'];
 const WARN_ENV = ['ADMIN_API_KEY', 'WHATSAPP_APP_SECRET'];
 
 for (const key of REQUIRED_ENV) {
@@ -60,6 +66,11 @@ const server = Fastify({
 // ── CORS ───────────────────────────────────────────────────────────────────────
 server.register(cors);
 
+// ── JWT ────────────────────────────────────────────────────────────────────────
+server.register(fastifyJwt, {
+    secret: process.env.JWT_SECRET || 'dev-secret-keep-it-secret-keep-it-safe'
+});
+
 // ── Static & Multipart ────────────────────────────────────────────────────────
 server.register(fastifyStatic, {
     root: '/tmp',
@@ -89,48 +100,69 @@ async function setupRateLimit() {
     logger.info('[RATE-LIMIT] Global rate limiting enabled (100 req / 15 min)');
 }
 
+import { authRoutes } from './routes/auth';
+
 // ── Public Routes (no auth) ────────────────────────────────────────────────────
+server.register(authRoutes, { prefix: '/v1/auth' });
 server.register(whatsappRoutes, { prefix: '/v1/whatsapp' });
 server.register(studentRoutes, { prefix: '/v1/student' });
 
 // ── Stripe Webhook (public — Stripe can't send API Key, verified by signature) ─
 server.register(stripeWebhookRoute, { prefix: '/v1/payments' });
 
-// ── Private Routes (require ADMIN_API_KEY) ─────────────────────────────────────
+// ── Private Routes (guarded by API Key or JWT) ─────────────────────────────────
 server.register(async function guardedRoutes(scope) {
     scope.addHook('onRequest', async (request, reply) => {
-        // 🚨 CORS FIX: Skip authentication for preflight OPTIONS requests
         if (request.method === 'OPTIONS') return;
 
         const apiKey = process.env.ADMIN_API_KEY;
-
-        if (!apiKey) {
-            request.log.error('ADMIN_API_KEY is not configured!');
-            return reply.code(503).send({ error: 'Service misconfigured' });
-        }
-
         const authHeader = request.headers['authorization'];
+        
         if (!authHeader || !authHeader.startsWith('Bearer ')) {
             return reply.code(401).send({ error: 'Unauthorized', message: 'Missing Authorization header' });
         }
 
         const token = authHeader.slice(7);
-        if (token !== apiKey) {
-            return reply.code(401).send({ error: 'Unauthorized', message: 'Invalid API key' });
+
+        // 1. Try Legacy API Key (Super Admin)
+        if (apiKey && token === apiKey) {
+            request.user = {
+                id: 'super-admin',
+                organizationId: request.headers['x-organization-id'] as string || 'default-org-id',
+                role: 'SUPER_ADMIN'
+            };
+        } 
+        // 2. Try JWT (Organization Admin/Member)
+        else {
+            try {
+                const decoded = await request.jwtVerify() as any;
+                request.user = decoded;
+            } catch (err) {
+                return reply.code(401).send({ error: 'Unauthorized', message: 'Invalid token or API key' });
+            }
         }
 
-        // 🏢 Multi-Tenant Context Injection
-        const orgId = request.headers['x-organization-id'] as string;
+        // 🏢 Multi-Tenant Enforcement
+        const requestedOrgId = request.headers['x-organization-id'] as string;
         
-        // Routes that REQUIRE an organization context
+        // Ensure requested Org matches User's Org (unless Super Admin)
+        if (request.user.role !== 'SUPER_ADMIN' && requestedOrgId && requestedOrgId !== request.user.organizationId) {
+            return reply.code(403).send({ error: 'Forbidden', message: 'You do not have access to this organization' });
+        }
+
+        // Auto-inject OrgId into request if missing and available in token
+        if (!requestedOrgId && request.user.organizationId) {
+            request.headers['x-organization-id'] = request.user.organizationId;
+        }
+
+        // Final check for routes requiring an organization
         const isOrgIndependentRoute = request.url.startsWith('/v1/organizations') || request.url.startsWith('/v1/internal');
-        
-        if (!orgId && !isOrgIndependentRoute) {
-            return reply.code(400).send({ error: 'Bad Request', message: 'Missing x-organization-id header' });
+        if (!request.headers['x-organization-id'] && !isOrgIndependentRoute) {
+            return reply.code(400).send({ error: 'Bad Request', message: 'Missing organization context' });
         }
 
-        if (orgId) {
-            request.log.info(`[CONTEXT] Setting Organization Context: ${orgId}`);
+        if (request.headers['x-organization-id']) {
+            request.log.info(`[CONTEXT] Setting Organization Context: ${request.headers['x-organization-id']}`);
         }
     });
 

apps/api/src/routes/auth.ts

@@ -0,0 +1,76 @@
+import { FastifyInstance } from 'fastify';
+import { z } from 'zod';
+import { AuthService } from '../services/auth';
+import { logger } from '../logger';
+
+export async function authRoutes(fastify: FastifyInstance) {
+    
+    // Login with Email/Password
+    fastify.post('/login', {
+        schema: {
+            body: z.object({
+                email: z.string().email(),
+                password: z.string()
+            })
+        }
+    }, async (request, reply) => {
+        const { email, password } = request.body as any;
+
+        const user = await AuthService.findUserByEmail(email);
+        
+        if (!user || !user.passwordHash) {
+            return reply.code(401).send({ error: 'Unauthorized', message: 'Invalid email or password' });
+        }
+
+        const isValid = await AuthService.verifyPassword(password, user.passwordHash);
+        if (!isValid) {
+            return reply.code(401).send({ error: 'Unauthorized', message: 'Invalid email or password' });
+        }
+
+        // Generate JWT
+        const token = fastify.jwt.sign({
+            id: user.id,
+            organizationId: user.organizationId,
+            role: user.role
+        });
+
+        logger.info(`[AUTH] User ${email} logged in successfully for org ${user.organization?.name}`);
+
+        return {
+            token,
+            user: {
+                id: user.id,
+                name: user.name,
+                email: user.email,
+                role: user.role,
+                organizationId: user.organizationId,
+                organization: user.organization
+            }
+        };
+    });
+
+    // Get current user profile (guarded by JWT)
+    fastify.get('/me', async (request, reply) => {
+        const { id } = request.user;
+        
+        const user = await fastify.prisma.user.findUnique({
+            where: { id },
+            include: { organization: true }
+        });
+
+        if (!user) {
+            return reply.code(404).send({ error: 'Not Found', message: 'User not found' });
+        }
+
+        return {
+            user: {
+                id: user.id,
+                name: user.name,
+                email: user.email,
+                role: user.role,
+                organizationId: user.organizationId,
+                organization: user.organization
+            }
+        };
+    });
+}

apps/api/src/routes/organizations.ts

@@ -2,8 +2,11 @@ import { FastifyInstance } from 'fastify';
 import { prisma } from '../services/prisma';
 import { z } from 'zod';
 import { logger } from '../logger';
-import { invalidateOrganizationCache } from '../services/organization';
-import { FlowConfigSchema, encrypt, decrypt } from '@repo/shared-types';
+import { scheduleEmail } from '../services/queue';
+import { decryptSecrets, encryptSecrets, invalidateOrganizationCache } from '../services/organization';
+import { FlowConfigSchema, OrganizationSchema, encrypt, decrypt } from '@repo/shared-types';
+import { AuthService } from '../services/auth';
+import { EmailService } from '../services/email';
 
 const ENCRYPTION_SECRET = process.env.ENCRYPTION_SECRET || 'default-secret-at-least-32-chars-long-!!!';
 
