From a2760ffd64ad200458ba91b8c0de1dc9894deeb2 Mon Sep 17 00:00:00 2001
From: "bert.hausmans" <bert@hausmans.nl>
Date: Tue, 5 May 2026 21:15:10 +0200
Subject: [PATCH 1/9] feat(auth): add contexts + platform.is_super_admin to
 /auth/me, factory role-category states
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Additive enrichment to MeResource — existing fields untouched, MeTest stays green.
New fields:
- contexts.available: list<'portal'|'organizer'> derived from Person + Organisation memberships
- contexts.default: precedence super_admin > organizer > portal > fallback portal
- platform.is_super_admin: bool promoted from app_roles
- organisations[].roles: 1-element array form alongside the legacy scalar role,
  forward-compatible for the multi-role pivot work tracked in TECH-PIVOT-ROLES-MULTI

UserFactory gains volunteer(), orgAdmin(), volunteerAndOrganizer(), superAdmin()
state methods — codified role categories for reuse across future workstreams.

Adds forbidden.vue placeholder (PublicLayout) for the context-failure landing in
the upcoming guard rewrite.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 api/app/Http/Resources/Api/V1/MeResource.php | 92 +++++++++++++++----
 api/database/factories/UserFactory.php       | 47 +++++++++-
 api/tests/Feature/Auth/AuthMeShapeTest.php   | 96 ++++++++++++++++++++
 apps/app/src/pages/forbidden.vue             | 23 +++++
 apps/app/typed-router.d.ts                   |  1 +
 dev-docs/BACKLOG.md                          | 32 +++++++
 6 files changed, 272 insertions(+), 19 deletions(-)
 create mode 100644 api/tests/Feature/Auth/AuthMeShapeTest.php
 create mode 100644 apps/app/src/pages/forbidden.vue

diff --git a/api/app/Http/Resources/Api/V1/MeResource.php b/api/app/Http/Resources/Api/V1/MeResource.php
index 76c1328e..1ac9b1c0 100644
--- a/api/app/Http/Resources/Api/V1/MeResource.php
+++ b/api/app/Http/Resources/Api/V1/MeResource.php
@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Http\Resources\Api\V1;
 
 use App\Models\Person;
+use App\Models\User;
 use App\Services\MfaService;
 use Illuminate\Http\Request;
 use Illuminate\Http\Resources\Json\JsonResource;
@@ -13,6 +14,11 @@ final class MeResource extends JsonResource
 {
     public function toArray(Request $request): array
     {
+        /** @var User $user */
+        $user = $this->resource;
+
+        $contexts = $this->resolveContexts($user);
+
         return [
             'id' => $this->id,
             'first_name' => $this->first_name,
@@ -25,27 +31,32 @@ final class MeResource extends JsonResource
             'locale' => $this->locale,
             'avatar' => $this->avatar,
             'email_verified_at' => $this->email_verified_at?->toIso8601String(),
-            'organisations' => $this->whenLoaded('organisations', fn () =>
-                $this->organisations->map(fn ($org) => [
-                    'id' => $org->id,
-                    'name' => $org->name,
-                    'slug' => $org->slug,
-                    'role' => $org->pivot->role,
-                ])
+            'organisations' => $this->whenLoaded('organisations', fn () => $this->organisations->map(fn ($org) => [
+                'id' => $org->id,
+                'name' => $org->name,
+                'slug' => $org->slug,
+                'role' => $org->pivot->role,
+                // Forward-compatible array form. The pivot stores a single
+                // role today; B2a emits it as a 1-element array so the
+                // frontend can treat the field as multi-role from day one.
+                // Multi-role pivot resolution is tracked in BACKLOG.md as
+                // TECH-PIVOT-ROLES-MULTI (ARCH discussion, not just a
+                // schema-column expansion).
+                'roles' => [$org->pivot->role],
+            ])
             ),
             'app_roles' => $this->getRoleNames()->values()->all(),
             'permissions' => $this->getAllPermissions()->pluck('name')->values()->all(),
-            'portal_events' => $this->whenLoaded('persons', fn () =>
-                $this->persons->map(fn (Person $person) => [
-                    'event_id' => $person->event_id,
-                    'event_name' => $person->event->name,
-                    'event_slug' => $person->event->slug,
-                    'organisation_name' => $person->event->organisation->name,
-                    'person_id' => $person->id,
-                    'person_status' => $person->status,
-                    'start_date' => $person->event->start_date?->toDateString(),
-                    'end_date' => $person->event->end_date?->toDateString(),
-                ])
+            'portal_events' => $this->whenLoaded('persons', fn () => $this->persons->map(fn (Person $person) => [
+                'event_id' => $person->event_id,
+                'event_name' => $person->event->name,
+                'event_slug' => $person->event->slug,
+                'organisation_name' => $person->event->organisation->name,
+                'person_id' => $person->id,
+                'person_status' => $person->status,
+                'start_date' => $person->event->start_date?->toDateString(),
+                'end_date' => $person->event->end_date?->toDateString(),
+            ])
             ),
             'mfa' => [
                 'enabled' => $this->mfa_enabled,
@@ -53,6 +64,51 @@ final class MeResource extends JsonResource
                 'confirmed_at' => $this->mfa_confirmed_at?->toIso8601String(),
                 'setup_required' => app(MfaService::class)->isMfaRequired($this->resource) && ! $this->mfa_enabled,
             ],
+            'platform' => [
+                'is_super_admin' => $user->hasRole('super_admin'),
+            ],
+            'contexts' => $contexts,
+        ];
+    }
+
+    /**
+     * Compute available + default UI contexts for this user.
+     *
+     * - portal: user has at least one Person record (volunteer-side).
+     * - organizer: super_admin OR membership in any Organisation pivot.
+     *
+     * Default precedence: super_admin → organizer; otherwise the first
+     * available context wins (organizer before portal, mirroring the
+     * "familiar context wins on first login" rule from
+     * ARCH-CONSOLIDATION-2026-04 §4.3). When neither context is
+     * available, default falls back to 'portal' so the post-login
+     * landing logic has a safe target to resolve against.
+     *
+     * @return array{available: list<string>, default: string}
+     */
+    private function resolveContexts(User $user): array
+    {
+        $hasPortal = $user->persons->isNotEmpty();
+        $hasOrganizer = $user->hasRole('super_admin') || $user->organisations->isNotEmpty();
+
+        $available = [];
+        if ($hasPortal) {
+            $available[] = 'portal';
+        }
+        if ($hasOrganizer) {
+            $available[] = 'organizer';
+        }
+
+        $default = match (true) {
+            $user->hasRole('super_admin') => 'organizer',
+            $hasOrganizer => 'organizer',
+            $hasPortal => 'portal',
+            default => 'portal',
+        };
+
+        return [
+            'available' => $available,
+            'default' => $default,
         ];
     }
 }
diff --git a/api/database/factories/UserFactory.php b/api/database/factories/UserFactory.php
index 23719b3c..be9dec98 100644
--- a/api/database/factories/UserFactory.php
+++ b/api/database/factories/UserFactory.php
@@ -4,6 +4,8 @@ declare(strict_types=1);
 
 namespace Database\Factories;
 
+use App\Models\Organisation;
+use App\Models\Person;
 use App\Models\User;
 use Illuminate\Database\Eloquent\Factories\Factory;
 use Illuminate\Support\Facades\Hash;
@@ -23,7 +25,7 @@ final class UserFactory extends Factory
             'date_of_birth' => fake()->dateTimeBetween('-50 years', '-18 years')->format('Y-m-d'),
             'email' => fake()->unique()->safeEmail(),
             'email_verified_at' => now(),
-            'password' => static::$password ??= Hash::make('password'),
+            'password' => self::$password ??= Hash::make('password'),
             'timezone' => 'Europe/Amsterdam',
             'locale' => 'nl',
             'remember_token' => Str::random(10),
@@ -34,4 +36,47 @@ final class UserFactory extends Factory
     {
         return $this->state(fn () => ['email_verified_at' => null]);
     }
+
+    /**
+     * Volunteer-only user — has a Person record (portal context),
+     * no Spatie role, no organisation membership.
+     */
+    public function volunteer(): static
+    {
+        return $this->afterCreating(function (User $user): void {
+            Person::factory()->create(['user_id' => $user->id]);
+        });
+    }
+
+    /**
+     * Organizer-only user — attached to a fresh Organisation as `org_admin`,
+     * no Person record, no Spatie role.
+     */
+    public function orgAdmin(): static
+    {
+        return $this->afterCreating(function (User $user): void {
+            $organisation = Organisation::factory()->create();
+            $organisation->users()->attach($user, ['role' => 'org_admin']);
+        });
+    }
+
+    /**
+     * Multi-role user — has both a Person record AND organisation membership.
+     */
+    public function volunteerAndOrganizer(): static
+    {
+        return $this->volunteer()->orgAdmin();
+    }
+
+    /**
+     * Platform admin — Spatie super_admin role. No org/person attachments
+     * by default (mirrors the production case where super_admins live above
+     * the org tree).
+     */
+    public function superAdmin(): static
+    {
+        return $this->afterCreating(function (User $user): void {
+            $user->assignRole('super_admin');
+        });
+    }
 }
diff --git a/api/tests/Feature/Auth/AuthMeShapeTest.php b/api/tests/Feature/Auth/AuthMeShapeTest.php
new file mode 100644
index 00000000..b2075f78
--- /dev/null
+++ b/api/tests/Feature/Auth/AuthMeShapeTest.php
@@ -0,0 +1,96 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature\Auth;
+
+use App\Models\User;
+use Database\Seeders\RoleSeeder;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Laravel\Sanctum\Sanctum;
+use Tests\TestCase;
+
+class AuthMeShapeTest extends TestCase
+{
+    use RefreshDatabase;
+
+    protected function setUp(): void
+    {
+        parent::setUp();
+        $this->seed(RoleSeeder::class);
+    }
+
+    public function test_volunteer_only_user_sees_portal_context(): void
+    {
+        $user = User::factory()->volunteer()->create();
+
+        Sanctum::actingAs($user);
+
+        $response = $this->getJson('/api/v1/auth/me');
+
+        $response->assertOk()
+            ->assertJsonStructure([
+                'data' => [
+                    'platform' => ['is_super_admin'],
+                    'contexts' => ['available', 'default'],
+                ],
+            ])
+            ->assertJsonPath('data.platform.is_super_admin', false)
+            ->assertJsonPath('data.contexts.available', ['portal'])
+            ->assertJsonPath('data.contexts.default', 'portal');
+    }
+
+    public function test_organizer_only_user_sees_organizer_context(): void
+    {
+        $user = User::factory()->orgAdmin()->create();
+
+        Sanctum::actingAs($user);
+
+        $response = $this->getJson('/api/v1/auth/me');
+
+        $response->assertOk()
+            ->assertJsonPath('data.platform.is_super_admin', false)
+            ->assertJsonPath('data.contexts.available', ['organizer'])
+            ->assertJsonPath('data.contexts.default', 'organizer');
+    }
+
+    public function test_multi_role_user_sees_both_contexts_with_organizer_default(): void
+    {
+        $user = User::factory()->volunteerAndOrganizer()->create();
+
+        Sanctum::actingAs($user);
+
+        $response = $this->getJson('/api/v1/auth/me');
+
+        $response->assertOk()
+            ->assertJsonPath('data.contexts.available', ['portal', 'organizer'])
+            ->assertJsonPath('data.contexts.default', 'organizer');
+    }
+
+    public function test_super_admin_sees_organizer_context(): void
+    {
+        $user = User::factory()->superAdmin()->create();
+
+        Sanctum::actingAs($user);
+
+        $response = $this->getJson('/api/v1/auth/me');
+
+        $response->assertOk()
+            ->assertJsonPath('data.platform.is_super_admin', true)
+            ->assertJsonPath('data.contexts.available', ['organizer'])
+            ->assertJsonPath('data.contexts.default', 'organizer');
+    }
+
+    public function test_organisations_emit_roles_array_in_addition_to_scalar_role(): void
+    {
+        $user = User::factory()->orgAdmin()->create();
+
+        Sanctum::actingAs($user);
+
+        $response = $this->getJson('/api/v1/auth/me');
+
+        $response->assertOk()
+            ->assertJsonPath('data.organisations.0.role', 'org_admin')
+            ->assertJsonPath('data.organisations.0.roles', ['org_admin']);
+    }
+}
diff --git a/apps/app/src/pages/forbidden.vue b/apps/app/src/pages/forbidden.vue
new file mode 100644
index 00000000..fbdf066c
--- /dev/null
+++ b/apps/app/src/pages/forbidden.vue
@@ -0,0 +1,23 @@
+<script setup lang="ts">
+definePage({
+  name: 'forbidden',
+  meta: { layout: 'PublicLayout', public: true },
+})
+</script>
+
+<template>
+  <div class="d-flex flex-column align-center justify-center pa-12">
+    <h1 class="text-h3 mb-4">
+      Geen toegang
+    </h1>
+    <p class="text-body-1 mb-6">
+      Je hebt geen toegang tot deze pagina.
+    </p>
+    <VBtn
+      :to="{ name: 'login' }"
+      color="primary"
+    >
+      Naar inloggen
+    </VBtn>
+  </div>
+</template>
diff --git a/apps/app/typed-router.d.ts b/apps/app/typed-router.d.ts
index 46301a54..940bb6a5 100644
--- a/apps/app/typed-router.d.ts
+++ b/apps/app/typed-router.d.ts
@@ -33,6 +33,7 @@ declare module 'vue-router/auto-routes' {
     'events-id-settings': RouteRecordInfo<'events-id-settings', '/events/:id/settings', { id: ParamValue<true> }, { id: ParamValue<false> }>,
     'events-id-settings-registration-fields': RouteRecordInfo<'events-id-settings-registration-fields', '/events/:id/settings/registration-fields', { id: ParamValue<true> }, { id: ParamValue<false> }>,
     'events-id-time-slots': RouteRecordInfo<'events-id-time-slots', '/events/:id/time-slots', { id: ParamValue<true> }, { id: ParamValue<false> }>,
+    'forbidden': RouteRecordInfo<'forbidden', '/forbidden', Record<never, never>, Record<never, never>>,
     'forgot-password': RouteRecordInfo<'forgot-password', '/forgot-password', Record<never, never>, Record<never, never>>,
     'invitations-token': RouteRecordInfo<'invitations-token', '/invitations/:token', { token: ParamValue<true> }, { token: ParamValue<false> }>,
     'login': RouteRecordInfo<'login', '/login', Record<never, never>, Record<never, never>>,
diff --git a/dev-docs/BACKLOG.md b/dev-docs/BACKLOG.md
index 5a47d8da..a659aa17 100644
--- a/dev-docs/BACKLOG.md
+++ b/dev-docs/BACKLOG.md
@@ -823,6 +823,38 @@ introduceert is het natuurlijke moment.
 
 ---
 
+### TECH-PIVOT-ROLES-MULTI — Multi-role per (user, organisation) pivot
+
+**Aanleiding:** WS-3 PR-B2a maakt context-aware routing op
+`me.contexts.available` en `me.organisations[].roles`. Het pivot-veld
+`organisation_user.role` is vandaag een single string (één rol per user
+per org). De resource emit `roles` als 1-element array zodat het
+frontend-contract forward-compatible is, maar het schema ondersteunt
+nog niet meerdere rollen per relatie.
+**Wat:** Architectuur-discussie + design-document, niet een directe
+schema-uitbreiding. Te beantwoorden vragen voordat dit gepland wordt:
+
+- Spatie-permission-integratie: blijft `organisation_user.role`
+  een free-form string of komt het onder `model_has_roles` met
+  team-id = organisation_id? Spatie's "teams" feature is bedoeld voor
+  precies dit scenario.
+- Multi-role-precedence: als een user `org_admin` ÉN `event_manager` is
+  binnen dezelfde organisatie, hoe resolven policies? Hoogste
+  permissie-set? Meest restrictieve? Expliciete merge?
+- Migratie-pad: bestaande pivot-rijen (single string) → array of
+  pivot-tabel naar `model_has_roles`? Backfill-strategie?
+- Frontend impact: `organisations[].role` (scalar) blijft voorlopig
+  staan voor backward-compatibility. Wanneer mag dat veld weg?
+
+**Prioriteit:** Laag — geen blocker voor B2a, B2b of de 4 kern-workflows.
+Pas oppakken wanneer een concrete use case multi-role per (user, org)
+vereist (denkbaar: festival waarbij organizer ook als crew werkt).
+**Belangrijk:** dit is GEEN simpel "voeg een kolom toe" werk. Pak het
+niet op als drive-by tijdens een ander ticket; het verdient een eigen
+ARCH-discussie en RFC.
+
+---
+
 ### ~~TECH-02 — scopeForFestival helper op Event model~~ ✅ OPGELOST
 
 ---

From 13d7b18257f2e6197e4d4f0138f4390b53414e88 Mon Sep 17 00:00:00 2001
From: "bert.hausmans" <bert@hausmans.nl>
Date: Tue, 5 May 2026 21:18:55 +0200
Subject: [PATCH 2/9] refactor(axios): split lib/axios.ts into factory +
 default + portal-token instances
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The single axios.ts file becomes a directory with:
- factory.ts — createApiClient + the registerDefaultInterceptors /
  registerPortalTokenInterceptors seam (preserves the
  TECH-AXIOS-STORE-COUPLING decoupling — no store imports inside)
- default.ts — cookie-authenticated client (organizer + cookie-auth
  portal flows; existing 45 call sites resolve unchanged)
- portal-token.ts — Bearer-auth client for the artist-advance /
  supplier-intake flows (forward-compatible groundwork; no active
  consumers today)
- index.ts — re-exports apiClient + portalApiClient + the register* /
  createApiClient surface; the existing `import { apiClient } from
  '@/lib/axios'` continues to work directory-resolved.

The bindings plugin (plugins/3.axios-bindings.ts) now wires both
clients with a shared deps base + flavour-specific overrides. The
`getPortalToken` callback returns null until Phase E surfaces
`portalToken` on useAuthStore — no current consumers exercise the
Bearer path, so the null-return is intentional placeholder.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/app/src/lib/axios/default.ts             | 10 +++
 .../src/lib/{axios.ts => axios/factory.ts}    | 84 +++++++++++++++----
 apps/app/src/lib/axios/index.ts               |  8 ++
 apps/app/src/lib/axios/portal-token.ts        | 14 ++++
 apps/app/src/plugins/3.axios-bindings.ts      | 30 +++++--
 5 files changed, 123 insertions(+), 23 deletions(-)
 create mode 100644 apps/app/src/lib/axios/default.ts
 rename apps/app/src/lib/{axios.ts => axios/factory.ts} (53%)
 create mode 100644 apps/app/src/lib/axios/index.ts
 create mode 100644 apps/app/src/lib/axios/portal-token.ts

diff --git a/apps/app/src/lib/axios/default.ts b/apps/app/src/lib/axios/default.ts
new file mode 100644
index 00000000..4c48b557
--- /dev/null
+++ b/apps/app/src/lib/axios/default.ts
@@ -0,0 +1,10 @@
+import { createApiClient } from './factory'
+
+/**
+ * Default API client — cookie-authenticated, sends X-Organisation-Id
+ * and X-Impersonate-User headers via the bindings plugin. Used by
+ * organizer + cookie-authenticated portal flows.
+ */
+const apiClient = createApiClient({ withCredentials: true })
+
+export default apiClient
diff --git a/apps/app/src/lib/axios.ts b/apps/app/src/lib/axios/factory.ts
similarity index 53%
rename from apps/app/src/lib/axios.ts
rename to apps/app/src/lib/axios/factory.ts
index 28e2f6cd..d3ec24d5 100644
--- a/apps/app/src/lib/axios.ts
+++ b/apps/app/src/lib/axios/factory.ts
@@ -3,36 +3,58 @@ import type { AxiosInstance, InternalAxiosRequestConfig } from 'axios'
 
 /**
  * Seam contract between the HTTP client and the rest of the app.
- * `lib/axios.ts` knows nothing about Pinia, stores, or routing — it
- * only invokes these callbacks. The bindings plugin
+ * Factory + register* functions know nothing about Pinia, stores, or
+ * routing — they only invoke these callbacks. The bindings plugin
  * (`plugins/3.axios-bindings.ts`) supplies the runtime closures.
+ *
+ * Originally introduced as `TECH-AXIOS-STORE-COUPLING` (closed in
+ * 53f6a7b). Preserving the seam during the WS-3 PR-B2a factory split
+ * was a deliberate decision (Bert, 2026-05-05).
  */
 export interface AxiosBindingsDeps {
-  getActiveOrgId: () => string | null
-  getImpersonationTargetUserId: () => string | null
+  getActiveOrgId?: () => string | null
+  getImpersonationTargetUserId?: () => string | null
+  getPortalToken?: () => string | null
   notify: (message: string, level: 'error' | 'warning') => void
   onAuthFail: () => void
   onImpersonationRevoked: () => void
 }
 
-const apiClient: AxiosInstance = axios.create({
-  baseURL: import.meta.env.VITE_API_URL,
-  withCredentials: true,
-  headers: {
-    'Accept': 'application/json',
-    'Content-Type': 'application/json',
-  },
-  timeout: 30000,
-})
+export interface CreateApiClientOptions {
+  withCredentials?: boolean
+  baseURL?: string
+}
 
