@access-dlsu/leapify 0.260505.5 → 0.260507.1

package/dist/worker.js

@@ -1,5 +1,4 @@
-import crypto2 from 'crypto';
-import fs from 'fs';
+import { createClient } from 'contentful-management';
 
 var __create = Object.create;
 var __defProp = Object.defineProperty;
@@ -25092,14 +25091,11 @@ var errorHandler2 = (err, c) => {
 
 // node_modules/hono/dist/middleware/cors/index.js
 var cors = (options) => {
-  const defaults = {
+  const opts = {
     origin: "*",
     allowMethods: ["GET", "HEAD", "PUT", "POST", "DELETE", "PATCH"],
     allowHeaders: [],
-    exposeHeaders: []
-  };
-  const opts = {
-    ...defaults,
+    exposeHeaders: [],
     ...options
   };
   const findAllowOrigin = ((optsOrigin) => {
@@ -25332,19 +25328,11 @@ function challengePageHtml(challengeId, difficulty, originalUrl) {
       const challengeId = ${JSON.stringify(challengeId)};
       const difficulty = ${difficulty};
       const prefix = '0'.repeat(Math.ceil(difficulty / 4));
-      const data = new TextEncoder().encode(challengeId + ':');
-      const buf = new ArrayBuffer(data.byteLength + 16);
-      new Uint8Array(buf).set(data);
-      const view = new DataView(buf);
-      view.setUint32(data.length, 0);
-      view.setUint32(data.length + 4, 0);
-      view.setUint32(data.length + 8, 0);
-      view.setUint32(data.length + 12, 0);
       let nonce = 0;
       const t0 = performance.now();
       while (true) {
-        view.setUint32(data.length, nonce);
-        const hash = await crypto.subtle.digest('SHA-256', buf);
+        const input = challengeId + ':' + nonce;
+        const hash = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(input));
         const hex = Array.from(new Uint8Array(hash)).map(b => b.toString(16).padStart(2, '0')).join('');
         if (hex.startsWith(prefix)) {
           const elapsed = performance.now() - t0;
@@ -62532,6 +62520,8 @@ __export(schema_exports, {
   events: () => events,
   eventsRelations: () => eventsRelations,
   faqs: () => faqs,
+  organizations: () => organizations,
+  organizationsRelations: () => organizationsRelations,
   siteConfig: () => siteConfig,
   themes: () => themes,
   themesRelations: () => themesRelations,
@@ -62558,13 +62548,26 @@ var themes = sqliteTable("themes", {
   name: text("name").notNull().unique(),
   path: text("path").notNull().unique(),
   // e.g. "/pirates-cove"
-  color: text("color"),
-  createdAt: integer2("created_at").notNull().$defaultFn(() => Math.floor(Date.now() / 1e3))
+  createdAt: integer2("created_at").notNull().$defaultFn(() => Math.floor(Date.now() / 1e3)),
+  updatedAt: integer2("updated_at").notNull().$defaultFn(() => Math.floor(Date.now() / 1e3))
 });
 var themesRelations = relations(themes, ({ many }) => ({
   events: many(events)
 }));
 
+// src/db/schema/organizations.ts
+var organizations = sqliteTable("organizations", {
+  id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID().replace(/-/g, "")),
+  name: text("name").notNull().unique(),
+  acronym: text("acronym").notNull().unique(),
+  logoUrl: text("logo_url"),
+  link: text("link"),
+  createdAt: integer2("created_at").notNull().default(sql2`(unixepoch())`)
+});
+var organizationsRelations = relations(organizations, ({ many }) => ({
+  events: many(events)
+}));
+
 // src/db/schema/events.ts
 var events = sqliteTable(
   "events",
@@ -62573,23 +62576,23 @@ var events = sqliteTable(
     slug: text("slug").notNull().unique(),
     // Theme reference
     themeId: text("theme_id").references(() => themes.id),
+    // Organization reference
+    organizationId: text("organization_id").references(() => organizations.id),
     // Core event fields (maps to LinkData)
     title: text("title").notNull(),
-    org: text("org"),
-    // organizing body / college
+    description: text("description"),
     venue: text("venue"),
     dateTime: text("date_time"),
     // human-readable display string
-    startsAt: integer2("starts_at"),
-    // unix epoch (machine use)
-    endsAt: integer2("ends_at"),
     price: text("price"),
     // e.g. "Free" or "₱150"
-    backgroundColor: text("background_color"),
     backgroundImageUrl: text("background_image_url"),
-    // Extended classification
-    subtheme: text("subtheme"),
-    // freeform, e.g. "Leadership"
+    classCode: text("class_code"),
+    // e.g. "CSINTSY"
+    startTime: text("start_time"),
+    // start time string
+    endTime: text("end_time"),
+    // end time string
     isMajor: integer2("is_major", { mode: "boolean" }).notNull().default(false),
     // Slot tracking (local counter — NOT polled from Google Forms)
     maxSlots: integer2("max_slots").notNull().default(0),
@@ -62598,6 +62601,8 @@ var events = sqliteTable(
     // Google Form ID for Watch + reconciliation
     gformsUrl: text("gforms_url"),
     // informational link shown to students
+    gformsEditorUrl: text("gforms_editor_url"),
+    registrationClosesAt: integer2("registration_closes_at"),
     watchId: text("watch_id"),
     // stored after forms.watches.create
     watchExpiresAt: integer2("watch_expires_at"),
@@ -62608,8 +62613,6 @@ var events = sqliteTable(
     }).notNull().default("draft"),
     releaseAt: integer2("release_at"),
     // scheduled publish epoch
-    registrationOpensAt: integer2("registration_opens_at"),
-    registrationClosesAt: integer2("registration_closes_at"),
     // Reminder tracking
     reminder24hSent: integer2("reminder_24h_sent", { mode: "boolean" }).notNull().default(false),
     reminder1hSent: integer2("reminder_1h_sent", { mode: "boolean" }).notNull().default(false),
@@ -62625,6 +62628,7 @@ var events = sqliteTable(
       table.releaseAt
     ),
     themeIdx: index("idx_events_theme_id").on(table.themeId),
+    organizationIdx: index("idx_events_organization_id").on(table.organizationId),
     slugIdx: index("idx_events_slug").on(table.slug)
   })
 );
@@ -62632,6 +62636,10 @@ var eventsRelations = relations(events, ({ one }) => ({
   theme: one(themes, {
     fields: [events.themeId],
     references: [themes.id]
+  }),
+  organization: one(organizations, {
+    fields: [events.organizationId],
+    references: [organizations.id]
   })
 }));
 
@@ -62652,7 +62660,6 @@ var faqs = sqliteTable("faqs", {
   category: text("category"),
   // optional grouping, e.g. "Registration"
   sortOrder: integer2("sort_order").notNull().default(0),
-  isActive: integer2("is_active", { mode: "boolean" }).notNull().default(true),
   createdAt: integer2("created_at").notNull().default(sql2`(unixepoch())`),
   updatedAt: integer2("updated_at").notNull().default(sql2`(unixepoch())`)
 });
@@ -62803,12 +62810,21 @@ function createAuth(env2) {
            */
           after: async (user) => {
             const [{ total }] = await db.select({ total: count() }).from(users);
-            await db.insert(users).values({
+            const isFirstUser = total === 0;
+            const base = {
               betterAuthId: user.id,
               email: user.email,
               name: user.name ?? user.email.split("@")[0],
-              role: total === 0 ? "super_admin" : "student"
-            }).onConflictDoNothing({ target: users.betterAuthId });
+              role: isFirstUser ? "super_admin" : "student"
+            };
+            if (isFirstUser) {
+              await db.insert(users).values(base).onConflictDoUpdate({
+                target: users.betterAuthId,
+                set: { role: "super_admin" }
+              });
+            } else {
+              await db.insert(users).values(base).onConflictDoNothing({ target: users.betterAuthId });
+            }
           }
         }
       }
@@ -62816,21 +62832,280 @@ function createAuth(env2) {
   });
 }
 