@@ -23,22 +26,10 @@ function decryptSecrets(org: any) {
     return org;
 }
 
-const OrganizationSchema = z.object({
-    name: z.string().min(1),
-    contactEmail: z.string().email().optional(),
-    customPrompt: z.string().optional(),
-    mode: z.enum(['EDTECH', 'WEBHOOK', 'AI_AGENT']).optional(),
-    flowConfig: FlowConfigSchema.optional(),
-    webhookUrl: z.string().url().optional().or(z.literal('')),
-    webhookSecret: z.string().optional(),
-    knowledgeBaseUrl: z.string().url().optional().or(z.literal('')),
-    systemUserToken: z.string().optional(),
-    brandingData: z.any().optional(),
-    contractSigned: z.boolean().optional(),
-    contractSignedAt: z.string().optional(),
-    contractSignerName: z.string().optional(),
-    metaVerificationStatus: z.string().optional(),
-    dailyMessageLimit: z.number().optional()
+const OrganizationCreationSchema = OrganizationSchema.extend({
+    slug: z.string().min(3).regex(/^[a-z0-9-]+$/),
+    adminEmail: z.string().email(),
+    adminName: z.string().min(2)
 });
 
 const PersonalityConfigSchema = z.object({
@@ -75,16 +66,61 @@ export async function organizationRoutes(fastify: FastifyInstance) {
         return decryptSecrets(org);
     });
 
-    // 3. Create a new organization
+    // 3. Create a new organization + First Admin
     fastify.post('/', async (req, reply) => {
-        const body = OrganizationSchema.safeParse(req.body);
+        const body = OrganizationCreationSchema.safeParse(req.body);
         if (!body.success) return reply.code(400).send({ error: body.error.flatten() });
         
-        const data = encryptSecrets(body.data);
-        const org = await prisma.organization.create({
-            data
+        const { adminEmail, adminName, slug, ...orgData } = body.data;
+
+        // Check if slug already exists
+        const existing = await prisma.organization.findUnique({ where: { slug } });
+        if (existing) return reply.code(400).send({ error: 'Slug already taken' });
+
+        const data = encryptSecrets(orgData);
+        
+        // Use a transaction to ensure both Org and User are created
+        const result = await prisma.$transaction(async (tx) => {
+            const org = await tx.organization.create({
+                data: { ...data, slug }
+            });
+
+            // Temporary password (user will reset it)
+            const tempPassword = Math.random().toString(36).slice(-10);
+            const passwordHash = await AuthService.hashPassword(tempPassword);
+
+            const user = await tx.user.create({
+                data: {
+                    email: adminEmail,
+                    name: adminName,
+                    passwordHash,
+                    role: 'ORG_ADMIN',
+                    organizationId: org.id
+                }
+            });
+
+            return { org, user, tempPassword };
+        });
+
+        // Send Welcome Email (async via BullMQ)
+        const loginUrl = `https://${slug}.xamle.studio/login`;
+        const resetUrl = `https://${slug}.xamle.studio/reset-password`;
+        
+        await scheduleEmail({
+            to: adminEmail,
+            subject: `Bienvenue chez Xamlé Studio - ${result.org.name}`,
+            params: { name: adminName, organizationName: result.org.name, loginUrl, resetUrl },
+            templateId: 1 // We'll handle mapping in the worker
+        });
+
+        return reply.code(201).send({
+            organization: decryptSecrets(result.org),
+            admin: {
+                id: result.user.id,
+                email: result.user.email,
+                tempPassword: result.tempPassword // We show it once in the response for convenience
+            }
         });
-        return reply.code(201).send(decryptSecrets(org));
     });
 
     // 4. Update organization (Branding, Prompt, etc.)

apps/api/src/services/auth.ts

@@ -0,0 +1,42 @@
+import bcrypt from 'bcrypt';
+import { prisma } from './prisma';
+import { logger } from '../logger';
+
+const SALT_ROUNDS = 10;
+
+export class AuthService {
+    /**
+     * Hashes a password using bcrypt.
+     */
+    static async hashPassword(password: string): Promise<string> {
+        return bcrypt.hash(password, SALT_ROUNDS);
+    }
+
+    /**
+     * Compares a plaintext password with a hashed password.
+     */
+    static async verifyPassword(password: string, hash: string): Promise<boolean> {
+        return bcrypt.compare(password, hash);
+    }
+
+    /**
+     * Finds a user by email and includes organization context.
+     */
+    static async findUserByEmail(email: string) {
+        return prisma.user.findUnique({
+            where: { email },
+            include: { organization: true }
+        });
+    }
+
+    /**
+     * Checks if a user is allowed to access an organization.
+     */
+    static isUserAllowedInOrg(user: any, targetOrgId: string): boolean {
+        // Super admin can access anything
+        if (user.role === 'SUPER_ADMIN') return true;
+        
+        // Org Admin/Member must match the ID
+        return user.organizationId === targetOrgId;
+    }
+}

apps/api/src/services/email.ts

@@ -0,0 +1,82 @@
+import axios from 'axios';
+import { logger } from '../logger';
+
+const BREVO_API_KEY = process.env.BREVO_API_KEY;
+const BREVO_API_URL = 'https://api.brevo.com/v3/smtp/email';
+
+export class EmailService {
+    static async sendWelcomeEmail(to: string, name: string, organizationName: string, loginUrl: string, passwordResetUrl: string) {
+        if (!BREVO_API_KEY) {
+            logger.warn('[EMAIL] BREVO_API_KEY not found. Skipping email sending.');
+            return;
+        }
+
+        try {
+            const response = await axios.post(
+                BREVO_API_URL,
+                {
+                    sender: { name: 'Xamlé Studio', email: 'contact@xamle.studio' },
+                    to: [{ email: to, name }],
+                    subject: `Bienvenue chez Xamlé Studio - ${organizationName}`,
+                    htmlContent: `
+                        <div style="font-family: sans-serif; max-width: 600px; margin: auto; padding: 20px; border: 1px solid #eee; border-radius: 10px;">
+                            <h2 style="color: #1e293b;">Bienvenue, ${name} !</h2>
+                            <p>Votre espace pour <strong>${organizationName}</strong> a été créé avec succès.</p>
+                            <p>Vous pouvez vous connecter à votre tableau de bord en cliquant sur le bouton ci-dessous :</p>
+                            <a href="${loginUrl}" style="display: inline-block; padding: 12px 24px; background-color: #059669; color: white; text-decoration: none; border-radius: 8px; font-weight: bold; margin: 20px 0;">Accéder au Dashboard</a>
+                            <p>Pour des raisons de sécurité, nous vous recommandons de configurer votre mot de passe immédiatement via ce lien :</p>
+                            <a href="${passwordResetUrl}">${passwordResetUrl}</a>
+                            <p style="color: #64748b; font-size: 0.875rem; margin-top: 40px;">L'équipe Xamlé Studio</p>
+                        </div>
+                    `
+                },
+                {
+                    headers: {
+                        'api-key': BREVO_API_KEY,
+                        'Content-Type': 'application/json'
+                    }
+                }
+            );
+
+            logger.info(`[EMAIL] Welcome email sent to ${to} (Brevo ID: ${response.data.messageId})`);
+        } catch (error: any) {
+            logger.error(`[EMAIL] Failed to send welcome email to ${to}: ${error.response?.data?.message || error.message}`);
+        }
+    }
+
+    static async sendInvitationEmail(to: string, invitedBy: string, organizationName: string, joinUrl: string) {
+        if (!BREVO_API_KEY) {
+            logger.warn('[EMAIL] BREVO_API_KEY not found. Skipping email sending.');
+            return;
+        }
+
+        try {
+            await axios.post(
+                BREVO_API_URL,
+                {
+                    sender: { name: 'Xamlé Studio', email: 'contact@xamle.studio' },
+                    to: [{ email: to }],
+                    subject: `${invitedBy} vous invite à rejoindre ${organizationName}`,
+                    htmlContent: `
+                        <div style="font-family: sans-serif; max-width: 600px; margin: auto; padding: 20px; border: 1px solid #eee; border-radius: 10px;">
+                            <h2 style="color: #1e293b;">Rejoignez votre équipe !</h2>
+                            <p><strong>${invitedBy}</strong> vous a invité à collaborer sur l'espace <strong>${organizationName}</strong>.</p>
+                            <p>Cliquez ci-dessous pour activer votre compte :</p>
+                            <a href="${joinUrl}" style="display: inline-block; padding: 12px 24px; background-color: #059669; color: white; text-decoration: none; border-radius: 8px; font-weight: bold; margin: 20px 0;">Rejoindre l'équipe</a>
+                            <p style="color: #64748b; font-size: 0.875rem; margin-top: 40px;">L'équipe Xamlé Studio</p>
+                        </div>
+                    `
+                },
+                {
+                    headers: {
+                        'api-key': BREVO_API_KEY,
+                        'Content-Type': 'application/json'
+                    }
+                }
+            );
+            logger.info(`[EMAIL] Invitation sent to ${to}`);
+        } catch (error: any) {
+            logger.error(`[EMAIL] Failed to send invitation to ${to}: ${error.response?.data?.message || error.message}`);
+        }
+    }
+}