-export function registerInterceptors(client: AxiosInstance, deps: AxiosBindingsDeps): void {
+export function createApiClient(options: CreateApiClientOptions = {}): AxiosInstance {
+  const {
+    withCredentials = true,
+    baseURL = import.meta.env.VITE_API_URL,
+  } = options
+
+  return axios.create({
+    baseURL,
+    withCredentials,
+    headers: {
+      'Accept': 'application/json',
+      'Content-Type': 'application/json',
+    },
+    timeout: 30000,
+  })
+}
+
+/**
+ * Cookie-authenticated client interceptors. Attaches X-Organisation-Id
+ * + X-Impersonate-User on every request and routes 401/403/4xx/5xx
+ * through the deps callbacks.
+ */
+export function registerDefaultInterceptors(client: AxiosInstance, deps: AxiosBindingsDeps): void {
   client.interceptors.request.use(
     (config: InternalAxiosRequestConfig) => {
-      const orgId = deps.getActiveOrgId()
+      const orgId = deps.getActiveOrgId?.()
       if (orgId)
         config.headers['X-Organisation-Id'] = orgId
 
-      const impersonationTargetUserId = deps.getImpersonationTargetUserId()
+      const impersonationTargetUserId = deps.getImpersonationTargetUserId?.()
       if (impersonationTargetUserId)
         config.headers['X-Impersonate-User'] = impersonationTargetUserId
 
@@ -44,6 +66,34 @@ export function registerInterceptors(client: AxiosInstance, deps: AxiosBindingsD
     error => { throw error },
   )
 
+  registerSharedResponseHandler(client, deps)
+}
+
+/**
+ * Portal-token (Bearer) client interceptors. Attaches
+ * Authorization: Bearer <token> when the deps callback returns a
+ * non-null token. Does NOT attach org/impersonation headers — the
+ * Bearer flow has no organisation context.
+ */
+export function registerPortalTokenInterceptors(client: AxiosInstance, deps: AxiosBindingsDeps): void {
+  client.interceptors.request.use(
+    (config: InternalAxiosRequestConfig) => {
+      const token = deps.getPortalToken?.()
+      if (token)
+        config.headers.Authorization = `Bearer ${token}`
+
+      if (import.meta.env.DEV)
+        console.log(`🚀 ${config.method?.toUpperCase()} ${config.url}`, config.data)
+
+      return config
+    },
+    error => { throw error },
+  )
+
+  registerSharedResponseHandler(client, deps)
+}
+
+function registerSharedResponseHandler(client: AxiosInstance, deps: AxiosBindingsDeps): void {
   client.interceptors.response.use(
     response => {
       if (import.meta.env.DEV)
@@ -93,5 +143,3 @@ export function registerInterceptors(client: AxiosInstance, deps: AxiosBindingsD
     },
   )
 }
-
-export { apiClient }
diff --git a/apps/app/src/lib/axios/index.ts b/apps/app/src/lib/axios/index.ts
new file mode 100644
index 00000000..79e5e394
--- /dev/null
+++ b/apps/app/src/lib/axios/index.ts
@@ -0,0 +1,8 @@
+export { default as apiClient } from './default'
+export { default as portalApiClient } from './portal-token'
+export {
+  createApiClient,
+  registerDefaultInterceptors,
+  registerPortalTokenInterceptors,
+} from './factory'
+export type { AxiosBindingsDeps, CreateApiClientOptions } from './factory'
diff --git a/apps/app/src/lib/axios/portal-token.ts b/apps/app/src/lib/axios/portal-token.ts
new file mode 100644
index 00000000..15c66b9d
--- /dev/null
+++ b/apps/app/src/lib/axios/portal-token.ts
@@ -0,0 +1,14 @@
+import { createApiClient } from './factory'
+
+/**
+ * Portal-token API client — Bearer auth, no cookies. Used by
+ * unauthenticated artist/supplier flows where the token comes from a
+ * URL parameter (artist-advance, supplier-intake — wired post-WS-3).
+ *
+ * The Bearer token is read at request time from
+ * `useAuthStore.portalToken` via the bindings plugin's
+ * `getPortalToken` callback.
+ */
+const portalApiClient = createApiClient({ withCredentials: false })
+
+export default portalApiClient
diff --git a/apps/app/src/plugins/3.axios-bindings.ts b/apps/app/src/plugins/3.axios-bindings.ts
index b58a2e3a..dc8a200e 100644
--- a/apps/app/src/plugins/3.axios-bindings.ts
+++ b/apps/app/src/plugins/3.axios-bindings.ts
@@ -1,5 +1,10 @@
 import type { App } from 'vue'
-import { apiClient, registerInterceptors } from '@/lib/axios'
+import {
+  apiClient,
+  portalApiClient,
+  registerDefaultInterceptors,
+  registerPortalTokenInterceptors,
+} from '@/lib/axios'
 import { useAuthStore } from '@/stores/useAuthStore'
 import { useImpersonationStore } from '@/stores/useImpersonationStore'
 import { useNotificationStore } from '@/stores/useNotificationStore'
@@ -10,10 +15,9 @@ import { useOrganisationStore } from '@/stores/useOrganisationStore'
 // inside each callback (not eagerly at plugin-init), which keeps the
 // seam tolerant of any future plugin-ordering changes.
 export default function (_: App): void {
-  registerInterceptors(apiClient, {
-    getActiveOrgId: () => useOrganisationStore().activeOrganisationId,
-    getImpersonationTargetUserId: () => useImpersonationStore().targetUserId,
-    notify: (message, level) => useNotificationStore().show(message, level),
+  const sharedDeps = {
+    notify: (message: string, level: 'error' | 'warning') =>
+      useNotificationStore().show(message, level),
     onAuthFail: () => {
       const authStore = useAuthStore()
       if (authStore.isInitialized)
@@ -23,5 +27,21 @@ export default function (_: App): void {
       useImpersonationStore().clearState()
       window.location.href = '/platform'
     },
+  }
+
+  registerDefaultInterceptors(apiClient, {
+    ...sharedDeps,
+    getActiveOrgId: () => useOrganisationStore().activeOrganisationId,
+    getImpersonationTargetUserId: () => useImpersonationStore().targetUserId,
+  })
+
+  registerPortalTokenInterceptors(portalApiClient, {
+    ...sharedDeps,
+
+    getPortalToken: () => {
+      const authStore = useAuthStore() as unknown as { portalToken?: string | null }
+
+      return authStore.portalToken ?? null
+    },
   })
 }

From f2b08ecb21538a8e9d4f9b518e6e0f80d3f0554c Mon Sep 17 00:00:00 2001
From: "bert.hausmans" <bert@hausmans.nl>
Date: Tue, 5 May 2026 21:25:24 +0200
Subject: [PATCH 3/9] refactor(auth): merge usePortalAuthStore into
 useAuthStore with context-aware getters
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

usePortalAuthStore is deleted — its 114 lines were a slim wrapper over
the same /auth/me endpoint useAuthStore already consumes. The merged
store gains the full set of additions Bert specified for B2a:

State:
- availableContexts / defaultContext (from /auth/me contexts block)
- lastContext (localStorage-persisted)
- portalToken (in-memory only, for the bearer-axios flavour)

Getters: isPortalUser, isOrganizerUser, isPlatformAdmin (alias of
isSuperAdmin), showContextSwitcher, hasRole(), hasAnyRole().

Actions: login(), verifyMfa() — both return typed discriminated
unions so login.vue (Phase H) consumes results without branching on
raw API response shapes. setLastContext, setPortalToken,
resolveLandingRoute, clearAll. clearAll dynamically imports
usePortalStore.reset() to clear portal sessionStorage on session-end —
this is the canonical session-cleanup hub now that the merge has
happened.

5 source files migrated from usePortalAuthStore → useAuthStore. The
PortalLayout.spec.ts mock follows. The boundaries matrix gains a
single new edge (`stores → stores-portal`) replacing the deleted
stores-portal/usePortalAuthStore which previously owned that
cross-zone call.

Adds 16 vitest specs in src/stores/__tests__/useAuthStore.spec.ts
covering setUser context hydration, hasRole/hasAnyRole, lastContext
localStorage persistence, resolveLandingRoute precedence
(portal/organizer/super_admin/multi-role/forceContext/forbidden
fallback), portalToken state, and clearAll cleanup.

Test count 162 → 178 (16 new). Frontend lint + typecheck clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/app/.eslintrc.cjs                        |   8 +-
 .../src/components/portal/UserAvatarMenu.vue  |   4 +-
 apps/app/src/layouts/PortalLayout.vue         |   4 +-
 .../layouts/__tests__/PortalLayout.spec.ts    |   4 +-
 apps/app/src/pages/portal/profiel.vue         |   4 +-
 apps/app/src/pages/portal/shifts/index.vue    |   4 +-
 .../src/stores/__tests__/useAuthStore.spec.ts | 233 +++++++++++++++++
 .../src/stores/portal/usePortalAuthStore.ts   | 114 ---------
 apps/app/src/stores/useAuthStore.ts           | 234 +++++++++++++++++-
 apps/app/src/types/auth.ts                    |  57 +++++
 10 files changed, 537 insertions(+), 129 deletions(-)
 create mode 100644 apps/app/src/stores/__tests__/useAuthStore.spec.ts
 delete mode 100644 apps/app/src/stores/portal/usePortalAuthStore.ts

diff --git a/apps/app/.eslintrc.cjs b/apps/app/.eslintrc.cjs
index 4c9a83d6..8da0dda4 100644
--- a/apps/app/.eslintrc.cjs
+++ b/apps/app/.eslintrc.cjs
@@ -230,7 +230,13 @@ module.exports = {
         { from: 'composables-forms', allow: ['types', 'utils', 'lib', 'composables-forms'] },
         { from: 'composables', allow: ['types', 'utils', 'lib', 'composables', 'composables-forms', 'stores', 'stores-portal'] },
         { from: 'stores-portal', allow: ['types', 'utils', 'lib', 'composables', 'composables-forms', 'stores', 'stores-portal'] },
-        { from: 'stores', allow: ['types', 'utils', 'lib', 'composables', 'composables-forms', 'stores'] },
+
+        // useAuthStore.clearAll() / .logout() invokes usePortalStore.reset()
+        // via dynamic import to clear portal sessionStorage on session-end.
+        // The merged auth store is the canonical session-cleanup hub — this
+        // edge replaces the deleted stores-portal/usePortalAuthStore which
+        // previously owned the cross-zone call (WS-3 PR-B2a).
+        { from: 'stores', allow: ['types', 'utils', 'lib', 'composables', 'composables-forms', 'stores', 'stores-portal'] },
         { from: 'navigation', allow: ['types', 'utils', 'navigation'] },
         { from: 'components-shared', allow: ['types', 'utils', 'lib', 'composables', 'composables-forms', 'components-shared'] },
         { from: 'components-portal', allow: ['types', 'utils', 'lib', 'composables', 'composables-forms', 'stores', 'stores-portal', 'components-shared', 'components-portal'] },
diff --git a/apps/app/src/components/portal/UserAvatarMenu.vue b/apps/app/src/components/portal/UserAvatarMenu.vue
index 8c7ed491..2949d239 100644
--- a/apps/app/src/components/portal/UserAvatarMenu.vue
+++ b/apps/app/src/components/portal/UserAvatarMenu.vue
@@ -1,7 +1,7 @@
 <script setup lang="ts">
-import { usePortalAuthStore } from '@/stores/portal/usePortalAuthStore'
+import { useAuthStore } from '@/stores/useAuthStore'
 
-const authStore = usePortalAuthStore()
+const authStore = useAuthStore()
 const router = useRouter()
 
 const userInitials = computed(() => {
diff --git a/apps/app/src/layouts/PortalLayout.vue b/apps/app/src/layouts/PortalLayout.vue
index 43ba3c4d..6c482b54 100644
--- a/apps/app/src/layouts/PortalLayout.vue
+++ b/apps/app/src/layouts/PortalLayout.vue
@@ -9,14 +9,14 @@
 import { useRoute, useRouter } from 'vue-router'
 import type AppLoadingIndicator from '@/components/AppLoadingIndicator.vue'
 import UserAvatarMenu from '@/components/portal/UserAvatarMenu.vue'
-import { usePortalAuthStore } from '@/stores/portal/usePortalAuthStore'
+import { useAuthStore } from '@/stores/useAuthStore'
 import { usePortalStore } from '@/stores/portal/usePortalStore'
 
 const { injectSkinClasses } = useSkins()
 
 injectSkinClasses()
 
-const authStore = usePortalAuthStore()
+const authStore = useAuthStore()
 const portal = usePortalStore()
 const route = useRoute()
 const router = useRouter()
diff --git a/apps/app/src/layouts/__tests__/PortalLayout.spec.ts b/apps/app/src/layouts/__tests__/PortalLayout.spec.ts
index 481049f0..1893045f 100644
--- a/apps/app/src/layouts/__tests__/PortalLayout.spec.ts
+++ b/apps/app/src/layouts/__tests__/PortalLayout.spec.ts
@@ -13,8 +13,8 @@ vi.mock('vue-router', async importOriginal => ({
   useRoute: () => ({ meta: {} }),
   useRouter: () => ({ push: vi.fn() }),
 }))
-vi.mock('@/stores/portal/usePortalAuthStore', () => ({
-  usePortalAuthStore: () => ({
+vi.mock('@/stores/useAuthStore', () => ({
+  useAuthStore: () => ({
     isAuthenticated: false,
     user: null,
     logout: vi.fn(),
diff --git a/apps/app/src/pages/portal/profiel.vue b/apps/app/src/pages/portal/profiel.vue
index da2c7db0..9ea7b44b 100644
--- a/apps/app/src/pages/portal/profiel.vue
+++ b/apps/app/src/pages/portal/profiel.vue
@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { isAxiosError } from 'axios'
-import { usePortalAuthStore } from '@/stores/portal/usePortalAuthStore'
+import { useAuthStore } from '@/stores/useAuthStore'
 import { usePortalStore } from '@/stores/portal/usePortalStore'
 import { useUpdatePassword, useUpdateProfile } from '@/composables/api/portal/usePortalProfile'
 import {
@@ -27,7 +27,7 @@ definePage({
   },
 })
 
-const authStore = usePortalAuthStore()
+const authStore = useAuthStore()
 const portal = usePortalStore()
 const router = useRouter()
 const route = useRoute()
diff --git a/apps/app/src/pages/portal/shifts/index.vue b/apps/app/src/pages/portal/shifts/index.vue
index 9f544b26..fc24f9f6 100644
--- a/apps/app/src/pages/portal/shifts/index.vue
+++ b/apps/app/src/pages/portal/shifts/index.vue
@@ -1,6 +1,6 @@
 <script setup lang="ts">
 import { useAllMyShifts } from '@/composables/api/portal/usePortalShifts'
-import { usePortalAuthStore } from '@/stores/portal/usePortalAuthStore'
+import { useAuthStore } from '@/stores/useAuthStore'
 import type { AllMyShiftsAssignment } from '@/types/portal-shift'
 
 definePage({
@@ -12,7 +12,7 @@ definePage({
   },
 })
 
-const auth = usePortalAuthStore()
+const auth = useAuthStore()
 const { data: eventGroups, isLoading, isError, refetch } = useAllMyShifts()
 
