From 28e2fc40773f33a7c24b676bc8b8decbec651576 Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 04:56:40 +0300
Subject: [PATCH 01/60] Add files via upload

---
 captain-definition | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 captain-definition

diff --git a/captain-definition b/captain-definition
new file mode 100644
index 0000000..debfa9b
--- /dev/null
+++ b/captain-definition
@@ -0,0 +1,4 @@
+{
+  "schemaVersion": 2,
+  "dockerfilePath": "./Dockerfile"
+}
\ No newline at end of file

From e5f106239df185232b792b1bd25a8f0d0ad642e2 Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 02:29:30 +0000
Subject: [PATCH 02/60] feat: redesign admin settings UI with categorized
 visual layout

Replace the generic key/value table with a structured form: settings are
grouped by category (general, auth, ads, webhook, notifications, FCM),
each with Hebrew labels and descriptions. Booleans are toggles, regex
rules have separate pattern/replace fields, and a paste-JSON helper
auto-fills FCM service account fields. A collapsible "advanced" section
preserves manual key/value entry for unknown settings.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../admin/settings/settings.component.html    | 216 ++++++++++--
 .../admin/settings/settings.component.scss    | 191 +++++++++++
 .../admin/settings/settings.component.ts      | 207 +++++++++++-
 .../admin/settings/settings.schema.ts         | 308 ++++++++++++++++++
 4 files changed, 881 insertions(+), 41 deletions(-)
 create mode 100644 frontend/src/app/components/admin/settings/settings.schema.ts

diff --git a/frontend/src/app/components/admin/settings/settings.component.html b/frontend/src/app/components/admin/settings/settings.component.html
index 80f3eea..0f0817a 100644
--- a/frontend/src/app/components/admin/settings/settings.component.html
+++ b/frontend/src/app/components/admin/settings/settings.component.html
@@ -1,31 +1,193 @@
-<nb-card>
-  <nb-card-header>
-    הגדרות ערוץ
-  </nb-card-header>
-
-  <nb-card-body>
-    @for (setting of settings; track setting; let i = $index) {
-      <div class="d-flex gap-2 mb-2">
-        <input nbInput fieldSize="small" type="text" [(ngModel)]="setting.key" placeholder="הגדרה">
-        <input nbInput fullWidth fieldSize="small" type="text" [(ngModel)]="setting.value" placeholder="ערך">
-        <button nbButton status="danger" size="small" (click)="removeSetting(i)">
-          <nb-icon icon="close"></nb-icon>
-          מחק
-        </button>
-      </div>
-    }
-    <div>
-      <button nbButton size="small" status="primary" (click)="settings.push({ key: '', value: '' })">
-        <nb-icon icon="plus"></nb-icon>
-        הוסף הגדרה
+<div class="settings-page">
+
+  @for (cat of schema; track cat.id) {
+    <nb-card class="settings-card">
+      <nb-card-header class="settings-card-header">
+        @if (cat.icon) {
+          <nb-icon [icon]="cat.icon"></nb-icon>
+        }
+        <span>{{ cat.title }}</span>
+      </nb-card-header>
+
+      <nb-card-body>
+        @if (cat.description) {
+          <p class="category-description">{{ cat.description }}</p>
+        }
+
+        @if (cat.id === 'fcm_json') {
+          <div class="fcm-json-paste">
+            <label class="field-label">הדבקת קובץ JSON של חשבון שירות (Service Account)</label>
+            <p class="field-description">
+              ניתן להעתיק את כל תוכן קובץ ה-JSON שהורד מ-Firebase ולהדביק כאן - השדות שלמטה ימולאו אוטומטית.
+            </p>
+            <textarea
+              nbInput
+              fullWidth
+              rows="4"
+              [(ngModel)]="fcmJsonPaste"
+              placeholder='{ "type": "service_account", ... }'>
+            </textarea>
+            @if (fcmJsonError) {
+              <div class="error-text">{{ fcmJsonError }}</div>
+            }
+            <button nbButton size="small" status="primary" class="mt-2" (click)="applyFcmJsonPaste()">
+              <nb-icon icon="flash-outline"></nb-icon>
+              מילוי אוטומטי מה-JSON
+            </button>
+          </div>
+          <hr />
+        }
+
+        @for (field of cat.fields; track field.key) {
+          @if (isFieldVisible(field)) {
+            <div class="setting-field" [class.is-toggle]="field.type === 'boolean'">
+
+              @if (field.type === 'boolean') {
+                <div class="toggle-row">
+                  <nb-toggle [(checked)]="values[field.key]">
+                    <span class="field-label">{{ field.label }}</span>
+                  </nb-toggle>
+                </div>
+                @if (field.description) {
+                  <p class="field-description toggle-description">{{ field.description }}</p>
+                }
+              } @else {
+                <label class="field-label" [attr.for]="'f-' + field.key">{{ field.label }}</label>
+                @if (field.description) {
+                  <p class="field-description">{{ field.description }}</p>
+                }
+
+                @switch (field.type) {
+                  @case ('textarea') {
+                    <textarea
+                      nbInput
+                      fullWidth
+                      rows="3"
+                      [id]="'f-' + field.key"
+                      [(ngModel)]="values[field.key]"
+                      [placeholder]="field.placeholder || ''">
+                    </textarea>
+                  }
+                  @case ('number') {
+                    <input
+                      nbInput
+                      fullWidth
+                      type="number"
+                      [id]="'f-' + field.key"
+                      [(ngModel)]="values[field.key]"
+                      [placeholder]="field.placeholder || ''">
+                  }
+                  @case ('password') {
+                    <input
+                      nbInput
+                      fullWidth
+                      type="password"
+                      autocomplete="new-password"
+                      [id]="'f-' + field.key"
+                      [(ngModel)]="values[field.key]"
+                      [placeholder]="field.placeholder || ''">
+                  }
+                  @default {
+                    <input
+                      nbInput
+                      fullWidth
+                      type="text"
+                      [id]="'f-' + field.key"
+                      [(ngModel)]="values[field.key]"
+                      [placeholder]="field.placeholder || ''">
+                  }
+                }
+              }
+            </div>
+          }
+        }
+      </nb-card-body>
+    </nb-card>
+  }
+
+  <nb-card class="settings-card">
+    <nb-card-header class="settings-card-header">
+      <nb-icon icon="swap-outline"></nb-icon>
+      <span>החלפות טקסט אוטומטיות</span>
+    </nb-card-header>
+    <nb-card-body>
+      <p class="category-description">
+        ניתן להגדיר ביטויים רגולריים (Regex) שיוחלפו אוטומטית בעת פרסום הודעות חדשות.
+        בשדה "תבנית" יש להזין את הביטוי הרגולרי, ובשדה "החלפה" את הטקסט החלופי.
+        לדוגמא: תבנית <code>(.*?\!)(.*)</code> והחלפה <code>**$1**$2</code> תדגיש כותרות הודעה.
+      </p>
+
+      @if (regexRules.length === 0) {
+        <p class="empty-state">לא הוגדרו כללי החלפה.</p>
+      }
+
+      @for (rule of regexRules; track $index; let i = $index) {
+        <div class="regex-row">
+          <div class="regex-fields">
+            <div class="regex-field">
+              <label class="field-label small">תבנית (Regex)</label>
+              <input nbInput fullWidth fieldSize="small" type="text"
+                [(ngModel)]="rule.pattern"
+                placeholder="(.*?\!)(.*)">
+            </div>
+            <div class="regex-field">
+              <label class="field-label small">החלפה</label>
+              <input nbInput fullWidth fieldSize="small" type="text"
+                [(ngModel)]="rule.replace"
+                placeholder="**$1**$2">
+            </div>
+          </div>
+          <button nbButton status="danger" size="small" ghost (click)="removeRegexRule(i)" nbTooltip="הסר כלל">
+            <nb-icon icon="trash-2-outline"></nb-icon>
+          </button>
+        </div>
+      }
+
+      <button nbButton size="small" status="primary" (click)="addRegexRule()">
+        <nb-icon icon="plus-outline"></nb-icon>
+        הוסף כלל החלפה
       </button>
+    </nb-card-body>
+  </nb-card>
+
+  <nb-accordion class="advanced-accordion">
+    <nb-accordion-item>
+      <nb-accordion-item-header>
+        <nb-icon icon="options-2-outline"></nb-icon>
+        <span class="advanced-title">הגדרות מתקדמות / מותאמות אישית</span>
+      </nb-accordion-item-header>
+      <nb-accordion-item-body>
+        <p class="category-description">
+          אזור זה מאפשר להוסיף הגדרות שאינן מופיעות בטופס למעלה (לדוגמא: הגדרות חדשות
+          שטרם נוספו לממשק). יש להזין שם הגדרה וערך באופן ידני.
+        </p>
 
-    </div>
-  </nb-card-body>
+        @if (extraSettings.length === 0) {
+          <p class="empty-state">אין הגדרות מותאמות אישית.</p>
+        }
+
+        @for (s of extraSettings; track $index; let i = $index) {
+          <div class="extra-row">
+            <input nbInput fieldSize="small" type="text" [(ngModel)]="s.key" placeholder="שם ההגדרה">
+            <input nbInput fullWidth fieldSize="small" type="text" [(ngModel)]="s.value" placeholder="ערך">
+            <button nbButton status="danger" size="small" ghost (click)="removeExtraSetting(i)" nbTooltip="הסר">
+              <nb-icon icon="trash-2-outline"></nb-icon>
+            </button>
+          </div>
+        }
+
+        <button nbButton size="small" status="primary" (click)="addExtraSetting()">
+          <nb-icon icon="plus-outline"></nb-icon>
+          הוסף הגדרה מותאמת
+        </button>
+      </nb-accordion-item-body>
+    </nb-accordion-item>
+  </nb-accordion>
 
-  <nb-card-footer>
-    <button nbButton status="primary" (click)="saveSettings()" [disabled]="setInProgress">
-      שמור
+  <div class="save-bar">
+    <button nbButton status="primary" size="medium" (click)="saveSettings()" [disabled]="setInProgress">
+      <nb-icon icon="save-outline"></nb-icon>
+      {{ setInProgress ? 'שומר...' : 'שמור שינויים' }}
     </button>
-  </nb-card-footer>
-</nb-card>
\ No newline at end of file
+  </div>
+</div>
diff --git a/frontend/src/app/components/admin/settings/settings.component.scss b/frontend/src/app/components/admin/settings/settings.component.scss
index e69de29..819ebcb 100644
--- a/frontend/src/app/components/admin/settings/settings.component.scss
+++ b/frontend/src/app/components/admin/settings/settings.component.scss
@@ -0,0 +1,191 @@
+:host {
+  display: block;
+  direction: rtl;
+}
+
+.settings-page {
+  display: flex;
+  flex-direction: column;
+  gap: 1rem;
+  padding-bottom: 5rem;
+}
+
+.settings-card {
+  margin-bottom: 0 !important;
+}
+
+.settings-card-header {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  font-weight: 600;
+
+  nb-icon {
+    font-size: 1.25rem;
+  }
+}
+
+.category-description {
+  margin: 0 0 1rem;
+  font-size: 0.9rem;
+  color: var(--text-hint-color, #8f9bb3);
+  line-height: 1.5;
+
+  code {
+    background: var(--background-basic-color-2, #f7f9fc);
+    padding: 0.1rem 0.3rem;
+    border-radius: 4px;
+    font-size: 0.85em;
+    direction: ltr;
+    display: inline-block;
+  }
+}
+
+.setting-field {
+  padding: 0.85rem 0;
+  border-bottom: 1px solid var(--divider-color, #edf1f7);
+
+  &:last-child {
+    border-bottom: none;
+  }
+
+  &.is-toggle {
+    padding: 0.65rem 0;
+  }
+}
+
+.field-label {
+  display: block;
+  font-weight: 600;
+  font-size: 0.95rem;
+  margin-bottom: 0.25rem;
+  color: var(--text-basic-color);
+
+  &.small {
+    font-size: 0.85rem;
+    font-weight: 500;
+    margin-bottom: 0.2rem;
+  }
+}
+
+.field-description {
+  margin: 0 0 0.5rem;
+  font-size: 0.82rem;
+  color: var(--text-hint-color, #8f9bb3);
+  line-height: 1.4;
+}
+
+.toggle-row {
+  display: flex;
+  align-items: center;
+
+  ::ng-deep nb-toggle .toggle-label {
+    margin-inline-start: 0.5rem;
+  }
+}
+
+.toggle-description {
+  margin-top: 0.35rem;
+  margin-inline-start: 3.25rem;
+}
+
+.fcm-json-paste {
+  background: var(--background-basic-color-2, #f7f9fc);
+  padding: 1rem;
+  border-radius: 0.5rem;
+  margin-bottom: 1rem;
+
+  textarea {
+    direction: ltr;
+    font-family: monospace;
+    font-size: 0.85rem;
+  }
+
+  .error-text {
+    color: var(--color-danger-default, #ff3d71);
+    font-size: 0.85rem;
+    margin-top: 0.4rem;
+  }
+}
+
+.regex-row {
+  display: flex;
+  gap: 0.5rem;
+  align-items: flex-end;
+  padding: 0.6rem 0;
+  border-bottom: 1px solid var(--divider-color, #edf1f7);
+
+  &:last-of-type {
+    border-bottom: none;
+    margin-bottom: 0.6rem;
+  }
+}
+
+.regex-fields {
+  display: flex;
+  gap: 0.5rem;
+  flex: 1;
+  flex-wrap: wrap;
+
+  .regex-field {
+    flex: 1;
+    min-width: 180px;
+  }
+}
+
+.extra-row {
+  display: flex;
+  gap: 0.5rem;
+  align-items: center;
+  margin-bottom: 0.5rem;
+
+  input:first-of-type {
+    flex: 0 0 30%;
+  }
+}
+
+.empty-state {
+  font-size: 0.9rem;
+  color: var(--text-hint-color, #8f9bb3);
+  font-style: italic;
+  margin: 0 0 0.75rem;
+}
+
+.advanced-accordion {
+  ::ng-deep nb-accordion-item-header {
+    display: flex;
+    align-items: center;
+    gap: 0.5rem;
+  }
+
+  .advanced-title {
+    font-weight: 600;
+  }
+}
+
+.save-bar {
+  position: sticky;
+  bottom: 0;
+  background: var(--background-basic-color-1);
+  padding: 0.75rem 0;
+  border-top: 1px solid var(--divider-color, #edf1f7);
+  display: flex;
+  justify-content: flex-start;
+  z-index: 5;
+
+  button {
+    display: inline-flex;
+    align-items: center;
+    gap: 0.4rem;
+  }
+}
+
+hr {
+  border: none;
+  border-top: 1px solid var(--divider-color, #edf1f7);
+  margin: 1rem 0;
+}
+
+.mt-2 {
+  margin-top: 0.5rem;
+}
diff --git a/frontend/src/app/components/admin/settings/settings.component.ts b/frontend/src/app/components/admin/settings/settings.component.ts
index 5191a11..4bf219f 100644
--- a/frontend/src/app/components/admin/settings/settings.component.ts
+++ b/frontend/src/app/components/admin/settings/settings.component.ts
@@ -1,26 +1,63 @@
 import { Component, OnInit } from '@angular/core';
 import { AdminService } from '../../../services/admin.service';
-import { NbButtonModule, NbCardModule, NbToastrService, NbIconModule, NbInputModule } from "@nebular/theme";
+import {
+  NbButtonModule,
+  NbCardModule,
+  NbToastrService,
+  NbIconModule,
+  NbInputModule,
+  NbToggleModule,
+  NbAccordionModule,
+  NbTooltipModule,
+} from "@nebular/theme";
 
 import { FormsModule } from '@angular/forms';
+import { CommonModule } from '@angular/common';
 import { Setting } from '../../../models/setting.model';
+import {
+  SETTINGS_SCHEMA,
+  SettingsCategorySchema,
+  SettingFieldSchema,
+  FCM_JSON_KEY_MAP,
+  getAllKnownKeys,
+} from './settings.schema';
+
+interface RegexRule {
+  pattern: string;
+  replace: string;
+}
+
+interface ExtraSetting {
+  key: string;
+  value: string;
+}
 
 @Component({
   selector: 'app-settings',
   imports: [
+    CommonModule,
     NbCardModule,
     NbButtonModule,
     NbIconModule,
     NbInputModule,
-    FormsModule
-],
+    NbToggleModule,
+    NbAccordionModule,
+    NbTooltipModule,
+    FormsModule,
+  ],
   templateUrl: './settings.component.html',
   styleUrl: './settings.component.scss'
 })
 export class SettingsComponent implements OnInit {
 
-  settings: Setting[] = [];
+  schema: SettingsCategorySchema[] = SETTINGS_SCHEMA;
+  values: Record<string, any> = {};
+  regexRules: RegexRule[] = [];
+  extraSettings: ExtraSetting[] = [];
+
   setInProgress: boolean = false;
+  fcmJsonPaste: string = '';
+  fcmJsonError: string = '';
 
   constructor(
     private adminService: AdminService,
@@ -29,19 +66,161 @@ export class SettingsComponent implements OnInit {
 
   ngOnInit(): void {
     this.adminService.getSettings()
-      .then(settings => this.settings = settings || []);
+      .then(settings => this.loadFromSettings(settings || []));
   }
 
-  saveSettings() {
-    this.setInProgress = true;
-    this.adminService.setSettings(this.settings)
-      .then(() => this.tostService.success('', 'השינוים נשמרו בהצלחה!'))
-      .catch(() => this.tostService.danger('', 'שגיאה בשמירת השינוים'));
-    this.setInProgress = false;
+  private loadFromSettings(settings: Setting[]) {
+    const known = getAllKnownKeys();
+    this.values = {};
+    this.regexRules = [];
+    this.extraSettings = [];
+
+    for (const cat of this.schema) {
+      for (const f of cat.fields) {
+        if (f.type === 'boolean') this.values[f.key] = false;
+        else this.values[f.key] = '';
+      }
+    }
+
+    for (const s of settings) {
+      if (s.key === 'regex-replace') {
+        const raw = String(s.value ?? '');
+        if (raw.includes('#')) {
+          const idx = raw.indexOf('#');
+          this.regexRules.push({
+            pattern: raw.substring(0, idx),
+            replace: raw.substring(idx + 1),
+          });
+        } else if (raw) {
+          this.regexRules.push({ pattern: raw, replace: '' });
+        }
+        continue;
+      }
+
+      if (known.has(s.key)) {
+        const field = this.findField(s.key);
+        if (field?.type === 'boolean') {
+          this.values[s.key] = this.toBool(s.value);
+        } else {
+          this.values[s.key] = s.value === undefined || s.value === null ? '' : String(s.value);
+        }
+      } else {
+        this.extraSettings.push({
+          key: s.key,
+          value: s.value === undefined || s.value === null ? '' : String(s.value),
+        });
+      }
+    }
   }
 
-  removeSetting(index: number) {
-    // if (!confirm('האם אתה בטוח שברצונך למחוק את ההגדרה הזו?')) return;
-    this.settings.splice(index, 1);
+  private findField(key: string): SettingFieldSchema | undefined {
+    for (const cat of this.schema) {
+      const f = cat.fields.find(x => x.key === key);
+      if (f) return f;
+    }
+    return undefined;
+  }
+
+  private toBool(v: any): boolean {
+    if (typeof v === 'boolean') return v;
+    if (typeof v === 'number') return v !== 0;
+    if (typeof v === 'string') {
+      const s = v.toLowerCase().trim();
+      return s === '1' || s === 'true' || s === 'yes' || s === 'on';
+    }
+    return false;
+  }
+
+  isFieldVisible(field: SettingFieldSchema): boolean {
+    if (!field.hideWhen) return true;
+    return this.values[field.hideWhen.key] !== field.hideWhen.equals;
+  }
+
+  addRegexRule() {
+    this.regexRules.push({ pattern: '', replace: '' });
+  }
+
+  removeRegexRule(i: number) {
+    this.regexRules.splice(i, 1);
+  }
+
+  addExtraSetting() {
+    this.extraSettings.push({ key: '', value: '' });
+  }
+
+  removeExtraSetting(i: number) {
+    this.extraSettings.splice(i, 1);
+  }
+
+  applyFcmJsonPaste() {
+    this.fcmJsonError = '';
+    if (!this.fcmJsonPaste.trim()) return;
+    let parsed: any;
+    try {
+      parsed = JSON.parse(this.fcmJsonPaste);
+    } catch (e) {
+      this.fcmJsonError = 'JSON לא תקין';
+      return;
+    }
+
+    let count = 0;
+    for (const [jsonKey, settingKey] of Object.entries(FCM_JSON_KEY_MAP)) {
+      if (parsed[jsonKey] !== undefined) {
+        this.values[settingKey] = String(parsed[jsonKey]);
+        count++;
+      }
+    }
+
+    if (count === 0) {
+      this.fcmJsonError = 'לא נמצאו שדות מוכרים בקובץ ה-JSON';
+      return;
+    }
+
+    this.fcmJsonPaste = '';
+    this.tostService.success('', `${count} שדות מולאו אוטומטית מה-JSON`);
+  }
+
+  private buildSettingsArray(): Setting[] {
+    const out: Setting[] = [];
+
+    for (const cat of this.schema) {
+      for (const f of cat.fields) {
+        const v = this.values[f.key];
+        if (f.type === 'boolean') {
+          if (v === true) out.push({ key: f.key, value: '1' as any });
+        } else if (f.type === 'number') {
+          if (v !== '' && v !== null && v !== undefined) {
+            out.push({ key: f.key, value: String(v) as any });
+          }
+        } else {
+          if (v !== '' && v !== null && v !== undefined) {
+            out.push({ key: f.key, value: String(v) as any });
+          }
+        }
+      }
+    }
+
+    for (const r of this.regexRules) {
+      const p = (r.pattern || '').trim();
+      if (!p) continue;
+      out.push({ key: 'regex-replace', value: `${p}#${r.replace ?? ''}` as any });
+    }
+
+    for (const e of this.extraSettings) {
+      const k = (e.key || '').trim();
+      if (!k) continue;
+      out.push({ key: k, value: e.value ?? '' as any });
+    }
+
+    return out;
+  }
+
+  saveSettings() {
+    this.setInProgress = true;
+    const payload = this.buildSettingsArray();
+    this.adminService.setSettings(payload)
+      .then(() => this.tostService.success('', 'השינויים נשמרו בהצלחה!'))
+      .catch(() => this.tostService.danger('', 'שגיאה בשמירת השינויים'))
+      .finally(() => this.setInProgress = false);
   }
 }
diff --git a/frontend/src/app/components/admin/settings/settings.schema.ts b/frontend/src/app/components/admin/settings/settings.schema.ts
new file mode 100644
index 0000000..56b7897
--- /dev/null
+++ b/frontend/src/app/components/admin/settings/settings.schema.ts
@@ -0,0 +1,308 @@
+export type SettingFieldType = 'boolean' | 'text' | 'number' | 'url' | 'textarea' | 'password';
+
+export interface SettingFieldSchema {
+  key: string;
+  label: string;
+  description?: string;
+  type: SettingFieldType;
+  placeholder?: string;
+  default?: string | number | boolean;
+  hideWhen?: { key: string; equals: any };
+}
+
+export interface SettingsCategorySchema {
+  id: string;
+  title: string;
+  icon?: string;
+  description?: string;
+  fields: SettingFieldSchema[];
+}
+
+export const SETTINGS_SCHEMA: SettingsCategorySchema[] = [
+  {
+    id: 'general',
+    title: 'הגדרות כלליות',
+    icon: 'settings-2-outline',
+    fields: [
+      {
+        key: 'custom_title',
+        label: 'כותרת מותאמת אישית',
+        description: 'כותרת שתשמש לקידום האתר בתוצאות חיפוש (SEO).',
+        type: 'text',
+        placeholder: 'לדוגמא: הערוץ החדשותי שלי',
+      },
+      {
+        key: 'contact_us',
+        label: 'קישור ליצירת קשר',
+        description: 'הזנת קישור תפעיל כפתור "צור קשר" שיפנה לקישור זה.',
+        type: 'url',
+        placeholder: 'https://example.com/contact',
+      },
+      {
+        key: 'max_file_size',
+        label: 'הגבלת גודל קובץ להעלאה (MB)',
+        description: 'גודל מקסימלי בקבצים שניתן להעלות לערוץ. ברירת מחדל: 100 MB.',
+        type: 'number',
+        placeholder: '100',
+        default: 100,
+      },
+    ],
+  },
+  {
+    id: 'auth',
+    title: 'הזדהות ואבטחה',
+    icon: 'shield-outline',
+    fields: [
+      {
+        key: 'require_auth',
+        label: 'חיוב הזדהות לכניסה לערוץ',
+        description: 'משתמשים יחויבו להתחבר לפני שיוכלו לצפות בערוץ.',
+        type: 'boolean',
+      },
+      {
+        key: 'require_auth_for_view_files',
+        label: 'חיוב הזדהות לצפייה בתמונות וסרטונים',
+        description: 'גם אם הערוץ פתוח לצפייה, ניתן לחייב הזדהות לפני צפייה בקבצים.',
+        type: 'boolean',
+      },
+      {
+        key: 'api_secret_key',
+        label: 'מפתח API ליבוא הודעות',
+        description: 'מפתח סודי שיש לכלול בכותרת X-API-Key בעת קריאות יבוא הודעות.',
+        type: 'password',
+        placeholder: 'מפתח סודי חזק',
+      },
+    ],
+  },
+  {
+    id: 'views',
+    title: 'מונה צפיות',
+    icon: 'eye-outline',
+    fields: [
+      {
+        key: 'count_views',
+        label: 'הפעלת ספירת צפיות בהודעות',
+        description: 'מציג ליד כל הודעה את מספר הצפיות שנספרו עבורה.',
+        type: 'boolean',
+      },
+    ],
+  },
+  {
+    id: 'ads',
+    title: 'פרסומות',
+    icon: 'pricetags-outline',
+    fields: [
+      {
+        key: 'ad-iframe-src',
+        label: 'קישור HTML של פרסומת להטמעה',
+        description: 'הכנסת קישור תפעיל הצגת מסגרת פרסומת בערוץ.',
+        type: 'url',
+        placeholder: 'https://ad.example.com/banner.html',
+      },
+      {
+        key: 'ad-iframe-width',
+        label: 'רוחב חלון הפרסומת (פיקסלים)',
+        description: 'רוחב מומלץ: 300.',
+        type: 'number',
+        placeholder: '300',
+      },
+    ],
+  },
+  {
+    id: 'webhook',
+    title: 'וובהוק (Webhook)',
+    icon: 'link-2-outline',
+    description: 'שליחת התראה לשרת חיצוני בעת יצירה, עדכון או מחיקה של הודעות.',
+    fields: [
+      {
+        key: 'webhook_url',
+        label: 'כתובת ה-Webhook',
+        description: 'כתובת ה-URL שאליה תישלח בקשת POST בעת שינוי בהודעות.',
+        type: 'url',
+        placeholder: 'https://example.com/webhook',
+      },
+      {
+        key: 'webhook_verify_token',
+        label: 'טוקן אימות',
+        description: 'טוקן סודי שיישלח עם כל בקשה לאימות שהבקשה הגיעה ממערכת זו (מומלץ).',
+        type: 'password',
+        placeholder: 'your-secret-token',
+      },
+    ],
+  },
+  {
+    id: 'notifications',
+    title: 'התראות דחיפה (Push)',
+    icon: 'bell-outline',
+    description: 'מבוסס על שירות Firebase Cloud Messaging (FCM) של גוגל.',
+    fields: [
+      {
+        key: 'on_notification',
+        label: 'הפעלת התראות דחיפה',
+        description: 'יש להפעיל ולהזין את כל הפרטים מ-Firebase שבהמשך.',
+        type: 'boolean',
+      },
+      {
+        key: 'project_domain',
+        label: 'דומיין הפרויקט (להפניית לחיצה על התראה)',
+        description: 'כתובת ה-URL שאליה ינותב המשתמש כשילחץ על התראה.',
+        type: 'url',
+        placeholder: 'https://example.com',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'vapid',
+        label: 'מפתח VAPID',
+        description: 'Cloud Messaging > Web Push certificates > Key pair',
+        type: 'password',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_api_key',
+        label: 'apiKey',
+        description: 'General > SDK setup and configuration > apiKey',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_auth_domain',
+        label: 'authDomain',
+        description: 'General > SDK setup and configuration > authDomain',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_project_id',
+        label: 'projectId',
+        description: 'General > SDK setup and configuration > projectId',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_storage_bucket',
+        label: 'storageBucket',
+        description: 'General > SDK setup and configuration > storageBucket',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_messaging_sender_id',
+        label: 'messagingSenderId',
+        description: 'General > SDK setup and configuration > messagingSenderId',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_app_id',
+        label: 'appId',
+        description: 'General > SDK setup and configuration > appId',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_measurement_id',
+        label: 'measurementId',
+        description: 'General > SDK setup and configuration > measurementId',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+    ],
+  },
+  {
+    id: 'fcm_json',
+    title: 'חשבון שירות FCM (Service Account)',
+    icon: 'file-text-outline',
+    description: 'שדות אלה מגיעים מקובץ ה-JSON שנוצר תחת serviceaccounts > Generate new private key. ניתן להדביק את כל קובץ ה-JSON בשדה הראשון לשם מילוי אוטומטי של כל השדות.',
+    fields: [
+      {
+        key: 'fcm_json_type',
+        label: 'type',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_json_project_id',
+        label: 'project_id',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_json_private_key_id',
+        label: 'private_key_id',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_json_private_key',
+        label: 'private_key',
+        type: 'textarea',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_json_client_email',
+        label: 'client_email',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_json_client_id',
+        label: 'client_id',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_json_auth_uri',
+        label: 'auth_uri',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_json_token_uri',
+        label: 'token_uri',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_json_auth_provider_x509_cert_url',
+        label: 'auth_provider_x509_cert_url',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_json_client_x509_cert_url',
+        label: 'client_x509_cert_url',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+      {
+        key: 'fcm_json_universe_domain',
+        label: 'universe_domain',
+        type: 'text',
+        hideWhen: { key: 'on_notification', equals: false },
+      },
+    ],
+  },
+];
+
+export const FCM_JSON_KEY_MAP: Record<string, string> = {
+  type: 'fcm_json_type',
+  project_id: 'fcm_json_project_id',
+  private_key_id: 'fcm_json_private_key_id',
+  private_key: 'fcm_json_private_key',
+  client_email: 'fcm_json_client_email',
+  client_id: 'fcm_json_client_id',
+  auth_uri: 'fcm_json_auth_uri',
+  token_uri: 'fcm_json_token_uri',
+  auth_provider_x509_cert_url: 'fcm_json_auth_provider_x509_cert_url',
+  client_x509_cert_url: 'fcm_json_client_x509_cert_url',
+  universe_domain: 'fcm_json_universe_domain',
+};
+
+export function getAllKnownKeys(): Set<string> {
+  const keys = new Set<string>();
+  for (const cat of SETTINGS_SCHEMA) {
+    for (const f of cat.fields) keys.add(f.key);
+  }
+  keys.add('regex-replace');
+  return keys;
+}

From a8d3a1ef7e5d03c354c7eea569ae927dd07bbc4a Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 02:39:07 +0000
Subject: [PATCH 03/60] chore: trigger redeploy

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

From 72da5a4b8c8301e0405569e36641fc9dc74f43ab Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 03:14:18 +0000
Subject: [PATCH 04/60] feat: integrate Magnet ad platform with frequency rules
 and lazy loading
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a dedicated admin tab "שילוב פרסומות ממגנט" where admins paste an
HTML/JS embed snippet from the Magnet ad platform. Ads render between
chat messages according to configurable rules: either every N messages
(with optional minimum time gap) or every N seconds (with optional
minimum new-messages gap).

Each ad slot is lazy-loaded with IntersectionObserver — the external
embed only fires when the user scrolls near it, and re-fires on every
re-mount so each viewer (and each scroll) gets a live ad. If the embed
produces no DOM content within 5 seconds, the slot collapses silently.

Backend exposes a new public GET /api/ads/magnet endpoint and persists
the seven magnet_* keys in the existing settings:list store.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 backend/ads.go                                |  28 ++++
 backend/main.go                               |   1 +
 backend/settings.go                           |  28 ++++
 .../admin/admin-panel.component.html          |   3 +
 .../components/admin/admin-panel.component.ts |  12 +-
 .../magnet-ads/magnet-ads.component.html      | 116 +++++++++++++++
 .../magnet-ads/magnet-ads.component.scss      |  89 +++++++++++
 .../admin/magnet-ads/magnet-ads.component.ts  | 137 +++++++++++++++++
 .../channel/chat/chat.component.html          |  28 ++--
 .../components/channel/chat/chat.component.ts |  18 ++-
 .../magnet-ad-slot.component.html             |   1 +
 .../magnet-ad-slot.component.scss             |  19 +++
 .../magnet-ad-slot.component.ts               | 126 ++++++++++++++++
 .../src/app/services/magnet-ads.service.ts    | 138 ++++++++++++++++++
 14 files changed, 731 insertions(+), 13 deletions(-)
 create mode 100644 frontend/src/app/components/admin/magnet-ads/magnet-ads.component.html
 create mode 100644 frontend/src/app/components/admin/magnet-ads/magnet-ads.component.scss
 create mode 100644 frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts
 create mode 100644 frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.html
 create mode 100644 frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.scss
 create mode 100644 frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.ts
 create mode 100644 frontend/src/app/services/magnet-ads.service.ts

diff --git a/backend/ads.go b/backend/ads.go
index b868cb4..7d544d0 100644
--- a/backend/ads.go
+++ b/backend/ads.go
@@ -19,3 +19,31 @@ func getAdsSettings(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(settings)
 }
+
+type MagnetAdsSettings struct {
+	Enabled              bool   `json:"enabled"`
+	Snippet              string `json:"snippet"`
+	Mode                 string `json:"mode"`
+	PerMessages          int64  `json:"perMessages"`
+	MinTimeSeconds       int64  `json:"minTimeSeconds"`
+	PerSeconds           int64  `json:"perSeconds"`
+	MinMessagesSinceLast int64  `json:"minMessagesSinceLast"`
+}
+
+func getMagnetAdsSettings(w http.ResponseWriter, r *http.Request) {
+	settings := MagnetAdsSettings{
+		Enabled:              settingConfig.MagnetEnabled,
+		Mode:                 settingConfig.MagnetMode,
+		PerMessages:          settingConfig.MagnetPerMessages,
+		MinTimeSeconds:       settingConfig.MagnetMinTimeSeconds,
+		PerSeconds:           settingConfig.MagnetPerSeconds,
+		MinMessagesSinceLast: settingConfig.MagnetMinMessagesSince,
+	}
+
+	if settings.Enabled {
+		settings.Snippet = settingConfig.MagnetSnippet
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(settings)
+}
diff --git a/backend/main.go b/backend/main.go
index a33d03c..1bbeac0 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -74,6 +74,7 @@ func main() {
 		r.Get("/firebase-messaging-sw.js", getFirebaseMessagingSW)
 		r.Route("/api", func(api chi.Router) {
 			api.Get("/ads/settings", getAdsSettings)
+			api.Get("/ads/magnet", getMagnetAdsSettings)
 			api.Get("/emojis/list", getEmojisList)
 			api.Get("/channel/notifications-config", getNotificationsConfig)
 			api.Post("/channel/notifications-subscribe", subscribeNotifications)
diff --git a/backend/settings.go b/backend/settings.go
index c9286a0..4aa3d21 100644
--- a/backend/settings.go
+++ b/backend/settings.go
@@ -41,6 +41,13 @@ type SettingConfig struct {
 	MaxFileSize             int64
 	CustomTitle             string
 	ContactUs               string
+	MagnetEnabled           bool
+	MagnetSnippet           string
+	MagnetMode              string
+	MagnetPerMessages       int64
+	MagnetMinTimeSeconds    int64
+	MagnetPerSeconds        int64
+	MagnetMinMessagesSince  int64
 }
 
 type Setting struct {
@@ -186,6 +193,27 @@ func (s *Settings) ToConfig() *SettingConfig {
 
 		case "contact_us":
 			config.ContactUs = setting.GetString()
+
+		case "magnet_enabled":
+			config.MagnetEnabled = setting.GetBool()
+
+		case "magnet_snippet":
+			config.MagnetSnippet = setting.GetString()
+
+		case "magnet_mode":
+			config.MagnetMode = setting.GetString()
+
+		case "magnet_per_messages":
+			config.MagnetPerMessages = setting.GetInt()
+
+		case "magnet_min_time_seconds":
+			config.MagnetMinTimeSeconds = setting.GetInt()
+
+		case "magnet_per_seconds":
+			config.MagnetPerSeconds = setting.GetInt()
+
+		case "magnet_min_messages_since":
+			config.MagnetMinMessagesSince = setting.GetInt()
 		}
 	}
 
diff --git a/frontend/src/app/components/admin/admin-panel.component.html b/frontend/src/app/components/admin/admin-panel.component.html
index 240f739..f4bfbe8 100644
--- a/frontend/src/app/components/admin/admin-panel.component.html
+++ b/frontend/src/app/components/admin/admin-panel.component.html
@@ -31,6 +31,9 @@
             @case (statistics) {
             <app-statistics></app-statistics>
             }
+            @case (magnetAds) {
+            <app-magnet-ads></app-magnet-ads>
+            }
             }
         </div>
     </nb-card-body>
diff --git a/frontend/src/app/components/admin/admin-panel.component.ts b/frontend/src/app/components/admin/admin-panel.component.ts
index 9db0b9d..8305815 100644
--- a/frontend/src/app/components/admin/admin-panel.component.ts
+++ b/frontend/src/app/components/admin/admin-panel.component.ts
@@ -6,6 +6,7 @@ import { PrivilegDashboardComponent } from "./privileg-dashboard/privileg-dashbo
 import { ChannelInfoFormComponent } from "../channel/channel-info-form/channel-info-form.component";
 import { ReportsComponent } from "./reports/reports.component";
 import { StatisticsComponent } from "./statistics/statistics.component";
+import { MagnetAdsComponent } from "./magnet-ads/magnet-ads.component";
 
 @Component({
   selector: 'admin-dashboard',
@@ -19,7 +20,8 @@ import { StatisticsComponent } from "./statistics/statistics.component";
     PrivilegDashboardComponent,
     ChannelInfoFormComponent,
     ReportsComponent,
-    StatisticsComponent
+    StatisticsComponent,
+    MagnetAdsComponent
 ],
   templateUrl: './admin-panel.component.html',
   styleUrls: ['./admin-panel.component.scss']
@@ -34,6 +36,7 @@ export class AdminPanelComponent implements OnInit {
   readonly closedReports = "closed-reports";
   readonly allReports = "all-reports";
   readonly statistics = "statistics";
+  readonly magnetAds = "magnet-ads";
 
   selectedMenuItem = this.info;
 
@@ -59,6 +62,10 @@ export class AdminPanelComponent implements OnInit {
       title: "אימוג'ים",
       icon: 'smiling-face-outline',
     },
+    {
+      title: 'שילוב פרסומות ממגנט',
+      icon: 'pricetags-outline',
+    },
     {
       title: 'דיווחים',
       icon: 'alert-triangle-outline',
@@ -117,6 +124,9 @@ export class AdminPanelComponent implements OnInit {
         case 'bar-chart-outline':
           this.selectedMenuItem = this.statistics;
           break;
+        case 'pricetags-outline':
+          this.selectedMenuItem = this.magnetAds;
+          break;
       }
     });
   }
diff --git a/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.html b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.html
new file mode 100644
index 0000000..8c7b03a
--- /dev/null
+++ b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.html
@@ -0,0 +1,116 @@
+<div class="magnet-page">
+
+  <nb-card>
+    <nb-card-header class="card-header">
+      <nb-icon icon="pricetags-outline"></nb-icon>
+      <span>שילוב פרסומות ממגנט</span>
+    </nb-card-header>
+
+    <nb-card-body>
+      <p class="intro">
+        מגנט היא פלטפורמת פרסומות חיצונית. ניתן להדביק כאן את קוד ההטמעה (HTML/JS) שקיבלתם
+        ממגנט, והוא יוצג בין ההודעות בערוץ. ההטמעה היא בצד הגולש בלבד - הפרסומת תיטען רק
+        כשהגולש גולל ומגיע אליה, וכל פעם נקראת מחדש כך שהתוכן עשוי להשתנות בכל גלילה.
+        אם אין תשובת שרת מהפרסום - לא יוצג כלום.
+      </p>
+
+      <div class="setting-block">
+        <nb-toggle [(checked)]="enabled">
+          <span class="bold">הפעלת שילוב פרסומות מגנט</span>
+        </nb-toggle>
+        <p class="hint">כיבוי יסיר לחלוטין את הצגת הפרסומות בערוץ.</p>
+      </div>
+
+      <div class="setting-block">
+        <label class="bold" for="snippet">קוד הטמעה ממגנט (HTML/JavaScript)</label>
+        <p class="hint">
+          הדביקו את קוד ההטמעה שקיבלתם ממגנט. הקוד יוטמע כפי שהוא בכל מיקום פרסומת בערוץ
+          (תגיות &lt;script&gt; ירוצו בכל הצגה).
+        </p>
+        <textarea
+          nbInput
+          fullWidth
+          id="snippet"
+          rows="8"
+          dir="ltr"
+          [(ngModel)]="snippet"
+          placeholder='<div id="magnet-ad"></div>&#10;<script src="https://magnet.example/embed.js"></script>'>
+        </textarea>
+      </div>
+    </nb-card-body>
+  </nb-card>
+
+  <nb-card>
+    <nb-card-header class="card-header">
+      <nb-icon icon="clock-outline"></nb-icon>
+      <span>תדירות הצגה</span>
+    </nb-card-header>
+
+    <nb-card-body>
+      <p class="intro">בחרו את שיטת התזמון להצגת פרסומות בין ההודעות.</p>
+
+      <div class="mode-options">
+        <nb-radio
+          name="magnet-mode"
+          value="by_messages"
+          [checked]="mode === 'by_messages'"
+          (valueChange)="mode = $any($event)">
+          הצגה לפי כמות הודעות
+        </nb-radio>
+        <nb-radio
+          name="magnet-mode"
+          value="by_time"
+          [checked]="mode === 'by_time'"
+          (valueChange)="mode = $any($event)">
+          הצגה לפי זמן
+        </nb-radio>
+      </div>
+
+      @if (mode === 'by_messages') {
+        <div class="mode-section">
+          <div class="setting-block">
+            <label class="bold" for="per-messages">הצגת פרסומת כל X הודעות</label>
+            <p class="hint">בכל X הודעות תוצג פרסומת אחת. לדוגמא: ערך 5 = פרסומת אחרי כל 5 הודעות.</p>
+            <input nbInput type="number" min="1" id="per-messages" [(ngModel)]="perMessages">
+          </div>
+
+          <div class="setting-block">
+            <label class="bold" for="min-time">החרגה: זמן מינימום בין פרסומות (שניות)</label>
+            <p class="hint">
+              גם אם עברו X הודעות, אם הפרסומת הקודמת הוצגה לפני פחות מהזמן הזה - לא תוצג שוב.
+              הזינו 0 (או השאירו ריק) כדי לבטל את ההחרגה.
+            </p>
+            <input nbInput type="number" min="0" id="min-time" [(ngModel)]="minTimeSeconds">
+          </div>
+        </div>
+      }
+
+      @if (mode === 'by_time') {
+        <div class="mode-section">
+          <div class="setting-block">
+            <label class="bold" for="per-seconds">הצגת פרסומת כל X שניות</label>
+            <p class="hint">פרסומת תוצג בערוץ אחת לכל פרק זמן. לדוגמא: ערך 60 = פרסומת בכל דקה.</p>
+            <input nbInput type="number" min="1" id="per-seconds" [(ngModel)]="perSeconds">
+          </div>
+
+          <div class="setting-block">
+            <label class="bold" for="min-msgs">החרגה: מספר מינימום הודעות חדשות מהפרסומת הקודמת</label>
+            <p class="hint">
+              גם אם עבר הזמן, אם לא נוספו לפחות X הודעות חדשות מאז הפרסומת הקודמת - לא תוצג שוב.
+              הזינו 0 (או השאירו ריק) כדי לבטל את ההחרגה.
+            </p>
+            <input nbInput type="number" min="0" id="min-msgs" [(ngModel)]="minMessagesSince">
+          </div>
+        </div>
+      }
+    </nb-card-body>
+  </nb-card>
+
+  <div class="save-bar">
+    <button nbButton status="primary" (click)="save()" [disabled]="inProgress">
+      <nb-icon icon="save-outline"></nb-icon>
+      {{ inProgress ? 'שומר...' : 'שמור הגדרות מגנט' }}
+    </button>
+  </div>
+
+</div>
diff --git a/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.scss b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.scss
new file mode 100644
index 0000000..565068d
--- /dev/null
+++ b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.scss
@@ -0,0 +1,89 @@
+:host {
+  display: block;
+  direction: rtl;
+}
+
+.magnet-page {
+  display: flex;
+  flex-direction: column;
+  gap: 1rem;
+  padding-bottom: 5rem;
+}
+
+.card-header {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  font-weight: 600;
+
+  nb-icon {
+    font-size: 1.25rem;
+  }
+}
+
+.intro {
+  margin: 0 0 1rem;
+  font-size: 0.9rem;
+  color: var(--text-hint-color, #8f9bb3);
+  line-height: 1.5;
+}
+
+.setting-block {
+  margin-bottom: 1.25rem;
+
+  &:last-child {
+    margin-bottom: 0;
+  }
+
+  .bold {
+    font-weight: 600;
+    display: block;
+    margin-bottom: 0.25rem;
+  }
+
+  .hint {
+    margin: 0 0 0.5rem;
+    font-size: 0.82rem;
+    color: var(--text-hint-color, #8f9bb3);
+    line-height: 1.4;
+  }
+
+  textarea {
+    font-family: monospace;
+    font-size: 0.85rem;
+  }
+
+  input[type="number"] {
+    max-width: 200px;
+  }
+}
+
+.mode-options {
+  display: flex;
+  gap: 1.5rem;
+  flex-wrap: wrap;
+  margin-bottom: 1rem;
+  padding-bottom: 1rem;
+  border-bottom: 1px solid var(--divider-color, #edf1f7);
+}
+
+.mode-section {
+  padding-top: 0.25rem;
+}
+
+.save-bar {
+  position: sticky;
+  bottom: 0;
+  background: var(--background-basic-color-1);
+  padding: 0.75rem 0;
+  border-top: 1px solid var(--divider-color, #edf1f7);
+  display: flex;
+  justify-content: flex-start;
+  z-index: 5;
+
+  button {
+    display: inline-flex;
+    align-items: center;
+    gap: 0.4rem;
+  }
+}
diff --git a/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts
new file mode 100644
index 0000000..21de06c
--- /dev/null
+++ b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts
@@ -0,0 +1,137 @@
+import { Component, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { FormsModule } from '@angular/forms';
+import {
+  NbButtonModule,
+  NbCardModule,
+  NbIconModule,
+  NbInputModule,
+  NbRadioModule,
+  NbToastrService,
+  NbToggleModule,
+} from '@nebular/theme';
+import { AdminService } from '../../../services/admin.service';
+import { Setting } from '../../../models/setting.model';
+
+type MagnetMode = 'by_messages' | 'by_time';
+
+const MAGNET_KEYS = [
+  'magnet_enabled',
+  'magnet_snippet',
+  'magnet_mode',
+  'magnet_per_messages',
+  'magnet_min_time_seconds',
+  'magnet_per_seconds',
+  'magnet_min_messages_since',
+] as const;
+
+@Component({
+  selector: 'app-magnet-ads',
+  imports: [
+    CommonModule,
+    FormsModule,
+    NbCardModule,
+    NbButtonModule,
+    NbIconModule,
+    NbInputModule,
+    NbToggleModule,
+    NbRadioModule,
+  ],
+  templateUrl: './magnet-ads.component.html',
+  styleUrl: './magnet-ads.component.scss',
+})
+export class MagnetAdsComponent implements OnInit {
+  enabled = false;
+  snippet = '';
+  mode: MagnetMode = 'by_messages';
+  perMessages = 5;
+  minTimeSeconds = 0;
+  perSeconds = 60;
+  minMessagesSince = 0;
+
+  otherSettings: Setting[] = [];
+  inProgress = false;
+
+  constructor(
+    private adminService: AdminService,
+    private toast: NbToastrService,
+  ) {}
+
+  ngOnInit(): void {
+    this.adminService.getSettings().then(settings => this.load(settings || []));
+  }
+
+  private load(settings: Setting[]) {
+    this.otherSettings = [];
+    const known = new Set<string>(MAGNET_KEYS);
+
+    for (const s of settings) {
+      if (!known.has(s.key)) {
+        this.otherSettings.push(s);
+        continue;
+      }
+      const v = s.value;
+      switch (s.key) {
+        case 'magnet_enabled':
+          this.enabled = this.toBool(v);
+          break;
+        case 'magnet_snippet':
+          this.snippet = v == null ? '' : String(v);
+          break;
+        case 'magnet_mode':
+          this.mode = (String(v) === 'by_time' ? 'by_time' : 'by_messages');
+          break;
+        case 'magnet_per_messages':
+          this.perMessages = this.toInt(v, 5);
+          break;
+        case 'magnet_min_time_seconds':
+          this.minTimeSeconds = this.toInt(v, 0);
+          break;
+        case 'magnet_per_seconds':
+          this.perSeconds = this.toInt(v, 60);
+          break;
+        case 'magnet_min_messages_since':
+          this.minMessagesSince = this.toInt(v, 0);
+          break;
+      }
+    }
+  }
+
+  private toBool(v: any): boolean {
+    if (typeof v === 'boolean') return v;
+    if (typeof v === 'number') return v !== 0;
+    if (typeof v === 'string') {
+      const s = v.toLowerCase().trim();
+      return s === '1' || s === 'true' || s === 'yes' || s === 'on';
+    }
+    return false;
+  }
+
+  private toInt(v: any, fallback: number): number {
+    if (v === null || v === undefined || v === '') return fallback;
+    const n = parseInt(String(v), 10);
+    return isNaN(n) ? fallback : n;
+  }
+
+  save() {
+    this.inProgress = true;
+    const out: Setting[] = [...this.otherSettings];
+
+    if (this.enabled) out.push({ key: 'magnet_enabled', value: '1' as any });
+    if (this.snippet?.trim()) out.push({ key: 'magnet_snippet', value: this.snippet as any });
+    out.push({ key: 'magnet_mode', value: this.mode as any });
+
+    if (this.mode === 'by_messages') {
+      if (this.perMessages > 0) out.push({ key: 'magnet_per_messages', value: String(this.perMessages) as any });
+      if (this.minTimeSeconds > 0) out.push({ key: 'magnet_min_time_seconds', value: String(this.minTimeSeconds) as any });
+    } else {
+      if (this.perSeconds > 0) out.push({ key: 'magnet_per_seconds', value: String(this.perSeconds) as any });
+      if (this.minMessagesSince > 0) out.push({ key: 'magnet_min_messages_since', value: String(this.minMessagesSince) as any });
+    }
+
+    this.adminService.setSettings(out)
+      .then(() => this.toast.success('', 'הגדרות מגנט נשמרו בהצלחה'))
+      .catch(() => this.toast.danger('', 'שגיאה בשמירת ההגדרות'))
+      .finally(() => this.inProgress = false);
+  }
+}
diff --git a/frontend/src/app/components/channel/chat/chat.component.html b/frontend/src/app/components/channel/chat/chat.component.html
index 5ed82b7..18a9f89 100644
--- a/frontend/src/app/components/channel/chat/chat.component.html
+++ b/frontend/src/app/components/channel/chat/chat.component.html
@@ -23,18 +23,24 @@
       }
     </nb-list-item>
 
-    @for (message of messages; track message) {
-    <nb-list-item class="d-flex flex-column align-items-start">
-      <!-- last read indicator -->
-      @if (message.id === lastReadMessageId + 1) {
-      <div class="last-read-indicator">
-        <div class="line"></div>
-        <div class="last-read-indicator-text">לא נקראו</div>
-        <div class="line"></div>
-      </div>
+    @for (item of items; track item.trackKey) {
+      @if (item.kind === 'message') {
+        <nb-list-item class="d-flex flex-column align-items-start">
+          <!-- last read indicator -->
+          @if (item.message.id === lastReadMessageId + 1) {
+          <div class="last-read-indicator">
+            <div class="line"></div>
+            <div class="last-read-indicator-text">לא נקראו</div>
+            <div class="line"></div>
+          </div>
+          }
+          <app-message class="overflow-auto" [message]="item.message" [id]="item.message.id"></app-message>
+        </nb-list-item>
+      } @else {
+        <nb-list-item class="d-flex flex-column align-items-stretch magnet-ad-item">
+          <app-magnet-ad-slot [slotKey]="item.trackKey"></app-magnet-ad-slot>
+        </nb-list-item>
       }
-      <app-message class="overflow-auto" [message]="message" [id]="message.id"></app-message>
-    </nb-list-item>
     }
 
     @if (messages.length === 0) {
diff --git a/frontend/src/app/components/channel/chat/chat.component.ts b/frontend/src/app/components/channel/chat/chat.component.ts
index 5f6200d..99721c5 100644
--- a/frontend/src/app/components/channel/chat/chat.component.ts
+++ b/frontend/src/app/components/channel/chat/chat.component.ts
@@ -12,6 +12,7 @@ import {
   NbToastrService
 } from "@nebular/theme";
 import { MessageComponent } from "./message/message.component";
+import { MagnetAdSlotComponent } from "./magnet-ad-slot/magnet-ad-slot.component";
 import { firstValueFrom, interval } from 'rxjs';
 import { ChatMessage, ChatService } from '../../../services/chat.service';
 import { AuthService } from '../../../services/auth.service';
@@ -19,6 +20,7 @@ import { ActivatedRoute } from '@angular/router';
 import { NotificationsService } from '../../../services/notifications.service';
 import { User } from '../../../models/user.model';
 import { AdminService } from '../../../services/admin.service';
+import { ChatItem, MagnetAdsService } from '../../../services/magnet-ads.service';
 
 type LoadMsgOpt = {
   scrollDown?: boolean;
@@ -45,7 +47,8 @@ type ScrollOpt = {
     NbButtonModule,
     NbListModule,
     NbBadgeModule,
-    MessageComponent
+    MessageComponent,
+    MagnetAdSlotComponent
   ],
   templateUrl: './chat.component.html',
   styleUrl: './chat.component.scss'
@@ -53,6 +56,7 @@ type ScrollOpt = {
 export class ChatComponent implements OnInit, OnDestroy {
   private eventSource!: EventSource;
   messages: ChatMessage[] = [];
+  items: ChatItem[] = [];
   scheduledMessages!: ChatMessage[];
   hideScheduledMessages: boolean = false;
   userInfo?: User;
@@ -73,6 +77,7 @@ export class ChatComponent implements OnInit, OnDestroy {
     private _adminService: AdminService,
     private toastrService: NbToastrService,
     private notificationService: NotificationsService,
+    private magnetAds: MagnetAdsService,
     private zone: NgZone,
     private router: ActivatedRoute,
   ) {
@@ -131,6 +136,8 @@ export class ChatComponent implements OnInit, OnDestroy {
   ngOnInit() {
     this.chatService.getEmojisList(true);
 
+    this.magnetAds.loadSettings().then(() => this.rebuildItems());
+
     this.initializeMessageListener();
     this.keepAliveSSE();
 
@@ -172,6 +179,7 @@ export class ChatComponent implements OnInit, OnDestroy {
           if (this.hasNewMessages) break;
           this.zone.run(() => {
             this.messages.unshift(message.message);
+            this.rebuildItems();
             this.thereNewMessages = !(message.message.author === this.userInfo?.username);
             this.setLastReadMessage(message.message.id!.toString());
             if (this.userInfo?.privileges?.['writer'] && this.scheduledMessages && message.message.author === "Scheduled") {
@@ -187,11 +195,13 @@ export class ChatComponent implements OnInit, OnDestroy {
                 this.messages[index].deleted = true;
                 this.messages[index].last_edit = message.message.last_edit;
               }
+              this.rebuildItems();
             });
             break;
           };
           this.zone.run(() => {
             this.messages = this.messages.filter(m => m.id !== message.message.id);
+            this.rebuildItems();
           });
           break;
         case 'edit-message':
@@ -203,6 +213,7 @@ export class ChatComponent implements OnInit, OnDestroy {
               // TOTO: Find the closest message to attach the retrieved message to
               //  const closestIndex = this.messages.reduce
             }
+            this.rebuildItems();
           });
           break;
         case 'reaction':
@@ -223,6 +234,10 @@ export class ChatComponent implements OnInit, OnDestroy {
     clearInterval(this.subLastHeartbeat);
   }
 
+  private rebuildItems() {
+    this.items = this.magnetAds.buildItems(this.messages);
+  }
+
   async keepAliveSSE() {
     clearInterval(this.subLastHeartbeat);
     this.subLastHeartbeat = interval(10000)
@@ -313,6 +328,7 @@ export class ChatComponent implements OnInit, OnDestroy {
           this.hasOldMessages = response.length >= this.limit;
         }
         this.offset = Math.min(...this.messages.map(m => m.id!));
+        this.rebuildItems();
         setTimeout(() => {
           opt.messageId && this.scrollToId({ messageId: opt.messageId, smooth: false, mark: opt.mark });
         }, 300);
diff --git a/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.html b/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.html
new file mode 100644
index 0000000..7372252
--- /dev/null
+++ b/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.html
@@ -0,0 +1 @@
+<div #host class="magnet-ad-host" [class.collapsed]="collapsed" [attr.data-slot]="slotKey"></div>
diff --git a/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.scss b/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.scss
new file mode 100644
index 0000000..90da96a
--- /dev/null
+++ b/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.scss
@@ -0,0 +1,19 @@
+:host {
+  display: block;
+  width: 100%;
+}
+
+.magnet-ad-host {
+  display: block;
+  width: 100%;
+  min-height: 1px;
+
+  &.collapsed {
+    display: none;
+  }
+
+  ::ng-deep .magnet-ad-content {
+    display: block;
+    width: 100%;
+  }
+}
diff --git a/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.ts b/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.ts
new file mode 100644
index 0000000..4a76045
--- /dev/null
+++ b/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.ts
@@ -0,0 +1,126 @@
+import {
+  AfterViewInit,
+  Component,
+  ElementRef,
+  Input,
+  OnDestroy,
+  ViewChild,
+} from '@angular/core';
+import { MagnetAdsService } from '../../../../services/magnet-ads.service';
+
+@Component({
+  selector: 'app-magnet-ad-slot',
+  standalone: true,
+  templateUrl: './magnet-ad-slot.component.html',
+  styleUrl: './magnet-ad-slot.component.scss',
+})
+export class MagnetAdSlotComponent implements AfterViewInit, OnDestroy {
+  @Input() slotKey: string = '';
+
+  @ViewChild('host', { static: true }) hostRef!: ElementRef<HTMLDivElement>;
+
+  private observer?: IntersectionObserver;
+  private rendered = false;
+  private collapseTimer?: any;
+  collapsed = false;
+
+  constructor(private magnet: MagnetAdsService) {}
+
+  ngAfterViewInit(): void {
+    if (typeof IntersectionObserver === 'undefined') {
+      this.render();
+      return;
+    }
+
+    this.observer = new IntersectionObserver(
+      (entries) => {
+        for (const entry of entries) {
+          if (entry.isIntersecting && !this.rendered) {
+            this.render();
+            this.observer?.disconnect();
+            break;
+          }
+        }
+      },
+      { rootMargin: '200px 0px' },
+    );
+    this.observer.observe(this.hostRef.nativeElement);
+  }
+
+  ngOnDestroy(): void {
+    this.observer?.disconnect();
+    if (this.collapseTimer) clearTimeout(this.collapseTimer);
+  }
+
+  private render(): void {
+    if (this.rendered) return;
+    this.rendered = true;
+
+    const settings = this.magnet.getSettings();
+    const snippet = settings?.snippet?.trim();
+    if (!snippet) {
+      this.collapse();
+      return;
+    }
+
+    const host = this.hostRef.nativeElement;
+    host.innerHTML = '';
+
+    const container = document.createElement('div');
+    container.className = 'magnet-ad-content';
+    host.appendChild(container);
+
+    try {
+      this.injectSnippet(container, snippet);
+    } catch {
+      this.collapse();
+      return;
+    }
+
+    this.collapseTimer = setTimeout(() => this.collapseIfEmpty(), 5000);
+  }
+
+  private injectSnippet(container: HTMLElement, snippet: string): void {
+    const template = document.createElement('template');
+    template.innerHTML = snippet;
+
+    const fragment = template.content;
+    const scripts: HTMLScriptElement[] = [];
+    fragment.querySelectorAll('script').forEach((s) => {
+      scripts.push(s as HTMLScriptElement);
+    });
+
+    container.appendChild(fragment);
+
+    for (const oldScript of scripts) {
+      const newScript = document.createElement('script');
+      for (const attr of Array.from(oldScript.attributes)) {
+        newScript.setAttribute(attr.name, attr.value);
+      }
+      if (oldScript.textContent) newScript.textContent = oldScript.textContent;
+      oldScript.parentNode?.replaceChild(newScript, oldScript);
+    }
+  }
+
+  private collapseIfEmpty(): void {
+    const host = this.hostRef.nativeElement;
+    const content = host.querySelector('.magnet-ad-content') as HTMLElement | null;
+    if (!content) {
+      this.collapse();
+      return;
+    }
+    const hasMeaningfulContent =
+      content.children.length > 0 || (content.textContent?.trim().length ?? 0) > 0;
+    const hasHeight = content.offsetHeight > 0;
+
+    if (!hasMeaningfulContent || !hasHeight) {
+      this.collapse();
+    }
+  }
+
+  private collapse(): void {
+    this.collapsed = true;
+    const host = this.hostRef.nativeElement;
+    host.innerHTML = '';
+  }
+}
diff --git a/frontend/src/app/services/magnet-ads.service.ts b/frontend/src/app/services/magnet-ads.service.ts
new file mode 100644
index 0000000..e49eba8
--- /dev/null
+++ b/frontend/src/app/services/magnet-ads.service.ts
@@ -0,0 +1,138 @@
+import { Injectable } from '@angular/core';
+import { ChatMessage } from './chat.service';
+
+export interface MagnetSettings {
+  enabled: boolean;
+  snippet: string;
+  mode: 'by_messages' | 'by_time' | string;
+  perMessages: number;
+  minTimeSeconds: number;
+  perSeconds: number;
+  minMessagesSinceLast: number;
+}
+
+export type ChatItem =
+  | { kind: 'message'; message: ChatMessage; trackKey: string }
+  | { kind: 'ad'; trackKey: string };
+
+@Injectable({ providedIn: 'root' })
+export class MagnetAdsService {
+  private settings: MagnetSettings | null = null;
+  private settingsPromise: Promise<MagnetSettings | null> | null = null;
+
+  loadSettings(force = false): Promise<MagnetSettings | null> {
+    if (this.settings && !force) return Promise.resolve(this.settings);
+    if (this.settingsPromise && !force) return this.settingsPromise;
+
+    this.settingsPromise = fetch('/api/ads/magnet')
+      .then(r => r.ok ? r.json() : null)
+      .then((data: MagnetSettings | null) => {
+        this.settings = data;
+        return data;
+      })
+      .catch(() => null);
+
+    return this.settingsPromise;
+  }
+
+  getSettings(): MagnetSettings | null {
+    return this.settings;
+  }
+
+  /**
+   * Build a list of chat items (messages + ad slots) for the chat component.
+   * Input: messages array as held in chat.component (newest at index 0).
+   * Output: items in the same order (newest first), with ad slots interleaved
+   * according to the configured rules. The list is rendered by a flex-column-reverse
+   * container, so ad slots appear visually between messages in chronological order.
+   */
+  buildItems(messages: ChatMessage[]): ChatItem[] {
+    if (!messages || messages.length === 0) return [];
+
+    const s = this.settings;
+    if (!s || !s.enabled || !s.snippet?.trim()) {
+      return messages.map(m => ({
+        kind: 'message',
+        message: m,
+        trackKey: `m-${m.id}`,
+      } as ChatItem));
+    }
+
+    const chrono = [...messages].reverse();
+    const out: ChatItem[] = [];
+
+    if (s.mode === 'by_time') {
+      out.push(...this.buildByTime(chrono, s));
+    } else {
+      out.push(...this.buildByMessages(chrono, s));
+    }
+
+    return out.reverse();
+  }
+
+  private buildByMessages(chrono: ChatMessage[], s: MagnetSettings): ChatItem[] {
+    const per = Math.max(1, s.perMessages || 5);
+    const minTime = Math.max(0, s.minTimeSeconds || 0);
+    const out: ChatItem[] = [];
+
+    let countSinceLast = 0;
+    let lastAdTime: number | null = null;
+
+    for (const m of chrono) {
+      out.push({ kind: 'message', message: m, trackKey: `m-${m.id}` });
+      countSinceLast++;
+
+      if (countSinceLast >= per) {
+        const msgTime = this.toEpoch(m.timestamp);
+        const enoughTimePassed = !minTime || lastAdTime === null ||
+          (msgTime !== null && (msgTime - lastAdTime) >= minTime * 1000);
+
+        if (enoughTimePassed) {
+          out.push({ kind: 'ad', trackKey: `ad-after-${m.id}` });
+          countSinceLast = 0;
+          if (msgTime !== null) lastAdTime = msgTime;
+        }
+      }
+    }
+
+    return out;
+  }
+
+  private buildByTime(chrono: ChatMessage[], s: MagnetSettings): ChatItem[] {
+    const per = Math.max(1, s.perSeconds || 60);
+    const minMsgs = Math.max(0, s.minMessagesSinceLast || 0);
+    const out: ChatItem[] = [];
+
+    let lastAdTime: number | null = null;
+    let msgsSinceLast = 0;
+
+    for (const m of chrono) {
+      out.push({ kind: 'message', message: m, trackKey: `m-${m.id}` });
+      msgsSinceLast++;
+
+      const msgTime = this.toEpoch(m.timestamp);
+      if (msgTime === null) continue;
+
+      if (lastAdTime === null) {
+        lastAdTime = msgTime;
+        continue;
+      }
+
+      const elapsed = (msgTime - lastAdTime) / 1000;
+      if (elapsed >= per && msgsSinceLast >= minMsgs) {
+        out.push({ kind: 'ad', trackKey: `ad-after-${m.id}` });
+        lastAdTime = msgTime;
+        msgsSinceLast = 0;
+      }
+    }
+
+    return out;
+  }
+
+  private toEpoch(ts: any): number | null {
+    if (!ts) return null;
+    if (ts instanceof Date) return ts.getTime();
+    const t = new Date(ts).getTime();
+    return isNaN(t) ? null : t;
+  }
+}

From 925d900e627f2cf9cc9b7a5ec3fa7c573a789b95 Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 03:24:26 +0000
Subject: [PATCH 05/60] feat: add Magnet click & earnings stats panel in admin

Add a publisher API key field and a stats viewer in the Magnet admin tab.
A new admin-protected endpoint GET /api/admin/magnet/stats proxies the
request to Magnet's publisher-stats function so the API key never reaches
the browser. The stats panel shows clicks and earnings (today / week /
month) in two columns with currency formatting, displays the site domain,
and has a refresh button with a last-updated timestamp. Errors from
Magnet (400 invalid key, 404 unapproved site) are surfaced in Hebrew.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 backend/ads.go                                |  42 +++++++
 backend/main.go                               |   1 +
 backend/settings.go                           |   4 +
 .../magnet-ads/magnet-ads.component.html      | 114 ++++++++++++++++++
 .../magnet-ads/magnet-ads.component.scss      | 107 ++++++++++++++++
 .../admin/magnet-ads/magnet-ads.component.ts  |  72 +++++++++++
 6 files changed, 340 insertions(+)

diff --git a/backend/ads.go b/backend/ads.go
index 7d544d0..bbda9e3 100644
--- a/backend/ads.go
+++ b/backend/ads.go
@@ -2,7 +2,10 @@ package main
 
 import (
 	"encoding/json"
+	"io"
 	"net/http"
+	"net/url"
+	"time"
 )
 
 type AdsSettings struct {
@@ -47,3 +50,42 @@ func getMagnetAdsSettings(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(settings)
 }
+
+const magnetStatsURL = "https://rucltqmtefvlrjhbedqu.supabase.co/functions/v1/publisher-stats"
+
+var magnetStatsClient = &http.Client{Timeout: 15 * time.Second}
+
+func getMagnetStats(w http.ResponseWriter, r *http.Request) {
+	apiKey := settingConfig.MagnetApiKey
+	if apiKey == "" {
+		http.Error(w, `{"error":"missing_api_key","message":"Magnet API key is not configured"}`, http.StatusBadRequest)
+		return
+	}
+
+	q := url.Values{}
+	q.Set("k", apiKey)
+	reqURL := magnetStatsURL + "?" + q.Encode()
+
+	req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, reqURL, nil)
+	if err != nil {
+		http.Error(w, `{"error":"request_build_failed"}`, http.StatusInternalServerError)
+		return
+	}
+
+	resp, err := magnetStatsClient.Do(req)
+	if err != nil {
+		http.Error(w, `{"error":"upstream_unreachable"}`, http.StatusBadGateway)
+		return
+	}
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	if err != nil {
+		http.Error(w, `{"error":"upstream_read_failed"}`, http.StatusBadGateway)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(resp.StatusCode)
+	w.Write(body)
+}
diff --git a/backend/main.go b/backend/main.go
index 1bbeac0..956364a 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -104,6 +104,7 @@ func main() {
 				protected.Post("/privilegs-users/set", protectedWithPrivilege(Admin, setPrivilegeUsers))
 				protected.Get("/settings/get", protectedWithPrivilege(Admin, getSettings))
 				protected.Post("/settings/set", protectedWithPrivilege(Admin, setSettings))
+				protected.Get("/magnet/stats", protectedWithPrivilege(Admin, getMagnetStats))
 				protected.Get("/reports/get", protectedWithPrivilege(Admin, getReports))
 				protected.Post("/reports/set", protectedWithPrivilege(Admin, setReports))
 			})
diff --git a/backend/settings.go b/backend/settings.go
index 4aa3d21..aae2e46 100644
--- a/backend/settings.go
+++ b/backend/settings.go
@@ -48,6 +48,7 @@ type SettingConfig struct {
 	MagnetMinTimeSeconds    int64
 	MagnetPerSeconds        int64
 	MagnetMinMessagesSince  int64
+	MagnetApiKey            string
 }
 
 type Setting struct {
@@ -214,6 +215,9 @@ func (s *Settings) ToConfig() *SettingConfig {
 
 		case "magnet_min_messages_since":
 			config.MagnetMinMessagesSince = setting.GetInt()
+
+		case "magnet_api_key":
+			config.MagnetApiKey = setting.GetString()
 		}
 	}
 
diff --git a/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.html b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.html
index 8c7b03a..cdce902 100644
--- a/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.html
+++ b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.html
@@ -40,6 +40,31 @@
     </nb-card-body>
   </nb-card>
 
+  <nb-card>
+    <nb-card-header class="card-header">
+      <nb-icon icon="lock-outline"></nb-icon>
+      <span>מפתח API למגנט</span>
+    </nb-card-header>
+    <nb-card-body>
+      <div class="setting-block">
+        <label class="bold" for="api-key">מפתח API (publisher key)</label>
+        <p class="hint">
+          מפתח שניתן לכם ע"י מגנט. נדרש לצפייה בנתוני הקלקות ותגמולים. שמירת ההגדרות
+          תשמור גם את המפתח. המפתח לא נחשף לצד הלקוח - הקריאה למגנט מתבצעת מהשרת.
+        </p>
+        <input
+          nbInput
+          fullWidth
+          type="password"
+          autocomplete="new-password"
+          id="api-key"
+          dir="ltr"
+          [(ngModel)]="apiKey"
+          placeholder="d8059fc0-9bde-4270-89e4-6f485c617c41">
+      </div>
+    </nb-card-body>
+  </nb-card>
+
   <nb-card>
     <nb-card-header class="card-header">
       <nb-icon icon="clock-outline"></nb-icon>
@@ -106,6 +131,95 @@
     </nb-card-body>
   </nb-card>
 
+  <nb-card>
+    <nb-card-header class="card-header">
+      <nb-icon icon="bar-chart-2-outline"></nb-icon>
+      <span>נתוני הקלקות ותגמולים</span>
+    </nb-card-header>
+
+    <nb-card-body>
+      <p class="intro">
+        נתונים אלו מתקבלים ישירות ממגנט בזמן אמת לפי המפתח שמוגדר למעלה.
+        רק הקלקות מאושרות לתשלום נספרות. הסכומים נטו, ללא מע"מ, בש"ח.
+        "היום" מתחיל מ-00:00 שעון ישראל. "שבוע"/"חודש" = 7/30 ימים אחורה.
+        מגנט שומר תוצאות במטמון לכ-30 שניות.
+      </p>
+
+      <div class="stats-actions">
+        @if (!stats && !statsError) {
+          <button nbButton status="primary" (click)="loadStats()" [disabled]="statsLoading">
+            <nb-icon icon="bar-chart-2-outline"></nb-icon>
+            {{ statsLoading ? 'טוען...' : 'הצג נתוני הקלקות ותגמולים' }}
+          </button>
+        } @else {
+          <button nbButton status="basic" (click)="loadStats()" [disabled]="statsLoading">
+            <nb-icon icon="refresh-outline"></nb-icon>
+            {{ statsLoading ? 'מרענן...' : 'רענן' }}
+          </button>
+          @if (statsLoadedAt) {
+            <span class="stats-meta">עודכן: {{ statsLoadedAt | date:'HH:mm:ss' }}</span>
+          }
+        }
+      </div>
+
+      @if (statsError) {
+        <div class="stats-error">
+          <nb-icon icon="alert-circle-outline"></nb-icon>
+          <span>{{ statsError }}</span>
+        </div>
+      }
+
+      @if (stats && !statsError) {
+        @if (stats.site?.domain) {
+          <div class="stats-site">
+            <span class="bold">אתר:</span>
+            <a [href]="stats.site?.domain" target="_blank" rel="noopener">{{ stats.site?.domain }}</a>
+          </div>
+        }
+
+        <div class="stats-grid">
+          <div class="stats-section">
+            <div class="stats-title">
+              <nb-icon icon="navigation-2-outline"></nb-icon>
+              הקלקות
+            </div>
+            <div class="stats-row">
+              <span class="stats-label">היום</span>
+              <span class="stats-value">{{ formatNumber(stats.clicks?.today) }}</span>
+            </div>
+            <div class="stats-row">
+              <span class="stats-label">שבוע אחרון</span>
+              <span class="stats-value">{{ formatNumber(stats.clicks?.week) }}</span>
+            </div>
+            <div class="stats-row">
+              <span class="stats-label">חודש אחרון</span>
+              <span class="stats-value">{{ formatNumber(stats.clicks?.month) }}</span>
+            </div>
+          </div>
+
+          <div class="stats-section">
+            <div class="stats-title">
+              <nb-icon icon="credit-card-outline"></nb-icon>
+              תגמולים <span class="stats-currency">({{ stats.currency || 'ILS' }} - ללא מע"מ)</span>
+            </div>
+            <div class="stats-row">
+              <span class="stats-label">היום</span>
+              <span class="stats-value">{{ formatMoney(stats.earnings?.today, stats.currency) }}</span>
+            </div>
+            <div class="stats-row">
+              <span class="stats-label">שבוע אחרון</span>
+              <span class="stats-value">{{ formatMoney(stats.earnings?.week, stats.currency) }}</span>
+            </div>
+            <div class="stats-row">
+              <span class="stats-label">חודש אחרון</span>
+              <span class="stats-value">{{ formatMoney(stats.earnings?.month, stats.currency) }}</span>
+            </div>
+          </div>
+        </div>
+      }
+    </nb-card-body>
+  </nb-card>
+
   <div class="save-bar">
     <button nbButton status="primary" (click)="save()" [disabled]="inProgress">
       <nb-icon icon="save-outline"></nb-icon>
diff --git a/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.scss b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.scss
index 565068d..298c082 100644
--- a/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.scss
+++ b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.scss
@@ -71,6 +71,113 @@
   padding-top: 0.25rem;
 }
 
+.stats-actions {
+  display: flex;
+  align-items: center;
+  gap: 0.75rem;
+  flex-wrap: wrap;
+  margin-bottom: 1rem;
+
+  button {
+    display: inline-flex;
+    align-items: center;
+    gap: 0.4rem;
+  }
+
+  .stats-meta {
+    font-size: 0.82rem;
+    color: var(--text-hint-color, #8f9bb3);
+  }
+}
+
+.stats-error {
+  display: flex;
+  align-items: center;
+  gap: 0.5rem;
+  padding: 0.75rem 1rem;
+  background: var(--background-basic-color-2, #f7f9fc);
+  border-inline-start: 3px solid var(--color-danger-default, #ff3d71);
+  color: var(--color-danger-default, #ff3d71);
+  border-radius: 0.4rem;
+  font-size: 0.9rem;
+}
+
+.stats-site {
+  margin-bottom: 1rem;
+  font-size: 0.95rem;
+
+  .bold {
+    font-weight: 600;
+    margin-inline-end: 0.4rem;
+  }
+
+  a {
+    direction: ltr;
+    display: inline-block;
+    color: var(--color-primary-default);
+    text-decoration: none;
+
+    &:hover {
+      text-decoration: underline;
+    }
+  }
+}
+
+.stats-grid {
+  display: grid;
+  grid-template-columns: repeat(auto-fit, minmax(260px, 1fr));
+  gap: 1rem;
+}
+
+.stats-section {
+  background: var(--background-basic-color-2, #f7f9fc);
+  padding: 1rem;
+  border-radius: 0.5rem;
+
+  .stats-title {
+    display: flex;
+    align-items: center;
+    gap: 0.5rem;
+    font-weight: 600;
+    margin-bottom: 0.75rem;
+    padding-bottom: 0.5rem;
+    border-bottom: 1px solid var(--divider-color, #edf1f7);
+
+    nb-icon {
+      font-size: 1.1rem;
+    }
+
+    .stats-currency {
+      font-weight: 400;
+      font-size: 0.8rem;
+      color: var(--text-hint-color, #8f9bb3);
+      margin-inline-start: auto;
+    }
+  }
+
+  .stats-row {
+    display: flex;
+    justify-content: space-between;
+    align-items: center;
+    padding: 0.4rem 0;
+
+    & + .stats-row {
+      border-top: 1px dashed var(--divider-color, #edf1f7);
+    }
+
+    .stats-label {
+      color: var(--text-hint-color, #8f9bb3);
+      font-size: 0.9rem;
+    }
+
+    .stats-value {
+      font-weight: 600;
+      font-size: 1rem;
+      direction: ltr;
+    }
+  }
+}
+
 .save-bar {
   position: sticky;
   bottom: 0;
diff --git a/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts
index 21de06c..e0de604 100644
--- a/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts
+++ b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts
@@ -15,6 +15,19 @@ import { Setting } from '../../../models/setting.model';
 
 type MagnetMode = 'by_messages' | 'by_time';
 
+interface MagnetStatsBucket {
+  today: number;
+  week: number;
+  month: number;
+}
+
+interface MagnetStatsResponse {
+  site?: { id?: string; domain?: string };
+  currency?: string;
+  clicks?: MagnetStatsBucket;
+  earnings?: MagnetStatsBucket;
+}
+
 const MAGNET_KEYS = [
   'magnet_enabled',
   'magnet_snippet',
@@ -23,6 +36,7 @@ const MAGNET_KEYS = [
   'magnet_min_time_seconds',
   'magnet_per_seconds',
   'magnet_min_messages_since',
+  'magnet_api_key',
 ] as const;
 
 @Component({
@@ -48,10 +62,16 @@ export class MagnetAdsComponent implements OnInit {
   minTimeSeconds = 0;
   perSeconds = 60;
   minMessagesSince = 0;
+  apiKey = '';
 
   otherSettings: Setting[] = [];
   inProgress = false;
 
+  stats: MagnetStatsResponse | null = null;
+  statsLoading = false;
+  statsError = '';
+  statsLoadedAt: Date | null = null;
+
   constructor(
     private adminService: AdminService,
     private toast: NbToastrService,
@@ -93,6 +113,9 @@ export class MagnetAdsComponent implements OnInit {
         case 'magnet_min_messages_since':
           this.minMessagesSince = this.toInt(v, 0);
           break;
+        case 'magnet_api_key':
+          this.apiKey = v == null ? '' : String(v);
+          break;
       }
     }
   }
@@ -129,9 +152,58 @@ export class MagnetAdsComponent implements OnInit {
       if (this.minMessagesSince > 0) out.push({ key: 'magnet_min_messages_since', value: String(this.minMessagesSince) as any });
     }
 
+    if (this.apiKey?.trim()) out.push({ key: 'magnet_api_key', value: this.apiKey.trim() as any });
+
     this.adminService.setSettings(out)
       .then(() => this.toast.success('', 'הגדרות מגנט נשמרו בהצלחה'))
       .catch(() => this.toast.danger('', 'שגיאה בשמירת ההגדרות'))
       .finally(() => this.inProgress = false);
   }
+
+  async loadStats() {
+    this.statsLoading = true;
+    this.statsError = '';
+
+    try {
+      const res = await fetch('/api/admin/magnet/stats', { credentials: 'include' });
+      const text = await res.text();
+      let data: any = null;
+      try { data = text ? JSON.parse(text) : null; } catch {}
+
+      if (!res.ok) {
+        if (res.status === 400) {
+          this.statsError = data?.message || 'מפתח API לא תקין או חסר. שמרו תחילה מפתח תקין ונסו שוב.';
+        } else if (res.status === 404) {
+          this.statsError = 'האתר לא נמצא במערכת מגנט או שאינו מאושר.';
+        } else if (res.status === 401 || res.status === 403) {
+          this.statsError = 'אין הרשאה לגשת לנתוני מגנט.';
+        } else {
+          this.statsError = data?.message || `שגיאה בקבלת נתונים (HTTP ${res.status})`;
+        }
+        this.stats = null;
+        return;
+      }
+
+      this.stats = data as MagnetStatsResponse;
+      this.statsLoadedAt = new Date();
+    } catch {
+      this.statsError = 'שגיאת רשת בקריאה לשרת מגנט';
+      this.stats = null;
+    } finally {
+      this.statsLoading = false;
+    }
+  }
+
+  formatMoney(n: number | undefined, currency: string | undefined): string {
+    if (n === null || n === undefined) return '-';
+    const code = (currency || 'ILS').toUpperCase();
+    const symbol = code === 'ILS' ? '₪' : code === 'USD' ? '$' : code === 'EUR' ? '€' : code + ' ';
+    const formatted = Number(n).toLocaleString('he-IL', { minimumFractionDigits: 2, maximumFractionDigits: 2 });
+    return code === 'ILS' ? `${formatted} ${symbol}` : `${symbol}${formatted}`;
+  }
+
+  formatNumber(n: number | undefined): string {
+    if (n === null || n === undefined) return '-';
+    return Number(n).toLocaleString('he-IL');
+  }
 }

From 7d877938f6d06be891068a96ba051547f85c9d1c Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 03:36:14 +0000
Subject: [PATCH 06/60] fix: ensure chat messages render even if magnet ad
 logic fails

Add defensive fallbacks so a regression in the Magnet ad-injection logic
can never prevent regular chat messages from rendering:

- rebuildItems() now wraps buildItems() in try/catch and falls back to
  plain message items if it throws or returns an empty list while there
  are messages.
- Template renders directly from messages[] when items[] is empty,
  bypassing the ad-injection layer entirely as a safety net.
- ngOnInit catches a rejected loadSettings() promise so it cannot block
  the subsequent rebuildItems call.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../channel/chat/chat.component.html          | 33 ++++++++++++++-----
 .../components/channel/chat/chat.component.ts | 22 +++++++++++--
 2 files changed, 44 insertions(+), 11 deletions(-)

diff --git a/frontend/src/app/components/channel/chat/chat.component.html b/frontend/src/app/components/channel/chat/chat.component.html
index 18a9f89..cb73787 100644
--- a/frontend/src/app/components/channel/chat/chat.component.html
+++ b/frontend/src/app/components/channel/chat/chat.component.html
@@ -23,22 +23,37 @@
       }
     </nb-list-item>
 
-    @for (item of items; track item.trackKey) {
-      @if (item.kind === 'message') {
+    @if (items.length > 0) {
+      @for (item of items; track item.trackKey) {
+        @if (item.kind === 'message') {
+          <nb-list-item class="d-flex flex-column align-items-start">
+            <!-- last read indicator -->
+            @if (item.message.id === lastReadMessageId + 1) {
+            <div class="last-read-indicator">
+              <div class="line"></div>
+              <div class="last-read-indicator-text">לא נקראו</div>
+              <div class="line"></div>
+            </div>
+            }
+            <app-message class="overflow-auto" [message]="item.message" [id]="item.message.id"></app-message>
+          </nb-list-item>
+        } @else {
+          <nb-list-item class="d-flex flex-column align-items-stretch magnet-ad-item">
+            <app-magnet-ad-slot [slotKey]="item.trackKey"></app-magnet-ad-slot>
+          </nb-list-item>
+        }
+      }
+    } @else {
+      @for (message of messages; track message.id) {
         <nb-list-item class="d-flex flex-column align-items-start">
-          <!-- last read indicator -->
-          @if (item.message.id === lastReadMessageId + 1) {
+          @if (message.id === lastReadMessageId + 1) {
           <div class="last-read-indicator">
             <div class="line"></div>
             <div class="last-read-indicator-text">לא נקראו</div>
             <div class="line"></div>
           </div>
           }
-          <app-message class="overflow-auto" [message]="item.message" [id]="item.message.id"></app-message>
-        </nb-list-item>
-      } @else {
-        <nb-list-item class="d-flex flex-column align-items-stretch magnet-ad-item">
-          <app-magnet-ad-slot [slotKey]="item.trackKey"></app-magnet-ad-slot>
+          <app-message class="overflow-auto" [message]="message" [id]="message.id"></app-message>
         </nb-list-item>
       }
     }
diff --git a/frontend/src/app/components/channel/chat/chat.component.ts b/frontend/src/app/components/channel/chat/chat.component.ts
index 99721c5..b864298 100644
--- a/frontend/src/app/components/channel/chat/chat.component.ts
+++ b/frontend/src/app/components/channel/chat/chat.component.ts
@@ -136,7 +136,9 @@ export class ChatComponent implements OnInit, OnDestroy {
   ngOnInit() {
     this.chatService.getEmojisList(true);
 
-    this.magnetAds.loadSettings().then(() => this.rebuildItems());
+    this.magnetAds.loadSettings()
+      .catch(() => null)
+      .then(() => this.rebuildItems());
 
     this.initializeMessageListener();
     this.keepAliveSSE();
@@ -235,7 +237,23 @@ export class ChatComponent implements OnInit, OnDestroy {
   }
 
   private rebuildItems() {
-    this.items = this.magnetAds.buildItems(this.messages);
+    const fallback = (): ChatItem[] => this.messages.map(m => ({
+      kind: 'message',
+      message: m,
+      trackKey: `m-${m.id}`,
+    }));
+
+    try {
+      const built = this.magnetAds.buildItems(this.messages);
+      if (built.length === 0 && this.messages.length > 0) {
+        this.items = fallback();
+      } else {
+        this.items = built;
+      }
+    } catch (e) {
+      console.error('rebuildItems failed, falling back to plain messages:', e);
+      this.items = fallback();
+    }
   }
 
   async keepAliveSSE() {

From 4bf5dc5c5cd177ab6a61cdb4a70775ec5a393f03 Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 03:56:22 +0000
Subject: [PATCH 07/60] fix: revert chat template to original messages loop,
 inject ads inline
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous approach replaced the @for over messages with a @for over a
new ChatItem[] union type. That introduced a subtle regression where
messages stopped rendering for some users. Restore the original
@for (message of messages; track message) loop and inject the magnet ad
slot as a sibling <nb-list-item> right after each message that should
have an ad — driven by an adSlotsAfter Set<number> of message IDs.