apps/api/src/services/queue.ts

@@ -14,6 +14,21 @@ const connection = process.env.REDIS_URL
     });
 
 export const whatsappQueue = new Queue('whatsapp-queue', { connection: connection as any });
+export const notificationQueue = new Queue('notification-queue', { connection: connection as any });
+
+/** Schedule an email notification */
+export async function scheduleEmail(payload: { 
+    to: string, 
+    subject: string, 
+    templateId?: number, 
+    params?: Record<string, any>,
+    htmlContent?: string 
+}) {
+    await notificationQueue.add('send-email', payload, {
+        attempts: 3,
+        backoff: { type: 'exponential', delay: 1000 }
+    });
+}
 
 // ─── Time-Travel Context (Redis overlay for historical lesson replay) ────────
 export const redis = connection; // Shared connection for time-travel ops

apps/whatsapp-worker/src/handlers/EmailHandler.ts

@@ -0,0 +1,25 @@
+import { Job } from 'bullmq';
+import { JobHandler } from './types';
+import { logger } from '../logger';
+import { EmailService } from '../services/email';
+
+export class EmailHandler implements JobHandler {
+    async handle(job: Job<any>): Promise<void> {
+        const { to, subject, params, templateId, htmlContent } = job.data;
+        
+        logger.info(`[EMAIL_HANDLER] Processing email for ${to}`);
+
+        if (htmlContent) {
+            await EmailService.sendEmail({ to, subject, htmlContent });
+            return;
+        }
+
+        // Handle specific templates
+        if (templateId === 1) { // Welcome Email
+            const { name, organizationName, loginUrl, resetUrl } = params;
+            await EmailService.sendWelcomeEmail(to, name, organizationName, loginUrl, resetUrl);
+        } else {
+            logger.warn(`[EMAIL_HANDLER] Unknown templateId: ${templateId}`);
+        }
+    }
+}

apps/whatsapp-worker/src/index.ts

@@ -24,6 +24,7 @@ import { EnrollHandler } from './handlers/EnrollHandler';
 import { InboundHandler } from './handlers/InboundHandler';
 import { WebhookHandler } from './handlers/WebhookHandler';
 import { KBProcessor } from './handlers/KBProcessor';
+import { EmailHandler } from './handlers/EmailHandler';
 import { UsageService } from './services/usage';
 
 dotenv.config();
@@ -59,7 +60,8 @@ const handlers: Record<string, JobHandler> = {
     'enroll-user': new EnrollHandler(),
     'handle-inbound': new InboundHandler(),
     'send-webhook': new WebhookHandler(),
-    'process-kb': new KBProcessor()
+    'process-kb': new KBProcessor(),
+    'send-email': new EmailHandler()
 };
 
 // ─── HTTP SERVER (Inbound Bridge) ─────────────────────────────────────────────
@@ -208,3 +210,29 @@ worker.on('completed', job => {
 worker.on('failed', (job, err) => {
     logger.error(`[WORKER] Job ${job?.id} failed: ${err.message}`);
 });
+
+const notificationWorker = new Worker('notification-queue', async (job: Job<any>) => {
+    logger.info(`[NOTIFICATION_WORKER] Processing job: ${job.name} (${job.id})`);
+    try {
+        const handler = handlers[job.name];
+        if (handler) {
+            await handler.handle(job, connection);
+        } else {
+            logger.warn(`[NOTIFICATION_WORKER] No handler found for job name: ${job.name}`);
+        }
+    } catch (err) {
+        logger.error(`[NOTIFICATION_WORKER] Job ${job.id} failed:`, err);
+        throw err;
+    }
+}, { 
+    connection: connection as any,
+    concurrency: 2
+});
+
+notificationWorker.on('completed', job => {
+    logger.info(`[NOTIFICATION_WORKER] Job ${job.id} has completed!`);
+});
+
+notificationWorker.on('failed', (job, err) => {
+    logger.error(`[NOTIFICATION_WORKER] Job ${job?.id} failed: ${err?.message}`);
+});

apps/whatsapp-worker/src/services/email.ts

@@ -0,0 +1,53 @@
+import axios from 'axios';
+import { logger } from '../logger';
+
+const BREVO_API_KEY = process.env.BREVO_API_KEY;
+const BREVO_API_URL = 'https://api.brevo.com/v3/smtp/email';
+
+export class EmailService {
+    static async sendEmail(payload: { to: string, subject: string, htmlContent: string }) {
+        if (!BREVO_API_KEY) {
+            logger.warn('[EMAIL] BREVO_API_KEY not found. Skipping email sending.');
+            return;
+        }
+
+        try {
+            const response = await axios.post(
+                BREVO_API_URL,
+                {
+                    sender: { name: 'Xamlé Studio', email: 'contact@xamle.studio' },
+                    to: [{ email: payload.to }],
+                    subject: payload.subject,
+                    htmlContent: payload.htmlContent
+                },
+                {
+                    headers: {
+                        'api-key': BREVO_API_KEY,
+                        'Content-Type': 'application/json'
+                    }
+                }
+            );
+
+            logger.info(`[EMAIL] Email sent to ${payload.to} (Brevo ID: ${response.data.messageId})`);
+        } catch (error: any) {
+            logger.error(`[EMAIL] Failed to send email to ${payload.to}: ${error.response?.data?.message || error.message}`);
+            throw error; // Re-throw to trigger BullMQ retry
+        }
+    }
+
+    /** Helper for welcome email */
+    static async sendWelcomeEmail(to: string, name: string, organizationName: string, loginUrl: string, passwordResetUrl: string) {
+        const html = `
+            <div style="font-family: sans-serif; max-width: 600px; margin: auto; padding: 20px; border: 1px solid #eee; border-radius: 10px;">
+                <h2 style="color: #1e293b;">Bienvenue, ${name} !</h2>
+                <p>Votre espace pour <strong>${organizationName}</strong> a été créé avec succès.</p>
+                <p>Vous pouvez vous connecter à votre tableau de bord en cliquant sur le bouton ci-dessous :</p>
+                <a href="${loginUrl}" style="display: inline-block; padding: 12px 24px; background-color: #059669; color: white; text-decoration: none; border-radius: 8px; font-weight: bold; margin: 20px 0;">Accéder au Dashboard</a>
+                <p>Pour des raisons de sécurité, nous vous recommandons de configurer votre mot de passe immédiatement via ce lien :</p>
+                <a href="${passwordResetUrl}">${passwordResetUrl}</a>
+                <p style="color: #64748b; font-size: 0.875rem; margin-top: 40px;">L'équipe Xamlé Studio</p>
+            </div>
+        `;
+        await this.sendEmail({ to, subject: `Bienvenue chez Xamlé Studio - ${organizationName}`, htmlContent: html });
+    }
+}

