diff --git a/AGENT.md b/AGENT.md
new file mode 100644
index 0000000..7c0d04a
--- /dev/null
+++ b/AGENT.md
@@ -0,0 +1,2019 @@
+# Jabali Web Hosting Panel
+
+A modern web hosting control panel built with Laravel 12, Filament v5, and Livewire 4.
+
+## Installation Requirements
+
+**Critical for mail server functionality:**
+- Fresh Debian 12/13 installation (no existing web/mail software)
+- Domain with glue records pointing to server IP (`ns1.domain.com` → IP)
+- PTR record (reverse DNS) pointing to mail hostname (`IP` → `mail.domain.com`)
+- Port 25 open (check with VPS provider)
+
+See README.md "Prerequisites" section for detailed DNS setup instructions.
+
+### Subdomain Installation
+
+The panel can be installed on a subdomain (e.g., `panel.example.com`). The installer automatically:
+
+- Extracts the root domain (`example.com`) for DNS zone creation
+- Sets nameservers as `ns1.example.com` and `ns2.example.com`
+- Creates an A record for the subdomain (`panel` → server IP)
+- Configures email at the root domain (`webmaster@example.com`)
+
+**Example:** Installing on `panel.example.com`
+```
+DNS Zone: example.com
+NS Records: ns1.example.com, ns2.example.com
+A Records: @, www, panel, mail, ns1, ns2 → server IP
+Email: webmaster@example.com
+```
+
+## Database
+
+The panel uses **SQLite** by default (not MySQL). The database file is located at:
+```
+/var/www/jabali/database/database.sqlite
+```
+
+## Quick Reference
+
+```bash
+# IMPORTANT: All artisan commands must be run from /var/www/jabali/
+cd /var/www/jabali
+
+# Development
+composer dev              # Start all dev servers (artisan, queue, pail, vite)
+composer test             # Run PHPUnit tests
+./vendor/bin/pint         # Format PHP code
+php artisan serve         # Web server only
+php artisan tinker        # Interactive REPL
+
+# Production
+php artisan migrate       # Run migrations
+php artisan config:cache  # Cache configuration
+php artisan route:cache   # Cache routes
+```
+
+## Git Workflow
+
+**Important:** Only push to git when explicitly requested by the user. Do not auto-push after commits.
+
+### Version Numbers
+
+**IMPORTANT:** Before every push, bump the `VERSION` in the `VERSION` file:
+
+```bash
+# VERSION file format:
+VERSION=0.9-rc
+
+# Bump before pushing:
+# 0.9-rc → 0.9-rc1 → 0.9-rc2 → 0.9-rc3 → ...
+```
+
+| Field | When to Bump | Format |
+|-------|--------------|--------|
+| `VERSION` | Every push | `0.9-rc`, `0.9-rc1`, `0.9-rc2`, ... |
+
+## Project Structure
+
+```
+/var/www/jabali/
+├── app/
+│   ├── Filament/
+│   │   ├── Admin/        # Admin panel (route: /admin)
+│   │   │   ├── Pages/    # Admin pages (Dashboard, Services, etc.)
+│   │   │   ├── Resources/# Admin resources (Users)
+│   │   │   └── Widgets/  # Admin widgets (Stats, Disk, Network)
+│   │   └── Jabali/       # User panel (route: /panel)
+│   │       ├── Pages/    # User pages (Domains, Email, WordPress, etc.)
+│   │       └── Widgets/  # User widgets (Stats, Disk, Domains)
+│   ├── Models/           # Eloquent models (22 models)
+│   ├── Services/         # Business logic services
+│   └── Console/Commands/ # Artisan commands
+├── bin/
+│   ├── jabali-agent      # Privileged operations daemon (runs as root)
+│   └── screenshot        # Chromium screenshot capture script
+├── config/                    # Laravel config files
+│   └── languages.php          # Supported languages configuration
+├── database/migrations/       # Database migrations
+├── lang/                      # Translation files (JSON)
+│   ├── en.json                # English (base)
+│   ├── es.json                # Spanish
+│   ├── fr.json                # French
+│   ├── ru.json                # Russian
+│   ├── pt.json                # Portuguese
+│   ├── ar.json                # Arabic (RTL)
+│   └── he.json                # Hebrew (RTL)
+└── resources/views/filament/  # Blade templates for Filament pages
+```
+
+## Architecture
+
+### Two Panels
+- **Admin Panel** (`/admin`): Server-wide management, user administration
+- **User Panel** (`/panel`): Per-user domain, email, database management
+
+### Privileged Agent
+The `bin/jabali-agent` daemon runs as root and handles operations requiring elevated privileges:
+- System user creation/deletion
+- Domain/vhost configuration
+- Email (Postfix/Dovecot) management
+- SSL certificate operations
+- Database operations
+- Backup operations
+
+Communication via Unix socket at `/var/run/jabali/agent.sock`.
+
+### Key Services
+- **AgentClient**: PHP client for communicating with jabali-agent
+- **AdminNotificationService**: System notifications (SSL, backups, quotas)
+
+### Self-Healing Services
+The `bin/jabali-health-monitor` daemon automatically monitors and restarts critical services when they fail.
+
+**Monitored Services:**
+- nginx, mariadb, jabali-agent, php-fpm
+- postfix, dovecot, named (if installed)
+- redis-server, fail2ban (if installed)
+
+**Features:**
+- Checks services every 30 seconds
+- Automatic restart on failure (up to 3 attempts)
+- Email notifications via `AdminNotificationService`
+- Systemd restart policies as backup protection
+
+**Files:**
+| File | Purpose |
+|------|---------|
+| `bin/jabali-health-monitor` | Health monitoring daemon |
+| `/etc/systemd/system/jabali-health-monitor.service` | Systemd service unit |
+| `/var/log/jabali/health-monitor.log` | Event log |
+| `/var/run/jabali/health-monitor.state` | Service state tracking |
+
+**Commands:**
+```bash
+# Check status
+systemctl status jabali-health-monitor
+
+# View logs
+journalctl -u jabali-health-monitor -f
+
+# Manual notification test
+php artisan notify:service-health down nginx --description="Web Server"
+```
+
+**Notification Setting:** `notify_service_health` in dns_settings table (Admin > Server Settings)
+
+### Admin Notifications & Monitoring
+
+The system sends email notifications to configured admin recipients for various events.
+
+**Configuration:** Admin > Server Settings > Notifications tab
+
+**Notification Types:**
+| Type | Setting | Description |
+|------|---------|-------------|
+| SSL Errors | `notify_ssl_errors` | Certificate errors and expiration warnings |
+| Backup Failures | `notify_backup_failures` | Failed scheduled backups |
+| Disk Quota | `notify_disk_quota` | Users reaching 90% quota |
+| Login Failures | `notify_login_failures` | Brute force and Fail2ban alerts |
+| SSH Logins | `notify_ssh_logins` | Successful SSH login alerts |
+| System Updates | `notify_system_updates` | Panel update availability |
+| Service Health | `notify_service_health` | Service failures and auto-restarts |
+| High Load | `notify_high_load` | Server load exceeds threshold |
+
+**Notification Log:**
+All sent notifications are logged in `notification_logs` table and viewable in Admin > Server Settings > Notifications tab.
+
+**High Load Monitoring:**
+- Monitors server load average every minute via `jabali-health-monitor`
+- Configurable threshold (default: 5.0) and duration (default: 5 minutes)
+- Sends alert when load exceeds threshold for configured duration
+- Settings: `load_threshold`, `load_alert_minutes` in dns_settings
+
+**Commands:**
+```bash
+# Manual high load notification test
+php artisan notify:high-load
+
+# Test email
+# Use "Send Test Email" button in Server Settings > Notifications
+```
+
+### Backup System
+
+The panel provides comprehensive backup functionality for both users and administrators.
+
+**Backup Types:**
+| Type | Description | Storage |
+|------|-------------|---------|
+| User Backup | Single user's domains, databases, mailboxes | `/home/{user}/backups/` |
+| Server Backup (Full) | All users as tar.gz archive | `/var/backups/jabali/` |
+| Server Backup (Incremental) | Rsync to remote destination | Remote SFTP/NFS |
+
+**Admin Backup Features:**
+- **Create Server Backup**: Backup all users or selected users
+- **Restore Backup**: Selective restore with modal UI
+- **Download Backup**: Download local backups (creates zip for directories)
+
+**Restore Options:**
+| Option | Description |
+|--------|-------------|
+| Website Files | Restore domain files to `/home/{user}/domains/` |
+| Databases | Restore MySQL databases with security sanitization |
+| MySQL Users | Restore MySQL users and their permissions |
+| Mailboxes | Restore email mailboxes and messages |
+| SSL Certificates | Restore SSL certificates for domains |
+| DNS Zones | Restore DNS zone files |
+
+**Backup Contents:**
+```
+backup_folder/
+├── manifest.json           # Backup metadata
+├── {username}.tar.gz       # Per-user archive containing:
+│   ├── files/              # Domain files
+│   │   └── {domain}/
+│   ├── mysql/              # Database dumps
+│   │   ├── {database}.sql.gz
+│   │   └── users.sql       # MySQL users and grants
+│   ├── mail/               # Mailbox data
+│   │   └── {domain}/{user}/
+│   ├── ssl/                # SSL certificates
+│   │   └── {domain}/
+│   └── dns/                # DNS zone files
+│       └── {domain}.zone
+```
+
+**Security Validations (Restore):**
+The backup restore process includes comprehensive security checks to prevent privilege escalation:
+
+| Check | Description |
+|-------|-------------|
+| Database Prefix | Only restore databases matching user's prefix (`{username}_*`) |
+| MySQL Users | Only restore users with correct prefix, block global grants |
+| SQL Sanitization | Remove DEFINER, GRANT, SET GLOBAL from dumps |
+| Domain Ownership | Verify user owns domains before restoring files/SSL/DNS |
+| Symlink Prevention | Remove dangerous symlinks pointing outside backup |
+| Path Traversal | Block `..` sequences in paths |
+| DNS Validation | Validate zone files with `named-checkzone` |
+
+**Agent Actions:**
+```
+backup.create           - Create user backup
+backup.restore          - Restore backup with selective options
+backup.get_info         - Get backup manifest/contents
+backup.create_server    - Create server-wide backup
+backup.delete           - Delete backup file
+backup.upload_remote    - Upload backup to remote destination
+backup.download_remote  - Download backup from remote
+backup.incremental      - Create incremental backup via rsync
+backup.test_destination - Test remote backup destination
+```
+
+**Download Route:**
+```
+GET /jabali-admin/backup-download?id={backup_id}  # Admin (requires is_admin)
+GET /jabali-panel/backup-download?path={base64}   # User (validates ownership)
+```
+
+**Files:**
+| File | Purpose |
+|------|---------|
+| `app/Filament/Admin/Pages/Backups.php` | Admin backup management UI |
+| `app/Filament/Jabali/Pages/Backups.php` | User backup management UI |
+| `app/Http/Controllers/BackupDownloadController.php` | Download handlers |
+| `bin/jabali-agent` | Backup/restore implementation |
+| `/var/log/jabali/agent.log` | Security audit log for blocked operations |
+
+### DNSSEC Support
+
+DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records.