Service no longer builds an items array; it returns the Set directly via
computeAdSlots(). The chat component owns adSlotsAfter and recomputes it
on every message-list mutation. If computation throws, the Set stays
empty and messages render unaffected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../channel/chat/chat.component.html          | 48 +++++--------
 .../components/channel/chat/chat.component.ts | 21 ++----
 .../src/app/services/magnet-ads.service.ts    | 67 +++++++------------
 3 files changed, 46 insertions(+), 90 deletions(-)

diff --git a/frontend/src/app/components/channel/chat/chat.component.html b/frontend/src/app/components/channel/chat/chat.component.html
index cb73787..df17641 100644
--- a/frontend/src/app/components/channel/chat/chat.component.html
+++ b/frontend/src/app/components/channel/chat/chat.component.html
@@ -23,39 +23,23 @@
       }
     </nb-list-item>
 
-    @if (items.length > 0) {
-      @for (item of items; track item.trackKey) {
-        @if (item.kind === 'message') {
-          <nb-list-item class="d-flex flex-column align-items-start">
-            <!-- last read indicator -->
-            @if (item.message.id === lastReadMessageId + 1) {
-            <div class="last-read-indicator">
-              <div class="line"></div>
-              <div class="last-read-indicator-text">לא נקראו</div>
-              <div class="line"></div>
-            </div>
-            }
-            <app-message class="overflow-auto" [message]="item.message" [id]="item.message.id"></app-message>
-          </nb-list-item>
-        } @else {
-          <nb-list-item class="d-flex flex-column align-items-stretch magnet-ad-item">
-            <app-magnet-ad-slot [slotKey]="item.trackKey"></app-magnet-ad-slot>
-          </nb-list-item>
-        }
-      }
-    } @else {
-      @for (message of messages; track message.id) {
-        <nb-list-item class="d-flex flex-column align-items-start">
-          @if (message.id === lastReadMessageId + 1) {
-          <div class="last-read-indicator">
-            <div class="line"></div>
-            <div class="last-read-indicator-text">לא נקראו</div>
-            <div class="line"></div>
-          </div>
-          }
-          <app-message class="overflow-auto" [message]="message" [id]="message.id"></app-message>
-        </nb-list-item>
+    @for (message of messages; track message) {
+    <nb-list-item class="d-flex flex-column align-items-start">
+      <!-- last read indicator -->
+      @if (message.id === lastReadMessageId + 1) {
+      <div class="last-read-indicator">
+        <div class="line"></div>
+        <div class="last-read-indicator-text">לא נקראו</div>
+        <div class="line"></div>
+      </div>
       }
+      <app-message class="overflow-auto" [message]="message" [id]="message.id"></app-message>
+    </nb-list-item>
+    @if (adSlotsAfter.has(message.id!)) {
+    <nb-list-item class="d-flex flex-column align-items-stretch magnet-ad-item">
+      <app-magnet-ad-slot [slotKey]="'ad-after-' + message.id"></app-magnet-ad-slot>
+    </nb-list-item>
+    }
     }
 
     @if (messages.length === 0) {
diff --git a/frontend/src/app/components/channel/chat/chat.component.ts b/frontend/src/app/components/channel/chat/chat.component.ts
index b864298..dac4c10 100644
--- a/frontend/src/app/components/channel/chat/chat.component.ts
+++ b/frontend/src/app/components/channel/chat/chat.component.ts
@@ -20,7 +20,7 @@ import { ActivatedRoute } from '@angular/router';
 import { NotificationsService } from '../../../services/notifications.service';
 import { User } from '../../../models/user.model';
 import { AdminService } from '../../../services/admin.service';
-import { ChatItem, MagnetAdsService } from '../../../services/magnet-ads.service';
+import { MagnetAdsService } from '../../../services/magnet-ads.service';
 
 type LoadMsgOpt = {
   scrollDown?: boolean;
@@ -56,7 +56,7 @@ type ScrollOpt = {
 export class ChatComponent implements OnInit, OnDestroy {
   private eventSource!: EventSource;
   messages: ChatMessage[] = [];
-  items: ChatItem[] = [];
+  adSlotsAfter: Set<number> = new Set();
   scheduledMessages!: ChatMessage[];
   hideScheduledMessages: boolean = false;
   userInfo?: User;
@@ -237,22 +237,11 @@ export class ChatComponent implements OnInit, OnDestroy {
   }
 
   private rebuildItems() {
-    const fallback = (): ChatItem[] => this.messages.map(m => ({
-      kind: 'message',
-      message: m,
-      trackKey: `m-${m.id}`,
-    }));
-
     try {
-      const built = this.magnetAds.buildItems(this.messages);
-      if (built.length === 0 && this.messages.length > 0) {
-        this.items = fallback();
-      } else {
-        this.items = built;
-      }
+      this.adSlotsAfter = this.magnetAds.computeAdSlots(this.messages);
     } catch (e) {
-      console.error('rebuildItems failed, falling back to plain messages:', e);
-      this.items = fallback();
+      console.error('computeAdSlots failed, ads will not be shown:', e);
+      this.adSlotsAfter = new Set();
     }
   }
 
diff --git a/frontend/src/app/services/magnet-ads.service.ts b/frontend/src/app/services/magnet-ads.service.ts
index e49eba8..8fabdc2 100644
--- a/frontend/src/app/services/magnet-ads.service.ts
+++ b/frontend/src/app/services/magnet-ads.service.ts
@@ -11,10 +11,6 @@ export interface MagnetSettings {
   minMessagesSinceLast: number;
 }
 
-export type ChatItem =
-  | { kind: 'message'; message: ChatMessage; trackKey: string }
-  | { kind: 'ad'; trackKey: string };
-
 @Injectable({ providedIn: 'root' })
 export class MagnetAdsService {
   private settings: MagnetSettings | null = null;
@@ -40,74 +36,63 @@ export class MagnetAdsService {
   }
 
   /**
-   * Build a list of chat items (messages + ad slots) for the chat component.
+   * Compute which message IDs should have an ad slot rendered after them.
    * Input: messages array as held in chat.component (newest at index 0).
-   * Output: items in the same order (newest first), with ad slots interleaved
-   * according to the configured rules. The list is rendered by a flex-column-reverse
-   * container, so ad slots appear visually between messages in chronological order.
+   * Output: a Set of message IDs. The chat template iterates messages and,
+   * for any message whose id is in this set, renders an <app-magnet-ad-slot>
+   * directly below it. The list is rendered by a flex-column-reverse
+   * container so the slots appear visually after the message in chronological
+   * reading order.
    */
-  buildItems(messages: ChatMessage[]): ChatItem[] {
-    if (!messages || messages.length === 0) return [];
+  computeAdSlots(messages: ChatMessage[]): Set<number> {
+    const result = new Set<number>();
+    if (!messages || messages.length === 0) return result;
 
     const s = this.settings;
-    if (!s || !s.enabled || !s.snippet?.trim()) {
-      return messages.map(m => ({
-        kind: 'message',
-        message: m,
-        trackKey: `m-${m.id}`,
-      } as ChatItem));
-    }
+    if (!s || !s.enabled || !s.snippet?.trim()) return result;
 
     const chrono = [...messages].reverse();
-    const out: ChatItem[] = [];
 
     if (s.mode === 'by_time') {
-      out.push(...this.buildByTime(chrono, s));
+      this.fillByTime(result, chrono, s);
     } else {
-      out.push(...this.buildByMessages(chrono, s));
+      this.fillByMessages(result, chrono, s);
     }
 
-    return out.reverse();
+    return result;
   }
 
-  private buildByMessages(chrono: ChatMessage[], s: MagnetSettings): ChatItem[] {
+  private fillByMessages(out: Set<number>, chrono: ChatMessage[], s: MagnetSettings): void {
     const per = Math.max(1, s.perMessages || 5);
     const minTime = Math.max(0, s.minTimeSeconds || 0);
-    const out: ChatItem[] = [];
 
     let countSinceLast = 0;
     let lastAdTime: number | null = null;
 
     for (const m of chrono) {
-      out.push({ kind: 'message', message: m, trackKey: `m-${m.id}` });
       countSinceLast++;
+      if (countSinceLast < per) continue;
 
-      if (countSinceLast >= per) {
-        const msgTime = this.toEpoch(m.timestamp);
-        const enoughTimePassed = !minTime || lastAdTime === null ||
-          (msgTime !== null && (msgTime - lastAdTime) >= minTime * 1000);
+      const msgTime = this.toEpoch(m.timestamp);
+      const enoughTimePassed = !minTime || lastAdTime === null ||
+        (msgTime !== null && (msgTime - lastAdTime) >= minTime * 1000);
 
-        if (enoughTimePassed) {
-          out.push({ kind: 'ad', trackKey: `ad-after-${m.id}` });
-          countSinceLast = 0;
-          if (msgTime !== null) lastAdTime = msgTime;
-        }
+      if (enoughTimePassed && m.id !== undefined && m.id !== null) {
+        out.add(m.id);
+        countSinceLast = 0;
+        if (msgTime !== null) lastAdTime = msgTime;
       }
     }
-
-    return out;
   }
 
-  private buildByTime(chrono: ChatMessage[], s: MagnetSettings): ChatItem[] {
+  private fillByTime(out: Set<number>, chrono: ChatMessage[], s: MagnetSettings): void {
     const per = Math.max(1, s.perSeconds || 60);
     const minMsgs = Math.max(0, s.minMessagesSinceLast || 0);
-    const out: ChatItem[] = [];
 
     let lastAdTime: number | null = null;
     let msgsSinceLast = 0;
 
     for (const m of chrono) {
-      out.push({ kind: 'message', message: m, trackKey: `m-${m.id}` });
       msgsSinceLast++;
 
       const msgTime = this.toEpoch(m.timestamp);
@@ -119,14 +104,12 @@ export class MagnetAdsService {
       }
 
       const elapsed = (msgTime - lastAdTime) / 1000;
-      if (elapsed >= per && msgsSinceLast >= minMsgs) {
-        out.push({ kind: 'ad', trackKey: `ad-after-${m.id}` });
+      if (elapsed >= per && msgsSinceLast >= minMsgs && m.id !== undefined && m.id !== null) {
+        out.add(m.id);
         lastAdTime = msgTime;
         msgsSinceLast = 0;
       }
     }
-
-    return out;
   }
 
   private toEpoch(ts: any): number | null {

From d753607e01926add087e36071641151d072ffab5 Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 04:30:50 +0000
Subject: [PATCH 08/60] fix: revert chat component to pre-magnet state to
 restore message rendering
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Despite restoring the @for messages template loop, deployed builds were
still rendering an empty chat list with no messages, no loading spinner,
and no "no messages" placeholder — a state inconsistent with what the
template should produce. To unblock users, fully revert chat.component.ts
and chat.component.html to the pre-magnet snapshot. The magnet ads
service, slot component, admin tab, and backend endpoints remain in
place; ad injection into the chat list will be re-introduced separately
once the regression is understood.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../channel/chat/chat.component.html          |  5 ----
 .../components/channel/chat/chat.component.ts | 25 +------------------
 2 files changed, 1 insertion(+), 29 deletions(-)

diff --git a/frontend/src/app/components/channel/chat/chat.component.html b/frontend/src/app/components/channel/chat/chat.component.html
index df17641..5ed82b7 100644
--- a/frontend/src/app/components/channel/chat/chat.component.html
+++ b/frontend/src/app/components/channel/chat/chat.component.html
@@ -35,11 +35,6 @@
       }
       <app-message class="overflow-auto" [message]="message" [id]="message.id"></app-message>
     </nb-list-item>
-    @if (adSlotsAfter.has(message.id!)) {
-    <nb-list-item class="d-flex flex-column align-items-stretch magnet-ad-item">
-      <app-magnet-ad-slot [slotKey]="'ad-after-' + message.id"></app-magnet-ad-slot>
-    </nb-list-item>
-    }
     }
 
     @if (messages.length === 0) {
diff --git a/frontend/src/app/components/channel/chat/chat.component.ts b/frontend/src/app/components/channel/chat/chat.component.ts
index dac4c10..5f6200d 100644
--- a/frontend/src/app/components/channel/chat/chat.component.ts
+++ b/frontend/src/app/components/channel/chat/chat.component.ts
@@ -12,7 +12,6 @@ import {
   NbToastrService
 } from "@nebular/theme";
 import { MessageComponent } from "./message/message.component";
-import { MagnetAdSlotComponent } from "./magnet-ad-slot/magnet-ad-slot.component";
 import { firstValueFrom, interval } from 'rxjs';
 import { ChatMessage, ChatService } from '../../../services/chat.service';
 import { AuthService } from '../../../services/auth.service';
@@ -20,7 +19,6 @@ import { ActivatedRoute } from '@angular/router';
 import { NotificationsService } from '../../../services/notifications.service';
 import { User } from '../../../models/user.model';
 import { AdminService } from '../../../services/admin.service';
-import { MagnetAdsService } from '../../../services/magnet-ads.service';
 
 type LoadMsgOpt = {
   scrollDown?: boolean;
@@ -47,8 +45,7 @@ type ScrollOpt = {
     NbButtonModule,
     NbListModule,
     NbBadgeModule,
-    MessageComponent,
-    MagnetAdSlotComponent
+    MessageComponent
   ],
   templateUrl: './chat.component.html',
   styleUrl: './chat.component.scss'
@@ -56,7 +53,6 @@ type ScrollOpt = {
 export class ChatComponent implements OnInit, OnDestroy {
   private eventSource!: EventSource;
   messages: ChatMessage[] = [];
-  adSlotsAfter: Set<number> = new Set();
   scheduledMessages!: ChatMessage[];
   hideScheduledMessages: boolean = false;
   userInfo?: User;
@@ -77,7 +73,6 @@ export class ChatComponent implements OnInit, OnDestroy {
     private _adminService: AdminService,
     private toastrService: NbToastrService,
     private notificationService: NotificationsService,
-    private magnetAds: MagnetAdsService,
     private zone: NgZone,
     private router: ActivatedRoute,
   ) {
@@ -136,10 +131,6 @@ export class ChatComponent implements OnInit, OnDestroy {
   ngOnInit() {
     this.chatService.getEmojisList(true);
 
-    this.magnetAds.loadSettings()
-      .catch(() => null)
-      .then(() => this.rebuildItems());
-
     this.initializeMessageListener();
     this.keepAliveSSE();
 
@@ -181,7 +172,6 @@ export class ChatComponent implements OnInit, OnDestroy {
           if (this.hasNewMessages) break;
           this.zone.run(() => {
             this.messages.unshift(message.message);
-            this.rebuildItems();
             this.thereNewMessages = !(message.message.author === this.userInfo?.username);
             this.setLastReadMessage(message.message.id!.toString());
             if (this.userInfo?.privileges?.['writer'] && this.scheduledMessages && message.message.author === "Scheduled") {
@@ -197,13 +187,11 @@ export class ChatComponent implements OnInit, OnDestroy {
                 this.messages[index].deleted = true;
                 this.messages[index].last_edit = message.message.last_edit;
               }
-              this.rebuildItems();
             });
             break;
           };
           this.zone.run(() => {
             this.messages = this.messages.filter(m => m.id !== message.message.id);
-            this.rebuildItems();
           });
           break;
         case 'edit-message':
@@ -215,7 +203,6 @@ export class ChatComponent implements OnInit, OnDestroy {
               // TOTO: Find the closest message to attach the retrieved message to
               //  const closestIndex = this.messages.reduce
             }
-            this.rebuildItems();
           });
           break;
         case 'reaction':
@@ -236,15 +223,6 @@ export class ChatComponent implements OnInit, OnDestroy {
     clearInterval(this.subLastHeartbeat);
   }
 
-  private rebuildItems() {
-    try {
-      this.adSlotsAfter = this.magnetAds.computeAdSlots(this.messages);
-    } catch (e) {
-      console.error('computeAdSlots failed, ads will not be shown:', e);
-      this.adSlotsAfter = new Set();
-    }
-  }
-
   async keepAliveSSE() {
     clearInterval(this.subLastHeartbeat);
     this.subLastHeartbeat = interval(10000)
@@ -335,7 +313,6 @@ export class ChatComponent implements OnInit, OnDestroy {
           this.hasOldMessages = response.length >= this.limit;
         }
         this.offset = Math.min(...this.messages.map(m => m.id!));
-        this.rebuildItems();
         setTimeout(() => {
           opt.messageId && this.scrollToId({ messageId: opt.messageId, smooth: false, mark: opt.mark });
         }, 300);

From 85505a0c71652f59ab361acd5539fd506d053251 Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 04:38:11 +0000
Subject: [PATCH 09/60] test: re-add MagnetAdsService injection without
 template changes

Step 1 of incremental re-introduction: add the MagnetAdsService
injection, the adSlotsAfter Set, the rebuildItems() helper, and the
ngOnInit loadSettings() call. The template is left unchanged from the
known-working revert. If the chat still renders, we know the regression
came from the template @if injection rather than the service wiring.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../components/channel/chat/chat.component.ts   | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/frontend/src/app/components/channel/chat/chat.component.ts b/frontend/src/app/components/channel/chat/chat.component.ts
index 5f6200d..dbada67 100644
--- a/frontend/src/app/components/channel/chat/chat.component.ts
+++ b/frontend/src/app/components/channel/chat/chat.component.ts
@@ -19,6 +19,7 @@ import { ActivatedRoute } from '@angular/router';
 import { NotificationsService } from '../../../services/notifications.service';
 import { User } from '../../../models/user.model';
 import { AdminService } from '../../../services/admin.service';
+import { MagnetAdsService } from '../../../services/magnet-ads.service';
 
 type LoadMsgOpt = {
   scrollDown?: boolean;
@@ -53,6 +54,7 @@ type ScrollOpt = {
 export class ChatComponent implements OnInit, OnDestroy {
   private eventSource!: EventSource;
   messages: ChatMessage[] = [];
+  adSlotsAfter: Set<number> = new Set();
   scheduledMessages!: ChatMessage[];
   hideScheduledMessages: boolean = false;
   userInfo?: User;
@@ -73,6 +75,7 @@ export class ChatComponent implements OnInit, OnDestroy {
     private _adminService: AdminService,
     private toastrService: NbToastrService,
     private notificationService: NotificationsService,
+    private magnetAds: MagnetAdsService,
     private zone: NgZone,
     private router: ActivatedRoute,
   ) {
@@ -131,6 +134,10 @@ export class ChatComponent implements OnInit, OnDestroy {
   ngOnInit() {
     this.chatService.getEmojisList(true);
 
+    this.magnetAds.loadSettings()
+      .catch(() => null)
+      .then(() => this.rebuildItems());
+
     this.initializeMessageListener();
     this.keepAliveSSE();
 
@@ -223,6 +230,15 @@ export class ChatComponent implements OnInit, OnDestroy {
     clearInterval(this.subLastHeartbeat);
   }
 
+  private rebuildItems() {
+    try {
+      this.adSlotsAfter = this.magnetAds.computeAdSlots(this.messages);
+    } catch (e) {
+      console.error('computeAdSlots failed, ads will not be shown:', e);
+      this.adSlotsAfter = new Set();
+    }
+  }
+
   async keepAliveSSE() {
     clearInterval(this.subLastHeartbeat);
     this.subLastHeartbeat = interval(10000)
@@ -313,6 +329,7 @@ export class ChatComponent implements OnInit, OnDestroy {
           this.hasOldMessages = response.length >= this.limit;
         }
         this.offset = Math.min(...this.messages.map(m => m.id!));
+        this.rebuildItems();
         setTimeout(() => {
           opt.messageId && this.scrollToId({ messageId: opt.messageId, smooth: false, mark: opt.mark });
         }, 300);

From ad7052d0b875fc8a31e4fdbb9a0ebf35bc4ffa9a Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 04:44:36 +0000
Subject: [PATCH 10/60] test: add @if ad-slot block in template with plain div
 placeholder

Step 2 of incremental re-introduction: add the @if (adSlotsAfter.has(...))
template block, but render a plain <div> placeholder instead of the real
<app-magnet-ad-slot> component. If messages still render with this in
place, the regression was tied to the magnet-ad-slot component (DI,
ngAfterViewInit, IntersectionObserver, etc.) rather than to the @if
template structure itself.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 frontend/src/app/components/channel/chat/chat.component.html | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/frontend/src/app/components/channel/chat/chat.component.html b/frontend/src/app/components/channel/chat/chat.component.html
index 5ed82b7..9319fb4 100644
--- a/frontend/src/app/components/channel/chat/chat.component.html
+++ b/frontend/src/app/components/channel/chat/chat.component.html
@@ -35,6 +35,11 @@
       }
       <app-message class="overflow-auto" [message]="message" [id]="message.id"></app-message>
     </nb-list-item>
+    @if (adSlotsAfter.has(message.id!)) {
+    <nb-list-item class="d-flex flex-column align-items-stretch magnet-ad-item">
+      <div data-magnet-placeholder>magnet ad placeholder</div>
+    </nb-list-item>
+    }
     }
 
     @if (messages.length === 0) {

From 289756e329daf9ac3b957f5a4d2b70530ac888a2 Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 04:48:55 +0000
Subject: [PATCH 11/60] test: nest @if inside the existing <nb-list-item>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Step 3 of incremental re-introduction: instead of adding a sibling
<nb-list-item> after the message item, place the ad placeholder inside
the same <nb-list-item> as the message. This avoids creating a second
projected list-item child of <nb-list> via @if, which appears to be
what blocks rendering — Nebular's <nb-list> may rely on a content-child
query that does not survive a conditional second item.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../app/components/channel/chat/chat.component.html    | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/frontend/src/app/components/channel/chat/chat.component.html b/frontend/src/app/components/channel/chat/chat.component.html
index 9319fb4..521afc1 100644
--- a/frontend/src/app/components/channel/chat/chat.component.html
+++ b/frontend/src/app/components/channel/chat/chat.component.html
@@ -34,12 +34,12 @@
       </div>
       }
       <app-message class="overflow-auto" [message]="message" [id]="message.id"></app-message>
+      @if (adSlotsAfter.has(message.id!)) {
+      <div class="magnet-ad-item">
+        <div data-magnet-placeholder>magnet ad placeholder</div>
+      </div>
+      }
     </nb-list-item>
-    @if (adSlotsAfter.has(message.id!)) {
-    <nb-list-item class="d-flex flex-column align-items-stretch magnet-ad-item">
-      <div data-magnet-placeholder>magnet ad placeholder</div>
-    </nb-list-item>
-    }
     }
 
     @if (messages.length === 0) {

From d6c47af0f0e05df893b7e91b8d0ec8263edeb2db Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 04:54:02 +0000
Subject: [PATCH 12/60] feat: re-enable magnet ad slot rendering inside the
 chat list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Now that the regression is understood (creating a sibling <nb-list-item>
via @if inside @for breaks Nebular's <nb-list> rendering), wire the real
<app-magnet-ad-slot> component back in — but place it inside the
existing <nb-list-item> rather than as a sibling. This keeps every
iteration of @for producing exactly one <nb-list-item>, which is what
<nb-list> expects.

Also re-add MagnetAdSlotComponent to ChatComponent's imports.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 frontend/src/app/components/channel/chat/chat.component.html | 2 +-
 frontend/src/app/components/channel/chat/chat.component.ts   | 4 +++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/frontend/src/app/components/channel/chat/chat.component.html b/frontend/src/app/components/channel/chat/chat.component.html
index 521afc1..4024d1c 100644
--- a/frontend/src/app/components/channel/chat/chat.component.html
+++ b/frontend/src/app/components/channel/chat/chat.component.html
@@ -36,7 +36,7 @@
       <app-message class="overflow-auto" [message]="message" [id]="message.id"></app-message>
       @if (adSlotsAfter.has(message.id!)) {
       <div class="magnet-ad-item">
-        <div data-magnet-placeholder>magnet ad placeholder</div>
+        <app-magnet-ad-slot [slotKey]="'ad-after-' + message.id"></app-magnet-ad-slot>
       </div>
       }
     </nb-list-item>
diff --git a/frontend/src/app/components/channel/chat/chat.component.ts b/frontend/src/app/components/channel/chat/chat.component.ts
index dbada67..32f391b 100644
--- a/frontend/src/app/components/channel/chat/chat.component.ts
+++ b/frontend/src/app/components/channel/chat/chat.component.ts
@@ -12,6 +12,7 @@ import {
   NbToastrService
 } from "@nebular/theme";
 import { MessageComponent } from "./message/message.component";
+import { MagnetAdSlotComponent } from "./magnet-ad-slot/magnet-ad-slot.component";
 import { firstValueFrom, interval } from 'rxjs';
 import { ChatMessage, ChatService } from '../../../services/chat.service';
 import { AuthService } from '../../../services/auth.service';
@@ -46,7 +47,8 @@ type ScrollOpt = {
     NbButtonModule,
     NbListModule,
     NbBadgeModule,
-    MessageComponent
+    MessageComponent,
+    MagnetAdSlotComponent
   ],
   templateUrl: './chat.component.html',
   styleUrl: './chat.component.scss'

From 632210e0a98b0581f5ed4f800df1f3244604cefa Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 05:00:14 +0000
Subject: [PATCH 13/60] feat: render magnet ad inside an admin-style message
 bubble
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Wrap the magnet ad slot in the same visual structure as a regular admin
message: channel logo on the side, channel name + 'פרסומת' label
above, and the embed itself rendered inside the same .message-card
bubble used for chat messages. Inject ChatService into the slot
component to read channelInfo for the logo and name.

The collapsed state now toggles a CSS class on the wrapper (display:
none) instead of rebuilding the DOM, which keeps the #host ViewChild
stable across renders.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../magnet-ad-slot.component.html             | 20 ++++++++++++++++++-
 .../magnet-ad-slot.component.scss             | 14 +++++++++----
 .../magnet-ad-slot.component.ts               |  8 +++++++-
 3 files changed, 36 insertions(+), 6 deletions(-)

diff --git a/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.html b/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.html
index 7372252..3581101 100644
--- a/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.html
+++ b/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.html
@@ -1 +1,19 @@
-<div #host class="magnet-ad-host" [class.collapsed]="collapsed" [attr.data-slot]="slotKey"></div>
+<div class="d-flex flex-row align-content-center my-1 mx-4 magnet-ad-message" [class.collapsed]="collapsed">
+  <div class="d-flex flex-column">
+    <nb-user class="pt-4" [shape]="'round'" [color]="'white'" [size]="'large'"
+      [picture]="chatService.channelInfo?.logoUrl || ''"
+      [name]="chatService.channelInfo?.name || ''"
+      onlyPicture></nb-user>
+  </div>
+  <div class="d-flex flex-column gap-1 overflow-auto">
+    <div class="d-flex flex-row gap-2 pe-1">
+      <strong class="text-black-50">{{ chatService.channelInfo?.name || '' }}</strong>
+      <small class="text-black-50">פרסומת</small>
+    </div>
+    <div class="d-flex flex-column bg-light rounded-4 border fs-5 lh-base message-card magnet-ad-card">
+      <div class="m-2">
+        <div #host class="magnet-ad-host" [attr.data-slot]="slotKey"></div>
+      </div>
+    </div>
+  </div>
+</div>
diff --git a/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.scss b/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.scss
index 90da96a..30a043e 100644
--- a/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.scss
+++ b/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.scss
@@ -3,15 +3,21 @@
   width: 100%;
 }
 
+.magnet-ad-message {
+  &.collapsed {
+    display: none !important;
+  }
+}
+
+.magnet-ad-card {
+  max-width: 80vw;
+}
+
 .magnet-ad-host {
   display: block;
   width: 100%;
   min-height: 1px;
 
-  &.collapsed {
-    display: none;
-  }
-
   ::ng-deep .magnet-ad-content {
     display: block;
     width: 100%;
diff --git a/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.ts b/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.ts
index 4a76045..5d6f301 100644
--- a/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.ts
+++ b/frontend/src/app/components/channel/chat/magnet-ad-slot/magnet-ad-slot.component.ts
@@ -6,11 +6,14 @@ import {
   OnDestroy,
   ViewChild,
 } from '@angular/core';
+import { NbUserModule } from '@nebular/theme';
 import { MagnetAdsService } from '../../../../services/magnet-ads.service';
+import { ChatService } from '../../../../services/chat.service';
 
 @Component({
   selector: 'app-magnet-ad-slot',
   standalone: true,
+  imports: [NbUserModule],
   templateUrl: './magnet-ad-slot.component.html',
   styleUrl: './magnet-ad-slot.component.scss',
 })
@@ -24,7 +27,10 @@ export class MagnetAdSlotComponent implements AfterViewInit, OnDestroy {
   private collapseTimer?: any;
   collapsed = false;
 
-  constructor(private magnet: MagnetAdsService) {}
+  constructor(
+    private magnet: MagnetAdsService,
+    public chatService: ChatService,
+  ) {}
 
   ngAfterViewInit(): void {
     if (typeof IntersectionObserver === 'undefined') {

From 7d933ec68667559c0bf8bbf74a7b58b4cf4dcfb5 Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 05:02:50 +0000
Subject: [PATCH 14/60] feat: add analytics tag injection into <head>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add a new "אנליטיקס וטראקינג" category in the admin settings UI with a
textarea field for pasting any HTML/JS analytics snippet (Google
Analytics, GTM, Meta Pixel, etc.). The backend stores it under the
analytics_head settings key and serveSpaFile injects it into the
served index.html immediately before the closing </head> tag, so the
snippet runs on every page load.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 backend/main.go                                   |  4 ++++
 backend/settings.go                               |  4 ++++
 .../components/admin/settings/settings.schema.ts  | 15 +++++++++++++++
 3 files changed, 23 insertions(+)

diff --git a/backend/main.go b/backend/main.go
index 956364a..d298506 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -137,6 +137,10 @@ func serveSpaFile(w http.ResponseWriter, r *http.Request) {
 		content = bytes.ReplaceAll(content, []byte("<title></title>"), []byte(settingConfig.CustomTitle))
 	}
 
+	if settingConfig.AnalyticsHead != "" {
+		content = bytes.Replace(content, []byte("</head>"), []byte(settingConfig.AnalyticsHead+"</head>"), 1)
+	}
+
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	w.Write(content)
 }
diff --git a/backend/settings.go b/backend/settings.go
index aae2e46..71389f0 100644
--- a/backend/settings.go
+++ b/backend/settings.go
@@ -49,6 +49,7 @@ type SettingConfig struct {
 	MagnetPerSeconds        int64
 	MagnetMinMessagesSince  int64
 	MagnetApiKey            string
+	AnalyticsHead           string
 }
 
 type Setting struct {
@@ -218,6 +219,9 @@ func (s *Settings) ToConfig() *SettingConfig {
 
 		case "magnet_api_key":
 			config.MagnetApiKey = setting.GetString()
+
+		case "analytics_head":
+			config.AnalyticsHead = setting.GetString()
 		}
 	}
 
diff --git a/frontend/src/app/components/admin/settings/settings.schema.ts b/frontend/src/app/components/admin/settings/settings.schema.ts
index 56b7897..c2e2c82 100644
--- a/frontend/src/app/components/admin/settings/settings.schema.ts
+++ b/frontend/src/app/components/admin/settings/settings.schema.ts
@@ -48,6 +48,21 @@ export const SETTINGS_SCHEMA: SettingsCategorySchema[] = [
       },
     ],
   },
+  {
+    id: 'analytics',
+    title: 'אנליטיקס וטראקינג',
+    icon: 'activity-outline',
+    description: 'קוד שיוטמע בתוך תגית <head> בכל עמוד באתר. מתאים לתגיות Google Analytics, Google Tag Manager, Meta Pixel וכדומה.',
+    fields: [
+      {
+        key: 'analytics_head',
+        label: 'קוד אנליטיקס להטמעה ב-<head>',
+        description: 'הדביקו כאן את כל קטע ה-HTML/JS שקיבלתם משירות האנליטיקס (כולל תגיות <script>). הקוד יוזרק כמו שהוא לתוך <head> של כל עמוד.',
+        type: 'textarea',
+        placeholder: '<!-- Google tag (gtag.js) -->\n<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>\n<script>\n  window.dataLayer = window.dataLayer || [];\n  function gtag(){dataLayer.push(arguments);}\n  gtag(\'js\', new Date());\n  gtag(\'config\', \'G-XXXXXXX\');\n</script>',
+      },
+    ],
+  },
   {
     id: 'auth',
     title: 'הזדהות ואבטחה',

From 071e50bee4ac8d909facb6fb3396026505d1c83b Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 05:17:53 +0000
Subject: [PATCH 15/60] docs: document UI redesign, magnet ads, analytics tag,
 and new endpoints

Update SET.md with the changes introduced over this work session:
- The new visual settings UI with categorized cards.
- The analytics_head setting and its head injection.
- The full Magnet ad integration (frequency rules, lazy loading, ad
  bubble rendering, stats panel) and the architectural note about why
  ads are nested inside the existing <nb-list-item> rather than as
  siblings.
- The new /api/ads/magnet and /api/admin/magnet/stats endpoints.
- A complete refreshed settings table including all magnet_* keys and
  analytics_head.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 SET.md | 84 +++++++++++++++++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 81 insertions(+), 3 deletions(-)

diff --git a/SET.md b/SET.md
index 63d9d02..360afa1 100644
--- a/SET.md
+++ b/SET.md
@@ -148,6 +148,69 @@ POST https://example.com/api/import/post
 |`fcm_json_universe_domain`|
 
 
+## ממשק ניהול ההגדרות (UI חזותי)
+ממשק ההגדרות עוצב מחדש לתצוגה חזותית מסודרת במקום טבלת key/value. ההגדרות מחולקות לקטגוריות בכרטיסים נפרדים, כל הגדרה מוצגת עם תווית והסבר בעברית, ולכל סוג שדה רכיב מתאים:
+* בוליאנים מוצגים כ-toggle (כן/לא).
+* שדות מספריים, טקסט, סיסמה ו-URL מקבלים רכיבים מתאימים.
+* שדות ארוכים (כגון snippets ו-private keys) מוצגים כ-textarea.
+* שדות התלויים בהפעלת תכונה ראשית (כגון FCM) מסתתרים אוטומטית כשהתכונה מכובה.
+
+הקטגוריות הקיימות:
+* כללי
+* אנליטיקס וטראקינג
+* הזדהות ואבטחה
+* מונה צפיות
+* פרסומות (iframe סטטי בצד הערוץ)
+* וובהוק
+* התראות דחיפה (FCM)
+* חשבון שירות FCM (Service Account) - כולל אפשרות הדבקת קובץ JSON שלם עם פיצול אוטומטי לכל השדות
+* החלפות טקסט אוטומטיות (רשימה דינמית של כללי regex עם שדות תבנית והחלפה נפרדים)
+* הגדרות מתקדמות / מותאמות אישית (אזור מתקפל בתחתית עם הטבלה הישנה של key/value חופשי, לטובת הגדרות שאינן בסכמת ה-UI)
+
+תחת המכסה, השמירה ממירה את הכל בחזרה למבנה ה-API הקיים `[{key, value}]` כך שאין שינוי בהיסט ה-Redis (`settings:list`).
+
+## תג אנליטיקס בראש האתר
+ניתן להזין כל קוד HTML/JS של שירות אנליטיקס (לדוגמא Google Analytics gtag.js, Google Tag Manager, Meta Pixel וכו') תחת ההגדרה:
+`analytics_head`
+
+הקוד יוזרק על ידי השרת לתוך תגית `<head>` של ה-`index.html` בכל בקשת עמוד SPA. ההזרקה מתבצעת בצד השרת לפני שהדפדפן מקבל את ה-HTML, כך שהקוד פועל מהרגע הראשון.
+
+## שילוב פרסומות ממגנט (Magnet)
+Magnet היא פלטפורמת פרסומות חיצונית. ניתן לשלב פרסומות שלה כהודעות בתוך הערוץ. הניהול דרך לשונית ייעודית בממשק הניהול: **שילוב פרסומות ממגנט**.
+
+### זרימה ועקרונות
+* הפרסומת מוטמעת כקוד embed (HTML/JS) שמספקת מגנט.
+* כל פרסומת מתרנדרת רק כשהגולש גולל אליה (`IntersectionObserver` עם `rootMargin: 200px`), כך שהקריאה לשרת מגנט מתבצעת בזמן אמת לכל גולש בנפרד.
+* כל טעינה מחדש של הסלוט מבצעת קריאה חדשה — כל גולש יכול לקבל פרסומת אחרת ובכל גלילה גם אותה גולש יכול לראות פרסומת אחרת.
+* אם בתוך 5 שניות מההזרקה הסלוט נשאר ריק (אין DOM/אין גובה), הוא מתקפל אוטומטית (`display: none`) — נופל בשקט לכלום במקום להציג אזור ריק.
+* הפרסומת מתרנדרת בתוך בועת הודעה כמו הודעת מנהל רגילה (לוגו הערוץ + שם + תווית "פרסומת" + הקוד המוטמע בתוך `.message-card`).
+
+### תדירות הצגה
+שני מצבים בלעדיים, נבחרים דרך ה-UI:
+
+**מצב א' — לפי כמות הודעות (`magnet_mode=by_messages`)**
+* `magnet_per_messages` — הצגת פרסומת כל X הודעות (לדוגמא 5 = פרסומת אחרי כל 5 הודעות).
+* `magnet_min_time_seconds` — החרגה: גם אם עברו X הודעות, אם הפרסומת הקודמת הוצגה לפני פחות מהזמן הזה - לא תוצג שוב. 0 לביטול.
+
+**מצב ב' — לפי זמן (`magnet_mode=by_time`)**
+* `magnet_per_seconds` — הצגת פרסומת כל X שניות (לפי הפרשי הזמנים בין ההודעות).
+* `magnet_min_messages_since` — החרגה: גם אם עבר הזמן, אם לא נוספו לפחות X הודעות חדשות מאז הפרסומת הקודמת - לא תוצג שוב. 0 לביטול.
+
+### נתוני הקלקות ותגמולים
+בלשונית מגנט קיים כרטיס ייעודי לצפייה בנתוני הקלקות ותגמולים בזמן אמת ממגנט.
+* יש להזין `magnet_api_key` (publisher key שמתקבל ממגנט) ולשמור.
+* כפתור **הצג נתוני הקלקות ותגמולים** טוען את הנתונים. הקריאה למגנט מתבצעת מצד השרת בלבד דרך endpoint מוגן `GET /api/admin/magnet/stats` כך שה-API key לא נחשף לדפדפן.
+* כפתור **רענן** מבצע קריאה חדשה (מגנט שומר תוצאות במטמון לכ-30 שניות).
+* התצוגה כוללת: דומיין האתר, כמות הקלקות (היום / שבוע / חודש), ותגמולים (היום / שבוע / חודש) בפורמט מטבע.
+* "היום" מתחיל מ-00:00 שעון ישראל. "שבוע"/"חודש" = 7/30 ימים אחורה.
+* רק הקלקות מאושרות לתשלום נספרות. הסכומים נטו, ללא מע"מ.
+
+ה-endpoint שמגנט חושף:
+`GET https://rucltqmtefvlrjhbedqu.supabase.co/functions/v1/publisher-stats?k=YOUR_API_KEY`
+
+### הערה ארכיטקטורית
+ה-injection של פרסומות לתוך רשימת הצ'אט נעשה ע"י תוספת בתוך ה-`<nb-list-item>` של ההודעה (לא יצירת `<nb-list-item>` שני בכל iteration), כדי לא לשבור את ה-content children של `<nb-list>` של Nebular. ה-component `chat.component` שומר על `Set<number>` של ה-IDs של ההודעות שאחריהן יש להציג פרסומת, ומחשב מחדש את ה-Set בכל שינוי ב-`messages` (טעינה ראשונית, scroll, SSE).
+
 ## ריכוז הגדרות בממשק ניהול
 |setting        |value | הסבר |
 |---------------|------|------|
@@ -156,11 +219,26 @@ POST https://example.com/api/import/post
 |`api_secret_key`|`1`|מפתח עבור יבוא הודעות באמצעות API|
 |`webhook_url`|`https://example.com/webhook`|כתובת לשליחת וובהוק|
 |`webhook_verify_token`|`your-secret-token`|טוקן לשליחה יחד עם וובהוק|
-|`ad-iframe-src`| |קישור HTML להטמעת פרסומת|
-|`ad-iframe-width`|`300`|רוחב פרסום|
+|`ad-iframe-src`| |קישור HTML להטמעת פרסומת בעמודה הצידית|
+|`ad-iframe-width`|`300`|רוחב פרסום בעמודה הצידית|
 |`count_views`|`1`|הפעלת מונה צפיות פר הודעה|
 |`regex-replace`|`(.*?\!)(.*)#**$1**$2`|ערך של רגקס והחלפה בכדי ליצור החלפות אוטומטיות לטקסטים|
 |`on_notification`|`1`|הפעלת התראות דחיפה|
 |`max_file_size`|`50`|הגבלת משקל קבצים|
 |`custom_title`||title מותאם אישית|
-|`contact_us`|url|הפעלת כפתור צור קשר|
\ No newline at end of file
+|`contact_us`|url|הפעלת כפתור צור קשר|
+|`analytics_head`|`<script>...</script>`|קוד אנליטיקס שיוזרק לתוך תגית `<head>` של כל עמוד|
+|`magnet_enabled`|`1`|הפעלת שילוב פרסומות ממגנט בערוץ|
+|`magnet_snippet`|`<script>...</script>`|קוד הטמעה (HTML/JS) שהתקבל ממגנט|
+|`magnet_mode`|`by_messages` / `by_time`|שיטת תזמון הצגת פרסומות|
+|`magnet_per_messages`|`5`|בתזמון לפי הודעות: כל כמה הודעות להציג פרסומת|
+|`magnet_min_time_seconds`|`0`|בתזמון לפי הודעות: זמן מינימום בשניות בין פרסומות (0 = ללא החרגה)|
+|`magnet_per_seconds`|`60`|בתזמון לפי זמן: כל כמה שניות להציג פרסומת|
+|`magnet_min_messages_since`|`0`|בתזמון לפי זמן: מינימום הודעות חדשות מאז הפרסומת הקודמת (0 = ללא החרגה)|
+|`magnet_api_key`|`d8059fc0-...`|מפתח API של מגנט לשליפת נתוני הקלקות ותגמולים|
+
+## API endpoints נוספים שנוספו
+| Method | Path | הסבר |
+|--------|------|------|
+|GET|`/api/ads/magnet`|מחזיר את הגדרות מגנט הציבוריות (snippet, mode, thresholds) לקליינט. ה-snippet מוחזר רק כש-`magnet_enabled=1`. `magnet_api_key` לעולם לא מוחזר.|
+|GET|`/api/admin/magnet/stats`|Admin protected. עושה proxy ל-publisher-stats של מגנט עם ה-API key מההגדרות, כך שה-key לא נחשף לדפדפן.|
\ No newline at end of file

From edc724e764cda9d0acbd463ef9e4af03b3e0227e Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Thu, 7 May 2026 05:21:09 +0000
Subject: [PATCH 16/60] chore: trigger redeploy

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

From 6d55d7d556b6a904565d634ff27136ccc541fb45 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 17 May 2026 17:45:37 +0000
Subject: [PATCH 17/60] Add multi-tenant role system and channel management
 foundation

- Rewrite privileges.go with new GlobalRole/ChannelRole system (SuperAdmin, Owner, Moderator, Writer)
- Add channels.go with ChannelData, ChannelFeatures, and channel CRUD handlers
- Add channelMiddleware to inject channel into request context
- Channel owners can manage their users; super admin controls everything

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 backend/channels.go   | 399 ++++++++++++++++++++++++++++++++++++++++++
 backend/privileges.go | 110 +++++++++---
 2 files changed, 482 insertions(+), 27 deletions(-)
 create mode 100644 backend/channels.go

diff --git a/backend/channels.go b/backend/channels.go
new file mode 100644
index 0000000..36a64cc
--- /dev/null
+++ b/backend/channels.go
@@ -0,0 +1,399 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"regexp"
+	"time"
+
+	"github.com/go-chi/chi"
+	"github.com/redis/go-redis/v9"
+)
+
+type ChannelFeatures struct {
+	Reactions         bool `json:"reactions"`
+	FileUploads       bool `json:"fileUploads"`
+	Reports           bool `json:"reports"`
+	Ads               bool `json:"ads"`
+	Notifications     bool `json:"notifications"`
+	RequireAuth       bool `json:"requireAuth"`
+	RequireAuthFiles  bool `json:"requireAuthFiles"`
+	CountViews        bool `json:"countViews"`
+	ScheduledMessages bool `json:"scheduledMessages"`
+	Webhook           bool `json:"webhook"`
+}
+
+type ChannelData struct {
+	Slug        string          `json:"slug"`
+	Name        string          `json:"name"`
+	Description string          `json:"description"`
+	LogoUrl     string          `json:"logoUrl"`
+	OwnerEmail  string          `json:"ownerEmail"`
+	CreatedAt   time.Time       `json:"createdAt"`
+	Features    ChannelFeatures `json:"features"`
+	ContactUs   string          `json:"contactUs"`
+}
+
+type ctxKey string
+
+const channelCtxKey ctxKey = "channel"
+
+var slugRegex = regexp.MustCompile(`^[a-z0-9][a-z0-9\-]{1,48}[a-z0-9]$`)
+
+func channelMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		slug := chi.URLParam(r, "slug")
+		ctx := r.Context()
+
+		channel, err := dbGetChannel(ctx, slug)
+		if err != nil {
+			if err == redis.Nil {
+				http.Error(w, "Channel not found", http.StatusNotFound)
+			} else {
+				http.Error(w, "error", http.StatusInternalServerError)
+			}
+			return
+		}
+
+		ctx = context.WithValue(ctx, channelCtxKey, channel)
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+func channelFromCtx(r *http.Request) *ChannelData {
+	v := r.Context().Value(channelCtxKey)
+	if v == nil {
+		return nil
+	}
+	return v.(*ChannelData)
+}
+
+func channelSlugFromCtx(r *http.Request) string {
+	ch := channelFromCtx(r)
+	if ch == nil {
+		return ""
+	}
+	return ch.Slug
+}
+
+// channelIfRequireAuth middleware
+func channelIfRequireAuth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ch := channelFromCtx(r)
+		if ch != nil && ch.Features.RequireAuth {
+			checkLogin(next).ServeHTTP(w, r)
+		} else {
+			next.ServeHTTP(w, r)
+		}
+	})
+}
+
+// Super admin: list all channels
+func listChannels(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	channels, err := dbListChannels(ctx)
+	if err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(channels)
+}
+
+// Super admin: create channel
+func createChannel(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	var req struct {
+		Slug       string `json:"slug"`
+		Name       string `json:"name"`
+		OwnerEmail string `json:"ownerEmail"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+	defer r.Body.Close()
+
+	if !slugRegex.MatchString(req.Slug) {
+		http.Error(w, "Invalid slug: use lowercase letters, numbers, hyphens (min 3 chars)", http.StatusBadRequest)
+		return
+	}
+
+	exists, err := dbChannelExists(ctx, req.Slug)
+	if err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+	if exists {
+		http.Error(w, "Channel already exists", http.StatusConflict)
+		return
+	}
+
+	channel := &ChannelData{
+		Slug:       req.Slug,
+		Name:       req.Name,
+		OwnerEmail: req.OwnerEmail,
+		CreatedAt:  time.Now(),
+		Features: ChannelFeatures{
+			Reactions:         true,
+			FileUploads:       true,
+			Reports:           true,
+			ScheduledMessages: true,
+		},
+	}
+
+	if err := dbCreateChannel(ctx, channel); err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	if req.OwnerEmail != "" {
+		dbAssignChannelRole(ctx, req.OwnerEmail, req.Slug, RoleOwner)
+		initializePrivilegeUsers()
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(channel)
+}
+
+// Super admin: delete channel
+func deleteChannel(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	slug := chi.URLParam(r, "slug")
+
+	if err := dbDeleteChannel(ctx, slug); err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(Response{Success: true})
+}
+
+// Super admin: update channel features
+func updateChannelFeatures(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	slug := chi.URLParam(r, "slug")
+
+	var features ChannelFeatures
+	if err := json.NewDecoder(r.Body).Decode(&features); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+	defer r.Body.Close()
+
+	if err := dbSetChannelFeatures(ctx, slug, &features); err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(Response{Success: true})
+}
+
+// Super admin: get channel (including features)
+func getSuperAdminChannel(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	slug := chi.URLParam(r, "slug")
+	channel, err := dbGetChannel(ctx, slug)
+	if err != nil {
+		http.Error(w, "Channel not found", http.StatusNotFound)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(channel)
+}
+
+// Super admin: set channel users
+func superAdminSetChannelUsers(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	slug := chi.URLParam(r, "slug")
+
+	var req struct {
+		Users []struct {
+			Email string      `json:"email"`
+			Role  ChannelRole `json:"role"`
+		} `json:"users"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+	defer r.Body.Close()
+
+	users, err := dbGetUsersList(ctx)
+	if err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	userMap := make(map[string]int)
+	for i, u := range users {
+		userMap[u.Email] = i
+	}
+
+	for _, ru := range req.Users {
+		if i, exists := userMap[ru.Email]; exists {
+			if users[i].ChannelRoles == nil {
+				users[i].ChannelRoles = make(map[string]ChannelRole)
+			}
+			if ru.Role == "" {
+				delete(users[i].ChannelRoles, slug)
+			} else {
+				users[i].ChannelRoles[slug] = ru.Role
+			}
+		} else if ru.Role != "" {
+			users = append(users, User{
+				Email:        ru.Email,
+				ChannelRoles: map[string]ChannelRole{slug: ru.Role},
+			})
+		}
+	}
+
+	if err := dbSetUsersList(ctx, users); err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+	initializePrivilegeUsers()
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(Response{Success: true})
+}
+
+// Super admin: get channel users
+func superAdminGetChannelUsers(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	slug := chi.URLParam(r, "slug")
+
+	users, err := dbGetUsersList(ctx)
+	if err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	type ChannelUser struct {
+		Email string      `json:"email"`
+		Role  ChannelRole `json:"role"`
+	}
+
+	var channelUsers []ChannelUser
+	for _, u := range users {
+		if u.ChannelRoles != nil {
+			if role, exists := u.ChannelRoles[slug]; exists {
+				channelUsers = append(channelUsers, ChannelUser{Email: u.Email, Role: role})
+			}
+		}
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(channelUsers)
+}
+
+// Channel owner: get channel users (for this channel only)
+func getChannelUsers(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	slug := channelSlugFromCtx(r)
+
+	users, err := dbGetUsersList(ctx)
+	if err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	type ChannelUser struct {
+		Email string      `json:"email"`
+		Role  ChannelRole `json:"role"`
+	}
+
+	var channelUsers []ChannelUser
+	for _, u := range users {
+		if u.ChannelRoles != nil {
+			if role, exists := u.ChannelRoles[slug]; exists {
+				channelUsers = append(channelUsers, ChannelUser{Email: u.Email, Role: role})
+			}
+		}
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(channelUsers)
+}
+
+// Channel owner: set channel users (cannot assign owner role)
+func setChannelUsers(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	slug := channelSlugFromCtx(r)
+
+	var req struct {
+		Users []struct {
+			Email string      `json:"email"`
+			Role  ChannelRole `json:"role"`
+		} `json:"users"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+	defer r.Body.Close()
+
+	users, err := dbGetUsersList(ctx)
+	if err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	userMap := make(map[string]int)
+	for i, u := range users {
+		userMap[u.Email] = i
+	}
+
+	for _, ru := range req.Users {
+		if ru.Role == RoleOwner {
+			continue // owner cannot promote others to owner
+		}
+		if i, exists := userMap[ru.Email]; exists {
+			if users[i].ChannelRoles == nil {
+				users[i].ChannelRoles = make(map[string]ChannelRole)
+			}
+			if ru.Role == "" {
+				delete(users[i].ChannelRoles, slug)
+			} else {
+				users[i].ChannelRoles[slug] = ru.Role
+			}
+		} else if ru.Role != "" {
+			users = append(users, User{
+				Email:        ru.Email,
+				ChannelRoles: map[string]ChannelRole{slug: ru.Role},
+			})
+		}
+	}
+
+	if err := dbSetUsersList(ctx, users); err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+	initializePrivilegeUsers()
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(Response{Success: true})
+}
diff --git a/backend/privileges.go b/backend/privileges.go
index 88b8465..4d50e85 100644
--- a/backend/privileges.go
+++ b/backend/privileges.go
@@ -13,40 +13,56 @@ import (
 	"github.com/redis/go-redis/v9"
 )
 
-type Privilege string              //privilege type
-type Privileges map[Privilege]bool // map of privileges
-var privilegesUsers sync.Map
-var adminUsers []string = strings.Split(os.Getenv("ADMIN_USERS"), ",")
+type GlobalRole string
+type ChannelRole string
+
+const (
+	RoleSuperAdmin GlobalRole = "super_admin"
+)
 
 const (
-	Admin     Privilege = "admin"     // root privilege
-	Moderator Privilege = "moderator" // admin privilege
-	Writer    Privilege = "writer"    // can write posts
+	RoleOwner     ChannelRole = "owner"
+	RoleModerator ChannelRole = "moderator"
+	RoleWriter    ChannelRole = "writer"
 )
 
+var channelRoleLevels = map[ChannelRole]int{
+	RoleWriter:    1,
+	RoleModerator: 2,
+	RoleOwner:     3,
+}
+
+var privilegesUsers sync.Map
+var superAdminEmails []string
+
 func initializePrivilegeUsers() {
+	superAdminEmails = strings.Split(os.Getenv("ADMIN_USERS"), ",")
+
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
 	privilegesUsers.Clear()
 	users, err := dbGetUsersList(ctx)
 	if err != nil && err != redis.Nil {
-		panic("Failed to get users list from database: " + err.Error())
+		panic("Failed to get users list: " + err.Error())
 	}
-	existsEmails := make(map[string]bool)
-	for _, user := range users {
-		existsEmails[user.Email] = true
+
+	emailToIdx := make(map[string]int)
+	for i, u := range users {
+		emailToIdx[u.Email] = i
 	}
-	for _, admin := range adminUsers {
-		if !existsEmails[admin] {
+
+	for _, email := range superAdminEmails {
+		email = strings.TrimSpace(email)
+		if email == "" {
+			continue
+		}
+		if i, exists := emailToIdx[email]; exists {
+			users[i].GlobalRole = RoleSuperAdmin
+		} else {
 			users = append(users, User{
-				Username: "",
-				Email:    admin,
-				Privileges: Privileges{
-					Admin:     true,
-					Moderator: true,
-					Writer:    true,
-				},
+				Email:      email,
+				GlobalRole: RoleSuperAdmin,
 			})
 		}
 	}
@@ -56,16 +72,57 @@ func initializePrivilegeUsers() {
 	}
 
 	if err := dbSetUsersList(ctx, users); err != nil {
-		panic("Failed to set users list in database: " + err.Error())
+		panic("Failed to set users list: " + err.Error())
 	}
 }
 
-func (p Privileges) MarshalBinary() ([]byte, error) {
-	return json.Marshal(p)
+func isSuperAdmin(r *http.Request) bool {
+	session, _ := store.Get(r, cookieName)
+	s, ok := session.Values["user"].(Session)
+	if !ok {
+		return false
+	}
+	return s.GlobalRole == RoleSuperAdmin
+}
+
+func hasChannelRole(r *http.Request, slug string, minRole ChannelRole) bool {
+	if isSuperAdmin(r) {
+		return true
+	}
+	session, _ := store.Get(r, cookieName)
+	s, ok := session.Values["user"].(Session)
+	if !ok {
+		return false
+	}
+	if s.ChannelRoles == nil {
+		return false
+	}
+	role, exists := s.ChannelRoles[slug]
+	if !exists {
+		return false
+	}
+	return channelRoleLevels[role] >= channelRoleLevels[minRole]
+}
+
+func requireSuperAdmin(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if !isSuperAdmin(r) {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
 }
 
-func (p *Privileges) UnmarshalBinary(data []byte) error {
-	return json.Unmarshal(data, p)
+func protectedWithChannelRole(minRole ChannelRole, handler http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		slug := channelSlugFromCtx(r)
+		if !hasChannelRole(r, slug, minRole) {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+		handler(w, r)
+	}
 }
 
 func getPrivilegeUsersList(w http.ResponseWriter, r *http.Request) {
@@ -103,7 +160,6 @@ func setPrivilegeUsers(w http.ResponseWriter, r *http.Request) {
 
 	initializePrivilegeUsers()
 
-	response := Response{Success: true}
 	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(response)
+	json.NewEncoder(w).Encode(Response{Success: true})
 }

From 04cac128d0187ca026f72a98b5aa629b491edb99 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 17 May 2026 17:48:27 +0000
Subject: [PATCH 18/60] Update auth.go Session to use new
 GlobalRole/ChannelRole system

- Replace old Privileges map with GlobalRole and ChannelRoles fields
- Update getUser to populate GlobalRole and ChannelRoles from privilegesUsers
- Update registeringEmail to accept slug for per-channel email tracking
- Remove checkPrivilege (replaced by isSuperAdmin/hasChannelRole)

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 backend/auth.go | 49 +++++++++++++++++++++++++------------------------
 1 file changed, 25 insertions(+), 24 deletions(-)

diff --git a/backend/auth.go b/backend/auth.go
index 0fa5069..c3edfa6 100644
--- a/backend/auth.go
+++ b/backend/auth.go
@@ -37,12 +37,13 @@ type GoogleAuthValues struct {
 }
 
 type Session struct {
-	ID         string     `json:"id"`
-	Username   string     `json:"username"`
-	Email      string     `json:"email"`
-	PublicName string     `json:"publicName"`
-	Picture    string     `json:"picture,omitempty"`
-	Privileges Privileges `json:"privileges,omitempty"`
+	ID           string                 `json:"id"`
+	Username     string                 `json:"username"`
+	Email        string                 `json:"email"`
+	PublicName   string                 `json:"publicName"`
+	Picture      string                 `json:"picture,omitempty"`
+	GlobalRole   GlobalRole             `json:"globalRole,omitempty"`
+	ChannelRoles map[string]ChannelRole `json:"channelRoles,omitempty"`
 }
 
 type Response struct {
@@ -108,7 +109,7 @@ func login(w http.ResponseWriter, r *http.Request) {
 	}
 
 	email, _ := dyno.GetString(payload.Claims["email"])
-	go registeringEmail(email)
+	go registeringEmail("", email)
 
 	u, err := getUser(ctx, payload.Claims)
 	if err != nil {
@@ -118,12 +119,13 @@ func login(w http.ResponseWriter, r *http.Request) {
 	}
 	picture, _ := dyno.GetString(payload.Claims["picture"])
 	userSession := Session{
-		ID:         u.ID,
-		Username:   u.Username,
-		PublicName: u.PublicName,
-		Picture:    picture,
-		Privileges: u.Privileges,
-		Email:      u.Email,
+		ID:           u.ID,
+		Username:     u.Username,
+		PublicName:   u.PublicName,
+		Picture:      picture,
+		GlobalRole:   u.GlobalRole,
+		ChannelRoles: u.ChannelRoles,
+		Email:        u.Email,
 	}
 
 	session, _ := store.Get(r, cookieName)
@@ -171,17 +173,6 @@ func checkLogin(next http.Handler) http.Handler {
 	})
 }
 
-func checkPrivilege(r *http.Request, privilege Privilege) bool {
-	session, _ := store.Get(r, cookieName)
-
-	s, ok := session.Values["user"].(Session)
-	if !ok {
-		return false
-	}
-
-	return s.Privileges[privilege]
-}
-
 func getUserInfo(w http.ResponseWriter, r *http.Request) {
 	session, _ := store.Get(r, cookieName)
 	userInfo, ok := session.Values["user"].(Session)
@@ -244,3 +235,13 @@ func getUser(ctx context.Context, claims map[string]any) (*User, error) {
 
 	return &user, nil
 }
+
+func registeringEmail(slug, email string) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+	if slug == "" {
+		rdb.SAdd(ctx, "registered_emails", email)
+	} else {
+		rdb.SAdd(ctx, "channel:"+slug+":registered_emails", email)
+	}
+}

From 6df0607fb25188656327725e7285de44dc2e66df Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 17 May 2026 17:53:59 +0000
Subject: [PATCH 19/60] Rewrite all backend files for multi-tenant channel
 support

- db.go: all DB functions now channel-scoped (slug parameter), added channel CRUD
  (dbCreateChannel, dbGetChannel, dbListChannels, dbDeleteChannel, dbSetChannelFeatures)
  Settings split: per-channel (channel:{slug}:settings) + global (global:settings)
- messages.go: slug from context, SSE subscribes to events:{slug}
- settings.go: per-channel getSettings/setSettings + getGlobalSettings/setGlobalSettings
- statistics.go: per-channel SSE counters via sync.Map
- reactions.go: per-channel emojis loaded from DB per request
- report.go, scheduled.go: channel-scoped DB calls
- notifications.go: FCM stays global, subscriptions are per-channel
- ads.go, webhook.go: load per-channel config via getChannelConfig()
- api.go: API key validated from per-channel settings
- files.go: file URL includes channel slug, max size from per-channel config
- channelInfo.go: features sourced from channel context
- main.go: full routing rewrite - /api/channel/{slug}/... and /api/super-admin/...

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 backend/ads.go           |  32 ++-
 backend/api.go           |  21 +-
 backend/channelInfo.go   |  47 ++---
 backend/db.go            | 427 +++++++++++++++++++++++++++++++--------
 backend/files.go         |  28 ++-
 backend/main.go          | 141 +++++++------
 backend/messages.go      |  40 ++--
 backend/notifications.go |  15 +-
 backend/reactions.go     |  54 +++--
 backend/report.go        |  13 +-
 backend/scheduled.go     |  67 +++---
 backend/settings.go      |  62 +++++-
 backend/statistics.go    |  88 ++++++--
 backend/webhook.go       |  20 +-
 14 files changed, 740 insertions(+), 315 deletions(-)

diff --git a/backend/ads.go b/backend/ads.go
index bbda9e3..b132e1f 100644
--- a/backend/ads.go
+++ b/backend/ads.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"context"
 	"encoding/json"
 	"io"
 	"net/http"
@@ -14,9 +15,15 @@ type AdsSettings struct {
 }
 
 func getAdsSettings(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	slug := channelSlugFromCtx(r)
+	cfg := getChannelConfig(ctx, slug)
+
 	settings := AdsSettings{
-		Src:   settingConfig.AdSrc,
-		Width: settingConfig.AdWidth,
+		Src:   cfg.AdSrc,
+		Width: cfg.AdWidth,
 	}
 
 	w.Header().Set("Content-Type", "application/json")
@@ -34,17 +41,23 @@ type MagnetAdsSettings struct {
 }
 
 func getMagnetAdsSettings(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	slug := channelSlugFromCtx(r)
+	cfg := getChannelConfig(ctx, slug)
+
 	settings := MagnetAdsSettings{
-		Enabled:              settingConfig.MagnetEnabled,
-		Mode:                 settingConfig.MagnetMode,
-		PerMessages:          settingConfig.MagnetPerMessages,
-		MinTimeSeconds:       settingConfig.MagnetMinTimeSeconds,
-		PerSeconds:           settingConfig.MagnetPerSeconds,
-		MinMessagesSinceLast: settingConfig.MagnetMinMessagesSince,
+		Enabled:              cfg.MagnetEnabled,
+		Mode:                 cfg.MagnetMode,
+		PerMessages:          cfg.MagnetPerMessages,
+		MinTimeSeconds:       cfg.MagnetMinTimeSeconds,
+		PerSeconds:           cfg.MagnetPerSeconds,
+		MinMessagesSinceLast: cfg.MagnetMinMessagesSince,
 	}
 
 	if settings.Enabled {
-		settings.Snippet = settingConfig.MagnetSnippet
+		settings.Snippet = cfg.MagnetSnippet
 	}
 
 	w.Header().Set("Content-Type", "application/json")
@@ -56,6 +69,7 @@ const magnetStatsURL = "https://rucltqmtefvlrjhbedqu.supabase.co/functions/v1/pu
 var magnetStatsClient = &http.Client{Timeout: 15 * time.Second}
 
 func getMagnetStats(w http.ResponseWriter, r *http.Request) {
+	// Magnet stats uses global settingConfig
 	apiKey := settingConfig.MagnetApiKey
 	if apiKey == "" {
 		http.Error(w, `{"error":"missing_api_key","message":"Magnet API key is not configured"}`, http.StatusBadRequest)
diff --git a/backend/api.go b/backend/api.go
index a02c291..3519c07 100644
--- a/backend/api.go
+++ b/backend/api.go
@@ -6,11 +6,23 @@ import (
 	"log"
 	"net/http"
 	"time"
+
+	"github.com/go-chi/chi"
 )
 
 func addNewPost(w http.ResponseWriter, r *http.Request) {
+	slug := chi.URLParam(r, "slug")
+	if slug == "" {
+		http.Error(w, "missing slug", http.StatusBadRequest)
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	cfg := getChannelConfig(ctx, slug)
 	key := r.Header.Get("X-API-Key")
-	if key != settingConfig.ApiSecretKey {
+	if key != cfg.ApiSecretKey || cfg.ApiSecretKey == "" {
 		http.Error(w, "error", http.StatusBadRequest)
 		return
 	}
@@ -26,10 +38,7 @@ func addNewPost(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	message.ID = getMessageNextId(ctx)
+	message.ID = getMessageNextId(ctx, slug)
 	message.Type = "md" //body.Type
 	message.Author = body.Author
 	message.Timestamp = body.Timestamp
@@ -37,7 +46,7 @@ func addNewPost(w http.ResponseWriter, r *http.Request) {
 	message.Views = 0
 	message.IsAds = body.IsAds
 
-	if err = setMessage(ctx, &message, false); err != nil {
+	if err = setMessage(ctx, slug, &message, false); err != nil {
 		log.Printf("Failed to set new message: %v\n", err)
 		http.Error(w, "error", http.StatusInternalServerError)
 		return
diff --git a/backend/channelInfo.go b/backend/channelInfo.go
index 9f2ef23..f003ba5 100644
--- a/backend/channelInfo.go
+++ b/backend/channelInfo.go
@@ -4,14 +4,11 @@ import (
 	"context"
 	"encoding/json"
 	"net/http"
-	"strconv"
 	"time"
-
-	"github.com/icza/dyno"
 )
 
 type Channel struct {
-	Id                      int       `json:"id"`
+	Id                      string    `json:"id"`
 	Name                    string    `json:"name"`
 	Description             string    `json:"description"`
 	CreatedAt               time.Time `json:"created_at"`
@@ -25,29 +22,26 @@ func getChannelInfo(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	amount, err := dbGetUsersAmount(ctx)
-	if err != nil {
-		http.Error(w, "error", http.StatusInternalServerError)
-		return
-	}
-
-	amount, _ = dyno.GetInteger(amount)
+	slug := channelSlugFromCtx(r)
+	ch := channelFromCtx(r)
 
-	c, err := getChannelDetails(ctx)
+	amount, err := dbGetUsersAmount(ctx, slug)
 	if err != nil {
 		http.Error(w, "error", http.StatusInternalServerError)
 		return
 	}
 
 	var channel Channel
-	channel.Id, _ = strconv.Atoi(c["id"])
-	channel.Name = c["name"]
-	channel.Description = c["description"]
-	channel.CreatedAt, _ = time.Parse(time.RFC3339, c["created_at"])
-	channel.Views = amount //strconv.Atoi(c["views"])
-	channel.LogoUrl = c["logoUrl"]
-	channel.RequireAuthForViewFiles = settingConfig.RequireAuthForViewFiles
-	channel.ContactUs = settingConfig.ContactUs
+	if ch != nil {
+		channel.Id = ch.Slug
+		channel.Name = ch.Name
+		channel.Description = ch.Description
+		channel.CreatedAt = ch.CreatedAt
+		channel.LogoUrl = ch.LogoUrl
+		channel.RequireAuthForViewFiles = ch.Features.RequireAuthFiles
+		channel.ContactUs = ch.ContactUs
+	}
+	channel.Views = amount
 
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(channel)
@@ -57,10 +51,13 @@ func editChannelInfo(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
+	slug := channelSlugFromCtx(r)
+
 	type Request struct {
 		Name        string `json:"name"`
 		Description string `json:"description"`
 		LogoUrl     string `json:"logoUrl"`
+		ContactUs   string `json:"contactUs"`
 	}
 
 	var req Request
@@ -70,17 +67,13 @@ func editChannelInfo(w http.ResponseWriter, r *http.Request) {
 	}
 	defer r.Body.Close()
 
-	if _, err := rdb.HSet(ctx, "channel:1", "name", req.Name, "description", req.Description, "logoUrl", req.LogoUrl).Result(); err != nil {
+	hashKey := "channel:" + slug
+	if _, err := rdb.HSet(ctx, hashKey, "name", req.Name, "description", req.Description, "logoUrl", req.LogoUrl, "contactUs", req.ContactUs).Result(); err != nil {
 		http.Error(w, "error", http.StatusInternalServerError)
 		return
 	}
 
 	res := Response{Success: true}
+	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(res)
 }
-
-func registeringEmail(email string) {
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-	rdb.SAdd(ctx, "registered_emails", email)
-}
diff --git a/backend/db.go b/backend/db.go
index ee23fda..f6ca177 100644
--- a/backend/db.go
+++ b/backend/db.go
@@ -35,11 +35,12 @@ type Message struct {
 }
 
 type User struct {
-	ID         string     `json:"id"`
-	Username   string     `json:"username"`
-	Email      string     `json:"email"`
-	PublicName string     `json:"publicName"`
-	Privileges Privileges `json:"privileges"`
+	ID           string                 `json:"id"`
+	Username     string                 `json:"username"`
+	Email        string                 `json:"email"`
+	PublicName   string                 `json:"publicName"`
+	GlobalRole   GlobalRole             `json:"globalRole,omitempty"`
+	ChannelRoles map[string]ChannelRole `json:"channelRoles,omitempty"`
 }
 
 type PushMessage struct {
@@ -65,8 +66,8 @@ func init() {
 	log.Println("Connection to DB successful!")
 }
 
-func getMessageNextId(ctx context.Context) int {
-	id, err := rdb.Incr(ctx, "message:next_id").Result()
+func getMessageNextId(ctx context.Context, slug string) int {
+	id, err := rdb.Incr(ctx, fmt.Sprintf("channel:%s:message:next_id", slug)).Result()
 	if err != nil {
 		log.Fatalf("Failed to get id: %v\n", err)
 	}
@@ -74,13 +75,18 @@ func getMessageNextId(ctx context.Context) int {
 	return int(id)
 }
 
-func setMessage(ctx context.Context, m *Message, isUpdate bool) error {
-	messageKey := fmt.Sprintf("messages:%d", m.ID)
+func setMessage(ctx context.Context, slug string, m *Message, isUpdate bool) error {
+	messageKey := fmt.Sprintf("channel:%s:messages:%d", slug, m.ID)
 
-	for _, regex := range settingConfig.RegexReplace {
-		if !strings.HasPrefix(m.Text, "[quote-embedded#]") {
-			t := regex.Pattern.ReplaceAllString(m.Text, regex.Replace)
-			m.Text = t
+	// Load per-channel settings for regex replace
+	settings, err := dbGetSettings(ctx, slug)
+	if err == nil {
+		cfg := settings.ToConfig()
+		for _, regex := range cfg.RegexReplace {
+			if !strings.HasPrefix(m.Text, "[quote-embedded#]") {
+				t := regex.Pattern.ReplaceAllString(m.Text, regex.Replace)
+				m.Text = t
+			}
 		}
 	}
 
@@ -91,7 +97,7 @@ func setMessage(ctx context.Context, m *Message, isUpdate bool) error {
 
 	// Add message timestamp to sorted set
 	if !isUpdate {
-		if err := rdb.ZAdd(ctx, "m_times:1", redis.Z{Score: float64(m.Timestamp.Unix()), Member: messageKey}).Err(); err != nil {
+		if err := rdb.ZAdd(ctx, fmt.Sprintf("channel:%s:m_times", slug), redis.Z{Score: float64(m.Timestamp.Unix()), Member: messageKey}).Err(); err != nil {
 			return err
 		}
 	}
@@ -107,13 +113,13 @@ func setMessage(ctx context.Context, m *Message, isUpdate bool) error {
 	}
 
 	pushMessageData, _ := json.Marshal(pushMessage)
-	rdb.Publish(ctx, "events", pushMessageData)
+	rdb.Publish(ctx, fmt.Sprintf("events:%s", slug), pushMessageData)
 
 	return nil
 }
 
-func setReaction(ctx context.Context, messageId int, emoji string, userId string) error {
-	kay := fmt.Sprintf("message:%d:reactions", messageId)
+func setReaction(ctx context.Context, slug string, messageId int, emoji string, userId string) error {
+	kay := fmt.Sprintf("channel:%s:message:%d:reactions", slug, messageId)
 	userId = fmt.Sprintf("%v", userId)
 
 	react := map[string]string{
@@ -135,12 +141,12 @@ func setReaction(ctx context.Context, messageId int, emoji string, userId string
 		return err
 	}
 
-	r, err := funcGetSumReactions(ctx, messageId)
+	r, err := funcGetSumReactions(ctx, slug, messageId)
 	if err != nil {
 		return err
 	}
 
-	if err := updateMessageReactions(ctx, messageId, r); err != nil {
+	if err := updateMessageReactions(ctx, slug, messageId, r); err != nil {
 		return err
 	}
 
@@ -153,7 +159,7 @@ func setReaction(ctx context.Context, messageId int, emoji string, userId string
 	}
 
 	pushMessageData, _ := json.Marshal(pushMessage)
-	rdb.Publish(ctx, "events", pushMessageData)
+	rdb.Publish(ctx, fmt.Sprintf("events:%s", slug), pushMessageData)
 
 	return nil
 }
@@ -184,7 +190,7 @@ var getMessageRange = redis.NewScript(`
 		local batch_size = required_length - #messages
 		local stop_index = start_index + batch_size
 		local message_ids
-		
+
 		if direction == 'asc' then
 		 message_ids = redis.call('ZRANGE', time_set_key, start_index, stop_index)
 		else
@@ -198,18 +204,18 @@ var getMessageRange = redis.NewScript(`
 		for i, message_key in ipairs(message_ids) do
 			local message_data = redis.call('HGETALL', message_key)
 			local message = {}
-	
+
 			for j = 1, #message_data, 2 do
 				local key = message_data[j]
 				local value = message_data[j+1]
-	
+
 				if key == 'id' then
 					message[key] = tonumber(value)
                 elseif key == 'views' then
 					if countViews then
 						message[key] = tonumber(value)
 					else
-						message[key] = 0	
+						message[key] = 0
 					end
 				elseif key == 'deleted' then
 					message[key] = value == '1'
@@ -238,7 +244,7 @@ var getMessageRange = redis.NewScript(`
 					message[key] = value
 				end
 			end
-	
+
 			if not message['deleted'] or isAdmin then
 				table.insert(messages, message)
 			end
@@ -251,9 +257,12 @@ var getMessageRange = redis.NewScript(`
 	return cjson.encode(messages)
 `)
 
-func funcGetMessageRange(ctx context.Context, start, stop int64, isAdmin, countViews bool, direction string) ([]Message, error) {
-	offsetKeyName := fmt.Sprintf("messages:%d", start)
-	res, err := getMessageRange.Run(ctx, rdb, []string{"m_times:1", offsetKeyName}, []string{strconv.FormatInt(stop, 10), strconv.FormatBool(isAdmin), strconv.FormatBool(countViews), direction}).Result()
+func funcGetMessageRange(ctx context.Context, slug string, start, stop int64, isAdmin, countViews bool, direction string) ([]Message, error) {
+	offsetKeyName := fmt.Sprintf("channel:%s:messages:%d", slug, start)
+	res, err := getMessageRange.Run(ctx, rdb, []string{
+		fmt.Sprintf("channel:%s:m_times", slug),
+		offsetKeyName,
+	}, []string{strconv.FormatInt(stop, 10), strconv.FormatBool(isAdmin), strconv.FormatBool(countViews), direction}).Result()
 	if err != nil {
 		return []Message{}, err
 	}
@@ -283,12 +292,14 @@ var sumMessageReactions = redis.NewScript(`
 	  result[reaction] = 1
    end
     end
-  end 
+  end
   return cjson.encode(result)
 `)
 
-func funcGetSumReactions(ctx context.Context, messageId int) (Reactions, error) {
-	res, err := sumMessageReactions.Run(ctx, rdb, []string{fmt.Sprintf("message:%d:reactions", messageId)}).Result()
+func funcGetSumReactions(ctx context.Context, slug string, messageId int) (Reactions, error) {
+	res, err := sumMessageReactions.Run(ctx, rdb, []string{
+		fmt.Sprintf("channel:%s:message:%d:reactions", slug, messageId),
+	}).Result()
 	if err != nil || res == nil || res == "{}" {
 		return nil, err
 	}
@@ -302,8 +313,8 @@ func funcGetSumReactions(ctx context.Context, messageId int) (Reactions, error)
 	return reactions, nil
 }
 
-func updateMessageReactions(ctx context.Context, messageId int, reactions Reactions) error {
-	messageKey := fmt.Sprintf("messages:%d", messageId)
+func updateMessageReactions(ctx context.Context, slug string, messageId int, reactions Reactions) error {
+	messageKey := fmt.Sprintf("channel:%s:messages:%d", slug, messageId)
 
 	exists, err := rdb.Exists(ctx, messageKey).Result()
 	if err != nil {
@@ -325,8 +336,8 @@ func updateMessageReactions(ctx context.Context, messageId int, reactions Reacti
 	return nil
 }
 
-func funcDeleteMessage(ctx context.Context, id string) error {
-	msgKey := fmt.Sprintf("messages:%s", id)
+func funcDeleteMessage(ctx context.Context, slug string, id string) error {
+	msgKey := fmt.Sprintf("channel:%s:messages:%s", slug, id)
 	rdb.HSet(ctx, msgKey, "deleted", true)
 
 	var m Message
@@ -342,26 +353,30 @@ func funcDeleteMessage(ctx context.Context, id string) error {
 		M:    m,
 	}
 	pushMessageData, _ := json.Marshal(pushMessage)
-	rdb.Publish(ctx, "events", pushMessageData)
+	rdb.Publish(ctx, fmt.Sprintf("events:%s", slug), pushMessageData)
 
 	return nil
 }
 
-func addViewsToMessages(ctx context.Context, messages []Message) {
-	if !settingConfig.CountViews {
+func addViewsToMessages(ctx context.Context, slug string, countViews bool, messages []Message) {
+	if !countViews {
 		return
 	}
 	for _, m := range messages {
-		rdb.HIncrBy(ctx, fmt.Sprintf("messages:%d", m.ID), "views", 1)
+		rdb.HIncrBy(ctx, fmt.Sprintf("channel:%s:messages:%d", slug, m.ID), "views", 1)
 	}
 }
 
 // https://redis.io/docs/latest/operate/oss_and_stack/management/security/#string-escaping-and-nosql-injection
-func addSubscription(token string) error {
+func addSubscription(slug, token string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	_, err := rdb.SAdd(ctx, "subscriptions", token).Result()
+	key := "subscriptions"
+	if slug != "" {
+		key = fmt.Sprintf("channel:%s:subscriptions", slug)
+	}
+	_, err := rdb.SAdd(ctx, key, token).Result()
 	if err != nil {
 		return err
 	}
@@ -369,11 +384,15 @@ func addSubscription(token string) error {
 	return nil
 }
 
-func getSubcriptionsList() ([]string, error) {
+func getSubcriptionsList(slug string) ([]string, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	subscriptionsSet, err := rdb.SMembers(ctx, "subscriptions").Result()
+	key := "subscriptions"
+	if slug != "" {
+		key = fmt.Sprintf("channel:%s:subscriptions", slug)
+	}
+	subscriptionsSet, err := rdb.SMembers(ctx, key).Result()
 	if err != nil {
 		log.Printf("Failed to get subscriptions: %v\n", err)
 		return []string{}, err
@@ -381,33 +400,30 @@ func getSubcriptionsList() ([]string, error) {
 	return subscriptionsSet, nil
 }
 
-func getChannelDetails(ctx context.Context) (map[string]string, error) {
-	return rdb.HGetAll(ctx, "channel:1").Result()
+func getChannelDetails(ctx context.Context, slug string) (map[string]string, error) {
+	return rdb.HGetAll(ctx, fmt.Sprintf("channel:%s", slug)).Result()
 }
 
-func dbSetEmojisList(ctx context.Context, emojis []string) error {
-	// if len(emojis) == 0 {
-	// 	return fmt.Errorf("emojis list cannot be empty")
-	// }
-
+func dbSetEmojisList(ctx context.Context, slug string, emojis []string) error {
 	emojisJSON, err := json.Marshal(emojis)
 	if err != nil {
 		return fmt.Errorf("failed to marshal emojis: %v", err)
 	}
 
