From c4cea70d15b71234cb7b1ad71a58e7c7bc2ebd39 Mon Sep 17 00:00:00 2001
From: Jacob Coffee <jacob@z7x.org>
Date: Wed, 18 Mar 2026 21:26:00 -0500
Subject: [PATCH 1/6] feat: add on-site check-in, door checks, and product
 redemption system

Implements Phase 17: on-site check-in scanner with staff-facing UI,
per-product door checks, and line-item redemption with double-use
prevention. Modeled after pycon-site's DoorCheck + redemption flow.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../templates/django_program/manage/base.html |   5 +
 .../manage/checkin_dashboard.html             | 152 ++++
 .../manage/checkin_scanner.html               | 575 +++++++++++++
 src/django_program/manage/urls.py             |   4 +
 src/django_program/manage/views_checkin.py    | 107 +++
 src/django_program/registration/admin.py      |  63 ++
 src/django_program/registration/checkin.py    | 150 ++++
 ...016_checkin_doorcheck_productredemption.py | 176 ++++
 src/django_program/registration/models.py     |   4 +
 .../registration/services/checkin.py          | 299 +++++++
 src/django_program/registration/urls.py       |  11 +
 .../registration/views_checkin.py             | 378 +++++++++
 tests/test_registration/test_checkin.py       | 758 ++++++++++++++++++
 13 files changed, 2682 insertions(+)
 create mode 100644 src/django_program/manage/templates/django_program/manage/checkin_dashboard.html
 create mode 100644 src/django_program/manage/templates/django_program/manage/checkin_scanner.html
 create mode 100644 src/django_program/manage/views_checkin.py
 create mode 100644 src/django_program/registration/checkin.py
 create mode 100644 src/django_program/registration/migrations/0016_checkin_doorcheck_productredemption.py
 create mode 100644 src/django_program/registration/services/checkin.py
 create mode 100644 src/django_program/registration/views_checkin.py
 create mode 100644 tests/test_registration/test_checkin.py

diff --git a/src/django_program/manage/templates/django_program/manage/base.html b/src/django_program/manage/templates/django_program/manage/base.html
index a8dcb0d..d79e2bb 100644
--- a/src/django_program/manage/templates/django_program/manage/base.html
+++ b/src/django_program/manage/templates/django_program/manage/base.html
@@ -1108,6 +1108,11 @@
               <span class="sidebar-nav-icon"><svg width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5"><path d="M2 4h12M2 8h12M2 12h12"/><circle cx="5" cy="4" r="1"/><circle cx="5" cy="8" r="1"/><circle cx="5" cy="12" r="1"/></svg></span> Bulk Deals
             </a>
           </li>
+          <li>
+            <a href="{% url 'manage:checkin-dashboard' conference.slug %}" class="{% if active_nav == 'checkin' %}active{% endif %}">
+              <span class="sidebar-nav-icon"><svg width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5"><path d="M4 8l3 3 5-6"/><rect x="1.5" y="1.5" width="13" height="13" rx="2"/></svg></span> Check-in
+            </a>
+          </li>
         </ul>
       </div>
       <div class="sidebar-section">
diff --git a/src/django_program/manage/templates/django_program/manage/checkin_dashboard.html b/src/django_program/manage/templates/django_program/manage/checkin_dashboard.html
new file mode 100644
index 0000000..1c7b483
--- /dev/null
+++ b/src/django_program/manage/templates/django_program/manage/checkin_dashboard.html
@@ -0,0 +1,152 @@
+{% extends "django_program/manage/base.html" %}
+{% load humanize %}
+
+{% block title %}Check-in Dashboard{% endblock %}
+
+{% block breadcrumb %}
+<nav class="breadcrumb">
+  <a href="{% url 'manage:conference-list' %}">Conferences</a>
+  <span class="breadcrumb-separator"></span>
+  <a href="{% url 'manage:dashboard' conference.slug %}">{{ conference.name }}</a>
+  <span class="breadcrumb-separator"></span>
+  Check-in
+</nav>
+{% endblock %}
+
+{% block page_title %}
+<h1>Check-in Dashboard</h1>
+<p>Real-time check-in statistics and activity log.</p>
+{% endblock %}
+
+{% block page_actions %}
+<a href="{% url 'manage:checkin-scanner' conference.slug %}" class="btn btn-primary">
+  <svg width="16" height="16" fill="none" stroke="currentColor" stroke-width="1.5" style="vertical-align: -3px;"><path d="M1 5V2a1 1 0 011-1h3M11 1h3a1 1 0 011 1v3M15 11v3a1 1 0 01-1 1h-3M5 15H2a1 1 0 01-1-1v-3"/></svg>
+  Open Scanner
+</a>
+{% endblock %}
+
+{% block content %}
+<div class="stat-grid">
+  <div class="stat-card">
+    <div class="stat-card-value">{{ total_attendees }}</div>
+    <div class="stat-card-label">Total Attendees</div>
+  </div>
+  <div class="stat-card">
+    <div class="stat-card-value">{{ checked_in_count }}</div>
+    <div class="stat-card-label">Checked In</div>
+  </div>
+  <div class="stat-card">
+    <div class="stat-card-value">{{ check_in_rate }}%</div>
+    <div class="stat-card-label">Check-in Rate</div>
+  </div>
+  <div class="stat-card">
+    <div class="stat-card-value">{{ checkins_today }}</div>
+    <div class="stat-card-label">Today's Check-ins</div>
+  </div>
+</div>
+
+{% if checkins_by_station %}
+<h2 class="section-heading">Station Activity</h2>
+<table class="data-table" style="margin-bottom: 2rem;">
+  <thead>
+    <tr>
+      <th>Station</th>
+      <th>Check-ins</th>
+      <th>Last Check-in</th>
+    </tr>
+  </thead>
+  <tbody>
+    {% for row in checkins_by_station %}
+    <tr>
+      <td><strong>{{ row.station }}</strong></td>
+      <td>{{ row.count }}</td>
+      <td>{{ row.last_checkin|timesince }} ago</td>
+    </tr>
+    {% endfor %}
+  </tbody>
+</table>
+{% endif %}
+
+<h2 class="section-heading">Recent Check-ins</h2>
+{% if recent_checkins %}
+<table class="data-table" style="margin-bottom: 2rem;">
+  <thead>
+    <tr>
+      <th>Time</th>
+      <th>Attendee</th>
+      <th>Access Code</th>
+      <th>Station</th>
+      <th>Staff</th>
+    </tr>
+  </thead>
+  <tbody>
+    {% for ci in recent_checkins %}
+    <tr>
+      <td>{{ ci.checked_in_at|timesince }} ago</td>
+      <td>
+        {% if ci.attendee.user.get_full_name %}
+          {{ ci.attendee.user.get_full_name }}
+        {% else %}
+          {{ ci.attendee.user.username }}
+        {% endif %}
+      </td>
+      <td><span class="mono">{{ ci.attendee.access_code }}</span></td>
+      <td>{{ ci.station|default:"-" }}</td>
+      <td>
+        {% if ci.checked_in_by %}
+          {{ ci.checked_in_by.get_short_name|default:ci.checked_in_by.username }}
+        {% else %}
+          -
+        {% endif %}
+      </td>
+    </tr>
+    {% endfor %}
+  </tbody>
+</table>
+{% else %}
+<div class="empty-state" style="margin-bottom: 2rem;">
+  <p>No check-ins recorded yet.</p>
+  <p><a href="{% url 'manage:checkin-scanner' conference.slug %}">Open the scanner</a> to start checking in attendees.</p>
+</div>
+{% endif %}
+
+{% if redemption_stats %}
+<h2 class="section-heading">Product Redemptions</h2>
+<table class="data-table" style="margin-bottom: 2rem;">
+  <thead>
+    <tr>
+      <th>Product</th>
+      <th>Redemptions</th>
+    </tr>
+  </thead>
+  <tbody>
+    {% for row in redemption_stats %}
+    <tr>
+      <td>{{ row.order_line_item__description }}</td>
+      <td>{{ row.count }}</td>
+    </tr>
+    {% endfor %}
+  </tbody>
+</table>
+{% endif %}
+
+{% if door_check_counts %}
+<h2 class="section-heading">Door Checks</h2>
+<table class="data-table">
+  <thead>
+    <tr>
+      <th>Product</th>
+      <th>Door Checks</th>
+    </tr>
+  </thead>
+  <tbody>
+    {% for row in door_check_counts %}
+    <tr>
+      <td>{{ row.ticket_type__name|default:row.addon__name|default:"Unknown" }}</td>
+      <td>{{ row.count }}</td>
+    </tr>
+    {% endfor %}
+  </tbody>
+</table>
+{% endif %}
+{% endblock %}
diff --git a/src/django_program/manage/templates/django_program/manage/checkin_scanner.html b/src/django_program/manage/templates/django_program/manage/checkin_scanner.html
new file mode 100644
index 0000000..8dd0fe9
--- /dev/null
+++ b/src/django_program/manage/templates/django_program/manage/checkin_scanner.html
@@ -0,0 +1,575 @@
+{% extends "django_program/manage/base.html" %}
+
+{% block title %}Check-in Scanner{% endblock %}
+
+{% block extra_head %}
+<style>
+  .scanner-layout {
+    display: grid;
+    grid-template-columns: 1fr 1fr;
+    gap: 1.5rem;
+    align-items: start;
+  }
+
+  .scanner-input-panel {
+    grid-column: 1 / -1;
+  }
+
+  .scan-field {
+    width: 100%;
+    padding: 1rem 1.25rem;
+    font-size: 1.4rem;
+    font-family: var(--font-mono);
+    border: 2px solid var(--color-border);
+    border-radius: var(--radius-md);
+    background: var(--color-surface);
+    color: var(--color-text);
+    transition: border-color 0.2s ease, box-shadow 0.2s ease;
+    letter-spacing: 0.05em;
+  }
+  .scan-field:focus {
+    outline: none;
+    border-color: var(--color-primary);
+    box-shadow: 0 0 0 4px rgba(67, 56, 202, 0.15);
+  }
+  .scan-field::placeholder {
+    color: var(--color-text-muted);
+    font-family: var(--font-sans);
+    font-size: 1rem;
+    letter-spacing: normal;
+  }
+
+  .station-config {
+    display: flex;
+    align-items: center;
+    gap: 0.75rem;
+    margin-top: 0.75rem;
+  }
+  .station-config label {
+    font-size: 0.82rem;
+    font-weight: 600;
+    color: var(--color-text-muted);
+    white-space: nowrap;
+  }
+  .station-config input {
+    padding: 0.35rem 0.6rem;
+    border: 1px solid var(--color-border);
+    border-radius: var(--radius-sm);
+    font-size: 0.85rem;
+    font-family: var(--font-sans);
+    color: var(--color-text);
+    background: var(--color-surface);
+    max-width: 220px;
+  }
+  .station-config input:focus {
+    outline: none;
+    border-color: var(--color-primary);
+    box-shadow: 0 0 0 3px rgba(67, 56, 202, 0.1);
+  }
+
+  /* Status indicator */
+  .status-bar {
+    grid-column: 1 / -1;
+    padding: 1rem 1.25rem;
+    border-radius: var(--radius-md);
+    font-size: 1rem;
+    font-weight: 600;
+    text-align: center;
+    transition: background 0.3s ease, color 0.3s ease, opacity 0.3s ease;
+    display: none;
+  }
+  .status-bar.visible { display: block; }
+  .status-bar--success { background: var(--color-success-bg); color: var(--color-success); border: 1px solid var(--color-success); }
+  .status-bar--reentry { background: var(--color-warning-bg); color: var(--color-warning); border: 1px solid var(--color-warning-border); }
+  .status-bar--error { background: var(--color-danger-bg); color: var(--color-danger); border: 1px solid var(--color-danger); }
+
+  /* Flash overlay */
+  .scan-flash {
+    position: fixed;
+    top: 0; left: 0; right: 0; bottom: 0;
+    pointer-events: none;
+    z-index: 9999;
+    opacity: 0;
+    transition: opacity 0.15s ease;
+  }
+  .scan-flash.flash-success { background: rgba(5, 150, 105, 0.12); opacity: 1; }
+  .scan-flash.flash-error { background: rgba(220, 38, 38, 0.12); opacity: 1; }
+
+  /* Attendee display */
+  .attendee-panel {
+    display: none;
+  }
+  .attendee-panel.visible { display: block; }
+
+  .attendee-header {
+    display: flex;
+    align-items: center;
+    gap: 1rem;
+    margin-bottom: 1rem;
+    padding-bottom: 1rem;
+    border-bottom: 1px solid var(--color-border-light);
+  }
+  .attendee-name {
+    font-size: 1.3rem;
+    font-weight: 700;
+    color: var(--color-text);
+  }
+  .attendee-email {
+    font-size: 0.88rem;
+    color: var(--color-text-secondary);
+  }
+  .attendee-code {
+    font-family: var(--font-mono);
+    font-size: 0.82rem;
+    color: var(--color-text-muted);
+    background: var(--color-bg);
+    padding: 0.2rem 0.5rem;
+    border-radius: var(--radius-sm);
+    margin-left: auto;
+  }
+
+  .attendee-meta {
+    display: grid;
+    grid-template-columns: repeat(auto-fill, minmax(160px, 1fr));
+    gap: 0.6rem;
+    margin-bottom: 1rem;
+  }
+  .attendee-meta-item {
+    padding: 0.6rem 0.75rem;
+    background: var(--color-bg);
+    border: 1px solid var(--color-border-light);
+    border-radius: var(--radius-sm);
+  }
+  .attendee-meta-label {
+    font-size: 0.68rem;
+    font-weight: 700;
+    text-transform: uppercase;
+    letter-spacing: 0.06em;
+    color: var(--color-text-muted);
+  }
+  .attendee-meta-value {
+    font-size: 0.95rem;
+    font-weight: 600;
+    color: var(--color-text);
+    margin-top: 0.1rem;
+  }
+
+  /* Products / redemption list */
+  .products-panel {
+    display: none;
+  }
+  .products-panel.visible { display: block; }
+
+  .product-row {
+    display: flex;
+    align-items: center;
+    gap: 0.75rem;
+    padding: 0.65rem 0;
+    border-bottom: 1px solid var(--color-border-light);
+  }
+  .product-row:last-child { border-bottom: none; }
+
+  .product-info {
+    flex: 1;
+    min-width: 0;
+  }
+  .product-name {
+    font-size: 0.9rem;
+    font-weight: 600;
+    color: var(--color-text);
+  }
+  .product-counts {
+    font-size: 0.78rem;
+    color: var(--color-text-muted);
+    margin-top: 0.1rem;
+  }
+
+  .product-row--redeemed .product-name,
+  .product-row--redeemed .product-counts {
+    opacity: 0.45;
+    text-decoration: line-through;
+  }
+
+  .btn-redeem {
+    padding: 0.3rem 0.75rem;
+    font-size: 0.8rem;
+    font-weight: 600;
+    border: 1px solid var(--color-success);
+    background: var(--color-success-bg);
+    color: var(--color-success);
+    border-radius: var(--radius-sm);
+    cursor: pointer;
+    transition: background 0.15s ease, color 0.15s ease;
+    white-space: nowrap;
+  }
+  .btn-redeem:hover {
+    background: var(--color-success);
+    color: #ffffff;
+  }
+  .btn-redeem:disabled {
+    opacity: 0.4;
+    cursor: not-allowed;
+    background: var(--color-bg);
+    border-color: var(--color-border);
+    color: var(--color-text-muted);
+  }
+
+  .idle-message {
+    text-align: center;
+    padding: 3rem 1rem;
+    color: var(--color-text-muted);
+    font-size: 1rem;
+  }
+  .idle-message.hidden { display: none; }
+
+  @media (max-width: 768px) {
+    .scanner-layout {
+      grid-template-columns: 1fr;
+    }
+    .scan-field {
+      font-size: 1.1rem;
+      padding: 0.75rem 1rem;
+    }
+  }
+</style>
+{% endblock %}
+
+{% block breadcrumb %}
+<nav class="breadcrumb">
+  <a href="{% url 'manage:conference-list' %}">Conferences</a>
+  <span class="breadcrumb-separator"></span>
+  <a href="{% url 'manage:dashboard' conference.slug %}">{{ conference.name }}</a>
+  <span class="breadcrumb-separator"></span>
+  <a href="{% url 'manage:checkin-dashboard' conference.slug %}">Check-in</a>
+  <span class="breadcrumb-separator"></span>
+  Scanner
+</nav>
+{% endblock %}
+
+{% block page_title %}
+<h1>Check-in Scanner</h1>
+<p>Scan badges or enter access codes to check in attendees.</p>
+{% endblock %}
+
+{% block page_actions %}
+<a href="{% url 'manage:checkin-dashboard' conference.slug %}" class="btn btn-secondary">Dashboard</a>
+{% endblock %}
+
+{% block content %}
+<div class="scan-flash" id="scanFlash"></div>
+
+<div class="scanner-layout">
+  <div class="scanner-input-panel">
+    <div class="card card--static">
+      <div class="card-body">
+        <input
+          type="text"
+          id="scanInput"
+          class="scan-field"
+          placeholder="Scan badge or type access code..."
+          autocomplete="off"
+          autofocus
+        >
+        <div class="station-config">
+          <label for="stationName">Station:</label>
+          <input type="text" id="stationName" placeholder="e.g. Door A">
+        </div>
+      </div>
+    </div>
+  </div>
+
+  <div class="status-bar" id="statusBar"></div>
+
+  <div class="idle-message" id="idleMessage">
+    <p>Waiting for scan...</p>
+    <p style="font-size: 0.85rem; margin-top: 0.5rem;">Scan a badge barcode or QR code, or type an access code and press Enter.</p>
+  </div>
+
+  <div class="attendee-panel card card--static" id="attendeePanel">
+    <div class="card-body">
+      <div class="attendee-header">
+        <div>
+          <div class="attendee-name" id="attendeeName"></div>
+          <div class="attendee-email" id="attendeeEmail"></div>
+        </div>
+        <div class="attendee-code" id="attendeeCode"></div>
+      </div>
+      <div class="attendee-meta" id="attendeeMeta"></div>
+    </div>
+  </div>
+
+  <div class="products-panel card card--static" id="productsPanel">
+    <div class="card-body">
+      <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
+      <div id="productsList"></div>
+      <div id="noProducts" class="empty-state" style="display:none; padding: 1.5rem;">
+        <p>No redeemable products for this attendee.</p>
+      </div>
+    </div>
+  </div>
+</div>
+{% endblock %}
+
+{% block extra_js %}
+<script>
+(function() {
+  "use strict";
+
+  const SCAN_URL = "{% url 'registration:checkin-scan' conference.slug %}";
+  const LOOKUP_BASE = "{% url 'registration:checkin-lookup' conference.slug 'PLACEHOLDER' %}";
+  const REDEEM_URL = "{% url 'registration:checkin-redeem' conference.slug %}";
+
+  function lookupUrl(accessCode) {
+    return LOOKUP_BASE.replace("PLACEHOLDER", encodeURIComponent(accessCode));
+  }
+
+  const scanInput = document.getElementById("scanInput");
+  const stationInput = document.getElementById("stationName");
+  const statusBar = document.getElementById("statusBar");
+  const scanFlash = document.getElementById("scanFlash");
+  const idleMessage = document.getElementById("idleMessage");
+  const attendeePanel = document.getElementById("attendeePanel");
+  const productsPanel = document.getElementById("productsPanel");
+  const attendeeName = document.getElementById("attendeeName");
+  const attendeeEmail = document.getElementById("attendeeEmail");
+  const attendeeCode = document.getElementById("attendeeCode");
+  const attendeeMeta = document.getElementById("attendeeMeta");
+  const productsList = document.getElementById("productsList");
+  const noProducts = document.getElementById("noProducts");
+
+  // Restore station name from localStorage
+  const savedStation = localStorage.getItem("checkin_station_name");
+  if (savedStation) {
+    stationInput.value = savedStation;
+  }
+  stationInput.addEventListener("change", function() {
+    localStorage.setItem("checkin_station_name", this.value);
+  });
+
+  function getCsrfToken() {
+    const cookie = document.cookie.split(";").find(function(c) {
+      return c.trim().startsWith("csrftoken=");
+    });
+    return cookie ? cookie.split("=")[1] : "";
+  }
+
+  function showStatus(message, type) {
+    statusBar.className = "status-bar visible status-bar--" + type;
+    statusBar.textContent = message;
+  }
+
+  function flashScreen(type) {
+    scanFlash.className = "scan-flash flash-" + type;
+    setTimeout(function() {
+      scanFlash.className = "scan-flash";
+    }, 300);
+  }
+
+  function refocusScan() {
+    scanInput.value = "";
+    scanInput.focus();
+  }
+
+  function hideResults() {
+    attendeePanel.classList.remove("visible");
+    productsPanel.classList.remove("visible");
+    idleMessage.classList.remove("hidden");
+    statusBar.classList.remove("visible");
+  }
+
+  function showResults() {
+    idleMessage.classList.add("hidden");
+    attendeePanel.classList.add("visible");
+    productsPanel.classList.add("visible");
+  }
+
+  function renderAttendee(data) {
+    attendeeName.textContent = data.name || "Unknown";
+    attendeeEmail.textContent = data.email || "";
+    attendeeCode.textContent = data.access_code || "";
+
+    var metaHtml = "";
+    if (data.ticket_type) {
+      metaHtml += '<div class="attendee-meta-item">' +
+        '<div class="attendee-meta-label">Ticket Type</div>' +
+        '<div class="attendee-meta-value">' + escapeHtml(data.ticket_type) + '</div></div>';
+    }
+    metaHtml += '<div class="attendee-meta-item">' +
+      '<div class="attendee-meta-label">Check-in Status</div>' +
+      '<div class="attendee-meta-value">' +
+      (data.checkin_count > 0
+        ? '<span class="badge badge--warning">Re-entry (#' + (data.checkin_count + 1) + ')</span>'
+        : '<span class="badge badge--active">First check-in</span>') +
+      '</div></div>';
+    metaHtml += '<div class="attendee-meta-item">' +
+      '<div class="attendee-meta-label">Previous Check-ins</div>' +
+      '<div class="attendee-meta-value">' + data.checkin_count + '</div></div>';
+    if (data.order_reference) {
+      metaHtml += '<div class="attendee-meta-item">' +
+        '<div class="attendee-meta-label">Order</div>' +
+        '<div class="attendee-meta-value mono">' + escapeHtml(data.order_reference) + '</div></div>';
+    }
+    attendeeMeta.innerHTML = metaHtml;
+  }
+
+  function renderProducts(products) {
+    productsList.innerHTML = "";
+    if (!products || products.length === 0) {
+      noProducts.style.display = "block";
+      return;
+    }
+    noProducts.style.display = "none";
+
+    products.forEach(function(p) {
+      var remaining = p.quantity - p.redeemed;
+      var isFullyRedeemed = remaining <= 0;
+      var row = document.createElement("div");
+      row.className = "product-row" + (isFullyRedeemed ? " product-row--redeemed" : "");
+
+      var info = document.createElement("div");
+      info.className = "product-info";
+      info.innerHTML = '<div class="product-name">' + escapeHtml(p.description) + '</div>' +
+        '<div class="product-counts">Qty: ' + p.quantity + ' | Redeemed: ' + p.redeemed +
+        ' | Remaining: ' + remaining + '</div>';
+      row.appendChild(info);
+
+      if (!isFullyRedeemed) {
+        var btn = document.createElement("button");
+        btn.type = "button";
+        btn.className = "btn-redeem";
+        btn.textContent = "Redeem";
+        btn.dataset.lineItemId = p.line_item_id;
+        btn.dataset.attendeeId = p.attendee_id;
+        btn.addEventListener("click", function() { redeemProduct(btn); });
+        row.appendChild(btn);
+      }
+
+      productsList.appendChild(row);
+    });
+  }
+
+  function escapeHtml(str) {
+    var div = document.createElement("div");
+    div.appendChild(document.createTextNode(str));
+    return div.innerHTML;
+  }
+
+  async function performScan(accessCode) {
+    if (!accessCode.trim()) return;
+
+    try {
+      var response = await fetch(SCAN_URL, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-CSRFToken": getCsrfToken(),
+        },
+        body: JSON.stringify({
+          access_code: accessCode.trim(),
+          station: stationInput.value.trim(),
+        }),
+      });
+
+      var data = await response.json();
+
+      if (!response.ok) {
+        showStatus(data.error || "Scan failed", "error");
+        flashScreen("error");
+        hideResults();
+        refocusScan();
+        return;
+      }
+
+      if (data.is_reentry) {
+        showStatus("Re-entry: " + (data.name || accessCode) + " (check-in #" + (data.checkin_count + 1) + ")", "reentry");
+      } else {
+        showStatus("Checked in: " + (data.name || accessCode), "success");
+      }
+      flashScreen("success");
+
+      renderAttendee(data);
+      renderProducts(data.products || []);
+      showResults();
+    } catch (err) {
+      showStatus("Network error: " + err.message, "error");
+      flashScreen("error");
+    }
+    refocusScan();
+  }
+
+  async function redeemProduct(btn) {
+    btn.disabled = true;
+    btn.textContent = "Redeeming...";
+
+    try {
+      var response = await fetch(REDEEM_URL, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "X-CSRFToken": getCsrfToken(),
+        },
+        body: JSON.stringify({
+          attendee_id: parseInt(btn.dataset.attendeeId, 10),
+          line_item_id: parseInt(btn.dataset.lineItemId, 10),
+          station: stationInput.value.trim(),
+        }),
+      });
+
+      var data = await response.json();
+
+      if (!response.ok) {
+        showStatus(data.error || "Redemption failed", "error");
+        flashScreen("error");
+        btn.disabled = false;
+        btn.textContent = "Redeem";
+        return;
+      }
+
+      showStatus("Redeemed: " + (data.description || "product"), "success");
+      flashScreen("success");
+
+      // Re-fetch attendee to refresh product list
+      if (attendeeCode.textContent) {
+        await refreshAttendee(attendeeCode.textContent);
+      }
+    } catch (err) {
+      showStatus("Network error: " + err.message, "error");
+      flashScreen("error");
+      btn.disabled = false;
+      btn.textContent = "Redeem";
+    }
+    refocusScan();
+  }
+
+  async function refreshAttendee(accessCode) {
+    try {
+      var response = await fetch(lookupUrl(accessCode));
+      if (!response.ok) return;
+      var data = await response.json();
+      renderAttendee(data);
+      renderProducts(data.products || []);
+    } catch (err) {
+      // Silently fail on refresh; the previous data remains visible
+    }
+  }
+
+  // Handle Enter key on scan input
+  scanInput.addEventListener("keydown", function(e) {
+    if (e.key === "Enter") {
+      e.preventDefault();
+      performScan(this.value);
+    }
+  });
+
+  // Keep scan input focused when clicking anywhere in the scanner area
+  document.addEventListener("click", function(e) {
+    if (!e.target.closest(".station-config") && !e.target.closest(".btn-redeem")) {
+      scanInput.focus();
+    }
+  });
+
+  // Initial focus
+  scanInput.focus();
+})();
+</script>
+{% endblock %}
diff --git a/src/django_program/manage/urls.py b/src/django_program/manage/urls.py
index 1910717..7c14dfd 100644
--- a/src/django_program/manage/urls.py
+++ b/src/django_program/manage/urls.py
@@ -85,6 +85,7 @@
     VoucherEditView,
     VoucherListView,
 )
+from django_program.manage.views_checkin import CheckInDashboardView, CheckInScannerView
 
