chore(cd): hardening of env settings

# Conflicts:
#	frontend/src/api/schema.d.ts
#	frontend/src/features/content/views/ContentItemDetailView.vue
#	frontend/src/features/workspaces/views/DashboardView.vue
#	shared/openapi/openapi.json

.gitea/workflows/deploy-socialize.yml

@@ -0,0 +1,75 @@
+name: deploy-socialize
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  image:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Docker CLI
+        run: apt-get update && apt-get install -y docker.io
+      - name: Login to Gitea container registry
+        env:
+          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+        run: printf '%s' "$REGISTRY_PASSWORD" | docker login git.mapachotes.com -u "$REGISTRY_USER" --password-stdin
+      - name: Build images
+        run: |
+          docker build \
+            -t git.mapachotes.com/jbourdon/socialize-api:${{ gitea.sha }} \
+            -t git.mapachotes.com/jbourdon/socialize-api:latest \
+            -f backend/src/Socialize.Api/Dockerfile .
+          docker build \
+            --build-arg VITE_API_URL=/ \
+            -t git.mapachotes.com/jbourdon/socialize-web:${{ gitea.sha }} \
+            -t git.mapachotes.com/jbourdon/socialize-web:latest \
+            -f frontend/Dockerfile .
+      - name: Push images
+        run: |
+          docker push git.mapachotes.com/jbourdon/socialize-api:${{ gitea.sha }}
+          docker push git.mapachotes.com/jbourdon/socialize-api:latest
+          docker push git.mapachotes.com/jbourdon/socialize-web:${{ gitea.sha }}
+          docker push git.mapachotes.com/jbourdon/socialize-web:latest
+
+  deploy:
+    needs: image
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install SSH client
+        run: apt-get update && apt-get install -y openssh-client
+      - name: Deploy on sobina
+        env:
+          DEPLOY_HOST: ${{ secrets.DEPLOY_HOST }}
+          DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
+          DEPLOY_SSH_PRIVATE_KEY_B64: ${{ secrets.DEPLOY_SSH_PRIVATE_KEY_B64 }}
+          SOCIALIZE_IMAGE_TAG: ${{ gitea.sha }}
+        run: |
+          : "${SOCIALIZE_IMAGE_TAG:?SOCIALIZE_IMAGE_TAG is required}"
+
+          mkdir -p ~/.ssh
+          printf '%s' "$DEPLOY_SSH_PRIVATE_KEY_B64" | base64 -d > ~/.ssh/deploy_key
+          chmod 600 ~/.ssh/deploy_key
+
+          write_env_value() {
+            key="$1"
+            value="$2"
+            escaped_value="$(printf '%s' "$value" | sed "s/'/'\\\\''/g")"
+            printf "%s='%s'\n" "$key" "$escaped_value"
+          }
+
+          deploy_env="$(mktemp)"
+          {
+            write_env_value SOCIALIZE_IMAGE_TAG "$SOCIALIZE_IMAGE_TAG"
+          } > "$deploy_env"
+
+          scp -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new "$deploy_env" "$DEPLOY_USER@$DEPLOY_HOST:/srv/prod/socialize/.deploy.env"
+          rm -f "$deploy_env"
+          scp -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new deploy/compose.yml "$DEPLOY_USER@$DEPLOY_HOST:/srv/prod/socialize/compose.yml"
+
+          ssh -i ~/.ssh/deploy_key -o StrictHostKeyChecking=accept-new "$DEPLOY_USER@$DEPLOY_HOST" \
+            'test -r /etc/socialize/socialize.env && cd /srv/prod/socialize && ./deploy.sh'

.github/workflows/backend-ci.yml

@@ -1,39 +0,0 @@
-name: Backend CI/CD
-
-on:
-  push:
-    branches: 
-      - main
-
-env:
-  AZURE_WEBAPP_NAME: hutopy-backend-api
-  DOTNET_VERSION: '10.0.x'
-
-jobs:
-  build_and_deploy:
-    runs-on: ubuntu-latest
-    environment: dev
-    steps:
-
-      # Checkout the repository
-      - uses: actions/checkout@v2
-
-      # Setup .NET Core
-      - name: Setup .NET Core
-        uses: actions/setup-dotnet@v1
-        with:
-          dotnet-version: ${{ env.DOTNET_VERSION }}
-
-      # Run dotnet publish
-      - name: dotnet build and publish
-        run: |
-          cd backend
-          dotnet publish --configuration Release --artifacts-path ./publish/ Socialize.slnx
-
-      # Deploy to Azure WebApp
-      - name: Deploy to Azure WebApp
-        uses: azure/webapps-deploy@v2
-        with:
-          app-name: ${{ env.AZURE_WEBAPP_NAME }} 
-          publish-profile: ${{ secrets.AZURE_WEBAPP_PUBLISH_PROFILE }}
-          package: './backend/publish/publish/Socialize.Api/release/'

.github/workflows/frontend-ci.yml

@@ -1,38 +0,0 @@
-name: Frontend CI/CD
-
-on:
-  push:
-    branches:
-      - main 
-
-env:
-  AZURE_SWA_NAME: hutopy-portal
-
-jobs:
-  build_and_deploy:
-    runs-on: ubuntu-latest
-    steps:
-      
-      # Checkout the repository
-      - uses: actions/checkout@v2
-     
-      # Npm install
-      - name: npm install
-        run: |
-          cd frontend
-          npm install
-      
-      # Npm run build
-      - name: npm run build
-        run: |
-          cd frontend
-          npm run build
-
-      # Deploy to Azure SWA
-      - name: Deploy to Azure SWA
-        uses: azure/static-web-apps-deploy@v1
-        with:
-          action: "upload"
-          app_location: 'frontend'
-          output_location: 'dist'
-          azure_static_web_apps_api_token: ${{ secrets.AZURE_SWA_TOKEN }}

.gitignore

@@ -22,6 +22,10 @@ Thumbs.db
 # .NET
 bin/
 obj/
+**/[Bb]in/
+**/[Oo]bj/
+**/[Bb]in[\\]*
+**/[Oo]bj[\\]*
 TestResults/
 
 # Node
@@ -30,12 +34,17 @@ dist/
 .vite/
 
 # Local environment files
+.env
 *.local
 .env.local
 .env.*.local
+App_Data/
 
 # Local SSL certificates
 *.pem
 
-# Ai
+# AI agent local state
+.agents
+.agents/
 .codex
+.codex/

AGENTS.md

@@ -70,6 +70,7 @@ Update OpenAPI:
 ## Current Domain Modules
 
 - `Identity`: authentication, refresh tokens, email verification, password reset, social login.
+- `Organizations`: SaaS account ownership, billing/subscription boundary, organization membership, connectors, data mappings, and owned workspaces.
 - `Workspaces`: workspace membership, workspace settings, access scoping.
 - `Clients`: client records and primary contacts tied to workspaces.
 - `Projects`: project pipeline and client/project relationships.
@@ -78,6 +79,7 @@ Update OpenAPI:
 - `Comments`: discussion threads on reviewable work.
 - `Approvals`: review decisions and workflow state transitions.
 - `Notifications`: activity feed and unread workflow notifications.
+- `Feedback`: product feedback reports, screenshots, comments, activity, and developer review workflows.
 
 ## Task Discipline
 

README.md

@@ -1,6 +1,6 @@
 # Socialize
 
-Socialize is a workspace-based workflow application for social media content review, revision, approval, and publication readiness.
+Socialize is an organization-owned, workspace-based workflow application for social media content review, revision, approval, and publication readiness.
 
 It is not a public social network. The product is for internal teams, providers, and client approvers coordinating content work before publication.
 
@@ -76,6 +76,12 @@ http://localhost:8080
 http://<this-machine-lan-ip>:8080
 ```
 
+For preprod deployment, configure the `POSTGRES_PASSWORD`, `RESEND_API_KEY`,
+`RESEND_FROM_EMAIL`, and `JWT_SIGNING_KEY` Gitea secrets.
+The deploy workflow writes the remote `.env` file and syncs `deploy/compose.yml`
+before running the server deploy script.
+Use the raw Resend API key value for `RESEND_API_KEY`, without a `Bearer ` prefix.
+
 ## Solution
 
 ```bash

TEMPLATE_PROMPT.md

@@ -1,4 +1,7 @@
 # PROMPT TEMPLATES
+ I need you to help me write a feature. First, we need to define it, so you will ask me questions one-by-one to make sure we have a shared understanding of the scope
+  and expectating. - The feature we want is a way for your clients to report bugs/suggestions/requests from within our app. It should not be intrusive. It should allow
+  them to take a screen capture, put annotation, describe their request and/or issue. Then, as a dev, i will want to collect and review them.
 
 ## Purpose
 This document standardizes how we interact with AI coding agents (Codex, Claude, etc).

backend/.github/workflows/build.yml

@@ -1,82 +0,0 @@
-name: Build
-
-on:
-  pull_request:
-    branches: [ main ]
-    paths-ignore:
-      - '.scripts/**'
-      - .gitignore
-      - CODE_OF_CONDUCT.md
-      - LICENSE
-      - README.md
-
-  workflow_call:
-    inputs:
-      build-artifacts:
-        type: boolean
-        required: true
-        default: false
-
-jobs:
-  build:
-
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v3
-      name: Checkout code
-
-    - name: Cache NuGet packages
-      uses: actions/cache@v3
-      with:
-        path: ~/.nuget/packages
-        key: ${{ runner.os }}-nuget-${{ hashFiles('**/packages.lock.json') }}
-        restore-keys: |
-          ${{ runner.os }}-nuget-
-
-
-    - name: Install .NET
-      uses: actions/setup-dotnet@v3
-
-    - name: Restore solution
-      run: dotnet restore
-
-    - name: Build solution
-      run: dotnet build --no-restore --configuration Release
-      
-    - name: Test solution
-      run: dotnet test --no-build --configuration Release --filter "FullyQualifiedName!~AcceptanceTests"
-
-    - name: Publish website
-      if: ${{ inputs.build-artifacts == true }}
-      run: |
-        dotnet publish --configuration Release --runtime win-x86 --self-contained --output ./publish
-        cd publish
-        zip -r ./publish.zip .
-      working-directory: ./src/Web/
-
-    - name: Upload website artifact (website)
-      if: ${{ inputs.build-artifacts == true }}
-      uses: actions/upload-artifact@v3
-      with:
-        name: website
-        path: ./src/Web/publish/publish.zip
-        if-no-files-found: error
-    
-    - name: Create EF Core migrations bundle
-      if: ${{ inputs.build-artifacts == true }}
-      run: |
-        dotnet new tool-manifest
-        dotnet tool install dotnet-ef
-        dotnet ef migrations bundle --configuration Release -p ./src/Infrastructure/ -s ./src/Web/ -o efbundle.exe
-        zip -r ./efbundle.zip efbundle.exe
-      env:
-        SkipNSwag: True
-
-    - name: Upload EF Core migrations bundle artifact (efbundle)
-      if: ${{ inputs.build-artifacts == true }}
-      uses: actions/upload-artifact@v3
-      with:
-        name: efbundle
-        path: ./efbundle.zip
-        if-no-files-found: error

backend/.github/workflows/cicd.yml

@@ -1,42 +0,0 @@
-name: CICD
-
-on: 
-  push:
-    branches: [ main ]
-    paths-ignore:
-      - .gitignore
-      - CODE_OF_CONDUCT.md
-      - LICENSE
-      - README.md
-
-permissions:
-  id-token: write
-  contents: read
-
-jobs:
-
-  build:
-    uses: ./.github/workflows/build.yml
-    with:
-      build-artifacts: true
-
-  deploy-development:
-    uses: ./.github/workflows/deploy.yml
-    secrets: inherit
-    needs: [ build ]
-    with:
-      environmentName: Development
-
-  deploy-staging:
-    uses: ./.github/workflows/deploy.yml
-    secrets: inherit
-    needs: [ deploy-development ]
-    with:
-      environmentName: Staging
-
-  deploy-production:
-    uses: ./.github/workflows/deploy.yml
-    secrets: inherit
-    needs: [ deploy-staging ]
-    with:
-      environmentName: Production

backend/.github/workflows/deploy.yml

@@ -1,107 +0,0 @@
-name: Deploy
-
-on:
-  workflow_call:
-    inputs:
-      environmentName:
-        required: true
-        type: string
-
-permissions:
-  id-token: write
-  contents: read
-
-jobs:
-  
-  validate:
-     runs-on: ubuntu-latest
-     environment: ${{ inputs.environmentName }}
-
-     steps: 
-
-     - uses: actions/checkout@v3
-       name: Checkout code
-
-     - uses: azure/login@v1
-       name: Login to Azure
-       with:
-         client-id: ${{ vars.AZURE_CLIENT_ID }}
-         tenant-id: ${{ vars.AZURE_TENANT_ID }}
-         subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-
-     - if: inputs.environmentName == 'Development'
-       uses: azure/arm-deploy@v1
-       name: Run preflight validation
-       with:
-         deploymentName: ${{ github.run_number }}
-         resourceGroupName: ${{ vars.AZURE_RESOURCE_GROUP_NAME }}
-         template: ./.azure/bicep/main.bicep
-         parameters: >
-           environmentName=${{ inputs.environmentName }}
-           sqlAdministratorUsername=${{ vars.AZURE_SQL_ADMINISTRATOR_USERNAME }}
-           sqlAdministratorPassword=${{ secrets.AZURE_SQL_ADMINISTRATOR_PASSWORD }}
-           projectName=${{ vars.PROJECT_NAME }}
-         deploymentMode: Validate
-
-     - if: inputs.environmentName != 'Development'
-       uses: azure/arm-deploy@v1
-       name: Run what-if
-       with:
-         failOnStdErr: false
-         resourceGroupName: ${{ vars.AZURE_RESOURCE_GROUP_NAME }}
-         template: ./.azure/bicep/main.bicep
-         parameters: >
-           environmentName=${{ inputs.environmentName }}
-           sqlAdministratorUsername=${{ vars.AZURE_SQL_ADMINISTRATOR_USERNAME }}
-           sqlAdministratorPassword=${{ secrets.AZURE_SQL_ADMINISTRATOR_PASSWORD }}
-           projectName=${{ vars.PROJECT_NAME }}
-         additionalArguments: --what-if
- 
-  deploy:
-    needs: [ validate ]
-    runs-on: ubuntu-latest
-    environment: ${{ inputs.environmentName }}
-
-    steps:
-
-    - uses: actions/checkout@v3
-      name: Checkout code
-
-    - uses: actions/download-artifact@v3
-      name: Download artifacts
-
-    - name: Install .NET
-      uses: actions/setup-dotnet@v3
-
-    - uses: azure/login@v1
-      name: Login to Azure
-      with:
-        client-id: ${{ vars.AZURE_CLIENT_ID }}
-        tenant-id: ${{ vars.AZURE_TENANT_ID }}
-        subscription-id: ${{ vars.AZURE_SUBSCRIPTION_ID }}
-
-    - uses: azure/arm-deploy@v1
-      id: deploy
-      name: Deploy infrastructure
-      with:
-        failOnStdErr: false
-        deploymentName: ${{ github.run_number }}
-        resourceGroupName: ${{ vars.AZURE_RESOURCE_GROUP_NAME }}
-        template: ./.azure/bicep/main.bicep
-        parameters: >
-           environmentName=${{ inputs.environmentName }}
-           sqlAdministratorUsername=${{ vars.AZURE_SQL_ADMINISTRATOR_USERNAME }}
-           sqlAdministratorPassword=${{ secrets.AZURE_SQL_ADMINISTRATOR_PASSWORD }}
-           projectName=${{ vars.PROJECT_NAME }}
-
-    - name: Initialise database
-      run: |
-        unzip -o ./efbundle/efbundle.zip
-        echo '{ "ConnectionStrings": { "DefaultConnection": "" } }' > appsettings.json
-        ./efbundle.exe --connection "Server=${{ steps.deploy.outputs.sqlServerFullyQualifiedDomainName }};Initial Catalog=${{ steps.deploy.outputs.sqlDatabaseName }};Persist Security Info=False;User ID=${{ vars.AZURE_SQL_ADMINISTRATOR_USERNAME }};Password=${{ secrets.AZURE_SQL_ADMINISTRATOR_PASSWORD }};MultipleActiveResultSets=False;Encrypt=True;TrustServerCertificate=False;Connection Timeout=30;" --verbose
-
-    - uses: azure/webapps-deploy@v2
-      name: Deploy website
-      with:
-        app-name: ${{ steps.deploy.outputs.appServiceAppName }}
-        package: website/publish.zip

backend/src/Socialize.Api/Common/Domain/Entity.cs

@@ -1,4 +1,4 @@
-namespace Socialize.Common.Domain;
+namespace Socialize.Api.Common.Domain;
 
 public abstract class Entity
 {

backend/src/Socialize.Api/Data/AppDbContext.cs

@@ -1,44 +1,68 @@
+using Microsoft.EntityFrameworkCore;
 using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
-using Socialize.Modules.Approvals.Data;
+using Socialize.Api.Modules.Approvals.Data;
-using Socialize.Modules.Assets.Data;
+using Socialize.Api.Modules.Assets.Data;
-using Socialize.Modules.Clients.Data;
+using Socialize.Api.Modules.Channels.Data;
-using Socialize.Modules.Comments.Data;
+using Socialize.Api.Modules.Clients.Data;
-using Socialize.Modules.ContentItems.Data;
+using Socialize.Api.Modules.Comments.Data;
-using Socialize.Modules.Identity.Data;
+using Socialize.Api.Modules.ContentItems.Data;
-using Socialize.Modules.Notifications.Data;
+using Socialize.Api.Modules.Feedback.Data;
-using Socialize.Modules.Projects.Data;
+using Socialize.Api.Modules.Identity.Data;
-using Socialize.Modules.Workspaces.Data;
+using Socialize.Api.Modules.Notifications.Data;
+using Socialize.Api.Modules.Campaigns.Data;
+using Socialize.Api.Modules.CalendarIntegrations.Data;
+using Socialize.Api.Modules.Organizations.Data;
+using Socialize.Api.Modules.Workspaces.Data;
 
-namespace Socialize.Data;
+namespace Socialize.Api.Data;
 
 public class AppDbContext(
     DbContextOptions<AppDbContext> options)
     : IdentityDbContext<User, Role, Guid>(options)
 {
+    public DbSet<Organization> Organizations => Set<Organization>();
+    public DbSet<OrganizationMembership> OrganizationMemberships => Set<OrganizationMembership>();
     public DbSet<Workspace> Workspaces => Set<Workspace>();
     public DbSet<WorkspaceInvite> WorkspaceInvites => Set<WorkspaceInvite>();
+    public DbSet<Channel> Channels => Set<Channel>();
     public DbSet<Client> Clients => Set<Client>();
-    public DbSet<Project> Projects => Set<Project>();
+    public DbSet<Campaign> Campaigns => Set<Campaign>();
     public DbSet<ContentItem> ContentItems => Set<ContentItem>();
     public DbSet<ContentItemRevision> ContentItemRevisions => Set<ContentItemRevision>();
+    public DbSet<ContentItemActivityEntry> ContentItemActivityEntries => Set<ContentItemActivityEntry>();
     public DbSet<Asset> Assets => Set<Asset>();
     public DbSet<AssetRevision> AssetRevisions => Set<AssetRevision>();
     public DbSet<Comment> Comments => Set<Comment>();
+    public DbSet<ApprovalWorkflowInstance> ApprovalWorkflowInstances => Set<ApprovalWorkflowInstance>();
     public DbSet<ApprovalRequest> ApprovalRequests => Set<ApprovalRequest>();
     public DbSet<ApprovalDecision> ApprovalDecisions => Set<ApprovalDecision>();
+    public DbSet<WorkspaceApprovalStepConfiguration> WorkspaceApprovalStepConfigurations => Set<WorkspaceApprovalStepConfiguration>();
     public DbSet<NotificationEvent> NotificationEvents => Set<NotificationEvent>();
+    public DbSet<FeedbackReport> FeedbackReports => Set<FeedbackReport>();
+    public DbSet<FeedbackTag> FeedbackTags => Set<FeedbackTag>();
+    public DbSet<FeedbackScreenshot> FeedbackScreenshots => Set<FeedbackScreenshot>();
+    public DbSet<FeedbackComment> FeedbackComments => Set<FeedbackComment>();
+    public DbSet<FeedbackActivityEntry> FeedbackActivityEntries => Set<FeedbackActivityEntry>();
+    public DbSet<CalendarSource> CalendarSources => Set<CalendarSource>();
+    public DbSet<CalendarCatalogEntry> CalendarCatalogEntries => Set<CalendarCatalogEntry>();
+    public DbSet<CalendarEvent> CalendarEvents => Set<CalendarEvent>();
+    public DbSet<UserCalendarExportFeed> UserCalendarExportFeeds => Set<UserCalendarExportFeed>();
 
-    protected override void OnModelCreating(ModelBuilder modelBuilder)
+    protected override void OnModelCreating(ModelBuilder builder)
     {
-        base.OnModelCreating(modelBuilder);
+        base.OnModelCreating(builder);
 
-        modelBuilder.ConfigureWorkspacesModule();
+        builder.ConfigureOrganizationsModule();
-        modelBuilder.ConfigureClientsModule();
+        builder.ConfigureWorkspacesModule();
-        modelBuilder.ConfigureProjectsModule();
+        builder.ConfigureChannelsModule();
-        modelBuilder.ConfigureContentItemsModule();
+        builder.ConfigureClientsModule();
-        modelBuilder.ConfigureAssetsModule();
+        builder.ConfigureCampaignsModule();
-        modelBuilder.ConfigureCommentsModule();
+        builder.ConfigureContentItemsModule();
-        modelBuilder.ConfigureApprovalsModule();
+        builder.ConfigureAssetsModule();
-        modelBuilder.ConfigureNotificationsModule();
+        builder.ConfigureCommentsModule();
+        builder.ConfigureApprovalsModule();
+        builder.ConfigureNotificationsModule();
+        builder.ConfigureFeedbackModule();
+        builder.ConfigureCalendarIntegrationsModule();
     }
 }

backend/src/Socialize.Api/DependencyInjection.cs

@@ -1,6 +1,7 @@
 using System.Text;
-using Socialize.Data;
+using Socialize.Api.Data;
-using Socialize.Infrastructure.Security;
+using Socialize.Api.Infrastructure.Security;
+using Microsoft.EntityFrameworkCore;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Facebook;
 using Microsoft.AspNetCore.Authentication.Google;
@@ -49,7 +50,7 @@ public static class DependencyInjection
     {
         using IServiceScope scope = app.ApplicationServices.CreateScope();
         await using AppDbContext context = scope.ServiceProvider.GetRequiredService<AppDbContext>();
-        await context.Database.EnsureCreatedAsync(cancellationToken);
+        await context.Database.MigrateAsync(cancellationToken);
 
         return app;
     }
@@ -69,7 +70,6 @@ public static class DependencyInjection
         {
             authenticationBuilder.AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, jwtBearerOptions =>
             {
-                jwtBearerOptions.Authority = "https://hutopy.com";
                 jwtBearerOptions.TokenValidationParameters = new TokenValidationParameters
                 {
                     ValidateIssuer = true,

backend/src/Socialize.Api/Folder.DotSettings

@@ -1,5 +0,0 @@
-<wpf:ResourceDictionary xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
-                        xmlns:s="clr-namespace:System;assembly=mscorlib"
-                        xmlns:wpf="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
-                        xml:space="preserve">
-	<s:Boolean x:Key="/Default/UserDictionary/Words/=hutopy/@EntryIndexedValue">True</s:Boolean></wpf:ResourceDictionary>

backend/src/Socialize.Api/GlobalUsings.cs

@@ -1,14 +1,2 @@
 global using FluentValidation;
-global using FastEndpoints;
 global using JetBrains.Annotations;
-global using Microsoft.EntityFrameworkCore;
-global using Socialize.Data;
-global using Socialize.Modules.Approvals.Data;
-global using Socialize.Modules.Assets.Data;
-global using Socialize.Modules.Clients.Data;
-global using Socialize.Modules.Comments.Data;
-global using Socialize.Modules.ContentItems.Data;
-global using Socialize.Modules.Identity.Data;
-global using Socialize.Modules.Notifications.Data;
-global using Socialize.Modules.Projects.Data;
-global using Socialize.Modules.Workspaces.Data;

backend/src/Socialize.Api/Infrastructure/BlobStorage/Configuration/LocalBlobStorageOptions.cs

@@ -0,0 +1,10 @@
+namespace Socialize.Api.Infrastructure.BlobStorage.Configuration;
+
+public sealed class LocalBlobStorageOptions
+{
+    public const string SectionName = "LocalBlobStorage";
+
+    public string RootPath { get; set; } = "App_Data/blob-storage";
+
+    public string RequestPath { get; set; } = "/api/storage";
+}

backend/src/Socialize.Api/Infrastructure/BlobStorage/Contracts/CommonFileNames.cs

@@ -1,4 +1,4 @@
-namespace Socialize.Infrastructure.BlobStorage.Contracts;
+namespace Socialize.Api.Infrastructure.BlobStorage.Contracts;
 
 public static class CommonFileNames
 {

backend/src/Socialize.Api/Infrastructure/BlobStorage/Contracts/ContainerNames.cs

@@ -1,8 +1,11 @@
-namespace Socialize.Infrastructure.BlobStorage.Contracts;
+namespace Socialize.Api.Infrastructure.BlobStorage.Contracts;
 
 internal static class ContainerNames
 {
     public const string Users = "users";
     public const string Clients = "clients";
+    public const string Organizations = "organizations";
+    public const string Workspaces = "workspaces";
     public const string Creators = "creators";
+    public const string Feedback = "feedback";
 }

backend/src/Socialize.Api/Infrastructure/BlobStorage/Contracts/ContentTypes.cs

@@ -1,6 +1,6 @@
 using System.Text;
 
-namespace Socialize.Infrastructure.BlobStorage.Contracts;
+namespace Socialize.Api.Infrastructure.BlobStorage.Contracts;
 
 public static class ContentTypes
 {

backend/src/Socialize.Api/Infrastructure/BlobStorage/Contracts/IBlobStorage.cs

@@ -1,4 +1,4 @@
-namespace Socialize.Infrastructure.BlobStorage.Contracts;
+namespace Socialize.Api.Infrastructure.BlobStorage.Contracts;
 
 public interface IBlobStorage
 {

backend/src/Socialize.Api/Infrastructure/BlobStorage/Contracts/SubDirectoryNames.cs

@@ -1,8 +1,9 @@
-namespace Socialize.Infrastructure.BlobStorage.Contracts;
+namespace Socialize.Api.Infrastructure.BlobStorage.Contracts;
 
 public static class SubDirectoryNames
 {
     public const string Profile = "profile";
     public const string Contents = "contents";
     public const string Albums = "albums";
+    public const string FeedbackScreenshots = "screenshots";
 }

backend/src/Socialize.Api/Infrastructure/BlobStorage/Services/AzureBlobStorage.cs

@@ -1,154 +0,0 @@
-using Azure;
-using Azure.Storage.Blobs;
-using Azure.Storage.Blobs.Models;
-using Socialize.Infrastructure.BlobStorage.Contracts;
-
-namespace Socialize.Infrastructure.BlobStorage.Services;
-
-public class AzureBlobStorage : IBlobStorage
-{
-    private const long MaxUploadSize = 10 * 1024 * 1024; // 10 MB in bytes
-
-    private readonly BlobServiceClient _blobServiceClient;
-    private readonly ILogger<AzureBlobStorage> _logger;
-
-    public AzureBlobStorage(IConfiguration configuration, ILogger<AzureBlobStorage> logger)
-    {
-        _logger = logger;
-        string? connectionString = configuration.GetConnectionString("AzureBlob");
-        _blobServiceClient = new BlobServiceClient(connectionString);
-    }
-
-    /// <summary>
-    ///     Upload a file to microsoft azure blob storage.
-    /// </summary>
-    /// <param name="containerName">The name of the container where the file is stored.</param>
-    /// <param name="blobName">The blob name (path within the container, include the file name).</param>
-    /// <param name="stream"></param>
-    /// <param name="contentType">The content type.</param>
-    /// <param name="ct">The cancellation token</param>
-    /// <returns></returns>
-    public async Task<string> UploadFileAsync(
-        string containerName,
-        string blobName,
-        Stream stream,
-        string contentType,
-        CancellationToken ct = default)
-    {
-        // Read the file stream into a memory stream to determine the length
-        // WATCH FOR MEMORY USAGE USING THE MEMORY STREAM.
-        stream.Position = 0;
-
-        // Check if the file size exceeds the maximum upload size
-        if (stream.Length > MaxUploadSize)
-        {
-            _logger.LogError(
-                $"Blob storage: File size exceeds the maximum allowed size of {MaxUploadSize} bytes.");
-            throw new InvalidOperationException(
-                $"Blob storage: File size exceeds the maximum allowed size of {MaxUploadSize} bytes.");
-        }
-
-        // Validate content type
-        if (!ContentTypes.IsAllowed(contentType, stream))
-        {
-            _logger.LogError(
-                $"Blob storage: Unsupported file type {contentType}.");
-            throw new InvalidOperationException("Unsupported file type.");
-        }
-
-        try
-        {
-            // Get a reference to a container
-            BlobContainerClient? containerClient = _blobServiceClient.GetBlobContainerClient(containerName);
-
-            // Create the container if it does not exist
-            await containerClient.CreateIfNotExistsAsync(
-                PublicAccessType.Blob,
-                cancellationToken: ct);
-
-            // Get a reference to a blob
-            BlobClient? blobClient = containerClient.GetBlobClient(blobName);
-
-            // Define the BlobHttpHeaders to include the content type
-            BlobHttpHeaders blobHttpHeaders = new() { ContentType = contentType };
-
-            // Upload the file
-            Response<BlobContentInfo>? response = await blobClient.UploadAsync(
-                stream,
-                new BlobUploadOptions { HttpHeaders = blobHttpHeaders },
-                ct);
-
-            string fileUri = blobClient.Uri.ToString();
-
-            _logger.LogInformation(
-                """
-                Blob storage: Status [   {ResponseStatus}   ] 
-                Uploaded [  {BlobName}  ] to the container [  {ContainerName}  ] 
-                with contentType [  {ContentType}  ] 
-                with a length of [   {StreamLength} bytes   ]
-                with the uri [   {FileUri}   ]
-                """,
-                response.GetRawResponse().Status.ToString(),
-                blobName,
-                containerName,
-                contentType,
-                stream.Length,
-                fileUri
-            );
-
-            // Return the URI of the uploaded blob
-            return fileUri;
-        }
-        catch (RequestFailedException ex)
-        {
-            _logger.LogError($"Blob storage: Azure Storage request failed: {ex.Message}");
-            throw;
-        }
-        catch (Exception ex)
-        {
-            _logger.LogError($"Blob storage: An error occurred: {ex.Message}");
-            throw;
-        }
-    }
-
-    /// <summary>
-    ///     Download a file to microsoft's azure blob storage.
-    /// </summary>
-    /// <param name="blobName">The blob name (path within the container).</param>
-    /// <param name="containerName">The name of the container where the file is stored. (users)</param>
-    /// <param name="ct">The cancellation token for the request</param>
-    /// <returns></returns>
-    public async Task<MemoryStream> DownloadFileAsync(
-        string containerName,
-        string blobName,
-        CancellationToken ct = default)
-    {
-        try
-        {
-            // Get a reference to a container
-            BlobContainerClient? containerClient = _blobServiceClient.GetBlobContainerClient(containerName);
-
-            // Get a reference to a blob
-            BlobClient? blobClient = containerClient.GetBlobClient(blobName);
-
-            // Download the blob to a stream
-            BlobDownloadInfo download = await blobClient.DownloadAsync(ct);
-
-            MemoryStream memoryStream = new();
-            await download.Content.CopyToAsync(memoryStream, ct);
-            memoryStream.Position = 0; // Ensure the stream is at the beginning
-
-            return memoryStream;
-        }
-        catch (RequestFailedException ex)
-        {
-            _logger.LogError($"Azure Storage request failed: {ex.Message}");
-            throw;
-        }
-        catch (Exception ex)
-        {
-            _logger.LogError($"An error occurred: {ex.Message}");
-            throw;
-        }
-    }
-}

backend/src/Socialize.Api/Infrastructure/BlobStorage/Services/LocalBlobStorage.cs