-	if err := rdb.Set(ctx, "emojis:list", emojisJSON, 0).Err(); err != nil {
+	key := fmt.Sprintf("channel:%s:emojis:list", slug)
+	if err := rdb.Set(ctx, key, emojisJSON, 0).Err(); err != nil {
 		return fmt.Errorf("failed to set emojis in db: %v", err)
 	}
 
 	return nil
-
 }
 
-func dbGetEmojisList(ctx context.Context) ([]string, error) {
-	emojisJSON, err := rdb.Get(ctx, "emojis:list").Result()
+func dbGetEmojisList(ctx context.Context, slug string) ([]string, error) {
+	key := fmt.Sprintf("channel:%s:emojis:list", slug)
+	emojisJSON, err := rdb.Get(ctx, key).Result()
 	if err != nil {
 		if err == redis.Nil {
-			return emojis, nil
+			return []string{}, nil
 		}
 		return nil, fmt.Errorf("failed to get emojis from db: %v", err)
 	}
@@ -449,21 +465,23 @@ func dbGetUsersList(ctx context.Context) ([]User, error) {
 	return usersList, nil
 }
 
-func dbSetSettings(ctx context.Context, settings *Settings) error {
+func dbSetSettings(ctx context.Context, slug string, settings *Settings) error {
 	jsonSettings, err := json.Marshal(settings)
 	if err != nil {
 		return fmt.Errorf("failed to marshal settings: %v", err)
 	}
 
-	if err := rdb.Set(ctx, "settings:list", jsonSettings, 0).Err(); err != nil {
+	key := fmt.Sprintf("channel:%s:settings", slug)
+	if err := rdb.Set(ctx, key, jsonSettings, 0).Err(); err != nil {
 		return fmt.Errorf("failed to set settings in db: %v", err)
 	}
 
 	return nil
 }
 
-func dbGetSettings(ctx context.Context) (Settings, error) {
-	settingsJSON, err := rdb.Get(ctx, "settings:list").Result()
+func dbGetSettings(ctx context.Context, slug string) (Settings, error) {
+	key := fmt.Sprintf("channel:%s:settings", slug)
+	settingsJSON, err := rdb.Get(ctx, key).Result()
 	if err != nil {
 		if err == redis.Nil {
 			return Settings{}, nil
@@ -479,35 +497,79 @@ func dbGetSettings(ctx context.Context) (Settings, error) {
 	return settings, nil
 }
 
-func dbGetUsersAmount(ctx context.Context) (int64, error) {
-	amount, err := rdb.SCard(ctx, "registered_emails").Result()
+// Global settings (FCM/VAPID) stored under global:settings
+func dbSetGlobalSettings(ctx context.Context, settings *Settings) error {
+	jsonSettings, err := json.Marshal(settings)
+	if err != nil {
+		return fmt.Errorf("failed to marshal global settings: %v", err)
+	}
+
+	if err := rdb.Set(ctx, "global:settings", jsonSettings, 0).Err(); err != nil {
+		return fmt.Errorf("failed to set global settings in db: %v", err)
+	}
+
+	return nil
+}
+
+func dbGetGlobalSettings(ctx context.Context) (Settings, error) {
+	settingsJSON, err := rdb.Get(ctx, "global:settings").Result()
+	if err != nil {
+		if err == redis.Nil {
+			// Fallback to legacy settings:list key
+			settingsJSON2, err2 := rdb.Get(ctx, "settings:list").Result()
+			if err2 != nil {
+				if err2 == redis.Nil {
+					return Settings{}, nil
+				}
+				return nil, fmt.Errorf("failed to get global settings from db: %v", err2)
+			}
+			settingsJSON = settingsJSON2
+		} else {
+			return nil, fmt.Errorf("failed to get global settings from db: %v", err)
+		}
+	}
+
+	var settings Settings
+	if err := json.Unmarshal([]byte(settingsJSON), &settings); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal global settings: %v", err)
+	}
+
+	return settings, nil
+}
+
+func dbGetUsersAmount(ctx context.Context, slug string) (int64, error) {
+	key := fmt.Sprintf("channel:%s:registered_emails", slug)
+	amount, err := rdb.SCard(ctx, key).Result()
 	if err != nil {
 		return 0, fmt.Errorf("failed to get users amount: %v", err)
 	}
 	return amount, nil
 }
 
-func getReportNextID(ctx context.Context) (int64, error) {
-	return rdb.Incr(ctx, "report:next_id").Result()
+func getReportNextID(ctx context.Context, slug string) (int64, error) {
+	return rdb.Incr(ctx, fmt.Sprintf("channel:%s:report:next_id", slug)).Result()
 }
 
-func dbReportMessage(ctx context.Context, report *Report) error {
-	id, err := getReportNextID(ctx)
+func dbReportMessage(ctx context.Context, slug string, report *Report) error {
+	id, err := getReportNextID(ctx, slug)
 	if err != nil {
 		return err
 	}
-	reportKey := fmt.Sprintf("report:%d", id)
+	reportKey := fmt.Sprintf("channel:%s:report:%d", slug, id)
 	report.Id = id
 
 	if err := rdb.HSet(ctx, reportKey, report).Err(); err != nil {
 		return err
 	}
 
-	if err := rdb.ZAdd(ctx, "reports:list", redis.Z{Score: float64(report.CreatedAt.Unix()), Member: reportKey}).Err(); err != nil {
+	reportsListKey := fmt.Sprintf("channel:%s:reports:list", slug)
+	reportsOpenKey := fmt.Sprintf("channel:%s:reports:open", slug)
+
+	if err := rdb.ZAdd(ctx, reportsListKey, redis.Z{Score: float64(report.CreatedAt.Unix()), Member: reportKey}).Err(); err != nil {
 		return err
 	}
 
-	if err := rdb.ZAdd(ctx, "reports:open", redis.Z{Score: float64(report.CreatedAt.Unix()), Member: reportKey}).Err(); err != nil {
+	if err := rdb.ZAdd(ctx, reportsOpenKey, redis.Z{Score: float64(report.CreatedAt.Unix()), Member: reportKey}).Err(); err != nil {
 		return err
 	}
 
@@ -555,8 +617,12 @@ var getReportsScript = redis.NewScript(`
 	return cjson.encode(result)
 `)
 
-func dbGetReports(ctx context.Context, status ReportStatus) (Reports, error) {
-	jsonReports, err := getReportsScript.Run(ctx, rdb, []string{"reports:list", "reports:open", "reports:closed"}, []string{string(status), "100"}).Result()
+func dbGetReports(ctx context.Context, slug string, status ReportStatus) (Reports, error) {
+	listKey := fmt.Sprintf("channel:%s:reports:list", slug)
+	openKey := fmt.Sprintf("channel:%s:reports:open", slug)
+	closedKey := fmt.Sprintf("channel:%s:reports:closed", slug)
+
+	jsonReports, err := getReportsScript.Run(ctx, rdb, []string{listKey, openKey, closedKey}, []string{string(status), "100"}).Result()
 	if err != nil {
 		return nil, err
 	}
@@ -578,21 +644,24 @@ func dbGetReports(ctx context.Context, status ReportStatus) (Reports, error) {
 	return reports, nil
 }
 
-func dbSetReports(ctx context.Context, report *Report) error {
-	reportKey := fmt.Sprintf("report:%d", report.Id)
+func dbSetReports(ctx context.Context, slug string, report *Report) error {
+	reportKey := fmt.Sprintf("channel:%s:report:%d", slug, report.Id)
+	openKey := fmt.Sprintf("channel:%s:reports:open", slug)
+	closedKey := fmt.Sprintf("channel:%s:reports:closed", slug)
+
 	switch report.Closed {
 	case true:
-		if err := rdb.ZRem(ctx, "reports:open", reportKey).Err(); err != nil {
+		if err := rdb.ZRem(ctx, openKey, reportKey).Err(); err != nil {
 			return err
 		}
-		if err := rdb.ZAdd(ctx, "reports:closed", redis.Z{Score: float64(report.UpdatedAt.Unix()), Member: reportKey}).Err(); err != nil {
+		if err := rdb.ZAdd(ctx, closedKey, redis.Z{Score: float64(report.UpdatedAt.Unix()), Member: reportKey}).Err(); err != nil {
 			return err
 		}
 	case false:
-		if err := rdb.ZRem(ctx, "reports:closed", reportKey).Err(); err != nil {
+		if err := rdb.ZRem(ctx, closedKey, reportKey).Err(); err != nil {
 			return err
 		}
-		if err := rdb.ZAdd(ctx, "reports:open", redis.Z{Score: float64(report.UpdatedAt.Unix()), Member: reportKey}).Err(); err != nil {
+		if err := rdb.ZAdd(ctx, openKey, redis.Z{Score: float64(report.UpdatedAt.Unix()), Member: reportKey}).Err(); err != nil {
 			return err
 		}
 	}
@@ -604,14 +673,16 @@ func dbSetReports(ctx context.Context, report *Report) error {
 	return nil
 }
 
-func dbSavePeakSSEConnections(peak *PeakSSEConnections) {
+func dbSavePeakSSEConnections(slug string, peak *PeakSSEConnections) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
-	rdb.HSet(ctx, "peak_sse_connections", "value", peak.Value, "timestamp", peak.Timestamp.Unix())
+	key := fmt.Sprintf("channel:%s:peak_sse_connections", slug)
+	rdb.HSet(ctx, key, "value", peak.Value, "timestamp", peak.Timestamp.Unix())
 }
 
-func dbGetPeakSSEConnections(ctx context.Context) (*PeakSSEConnections, error) {
-	p, err := rdb.HGetAll(ctx, "peak_sse_connections").Result()
+func dbGetPeakSSEConnections(ctx context.Context, slug string) (*PeakSSEConnections, error) {
+	key := fmt.Sprintf("channel:%s:peak_sse_connections", slug)
+	p, err := rdb.HGetAll(ctx, key).Result()
 	if err != nil {
 		return nil, err
 	}
@@ -626,18 +697,18 @@ func dbGetPeakSSEConnections(ctx context.Context) (*PeakSSEConnections, error) {
 	return &peak, nil
 }
 
-func dbSaveSSEStatistics(amount int64) {
+func dbSaveSSEStatistics(slug string, amount int64) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	key := fmt.Sprintf("sse_statistics:%d:%d", time.Now().Month(), time.Now().Year())
+	key := fmt.Sprintf("channel:%s:sse_statistics:%d:%d", slug, time.Now().Month(), time.Now().Year())
 	member := fmt.Sprintf("%d&%s", amount, time.Now().Format("02-01-2006 15:04"))
 
 	rdb.ZAdd(ctx, key, redis.Z{Score: float64(time.Now().Unix()), Member: member})
 }
 
-func dbGetSSEStatistics(ctx context.Context, length int64) (*Statistics, error) {
-	key := fmt.Sprintf("sse_statistics:%d:%d", time.Now().Month(), time.Now().Year())
+func dbGetSSEStatistics(ctx context.Context, slug string, length int64) (*Statistics, error) {
+	key := fmt.Sprintf("channel:%s:sse_statistics:%d:%d", slug, time.Now().Month(), time.Now().Year())
 	result := &Statistics{
 		Data:   []int64{},
 		Labels: []string{},
@@ -666,21 +737,23 @@ func dbGetSSEStatistics(ctx context.Context, length int64) (*Statistics, error)
 	return result, nil
 }
 
-func dbSaveScheduledMessages(ctx context.Context, messages *[]Message) error {
+func dbSaveScheduledMessages(ctx context.Context, slug string, messages *[]Message) error {
 	jsonMessages, err := json.Marshal(messages)
 	if err != nil {
 		return fmt.Errorf("failed to marshal scheduled messages: %v", err)
 	}
 
-	if err := rdb.Set(ctx, "scheduled_messages:list", jsonMessages, 0).Err(); err != nil {
+	key := fmt.Sprintf("channel:%s:scheduled_messages:list", slug)
+	if err := rdb.Set(ctx, key, jsonMessages, 0).Err(); err != nil {
 		return fmt.Errorf("failed to set scheduled messages in db: %v", err)
 	}
 
 	return nil
 }
 
-func dbGetScheduledMessages(ctx context.Context) (*[]Message, error) {
-	messagesJSON, err := rdb.Get(ctx, "scheduled_messages:list").Result()
+func dbGetScheduledMessages(ctx context.Context, slug string) (*[]Message, error) {
+	key := fmt.Sprintf("channel:%s:scheduled_messages:list", slug)
+	messagesJSON, err := rdb.Get(ctx, key).Result()
 	if err != nil {
 		if err == redis.Nil {
 			return &[]Message{}, nil
@@ -695,3 +768,181 @@ func dbGetScheduledMessages(ctx context.Context) (*[]Message, error) {
 
 	return &messages, nil
 }
+
+// Channel CRUD functions
+
+func dbChannelExists(ctx context.Context, slug string) (bool, error) {
+	n, err := rdb.Exists(ctx, fmt.Sprintf("channel:%s", slug)).Result()
+	if err != nil {
+		return false, err
+	}
+	return n > 0, nil
+}
+
+func dbCreateChannel(ctx context.Context, channel *ChannelData) error {
+	hashKey := fmt.Sprintf("channel:%s", channel.Slug)
+
+	if err := rdb.HSet(ctx, hashKey,
+		"slug", channel.Slug,
+		"name", channel.Name,
+		"description", channel.Description,
+		"logoUrl", channel.LogoUrl,
+		"ownerEmail", channel.OwnerEmail,
+		"createdAt", channel.CreatedAt.Format(time.RFC3339),
+		"contactUs", channel.ContactUs,
+	).Err(); err != nil {
+		return err
+	}
+
+	featuresJSON, err := json.Marshal(channel.Features)
+	if err != nil {
+		return fmt.Errorf("failed to marshal features: %v", err)
+	}
+
+	featuresKey := fmt.Sprintf("channel:%s:features", channel.Slug)
+	if err := rdb.Set(ctx, featuresKey, featuresJSON, 0).Err(); err != nil {
+		return err
+	}
+
+	if err := rdb.ZAdd(ctx, "channels:list", redis.Z{
+		Score:  float64(channel.CreatedAt.Unix()),
+		Member: channel.Slug,
+	}).Err(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func dbGetChannel(ctx context.Context, slug string) (*ChannelData, error) {
+	hashKey := fmt.Sprintf("channel:%s", slug)
+	h, err := rdb.HGetAll(ctx, hashKey).Result()
+	if err != nil {
+		return nil, err
+	}
+	if len(h) == 0 {
+		return nil, redis.Nil
+	}
+
+	channel := &ChannelData{
+		Slug:        h["slug"],
+		Name:        h["name"],
+		Description: h["description"],
+		LogoUrl:     h["logoUrl"],
+		OwnerEmail:  h["ownerEmail"],
+		ContactUs:   h["contactUs"],
+	}
+	if h["slug"] == "" {
+		channel.Slug = slug
+	}
+
+	if t, err := time.Parse(time.RFC3339, h["createdAt"]); err == nil {
+		channel.CreatedAt = t
+	}
+
+	// Load features
+	featuresKey := fmt.Sprintf("channel:%s:features", slug)
+	featuresJSON, err := rdb.Get(ctx, featuresKey).Result()
+	if err == nil {
+		var features ChannelFeatures
+		if err := json.Unmarshal([]byte(featuresJSON), &features); err == nil {
+			channel.Features = features
+		}
+	}
+
+	return channel, nil
+}
+
+func dbListChannels(ctx context.Context) ([]*ChannelData, error) {
+	slugs, err := rdb.ZRange(ctx, "channels:list", 0, -1).Result()
+	if err != nil {
+		return nil, err
+	}
+
+	var channels []*ChannelData
+	for _, slug := range slugs {
+		ch, err := dbGetChannel(ctx, slug)
+		if err != nil {
+			log.Printf("Failed to get channel %s: %v\n", slug, err)
+			continue
+		}
+		channels = append(channels, ch)
+	}
+
+	return channels, nil
+}
+
+func dbDeleteChannel(ctx context.Context, slug string) error {
+	// Remove from channels:list
+	if err := rdb.ZRem(ctx, "channels:list", slug).Err(); err != nil {
+		return err
+	}
+
+	// Scan and delete all channel:{slug}:* keys
+	pattern := fmt.Sprintf("channel:%s:*", slug)
+	var cursor uint64
+	for {
+		keys, nextCursor, err := rdb.Scan(ctx, cursor, pattern, 100).Result()
+		if err != nil {
+			return err
+		}
+		if len(keys) > 0 {
+			if err := rdb.Del(ctx, keys...).Err(); err != nil {
+				return err
+			}
+		}
+		cursor = nextCursor
+		if cursor == 0 {
+			break
+		}
+	}
+
+	// Delete the main channel hash
+	if err := rdb.Del(ctx, fmt.Sprintf("channel:%s", slug)).Err(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func dbSetChannelFeatures(ctx context.Context, slug string, features *ChannelFeatures) error {
+	featuresJSON, err := json.Marshal(features)
+	if err != nil {
+		return fmt.Errorf("failed to marshal features: %v", err)
+	}
+
+	featuresKey := fmt.Sprintf("channel:%s:features", slug)
+	if err := rdb.Set(ctx, featuresKey, featuresJSON, 0).Err(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+func dbAssignChannelRole(ctx context.Context, email, slug string, role ChannelRole) error {
+	users, err := dbGetUsersList(ctx)
+	if err != nil {
+		return err
+	}
+
+	found := false
+	for i, u := range users {
+		if u.Email == email {
+			if users[i].ChannelRoles == nil {
+				users[i].ChannelRoles = make(map[string]ChannelRole)
+			}
+			users[i].ChannelRoles[slug] = role
+			found = true
+			break
+		}
+	}
+
+	if !found {
+		users = append(users, User{
+			Email:        email,
+			ChannelRoles: map[string]ChannelRole{slug: role},
+		})
+	}
+
+	return dbSetUsersList(ctx, users)
+}
diff --git a/backend/files.go b/backend/files.go
index 4a9506f..3d320c2 100644
--- a/backend/files.go
+++ b/backend/files.go
@@ -62,7 +62,13 @@ func serveFile(w http.ResponseWriter, r *http.Request) {
 }
 
 func uploadFile(w http.ResponseWriter, r *http.Request) {
-	r.Body = http.MaxBytesReader(w, r.Body, int64(settingConfig.MaxFileSize)<<20)
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	slug := channelSlugFromCtx(r)
+	cfg := getChannelConfig(ctx, slug)
+
+	r.Body = http.MaxBytesReader(w, r.Body, int64(cfg.MaxFileSize)<<20)
 
 	file, handler, err := r.FormFile("file")
 	if err != nil {
@@ -101,7 +107,7 @@ func uploadFile(w http.ResponseWriter, r *http.Request) {
 	var isDuplicateFile bool
 	testISDuplicateFilePath := filepath.Join(hashSubDir, fileHash)
 	_, err = os.Stat(testISDuplicateFilePath)
-	if err == nil { //|| !os.IsNotExist(err)
+	if err == nil {
 		isDuplicateFile = true
 	}
 
@@ -158,7 +164,7 @@ func uploadFile(w http.ResponseWriter, r *http.Request) {
 	}
 	metadataFile.Write(yamlData)
 
-	fileUrl := "/api/files/" + id
+	fileUrl := "/api/channel/" + slug + "/files/" + id
 
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(FileResponse{
@@ -192,9 +198,16 @@ func getFavicon(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	c, err := getChannelDetails(ctx)
+	// Try to get slug from query param or use a default
+	slug := r.URL.Query().Get("slug")
+	if slug == "" {
+		http.ServeFile(w, r, "assets/favicon.ico")
+		return
+	}
+
+	c, err := getChannelDetails(ctx, slug)
 	if err != nil {
-		http.Error(w, "error", http.StatusInternalServerError)
+		http.ServeFile(w, r, "assets/favicon.ico")
 		return
 	}
 
@@ -204,6 +217,11 @@ func getFavicon(w http.ResponseWriter, r *http.Request) {
 	}
 	fileId := path.Base(logoUrl)
 
+	if len(fileId) < 4 {
+		http.ServeFile(w, r, "assets/favicon.ico")
+		return
+	}
+
 	metadataFilePath := filepath.Join(rootUploadPath, fileId[:2], fileId[2:4], fileId+".yaml")
 	metadataFile, err := os.ReadFile(metadataFilePath)
 	if err != nil {
diff --git a/backend/main.go b/backend/main.go
index d298506..849a458 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -16,27 +16,6 @@ import (
 
 var rootStaticFolder = os.Getenv("ROOT_STATIC_FOLDER")
 
-func protectedWithPrivilege(Privilege Privilege, handler http.HandlerFunc) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		if !checkPrivilege(r, Privilege) {
-			http.Error(w, "User not authorized or not privilege", http.StatusUnauthorized)
-			return
-		}
-		handler(w, r)
-	}
-}
-
-func ifRequireAuth(next http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		// Check every time
-		if settingConfig.RequireAuth {
-			checkLogin(next).ServeHTTP(w, r)
-		} else {
-			next.ServeHTTP(w, r)
-		}
-	})
-}
-
 func main() {
 	gob.Register(Session{})
 	initializePrivilegeUsers()
@@ -54,64 +33,92 @@ func main() {
 	r := chi.NewRouter()
 	r.Use(middleware.Logger)
 
-	// Protected with api key
-	r.Post("/api/import/post", addNewPost)
-
+	// Auth routes
 	r.Get("/auth/google", getGoogleAuthValues)
 	r.Post("/auth/login", login)
 	r.Post("/auth/logout", logout)
+
+	// Global assets
 	r.Get("/assets/favicon.ico", getFavicon)
 	r.Get("/favicon.ico", getFavicon)
+	r.Get("/firebase-messaging-sw.js", getFirebaseMessagingSW)
 
+	// User info (global, requires login)
 	r.Group(func(r chi.Router) {
 		r.Use(checkLogin)
-		r.Post("/api/reactions/set-reactions", setReactions)
-		r.Post("/api/messages/report", reportMessage)
+		r.Get("/api/user-info", getUserInfo)
 	})
 
-	r.Group(func(r chi.Router) {
-		r.Use(ifRequireAuth)
-		r.Get("/firebase-messaging-sw.js", getFirebaseMessagingSW)
-		r.Route("/api", func(api chi.Router) {
-			api.Get("/ads/settings", getAdsSettings)
-			api.Get("/ads/magnet", getMagnetAdsSettings)
-			api.Get("/emojis/list", getEmojisList)
-			api.Get("/channel/notifications-config", getNotificationsConfig)
-			api.Post("/channel/notifications-subscribe", subscribeNotifications)
-
-			api.Get("/channel/info", getChannelInfo)
-			api.Get("/messages", getMessages)
-			api.Get("/events", getEvents)
-			api.Get("/files/{fileid}", serveFile)
-			api.Get("/user-info", getUserInfo)
-
-			api.Route("/admin", func(protected chi.Router) {
-				// ⚠️ WARNING: Route not check privilege use protectedWithPrivilege to check privilege.
-
-				protected.Post("/new", protectedWithPrivilege(Writer, addMessage))
-				protected.Post("/edit-message", protectedWithPrivilege(Writer, updateMessage))
-				protected.Get("/delete-message/{id}", protectedWithPrivilege(Writer, deleteMessage))
-				protected.Post("/upload", protectedWithPrivilege(Writer, uploadFile))
-				protected.Get("/scheduled-messages/get", protectedWithPrivilege(Writer, getScheduledMessages))
-				protected.Post("/scheduled-messages/update", protectedWithPrivilege(Writer, updateScheduledMessages))
-
-				protected.Post("/edit-channel-info", protectedWithPrivilege(Moderator, editChannelInfo))
-				protected.Get("/statistics", protectedWithPrivilege(Moderator, getStatistics))
-				protected.Post("/set-emojis", protectedWithPrivilege(Moderator, setEmojis))
-
-				protected.Post("/statistics/reset", protectedWithPrivilege(Admin, resetStatistics))
-				protected.Get("/privilegs-users/get-list", protectedWithPrivilege(Admin, getPrivilegeUsersList))
-				protected.Post("/privilegs-users/set", protectedWithPrivilege(Admin, setPrivilegeUsers))
-				protected.Get("/settings/get", protectedWithPrivilege(Admin, getSettings))
-				protected.Post("/settings/set", protectedWithPrivilege(Admin, setSettings))
-				protected.Get("/magnet/stats", protectedWithPrivilege(Admin, getMagnetStats))
-				protected.Get("/reports/get", protectedWithPrivilege(Admin, getReports))
-				protected.Post("/reports/set", protectedWithPrivilege(Admin, setReports))
+	// Super admin routes
+	r.Route("/api/super-admin", func(r chi.Router) {
+		r.Use(checkLogin)
+		r.Use(requireSuperAdmin)
+
+		r.Get("/channels", listChannels)
+		r.Post("/channels/create", createChannel)
+		r.Get("/channels/{slug}", getSuperAdminChannel)
+		r.Delete("/channels/{slug}", deleteChannel)
+		r.Put("/channels/{slug}/features", updateChannelFeatures)
+		r.Get("/channels/{slug}/users", superAdminGetChannelUsers)
+		r.Post("/channels/{slug}/users", superAdminSetChannelUsers)
+		r.Get("/users/list", getPrivilegeUsersList)
+		r.Post("/users/set", setPrivilegeUsers)
+		r.Get("/global-settings/get", getGlobalSettings)
+		r.Post("/global-settings/set", setGlobalSettings)
+		r.Get("/magnet/stats", getMagnetStats)
+		r.Post("/statistics/reset", resetStatistics)
+	})
+
+	// Per-channel API import (with API key, no channel middleware needed - slug from URL)
+	r.Post("/api/channel/{slug}/import/post", addNewPost)
+
+	// Per-channel routes
+	r.Route("/api/channel/{slug}", func(r chi.Router) {
+		r.Use(channelMiddleware)
+		r.Use(channelIfRequireAuth)
+
+		r.Get("/info", getChannelInfo)
+		r.Get("/messages", getMessages)
+		r.Get("/events", getEvents)
+		r.Get("/files/{fileid}", serveFile)
+		r.Get("/emojis/list", getEmojisList)
+		r.Get("/notifications-config", getNotificationsConfig)
+		r.Get("/ads/settings", getAdsSettings)
+		r.Get("/ads/magnet", getMagnetAdsSettings)
+
+		r.Group(func(r chi.Router) {
+			r.Use(checkLogin)
+			r.Post("/notifications-subscribe", subscribeNotifications)
+			r.Post("/reactions/set-reactions", setReactions)
+			r.Post("/messages/report", reportMessage)
+			r.Get("/user-info", getUserInfo)
+
+			r.Route("/admin", func(r chi.Router) {
+				// Writer level
+				r.Post("/new", protectedWithChannelRole(RoleWriter, addMessage))
+				r.Post("/edit-message", protectedWithChannelRole(RoleWriter, updateMessage))
+				r.Get("/delete-message/{id}", protectedWithChannelRole(RoleWriter, deleteMessage))
+				r.Post("/upload", protectedWithChannelRole(RoleWriter, uploadFile))
+				r.Get("/scheduled-messages/get", protectedWithChannelRole(RoleWriter, getScheduledMessages))
+				r.Post("/scheduled-messages/update", protectedWithChannelRole(RoleWriter, updateScheduledMessages))
+
+				// Moderator level
+				r.Post("/edit-channel-info", protectedWithChannelRole(RoleModerator, editChannelInfo))
+				r.Get("/statistics", protectedWithChannelRole(RoleModerator, getStatistics))
+				r.Post("/set-emojis", protectedWithChannelRole(RoleModerator, setEmojis))
+				r.Get("/reports/get", protectedWithChannelRole(RoleModerator, getReports))
+				r.Post("/reports/set", protectedWithChannelRole(RoleModerator, setReports))
+
+				// Owner level
+				r.Get("/settings/get", protectedWithChannelRole(RoleOwner, getSettings))
+				r.Post("/settings/set", protectedWithChannelRole(RoleOwner, setSettings))
+				r.Get("/users/get", protectedWithChannelRole(RoleOwner, getChannelUsers))
+				r.Post("/users/set", protectedWithChannelRole(RoleOwner, setChannelUsers))
 			})
 		})
 	})
 
-	if settingConfig.RootStaticFolder != "" {
+	if settingConfig != nil && settingConfig.RootStaticFolder != "" {
 		r.Handle("/assets/*", http.StripPrefix("/assets/", http.FileServer(http.Dir(settingConfig.RootStaticFolder))))
 		r.NotFound(serveSpaFile)
 	}
@@ -126,6 +133,10 @@ func main() {
 }
 
 func serveSpaFile(w http.ResponseWriter, r *http.Request) {
+	if settingConfig == nil || settingConfig.RootStaticFolder == "" {
+		http.Error(w, "File not found", http.StatusNotFound)
+		return
+	}
 	htmlPath := filepath.Join(settingConfig.RootStaticFolder, "index.html")
 	content, err := os.ReadFile(htmlPath)
 	if err != nil {
diff --git a/backend/messages.go b/backend/messages.go
index 4f56b7e..41b6121 100644
--- a/backend/messages.go
+++ b/backend/messages.go
@@ -16,6 +16,9 @@ func getMessages(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
+	slug := channelSlugFromCtx(r)
+	ch := channelFromCtx(r)
+
 	offsetFromClient := r.URL.Query().Get("offset")
 	limitFromClient := r.URL.Query().Get("limit")
 	direction := r.URL.Query().Get("direction")
@@ -30,7 +33,10 @@ func getMessages(w http.ResponseWriter, r *http.Request) {
 		limit = 20
 	}
 
-	messages, err := funcGetMessageRange(ctx, int64(offset), int64(limit), checkPrivilege(r, Writer), settingConfig.CountViews, direction)
+	isAdmin := hasChannelRole(r, slug, RoleWriter)
+	countViews := ch != nil && ch.Features.CountViews
+
+	messages, err := funcGetMessageRange(ctx, slug, int64(offset), int64(limit), isAdmin, countViews, direction)
 	if err != nil {
 		log.Printf("Failed to get messages: %v\n", err)
 		http.Error(w, "error", http.StatusInternalServerError)
@@ -40,13 +46,15 @@ func getMessages(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(messages)
 
-	addViewsToMessages(ctx, messages)
+	addViewsToMessages(ctx, slug, countViews, messages)
 }
 
 func addMessage(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
+	slug := channelSlugFromCtx(r)
+
 	var message Message
 	var err error
 	defer r.Body.Close()
@@ -61,7 +69,7 @@ func addMessage(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	message.ID = getMessageNextId(ctx)
+	message.ID = getMessageNextId(ctx, slug)
 	message.Type = body.Type
 	message.Author = user.PublicName
 	message.AuthorId = user.ID
@@ -71,14 +79,14 @@ func addMessage(w http.ResponseWriter, r *http.Request) {
 	message.Views = 0
 	message.IsAds = body.IsAds
 
-	if err = setMessage(ctx, &message, false); err != nil {
+	if err = setMessage(ctx, slug, &message, false); err != nil {
 		log.Printf("Failed to set new message: %v\n", err)
 		http.Error(w, "error", http.StatusInternalServerError)
 		return
 	}
 
-	go SendWebhook(context.Background(), "create", &message)
-	go pushFcmMessage(&message)
+	go SendWebhook(context.Background(), slug, "create", &message)
+	go pushFcmMessage(slug, &message)
 
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(message)
@@ -88,6 +96,8 @@ func updateMessage(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
+	slug := channelSlugFromCtx(r)
+
 	var err error
 	defer r.Body.Close()
 
@@ -100,13 +110,13 @@ func updateMessage(w http.ResponseWriter, r *http.Request) {
 
 	body.LastEdit = time.Now()
 
-	if err := setMessage(ctx, &body, true); err != nil {
+	if err := setMessage(ctx, slug, &body, true); err != nil {
 		response := Response{Success: false}
 		json.NewEncoder(w).Encode(response)
 		return
 	}
 
-	go SendWebhook(context.Background(), "update", &body)
+	go SendWebhook(context.Background(), slug, "update", &body)
 
 	response := Response{Success: true}
 	json.NewEncoder(w).Encode(response)
@@ -116,18 +126,19 @@ func deleteMessage(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
+	slug := channelSlugFromCtx(r)
 	id := chi.URLParam(r, "id")
 
 	idInt, _ := strconv.Atoi(id)
 	message := Message{ID: idInt, Deleted: true}
 
-	if err := funcDeleteMessage(ctx, id); err != nil {
+	if err := funcDeleteMessage(ctx, slug, id); err != nil {
 		response := Response{Success: false}
 		json.NewEncoder(w).Encode(response)
 		return
 	}
 
-	go SendWebhook(context.Background(), "delete", &message)
+	go SendWebhook(context.Background(), slug, "delete", &message)
 
 	response := Response{Success: true}
 	json.NewEncoder(w).Encode(response)
@@ -140,6 +151,8 @@ func getEvents(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	slug := channelSlugFromCtx(r)
+
 	clientCtx := r.Context()
 	heartbeat := time.NewTicker(25 * time.Second)
 	defer heartbeat.Stop()
@@ -155,10 +168,11 @@ func getEvents(w http.ResponseWriter, r *http.Request) {
 	}
 	flusher.Flush()
 
-	go increaseCounterSSE()
-	defer decreaseCounterSSE()
+	go increaseCounterSSE(slug)
+	defer decreaseCounterSSE(slug)
 
-	pubsub := rdb.Subscribe(r.Context(), "events")
+	eventChannel := fmt.Sprintf("events:%s", slug)
+	pubsub := rdb.Subscribe(r.Context(), eventChannel)
 	defer pubsub.Close()
 
 	if _, err := pubsub.Receive(clientCtx); err != nil {
diff --git a/backend/notifications.go b/backend/notifications.go
index 045c691..aecfb7e 100644
--- a/backend/notifications.go
+++ b/backend/notifications.go
@@ -43,6 +43,7 @@ type NotificationsConfig struct {
 }
 
 func getNotificationsConfig(w http.ResponseWriter, r *http.Request) {
+	// Notifications config uses global FCM/VAPID settings
 	response := NotificationsConfig{
 		EnableNotifications: settingConfig.OnNotification,
 		VAPID:               settingConfig.VAPID,
@@ -121,6 +122,8 @@ func getFirebaseMessagingSW(w http.ResponseWriter, r *http.Request) {
 }
 
 func subscribeNotifications(w http.ResponseWriter, r *http.Request) {
+	slug := channelSlugFromCtx(r)
+
 	var req struct {
 		Token string `json:"token"`
 	}
@@ -135,7 +138,7 @@ func subscribeNotifications(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if err := addSubscription(req.Token); err != nil {
+	if err := addSubscription(slug, req.Token); err != nil {
 		http.Error(w, "Failed to subscribe to notifications", http.StatusInternalServerError)
 		return
 	}
@@ -147,16 +150,15 @@ func subscribeNotifications(w http.ResponseWriter, r *http.Request) {
 	json.NewEncoder(w).Encode(response)
 }
 
-func pushFcmMessage(m *Message) {
+func pushFcmMessage(slug string, m *Message) {
 	if !settingConfig.OnNotification {
-
 		return
 	}
 
 	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
 	defer cancel()
 
-	list, err := getSubcriptionsList()
+	list, err := getSubcriptionsList(slug)
 	if err != nil {
 		log.Println("Failed to get subscription list:", err)
 		return
@@ -167,7 +169,7 @@ func pushFcmMessage(m *Message) {
 		return
 	}
 
-	channelName, err := getChannelDetails(ctx)
+	channelName, err := getChannelDetails(ctx, slug)
 	if err != nil {
 		log.Println("Failed to get channel details:", err)
 		return
@@ -221,8 +223,5 @@ func pushFcmMessage(m *Message) {
 		}
 		log.Printf("Push notification sent to %d tokens: \n", r.SuccessCount)
 		log.Printf("Failed to send to %d tokens: \n", r.FailureCount)
-		// for _, resp := range r.Responses {
-		// 	log.Printf("Response: %s, Error: %v\n", resp.MessageID, resp.Error)
-		// }
 	}
 }
diff --git a/backend/reactions.go b/backend/reactions.go
index 26dcc42..e15469a 100644
--- a/backend/reactions.go
+++ b/backend/reactions.go
@@ -14,28 +14,20 @@ func (r Reactions) MarshalBinary() ([]byte, error) {
 	return json.Marshal(r)
 }
 
-var emojis []string = []string{}
-
-func init() {
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	e, err := dbGetEmojisList(ctx)
+func isAllowedEmoji(ctx context.Context, slug, emoji string) bool {
+	list, err := dbGetEmojisList(ctx, slug)
 	if err != nil {
-		panic("Failed to load emojis list: " + err.Error())
+		return false
 	}
-
-	emojis = e
-}
-
-func isAllowedEmoji(emoji string) bool {
-	return slices.Contains(emojis, emoji)
+	return slices.Contains(list, emoji)
 }
 
 func setReactions(w http.ResponseWriter, r *http.Request) {
 	session, _ := store.Get(r, cookieName)
 	userId := session.Values["user"].(Session).ID
 
+	slug := channelSlugFromCtx(r)
+
 	var req struct {
 		MessageID int    `json:"messageId"`
 		Emoji     string `json:"emoji"`
@@ -46,15 +38,15 @@ func setReactions(w http.ResponseWriter, r *http.Request) {
 	}
 	defer r.Body.Close()
 
-	if req.MessageID <= 0 || !isAllowedEmoji(req.Emoji) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	if req.MessageID <= 0 || !isAllowedEmoji(ctx, slug, req.Emoji) {
 		http.Error(w, "Invalid message ID or reactions", http.StatusBadRequest)
 		return
 	}
 
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-	defer cancel()
-
-	if err := setReaction(ctx, req.MessageID, req.Emoji, userId); err != nil {
+	if err := setReaction(ctx, slug, req.MessageID, req.Emoji, userId); err != nil {
 		http.Error(w, "Failed to set reactions", http.StatusInternalServerError)
 		return
 	}
@@ -66,14 +58,27 @@ func setReactions(w http.ResponseWriter, r *http.Request) {
 }
 
 func getEmojisList(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	slug := channelSlugFromCtx(r)
+
+	list, err := dbGetEmojisList(ctx, slug)
+	if err != nil {
+		http.Error(w, "Failed to get emojis list", http.StatusInternalServerError)
+		return
+	}
+
 	w.Header().Set("Content-Type", "application/json")
-	json.NewEncoder(w).Encode(emojis)
+	json.NewEncoder(w).Encode(list)
 }
 
 func setEmojis(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
+	slug := channelSlugFromCtx(r)
+
 	req := struct {
 		Emojis []string `json:"emojis"`
 	}{}
@@ -84,18 +89,11 @@ func setEmojis(w http.ResponseWriter, r *http.Request) {
 	}
 	defer r.Body.Close()
 
-	// if len(req.Emojis) == 0 {
-	// 	http.Error(w, "No emojis provided", http.StatusBadRequest)
-	// 	return
-	// }
-
-	if err := dbSetEmojisList(ctx, req.Emojis); err != nil {
+	if err := dbSetEmojisList(ctx, slug, req.Emojis); err != nil {
 		http.Error(w, "Failed to set emojis", http.StatusInternalServerError)
 		return
 	}
 
-	emojis = req.Emojis
-
 	var res Response
 	res.Success = true
 
diff --git a/backend/report.go b/backend/report.go
index e98f8d1..6fa2b15 100644
--- a/backend/report.go
+++ b/backend/report.go
@@ -39,6 +39,8 @@ func reportMessage(w http.ResponseWriter, r *http.Request) {
 	defer cancel()
 	defer r.Body.Close()
 
+	slug := channelSlugFromCtx(r)
+
 	var report Report
 	if err := json.NewDecoder(r.Body).Decode(&report); err != nil {
 		http.Error(w, "Invalid request body", http.StatusBadRequest)
@@ -56,7 +58,7 @@ func reportMessage(w http.ResponseWriter, r *http.Request) {
 	report.ReportedEmail = s.Email
 	report.ReporterName = s.Username
 
-	if err := dbReportMessage(ctx, &report); err != nil {
+	if err := dbReportMessage(ctx, slug, &report); err != nil {
 		log.Println("Error saving report:", err)
 		http.Error(w, "Error saving report", http.StatusInternalServerError)
 		return
@@ -72,13 +74,15 @@ func getReports(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
+	slug := channelSlugFromCtx(r)
+
 	status := ReportStatus(r.URL.Query().Get("status"))
 	if !status.IsValid() {
 		http.Error(w, "Invalid status", http.StatusBadRequest)
 		return
 	}
 
-	reports, err := dbGetReports(ctx, status)
+	reports, err := dbGetReports(ctx, slug, status)
 	if err != nil {
 		log.Printf("Error retrieving reports: %v\n", err)
 		http.Error(w, "Error retrieving reports", http.StatusInternalServerError)
@@ -93,6 +97,9 @@ func setReports(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 	defer r.Body.Close()
+
+	slug := channelSlugFromCtx(r)
+
 	var report Report
 	if err := json.NewDecoder(r.Body).Decode(&report); err != nil {
 		http.Error(w, "Invalid request body", http.StatusBadRequest)
@@ -101,7 +108,7 @@ func setReports(w http.ResponseWriter, r *http.Request) {
 
 	report.UpdatedAt = time.Now()
 
-	if err := dbSetReports(ctx, &report); err != nil {
+	if err := dbSetReports(ctx, slug, &report); err != nil {
 		http.Error(w, "Error saving reports", http.StatusInternalServerError)
 		return
 	}
diff --git a/backend/scheduled.go b/backend/scheduled.go
index 586db4d..ff44709 100644
--- a/backend/scheduled.go
+++ b/backend/scheduled.go
@@ -12,38 +12,47 @@ func init() {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()
 		for range ticker.C {
-			ctxGet, cancelGet := context.WithTimeout(context.Background(), 5*time.Second)
-			list, err := dbGetScheduledMessages(ctxGet)
-			cancelGet()
+			ctxList, cancelList := context.WithTimeout(context.Background(), 5*time.Second)
+			channels, err := dbListChannels(ctxList)
+			cancelList()
 			if err != nil {
 				continue
 			}
 
-			now := time.Now()
-			newList := make([]Message, 0)
-			for _, msg := range *list {
-				if msg.Timestamp.Before(now) {
-					go func(m *Message) {
-						ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-						defer cancel()
+			for _, ch := range channels {
+				slug := ch.Slug
+				ctxGet, cancelGet := context.WithTimeout(context.Background(), 5*time.Second)
+				list, err := dbGetScheduledMessages(ctxGet, slug)
+				cancelGet()
+				if err != nil {
+					continue
+				}
+
+				now := time.Now()
+				newList := make([]Message, 0)
+				for _, msg := range *list {
+					if msg.Timestamp.Before(now) {
+						go func(m *Message, s string) {
+							ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+							defer cancel()
 
-						m.ID = getMessageNextId(ctx)
-						m.Timestamp = time.Now()
-						m.Author = "Scheduled"
-						m.AuthorId = "0"
-						setMessage(ctx, m, false)
-						go SendWebhook(context.Background(), "create", m)
-						go pushFcmMessage(m)
-					}(&msg)
-					//*list = slices.Delete(*list, i, i+1)
-				} else {
-					newList = append(newList, msg)
+							m.ID = getMessageNextId(ctx, s)
+							m.Timestamp = time.Now()
+							m.Author = "Scheduled"
+							m.AuthorId = "0"
+							setMessage(ctx, s, m, false)
+							go SendWebhook(context.Background(), s, "create", m)
+							go pushFcmMessage(s, m)
+						}(&msg, slug)
+					} else {
+						newList = append(newList, msg)
+					}
 				}
-			}
 
-			ctxSave, cancelSave := context.WithTimeout(context.Background(), 5*time.Second)
-			dbSaveScheduledMessages(ctxSave, &newList)
-			cancelSave()
+				ctxSave, cancelSave := context.WithTimeout(context.Background(), 5*time.Second)
+				dbSaveScheduledMessages(ctxSave, slug, &newList)
+				cancelSave()
+			}
 		}
 	}()
 }
@@ -52,7 +61,9 @@ func getScheduledMessages(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
 	defer cancel()
 
-	messages, err := dbGetScheduledMessages(ctx)
+	slug := channelSlugFromCtx(r)
+
+	messages, err := dbGetScheduledMessages(ctx, slug)
 	if err != nil {
 		http.Error(w, "error getting messages", http.StatusInternalServerError)
 		return
@@ -67,13 +78,15 @@ func updateScheduledMessages(w http.ResponseWriter, r *http.Request) {
 	defer cancel()
 	defer r.Body.Close()
 
+	slug := channelSlugFromCtx(r)
+
 	var messages []Message
 	if err := json.NewDecoder(r.Body).Decode(&messages); err != nil {
 		http.Error(w, "error decoding messages", http.StatusBadRequest)
 		return
 	}
 
-	if err := dbSaveScheduledMessages(ctx, &messages); err != nil {
+	if err := dbSaveScheduledMessages(ctx, slug, &messages); err != nil {
 		http.Error(w, "error saving messages", http.StatusInternalServerError)
 		return
 	}
diff --git a/backend/settings.go b/backend/settings.go
index 71389f0..3ebc3d7 100644
--- a/backend/settings.go
+++ b/backend/settings.go
@@ -57,6 +57,7 @@ type Setting struct {
 	Value any    `json:"value"`
 }
 
+// settingConfig is the global config (FCM/VAPID/global notifications)
 var settingConfig *SettingConfig
 
 type Settings []Setting
@@ -65,7 +66,7 @@ func init() {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	s, err := dbGetSettings(ctx)
+	s, err := dbGetGlobalSettings(ctx)
 	if err != nil {
 		panic("Failed to load settings from database: " + err.Error())
 	}
@@ -243,23 +244,33 @@ func (s *Setting) GetInt() int64 {
 	return i
 }
 
+// getChannelConfig loads per-channel settings from DB and returns a SettingConfig
+func getChannelConfig(ctx context.Context, slug string) *SettingConfig {
+	s, err := dbGetSettings(ctx, slug)
+	if err != nil {
+		return &SettingConfig{FcmJson: &FcmJsonConfing{}}
+	}
+	return s.ToConfig()
+}
+
+// Per-channel settings handlers (owner level)
 func setSettings(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
+	slug := channelSlugFromCtx(r)
+
 	var newSettings Settings
 	if err := json.NewDecoder(r.Body).Decode(&newSettings); err != nil {
 		http.Error(w, "error decoding settings", http.StatusBadRequest)
 		return
 	}
 
-	if err := dbSetSettings(ctx, &newSettings); err != nil {
+	if err := dbSetSettings(ctx, slug, &newSettings); err != nil {
 		http.Error(w, "error saving settings", http.StatusInternalServerError)
 		return
 	}
 
-	settingConfig = newSettings.ToConfig()
-
 	res := Response{
 		Success: true,
 	}
@@ -271,7 +282,9 @@ func getSettings(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	s, err := dbGetSettings(ctx)
+	slug := channelSlugFromCtx(r)
+
+	s, err := dbGetSettings(ctx, slug)
 	if err != nil {
 		http.Error(w, "error getting settings", http.StatusInternalServerError)
 		return
@@ -280,3 +293,42 @@ func getSettings(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(s)
 }
+
+// Global settings handlers (super admin level)
+func getGlobalSettings(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	s, err := dbGetGlobalSettings(ctx)
+	if err != nil {
+		http.Error(w, "error getting global settings", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(s)
+}
+
+func setGlobalSettings(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	var newSettings Settings
+	if err := json.NewDecoder(r.Body).Decode(&newSettings); err != nil {
+		http.Error(w, "error decoding settings", http.StatusBadRequest)
+		return
+	}
+
+	if err := dbSetGlobalSettings(ctx, &newSettings); err != nil {
+		http.Error(w, "error saving global settings", http.StatusInternalServerError)
+		return
+	}
+
+	settingConfig = newSettings.ToConfig()
+
+	res := Response{
+		Success: true,
+	}
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(res)
+}
diff --git a/backend/statistics.go b/backend/statistics.go
index 87d905a..58ed51a 100644
--- a/backend/statistics.go
+++ b/backend/statistics.go
@@ -13,6 +13,11 @@ var openSSEConnections = atomic.Int64{}
 var peakSSEConnections = &PeakSSEConnections{}
 var peakMu = sync.Mutex{}
 
+// Per-channel SSE counters
+var channelSSEConnections sync.Map // slug -> *atomic.Int64
+var channelPeakSSE sync.Map        // slug -> *PeakSSEConnections
+var channelPeakMu sync.Map         // slug -> *sync.Mutex
+
 type PeakSSEConnections struct {
 	Value     int64     `json:"value" redis:"value"`
 	Timestamp time.Time `json:"timestamp" redis:"timestamp"`
@@ -22,14 +27,38 @@ type Statistics struct {
 	Labels []string `json:"labels"`
 }
 
+func getOrCreateChannelCounter(slug string) *atomic.Int64 {
+	v, _ := channelSSEConnections.LoadOrStore(slug, &atomic.Int64{})
+	return v.(*atomic.Int64)
+}
+
+func getOrCreateChannelPeak(slug string) (*PeakSSEConnections, *sync.Mutex) {
+	mu, _ := channelPeakMu.LoadOrStore(slug, &sync.Mutex{})
+	m := mu.(*sync.Mutex)
+
+	peak, loaded := channelPeakSSE.LoadOrStore(slug, &PeakSSEConnections{})
+	if !loaded {
+		// Try to load from DB
+		ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+		defer cancel()
+		if p, err := dbGetPeakSSEConnections(ctx, slug); err == nil && p != nil {
+			peak = p
+			channelPeakSSE.Store(slug, p)
+		}
+	}
+	return peak.(*PeakSSEConnections), m
+}
+
 func init() {
+	// Global peak initialization (legacy - for backward compat)
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	p, _ := dbGetPeakSSEConnections(ctx)
+	// Try to load from a default channel or just use zero values
+	_ = ctx
 	peakMu.Lock()
 	defer peakMu.Unlock()
-	peakSSEConnections = p
+	// peakSSEConnections remains zero-valued if no default slug
 }
 
 func statLogger() {
@@ -37,48 +66,65 @@ func statLogger() {
 	for {
 		new := openSSEConnections.Load()
 		if old != new {
-			dbSaveSSEStatistics(new)
 			old = new
 		}
 		time.Sleep(5 * time.Minute)
 	}
 }
 
-func increaseCounterSSE() {
-	new := openSSEConnections.Add(1)
-
-	peakMu.Lock()
-	defer peakMu.Unlock()
-	if new > peakSSEConnections.Value {
-		peakSSEConnections.Value = new
-		peakSSEConnections.Timestamp = time.Now()
-		peak := *peakSSEConnections
-		go dbSavePeakSSEConnections(&peak)
+func increaseCounterSSE(slug string) {
+	// Global counter
+	openSSEConnections.Add(1)
+
+	// Per-channel counter
+	counter := getOrCreateChannelCounter(slug)
+	newVal := counter.Add(1)
+
+	peak, mu := getOrCreateChannelPeak(slug)
+	mu.Lock()
+	defer mu.Unlock()
+	if newVal > peak.Value {
+		peak.Value = newVal
+		peak.Timestamp = time.Now()
+		p := *peak
+		go dbSavePeakSSEConnections(slug, &p)
 	}
+
+	// Save stat
+	go dbSaveSSEStatistics(slug, newVal)
 }
 
-func decreaseCounterSSE() {
+func decreaseCounterSSE(slug string) {
 	openSSEConnections.Add(-1)
+
+	counter := getOrCreateChannelCounter(slug)
+	newVal := counter.Add(-1)
+	go dbSaveSSEStatistics(slug, newVal)
 }
 
 func getStatistics(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
 	defer cancel()
 
-	amount, err := dbGetUsersAmount(ctx)
+	slug := channelSlugFromCtx(r)
+
+	amount, err := dbGetUsersAmount(ctx, slug)
 	if err != nil {
 		http.Error(w, "error", http.StatusInternalServerError)
 		return
 	}
 
-	s, err := dbGetSSEStatistics(ctx, 1000)
+	s, err := dbGetSSEStatistics(ctx, slug, 1000)
 	if err != nil {
 		http.Error(w, "error", http.StatusInternalServerError)
 		return
 	}
 
-	peakMu.Lock()
-	defer peakMu.Unlock()
+	counter := getOrCreateChannelCounter(slug)
+	peak, mu := getOrCreateChannelPeak(slug)
+
+	mu.Lock()
+	defer mu.Unlock()
 
 	response := struct {
 		UsersAmount           int64               `json:"usersAmount"`
@@ -87,8 +133,8 @@ func getStatistics(w http.ResponseWriter, r *http.Request) {
 		ConnectionsStatistics Statistics          `json:"connectionsStatistics"`
 	}{
 		UsersAmount:           amount,
-		ConnectedUsersAmount:  openSSEConnections.Load(),
-		PeakSSEConnections:    peakSSEConnections,
+		ConnectedUsersAmount:  counter.Load(),
+		PeakSSEConnections:    peak,
 		ConnectionsStatistics: *s,
 	}
 
@@ -101,8 +147,6 @@ func resetStatistics(w http.ResponseWriter, r *http.Request) {
 	defer peakMu.Unlock()
 	peakSSEConnections.Value = 0
 	peakSSEConnections.Timestamp = time.Time{}
-	p := *peakSSEConnections
-	go dbSavePeakSSEConnections(&p)
 
 	var response Response
 	response.Success = true
diff --git a/backend/webhook.go b/backend/webhook.go
index bea610e..def48f5 100644
--- a/backend/webhook.go
+++ b/backend/webhook.go
@@ -10,9 +10,6 @@ import (
 	"time"
 )
 
-// var webhookURL string = os.Getenv("WEBHOOK_URL")
-// var verifyToken string = os.Getenv("WEBHOOK_VERIFY_TOKEN")
-
 type WebhookPayload struct {
 	Action      string    `json:"action"`
 	Message     Message   `json:"message"`
@@ -20,8 +17,13 @@ type WebhookPayload struct {
 	VerifyToken string    `json:"verifyToken"`
 }
 
-func SendWebhook(ctx context.Context, action string, message *Message) {
-	if settingConfig.WebhookURL == "" {
+func SendWebhook(ctx context.Context, slug string, action string, message *Message) {
+	// Load per-channel config for webhook settings
+	chCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+	defer cancel()
+
+	cfg := getChannelConfig(chCtx, slug)
+	if cfg.WebhookURL == "" {
 		return
 	}
 
@@ -29,7 +31,7 @@ func SendWebhook(ctx context.Context, action string, message *Message) {
 		Action:      action,
 		Message:     *message,
 		Timestamp:   time.Now(),
-		VerifyToken: settingConfig.VerifyToken,
+		VerifyToken: cfg.VerifyToken,
 	}
 
 	jsonData, err := json.Marshal(payload)
@@ -38,10 +40,10 @@ func SendWebhook(ctx context.Context, action string, message *Message) {
 		return
 	}
 
-	httpCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
-	defer cancel()
+	httpCtx, httpCancel := context.WithTimeout(ctx, 5*time.Second)
+	defer httpCancel()
 
-	req, err := http.NewRequestWithContext(httpCtx, "POST", settingConfig.WebhookURL, bytes.NewBuffer(jsonData))
+	req, err := http.NewRequestWithContext(httpCtx, "POST", cfg.WebhookURL, bytes.NewBuffer(jsonData))
 	if err != nil {
 		log.Printf("Error creating webhook request: %v\n", err)
 		return

From 257df5820a83780bdb274a3d829b1ddbb8ed0ca5 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 17 May 2026 17:55:51 +0000
Subject: [PATCH 20/60] Add global Magnet ads override system for super admin

- ChannelFeatures: add MagnetLockedByAdmin bool (set by super admin only)
- db.go: add GlobalMagnetConfig struct + dbGetGlobalMagnetConfig/dbSetGlobalMagnetConfig
  stored at global:magnet:config
- ads.go: getMagnetAdsSettings now checks if channel is locked (LockAll, LockedChannels
  list, or MagnetLockedByAdmin flag) and returns global config instead of channel config
- ads.go: add getGlobalMagnetConfig/setGlobalMagnetConfig handlers for super admin
- ads.go: syncMagnetLockFlags goroutine syncs MagnetLockedByAdmin on all channels
  when super admin saves global config
- getMagnetStats now reads API key from global magnet config
- main.go: add GET/POST /api/super-admin/magnet/config routes

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 backend/ads.go      | 124 +++++++++++++++++++++++++++++++++++++++-----
 backend/channels.go |  21 ++++----
 backend/db.go       |  37 +++++++++++++
 backend/main.go     |   2 +
 4 files changed, 160 insertions(+), 24 deletions(-)

diff --git a/backend/ads.go b/backend/ads.go
index b132e1f..492e7dd 100644
--- a/backend/ads.go
+++ b/backend/ads.go
@@ -6,6 +6,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"slices"
 	"time"
 )
 
@@ -40,44 +41,139 @@ type MagnetAdsSettings struct {
 	MinMessagesSinceLast int64  `json:"minMessagesSinceLast"`
 }
 
+// isChannelMagnetLocked returns true if the super admin has locked magnet settings for this channel.
+func isChannelMagnetLocked(globalMagnet *GlobalMagnetConfig, ch *ChannelData) bool {
+	if globalMagnet.LockAll {
+		return true
+	}
+	if ch != nil && ch.Features.MagnetLockedByAdmin {
+		return true
+	}
+	return slices.Contains(globalMagnet.LockedChannels, ch.Slug)
+}
+
 func getMagnetAdsSettings(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
 	slug := channelSlugFromCtx(r)
-	cfg := getChannelConfig(ctx, slug)
+	ch := channelFromCtx(r)
 
-	settings := MagnetAdsSettings{
-		Enabled:              cfg.MagnetEnabled,
-		Mode:                 cfg.MagnetMode,
-		PerMessages:          cfg.MagnetPerMessages,
-		MinTimeSeconds:       cfg.MagnetMinTimeSeconds,
-		PerSeconds:           cfg.MagnetPerSeconds,
-		MinMessagesSinceLast: cfg.MagnetMinMessagesSince,
+	globalMagnet, err := dbGetGlobalMagnetConfig(ctx)
+	if err != nil {
+		globalMagnet = &GlobalMagnetConfig{}
 	}
 
-	if settings.Enabled {
-		settings.Snippet = cfg.MagnetSnippet
+	var settings MagnetAdsSettings
+
+	if isChannelMagnetLocked(globalMagnet, ch) {
+		// Super admin override: use global magnet config
+		settings = MagnetAdsSettings{
+			Enabled:              globalMagnet.Enabled,
+			Mode:                 globalMagnet.Mode,
+			PerMessages:          globalMagnet.PerMessages,
+			MinTimeSeconds:       globalMagnet.MinTimeSeconds,
+			PerSeconds:           globalMagnet.PerSeconds,
+			MinMessagesSinceLast: globalMagnet.MinMessagesSinceLast,
+		}
+		if settings.Enabled {
+			settings.Snippet = globalMagnet.Snippet
+		}
+	} else {
+		// Use channel's own magnet settings
+		cfg := getChannelConfig(ctx, slug)
+		settings = MagnetAdsSettings{
+			Enabled:              cfg.MagnetEnabled,
+			Mode:                 cfg.MagnetMode,
+			PerMessages:          cfg.MagnetPerMessages,
+			MinTimeSeconds:       cfg.MagnetMinTimeSeconds,
+			PerSeconds:           cfg.MagnetPerSeconds,
+			MinMessagesSinceLast: cfg.MagnetMinMessagesSince,
+		}
+		if settings.Enabled {
+			settings.Snippet = cfg.MagnetSnippet
+		}
 	}
 
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(settings)
 }
 
+// getGlobalMagnetConfig – super admin: read global magnet config
+func getGlobalMagnetConfig(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	cfg, err := dbGetGlobalMagnetConfig(ctx)
+	if err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(cfg)
+}
+
+// setGlobalMagnetConfig – super admin: save global magnet config + lock rules
+func setGlobalMagnetConfig(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	var cfg GlobalMagnetConfig
+	if err := json.NewDecoder(r.Body).Decode(&cfg); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+	defer r.Body.Close()
+
+	if err := dbSetGlobalMagnetConfig(ctx, &cfg); err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	// Sync MagnetLockedByAdmin flag on each affected channel's features
+	go syncMagnetLockFlags(&cfg)
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(Response{Success: true})
+}
+
+// syncMagnetLockFlags updates MagnetLockedByAdmin on all channels based on the new global config.
+// Called in a goroutine after saving global magnet config.
+func syncMagnetLockFlags(globalMagnet *GlobalMagnetConfig) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	channels, err := dbListChannels(ctx)
+	if err != nil {
+		return
+	}
+
+	for _, ch := range channels {
+		shouldLock := globalMagnet.LockAll || slices.Contains(globalMagnet.LockedChannels, ch.Slug)
+		if ch.Features.MagnetLockedByAdmin != shouldLock {
+			ch.Features.MagnetLockedByAdmin = shouldLock
+			dbSetChannelFeatures(ctx, ch.Slug, &ch.Features)
+		}
+	}
+}
+
 const magnetStatsURL = "https://rucltqmtefvlrjhbedqu.supabase.co/functions/v1/publisher-stats"
 
 var magnetStatsClient = &http.Client{Timeout: 15 * time.Second}
 
 func getMagnetStats(w http.ResponseWriter, r *http.Request) {
-	// Magnet stats uses global settingConfig
-	apiKey := settingConfig.MagnetApiKey
-	if apiKey == "" {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	globalMagnet, err := dbGetGlobalMagnetConfig(ctx)
+	if err != nil || globalMagnet.ApiKey == "" {
 		http.Error(w, `{"error":"missing_api_key","message":"Magnet API key is not configured"}`, http.StatusBadRequest)
 		return
 	}
 
 	q := url.Values{}
-	q.Set("k", apiKey)
+	q.Set("k", globalMagnet.ApiKey)
 	reqURL := magnetStatsURL + "?" + q.Encode()
 
 	req, err := http.NewRequestWithContext(r.Context(), http.MethodGet, reqURL, nil)
diff --git a/backend/channels.go b/backend/channels.go
index 36a64cc..51395ef 100644
--- a/backend/channels.go
+++ b/backend/channels.go
@@ -12,16 +12,17 @@ import (
 )
 
 type ChannelFeatures struct {
-	Reactions         bool `json:"reactions"`
-	FileUploads       bool `json:"fileUploads"`
-	Reports           bool `json:"reports"`
-	Ads               bool `json:"ads"`
-	Notifications     bool `json:"notifications"`
-	RequireAuth       bool `json:"requireAuth"`
-	RequireAuthFiles  bool `json:"requireAuthFiles"`
-	CountViews        bool `json:"countViews"`
-	ScheduledMessages bool `json:"scheduledMessages"`
-	Webhook           bool `json:"webhook"`
+	Reactions              bool `json:"reactions"`
+	FileUploads            bool `json:"fileUploads"`
+	Reports                bool `json:"reports"`
+	Ads                    bool `json:"ads"`
+	Notifications          bool `json:"notifications"`
+	RequireAuth            bool `json:"requireAuth"`
+	RequireAuthFiles       bool `json:"requireAuthFiles"`
+	CountViews             bool `json:"countViews"`
+	ScheduledMessages      bool `json:"scheduledMessages"`
+	Webhook                bool `json:"webhook"`
+	MagnetLockedByAdmin    bool `json:"magnetLockedByAdmin"` // set by super admin, owner cannot change
 }
 
 type ChannelData struct {
diff --git a/backend/db.go b/backend/db.go
index f6ca177..9eac2a9 100644
--- a/backend/db.go
+++ b/backend/db.go
@@ -946,3 +946,40 @@ func dbAssignChannelRole(ctx context.Context, email, slug string, role ChannelRo
 
 	return dbSetUsersList(ctx, users)
 }
+
+// GlobalMagnetConfig stored at global:magnet:config
+type GlobalMagnetConfig struct {
+	Enabled              bool     `json:"enabled"`
+	Snippet              string   `json:"snippet"`
+	Mode                 string   `json:"mode"`
+	PerMessages          int64    `json:"perMessages"`
+	MinTimeSeconds       int64    `json:"minTimeSeconds"`
+	PerSeconds           int64    `json:"perSeconds"`
+	MinMessagesSinceLast int64    `json:"minMessagesSinceLast"`
+	ApiKey               string   `json:"apiKey"`
+	LockAll              bool     `json:"lockAll"`          // override ALL channels
+	LockedChannels       []string `json:"lockedChannels"`   // override specific channels
+}
+
+func dbGetGlobalMagnetConfig(ctx context.Context) (*GlobalMagnetConfig, error) {
+	data, err := rdb.Get(ctx, "global:magnet:config").Result()
+	if err != nil {
+		if err == redis.Nil {
+			return &GlobalMagnetConfig{}, nil
+		}
+		return nil, err
+	}
+	var cfg GlobalMagnetConfig
+	if err := json.Unmarshal([]byte(data), &cfg); err != nil {
+		return nil, err
+	}
+	return &cfg, nil
+}
+
+func dbSetGlobalMagnetConfig(ctx context.Context, cfg *GlobalMagnetConfig) error {
+	data, err := json.Marshal(cfg)
+	if err != nil {
+		return err
+	}
+	return rdb.Set(ctx, "global:magnet:config", data, 0).Err()
+}
diff --git a/backend/main.go b/backend/main.go
index 849a458..b8e8854 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -65,6 +65,8 @@ func main() {
 		r.Post("/users/set", setPrivilegeUsers)
 		r.Get("/global-settings/get", getGlobalSettings)
 		r.Post("/global-settings/set", setGlobalSettings)
+		r.Get("/magnet/config", getGlobalMagnetConfig)
+		r.Post("/magnet/config", setGlobalMagnetConfig)
 		r.Get("/magnet/stats", getMagnetStats)
 		r.Post("/statistics/reset", resetStatistics)
 	})

From 0fabb76b4fa791a2e0c7f2d4125359a4e03abb7f Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 17 May 2026 17:56:14 +0000
Subject: [PATCH 21/60] Add backend/channel binary to .gitignore

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index c462de3..b462729 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@ frontend/node_modules/
 frontend/dist/*
 package-lock.json
 backend/__debug*
+backend/channel
 caddy_data/
 redis_data/
 channel_data/*

From ea1854a3a31784d8c4fc54120f1f0f4a6b0c2572 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 17 May 2026 17:57:27 +0000
Subject: [PATCH 22/60] Add global iframe-ads override system for super admin
 (same pattern as Magnet)

- ChannelFeatures: add AdsLockedByAdmin bool
- db.go: add GlobalAdsConfig struct + dbGetGlobalAdsConfig/dbSetGlobalAdsConfig
  stored at global:ads:config (src, width, lockAll, lockedChannels)
- ads.go: getAdsSettings checks if channel is locked and returns global src/width
- ads.go: add getGlobalAdsConfig/setGlobalAdsConfig handlers + syncAdsLockFlags goroutine
- main.go: add GET/POST /api/super-admin/ads/config routes

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 backend/ads.go      | 84 ++++++++++++++++++++++++++++++++++++++++++---
 backend/channels.go |  1 +
 backend/db.go       | 31 +++++++++++++++++
 backend/main.go     |  2 ++
 4 files changed, 114 insertions(+), 4 deletions(-)

diff --git a/backend/ads.go b/backend/ads.go
index 492e7dd..c1a4d05 100644
--- a/backend/ads.go
+++ b/backend/ads.go
@@ -15,22 +15,98 @@ type AdsSettings struct {
 	Width int64  `json:"width"`
 }
 
+// isChannelAdsLocked returns true if the super admin has locked ads settings for this channel.
+func isChannelAdsLocked(globalAds *GlobalAdsConfig, ch *ChannelData) bool {
+	if globalAds.LockAll {
+		return true
+	}
+	if ch != nil && ch.Features.AdsLockedByAdmin {
+		return true
+	}
+	return slices.Contains(globalAds.LockedChannels, ch.Slug)
+}
+
 func getAdsSettings(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
 	slug := channelSlugFromCtx(r)
-	cfg := getChannelConfig(ctx, slug)
+	ch := channelFromCtx(r)
 
-	settings := AdsSettings{
-		Src:   cfg.AdSrc,
-		Width: cfg.AdWidth,
+	globalAds, err := dbGetGlobalAdsConfig(ctx)
+	if err != nil {
+		globalAds = &GlobalAdsConfig{}
+	}
+
+	var settings AdsSettings
+	if isChannelAdsLocked(globalAds, ch) {
+		settings = AdsSettings{Src: globalAds.Src, Width: globalAds.Width}
+	} else {
+		cfg := getChannelConfig(ctx, slug)
+		settings = AdsSettings{Src: cfg.AdSrc, Width: cfg.AdWidth}
 	}
 
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(settings)
 }
 
+// getGlobalAdsConfig – super admin: read global ads config
+func getGlobalAdsConfig(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	cfg, err := dbGetGlobalAdsConfig(ctx)
+	if err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(cfg)
+}
+
+// setGlobalAdsConfig – super admin: save global ads config + lock rules
+func setGlobalAdsConfig(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	var cfg GlobalAdsConfig
+	if err := json.NewDecoder(r.Body).Decode(&cfg); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+	defer r.Body.Close()
+
+	if err := dbSetGlobalAdsConfig(ctx, &cfg); err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	go syncAdsLockFlags(&cfg)
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(Response{Success: true})
+}
+
+// syncAdsLockFlags updates AdsLockedByAdmin on all channels based on the new global config.
+func syncAdsLockFlags(globalAds *GlobalAdsConfig) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	channels, err := dbListChannels(ctx)
+	if err != nil {
+		return
+	}
+
+	for _, ch := range channels {
+		shouldLock := globalAds.LockAll || slices.Contains(globalAds.LockedChannels, ch.Slug)
+		if ch.Features.AdsLockedByAdmin != shouldLock {
+			ch.Features.AdsLockedByAdmin = shouldLock
+			dbSetChannelFeatures(ctx, ch.Slug, &ch.Features)
+		}
+	}
+}
+
 type MagnetAdsSettings struct {
 	Enabled              bool   `json:"enabled"`
 	Snippet              string `json:"snippet"`
diff --git a/backend/channels.go b/backend/channels.go
index 51395ef..b92b8d4 100644
--- a/backend/channels.go
+++ b/backend/channels.go
@@ -23,6 +23,7 @@ type ChannelFeatures struct {
 	ScheduledMessages      bool `json:"scheduledMessages"`
 	Webhook                bool `json:"webhook"`
 	MagnetLockedByAdmin    bool `json:"magnetLockedByAdmin"` // set by super admin, owner cannot change
+	AdsLockedByAdmin       bool `json:"adsLockedByAdmin"`    // set by super admin, owner cannot change
 }
 
 type ChannelData struct {
diff --git a/backend/db.go b/backend/db.go
index 9eac2a9..a390bc4 100644
--- a/backend/db.go
+++ b/backend/db.go
@@ -983,3 +983,34 @@ func dbSetGlobalMagnetConfig(ctx context.Context, cfg *GlobalMagnetConfig) error
 	}
 	return rdb.Set(ctx, "global:magnet:config", data, 0).Err()
 }
+
+// GlobalAdsConfig stored at global:ads:config
+type GlobalAdsConfig struct {
+	Src            string   `json:"src"`
+	Width          int64    `json:"width"`
+	LockAll        bool     `json:"lockAll"`        // override ALL channels
+	LockedChannels []string `json:"lockedChannels"` // override specific channels
+}
+
+func dbGetGlobalAdsConfig(ctx context.Context) (*GlobalAdsConfig, error) {
+	data, err := rdb.Get(ctx, "global:ads:config").Result()
+	if err != nil {
+		if err == redis.Nil {
+			return &GlobalAdsConfig{}, nil
+		}
+		return nil, err
+	}
+	var cfg GlobalAdsConfig
+	if err := json.Unmarshal([]byte(data), &cfg); err != nil {
+		return nil, err
+	}
+	return &cfg, nil
+}
+
+func dbSetGlobalAdsConfig(ctx context.Context, cfg *GlobalAdsConfig) error {
+	data, err := json.Marshal(cfg)
+	if err != nil {
+		return err
+	}
+	return rdb.Set(ctx, "global:ads:config", data, 0).Err()
+}
diff --git a/backend/main.go b/backend/main.go
index b8e8854..042ce8f 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -65,6 +65,8 @@ func main() {
 		r.Post("/users/set", setPrivilegeUsers)
 		r.Get("/global-settings/get", getGlobalSettings)
 		r.Post("/global-settings/set", setGlobalSettings)
+		r.Get("/ads/config", getGlobalAdsConfig)
+		r.Post("/ads/config", setGlobalAdsConfig)
 		r.Get("/magnet/config", getGlobalMagnetConfig)
 		r.Post("/magnet/config", setGlobalMagnetConfig)
 		r.Get("/magnet/stats", getMagnetStats)

From 532f35f9d64976b1eb6d6545b93fc8328693c7ce Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 17 May 2026 18:03:10 +0000
Subject: [PATCH 23/60] Add super admin panel foundation (frontend, WIP)

- user.model.ts: add globalRole, channelRoles, publicName fields
- super-admin.service.ts: all super admin API calls
- super-admin.guard.ts: route guard (globalRole === super_admin only)
- super-admin/channels: channels list, channel features, channel users components
- super-admin/global-ads: global ads config component (partial)