+// src/auth/middleware.ts
+var SESSION_KV_PREFIX = "auth:session:";
+var SESSION_KV_TTL = 3600;
+function extractRawToken(c) {
+  const authHeader = c.req.header("Authorization");
+  if (authHeader?.startsWith("Bearer ")) return authHeader.slice(7);
+  const cookie = c.req.header("Cookie") ?? "";
+  const match2 = cookie.match(/(?:^|;\s*)better-auth\.session_token=([^;]+)/);
+  return match2?.[1] ? decodeURIComponent(match2[1]) : void 0;
+}
+async function resolveUser(env2, betterAuthUserId, betterAuthUserEmail, betterAuthUserName, betterAuthEmailVerified) {
+  const db = createDb(env2.DB);
+  let dbUser = await db.query.users.findFirst({
+    where: eq(users.betterAuthId, betterAuthUserId)
+  });
+  if (!dbUser) {
+    const [created] = await db.insert(users).values({
+      betterAuthId: betterAuthUserId,
+      email: betterAuthUserEmail,
+      name: betterAuthUserName ?? betterAuthUserEmail.split("@")[0]
+    }).onConflictDoNothing({ target: users.betterAuthId }).returning();
+    dbUser = created;
+  }
+  if (!dbUser) throw unauthorized("Failed to resolve user record");
+  return {
+    uid: betterAuthUserId,
+    dbId: dbUser.id,
+    role: dbUser.role,
+    email: betterAuthUserEmail,
+    name: betterAuthUserName ?? betterAuthUserEmail.split("@")[0],
+    emailVerified: betterAuthEmailVerified
+  };
+}
+var authMiddleware = createMiddleware(
+  async (c, next) => {
+    const rawToken = extractRawToken(c);
+    if (rawToken) {
+      const cached2 = await c.env.KV.get(
+        `${SESSION_KV_PREFIX}${rawToken}`,
+        "json"
+      );
+      if (cached2) {
+        c.set("user", cached2);
+        return next();
+      }
+    }
+    const auth = createAuth(c.env);
+    const session = await auth.api.getSession({ headers: c.req.raw.headers });
+    if (!session?.user) {
+      throw unauthorized("No valid session found");
+    }
+    if (!session.user.email.endsWith("@dlsu.edu.ph")) {
+      throw domainRestricted();
+    }
+    const leapifyUser = await resolveUser(
+      c.env,
+      session.user.id,
+      session.user.email,
+      session.user.name,
+      session.user.emailVerified
+    );
+    if (rawToken) {
+      const sessionExpiresAt = new Date(session.session.expiresAt).getTime();
+      const secondsRemaining = Math.floor((sessionExpiresAt - Date.now()) / 1e3);
+      const kvTtl = Math.max(1, Math.min(secondsRemaining, SESSION_KV_TTL));
+      await c.env.KV.put(
+        `${SESSION_KV_PREFIX}${rawToken}`,
+        JSON.stringify(leapifyUser),
+        { expirationTtl: kvTtl }
+      );
+    }
+    c.set("user", leapifyUser);
+    return next();
+  }
+);
+var optionalAuthMiddleware = createMiddleware(async (c, next) => {
+  const rawToken = extractRawToken(c);
+  if (!rawToken) {
+    c.set("user", null);
+    return next();
+  }
+  return authMiddleware(c, next);
+});
+var adminMiddleware = createMiddleware(
+  async (c, next) => {
+    const user = c.get("user");
+    if (!user || !["admin", "super_admin"].includes(user.role)) {
+      throw forbidden("Admin access required");
+    }
+    return next();
+  }
+);
+var internalMiddleware = createMiddleware(async (c, next) => {
+  const secret = c.req.header("X-Internal-Secret");
+  if (!secret || secret !== c.env.INTERNAL_API_SECRET) {
+    throw forbidden("Invalid internal secret");
+  }
+  return next();
+});
+
 // src/routes/health.ts
 var healthRoute = new Hono2();
-healthRoute.get("/", (c) => {
-  const hasSes = Boolean(c.env.SES_REGION) && Boolean(c.env.SES_ACCESS_KEY_ID) && Boolean(c.env.SES_SECRET_ACCESS_KEY);
-  const hasResend = Boolean(c.env.RESEND_API_KEY);
+async function probeResend(apiKey) {
+  const start = Date.now();
+  try {
+    const res = await fetch("https://api.resend.com/domains", {
+      headers: { Authorization: `Bearer ${apiKey}` }
+    });
+    return {
+      configured: true,
+      ok: res.ok,
+      latencyMs: Date.now() - start,
+      ...res.ok ? {} : { error: `HTTP ${res.status}` }
+    };
+  } catch (e) {
+    return {
+      configured: true,
+      ok: false,
+      latencyMs: Date.now() - start,
+      error: String(e)
+    };
+  }
+}
+async function probeSes(region, accessKeyId, secretAccessKey) {
+  const start = Date.now();
+  try {
+    if (!region || !accessKeyId || !secretAccessKey) {
+      return {
+        configured: false,
+        ok: false,
+        latencyMs: Date.now() - start,
+        error: "Missing SES credentials"
+      };
+    }
+    return {
+      configured: true,
+      ok: true,
+      latencyMs: Date.now() - start
+    };
+  } catch (e) {
+    return {
+      configured: true,
+      ok: false,
+      latencyMs: Date.now() - start,
+      error: String(e)
+    };
+  }
+}
+async function probeContentful(spaceId, accessToken, environment) {
+  const start = Date.now();
+  try {
+    const res = await fetch(
+      `https://cdn.contentful.com/spaces/${spaceId}/environments/${environment}/entries?limit=0`,
+      { headers: { Authorization: `Bearer ${accessToken}` } }
+    );
+    return {
+      configured: true,
+      ok: res.ok,
+      latencyMs: Date.now() - start,
+      ...res.ok ? {} : { error: `HTTP ${res.status}` }
+    };
+  } catch (e) {
+    return {
+      configured: true,
+      ok: false,
+      latencyMs: Date.now() - start,
+      error: String(e)
+    };
+  }
+}
+async function probeGForms(serviceAccountJson) {
+  const start = Date.now();
+  try {
+    const creds = JSON.parse(serviceAccountJson);
+    const now2 = Math.floor(Date.now() / 1e3);
+    const claims = {
+      iss: creds.client_email,
+      scope: "https://www.googleapis.com/auth/forms.responses.readonly",
+      aud: "https://oauth2.googleapis.com/token",
+      iat: now2,
+      exp: now2 + 3600
+    };
+    const header = { alg: "RS256", typ: "JWT" };
+    const encode5 = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+    const signingInput = `${encode5(header)}.${encode5(claims)}`;
+    const pemBody = creds.private_key.replace(/-----BEGIN PRIVATE KEY-----/, "").replace(/-----END PRIVATE KEY-----/, "").replace(/\s/g, "");
+    const keyBytes = Uint8Array.from(atob(pemBody), (c) => c.charCodeAt(0));
+    const privateKey = await crypto.subtle.importKey(
+      "pkcs8",
+      keyBytes,
+      { name: "RSASSA-PKCS1-v1_5", hash: "SHA-256" },
+      false,
+      ["sign"]
+    );
+    const signature = await crypto.subtle.sign(
+      "RSASSA-PKCS1-v1_5",
+      privateKey,
+      new TextEncoder().encode(signingInput)
+    );
+    const sigB64 = btoa(String.fromCharCode(...new Uint8Array(signature))).replace(/\+/g, "-").replace(/\//g, "_").replace(/=/g, "");
+    const jwt2 = `${signingInput}.${sigB64}`;
+    const res = await fetch("https://oauth2.googleapis.com/token", {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+        assertion: jwt2
+      })
+    });
+    return {
+      configured: true,
+      ok: res.ok,
+      latencyMs: Date.now() - start,
+      ...res.ok ? {} : { error: `HTTP ${res.status}` }
+    };
+  } catch (e) {
+    return {
+      configured: true,
+      ok: false,
+      latencyMs: Date.now() - start,
+      error: String(e)
+    };
+  }
+}
+healthRoute.get("/", async (c) => {
+  const env2 = c.env;
+  const hasSes = Boolean(env2.SES_REGION) && Boolean(env2.SES_ACCESS_KEY_ID) && Boolean(env2.SES_SECRET_ACCESS_KEY);
+  const hasResend = Boolean(env2.RESEND_API_KEY);
+  const hasContentful = Boolean(env2.CONTENTFUL_SPACE_ID) && Boolean(env2.CONTENTFUL_ACCESS_TOKEN);
+  const hasGForms = Boolean(env2.GFORMS_SERVICE_ACCOUNT_JSON);
+  const probes = [];
+  if (hasSes) {
+    probes.push(
+      probeSes(env2.SES_REGION, env2.SES_ACCESS_KEY_ID, env2.SES_SECRET_ACCESS_KEY).then(
+        (h) => ["ses", h]
+      )
+    );
+  }
+  if (hasResend) {
+    probes.push(
+      probeResend(env2.RESEND_API_KEY).then((h) => ["resend", h])
+    );
+  }
+  if (hasContentful) {
+    probes.push(
+      probeContentful(
+        env2.CONTENTFUL_SPACE_ID,
+        env2.CONTENTFUL_ACCESS_TOKEN,
+        env2.CONTENTFUL_ENVIRONMENT || "master"
+      ).then((h) => ["contentful", h])
+    );
+  }
+  if (hasGForms) {
+    probes.push(
+      probeGForms(env2.GFORMS_SERVICE_ACCOUNT_JSON).then(
+        (h) => ["gforms", h]
+      )
+    );
+  }
+  const results = await Promise.all(probes);
+  const services = {};
+  for (const [name, health] of results) {
+    services[name] = health;
+  }
+  const allOk = results.length === 0 || results.every(([, h]) => h.ok);
   return c.json({
-    status: "ok",
-    timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-    providers: {
-      ses: hasSes,
-      resend: hasResend
+    data: {
+      status: allOk ? "OK" : "DEGRADED",
+      timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+      services
     }
   });
 });
-healthRoute.post("/queue-burst", async (c) => {
+healthRoute.post("/queue-burst", authMiddleware, adminMiddleware, async (c) => {
   if (!c.env.EMAIL_QUEUE) {
     return c.json({ error: "Queue binding missing" }, 400);
   }
@@ -63310,106 +63585,189 @@ var GFormsService = class {
     return { expireTime: data.expireTime };
   }
 };
-
-// src/auth/middleware.ts
-var SESSION_KV_PREFIX = "auth:session:";
-var SESSION_KV_TTL = 3600;
-function extractRawToken(c) {
-  const authHeader = c.req.header("Authorization");
-  if (authHeader?.startsWith("Bearer ")) return authHeader.slice(7);
-  const cookie = c.req.header("Cookie") ?? "";
-  const match2 = cookie.match(/(?:^|;\s*)better-auth\.session_token=([^;]+)/);
-  return match2?.[1] ? decodeURIComponent(match2[1]) : void 0;
-}
-async function resolveUser(env2, betterAuthUserId, betterAuthUserEmail, betterAuthUserName, betterAuthEmailVerified) {
-  const db = createDb(env2.DB);
-  let dbUser = await db.query.users.findFirst({
-    where: eq(users.betterAuthId, betterAuthUserId)
-  });
-  if (!dbUser) {
-    const [created] = await db.insert(users).values({
-      betterAuthId: betterAuthUserId,
-      email: betterAuthUserEmail,
-      name: betterAuthUserName ?? betterAuthUserEmail.split("@")[0]
-    }).onConflictDoNothing({ target: users.betterAuthId }).returning();
-    dbUser = created;
-  }
-  if (!dbUser) throw unauthorized("Failed to resolve user record");
-  return {
-    uid: betterAuthUserId,
-    dbId: dbUser.id,
-    role: dbUser.role,
-    email: betterAuthUserEmail,
-    name: betterAuthUserName ?? betterAuthUserEmail.split("@")[0],
-    emailVerified: betterAuthEmailVerified
-  };
-}
-var authMiddleware = createMiddleware(
-  async (c, next) => {
-    const rawToken = extractRawToken(c);
-    if (rawToken) {
-      const cached2 = await c.env.KV.get(
-        `${SESSION_KV_PREFIX}${rawToken}`,
-        "json"
-      );
-      if (cached2) {
-        c.set("user", cached2);
-        return next();
+var ContentfulManagement = class {
+  client;
+  constructor(spaceId, token, environment = "master") {
+    this.client = createClient(
+      { accessToken: token },
+      {
+        type: "plain",
+        defaults: { spaceId, environmentId: environment }
       }
+    );
+  }
+  static isConfigured(spaceId, token) {
+    return !!(spaceId && token);
+  }
+  // ─── Content Types ───────────────────────────────────────────────────────
+  async getContentType(contentTypeId) {
+    try {
+      return await this.client.contentType.get({ contentTypeId });
+    } catch (err) {
+      if (err?.status === 404) return null;
+      console.warn(`[Contentful] getContentType(${contentTypeId}) error:`, err?.message ?? err);
+      return null;
     }
-    const auth = createAuth(c.env);
-    const session = await auth.api.getSession({ headers: c.req.raw.headers });
-    if (!session?.user) {
-      throw unauthorized("No valid session found");
+  }
+  async ensureContentType(contentTypeId, name, fields) {
+    const existing = await this.getContentType(contentTypeId);
+    if (!existing) {
+      console.log(`[Contentful] Creating content type ${contentTypeId}...`);
+      try {
+        const created = await this.client.contentType.createWithId(
+          { contentTypeId },
+          { name, fields, displayField: fields[0]?.id }
+        );
+        console.log(`[Contentful] Created ${contentTypeId} v${created.sys.version}`);
+        let version4 = created.sys.version;
+        for (let attempt = 0; attempt < 5; attempt++) {
+          await new Promise((r) => setTimeout(r, 3e3));
+          try {
+            const saved = await this.client.contentType.update(
+              { contentTypeId },
+              { ...created, name, fields, displayField: fields[0]?.id, sys: { ...created.sys, version: version4 } }
+            );
+            console.log(`[Contentful] Saved ${contentTypeId} \u2192 v${saved.sys.version}`);
+            await this.client.contentType.publish(
+              { contentTypeId },
+              saved
+            );
+            console.log(`[Contentful] Published ${contentTypeId}`);
+            return;
+          } catch (err) {
+            console.warn(`[Contentful] Attempt ${attempt + 1} to publish ${contentTypeId} failed:`, err?.message ?? err);
+            const refetched = await this.getContentType(contentTypeId);
+            if (refetched) version4 = refetched.sys.version ?? version4;
+          }
+        }
+        console.warn(`[Contentful] Could not publish ${contentTypeId} after retries`);
+      } catch (err) {
+        if (err?.status === 409) {
+          console.log(`[Contentful] ${contentTypeId} already exists (409), attempting to publish...`);
+          await this.tryPublishExisting(contentTypeId, name, fields);
+          return;
+        }
+        console.warn(`[Contentful] Failed to create ${contentTypeId}:`, err?.message ?? err);
+      }
+      return;
     }
-    if (!session.user.email.endsWith("@dlsu.edu.ph")) {
-      throw domainRestricted();
+    if (!existing.sys.publishedVersion || existing.sys.publishedVersion < (existing.sys.version ?? 0)) {
+      for (let attempt = 0; attempt < 3; attempt++) {
+        try {
+          await this.client.contentType.publish({ contentTypeId }, existing);
+          console.log(`[Contentful] Published ${contentTypeId}`);
+          return;
+        } catch {
+          await new Promise((r) => setTimeout(r, 2e3 * (attempt + 1)));
+        }
+      }
     }
-    const leapifyUser = await resolveUser(
-      c.env,
-      session.user.id,
-      session.user.email,
-      session.user.name,
-      session.user.emailVerified
-    );
-    if (rawToken) {
-      const sessionExpiresAt = new Date(session.session.expiresAt).getTime();
-      const secondsRemaining = Math.floor((sessionExpiresAt - Date.now()) / 1e3);
-      const kvTtl = Math.max(1, Math.min(secondsRemaining, SESSION_KV_TTL));
-      await c.env.KV.put(
-        `${SESSION_KV_PREFIX}${rawToken}`,
-        JSON.stringify(leapifyUser),
-        { expirationTtl: kvTtl }
+    const existingFieldIds = existing.fields.map((f) => f.id).sort().join(",");
+    const newFieldIds = fields.map((f) => f.id).sort().join(",");
+    if (existingFieldIds !== newFieldIds || !existing.displayField) {
+      const updated = await this.client.contentType.update(
+        { contentTypeId },
+        { ...existing, name, fields, displayField: fields[0]?.id }
       );
+      await this.client.contentType.publish({ contentTypeId }, updated);
+      console.log(`[Contentful] Updated + published ${contentTypeId}`);
     }
-    c.set("user", leapifyUser);
-    return next();
   }
-);
-var optionalAuthMiddleware = createMiddleware(async (c, next) => {
-  const rawToken = extractRawToken(c);
-  if (!rawToken) {
-    c.set("user", null);
-    return next();
+  async tryPublishExisting(contentTypeId, name, fields) {
+    for (let attempt = 0; attempt < 5; attempt++) {
+      await new Promise((r) => setTimeout(r, 3e3));
+      const existing = await this.getContentType(contentTypeId);
+      if (existing) {
+        if (!existing.sys.publishedVersion || existing.sys.publishedVersion < (existing.sys.version ?? 0)) {
+          try {
+            const saved = await this.client.contentType.update(
+              { contentTypeId },
+              { ...existing, name, fields, displayField: fields[0]?.id }
+            );
+            await this.client.contentType.publish({ contentTypeId }, saved);
+            console.log(`[Contentful] Published existing ${contentTypeId}`);
+            return;
+          } catch (err) {
+            console.warn(`[Contentful] Attempt ${attempt + 1} to publish existing ${contentTypeId}:`, err?.message ?? err);
+          }
+        } else {
+          console.log(`[Contentful] ${contentTypeId} already published`);
+          return;
+        }
+      }
+    }
+    console.warn(`[Contentful] Could not publish existing ${contentTypeId} after retries`);
   }
-  return authMiddleware(c, next);
-});
-var adminMiddleware = createMiddleware(
-  async (c, next) => {
-    const user = c.get("user");
-    if (!user || !["admin", "super_admin"].includes(user.role)) {
-      throw forbidden("Admin access required");
+  // ─── Entries ─────────────────────────────────────────────────────────────
+  async getEntry(entryId) {
+    try {
+      return await this.client.entry.get({ entryId });
+    } catch (err) {
+      if (err?.status === 404) return null;
+      return null;
     }
-    return next();
   }
-);
-var internalMiddleware = createMiddleware(async (c, next) => {
-  const secret = c.req.header("X-Internal-Secret");
-  if (!secret || secret !== c.env.INTERNAL_API_SECRET) {
-    throw forbidden("Invalid internal secret");
+  async upsertEntry(contentTypeId, entryId, fields) {
+    const existing = await this.getEntry(entryId);
+    let entry;
+    if (existing) {
+      entry = await this.client.entry.update(
+        { entryId },
+        { ...existing, fields }
+      );
+    } else {
+      entry = await this.client.entry.createWithId(
+        { entryId, contentTypeId },
+        { fields }
+      );
+    }
+    return this.client.entry.publish({ entryId }, entry);
+  }
+  async unpublishEntry(entryId) {
+    const entry = await this.getEntry(entryId);
+    if (!entry) return null;
+    return this.client.entry.unpublish({ entryId }, entry);
+  }
+  async deleteEntry(entryId) {
+    await this.client.entry.delete({ entryId });
+  }
+  // ─── Asset Uploads ────────────────────────────────────────────────────────
+  async uploadFile(_fileName, data, _contentType) {
+    const upload = await this.client.upload.create({}, { file: data });
+    return upload.sys.id;
+  }
+  async createAssetFromUpload(uploadId, title, fileName, contentType) {
+    const asset = await this.client.asset.create({}, {
+      fields: {
+        title: { "en-US": title },
+        file: {
+          "en-US": {
+            contentType,
+            fileName,
+            uploadFrom: { sys: { type: "Link", linkType: "Upload", id: uploadId } }
+          }
+        }
+      }
+    });
+    const processed = await this.client.asset.processForLocale({}, asset, "en-US");
+    const published = await this.client.asset.publish(
+      { assetId: processed.sys.id },
+      processed
+    );
+    const url2 = published.fields?.file?.["en-US"]?.url ?? "";
+    return { id: published.sys.id, url: url2 };
   }
-  return next();
-});
+  // ─── Helpers ─────────────────────────────────────────────────────────────
+  static locale(value) {
+    return { "en-US": value };
+  }
+  static entryRef(entryId) {
+    return { "en-US": { sys: { type: "Link", linkType: "Entry", id: entryId } } };
+  }
+  static assetRef(assetId) {
+    return { "en-US": { sys: { type: "Link", linkType: "Asset", id: assetId } } };
+  }
+};
 