 app_name = "manage"
 
@@ -272,6 +273,9 @@
         BadgeDownloadView.as_view(),
         name="badge-download",
     ),
+    # --- Check-in ---
+    path("<slug:conference_slug>/checkin/", CheckInDashboardView.as_view(), name="checkin-dashboard"),
+    path("<slug:conference_slug>/checkin/scanner/", CheckInScannerView.as_view(), name="checkin-scanner"),
     # --- Bulk Purchases ---
     path("<slug:conference_slug>/bulk-purchases/", include("django_program.manage.urls_bulk_purchases")),
     # --- Voucher Bulk Generation ---
diff --git a/src/django_program/manage/views_checkin.py b/src/django_program/manage/views_checkin.py
new file mode 100644
index 0000000..6b98213
--- /dev/null
+++ b/src/django_program/manage/views_checkin.py
@@ -0,0 +1,107 @@
+"""Check-in dashboard and scanner views for the manage app.
+
+Provides the staff-facing scanner interface for on-site check-in and a
+real-time dashboard showing check-in statistics, station activity, and
+product redemption counts.
+"""
+
+from django.db.models import Count, Max
+from django.utils import timezone
+from django.views.generic import TemplateView
+
+from django_program.manage.views import ManagePermissionMixin
+from django_program.registration.attendee import Attendee
+from django_program.registration.checkin import CheckIn, DoorCheck, ProductRedemption
+
+
+class CheckInScannerView(ManagePermissionMixin, TemplateView):
+    """Staff-facing scanner page for on-site check-in.
+
+    Renders the scanner template with conference context. All scanning
+    logic is handled client-side via the check-in API endpoints.
+    """
+
+    template_name = "django_program/manage/checkin_scanner.html"
+
+    def get_context_data(self, **kwargs: object) -> dict[str, object]:
+        """Add active_nav to the template context.
+
+        Args:
+            **kwargs: Additional context data.
+
+        Returns:
+            Template context with conference and active navigation state.
+        """
+        context = super().get_context_data(**kwargs)
+        context["active_nav"] = "checkin"
+        return context
+
+
+class CheckInDashboardView(ManagePermissionMixin, TemplateView):
+    """Real-time check-in statistics dashboard.
+
+    Displays aggregate check-in data including total attendees, check-in
+    rate, station activity breakdown, recent check-in log, and product
+    redemption statistics.
+    """
+
+    template_name = "django_program/manage/checkin_dashboard.html"
+
+    def get_context_data(self, **kwargs: object) -> dict[str, object]:
+        """Build context with check-in statistics for the dashboard.
+
+        Args:
+            **kwargs: Additional context data.
+
+        Returns:
+            Template context with attendee counts, check-in rate, station
+            activity, recent check-ins, and redemption stats.
+        """
+        context = super().get_context_data(**kwargs)
+        conference = self.conference
+        context["active_nav"] = "checkin"
+
+        total_attendees = Attendee.objects.filter(conference=conference).count()
+        checked_in_count = Attendee.objects.filter(conference=conference, checkins__isnull=False).distinct().count()
+        check_in_rate = round((checked_in_count / total_attendees * 100), 1) if total_attendees > 0 else 0
+
+        today_start = timezone.now().replace(hour=0, minute=0, second=0, microsecond=0)
+        checkins_today = CheckIn.objects.filter(conference=conference, checked_in_at__gte=today_start).count()
+
+        checkins_by_station = (
+            CheckIn.objects.filter(conference=conference)
+            .exclude(station="")
+            .values("station")
+            .annotate(count=Count("id"), last_checkin=Max("checked_in_at"))
+            .order_by("-count")
+        )
+
+        recent_checkins = (
+            CheckIn.objects.filter(conference=conference)
+            .select_related("attendee", "attendee__user", "checked_in_by")
+            .order_by("-checked_in_at")[:50]
+        )
+
+        redemption_stats = (
+            ProductRedemption.objects.filter(conference=conference)
+            .values("order_line_item__description")
+            .annotate(count=Count("id"))
+            .order_by("-count")
+        )
+
+        door_check_counts = (
+            DoorCheck.objects.filter(conference=conference)
+            .values("ticket_type__name", "addon__name")
+            .annotate(count=Count("id"))
+            .order_by("-count")
+        )
+
+        context["total_attendees"] = total_attendees
+        context["checked_in_count"] = checked_in_count
+        context["check_in_rate"] = check_in_rate
+        context["checkins_today"] = checkins_today
+        context["checkins_by_station"] = checkins_by_station
+        context["recent_checkins"] = recent_checkins
+        context["redemption_stats"] = redemption_stats
+        context["door_check_counts"] = door_check_counts
+        return context
diff --git a/src/django_program/registration/admin.py b/src/django_program/registration/admin.py
index 758554e..0531259 100644
--- a/src/django_program/registration/admin.py
+++ b/src/django_program/registration/admin.py
@@ -4,6 +4,7 @@
 from django.http import HttpRequest  # noqa: TC002
 
 from django_program.registration.badge import Badge, BadgeTemplate
+from django_program.registration.checkin import CheckIn, DoorCheck, ProductRedemption
 from django_program.registration.conditions import (
     DiscountForCategory,
     DiscountForProduct,
@@ -338,6 +339,68 @@ class DiscountForCategoryAdmin(admin.ModelAdmin):
     search_fields = ("name",)
 