@@ -0,0 +1,142 @@
+using Microsoft.Extensions.Options;
+using Socialize.Api.Infrastructure.BlobStorage.Configuration;
+using Socialize.Api.Infrastructure.BlobStorage.Contracts;
+
+namespace Socialize.Api.Infrastructure.BlobStorage.Services;
+
+public sealed class LocalBlobStorage(
+    IWebHostEnvironment environment,
+    IHttpContextAccessor httpContextAccessor,
+    IOptions<LocalBlobStorageOptions> options,
+    ILogger<LocalBlobStorage> logger)
+    : IBlobStorage
+{
+    private const long MaxUploadSize = 10 * 1024 * 1024;
+    private const string ContentTypeMetadataSuffix = ".content-type";
+
+    private readonly LocalBlobStorageOptions _options = options.Value;
+
+    public async Task<string> UploadFileAsync(
+        string containerName,
+        string blobName,
+        Stream stream,
+        string contentType,
+        CancellationToken ct = default)
+    {
+        stream.Position = 0;
+
+        if (stream.Length > MaxUploadSize)
+        {
+            logger.LogError("Blob storage: File size exceeds the maximum allowed size of {MaxUploadSize} bytes.", MaxUploadSize);
+            throw new InvalidOperationException($"Blob storage: File size exceeds the maximum allowed size of {MaxUploadSize} bytes.");
+        }
+
+        if (!ContentTypes.IsAllowed(contentType, stream))
+        {
+            logger.LogError("Blob storage: Unsupported file type {ContentType}.", contentType);
+            throw new InvalidOperationException("Unsupported file type.");
+        }
+
+        string relativePath = GetSafeRelativePath(containerName, blobName);
+        string filePath = Path.Combine(GetRootPath(), relativePath);
+        Directory.CreateDirectory(Path.GetDirectoryName(filePath) ?? GetRootPath());
+
+        await using FileStream fileStream = File.Create(filePath);
+        await stream.CopyToAsync(fileStream, ct);
+        await File.WriteAllTextAsync(GetContentTypeMetadataPath(filePath), contentType, ct);
+
+        string fileUri = BuildPublicUrl(relativePath);
+        logger.LogInformation(
+            "Blob storage: Uploaded [{BlobName}] to local container [{ContainerName}] with contentType [{ContentType}] and uri [{FileUri}]",
+            blobName,
+            containerName,
+            contentType,
+            fileUri);
+
+        return fileUri;
+    }
+
+    public async Task<MemoryStream> DownloadFileAsync(
+        string containerName,
+        string blobName,
+        CancellationToken ct = default)
+    {
+        string filePath = Path.Combine(GetRootPath(), GetSafeRelativePath(containerName, blobName));
+
+        if (!File.Exists(filePath))
+        {
+            throw new FileNotFoundException("Blob storage: Local file was not found.", blobName);
+        }
+
+        MemoryStream memoryStream = new();
+        await using FileStream fileStream = File.OpenRead(filePath);
+        await fileStream.CopyToAsync(memoryStream, ct);
+        memoryStream.Position = 0;
+
+        return memoryStream;
+    }
+
+    internal string GetRootPath()
+    {
+        if (Path.IsPathRooted(_options.RootPath))
+        {
+            return Path.GetFullPath(_options.RootPath);
+        }
+
+        return Path.GetFullPath(Path.Combine(environment.ContentRootPath, _options.RootPath));
+    }
+
+    internal static string? ReadContentType(string filePath)
+    {
+        string metadataPath = GetContentTypeMetadataPath(filePath);
+        return File.Exists(metadataPath)
+            ? File.ReadAllText(metadataPath)
+            : null;
+    }
+
+    private static string GetContentTypeMetadataPath(string filePath)
+    {
+        return $"{filePath}{ContentTypeMetadataSuffix}";
+    }
+
+    private static string GetSafeRelativePath(string containerName, string blobName)
+    {
+        if (Path.IsPathRooted(containerName) || Path.IsPathRooted(blobName))
+        {
+            throw new InvalidOperationException("Blob storage: Blob paths must be relative.");
+        }
+
+        string[] pathParts = [containerName, .. blobName.Split([Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar])];
+        if (pathParts.Any(part => part is "" or "." or ".."))
+        {
+            throw new InvalidOperationException("Blob storage: Blob paths must not contain relative path segments.");
+        }
+
+        return Path.Combine(pathParts);
+    }
+
+    private string BuildPublicUrl(string relativePath)
+    {
+        HttpRequest? request = httpContextAccessor.HttpContext?.Request;
+        string requestPath = NormalizeRequestPath(_options.RequestPath);
+        string urlPath = $"{requestPath}/{relativePath.Replace(Path.DirectorySeparatorChar, '/')}";
+
+        if (request is null)
+        {
+            return urlPath;
+        }
+
+        return $"{request.Scheme}://{request.Host}{request.PathBase}{urlPath}";
+    }
+
+    internal static string NormalizeRequestPath(string requestPath)
+    {
+        string normalized = string.IsNullOrWhiteSpace(requestPath)
+            ? "/api/storage"
+            : requestPath.Trim();
+
+        return normalized.StartsWith("/", StringComparison.Ordinal)
+            ? normalized.TrimEnd('/')
+            : $"/{normalized.TrimEnd('/')}";
+    }
+}

backend/src/Socialize.Api/Infrastructure/Configuration/WebsiteOptions.cs

@@ -1,4 +1,4 @@
-namespace Socialize.Infrastructure.Configuration;
+namespace Socialize.Api.Infrastructure.Configuration;
 
 public class WebsiteOptions
 {

backend/src/Socialize.Api/Infrastructure/DependencyInjection.cs

@@ -1,12 +1,13 @@
-using Socialize.Infrastructure.BlobStorage.Contracts;
+using Socialize.Api.Infrastructure.BlobStorage.Contracts;
-using Socialize.Infrastructure.BlobStorage.Services;
+using Socialize.Api.Infrastructure.BlobStorage.Services;
-using Socialize.Infrastructure.Configuration;
+using Socialize.Api.Infrastructure.BlobStorage.Configuration;
-using Socialize.Infrastructure.Emailer.Configuration;
+using Socialize.Api.Infrastructure.Configuration;
-using Socialize.Infrastructure.Emailer.Contracts;
+using Socialize.Api.Infrastructure.Emailer.Configuration;
-using Socialize.Infrastructure.Emailer.Services;
+using Socialize.Api.Infrastructure.Emailer.Contracts;
-using Socialize.Infrastructure.Payments.Stripe.Configuration;
+using Socialize.Api.Infrastructure.Emailer.Services;
+using Socialize.Api.Infrastructure.Payments.Stripe.Configuration;
 
-namespace Socialize.Infrastructure;
+namespace Socialize.Api.Infrastructure;
 
 public static class DependencyInjection
 {
@@ -16,14 +17,23 @@ public static class DependencyInjection
         builder.Services.Configure<WebsiteOptions>(
             builder.Configuration.GetRequiredSection(WebsiteOptions.SectionName));
 
-        builder.Services.AddTransient<IBlobStorage, AzureBlobStorage>();
+        builder.Services.Configure<LocalBlobStorageOptions>(
+            builder.Configuration.GetSection(LocalBlobStorageOptions.SectionName));
+        builder.Services.AddTransient<LocalBlobStorage>();
+        builder.Services.AddTransient<IBlobStorage>(services => services.GetRequiredService<LocalBlobStorage>());
         builder.Services.Configure<StripeOptions>(
             builder.Configuration.GetSection(StripeOptions.ConfigurationSection));
 
         builder.Services.Configure<EmailerOptions>(
             builder.Configuration.GetSection(EmailerOptions.ConfigurationSection));
-        builder.Services.AddTransient<IEmailSender, ResendEmailSender>();
+        if (builder.Environment.IsDevelopment())
-        //builder.Services.AddTransient<IEmailSender, EmailSender>();
+        {
+            builder.Services.AddTransient<IEmailSender, LoggerEmailSender>();
+        }
+        else
+        {
+            builder.Services.AddTransient<IEmailSender, ResendEmailSender>();
+        }
 
         builder.Services.AddHttpClient();
 

backend/src/Socialize.Api/Infrastructure/Development/DevelopmentSeedExtensions.cs

@@ -1,19 +1,37 @@
+using Microsoft.EntityFrameworkCore;
 using System.Security.Claims;
-using Socialize.Infrastructure.Security;
+using Socialize.Api.Data;
-using Socialize.Modules.Identity.Contracts;
+using Socialize.Api.Infrastructure.Security;
-using Socialize.Modules.Identity.Data;
+using Socialize.Api.Modules.Identity.Contracts;
+using Socialize.Api.Modules.Identity.Data;
+using Socialize.Api.Modules.Assets.Data;
+using Socialize.Api.Modules.Approvals.Data;
+using Socialize.Api.Modules.Channels.Data;
+using Socialize.Api.Modules.Comments.Data;
+using Socialize.Api.Modules.ContentItems.Data;
+using Socialize.Api.Modules.Clients.Data;
+using Socialize.Api.Modules.Notifications.Data;
+using Socialize.Api.Modules.Campaigns.Data;
+using Socialize.Api.Modules.Organizations.Data;
+using Socialize.Api.Modules.Organizations.Services;
+using Socialize.Api.Modules.Workspaces.Data;
 using Microsoft.AspNetCore.Identity;
 using Microsoft.Extensions.Options;
 
-namespace Socialize.Infrastructure.Development;
+namespace Socialize.Api.Infrastructure.Development;
 
 public static class DevelopmentSeedExtensions
 {
+    private static readonly Guid OrganizationId = Guid.Parse("99999999-9999-9999-9999-999999999999");
     private static readonly Guid WorkspaceId = Guid.Parse("11111111-1111-1111-1111-111111111111");
+    private static readonly Guid AtlasWorkspaceId = Guid.Parse("11111111-1111-1111-1111-222222222222");
     private static readonly Guid ScopedClientId = Guid.Parse("22222222-2222-2222-2222-222222222222");
     private static readonly Guid HiddenClientId = Guid.Parse("22222222-2222-2222-2222-333333333333");
-    private static readonly Guid ScopedProjectId = Guid.Parse("33333333-3333-3333-3333-333333333333");
+    private static readonly Guid ScopedCampaignId = Guid.Parse("33333333-3333-3333-3333-333333333333");
-    private static readonly Guid HiddenProjectId = Guid.Parse("33333333-3333-3333-3333-444444444444");
+    private static readonly Guid HiddenCampaignId = Guid.Parse("33333333-3333-3333-3333-444444444444");
+    private static readonly Guid LumaInstagramChannelId = Guid.Parse("33333333-3333-3333-3333-000000000001");
+    private static readonly Guid LumaTikTokChannelId = Guid.Parse("33333333-3333-3333-3333-000000000002");
+    private static readonly Guid AtlasInstagramChannelId = Guid.Parse("33333333-3333-3333-3333-000000000003");
     private static readonly Guid ScopedContentItemId = Guid.Parse("44444444-4444-4444-4444-444444444444");
     private static readonly Guid HiddenContentItemId = Guid.Parse("44444444-4444-4444-4444-555555555555");
     private static readonly Guid ScopedAssetId = Guid.Parse("55555555-5555-5555-5555-555555555555");
@@ -41,8 +59,6 @@ public static class DevelopmentSeedExtensions
         UserManager userManager = scope.ServiceProvider.GetRequiredService<UserManager>();
         AppDbContext dbContext = scope.ServiceProvider.GetRequiredService<AppDbContext>();
 
-        await RemoveLegacyDevUserAsync(userManager);
-
         User manager = await EnsureUserAsync(
             userManager,
             id: Guid.Parse("aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"),
@@ -91,9 +107,30 @@ public static class DevelopmentSeedExtensions
             [
                 new Claim(KnownClaims.WorkspaceScope, WorkspaceId.ToString()),
                 new Claim(KnownClaims.ClientScope, ScopedClientId.ToString()),
-                new Claim(KnownClaims.ProjectScope, ScopedProjectId.ToString()),
+                new Claim(KnownClaims.CampaignScope, ScopedCampaignId.ToString()),
             ]);
 
+        User dev = await EnsureUserAsync(
+            userManager,
+            id: Guid.Parse("dddddddd-dddd-dddd-dddd-dddddddddddd"),
+            username: "dev",
+            email: "dev@socialize.local",
+            password: "dev",
+            alias: "Socialize Dev",
+            firstname: "Jo",
+            lastname: "Bumble",
+            portraitUrl: "https://images.unsplash.com/photo-1494790108377-be9c29b29330?auto=format&fit=crop&w=200&q=80",
+            roles: [KnownRoles.Developer, KnownRoles.Administrator, KnownRoles.Manager, KnownRoles.WorkspaceMember],
+            claims:
+            [
+            ]);
+
+        await EnsureOrganizationDataAsync(
+            manager.Id,
+            dev.Id,
+            dbContext,
+            cancellationToken);
+
         await EnsureWorkspaceDataAsync(
             manager.Id,
             clientUser.Id,
@@ -104,19 +141,6 @@ public static class DevelopmentSeedExtensions
         return app;
     }
 
-    private static async Task RemoveLegacyDevUserAsync(UserManager userManager)
-    {
-        User? legacyUser = await userManager.FindByNameAsync("dev")
-                           ?? await userManager.FindByEmailAsync("dev@socialize.local");
-
-        if (legacyUser is null)
-        {
-            return;
-        }
-
-        await userManager.DeleteAsync(legacyUser);
-    }
-
     private static async Task<User> EnsureUserAsync(
         UserManager userManager,
         Guid id,
@@ -190,7 +214,7 @@ public static class DevelopmentSeedExtensions
 
         IList<Claim> existingClaims = await userManager.GetClaimsAsync(user);
         List<Claim> managedClaims = existingClaims
-            .Where(claim => claim.Type is KnownClaims.WorkspaceScope or KnownClaims.ClientScope or KnownClaims.ProjectScope or KnownClaims.Persona)
+            .Where(claim => claim.Type is KnownClaims.WorkspaceScope or KnownClaims.ClientScope or KnownClaims.CampaignScope or KnownClaims.Persona)
             .ToList();
 
         foreach (Claim claim in managedClaims)
@@ -214,6 +238,75 @@ public static class DevelopmentSeedExtensions
         return user;
     }
 
+    private static async Task EnsureOrganizationDataAsync(
+        Guid managerUserId,
+        Guid developerUserId,
+        AppDbContext dbContext,
+        CancellationToken cancellationToken)
+    {
+        Organization? organization = await dbContext.Organizations
+            .SingleOrDefaultAsync(candidate => candidate.Id == OrganizationId, cancellationToken);
+        if (organization is null)
+        {
+            organization = new Organization
+            {
+                Id = OrganizationId,
+                Name = string.Empty,
+                CreatedAt = DateTimeOffset.UtcNow,
+            };
+            dbContext.Organizations.Add(organization);
+        }
+
+        organization.Name = "Northstar Agency";
+        organization.OwnerUserId = managerUserId;
+
+        await UpsertOrganizationMembershipAsync(
+            dbContext,
+            Guid.Parse("99999999-9999-9999-9999-000000000001"),
+            OrganizationId,
+            managerUserId,
+            OrganizationRoles.Owner,
+            cancellationToken);
+
+        await UpsertOrganizationMembershipAsync(
+            dbContext,
+            Guid.Parse("99999999-9999-9999-9999-000000000002"),
+            OrganizationId,
+            developerUserId,
+            OrganizationRoles.Admin,
+            cancellationToken);
+
+        await dbContext.SaveChangesAsync(cancellationToken);
+    }
+
+    private static async Task UpsertOrganizationMembershipAsync(
+        AppDbContext dbContext,
+        Guid membershipId,
+        Guid organizationId,
+        Guid userId,
+        string role,
+        CancellationToken cancellationToken)
+    {
+        OrganizationMembership? membership = await dbContext.OrganizationMemberships
+            .SingleOrDefaultAsync(
+                candidate => candidate.OrganizationId == organizationId && candidate.UserId == userId,
+                cancellationToken);
+        if (membership is null)
+        {
+            membership = new OrganizationMembership
+            {
+                Id = membershipId,
+                OrganizationId = organizationId,
+                UserId = userId,
+                Role = role,
+                CreatedAt = DateTimeOffset.UtcNow,
+            };
+            dbContext.OrganizationMemberships.Add(membership);
+        }
+
+        membership.Role = role;
+    }
+
     private static async Task EnsureWorkspaceDataAsync(
         Guid managerUserId,
         Guid clientUserId,
@@ -221,33 +314,31 @@ public static class DevelopmentSeedExtensions
         AppDbContext dbContext,
         CancellationToken cancellationToken)
     {
-        Workspace? workspace = await dbContext.Workspaces
+        await UpsertWorkspaceAsync(
-            .SingleOrDefaultAsync(candidate => candidate.Id == WorkspaceId, cancellationToken);
+            dbContext,
-        if (workspace is null)
+            WorkspaceId,
-        {
+            OrganizationId,
-            workspace = new Workspace
+            managerUserId,
-            {
+            "Luma Coffee",
-                Id = WorkspaceId,
+            "America/Montreal",
-                Name = string.Empty,
+            "/images/seed/luma-coffee-logo.svg",
-                Slug = string.Empty,
+            cancellationToken);
-                TimeZone = string.Empty,
+        await UpsertWorkspaceAsync(
-                CreatedAt = DateTimeOffset.UtcNow,
+            dbContext,
-            };
+            AtlasWorkspaceId,
-            dbContext.Workspaces.Add(workspace);
+            OrganizationId,
-        }
+            managerUserId,
-
+            "Atlas Bakery",
-        workspace.Name = "Northstar Studio";
+            "America/Montreal",
-        workspace.Slug = "northstar-studio";
+            "/images/seed/atlas-bakery-logo.svg",
-        workspace.OwnerUserId = managerUserId;
+            cancellationToken);
-        workspace.TimeZone = "America/Montreal";
-        await dbContext.SaveChangesAsync(cancellationToken);
 
         await UpsertClientAsync(
             dbContext,
             ScopedClientId,
             "Luma Coffee",
             "Active",
-            "https://images.unsplash.com/photo-1511920170033-f8396924c348?auto=format&fit=crop&w=200&q=80",
+            "/images/seed/luma-coffee-logo.svg",
             "Sofia Martin",
             "client@socialize.local",
             WorkspaceId,
@@ -257,15 +348,15 @@ public static class DevelopmentSeedExtensions
             HiddenClientId,
             "Atlas Bakery",
             "Active",
-            "https://images.unsplash.com/photo-1509440159596-0249088772ff?auto=format&fit=crop&w=200&q=80",
+            "/images/seed/atlas-bakery-logo.svg",
             "Nina Cole",
             "nina@atlasbakery.test",
-            WorkspaceId,
+            AtlasWorkspaceId,
             cancellationToken);
 
-        await UpsertProjectAsync(
+        await UpsertCampaignAsync(
             dbContext,
-            ScopedProjectId,
+            ScopedCampaignId,
             WorkspaceId,
             ScopedClientId,
             "Spring Launch",
@@ -275,10 +366,10 @@ public static class DevelopmentSeedExtensions
             "Cross-channel launch campaign for the spring offer.",
             "Coordinate creative approvals before the final week.",
             cancellationToken);
-        await UpsertProjectAsync(
+        await UpsertCampaignAsync(
             dbContext,
-            HiddenProjectId,
+            HiddenCampaignId,
-            WorkspaceId,
+            AtlasWorkspaceId,
             HiddenClientId,
             "Summer Retention",
             "Planned",
@@ -288,16 +379,44 @@ public static class DevelopmentSeedExtensions
             "Sequence email and paid social updates together.",
             cancellationToken);
 
+        await UpsertChannelAsync(
+            dbContext,
+            LumaInstagramChannelId,
+            WorkspaceId,
+            "Luma Coffee Instagram",
+            "Instagram",
+            "@lumacoffee",
+            null,
+            cancellationToken);
+        await UpsertChannelAsync(
+            dbContext,
+            LumaTikTokChannelId,
+            WorkspaceId,
+            "Luma Coffee TikTok",
+            "TikTok",
+            "@lumacoffee",
+            null,
+            cancellationToken);
+        await UpsertChannelAsync(
+            dbContext,
+            AtlasInstagramChannelId,
+            AtlasWorkspaceId,
+            "Atlas Bakery Instagram",
+            "Instagram",
+            "@atlasbakery",
+            null,
+            cancellationToken);
+
         await UpsertContentItemAsync(
             dbContext,
             ScopedContentItemId,
             WorkspaceId,
             ScopedClientId,
-            ScopedProjectId,
+            ScopedCampaignId,
             "Spring launch hero video",
             "Fresh seasonal menu launch across Instagram and TikTok.",
-            "Instagram Reel, TikTok",
+            "Luma Coffee Instagram, Luma Coffee TikTok",
-            "In client review",
+            "In approval",
             DateTimeOffset.UtcNow.AddDays(3),
             "v3",
             3,
@@ -305,22 +424,22 @@ public static class DevelopmentSeedExtensions
         await UpsertContentItemAsync(
             dbContext,
             HiddenContentItemId,
-            WorkspaceId,
+            AtlasWorkspaceId,
             HiddenClientId,
-            HiddenProjectId,
+            HiddenCampaignId,
             "Bakery loyalty carousel",
             "Reward regular customers with a four-card retention carousel.",
-            "Instagram Carousel",
+            "Atlas Bakery Instagram",
             "Draft",
             DateTimeOffset.UtcNow.AddDays(10),
             "v1",
             1,
             cancellationToken);
 
-        await EnsureRevisionAsync(dbContext, Guid.Parse("44444444-4444-4444-4444-000000000001"), ScopedContentItemId, 1, "v1", "Spring launch hero video", "Initial draft for the seasonal menu launch.", "Instagram Reel, TikTok", "Initial concept draft.", providerUserId, DateTimeOffset.UtcNow.AddDays(-5), cancellationToken);
+        await EnsureRevisionAsync(dbContext, Guid.Parse("44444444-4444-4444-4444-000000000001"), ScopedContentItemId, 1, "v1", "Spring launch hero video", "Initial draft for the seasonal menu launch.", "Luma Coffee Instagram, Luma Coffee TikTok", "Initial concept draft.", providerUserId, DateTimeOffset.UtcNow.AddDays(-5), cancellationToken);
-        await EnsureRevisionAsync(dbContext, Guid.Parse("44444444-4444-4444-4444-000000000002"), ScopedContentItemId, 2, "v2", "Spring launch hero video", "Updated hook and transitions after internal review.", "Instagram Reel, TikTok", "Addressed internal pacing feedback.", providerUserId, DateTimeOffset.UtcNow.AddDays(-3), cancellationToken);
+        await EnsureRevisionAsync(dbContext, Guid.Parse("44444444-4444-4444-4444-000000000002"), ScopedContentItemId, 2, "v2", "Spring launch hero video", "Updated hook and transitions after internal review.", "Luma Coffee Instagram, Luma Coffee TikTok", "Addressed internal pacing feedback.", providerUserId, DateTimeOffset.UtcNow.AddDays(-3), cancellationToken);
-        await EnsureRevisionAsync(dbContext, Guid.Parse("44444444-4444-4444-4444-000000000003"), ScopedContentItemId, 3, "v3", "Spring launch hero video", "Fresh seasonal menu launch across Instagram and TikTok.", "Instagram Reel, TikTok", "Client-facing draft after copy cleanup.", providerUserId, DateTimeOffset.UtcNow.AddDays(-1), cancellationToken);
+        await EnsureRevisionAsync(dbContext, Guid.Parse("44444444-4444-4444-4444-000000000003"), ScopedContentItemId, 3, "v3", "Spring launch hero video", "Fresh seasonal menu launch across Instagram and TikTok.", "Luma Coffee Instagram, Luma Coffee TikTok", "Client-facing draft after copy cleanup.", providerUserId, DateTimeOffset.UtcNow.AddDays(-1), cancellationToken);
-        await EnsureRevisionAsync(dbContext, Guid.Parse("44444444-4444-4444-4444-000000000004"), HiddenContentItemId, 1, "v1", "Bakery loyalty carousel", "Reward regular customers with a four-card retention carousel.", "Instagram Carousel", "First draft.", managerUserId, DateTimeOffset.UtcNow.AddDays(-2), cancellationToken);
+        await EnsureRevisionAsync(dbContext, Guid.Parse("44444444-4444-4444-4444-000000000004"), HiddenContentItemId, 1, "v1", "Bakery loyalty carousel", "Reward regular customers with a four-card retention carousel.", "Atlas Bakery Instagram", "First draft.", managerUserId, DateTimeOffset.UtcNow.AddDays(-2), cancellationToken);
 
         Asset? asset = await dbContext.Assets.SingleOrDefaultAsync(candidate => candidate.Id == ScopedAssetId, cancellationToken);
         if (asset is null)
@@ -368,8 +487,6 @@ public static class DevelopmentSeedExtensions
         comment.AuthorDisplayName = "Sofia Martin";
         comment.AuthorEmail = "client@socialize.local";
         comment.Body = "Please tighten the opening three seconds and make the launch CTA more explicit.";
-        comment.IsResolved = false;
-        comment.ResolvedAt = null;
         await dbContext.SaveChangesAsync(cancellationToken);
 
         ApprovalRequest? approvalRequest = await dbContext.ApprovalRequests.SingleOrDefaultAsync(candidate => candidate.Id == ScopedApprovalRequestId, cancellationToken);
@@ -448,6 +565,38 @@ public static class DevelopmentSeedExtensions
         await dbContext.SaveChangesAsync(cancellationToken);
     }
 
+    private static async Task UpsertWorkspaceAsync(
+        AppDbContext dbContext,
+        Guid id,
+        Guid organizationId,
+        Guid ownerUserId,
+        string name,
+        string timeZone,
+        string logoUrl,
+        CancellationToken cancellationToken)
+    {
+        Workspace? workspace = await dbContext.Workspaces
+            .SingleOrDefaultAsync(candidate => candidate.Id == id, cancellationToken);
+        if (workspace is null)
+        {
+            workspace = new Workspace
+            {
+                Id = id,
+                Name = string.Empty,
+                TimeZone = string.Empty,
+                CreatedAt = DateTimeOffset.UtcNow,
+            };
+            dbContext.Workspaces.Add(workspace);
+        }
+
+        workspace.Name = name;
+        workspace.OrganizationId = organizationId;
+        workspace.OwnerUserId = ownerUserId;
+        workspace.TimeZone = timeZone;
+        workspace.LogoUrl = logoUrl;
+        await dbContext.SaveChangesAsync(cancellationToken);
+    }
+
     private static async Task UpsertClientAsync(
         AppDbContext dbContext,
         Guid id,
@@ -481,7 +630,7 @@ public static class DevelopmentSeedExtensions
         await dbContext.SaveChangesAsync(cancellationToken);
     }
 
-    private static async Task UpsertProjectAsync(
+    private static async Task UpsertCampaignAsync(
         AppDbContext dbContext,
         Guid id,
         Guid workspaceId,
@@ -494,26 +643,57 @@ public static class DevelopmentSeedExtensions
         string? notes,
         CancellationToken cancellationToken)
     {
-        Project? project = await dbContext.Projects.SingleOrDefaultAsync(candidate => candidate.Id == id, cancellationToken);
+        Campaign? campaign = await dbContext.Campaigns.SingleOrDefaultAsync(candidate => candidate.Id == id, cancellationToken);
-        if (project is null)
+        if (campaign is null)
         {
-            project = new Project
+            campaign = new Campaign
             {
                 Id = id,
                 Name = string.Empty,
                 Status = string.Empty,
                 CreatedAt = DateTimeOffset.UtcNow,
             };
-            dbContext.Projects.Add(project);
+            dbContext.Campaigns.Add(campaign);
         }
-        project.WorkspaceId = workspaceId;
+        campaign.WorkspaceId = workspaceId;
-        project.ClientId = clientId;
+        campaign.ClientId = clientId;
-        project.Name = name;
+        campaign.Name = name;
-        project.Description = description;
+        campaign.Description = description;
-        project.Notes = notes;
+        campaign.Notes = notes;
-        project.Status = status;
+        campaign.Status = status;
-        project.StartDate = startDate;
+        campaign.StartDate = startDate;
-        project.EndDate = endDate;
+        campaign.EndDate = endDate;
+        await dbContext.SaveChangesAsync(cancellationToken);
+    }
+
+    private static async Task UpsertChannelAsync(
+        AppDbContext dbContext,
+        Guid id,
+        Guid workspaceId,
+        string name,
+        string network,
+        string? handle,
+        string? externalUrl,
+        CancellationToken cancellationToken)
+    {
+        Channel? channel = await dbContext.Channels.SingleOrDefaultAsync(candidate => candidate.Id == id, cancellationToken);
+        if (channel is null)
+        {
+            channel = new Channel
+            {
+                Id = id,
+                Name = string.Empty,
+                Network = string.Empty,
+                CreatedAt = DateTimeOffset.UtcNow,
+            };
+            dbContext.Channels.Add(channel);
+        }
+
+        channel.WorkspaceId = workspaceId;
+        channel.Name = name;
+        channel.Network = network;
+        channel.Handle = handle;
+        channel.ExternalUrl = externalUrl;
         await dbContext.SaveChangesAsync(cancellationToken);
     }
 
@@ -522,7 +702,7 @@ public static class DevelopmentSeedExtensions
         Guid id,
         Guid workspaceId,
         Guid clientId,
-        Guid projectId,
+        Guid campaignId,
         string title,
         string publicationMessage,
         string publicationTargets,
@@ -549,7 +729,7 @@ public static class DevelopmentSeedExtensions
         }
         item.WorkspaceId = workspaceId;
         item.ClientId = clientId;
-        item.ProjectId = projectId;
+        item.CampaignId = campaignId;
         item.Title = title;
         item.PublicationMessage = publicationMessage;
         item.PublicationTargets = publicationTargets;

backend/src/Socialize.Api/Infrastructure/Development/DevelopmentSeedOptions.cs

@@ -1,4 +1,4 @@
-namespace Socialize.Infrastructure.Development;
+namespace Socialize.Api.Infrastructure.Development;
 
 public record DevelopmentSeedOptions
 {

backend/src/Socialize.Api/Infrastructure/Emailer/Configuration/EmailerOptions.cs

@@ -1,4 +1,4 @@
-namespace Socialize.Infrastructure.Emailer.Configuration;
+namespace Socialize.Api.Infrastructure.Emailer.Configuration;
 
 public class EmailerOptions
 {

backend/src/Socialize.Api/Infrastructure/Emailer/Contracts/IEmailSender.cs

@@ -1,4 +1,4 @@
-namespace Socialize.Infrastructure.Emailer.Contracts;
+namespace Socialize.Api.Infrastructure.Emailer.Contracts;
 
 public interface IEmailSender
 {

backend/src/Socialize.Api/Infrastructure/Emailer/Services/LoggerEmailSender.cs

@@ -1,22 +1,19 @@
-using Socialize.Infrastructure.Emailer.Contracts;
+using Socialize.Api.Infrastructure.Emailer.Contracts;
 
-namespace Socialize.Infrastructure.Emailer.Services;
+namespace Socialize.Api.Infrastructure.Emailer.Services;
 
 public class LoggerEmailSender(ILogger<IEmailSender> logger)
     : IEmailSender
 {
-    public async Task SendEmailAsync(string email, string subject, string message)
+    public Task SendEmailAsync(string email, string subject, string message)
     {
-        try
+        logger.LogInformation(
-        {
+            "Development email to {Email} with subject {Subject}:{NewLine}{Message}",
-            logger.LogInformation("Sending email to {Email} with subject: {Subject}", email, subject);
+            email,
-            await Task.Delay(1000);
+            subject,
-            logger.LogInformation("Email sent successfully to {Email}", email);
+            Environment.NewLine,
-        }
+            message);
-        catch (Exception ex)
+
-        {
+        return Task.CompletedTask;
-            logger.LogError(ex, "Failed to send email to {Email}", email);
-            throw;
-        }
     }
 }

backend/src/Socialize.Api/Infrastructure/Emailer/Services/PostmarkEmailSender.cs

@@ -1,9 +1,9 @@
-using Socialize.Infrastructure.Emailer.Configuration;
+using Socialize.Api.Infrastructure.Emailer.Configuration;
-using Socialize.Infrastructure.Emailer.Contracts;
+using Socialize.Api.Infrastructure.Emailer.Contracts;
 using Microsoft.Extensions.Options;
 using PostmarkDotNet;
 
-namespace Socialize.Infrastructure.Emailer.Services;
+namespace Socialize.Api.Infrastructure.Emailer.Services;
 
 public class PostmarkEmailSender : IEmailSender
 {

backend/src/Socialize.Api/Infrastructure/Emailer/Services/ResendEmailSender.cs

@@ -1,11 +1,11 @@
 using System.Net.Http.Headers;
 using System.Text;
 using System.Text.Json;
-using Socialize.Infrastructure.Emailer.Configuration;
+using Socialize.Api.Infrastructure.Emailer.Configuration;
-using Socialize.Infrastructure.Emailer.Contracts;
+using Socialize.Api.Infrastructure.Emailer.Contracts;
 using Microsoft.Extensions.Options;
 
-namespace Socialize.Infrastructure.Emailer.Services;
+namespace Socialize.Api.Infrastructure.Emailer.Services;
 
 public class ResendEmailSender : IEmailSender
 {
@@ -20,8 +20,24 @@ public class ResendEmailSender : IEmailSender
         _httpClient = httpClientFactory.CreateClient();
         _options = options.Value;
 
+        string apiKey = NormalizeApiKey(_options.ApiKey);
+        string fromEmail = _options.FromEmail?.Trim() ?? string.Empty;
+
+        if (string.IsNullOrWhiteSpace(apiKey))
+        {
+            throw new InvalidOperationException("Emailer:ApiKey is required when using Resend email delivery.");
+        }
+
+        if (string.IsNullOrWhiteSpace(fromEmail))
+        {
+            throw new InvalidOperationException("Emailer:FromEmail is required when using Resend email delivery.");
+        }
+
+        _options.ApiKey = apiKey;
+        _options.FromEmail = fromEmail;
+
         _httpClient.DefaultRequestHeaders.Authorization =
-            new AuthenticationHeaderValue("Bearer", _options.ApiKey);
+            new AuthenticationHeaderValue("Bearer", apiKey);
 
         _httpClient.DefaultRequestHeaders.Accept.Add(
             new MediaTypeWithQualityHeaderValue("application/json"));
@@ -43,4 +59,16 @@ public class ResendEmailSender : IEmailSender
                 $"Resend email failed: {response.StatusCode} - {body}");
         }
     }
+
+    private static string NormalizeApiKey(string? apiKey)
+    {
+        string normalized = apiKey?.Trim().Trim('"', '\'') ?? string.Empty;
+        const string bearerPrefix = "Bearer ";
+        if (normalized.StartsWith(bearerPrefix, StringComparison.OrdinalIgnoreCase))
+        {
+            normalized = normalized[bearerPrefix.Length..].Trim();
+        }
+
+        return normalized;
+    }
 }

backend/src/Socialize.Api/Infrastructure/Payments/Stripe/Configuration/StripeOptions.cs

@@ -1,6 +1,6 @@
 using System.ComponentModel.DataAnnotations;
 
-namespace Socialize.Infrastructure.Payments.Stripe.Configuration;
+namespace Socialize.Api.Infrastructure.Payments.Stripe.Configuration;
 
 public class StripeOptions
 {

backend/src/Socialize.Api/Infrastructure/Security/AccessScopeService.cs

@@ -1,9 +1,11 @@
 using System.Security.Claims;
-using Socialize.Modules.Identity.Contracts;
+using Socialize.Api.Modules.Identity.Contracts;
+using Socialize.Api.Modules.Organizations.Services;
 
-namespace Socialize.Infrastructure.Security;
+namespace Socialize.Api.Infrastructure.Security;
 
-public sealed class AccessScopeService
+public sealed class AccessScopeService(
+    OrganizationAccessService organizationAccessService)
 {
     public bool IsManager(ClaimsPrincipal user)
     {
@@ -36,21 +38,140 @@ public sealed class AccessScopeService
                || (CanAccessWorkspace(user, workspaceId) && user.GetClientScopeIds().Contains(clientId));
     }
 
-    public bool CanAccessProject(ClaimsPrincipal user, Guid workspaceId, Guid clientId, Guid projectId)
+    public bool CanAccessCampaign(ClaimsPrincipal user, Guid workspaceId, Guid clientId, Guid campaignId)
     {
         return IsManager(user)
-               || (CanAccessClient(user, workspaceId, clientId) && user.GetProjectScopeIds().Contains(projectId));
+               || (CanAccessClient(user, workspaceId, clientId) && user.GetCampaignScopeIds().Contains(campaignId));
     }
 