 const statusConfig: Record<string, { label: string; color: string }> = {
diff --git a/apps/app/src/stores/__tests__/useAuthStore.spec.ts b/apps/app/src/stores/__tests__/useAuthStore.spec.ts
new file mode 100644
index 00000000..8d929520
--- /dev/null
+++ b/apps/app/src/stores/__tests__/useAuthStore.spec.ts
@@ -0,0 +1,233 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+import { createPinia, setActivePinia } from 'pinia'
+import type { MeResponse } from '@/types/auth'
+
+vi.mock('@/lib/axios', () => ({
+  apiClient: { get: vi.fn(), post: vi.fn() },
+}))
+
+vi.mock('@/utils/deviceFingerprint', () => ({
+  generateDeviceFingerprint: () => 'test-fingerprint',
+}))
+
+const useAuthStore = (await import('@/stores/useAuthStore')).useAuthStore
+
+function makeMe(overrides: Partial<MeResponse> = {}): MeResponse {
+  return {
+    id: '01ABC',
+    first_name: 'Test',
+    last_name: 'User',
+    full_name: 'Test User',
+    date_of_birth: null,
+    email: 'test@example.nl',
+    phone: null,
+    timezone: 'Europe/Amsterdam',
+    locale: 'nl',
+    avatar: null,
+    organisations: [],
+    app_roles: [],
+    permissions: [],
+    ...overrides,
+  }
+}
+
+describe('useAuthStore — context-aware additions (WS-3 PR-B2a)', () => {
+  beforeEach(() => {
+    setActivePinia(createPinia())
+    localStorage.clear()
+  })
+
+  describe('setUser populates contexts', () => {
+    it('uses backend contexts block when present', () => {
+      const store = useAuthStore()
+
+      store.setUser(makeMe({
+        contexts: { available: ['portal', 'organizer'], default: 'organizer' },
+        platform: { is_super_admin: false },
+      }))
+
+      expect(store.availableContexts).toEqual(['portal', 'organizer'])
+      expect(store.defaultContext).toBe('organizer')
+      expect(store.showContextSwitcher).toBe(true)
+    })
+
+    it('falls back to local derivation when contexts is missing', () => {
+      const store = useAuthStore()
+
+      store.setUser(makeMe({
+        organisations: [{ id: '01', name: 'Org', slug: 'org', role: 'org_admin' }],
+        app_roles: ['org_admin'],
+      }))
+
+      expect(store.availableContexts).toContain('organizer')
+      expect(store.defaultContext).toBe('organizer')
+    })
+
+    it('exposes isPortalUser / isOrganizerUser based on availableContexts', () => {
+      const store = useAuthStore()
+
+      store.setUser(makeMe({
+        contexts: { available: ['portal'], default: 'portal' },
+      }))
+
+      expect(store.isPortalUser).toBe(true)
+      expect(store.isOrganizerUser).toBe(false)
+      expect(store.showContextSwitcher).toBe(false)
+    })
+  })
+
+  describe('hasRole / hasAnyRole', () => {
+    it('checks app_roles', () => {
+      const store = useAuthStore()
+
+      store.setUser(makeMe({ app_roles: ['org_admin', 'event_manager'] }))
+
+      expect(store.hasRole('org_admin')).toBe(true)
+      expect(store.hasRole('super_admin')).toBe(false)
+      expect(store.hasAnyRole(['super_admin', 'event_manager'])).toBe(true)
+      expect(store.hasAnyRole(['super_admin', 'org_member'])).toBe(false)
+    })
+  })
+
+  describe('lastContext localStorage persistence', () => {
+    it('writes to localStorage on setLastContext', () => {
+      const store = useAuthStore()
+
+      store.setLastContext('portal')
+
+      expect(localStorage.getItem('crewli:lastContext')).toBe('portal')
+      expect(store.lastContext).toBe('portal')
+    })
+
+    it('reads from localStorage on store init', () => {
+      localStorage.setItem('crewli:lastContext', 'organizer')
+
+      const store = useAuthStore()
+
+      expect(store.lastContext).toBe('organizer')
+    })
+
+    it('rejects malformed localStorage values', () => {
+      localStorage.setItem('crewli:lastContext', 'invalid-junk')
+
+      const store = useAuthStore()
+
+      expect(store.lastContext).toBeNull()
+    })
+  })
+
+  describe('resolveLandingRoute precedence', () => {
+    it('routes to portal when only portal context is available', () => {
+      const store = useAuthStore()
+
+      store.setUser(makeMe({
+        contexts: { available: ['portal'], default: 'portal' },
+      }))
+
+      const target = store.resolveLandingRoute()
+
+      expect(target).toEqual({ path: '/portal/evenementen' })
+    })
+
+    it('routes to organizer dashboard when only organizer context is available', () => {
+      const store = useAuthStore()
+
+      store.setUser(makeMe({
+        organisations: [{ id: '01', name: 'Org', slug: 'org', role: 'org_admin' }],
+        app_roles: ['org_admin'],
+        contexts: { available: ['organizer'], default: 'organizer' },
+      }))
+
+      expect(store.resolveLandingRoute()).toEqual({ name: 'dashboard' })
+    })
+
+    it('routes to platform dashboard for super_admin without an active org', () => {
+      const store = useAuthStore()
+
+      store.setUser(makeMe({
+        organisations: [],
+        app_roles: ['super_admin'],
+        contexts: { available: ['organizer'], default: 'organizer' },
+      }))
+
+      expect(store.resolveLandingRoute()).toEqual({ name: 'platform' })
+    })
+
+    it('multi-role user — defaultContext wins when no lastContext is set', () => {
+      const store = useAuthStore()
+
+      store.setUser(makeMe({
+        organisations: [{ id: '01', name: 'Org', slug: 'org', role: 'org_admin' }],
+        app_roles: ['org_admin'],
+        contexts: { available: ['portal', 'organizer'], default: 'organizer' },
+      }))
+
+      expect(store.resolveLandingRoute()).toEqual({ name: 'dashboard' })
+    })
+
+    it('multi-role user — lastContext overrides defaultContext', () => {
+      localStorage.setItem('crewli:lastContext', 'portal')
+
+      const store = useAuthStore()
+
+      store.setUser(makeMe({
+        organisations: [{ id: '01', name: 'Org', slug: 'org', role: 'org_admin' }],
+        app_roles: ['org_admin'],
+        contexts: { available: ['portal', 'organizer'], default: 'organizer' },
+      }))
+
+      expect(store.resolveLandingRoute()).toEqual({ path: '/portal/evenementen' })
+    })
+
+    it('forceContext overrides both lastContext and defaultContext', () => {
+      const store = useAuthStore()
+
+      store.setUser(makeMe({
+        organisations: [{ id: '01', name: 'Org', slug: 'org', role: 'org_admin' }],
+        app_roles: ['org_admin'],
+        contexts: { available: ['portal', 'organizer'], default: 'organizer' },
+      }))
+      store.setLastContext('organizer')
+
+      expect(store.resolveLandingRoute('portal')).toEqual({ path: '/portal/evenementen' })
+    })
+
+    it('returns forbidden when user has no contexts available', () => {
+      const store = useAuthStore()
+
+      expect(store.resolveLandingRoute()).toEqual({ name: 'forbidden' })
+    })
+  })
+
+  describe('portalToken state', () => {
+    it('setPortalToken updates the in-memory token', () => {
+      const store = useAuthStore()
+
+      expect(store.portalToken).toBeNull()
+      store.setPortalToken('abc-token')
+      expect(store.portalToken).toBe('abc-token')
+      store.setPortalToken(null)
+      expect(store.portalToken).toBeNull()
+    })
+  })
+
+  describe('clearAll', () => {
+    it('clears state, lastContext localStorage, and portalToken', async () => {
+      const store = useAuthStore()
+
+      store.setUser(makeMe({
+        contexts: { available: ['portal'], default: 'portal' },
+      }))
+      store.setLastContext('portal')
+      store.setPortalToken('token')
+
+      await store.clearAll()
+
+      expect(store.user).toBeNull()
+      expect(store.availableContexts).toEqual([])
+      expect(store.lastContext).toBeNull()
+      expect(store.portalToken).toBeNull()
+      expect(localStorage.getItem('crewli:lastContext')).toBeNull()
+    })
+  })
+})
diff --git a/apps/app/src/stores/portal/usePortalAuthStore.ts b/apps/app/src/stores/portal/usePortalAuthStore.ts
deleted file mode 100644
index dcbc7094..00000000
--- a/apps/app/src/stores/portal/usePortalAuthStore.ts
+++ /dev/null
@@ -1,114 +0,0 @@
-import { defineStore } from 'pinia'
-import { computed, ref } from 'vue'
-import { apiClient } from '@/lib/axios'
-import type { AuthMeUser } from '@/types/portal'
-
-export const usePortalAuthStore = defineStore('portalAuth', () => {
-  const user = ref<AuthMeUser | null>(null)
-  const isInitialized = ref(false)
-
-  const isAuthenticated = computed(() => !!user.value)
-
-  function setUser(data: AuthMeUser | null) {
-    user.value = data
-  }
-
-  async function resetPortalStoresSync(): Promise<void> {
-    const { usePortalStore } = await import('@/stores/portal/usePortalStore')
-
-    usePortalStore().reset()
-  }
-
-  function clearState() {
-    user.value = null
-    void resetPortalStoresSync()
-  }
-
-  function handleUnauthorized() {
-    clearState()
-
-    // Do NOT reset isInitialized — the full page reload (below) resets all JS state.
-    // Resetting it here causes a race condition: the async 401 interceptor fires
-    // after doInitialize() sets isInitialized=true, putting the app back into
-    // a loading state that never resolves.
-
-    if (typeof window !== 'undefined') {
-      const path = window.location.pathname
-      const publicPaths = ['/login', '/wachtwoord-vergeten', '/wachtwoord-resetten', '/verify-email-change']
-      if (!publicPaths.some(p => path.startsWith(p)) && !path.startsWith('/register'))
-        window.location.href = '/login'
-    }
-  }
-
-  async function login(email: string, password: string): Promise<void> {
-    const { data } = await apiClient.post<{
-      success: boolean
-      data: { user: AuthMeUser }
-    }>('/auth/login', { email, password })
-
-    // Token is set automatically via httpOnly Set-Cookie header
-    setUser(data.data.user)
-
-    // Validate by fetching full user data
-    const ok = await fetchUser()
-    if (!ok)
-      throw new Error('Sessie kon niet worden gestart.')
-  }
-
-  async function fetchUser(): Promise<boolean> {
-    try {
-      const { data } = await apiClient.get<{ success: boolean; data: AuthMeUser }>('/auth/me')
-
-      setUser(data.data)
-
-      return true
-    }
-    catch {
-      clearState()
-
-      return false
-    }
-  }
-
-  async function logout(): Promise<void> {
-    try {
-      await apiClient.post('/auth/logout')
-    }
-    catch {
-      // Ignore network errors; still clear local session
-    }
-    clearState()
-  }
-
-  let initializePromise: Promise<void> | null = null
-
-  function initialize(): Promise<void> {
-    if (isInitialized.value)
-      return Promise.resolve()
-    if (!initializePromise)
-      initializePromise = doInitialize()
-
-    return initializePromise
-  }
-
-  async function doInitialize(): Promise<void> {
-    try {
-      await fetchUser()
-    }
-    finally {
-      isInitialized.value = true
-    }
-  }
-
-  return {
-    user,
-    isAuthenticated,
-    isInitialized,
-    setUser,
-    login,
-    logout,
-    fetchUser,
-    initialize,
-    handleUnauthorized,
-  }
-})
diff --git a/apps/app/src/stores/useAuthStore.ts b/apps/app/src/stores/useAuthStore.ts
index ef8fed32..6420df7f 100644
--- a/apps/app/src/stores/useAuthStore.ts
+++ b/apps/app/src/stores/useAuthStore.ts
@@ -1,8 +1,41 @@
 import { defineStore } from 'pinia'
 import { computed, ref } from 'vue'
+import type { RouteLocationRaw } from 'vue-router'
 import { apiClient } from '@/lib/axios'
 import { useOrganisationStore } from '@/stores/useOrganisationStore'
-import type { MeResponse, Organisation, User } from '@/types/auth'
+import { generateDeviceFingerprint } from '@/utils/deviceFingerprint'
+import type { MfaMethod } from '@/types/mfa'
+import type {
+  AuthContext,
+  ContextsBlock,
+  LoginCredentials,
+  LoginResponse,
+  LoginResult,
+  MeResponse,
+  MfaVerifyArgs,
+  MfaVerifyResult,
+  Organisation,
+  User,
+} from '@/types/auth'
+
+const LAST_CONTEXT_STORAGE_KEY = 'crewli:lastContext'
+
+function readStoredLastContext(): AuthContext | null {
+  if (typeof localStorage === 'undefined')
+    return null
+
+  const raw = localStorage.getItem(LAST_CONTEXT_STORAGE_KEY)
+
+  return raw === 'portal' || raw === 'organizer' ? raw : null
+}
+
+function writeStoredLastContext(value: AuthContext | null): void {
+  if (typeof localStorage === 'undefined')
+    return
+  if (value)
+    localStorage.setItem(LAST_CONTEXT_STORAGE_KEY, value)
+  else localStorage.removeItem(LAST_CONTEXT_STORAGE_KEY)
+}
 
 export const useAuthStore = defineStore('auth', () => {
   const user = ref<User | null>(null)
@@ -10,11 +43,20 @@ export const useAuthStore = defineStore('auth', () => {
   const appRoles = ref<string[]>([])
   const permissions = ref<string[]>([])
   const isInitialized = ref(false)
-
   const mfaSetupRequired = ref(false)
 
+  const availableContexts = ref<AuthContext[]>([])
+  const defaultContext = ref<AuthContext>('portal')
+  const lastContext = ref<AuthContext | null>(readStoredLastContext())
+  const portalToken = ref<string | null>(null)
+
   const isAuthenticated = computed(() => !!user.value)
   const isSuperAdmin = computed(() => appRoles.value?.includes('super_admin') ?? false)
+  const isPlatformAdmin = isSuperAdmin
+
+  const isPortalUser = computed(() => availableContexts.value.includes('portal'))
+  const isOrganizerUser = computed(() => availableContexts.value.includes('organizer'))
+  const showContextSwitcher = computed(() => availableContexts.value.length >= 2)
 
   const currentOrganisation = computed(() => {
     const orgStore = useOrganisationStore()
@@ -24,6 +66,14 @@ export const useAuthStore = defineStore('auth', () => {
       ?? null
   })
 
+  function hasRole(role: string): boolean {
+    return appRoles.value.includes(role)
+  }
+
+  function hasAnyRole(roles: string[]): boolean {
+    return roles.some(r => appRoles.value.includes(r))
+  }
+
   function setUser(me: MeResponse) {
     user.value = {
       id: me.id,
@@ -42,30 +92,105 @@ export const useAuthStore = defineStore('auth', () => {
     permissions.value = me.permissions
     mfaSetupRequired.value = me.mfa?.setup_required ?? false
 
+    // Context block — additive in B2a; falls back to derivation when the
+    // backend response predates the contexts enrichment (e.g. test
+    // fixtures that hand-craft a MeResponse).
+    const contexts: ContextsBlock = me.contexts ?? deriveContextsLocally(me)
+
+    availableContexts.value = contexts.available
+    defaultContext.value = contexts.default
+
     // Auto-select first organisation if none is active
     const orgStore = useOrganisationStore()
     if (!orgStore.activeOrganisationId && me.organisations.length > 0)
       orgStore.setActiveOrganisation(me.organisations[0].id)
   }
 
+  function deriveContextsLocally(me: MeResponse): ContextsBlock {
+    const isSuper = me.app_roles?.includes('super_admin') ?? false
+    const hasOrgs = (me.organisations?.length ?? 0) > 0
+
+    const available: AuthContext[] = []
+    if (hasOrgs || isSuper)
+      available.push('organizer')
+
+    const fallbackDefault: AuthContext = (hasOrgs || isSuper) ? 'organizer' : 'portal'
+
+    return { available, default: fallbackDefault }
+  }
+
   function setActiveOrganisation(id: string) {
     const orgStore = useOrganisationStore()
 
     orgStore.setActiveOrganisation(id)
   }
 
+  function setLastContext(ctx: AuthContext) {
+    lastContext.value = ctx
+    writeStoredLastContext(ctx)
+  }
+
+  function setPortalToken(token: string | null) {
+    portalToken.value = token
+  }
+
+  /**
+   * Resolve the post-login or post-context-switch landing route. A
+   * `forceContext` overrides the lastContext + defaultContext precedence
+   * (used by the context-switcher when the user explicitly chooses).
+   */
+  function resolveLandingRoute(forceContext?: AuthContext): RouteLocationRaw {
+    const ctx = forceContext ?? lastContext.value ?? defaultContext.value
+
+    if (ctx === 'portal' && availableContexts.value.includes('portal'))
+      return { path: '/portal/evenementen' }
+
+    if (ctx === 'organizer' && availableContexts.value.includes('organizer')) {
+      if (isSuperAdmin.value && organisations.value.length === 0)
+        return { name: 'platform' }
+
+      return { name: 'dashboard' }
+    }
+
+    if (availableContexts.value.includes('organizer'))
+      return { name: 'dashboard' }
+    if (availableContexts.value.includes('portal'))
+      return { path: '/portal/evenementen' }
+
+    return { name: 'forbidden' }
+  }
+
   function clearState() {
     user.value = null
     organisations.value = []
     appRoles.value = []
     permissions.value = []
     mfaSetupRequired.value = false
+    availableContexts.value = []
+    defaultContext.value = 'portal'
+    portalToken.value = null
 
     const orgStore = useOrganisationStore()
 
     orgStore.clear()
   }
 
+  /**
+   * Full reset including the lastContext localStorage preference and
+   * any portal sessionStorage state. Called on logout and 401.
+   * Cross-zone access to stores/portal is via dynamic import (the
+   * boundaries matrix forbids static `stores → stores-portal`).
+   */
+  async function clearAll(): Promise<void> {
+    clearState()
+    lastContext.value = null
+    writeStoredLastContext(null)
+
+    const { usePortalStore } = await import('@/stores/portal/usePortalStore')
+
+    usePortalStore().reset()
+  }
+
   function handleUnauthorized() {
     clearState()
 
@@ -78,7 +203,88 @@ export const useAuthStore = defineStore('auth', () => {
       window.location.href = '/login'
   }
 
-  async function logout() {
+  /**
+   * Authenticate with email + password. Returns a discriminated union
+   * the caller pattern-matches on — login.vue does not branch on raw
+   * API response shapes, only on the LoginResult kind.
+   */
+  async function login(credentials: LoginCredentials): Promise<LoginResult> {
+    try {
+      const fingerprint = generateDeviceFingerprint()
+
+      const { data } = await apiClient.post<LoginResponse>(
+        '/auth/login',
+        credentials,
+        { headers: { 'X-Device-Fingerprint': fingerprint } },
+      )
+
+      if (data.mfa_required) {
+        return {
+          kind: 'mfa-required',
+          sessionToken: data.mfa_session_token ?? '',
+          methods: (data.methods ?? []) as MfaMethod[],
+          preferredMethod: (data.preferred_method ?? 'totp') as MfaMethod,
+          expiresIn: data.expires_in ?? 600,
+        }
+      }
+
+      // Cookie has been set; populate the store from the login response's
+      // user payload. Page checks `auth.mfaSetupRequired` for routing.
+      setUser(data.data.user)
+
+      return { kind: 'authenticated' }
+    }
+    catch (err: unknown) {
+      const errorData = (err as { response?: { status?: number; data?: { message?: string; errors?: Record<string, string[]> } } }).response
+
+      if (errorData?.status === 429)
+        return { kind: 'failed', reason: 'rate_limited' }
+
+      return {
+        kind: 'failed',
+        reason: errorData?.data?.message ?? 'invalid_credentials',
+        errors: errorData?.data?.errors,
+      }
+    }
+  }
+
+  /**
+   * Verify the MFA challenge. On success, refetches /auth/me to pick up
+   * any backend-side state changes (e.g. trusted device registration).
+   */
+  async function verifyMfa(args: MfaVerifyArgs): Promise<MfaVerifyResult> {
+    try {
+      await apiClient.post('/auth/mfa/verify', {
+        mfa_session_token: args.sessionToken,
+        code: args.code,
+        method: args.method,
+        trust_device: args.trustDevice,
+        device_fingerprint: args.deviceFingerprint,
+        device_name: args.deviceName,
+      })
+
+      // Cookie set by backend on successful verify — refresh user from
+      // /auth/me. refreshUser() ignores errors silently; we re-throw
+      // here if hydration genuinely failed.
+      await refreshUser()
+
+      if (!user.value)
+        return { kind: 'failed', reason: 'hydration_failed' }
+
+      return { kind: 'authenticated' }
+    }
+    catch (err: unknown) {
+      const errorData = (err as { response?: { data?: { message?: string; errors?: Record<string, string[]> } } }).response?.data
+
+      return {
+        kind: 'failed',
+        reason: errorData?.message ?? 'invalid_code',
+        errors: errorData?.errors,
+      }
+    }
+  }
+
+  async function logout(): Promise<void> {
     try {
       await apiClient.post('/auth/logout')
     }
@@ -86,7 +292,7 @@ export const useAuthStore = defineStore('auth', () => {
       // Ignore network errors; still clear local state
     }
     finally {
-      clearState()
+      await clearAll()
     }
   }
 
@@ -105,6 +311,9 @@ export const useAuthStore = defineStore('auth', () => {
     }
   }
 
+  /** Alias kept for callers migrated from usePortalAuthStore. */
+  const fetchUser = refreshUser
+
   /**
    * Called once on app startup. Validates the httpOnly cookie by calling
    * GET /auth/me. On 401, clears everything.
@@ -144,13 +353,30 @@ export const useAuthStore = defineStore('auth', () => {
     isAuthenticated,
     isInitialized,
     isSuperAdmin,
+    isPlatformAdmin,
+    isPortalUser,
+    isOrganizerUser,
+    showContextSwitcher,
+    availableContexts,
+    defaultContext,
+    lastContext,
+    portalToken,
     currentOrganisation,
     mfaSetupRequired,
     setUser,
     setActiveOrganisation,
+    setLastContext,
+    setPortalToken,
+    resolveLandingRoute,
+    hasRole,
+    hasAnyRole,
+    login,
+    verifyMfa,
     logout,
     handleUnauthorized,
     initialize,
     refreshUser,
+    fetchUser,
+    clearAll,
   }
 })
diff --git a/apps/app/src/types/auth.ts b/apps/app/src/types/auth.ts
index 4fd5f9a2..e6d3adff 100644
--- a/apps/app/src/types/auth.ts
+++ b/apps/app/src/types/auth.ts
@@ -1,3 +1,5 @@
+import type { MfaMethod } from '@/types/mfa'
+
 export interface User {
   id: string
   first_name: string
@@ -16,6 +18,11 @@ export interface Organisation {
   name: string
   slug: string
   role: string
+
+  // Forward-compatible 1-element array form of `role`. The pivot still
+  // stores a single string today; multi-role support is tracked in
+  // BACKLOG.md as TECH-PIVOT-ROLES-MULTI.
+  roles?: string[]
 }
 
 export interface MfaUserInfo {
@@ -25,6 +32,17 @@ export interface MfaUserInfo {
   setup_required: boolean
 }
 
+export type AuthContext = 'portal' | 'organizer'
+
+export interface PlatformInfo {
+  is_super_admin: boolean
+}
+
+export interface ContextsBlock {
+  available: AuthContext[]
+  default: AuthContext
+}
+
 export interface MeResponse {
   id: string
   first_name: string
@@ -40,6 +58,8 @@ export interface MeResponse {
   app_roles: string[]
   permissions: string[]
   mfa?: MfaUserInfo
+  platform?: PlatformInfo
+  contexts?: ContextsBlock
 }
 
 export interface LoginCredentials {
@@ -61,6 +81,43 @@ export interface LoginResponse {
   mfa_setup_required?: boolean
 }
 
+/**
+ * Login outcome surfaced by useAuthStore.login() — the page consumes
+ * the discriminator and decides UI/routing. The store performs the
+ * actual API call and any state hydration; the page never owns
+ * branch logic about which API to call.
+ */
+export type LoginResult =
+  | { kind: 'authenticated' }
+  | {
+    kind: 'mfa-required'
+    sessionToken: string
+    methods: MfaMethod[]
+    preferredMethod: MfaMethod
+    expiresIn: number
+  }
+  | { kind: 'must-set-password'; userId: string }
+  | { kind: 'failed'; reason: string; errors?: Record<string, string[]> }
+
+/**
+ * MFA verification outcome surfaced by useAuthStore.verifyMfa(). The
+ * page consumes this to decide redirect vs. error display. After
+ * 'authenticated', the auth store has a valid /auth/me hydration and
+ * the page can call resolveLandingRoute().
+ */
+export type MfaVerifyResult =
+  | { kind: 'authenticated' }
+  | { kind: 'failed'; reason: string; errors?: Record<string, string[]> }
+
+export interface MfaVerifyArgs {
+  sessionToken: string
+  code: string
+  method: MfaMethod
+  trustDevice?: boolean
+  deviceFingerprint?: string
+  deviceName?: string
+}
+
 export interface ApiErrorResponse {
   success: false
   message: string

From 473b22ac9ee7f6f07309a8e5b8a633f3df5e56ee Mon Sep 17 00:00:00 2001
From: "bert.hausmans" <bert@hausmans.nl>
Date: Tue, 5 May 2026 21:32:54 +0200
Subject: [PATCH 4/9] feat(router): context-aware guards with meta-driven
 role/context resolution
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Rewrites plugins/1.router/guards.ts per ARCH-CONSOLIDATION §4.3. The
B1 portal-context carve-out is removed; portal/organizer routing is
now declarative via meta.context, role gates via meta.requiresRole.

Guard pipeline:
1. Initialize auth store on first navigation
2. Public routes pass through (authenticated user on guest-only path
   is bounced to resolveLandingRoute)
3. Auth required → /login?to=<path>
4. MFA setup gate → /account-settings?tab=security
5. requiresRole declarative check (replaces hardcoded /platform path
   prefix + isSuperAdmin)
6. Context routing — portal returns early, organizer falls through
   and sets lastContext
7. Org-selection check (organizer routes only)

Page meta updates (mechanical, idempotent):
- 4 portal pages: removed `requiresAuth: true` (auth is implicit)
- 4 pages: replaced `requiresAuth: false` with `meta.public: true`
  (registreren, wachtwoord-instellen, advance/[token],
  invitations/[token])
- 22 organizer pages: added `context: 'organizer'`
  (account-settings, events/**, organisation/form-failures/**,
  select-organisation, dashboard, events/index, members,
  organisation/{index,companies,settings})
- 8 platform pages: added `context: 'organizer'` +
  `requiresRole: 'super_admin'`
- 6 organizer pages had no definePage block — one was added with
  `context: 'organizer'`

Adds plugins/1.router/__tests__/guards.spec.ts (11 tests) covering
public passthrough, unauthenticated redirect, portal/organizer
context branching, declarative requiresRole, org-selection
redirect, MFA gate.