 // src/lib/middleware/rate-limit.ts
 function createRateLimitMiddleware(config3) {
@@ -63465,25 +63823,87 @@ var adminEventsRateLimit = createRateLimitMiddleware({
 var EVENTS_LIST_KV_KEY = "events:list";
 var EVENTS_ETAG_KV_KEY = "events:etag";
 var EVENTS_LIST_TTL = 300;
+var CF_EVENT_CT = "event";
+async function pushEventToContentful(env2, event) {
+  if (!ContentfulManagement.isConfigured(env2.CONTENTFUL_SPACE_ID, env2.CONTENTFUL_MANAGEMENT_TOKEN)) return;
+  const mgmt = new ContentfulManagement(
+    env2.CONTENTFUL_SPACE_ID,
+    env2.CONTENTFUL_MANAGEMENT_TOKEN,
+    env2.CONTENTFUL_ENVIRONMENT
+  );
+  try {
+    const fields = {
+      title: ContentfulManagement.locale(event.title),
+      slug: ContentfulManagement.locale(event.slug),
+      isMajor: ContentfulManagement.locale(event.isMajor),
+      maxSlots: ContentfulManagement.locale(event.maxSlots)
+    };
+    if (event.themeId) fields.theme = ContentfulManagement.entryRef(event.themeId);
+    if (event.organizationId) fields.organization = ContentfulManagement.entryRef(event.organizationId);
+    if (event.venue) fields.venue = ContentfulManagement.locale(event.venue);
+    if (event.dateTime) {
+      const parsed = new Date(event.dateTime);
+      fields.date = ContentfulManagement.locale(
+        Number.isNaN(parsed.getTime()) ? event.dateTime : parsed.toISOString()
+      );
+    }
+    if (event.price) fields.price = ContentfulManagement.locale(event.price);
+    if (event.classCode) fields.classCode = ContentfulManagement.locale(event.classCode);
+    if (event.startTime) fields.startTime = ContentfulManagement.locale(event.startTime);
+    if (event.endTime) fields.endTime = ContentfulManagement.locale(event.endTime);
+    if (event.gformsUrl) fields.gformsUrl = ContentfulManagement.locale(event.gformsUrl);
+    if (event.gformsEditorUrl) fields.gformsEditorUrl = ContentfulManagement.locale(event.gformsEditorUrl);
+    if (event.registrationClosesAt) {
+      fields.registrationClosesAt = ContentfulManagement.locale(
+        new Date(event.registrationClosesAt * 1e3).toISOString()
+      );
+    }
+    if (event.backgroundImageUrl && env2.FILES) {
+      try {
+        const imageKey = new URL(event.backgroundImageUrl).pathname.replace(/^\/api\/uploads\/images\//, "");
+        console.log(`[Contentful] Attempting image sync for event ${event.id}, key: ${imageKey}`);
+        const object2 = await env2.FILES.get(imageKey);
+        if (object2) {
+          const data = await object2.arrayBuffer();
+          const contentType = object2.httpMetadata?.contentType || "image/jpeg";
+          const fileName = imageKey.split("/").pop() || "image.jpg";
+          const uploadId = await mgmt.uploadFile(fileName, data, contentType);
+          const asset = await mgmt.createAssetFromUpload(uploadId, event.title, fileName, contentType);
+          fields.image = ContentfulManagement.assetRef(asset.id);
+          console.log(`[Contentful] Image synced for event ${event.id}, asset: ${asset.id}`);
+        } else {
+          console.warn(`[Contentful] Image not found in R2 for event ${event.id}, key: ${imageKey}`);
+        }
+      } catch (err) {
+        console.warn(`[Contentful] Failed to upload image for event ${event.id}:`, err);
+      }
+    } else if (event.backgroundImageUrl && !env2.FILES) {
+      console.warn(`[Contentful] FILES binding not available, skipping image sync for event ${event.id}`);
+    }
+    await mgmt.upsertEntry(CF_EVENT_CT, event.id, fields);
+  } catch (err) {
+    console.warn(`[Contentful] Failed to sync event ${event.id}:`, err);
+  }
+}
 var createEventSchema = external_exports.object({
   themeId: external_exports.string().min(1),
+  organizationId: external_exports.string().optional(),
   title: external_exports.string().min(1),
-  org: external_exports.string().optional(),
+  description: external_exports.string().optional(),
   venue: external_exports.string().optional(),
   dateTime: external_exports.string().optional(),
-  startsAt: external_exports.number().optional(),
-  endsAt: external_exports.number().optional(),
   price: external_exports.string().optional(),
-  backgroundColor: external_exports.string().optional(),
   backgroundImageUrl: external_exports.string().url().optional(),
-  subtheme: external_exports.string().optional(),
+  classCode: external_exports.string().optional(),
+  startTime: external_exports.string().optional(),
+  endTime: external_exports.string().optional(),
+  registrationClosesAt: external_exports.number().optional(),
   isMajor: external_exports.boolean().default(false),
   maxSlots: external_exports.number().int().min(0).default(0),
   gformsId: external_exports.string().optional(),
   gformsUrl: external_exports.string().url().optional(),
+  gformsEditorUrl: external_exports.string().url().optional(),
   releaseAt: external_exports.number().optional(),
-  registrationOpensAt: external_exports.number().optional(),
-  registrationClosesAt: external_exports.number().optional(),
   contentfulEntryId: external_exports.string().optional(),
   status: external_exports.enum(["draft", "queued", "published"]).default("draft")
 });
@@ -63491,6 +63911,42 @@ var eventsRoute = new Hono2();
 function generateSlug(title) {
   return title.toLowerCase().trim().replace(/[^\w\s-]/g, "").replace(/[\s_-]+/g, "-").replace(/^-+|-+$/g, "");
 }
+eventsRoute.get("/admin", authMiddleware, adminMiddleware, async (c) => {
+  const db = createDb(c.env.DB);
+  const data = await db.query.events.findMany({
+    with: { theme: true, organization: true },
+    orderBy: (e, { desc: desc2 }) => [desc2(e.createdAt)]
+  });
+  return c.json({ data });
+});
+eventsRoute.post("/admin/publish", authMiddleware, adminMiddleware, async (c) => {
+  const body = await c.req.json();
+  const db = createDb(c.env.DB);
+  const cache3 = new CacheService(c.env.KV);
+  if (!body.ids?.length) {
+    return c.json({ error: "ids are required" }, 400);
+  }
+  if (body.releaseAt) {
+    await db.update(events).set({ releaseAt: body.releaseAt, status: "queued" }).where(
+      sql2`${events.id} IN (${sql2.join(
+        body.ids.map((id) => sql2`${id}`),
+        sql2`, `
+      )})`
+    );
+  } else {
+    await db.update(events).set({ status: "published", publishedAt: sql2`(unixepoch())` }).where(
+      sql2`${events.id} IN (${sql2.join(
+        body.ids.map((id) => sql2`${id}`),
+        sql2`, `
+      )})`
+    );
+  }
+  await Promise.all([
+    cache3.del(EVENTS_LIST_KV_KEY),
+    cache3.del(EVENTS_ETAG_KV_KEY)
+  ]);
+  return c.json({ data: { updated: body.ids.length } });
+});
 eventsRoute.get("/", eventsListRateLimit, async (c) => {
   const db = createDb(c.env.DB);
   const cache3 = new CacheService(c.env.KV);
@@ -63509,28 +63965,28 @@ eventsRoute.get("/", eventsListRateLimit, async (c) => {
     () => db.query.events.findMany({
       where: eq(events.status, "published"),
       with: {
-        theme: true
+        theme: true,
+        organization: true
       },
       columns: {
         id: true,
         slug: true,
         themeId: true,
+        organizationId: true,
         title: true,
-        org: true,
         venue: true,
         dateTime: true,
-        startsAt: true,
-        endsAt: true,
         price: true,
-        backgroundColor: true,
         backgroundImageUrl: true,
-        subtheme: true,
+        classCode: true,
+        startTime: true,
+        endTime: true,
+        registrationClosesAt: true,
         isMajor: true,
         maxSlots: true,
         registeredSlots: true,
         gformsUrl: true,
-        registrationOpensAt: true,
-        registrationClosesAt: true,
+        gformsEditorUrl: true,
         publishedAt: true
       }
     }),
@@ -63600,6 +64056,7 @@ eventsRoute.post(
       cache3.del(EVENTS_LIST_KV_KEY),
       cache3.del(EVENTS_ETAG_KV_KEY)
     ]);
+    c.executionCtx.waitUntil(pushEventToContentful(c.env, created));
     return c.json({ data: created }, 201);
   }
 );
@@ -63618,11 +64075,57 @@ eventsRoute.patch("/:slug", authMiddleware, adminMiddleware, async (c) => {
     cache3.del(EVENTS_LIST_KV_KEY),
     cache3.del(EVENTS_ETAG_KV_KEY)
   ]);
+  c.executionCtx.waitUntil(pushEventToContentful(c.env, updated));
   return c.json({ data: updated });
 });
+eventsRoute.delete("/:slug", authMiddleware, adminMiddleware, async (c) => {
+  const { slug } = c.req.param();
+  const db = createDb(c.env.DB);
+  const cache3 = new CacheService(c.env.KV);
+  const [deleted] = await db.delete(events).where(eq(events.slug, slug)).returning();
+  if (!deleted) throw notFound("Event");
+  await Promise.all([
+    cache3.del(EVENTS_LIST_KV_KEY),
+    cache3.del(EVENTS_ETAG_KV_KEY)
+  ]);
+  return c.body(null, 204);
+});
 