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../channels/channel-features.component.html  |  37 +++++
 .../channels/channel-features.component.ts    |  91 +++++++++++
 .../channels/channel-users.component.html     |  75 +++++++++
 .../channels/channel-users.component.ts       |  85 +++++++++++
 .../channels/channels-list.component.html     |  89 +++++++++++
 .../channels/channels-list.component.ts       |  87 +++++++++++
 .../global-ads/global-ads.component.ts        |  70 +++++++++
 frontend/src/app/guards/super-admin.guard.ts  |  20 +++
 frontend/src/app/models/user.model.ts         |  16 +-
 .../src/app/services/super-admin.service.ts   | 144 ++++++++++++++++++
 10 files changed, 708 insertions(+), 6 deletions(-)
 create mode 100644 frontend/src/app/components/super-admin/channels/channel-features.component.html
 create mode 100644 frontend/src/app/components/super-admin/channels/channel-features.component.ts
 create mode 100644 frontend/src/app/components/super-admin/channels/channel-users.component.html
 create mode 100644 frontend/src/app/components/super-admin/channels/channel-users.component.ts
 create mode 100644 frontend/src/app/components/super-admin/channels/channels-list.component.html
 create mode 100644 frontend/src/app/components/super-admin/channels/channels-list.component.ts
 create mode 100644 frontend/src/app/components/super-admin/global-ads/global-ads.component.ts
 create mode 100644 frontend/src/app/guards/super-admin.guard.ts
 create mode 100644 frontend/src/app/services/super-admin.service.ts

diff --git a/frontend/src/app/components/super-admin/channels/channel-features.component.html b/frontend/src/app/components/super-admin/channels/channel-features.component.html
new file mode 100644
index 0000000..477c2da
--- /dev/null
+++ b/frontend/src/app/components/super-admin/channels/channel-features.component.html
@@ -0,0 +1,37 @@
+<nb-card>
+  <nb-card-header class="d-flex align-items-center gap-2">
+    <nb-icon icon="settings-2-outline"></nb-icon>
+    <span>תכונות ערוץ: <strong>{{ slug }}</strong></span>
+  </nb-card-header>
+
+  <nb-card-body>
+    <div class="d-flex flex-column gap-3">
+      @for (config of featureConfigs; track config.key) {
+        <div class="d-flex align-items-center gap-2">
+          @if (config.adminOnly) {
+            <nb-toggle
+              [checked]="features[config.key]"
+              (checkedChange)="features[config.key] = $event"
+              [disabled]="false">
+              <span>{{ config.label }}</span>
+            </nb-toggle>
+            <span class="badge bg-warning text-dark">מנהל-על</span>
+          } @else {
+            <nb-toggle
+              [checked]="features[config.key]"
+              (checkedChange)="features[config.key] = $event">
+              <span>{{ config.label }}</span>
+            </nb-toggle>
+          }
+        </div>
+      }
+    </div>
+  </nb-card-body>
+
+  <nb-card-footer>
+    <button nbButton status="primary" (click)="save()" [disabled]="saving">
+      <nb-icon icon="save-outline"></nb-icon>
+      {{ saving ? 'שומר...' : 'שמור תכונות' }}
+    </button>
+  </nb-card-footer>
+</nb-card>
diff --git a/frontend/src/app/components/super-admin/channels/channel-features.component.ts b/frontend/src/app/components/super-admin/channels/channel-features.component.ts
new file mode 100644
index 0000000..89f3a39
--- /dev/null
+++ b/frontend/src/app/components/super-admin/channels/channel-features.component.ts
@@ -0,0 +1,91 @@
+import { Component, Input, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { FormsModule } from '@angular/forms';
+import {
+  NbButtonModule,
+  NbCardModule,
+  NbIconModule,
+  NbToggleModule,
+  NbToastrService,
+} from '@nebular/theme';
+import { SuperAdminService, ChannelFeatures } from '../../../services/super-admin.service';
+
+interface FeatureConfig {
+  key: keyof ChannelFeatures;
+  label: string;
+  adminOnly?: boolean;
+}
+
+@Component({
+  selector: 'app-channel-features',
+  standalone: true,
+  imports: [
+    CommonModule,
+    FormsModule,
+    NbCardModule,
+    NbButtonModule,
+    NbIconModule,
+    NbToggleModule,
+  ],
+  templateUrl: './channel-features.component.html',
+})
+export class ChannelFeaturesComponent implements OnInit {
+  @Input() slug!: string;
+
+  features: ChannelFeatures = {
+    reactions: false,
+    fileUploads: false,
+    reports: false,
+    ads: false,
+    notifications: false,
+    requireAuth: false,
+    requireAuthFiles: false,
+    countViews: false,
+    scheduledMessages: false,
+    webhook: false,
+    magnetLockedByAdmin: false,
+    adsLockedByAdmin: false,
+  };
+
+  saving = false;
+
+  featureConfigs: FeatureConfig[] = [
+    { key: 'reactions', label: 'תגובות' },
+    { key: 'fileUploads', label: 'העלאת קבצים' },
+    { key: 'reports', label: 'דיווחים' },
+    { key: 'ads', label: 'פרסומות iframe' },
+    { key: 'notifications', label: 'התראות' },
+    { key: 'requireAuth', label: 'דרוש כניסה לצפייה' },
+    { key: 'requireAuthFiles', label: 'דרוש כניסה לקבצים' },
+    { key: 'countViews', label: 'ספירת צפיות' },
+    { key: 'scheduledMessages', label: 'הודעות מתוזמנות' },
+    { key: 'webhook', label: 'Webhook' },
+    { key: 'magnetLockedByAdmin', label: 'מגנט נעול ע"י מנהל-על', adminOnly: true },
+    { key: 'adsLockedByAdmin', label: 'פרסומות iframe נעולות ע"י מנהל-על', adminOnly: true },
+  ];
+
+  constructor(
+    private superAdminService: SuperAdminService,
+    private toastr: NbToastrService,
+  ) {}
+
+  ngOnInit(): void {
+    this.loadFeatures();
+  }
+
+  loadFeatures() {
+    this.superAdminService.getChannel(this.slug)
+      .then(channel => {
+        this.features = { ...channel.features };
+      })
+      .catch(() => this.toastr.danger('', 'שגיאה בטעינת תכונות הערוץ'));
+  }
+
+  save() {
+    this.saving = true;
+    this.superAdminService.updateChannelFeatures(this.slug, this.features)
+      .then(() => this.toastr.success('', 'התכונות נשמרו בהצלחה'))
+      .catch(() => this.toastr.danger('', 'שגיאה בשמירת התכונות'))
+      .finally(() => this.saving = false);
+  }
+}
diff --git a/frontend/src/app/components/super-admin/channels/channel-users.component.html b/frontend/src/app/components/super-admin/channels/channel-users.component.html
new file mode 100644
index 0000000..22a8407
--- /dev/null
+++ b/frontend/src/app/components/super-admin/channels/channel-users.component.html
@@ -0,0 +1,75 @@
+<nb-card>
+  <nb-card-header class="d-flex align-items-center justify-content-between">
+    <div class="d-flex align-items-center gap-2">
+      <nb-icon icon="people-outline"></nb-icon>
+      <span>משתמשי ערוץ: <strong>{{ slug }}</strong></span>
+    </div>
+    <button nbButton status="primary" size="small" (click)="addingUser = true" *ngIf="!addingUser">
+      <nb-icon icon="plus-outline"></nb-icon>
+      הוסף משתמש
+    </button>
+  </nb-card-header>
+
+  <nb-card-body>
+    @if (addingUser) {
+      <nb-card class="mb-3">
+        <nb-card-header>הוספת משתמש חדש</nb-card-header>
+        <nb-card-body>
+          <div class="d-flex flex-column gap-2">
+            <div>
+              <label class="field-label">כתובת אימייל</label>
+              <input nbInput fullWidth type="email" [(ngModel)]="newEmail" placeholder="user@example.com">
+            </div>
+            <div>
+              <label class="field-label">תפקיד</label>
+              <nb-select fullWidth [(ngModel)]="newRole">
+                @for (opt of roleOptions; track opt.value) {
+                  <nb-option [value]="opt.value">{{ opt.label }}</nb-option>
+                }
+              </nb-select>
+            </div>
+            <div class="d-flex gap-2">
+              <button nbButton status="primary" size="small" (click)="addUser()">
+                <nb-icon icon="checkmark-outline"></nb-icon>
+                הוסף
+              </button>
+              <button nbButton status="danger" size="small" (click)="addingUser = false; newEmail = ''">
+                <nb-icon icon="close-outline"></nb-icon>
+                ביטול
+              </button>
+            </div>
+          </div>
+        </nb-card-body>
+      </nb-card>
+    }
+
+    @if (users.length === 0) {
+      <p class="text-center text-muted">אין משתמשים בערוץ זה</p>
+    }
+
+    @for (user of users; track $index; let i = $index) {
+      <nb-card class="mb-2">
+        <nb-card-body>
+          <div class="d-flex align-items-center gap-2 flex-wrap">
+            <span class="flex-grow-1">{{ user.email }}</span>
+            <nb-select [(ngModel)]="users[i].role" size="small">
+              @for (opt of roleOptions; track opt.value) {
+                <nb-option [value]="opt.value">{{ opt.label }}</nb-option>
+              }
+            </nb-select>
+            <button nbButton status="danger" size="tiny" (click)="removeUser(i)">
+              <nb-icon icon="trash-2-outline"></nb-icon>
+            </button>
+          </div>
+        </nb-card-body>
+      </nb-card>
+    }
+  </nb-card-body>
+
+  <nb-card-footer>
+    <button nbButton status="primary" (click)="save()" [disabled]="saving">
+      <nb-icon icon="save-outline"></nb-icon>
+      {{ saving ? 'שומר...' : 'שמור שינויים' }}
+    </button>
+  </nb-card-footer>
+</nb-card>
diff --git a/frontend/src/app/components/super-admin/channels/channel-users.component.ts b/frontend/src/app/components/super-admin/channels/channel-users.component.ts
new file mode 100644
index 0000000..37e68d3
--- /dev/null
+++ b/frontend/src/app/components/super-admin/channels/channel-users.component.ts
@@ -0,0 +1,85 @@
+import { Component, Input, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { FormsModule } from '@angular/forms';
+import {
+  NbButtonModule,
+  NbCardModule,
+  NbIconModule,
+  NbInputModule,
+  NbSelectModule,
+  NbToastrService,
+} from '@nebular/theme';
+import { SuperAdminService, ChannelUser } from '../../../services/super-admin.service';
+
+@Component({
+  selector: 'app-channel-users',
+  standalone: true,
+  imports: [
+    CommonModule,
+    FormsModule,
+    NbCardModule,
+    NbButtonModule,
+    NbInputModule,
+    NbIconModule,
+    NbSelectModule,
+  ],
+  templateUrl: './channel-users.component.html',
+})
+export class ChannelUsersComponent implements OnInit {
+  @Input() slug!: string;
+
+  users: ChannelUser[] = [];
+  saving = false;
+  addingUser = false;
+  newEmail = '';
+  newRole: 'owner' | 'moderator' | 'writer' | '' = 'moderator';
+
+  roleOptions: { value: string; label: string }[] = [
+    { value: 'owner', label: 'בעלים' },
+    { value: 'moderator', label: 'מנהל' },
+    { value: 'writer', label: 'כותב' },
+  ];
+
+  constructor(
+    private superAdminService: SuperAdminService,
+    private toastr: NbToastrService,
+  ) {}
+
+  ngOnInit(): void {
+    this.loadUsers();
+  }
+
+  loadUsers() {
+    this.superAdminService.getChannelUsers(this.slug)
+      .then(users => this.users = [...users])
+      .catch(() => this.toastr.danger('', 'שגיאה בטעינת משתמשי הערוץ'));
+  }
+
+  addUser() {
+    if (!this.newEmail) {
+      this.toastr.warning('', 'יש להזין כתובת אימייל');
+      return;
+    }
+    this.users.push({ email: this.newEmail, role: this.newRole as any });
+    this.newEmail = '';
+    this.newRole = 'moderator';
+    this.addingUser = false;
+  }
+
+  removeUser(index: number) {
+    this.users.splice(index, 1);
+  }
+
+  save() {
+    this.saving = true;
+    this.superAdminService.setChannelUsers(this.slug, this.users)
+      .then(() => this.toastr.success('', 'המשתמשים נשמרו בהצלחה'))
+      .catch(() => this.toastr.danger('', 'שגיאה בשמירת המשתמשים'))
+      .finally(() => this.saving = false);
+  }
+
+  getRoleLabel(role: string): string {
+    const opt = this.roleOptions.find(o => o.value === role);
+    return opt ? opt.label : role;
+  }
+}
diff --git a/frontend/src/app/components/super-admin/channels/channels-list.component.html b/frontend/src/app/components/super-admin/channels/channels-list.component.html
new file mode 100644
index 0000000..dc4c1af
--- /dev/null
+++ b/frontend/src/app/components/super-admin/channels/channels-list.component.html
@@ -0,0 +1,89 @@
+<nb-card>
+  <nb-card-header class="d-flex justify-content-between align-items-center">
+    <span>ניהול ערוצים</span>
+    <button nbButton status="primary" size="small" (click)="showCreateForm = true" *ngIf="!showCreateForm">
+      <nb-icon icon="plus-outline"></nb-icon>
+      ערוץ חדש
+    </button>
+  </nb-card-header>
+
+  <nb-card-body>
+    @if (showCreateForm) {
+      <nb-card class="mb-3">
+        <nb-card-header>יצירת ערוץ חדש</nb-card-header>
+        <nb-card-body>
+          <div class="d-flex flex-column gap-2">
+            <div>
+              <label class="field-label">Slug (מזהה ייחודי)</label>
+              <input nbInput fullWidth type="text" [(ngModel)]="newSlug" placeholder="my-channel">
+            </div>
+            <div>
+              <label class="field-label">שם הערוץ</label>
+              <input nbInput fullWidth type="text" [(ngModel)]="newName" placeholder="שם הערוץ">
+            </div>
+            <div>
+              <label class="field-label">אימייל הבעלים</label>
+              <input nbInput fullWidth type="email" [(ngModel)]="newOwnerEmail" placeholder="owner@example.com">
+            </div>
+            <div class="d-flex gap-2">
+              <button nbButton status="primary" size="small" (click)="createChannel()" [disabled]="creating">
+                <nb-icon icon="checkmark-outline"></nb-icon>
+                {{ creating ? 'יוצר...' : 'צור ערוץ' }}
+              </button>
+              <button nbButton status="danger" size="small" (click)="cancelCreate()">
+                <nb-icon icon="close-outline"></nb-icon>
+                ביטול
+              </button>
+            </div>
+          </div>
+        </nb-card-body>
+      </nb-card>
+    }
+
+    @if (channels.length === 0) {
+      <p class="text-center text-muted">אין ערוצים במערכת</p>
+    }
+
+    <div class="table-responsive">
+      <table class="table table-hover">
+        <thead>
+          <tr>
+            <th>Slug</th>
+            <th>שם</th>
+            <th>בעלים</th>
+            <th>נוצר בתאריך</th>
+            <th>פעולות</th>
+          </tr>
+        </thead>
+        <tbody>
+          @for (channel of channels; track channel.slug) {
+            <tr>
+              <td><code>{{ channel.slug }}</code></td>
+              <td>{{ channel.name }}</td>
+              <td>{{ channel.ownerEmail }}</td>
+              <td>{{ channel.createdAt | date:'dd/MM/yyyy' }}</td>
+              <td>
+                <div class="d-flex gap-1">
+                  <button nbButton status="info" size="tiny" (click)="editFeatures.emit(channel.slug)"
+                    title="ערוך תכונות">
+                    <nb-icon icon="settings-2-outline"></nb-icon>
+                    תכונות
+                  </button>
+                  <button nbButton status="primary" size="tiny" (click)="manageUsers.emit(channel.slug)"
+                    title="ניהול משתמשים">
+                    <nb-icon icon="people-outline"></nb-icon>
+                    משתמשים
+                  </button>
+                  <button nbButton status="danger" size="tiny" (click)="deleteChannel(channel.slug)"
+                    title="מחק ערוץ">
+                    <nb-icon icon="trash-2-outline"></nb-icon>
+                  </button>
+                </div>
+              </td>
+            </tr>
+          }
+        </tbody>
+      </table>
+    </div>
+  </nb-card-body>
+</nb-card>
diff --git a/frontend/src/app/components/super-admin/channels/channels-list.component.ts b/frontend/src/app/components/super-admin/channels/channels-list.component.ts
new file mode 100644
index 0000000..3c2451b
--- /dev/null
+++ b/frontend/src/app/components/super-admin/channels/channels-list.component.ts
@@ -0,0 +1,87 @@
+import { Component, EventEmitter, OnInit, Output } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { FormsModule } from '@angular/forms';
+import {
+  NbButtonModule,
+  NbCardModule,
+  NbIconModule,
+  NbInputModule,
+  NbToastrService,
+} from '@nebular/theme';
+import { SuperAdminService, ChannelData } from '../../../services/super-admin.service';
+
+@Component({
+  selector: 'app-channels-list',
+  standalone: true,
+  imports: [
+    CommonModule,
+    FormsModule,
+    NbCardModule,
+    NbButtonModule,
+    NbInputModule,
+    NbIconModule,
+  ],
+  templateUrl: './channels-list.component.html',
+})
+export class ChannelsListComponent implements OnInit {
+  @Output() editFeatures = new EventEmitter<string>();
+  @Output() manageUsers = new EventEmitter<string>();
+
+  channels: ChannelData[] = [];
+  showCreateForm = false;
+  newSlug = '';
+  newName = '';
+  newOwnerEmail = '';
+  creating = false;
+
+  constructor(
+    private superAdminService: SuperAdminService,
+    private toastr: NbToastrService,
+  ) {}
+
+  ngOnInit(): void {
+    this.loadChannels();
+  }
+
+  loadChannels() {
+    this.superAdminService.getChannels()
+      .then(channels => this.channels = channels)
+      .catch(() => this.toastr.danger('', 'שגיאה בטעינת ערוצים'));
+  }
+
+  createChannel() {
+    if (!this.newSlug || !this.newName || !this.newOwnerEmail) {
+      this.toastr.warning('', 'יש למלא את כל השדות');
+      return;
+    }
+    this.creating = true;
+    this.superAdminService.createChannel(this.newSlug, this.newName, this.newOwnerEmail)
+      .then(channel => {
+        this.channels.push(channel);
+        this.showCreateForm = false;
+        this.newSlug = '';
+        this.newName = '';
+        this.newOwnerEmail = '';
+        this.toastr.success('', 'הערוץ נוצר בהצלחה');
+      })
+      .catch(() => this.toastr.danger('', 'שגיאה ביצירת הערוץ'))
+      .finally(() => this.creating = false);
+  }
+
+  deleteChannel(slug: string) {
+    if (!confirm(`האם אתה בטוח שברצונך למחוק את הערוץ "${slug}"?`)) return;
+    this.superAdminService.deleteChannel(slug)
+      .then(() => {
+        this.channels = this.channels.filter(c => c.slug !== slug);
+        this.toastr.success('', 'הערוץ נמחק בהצלחה');
+      })
+      .catch(() => this.toastr.danger('', 'שגיאה במחיקת הערוץ'));
+  }
+
+  cancelCreate() {
+    this.showCreateForm = false;
+    this.newSlug = '';
+    this.newName = '';
+    this.newOwnerEmail = '';
+  }
+}
diff --git a/frontend/src/app/components/super-admin/global-ads/global-ads.component.ts b/frontend/src/app/components/super-admin/global-ads/global-ads.component.ts
new file mode 100644
index 0000000..51c1e7f
--- /dev/null
+++ b/frontend/src/app/components/super-admin/global-ads/global-ads.component.ts
@@ -0,0 +1,70 @@
+import { Component, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { FormsModule } from '@angular/forms';
+import {
+  NbButtonModule,
+  NbCardModule,
+  NbIconModule,
+  NbInputModule,
+  NbToggleModule,
+  NbToastrService,
+} from '@nebular/theme';
+import { SuperAdminService, GlobalAdsConfig } from '../../../services/super-admin.service';
+
+@Component({
+  selector: 'app-global-ads',
+  standalone: true,
+  imports: [
+    CommonModule,
+    FormsModule,
+    NbCardModule,
+    NbButtonModule,
+    NbInputModule,
+    NbIconModule,
+    NbToggleModule,
+  ],
+  templateUrl: './global-ads.component.html',
+})
+export class GlobalAdsComponent implements OnInit {
+  config: GlobalAdsConfig = {
+    src: '',
+    width: 300,
+    lockAll: false,
+    lockedChannels: [],
+  };
+
+  saving = false;
+  newLockedChannel = '';
+
+  constructor(
+    private superAdminService: SuperAdminService,
+    private toastr: NbToastrService,
+  ) {}
+
+  ngOnInit(): void {
+    this.superAdminService.getAdsConfig()
+      .then(cfg => this.config = { ...cfg, lockedChannels: [...(cfg.lockedChannels || [])] })
+      .catch(() => this.toastr.danger('', 'שגיאה בטעינת הגדרות פרסומות'));
+  }
+
+  addLockedChannel() {
+    const slug = this.newLockedChannel.trim();
+    if (!slug) return;
+    if (!this.config.lockedChannels.includes(slug)) {
+      this.config.lockedChannels.push(slug);
+    }
+    this.newLockedChannel = '';
+  }
+
+  removeLockedChannel(slug: string) {
+    this.config.lockedChannels = this.config.lockedChannels.filter(s => s !== slug);
+  }
+
+  save() {
+    this.saving = true;
+    this.superAdminService.setAdsConfig(this.config)
+      .then(() => this.toastr.success('', 'הגדרות הפרסומות נשמרו בהצלחה'))
+      .catch(() => this.toastr.danger('', 'שגיאה בשמירת הגדרות הפרסומות'))
+      .finally(() => this.saving = false);
+  }
+}
diff --git a/frontend/src/app/guards/super-admin.guard.ts b/frontend/src/app/guards/super-admin.guard.ts
new file mode 100644
index 0000000..d351bc0
--- /dev/null
+++ b/frontend/src/app/guards/super-admin.guard.ts
@@ -0,0 +1,20 @@
+import { inject } from '@angular/core';
+import { CanActivateFn, Router } from '@angular/router';
+import { AuthService } from '../services/auth.service';
+
+export const SuperAdminGuard: CanActivateFn = async (route, state) => {
+  const router = inject(Router);
+  const authService = inject(AuthService);
+
+  try {
+    const userInfo = await authService.loadUserInfo();
+    if (userInfo?.globalRole === 'super_admin') {
+      return true;
+    }
+    router.navigate(['/']);
+    return false;
+  } catch {
+    router.navigate(['/']);
+    return false;
+  }
+};
diff --git a/frontend/src/app/models/user.model.ts b/frontend/src/app/models/user.model.ts
index 9375d19..39a5487 100644
--- a/frontend/src/app/models/user.model.ts
+++ b/frontend/src/app/models/user.model.ts
@@ -1,7 +1,11 @@
 export interface User {
-    id: string;
-    username: string;
-    picture: string;
-    privileges: Record<string, boolean>;
-    email: string;
-}
\ No newline at end of file
+  id: string;
+  username: string;
+  email: string;
+  picture: string;
+  publicName: string;
+  globalRole: string;
+  channelRoles: Record<string, string>;
+  // Legacy field for backwards compatibility
+  privileges?: Record<string, boolean>;
+}
diff --git a/frontend/src/app/services/super-admin.service.ts b/frontend/src/app/services/super-admin.service.ts
new file mode 100644
index 0000000..b73b9b8
--- /dev/null
+++ b/frontend/src/app/services/super-admin.service.ts
@@ -0,0 +1,144 @@
+import { HttpClient } from '@angular/common/http';
+import { Injectable } from '@angular/core';
+import { firstValueFrom } from 'rxjs';
+
+export interface ChannelFeatures {
+  reactions: boolean;
+  fileUploads: boolean;
+  reports: boolean;
+  ads: boolean;
+  notifications: boolean;
+  requireAuth: boolean;
+  requireAuthFiles: boolean;
+  countViews: boolean;
+  scheduledMessages: boolean;
+  webhook: boolean;
+  magnetLockedByAdmin: boolean;
+  adsLockedByAdmin: boolean;
+}
+
+export interface ChannelData {
+  slug: string;
+  name: string;
+  description: string;
+  logoUrl: string;
+  ownerEmail: string;
+  createdAt: string;
+  features: ChannelFeatures;
+  contactUs: string;
+}
+
+export interface ChannelUser {
+  email: string;
+  role: 'owner' | 'moderator' | 'writer' | '';
+}
+
+export interface GlobalAdsConfig {
+  src: string;
+  width: number;
+  lockAll: boolean;
+  lockedChannels: string[];
+}
+
+export interface GlobalMagnetConfig {
+  enabled: boolean;
+  snippet: string;
+  mode: string;
+  perMessages: number;
+  minTimeSeconds: number;
+  perSeconds: number;
+  minMessagesSinceLast: number;
+  apiKey: string;
+  lockAll: boolean;
+  lockedChannels: string[];
+}
+
+export interface SuperAdminUser {
+  id: string;
+  username: string;
+  email: string;
+  publicName: string;
+  globalRole: string;
+  channelRoles: Record<string, string>;
+}
+
+export interface Setting {
+  key: string;
+  value: any;
+}
+
+@Injectable({
+  providedIn: 'root'
+})
+export class SuperAdminService {
+
+  constructor(private http: HttpClient) {}
+
+  getChannels(): Promise<ChannelData[]> {
+    return firstValueFrom(this.http.get<ChannelData[]>('/api/super-admin/channels'));
+  }
+
+  createChannel(slug: string, name: string, ownerEmail: string): Promise<ChannelData> {
+    return firstValueFrom(this.http.post<ChannelData>('/api/super-admin/channels/create', { slug, name, ownerEmail }));
+  }
+
+  getChannel(slug: string): Promise<ChannelData> {
+    return firstValueFrom(this.http.get<ChannelData>(`/api/super-admin/channels/${slug}`));
+  }
+
+  deleteChannel(slug: string): Promise<void> {
+    return firstValueFrom(this.http.delete<void>(`/api/super-admin/channels/${slug}`));
+  }
+
+  updateChannelFeatures(slug: string, features: ChannelFeatures): Promise<void> {
+    return firstValueFrom(this.http.put<void>(`/api/super-admin/channels/${slug}/features`, features));
+  }
+
+  getChannelUsers(slug: string): Promise<ChannelUser[]> {
+    return firstValueFrom(this.http.get<ChannelUser[]>(`/api/super-admin/channels/${slug}/users`));
+  }
+
+  setChannelUsers(slug: string, users: ChannelUser[]): Promise<void> {
+    return firstValueFrom(this.http.post<void>(`/api/super-admin/channels/${slug}/users`, { users }));
+  }
+
+  getGlobalUsers(): Promise<SuperAdminUser[]> {
+    return firstValueFrom(this.http.get<SuperAdminUser[]>('/api/super-admin/users/list'));
+  }
+
+  setGlobalUsers(users: SuperAdminUser[]): Promise<void> {
+    return firstValueFrom(this.http.post<void>('/api/super-admin/users/set', { list: users }));
+  }
+
+  getGlobalSettings(): Promise<Setting[]> {
+    return firstValueFrom(this.http.get<Setting[]>('/api/super-admin/global-settings/get'));
+  }
+
+  setGlobalSettings(settings: Setting[]): Promise<void> {
+    return firstValueFrom(this.http.post<void>('/api/super-admin/global-settings/set', settings));
+  }
+
+  getAdsConfig(): Promise<GlobalAdsConfig> {
+    return firstValueFrom(this.http.get<GlobalAdsConfig>('/api/super-admin/ads/config'));
+  }
+
+  setAdsConfig(cfg: GlobalAdsConfig): Promise<void> {
+    return firstValueFrom(this.http.post<void>('/api/super-admin/ads/config', cfg));
+  }
+
+  getMagnetConfig(): Promise<GlobalMagnetConfig> {
+    return firstValueFrom(this.http.get<GlobalMagnetConfig>('/api/super-admin/magnet/config'));
+  }
+
+  setMagnetConfig(cfg: GlobalMagnetConfig): Promise<void> {
+    return firstValueFrom(this.http.post<void>('/api/super-admin/magnet/config', cfg));
+  }
+
+  getMagnetStats(): Promise<any> {
+    return firstValueFrom(this.http.get<any>('/api/super-admin/magnet/stats'));
+  }
+
+  resetStatistics(): Promise<void> {
+    return firstValueFrom(this.http.post<void>('/api/super-admin/statistics/reset', {}));
+  }
+}

From 2825add3530fa32fffb6c364dd660c6367e98b06 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 17 May 2026 18:07:45 +0000
Subject: [PATCH 24/60] Complete super admin panel frontend
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- super-admin-panel.component: main shell with sidebar menu (ערוצים, פרסומות iframe,
  פרסומות מגנט, משתמשים, הגדרות גלובליות, סטטיסטיקות)
- channels-list: table with create/edit-features/manage-users/delete actions
- channel-features: all 12 feature toggles with Hebrew labels (incl. lock indicators)
- channel-users: add/remove/change-role per channel, save button
- global-ads: src, width, lockAll toggle, locked channels tag input
- global-magnet: full magnet config + frequency settings + lock rules
- global-users: read-only overview of all users with role chips
- global-settings: key-value FCM/VAPID settings editor
- statistics: reset peak connections + magnet stats display
- app.routes.ts: add /super-admin route with SuperAdminGuard
- channel-header: add "פאנל מנהל-על" link for super admins
- channel.component: show input footer for super_admin + channel role holders

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 frontend/src/app/app.routes.ts                |   7 ++
 .../channel-header.component.ts               |   7 ++
 .../components/channel/channel.component.html |   2 +-
 .../components/channel/channel.component.ts   |   5 +
 .../channels/channel-users.component.html     |  10 +-
 .../channels/channels-list.component.html     |  10 +-
 .../global-ads/global-ads.component.html      |  55 +++++++++
 .../global-magnet.component.html              |  90 ++++++++++++++
 .../global-magnet/global-magnet.component.ts  |  83 +++++++++++++
 .../global-settings.component.html            |  71 +++++++++++
 .../global-settings.component.ts              |  66 +++++++++++
 .../global-users/global-users.component.html  |  55 +++++++++
 .../global-users/global-users.component.ts    |  52 ++++++++
 .../super-admin-statistics.component.html     |  56 +++++++++
 .../super-admin-statistics.component.ts       |  57 +++++++++
 .../super-admin-panel.component.html          |  48 ++++++++
 .../super-admin-panel.component.scss          |  11 ++
 .../super-admin-panel.component.ts            | 112 ++++++++++++++++++
 18 files changed, 788 insertions(+), 9 deletions(-)
 create mode 100644 frontend/src/app/components/super-admin/global-ads/global-ads.component.html
 create mode 100644 frontend/src/app/components/super-admin/global-magnet/global-magnet.component.html
 create mode 100644 frontend/src/app/components/super-admin/global-magnet/global-magnet.component.ts
 create mode 100644 frontend/src/app/components/super-admin/global-settings/global-settings.component.html
 create mode 100644 frontend/src/app/components/super-admin/global-settings/global-settings.component.ts
 create mode 100644 frontend/src/app/components/super-admin/global-users/global-users.component.html
 create mode 100644 frontend/src/app/components/super-admin/global-users/global-users.component.ts
 create mode 100644 frontend/src/app/components/super-admin/statistics/super-admin-statistics.component.html
 create mode 100644 frontend/src/app/components/super-admin/statistics/super-admin-statistics.component.ts
 create mode 100644 frontend/src/app/components/super-admin/super-admin-panel.component.html
 create mode 100644 frontend/src/app/components/super-admin/super-admin-panel.component.scss
 create mode 100644 frontend/src/app/components/super-admin/super-admin-panel.component.ts

diff --git a/frontend/src/app/app.routes.ts b/frontend/src/app/app.routes.ts
index 9bb3141..c2e28ab 100644
--- a/frontend/src/app/app.routes.ts
+++ b/frontend/src/app/app.routes.ts
@@ -2,6 +2,8 @@ import { Routes } from '@angular/router';
 import { LoginComponent } from './components/login/login.component';
 import { ChannelComponent } from './components/channel/channel.component';
 import { AuthGuard } from "./services/chat-guard.guard";
+import { SuperAdminGuard } from './guards/super-admin.guard';
+import { SuperAdminPanelComponent } from './components/super-admin/super-admin-panel.component';
 
 export const routes: Routes = [
   { path: 'login', component: LoginComponent },
@@ -10,6 +12,11 @@ export const routes: Routes = [
     component: ChannelComponent,
     canActivate: [AuthGuard],
   },
+  {
+    path: 'super-admin',
+    component: SuperAdminPanelComponent,
+    canActivate: [AuthGuard, SuperAdminGuard],
+  },
   {
     path: '**',
     redirectTo: ''
diff --git a/frontend/src/app/components/channel/channel-header/channel-header.component.ts b/frontend/src/app/components/channel/channel-header/channel-header.component.ts
index 0108a40..a9cd620 100644
--- a/frontend/src/app/components/channel/channel-header/channel-header.component.ts
+++ b/frontend/src/app/components/channel/channel-header/channel-header.component.ts
@@ -40,6 +40,10 @@ export class ChannelHeaderComponent implements OnInit {
         title: 'ניהול ערוץ',
         icon: 'people-outline',
       }] : []),
+      ...(user?.globalRole === 'super_admin' ? [{
+        title: 'פאנל מנהל-על',
+        icon: 'shield-outline',
+      }] : []),
       {
         title: 'התנתק',
         icon: 'log-out',
@@ -91,6 +95,9 @@ export class ChannelHeaderComponent implements OnInit {
           case 'people-outline':
             this.dialogService.open(AdminPanelComponent, { closeOnBackdropClick: true });
             break;
+          case 'shield-outline':
+            this.router.navigate(['/super-admin']);
+            break;
         }
       });
 
diff --git a/frontend/src/app/components/channel/channel.component.html b/frontend/src/app/components/channel/channel.component.html
index c1c4bc5..a6adcf1 100644
--- a/frontend/src/app/components/channel/channel.component.html
+++ b/frontend/src/app/components/channel/channel.component.html
@@ -13,7 +13,7 @@
     </nb-layout-column>
   }
 
-  @if (userInfo?.privileges?.['writer']) {
+  @if (userInfo?.globalRole === 'super_admin' || userInfo?.privileges?.['writer'] || hasAnyRole(userInfo)) {
     <nb-layout-footer #inputForm id="inputForm" class="fixed-footer">
       <app-input-form class="w-100" (inputHeightChanged)="onInputHeightChanged()"></app-input-form>
     </nb-layout-footer>
diff --git a/frontend/src/app/components/channel/channel.component.ts b/frontend/src/app/components/channel/channel.component.ts
index 68a83f0..ed4dd14 100644
--- a/frontend/src/app/components/channel/channel.component.ts
+++ b/frontend/src/app/components/channel/channel.component.ts
@@ -63,6 +63,11 @@ export class ChannelComponent implements OnInit {
     });
   }
 
+  hasAnyRole(user: User | undefined): boolean {
+    if (!user?.channelRoles) return false;
+    return Object.keys(user.channelRoles).length > 0;
+  }
+
   onInputHeightChanged() {
     this.updateInputBottomOffset();
   }
diff --git a/frontend/src/app/components/super-admin/channels/channel-users.component.html b/frontend/src/app/components/super-admin/channels/channel-users.component.html
index 22a8407..c60ca40 100644
--- a/frontend/src/app/components/super-admin/channels/channel-users.component.html
+++ b/frontend/src/app/components/super-admin/channels/channel-users.component.html
@@ -4,10 +4,12 @@
       <nb-icon icon="people-outline"></nb-icon>
       <span>משתמשי ערוץ: <strong>{{ slug }}</strong></span>
     </div>
-    <button nbButton status="primary" size="small" (click)="addingUser = true" *ngIf="!addingUser">
-      <nb-icon icon="plus-outline"></nb-icon>
-      הוסף משתמש
-    </button>
+    @if (!addingUser) {
+      <button nbButton status="primary" size="small" (click)="addingUser = true">
+        <nb-icon icon="plus-outline"></nb-icon>
+        הוסף משתמש
+      </button>
+    }
   </nb-card-header>
 
   <nb-card-body>
diff --git a/frontend/src/app/components/super-admin/channels/channels-list.component.html b/frontend/src/app/components/super-admin/channels/channels-list.component.html
index dc4c1af..60f0531 100644
--- a/frontend/src/app/components/super-admin/channels/channels-list.component.html
+++ b/frontend/src/app/components/super-admin/channels/channels-list.component.html
@@ -1,10 +1,12 @@
 <nb-card>
   <nb-card-header class="d-flex justify-content-between align-items-center">
     <span>ניהול ערוצים</span>
-    <button nbButton status="primary" size="small" (click)="showCreateForm = true" *ngIf="!showCreateForm">
-      <nb-icon icon="plus-outline"></nb-icon>
-      ערוץ חדש
-    </button>
+    @if (!showCreateForm) {
+      <button nbButton status="primary" size="small" (click)="showCreateForm = true">
+        <nb-icon icon="plus-outline"></nb-icon>
+        ערוץ חדש
+      </button>
+    }
   </nb-card-header>
 
   <nb-card-body>
diff --git a/frontend/src/app/components/super-admin/global-ads/global-ads.component.html b/frontend/src/app/components/super-admin/global-ads/global-ads.component.html
new file mode 100644
index 0000000..f06fd57
--- /dev/null
+++ b/frontend/src/app/components/super-admin/global-ads/global-ads.component.html
@@ -0,0 +1,55 @@
+<nb-card>
+  <nb-card-header class="d-flex align-items-center gap-2">
+    <nb-icon icon="film-outline"></nb-icon>
+    <span>הגדרות פרסומות iframe גלובליות</span>
+  </nb-card-header>
+
+  <nb-card-body>
+    <div class="d-flex flex-column gap-3">
+      <div>
+        <label class="field-label">כתובת URL של הפרסומת (src)</label>
+        <input nbInput fullWidth type="text" [(ngModel)]="config.src" placeholder="https://example.com/ad.html">
+      </div>
+
+      <div>
+        <label class="field-label">רוחב הפרסומת (פיקסלים)</label>
+        <input nbInput fullWidth type="number" [(ngModel)]="config.width" placeholder="300">
+      </div>
+
+      <div>
+        <nb-toggle [(checked)]="config.lockAll">
+          <span>נעל פרסומות על כל הערוצים</span>
+        </nb-toggle>
+        <small class="text-muted d-block mt-1">כאשר מופעל, הגדרות מנהלי הערוצים מתעלמות</small>
+      </div>
+
+      <div>
+        <label class="field-label">ערוצים נעולים (ללא הגדרת פרסומות ידנית)</label>
+        <div class="d-flex gap-2 mb-2">
+          <input nbInput type="text" [(ngModel)]="newLockedChannel" placeholder="slug-of-channel"
+            (keyup.enter)="addLockedChannel()">
+          <button nbButton status="primary" size="small" (click)="addLockedChannel()">
+            <nb-icon icon="plus-outline"></nb-icon>
+            הוסף
+          </button>
+        </div>
+        <div class="d-flex flex-wrap gap-2">
+          @for (slug of config.lockedChannels; track slug) {
+            <span class="badge bg-secondary d-flex align-items-center gap-1 p-2">
+              {{ slug }}
+              <button class="btn-close btn-close-white ms-1" style="font-size: 0.6rem;"
+                (click)="removeLockedChannel(slug)"></button>
+            </span>
+          }
+        </div>
+      </div>
+    </div>
+  </nb-card-body>
+
+  <nb-card-footer>
+    <button nbButton status="primary" (click)="save()" [disabled]="saving">
+      <nb-icon icon="save-outline"></nb-icon>
+      {{ saving ? 'שומר...' : 'שמור הגדרות' }}
+    </button>
+  </nb-card-footer>
+</nb-card>
diff --git a/frontend/src/app/components/super-admin/global-magnet/global-magnet.component.html b/frontend/src/app/components/super-admin/global-magnet/global-magnet.component.html
new file mode 100644
index 0000000..6425c17
--- /dev/null
+++ b/frontend/src/app/components/super-admin/global-magnet/global-magnet.component.html
@@ -0,0 +1,90 @@
+<nb-card>
+  <nb-card-header class="d-flex align-items-center gap-2">
+    <nb-icon icon="pricetags-outline"></nb-icon>
+    <span>הגדרות פרסומות מגנט גלובליות</span>
+  </nb-card-header>
+
+  <nb-card-body>
+    <div class="d-flex flex-column gap-3">
+      <div>
+        <nb-toggle [(checked)]="config.enabled">
+          <span>הפעל מגנט</span>
+        </nb-toggle>
+      </div>
+
+      <div>
+        <label class="field-label">מפתח API</label>
+        <input nbInput fullWidth type="password" autocomplete="new-password" [(ngModel)]="config.apiKey" placeholder="magnet-api-key">
+      </div>
+
+      <div>
+        <label class="field-label">קוד Snippet</label>
+        <textarea nbInput fullWidth rows="4" [(ngModel)]="config.snippet" placeholder="<script>...</script>"></textarea>
+      </div>
+
+      <div>
+        <label class="field-label">מצב הפעלה</label>
+        <nb-select fullWidth [(ngModel)]="config.mode">
+          @for (opt of modeOptions; track opt.value) {
+            <nb-option [value]="opt.value">{{ opt.label }}</nb-option>
+          }
+        </nb-select>
+      </div>
+
+      <div>
+        <label class="field-label">כל כמה הודעות (perMessages)</label>
+        <input nbInput fullWidth type="number" [(ngModel)]="config.perMessages" placeholder="10">
+      </div>
+
+      <div>
+        <label class="field-label">זמן מינימלי בין הצגות (שניות)</label>
+        <input nbInput fullWidth type="number" [(ngModel)]="config.minTimeSeconds" placeholder="60">
+      </div>
+
+      <div>
+        <label class="field-label">כל כמה שניות (perSeconds)</label>
+        <input nbInput fullWidth type="number" [(ngModel)]="config.perSeconds" placeholder="300">
+      </div>
+
+      <div>
+        <label class="field-label">מינימום הודעות מהפעם האחרונה (minMessagesSinceLast)</label>
+        <input nbInput fullWidth type="number" [(ngModel)]="config.minMessagesSinceLast" placeholder="5">
+      </div>
+
+      <div>
+        <nb-toggle [(checked)]="config.lockAll">
+          <span>נעל מגנט על כל הערוצים</span>
+        </nb-toggle>
+        <small class="text-muted d-block mt-1">כאשר מופעל, הגדרות מנהלי הערוצים מתעלמות</small>
+      </div>
+
+      <div>
+        <label class="field-label">ערוצים נעולים</label>
+        <div class="d-flex gap-2 mb-2">
+          <input nbInput type="text" [(ngModel)]="newLockedChannel" placeholder="slug-of-channel"
+            (keyup.enter)="addLockedChannel()">
+          <button nbButton status="primary" size="small" (click)="addLockedChannel()">
+            <nb-icon icon="plus-outline"></nb-icon>
+            הוסף
+          </button>
+        </div>
+        <div class="d-flex flex-wrap gap-2">
+          @for (slug of config.lockedChannels; track slug) {
+            <span class="badge bg-secondary d-flex align-items-center gap-1 p-2">
+              {{ slug }}
+              <button class="btn-close btn-close-white ms-1" style="font-size: 0.6rem;"
+                (click)="removeLockedChannel(slug)"></button>
+            </span>
+          }
+        </div>
+      </div>
+    </div>
+  </nb-card-body>
+
+  <nb-card-footer>
+    <button nbButton status="primary" (click)="save()" [disabled]="saving">
+      <nb-icon icon="save-outline"></nb-icon>
+      {{ saving ? 'שומר...' : 'שמור הגדרות' }}
+    </button>
+  </nb-card-footer>
+</nb-card>
diff --git a/frontend/src/app/components/super-admin/global-magnet/global-magnet.component.ts b/frontend/src/app/components/super-admin/global-magnet/global-magnet.component.ts
new file mode 100644
index 0000000..6ec0004
--- /dev/null
+++ b/frontend/src/app/components/super-admin/global-magnet/global-magnet.component.ts
@@ -0,0 +1,83 @@
+import { Component, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { FormsModule } from '@angular/forms';
+import {
+  NbButtonModule,
+  NbCardModule,
+  NbIconModule,
+  NbInputModule,
+  NbSelectModule,
+  NbToggleModule,
+  NbToastrService,
+} from '@nebular/theme';
+import { SuperAdminService, GlobalMagnetConfig } from '../../../services/super-admin.service';
+
+@Component({
+  selector: 'app-global-magnet',
+  standalone: true,
+  imports: [
+    CommonModule,
+    FormsModule,
+    NbCardModule,
+    NbButtonModule,
+    NbInputModule,
+    NbIconModule,
+    NbSelectModule,
+    NbToggleModule,
+  ],
+  templateUrl: './global-magnet.component.html',
+})
+export class GlobalMagnetComponent implements OnInit {
+  config: GlobalMagnetConfig = {
+    enabled: false,
+    snippet: '',
+    mode: 'per_messages',
+    perMessages: 10,
+    minTimeSeconds: 60,
+    perSeconds: 300,
+    minMessagesSinceLast: 5,
+    apiKey: '',
+    lockAll: false,
+    lockedChannels: [],
+  };
+
+  saving = false;
+  newLockedChannel = '';
+
+  modeOptions = [
+    { value: 'per_messages', label: 'לפי מספר הודעות' },
+    { value: 'per_seconds', label: 'לפי זמן (שניות)' },
+  ];
+
+  constructor(
+    private superAdminService: SuperAdminService,
+    private toastr: NbToastrService,
+  ) {}
+
+  ngOnInit(): void {
+    this.superAdminService.getMagnetConfig()
+      .then(cfg => this.config = { ...cfg, lockedChannels: [...(cfg.lockedChannels || [])] })
+      .catch(() => this.toastr.danger('', 'שגיאה בטעינת הגדרות מגנט'));
+  }
+
+  addLockedChannel() {
+    const slug = this.newLockedChannel.trim();
+    if (!slug) return;
+    if (!this.config.lockedChannels.includes(slug)) {
+      this.config.lockedChannels.push(slug);
+    }
+    this.newLockedChannel = '';
+  }
+
+  removeLockedChannel(slug: string) {
+    this.config.lockedChannels = this.config.lockedChannels.filter(s => s !== slug);
+  }
+
+  save() {
+    this.saving = true;
+    this.superAdminService.setMagnetConfig(this.config)
+      .then(() => this.toastr.success('', 'הגדרות מגנט נשמרו בהצלחה'))
+      .catch(() => this.toastr.danger('', 'שגיאה בשמירת הגדרות מגנט'))
+      .finally(() => this.saving = false);
+  }
+}
diff --git a/frontend/src/app/components/super-admin/global-settings/global-settings.component.html b/frontend/src/app/components/super-admin/global-settings/global-settings.component.html
new file mode 100644
index 0000000..ea1f4e4
--- /dev/null
+++ b/frontend/src/app/components/super-admin/global-settings/global-settings.component.html
@@ -0,0 +1,71 @@
+<nb-card>
+  <nb-card-header class="d-flex align-items-center justify-content-between">
+    <div class="d-flex align-items-center gap-2">
+      <nb-icon icon="settings-2-outline"></nb-icon>
+      <span>הגדרות גלובליות (FCM / VAPID)</span>
+    </div>
+    @if (!addingNew) {
+      <button nbButton status="primary" size="small" (click)="addingNew = true">
+        <nb-icon icon="plus-outline"></nb-icon>
+        הוסף הגדרה
+      </button>
+    }
+  </nb-card-header>
+
+  <nb-card-body>
+    @if (loading) {
+      <p class="text-center">טוען...</p>
+    } @else {
+      @if (addingNew) {
+        <nb-card class="mb-3">
+          <nb-card-header>הגדרה חדשה</nb-card-header>
+          <nb-card-body>
+            <div class="d-flex flex-column gap-2">
+              <div>
+                <label class="field-label">שם המפתח</label>
+                <input nbInput fullWidth type="text" [(ngModel)]="newKey" placeholder="setting-key">
+              </div>
+              <div>
+                <label class="field-label">ערך</label>
+                <input nbInput fullWidth type="text" [(ngModel)]="newValue" placeholder="ערך ההגדרה">
+              </div>
+              <div class="d-flex gap-2">
+                <button nbButton status="primary" size="small" (click)="addSetting()">
+                  <nb-icon icon="checkmark-outline"></nb-icon>
+                  הוסף
+                </button>
+                <button nbButton status="danger" size="small" (click)="addingNew = false; newKey = ''; newValue = ''">
+                  <nb-icon icon="close-outline"></nb-icon>
+                  ביטול
+                </button>
+              </div>
+            </div>
+          </nb-card-body>
+        </nb-card>
+      }
+
+      @if (settings.length === 0) {
+        <p class="text-center text-muted">אין הגדרות גלובליות</p>
+      }
+
+      @for (setting of settings; track $index; let i = $index) {
+        <div class="setting-row d-flex align-items-center gap-2 mb-2">
+          <input nbInput fieldSize="small" type="text" [(ngModel)]="settings[i].key"
+            placeholder="שם המפתח" style="width: 200px; flex-shrink: 0;">
+          <input nbInput fullWidth fieldSize="small" type="text" [(ngModel)]="settings[i].value"
+            placeholder="ערך">
+          <button nbButton status="danger" size="small" ghost (click)="removeSetting(i)">
+            <nb-icon icon="trash-2-outline"></nb-icon>
+          </button>
+        </div>
+      }
+    }
+  </nb-card-body>
+
+  <nb-card-footer>
+    <button nbButton status="primary" (click)="save()" [disabled]="saving">
+      <nb-icon icon="save-outline"></nb-icon>
+      {{ saving ? 'שומר...' : 'שמור הגדרות' }}
+    </button>
+  </nb-card-footer>
+</nb-card>
diff --git a/frontend/src/app/components/super-admin/global-settings/global-settings.component.ts b/frontend/src/app/components/super-admin/global-settings/global-settings.component.ts
new file mode 100644
index 0000000..8aa2dfc
--- /dev/null
+++ b/frontend/src/app/components/super-admin/global-settings/global-settings.component.ts
@@ -0,0 +1,66 @@
+import { Component, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { FormsModule } from '@angular/forms';
+import {
+  NbButtonModule,
+  NbCardModule,
+  NbIconModule,
+  NbInputModule,
+  NbToastrService,
+} from '@nebular/theme';
+import { SuperAdminService, Setting } from '../../../services/super-admin.service';
+
+@Component({
+  selector: 'app-global-settings',
+  standalone: true,
+  imports: [
+    CommonModule,
+    FormsModule,
+    NbCardModule,
+    NbButtonModule,
+    NbInputModule,
+    NbIconModule,
+  ],
+  templateUrl: './global-settings.component.html',
+})
+export class GlobalSettingsComponent implements OnInit {
+  settings: Setting[] = [];
+  saving = false;
+  loading = true;
+  newKey = '';
+  newValue = '';
+  addingNew = false;
+
+  constructor(
+    private superAdminService: SuperAdminService,
+    private toastr: NbToastrService,
+  ) {}
+
+  ngOnInit(): void {
+    this.superAdminService.getGlobalSettings()
+      .then(settings => this.settings = [...(settings || [])])
+      .catch(() => this.toastr.danger('', 'שגיאה בטעינת הגדרות גלובליות'))
+      .finally(() => this.loading = false);
+  }
+
+  removeSetting(index: number) {
+    this.settings.splice(index, 1);
+  }
+
+  addSetting() {
+    const key = this.newKey.trim();
+    if (!key) return;
+    this.settings.push({ key, value: this.newValue });
+    this.newKey = '';
+    this.newValue = '';
+    this.addingNew = false;
+  }
+
+  save() {
+    this.saving = true;
+    this.superAdminService.setGlobalSettings(this.settings)
+      .then(() => this.toastr.success('', 'ההגדרות נשמרו בהצלחה'))
+      .catch(() => this.toastr.danger('', 'שגיאה בשמירת ההגדרות'))
+      .finally(() => this.saving = false);
+  }
+}
diff --git a/frontend/src/app/components/super-admin/global-users/global-users.component.html b/frontend/src/app/components/super-admin/global-users/global-users.component.html
new file mode 100644
index 0000000..bee1645
--- /dev/null
+++ b/frontend/src/app/components/super-admin/global-users/global-users.component.html
@@ -0,0 +1,55 @@
+<nb-card>
+  <nb-card-header class="d-flex align-items-center gap-2">
+    <nb-icon icon="people-outline"></nb-icon>
+    <span>משתמשים גלובליים</span>
+  </nb-card-header>
+
+  <nb-card-body>
+    @if (loading) {
+      <p class="text-center">טוען...</p>
+    } @else if (users.length === 0) {
+      <p class="text-center text-muted">אין משתמשים רשומים</p>
+    } @else {
+      <div class="table-responsive">
+        <table class="table table-hover table-sm">
+          <thead>
+            <tr>
+              <th>אימייל</th>
+              <th>שם משתמש</th>
+              <th>שם מוצג</th>
+              <th>תפקיד גלובלי</th>
+              <th>הרשאות ערוצים</th>
+            </tr>
+          </thead>
+          <tbody>
+            @for (user of users; track user.id) {
+              <tr>
+                <td>{{ user.email }}</td>
+                <td>{{ user.username }}</td>
+                <td>{{ user.publicName }}</td>
+                <td>
+                  <span class="badge"
+                    [class.bg-danger]="user.globalRole === 'super_admin'"
+                    [class.bg-primary]="user.globalRole === 'admin'"
+                    [class.bg-secondary]="user.globalRole !== 'super_admin' && user.globalRole !== 'admin'">
+                    {{ getRoleLabel(user.globalRole) }}
+                  </span>
+                </td>
+                <td>
+                  <div class="d-flex flex-wrap gap-1">
+                    @for (entry of getChannelRolesDisplay(user.channelRoles); track entry) {
+                      <span class="badge bg-info text-dark">{{ entry }}</span>
+                    }
+                    @if (!user.channelRoles || getChannelRolesDisplay(user.channelRoles).length === 0) {
+                      <span class="text-muted small">אין</span>
+                    }
+                  </div>
+                </td>
+              </tr>
+            }
+          </tbody>
+        </table>
+      </div>
+    }
+  </nb-card-body>
+</nb-card>
diff --git a/frontend/src/app/components/super-admin/global-users/global-users.component.ts b/frontend/src/app/components/super-admin/global-users/global-users.component.ts
new file mode 100644
index 0000000..ce85b23
--- /dev/null
+++ b/frontend/src/app/components/super-admin/global-users/global-users.component.ts
@@ -0,0 +1,52 @@
+import { Component, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import {
+  NbButtonModule,
+  NbCardModule,
+  NbIconModule,
+  NbToastrService,
+} from '@nebular/theme';
+import { SuperAdminService, SuperAdminUser } from '../../../services/super-admin.service';
+
+@Component({
+  selector: 'app-global-users',
+  standalone: true,
+  imports: [
+    CommonModule,
+    NbCardModule,
+    NbButtonModule,
+    NbIconModule,
+  ],
+  templateUrl: './global-users.component.html',
+})
+export class GlobalUsersComponent implements OnInit {
+  users: SuperAdminUser[] = [];
+  loading = true;
+
+  globalRoleLabels: Record<string, string> = {
+    super_admin: 'מנהל-על',
+    admin: 'מנהל',
+    user: 'משתמש',
+    '': 'רגיל',
+  };
+
+  constructor(
+    private superAdminService: SuperAdminService,
+    private toastr: NbToastrService,
+  ) {}
+
+  ngOnInit(): void {
+    this.superAdminService.getGlobalUsers()
+      .then(users => this.users = users)
+      .catch(() => this.toastr.danger('', 'שגיאה בטעינת רשימת משתמשים'))
+      .finally(() => this.loading = false);
+  }
+
+  getChannelRolesDisplay(channelRoles: Record<string, string>): string[] {
+    return Object.entries(channelRoles || {}).map(([slug, role]) => `${slug}: ${role}`);
+  }
+
+  getRoleLabel(role: string): string {
+    return this.globalRoleLabels[role] || role;
+  }
+}
diff --git a/frontend/src/app/components/super-admin/statistics/super-admin-statistics.component.html b/frontend/src/app/components/super-admin/statistics/super-admin-statistics.component.html
new file mode 100644
index 0000000..e0af10e
--- /dev/null
+++ b/frontend/src/app/components/super-admin/statistics/super-admin-statistics.component.html
@@ -0,0 +1,56 @@
+<div class="d-flex flex-column gap-3">
+  <nb-card>
+    <nb-card-header class="d-flex align-items-center gap-2">
+      <nb-icon icon="bar-chart-outline"></nb-icon>
+      <span>סטטיסטיקות מערכת</span>
+    </nb-card-header>
+    <nb-card-body>
+      <button nbButton status="danger" (click)="resetStatistics()" [disabled]="resetting">
+        <nb-icon icon="refresh-outline"></nb-icon>
+        {{ resetting ? 'מאפס...' : 'איפוס שיא חיבורים' }}
+      </button>
+      <p class="text-muted mt-2 mb-0">
+        <small>פעולה זו תאפס את שיא מספר החיבורים הו-זמניים שנרשם בשרת</small>
+      </p>
+    </nb-card-body>
+  </nb-card>
+
+  <nb-card>
+    <nb-card-header class="d-flex align-items-center justify-content-between">
+      <div class="d-flex align-items-center gap-2">
+        <nb-icon icon="pricetags-outline"></nb-icon>
+        <span>סטטיסטיקות מגנט</span>
+      </div>
+      <button nbButton size="small" status="info" ghost (click)="loadMagnetStats()" [disabled]="loadingStats">
+        <nb-icon icon="refresh-outline"></nb-icon>
+        רענן
+      </button>
+    </nb-card-header>
+    <nb-card-body>
+      @if (loadingStats) {
+        <p class="text-center">טוען...</p>
+      } @else if (!magnetStats) {
+        <p class="text-center text-muted">אין נתונים זמינים</p>
+      } @else {
+        <div class="table-responsive">
+          <table class="table table-sm table-hover">
+            <thead>
+              <tr>
+                <th>מפתח</th>
+                <th>ערך</th>
+              </tr>
+            </thead>
+            <tbody>
+              @for (entry of getStatEntries(); track entry.key) {
+                <tr>
+                  <td><code>{{ entry.key }}</code></td>
+                  <td>{{ entry.value }}</td>
+                </tr>
+              }
+            </tbody>
+          </table>
+        </div>
+      }
+    </nb-card-body>
+  </nb-card>
+</div>
diff --git a/frontend/src/app/components/super-admin/statistics/super-admin-statistics.component.ts b/frontend/src/app/components/super-admin/statistics/super-admin-statistics.component.ts
new file mode 100644
index 0000000..b0a68ed
--- /dev/null
+++ b/frontend/src/app/components/super-admin/statistics/super-admin-statistics.component.ts
@@ -0,0 +1,57 @@
+import { Component, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import {
+  NbButtonModule,
+  NbCardModule,
+  NbIconModule,
+  NbToastrService,
+} from '@nebular/theme';
+import { SuperAdminService } from '../../../services/super-admin.service';
+
+@Component({
+  selector: 'app-super-admin-statistics',
+  standalone: true,
+  imports: [
+    CommonModule,
+    NbCardModule,
+    NbButtonModule,
+    NbIconModule,
+  ],
+  templateUrl: './super-admin-statistics.component.html',
+})
+export class SuperAdminStatisticsComponent implements OnInit {
+  magnetStats: any = null;
+  loadingStats = true;
+  resetting = false;
+
+  constructor(
+    private superAdminService: SuperAdminService,
+    private toastr: NbToastrService,
+  ) {}
+
+  ngOnInit(): void {
+    this.loadMagnetStats();
+  }
+
+  loadMagnetStats() {
+    this.loadingStats = true;
+    this.superAdminService.getMagnetStats()
+      .then(stats => this.magnetStats = stats)
+      .catch(() => this.toastr.warning('', 'לא ניתן לטעון סטטיסטיקות מגנט'))
+      .finally(() => this.loadingStats = false);
+  }
+
+  resetStatistics() {
+    if (!confirm('האם אתה בטוח שברצונך לאפס את שיא החיבורים?')) return;
+    this.resetting = true;
+    this.superAdminService.resetStatistics()
+      .then(() => this.toastr.success('', 'שיא החיבורים אופס בהצלחה'))
+      .catch(() => this.toastr.danger('', 'שגיאה באיפוס הסטטיסטיקות'))
+      .finally(() => this.resetting = false);
+  }
+
+  getStatEntries(): { key: string; value: any }[] {
+    if (!this.magnetStats || typeof this.magnetStats !== 'object') return [];
+    return Object.entries(this.magnetStats).map(([key, value]) => ({ key, value }));
+  }
+}
diff --git a/frontend/src/app/components/super-admin/super-admin-panel.component.html b/frontend/src/app/components/super-admin/super-admin-panel.component.html
new file mode 100644
index 0000000..e109133
--- /dev/null
+++ b/frontend/src/app/components/super-admin/super-admin-panel.component.html
@@ -0,0 +1,48 @@
+<nb-card class="super-admin-panel-card" [size]="'giant'">
+  <nb-card-body class="d-flex flex-row">
+    <nb-menu [items]="navigationMenu" [tag]="MENU_TAG"></nb-menu>
+
+    <!-- Divider -->
+    <div class="vr text-black-50 mx-3"></div>
+
+    <div class="flex-grow-1 overflow-auto">
+      @if (selectedView === VIEW_CHANNEL_FEATURES || selectedView === VIEW_CHANNEL_USERS) {
+        <div class="mb-3">
+          <button class="btn btn-sm btn-outline-secondary" (click)="backToChannels()">
+            ← חזרה לרשימת הערוצים
+          </button>
+        </div>
+      }
+
+      @switch (selectedView) {
+        @case (VIEW_CHANNELS) {
+          <app-channels-list
+            (editFeatures)="onEditFeatures($event)"
+            (manageUsers)="onManageUsers($event)">
+          </app-channels-list>
+        }
+        @case (VIEW_CHANNEL_FEATURES) {
+          <app-channel-features [slug]="selectedChannelSlug"></app-channel-features>
+        }
+        @case (VIEW_CHANNEL_USERS) {
+          <app-channel-users [slug]="selectedChannelSlug"></app-channel-users>
+        }
+        @case (VIEW_ADS) {
+          <app-global-ads></app-global-ads>
+        }
+        @case (VIEW_MAGNET) {
+          <app-global-magnet></app-global-magnet>
+        }
+        @case (VIEW_USERS) {
+          <app-global-users></app-global-users>
+        }
+        @case (VIEW_SETTINGS) {
+          <app-global-settings></app-global-settings>
+        }
+        @case (VIEW_STATISTICS) {
+          <app-super-admin-statistics></app-super-admin-statistics>
+        }
+      }
+    </div>
+  </nb-card-body>
+</nb-card>
diff --git a/frontend/src/app/components/super-admin/super-admin-panel.component.scss b/frontend/src/app/components/super-admin/super-admin-panel.component.scss
new file mode 100644
index 0000000..9e80539
--- /dev/null
+++ b/frontend/src/app/components/super-admin/super-admin-panel.component.scss
@@ -0,0 +1,11 @@
+:host {
+  display: block;
+  width: 100%;
+  height: 100%;
+}
+
+.super-admin-panel-card {
+  height: 100%;
+  width: 100%;
+  margin: 0;
+}
diff --git a/frontend/src/app/components/super-admin/super-admin-panel.component.ts b/frontend/src/app/components/super-admin/super-admin-panel.component.ts
new file mode 100644
index 0000000..786e159
--- /dev/null
+++ b/frontend/src/app/components/super-admin/super-admin-panel.component.ts
@@ -0,0 +1,112 @@
+import { Component, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import {
+  NbCardModule,
+  NbLayoutModule,
+  NbMenuItem,
+  NbMenuModule,
+  NbMenuService,
+  NbSidebarModule,
+} from '@nebular/theme';
+import { ChannelsListComponent } from './channels/channels-list.component';
+import { ChannelFeaturesComponent } from './channels/channel-features.component';
+import { ChannelUsersComponent } from './channels/channel-users.component';
+import { GlobalAdsComponent } from './global-ads/global-ads.component';
+import { GlobalMagnetComponent } from './global-magnet/global-magnet.component';
+import { GlobalUsersComponent } from './global-users/global-users.component';
+import { GlobalSettingsComponent } from './global-settings/global-settings.component';
+import { SuperAdminStatisticsComponent } from './statistics/super-admin-statistics.component';
+
+type ViewName = 'channels' | 'channel-features' | 'channel-users' | 'ads' | 'magnet' | 'users' | 'settings' | 'statistics';
+
+@Component({
+  selector: 'app-super-admin-panel',
+  standalone: true,
+  imports: [
+    CommonModule,
+    NbLayoutModule,
+    NbSidebarModule,
+    NbMenuModule,
+    NbCardModule,
+    ChannelsListComponent,
+    ChannelFeaturesComponent,
+    ChannelUsersComponent,
+    GlobalAdsComponent,
+    GlobalMagnetComponent,
+    GlobalUsersComponent,
+    GlobalSettingsComponent,
+    SuperAdminStatisticsComponent,
+  ],
+  templateUrl: './super-admin-panel.component.html',
+  styleUrl: './super-admin-panel.component.scss',
+})
+export class SuperAdminPanelComponent implements OnInit {
+  selectedView: ViewName = 'channels';
+  selectedChannelSlug = '';
+
+  readonly MENU_TAG = 'super-admin-menu';
+
+  readonly VIEW_CHANNELS: ViewName = 'channels';
+  readonly VIEW_CHANNEL_FEATURES: ViewName = 'channel-features';
+  readonly VIEW_CHANNEL_USERS: ViewName = 'channel-users';
+  readonly VIEW_ADS: ViewName = 'ads';
+  readonly VIEW_MAGNET: ViewName = 'magnet';
+  readonly VIEW_USERS: ViewName = 'users';
+  readonly VIEW_SETTINGS: ViewName = 'settings';
+  readonly VIEW_STATISTICS: ViewName = 'statistics';
+
+  navigationMenu: NbMenuItem[] = [
+    { title: 'ערוצים', icon: 'list-outline', selected: true },
+    { title: 'פרסומות iframe', icon: 'film-outline' },
+    { title: 'פרסומות מגנט', icon: 'pricetags-outline' },
+    { title: 'משתמשים', icon: 'people-outline' },
+    { title: 'הגדרות גלובליות', icon: 'settings-2-outline' },
+    { title: 'סטטיסטיקות', icon: 'bar-chart-outline' },
+  ];
+
+  constructor(private menuService: NbMenuService) {}
+
+  ngOnInit(): void {
+    this.menuService.onItemClick().subscribe(event => {
+      this.navigationMenu.forEach(item => (item.selected = false));
+      event.item.selected = true;
+
+      switch (event.item.icon) {
+        case 'list-outline':
+          this.selectedView = this.VIEW_CHANNELS;
+          this.selectedChannelSlug = '';
+          break;
+        case 'film-outline':
+          this.selectedView = this.VIEW_ADS;
+          break;
+        case 'pricetags-outline':
+          this.selectedView = this.VIEW_MAGNET;
+          break;
+        case 'people-outline':
+          this.selectedView = this.VIEW_USERS;
+          break;
+        case 'settings-2-outline':
+          this.selectedView = this.VIEW_SETTINGS;
+          break;
+        case 'bar-chart-outline':
+          this.selectedView = this.VIEW_STATISTICS;
+          break;
+      }
+    });
+  }
+
+  onEditFeatures(slug: string) {
+    this.selectedChannelSlug = slug;
+    this.selectedView = this.VIEW_CHANNEL_FEATURES;
+  }
+
+  onManageUsers(slug: string) {
+    this.selectedChannelSlug = slug;
+    this.selectedView = this.VIEW_CHANNEL_USERS;
+  }
+
+  backToChannels() {
+    this.selectedView = this.VIEW_CHANNELS;
+    this.selectedChannelSlug = '';
+  }
+}

From 581a20f55fceeb672e6c6135a85b43359980ed72 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 17 May 2026 18:11:49 +0000
Subject: [PATCH 25/60] Add Cloudflare R2 storage with local fallback

- storage.go: R2 client init (aws-sdk-go-v2/s3), upload, exists-check, download helpers
  Reads env vars: R2_ACCOUNT_ID, R2_ACCESS_KEY_ID, R2_SECRET_ACCESS_KEY,
  R2_BUCKET_NAME, R2_PUBLIC_URL (optional)
- files.go: file metadata moved to Redis (key: file:{id}), YAML fallback for legacy files
  If R2 configured: uploads to R2, serves via redirect (public URL) or proxy
  If R2 not configured: local disk at /app/files/ (backward compatible)
  Deduplication by SHA-256 hash preserved for both R2 and local
- main.go: call initR2() on startup
- sample.env: document R2 env vars
- go.mod/go.sum: add aws-sdk-go-v2 dependencies

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 backend/files.go   | 247 +++++++++++++++++++++++++++------------------
 backend/go.mod     |  18 ++++
 backend/go.sum     |  36 +++++++
 backend/main.go    |   1 +
 backend/storage.go |  87 ++++++++++++++++
 sample.env         |   9 +-
 6 files changed, 301 insertions(+), 97 deletions(-)
 create mode 100644 backend/storage.go

diff --git a/backend/files.go b/backend/files.go
index 3d320c2..6b557dc 100644
--- a/backend/files.go
+++ b/backend/files.go
@@ -1,12 +1,14 @@
 package main
 
 import (
+	"bytes"
 	"context"
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/hex"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"io"
 	"net/http"
 	"net/url"
@@ -30,39 +32,105 @@ type FileResponse struct {
 	FileType string `json:"filetype"`
 }
 
+type FileMetadata struct {
+	ID       string `json:"id"`
+	Filename string `json:"filename"`
+	Hash     string `json:"hash"`
+	Type     string `json:"type"`
+	Delete   bool   `json:"delete"`
+}
+
 var maxBytesReader *http.MaxBytesError
 
-func serveFile(w http.ResponseWriter, r *http.Request) {
-	fileId := chi.URLParam(r, "fileid")
+// dbSaveFileMetadata stores file metadata in Redis.
+func dbSaveFileMetadata(ctx context.Context, meta *FileMetadata) error {
+	data, err := json.Marshal(meta)
+	if err != nil {
+		return err
+	}
+	return rdb.Set(ctx, "file:"+meta.ID, data, 0).Err()
+}
+
+// dbGetFileMetadata retrieves file metadata from Redis, falling back to YAML for old files.
+func dbGetFileMetadata(ctx context.Context, id string) (*FileMetadata, error) {
+	data, err := rdb.Get(ctx, "file:"+id).Result()
+	if err == nil {
+		var meta FileMetadata
+		if err := json.Unmarshal([]byte(data), &meta); err != nil {
+			return nil, err
+		}
+		return &meta, nil
+	}
 
-	metadataFilePath := filepath.Join(rootUploadPath, fileId[:2], fileId[2:4], fileId+".yaml")
-	metadataFile, err := os.ReadFile(metadataFilePath)
+	// Fallback: read from YAML (legacy local files)
+	metadataFilePath := filepath.Join(rootUploadPath, id[:2], id[2:4], id+".yaml")
+	yamlData, err := os.ReadFile(metadataFilePath)
 	if err != nil {
-		http.Error(w, "File not found", http.StatusNotFound)
-		return
+		return nil, fmt.Errorf("file not found")
 	}
+	var raw map[string]any
+	if err := yaml.Unmarshal(yamlData, &raw); err != nil {
+		return nil, err
+	}
+	deleted, _ := raw["delete"].(bool)
+	hash, _ := dyno.GetString(raw["hash"])
+	filename, _ := dyno.GetString(raw["filename"])
+	fileType, _ := dyno.GetString(raw["type"])
+	return &FileMetadata{
+		ID:       id,
+		Filename: filename,
+		Hash:     hash,
+		Type:     fileType,
+		Delete:   deleted,
+	}, nil
+}
 
-	var metaData map[string]any
-	if err := yaml.Unmarshal(metadataFile, &metaData); err != nil {
-		http.Error(w, "error", http.StatusInternalServerError)
+func serveFile(w http.ResponseWriter, r *http.Request) {
+	fileId := chi.URLParam(r, "fileid")
+	if len(fileId) < 4 {
+		http.Error(w, "File not found", http.StatusNotFound)
 		return
 	}
 
-	if delete := metaData["delete"].(bool); delete {
+	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
+	defer cancel()
+
+	meta, err := dbGetFileMetadata(ctx, fileId)
+	if err != nil || meta.Delete {
 		http.Error(w, "File not found", http.StatusNotFound)
 		return
 	}
 
-	fileHash, _ := dyno.GetString(metaData["hash"])
-	filePath := filepath.Join(rootUploadPath, fileHash[:2], fileHash[2:4], fileHash)
-	originalFileName, _ := dyno.GetString(metaData["filename"])
+	w.Header().Set("Content-Disposition", `attachment; filename*=UTF-8''`+url.QueryEscape(meta.Filename))
 
-	w.Header().Set("Content-Disposition", `attachment; filename*=UTF-8''`+url.QueryEscape(originalFileName))
+	if r2Enabled {
+		key := r2ObjectKey(meta.Hash)
+		if r2PublicURL != "" {
+			// Redirect to public R2 URL
+			http.Redirect(w, r, r2PublicURL+"/"+key, http.StatusFound)
+			return
+		}
+		// Proxy through backend
+		body, contentType, err := r2Download(ctx, key)
+		if err != nil {
+			http.Error(w, "File not found", http.StatusNotFound)
+			return
+		}
+		defer body.Close()
+		if contentType != nil {
+			w.Header().Set("Content-Type", *contentType)
+		}
+		io.Copy(w, body)
+		return
+	}
+
+	// Local storage fallback
+	filePath := filepath.Join(rootUploadPath, meta.Hash[:2], meta.Hash[2:4], meta.Hash)
 	http.ServeFile(w, r, filePath)
 }
 
 func uploadFile(w http.ResponseWriter, r *http.Request) {
-	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
 
 	slug := channelSlugFromCtx(r)
@@ -81,88 +149,70 @@ func uploadFile(w http.ResponseWriter, r *http.Request) {
 	}
 	defer file.Close()
 
-	if err := os.MkdirAll(rootUploadPath, os.ModePerm); err != nil {
+	// Read file into memory for hashing + type detection + upload
+	fileBytes, err := io.ReadAll(file)
+	if err != nil {
 		http.Error(w, "error", http.StatusInternalServerError)
 		return
 	}
 
-	head := make([]byte, 512)
-	file.Read(head)
-
-	t, _ := filetype.Match(head)
+	t, _ := filetype.Match(fileBytes[:min(512, len(fileBytes))])
 
-	file.Seek(0, io.SeekStart)
-	fileHash, err := generatedFileHash(file)
-	if err != nil {
-		http.Error(w, "error", http.StatusInternalServerError)
-		return
-	}
+	// Compute SHA-256 hash
+	hashBytes := sha256.Sum256(fileBytes)
+	fileHash := hex.EncodeToString(hashBytes[:])
 
-	hashSubDir := filepath.Join(rootUploadPath, fileHash[:2], fileHash[2:4])
-	if err := os.MkdirAll(hashSubDir, os.ModePerm); err != nil {
+	id := generatedRandomID(20)
+	if id == "" {
 		http.Error(w, "error", http.StatusInternalServerError)
 		return
 	}
 
-	var isDuplicateFile bool
-	testISDuplicateFilePath := filepath.Join(hashSubDir, fileHash)
-	_, err = os.Stat(testISDuplicateFilePath)
-	if err == nil {
-		isDuplicateFile = true
+	safeFilename := gozaru.Sanitize(handler.Filename)
+	contentType := t.MIME.Value
+	if contentType == "" {
+		contentType = "application/octet-stream"
 	}
 
-	if !isDuplicateFile {
-		destPath := filepath.Join(hashSubDir, fileHash)
-
-		file.Seek(0, io.SeekStart)
-		destFile, err := os.Create(destPath)
-		if err != nil {
+	if r2Enabled {
+		key := r2ObjectKey(fileHash)
+		if !r2Exists(ctx, key) {
+			if err := r2Upload(ctx, key, bytes.NewReader(fileBytes), contentType); err != nil {
+				http.Error(w, "error uploading file", http.StatusInternalServerError)
+				return
+			}
+		}
+	} else {
+		// Local storage
+		if err := os.MkdirAll(rootUploadPath, os.ModePerm); err != nil {
 			http.Error(w, "error", http.StatusInternalServerError)
 			return
 		}
-		defer destFile.Close()
-
-		if _, err := io.Copy(destFile, file); err != nil {
+		hashSubDir := filepath.Join(rootUploadPath, fileHash[:2], fileHash[2:4])
+		if err := os.MkdirAll(hashSubDir, os.ModePerm); err != nil {
 			http.Error(w, "error", http.StatusInternalServerError)
 			return
 		}
+		destPath := filepath.Join(hashSubDir, fileHash)
+		if _, err := os.Stat(destPath); os.IsNotExist(err) {
+			if err := os.WriteFile(destPath, fileBytes, 0644); err != nil {
+				http.Error(w, "error", http.StatusInternalServerError)
+				return
+			}
+		}
 	}
 
-	id := generatedRandomID(20)
-	if id == "" {
-		http.Error(w, "error", http.StatusInternalServerError)
-		return
-	}
-
-	yamlFileDir := filepath.Join(rootUploadPath, id[:2], id[2:4])
-	if err := os.MkdirAll(yamlFileDir, os.ModePerm); err != nil {
-		http.Error(w, "error", http.StatusInternalServerError)
-		return
-	}
-
-	safeFilename := gozaru.Sanitize(handler.Filename)
-
-	fileMetadata := map[string]any{
-		"id":       id,
-		"filename": safeFilename,
-		"hash":     fileHash,
-		"type":     t.MIME.Type,
-		"delete":   false,
+	meta := &FileMetadata{
+		ID:       id,
+		Filename: safeFilename,
+		Hash:     fileHash,
+		Type:     t.MIME.Type,
+		Delete:   false,
 	}
-	metadataFilePath := filepath.Join(rootUploadPath, id[:2], id[2:4], id+".yaml")
-	metadataFile, err := os.Create(metadataFilePath)
-	if err != nil {
+	if err := dbSaveFileMetadata(ctx, meta); err != nil {
 		http.Error(w, "error", http.StatusInternalServerError)
 		return
 	}
-	defer metadataFile.Close()
-
-	yamlData, err := yaml.Marshal(fileMetadata)
-	if err != nil {
-		http.Error(w, "error", http.StatusInternalServerError)
-		return
-	}
-	metadataFile.Write(yamlData)
 
 	fileUrl := "/api/channel/" + slug + "/files/" + id
 
@@ -179,26 +229,21 @@ func generatedFileHash(file io.Reader) (string, error) {
 	if _, err := io.Copy(hash, file); err != nil {
 		return "", err
 	}
-
 	return hex.EncodeToString(hash.Sum(nil)), nil
 }
 
-func generatedRandomID(len int) string {
-	b := make([]byte, len)
-	_, err := rand.Read(b)
-	if err != nil {
+func generatedRandomID(length int) string {
+	b := make([]byte, length)
+	if _, err := rand.Read(b); err != nil {
 		return ""
 	}
-
 	return hex.EncodeToString(b)
 }
 
-// TODO: Image size limitation
 func getFavicon(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 
-	// Try to get slug from query param or use a default
 	slug := r.URL.Query().Get("slug")
 	if slug == "" {
 		http.ServeFile(w, r, "assets/favicon.ico")
@@ -213,35 +258,45 @@ func getFavicon(w http.ResponseWriter, r *http.Request) {
 
 	logoUrl := c["logoUrl"]
 	if logoUrl == "" {
-		logoUrl = "assets/favicon.ico"
-	}
-	fileId := path.Base(logoUrl)
-
-	if len(fileId) < 4 {
 		http.ServeFile(w, r, "assets/favicon.ico")
 		return
 	}
 
-	metadataFilePath := filepath.Join(rootUploadPath, fileId[:2], fileId[2:4], fileId+".yaml")
-	metadataFile, err := os.ReadFile(metadataFilePath)
-	if err != nil {
+	fileId := path.Base(logoUrl)
+	if len(fileId) < 4 {
 		http.ServeFile(w, r, "assets/favicon.ico")
 		return
 	}
 
-	var metaData map[string]any
-	if err := yaml.Unmarshal(metadataFile, &metaData); err != nil {
+	meta, err := dbGetFileMetadata(ctx, fileId)
+	if err != nil || meta.Delete {
 		http.ServeFile(w, r, "assets/favicon.ico")
 		return
 	}
 
-	if delete := metaData["delete"].(bool); delete {
-		http.ServeFile(w, r, "assets/favicon.ico")
+	if r2Enabled {
+		key := r2ObjectKey(meta.Hash)
+		if r2PublicURL != "" {
+			http.Redirect(w, r, r2PublicURL+"/"+key, http.StatusFound)
+			return
+		}
+		body, _, err := r2Download(ctx, key)
+		if err != nil {
+			http.ServeFile(w, r, "assets/favicon.ico")
+			return
+		}
+		defer body.Close()
+		io.Copy(w, body)
 		return
 	}
 
-	fileHash, _ := dyno.GetString(metaData["hash"])
-	filePath := filepath.Join(rootUploadPath, fileHash[:2], fileHash[2:4], fileHash)
-
+	filePath := filepath.Join(rootUploadPath, meta.Hash[:2], meta.Hash[2:4], meta.Hash)
 	http.ServeFile(w, r, filePath)
 }
+
+func min(a, b int) int {
+	if a < b {
+		return a
+	}
+	return b
+}
diff --git a/backend/go.mod b/backend/go.mod
index a58c270..eb6caa7 100644
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -20,6 +20,24 @@ require (
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric v0.51.0 // indirect
 	github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping v0.51.0 // indirect
 	github.com/MicahParks/keyfunc v1.9.0 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.41.7 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.10 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.32.17 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.16 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.23 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.101.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.11 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.42.1 // indirect
+	github.com/aws/smithy-go v1.25.1 // indirect
 	github.com/cncf/xds/go v0.0.0-20250501225837-2ac532fd4443 // indirect
 	github.com/envoyproxy/go-control-plane/envoy v1.32.4 // indirect
 	github.com/envoyproxy/protoc-gen-validate v1.2.1 // indirect
diff --git a/backend/go.sum b/backend/go.sum
index 7bfddbc..7317c3a 100644
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -34,6 +34,42 @@ github.com/MicahParks/keyfunc v1.9.0 h1:lhKd5xrFHLNOWrDc4Tyb/Q1AJ4LCzQ48GVJyVIID
 github.com/MicahParks/keyfunc v1.9.0/go.mod h1:IdnCilugA0O/99dW+/MkvlyrsX8+L8+x95xuVNtM5jw=
 github.com/appleboy/go-fcm v1.2.6 h1:TU5/+2QnmTNjWkHLe9hUB9EPJ5Bv+CegzTJI0qK0QgA=
 github.com/appleboy/go-fcm v1.2.6/go.mod h1:nvi8DgoMax8o6nwQYgO8pIXSX6iaQY7yDYvtwIGa6aI=
+github.com/aws/aws-sdk-go-v2 v1.41.7 h1:DWpAJt66FmnnaRIOT/8ASTucrvuDPZASqhhLey6tLY8=
+github.com/aws/aws-sdk-go-v2 v1.41.7/go.mod h1:4LAfZOPHNVNQEckOACQx60Y8pSRjIkNZQz1w92xpMJc=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.10 h1:gx1AwW1Iyk9Z9dD9F4akX5gnN3QZwUB20GGKH/I+Rho=
+github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.10/go.mod h1:qqY157uZoqm5OXq/amuaBJyC9hgBCBQnsaWnPe905GY=
+github.com/aws/aws-sdk-go-v2/config v1.32.17 h1:FpL4/758/diKwqbytU0prpuiu60fgXKUWCpDJtApclU=
+github.com/aws/aws-sdk-go-v2/config v1.32.17/go.mod h1:OXqUMzgXytfoF9JaKkhrOYsyh72t9G+MJH8mMRaexOE=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.16 h1:r3RJBuU7X9ibt8RHbMjWE6y60QbKBiII6wSrXnapxSU=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.16/go.mod h1:6cx7zqDENJDbBIIWX6P8s0h6hqHC8Avbjh9Dseo27ug=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23 h1:UuSfcORqNSz/ey3VPRS8TcVH2Ikf0/sC+Hdj400QI6U=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.23/go.mod h1:+G/OSGiOFnSOkYloKj/9M35s74LgVAdJBSD5lsFfqKg=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23 h1:GpT/TrnBYuE5gan2cZbTtvP+JlHsutdmlV2YfEyNde0=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.23/go.mod h1:xYWD6BS9ywC5bS3sz9Xh04whO/hzK2plt2Zkyrp4JuA=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23 h1:bpd8vxhlQi2r1hiueOw02f/duEPTMK59Q4QMAoTTtTo=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.23/go.mod h1:15DfR2nw+CRHIk0tqNyifu3G1YdAOy68RftkhMDDwYk=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24 h1:OQqn11BtaYv1WLUowvcA30MpzIu8Ti4pcLPIIyoKZrA=
+github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.24/go.mod h1:X5ZJyfwVrWA96GzPmUCWFQaEARPR7gCrpq2E92PJwAE=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9 h1:FLudkZLt5ci0ozzgkVo8BJGwvqNaZbTWb3UcucAateA=
+github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.9/go.mod h1:w7wZ/s9qK7c8g4al+UyoF1Sp/Z45UwMGcqIzLWVQHWk=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.15 h1:ieLCO1JxUWuxTZ1cRd0GAaeX7O6cIxnwk7tc1LsQhC4=
+github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.15/go.mod h1:e3IzZvQ3kAWNykvE0Tr0RDZCMFInMvhku3qNpcIQXhM=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23 h1:pbrxO/kuIwgEsOPLkaHu0O+m4fNgLU8B3vxQ+72jTPw=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.23/go.mod h1:/CMNUqoj46HpS3MNRDEDIwcgEnrtZlKRaHNaHxIFpNA=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.23 h1:03xatSQO4+AM1lTAbnRg5OK528EUg744nW7F73U8DKw=
+github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.23/go.mod h1:M8l3mwgx5ToK7wot2sBBce/ojzgnPzZXUV445gTSyE8=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.101.0 h1:etqBTKY581iwLL/H/S2sVgk3C9lAsTJFeXWFDsDcWOU=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.101.0/go.mod h1:L2dcoOgS2VSgbPLvpak2NyUPsO1TBN7M45Z4H7DlRc4=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.11 h1:TdJ+HdzOBhU8+iVAOGUTU63VXopcumCOF1paFulHWZc=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.11/go.mod h1:R82ZRExE/nheo0N+T8zHPcLRTcH8MGsnR3BiVGX0TwI=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.17 h1:7byT8HUWrgoRp6sXjxtZwgOKfhss5fW6SkLBtqzgRoE=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.17/go.mod h1:xNWknVi4Ezm1vg1QsB/5EWpAJURq22uqd38U8qKvOJc=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21 h1:+1Kl1zx6bWi4X7cKi3VYh29h8BvsCoHQEQ6ST9X8w7w=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.21/go.mod h1:4vIRDq+CJB2xFAXZ+YgGUTiEft7oAQlhIs71xcSeuVg=
+github.com/aws/aws-sdk-go-v2/service/sts v1.42.1 h1:F/M5Y9I3nwr2IEpshZgh1GeHpOItExNM9L1euNuh/fk=
+github.com/aws/aws-sdk-go-v2/service/sts v1.42.1/go.mod h1:mTNxImtovCOEEuD65mKW7DCsL+2gjEH+RPEAexAzAio=
+github.com/aws/smithy-go v1.25.1 h1:J8ERsGSU7d+aCmdQur5Txg6bVoYelvQJgtZehD12GkI=
+github.com/aws/smithy-go v1.25.1/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/boj/redistore v1.4.0 h1:PFn5Hcbmj22WGsMKGLaEn33In4+C0lX+txbAOpA3mPA=
 github.com/boj/redistore v1.4.0/go.mod h1:JeLqX+qEEBrjytalj9s+3a7o34lNmYncdPj8HeZRvYk=
 github.com/bsm/ginkgo/v2 v2.12.0 h1:Ny8MWAHyOepLGlLKYmXG4IEkioBysk6GpaRTLC8zwWs=
diff --git a/backend/main.go b/backend/main.go
index 042ce8f..43d8b23 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -18,6 +18,7 @@ var rootStaticFolder = os.Getenv("ROOT_STATIC_FOLDER")
 
 func main() {
 	gob.Register(Session{})
+	initR2()
 	initializePrivilegeUsers()
 	go statLogger()
 
diff --git a/backend/storage.go b/backend/storage.go
new file mode 100644
index 0000000..fa52b66
--- /dev/null
+++ b/backend/storage.go
@@ -0,0 +1,87 @@
+package main
+
+import (
+	"context"
+	"io"
+	"log"
+	"os"
+
+	"github.com/aws/aws-sdk-go-v2/aws"
+	"github.com/aws/aws-sdk-go-v2/config"
+	"github.com/aws/aws-sdk-go-v2/credentials"
+	"github.com/aws/aws-sdk-go-v2/service/s3"
+)
+
+var r2Client *s3.Client
+var r2Bucket string
+var r2PublicURL string
+var r2Enabled bool
+
+func initR2() {
+	accountID := os.Getenv("R2_ACCOUNT_ID")
+	accessKey := os.Getenv("R2_ACCESS_KEY_ID")
+	secretKey := os.Getenv("R2_SECRET_ACCESS_KEY")
+	r2Bucket = os.Getenv("R2_BUCKET_NAME")
+	r2PublicURL = os.Getenv("R2_PUBLIC_URL") // optional: https://pub-xxx.r2.dev
+
+	if accountID == "" || accessKey == "" || secretKey == "" || r2Bucket == "" {
+		log.Println("R2 not configured, using local file storage")
+		return
+	}
+
+	endpoint := "https://" + accountID + ".r2.cloudflarestorage.com"
+
+	cfg, err := config.LoadDefaultConfig(context.Background(),
+		config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(accessKey, secretKey, "")),
+		config.WithRegion("auto"),
+	)
+	if err != nil {
+		log.Printf("R2 config error: %v — falling back to local storage\n", err)
+		return
+	}
+
+	r2Client = s3.NewFromConfig(cfg, func(o *s3.Options) {
+		o.BaseEndpoint = aws.String(endpoint)
+		o.UsePathStyle = true
+	})
+
+	r2Enabled = true
+	log.Printf("R2 storage enabled (bucket: %s)\n", r2Bucket)
+}
+
+// r2ObjectKey returns the R2 object key for a file hash.
+func r2ObjectKey(hash string) string {
+	return "files/" + hash[:2] + "/" + hash[2:4] + "/" + hash
+}
+
+// r2Upload uploads a file to R2. Returns an error if failed.
+func r2Upload(ctx context.Context, key string, body io.Reader, contentType string) error {
+	_, err := r2Client.PutObject(ctx, &s3.PutObjectInput{
+		Bucket:      aws.String(r2Bucket),
+		Key:         aws.String(key),
+		Body:        body,
+		ContentType: aws.String(contentType),
+	})
+	return err
+}
+
+// r2Exists checks if an object already exists in R2 (deduplication).
+func r2Exists(ctx context.Context, key string) bool {
+	_, err := r2Client.HeadObject(ctx, &s3.HeadObjectInput{
+		Bucket: aws.String(r2Bucket),
+		Key:    aws.String(key),
+	})
+	return err == nil
+}
+
+// r2Download downloads an object from R2 and returns its body.
+func r2Download(ctx context.Context, key string) (io.ReadCloser, *string, error) {
+	result, err := r2Client.GetObject(ctx, &s3.GetObjectInput{
+		Bucket: aws.String(r2Bucket),
+		Key:    aws.String(key),
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+	return result.Body, result.ContentType, nil
+}
diff --git a/sample.env b/sample.env
index 04e4212..1aaa9f5 100644
--- a/sample.env
+++ b/sample.env
@@ -7,4 +7,11 @@ REDIS_PROTOCOL=unix
 # Google-oauth2
 GOOGLE_CLIENT_ID=your_google_client_id
 GOOGLE_CLIENT_SECRET=your_google_client_secret
-ADMIN_USERS=example@gmail.com,example1@gmail.com
\ No newline at end of file
+ADMIN_USERS=example@gmail.com,example1@gmail.com
+
+# Cloudflare R2 Storage (optional — if not set, files stored locally in /app/files/)
+R2_ACCOUNT_ID=your_cloudflare_account_id
+R2_ACCESS_KEY_ID=your_r2_access_key_id
+R2_SECRET_ACCESS_KEY=your_r2_secret_access_key
+R2_BUCKET_NAME=your_bucket_name
+R2_PUBLIC_URL=https://pub-xxxx.r2.dev   # optional: public bucket URL for direct redirects
\ No newline at end of file

From 21042ed209c02c0688406c9e23c28194bf0ce0a8 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 17 May 2026 18:23:27 +0000
Subject: [PATCH 26/60] Add storage quota system, super admin storage panel,
 and TinyPNG compression
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Backend: storage quota tracking with per-channel and global defaults
- Backend: auto-cleanup oldest files when quota is near full
- Backend: TinyPNG API integration — compresses PNG/JPEG/WebP before upload
- Frontend (admin): channel storage panel with usage bar, warnings, auto-cleanup toggle
- Frontend (admin): TinyPNG API key field in settings (storage category)
- Frontend (super-admin): global storage quota config panel
- Frontend (super-admin): per-channel storage view with quota override and usage bar
- Frontend (super-admin): "אחסון" button in channels list to open per-channel storage
- Super admin service: added getGlobalStorageConfig/setGlobalStorageConfig/getChannelStorage/setChannelStorage