+
+**Management:** Admin > Server Settings > DNS tab > DNSSEC section
+
+**Features:**
+- Enable/disable DNSSEC per domain
+- Automatic KSK (Key Signing Key) and ZSK (Zone Signing Key) generation
+- Uses ECDSAP256SHA256 algorithm
+- Auto-generates DS records for registrar configuration
+- Inline zone signing with auto-dnssec maintain
+
+**Agent Actions:**
+```
+dns.enable_dnssec   - Generate keys and sign zone
+dns.disable_dnssec  - Remove keys and unsign zone
+dns.get_dnssec_status - Check DNSSEC status and keys
+dns.get_ds_records  - Get DS records for registrar
+```
+
+**Files:**
+| Path | Description |
+|------|-------------|
+| `/etc/bind/keys/{domain}/` | DNSSEC keys directory |
+| `/etc/bind/zones/db.{domain}` | Unsigned zone file |
+| `/etc/bind/zones/db.{domain}.signed` | Signed zone file |
+
+**Setup Process:**
+1. Enable DNSSEC for domain in Server Settings
+2. Copy DS record from modal
+3. Add DS record to domain registrar
+4. Wait for DNS propagation (up to 48 hours)
+
+### Test Credentials
+| Panel | URL | Email | Password |
+|-------|-----|-------|----------|
+| Admin | `https://jabali.lan/jabali-admin` | `admin@jabali.lan` | `123123123` |
+| User | `https://jabali.lan/jabali-panel` | `user@jabali.lan` | `wjqr9t6Z#%r&@C$4` |
+
+## Models
+
+| Model | Table | Description |
+|-------|-------|-------------|
+| User | users | Panel users (system users) |
+| Domain | domains | Hosted domains |
+| EmailDomain | email_domains | Email-enabled domains |
+| Mailbox | mailboxes | Email mailboxes |
+| EmailForwarder | email_forwarders | Email forwarding rules |
+| DnsRecord | dns_records | DNS zone records |
+| DnsSetting | dns_settings | Key-value settings store |
+| SslCertificate | ssl_certificates | SSL/TLS certificates |
+| MysqlCredential | mysql_credentials | Database credentials |
+| Backup | backups | User backups |
+| BackupSchedule | backup_schedules | Scheduled backups |
+| BackupDestination | backup_destinations | Remote backup targets |
+| CronJob | cron_jobs | User cron jobs |
+| AuditLog | audit_logs | Admin audit trail |
+| NotificationLog | notification_logs | Admin notification history |
+
+## Filament Pages
+
+### Admin Panel
+- Dashboard, Services, ServerStatus, ServerSettings
+- SslManager, PhpManager, EmailSettings, DnsZones
+- Backups, AuditLogs, Fail2ban, ClamAV, Security, ServerImports
+
+### User Panel
+- Dashboard, Domains, DnsRecords, Files
+- Email, WordPress, Databases, Ssl
+- Backups, CronJobs, SshKeys, PhpSettings, Logs
+
+## Dashboard Configurations
+
+### Admin Dashboard (`/jabali-admin`)
+
+**Location:** `App\Filament\Admin\Pages\Dashboard`
+
+**Header Widgets:**
+- `DashboardStatsWidget` - Stats cards showing Users, Domains, Mailboxes, Databases, SSL Certificates
+  - Uses `<x-filament::section>` components with icon, value (bold), label
+  - Responsive: 1 col mobile, 2 cols tablet, 5 cols desktop
+
+**Schema Components:**
+- `RecentActivityTable` - Embedded audit log table via `EmbeddedTable::make()`
+
+**Header Actions:**
+- Refresh - Reloads the page
+- Setup Wizard - Onboarding modal (visible until completed)
+- Take Tour - Starts the admin panel tour
+
+**Files:**
+| File | Purpose |
+|------|---------|
+| `app/Filament/Admin/Pages/Dashboard.php` | Dashboard page class |
+| `app/Filament/Admin/Widgets/DashboardStatsWidget.php` | Stats widget |
+| `resources/views/filament/admin/widgets/dashboard-stats.blade.php` | Stats template |
+| `app/Filament/Admin/Widgets/Dashboard/RecentActivityTable.php` | Activity table widget |
+
+### User Dashboard (`/jabali-panel`)
+
+**Location:** `App\Filament\Jabali\Pages\Dashboard`
+
+**Widgets (in order):**
+1. `StatsOverview` - Stats cards showing Domains, Mailboxes, Databases, SSL Certificates
+   - Responsive: 1 col mobile, 2 cols tablet, 4 cols desktop
+2. `DiskUsageWidget` - Disk quota visualization with progress bar
+3. `DomainsWidget` - Recent domains table with SSL status
+4. `MailboxesWidget` - Recent mailboxes table
+5. `RecentBackupsWidget` - Latest backups table
+
+**Layout:** 2-column responsive grid (1 col mobile, 2 cols desktop)
+
+**Subheading:** Personalized welcome message ("Welcome back, {name}!")
+
+**Files:**
+| File | Purpose |
+|------|---------|
+| `app/Filament/Jabali/Pages/Dashboard.php` | Dashboard page class |
+| `app/Filament/Jabali/Widgets/StatsOverview.php` | Stats widget |
+| `resources/views/filament/jabali/widgets/stats-overview.blade.php` | Stats template |
+| `app/Filament/Jabali/Widgets/DiskUsageWidget.php` | Disk usage widget |
+| `app/Filament/Jabali/Widgets/DomainsWidget.php` | Domains table widget |
+| `app/Filament/Jabali/Widgets/MailboxesWidget.php` | Mailboxes table widget |
+| `app/Filament/Jabali/Widgets/RecentBackupsWidget.php` | Backups table widget |
+
+## Agent Actions
+
+The jabali-agent supports these action categories:
+
+```
+user.*        - System user management
+domain.*      - Domain/vhost operations
+wp.*          - WordPress installation/management
+email.*       - Email domain/mailbox operations
+mysql.*       - Database operations
+dns.*         - DNS zone management (includes DNSSEC)
+php.*         - PHP version management
+ssl.*         - SSL certificate operations
+backup.*      - Backup/restore operations (see Backup System section)
+service.*     - System service control
+ufw.*         - Firewall management
+file.*        - File operations
+ssh.*         - SSH key management
+cron.*        - Cron job management
+quota.*       - Disk quota management
+clamav.*      - Antivirus scanning
+metrics.*     - System metrics
+scanner.*     - Security scanning (Lynis, Nikto)
+logs.*        - Log access
+redis.*       - Redis user management
+```
+
+**Detailed Action Reference:**
+
+| Action | Parameters | Description |
+|--------|------------|-------------|
+| `dns.enable_dnssec` | `domain` | Generate keys and sign zone |
+| `dns.disable_dnssec` | `domain` | Remove keys and unsign zone |
+| `dns.get_dnssec_status` | `domain` | Check DNSSEC status and keys |
+| `dns.get_ds_records` | `domain` | Get DS records for registrar |
+| `backup.create` | `username`, `options` | Create user backup |
+| `backup.restore` | `username`, `backup_path`, `restore_*` | Restore with selective options |
+| `backup.get_info` | `backup_path` | Get backup manifest |
+| `backup.create_server` | `path`, `options` | Create server backup |
+| `backup.delete` | `path` | Delete backup |
+| `backup.upload_remote` | `local_path`, `config` | Upload to remote |
+| `backup.download_remote` | `remote_path`, `local_path`, `config` | Download from remote |
+| `backup.incremental` | `config`, `options` | Incremental rsync backup |
+| `backup.test_destination` | `config` | Test remote destination |
+| `backup.delete_remote` | `remote_path`, `config` | Delete backup from remote |
+
+## Backup System
+
+The backup system supports both user-level and server-wide backups with local and remote storage.
+
+### Backup Types
+
+| Type | Description | Storage |
+|------|-------------|---------|
+| **Full (tar.gz)** | Complete archive of all data | Local or remote |
+| **Incremental (rsync)** | Space-efficient with hard links | Remote only (SFTP/NFS) |
+
+### Remote Destinations
+
+Supported destination types:
+- **SFTP** - SSH-based file transfer to remote servers
+- **NFS** - Network File System mounts
+- **S3** - S3-compatible object storage (AWS, MinIO, etc.)
+
+### Backup Schedules & Retention
+
+Scheduled backups run via the `backups:run-schedules` artisan command (called by cron). Each schedule has:
+- **Frequency**: Hourly, daily, weekly, or monthly
+- **Retention Count**: Number of backups to keep (default: 7)
+- **Destination**: Local or remote storage
+
+**Retention Policy:**
+- Applied automatically after each backup completes
+- Deletes oldest backups beyond the retention count
+- Works for both local files and remote destinations
+- Implemented in `App\Jobs\RunServerBackup::applyRetention()`
+
+**Important:** The queue worker must be running for scheduled backups and retention:
+```bash
+systemctl status jabali-queue    # Check status
+systemctl restart jabali-queue   # Restart to pick up code changes
+```
+
+### Backup Files
+
+| Path | Description |
+|------|-------------|
+| `/var/backups/jabali/` | Default server backup location |
+| `/home/{user}/backups/` | User backup location |
+| `metadata/panel_data.json` | Panel database records (domains, mailboxes, etc.) |
+| `mysql/` | Database dumps (.sql.gz) |
+| `zones/` | DNS zone files |
+| `ssl/` | SSL certificates |
+| `mail/` | Mailbox data |
+
+### Related Models
+
+- `Backup` - Individual backup records
+- `BackupSchedule` - Schedule configuration with retention settings
+- `BackupDestination` - Remote storage configuration
+
+### Related Jobs
+
+- `RunServerBackup` - Executes backup and applies retention
+- `IndexRemoteBackups` - Indexes backups on remote destinations
+
+## Security Features
+
+### Security Page (Admin)
+
+Located at `/jabali-admin/security`, provides:
+- **Overview** - System security status and recent audit logs
+- **Firewall** - UFW rules management
+- **Fail2ban** - Intrusion prevention with jail management
+- **Antivirus** - ClamAV scanning
+- **SSH** - SSH hardening settings
+- **Vulnerability Scanner** - Security scanning tools
+
+### Security Scanning Tools
+
+| Tool | Purpose | Installation |
+|------|---------|--------------|
+| **Lynis** | System security auditing | Pre-installed |
+| **Nikto** | Web server vulnerability scanner | `/opt/nikto` (GitHub clone) |
+| **WPScan** | WordPress vulnerability scanner | Ruby gem |
+
+**Nikto Configuration:**
+- Installed from GitHub at `/opt/nikto`
+- Symlinked to `/usr/local/bin/nikto`
+- Called with full path in timeout commands (PATH restriction)
+
+**WPScan Configuration:**
+- Cache directory: `/var/www/.wpscan` (owned by www-data)
+- Run with `HOME=/var/www` environment variable
+- Version displayed without ASCII banner using `grep -i 'version'`
+
+### Audit Logs
+
+All administrative actions are logged to the `audit_logs` table.
+
+**Logged Events:**
+- Authentication (login, logout, login_failed)
+- CRUD operations on domains, mailboxes, users
+- System configuration changes
+- Security-related actions
+
+**Audit Log Retention:**
+- Configured via `audit_log_retention_days` setting (default: 90 days)
+- Pruned daily at 2:00 AM via scheduled task
+- Method: `AuditLog::prune()`
+
+**Viewing Logs:**
+- Admin Panel: Security page → Overview tab (paginated table)
+- Direct page: `/jabali-admin/audit-logs` (hidden from sidebar)
+
+### Related Files
+
+| File | Description |
+|------|-------------|
+| `app/Models/AuditLog.php` | Audit log model with prune method |
+| `app/Filament/Admin/Pages/Security.php` | Security dashboard |
+| `app/Filament/Admin/Widgets/Security/AuditLogsTable.php` | Audit logs table widget |
+| `routes/console.php` | Scheduled audit log pruning |
+
+## Code Style
+
+- PHP 8.2+ with strict types
+- Follow Laravel conventions
+- Use `DnsSetting::get()` / `DnsSetting::set()` for key-value storage
+- All privileged operations go through jabali-agent
+
+## Filament v4 UI Guidelines
+
+**CRITICAL: Build using ONLY Filament v4 native components and styles with proper spacing. Always use pure Filament native components with proper icons and colors.**
+
+### Architecture Guidelines
+
+1. **Use Filament Resources for Eloquent Models**: When data is backed by an Eloquent model, prefer creating a Filament Resource (`php artisan make:filament-resource`) over custom pages.
+
+2. **Use Tables for List Data**: When displaying list data (arrays or collections), ALWAYS use proper Filament tables via `EmbeddedTable::make()` or the `HasTable` trait.
+
+3. **Use Schema-based Pages for Complex UIs**: For pages with multiple sections, tabs, and mixed content (forms + tables + stats), use Schema-based pages with embedded table widgets.
+
+4. **Prefer Existing Patterns**: Look at existing pages in the codebase (e.g., `Security.php`, `DnsRecords.php`, `SshKeys.php`) for examples of how to implement similar features.