 // src/routes/users.ts
+var VALID_ROLES = ["student", "admin", "super_admin"];
 var usersRoute = new Hono2();
+usersRoute.get("/", authMiddleware, adminMiddleware, async (c) => {
+  const db = createDb(c.env.DB);
+  const data = await db.select().from(users);
+  return c.json({ data });
+});
+usersRoute.patch("/:id/role", authMiddleware, adminMiddleware, async (c) => {
+  const { id } = c.req.param();
+  const { role } = await c.req.json();
+  if (!role || !VALID_ROLES.includes(role)) {
+    throw badRequest("Role must be 'student', 'admin', or 'super_admin'.");
+  }
+  const db = createDb(c.env.DB);
+  const [updated] = await db.update(users).set({ role }).where(eq(users.id, id)).returning();
+  if (!updated) throw notFound("User");
+  return c.json({ data: updated });
+});
+usersRoute.post("/by-email", authMiddleware, adminMiddleware, async (c) => {
+  const { email: email3, role } = await c.req.json();
+  if (!email3 || !role || !VALID_ROLES.includes(role)) {
+    throw badRequest("Email and valid role ('student', 'admin', 'super_admin') are required.");
+  }
+  const db = createDb(c.env.DB);
+  const existing = await db.query.users.findFirst({
+    where: eq(users.email, email3)
+  });
+  if (existing) {
+    const [updated] = await db.update(users).set({ role }).where(eq(users.email, email3)).returning();
+    return c.json({ data: updated });
+  }
+  const [created] = await db.insert(users).values({ betterAuthId: `pending:${email3}`, email: email3, name: email3.split("@")[0], role }).returning();
+  return c.json({ data: created }, 201);
+});
 usersRoute.get("/me", optionalAuthMiddleware, async (c) => {
   const user = c.get("user");
   if (!user) return c.json({ data: null });
@@ -63631,7 +64134,11 @@ usersRoute.get("/me", optionalAuthMiddleware, async (c) => {
     where: eq(users.id, user.dbId)
   });
   if (!profile) return c.json({ data: null });
-  return c.json({ data: profile });
+  const auth = await db.query.authUser.findFirst({
+    where: eq(authUser.id, profile.betterAuthId),
+    columns: { image: true }
+  });
+  return c.json({ data: { ...profile, image: auth?.image ?? null } });
 });
 usersRoute.get("/me/bookmarks", optionalAuthMiddleware, async (c) => {
   const user = c.get("user");
@@ -63670,297 +64177,83 @@ usersRoute.delete("/me/bookmarks/:eventId", authMiddleware, async (c) => {
   return c.json({ data: { bookmarked: false } });
 });
 