Test count 178 → 189 (11 new). Lint + typecheck clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/app/src/pages/account-settings/index.vue |   1 +
 apps/app/src/pages/dashboard/index.vue        |   6 +
 .../src/pages/events/[id]/artists/index.vue   |   1 +
 .../src/pages/events/[id]/briefings/index.vue |   1 +
 .../pages/events/[id]/crowd-lists/index.vue   |   1 +
 apps/app/src/pages/events/[id]/index.vue      |   1 +
 .../src/pages/events/[id]/persons/index.vue   |   1 +
 .../events/[id]/programmaonderdelen/index.vue |   1 +
 .../src/pages/events/[id]/sections/index.vue  |   1 +
 .../src/pages/events/[id]/settings/index.vue  |   1 +
 .../[id]/settings/registration-fields.vue     |   1 +
 .../pages/events/[id]/time-slots/index.vue    |   1 +
 apps/app/src/pages/events/index.vue           |   6 +
 apps/app/src/pages/invitations/[token].vue    |   2 +-
 apps/app/src/pages/members/index.vue          |   6 +
 apps/app/src/pages/organisation/companies.vue |   6 +
 .../pages/organisation/form-failures/[id].vue |   1 +
 .../organisation/form-failures/index.vue      |   1 +
 apps/app/src/pages/organisation/index.vue     |   6 +
 apps/app/src/pages/organisation/settings.vue  |   6 +
 .../src/pages/platform/activity-log/index.vue |   2 +
 .../src/pages/platform/form-failures/[id].vue |   2 +
 .../pages/platform/form-failures/index.vue    |   2 +
 apps/app/src/pages/platform/index.vue         |   2 +
 .../src/pages/platform/organisations/[id].vue |   2 +
 .../pages/platform/organisations/index.vue    |   2 +
 apps/app/src/pages/platform/users/[id].vue    |   2 +
 apps/app/src/pages/platform/users/index.vue   |   2 +
 apps/app/src/pages/portal/advance/[token].vue |   3 +-
 .../pages/portal/evenementen/[eventId].vue    |   1 -
 .../src/pages/portal/evenementen/index.vue    |   1 -
 apps/app/src/pages/portal/profiel.vue         |   1 -
 .../src/pages/portal/registreren/index.vue    |   2 +-
 apps/app/src/pages/portal/shifts/index.vue    |   1 -
 .../src/pages/portal/wachtwoord-instellen.vue |   2 +-
 apps/app/src/pages/select-organisation.vue    |   1 +
 .../plugins/1.router/__tests__/guards.spec.ts | 269 ++++++++++++++++++
 apps/app/src/plugins/1.router/guards.ts       | 124 ++++----
 38 files changed, 388 insertions(+), 84 deletions(-)
 create mode 100644 apps/app/src/plugins/1.router/__tests__/guards.spec.ts

diff --git a/apps/app/src/pages/account-settings/index.vue b/apps/app/src/pages/account-settings/index.vue
index 0a7e8a0c..effeb0a7 100644
--- a/apps/app/src/pages/account-settings/index.vue
+++ b/apps/app/src/pages/account-settings/index.vue
@@ -5,6 +5,7 @@ import NotificationsTab from '@/components/account-settings/NotificationsTab.vue
 
 definePage({
   meta: {
+    context: 'organizer',
     navActiveLink: 'account-settings',
   },
 })
diff --git a/apps/app/src/pages/dashboard/index.vue b/apps/app/src/pages/dashboard/index.vue
index 095949aa..d144efc7 100644
--- a/apps/app/src/pages/dashboard/index.vue
+++ b/apps/app/src/pages/dashboard/index.vue
@@ -1,6 +1,12 @@
 <script setup lang="ts">
 import { useAuthStore } from '@/stores/useAuthStore'
 
+definePage({
+  meta: {
+    context: 'organizer',
+  },
+})
+
 const authStore = useAuthStore()
 
 const stats = [
diff --git a/apps/app/src/pages/events/[id]/artists/index.vue b/apps/app/src/pages/events/[id]/artists/index.vue
index 2d552558..3fa6d1ad 100644
--- a/apps/app/src/pages/events/[id]/artists/index.vue
+++ b/apps/app/src/pages/events/[id]/artists/index.vue
@@ -3,6 +3,7 @@ import EventTabsNav from '@/components/events/EventTabsNav.vue'
 
 definePage({
   meta: {
+    context: 'organizer',
     navActiveLink: 'events',
   },
 })
diff --git a/apps/app/src/pages/events/[id]/briefings/index.vue b/apps/app/src/pages/events/[id]/briefings/index.vue
index 2d552558..3fa6d1ad 100644
--- a/apps/app/src/pages/events/[id]/briefings/index.vue
+++ b/apps/app/src/pages/events/[id]/briefings/index.vue
@@ -3,6 +3,7 @@ import EventTabsNav from '@/components/events/EventTabsNav.vue'
 
 definePage({
   meta: {
+    context: 'organizer',
     navActiveLink: 'events',
   },
 })
diff --git a/apps/app/src/pages/events/[id]/crowd-lists/index.vue b/apps/app/src/pages/events/[id]/crowd-lists/index.vue
index b505eb3c..062855dd 100644
--- a/apps/app/src/pages/events/[id]/crowd-lists/index.vue
+++ b/apps/app/src/pages/events/[id]/crowd-lists/index.vue
@@ -11,6 +11,7 @@ import type { CrowdList } from '@/types/crowdList'
 
 definePage({
   meta: {
+    context: 'organizer',
     navActiveLink: 'events',
   },
 })
diff --git a/apps/app/src/pages/events/[id]/index.vue b/apps/app/src/pages/events/[id]/index.vue
index a6d08552..91070c4d 100644
--- a/apps/app/src/pages/events/[id]/index.vue
+++ b/apps/app/src/pages/events/[id]/index.vue
@@ -8,6 +8,7 @@ import type { EventItem, EventStatus } from '@/types/event'
 
 definePage({
   meta: {
+    context: 'organizer',
     navActiveLink: 'events',
   },
 })
diff --git a/apps/app/src/pages/events/[id]/persons/index.vue b/apps/app/src/pages/events/[id]/persons/index.vue
index 5b4c9d80..2eb0e738 100644
--- a/apps/app/src/pages/events/[id]/persons/index.vue
+++ b/apps/app/src/pages/events/[id]/persons/index.vue
@@ -11,6 +11,7 @@ import type { Person, PersonStatus } from '@/types/person'
 
 definePage({
   meta: {
+    context: 'organizer',
     navActiveLink: 'events',
   },
 })
diff --git a/apps/app/src/pages/events/[id]/programmaonderdelen/index.vue b/apps/app/src/pages/events/[id]/programmaonderdelen/index.vue
index f15931c7..ffcd3e51 100644
--- a/apps/app/src/pages/events/[id]/programmaonderdelen/index.vue
+++ b/apps/app/src/pages/events/[id]/programmaonderdelen/index.vue
@@ -9,6 +9,7 @@ import type { EventItem, EventStatus } from '@/types/event'
 
 definePage({
   meta: {
+    context: 'organizer',
     navActiveLink: 'events',
   },
 })
diff --git a/apps/app/src/pages/events/[id]/sections/index.vue b/apps/app/src/pages/events/[id]/sections/index.vue
index e541c928..a4d24b1c 100644
--- a/apps/app/src/pages/events/[id]/sections/index.vue
+++ b/apps/app/src/pages/events/[id]/sections/index.vue
@@ -4,6 +4,7 @@ import SectionsShiftsPanel from '@/components/sections/SectionsShiftsPanel.vue'
 
 definePage({
   meta: {
+    context: 'organizer',
     navActiveLink: 'events',
   },
 })
diff --git a/apps/app/src/pages/events/[id]/settings/index.vue b/apps/app/src/pages/events/[id]/settings/index.vue
index 549f6d87..e839fb8f 100644
--- a/apps/app/src/pages/events/[id]/settings/index.vue
+++ b/apps/app/src/pages/events/[id]/settings/index.vue
@@ -8,6 +8,7 @@ import type { EventItem, UpdateEventPayload } from '@/types/event'
 
 definePage({
   meta: {
+    context: 'organizer',
     navActiveLink: 'events',
   },
 })
diff --git a/apps/app/src/pages/events/[id]/settings/registration-fields.vue b/apps/app/src/pages/events/[id]/settings/registration-fields.vue
index 1c834fed..dbeb5b22 100644
--- a/apps/app/src/pages/events/[id]/settings/registration-fields.vue
+++ b/apps/app/src/pages/events/[id]/settings/registration-fields.vue
@@ -19,6 +19,7 @@ import type { EventItem } from '@/types/event'
 
 definePage({
   meta: {
+    context: 'organizer',
     navActiveLink: 'events',
   },
 })
diff --git a/apps/app/src/pages/events/[id]/time-slots/index.vue b/apps/app/src/pages/events/[id]/time-slots/index.vue
index b63da391..6472e0ba 100644
--- a/apps/app/src/pages/events/[id]/time-slots/index.vue
+++ b/apps/app/src/pages/events/[id]/time-slots/index.vue
@@ -11,6 +11,7 @@ import type { EventItem } from '@/types/event'
 
 definePage({
   meta: {
+    context: 'organizer',
     navActiveLink: 'events',
   },
 })
diff --git a/apps/app/src/pages/events/index.vue b/apps/app/src/pages/events/index.vue
index ae1e0c87..475e757f 100644
--- a/apps/app/src/pages/events/index.vue
+++ b/apps/app/src/pages/events/index.vue
@@ -5,6 +5,12 @@ import { useAuthStore } from '@/stores/useAuthStore'
 import CreateEventDialog from '@/components/events/CreateEventDialog.vue'
 import type { EventItem, EventStatus } from '@/types/event'
 
+definePage({
+  meta: {
+    context: 'organizer',
+  },
+})
+
 const router = useRouter()
 const authStore = useAuthStore()
 
diff --git a/apps/app/src/pages/invitations/[token].vue b/apps/app/src/pages/invitations/[token].vue
index 7070f83b..d8d46500 100644
--- a/apps/app/src/pages/invitations/[token].vue
+++ b/apps/app/src/pages/invitations/[token].vue
@@ -11,7 +11,7 @@ import type { ApiErrorResponse } from '@/types/auth'
 definePage({
   meta: {
     layout: 'blank',
-    requiresAuth: false,
+    public: true,
   },
 })
 
diff --git a/apps/app/src/pages/members/index.vue b/apps/app/src/pages/members/index.vue
index a1bcfa3f..e355e30c 100644
--- a/apps/app/src/pages/members/index.vue
+++ b/apps/app/src/pages/members/index.vue
@@ -10,6 +10,12 @@ import { useOrganisationStore } from '@/stores/useOrganisationStore'
 import InviteMemberDialog from '@/components/members/InviteMemberDialog.vue'
 import type { Member, OrganisationRole } from '@/types/member'
 
+definePage({
+  meta: {
+    context: 'organizer',
+  },
+})
+
 const authStore = useAuthStore()
 const orgStore = useOrganisationStore()
 
diff --git a/apps/app/src/pages/organisation/companies.vue b/apps/app/src/pages/organisation/companies.vue
index 3e082cee..c22b7d79 100644
--- a/apps/app/src/pages/organisation/companies.vue
+++ b/apps/app/src/pages/organisation/companies.vue
@@ -4,6 +4,12 @@ import { useOrganisationStore } from '@/stores/useOrganisationStore'
 import CompanyDialog from '@/components/organisation/CompanyDialog.vue'
 import type { Company } from '@/types/organisation'
 
+definePage({
+  meta: {
+    context: 'organizer',
+  },
+})
+
 const orgStore = useOrganisationStore()
 
 const orgId = computed(() => orgStore.activeOrganisationId ?? '')
diff --git a/apps/app/src/pages/organisation/form-failures/[id].vue b/apps/app/src/pages/organisation/form-failures/[id].vue
index 5f54f8a2..38c2a07f 100644
--- a/apps/app/src/pages/organisation/form-failures/[id].vue
+++ b/apps/app/src/pages/organisation/form-failures/[id].vue
@@ -6,6 +6,7 @@ import { useOrganisationStore } from '@/stores/useOrganisationStore'
 
 definePage({
   meta: {
+    context: 'organizer',
     navActiveLink: 'organisation-form-failures',
   },
 })
diff --git a/apps/app/src/pages/organisation/form-failures/index.vue b/apps/app/src/pages/organisation/form-failures/index.vue
index b136f482..a776f39c 100644
--- a/apps/app/src/pages/organisation/form-failures/index.vue
+++ b/apps/app/src/pages/organisation/form-failures/index.vue
@@ -5,6 +5,7 @@ import { useOrganisationStore } from '@/stores/useOrganisationStore'
 
 definePage({
   meta: {
+    context: 'organizer',
     navActiveLink: 'organisation-form-failures',
   },
 })
diff --git a/apps/app/src/pages/organisation/index.vue b/apps/app/src/pages/organisation/index.vue
index 9cd7c7ab..14d4cdbb 100644
--- a/apps/app/src/pages/organisation/index.vue
+++ b/apps/app/src/pages/organisation/index.vue
@@ -4,6 +4,12 @@ import { useAuthStore } from '@/stores/useAuthStore'
 import EditOrganisationDialog from '@/components/organisations/EditOrganisationDialog.vue'
 import type { ActivityLogEntry, Organisation } from '@/types/organisation'
 
+definePage({
+  meta: {
+    context: 'organizer',
+  },
+})
+
 const authStore = useAuthStore()
 const router = useRouter()
 
diff --git a/apps/app/src/pages/organisation/settings.vue b/apps/app/src/pages/organisation/settings.vue
index 9bf386ce..be28b96b 100644
--- a/apps/app/src/pages/organisation/settings.vue
+++ b/apps/app/src/pages/organisation/settings.vue
@@ -8,6 +8,12 @@ import SettingsEmailTemplates from '@/components/organisation/settings/SettingsE
 import SettingsEmailLog from '@/components/organisation/settings/SettingsEmailLog.vue'
 import DangerZoneTab from '@/components/organisation/settings/DangerZoneTab.vue'
 
+definePage({
+  meta: {
+    context: 'organizer',
+  },
+})
+
 const route = useRoute()
 const router = useRouter()
 const orgStore = useOrganisationStore()
diff --git a/apps/app/src/pages/platform/activity-log/index.vue b/apps/app/src/pages/platform/activity-log/index.vue
index fc45a111..4e1fa01e 100644
--- a/apps/app/src/pages/platform/activity-log/index.vue
+++ b/apps/app/src/pages/platform/activity-log/index.vue
@@ -3,6 +3,8 @@ import { useAdminActivityLog } from '@/composables/api/useAdmin'
 
 definePage({
   meta: {
+    context: 'organizer',
+    requiresRole: 'super_admin',
     navActiveLink: 'platform-activity-log',
   },
 })
diff --git a/apps/app/src/pages/platform/form-failures/[id].vue b/apps/app/src/pages/platform/form-failures/[id].vue
index dbdb31c1..8eafc829 100644
--- a/apps/app/src/pages/platform/form-failures/[id].vue
+++ b/apps/app/src/pages/platform/form-failures/[id].vue
@@ -5,6 +5,8 @@ import FormFailureDetail from '@/components/form-failures/FormFailureDetail.vue'
 
 definePage({
   meta: {
+    context: 'organizer',
+    requiresRole: 'super_admin',
     navActiveLink: 'platform-form-failures',
   },
 })
diff --git a/apps/app/src/pages/platform/form-failures/index.vue b/apps/app/src/pages/platform/form-failures/index.vue
index c0ca6d95..37e67fb9 100644
--- a/apps/app/src/pages/platform/form-failures/index.vue
+++ b/apps/app/src/pages/platform/form-failures/index.vue
@@ -3,6 +3,8 @@ import FormFailuresTable from '@/components/form-failures/FormFailuresTable.vue'
 
 definePage({
   meta: {
+    context: 'organizer',
+    requiresRole: 'super_admin',
     navActiveLink: 'platform-form-failures',
   },
 })
diff --git a/apps/app/src/pages/platform/index.vue b/apps/app/src/pages/platform/index.vue
index a39e12d8..69bbe582 100644
--- a/apps/app/src/pages/platform/index.vue
+++ b/apps/app/src/pages/platform/index.vue
@@ -4,6 +4,8 @@ import type { BillingStatus } from '@/types/admin'
 
 definePage({
   meta: {
+    context: 'organizer',
+    requiresRole: 'super_admin',
     navActiveLink: 'platform',
   },
 })
diff --git a/apps/app/src/pages/platform/organisations/[id].vue b/apps/app/src/pages/platform/organisations/[id].vue
index 7cbb1934..db427ecd 100644
--- a/apps/app/src/pages/platform/organisations/[id].vue
+++ b/apps/app/src/pages/platform/organisations/[id].vue
@@ -16,6 +16,8 @@ import type { InviteMemberPayload, OrganisationRole } from '@/types/member'
 
 definePage({
   meta: {
+    context: 'organizer',
+    requiresRole: 'super_admin',
     navActiveLink: 'platform-organisations',
   },
 })
diff --git a/apps/app/src/pages/platform/organisations/index.vue b/apps/app/src/pages/platform/organisations/index.vue
index 3481d1f3..2df48f72 100644
--- a/apps/app/src/pages/platform/organisations/index.vue
+++ b/apps/app/src/pages/platform/organisations/index.vue
@@ -4,6 +4,8 @@ import type { AdminOrganisation, BillingStatus, CreateOrganisationPayload } from
 
 definePage({
   meta: {
+    context: 'organizer',
+    requiresRole: 'super_admin',
     navActiveLink: 'platform-organisations',
   },
 })
diff --git a/apps/app/src/pages/platform/users/[id].vue b/apps/app/src/pages/platform/users/[id].vue
index ac7069b7..ba4352e1 100644
--- a/apps/app/src/pages/platform/users/[id].vue
+++ b/apps/app/src/pages/platform/users/[id].vue
@@ -9,6 +9,8 @@ import type { UpdateAdminUserPayload } from '@/types/admin'
 
 definePage({
   meta: {
+    context: 'organizer',
+    requiresRole: 'super_admin',
     navActiveLink: 'platform-users',
   },
 })
diff --git a/apps/app/src/pages/platform/users/index.vue b/apps/app/src/pages/platform/users/index.vue
index 378ec13e..27b9b4a6 100644
--- a/apps/app/src/pages/platform/users/index.vue
+++ b/apps/app/src/pages/platform/users/index.vue
@@ -8,6 +8,8 @@ import type { AdminUser } from '@/types/admin'
 
 definePage({
   meta: {
+    context: 'organizer',
+    requiresRole: 'super_admin',
     navActiveLink: 'platform-users',
   },
 })
diff --git a/apps/app/src/pages/portal/advance/[token].vue b/apps/app/src/pages/portal/advance/[token].vue
index 28bf7dee..0ca1a670 100644
--- a/apps/app/src/pages/portal/advance/[token].vue
+++ b/apps/app/src/pages/portal/advance/[token].vue
@@ -3,8 +3,7 @@ definePage({
   name: 'artist-advance',
   meta: {
     layout: 'PortalLayout',
-    requiresAuth: false,
-    requiresToken: true,
+    public: true,
     context: 'portal',
   },
 })
diff --git a/apps/app/src/pages/portal/evenementen/[eventId].vue b/apps/app/src/pages/portal/evenementen/[eventId].vue
index df8b5b79..b4433e33 100644
--- a/apps/app/src/pages/portal/evenementen/[eventId].vue
+++ b/apps/app/src/pages/portal/evenementen/[eventId].vue
@@ -9,7 +9,6 @@ definePage({
   name: 'portal-event-detail',
   meta: {
     layout: 'PortalLayout',
-    requiresAuth: true,
     context: 'portal',
     navMode: 'event',
   },
diff --git a/apps/app/src/pages/portal/evenementen/index.vue b/apps/app/src/pages/portal/evenementen/index.vue
index a6b3aa23..d966191d 100644
--- a/apps/app/src/pages/portal/evenementen/index.vue
+++ b/apps/app/src/pages/portal/evenementen/index.vue
@@ -6,7 +6,6 @@ definePage({
   name: 'portal-evenementen',
   meta: {
     layout: 'PortalLayout',
-    requiresAuth: true,
     context: 'portal',
     navMode: 'platform',
     navTitle: 'Mijn evenementen',
diff --git a/apps/app/src/pages/portal/profiel.vue b/apps/app/src/pages/portal/profiel.vue
index 9ea7b44b..a6cd205e 100644
--- a/apps/app/src/pages/portal/profiel.vue
+++ b/apps/app/src/pages/portal/profiel.vue
@@ -20,7 +20,6 @@ definePage({
   name: 'portal-profiel',
   meta: {
     layout: 'PortalLayout',
-    requiresAuth: true,
     context: 'portal',
     navMode: 'platform',
     navTitle: 'Mijn profiel',
diff --git a/apps/app/src/pages/portal/registreren/index.vue b/apps/app/src/pages/portal/registreren/index.vue
index cbce50bf..80bfe9c5 100644
--- a/apps/app/src/pages/portal/registreren/index.vue
+++ b/apps/app/src/pages/portal/registreren/index.vue
@@ -3,7 +3,7 @@ definePage({
   name: 'volunteer-register-info',
   meta: {
     layout: 'PortalLayout',
-    requiresAuth: false,
+    public: true,
     context: 'portal',
   },
 })
diff --git a/apps/app/src/pages/portal/shifts/index.vue b/apps/app/src/pages/portal/shifts/index.vue
index fc24f9f6..12286dd4 100644
--- a/apps/app/src/pages/portal/shifts/index.vue
+++ b/apps/app/src/pages/portal/shifts/index.vue
@@ -7,7 +7,6 @@ definePage({
   name: 'portal-shifts',
   meta: {
     layout: 'PortalLayout',
-    requiresAuth: true,
     context: 'portal',
   },
 })
diff --git a/apps/app/src/pages/portal/wachtwoord-instellen.vue b/apps/app/src/pages/portal/wachtwoord-instellen.vue
index 88b7ca0b..ab10b73e 100644
--- a/apps/app/src/pages/portal/wachtwoord-instellen.vue
+++ b/apps/app/src/pages/portal/wachtwoord-instellen.vue
@@ -10,7 +10,7 @@ definePage({
   name: 'set-password',
   meta: {
     layout: 'PortalLayout',
-    requiresAuth: false,
+    public: true,
     context: 'portal',
   },
 })
diff --git a/apps/app/src/pages/select-organisation.vue b/apps/app/src/pages/select-organisation.vue
index 8c8907ed..a26d9599 100644
--- a/apps/app/src/pages/select-organisation.vue
+++ b/apps/app/src/pages/select-organisation.vue
@@ -6,6 +6,7 @@ import { useOrganisationStore } from '@/stores/useOrganisationStore'
 