apps/whatsapp-worker/src/services/whatsapp-logic.ts

@@ -45,7 +45,9 @@ export class WhatsAppLogic {
         logger.info(`${traceId} Orchestrating Inbound: ${normalizedText}`);
 
         // 1. Find User, Enrollment & Organization
-        const user = await prisma.user.findUnique({ where: { phone } });
+        const user = await prisma.user.findFirst({ 
+            where: { phone, organizationId } 
+        });
         const activeEnrollment = user ? await prisma.enrollment.findFirst({
             where: { userId: user.id, status: 'ACTIVE' },
             include: { track: true }

packages/database/prisma/schema.prisma

@@ -8,81 +8,88 @@ datasource db {
 }
 
 model Organization {
-  id              String                @id @default(uuid())
-  name            String
-  wabaId          String?               @unique
-  systemUserToken String?
-  mode            OrganizationMode      @default(EDTECH)
-  flowConfig      Json?                 // Dynamic menus and routing for EDTECH mode
-  webhookUrl      String?               // Destination for WEBHOOK mode
-  webhookSecret   String?               // Secret for WEBHOOK mode
-  knowledgeBaseUrl String?              // PDF/Doc link for AI_AGENT mode
-  customPrompt    String?               @db.Text
-  personalityConfig Json?               // Dynamic personality variables
-  brandingData    Json?
-  stripeCustomerId String?
-  subscriptionStatus String?              @default("ACTIVE") // PENDING, ACTIVE, CANCELED, PAST_DUE
-  createdAt       DateTime              @default(now())
-  updatedAt       DateTime              @updatedAt
-  users           User[]
-  tracks          Track[]
-  phoneNumbers    WhatsAppPhoneNumber[]
-  enrollments     Enrollment[]
-  messages        Message[]
-  payments        Payment[]
-  responses       Response[]
-  progress        UserProgress[]
-  trackDays       TrackDay[]
-  businessProfiles BusinessProfile[]
-  teamMembers     TeamMember[]
-  userBadges      UserBadge[]
-  kbEntries       KnowledgeBaseEntry[]
+  id                 String                @id @default(uuid())
+  name               String
+  wabaId             String?               @unique
+  systemUserToken    String?
+  createdAt          DateTime              @default(now())
+  updatedAt          DateTime              @updatedAt
+  slug               String?               @unique // For subdomains like polytech.xamle.studio
+  brandingData       Json?
+  customPrompt       String?
+  personalityConfig  Json?
+  flowConfig         Json?
+  knowledgeBaseUrl   String?
+  mode               OrganizationMode      @default(EDTECH)
+  webhookSecret      String?
+  webhookUrl         String?
+  stripeCustomerId   String?
+  subscriptionStatus String?               @default("ACTIVE")
+  businessProfiles   BusinessProfile[]
+  enrollments        Enrollment[]
+  kbEntries          KnowledgeBaseEntry[]
+  messages           Message[]
+  payments           Payment[]
+  responses          Response[]
+  teamMembers        TeamMember[]
+  tracks             Track[]
+  trackDays          TrackDay[]
+  users              User[]
+  userBadges         UserBadge[]
+  progress           UserProgress[]
+  phoneNumbers       WhatsAppPhoneNumber[]
 }
 
 model KnowledgeBaseEntry {
-  id             String       @id @default(uuid())
+  id             String                 @id @default(uuid())
   organizationId String
-  content        String       @db.Text
-  embedding      Unsupported("vector(1536)")? // 1536 for OpenAI embeddings
+  content        String
+  embedding      Unsupported("vector")?
   metadata       Json?
-  organization   Organization @relation(fields: [organizationId], references: [id])
-  createdAt      DateTime     @default(now())
+  createdAt      DateTime               @default(now())
+  organization   Organization           @relation(fields: [organizationId], references: [id])
 
   @@index([organizationId])
 }
 
 model WhatsAppPhoneNumber {
-  id             String       @id // Meta phone_number_id
+  id             String       @id
   displayPhone   String
   organizationId String
-  organization   Organization @relation(fields: [organizationId], references: [id])
   createdAt      DateTime     @default(now())
   updatedAt      DateTime     @updatedAt
+  organization   Organization @relation(fields: [organizationId], references: [id])
 }
 
 model User {
   id              String           @id @default(uuid())
-  phone           String           @unique
+  phone           String?          // Made optional for Email-based admins
   name            String?
   role            Role             @default(STUDENT)
   language        Language         @default(FR)
   city            String?
   activity        String?
-  organizationId  String           @default("default-org-id")
   createdAt       DateTime         @default(now())
   updatedAt       DateTime         @updatedAt
+  email           String?          
+  passwordHash    String?
   currentStreak   Int              @default(0)
   longestStreak   Int              @default(0)
   lastActivityAt  DateTime?
+  organizationId  String           @default("default-org-id")
   businessProfile BusinessProfile?
-  organization    Organization     @relation(fields: [organizationId], references: [id])
   enrollments     Enrollment[]
   messages        Message[]
   payments        Payment[]
   responses       Response[]
+  organization    Organization     @relation(fields: [organizationId], references: [id])
   progress        UserProgress[]
 
+  @@unique([phone, organizationId])
+  @@unique([email, organizationId])
   @@index([organizationId])
+  @@index([phone])
+  @@index([email])
 }
 
 model BusinessProfile {
@@ -101,13 +108,13 @@ model BusinessProfile {
   financialProjections Json?
   fundingAsk           String?
   lastUpdatedFromDay   Int          @default(0)
-  organizationId       String       @default("default-org-id")
   createdAt            DateTime     @default(now())
   updatedAt            DateTime     @updatedAt
   teamMembers          Json?        @map("teamMembers")
-  teamMembersList      TeamMember[]
-  user                 User         @relation(fields: [userId], references: [id])
+  organizationId       String       @default("default-org-id")
   organization         Organization @relation(fields: [organizationId], references: [id])
+  user                 User         @relation(fields: [userId], references: [id])
+  teamMembersList      TeamMember[]
 