-// src/services/contentful-management.ts
-var CONTENTFUL_MGMT = "https://api.contentful.com";
-var ContentfulManagement = class {
-  spaceId;
-  token;
-  environment;
-  constructor(spaceId, token, environment = "master") {
-    this.spaceId = spaceId;
-    this.token = token;
-    this.environment = environment;
-  }
-  static isConfigured(spaceId, token) {
-    return !!(spaceId && token);
-  }
-  // ─── Content Types ───────────────────────────────────────────────────────
-  /**
-   * Get a content type by ID. Returns null if not found.
-   */
-  async getContentType(contentTypeId) {
-    const res = await this.fetch(`/content_types/${contentTypeId}`);
-    if (res.status === 404) return null;
-    if (!res.ok) throw new Error(`Failed to get content type: ${res.status} ${await res.text()}`);
-    return res.json();
-  }
-  /**
-   * Create a content type. Does NOT publish it — call publishContentType() after.
-   */
-  async createContentType(contentTypeId, name, fields) {
-    const res = await this.fetch(`/content_types`, {
-      method: "POST",
-      headers: { "Content-Type": "application/json", ...this.authHeader() },
-      body: JSON.stringify({
-        sys: { id: contentTypeId, type: "ContentType" },
-        name,
-        fields
-      })
-    });
-    if (!res.ok) throw new Error(`Failed to create content type: ${res.status} ${await res.text()}`);
-    const ct = await res.json();
-    console.log(`[Contentful] Created content type ${contentTypeId}: version=${ct.sys.version}`);
-    return ct;
-  }
-  /**
-   * Update a content type. Must republish after update.
-   */
-  async updateContentType(contentTypeId, name, fields, version4) {
-    const res = await this.fetch(`/content_types/${contentTypeId}`, {
-      method: "PUT",
-      headers: {
-        "Content-Type": "application/json",
-        ...this.authHeader(),
-        "X-Contentful-Version": String(version4)
-      },
-      body: JSON.stringify({
-        sys: { id: contentTypeId, type: "ContentType" },
-        name,
-        fields
-      })
-    });
-    if (!res.ok) throw new Error(`Failed to update content type: ${res.status} ${await res.text()}`);
-    return res.json();
-  }
-  /**
-   * Publish a content type (makes it available for entries).
-   */
-  async publishContentType(contentTypeId, version4) {
-    console.log(`[Contentful] Publishing content type ${contentTypeId} with version ${version4}`);
-    const res = await this.fetch(`/content_types/${contentTypeId}/published`, {
-      method: "PUT",
-      headers: {
-        "Content-Type": "application/vnd.contentful.management.v1+json",
-        ...this.authHeader(),
-        "X-Contentful-Version": String(version4)
-      }
-    });
-    if (!res.ok) {
-      const body = await res.text();
-      console.error(`[Contentful] Publish failed: ${res.status} ${body}`);
-      throw new Error(`Failed to publish content type: ${res.status} ${body}`);
-    }
-    return res.json();
-  }
-  // ─── Entries ─────────────────────────────────────────────────────────────
-  /**
-   * Get an entry by ID. Returns null if not found.
-   */
-  async getEntry(entryId) {
-    const res = await this.fetch(`/entries/${entryId}`);
-    if (res.status === 404) return null;
-    if (!res.ok) throw new Error(`Failed to get entry: ${res.status} ${await res.text()}`);
-    return res.json();
-  }
-  /**
-   * Create a new entry. Does NOT publish — call publishEntry() after.
-   * Fields must be locale-wrapped: { "en-US": value }
-   */
-  async createEntry(contentTypeId, entryId, fields) {
-    const res = await this.fetch(`/entries?content_type=${contentTypeId}`, {
-      method: "PUT",
-      headers: {
-        "Content-Type": "application/vnd.contentful.management.v1+json",
-        ...this.authHeader(),
-        "X-Contentful-Content-Type": contentTypeId
-      },
-      body: JSON.stringify({
-        sys: { id: entryId, type: "Entry" },
-        fields
-      })
-    });
-    if (!res.ok) throw new Error(`Failed to create entry: ${res.status} ${await res.text()}`);
-    return res.json();
-  }
-  /**
-   * Update an existing entry. Must republish after update.
-   */
-  async updateEntry(entryId, fields, version4) {
-    const res = await this.fetch(`/entries/${entryId}`, {
-      method: "PUT",
-      headers: {
-        "Content-Type": "application/vnd.contentful.management.v1+json",
-        ...this.authHeader(),
-        "X-Contentful-Version": String(version4)
-      },
-      body: JSON.stringify({ fields })
-    });
-    if (!res.ok) throw new Error(`Failed to update entry: ${res.status} ${await res.text()}`);
-    return res.json();
-  }
-  /**
-   * Publish an entry (makes it available via Delivery API).
-   */
-  async publishEntry(entryId, version4) {
-    const res = await this.fetch(`/entries/${entryId}/published`, {
-      method: "PUT",
-      headers: {
-        ...this.authHeader(),
-        "X-Contentful-Version": String(version4)
-      }
-    });
-    if (!res.ok) throw new Error(`Failed to publish entry: ${res.status} ${await res.text()}`);
-    return res.json();
-  }
-  /**
-   * Upsert an entry: create if missing, update if exists, then publish.
-   */
-  async upsertEntry(contentTypeId, entryId, fields) {
-    let existing = null;
-    try {
-      existing = await Promise.race([
-        this.getEntry(entryId),
-        new Promise((_, reject) => setTimeout(() => reject(new Error("getEntry timeout")), 5e3))
-      ]);
-    } catch (err) {
-      console.warn(`[Contentful] getEntry failed (will try create): ${err}`);
-    }
-    console.log(`[Contentful] upsertEntry: existing=${existing ? "yes" : "no"}`);
-    let entry;
-    if (existing) {
-      entry = await this.updateEntry(entryId, fields, existing.sys.version ?? 1);
-    } else {
-      console.log(`[Contentful] upsertEntry: creating new entry...`);
-      entry = await this.createEntry(contentTypeId, entryId, fields);
-    }
-    console.log(`[Contentful] upsertEntry: publishing (version=${entry.sys.version})`);
-    const published = await this.publishEntry(entry.sys.id, entry.sys.version ?? 1);
-    console.log(`[Contentful] upsertEntry: published successfully`);
-    return published;
-  }
-  // ─── Content type setup ──────────────────────────────────────────────────
-  /**
-   * Ensure a content type exists and is published with the given fields.
-   * Creates it if missing, updates if fields changed.
-   */
-  async ensureContentType(contentTypeId, name, fields) {
-    const existing = await this.getContentType(contentTypeId);
-    if (!existing) {
-      const created = await this.createContentType(contentTypeId, name, fields);
-      const version4 = created.sys.version ?? 1;
-      console.log(`[Contentful] Created content type ${contentTypeId}, attempting publish with version ${version4}`);
-      try {
-        await this.publishContentType(contentTypeId, version4);
-        console.log(`[Contentful] Created and published content type: ${contentTypeId}`);
-      } catch (err) {
-        console.warn(`[Contentful] Created content type ${contentTypeId} but publish failed (entries will still work): ${err}`);
-      }
-      return;
-    }
-    const existingFieldIds = existing.fields.map((f) => f.id).sort().join(",");
-    const newFieldIds = fields.map((f) => f.id).sort().join(",");
-    if (existingFieldIds !== newFieldIds) {
-      const updated = await this.updateContentType(contentTypeId, name, fields, existing.sys.version ?? 1);
-      const fetched = await this.getContentType(contentTypeId);
-      const version4 = fetched?.sys.version ?? updated.sys.version ?? 1;
-      try {
-        await this.publishContentType(contentTypeId, version4);
-        console.log(`[Contentful] Updated and published content type: ${contentTypeId}`);
-      } catch (err) {
-        console.warn(`[Contentful] Updated content type ${contentTypeId} but publish failed: ${err}`);
-      }
-    } else if (!existing.sys.publishedVersion || existing.sys.publishedVersion < (existing.sys.version ?? 0)) {
-      try {
-        await this.publishContentType(contentTypeId, existing.sys.version ?? 1);
-        console.log(`[Contentful] Published content type: ${contentTypeId}`);
-      } catch (err) {
-        console.warn(`[Contentful] Publish failed for ${contentTypeId}: ${err}`);
-      }
-    }
-  }
-  // ─── Helpers ─────────────────────────────────────────────────────────────
-  /**
-   * Locale-wrap a value for Contentful fields.
-   */
-  static locale(value) {
-    return { "en-US": value };
-  }
-  /**
-   * Locale-wrap a reference (Link to Entry).
-   */
-  static entryRef(entryId) {
-    return { "en-US": { sys: { type: "Link", linkType: "Entry", id: entryId } } };
-  }
-  // ─── Private ─────────────────────────────────────────────────────────────
-  authHeader() {
-    return { Authorization: `Bearer ${this.token}` };
-  }
-  async fetch(path, init2) {
-    const url2 = `${CONTENTFUL_MGMT}/spaces/${this.spaceId}/environments/${this.environment}${path}`;
-    return globalThis.fetch(url2, {
-      ...init2,
-      headers: { ...this.authHeader(), ...init2?.headers }
-    });
-  }
-};
-
 // src/services/snapshot.ts
+async function batchRun(items, fn, concurrency = 5) {
+  const results = [];
+  for (let i = 0; i < items.length; i += concurrency) {
+    const batch = items.slice(i, i + concurrency);
+    const settled = await Promise.allSettled(batch.map(fn));
+    results.push(...settled);
+  }
+  return results;
+}
 async function ensureContentTypes(mgmt, config3 = {}) {
   const eventTypeId = config3.eventTypeId ?? "event";
   const themeTypeId = config3.themeTypeId ?? "theme";
   const faqTypeId = config3.faqTypeId ?? "faq";
+  const organizationTypeId = config3.organizationTypeId ?? "organization";
   await mgmt.ensureContentType(themeTypeId, "Theme", [
     { id: "name", name: "Name", type: "Symbol", required: true },
-    { id: "path", name: "Path", type: "Symbol", required: true },
-    { id: "color", name: "Color", type: "Symbol" }
+    { id: "path", name: "Path", type: "Symbol", required: true }
   ]);
   await mgmt.ensureContentType(eventTypeId, "Event", [
     { id: "title", name: "Title", type: "Symbol", required: true },
     { id: "slug", name: "Slug", type: "Symbol", required: true },
     { id: "theme", name: "Theme", type: "Link", linkType: "Entry" },
-    { id: "org", name: "Organization", type: "Symbol" },
+    { id: "organization", name: "Organization", type: "Link", linkType: "Entry" },
     { id: "venue", name: "Venue", type: "Symbol" },
-    { id: "dateTime", name: "Date/Time", type: "Symbol" },
-    { id: "startsAt", name: "Starts At", type: "Date" },
-    { id: "endsAt", name: "Ends At", type: "Date" },
+    { id: "date", name: "Date", type: "Date" },
+    { id: "startTime", name: "Start Time", type: "Symbol" },
+    { id: "endTime", name: "End Time", type: "Symbol" },
     { id: "price", name: "Price", type: "Symbol" },
-    { id: "backgroundColor", name: "Background Color", type: "Symbol" },
     { id: "image", name: "Image", type: "Link", linkType: "Asset" },
-    { id: "subtheme", name: "Subtheme", type: "Symbol" },
     { id: "isMajor", name: "Major Event", type: "Boolean" },
     { id: "maxSlots", name: "Max Slots", type: "Integer" },
     { id: "gformsUrl", name: "Google Forms URL", type: "Symbol" },
-    { id: "registrationOpensAt", name: "Registration Opens", type: "Date" },
-    { id: "registrationClosesAt", name: "Registration Closes", type: "Date" }
+    { id: "gformsEditorUrl", name: "Google Forms Editor URL", type: "Symbol" },
+    { id: "registrationClosesAt", name: "Registration Closes", type: "Date" },
+    { id: "classCode", name: "Class Code", type: "Symbol" }
+  ]);
+  await mgmt.ensureContentType(organizationTypeId, "Organization", [
+    { id: "name", name: "Name", type: "Symbol", required: true },
+    { id: "acronym", name: "Acronym", type: "Symbol", required: true },
+    { id: "logo", name: "Logo", type: "Link", linkType: "Asset" },
+    { id: "link", name: "Link", type: "Symbol" }
   ]);
   await mgmt.ensureContentType(faqTypeId, "FAQ", [
     { id: "question", name: "Question", type: "Symbol", required: true },
     { id: "answer", name: "Answer", type: "Text", required: true },
     { id: "category", name: "Category", type: "Symbol" },
-    { id: "sortOrder", name: "Sort Order", type: "Integer" },
-    { id: "isActive", name: "Active", type: "Boolean" }
+    { id: "sortOrder", name: "Sort Order", type: "Integer" }
   ]);
 }
-async function pushToContentful(db, mgmt, config3 = {}) {
+var LAST_PUSH_KV_KEY = "contentful:last_push";
+async function pushToContentful(db, mgmt, config3 = {}, kv, forceFull = false) {
   const eventTypeId = config3.eventTypeId ?? "event";
   const themeTypeId = config3.themeTypeId ?? "theme";
   const faqTypeId = config3.faqTypeId ?? "faq";
+  const organizationTypeId = config3.organizationTypeId ?? "organization";
   const result = {
     themesSynced: 0,
     eventsSynced: 0,
     faqsSynced: 0,
+    organizationsSynced: 0,
     imagesUploaded: 0,
     imagesSkipped: 0,
     errors: []
   };
+  let lastPushTs = 0;
+  if (kv && !forceFull) {
+    const stored = await kv.get(LAST_PUSH_KV_KEY);
+    if (stored) lastPushTs = Number(stored) || 0;
+  }
   try {
     const dbThemes = await db.query.themes.findMany();
     for (const theme of dbThemes) {
       try {
         await mgmt.upsertEntry(themeTypeId, theme.id, {
           name: ContentfulManagement.locale(theme.name),
-          path: ContentfulManagement.locale(theme.path),
-          color: ContentfulManagement.locale(theme.color)
+          path: ContentfulManagement.locale(theme.path)
         });
         result.themesSynced++;
       } catch (err) {
@@ -63971,57 +64264,86 @@ async function pushToContentful(db, mgmt, config3 = {}) {
     result.errors.push(`Themes fetch failed: ${err}`);
   }
   try {
-    const dbEvents = await db.query.events.findMany();
-    for (const event of dbEvents) {
+    const dbOrgs = await db.query.organizations.findMany();
+    for (const org of dbOrgs) {
       try {
         const fields = {
-          title: ContentfulManagement.locale(event.title),
-          slug: ContentfulManagement.locale(event.slug),
-          isMajor: ContentfulManagement.locale(event.isMajor),
-          maxSlots: ContentfulManagement.locale(event.maxSlots)
+          name: ContentfulManagement.locale(org.name),
+          acronym: ContentfulManagement.locale(org.acronym),
+          link: ContentfulManagement.locale(org.link)
         };
-        if (event.themeId) fields.theme = ContentfulManagement.entryRef(event.themeId);
-        if (event.org) fields.org = ContentfulManagement.locale(event.org);
-        if (event.venue) fields.venue = ContentfulManagement.locale(event.venue);
-        if (event.dateTime) fields.dateTime = ContentfulManagement.locale(event.dateTime);
-        if (event.price) fields.price = ContentfulManagement.locale(event.price);
-        if (event.backgroundColor) fields.backgroundColor = ContentfulManagement.locale(event.backgroundColor);
-        if (event.subtheme) fields.subtheme = ContentfulManagement.locale(event.subtheme);
-        if (event.gformsUrl) fields.gformsUrl = ContentfulManagement.locale(event.gformsUrl);
-        if (event.startsAt) fields.startsAt = ContentfulManagement.locale(new Date(event.startsAt * 1e3).toISOString());
-        if (event.endsAt) fields.endsAt = ContentfulManagement.locale(new Date(event.endsAt * 1e3).toISOString());
-        if (event.registrationOpensAt) fields.registrationOpensAt = ContentfulManagement.locale(new Date(event.registrationOpensAt * 1e3).toISOString());
-        if (event.registrationClosesAt) fields.registrationClosesAt = ContentfulManagement.locale(new Date(event.registrationClosesAt * 1e3).toISOString());
-        await mgmt.upsertEntry(eventTypeId, event.id, fields);
-        result.eventsSynced++;
+        await mgmt.upsertEntry(organizationTypeId, org.id, fields);
+        result.organizationsSynced++;
       } catch (err) {
-        result.errors.push(`Event ${event.id}: ${err}`);
+        result.errors.push(`Organization ${org.id}: ${err}`);
       }
     }
   } catch (err) {
-    result.errors.push(`Events fetch failed: ${err}`);
+    result.errors.push(`Organizations fetch failed: ${err}`);
   }
   try {
-    const dbFaqs = await db.query.faqs.findMany();
-    for (const faq of dbFaqs) {
-      try {
-        await mgmt.upsertEntry(faqTypeId, faq.id, {
-          question: ContentfulManagement.locale(faq.question),
-          answer: ContentfulManagement.locale(faq.answer),
-          category: ContentfulManagement.locale(faq.category),
-          sortOrder: ContentfulManagement.locale(faq.sortOrder),
-          isActive: ContentfulManagement.locale(faq.isActive)
-        });
-        result.faqsSynced++;
-      } catch (err) {
-        result.errors.push(`FAQ ${faq.id}: ${err}`);
+    const dbEvents = lastPushTs > 0 ? await db.query.events.findMany().then((all) => all.filter((e) => {
+      if (e.createdAt >= lastPushTs) return true;
+      if (e.publishedAt && e.publishedAt >= lastPushTs) return true;
+      if (!e.contentfulEntryId) return true;
+      return false;
+    })) : await db.query.events.findMany();
+    await batchRun(dbEvents, async (event) => {
+      const fields = {
+        title: ContentfulManagement.locale(event.title),
+        slug: ContentfulManagement.locale(event.slug),
+        isMajor: ContentfulManagement.locale(event.isMajor),
+        maxSlots: ContentfulManagement.locale(event.maxSlots)
+      };
+      if (event.themeId) fields.theme = ContentfulManagement.entryRef(event.themeId);
+      if (event.organizationId) fields.organization = ContentfulManagement.entryRef(event.organizationId);
+      if (event.venue) fields.venue = ContentfulManagement.locale(event.venue);
+      if (event.dateTime) {
+        const parsed = new Date(event.dateTime);
+        fields.date = ContentfulManagement.locale(
+          Number.isNaN(parsed.getTime()) ? event.dateTime : parsed.toISOString()
+        );
       }
-    }
+      if (event.price) fields.price = ContentfulManagement.locale(event.price);
+      if (event.classCode) fields.classCode = ContentfulManagement.locale(event.classCode);
+      if (event.startTime) fields.startTime = ContentfulManagement.locale(event.startTime);
+      if (event.endTime) fields.endTime = ContentfulManagement.locale(event.endTime);
+      if (event.gformsUrl) fields.gformsUrl = ContentfulManagement.locale(event.gformsUrl);
+      if (event.gformsEditorUrl) fields.gformsEditorUrl = ContentfulManagement.locale(event.gformsEditorUrl);
+      if (event.registrationClosesAt) fields.registrationClosesAt = ContentfulManagement.locale(new Date(event.registrationClosesAt * 1e3).toISOString());
+      await mgmt.upsertEntry(eventTypeId, event.id, fields);
+      if (!event.contentfulEntryId) {
+        await db.update(events).set({ contentfulEntryId: event.id }).where(eq(events.id, event.id));
+      }
+      result.eventsSynced++;
+    });
+  } catch (err) {
+    result.errors.push(`Events fetch failed: ${err}`);
+  }
+  try {
+    const dbFaqs = lastPushTs > 0 ? await db.query.faqs.findMany().then((all) => all.filter((faq) => {
+      if (faq.updatedAt >= lastPushTs) return true;
+      if (faq.createdAt >= lastPushTs) return true;
+      return false;
+    })) : await db.query.faqs.findMany();
+    await batchRun(dbFaqs, async (faq) => {
+      await mgmt.upsertEntry(faqTypeId, faq.id, {
+        question: ContentfulManagement.locale(faq.question),
+        answer: ContentfulManagement.locale(faq.answer),
+        category: ContentfulManagement.locale(faq.category),
+        sortOrder: ContentfulManagement.locale(faq.sortOrder)
+      });
+      result.faqsSynced++;
+    });
   } catch (err) {
     result.errors.push(`FAQs fetch failed: ${err}`);
   }
+  if (kv) {
+    const now2 = Math.floor(Date.now() / 1e3);
+    await kv.put(LAST_PUSH_KV_KEY, String(now2));
+  }
   console.log(
-    `[Push] Complete: ${result.themesSynced} themes, ${result.eventsSynced} events, ${result.faqsSynced} FAQs pushed to Contentful, ${result.errors.length} errors`
+    `[Push] Complete: ${result.themesSynced} themes, ${result.organizationsSynced} organizations, ${result.eventsSynced} events, ${result.faqsSynced} FAQs pushed to Contentful, ${result.errors.length} errors`
   );
   return result;
 }
@@ -64059,19 +64381,30 @@ siteConfigRoute.patch("/:key", authMiddleware, adminMiddleware, async (c) => {
   });
   return c.json({ data: { key, value } });
 });
+var SYNC_LOCK_KEY = "contentful:sync:lock";
+var SYNC_LOCK_TTL = 60;
 siteConfigRoute.post("/sync-content", authMiddleware, adminMiddleware, async (c) => {
   if (!ContentfulManagement.isConfigured(c.env.CONTENTFUL_SPACE_ID, c.env.CONTENTFUL_MANAGEMENT_TOKEN)) {
     throw serviceUnavailable("Contentful Management API credentials not configured.");
   }
-  const mgmt = new ContentfulManagement(
-    c.env.CONTENTFUL_SPACE_ID,
-    c.env.CONTENTFUL_MANAGEMENT_TOKEN,
-    c.env.CONTENTFUL_ENVIRONMENT
-  );
-  const db = createDb(c.env.DB);
-  await ensureContentTypes(mgmt, {});
-  const result = await pushToContentful(db, mgmt, {});
-  return c.json({ data: result });
+  const existingLock = await c.env.KV.get(SYNC_LOCK_KEY);
+  if (existingLock) {
+    throw conflict("A sync is already in progress. Please wait and try again.");
+  }
+  await c.env.KV.put(SYNC_LOCK_KEY, "1", { expirationTtl: SYNC_LOCK_TTL });
+  try {
+    const mgmt = new ContentfulManagement(
+      c.env.CONTENTFUL_SPACE_ID,
+      c.env.CONTENTFUL_MANAGEMENT_TOKEN,
+      c.env.CONTENTFUL_ENVIRONMENT
+    );
+    const db = createDb(c.env.DB);
+    await ensureContentTypes(mgmt, {});
+    const result = await pushToContentful(db, mgmt, {}, c.env.KV);
+    return c.json({ data: result });
+  } finally {
+    await c.env.KV.delete(SYNC_LOCK_KEY);
+  }
 });
 