 definePage({
   meta: {
+    context: 'organizer',
     layout: 'blank',
   },
 })
diff --git a/apps/app/src/plugins/1.router/__tests__/guards.spec.ts b/apps/app/src/plugins/1.router/__tests__/guards.spec.ts
new file mode 100644
index 00000000..8d9231b8
--- /dev/null
+++ b/apps/app/src/plugins/1.router/__tests__/guards.spec.ts
@@ -0,0 +1,269 @@
+import { beforeEach, describe, expect, it, vi } from 'vitest'
+import { createPinia, setActivePinia } from 'pinia'
+import type { NavigationGuard, RouteLocationNormalized, Router } from 'vue-router'
+import type { MeResponse } from '@/types/auth'
+
+vi.mock('@/lib/axios', () => ({
+  apiClient: { get: vi.fn(), post: vi.fn() },
+}))
+
+vi.mock('@/utils/deviceFingerprint', () => ({
+  generateDeviceFingerprint: () => 'test-fingerprint',
+}))
+
+const { setupGuards } = await import('@/plugins/1.router/guards')
+const { useAuthStore } = await import('@/stores/useAuthStore')
+const { useOrganisationStore } = await import('@/stores/useOrganisationStore')
+
+function captureGuard(): NavigationGuard {
+  let guard: NavigationGuard | null = null
+
+  const router = {
+    beforeEach: (fn: NavigationGuard) => {
+      guard = fn
+    },
+  } as unknown as Router
+
+  setupGuards(router)
+
+  if (!guard)
+    throw new Error('guard not captured')
+
+  return guard
+}
+
+function makeRoute(overrides: Partial<RouteLocationNormalized> = {}): RouteLocationNormalized {
+  return {
+    path: '/',
+    fullPath: '/',
+    name: undefined,
+    meta: {},
+    params: {},
+    query: {},
+    hash: '',
+    matched: [],
+    redirectedFrom: undefined,
+    ...overrides,
+  } as RouteLocationNormalized
+}
+
+function hydrate(me: Partial<MeResponse> = {}): void {
+  const auth = useAuthStore()
+
+  auth.setUser({
+    id: '01ABC',
+    first_name: 'Test',
+    last_name: 'User',
+    full_name: 'Test User',
+    date_of_birth: null,
+    email: 'test@example.nl',
+    phone: null,
+    timezone: 'Europe/Amsterdam',
+    locale: 'nl',
+    avatar: null,
+    organisations: [],
+    app_roles: [],
+    permissions: [],
+    ...me,
+  })
+
+  // initialize() is guarded by isInitialized; flip it directly so the
+  // guard's first-step initialize() short-circuits without touching
+  // the mocked apiClient.
+  ;(auth as unknown as { isInitialized: boolean }).isInitialized = true
+}
+
+describe('router guards (WS-3 PR-B2a)', () => {
+  let guard: NavigationGuard
+
+  beforeEach(() => {
+    setActivePinia(createPinia())
+    localStorage.clear()
+    guard = captureGuard()
+
+    // Default: store starts uninitialized; tests opt-in via hydrate()
+    const auth = useAuthStore()
+
+    ;(auth as unknown as { isInitialized: boolean }).isInitialized = true
+  })
+
+  it('public routes pass through', async () => {
+    const result = await guard(
+      makeRoute({ path: '/login', meta: { public: true } }),
+      makeRoute(),
+      () => {},
+    )
+
+    expect(result).toBe(true)
+  })
+
+  it('redirects unauthenticated user to login with `?to=` query', async () => {
+    const result = await guard(
+      makeRoute({ path: '/events', fullPath: '/events', meta: {} }),
+      makeRoute(),
+      () => {},
+    )
+
+    expect(result).toEqual({ name: 'login', query: { to: '/events' } })
+  })
+
+  it('portal route passes when user has portal context', async () => {
+    hydrate({
+      contexts: { available: ['portal'], default: 'portal' },
+    })
+
+    const result = await guard(
+      makeRoute({ path: '/portal/evenementen', meta: { context: 'portal' } }),
+      makeRoute(),
+      () => {},
+    )
+
+    expect(result).toBe(true)
+    expect(useAuthStore().lastContext).toBe('portal')
+  })
+
+  it('portal route forbidden for organizer-only user', async () => {
+    hydrate({
+      organisations: [{ id: '01', name: 'Org', slug: 'org', role: 'org_admin' }],
+      app_roles: ['org_admin'],
+      contexts: { available: ['organizer'], default: 'organizer' },
+    })
+
+    // Pre-select org so the guard doesn't redirect to select-organisation.
+    useOrganisationStore().setActiveOrganisation('01')
+
+    const result = await guard(
+      makeRoute({ path: '/portal/evenementen', meta: { context: 'portal' } }),
+      makeRoute(),
+      () => {},
+    )
+
+    expect(result).toEqual({ name: 'forbidden' })
+  })
+
+  it('organizer route sets lastContext to organizer for multi-role user', async () => {
+    hydrate({
+      organisations: [{ id: '01', name: 'Org', slug: 'org', role: 'org_admin' }],
+      app_roles: ['org_admin'],
+      contexts: { available: ['portal', 'organizer'], default: 'organizer' },
+    })
+    useOrganisationStore().setActiveOrganisation('01')
+
+    const result = await guard(
+      makeRoute({ path: '/events', meta: { context: 'organizer' } }),
+      makeRoute(),
+      () => {},
+    )
+
+    expect(result).toBe(true)
+    expect(useAuthStore().lastContext).toBe('organizer')
+  })
+
+  it('platform route forbidden for non-super_admin (declarative requiresRole)', async () => {
+    hydrate({
+      organisations: [{ id: '01', name: 'Org', slug: 'org', role: 'org_admin' }],
+      app_roles: ['org_admin'],
+      contexts: { available: ['organizer'], default: 'organizer' },
+    })
+    useOrganisationStore().setActiveOrganisation('01')
+
+    const result = await guard(
+      makeRoute({
+        path: '/platform/users',
+        meta: { context: 'organizer', requiresRole: 'super_admin' },
+      }),
+      makeRoute(),
+      () => {},
+    )
+
+    expect(result).toEqual({ name: 'forbidden' })
+  })
+
+  it('platform route allowed for super_admin', async () => {
+    hydrate({
+      organisations: [],
+      app_roles: ['super_admin'],
+      contexts: { available: ['organizer'], default: 'organizer' },
+    })
+
+    const result = await guard(
+      makeRoute({
+        path: '/platform/users',
+        meta: { context: 'organizer', requiresRole: 'super_admin' },
+      }),
+      makeRoute(),
+      () => {},
+    )
+
+    expect(result).toBe(true)
+  })
+
+  it('redirects to select-organisation when org user has no active org', async () => {
+    hydrate({
+      organisations: [
+        { id: '01', name: 'Org A', slug: 'a', role: 'org_admin' },
+        { id: '02', name: 'Org B', slug: 'b', role: 'org_admin' },
+      ],
+      app_roles: ['org_admin'],
+      contexts: { available: ['organizer'], default: 'organizer' },
+    })
+    useOrganisationStore().clear()
+
+    const result = await guard(
+      makeRoute({ path: '/events', fullPath: '/events', meta: { context: 'organizer' } }),
+      makeRoute(),
+      () => {},
+    )
+
+    expect(result).toEqual({ path: '/select-organisation', query: { to: '/events' } })
+  })
+
+  it('does not redirect portal-context route to select-organisation', async () => {
+    hydrate({
+      organisations: [{ id: '01', name: 'Org', slug: 'org', role: 'org_admin' }],
+      app_roles: ['org_admin'],
+      contexts: { available: ['portal', 'organizer'], default: 'organizer' },
+    })
+    useOrganisationStore().clear()
+
+    const result = await guard(
+      makeRoute({ path: '/portal/evenementen', meta: { context: 'portal' } }),
+      makeRoute(),
+      () => {},
+    )
+
+    expect(result).toBe(true)
+  })
+
+  it('redirects authenticated user away from login back to landing route', async () => {
+    hydrate({
+      contexts: { available: ['portal'], default: 'portal' },
+    })
+
+    const result = await guard(
+      makeRoute({ path: '/login', meta: { public: true } }),
+      makeRoute(),
+      () => {},
+    )
+
+    expect(result).toEqual({ path: '/portal/evenementen' })
+  })
+
+  it('MFA setup gate redirects to /account-settings when mfaSetupRequired', async () => {
+    hydrate({
+      organisations: [{ id: '01', name: 'Org', slug: 'org', role: 'org_admin' }],
+      app_roles: ['org_admin'],
+      mfa: { enabled: false, method: null, confirmed_at: null, setup_required: true },
+      contexts: { available: ['organizer'], default: 'organizer' },
+    })
+    useOrganisationStore().setActiveOrganisation('01')
+
+    const result = await guard(
+      makeRoute({ path: '/events', meta: { context: 'organizer' } }),
+      makeRoute(),
+      () => {},
+    )
+
+    expect(result).toEqual({ path: '/account-settings', query: { tab: 'security' } })
+  })
+})
diff --git a/apps/app/src/plugins/1.router/guards.ts b/apps/app/src/plugins/1.router/guards.ts
index fa1b8ee3..329402fa 100644
--- a/apps/app/src/plugins/1.router/guards.ts
+++ b/apps/app/src/plugins/1.router/guards.ts
@@ -3,109 +3,83 @@ import { useAuthStore } from '@/stores/useAuthStore'
 import { useOrganisationStore } from '@/stores/useOrganisationStore'
 
 export function setupGuards(router: Router) {
-  router.beforeEach(async (to, from) => {
+  router.beforeEach(async to => {
     const authStore = useAuthStore()
 
-    // Wait for initialization to complete (only blocks on first navigation)
+    // Step 1 — ensure store is initialized (only blocks on first navigation).
     if (!authStore.isInitialized)
       await authStore.initialize()
 
     if (import.meta.env.DEV) {
       console.log('🔒 Router Guard:', {
         to: to.path,
-        from: from.path,
         isAuthenticated: authStore.isAuthenticated,
+        context: to.meta.context,
+        requiresRole: to.meta.requiresRole,
       })
     }
 
-    const isPublic = to.meta.public === true
-
-    // Allow public routes (login, auth pages, 404) — but redirect authenticated users away from login
-    if (isPublic) {
+    // Step 2 — public routes pass through. Authenticated users hitting a
+    // guest-only public page (login, password flows) get bounced back to
+    // their landing route to avoid the awkward "log in again" dead-end.
+    if (to.meta.public === true) {
       const guestOnlyPaths = ['/login', '/forgot-password', '/reset-password', '/verify-email-change']
-      if (authStore.isAuthenticated && guestOnlyPaths.includes(to.path)) {
-        if (import.meta.env.DEV)
-          console.log('🔄 Redirecting logged-in user away from login page')
+      if (authStore.isAuthenticated && guestOnlyPaths.includes(to.path))
+        return authStore.resolveLandingRoute()
 
-        return { name: 'dashboard' }
-      }
-      if (import.meta.env.DEV)
-        console.log('✅ Public route, allowing access')
-
-      return
+      return true
     }
 
-    // Routes that opt out of auth (e.g. invitations)
-    if (to.meta.requiresAuth === false) {
-      if (import.meta.env.DEV)
-        console.log('✅ Route does not require auth')
-
-      return
-    }
-
-    // Not authenticated → redirect to login with return URL
-    if (!authStore.isAuthenticated) {
-      if (import.meta.env.DEV)
-        console.log('🚫 Not authenticated, redirecting to login')
-
-      return { path: '/login', query: { to: to.fullPath } }
-    }
-
-    // WS-3 PR-B1 carve-out: portal-context routes (volunteers, artists,
-    // crew) don't participate in the organizer's MFA / platform-role /
-    // organisation-selection checks below. PR-B2 replaces this with full
-    // context-aware guards (per ARCH-CONSOLIDATION-2026-04 §4.3).
-    if (to.meta.context === 'portal') {
-      if (import.meta.env.DEV)
-        console.log('✅ Portal-context route, allowing access (B1 carve-out)')
-
-      return
-    }
-
-    // MFA enforcement — redirect to security settings if MFA setup is required
-    if (authStore.mfaSetupRequired && to.path !== '/account-settings') {
-      if (import.meta.env.DEV)
-        console.log('🔒 MFA setup required, redirecting to security settings')
+    // Step 3 — auth required. Save target as `?to=` so we can resume after login.
+    if (!authStore.isAuthenticated)
+      return { name: 'login', query: { to: to.fullPath } }
 
+    // Step 4 — MFA setup gate. The MFA-setup flow lives in account-settings
+    // under `?tab=security`; let users reach there to complete setup.
+    if (authStore.mfaSetupRequired && to.path !== '/account-settings')
       return { path: '/account-settings', query: { tab: 'security' } }
+
+    // Step 5 — declarative role check (replaces the legacy hard-coded
+    // `path.startsWith('/platform') && !isSuperAdmin` branch).
+    if (to.meta.requiresRole) {
+      const required = Array.isArray(to.meta.requiresRole)
+        ? to.meta.requiresRole as string[]
+        : [to.meta.requiresRole as string]
+
+      if (!authStore.hasAnyRole(required))
+        return { name: 'forbidden' }
     }
 
-    // Platform admin routes — require super_admin role
-    if (to.path.startsWith('/platform')) {
-      if (!authStore.isSuperAdmin) {
-        if (import.meta.env.DEV)
-          console.log('🚫 Not a super admin, redirecting to dashboard')
+    // Step 6 — context routing. Portal-context routes don't participate
+    // in the org-selection check below; organizer-context falls through.
+    if (to.meta.context === 'portal') {
+      if (!authStore.availableContexts.includes('portal'))
+        return { name: 'forbidden' }
 
-        return { name: 'dashboard' }
-      }
+      authStore.setLastContext('portal')
 
-      // Platform routes don't require organisation selection
-      if (import.meta.env.DEV)
-        console.log('✅ Super admin access to platform route')
-
-      return
+      return true
     }
 
-    // Authenticated — check organisation selection for routes that need it
+    if (to.meta.context === 'organizer') {
+      if (!authStore.availableContexts.includes('organizer'))
+        return { name: 'forbidden' }
+
+      authStore.setLastContext('organizer')
+    }
+
+    // Step 7 — organizer-context org-selection. Skipped for portal routes
+    // (returned at Step 6), super_admin without orgs (no org to select),
+    // and the select-organisation page itself.
     const orgStore = useOrganisationStore()
     const isSelectOrgPage = to.path === '/select-organisation'
 
-    if (isSelectOrgPage) {
-      if (import.meta.env.DEV)
-        console.log('✅ Organisation selection page')
+    if (isSelectOrgPage)
+      return true
 
-      return
-    }
+    if (authStore.organisations.length > 0 && !orgStore.hasOrganisation)
+      return { path: '/select-organisation', query: { to: to.fullPath } }
 
-    // If user has organisations but none selected → redirect to selection
-    if (authStore.organisations.length > 0 && !orgStore.hasOrganisation) {
-      if (import.meta.env.DEV)
-        console.log('🔄 No organisation selected, redirecting')
-
-      return { path: '/select-organisation' }
-    }
-
-    if (import.meta.env.DEV)
-      console.log('✅ Access granted')
+    return true
   })
 }

From 209e0ef682ea461dc9a8d55e5cb800742151b604 Mon Sep 17 00:00:00 2001
From: "bert.hausmans" <bert@hausmans.nl>
Date: Tue, 5 May 2026 21:35:32 +0200
Subject: [PATCH 5/9] feat(layout): context-switcher for multi-role users
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds components/shared/ContextSwitcher.vue — a Vuetify menu-button
that renders only when useAuthStore.showContextSwitcher is true (i.e.
the user has both portal and organizer contexts available). Click
calls useAuthStore.setLastContext + resolveLandingRoute and pushes
the new route.

Wired into both layouts:
- PortalLayout.vue: navbar right section, before UserAvatarMenu
- DefaultLayoutWithVerticalNav.vue (organizer navbar host): before
  NavbarThemeSwitcher (OrganizerLayout.vue itself is a 10-line
  wrapper around DefaultLayoutWithVerticalNav, so the component
  wires into the actual navbar host).

Boundaries matrix update: components-shared now allows `stores` so
canonical shared chrome (ContextSwitcher, future global indicators)
can read useAuthStore directly without re-homing to
components/layout/. stores-portal stays disallowed for components-
shared by design — portal-specific state has no place in shared
chrome.

Adds 3 vitest specs covering: visibility gated by
showContextSwitcher, click invokes setLastContext + router.push.