-    public bool CanContributeToProject(ClaimsPrincipal user, Guid workspaceId, Guid clientId, Guid projectId)
+    public bool CanContributeToCampaign(ClaimsPrincipal user, Guid workspaceId, Guid clientId, Guid campaignId)
     {
-        return IsManager(user) || (IsProvider(user) && CanAccessProject(user, workspaceId, clientId, projectId));
+        return IsManager(user) || (IsProvider(user) && CanAccessCampaign(user, workspaceId, clientId, campaignId));
     }
 
-    public bool CanReviewContent(ClaimsPrincipal user, Guid workspaceId, Guid clientId, Guid projectId)
+    public bool CanReviewContent(ClaimsPrincipal user, Guid workspaceId, Guid clientId, Guid campaignId)
     {
         return IsManager(user)
-               || IsProvider(user) && CanAccessProject(user, workspaceId, clientId, projectId)
+               || IsProvider(user) && CanAccessCampaign(user, workspaceId, clientId, campaignId)
                || IsClient(user) && CanAccessClient(user, workspaceId, clientId);
     }
+
+    public Task<IReadOnlyCollection<Guid>> GetAccessibleWorkspaceIdsAsync(
+        ClaimsPrincipal user,
+        CancellationToken ct)
+    {
+        return organizationAccessService.GetAccessibleWorkspaceIdsAsync(user, ct);
+    }
+
+    public async Task<bool> CanAccessWorkspaceAsync(
+        ClaimsPrincipal user,
+        Guid workspaceId,
+        CancellationToken ct)
+    {
+        return CanAccessWorkspace(user, workspaceId)
+               || await organizationAccessService.HasInheritedWorkspacePermissionAsync(
+                   user,
+                   workspaceId,
+                   OrganizationPermissions.AccessOwnedWorkspaces,
+                   ct);
+    }
+
+    public async Task<bool> CanManageWorkspaceAsync(
+        ClaimsPrincipal user,
+        Guid workspaceId,
+        CancellationToken ct)
+    {
+        return IsManager(user)
+               || await organizationAccessService.HasInheritedWorkspacePermissionAsync(
+                   user,
+                   workspaceId,
+                   OrganizationPermissions.ManageWorkspaces,
+                   ct);
+    }
+
+    public async Task<bool> CanCreateWorkspaceAsync(
+        ClaimsPrincipal user,
+        Guid organizationId,
+        CancellationToken ct)
+    {
+        return IsManager(user)
+               || await organizationAccessService.HasOrganizationPermissionAsync(
+                   user,
+                   organizationId,
+                   OrganizationPermissions.CreateWorkspaces,
+                   ct);
+    }
+
+    public async Task<bool> CanAccessClientAsync(
+        ClaimsPrincipal user,
+        Guid workspaceId,
+        Guid clientId,
+        CancellationToken ct)
+    {
+        if (IsManager(user) ||
+            await organizationAccessService.HasInheritedWorkspacePermissionAsync(
+                user,
+                workspaceId,
+                OrganizationPermissions.AccessOwnedWorkspaces,
+                ct))
+        {
+            return true;
+        }
+
+        return user.GetWorkspaceScopeIds().Contains(workspaceId) && user.GetClientScopeIds().Contains(clientId);
+    }
+
+    public async Task<bool> CanAccessCampaignAsync(
+        ClaimsPrincipal user,
+        Guid workspaceId,
+        Guid clientId,
+        Guid campaignId,
+        CancellationToken ct)
+    {
+        if (IsManager(user) ||
+            await organizationAccessService.HasInheritedWorkspacePermissionAsync(
+                user,
+                workspaceId,
+                OrganizationPermissions.AccessOwnedWorkspaces,
+                ct))
+        {
+            return true;
+        }
+
+        return await CanAccessClientAsync(user, workspaceId, clientId, ct) &&
+               user.GetCampaignScopeIds().Contains(campaignId);
+    }
+
+    public async Task<bool> CanContributeToCampaignAsync(
+        ClaimsPrincipal user,
+        Guid workspaceId,
+        Guid clientId,
+        Guid campaignId,
+        CancellationToken ct)
+    {
+        return IsManager(user)
+               || await organizationAccessService.HasInheritedWorkspacePermissionAsync(
+                   user,
+                   workspaceId,
+                   OrganizationPermissions.ManageWorkspaces,
+                   ct)
+               || IsProvider(user) && await CanAccessCampaignAsync(user, workspaceId, clientId, campaignId, ct);
+    }
+
+    public async Task<bool> CanReviewContentAsync(
+        ClaimsPrincipal user,
+        Guid workspaceId,
+        Guid clientId,
+        Guid campaignId,
+        CancellationToken ct)
+    {
+        return IsManager(user)
+               || await organizationAccessService.HasInheritedWorkspacePermissionAsync(
+                   user,
+                   workspaceId,
+                   OrganizationPermissions.AccessOwnedWorkspaces,
+                   ct)
+               || IsProvider(user) && await CanAccessCampaignAsync(user, workspaceId, clientId, campaignId, ct)
+               || IsClient(user) && await CanAccessClientAsync(user, workspaceId, clientId, ct);
+    }
 }

backend/src/Socialize.Api/Infrastructure/Security/ClaimsPrincipalExtensions.cs

@@ -1,6 +1,6 @@
 using System.Security.Claims;
 
-namespace Socialize.Infrastructure.Security;
+namespace Socialize.Api.Infrastructure.Security;
 
 public static class ClaimsPrincipalExtensions
 {
@@ -23,9 +23,9 @@ public static class ClaimsPrincipalExtensions
         return claims.GetScopeIds(KnownClaims.ClientScope);
     }
 
-    public static IReadOnlyCollection<Guid> GetProjectScopeIds(this ClaimsPrincipal claims)
+    public static IReadOnlyCollection<Guid> GetCampaignScopeIds(this ClaimsPrincipal claims)
     {
-        return claims.GetScopeIds(KnownClaims.ProjectScope);
+        return claims.GetScopeIds(KnownClaims.CampaignScope);
     }
 
     public static string? GetPersona(this ClaimsPrincipal claims)

backend/src/Socialize.Api/Infrastructure/Security/GenerateJwtToken.cs

@@ -3,7 +3,7 @@ using System.Security.Claims;
 using System.Text;
 using Microsoft.IdentityModel.Tokens;
 
-namespace Socialize.Infrastructure.Security;
+namespace Socialize.Api.Infrastructure.Security;
 
 public static class JwtTokenHelper
 {

backend/src/Socialize.Api/Infrastructure/Security/KnownClaims.cs

@@ -1,4 +1,4 @@
-namespace Socialize.Infrastructure.Security;
+namespace Socialize.Api.Infrastructure.Security;
 
 public static class KnownClaims
 {
@@ -6,6 +6,6 @@ public static class KnownClaims
     public const string PortraitUrl = "portraitUrl";
     public const string WorkspaceScope = "workspace";
     public const string ClientScope = "client";
-    public const string ProjectScope = "project";
+    public const string CampaignScope = "campaign";
     public const string Persona = "persona";
 }

backend/src/Socialize.Api/Infrastructure/Security/MissingClaimException.cs

@@ -1,4 +1,4 @@
-namespace Socialize.Infrastructure.Security;
+namespace Socialize.Api.Infrastructure.Security;
 
 public class MissingClaimException(
     string claimName)

backend/src/Socialize.Api/Infrastructure/Security/PasswordGenerator.cs

@@ -1,7 +1,7 @@
 using System.Security.Cryptography;
 using System.Text;
 
-namespace Socialize.Infrastructure.Security;
+namespace Socialize.Api.Infrastructure.Security;
 
 // If we need to add special characters we can alternate between 2 pools.
 public static class PasswordGenerator

backend/src/Socialize.Api/Infrastructure/Security/RefreshTokenGenerator.cs

@@ -1,6 +1,6 @@
 using System.Security.Cryptography;
 
-namespace Socialize.Infrastructure.Security;
+namespace Socialize.Api.Infrastructure.Security;
 
 public static class RefreshTokenGenerator
 {

backend/src/Socialize.Api/Infrastructure/YouTube/YouTubeUrlHelper.cs

@@ -1,6 +1,6 @@
 using System.Text.RegularExpressions;
 
-namespace Socialize.Infrastructure.YouTube;
+namespace Socialize.Api.Infrastructure.YouTube;
 
 public static class YouTubeUrlHelper
 {

backend/src/Socialize.Api/Migrations/20260423061407_Initial.Designer.cs

@@ -1,942 +0,0 @@
-// <auto-generated />
-using System;
-using Microsoft.EntityFrameworkCore;
-using Microsoft.EntityFrameworkCore.Infrastructure;
-using Microsoft.EntityFrameworkCore.Migrations;
-using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
-using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
-using Socialize.Data;
-
-#nullable disable
-
-namespace Socialize.Api.Migrations
-{
-    [DbContext(typeof(AppDbContext))]
-    [Migration("20260423061407_Initial")]
-    partial class Initial
-    {
-        /// <inheritdoc />
-        protected override void BuildTargetModel(ModelBuilder modelBuilder)
-        {
-#pragma warning disable 612, 618
-            modelBuilder
-                .HasAnnotation("ProductVersion", "10.0.0")
-                .HasAnnotation("Relational:MaxIdentifierLength", 63);
-
-            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<string>("ClaimType")
-                        .HasColumnType("text");
-
-                    b.Property<string>("ClaimValue")
-                        .HasColumnType("text");
-
-                    b.Property<Guid>("RoleId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("RoleId");
-
-                    b.ToTable("AspNetRoleClaims", (string)null);
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
-                {
-                    b.Property<int>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("integer");
-
-                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
-
-                    b.Property<string>("ClaimType")
-                        .HasColumnType("text");
-
-                    b.Property<string>("ClaimValue")
-                        .HasColumnType("text");
-
-                    b.Property<Guid>("UserId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("UserId");
-
-                    b.ToTable("AspNetUserClaims", (string)null);
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
-                {
-                    b.Property<string>("LoginProvider")
-                        .HasColumnType("text");
-
-                    b.Property<string>("ProviderKey")
-                        .HasColumnType("text");
-
-                    b.Property<string>("ProviderDisplayName")
-                        .HasColumnType("text");
-
-                    b.Property<Guid>("UserId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("LoginProvider", "ProviderKey");
-
-                    b.HasIndex("UserId");
-
-                    b.ToTable("AspNetUserLogins", (string)null);
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
-                {
-                    b.Property<Guid>("UserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<Guid>("RoleId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("UserId", "RoleId");
-
-                    b.HasIndex("RoleId");
-
-                    b.ToTable("AspNetUserRoles", (string)null);
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
-                {
-                    b.Property<Guid>("UserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("LoginProvider")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Name")
-                        .HasColumnType("text");
-
-                    b.Property<string>("Value")
-                        .HasColumnType("text");
-
-                    b.HasKey("UserId", "LoginProvider", "Name");
-
-                    b.ToTable("AspNetUserTokens", (string)null);
-                });
-
-            modelBuilder.Entity("Socialize.Modules.Approvals.Data.ApprovalDecision", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<Guid>("ApprovalRequestId")
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("Comment")
-                        .HasMaxLength(2048)
-                        .HasColumnType("character varying(2048)");
-
-                    b.Property<DateTimeOffset>("CreatedAt")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("timestamp with time zone")
-                        .HasDefaultValueSql("CURRENT_TIMESTAMP");
-
-                    b.Property<string>("DecidedByEmail")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("DecidedByName")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<Guid?>("DecidedByUserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("Decision")
-                        .IsRequired()
-                        .HasMaxLength(64)
-                        .HasColumnType("character varying(64)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ApprovalRequestId");
-
-                    b.ToTable("ApprovalDecisions", (string)null);
-                });
-
-            modelBuilder.Entity("Socialize.Modules.Approvals.Data.ApprovalRequest", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("AccessToken")
-                        .IsRequired()
-                        .HasMaxLength(64)
-                        .HasColumnType("character varying(64)");
-
-                    b.Property<DateTimeOffset?>("CompletedAt")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<Guid>("ContentItemId")
-                        .HasColumnType("uuid");
-
-                    b.Property<DateTimeOffset?>("DueAt")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<Guid>("RequestedByUserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("ReviewerEmail")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("ReviewerName")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<DateTimeOffset>("SentAt")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("timestamp with time zone")
-                        .HasDefaultValueSql("CURRENT_TIMESTAMP");
-
-                    b.Property<string>("Stage")
-                        .IsRequired()
-                        .HasMaxLength(64)
-                        .HasColumnType("character varying(64)");
-
-                    b.Property<string>("State")
-                        .IsRequired()
-                        .HasMaxLength(64)
-                        .HasColumnType("character varying(64)");
-
-                    b.Property<Guid>("WorkspaceId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ContentItemId");
-
-                    b.HasIndex("ReviewerEmail");
-
-                    b.HasIndex("WorkspaceId");
-
-                    b.ToTable("ApprovalRequests", (string)null);
-                });
-
-            modelBuilder.Entity("Socialize.Modules.Assets.Data.Asset", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("AssetType")
-                        .IsRequired()
-                        .HasMaxLength(64)
-                        .HasColumnType("character varying(64)");
-
-                    b.Property<Guid>("ContentItemId")
-                        .HasColumnType("uuid");
-
-                    b.Property<DateTimeOffset>("CreatedAt")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("timestamp with time zone")
-                        .HasDefaultValueSql("CURRENT_TIMESTAMP");
-
-                    b.Property<int>("CurrentRevisionNumber")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("DisplayName")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("GoogleDriveFileId")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("GoogleDriveLink")
-                        .HasMaxLength(2048)
-                        .HasColumnType("character varying(2048)");
-
-                    b.Property<string>("PreviewUrl")
-                        .HasMaxLength(2048)
-                        .HasColumnType("character varying(2048)");
-
-                    b.Property<string>("SourceType")
-                        .IsRequired()
-                        .HasMaxLength(64)
-                        .HasColumnType("character varying(64)");
-
-                    b.Property<Guid>("WorkspaceId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ContentItemId");
-
-                    b.HasIndex("WorkspaceId");
-
-                    b.ToTable("Assets", (string)null);
-                });
-
-            modelBuilder.Entity("Socialize.Modules.Assets.Data.AssetRevision", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<Guid>("AssetId")
-                        .HasColumnType("uuid");
-
-                    b.Property<DateTimeOffset>("CreatedAt")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("timestamp with time zone")
-                        .HasDefaultValueSql("CURRENT_TIMESTAMP");
-
-                    b.Property<Guid?>("CreatedByUserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("Notes")
-                        .HasMaxLength(1024)
-                        .HasColumnType("character varying(1024)");
-
-                    b.Property<string>("PreviewUrl")
-                        .HasMaxLength(2048)
-                        .HasColumnType("character varying(2048)");
-
-                    b.Property<int>("RevisionNumber")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("SourceReference")
-                        .IsRequired()
-                        .HasMaxLength(2048)
-                        .HasColumnType("character varying(2048)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("AssetId");
-
-                    b.HasIndex("AssetId", "RevisionNumber")
-                        .IsUnique();
-
-                    b.ToTable("AssetRevisions", (string)null);
-                });
-
-            modelBuilder.Entity("Socialize.Modules.Clients.Data.Client", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<DateTimeOffset>("CreatedAt")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("timestamp with time zone")
-                        .HasDefaultValueSql("CURRENT_TIMESTAMP");
-
-                    b.Property<string>("Name")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("PortraitUrl")
-                        .HasMaxLength(2048)
-                        .HasColumnType("character varying(2048)");
-
-                    b.Property<string>("PrimaryContactEmail")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("PrimaryContactName")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("PrimaryContactPortraitUrl")
-                        .HasMaxLength(2048)
-                        .HasColumnType("character varying(2048)");
-
-                    b.Property<string>("Status")
-                        .IsRequired()
-                        .HasMaxLength(64)
-                        .HasColumnType("character varying(64)");
-
-                    b.Property<Guid>("WorkspaceId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("WorkspaceId");
-
-                    b.HasIndex("WorkspaceId", "Name")
-                        .IsUnique();
-
-                    b.ToTable("Clients", (string)null);
-                });
-
-            modelBuilder.Entity("Socialize.Modules.Comments.Data.Comment", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("AuthorDisplayName")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("AuthorEmail")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<Guid>("AuthorUserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("Body")
-                        .IsRequired()
-                        .HasMaxLength(4000)
-                        .HasColumnType("character varying(4000)");
-
-                    b.Property<Guid>("ContentItemId")
-                        .HasColumnType("uuid");
-
-                    b.Property<DateTimeOffset>("CreatedAt")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("timestamp with time zone")
-                        .HasDefaultValueSql("CURRENT_TIMESTAMP");
-
-                    b.Property<bool>("IsResolved")
-                        .HasColumnType("boolean");
-
-                    b.Property<Guid?>("ParentCommentId")
-                        .HasColumnType("uuid");
-
-                    b.Property<DateTimeOffset?>("ResolvedAt")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<Guid>("WorkspaceId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ContentItemId");
-
-                    b.HasIndex("ParentCommentId");
-
-                    b.HasIndex("WorkspaceId");
-
-                    b.ToTable("Comments", (string)null);
-                });
-
-            modelBuilder.Entity("Socialize.Modules.ContentItems.Data.ContentItem", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<Guid>("ClientId")
-                        .HasColumnType("uuid");
-
-                    b.Property<DateTimeOffset>("CreatedAt")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("timestamp with time zone")
-                        .HasDefaultValueSql("CURRENT_TIMESTAMP");
-
-                    b.Property<string>("CurrentRevisionLabel")
-                        .IsRequired()
-                        .HasMaxLength(32)
-                        .HasColumnType("character varying(32)");
-
-                    b.Property<int>("CurrentRevisionNumber")
-                        .HasColumnType("integer");
-
-                    b.Property<DateTimeOffset?>("DueDate")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Hashtags")
-                        .HasMaxLength(1024)
-                        .HasColumnType("character varying(1024)");
-
-                    b.Property<Guid>("ProjectId")
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("PublicationMessage")
-                        .IsRequired()
-                        .HasMaxLength(4000)
-                        .HasColumnType("character varying(4000)");
-
-                    b.Property<string>("PublicationTargets")
-                        .IsRequired()
-                        .HasMaxLength(512)
-                        .HasColumnType("character varying(512)");
-
-                    b.Property<string>("Status")
-                        .IsRequired()
-                        .HasMaxLength(64)
-                        .HasColumnType("character varying(64)");
-
-                    b.Property<string>("Title")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<Guid>("WorkspaceId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ClientId");
-
-                    b.HasIndex("ProjectId");
-
-                    b.HasIndex("WorkspaceId");
-
-                    b.ToTable("ContentItems", (string)null);
-                });
-
-            modelBuilder.Entity("Socialize.Modules.ContentItems.Data.ContentItemRevision", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("ChangeSummary")
-                        .HasMaxLength(1024)
-                        .HasColumnType("character varying(1024)");
-
-                    b.Property<Guid>("ContentItemId")
-                        .HasColumnType("uuid");
-
-                    b.Property<DateTimeOffset>("CreatedAt")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("timestamp with time zone")
-                        .HasDefaultValueSql("CURRENT_TIMESTAMP");
-
-                    b.Property<Guid?>("CreatedByUserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("Hashtags")
-                        .HasMaxLength(1024)
-                        .HasColumnType("character varying(1024)");
-
-                    b.Property<string>("PublicationMessage")
-                        .IsRequired()
-                        .HasMaxLength(4000)
-                        .HasColumnType("character varying(4000)");
-
-                    b.Property<string>("PublicationTargets")
-                        .IsRequired()
-                        .HasMaxLength(512)
-                        .HasColumnType("character varying(512)");
-
-                    b.Property<string>("RevisionLabel")
-                        .IsRequired()
-                        .HasMaxLength(32)
-                        .HasColumnType("character varying(32)");
-
-                    b.Property<int>("RevisionNumber")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("Title")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ContentItemId");
-
-                    b.HasIndex("ContentItemId", "RevisionNumber")
-                        .IsUnique();
-
-                    b.ToTable("ContentItemRevisions", (string)null);
-                });
-
-            modelBuilder.Entity("Socialize.Modules.Identity.Data.Role", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("ConcurrencyStamp")
-                        .IsConcurrencyToken()
-                        .HasColumnType("text");
-
-                    b.Property<string>("Name")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("NormalizedName")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("NormalizedName")
-                        .IsUnique()
-                        .HasDatabaseName("RoleNameIndex");
-
-                    b.ToTable("AspNetRoles", (string)null);
-                });
-
-            modelBuilder.Entity("Socialize.Modules.Identity.Data.User", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<int>("AccessFailedCount")
-                        .HasColumnType("integer");
-
-                    b.Property<string>("Address")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("Alias")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<DateTime?>("BirthDate")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("ConcurrencyStamp")
-                        .IsConcurrencyToken()
-                        .HasColumnType("text");
-
-                    b.Property<string>("Email")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<bool>("EmailConfirmed")
-                        .HasColumnType("boolean");
-
-                    b.Property<string>("FacebookId")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("Firstname")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("GoogleId")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("Lastname")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<bool>("LockoutEnabled")
-                        .HasColumnType("boolean");
-
-                    b.Property<DateTimeOffset?>("LockoutEnd")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("NormalizedEmail")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("NormalizedUserName")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("PasswordHash")
-                        .HasColumnType("text");
-
-                    b.Property<string>("PhoneNumber")
-                        .HasColumnType("text");
-
-                    b.Property<bool>("PhoneNumberConfirmed")
-                        .HasColumnType("boolean");
-
-                    b.Property<string>("PortraitUrl")
-                        .HasMaxLength(2048)
-                        .HasColumnType("character varying(2048)");
-
-                    b.Property<string>("RefreshToken")
-                        .HasMaxLength(44)
-                        .HasColumnType("character varying(44)");
-
-                    b.Property<DateTime>("RefreshTokenExpiryTime")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("SecurityStamp")
-                        .HasColumnType("text");
-
-                    b.Property<bool>("TwoFactorEnabled")
-                        .HasColumnType("boolean");
-
-                    b.Property<string>("UserName")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("NormalizedEmail")
-                        .HasDatabaseName("EmailIndex");
-
-                    b.HasIndex("NormalizedUserName")
-                        .IsUnique()
-                        .HasDatabaseName("UserNameIndex");
-
-                    b.ToTable("AspNetUsers", (string)null);
-                });
-
-            modelBuilder.Entity("Socialize.Modules.Notifications.Data.NotificationEvent", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<Guid?>("ContentItemId")
-                        .HasColumnType("uuid");
-
-                    b.Property<DateTimeOffset>("CreatedAt")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("timestamp with time zone")
-                        .HasDefaultValueSql("CURRENT_TIMESTAMP");
-
-                    b.Property<Guid>("EntityId")
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("EntityType")
-                        .IsRequired()
-                        .HasMaxLength(128)
-                        .HasColumnType("character varying(128)");
-
-                    b.Property<string>("EventType")
-                        .IsRequired()
-                        .HasMaxLength(128)
-                        .HasColumnType("character varying(128)");
-
-                    b.Property<string>("Message")
-                        .IsRequired()
-                        .HasMaxLength(1024)
-                        .HasColumnType("character varying(1024)");
-
-                    b.Property<string>("MetadataJson")
-                        .HasMaxLength(4000)
-                        .HasColumnType("character varying(4000)");
-
-                    b.Property<DateTimeOffset?>("ReadAt")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("RecipientEmail")
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<Guid?>("RecipientUserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<Guid>("WorkspaceId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ContentItemId");
-
-                    b.HasIndex("CreatedAt");
-
-                    b.HasIndex("RecipientUserId");
-
-                    b.HasIndex("WorkspaceId");
-
-                    b.ToTable("NotificationEvents", (string)null);
-                });
-
-            modelBuilder.Entity("Socialize.Modules.Projects.Data.Project", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<Guid>("ClientId")
-                        .HasColumnType("uuid");
-
-                    b.Property<DateTimeOffset>("CreatedAt")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("timestamp with time zone")
-                        .HasDefaultValueSql("CURRENT_TIMESTAMP");
-
-                    b.Property<string>("Description")
-                        .HasMaxLength(4000)
-                        .HasColumnType("character varying(4000)");
-
-                    b.Property<DateTimeOffset>("EndDate")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Name")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<string>("Notes")
-                        .HasMaxLength(4000)
-                        .HasColumnType("character varying(4000)");
-
-                    b.Property<DateTimeOffset>("StartDate")
-                        .HasColumnType("timestamp with time zone");
-
-                    b.Property<string>("Status")
-                        .IsRequired()
-                        .HasMaxLength(64)
-                        .HasColumnType("character varying(64)");
-
-                    b.Property<Guid>("WorkspaceId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("ClientId");
-
-                    b.HasIndex("WorkspaceId");
-
-                    b.HasIndex("ClientId", "Name")
-                        .IsUnique();
-
-                    b.ToTable("Projects", (string)null);
-                });
-
-            modelBuilder.Entity("Socialize.Modules.Workspaces.Data.Workspace", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<DateTimeOffset>("CreatedAt")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("timestamp with time zone")
-                        .HasDefaultValueSql("CURRENT_TIMESTAMP");
-
-                    b.Property<string>("Name")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<Guid>("OwnerUserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("Slug")
-                        .IsRequired()
-                        .HasMaxLength(128)
-                        .HasColumnType("character varying(128)");
-
-                    b.Property<string>("TimeZone")
-                        .IsRequired()
-                        .HasMaxLength(128)
-                        .HasColumnType("character varying(128)");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("OwnerUserId");
-
-                    b.HasIndex("Slug")
-                        .IsUnique();
-
-                    b.ToTable("Workspaces", (string)null);
-                });
-
-            modelBuilder.Entity("Socialize.Modules.Workspaces.Data.WorkspaceInvite", b =>
-                {
-                    b.Property<Guid>("Id")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("uuid");
-
-                    b.Property<DateTimeOffset>("CreatedAt")
-                        .ValueGeneratedOnAdd()
-                        .HasColumnType("timestamp with time zone")
-                        .HasDefaultValueSql("CURRENT_TIMESTAMP");
-
-                    b.Property<string>("Email")
-                        .IsRequired()
-                        .HasMaxLength(256)
-                        .HasColumnType("character varying(256)");
-
-                    b.Property<Guid>("InvitedByUserId")
-                        .HasColumnType("uuid");
-
-                    b.Property<string>("Role")
-                        .IsRequired()
-                        .HasMaxLength(64)
-                        .HasColumnType("character varying(64)");
-
-                    b.Property<string>("Status")
-                        .IsRequired()
-                        .HasMaxLength(64)
-                        .HasColumnType("character varying(64)");
-
-                    b.Property<Guid>("WorkspaceId")
-                        .HasColumnType("uuid");
-
-                    b.HasKey("Id");
-
-                    b.HasIndex("WorkspaceId");
-
-                    b.HasIndex("WorkspaceId", "Email", "Status");
-
-                    b.ToTable("WorkspaceInvites", (string)null);
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityRoleClaim<System.Guid>", b =>
-                {
-                    b.HasOne("Socialize.Modules.Identity.Data.Role", null)
-                        .WithMany()
-                        .HasForeignKey("RoleId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserClaim<System.Guid>", b =>
-                {
-                    b.HasOne("Socialize.Modules.Identity.Data.User", null)
-                        .WithMany()
-                        .HasForeignKey("UserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserLogin<System.Guid>", b =>
-                {
-                    b.HasOne("Socialize.Modules.Identity.Data.User", null)
-                        .WithMany()
-                        .HasForeignKey("UserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserRole<System.Guid>", b =>
-                {
-                    b.HasOne("Socialize.Modules.Identity.Data.Role", null)
-                        .WithMany()
-                        .HasForeignKey("RoleId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-
-                    b.HasOne("Socialize.Modules.Identity.Data.User", null)
-                        .WithMany()
-                        .HasForeignKey("UserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-                });
-
-            modelBuilder.Entity("Microsoft.AspNetCore.Identity.IdentityUserToken<System.Guid>", b =>
-                {
-                    b.HasOne("Socialize.Modules.Identity.Data.User", null)
-                        .WithMany()
-                        .HasForeignKey("UserId")
-                        .OnDelete(DeleteBehavior.Cascade)
-                        .IsRequired();
-                });
-#pragma warning restore 612, 618
-        }
-    }
-}