 // src/routes/faqs.ts
@@ -64107,8 +64440,7 @@ async function pushFaqToContentful(env2, faq) {
       "en-US": { question: faq.question },
       answer: { "en-US": faq.answer },
       category: { "en-US": faq.category },
-      sortOrder: { "en-US": faq.sortOrder },
-      isActive: { "en-US": faq.isActive }
+      sortOrder: { "en-US": faq.sortOrder }
     });
     console.log(`[Contentful] Synced FAQ ${faq.id} successfully`);
   } catch (err) {
@@ -64121,7 +64453,6 @@ faqsRoute.get("/", async (c) => {
   const data = await cache3.getOrSet(
     FAQS_KV_KEY,
     () => db.query.faqs.findMany({
-      where: eq(faqs.isActive, true),
       orderBy: (t, { asc: asc2 }) => [asc2(t.sortOrder), asc2(t.createdAt)]
     }),
     FAQS_TTL
@@ -64159,11 +64490,9 @@ faqsRoute.delete("/:id", authMiddleware, adminMiddleware, async (c) => {
   const { id } = c.req.param();
   const db = createDb(c.env.DB);
   const cache3 = new CacheService(c.env.KV);
-  const now2 = Math.floor(Date.now() / 1e3);
-  const [deleted] = await db.update(faqs).set({ isActive: false, updatedAt: now2 }).where(eq(faqs.id, id)).returning();
+  const [deleted] = await db.delete(faqs).where(eq(faqs.id, id)).returning();
   if (!deleted) throw notFound("FAQ");
   await cache3.del(FAQS_KV_KEY);
-  c.executionCtx.waitUntil(pushFaqToContentful(c.env, deleted));
   return c.json({ data: { deleted: true } });
 });
 
@@ -64317,6 +64646,49 @@ uploadsRoute.post(
     );
   }
 );
+uploadsRoute.post(
+  "/contentful",
+  authMiddleware,
+  adminMiddleware,
+  async (c) => {
+    if (!ContentfulManagement.isConfigured(c.env.CONTENTFUL_SPACE_ID, c.env.CONTENTFUL_MANAGEMENT_TOKEN)) {
+      throw serviceUnavailable("Contentful Management API credentials not configured.");
+    }
+    let formData;
+    try {
+      formData = await c.req.formData();
+    } catch {
+      throw badRequest("Request body must be multipart/form-data.");
+    }
+    const file2 = formData.get("file");
+    if (!(file2 instanceof File)) {
+      throw badRequest('A "file" field is required.');
+    }
+    const contentType = file2.type || "application/octet-stream";
+    if (!ALLOWED_MIME_TYPES.has(contentType)) {
+      throw badRequest(`Unsupported file type "${contentType}".`);
+    }
+    if (file2.size > MAX_FILE_SIZE) {
+      throw badRequest("File exceeds 10MB limit.");
+    }
+    const mgmt = new ContentfulManagement(
+      c.env.CONTENTFUL_SPACE_ID,
+      c.env.CONTENTFUL_MANAGEMENT_TOKEN,
+      c.env.CONTENTFUL_ENVIRONMENT
+    );
+    const arrayBuffer = await file2.arrayBuffer();
+    const uploadId = await mgmt.uploadFile(file2.name, arrayBuffer, contentType);
+    const asset = await mgmt.createAssetFromUpload(uploadId, file2.name, file2.name, contentType);
+    return c.json({
+      data: {
+        assetId: asset.id,
+        url: asset.url,
+        size: file2.size,
+        contentType
+      }
+    }, 201);
+  }
+);
 function sanitizeFolder(raw2) {
   if (typeof raw2 !== "string" || !raw2.trim()) return "images";
   return raw2.trim().replace(/[^a-zA-Z0-9\-_/]/g, "").replace(/\/+/g, "/").replace(/^\/|\/$/g, "") || "images";
@@ -64333,10 +64705,43 @@ function extensionFromMime(mime) {
 }
 
 // src/routes/themes.ts
+var CF_THEME_CT = "theme";
+async function pushThemeToContentful(env2, theme) {
+  if (!ContentfulManagement.isConfigured(env2.CONTENTFUL_SPACE_ID, env2.CONTENTFUL_MANAGEMENT_TOKEN)) return;
+  const mgmt = new ContentfulManagement(
+    env2.CONTENTFUL_SPACE_ID,
+    env2.CONTENTFUL_MANAGEMENT_TOKEN,
+    env2.CONTENTFUL_ENVIRONMENT
+  );
+  try {
+    await mgmt.upsertEntry(CF_THEME_CT, theme.id, {
+      name: ContentfulManagement.locale(theme.name),
+      path: ContentfulManagement.locale(theme.path)
+    });
+  } catch (err) {
+    console.warn(`[Contentful] Failed to sync theme ${theme.id}:`, err);
+  }
+}
+async function deleteThemeFromContentful(env2, themeId) {
+  if (!ContentfulManagement.isConfigured(env2.CONTENTFUL_SPACE_ID, env2.CONTENTFUL_MANAGEMENT_TOKEN)) return;
+  const mgmt = new ContentfulManagement(
+    env2.CONTENTFUL_SPACE_ID,
+    env2.CONTENTFUL_MANAGEMENT_TOKEN,
+    env2.CONTENTFUL_ENVIRONMENT
+  );
+  try {
+    const entry = await mgmt.getEntry(themeId);
+    if (entry) {
+      await mgmt.unpublishEntry(themeId);
+      await mgmt.deleteEntry(themeId);
+    }
+  } catch (err) {
+    console.warn(`[Contentful] Failed to delete theme ${themeId} from Contentful:`, err);
+  }
+}
 var createThemeSchema = external_exports.object({
   name: external_exports.string().min(1),
-  path: external_exports.string().min(1),
-  color: external_exports.string().optional()
+  path: external_exports.string().min(1)
 });
 var themesRoute = new Hono2();
 themesRoute.get("/", async (c) => {
@@ -64354,6 +64759,7 @@ themesRoute.post(
     const db = createDb(c.env.DB);
     try {
       const [created] = await db.insert(themes).values(body).returning();
+      c.executionCtx.waitUntil(pushThemeToContentful(c.env, created));
       return c.json({ data: created }, 201);
     } catch (err) {
       if (err.message && err.message.includes("UNIQUE constraint failed")) {
@@ -64374,6 +64780,7 @@ themesRoute.patch(
     try {
       const [updated] = await db.update(themes).set(body).where(eq(themes.id, id)).returning();
       if (!updated) throw notFound("Theme");
+      c.executionCtx.waitUntil(pushThemeToContentful(c.env, updated));
       return c.json({ data: updated });
     } catch (err) {
       if (err.message && err.message.includes("UNIQUE constraint failed")) {
@@ -64388,6 +64795,67 @@ themesRoute.delete("/:id", authMiddleware, adminMiddleware, async (c) => {
   const db = createDb(c.env.DB);
   const [deleted] = await db.delete(themes).where(eq(themes.id, id)).returning();
   if (!deleted) throw notFound("Theme");
+  c.executionCtx.waitUntil(deleteThemeFromContentful(c.env, id));
+  return c.body(null, 204);
+});
+
+// src/routes/organizations.ts
+var createOrganizationSchema = external_exports.object({
+  name: external_exports.string().min(1),
+  acronym: external_exports.string().min(1),
+  logoUrl: external_exports.string().url().nullable().optional(),
+  link: external_exports.string().url().nullable().optional()
+});
+var organizationsRoute = new Hono2();
+organizationsRoute.get("/", async (c) => {
+  const db = createDb(c.env.DB);
+  const data = await db.select().from(organizations);
+  return c.json({ data });
+});
+organizationsRoute.post(
+  "/",
+  authMiddleware,
+  adminMiddleware,
+  zValidator("json", createOrganizationSchema),
+  async (c) => {
+    const body = c.req.valid("json");
+    const db = createDb(c.env.DB);
+    try {
+      const [created] = await db.insert(organizations).values(body).returning();
+      return c.json({ data: created }, 201);
+    } catch (err) {
+      if (err.message && err.message.includes("UNIQUE constraint failed")) {
+        throw conflict("An organization with this name or acronym already exists.");
+      }
+      throw err;
+    }
+  }
+);
+organizationsRoute.patch(
+  "/:id",
+  authMiddleware,
+  adminMiddleware,
+  async (c) => {
+    const { id } = c.req.param();
+    const body = await c.req.json();
+    const db = createDb(c.env.DB);
+    try {
+      const [updated] = await db.update(organizations).set(body).where(eq(organizations.id, id)).returning();
+      if (!updated) throw notFound("Organization");
+      return c.json({ data: updated });
+    } catch (err) {
+      if (err.message && err.message.includes("UNIQUE constraint failed")) {
+        throw conflict("An organization with this name or acronym already exists.");
+      }
+      throw err;
+    }
+  }
+);
+organizationsRoute.delete("/:id", authMiddleware, adminMiddleware, async (c) => {
+  const { id } = c.req.param();
+  const db = createDb(c.env.DB);
+  const [deleted] = await db.delete(organizations).where(eq(organizations.id, id)).returning();
+  if (!deleted) throw notFound("Organization");
   return c.body(null, 204);
 });
 