Test count 189 → 192. Frontend lint + typecheck clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 apps/app/.eslintrc.cjs                        |  8 ++-
 .../src/components/shared/ContextSwitcher.vue | 53 ++++++++++++++
 .../shared/__tests__/ContextSwitcher.spec.ts  | 72 +++++++++++++++++++
 apps/app/src/layouts/PortalLayout.vue         |  4 +-
 .../DefaultLayoutWithVerticalNav.vue          |  2 +
 5 files changed, 137 insertions(+), 2 deletions(-)
 create mode 100644 apps/app/src/components/shared/ContextSwitcher.vue
 create mode 100644 apps/app/src/components/shared/__tests__/ContextSwitcher.spec.ts

diff --git a/apps/app/.eslintrc.cjs b/apps/app/.eslintrc.cjs
index 8da0dda4..7ff5661b 100644
--- a/apps/app/.eslintrc.cjs
+++ b/apps/app/.eslintrc.cjs
@@ -238,7 +238,13 @@ module.exports = {
         // previously owned the cross-zone call (WS-3 PR-B2a).
         { from: 'stores', allow: ['types', 'utils', 'lib', 'composables', 'composables-forms', 'stores', 'stores-portal'] },
         { from: 'navigation', allow: ['types', 'utils', 'navigation'] },
-        { from: 'components-shared', allow: ['types', 'utils', 'lib', 'composables', 'composables-forms', 'components-shared'] },
+
+        // components-shared may read app-wide stores (useAuthStore,
+        // useNotificationStore — not stores-portal) so canonical shared
+        // chrome (ContextSwitcher, future global indicators) can stay in
+        // components/shared/ without re-homing to components/layout/.
+        // Portal-specific state stays out of shared by design (WS-3 PR-B2a).
+        { from: 'components-shared', allow: ['types', 'utils', 'lib', 'composables', 'composables-forms', 'stores', 'components-shared'] },
         { from: 'components-portal', allow: ['types', 'utils', 'lib', 'composables', 'composables-forms', 'stores', 'stores-portal', 'components-shared', 'components-portal'] },
         { from: 'components-organizer', allow: ['types', 'utils', 'lib', 'composables', 'composables-forms', 'stores', 'components-shared', 'components-organizer'] },
         { from: 'components', allow: ['types', 'utils', 'lib', 'composables', 'composables-forms', 'stores', 'components', 'components-shared', 'components-organizer'] },
diff --git a/apps/app/src/components/shared/ContextSwitcher.vue b/apps/app/src/components/shared/ContextSwitcher.vue
new file mode 100644
index 00000000..ef46227b
--- /dev/null
+++ b/apps/app/src/components/shared/ContextSwitcher.vue
@@ -0,0 +1,53 @@
+<script setup lang="ts">
+import { useRoute, useRouter } from 'vue-router'
+import { useAuthStore } from '@/stores/useAuthStore'
+import type { AuthContext } from '@/types/auth'
+
+const route = useRoute()
+const router = useRouter()
+const authStore = useAuthStore()
+
+const currentContext = computed<AuthContext>(() =>
+  route.meta.context === 'portal' ? 'portal' : 'organizer',
+)
+
+const otherContext = computed<AuthContext>(() =>
+  currentContext.value === 'portal' ? 'organizer' : 'portal',
+)
+
+const isVisible = computed(() => authStore.showContextSwitcher)
+
+async function switchContext(target: AuthContext): Promise<void> {
+  authStore.setLastContext(target)
+
+  await router.push(authStore.resolveLandingRoute(target))
+}
+</script>
+
+<template>
+  <VMenu v-if="isVisible">
+    <template #activator="{ props: menuProps }">
+      <VBtn
+        v-bind="menuProps"
+        variant="text"
+        prepend-icon="tabler-arrows-shuffle"
+        size="small"
+      >
+        {{ currentContext === 'portal' ? 'Portal' : 'Organizer' }}
+      </VBtn>
+    </template>
+    <VList density="compact">
+      <VListItem
+        :data-test="`switch-to-${otherContext}`"
+        @click="switchContext(otherContext)"
+      >
+        <template #prepend>
+          <VIcon :icon="otherContext === 'portal' ? 'tabler-user' : 'tabler-building'" />
+        </template>
+        <VListItemTitle>
+          Wissel naar {{ otherContext === 'portal' ? 'portal' : 'organizer' }}
+        </VListItemTitle>
+      </VListItem>
+    </VList>
+  </VMenu>
+</template>
diff --git a/apps/app/src/components/shared/__tests__/ContextSwitcher.spec.ts b/apps/app/src/components/shared/__tests__/ContextSwitcher.spec.ts
new file mode 100644
index 00000000..acca214e
--- /dev/null
+++ b/apps/app/src/components/shared/__tests__/ContextSwitcher.spec.ts
@@ -0,0 +1,72 @@
+import { describe, expect, it, vi } from 'vitest'
+import { mount } from '@vue/test-utils'
+
+const mockSetLastContext = vi.fn()
+const mockResolveLandingRoute = vi.fn(() => ({ path: '/portal/evenementen' }))
+const mockPush = vi.fn()
+
+const authStoreState: Record<string, unknown> = {
+  showContextSwitcher: true,
+  setLastContext: mockSetLastContext,
+  resolveLandingRoute: mockResolveLandingRoute,
+}
+
+vi.mock('@/stores/useAuthStore', () => ({
+  useAuthStore: () => authStoreState,
+}))
+
+vi.mock('vue-router', async importOriginal => ({
+  ...(await importOriginal<typeof import('vue-router')>()),
+  useRoute: () => ({ meta: { context: 'organizer' } }),
+  useRouter: () => ({ push: mockPush }),
+}))
+
+const ContextSwitcher = (await import('../ContextSwitcher.vue')).default
+
+const stubs = {
+  VMenu: { template: '<div data-test="menu"><slot name="activator" :props="{}" /><slot /></div>' },
+  VBtn: { template: '<button><slot /></button>' },
+  VList: { template: '<div><slot /></div>' },
+  VListItem: {
+    props: ['dataTest'],
+    template: '<div :data-test="dataTest" @click="$emit(\'click\')"><slot /></div>',
+    emits: ['click'],
+  },
+  VListItemTitle: { template: '<span><slot /></span>' },
+  VIcon: true,
+}
+
+describe('ContextSwitcher', () => {
+  it('renders when showContextSwitcher is true', () => {
+    authStoreState.showContextSwitcher = true
+
+    const wrapper = mount(ContextSwitcher, { global: { stubs } })
+
+    expect(wrapper.find('[data-test="menu"]').exists()).toBe(true)
+  })
+
+  it('does not render when showContextSwitcher is false (single-context user)', () => {
+    authStoreState.showContextSwitcher = false
+
+    const wrapper = mount(ContextSwitcher, { global: { stubs } })
+
+    expect(wrapper.find('[data-test="menu"]').exists()).toBe(false)
+  })
+
+  it('clicking the alternative context calls setLastContext and router.push', async () => {
+    authStoreState.showContextSwitcher = true
+    mockSetLastContext.mockClear()
+    mockResolveLandingRoute.mockClear()
+    mockPush.mockClear()
+
+    const wrapper = mount(ContextSwitcher, { global: { stubs } })
+
+    // current context is 'organizer' (from mocked route.meta.context),
+    // so the dropdown shows 'switch-to-portal'.
+    await wrapper.find('[data-test="switch-to-portal"]').trigger('click')
+
+    expect(mockSetLastContext).toHaveBeenCalledWith('portal')
+    expect(mockResolveLandingRoute).toHaveBeenCalledWith('portal')
+    expect(mockPush).toHaveBeenCalledWith({ path: '/portal/evenementen' })
+  })
+})
diff --git a/apps/app/src/layouts/PortalLayout.vue b/apps/app/src/layouts/PortalLayout.vue
index 6c482b54..151a29ba 100644
--- a/apps/app/src/layouts/PortalLayout.vue
+++ b/apps/app/src/layouts/PortalLayout.vue
@@ -8,6 +8,7 @@
 
 import { useRoute, useRouter } from 'vue-router'
 import type AppLoadingIndicator from '@/components/AppLoadingIndicator.vue'
+import ContextSwitcher from '@/components/shared/ContextSwitcher.vue'
 import UserAvatarMenu from '@/components/portal/UserAvatarMenu.vue'
 import { useAuthStore } from '@/stores/useAuthStore'
 import { usePortalStore } from '@/stores/portal/usePortalStore'
@@ -138,8 +139,9 @@ async function logout() {
 
         <VSpacer />
 
-        <!-- Right section: Avatar menu (desktop) -->
+        <!-- Right section: context switcher + avatar menu (desktop) -->
         <div class="d-none d-md-flex align-center">
+          <ContextSwitcher class="me-2" />
           <UserAvatarMenu />
         </div>
 
diff --git a/apps/app/src/layouts/components/DefaultLayoutWithVerticalNav.vue b/apps/app/src/layouts/components/DefaultLayoutWithVerticalNav.vue
index a80c309e..f6e09810 100644
--- a/apps/app/src/layouts/components/DefaultLayoutWithVerticalNav.vue
+++ b/apps/app/src/layouts/components/DefaultLayoutWithVerticalNav.vue
@@ -11,6 +11,7 @@ import NavSearchBar from '@/layouts/components/NavSearchBar.vue'
 import NavbarShortcuts from '@/layouts/components/NavbarShortcuts.vue'
 import NavbarThemeSwitcher from '@/layouts/components/NavbarThemeSwitcher.vue'
 import UserProfile from '@/layouts/components/UserProfile.vue'
+import ContextSwitcher from '@/components/shared/ContextSwitcher.vue'
 import OrganisationSwitcher from '@/components/layout/OrganisationSwitcher.vue'
 
 // @layouts plugin
@@ -76,6 +77,7 @@ const navItems = computed(() => {
 
         <NavSearchBar class="flex-grow-1 ms-lg-n3 min-w-0" />
 
+        <ContextSwitcher class="flex-shrink-0 me-2" />
         <NavbarThemeSwitcher class="flex-shrink-0 me-2" />
         <NavbarShortcuts class="flex-shrink-0" />
         <NavBarNotifications class="flex-shrink-0 me-1" />

From 38a94c78e97699b20d87034ea8e450b02bb5d359 Mon Sep 17 00:00:00 2001
From: "bert.hausmans" <bert@hausmans.nl>
Date: Tue, 5 May 2026 21:40:32 +0200
Subject: [PATCH 6/9] feat(auth): post-login landing route resolution per
 context
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

login.vue is rewritten to consume useAuthStore.login()'s discriminated
union — no more direct apiClient calls or branching on raw API response
shapes. The page maps result.kind to UI/routing decisions only:

- mfa-required → swap to MfaChallengeCard with the typed payload
- authenticated → resolvePostLoginTarget() (?to= relative, else
  auth.resolveLandingRoute())
- must-set-password → forward-compatible placeholder route
- failed → field-level errors + rate_limit message branch

resolveLandingRoute() now returns a string path instead of
RouteLocationRaw — the typed router accepts string-paths cleanly,
removes the cast at every call site, and lets useAuthStore.spec.ts +
guards.spec.ts assert the resolved path directly.

A13-3 minimum precaution lives in a new utility:
src/utils/postLoginRedirect.ts. The relative-only check
(`startsWith('/') && !startsWith('//')`) rejects absolute, protocol-
relative, javascript:, and data: schemes. Full domain validation lands
in WS-3 PR-B2b.

6 vitest specs in utils/__tests__/postLoginRedirect.spec.ts cover the
six rejection / passthrough scenarios.

Test count 192 → 198. Lint + typecheck clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../shared/__tests__/ContextSwitcher.spec.ts  |  4 +-
 apps/app/src/pages/login.vue                  | 97 ++++++++++---------
 .../plugins/1.router/__tests__/guards.spec.ts |  2 +-
 .../src/stores/__tests__/useAuthStore.spec.ts | 14 +--
 apps/app/src/stores/useAuthStore.ts           | 20 ++--
 .../utils/__tests__/postLoginRedirect.spec.ts | 38 ++++++++
 apps/app/src/utils/postLoginRedirect.ts       | 19 ++++
 7 files changed, 127 insertions(+), 67 deletions(-)
 create mode 100644 apps/app/src/utils/__tests__/postLoginRedirect.spec.ts
 create mode 100644 apps/app/src/utils/postLoginRedirect.ts

diff --git a/apps/app/src/components/shared/__tests__/ContextSwitcher.spec.ts b/apps/app/src/components/shared/__tests__/ContextSwitcher.spec.ts
index acca214e..d9e96a55 100644
--- a/apps/app/src/components/shared/__tests__/ContextSwitcher.spec.ts
+++ b/apps/app/src/components/shared/__tests__/ContextSwitcher.spec.ts
@@ -2,7 +2,7 @@ import { describe, expect, it, vi } from 'vitest'
 import { mount } from '@vue/test-utils'
 
 const mockSetLastContext = vi.fn()
-const mockResolveLandingRoute = vi.fn(() => ({ path: '/portal/evenementen' }))
+const mockResolveLandingRoute = vi.fn(() => '/portal/evenementen')
 const mockPush = vi.fn()
 
 const authStoreState: Record<string, unknown> = {
@@ -67,6 +67,6 @@ describe('ContextSwitcher', () => {
 
     expect(mockSetLastContext).toHaveBeenCalledWith('portal')
     expect(mockResolveLandingRoute).toHaveBeenCalledWith('portal')
-    expect(mockPush).toHaveBeenCalledWith({ path: '/portal/evenementen' })
+    expect(mockPush).toHaveBeenCalledWith('/portal/evenementen')
   })
 })
diff --git a/apps/app/src/pages/login.vue b/apps/app/src/pages/login.vue
index cd245461..009535f6 100644
--- a/apps/app/src/pages/login.vue
+++ b/apps/app/src/pages/login.vue
@@ -9,11 +9,10 @@ import authV2MaskDark from '@images/pages/misc-mask-dark.png'
 import authV2MaskLight from '@images/pages/misc-mask-light.png'
 import { VNodeRenderer } from '@layouts/components/VNodeRenderer'
 import { themeConfig } from '@themeConfig'
-import { apiClient } from '@/lib/axios'
 import { useAuthStore } from '@/stores/useAuthStore'
 import { emailValidator, requiredValidator } from '@core/utils/validators'
-import { generateDeviceFingerprint } from '@/utils/deviceFingerprint'
-import type { LoginCredentials, LoginResponse } from '@/types/auth'
+import { resolvePostLoginTarget as resolvePostLoginPath } from '@/utils/postLoginRedirect'
+import type { LoginCredentials } from '@/types/auth'
 import type { MfaMethod } from '@/types/mfa'
 
 definePage({
@@ -56,58 +55,64 @@ const authThemeImg = useGenerateImageVariant(
 
 const authThemeMask = useGenerateImageVariant(authV2MaskLight, authV2MaskDark)
 
+function resolvePostLoginTarget(): string {
+  const rawTo = route.query.to ? String(route.query.to) : ''
+
+  return resolvePostLoginPath(rawTo, () => authStore.resolveLandingRoute())
+}
+
 async function handleLogin() {
   errors.value = {}
   isPending.value = true
 
   try {
-    const fingerprint = generateDeviceFingerprint()
-
-    const { data } = await apiClient.post<LoginResponse>('/auth/login', {
+    const credentials: LoginCredentials = {
       email: form.value.email,
       password: form.value.password,
-    }, {
-      headers: { 'X-Device-Fingerprint': fingerprint },
-    })
-
-    if (data.mfa_required) {
-      mfaSessionToken.value = data.mfa_session_token!
-      mfaMethods.value = (data.methods ?? []) as MfaMethod[]
-      mfaPreferredMethod.value = data.preferred_method ?? 'totp'
-      mfaExpiresIn.value = data.expires_in ?? 600
-      showMfaChallenge.value = true
-
-      return
     }
 
-    // Normal login success
-    authStore.setUser(data.data.user)
+    const result = await authStore.login(credentials)
 
-    if (data.mfa_setup_required) {
-      router.replace('/account-settings?tab=security')
+    switch (result.kind) {
+      case 'mfa-required':
+        mfaSessionToken.value = result.sessionToken
+        mfaMethods.value = result.methods
+        mfaPreferredMethod.value = result.preferredMethod
+        mfaExpiresIn.value = result.expiresIn
+        showMfaChallenge.value = true
 
-      return
-    }
+        return
 
-    const rawTo = route.query.to ? String(route.query.to) : ''
-    const redirectTo = rawTo.startsWith('/') ? rawTo : '/dashboard'
+      case 'authenticated':
+        if (authStore.mfaSetupRequired) {
+          router.replace('/account-settings?tab=security')
 
-    router.replace(redirectTo)
-  }
-  catch (err: unknown) {
-    const errorData = (err as { response?: { data?: { message?: string; errors?: Record<string, string[]> } } }).response?.data
+          return
+        }
+        router.replace(resolvePostLoginTarget())
 
-    if (errorData?.errors) {
-      errors.value = {
-        email: errorData.errors.email?.[0] ?? '',
-        password: errorData.errors.password?.[0] ?? '',
-      }
-    }
-    else if (errorData?.message) {
-      errors.value = { email: errorData.message }
-    }
-    else {
-      errors.value = { email: 'Er is een fout opgetreden. Probeer het opnieuw.' }
+        return
+
+      case 'must-set-password':
+        // Forward-compatible — backend doesn't surface this kind today.
+        // Placeholder route until the must-set-password flow is wired.
+        router.replace('/account-settings?tab=security')
+
+        return
+
+      case 'failed':
+        if (result.errors) {
+          errors.value = {
+            email: result.errors.email?.[0] ?? '',
+            password: result.errors.password?.[0] ?? '',
+          }
+        }
+        else if (result.reason === 'rate_limited') {
+          errors.value = { email: 'Te veel pogingen. Wacht even en probeer opnieuw.' }
+        }
+        else {
+          errors.value = { email: result.reason || 'Er is een fout opgetreden. Probeer het opnieuw.' }
+        }
     }
   }
   finally {
@@ -116,14 +121,10 @@ async function handleLogin() {
 }
 
 function onMfaVerified() {
-  // After MFA verify, the response sets the auth cookie. Use refreshUser()
-  // (not initialize() — that's guarded by isInitialized and returns immediately)
-  // to call GET /auth/me with the new cookie, populating the store.
+  // After MFA verify, the response sets the auth cookie. refreshUser()
+  // hydrates the store from /auth/me with the new cookie.
   authStore.refreshUser().then(() => {
-    const rawTo = route.query.to ? String(route.query.to) : ''
-    const redirectTo = rawTo.startsWith('/') ? rawTo : '/dashboard'
-
-    router.replace(redirectTo)
+    router.replace(resolvePostLoginTarget())
   })
 }
 
diff --git a/apps/app/src/plugins/1.router/__tests__/guards.spec.ts b/apps/app/src/plugins/1.router/__tests__/guards.spec.ts
index 8d9231b8..8fc58299 100644
--- a/apps/app/src/plugins/1.router/__tests__/guards.spec.ts
+++ b/apps/app/src/plugins/1.router/__tests__/guards.spec.ts
@@ -246,7 +246,7 @@ describe('router guards (WS-3 PR-B2a)', () => {
       () => {},
     )
 
-    expect(result).toEqual({ path: '/portal/evenementen' })
+    expect(result).toBe('/portal/evenementen')
   })
 
   it('MFA setup gate redirects to /account-settings when mfaSetupRequired', async () => {
diff --git a/apps/app/src/stores/__tests__/useAuthStore.spec.ts b/apps/app/src/stores/__tests__/useAuthStore.spec.ts
index 8d929520..d26290ab 100644
--- a/apps/app/src/stores/__tests__/useAuthStore.spec.ts
+++ b/apps/app/src/stores/__tests__/useAuthStore.spec.ts
@@ -126,7 +126,7 @@ describe('useAuthStore — context-aware additions (WS-3 PR-B2a)', () => {
 
       const target = store.resolveLandingRoute()
 
-      expect(target).toEqual({ path: '/portal/evenementen' })
+      expect(target).toBe('/portal/evenementen')
     })
 
     it('routes to organizer dashboard when only organizer context is available', () => {
@@ -138,7 +138,7 @@ describe('useAuthStore — context-aware additions (WS-3 PR-B2a)', () => {
         contexts: { available: ['organizer'], default: 'organizer' },
       }))
 
-      expect(store.resolveLandingRoute()).toEqual({ name: 'dashboard' })
+      expect(store.resolveLandingRoute()).toBe('/dashboard')
     })
 
     it('routes to platform dashboard for super_admin without an active org', () => {
@@ -150,7 +150,7 @@ describe('useAuthStore — context-aware additions (WS-3 PR-B2a)', () => {
         contexts: { available: ['organizer'], default: 'organizer' },
       }))
 
-      expect(store.resolveLandingRoute()).toEqual({ name: 'platform' })
+      expect(store.resolveLandingRoute()).toBe('/platform')
     })
 
     it('multi-role user — defaultContext wins when no lastContext is set', () => {
@@ -162,7 +162,7 @@ describe('useAuthStore — context-aware additions (WS-3 PR-B2a)', () => {
         contexts: { available: ['portal', 'organizer'], default: 'organizer' },
       }))
 
-      expect(store.resolveLandingRoute()).toEqual({ name: 'dashboard' })
+      expect(store.resolveLandingRoute()).toBe('/dashboard')
     })
 
     it('multi-role user — lastContext overrides defaultContext', () => {
@@ -176,7 +176,7 @@ describe('useAuthStore — context-aware additions (WS-3 PR-B2a)', () => {
         contexts: { available: ['portal', 'organizer'], default: 'organizer' },
       }))
 
-      expect(store.resolveLandingRoute()).toEqual({ path: '/portal/evenementen' })
+      expect(store.resolveLandingRoute()).toBe('/portal/evenementen')
     })
 
     it('forceContext overrides both lastContext and defaultContext', () => {
@@ -189,13 +189,13 @@ describe('useAuthStore — context-aware additions (WS-3 PR-B2a)', () => {
       }))
       store.setLastContext('organizer')
 
-      expect(store.resolveLandingRoute('portal')).toEqual({ path: '/portal/evenementen' })
+      expect(store.resolveLandingRoute('portal')).toBe('/portal/evenementen')
     })
 
     it('returns forbidden when user has no contexts available', () => {
       const store = useAuthStore()
 
-      expect(store.resolveLandingRoute()).toEqual({ name: 'forbidden' })
+      expect(store.resolveLandingRoute()).toBe('/forbidden')
     })
   })
 
diff --git a/apps/app/src/stores/useAuthStore.ts b/apps/app/src/stores/useAuthStore.ts
index 6420df7f..3522490b 100644
--- a/apps/app/src/stores/useAuthStore.ts
+++ b/apps/app/src/stores/useAuthStore.ts
@@ -1,6 +1,5 @@
 import { defineStore } from 'pinia'
 import { computed, ref } from 'vue'
-import type { RouteLocationRaw } from 'vue-router'
 import { apiClient } from '@/lib/axios'
 import { useOrganisationStore } from '@/stores/useOrganisationStore'
 import { generateDeviceFingerprint } from '@/utils/deviceFingerprint'
@@ -135,29 +134,32 @@ export const useAuthStore = defineStore('auth', () => {
   }
 
   /**
-   * Resolve the post-login or post-context-switch landing route. A
+   * Resolve the post-login or post-context-switch landing path. A
    * `forceContext` overrides the lastContext + defaultContext precedence
    * (used by the context-switcher when the user explicitly chooses).
+   *
+   * Returns a string path (not a RouteLocationRaw object) so consumers
+   * can pass it directly to the typed router without casting.
    */
-  function resolveLandingRoute(forceContext?: AuthContext): RouteLocationRaw {
+  function resolveLandingRoute(forceContext?: AuthContext): string {
     const ctx = forceContext ?? lastContext.value ?? defaultContext.value
 
     if (ctx === 'portal' && availableContexts.value.includes('portal'))
-      return { path: '/portal/evenementen' }
+      return '/portal/evenementen'
 
     if (ctx === 'organizer' && availableContexts.value.includes('organizer')) {
       if (isSuperAdmin.value && organisations.value.length === 0)
-        return { name: 'platform' }
+        return '/platform'
 