backend/src/Socialize.Api/Migrations/20260423061407_Initial.cs

@@ -1,657 +0,0 @@
-using System;
-using Microsoft.EntityFrameworkCore.Migrations;
-using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
-
-#nullable disable
-
-namespace Socialize.Api.Migrations
-{
-    /// <inheritdoc />
-    public partial class Initial : Migration
-    {
-        /// <inheritdoc />
-        protected override void Up(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.CreateTable(
-                name: "ApprovalDecisions",
-                columns: table => new
-                {
-                    Id = table.Column<Guid>(type: "uuid", nullable: false),
-                    ApprovalRequestId = table.Column<Guid>(type: "uuid", nullable: false),
-                    Decision = table.Column<string>(type: "character varying(64)", maxLength: 64, nullable: false),
-                    Comment = table.Column<string>(type: "character varying(2048)", maxLength: 2048, nullable: true),
-                    DecidedByUserId = table.Column<Guid>(type: "uuid", nullable: true),
-                    DecidedByName = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
-                    DecidedByEmail = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
-                    CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false, defaultValueSql: "CURRENT_TIMESTAMP")
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_ApprovalDecisions", x => x.Id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "ApprovalRequests",
-                columns: table => new
-                {
-                    Id = table.Column<Guid>(type: "uuid", nullable: false),
-                    WorkspaceId = table.Column<Guid>(type: "uuid", nullable: false),
-                    ContentItemId = table.Column<Guid>(type: "uuid", nullable: false),
-                    Stage = table.Column<string>(type: "character varying(64)", maxLength: 64, nullable: false),
-                    ReviewerName = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
-                    ReviewerEmail = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
-                    RequestedByUserId = table.Column<Guid>(type: "uuid", nullable: false),
-                    DueAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: true),
-                    State = table.Column<string>(type: "character varying(64)", maxLength: 64, nullable: false),
-                    AccessToken = table.Column<string>(type: "character varying(64)", maxLength: 64, nullable: false),
-                    SentAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false, defaultValueSql: "CURRENT_TIMESTAMP"),
-                    CompletedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_ApprovalRequests", x => x.Id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "AspNetRoles",
-                columns: table => new
-                {
-                    Id = table.Column<Guid>(type: "uuid", nullable: false),
-                    Name = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    NormalizedName = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    ConcurrencyStamp = table.Column<string>(type: "text", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_AspNetRoles", x => x.Id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "AspNetUsers",
-                columns: table => new
-                {
-                    Id = table.Column<Guid>(type: "uuid", nullable: false),
-                    Alias = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    Firstname = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    Lastname = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    BirthDate = table.Column<DateTime>(type: "timestamp with time zone", nullable: true),
-                    Address = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    PortraitUrl = table.Column<string>(type: "character varying(2048)", maxLength: 2048, nullable: true),
-                    GoogleId = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    FacebookId = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    RefreshToken = table.Column<string>(type: "character varying(44)", maxLength: 44, nullable: true),
-                    RefreshTokenExpiryTime = table.Column<DateTime>(type: "timestamp with time zone", nullable: false),
-                    UserName = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    NormalizedUserName = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    Email = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    NormalizedEmail = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    EmailConfirmed = table.Column<bool>(type: "boolean", nullable: false),
-                    PasswordHash = table.Column<string>(type: "text", nullable: true),
-                    SecurityStamp = table.Column<string>(type: "text", nullable: true),
-                    ConcurrencyStamp = table.Column<string>(type: "text", nullable: true),
-                    PhoneNumber = table.Column<string>(type: "text", nullable: true),
-                    PhoneNumberConfirmed = table.Column<bool>(type: "boolean", nullable: false),
-                    TwoFactorEnabled = table.Column<bool>(type: "boolean", nullable: false),
-                    LockoutEnd = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: true),
-                    LockoutEnabled = table.Column<bool>(type: "boolean", nullable: false),
-                    AccessFailedCount = table.Column<int>(type: "integer", nullable: false)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_AspNetUsers", x => x.Id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "AssetRevisions",
-                columns: table => new
-                {
-                    Id = table.Column<Guid>(type: "uuid", nullable: false),
-                    AssetId = table.Column<Guid>(type: "uuid", nullable: false),
-                    RevisionNumber = table.Column<int>(type: "integer", nullable: false),
-                    SourceReference = table.Column<string>(type: "character varying(2048)", maxLength: 2048, nullable: false),
-                    PreviewUrl = table.Column<string>(type: "character varying(2048)", maxLength: 2048, nullable: true),
-                    Notes = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: true),
-                    CreatedByUserId = table.Column<Guid>(type: "uuid", nullable: true),
-                    CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false, defaultValueSql: "CURRENT_TIMESTAMP")
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_AssetRevisions", x => x.Id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "Assets",
-                columns: table => new
-                {
-                    Id = table.Column<Guid>(type: "uuid", nullable: false),
-                    WorkspaceId = table.Column<Guid>(type: "uuid", nullable: false),
-                    ContentItemId = table.Column<Guid>(type: "uuid", nullable: false),
-                    AssetType = table.Column<string>(type: "character varying(64)", maxLength: 64, nullable: false),
-                    SourceType = table.Column<string>(type: "character varying(64)", maxLength: 64, nullable: false),
-                    DisplayName = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
-                    GoogleDriveFileId = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    GoogleDriveLink = table.Column<string>(type: "character varying(2048)", maxLength: 2048, nullable: true),
-                    PreviewUrl = table.Column<string>(type: "character varying(2048)", maxLength: 2048, nullable: true),
-                    CurrentRevisionNumber = table.Column<int>(type: "integer", nullable: false),
-                    CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false, defaultValueSql: "CURRENT_TIMESTAMP")
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_Assets", x => x.Id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "Clients",
-                columns: table => new
-                {
-                    Id = table.Column<Guid>(type: "uuid", nullable: false),
-                    WorkspaceId = table.Column<Guid>(type: "uuid", nullable: false),
-                    Name = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
-                    Status = table.Column<string>(type: "character varying(64)", maxLength: 64, nullable: false),
-                    PortraitUrl = table.Column<string>(type: "character varying(2048)", maxLength: 2048, nullable: true),
-                    PrimaryContactName = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    PrimaryContactEmail = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    PrimaryContactPortraitUrl = table.Column<string>(type: "character varying(2048)", maxLength: 2048, nullable: true),
-                    CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false, defaultValueSql: "CURRENT_TIMESTAMP")
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_Clients", x => x.Id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "Comments",
-                columns: table => new
-                {
-                    Id = table.Column<Guid>(type: "uuid", nullable: false),
-                    WorkspaceId = table.Column<Guid>(type: "uuid", nullable: false),
-                    ContentItemId = table.Column<Guid>(type: "uuid", nullable: false),
-                    ParentCommentId = table.Column<Guid>(type: "uuid", nullable: true),
-                    AuthorUserId = table.Column<Guid>(type: "uuid", nullable: false),
-                    AuthorDisplayName = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
-                    AuthorEmail = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
-                    Body = table.Column<string>(type: "character varying(4000)", maxLength: 4000, nullable: false),
-                    IsResolved = table.Column<bool>(type: "boolean", nullable: false),
-                    CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false, defaultValueSql: "CURRENT_TIMESTAMP"),
-                    ResolvedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_Comments", x => x.Id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "ContentItemRevisions",
-                columns: table => new
-                {
-                    Id = table.Column<Guid>(type: "uuid", nullable: false),
-                    ContentItemId = table.Column<Guid>(type: "uuid", nullable: false),
-                    RevisionNumber = table.Column<int>(type: "integer", nullable: false),
-                    RevisionLabel = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: false),
-                    Title = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
-                    PublicationMessage = table.Column<string>(type: "character varying(4000)", maxLength: 4000, nullable: false),
-                    PublicationTargets = table.Column<string>(type: "character varying(512)", maxLength: 512, nullable: false),
-                    Hashtags = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: true),
-                    ChangeSummary = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: true),
-                    CreatedByUserId = table.Column<Guid>(type: "uuid", nullable: true),
-                    CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false, defaultValueSql: "CURRENT_TIMESTAMP")
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_ContentItemRevisions", x => x.Id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "ContentItems",
-                columns: table => new
-                {
-                    Id = table.Column<Guid>(type: "uuid", nullable: false),
-                    WorkspaceId = table.Column<Guid>(type: "uuid", nullable: false),
-                    ClientId = table.Column<Guid>(type: "uuid", nullable: false),
-                    ProjectId = table.Column<Guid>(type: "uuid", nullable: false),
-                    Title = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
-                    PublicationMessage = table.Column<string>(type: "character varying(4000)", maxLength: 4000, nullable: false),
-                    PublicationTargets = table.Column<string>(type: "character varying(512)", maxLength: 512, nullable: false),
-                    Hashtags = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: true),
-                    Status = table.Column<string>(type: "character varying(64)", maxLength: 64, nullable: false),
-                    DueDate = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: true),
-                    CurrentRevisionLabel = table.Column<string>(type: "character varying(32)", maxLength: 32, nullable: false),
-                    CurrentRevisionNumber = table.Column<int>(type: "integer", nullable: false),
-                    CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false, defaultValueSql: "CURRENT_TIMESTAMP")
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_ContentItems", x => x.Id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "NotificationEvents",
-                columns: table => new
-                {
-                    Id = table.Column<Guid>(type: "uuid", nullable: false),
-                    WorkspaceId = table.Column<Guid>(type: "uuid", nullable: false),
-                    ContentItemId = table.Column<Guid>(type: "uuid", nullable: true),
-                    EventType = table.Column<string>(type: "character varying(128)", maxLength: 128, nullable: false),
-                    EntityType = table.Column<string>(type: "character varying(128)", maxLength: 128, nullable: false),
-                    EntityId = table.Column<Guid>(type: "uuid", nullable: false),
-                    Message = table.Column<string>(type: "character varying(1024)", maxLength: 1024, nullable: false),
-                    RecipientUserId = table.Column<Guid>(type: "uuid", nullable: true),
-                    RecipientEmail = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: true),
-                    MetadataJson = table.Column<string>(type: "character varying(4000)", maxLength: 4000, nullable: true),
-                    CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false, defaultValueSql: "CURRENT_TIMESTAMP"),
-                    ReadAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_NotificationEvents", x => x.Id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "Projects",
-                columns: table => new
-                {
-                    Id = table.Column<Guid>(type: "uuid", nullable: false),
-                    WorkspaceId = table.Column<Guid>(type: "uuid", nullable: false),
-                    ClientId = table.Column<Guid>(type: "uuid", nullable: false),
-                    Name = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
-                    Description = table.Column<string>(type: "character varying(4000)", maxLength: 4000, nullable: true),
-                    Notes = table.Column<string>(type: "character varying(4000)", maxLength: 4000, nullable: true),
-                    Status = table.Column<string>(type: "character varying(64)", maxLength: 64, nullable: false),
-                    StartDate = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false),
-                    EndDate = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false),
-                    CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false, defaultValueSql: "CURRENT_TIMESTAMP")
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_Projects", x => x.Id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "WorkspaceInvites",
-                columns: table => new
-                {
-                    Id = table.Column<Guid>(type: "uuid", nullable: false),
-                    WorkspaceId = table.Column<Guid>(type: "uuid", nullable: false),
-                    Email = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
-                    Role = table.Column<string>(type: "character varying(64)", maxLength: 64, nullable: false),
-                    Status = table.Column<string>(type: "character varying(64)", maxLength: 64, nullable: false),
-                    InvitedByUserId = table.Column<Guid>(type: "uuid", nullable: false),
-                    CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false, defaultValueSql: "CURRENT_TIMESTAMP")
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_WorkspaceInvites", x => x.Id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "Workspaces",
-                columns: table => new
-                {
-                    Id = table.Column<Guid>(type: "uuid", nullable: false),
-                    Name = table.Column<string>(type: "character varying(256)", maxLength: 256, nullable: false),
-                    Slug = table.Column<string>(type: "character varying(128)", maxLength: 128, nullable: false),
-                    OwnerUserId = table.Column<Guid>(type: "uuid", nullable: false),
-                    TimeZone = table.Column<string>(type: "character varying(128)", maxLength: 128, nullable: false),
-                    CreatedAt = table.Column<DateTimeOffset>(type: "timestamp with time zone", nullable: false, defaultValueSql: "CURRENT_TIMESTAMP")
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_Workspaces", x => x.Id);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "AspNetRoleClaims",
-                columns: table => new
-                {
-                    Id = table.Column<int>(type: "integer", nullable: false)
-                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
-                    RoleId = table.Column<Guid>(type: "uuid", nullable: false),
-                    ClaimType = table.Column<string>(type: "text", nullable: true),
-                    ClaimValue = table.Column<string>(type: "text", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_AspNetRoleClaims", x => x.Id);
-                    table.ForeignKey(
-                        name: "FK_AspNetRoleClaims_AspNetRoles_RoleId",
-                        column: x => x.RoleId,
-                        principalTable: "AspNetRoles",
-                        principalColumn: "Id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "AspNetUserClaims",
-                columns: table => new
-                {
-                    Id = table.Column<int>(type: "integer", nullable: false)
-                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
-                    UserId = table.Column<Guid>(type: "uuid", nullable: false),
-                    ClaimType = table.Column<string>(type: "text", nullable: true),
-                    ClaimValue = table.Column<string>(type: "text", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_AspNetUserClaims", x => x.Id);
-                    table.ForeignKey(
-                        name: "FK_AspNetUserClaims_AspNetUsers_UserId",
-                        column: x => x.UserId,
-                        principalTable: "AspNetUsers",
-                        principalColumn: "Id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "AspNetUserLogins",
-                columns: table => new
-                {
-                    LoginProvider = table.Column<string>(type: "text", nullable: false),
-                    ProviderKey = table.Column<string>(type: "text", nullable: false),
-                    ProviderDisplayName = table.Column<string>(type: "text", nullable: true),
-                    UserId = table.Column<Guid>(type: "uuid", nullable: false)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_AspNetUserLogins", x => new { x.LoginProvider, x.ProviderKey });
-                    table.ForeignKey(
-                        name: "FK_AspNetUserLogins_AspNetUsers_UserId",
-                        column: x => x.UserId,
-                        principalTable: "AspNetUsers",
-                        principalColumn: "Id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "AspNetUserRoles",
-                columns: table => new
-                {
-                    UserId = table.Column<Guid>(type: "uuid", nullable: false),
-                    RoleId = table.Column<Guid>(type: "uuid", nullable: false)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_AspNetUserRoles", x => new { x.UserId, x.RoleId });
-                    table.ForeignKey(
-                        name: "FK_AspNetUserRoles_AspNetRoles_RoleId",
-                        column: x => x.RoleId,
-                        principalTable: "AspNetRoles",
-                        principalColumn: "Id",
-                        onDelete: ReferentialAction.Cascade);
-                    table.ForeignKey(
-                        name: "FK_AspNetUserRoles_AspNetUsers_UserId",
-                        column: x => x.UserId,
-                        principalTable: "AspNetUsers",
-                        principalColumn: "Id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateTable(
-                name: "AspNetUserTokens",
-                columns: table => new
-                {
-                    UserId = table.Column<Guid>(type: "uuid", nullable: false),
-                    LoginProvider = table.Column<string>(type: "text", nullable: false),
-                    Name = table.Column<string>(type: "text", nullable: false),
-                    Value = table.Column<string>(type: "text", nullable: true)
-                },
-                constraints: table =>
-                {
-                    table.PrimaryKey("PK_AspNetUserTokens", x => new { x.UserId, x.LoginProvider, x.Name });
-                    table.ForeignKey(
-                        name: "FK_AspNetUserTokens_AspNetUsers_UserId",
-                        column: x => x.UserId,
-                        principalTable: "AspNetUsers",
-                        principalColumn: "Id",
-                        onDelete: ReferentialAction.Cascade);
-                });
-
-            migrationBuilder.CreateIndex(
-                name: "IX_ApprovalDecisions_ApprovalRequestId",
-                table: "ApprovalDecisions",
-                column: "ApprovalRequestId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_ApprovalRequests_ContentItemId",
-                table: "ApprovalRequests",
-                column: "ContentItemId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_ApprovalRequests_ReviewerEmail",
-                table: "ApprovalRequests",
-                column: "ReviewerEmail");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_ApprovalRequests_WorkspaceId",
-                table: "ApprovalRequests",
-                column: "WorkspaceId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_AspNetRoleClaims_RoleId",
-                table: "AspNetRoleClaims",
-                column: "RoleId");
-
-            migrationBuilder.CreateIndex(
-                name: "RoleNameIndex",
-                table: "AspNetRoles",
-                column: "NormalizedName",
-                unique: true);
-
-            migrationBuilder.CreateIndex(
-                name: "IX_AspNetUserClaims_UserId",
-                table: "AspNetUserClaims",
-                column: "UserId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_AspNetUserLogins_UserId",
-                table: "AspNetUserLogins",
-                column: "UserId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_AspNetUserRoles_RoleId",
-                table: "AspNetUserRoles",
-                column: "RoleId");
-
-            migrationBuilder.CreateIndex(
-                name: "EmailIndex",
-                table: "AspNetUsers",
-                column: "NormalizedEmail");
-
-            migrationBuilder.CreateIndex(
-                name: "UserNameIndex",
-                table: "AspNetUsers",
-                column: "NormalizedUserName",
-                unique: true);
-
-            migrationBuilder.CreateIndex(
-                name: "IX_AssetRevisions_AssetId",
-                table: "AssetRevisions",
-                column: "AssetId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_AssetRevisions_AssetId_RevisionNumber",
-                table: "AssetRevisions",
-                columns: new[] { "AssetId", "RevisionNumber" },
-                unique: true);
-
-            migrationBuilder.CreateIndex(
-                name: "IX_Assets_ContentItemId",
-                table: "Assets",
-                column: "ContentItemId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_Assets_WorkspaceId",
-                table: "Assets",
-                column: "WorkspaceId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_Clients_WorkspaceId",
-                table: "Clients",
-                column: "WorkspaceId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_Clients_WorkspaceId_Name",
-                table: "Clients",
-                columns: new[] { "WorkspaceId", "Name" },
-                unique: true);
-
-            migrationBuilder.CreateIndex(
-                name: "IX_Comments_ContentItemId",
-                table: "Comments",
-                column: "ContentItemId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_Comments_ParentCommentId",
-                table: "Comments",
-                column: "ParentCommentId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_Comments_WorkspaceId",
-                table: "Comments",
-                column: "WorkspaceId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_ContentItemRevisions_ContentItemId",
-                table: "ContentItemRevisions",
-                column: "ContentItemId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_ContentItemRevisions_ContentItemId_RevisionNumber",
-                table: "ContentItemRevisions",
-                columns: new[] { "ContentItemId", "RevisionNumber" },
-                unique: true);
-
-            migrationBuilder.CreateIndex(
-                name: "IX_ContentItems_ClientId",
-                table: "ContentItems",
-                column: "ClientId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_ContentItems_ProjectId",
-                table: "ContentItems",
-                column: "ProjectId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_ContentItems_WorkspaceId",
-                table: "ContentItems",
-                column: "WorkspaceId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_NotificationEvents_ContentItemId",
-                table: "NotificationEvents",
-                column: "ContentItemId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_NotificationEvents_CreatedAt",
-                table: "NotificationEvents",
-                column: "CreatedAt");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_NotificationEvents_RecipientUserId",
-                table: "NotificationEvents",
-                column: "RecipientUserId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_NotificationEvents_WorkspaceId",
-                table: "NotificationEvents",
-                column: "WorkspaceId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_Projects_ClientId",
-                table: "Projects",
-                column: "ClientId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_Projects_ClientId_Name",
-                table: "Projects",
-                columns: new[] { "ClientId", "Name" },
-                unique: true);
-
-            migrationBuilder.CreateIndex(
-                name: "IX_Projects_WorkspaceId",
-                table: "Projects",
-                column: "WorkspaceId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_WorkspaceInvites_WorkspaceId",
-                table: "WorkspaceInvites",
-                column: "WorkspaceId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_WorkspaceInvites_WorkspaceId_Email_Status",
-                table: "WorkspaceInvites",
-                columns: new[] { "WorkspaceId", "Email", "Status" });
-
-            migrationBuilder.CreateIndex(
-                name: "IX_Workspaces_OwnerUserId",
-                table: "Workspaces",
-                column: "OwnerUserId");
-
-            migrationBuilder.CreateIndex(
-                name: "IX_Workspaces_Slug",
-                table: "Workspaces",
-                column: "Slug",
-                unique: true);
-        }
-
-        /// <inheritdoc />
-        protected override void Down(MigrationBuilder migrationBuilder)
-        {
-            migrationBuilder.DropTable(
-                name: "ApprovalDecisions");
-
-            migrationBuilder.DropTable(
-                name: "ApprovalRequests");
-
-            migrationBuilder.DropTable(
-                name: "AspNetRoleClaims");
-
-            migrationBuilder.DropTable(
-                name: "AspNetUserClaims");
-
-            migrationBuilder.DropTable(
-                name: "AspNetUserLogins");
-
-            migrationBuilder.DropTable(
-                name: "AspNetUserRoles");
-
-            migrationBuilder.DropTable(
-                name: "AspNetUserTokens");
-
-            migrationBuilder.DropTable(
-                name: "AssetRevisions");
-
-            migrationBuilder.DropTable(
-                name: "Assets");
-
-            migrationBuilder.DropTable(
-                name: "Clients");
-
-            migrationBuilder.DropTable(
-                name: "Comments");
-
-            migrationBuilder.DropTable(
-                name: "ContentItemRevisions");
-
-            migrationBuilder.DropTable(
-                name: "ContentItems");
-
-            migrationBuilder.DropTable(
-                name: "NotificationEvents");
-
-            migrationBuilder.DropTable(
-                name: "Projects");
-
-            migrationBuilder.DropTable(
-                name: "WorkspaceInvites");
-
-            migrationBuilder.DropTable(
-                name: "Workspaces");
-
-            migrationBuilder.DropTable(
-                name: "AspNetRoles");
-
-            migrationBuilder.DropTable(
-                name: "AspNetUsers");
-        }
-    }
-}

backend/src/Socialize.Api/Modules/Approvals/Data/ApprovalDecision.cs

@@ -1,4 +1,4 @@
-namespace Socialize.Modules.Approvals.Data;
+namespace Socialize.Api.Modules.Approvals.Data;
 
 public class ApprovalDecision
 {

backend/src/Socialize.Api/Modules/Approvals/Data/ApprovalModelConfiguration.cs

@@ -1,13 +1,33 @@
-namespace Socialize.Modules.Approvals.Data;
+using Microsoft.EntityFrameworkCore;
+
+namespace Socialize.Api.Modules.Approvals.Data;
 
 public static class ApprovalModelConfiguration
 {
     public static ModelBuilder ConfigureApprovalsModule(this ModelBuilder modelBuilder)
     {
+        modelBuilder.Entity<ApprovalWorkflowInstance>(workflowInstance =>
+        {
+            workflowInstance.ToTable("ApprovalWorkflowInstances");
+            workflowInstance.HasKey(x => x.Id);
+            workflowInstance.Property(x => x.State).HasMaxLength(64).IsRequired();
+            workflowInstance.Property(x => x.ApprovalMode).HasMaxLength(64).IsRequired();
+            workflowInstance.Property(x => x.StartedAt)
+                .ValueGeneratedOnAdd()
+                .HasDefaultValueSql("CURRENT_TIMESTAMP");
+            workflowInstance.HasIndex(x => x.WorkspaceId);
+            workflowInstance.HasIndex(x => x.ContentItemId);
+            workflowInstance.HasIndex(x => new { x.ContentItemId, x.State })
+                .IsUnique()
+                .HasFilter("\"State\" = 'Pending'");
+        });
+
         modelBuilder.Entity<ApprovalRequest>(approvalRequest =>
         {
             approvalRequest.ToTable("ApprovalRequests");
             approvalRequest.HasKey(x => x.Id);
+            approvalRequest.Property(x => x.WorkflowStepTargetType).HasMaxLength(32);
+            approvalRequest.Property(x => x.WorkflowStepTargetValue).HasMaxLength(128);
             approvalRequest.Property(x => x.Stage).HasMaxLength(64).IsRequired();
             approvalRequest.Property(x => x.ReviewerName).HasMaxLength(256).IsRequired();
             approvalRequest.Property(x => x.ReviewerEmail).HasMaxLength(256).IsRequired();
@@ -18,6 +38,7 @@ public static class ApprovalModelConfiguration
                 .HasDefaultValueSql("CURRENT_TIMESTAMP");
             approvalRequest.HasIndex(x => x.WorkspaceId);
             approvalRequest.HasIndex(x => x.ContentItemId);
+            approvalRequest.HasIndex(x => x.WorkflowInstanceId);
             approvalRequest.HasIndex(x => x.ReviewerEmail);
         });
 
@@ -35,6 +56,21 @@ public static class ApprovalModelConfiguration
             approvalDecision.HasIndex(x => x.ApprovalRequestId);
         });
 
+        modelBuilder.Entity<WorkspaceApprovalStepConfiguration>(approvalStep =>
+        {
+            approvalStep.ToTable("WorkspaceApprovalStepConfigurations");
+            approvalStep.HasKey(x => x.Id);
+            approvalStep.Property(x => x.Name).HasMaxLength(128).IsRequired();
+            approvalStep.Property(x => x.TargetType).HasMaxLength(32).IsRequired();
+            approvalStep.Property(x => x.TargetValue).HasMaxLength(128).IsRequired();
+            approvalStep.Property(x => x.RequiredApproverCount).HasDefaultValue(1);
+            approvalStep.Property(x => x.CreatedAt)
+                .ValueGeneratedOnAdd()
+                .HasDefaultValueSql("CURRENT_TIMESTAMP");
+            approvalStep.HasIndex(x => x.WorkspaceId);
+            approvalStep.HasIndex(x => new { x.WorkspaceId, x.SortOrder }).IsUnique();
+        });
+
         return modelBuilder;
     }
 }

backend/src/Socialize.Api/Modules/Approvals/Data/ApprovalRequest.cs

@@ -1,10 +1,15 @@
-namespace Socialize.Modules.Approvals.Data;
+namespace Socialize.Api.Modules.Approvals.Data;
 
 public class ApprovalRequest
 {
     public Guid Id { get; init; }
     public Guid WorkspaceId { get; set; }
     public Guid ContentItemId { get; set; }
+    public Guid? WorkflowInstanceId { get; set; }
+    public int? WorkflowStepSortOrder { get; set; }
+    public string? WorkflowStepTargetType { get; set; }
+    public string? WorkflowStepTargetValue { get; set; }
+    public int? WorkflowStepRequiredApproverCount { get; set; }
     public required string Stage { get; set; }
     public required string ReviewerName { get; set; }
     public required string ReviewerEmail { get; set; }

backend/src/Socialize.Api/Modules/Approvals/Data/ApprovalWorkflowInstance.cs

@@ -0,0 +1,12 @@
+namespace Socialize.Api.Modules.Approvals.Data;
+
+public class ApprovalWorkflowInstance
+{
+    public Guid Id { get; init; }
+    public Guid WorkspaceId { get; set; }
+    public Guid ContentItemId { get; set; }
+    public required string State { get; set; }
+    public required string ApprovalMode { get; set; }
+    public DateTimeOffset StartedAt { get; init; }
+    public DateTimeOffset? CompletedAt { get; set; }
+}

backend/src/Socialize.Api/Modules/Approvals/Data/WorkspaceApprovalStepConfiguration.cs

@@ -0,0 +1,13 @@
+namespace Socialize.Api.Modules.Approvals.Data;
+
+public class WorkspaceApprovalStepConfiguration
+{
+    public Guid Id { get; init; }
+    public Guid WorkspaceId { get; set; }
+    public required string Name { get; set; }
+    public int SortOrder { get; set; }
+    public required string TargetType { get; set; }
+    public required string TargetValue { get; set; }
+    public int RequiredApproverCount { get; set; } = 1;
+    public DateTimeOffset CreatedAt { get; init; }
+}

backend/src/Socialize.Api/Modules/Approvals/DependencyInjection.cs

@@ -1,12 +1,14 @@
-using Socialize.Modules.Approvals.Data;
+using Socialize.Api.Modules.Approvals.Services;
 
-namespace Socialize.Modules.Approvals;
+namespace Socialize.Api.Modules.Approvals;
 
 public static class DependencyInjection
 {
     public static WebApplicationBuilder AddApprovalsModule(
         this WebApplicationBuilder builder)
     {
+        builder.Services.AddScoped<ApprovalWorkflowRuntimeService>();
+
         return builder;
     }
 }

backend/src/Socialize.Api/Modules/Approvals/Handlers/CreateApprovalRequest.cs

@@ -1,118 +0,0 @@
-using System.Security.Cryptography;
-using Socialize.Infrastructure.Security;
-using Socialize.Modules.Notifications.Contracts;
-
-namespace Socialize.Modules.Approvals.Handlers;
-
-public record CreateApprovalRequestRequest(
-    Guid WorkspaceId,
-    Guid ContentItemId,
-    string Stage,
-    string ReviewerName,
-    string ReviewerEmail,
-    DateTimeOffset? DueAt);
-
-public class CreateApprovalRequestRequestValidator
-    : Validator<CreateApprovalRequestRequest>
-{
-    public CreateApprovalRequestRequestValidator()
-    {
-        RuleFor(x => x.WorkspaceId).NotEmpty();
-        RuleFor(x => x.ContentItemId).NotEmpty();
-        RuleFor(x => x.Stage).NotEmpty().MaximumLength(64);
-        RuleFor(x => x.ReviewerName).NotEmpty().MaximumLength(256);
-        RuleFor(x => x.ReviewerEmail).NotEmpty().MaximumLength(256).EmailAddress();
-    }
-}
-
-public class CreateApprovalRequestHandler(
-    AppDbContext dbContext,
-    AccessScopeService accessScopeService,
-    INotificationEventWriter notificationEventWriter)
-    : Endpoint<CreateApprovalRequestRequest, ApprovalRequestDto>
-{
-    public override void Configure()
-    {
-        Post("/api/approvals");
-        Options(o => o.WithTags("Approvals"));
-    }
-
-    public override async Task HandleAsync(CreateApprovalRequestRequest request, CancellationToken ct)
-    {
-        ContentItem? contentItem = await dbContext.ContentItems
-            .SingleOrDefaultAsync(
-                candidate => candidate.Id == request.ContentItemId && candidate.WorkspaceId == request.WorkspaceId,
-                ct);
-
-        if (contentItem is null)
-        {
-            AddError(request => request.ContentItemId, "The selected content item does not exist in the active workspace.");
-            await SendErrorsAsync(StatusCodes.Status400BadRequest, ct);
-            return;
-        }
-
-        if (!accessScopeService.CanManageWorkspace(User, contentItem.WorkspaceId))
-        {
-            await SendForbiddenAsync(ct);
-            return;
-        }
-
-        ApprovalRequest approval = new()
-        {
-            Id = Guid.NewGuid(),
-            WorkspaceId = request.WorkspaceId,
-            ContentItemId = request.ContentItemId,
-            Stage = request.Stage.Trim(),
-            ReviewerName = request.ReviewerName.Trim(),
-            ReviewerEmail = request.ReviewerEmail.Trim(),
-            RequestedByUserId = User.GetUserId(),
-            DueAt = request.DueAt,
-            State = "Pending",
-            AccessToken = Convert.ToHexString(RandomNumberGenerator.GetBytes(16)).ToLowerInvariant(),
-            SentAt = DateTimeOffset.UtcNow,
-        };
-
-        dbContext.ApprovalRequests.Add(approval);
-
-        if (approval.Stage == "Internal")
-        {
-            contentItem.Status = "In internal review";
-        }
-        else if (approval.Stage == "Client")
-        {
-            contentItem.Status = "In client review";
-        }
-
-        await dbContext.SaveChangesAsync(ct);
-
-        await notificationEventWriter.WriteAsync(
-            new NotificationEventWriteModel(
-                approval.WorkspaceId,
-                approval.ContentItemId,
-                "approval.requested",
-                "ApprovalRequest",
-                approval.Id,
-                $"Approval requested from {approval.ReviewerName} for {contentItem.Title}.",
-                null,
-                approval.ReviewerEmail,
-                $$"""{"stage":"{{approval.Stage}}","accessToken":"{{approval.AccessToken}}"}"""),
-            ct);
-
-        ApprovalRequestDto dto = new(
-            approval.Id,
-            approval.WorkspaceId,
-            approval.ContentItemId,
-            approval.Stage,
-            approval.ReviewerName,
-            approval.ReviewerEmail,
-            approval.RequestedByUserId,
-            approval.DueAt,
-            approval.State,
-            approval.AccessToken,
-            approval.SentAt,
-            approval.CompletedAt,
-            []);
-
-        await SendAsync(dto, StatusCodes.Status201Created, ct);
-    }
-}

backend/src/Socialize.Api/Modules/Approvals/Handlers/GetApprovals.cs

@@ -1,6 +1,11 @@
-using Socialize.Infrastructure.Security;
+using FastEndpoints;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Modules.Approvals.Data;
+using Socialize.Api.Modules.ContentItems.Data;
+using Socialize.Api.Infrastructure.Security;
 
-namespace Socialize.Modules.Approvals.Handlers;
+namespace Socialize.Api.Modules.Approvals.Handlers;
 
 public record GetApprovalsRequest(Guid ContentItemId);
 
@@ -19,6 +24,11 @@ public record ApprovalRequestDto(
     Guid Id,
     Guid WorkspaceId,
     Guid ContentItemId,
+    Guid? WorkflowInstanceId,
+    int? WorkflowStepSortOrder,
+    string? WorkflowStepTargetType,
+    string? WorkflowStepTargetValue,
+    int? WorkflowStepRequiredApproverCount,
     string Stage,
     string ReviewerName,
     string ReviewerEmail,
@@ -51,7 +61,7 @@ public class GetApprovalsHandler(
             return;
         }
 
-        if (!accessScopeService.CanReviewContent(User, item.WorkspaceId, item.ClientId, item.ProjectId))
+        if (!await accessScopeService.CanReviewContentAsync(User, item.WorkspaceId, item.ClientId, item.CampaignId, ct))
         {
             await SendForbiddenAsync(ct);
             return;
@@ -60,6 +70,7 @@ public class GetApprovalsHandler(
         List<ApprovalRequest> approvals = await dbContext.ApprovalRequests
             .Where(approval => approval.ContentItemId == request.ContentItemId)
             .OrderByDescending(approval => approval.SentAt)
+            .ThenBy(approval => approval.WorkflowStepSortOrder)
             .ToListAsync(ct);
 
         List<Guid> approvalIds = approvals
@@ -86,6 +97,11 @@ public class GetApprovalsHandler(
                 approval.Id,
                 approval.WorkspaceId,
                 approval.ContentItemId,
+                approval.WorkflowInstanceId,
+                approval.WorkflowStepSortOrder,
+                approval.WorkflowStepTargetType,
+                approval.WorkflowStepTargetValue,
+                approval.WorkflowStepRequiredApproverCount,
                 approval.Stage,
                 approval.ReviewerName,
                 approval.ReviewerEmail,

backend/src/Socialize.Api/Modules/Approvals/Handlers/SubmitApprovalDecision.cs

@@ -1,11 +1,19 @@
-using Socialize.Infrastructure.Security;
+using FastEndpoints;
-using Socialize.Modules.Notifications.Contracts;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.ContentItems.Data;
+using Socialize.Api.Modules.ContentItems.Contracts;
+using Socialize.Api.Modules.Approvals.Data;
+using Socialize.Api.Modules.Approvals.Services;
+using Socialize.Api.Modules.Notifications.Contracts;
+using Socialize.Api.Modules.Workspaces.Data;
+using System.Text.Json;
 
-namespace Socialize.Modules.Approvals.Handlers;
+namespace Socialize.Api.Modules.Approvals.Handlers;
 
 public record SubmitApprovalDecisionRequest(
     string Decision,
-    string? Comment,
     string? ReviewerName,
     string? ReviewerEmail);
 
@@ -14,8 +22,10 @@ public class SubmitApprovalDecisionRequestValidator
 {
     public SubmitApprovalDecisionRequestValidator()
     {
-        RuleFor(x => x.Decision).NotEmpty().MaximumLength(64);
+        RuleFor(x => x.Decision)
-        RuleFor(x => x.Comment).MaximumLength(2048);
+            .NotEmpty()
+            .Equal("Approved")
+            .WithMessage("Only approved decisions are supported.");
         RuleFor(x => x.ReviewerName).MaximumLength(256);
         RuleFor(x => x.ReviewerEmail).MaximumLength(256).EmailAddress().When(x => !string.IsNullOrWhiteSpace(x.ReviewerEmail));
     }
@@ -24,6 +34,8 @@ public class SubmitApprovalDecisionRequestValidator
 public class SubmitApprovalDecisionHandler(
     AppDbContext dbContext,
     AccessScopeService accessScopeService,
+    ApprovalWorkflowRuntimeService approvalWorkflowRuntimeService,
+    IContentItemActivityWriter activityWriter,
     INotificationEventWriter notificationEventWriter)
     : Endpoint<SubmitApprovalDecisionRequest, ApprovalRequestDto>
 {
@@ -53,12 +65,19 @@ public class SubmitApprovalDecisionHandler(
         }
 
         if (User?.Identity?.IsAuthenticated == true &&
-            !accessScopeService.CanReviewContent(User, contentItem.WorkspaceId, contentItem.ClientId, contentItem.ProjectId))
+            !await accessScopeService.CanReviewContentAsync(User, contentItem.WorkspaceId, contentItem.ClientId, contentItem.CampaignId, ct))
         {
             await SendForbiddenAsync(ct);
             return;
         }
 
+        Workspace? workspace = await dbContext.Workspaces.SingleOrDefaultAsync(candidate => candidate.Id == contentItem.WorkspaceId, ct);
+        if (workspace is null)
+        {
+            await SendNotFoundAsync(ct);
+            return;
+        }
+
         string normalizedDecision = request.Decision.Trim();
         string decidedByName = User?.Identity?.IsAuthenticated == true
             ? User.GetAlias() ?? User.GetName()
@@ -72,52 +91,69 @@ public class SubmitApprovalDecisionHandler(
             Id = Guid.NewGuid(),
             ApprovalRequestId = approval.Id,
             Decision = normalizedDecision,
-            Comment = string.IsNullOrWhiteSpace(request.Comment) ? null : request.Comment.Trim(),
+            Comment = null,
             DecidedByUserId = User?.Identity?.IsAuthenticated == true ? User.GetUserId() : null,
             DecidedByName = decidedByName,
             DecidedByEmail = decidedByEmail,
             CreatedAt = DateTimeOffset.UtcNow,
         };
 
-        approval.State = normalizedDecision;
+        ApprovalWorkflowDecisionResult workflowDecisionResult = await approvalWorkflowRuntimeService
-        approval.CompletedAt = DateTimeOffset.UtcNow;
+            .ApplyWorkflowStepDecisionAsync(approval, contentItem, workspace, User!, decision, ct);
 
-        if (approval.Stage == "Internal")
+        if (!workflowDecisionResult.Succeeded)
         {
-            contentItem.Status = normalizedDecision switch
+            AddError(request => request.Decision, workflowDecisionResult.ErrorMessage ?? "The approval decision could not be recorded.");
-            {
+            await SendErrorsAsync(workflowDecisionResult.StatusCode, ct);
-                "Approved" => "Ready for client review",
+            return;
-                "Changes requested" => "Changes requested internally",
-                "Rejected" => "Rejected",
-                _ => contentItem.Status,
-            };
-        }
-        else if (approval.Stage == "Client")
-        {
-            contentItem.Status = normalizedDecision switch
-            {
-                "Approved" => "Approved",
-                "Changes requested" => "Changes requested by client",
-                "Rejected" => "Rejected",
-                _ => contentItem.Status,
-            };
         }
 
-        dbContext.ApprovalDecisions.Add(decision);
+        if (!workflowDecisionResult.IsWorkflowStep)
-        await dbContext.SaveChangesAsync(ct);
+        {
+            approval.State = normalizedDecision;
+            approval.CompletedAt = DateTimeOffset.UtcNow;
 