@@ -64435,12 +64903,13 @@ function createApp(options = {}) {
   });
   app2.post(POW_VERIFY_PATH, handlePowVerify);
   app2.route("/health", healthRoute);
-  app2.route("/config", siteConfigRoute);
-  app2.route("/events", eventsRoute);
-  app2.route("/themes", themesRoute);
-  app2.route("/users", usersRoute);
-  app2.route("/faqs", faqsRoute);
-  app2.route("/uploads", uploadsRoute);
+  app2.route("/api/config", siteConfigRoute);
+  app2.route("/api/events", eventsRoute);
+  app2.route("/api/themes", themesRoute);
+  app2.route("/api/users", usersRoute);
+  app2.route("/api/organizations", organizationsRoute);
+  app2.route("/api/faqs", faqsRoute);
+  app2.route("/api/uploads", uploadsRoute);
   app2.route("/internal/gforms-webhook", gformsWebhookRoute);
   app2.onError(errorHandler2);
   app2.notFound(
@@ -64655,11 +65124,12 @@ var ResendService = class {
   }
 };
 function buildReminderEmail(event) {
+  const timeDisplay = [event.dateTime, event.startTime].filter(Boolean).join(" at ");
   return `
     <div style="font-family: sans-serif; max-width: 600px; margin: 0 auto; padding: 24px;">
       <h2 style="color: #1a1a2e;">\u{1F4C5} Reminder: ${event.title}</h2>
-      ${event.org ? `<p style="color: #666;">Organized by: <strong>${event.org}</strong></p>` : ""}
-      ${event.dateTime ? `<p>\u{1F550} <strong>${event.dateTime}</strong></p>` : ""}
+      ${event.organization ? `<p style="color: #666;">Organized by: <strong>${event.organization}</strong></p>` : ""}
+      ${timeDisplay ? `<p>\u{1F550} <strong>${timeDisplay}</strong></p>` : ""}
       ${event.venue ? `<p>\u{1F4CD} <strong>${event.venue}</strong></p>` : ""}
       <hr style="margin: 24px 0; border: none; border-top: 1px solid #eee;" />
       ${event.gformsUrl ? `<p>You registered for this event. See you there!</p>
@@ -64802,72 +65272,74 @@ function createQueueHandler(env2) {
   };
 }
 async function processJob(job, services) {
-  const { db, email: email3, gforms, env: env2 } = services;
+  const { db, email: email3, gforms } = services;
   switch (job.type) {
     case "send_email": {
-      if (!email3) throw new Error("Email provider not configured (SES credentials missing)");
+      if (!email3) throw new Error("Email provider not configured");
       const result = await email3.sendEmail(job.payload);
       console.log(`[Queue] send_email dispatched via ${result.provider} (id=${result.id})`);
       break;
     }
     case "send_reminder_email": {
-      if (!email3) throw new Error("Email provider not configured (SES credentials missing)");
+      if (!email3) throw new Error("Email provider not configured");
       const event = await db.query.events.findFirst({
-        where: eq(events.id, job.payload.eventId)
+        where: eq(events.id, job.payload.eventId),
+        with: { organization: true }
       });
       if (!event?.gformsId) break;
       const emails = await gforms.getRespondentEmails(event.gformsId);
       if (emails.length === 0) break;
       const isDay = job.payload.hoursBeforeEvent === 24;
-      const subject = isDay ? `Reminder: "${event.title}" is tomorrow!` : `Reminder: "${event.title}" starts in 1 hour!`;
-      const html2 = buildReminderEmail(event);
-      const BATCH_SIZE = 100;
+      const subject = isDay ? `Reminder: "${event.title}" is tomorrow!` : `Reminder: "${event.title}" is in 1 hour!`;
+      const html2 = buildReminderEmail({
+        title: event.title,
+        organization: event.organization?.name ?? null,
+        dateTime: event.dateTime,
+        startTime: event.startTime,
+        venue: event.venue,
+        gformsUrl: event.gformsUrl
+      });
+      const BATCH_SIZE = 50;
+      const chunks = [];
       for (let i = 0; i < emails.length; i += BATCH_SIZE) {
-        const chunk = emails.slice(i, i + BATCH_SIZE).map((to) => ({ to, subject, html: html2 }));
-        const results = await email3.sendBatch(chunk);
-        const failures = results.filter((r) => r.status === "rejected");
-        if (failures.length > 0) {
+        chunks.push(emails.slice(i, i + BATCH_SIZE));
+      }
+      const failures = [];
+      for (let i = 0; i < chunks.length; i++) {
+        const chunk = chunks[i];
+        try {
+          await email3.sendEmail({ to: chunk, subject, html: html2 });
+        } catch (err) {
+          failures.push(...chunk);
           console.error(
             `[Queue] send_reminder_email: ${failures.length}/${chunk.length} messages failed in batch ${i / BATCH_SIZE + 1}`,
-            failures.map((f) => f.reason)
+            err
           );
         }
       }
-      if (isDay) {
-        await db.update(events).set({ reminder24hSent: true }).where(eq(events.id, job.payload.eventId));
-      } else {
-        await db.update(events).set({ reminder1hSent: true }).where(eq(events.id, job.payload.eventId));
-      }
+      const field = isDay ? "reminder24hSent" : "reminder1hSent";
+      await db.update(events).set({ [field]: true }).where(eq(events.id, event.id));
       break;
     }
     case "audit_log": {
-      console.log("[Audit]", job.payload.action, job.payload.userId, job.payload.meta);
+      console.log(`[Queue] audit_log: ${job.payload.action} by ${job.payload.userId}`);
       break;
     }
-    case "notify_batch_release": {
-      console.log("[Release] Events published:", job.payload.eventIds.join(", "));
+    case "snapshot_content": {
+      console.log(`[Queue] snapshot_content triggered at ${job.payload.triggeredAt}`);
       break;
     }
-    case "renew_forms_watch": {
-      const renewed = await gforms.renewWatch(job.payload.formId, job.payload.watchId);
-      const newExpiry = Math.floor(new Date(renewed.expireTime).getTime() / 1e3);
-      await db.update(events).set({ watchExpiresAt: newExpiry }).where(eq(events.gformsId, job.payload.formId));
+    case "notify_batch_release": {
+      console.log(`[Queue] notify_batch_release: ${job.payload.eventIds.length} events released`);
       break;
     }
-    case "snapshot_content": {
-      console.log("[Snapshot] Content snapshot triggered at", job.payload.triggeredAt);
-      if (!ContentfulManagement.isConfigured(env2.CONTENTFUL_SPACE_ID, env2.CONTENTFUL_MANAGEMENT_TOKEN)) {
-        console.warn("[Snapshot] Contentful Management API credentials not configured \u2014 skipping");
-        break;
+    case "renew_forms_watch": {
+      try {
+        await gforms.renewWatch(job.payload.formId, job.payload.watchId);
+        console.log(`[Queue] renew_forms_watch: renewed watch for form ${job.payload.formId}`);
+      } catch (err) {
+        console.error(`[Queue] renew_forms_watch failed for form ${job.payload.formId}:`, err);
       }
-      const mgmt = new ContentfulManagement(
-        env2.CONTENTFUL_SPACE_ID,
-        env2.CONTENTFUL_MANAGEMENT_TOKEN,
-        env2.CONTENTFUL_ENVIRONMENT
-      );
-      await ensureContentTypes(mgmt, {});
-      const result = await pushToContentful(db, mgmt, {});
-      console.log("[Snapshot] Result:", JSON.stringify(result));
       break;
     }
   }
@@ -64944,9 +65416,12 @@ async function reconcileSlots(env2) {
 }
 
 // src/cron/reminder-emails.ts
-var SECONDS_IN_24H = 86400;
-var SECONDS_IN_1H = 3600;
-var WINDOW = 3600;
+function parseStartTimestamp(dateTime, startTime) {
+  if (!dateTime) return null;
+  const combined = startTime ? `${dateTime} ${startTime}` : dateTime;
+  const ms = Date.parse(combined);
+  return Number.isNaN(ms) ? null : Math.floor(ms / 1e3);
+}
 async function reminderEmails(env2) {
   if (!env2.EMAIL_QUEUE) {
     console.warn(
@@ -64964,17 +65439,21 @@ async function reminderEmails(env2) {
   }
   const db = createDb(env2.DB);
   const now2 = Math.floor(Date.now() / 1e3);
-  const events24h = await db.query.events.findMany({
+  const candidates24h = await db.query.events.findMany({
     where: and(
       eq(events.status, "published"),
-      eq(events.reminder24hSent, false),
-      lte(events.startsAt, now2 + SECONDS_IN_24H + WINDOW)
+      eq(events.reminder24hSent, false)
     ),
-    columns: { id: true, slug: true, startsAt: true }
+    columns: {
+      id: true,
+      dateTime: true,
+      startTime: true
+    }
   });
-  for (const event of events24h) {
-    if (!event.startsAt) continue;
-    const hoursUntil = (event.startsAt - now2) / 3600;
+  for (const event of candidates24h) {
+    const startsAt = parseStartTimestamp(event.dateTime, event.startTime);
+    if (!startsAt) continue;
+    const hoursUntil = (startsAt - now2) / 3600;
     if (hoursUntil <= 25 && hoursUntil >= 23) {
       await env2.EMAIL_QUEUE.send({
         type: "send_reminder_email",
@@ -64982,27 +65461,28 @@ async function reminderEmails(env2) {
       });
     }
   }
-  const events1h = await db.query.events.findMany({
+  const candidates1h = await db.query.events.findMany({
     where: and(
       eq(events.status, "published"),
-      eq(events.reminder1hSent, false),
-      lte(events.startsAt, now2 + SECONDS_IN_1H + WINDOW)
+      eq(events.reminder1hSent, false)
     ),
-    columns: { id: true, slug: true, startsAt: true }
+    columns: {
+      id: true,
+      dateTime: true,
+      startTime: true
+    }
   });
-  for (const event of events1h) {
-    if (!event.startsAt) continue;
-    const minutesUntil = (event.startsAt - now2) / 60;
-    if (minutesUntil <= 65 && minutesUntil >= 55) {
+  for (const event of candidates1h) {
+    const startsAt = parseStartTimestamp(event.dateTime, event.startTime);
+    if (!startsAt) continue;
+    const hoursUntil = (startsAt - now2) / 3600;
+    if (hoursUntil <= 1.5 && hoursUntil >= 0) {
       await env2.EMAIL_QUEUE.send({
         type: "send_reminder_email",
         payload: { eventId: event.id, hoursBeforeEvent: 1 }
       });
     }
   }
-  console.log(
-    `[reminder-emails] Queued ${events24h.length} 24h reminders, ${events1h.length} 1h reminders.`
-  );
 }
 