-      return { name: 'dashboard' }
+      return '/dashboard'
     }
 
     if (availableContexts.value.includes('organizer'))
-      return { name: 'dashboard' }
+      return '/dashboard'
     if (availableContexts.value.includes('portal'))
-      return { path: '/portal/evenementen' }
+      return '/portal/evenementen'
 
-    return { name: 'forbidden' }
+    return '/forbidden'
   }
 
   function clearState() {
diff --git a/apps/app/src/utils/__tests__/postLoginRedirect.spec.ts b/apps/app/src/utils/__tests__/postLoginRedirect.spec.ts
new file mode 100644
index 00000000..343df18e
--- /dev/null
+++ b/apps/app/src/utils/__tests__/postLoginRedirect.spec.ts
@@ -0,0 +1,38 @@
+import { describe, expect, it, vi } from 'vitest'
+import { resolvePostLoginTarget } from '@/utils/postLoginRedirect'
+
+describe('resolvePostLoginTarget — A13-3 minimum open-redirect guard', () => {
+  it('returns the relative ?to= path when it starts with /', () => {
+    const fallback = vi.fn(() => '/dashboard')
+    const result = resolvePostLoginTarget('/events/01ABC', fallback)
+
+    expect(result).toBe('/events/01ABC')
+    expect(fallback).not.toHaveBeenCalled()
+  })
+
+  it('falls back to the resolver when ?to= is missing', () => {
+    expect(resolvePostLoginTarget('', () => '/dashboard')).toBe('/dashboard')
+    expect(resolvePostLoginTarget(null, () => '/dashboard')).toBe('/dashboard')
+    expect(resolvePostLoginTarget(undefined, () => '/dashboard')).toBe('/dashboard')
+  })
+
+  it('rejects absolute URLs (open-redirect attempt)', () => {
+    expect(resolvePostLoginTarget('https://evil.com', () => '/dashboard')).toBe('/dashboard')
+    expect(resolvePostLoginTarget('http://evil.com/x', () => '/dashboard')).toBe('/dashboard')
+  })
+
+  it('rejects protocol-relative URLs (//evil.com)', () => {
+    expect(resolvePostLoginTarget('//evil.com', () => '/dashboard')).toBe('/dashboard')
+    expect(resolvePostLoginTarget('//evil.com/path', () => '/dashboard')).toBe('/dashboard')
+  })
+
+  it('rejects javascript: and data: schemes', () => {
+    expect(resolvePostLoginTarget('javascript:alert(1)', () => '/dashboard')).toBe('/dashboard')
+    expect(resolvePostLoginTarget('data:text/html,<script>', () => '/dashboard')).toBe('/dashboard')
+  })
+
+  it('preserves query parameters and fragments on relative paths', () => {
+    expect(resolvePostLoginTarget('/events?tab=overview#info', () => '/x'))
+      .toBe('/events?tab=overview#info')
+  })
+})
diff --git a/apps/app/src/utils/postLoginRedirect.ts b/apps/app/src/utils/postLoginRedirect.ts
new file mode 100644
index 00000000..2cafece6
--- /dev/null
+++ b/apps/app/src/utils/postLoginRedirect.ts
@@ -0,0 +1,19 @@
+/**
+ * Resolve the post-login redirect target. If the caller supplied a `?to=`
+ * query that's a same-origin relative path, honour it; otherwise fall back
+ * to the auth-store's resolveLandingRoute().
+ *
+ * The `startsWith('/')` + `!startsWith('//')` guard is the **minimum**
+ * A13-3 (open-redirect) precaution. Full domain-validation lands in
+ * WS-3 PR-B2b.
+ */
+export function resolvePostLoginTarget(
+  rawTo: string | null | undefined,
+  fallback: () => string,
+): string {
+  const to = rawTo ?? ''
+  if (to.startsWith('/') && !to.startsWith('//'))
+    return to
+
+  return fallback()
+}

From 3019095a2a0912b8d845164a19abc5d39152f9f9 Mon Sep 17 00:00:00 2001
From: "bert.hausmans" <bert@hausmans.nl>
Date: Tue, 5 May 2026 21:43:40 +0200
Subject: [PATCH 7/9] =?UTF-8?q?fix(security):=20A13-8=20=E2=80=94=20migrat?=
 =?UTF-8?q?e=20portal=20store=20to=20sessionStorage=20with=20explicit=20re?=
 =?UTF-8?q?set?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

usePortalStore now persists state in sessionStorage instead of
localStorage. Tab-close clears the session implicitly; explicit logout
+ 401 paths invoke reset() which iterates the `crewli:portal:` prefix
and removes every key (forward-compatible for future portal-namespaced
state).

Storage keys are renamed under the canonical prefix:
- crewli_portal_user_events_v1 → crewli:portal:events
- crewli_portal_active_event_id_v1 → crewli:portal:activeEventId

The single new prefix-clear function (clearStoragePrefix) replaces the
hand-listed key removals, so future portal-namespaced state additions
need no reset() change.

useAuthStore.handleUnauthorized() (the 401 interceptor target) is now
async and invokes clearAll() — the canonical session-cleanup hub —
restoring the portal-storage cleanup that the deleted
usePortalAuthStore.handleUnauthorized previously owned. The merge in
Phase E left this gap; this commit closes it.

Adds 7 vitest specs in stores/portal/__tests__/usePortalStore.spec.ts
covering: sessionStorage persistence, reset() prefix-iteration,
non-prefixed-key isolation, reactive state reset, useAuthStore.clearAll
+ handleUnauthorized integration.

Test count 198 → 205. Lint + typecheck clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../portal/__tests__/usePortalStore.spec.ts   | 135 ++++++++++++++++++
 apps/app/src/stores/portal/usePortalStore.ts  |  45 ++++--
 apps/app/src/stores/useAuthStore.ts           |   7 +-
 3 files changed, 170 insertions(+), 17 deletions(-)
 create mode 100644 apps/app/src/stores/portal/__tests__/usePortalStore.spec.ts

diff --git a/apps/app/src/stores/portal/__tests__/usePortalStore.spec.ts b/apps/app/src/stores/portal/__tests__/usePortalStore.spec.ts
new file mode 100644
index 00000000..050d8b46
--- /dev/null
+++ b/apps/app/src/stores/portal/__tests__/usePortalStore.spec.ts
@@ -0,0 +1,135 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { createPinia, setActivePinia } from 'pinia'
+
+vi.mock('@/lib/axios', () => ({
+  apiClient: { get: vi.fn(), post: vi.fn() },
+}))
+
+const { usePortalStore } = await import('@/stores/portal/usePortalStore')
+const { useAuthStore } = await import('@/stores/useAuthStore')
+
+describe('usePortalStore — A13-8 sessionStorage migration (WS-3 PR-B2a)', () => {
+  beforeEach(() => {
+    setActivePinia(createPinia())
+    sessionStorage.clear()
+    localStorage.clear()
+  })
+
+  afterEach(() => {
+    sessionStorage.clear()
+    localStorage.clear()
+  })
+
+  describe('storage migration', () => {
+    it('persists active event id to sessionStorage with prefix', () => {
+      const store = usePortalStore()
+
+      store.userEvents.push({
+        event_id: '01EVENT',
+        event_name: 'Test',
+        organisation_name: 'Org',
+        person_status: 'approved',
+        start_date: '2026-06-01',
+        end_date: '2026-06-02',
+      })
+      store.setActiveEvent('01EVENT')
+
+      expect(sessionStorage.getItem('crewli:portal:activeEventId')).toBe('01EVENT')
+      expect(localStorage.getItem('crewli:portal:activeEventId')).toBeNull()
+    })
+
+    it('reads active event id from sessionStorage on store init', () => {
+      sessionStorage.setItem('crewli:portal:activeEventId', '01PREVIOUS')
+
+      const store = usePortalStore()
+
+      expect(store.activeEventId).toBe('01PREVIOUS')
+    })
+
+    it('reset() clears all crewli:portal: prefixed sessionStorage keys', () => {
+      sessionStorage.setItem('crewli:portal:events', '[]')
+      sessionStorage.setItem('crewli:portal:activeEventId', '01EVENT')
+      sessionStorage.setItem('crewli:portal:future-key', 'whatever')
+
+      const store = usePortalStore()
+
+      store.reset()
+
+      expect(sessionStorage.getItem('crewli:portal:events')).toBeNull()
+      expect(sessionStorage.getItem('crewli:portal:activeEventId')).toBeNull()
+      expect(sessionStorage.getItem('crewli:portal:future-key')).toBeNull()
+    })
+
+    it('reset() does NOT touch unrelated sessionStorage keys', () => {
+      sessionStorage.setItem('crewli:portal:events', '[]')
+      sessionStorage.setItem('someOtherApp:foo', 'untouched')
+      sessionStorage.setItem('analytics:trace', '01TRACE')
+
+      const store = usePortalStore()
+
+      store.reset()
+
+      expect(sessionStorage.getItem('crewli:portal:events')).toBeNull()
+      expect(sessionStorage.getItem('someOtherApp:foo')).toBe('untouched')
+      expect(sessionStorage.getItem('analytics:trace')).toBe('01TRACE')
+    })
+
+    it('reset() resets reactive state to defaults', () => {
+      const store = usePortalStore()
+
+      store.userEvents.push({
+        event_id: '01EVENT',
+        event_name: 'Test',
+        organisation_name: 'Org',
+        person_status: 'approved',
+        start_date: '2026-06-01',
+        end_date: '2026-06-02',
+      })
+      store.loadError = 'some error'
+
+      store.reset()
+
+      expect(store.userEvents).toEqual([])
+      expect(store.activeEventId).toBeNull()
+      expect(store.currentPerson).toBeNull()
+      expect(store.loadError).toBeNull()
+      expect(store.isHydrated).toBe(false)
+    })
+  })
+
+  describe('integration with useAuthStore', () => {
+    it('useAuthStore.clearAll() resets portal sessionStorage', async () => {
+      sessionStorage.setItem('crewli:portal:events', '[]')
+      sessionStorage.setItem('crewli:portal:activeEventId', '01EVENT')
+
+      const auth = useAuthStore()
+
+      await auth.clearAll()
+
+      expect(sessionStorage.getItem('crewli:portal:events')).toBeNull()
+      expect(sessionStorage.getItem('crewli:portal:activeEventId')).toBeNull()
+    })
+
+    it('useAuthStore.handleUnauthorized() resets portal sessionStorage (401 path)', async () => {
+      sessionStorage.setItem('crewli:portal:events', '[]')
+      sessionStorage.setItem('crewli:portal:activeEventId', '01EVENT')
+
+      // Stub window.location to avoid jsdom navigation errors
+      const originalLocation = window.location
+
+      Object.defineProperty(window, 'location', {
+        value: { pathname: '/portal/evenementen', href: '' },
+        writable: true,
+      })
+
+      const auth = useAuthStore()
+
+      await auth.handleUnauthorized()
+
+      expect(sessionStorage.getItem('crewli:portal:events')).toBeNull()
+      expect(sessionStorage.getItem('crewli:portal:activeEventId')).toBeNull()
+
+      Object.defineProperty(window, 'location', { value: originalLocation })
+    })
+  })
+})
diff --git a/apps/app/src/stores/portal/usePortalStore.ts b/apps/app/src/stores/portal/usePortalStore.ts
index 3c9da0d0..58107503 100644
--- a/apps/app/src/stores/portal/usePortalStore.ts
+++ b/apps/app/src/stores/portal/usePortalStore.ts
@@ -3,14 +3,18 @@ import { computed, ref } from 'vue'
 import { apiClient } from '@/lib/axios'
 import type { AuthMeUser, PortalEvent, PortalPersonPayload } from '@/types/portal'
 
-const STORAGE_EVENTS = 'crewli_portal_user_events_v1'
-const STORAGE_ACTIVE_EVENT = 'crewli_portal_active_event_id_v1'
+// A13-8 (SECURITY_AUDIT.md) — portal session state lives in
+// sessionStorage, not localStorage. Tab-close clears the session;
+// reset() also iterates the prefix to wipe explicit logout paths.
+const STORAGE_PREFIX = 'crewli:portal:'
+const STORAGE_EVENTS = `${STORAGE_PREFIX}events`
+const STORAGE_ACTIVE_EVENT = `${STORAGE_PREFIX}activeEventId`
 
 function readStoredEvents(): PortalEvent[] {
-  if (typeof localStorage === 'undefined')
+  if (typeof sessionStorage === 'undefined')
     return []
   try {
-    const raw = localStorage.getItem(STORAGE_EVENTS)
+    const raw = sessionStorage.getItem(STORAGE_EVENTS)
     if (!raw)
       return []
 
@@ -33,24 +37,38 @@ function readStoredEvents(): PortalEvent[] {
 }
 
 function writeStoredEvents(events: PortalEvent[]): void {
-  if (typeof localStorage === 'undefined')
+  if (typeof sessionStorage === 'undefined')
     return
-  localStorage.setItem(STORAGE_EVENTS, JSON.stringify(events))
+  sessionStorage.setItem(STORAGE_EVENTS, JSON.stringify(events))
 }
 
 function readStoredActiveEventId(): string | null {
-  if (typeof localStorage === 'undefined')
+  if (typeof sessionStorage === 'undefined')
     return null
 
-  return localStorage.getItem(STORAGE_ACTIVE_EVENT)
+  return sessionStorage.getItem(STORAGE_ACTIVE_EVENT)
 }
 
 function writeStoredActiveEventId(id: string | null): void {
-  if (typeof localStorage === 'undefined')
+  if (typeof sessionStorage === 'undefined')
     return
   if (id)
-    localStorage.setItem(STORAGE_ACTIVE_EVENT, id)
-  else localStorage.removeItem(STORAGE_ACTIVE_EVENT)
+    sessionStorage.setItem(STORAGE_ACTIVE_EVENT, id)
+  else sessionStorage.removeItem(STORAGE_ACTIVE_EVENT)
+}
+
+function clearStoragePrefix(): void {
+  if (typeof sessionStorage === 'undefined')
+    return
+
+  const keysToRemove: string[] = []
+  for (let i = 0; i < sessionStorage.length; i++) {
+    const key = sessionStorage.key(i)
+    if (key?.startsWith(STORAGE_PREFIX))
+      keysToRemove.push(key)
+  }
+  for (const k of keysToRemove)
+    sessionStorage.removeItem(k)
 }
 
 /**
@@ -247,10 +265,7 @@ export const usePortalStore = defineStore('portal', () => {
     loadError.value = null
     isHydrated.value = false
     hydratePromise = null
-    if (typeof localStorage !== 'undefined') {
-      localStorage.removeItem(STORAGE_EVENTS)
-      localStorage.removeItem(STORAGE_ACTIVE_EVENT)
-    }
+    clearStoragePrefix()
   }
 
   return {
diff --git a/apps/app/src/stores/useAuthStore.ts b/apps/app/src/stores/useAuthStore.ts
index 3522490b..493f753b 100644
--- a/apps/app/src/stores/useAuthStore.ts
+++ b/apps/app/src/stores/useAuthStore.ts
@@ -193,8 +193,11 @@ export const useAuthStore = defineStore('auth', () => {
     usePortalStore().reset()
   }
 
-  function handleUnauthorized() {
-    clearState()
+  async function handleUnauthorized(): Promise<void> {
+    // A13-8: clear portal sessionStorage on 401 in addition to in-memory
+    // state. clearAll() handles both via the dynamic-import seam to
+    // stores-portal.
+    await clearAll()
 
     // Do NOT reset isInitialized — the full page reload (below) resets all JS state.
     // Resetting it here causes a race condition: the async 401 interceptor fires

From eb7f3eb057b95a992434490e9a51c5c5afbfa0a2 Mon Sep 17 00:00:00 2001
From: "bert.hausmans" <bert@hausmans.nl>
Date: Tue, 5 May 2026 21:57:40 +0200
Subject: [PATCH 8/9] fix(portal): consume portal events from useAuthStore
 instead of duplicate /auth/me fetch
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The auth-store merge made portal_events available on the unified
/auth/me response (held in useAuthStore.portalEvents). usePortalStore
now sources userEvents from the auth store, eliminating the duplicate
fetch that the legacy slim usePortalAuthStore had compensated for.

Changes:
- types/auth.ts: add portal_events?: PortalEvent[] to MeResponse
- useAuthStore: add portalEvents ref, populated in setUser from
  me.portal_events, cleared in clearState
- usePortalStore: replace loadUserEventsFromApiAndStorage (which
  fetched /auth/me) with syncEventsFromAuthStore (which reads
  authStore.portalEvents). A reactive watch keeps userEvents in sync
  whenever the auth store updates (login, refresh, logout). The
  sessionStorage merge stays as offline cache + post-registration
  bridge.
- types/portal.ts: drop the now-unused AuthMeUser type — MeResponse
  is the canonical shape post-merge.

Boundaries: usePortalStore (stores-portal) statically imports
useAuthStore (stores) — already allowed by the matrix
(stores-portal allow includes stores).

Adds 4 vitest specs covering: userEvents reflects auth.portalEvents,
no apiClient.get('/auth/me') call from the portal store,
sessionStorage fallback when auth has not hydrated, reactive update
on auth.portalEvents change.

Test count 205 → 209. Lint + typecheck clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../portal/__tests__/usePortalStore.spec.ts   | 109 ++++++++++++++++++
 apps/app/src/stores/portal/usePortalStore.ts  |  53 ++++++---
 apps/app/src/stores/useAuthStore.ts           |   5 +
 apps/app/src/types/auth.ts                    |   2 +
 apps/app/src/types/portal.ts                  |  37 +-----
 5 files changed, 154 insertions(+), 52 deletions(-)

diff --git a/apps/app/src/stores/portal/__tests__/usePortalStore.spec.ts b/apps/app/src/stores/portal/__tests__/usePortalStore.spec.ts
index 050d8b46..3d5dd38c 100644
--- a/apps/app/src/stores/portal/__tests__/usePortalStore.spec.ts
+++ b/apps/app/src/stores/portal/__tests__/usePortalStore.spec.ts
@@ -97,6 +97,115 @@ describe('usePortalStore — A13-8 sessionStorage migration (WS-3 PR-B2a)', () =
     })
   })
 
+  describe('userEvents sync from useAuthStore.portalEvents', () => {
+    function makeMe(overrides = {}) {
+      return {
+        id: '01ABC',
+        first_name: 'Test',
+        last_name: 'User',
+        full_name: 'Test User',
+        date_of_birth: null,
+        email: 'test@example.nl',
+        phone: null,
+        timezone: 'Europe/Amsterdam',
+        locale: 'nl',
+        avatar: null,
+        organisations: [],
+        app_roles: [],
+        permissions: [],
+        ...overrides,
+      }
+    }
+
+    it('reflects auth.portalEvents once auth has hydrated', () => {
+      const auth = useAuthStore()
+
+      auth.setUser(makeMe({
+        portal_events: [{
+          event_id: '01EVENT',
+          event_name: 'Festival',
+          organisation_name: 'Echt Feesten',
+          person_status: 'approved',
+          start_date: '2026-06-01',
+          end_date: '2026-06-02',
+        }],
+      }))
+      ;(auth as unknown as { isInitialized: boolean }).isInitialized = true
+
+      const portal = usePortalStore()
+
+      expect(portal.userEvents).toHaveLength(1)
+      expect(portal.userEvents[0].event_id).toBe('01EVENT')
+    })
+
+    it('does NOT call apiClient.get(/auth/me) — duplicate fetch eliminated', async () => {
+      const { apiClient } = await import('@/lib/axios')
+      const getMock = apiClient.get as unknown as { mock: { calls: unknown[][] } }
+
+      getMock.mock.calls.length = 0
+
+      const auth = useAuthStore()
+
+      auth.setUser(makeMe({ portal_events: [] }))
+      ;(auth as unknown as { isInitialized: boolean }).isInitialized = true
+
+      usePortalStore()
+
+      const authMeCalls = getMock.mock.calls.filter(args =>
+        typeof args[0] === 'string' && args[0].includes('/auth/me'),
+      )
+
+      expect(authMeCalls).toHaveLength(0)
+    })
+
+    it('falls back to sessionStorage when auth has not hydrated', () => {
+      sessionStorage.setItem('crewli:portal:events', JSON.stringify([{
+        event_id: '01CACHED',
+        event_name: 'Cached',
+        organisation_name: 'Cached Org',
+        person_status: 'approved',
+        start_date: '2026-06-01',
+        end_date: '2026-06-02',
+      }]))
+
+      // Auth not hydrated → apiSucceeded=false → sessionStorage entries
+      // are preserved as fallback cache.
+      const portal = usePortalStore()
+
+      expect(portal.userEvents).toHaveLength(1)
+      expect(portal.userEvents[0].event_id).toBe('01CACHED')
+    })
+
+    it('updates userEvents reactively when auth.portalEvents changes', async () => {
+      const auth = useAuthStore()
+
+      auth.setUser(makeMe({ portal_events: [] }))
+      ;(auth as unknown as { isInitialized: boolean }).isInitialized = true
+
+      const portal = usePortalStore()
+
+      expect(portal.userEvents).toHaveLength(0)
+
+      auth.setUser(makeMe({
+        portal_events: [{
+          event_id: '01NEW',
+          event_name: 'New Event',
+          organisation_name: 'Org',
+          person_status: 'approved',
+          start_date: '2026-07-01',
+          end_date: '2026-07-02',
+        }],
+      }))
+
+      // Watcher is sync (default flush='pre'); the reactive update fires
+      // on the next microtask. Flush via Promise tick.
+      await Promise.resolve()
+
+      expect(portal.userEvents).toHaveLength(1)
+      expect(portal.userEvents[0].event_id).toBe('01NEW')
+    })
+  })
+
   describe('integration with useAuthStore', () => {
     it('useAuthStore.clearAll() resets portal sessionStorage', async () => {
       sessionStorage.setItem('crewli:portal:events', '[]')
diff --git a/apps/app/src/stores/portal/usePortalStore.ts b/apps/app/src/stores/portal/usePortalStore.ts
index 58107503..3d4050df 100644
--- a/apps/app/src/stores/portal/usePortalStore.ts
+++ b/apps/app/src/stores/portal/usePortalStore.ts
@@ -1,7 +1,8 @@
 import { defineStore } from 'pinia'
-import { computed, ref } from 'vue'
+import { computed, ref, watch } from 'vue'
 import { apiClient } from '@/lib/axios'
-import type { AuthMeUser, PortalEvent, PortalPersonPayload } from '@/types/portal'
+import { useAuthStore } from '@/stores/useAuthStore'
+import type { PortalEvent, PortalPersonPayload } from '@/types/portal'
 