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 backend/db.go                                 | 143 +++++++++++++
 backend/files.go                              | 170 +++++++++++++--
 backend/main.go                               |   6 +
 backend/settings.go                           |   4 +
 backend/storage.go                            |   9 +
 backend/storage_handlers.go                   | 202 ++++++++++++++++++
 .../admin/admin-panel.component.html          |   3 +
 .../components/admin/admin-panel.component.ts |  20 +-
 .../admin/settings/settings.schema.ts         |  14 ++
 .../admin/storage/storage.component.ts        | 122 +++++++++++
 .../channels/channels-list.component.html     |   5 +
 .../channels/channels-list.component.ts       |   1 +
 .../global-storage.component.ts               |  70 ++++++
 .../storage/super-admin-storage.component.ts  | 115 ++++++++++
 .../super-admin-panel.component.html          |  11 +-
 .../super-admin-panel.component.ts            |  18 +-
 frontend/src/app/models/channel.model.ts      |   1 +
 .../src/app/services/super-admin.service.ts   |  16 ++
 18 files changed, 910 insertions(+), 20 deletions(-)
 create mode 100644 backend/storage_handlers.go
 create mode 100644 frontend/src/app/components/admin/storage/storage.component.ts
 create mode 100644 frontend/src/app/components/super-admin/global-storage/global-storage.component.ts
 create mode 100644 frontend/src/app/components/super-admin/storage/super-admin-storage.component.ts

diff --git a/backend/db.go b/backend/db.go
index a390bc4..b9e1f5e 100644
--- a/backend/db.go
+++ b/backend/db.go
@@ -1014,3 +1014,146 @@ func dbSetGlobalAdsConfig(ctx context.Context, cfg *GlobalAdsConfig) error {
 	}
 	return rdb.Set(ctx, "global:ads:config", data, 0).Err()
 }
+
+// ─── Storage Quota & Usage ────────────────────────────────────────────────────
+
+const defaultStorageQuotaBytes = int64(5 * 1024 * 1024 * 1024) // 5 GB
+
+func dbGetGlobalStorageQuota(ctx context.Context) (int64, error) {
+	v, err := rdb.Get(ctx, "global:storage:quota_bytes").Int64()
+	if err != nil {
+		if err == redis.Nil {
+			return defaultStorageQuotaBytes, nil
+		}
+		return 0, err
+	}
+	return v, nil
+}
+
+func dbSetGlobalStorageQuota(ctx context.Context, bytes int64) error {
+	return rdb.Set(ctx, "global:storage:quota_bytes", bytes, 0).Err()
+}
+
+// dbGetChannelStorageQuota returns the quota for a channel.
+// 0 means "use global default".
+func dbGetChannelStorageQuota(ctx context.Context, slug string) (int64, error) {
+	v, err := rdb.Get(ctx, "channel:"+slug+":storage:quota_bytes").Int64()
+	if err != nil {
+		if err == redis.Nil {
+			return 0, nil // 0 = use global
+		}
+		return 0, err
+	}
+	return v, nil
+}
+
+func dbSetChannelStorageQuota(ctx context.Context, slug string, bytes int64) error {
+	if bytes == 0 {
+		return rdb.Del(ctx, "channel:"+slug+":storage:quota_bytes").Err()
+	}
+	return rdb.Set(ctx, "channel:"+slug+":storage:quota_bytes", bytes, 0).Err()
+}
+
+// dbGetEffectiveStorageQuota returns the effective quota for a channel (channel override or global default).
+func dbGetEffectiveStorageQuota(ctx context.Context, slug string) (int64, error) {
+	v, err := dbGetChannelStorageQuota(ctx, slug)
+	if err != nil {
+		return 0, err
+	}
+	if v > 0 {
+		return v, nil
+	}
+	return dbGetGlobalStorageQuota(ctx)
+}
+
+func dbGetChannelStorageUsed(ctx context.Context, slug string) (int64, error) {
+	v, err := rdb.Get(ctx, "channel:"+slug+":storage:used_bytes").Int64()
+	if err != nil {
+		if err == redis.Nil {
+			return 0, nil
+		}
+		return 0, err
+	}
+	return v, nil
+}
+
+func dbIncrChannelStorageUsed(ctx context.Context, slug string, bytes int64) error {
+	return rdb.IncrBy(ctx, "channel:"+slug+":storage:used_bytes", bytes).Err()
+}
+
+func dbDecrChannelStorageUsed(ctx context.Context, slug string, bytes int64) error {
+	return rdb.DecrBy(ctx, "channel:"+slug+":storage:used_bytes", bytes).Err()
+}
+
+// dbAddChannelFile registers a file in the channel's file tracking sorted set.
+func dbAddChannelFile(ctx context.Context, slug, fileID string, uploadedAt int64, size int64) error {
+	// member encodes fileID and size separated by ":"
+	member := fmt.Sprintf("%s:%d", fileID, size)
+	return rdb.ZAdd(ctx, "channel:"+slug+":files", redis.Z{
+		Score:  float64(uploadedAt),
+		Member: member,
+	}).Err()
+}
+
+// dbRemoveChannelFile removes a file from the channel's tracking set.
+func dbRemoveChannelFile(ctx context.Context, slug, fileID string) error {
+	// We need to find and remove the member that starts with fileID
+	members, err := rdb.ZRange(ctx, "channel:"+slug+":files", 0, -1).Result()
+	if err != nil {
+		return err
+	}
+	for _, m := range members {
+		if len(m) >= len(fileID) && m[:len(fileID)] == fileID {
+			return rdb.ZRem(ctx, "channel:"+slug+":files", m).Err()
+		}
+	}
+	return nil
+}
+
+// dbGetOldestChannelFiles returns the oldest file IDs and their sizes (oldest first).
+func dbGetOldestChannelFiles(ctx context.Context, slug string, limit int64) ([]struct{ ID string; Size int64 }, error) {
+	members, err := rdb.ZRange(ctx, "channel:"+slug+":files", 0, limit-1).Result()
+	if err != nil {
+		return nil, err
+	}
+	result := make([]struct{ ID string; Size int64 }, 0, len(members))
+	for _, m := range members {
+		// format: "fileID:size"
+		for i := len(m) - 1; i >= 0; i-- {
+			if m[i] == ':' {
+				fileID := m[:i]
+				var size int64
+				fmt.Sscanf(m[i+1:], "%d", &size)
+				result = append(result, struct{ ID string; Size int64 }{fileID, size})
+				break
+			}
+		}
+	}
+	return result, nil
+}
+
+func dbGetChannelAutoCleanup(ctx context.Context, slug string) (bool, error) {
+	v, err := rdb.Get(ctx, "channel:"+slug+":storage:auto_cleanup").Result()
+	if err != nil {
+		return false, nil
+	}
+	return v == "true", nil
+}
+
+func dbSetChannelAutoCleanup(ctx context.Context, slug string, enabled bool) error {
+	val := "false"
+	if enabled {
+		val = "true"
+	}
+	return rdb.Set(ctx, "channel:"+slug+":storage:auto_cleanup", val, 0).Err()
+}
+
+// dbIncrFileHashRefs increments the reference count for a file hash (dedup tracking).
+func dbIncrFileHashRefs(ctx context.Context, hash string) error {
+	return rdb.Incr(ctx, "file:hash:"+hash+":refs").Err()
+}
+
+// dbDecrFileHashRefs decrements ref count; returns new count.
+func dbDecrFileHashRefs(ctx context.Context, hash string) (int64, error) {
+	return rdb.Decr(ctx, "file:hash:"+hash+":refs").Result()
+}
diff --git a/backend/files.go b/backend/files.go
index 6b557dc..bda68ca 100644
--- a/backend/files.go
+++ b/backend/files.go
@@ -24,6 +24,57 @@ import (
 	"gopkg.in/yaml.v3"
 )
 
+// compressWithTinyPng compresses an image using the TinyPNG API.
+// Returns the compressed bytes, or the original bytes if compression fails or is not applicable.
+func compressWithTinyPng(ctx context.Context, apiKey string, data []byte, mimeType string) []byte {
+	// Only compress supported image types
+	switch mimeType {
+	case "image/png", "image/jpeg", "image/webp":
+	default:
+		return data
+	}
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodPost, "https://api.tinify.com/shrink", bytes.NewReader(data))
+	if err != nil {
+		return data
+	}
+	req.SetBasicAuth("api", apiKey)
+	req.Header.Set("Content-Type", mimeType)
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil || resp.StatusCode != http.StatusCreated {
+		return data
+	}
+	defer resp.Body.Close()
+
+	var result struct {
+		Output struct {
+			URL string `json:"url"`
+		} `json:"output"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&result); err != nil || result.Output.URL == "" {
+		return data
+	}
+
+	dlReq, err := http.NewRequestWithContext(ctx, http.MethodGet, result.Output.URL, nil)
+	if err != nil {
+		return data
+	}
+	dlReq.SetBasicAuth("api", apiKey)
+
+	dlResp, err := http.DefaultClient.Do(dlReq)
+	if err != nil || dlResp.StatusCode != http.StatusOK {
+		return data
+	}
+	defer dlResp.Body.Close()
+
+	compressed, err := io.ReadAll(dlResp.Body)
+	if err != nil || len(compressed) == 0 {
+		return data
+	}
+	return compressed
+}
+
 var rootUploadPath = "/app/files/"
 
 type FileResponse struct {
@@ -33,11 +84,13 @@ type FileResponse struct {
 }
 
 type FileMetadata struct {
-	ID       string `json:"id"`
-	Filename string `json:"filename"`
-	Hash     string `json:"hash"`
-	Type     string `json:"type"`
-	Delete   bool   `json:"delete"`
+	ID          string `json:"id"`
+	Filename    string `json:"filename"`
+	Hash        string `json:"hash"`
+	Type        string `json:"type"`
+	Delete      bool   `json:"delete"`
+	Size        int64  `json:"size"`        // bytes
+	ChannelSlug string `json:"channelSlug"` // which channel owns this file
 }
 
 var maxBytesReader *http.MaxBytesError
@@ -149,7 +202,6 @@ func uploadFile(w http.ResponseWriter, r *http.Request) {
 	}
 	defer file.Close()
 
-	// Read file into memory for hashing + type detection + upload
 	fileBytes, err := io.ReadAll(file)
 	if err != nil {
 		http.Error(w, "error", http.StatusInternalServerError)
@@ -158,10 +210,21 @@ func uploadFile(w http.ResponseWriter, r *http.Request) {
 
 	t, _ := filetype.Match(fileBytes[:min(512, len(fileBytes))])
 
-	// Compute SHA-256 hash
+	// Compress images with TinyPNG if the channel has an API key configured
+	if cfg.TinyPngApiKey != "" {
+		fileBytes = compressWithTinyPng(ctx, cfg.TinyPngApiKey, fileBytes, t.MIME.Value)
+	}
+
+	fileSize := int64(len(fileBytes))
 	hashBytes := sha256.Sum256(fileBytes)
 	fileHash := hex.EncodeToString(hashBytes[:])
 
+	// Quota check + auto-cleanup
+	if err := enforceStorageQuota(ctx, slug, fileSize); err != nil {
+		http.Error(w, err.Error(), http.StatusInsufficientStorage)
+		return
+	}
+
 	id := generatedRandomID(20)
 	if id == "" {
 		http.Error(w, "error", http.StatusInternalServerError)
@@ -174,16 +237,18 @@ func uploadFile(w http.ResponseWriter, r *http.Request) {
 		contentType = "application/octet-stream"
 	}
 
+	isNewHash := true
 	if r2Enabled {
 		key := r2ObjectKey(fileHash)
-		if !r2Exists(ctx, key) {
+		if r2Exists(ctx, key) {
+			isNewHash = false
+		} else {
 			if err := r2Upload(ctx, key, bytes.NewReader(fileBytes), contentType); err != nil {
 				http.Error(w, "error uploading file", http.StatusInternalServerError)
 				return
 			}
 		}
 	} else {
-		// Local storage
 		if err := os.MkdirAll(rootUploadPath, os.ModePerm); err != nil {
 			http.Error(w, "error", http.StatusInternalServerError)
 			return
@@ -194,26 +259,36 @@ func uploadFile(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 		destPath := filepath.Join(hashSubDir, fileHash)
-		if _, err := os.Stat(destPath); os.IsNotExist(err) {
+		if _, statErr := os.Stat(destPath); os.IsNotExist(statErr) {
 			if err := os.WriteFile(destPath, fileBytes, 0644); err != nil {
 				http.Error(w, "error", http.StatusInternalServerError)
 				return
 			}
+		} else {
+			isNewHash = false
 		}
 	}
+	_ = isNewHash
+
+	dbIncrFileHashRefs(ctx, fileHash)
 
 	meta := &FileMetadata{
-		ID:       id,
-		Filename: safeFilename,
-		Hash:     fileHash,
-		Type:     t.MIME.Type,
-		Delete:   false,
+		ID:          id,
+		Filename:    safeFilename,
+		Hash:        fileHash,
+		Type:        t.MIME.Type,
+		Delete:      false,
+		Size:        fileSize,
+		ChannelSlug: slug,
 	}
 	if err := dbSaveFileMetadata(ctx, meta); err != nil {
 		http.Error(w, "error", http.StatusInternalServerError)
 		return
 	}
 
+	dbIncrChannelStorageUsed(ctx, slug, fileSize)
+	dbAddChannelFile(ctx, slug, id, time.Now().Unix(), fileSize)
+
 	fileUrl := "/api/channel/" + slug + "/files/" + id
 
 	w.Header().Set("Content-Type", "application/json")
@@ -224,6 +299,71 @@ func uploadFile(w http.ResponseWriter, r *http.Request) {
 	})
 }
 
+// enforceStorageQuota checks quota and runs auto-cleanup if needed.
+// Returns error if quota is exceeded and auto-cleanup is disabled or insufficient.
+func enforceStorageQuota(ctx context.Context, slug string, newFileSize int64) error {
+	quota, err := dbGetEffectiveStorageQuota(ctx, slug)
+	if err != nil || quota == 0 {
+		return nil
+	}
+
+	used, err := dbGetChannelStorageUsed(ctx, slug)
+	if err != nil {
+		return nil
+	}
+
+	if used+newFileSize <= quota {
+		return nil // within quota
+	}
+
+	autoCleanup, _ := dbGetChannelAutoCleanup(ctx, slug)
+	if !autoCleanup {
+		return fmt.Errorf("storage quota exceeded (%d/%d bytes)", used, quota)
+	}
+
+	// Auto-cleanup: delete oldest files until we have enough space (target: 80% of quota)
+	target := int64(float64(quota) * 0.80)
+	needToFree := (used + newFileSize) - target
+
+	files, err := dbGetOldestChannelFiles(ctx, slug, 200)
+	if err != nil {
+		return fmt.Errorf("storage quota exceeded")
+	}
+
+	for _, f := range files {
+		if needToFree <= 0 {
+			break
+		}
+		deleteFileByID(ctx, slug, f.ID)
+		needToFree -= f.Size
+	}
+
+	return nil
+}
+
+// deleteFileByID marks a file as deleted, decrements storage counter, and removes from R2/disk if no more refs.
+func deleteFileByID(ctx context.Context, slug, fileID string) {
+	meta, err := dbGetFileMetadata(ctx, fileID)
+	if err != nil || meta.Delete {
+		return
+	}
+
+	meta.Delete = true
+	dbSaveFileMetadata(ctx, meta)
+	dbDecrChannelStorageUsed(ctx, slug, meta.Size)
+	dbRemoveChannelFile(ctx, slug, fileID)
+
+	// Decrement hash refs and delete from storage if no more references
+	refs, err := dbDecrFileHashRefs(ctx, meta.Hash)
+	if err == nil && refs <= 0 {
+		if r2Enabled {
+			r2Delete(ctx, r2ObjectKey(meta.Hash))
+		} else {
+			os.Remove(filepath.Join(rootUploadPath, meta.Hash[:2], meta.Hash[2:4], meta.Hash))
+		}
+	}
+}
+
 func generatedFileHash(file io.Reader) (string, error) {
 	hash := sha256.New()
 	if _, err := io.Copy(hash, file); err != nil {
diff --git a/backend/main.go b/backend/main.go
index 43d8b23..f4d0258 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -71,6 +71,10 @@ func main() {
 		r.Get("/magnet/config", getGlobalMagnetConfig)
 		r.Post("/magnet/config", setGlobalMagnetConfig)
 		r.Get("/magnet/stats", getMagnetStats)
+		r.Get("/storage/config", getSuperAdminStorageConfig)
+		r.Post("/storage/config", setSuperAdminStorageConfig)
+		r.Get("/channels/{slug}/storage", getSuperAdminChannelStorage)
+		r.Put("/channels/{slug}/storage", setSuperAdminChannelStorage)
 		r.Post("/statistics/reset", resetStatistics)
 	})
 
@@ -119,6 +123,8 @@ func main() {
 				r.Post("/settings/set", protectedWithChannelRole(RoleOwner, setSettings))
 				r.Get("/users/get", protectedWithChannelRole(RoleOwner, getChannelUsers))
 				r.Post("/users/set", protectedWithChannelRole(RoleOwner, setChannelUsers))
+				r.Get("/storage", protectedWithChannelRole(RoleOwner, getChannelStorageInfo))
+				r.Post("/storage/auto-cleanup", protectedWithChannelRole(RoleOwner, setChannelAutoCleanup))
 			})
 		})
 	})
diff --git a/backend/settings.go b/backend/settings.go
index 3ebc3d7..0158d10 100644
--- a/backend/settings.go
+++ b/backend/settings.go
@@ -50,6 +50,7 @@ type SettingConfig struct {
 	MagnetMinMessagesSince  int64
 	MagnetApiKey            string
 	AnalyticsHead           string
+	TinyPngApiKey           string
 }
 
 type Setting struct {
@@ -223,6 +224,9 @@ func (s *Settings) ToConfig() *SettingConfig {
 
 		case "analytics_head":
 			config.AnalyticsHead = setting.GetString()
+
+		case "tinypng_api_key":
+			config.TinyPngApiKey = setting.GetString()
 		}
 	}
 
diff --git a/backend/storage.go b/backend/storage.go
index fa52b66..e16cdd2 100644
--- a/backend/storage.go
+++ b/backend/storage.go
@@ -85,3 +85,12 @@ func r2Download(ctx context.Context, key string) (io.ReadCloser, *string, error)
 	}
 	return result.Body, result.ContentType, nil
 }
+
+// r2Delete removes an object from R2.
+func r2Delete(ctx context.Context, key string) error {
+	_, err := r2Client.DeleteObject(ctx, &s3.DeleteObjectInput{
+		Bucket: aws.String(r2Bucket),
+		Key:    aws.String(key),
+	})
+	return err
+}
diff --git a/backend/storage_handlers.go b/backend/storage_handlers.go
new file mode 100644
index 0000000..7055185
--- /dev/null
+++ b/backend/storage_handlers.go
@@ -0,0 +1,202 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"time"
+
+	"github.com/go-chi/chi"
+)
+
+// ─── Storage Info Response ────────────────────────────────────────────────────
+
+type StorageInfo struct {
+	UsedBytes   int64   `json:"usedBytes"`
+	QuotaBytes  int64   `json:"quotaBytes"`
+	UsedPercent float64 `json:"usedPercent"`
+	AutoCleanup bool    `json:"autoCleanup"`
+	// Warning levels: "ok" | "warning" (>80%) | "critical" (>90%)
+	Level string `json:"level"`
+}
+
+func buildStorageInfo(ctx context.Context, slug string) (*StorageInfo, error) {
+	quota, err := dbGetEffectiveStorageQuota(ctx, slug)
+	if err != nil {
+		return nil, err
+	}
+	used, err := dbGetChannelStorageUsed(ctx, slug)
+	if err != nil {
+		return nil, err
+	}
+	autoCleanup, _ := dbGetChannelAutoCleanup(ctx, slug)
+
+	var pct float64
+	if quota > 0 {
+		pct = float64(used) / float64(quota) * 100
+	}
+
+	level := "ok"
+	if pct >= 90 {
+		level = "critical"
+	} else if pct >= 80 {
+		level = "warning"
+	}
+
+	return &StorageInfo{
+		UsedBytes:   used,
+		QuotaBytes:  quota,
+		UsedPercent: pct,
+		AutoCleanup: autoCleanup,
+		Level:       level,
+	}, nil
+}
+
+// ─── Channel Owner Handlers ───────────────────────────────────────────────────
+
+// GET /api/channel/{slug}/admin/storage
+func getChannelStorageInfo(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	slug := channelSlugFromCtx(r)
+	info, err := buildStorageInfo(ctx, slug)
+	if err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(info)
+}
+
+// POST /api/channel/{slug}/admin/storage/auto-cleanup
+func setChannelAutoCleanup(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	slug := channelSlugFromCtx(r)
+
+	var req struct {
+		Enabled bool `json:"enabled"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+	defer r.Body.Close()
+
+	if err := dbSetChannelAutoCleanup(ctx, slug, req.Enabled); err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(Response{Success: true})
+}
+
+// ─── Super Admin Handlers ─────────────────────────────────────────────────────
+
+type GlobalStorageConfig struct {
+	DefaultQuotaGB float64 `json:"defaultQuotaGb"` // in GB for display
+}
+
+// GET /api/super-admin/storage/config
+func getSuperAdminStorageConfig(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	quotaBytes, err := dbGetGlobalStorageQuota(ctx)
+	if err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	cfg := GlobalStorageConfig{
+		DefaultQuotaGB: float64(quotaBytes) / (1024 * 1024 * 1024),
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(cfg)
+}
+
+// POST /api/super-admin/storage/config
+func setSuperAdminStorageConfig(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	var req GlobalStorageConfig
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+	defer r.Body.Close()
+
+	bytes := int64(req.DefaultQuotaGB * 1024 * 1024 * 1024)
+	if err := dbSetGlobalStorageQuota(ctx, bytes); err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(Response{Success: true})
+}
+
+type ChannelStorageConfig struct {
+	QuotaGB     float64     `json:"quotaGb"`     // 0 = use global
+	StorageInfo StorageInfo `json:"storageInfo"` // current usage
+}
+
+// GET /api/super-admin/channels/{slug}/storage
+func getSuperAdminChannelStorage(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	slug := chi.URLParam(r, "slug")
+
+	quotaBytes, err := dbGetChannelStorageQuota(ctx, slug)
+	if err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	info, err := buildStorageInfo(ctx, slug)
+	if err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	cfg := ChannelStorageConfig{
+		QuotaGB:     float64(quotaBytes) / (1024 * 1024 * 1024),
+		StorageInfo: *info,
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(cfg)
+}
+
+// PUT /api/super-admin/channels/{slug}/storage
+func setSuperAdminChannelStorage(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
+	defer cancel()
+
+	slug := chi.URLParam(r, "slug")
+
+	var req struct {
+		QuotaGB float64 `json:"quotaGb"` // 0 = use global
+	}
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, "Invalid request body", http.StatusBadRequest)
+		return
+	}
+	defer r.Body.Close()
+
+	bytes := int64(req.QuotaGB * 1024 * 1024 * 1024)
+	if err := dbSetChannelStorageQuota(ctx, slug, bytes); err != nil {
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(Response{Success: true})
+}
diff --git a/frontend/src/app/components/admin/admin-panel.component.html b/frontend/src/app/components/admin/admin-panel.component.html
index f4bfbe8..21f5abc 100644
--- a/frontend/src/app/components/admin/admin-panel.component.html
+++ b/frontend/src/app/components/admin/admin-panel.component.html
@@ -34,6 +34,9 @@
             @case (magnetAds) {
             <app-magnet-ads></app-magnet-ads>
             }
+            @case (storage) {
+            <app-channel-storage [slug]="channelSlug"></app-channel-storage>
+            }
             }
         </div>
     </nb-card-body>
diff --git a/frontend/src/app/components/admin/admin-panel.component.ts b/frontend/src/app/components/admin/admin-panel.component.ts
index 8305815..b64988f 100644
--- a/frontend/src/app/components/admin/admin-panel.component.ts
+++ b/frontend/src/app/components/admin/admin-panel.component.ts
@@ -1,5 +1,6 @@
 import { Component, OnInit } from "@angular/core";
 import { NbCardModule, NbLayoutModule, NbMenuItem, NbMenuModule, NbMenuService, NbSidebarModule } from "@nebular/theme";
+import { ChatService } from "../../services/chat.service";
 import { EmojisComponent } from "./emojis/emojis.component";
 import { SettingsComponent } from "./settings/settings.component";
 import { PrivilegDashboardComponent } from "./privileg-dashboard/privileg-dashboard.component";
@@ -7,6 +8,7 @@ import { ChannelInfoFormComponent } from "../channel/channel-info-form/channel-i
 import { ReportsComponent } from "./reports/reports.component";
 import { StatisticsComponent } from "./statistics/statistics.component";
 import { MagnetAdsComponent } from "./magnet-ads/magnet-ads.component";
+import { StorageComponent } from "./storage/storage.component";
 
 @Component({
   selector: 'admin-dashboard',
@@ -21,7 +23,8 @@ import { MagnetAdsComponent } from "./magnet-ads/magnet-ads.component";
     ChannelInfoFormComponent,
     ReportsComponent,
     StatisticsComponent,
-    MagnetAdsComponent
+    MagnetAdsComponent,
+    StorageComponent
 ],
   templateUrl: './admin-panel.component.html',
   styleUrls: ['./admin-panel.component.scss']
@@ -37,6 +40,7 @@ export class AdminPanelComponent implements OnInit {
   readonly allReports = "all-reports";
   readonly statistics = "statistics";
   readonly magnetAds = "magnet-ads";
+  readonly storage = "storage";
 
   selectedMenuItem = this.info;
 
@@ -66,6 +70,10 @@ export class AdminPanelComponent implements OnInit {
       title: 'שילוב פרסומות ממגנט',
       icon: 'pricetags-outline',
     },
+    {
+      title: 'אחסון',
+      icon: 'hard-drive-outline',
+    },
     {
       title: 'דיווחים',
       icon: 'alert-triangle-outline',
@@ -86,8 +94,13 @@ export class AdminPanelComponent implements OnInit {
     }
   ];
 
+  get channelSlug(): string {
+    return this.chatService.channelInfo?.slug ?? '';
+  }
+
   constructor(
-    private menuService: NbMenuService
+    private menuService: NbMenuService,
+    private chatService: ChatService
   ) { }
 
   ngOnInit(): void {
@@ -127,6 +140,9 @@ export class AdminPanelComponent implements OnInit {
         case 'pricetags-outline':
           this.selectedMenuItem = this.magnetAds;
           break;
+        case 'hard-drive-outline':
+          this.selectedMenuItem = this.storage;
+          break;
       }
     });
   }
diff --git a/frontend/src/app/components/admin/settings/settings.schema.ts b/frontend/src/app/components/admin/settings/settings.schema.ts
index c2e2c82..27ebc00 100644
--- a/frontend/src/app/components/admin/settings/settings.schema.ts
+++ b/frontend/src/app/components/admin/settings/settings.schema.ts
@@ -123,6 +123,20 @@ export const SETTINGS_SCHEMA: SettingsCategorySchema[] = [
       },
     ],
   },
+  {
+    id: 'storage',
+    title: 'אחסון ומדיה',
+    icon: 'hard-drive-outline',
+    fields: [
+      {
+        key: 'tinypng_api_key',
+        label: 'מפתח API של TinyPNG לכיווץ תמונות',
+        description: 'כשמוגדר מפתח, תמונות PNG/JPEG/WebP ייכוצו אוטומטית לפני העלאה לאחסון ויחסכו מקום. קבלו מפתח חינמי ב-tinypng.com.',
+        type: 'password',
+        placeholder: 'YOUR_TINYPNG_API_KEY',
+      },
+    ],
+  },
   {
     id: 'webhook',
     title: 'וובהוק (Webhook)',
diff --git a/frontend/src/app/components/admin/storage/storage.component.ts b/frontend/src/app/components/admin/storage/storage.component.ts
new file mode 100644
index 0000000..52c602b
--- /dev/null
+++ b/frontend/src/app/components/admin/storage/storage.component.ts
@@ -0,0 +1,122 @@
+import { Component, Input, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { FormsModule } from '@angular/forms';
+import {
+  NbCardModule, NbButtonModule, NbToggleModule,
+  NbProgressBarModule, NbToastrService, NbAlertModule, NbIconModule
+} from '@nebular/theme';
+import { HttpClient } from '@angular/common/http';
+import { firstValueFrom } from 'rxjs';
+
+interface StorageInfo {
+  usedBytes: number;
+  quotaBytes: number;
+  usedPercent: number;
+  autoCleanup: boolean;
+  level: 'ok' | 'warning' | 'critical';
+}
+
+@Component({
+  selector: 'app-channel-storage',
+  standalone: true,
+  imports: [
+    CommonModule, FormsModule,
+    NbCardModule, NbButtonModule, NbToggleModule,
+    NbProgressBarModule, NbAlertModule, NbIconModule
+  ],
+  template: `
+    <nb-card>
+      <nb-card-header>אחסון</nb-card-header>
+      <nb-card-body>
+        @if (info) {
+          <div class="mb-3">
+            <div class="d-flex justify-content-between mb-1">
+              <span>שימוש: {{ formatBytes(info.usedBytes) }}</span>
+              <span>מתוך: {{ formatBytes(info.quotaBytes) }}</span>
+            </div>
+            <nb-progress-bar
+              [value]="info.usedPercent"
+              [status]="progressStatus()"
+              [displayValue]="true">
+            </nb-progress-bar>
+          </div>
+
+          @if (info.level === 'critical') {
+            <nb-alert status="danger" closable class="mb-3">
+              <nb-icon icon="alert-triangle-outline"></nb-icon>
+              שטח האחסון כמעט מלא! פנה מקום או הפעל ניקוי אוטומטי.
+            </nb-alert>
+          } @else if (info.level === 'warning') {
+            <nb-alert status="warning" closable class="mb-3">
+              <nb-icon icon="alert-circle-outline"></nb-icon>
+              שטח האחסון מתמלא ({{ info.usedPercent | number:'1.0-0' }}%).
+            </nb-alert>
+          }
+
+          <div class="d-flex align-items-center gap-3">
+            <nb-toggle
+              [(ngModel)]="info.autoCleanup"
+              (change)="saveAutoCleanup()">
+              ניקוי אוטומטי של מדיה ישנה
+            </nb-toggle>
+            <small class="text-muted">
+              כשהאחסון עומד לעגמור, מוחק קבצים ישנים אוטומטית כדי לפנות מקום
+            </small>
+          </div>
+        } @else {
+          <p>טוען...</p>
+        }
+      </nb-card-body>
+    </nb-card>
+  `
+})
+export class StorageComponent implements OnInit {
+  @Input() slug!: string;
+
+  info?: StorageInfo;
+
+  constructor(private http: HttpClient, private toastr: NbToastrService) {}
+
+  ngOnInit() {
+    this.load();
+  }
+
+  async load() {
+    try {
+      this.info = await firstValueFrom(
+        this.http.get<StorageInfo>(`/api/channel/${this.slug}/admin/storage`)
+      );
+    } catch {
+      this.toastr.danger('שגיאה בטעינת מידע אחסון', 'שגיאה');
+    }
+  }
+
+  async saveAutoCleanup() {
+    if (!this.info) return;
+    try {
+      await firstValueFrom(this.http.post(
+        `/api/channel/${this.slug}/admin/storage/auto-cleanup`,
+        { enabled: this.info.autoCleanup }
+      ));
+      this.toastr.success('הגדרות נשמרו', 'אחסון');
+    } catch {
+      this.toastr.danger('שגיאה בשמירה', 'שגיאה');
+    }
+  }
+
+  progressStatus(): string {
+    if (!this.info) return 'primary';
+    if (this.info.level === 'critical') return 'danger';
+    if (this.info.level === 'warning') return 'warning';
+    return 'success';
+  }
+
+  formatBytes(bytes: number): string {
+    if (bytes === 0) return '0 B';
+    const gb = bytes / (1024 ** 3);
+    if (gb >= 1) return gb.toFixed(2) + ' GB';
+    const mb = bytes / (1024 ** 2);
+    if (mb >= 1) return mb.toFixed(1) + ' MB';
+    return (bytes / 1024).toFixed(0) + ' KB';
+  }
+}
diff --git a/frontend/src/app/components/super-admin/channels/channels-list.component.html b/frontend/src/app/components/super-admin/channels/channels-list.component.html
index 60f0531..a94e472 100644
--- a/frontend/src/app/components/super-admin/channels/channels-list.component.html
+++ b/frontend/src/app/components/super-admin/channels/channels-list.component.html
@@ -76,6 +76,11 @@
                     <nb-icon icon="people-outline"></nb-icon>
                     משתמשים
                   </button>
+                  <button nbButton status="warning" size="tiny" (click)="manageStorage.emit(channel.slug)"
+                    title="ניהול אחסון">
+                    <nb-icon icon="hard-drive-outline"></nb-icon>
+                    אחסון
+                  </button>
                   <button nbButton status="danger" size="tiny" (click)="deleteChannel(channel.slug)"
                     title="מחק ערוץ">
                     <nb-icon icon="trash-2-outline"></nb-icon>
diff --git a/frontend/src/app/components/super-admin/channels/channels-list.component.ts b/frontend/src/app/components/super-admin/channels/channels-list.component.ts
index 3c2451b..94a67d7 100644
--- a/frontend/src/app/components/super-admin/channels/channels-list.component.ts
+++ b/frontend/src/app/components/super-admin/channels/channels-list.component.ts
@@ -26,6 +26,7 @@ import { SuperAdminService, ChannelData } from '../../../services/super-admin.se
 export class ChannelsListComponent implements OnInit {
   @Output() editFeatures = new EventEmitter<string>();
   @Output() manageUsers = new EventEmitter<string>();
+  @Output() manageStorage = new EventEmitter<string>();
 
   channels: ChannelData[] = [];
   showCreateForm = false;
diff --git a/frontend/src/app/components/super-admin/global-storage/global-storage.component.ts b/frontend/src/app/components/super-admin/global-storage/global-storage.component.ts
new file mode 100644
index 0000000..20fe3cb
--- /dev/null
+++ b/frontend/src/app/components/super-admin/global-storage/global-storage.component.ts
@@ -0,0 +1,70 @@
+import { Component, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { FormsModule } from '@angular/forms';
+import {
+  NbCardModule, NbButtonModule, NbInputModule,
+  NbFormFieldModule, NbIconModule, NbToastrService
+} from '@nebular/theme';
+import { SuperAdminService } from '../../../services/super-admin.service';
+
+@Component({
+  selector: 'app-global-storage',
+  standalone: true,
+  imports: [
+    CommonModule, FormsModule,
+    NbCardModule, NbButtonModule, NbInputModule,
+    NbFormFieldModule, NbIconModule
+  ],
+  template: `
+    <nb-card>
+      <nb-card-header>הגדרות אחסון גלובליות</nb-card-header>
+      <nb-card-body>
+        <p class="text-muted mb-3">
+          ברירת המחדל הגלובלית לנפח אחסון לכל ערוץ. ניתן לשנות לכל ערוץ בנפרד מרשימת הערוצים.
+        </p>
+        <div class="d-flex align-items-center gap-3">
+          <nb-form-field>
+            <nb-icon nbPrefix icon="hard-drive-outline"></nb-icon>
+            <input nbInput type="number" min="1" step="1"
+                  [(ngModel)]="defaultQuotaGb"
+                  placeholder="נפח ברירת מחדל (GB)">
+          </nb-form-field>
+          <span class="text-muted">GB לכל ערוץ</span>
+          <button nbButton status="primary" (click)="save()" [disabled]="saving">
+            {{ saving ? 'שומר...' : 'שמור' }}
+          </button>
+        </div>
+      </nb-card-body>
+    </nb-card>
+  `
+})
+export class GlobalStorageComponent implements OnInit {
+  defaultQuotaGb = 5;
+  saving = false;
+
+  constructor(
+    private superAdminService: SuperAdminService,
+    private toastr: NbToastrService
+  ) {}
+
+  async ngOnInit() {
+    try {
+      const cfg = await this.superAdminService.getGlobalStorageConfig();
+      this.defaultQuotaGb = cfg.defaultQuotaGb;
+    } catch {
+      this.toastr.danger('שגיאה בטעינת הגדרות אחסון', 'שגיאה');
+    }
+  }
+
+  async save() {
+    this.saving = true;
+    try {
+      await this.superAdminService.setGlobalStorageConfig(this.defaultQuotaGb);
+      this.toastr.success('הגדרות אחסון נשמרו', 'אחסון');
+    } catch {
+      this.toastr.danger('שגיאה בשמירה', 'שגיאה');
+    } finally {
+      this.saving = false;
+    }
+  }
+}
diff --git a/frontend/src/app/components/super-admin/storage/super-admin-storage.component.ts b/frontend/src/app/components/super-admin/storage/super-admin-storage.component.ts
new file mode 100644
index 0000000..3a185a0
--- /dev/null
+++ b/frontend/src/app/components/super-admin/storage/super-admin-storage.component.ts
@@ -0,0 +1,115 @@
+import { Component, Input, OnInit, OnChanges } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { FormsModule } from '@angular/forms';
+import {
+  NbCardModule, NbButtonModule, NbInputModule,
+  NbFormFieldModule, NbProgressBarModule, NbToastrService, NbAlertModule, NbIconModule
+} from '@nebular/theme';
+import { SuperAdminService } from '../../../services/super-admin.service';
+
+interface ChannelStorageConfig {
+  quotaGb: number;
+  storageInfo: {
+    usedBytes: number;
+    quotaBytes: number;
+    usedPercent: number;
+    autoCleanup: boolean;
+    level: string;
+  };
+}
+
+@Component({
+  selector: 'app-super-admin-storage',
+  standalone: true,
+  imports: [
+    CommonModule, FormsModule,
+    NbCardModule, NbButtonModule, NbInputModule,
+    NbFormFieldModule, NbProgressBarModule, NbAlertModule, NbIconModule
+  ],
+  template: `
+    <nb-card>
+      <nb-card-header>אחסון — {{ slug }}</nb-card-header>
+      <nb-card-body>
+        @if (config) {
+          <!-- Usage bar -->
+          <div class="mb-3">
+            <div class="d-flex justify-content-between mb-1">
+              <span>{{ formatBytes(config.storageInfo.usedBytes) }} בשימוש</span>
+              <span>מתוך {{ formatBytes(config.storageInfo.quotaBytes) }}</span>
+            </div>
+            <nb-progress-bar
+              [value]="config.storageInfo.usedPercent"
+              [status]="progressStatus(config.storageInfo.level)"
+              [displayValue]="true">
+            </nb-progress-bar>
+            @if (config.storageInfo.autoCleanup) {
+              <small class="text-muted">ניקוי אוטומטי פעיל</small>
+            }
+          </div>
+
+          <!-- Quota override -->
+          <div class="d-flex align-items-center gap-3">
+            <nb-form-field>
+              <nb-icon nbPrefix icon="hard-drive-outline"></nb-icon>
+              <input nbInput type="number" min="0" step="0.5"
+                    [(ngModel)]="config.quotaGb"
+                    placeholder="GB (0 = ברירת מחדל גלובלית)">
+            </nb-form-field>
+            <span class="text-muted">GB (0 = ברירת מחדל גלובלית)</span>
+            <button nbButton status="primary" size="small" (click)="save()">שמור</button>
+          </div>
+        } @else {
+          <p>טוען...</p>
+        }
+      </nb-card-body>
+    </nb-card>
+  `
+})
+export class SuperAdminStorageComponent implements OnInit, OnChanges {
+  @Input() slug!: string;
+
+  config?: ChannelStorageConfig;
+
+  constructor(
+    private superAdminService: SuperAdminService,
+    private toastr: NbToastrService
+  ) {}
+
+  ngOnInit() { this.load(); }
+  ngOnChanges() { this.load(); }
+
+  async load() {
+    if (!this.slug) return;
+    try {
+      this.config = await this.superAdminService.getChannelStorage(this.slug);
+    } catch {
+      this.toastr.danger('שגיאה בטעינת מידע אחסון', 'שגיאה');
+    }
+  }
+
+  async save() {
+    if (!this.config) return;
+    try {
+      await this.superAdminService.setChannelStorage(this.slug, this.config.quotaGb);
+      this.toastr.success('קוטה עודכנה', 'אחסון');
+      this.load();
+    } catch {
+      this.toastr.danger('שגיאה בשמירה', 'שגיאה');
+    }
+  }
+
+  progressStatus(level: string): string {
+    if (level === 'critical') return 'danger';
+    if (level === 'warning') return 'warning';
+    return 'success';
+  }
+
+  formatBytes(bytes: number): string {
+    if (!bytes) return '0 B';
+    const gb = bytes / (1024 ** 3);
+    if (gb >= 1) return gb.toFixed(2) + ' GB';
+    const mb = bytes / (1024 ** 2);
+    if (mb >= 1) return mb.toFixed(1) + ' MB';
+    return (bytes / 1024).toFixed(0) + ' KB';
+  }
+}
diff --git a/frontend/src/app/components/super-admin/super-admin-panel.component.html b/frontend/src/app/components/super-admin/super-admin-panel.component.html
index e109133..d5289af 100644
--- a/frontend/src/app/components/super-admin/super-admin-panel.component.html
+++ b/frontend/src/app/components/super-admin/super-admin-panel.component.html
@@ -6,7 +6,7 @@
     <div class="vr text-black-50 mx-3"></div>
 
     <div class="flex-grow-1 overflow-auto">
-      @if (selectedView === VIEW_CHANNEL_FEATURES || selectedView === VIEW_CHANNEL_USERS) {
+      @if (selectedView === VIEW_CHANNEL_FEATURES || selectedView === VIEW_CHANNEL_USERS || selectedView === VIEW_CHANNEL_STORAGE) {
         <div class="mb-3">
           <button class="btn btn-sm btn-outline-secondary" (click)="backToChannels()">
             ← חזרה לרשימת הערוצים
@@ -18,7 +18,8 @@
         @case (VIEW_CHANNELS) {
           <app-channels-list
             (editFeatures)="onEditFeatures($event)"
-            (manageUsers)="onManageUsers($event)">
+            (manageUsers)="onManageUsers($event)"
+            (manageStorage)="onManageStorage($event)">
           </app-channels-list>
         }
         @case (VIEW_CHANNEL_FEATURES) {
@@ -27,6 +28,12 @@
         @case (VIEW_CHANNEL_USERS) {
           <app-channel-users [slug]="selectedChannelSlug"></app-channel-users>
         }
+        @case (VIEW_CHANNEL_STORAGE) {
+          <app-super-admin-storage [slug]="selectedChannelSlug"></app-super-admin-storage>
+        }
+        @case (VIEW_GLOBAL_STORAGE) {
+          <app-global-storage></app-global-storage>
+        }
         @case (VIEW_ADS) {
           <app-global-ads></app-global-ads>
         }
diff --git a/frontend/src/app/components/super-admin/super-admin-panel.component.ts b/frontend/src/app/components/super-admin/super-admin-panel.component.ts
index 786e159..382c942 100644
--- a/frontend/src/app/components/super-admin/super-admin-panel.component.ts
+++ b/frontend/src/app/components/super-admin/super-admin-panel.component.ts
@@ -16,8 +16,10 @@ import { GlobalMagnetComponent } from './global-magnet/global-magnet.component';
 import { GlobalUsersComponent } from './global-users/global-users.component';
 import { GlobalSettingsComponent } from './global-settings/global-settings.component';
 import { SuperAdminStatisticsComponent } from './statistics/super-admin-statistics.component';
+import { SuperAdminStorageComponent } from './storage/super-admin-storage.component';
+import { GlobalStorageComponent } from './global-storage/global-storage.component';
 
-type ViewName = 'channels' | 'channel-features' | 'channel-users' | 'ads' | 'magnet' | 'users' | 'settings' | 'statistics';
+type ViewName = 'channels' | 'channel-features' | 'channel-users' | 'channel-storage' | 'ads' | 'magnet' | 'users' | 'settings' | 'statistics' | 'global-storage';
 
 @Component({
   selector: 'app-super-admin-panel',
@@ -36,6 +38,8 @@ type ViewName = 'channels' | 'channel-features' | 'channel-users' | 'ads' | 'mag
     GlobalUsersComponent,
     GlobalSettingsComponent,
     SuperAdminStatisticsComponent,
+    SuperAdminStorageComponent,
+    GlobalStorageComponent,
   ],
   templateUrl: './super-admin-panel.component.html',
   styleUrl: './super-admin-panel.component.scss',
@@ -49,16 +53,19 @@ export class SuperAdminPanelComponent implements OnInit {
   readonly VIEW_CHANNELS: ViewName = 'channels';
   readonly VIEW_CHANNEL_FEATURES: ViewName = 'channel-features';
   readonly VIEW_CHANNEL_USERS: ViewName = 'channel-users';
+  readonly VIEW_CHANNEL_STORAGE: ViewName = 'channel-storage';
   readonly VIEW_ADS: ViewName = 'ads';
   readonly VIEW_MAGNET: ViewName = 'magnet';
   readonly VIEW_USERS: ViewName = 'users';
   readonly VIEW_SETTINGS: ViewName = 'settings';
   readonly VIEW_STATISTICS: ViewName = 'statistics';
+  readonly VIEW_GLOBAL_STORAGE: ViewName = 'global-storage';
 
   navigationMenu: NbMenuItem[] = [
     { title: 'ערוצים', icon: 'list-outline', selected: true },
     { title: 'פרסומות iframe', icon: 'film-outline' },
     { title: 'פרסומות מגנט', icon: 'pricetags-outline' },
+    { title: 'אחסון גלובלי', icon: 'hard-drive-outline' },
     { title: 'משתמשים', icon: 'people-outline' },
     { title: 'הגדרות גלובליות', icon: 'settings-2-outline' },
     { title: 'סטטיסטיקות', icon: 'bar-chart-outline' },
@@ -88,6 +95,10 @@ export class SuperAdminPanelComponent implements OnInit {
         case 'settings-2-outline':
           this.selectedView = this.VIEW_SETTINGS;
           break;
+        case 'hard-drive-outline':
+          this.selectedView = this.VIEW_GLOBAL_STORAGE;
+          this.selectedChannelSlug = '';
+          break;
         case 'bar-chart-outline':
           this.selectedView = this.VIEW_STATISTICS;
           break;
@@ -105,6 +116,11 @@ export class SuperAdminPanelComponent implements OnInit {
     this.selectedView = this.VIEW_CHANNEL_USERS;
   }
 
+  onManageStorage(slug: string) {
+    this.selectedChannelSlug = slug;
+    this.selectedView = this.VIEW_CHANNEL_STORAGE;
+  }
+
   backToChannels() {
     this.selectedView = this.VIEW_CHANNELS;
     this.selectedChannelSlug = '';
diff --git a/frontend/src/app/models/channel.model.ts b/frontend/src/app/models/channel.model.ts
index 8efc8e3..a21cddc 100644
--- a/frontend/src/app/models/channel.model.ts
+++ b/frontend/src/app/models/channel.model.ts
@@ -1,5 +1,6 @@
 export interface Channel {
   id?: number;
+  slug?: string;
   name?: string;
   description?: string;
   created_at?: string;
diff --git a/frontend/src/app/services/super-admin.service.ts b/frontend/src/app/services/super-admin.service.ts
index b73b9b8..fa4abbe 100644
--- a/frontend/src/app/services/super-admin.service.ts
+++ b/frontend/src/app/services/super-admin.service.ts
@@ -141,4 +141,20 @@ export class SuperAdminService {
   resetStatistics(): Promise<void> {
     return firstValueFrom(this.http.post<void>('/api/super-admin/statistics/reset', {}));
   }
+
+  getGlobalStorageConfig(): Promise<{ defaultQuotaGb: number }> {
+    return firstValueFrom(this.http.get<{ defaultQuotaGb: number }>('/api/super-admin/storage/config'));
+  }
+
+  setGlobalStorageConfig(defaultQuotaGb: number): Promise<void> {
+    return firstValueFrom(this.http.post<void>('/api/super-admin/storage/config', { defaultQuotaGb }));
+  }
+
+  getChannelStorage(slug: string): Promise<any> {
+    return firstValueFrom(this.http.get<any>(`/api/super-admin/channels/${slug}/storage`));
+  }
+
+  setChannelStorage(slug: string, quotaGb: number): Promise<void> {
+    return firstValueFrom(this.http.put<void>(`/api/super-admin/channels/${slug}/storage`, { quotaGb }));
+  }
 }

From 8fc53e7a75ac8d77bc326e18a4e8328f05bcbf74 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 17 May 2026 18:28:05 +0000
Subject: [PATCH 27/60] Add CHANGELOG.md documenting the multi-tenant system

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 CHANGELOG.md | 265 +++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 265 insertions(+)
 create mode 100644 CHANGELOG.md

diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000..62d25c4
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,265 @@
+# TheChannel — Multi-Tenant System — Change Log
+
+## Overview
+
+This document describes all changes made to transform TheChannel from a single-channel application into a **multi-tenant platform** where each user can own a private channel, with a central super-admin panel for full control.
+
+---
+
+## Architecture Changes
+
+### Multi-Tenant Backend (Go)
+
+All data is now stored with per-channel Redis key prefixes:
+
+| Old key pattern | New key pattern |
+|---|---|
+| `messages:{id}` | `channel:{slug}:messages:{id}` |
+| `m_times` | `channel:{slug}:m_times` |
+| `settings:list` | `channel:{slug}:settings` |
+| (none) | `global:settings` (FCM/VAPID) |
+
+A single Go backend instance and a single Redis/Kvrocks instance serve **all channels**. No new CapRover projects needed per channel.
+
+---
+
+## New Files
+
+### Backend
+
+| File | Description |
+|---|---|
+| `backend/channels.go` | Channel CRUD, features management, middleware |
+| `backend/storage.go` | Cloudflare R2 client (`initR2`, `r2Upload`, `r2Download`, `r2Delete`, `r2Exists`) |
+| `backend/storage_handlers.go` | Storage quota HTTP handlers for channel admin and super admin |
+
+### Frontend
+
+| File | Description |
+|---|---|
+| `frontend/src/app/guards/super-admin.guard.ts` | Route guard for `/super-admin` — only allows `globalRole === 'super_admin'` |
+| `frontend/src/app/services/super-admin.service.ts` | All super admin API calls |
+| `frontend/src/app/components/super-admin/super-admin-panel.component.*` | Main super admin shell |
+| `frontend/src/app/components/super-admin/channels/channels-list.component.*` | Channel list with CRUD actions |
+| `frontend/src/app/components/super-admin/channels/channel-features.component.*` | Per-channel feature toggles (12 features) |
+| `frontend/src/app/components/super-admin/channels/channel-users.component.*` | Per-channel user/role management |
+| `frontend/src/app/components/super-admin/global-ads/global-ads.component.*` | Global iframe-ads config + lock |
+| `frontend/src/app/components/super-admin/global-magnet/global-magnet.component.*` | Global Magnet ads config + frequency + lock |
+| `frontend/src/app/components/super-admin/global-users/global-users.component.*` | Read-only global user list with roles |
+| `frontend/src/app/components/super-admin/global-settings/global-settings.component.*` | Global key-value settings editor (FCM/VAPID) |
+| `frontend/src/app/components/super-admin/statistics/super-admin-statistics.component.*` | Magnet stats + statistics reset |
+| `frontend/src/app/components/super-admin/storage/super-admin-storage.component.ts` | Per-channel storage quota + usage bar (super admin view) |
+| `frontend/src/app/components/super-admin/global-storage/global-storage.component.ts` | Global default storage quota editor |
+| `frontend/src/app/components/admin/storage/storage.component.ts` | Channel admin storage view — usage bar, warnings, auto-cleanup toggle |
+
+---
+
+## Modified Files
+
+### Backend
+
+#### `backend/privileges.go` — Complete rewrite
+- New role system: `GlobalRole` (`super_admin`) and `ChannelRole` (`owner`, `moderator`, `writer`)
+- `User` struct now holds `GlobalRole` and `ChannelRoles map[string]ChannelRole`
+- Middleware: `requireSuperAdmin`, `protectedWithChannelRole`
+
+#### `backend/auth.go`
+- `Session` struct updated with `GlobalRole` and `ChannelRoles`
+- `registeringEmail(slug, email string)` — `slug=""` registers globally, slug set registers into a channel
+
+#### `backend/db.go` — Complete rewrite
+- All message/settings functions are now channel-scoped (slug prefix)
+- Channel CRUD: `dbCreateChannel`, `dbGetChannel`, `dbListChannels`, `dbDeleteChannel`, `dbSetChannelFeatures`, `dbAssignChannelRole`
+- Storage quota functions:
+  - `dbGetGlobalStorageQuota` / `dbSetGlobalStorageQuota`
+  - `dbGetChannelStorageQuota` / `dbSetChannelStorageQuota` (0 = use global)
+  - `dbGetEffectiveStorageQuota` (returns channel-specific or global default)
+  - `dbGetChannelStorageUsed` / `dbIncrChannelStorageUsed` / `dbDecrChannelStorageUsed`
+  - `dbAddChannelFile` / `dbRemoveChannelFile` (sorted set by upload timestamp)
+  - `dbGetOldestChannelFiles` (for auto-cleanup)
+  - `dbGetChannelAutoCleanup` / `dbSetChannelAutoCleanup`
+  - `dbIncrFileHashRefs` / `dbDecrFileHashRefs` (deduplication reference counter)
+- Global ads/magnet config storage: `dbGetGlobalMagnetConfig`, `dbSetGlobalMagnetConfig`, `dbGetGlobalAdsConfig`, `dbSetGlobalAdsConfig`
+
+#### `backend/files.go`
+- `FileMetadata` struct: added `Size int64` and `ChannelSlug string`
+- `dbSaveFileMetadata` / `dbGetFileMetadata` — now uses Redis JSON; YAML fallback for legacy local files
+- `uploadFile` — reads bytes to memory, checks quota, deduplicates by SHA-256 hash, increments ref counter, tracks in channel sorted set
+- `enforceStorageQuota` — checks quota before upload; runs auto-cleanup (target: 80% usage) if enabled
+- `deleteFileByID` — marks deleted, decrements storage counter, removes from R2/disk only when refs reach 0
+- **TinyPNG integration**: `compressWithTinyPng(ctx, apiKey, data, mimeType)` — compresses PNG/JPEG/WebP via TinyPNG API before upload if `tinypng_api_key` is set in channel settings
+
+#### `backend/settings.go`
+- `SettingConfig` struct: added `TinyPngApiKey string`
+- `ToConfig()`: added `"tinypng_api_key"` case
+
+#### `backend/ads.go`
+- `isChannelMagnetLocked` / `isChannelAdsLocked` — checks if super admin locked ads for this channel
+- `getMagnetAdsSettings` / `getAdsSettings` — returns global config if locked, channel config otherwise
+- `getGlobalMagnetConfig` / `setGlobalMagnetConfig` — super admin global Magnet config
+- `getGlobalAdsConfig` / `setGlobalAdsConfig` — super admin global iframe-ads config
+- `syncMagnetLockFlags` / `syncAdsLockFlags` — goroutines that update `MagnetLockedByAdmin`/`AdsLockedByAdmin` on all channels when global config changes
+
+#### `backend/main.go` — Full routing rewrite
+
+```
+/auth/google
+/auth/login
+/auth/logout
+/api/user-info
+
+/api/super-admin/*  (login + requireSuperAdmin)
+  GET  /channels
+  POST /channels/create
+  GET  /channels/{slug}
+  DELETE /channels/{slug}
+  PUT  /channels/{slug}/features
+  GET  /channels/{slug}/users
+  POST /channels/{slug}/users
+  GET  /channels/{slug}/storage
+  PUT  /channels/{slug}/storage
+  GET  /users/list
+  POST /users/set
+  GET  /global-settings/get
+  POST /global-settings/set
+  GET  /ads/config
+  POST /ads/config
+  GET  /magnet/config
+  POST /magnet/config
+  GET  /magnet/stats
+  GET  /storage/config
+  POST /storage/config
+  POST /statistics/reset
+
+/api/channel/{slug}/import/post  (API key auth)
+
+/api/channel/{slug}/*  (channelMiddleware + channelIfRequireAuth)
+  GET  /info
+  GET  /messages
+  GET  /events
+  GET  /files/{fileid}
+  POST /files
+  GET  /emojis/list
+  GET  /notifications-config
+  GET  /ads/settings
+  GET  /ads/magnet
+  (login required):
+    POST /notifications-subscribe
+    POST /reactions/set-reactions
+    POST /messages/report
+    GET  /user-info
+
+  /admin/*  (channel owner+)
+    PUT  /info
+    POST /messages
+    PUT  /messages/{id}
+    DELETE /messages/{id}
+    POST /emojis
+    GET/POST /settings
+    GET/POST /users
+    GET/PUT  /storage
+    POST /storage/auto-cleanup
+    GET/PUT  /scheduled-messages
+    GET  /statistics
+    GET/POST /reports
+```
+
+### Frontend
+
+#### `frontend/src/app/models/channel.model.ts`
+- Added `slug?: string` field
+
+#### `frontend/src/app/models/user.model.ts`
+- Added `globalRole: string` and `channelRoles: Record<string, string>`
+
+#### `frontend/src/app/app.routes.ts`
+- Added `/super-admin` route guarded by `AuthGuard` + `SuperAdminGuard`
+
+#### `frontend/src/app/components/admin/admin-panel.component.ts`
+- Added `StorageComponent` import
+- Added `"אחסון"` menu item with `hard-drive-outline` icon
+- Added `readonly storage = "storage"` constant
+- Added `channelSlug` getter via `ChatService`
+- Added `case 'hard-drive-outline'` in menu switch
+
+#### `frontend/src/app/components/admin/admin-panel.component.html`
+- Added `@case (storage)` rendering `<app-channel-storage [slug]="channelSlug">`
+
+#### `frontend/src/app/components/admin/settings/settings.schema.ts`
+- Added new category **"אחסון ומדיה"** with `tinypng_api_key` field (password type)
+
+---
+
+## Features Added
+
+### 1. Multi-Tenant Channels
+- Each user gets their own private channel with a unique slug
+- Single Go + Redis instance serves all channels
+- No CapRover project needed per channel
+
+### 2. Role System
+- **GlobalRole**: `super_admin`
+- **ChannelRole**: `owner` > `moderator` > `writer`
+- All API routes protected with appropriate role middleware
+
+### 3. Super Admin Panel (`/super-admin`)
+- Accessible only to users with `globalRole: "super_admin"`
+- **Channels**: List all channels, create, delete, edit features, manage users, manage storage
+- **Iframe Ads**: Global iframe-ad src/width with option to lock all channels or specific channels
+- **Magnet Ads**: Global Magnet config (snippet, mode, frequency settings) with lock option
+- **Global Storage**: Set the default storage quota (GB) for all channels
+- **Users**: Read-only list of all users with their global and channel roles
+- **Global Settings**: FCM/VAPID key-value editor
+- **Statistics**: View Magnet stats, reset all statistics
+
+### 4. Storage Quota System
+- Super admin sets a **global default quota** (default: 5 GB per channel)
+- Super admin can **override per-channel** from the channels list → "אחסון"
+- Channel owners see **usage bar** with color-coded status:
+  - Green (`ok`): < 80% used
+  - Orange (`warning`): 80–90% used
+  - Red (`critical`): > 90% used
+- **Auto-cleanup toggle**: When enabled, automatically deletes oldest files to reach 80% usage before new uploads, ensuring uploads always succeed
+- File deduplication: identical files (same SHA-256 hash) share one physical copy; storage only freed when last reference is removed
+
+### 5. Cloudflare R2 Storage
+- All media uploads go to R2 (S3-compatible)
+- Local disk used as fallback when R2 is not configured
+- Configure via environment variables: `R2_ACCOUNT_ID`, `R2_ACCESS_KEY_ID`, `R2_SECRET_ACCESS_KEY`, `R2_BUCKET_NAME`, `R2_PUBLIC_URL`
+- Files stored at path: `files/{hash[0:2]}/{hash[2:4]}/{hash}`
+
+### 6. TinyPNG Image Compression
+- Channel owners add their TinyPNG API key in **Admin → הגדרות → אחסון ומדיה**
+- When set, PNG/JPEG/WebP images are automatically compressed via TinyPNG API **before** upload
+- Compressed file is what gets stored and counted toward quota — saves significant space
+- Falls back silently to original file if compression fails or API is unavailable
+- Non-image files (video, documents, etc.) are never sent to TinyPNG
+
+### 7. Global Ads Override
+- Super admin can push **global iframe-ads** settings to all channels or specific channels
+- Super admin can push **global Magnet ads** settings (including frequency controls) to all channels or specific channels
+- Locked channels display the global config and cannot be overridden by channel owners
+
+---
+
+## Environment Variables
+
+Add to your `.env` / CapRover environment:
+
+```
+# Cloudflare R2
+R2_ACCOUNT_ID=your_account_id
+R2_ACCESS_KEY_ID=your_access_key_id
+R2_SECRET_ACCESS_KEY=your_secret_access_key
+R2_BUCKET_NAME=your_bucket_name
+R2_PUBLIC_URL=https://pub-xxxx.r2.dev   # optional, for direct CDN links
+```
+
+---
+
+## Dependencies Added
+
+### Go (`backend/go.mod`)
+- `github.com/aws/aws-sdk-go-v2` — AWS SDK v2 (used for R2 via S3-compatible API)
+- `github.com/aws/aws-sdk-go-v2/credentials`
+- `github.com/aws/aws-sdk-go-v2/service/s3`

From 3680779a261a57831c35d77497d8727cbf5e734a Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Sun, 17 May 2026 18:38:45 +0000
Subject: [PATCH 28/60] Add public landing page with channel request flow
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Public landing page at '/' with hero, how-it-works, features, and request form
- Route '/' is now the landing page; '/channel' is the auth-guarded channel app
- Visitors fill out a form (name, email, desired slug, description)
- Backend stores requests in Redis, exposed via GET /api/super-admin/channel-requests
- Super admin can approve (auto-creates channel + assigns owner) or reject requests
- Approval shows slug, owner email, and the channel link to copy and send manually
- Login redirects super_admin → /super-admin, others → /channel
- Logout navigates back to the landing page
- Super admin panel: new 'בקשות לערוצים' menu item with inline approve/reject table

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 backend/channel_requests.go                   | 229 ++++++++++++++++
 backend/main.go                               |  12 +
 frontend/src/app/app.routes.ts                |   6 +-
 .../channel-header.component.ts               |  14 +-
 .../landing/landing-page.component.scss       |  56 ++++
 .../landing/landing-page.component.ts         | 253 ++++++++++++++++++
 .../app/components/login/login.component.ts   |  19 +-
 .../channel-requests.component.ts             | 246 +++++++++++++++++
 .../super-admin-panel.component.html          |   3 +
 .../super-admin-panel.component.ts            |  10 +-
 .../app/services/channel-request.service.ts   |  36 +++
 .../src/app/services/super-admin.service.ts   |  31 +++
 12 files changed, 893 insertions(+), 22 deletions(-)
 create mode 100644 backend/channel_requests.go
 create mode 100644 frontend/src/app/components/landing/landing-page.component.scss
 create mode 100644 frontend/src/app/components/landing/landing-page.component.ts
 create mode 100644 frontend/src/app/components/super-admin/channel-requests/channel-requests.component.ts
 create mode 100644 frontend/src/app/services/channel-request.service.ts

diff --git a/backend/channel_requests.go b/backend/channel_requests.go
new file mode 100644
index 0000000..f1c8533
--- /dev/null
+++ b/backend/channel_requests.go
@@ -0,0 +1,229 @@
+package main
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"time"
+
+	"github.com/go-chi/chi"
+	"github.com/redis/go-redis/v9"
+)
+
+type RequestStatus string
+
+const (
+	RequestStatusPending  RequestStatus = "pending"
+	RequestStatusApproved RequestStatus = "approved"
+	RequestStatusRejected RequestStatus = "rejected"
+)
+
+type ChannelRequest struct {
+	ID           string        `json:"id"`
+	Name         string        `json:"name"`
+	Email        string        `json:"email"`
+	DesiredSlug  string        `json:"desiredSlug"`
+	Description  string        `json:"description"`
+	Status       RequestStatus `json:"status"`
+	Notes        string        `json:"notes"`        // admin notes / rejection reason
+	ApprovedSlug string        `json:"approvedSlug"` // final slug after approval
+	CreatedAt    time.Time     `json:"createdAt"`
+}
+
+func dbSaveChannelRequest(ctx context.Context, req *ChannelRequest) error {
+	data, err := json.Marshal(req)
+	if err != nil {
+		return err
+	}
+	if err := rdb.Set(ctx, "channel_request:"+req.ID, data, 0).Err(); err != nil {
+		return err
+	}
+	return rdb.ZAdd(ctx, "channel_requests:list", redis.Z{
+		Score:  float64(req.CreatedAt.Unix()),
+		Member: req.ID,
+	}).Err()
+}
+
+func dbGetChannelRequest(ctx context.Context, id string) (*ChannelRequest, error) {
+	data, err := rdb.Get(ctx, "channel_request:"+id).Result()
+	if err != nil {
+		return nil, err
+	}
+	var req ChannelRequest
+	if err := json.Unmarshal([]byte(data), &req); err != nil {
+		return nil, err
+	}
+	return &req, nil
+}
+
+func dbListChannelRequests(ctx context.Context) ([]*ChannelRequest, error) {
+	ids, err := rdb.ZRevRange(ctx, "channel_requests:list", 0, -1).Result()
+	if err != nil {
+		return nil, err
+	}
+	requests := make([]*ChannelRequest, 0, len(ids))
+	for _, id := range ids {
+		req, err := dbGetChannelRequest(ctx, id)
+		if err != nil {
+			continue
+		}
+		requests = append(requests, req)
+	}
+	return requests, nil
+}
+
+// POST /api/channel-request (public)
+func submitChannelRequest(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	var body struct {
+		Name        string `json:"name"`
+		Email       string `json:"email"`
+		DesiredSlug string `json:"desiredSlug"`
+		Description string `json:"description"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		http.Error(w, "invalid request body", http.StatusBadRequest)
+		return
+	}
+	if body.Name == "" || body.Email == "" || body.DesiredSlug == "" {
+		http.Error(w, "name, email, and desiredSlug are required", http.StatusBadRequest)
+		return
+	}
+
+	req := &ChannelRequest{
+		ID:          generatedRandomID(12),
+		Name:        body.Name,
+		Email:       body.Email,
+		DesiredSlug: body.DesiredSlug,
+		Description: body.Description,
+		Status:      RequestStatusPending,
+		CreatedAt:   time.Now(),
+	}
+
+	if err := dbSaveChannelRequest(ctx, req); err != nil {
+		http.Error(w, "error saving request", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]string{"status": "ok", "id": req.ID})
+}
+
+// GET /api/super-admin/channel-requests
+func listChannelRequests(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	requests, err := dbListChannelRequests(ctx)
+	if err != nil {
+		requests = []*ChannelRequest{}
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(requests)
+}
+
+// POST /api/super-admin/channel-requests/{id}/approve
+func approveChannelRequest(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+	defer cancel()
+
+	id := chi.URLParam(r, "id")
+
+	var body struct {
+		Slug  string `json:"slug"`
+		Notes string `json:"notes"`
+	}
+	if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+		http.Error(w, "invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	req, err := dbGetChannelRequest(ctx, id)
+	if err != nil {
+		http.Error(w, "request not found", http.StatusNotFound)
+		return
+	}
+
+	finalSlug := body.Slug
+	if finalSlug == "" {
+		finalSlug = req.DesiredSlug
+	}
+
+	if !slugRegex.MatchString(finalSlug) {
+		http.Error(w, "invalid slug format", http.StatusBadRequest)
+		return
+	}
+
+	exists, err := dbChannelExists(ctx, finalSlug)
+	if err != nil {
+		http.Error(w, "error checking slug", http.StatusInternalServerError)
+		return
+	}
+	if exists {
+		http.Error(w, "slug already taken", http.StatusConflict)
+		return
+	}
+
+	channel := &ChannelData{
+		Slug:       finalSlug,
+		Name:       req.Name,
+		OwnerEmail: req.Email,
+		CreatedAt:  time.Now(),
+		Features: ChannelFeatures{
+			Reactions:         true,
+			FileUploads:       true,
+			Reports:           true,
+			ScheduledMessages: true,
+		},
+	}
+
+	if err := dbCreateChannel(ctx, channel); err != nil {
+		http.Error(w, "error creating channel", http.StatusInternalServerError)
+		return
+	}
+
+	dbAssignChannelRole(ctx, req.Email, finalSlug, RoleOwner)
+	initializePrivilegeUsers()
+
+	req.Status = RequestStatusApproved
+	req.ApprovedSlug = finalSlug
+	req.Notes = body.Notes
+	dbSaveChannelRequest(ctx, req)
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]any{
+		"status":      "approved",
+		"channelSlug": finalSlug,
+		"channelName": channel.Name,
+		"ownerEmail":  req.Email,
+	})
+}
+
+// POST /api/super-admin/channel-requests/{id}/reject
+func rejectChannelRequest(w http.ResponseWriter, r *http.Request) {
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	id := chi.URLParam(r, "id")
+
+	var body struct {
+		Notes string `json:"notes"`
+	}
+	json.NewDecoder(r.Body).Decode(&body)
+
+	req, err := dbGetChannelRequest(ctx, id)
+	if err != nil {
+		http.Error(w, "request not found", http.StatusNotFound)
+		return
+	}
+
+	req.Status = RequestStatusRejected
+	req.Notes = body.Notes
+	dbSaveChannelRequest(ctx, req)
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]string{"status": "rejected"})
+}
diff --git a/backend/main.go b/backend/main.go
index f4d0258..08ab2d8 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -78,6 +78,18 @@ func main() {
 		r.Post("/statistics/reset", resetStatistics)
 	})
 
+	// Public: submit channel request (no auth required)
+	r.Post("/api/channel-request", submitChannelRequest)
+
+	// Super admin: manage channel requests
+	r.Route("/api/super-admin", func(r chi.Router) {
+		r.Use(checkLogin)
+		r.Use(requireSuperAdmin)
+		r.Get("/channel-requests", listChannelRequests)
+		r.Post("/channel-requests/{id}/approve", approveChannelRequest)
+		r.Post("/channel-requests/{id}/reject", rejectChannelRequest)
+	})
+
 	// Per-channel API import (with API key, no channel middleware needed - slug from URL)
 	r.Post("/api/channel/{slug}/import/post", addNewPost)
 
diff --git a/frontend/src/app/app.routes.ts b/frontend/src/app/app.routes.ts
index c2e28ab..16a1b60 100644
--- a/frontend/src/app/app.routes.ts
+++ b/frontend/src/app/app.routes.ts
@@ -4,11 +4,13 @@ import { ChannelComponent } from './components/channel/channel.component';
 import { AuthGuard } from "./services/chat-guard.guard";
 import { SuperAdminGuard } from './guards/super-admin.guard';
 import { SuperAdminPanelComponent } from './components/super-admin/super-admin-panel.component';
+import { LandingPageComponent } from './components/landing/landing-page.component';
 
 export const routes: Routes = [
+  { path: '', component: LandingPageComponent },
   { path: 'login', component: LoginComponent },
   {
-    path: '',
+    path: 'channel',
     component: ChannelComponent,
     canActivate: [AuthGuard],
   },
@@ -21,4 +23,4 @@ export const routes: Routes = [
     path: '**',
     redirectTo: ''
   }
-];
\ No newline at end of file
+];
diff --git a/frontend/src/app/components/channel/channel-header/channel-header.component.ts b/frontend/src/app/components/channel/channel-header/channel-header.component.ts
index a9cd620..66d6183 100644
--- a/frontend/src/app/components/channel/channel-header/channel-header.component.ts
+++ b/frontend/src/app/components/channel/channel-header/channel-header.component.ts
@@ -108,19 +108,7 @@ export class ChannelHeaderComponent implements OnInit {
     if (await this._authService.logout()) {
       this.userInfo = undefined;
       this.userInfoChange.emit(undefined);
-      try {
-        await this._authService.loadUserInfo();
-      } catch (err: any) {
-        if (err.status === 401) {
-          this.router.navigate(['/login']);
-        }
-      }
-
-      const path = this.router.url;
-      if (path !== '/') {
-        this.router.navigate(['/']);
-      }
-
+      this.router.navigate(['/']);
     } else {
       this.toastrService.danger("", "שגיאה בהתנתקות");
     }
diff --git a/frontend/src/app/components/landing/landing-page.component.scss b/frontend/src/app/components/landing/landing-page.component.scss
new file mode 100644
index 0000000..42293a9
--- /dev/null
+++ b/frontend/src/app/components/landing/landing-page.component.scss
@@ -0,0 +1,56 @@
+:host {
+  display: block;
+}
+
+.hero {
+  background: linear-gradient(135deg, #3366ff 0%, #6610f2 100%);
+  color: white;
+  padding: 80px 0;
+  text-align: center;
+  direction: rtl;
+}
+
+.hero h1 {
+  font-size: 2.8rem;
+  font-weight: 700;
+  margin-bottom: 1rem;
+}
+
+.hero p {
+  font-size: 1.2rem;
+  opacity: 0.9;
+  margin-bottom: 2rem;
+}
+
+.section {
+  padding: 60px 0;
+  direction: rtl;
+}
+
+.section-title {
+  text-align: center;
+  margin-bottom: 2.5rem;
+  font-size: 1.8rem;
+  font-weight: 600;
+}
+
+.step-number {
+  width: 48px;
+  height: 48px;
+  border-radius: 50%;
+  background: #3366ff;
+  color: white;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+  font-size: 1.2rem;
+  font-weight: 700;
+  margin: 0 auto 1rem;
+}
+
+.footer {
+  text-align: center;
+  padding: 20px;
+  color: #888;
+  font-size: 0.85rem;
+}
diff --git a/frontend/src/app/components/landing/landing-page.component.ts b/frontend/src/app/components/landing/landing-page.component.ts
new file mode 100644
index 0000000..8b828d3
--- /dev/null
+++ b/frontend/src/app/components/landing/landing-page.component.ts
@@ -0,0 +1,253 @@
+import { Component, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { FormsModule } from '@angular/forms';
+import { RouterLink, Router } from '@angular/router';
+import {
+  NbCardModule, NbButtonModule, NbInputModule,
+  NbFormFieldModule, NbIconModule, NbAlertModule, NbSpinnerModule
+} from '@nebular/theme';
+import { AuthService } from '../../services/auth.service';
+import { ChannelRequestService } from '../../services/channel-request.service';
+
+@Component({
+  selector: 'app-landing-page',
+  standalone: true,
+  imports: [
+    CommonModule,
+    FormsModule,
+    RouterLink,
+    NbCardModule,
+    NbButtonModule,
+    NbInputModule,
+    NbFormFieldModule,
+    NbIconModule,
+    NbAlertModule,
+    NbSpinnerModule,
+  ],
+  styleUrl: './landing-page.component.scss',
+  template: `
+    <!-- Navbar -->
+    <nav class="d-flex justify-content-between align-items-center px-4 py-3 border-bottom bg-white">
+      <a nbButton status="primary" [routerLink]="['/login']">התחבר</a>
+      <span class="fw-bold fs-5">TheChannel</span>
+    </nav>
+
+    <!-- Hero Section -->
+    <section class="hero">
+      <div class="container">
+        <h1>פתחו ערוץ חדשות משלכם</h1>
+        <p>הגישו בקשה בחינם ונפתח לכם ערוץ פרטי תוך 24 שעות</p>
+        <a nbButton status="control" size="large" href="#request-form" (click)="scrollToForm($event)">
+          בקש ערוץ עכשיו
+        </a>
+      </div>
+    </section>
+
+    <!-- How it works -->
+    <section class="section bg-light">
+      <div class="container">
+        <h2 class="section-title">איך זה עובד?</h2>
+        <div class="row g-4 justify-content-center">
+          <div class="col-md-4">
+            <div class="card text-center h-100 border-0 shadow-sm p-4">
+              <div class="step-number">1</div>
+              <nb-icon icon="edit-2-outline" class="fs-1 text-primary mb-2" style="font-size:2rem"></nb-icon>
+              <h5 class="mt-2">מלא טופס</h5>
+            </div>
+          </div>
+          <div class="col-md-4">
+            <div class="card text-center h-100 border-0 shadow-sm p-4">
+              <div class="step-number">2</div>
+              <nb-icon icon="checkmark-circle-outline" class="text-primary mb-2" style="font-size:2rem"></nb-icon>
+              <h5 class="mt-2">קבל אישור</h5>
+            </div>
+          </div>
+          <div class="col-md-4">
+            <div class="card text-center h-100 border-0 shadow-sm p-4">
+              <div class="step-number">3</div>
+              <nb-icon icon="radio-outline" class="text-primary mb-2" style="font-size:2rem"></nb-icon>
+              <h5 class="mt-2">התחל לשדר</h5>
+            </div>
+          </div>
+        </div>
+      </div>
+    </section>
+
+    <!-- Features Section -->
+    <section class="section">
+      <div class="container">
+        <h2 class="section-title">מה מקבלים?</h2>
+        <div class="row g-4">
+          <div class="col-md-6">
+            <div class="card border-0 shadow-sm p-4 h-100 d-flex flex-row align-items-start gap-3">
+              <nb-icon icon="brush-outline" style="font-size:1.8rem; color:#3366ff; flex-shrink:0"></nb-icon>
+              <div>
+                <h5 class="mb-1">עיצוב מותאם אישית</h5>
+                <p class="text-muted mb-0">התאימו את הערוץ שלכם לסגנון שלכם</p>
+              </div>
+            </div>
+          </div>
+          <div class="col-md-6">
+            <div class="card border-0 shadow-sm p-4 h-100 d-flex flex-row align-items-start gap-3">
+              <nb-icon icon="settings-2-outline" style="font-size:1.8rem; color:#3366ff; flex-shrink:0"></nb-icon>
+              <div>
+                <h5 class="mb-1">ניהול קל ופשוט</h5>
+                <p class="text-muted mb-0">פאנל ניהול נוח ופשוט לשימוש</p>
+              </div>
+            </div>
+          </div>
+          <div class="col-md-6">
+            <div class="card border-0 shadow-sm p-4 h-100 d-flex flex-row align-items-start gap-3">
+              <nb-icon icon="hard-drive-outline" style="font-size:1.8rem; color:#3366ff; flex-shrink:0"></nb-icon>
+              <div>
+                <h5 class="mb-1">אחסון מדיה</h5>
+                <p class="text-muted mb-0">העלו תמונות וקבצים ישירות לערוץ</p>
+              </div>
+            </div>
+          </div>
+          <div class="col-md-6">
+            <div class="card border-0 shadow-sm p-4 h-100 d-flex flex-row align-items-start gap-3">
+              <nb-icon icon="globe-outline" style="font-size:1.8rem; color:#3366ff; flex-shrink:0"></nb-icon>
+              <div>
+                <h5 class="mb-1">ממשק בעברית</h5>
+                <p class="text-muted mb-0">מבנה RTL מלא, תמיכה מושלמת בעברית</p>
+              </div>
+            </div>
+          </div>
+        </div>
+      </div>
+    </section>
+
+    <!-- Request Form -->
+    <section class="section bg-light" id="request-form">
+      <div class="container">
+        <div class="row justify-content-center">
+          <div class="col-md-7">
+            <nb-card>
+              <nb-card-header>
+                <h4 class="mb-0">בקש ערוץ</h4>
+              </nb-card-header>
+              <nb-card-body>
+                @if (submitted) {
+                  <nb-alert status="success" [closable]="false">
+                    הבקשה נשלחה! נחזור אליך בהקדם
+                  </nb-alert>
+                } @else {
+                  @if (error) {
+                    <nb-alert status="danger" [closable]="false">{{ error }}</nb-alert>
+                  }
+                  <form (ngSubmit)="submitRequest()" #requestForm="ngForm">
+                    <div class="mb-3">
+                      <label class="form-label">שם מלא</label>
+                      <input nbInput fullWidth
+                        type="text"
+                        [(ngModel)]="reqName"
+                        name="reqName"
+                        required
+                        placeholder="שם מלא">
+                    </div>
+                    <div class="mb-3">
+                      <label class="form-label">כתובת אימייל</label>
+                      <input nbInput fullWidth
+                        type="email"
+                        [(ngModel)]="reqEmail"
+                        name="reqEmail"
+                        required
+                        placeholder="your@email.com">
+                    </div>
+                    <div class="mb-3">
+                      <label class="form-label">Slug רצוי</label>
+                      <input nbInput fullWidth
+                        type="text"
+                        [(ngModel)]="reqSlug"
+                        name="reqSlug"
+                        required
+                        placeholder="my-channel — אותיות קטנות ומקפים בלבד">
+                    </div>
+                    <div class="mb-3">
+                      <label class="form-label">תיאור מה תעשה עם הערוץ</label>
+                      <textarea nbInput fullWidth
+                        rows="4"
+                        [(ngModel)]="reqDescription"
+                        name="reqDescription"
+                        required
+                        placeholder="ספר לנו על הערוץ שלך..."></textarea>
+                    </div>
+                    <button nbButton status="primary" fullWidth type="submit"
+                      [disabled]="submitting">
+                      @if (submitting) {
+                        <nb-spinner size="small" status="control"></nb-spinner>
+                      }
+                      שלח בקשה
+                    </button>
+                  </form>
+                }
+              </nb-card-body>
+            </nb-card>
+          </div>
+        </div>
+      </div>
+    </section>
+
+    <!-- Footer -->
+    <footer class="footer">
+      <span>TheChannel &copy; 2024</span>
+    </footer>
+  `,
+})
+export class LandingPageComponent implements OnInit {
+  reqName = '';
+  reqEmail = '';
+  reqSlug = '';
+  reqDescription = '';
+  submitting = false;
+  submitted = false;
+  error = '';
+
+  constructor(
+    private authService: AuthService,
+    private channelRequestService: ChannelRequestService,
+    private router: Router,
+  ) {}
+
+  async ngOnInit() {
+    try {
+      const user = await this.authService.loadUserInfo();
+      if (user) {
+        if (user.globalRole === 'super_admin') {
+          this.router.navigate(['/super-admin']);
+        } else {
+          this.router.navigate(['/channel']);
+        }
+      }
+    } catch {
+      // Not logged in — show the landing page
+    }
+  }
+
+  scrollToForm(event: Event) {
+    event.preventDefault();
+    const el = document.getElementById('request-form');
+    if (el) {
+      el.scrollIntoView({ behavior: 'smooth' });
+    }
+  }
+
+  async submitRequest() {
+    this.error = '';
+    this.submitting = true;
+    try {
+      await this.channelRequestService.submitRequest(
+        this.reqName,
+        this.reqEmail,
+        this.reqSlug,
+        this.reqDescription,
+      );
+      this.submitted = true;
+    } catch (err: any) {
+      this.error = err?.error?.message || 'שגיאה בשליחת הבקשה. נסה שוב.';
+    } finally {
+      this.submitting = false;
+    }
+  }
+}
diff --git a/frontend/src/app/components/login/login.component.ts b/frontend/src/app/components/login/login.component.ts
index 84d6550..90bd776 100644
--- a/frontend/src/app/components/login/login.component.ts
+++ b/frontend/src/app/components/login/login.component.ts
@@ -6,9 +6,7 @@ import { AuthService } from '../../services/auth.service';
 
 @Component({
   selector: 'app-login',
-  imports: [
-    FormsModule
-],
+  imports: [FormsModule],
   templateUrl: './login.component.html',
   styleUrl: './login.component.scss'
 })
@@ -29,7 +27,7 @@ export class LoginComponent implements OnInit {
     try {
       await this._authService.loadUserInfo();
       if (this._authService.userInfo) {
-        this.router.navigate(['/']);
+        this.redirectAfterLogin();
         return;
       }
     } catch {
@@ -37,8 +35,9 @@ export class LoginComponent implements OnInit {
         if (Object.keys(params).length > 0) {
           if (params['code'] && params['state'] === localStorage.getItem('google_oauth_state')) {
             this.code = params['code'];
-            this._authService.login(this.code).then(() => {
-              this.router.navigate(['/']);
+            this._authService.login(this.code).then(async () => {
+              await this._authService.loadUserInfo();
+              this.redirectAfterLogin();
             }).catch(() => {
               this.code = '';
               this.status = 'failed';
@@ -52,6 +51,14 @@ export class LoginComponent implements OnInit {
     }
   }
 