 // src/cron/lifecycle-check.ts
@@ -65018,7 +65498,6 @@ async function lifecycleCheck(env2, ctx) {
   if (!siteEndsAt || snapshotCompleted) return;
   if (now2 >= siteEndsAt) {
     console.log("[lifecycle-check] siteEndsAt passed \u2014 triggering content snapshot.");
-    await db.update(siteConfig).set({ value: "true", updatedAt: now2 }).where(eq(siteConfig.key, "snapshot_completed"));
     if (env2.EMAIL_QUEUE) {
       ctx.waitUntil(
         env2.EMAIL_QUEUE.send({ type: "snapshot_content", payload: { triggeredAt: now2 } })
@@ -65056,73 +65535,183 @@ async function renewWatches(env2) {
   }
   console.log(`[renew-watches] Renewed ${renewed}/${watchEvents.length} watches.`);
 }
-function readMigrationFiles(config3) {
-  const migrationFolderTo = config3.migrationsFolder;
-  const migrationQueries = [];
-  const journalPath = `${migrationFolderTo}/meta/_journal.json`;
-  if (!fs.existsSync(journalPath)) {
-    throw new Error(`Can't find meta/_journal.json file`);
-  }
-  const journalAsString = fs.readFileSync(`${migrationFolderTo}/meta/_journal.json`).toString();
-  const journal = JSON.parse(journalAsString);
-  for (const journalEntry of journal.entries) {
-    const migrationPath = `${migrationFolderTo}/${journalEntry.tag}.sql`;
+
+// src/db/migrate.ts
+var PATCH_STATEMENTS = [
+  `ALTER TABLE "themes" ADD COLUMN "updated_at" integer NOT NULL DEFAULT (unixepoch())`,
+  `ALTER TABLE "events" ADD COLUMN "organization_id" text`,
+  `ALTER TABLE "events" ADD COLUMN "class_code" text`,
+  `ALTER TABLE "events" ADD COLUMN "start_time" text`,
+  `ALTER TABLE "events" ADD COLUMN "end_time" text`,
+  `CREATE INDEX IF NOT EXISTS "idx_events_organization_id" ON "events" ("organization_id")`
+];
+var CREATE_STATEMENTS = [
+  // Better Auth: user
+  `CREATE TABLE IF NOT EXISTS "user" (
+    "id" text PRIMARY KEY NOT NULL,
+    "name" text NOT NULL,
+    "email" text NOT NULL,
+    "email_verified" integer DEFAULT false NOT NULL,
+    "image" text,
+    "created_at" integer DEFAULT (cast(unixepoch('subsecond') * 1000 as integer)) NOT NULL,
+    "updated_at" integer DEFAULT (cast(unixepoch('subsecond') * 1000 as integer)) NOT NULL
+  )`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS "user_email_unique" ON "user" ("email")`,
+  // Better Auth: session
+  `CREATE TABLE IF NOT EXISTS "session" (
+    "id" text PRIMARY KEY NOT NULL,
+    "expires_at" integer NOT NULL,
+    "token" text NOT NULL,
+    "created_at" integer DEFAULT (cast(unixepoch('subsecond') * 1000 as integer)) NOT NULL,
+    "updated_at" integer DEFAULT (cast(unixepoch('subsecond') * 1000 as integer)) NOT NULL,
+    "ip_address" text,
+    "user_agent" text,
+    "user_id" text NOT NULL,
+    FOREIGN KEY ("user_id") REFERENCES "user"("id") ON UPDATE no action ON DELETE cascade
+  )`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS "session_token_unique" ON "session" ("token")`,
+  `CREATE INDEX IF NOT EXISTS "session_userId_idx" ON "session" ("user_id")`,
+  // Better Auth: account
+  `CREATE TABLE IF NOT EXISTS "account" (
+    "id" text PRIMARY KEY NOT NULL,
+    "account_id" text NOT NULL,
+    "provider_id" text NOT NULL,
+    "user_id" text NOT NULL,
+    "access_token" text,
+    "refresh_token" text,
+    "id_token" text,
+    "access_token_expires_at" integer,
+    "refresh_token_expires_at" integer,
+    "scope" text,
+    "password" text,
+    "created_at" integer DEFAULT (cast(unixepoch('subsecond') * 1000 as integer)) NOT NULL,
+    "updated_at" integer DEFAULT (cast(unixepoch('subsecond') * 1000 as integer)) NOT NULL,
+    FOREIGN KEY ("user_id") REFERENCES "user"("id") ON UPDATE no action ON DELETE cascade
+  )`,
+  `CREATE INDEX IF NOT EXISTS "account_userId_idx" ON "account" ("user_id")`,
+  // Better Auth: verification
+  `CREATE TABLE IF NOT EXISTS "verification" (
+    "id" text PRIMARY KEY NOT NULL,
+    "identifier" text NOT NULL,
+    "value" text NOT NULL,
+    "expires_at" integer NOT NULL,
+    "created_at" integer DEFAULT (cast(unixepoch('subsecond') * 1000 as integer)),
+    "updated_at" integer DEFAULT (cast(unixepoch('subsecond') * 1000 as integer))
+  )`,
+  `CREATE INDEX IF NOT EXISTS "verification_identifier_idx" ON "verification" ("identifier")`,
+  // App: users
+  `CREATE TABLE IF NOT EXISTS "users" (
+    "id" text PRIMARY KEY NOT NULL,
+    "better_auth_id" text NOT NULL,
+    "email" text NOT NULL,
+    "name" text NOT NULL,
+    "role" text DEFAULT 'student' NOT NULL,
+    "created_at" integer DEFAULT (unixepoch()) NOT NULL
+  )`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS "users_better_auth_id_unique" ON "users" ("better_auth_id")`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS "users_email_unique" ON "users" ("email")`,
+  // App: organizations (before events, due to FK)
+  `CREATE TABLE IF NOT EXISTS "organizations" (
+    "id" text PRIMARY KEY NOT NULL,
+    "name" text NOT NULL,
+    "acronym" text NOT NULL,
+    "logo_url" text,
+    "link" text,
+    "created_at" integer DEFAULT (unixepoch()) NOT NULL
+  )`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS "organizations_name_unique" ON "organizations" ("name")`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS "organizations_acronym_unique" ON "organizations" ("acronym")`,
+  // App: themes (before events, due to FK)
+  `CREATE TABLE IF NOT EXISTS "themes" (
+    "id" text PRIMARY KEY NOT NULL,
+    "name" text NOT NULL,
+    "path" text NOT NULL,
+    "created_at" integer NOT NULL,
+    "updated_at" integer NOT NULL DEFAULT (unixepoch())
+  )`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS "themes_name_unique" ON "themes" ("name")`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS "themes_path_unique" ON "themes" ("path")`,
+  // App: events
+  `CREATE TABLE IF NOT EXISTS "events" (
+    "id" text PRIMARY KEY NOT NULL,
+    "slug" text NOT NULL,
+    "theme_id" text,
+    "organization_id" text,
+    "title" text NOT NULL,
+    "description" text,
+    "venue" text,
+    "date_time" text,
+    "price" text,
+    "background_image_url" text,
+    "class_code" text,
+    "start_time" text,
+    "end_time" text,
+    "is_major" integer DEFAULT false NOT NULL,
+    "max_slots" integer DEFAULT 0 NOT NULL,
+    "registered_slots" integer DEFAULT 0 NOT NULL,
+    "gforms_id" text,
+    "gforms_url" text,
+    "gforms_editor_url" text,
+    "registration_closes_at" integer,
+    "watch_id" text,
+    "watch_expires_at" integer,
+    "status" text DEFAULT 'draft' NOT NULL,
+    "release_at" integer,
+    "reminder_24h_sent" integer DEFAULT false NOT NULL,
+    "reminder_1h_sent" integer DEFAULT false NOT NULL,
+    "contentful_entry_id" text,
+    "created_at" integer DEFAULT (unixepoch()) NOT NULL,
+    "published_at" integer,
+    FOREIGN KEY ("theme_id") REFERENCES "themes"("id") ON UPDATE no action ON DELETE set null,
+    FOREIGN KEY ("organization_id") REFERENCES "organizations"("id") ON UPDATE no action ON DELETE set null
+  )`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS "events_slug_unique" ON "events" ("slug")`,
+  `CREATE INDEX IF NOT EXISTS "idx_events_status_release" ON "events" ("status", "release_at")`,
+  `CREATE INDEX IF NOT EXISTS "idx_events_theme_id" ON "events" ("theme_id")`,
+  `CREATE INDEX IF NOT EXISTS "idx_events_organization_id" ON "events" ("organization_id")`,
+  `CREATE INDEX IF NOT EXISTS "idx_events_slug" ON "events" ("slug")`,
+  // App: faqs
+  `CREATE TABLE IF NOT EXISTS "faqs" (
+    "id" text PRIMARY KEY NOT NULL,
+    "question" text NOT NULL,
+    "answer" text NOT NULL,
+    "category" text,
+    "sort_order" integer DEFAULT 0 NOT NULL,
+    "created_at" integer DEFAULT (unixepoch()) NOT NULL,
+    "updated_at" integer DEFAULT (unixepoch()) NOT NULL
+  )`,
+  // App: site_config
+  `CREATE TABLE IF NOT EXISTS "site_config" (
+    "key" text PRIMARY KEY NOT NULL,
+    "value" text NOT NULL,
+    "updated_at" integer DEFAULT (unixepoch()) NOT NULL
+  )`,
+  // App: bookmarks
+  `CREATE TABLE IF NOT EXISTS "bookmarks" (
+    "id" text PRIMARY KEY NOT NULL,
+    "user_id" text NOT NULL,
+    "event_id" text NOT NULL,
+    "created_at" integer DEFAULT (unixepoch()) NOT NULL,
+    FOREIGN KEY ("user_id") REFERENCES "users"("id") ON UPDATE no action ON DELETE cascade,
+    FOREIGN KEY ("event_id") REFERENCES "events"("id") ON UPDATE no action ON DELETE cascade
+  )`,
+  `CREATE UNIQUE INDEX IF NOT EXISTS "idx_bookmarks_user_event" ON "bookmarks" ("user_id", "event_id")`
+];
+async function ensureDatabase(d1) {
+  const { results } = await d1.prepare("SELECT name FROM sqlite_master WHERE type='table' AND name='user'").all();
+  if (results.length === 0) {
+    for (const sql3 of CREATE_STATEMENTS) {
+      await d1.prepare(sql3).run();
+    }
+  }
+  for (const sql3 of PATCH_STATEMENTS) {
     try {
-      const query = fs.readFileSync(`${migrationFolderTo}/${journalEntry.tag}.sql`).toString();
-      const result = query.split("--> statement-breakpoint").map((it) => {
-        return it;
-      });
-      migrationQueries.push({
-        sql: result,
-        bps: journalEntry.breakpoints,
-        folderMillis: journalEntry.when,
-        hash: crypto2.createHash("sha256").update(query).digest("hex")
-      });
-    } catch {
-      throw new Error(`No file ${migrationPath} found in ${migrationFolderTo} folder`);
-    }
-  }
-  return migrationQueries;
-}
-
-// node_modules/drizzle-orm/d1/migrator.js
-async function migrate(db, config3) {
-  const migrations = readMigrationFiles(config3);
-  const migrationsTable = config3.migrationsTable ?? "__drizzle_migrations";
-  const migrationTableCreate = sql2`
-		CREATE TABLE IF NOT EXISTS ${sql2.identifier(migrationsTable)} (
-			id SERIAL PRIMARY KEY,
-			hash text NOT NULL,
-			created_at numeric
-		)
-	`;
-  await db.session.run(migrationTableCreate);
-  const dbMigrations = await db.values(
-    sql2`SELECT id, hash, created_at FROM ${sql2.identifier(migrationsTable)} ORDER BY created_at DESC LIMIT 1`
-  );
-  const lastDbMigration = dbMigrations[0] ?? void 0;
-  const statementToBatch = [];
-  for (const migration of migrations) {
-    if (!lastDbMigration || Number(lastDbMigration[2]) < migration.folderMillis) {
-      for (const stmt of migration.sql) {
-        statementToBatch.push(db.run(sql2.raw(stmt)));
-      }
-      statementToBatch.push(
-        db.run(
-          sql2`INSERT INTO ${sql2.identifier(migrationsTable)} ("hash", "created_at") VALUES(${sql2.raw(`'${migration.hash}'`)}, ${sql2.raw(`${migration.folderMillis}`)})`
-        )
-      );
+      await d1.prepare(sql3).run();
+    } catch (err) {
+      if (err?.message?.includes("duplicate column")) continue;
+      throw err;
     }
   }
-  if (statementToBatch.length > 0) {
-    await db.session.batch(statementToBatch);
-  }
-}
-
-// src/db/migrate.ts
-async function ensureDatabase(d1, migrationsFolder = "./drizzle") {
-  const db = createDb(d1);
-  await migrate(db, { migrationsFolder });
 }
 
 // src/index.ts
@@ -65154,7 +65743,7 @@ function createLeapify(options = {}) {
       if (options.autoMigrate && !migrated) {
         migrated = true;
         try {
-          await ensureDatabase(env2.DB, options.migrationsFolder);
+          await ensureDatabase(env2.DB);
         } catch (err) {
           console.error("[leapify] Auto-migration failed:", err);
         }