+
+### Absolute Rules (NO EXCEPTIONS)
+- **NO custom HTML** - Never use raw `<div>`, `<span>`, `<p>`, `<ul>` etc. in Filament pages
+- **NO inline styles** - Never use `style="..."` attributes
+- **NO custom CSS** - Never create CSS files for Filament components
+- **NO custom blade templates** - Don't create View components with custom HTML for UI elements
+- **USE Filament components** - Sections, badges, buttons, tables, infolists, stats widgets, grids
+- **USE proper icons** - Always use `->icon('heroicon-o-*')` on sections and actions
+- **USE proper colors** - Always use `->iconColor('success'|'danger'|'warning'|'gray')` for status indication
+- **USE Tailwind classes** - Only when absolutely necessary for minor adjustments
+- **MUST be responsive** - All pages must work on mobile, tablet, and desktop
+
+### Allowed Components
+Use these Filament native components exclusively:
+
+| Category | Components |
+|----------|------------|
+| Layout | `Section::make()`, `Grid::make()`, `Group::make()`, `Tabs::make()` |
+| Display | `Text::make()`, `<x-filament::badge>`, `<x-filament::icon>` |
+| Actions | `Actions::make()`, `Action::make()`, `<x-filament::button>` |
+| Forms | TextInput, Select, Toggle, FileUpload, Checkbox, etc. |
+| Data | Tables, Infolists, Stats Widgets, `EmbeddedTable::make()` |
+| Feedback | `<x-filament::modal>`, Notifications |
+
+### Tables with Array Data (IMPORTANT)
+
+When displaying list data, **ALWAYS use proper Filament tables**, not Sections or custom HTML. Use `EmbeddedTable::make()` to embed table widgets within Schema-based pages.
+
+**Creating a Self-Refreshing Table Widget:**
+
+For tables with actions that modify data (enable/disable, delete, etc.), the widget should reload its own data directly rather than dispatching events to the parent (which causes full page re-renders).
+
+```php
+<?php
+namespace App\Filament\Admin\Widgets\Security;
+
+use App\Services\Agent\AgentClient;
+use Filament\Actions\Action;
+use Filament\Actions\Concerns\InteractsWithActions;
+use Filament\Actions\Contracts\HasActions;
+use Filament\Notifications\Notification;
+use Filament\Schemas\Concerns\InteractsWithSchemas;
+use Filament\Schemas\Contracts\HasSchemas;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Columns\IconColumn;
+use Filament\Tables\Concerns\InteractsWithTable;
+use Filament\Tables\Contracts\HasTable;
+use Filament\Tables\Table;
+use Livewire\Component;
+
+class MyDataTable extends Component implements HasTable, HasSchemas, HasActions
+{
+    use InteractsWithTable;
+    use InteractsWithSchemas;
+    use InteractsWithActions;
+
+    public array $items = [];  // Data passed from parent
+
+    // Reload data directly from source (agent, API, database)
+    protected function reloadData(): void
+    {
+        try {
+            $agent = new AgentClient();
+            $result = $agent->send('some.action', []);
+            if ($result['success'] ?? false) {
+                $this->items = $result['items'] ?? [];
+                $this->resetTable();  // Force table to re-render with new data
+            }
+        } catch (\Exception $e) {
+            // Keep existing data on error
+        }
+    }
+
+    public function makeFilamentTranslatableContentDriver(): ?\Filament\Support\Contracts\TranslatableContentDriver
+    {
+        return null;
+    }
+
+    public function table(Table $table): Table
+    {
+        return $table
+            ->records(fn () => $this->items)
+            ->columns([
+                TextColumn::make('name')->label(__('Name'))->searchable(),
+                IconColumn::make('enabled')
+                    ->label(__('Status'))
+                    ->boolean()
+                    ->trueIcon('heroicon-o-check-circle')
+                    ->falseIcon('heroicon-o-x-circle')
+                    ->trueColor('success')
+                    ->falseColor('gray'),
+            ])
+            ->actions([
+                Action::make('toggle')
+                    ->label(fn (array $record): string => ($record['enabled'] ?? false) ? __('Disable') : __('Enable'))
+                    ->icon(fn (array $record): string => ($record['enabled'] ?? false) ? 'heroicon-o-x-circle' : 'heroicon-o-check-circle')
+                    ->color(fn (array $record): string => ($record['enabled'] ?? false) ? 'danger' : 'success')
+                    ->action(function (array $record): void {
+                        try {
+                            $agent = new AgentClient();
+                            $result = $agent->send('item.toggle', ['id' => $record['id']]);
+
+                            if ($result['success'] ?? false) {
+                                Notification::make()
+                                    ->title(__('Status updated'))
+                                    ->success()
+                                    ->send();
+
+                                // Reload data directly - don't dispatch events to parent
+                                $this->reloadData();
+                            } else {
+                                throw new \Exception($result['error'] ?? __('Operation failed'));
+                            }
+                        } catch (\Exception $e) {
+                            Notification::make()
+                                ->title(__('Error'))
+                                ->body($e->getMessage())
+                                ->danger()
+                                ->send();
+                        }
+                    }),
+            ])
+            ->striped()
+            ->emptyStateHeading(__('No items'))
+            ->emptyStateIcon('heroicon-o-inbox');
+    }
+
+    public function render()
+    {
+        return $this->getTable()->render();
+    }
+}
+```
+
+**Embedding Table in Schema:**
+```php
+use Filament\Schemas\Components\EmbeddedTable;
+use App\Filament\Admin\Widgets\Security\MyDataTable;
+
+// In your page's schema
+Section::make(__('Data List'))
+    ->icon('heroicon-o-list-bullet')
+    ->schema([
+        EmbeddedTable::make(MyDataTable::class, ['items' => $this->items]),
+    ])
+```
+
+**Key Points:**
+- Implement `HasTable`, `HasSchemas`, and `HasActions` interfaces
+- Use `InteractsWithTable`, `InteractsWithSchemas`, and `InteractsWithActions` traits
+- Use `->records(fn () => $this->arrayData)` for array/collection data
+- Use `->query(Model::query())` for Eloquent models
+- Use `->actions([])` for row actions on array-based tables
+- Always implement `makeFilamentTranslatableContentDriver()` returning null
+- Return `$this->getTable()->render()` in render method (NOT `view('filament-tables::index')`)
+- Import actions from `Filament\Actions\Action` (NOT `Filament\Tables\Actions\Action`)
+- **After modifying data, call `$this->resetTable()` to force the table to re-render**
+- **Reload data directly in the widget rather than dispatching events to parent** (avoids full page re-renders)
+
+### Section with Icons and Colors
+Always use Section's native icon and color support:
+```php
+use Filament\Schemas\Components\Section;
+
+// Status card with icon and color
+Section::make(__('Active'))
+    ->description(__('Firewall'))
+    ->icon('heroicon-o-shield-check')
+    ->iconColor('success')  // success, danger, warning, gray
+
+// Section with header actions
+Section::make(__('Settings'))
+    ->icon('heroicon-o-cog')
+    ->headerActions([
+        Action::make('save')->label(__('Save')),
+    ])
+    ->schema([...])
+```
+
+### Responsive Grid Layout
+Use Grid with responsive column configuration:
+```php
+use Filament\Schemas\Components\Grid;
+use Filament\Schemas\Components\Section;
+
+// 3-column responsive grid for stat cards
+Grid::make(['default' => 1, 'sm' => 3])
+    ->schema([
+        Section::make(__('Active'))
+            ->description(__('Firewall'))
+            ->icon('heroicon-o-shield-check')
+            ->iconColor('success'),
+        Section::make('0')
+            ->description(__('IPs Banned'))
+            ->icon('heroicon-o-lock-closed')
+            ->iconColor('success'),
+        Section::make('0')
+            ->description(__('Threats'))
+            ->icon('heroicon-o-bug-ant')
+            ->iconColor('gray'),
+    ])
+```
+
+### Stats Overview Widget Pattern
+
+For dashboard stats (domains count, mailboxes count, etc.), use a custom Widget with `<x-filament::section>` components in a blade template.
+
+**Widget class:**
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Widgets;
+
+use Filament\Widgets\Widget;
+
+class DashboardStatsWidget extends Widget
+{
+    protected static ?int $sort = 1;
+    protected int|string|array $columnSpan = 'full';
+    protected string $view = 'filament.admin.widgets.dashboard-stats';
+
+    public function getStats(): array
+    {
+        return [
+            [
+                'value' => $userCount,
+                'label' => __('Users'),
+                'icon' => 'heroicon-o-users',
+                'color' => 'primary',
+            ],
+            [
+                'value' => $domainCount,
+                'label' => __('Domains'),
+                'icon' => 'heroicon-o-globe-alt',
+                'color' => 'success',
+            ],
+            // ... more stats
+        ];
+    }
+}
+```
+
+**Blade template** (`resources/views/filament/{panel}/widgets/dashboard-stats.blade.php`):
+```blade
+<x-filament-widgets::widget>
+    <style>
+        .stats-grid {
+            display: grid;
+            grid-template-columns: repeat(1, minmax(0, 1fr));
+            gap: 16px;
+        }
+        @media (min-width: 640px) {
+            .stats-grid { grid-template-columns: repeat(2, minmax(0, 1fr)); }
+        }
+        @media (min-width: 1024px) {
+            .stats-grid { grid-template-columns: repeat(5, minmax(0, 1fr)); }
+        }
+    </style>
+    <div class="stats-grid">
+        @foreach($this->getStats() as $stat)
+            <x-filament::section :icon="$stat['icon']" :icon-color="$stat['color']">
+                <x-slot name="heading">
+                    <span class="text-2xl font-bold">{{ $stat['value'] }}</span>
+                </x-slot>
+                <x-slot name="description">{{ $stat['label'] }}</x-slot>
+            </x-filament::section>
+        @endforeach
+    </div>
+</x-filament-widgets::widget>
+```
+
+**Key points:**
+- Use custom Widget extending `Filament\Widgets\Widget` with a blade view
+- Use `<x-filament::section>` for each stat card with icon and icon-color
+- Value goes in `heading` slot with bold styling, label goes in `description` slot
+- Use CSS media queries in `<style>` tag for responsive grid (Tailwind dynamic classes may not work)
+- Adjust grid columns based on number of stats (e.g., 5 cols for admin, 4 cols for user panel)
+
+### Responsive Design Verification
+
+**CRITICAL: Always test responsive design on three viewport sizes:**
+
+1. **Mobile** (375px width) - iPhone size
+2. **Tablet** (768px width) - iPad size
+3. **Desktop** (1400px width) - Standard desktop
+
+**Puppeteer viewport examples:**
+```javascript
+// Mobile
+await page.setViewport({ width: 375, height: 812 });
+
+// Tablet
+await page.setViewport({ width: 768, height: 1024 });
+
+// Desktop
+await page.setViewport({ width: 1400, height: 900 });
+```
+
+**Common responsive issues to check:**
+- Stats/cards should stack on mobile, grid on tablet/desktop
+- Tables should be scrollable on mobile
+- Navigation should collapse to hamburger menu on mobile
+- Buttons and inputs should be touch-friendly (min 44px tap target)
+- Text should not overflow or be cut off
+
+### Tabs with Dynamic Table Content (IMPORTANT)
+
+**Problem:** When using Filament's `Tabs::make()` with tables inside `View::make()`, table row actions (modals, confirmations) don't work because the action mounting breaks when nested inside the Tabs schema.
+
+**Solution:** Render the table OUTSIDE the form schema, and use a custom tabs navigation component with `wire:click` for tab switching.