-        await notificationEventWriter.WriteAsync(
+            if (normalizedDecision == "Approved")
-            new NotificationEventWriteModel(
+            {
-                approval.WorkspaceId,
+                contentItem.Status = ApprovalWorkflowRules.GetFinalApprovalStatus(
-                approval.ContentItemId,
+                    workspace.SchedulePostsAutomaticallyOnApproval,
-                "approval.decision.recorded",
+                    contentItem.DueDate);
-                "ApprovalDecision",
+            }
-                decision.Id,
+
-                $"{decidedByName} recorded {normalizedDecision} for {contentItem.Title}.",
+            dbContext.ApprovalDecisions.Add(decision);
-                null,
+            await dbContext.SaveChangesAsync(ct);
-                decidedByEmail,
+
-                $$"""{"stage":"{{approval.Stage}}","status":"{{contentItem.Status}}"}"""),
+            await activityWriter.WriteAsync(
-            ct);
+                new ContentItemActivityWriteModel(
+                    approval.WorkspaceId,
+                    approval.ContentItemId,
+                    "approval.decision.recorded",
+                    "ApprovalDecision",
+                    decision.Id,
+                    $"{decidedByName} recorded {normalizedDecision} for {contentItem.Title}.",
+                    decision.DecidedByUserId,
+                    decidedByEmail,
+                    JsonSerializer.Serialize(new
+                    {
+                        stage = approval.Stage,
+                        status = contentItem.Status,
+                        decision = normalizedDecision,
+                    })),
+                ct);
+
+            await notificationEventWriter.WriteAsync(
+                new NotificationEventWriteModel(
+                    approval.WorkspaceId,
+                    approval.ContentItemId,
+                    "approval.decision.recorded",
+                    "ApprovalDecision",
+                    decision.Id,
+                    $"{decidedByName} recorded {normalizedDecision} for {contentItem.Title}.",
+                    null,
+                    decidedByEmail,
+                    $$"""{"stage":"{{approval.Stage}}","status":"{{contentItem.Status}}"}"""),
+                ct);
+        }
 
         List<ApprovalDecision> decisions = await dbContext.ApprovalDecisions
             .Where(candidate => candidate.ApprovalRequestId == approval.Id)
@@ -153,6 +189,11 @@ public class SubmitApprovalDecisionHandler(
             approval.Id,
             approval.WorkspaceId,
             approval.ContentItemId,
+            approval.WorkflowInstanceId,
+            approval.WorkflowStepSortOrder,
+            approval.WorkflowStepTargetType,
+            approval.WorkflowStepTargetValue,
+            approval.WorkflowStepRequiredApproverCount,
             approval.Stage,
             approval.ReviewerName,
             approval.ReviewerEmail,

backend/src/Socialize.Api/Modules/Approvals/Services/ApprovalStepConfigurationRules.cs

@@ -0,0 +1,56 @@
+using Socialize.Api.Modules.Identity.Contracts;
+
+namespace Socialize.Api.Modules.Approvals.Services;
+
+public static class ApprovalStepTargetTypes
+{
+    public const string Role = "Role";
+    public const string Membership = "Membership";
+    public const string Member = "Member";
+}
+
+public static class ApprovalMembershipTargets
+{
+    public const string Team = "Team";
+    public const string Client = "Client";
+}
+
+public static class ApprovalStepConfigurationRules
+{
+    public static readonly IReadOnlySet<string> AllowedTargetTypes = new HashSet<string>(StringComparer.Ordinal)
+    {
+        ApprovalStepTargetTypes.Role,
+        ApprovalStepTargetTypes.Membership,
+        ApprovalStepTargetTypes.Member,
+    };
+
+    public static readonly IReadOnlySet<string> AllowedRoleTargets = new HashSet<string>(StringComparer.Ordinal)
+    {
+        KnownRoles.Administrator,
+        KnownRoles.Manager,
+        KnownRoles.WorkspaceMember,
+        KnownRoles.Client,
+        KnownRoles.Provider,
+    };
+
+    public static readonly IReadOnlySet<string> AllowedMembershipTargets = new HashSet<string>(StringComparer.Ordinal)
+    {
+        ApprovalMembershipTargets.Team,
+        ApprovalMembershipTargets.Client,
+    };
+
+    public static bool IsValidTargetType(string? targetType)
+    {
+        return !string.IsNullOrWhiteSpace(targetType) && AllowedTargetTypes.Contains(targetType.Trim());
+    }
+
+    public static bool IsValidRoleTarget(string? targetValue)
+    {
+        return !string.IsNullOrWhiteSpace(targetValue) && AllowedRoleTargets.Contains(targetValue.Trim());
+    }
+
+    public static bool IsValidMembershipTarget(string? targetValue)
+    {
+        return !string.IsNullOrWhiteSpace(targetValue) && AllowedMembershipTargets.Contains(targetValue.Trim());
+    }
+}

backend/src/Socialize.Api/Modules/Approvals/Services/ApprovalWorkflowRules.cs

@@ -0,0 +1,97 @@
+using Socialize.Api.Modules.Identity.Contracts;
+
+namespace Socialize.Api.Modules.Approvals.Services;
+
+public static class ApprovalModes
+{
+    public const string None = "None";
+    public const string Optional = "Optional";
+    public const string Required = "Required";
+    public const string MultiLevel = "Multi-level";
+}
+
+public static class ApprovalWorkflowRules
+{
+    public static bool BlocksManualApprovedOrScheduledStatus(string approvalMode)
+    {
+        return approvalMode is ApprovalModes.Required or ApprovalModes.MultiLevel;
+    }
+
+    public static bool IsApprovalCompletionStatus(string status)
+    {
+        return status is "Approved" or "Scheduled";
+    }
+
+    public static string GetFinalApprovalStatus(bool schedulePostsAutomaticallyOnApproval, DateTimeOffset? plannedPublishDate)
+    {
+        return schedulePostsAutomaticallyOnApproval && plannedPublishDate.HasValue
+            ? "Scheduled"
+            : "Approved";
+    }
+
+    public static bool HasRequiredStepApprovals(int approvedDecisionCount, int requiredApproverCount)
+    {
+        return approvedDecisionCount >= Math.Max(1, requiredApproverCount);
+    }
+
+    public static bool CanApproveWorkflowStep(
+        bool isAdministrator,
+        bool hasWorkspaceAccess,
+        IReadOnlyCollection<string> userRoles,
+        Guid userId,
+        string? targetType,
+        string? targetValue)
+    {
+        if (isAdministrator)
+        {
+            return true;
+        }
+
+        if (!hasWorkspaceAccess ||
+            string.IsNullOrWhiteSpace(targetType) ||
+            string.IsNullOrWhiteSpace(targetValue))
+        {
+            return false;
+        }
+
+        return targetType switch
+        {
+            ApprovalStepTargetTypes.Role => userRoles.Contains(targetValue),
+            ApprovalStepTargetTypes.Membership => MatchesMembershipTarget(userRoles, targetValue),
+            ApprovalStepTargetTypes.Member => ParseMemberTargetIds(targetValue).Contains(userId),
+            _ => false,
+        };
+    }
+
+    public static IReadOnlyCollection<Guid> ParseMemberTargetIds(string? targetValue)
+    {
+        if (string.IsNullOrWhiteSpace(targetValue))
+        {
+            return [];
+        }
+
+        return targetValue
+            .Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
+            .Select(value => Guid.TryParse(value, out Guid memberUserId) ? memberUserId : Guid.Empty)
+            .Where(memberUserId => memberUserId != Guid.Empty)
+            .Distinct()
+            .ToArray();
+    }
+
+    public static string FormatMemberTargetValue(IEnumerable<Guid> memberUserIds)
+    {
+        return string.Join(",", memberUserIds.Distinct().OrderBy(memberUserId => memberUserId));
+    }
+
+    private static bool MatchesMembershipTarget(
+        IReadOnlyCollection<string> userRoles,
+        string targetValue)
+    {
+        return targetValue switch
+        {
+            ApprovalMembershipTargets.Client => userRoles.Contains(KnownRoles.Client),
+            ApprovalMembershipTargets.Team => !userRoles.Contains(KnownRoles.Client),
+            _ => false,
+        };
+    }
+}

backend/src/Socialize.Api/Modules/Approvals/Services/ApprovalWorkflowRuntimeService.cs

@@ -0,0 +1,401 @@
+using System.Security.Claims;
+using System.Security.Cryptography;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.Approvals.Data;
+using Socialize.Api.Modules.ContentItems.Data;
+using Socialize.Api.Modules.Identity.Contracts;
+using Socialize.Api.Modules.Notifications.Contracts;
+using Socialize.Api.Modules.Workspaces.Data;
+
+namespace Socialize.Api.Modules.Approvals.Services;
+
+public record ApprovalWorkflowStartResult(bool Succeeded, string? ErrorMessage);
+
+public record ApprovalWorkflowDecisionResult(
+    bool Succeeded,
+    string? ErrorMessage,
+    int StatusCode,
+    bool IsWorkflowStep);
+
+public class ApprovalWorkflowRuntimeService(
+    AppDbContext dbContext,
+    INotificationEventWriter notificationEventWriter)
+{
+    private const string PendingState = "Pending";
+    private const string ApprovedState = "Approved";
+
+    public async Task<ApprovalWorkflowStartResult> StartMultiLevelWorkflowAsync(
+        ContentItem contentItem,
+        Workspace workspace,
+        Guid requestedByUserId,
+        CancellationToken ct)
+    {
+        if (workspace.ApprovalMode != ApprovalModes.MultiLevel)
+        {
+            return new ApprovalWorkflowStartResult(false, "The workspace is not configured for multi-level approval.");
+        }
+
+        ApprovalWorkflowInstance? activeWorkflow = await dbContext.ApprovalWorkflowInstances
+            .SingleOrDefaultAsync(
+                workflow => workflow.ContentItemId == contentItem.Id && workflow.State == PendingState,
+                ct);
+        if (activeWorkflow is not null)
+        {
+            contentItem.Status = "In approval";
+            return new ApprovalWorkflowStartResult(true, null);
+        }
+
+        List<WorkspaceApprovalStepConfiguration> configuredSteps = await dbContext.WorkspaceApprovalStepConfigurations
+            .Where(step => step.WorkspaceId == workspace.Id)
+            .OrderBy(step => step.SortOrder)
+            .ThenBy(step => step.Name)
+            .ToListAsync(ct);
+
+        if (configuredSteps.Count == 0)
+        {
+            return new ApprovalWorkflowStartResult(false, "Multi-level approval requires at least one configured approval step.");
+        }
+
+        DateTimeOffset now = DateTimeOffset.UtcNow;
+        var workflowInstance = new ApprovalWorkflowInstance
+        {
+            Id = Guid.NewGuid(),
+            WorkspaceId = workspace.Id,
+            ContentItemId = contentItem.Id,
+            State = PendingState,
+            ApprovalMode = workspace.ApprovalMode,
+            StartedAt = now,
+        };
+
+        List<ApprovalRequest> workflowSteps = configuredSteps
+            .Select((step, index) => new ApprovalRequest
+            {
+                Id = Guid.NewGuid(),
+                WorkspaceId = workspace.Id,
+                ContentItemId = contentItem.Id,
+                WorkflowInstanceId = workflowInstance.Id,
+                WorkflowStepSortOrder = index,
+                WorkflowStepTargetType = step.TargetType,
+                WorkflowStepTargetValue = step.TargetValue,
+                WorkflowStepRequiredApproverCount = step.RequiredApproverCount,
+                Stage = step.Name,
+                ReviewerName = FormatStepTarget(step),
+                ReviewerEmail = string.Empty,
+                RequestedByUserId = requestedByUserId,
+                DueAt = contentItem.DueDate,
+                State = PendingState,
+                AccessToken = CreateAccessToken(),
+                SentAt = now,
+            })
+            .ToList();
+
+        dbContext.ApprovalWorkflowInstances.Add(workflowInstance);
+        dbContext.ApprovalRequests.AddRange(workflowSteps);
+        contentItem.Status = "In approval";
+
+        await dbContext.SaveChangesAsync(ct);
+        await NotifyCurrentStepApproversAsync(workflowSteps[0], contentItem, ct);
+
+        return new ApprovalWorkflowStartResult(true, null);
+    }
+
+    public async Task<ApprovalWorkflowDecisionResult> ApplyWorkflowStepDecisionAsync(
+        ApprovalRequest approval,
+        ContentItem contentItem,
+        Workspace workspace,
+        ClaimsPrincipal user,
+        ApprovalDecision decision,
+        CancellationToken ct)
+    {
+        if (!approval.WorkflowInstanceId.HasValue)
+        {
+            return new ApprovalWorkflowDecisionResult(true, null, StatusCodes.Status200OK, false);
+        }
+
+        if (user.Identity?.IsAuthenticated != true)
+        {
+            return new ApprovalWorkflowDecisionResult(false, "Multi-level approval steps require an authenticated approver.", StatusCodes.Status401Unauthorized, true);
+        }
+
+        if (!await CanApproveStepAsync(user, approval, workspace.Id, ct))
+        {
+            return new ApprovalWorkflowDecisionResult(false, "You cannot approve the current workflow step.", StatusCodes.Status403Forbidden, true);
+        }
+
+        ApprovalRequest? currentStep = await GetCurrentPendingStepAsync(approval.WorkflowInstanceId.Value, ct);
+        if (currentStep?.Id != approval.Id)
+        {
+            return new ApprovalWorkflowDecisionResult(false, "Only the current pending approval step can be approved.", StatusCodes.Status409Conflict, true);
+        }
+
+        Guid currentUserId = user.GetUserId();
+        bool alreadyApproved = await dbContext.ApprovalDecisions.AnyAsync(
+            candidate => candidate.ApprovalRequestId == approval.Id &&
+                         candidate.DecidedByUserId == currentUserId &&
+                         candidate.Decision == ApprovedState,
+            ct);
+
+        if (alreadyApproved)
+        {
+            return new ApprovalWorkflowDecisionResult(false, "You have already approved this workflow step.", StatusCodes.Status409Conflict, true);
+        }
+
+        dbContext.ApprovalDecisions.Add(decision);
+        await dbContext.SaveChangesAsync(ct);
+
+        int approvedCount = await dbContext.ApprovalDecisions
+            .Where(candidate => candidate.ApprovalRequestId == approval.Id && candidate.Decision == ApprovedState)
+            .Select(candidate => candidate.DecidedByUserId.HasValue
+                ? candidate.DecidedByUserId.Value.ToString()
+                : candidate.DecidedByEmail.ToLower())
+            .Distinct()
+            .CountAsync(ct);
+
+        int requiredApproverCount = approval.WorkflowStepRequiredApproverCount ?? 1;
+        if (!ApprovalWorkflowRules.HasRequiredStepApprovals(approvedCount, requiredApproverCount))
+        {
+            return new ApprovalWorkflowDecisionResult(true, null, StatusCodes.Status200OK, true);
+        }
+
+        approval.State = ApprovedState;
+        approval.CompletedAt = DateTimeOffset.UtcNow;
+
+        ApprovalRequest? nextStep = await dbContext.ApprovalRequests
+            .Where(candidate => candidate.WorkflowInstanceId == approval.WorkflowInstanceId &&
+                                candidate.State == PendingState &&
+                                candidate.Id != approval.Id)
+            .OrderBy(candidate => candidate.WorkflowStepSortOrder)
+            .ThenBy(candidate => candidate.SentAt)
+            .FirstOrDefaultAsync(ct);
+
+        if (nextStep is null)
+        {
+            ApprovalWorkflowInstance? workflowInstance = await dbContext.ApprovalWorkflowInstances
+                .SingleOrDefaultAsync(candidate => candidate.Id == approval.WorkflowInstanceId.Value, ct);
+            if (workflowInstance is null)
+            {
+                return new ApprovalWorkflowDecisionResult(false, "The approval workflow instance could not be found.", StatusCodes.Status404NotFound, true);
+            }
+
+            workflowInstance.State = ApprovedState;
+            workflowInstance.CompletedAt = DateTimeOffset.UtcNow;
+            contentItem.Status = ApprovalWorkflowRules.GetFinalApprovalStatus(
+                workspace.SchedulePostsAutomaticallyOnApproval,
+                contentItem.DueDate);
+        }
+
+        await dbContext.SaveChangesAsync(ct);
+
+        if (nextStep is null)
+        {
+            await NotifyPublishUsersAsync(approval, contentItem, ct);
+        }
+        else
+        {
+            await NotifyCurrentStepApproversAsync(nextStep, contentItem, ct);
+        }
+
+        return new ApprovalWorkflowDecisionResult(true, null, StatusCodes.Status200OK, true);
+    }
+
+    public async Task<bool> HasCompletedMultiLevelWorkflowAsync(Guid contentItemId, CancellationToken ct)
+    {
+        return await dbContext.ApprovalWorkflowInstances.AnyAsync(
+            workflow => workflow.ContentItemId == contentItemId && workflow.State == ApprovedState,
+            ct);
+    }
+
+    private async Task<ApprovalRequest?> GetCurrentPendingStepAsync(Guid workflowInstanceId, CancellationToken ct)
+    {
+        return await dbContext.ApprovalRequests
+            .Where(candidate => candidate.WorkflowInstanceId == workflowInstanceId && candidate.State == PendingState)
+            .OrderBy(candidate => candidate.WorkflowStepSortOrder)
+            .ThenBy(candidate => candidate.SentAt)
+            .FirstOrDefaultAsync(ct);
+    }
+
+    private async Task<bool> CanApproveStepAsync(
+        ClaimsPrincipal user,
+        ApprovalRequest approval,
+        Guid workspaceId,
+        CancellationToken ct)
+    {
+        Guid userId = user.GetUserId();
+        bool hasWorkspaceAccess = await UserHasWorkspaceAccessAsync(userId, workspaceId, ct);
+        string[] userRoles = ApprovalStepConfigurationRules.AllowedRoleTargets
+            .Where(user.IsInRole)
+            .ToArray();
+
+        return ApprovalWorkflowRules.CanApproveWorkflowStep(
+            user.IsInRole(KnownRoles.Administrator),
+            hasWorkspaceAccess,
+            userRoles,
+            userId,
+            approval.WorkflowStepTargetType,
+            approval.WorkflowStepTargetValue);
+    }
+
+    private async Task<bool> UserHasWorkspaceAccessAsync(Guid userId, Guid workspaceId, CancellationToken ct)
+    {
+        string workspaceClaimValue = workspaceId.ToString();
+        return await dbContext.UserClaims.AnyAsync(
+            claim => claim.UserId == userId &&
+                     claim.ClaimType == KnownClaims.WorkspaceScope &&
+                     claim.ClaimValue == workspaceClaimValue,
+            ct);
+    }
+
+    private async Task NotifyCurrentStepApproversAsync(
+        ApprovalRequest approval,
+        ContentItem contentItem,
+        CancellationToken ct)
+    {
+        List<ApprovalNotificationRecipient> recipients = await GetStepApproverRecipientsAsync(approval, ct);
+
+        foreach (ApprovalNotificationRecipient recipient in recipients)
+        {
+            await notificationEventWriter.WriteAsync(
+                new NotificationEventWriteModel(
+                    approval.WorkspaceId,
+                    approval.ContentItemId,
+                    "approval.step.current",
+                    "ApprovalRequest",
+                    approval.Id,
+                    $"{approval.Stage} approval is ready for {contentItem.Title}.",
+                    recipient.UserId,
+                    recipient.Email,
+                    $$"""{"stage":"{{approval.Stage}}","requiredApproverCount":{{approval.WorkflowStepRequiredApproverCount ?? 1}}}"""),
+                ct);
+        }
+    }
+
+    private async Task NotifyPublishUsersAsync(
+        ApprovalRequest approval,
+        ContentItem contentItem,
+        CancellationToken ct)
+    {
+        List<ApprovalNotificationRecipient> recipients = await GetPublishRecipientUsersAsync(approval.WorkspaceId, ct);
+
+        foreach (ApprovalNotificationRecipient recipient in recipients)
+        {
+            await notificationEventWriter.WriteAsync(
+                new NotificationEventWriteModel(
+                    approval.WorkspaceId,
+                    approval.ContentItemId,
+                    "approval.workflow.completed",
+                    "ApprovalWorkflowInstance",
+                    approval.WorkflowInstanceId!.Value,
+                    $"Final approval completed for {contentItem.Title}.",
+                    recipient.UserId,
+                    recipient.Email,
+                    $$"""{"status":"{{contentItem.Status}}"}"""),
+                ct);
+        }
+    }
+
+    private async Task<List<ApprovalNotificationRecipient>> GetStepApproverRecipientsAsync(
+        ApprovalRequest approval,
+        CancellationToken ct)
+    {
+        string? targetType = approval.WorkflowStepTargetType;
+        string? targetValue = approval.WorkflowStepTargetValue;
+        if (string.IsNullOrWhiteSpace(targetType) || string.IsNullOrWhiteSpace(targetValue))
+        {
+            return [];
+        }
+
+        return targetType switch
+        {
+            ApprovalStepTargetTypes.Member => await GetMemberRecipientsAsync(targetValue, ct),
+            ApprovalStepTargetTypes.Role => await GetRoleRecipientsAsync(approval.WorkspaceId, [targetValue], ct),
+            ApprovalStepTargetTypes.Membership => await GetMembershipRecipientsAsync(approval.WorkspaceId, targetValue, ct),
+            _ => [],
+        };
+    }
+
+    private async Task<List<ApprovalNotificationRecipient>> GetMemberRecipientsAsync(string targetValue, CancellationToken ct)
+    {
+        IReadOnlyCollection<Guid> userIds = ApprovalWorkflowRules.ParseMemberTargetIds(targetValue);
+        if (userIds.Count == 0)
+        {
+            return [];
+        }
+
+        return await dbContext.Users
+            .Where(user => userIds.Contains(user.Id))
+            .Select(user => new ApprovalNotificationRecipient(user.Id, user.Email))
+            .ToListAsync(ct);
+    }
+
+    private async Task<List<ApprovalNotificationRecipient>> GetMembershipRecipientsAsync(
+        Guid workspaceId,
+        string targetValue,
+        CancellationToken ct)
+    {
+        string[] roles = targetValue switch
+        {
+            ApprovalMembershipTargets.Client => [KnownRoles.Client],
+            ApprovalMembershipTargets.Team => [KnownRoles.Administrator, KnownRoles.Manager, KnownRoles.WorkspaceMember, KnownRoles.Provider],
+            _ => [],
+        };
+
+        return roles.Length == 0
+            ? []
+            : await GetRoleRecipientsAsync(workspaceId, roles, ct);
+    }
+
+    private async Task<List<ApprovalNotificationRecipient>> GetPublishRecipientUsersAsync(Guid workspaceId, CancellationToken ct)
+    {
+        return await GetRoleRecipientsAsync(workspaceId, [KnownRoles.Administrator, KnownRoles.Manager], ct);
+    }
+
+    private async Task<List<ApprovalNotificationRecipient>> GetRoleRecipientsAsync(
+        Guid workspaceId,
+        IReadOnlyCollection<string> roles,
+        CancellationToken ct)
+    {
+        string workspaceClaimValue = workspaceId.ToString();
+
+        return await dbContext.UserRoles
+            .Join(
+                dbContext.Roles,
+                userRole => userRole.RoleId,
+                role => role.Id,
+                (userRole, role) => new { userRole.UserId, RoleName = role.Name })
+            .Where(candidate => candidate.RoleName != null && roles.Contains(candidate.RoleName))
+            .Join(
+                dbContext.UserClaims.Where(claim =>
+                    claim.ClaimType == KnownClaims.WorkspaceScope &&
+                    claim.ClaimValue == workspaceClaimValue),
+                candidate => candidate.UserId,
+                claim => claim.UserId,
+                (candidate, _) => candidate.UserId)
+            .Distinct()
+            .Join(
+                dbContext.Users,
+                userId => userId,
+                user => user.Id,
+                (_, user) => new ApprovalNotificationRecipient(user.Id, user.Email))
+            .ToListAsync(ct);
+    }
+
+    private static string FormatStepTarget(WorkspaceApprovalStepConfiguration step)
+    {
+        return step.TargetType switch
+        {
+            ApprovalStepTargetTypes.Role => $"Role: {step.TargetValue}",
+            ApprovalStepTargetTypes.Membership => $"Membership: {step.TargetValue}",
+            ApprovalStepTargetTypes.Member => "Assigned members",
+            _ => step.TargetValue,
+        };
+    }
+
+    private static string CreateAccessToken()
+    {
+        return Convert.ToHexString(RandomNumberGenerator.GetBytes(16)).ToLowerInvariant();
+    }
+
+    private sealed record ApprovalNotificationRecipient(Guid UserId, string? Email);
+}

backend/src/Socialize.Api/Modules/Assets/Data/Asset.cs

@@ -1,4 +1,4 @@
-namespace Socialize.Modules.Assets.Data;
+namespace Socialize.Api.Modules.Assets.Data;
 
 public class Asset
 {

backend/src/Socialize.Api/Modules/Assets/Data/AssetModelConfiguration.cs

@@ -1,4 +1,6 @@
-namespace Socialize.Modules.Assets.Data;
+using Microsoft.EntityFrameworkCore;
+
+namespace Socialize.Api.Modules.Assets.Data;
 
 public static class AssetModelConfiguration
 {

backend/src/Socialize.Api/Modules/Assets/Data/AssetRevision.cs

@@ -1,4 +1,4 @@
-namespace Socialize.Modules.Assets.Data;
+namespace Socialize.Api.Modules.Assets.Data;
 
 public class AssetRevision
 {

backend/src/Socialize.Api/Modules/Assets/DependencyInjection.cs

@@ -1,6 +1,6 @@
-using Socialize.Modules.Assets.Data;
+using Socialize.Api.Modules.Assets.Data;
 
-namespace Socialize.Modules.Assets;
+namespace Socialize.Api.Modules.Assets;
 
 public static class DependencyInjection
 {

backend/src/Socialize.Api/Modules/Assets/Handlers/CreateAssetRevision.cs

@@ -1,7 +1,14 @@
-using Socialize.Infrastructure.Security;
+using FastEndpoints;
-using Socialize.Modules.Notifications.Contracts;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.Assets.Data;
+using Socialize.Api.Modules.ContentItems.Contracts;
+using Socialize.Api.Modules.ContentItems.Data;
+using Socialize.Api.Modules.Notifications.Contracts;
+using System.Text.Json;
 
-namespace Socialize.Modules.Assets.Handlers;
+namespace Socialize.Api.Modules.Assets.Handlers;
 
 public record CreateAssetRevisionRequest(
     string SourceReference,
@@ -22,6 +29,7 @@ public class CreateAssetRevisionRequestValidator
 public class CreateAssetRevisionHandler(
     AppDbContext dbContext,
     AccessScopeService accessScopeService,
+    IContentItemActivityWriter activityWriter,
     INotificationEventWriter notificationEventWriter)
     : Endpoint<CreateAssetRevisionRequest, AssetRevisionDto>
 {
@@ -46,7 +54,7 @@ public class CreateAssetRevisionHandler(
             .SingleOrDefaultAsync(candidate => candidate.Id == asset.ContentItemId, ct);
 
         if (contentItem is not null &&
-            !accessScopeService.CanContributeToProject(User, contentItem.WorkspaceId, contentItem.ClientId, contentItem.ProjectId))
+            !await accessScopeService.CanContributeToCampaignAsync(User, contentItem.WorkspaceId, contentItem.ClientId, contentItem.CampaignId, ct))
         {
             await SendForbiddenAsync(ct);
             return;
@@ -73,6 +81,25 @@ public class CreateAssetRevisionHandler(
 
         if (contentItem is not null)
         {
+            await activityWriter.WriteAsync(
+                new ContentItemActivityWriteModel(
+                    asset.WorkspaceId,
+                    asset.ContentItemId,
+                    "asset.revision.created",
+                    "AssetRevision",
+                    revision.Id,
+                    $"A new asset revision was added to {asset.DisplayName}.",
+                    User.GetUserId(),
+                    User.GetEmail(),
+                    JsonSerializer.Serialize(new
+                    {
+                        assetId = asset.Id,
+                        revisionNumber,
+                        sourceReference = revision.SourceReference,
+                        notes = revision.Notes,
+                    })),
+                ct);
+
             await notificationEventWriter.WriteAsync(
                 new NotificationEventWriteModel(
                     asset.WorkspaceId,

backend/src/Socialize.Api/Modules/Assets/Handlers/CreateGoogleDriveAsset.cs

@@ -1,7 +1,14 @@
-using Socialize.Infrastructure.Security;
+using FastEndpoints;
-using Socialize.Modules.Notifications.Contracts;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.Assets.Data;
+using Socialize.Api.Modules.ContentItems.Contracts;
+using Socialize.Api.Modules.ContentItems.Data;
+using Socialize.Api.Modules.Notifications.Contracts;
+using System.Text.Json;
 
-namespace Socialize.Modules.Assets.Handlers;
+namespace Socialize.Api.Modules.Assets.Handlers;
 
 public record CreateGoogleDriveAssetRequest(
     Guid WorkspaceId,
@@ -30,6 +37,7 @@ public class CreateGoogleDriveAssetRequestValidator
 public class CreateGoogleDriveAssetHandler(
     AppDbContext dbContext,
     AccessScopeService accessScopeService,
+    IContentItemActivityWriter activityWriter,
     INotificationEventWriter notificationEventWriter)
     : Endpoint<CreateGoogleDriveAssetRequest, AssetDto>
 {
@@ -53,7 +61,7 @@ public class CreateGoogleDriveAssetHandler(
             return;
         }
 
-        if (!accessScopeService.CanContributeToProject(User, contentItem.WorkspaceId, contentItem.ClientId, contentItem.ProjectId))
+        if (!await accessScopeService.CanContributeToCampaignAsync(User, contentItem.WorkspaceId, contentItem.ClientId, contentItem.CampaignId, ct))
         {
             await SendForbiddenAsync(ct);
             return;
@@ -88,6 +96,25 @@ public class CreateGoogleDriveAssetHandler(
         dbContext.AssetRevisions.Add(revision);
         await dbContext.SaveChangesAsync(ct);
 
+        await activityWriter.WriteAsync(
+            new ContentItemActivityWriteModel(
+                asset.WorkspaceId,
+                asset.ContentItemId,
+                "asset.google-drive-linked",
+                "Asset",
+                asset.Id,
+                $"Google Drive asset {asset.DisplayName} was linked to {contentItem.Title}.",
+                User.GetUserId(),
+                User.GetEmail(),
+                JsonSerializer.Serialize(new
+                {
+                    assetType = asset.AssetType,
+                    sourceType = asset.SourceType,
+                    googleDriveFileId = asset.GoogleDriveFileId,
+                    currentRevisionNumber = asset.CurrentRevisionNumber,
+                })),
+            ct);
+
         await notificationEventWriter.WriteAsync(
             new NotificationEventWriteModel(
                 asset.WorkspaceId,

backend/src/Socialize.Api/Modules/Assets/Handlers/GetAssets.cs

@@ -1,5 +1,9 @@
-using Socialize.Infrastructure.Security;
+using FastEndpoints;
-namespace Socialize.Modules.Assets.Handlers;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+
+namespace Socialize.Api.Modules.Assets.Handlers;
 
 public record GetAssetsRequest(Guid ContentItemId);
 
@@ -40,7 +44,7 @@ public class GetAssetsHandler(
 
     public override async Task HandleAsync(GetAssetsRequest request, CancellationToken ct)
     {
-        ContentItem? item = await dbContext.ContentItems
+        var item = await dbContext.ContentItems
             .SingleOrDefaultAsync(candidate => candidate.Id == request.ContentItemId, ct);
         if (item is null)
         {
@@ -48,7 +52,7 @@ public class GetAssetsHandler(
             return;
         }
 
-        if (!accessScopeService.CanReviewContent(User, item.WorkspaceId, item.ClientId, item.ProjectId))
+        if (!await accessScopeService.CanReviewContentAsync(User, item.WorkspaceId, item.ClientId, item.CampaignId, ct))
         {
             await SendForbiddenAsync(ct);
             return;

backend/src/Socialize.Api/Modules/CalendarIntegrations/Data/CalendarCatalogEntry.cs

@@ -0,0 +1,18 @@
+namespace Socialize.Api.Modules.CalendarIntegrations.Data;
+
+public class CalendarCatalogEntry
+{
+    public Guid Id { get; init; }
+    public required string Title { get; set; }
+    public required string Description { get; set; }
+    public string? Country { get; set; }
+    public string? Region { get; set; }
+    public required string Language { get; set; }
+    public required string Category { get; set; }
+    public string? CultureOrReligion { get; set; }
+    public required string ProviderName { get; set; }
+    public required string SourceUrl { get; set; }
+    public required string TrustLevel { get; set; }
+    public required string DefaultColor { get; set; }
+    public DateTimeOffset CreatedAt { get; init; }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Data/CalendarCatalogSeed.cs

@@ -0,0 +1,53 @@
+namespace Socialize.Api.Modules.CalendarIntegrations.Data;
+
+public static class CalendarCatalogSeed
+{
+    public static readonly CalendarCatalogEntry[] Entries =
+    [
+        new()
+        {
+            Id = Guid.Parse("10000000-0000-0000-0000-000000000001"),
+            Title = "United States Public Holidays",
+            Description = "Federal public holiday calendar for the United States.",
+            Country = "US",
+            Region = null,
+            Language = "en",
+            Category = "public-holiday",
+            CultureOrReligion = null,
+            ProviderName = "Nager.Date",
+            SourceUrl = "https://date.nager.at/api/v3/PublicHolidays/2026/US",
+            TrustLevel = "Verified",
+            DefaultColor = "#2F80ED",
+        },
+        new()
+        {
+            Id = Guid.Parse("10000000-0000-0000-0000-000000000002"),
+            Title = "Canada Public Holidays",
+            Description = "Public holiday calendar for Canada.",
+            Country = "CA",
+            Region = null,
+            Language = "en",
+            Category = "public-holiday",
+            CultureOrReligion = null,
+            ProviderName = "Nager.Date",
+            SourceUrl = "https://date.nager.at/api/v3/PublicHolidays/2026/CA",
+            TrustLevel = "Verified",
+            DefaultColor = "#2F80ED",
+        },
+        new()
+        {
+            Id = Guid.Parse("10000000-0000-0000-0000-000000000003"),
+            Title = "Common Marketing Moments",
+            Description = "Common retail, awareness, and social planning moments.",
+            Country = null,
+            Region = null,
+            Language = "en",
+            Category = "marketing-moment",
+            CultureOrReligion = null,
+            ProviderName = "Socialize",
+            SourceUrl = "https://example.com/socialize/marketing-moments.ics",
+            TrustLevel = "Maintained",
+            DefaultColor = "#9B51E0",
+        },
+    ];
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Data/CalendarEvent.cs