 
+# -- Check-in admin -----------------------------------------------------------
+
+
+@admin.register(CheckIn)
+class CheckInAdmin(admin.ModelAdmin):
+    """Admin interface for viewing conference check-in records."""
+
+    list_display = ("attendee", "conference", "station", "checked_in_by", "checked_in_at")
+    list_filter = ("conference", "station")
+    search_fields = ("attendee__user__username", "attendee__user__email", "attendee__access_code")
+    readonly_fields = ("attendee", "conference", "checked_in_at", "checked_in_by", "station", "note")
+
+    def has_add_permission(self, request: HttpRequest) -> bool:  # noqa: ARG002, D102
+        return False
+
+    def has_change_permission(self, request: HttpRequest, obj: CheckIn | None = None) -> bool:  # noqa: ARG002, D102
+        return False
+
+
+@admin.register(DoorCheck)
+class DoorCheckAdmin(admin.ModelAdmin):
+    """Admin interface for viewing per-product door check records."""
+
+    list_display = ("attendee", "conference", "ticket_type", "addon", "station", "checked_by", "checked_at")
+    list_filter = ("conference", "station")
+    search_fields = ("attendee__user__username", "attendee__user__email", "attendee__access_code")
+    readonly_fields = (
+        "attendee",
+        "ticket_type",
+        "addon",
+        "conference",
+        "checked_at",
+        "checked_by",
+        "station",
+    )
+
+    def has_add_permission(self, request: HttpRequest) -> bool:  # noqa: ARG002, D102
+        return False
+
+    def has_change_permission(self, request: HttpRequest, obj: DoorCheck | None = None) -> bool:  # noqa: ARG002, D102
+        return False
+
+
+@admin.register(ProductRedemption)
+class ProductRedemptionAdmin(admin.ModelAdmin):
+    """Read-only admin for viewing product redemption audit records."""
+
+    list_display = ("attendee", "order_line_item", "conference", "redeemed_by", "redeemed_at")
+    list_filter = ("conference",)
+    search_fields = ("attendee__user__username", "attendee__user__email", "attendee__access_code")
+    readonly_fields = ("attendee", "order_line_item", "conference", "redeemed_at", "redeemed_by", "note")
+
+    def has_add_permission(self, request: HttpRequest) -> bool:  # noqa: ARG002, D102
+        return False
+
+    def has_change_permission(self, request: HttpRequest, obj: ProductRedemption | None = None) -> bool:  # noqa: ARG002, D102
+        return False
+
+    def has_delete_permission(self, request: HttpRequest, obj: ProductRedemption | None = None) -> bool:  # noqa: ARG002, D102
+        return False
+
+
 # -- Badge admin --------------------------------------------------------------
 
 
diff --git a/src/django_program/registration/checkin.py b/src/django_program/registration/checkin.py
new file mode 100644
index 0000000..eeaf94a
--- /dev/null
+++ b/src/django_program/registration/checkin.py
@@ -0,0 +1,150 @@
+"""On-site check-in and product redemption models for conference registration.
+
+Provides models for tracking attendee check-ins at the conference venue,
+per-product door checks (tutorials, meals, events), and product redemption
+to prevent double-use of purchased items.
+"""
+
+from django.conf import settings
+from django.db import models
+
+
+class CheckIn(models.Model):
+    """Records a single check-in event for an attendee at the conference.
+
+    Multiple check-ins per attendee are allowed to support re-entry scenarios
+    (e.g. leaving for lunch and returning). Each record captures who performed
+    the check-in and at which station.
+    """
+
+    attendee = models.ForeignKey(
+        "program_registration.Attendee",
+        on_delete=models.CASCADE,
+        related_name="checkins",
+    )
+    conference = models.ForeignKey(
+        "program_conference.Conference",
+        on_delete=models.CASCADE,
+        related_name="checkins",
+    )
+    checked_in_at = models.DateTimeField(auto_now_add=True)
+    checked_in_by = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.SET_NULL,
+        null=True,
+        blank=True,
+        related_name="performed_checkins",
+        help_text="Staff member who performed this check-in.",
+    )
+    station = models.CharField(
+        max_length=100,
+        blank=True,
+        default="",
+        help_text='Station identifier, e.g. "Door A", "Registration Desk 1".',
+    )
+    note = models.TextField(blank=True, default="")
+
+    class Meta:
+        ordering = ["-checked_in_at"]
+
+    def __str__(self) -> str:
+        return f"CheckIn: {self.attendee} at {self.checked_in_at}"
+
+
+class DoorCheck(models.Model):
+    """Per-product admission tracking for a specific ticket type or add-on.
+
+    Used for checking attendees into sub-events such as tutorials, meals,
+    or social events that require separate admission control beyond the
+    main conference check-in.
+    """
+
+    attendee = models.ForeignKey(
+        "program_registration.Attendee",
+        on_delete=models.CASCADE,
+        related_name="door_checks",
+    )
+    ticket_type = models.ForeignKey(
+        "program_registration.TicketType",
+        on_delete=models.CASCADE,
+        null=True,
+        blank=True,
+        related_name="door_checks",
+    )
+    addon = models.ForeignKey(
+        "program_registration.AddOn",
+        on_delete=models.CASCADE,
+        null=True,
+        blank=True,
+        related_name="door_checks",
+    )
+    conference = models.ForeignKey(
+        "program_conference.Conference",
+        on_delete=models.CASCADE,
+        related_name="door_checks",
+    )
+    checked_at = models.DateTimeField(auto_now_add=True)
+    checked_by = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.SET_NULL,
+        null=True,
+        blank=True,
+        related_name="performed_door_checks",
+        help_text="Staff member who performed this door check.",
+    )
+    station = models.CharField(
+        max_length=100,
+        blank=True,
+        default="",
+        help_text='Station identifier, e.g. "Tutorial Room 1", "Meal Hall".',
+    )
+
+    class Meta:
+        ordering = ["-checked_at"]
+
+    def __str__(self) -> str:
+        product = self.ticket_type or self.addon or "unknown"
+        return f"DoorCheck: {self.attendee} → {product} at {self.checked_at}"
+
+
+class ProductRedemption(models.Model):
+    """Tracks redemption of a purchased order line item to prevent double-use.
+
+    Each attendee can redeem a given order line item exactly once, enforced
+    by a unique constraint on ``(attendee, order_line_item)``. This covers
+    tutorials, meals, events, and any other purchasable product that should
+    only be consumed once.
+    """
+
+    attendee = models.ForeignKey(
+        "program_registration.Attendee",
+        on_delete=models.CASCADE,
+        related_name="redemptions",
+    )
+    order_line_item = models.ForeignKey(
+        "program_registration.OrderLineItem",
+        on_delete=models.CASCADE,
+        related_name="redemptions",
+    )
+    conference = models.ForeignKey(
+        "program_conference.Conference",
+        on_delete=models.CASCADE,
+        related_name="redemptions",
+    )
+    redeemed_at = models.DateTimeField(auto_now_add=True)
+    redeemed_by = models.ForeignKey(
+        settings.AUTH_USER_MODEL,
+        on_delete=models.SET_NULL,
+        null=True,
+        blank=True,
+        related_name="performed_redemptions",
+        help_text="Staff member who performed this redemption.",
+    )
+    note = models.TextField(blank=True, default="")
+
+    class Meta:
+        ordering = ["-redeemed_at"]
+        unique_together = [("attendee", "order_line_item")]
+
+    def __str__(self) -> str:
+        return f"Redemption: {self.attendee} → {self.order_line_item}"
diff --git a/src/django_program/registration/migrations/0016_checkin_doorcheck_productredemption.py b/src/django_program/registration/migrations/0016_checkin_doorcheck_productredemption.py
new file mode 100644
index 0000000..48cd436
--- /dev/null
+++ b/src/django_program/registration/migrations/0016_checkin_doorcheck_productredemption.py
@@ -0,0 +1,176 @@
+# Generated by Django 5.2.11 on 2026-03-19 02:12
+
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("program_conference", "0008_kpitargets"),
+        ("program_registration", "0015_addon_bulk_enabled_tickettype_bulk_enabled"),
+        migrations.swappable_dependency(settings.AUTH_USER_MODEL),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name="CheckIn",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                ("checked_in_at", models.DateTimeField(auto_now_add=True)),
+                (
+                    "station",
+                    models.CharField(
+                        blank=True,
+                        default="",
+                        help_text='Station identifier, e.g. "Door A", "Registration Desk 1".',
+                        max_length=100,
+                    ),
+                ),
+                ("note", models.TextField(blank=True, default="")),
+                (
+                    "attendee",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="checkins",
+                        to="program_registration.attendee",
+                    ),
+                ),
+                (
+                    "checked_in_by",
+                    models.ForeignKey(
+                        blank=True,
+                        help_text="Staff member who performed this check-in.",
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        related_name="performed_checkins",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+                (
+                    "conference",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="checkins",
+                        to="program_conference.conference",
+                    ),
+                ),
+            ],
+            options={
+                "ordering": ["-checked_in_at"],
+            },
+        ),
+        migrations.CreateModel(
+            name="DoorCheck",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                ("checked_at", models.DateTimeField(auto_now_add=True)),
+                (
+                    "station",
+                    models.CharField(
+                        blank=True,
+                        default="",
+                        help_text='Station identifier, e.g. "Tutorial Room 1", "Meal Hall".',
+                        max_length=100,
+                    ),
+                ),
+                (
+                    "addon",
+                    models.ForeignKey(
+                        blank=True,
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="door_checks",
+                        to="program_registration.addon",
+                    ),
+                ),
+                (
+                    "attendee",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="door_checks",
+                        to="program_registration.attendee",
+                    ),
+                ),
+                (
+                    "checked_by",
+                    models.ForeignKey(
+                        blank=True,
+                        help_text="Staff member who performed this door check.",
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        related_name="performed_door_checks",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+                (
+                    "conference",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="door_checks",
+                        to="program_conference.conference",
+                    ),
+                ),
+                (
+                    "ticket_type",
+                    models.ForeignKey(
+                        blank=True,
+                        null=True,
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="door_checks",
+                        to="program_registration.tickettype",
+                    ),
+                ),
+            ],
+            options={
+                "ordering": ["-checked_at"],
+            },
+        ),
+        migrations.CreateModel(
+            name="ProductRedemption",
+            fields=[
+                ("id", models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name="ID")),
+                ("redeemed_at", models.DateTimeField(auto_now_add=True)),
+                ("note", models.TextField(blank=True, default="")),
+                (
+                    "attendee",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="redemptions",
+                        to="program_registration.attendee",
+                    ),
+                ),
+                (
+                    "conference",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="redemptions",
+                        to="program_conference.conference",
+                    ),
+                ),
+                (
+                    "order_line_item",
+                    models.ForeignKey(
+                        on_delete=django.db.models.deletion.CASCADE,
+                        related_name="redemptions",
+                        to="program_registration.orderlineitem",
+                    ),
+                ),
+                (
+                    "redeemed_by",
+                    models.ForeignKey(
+                        blank=True,
+                        help_text="Staff member who performed this redemption.",
+                        null=True,
+                        on_delete=django.db.models.deletion.SET_NULL,
+                        related_name="performed_redemptions",
+                        to=settings.AUTH_USER_MODEL,
+                    ),
+                ),
+            ],
+            options={
+                "ordering": ["-redeemed_at"],
+                "unique_together": {("attendee", "order_line_item")},
+            },
+        ),
+    ]
diff --git a/src/django_program/registration/models.py b/src/django_program/registration/models.py
index f75a5b2..aade958 100644
--- a/src/django_program/registration/models.py
+++ b/src/django_program/registration/models.py
@@ -684,6 +684,7 @@ def __str__(self) -> str:
 # for FK/M2M fields and lazy imports for model lookups in methods.
 # Re-export badge models for convenience.
 from django_program.registration.badge import Badge, BadgeTemplate  # noqa: E402
+from django_program.registration.checkin import CheckIn, DoorCheck, ProductRedemption  # noqa: E402
 from django_program.registration.conditions import (  # noqa: E402
     DiscountForCategory,
     DiscountForProduct,
@@ -701,15 +702,18 @@ def __str__(self) -> str:
     "BadgeTemplate",
     "Cart",
     "CartItem",
+    "CheckIn",
     "Credit",
     "DiscountForCategory",
     "DiscountForProduct",
+    "DoorCheck",
     "EventProcessingException",
     "GroupMemberCondition",
     "IncludedProductCondition",
     "Order",
     "OrderLineItem",
     "Payment",
+    "ProductRedemption",
     "SpeakerCondition",
     "StripeCustomer",
     "StripeEvent",
diff --git a/src/django_program/registration/services/checkin.py b/src/django_program/registration/services/checkin.py
new file mode 100644
index 0000000..f8e6aac
--- /dev/null
+++ b/src/django_program/registration/services/checkin.py
@@ -0,0 +1,299 @@
+"""Check-in and product redemption business logic services.
+
+Provides ``CheckInService`` for attendee check-in operations (lookup, check-in,
+badge data, door checks) and ``RedemptionService`` for tracking product
+redemption (tutorials, meals, events) against purchased order line items.
+"""
+
+import logging
+from typing import TYPE_CHECKING
+
+from django.db import transaction
+from django.db.models import Count, Q
+from django.utils import timezone
+
+from django_program.registration.attendee import Attendee
+from django_program.registration.checkin import CheckIn, DoorCheck, ProductRedemption
+from django_program.registration.models import AddOn, OrderLineItem, TicketType
+
+if TYPE_CHECKING:
+    from django.contrib.auth.models import AbstractUser
+
+    from django_program.conference.models import Conference
+
+logger = logging.getLogger(__name__)
+
+
+class CheckInService:
+    """Service for attendee check-in operations at the conference venue."""
+
+    @staticmethod
+    def lookup_attendee(*, conference: Conference, access_code: str) -> Attendee:
+        """Look up an attendee by access code within a conference.
+
+        Args:
+            conference: The conference to search within.
+            access_code: The attendee's unique access code (from badge QR/barcode).
+
+        Returns:
+            The matched Attendee instance with user and order pre-loaded.
+
+        Raises:
+            Attendee.DoesNotExist: If no attendee matches the given code
+                within the specified conference.
+        """
+        return (
+            Attendee.objects.select_related("user", "conference", "order")
+            .prefetch_related("order__line_items__ticket_type", "order__line_items__addon")
+            .get(conference=conference, access_code=access_code)
+        )
+
+    @staticmethod
+    def check_in(
+        *,
+        attendee: Attendee,
+        checked_in_by: AbstractUser | None = None,
+        station: str = "",
+    ) -> CheckIn:
+        """Record a check-in for an attendee.
+
+        Creates a ``CheckIn`` record and updates the attendee's ``checked_in_at``
+        timestamp on first check-in only. Multiple check-ins are allowed to
+        support re-entry scenarios.
+
+        Args:
+            attendee: The attendee to check in.
+            checked_in_by: Staff member performing the check-in.
+            station: Identifier for the check-in station (e.g. "Door A").
+
+        Returns:
+            The created CheckIn record.
+        """
+        with transaction.atomic():
+            checkin = CheckIn.objects.create(
+                attendee=attendee,
+                conference=attendee.conference,
+                checked_in_by=checked_in_by,
+                station=station,
+            )
+            if attendee.checked_in_at is None:
+                attendee.checked_in_at = timezone.now()
+                attendee.save(update_fields=["checked_in_at", "updated_at"])
+
+        logger.info(
+            "Checked in attendee %s (access_code=%s) at station '%s'",
+            attendee.pk,
+            attendee.access_code,
+            station,
+        )
+        return checkin
+
+    @staticmethod
+    def get_badge_data(attendee: Attendee) -> dict[str, object]:
+        """Return badge display data for a checked-in attendee.
+
+        Args:
+            attendee: The attendee to get badge data for.
+
+        Returns:
+            Dict with keys: ``name``, ``email``, ``access_code``,
+            ``ticket_type``, ``checked_in``, ``first_check_in_at``,
+            ``check_in_count``, ``products``.
+        """
+        user = attendee.user
+        full_name = f"{user.first_name} {user.last_name}".strip() or str(user.username)
+
+        ticket_type_name = "General Admission"
+        products: list[dict[str, object]] = []
+
+        if attendee.order is not None:
+            for line_item in attendee.order.line_items.all():
+                if line_item.ticket_type is not None:
+                    ticket_type_name = str(line_item.ticket_type.name)
+                if line_item.addon is not None:
+                    products.append(
+                        {
+                            "id": line_item.addon_id,
+                            "name": str(line_item.addon.name),
+                            "description": str(line_item.description),
+                            "quantity": line_item.quantity,
+                        }
+                    )
+
+        check_in_count = CheckIn.objects.filter(attendee=attendee).count()
+
+        return {
+            "name": full_name,
+            "email": str(user.email),
+            "access_code": str(attendee.access_code),
+            "ticket_type": ticket_type_name,
+            "checked_in": attendee.checked_in_at is not None,
+            "first_check_in_at": attendee.checked_in_at,
+            "check_in_count": check_in_count,
+            "products": products,
+        }
+
+    @staticmethod
+    def record_door_check(
+        *,
+        attendee: Attendee,
+        ticket_type: TicketType | None = None,
+        addon: AddOn | None = None,
+        checked_by: AbstractUser | None = None,
+        station: str = "",
+    ) -> DoorCheck:
+        """Record a door check for per-product admission.
+
+        Validates that exactly one of ``ticket_type`` or ``addon`` is provided,
+        then creates a ``DoorCheck`` record for the sub-event admission.
+
+        Args:
+            attendee: The attendee being checked.
+            ticket_type: The ticket type being checked (mutually exclusive with addon).
+            addon: The add-on being checked (mutually exclusive with ticket_type).
+            checked_by: Staff member performing the check.
+            station: Identifier for the check station (e.g. "Tutorial Room 1").
+
+        Returns:
+            The created DoorCheck record.
+
+        Raises:
+            ValueError: If neither or both ``ticket_type`` and ``addon`` are provided.
+        """
+        if (ticket_type is None) == (addon is None):
+            msg = "Exactly one of ticket_type or addon must be provided."
+            raise ValueError(msg)
+
+        door_check = DoorCheck.objects.create(
+            attendee=attendee,
+            conference=attendee.conference,
+            ticket_type=ticket_type,
+            addon=addon,
+            checked_by=checked_by,
+            station=station,
+        )
+        product_label = ticket_type.name if ticket_type else addon.name  # type: ignore[union-attr]
+        logger.info(
+            "Door check for attendee %s → %s at station '%s'",
+            attendee.pk,
+            product_label,
+            station,
+        )
+        return door_check
+
+
+class RedemptionService:
+    """Service for product redemption (tutorials, meals, events).
+
+    Tracks which purchased order line items have been redeemed by an attendee,
+    preventing double-use of single-use products. Each line item can be redeemed
+    up to its purchased ``quantity``.
+    """
+
+    @staticmethod
+    def get_redeemable_products(attendee: Attendee) -> list[dict[str, object]]:
+        """List products the attendee can redeem.
+
+        Examines the attendee's order line items and checks which have not yet
+        been fully redeemed based on the ``ProductRedemption`` records.
+
+        Args:
+            attendee: The attendee to check.
+
+        Returns:
+            List of dicts with keys: ``line_item_id``, ``description``,
+            ``quantity``, ``redeemed_count``, ``remaining``,
+            ``ticket_type_id``, ``addon_id``.
+        """
+        if attendee.order is None:
+            return []
+
+        line_items = (
+            OrderLineItem.objects.filter(order=attendee.order)
+            .annotate(
+                redeemed_count=Count(
+                    "redemptions",
+                    filter=Q(redemptions__attendee=attendee),
+                ),
+            )
+            .order_by("id")
+        )
+
+        results: list[dict[str, object]] = []
+        for item in line_items:
+            redeemed = item.redeemed_count  # type: ignore[attr-defined]
+            remaining = item.quantity - redeemed
+            if remaining > 0:
+                results.append(
+                    {
+                        "line_item_id": item.pk,
+                        "description": str(item.description),
+                        "quantity": item.quantity,
+                        "redeemed_count": redeemed,
+                        "remaining": remaining,
+                        "ticket_type_id": item.ticket_type_id,
+                        "addon_id": item.addon_id,
+                    }
+                )
+
+        return results
+
+    @staticmethod
+    def redeem_product(
+        *,
+        attendee: Attendee,
+        order_line_item: OrderLineItem,
+        redeemed_by: AbstractUser | None = None,
+    ) -> ProductRedemption:
+        """Redeem a purchased product for an attendee.
+
+        Validates that the line item belongs to the attendee's order and has
+        not already been fully redeemed before creating the redemption record.
+
+        Args:
+            attendee: The attendee redeeming.
+            order_line_item: The line item being redeemed.
+            redeemed_by: Staff member performing the redemption.
+
+        Returns:
+            The created ProductRedemption record.
+
+        Raises:
+            ValueError: If the line item does not belong to the attendee's order.
+            ValueError: If the product has already been fully redeemed
+                (redeemed count >= quantity).
+        """
+        if attendee.order_id != order_line_item.order_id:
+            msg = (
+                f"Line item {order_line_item.pk} belongs to order "
+                f"{order_line_item.order_id}, not attendee's order "
+                f"{attendee.order_id}."
+            )
+            raise ValueError(msg)
+
+        redeemed_count = ProductRedemption.objects.filter(
+            attendee=attendee,
+            order_line_item=order_line_item,
+        ).count()
+
+        if redeemed_count >= order_line_item.quantity:
+            msg = (
+                f"Line item {order_line_item.pk} "
+                f"('{order_line_item.description}') is fully redeemed "
+                f"({redeemed_count}/{order_line_item.quantity})."
+            )
+            raise ValueError(msg)
+
+        redemption = ProductRedemption.objects.create(
+            attendee=attendee,
+            order_line_item=order_line_item,
+            conference=attendee.conference,
+            redeemed_by=redeemed_by,
+        )
+        logger.info(
+            "Redeemed line item %s ('%s') for attendee %s",
+            order_line_item.pk,
+            order_line_item.description,
+            attendee.pk,
+        )
+        return redemption
diff --git a/src/django_program/registration/urls.py b/src/django_program/registration/urls.py
index 3bdd25a..9cac3dc 100644
--- a/src/django_program/registration/urls.py
+++ b/src/django_program/registration/urls.py
@@ -21,6 +21,12 @@
     OrderDetailView,
     TicketSelectView,
 )
+from django_program.registration.views_checkin import (
+    LookupView,
+    OfflinePreloadView,
+    RedeemView,
+    ScanView,
+)
 from django_program.registration.webhooks import stripe_webhook
 