+
+**1. Create a custom tabs nav component** (`resources/views/filament/{panel}/components/my-tabs-nav.blade.php`):
+```blade
+@php
+    $tabs = [
+        'first' => ['label' => __('First Tab'), 'icon' => 'heroicon-o-home'],
+        'second' => ['label' => __('Second Tab'), 'icon' => 'heroicon-o-cog'],
+        'third' => ['label' => __('Third Tab'), 'icon' => 'heroicon-o-list-bullet'],
+    ];
+@endphp
+
+<nav class="fi-tabs flex max-w-full gap-x-1 overflow-x-auto mx-auto rounded-xl bg-white p-2 shadow-sm ring-1 ring-gray-950/5 dark:bg-white/5 dark:ring-white/10" role="tablist">
+    @foreach($tabs as $key => $tab)
+        <button
+            type="button"
+            role="tab"
+            aria-selected="{{ $this->activeTab === $key ? 'true' : 'false' }}"
+            wire:click="setTab('{{ $key }}')"
+            @class([
+                'fi-tabs-item group flex items-center gap-x-2 rounded-lg px-3 py-2 text-sm font-medium outline-none transition duration-75',
+                'fi-active bg-gray-50 dark:bg-white/5' => $this->activeTab === $key,
+                'hover:bg-gray-50 focus-visible:bg-gray-50 dark:hover:bg-white/5 dark:focus-visible:bg-white/5' => $this->activeTab !== $key,
+            ])
+        >
+            <x-filament::icon
+                :icon="$tab['icon']"
+                @class([
+                    'fi-tabs-item-icon h-5 w-5 shrink-0 transition duration-75',
+                    'text-primary-600 dark:text-primary-400' => $this->activeTab === $key,
+                    'text-gray-400 group-hover:text-gray-500 group-focus-visible:text-gray-500 dark:text-gray-500 dark:group-hover:text-gray-400 dark:group-focus-visible:text-gray-400' => $this->activeTab !== $key,
+                ])
+            />
+            <span @class([
+                'fi-tabs-item-label transition duration-75',
+                'text-primary-600 dark:text-primary-400' => $this->activeTab === $key,
+                'text-gray-500 group-hover:text-gray-700 group-focus-visible:text-gray-700 dark:text-gray-400 dark:group-hover:text-gray-200 dark:group-focus-visible:text-gray-200' => $this->activeTab !== $key,
+            ])>
+                {{ $tab['label'] }}
+            </span>
+        </button>
+    @endforeach
+</nav>
+```
+
+**2. Page class:**
+```php
+<?php
+namespace App\Filament\Jabali\Pages;
+
+use Filament\Pages\Page;
+use Filament\Schemas\Components\Section;
+use Filament\Schemas\Components\View;
+use Filament\Schemas\Schema;
+use Filament\Tables\Concerns\InteractsWithTable;
+use Filament\Tables\Contracts\HasTable;
+use Filament\Tables\Table;
+use Livewire\Attributes\Url;
+
+class MyTabbedPage extends Page implements HasTable
+{
+    use InteractsWithTable;
+
+    #[Url(as: 'tab')]
+    public ?string $activeTab = 'first';
+
+    public function mount(): void
+    {
+        $this->activeTab = $this->normalizeTabName($this->activeTab);
+    }
+
+    protected function normalizeTabName(?string $tab): string
+    {
+        return match ($tab) {
+            'first', 'second', 'third' => $tab,
+            default => 'first',
+        };
+    }
+
+    protected function getForms(): array
+    {
+        return ['myForm'];
+    }
+
+    // Form renders ONLY the tabs nav (and optional info section)
+    public function myForm(Schema $schema): Schema
+    {
+        return $schema->schema([
+            Section::make(__('Page Title'))
+                ->description(__('Description of this page'))
+                ->icon('heroicon-o-information-circle')
+                ->iconColor('info'),
+            View::make('filament.jabali.components.my-tabs-nav'),
+        ]);
+    }
+
+    public function setTab(string $tab): void
+    {
+        $this->activeTab = $this->normalizeTabName($tab);
+        $this->resetTable();
+    }
+
+    // Table rendered separately - NOT inside the form schema
+    public function table(Table $table): Table
+    {
+        return match ($this->activeTab) {
+            'first' => $this->firstTable($table),
+            'second' => $this->secondTable($table),
+            'third' => $this->thirdTable($table),
+            default => $this->firstTable($table),
+        };
+    }
+
+    protected function firstTable(Table $table): Table
+    {
+        return $table
+            ->query(MyModel::query())
+            ->columns([...])
+            ->recordActions([
+                // These actions will work because table is outside the form schema
+                Action::make('edit')->modalHeading('Edit Item')->form([...])->action(...),
+                Action::make('delete')->requiresConfirmation()->action(...),
+            ]);
+    }
+}
+```
+
+**3. Blade template** - render table OUTSIDE the form with negative margin:
+```blade
+<x-filament-panels::page>
+    {{ $this->myForm }}
+
+    <div class="-mt-4">
+        {{ $this->table }}
+    </div>
+
+    <x-filament-actions::modals />
+</x-filament-panels::page>
+```
+
+**Key points:**
+- **DO NOT** put `View::make('...table')` inside `Tabs\Tab::make()->schema([])` - table actions won't work
+- Render the table DIRECTLY in the blade template with `{{ $this->table }}`
+- Use `<div class="-mt-4">` to compensate for the parent's row-gap CSS
+- Custom tabs nav uses `wire:click="setTab('tabname')"` for proper Livewire updates
+- `setTab()` normalizes the tab name and calls `$this->resetTable()` to refresh the table
+- `#[Url(as: 'tab')]` syncs the active tab with the URL query string
+
+**Examples in codebase:**
+- `app/Filament/Jabali/Pages/Email.php` - Email page with mailboxes/forwarders/catchall/logs tabs
+- `app/Filament/Jabali/Pages/Backups.php` - Backups page with local/remote/history tabs
+
+### Examples
+
+**Stats Widget (correct):**
+```php
+use Filament\Widgets\StatsOverviewWidget;
+use Filament\Widgets\StatsOverviewWidget\Stat;
+
+class MyStatsWidget extends StatsOverviewWidget
+{
+    protected function getStats(): array
+    {
+        return [
+            Stat::make('Total', 100)->icon('heroicon-o-users'),
+            Stat::make('Active', 80)->color('success'),
+        ];
+    }
+}
+```
+
+**Section with content (correct):**
+```blade
+<x-filament::section icon="heroicon-o-cog" collapsible>
+    <x-slot name="heading">Settings</x-slot>
+    <x-slot name="description">Configure options</x-slot>
+
+    {{-- Use Filament form components here --}}
+</x-filament::section>
+```
+
+**Table columns (correct):**
+```php
+TextColumn::make('status')
+    ->badge()
+    ->color(fn (string $state): string => match ($state) {
+        'active' => 'success',
+        'pending' => 'warning',
+        default => 'gray',
+    })
+```
+
+### Progress Bar Widget Pattern
+
+For displaying progress (disk usage, quotas, etc.), use a Widget with Filament Section and Tailwind-based progress bar. Use Tailwind's dynamic color classes with `@class` directive:
+
+**Widget class:**
+```php
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Jabali\Widgets;
+
+use Filament\Widgets\Widget;
+
+class DiskUsageWidget extends Widget
+{
+    protected static ?int $sort = 2;
+    protected int|string|array $columnSpan = 1;
+    protected string $view = 'filament.jabali.widgets.disk-usage';
+
+    public function getData(): array
+    {
+        $percent = 25.0;
+        return [
+            'used' => '2.5 GB',
+            'quota' => '10 GB',
+            'free' => '7.5 GB',
+            'percent' => $percent,
+            'has_quota' => true,
+            'home' => '/home/user',
+            'color' => $this->getColor($percent),
+        ];
+    }
+
+    protected function getColor(float $percent): string
+    {
+        if ($percent >= 90) return 'danger';
+        if ($percent >= 70) return 'warning';
+        return 'success';
+    }
+}
+```
+
+**Blade template (resources/views/filament/{panel}/widgets/disk-usage.blade.php):**
+```blade
+<x-filament-widgets::widget>
+    <x-filament::section icon="heroicon-o-circle-stack">
+        <x-slot name="heading">{{ __('Disk Usage') }}</x-slot>
+        <x-slot name="description">{{ $this->getData()['home'] }}</x-slot>
+
+        @php
+            $data = $this->getData();
+            $percent = min(100, max(0, $data['percent']));
+        @endphp
+
+        <div class="space-y-4">
+            <div>
+                <div class="flex items-center justify-between mb-2">
+                    <span class="text-sm font-medium text-gray-700 dark:text-gray-200">
+                        {{ $data['used'] }} {{ __('used') }}
+                    </span>
+                    <x-filament::badge :color="$data['color']">
+                        {{ number_format($percent, 1) }}%
+                    </x-filament::badge>
+                </div>
+                <div class="w-full h-3 bg-gray-200 rounded-full dark:bg-gray-700 overflow-hidden">
+                    <div
+                        @class([
+                            'h-full rounded-full transition-all duration-500',
+                            'bg-success-500' => $data['color'] === 'success',
+                            'bg-warning-500' => $data['color'] === 'warning',
+                            'bg-danger-500' => $data['color'] === 'danger',
+                        ])
+                        style="width: {{ $percent }}%"
+                    ></div>
+                </div>
+            </div>
+        </div>
+    </x-filament::section>
+</x-filament-widgets::widget>
+```
+
+**Key points:**
+- Use `@class` directive with conditional Tailwind classes for colors
+- Only use inline `style` for truly dynamic values like percentage width (Tailwind can't generate dynamic classes)
+- Use Filament's native `<x-filament::badge>` and `<x-filament::section>` components
+- Use Filament color names (`success`, `warning`, `danger`) for consistency
+
+### Anti-patterns (avoid)
+```blade
+{{-- BAD: Custom HTML --}}
+<div class="custom-card">
+    <h3>Title</h3>
+    <p>Content</p>
+</div>
+
+{{-- GOOD: Use Filament section --}}
+<x-filament::section>
+    <x-slot name="heading">Title</x-slot>
+    Content
+</x-filament::section>
+```
+
+```blade
+{{-- BAD: Inline styles --}}
+<div style="display: flex; gap: 1rem;">
+
+{{-- GOOD: Tailwind classes if needed --}}
+<div class="flex gap-4">
+```
+
+### Filament v4 Namespaces (IMPORTANT)
+
+Filament v4 uses `Schema` instead of `Form` for page layouts, and layout components are in different namespaces:
+
+```php
+// CORRECT Filament v4 imports
+use Filament\Schemas\Schema;                    // NOT Filament\Forms\Form
+use Filament\Schemas\Components\Tabs;           // NOT Filament\Forms\Components\Tabs
+use Filament\Schemas\Components\Grid;           // Layout components
+use Filament\Schemas\Components\Section;
+use Filament\Schemas\Components\Group;
+use Filament\Schemas\Components\Text;
+use Filament\Schemas\Components\View;
+use Filament\Schemas\Components\Actions as FormActions;
+
+// Form INPUT components stay in Forms namespace
+use Filament\Forms\Components\TextInput;
+use Filament\Forms\Components\Select;
+use Filament\Forms\Components\Toggle;
+```
+
+**Method signatures:**
+```php
+// CORRECT - Filament v4
+public function myForm(Schema $schema): Schema
+
+// WRONG - Old Filament v3 style
+public function myForm(Form $form): Form
+```
+
+### Schema-based Tabs (For Form-Only Content)
+
+Use `Filament\Schemas\Components\Tabs` within a form schema **ONLY when tabs contain form fields or static content** - NOT when tabs contain tables with row actions.
+
+**When to use Schema-based Tabs:**
+- Tabs with form inputs (TextInput, Select, Toggle, etc.)