@@ -0,0 +1,24 @@
+namespace Socialize.Api.Modules.CalendarIntegrations.Data;
+
+public class CalendarEvent
+{
+    public Guid Id { get; init; }
+    public Guid CalendarSourceId { get; set; }
+    public required string SourceEventUid { get; set; }
+    public required string Title { get; set; }
+    public string? Description { get; set; }
+    public bool IsAllDay { get; set; }
+    public bool IsFloatingTime { get; set; }
+    public DateOnly StartDate { get; set; }
+    public DateOnly EndDate { get; set; }
+    public DateTime? StartLocalDateTime { get; set; }
+    public DateTime? EndLocalDateTime { get; set; }
+    public DateTimeOffset? StartUtc { get; set; }
+    public DateTimeOffset? EndUtc { get; set; }
+    public string? TimeZoneId { get; set; }
+    public string? RecurrenceId { get; set; }
+    public string? Location { get; set; }
+    public string? SourceUrl { get; set; }
+    public DateTimeOffset? SourceLastModifiedAt { get; set; }
+    public DateTimeOffset ImportedAt { get; set; }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Data/CalendarSource.cs

@@ -0,0 +1,22 @@
+namespace Socialize.Api.Modules.CalendarIntegrations.Data;
+
+public class CalendarSource
+{
+    public Guid Id { get; init; }
+    public required string Scope { get; set; }
+    public Guid? OrganizationId { get; set; }
+    public Guid? WorkspaceId { get; set; }
+    public Guid? UserId { get; set; }
+    public string? SourceUrl { get; set; }
+    public string? CatalogSourceReference { get; set; }
+    public required string DisplayTitle { get; set; }
+    public required string Color { get; set; }
+    public required string Category { get; set; }
+    public bool IsEnabled { get; set; } = true;
+    public string? InheritanceMode { get; set; }
+    public DateTimeOffset? LastSuccessfulSyncAt { get; set; }
+    public DateTimeOffset? LastAttemptedSyncAt { get; set; }
+    public string? LastSyncError { get; set; }
+    public DateTimeOffset CreatedAt { get; init; }
+    public DateTimeOffset UpdatedAt { get; set; }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Data/CalendarSourceModelConfiguration.cs

@@ -0,0 +1,95 @@
+using Microsoft.EntityFrameworkCore;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Data;
+
+public static class CalendarSourceModelConfiguration
+{
+    public static ModelBuilder ConfigureCalendarIntegrationsModule(this ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<CalendarSource>(source =>
+        {
+            source.ToTable("CalendarSources");
+            source.HasKey(x => x.Id);
+            source.Property(x => x.Scope).HasMaxLength(32).IsRequired();
+            source.Property(x => x.SourceUrl).HasMaxLength(2048);
+            source.Property(x => x.CatalogSourceReference).HasMaxLength(256);
+            source.Property(x => x.DisplayTitle).HasMaxLength(256).IsRequired();
+            source.Property(x => x.Color).HasMaxLength(16).IsRequired();
+            source.Property(x => x.Category).HasMaxLength(64).IsRequired();
+            source.Property(x => x.InheritanceMode).HasMaxLength(32);
+            source.Property(x => x.LastSyncError).HasMaxLength(2048);
+            source.Property(x => x.CreatedAt)
+                .ValueGeneratedOnAdd()
+                .HasDefaultValueSql("CURRENT_TIMESTAMP");
+            source.Property(x => x.UpdatedAt)
+                .ValueGeneratedOnAdd()
+                .HasDefaultValueSql("CURRENT_TIMESTAMP");
+
+            source.HasIndex(x => x.Scope);
+            source.HasIndex(x => x.OrganizationId);
+            source.HasIndex(x => x.WorkspaceId);
+            source.HasIndex(x => x.UserId);
+        });
+
+        modelBuilder.Entity<CalendarCatalogEntry>(entry =>
+        {
+            entry.ToTable("CalendarCatalogEntries");
+            entry.HasKey(x => x.Id);
+            entry.Property(x => x.Title).HasMaxLength(256).IsRequired();
+            entry.Property(x => x.Description).HasMaxLength(1024).IsRequired();
+            entry.Property(x => x.Country).HasMaxLength(2);
+            entry.Property(x => x.Region).HasMaxLength(128);
+            entry.Property(x => x.Language).HasMaxLength(16).IsRequired();
+            entry.Property(x => x.Category).HasMaxLength(64).IsRequired();
+            entry.Property(x => x.CultureOrReligion).HasMaxLength(128);
+            entry.Property(x => x.ProviderName).HasMaxLength(128).IsRequired();
+            entry.Property(x => x.SourceUrl).HasMaxLength(2048).IsRequired();
+            entry.Property(x => x.TrustLevel).HasMaxLength(64).IsRequired();
+            entry.Property(x => x.DefaultColor).HasMaxLength(16).IsRequired();
+            entry.Property(x => x.CreatedAt)
+                .ValueGeneratedOnAdd()
+                .HasDefaultValueSql("CURRENT_TIMESTAMP");
+            entry.HasIndex(x => x.Country);
+            entry.HasIndex(x => x.Category);
+            entry.HasIndex(x => x.ProviderName);
+            entry.HasData(CalendarCatalogSeed.Entries);
+        });
+
+        modelBuilder.Entity<CalendarEvent>(calendarEvent =>
+        {
+            calendarEvent.ToTable("CalendarEvents");
+            calendarEvent.HasKey(x => x.Id);
+            calendarEvent.Property(x => x.SourceEventUid).HasMaxLength(512).IsRequired();
+            calendarEvent.Property(x => x.Title).HasMaxLength(512).IsRequired();
+            calendarEvent.Property(x => x.Description).HasMaxLength(4000);
+            calendarEvent.Property(x => x.TimeZoneId).HasMaxLength(128);
+            calendarEvent.Property(x => x.RecurrenceId).HasMaxLength(512);
+            calendarEvent.Property(x => x.Location).HasMaxLength(512);
+            calendarEvent.Property(x => x.SourceUrl).HasMaxLength(2048);
+            calendarEvent.HasIndex(x => x.CalendarSourceId);
+            calendarEvent.HasIndex(x => new { x.CalendarSourceId, x.SourceEventUid, x.StartDate }).IsUnique();
+            calendarEvent.HasOne<CalendarSource>()
+                .WithMany()
+                .HasForeignKey(x => x.CalendarSourceId)
+                .OnDelete(DeleteBehavior.Cascade);
+        });
+
+        modelBuilder.Entity<UserCalendarExportFeed>(feed =>
+        {
+            feed.ToTable("UserCalendarExportFeeds");
+            feed.HasKey(x => x.Id);
+            feed.Property(x => x.Token).HasMaxLength(96);
+            feed.Property(x => x.TokenHash).HasMaxLength(64);
+            feed.Property(x => x.CreatedAt)
+                .ValueGeneratedOnAdd()
+                .HasDefaultValueSql("CURRENT_TIMESTAMP");
+            feed.Property(x => x.UpdatedAt)
+                .ValueGeneratedOnAdd()
+                .HasDefaultValueSql("CURRENT_TIMESTAMP");
+            feed.HasIndex(x => x.UserId).IsUnique();
+            feed.HasIndex(x => x.TokenHash).IsUnique();
+        });
+
+        return modelBuilder;
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Data/UserCalendarExportFeed.cs

@@ -0,0 +1,12 @@
+namespace Socialize.Api.Modules.CalendarIntegrations.Data;
+
+public class UserCalendarExportFeed
+{
+    public Guid Id { get; init; }
+    public Guid UserId { get; set; }
+    public string? Token { get; set; }
+    public string? TokenHash { get; set; }
+    public DateTimeOffset CreatedAt { get; init; }
+    public DateTimeOffset UpdatedAt { get; set; }
+    public DateTimeOffset? RevokedAt { get; set; }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/DependencyInjection.cs

@@ -0,0 +1,15 @@
+namespace Socialize.Api.Modules.CalendarIntegrations;
+
+public static class DependencyInjection
+{
+    public static WebApplicationBuilder AddCalendarIntegrationsModule(this WebApplicationBuilder builder)
+    {
+        builder.Services.AddSingleton<Services.IcsCalendarParser>();
+        builder.Services.AddSingleton<Services.CalendarExportFeedBuilder>();
+        builder.Services.AddScoped<Services.CalendarExportFeedService>();
+        builder.Services.AddScoped<Services.CalendarImportSyncService>();
+        builder.Services.AddHostedService<Services.CalendarImportBackgroundService>();
+
+        return builder;
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Handlers/CalendarSourceDtos.cs

@@ -0,0 +1,112 @@
+using Socialize.Api.Modules.CalendarIntegrations.Data;
+using Socialize.Api.Modules.CalendarIntegrations.Services;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Handlers;
+
+public record CalendarSourceDto(
+    Guid Id,
+    string Scope,
+    Guid? OrganizationId,
+    Guid? WorkspaceId,
+    Guid? UserId,
+    string? SourceUrl,
+    string? CatalogSourceReference,
+    string DisplayTitle,
+    string Color,
+    string Category,
+    bool IsEnabled,
+    string? InheritanceMode,
+    bool IsReadOnly,
+    DateTimeOffset? LastSuccessfulSyncAt,
+    DateTimeOffset? LastAttemptedSyncAt,
+    string? LastSyncError,
+    DateTimeOffset CreatedAt,
+    DateTimeOffset UpdatedAt)
+{
+    public static CalendarSourceDto FromSource(CalendarSource source, bool isReadOnly)
+    {
+        return new CalendarSourceDto(
+            source.Id,
+            source.Scope,
+            source.OrganizationId,
+            source.WorkspaceId,
+            source.UserId,
+            source.SourceUrl,
+            source.CatalogSourceReference,
+            source.DisplayTitle,
+            source.Color,
+            source.Category,
+            source.IsEnabled,
+            source.InheritanceMode,
+            isReadOnly,
+            source.LastSuccessfulSyncAt,
+            source.LastAttemptedSyncAt,
+            source.LastSyncError,
+            source.CreatedAt,
+            source.UpdatedAt);
+    }
+}
+
+public record UpsertCalendarSourceRequest(
+    string Scope,
+    Guid? OrganizationId,
+    Guid? WorkspaceId,
+    string? SourceUrl,
+    string? CatalogSourceReference,
+    string DisplayTitle,
+    string Color,
+    string Category,
+    bool IsEnabled,
+    string? InheritanceMode);
+
+public class UpsertCalendarSourceRequestValidator
+    : FastEndpoints.Validator<UpsertCalendarSourceRequest>
+{
+    public UpsertCalendarSourceRequestValidator()
+    {
+        RuleFor(x => x.Scope)
+            .NotEmpty()
+            .Must(CalendarSourceRules.IsSupportedScope)
+            .WithMessage("A valid calendar source scope should be specified.");
+
+        RuleFor(x => x.DisplayTitle).NotEmpty().MaximumLength(256);
+        RuleFor(x => x.Category).NotEmpty().MaximumLength(64);
+        RuleFor(x => x.Color)
+            .NotEmpty()
+            .Matches("^#[0-9A-Fa-f]{6}$")
+            .WithMessage("Color should be a six digit hex color, for example #2F80ED.");
+
+        RuleFor(x => x.SourceUrl)
+            .MaximumLength(2048)
+            .Must(value => string.IsNullOrWhiteSpace(value) || Uri.TryCreate(value, UriKind.Absolute, out Uri? uri) &&
+                (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps))
+            .WithMessage("Source URL should be an absolute HTTP or HTTPS URL.");
+
+        RuleFor(x => x.CatalogSourceReference).MaximumLength(256);
+
+        RuleFor(x => x)
+            .Must(x => !string.IsNullOrWhiteSpace(x.SourceUrl) || !string.IsNullOrWhiteSpace(x.CatalogSourceReference))
+            .WithMessage("A source URL or catalog source reference should be specified.");
+
+        RuleFor(x => x)
+            .Must(x => x.Scope != CalendarSourceScopes.Organization || x.OrganizationId.HasValue)
+            .WithMessage("Organization calendar sources require an organization id.");
+
+        RuleFor(x => x)
+            .Must(x => x.Scope != CalendarSourceScopes.Workspace || x.WorkspaceId.HasValue)
+            .WithMessage("Workspace calendar sources require a workspace id.");
+
+        RuleFor(x => x)
+            .Must(x => x.Scope != CalendarSourceScopes.User || (!x.OrganizationId.HasValue && !x.WorkspaceId.HasValue))
+            .WithMessage("User calendar sources should not include organization or workspace ids.");
+
+        RuleFor(x => x)
+            .Must(x => x.Scope == CalendarSourceScopes.Organization ||
+                (!x.OrganizationId.HasValue && string.IsNullOrWhiteSpace(x.InheritanceMode)))
+            .WithMessage("Only organization calendar sources can set organization ids or inheritance modes.");
+
+        RuleFor(x => x.InheritanceMode)
+            .Must(value => string.IsNullOrWhiteSpace(value) || CalendarSourceRules.IsSupportedInheritanceMode(value))
+            .WithMessage("A valid inheritance mode should be specified.");
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Handlers/CreateCalendarSource.cs

@@ -0,0 +1,132 @@
+using FastEndpoints;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.CalendarIntegrations.Data;
+using Socialize.Api.Modules.CalendarIntegrations.Services;
+using Socialize.Api.Modules.Organizations.Services;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Handlers;
+
+public class CreateCalendarSourceHandler(
+    AppDbContext dbContext,
+    AccessScopeService accessScopeService,
+    OrganizationAccessService organizationAccessService)
+    : Endpoint<UpsertCalendarSourceRequest, CalendarSourceDto>
+{
+    public override void Configure()
+    {
+        Post("/api/calendar-integrations/sources");
+        Options(o => o.WithTags("Calendar Integrations"));
+    }
+
+    public override async Task HandleAsync(UpsertCalendarSourceRequest request, CancellationToken ct)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        Guid currentUserId = User.GetUserId();
+        string scope = request.Scope.Trim();
+        Guid? organizationId = request.OrganizationId;
+        Guid? workspaceId = request.WorkspaceId;
+
+        if (!await CanCreateAsync(scope, organizationId, workspaceId, currentUserId, ct))
+        {
+            await SendForbiddenAsync(ct);
+            return;
+        }
+
+        string? sourceUrl = NormalizeOptional(request.SourceUrl);
+        string? catalogSourceReference = NormalizeOptional(request.CatalogSourceReference);
+        if (await SourceAlreadyExistsAsync(scope, organizationId, workspaceId, currentUserId, sourceUrl, catalogSourceReference, ct))
+        {
+            AddError(request => request.SourceUrl, "This calendar source has already been added.");
+            await SendErrorsAsync(cancellation: ct);
+            return;
+        }
+
+        CalendarSource source = new()
+        {
+            Id = Guid.NewGuid(),
+            Scope = scope,
+            OrganizationId = scope == CalendarSourceScopes.Organization ? organizationId : null,
+            WorkspaceId = scope == CalendarSourceScopes.Workspace ? workspaceId : null,
+            UserId = scope == CalendarSourceScopes.User ? currentUserId : null,
+            SourceUrl = sourceUrl,
+            CatalogSourceReference = catalogSourceReference,
+            DisplayTitle = request.DisplayTitle.Trim(),
+            Color = request.Color.Trim(),
+            Category = request.Category.Trim(),
+            IsEnabled = request.IsEnabled,
+            InheritanceMode = scope == CalendarSourceScopes.Organization
+                ? NormalizeOptional(request.InheritanceMode) ?? CalendarSourceInheritanceModes.Optional
+                : null,
+            UpdatedAt = DateTimeOffset.UtcNow,
+        };
+
+        dbContext.CalendarSources.Add(source);
+        await dbContext.SaveChangesAsync(ct);
+
+        await SendAsync(CalendarSourceDto.FromSource(source, isReadOnly: false), StatusCodes.Status201Created, ct);
+    }
+
+    private async Task<bool> CanCreateAsync(
+        string scope,
+        Guid? organizationId,
+        Guid? workspaceId,
+        Guid currentUserId,
+        CancellationToken ct)
+    {
+        return scope switch
+        {
+            CalendarSourceScopes.Organization when organizationId.HasValue =>
+                await dbContext.Organizations.AnyAsync(organization => organization.Id == organizationId.Value, ct) &&
+                await organizationAccessService.HasOrganizationPermissionAsync(
+                    User,
+                    organizationId.Value,
+                    OrganizationPermissions.ManageConnectors,
+                    ct),
+            CalendarSourceScopes.Workspace when workspaceId.HasValue =>
+                await dbContext.Workspaces.AnyAsync(workspace => workspace.Id == workspaceId.Value, ct) &&
+                await accessScopeService.CanManageWorkspaceAsync(User, workspaceId.Value, ct),
+            CalendarSourceScopes.User => currentUserId != Guid.Empty,
+            _ => false,
+        };
+    }
+
+    private Task<bool> SourceAlreadyExistsAsync(
+        string scope,
+        Guid? organizationId,
+        Guid? workspaceId,
+        Guid currentUserId,
+        string? sourceUrl,
+        string? catalogSourceReference,
+        CancellationToken ct)
+    {
+        IQueryable<CalendarSource> query = dbContext.CalendarSources
+            .Where(source => source.Scope == scope);
+
+        query = scope switch
+        {
+            CalendarSourceScopes.Organization => query.Where(source => source.OrganizationId == organizationId),
+            CalendarSourceScopes.Workspace => query.Where(source => source.WorkspaceId == workspaceId),
+            CalendarSourceScopes.User => query.Where(source => source.UserId == currentUserId),
+            _ => query.Where(_ => false),
+        };
+
+        string? normalizedUrl = sourceUrl?.Trim();
+        string? normalizedCatalogReference = catalogSourceReference?.Trim();
+
+        return query.AnyAsync(source =>
+            (!string.IsNullOrWhiteSpace(normalizedCatalogReference) &&
+             source.CatalogSourceReference == normalizedCatalogReference) ||
+            (!string.IsNullOrWhiteSpace(normalizedUrl) &&
+             source.SourceUrl != null &&
+             source.SourceUrl.ToUpper() == normalizedUrl.ToUpper()),
+            ct);
+    }
+
+    private static string? NormalizeOptional(string? value)
+    {
+        return string.IsNullOrWhiteSpace(value) ? null : value.Trim();
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Handlers/DeleteCalendarSource.cs

@@ -0,0 +1,64 @@
+using FastEndpoints;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.CalendarIntegrations.Data;
+using Socialize.Api.Modules.CalendarIntegrations.Services;
+using Socialize.Api.Modules.Organizations.Services;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Handlers;
+
+public class DeleteCalendarSourceHandler(
+    AppDbContext dbContext,
+    AccessScopeService accessScopeService,
+    OrganizationAccessService organizationAccessService)
+    : EndpointWithoutRequest
+{
+    public override void Configure()
+    {
+        Delete("/api/calendar-integrations/sources/{sourceId:guid}");
+        Options(o => o.WithTags("Calendar Integrations"));
+    }
+
+    public override async Task HandleAsync(CancellationToken ct)
+    {
+        Guid sourceId = Route<Guid>("sourceId");
+        CalendarSource? source = await dbContext.CalendarSources.SingleOrDefaultAsync(candidate => candidate.Id == sourceId, ct);
+        if (source is null)
+        {
+            await SendNotFoundAsync(ct);
+            return;
+        }
+
+        if (!await CanManageExistingSourceAsync(source, User.GetUserId(), ct))
+        {
+            await SendForbiddenAsync(ct);
+            return;
+        }
+
+        dbContext.CalendarSources.Remove(source);
+        await dbContext.SaveChangesAsync(ct);
+
+        await SendNoContentAsync(ct);
+    }
+
+    private async Task<bool> CanManageExistingSourceAsync(
+        CalendarSource source,
+        Guid currentUserId,
+        CancellationToken ct)
+    {
+        return source.Scope switch
+        {
+            CalendarSourceScopes.Organization when source.OrganizationId.HasValue =>
+                await organizationAccessService.HasOrganizationPermissionAsync(
+                    User,
+                    source.OrganizationId.Value,
+                    OrganizationPermissions.ManageConnectors,
+                    ct),
+            CalendarSourceScopes.Workspace when source.WorkspaceId.HasValue =>
+                await accessScopeService.CanManageWorkspaceAsync(User, source.WorkspaceId.Value, ct),
+            CalendarSourceScopes.User => source.UserId == currentUserId,
+            _ => false,
+        };
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Handlers/ListCalendarCatalog.cs

@@ -0,0 +1,115 @@
+using FastEndpoints;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Modules.CalendarIntegrations.Data;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Handlers;
+
+public sealed class ListCalendarCatalogRequest
+{
+    public string? Search { get; set; }
+    public string? Country { get; set; }
+    public string? Region { get; set; }
+    public string? Language { get; set; }
+    public string? Category { get; set; }
+    public string? CultureOrReligion { get; set; }
+    public string? Provider { get; set; }
+}
+
+public record CalendarCatalogEntryDto(
+    Guid Id,
+    string Title,
+    string Description,
+    string? Country,
+    string? Region,
+    string Language,
+    string Category,
+    string? CultureOrReligion,
+    string ProviderName,
+    string SourceUrl,
+    string TrustLevel,
+    string DefaultColor);
+
+public class ListCalendarCatalogHandler(AppDbContext dbContext)
+    : Endpoint<ListCalendarCatalogRequest, IReadOnlyCollection<CalendarCatalogEntryDto>>
+{
+    public override void Configure()
+    {
+        Get("/api/calendar-integrations/catalog");
+        Options(o => o.WithTags("Calendar Integrations"));
+    }
+
+    public override async Task HandleAsync(ListCalendarCatalogRequest request, CancellationToken ct)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        IQueryable<CalendarCatalogEntry> query = dbContext.CalendarCatalogEntries.AsQueryable();
+
+        if (!string.IsNullOrWhiteSpace(request.Search))
+        {
+            string search = request.Search.Trim().ToLowerInvariant();
+            query = query.Where(entry =>
+                entry.Title.ToLower().Contains(search) ||
+                entry.Description.ToLower().Contains(search) ||
+                entry.ProviderName.ToLower().Contains(search));
+        }
+
+        if (!string.IsNullOrWhiteSpace(request.Country))
+        {
+            string country = request.Country.Trim().ToUpperInvariant();
+            query = query.Where(entry => entry.Country == country);
+        }
+
+        if (!string.IsNullOrWhiteSpace(request.Region))
+        {
+            string region = request.Region.Trim();
+            query = query.Where(entry => entry.Region == region);
+        }
+
+        if (!string.IsNullOrWhiteSpace(request.Language))
+        {
+            string language = request.Language.Trim();
+            query = query.Where(entry => entry.Language == language);
+        }
+
+        if (!string.IsNullOrWhiteSpace(request.Category))
+        {
+            string category = request.Category.Trim();
+            query = query.Where(entry => entry.Category == category);
+        }
+
+        if (!string.IsNullOrWhiteSpace(request.CultureOrReligion))
+        {
+            string cultureOrReligion = request.CultureOrReligion.Trim();
+            query = query.Where(entry => entry.CultureOrReligion == cultureOrReligion);
+        }
+
+        if (!string.IsNullOrWhiteSpace(request.Provider))
+        {
+            string provider = request.Provider.Trim();
+            query = query.Where(entry => entry.ProviderName == provider);
+        }
+
+        CalendarCatalogEntryDto[] entries = await query
+            .OrderBy(entry => entry.Country)
+            .ThenBy(entry => entry.Category)
+            .ThenBy(entry => entry.Title)
+            .Take(100)
+            .Select(entry => new CalendarCatalogEntryDto(
+                entry.Id,
+                entry.Title,
+                entry.Description,
+                entry.Country,
+                entry.Region,
+                entry.Language,
+                entry.Category,
+                entry.CultureOrReligion,
+                entry.ProviderName,
+                entry.SourceUrl,
+                entry.TrustLevel,
+                entry.DefaultColor))
+            .ToArrayAsync(ct);
+
+        await SendOkAsync(entries, ct);
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Handlers/ListCalendarEvents.cs

@@ -0,0 +1,133 @@
+using FastEndpoints;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.CalendarIntegrations.Data;
+using Socialize.Api.Modules.CalendarIntegrations.Services;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Handlers;
+
+public sealed class ListCalendarEventsRequest
+{
+    public Guid? WorkspaceId { get; set; }
+    public DateOnly? StartDate { get; set; }
+    public DateOnly? EndDate { get; set; }
+}
+
+public record CalendarEventDto(
+    Guid Id,
+    Guid CalendarSourceId,
+    string SourceEventUid,
+    string Title,
+    string? Description,
+    bool IsAllDay,
+    bool IsFloatingTime,
+    DateOnly StartDate,
+    DateOnly EndDate,
+    DateTime? StartLocalDateTime,
+    DateTime? EndLocalDateTime,
+    DateTimeOffset? StartUtc,
+    DateTimeOffset? EndUtc,
+    string? TimeZoneId,
+    string? RecurrenceId,
+    string? Location,
+    string? SourceUrl,
+    DateTimeOffset? SourceLastModifiedAt,
+    DateTimeOffset ImportedAt);
+
+public class ListCalendarEventsHandler(
+    AppDbContext dbContext,
+    AccessScopeService accessScopeService)
+    : Endpoint<ListCalendarEventsRequest, IReadOnlyCollection<CalendarEventDto>>
+{
+    public override void Configure()
+    {
+        Get("/api/calendar-integrations/events");
+        Options(o => o.WithTags("Calendar Integrations"));
+    }
+
+    public override async Task HandleAsync(ListCalendarEventsRequest request, CancellationToken ct)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        Guid currentUserId = User.GetUserId();
+        DateOnly startDate = request.StartDate ?? DateOnly.FromDateTime(DateTime.UtcNow.Date.AddMonths(-1));
+        DateOnly endDate = request.EndDate ?? DateOnly.FromDateTime(DateTime.UtcNow.Date.AddMonths(3));
+
+        if (request.WorkspaceId.HasValue &&
+            !await accessScopeService.CanAccessWorkspaceAsync(User, request.WorkspaceId.Value, ct))
+        {
+            await SendForbiddenAsync(ct);
+            return;
+        }
+
+        IQueryable<CalendarSource> visibleSources = dbContext.CalendarSources
+            .Where(source => source.IsEnabled);
+
+        if (request.WorkspaceId.HasValue)
+        {
+            Guid? organizationId = await dbContext.Workspaces
+                .Where(workspace => workspace.Id == request.WorkspaceId.Value)
+                .Select(workspace => (Guid?)workspace.OrganizationId)
+                .SingleOrDefaultAsync(ct);
+
+            if (!organizationId.HasValue)
+            {
+                await SendNotFoundAsync(ct);
+                return;
+            }
+
+            visibleSources = visibleSources.Where(source =>
+                source.Scope == CalendarSourceScopes.Organization && source.OrganizationId == organizationId ||
+                source.Scope == CalendarSourceScopes.Workspace && source.WorkspaceId == request.WorkspaceId ||
+                source.Scope == CalendarSourceScopes.User && source.UserId == currentUserId);
+        }
+        else
+        {
+            IReadOnlyCollection<Guid> workspaceIds = await accessScopeService.GetAccessibleWorkspaceIdsAsync(User, ct);
+            Guid[] organizationIds = await dbContext.Workspaces
+                .Where(workspace => workspaceIds.Contains(workspace.Id))
+                .Select(workspace => workspace.OrganizationId)
+                .Distinct()
+                .ToArrayAsync(ct);
+
+            visibleSources = visibleSources.Where(source =>
+                source.Scope == CalendarSourceScopes.Organization && source.OrganizationId.HasValue && organizationIds.Contains(source.OrganizationId.Value) ||
+                source.Scope == CalendarSourceScopes.Workspace && source.WorkspaceId.HasValue && workspaceIds.Contains(source.WorkspaceId.Value) ||
+                source.Scope == CalendarSourceScopes.User && source.UserId == currentUserId);
+        }
+
+        Guid[] sourceIds = await visibleSources
+            .Select(source => source.Id)
+            .ToArrayAsync(ct);
+
+        CalendarEventDto[] events = await dbContext.CalendarEvents
+            .Where(calendarEvent => sourceIds.Contains(calendarEvent.CalendarSourceId))
+            .Where(calendarEvent => calendarEvent.StartDate <= endDate && calendarEvent.EndDate >= startDate)
+            .OrderBy(calendarEvent => calendarEvent.StartDate)
+            .ThenBy(calendarEvent => calendarEvent.Title)
+            .Select(calendarEvent => new CalendarEventDto(
+                calendarEvent.Id,
+                calendarEvent.CalendarSourceId,
+                calendarEvent.SourceEventUid,
+                calendarEvent.Title,
+                calendarEvent.Description,
+                calendarEvent.IsAllDay,
+                calendarEvent.IsFloatingTime,
+                calendarEvent.StartDate,
+                calendarEvent.EndDate,
+                calendarEvent.StartLocalDateTime,
+                calendarEvent.EndLocalDateTime,
+                calendarEvent.StartUtc,
+                calendarEvent.EndUtc,
+                calendarEvent.TimeZoneId,
+                calendarEvent.RecurrenceId,
+                calendarEvent.Location,
+                calendarEvent.SourceUrl,
+                calendarEvent.SourceLastModifiedAt,
+                calendarEvent.ImportedAt))
+            .ToArrayAsync(ct);
+
+        await SendOkAsync(events, ct);
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Handlers/ListCalendarSources.cs

@@ -0,0 +1,77 @@
+using FastEndpoints;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.CalendarIntegrations.Data;
+using Socialize.Api.Modules.CalendarIntegrations.Services;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Handlers;
+
+public record ListCalendarSourcesRequest(Guid? WorkspaceId);
+
+public class ListCalendarSourcesHandler(
+    AppDbContext dbContext,
+    AccessScopeService accessScopeService)
+    : Endpoint<ListCalendarSourcesRequest, IReadOnlyCollection<CalendarSourceDto>>
+{
+    public override void Configure()
+    {
+        Get("/api/calendar-integrations/sources");
+        Options(o => o.WithTags("Calendar Integrations"));
+    }
+
+    public override async Task HandleAsync(ListCalendarSourcesRequest request, CancellationToken ct)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        Guid currentUserId = User.GetUserId();
+        List<CalendarSource> sources;
+
+        if (request.WorkspaceId.HasValue)
+        {
+            var workspace = await dbContext.Workspaces
+                .Where(candidate => candidate.Id == request.WorkspaceId.Value)
+                .Select(candidate => new { candidate.Id, candidate.OrganizationId })
+                .SingleOrDefaultAsync(ct);
+
+            if (workspace is null)
+            {
+                await SendNotFoundAsync(ct);
+                return;
+            }
+
+            if (!await accessScopeService.CanAccessWorkspaceAsync(User, workspace.Id, ct))
+            {
+                await SendForbiddenAsync(ct);
+                return;
+            }
+
+            sources = await dbContext.CalendarSources
+                .Where(source =>
+                    source.Scope == CalendarSourceScopes.Organization && source.OrganizationId == workspace.OrganizationId ||
+                    source.Scope == CalendarSourceScopes.Workspace && source.WorkspaceId == workspace.Id ||
+                    source.Scope == CalendarSourceScopes.User && source.UserId == currentUserId)
+                .OrderBy(source => source.Scope)
+                .ThenBy(source => source.DisplayTitle)
+                .ToListAsync(ct);
+
+            await SendOkAsync(
+                sources
+                    .Select(source => CalendarSourceDto.FromSource(
+                        source,
+                        CalendarSourceRules.IsInheritedOrganizationSource(source, workspace.OrganizationId)))
+                    .ToArray(),
+                ct);
+            return;
+        }
+
+        sources = await dbContext.CalendarSources
+            .Where(source => source.Scope == CalendarSourceScopes.User && source.UserId == currentUserId)
+            .OrderBy(source => source.DisplayTitle)
+            .ToListAsync(ct);
+
+        await SendOkAsync(
+            sources.Select(source => CalendarSourceDto.FromSource(source, isReadOnly: false)).ToArray(),
+            ct);
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Handlers/RefreshCalendarSource.cs

@@ -0,0 +1,65 @@
+using FastEndpoints;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.CalendarIntegrations.Data;
+using Socialize.Api.Modules.CalendarIntegrations.Services;
+using Socialize.Api.Modules.Organizations.Services;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Handlers;
+
+public class RefreshCalendarSourceHandler(
+    AppDbContext dbContext,
+    AccessScopeService accessScopeService,
+    OrganizationAccessService organizationAccessService,
+    CalendarImportSyncService syncService)
+    : EndpointWithoutRequest<CalendarSourceDto>
+{
+    public override void Configure()
+    {
+        Post("/api/calendar-integrations/sources/{sourceId:guid}/refresh");
+        Options(o => o.WithTags("Calendar Integrations"));
+    }
+
+    public override async Task HandleAsync(CancellationToken ct)
+    {
+        Guid sourceId = Route<Guid>("sourceId");
+        CalendarSource? source = await dbContext.CalendarSources.SingleOrDefaultAsync(candidate => candidate.Id == sourceId, ct);
+        if (source is null)
+        {
+            await SendNotFoundAsync(ct);
+            return;
+        }
+
+        if (!await CanManageExistingSourceAsync(source, User.GetUserId(), ct))
+        {
+            await SendForbiddenAsync(ct);
+            return;
+        }
+
+        await syncService.RefreshSourceAsync(source.Id, ct);
+        await dbContext.Entry(source).ReloadAsync(ct);
+
+        await SendOkAsync(CalendarSourceDto.FromSource(source, isReadOnly: false), ct);
+    }
+
+    private async Task<bool> CanManageExistingSourceAsync(
+        CalendarSource source,
+        Guid currentUserId,
+        CancellationToken ct)
+    {
+        return source.Scope switch
+        {
+            CalendarSourceScopes.Organization when source.OrganizationId.HasValue =>
+                await organizationAccessService.HasOrganizationPermissionAsync(
+                    User,
+                    source.OrganizationId.Value,
+                    OrganizationPermissions.ManageConnectors,
+                    ct),
+            CalendarSourceScopes.Workspace when source.WorkspaceId.HasValue =>
+                await accessScopeService.CanManageWorkspaceAsync(User, source.WorkspaceId.Value, ct),
+            CalendarSourceScopes.User => source.UserId == currentUserId,
+            _ => false,
+        };
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Handlers/UpdateCalendarSource.cs