+  private redirectAfterLogin() {
+    if (this._authService.userInfo?.globalRole === 'super_admin') {
+      this.router.navigate(['/super-admin']);
+    } else {
+      this.router.navigate(['/channel']);
+    }
+  }
+
   login() {
     this._authService.loginWithGoogle();
   }
diff --git a/frontend/src/app/components/super-admin/channel-requests/channel-requests.component.ts b/frontend/src/app/components/super-admin/channel-requests/channel-requests.component.ts
new file mode 100644
index 0000000..e5a83f7
--- /dev/null
+++ b/frontend/src/app/components/super-admin/channel-requests/channel-requests.component.ts
@@ -0,0 +1,246 @@
+import { Component, OnInit } from '@angular/core';
+import { CommonModule } from '@angular/common';
+import { FormsModule } from '@angular/forms';
+import {
+  NbCardModule, NbButtonModule, NbInputModule,
+  NbBadgeModule, NbIconModule, NbToastrService, NbAlertModule, NbFormFieldModule
+} from '@nebular/theme';
+import { SuperAdminService, ChannelRequest } from '../../../services/super-admin.service';
+
+@Component({
+  selector: 'app-channel-requests',
+  standalone: true,
+  imports: [
+    CommonModule,
+    FormsModule,
+    NbCardModule,
+    NbButtonModule,
+    NbInputModule,
+    NbBadgeModule,
+    NbIconModule,
+    NbAlertModule,
+    NbFormFieldModule,
+  ],
+  template: `
+    <nb-card>
+      <nb-card-header>
+        <h5 class="mb-0">בקשות לפתיחת ערוץ</h5>
+      </nb-card-header>
+      <nb-card-body>
+        @if (loading) {
+          <p class="text-center">טוען...</p>
+        } @else if (requests.length === 0) {
+          <p class="text-center text-muted">אין בקשות</p>
+        } @else {
+          <div class="table-responsive" dir="rtl">
+            <table class="table table-bordered align-middle">
+              <thead class="table-light">
+                <tr>
+                  <th>שם</th>
+                  <th>אימייל</th>
+                  <th>Slug מבוקש</th>
+                  <th>תיאור</th>
+                  <th>תאריך</th>
+                  <th>סטטוס</th>
+                  <th>פעולות</th>
+                </tr>
+              </thead>
+              <tbody>
+                @for (req of requests; track req.id) {
+                  <tr>
+                    <td>{{ req.name }}</td>
+                    <td>{{ req.email }}</td>
+                    <td><code>{{ req.desiredSlug }}</code></td>
+                    <td>
+                      <span class="text-truncate d-inline-block" style="max-width:200px" [title]="req.description">
+                        {{ req.description }}
+                      </span>
+                    </td>
+                    <td>{{ req.createdAt | date:'dd/MM/yy HH:mm' }}</td>
+                    <td>
+                      @if (req.status === 'pending') {
+                        <span class="badge bg-warning text-dark">ממתין</span>
+                      } @else if (req.status === 'approved') {
+                        <span class="badge bg-success">מאושר</span>
+                        @if (req.approvedSlug) {
+                          <br><small class="text-muted">{{ req.approvedSlug }}</small>
+                        }
+                      } @else if (req.status === 'rejected') {
+                        <span class="badge bg-danger">נדחה</span>
+                      }
+                    </td>
+                    <td>
+                      @if (req.status === 'pending') {
+                        <div class="d-flex gap-2">
+                          <button nbButton status="success" size="small"
+                            (click)="startApprove(req)"
+                            [disabled]="actionId === req.id">
+                            אשר
+                          </button>
+                          <button nbButton status="danger" size="small"
+                            (click)="startReject(req)"
+                            [disabled]="actionId === req.id">
+                            דחה
+                          </button>
+                        </div>
+                      } @else {
+                        <span class="text-muted">—</span>
+                      }
+                    </td>
+                  </tr>
+
+                  <!-- Approve inline form -->
+                  @if (actionId === req.id && approveMode) {
+                    <tr class="table-success">
+                      <td colspan="7">
+                        <div class="p-3" dir="rtl">
+                          <h6 class="mb-3">אישור בקשה — {{ req.name }}</h6>
+
+                          @if (lastApproveResult && lastApproveResult.reqId === req.id) {
+                            <nb-alert status="success" [closable]="false">
+                              <p class="mb-1">✓ הערוץ נוצר בהצלחה!</p>
+                              <p class="mb-1">Slug: <strong>{{ lastApproveResult.channelSlug }}</strong></p>
+                              <p class="mb-1">אימייל הבעלים: <strong>{{ lastApproveResult.ownerEmail }}</strong></p>
+                              <p class="mb-0">שלח לו את הקישור: <code>/channel/{{ lastApproveResult.channelSlug }}</code></p>
+                            </nb-alert>
+                          } @else {
+                            <div class="row g-3">
+                              <div class="col-md-4">
+                                <label class="form-label">Slug סופי</label>
+                                <input nbInput fullWidth
+                                  type="text"
+                                  [(ngModel)]="approveSlug"
+                                  name="approveSlug"
+                                  placeholder="my-channel">
+                              </div>
+                              <div class="col-md-8">
+                                <label class="form-label">הערות (אופציונלי)</label>
+                                <textarea nbInput fullWidth
+                                  rows="2"
+                                  [(ngModel)]="approveNotes"
+                                  name="approveNotes"
+                                  placeholder="הערות לבקשה..."></textarea>
+                              </div>
+                            </div>
+                            <div class="d-flex gap-2 mt-3">
+                              <button nbButton status="success"
+                                (click)="confirmApprove()"
+                                [disabled]="!approveSlug">
+                                אשר ויצור ערוץ
+                              </button>
+                              <button nbButton status="basic" (click)="cancel()">ביטול</button>
+                            </div>
+                          }
+                        </div>
+                      </td>
+                    </tr>
+                  }
+
+                  <!-- Reject inline form -->
+                  @if (actionId === req.id && rejectMode) {
+                    <tr class="table-danger">
+                      <td colspan="7">
+                        <div class="p-3" dir="rtl">
+                          <h6 class="mb-3">דחיית בקשה — {{ req.name }}</h6>
+                          <div class="mb-3">
+                            <label class="form-label">הערות דחייה (אופציונלי)</label>
+                            <textarea nbInput fullWidth
+                              rows="2"
+                              [(ngModel)]="rejectNotes"
+                              name="rejectNotes"
+                              placeholder="סיבת הדחייה..."></textarea>
+                          </div>
+                          <div class="d-flex gap-2">
+                            <button nbButton status="danger" (click)="confirmReject()">דחה בקשה</button>
+                            <button nbButton status="basic" (click)="cancel()">ביטול</button>
+                          </div>
+                        </div>
+                      </td>
+                    </tr>
+                  }
+                }
+              </tbody>
+            </table>
+          </div>
+        }
+      </nb-card-body>
+    </nb-card>
+  `,
+})
+export class ChannelRequestsComponent implements OnInit {
+  requests: ChannelRequest[] = [];
+  loading = false;
+  actionId = '';
+  approveSlug = '';
+  approveNotes = '';
+  rejectNotes = '';
+  approveMode = false;
+  rejectMode = false;
+  lastApproveResult: { reqId: string; channelSlug: string; ownerEmail: string } | null = null;
+
+  constructor(
+    private superAdminService: SuperAdminService,
+    private toastr: NbToastrService,
+  ) {}
+
+  ngOnInit(): void {
+    this.load();
+  }
+
+  load(): void {
+    this.loading = true;
+    this.superAdminService.getChannelRequests()
+      .then(reqs => { this.requests = reqs; })
+      .catch(() => this.toastr.danger('', 'שגיאה בטעינת הבקשות'))
+      .finally(() => { this.loading = false; });
+  }
+
+  startApprove(req: ChannelRequest): void {
+    this.lastApproveResult = null;
+    this.approveMode = true;
+    this.rejectMode = false;
+    this.actionId = req.id;
+    this.approveSlug = req.desiredSlug;
+    this.approveNotes = '';
+  }
+
+  startReject(req: ChannelRequest): void {
+    this.lastApproveResult = null;
+    this.rejectMode = true;
+    this.approveMode = false;
+    this.actionId = req.id;
+    this.rejectNotes = '';
+  }
+
+  confirmApprove(): void {
+    if (!this.approveSlug) return;
+    const id = this.actionId;
+    this.superAdminService.approveChannelRequest(id, this.approveSlug, this.approveNotes)
+      .then(result => {
+        this.lastApproveResult = { reqId: id, channelSlug: result.channelSlug, ownerEmail: result.ownerEmail };
+        this.toastr.success('', 'הערוץ נוצר בהצלחה');
+        this.load();
+      })
+      .catch(() => this.toastr.danger('', 'שגיאה באישור הבקשה'));
+  }
+
+  confirmReject(): void {
+    const id = this.actionId;
+    this.superAdminService.rejectChannelRequest(id, this.rejectNotes)
+      .then(() => {
+        this.toastr.success('', 'הבקשה נדחתה');
+        this.cancel();
+        this.load();
+      })
+      .catch(() => this.toastr.danger('', 'שגיאה בדחיית הבקשה'));
+  }
+
+  cancel(): void {
+    this.actionId = '';
+    this.approveMode = false;
+    this.rejectMode = false;
+    this.approveSlug = '';
+    this.approveNotes = '';
+    this.rejectNotes = '';
+  }
+}
diff --git a/frontend/src/app/components/super-admin/super-admin-panel.component.html b/frontend/src/app/components/super-admin/super-admin-panel.component.html
index d5289af..8f6b14c 100644
--- a/frontend/src/app/components/super-admin/super-admin-panel.component.html
+++ b/frontend/src/app/components/super-admin/super-admin-panel.component.html
@@ -15,6 +15,9 @@
       }
 
       @switch (selectedView) {
+        @case (VIEW_REQUESTS) {
+          <app-channel-requests></app-channel-requests>
+        }
         @case (VIEW_CHANNELS) {
           <app-channels-list
             (editFeatures)="onEditFeatures($event)"
diff --git a/frontend/src/app/components/super-admin/super-admin-panel.component.ts b/frontend/src/app/components/super-admin/super-admin-panel.component.ts
index 382c942..5b3ebc2 100644
--- a/frontend/src/app/components/super-admin/super-admin-panel.component.ts
+++ b/frontend/src/app/components/super-admin/super-admin-panel.component.ts
@@ -18,8 +18,9 @@ import { GlobalSettingsComponent } from './global-settings/global-settings.compo
 import { SuperAdminStatisticsComponent } from './statistics/super-admin-statistics.component';
 import { SuperAdminStorageComponent } from './storage/super-admin-storage.component';
 import { GlobalStorageComponent } from './global-storage/global-storage.component';
+import { ChannelRequestsComponent } from './channel-requests/channel-requests.component';
 
-type ViewName = 'channels' | 'channel-features' | 'channel-users' | 'channel-storage' | 'ads' | 'magnet' | 'users' | 'settings' | 'statistics' | 'global-storage';
+type ViewName = 'channels' | 'channel-features' | 'channel-users' | 'channel-storage' | 'ads' | 'magnet' | 'users' | 'settings' | 'statistics' | 'global-storage' | 'requests';
 
 @Component({
   selector: 'app-super-admin-panel',
@@ -40,6 +41,7 @@ type ViewName = 'channels' | 'channel-features' | 'channel-users' | 'channel-sto
     SuperAdminStatisticsComponent,
     SuperAdminStorageComponent,
     GlobalStorageComponent,
+    ChannelRequestsComponent,
   ],
   templateUrl: './super-admin-panel.component.html',
   styleUrl: './super-admin-panel.component.scss',
@@ -60,8 +62,10 @@ export class SuperAdminPanelComponent implements OnInit {
   readonly VIEW_SETTINGS: ViewName = 'settings';
   readonly VIEW_STATISTICS: ViewName = 'statistics';
   readonly VIEW_GLOBAL_STORAGE: ViewName = 'global-storage';
+  readonly VIEW_REQUESTS: ViewName = 'requests';
 
   navigationMenu: NbMenuItem[] = [
+    { title: 'בקשות לערוצים', icon: 'inbox-outline', selected: false },
     { title: 'ערוצים', icon: 'list-outline', selected: true },
     { title: 'פרסומות iframe', icon: 'film-outline' },
     { title: 'פרסומות מגנט', icon: 'pricetags-outline' },
@@ -79,6 +83,10 @@ export class SuperAdminPanelComponent implements OnInit {
       event.item.selected = true;
 
       switch (event.item.icon) {
+        case 'inbox-outline':
+          this.selectedView = this.VIEW_REQUESTS;
+          this.selectedChannelSlug = '';
+          break;
         case 'list-outline':
           this.selectedView = this.VIEW_CHANNELS;
           this.selectedChannelSlug = '';
diff --git a/frontend/src/app/services/channel-request.service.ts b/frontend/src/app/services/channel-request.service.ts
new file mode 100644
index 0000000..167317d
--- /dev/null
+++ b/frontend/src/app/services/channel-request.service.ts
@@ -0,0 +1,36 @@
+import { HttpClient } from '@angular/common/http';
+import { Injectable } from '@angular/core';
+import { firstValueFrom } from 'rxjs';
+
+@Injectable({
+  providedIn: 'root'
+})
+export class ChannelRequestService {
+
+  constructor(private http: HttpClient) {}
+
+  submitRequest(name: string, email: string, desiredSlug: string, description: string): Promise<{ status: string; id: string }> {
+    return firstValueFrom(
+      this.http.post<{ status: string; id: string }>('/api/channel-request', { name, email, desiredSlug, description })
+    );
+  }
+
+  getChannelRequests(): Promise<any[]> {
+    return firstValueFrom(this.http.get<any[]>('/api/super-admin/channel-requests'));
+  }
+
+  approveChannelRequest(id: string, slug: string, notes: string): Promise<{ channelSlug: string; ownerEmail: string }> {
+    return firstValueFrom(
+      this.http.post<{ channelSlug: string; ownerEmail: string }>(
+        `/api/super-admin/channel-requests/${id}/approve`,
+        { slug, notes }
+      )
+    );
+  }
+
+  rejectChannelRequest(id: string, notes: string): Promise<void> {
+    return firstValueFrom(
+      this.http.post<void>(`/api/super-admin/channel-requests/${id}/reject`, { notes })
+    );
+  }
+}
diff --git a/frontend/src/app/services/super-admin.service.ts b/frontend/src/app/services/super-admin.service.ts
index fa4abbe..00f7734 100644
--- a/frontend/src/app/services/super-admin.service.ts
+++ b/frontend/src/app/services/super-admin.service.ts
@@ -157,4 +157,35 @@ export class SuperAdminService {
   setChannelStorage(slug: string, quotaGb: number): Promise<void> {
     return firstValueFrom(this.http.put<void>(`/api/super-admin/channels/${slug}/storage`, { quotaGb }));
   }
+
+  getChannelRequests(): Promise<ChannelRequest[]> {
+    return firstValueFrom(this.http.get<ChannelRequest[]>('/api/super-admin/channel-requests'));
+  }
+
+  approveChannelRequest(id: string, slug: string, notes: string): Promise<{ channelSlug: string; ownerEmail: string }> {
+    return firstValueFrom(
+      this.http.post<{ channelSlug: string; ownerEmail: string }>(
+        `/api/super-admin/channel-requests/${id}/approve`,
+        { slug, notes }
+      )
+    );
+  }
+
+  rejectChannelRequest(id: string, notes: string): Promise<void> {
+    return firstValueFrom(
+      this.http.post<void>(`/api/super-admin/channel-requests/${id}/reject`, { notes })
+    );
+  }
+}
+
+export interface ChannelRequest {
+  id: string;
+  name: string;
+  email: string;
+  desiredSlug: string;
+  description: string;
+  status: 'pending' | 'approved' | 'rejected';
+  notes: string;
+  createdAt: string;
+  approvedSlug: string;
 }

From f360334ea592ab92134aea63467abae0ce3c8c5c Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 04:44:22 +0000
Subject: [PATCH 29/60] Fix multi-tenant isolation, performance, and rate
 limiting
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Security (data isolation):
- serveFile: verify meta.ChannelSlug matches URL slug — blocks cross-channel file access
- addNewPost (/import): validate slug against slugRegex to prevent key injection

Performance (50+ concurrent channels):
- Redis pool: PoolSize=100, MinIdleConns=10, retries, timeouts (was default 10)
- dbDeleteChannel: replace O(keyspace) SCAN with targeted pipeline using known
  key names + message IDs from sorted set — O(messages) instead of O(total keys)
- Scheduled messages: maintain sorted set "scheduled:due_channels" (score=next due time)
  so the goroutine only wakes channels with pending messages, not all channels every minute
- Lua getMessageRange: add max_scan_rounds=20 guard to prevent unbounded loops on sparse data

Rate limiting:
- File uploads: 30/min per channel (burst=10) via golang.org/x/time/rate
  returns HTTP 429 when exceeded

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 backend/api.go       |   4 +-
 backend/db.go        | 104 +++++++++++++++++++++++++++++++------------
 backend/files.go     |   8 ++++
 backend/go.mod       |   4 +-
 backend/go.sum       |   2 +
 backend/main.go      |   2 +-
 backend/ratelimit.go |  42 +++++++++++++++++
 backend/scheduled.go |  96 ++++++++++++++++++++++-----------------
 8 files changed, 189 insertions(+), 73 deletions(-)
 create mode 100644 backend/ratelimit.go

diff --git a/backend/api.go b/backend/api.go
index 3519c07..ccc13bb 100644
--- a/backend/api.go
+++ b/backend/api.go
@@ -12,8 +12,8 @@ import (
 
 func addNewPost(w http.ResponseWriter, r *http.Request) {
 	slug := chi.URLParam(r, "slug")
-	if slug == "" {
-		http.Error(w, "missing slug", http.StatusBadRequest)
+	if !slugRegex.MatchString(slug) {
+		http.Error(w, "invalid slug", http.StatusBadRequest)
 		return
 	}
 
diff --git a/backend/db.go b/backend/db.go
index b9e1f5e..9011a93 100644
--- a/backend/db.go
+++ b/backend/db.go
@@ -52,10 +52,16 @@ func init() {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
 	rdb = redis.NewClient(&redis.Options{
-		Network:  redisType,
-		Addr:     redisAddr,
-		Password: redisPass,
-		DB:       0,
+		Network:      redisType,
+		Addr:         redisAddr,
+		Password:     redisPass,
+		DB:           0,
+		PoolSize:     100,             // one per active SSE connection + room for writes
+		MinIdleConns: 10,
+		MaxRetries:   3,
+		DialTimeout:  5 * time.Second,
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 5 * time.Second,
 	})
 
 	_, err := rdb.Ping(ctx).Result()
@@ -186,7 +192,11 @@ var getMessageRange = redis.NewScript(`
 	end
 
 	local messages = {}
+	local max_scan_rounds = 20
+	local scan_rounds = 0
 	repeat
+		scan_rounds = scan_rounds + 1
+		if scan_rounds > max_scan_rounds then break end
 		local batch_size = required_length - #messages
 		local stop_index = start_index + batch_size
 		local message_ids
@@ -748,6 +758,21 @@ func dbSaveScheduledMessages(ctx context.Context, slug string, messages *[]Messa
 		return fmt.Errorf("failed to set scheduled messages in db: %v", err)
 	}
 
+	// Maintain a global sorted set of "next due time" per channel so the
+	// scheduler only wakes channels that actually have pending messages.
+	var earliest float64
+	for _, m := range *messages {
+		ts := float64(m.Timestamp.Unix())
+		if earliest == 0 || ts < earliest {
+			earliest = ts
+		}
+	}
+	if earliest > 0 {
+		rdb.ZAdd(ctx, "scheduled:due_channels", redis.Z{Score: earliest, Member: slug})
+	} else {
+		rdb.ZRem(ctx, "scheduled:due_channels", slug)
+	}
+
 	return nil
 }
 
@@ -873,32 +898,55 @@ func dbListChannels(ctx context.Context) ([]*ChannelData, error) {
 }
 
 func dbDeleteChannel(ctx context.Context, slug string) error {
-	// Remove from channels:list
-	if err := rdb.ZRem(ctx, "channels:list", slug).Err(); err != nil {
-		return err
-	}
-
-	// Scan and delete all channel:{slug}:* keys
-	pattern := fmt.Sprintf("channel:%s:*", slug)
-	var cursor uint64
-	for {
-		keys, nextCursor, err := rdb.Scan(ctx, cursor, pattern, 100).Result()
-		if err != nil {
-			return err
-		}
-		if len(keys) > 0 {
-			if err := rdb.Del(ctx, keys...).Err(); err != nil {
-				return err
-			}
-		}
-		cursor = nextCursor
-		if cursor == 0 {
-			break
+	p := slug
+
+	// Step 1: collect all message keys and reaction keys from the sorted set (avoids SCAN)
+	messageKeys, _ := rdb.ZRange(ctx, fmt.Sprintf("channel:%s:m_times", p), 0, -1).Result()
+	reactionKeys := make([]string, 0, len(messageKeys))
+	for _, mk := range messageKeys {
+		// mk is already the full key e.g. "channel:{slug}:messages:{id}"
+		// derive reaction key from it by replacing "messages:" prefix with "message:" and appending ":reactions"
+		id := strings.TrimPrefix(mk, fmt.Sprintf("channel:%s:messages:", p))
+		reactionKeys = append(reactionKeys, fmt.Sprintf("channel:%s:message:%s:reactions", p, id))
+	}
+
+	// Step 2: delete all known fixed keys in one pipeline
+	fixedKeys := []string{
+		fmt.Sprintf("channel:%s", p),
+		fmt.Sprintf("channel:%s:settings", p),
+		fmt.Sprintf("channel:%s:features", p),
+		fmt.Sprintf("channel:%s:m_times", p),
+		fmt.Sprintf("channel:%s:message:next_id", p),
+		fmt.Sprintf("channel:%s:subscriptions", p),
+		fmt.Sprintf("channel:%s:registered_emails", p),
+		fmt.Sprintf("channel:%s:emojis:list", p),
+		fmt.Sprintf("channel:%s:reports:list", p),
+		fmt.Sprintf("channel:%s:reports:open", p),
+		fmt.Sprintf("channel:%s:reports:closed", p),
+		fmt.Sprintf("channel:%s:report:next_id", p),
+		fmt.Sprintf("channel:%s:scheduled_messages:list", p),
+		fmt.Sprintf("channel:%s:sse_statistics:total", p),
+		fmt.Sprintf("channel:%s:peak_sse_connections", p),
+		fmt.Sprintf("channel:%s:storage:used_bytes", p),
+		fmt.Sprintf("channel:%s:storage:quota_bytes", p),
+		fmt.Sprintf("channel:%s:storage:auto_cleanup", p),
+		fmt.Sprintf("channel:%s:files", p),
+	}
+	allKeys := append(fixedKeys, messageKeys...)
+	allKeys = append(allKeys, reactionKeys...)
+
+	pipe := rdb.Pipeline()
+	// Delete in batches of 200 to avoid huge single commands
+	for i := 0; i < len(allKeys); i += 200 {
+		end := i + 200
+		if end > len(allKeys) {
+			end = len(allKeys)
 		}
+		pipe.Del(ctx, allKeys[i:end]...)
 	}
-
-	// Delete the main channel hash
-	if err := rdb.Del(ctx, fmt.Sprintf("channel:%s", slug)).Err(); err != nil {
+	pipe.ZRem(ctx, "channels:list", slug)
+	pipe.ZRem(ctx, "scheduled:due_channels", slug)
+	if _, err := pipe.Exec(ctx); err != nil {
 		return err
 	}
 
diff --git a/backend/files.go b/backend/files.go
index bda68ca..0ec8bcd 100644
--- a/backend/files.go
+++ b/backend/files.go
@@ -148,11 +148,19 @@ func serveFile(w http.ResponseWriter, r *http.Request) {
 	ctx, cancel := context.WithTimeout(r.Context(), 10*time.Second)
 	defer cancel()
 
+	slug := channelSlugFromCtx(r)
+
 	meta, err := dbGetFileMetadata(ctx, fileId)
 	if err != nil || meta.Delete {
 		http.Error(w, "File not found", http.StatusNotFound)
 		return
 	}
+	// Enforce channel isolation: reject if file belongs to a different channel.
+	// Legacy files with empty ChannelSlug are allowed through for backward compatibility.
+	if meta.ChannelSlug != "" && meta.ChannelSlug != slug {
+		http.Error(w, "File not found", http.StatusNotFound)
+		return
+	}
 
 	w.Header().Set("Content-Disposition", `attachment; filename*=UTF-8''`+url.QueryEscape(meta.Filename))
 
diff --git a/backend/go.mod b/backend/go.mod
index eb6caa7..b9ed5b1 100644
--- a/backend/go.mod
+++ b/backend/go.mod
@@ -1,6 +1,6 @@
 module channel
 
-go 1.24
+go 1.25.0
 
 require github.com/redis/go-redis/v9 v9.7.0
 
@@ -72,7 +72,7 @@ require (
 	golang.org/x/sync v0.14.0 // indirect
 	golang.org/x/sys v0.33.0 // indirect
 	golang.org/x/text v0.25.0 // indirect
-	golang.org/x/time v0.11.0 // indirect
+	golang.org/x/time v0.15.0 // indirect
 	google.golang.org/api v0.233.0 // indirect
 	google.golang.org/appengine/v2 v2.0.6 // indirect
 	google.golang.org/genproto v0.0.0-20250519155744-55703ea1f237 // indirect
diff --git a/backend/go.sum b/backend/go.sum
index 7317c3a..db68322 100644
--- a/backend/go.sum
+++ b/backend/go.sum
@@ -211,6 +211,8 @@ golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
 golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/time v0.11.0 h1:/bpjEDfN9tkoN/ryeYHnv5hcMlc8ncjMcM4XBk5NWV0=
 golang.org/x/time v0.11.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
+golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
+golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
diff --git a/backend/main.go b/backend/main.go
index 08ab2d8..9a25728 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -119,7 +119,7 @@ func main() {
 				r.Post("/new", protectedWithChannelRole(RoleWriter, addMessage))
 				r.Post("/edit-message", protectedWithChannelRole(RoleWriter, updateMessage))
 				r.Get("/delete-message/{id}", protectedWithChannelRole(RoleWriter, deleteMessage))
-				r.Post("/upload", protectedWithChannelRole(RoleWriter, uploadFile))
+				r.Post("/upload", protectedWithChannelRole(RoleWriter, uploadRateLimit(uploadFile)))
 				r.Get("/scheduled-messages/get", protectedWithChannelRole(RoleWriter, getScheduledMessages))
 				r.Post("/scheduled-messages/update", protectedWithChannelRole(RoleWriter, updateScheduledMessages))
 
diff --git a/backend/ratelimit.go b/backend/ratelimit.go
new file mode 100644
index 0000000..248216e
--- /dev/null
+++ b/backend/ratelimit.go
@@ -0,0 +1,42 @@
+package main
+
+import (
+	"net/http"
+	"sync"
+	"time"
+
+	"golang.org/x/time/rate"
+)
+
+// uploadLimiters stores a per-channel rate limiter for file uploads.
+// Each channel allows up to 30 uploads per minute with a burst of 10.
+var (
+	uploadLimiters   sync.Map
+	uploadLimiterMu  sync.Mutex
+)
+
+func getUploadLimiter(slug string) *rate.Limiter {
+	if v, ok := uploadLimiters.Load(slug); ok {
+		return v.(*rate.Limiter)
+	}
+	uploadLimiterMu.Lock()
+	defer uploadLimiterMu.Unlock()
+	// Double-check after lock
+	if v, ok := uploadLimiters.Load(slug); ok {
+		return v.(*rate.Limiter)
+	}
+	l := rate.NewLimiter(rate.Every(2*time.Second), 10) // 30/min, burst 10
+	uploadLimiters.Store(slug, l)
+	return l
+}
+
+func uploadRateLimit(next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		slug := channelSlugFromCtx(r)
+		if !getUploadLimiter(slug).Allow() {
+			http.Error(w, "too many uploads — slow down", http.StatusTooManyRequests)
+			return
+		}
+		next(w, r)
+	}
+}
diff --git a/backend/scheduled.go b/backend/scheduled.go
index ff44709..14b765e 100644
--- a/backend/scheduled.go
+++ b/backend/scheduled.go
@@ -3,8 +3,11 @@ package main
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"net/http"
 	"time"
+
+	"github.com/redis/go-redis/v9"
 )
 
 func init() {
@@ -12,49 +15,62 @@ func init() {
 		ticker := time.NewTicker(1 * time.Minute)
 		defer ticker.Stop()
 		for range ticker.C {
-			ctxList, cancelList := context.WithTimeout(context.Background(), 5*time.Second)
-			channels, err := dbListChannels(ctxList)
-			cancelList()
-			if err != nil {
-				continue
-			}
+			runScheduledMessages()
+		}
+	}()
+}
+
+// runScheduledMessages only processes channels that have at least one message
+// due before now, using the "scheduled:due_channels" sorted set (score = earliest
+// due timestamp). This avoids querying every channel every minute.
+func runScheduledMessages() {
+	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+	defer cancel()
+
+	now := float64(time.Now().Unix())
 
-			for _, ch := range channels {
-				slug := ch.Slug
-				ctxGet, cancelGet := context.WithTimeout(context.Background(), 5*time.Second)
-				list, err := dbGetScheduledMessages(ctxGet, slug)
-				cancelGet()
-				if err != nil {
-					continue
-				}
-
-				now := time.Now()
-				newList := make([]Message, 0)
-				for _, msg := range *list {
-					if msg.Timestamp.Before(now) {
-						go func(m *Message, s string) {
-							ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
-							defer cancel()
-
-							m.ID = getMessageNextId(ctx, s)
-							m.Timestamp = time.Now()
-							m.Author = "Scheduled"
-							m.AuthorId = "0"
-							setMessage(ctx, s, m, false)
-							go SendWebhook(context.Background(), s, "create", m)
-							go pushFcmMessage(s, m)
-						}(&msg, slug)
-					} else {
-						newList = append(newList, msg)
-					}
-				}
-
-				ctxSave, cancelSave := context.WithTimeout(context.Background(), 5*time.Second)
-				dbSaveScheduledMessages(ctxSave, slug, &newList)
-				cancelSave()
+	// Get all channels with at least one message due by now
+	slugs, err := rdb.ZRangeByScore(ctx, "scheduled:due_channels", &redis.ZRangeBy{
+		Min: "0",
+		Max: fmt.Sprintf("%f", now),
+	}).Result()
+	if err != nil || len(slugs) == 0 {
+		return
+	}
+
+	for _, slug := range slugs {
+		slug := slug
+		ctxGet, cancelGet := context.WithTimeout(context.Background(), 5*time.Second)
+		list, err := dbGetScheduledMessages(ctxGet, slug)
+		cancelGet()
+		if err != nil {
+			continue
+		}
+
+		nowTime := time.Now()
+		newList := make([]Message, 0)
+		for _, msg := range *list {
+			if msg.Timestamp.Before(nowTime) {
+				go func(m *Message, s string) {
+					postCtx, postCancel := context.WithTimeout(context.Background(), 5*time.Second)
+					defer postCancel()
+					m.ID = getMessageNextId(postCtx, s)
+					m.Timestamp = time.Now()
+					m.Author = "Scheduled"
+					m.AuthorId = "0"
+					setMessage(postCtx, s, m, false)
+					go SendWebhook(context.Background(), s, "create", m)
+					go pushFcmMessage(s, m)
+				}(&msg, slug)
+			} else {
+				newList = append(newList, msg)
 			}
 		}
-	}()
+
+		ctxSave, cancelSave := context.WithTimeout(context.Background(), 5*time.Second)
+		dbSaveScheduledMessages(ctxSave, slug, &newList) // also updates the sorted set
+		cancelSave()
+	}
 }
 
 func getScheduledMessages(w http.ResponseWriter, r *http.Request) {

From ccf083f121edf8d0a874602680a5527a4b5ff06b Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 04:52:16 +0000
Subject: [PATCH 30/60] Implement all scalability and performance
 recommendations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Redis Streams (horizontal scaling):
- Replace pub/sub with Redis Streams for SSE events
  * publishEvent() uses XADD (MaxLen~1000, auto-trim)
  * getEvents() uses XREAD BLOCK with 5s timeout loop
  * Supports Last-Event-ID header: clients reconnect without missing events
  * Multiple backend instances can all serve SSE from the same stream
- Stream key: channel:{slug}:events (consistent naming convention)
- Stream keys added to dbDeleteChannel cleanup list

Redis Universal Client (Cluster/Sentinel support):
- rdb changed from *redis.Client to redis.UniversalClient
- NewUniversalClient: single addr = normal, multiple REDIS_ADDRS = cluster,
  REDIS_MASTER set = Sentinel — zero code changes needed to scale up

Pre-signed R2 URLs (backend off the file-serving path):
- r2PresignURL() generates 1-hour signed URLs via s3.NewPresignClient
- serveFile: public bucket → CDN redirect, private bucket → pre-signed URL,
  only falls back to backend proxy if presigning fails

HTTP ETags for message caching:
- touchLastModified() stores nano-timestamp on every message write/edit/delete
- getMessages returns ETag header; returns 304 Not Modified when client is current
- Eliminates redundant Lua script executions for unchanged channels

Per-user upload rate limiting:
- Rate limiter key is now userEmail:channelSlug instead of just slug
- Prevents one user from exhausting the channel's upload budget
- 30 uploads/min per user per channel (burst 10)

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 backend/db.go        | 46 +++++++++++++++++++----
 backend/files.go     | 11 +++++-
 backend/messages.go  | 88 +++++++++++++++++++++++++++++++-------------
 backend/ratelimit.go | 32 ++++++++++------
 backend/storage.go   | 16 ++++++++
 5 files changed, 145 insertions(+), 48 deletions(-)

diff --git a/backend/db.go b/backend/db.go
index 9011a93..88bb44b 100644
--- a/backend/db.go
+++ b/backend/db.go
@@ -17,7 +17,7 @@ import (
 var redisType = os.Getenv("REDIS_PROTOCOL")
 var redisAddr = os.Getenv("REDIS_ADDR")
 var redisPass = os.Getenv("REDIS_PASSWORD")
-var rdb *redis.Client
+var rdb redis.UniversalClient
 
 type Message struct {
 	ID        int          `json:"id" redis:"id"`
@@ -51,12 +51,16 @@ type PushMessage struct {
 func init() {
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
 	defer cancel()
-	rdb = redis.NewClient(&redis.Options{
-		Network:      redisType,
-		Addr:         redisAddr,
+	// Support single-instance, Redis Sentinel, and Redis Cluster via env vars:
+	//   REDIS_ADDRS   — comma-separated list; multiple = cluster mode
+	//   REDIS_MASTER  — master name for Sentinel
+	addrs := strings.Split(redisAddr, ",")
+	rdb = redis.NewUniversalClient(&redis.UniversalOptions{
+		Addrs:        addrs,
 		Password:     redisPass,
 		DB:           0,
-		PoolSize:     100,             // one per active SSE connection + room for writes
+		MasterName:   os.Getenv("REDIS_MASTER"),
+		PoolSize:     100,
 		MinIdleConns: 10,
 		MaxRetries:   3,
 		DialTimeout:  5 * time.Second,
@@ -72,6 +76,28 @@ func init() {
 	log.Println("Connection to DB successful!")
 }
 
+// publishEvent appends an event to the channel's Redis Stream (replaces pub/sub).
+// Streams allow multiple backend instances to serve SSE without missing events.
+// The stream is capped at ~1000 entries to avoid unbounded growth.
+func publishEvent(ctx context.Context, slug string, data []byte) {
+	rdb.XAdd(ctx, &redis.XAddArgs{
+		Stream: fmt.Sprintf("channel:%s:events", slug),
+		MaxLen: 1000,
+		Approx: true,
+		Values: map[string]interface{}{"data": string(data)},
+	})
+}
+
+// touchLastModified bumps a per-channel nano-timestamp used for HTTP ETags.
+func touchLastModified(ctx context.Context, slug string) {
+	rdb.Set(ctx, fmt.Sprintf("channel:%s:last_modified", slug), time.Now().UnixNano(), 0)
+}
+
+func getLastModified(ctx context.Context, slug string) string {
+	v, _ := rdb.Get(ctx, fmt.Sprintf("channel:%s:last_modified", slug)).Result()
+	return v
+}
+
 func getMessageNextId(ctx context.Context, slug string) int {
 	id, err := rdb.Incr(ctx, fmt.Sprintf("channel:%s:message:next_id", slug)).Result()
 	if err != nil {
@@ -119,7 +145,8 @@ func setMessage(ctx context.Context, slug string, m *Message, isUpdate bool) err
 	}
 
 	pushMessageData, _ := json.Marshal(pushMessage)
-	rdb.Publish(ctx, fmt.Sprintf("events:%s", slug), pushMessageData)
+	publishEvent(ctx, slug, pushMessageData)
+	touchLastModified(ctx, slug)
 
 	return nil
 }
@@ -165,7 +192,7 @@ func setReaction(ctx context.Context, slug string, messageId int, emoji string,
 	}
 
 	pushMessageData, _ := json.Marshal(pushMessage)
-	rdb.Publish(ctx, fmt.Sprintf("events:%s", slug), pushMessageData)
+	publishEvent(ctx, slug, pushMessageData)
 
 	return nil
 }
@@ -363,7 +390,8 @@ func funcDeleteMessage(ctx context.Context, slug string, id string) error {
 		M:    m,
 	}
 	pushMessageData, _ := json.Marshal(pushMessage)
-	rdb.Publish(ctx, fmt.Sprintf("events:%s", slug), pushMessageData)
+	publishEvent(ctx, slug, pushMessageData)
+	touchLastModified(ctx, slug)
 
 	return nil
 }
@@ -931,6 +959,8 @@ func dbDeleteChannel(ctx context.Context, slug string) error {
 		fmt.Sprintf("channel:%s:storage:quota_bytes", p),
 		fmt.Sprintf("channel:%s:storage:auto_cleanup", p),
 		fmt.Sprintf("channel:%s:files", p),
+		fmt.Sprintf("channel:%s:events", p),
+		fmt.Sprintf("channel:%s:last_modified", p),
 	}
 	allKeys := append(fixedKeys, messageKeys...)
 	allKeys = append(allKeys, reactionKeys...)
diff --git a/backend/files.go b/backend/files.go
index 0ec8bcd..2f8d9bf 100644
--- a/backend/files.go
+++ b/backend/files.go
@@ -167,11 +167,18 @@ func serveFile(w http.ResponseWriter, r *http.Request) {
 	if r2Enabled {
 		key := r2ObjectKey(meta.Hash)
 		if r2PublicURL != "" {
-			// Redirect to public R2 URL
+			// Public bucket: redirect to CDN URL (fastest, no auth needed)
 			http.Redirect(w, r, r2PublicURL+"/"+key, http.StatusFound)
 			return
 		}
-		// Proxy through backend
+		// Private bucket: generate a pre-signed URL (1-hour TTL).
+		// The client fetches directly from R2 — backend is not in the data path.
+		presignedURL, err := r2PresignURL(ctx, key, time.Hour)
+		if err == nil {
+			http.Redirect(w, r, presignedURL, http.StatusFound)
+			return
+		}
+		// Fallback: proxy through backend if presigning fails
 		body, contentType, err := r2Download(ctx, key)
 		if err != nil {
 			http.Error(w, "File not found", http.StatusNotFound)
diff --git a/backend/messages.go b/backend/messages.go
index 41b6121..58ed1d4 100644
--- a/backend/messages.go
+++ b/backend/messages.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/go-chi/chi"
+	"github.com/redis/go-redis/v9"
 )
 
 func getMessages(w http.ResponseWriter, r *http.Request) {
@@ -36,6 +37,16 @@ func getMessages(w http.ResponseWriter, r *http.Request) {
 	isAdmin := hasChannelRole(r, slug, RoleWriter)
 	countViews := ch != nil && ch.Features.CountViews
 
+	// ETag: skip expensive query if content hasn't changed since client's copy
+	etag := `"` + getLastModified(ctx, slug) + `"`
+	if etag != `""` {
+		w.Header().Set("ETag", etag)
+		if r.Header.Get("If-None-Match") == etag {
+			w.WriteHeader(http.StatusNotModified)
+			return
+		}
+	}
+
 	messages, err := funcGetMessageRange(ctx, slug, int64(offset), int64(limit), isAdmin, countViews, direction)
 	if err != nil {
 		log.Printf("Failed to get messages: %v\n", err)
@@ -144,6 +155,12 @@ func deleteMessage(w http.ResponseWriter, r *http.Request) {
 	json.NewEncoder(w).Encode(response)
 }
 
+// getEvents serves a Server-Sent Events stream backed by a Redis Stream.
+//
+// Using Redis Streams instead of pub/sub enables:
+//   - Horizontal scaling: multiple backend instances can all serve SSE
+//   - Reconnection: clients send Last-Event-ID to resume without missing events
+//   - Durability: stream retains the last ~1000 events (configurable in publishEvent)
 func getEvents(w http.ResponseWriter, r *http.Request) {
 	flusher, ok := w.(http.Flusher)
 	if !ok {
@@ -152,18 +169,21 @@ func getEvents(w http.ResponseWriter, r *http.Request) {
 	}
 
 	slug := channelSlugFromCtx(r)
+	streamKey := fmt.Sprintf("channel:%s:events", slug)
 
-	clientCtx := r.Context()
-	heartbeat := time.NewTicker(25 * time.Second)
-	defer heartbeat.Stop()
+	// Support SSE reconnection: browser sends Last-Event-ID with the stream entry ID
+	// from the last event it received. On fresh connect, start from "now".
+	lastID := r.Header.Get("Last-Event-ID")
+	if lastID == "" {
+		lastID = "$"
+	}
 
 	w.Header().Set("Content-Type", "text/event-stream")
 	w.Header().Set("Cache-Control", "no-cache")
 	w.Header().Set("Connection", "keep-alive")
 	w.Header().Set("X-Accel-Buffering", "no")
 
-	_, err := fmt.Fprintf(w, "data: {\"type\": \"heartbeat\"}\n\n")
-	if err != nil {
+	if _, err := fmt.Fprintf(w, "data: {\"type\": \"heartbeat\"}\n\n"); err != nil {
 		return
 	}
 	flusher.Flush()
@@ -171,37 +191,53 @@ func getEvents(w http.ResponseWriter, r *http.Request) {
 	go increaseCounterSSE(slug)
 	defer decreaseCounterSSE(slug)
 
-	eventChannel := fmt.Sprintf("events:%s", slug)
-	pubsub := rdb.Subscribe(r.Context(), eventChannel)
-	defer pubsub.Close()
-
-	if _, err := pubsub.Receive(clientCtx); err != nil {
-		http.Error(w, "Failed to subscribe to events", http.StatusInternalServerError)
-		return
-	}
+	clientCtx := r.Context()
+	lastHeartbeat := time.Now()
+	const blockDuration = 5 * time.Second
+	const heartbeatInterval = 25 * time.Second
 
-	ch := pubsub.Channel()
 	for {
-		select {
-		case <-clientCtx.Done():
+		if clientCtx.Err() != nil {
 			return
+		}
 
-		case <-heartbeat.C:
-			_, err := fmt.Fprintf(w, "data: {\"type\": \"heartbeat\"}\n\n")
-			if err != nil {
+		// Send heartbeat if it's been too long
+		if time.Since(lastHeartbeat) >= heartbeatInterval {
+			if _, err := fmt.Fprintf(w, "data: {\"type\": \"heartbeat\"}\n\n"); err != nil {
 				return
 			}
 			flusher.Flush()
+			lastHeartbeat = time.Now()
+		}
 
-		case msg, ok := <-ch:
-			if !ok {
-				return
+		// XREAD blocks until new messages arrive or timeout expires.
+		// A short block duration lets us send periodic heartbeats and check for disconnect.
+		streams, err := rdb.XRead(clientCtx, &redis.XReadArgs{
+			Streams: []string{streamKey, lastID},
+			Count:   50,
+			Block:   blockDuration,
+		}).Result()
+
+		if clientCtx.Err() != nil {
+			return
+		}
+		if err != nil {
+			// redis.Nil = block timeout with no messages; other errors: brief pause then retry
+			if err != redis.Nil {
+				time.Sleep(500 * time.Millisecond)
 			}
-			_, err := fmt.Fprintf(w, "data: %s\n\n", msg.Payload)
-			if err != nil {
-				return
+			continue
+		}
+
+		for _, stream := range streams {
+			for _, msg := range stream.Messages {
+				lastID = msg.ID
+				data, _ := msg.Values["data"].(string)
+				if _, err := fmt.Fprintf(w, "id: %s\ndata: %s\n\n", lastID, data); err != nil {
+					return
+				}
 			}
-			flusher.Flush()
 		}
+		flusher.Flush()
 	}
 }
diff --git a/backend/ratelimit.go b/backend/ratelimit.go
index 248216e..f098c31 100644
--- a/backend/ratelimit.go
+++ b/backend/ratelimit.go
@@ -8,33 +8,41 @@ import (
 	"golang.org/x/time/rate"
 )
 
-// uploadLimiters stores a per-channel rate limiter for file uploads.
-// Each channel allows up to 30 uploads per minute with a burst of 10.
+// uploadLimiters stores per-user-per-channel rate limiters for file uploads.
+// Key: "userEmail:channelSlug" — 30 uploads/min (one every 2s), burst of 10.
 var (
-	uploadLimiters   sync.Map
-	uploadLimiterMu  sync.Mutex
+	uploadLimiters sync.Map
+	uploadLimiterMu sync.Mutex
 )
 
-func getUploadLimiter(slug string) *rate.Limiter {
-	if v, ok := uploadLimiters.Load(slug); ok {
+func getUploadLimiter(key string) *rate.Limiter {
+	if v, ok := uploadLimiters.Load(key); ok {
 		return v.(*rate.Limiter)
 	}
 	uploadLimiterMu.Lock()
 	defer uploadLimiterMu.Unlock()
-	// Double-check after lock
-	if v, ok := uploadLimiters.Load(slug); ok {
+	if v, ok := uploadLimiters.Load(key); ok {
 		return v.(*rate.Limiter)
 	}
-	l := rate.NewLimiter(rate.Every(2*time.Second), 10) // 30/min, burst 10
-	uploadLimiters.Store(slug, l)
+	l := rate.NewLimiter(rate.Every(2*time.Second), 10)
+	uploadLimiters.Store(key, l)
 	return l
 }
 
 func uploadRateLimit(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		slug := channelSlugFromCtx(r)
-		if !getUploadLimiter(slug).Allow() {
-			http.Error(w, "too many uploads — slow down", http.StatusTooManyRequests)
+
+		// Key by user identity so limits are per-user, not per-channel
+		session, _ := store.Get(r, cookieName)
+		user, _ := session.Values["user"].(Session)
+		key := user.Email + ":" + slug
+		if key == ":" {
+			key = slug // unauthenticated fallback (shouldn't happen, upload requires login)
+		}
+
+		if !getUploadLimiter(key).Allow() {
+			http.Error(w, "too many uploads — please slow down", http.StatusTooManyRequests)
 			return
 		}
 		next(w, r)
diff --git a/backend/storage.go b/backend/storage.go
index e16cdd2..29bb9fb 100644
--- a/backend/storage.go
+++ b/backend/storage.go
@@ -5,6 +5,7 @@ import (
 	"io"
 	"log"
 	"os"
+	"time"
 
 	"github.com/aws/aws-sdk-go-v2/aws"
 	"github.com/aws/aws-sdk-go-v2/config"
@@ -75,6 +76,7 @@ func r2Exists(ctx context.Context, key string) bool {
 }
 
 // r2Download downloads an object from R2 and returns its body.
+// Used as a fallback when neither public URL nor pre-signed URL is available.
 func r2Download(ctx context.Context, key string) (io.ReadCloser, *string, error) {
 	result, err := r2Client.GetObject(ctx, &s3.GetObjectInput{
 		Bucket: aws.String(r2Bucket),
@@ -86,6 +88,20 @@ func r2Download(ctx context.Context, key string) (io.ReadCloser, *string, error)
 	return result.Body, result.ContentType, nil
 }
 
+// r2PresignURL generates a short-lived pre-signed URL for a private R2 object.
+// The client fetches the file directly from R2, bypassing the backend entirely.
+func r2PresignURL(ctx context.Context, key string, ttl time.Duration) (string, error) {
+	presignClient := s3.NewPresignClient(r2Client)
+	req, err := presignClient.PresignGetObject(ctx, &s3.GetObjectInput{
+		Bucket: aws.String(r2Bucket),
+		Key:    aws.String(key),
+	}, s3.WithPresignExpires(ttl))
+	if err != nil {
+		return "", err
+	}
+	return req.URL, nil
+}
+
 // r2Delete removes an object from R2.
 func r2Delete(ctx context.Context, key string) error {
 	_, err := r2Client.DeleteObject(ctx, &s3.DeleteObjectInput{

From c238eba4465c89ab437317aec3f4322494550615 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 05:10:00 +0000
Subject: [PATCH 31/60] Fix per-channel URL routing, OAuth returnUrl, and all
 API slug paths

- Add SlugService: central store for the active channel slug
- Add /channel/:slug route; ChannelComponent resolves slug from URL param
  or redirects to /channel/<first-slug> from user's channelRoles
- AuthGuard saves state.url to localStorage before redirecting to /login
- LoginComponent: load userInfo after OAuth callback, restore returnUrl
  on redirect; super_admin goes to /super-admin, others go to /
- Fix all frontend API calls to include /channel/{slug}/:
    chat.service: info, messages, events, emojis, reactions, report
    admin.service: new, edit, delete, upload, users, settings, emojis,
                   reports, scheduled-messages, statistics
    ads.service: ads/settings
    notifications.service: notifications-config, notifications-subscribe
    magnet-ads.service: ads/magnet
- Fix ChannelComponent to guard child render behind slugReady flag
- Fix channel-header: show admin menu via channelRoles instead of old
  privileges field
- Fix chat.component: scheduled messages + delete visibility use
  channelRoles instead of legacy privileges
- Fix magnet-ads.component: stats call uses correct /super-admin route
- AdminService.clearCache() resets schedulingMessages on channel switch

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 frontend/src/app/app.routes.ts                |  5 +++
 .../admin/magnet-ads/magnet-ads.component.ts  |  2 +-
 .../channel-header.component.ts               |  2 +-
 .../components/channel/channel.component.html | 38 ++++++++++---------
 .../components/channel/channel.component.ts   | 33 ++++++++++++++--
 .../components/channel/chat/chat.component.ts |  6 +--
 .../app/components/login/login.component.ts   | 23 +++++++++--
 frontend/src/app/services/admin.service.ts    | 38 +++++++++++--------
 frontend/src/app/services/ads.service.ts      |  6 ++-
 frontend/src/app/services/chat-guard.guard.ts |  1 +
 frontend/src/app/services/chat.service.ts     | 21 +++++-----
 .../src/app/services/magnet-ads.service.ts    |  5 ++-
 .../src/app/services/notifications.service.ts |  6 ++-
 frontend/src/app/services/slug.service.ts     |  6 +++
 14 files changed, 134 insertions(+), 58 deletions(-)
 create mode 100644 frontend/src/app/services/slug.service.ts

diff --git a/frontend/src/app/app.routes.ts b/frontend/src/app/app.routes.ts
index c2e28ab..8c37f1d 100644
--- a/frontend/src/app/app.routes.ts
+++ b/frontend/src/app/app.routes.ts
@@ -12,6 +12,11 @@ export const routes: Routes = [
     component: ChannelComponent,
     canActivate: [AuthGuard],
   },
+  {
+    path: 'channel/:slug',
+    component: ChannelComponent,
+    canActivate: [AuthGuard],
+  },
   {
     path: 'super-admin',
     component: SuperAdminPanelComponent,
diff --git a/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts
index e0de604..07b24b1 100644
--- a/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts
+++ b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts
@@ -165,7 +165,7 @@ export class MagnetAdsComponent implements OnInit {
     this.statsError = '';
 
     try {
-      const res = await fetch('/api/admin/magnet/stats', { credentials: 'include' });
+      const res = await fetch('/api/super-admin/magnet/stats', { credentials: 'include' });
       const text = await res.text();
       let data: any = null;
       try { data = text ? JSON.parse(text) : null; } catch {}
diff --git a/frontend/src/app/components/channel/channel-header/channel-header.component.ts b/frontend/src/app/components/channel/channel-header/channel-header.component.ts
index a9cd620..665286b 100644
--- a/frontend/src/app/components/channel/channel-header/channel-header.component.ts
+++ b/frontend/src/app/components/channel/channel-header/channel-header.component.ts
@@ -36,7 +36,7 @@ export class ChannelHeaderComponent implements OnInit {
   set userInfo(user: User | undefined) {
     this._userInfo = user;
     this.userMenu = [
-      ...((user?.privileges?.['admin'] || user?.privileges?.['moderator']) ? [{
+      ...(user?.channelRoles && Object.keys(user.channelRoles).length > 0 ? [{
         title: 'ניהול ערוץ',
         icon: 'people-outline',
       }] : []),
diff --git a/frontend/src/app/components/channel/channel.component.html b/frontend/src/app/components/channel/channel.component.html
index a6adcf1..7cad061 100644
--- a/frontend/src/app/components/channel/channel.component.html
+++ b/frontend/src/app/components/channel/channel.component.html
@@ -1,21 +1,23 @@
-<nb-layout id="container">
-  <nb-layout-header fixed>
-    <app-channel-header [(userInfo)]="userInfo" style="flex: auto;"></app-channel-header>
-  </nb-layout-header>
+@if (slugReady) {
+  <nb-layout id="container">
+    <nb-layout-header fixed>
+      <app-channel-header [(userInfo)]="userInfo" style="flex: auto;"></app-channel-header>
+    </nb-layout-header>
 
-  <nb-layout-column class="chat-column">
-    <app-chat class=""></app-chat>
-  </nb-layout-column>
-
-  @if (ad) {
-    <nb-layout-column class="ad-column d-none d-lg-flex">
-      <app-advertising [ad]="ad"></app-advertising>
+    <nb-layout-column class="chat-column">
+      <app-chat class=""></app-chat>
     </nb-layout-column>
-  }
 
-  @if (userInfo?.globalRole === 'super_admin' || userInfo?.privileges?.['writer'] || hasAnyRole(userInfo)) {
-    <nb-layout-footer #inputForm id="inputForm" class="fixed-footer">
-      <app-input-form class="w-100" (inputHeightChanged)="onInputHeightChanged()"></app-input-form>
-    </nb-layout-footer>
-  }
-</nb-layout>
+    @if (ad) {
+      <nb-layout-column class="ad-column d-none d-lg-flex">
+        <app-advertising [ad]="ad"></app-advertising>
+      </nb-layout-column>
+    }
+
+    @if (userInfo?.globalRole === 'super_admin' || hasAnyRole(userInfo)) {
+      <nb-layout-footer #inputForm id="inputForm" class="fixed-footer">
+        <app-input-form class="w-100" (inputHeightChanged)="onInputHeightChanged()"></app-input-form>
+      </nb-layout-footer>
+    }
+  </nb-layout>
+}
diff --git a/frontend/src/app/components/channel/channel.component.ts b/frontend/src/app/components/channel/channel.component.ts
index ed4dd14..40ab4b5 100644
--- a/frontend/src/app/components/channel/channel.component.ts
+++ b/frontend/src/app/components/channel/channel.component.ts
@@ -15,6 +15,10 @@ import { AuthService } from "../../services/auth.service";
 import { ChannelHeaderComponent } from "./channel-header/channel-header.component";
 import { ChatComponent } from "./chat/chat.component";
 import { User } from '../../models/user.model';
+import { ActivatedRoute, Router } from '@angular/router';
+import { SlugService } from '../../services/slug.service';
+import { AdminService } from '../../services/admin.service';
+import { ChatService } from '../../services/chat.service';
 
 @Component({
   selector: 'app-channel',
@@ -48,18 +52,41 @@ export class ChannelComponent implements OnInit {
     private adsService: AdsService,
     private _authService: AuthService,
     private renderer: Renderer2,
-    private el: ElementRef
+    private el: ElementRef,
+    private route: ActivatedRoute,
+    private router: Router,
+    private slugService: SlugService,
+    private adminService: AdminService,
+    private chatService: ChatService,
   ) { }
 
   ad: Ad = { src: '', width: 0 };
   userInfo?: User;
+  slugReady = false;
+
+  async ngOnInit(): Promise<void> {
+    let slug = this.route.snapshot.paramMap.get('slug');
+
+    if (!slug) {
+      const user = await this._authService.loadUserInfo();
+      const roles = user?.channelRoles;
+      const firstSlug = roles ? Object.keys(roles)[0] : '';
+      if (firstSlug) {
+        this.router.navigate(['/channel', firstSlug], { replaceUrl: true });
+      }
+      return;
+    }
+
+    this.slugService.slug = slug;
+    this.chatService.channelInfo = undefined;
+    this.adminService.clearCache();
+    this.slugReady = true;
 
-  ngOnInit(): void {
     this.adsService.getAds().then(ad => {
       this.ad = ad;
     });
     this._authService.loadUserInfo().then(res => {
-      this.userInfo = res
+      this.userInfo = res;
     });
   }
 
diff --git a/frontend/src/app/components/channel/chat/chat.component.ts b/frontend/src/app/components/channel/chat/chat.component.ts
index 32f391b..2a28dbb 100644
--- a/frontend/src/app/components/channel/chat/chat.component.ts
+++ b/frontend/src/app/components/channel/chat/chat.component.ts
@@ -145,7 +145,7 @@ export class ChatComponent implements OnInit, OnDestroy {
 
     this._authService.loadUserInfo().then((res) => {
       this.userInfo = res;
-      this.userInfo.privileges?.['writer'] && this.loadScheduledMessages();
+      this.userInfo.channelRoles && Object.keys(this.userInfo.channelRoles).length > 0 && this.loadScheduledMessages();
       this.notificationService.init();
     });
 
@@ -183,13 +183,13 @@ export class ChatComponent implements OnInit, OnDestroy {
             this.messages.unshift(message.message);
             this.thereNewMessages = !(message.message.author === this.userInfo?.username);
             this.setLastReadMessage(message.message.id!.toString());
-            if (this.userInfo?.privileges?.['writer'] && this.scheduledMessages && message.message.author === "Scheduled") {
+            if (this.userInfo?.channelRoles && Object.keys(this.userInfo.channelRoles).length > 0 && this.scheduledMessages && message.message.author === "Scheduled") {
               this.loadScheduledMessages(true);
             }
           });
           break;
         case 'delete-message':
-          if (this.userInfo?.privileges?.['writer']) {
+          if (this.userInfo?.channelRoles && Object.keys(this.userInfo.channelRoles).length > 0) {
             this.zone.run(() => {
               const index = this.messages.findIndex(m => m.id === message.message.id);
               if (index !== -1) {
diff --git a/frontend/src/app/components/login/login.component.ts b/frontend/src/app/components/login/login.component.ts
index 84d6550..d825f77 100644
--- a/frontend/src/app/components/login/login.component.ts
+++ b/frontend/src/app/components/login/login.component.ts
@@ -29,7 +29,7 @@ export class LoginComponent implements OnInit {
     try {
       await this._authService.loadUserInfo();
       if (this._authService.userInfo) {
-        this.router.navigate(['/']);
+        this.redirectAfterLogin();
         return;
       }
     } catch {
@@ -37,8 +37,9 @@ export class LoginComponent implements OnInit {
         if (Object.keys(params).length > 0) {
           if (params['code'] && params['state'] === localStorage.getItem('google_oauth_state')) {
             this.code = params['code'];
-            this._authService.login(this.code).then(() => {
-              this.router.navigate(['/']);
+            this._authService.login(this.code).then(async () => {
+              await this._authService.loadUserInfo();
+              this.redirectAfterLogin();
             }).catch(() => {
               this.code = '';
               this.status = 'failed';
@@ -52,6 +53,22 @@ export class LoginComponent implements OnInit {
     }
   }
 
+  private redirectAfterLogin() {
+    if (this._authService.userInfo?.globalRole === 'super_admin') {
+      this.router.navigate(['/super-admin']);
+      return;
+    }
+
+    const returnUrl = localStorage.getItem('returnUrl');
+    localStorage.removeItem('returnUrl');
+    if (returnUrl && !returnUrl.startsWith('/login')) {
+      this.router.navigateByUrl(returnUrl);
+      return;
+    }
+
+    this.router.navigate(['/']);
+  }
+
   login() {
     this._authService.loginWithGoogle();
   }
diff --git a/frontend/src/app/services/admin.service.ts b/frontend/src/app/services/admin.service.ts
index 34aa77d..4a434ae 100644
--- a/frontend/src/app/services/admin.service.ts
+++ b/frontend/src/app/services/admin.service.ts
@@ -6,6 +6,7 @@ import { ResponseResult } from '../models/response-result.model';
 import { Setting } from '../models/setting.model';
 import { Reports, Report } from '../models/report.model';
 import { Statistics } from '../models/statistics.model';
+import { SlugService } from './slug.service';
 
 export interface PrivilegeUser {
   id?: string;
@@ -35,8 +36,15 @@ export class AdminService {
 
   constructor(
     private http: HttpClient,
+    private slugService: SlugService,
   ) { }
 
+  private get slug() { return this.slugService.slug; }
+
+  clearCache() {
+    this.schedulingMessages = null;
+  }
+
   reloadSchedulingMessage() {
     this.schedulingBus.next();
   }
@@ -50,27 +58,27 @@ export class AdminService {
   }
 
   getStatistics(): Promise<Statistics> {
-    return firstValueFrom(this.http.get<Statistics>('/api/admin/statistics'));
+    return firstValueFrom(this.http.get<Statistics>(`/api/channel/${this.slug}/admin/statistics`));
   }
 
   resetPeakStatistics(): Promise<ResponseResult> {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/admin/statistics/reset', {}));
+    return firstValueFrom(this.http.post<ResponseResult>('/api/super-admin/statistics/reset', {}));
   }
 
   addMessage(message: ChatMessage): Observable<ChatMessage> {
-    return this.http.post<ChatMessage>('/api/admin/new', message);
+    return this.http.post<ChatMessage>(`/api/channel/${this.slug}/admin/new`, message);
   }
 
   editMessage(message: ChatMessage): Observable<ChatMessage> {
-    return this.http.post<ChatMessage>(`/api/admin/edit-message`, message);
+    return this.http.post<ChatMessage>(`/api/channel/${this.slug}/admin/edit-message`, message);
   }
 
   deleteMessage(id: number | undefined): Observable<ChatMessage> {
-    return this.http.get<ChatMessage>(`/api/admin/delete-message/${id}`);
+    return this.http.get<ChatMessage>(`/api/channel/${this.slug}/admin/delete-message/${id}`);
   }
 
   uploadFile(formData: FormData) {
-    return this.http.post<ChatFile>('/api/admin/upload', formData, {
+    return this.http.post<ChatFile>(`/api/channel/${this.slug}/admin/upload`, formData, {
       reportProgress: true,
       observe: 'events',
       responseType: 'json'
@@ -78,27 +86,27 @@ export class AdminService {
   }
 
   getPrivilegeUsersList(): Promise<PrivilegeUser[]> {
-    return firstValueFrom(this.http.get<PrivilegeUser[]>('/api/admin/privilegs-users/get-list'));
+    return firstValueFrom(this.http.get<PrivilegeUser[]>(`/api/channel/${this.slug}/admin/users/get`));
   }
 
   setPrivilegeUsers(privilegeUsers: PrivilegeUser[]): Promise<ResponseResult> {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/admin/privilegs-users/set', { list: privilegeUsers }));
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/users/set`, { list: privilegeUsers }));
   }
 
   setEmojis(emojis: string[] | undefined) {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/admin/set-emojis', { emojis }));
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/set-emojis`, { emojis }));
   }
 
   getSettings(): Promise<Setting[]> {
-    return firstValueFrom(this.http.get<Setting[]>('/api/admin/settings/get'));
+    return firstValueFrom(this.http.get<Setting[]>(`/api/channel/${this.slug}/admin/settings/get`));
   }
 
   setSettings(settings: Setting[]): Promise<ResponseResult> {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/admin/settings/set', settings));
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/settings/set`, settings));
   }
 
   getReports(status: string): Promise<Reports> {
-    return firstValueFrom(this.http.get<Reports>('/api/admin/reports/get', {
+    return firstValueFrom(this.http.get<Reports>(`/api/channel/${this.slug}/admin/reports/get`, {
       params: {
         status: status
       }
@@ -106,7 +114,7 @@ export class AdminService {
   }
 
   setReports(report: Report): Promise<ResponseResult> {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/admin/reports/set', report));
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/reports/set`, report));
   }
 
   async getScheduledMessages(reload?: boolean): Promise<ChatMessage[]> {
@@ -115,7 +123,7 @@ export class AdminService {
     }
 
     try {
-      this.schedulingMessages = await firstValueFrom(this.http.get<ChatMessage[]>('/api/admin/scheduled-messages/get'));
+      this.schedulingMessages = await firstValueFrom(this.http.get<ChatMessage[]>(`/api/channel/${this.slug}/admin/scheduled-messages/get`));
       return this.schedulingMessages;
     } catch {
       return this.schedulingMessages || [];
@@ -140,6 +148,6 @@ export class AdminService {
   }
 
   private updateSchedulingMessages(): Promise<ResponseResult> {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/admin/scheduled-messages/update', this.schedulingMessages));
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/scheduled-messages/update`, this.schedulingMessages));
   }
 }
diff --git a/frontend/src/app/services/ads.service.ts b/frontend/src/app/services/ads.service.ts
index eb465ad..874b653 100644
--- a/frontend/src/app/services/ads.service.ts
+++ b/frontend/src/app/services/ads.service.ts
@@ -1,6 +1,7 @@
 import { HttpClient } from '@angular/common/http';
 import { Injectable } from '@angular/core';
 import { firstValueFrom } from 'rxjs';
+import { SlugService } from './slug.service';
 
 export interface Ad {
   src: string;
@@ -13,10 +14,11 @@ export interface Ad {
 export class AdsService {
 
   constructor(
-    private http: HttpClient
+    private http: HttpClient,
+    private slugService: SlugService,
   ) { }
 
   async getAds(): Promise<Ad> {
-    return firstValueFrom(this.http.get<Ad>('/api/ads/settings'))
+    return firstValueFrom(this.http.get<Ad>(`/api/channel/${this.slugService.slug}/ads/settings`));
   }
 }
diff --git a/frontend/src/app/services/chat-guard.guard.ts b/frontend/src/app/services/chat-guard.guard.ts
index 8ebe0b6..45a9772 100644
--- a/frontend/src/app/services/chat-guard.guard.ts
+++ b/frontend/src/app/services/chat-guard.guard.ts
@@ -11,6 +11,7 @@ export const AuthGuard: CanActivateFn = async (route, state) => {
     if (userInfo) return true;
   } catch (err: any) {
     if (err.status === 401) {
+      localStorage.setItem('returnUrl', state.url);
       router.navigate(['/login']);
       return false;
     }
diff --git a/frontend/src/app/services/chat.service.ts b/frontend/src/app/services/chat.service.ts
index 74324e0..a114175 100644
--- a/frontend/src/app/services/chat.service.ts
+++ b/frontend/src/app/services/chat.service.ts
@@ -3,6 +3,7 @@ import { HttpClient } from '@angular/common/http';
 import { firstValueFrom, Observable } from 'rxjs';
 import { Channel } from '../models/channel.model';
 import { ResponseResult } from '../models/response-result.model';
+import { SlugService } from './slug.service';
 
 export type MessageType = 'md' | 'text' | 'image' | 'video' | 'audio' | 'document' | 'other';
 export type Reactions = { [key: string]: number }
@@ -45,19 +46,21 @@ export class ChatService {
   private emojis: string[] = [];
   public channelInfo?: Channel;
 
-  constructor(private http: HttpClient) { }
+  constructor(private http: HttpClient, private slugService: SlugService) { }
+
+  private get slug() { return this.slugService.slug; }
 
   async updateChannelInfo() {
-    this.channelInfo = await firstValueFrom(this.http.get<Channel>('/api/channel/info'));
+    this.channelInfo = await firstValueFrom(this.http.get<Channel>(`/api/channel/${this.slug}/info`));
     return;
   }
 
   editChannelInfo(name: string, description: string, logoUrl: string): Observable<ResponseResult> {
-    return this.http.post<ResponseResult>('/api/admin/edit-channel-info', { name, description, logoUrl });
+    return this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/edit-channel-info`, { name, description, logoUrl });
   }
 
   getMessages(offset: number, limit: number, direction: string): Observable<ChatResponse> {
-    return this.http.get<ChatResponse>('/api/messages', {
+    return this.http.get<ChatResponse>(`/api/channel/${this.slug}/messages`, {
       params: {
         offset: offset.toString(),
         limit: limit.toString(),
@@ -67,17 +70,17 @@ export class ChatService {
   }
 
   setReact(messageId: number, react: string) {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/reactions/set-reactions', { messageId, emoji: react }));
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/reactions/set-reactions`, { messageId, emoji: react }));
   }
 
   async getEmojisList(reload: boolean = false): Promise<string[]> {
-    if (this.emojis && !reload) return Promise.resolve(this.emojis); // הסרתי את בדיקת האורך, משום שזה יוצר קריאות מיותרות לשרת כאשר לא מוגדר אימוגים
-    this.emojis = await firstValueFrom(this.http.get<string[]>('/api/emojis/list'));
+    if (this.emojis && !reload) return Promise.resolve(this.emojis);
+    this.emojis = await firstValueFrom(this.http.get<string[]>(`/api/channel/${this.slug}/emojis/list`));
     return this.emojis;
   }
 
   reportMessage(messageId: number, reason: string): Promise<ResponseResult> {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/messages/report', { messageId, reason }));
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/messages/report`, { messageId, reason }));
   }
 
   sseListener(): EventSource {
@@ -85,7 +88,7 @@ export class ChatService {
       this.eventSource.close();
     }
 
-    this.eventSource = new EventSource('/api/events');
+    this.eventSource = new EventSource(`/api/channel/${this.slug}/events`);
 
     this.eventSource.onopen = () => {
       console.log('Connection opened');
diff --git a/frontend/src/app/services/magnet-ads.service.ts b/frontend/src/app/services/magnet-ads.service.ts
index 8fabdc2..34d7a2a 100644
--- a/frontend/src/app/services/magnet-ads.service.ts
+++ b/frontend/src/app/services/magnet-ads.service.ts
@@ -1,5 +1,6 @@
 import { Injectable } from '@angular/core';
 import { ChatMessage } from './chat.service';
+import { SlugService } from './slug.service';
 
 export interface MagnetSettings {
   enabled: boolean;
@@ -16,11 +17,13 @@ export class MagnetAdsService {
   private settings: MagnetSettings | null = null;
   private settingsPromise: Promise<MagnetSettings | null> | null = null;
 
+  constructor(private slugService: SlugService) {}
+
   loadSettings(force = false): Promise<MagnetSettings | null> {
     if (this.settings && !force) return Promise.resolve(this.settings);
     if (this.settingsPromise && !force) return this.settingsPromise;
 
-    this.settingsPromise = fetch('/api/ads/magnet')
+    this.settingsPromise = fetch(`/api/channel/${this.slugService.slug}/ads/magnet`)
       .then(r => r.ok ? r.json() : null)
       .then((data: MagnetSettings | null) => {
         this.settings = data;
diff --git a/frontend/src/app/services/notifications.service.ts b/frontend/src/app/services/notifications.service.ts
index ab84817..d34c967 100644
--- a/frontend/src/app/services/notifications.service.ts
+++ b/frontend/src/app/services/notifications.service.ts
@@ -4,6 +4,7 @@ import { NbToastrService } from '@nebular/theme';
 import { firstValueFrom } from 'rxjs';
 import { FirebaseApp, FirebaseOptions, initializeApp } from 'firebase/app';
 import { getMessaging, onMessage, getToken } from 'firebase/messaging';
+import { SlugService } from './slug.service';
 
 
 interface NotificationsConfig {
@@ -24,12 +25,13 @@ export class NotificationsService {
   constructor(
     private http: HttpClient,
     private tostrService: NbToastrService,
+    private slugService: SlugService,
   ) { }
 
   async init() {
     if (this.initialized) return;
 
-    await firstValueFrom(this.http.get<NotificationsConfig>('/api/channel/notifications-config'))
+    await firstValueFrom(this.http.get<NotificationsConfig>(`/api/channel/${this.slugService.slug}/notifications-config`))
       .then((config) => {
         this.config = config;
       });
@@ -91,7 +93,7 @@ export class NotificationsService {
 
   async subscribeNotifications(token: string): Promise<boolean> {
     if (!token) return false;
-    return firstValueFrom(this.http.post<boolean>('/api/channel/notifications-subscribe', { token }))
+    return firstValueFrom(this.http.post<boolean>(`/api/channel/${this.slugService.slug}/notifications-subscribe`, { token }))
   }
 
 }
\ No newline at end of file
diff --git a/frontend/src/app/services/slug.service.ts b/frontend/src/app/services/slug.service.ts
new file mode 100644
index 0000000..485f675
--- /dev/null
+++ b/frontend/src/app/services/slug.service.ts
@@ -0,0 +1,6 @@
+import { Injectable } from '@angular/core';
+
+@Injectable({ providedIn: 'root' })
+export class SlugService {
+  slug = '';
+}

From e3202af1cb644f489ab4e3e996bafb2d0441e711 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 05:23:06 +0000
Subject: [PATCH 32/60] Fix three logic bugs found in flow review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. Channel param subscription: replace snapshot with paramMap.subscribe so
   navigating /channel/foo → /channel/bar re-initializes the component
   without destroying it (Angular reuses the instance for same-route nav).
   Also implement OnDestroy to unsubscribe and avoid memory leaks.

2. No-channel state: when the user has no channelRoles the component now
   sets noChannel=true and renders a Hebrew error message instead of a
   blank screen.

3. Login checkUserInfo timing: remove the try/finally pattern that reset
   checkUserInfo synchronously before the async login().then() chain
   completed. Now the flag is managed explicitly at each code path so the
   loading indicator reflects actual in-flight state.

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../components/channel/channel.component.html |  6 +++
 .../components/channel/channel.component.ts   | 27 ++++++++++++--
 .../app/components/login/login.component.ts   | 37 ++++++++++---------
 3 files changed, 49 insertions(+), 21 deletions(-)

diff --git a/frontend/src/app/components/channel/channel.component.html b/frontend/src/app/components/channel/channel.component.html
index 7cad061..033251b 100644
--- a/frontend/src/app/components/channel/channel.component.html
+++ b/frontend/src/app/components/channel/channel.component.html
@@ -1,3 +1,9 @@
+@if (noChannel) {
+  <div style="display:flex;align-items:center;justify-content:center;height:100vh;font-size:1.2rem;color:#888;">
+    אין ערוץ מוגדר עבור חשבון זה. פנה למנהל המערכת.
+  </div>
+}
+
 @if (slugReady) {
   <nb-layout id="container">
     <nb-layout-header fixed>
diff --git a/frontend/src/app/components/channel/channel.component.ts b/frontend/src/app/components/channel/channel.component.ts
index 40ab4b5..b859c52 100644
--- a/frontend/src/app/components/channel/channel.component.ts
+++ b/frontend/src/app/components/channel/channel.component.ts
@@ -1,4 +1,4 @@
-import { Component, ElementRef, OnInit, Renderer2, RendererStyleFlags2, ViewChild } from '@angular/core';
+import { Component, ElementRef, OnDestroy, OnInit, Renderer2, RendererStyleFlags2, ViewChild } from '@angular/core';
 import { AdvertisingComponent } from "./advertising/advertising.component";
 
 import { Ad, AdsService } from '../../services/ads.service';
@@ -19,6 +19,7 @@ import { ActivatedRoute, Router } from '@angular/router';
 import { SlugService } from '../../services/slug.service';
 import { AdminService } from '../../services/admin.service';
 import { ChatService } from '../../services/chat.service';
+import { Subscription } from 'rxjs';
 
 @Component({
   selector: 'app-channel',
@@ -37,7 +38,7 @@ import { ChatService } from '../../services/chat.service';
   templateUrl: './channel.component.html',
   styleUrl: './channel.component.scss'
 })
-export class ChannelComponent implements OnInit {
+export class ChannelComponent implements OnInit, OnDestroy {
 
   @ViewChild('inputForm', { static: false })
   set inputForm(element: ElementRef) {
@@ -63,9 +64,25 @@ export class ChannelComponent implements OnInit {
   ad: Ad = { src: '', width: 0 };
   userInfo?: User;
   slugReady = false;
+  noChannel = false;
+  private paramSub?: Subscription;
 
-  async ngOnInit(): Promise<void> {
-    let slug = this.route.snapshot.paramMap.get('slug');
+  ngOnInit(): void {
+    // Subscribe to paramMap so navigation between /channel/foo → /channel/bar
+    // triggers a full re-initialization without needing to destroy the component.
+    this.paramSub = this.route.paramMap.subscribe(params => {
+      const slug = params.get('slug');
+      this.initChannel(slug);
+    });
+  }
+
+  ngOnDestroy(): void {
+    this.paramSub?.unsubscribe();
+  }
+
+  private async initChannel(slug: string | null): Promise<void> {
+    this.slugReady = false;
+    this.noChannel = false;
 
     if (!slug) {
       const user = await this._authService.loadUserInfo();
@@ -73,6 +90,8 @@ export class ChannelComponent implements OnInit {
       const firstSlug = roles ? Object.keys(roles)[0] : '';
       if (firstSlug) {
         this.router.navigate(['/channel', firstSlug], { replaceUrl: true });
+      } else {
+        this.noChannel = true;
       }
       return;
     }
diff --git a/frontend/src/app/components/login/login.component.ts b/frontend/src/app/components/login/login.component.ts
index d825f77..08ec0c0 100644
--- a/frontend/src/app/components/login/login.component.ts
+++ b/frontend/src/app/components/login/login.component.ts
@@ -29,28 +29,31 @@ export class LoginComponent implements OnInit {
     try {
       await this._authService.loadUserInfo();
       if (this._authService.userInfo) {
+        this.checkUserInfo = false;
         this.redirectAfterLogin();
         return;
       }
     } catch {
-      this._route.queryParams.subscribe(params => {
-        if (Object.keys(params).length > 0) {
-          if (params['code'] && params['state'] === localStorage.getItem('google_oauth_state')) {
-            this.code = params['code'];
-            this._authService.login(this.code).then(async () => {
-              await this._authService.loadUserInfo();
-              this.redirectAfterLogin();
-            }).catch(() => {
-              this.code = '';
-              this.status = 'failed';
-              alert('התחברות נכשלה, נסה שוב');
-            });
-          }
-        }
-      });
-    } finally {
-      this.checkUserInfo = false;
+      // Not logged in — check for OAuth callback params
     }
+
+    this.checkUserInfo = false;
+
+    this._route.queryParams.subscribe(params => {
+      if (params['code'] && params['state'] === localStorage.getItem('google_oauth_state')) {
+        this.code = params['code'];
+        this.checkUserInfo = true;
+        this._authService.login(this.code).then(async () => {
+          await this._authService.loadUserInfo();
+          this.redirectAfterLogin();
+        }).catch(() => {
+          this.code = '';
+          this.status = 'failed';
+          this.checkUserInfo = false;
+          alert('התחברות נכשלה, נסה שוב');
+        });
+      }
+    });
   }
 
   private redirectAfterLogin() {

From fae823e3c7a4872e23b6d0a5c393788bd6af8edb Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 06:31:13 +0000
Subject: [PATCH 33/60] Fix offline handling: banner, reconnect, missed-message
 sync
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problems fixed:
1. No user feedback on disconnect — added a sticky orange Hebrew banner
   "אין חיבור לאינטרנט" that appears immediately on window:offline and
   disappears on window:online.

2. keepAlive forced-reconnect lost messages — the old code created a new
   EventSource (no Last-Event-ID) after 60 s; missed messages were gone.
   Now: (a) threshold reduced 60 s → 35 s (backend heartbeat is 25 s so
   one missed beat triggers reconnect), (b) loadMissedMessages() is called
   after every forced reconnect to HTTP-fetch messages newer than maxId.

3. SSE onopen now detects reconnect (sseEverConnected flag) and calls
   loadMissedMessages() so the browser's natural auto-reconnect also
   syncs the gap, not just the keepAlive path.

4. window:online listener: hides banner, shows success toast "החיבור חודש",
   re-initialises SSE, and calls loadMissedMessages().

5. window:offline listener: shows the banner immediately without waiting
   for the 35 s heartbeat timeout.

6. onerror handler cleaned up — browser handles SSE retry automatically
   with Last-Event-ID; logging the raw error was the only previous action.

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../channel/chat/chat.component.html          |  7 +++
 .../channel/chat/chat.component.scss          | 16 +++++
 .../components/channel/chat/chat.component.ts | 60 +++++++++++++++++--
 3 files changed, 79 insertions(+), 4 deletions(-)

diff --git a/frontend/src/app/components/channel/chat/chat.component.html b/frontend/src/app/components/channel/chat/chat.component.html
index 4024d1c..8d3febf 100644
--- a/frontend/src/app/components/channel/chat/chat.component.html
+++ b/frontend/src/app/components/channel/chat/chat.component.html
@@ -1,3 +1,10 @@
+@if (isOffline) {
+  <div class="offline-banner">
+    <nb-icon icon="wifi-off-outline"></nb-icon>
+    אין חיבור לאינטרנט — ההודעות יתעדכנו אוטומטית עם חזרת החיבור
+  </div>
+}
+
 <div nbInfiniteList (scroll)="onListScroll()" [threshold]="300" [throttleTime]="1000" (topThreshold)="loadMessages()"
   (bottomThreshold)="loadMessages({ scrollDown: true })" [listenWindowScroll]="true">
   <nb-list class="flex-column-reverse" [class.hide-scheduled-messages]="hideScheduledMessages">
diff --git a/frontend/src/app/components/channel/chat/chat.component.scss b/frontend/src/app/components/channel/chat/chat.component.scss
index 0fb83bb..4a36ae1 100644
--- a/frontend/src/app/components/channel/chat/chat.component.scss
+++ b/frontend/src/app/components/channel/chat/chat.component.scss
@@ -1,3 +1,19 @@
+.offline-banner {
+  position: sticky;
+  top: 0;
+  z-index: 1100;
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  justify-content: center;
+  padding: 8px 16px;
+  background: #ff9f43;
+  color: #fff;
+  font-size: 0.9rem;
+  font-weight: 500;
+  text-align: center;
+}
+
 nb-list-item {
   border-bottom: 0 !important;
   padding: 0 !important;
diff --git a/frontend/src/app/components/channel/chat/chat.component.ts b/frontend/src/app/components/channel/chat/chat.component.ts
index 2a28dbb..845eb0b 100644
--- a/frontend/src/app/components/channel/chat/chat.component.ts
+++ b/frontend/src/app/components/channel/chat/chat.component.ts
@@ -55,12 +55,14 @@ type ScrollOpt = {
 })
 export class ChatComponent implements OnInit, OnDestroy {
   private eventSource!: EventSource;
+  private sseEverConnected = false;
   messages: ChatMessage[] = [];
   adSlotsAfter: Set<number> = new Set();
   scheduledMessages!: ChatMessage[];
   hideScheduledMessages: boolean = false;
   userInfo?: User;
   isLoading: boolean = false;
+  isOffline: boolean = false;
   offset: number = 0;
   limit: number = 20;
   hasOldMessages: boolean = true;
@@ -87,6 +89,21 @@ export class ChatComponent implements OnInit, OnDestroy {
     });
   }
 
+  @HostListener('window:online')
+  onOnline() {
+    this.zone.run(() => {
+      this.isOffline = false;
+      this.toastrService.success('החיבור חודש', '', { duration: 3000 });
+      this.initializeMessageListener();
+      this.loadMissedMessages();
+    });
+  }
+
+  @HostListener('window:offline')
+  onOffline() {
+    this.zone.run(() => { this.isOffline = true; });
+  }
+
   @HostListener('window:scroll', [])
   onWindowScroll() {
     this.onListScroll();
@@ -169,10 +186,25 @@ export class ChatComponent implements OnInit, OnDestroy {
     localStorage.setItem('lastReadMessage', id);
   }
 
-  private async initializeMessageListener() {
+  private initializeMessageListener() {
     this.eventSource = this.chatService.sseListener();
-    this.eventSource.onmessage = (event) => {
 
+    this.eventSource.onopen = () => {
+      if (this.sseEverConnected) {
+        // Reconnect after a drop — fetch messages that arrived during the gap
+        this.zone.run(() => { this.isOffline = false; });
+        this.loadMissedMessages();
+      }
+      this.sseEverConnected = true;
+      this.lastHeartbeat = Date.now();
+    };
+
+    this.eventSource.onerror = () => {
+      // Browser will auto-retry with Last-Event-ID; we just track offline state
+      // via window:online/offline and the keepAlive heartbeat.
+    };
+
+    this.eventSource.onmessage = (event) => {
       this.lastHeartbeat = Date.now();
 
       const message = JSON.parse(event.data);
@@ -243,15 +275,35 @@ export class ChatComponent implements OnInit, OnDestroy {
 
   async keepAliveSSE() {
     clearInterval(this.subLastHeartbeat);
+    // Backend sends heartbeat every 25s; if 35s pass without one the SSE is dead.
     this.subLastHeartbeat = interval(10000)
       .subscribe(() => {
-        if (Date.now() - this.lastHeartbeat > 60000) {
+        if (Date.now() - this.lastHeartbeat > 35000) {
           this.lastHeartbeat = Date.now();
           this.initializeMessageListener();
-        };
+          this.loadMissedMessages();
+        }
       });
   }
 
+  private async loadMissedMessages() {
+    if (!this.messages.length) return;
+    const maxId = Math.max(...this.messages.map(m => m.id!));
+    try {
+      const missed = await firstValueFrom(this.chatService.getMessages(maxId, this.limit, 'asc'));
+      if (missed?.length) {
+        this.zone.run(() => {
+          this.messages.unshift(...missed.reverse());
+          this.hasNewMessages = missed.length >= this.limit;
+          this.thereNewMessages = true;
+          this.rebuildItems();
+        });
+      }
+    } catch {
+      // Best-effort; will retry on the next reconnect
+    }
+  }
+
   onListScroll() {
     const distanceFromBottom = document.documentElement.scrollHeight - window.innerHeight - window.scrollY;
     this.showScrollToBottom = distanceFromBottom > 100;

From 94987641c6f557fb4f7cef9cc0b12cc73794e4c5 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 06:40:30 +0000
Subject: [PATCH 34/60] Fix scroll jumps and message duplicates on reconnect

Problems fixed:

1. Initial-load flash-then-jump: the list was visible during the 200ms
   between first render (showing newest messages) and scrollToId (jumping
   to last-unread). Fixed with isVisible / .chat-hidden: content stays
   invisible until scroll position is resolved, then appears already in
   the right place. setLastReadMessage is now called AFTER the jump so a
   page refresh still brings the user back to the unread position.

2. Duplicate messages after reconnect: loadMissedMessages (HTTP) and the
   browser SSE auto-reconnect (Last-Event-ID) could both deliver the same
   messages. Fixed with an existing-ID Set filter in loadMissedMessages and
   a same-ID guard in the SSE new-message case.

3. Scroll anchor in loadMissedMessages: adding many messages at the visual
   bottom could shift the viewport. Fixed by capturing the topmost visible
   element's bounding rect before the unshift and calling window.scrollBy
   to compensate the delta.