+- Tabs with static content (Text, View with no interactive elements)
+- Settings pages where each tab is a different category of settings
+
+**When NOT to use Schema-based Tabs:**
+- Tabs with tables that have row actions (edit, delete, view modals)
+- Use the "Tabs with Dynamic Table Content" pattern above instead
+
+**Example - Settings page with form tabs:**
+```php
+public function settingsForm(Schema $schema): Schema
+{
+    return $schema->schema([
+        Tabs::make('Settings')
+            ->tabs([
+                Tabs\Tab::make(__('General'))
+                    ->icon('heroicon-o-cog')
+                    ->schema([
+                        TextInput::make('site_name')->label(__('Site Name')),
+                        Toggle::make('maintenance_mode')->label(__('Maintenance Mode')),
+                    ]),
+                Tabs\Tab::make(__('Email'))
+                    ->icon('heroicon-o-envelope')
+                    ->schema([
+                        TextInput::make('smtp_host')->label(__('SMTP Host')),
+                        TextInput::make('smtp_port')->label(__('SMTP Port')),
+                    ]),
+            ])
+            ->persistTabInQueryString(),
+    ]);
+}
+```
+
+**Key Points:**
+- `persistTabInQueryString()` syncs tab state with URL (client-side only)
+- For tables with actions, see "Tabs with Dynamic Table Content" pattern above
+
+**Text component (no label method):**
+```php
+// CORRECT - Text takes content directly
+Text::make(__('Your message here'))
+Text::make($this->someVariable)
+
+// WRONG - Text doesn't have label() or content() methods
+Text::make('name')->label('Label')->content('Content')
+```
+
+## Debugging & Verification
+
+### IMPORTANT: Always Clear Laravel Cache After Tasks
+After completing any task that modifies PHP files, views, or configuration, **ALWAYS clear Laravel cache**:
+
+```bash
+cd /var/www/jabali && php artisan optimize:clear
+```
+
+This is equivalent to running:
+```bash
+php artisan config:clear
+php artisan view:clear
+php artisan cache:clear
+php artisan route:clear
+php artisan event:clear
+```
+
+**When to clear cache:**
+- After modifying any PHP file in `app/`
+- After modifying any Blade template in `resources/views/`
+- After modifying `.env` or `config/` files
+- After adding or removing files
+- Before taking screenshots to verify changes
+
+### Always Diagnose with Artisan
+When encountering errors or unexpected behavior, use `php artisan` commands to diagnose:
+
+```bash
+# Check PHP syntax errors
+php -l app/Filament/Admin/Pages/YourPage.php
+
+# Clear all caches (do this after code changes)
+php artisan config:clear
+php artisan view:clear
+php artisan cache:clear
+php artisan route:clear
+
+# Rebuild caches for production
+php artisan config:cache
+php artisan view:cache
+php artisan route:cache
+
+# Check routes are registered
+php artisan route:list --name=filament
+
+# Debug with tinker
+php artisan tinker
+
+# Check for missing migrations
+php artisan migrate:status
+
+# View logs in real-time
+php artisan pail
+```
+
+### Common Error Patterns
+
+| Error | Cause | Fix |
+|-------|-------|-----|
+| `TypeError: must be of type X, Y given` | Wrong type hint (e.g., `Form` vs `Schema` in Filament v4) | Check method signatures match framework version |
+| `Unable to locate component` | Blade component doesn't exist | Check component name spelling and namespace |
+| `Class not found` | Missing import or autoload | Run `composer dump-autoload`, check `use` statements |
+| `View not found` | Missing blade template | Create the view file in correct location |
+
+### Screenshots for UI Verification
+Use Puppeteer scripts in `/tmp/` to take screenshots of authenticated pages. Always save screenshots to `/tmp/`:
+
+```bash
+# For authenticated admin panel pages, use Puppeteer scripts in /tmp/
+# Example: /tmp/security-overview.js
+node /tmp/security-overview.js
+
+# Then use the Read tool to view the screenshot
+# Read /tmp/security-overview.png to see the result
+```
+
+**Example Puppeteer script** (`/tmp/screenshot-page.js`):
+```javascript
+const puppeteer = require('puppeteer');
+
+(async () => {
+  const browser = await puppeteer.launch({
+    headless: 'new',
+    args: ['--no-sandbox', '--disable-setuid-sandbox', '--ignore-certificate-errors']
+  });
+  const page = await browser.newPage();
+  await page.setViewport({ width: 1600, height: 1200 });
+
+  // Login to admin panel
+  await page.goto('https://jabali.lan/jabali-admin/login', { waitUntil: 'networkidle0' });
+  await new Promise(r => setTimeout(r, 1000));
+  await page.type('input[type="email"]', 'admin@jabali.lan');
+  await page.type('input[type="password"]', '123123123');
+  await page.click('button[type="submit"]');
+  await new Promise(r => setTimeout(r, 5000));
+
+  // Navigate to target page
+  await page.goto('https://jabali.lan/jabali-admin/security', { waitUntil: 'networkidle0', timeout: 30000 });
+  await new Promise(r => setTimeout(r, 3000));
+
+  await page.screenshot({ path: '/tmp/security.png', fullPage: true });
+  await browser.close();
+})();
+```
+
+**Important:** Always save screenshots to `/tmp/` directory (e.g., `/tmp/page.png`).
+
+**When to use screenshots:**
+- After making UI/layout changes to verify they look correct
+- When debugging visual issues that are hard to diagnose from code
+- To check responsive design on different viewport sizes
+- Before committing changes to ensure nothing is visually broken
+
+**Workflow:**
+1. Make code changes
+2. Run `php -l` to check syntax
+3. Clear caches with `php artisan view:clear`
+4. Create/update Puppeteer script in `/tmp/` and run with `node`
+5. Use Read tool to view the screenshot
+
+## Testing
+
+```bash
+composer test             # Run all tests
+php artisan test --filter=ClassName  # Run specific test
+```
+
+## Common Tasks
+
+### Adding a New Filament Page
+
+1. Create page class in `app/Filament/{Panel}/Pages/`
+2. Create blade view in `resources/views/filament/{panel}/pages/`
+3. Register in panel provider if needed
+
+### Adding Agent Actions
+
+1. Add action handler in `bin/jabali-agent` (match statement)
+2. Implement function with proper validation
+3. Call from PHP:
+```php
+use App\Services\Agent\AgentClient;
+
+$client = new AgentClient();
+$response = $client->send('category.action', ['param1' => 'value1']);
+```
+
+### Agent Best Practices
+
+**Service Restart Operations:**
+When agent actions restart services (fail2ban, nginx, postfix, etc.), add a wait period before returning success. This ensures the UI gets accurate status when it reloads:
+
+```php
+function myServiceToggle(array $params): array
+{
+    // ... modify config ...
+
+    // Restart the service
+    exec('systemctl restart myservice 2>&1', $output, $code);
+
+    // Wait for service to be fully ready before returning
+    if ($code === 0) {
+        sleep(2);  // Give service time to fully start
+        exec('systemctl is-active myservice 2>/dev/null', $statusOutput);
+    }
+
+    return ['success' => $code === 0, 'error' => $code !== 0 ? implode("\n", $output) : null];
+}
+```
+
+**Fallback Data:**
+For data that may not be available from the source (e.g., descriptions from filter files), provide fallback mappings:
+
+```php
+$descriptions = [
+    'postfix-sasl' => 'Postfix SASL authentication protection',
+    'dovecot' => 'Dovecot IMAP/POP3 server protection',
+    // ... more fallbacks
+];
+
+$description = getFromSource() ?: ($descriptions[$name] ?? '');
+```
+
+### Working with Settings
+
+```php
+use App\Models\DnsSetting;
+
+// Get setting with default
+$value = DnsSetting::get('setting_key', 'default');
+
+// Set setting
+DnsSetting::set('setting_key', $value);
+```
+
+## File Paths
+
+| Path | Description |
+|------|-------------|
+| `/home/{user}/domains/{domain}/public_html` | Domain web root |
+| `/home/{user}/backups/` | User backups (tar.gz files) |
+| `/var/backups/jabali/` | Server backups (admin-created) |
+| `/var/vmail/{domain}/{user}` | Email mailbox storage |
+| `/var/run/jabali/agent.sock` | Agent socket |
+| `/var/log/jabali/agent.log` | Agent log (includes security audit) |
+| `/etc/nginx/sites-available/` | Nginx vhosts |
+| `/etc/letsencrypt/` | SSL certificates |
+| `/etc/bind/zones/` | DNS zone files |
+| `/etc/bind/keys/{domain}/` | DNSSEC keys |
+
+## Environment Variables
+
+Key `.env` settings:
+- `APP_URL` - Panel URL
+- `PANEL_DOMAIN` - Panel hostname
+- `DB_*` - Database connection
+- `MAIL_*` - Mail configuration
+
+## Dependencies
+
+- PHP 8.2+, Laravel 12, Filament 4, Livewire 3
+- Nginx, PHP-FPM, MariaDB/MySQL
+- Postfix, Dovecot, OpenDKIM
+- BIND9 (named), Certbot
+- Redis (optional caching)
+
+## Internationalization (i18n) & Translations
+
+The panel supports multiple languages with full RTL (right-to-left) support for Arabic and Hebrew.
+
+### Supported Languages
+
+| Code | Language | Native Name | Direction |
+|------|----------|-------------|-----------|
+| `en` | English | English | LTR |
+| `es` | Spanish | Español | LTR |
+| `fr` | French | Français | LTR |
+| `ru` | Russian | Русский | LTR |
+| `pt` | Portuguese | Português | LTR |
+| `ar` | Arabic | العربية | RTL |
+| `he` | Hebrew | עברית | RTL |
+
+### Configuration
+
+**Language settings:** `config/languages.php`
+
+```php
+// Get supported languages
+$languages = config('languages.supported');
+
+// Check if language is RTL
+$isRtl = config('languages.supported.ar.direction') === 'rtl';
+```
+
+### Translation Files
+
+| File | Description | Entries |
+|------|-------------|---------|
+| `lang/en.json` | English (base) | 602 |
+| `lang/es.json` | Spanish | 1171 |
+| `lang/fr.json` | French | 887 |
+| `lang/ru.json` | Russian | 887 |
+| `lang/pt.json` | Portuguese | 880 |
+| `lang/ar.json` | Arabic | 880 |
+| `lang/he.json` | Hebrew | 880 |
+
+### Using Translations
+
+**In PHP/Blade:**
+```php
+// Simple translation
+__('Dashboard')
+
+// With parameters
+__('Welcome, :name', ['name' => $user->name])
+
+// In Filament components
+TextColumn::make('status')->label(__('Status'))
+Section::make(__('Settings'))->description(__('Configure your options'))
+```
+
+**Best Practices:**
+- Always wrap user-facing strings with `__()`
+- Use English as the key: `__('Create Domain')` not `__('domain.create')`
+- Parameters use `:name` syntax for substitution
+- Keep translations concise and contextually appropriate
+
+### Adding New Translations
+
+1. **Add the English string** in your code using `__('Your string')`
+
+2. **Add translations** to each language file in `lang/`:
+
+```bash
+# Example: Adding "New Feature" translation
+# Edit each file: lang/es.json, lang/fr.json, etc.
+```
+
+```json
+{
+    "New Feature": "Nueva Función"
+}
+```
+
+3. **For bulk additions**, create entries in all language files:
+
+```php
+// lang/es.json
+{
+    "New Feature": "Nueva Función",
+    "Another String": "Otra Cadena"
+}
+
+// lang/fr.json
+{
+    "New Feature": "Nouvelle Fonctionnalité",
+    "Another String": "Une Autre Chaîne"
+}
+```
+
+### RTL Language Support
+
+Arabic and Hebrew use right-to-left text direction. Filament handles RTL automatically when the locale is set. For custom components:
+
+```blade
+{{-- Use Tailwind RTL utilities --}}
+<div class="rtl:text-right ltr:text-left">Content</div>
+<div class="rtl:mr-4 ltr:ml-4">Indented content</div>
+```
+
+### Login Page Word Clouds
+
+Both admin and user panels feature typographic word cloud backgrounds on login pages:
+
+- **Admin Panel:** "Administrator" in all supported languages (red, diagonal pattern)
+- **User Panel:** "Client Dashboard" in all supported languages (blue, diagonal pattern)
+
+The word clouds use fonts that support all scripts: `"Segoe UI", Arial, "Noto Sans", "Noto Sans Arabic", "Noto Sans Hebrew", sans-serif`
+
+### Extracting Translatable Strings
+
+To find all translatable strings in the codebase:
+
+```bash
+# Find all __() calls in PHP files
+grep -roh "__('[^']*')" app/ resources/ --include="*.php" | sort | uniq
+
+# Find all __() calls in Blade files
+grep -roh "__('[^']*')" resources/ --include="*.blade.php" | sort | uniq
+```
+
+### Language Switcher
+
+Users can change their language preference through their profile settings. The selected language is stored in the session and persists across requests.
+
+===
+
+<laravel-boost-guidelines>
+=== foundation rules ===
+
+# Laravel Boost Guidelines
+
+The Laravel Boost guidelines are specifically curated by Laravel maintainers for this application. These guidelines should be followed closely to enhance the user's satisfaction building Laravel applications.
+
+## Foundational Context
+This application is a Laravel application and its main Laravel ecosystems package & versions are below. You are an expert with them all. Ensure you abide by these specific packages & versions.