 app_name = "registration"
@@ -32,4 +38,9 @@
     path("orders/<str:reference>/", OrderDetailView.as_view(), name="order-detail"),
     path("orders/<str:reference>/confirmation/", OrderConfirmationView.as_view(), name="order-confirmation"),
     path("webhooks/stripe/", stripe_webhook, name="stripe-webhook"),
+    # Check-in API (staff-only, JSON endpoints for scanner UI)
+    path("checkin/scan/", ScanView.as_view(), name="checkin-scan"),
+    path("checkin/lookup/<str:access_code>/", LookupView.as_view(), name="checkin-lookup"),
+    path("checkin/redeem/", RedeemView.as_view(), name="checkin-redeem"),
+    path("checkin/preload/", OfflinePreloadView.as_view(), name="checkin-preload"),
 ]
diff --git a/src/django_program/registration/views_checkin.py b/src/django_program/registration/views_checkin.py
new file mode 100644
index 0000000..59ef390
--- /dev/null
+++ b/src/django_program/registration/views_checkin.py
@@ -0,0 +1,378 @@
+"""Staff-facing JSON API views for on-site check-in and product redemption.
+
+These views power the scanner UI used by registration desk volunteers.
+All endpoints require staff or superuser authentication and are scoped
+to a conference via the ``conference_slug`` URL kwarg. POST endpoints
+are CSRF-exempt since the scanner frontend uses ``fetch()`` with JSON
+payloads.
+"""
+
+import json
+import logging
+
+from django.db.models import Prefetch
+from django.http import HttpRequest, HttpResponse, JsonResponse
+from django.shortcuts import get_object_or_404
+from django.utils import timezone
+from django.utils.decorators import method_decorator
+from django.views import View
+from django.views.decorators.csrf import csrf_exempt
+
+from django_program.conference.models import Conference
+from django_program.registration.attendee import Attendee
+from django_program.registration.models import Order, OrderLineItem
+from django_program.registration.services.checkin import CheckInService, RedemptionService
+
+logger = logging.getLogger(__name__)
+
+
+class StaffRequiredMixin:
+    """Require staff or superuser access for check-in API views.
+
+    Resolves the conference from ``conference_slug`` and stores it on
+    ``self.conference``. Returns a 403 JSON error if the user lacks
+    permission or a 404 if the conference does not exist.
+    """
+
+    conference: Conference
+
+    def dispatch(self, request: HttpRequest, *args: str, **kwargs: str) -> HttpResponse:
+        """Validate staff access and resolve conference before dispatching.
+
+        Args:
+            request: The incoming HTTP request.
+            *args: Positional URL arguments.
+            **kwargs: URL keyword arguments including ``conference_slug``.
+
+        Returns:
+            The response from the downstream view, or a 403/401 JSON error.
+        """
+        if not request.user.is_authenticated:
+            return JsonResponse({"error": "Authentication required"}, status=401)
+        if not (request.user.is_staff or request.user.is_superuser):
+            return JsonResponse({"error": "Staff access required"}, status=403)
+        self.conference = get_object_or_404(Conference, slug=kwargs.get("conference_slug"))
+        return super().dispatch(request, *args, **kwargs)  # type: ignore[misc]
+
+
+def _serialize_attendee(attendee: Attendee) -> dict[str, object]:
+    """Serialize an attendee record for JSON API responses.
+
+    Args:
+        attendee: The attendee to serialize.
+
+    Returns:
+        A dict with attendee fields suitable for JSON encoding.
+    """
+    return {
+        "id": attendee.pk,
+        "access_code": str(attendee.access_code),
+        "name": str(getattr(attendee.user, "get_full_name", lambda: "")()),
+        "email": str(getattr(attendee.user, "email", "")),
+        "checked_in": attendee.checked_in_at is not None,
+        "checked_in_at": (attendee.checked_in_at.isoformat() if attendee.checked_in_at else None),
+    }
+
+
+def _serialize_line_item(item: OrderLineItem) -> dict[str, object]:
+    """Serialize an order line item for JSON API responses.
+
+    Args:
+        item: The order line item to serialize.
+
+    Returns:
+        A dict with line item fields suitable for JSON encoding.
+    """
+    return {
+        "id": item.pk,
+        "description": str(item.description),
+        "quantity": item.quantity,
+        "ticket_type_slug": (str(item.ticket_type.slug) if item.ticket_type else None),
+        "addon_slug": str(item.addon.slug) if item.addon else None,
+    }
+
+
+def _get_ticket_type_name(order: Order | None) -> str:
+    """Extract the ticket type name from an order's line items."""
+    if order is None:
+        return ""
+    ticket_item = order.line_items.filter(ticket_type__isnull=False).select_related("ticket_type").first()
+    if ticket_item and ticket_item.ticket_type:
+        return str(ticket_item.ticket_type.name)
+    return ""
+
+
+def _parse_json_body(request: HttpRequest) -> dict[str, object] | None:
+    """Parse JSON from request body, returning None on failure."""
+    try:
+        return json.loads(request.body)  # type: ignore[no-any-return]
+    except json.JSONDecodeError, ValueError:
+        return None
+
+
+@method_decorator(csrf_exempt, name="dispatch")
+class ScanView(StaffRequiredMixin, View):
+    """Scan an attendee's access code and perform check-in.
+
+    Accepts a JSON body with ``access_code`` and records the check-in
+    via ``CheckInService``. Returns the attendee data and badge info
+    on success.
+    """
+
+    def post(self, request: HttpRequest, **kwargs: str) -> JsonResponse:  # noqa: ARG002
+        """Process a scan and check in the attendee.
+
+        Args:
+            request: The incoming HTTP request with JSON body.
+            **kwargs: URL keyword arguments (unused).
+
+        Returns:
+            JSON response with attendee data on success, or an error payload.
+        """
+        body = _parse_json_body(request)
+        if body is None:
+            return JsonResponse({"error": "Invalid JSON body"}, status=400)
+
+        access_code = str(body.get("access_code", "")).strip()
+        if not access_code:
+            return JsonResponse({"error": "access_code is required"}, status=400)
+
+        station = str(body.get("station", ""))
+
+        try:
+            attendee = CheckInService.lookup_attendee(conference=self.conference, access_code=access_code)
+        except Attendee.DoesNotExist:
+            return JsonResponse(
+                {"error": "Attendee not found", "access_code": access_code},
+                status=404,
+            )
+
+        checkin = CheckInService.check_in(
+            attendee=attendee,
+            checked_in_by=request.user,
+            station=station,
+        )
+
+        order = attendee.order
+        products = []
+        if order is not None:
+            products = [
+                _serialize_line_item(item) for item in order.line_items.select_related("ticket_type", "addon").all()
+            ]
+
+        return JsonResponse(
+            {
+                "status": "checked_in",
+                "attendee": _serialize_attendee(attendee),
+                "badge": {
+                    "name": str(getattr(attendee.user, "get_full_name", lambda: "")()),
+                    "ticket_type": _get_ticket_type_name(order),
+                },
+                "products": products,
+                "checkin_id": checkin.pk,
+                "checked_in_at": checkin.checked_in_at.isoformat(),
+            }
+        )
+
+
+class LookupView(StaffRequiredMixin, View):
+    """Look up an attendee by access code without performing check-in.
+
+    Read-only endpoint that returns attendee details, purchased products,
+    check-in status, and redeemable line items.
+    """
+
+    def get(self, request: HttpRequest, access_code: str, **kwargs: str) -> JsonResponse:  # noqa: ARG002
+        """Look up attendee data by access code.
+
+        Args:
+            request: The incoming HTTP request.
+            access_code: The attendee's access code from the URL.
+            **kwargs: URL keyword arguments (unused).
+
+        Returns:
+            JSON response with attendee data, products, and redemption status.
+        """
+        try:
+            attendee = CheckInService.lookup_attendee(conference=self.conference, access_code=access_code.strip())
+        except Attendee.DoesNotExist:
+            return JsonResponse(
+                {"error": "Attendee not found", "access_code": access_code},
+                status=404,
+            )
+
+        order = attendee.order
+        products: list[dict[str, object]] = []
+        redeemable: list[dict[str, object]] = []
+        if order is not None:
+            line_items = list(order.line_items.select_related("ticket_type", "addon").all())
+            products = [_serialize_line_item(item) for item in line_items]
+
+            redeemed_item_ids = set(attendee.redemptions.values_list("order_line_item_id", flat=True))
+            redeemable = [
+                {**_serialize_line_item(item), "redeemed": item.pk in redeemed_item_ids} for item in line_items
+            ]
+
+        return JsonResponse(
+            {
+                "attendee": {
+                    **_serialize_attendee(attendee),
+                    "ticket_type": _get_ticket_type_name(order),
+                },
+                "products": products,
+                "redeemable": redeemable,
+            }
+        )
+
+
+@method_decorator(csrf_exempt, name="dispatch")
+class RedeemView(StaffRequiredMixin, View):
+    """Redeem a purchased product (order line item) for an attendee.
+
+    Accepts a JSON body with ``access_code`` and ``line_item_id`` and
+    records the redemption via ``RedemptionService``.
+    """
+
+    def post(self, request: HttpRequest, **kwargs: str) -> JsonResponse:  # noqa: ARG002
+        """Process a product redemption.
+
+        Args:
+            request: The incoming HTTP request with JSON body.
+            **kwargs: URL keyword arguments (unused).
+
+        Returns:
+            JSON response with redemption result, or an error payload.
+        """
+        body = _parse_json_body(request)
+        if body is None:
+            return JsonResponse({"error": "Invalid JSON body"}, status=400)
+
+        access_code = str(body.get("access_code", "")).strip()
+        line_item_id = body.get("line_item_id")
+
+        if not access_code or line_item_id is None:
+            return JsonResponse({"error": "access_code and line_item_id are required"}, status=400)
+
+        try:
+            attendee = CheckInService.lookup_attendee(conference=self.conference, access_code=access_code)
+        except Attendee.DoesNotExist:
+            return JsonResponse(
+                {"error": "Attendee not found", "access_code": access_code},
+                status=404,
+            )
+
+        if attendee.order is None:
+            return JsonResponse({"error": "Attendee has no associated order"}, status=400)
+
+        try:
+            line_item = attendee.order.line_items.get(pk=line_item_id)
+        except OrderLineItem.DoesNotExist:
+            return JsonResponse(
+                {"error": "Line item not found in attendee's order", "line_item_id": line_item_id},
+                status=400,
+            )
+
+        return self._do_redeem(attendee, line_item, request)
+
+    def _do_redeem(self, attendee: Attendee, line_item: OrderLineItem, request: HttpRequest) -> JsonResponse:
+        """Execute the redemption and return the result."""
+        try:
+            redemption = RedemptionService.redeem_product(
+                attendee=attendee,
+                order_line_item=line_item,
+                redeemed_by=request.user,
+            )
+        except ValueError as exc:
+            return JsonResponse(
+                {"error": str(exc), "line_item_id": line_item.pk},
+                status=409,
+            )
+
+        return JsonResponse(
+            {
+                "status": "redeemed",
+                "redemption_id": redemption.pk,
+                "redeemed_at": redemption.redeemed_at.isoformat(),
+                "line_item": _serialize_line_item(line_item),
+                "attendee": _serialize_attendee(attendee),
+            }
+        )
+
+
+class OfflinePreloadView(StaffRequiredMixin, View):
+    """Bulk export attendee data for offline scanner fallback.
+
+    Returns a JSON array of attendee records for all paid orders in the
+    conference. Optionally filtered by ticket type slug via the
+    ``ticket_type`` query parameter.
+    """
+
+    def get(self, request: HttpRequest, **kwargs: str) -> JsonResponse:  # noqa: ARG002
+        """Return preloaded attendee data for offline scanner use.
+
+        Args:
+            request: The incoming HTTP request.
+            **kwargs: URL keyword arguments (unused).
+
+        Returns:
+            JSON response with an array of attendee records.
+        """
+        attendees = (
+            Attendee.objects.filter(
+                conference=self.conference,
+                order__isnull=False,
+                order__status=Order.Status.PAID,
+            )
+            .select_related("user", "order")
+            .prefetch_related(
+                Prefetch(
+                    "order__line_items",
+                    queryset=OrderLineItem.objects.select_related("ticket_type", "addon"),
+                ),
+                "redemptions",
+            )
+        )
+
+        ticket_type_slug = request.GET.get("ticket_type", "").strip()
+        if ticket_type_slug:
+            attendees = attendees.filter(
+                order__line_items__ticket_type__slug=ticket_type_slug,
+            ).distinct()
+
+        records = [self._serialize_preload_attendee(attendee) for attendee in attendees]
+
+        return JsonResponse(
+            {
+                "conference": str(self.conference.slug),
+                "generated_at": timezone.now().isoformat(),
+                "count": len(records),
+                "attendees": records,
+            }
+        )
+
+    @staticmethod
+    def _serialize_preload_attendee(attendee: Attendee) -> dict[str, object]:
+        """Serialize a single attendee for the preload export."""
+        order = attendee.order
+        products: list[dict[str, object]] = []
+        ticket_type_name = ""
+
+        if order is not None:
+            redeemed_item_ids = set(attendee.redemptions.values_list("order_line_item_id", flat=True))
+            for item in order.line_items.all():
+                product_data = _serialize_line_item(item)
+                product_data["redeemed"] = item.pk in redeemed_item_ids
+                products.append(product_data)
+
+                if item.ticket_type and not ticket_type_name:
+                    ticket_type_name = str(item.ticket_type.name)
+
+        return {
+            "access_code": str(attendee.access_code),
+            "name": str(getattr(attendee.user, "get_full_name", lambda: "")()),
+            "email": str(getattr(attendee.user, "email", "")),
+            "ticket_type": ticket_type_name,
+            "products": products,
+            "checked_in": attendee.checked_in_at is not None,
+            "checked_in_at": (attendee.checked_in_at.isoformat() if attendee.checked_in_at else None),
+        }
diff --git a/tests/test_registration/test_checkin.py b/tests/test_registration/test_checkin.py
new file mode 100644
index 0000000..b1061e1
--- /dev/null
+++ b/tests/test_registration/test_checkin.py
@@ -0,0 +1,758 @@
+"""Tests for on-site check-in, door checks, and product redemption."""
+
+import json
+from datetime import date
+from decimal import Decimal
+from uuid import uuid4
+
+import pytest
+from django.contrib.auth import get_user_model
+from django.db import IntegrityError
+from django.test import Client
+from django.urls import reverse
+
+from django_program.conference.models import Conference
+from django_program.registration.attendee import Attendee
+from django_program.registration.checkin import CheckIn, DoorCheck, ProductRedemption
+from django_program.registration.models import AddOn, Order, OrderLineItem, TicketType
+from django_program.registration.services.checkin import CheckInService, RedemptionService
+
+User = get_user_model()
+
+pytestmark = pytest.mark.django_db
+
+
+# -- Helpers ------------------------------------------------------------------
+
+
+def _make_conference(**kwargs: object) -> Conference:
+    defaults: dict[str, object] = {
+        "name": "TestCon",
+        "slug": f"testcon-{uuid4().hex[:6]}",
+        "start_date": date(2026, 7, 1),
+        "end_date": date(2026, 7, 5),
+    }
+    defaults.update(kwargs)
+    return Conference.objects.create(**defaults)
+
+
+def _make_user(**kwargs: object) -> object:
+    defaults: dict[str, object] = {
+        "username": f"user-{uuid4().hex[:8]}",
+        "email": f"{uuid4().hex[:8]}@test.com",
+    }
+    defaults.update(kwargs)
+    return User.objects.create_user(**defaults)
+
+
+def _make_staff_user(**kwargs: object) -> object:
+    defaults: dict[str, object] = {
+        "username": f"staff-{uuid4().hex[:8]}",
+        "email": f"{uuid4().hex[:8]}@test.com",
+        "is_staff": True,
+        "password": "testpass123",
+    }
+    defaults.update(kwargs)
+    return User.objects.create_user(**defaults)
+
+
+def _make_order(*, conference: Conference, user: object, status: str = Order.Status.PAID) -> Order:
+    return Order.objects.create(
+        conference=conference,
+        user=user,
+        status=status,
+        subtotal=Decimal("100.00"),
+        total=Decimal("100.00"),
+        reference=f"ORD-{uuid4().hex[:8].upper()}",
+    )
+
+
+def _make_ticket_type(*, conference: Conference, **kwargs: object) -> TicketType:
+    defaults: dict[str, object] = {
+        "name": "General Admission",
+        "slug": f"general-{uuid4().hex[:6]}",
+        "price": Decimal("100.00"),
+        "is_active": True,
+    }
+    defaults.update(kwargs)
+    return TicketType.objects.create(conference=conference, **defaults)
+
+
+def _make_addon(*, conference: Conference, **kwargs: object) -> AddOn:
+    defaults: dict[str, object] = {
+        "name": "Workshop",
+        "slug": f"workshop-{uuid4().hex[:6]}",
+        "price": Decimal("50.00"),
+        "is_active": True,
+    }
+    defaults.update(kwargs)
+    return AddOn.objects.create(conference=conference, **defaults)
+
+
+def _make_line_item(
+    *,
+    order: Order,
+    ticket_type: TicketType | None = None,
+    addon: AddOn | None = None,
+    quantity: int = 1,
+    description: str = "",
+) -> OrderLineItem:
+    unit_price = Decimal("100.00")
+    if ticket_type:
+        unit_price = ticket_type.price
+        description = description or str(ticket_type.name)
+    elif addon:
+        unit_price = addon.price
+        description = description or str(addon.name)
+    else:
+        description = description or "Line Item"
+    return OrderLineItem.objects.create(
+        order=order,
+        description=description,
+        quantity=quantity,
+        unit_price=unit_price,
+        line_total=unit_price * quantity,
+        ticket_type=ticket_type,
+        addon=addon,
+    )
+
+
+def _make_attendee(*, conference: Conference, user: object, order: Order | None = None) -> Attendee:
+    return Attendee.objects.create(user=user, conference=conference, order=order)
+
+
+# -- Model Tests --------------------------------------------------------------
+
+
+@pytest.mark.unit
+class TestCheckInModel:
+    """Tests for the CheckIn model."""
+
+    def test_checkin_creation(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user)
+        checkin = CheckIn.objects.create(attendee=attendee, conference=conf)
+
+        assert checkin.pk is not None
+        assert checkin.attendee == attendee
+        assert checkin.conference == conf
+        assert checkin.checked_in_at is not None
+        assert checkin.checked_in_by is None
+        assert checkin.station == ""
+        assert checkin.note == ""
+
+    def test_checkin_str(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user)
+        checkin = CheckIn.objects.create(attendee=attendee, conference=conf)
+
+        result = str(checkin)
+        assert "CheckIn:" in result
+        assert str(attendee) in result