   @@index([organizationId])
 }
@@ -134,12 +141,12 @@ model Track {
   isPremium      Boolean        @default(false)
   priceAmount    Int?
   stripePriceId  String?
-  organizationId String         @default("default-org-id")
   createdAt      DateTime       @default(now())
   updatedAt      DateTime       @updatedAt
-  organization   Organization   @relation(fields: [organizationId], references: [id])
+  organizationId String         @default("default-org-id")
   enrollments    Enrollment[]
   payments       Payment[]
+  organization   Organization   @relation(fields: [organizationId], references: [id])
   days           TrackDay[]
   progress       UserProgress[]
 
@@ -163,11 +170,11 @@ model TrackDay {
   exerciseCriteria  Json?
   badges            Json?
   unlockCondition   String?
-  organizationId    String       @default("default-org-id")
   createdAt         DateTime     @default(now())
   updatedAt         DateTime     @updatedAt
-  track             Track        @relation(fields: [trackId], references: [id])
+  organizationId    String       @default("default-org-id")
   organization      Organization @relation(fields: [organizationId], references: [id])
+  track             Track        @relation(fields: [trackId], references: [id])
 
   @@index([organizationId])
 }
@@ -180,17 +187,17 @@ model UserProgress {
   lastInteraction    DateTime       @default(now())
   exerciseStatus     ExerciseStatus @default(PENDING)
   badges             Json?          @map("badges")
-  userBadges         UserBadge[]
   behavioralScoring  Json?
   confidenceScore    Float?
   adminTranscription String?
   overrideAudioUrl   String?
   reviewedBy         String?
-  organizationId     String         @default("default-org-id")
   createdAt          DateTime       @default(now())
   updatedAt          DateTime       @updatedAt
   iterationCount     Int            @default(0)
   aiSource           String?
+  organizationId     String         @default("default-org-id")
+  userBadges         UserBadge[]
   organization       Organization   @relation(fields: [organizationId], references: [id])
   track              Track          @relation(fields: [trackId], references: [id])
   user               User           @relation(fields: [userId], references: [id])
@@ -224,9 +231,9 @@ model Response {
   dayNumber      Int
   content        String?
   mediaUrl       String?
-  organizationId String       @default("default-org-id")
   createdAt      DateTime     @default(now())
   aiSource       String?
+  organizationId String       @default("default-org-id")
   enrollment     Enrollment   @relation(fields: [enrollmentId], references: [id], onDelete: Cascade)
   organization   Organization @relation(fields: [organizationId], references: [id])
   user           User         @relation(fields: [userId], references: [id])
@@ -242,8 +249,8 @@ model Message {
   content        String?
   mediaUrl       String?
   payload        Json?
-  organizationId String       @default("default-org-id")
   createdAt      DateTime     @default(now())
+  organizationId String       @default("default-org-id")
   organization   Organization @relation(fields: [organizationId], references: [id])
   user           User         @relation(fields: [userId], references: [id])
 
@@ -259,9 +266,9 @@ model Payment {
   currency        String        @default("XOF")
   status          PaymentStatus @default(PENDING)
   stripeSessionId String?       @unique
-  organizationId  String        @default("default-org-id")
   createdAt       DateTime      @default(now())
   updatedAt       DateTime      @updatedAt
+  organizationId  String        @default("default-org-id")
   organization    Organization  @relation(fields: [organizationId], references: [id])
   track           Track         @relation(fields: [trackId], references: [id])
   user            User          @relation(fields: [userId], references: [id])
@@ -281,9 +288,24 @@ model TrainingData {
   updatedAt        DateTime       @updatedAt
 }
 
+model UserBadge {
+  id             String       @id @default(uuid())
+  userProgressId String
+  name           String
+  earnedAt       DateTime     @default(now())
+  organizationId String       @default("default-org-id")
+  organization   Organization @relation(fields: [organizationId], references: [id])
+  userProgress   UserProgress @relation(fields: [userProgressId], references: [id], onDelete: Cascade)
+
+  @@index([organizationId])
+}
+
 enum Role {
   STUDENT
   ADMIN
+  ORG_MEMBER
+  ORG_ADMIN
+  SUPER_ADMIN
 }
 
 enum OrganizationMode {
@@ -341,15 +363,3 @@ enum TrainingStatus {
   REVIEWED
   IGNORED
 }
-
-model UserBadge {
-  id             String       @id @default(uuid())
-  userProgressId String
-  name           String
-  earnedAt       DateTime     @default(now())
-  organizationId String       @default("default-org-id")
-  userProgress   UserProgress @relation(fields: [userProgressId], references: [id], onDelete: Cascade)
-  organization   Organization @relation(fields: [organizationId], references: [id])
-
-  @@index([organizationId])
-}

packages/shared-types/src/index.ts

@@ -1,17 +1,32 @@
 import { z } from 'zod';
 
+export const RoleSchema = z.enum(['STUDENT', 'ADMIN', 'ORG_MEMBER', 'ORG_ADMIN', 'SUPER_ADMIN']);
+export type Role = z.infer<typeof RoleSchema>;
+
 export const UserSchema = z.object({
     id: z.string().uuid(),
-    phone: z.string(),
+    phone: z.string().optional(),
+    email: z.string().email().optional(),
     name: z.string().optional(),
+    role: RoleSchema.default('STUDENT'),
     language: z.enum(['FR', 'WOLOF']).default('FR'),
     city: z.string().optional(),
     activity: z.string().optional(),
+    organizationId: z.string(),
+    organization: z.any().optional(), // Avoid circular dep for now
 });
 
 export type User = z.infer<typeof UserSchema>;
 
-export const CreateUserSchema = UserSchema.pick({ phone: true, name: true, language: true, city: true, activity: true });
+export const CreateUserSchema = UserSchema.pick({ 
+    phone: true, 
+    email: true, 
+    name: true, 
+    language: true, 
+    city: true, 
+    activity: true,
+    organizationId: true 
+});
 export type CreateUserInput = z.infer<typeof CreateUserSchema>;
 
 export const WebhookPayloadSchema = z.object({

packages/shared-types/src/organization.ts

@@ -21,3 +21,23 @@ export const FlowConfigSchema = z.object({
 
 export type FlowConfig = z.infer<typeof FlowConfigSchema>;
 export type Sector = z.infer<typeof SectorSchema>;
+
+export const OrganizationSchema = z.object({
+    name: z.string().min(1),
+    contactEmail: z.string().email().optional(),
+    customPrompt: z.string().optional(),
+    mode: z.enum(['EDTECH', 'WEBHOOK', 'AI_AGENT']).optional(),
+    flowConfig: FlowConfigSchema.optional(),
+    webhookUrl: z.string().url().optional().or(z.literal('')),
+    webhookSecret: z.string().optional(),
+    knowledgeBaseUrl: z.string().url().optional().or(z.literal('')),
+    systemUserToken: z.string().optional(),
+    brandingData: z.any().optional(),
+    contractSigned: z.boolean().optional(),
+    contractSignedAt: z.string().optional(),
+    contractSignerName: z.string().optional(),
+    metaVerificationStatus: z.string().optional(),
+    dailyMessageLimit: z.number().optional()
+});
+
+export type Organization = z.infer<typeof OrganizationSchema>;

pnpm-lock.yaml

@@ -100,6 +100,9 @@ importers:
       '@fastify/cors':
         specifier: ^8.0.0
         version: 8.5.0
+      '@fastify/jwt':
+        specifier: ^10.0.0
+        version: 10.0.0
       '@fastify/multipart':
         specifier: ^10.0.0
         version: 10.0.0
@@ -124,9 +127,15 @@ importers:
       '@repo/shared-types':
         specifier: workspace:*
         version: link:../../packages/shared-types
+      '@types/bcrypt':
+        specifier: ^6.0.0
+        version: 6.0.0
       axios:
         specifier: ^1.13.5
         version: 1.13.5
+      bcrypt:
+        specifier: ^6.0.0
+        version: 6.0.0
       bullmq:
         specifier: ^5.1.0
         version: 5.69.3
@@ -1103,6 +1112,9 @@ packages:
   '@fastify/fast-json-stringify-compiler@4.3.0':
     resolution: {integrity: sha512-aZAXGYo6m22Fk1zZzEUKBvut/CIIQe/BapEORnxiD5Qr0kPHqqI69NtEMCme74h+at72sPhbkb4ZrLd1W3KRLA==}
 