@@ -0,0 +1,91 @@
+using FastEndpoints;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.CalendarIntegrations.Data;
+using Socialize.Api.Modules.CalendarIntegrations.Services;
+using Socialize.Api.Modules.Organizations.Services;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Handlers;
+
+public class UpdateCalendarSourceHandler(
+    AppDbContext dbContext,
+    AccessScopeService accessScopeService,
+    OrganizationAccessService organizationAccessService)
+    : Endpoint<UpsertCalendarSourceRequest, CalendarSourceDto>
+{
+    public override void Configure()
+    {
+        Put("/api/calendar-integrations/sources/{sourceId:guid}");
+        Options(o => o.WithTags("Calendar Integrations"));
+    }
+
+    public override async Task HandleAsync(UpsertCalendarSourceRequest request, CancellationToken ct)
+    {
+        ArgumentNullException.ThrowIfNull(request);
+
+        Guid sourceId = Route<Guid>("sourceId");
+        CalendarSource? source = await dbContext.CalendarSources.SingleOrDefaultAsync(candidate => candidate.Id == sourceId, ct);
+        if (source is null)
+        {
+            await SendNotFoundAsync(ct);
+            return;
+        }
+
+        Guid currentUserId = User.GetUserId();
+        if (!await CanManageExistingSourceAsync(source, currentUserId, ct))
+        {
+            await SendForbiddenAsync(ct);
+            return;
+        }
+
+        if (source.Scope != request.Scope.Trim() ||
+            source.OrganizationId != (request.Scope == CalendarSourceScopes.Organization ? request.OrganizationId : null) ||
+            source.WorkspaceId != (request.Scope == CalendarSourceScopes.Workspace ? request.WorkspaceId : null))
+        {
+            AddError("Calendar source scope cannot be changed.");
+            await SendErrorsAsync(StatusCodes.Status409Conflict, ct);
+            return;
+        }
+
+        source.SourceUrl = NormalizeOptional(request.SourceUrl);
+        source.CatalogSourceReference = NormalizeOptional(request.CatalogSourceReference);
+        source.DisplayTitle = request.DisplayTitle.Trim();
+        source.Color = request.Color.Trim();
+        source.Category = request.Category.Trim();
+        source.IsEnabled = request.IsEnabled;
+        source.InheritanceMode = source.Scope == CalendarSourceScopes.Organization
+            ? NormalizeOptional(request.InheritanceMode) ?? CalendarSourceInheritanceModes.Optional
+            : null;
+        source.UpdatedAt = DateTimeOffset.UtcNow;
+
+        await dbContext.SaveChangesAsync(ct);
+
+        await SendOkAsync(CalendarSourceDto.FromSource(source, isReadOnly: false), ct);
+    }
+
+    private async Task<bool> CanManageExistingSourceAsync(
+        CalendarSource source,
+        Guid currentUserId,
+        CancellationToken ct)
+    {
+        return source.Scope switch
+        {
+            CalendarSourceScopes.Organization when source.OrganizationId.HasValue =>
+                await organizationAccessService.HasOrganizationPermissionAsync(
+                    User,
+                    source.OrganizationId.Value,
+                    OrganizationPermissions.ManageConnectors,
+                    ct),
+            CalendarSourceScopes.Workspace when source.WorkspaceId.HasValue =>
+                await accessScopeService.CanManageWorkspaceAsync(User, source.WorkspaceId.Value, ct),
+            CalendarSourceScopes.User => source.UserId == currentUserId,
+            _ => false,
+        };
+    }
+
+    private static string? NormalizeOptional(string? value)
+    {
+        return string.IsNullOrWhiteSpace(value) ? null : value.Trim();
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Handlers/UserCalendarExportFeed.cs

@@ -0,0 +1,224 @@
+using FastEndpoints;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.CalendarIntegrations.Data;
+using Socialize.Api.Modules.CalendarIntegrations.Services;
+using Socialize.Api.Modules.Identity.Data;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Handlers;
+
+public record UserCalendarExportFeedDto(
+    bool IsEnabled,
+    string? FeedUrl,
+    DateTimeOffset? CreatedAt,
+    DateTimeOffset? UpdatedAt,
+    DateTimeOffset? RevokedAt);
+
+public class GetUserCalendarExportFeedHandler(AppDbContext dbContext)
+    : EndpointWithoutRequest<UserCalendarExportFeedDto>
+{
+    public override void Configure()
+    {
+        Get("/api/calendar-integrations/export-feed");
+        Options(o => o.WithTags("Calendar Integrations"));
+    }
+
+    public override async Task HandleAsync(CancellationToken ct)
+    {
+        UserCalendarExportFeed? feed = await dbContext.UserCalendarExportFeeds
+            .SingleOrDefaultAsync(candidate => candidate.UserId == User.GetUserId(), ct);
+
+        await SendAsync(UserCalendarExportFeedMapper.ToDto(feed, UserCalendarExportFeedMapper.BuildFeedUrl(feed)), cancellation: ct);
+    }
+}
+
+public class EnableUserCalendarExportFeedHandler(AppDbContext dbContext)
+    : EndpointWithoutRequest<UserCalendarExportFeedDto>
+{
+    public override void Configure()
+    {
+        Post("/api/calendar-integrations/export-feed/enable");
+        Options(o => o.WithTags("Calendar Integrations"));
+    }
+
+    public override async Task HandleAsync(CancellationToken ct)
+    {
+        Guid userId = User.GetUserId();
+        string token = CalendarExportFeedTokenService.GenerateToken();
+        string tokenHash = CalendarExportFeedTokenService.HashToken(token);
+        DateTimeOffset now = DateTimeOffset.UtcNow;
+
+        UserCalendarExportFeed? feed = await dbContext.UserCalendarExportFeeds
+            .SingleOrDefaultAsync(candidate => candidate.UserId == userId, ct);
+
+        if (feed is null)
+        {
+            feed = new UserCalendarExportFeed
+            {
+                Id = Guid.NewGuid(),
+                UserId = userId,
+                Token = token,
+                TokenHash = tokenHash,
+                UpdatedAt = now,
+            };
+            dbContext.UserCalendarExportFeeds.Add(feed);
+        }
+        else if (feed.TokenHash is null || feed.RevokedAt.HasValue)
+        {
+            feed.Token = token;
+            feed.TokenHash = tokenHash;
+            feed.RevokedAt = null;
+            feed.UpdatedAt = now;
+        }
+        else
+        {
+            token = string.Empty;
+        }
+
+        await dbContext.SaveChangesAsync(ct);
+        await SendAsync(UserCalendarExportFeedMapper.ToDto(feed, UserCalendarExportFeedMapper.BuildFeedUrl(feed, token)), cancellation: ct);
+    }
+}
+
+public class RegenerateUserCalendarExportFeedHandler(AppDbContext dbContext)
+    : EndpointWithoutRequest<UserCalendarExportFeedDto>
+{
+    public override void Configure()
+    {
+        Post("/api/calendar-integrations/export-feed/regenerate");
+        Options(o => o.WithTags("Calendar Integrations"));
+    }
+
+    public override async Task HandleAsync(CancellationToken ct)
+    {
+        Guid userId = User.GetUserId();
+        string token = CalendarExportFeedTokenService.GenerateToken();
+        DateTimeOffset now = DateTimeOffset.UtcNow;
+
+        UserCalendarExportFeed? feed = await dbContext.UserCalendarExportFeeds
+            .SingleOrDefaultAsync(candidate => candidate.UserId == userId, ct);
+
+        if (feed is null)
+        {
+            feed = new UserCalendarExportFeed
+            {
+                Id = Guid.NewGuid(),
+                UserId = userId,
+                UpdatedAt = now,
+            };
+            dbContext.UserCalendarExportFeeds.Add(feed);
+        }
+
+        feed.TokenHash = CalendarExportFeedTokenService.HashToken(token);
+        feed.Token = token;
+        feed.RevokedAt = null;
+        feed.UpdatedAt = now;
+
+        await dbContext.SaveChangesAsync(ct);
+        await SendAsync(UserCalendarExportFeedMapper.ToDto(feed, UserCalendarExportFeedMapper.BuildFeedUrl(feed, token)), cancellation: ct);
+    }
+}
+
+public class RevokeUserCalendarExportFeedHandler(AppDbContext dbContext)
+    : EndpointWithoutRequest<UserCalendarExportFeedDto>
+{
+    public override void Configure()
+    {
+        Delete("/api/calendar-integrations/export-feed");
+        Options(o => o.WithTags("Calendar Integrations"));
+    }
+
+    public override async Task HandleAsync(CancellationToken ct)
+    {
+        UserCalendarExportFeed? feed = await dbContext.UserCalendarExportFeeds
+            .SingleOrDefaultAsync(candidate => candidate.UserId == User.GetUserId(), ct);
+
+        if (feed is not null)
+        {
+            feed.TokenHash = null;
+            feed.Token = null;
+            feed.RevokedAt = DateTimeOffset.UtcNow;
+            feed.UpdatedAt = feed.RevokedAt.Value;
+            await dbContext.SaveChangesAsync(ct);
+        }
+
+        await SendAsync(UserCalendarExportFeedMapper.ToDto(feed, null), cancellation: ct);
+    }
+}
+
+public class GetUserCalendarExportFeedIcsHandler(
+    AppDbContext dbContext,
+    CalendarExportFeedService feedService)
+    : EndpointWithoutRequest
+{
+    public override void Configure()
+    {
+        AllowAnonymous();
+        Get("/api/calendar-integrations/export-feed/{token}.ics");
+        Options(o => o.WithTags("Calendar Integrations"));
+    }
+
+    public override async Task HandleAsync(CancellationToken ct)
+    {
+        string? token = Route<string?>("token");
+        if (string.IsNullOrWhiteSpace(token))
+        {
+            await SendNotFoundAsync(ct);
+            return;
+        }
+
+        string tokenHash = CalendarExportFeedTokenService.HashToken(token);
+
+        UserCalendarExportFeed? feed = await dbContext.UserCalendarExportFeeds
+            .SingleOrDefaultAsync(candidate =>
+                candidate.TokenHash == tokenHash &&
+                !candidate.RevokedAt.HasValue,
+                ct);
+
+        if (feed is null)
+        {
+            await SendNotFoundAsync(ct);
+            return;
+        }
+
+        User? user = await dbContext.Users.SingleOrDefaultAsync(candidate => candidate.Id == feed.UserId, ct);
+        if (user is null)
+        {
+            await SendNotFoundAsync(ct);
+            return;
+        }
+
+        string appBaseUrl = $"{HttpContext.Request.Scheme}://{HttpContext.Request.Host}";
+        string ics = await feedService.BuildUserFeedAsync(feed.UserId, user.Email, appBaseUrl, ct);
+
+        HttpContext.Response.ContentType = "text/calendar; charset=utf-8";
+        await HttpContext.Response.WriteAsync(ics, ct);
+    }
+}
+
+file static class UserCalendarExportFeedMapper
+{
+    public static UserCalendarExportFeedDto ToDto(UserCalendarExportFeed? feed, string? feedUrl)
+    {
+        return new UserCalendarExportFeedDto(
+            feed?.TokenHash is not null && !feed.RevokedAt.HasValue,
+            feedUrl,
+            feed?.CreatedAt,
+            feed?.UpdatedAt,
+            feed?.RevokedAt);
+    }
+
+    public static string? BuildFeedUrl(UserCalendarExportFeed? feed, string? token = null)
+    {
+        if (feed?.TokenHash is null || feed.RevokedAt.HasValue)
+        {
+            return null;
+        }
+
+        string effectiveToken = string.IsNullOrWhiteSpace(token) ? feed.Token ?? string.Empty : token;
+        return string.IsNullOrWhiteSpace(effectiveToken)
+            ? null
+            : $"/api/calendar-integrations/export-feed/{effectiveToken}.ics";
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Services/CalendarExportFeedBuilder.cs

@@ -0,0 +1,80 @@
+using System.Text;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Services;
+
+public sealed record CalendarExportFeedEvent(
+    string Uid,
+    string Title,
+    DateTimeOffset StartsAt,
+    DateTimeOffset EndsAt,
+    bool IsAllDay,
+    string? Description,
+    string? Url);
+
+public class CalendarExportFeedBuilder
+{
+    public string Build(string calendarName, IReadOnlyCollection<CalendarExportFeedEvent> events)
+    {
+        StringBuilder builder = new();
+        builder.AppendLine("BEGIN:VCALENDAR");
+        builder.AppendLine("VERSION:2.0");
+        builder.AppendLine("PRODID:-//Socialize//User Work Calendar//EN");
+        builder.AppendLine("CALSCALE:GREGORIAN");
+        builder.AppendLine("METHOD:PUBLISH");
+        builder.AppendLine($"X-WR-CALNAME:{EscapeText(calendarName)}");
+
+        foreach (CalendarExportFeedEvent feedEvent in events.OrderBy(calendarEvent => calendarEvent.StartsAt))
+        {
+            builder.AppendLine("BEGIN:VEVENT");
+            builder.AppendLine($"UID:{EscapeText(feedEvent.Uid)}");
+            builder.AppendLine($"DTSTAMP:{FormatUtc(DateTimeOffset.UtcNow)}");
+            builder.AppendLine($"SUMMARY:{EscapeText(feedEvent.Title)}");
+
+            if (feedEvent.IsAllDay)
+            {
+                builder.AppendLine($"DTSTART;VALUE=DATE:{FormatDate(feedEvent.StartsAt)}");
+                builder.AppendLine($"DTEND;VALUE=DATE:{FormatDate(feedEvent.EndsAt)}");
+            }
+            else
+            {
+                builder.AppendLine($"DTSTART:{FormatUtc(feedEvent.StartsAt)}");
+                builder.AppendLine($"DTEND:{FormatUtc(feedEvent.EndsAt)}");
+            }
+
+            if (!string.IsNullOrWhiteSpace(feedEvent.Description))
+            {
+                builder.AppendLine($"DESCRIPTION:{EscapeText(feedEvent.Description)}");
+            }
+
+            if (!string.IsNullOrWhiteSpace(feedEvent.Url))
+            {
+                builder.AppendLine($"URL:{EscapeText(feedEvent.Url)}");
+            }
+
+            builder.AppendLine("END:VEVENT");
+        }
+
+        builder.AppendLine("END:VCALENDAR");
+        return builder.ToString();
+    }
+
+    private static string FormatDate(DateTimeOffset value)
+    {
+        return value.ToString("yyyyMMdd", System.Globalization.CultureInfo.InvariantCulture);
+    }
+
+    private static string FormatUtc(DateTimeOffset value)
+    {
+        return value.UtcDateTime.ToString("yyyyMMdd'T'HHmmss'Z'", System.Globalization.CultureInfo.InvariantCulture);
+    }
+
+    private static string EscapeText(string value)
+    {
+        return value
+            .Replace("\\", "\\\\")
+            .Replace("\r\n", "\\n")
+            .Replace("\n", "\\n")
+            .Replace(";", "\\;")
+            .Replace(",", "\\,");
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Services/CalendarExportFeedService.cs

@@ -0,0 +1,173 @@
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Services;
+
+public class CalendarExportFeedService(AppDbContext dbContext, CalendarExportFeedBuilder feedBuilder)
+{
+    public async Task<string> BuildUserFeedAsync(Guid userId, string? userEmail, string appBaseUrl, CancellationToken ct)
+    {
+        string normalizedEmail = userEmail?.Trim().ToUpperInvariant() ?? string.Empty;
+        Guid[] workspaceIds = await dbContext.Workspaces
+            .Where(workspace =>
+                workspace.OwnerUserId == userId ||
+                dbContext.OrganizationMemberships.Any(membership =>
+                    membership.OrganizationId == workspace.OrganizationId &&
+                    membership.UserId == userId))
+            .Select(workspace => workspace.Id)
+            .ToArrayAsync(ct);
+
+        List<CalendarExportFeedEvent> events = [];
+
+        events.AddRange(await dbContext.ContentItems
+            .Where(item => workspaceIds.Contains(item.WorkspaceId) && item.DueDate.HasValue)
+            .Join(
+                dbContext.Workspaces,
+                item => item.WorkspaceId,
+                workspace => workspace.Id,
+                (item, workspace) => new { item, workspace })
+            .Join(
+                dbContext.Clients,
+                itemWorkspace => itemWorkspace.item.ClientId,
+                client => client.Id,
+                (itemWorkspace, client) => new { itemWorkspace.item, itemWorkspace.workspace, client })
+            .Join(
+                dbContext.Campaigns,
+                itemWorkspaceClient => itemWorkspaceClient.item.CampaignId,
+                campaign => campaign.Id,
+                (itemWorkspaceClient, campaign) => new { itemWorkspaceClient.item, itemWorkspaceClient.workspace, itemWorkspaceClient.client, campaign })
+            .Select(candidate => ToContentFeedEvent(
+                candidate.item.Id,
+                candidate.item.Title,
+                candidate.item.Status,
+                candidate.item.DueDate!.Value,
+                candidate.workspace.Name,
+                candidate.client.Name,
+                candidate.campaign.Name,
+                appBaseUrl))
+            .ToListAsync(ct));
+
+        events.AddRange(await dbContext.ApprovalRequests
+            .Where(approval =>
+                approval.DueAt.HasValue &&
+                (approval.RequestedByUserId == userId ||
+                 (!string.IsNullOrEmpty(normalizedEmail) && approval.ReviewerEmail.ToUpper() == normalizedEmail)))
+            .Join(
+                dbContext.ContentItems,
+                approval => approval.ContentItemId,
+                item => item.Id,
+                (approval, item) => new { approval, item })
+            .Where(candidate => workspaceIds.Contains(candidate.approval.WorkspaceId))
+            .Join(
+                dbContext.Workspaces,
+                approvalItem => approvalItem.approval.WorkspaceId,
+                workspace => workspace.Id,
+                (approvalItem, workspace) => new { approvalItem.approval, approvalItem.item, workspace })
+            .Select(candidate => ToApprovalFeedEvent(
+                candidate.approval.Id,
+                candidate.item.Id,
+                candidate.item.Title,
+                candidate.approval.Stage,
+                candidate.approval.State,
+                candidate.approval.DueAt!.Value,
+                candidate.workspace.Name,
+                appBaseUrl))
+            .ToListAsync(ct));
+
+        events.AddRange(await dbContext.Campaigns
+            .Where(campaign => workspaceIds.Contains(campaign.WorkspaceId))
+            .Join(
+                dbContext.Workspaces,
+                campaign => campaign.WorkspaceId,
+                workspace => workspace.Id,
+                (campaign, workspace) => new { campaign, workspace })
+            .Select(candidate => ToCampaignFeedEvent(
+                candidate.campaign.Id,
+                candidate.campaign.Name,
+                candidate.campaign.Status,
+                candidate.campaign.StartDate,
+                candidate.campaign.EndDate,
+                candidate.workspace.Name,
+                appBaseUrl))
+            .ToListAsync(ct));
+
+        return feedBuilder.Build("Socialize my work", events);
+    }
+
+    private static CalendarExportFeedEvent ToContentFeedEvent(
+        Guid contentItemId,
+        string title,
+        string status,
+        DateTimeOffset dueDate,
+        string workspaceName,
+        string clientName,
+        string campaignName,
+        string appBaseUrl)
+    {
+        (DateTimeOffset start, DateTimeOffset end, bool isAllDay) = NormalizeEventTime(dueDate);
+
+        return new CalendarExportFeedEvent(
+            $"content-{contentItemId}@socialize",
+            title,
+            start,
+            end,
+            isAllDay,
+            $"Status: {status}\nWorkspace: {workspaceName}\nClient: {clientName}\nCampaign: {campaignName}",
+            $"{appBaseUrl.TrimEnd('/')}/app/content/{contentItemId}");
+    }
+
+    private static CalendarExportFeedEvent ToApprovalFeedEvent(
+        Guid approvalId,
+        Guid contentItemId,
+        string contentTitle,
+        string stage,
+        string state,
+        DateTimeOffset dueAt,
+        string workspaceName,
+        string appBaseUrl)
+    {
+        (DateTimeOffset start, DateTimeOffset end, bool isAllDay) = NormalizeEventTime(dueAt);
+
+        return new CalendarExportFeedEvent(
+            $"approval-{approvalId}@socialize",
+            $"Approval due: {contentTitle}",
+            start,
+            end,
+            isAllDay,
+            $"Stage: {stage}\nState: {state}\nWorkspace: {workspaceName}",
+            $"{appBaseUrl.TrimEnd('/')}/app/content/{contentItemId}");
+    }
+
+    private static CalendarExportFeedEvent ToCampaignFeedEvent(
+        Guid campaignId,
+        string name,
+        string status,
+        DateTimeOffset startDate,
+        DateTimeOffset endDate,
+        string workspaceName,
+        string appBaseUrl)
+    {
+        DateTimeOffset start = new(startDate.Date, startDate.Offset);
+        DateTimeOffset end = new(endDate.Date.AddDays(1), endDate.Offset);
+
+        return new CalendarExportFeedEvent(
+            $"campaign-{campaignId}@socialize",
+            $"Campaign: {name}",
+            start,
+            end <= start ? start.AddDays(1) : end,
+            true,
+            $"Status: {status}\nWorkspace: {workspaceName}",
+            $"{appBaseUrl.TrimEnd('/')}/app/campaigns/{campaignId}");
+    }
+
+    private static (DateTimeOffset Start, DateTimeOffset End, bool IsAllDay) NormalizeEventTime(DateTimeOffset value)
+    {
+        if (value.TimeOfDay == TimeSpan.Zero)
+        {
+            DateTimeOffset start = new(value.Date, value.Offset);
+            return (start, start.AddDays(1), true);
+        }
+
+        return (value, value.AddMinutes(30), false);
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Services/CalendarExportFeedTokenService.cs

@@ -0,0 +1,27 @@
+using System.Security.Cryptography;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Services;
+
+public static class CalendarExportFeedTokenService
+{
+    public static string GenerateToken()
+    {
+        Span<byte> bytes = stackalloc byte[32];
+        RandomNumberGenerator.Fill(bytes);
+        return Base64UrlEncode(bytes);
+    }
+
+    public static string HashToken(string token)
+    {
+        byte[] bytes = SHA256.HashData(System.Text.Encoding.UTF8.GetBytes(token));
+        return Convert.ToHexString(bytes);
+    }
+
+    private static string Base64UrlEncode(ReadOnlySpan<byte> bytes)
+    {
+        return Convert.ToBase64String(bytes)
+            .TrimEnd('=')
+            .Replace('+', '-')
+            .Replace('/', '_');
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Services/CalendarImportBackgroundService.cs

@@ -0,0 +1,34 @@
+namespace Socialize.Api.Modules.CalendarIntegrations.Services;
+
+public sealed class CalendarImportBackgroundService(
+    IServiceScopeFactory scopeFactory,
+    ILogger<CalendarImportBackgroundService> logger)
+    : BackgroundService
+{
+    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    {
+        using PeriodicTimer timer = new(TimeSpan.FromHours(6));
+        while (!stoppingToken.IsCancellationRequested)
+        {
+            await RefreshDueSourcesAsync(stoppingToken);
+            await timer.WaitForNextTickAsync(stoppingToken);
+        }
+    }
+
+    private async Task RefreshDueSourcesAsync(CancellationToken stoppingToken)
+    {
+        try
+        {
+            using IServiceScope scope = scopeFactory.CreateScope();
+            CalendarImportSyncService syncService = scope.ServiceProvider.GetRequiredService<CalendarImportSyncService>();
+            await syncService.RefreshDueSourcesAsync(stoppingToken);
+        }
+        catch (OperationCanceledException) when (stoppingToken.IsCancellationRequested)
+        {
+        }
+        catch (Exception ex)
+        {
+            logger.LogError(ex, "Calendar import background sync failed.");
+        }
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Services/CalendarImportSyncService.cs

@@ -0,0 +1,313 @@
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Modules.CalendarIntegrations.Data;
+using System.Text.Json;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Services;
+
+public sealed class CalendarImportSyncService(
+    AppDbContext dbContext,
+    IHttpClientFactory httpClientFactory,
+    IcsCalendarParser parser)
+{
+    public async Task RefreshSourceAsync(Guid sourceId, CancellationToken ct)
+    {
+        CalendarSource? source = await dbContext.CalendarSources
+            .SingleOrDefaultAsync(candidate => candidate.Id == sourceId, ct);
+        if (source is null)
+        {
+            throw new InvalidOperationException("Calendar source was not found.");
+        }
+
+        source.LastAttemptedSyncAt = DateTimeOffset.UtcNow;
+
+        if (string.IsNullOrWhiteSpace(source.SourceUrl))
+        {
+            source.LastSyncError = "Calendar source does not have a source URL.";
+            await dbContext.SaveChangesAsync(ct);
+            return;
+        }
+
+        try
+        {
+            using HttpClient httpClient = httpClientFactory.CreateClient();
+            DateOnly rangeStart = DateOnly.FromDateTime(DateTime.UtcNow.AddYears(-1));
+            DateOnly rangeEnd = DateOnly.FromDateTime(DateTime.UtcNow.AddYears(2));
+            IReadOnlyCollection<ParsedCalendarEvent> parsedEvents = await GetParsedEventsAsync(
+                httpClient,
+                source.SourceUrl,
+                rangeStart,
+                rangeEnd,
+                ct);
+
+            await ReplaceEventsAsync(source.Id, parsedEvents, ct);
+
+            source.LastSuccessfulSyncAt = DateTimeOffset.UtcNow;
+            source.LastSyncError = null;
+            source.LastAttemptedSyncAt = source.LastSuccessfulSyncAt;
+            await dbContext.SaveChangesAsync(ct);
+        }
+        catch (HttpRequestException ex)
+        {
+            await RecordSyncFailureAsync(source, ex.Message, ct);
+        }
+        catch (FormatException ex)
+        {
+            await RecordSyncFailureAsync(source, ex.Message, ct);
+        }
+        catch (InvalidOperationException ex)
+        {
+            await RecordSyncFailureAsync(source, ex.Message, ct);
+        }
+    }
+
+    public async Task RefreshDueSourcesAsync(CancellationToken ct)
+    {
+        DateTimeOffset staleBefore = DateTimeOffset.UtcNow.AddHours(-12);
+        Guid[] sourceIds = await dbContext.CalendarSources
+            .Where(source => source.IsEnabled && source.SourceUrl != null)
+            .Where(source => source.LastAttemptedSyncAt == null || source.LastAttemptedSyncAt < staleBefore)
+            .OrderBy(source => source.LastAttemptedSyncAt)
+            .Select(source => source.Id)
+            .Take(25)
+            .ToArrayAsync(ct);
+
+        foreach (Guid sourceId in sourceIds)
+        {
+            await RefreshSourceAsync(sourceId, ct);
+        }
+    }
+
+    private async Task ReplaceEventsAsync(
+        Guid sourceId,
+        IReadOnlyCollection<ParsedCalendarEvent> parsedEvents,
+        CancellationToken ct)
+    {
+        await dbContext.CalendarEvents
+            .Where(calendarEvent => calendarEvent.CalendarSourceId == sourceId)
+            .ExecuteDeleteAsync(ct);
+
+        DateTimeOffset importedAt = DateTimeOffset.UtcNow;
+        foreach (ParsedCalendarEvent parsedEvent in parsedEvents)
+        {
+            dbContext.CalendarEvents.Add(new CalendarEvent
+            {
+                Id = Guid.NewGuid(),
+                CalendarSourceId = sourceId,
+                SourceEventUid = parsedEvent.SourceEventUid,
+                Title = parsedEvent.Title,
+                Description = parsedEvent.Description,
+                IsAllDay = parsedEvent.IsAllDay,
+                IsFloatingTime = parsedEvent.IsFloatingTime,
+                StartDate = parsedEvent.StartDate,
+                EndDate = parsedEvent.EndDate,
+                StartLocalDateTime = parsedEvent.StartLocalDateTime,
+                EndLocalDateTime = parsedEvent.EndLocalDateTime,
+                StartUtc = parsedEvent.StartUtc,
+                EndUtc = parsedEvent.EndUtc,
+                TimeZoneId = parsedEvent.TimeZoneId,
+                RecurrenceId = parsedEvent.RecurrenceId,
+                Location = parsedEvent.Location,
+                SourceUrl = parsedEvent.SourceUrl,
+                SourceLastModifiedAt = parsedEvent.SourceLastModifiedAt,
+                ImportedAt = importedAt,
+            });
+        }
+    }
+
+    private async Task<IReadOnlyCollection<ParsedCalendarEvent>> GetParsedEventsAsync(
+        HttpClient httpClient,
+        string sourceUrl,
+        DateOnly rangeStart,
+        DateOnly rangeEnd,
+        CancellationToken ct)
+    {
+        if (TryGetNagerCountryCode(sourceUrl, out string? countryCode))
+        {
+            return await GetNagerEventsAsync(httpClient, sourceUrl, countryCode!, rangeStart, rangeEnd, ct);
+        }
+
+        string content = await httpClient.GetStringAsync(sourceUrl, ct);
+        return parser.Parse(content, rangeStart, rangeEnd);
+    }
+
+    private static async Task<IReadOnlyCollection<ParsedCalendarEvent>> GetNagerEventsAsync(
+        HttpClient httpClient,
+        string sourceUrl,
+        string countryCode,
+        DateOnly rangeStart,
+        DateOnly rangeEnd,
+        CancellationToken ct)
+    {
+        List<ParsedCalendarEvent> events = [];
+        for (int year = rangeStart.Year; year <= rangeEnd.Year; year++)
+        {
+            string yearUrl = BuildNagerYearUrl(sourceUrl, countryCode, year);
+            string json = await httpClient.GetStringAsync(yearUrl, ct);
+            NagerHoliday[] holidays = JsonSerializer.Deserialize<NagerHoliday[]>(
+                json,
+                new JsonSerializerOptions(JsonSerializerDefaults.Web)) ?? [];
+
+            foreach (NagerHoliday holiday in holidays)
+            {
+                if (!DateOnly.TryParse(holiday.Date, out DateOnly date) ||
+                    date < rangeStart ||
+                    date > rangeEnd)
+                {
+                    continue;
+                }
+
+                events.Add(ToParsedEvent(
+                    $"nager-{countryCode}-{date:yyyyMMdd}-{NormalizeUidPart(holiday.Name)}",
+                    string.IsNullOrWhiteSpace(holiday.Name) ? holiday.LocalName : holiday.Name,
+                    holiday.LocalName,
+                    date,
+                    string.Join(", ", holiday.Types ?? []),
+                    yearUrl));
+            }
+
+            events.AddRange(GetSupplementalCountryEvents(countryCode, year, rangeStart, rangeEnd));
+        }
+
+        return events
+            .GroupBy(calendarEvent => calendarEvent.SourceEventUid)
+            .Select(group => group.First())
+            .OrderBy(calendarEvent => calendarEvent.StartDate)
+            .ThenBy(calendarEvent => calendarEvent.Title)
+            .ToArray();
+    }
+
+    private static ParsedCalendarEvent ToParsedEvent(
+        string uid,
+        string? title,
+        string? localName,
+        DateOnly date,
+        string? types,
+        string sourceUrl)
+    {
+        string? description = string.IsNullOrWhiteSpace(types)
+            ? localName
+            : $"{localName}\nTypes: {types}";
+
+        return new ParsedCalendarEvent(
+            uid,
+            string.IsNullOrWhiteSpace(title) ? "Untitled event" : title,
+            description,
+            IsAllDay: true,
+            IsFloatingTime: false,
+            date,
+            date.AddDays(1),
+            StartLocalDateTime: null,
+            EndLocalDateTime: null,
+            StartUtc: null,
+            EndUtc: null,
+            TimeZoneId: null,
+            RecurrenceId: null,
+            Location: null,
+            sourceUrl,
+            SourceLastModifiedAt: null);
+    }
+
+    private static IReadOnlyCollection<ParsedCalendarEvent> GetSupplementalCountryEvents(
+        string countryCode,
+        int year,
+        DateOnly rangeStart,
+        DateOnly rangeEnd)
+    {
+        if (!countryCode.Equals("CA", StringComparison.OrdinalIgnoreCase))
+        {
+            return [];
+        }
+
+        DateOnly mothersDay = NthWeekdayOfMonth(year, month: 5, DayOfWeek.Sunday, occurrence: 2);
+        if (mothersDay < rangeStart || mothersDay > rangeEnd)
+        {
+            return [];
+        }
+
+        return
+        [
+            ToParsedEvent(
+                $"socialize-ca-mothers-day-{year}",
+                "Mother's Day",
+                "Mother's Day",
+                mothersDay,
+                "Observance",
+                "socialize://calendar-observances/CA"),
+        ];
+    }
+
+    private static DateOnly NthWeekdayOfMonth(int year, int month, DayOfWeek dayOfWeek, int occurrence)
+    {
+        DateOnly date = new(year, month, 1);
+        while (date.DayOfWeek != dayOfWeek)
+        {
+            date = date.AddDays(1);
+        }
+
+        return date.AddDays((occurrence - 1) * 7);
+    }
+
+    private static bool TryGetNagerCountryCode(string sourceUrl, out string? countryCode)
+    {
+        countryCode = null;
+        if (!Uri.TryCreate(sourceUrl, UriKind.Absolute, out Uri? uri) ||
+            !uri.Host.Contains("date.nager.at", StringComparison.OrdinalIgnoreCase))
+        {
+            return false;
+        }
+
+        string[] segments = uri.AbsolutePath
+            .Split('/', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
+
+        string? candidate = segments.LastOrDefault(segment => segment.Length == 2);
+        if (candidate is null)
+        {
+            return false;
+        }
+
+        countryCode = candidate.ToUpperInvariant();
+        return true;
+    }
+
+    private static string BuildNagerYearUrl(string sourceUrl, string countryCode, int year)
+    {
+        if (Uri.TryCreate(sourceUrl, UriKind.Absolute, out Uri? uri))
+        {
+            return $"{uri.Scheme}://{uri.Host}/api/v3/PublicHolidays/{year}/{countryCode}";
+        }
+
+        return $"https://date.nager.at/api/v3/PublicHolidays/{year}/{countryCode}";
+    }
+
+    private static string NormalizeUidPart(string? value)
+    {
+        return new string((value ?? "holiday")
+            .ToLowerInvariant()
+            .Select(character => char.IsLetterOrDigit(character) ? character : '-')
+            .ToArray())
+            .Trim('-');
+    }
+
+    private async Task RecordSyncFailureAsync(
+        CalendarSource source,
+        string message,
+        CancellationToken ct)
+    {
+        source.LastSyncError = NormalizeSyncError(message);
+        await dbContext.SaveChangesAsync(ct);
+    }
+
+    public static string NormalizeSyncError(string message)
+    {
+        ArgumentNullException.ThrowIfNull(message);
+
+        return message.Length > 2048 ? message[..2048] : message;
+    }
+
+    private sealed record NagerHoliday(
+        string Date,
+        string LocalName,
+        string Name,
+        string[]? Types);
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Services/CalendarSourceConstants.cs