+
+
+@pytest.mark.unit
+class TestDoorCheckModel:
+    """Tests for the DoorCheck model."""
+
+    def test_doorcheck_creation(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user)
+        ticket_type = _make_ticket_type(conference=conf)
+        door_check = DoorCheck.objects.create(
+            attendee=attendee,
+            conference=conf,
+            ticket_type=ticket_type,
+        )
+
+        assert door_check.pk is not None
+        assert door_check.attendee == attendee
+        assert door_check.ticket_type == ticket_type
+        assert door_check.addon is None
+        assert door_check.checked_at is not None
+
+    def test_doorcheck_str(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user)
+        ticket_type = _make_ticket_type(conference=conf)
+        door_check = DoorCheck.objects.create(
+            attendee=attendee,
+            conference=conf,
+            ticket_type=ticket_type,
+        )
+
+        result = str(door_check)
+        assert "DoorCheck:" in result
+        assert str(attendee) in result
+
+
+@pytest.mark.unit
+class TestProductRedemptionModel:
+    """Tests for the ProductRedemption model."""
+
+    def test_redemption_creation(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        order = _make_order(conference=conf, user=user)
+        attendee = _make_attendee(conference=conf, user=user, order=order)
+        line_item = _make_line_item(order=order, description="Tutorial Access")
+
+        redemption = ProductRedemption.objects.create(
+            attendee=attendee,
+            order_line_item=line_item,
+            conference=conf,
+        )
+
+        assert redemption.pk is not None
+        assert redemption.attendee == attendee
+        assert redemption.order_line_item == line_item
+        assert redemption.redeemed_at is not None
+        assert redemption.redeemed_by is None
+
+    def test_redemption_str(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        order = _make_order(conference=conf, user=user)
+        attendee = _make_attendee(conference=conf, user=user, order=order)
+        line_item = _make_line_item(order=order, description="Tutorial")
+
+        redemption = ProductRedemption.objects.create(
+            attendee=attendee,
+            order_line_item=line_item,
+            conference=conf,
+        )
+
+        result = str(redemption)
+        assert "Redemption:" in result
+
+    def test_unique_together_prevents_duplicate(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        order = _make_order(conference=conf, user=user)
+        attendee = _make_attendee(conference=conf, user=user, order=order)
+        line_item = _make_line_item(order=order, description="Tutorial")
+
+        ProductRedemption.objects.create(
+            attendee=attendee,
+            order_line_item=line_item,
+            conference=conf,
+        )
+
+        with pytest.raises(IntegrityError):
+            ProductRedemption.objects.create(
+                attendee=attendee,
+                order_line_item=line_item,
+                conference=conf,
+            )
+
+
+# -- Service Tests: CheckInService --------------------------------------------
+
+
+@pytest.mark.unit
+class TestCheckInServiceLookup:
+    """Tests for CheckInService.lookup_attendee."""
+
+    def test_lookup_returns_attendee_for_valid_code(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user)
+
+        result = CheckInService.lookup_attendee(
+            conference=conf,
+            access_code=attendee.access_code,
+        )
+        assert result.pk == attendee.pk
+
+    def test_lookup_raises_does_not_exist_for_invalid_code(self) -> None:
+        conf = _make_conference()
+
+        with pytest.raises(Attendee.DoesNotExist):
+            CheckInService.lookup_attendee(conference=conf, access_code="ZZZZZZZZ")
+
+
+@pytest.mark.unit
+class TestCheckInServiceCheckIn:
+    """Tests for CheckInService.check_in."""
+
+    def test_check_in_creates_record(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user)
+
+        checkin = CheckInService.check_in(attendee=attendee, station="Door A")
+
+        assert checkin.pk is not None
+        assert checkin.attendee == attendee
+        assert checkin.conference == conf
+        assert checkin.station == "Door A"
+
+    def test_check_in_sets_checked_in_at_on_first(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user)
+
+        assert attendee.checked_in_at is None
+
+        CheckInService.check_in(attendee=attendee)
+
+        attendee.refresh_from_db()
+        assert attendee.checked_in_at is not None
+
+    def test_check_in_allows_multiple_reentry(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user)
+
+        ci1 = CheckInService.check_in(attendee=attendee, station="Door A")
+        ci2 = CheckInService.check_in(attendee=attendee, station="Door B")
+
+        assert ci1.pk != ci2.pk
+        assert CheckIn.objects.filter(attendee=attendee).count() == 2
+
+    def test_check_in_does_not_overwrite_checked_in_at_on_reentry(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user)
+
+        CheckInService.check_in(attendee=attendee)
+        attendee.refresh_from_db()
+        first_check_in_at = attendee.checked_in_at
+
+        CheckInService.check_in(attendee=attendee)
+        attendee.refresh_from_db()
+
+        assert attendee.checked_in_at == first_check_in_at
+
+    def test_check_in_records_staff_user(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        staff = _make_staff_user()
+        attendee = _make_attendee(conference=conf, user=user)
+
+        checkin = CheckInService.check_in(attendee=attendee, checked_in_by=staff)
+
+        assert checkin.checked_in_by == staff
+
+
+@pytest.mark.unit
+class TestCheckInServiceBadgeData:
+    """Tests for CheckInService.get_badge_data."""
+
+    def test_badge_data_returns_correct_structure(self) -> None:
+        conf = _make_conference()
+        user = _make_user(first_name="Jane", last_name="Doe")
+        order = _make_order(conference=conf, user=user)
+        ticket_type = _make_ticket_type(conference=conf, name="Professional")
+        addon = _make_addon(conference=conf, name="Tutorial Pass")
+        _make_line_item(order=order, ticket_type=ticket_type)
+        _make_line_item(order=order, addon=addon)
+        attendee = _make_attendee(conference=conf, user=user, order=order)
+
+        CheckInService.check_in(attendee=attendee)
+        attendee.refresh_from_db()
+
+        badge = CheckInService.get_badge_data(attendee)
+
+        assert badge["name"] == "Jane Doe"
+        assert badge["email"] == str(user.email)
+        assert badge["access_code"] == str(attendee.access_code)
+        assert badge["ticket_type"] == "Professional"
+        assert badge["checked_in"] is True
+        assert badge["first_check_in_at"] is not None
+        assert badge["check_in_count"] == 1
+        assert isinstance(badge["products"], list)
+        assert len(badge["products"]) == 1  # only addons appear in products list
+
+    def test_badge_data_unchecked_attendee(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user)
+
+        badge = CheckInService.get_badge_data(attendee)
+
+        assert badge["checked_in"] is False
+        assert badge["first_check_in_at"] is None
+        assert badge["check_in_count"] == 0
+
+
+@pytest.mark.unit
+class TestCheckInServiceDoorCheck:
+    """Tests for CheckInService.record_door_check."""
+
+    def test_door_check_with_ticket_type(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user)
+        ticket_type = _make_ticket_type(conference=conf)
+
+        dc = CheckInService.record_door_check(
+            attendee=attendee,
+            ticket_type=ticket_type,
+            station="Tutorial Room 1",
+        )
+
+        assert dc.pk is not None
+        assert dc.ticket_type == ticket_type
+        assert dc.addon is None
+        assert dc.station == "Tutorial Room 1"
+
+    def test_door_check_with_addon(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user)
+        addon = _make_addon(conference=conf)
+
+        dc = CheckInService.record_door_check(attendee=attendee, addon=addon)
+
+        assert dc.pk is not None
+        assert dc.addon == addon
+        assert dc.ticket_type is None
+
+    def test_door_check_raises_if_neither_provided(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user)
+
+        with pytest.raises(ValueError, match="Exactly one"):
+            CheckInService.record_door_check(attendee=attendee)
+
+    def test_door_check_raises_if_both_provided(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user)
+        ticket_type = _make_ticket_type(conference=conf)
+        addon = _make_addon(conference=conf)
+
+        with pytest.raises(ValueError, match="Exactly one"):
+            CheckInService.record_door_check(
+                attendee=attendee,
+                ticket_type=ticket_type,
+                addon=addon,
+            )
+
+
+# -- Service Tests: RedemptionService -----------------------------------------
+
+
+@pytest.mark.unit
+class TestRedemptionServiceGetRedeemable:
+    """Tests for RedemptionService.get_redeemable_products."""
+
+    def test_returns_items_with_remaining(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        order = _make_order(conference=conf, user=user)
+        attendee = _make_attendee(conference=conf, user=user, order=order)
+        addon = _make_addon(conference=conf)
+        _make_line_item(order=order, addon=addon, quantity=2)
+
+        products = RedemptionService.get_redeemable_products(attendee)
+
+        assert len(products) == 1
+        assert products[0]["quantity"] == 2
+        assert products[0]["redeemed_count"] == 0
+        assert products[0]["remaining"] == 2
+
+    def test_returns_empty_for_no_order(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        attendee = _make_attendee(conference=conf, user=user, order=None)
+
+        products = RedemptionService.get_redeemable_products(attendee)
+
+        assert products == []
+
+    def test_excludes_fully_redeemed_items(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        order = _make_order(conference=conf, user=user)
+        attendee = _make_attendee(conference=conf, user=user, order=order)
+        line_item = _make_line_item(order=order, quantity=1, description="Single Use")
+
+        ProductRedemption.objects.create(
+            attendee=attendee,
+            order_line_item=line_item,
+            conference=conf,
+        )
+
+        products = RedemptionService.get_redeemable_products(attendee)
+
+        assert len(products) == 0
+
+
+@pytest.mark.unit
+class TestRedemptionServiceRedeem:
+    """Tests for RedemptionService.redeem_product."""
+
+    def test_redeem_creates_redemption(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        order = _make_order(conference=conf, user=user)
+        attendee = _make_attendee(conference=conf, user=user, order=order)
+        line_item = _make_line_item(order=order, quantity=1)
+
+        redemption = RedemptionService.redeem_product(
+            attendee=attendee,
+            order_line_item=line_item,
+        )
+
+        assert redemption.pk is not None
+        assert redemption.attendee == attendee
+        assert redemption.order_line_item == line_item
+        assert redemption.conference == conf
+
+    def test_redeem_raises_for_wrong_order(self) -> None:
+        conf = _make_conference()
+        user1 = _make_user()
+        user2 = _make_user()
+        order1 = _make_order(conference=conf, user=user1)
+        order2 = _make_order(conference=conf, user=user2)
+        attendee = _make_attendee(conference=conf, user=user1, order=order1)
+        other_line_item = _make_line_item(order=order2, description="Other Order Item")
+
+        with pytest.raises(ValueError, match="not attendee's order"):
+            RedemptionService.redeem_product(
+                attendee=attendee,
+                order_line_item=other_line_item,
+            )
+
+    def test_redeem_raises_when_fully_redeemed(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        order = _make_order(conference=conf, user=user)
+        attendee = _make_attendee(conference=conf, user=user, order=order)
+        line_item = _make_line_item(order=order, quantity=1, description="One-Time Pass")
+
+        RedemptionService.redeem_product(
+            attendee=attendee,
+            order_line_item=line_item,
+        )
+
+        with pytest.raises(ValueError, match="fully redeemed"):
+            RedemptionService.redeem_product(
+                attendee=attendee,
+                order_line_item=line_item,
+            )
+
+
+# -- View / API Tests ---------------------------------------------------------
+
+
+@pytest.mark.integration
+class TestScanView:
+    """Tests for the ScanView check-in endpoint."""
+
+    def _url(self, conference: Conference) -> str:
+        return reverse("registration:checkin-scan", args=[conference.slug])
+
+    def test_returns_401_for_anonymous(self) -> None:
+        conf = _make_conference()
+        client = Client()
+        response = client.post(
+            self._url(conf),
+            data=json.dumps({"access_code": "XXXXXXXX"}),
+            content_type="application/json",
+        )
+        assert response.status_code == 401
+
+    def test_returns_403_for_non_staff(self) -> None:
+        conf = _make_conference()
+        user = _make_user(password="testpass123")
+        client = Client()
+        client.force_login(user)
+        response = client.post(
+            self._url(conf),
+            data=json.dumps({"access_code": "XXXXXXXX"}),
+            content_type="application/json",
+        )
+        assert response.status_code == 403
+
+    def test_checks_in_attendee_successfully(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        order = _make_order(conference=conf, user=user)
+        attendee = _make_attendee(conference=conf, user=user, order=order)
+        staff = _make_staff_user()
+
+        client = Client()
+        client.force_login(staff)
+        response = client.post(
+            self._url(conf),
+            data=json.dumps({"access_code": attendee.access_code, "station": "Door A"}),
+            content_type="application/json",
+        )
+
+        assert response.status_code == 200
+        data = response.json()
+        assert data["status"] == "checked_in"
+        assert data["attendee"]["access_code"] == attendee.access_code
+        assert data["checkin_id"] is not None
+
+    def test_returns_404_for_unknown_access_code(self) -> None:
+        conf = _make_conference()
+        staff = _make_staff_user()
+
+        client = Client()
+        client.force_login(staff)
+        response = client.post(
+            self._url(conf),
+            data=json.dumps({"access_code": "NOTFOUND"}),
+            content_type="application/json",
+        )
+
+        assert response.status_code == 404
+        assert "not found" in response.json()["error"].lower()
+
+
+@pytest.mark.integration
+class TestLookupView:
+    """Tests for the LookupView endpoint."""
+
+    def _url(self, conference: Conference, access_code: str) -> str:
+        return reverse("registration:checkin-lookup", args=[conference.slug, access_code])
+
+    def test_returns_attendee_data(self) -> None:
+        conf = _make_conference()
+        user = _make_user(first_name="Alice", last_name="Smith")
+        order = _make_order(conference=conf, user=user)
+        attendee = _make_attendee(conference=conf, user=user, order=order)
+        staff = _make_staff_user()
+
+        client = Client()
+        client.force_login(staff)
+        response = client.get(self._url(conf, attendee.access_code))
+
+        assert response.status_code == 200
+        data = response.json()
+        assert data["attendee"]["access_code"] == attendee.access_code
+        assert "products" in data
+        assert "redeemable" in data
+
+    def test_returns_404_for_unknown_code(self) -> None:
+        conf = _make_conference()
+        staff = _make_staff_user()
+
+        client = Client()
+        client.force_login(staff)
+        response = client.get(self._url(conf, "NOTFOUND"))
+
+        assert response.status_code == 404
+
+
+@pytest.mark.integration
+class TestRedeemView:
+    """Tests for the RedeemView endpoint."""
+
+    def _url(self, conference: Conference) -> str:
+        return reverse("registration:checkin-redeem", args=[conference.slug])
+
+    def test_redeems_product_successfully(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        order = _make_order(conference=conf, user=user)
+        attendee = _make_attendee(conference=conf, user=user, order=order)
+        line_item = _make_line_item(order=order, quantity=1, description="Tutorial")
+        staff = _make_staff_user()
+
+        client = Client()
+        client.force_login(staff)
+        response = client.post(
+            self._url(conf),
+            data=json.dumps(
+                {
+                    "access_code": attendee.access_code,
+                    "line_item_id": line_item.pk,
+                }
+            ),
+            content_type="application/json",
+        )
+
+        assert response.status_code == 200
+        data = response.json()
+        assert data["status"] == "redeemed"
+        assert data["redemption_id"] is not None
+
+    def test_returns_409_for_already_redeemed(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        order = _make_order(conference=conf, user=user)
+        attendee = _make_attendee(conference=conf, user=user, order=order)
+        line_item = _make_line_item(order=order, quantity=1, description="One-Time")
+        staff = _make_staff_user()
+
+        # Redeem once via the service directly
+        RedemptionService.redeem_product(attendee=attendee, order_line_item=line_item)
+
+        client = Client()
+        client.force_login(staff)
+        response = client.post(
+            self._url(conf),
+            data=json.dumps(
+                {
+                    "access_code": attendee.access_code,
+                    "line_item_id": line_item.pk,
+                }
+            ),
+            content_type="application/json",
+        )
+
+        assert response.status_code == 409
+        assert "fully redeemed" in response.json()["error"]
+
+
+@pytest.mark.integration
+class TestOfflinePreloadView:
+    """Tests for the OfflinePreloadView endpoint."""
+
+    def _url(self, conference: Conference) -> str:
+        return reverse("registration:checkin-preload", args=[conference.slug])
+
+    def test_returns_attendee_list(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        order = _make_order(conference=conf, user=user, status=Order.Status.PAID)
+        _make_attendee(conference=conf, user=user, order=order)
+        staff = _make_staff_user()
+
+        client = Client()
+        client.force_login(staff)
+        response = client.get(self._url(conf))
+
+        assert response.status_code == 200
+        data = response.json()
+        assert data["count"] == 1
+        assert len(data["attendees"]) == 1
+        assert data["conference"] == str(conf.slug)
+
+    def test_filters_by_ticket_type(self) -> None:
+        conf = _make_conference()
+        ticket_a = _make_ticket_type(conference=conf, name="VIP", slug="vip")
+        ticket_b = _make_ticket_type(conference=conf, name="Standard", slug="standard")
+
+        # Attendee with VIP ticket
+        user1 = _make_user()
+        order1 = _make_order(conference=conf, user=user1)
+        _make_line_item(order=order1, ticket_type=ticket_a)
+        _make_attendee(conference=conf, user=user1, order=order1)
+
+        # Attendee with Standard ticket
+        user2 = _make_user()
+        order2 = _make_order(conference=conf, user=user2)
+        _make_line_item(order=order2, ticket_type=ticket_b)
+        _make_attendee(conference=conf, user=user2, order=order2)
+
+        staff = _make_staff_user()
+        client = Client()
+        client.force_login(staff)
+
+        response = client.get(self._url(conf), {"ticket_type": "vip"})
+
+        assert response.status_code == 200
+        data = response.json()
+        assert data["count"] == 1
+        assert data["attendees"][0]["ticket_type"] == "VIP"