+  '@fastify/jwt@10.0.0':
+    resolution: {integrity: sha512-2Qka3NiyNNcsfejMUvyzot1T4UYIzzcbkFGDdVyrl344fRZ/WkD6VFXOoXhxe2Pzf3LpJNkoSxUM4Ru4DVgkYA==}
+
   '@fastify/merge-json-schemas@0.1.1':
     resolution: {integrity: sha512-fERDVz7topgNjtXsJTTW1JKLy0rhuLRcquYqNR9rF7OcVpCa2OVW49ZPDIhaRRCaUuvVxI+N416xUoF76HNSXA==}
 
@@ -1816,6 +1828,9 @@ packages:
   '@types/babel__traverse@7.28.0':
     resolution: {integrity: sha512-8PvcXf70gTDZBgt9ptxJ8elBeBjcLOAcOtoO/mPJjtji1+CdGbHgm77om1GrsPxsiE+uXIpNSK64UYaIwQXd4Q==}
 
+  '@types/bcrypt@6.0.0':
+    resolution: {integrity: sha512-/oJGukuH3D2+D+3H4JWLaAsJ/ji86dhRidzZ/Od7H/i8g+aCmvkeCc6Ni/f9uxGLSQVCRZkX2/lqEFG2BvWtlQ==}
+
   '@types/chai@5.2.3':
     resolution: {integrity: sha512-Mw558oeA9fFbv65/y4mHtXDs9bPnFMZAL/jxdPFUpOHHIXX91mcgEHbS5Lahr+pwZFR8A7GQleRWeI6cGFC2UA==}
 
@@ -2025,6 +2040,9 @@ packages:
   argparse@2.0.1:
     resolution: {integrity: sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==}
 
+  asn1.js@5.4.1:
+    resolution: {integrity: sha512-+I//4cYPccV8LdmBLiX8CYvf9Sp3vQsrqu2QNXRcrbiWvcx/UdlFiqUJJzxRQxgsZmvhXhn4cSKeSmoFjVdupA==}
+
   assertion-error@1.1.0:
     resolution: {integrity: sha512-jgsaNduz+ndvGyFt3uSuWqvy4lCnIJiovtouQN5JZHOKCS2QuhEdbcQHFhVksz2N2U9hXJo8odG7ETyWlEeuDw==}
 
@@ -2121,10 +2139,17 @@ packages:
     resolution: {integrity: sha512-RkaJzeJKDbaDWTIPiJwubyljaEPwpVWkm9Rt5h9Nd6h7tEXTJ3VB4qxdZBioV7JO5yLUaOKwz7vDOzlncUsegw==}
     engines: {node: '>=10.0.0'}
 
+  bcrypt@6.0.0:
+    resolution: {integrity: sha512-cU8v/EGSrnH+HnxV2z0J7/blxH8gq7Xh2JFT6Aroax7UohdmiJJlxApMxtKfuI7z68NvvVcmR78k2LbT6efhRg==}
+    engines: {node: '>= 18'}
+
   binary-extensions@2.3.0:
     resolution: {integrity: sha512-Ceh+7ox5qe7LJuLHoY0feh3pHuUDHAcRUeyL2VYghZwfpkNIy/+8Ocg0a3UuSoYzavmylwuLWQOf3hl0jjMMIw==}
     engines: {node: '>=8'}
 
+  bn.js@4.12.3:
+    resolution: {integrity: sha512-fGTi3gxV/23FTYdAoUtLYp6qySe2KE3teyZitipKNRuVYcBkoP/bB3guXN/XVKUe9mxCHXnc9C4ocyz8OmgN0g==}
+
   boolbase@1.0.0:
     resolution: {integrity: sha512-JZOSA7Mo9sNGB8+UjSgzdLtokWAky1zbztM3WRLCbZ70/3cTANmQmOdR7y2g+J0e2WXywy1yS468tY+IruqEww==}
 
@@ -2429,6 +2454,9 @@ packages:
     resolution: {integrity: sha512-KIN/nDJBQRcXw0MLVhZE9iQHmG68qAVIBg9CqmUYjmQIhgij9U5MFvrqkUL5FbtyyzZuOeOt0zdeRe4UY7ct+A==}
     engines: {node: '>= 0.4'}
 
+  ecdsa-sig-formatter@1.0.11:
+    resolution: {integrity: sha512-nagl3RYrbNv6kQkeJIpt6NJZy8twLB/2vtz6yN9Z4vRKHN4/QZJIEbqohALSgwKdnksuY3k5Addp5lg8sVoVcQ==}
+
   ejs@5.0.2:
     resolution: {integrity: sha512-IpbUaI/CAW86l3f+T8zN0iggSc0LmMZLcIW5eRVStLVNCoTXkE0YlncbbH50fp8Cl6zHIky0sW2uUbhBqGw0Jw==}
     engines: {node: '>=0.12.18'}
@@ -2575,6 +2603,10 @@ packages:
   fast-json-stringify@5.16.1:
     resolution: {integrity: sha512-KAdnLvy1yu/XrRtP+LJnxbBGrhN+xXu+gt3EUvZhYGKCr3lFHq/7UFJHHFgmJKoqlh6B40bZLEv7w46B0mqn1g==}
 
+  fast-jwt@6.2.2:
+    resolution: {integrity: sha512-lzy+8JVyBOvwxjydFRBKLFVe1elRArL37pHRX1zHPt4T7FP7kNIpqauE1lOjZlD79DBzzRzQmp+28wbsY13weA==}
+    engines: {node: '>=20'}
+
   fast-levenshtein@3.0.0:
     resolution: {integrity: sha512-hKKNajm46uNmTlhHSyZkmToAc56uZJwYq7yrciZjqOxnlfQwERDQJmHPUp7m1m9wx8vgOe8IaCKZ5Kv2k1DdCQ==}
 
@@ -2598,6 +2630,10 @@ packages:
     resolution: {integrity: sha512-eRnCtTTtGZFpQCwhJiUOuxPQWRXVKYDn0b2PeHfXL6/Zi53SLAzAHfVhVWK2AryC/WH05kGfxhFIPvTF0SXQzg==}
     engines: {node: '>= 4.9.1'}
 