@@ -0,0 +1,14 @@
+namespace Socialize.Api.Modules.CalendarIntegrations.Services;
+
+public static class CalendarSourceScopes
+{
+    public const string Organization = "Organization";
+    public const string Workspace = "Workspace";
+    public const string User = "User";
+}
+
+public static class CalendarSourceInheritanceModes
+{
+    public const string Required = "Required";
+    public const string Optional = "Optional";
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Services/CalendarSourceRules.cs

@@ -0,0 +1,51 @@
+using Socialize.Api.Modules.CalendarIntegrations.Data;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Services;
+
+public static class CalendarSourceRules
+{
+    public static readonly string[] SupportedScopes =
+    [
+        CalendarSourceScopes.Organization,
+        CalendarSourceScopes.Workspace,
+        CalendarSourceScopes.User,
+    ];
+
+    public static readonly string[] SupportedInheritanceModes =
+    [
+        CalendarSourceInheritanceModes.Required,
+        CalendarSourceInheritanceModes.Optional,
+    ];
+
+    public static bool IsSupportedScope(string? scope)
+    {
+        return SupportedScopes.Contains(scope?.Trim(), StringComparer.Ordinal);
+    }
+
+    public static bool IsSupportedInheritanceMode(string? inheritanceMode)
+    {
+        return SupportedInheritanceModes.Contains(inheritanceMode?.Trim(), StringComparer.Ordinal);
+    }
+
+    public static bool IsInheritedOrganizationSource(CalendarSource source, Guid workspaceOrganizationId)
+    {
+        return source.Scope == CalendarSourceScopes.Organization &&
+               source.OrganizationId == workspaceOrganizationId;
+    }
+
+    public static bool CanManageScope(
+        string scope,
+        bool canManageOrganizationCalendars,
+        bool canManageWorkspaceCalendars,
+        Guid currentUserId,
+        Guid? sourceUserId)
+    {
+        return scope switch
+        {
+            CalendarSourceScopes.Organization => canManageOrganizationCalendars,
+            CalendarSourceScopes.Workspace => canManageWorkspaceCalendars,
+            CalendarSourceScopes.User => sourceUserId == currentUserId,
+            _ => false,
+        };
+    }
+}

backend/src/Socialize.Api/Modules/CalendarIntegrations/Services/IcsCalendarParser.cs

@@ -0,0 +1,414 @@
+using System.Globalization;
+
+namespace Socialize.Api.Modules.CalendarIntegrations.Services;
+
+public record ParsedCalendarEvent(
+    string SourceEventUid,
+    string Title,
+    string? Description,
+    bool IsAllDay,
+    bool IsFloatingTime,
+    DateOnly StartDate,
+    DateOnly EndDate,
+    DateTime? StartLocalDateTime,
+    DateTime? EndLocalDateTime,
+    DateTimeOffset? StartUtc,
+    DateTimeOffset? EndUtc,
+    string? TimeZoneId,
+    string? RecurrenceId,
+    string? Location,
+    string? SourceUrl,
+    DateTimeOffset? SourceLastModifiedAt);
+
+internal record IcsDateTimeValue(
+    bool IsAllDay,
+    bool IsFloatingTime,
+    DateOnly Date,
+    DateTime? LocalDateTime,
+    DateTimeOffset? UtcDateTime,
+    string? TimeZoneId);
+
+internal sealed record IcsRawEvent(
+    string Uid,
+    string Title,
+    string? Description,
+    IcsDateTimeValue Start,
+    IcsDateTimeValue? End,
+    string? RRule,
+    string? Location,
+    string? SourceUrl,
+    DateTimeOffset? LastModifiedAt);
+
+public sealed class IcsCalendarParser
+{
+    public IReadOnlyCollection<ParsedCalendarEvent> Parse(
+        string content,
+        DateOnly rangeStart,
+        DateOnly rangeEnd)
+    {
+        ArgumentNullException.ThrowIfNull(content);
+
+        List<ParsedCalendarEvent> events = [];
+        foreach (IcsRawEvent rawEvent in ReadRawEvents(content))
+        {
+            events.AddRange(Expand(rawEvent, rangeStart, rangeEnd));
+        }
+
+        return events
+            .OrderBy(calendarEvent => calendarEvent.StartDate)
+            .ThenBy(calendarEvent => calendarEvent.Title)
+            .ToArray();
+    }
+
+    private static IEnumerable<IcsRawEvent> ReadRawEvents(string content)
+    {
+        List<string> lines = UnfoldLines(content).ToList();
+        for (int index = 0; index < lines.Count; index++)
+        {
+            if (!lines[index].Equals("BEGIN:VEVENT", StringComparison.OrdinalIgnoreCase))
+            {
+                continue;
+            }
+
+            Dictionary<string, List<(Dictionary<string, string> Parameters, string Value)>> properties =
+                new(StringComparer.OrdinalIgnoreCase);
+
+            index++;
+            for (; index < lines.Count && !lines[index].Equals("END:VEVENT", StringComparison.OrdinalIgnoreCase); index++)
+            {
+                ParseProperty(lines[index], properties);
+            }
+
+            if (!TryGetFirst(properties, "DTSTART", out var startProperty))
+            {
+                continue;
+            }
+
+            IcsDateTimeValue start = ParseDateTimeValue(startProperty.Value, startProperty.Parameters);
+            IcsDateTimeValue? end = TryGetFirst(properties, "DTEND", out var endProperty)
+                ? ParseDateTimeValue(endProperty.Value, endProperty.Parameters)
+                : null;
+
+            string uid = TryGetFirst(properties, "UID", out var uidProperty)
+                ? uidProperty.Value
+                : $"{start.Date:yyyyMMdd}:{GetText(properties, "SUMMARY") ?? "calendar-event"}";
+
+            yield return new IcsRawEvent(
+                uid,
+                GetText(properties, "SUMMARY") ?? "Untitled event",
+                GetText(properties, "DESCRIPTION"),
+                start,
+                end,
+                GetText(properties, "RRULE"),
+                GetText(properties, "LOCATION"),
+                GetText(properties, "URL"),
+                TryGetFirst(properties, "LAST-MODIFIED", out var lastModified)
+                    ? ParseDateTimeValue(lastModified.Value, lastModified.Parameters).UtcDateTime
+                    : null);
+        }
+    }
+
+    private static IEnumerable<string> UnfoldLines(string content)
+    {
+        string? current = null;
+        using StringReader reader = new(content.Replace("\r\n", "\n", StringComparison.Ordinal).Replace('\r', '\n'));
+        while (reader.ReadLine() is { } line)
+        {
+            if ((line.StartsWith(' ') || line.StartsWith('\t')) && current is not null)
+            {
+                current += line[1..];
+                continue;
+            }
+
+            if (current is not null)
+            {
+                yield return current;
+            }
+
+            current = line;
+        }
+
+        if (current is not null)
+        {
+            yield return current;
+        }
+    }
+
+    private static void ParseProperty(
+        string line,
+        Dictionary<string, List<(Dictionary<string, string> Parameters, string Value)>> properties)
+    {
+        int separatorIndex = line.IndexOf(':', StringComparison.Ordinal);
+        if (separatorIndex < 0)
+        {
+            return;
+        }
+
+        string nameAndParameters = line[..separatorIndex];
+        string value = UnescapeText(line[(separatorIndex + 1)..]);
+        string[] nameParts = nameAndParameters.Split(';');
+        string name = nameParts[0];
+        Dictionary<string, string> parameters = new(StringComparer.OrdinalIgnoreCase);
+        foreach (string parameterPart in nameParts.Skip(1))
+        {
+            int equalsIndex = parameterPart.IndexOf('=', StringComparison.Ordinal);
+            if (equalsIndex > 0)
+            {
+                parameters[parameterPart[..equalsIndex]] = parameterPart[(equalsIndex + 1)..].Trim('"');
+            }
+        }
+
+        if (!properties.TryGetValue(name, out var values))
+        {
+            values = [];
+            properties[name] = values;
+        }
+
+        values.Add((parameters, value));
+    }
+
+    private static string UnescapeText(string value)
+    {
+        return value
+            .Replace("\\n", "\n", StringComparison.OrdinalIgnoreCase)
+            .Replace("\\,", ",", StringComparison.Ordinal)
+            .Replace("\\;", ";", StringComparison.Ordinal)
+            .Replace("\\\\", "\\", StringComparison.Ordinal);
+    }
+
+    private static bool TryGetFirst(
+        Dictionary<string, List<(Dictionary<string, string> Parameters, string Value)>> properties,
+        string key,
+        out (Dictionary<string, string> Parameters, string Value) value)
+    {
+        if (properties.TryGetValue(key, out var values) && values.Count > 0)
+        {
+            value = values[0];
+            return true;
+        }
+
+        value = default;
+        return false;
+    }
+
+    private static string? GetText(
+        Dictionary<string, List<(Dictionary<string, string> Parameters, string Value)>> properties,
+        string key)
+    {
+        return TryGetFirst(properties, key, out var value) ? value.Value : null;
+    }
+
+    private static IcsDateTimeValue ParseDateTimeValue(
+        string value,
+        Dictionary<string, string> parameters)
+    {
+        bool isAllDay = parameters.TryGetValue("VALUE", out string? valueType) &&
+                        valueType.Equals("DATE", StringComparison.OrdinalIgnoreCase);
+
+        if (isAllDay || value.Length == 8)
+        {
+            DateOnly date = DateOnly.ParseExact(value, "yyyyMMdd", CultureInfo.InvariantCulture);
+            return new IcsDateTimeValue(true, false, date, null, null, null);
+        }
+
+        bool utc = value.EndsWith('Z');
+        string parseValue = utc ? value[..^1] : value;
+        DateTime local = DateTime.ParseExact(parseValue, "yyyyMMdd'T'HHmmss", CultureInfo.InvariantCulture);
+        if (utc)
+        {
+            DateTimeOffset utcValue = new(DateTime.SpecifyKind(local, DateTimeKind.Utc));
+            return new IcsDateTimeValue(false, false, DateOnly.FromDateTime(local), local, utcValue, "UTC");
+        }
+
+        string? timeZoneId = parameters.GetValueOrDefault("TZID");
+        bool floating = string.IsNullOrWhiteSpace(timeZoneId);
+        return new IcsDateTimeValue(
+            false,
+            floating,
+            DateOnly.FromDateTime(local),
+            local,
+            TryConvertToUtc(local, timeZoneId),
+            timeZoneId);
+    }
+
+    private static DateTimeOffset? TryConvertToUtc(DateTime localDateTime, string? timeZoneId)
+    {
+        if (string.IsNullOrWhiteSpace(timeZoneId))
+        {
+            return null;
+        }
+
+        try
+        {
+            TimeZoneInfo timeZone = TimeZoneInfo.FindSystemTimeZoneById(timeZoneId);
+            DateTime unspecified = DateTime.SpecifyKind(localDateTime, DateTimeKind.Unspecified);
+            return TimeZoneInfo.ConvertTimeToUtc(unspecified, timeZone);
+        }
+        catch (TimeZoneNotFoundException)
+        {
+            return null;
+        }
+        catch (InvalidTimeZoneException)
+        {
+            return null;
+        }
+    }
+
+    private static IEnumerable<ParsedCalendarEvent> Expand(
+        IcsRawEvent rawEvent,
+        DateOnly rangeStart,
+        DateOnly rangeEnd)
+    {
+        TimeSpan duration = GetDuration(rawEvent.Start, rawEvent.End);
+        IReadOnlyCollection<DateOnly> starts = ExpandStartDates(rawEvent, rangeStart, rangeEnd);
+        foreach (DateOnly startDate in starts)
+        {
+            int dayOffset = startDate.DayNumber - rawEvent.Start.Date.DayNumber;
+            IcsDateTimeValue occurrenceStart = Shift(rawEvent.Start, dayOffset);
+            IcsDateTimeValue occurrenceEnd = rawEvent.End is null
+                ? ShiftByDuration(occurrenceStart, duration)
+                : Shift(rawEvent.End, dayOffset);
+
+            yield return new ParsedCalendarEvent(
+                rawEvent.Uid,
+                rawEvent.Title,
+                rawEvent.Description,
+                occurrenceStart.IsAllDay,
+                occurrenceStart.IsFloatingTime,
+                occurrenceStart.Date,
+                occurrenceEnd.Date,
+                occurrenceStart.LocalDateTime,
+                occurrenceEnd.LocalDateTime,
+                occurrenceStart.UtcDateTime,
+                occurrenceEnd.UtcDateTime,
+                occurrenceStart.TimeZoneId,
+                rawEvent.RRule is null ? null : rawEvent.Uid,
+                rawEvent.Location,
+                rawEvent.SourceUrl,
+                rawEvent.LastModifiedAt);
+        }
+    }
+
+    private static TimeSpan GetDuration(IcsDateTimeValue start, IcsDateTimeValue? end)
+    {
+        if (end is null)
+        {
+            return start.IsAllDay ? TimeSpan.FromDays(1) : TimeSpan.Zero;
+        }
+
+        if (start.IsAllDay)
+        {
+            return TimeSpan.FromDays(Math.Max(1, end.Date.DayNumber - start.Date.DayNumber));
+        }
+
+        if (start.LocalDateTime.HasValue && end.LocalDateTime.HasValue)
+        {
+            return end.LocalDateTime.Value - start.LocalDateTime.Value;
+        }
+
+        return TimeSpan.Zero;
+    }
+
+    private static IReadOnlyCollection<DateOnly> ExpandStartDates(
+        IcsRawEvent rawEvent,
+        DateOnly rangeStart,
+        DateOnly rangeEnd)
+    {
+        if (string.IsNullOrWhiteSpace(rawEvent.RRule))
+        {
+            return IsInRange(rawEvent.Start.Date, rangeStart, rangeEnd) ? [rawEvent.Start.Date] : [];
+        }
+
+        Dictionary<string, string> rule = rawEvent.RRule
+            .Split(';', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
+            .Select(part => part.Split('=', 2))
+            .Where(parts => parts.Length == 2)
+            .ToDictionary(parts => parts[0], parts => parts[1], StringComparer.OrdinalIgnoreCase);
+
+        string frequency = rule.GetValueOrDefault("FREQ", "DAILY");
+        int interval = int.TryParse(rule.GetValueOrDefault("INTERVAL"), out int parsedInterval)
+            ? Math.Max(1, parsedInterval)
+            : 1;
+        int? count = int.TryParse(rule.GetValueOrDefault("COUNT"), out int parsedCount) ? parsedCount : null;
+        DateOnly? until = TryParseUntil(rule.GetValueOrDefault("UNTIL"));
+        List<DateOnly> dates = [];
+
+        DateOnly current = rawEvent.Start.Date;
+        for (int occurrence = 1; occurrence <= (count ?? 500); occurrence++)
+        {
+            if (until.HasValue && current > until.Value)
+            {
+                break;
+            }
+
+            if (current > rangeEnd)
+            {
+                break;
+            }
+
+            if (IsInRange(current, rangeStart, rangeEnd))
+            {
+                dates.Add(current);
+            }
+
+            current = frequency.ToUpperInvariant() switch
+            {
+                "YEARLY" => current.AddYears(interval),
+                "MONTHLY" => current.AddMonths(interval),
+                "WEEKLY" => current.AddDays(7 * interval),
+                _ => current.AddDays(interval),
+            };
+        }
+
+        return dates;
+    }
+
+    private static DateOnly? TryParseUntil(string? value)
+    {
+        if (string.IsNullOrWhiteSpace(value))
+        {
+            return null;
+        }
+
+        string dateValue = value.EndsWith('Z') ? value[..^1] : value;
+        if (dateValue.Length >= 8 &&
+            DateOnly.TryParseExact(dateValue[..8], "yyyyMMdd", CultureInfo.InvariantCulture, DateTimeStyles.None, out DateOnly date))
+        {
+            return date;
+        }
+
+        return null;
+    }
+
+    private static bool IsInRange(DateOnly value, DateOnly rangeStart, DateOnly rangeEnd)
+    {
+        return value >= rangeStart && value <= rangeEnd;
+    }
+
+    private static IcsDateTimeValue Shift(IcsDateTimeValue value, int dayOffset)
+    {
+        return value with
+        {
+            Date = value.Date.AddDays(dayOffset),
+            LocalDateTime = value.LocalDateTime?.AddDays(dayOffset),
+            UtcDateTime = value.UtcDateTime?.AddDays(dayOffset),
+        };
+    }
+
+    private static IcsDateTimeValue ShiftByDuration(IcsDateTimeValue value, TimeSpan duration)
+    {
+        if (value.IsAllDay)
+        {
+            return value with { Date = value.Date.AddDays(Math.Max(1, (int)duration.TotalDays)) };
+        }
+
+        return value with
+        {
+            Date = value.LocalDateTime.HasValue
+                ? DateOnly.FromDateTime(value.LocalDateTime.Value.Add(duration))
+                : value.Date,
+            LocalDateTime = value.LocalDateTime?.Add(duration),
+            UtcDateTime = value.UtcDateTime?.Add(duration),
+        };
+    }
+}

backend/src/Socialize.Api/Modules/Campaigns/Data/Campaign.cs

@@ -1,6 +1,6 @@
-namespace Socialize.Modules.Projects.Data;
+namespace Socialize.Api.Modules.Campaigns.Data;
 
-public class Project
+public class Campaign
 {
     public Guid Id { get; init; }
     public Guid WorkspaceId { get; set; }

backend/src/Socialize.Api/Modules/Campaigns/Data/CampaignModelConfiguration.cs

@@ -0,0 +1,27 @@
+using Microsoft.EntityFrameworkCore;
+
+namespace Socialize.Api.Modules.Campaigns.Data;
+
+public static class CampaignModelConfiguration
+{
+    public static ModelBuilder ConfigureCampaignsModule(this ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<Campaign>(campaign =>
+        {
+            campaign.ToTable("Campaigns");
+            campaign.HasKey(x => x.Id);
+            campaign.Property(x => x.Name).HasMaxLength(256).IsRequired();
+            campaign.Property(x => x.Description).HasMaxLength(4000);
+            campaign.Property(x => x.Notes).HasMaxLength(4000);
+            campaign.Property(x => x.Status).HasMaxLength(64).IsRequired();
+            campaign.Property(x => x.CreatedAt)
+                .ValueGeneratedOnAdd()
+                .HasDefaultValueSql("CURRENT_TIMESTAMP");
+            campaign.HasIndex(x => new { x.ClientId, x.Name }).IsUnique();
+            campaign.HasIndex(x => x.WorkspaceId);
+            campaign.HasIndex(x => x.ClientId);
+        });
+
+        return modelBuilder;
+    }
+}

backend/src/Socialize.Api/Modules/Campaigns/DependencyInjection.cs

@@ -0,0 +1,12 @@
+using Socialize.Api.Modules.Campaigns.Data;
+
+namespace Socialize.Api.Modules.Campaigns;
+
+public static class DependencyInjection
+{
+    public static WebApplicationBuilder AddCampaignsModule(
+        this WebApplicationBuilder builder)
+    {
+        return builder;
+    }
+}

backend/src/Socialize.Api/Modules/Campaigns/Handlers/CreateCampaign.cs

@@ -1,7 +1,12 @@
-using Socialize.Infrastructure.Security;
+using FastEndpoints;
-namespace Socialize.Modules.Projects.Handlers;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.Campaigns.Data;
 
-public record CreateProjectRequest(
+namespace Socialize.Api.Modules.Campaigns.Handlers;
+
+public record CreateCampaignRequest(
     Guid WorkspaceId,
     Guid ClientId,
     string Name,
@@ -10,10 +15,10 @@ public record CreateProjectRequest(
     string? Description,
     string? Notes);
 
-public class CreateProjectRequestValidator
+public class CreateCampaignRequestValidator
-    : Validator<CreateProjectRequest>
+    : Validator<CreateCampaignRequest>
 {
-    public CreateProjectRequestValidator()
+    public CreateCampaignRequestValidator()
     {
         RuleFor(x => x.WorkspaceId).NotEmpty();
         RuleFor(x => x.ClientId).NotEmpty();
@@ -27,20 +32,20 @@ public class CreateProjectRequestValidator
     }
 }
 
-public class CreateProjectHandler(
+public class CreateCampaignHandler(
     AppDbContext dbContext,
     AccessScopeService accessScopeService)
-    : Endpoint<CreateProjectRequest, ProjectDto>
+    : Endpoint<CreateCampaignRequest, CampaignDto>
 {
     public override void Configure()
     {
-        Post("/api/projects");
+        Post("/api/campaigns");
-        Options(o => o.WithTags("Projects"));
+        Options(o => o.WithTags("Campaigns"));
     }
 
-    public override async Task HandleAsync(CreateProjectRequest request, CancellationToken ct)
+    public override async Task HandleAsync(CreateCampaignRequest request, CancellationToken ct)
     {
-        if (!accessScopeService.CanManageWorkspace(User, request.WorkspaceId))
+        if (!await accessScopeService.CanManageWorkspaceAsync(User, request.WorkspaceId, ct))
         {
             await SendForbiddenAsync(ct);
             return;
@@ -70,19 +75,19 @@ public class CreateProjectHandler(
 
         string normalizedName = request.Name.Trim();
 
-        bool duplicateProject = await dbContext.Projects
+        bool duplicateCampaign = await dbContext.Campaigns
             .AnyAsync(
-                project => project.ClientId == request.ClientId && project.Name == normalizedName,
+                campaign => campaign.ClientId == request.ClientId && campaign.Name == normalizedName,
                 ct);
 
-        if (duplicateProject)
+        if (duplicateCampaign)
         {
-            AddError(request => request.Name, "A project with this name already exists for the selected client.");
+            AddError(request => request.Name, "A campaign with this name already exists for the selected client.");
             await SendErrorsAsync(StatusCodes.Status409Conflict, ct);
             return;
         }
 
-        Project project = new()
+        Campaign campaign = new()
         {
             Id = Guid.NewGuid(),
             WorkspaceId = request.WorkspaceId,
@@ -96,19 +101,19 @@ public class CreateProjectHandler(
             CreatedAt = DateTimeOffset.UtcNow,
         };
 
-        dbContext.Projects.Add(project);
+        dbContext.Campaigns.Add(campaign);
         await dbContext.SaveChangesAsync(ct);
 
-        ProjectDto dto = new(
+        CampaignDto dto = new(
-            project.Id,
+            campaign.Id,
-            project.WorkspaceId,
+            campaign.WorkspaceId,
-            project.ClientId,
+            campaign.ClientId,
-            project.Name,
+            campaign.Name,
-            project.Description,
+            campaign.Description,
-            project.Notes,
+            campaign.Notes,
-            project.Status,
+            campaign.Status,
-            project.StartDate,
+            campaign.StartDate,
-            project.EndDate);
+            campaign.EndDate);
 
         await SendAsync(dto, StatusCodes.Status201Created, ct);
     }

backend/src/Socialize.Api/Modules/Campaigns/Handlers/GetCampaigns.cs

@@ -0,0 +1,82 @@
+using FastEndpoints;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.Campaigns.Data;
+
+namespace Socialize.Api.Modules.Campaigns.Handlers;
+
+public record GetCampaignsRequest(Guid? WorkspaceId, Guid? ClientId);
+
+public record CampaignDto(
+    Guid Id,
+    Guid WorkspaceId,
+    Guid ClientId,
+    string Name,
+    string? Description,
+    string? Notes,
+    string Status,
+    DateTimeOffset StartDate,
+    DateTimeOffset EndDate);
+
+public class GetCampaignsHandler(
+    AppDbContext dbContext,
+    AccessScopeService accessScopeService)
+    : Endpoint<GetCampaignsRequest, IReadOnlyCollection<CampaignDto>>
+{
+    public override void Configure()
+    {
+        Get("/api/campaigns");
+        Options(o => o.WithTags("Campaigns"));
+    }
+
+    public override async Task HandleAsync(GetCampaignsRequest request, CancellationToken ct)
+    {
+        IQueryable<Campaign> query = dbContext.Campaigns.AsQueryable();
+
+        if (!accessScopeService.IsManager(User))
+        {
+            IReadOnlyCollection<Guid> workspaceScopeIds = await accessScopeService.GetAccessibleWorkspaceIdsAsync(User, ct);
+            IReadOnlyCollection<Guid> clientScopeIds = User.GetClientScopeIds();
+            IReadOnlyCollection<Guid> campaignScopeIds = User.GetCampaignScopeIds();
+
+            query = query.Where(campaign => workspaceScopeIds.Contains(campaign.WorkspaceId));
+
+            if (clientScopeIds.Count > 0)
+            {
+                query = query.Where(campaign => clientScopeIds.Contains(campaign.ClientId));
+            }
+
+            if (campaignScopeIds.Count > 0)
+            {
+                query = query.Where(campaign => campaignScopeIds.Contains(campaign.Id));
+            }
+        }
+
+        if (request.ClientId.HasValue)
+        {
+            query = query.Where(campaign => campaign.ClientId == request.ClientId.Value);
+        }
+
+        if (request.WorkspaceId.HasValue)
+        {
+            query = query.Where(campaign => campaign.WorkspaceId == request.WorkspaceId.Value);
+        }
+
+        List<CampaignDto> campaigns = await query
+            .OrderBy(campaign => campaign.Name)
+            .Select(campaign => new CampaignDto(
+                campaign.Id,
+                campaign.WorkspaceId,
+                campaign.ClientId,
+                campaign.Name,
+                campaign.Description,
+                campaign.Notes,
+                campaign.Status,
+                campaign.StartDate,
+                campaign.EndDate))
+            .ToListAsync(ct);
+
+        await SendOkAsync(campaigns, ct);
+    }
+}

backend/src/Socialize.Api/Modules/Channels/Data/Channel.cs

@@ -0,0 +1,12 @@
+namespace Socialize.Api.Modules.Channels.Data;
+
+public class Channel
+{
+    public Guid Id { get; init; }
+    public Guid WorkspaceId { get; set; }
+    public required string Name { get; set; }
+    public required string Network { get; set; }
+    public string? Handle { get; set; }
+    public string? ExternalUrl { get; set; }
+    public DateTimeOffset CreatedAt { get; init; }
+}

backend/src/Socialize.Api/Modules/Channels/Data/ChannelModelConfiguration.cs

@@ -0,0 +1,26 @@
+using Microsoft.EntityFrameworkCore;
+
+namespace Socialize.Api.Modules.Channels.Data;
+
+public static class ChannelModelConfiguration
+{
+    public static ModelBuilder ConfigureChannelsModule(this ModelBuilder modelBuilder)
+    {
+        modelBuilder.Entity<Channel>(channel =>
+        {
+            channel.ToTable("Channels");
+            channel.HasKey(x => x.Id);
+            channel.Property(x => x.Name).HasMaxLength(256).IsRequired();
+            channel.Property(x => x.Network).HasMaxLength(64).IsRequired();
+            channel.Property(x => x.Handle).HasMaxLength(256);
+            channel.Property(x => x.ExternalUrl).HasMaxLength(2048);
+            channel.Property(x => x.CreatedAt)
+                .ValueGeneratedOnAdd()
+                .HasDefaultValueSql("CURRENT_TIMESTAMP");
+            channel.HasIndex(x => x.WorkspaceId);
+            channel.HasIndex(x => new { x.WorkspaceId, x.Network, x.Name }).IsUnique();
+        });
+
+        return modelBuilder;
+    }
+}

backend/src/Socialize.Api/Modules/Channels/DependencyInjection.cs

@@ -0,0 +1,10 @@
+namespace Socialize.Api.Modules.Channels;
+
+public static class DependencyInjection
+{
+    public static WebApplicationBuilder AddChannelsModule(
+        this WebApplicationBuilder builder)
+    {
+        return builder;
+    }
+}

backend/src/Socialize.Api/Modules/Channels/Handlers/ChannelDtos.cs

@@ -0,0 +1,10 @@
+namespace Socialize.Api.Modules.Channels.Handlers;
+
+public record ChannelDto(
+    Guid Id,
+    Guid WorkspaceId,
+    string Name,
+    string Network,
+    string? Handle,
+    string? ExternalUrl,
+    DateTimeOffset CreatedAt);

backend/src/Socialize.Api/Modules/Channels/Handlers/CreateChannel.cs

@@ -0,0 +1,115 @@
+using FastEndpoints;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.Channels.Data;
+
+namespace Socialize.Api.Modules.Channels.Handlers;
+
+public record CreateChannelRequest(
+    Guid WorkspaceId,
+    string Name,
+    string Network,
+    string? Handle,
+    string? ExternalUrl);
+
+public class CreateChannelRequestValidator
+    : Validator<CreateChannelRequest>
+{
+    private static readonly string[] AllowedNetworks =
+    [
+        "Instagram",
+        "TikTok",
+        "Facebook",
+        "LinkedIn",
+        "YouTube",
+        "X",
+        "Reddit",
+        "Website",
+    ];
+
+    public CreateChannelRequestValidator()
+    {
+        RuleFor(x => x.WorkspaceId).NotEmpty();
+        RuleFor(x => x.Name).NotEmpty().MaximumLength(256);
+        RuleFor(x => x.Network).NotEmpty().Must(network => AllowedNetworks.Contains(network))
+            .WithMessage("Selected network is invalid.");
+        RuleFor(x => x.Handle).MaximumLength(256);
+        RuleFor(x => x.ExternalUrl).MaximumLength(2048);
+    }
+}
+
+public class CreateChannelHandler(
+    AppDbContext dbContext,
+    AccessScopeService accessScopeService)
+    : Endpoint<CreateChannelRequest, ChannelDto>
+{
+    public override void Configure()
+    {
+        Post("/api/channels");
+        Options(o => o.WithTags("Channels"));
+    }
+
+    public override async Task HandleAsync(CreateChannelRequest request, CancellationToken ct)
+    {
+        if (!await accessScopeService.CanManageWorkspaceAsync(User, request.WorkspaceId, ct))
+        {
+            await SendForbiddenAsync(ct);
+            return;
+        }
+
+        bool workspaceExists = await dbContext.Workspaces
+            .AnyAsync(workspace => workspace.Id == request.WorkspaceId, ct);
+
+        if (!workspaceExists)
+        {
+            AddError(request => request.WorkspaceId, "The selected workspace does not exist.");
+            await SendErrorsAsync(StatusCodes.Status400BadRequest, ct);
+            return;
+        }
+
+        string normalizedName = request.Name.Trim();
+        string normalizedNetwork = request.Network.Trim();
+        string? normalizedHandle = request.Handle?.Trim();
+        string? normalizedExternalUrl = request.ExternalUrl?.Trim();
+
+        bool duplicateChannel = await dbContext.Channels
+            .AnyAsync(
+                channel => channel.WorkspaceId == request.WorkspaceId
+                    && channel.Network == normalizedNetwork
+                    && channel.Name == normalizedName,
+                ct);
+
+        if (duplicateChannel)
+        {
+            AddError(request => request.Name, "A channel with this name already exists for the selected network.");
+            await SendErrorsAsync(StatusCodes.Status409Conflict, ct);
+            return;
+        }
+
+        Channel channel = new()
+        {
+            Id = Guid.NewGuid(),
+            WorkspaceId = request.WorkspaceId,
+            Name = normalizedName,
+            Network = normalizedNetwork,
+            Handle = string.IsNullOrWhiteSpace(normalizedHandle) ? null : normalizedHandle,
+            ExternalUrl = string.IsNullOrWhiteSpace(normalizedExternalUrl) ? null : normalizedExternalUrl,
+            CreatedAt = DateTimeOffset.UtcNow,
+        };
+
+        dbContext.Channels.Add(channel);
+        await dbContext.SaveChangesAsync(ct);
+
+        ChannelDto dto = new(
+            channel.Id,
+            channel.WorkspaceId,
+            channel.Name,
+            channel.Network,
+            channel.Handle,
+            channel.ExternalUrl,
+            channel.CreatedAt);
+
+        await SendAsync(dto, StatusCodes.Status201Created, ct);
+    }
+}

backend/src/Socialize.Api/Modules/Channels/Handlers/GetChannels.cs

@@ -0,0 +1,52 @@
+using FastEndpoints;
+using Microsoft.EntityFrameworkCore;
+using Socialize.Api.Data;
+using Socialize.Api.Infrastructure.Security;
+using Socialize.Api.Modules.Channels.Data;
+
+namespace Socialize.Api.Modules.Channels.Handlers;
+
+public record GetChannelsRequest(Guid? WorkspaceId);
+
+public class GetChannelsHandler(
+    AppDbContext dbContext,
+    AccessScopeService accessScopeService)
+    : Endpoint<GetChannelsRequest, IReadOnlyCollection<ChannelDto>>
+{
+    public override void Configure()
+    {
+        Get("/api/channels");
+        Options(o => o.WithTags("Channels"));
+    }
+
+    public override async Task HandleAsync(GetChannelsRequest request, CancellationToken ct)
+    {
+        IQueryable<Channel> query = dbContext.Channels.AsQueryable();
+
+        if (!accessScopeService.IsManager(User))
+        {
+            IReadOnlyCollection<Guid> workspaceScopeIds = await accessScopeService.GetAccessibleWorkspaceIdsAsync(User, ct);
+            query = query.Where(channel => workspaceScopeIds.Contains(channel.WorkspaceId));
+        }
+
+        if (request.WorkspaceId.HasValue)
+        {
+            query = query.Where(channel => channel.WorkspaceId == request.WorkspaceId.Value);
+        }
+
+        List<ChannelDto> channels = await query
+            .OrderBy(channel => channel.Network)
+            .ThenBy(channel => channel.Name)
+            .Select(channel => new ChannelDto(
+                channel.Id,
+                channel.WorkspaceId,
+                channel.Name,
+                channel.Network,
+                channel.Handle,
+                channel.ExternalUrl,
+                channel.CreatedAt))
+            .ToListAsync(ct);
+
+        await SendOkAsync(channels, ct);
+    }
+}