From a68215b3537e45c8681990a4a7927e6c6d1c9a1c Mon Sep 17 00:00:00 2001
From: Jacob Coffee <jacob@z7x.org>
Date: Wed, 18 Mar 2026 21:30:58 -0500
Subject: [PATCH 2/6] fix: remove unused humanize template tag load from
 checkin dashboard

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../templates/django_program/manage/checkin_dashboard.html       | 1 -
 1 file changed, 1 deletion(-)

diff --git a/src/django_program/manage/templates/django_program/manage/checkin_dashboard.html b/src/django_program/manage/templates/django_program/manage/checkin_dashboard.html
index 1c7b483..393fe69 100644
--- a/src/django_program/manage/templates/django_program/manage/checkin_dashboard.html
+++ b/src/django_program/manage/templates/django_program/manage/checkin_dashboard.html
@@ -1,5 +1,4 @@
 {% extends "django_program/manage/base.html" %}
-{% load humanize %}
 
 {% block title %}Check-in Dashboard{% endblock %}
 

From e73c114af48b888557158cb87f20031d7443e7d9 Mon Sep 17 00:00:00 2001
From: Jacob Coffee <jacob@z7x.org>
Date: Wed, 18 Mar 2026 21:44:41 -0500
Subject: [PATCH 3/6] =?UTF-8?q?fix:=20address=20PR=20review=20=E2=80=94=20?=
 =?UTF-8?q?race=20conditions,=20CSRF,=20UI/API=20contract,=20unique=5Ftoge?=
 =?UTF-8?q?ther?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove unique_together on ProductRedemption to allow quantity-tracked
  redemption (multiple rows per line item up to purchased quantity)
- Add select_for_update() locking in redeem_product() to prevent
  concurrent over-redemption race conditions
- Remove csrf_exempt from ScanView/RedeemView; scanner JS sends
  X-CSRFToken from cookie
- Fix scanner UI to match actual API response shapes (nested attendee
  object, redeemable list, correct field names)
- Sanitize error messages to avoid leaking internal IDs
- Validate line_item_id as integer before DB lookup

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../manage/checkin_scanner.html               | 95 +++++++++++--------
 src/django_program/registration/checkin.py    | 12 +--
 ...alter_productredemption_unique_together.py | 16 ++++
 .../registration/services/checkin.py          | 42 ++++----
 .../registration/views_checkin.py             | 23 +++--
 tests/test_registration/test_checkin.py       | 32 ++++---
 6 files changed, 128 insertions(+), 92 deletions(-)
 create mode 100644 src/django_program/registration/migrations/0017_alter_productredemption_unique_together.py

diff --git a/src/django_program/manage/templates/django_program/manage/checkin_scanner.html b/src/django_program/manage/templates/django_program/manage/checkin_scanner.html
index 8dd0fe9..02b0127 100644
--- a/src/django_program/manage/templates/django_program/manage/checkin_scanner.html
+++ b/src/django_program/manage/templates/django_program/manage/checkin_scanner.html
@@ -383,63 +383,64 @@ <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
     productsPanel.classList.add("visible");
   }
 
-  function renderAttendee(data) {
-    attendeeName.textContent = data.name || "Unknown";
-    attendeeEmail.textContent = data.email || "";
-    attendeeCode.textContent = data.access_code || "";
+  // Track the current attendee's access code for redemption requests
+  var currentAccessCode = "";
+
+  function renderAttendee(attendee, badge) {
+    attendeeName.textContent = attendee.name || "Unknown";
+    attendeeEmail.textContent = attendee.email || "";
+    attendeeCode.textContent = attendee.access_code || "";
+    currentAccessCode = attendee.access_code || "";
+
+    var ticketType = (badge && badge.ticket_type) || attendee.ticket_type || "";
 
     var metaHtml = "";
-    if (data.ticket_type) {
+    if (ticketType) {
       metaHtml += '<div class="attendee-meta-item">' +
         '<div class="attendee-meta-label">Ticket Type</div>' +
-        '<div class="attendee-meta-value">' + escapeHtml(data.ticket_type) + '</div></div>';
+        '<div class="attendee-meta-value">' + escapeHtml(ticketType) + '</div></div>';
     }
     metaHtml += '<div class="attendee-meta-item">' +
       '<div class="attendee-meta-label">Check-in Status</div>' +
       '<div class="attendee-meta-value">' +
-      (data.checkin_count > 0
-        ? '<span class="badge badge--warning">Re-entry (#' + (data.checkin_count + 1) + ')</span>'
+      (attendee.checked_in
+        ? '<span class="badge badge--warning">Checked in</span>'
         : '<span class="badge badge--active">First check-in</span>') +
       '</div></div>';
-    metaHtml += '<div class="attendee-meta-item">' +
-      '<div class="attendee-meta-label">Previous Check-ins</div>' +
-      '<div class="attendee-meta-value">' + data.checkin_count + '</div></div>';
-    if (data.order_reference) {
+    if (attendee.checked_in_at) {
       metaHtml += '<div class="attendee-meta-item">' +
-        '<div class="attendee-meta-label">Order</div>' +
-        '<div class="attendee-meta-value mono">' + escapeHtml(data.order_reference) + '</div></div>';
+        '<div class="attendee-meta-label">Checked in at</div>' +
+        '<div class="attendee-meta-value">' + escapeHtml(new Date(attendee.checked_in_at).toLocaleString()) + '</div></div>';
     }
     attendeeMeta.innerHTML = metaHtml;
   }
 
-  function renderProducts(products) {
+  function renderProducts(redeemable) {
     productsList.innerHTML = "";
-    if (!products || products.length === 0) {
+    if (!redeemable || redeemable.length === 0) {
       noProducts.style.display = "block";
       return;
     }
     noProducts.style.display = "none";
 
-    products.forEach(function(p) {
-      var remaining = p.quantity - p.redeemed;
-      var isFullyRedeemed = remaining <= 0;
+    redeemable.forEach(function(p) {
+      var isRedeemed = !!p.redeemed;
       var row = document.createElement("div");
-      row.className = "product-row" + (isFullyRedeemed ? " product-row--redeemed" : "");
+      row.className = "product-row" + (isRedeemed ? " product-row--redeemed" : "");
 
       var info = document.createElement("div");
       info.className = "product-info";
       info.innerHTML = '<div class="product-name">' + escapeHtml(p.description) + '</div>' +
-        '<div class="product-counts">Qty: ' + p.quantity + ' | Redeemed: ' + p.redeemed +
-        ' | Remaining: ' + remaining + '</div>';
+        '<div class="product-counts">Qty: ' + p.quantity +
+        (isRedeemed ? ' | Redeemed' : ' | Available') + '</div>';
       row.appendChild(info);
 
-      if (!isFullyRedeemed) {
+      if (!isRedeemed) {
         var btn = document.createElement("button");
         btn.type = "button";
         btn.className = "btn-redeem";
         btn.textContent = "Redeem";
-        btn.dataset.lineItemId = p.line_item_id;
-        btn.dataset.attendeeId = p.attendee_id;
+        btn.dataset.lineItemId = p.id;
         btn.addEventListener("click", function() { redeemProduct(btn); });
         row.appendChild(btn);
       }
@@ -456,6 +457,7 @@ <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
 
   async function performScan(accessCode) {
     if (!accessCode.trim()) return;
+    var trimmed = accessCode.trim();
 
     try {
       var response = await fetch(SCAN_URL, {
@@ -465,7 +467,7 @@ <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
           "X-CSRFToken": getCsrfToken(),
         },
         body: JSON.stringify({
-          access_code: accessCode.trim(),
+          access_code: trimmed,
           station: stationInput.value.trim(),
         }),
       });
@@ -480,16 +482,23 @@ <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
         return;
       }
 
-      if (data.is_reentry) {
-        showStatus("Re-entry: " + (data.name || accessCode) + " (check-in #" + (data.checkin_count + 1) + ")", "reentry");
+      var attendee = data.attendee || {};
+      var displayName = attendee.name || trimmed;
+
+      // If the attendee was already checked in before this scan, it is a re-entry
+      if (attendee.checked_in && attendee.checked_in_at && data.checked_in_at
+          && attendee.checked_in_at !== data.checked_in_at) {
+        showStatus("Re-entry: " + displayName, "reentry");
       } else {
-        showStatus("Checked in: " + (data.name || accessCode), "success");
+        showStatus("Checked in: " + displayName, "success");
       }
       flashScreen("success");
 
-      renderAttendee(data);
-      renderProducts(data.products || []);
+      renderAttendee(attendee, data.badge || null);
       showResults();
+
+      // Fetch the full lookup data to get redeemable products
+      await refreshProducts(trimmed);
     } catch (err) {
       showStatus("Network error: " + err.message, "error");
       flashScreen("error");
@@ -509,9 +518,8 @@ <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
           "X-CSRFToken": getCsrfToken(),
         },
         body: JSON.stringify({
-          attendee_id: parseInt(btn.dataset.attendeeId, 10),
+          access_code: currentAccessCode,
           line_item_id: parseInt(btn.dataset.lineItemId, 10),
-          station: stationInput.value.trim(),
         }),
       });
 
@@ -528,9 +536,9 @@ <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
       showStatus("Redeemed: " + (data.description || "product"), "success");
       flashScreen("success");
 
-      // Re-fetch attendee to refresh product list
-      if (attendeeCode.textContent) {
-        await refreshAttendee(attendeeCode.textContent);
+      // Re-fetch to refresh the redeemable product list
+      if (currentAccessCode) {
+        await refreshAttendee(currentAccessCode);
       }
     } catch (err) {
       showStatus("Network error: " + err.message, "error");
@@ -541,13 +549,24 @@ <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
     refocusScan();
   }
 
+  async function refreshProducts(accessCode) {
+    try {
+      var response = await fetch(lookupUrl(accessCode));
+      if (!response.ok) return;
+      var data = await response.json();
+      renderProducts(data.redeemable || []);
+    } catch (err) {
+      // Silently fail on refresh; the previous data remains visible
+    }
+  }
+
   async function refreshAttendee(accessCode) {
     try {
       var response = await fetch(lookupUrl(accessCode));
       if (!response.ok) return;
       var data = await response.json();
-      renderAttendee(data);
-      renderProducts(data.products || []);
+      renderAttendee(data.attendee || {}, null);
+      renderProducts(data.redeemable || []);
     } catch (err) {
       // Silently fail on refresh; the previous data remains visible
     }
diff --git a/src/django_program/registration/checkin.py b/src/django_program/registration/checkin.py
index eeaf94a..d0c362f 100644
--- a/src/django_program/registration/checkin.py
+++ b/src/django_program/registration/checkin.py
@@ -108,12 +108,13 @@ def __str__(self) -> str:
 
 
 class ProductRedemption(models.Model):
-    """Tracks redemption of a purchased order line item to prevent double-use.
+    """Tracks redemption of a purchased order line item.
 