+
+- php - 8.4.16
+- filament/filament (FILAMENT) - v5
+- laravel/fortify (FORTIFY) - v1
+- laravel/framework (LARAVEL) - v12
+- laravel/prompts (PROMPTS) - v0
+- laravel/sanctum (SANCTUM) - v4
+- livewire/livewire (LIVEWIRE) - v4
+- laravel/mcp (MCP) - v0
+- laravel/pint (PINT) - v1
+- laravel/sail (SAIL) - v1
+- phpunit/phpunit (PHPUNIT) - v11
+- tailwindcss (TAILWINDCSS) - v4
+
+## Conventions
+- You must follow all existing code conventions used in this application. When creating or editing a file, check sibling files for the correct structure, approach, and naming.
+- Use descriptive names for variables and methods. For example, `isRegisteredForDiscounts`, not `discount()`.
+- Check for existing components to reuse before writing a new one.
+
+## Verification Scripts
+- Do not create verification scripts or tinker when tests cover that functionality and prove it works. Unit and feature tests are more important.
+
+## Application Structure & Architecture
+- Stick to existing directory structure; don't create new base folders without approval.
+- Do not change the application's dependencies without approval.
+
+## Frontend Bundling
+- If the user doesn't see a frontend change reflected in the UI, it could mean they need to run `npm run build`, `npm run dev`, or `composer run dev`. Ask them.
+
+## Replies
+- Be concise in your explanations - focus on what's important rather than explaining obvious details.
+
+## Documentation Files
+- You must only create documentation files if explicitly requested by the user.
+
+=== boost rules ===
+
+## Laravel Boost
+- Laravel Boost is an MCP server that comes with powerful tools designed specifically for this application. Use them.
+
+## Artisan
+- Use the `list-artisan-commands` tool when you need to call an Artisan command to double-check the available parameters.
+
+## URLs
+- Whenever you share a project URL with the user, you should use the `get-absolute-url` tool to ensure you're using the correct scheme, domain/IP, and port.
+
+## Tinker / Debugging
+- You should use the `tinker` tool when you need to execute PHP to debug code or query Eloquent models directly.
+- Use the `database-query` tool when you only need to read from the database.
+
+## Reading Browser Logs With the `browser-logs` Tool
+- You can read browser logs, errors, and exceptions using the `browser-logs` tool from Boost.
+- Only recent browser logs will be useful - ignore old logs.
+
+## Searching Documentation (Critically Important)
+- Boost comes with a powerful `search-docs` tool you should use before any other approaches when dealing with Laravel or Laravel ecosystem packages. This tool automatically passes a list of installed packages and their versions to the remote Boost API, so it returns only version-specific documentation for the user's circumstance. You should pass an array of packages to filter on if you know you need docs for particular packages.
+- The `search-docs` tool is perfect for all Laravel-related packages, including Laravel, Inertia, Livewire, Filament, Tailwind, Pest, Nova, Nightwatch, etc.
+- You must use this tool to search for Laravel ecosystem documentation before falling back to other approaches.
+- Search the documentation before making code changes to ensure we are taking the correct approach.
+- Use multiple, broad, simple, topic-based queries to start. For example: `['rate limiting', 'routing rate limiting', 'routing']`.
+- Do not add package names to queries; package information is already shared. For example, use `test resource table`, not `filament 4 test resource table`.
+
+### Available Search Syntax
+- You can and should pass multiple queries at once. The most relevant results will be returned first.
+
+1. Simple Word Searches with auto-stemming - query=authentication - finds 'authenticate' and 'auth'.
+2. Multiple Words (AND Logic) - query=rate limit - finds knowledge containing both "rate" AND "limit".
+3. Quoted Phrases (Exact Position) - query="infinite scroll" - words must be adjacent and in that order.
+4. Mixed Queries - query=middleware "rate limit" - "middleware" AND exact phrase "rate limit".
+5. Multiple Queries - queries=["authentication", "middleware"] - ANY of these terms.
+
+=== php rules ===
+
+## PHP
+
+- Always use strict typing at the head of a `.php` file: `declare(strict_types=1);`.
+- Always use curly braces for control structures, even if it has one line.
+
+### Constructors
+- Use PHP 8 constructor property promotion in `__construct()`.
+    - <code-snippet>public function __construct(public GitHub $github) { }</code-snippet>
+- Do not allow empty `__construct()` methods with zero parameters unless the constructor is private.
+
+### Type Declarations
+- Always use explicit return type declarations for methods and functions.
+- Use appropriate PHP type hints for method parameters.
+
+<code-snippet name="Explicit Return Types and Method Params" lang="php">
+protected function isAccessible(User $user, ?string $path = null): bool
+{
+    ...
+}
+</code-snippet>
+
+## Comments
+- Prefer PHPDoc blocks over inline comments. Never use comments within the code itself unless there is something very complex going on.
+
+## PHPDoc Blocks
+- Add useful array shape type definitions for arrays when appropriate.
+
+## Enums
+- Typically, keys in an Enum should be TitleCase. For example: `FavoritePerson`, `BestLake`, `Monthly`.
+
+=== tests rules ===
+
+## Test Enforcement
+
+- Every change must be programmatically tested. Write a new test or update an existing test, then run the affected tests to make sure they pass.
+- Run the minimum number of tests needed to ensure code quality and speed. Use `php artisan test --compact` with a specific filename or filter.
+
+=== laravel/core rules ===
+
+## Do Things the Laravel Way
+
+- Use `php artisan make:` commands to create new files (i.e. migrations, controllers, models, etc.). You can list available Artisan commands using the `list-artisan-commands` tool.
+- If you're creating a generic PHP class, use `php artisan make:class`.
+- Pass `--no-interaction` to all Artisan commands to ensure they work without user input. You should also pass the correct `--options` to ensure correct behavior.
+
+### Database
+- Always use proper Eloquent relationship methods with return type hints. Prefer relationship methods over raw queries or manual joins.
+- Use Eloquent models and relationships before suggesting raw database queries.
+- Avoid `DB::`; prefer `Model::query()`. Generate code that leverages Laravel's ORM capabilities rather than bypassing them.
+- Generate code that prevents N+1 query problems by using eager loading.
+- Use Laravel's query builder for very complex database operations.
+
+### Model Creation
+- When creating new models, create useful factories and seeders for them too. Ask the user if they need any other things, using `list-artisan-commands` to check the available options to `php artisan make:model`.
+
+### APIs & Eloquent Resources
+- For APIs, default to using Eloquent API Resources and API versioning unless existing API routes do not, then you should follow existing application convention.
+
+### Controllers & Validation
+- Always create Form Request classes for validation rather than inline validation in controllers. Include both validation rules and custom error messages.
+- Check sibling Form Requests to see if the application uses array or string based validation rules.
+
+### Queues
+- Use queued jobs for time-consuming operations with the `ShouldQueue` interface.
+
+### Authentication & Authorization
+- Use Laravel's built-in authentication and authorization features (gates, policies, Sanctum, etc.).
+
+### URL Generation
+- When generating links to other pages, prefer named routes and the `route()` function.
+
+### Configuration
+- Use environment variables only in configuration files - never use the `env()` function directly outside of config files. Always use `config('app.name')`, not `env('APP_NAME')`.
+
+### Testing
+- When creating models for tests, use the factories for the models. Check if the factory has custom states that can be used before manually setting up the model.
+- Faker: Use methods such as `$this->faker->word()` or `fake()->randomDigit()`. Follow existing conventions whether to use `$this->faker` or `fake()`.
+- When creating tests, make use of `php artisan make:test [options] {name}` to create a feature test, and pass `--unit` to create a unit test. Most tests should be feature tests.
+
+### Vite Error
+- If you receive an "Illuminate\Foundation\ViteException: Unable to locate file in Vite manifest" error, you can run `npm run build` or ask the user to run `npm run dev` or `composer run dev`.
+
+=== laravel/v12 rules ===
+
+## Laravel 12
+
+- Use the `search-docs` tool to get version-specific documentation.
+- Since Laravel 11, Laravel has a new streamlined file structure which this project uses.
+
+### Laravel 12 Structure
+- In Laravel 12, middleware are no longer registered in `app/Http/Kernel.php`.
+- Middleware are configured declaratively in `bootstrap/app.php` using `Application::configure()->withMiddleware()`.
+- `bootstrap/app.php` is the file to register middleware, exceptions, and routing files.
+- `bootstrap/providers.php` contains application specific service providers.
+- The `app\Console\Kernel.php` file no longer exists; use `bootstrap/app.php` or `routes/console.php` for console configuration.
+- Console commands in `app/Console/Commands/` are automatically available and do not require manual registration.
+
+### Database
+- When modifying a column, the migration must include all of the attributes that were previously defined on the column. Otherwise, they will be dropped and lost.
+- Laravel 12 allows limiting eagerly loaded records natively, without external packages: `$query->latest()->limit(10);`.
+
+### Models
+- Casts can and likely should be set in a `casts()` method on a model rather than the `$casts` property. Follow existing conventions from other models.
+
+=== livewire/core rules ===
+
+## Livewire
+
+- Use the `search-docs` tool to find exact version-specific documentation for how to write Livewire and Livewire tests.
+- Use the `php artisan make:livewire [Posts\CreatePost]` Artisan command to create new components.
+- State should live on the server, with the UI reflecting it.
+- All Livewire requests hit the Laravel backend; they're like regular HTTP requests. Always validate form data and run authorization checks in Livewire actions.
+
+## Livewire Best Practices
+- Livewire components require a single root element.
+- Use `wire:loading` and `wire:dirty` for delightful loading states.
+- Add `wire:key` in loops:
+
+    ```blade
+    @foreach ($items as $item)
+        <div wire:key="item-{{ $item->id }}">
+            {{ $item->name }}
+        </div>
+    @endforeach
+    ```
+
+- Prefer lifecycle hooks like `mount()`, `updatedFoo()` for initialization and reactive side effects:
+
+<code-snippet name="Lifecycle Hook Examples" lang="php">
+    public function mount(User $user) { $this->user = $user; }
+    public function updatedSearch() { $this->resetPage(); }
+</code-snippet>
+
+## Testing Livewire
+
+<code-snippet name="Example Livewire Component Test" lang="php">
+    Livewire::test(Counter::class)
+        ->assertSet('count', 0)
+        ->call('increment')
+        ->assertSet('count', 1)
+        ->assertSee(1)
+        ->assertStatus(200);
+</code-snippet>
+
+<code-snippet name="Testing Livewire Component Exists on Page" lang="php">
+    $this->get('/posts/create')
+    ->assertSeeLivewire(CreatePost::class);
+</code-snippet>
+
+=== pint/core rules ===
+
+## Laravel Pint Code Formatter
+
+- You must run `vendor/bin/pint --dirty` before finalizing changes to ensure your code matches the project's expected style.
+- Do not run `vendor/bin/pint --test`, simply run `vendor/bin/pint` to fix any formatting issues.
+
+=== phpunit/core rules ===
+
+## PHPUnit
+
+- This application uses PHPUnit for testing. All tests must be written as PHPUnit classes. Use `php artisan make:test --phpunit {name}` to create a new test.
+- If you see a test using "Pest", convert it to PHPUnit.
+- Every time a test has been updated, run that singular test.
+- When the tests relating to your feature are passing, ask the user if they would like to also run the entire test suite to make sure everything is still passing.
+- Tests should test all of the happy paths, failure paths, and weird paths.
+- You must not remove any tests or test files from the tests directory without approval. These are not temporary or helper files; these are core to the application.
+
+### Running Tests
+- Run the minimal number of tests, using an appropriate filter, before finalizing.
+- To run all tests: `php artisan test --compact`.
+- To run all tests in a file: `php artisan test --compact tests/Feature/ExampleTest.php`.
+- To filter on a particular test name: `php artisan test --compact --filter=testName` (recommended after making a change to a related file).
+
+=== tailwindcss/core rules ===
+
+## Tailwind CSS
+
+- Use Tailwind CSS classes to style HTML; check and use existing Tailwind conventions within the project before writing your own.
+- Offer to extract repeated patterns into components that match the project's conventions (i.e. Blade, JSX, Vue, etc.).
+- Think through class placement, order, priority, and defaults. Remove redundant classes, add classes to parent or child carefully to limit repetition, and group elements logically.
+- You can use the `search-docs` tool to get exact examples from the official documentation when needed.
+
+### Spacing
+- When listing items, use gap utilities for spacing; don't use margins.