4. thereNewMessages badge shown unnecessarily: if the user was already at
   the bottom when missed messages arrived the badge now stays hidden and
   the view scrolls down automatically instead.

5. SSE new-message thereNewMessages: only shows badge when user is not at
   bottom (consistent with loadMissedMessages behaviour).

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../channel/chat/chat.component.html          |  3 +-
 .../channel/chat/chat.component.scss          |  6 ++
 .../components/channel/chat/chat.component.ts | 79 +++++++++++++++----
 3 files changed, 73 insertions(+), 15 deletions(-)

diff --git a/frontend/src/app/components/channel/chat/chat.component.html b/frontend/src/app/components/channel/chat/chat.component.html
index 8d3febf..8e78ae4 100644
--- a/frontend/src/app/components/channel/chat/chat.component.html
+++ b/frontend/src/app/components/channel/chat/chat.component.html
@@ -6,7 +6,8 @@
 }
 
 <div nbInfiniteList (scroll)="onListScroll()" [threshold]="300" [throttleTime]="1000" (topThreshold)="loadMessages()"
-  (bottomThreshold)="loadMessages({ scrollDown: true })" [listenWindowScroll]="true">
+  (bottomThreshold)="loadMessages({ scrollDown: true })" [listenWindowScroll]="true"
+  [class.chat-hidden]="!isVisible">
   <nb-list class="flex-column-reverse" [class.hide-scheduled-messages]="hideScheduledMessages">
 
     @for (msg of scheduledMessages; track $index) {
diff --git a/frontend/src/app/components/channel/chat/chat.component.scss b/frontend/src/app/components/channel/chat/chat.component.scss
index 4a36ae1..5a7d3f4 100644
--- a/frontend/src/app/components/channel/chat/chat.component.scss
+++ b/frontend/src/app/components/channel/chat/chat.component.scss
@@ -1,3 +1,9 @@
+// Hidden until the initial scroll-to-last-read is resolved so there is no
+// visible "flash at bottom then jump" on first load.
+.chat-hidden {
+  visibility: hidden;
+}
+
 .offline-banner {
   position: sticky;
   top: 0;
diff --git a/frontend/src/app/components/channel/chat/chat.component.ts b/frontend/src/app/components/channel/chat/chat.component.ts
index 845eb0b..9f4e9b4 100644
--- a/frontend/src/app/components/channel/chat/chat.component.ts
+++ b/frontend/src/app/components/channel/chat/chat.component.ts
@@ -63,6 +63,7 @@ export class ChatComponent implements OnInit, OnDestroy {
   userInfo?: User;
   isLoading: boolean = false;
   isOffline: boolean = false;
+  isVisible: boolean = false;   // hidden until initial scroll is resolved
   offset: number = 0;
   limit: number = 20;
   hasOldMessages: boolean = true;
@@ -168,17 +169,26 @@ export class ChatComponent implements OnInit, OnDestroy {
 
     this.loadMessages().then(() => {
       const lastReadMsg = Number(localStorage.getItem('lastReadMessage'));
-      const lastMsgId = this.messages[0].id!;
+      const lastMsgId = this.messages[0]?.id;
+      if (!lastMsgId) { this.isVisible = true; return; }
+
       if (lastReadMsg && lastReadMsg < lastMsgId) {
+        // Set the indicator BEFORE revealing the list so the line renders
+        // at the right position on first paint — no visible jump.
+        this.lastReadMessageId = lastReadMsg;
+        this.scrollToId({ messageId: lastReadMsg, smooth: false, mark: false });
+        // Wait one frame for scrollToId to finish (it may need to load more messages),
+        // then reveal. setLastReadMessage only after the user has actually seen the
+        // position — so a refresh still brings them back.
         setTimeout(() => {
-          this.scrollToId({ messageId: lastReadMsg, smooth: false, mark: false });
-          this.lastReadMessageId = lastReadMsg;
-        }, 200);
+          this.isVisible = true;
+          this.setLastReadMessage(lastMsgId.toString());
+        }, 350);
       } else {
         this.scrollToBottom(false);
+        this.isVisible = true;
+        this.setLastReadMessage(lastMsgId.toString());
       }
-
-      this.setLastReadMessage(lastMsgId.toString());
     });
   }
 
@@ -211,9 +221,10 @@ export class ChatComponent implements OnInit, OnDestroy {
       switch (message.type) {
         case 'new-message':
           if (this.hasNewMessages) break;
+          if (this.messages.some(m => m.id === message.message.id)) break; // dedup after reconnect
           this.zone.run(() => {
             this.messages.unshift(message.message);
-            this.thereNewMessages = !(message.message.author === this.userInfo?.username);
+            this.thereNewMessages = !this.isAtBottom() && !(message.message.author === this.userInfo?.username);
             this.setLastReadMessage(message.message.id!.toString());
             if (this.userInfo?.channelRoles && Object.keys(this.userInfo.channelRoles).length > 0 && this.scheduledMessages && message.message.author === "Scheduled") {
               this.loadScheduledMessages(true);
@@ -291,19 +302,59 @@ export class ChatComponent implements OnInit, OnDestroy {
     const maxId = Math.max(...this.messages.map(m => m.id!));
     try {
       const missed = await firstValueFrom(this.chatService.getMessages(maxId, this.limit, 'asc'));
-      if (missed?.length) {
-        this.zone.run(() => {
-          this.messages.unshift(...missed.reverse());
-          this.hasNewMessages = missed.length >= this.limit;
+      if (!missed?.length) return;
+
+      this.zone.run(() => {
+        // Deduplicate: SSE may have already delivered some of these via Last-Event-ID.
+        const existing = new Set(this.messages.map(m => m.id));
+        const fresh = missed.filter(m => !existing.has(m.id));
+        if (!fresh.length) return;
+
+        // Anchor the current scroll position so adding messages at the
+        // visual bottom (newest) does not shift the viewport.
+        const anchorEl = this.getScrollAnchorElement();
+        const anchorTop = anchorEl?.getBoundingClientRect().top ?? 0;
+
+        // fresh is in ascending order; reverse to prepend newest-first
+        this.messages.unshift(...[...fresh].reverse());
+        this.hasNewMessages = missed.length >= this.limit;
+        this.rebuildItems();
+
+        // Restore position relative to anchor so the user's view doesn't jump.
+        if (anchorEl) {
+          const delta = anchorEl.getBoundingClientRect().top - anchorTop;
+          window.scrollBy({ top: delta, behavior: 'instant' });
+        }
+
+        // Only flag badge if user is not already at the bottom.
+        if (this.isAtBottom()) {
+          this.thereNewMessages = false;
+          this.scrollToBottom(false);
+        } else {
           this.thereNewMessages = true;
-          this.rebuildItems();
-        });
-      }
+        }
+      });
     } catch {
       // Best-effort; will retry on the next reconnect
     }
   }
 
+  private isAtBottom(): boolean {
+    const distanceFromBottom =
+      document.documentElement.scrollHeight - window.innerHeight - window.scrollY;
+    return distanceFromBottom < 80;
+  }
+
+  private getScrollAnchorElement(): Element | null {
+    // Pick the topmost fully-visible message as the scroll anchor.
+    const items = document.querySelectorAll('nb-list-item');
+    for (const el of Array.from(items)) {
+      const rect = el.getBoundingClientRect();
+      if (rect.top >= 0 && rect.bottom <= window.innerHeight) return el;
+    }
+    return null;
+  }
+
   onListScroll() {
     const distanceFromBottom = document.documentElement.scrollHeight - window.innerHeight - window.scrollY;
     this.showScrollToBottom = distanceFromBottom > 100;

From 66006b84de433c4818740565ca0e48ac8ed2077e Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 06:59:54 +0000
Subject: [PATCH 35/60] Fix three regressions: channel switch stale state,
 empty-messages crash, scroll anchor jump

- channel.component.ts: add await Promise.resolve() between slugReady=false and
  slugReady=true so Angular CD actually destroys ChatComponent on channel switch;
  without it the same-tick toggle is collapsed and child state (isVisible, messages,
  lastReadMessageId) persists across slugs
- chat.component.ts: guard Math.max() with messages.length check to avoid -Infinity
  startId when loadMessages() is called with an empty array
- chat.component.ts: remove manual scroll-anchor/delta compensation in
  loadMissedMessages(); the browser's overflow-anchor CSS handles viewport
  preservation automatically for flex-column-reverse, and the manual scrollBy
  could cause visible jumps

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../components/channel/channel.component.ts   |  5 +++++
 .../components/channel/chat/chat.component.ts | 21 +++++++------------
 2 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/frontend/src/app/components/channel/channel.component.ts b/frontend/src/app/components/channel/channel.component.ts
index b859c52..d8198a0 100644
--- a/frontend/src/app/components/channel/channel.component.ts
+++ b/frontend/src/app/components/channel/channel.component.ts
@@ -83,6 +83,11 @@ export class ChannelComponent implements OnInit, OnDestroy {
   private async initChannel(slug: string | null): Promise<void> {
     this.slugReady = false;
     this.noChannel = false;
+    // Yield to Angular's change detection so the @if (slugReady) block
+    // actually destroys ChatComponent before we reinitialise with the new slug.
+    // Without this, false→true in the same synchronous frame is collapsed and
+    // the child is never torn down, leaving stale state (isVisible, messages, etc).
+    await Promise.resolve();
 
     if (!slug) {
       const user = await this._authService.loadUserInfo();
diff --git a/frontend/src/app/components/channel/chat/chat.component.ts b/frontend/src/app/components/channel/chat/chat.component.ts
index 9f4e9b4..2220403 100644
--- a/frontend/src/app/components/channel/chat/chat.component.ts
+++ b/frontend/src/app/components/channel/chat/chat.component.ts
@@ -310,23 +310,16 @@ export class ChatComponent implements OnInit, OnDestroy {
         const fresh = missed.filter(m => !existing.has(m.id));
         if (!fresh.length) return;
 
-        // Anchor the current scroll position so adding messages at the
-        // visual bottom (newest) does not shift the viewport.
-        const anchorEl = this.getScrollAnchorElement();
-        const anchorTop = anchorEl?.getBoundingClientRect().top ?? 0;
-
-        // fresh is in ascending order; reverse to prepend newest-first
+        // fresh is in ascending order; reverse so newest is at index 0
         this.messages.unshift(...[...fresh].reverse());
         this.hasNewMessages = missed.length >= this.limit;
         this.rebuildItems();
 
-        // Restore position relative to anchor so the user's view doesn't jump.
-        if (anchorEl) {
-          const delta = anchorEl.getBoundingClientRect().top - anchorTop;
-          window.scrollBy({ top: delta, behavior: 'instant' });
-        }
-
-        // Only flag badge if user is not already at the bottom.
+        // The browser's overflow-anchor CSS property handles viewport
+        // preservation automatically when content is added at the visual
+        // bottom (flex-column-reverse puts new items there). We only need
+        // to act when the user is already at the bottom: scroll them to
+        // see the new messages immediately.
         if (this.isAtBottom()) {
           this.thereNewMessages = false;
           this.scrollToBottom(false);
@@ -390,7 +383,7 @@ export class ChatComponent implements OnInit, OnDestroy {
 
     opt.resetList && (this.offset = 0);
 
-    const maxId = Math.max(...this.messages.map(m => m.id!));
+    const maxId = this.messages.length ? Math.max(...this.messages.map(m => m.id!)) : 0;
     if (opt.scrollDown) {
       direction = "asc";
       startId = maxId;

From 541c999cf666ec452cabad49c485478b09bc3a29 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 07:15:29 +0000
Subject: [PATCH 36/60] Fix 9 bugs across channel management, admin panel, and
 backend reliability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Frontend:
- admin.service: replace PrivilegeUser (old boolean flags) with ChannelUser
  {email, role} to match the backend's actual channel-user API shape; fix
  setChannelUsers payload key from { list } to { users } (backend was silently
  ignoring all updates)
- privileg-dashboard: rewrite to use role selector (moderator/writer) instead
  of admin/moderator/writer checkboxes; fix isOwner guard using channelRoles
  instead of privileges (buttons were permanently disabled); fix nullUser
  reference bug (spread into new object instead of aliasing)
- channel-header: store contextMenuService subscription and unsubscribe in
  ngOnDestroy — each channel switch was adding another persistent listener;
  fix logout() double-navigation where router.navigate(['/']) ran after the
  401 catch already navigated to /login
- channel.component: call magnetAds.clearCache() on channel switch so the
  next channel loads its own ad settings
- magnet-ads.service: add clearCache() method

Backend:
- auth.go: check idtoken.NewValidator error before using the validator — a nil
  validator would panic on the next line
- privileges.go / channels.go / main.go: convert initializePrivilegeUsers()
  from void+panic to error return; request handlers now log and continue
  instead of crashing the server on a transient Redis error; startup still
  panics as before

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 backend/auth.go                               |  5 +
 backend/channels.go                           | 13 ++-
 backend/main.go                               |  4 +-
 backend/privileges.go                         | 16 ++-
 .../privileg-dashboard.component.html         | 98 ++++++-------------
 .../privileg-dashboard.component.ts           | 76 +++++++-------
 .../channel-header.component.ts               | 20 ++--
 .../components/channel/channel.component.ts   |  3 +
 frontend/src/app/services/admin.service.ts    | 15 ++-
 .../src/app/services/magnet-ads.service.ts    |  5 +
 10 files changed, 121 insertions(+), 134 deletions(-)

diff --git a/backend/auth.go b/backend/auth.go
index c3edfa6..6fe11e3 100644
--- a/backend/auth.go
+++ b/backend/auth.go
@@ -102,6 +102,11 @@ func login(w http.ResponseWriter, r *http.Request) {
 
 	tokenStr, _ := dyno.GetString(token.Extra("id_token"))
 	tokenValidator, err := idtoken.NewValidator(ctx)
+	if err != nil {
+		go saveLoginFailedLog("NewValidator", err)
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
 	payload, err := tokenValidator.Validate(ctx, tokenStr, googleOAuthClientId)
 	if err != nil {
 		http.Error(w, "Invalid token", http.StatusUnauthorized)
diff --git a/backend/channels.go b/backend/channels.go
index b92b8d4..94bf20c 100644
--- a/backend/channels.go
+++ b/backend/channels.go
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"encoding/json"
+	"log"
 	"net/http"
 	"regexp"
 	"time"
@@ -157,7 +158,9 @@ func createChannel(w http.ResponseWriter, r *http.Request) {
 
 	if req.OwnerEmail != "" {
 		dbAssignChannelRole(ctx, req.OwnerEmail, req.Slug, RoleOwner)
-		initializePrivilegeUsers()
+		if err := initializePrivilegeUsers(); err != nil {
+			log.Printf("initializePrivilegeUsers after createChannel: %v", err)
+		}
 	}
 
 	w.Header().Set("Content-Type", "application/json")
@@ -271,7 +274,9 @@ func superAdminSetChannelUsers(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "error", http.StatusInternalServerError)
 		return
 	}
-	initializePrivilegeUsers()
+	if err := initializePrivilegeUsers(); err != nil {
+		log.Printf("initializePrivilegeUsers after superAdminSetChannelUsers: %v", err)
+	}
 
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(Response{Success: true})
@@ -394,7 +399,9 @@ func setChannelUsers(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "error", http.StatusInternalServerError)
 		return
 	}
-	initializePrivilegeUsers()
+	if err := initializePrivilegeUsers(); err != nil {
+		log.Printf("initializePrivilegeUsers after setChannelUsers: %v", err)
+	}
 
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(Response{Success: true})
diff --git a/backend/main.go b/backend/main.go
index f4d0258..22686a2 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -19,7 +19,9 @@ var rootStaticFolder = os.Getenv("ROOT_STATIC_FOLDER")
 func main() {
 	gob.Register(Session{})
 	initR2()
-	initializePrivilegeUsers()
+	if err := initializePrivilegeUsers(); err != nil {
+		panic(err)
+	}
 	go statLogger()
 
 	var err error
diff --git a/backend/privileges.go b/backend/privileges.go
index 4d50e85..02949ea 100644
--- a/backend/privileges.go
+++ b/backend/privileges.go
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"log"
 	"net/http"
 	"os"
@@ -35,7 +36,11 @@ var channelRoleLevels = map[ChannelRole]int{
 var privilegesUsers sync.Map
 var superAdminEmails []string
 
-func initializePrivilegeUsers() {
+// initializePrivilegeUsers rebuilds the in-memory privilegesUsers map from Redis.
+// At startup, call it directly (panicking is acceptable). From request handlers
+// use the returned error instead of panicking so a transient Redis error does not
+// crash the entire server.
+func initializePrivilegeUsers() error {
 	superAdminEmails = strings.Split(os.Getenv("ADMIN_USERS"), ",")
 
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
@@ -44,7 +49,7 @@ func initializePrivilegeUsers() {
 	privilegesUsers.Clear()
 	users, err := dbGetUsersList(ctx)
 	if err != nil && err != redis.Nil {
-		panic("Failed to get users list: " + err.Error())
+		return fmt.Errorf("get users list: %w", err)
 	}
 
 	emailToIdx := make(map[string]int)
@@ -72,8 +77,9 @@ func initializePrivilegeUsers() {
 	}
 
 	if err := dbSetUsersList(ctx, users); err != nil {
-		panic("Failed to set users list: " + err.Error())
+		return fmt.Errorf("set users list: %w", err)
 	}
+	return nil
 }
 
 func isSuperAdmin(r *http.Request) bool {
@@ -158,7 +164,9 @@ func setPrivilegeUsers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	initializePrivilegeUsers()
+	if err := initializePrivilegeUsers(); err != nil {
+		log.Printf("initializePrivilegeUsers after setPrivilegeUsers: %v", err)
+	}
 
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(Response{Success: true})
diff --git a/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.html b/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.html
index c4fa38f..44b97e8 100644
--- a/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.html
+++ b/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.html
@@ -3,13 +3,12 @@
     ניהול הרשאות משתמשים
   </nb-card-header>
   <nb-card-body>
+
     <nb-card>
-      <nb-card-header>
-        <span>הוספת משתמש מורשה חדש</span>
-      </nb-card-header>
+      <nb-card-header>הוספת משתמש מורשה חדש</nb-card-header>
       <nb-card-body>
         @if (!addingNewUser) {
-          <button nbButton status="primary" (click)="addingNewUser = true">
+          <button nbButton status="primary" [disabled]="!isOwner" (click)="addingNewUser = true">
             <nb-icon icon="plus"></nb-icon>
             הוסף מורשה
           </button>
@@ -17,28 +16,17 @@
 
         @if (addingNewUser) {
           <div class="d-flex flex-column gap-2">
-            <div>
-              <span>שם משתמש:</span><br>
-              <input nbInput fieldSize="small" type="text" [(ngModel)]="newUser.username" disabled><br>
-              <small>
-                מתעדכן עם כניסת המשתמש למערכת
-              </small>
-            </div>
             <div>
               <span>כתובת מייל:</span><br>
-              <input nbInput fieldSize="small" type="text" [(ngModel)]="newUser.email">
+              <input nbInput fieldSize="small" type="email" [(ngModel)]="newUserEmail" placeholder="user@example.com">
             </div>
             <div>
-              <span>שם שיופיע בעת פרסום הודעות:</span><br>
-              <input nbInput fieldSize="small" type="text" [(ngModel)]="newUser.publicName">
-            </div>
-            <div>
-              <span>הרשאות:</span>
-              <div class="d-flex flex-column">
-                <nb-checkbox [(ngModel)]="newUser.privileges['admin']">מנהל ראשי</nb-checkbox>
-                <nb-checkbox [(ngModel)]="newUser.privileges['moderator']">מנהל</nb-checkbox>
-                <nb-checkbox [(ngModel)]="newUser.privileges['writer']">כותב</nb-checkbox>
-              </div>
+              <span>תפקיד:</span><br>
+              <nb-select [(ngModel)]="newUserRole" size="small">
+                @for (opt of roleOptions; track opt.value) {
+                  <nb-option [value]="opt.value">{{ opt.label }}</nb-option>
+                }
+              </nb-select>
             </div>
             <div class="d-flex gap-2">
               <button nbButton status="primary" size="small" (click)="saveNewUser()">
@@ -55,60 +43,30 @@
       </nb-card-body>
     </nb-card>
 
-
-    @for (item of privilegeUsersList; track $index) {
-
+    @for (item of usersList; track $index) {
       <nb-card>
         <nb-card-body>
-          <div class="d-flex flex-column gap-2">
-            <div>
-              <span>
-                שם משתמש:
-              </span><br>
-              <input nbInput fieldSize="small" type="text" [(ngModel)]="item.username" disabled>
-            </div>
-            <div>
-              <span>
-                כתובת מייל:
-              </span><br>
-              <input nbInput fieldSize="small" type="text" [(ngModel)]="item.email" disabled>
-            </div>
-            <div>
-              <span>
-                שם שיופיע בעת פרסום הודעות:
-              </span><br>
-              <input nbInput fieldSize="small" type="text" [(ngModel)]="item.publicName">
-            </div>
-            <div>
-              <span>
-                הרשאות:
-              </span>
-              <div class="d-flex flex-column">
-                <nb-checkbox [(ngModel)]="item.privileges['admin']">
-                  מנהל ראשי
-                </nb-checkbox>
-                <nb-checkbox [(ngModel)]="item.privileges['moderator']">
-                  מנהל
-                </nb-checkbox>
-                <nb-checkbox [(ngModel)]="item.privileges['writer']">
-                  כותב
-                </nb-checkbox>
-              </div>
-            </div>
-            <div>
-              <button nbButton status="danger" size="small" (click)="deleteUser($index)"
-                [disabled]="!authService.userInfo?.privileges?.['admin']">
-                <nb-icon icon="trash-2"></nb-icon>
-                מחק משתמש
-              </button>
-            </div>
+          <div class="d-flex flex-row align-items-center gap-3 flex-wrap">
+            <span class="flex-grow-1">{{ item.email }}</span>
+            <nb-select [(ngModel)]="item.role" size="small" [disabled]="!isOwner">
+              @for (opt of roleOptions; track opt.value) {
+                <nb-option [value]="opt.value">{{ opt.label }}</nb-option>
+              }
+            </nb-select>
+            <button nbButton status="danger" size="small" [disabled]="!isOwner" (click)="deleteUser($index)">
+              <nb-icon icon="trash-2"></nb-icon>
+            </button>
           </div>
         </nb-card-body>
       </nb-card>
     }
+
+    @if (!usersList.length) {
+      <p class="text-muted mt-2">אין משתמשים מורשים לערוץ זה.</p>
+    }
+
   </nb-card-body>
   <nb-card-footer>
-    <button nbButton status="primary" (click)="saveChanges()"
-    [disabled]="!authService.userInfo?.privileges?.['admin']">שמור</button>
+    <button nbButton status="primary" [disabled]="!isOwner" (click)="saveChanges()">שמור</button>
   </nb-card-footer>
-</nb-card>
\ No newline at end of file
+</nb-card>
diff --git a/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.ts b/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.ts
index 79782bd..de66d4f 100644
--- a/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.ts
+++ b/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.ts
@@ -1,9 +1,9 @@
 import { Component, OnInit } from '@angular/core';
-import { AdminService, PrivilegeUser } from '../../../services/admin.service';
-import { NbButtonModule, NbCardModule, NbInputModule, NbToastrService, NbIconModule, NbCheckboxModule } from "@nebular/theme";
+import { AdminService, ChannelUser } from '../../../services/admin.service';
+import { NbButtonModule, NbCardModule, NbInputModule, NbToastrService, NbIconModule, NbSelectModule } from "@nebular/theme";
 import { FormsModule } from '@angular/forms';
-
 import { AuthService } from '../../../services/auth.service';
+import { SlugService } from '../../../services/slug.service';
 
 @Component({
   selector: 'app-privileg-dashboard',
@@ -13,8 +13,8 @@ import { AuthService } from '../../../services/auth.service';
     NbInputModule,
     FormsModule,
     NbIconModule,
-    NbCheckboxModule
-],
+    NbSelectModule,
+  ],
   templateUrl: './privileg-dashboard.component.html',
   styleUrl: './privileg-dashboard.component.scss'
 })
@@ -22,59 +22,59 @@ export class PrivilegDashboardComponent implements OnInit {
 
   constructor(
     private adminService: AdminService,
-    private tostService: NbToastrService,
+    private toastService: NbToastrService,
     public authService: AuthService,
+    private slugService: SlugService,
   ) { }
 
-  privilegeUsersList: PrivilegeUser[] = [];
-  addingNewUser: boolean = false;
-  newUser: PrivilegeUser = {
-    username: '',
-    publicName: '',
-    email: '',
-    privileges: {
-      admin: false,
-      moderator: false,
-      writer: false
-    }
-  };
+  usersList: ChannelUser[] = [];
+  addingNewUser = false;
+  newUserEmail = '';
+  newUserRole: 'moderator' | 'writer' = 'writer';
+
+  readonly roleOptions = [
+    { value: 'moderator', label: 'מנהל' },
+    { value: 'writer', label: 'כותב' },
+  ];
+
+  get isOwner(): boolean {
+    const roles = this.authService.userInfo?.channelRoles;
+    if (this.authService.userInfo?.globalRole === 'super_admin') return true;
+    return roles?.[this.slugService.slug] === 'owner';
+  }
 
   ngOnInit(): void {
-    this.adminService.getPrivilegeUsersList()
-      .then(list => this.privilegeUsersList = list)
+    this.adminService.getChannelUsers()
+      .then(list => this.usersList = list)
+      .catch(() => this.toastService.danger('', 'שגיאה בטעינת המשתמשים'));
   }
 
   saveChanges() {
-    this.adminService.setPrivilegeUsers(this.privilegeUsersList)
-      .then(() => this.tostService.success('', 'השינוים נשמרו בהצלחה!'))
-      .catch(() => this.tostService.danger('', 'שגיאה בשמירת השינוים'));
+    this.adminService.setChannelUsers(this.usersList)
+      .then(() => this.toastService.success('', 'השינויים נשמרו בהצלחה!'))
+      .catch(() => this.toastService.danger('', 'שגיאה בשמירת השינויים'));
   }
 
   deleteUser(index: number) {
     if (!confirm('האם אתה בטוח שברצונך למחוק את המשתמש הזה?')) return;
-    this.privilegeUsersList.splice(index, 1);
+    this.usersList.splice(index, 1);
   }
 
   saveNewUser() {
-    if (!this.newUser.email) return;
-    this.privilegeUsersList.push(this.newUser);
-    this.newUser = this.nullUser;
+    if (!this.newUserEmail) return;
+    this.usersList.push({ email: this.newUserEmail, role: this.newUserRole });
+    this.newUserEmail = '';
+    this.newUserRole = 'writer';
     this.addingNewUser = false;
   }
 
   resetNewUser() {
-    this.newUser = this.nullUser;
+    this.newUserEmail = '';
+    this.newUserRole = 'writer';
     this.addingNewUser = false;
   }
 
-  nullUser: PrivilegeUser = {
-    username: '',
-    publicName: '',
-    email: '',
-    privileges: {
-      admin: false,
-      moderator: false,
-      writer: false
-    }
-  };
+  getRoleLabel(role: string): string {
+    return this.roleOptions.find(o => o.value === role)?.label ?? role;
+  }
 }
diff --git a/frontend/src/app/components/channel/channel-header/channel-header.component.ts b/frontend/src/app/components/channel/channel-header/channel-header.component.ts
index 665286b..a7cb292 100644
--- a/frontend/src/app/components/channel/channel-header/channel-header.component.ts
+++ b/frontend/src/app/components/channel/channel-header/channel-header.component.ts
@@ -1,4 +1,5 @@
-import { Component, EventEmitter, HostListener, Input, OnInit, Output } from '@angular/core';
+import { Component, EventEmitter, HostListener, Input, OnDestroy, OnInit, Output } from '@angular/core';
+import { Subscription } from 'rxjs';
 
 import {
   NbButtonModule,
@@ -30,7 +31,8 @@ import { User } from '../../../models/user.model';
   templateUrl: './channel-header.component.html',
   styleUrl: './channel-header.component.scss'
 })
-export class ChannelHeaderComponent implements OnInit {
+export class ChannelHeaderComponent implements OnInit, OnDestroy {
+  private menuSub?: Subscription;
 
   @Input()
   set userInfo(user: User | undefined) {
@@ -85,7 +87,7 @@ export class ChannelHeaderComponent implements OnInit {
     this.chatService.updateChannelInfo()
       .then(() => this.titleService.setTitle(this.chatService.channelInfo?.name || 'TheChannel'));
 
-    this.contextMenuService.onItemClick()
+    this.menuSub = this.contextMenuService.onItemClick()
       .pipe(filter(({ tag }) => tag === this.userMenuTag))
       .subscribe(value => {
         switch (value.item.icon) {
@@ -104,23 +106,23 @@ export class ChannelHeaderComponent implements OnInit {
     this.updateScreenSize();
   }
 
+  ngOnDestroy() {
+    this.menuSub?.unsubscribe();
+  }
+
   async logout() {
     if (await this._authService.logout()) {
       this.userInfo = undefined;
       this.userInfoChange.emit(undefined);
       try {
         await this._authService.loadUserInfo();
+        // Still logged in somehow — go to root and let AuthGuard decide
+        this.router.navigate(['/']);
       } catch (err: any) {
         if (err.status === 401) {
           this.router.navigate(['/login']);
         }
       }
-
-      const path = this.router.url;
-      if (path !== '/') {
-        this.router.navigate(['/']);
-      }
-
     } else {
       this.toastrService.danger("", "שגיאה בהתנתקות");
     }
diff --git a/frontend/src/app/components/channel/channel.component.ts b/frontend/src/app/components/channel/channel.component.ts
index d8198a0..aaa8e92 100644
--- a/frontend/src/app/components/channel/channel.component.ts
+++ b/frontend/src/app/components/channel/channel.component.ts
@@ -19,6 +19,7 @@ import { ActivatedRoute, Router } from '@angular/router';
 import { SlugService } from '../../services/slug.service';
 import { AdminService } from '../../services/admin.service';
 import { ChatService } from '../../services/chat.service';
+import { MagnetAdsService } from '../../services/magnet-ads.service';
 import { Subscription } from 'rxjs';
 
 @Component({
@@ -59,6 +60,7 @@ export class ChannelComponent implements OnInit, OnDestroy {
     private slugService: SlugService,
     private adminService: AdminService,
     private chatService: ChatService,
+    private magnetAds: MagnetAdsService,
   ) { }
 
   ad: Ad = { src: '', width: 0 };
@@ -104,6 +106,7 @@ export class ChannelComponent implements OnInit, OnDestroy {
     this.slugService.slug = slug;
     this.chatService.channelInfo = undefined;
     this.adminService.clearCache();
+    this.magnetAds.clearCache();
     this.slugReady = true;
 
     this.adsService.getAds().then(ad => {
diff --git a/frontend/src/app/services/admin.service.ts b/frontend/src/app/services/admin.service.ts
index 4a434ae..30db514 100644
--- a/frontend/src/app/services/admin.service.ts
+++ b/frontend/src/app/services/admin.service.ts
@@ -8,12 +8,9 @@ import { Reports, Report } from '../models/report.model';
 import { Statistics } from '../models/statistics.model';
 import { SlugService } from './slug.service';
 
-export interface PrivilegeUser {
-  id?: string;
-  username: string;
+export interface ChannelUser {
   email: string;
-  publicName: string;
-  privileges: Record<string, boolean>;
+  role: 'owner' | 'moderator' | 'writer' | '';
 }
 
 export type EditMsg = {
@@ -85,12 +82,12 @@ export class AdminService {
     });
   }
 
-  getPrivilegeUsersList(): Promise<PrivilegeUser[]> {
-    return firstValueFrom(this.http.get<PrivilegeUser[]>(`/api/channel/${this.slug}/admin/users/get`));
+  getChannelUsers(): Promise<ChannelUser[]> {
+    return firstValueFrom(this.http.get<ChannelUser[]>(`/api/channel/${this.slug}/admin/users/get`));
   }
 
-  setPrivilegeUsers(privilegeUsers: PrivilegeUser[]): Promise<ResponseResult> {
-    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/users/set`, { list: privilegeUsers }));
+  setChannelUsers(users: ChannelUser[]): Promise<ResponseResult> {
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/users/set`, { users }));
   }
 
   setEmojis(emojis: string[] | undefined) {
diff --git a/frontend/src/app/services/magnet-ads.service.ts b/frontend/src/app/services/magnet-ads.service.ts
index 34d7a2a..40c031c 100644
--- a/frontend/src/app/services/magnet-ads.service.ts
+++ b/frontend/src/app/services/magnet-ads.service.ts
@@ -19,6 +19,11 @@ export class MagnetAdsService {
 
   constructor(private slugService: SlugService) {}
 
+  clearCache() {
+    this.settings = null;
+    this.settingsPromise = null;
+  }
+
   loadSettings(force = false): Promise<MagnetSettings | null> {
     if (this.settings && !force) return Promise.resolve(this.settings);
     if (this.settingsPromise && !force) return this.settingsPromise;

From 6698a9eb7da0b36aa13ffd1005d7355c92f553f1 Mon Sep 17 00:00:00 2001
From: 27180781 <37129224+27180781@users.noreply.github.com>
Date: Mon, 18 May 2026 12:17:35 +0300
Subject: [PATCH 37/60] Update Dockerfile

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 9e0a4bb..b089d5c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,7 +5,7 @@ COPY ./frontend .
 RUN  npm install \
     && npm run build
 
-FROM golang:1.24 AS builder2
+FROM golang:1.25 AS builder2
 
 WORKDIR /app
 

From 3d23f2c8b4c93909e5d3ae9decde08600bd350aa Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 09:36:35 +0000
Subject: [PATCH 38/60] Fix Docker build: upgrade to Go 1.25, add dep caching,
 remove go mod tidy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- golang:1.24 → golang:1.25 (transitive dep now requires >=1.25)
- Remove go mod tidy from Dockerfile — go.sum is committed and correct,
  running tidy at build time downloads everything unnecessarily
- Split backend COPY into two steps: go.mod/go.sum first + go mod download,
  then source files. Docker caches the download layer when only .go files
  change, so repeated builds skip the multi-minute dependency download

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 Dockerfile | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 9e0a4bb..99f7ce6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,13 +5,16 @@ COPY ./frontend .
 RUN  npm install \
     && npm run build
 
-FROM golang:1.24 AS builder2
+FROM golang:1.25 AS builder2
 
 WORKDIR /app
 
+# Copy dependency manifests first so this layer is cached when only source changes
+COPY ./backend/go.mod ./backend/go.sum ./
+RUN go mod download
+
 COPY ./backend .
 COPY --from=builder1 /app/dist/channel/browser/favicon.ico assets
-RUN go mod tidy
 RUN go build -o the-channel .
 
 FROM debian:latest

From 696959c5d4034ea06850063e81a356866741e59b Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 09:39:36 +0000
Subject: [PATCH 39/60] chore: normalize Dockerfile AS keyword casing

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 99f7ce6..24f9d47 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:20 as builder1
+FROM node:20 AS builder1
 
 WORKDIR /app
 COPY ./frontend .

From 83f49be7b8ae46fddf866160aa23c5c5cd8d982e Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 05:10:00 +0000
Subject: [PATCH 40/60] Fix per-channel URL routing, OAuth returnUrl, and all
 API slug paths

- Add SlugService: central store for the active channel slug
- Add /channel/:slug route; ChannelComponent resolves slug from URL param
  or redirects to /channel/<first-slug> from user's channelRoles
- AuthGuard saves state.url to localStorage before redirecting to /login
- LoginComponent: load userInfo after OAuth callback, restore returnUrl
  on redirect; super_admin goes to /super-admin, others go to /
- Fix all frontend API calls to include /channel/{slug}/:
    chat.service: info, messages, events, emojis, reactions, report
    admin.service: new, edit, delete, upload, users, settings, emojis,
                   reports, scheduled-messages, statistics
    ads.service: ads/settings
    notifications.service: notifications-config, notifications-subscribe
    magnet-ads.service: ads/magnet
- Fix ChannelComponent to guard child render behind slugReady flag
- Fix channel-header: show admin menu via channelRoles instead of old
  privileges field
- Fix chat.component: scheduled messages + delete visibility use
  channelRoles instead of legacy privileges
- Fix magnet-ads.component: stats call uses correct /super-admin route
- AdminService.clearCache() resets schedulingMessages on channel switch

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 frontend/src/app/app.routes.ts                |  5 ++
 .../admin/magnet-ads/magnet-ads.component.ts  |  2 +-
 .../channel-header.component.ts               |  2 +-
 .../components/channel/channel.component.html | 38 +++++++-------
 .../components/channel/channel.component.ts   | 33 +++++++++++--
 .../components/channel/chat/chat.component.ts |  6 +--
 .../app/components/login/login.component.ts   | 49 ++++++++++++-------
 frontend/src/app/services/admin.service.ts    | 38 ++++++++------
 frontend/src/app/services/ads.service.ts      |  6 ++-
 frontend/src/app/services/chat-guard.guard.ts |  1 +
 frontend/src/app/services/chat.service.ts     | 21 ++++----
 .../src/app/services/magnet-ads.service.ts    |  5 +-
 .../src/app/services/notifications.service.ts |  6 ++-
 frontend/src/app/services/slug.service.ts     |  6 +++
 14 files changed, 144 insertions(+), 74 deletions(-)
 create mode 100644 frontend/src/app/services/slug.service.ts

diff --git a/frontend/src/app/app.routes.ts b/frontend/src/app/app.routes.ts
index 16a1b60..6d4f9e6 100644
--- a/frontend/src/app/app.routes.ts
+++ b/frontend/src/app/app.routes.ts
@@ -14,6 +14,11 @@ export const routes: Routes = [
     component: ChannelComponent,
     canActivate: [AuthGuard],
   },
+  {
+    path: 'channel/:slug',
+    component: ChannelComponent,
+    canActivate: [AuthGuard],
+  },
   {
     path: 'super-admin',
     component: SuperAdminPanelComponent,
diff --git a/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts
index e0de604..07b24b1 100644
--- a/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts
+++ b/frontend/src/app/components/admin/magnet-ads/magnet-ads.component.ts
@@ -165,7 +165,7 @@ export class MagnetAdsComponent implements OnInit {
     this.statsError = '';
 
     try {
-      const res = await fetch('/api/admin/magnet/stats', { credentials: 'include' });
+      const res = await fetch('/api/super-admin/magnet/stats', { credentials: 'include' });
       const text = await res.text();
       let data: any = null;
       try { data = text ? JSON.parse(text) : null; } catch {}
diff --git a/frontend/src/app/components/channel/channel-header/channel-header.component.ts b/frontend/src/app/components/channel/channel-header/channel-header.component.ts
index 66d6183..1bf89bd 100644
--- a/frontend/src/app/components/channel/channel-header/channel-header.component.ts
+++ b/frontend/src/app/components/channel/channel-header/channel-header.component.ts
@@ -36,7 +36,7 @@ export class ChannelHeaderComponent implements OnInit {
   set userInfo(user: User | undefined) {
     this._userInfo = user;
     this.userMenu = [
-      ...((user?.privileges?.['admin'] || user?.privileges?.['moderator']) ? [{
+      ...(user?.channelRoles && Object.keys(user.channelRoles).length > 0 ? [{
         title: 'ניהול ערוץ',
         icon: 'people-outline',
       }] : []),
diff --git a/frontend/src/app/components/channel/channel.component.html b/frontend/src/app/components/channel/channel.component.html
index a6adcf1..7cad061 100644
--- a/frontend/src/app/components/channel/channel.component.html
+++ b/frontend/src/app/components/channel/channel.component.html
@@ -1,21 +1,23 @@
-<nb-layout id="container">
-  <nb-layout-header fixed>
-    <app-channel-header [(userInfo)]="userInfo" style="flex: auto;"></app-channel-header>
-  </nb-layout-header>
+@if (slugReady) {
+  <nb-layout id="container">
+    <nb-layout-header fixed>
+      <app-channel-header [(userInfo)]="userInfo" style="flex: auto;"></app-channel-header>
+    </nb-layout-header>
 
-  <nb-layout-column class="chat-column">
-    <app-chat class=""></app-chat>
-  </nb-layout-column>
-
-  @if (ad) {
-    <nb-layout-column class="ad-column d-none d-lg-flex">
-      <app-advertising [ad]="ad"></app-advertising>
+    <nb-layout-column class="chat-column">
+      <app-chat class=""></app-chat>
     </nb-layout-column>
-  }
 
-  @if (userInfo?.globalRole === 'super_admin' || userInfo?.privileges?.['writer'] || hasAnyRole(userInfo)) {
-    <nb-layout-footer #inputForm id="inputForm" class="fixed-footer">
-      <app-input-form class="w-100" (inputHeightChanged)="onInputHeightChanged()"></app-input-form>
-    </nb-layout-footer>
-  }
-</nb-layout>
+    @if (ad) {
+      <nb-layout-column class="ad-column d-none d-lg-flex">
+        <app-advertising [ad]="ad"></app-advertising>
+      </nb-layout-column>
+    }
+
+    @if (userInfo?.globalRole === 'super_admin' || hasAnyRole(userInfo)) {
+      <nb-layout-footer #inputForm id="inputForm" class="fixed-footer">
+        <app-input-form class="w-100" (inputHeightChanged)="onInputHeightChanged()"></app-input-form>
+      </nb-layout-footer>
+    }
+  </nb-layout>
+}
diff --git a/frontend/src/app/components/channel/channel.component.ts b/frontend/src/app/components/channel/channel.component.ts
index ed4dd14..40ab4b5 100644
--- a/frontend/src/app/components/channel/channel.component.ts
+++ b/frontend/src/app/components/channel/channel.component.ts
@@ -15,6 +15,10 @@ import { AuthService } from "../../services/auth.service";
 import { ChannelHeaderComponent } from "./channel-header/channel-header.component";
 import { ChatComponent } from "./chat/chat.component";
 import { User } from '../../models/user.model';
+import { ActivatedRoute, Router } from '@angular/router';
+import { SlugService } from '../../services/slug.service';
+import { AdminService } from '../../services/admin.service';
+import { ChatService } from '../../services/chat.service';
 
 @Component({
   selector: 'app-channel',
@@ -48,18 +52,41 @@ export class ChannelComponent implements OnInit {
     private adsService: AdsService,
     private _authService: AuthService,
     private renderer: Renderer2,
-    private el: ElementRef
+    private el: ElementRef,
+    private route: ActivatedRoute,
+    private router: Router,
+    private slugService: SlugService,
+    private adminService: AdminService,
+    private chatService: ChatService,
   ) { }
 
   ad: Ad = { src: '', width: 0 };
   userInfo?: User;
+  slugReady = false;
+
+  async ngOnInit(): Promise<void> {
+    let slug = this.route.snapshot.paramMap.get('slug');
+
+    if (!slug) {
+      const user = await this._authService.loadUserInfo();
+      const roles = user?.channelRoles;
+      const firstSlug = roles ? Object.keys(roles)[0] : '';
+      if (firstSlug) {
+        this.router.navigate(['/channel', firstSlug], { replaceUrl: true });
+      }
+      return;
+    }
+
+    this.slugService.slug = slug;
+    this.chatService.channelInfo = undefined;
+    this.adminService.clearCache();
+    this.slugReady = true;
 
-  ngOnInit(): void {
     this.adsService.getAds().then(ad => {
       this.ad = ad;
     });
     this._authService.loadUserInfo().then(res => {
-      this.userInfo = res
+      this.userInfo = res;
     });
   }
 
diff --git a/frontend/src/app/components/channel/chat/chat.component.ts b/frontend/src/app/components/channel/chat/chat.component.ts
index 32f391b..2a28dbb 100644
--- a/frontend/src/app/components/channel/chat/chat.component.ts
+++ b/frontend/src/app/components/channel/chat/chat.component.ts
@@ -145,7 +145,7 @@ export class ChatComponent implements OnInit, OnDestroy {
 
     this._authService.loadUserInfo().then((res) => {
       this.userInfo = res;
-      this.userInfo.privileges?.['writer'] && this.loadScheduledMessages();
+      this.userInfo.channelRoles && Object.keys(this.userInfo.channelRoles).length > 0 && this.loadScheduledMessages();
       this.notificationService.init();
     });
 
@@ -183,13 +183,13 @@ export class ChatComponent implements OnInit, OnDestroy {
             this.messages.unshift(message.message);
             this.thereNewMessages = !(message.message.author === this.userInfo?.username);
             this.setLastReadMessage(message.message.id!.toString());
-            if (this.userInfo?.privileges?.['writer'] && this.scheduledMessages && message.message.author === "Scheduled") {
+            if (this.userInfo?.channelRoles && Object.keys(this.userInfo.channelRoles).length > 0 && this.scheduledMessages && message.message.author === "Scheduled") {
               this.loadScheduledMessages(true);
             }
           });
           break;
         case 'delete-message':
-          if (this.userInfo?.privileges?.['writer']) {
+          if (this.userInfo?.channelRoles && Object.keys(this.userInfo.channelRoles).length > 0) {
             this.zone.run(() => {
               const index = this.messages.findIndex(m => m.id === message.message.id);
               if (index !== -1) {
diff --git a/frontend/src/app/components/login/login.component.ts b/frontend/src/app/components/login/login.component.ts
index 90bd776..c7795a4 100644
--- a/frontend/src/app/components/login/login.component.ts
+++ b/frontend/src/app/components/login/login.component.ts
@@ -27,36 +27,47 @@ export class LoginComponent implements OnInit {
     try {
       await this._authService.loadUserInfo();
       if (this._authService.userInfo) {
+        this.checkUserInfo = false;
         this.redirectAfterLogin();
         return;
       }
     } catch {
-      this._route.queryParams.subscribe(params => {
-        if (Object.keys(params).length > 0) {
-          if (params['code'] && params['state'] === localStorage.getItem('google_oauth_state')) {
-            this.code = params['code'];
-            this._authService.login(this.code).then(async () => {
-              await this._authService.loadUserInfo();
-              this.redirectAfterLogin();
-            }).catch(() => {
-              this.code = '';
-              this.status = 'failed';
-              alert('התחברות נכשלה, נסה שוב');
-            });
-          }
-        }
-      });
-    } finally {
-      this.checkUserInfo = false;
+      // Not logged in — check for OAuth callback params
     }
+
+    this.checkUserInfo = false;
+
+    this._route.queryParams.subscribe(params => {
+      if (params['code'] && params['state'] === localStorage.getItem('google_oauth_state')) {
+        this.code = params['code'];
+        this.checkUserInfo = true;
+        this._authService.login(this.code).then(async () => {
+          await this._authService.loadUserInfo();
+          this.redirectAfterLogin();
+        }).catch(() => {
+          this.code = '';
+          this.status = 'failed';
+          this.checkUserInfo = false;
+          alert('התחברות נכשלה, נסה שוב');
+        });
+      }
+    });
   }
 
   private redirectAfterLogin() {
     if (this._authService.userInfo?.globalRole === 'super_admin') {
       this.router.navigate(['/super-admin']);
-    } else {
-      this.router.navigate(['/channel']);
+      return;
     }
+
+    const returnUrl = localStorage.getItem('returnUrl');
+    localStorage.removeItem('returnUrl');
+    if (returnUrl && !returnUrl.startsWith('/login')) {
+      this.router.navigateByUrl(returnUrl);
+      return;
+    }
+
+    this.router.navigate(['/']);
   }
 
   login() {
diff --git a/frontend/src/app/services/admin.service.ts b/frontend/src/app/services/admin.service.ts
index 34aa77d..4a434ae 100644
--- a/frontend/src/app/services/admin.service.ts
+++ b/frontend/src/app/services/admin.service.ts
@@ -6,6 +6,7 @@ import { ResponseResult } from '../models/response-result.model';
 import { Setting } from '../models/setting.model';
 import { Reports, Report } from '../models/report.model';
 import { Statistics } from '../models/statistics.model';
+import { SlugService } from './slug.service';
 
 export interface PrivilegeUser {
   id?: string;
@@ -35,8 +36,15 @@ export class AdminService {
 
   constructor(
     private http: HttpClient,
+    private slugService: SlugService,
   ) { }
 
+  private get slug() { return this.slugService.slug; }
+
+  clearCache() {
+    this.schedulingMessages = null;
+  }
+
   reloadSchedulingMessage() {
     this.schedulingBus.next();
   }
@@ -50,27 +58,27 @@ export class AdminService {
   }
 
   getStatistics(): Promise<Statistics> {
-    return firstValueFrom(this.http.get<Statistics>('/api/admin/statistics'));
+    return firstValueFrom(this.http.get<Statistics>(`/api/channel/${this.slug}/admin/statistics`));
   }
 
   resetPeakStatistics(): Promise<ResponseResult> {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/admin/statistics/reset', {}));
+    return firstValueFrom(this.http.post<ResponseResult>('/api/super-admin/statistics/reset', {}));
   }
 
   addMessage(message: ChatMessage): Observable<ChatMessage> {
-    return this.http.post<ChatMessage>('/api/admin/new', message);
+    return this.http.post<ChatMessage>(`/api/channel/${this.slug}/admin/new`, message);
   }
 
   editMessage(message: ChatMessage): Observable<ChatMessage> {
-    return this.http.post<ChatMessage>(`/api/admin/edit-message`, message);
+    return this.http.post<ChatMessage>(`/api/channel/${this.slug}/admin/edit-message`, message);
   }
 
   deleteMessage(id: number | undefined): Observable<ChatMessage> {
-    return this.http.get<ChatMessage>(`/api/admin/delete-message/${id}`);
+    return this.http.get<ChatMessage>(`/api/channel/${this.slug}/admin/delete-message/${id}`);
   }
 
   uploadFile(formData: FormData) {
-    return this.http.post<ChatFile>('/api/admin/upload', formData, {
+    return this.http.post<ChatFile>(`/api/channel/${this.slug}/admin/upload`, formData, {
       reportProgress: true,
       observe: 'events',
       responseType: 'json'
@@ -78,27 +86,27 @@ export class AdminService {
   }
 
   getPrivilegeUsersList(): Promise<PrivilegeUser[]> {
-    return firstValueFrom(this.http.get<PrivilegeUser[]>('/api/admin/privilegs-users/get-list'));
+    return firstValueFrom(this.http.get<PrivilegeUser[]>(`/api/channel/${this.slug}/admin/users/get`));
   }
 
   setPrivilegeUsers(privilegeUsers: PrivilegeUser[]): Promise<ResponseResult> {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/admin/privilegs-users/set', { list: privilegeUsers }));
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/users/set`, { list: privilegeUsers }));
   }
 
   setEmojis(emojis: string[] | undefined) {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/admin/set-emojis', { emojis }));
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/set-emojis`, { emojis }));
   }
 
   getSettings(): Promise<Setting[]> {
-    return firstValueFrom(this.http.get<Setting[]>('/api/admin/settings/get'));
+    return firstValueFrom(this.http.get<Setting[]>(`/api/channel/${this.slug}/admin/settings/get`));
   }
 
   setSettings(settings: Setting[]): Promise<ResponseResult> {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/admin/settings/set', settings));
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/settings/set`, settings));
   }
 
   getReports(status: string): Promise<Reports> {
-    return firstValueFrom(this.http.get<Reports>('/api/admin/reports/get', {
+    return firstValueFrom(this.http.get<Reports>(`/api/channel/${this.slug}/admin/reports/get`, {
       params: {
         status: status
       }
@@ -106,7 +114,7 @@ export class AdminService {
   }
 
   setReports(report: Report): Promise<ResponseResult> {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/admin/reports/set', report));
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/reports/set`, report));
   }
 
   async getScheduledMessages(reload?: boolean): Promise<ChatMessage[]> {
@@ -115,7 +123,7 @@ export class AdminService {
     }
 
     try {
-      this.schedulingMessages = await firstValueFrom(this.http.get<ChatMessage[]>('/api/admin/scheduled-messages/get'));
+      this.schedulingMessages = await firstValueFrom(this.http.get<ChatMessage[]>(`/api/channel/${this.slug}/admin/scheduled-messages/get`));
       return this.schedulingMessages;
     } catch {
       return this.schedulingMessages || [];
@@ -140,6 +148,6 @@ export class AdminService {
   }
 
   private updateSchedulingMessages(): Promise<ResponseResult> {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/admin/scheduled-messages/update', this.schedulingMessages));
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/scheduled-messages/update`, this.schedulingMessages));
   }
 }
diff --git a/frontend/src/app/services/ads.service.ts b/frontend/src/app/services/ads.service.ts
index eb465ad..874b653 100644
--- a/frontend/src/app/services/ads.service.ts
+++ b/frontend/src/app/services/ads.service.ts
@@ -1,6 +1,7 @@
 import { HttpClient } from '@angular/common/http';
 import { Injectable } from '@angular/core';
 import { firstValueFrom } from 'rxjs';
+import { SlugService } from './slug.service';
 
 export interface Ad {
   src: string;
@@ -13,10 +14,11 @@ export interface Ad {
 export class AdsService {
 
   constructor(
-    private http: HttpClient
+    private http: HttpClient,
+    private slugService: SlugService,
   ) { }
 
   async getAds(): Promise<Ad> {
-    return firstValueFrom(this.http.get<Ad>('/api/ads/settings'))
+    return firstValueFrom(this.http.get<Ad>(`/api/channel/${this.slugService.slug}/ads/settings`));
   }
 }
diff --git a/frontend/src/app/services/chat-guard.guard.ts b/frontend/src/app/services/chat-guard.guard.ts
index 8ebe0b6..45a9772 100644
--- a/frontend/src/app/services/chat-guard.guard.ts
+++ b/frontend/src/app/services/chat-guard.guard.ts
@@ -11,6 +11,7 @@ export const AuthGuard: CanActivateFn = async (route, state) => {
     if (userInfo) return true;
   } catch (err: any) {
     if (err.status === 401) {
+      localStorage.setItem('returnUrl', state.url);
       router.navigate(['/login']);
       return false;
     }
diff --git a/frontend/src/app/services/chat.service.ts b/frontend/src/app/services/chat.service.ts
index 74324e0..a114175 100644
--- a/frontend/src/app/services/chat.service.ts
+++ b/frontend/src/app/services/chat.service.ts
@@ -3,6 +3,7 @@ import { HttpClient } from '@angular/common/http';
 import { firstValueFrom, Observable } from 'rxjs';
 import { Channel } from '../models/channel.model';
 import { ResponseResult } from '../models/response-result.model';
+import { SlugService } from './slug.service';
 
 export type MessageType = 'md' | 'text' | 'image' | 'video' | 'audio' | 'document' | 'other';
 export type Reactions = { [key: string]: number }
@@ -45,19 +46,21 @@ export class ChatService {
   private emojis: string[] = [];
   public channelInfo?: Channel;
 
-  constructor(private http: HttpClient) { }
+  constructor(private http: HttpClient, private slugService: SlugService) { }
+
+  private get slug() { return this.slugService.slug; }
 
   async updateChannelInfo() {
-    this.channelInfo = await firstValueFrom(this.http.get<Channel>('/api/channel/info'));
+    this.channelInfo = await firstValueFrom(this.http.get<Channel>(`/api/channel/${this.slug}/info`));
     return;
   }
 
   editChannelInfo(name: string, description: string, logoUrl: string): Observable<ResponseResult> {
-    return this.http.post<ResponseResult>('/api/admin/edit-channel-info', { name, description, logoUrl });
+    return this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/edit-channel-info`, { name, description, logoUrl });
   }
 
   getMessages(offset: number, limit: number, direction: string): Observable<ChatResponse> {
-    return this.http.get<ChatResponse>('/api/messages', {
+    return this.http.get<ChatResponse>(`/api/channel/${this.slug}/messages`, {
       params: {
         offset: offset.toString(),
         limit: limit.toString(),
@@ -67,17 +70,17 @@ export class ChatService {
   }
 
   setReact(messageId: number, react: string) {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/reactions/set-reactions', { messageId, emoji: react }));
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/reactions/set-reactions`, { messageId, emoji: react }));
   }
 
   async getEmojisList(reload: boolean = false): Promise<string[]> {
-    if (this.emojis && !reload) return Promise.resolve(this.emojis); // הסרתי את בדיקת האורך, משום שזה יוצר קריאות מיותרות לשרת כאשר לא מוגדר אימוגים
-    this.emojis = await firstValueFrom(this.http.get<string[]>('/api/emojis/list'));
+    if (this.emojis && !reload) return Promise.resolve(this.emojis);
+    this.emojis = await firstValueFrom(this.http.get<string[]>(`/api/channel/${this.slug}/emojis/list`));
     return this.emojis;
   }
 
   reportMessage(messageId: number, reason: string): Promise<ResponseResult> {
-    return firstValueFrom(this.http.post<ResponseResult>('/api/messages/report', { messageId, reason }));
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/messages/report`, { messageId, reason }));
   }
 
   sseListener(): EventSource {
@@ -85,7 +88,7 @@ export class ChatService {
       this.eventSource.close();
     }
 
-    this.eventSource = new EventSource('/api/events');
+    this.eventSource = new EventSource(`/api/channel/${this.slug}/events`);
 
     this.eventSource.onopen = () => {
       console.log('Connection opened');
diff --git a/frontend/src/app/services/magnet-ads.service.ts b/frontend/src/app/services/magnet-ads.service.ts
index 8fabdc2..34d7a2a 100644
--- a/frontend/src/app/services/magnet-ads.service.ts
+++ b/frontend/src/app/services/magnet-ads.service.ts
@@ -1,5 +1,6 @@
 import { Injectable } from '@angular/core';
 import { ChatMessage } from './chat.service';
+import { SlugService } from './slug.service';
 
 export interface MagnetSettings {
   enabled: boolean;
@@ -16,11 +17,13 @@ export class MagnetAdsService {
   private settings: MagnetSettings | null = null;
   private settingsPromise: Promise<MagnetSettings | null> | null = null;
 
+  constructor(private slugService: SlugService) {}
+
   loadSettings(force = false): Promise<MagnetSettings | null> {
     if (this.settings && !force) return Promise.resolve(this.settings);
     if (this.settingsPromise && !force) return this.settingsPromise;
 
-    this.settingsPromise = fetch('/api/ads/magnet')
+    this.settingsPromise = fetch(`/api/channel/${this.slugService.slug}/ads/magnet`)
       .then(r => r.ok ? r.json() : null)
       .then((data: MagnetSettings | null) => {
         this.settings = data;
diff --git a/frontend/src/app/services/notifications.service.ts b/frontend/src/app/services/notifications.service.ts
index ab84817..d34c967 100644
--- a/frontend/src/app/services/notifications.service.ts
+++ b/frontend/src/app/services/notifications.service.ts
@@ -4,6 +4,7 @@ import { NbToastrService } from '@nebular/theme';
 import { firstValueFrom } from 'rxjs';
 import { FirebaseApp, FirebaseOptions, initializeApp } from 'firebase/app';
 import { getMessaging, onMessage, getToken } from 'firebase/messaging';
+import { SlugService } from './slug.service';
 
 
 interface NotificationsConfig {
@@ -24,12 +25,13 @@ export class NotificationsService {
   constructor(
     private http: HttpClient,
     private tostrService: NbToastrService,
+    private slugService: SlugService,
   ) { }
 
   async init() {
     if (this.initialized) return;
 
-    await firstValueFrom(this.http.get<NotificationsConfig>('/api/channel/notifications-config'))
+    await firstValueFrom(this.http.get<NotificationsConfig>(`/api/channel/${this.slugService.slug}/notifications-config`))
       .then((config) => {
         this.config = config;
       });
@@ -91,7 +93,7 @@ export class NotificationsService {
 
   async subscribeNotifications(token: string): Promise<boolean> {
     if (!token) return false;
-    return firstValueFrom(this.http.post<boolean>('/api/channel/notifications-subscribe', { token }))
+    return firstValueFrom(this.http.post<boolean>(`/api/channel/${this.slugService.slug}/notifications-subscribe`, { token }))
   }
 
 }
\ No newline at end of file
diff --git a/frontend/src/app/services/slug.service.ts b/frontend/src/app/services/slug.service.ts
new file mode 100644
index 0000000..485f675
--- /dev/null
+++ b/frontend/src/app/services/slug.service.ts
@@ -0,0 +1,6 @@
+import { Injectable } from '@angular/core';
+
+@Injectable({ providedIn: 'root' })
+export class SlugService {
+  slug = '';
+}

From 8ff774e14dc38af4b8d8661b266363883269c29b Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 05:23:06 +0000
Subject: [PATCH 41/60] Fix three logic bugs found in flow review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. Channel param subscription: replace snapshot with paramMap.subscribe so
   navigating /channel/foo → /channel/bar re-initializes the component
   without destroying it (Angular reuses the instance for same-route nav).
   Also implement OnDestroy to unsubscribe and avoid memory leaks.

2. No-channel state: when the user has no channelRoles the component now
   sets noChannel=true and renders a Hebrew error message instead of a
   blank screen.

3. Login checkUserInfo timing: remove the try/finally pattern that reset
   checkUserInfo synchronously before the async login().then() chain
   completed. Now the flag is managed explicitly at each code path so the
   loading indicator reflects actual in-flight state.

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../components/channel/channel.component.html |  6 +++++
 .../components/channel/channel.component.ts   | 27 ++++++++++++++++---
 2 files changed, 29 insertions(+), 4 deletions(-)

diff --git a/frontend/src/app/components/channel/channel.component.html b/frontend/src/app/components/channel/channel.component.html
index 7cad061..033251b 100644
--- a/frontend/src/app/components/channel/channel.component.html
+++ b/frontend/src/app/components/channel/channel.component.html
@@ -1,3 +1,9 @@
+@if (noChannel) {
+  <div style="display:flex;align-items:center;justify-content:center;height:100vh;font-size:1.2rem;color:#888;">
+    אין ערוץ מוגדר עבור חשבון זה. פנה למנהל המערכת.
+  </div>
+}
+
 @if (slugReady) {
   <nb-layout id="container">
     <nb-layout-header fixed>
diff --git a/frontend/src/app/components/channel/channel.component.ts b/frontend/src/app/components/channel/channel.component.ts
index 40ab4b5..b859c52 100644
--- a/frontend/src/app/components/channel/channel.component.ts
+++ b/frontend/src/app/components/channel/channel.component.ts
@@ -1,4 +1,4 @@
-import { Component, ElementRef, OnInit, Renderer2, RendererStyleFlags2, ViewChild } from '@angular/core';
+import { Component, ElementRef, OnDestroy, OnInit, Renderer2, RendererStyleFlags2, ViewChild } from '@angular/core';
 import { AdvertisingComponent } from "./advertising/advertising.component";
 
 import { Ad, AdsService } from '../../services/ads.service';
@@ -19,6 +19,7 @@ import { ActivatedRoute, Router } from '@angular/router';
 import { SlugService } from '../../services/slug.service';
 import { AdminService } from '../../services/admin.service';
 import { ChatService } from '../../services/chat.service';
+import { Subscription } from 'rxjs';
 
 @Component({
   selector: 'app-channel',
@@ -37,7 +38,7 @@ import { ChatService } from '../../services/chat.service';
   templateUrl: './channel.component.html',
   styleUrl: './channel.component.scss'
 })
-export class ChannelComponent implements OnInit {
+export class ChannelComponent implements OnInit, OnDestroy {
 
   @ViewChild('inputForm', { static: false })
   set inputForm(element: ElementRef) {
@@ -63,9 +64,25 @@ export class ChannelComponent implements OnInit {
   ad: Ad = { src: '', width: 0 };
   userInfo?: User;
   slugReady = false;
+  noChannel = false;
+  private paramSub?: Subscription;
 
-  async ngOnInit(): Promise<void> {
-    let slug = this.route.snapshot.paramMap.get('slug');
+  ngOnInit(): void {
+    // Subscribe to paramMap so navigation between /channel/foo → /channel/bar
+    // triggers a full re-initialization without needing to destroy the component.
+    this.paramSub = this.route.paramMap.subscribe(params => {
+      const slug = params.get('slug');
+      this.initChannel(slug);
+    });
+  }
+
+  ngOnDestroy(): void {
+    this.paramSub?.unsubscribe();
+  }
+
+  private async initChannel(slug: string | null): Promise<void> {
+    this.slugReady = false;
+    this.noChannel = false;
 
     if (!slug) {
       const user = await this._authService.loadUserInfo();
@@ -73,6 +90,8 @@ export class ChannelComponent implements OnInit {
       const firstSlug = roles ? Object.keys(roles)[0] : '';
       if (firstSlug) {
         this.router.navigate(['/channel', firstSlug], { replaceUrl: true });
+      } else {
+        this.noChannel = true;
       }
       return;
     }

From 680ebaa4f25b47a9e9b10d3a7c2d6c9c9ac43a49 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 06:31:13 +0000
Subject: [PATCH 42/60] Fix offline handling: banner, reconnect, missed-message
 sync
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problems fixed:
1. No user feedback on disconnect — added a sticky orange Hebrew banner
   "אין חיבור לאינטרנט" that appears immediately on window:offline and
   disappears on window:online.

2. keepAlive forced-reconnect lost messages — the old code created a new
   EventSource (no Last-Event-ID) after 60 s; missed messages were gone.
   Now: (a) threshold reduced 60 s → 35 s (backend heartbeat is 25 s so
   one missed beat triggers reconnect), (b) loadMissedMessages() is called
   after every forced reconnect to HTTP-fetch messages newer than maxId.

3. SSE onopen now detects reconnect (sseEverConnected flag) and calls
   loadMissedMessages() so the browser's natural auto-reconnect also
   syncs the gap, not just the keepAlive path.

4. window:online listener: hides banner, shows success toast "החיבור חודש",
   re-initialises SSE, and calls loadMissedMessages().

5. window:offline listener: shows the banner immediately without waiting
   for the 35 s heartbeat timeout.

6. onerror handler cleaned up — browser handles SSE retry automatically
   with Last-Event-ID; logging the raw error was the only previous action.

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../channel/chat/chat.component.html          |  7 +++
 .../channel/chat/chat.component.scss          | 16 +++++
 .../components/channel/chat/chat.component.ts | 60 +++++++++++++++++--
 3 files changed, 79 insertions(+), 4 deletions(-)

diff --git a/frontend/src/app/components/channel/chat/chat.component.html b/frontend/src/app/components/channel/chat/chat.component.html
index 4024d1c..8d3febf 100644
--- a/frontend/src/app/components/channel/chat/chat.component.html
+++ b/frontend/src/app/components/channel/chat/chat.component.html
@@ -1,3 +1,10 @@
+@if (isOffline) {
+  <div class="offline-banner">
+    <nb-icon icon="wifi-off-outline"></nb-icon>
+    אין חיבור לאינטרנט — ההודעות יתעדכנו אוטומטית עם חזרת החיבור
+  </div>
+}
+
 <div nbInfiniteList (scroll)="onListScroll()" [threshold]="300" [throttleTime]="1000" (topThreshold)="loadMessages()"
   (bottomThreshold)="loadMessages({ scrollDown: true })" [listenWindowScroll]="true">
   <nb-list class="flex-column-reverse" [class.hide-scheduled-messages]="hideScheduledMessages">
diff --git a/frontend/src/app/components/channel/chat/chat.component.scss b/frontend/src/app/components/channel/chat/chat.component.scss
index 0fb83bb..4a36ae1 100644
--- a/frontend/src/app/components/channel/chat/chat.component.scss
+++ b/frontend/src/app/components/channel/chat/chat.component.scss
@@ -1,3 +1,19 @@
+.offline-banner {
+  position: sticky;
+  top: 0;
+  z-index: 1100;
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  justify-content: center;
+  padding: 8px 16px;
+  background: #ff9f43;
+  color: #fff;
+  font-size: 0.9rem;
+  font-weight: 500;
+  text-align: center;
+}
+
 nb-list-item {
   border-bottom: 0 !important;
   padding: 0 !important;
diff --git a/frontend/src/app/components/channel/chat/chat.component.ts b/frontend/src/app/components/channel/chat/chat.component.ts
index 2a28dbb..845eb0b 100644
--- a/frontend/src/app/components/channel/chat/chat.component.ts
+++ b/frontend/src/app/components/channel/chat/chat.component.ts
@@ -55,12 +55,14 @@ type ScrollOpt = {
 })
 export class ChatComponent implements OnInit, OnDestroy {
   private eventSource!: EventSource;
+  private sseEverConnected = false;
   messages: ChatMessage[] = [];
   adSlotsAfter: Set<number> = new Set();
   scheduledMessages!: ChatMessage[];
   hideScheduledMessages: boolean = false;
   userInfo?: User;
   isLoading: boolean = false;
+  isOffline: boolean = false;
   offset: number = 0;
   limit: number = 20;
   hasOldMessages: boolean = true;
@@ -87,6 +89,21 @@ export class ChatComponent implements OnInit, OnDestroy {
     });
   }
 
+  @HostListener('window:online')
+  onOnline() {
+    this.zone.run(() => {
+      this.isOffline = false;
+      this.toastrService.success('החיבור חודש', '', { duration: 3000 });
+      this.initializeMessageListener();
+      this.loadMissedMessages();
+    });
+  }
+
+  @HostListener('window:offline')
+  onOffline() {
+    this.zone.run(() => { this.isOffline = true; });
+  }
+
   @HostListener('window:scroll', [])
   onWindowScroll() {
     this.onListScroll();
@@ -169,10 +186,25 @@ export class ChatComponent implements OnInit, OnDestroy {
     localStorage.setItem('lastReadMessage', id);
   }
 
-  private async initializeMessageListener() {
+  private initializeMessageListener() {
     this.eventSource = this.chatService.sseListener();
-    this.eventSource.onmessage = (event) => {
 
+    this.eventSource.onopen = () => {
+      if (this.sseEverConnected) {
+        // Reconnect after a drop — fetch messages that arrived during the gap
+        this.zone.run(() => { this.isOffline = false; });
+        this.loadMissedMessages();
+      }
+      this.sseEverConnected = true;
+      this.lastHeartbeat = Date.now();
+    };
+
+    this.eventSource.onerror = () => {
+      // Browser will auto-retry with Last-Event-ID; we just track offline state
+      // via window:online/offline and the keepAlive heartbeat.
+    };
+
+    this.eventSource.onmessage = (event) => {
       this.lastHeartbeat = Date.now();
 
       const message = JSON.parse(event.data);
@@ -243,15 +275,35 @@ export class ChatComponent implements OnInit, OnDestroy {
 
   async keepAliveSSE() {
     clearInterval(this.subLastHeartbeat);
+    // Backend sends heartbeat every 25s; if 35s pass without one the SSE is dead.
     this.subLastHeartbeat = interval(10000)
       .subscribe(() => {
-        if (Date.now() - this.lastHeartbeat > 60000) {
+        if (Date.now() - this.lastHeartbeat > 35000) {
           this.lastHeartbeat = Date.now();
           this.initializeMessageListener();
-        };
+          this.loadMissedMessages();
+        }
       });
   }
 
+  private async loadMissedMessages() {
+    if (!this.messages.length) return;
+    const maxId = Math.max(...this.messages.map(m => m.id!));
+    try {
+      const missed = await firstValueFrom(this.chatService.getMessages(maxId, this.limit, 'asc'));
+      if (missed?.length) {
+        this.zone.run(() => {
+          this.messages.unshift(...missed.reverse());
+          this.hasNewMessages = missed.length >= this.limit;
+          this.thereNewMessages = true;
+          this.rebuildItems();
+        });
+      }
+    } catch {
+      // Best-effort; will retry on the next reconnect
+    }
+  }
+
   onListScroll() {
     const distanceFromBottom = document.documentElement.scrollHeight - window.innerHeight - window.scrollY;
     this.showScrollToBottom = distanceFromBottom > 100;

From e4f66ff43b883f8bc6c036ce55a5c606cf01267b Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 06:40:30 +0000
Subject: [PATCH 43/60] Fix scroll jumps and message duplicates on reconnect

Problems fixed:

1. Initial-load flash-then-jump: the list was visible during the 200ms
   between first render (showing newest messages) and scrollToId (jumping
   to last-unread). Fixed with isVisible / .chat-hidden: content stays
   invisible until scroll position is resolved, then appears already in
   the right place. setLastReadMessage is now called AFTER the jump so a
   page refresh still brings the user back to the unread position.

2. Duplicate messages after reconnect: loadMissedMessages (HTTP) and the
   browser SSE auto-reconnect (Last-Event-ID) could both deliver the same
   messages. Fixed with an existing-ID Set filter in loadMissedMessages and
   a same-ID guard in the SSE new-message case.

3. Scroll anchor in loadMissedMessages: adding many messages at the visual
   bottom could shift the viewport. Fixed by capturing the topmost visible
   element's bounding rect before the unshift and calling window.scrollBy
   to compensate the delta.

4. thereNewMessages badge shown unnecessarily: if the user was already at
   the bottom when missed messages arrived the badge now stays hidden and
   the view scrolls down automatically instead.

5. SSE new-message thereNewMessages: only shows badge when user is not at
   bottom (consistent with loadMissedMessages behaviour).