-    Each attendee can redeem a given order line item exactly once, enforced
-    by a unique constraint on ``(attendee, order_line_item)``. This covers
-    tutorials, meals, events, and any other purchasable product that should
-    only be consumed once.
+    Each attendee can redeem a given order line item up to its purchased
+    ``quantity`` times. The business-layer limit is enforced by
+    ``RedemptionService.redeem_product()`` with row-level locking; no
+    unique constraint exists at the DB level so that quantity > 1 items
+    can produce multiple redemption rows.
     """
 
     attendee = models.ForeignKey(
@@ -144,7 +145,6 @@ class ProductRedemption(models.Model):
 
     class Meta:
         ordering = ["-redeemed_at"]
-        unique_together = [("attendee", "order_line_item")]
 
     def __str__(self) -> str:
         return f"Redemption: {self.attendee} → {self.order_line_item}"
diff --git a/src/django_program/registration/migrations/0017_alter_productredemption_unique_together.py b/src/django_program/registration/migrations/0017_alter_productredemption_unique_together.py
new file mode 100644
index 0000000..f2ced9b
--- /dev/null
+++ b/src/django_program/registration/migrations/0017_alter_productredemption_unique_together.py
@@ -0,0 +1,16 @@
+# Generated by Django 5.2.11 on 2026-03-19 02:41
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("program_registration", "0016_checkin_doorcheck_productredemption"),
+    ]
+
+    operations = [
+        migrations.AlterUniqueTogether(
+            name="productredemption",
+            unique_together=set(),
+        ),
+    ]
diff --git a/src/django_program/registration/services/checkin.py b/src/django_program/registration/services/checkin.py
index f8e6aac..d32dfb2 100644
--- a/src/django_program/registration/services/checkin.py
+++ b/src/django_program/registration/services/checkin.py
@@ -264,32 +264,30 @@ def redeem_product(
                 (redeemed count >= quantity).
         """
         if attendee.order_id != order_line_item.order_id:
-            msg = (
-                f"Line item {order_line_item.pk} belongs to order "
-                f"{order_line_item.order_id}, not attendee's order "
-                f"{attendee.order_id}."
-            )
+            msg = "Line item does not belong to the attendee's order."
             raise ValueError(msg)
 
-        redeemed_count = ProductRedemption.objects.filter(
-            attendee=attendee,
-            order_line_item=order_line_item,
-        ).count()
-
-        if redeemed_count >= order_line_item.quantity:
-            msg = (
-                f"Line item {order_line_item.pk} "
-                f"('{order_line_item.description}') is fully redeemed "
-                f"({redeemed_count}/{order_line_item.quantity})."
+        with transaction.atomic():
+            locked_item = OrderLineItem.objects.select_for_update().get(pk=order_line_item.pk)
+
+            redeemed_count = ProductRedemption.objects.filter(
+                attendee=attendee,
+                order_line_item=locked_item,
+            ).count()
+
+            if redeemed_count >= locked_item.quantity:
+                msg = (
+                    f"Product '{locked_item.description}' is fully redeemed ({redeemed_count}/{locked_item.quantity})."
+                )
+                raise ValueError(msg)
+
+            redemption = ProductRedemption.objects.create(
+                attendee=attendee,
+                order_line_item=locked_item,
+                conference=attendee.conference,
+                redeemed_by=redeemed_by,
             )
-            raise ValueError(msg)
 
-        redemption = ProductRedemption.objects.create(
-            attendee=attendee,
-            order_line_item=order_line_item,
-            conference=attendee.conference,
-            redeemed_by=redeemed_by,
-        )
         logger.info(
             "Redeemed line item %s ('%s') for attendee %s",
             order_line_item.pk,
diff --git a/src/django_program/registration/views_checkin.py b/src/django_program/registration/views_checkin.py
index 59ef390..106a33a 100644
--- a/src/django_program/registration/views_checkin.py
+++ b/src/django_program/registration/views_checkin.py
@@ -2,9 +2,8 @@
 
 These views power the scanner UI used by registration desk volunteers.
 All endpoints require staff or superuser authentication and are scoped
-to a conference via the ``conference_slug`` URL kwarg. POST endpoints
-are CSRF-exempt since the scanner frontend uses ``fetch()`` with JSON
-payloads.
+to a conference via the ``conference_slug`` URL kwarg. The scanner UI
+is responsible for including the CSRF token in POST requests.
 """
 
 import json
@@ -14,9 +13,7 @@
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.shortcuts import get_object_or_404
 from django.utils import timezone
-from django.utils.decorators import method_decorator
 from django.views import View
-from django.views.decorators.csrf import csrf_exempt
 
 from django_program.conference.models import Conference
 from django_program.registration.attendee import Attendee
@@ -110,7 +107,6 @@ def _parse_json_body(request: HttpRequest) -> dict[str, object] | None:
         return None
 
 
-@method_decorator(csrf_exempt, name="dispatch")
 class ScanView(StaffRequiredMixin, View):
     """Scan an attendee's access code and perform check-in.
 
@@ -225,7 +221,6 @@ def get(self, request: HttpRequest, access_code: str, **kwargs: str) -> JsonResp
         )
 
 
-@method_decorator(csrf_exempt, name="dispatch")
 class RedeemView(StaffRequiredMixin, View):
     """Redeem a purchased product (order line item) for an attendee.
 
@@ -248,10 +243,14 @@ def post(self, request: HttpRequest, **kwargs: str) -> JsonResponse:  # noqa: AR
             return JsonResponse({"error": "Invalid JSON body"}, status=400)
 
         access_code = str(body.get("access_code", "")).strip()
-        line_item_id = body.get("line_item_id")
+        raw_line_item_id = body.get("line_item_id")
 
-        if not access_code or line_item_id is None:
-            return JsonResponse({"error": "access_code and line_item_id are required"}, status=400)
+        try:
+            line_item_id = int(raw_line_item_id)  # type: ignore[arg-type]
+            if not access_code:
+                raise ValueError  # noqa: TRY301
+        except TypeError, ValueError:
+            return JsonResponse({"error": "access_code and a valid integer line_item_id are required"}, status=400)
 
         try:
             attendee = CheckInService.lookup_attendee(conference=self.conference, access_code=access_code)
@@ -282,9 +281,9 @@ def _do_redeem(self, attendee: Attendee, line_item: OrderLineItem, request: Http
                 order_line_item=line_item,
                 redeemed_by=request.user,
             )
-        except ValueError as exc:
+        except ValueError:
             return JsonResponse(
-                {"error": str(exc), "line_item_id": line_item.pk},
+                {"error": "Product already fully redeemed", "line_item_id": line_item.pk},
                 status=409,
             )
 
diff --git a/tests/test_registration/test_checkin.py b/tests/test_registration/test_checkin.py
index b1061e1..00c4e8a 100644
--- a/tests/test_registration/test_checkin.py
+++ b/tests/test_registration/test_checkin.py
@@ -7,7 +7,6 @@
 
 import pytest
 from django.contrib.auth import get_user_model
-from django.db import IntegrityError
 from django.test import Client
 from django.urls import reverse
 
@@ -229,25 +228,30 @@ def test_redemption_str(self) -> None:
         result = str(redemption)
         assert "Redemption:" in result
 
-    def test_unique_together_prevents_duplicate(self) -> None:
+    def test_allows_multiple_redemptions_up_to_quantity(self) -> None:
+        """Multiple redemptions of the same line item are allowed (no DB constraint)."""
         conf = _make_conference()
         user = _make_user()
         order = _make_order(conference=conf, user=user)
-        attendee = _make_attendee(conference=conf, user=user, order=order)
-        line_item = _make_line_item(order=order, description="Tutorial")
-
+        attendee = Attendee.objects.create(user=user, conference=conf, order=order)
+        line_item = OrderLineItem.objects.create(
+            order=order,
+            description="Workshop",
+            quantity=2,
+            unit_price=Decimal("50.00"),
+            line_total=Decimal("100.00"),
+        )
         ProductRedemption.objects.create(
             attendee=attendee,
             order_line_item=line_item,
             conference=conf,
         )
-
-        with pytest.raises(IntegrityError):
-            ProductRedemption.objects.create(
-                attendee=attendee,
-                order_line_item=line_item,
-                conference=conf,
-            )
+        ProductRedemption.objects.create(
+            attendee=attendee,
+            order_line_item=line_item,
+            conference=conf,
+        )
+        assert ProductRedemption.objects.filter(attendee=attendee, order_line_item=line_item).count() == 2
 
 
 # -- Service Tests: CheckInService --------------------------------------------
@@ -515,7 +519,7 @@ def test_redeem_raises_for_wrong_order(self) -> None:
         attendee = _make_attendee(conference=conf, user=user1, order=order1)
         other_line_item = _make_line_item(order=order2, description="Other Order Item")
 
-        with pytest.raises(ValueError, match="not attendee's order"):
+        with pytest.raises(ValueError, match="does not belong"):
             RedemptionService.redeem_product(
                 attendee=attendee,
                 order_line_item=other_line_item,
@@ -702,7 +706,7 @@ def test_returns_409_for_already_redeemed(self) -> None:
         )
 
         assert response.status_code == 409
-        assert "fully redeemed" in response.json()["error"]
+        assert response.json()["error"] == "Product already fully redeemed"
 
 
 @pytest.mark.integration

From ed99d1178eff2aea490724bdd5b42a247f949b95 Mon Sep 17 00:00:00 2001
From: Jacob Coffee <jacob@z7x.org>
Date: Wed, 18 Mar 2026 22:06:13 -0500
Subject: [PATCH 4/6] =?UTF-8?q?fix:=20address=20Codex=20review=20=E2=80=94?=
 =?UTF-8?q?=20permissions,=20order=20status,=20multi-qty=20redemption?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Align API permission check with ManagePermissionMixin (require
  change_conference perm, not just is_staff)
- Add order status validation on scan/redeem (reject refunded/cancelled),
  include PARTIALLY_REFUNDED in preload export
- Return redeemed_count/remaining instead of boolean for multi-quantity
  redemption tracking
- Filter redeemable products to add-ons only (tickets use check-in)
- Add has_delete_permission=False to CheckIn/DoorCheck admin
- Add conference validation to record_door_check()
- Fix scanner UI: session-based re-entry detection, multi-qty display,
  error banner persistence, redemption toast key, order status warning

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../manage/checkin_scanner.html               | 62 ++++++++++++++-----
 src/django_program/registration/admin.py      |  6 ++
 .../registration/services/checkin.py          | 25 +++++++-
 .../registration/views_checkin.py             | 50 ++++++++++++---
 tests/test_registration/test_checkin.py       |  8 ++-
 5 files changed, 124 insertions(+), 27 deletions(-)

diff --git a/src/django_program/manage/templates/django_program/manage/checkin_scanner.html b/src/django_program/manage/templates/django_program/manage/checkin_scanner.html
index 02b0127..084e081 100644
--- a/src/django_program/manage/templates/django_program/manage/checkin_scanner.html
+++ b/src/django_program/manage/templates/django_program/manage/checkin_scanner.html
@@ -184,8 +184,8 @@
     margin-top: 0.1rem;
   }
 
-  .product-row--redeemed .product-name,
-  .product-row--redeemed .product-counts {
+  .product-row--fully-redeemed .product-name,
+  .product-row--fully-redeemed .product-counts {
     opacity: 0.45;
     text-decoration: line-through;
   }
@@ -214,6 +214,17 @@
     color: var(--color-text-muted);
   }
 
+  .order-status-warning {
+    padding: 0.6rem 1rem;
+    margin-bottom: 1rem;
+    border-radius: var(--radius-sm);
+    background: var(--color-warning-bg);
+    color: var(--color-warning);
+    border: 1px solid var(--color-warning-border);
+    font-size: 0.88rem;
+    font-weight: 600;
+  }
+
   .idle-message {
     text-align: center;
     padding: 3rem 1rem;
@@ -287,6 +298,7 @@ <h1>Check-in Scanner</h1>
 
   <div class="attendee-panel card card--static" id="attendeePanel">
     <div class="card-body">
+      <div class="order-status-warning" id="orderStatusWarning" style="display:none;"></div>
       <div class="attendee-header">
         <div>
           <div class="attendee-name" id="attendeeName"></div>
@@ -386,7 +398,21 @@ <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
   // Track the current attendee's access code for redemption requests
   var currentAccessCode = "";
 
-  function renderAttendee(attendee, badge) {
+  // Track scanned codes this session for re-entry detection
+  var scannedCodes = new Set();
+
+  var orderStatusWarning = document.getElementById("orderStatusWarning");
+
+  function renderOrderStatus(orderStatus) {
+    if (orderStatus && orderStatus !== "paid") {
+      orderStatusWarning.textContent = "Order status: " + orderStatus.charAt(0).toUpperCase() + orderStatus.slice(1);
+      orderStatusWarning.style.display = "block";
+    } else {
+      orderStatusWarning.style.display = "none";
+    }
+  }
+
+  function renderAttendee(attendee, badge, orderStatus) {
     attendeeName.textContent = attendee.name || "Unknown";
     attendeeEmail.textContent = attendee.email || "";
     attendeeCode.textContent = attendee.access_code || "";
@@ -413,6 +439,7 @@ <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
         '<div class="attendee-meta-value">' + escapeHtml(new Date(attendee.checked_in_at).toLocaleString()) + '</div></div>';
     }
     attendeeMeta.innerHTML = metaHtml;
+    renderOrderStatus(orderStatus);
   }
 
   function renderProducts(redeemable) {
@@ -424,18 +451,21 @@ <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
     noProducts.style.display = "none";
 
     redeemable.forEach(function(p) {
-      var isRedeemed = !!p.redeemed;
+      var redeemedCount = p.redeemed_count || 0;
+      var remaining = (p.remaining != null) ? p.remaining : (p.quantity - redeemedCount);
+      var fullyRedeemed = remaining <= 0;
+
       var row = document.createElement("div");
-      row.className = "product-row" + (isRedeemed ? " product-row--redeemed" : "");
+      row.className = "product-row" + (fullyRedeemed ? " product-row--fully-redeemed" : "");
 
       var info = document.createElement("div");
       info.className = "product-info";
       info.innerHTML = '<div class="product-name">' + escapeHtml(p.description) + '</div>' +
-        '<div class="product-counts">Qty: ' + p.quantity +
-        (isRedeemed ? ' | Redeemed' : ' | Available') + '</div>';
+        '<div class="product-counts">Redeemed ' + redeemedCount + '/' + p.quantity +
+        (remaining > 0 ? ' | ' + remaining + ' remaining' : ' | Fully redeemed') + '</div>';
       row.appendChild(info);
 
-      if (!isRedeemed) {
+      if (remaining > 0) {
         var btn = document.createElement("button");
         btn.type = "button";
         btn.className = "btn-redeem";
@@ -477,7 +507,6 @@ <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
       if (!response.ok) {
         showStatus(data.error || "Scan failed", "error");
         flashScreen("error");
-        hideResults();
         refocusScan();
         return;
       }
@@ -485,16 +514,18 @@ <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
       var attendee = data.attendee || {};
       var displayName = attendee.name || trimmed;
 
-      // If the attendee was already checked in before this scan, it is a re-entry
-      if (attendee.checked_in && attendee.checked_in_at && data.checked_in_at
-          && attendee.checked_in_at !== data.checked_in_at) {
+      // Detect re-entry: same code scanned again in this session
+      var isReentry = scannedCodes.has(trimmed);
+      scannedCodes.add(trimmed);
+
+      if (isReentry) {
         showStatus("Re-entry: " + displayName, "reentry");
       } else {
         showStatus("Checked in: " + displayName, "success");
       }
       flashScreen("success");
 
-      renderAttendee(attendee, data.badge || null);
+      renderAttendee(attendee, data.badge || null, data.order_status);
       showResults();
 
       // Fetch the full lookup data to get redeemable products
@@ -533,7 +564,8 @@ <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
         return;
       }
 
-      showStatus("Redeemed: " + (data.description || "product"), "success");
+      var redeemDesc = (data.line_item && data.line_item.description) || data.description || "product";
+      showStatus("Redeemed: " + redeemDesc, "success");
       flashScreen("success");
 
       // Re-fetch to refresh the redeemable product list
@@ -565,7 +597,7 @@ <h3 class="section-heading" style="margin-top: 0;">Redeemable Products</h3>
       var response = await fetch(lookupUrl(accessCode));
       if (!response.ok) return;
       var data = await response.json();
-      renderAttendee(data.attendee || {}, null);
+      renderAttendee(data.attendee || {}, null, data.order_status);
       renderProducts(data.redeemable || []);
     } catch (err) {
       // Silently fail on refresh; the previous data remains visible
diff --git a/src/django_program/registration/admin.py b/src/django_program/registration/admin.py
index 0531259..f0bb1de 100644
--- a/src/django_program/registration/admin.py
+++ b/src/django_program/registration/admin.py
@@ -357,6 +357,9 @@ def has_add_permission(self, request: HttpRequest) -> bool:  # noqa: ARG002, D10
     def has_change_permission(self, request: HttpRequest, obj: CheckIn | None = None) -> bool:  # noqa: ARG002, D102
         return False
 
+    def has_delete_permission(self, request: HttpRequest, obj: CheckIn | None = None) -> bool:  # noqa: ARG002, D102
+        return False
+
 
 @admin.register(DoorCheck)
 class DoorCheckAdmin(admin.ModelAdmin):
@@ -381,6 +384,9 @@ def has_add_permission(self, request: HttpRequest) -> bool:  # noqa: ARG002, D10
     def has_change_permission(self, request: HttpRequest, obj: DoorCheck | None = None) -> bool:  # noqa: ARG002, D102
         return False
 
+    def has_delete_permission(self, request: HttpRequest, obj: DoorCheck | None = None) -> bool:  # noqa: ARG002, D102
+        return False
+
 
 @admin.register(ProductRedemption)
 class ProductRedemptionAdmin(admin.ModelAdmin):
diff --git a/src/django_program/registration/services/checkin.py b/src/django_program/registration/services/checkin.py
index d32dfb2..7bde949 100644
--- a/src/django_program/registration/services/checkin.py
+++ b/src/django_program/registration/services/checkin.py
@@ -14,7 +14,7 @@
 
 from django_program.registration.attendee import Attendee
 from django_program.registration.checkin import CheckIn, DoorCheck, ProductRedemption
-from django_program.registration.models import AddOn, OrderLineItem, TicketType
+from django_program.registration.models import AddOn, Order, OrderLineItem, TicketType
 
 if TYPE_CHECKING:
     from django.contrib.auth.models import AbstractUser
@@ -27,6 +27,20 @@
 class CheckInService:
     """Service for attendee check-in operations at the conference venue."""
 