 // A13-8 (SECURITY_AUDIT.md) — portal session state lives in
 // sessionStorage, not localStorage. Tab-close clears the session;
@@ -133,8 +134,10 @@ export const usePortalStore = defineStore('portal', () => {
   }
 
   /**
-   * Call after successful public registration so the volunteer sees the event on the dashboard.
-   * TODO: replace with `portal_events` from GET /auth/me when the API exposes it.
+   * Call after successful public registration so the volunteer sees the
+   * event on the dashboard before /auth/me has had a chance to refresh.
+   * The sessionStorage entry bridges the gap until the next
+   * useAuthStore.refreshUser() picks up the new portal_events row.
    */
   function savePendingEventFromRegistration(event: PortalEvent): void {
     const merged = mergeEvents([], [...readStoredEvents(), ...userEvents.value, event], false)
@@ -147,26 +150,27 @@ export const usePortalStore = defineStore('portal', () => {
     }
   }
 
-  async function loadUserEventsFromApiAndStorage(): Promise<void> {
+  /**
+   * Sync userEvents from the unified /auth/me response (held in
+   * useAuthStore.portalEvents). Replaces the legacy duplicate
+   * apiClient.get('/auth/me') call — the auth store is now the single
+   * source of truth for portal_events.
+   */
+  function syncEventsFromAuthStore(): void {
     isLoadingEvents.value = true
     loadError.value = null
     try {
+      const authStore = useAuthStore()
       const stored = readStoredEvents()
-      let apiEvents: PortalEvent[] = []
-      let apiSucceeded = false
-      try {
-        const { data } = await apiClient.get<{ success: boolean; data: AuthMeUser }>('/auth/me')
 
-        apiEvents = data.data.portal_events ?? []
-        apiSucceeded = true
-      }
-      catch {
-        // /auth/me failed — still show locally stored registrations
-      }
-      userEvents.value = mergeEvents(apiEvents, stored, apiSucceeded)
+      // When auth has hydrated successfully, /auth/me's portal_events
+      // is canonical; otherwise we fall back to sessionStorage cache.
+      const apiSucceeded = authStore.isInitialized && authStore.isAuthenticated
+
+      userEvents.value = mergeEvents(authStore.portalEvents, stored, apiSucceeded)
       persistEvents()
     }
-    catch (e) {
+    catch {
       loadError.value = 'Kon je evenementen niet laden.'
       userEvents.value = readStoredEvents()
     }
@@ -231,7 +235,7 @@ export const usePortalStore = defineStore('portal', () => {
   let hydratePromise: Promise<void> | null = null
 
   async function hydrateAfterAuth(): Promise<void> {
-    await loadUserEventsFromApiAndStorage()
+    syncEventsFromAuthStore()
     resolveActiveEventId()
     await fetchCurrentPerson()
     isHydrated.value = true
@@ -250,6 +254,19 @@ export const usePortalStore = defineStore('portal', () => {
     return hydratePromise
   }
 
+  // React to auth-store changes: as soon as useAuthStore.portalEvents
+  // updates (login, refresh, logout), keep userEvents in sync. This
+  // replaces the old "fetch /auth/me from inside the portal store"
+  // flow — the auth store is now the single source of truth and the
+  // portal store is a derived view + sessionStorage cache.
+  const authStore = useAuthStore()
+
+  watch(
+    () => [authStore.portalEvents, authStore.isInitialized, authStore.isAuthenticated] as const,
+    () => syncEventsFromAuthStore(),
+    { immediate: true, deep: true },
+  )
+
   function setActiveEvent(eventId: string): void {
     if (!userEvents.value.some(e => e.event_id === eventId))
       return
diff --git a/apps/app/src/stores/useAuthStore.ts b/apps/app/src/stores/useAuthStore.ts
index 493f753b..37eb526c 100644
--- a/apps/app/src/stores/useAuthStore.ts
+++ b/apps/app/src/stores/useAuthStore.ts
@@ -16,6 +16,7 @@ import type {
   Organisation,
   User,
 } from '@/types/auth'
+import type { PortalEvent } from '@/types/portal'
 
 const LAST_CONTEXT_STORAGE_KEY = 'crewli:lastContext'
 
@@ -41,6 +42,7 @@ export const useAuthStore = defineStore('auth', () => {
   const organisations = ref<Organisation[]>([])
   const appRoles = ref<string[]>([])
   const permissions = ref<string[]>([])
+  const portalEvents = ref<PortalEvent[]>([])
   const isInitialized = ref(false)
   const mfaSetupRequired = ref(false)
 
@@ -89,6 +91,7 @@ export const useAuthStore = defineStore('auth', () => {
     organisations.value = me.organisations
     appRoles.value = me.app_roles
     permissions.value = me.permissions
+    portalEvents.value = me.portal_events ?? []
     mfaSetupRequired.value = me.mfa?.setup_required ?? false
 
     // Context block — additive in B2a; falls back to derivation when the
@@ -167,6 +170,7 @@ export const useAuthStore = defineStore('auth', () => {
     organisations.value = []
     appRoles.value = []
     permissions.value = []
+    portalEvents.value = []
     mfaSetupRequired.value = false
     availableContexts.value = []
     defaultContext.value = 'portal'
@@ -355,6 +359,7 @@ export const useAuthStore = defineStore('auth', () => {
     organisations,
     appRoles,
     permissions,
+    portalEvents,
     isAuthenticated,
     isInitialized,
     isSuperAdmin,
diff --git a/apps/app/src/types/auth.ts b/apps/app/src/types/auth.ts
index e6d3adff..898435ac 100644
--- a/apps/app/src/types/auth.ts
+++ b/apps/app/src/types/auth.ts
@@ -1,4 +1,5 @@
 import type { MfaMethod } from '@/types/mfa'
+import type { PortalEvent } from '@/types/portal'
 
 export interface User {
   id: string
@@ -57,6 +58,7 @@ export interface MeResponse {
   organisations: Organisation[]
   app_roles: string[]
   permissions: string[]
+  portal_events?: PortalEvent[]
   mfa?: MfaUserInfo
   platform?: PlatformInfo
   contexts?: ContextsBlock
diff --git a/apps/app/src/types/portal.ts b/apps/app/src/types/portal.ts
index 00450188..547e04d7 100644
--- a/apps/app/src/types/portal.ts
+++ b/apps/app/src/types/portal.ts
@@ -1,14 +1,14 @@
 /**
  * Volunteer-facing event context for the portal.
- * Populated from GET /auth/me when the API adds `portal_events`, merged with
- * locally stored events (e.g. after public registration).
+ * Sourced from /auth/me's `portal_events` block (held by useAuthStore)
+ * and merged with sessionStorage entries (e.g. after public registration).
  */
 export interface PortalEvent {
   event_id: string
   event_name: string
   organisation_name: string
 
-  /** Present when the row was saved from the public registration flow */
+  // Present when the row was saved from the public registration flow.
   organisation_id?: string
   person_id?: string | null
   person_status: string
@@ -16,37 +16,6 @@ export interface PortalEvent {
   end_date: string
 }
 
-/** GET /auth/me — extend when backend adds portal_events */
-export interface AuthMeUser {
-  id: string
-  first_name: string
-  last_name: string
-  full_name: string
-  email: string
-  timezone?: string
-  locale?: string
-  avatar?: string | null
-  email_verified_at?: string | null
-  organisations?: Array<{
-    id: string
-    name: string
-    slug: string
-    role: string
-  }>
-  app_roles?: string[]
-
-  /** Present on login (`UserResource`); `/auth/me` uses `app_roles` */
-  roles?: string[]
-  permissions?: string[]
-  portal_events?: PortalEvent[]
-  mfa?: {
-    enabled: boolean
-    method: 'totp' | 'email' | null
-    confirmed_at: string | null
-    setup_required: boolean
-  }
-}
-
 /** GET /portal/me?event_id= — person payload (subset used by dashboard) */
 export interface PortalPersonPayload {
   id: string

From b191fbe91759136d21e5dba7104243d1b0d1550f Mon Sep 17 00:00:00 2001
From: "bert.hausmans" <bert@hausmans.nl>
Date: Tue, 5 May 2026 22:01:32 +0200
Subject: [PATCH 9/9] refactor(auth): migrate MfaChallengeCard to
 useAuthStore.verifyMfa
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The card consumed the API directly via useVerifyMfa() (TanStack Query
mutation). Per Decision F's intent (store owns business logic, the
component consumes typed results), the card now calls
useAuthStore.verifyMfa() and pattern-matches on the MfaVerifyResult
discriminated union.

Changes:
- MfaChallengeCard: drop useVerifyMfa import; call authStore.verifyMfa
  with camelCase args (sessionToken, trustDevice, deviceFingerprint,
  deviceName); local isVerifying ref replaces verifyMutation.isPending.
  On result.kind === 'authenticated' emit `verified` (no payload —
  the store has already refreshed user state); on 'failed' surface
  result.reason with a generic fallback.
- emit signature: `verified: [data: unknown]` → `verified: []`.
- login.vue: onMfaVerified no longer calls authStore.refreshUser —
  authStore.verifyMfa() refreshes internally. Page just routes to
  resolvePostLoginTarget().

Adds 4 vitest specs in components/auth/__tests__/MfaChallengeCard.spec.ts
covering: success path emits `verified` with camelCase args, failure
path shows reason and suppresses emit, trustDevice toggle honours
fingerprint + device name, fallback message when reason is empty.

Test count 209 → 213. Lint + typecheck clean.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../src/components/auth/MfaChallengeCard.vue  |  38 +++--
 .../auth/__tests__/MfaChallengeCard.spec.ts   | 161 ++++++++++++++++++
 apps/app/src/pages/login.vue                  |   8 +-
 3 files changed, 187 insertions(+), 20 deletions(-)
 create mode 100644 apps/app/src/components/auth/__tests__/MfaChallengeCard.spec.ts

diff --git a/apps/app/src/components/auth/MfaChallengeCard.vue b/apps/app/src/components/auth/MfaChallengeCard.vue
index d675c28c..2d88cd01 100644
--- a/apps/app/src/components/auth/MfaChallengeCard.vue
+++ b/apps/app/src/components/auth/MfaChallengeCard.vue
@@ -1,5 +1,6 @@
 <script setup lang="ts">
-import { useSendMfaEmailCode, useVerifyMfa } from '@/composables/api/useMfa'
+import { useSendMfaEmailCode } from '@/composables/api/useMfa'
+import { useAuthStore } from '@/stores/useAuthStore'
 import { generateDeviceFingerprint, getDeviceName } from '@/utils/deviceFingerprint'
 import type { MfaMethod } from '@/types/mfa'
 
@@ -11,12 +12,13 @@ const props = defineProps<{
 }>()
 
 const emit = defineEmits<{
-  verified: [data: unknown]
+  verified: []
   cancelled: []
 }>()
 
-const verifyMutation = useVerifyMfa()
+const authStore = useAuthStore()
 const sendEmailMutation = useSendMfaEmailCode()
+const isVerifying = ref(false)
 
 const selectedMethod = ref<string>(props.preferredMethod)
 const otpCode = ref('')
@@ -93,25 +95,31 @@ async function handleVerify() {
   if (!code)
     return
 
+  isVerifying.value = true
+
   try {
-    const data = await verifyMutation.mutateAsync({
-      mfa_session_token: props.mfaSessionToken,
+    const result = await authStore.verifyMfa({
+      sessionToken: props.mfaSessionToken,
       code,
       method: selectedMethod.value as MfaMethod,
-      trust_device: trustDevice.value || undefined,
-      device_fingerprint: trustDevice.value ? generateDeviceFingerprint() : undefined,
-      device_name: trustDevice.value ? getDeviceName() : undefined,
+      trustDevice: trustDevice.value || undefined,
+      deviceFingerprint: trustDevice.value ? generateDeviceFingerprint() : undefined,
+      deviceName: trustDevice.value ? getDeviceName() : undefined,
     })
 
-    emit('verified', data)
-  }
-  catch (err: unknown) {
-    const ax = err as { response?: { data?: { message?: string } } }
+    if (result.kind === 'authenticated') {
+      emit('verified')
 
-    errorMessage.value = ax.response?.data?.message ?? 'Verificatie mislukt. Probeer het opnieuw.'
+      return
+    }
+
+    errorMessage.value = result.reason || 'Verificatie mislukt. Probeer het opnieuw.'
     otpCode.value = ''
     backupCode.value = ''
   }
+  finally {
+    isVerifying.value = false
+  }
 }
 </script>
 
@@ -193,7 +201,7 @@ async function handleVerify() {
             </p>
             <VOtpInput
               v-model="otpCode"
-              :disabled="verifyMutation.isPending.value || timeLeft <= 0"
+              :disabled="isVerifying || timeLeft <= 0"
               type="number"
               class="pa-0"
               @finish="onOtpFinish"
@@ -230,7 +238,7 @@ async function handleVerify() {
             <VBtn
               block
               type="submit"
-              :loading="verifyMutation.isPending.value"
+              :loading="isVerifying"
               :disabled="timeLeft <= 0"
             >
               Verifi&euml;ren
diff --git a/apps/app/src/components/auth/__tests__/MfaChallengeCard.spec.ts b/apps/app/src/components/auth/__tests__/MfaChallengeCard.spec.ts
new file mode 100644
index 00000000..fbed77fd
--- /dev/null
+++ b/apps/app/src/components/auth/__tests__/MfaChallengeCard.spec.ts
@@ -0,0 +1,161 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
+import { mount } from '@vue/test-utils'
+import { nextTick } from 'vue'
+import type { MfaVerifyResult } from '@/types/auth'
+
+const mockVerifyMfa = vi.fn<(args: unknown) => Promise<MfaVerifyResult>>()
+const mockSendEmailMutateAsync = vi.fn()
+
+vi.mock('@/stores/useAuthStore', () => ({
+  useAuthStore: () => ({
+    verifyMfa: mockVerifyMfa,
+  }),
+}))
+
+vi.mock('@/composables/api/useMfa', () => ({
+  useSendMfaEmailCode: () => ({
+    mutateAsync: mockSendEmailMutateAsync,
+    isPending: { value: false },
+  }),
+}))
+
+vi.mock('@/utils/deviceFingerprint', () => ({
+  generateDeviceFingerprint: () => 'fp-test',
+  getDeviceName: () => 'Chrome on macOS',
+}))
+
+const MfaChallengeCard = (await import('../MfaChallengeCard.vue')).default
+
+const stubs = {
+  VCard: { template: '<div><slot /></div>' },
+  VCardText: { template: '<div><slot /></div>' },
+  VChip: { template: '<span><slot /></span>' },
+  VTabs: { template: '<div><slot /></div>' },
+  VTab: { template: '<button><slot /></button>' },
+  VAlert: { template: '<div data-test="alert"><slot /></div>' },
+  VForm: { template: '<form><slot /></form>' },
+  VRow: { template: '<div><slot /></div>' },
+  VCol: { template: '<div><slot /></div>' },
+  VOtpInput: {
+    name: 'VOtpInput',
+    props: ['modelValue', 'disabled'],
+    emits: ['update:modelValue', 'finish'],
+    template: '<input data-test="otp" />',
+  },
+  AppTextField: {
+    props: ['modelValue'],
+    emits: ['update:modelValue'],
+    template: '<input data-test="backup" />',
+  },
+  VCheckbox: {
+    name: 'VCheckbox',
+    props: ['modelValue', 'label'],
+    emits: ['update:modelValue'],
+    template: '<input type="checkbox" data-test="trust" />',
+  },
+  VBtn: { template: '<button data-test="verify-btn"><slot /></button>' },
+  VIcon: true,
+}
+
+describe('MfaChallengeCard — useAuthStore.verifyMfa migration (WS-3 PR-B2a)', () => {
+  beforeEach(() => {
+    mockVerifyMfa.mockReset()
+    mockSendEmailMutateAsync.mockReset()
+  })
+
+  afterEach(() => {
+    vi.useRealTimers()
+  })
+
+  function makeWrapper() {
+    return mount(MfaChallengeCard, {
+      props: {
+        mfaSessionToken: 'session-abc',
+        methods: ['totp'],
+        preferredMethod: 'totp',
+        expiresIn: 600,
+      },
+      global: {
+        stubs,
+        mocks: {
+          $vuetify: { display: { smAndUp: true } },
+        },
+      },
+    })
+  }
+
+  async function triggerVerify(wrapper: ReturnType<typeof makeWrapper>, code: string) {
+    const otp = wrapper.findComponent({ name: 'VOtpInput' })
+
+    otp.vm.$emit('finish', code)
+    await nextTick()
+    await nextTick()
+  }
+
+  it('calls authStore.verifyMfa with camelCase args and emits `verified` on success', async () => {
+    mockVerifyMfa.mockResolvedValue({ kind: 'authenticated' })
+
+    const wrapper = makeWrapper()
+
+    await triggerVerify(wrapper, '123456')
+
+    expect(mockVerifyMfa).toHaveBeenCalledTimes(1)
+    expect(mockVerifyMfa).toHaveBeenCalledWith({
+      sessionToken: 'session-abc',
+      code: '123456',
+      method: 'totp',
+      trustDevice: undefined,
+      deviceFingerprint: undefined,
+      deviceName: undefined,
+    })
+
+    expect(wrapper.emitted('verified')).toHaveLength(1)
+    expect(wrapper.emitted('verified')?.[0]).toEqual([])
+  })
+
+  it('displays the result.reason on failure and does NOT emit verified', async () => {
+    mockVerifyMfa.mockResolvedValue({
+      kind: 'failed',
+      reason: 'Code is incorrect.',
+    })
+
+    const wrapper = makeWrapper()
+
+    await triggerVerify(wrapper, '999999')
+
+    expect(wrapper.text()).toContain('Code is incorrect.')
+    expect(wrapper.emitted('verified')).toBeUndefined()
+  })
+
+  it('honours trustDevice flag with fingerprint + device name', async () => {
+    mockVerifyMfa.mockResolvedValue({ kind: 'authenticated' })
+
+    const wrapper = makeWrapper()
+    const trust = wrapper.findComponent({ name: 'VCheckbox' })
+
+    trust.vm.$emit('update:modelValue', true)
+    await nextTick()
+
+    await triggerVerify(wrapper, '123456')
+
+    expect(mockVerifyMfa).toHaveBeenCalledWith({
+      sessionToken: 'session-abc',
+      code: '123456',
+      method: 'totp',
+      trustDevice: true,
+      deviceFingerprint: 'fp-test',
+      deviceName: 'Chrome on macOS',
+    })
+  })
+
+  it('uses a generic fallback message when result.reason is empty', async () => {
+    mockVerifyMfa.mockResolvedValue({ kind: 'failed', reason: '' })
+
+    const wrapper = makeWrapper()
+
+    await triggerVerify(wrapper, '999999')
+
+    expect(wrapper.text()).toContain('Verificatie mislukt')
+    expect(wrapper.emitted('verified')).toBeUndefined()
+  })
+})
diff --git a/apps/app/src/pages/login.vue b/apps/app/src/pages/login.vue
index 009535f6..42ecb448 100644
--- a/apps/app/src/pages/login.vue
+++ b/apps/app/src/pages/login.vue
@@ -121,11 +121,9 @@ async function handleLogin() {
 }
 
 function onMfaVerified() {
-  // After MFA verify, the response sets the auth cookie. refreshUser()
-  // hydrates the store from /auth/me with the new cookie.
-  authStore.refreshUser().then(() => {
-    router.replace(resolvePostLoginTarget())
-  })
+  // useAuthStore.verifyMfa() already refreshed the store post-cookie;
+  // the page just needs to route to the resolved landing target.
+  router.replace(resolvePostLoginTarget())
 }
 
 function onMfaCancelled() {