+
+<code-snippet name="Valid Flex Gap Spacing Example" lang="html">
+    <div class="flex gap-8">
+        <div>Superior</div>
+        <div>Michigan</div>
+        <div>Erie</div>
+    </div>
+</code-snippet>
+
+### Dark Mode
+- If existing pages and components support dark mode, new pages and components must support dark mode in a similar way, typically using `dark:`.
+
+=== tailwindcss/v4 rules ===
+
+## Tailwind CSS 4
+
+- Always use Tailwind CSS v4; do not use the deprecated utilities.
+- `corePlugins` is not supported in Tailwind v4.
+- In Tailwind v4, configuration is CSS-first using the `@theme` directive — no separate `tailwind.config.js` file is needed.
+
+<code-snippet name="Extending Theme in CSS" lang="css">
+@theme {
+  --color-brand: oklch(0.72 0.11 178);
+}
+</code-snippet>
+
+- In Tailwind v4, you import Tailwind using a regular CSS `@import` statement, not using the `@tailwind` directives used in v3:
+
+<code-snippet name="Tailwind v4 Import Tailwind Diff" lang="diff">
+   - @tailwind base;
+   - @tailwind components;
+   - @tailwind utilities;
+   + @import "tailwindcss";
+</code-snippet>
+
+### Replaced Utilities
+- Tailwind v4 removed deprecated utilities. Do not use the deprecated option; use the replacement.
+- Opacity values are still numeric.
+
+| Deprecated |	Replacement |
+|------------+--------------|
+| bg-opacity-* | bg-black/* |
+| text-opacity-* | text-black/* |
+| border-opacity-* | border-black/* |
+| divide-opacity-* | divide-black/* |
+| ring-opacity-* | ring-black/* |
+| placeholder-opacity-* | placeholder-black/* |
+| flex-shrink-* | shrink-* |
+| flex-grow-* | grow-* |
+| overflow-ellipsis | text-ellipsis |
+| decoration-slice | box-decoration-slice |
+| decoration-clone | box-decoration-clone |
+
+=== filament/blueprint rules ===
+
+## Filament Blueprint
+
+You are writing Filament v5 implementation plans. Plans must be specific enough
+that an implementing agent can write code without making decisions.
+
+**Start here**: Read
+`/vendor/filament/blueprint/resources/markdown/planning/overview.md` for plan format,
+required sections, and what to clarify with the user before planning.
+
+### Filament v5 Key Namespaces
+
+| Element        | Namespace Pattern                         |
+| -------------- | ----------------------------------------- |
+| Form fields    | `Filament\Forms\Components\{Component}`   |
+| Table columns  | `Filament\Tables\Columns\{Column}`        |
+| Table filters  | `Filament\Tables\Filters\{Filter}`        |
+| Actions        | `Filament\Actions\{Action}`               |
+| Infolist       | `Filament\Infolists\Components\{Entry}`   |
+| Layout         | `Filament\Schemas\Components\{Component}` |
+| Reactive utils | `Filament\Schemas\Components\Utilities\*` |
+
+### Blueprint Planning Files
+
+When creating Filament implementation plans, reference these files:
+
+| File                 | Purpose                                |
+| -------------------- | -------------------------------------- |
+| overview.md          | Plan structure and required sections   |
+| models.md            | Model attributes, relationships, enums |
+| resources.md         | Resource specification format          |
+| custom-pages.md      | Standalone pages and resource pages    |
+| forms.md             | Form field components and validation   |
+| tables.md            | Table columns, filters, summarizers    |
+| infolists.md         | Infolist entries for View pages        |
+| schema-layouts.md    | Layout components (Section, Tabs, etc) |
+| relationships.md     | Relationship handling decisions        |
+| actions.md           | Custom actions with modals             |
+| reactive-fields.md   | Reactive fields (Get/Set)              |
+| authorization.md     | Policies and permissions               |
+| widgets.md           | Dashboard widgets                      |
+| testing.md           | Test specifications                    |
+| checklist.md         | Pre-submission checklist               |
+
+Files located at: `/vendor/filament/blueprint/resources/markdown/planning/`
+
+</laravel-boost-guidelines>
diff --git a/README.md b/README.md
index 1af758e..59bfcaa 100644
--- a/README.md
+++ b/README.md
@@ -5,7 +5,7 @@
 
 A modern web hosting control panel for WordPress and general PHP hosting. Built with Laravel 12, Filament v5, Livewire 4, and Tailwind CSS v4.
 
-Version: 0.9-rc2 (release candidate)
+Version: 0.9-rc8 (release candidate)
 
 This is a release candidate. Expect rapid iteration and breaking changes until 1.0.
 
diff --git a/VERSION b/VERSION
index 1afc6e8..2e30def 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-VERSION=0.9-rc5
+VERSION=0.9-rc8
diff --git a/app/Console/Commands/CollectUserUsage.php b/app/Console/Commands/CollectUserUsage.php
new file mode 100644
index 0000000..a8dd30f
--- /dev/null
+++ b/app/Console/Commands/CollectUserUsage.php
@@ -0,0 +1,158 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Console\Commands;
+
+use App\Models\Mailbox;
+use App\Models\User;
+use App\Models\UserResourceUsage;
+use App\Models\UserSetting;
+use App\Services\Agent\AgentClient;
+use Exception;
+use Illuminate\Console\Command;
+
+class CollectUserUsage extends Command
+{
+    protected $signature = 'jabali:collect-user-usage {--user=} {--retain=90}';
+
+    protected $description = 'Collect per-user resource usage snapshots';
+
+    public function handle(): int
+    {
+        $users = User::query()
+            ->where('is_admin', false)
+            ->where('is_active', true);
+
+        $userFilter = $this->option('user');
+        if ($userFilter) {
+            $users->where(function ($query) use ($userFilter) {
+                $query->where('id', $userFilter)
+                    ->orWhere('username', $userFilter);
+            });
+        }
+
+        $users = $users->get();
+        if ($users->isEmpty()) {
+            $this->info('No users found for usage collection.');
+
+            return 0;
+        }
+
+        $agent = new AgentClient;
+        $capturedAt = now();
+
+        foreach ($users as $user) {
+            $diskBytes = $user->getDiskUsageBytes();
+            $mailBytes = (int) Mailbox::where('user_id', $user->id)->sum('quota_used_bytes');
+            $dbBytes = $this->getDatabaseUsage($agent, $user);
+            $bandwidthTotal = $this->getBandwidthTotal($agent, $user);
+            $resourceStats = $this->getUserResourceStats($agent, $user);
+            $cpuPercent = (int) round($resourceStats['cpu_percent'] ?? 0);
+            $memoryBytes = (int) ($resourceStats['memory_bytes'] ?? 0);
+            $diskIoTotal = (int) ($resourceStats['disk_io_total_bytes'] ?? 0);
+            $lastBandwidthTotal = (int) UserSetting::getForUser($user->id, 'bandwidth_total_bytes', 0);
+            $lastDiskIoTotal = (int) UserSetting::getForUser($user->id, 'disk_io_total_bytes', 0);
+            $bandwidthDelta = $bandwidthTotal >= $lastBandwidthTotal
+                ? $bandwidthTotal - $lastBandwidthTotal
+                : $bandwidthTotal;
+            $diskIoDelta = $diskIoTotal >= $lastDiskIoTotal
+                ? $diskIoTotal - $lastDiskIoTotal
+                : $diskIoTotal;
+
+            $this->storeMetric($user->id, 'disk_bytes', $diskBytes, $capturedAt);
+            $this->storeMetric($user->id, 'mail_bytes', $mailBytes, $capturedAt);
+            $this->storeMetric($user->id, 'database_bytes', $dbBytes, $capturedAt);
+            $this->storeMetric($user->id, 'bandwidth_bytes', $bandwidthDelta, $capturedAt);
+            $this->storeMetric($user->id, 'cpu_percent', $cpuPercent, $capturedAt);
+            $this->storeMetric($user->id, 'memory_bytes', $memoryBytes, $capturedAt);
+            $this->storeMetric($user->id, 'disk_io_bytes', $diskIoDelta, $capturedAt);
+
+            UserSetting::setForUser($user->id, 'bandwidth_total_bytes', $bandwidthTotal);
+            UserSetting::setForUser($user->id, 'disk_io_total_bytes', $diskIoTotal);
+
+            $this->line("Collected usage for {$user->username}");
+        }
+
+        $retainDays = (int) $this->option('retain');
+        if ($retainDays > 0) {
+            UserResourceUsage::where('captured_at', '<', now()->subDays($retainDays))->delete();
+        }
+
+        return 0;
+    }
+
+    protected function getDatabaseUsage(AgentClient $agent, User $user): int
+    {
+        try {
+            $result = $agent->mysqlListDatabases($user->username);
+            $databases = $result['databases'] ?? [];
+            $total = 0;
+
+            foreach ($databases as $database) {
+                $total += (int) ($database['size_bytes'] ?? 0);
+            }
+
+            return $total;
+        } catch (Exception $e) {
+            $this->warn("Failed to fetch database usage for {$user->username}: {$e->getMessage()}");
+        }
+
+        return 0;
+    }
+
+    protected function getBandwidthTotal(AgentClient $agent, User $user): int
+    {
+        try {
+            $result = $agent->send('usage.bandwidth_total', [
+                'username' => $user->username,
+            ]);
+
+            if ($result['success'] ?? false) {
+                return (int) ($result['total_bytes'] ?? 0);
+            }
+        } catch (Exception $e) {
+            $this->warn("Failed to fetch bandwidth usage for {$user->username}: {$e->getMessage()}");
+        }
+
+        return 0;
+    }
+
+    /**
+     * @return array{cpu_percent: float, memory_bytes: int, disk_io_total_bytes: int}
+     */
+    protected function getUserResourceStats(AgentClient $agent, User $user): array
+    {
+        try {
+            $result = $agent->send('usage.user_resources', [
+                'username' => $user->username,
+            ]);
+
+            if ($result['success'] ?? false) {
+                return [
+                    'cpu_percent' => (float) ($result['cpu_percent'] ?? 0),
+                    'memory_bytes' => (int) ($result['memory_bytes'] ?? 0),
+                    'disk_io_total_bytes' => (int) ($result['disk_io_total_bytes'] ?? 0),
+                ];
+            }
+        } catch (Exception $e) {
+            $this->warn("Failed to fetch CPU/memory/disk IO for {$user->username}: {$e->getMessage()}");
+        }
+
+        return [
+            'cpu_percent' => 0.0,
+            'memory_bytes' => 0,
+            'disk_io_total_bytes' => 0,
+        ];
+    }
+
+    protected function storeMetric(int $userId, string $metric, int $value, $capturedAt): void
+    {
+        UserResourceUsage::create([
+            'user_id' => $userId,
+            'metric' => $metric,
+            'value' => max(0, $value),
+            'captured_at' => $capturedAt,
+        ]);
+    }
+}
diff --git a/app/Filament/Admin/Pages/AutomationApi.php b/app/Filament/Admin/Pages/AutomationApi.php
new file mode 100644
index 0000000..55e50a5
--- /dev/null
+++ b/app/Filament/Admin/Pages/AutomationApi.php
@@ -0,0 +1,152 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Pages;
+
+use BackedEnum;
+use Filament\Actions\Action;
+use Filament\Actions\Concerns\InteractsWithActions;
+use Filament\Actions\Contracts\HasActions;
+use Filament\Forms\Components\CheckboxList;
+use Filament\Forms\Components\TextInput;
+use Filament\Notifications\Notification;
+use Filament\Pages\Page;
+use Filament\Support\Icons\Heroicon;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Concerns\InteractsWithTable;
+use Filament\Tables\Contracts\HasTable;
+use Filament\Tables\Table;
+use Illuminate\Contracts\Support\Htmlable;
+use Illuminate\Support\Facades\Auth;
+
+class AutomationApi extends Page implements HasActions, HasTable
+{
+    use InteractsWithActions;
+    use InteractsWithTable;
+
+    protected static string|BackedEnum|null $navigationIcon = Heroicon::OutlinedKey;
+
+    protected static ?int $navigationSort = 17;
+
+    protected static ?string $slug = 'automation-api';
+
+    protected string $view = 'filament.admin.pages.automation-api';
+
+    public array $tokens = [];
+
+    public ?string $plainToken = null;
+
+    public function getTitle(): string|Htmlable
+    {
+        return __('API for Automation');
+    }
+
+    public static function getNavigationLabel(): string
+    {
+        return __('API Access');
+    }
+
+    public function mount(): void
+    {
+        $this->loadTokens();
+    }
+
+    protected function loadTokens(): void
+    {
+        $user = Auth::user();
+        if (! $user) {
+            $this->tokens = [];
+
+            return;
+        }
+
+        $this->tokens = $user->tokens()
+            ->orderByDesc('created_at')
+            ->get()
+            ->map(function ($token) {
+                return [
+                    'id' => $token->id,
+                    'name' => $token->name,
+                    'abilities' => implode(', ', $token->abilities ?? []),
+                    'last_used_at' => $token->last_used_at?->format('Y-m-d H:i') ?? __('Never'),
+                    'created_at' => $token->created_at?->format('Y-m-d H:i') ?? '',
+                ];
+            })
+            ->toArray();
+
+        $this->resetTable();
+    }
+
+    public function table(Table $table): Table
+    {
+        return $table
+            ->records(fn () => $this->tokens)
+            ->columns([
+                TextColumn::make('name')
+                    ->label(__('Token')),
+                TextColumn::make('abilities')