+    ACTIVE_ORDER_STATUSES = {Order.Status.PAID, Order.Status.PARTIALLY_REFUNDED}
+
+    @staticmethod
+    def validate_order_status(attendee: Attendee) -> str | None:
+        """Check if the attendee has a valid order for check-in.
+
+        Returns None if valid, or an error message string if not.
+        """
+        if attendee.order is None:
+            return "Attendee has no associated order."
+        if attendee.order.status not in CheckInService.ACTIVE_ORDER_STATUSES:
+            return f"Order status is '{attendee.order.get_status_display()}' — check-in not allowed."
+        return None
+
     @staticmethod
     def lookup_attendee(*, conference: Conference, access_code: str) -> Attendee:
         """Look up an attendee by access code within a conference.
@@ -164,6 +178,13 @@ def record_door_check(
             msg = "Exactly one of ticket_type or addon must be provided."
             raise ValueError(msg)
 
+        if ticket_type is not None and ticket_type.conference_id != attendee.conference_id:
+            msg = "Ticket type does not belong to the attendee's conference."
+            raise ValueError(msg)
+        if addon is not None and addon.conference_id != attendee.conference_id:
+            msg = "Add-on does not belong to the attendee's conference."
+            raise ValueError(msg)
+
         door_check = DoorCheck.objects.create(
             attendee=attendee,
             conference=attendee.conference,
@@ -209,7 +230,7 @@ def get_redeemable_products(attendee: Attendee) -> list[dict[str, object]]:
             return []
 
         line_items = (
-            OrderLineItem.objects.filter(order=attendee.order)
+            OrderLineItem.objects.filter(order=attendee.order, addon__isnull=False)
             .annotate(
                 redeemed_count=Count(
                     "redemptions",
diff --git a/src/django_program/registration/views_checkin.py b/src/django_program/registration/views_checkin.py
index 106a33a..741466f 100644
--- a/src/django_program/registration/views_checkin.py
+++ b/src/django_program/registration/views_checkin.py
@@ -9,7 +9,7 @@
 import json
 import logging
 
-from django.db.models import Prefetch
+from django.db.models import Count, Prefetch
 from django.http import HttpRequest, HttpResponse, JsonResponse
 from django.shortcuts import get_object_or_404
 from django.utils import timezone
@@ -46,7 +46,7 @@ def dispatch(self, request: HttpRequest, *args: str, **kwargs: str) -> HttpRespo
         """
         if not request.user.is_authenticated:
             return JsonResponse({"error": "Authentication required"}, status=401)
-        if not (request.user.is_staff or request.user.is_superuser):
+        if not (request.user.is_superuser or request.user.has_perm("program_conference.change_conference")):
             return JsonResponse({"error": "Staff access required"}, status=403)
         self.conference = get_object_or_404(Conference, slug=kwargs.get("conference_slug"))
         return super().dispatch(request, *args, **kwargs)  # type: ignore[misc]
@@ -143,6 +143,17 @@ def post(self, request: HttpRequest, **kwargs: str) -> JsonResponse:  # noqa: AR
                 status=404,
             )
 
+        status_error = CheckInService.validate_order_status(attendee)
+        if status_error is not None:
+            return JsonResponse(
+                {
+                    "error": status_error,
+                    "access_code": access_code,
+                    "order_status": str(attendee.order.status) if attendee.order else None,
+                },
+                status=409,
+            )
+
         checkin = CheckInService.check_in(
             attendee=attendee,
             checked_in_by=request.user,
@@ -204,9 +215,18 @@ def get(self, request: HttpRequest, access_code: str, **kwargs: str) -> JsonResp
             line_items = list(order.line_items.select_related("ticket_type", "addon").all())
             products = [_serialize_line_item(item) for item in line_items]
 
-            redeemed_item_ids = set(attendee.redemptions.values_list("order_line_item_id", flat=True))
+            redeemed_counts: dict[int, int] = {}
+            for r in attendee.redemptions.values("order_line_item_id").annotate(count=Count("id")):
+                redeemed_counts[r["order_line_item_id"]] = r["count"]
+
             redeemable = [
-                {**_serialize_line_item(item), "redeemed": item.pk in redeemed_item_ids} for item in line_items
+                {
+                    **_serialize_line_item(item),
+                    "redeemed_count": redeemed_counts.get(item.pk, 0),
+                    "remaining": item.quantity - redeemed_counts.get(item.pk, 0),
+                }
+                for item in line_items
+                if item.addon_id is not None
             ]
 
         return JsonResponse(
@@ -217,6 +237,7 @@ def get(self, request: HttpRequest, access_code: str, **kwargs: str) -> JsonResp
                 },
                 "products": products,
                 "redeemable": redeemable,
+                "order_status": str(attendee.order.status) if attendee.order else None,
             }
         )
 
@@ -260,8 +281,16 @@ def post(self, request: HttpRequest, **kwargs: str) -> JsonResponse:  # noqa: AR
                 status=404,
             )
 
-        if attendee.order is None:
-            return JsonResponse({"error": "Attendee has no associated order"}, status=400)
+        status_error = CheckInService.validate_order_status(attendee)
+        if status_error is not None:
+            return JsonResponse(
+                {
+                    "error": status_error,
+                    "access_code": access_code,
+                    "order_status": str(attendee.order.status) if attendee.order else None,
+                },
+                status=409,
+            )
 
         try:
             line_item = attendee.order.line_items.get(pk=line_item_id)
@@ -320,7 +349,7 @@ def get(self, request: HttpRequest, **kwargs: str) -> JsonResponse:  # noqa: ARG
             Attendee.objects.filter(
                 conference=self.conference,
                 order__isnull=False,
-                order__status=Order.Status.PAID,
+                order__status__in=[Order.Status.PAID, Order.Status.PARTIALLY_REFUNDED],
             )
             .select_related("user", "order")
             .prefetch_related(
@@ -357,10 +386,13 @@ def _serialize_preload_attendee(attendee: Attendee) -> dict[str, object]:
         ticket_type_name = ""
 
         if order is not None:
-            redeemed_item_ids = set(attendee.redemptions.values_list("order_line_item_id", flat=True))
+            redeemed_counts: dict[int, int] = {}
+            for r in attendee.redemptions.values("order_line_item_id").annotate(count=Count("id")):
+                redeemed_counts[r["order_line_item_id"]] = r["count"]
             for item in order.line_items.all():
                 product_data = _serialize_line_item(item)
-                product_data["redeemed"] = item.pk in redeemed_item_ids
+                product_data["redeemed_count"] = redeemed_counts.get(item.pk, 0)
+                product_data["remaining"] = item.quantity - redeemed_counts.get(item.pk, 0)
                 products.append(product_data)
 
                 if item.ticket_type and not ticket_type_name:
diff --git a/tests/test_registration/test_checkin.py b/tests/test_registration/test_checkin.py
index 00c4e8a..571f327 100644
--- a/tests/test_registration/test_checkin.py
+++ b/tests/test_registration/test_checkin.py
@@ -45,6 +45,9 @@ def _make_user(**kwargs: object) -> object:
 
 
 def _make_staff_user(**kwargs: object) -> object:
+    """Create a staff user with the change_conference permission required by check-in API."""
+    from django.contrib.auth.models import Permission
+
     defaults: dict[str, object] = {
         "username": f"staff-{uuid4().hex[:8]}",
         "email": f"{uuid4().hex[:8]}@test.com",
@@ -52,7 +55,10 @@ def _make_staff_user(**kwargs: object) -> object:
         "password": "testpass123",
     }
     defaults.update(kwargs)
-    return User.objects.create_user(**defaults)
+    user = User.objects.create_user(**defaults)
+    perm = Permission.objects.get(content_type__app_label="program_conference", codename="change_conference")
+    user.user_permissions.add(perm)
+    return user
 
 
 def _make_order(*, conference: Conference, user: object, status: str = Order.Status.PAID) -> Order:

From 6c69e95c05eaa8a5bad61952c625895552e3cef9 Mon Sep 17 00:00:00 2001
From: Jacob Coffee <jacob@z7x.org>
Date: Wed, 18 Mar 2026 22:15:17 -0500
Subject: [PATCH 5/6] fix: N+1 preload query, add manage dashboard/scanner view
 tests

- Use prefetched redemptions in Python instead of per-attendee annotated
  queries in OfflinePreloadView
- Add 6 tests for manage:checkin-dashboard and manage:checkin-scanner
  (permission checks, 200 responses, context stats)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../registration/views_checkin.py             |  5 +-
 tests/test_registration/test_checkin.py       | 67 +++++++++++++++++++
 2 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/src/django_program/registration/views_checkin.py b/src/django_program/registration/views_checkin.py
index 741466f..86b5a8f 100644
--- a/src/django_program/registration/views_checkin.py
+++ b/src/django_program/registration/views_checkin.py
@@ -386,9 +386,10 @@ def _serialize_preload_attendee(attendee: Attendee) -> dict[str, object]:
         ticket_type_name = ""
 
         if order is not None:
+            # Use prefetched redemptions to avoid N+1 queries
             redeemed_counts: dict[int, int] = {}
-            for r in attendee.redemptions.values("order_line_item_id").annotate(count=Count("id")):
-                redeemed_counts[r["order_line_item_id"]] = r["count"]
+            for redemption in attendee.redemptions.all():
+                redeemed_counts[redemption.order_line_item_id] = redeemed_counts.get(redemption.order_line_item_id, 0) + 1
             for item in order.line_items.all():
                 product_data = _serialize_line_item(item)
                 product_data["redeemed_count"] = redeemed_counts.get(item.pk, 0)
diff --git a/tests/test_registration/test_checkin.py b/tests/test_registration/test_checkin.py
index 571f327..e35e1fc 100644
--- a/tests/test_registration/test_checkin.py
+++ b/tests/test_registration/test_checkin.py
@@ -766,3 +766,70 @@ def test_filters_by_ticket_type(self) -> None:
         data = response.json()
         assert data["count"] == 1
         assert data["attendees"][0]["ticket_type"] == "VIP"
+
+
+# -- Manage Dashboard/Scanner View Tests -------------------------------------
+
+
+@pytest.mark.integration
+class TestCheckInDashboardView:
+    """Tests for the manage check-in dashboard."""
+
+    def _url(self, conference: Conference) -> str:
+        return reverse("manage:checkin-dashboard", args=[conference.slug])
+
+    def test_anonymous_redirected(self) -> None:
+        conf = _make_conference()
+        client = Client()
+        response = client.get(self._url(conf))
+        assert response.status_code == 302
+
+    def test_non_permitted_user_denied(self) -> None:
+        conf = _make_conference()
+        user = _make_user(password="testpass123")
+        client = Client()
+        client.force_login(user)
+        response = client.get(self._url(conf))
+        assert response.status_code == 403
+
+    def test_staff_with_permission_gets_200(self) -> None:
+        conf = _make_conference()
+        staff = _make_staff_user()
+        client = Client()
+        client.force_login(staff)
+        response = client.get(self._url(conf))
+        assert response.status_code == 200
+
+    def test_context_contains_stats(self) -> None:
+        conf = _make_conference()
+        user = _make_user()
+        Attendee.objects.create(user=user, conference=conf)
+        staff = _make_staff_user()
+        client = Client()
+        client.force_login(staff)
+        response = client.get(self._url(conf))
+        assert response.context["total_attendees"] == 1
+        assert response.context["checked_in_count"] == 0
+        assert response.context["check_in_rate"] == 0
+
+
+@pytest.mark.integration
+class TestCheckInScannerView:
+    """Tests for the manage scanner page."""
+
+    def _url(self, conference: Conference) -> str:
+        return reverse("manage:checkin-scanner", args=[conference.slug])
+
+    def test_anonymous_redirected(self) -> None:
+        conf = _make_conference()
+        client = Client()
+        response = client.get(self._url(conf))
+        assert response.status_code == 302
+
+    def test_staff_with_permission_gets_200(self) -> None:
+        conf = _make_conference()
+        staff = _make_staff_user()
+        client = Client()
+        client.force_login(staff)
+        response = client.get(self._url(conf))
+        assert response.status_code == 200

From 12fd4507ba0464c2b39f4bb67894bcac12dcc9d5 Mon Sep 17 00:00:00 2001
From: Jacob Coffee <jacob@z7x.org>
Date: Wed, 18 Mar 2026 22:17:15 -0500
Subject: [PATCH 6/6] fix: use prefetched data, add order_status to scan
 response, normalize except syntax

- Use prefetched line items from lookup_attendee() instead of redundant
  select_related() queries in ScanView and LookupView
- Include order_status in scan success response for UI warning display
- Use _get_ticket_type_name() with prefetched iteration instead of filter query
- Normalize except syntax to tuple form for tooling compatibility

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../registration/views_checkin.py               | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/src/django_program/registration/views_checkin.py b/src/django_program/registration/views_checkin.py
index 86b5a8f..381d7e7 100644
--- a/src/django_program/registration/views_checkin.py
+++ b/src/django_program/registration/views_checkin.py
@@ -90,12 +90,12 @@ def _serialize_line_item(item: OrderLineItem) -> dict[str, object]:
 
 
 def _get_ticket_type_name(order: Order | None) -> str:
-    """Extract the ticket type name from an order's line items."""
+    """Extract the ticket type name from an order's prefetched line items."""
     if order is None:
         return ""
-    ticket_item = order.line_items.filter(ticket_type__isnull=False).select_related("ticket_type").first()
-    if ticket_item and ticket_item.ticket_type:
-        return str(ticket_item.ticket_type.name)
+    for item in order.line_items.all():
+        if item.ticket_type is not None:
+            return str(item.ticket_type.name)
     return ""
 
 
@@ -103,7 +103,7 @@ def _parse_json_body(request: HttpRequest) -> dict[str, object] | None:
     """Parse JSON from request body, returning None on failure."""
     try:
         return json.loads(request.body)  # type: ignore[no-any-return]
-    except json.JSONDecodeError, ValueError:
+    except (json.JSONDecodeError, ValueError):
         return None
 
 
@@ -163,9 +163,7 @@ def post(self, request: HttpRequest, **kwargs: str) -> JsonResponse:  # noqa: AR
         order = attendee.order
         products = []
         if order is not None:
-            products = [
-                _serialize_line_item(item) for item in order.line_items.select_related("ticket_type", "addon").all()
-            ]
+            products = [_serialize_line_item(item) for item in order.line_items.all()]
 
         return JsonResponse(
             {
@@ -176,6 +174,7 @@ def post(self, request: HttpRequest, **kwargs: str) -> JsonResponse:  # noqa: AR
                     "ticket_type": _get_ticket_type_name(order),
                 },
                 "products": products,
+                "order_status": str(order.status) if order else None,
                 "checkin_id": checkin.pk,
                 "checked_in_at": checkin.checked_in_at.isoformat(),
             }
@@ -212,7 +211,7 @@ def get(self, request: HttpRequest, access_code: str, **kwargs: str) -> JsonResp
         products: list[dict[str, object]] = []
         redeemable: list[dict[str, object]] = []
         if order is not None:
-            line_items = list(order.line_items.select_related("ticket_type", "addon").all())
+            line_items = list(order.line_items.all())
             products = [_serialize_line_item(item) for item in line_items]
 
             redeemed_counts: dict[int, int] = {}