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../channel/chat/chat.component.html          |  3 +-
 .../channel/chat/chat.component.scss          |  6 ++
 .../components/channel/chat/chat.component.ts | 79 +++++++++++++++----
 3 files changed, 73 insertions(+), 15 deletions(-)

diff --git a/frontend/src/app/components/channel/chat/chat.component.html b/frontend/src/app/components/channel/chat/chat.component.html
index 8d3febf..8e78ae4 100644
--- a/frontend/src/app/components/channel/chat/chat.component.html
+++ b/frontend/src/app/components/channel/chat/chat.component.html
@@ -6,7 +6,8 @@
 }
 
 <div nbInfiniteList (scroll)="onListScroll()" [threshold]="300" [throttleTime]="1000" (topThreshold)="loadMessages()"
-  (bottomThreshold)="loadMessages({ scrollDown: true })" [listenWindowScroll]="true">
+  (bottomThreshold)="loadMessages({ scrollDown: true })" [listenWindowScroll]="true"
+  [class.chat-hidden]="!isVisible">
   <nb-list class="flex-column-reverse" [class.hide-scheduled-messages]="hideScheduledMessages">
 
     @for (msg of scheduledMessages; track $index) {
diff --git a/frontend/src/app/components/channel/chat/chat.component.scss b/frontend/src/app/components/channel/chat/chat.component.scss
index 4a36ae1..5a7d3f4 100644
--- a/frontend/src/app/components/channel/chat/chat.component.scss
+++ b/frontend/src/app/components/channel/chat/chat.component.scss
@@ -1,3 +1,9 @@
+// Hidden until the initial scroll-to-last-read is resolved so there is no
+// visible "flash at bottom then jump" on first load.
+.chat-hidden {
+  visibility: hidden;
+}
+
 .offline-banner {
   position: sticky;
   top: 0;
diff --git a/frontend/src/app/components/channel/chat/chat.component.ts b/frontend/src/app/components/channel/chat/chat.component.ts
index 845eb0b..9f4e9b4 100644
--- a/frontend/src/app/components/channel/chat/chat.component.ts
+++ b/frontend/src/app/components/channel/chat/chat.component.ts
@@ -63,6 +63,7 @@ export class ChatComponent implements OnInit, OnDestroy {
   userInfo?: User;
   isLoading: boolean = false;
   isOffline: boolean = false;
+  isVisible: boolean = false;   // hidden until initial scroll is resolved
   offset: number = 0;
   limit: number = 20;
   hasOldMessages: boolean = true;
@@ -168,17 +169,26 @@ export class ChatComponent implements OnInit, OnDestroy {
 
     this.loadMessages().then(() => {
       const lastReadMsg = Number(localStorage.getItem('lastReadMessage'));
-      const lastMsgId = this.messages[0].id!;
+      const lastMsgId = this.messages[0]?.id;
+      if (!lastMsgId) { this.isVisible = true; return; }
+
       if (lastReadMsg && lastReadMsg < lastMsgId) {
+        // Set the indicator BEFORE revealing the list so the line renders
+        // at the right position on first paint — no visible jump.
+        this.lastReadMessageId = lastReadMsg;
+        this.scrollToId({ messageId: lastReadMsg, smooth: false, mark: false });
+        // Wait one frame for scrollToId to finish (it may need to load more messages),
+        // then reveal. setLastReadMessage only after the user has actually seen the
+        // position — so a refresh still brings them back.
         setTimeout(() => {
-          this.scrollToId({ messageId: lastReadMsg, smooth: false, mark: false });
-          this.lastReadMessageId = lastReadMsg;
-        }, 200);
+          this.isVisible = true;
+          this.setLastReadMessage(lastMsgId.toString());
+        }, 350);
       } else {
         this.scrollToBottom(false);
+        this.isVisible = true;
+        this.setLastReadMessage(lastMsgId.toString());
       }
-
-      this.setLastReadMessage(lastMsgId.toString());
     });
   }
 
@@ -211,9 +221,10 @@ export class ChatComponent implements OnInit, OnDestroy {
       switch (message.type) {
         case 'new-message':
           if (this.hasNewMessages) break;
+          if (this.messages.some(m => m.id === message.message.id)) break; // dedup after reconnect
           this.zone.run(() => {
             this.messages.unshift(message.message);
-            this.thereNewMessages = !(message.message.author === this.userInfo?.username);
+            this.thereNewMessages = !this.isAtBottom() && !(message.message.author === this.userInfo?.username);
             this.setLastReadMessage(message.message.id!.toString());
             if (this.userInfo?.channelRoles && Object.keys(this.userInfo.channelRoles).length > 0 && this.scheduledMessages && message.message.author === "Scheduled") {
               this.loadScheduledMessages(true);
@@ -291,19 +302,59 @@ export class ChatComponent implements OnInit, OnDestroy {
     const maxId = Math.max(...this.messages.map(m => m.id!));
     try {
       const missed = await firstValueFrom(this.chatService.getMessages(maxId, this.limit, 'asc'));
-      if (missed?.length) {
-        this.zone.run(() => {
-          this.messages.unshift(...missed.reverse());
-          this.hasNewMessages = missed.length >= this.limit;
+      if (!missed?.length) return;
+
+      this.zone.run(() => {
+        // Deduplicate: SSE may have already delivered some of these via Last-Event-ID.
+        const existing = new Set(this.messages.map(m => m.id));
+        const fresh = missed.filter(m => !existing.has(m.id));
+        if (!fresh.length) return;
+
+        // Anchor the current scroll position so adding messages at the
+        // visual bottom (newest) does not shift the viewport.
+        const anchorEl = this.getScrollAnchorElement();
+        const anchorTop = anchorEl?.getBoundingClientRect().top ?? 0;
+
+        // fresh is in ascending order; reverse to prepend newest-first
+        this.messages.unshift(...[...fresh].reverse());
+        this.hasNewMessages = missed.length >= this.limit;
+        this.rebuildItems();
+
+        // Restore position relative to anchor so the user's view doesn't jump.
+        if (anchorEl) {
+          const delta = anchorEl.getBoundingClientRect().top - anchorTop;
+          window.scrollBy({ top: delta, behavior: 'instant' });
+        }
+
+        // Only flag badge if user is not already at the bottom.
+        if (this.isAtBottom()) {
+          this.thereNewMessages = false;
+          this.scrollToBottom(false);
+        } else {
           this.thereNewMessages = true;
-          this.rebuildItems();
-        });
-      }
+        }
+      });
     } catch {
       // Best-effort; will retry on the next reconnect
     }
   }
 
+  private isAtBottom(): boolean {
+    const distanceFromBottom =
+      document.documentElement.scrollHeight - window.innerHeight - window.scrollY;
+    return distanceFromBottom < 80;
+  }
+
+  private getScrollAnchorElement(): Element | null {
+    // Pick the topmost fully-visible message as the scroll anchor.
+    const items = document.querySelectorAll('nb-list-item');
+    for (const el of Array.from(items)) {
+      const rect = el.getBoundingClientRect();
+      if (rect.top >= 0 && rect.bottom <= window.innerHeight) return el;
+    }
+    return null;
+  }
+
   onListScroll() {
     const distanceFromBottom = document.documentElement.scrollHeight - window.innerHeight - window.scrollY;
     this.showScrollToBottom = distanceFromBottom > 100;

From 4f13ea7d78379065246a64fea9d529ec4a6227e6 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 06:59:54 +0000
Subject: [PATCH 44/60] Fix three regressions: channel switch stale state,
 empty-messages crash, scroll anchor jump

- channel.component.ts: add await Promise.resolve() between slugReady=false and
  slugReady=true so Angular CD actually destroys ChatComponent on channel switch;
  without it the same-tick toggle is collapsed and child state (isVisible, messages,
  lastReadMessageId) persists across slugs
- chat.component.ts: guard Math.max() with messages.length check to avoid -Infinity
  startId when loadMessages() is called with an empty array
- chat.component.ts: remove manual scroll-anchor/delta compensation in
  loadMissedMessages(); the browser's overflow-anchor CSS handles viewport
  preservation automatically for flex-column-reverse, and the manual scrollBy
  could cause visible jumps

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../components/channel/channel.component.ts   |  5 +++++
 .../components/channel/chat/chat.component.ts | 21 +++++++------------
 2 files changed, 12 insertions(+), 14 deletions(-)

diff --git a/frontend/src/app/components/channel/channel.component.ts b/frontend/src/app/components/channel/channel.component.ts
index b859c52..d8198a0 100644
--- a/frontend/src/app/components/channel/channel.component.ts
+++ b/frontend/src/app/components/channel/channel.component.ts
@@ -83,6 +83,11 @@ export class ChannelComponent implements OnInit, OnDestroy {
   private async initChannel(slug: string | null): Promise<void> {
     this.slugReady = false;
     this.noChannel = false;
+    // Yield to Angular's change detection so the @if (slugReady) block
+    // actually destroys ChatComponent before we reinitialise with the new slug.
+    // Without this, false→true in the same synchronous frame is collapsed and
+    // the child is never torn down, leaving stale state (isVisible, messages, etc).
+    await Promise.resolve();
 
     if (!slug) {
       const user = await this._authService.loadUserInfo();
diff --git a/frontend/src/app/components/channel/chat/chat.component.ts b/frontend/src/app/components/channel/chat/chat.component.ts
index 9f4e9b4..2220403 100644
--- a/frontend/src/app/components/channel/chat/chat.component.ts
+++ b/frontend/src/app/components/channel/chat/chat.component.ts
@@ -310,23 +310,16 @@ export class ChatComponent implements OnInit, OnDestroy {
         const fresh = missed.filter(m => !existing.has(m.id));
         if (!fresh.length) return;
 
-        // Anchor the current scroll position so adding messages at the
-        // visual bottom (newest) does not shift the viewport.
-        const anchorEl = this.getScrollAnchorElement();
-        const anchorTop = anchorEl?.getBoundingClientRect().top ?? 0;
-
-        // fresh is in ascending order; reverse to prepend newest-first
+        // fresh is in ascending order; reverse so newest is at index 0
         this.messages.unshift(...[...fresh].reverse());
         this.hasNewMessages = missed.length >= this.limit;
         this.rebuildItems();
 
-        // Restore position relative to anchor so the user's view doesn't jump.
-        if (anchorEl) {
-          const delta = anchorEl.getBoundingClientRect().top - anchorTop;
-          window.scrollBy({ top: delta, behavior: 'instant' });
-        }
-
-        // Only flag badge if user is not already at the bottom.
+        // The browser's overflow-anchor CSS property handles viewport
+        // preservation automatically when content is added at the visual
+        // bottom (flex-column-reverse puts new items there). We only need
+        // to act when the user is already at the bottom: scroll them to
+        // see the new messages immediately.
         if (this.isAtBottom()) {
           this.thereNewMessages = false;
           this.scrollToBottom(false);
@@ -390,7 +383,7 @@ export class ChatComponent implements OnInit, OnDestroy {
 
     opt.resetList && (this.offset = 0);
 
-    const maxId = Math.max(...this.messages.map(m => m.id!));
+    const maxId = this.messages.length ? Math.max(...this.messages.map(m => m.id!)) : 0;
     if (opt.scrollDown) {
       direction = "asc";
       startId = maxId;

From 18ac6d3ec502af6873ebee451134ad495f9f1b57 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 07:15:29 +0000
Subject: [PATCH 45/60] Fix 9 bugs across channel management, admin panel, and
 backend reliability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Frontend:
- admin.service: replace PrivilegeUser (old boolean flags) with ChannelUser
  {email, role} to match the backend's actual channel-user API shape; fix
  setChannelUsers payload key from { list } to { users } (backend was silently
  ignoring all updates)
- privileg-dashboard: rewrite to use role selector (moderator/writer) instead
  of admin/moderator/writer checkboxes; fix isOwner guard using channelRoles
  instead of privileges (buttons were permanently disabled); fix nullUser
  reference bug (spread into new object instead of aliasing)
- channel-header: store contextMenuService subscription and unsubscribe in
  ngOnDestroy — each channel switch was adding another persistent listener;
  fix logout() double-navigation where router.navigate(['/']) ran after the
  401 catch already navigated to /login
- channel.component: call magnetAds.clearCache() on channel switch so the
  next channel loads its own ad settings
- magnet-ads.service: add clearCache() method

Backend:
- auth.go: check idtoken.NewValidator error before using the validator — a nil
  validator would panic on the next line
- privileges.go / channels.go / main.go: convert initializePrivilegeUsers()
  from void+panic to error return; request handlers now log and continue
  instead of crashing the server on a transient Redis error; startup still
  panics as before

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 backend/auth.go                               |  5 +
 backend/channels.go                           | 13 ++-
 backend/main.go                               |  4 +-
 backend/privileges.go                         | 16 ++-
 .../privileg-dashboard.component.html         | 98 ++++++-------------
 .../privileg-dashboard.component.ts           | 76 +++++++-------
 .../channel-header.component.ts               | 22 ++++-
 .../components/channel/channel.component.ts   |  3 +
 frontend/src/app/services/admin.service.ts    | 15 ++-
 .../src/app/services/magnet-ads.service.ts    |  5 +
 10 files changed, 128 insertions(+), 129 deletions(-)

diff --git a/backend/auth.go b/backend/auth.go
index c3edfa6..6fe11e3 100644
--- a/backend/auth.go
+++ b/backend/auth.go
@@ -102,6 +102,11 @@ func login(w http.ResponseWriter, r *http.Request) {
 
 	tokenStr, _ := dyno.GetString(token.Extra("id_token"))
 	tokenValidator, err := idtoken.NewValidator(ctx)
+	if err != nil {
+		go saveLoginFailedLog("NewValidator", err)
+		http.Error(w, "error", http.StatusInternalServerError)
+		return
+	}
 	payload, err := tokenValidator.Validate(ctx, tokenStr, googleOAuthClientId)
 	if err != nil {
 		http.Error(w, "Invalid token", http.StatusUnauthorized)
diff --git a/backend/channels.go b/backend/channels.go
index b92b8d4..94bf20c 100644
--- a/backend/channels.go
+++ b/backend/channels.go
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"encoding/json"
+	"log"
 	"net/http"
 	"regexp"
 	"time"
@@ -157,7 +158,9 @@ func createChannel(w http.ResponseWriter, r *http.Request) {
 
 	if req.OwnerEmail != "" {
 		dbAssignChannelRole(ctx, req.OwnerEmail, req.Slug, RoleOwner)
-		initializePrivilegeUsers()
+		if err := initializePrivilegeUsers(); err != nil {
+			log.Printf("initializePrivilegeUsers after createChannel: %v", err)
+		}
 	}
 
 	w.Header().Set("Content-Type", "application/json")
@@ -271,7 +274,9 @@ func superAdminSetChannelUsers(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "error", http.StatusInternalServerError)
 		return
 	}
-	initializePrivilegeUsers()
+	if err := initializePrivilegeUsers(); err != nil {
+		log.Printf("initializePrivilegeUsers after superAdminSetChannelUsers: %v", err)
+	}
 
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(Response{Success: true})
@@ -394,7 +399,9 @@ func setChannelUsers(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "error", http.StatusInternalServerError)
 		return
 	}
-	initializePrivilegeUsers()
+	if err := initializePrivilegeUsers(); err != nil {
+		log.Printf("initializePrivilegeUsers after setChannelUsers: %v", err)
+	}
 
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(Response{Success: true})
diff --git a/backend/main.go b/backend/main.go
index 9a25728..5f1b76f 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -19,7 +19,9 @@ var rootStaticFolder = os.Getenv("ROOT_STATIC_FOLDER")
 func main() {
 	gob.Register(Session{})
 	initR2()
-	initializePrivilegeUsers()
+	if err := initializePrivilegeUsers(); err != nil {
+		panic(err)
+	}
 	go statLogger()
 
 	var err error
diff --git a/backend/privileges.go b/backend/privileges.go
index 4d50e85..02949ea 100644
--- a/backend/privileges.go
+++ b/backend/privileges.go
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"encoding/json"
+	"fmt"
 	"log"
 	"net/http"
 	"os"
@@ -35,7 +36,11 @@ var channelRoleLevels = map[ChannelRole]int{
 var privilegesUsers sync.Map
 var superAdminEmails []string
 
-func initializePrivilegeUsers() {
+// initializePrivilegeUsers rebuilds the in-memory privilegesUsers map from Redis.
+// At startup, call it directly (panicking is acceptable). From request handlers
+// use the returned error instead of panicking so a transient Redis error does not
+// crash the entire server.
+func initializePrivilegeUsers() error {
 	superAdminEmails = strings.Split(os.Getenv("ADMIN_USERS"), ",")
 
 	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
@@ -44,7 +49,7 @@ func initializePrivilegeUsers() {
 	privilegesUsers.Clear()
 	users, err := dbGetUsersList(ctx)
 	if err != nil && err != redis.Nil {
-		panic("Failed to get users list: " + err.Error())
+		return fmt.Errorf("get users list: %w", err)
 	}
 
 	emailToIdx := make(map[string]int)
@@ -72,8 +77,9 @@ func initializePrivilegeUsers() {
 	}
 
 	if err := dbSetUsersList(ctx, users); err != nil {
-		panic("Failed to set users list: " + err.Error())
+		return fmt.Errorf("set users list: %w", err)
 	}
+	return nil
 }
 
 func isSuperAdmin(r *http.Request) bool {
@@ -158,7 +164,9 @@ func setPrivilegeUsers(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	initializePrivilegeUsers()
+	if err := initializePrivilegeUsers(); err != nil {
+		log.Printf("initializePrivilegeUsers after setPrivilegeUsers: %v", err)
+	}
 
 	w.Header().Set("Content-Type", "application/json")
 	json.NewEncoder(w).Encode(Response{Success: true})
diff --git a/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.html b/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.html
index c4fa38f..44b97e8 100644
--- a/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.html
+++ b/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.html
@@ -3,13 +3,12 @@
     ניהול הרשאות משתמשים
   </nb-card-header>
   <nb-card-body>
+
     <nb-card>
-      <nb-card-header>
-        <span>הוספת משתמש מורשה חדש</span>
-      </nb-card-header>
+      <nb-card-header>הוספת משתמש מורשה חדש</nb-card-header>
       <nb-card-body>
         @if (!addingNewUser) {
-          <button nbButton status="primary" (click)="addingNewUser = true">
+          <button nbButton status="primary" [disabled]="!isOwner" (click)="addingNewUser = true">
             <nb-icon icon="plus"></nb-icon>
             הוסף מורשה
           </button>
@@ -17,28 +16,17 @@
 
         @if (addingNewUser) {
           <div class="d-flex flex-column gap-2">
-            <div>
-              <span>שם משתמש:</span><br>
-              <input nbInput fieldSize="small" type="text" [(ngModel)]="newUser.username" disabled><br>
-              <small>
-                מתעדכן עם כניסת המשתמש למערכת
-              </small>
-            </div>
             <div>
               <span>כתובת מייל:</span><br>
-              <input nbInput fieldSize="small" type="text" [(ngModel)]="newUser.email">
+              <input nbInput fieldSize="small" type="email" [(ngModel)]="newUserEmail" placeholder="user@example.com">
             </div>
             <div>
-              <span>שם שיופיע בעת פרסום הודעות:</span><br>
-              <input nbInput fieldSize="small" type="text" [(ngModel)]="newUser.publicName">
-            </div>
-            <div>
-              <span>הרשאות:</span>
-              <div class="d-flex flex-column">
-                <nb-checkbox [(ngModel)]="newUser.privileges['admin']">מנהל ראשי</nb-checkbox>
-                <nb-checkbox [(ngModel)]="newUser.privileges['moderator']">מנהל</nb-checkbox>
-                <nb-checkbox [(ngModel)]="newUser.privileges['writer']">כותב</nb-checkbox>
-              </div>
+              <span>תפקיד:</span><br>
+              <nb-select [(ngModel)]="newUserRole" size="small">
+                @for (opt of roleOptions; track opt.value) {
+                  <nb-option [value]="opt.value">{{ opt.label }}</nb-option>
+                }
+              </nb-select>
             </div>
             <div class="d-flex gap-2">
               <button nbButton status="primary" size="small" (click)="saveNewUser()">
@@ -55,60 +43,30 @@
       </nb-card-body>
     </nb-card>
 
-
-    @for (item of privilegeUsersList; track $index) {
-
+    @for (item of usersList; track $index) {
       <nb-card>
         <nb-card-body>
-          <div class="d-flex flex-column gap-2">
-            <div>
-              <span>
-                שם משתמש:
-              </span><br>
-              <input nbInput fieldSize="small" type="text" [(ngModel)]="item.username" disabled>
-            </div>
-            <div>
-              <span>
-                כתובת מייל:
-              </span><br>
-              <input nbInput fieldSize="small" type="text" [(ngModel)]="item.email" disabled>
-            </div>
-            <div>
-              <span>
-                שם שיופיע בעת פרסום הודעות:
-              </span><br>
-              <input nbInput fieldSize="small" type="text" [(ngModel)]="item.publicName">
-            </div>
-            <div>
-              <span>
-                הרשאות:
-              </span>
-              <div class="d-flex flex-column">
-                <nb-checkbox [(ngModel)]="item.privileges['admin']">
-                  מנהל ראשי
-                </nb-checkbox>
-                <nb-checkbox [(ngModel)]="item.privileges['moderator']">
-                  מנהל
-                </nb-checkbox>
-                <nb-checkbox [(ngModel)]="item.privileges['writer']">
-                  כותב
-                </nb-checkbox>
-              </div>
-            </div>
-            <div>
-              <button nbButton status="danger" size="small" (click)="deleteUser($index)"
-                [disabled]="!authService.userInfo?.privileges?.['admin']">
-                <nb-icon icon="trash-2"></nb-icon>
-                מחק משתמש
-              </button>
-            </div>
+          <div class="d-flex flex-row align-items-center gap-3 flex-wrap">
+            <span class="flex-grow-1">{{ item.email }}</span>
+            <nb-select [(ngModel)]="item.role" size="small" [disabled]="!isOwner">
+              @for (opt of roleOptions; track opt.value) {
+                <nb-option [value]="opt.value">{{ opt.label }}</nb-option>
+              }
+            </nb-select>
+            <button nbButton status="danger" size="small" [disabled]="!isOwner" (click)="deleteUser($index)">
+              <nb-icon icon="trash-2"></nb-icon>
+            </button>
           </div>
         </nb-card-body>
       </nb-card>
     }
+
+    @if (!usersList.length) {
+      <p class="text-muted mt-2">אין משתמשים מורשים לערוץ זה.</p>
+    }
+
   </nb-card-body>
   <nb-card-footer>
-    <button nbButton status="primary" (click)="saveChanges()"
-    [disabled]="!authService.userInfo?.privileges?.['admin']">שמור</button>
+    <button nbButton status="primary" [disabled]="!isOwner" (click)="saveChanges()">שמור</button>
   </nb-card-footer>
-</nb-card>
\ No newline at end of file
+</nb-card>
diff --git a/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.ts b/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.ts
index 79782bd..de66d4f 100644
--- a/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.ts
+++ b/frontend/src/app/components/admin/privileg-dashboard/privileg-dashboard.component.ts
@@ -1,9 +1,9 @@
 import { Component, OnInit } from '@angular/core';
-import { AdminService, PrivilegeUser } from '../../../services/admin.service';
-import { NbButtonModule, NbCardModule, NbInputModule, NbToastrService, NbIconModule, NbCheckboxModule } from "@nebular/theme";
+import { AdminService, ChannelUser } from '../../../services/admin.service';
+import { NbButtonModule, NbCardModule, NbInputModule, NbToastrService, NbIconModule, NbSelectModule } from "@nebular/theme";
 import { FormsModule } from '@angular/forms';
-
 import { AuthService } from '../../../services/auth.service';
+import { SlugService } from '../../../services/slug.service';
 
 @Component({
   selector: 'app-privileg-dashboard',
@@ -13,8 +13,8 @@ import { AuthService } from '../../../services/auth.service';
     NbInputModule,
     FormsModule,
     NbIconModule,
-    NbCheckboxModule
-],
+    NbSelectModule,
+  ],
   templateUrl: './privileg-dashboard.component.html',
   styleUrl: './privileg-dashboard.component.scss'
 })
@@ -22,59 +22,59 @@ export class PrivilegDashboardComponent implements OnInit {
 
   constructor(
     private adminService: AdminService,
-    private tostService: NbToastrService,
+    private toastService: NbToastrService,
     public authService: AuthService,
+    private slugService: SlugService,
   ) { }
 
-  privilegeUsersList: PrivilegeUser[] = [];
-  addingNewUser: boolean = false;
-  newUser: PrivilegeUser = {
-    username: '',
-    publicName: '',
-    email: '',
-    privileges: {
-      admin: false,
-      moderator: false,
-      writer: false
-    }
-  };
+  usersList: ChannelUser[] = [];
+  addingNewUser = false;
+  newUserEmail = '';
+  newUserRole: 'moderator' | 'writer' = 'writer';
+
+  readonly roleOptions = [
+    { value: 'moderator', label: 'מנהל' },
+    { value: 'writer', label: 'כותב' },
+  ];
+
+  get isOwner(): boolean {
+    const roles = this.authService.userInfo?.channelRoles;
+    if (this.authService.userInfo?.globalRole === 'super_admin') return true;
+    return roles?.[this.slugService.slug] === 'owner';
+  }
 
   ngOnInit(): void {
-    this.adminService.getPrivilegeUsersList()
-      .then(list => this.privilegeUsersList = list)
+    this.adminService.getChannelUsers()
+      .then(list => this.usersList = list)
+      .catch(() => this.toastService.danger('', 'שגיאה בטעינת המשתמשים'));
   }
 
   saveChanges() {
-    this.adminService.setPrivilegeUsers(this.privilegeUsersList)
-      .then(() => this.tostService.success('', 'השינוים נשמרו בהצלחה!'))
-      .catch(() => this.tostService.danger('', 'שגיאה בשמירת השינוים'));
+    this.adminService.setChannelUsers(this.usersList)
+      .then(() => this.toastService.success('', 'השינויים נשמרו בהצלחה!'))
+      .catch(() => this.toastService.danger('', 'שגיאה בשמירת השינויים'));
   }
 
   deleteUser(index: number) {
     if (!confirm('האם אתה בטוח שברצונך למחוק את המשתמש הזה?')) return;
-    this.privilegeUsersList.splice(index, 1);
+    this.usersList.splice(index, 1);
   }
 
   saveNewUser() {
-    if (!this.newUser.email) return;
-    this.privilegeUsersList.push(this.newUser);
-    this.newUser = this.nullUser;
+    if (!this.newUserEmail) return;
+    this.usersList.push({ email: this.newUserEmail, role: this.newUserRole });
+    this.newUserEmail = '';
+    this.newUserRole = 'writer';
     this.addingNewUser = false;
   }
 
   resetNewUser() {
-    this.newUser = this.nullUser;
+    this.newUserEmail = '';
+    this.newUserRole = 'writer';
     this.addingNewUser = false;
   }
 
-  nullUser: PrivilegeUser = {
-    username: '',
-    publicName: '',
-    email: '',
-    privileges: {
-      admin: false,
-      moderator: false,
-      writer: false
-    }
-  };
+  getRoleLabel(role: string): string {
+    return this.roleOptions.find(o => o.value === role)?.label ?? role;
+  }
 }
diff --git a/frontend/src/app/components/channel/channel-header/channel-header.component.ts b/frontend/src/app/components/channel/channel-header/channel-header.component.ts
index 1bf89bd..a7cb292 100644
--- a/frontend/src/app/components/channel/channel-header/channel-header.component.ts
+++ b/frontend/src/app/components/channel/channel-header/channel-header.component.ts
@@ -1,4 +1,5 @@
-import { Component, EventEmitter, HostListener, Input, OnInit, Output } from '@angular/core';
+import { Component, EventEmitter, HostListener, Input, OnDestroy, OnInit, Output } from '@angular/core';
+import { Subscription } from 'rxjs';
 
 import {
   NbButtonModule,
@@ -30,7 +31,8 @@ import { User } from '../../../models/user.model';
   templateUrl: './channel-header.component.html',
   styleUrl: './channel-header.component.scss'
 })
-export class ChannelHeaderComponent implements OnInit {
+export class ChannelHeaderComponent implements OnInit, OnDestroy {
+  private menuSub?: Subscription;
 
   @Input()
   set userInfo(user: User | undefined) {
@@ -85,7 +87,7 @@ export class ChannelHeaderComponent implements OnInit {
     this.chatService.updateChannelInfo()
       .then(() => this.titleService.setTitle(this.chatService.channelInfo?.name || 'TheChannel'));
 
-    this.contextMenuService.onItemClick()
+    this.menuSub = this.contextMenuService.onItemClick()
       .pipe(filter(({ tag }) => tag === this.userMenuTag))
       .subscribe(value => {
         switch (value.item.icon) {
@@ -104,11 +106,23 @@ export class ChannelHeaderComponent implements OnInit {
     this.updateScreenSize();
   }
 
+  ngOnDestroy() {
+    this.menuSub?.unsubscribe();
+  }
+
   async logout() {
     if (await this._authService.logout()) {
       this.userInfo = undefined;
       this.userInfoChange.emit(undefined);
-      this.router.navigate(['/']);
+      try {
+        await this._authService.loadUserInfo();
+        // Still logged in somehow — go to root and let AuthGuard decide
+        this.router.navigate(['/']);
+      } catch (err: any) {
+        if (err.status === 401) {
+          this.router.navigate(['/login']);
+        }
+      }
     } else {
       this.toastrService.danger("", "שגיאה בהתנתקות");
     }
diff --git a/frontend/src/app/components/channel/channel.component.ts b/frontend/src/app/components/channel/channel.component.ts
index d8198a0..aaa8e92 100644
--- a/frontend/src/app/components/channel/channel.component.ts
+++ b/frontend/src/app/components/channel/channel.component.ts
@@ -19,6 +19,7 @@ import { ActivatedRoute, Router } from '@angular/router';
 import { SlugService } from '../../services/slug.service';
 import { AdminService } from '../../services/admin.service';
 import { ChatService } from '../../services/chat.service';
+import { MagnetAdsService } from '../../services/magnet-ads.service';
 import { Subscription } from 'rxjs';
 
 @Component({
@@ -59,6 +60,7 @@ export class ChannelComponent implements OnInit, OnDestroy {
     private slugService: SlugService,
     private adminService: AdminService,
     private chatService: ChatService,
+    private magnetAds: MagnetAdsService,
   ) { }
 
   ad: Ad = { src: '', width: 0 };
@@ -104,6 +106,7 @@ export class ChannelComponent implements OnInit, OnDestroy {
     this.slugService.slug = slug;
     this.chatService.channelInfo = undefined;
     this.adminService.clearCache();
+    this.magnetAds.clearCache();
     this.slugReady = true;
 
     this.adsService.getAds().then(ad => {
diff --git a/frontend/src/app/services/admin.service.ts b/frontend/src/app/services/admin.service.ts
index 4a434ae..30db514 100644
--- a/frontend/src/app/services/admin.service.ts
+++ b/frontend/src/app/services/admin.service.ts
@@ -8,12 +8,9 @@ import { Reports, Report } from '../models/report.model';
 import { Statistics } from '../models/statistics.model';
 import { SlugService } from './slug.service';
 
-export interface PrivilegeUser {
-  id?: string;
-  username: string;
+export interface ChannelUser {
   email: string;
-  publicName: string;
-  privileges: Record<string, boolean>;
+  role: 'owner' | 'moderator' | 'writer' | '';
 }
 
 export type EditMsg = {
@@ -85,12 +82,12 @@ export class AdminService {
     });
   }
 
-  getPrivilegeUsersList(): Promise<PrivilegeUser[]> {
-    return firstValueFrom(this.http.get<PrivilegeUser[]>(`/api/channel/${this.slug}/admin/users/get`));
+  getChannelUsers(): Promise<ChannelUser[]> {
+    return firstValueFrom(this.http.get<ChannelUser[]>(`/api/channel/${this.slug}/admin/users/get`));
   }
 
-  setPrivilegeUsers(privilegeUsers: PrivilegeUser[]): Promise<ResponseResult> {
-    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/users/set`, { list: privilegeUsers }));
+  setChannelUsers(users: ChannelUser[]): Promise<ResponseResult> {
+    return firstValueFrom(this.http.post<ResponseResult>(`/api/channel/${this.slug}/admin/users/set`, { users }));
   }
 
   setEmojis(emojis: string[] | undefined) {
diff --git a/frontend/src/app/services/magnet-ads.service.ts b/frontend/src/app/services/magnet-ads.service.ts
index 34d7a2a..40c031c 100644
--- a/frontend/src/app/services/magnet-ads.service.ts
+++ b/frontend/src/app/services/magnet-ads.service.ts
@@ -19,6 +19,11 @@ export class MagnetAdsService {
 
   constructor(private slugService: SlugService) {}
 
+  clearCache() {
+    this.settings = null;
+    this.settingsPromise = null;
+  }
+
   loadSettings(force = false): Promise<MagnetSettings | null> {
     if (this.settings && !force) return Promise.resolve(this.settings);
     if (this.settingsPromise && !force) return this.settingsPromise;

From b83526b92f7f9f58d5bf9ebf1d836b81dc48b9e5 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 09:36:35 +0000
Subject: [PATCH 46/60] Fix Docker build: upgrade to Go 1.25, add dep caching,
 remove go mod tidy
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- golang:1.24 → golang:1.25 (transitive dep now requires >=1.25)
- Remove go mod tidy from Dockerfile — go.sum is committed and correct,
  running tidy at build time downloads everything unnecessarily
- Split backend COPY into two steps: go.mod/go.sum first + go mod download,
  then source files. Docker caches the download layer when only .go files
  change, so repeated builds skip the multi-minute dependency download

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index b089d5c..99f7ce6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,9 +9,12 @@ FROM golang:1.25 AS builder2
 
 WORKDIR /app
 
+# Copy dependency manifests first so this layer is cached when only source changes
+COPY ./backend/go.mod ./backend/go.sum ./
+RUN go mod download
+
 COPY ./backend .
 COPY --from=builder1 /app/dist/channel/browser/favicon.ico assets
-RUN go mod tidy
 RUN go build -o the-channel .
 
 FROM debian:latest

From f2adf81da24359c9f41ef832ff85fb903151ee34 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 09:39:36 +0000
Subject: [PATCH 47/60] chore: normalize Dockerfile AS keyword casing

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 99f7ce6..24f9d47 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:20 as builder1
+FROM node:20 AS builder1
 
 WORKDIR /app
 COPY ./frontend .

From 6a1f669eda37284a7371d80906d661fb4fc05da4 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 10:33:17 +0000
Subject: [PATCH 48/60] Fix duplicate /api/super-admin route causing startup
 panic

Merge conflict left two r.Route("/api/super-admin") blocks; chi panics
on duplicate path registration. Moved channel-request admin routes into
the existing super-admin block.

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 backend/main.go | 12 +++---------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/backend/main.go b/backend/main.go
index 5f1b76f..0425438 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -78,20 +78,14 @@ func main() {
 		r.Get("/channels/{slug}/storage", getSuperAdminChannelStorage)
 		r.Put("/channels/{slug}/storage", setSuperAdminChannelStorage)
 		r.Post("/statistics/reset", resetStatistics)
-	})
-
-	// Public: submit channel request (no auth required)
-	r.Post("/api/channel-request", submitChannelRequest)
-
-	// Super admin: manage channel requests
-	r.Route("/api/super-admin", func(r chi.Router) {
-		r.Use(checkLogin)
-		r.Use(requireSuperAdmin)
 		r.Get("/channel-requests", listChannelRequests)
 		r.Post("/channel-requests/{id}/approve", approveChannelRequest)
 		r.Post("/channel-requests/{id}/reject", rejectChannelRequest)
 	})
 
+	// Public: submit channel request (no auth required)
+	r.Post("/api/channel-request", submitChannelRequest)
+
 	// Per-channel API import (with API key, no channel middleware needed - slug from URL)
 	r.Post("/api/channel/{slug}/import/post", addNewPost)
 

From 8efa495646d26d858b0fe2099ad2708cbcc73005 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 11:48:31 +0000
Subject: [PATCH 49/60] Fix styling flash: suppress landing page until auth
 check completes

After Google login, redirect to /channel directly instead of / to avoid
rendering the landing page. Also suppress the landing page DOM until the
auth check resolves so logged-in users navigating to / see nothing before
the redirect fires.

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../src/app/components/landing/landing-page.component.ts     | 5 +++++
 frontend/src/app/components/login/login.component.ts         | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/frontend/src/app/components/landing/landing-page.component.ts b/frontend/src/app/components/landing/landing-page.component.ts
index 8b828d3..43e33a5 100644
--- a/frontend/src/app/components/landing/landing-page.component.ts
+++ b/frontend/src/app/components/landing/landing-page.component.ts
@@ -26,6 +26,7 @@ import { ChannelRequestService } from '../../services/channel-request.service';
   ],
   styleUrl: './landing-page.component.scss',
   template: `
+    @if (!isChecking) {
     <!-- Navbar -->
     <nav class="d-flex justify-content-between align-items-center px-4 py-3 border-bottom bg-white">
       <a nbButton status="primary" [routerLink]="['/login']">התחבר</a>
@@ -193,9 +194,11 @@ import { ChannelRequestService } from '../../services/channel-request.service';
     <footer class="footer">
       <span>TheChannel &copy; 2024</span>
     </footer>
+    } <!-- end @if (!isChecking) -->
   `,
 })
 export class LandingPageComponent implements OnInit {
+  isChecking = true;
   reqName = '';
   reqEmail = '';
   reqSlug = '';
@@ -219,10 +222,12 @@ export class LandingPageComponent implements OnInit {
         } else {
           this.router.navigate(['/channel']);
         }
+        return;
       }
     } catch {
       // Not logged in — show the landing page
     }
+    this.isChecking = false;
   }
 
   scrollToForm(event: Event) {
diff --git a/frontend/src/app/components/login/login.component.ts b/frontend/src/app/components/login/login.component.ts
index c7795a4..c9a6ebe 100644
--- a/frontend/src/app/components/login/login.component.ts
+++ b/frontend/src/app/components/login/login.component.ts
@@ -67,7 +67,7 @@ export class LoginComponent implements OnInit {
       return;
     }
 
-    this.router.navigate(['/']);
+    this.router.navigate(['/channel']);
   }
 
   login() {

From ee381c4cb1ffa76f295d5a268fb195534cb9b3d9 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 11:53:47 +0000
Subject: [PATCH 50/60] Remove bootstrap-icons npm package (loaded via CDN)

The icon font is imported from jsDelivr CDN in styles.scss; the local
npm package only installed ~60 MB of SVG files that were causing
"no space left on device" failures on the Caprover build server.

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 frontend/package-lock.json | 17 -----------------
 frontend/package.json      |  1 -
 2 files changed, 18 deletions(-)

diff --git a/frontend/package-lock.json b/frontend/package-lock.json
index cc82ce0..2af4dc8 100644
--- a/frontend/package-lock.json
+++ b/frontend/package-lock.json
@@ -28,7 +28,6 @@
         "@popperjs/core": "^2.11.8",
         "angular-markdown-editor": "^3.1.1",
         "bootstrap": "^5.3.3",
-        "bootstrap-icons": "^1.11.3",
         "chart.js": "^4.3.0",
         "chartjs-plugin-zoom": "^2.2.0",
         "eva-icons": "^1.1.3",
@@ -5405,22 +5404,6 @@
         "@popperjs/core": "^2.11.8"
       }
     },
-    "node_modules/bootstrap-icons": {
-      "version": "1.13.1",
-      "resolved": "https://registry.npmjs.org/bootstrap-icons/-/bootstrap-icons-1.13.1.tgz",
-      "integrity": "sha512-ijombt4v6bv5CLeXvRWKy7CuM3TRTuPEuGaGKvTV5cz65rQSY8RQ2JcHt6b90cBBAC7s8fsf2EkQDldzCoXUjw==",
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/twbs"
-        },
-        {
-          "type": "opencollective",
-          "url": "https://opencollective.com/bootstrap"
-        }
-      ],
-      "license": "MIT"
-    },
     "node_modules/bootstrap-markdown": {
       "version": "2.10.0",
       "resolved": "git+ssh://git@github.com/refactory-id/bootstrap-markdown.git#a496d34b9bd34451c8315a850472f794c8df7d53",
diff --git a/frontend/package.json b/frontend/package.json
index 293730c..a8a2b13 100644
--- a/frontend/package.json
+++ b/frontend/package.json
@@ -30,7 +30,6 @@
     "@popperjs/core": "^2.11.8",
     "angular-markdown-editor": "^3.1.1",
     "bootstrap": "^5.3.3",
-    "bootstrap-icons": "^1.11.3",
     "chart.js": "^4.3.0",
     "chartjs-plugin-zoom": "^2.2.0",
     "eva-icons": "^1.1.3",

From ff052c85cbc88fd5d0d230d54f6c864d3cfa9607 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 12:04:54 +0000
Subject: [PATCH 51/60] chore: trigger redeploy after disk cleanup

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx

From 920f31e16ec1b284cac3e6f38a84f249c85dd60a Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 12:13:11 +0000
Subject: [PATCH 52/60] Fix super-admin panel: wrap with nb-layout for Nebular
 theme to apply
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

nb-card and nb-menu were rendered without nb-layout, so Nebular's CSS
custom properties were never initialised — components appeared completely
unstyled. Replace the card-based root with a proper nb-layout/nb-sidebar
structure that mirrors how the channel view is built.

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../super-admin-panel.component.html          | 107 +++++++++---------
 .../super-admin-panel.component.scss          |   6 -
 .../super-admin-panel.component.ts            |   4 +-
 3 files changed, 55 insertions(+), 62 deletions(-)

diff --git a/frontend/src/app/components/super-admin/super-admin-panel.component.html b/frontend/src/app/components/super-admin/super-admin-panel.component.html
index 8f6b14c..25d400f 100644
--- a/frontend/src/app/components/super-admin/super-admin-panel.component.html
+++ b/frontend/src/app/components/super-admin/super-admin-panel.component.html
@@ -1,58 +1,57 @@
-<nb-card class="super-admin-panel-card" [size]="'giant'">
-  <nb-card-body class="d-flex flex-row">
+<nb-layout>
+  <nb-layout-header fixed>
+    <span style="font-weight: 600; font-size: 1.1rem;">ניהול מערכת</span>
+  </nb-layout-header>
+
+  <nb-sidebar right>
     <nb-menu [items]="navigationMenu" [tag]="MENU_TAG"></nb-menu>
+  </nb-sidebar>
 
-    <!-- Divider -->
-    <div class="vr text-black-50 mx-3"></div>
+  <nb-layout-column>
+    @if (selectedView === VIEW_CHANNEL_FEATURES || selectedView === VIEW_CHANNEL_USERS || selectedView === VIEW_CHANNEL_STORAGE) {
+      <div class="mb-3">
+        <button nbButton size="small" appearance="outline" (click)="backToChannels()">← חזרה לרשימת הערוצים</button>
+      </div>
+    }
 
-    <div class="flex-grow-1 overflow-auto">
-      @if (selectedView === VIEW_CHANNEL_FEATURES || selectedView === VIEW_CHANNEL_USERS || selectedView === VIEW_CHANNEL_STORAGE) {
-        <div class="mb-3">
-          <button class="btn btn-sm btn-outline-secondary" (click)="backToChannels()">
-            ← חזרה לרשימת הערוצים
-          </button>
-        </div>
+    @switch (selectedView) {
+      @case (VIEW_REQUESTS) {
+        <app-channel-requests></app-channel-requests>
       }
-
-      @switch (selectedView) {
-        @case (VIEW_REQUESTS) {
-          <app-channel-requests></app-channel-requests>
-        }
-        @case (VIEW_CHANNELS) {
-          <app-channels-list
-            (editFeatures)="onEditFeatures($event)"
-            (manageUsers)="onManageUsers($event)"
-            (manageStorage)="onManageStorage($event)">
-          </app-channels-list>
-        }
-        @case (VIEW_CHANNEL_FEATURES) {
-          <app-channel-features [slug]="selectedChannelSlug"></app-channel-features>
-        }
-        @case (VIEW_CHANNEL_USERS) {
-          <app-channel-users [slug]="selectedChannelSlug"></app-channel-users>
-        }
-        @case (VIEW_CHANNEL_STORAGE) {
-          <app-super-admin-storage [slug]="selectedChannelSlug"></app-super-admin-storage>
-        }
-        @case (VIEW_GLOBAL_STORAGE) {
-          <app-global-storage></app-global-storage>
-        }
-        @case (VIEW_ADS) {
-          <app-global-ads></app-global-ads>
-        }
-        @case (VIEW_MAGNET) {
-          <app-global-magnet></app-global-magnet>
-        }
-        @case (VIEW_USERS) {
-          <app-global-users></app-global-users>
-        }
-        @case (VIEW_SETTINGS) {
-          <app-global-settings></app-global-settings>
-        }
-        @case (VIEW_STATISTICS) {
-          <app-super-admin-statistics></app-super-admin-statistics>
-        }
-      }
-    </div>
-  </nb-card-body>
-</nb-card>
+      @case (VIEW_CHANNELS) {
+        <app-channels-list
+          (editFeatures)="onEditFeatures($event)"
+          (manageUsers)="onManageUsers($event)"
+          (manageStorage)="onManageStorage($event)">
+        </app-channels-list>
+      }
+      @case (VIEW_CHANNEL_FEATURES) {
+        <app-channel-features [slug]="selectedChannelSlug"></app-channel-features>
+      }
+      @case (VIEW_CHANNEL_USERS) {
+        <app-channel-users [slug]="selectedChannelSlug"></app-channel-users>
+      }
+      @case (VIEW_CHANNEL_STORAGE) {
+        <app-super-admin-storage [slug]="selectedChannelSlug"></app-super-admin-storage>
+      }
+      @case (VIEW_GLOBAL_STORAGE) {
+        <app-global-storage></app-global-storage>
+      }
+      @case (VIEW_ADS) {
+        <app-global-ads></app-global-ads>
+      }
+      @case (VIEW_MAGNET) {
+        <app-global-magnet></app-global-magnet>
+      }
+      @case (VIEW_USERS) {
+        <app-global-users></app-global-users>
+      }
+      @case (VIEW_SETTINGS) {
+        <app-global-settings></app-global-settings>
+      }
+      @case (VIEW_STATISTICS) {
+        <app-super-admin-statistics></app-super-admin-statistics>
+      }
+    }
+  </nb-layout-column>
+</nb-layout>
diff --git a/frontend/src/app/components/super-admin/super-admin-panel.component.scss b/frontend/src/app/components/super-admin/super-admin-panel.component.scss
index 9e80539..d4b2347 100644
--- a/frontend/src/app/components/super-admin/super-admin-panel.component.scss
+++ b/frontend/src/app/components/super-admin/super-admin-panel.component.scss
@@ -3,9 +3,3 @@
   width: 100%;
   height: 100%;
 }
-
-.super-admin-panel-card {
-  height: 100%;
-  width: 100%;
-  margin: 0;
-}
diff --git a/frontend/src/app/components/super-admin/super-admin-panel.component.ts b/frontend/src/app/components/super-admin/super-admin-panel.component.ts
index 5b3ebc2..99ac06b 100644
--- a/frontend/src/app/components/super-admin/super-admin-panel.component.ts
+++ b/frontend/src/app/components/super-admin/super-admin-panel.component.ts
@@ -1,7 +1,7 @@
 import { Component, OnInit } from '@angular/core';
 import { CommonModule } from '@angular/common';
 import {
-  NbCardModule,
+  NbButtonModule,
   NbLayoutModule,
   NbMenuItem,
   NbMenuModule,
@@ -30,7 +30,7 @@ type ViewName = 'channels' | 'channel-features' | 'channel-users' | 'channel-sto
     NbLayoutModule,
     NbSidebarModule,
     NbMenuModule,
-    NbCardModule,
+    NbButtonModule,
     ChannelsListComponent,
     ChannelFeaturesComponent,
     ChannelUsersComponent,

From b029d71f797f4117d6caf9fcb9473623e7a776e7 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 12:20:55 +0000
Subject: [PATCH 53/60] Add logout button to super-admin panel header

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../super-admin-panel.component.html          |  8 +++++++-
 .../super-admin-panel.component.ts            | 20 ++++++++++++++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/frontend/src/app/components/super-admin/super-admin-panel.component.html b/frontend/src/app/components/super-admin/super-admin-panel.component.html
index 25d400f..ad62d49 100644
--- a/frontend/src/app/components/super-admin/super-admin-panel.component.html
+++ b/frontend/src/app/components/super-admin/super-admin-panel.component.html
@@ -1,6 +1,12 @@
 <nb-layout>
   <nb-layout-header fixed>
-    <span style="font-weight: 600; font-size: 1.1rem;">ניהול מערכת</span>
+    <div style="display:flex; justify-content:space-between; align-items:center; width:100%;">
+      <button nbButton ghost status="basic" (click)="logout()">
+        <nb-icon icon="log-out-outline"></nb-icon>
+        התנתק
+      </button>
+      <span style="font-weight: 600; font-size: 1.1rem;">ניהול מערכת</span>
+    </div>
   </nb-layout-header>
 
   <nb-sidebar right>
diff --git a/frontend/src/app/components/super-admin/super-admin-panel.component.ts b/frontend/src/app/components/super-admin/super-admin-panel.component.ts
index 99ac06b..9be3d0b 100644
--- a/frontend/src/app/components/super-admin/super-admin-panel.component.ts
+++ b/frontend/src/app/components/super-admin/super-admin-panel.component.ts
@@ -2,12 +2,16 @@ import { Component, OnInit } from '@angular/core';
 import { CommonModule } from '@angular/common';
 import {
   NbButtonModule,
+  NbIconModule,
   NbLayoutModule,
   NbMenuItem,
   NbMenuModule,
   NbMenuService,
   NbSidebarModule,
+  NbToastrService,
 } from '@nebular/theme';
+import { Router } from '@angular/router';
+import { AuthService } from '../../services/auth.service';
 import { ChannelsListComponent } from './channels/channels-list.component';
 import { ChannelFeaturesComponent } from './channels/channel-features.component';
 import { ChannelUsersComponent } from './channels/channel-users.component';
@@ -31,6 +35,7 @@ type ViewName = 'channels' | 'channel-features' | 'channel-users' | 'channel-sto
     NbSidebarModule,
     NbMenuModule,
     NbButtonModule,
+    NbIconModule,
     ChannelsListComponent,
     ChannelFeaturesComponent,
     ChannelUsersComponent,
@@ -75,7 +80,20 @@ export class SuperAdminPanelComponent implements OnInit {
     { title: 'סטטיסטיקות', icon: 'bar-chart-outline' },
   ];
 
-  constructor(private menuService: NbMenuService) {}
+  constructor(
+    private menuService: NbMenuService,
+    private authService: AuthService,
+    private router: Router,
+    private toastr: NbToastrService,
+  ) {}
+
+  async logout() {
+    if (await this.authService.logout()) {
+      this.router.navigate(['/login']);
+    } else {
+      this.toastr.danger('', 'שגיאה בהתנתקות');
+    }
+  }
 
   ngOnInit(): void {
     this.menuService.onItemClick().subscribe(event => {

From 51f4e30561ebefbff8360c5e5290921d5848f499 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 12:30:13 +0000
Subject: [PATCH 54/60] Fix ngModel binding in create-channel form: add name
 attributes

Without name attributes, Angular's ngModel may not update the component
property, causing the validation check to see empty values even when the
user has typed into the fields. Also surface the actual backend error
message in the toastr so slug-format errors are visible.

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../super-admin/channels/channels-list.component.html       | 6 +++---
 .../super-admin/channels/channels-list.component.ts         | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/frontend/src/app/components/super-admin/channels/channels-list.component.html b/frontend/src/app/components/super-admin/channels/channels-list.component.html
index a94e472..16ee3c7 100644
--- a/frontend/src/app/components/super-admin/channels/channels-list.component.html
+++ b/frontend/src/app/components/super-admin/channels/channels-list.component.html
@@ -17,15 +17,15 @@
           <div class="d-flex flex-column gap-2">
             <div>
               <label class="field-label">Slug (מזהה ייחודי)</label>
-              <input nbInput fullWidth type="text" [(ngModel)]="newSlug" placeholder="my-channel">
+              <input nbInput fullWidth type="text" name="newSlug" [(ngModel)]="newSlug" placeholder="my-channel">
             </div>
             <div>
               <label class="field-label">שם הערוץ</label>
-              <input nbInput fullWidth type="text" [(ngModel)]="newName" placeholder="שם הערוץ">
+              <input nbInput fullWidth type="text" name="newName" [(ngModel)]="newName" placeholder="שם הערוץ">
             </div>
             <div>
               <label class="field-label">אימייל הבעלים</label>
-              <input nbInput fullWidth type="email" [(ngModel)]="newOwnerEmail" placeholder="owner@example.com">
+              <input nbInput fullWidth type="email" name="newOwnerEmail" [(ngModel)]="newOwnerEmail" placeholder="owner@example.com">
             </div>
             <div class="d-flex gap-2">
               <button nbButton status="primary" size="small" (click)="createChannel()" [disabled]="creating">
diff --git a/frontend/src/app/components/super-admin/channels/channels-list.component.ts b/frontend/src/app/components/super-admin/channels/channels-list.component.ts
index 94a67d7..5765349 100644
--- a/frontend/src/app/components/super-admin/channels/channels-list.component.ts
+++ b/frontend/src/app/components/super-admin/channels/channels-list.component.ts
@@ -65,7 +65,7 @@ export class ChannelsListComponent implements OnInit {
         this.newOwnerEmail = '';
         this.toastr.success('', 'הערוץ נוצר בהצלחה');
       })
-      .catch(() => this.toastr.danger('', 'שגיאה ביצירת הערוץ'))
+      .catch((err) => this.toastr.danger(err?.error || '', 'שגיאה ביצירת הערוץ'))
       .finally(() => this.creating = false);
   }
 

From 6b1460557e835ef39b86207f47bf72566bd2dfce Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 12:37:05 +0000
Subject: [PATCH 55/60] Show channel request form for users without channel
 access

Instead of a plain text message, users without any channel role see a
proper Nebular-styled form pre-filled with their name/email, along with
a logout button in the header.

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../components/channel/channel.component.html | 62 ++++++++++++++++++-
 .../components/channel/channel.component.scss | 12 ++++
 .../components/channel/channel.component.ts   | 55 +++++++++++++---
 3 files changed, 119 insertions(+), 10 deletions(-)

diff --git a/frontend/src/app/components/channel/channel.component.html b/frontend/src/app/components/channel/channel.component.html
index 033251b..0790d17 100644
--- a/frontend/src/app/components/channel/channel.component.html
+++ b/frontend/src/app/components/channel/channel.component.html
@@ -1,7 +1,63 @@
 @if (noChannel) {
-  <div style="display:flex;align-items:center;justify-content:center;height:100vh;font-size:1.2rem;color:#888;">
-    אין ערוץ מוגדר עבור חשבון זה. פנה למנהל המערכת.
-  </div>
+  <nb-layout>
+    <nb-layout-header fixed>
+      <div style="display:flex; justify-content:space-between; align-items:center; width:100%;">
+        <button nbButton ghost status="basic" (click)="logout()">
+          <nb-icon icon="log-out-outline"></nb-icon>
+          התנתק
+        </button>
+        <span style="font-weight:600; font-size:1.1rem;">TheChannel</span>
+      </div>
+    </nb-layout-header>
+
+    <nb-layout-column>
+      <div class="no-channel-container">
+        <nb-card class="request-card">
+          <nb-card-header>
+            <h5 class="mb-0">בקשת פתיחת ערוץ</h5>
+          </nb-card-header>
+          <nb-card-body>
+            @if (reqSubmitted) {
+              <div style="text-align:center; padding: 2rem 0;">
+                <nb-icon icon="checkmark-circle-2-outline" style="font-size:3rem; color:#00d68f;"></nb-icon>
+                <p style="margin-top:1rem; font-size:1.1rem;">הבקשה נשלחה בהצלחה!</p>
+                <p style="color:#888;">נחזור אליך בהקדם לאחר בדיקת הבקשה.</p>
+              </div>
+            } @else {
+              <p style="color:#888; margin-bottom:1.5rem;">
+                אין ערוץ מוגדר עבור החשבון שלך. מלא את הטופס ונפתח לך ערוץ.
+              </p>
+              <div class="d-flex flex-column gap-3">
+                <div>
+                  <label class="form-label">שם מלא</label>
+                  <input nbInput fullWidth type="text" name="reqName" [(ngModel)]="reqName" placeholder="שם מלא">
+                </div>
+                <div>
+                  <label class="form-label">כתובת אימייל</label>
+                  <input nbInput fullWidth type="email" name="reqEmail" [(ngModel)]="reqEmail" placeholder="your@email.com">
+                </div>
+                <div>
+                  <label class="form-label">Slug רצוי לערוץ</label>
+                  <input nbInput fullWidth type="text" name="reqSlug" [(ngModel)]="reqSlug" placeholder="my-channel — אותיות קטנות ומקפים בלבד">
+                </div>
+                <div>
+                  <label class="form-label">תיאור הערוץ</label>
+                  <textarea nbInput fullWidth rows="4" name="reqDescription" [(ngModel)]="reqDescription"
+                    placeholder="ספר לנו על הערוץ שלך..."></textarea>
+                </div>
+                <button nbButton status="primary" fullWidth (click)="submitChannelRequest()" [disabled]="reqSubmitting">
+                  @if (reqSubmitting) {
+                    <nb-spinner size="small" status="control"></nb-spinner>
+                  }
+                  שלח בקשה
+                </button>
+              </div>
+            }
+          </nb-card-body>
+        </nb-card>
+      </div>
+    </nb-layout-column>
+  </nb-layout>
 }
 
 @if (slugReady) {
diff --git a/frontend/src/app/components/channel/channel.component.scss b/frontend/src/app/components/channel/channel.component.scss
index 96e7244..35c5741 100644
--- a/frontend/src/app/components/channel/channel.component.scss
+++ b/frontend/src/app/components/channel/channel.component.scss
@@ -1,6 +1,18 @@
 @use '../../../themes' as *;
 @use "sass:meta";
 
+.no-channel-container {
+  display: flex;
+  justify-content: center;
+  align-items: flex-start;
+  padding: 2rem 1rem;
+}
+
+.request-card {
+  width: 100%;
+  max-width: 520px;
+}
+
 nb-layout-column.chat-column {
 }
 
diff --git a/frontend/src/app/components/channel/channel.component.ts b/frontend/src/app/components/channel/channel.component.ts
index aaa8e92..7557d05 100644
--- a/frontend/src/app/components/channel/channel.component.ts
+++ b/frontend/src/app/components/channel/channel.component.ts
@@ -1,14 +1,19 @@
 import { Component, ElementRef, OnDestroy, OnInit, Renderer2, RendererStyleFlags2, ViewChild } from '@angular/core';
+import { FormsModule } from '@angular/forms';
 import { AdvertisingComponent } from "./advertising/advertising.component";
 
 import { Ad, AdsService } from '../../services/ads.service';
 import {
   NbButtonModule,
+  NbCardModule,
   NbIconModule,
+  NbInputModule,
   NbLayoutModule,
   NbListModule,
   NbMenuModule,
   NbSidebarModule,
+  NbSpinnerModule,
+  NbToastrService,
 } from "@nebular/theme";
 import { InputFormComponent } from "./chat/input-form/input-form.component";
 import { AuthService } from "../../services/auth.service";
@@ -20,13 +25,18 @@ import { SlugService } from '../../services/slug.service';
 import { AdminService } from '../../services/admin.service';
 import { ChatService } from '../../services/chat.service';
 import { MagnetAdsService } from '../../services/magnet-ads.service';
+import { ChannelRequestService } from '../../services/channel-request.service';
 import { Subscription } from 'rxjs';
 
 @Component({
   selector: 'app-channel',
   imports: [
+    FormsModule,
     AdvertisingComponent,
     NbLayoutModule,
+    NbCardModule,
+    NbInputModule,
+    NbSpinnerModule,
     InputFormComponent,
     ChannelHeaderComponent,
     NbButtonModule,
@@ -35,7 +45,7 @@ import { Subscription } from 'rxjs';
     NbSidebarModule,
     NbListModule,
     ChatComponent
-],
+  ],
   templateUrl: './channel.component.html',
   styleUrl: './channel.component.scss'
 })
@@ -61,6 +71,8 @@ export class ChannelComponent implements OnInit, OnDestroy {
     private adminService: AdminService,
     private chatService: ChatService,
     private magnetAds: MagnetAdsService,
+    private channelRequestService: ChannelRequestService,
+    private toastr: NbToastrService,
   ) { }
 
   ad: Ad = { src: '', width: 0 };
@@ -69,9 +81,15 @@ export class ChannelComponent implements OnInit, OnDestroy {
   noChannel = false;
   private paramSub?: Subscription;
 
+  // Channel request form state
+  reqName = '';
+  reqEmail = '';
+  reqSlug = '';
+  reqDescription = '';
+  reqSubmitting = false;
+  reqSubmitted = false;
+
   ngOnInit(): void {
-    // Subscribe to paramMap so navigation between /channel/foo → /channel/bar
-    // triggers a full re-initialization without needing to destroy the component.
     this.paramSub = this.route.paramMap.subscribe(params => {
       const slug = params.get('slug');
       this.initChannel(slug);
@@ -85,10 +103,6 @@ export class ChannelComponent implements OnInit, OnDestroy {
   private async initChannel(slug: string | null): Promise<void> {
     this.slugReady = false;
     this.noChannel = false;
-    // Yield to Angular's change detection so the @if (slugReady) block
-    // actually destroys ChatComponent before we reinitialise with the new slug.
-    // Without this, false→true in the same synchronous frame is collapsed and
-    // the child is never torn down, leaving stale state (isVisible, messages, etc).
     await Promise.resolve();
 
     if (!slug) {
@@ -98,6 +112,9 @@ export class ChannelComponent implements OnInit, OnDestroy {
       if (firstSlug) {
         this.router.navigate(['/channel', firstSlug], { replaceUrl: true });
       } else {
+        this.userInfo = user ?? undefined;
+        this.reqName = user?.publicName || '';
+        this.reqEmail = user?.email || '';
         this.noChannel = true;
       }
       return;
@@ -117,6 +134,30 @@ export class ChannelComponent implements OnInit, OnDestroy {
     });
   }
 
+  async submitChannelRequest(): Promise<void> {
+    if (!this.reqName || !this.reqEmail || !this.reqSlug || !this.reqDescription) {
+      this.toastr.warning('', 'יש למלא את כל השדות');
+      return;
+    }
+    this.reqSubmitting = true;
+    try {
+      await this.channelRequestService.submitRequest(this.reqName, this.reqEmail, this.reqSlug, this.reqDescription);
+      this.reqSubmitted = true;
+    } catch {
+      this.toastr.danger('', 'שגיאה בשליחת הבקשה, נסה שוב');
+    } finally {
+      this.reqSubmitting = false;
+    }
+  }
+
+  async logout(): Promise<void> {
+    if (await this._authService.logout()) {
+      this.router.navigate(['/login']);
+    } else {
+      this.toastr.danger('', 'שגיאה בהתנתקות');
+    }
+  }
+
   hasAnyRole(user: User | undefined): boolean {
     if (!user?.channelRoles) return false;
     return Object.keys(user.channelRoles).length > 0;

From 71c8a128d1db075803653258867b66cafc012213 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 12:43:20 +0000
Subject: [PATCH 56/60] Fix channel request approval: auto-lowercase slug
 before submitting

The slug regex requires lowercase only. Pre-fill converts the desired slug
to lowercase and replaces invalid chars with hyphens. Typing also forces
lowercase. Also surface the actual backend error message in the toast.

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../channel-requests/channel-requests.component.ts         | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/frontend/src/app/components/super-admin/channel-requests/channel-requests.component.ts b/frontend/src/app/components/super-admin/channel-requests/channel-requests.component.ts
index e5a83f7..7b4527f 100644
--- a/frontend/src/app/components/super-admin/channel-requests/channel-requests.component.ts
+++ b/frontend/src/app/components/super-admin/channel-requests/channel-requests.component.ts
@@ -111,7 +111,8 @@ import { SuperAdminService, ChannelRequest } from '../../../services/super-admin
                                   type="text"
                                   [(ngModel)]="approveSlug"
                                   name="approveSlug"
-                                  placeholder="my-channel">
+                                  placeholder="my-channel"
+                                  (input)="approveSlug = approveSlug.toLowerCase()">
                               </div>
                               <div class="col-md-8">
                                 <label class="form-label">הערות (אופציונלי)</label>
@@ -200,7 +201,7 @@ export class ChannelRequestsComponent implements OnInit {
     this.approveMode = true;
     this.rejectMode = false;
     this.actionId = req.id;
-    this.approveSlug = req.desiredSlug;
+    this.approveSlug = req.desiredSlug.toLowerCase().replace(/[^a-z0-9-]/g, '-');
     this.approveNotes = '';
   }
 
@@ -221,7 +222,7 @@ export class ChannelRequestsComponent implements OnInit {
         this.toastr.success('', 'הערוץ נוצר בהצלחה');
         this.load();
       })
-      .catch(() => this.toastr.danger('', 'שגיאה באישור הבקשה'));
+      .catch((err) => this.toastr.danger(err?.error || '', 'שגיאה באישור הבקשה'));
   }
 
   confirmReject(): void {

From 80111ad6c82f49581ba3396787748fa9231a5b8b Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 12:54:50 +0000
Subject: [PATCH 57/60] Add Enter-sends-message setting and paste-image support

- New channel setting 'enter_sends_message': Enter sends, Ctrl+Enter
  inserts a newline (Shift+Enter still inserts a newline regardless)
- Pasting an image from clipboard auto-uploads it and embeds the link,
  same as attaching a file via the paperclip button

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../admin/settings/settings.schema.ts         |  7 +++
 .../chat/input-form/input-form.component.html |  1 +
 .../chat/input-form/input-form.component.ts   | 45 +++++++++++++++++++
 3 files changed, 53 insertions(+)

diff --git a/frontend/src/app/components/admin/settings/settings.schema.ts b/frontend/src/app/components/admin/settings/settings.schema.ts
index 27ebc00..06cafa9 100644
--- a/frontend/src/app/components/admin/settings/settings.schema.ts
+++ b/frontend/src/app/components/admin/settings/settings.schema.ts
@@ -46,6 +46,13 @@ export const SETTINGS_SCHEMA: SettingsCategorySchema[] = [
         placeholder: '100',
         default: 100,
       },
+      {
+        key: 'enter_sends_message',
+        label: 'Enter שולח הודעה',
+        description: 'לחיצה על Enter תשלח את ההודעה. לחיצה על Ctrl+Enter תוריד שורה.',
+        type: 'boolean',
+        default: false,
+      },
     ],
   },
   {
diff --git a/frontend/src/app/components/channel/chat/input-form/input-form.component.html b/frontend/src/app/components/channel/chat/input-form/input-form.component.html
index 3162557..da0633f 100644
--- a/frontend/src/app/components/channel/chat/input-form/input-form.component.html
+++ b/frontend/src/app/components/channel/chat/input-form/input-form.component.html
@@ -60,6 +60,7 @@
                     (resized)="inputHeightChanged.emit($event)" [minRows]="1" [maxRows]="6"
                     [maxlength]="maxMessageLength" [disabled]="showMarkdownPreview || isSending"
                     class="bg-transparent border-0 flex-grow-1 fs-5" [(ngModel)]="input" (input)="checkScrollbar()"
+                    (keydown)="onKeydown($event)" (paste)="onPaste($event)"
                     style="resize: none"></textarea>
                 <div class="d-flex flex-row align-self-end">
                     @if (message?.id != undefined) {
diff --git a/frontend/src/app/components/channel/chat/input-form/input-form.component.ts b/frontend/src/app/components/channel/chat/input-form/input-form.component.ts
index 7cec8b9..6dde701 100644
--- a/frontend/src/app/components/channel/chat/input-form/input-form.component.ts
+++ b/frontend/src/app/components/channel/chat/input-form/input-form.component.ts
@@ -59,6 +59,7 @@ export class InputFormComponent implements OnInit, OnDestroy {
   isSending: boolean = false;
   showMarkdownPreview: boolean = false;
   hasScrollbar: boolean = false;
+  enterSendsMessage: boolean = false;
   private subscription!: Subscription;
 
   @ViewChild('inputTextArea') inputTextArea!: ElementRef<HTMLTextAreaElement>;
@@ -76,6 +77,11 @@ export class InputFormComponent implements OnInit, OnDestroy {
       this.input = this.message.text || '';
     }
 
+    this.adminService.getSettings().then(settings => {
+      const s = settings.find(s => s.key === 'enter_sends_message');
+      this.enterSendsMessage = s?.value === true || s?.value === 'true';
+    }).catch(() => {});
+
     this.subscription = this.adminService.messageEditObservable.subscribe((edit?: EditMsg) => {
       if (edit?.isScheduling) {
         this.schedulingMessage = edit.message?.timestamp;
@@ -279,6 +285,45 @@ export class InputFormComponent implements OnInit, OnDestroy {
     }
   }
 
+  onKeydown(event: KeyboardEvent) {
+    if (!this.enterSendsMessage) return;
+    if (event.key !== 'Enter') return;
+
+    if (event.ctrlKey || event.metaKey) {
+      // Ctrl+Enter → insert newline at cursor
+      event.preventDefault();
+      const ta = this.inputTextArea.nativeElement;
+      const start = ta.selectionStart;
+      const end = ta.selectionEnd;
+      this.input = this.input.substring(0, start) + '\n' + this.input.substring(end);
+      setTimeout(() => { ta.selectionStart = ta.selectionEnd = start + 1; });
+    } else if (!event.shiftKey) {
+      // Enter alone → send
+      event.preventDefault();
+      this.sendMessage();
+    }
+  }
+
+  onPaste(event: ClipboardEvent) {
+    const items = event.clipboardData?.items;
+    if (!items) return;
+    for (let i = 0; i < items.length; i++) {
+      if (items[i].type.startsWith('image/')) {
+        const file = items[i].getAsFile();
+        if (!file) continue;
+        event.preventDefault();
+        const attachment: Attachment = { file };
+        const idx = this.attachments.push(attachment) - 1;
+        const reader = new FileReader();
+        reader.readAsDataURL(file);
+        reader.onload = (e) => {
+          if (e.target) this.attachments[idx].url = e.target.result as string;
+        };
+        this.uploadFile(this.attachments[idx]);
+      }
+    }
+  }
+
   applyFormat(format: 'bold' | 'italic' | 'underline' | 'code') {
     const textArea = this.inputTextArea.nativeElement;
     const start = textArea.selectionStart;

From 28fec5adab737287910df0340e1d1b7428337ddc Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 12:57:19 +0000
Subject: [PATCH 58/60] Fix TS2367: cast value comparison to any for boolean
 setting check

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../components/channel/chat/input-form/input-form.component.ts  | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/frontend/src/app/components/channel/chat/input-form/input-form.component.ts b/frontend/src/app/components/channel/chat/input-form/input-form.component.ts
index 6dde701..77383e1 100644
--- a/frontend/src/app/components/channel/chat/input-form/input-form.component.ts
+++ b/frontend/src/app/components/channel/chat/input-form/input-form.component.ts
@@ -79,7 +79,7 @@ export class InputFormComponent implements OnInit, OnDestroy {
 
     this.adminService.getSettings().then(settings => {
       const s = settings.find(s => s.key === 'enter_sends_message');
-      this.enterSendsMessage = s?.value === true || s?.value === 'true';
+      this.enterSendsMessage = s?.value === 'true' || s?.value === true as any;
     }).catch(() => {});
 
     this.subscription = this.adminService.messageEditObservable.subscribe((edit?: EditMsg) => {

From 00694601bca2202d0e4a4b84af37dc65df05f276 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 13:07:46 +0000
Subject: [PATCH 59/60] Fix 'Enter sends message' setting not working

The boolean value was being saved as '1' but checked against 'true'.
Also fixes reactivity: setting is now stored on AdminService and updated
immediately when settings are saved, so no page reload is needed.

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 .../components/admin/settings/settings.component.ts    | 10 ++++++++--
 .../channel/chat/input-form/input-form.component.ts    |  8 +-------
 frontend/src/app/services/admin.service.ts             |  2 ++
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/frontend/src/app/components/admin/settings/settings.component.ts b/frontend/src/app/components/admin/settings/settings.component.ts
index 4bf219f..5b26f36 100644
--- a/frontend/src/app/components/admin/settings/settings.component.ts
+++ b/frontend/src/app/components/admin/settings/settings.component.ts
@@ -66,7 +66,10 @@ export class SettingsComponent implements OnInit {
 
   ngOnInit(): void {
     this.adminService.getSettings()
-      .then(settings => this.loadFromSettings(settings || []));
+      .then(settings => {
+        this.loadFromSettings(settings || []);
+        this.adminService.enterSendsMessage = this.toBool(this.values['enter_sends_message']);
+      });
   }
 
   private loadFromSettings(settings: Setting[]) {
@@ -219,7 +222,10 @@ export class SettingsComponent implements OnInit {
     this.setInProgress = true;
     const payload = this.buildSettingsArray();
     this.adminService.setSettings(payload)
-      .then(() => this.tostService.success('', 'השינויים נשמרו בהצלחה!'))
+      .then(() => {
+        this.adminService.enterSendsMessage = this.toBool(this.values['enter_sends_message']);
+        this.tostService.success('', 'השינויים נשמרו בהצלחה!');
+      })
       .catch(() => this.tostService.danger('', 'שגיאה בשמירת השינויים'))
       .finally(() => this.setInProgress = false);
   }
diff --git a/frontend/src/app/components/channel/chat/input-form/input-form.component.ts b/frontend/src/app/components/channel/chat/input-form/input-form.component.ts
index 77383e1..01a90e6 100644
--- a/frontend/src/app/components/channel/chat/input-form/input-form.component.ts
+++ b/frontend/src/app/components/channel/chat/input-form/input-form.component.ts
@@ -59,7 +59,6 @@ export class InputFormComponent implements OnInit, OnDestroy {
   isSending: boolean = false;
   showMarkdownPreview: boolean = false;
   hasScrollbar: boolean = false;
-  enterSendsMessage: boolean = false;
   private subscription!: Subscription;
 
   @ViewChild('inputTextArea') inputTextArea!: ElementRef<HTMLTextAreaElement>;
@@ -77,11 +76,6 @@ export class InputFormComponent implements OnInit, OnDestroy {
       this.input = this.message.text || '';
     }
 
-    this.adminService.getSettings().then(settings => {
-      const s = settings.find(s => s.key === 'enter_sends_message');
-      this.enterSendsMessage = s?.value === 'true' || s?.value === true as any;
-    }).catch(() => {});
-
     this.subscription = this.adminService.messageEditObservable.subscribe((edit?: EditMsg) => {
       if (edit?.isScheduling) {
         this.schedulingMessage = edit.message?.timestamp;
@@ -286,7 +280,7 @@ export class InputFormComponent implements OnInit, OnDestroy {
   }
 
   onKeydown(event: KeyboardEvent) {
-    if (!this.enterSendsMessage) return;
+    if (!this.adminService.enterSendsMessage) return;
     if (event.key !== 'Enter') return;
 
     if (event.ctrlKey || event.metaKey) {
diff --git a/frontend/src/app/services/admin.service.ts b/frontend/src/app/services/admin.service.ts
index 30db514..69e0356 100644
--- a/frontend/src/app/services/admin.service.ts
+++ b/frontend/src/app/services/admin.service.ts
@@ -31,6 +31,8 @@ export class AdminService {
 
   private schedulingMessages: ChatMessage[] | null = null;
 
+  enterSendsMessage: boolean = false;
+
   constructor(
     private http: HttpClient,
     private slugService: SlugService,

From 834d81d0e770c8067392fe3e12dc96b1324206a9 Mon Sep 17 00:00:00 2001
From: Claude <noreply@anthropic.com>
Date: Mon, 18 May 2026 19:04:22 +0000
Subject: [PATCH 60/60] Move FCM config to super-admin global settings,
 per-channel toggle only

Channel admins now see only an on/off toggle for push notifications.
All FCM credentials (VAPID, Firebase SDK config, service account JSON)
are configured once in the super-admin global settings panel.

Backend reads on_notification per-channel so each channel can opt in/out
independently while sharing the same Firebase project credentials.

https://claude.ai/code/session_015yWNYaVjk7ozyguKLA8vvx
---
 backend/notifications.go                      |  14 +-
 .../admin/settings/settings.schema.ts         | 144 +--------------
 .../global-settings.component.html            | 174 +++++++++++++-----
 .../global-settings.component.ts              | 119 +++++++++---
 4 files changed, 232 insertions(+), 219 deletions(-)

diff --git a/backend/notifications.go b/backend/notifications.go
index aecfb7e..15a2eb8 100644
--- a/backend/notifications.go
+++ b/backend/notifications.go
@@ -43,9 +43,14 @@ type NotificationsConfig struct {
 }
 
 func getNotificationsConfig(w http.ResponseWriter, r *http.Request) {
-	// Notifications config uses global FCM/VAPID settings
+	slug := channelSlugFromCtx(r)
+	ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+	defer cancel()
+
+	channelCfg := getChannelConfig(ctx, slug)
+
 	response := NotificationsConfig{
-		EnableNotifications: settingConfig.OnNotification,
+		EnableNotifications: settingConfig.OnNotification && channelCfg.OnNotification,
 		VAPID:               settingConfig.VAPID,
 		FirebaseConfig: FirebaseConfig{
 			ApiKey:            settingConfig.FcmApiKey,
@@ -158,6 +163,11 @@ func pushFcmMessage(slug string, m *Message) {
 	ctx, cancel := context.WithTimeout(context.Background(), 20*time.Second)
 	defer cancel()
 
+	channelCfg := getChannelConfig(ctx, slug)
+	if !channelCfg.OnNotification {
+		return
+	}
+
 	list, err := getSubcriptionsList(slug)
 	if err != nil {
 		log.Println("Failed to get subscription list:", err)
diff --git a/frontend/src/app/components/admin/settings/settings.schema.ts b/frontend/src/app/components/admin/settings/settings.schema.ts
index 06cafa9..d7d6da0 100644
--- a/frontend/src/app/components/admin/settings/settings.schema.ts
+++ b/frontend/src/app/components/admin/settings/settings.schema.ts
@@ -170,152 +170,14 @@ export const SETTINGS_SCHEMA: SettingsCategorySchema[] = [
     id: 'notifications',
     title: 'התראות דחיפה (Push)',
     icon: 'bell-outline',
-    description: 'מבוסס על שירות Firebase Cloud Messaging (FCM) של גוגל.',
+    description: 'שליחת התראה לנייד/דפדפן בעת פרסום הודעה חדשה. תשתית ה-FCM מוגדרת על ידי מנהל המערכת.',
     fields: [
       {
         key: 'on_notification',
-        label: 'הפעלת התראות דחיפה',
-        description: 'יש להפעיל ולהזין את כל הפרטים מ-Firebase שבהמשך.',
+        label: 'הפעלת התראות דחיפה בערוץ זה',
+        description: 'מנויי הערוץ יקבלו התראת Push בכל הודעה חדשה.',
         type: 'boolean',
       },
-      {
-        key: 'project_domain',
-        label: 'דומיין הפרויקט (להפניית לחיצה על התראה)',
-        description: 'כתובת ה-URL שאליה ינותב המשתמש כשילחץ על התראה.',
-        type: 'url',
-        placeholder: 'https://example.com',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'vapid',
-        label: 'מפתח VAPID',
-        description: 'Cloud Messaging > Web Push certificates > Key pair',
-        type: 'password',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_api_key',
-        label: 'apiKey',
-        description: 'General > SDK setup and configuration > apiKey',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_auth_domain',
-        label: 'authDomain',
-        description: 'General > SDK setup and configuration > authDomain',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_project_id',
-        label: 'projectId',
-        description: 'General > SDK setup and configuration > projectId',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_storage_bucket',
-        label: 'storageBucket',
-        description: 'General > SDK setup and configuration > storageBucket',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_messaging_sender_id',
-        label: 'messagingSenderId',
-        description: 'General > SDK setup and configuration > messagingSenderId',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_app_id',
-        label: 'appId',
-        description: 'General > SDK setup and configuration > appId',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_measurement_id',
-        label: 'measurementId',
-        description: 'General > SDK setup and configuration > measurementId',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-    ],
-  },
-  {
-    id: 'fcm_json',
-    title: 'חשבון שירות FCM (Service Account)',
-    icon: 'file-text-outline',
-    description: 'שדות אלה מגיעים מקובץ ה-JSON שנוצר תחת serviceaccounts > Generate new private key. ניתן להדביק את כל קובץ ה-JSON בשדה הראשון לשם מילוי אוטומטי של כל השדות.',
-    fields: [
-      {
-        key: 'fcm_json_type',
-        label: 'type',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_json_project_id',
-        label: 'project_id',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_json_private_key_id',
-        label: 'private_key_id',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_json_private_key',
-        label: 'private_key',
-        type: 'textarea',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_json_client_email',
-        label: 'client_email',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_json_client_id',
-        label: 'client_id',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_json_auth_uri',
-        label: 'auth_uri',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_json_token_uri',
-        label: 'token_uri',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_json_auth_provider_x509_cert_url',
-        label: 'auth_provider_x509_cert_url',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_json_client_x509_cert_url',
-        label: 'client_x509_cert_url',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
-      {
-        key: 'fcm_json_universe_domain',
-        label: 'universe_domain',
-        type: 'text',
-        hideWhen: { key: 'on_notification', equals: false },
-      },
     ],
   },
 ];
diff --git a/frontend/src/app/components/super-admin/global-settings/global-settings.component.html b/frontend/src/app/components/super-admin/global-settings/global-settings.component.html
index ea1f4e4..6636c25 100644
--- a/frontend/src/app/components/super-admin/global-settings/global-settings.component.html
+++ b/frontend/src/app/components/super-admin/global-settings/global-settings.component.html
@@ -1,69 +1,149 @@
 <nb-card>
-  <nb-card-header class="d-flex align-items-center justify-content-between">
+  <nb-card-header>
     <div class="d-flex align-items-center gap-2">
       <nb-icon icon="settings-2-outline"></nb-icon>
-      <span>הגדרות גלובליות (FCM / VAPID)</span>
+      <span>הגדרות גלובליות</span>
     </div>
-    @if (!addingNew) {
-      <button nbButton status="primary" size="small" (click)="addingNew = true">
-        <nb-icon icon="plus-outline"></nb-icon>
-        הוסף הגדרה
-      </button>
-    }
   </nb-card-header>
 
   <nb-card-body>
     @if (loading) {
       <p class="text-center">טוען...</p>
     } @else {
-      @if (addingNew) {
-        <nb-card class="mb-3">
-          <nb-card-header>הגדרה חדשה</nb-card-header>
-          <nb-card-body>
-            <div class="d-flex flex-column gap-2">
-              <div>
-                <label class="field-label">שם המפתח</label>
-                <input nbInput fullWidth type="text" [(ngModel)]="newKey" placeholder="setting-key">
+
+      <!-- Push Notifications Section -->
+      <nb-accordion>
+        <nb-accordion-item [expanded]="true">
+          <nb-accordion-item-header>
+            <nb-icon icon="bell-outline" class="me-2"></nb-icon>
+            התראות דחיפה (Push) — Firebase FCM
+          </nb-accordion-item-header>
+          <nb-accordion-item-body>
+            <p class="text-muted small mb-3">
+              הגדרות אלה משותפות לכל הערוצים במערכת. כל מנהל ערוץ יכול להפעיל/לכבות את ההתראות בנפרד בהגדרות הערוץ שלו.
+            </p>
+
+            <div class="mb-3">
+              <nb-toggle [(checked)]="values['on_notification']">
+                הפעלת תשתית התראות דחיפה
+              </nb-toggle>
+              <div class="text-muted small mt-1">יש להפעיל ולמלא את כל פרטי Firebase שבהמשך.</div>
+            </div>
+
+            @if (values['on_notification']) {
+              <div class="row g-3 mb-3">
+                <div class="col-12">
+                  <label class="form-label">דומיין הפרויקט (להפניית לחיצה על התראה)</label>
+                  <input nbInput fullWidth type="url" [(ngModel)]="values['project_domain']" placeholder="https://example.com">
+                </div>
+                <div class="col-12">
+                  <label class="form-label">מפתח VAPID</label>
+                  <input nbInput fullWidth type="password" [(ngModel)]="values['vapid']" placeholder="Cloud Messaging → Web Push certificates → Key pair">
+                </div>
               </div>
-              <div>
-                <label class="field-label">ערך</label>
-                <input nbInput fullWidth type="text" [(ngModel)]="newValue" placeholder="ערך ההגדרה">
+
+              <h6 class="mt-3 mb-2">Firebase SDK Config</h6>
+              <div class="row g-2 mb-3">
+                <div class="col-md-6">
+                  <label class="form-label">apiKey</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_api_key']">
+                </div>
+                <div class="col-md-6">
+                  <label class="form-label">authDomain</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_auth_domain']">
+                </div>
+                <div class="col-md-6">
+                  <label class="form-label">projectId</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_project_id']">
+                </div>
+                <div class="col-md-6">
+                  <label class="form-label">storageBucket</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_storage_bucket']">
+                </div>
+                <div class="col-md-6">
+                  <label class="form-label">messagingSenderId</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_messaging_sender_id']">
+                </div>
+                <div class="col-md-6">
+                  <label class="form-label">appId</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_app_id']">
+                </div>
+                <div class="col-md-6">
+                  <label class="form-label">measurementId</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_measurement_id']">
+                </div>
               </div>
-              <div class="d-flex gap-2">
-                <button nbButton status="primary" size="small" (click)="addSetting()">
-                  <nb-icon icon="checkmark-outline"></nb-icon>
-                  הוסף
-                </button>
-                <button nbButton status="danger" size="small" (click)="addingNew = false; newKey = ''; newValue = ''">
-                  <nb-icon icon="close-outline"></nb-icon>
-                  ביטול
+
+              <h6 class="mt-3 mb-2">Service Account (FCM JSON)</h6>
+              <p class="text-muted small">
+                ניתן להדביק את כל קובץ ה-JSON מ-serviceaccounts → Generate new private key לשם מילוי אוטומטי.
+              </p>
+              <div class="mb-2">
+                <textarea nbInput fullWidth rows="4" [(ngModel)]="fcmJsonPaste"
+                  placeholder="הדבק כאן את תוכן קובץ ה-JSON..."></textarea>
+                @if (fcmJsonError) {
+                  <div class="text-danger small mt-1">{{ fcmJsonError }}</div>
+                }
+                <button nbButton status="info" size="small" class="mt-2" (click)="applyFcmJsonPaste()" [disabled]="!fcmJsonPaste.trim()">
+                  מלא אוטומטית מ-JSON
                 </button>
               </div>
-            </div>
-          </nb-card-body>
-        </nb-card>
-      }
 
-      @if (settings.length === 0) {
-        <p class="text-center text-muted">אין הגדרות גלובליות</p>
-      }
-
-      @for (setting of settings; track $index; let i = $index) {
-        <div class="setting-row d-flex align-items-center gap-2 mb-2">
-          <input nbInput fieldSize="small" type="text" [(ngModel)]="settings[i].key"
-            placeholder="שם המפתח" style="width: 200px; flex-shrink: 0;">
-          <input nbInput fullWidth fieldSize="small" type="text" [(ngModel)]="settings[i].value"
-            placeholder="ערך">
-          <button nbButton status="danger" size="small" ghost (click)="removeSetting(i)">
-            <nb-icon icon="trash-2-outline"></nb-icon>
-          </button>
-        </div>
-      }
+              <div class="row g-2">
+                <div class="col-md-6">
+                  <label class="form-label">type</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_json_type']">
+                </div>
+                <div class="col-md-6">
+                  <label class="form-label">project_id</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_json_project_id']">
+                </div>
+                <div class="col-md-6">
+                  <label class="form-label">private_key_id</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_json_private_key_id']">
+                </div>
+                <div class="col-md-6">
+                  <label class="form-label">client_email</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_json_client_email']">
+                </div>
+                <div class="col-md-6">
+                  <label class="form-label">client_id</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_json_client_id']">
+                </div>
+                <div class="col-md-6">
+                  <label class="form-label">universe_domain</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_json_universe_domain']">
+                </div>
+                <div class="col-12">
+                  <label class="form-label">private_key</label>
+                  <textarea nbInput fullWidth rows="4" [(ngModel)]="values['fcm_json_private_key']" placeholder="-----BEGIN RSA PRIVATE KEY-----"></textarea>
+                </div>
+                <div class="col-12">
+                  <label class="form-label">auth_uri</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_json_auth_uri']">
+                </div>
+                <div class="col-12">
+                  <label class="form-label">token_uri</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_json_token_uri']">
+                </div>
+                <div class="col-12">
+                  <label class="form-label">auth_provider_x509_cert_url</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_json_auth_provider_x509_cert_url']">
+                </div>
+                <div class="col-12">
+                  <label class="form-label">client_x509_cert_url</label>
+                  <input nbInput fullWidth type="text" [(ngModel)]="values['fcm_json_client_x509_cert_url']">
+                </div>
+              </div>
+            }
+          </nb-accordion-item-body>
+        </nb-accordion-item>
+      </nb-accordion>
     }
   </nb-card-body>
 
   <nb-card-footer>
-    <button nbButton status="primary" (click)="save()" [disabled]="saving">
+    <button nbButton status="primary" (click)="save()" [disabled]="saving || loading">
       <nb-icon icon="save-outline"></nb-icon>
       {{ saving ? 'שומר...' : 'שמור הגדרות' }}
     </button>
diff --git a/frontend/src/app/components/super-admin/global-settings/global-settings.component.ts b/frontend/src/app/components/super-admin/global-settings/global-settings.component.ts
index 8aa2dfc..7943424 100644
--- a/frontend/src/app/components/super-admin/global-settings/global-settings.component.ts
+++ b/frontend/src/app/components/super-admin/global-settings/global-settings.component.ts
@@ -2,34 +2,38 @@ import { Component, OnInit } from '@angular/core';
 import { CommonModule } from '@angular/common';
 import { FormsModule } from '@angular/forms';
 import {
-  NbButtonModule,
-  NbCardModule,
-  NbIconModule,
-  NbInputModule,
-  NbToastrService,
+  NbButtonModule, NbCardModule, NbIconModule, NbInputModule,
+  NbToastrService, NbToggleModule, NbAccordionModule,
 } from '@nebular/theme';
 import { SuperAdminService, Setting } from '../../../services/super-admin.service';
 
+// FCM JSON key map for autofill
+const FCM_JSON_KEY_MAP: Record<string, string> = {
+  type: 'fcm_json_type',
+  project_id: 'fcm_json_project_id',
+  private_key_id: 'fcm_json_private_key_id',
+  private_key: 'fcm_json_private_key',
+  client_email: 'fcm_json_client_email',
+  client_id: 'fcm_json_client_id',
+  auth_uri: 'fcm_json_auth_uri',
+  token_uri: 'fcm_json_token_uri',
+  auth_provider_x509_cert_url: 'fcm_json_auth_provider_x509_cert_url',
+  client_x509_cert_url: 'fcm_json_client_x509_cert_url',
+  universe_domain: 'fcm_json_universe_domain',
+};
+
 @Component({
   selector: 'app-global-settings',
   standalone: true,
-  imports: [
-    CommonModule,
-    FormsModule,
-    NbCardModule,
-    NbButtonModule,
-    NbInputModule,
-    NbIconModule,
-  ],
+  imports: [CommonModule, FormsModule, NbCardModule, NbButtonModule, NbInputModule, NbIconModule, NbToggleModule, NbAccordionModule],
   templateUrl: './global-settings.component.html',
 })
 export class GlobalSettingsComponent implements OnInit {
-  settings: Setting[] = [];
+  values: Record<string, any> = {};
   saving = false;
   loading = true;
-  newKey = '';
-  newValue = '';
-  addingNew = false;
+  fcmJsonPaste = '';
+  fcmJsonError = '';
 
   constructor(
     private superAdminService: SuperAdminService,
@@ -38,27 +42,84 @@ export class GlobalSettingsComponent implements OnInit {
 
   ngOnInit(): void {
     this.superAdminService.getGlobalSettings()
-      .then(settings => this.settings = [...(settings || [])])
+      .then(settings => this.loadFromSettings(settings || []))
       .catch(() => this.toastr.danger('', 'שגיאה בטעינת הגדרות גלובליות'))
       .finally(() => this.loading = false);
   }
 
-  removeSetting(index: number) {
-    this.settings.splice(index, 1);
+  private loadFromSettings(settings: Setting[]): void {
+    // Initialize defaults
+    this.values = {
+      on_notification: false,
+      project_domain: '',
+      vapid: '',
+      fcm_api_key: '', fcm_auth_domain: '', fcm_project_id: '',
+      fcm_storage_bucket: '', fcm_messaging_sender_id: '', fcm_app_id: '', fcm_measurement_id: '',
+      fcm_json_type: '', fcm_json_project_id: '', fcm_json_private_key_id: '',
+      fcm_json_private_key: '', fcm_json_client_email: '', fcm_json_client_id: '',
+      fcm_json_auth_uri: '', fcm_json_token_uri: '',
+      fcm_json_auth_provider_x509_cert_url: '', fcm_json_client_x509_cert_url: '',
+      fcm_json_universe_domain: '',
+    };
+    for (const s of settings) {
+      if (s.key === 'on_notification') {
+        this.values[s.key] = this.toBool(s.value);
+      } else if (s.key in this.values) {
+        this.values[s.key] = s.value ?? '';
+      }
+    }
+  }
+
+  private toBool(v: any): boolean {
+    if (typeof v === 'boolean') return v;
+    if (typeof v === 'string') {
+      const s = v.toLowerCase().trim();
+      return s === '1' || s === 'true' || s === 'yes' || s === 'on';
+    }
+    return false;
+  }
+
+  private buildSettingsArray(): Setting[] {
+    const out: Setting[] = [];
+    if (this.values['on_notification'] === true) {
+      out.push({ key: 'on_notification', value: '1' as any });
+    }
+    const textKeys = [
+      'project_domain', 'vapid',
+      'fcm_api_key', 'fcm_auth_domain', 'fcm_project_id',
+      'fcm_storage_bucket', 'fcm_messaging_sender_id', 'fcm_app_id', 'fcm_measurement_id',
+      'fcm_json_type', 'fcm_json_project_id', 'fcm_json_private_key_id',
+      'fcm_json_private_key', 'fcm_json_client_email', 'fcm_json_client_id',
+      'fcm_json_auth_uri', 'fcm_json_token_uri',
+      'fcm_json_auth_provider_x509_cert_url', 'fcm_json_client_x509_cert_url',
+      'fcm_json_universe_domain',
+    ];
+    for (const k of textKeys) {
+      const v = this.values[k];
+      if (v && v !== '') out.push({ key: k, value: v });
+    }
+    return out;
   }
 
-  addSetting() {
-    const key = this.newKey.trim();
-    if (!key) return;
-    this.settings.push({ key, value: this.newValue });
-    this.newKey = '';
-    this.newValue = '';
-    this.addingNew = false;
+  applyFcmJsonPaste(): void {
+    this.fcmJsonError = '';
+    if (!this.fcmJsonPaste.trim()) return;
+    let parsed: any;
+    try { parsed = JSON.parse(this.fcmJsonPaste); } catch {
+      this.fcmJsonError = 'JSON לא תקין'; return;
+    }
+    let count = 0;
+    for (const [jsonKey, settingKey] of Object.entries(FCM_JSON_KEY_MAP)) {
+      if (parsed[jsonKey] !== undefined) { this.values[settingKey] = String(parsed[jsonKey]); count++; }
+    }
+    if (count === 0) { this.fcmJsonError = 'לא נמצאו שדות מוכרים ב-JSON'; return; }
+    this.fcmJsonPaste = '';
+    this.toastr.success('', `${count} שדות מולאו אוטומטית`);
   }
 
-  save() {
+  save(): void {
     this.saving = true;
-    this.superAdminService.setGlobalSettings(this.settings)
+    this.superAdminService.setGlobalSettings(this.buildSettingsArray())
       .then(() => this.toastr.success('', 'ההגדרות נשמרו בהצלחה'))
       .catch(() => this.toastr.danger('', 'שגיאה בשמירת ההגדרות'))
       .finally(() => this.saving = false);