+  fastfall@1.5.1:
+    resolution: {integrity: sha512-KH6p+Z8AKPXnmA7+Iz2Lh8ARCMr+8WNPVludm1LGkZoD2MjY6LVnRMtTKhkdzI+jr0RzQWXKzKyBJm1zoHEL4Q==}
+    engines: {node: '>=0.10.0'}
+
   fastify-plugin@4.5.1:
     resolution: {integrity: sha512-stRHYGeuqpEZTL1Ef0Ovr2ltazUT9g844X5z/zEBFLG8RYlpDiOCIG+ATvYEp+/zmc7sN29mcIMp8gvYplYPIQ==}
 
@@ -2607,9 +2643,15 @@ packages:
   fastify@4.29.1:
     resolution: {integrity: sha512-m2kMNHIG92tSNWv+Z3UeTR9AWLLuo7KctC7mlFPtMEVrfjIhmQhkQnT9v15qA/BfVq3vvj134Y0jl9SBje3jXQ==}
 
+  fastparallel@2.4.1:
+    resolution: {integrity: sha512-qUmhxPgNHmvRjZKBFUNI0oZuuH9OlSIOXmJ98lhKPxMZZ7zS/Fi0wRHOihDSz0R1YiIOjxzOY4bq65YTcdBi2Q==}
+
   fastq@1.20.1:
     resolution: {integrity: sha512-GGToxJ/w1x32s/D2EKND7kTil4n8OVk/9mycTc4VDza13lOvpUZTGX3mFSCtV9ksdGBVzvsyAVLM6mHFThxXxw==}
 
+  fastseries@1.7.2:
+    resolution: {integrity: sha512-dTPFrPGS8SNSzAt7u/CbMKCJ3s01N04s4JFbORHcmyvVfVKmbhMD1VtRbh5enGHxkaQDqWyLefiKOGGmohGDDQ==}
+
   fd-slicer@1.1.0:
     resolution: {integrity: sha512-cE1qsB/VwyQozZ+q1dGxR8LBYNZeofhEdUNGSMbQD3Gw2lAzX9Zb3uIU6Ebc/Fmyjo9AWWfnn0AUCHqtevs/8g==}
 
@@ -3034,6 +3076,9 @@ packages:
     resolution: {integrity: sha512-vqiC06CuhBTUdZH+RYl8sFrL096vA45Ok5ISO6sE/Mr1jRbGH4Csnhi8f3wKVl7x8mO4Au7Ir9D3Oyv1VYMFJw==}
     engines: {node: '>=12'}
 
+  minimalistic-assert@1.0.1:
+    resolution: {integrity: sha512-UtJcAD4yEaGtjPezWuO9wC4nwUnVH/8/Im3yEHQP4b67cXlD/Qr9hdITCU1xDbSEXg2XKNaP8jsReV7vQd00/A==}
+
   minimatch@10.2.5:
     resolution: {integrity: sha512-MULkVLfKGYDFYejP07QOurDLLQpcjk7Fw+7jXS2R2czRQzR56yHRveU5NDJEOviH+hETZKSkIk5c+T23GjFUMg==}
     engines: {node: 18 || 20 || >=22}
@@ -3058,6 +3103,9 @@ packages:
   mnemonist@0.39.6:
     resolution: {integrity: sha512-A/0v5Z59y63US00cRSLiloEIw3t5G+MiKz4BhX21FI+YBJXBOGW0ohFxTxO08dsOYlzxo87T7vGfZKYp2bcAWA==}
 
+  mnemonist@0.40.3:
+    resolution: {integrity: sha512-Vjyr90sJ23CKKH/qPAgUKicw/v6pRoamxIEDFOF8uSgFME7DqPRpHgRTejWVjkdGg5dXj0/NyxZHZ9bcjH+2uQ==}
+
   motion-dom@12.38.0:
     resolution: {integrity: sha512-pdkHLD8QYRp8VfiNLb8xIBJis1byQ9gPT3Jnh2jqfFtAsWUA3dEepDlsWe/xMpO8McV+VdpKVcp+E+TGJEtOoA==}
 
@@ -3096,6 +3144,10 @@ packages:
   node-abort-controller@3.1.1:
     resolution: {integrity: sha512-AGK2yQKIjRuqnc6VkX2Xj5d+QW8xZ87pa1UK6yA6ouUyuxfHuMP6umE5QK7UmTeOAymo+Zx1Fxiuw9rVx8taHQ==}
 
+  node-addon-api@8.7.0:
+    resolution: {integrity: sha512-9MdFxmkKaOYVTV+XVRG8ArDwwQ77XIgIPyKASB1k3JPq3M8fGQQQE3YpMOrKm6g//Ktx8ivZr8xo1Qmtqub+GA==}
+    engines: {node: ^18 || ^20 || >= 21}
+
   node-cron@4.2.1:
     resolution: {integrity: sha512-lgimEHPE/QDgFlywTd8yTR61ptugX3Qer29efeyWw2rv259HtGBNn1vZVmp8lB9uo9wC0t/AT4iGqXxia+CJFg==}
     engines: {node: '>=6.0.0'}
@@ -3118,6 +3170,10 @@ packages:
     resolution: {integrity: sha512-s+w+rBWnpTMwSFbaE0UXsRlg7hU4FjekKU4eyAih5T8nJuNZT1nNsskXpxmeqSK9UzkBl6UgRlnKc8hz8IEqOw==}
     hasBin: true
 
+  node-gyp-build@4.8.4:
+    resolution: {integrity: sha512-LA4ZjwlnUblHVgq0oBF3Jl/6h/Nvs5fzBLwdEF4nuxnFdsfajde4WfxtJr3CaiH+F6ewcIB/q4jQ4UzPyid+CQ==}
+    hasBin: true
+
   node-releases@2.0.27:
     resolution: {integrity: sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA==}
 
@@ -3528,6 +3584,10 @@ packages:
     resolution: {integrity: sha512-0f4Memo5QP7WQyUEAYUO3esD/XjOc3Zjjg5CPsAq1p8sIu0XPeMbHJemKA0BO7tV0X7+A0FoEpbmHXWxPyD3wQ==}
     engines: {node: '>=10'}
 
+  ret@0.5.0:
+    resolution: {integrity: sha512-I1XxrZSQ+oErkRR4jYbAyEEu2I0avBvvMM5JN+6EBprOGRCs63ENqZ3vjavq8fBw2+62G5LF5XelKwuJpcvcxw==}
+    engines: {node: '>=10'}
+
   reusify@1.1.0:
     resolution: {integrity: sha512-g6QUff04oZpHs0eG5p83rFLhHeV00ug/Yf9nZM6fLeUrPguBTkTQOdpAWWspMh55TZfVQDPaN3NQJfbVRAxdIw==}
     engines: {iojs: '>=1.0.0', node: '>=0.10.0'}
@@ -3549,6 +3609,10 @@ packages:
   safe-regex2@3.1.0:
     resolution: {integrity: sha512-RAAZAGbap2kBfbVhvmnTFv73NWLMvDGOITFYTZBAaY8eR+Ir4ef7Up/e7amo+y1+AH+3PtLkrt9mvcTsG9LXug==}
 
+  safe-regex2@5.1.1:
+    resolution: {integrity: sha512-mOSBvHGDZMuIEZMdOz/aCEYDCv0E7nfcNsIhUF+/P+xC7Hyf3FkvymqgPbg9D1EdSGu+uKbJgy09K/RKKc7kJA==}
+    hasBin: true
+
   safe-stable-stringify@2.5.0:
     resolution: {integrity: sha512-b3rppTKm9T+PsVCBEOUR46GWI7fdOs00VKZ1+9c1EWDaDMvjQc6tUwuFyIprgGgTcWoVHSKrU8H31ZHA2e0RHA==}
     engines: {node: '>=10'}
@@ -3656,6 +3720,9 @@ packages:
   std-env@3.10.0:
     resolution: {integrity: sha512-5GS12FdOZNliM5mAOxFRg7Ir0pWz8MdpYm6AY6VPkGpbA7ZzmbzNcBJQ0GPvvyWgcY7QAhCgf9Uy89I03faLkg==}
 
+  steed@1.1.3:
+    resolution: {integrity: sha512-EUkci0FAUiE4IvGTSKcDJIQ/eRUP2JJb56+fvZ4sdnguLTqIdKjSxUe138poW8mkvKWXW2sFPrgTsxqoISnmoA==}
+
   streamx@2.23.0:
     resolution: {integrity: sha512-kn+e44esVfn2Fa/O0CPFcex27fjIL6MkVae0Mm6q+E6f0hWv578YCERbv+4m02cjxvDsPKLnmxral/rR6lBMAg==}
 
@@ -4081,6 +4148,10 @@ packages:
     engines: {node: '>=0.8'}
     hasBin: true
 
+  xtend@4.0.2:
+    resolution: {integrity: sha512-LKYU1iAXJXUgAXn9URjiu+MWhyUXHsvfp7mcuYm9dSUKK0/CjtrUwFAxD82/mCWbtLsGjFIad0wIsod4zrTAEQ==}
+    engines: {node: '>=0.4'}
+
   y18n@5.0.8:
     resolution: {integrity: sha512-0pfFzegeDWJHJIAmTLRP2DwHjdF5s7jo9tuztdQxAhINCdvS+3nGINqPd00AphqJR/0LhANUS6/+7SCb98YOfA==}
     engines: {node: '>=10'}
@@ -4983,6 +5054,14 @@ snapshots:
     dependencies:
       fast-json-stringify: 5.16.1
 
+  '@fastify/jwt@10.0.0':
+    dependencies:
+      '@fastify/error': 4.2.0
+      '@lukeed/ms': 2.0.2
+      fast-jwt: 6.2.2
+      fastify-plugin: 5.1.0
+      steed: 1.1.3
+
   '@fastify/merge-json-schemas@0.1.1':
     dependencies:
       fast-deep-equal: 3.1.3
@@ -5729,6 +5808,10 @@ snapshots:
     dependencies:
       '@babel/types': 7.29.0
 
+  '@types/bcrypt@6.0.0':
+    dependencies:
+      '@types/node': 20.19.33
+
   '@types/chai@5.2.3':
     dependencies:
       '@types/deep-eql': 4.0.2
@@ -5957,6 +6040,13 @@ snapshots:
 
   argparse@2.0.1: {}
 
+  asn1.js@5.4.1:
+    dependencies:
+      bn.js: 4.12.3
+      inherits: 2.0.4
+      minimalistic-assert: 1.0.1
+      safer-buffer: 2.1.2
+
   assertion-error@1.1.0: {}
 
   assertion-error@2.0.1: {}
@@ -6041,8 +6131,15 @@ snapshots:
 
   basic-ftp@5.1.0: {}
 
+  bcrypt@6.0.0:
+    dependencies:
+      node-addon-api: 8.7.0
+      node-gyp-build: 4.8.4
+
   binary-extensions@2.3.0: {}
 
+  bn.js@4.12.3: {}
+
   boolbase@1.0.0: {}
 
   bowser@2.14.1: {}
@@ -6353,6 +6450,10 @@ snapshots:
       es-errors: 1.3.0
       gopd: 1.2.0
 
+  ecdsa-sig-formatter@1.0.11:
+    dependencies:
+      safe-buffer: 5.1.2
+
   ejs@5.0.2: {}
 
   electron-to-chromium@1.5.302: {}
@@ -6563,6 +6664,14 @@ snapshots:
       json-schema-ref-resolver: 1.0.1
       rfdc: 1.4.1
 
+  fast-jwt@6.2.2:
+    dependencies:
+      '@lukeed/ms': 2.0.2
+      asn1.js: 5.4.1
+      ecdsa-sig-formatter: 1.0.11
+      mnemonist: 0.40.3
+      safe-regex2: 5.1.1
+
   fast-levenshtein@3.0.0:
     dependencies:
       fastest-levenshtein: 1.0.16
@@ -6583,6 +6692,10 @@ snapshots:
 
   fastest-levenshtein@1.0.16: {}
 
+  fastfall@1.5.1:
+    dependencies:
+      reusify: 1.1.0
+
   fastify-plugin@4.5.1: {}
 
   fastify-plugin@5.1.0: {}
@@ -6606,10 +6719,20 @@ snapshots:
       semver: 7.7.4
       toad-cache: 3.7.0
 
+  fastparallel@2.4.1:
+    dependencies:
+      reusify: 1.1.0
+      xtend: 4.0.2
+
   fastq@1.20.1:
     dependencies:
       reusify: 1.1.0
 
+  fastseries@1.7.2:
+    dependencies:
+      reusify: 1.1.0
+      xtend: 4.0.2
+
   fd-slicer@1.1.0:
     dependencies:
       pend: 1.2.0
@@ -7010,6 +7133,8 @@ snapshots:
 
   mimic-fn@4.0.0: {}
 
+  minimalistic-assert@1.0.1: {}
+
   minimatch@10.2.5:
     dependencies:
       brace-expansion: 5.0.5
@@ -7035,6 +7160,10 @@ snapshots:
     dependencies:
       obliterator: 2.0.5
 
+  mnemonist@0.40.3:
+    dependencies:
+      obliterator: 2.0.5
+
   motion-dom@12.38.0:
     dependencies:
       motion-utils: 12.36.0
@@ -7077,6 +7206,8 @@ snapshots:
 
   node-abort-controller@3.1.1: {}
 
+  node-addon-api@8.7.0: {}
+
   node-cron@4.2.1: {}
 
   node-domexception@1.0.0: {}
@@ -7090,6 +7221,8 @@ snapshots:
       detect-libc: 2.1.2
     optional: true
 
+  node-gyp-build@4.8.4: {}
+
   node-releases@2.0.27: {}
 
   normalize-path@3.0.0: {}
@@ -7544,6 +7677,8 @@ snapshots:
 
   ret@0.4.3: {}
 
+  ret@0.5.0: {}
+
   reusify@1.1.0: {}
 
   rfdc@1.4.1: {}
@@ -7589,6 +7724,10 @@ snapshots:
     dependencies:
       ret: 0.4.3
 
+  safe-regex2@5.1.1:
+    dependencies:
+      ret: 0.5.0
+
   safe-stable-stringify@2.5.0: {}
 
   safer-buffer@2.1.2: {}
@@ -7704,6 +7843,14 @@ snapshots:
 
   std-env@3.10.0: {}
 
+  steed@1.1.3:
+    dependencies:
+      fastfall: 1.5.1
+      fastparallel: 2.4.1
+      fastq: 1.20.1
+      fastseries: 1.7.2
+      reusify: 1.1.0
+
   streamx@2.23.0:
     dependencies:
       events-universal: 1.0.1
@@ -8130,6 +8277,8 @@ snapshots:
       wmf: 1.0.2
       word: 0.3.0
 
+  xtend@4.0.2: {}
+
   y18n@5.0.8: {}
 
   yallist@3.1.1: {}