+                    ->label(__('Abilities'))
+                    ->wrap(),
+                TextColumn::make('last_used_at')
+                    ->label(__('Last Used')),
+                TextColumn::make('created_at')
+                    ->label(__('Created')),
+            ])
+            ->recordActions([
+                Action::make('revoke')
+                    ->label(__('Revoke'))
+                    ->icon('heroicon-o-trash')
+                    ->color('danger')
+                    ->requiresConfirmation()
+                    ->action(function (array $record): void {
+                        $user = Auth::user();
+                        if (! $user) {
+                            return;
+                        }
+                        $user->tokens()->where('id', $record['id'])->delete();
+                        Notification::make()->title(__('Token revoked'))->success()->send();
+                        $this->loadTokens();
+                    }),
+            ])
+            ->headerActions([
+                Action::make('createToken')
+                    ->label(__('Create Token'))
+                    ->icon('heroicon-o-plus-circle')
+                    ->color('primary')
+                    ->modalHeading(__('Create API Token'))
+                    ->form([
+                        TextInput::make('name')
+                            ->label(__('Token Name'))
+                            ->required(),
+                        CheckboxList::make('abilities')
+                            ->label(__('Abilities'))
+                            ->options([
+                                'automation' => __('Automation API'),
+                                'read' => __('Read Only'),
+                                'write' => __('Write'),
+                            ])
+                            ->columns(2)
+                            ->default(['automation']),
+                    ])
+                    ->action(function (array $data): void {
+                        $user = Auth::user();
+                        if (! $user) {
+                            return;
+                        }
+
+                        $abilities = $data['abilities'] ?? ['automation'];
+                        if (empty($abilities)) {
+                            $abilities = ['automation'];
+                        }
+
+                        $token = $user->createToken($data['name'], $abilities);
+                        $this->plainToken = $token->plainTextToken;
+                        Notification::make()->title(__('Token created'))->success()->send();
+                        $this->loadTokens();
+                    }),
+            ])
+            ->emptyStateHeading(__('No API tokens yet'))
+            ->emptyStateDescription(__('Create a token to access the automation API.'));
+    }
+}
diff --git a/app/Filament/Admin/Pages/DatabaseTuning.php b/app/Filament/Admin/Pages/DatabaseTuning.php
new file mode 100644
index 0000000..26a13b4
--- /dev/null
+++ b/app/Filament/Admin/Pages/DatabaseTuning.php
@@ -0,0 +1,135 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Pages;
+
+use App\Services\Agent\AgentClient;
+use BackedEnum;
+use Filament\Actions\Action;
+use Filament\Actions\Concerns\InteractsWithActions;
+use Filament\Actions\Contracts\HasActions;
+use Filament\Forms\Components\TextInput;
+use Filament\Notifications\Notification;
+use Filament\Pages\Page;
+use Filament\Support\Icons\Heroicon;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Concerns\InteractsWithTable;
+use Filament\Tables\Contracts\HasTable;
+use Filament\Tables\Table;
+use Illuminate\Contracts\Support\Htmlable;
+use Illuminate\Support\Facades\DB;
+
+class DatabaseTuning extends Page implements HasActions, HasTable
+{
+    use InteractsWithActions;
+    use InteractsWithTable;
+
+    protected static string|BackedEnum|null $navigationIcon = Heroicon::OutlinedCircleStack;
+
+    protected static ?int $navigationSort = 19;
+
+    protected static ?string $slug = 'database-tuning';
+
+    protected string $view = 'filament.admin.pages.database-tuning';
+
+    public array $variables = [];
+
+    public function getTitle(): string|Htmlable
+    {
+        return __('Database Tuning');
+    }
+
+    public static function getNavigationLabel(): string
+    {
+        return __('Database Tuning');
+    }
+
+    public function mount(): void
+    {
+        $this->loadVariables();
+    }
+
+    public function loadVariables(): void
+    {
+        $names = [
+            'innodb_buffer_pool_size',
+            'max_connections',
+            'tmp_table_size',
+            'max_heap_table_size',
+            'innodb_log_file_size',
+            'innodb_flush_log_at_trx_commit',
+        ];
+
+        try {
+            $placeholders = implode("','", $names);
+            $rows = DB::connection('mysql')->select("SHOW VARIABLES WHERE Variable_name IN ('$placeholders')");
+
+            $this->variables = collect($rows)->map(function ($row) {
+                return [
+                    'name' => $row->Variable_name,
+                    'value' => $row->Value,
+                ];
+            })->toArray();
+        } catch (\Exception $e) {
+            $this->variables = [];
+            Notification::make()
+                ->title(__('Unable to load MySQL variables'))
+                ->body($e->getMessage())
+                ->warning()
+                ->send();
+        }
+
+        $this->resetTable();
+    }
+
+    public function table(Table $table): Table
+    {
+        return $table
+            ->records(fn () => $this->variables)
+            ->columns([
+                TextColumn::make('name')
+                    ->label(__('Variable'))
+                    ->fontFamily('mono'),
+                TextColumn::make('value')
+                    ->label(__('Current Value'))
+                    ->fontFamily('mono'),
+            ])
+            ->recordActions([
+                Action::make('update')
+                    ->label(__('Update'))
+                    ->icon('heroicon-o-pencil-square')
+                    ->form([
+                        TextInput::make('value')
+                            ->label(__('New Value'))
+                            ->required(),
+                    ])
+                    ->action(function (array $record, array $data): void {
+                        try {
+                            DB::connection('mysql')->statement('SET GLOBAL '.$record['name'].' = ?', [$data['value']]);
+                            try {
+                                $agent = new AgentClient;
+                                $agent->databasePersistTuning($record['name'], (string) $data['value']);
+
+                                Notification::make()
+                                    ->title(__('Variable updated'))
+                                    ->success()
+                                    ->send();
+                            } catch (\Exception $e) {
+                                Notification::make()
+                                    ->title(__('Variable updated, but not persisted'))
+                                    ->body($e->getMessage())
+                                    ->warning()
+                                    ->send();
+                            }
+                        } catch (\Exception $e) {
+                            Notification::make()->title(__('Update failed'))->body($e->getMessage())->danger()->send();
+                        }
+
+                        $this->loadVariables();
+                    }),
+            ])
+            ->emptyStateHeading(__('No variables found'))
+            ->emptyStateDescription(__('Database variables could not be loaded.'));
+    }
+}
diff --git a/app/Filament/Admin/Pages/EmailQueue.php b/app/Filament/Admin/Pages/EmailQueue.php
new file mode 100644
index 0000000..39cca5e
--- /dev/null
+++ b/app/Filament/Admin/Pages/EmailQueue.php
@@ -0,0 +1,156 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Pages;
+
+use App\Services\Agent\AgentClient;
+use BackedEnum;
+use Filament\Actions\Action;
+use Filament\Actions\Concerns\InteractsWithActions;
+use Filament\Actions\Contracts\HasActions;
+use Filament\Notifications\Notification;
+use Filament\Pages\Page;
+use Filament\Support\Icons\Heroicon;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Concerns\InteractsWithTable;
+use Filament\Tables\Contracts\HasTable;
+use Filament\Tables\Table;
+use Illuminate\Contracts\Support\Htmlable;
+
+class EmailQueue extends Page implements HasActions, HasTable
+{
+    use InteractsWithActions;
+    use InteractsWithTable;
+
+    protected static string|BackedEnum|null $navigationIcon = Heroicon::OutlinedQueueList;
+
+    protected static ?int $navigationSort = 15;
+
+    protected static ?string $slug = 'email-queue';
+
+    protected string $view = 'filament.admin.pages.email-queue';
+
+    public array $queueItems = [];
+
+    protected ?AgentClient $agent = null;
+
+    public function getTitle(): string|Htmlable
+    {
+        return __('Email Queue Manager');
+    }
+
+    public static function getNavigationLabel(): string
+    {
+        return __('Email Queue');
+    }
+
+    public function mount(): void
+    {
+        $this->loadQueue();
+    }
+
+    protected function getAgent(): AgentClient
+    {
+        return $this->agent ??= new AgentClient;
+    }
+
+    public function loadQueue(): void
+    {
+        try {
+            $result = $this->getAgent()->send('mail.queue_list');
+            $this->queueItems = $result['queue'] ?? [];
+        } catch (\Exception $e) {
+            $this->queueItems = [];
+            Notification::make()
+                ->title(__('Failed to load mail queue'))
+                ->body($e->getMessage())
+                ->danger()
+                ->send();
+        }
+
+        $this->resetTable();
+    }
+
+    public function table(Table $table): Table
+    {
+        return $table
+            ->records(fn () => $this->queueItems)
+            ->columns([
+                TextColumn::make('id')
+                    ->label(__('Queue ID'))
+                    ->fontFamily('mono')
+                    ->copyable(),
+                TextColumn::make('arrival')
+                    ->label(__('Arrival')),
+                TextColumn::make('sender')
+                    ->label(__('Sender'))
+                    ->wrap()
+                    ->searchable(),
+                TextColumn::make('recipients')
+                    ->label(__('Recipients'))
+                    ->formatStateUsing(function (array $record): string {
+                        $recipients = $record['recipients'] ?? [];
+                        if (empty($recipients)) {
+                            return __('Unknown');
+                        }
+                        $first = $recipients[0] ?? '';
+                        $count = count($recipients);
+
+                        return $count > 1 ? $first.' +'.($count - 1) : $first;
+                    })
+                    ->wrap(),
+                TextColumn::make('size')
+                    ->label(__('Size'))
+                    ->formatStateUsing(fn (array $record): string => $record['size'] ?? ''),
+                TextColumn::make('status')
+                    ->label(__('Status'))
+                    ->wrap(),
+            ])
+            ->recordActions([
+                Action::make('retry')
+                    ->label(__('Retry'))
+                    ->icon('heroicon-o-arrow-path')
+                    ->color('info')
+                    ->action(function (array $record): void {
+                        try {
+                            $result = $this->getAgent()->send('mail.queue_retry', ['id' => $record['id'] ?? '']);
+                            if ($result['success'] ?? false) {
+                                Notification::make()->title(__('Message retried'))->success()->send();
+                                $this->loadQueue();
+                            } else {
+                                throw new \Exception($result['error'] ?? __('Failed to retry message'));
+                            }
+                        } catch (\Exception $e) {
+                            Notification::make()->title(__('Retry failed'))->body($e->getMessage())->danger()->send();
+                        }
+                    }),
+                Action::make('delete')
+                    ->label(__('Delete'))
+                    ->icon('heroicon-o-trash')
+                    ->color('danger')
+                    ->requiresConfirmation()
+                    ->action(function (array $record): void {
+                        try {
+                            $result = $this->getAgent()->send('mail.queue_delete', ['id' => $record['id'] ?? '']);
+                            if ($result['success'] ?? false) {
+                                Notification::make()->title(__('Message deleted'))->success()->send();
+                                $this->loadQueue();
+                            } else {
+                                throw new \Exception($result['error'] ?? __('Failed to delete message'));
+                            }
+                        } catch (\Exception $e) {
+                            Notification::make()->title(__('Delete failed'))->body($e->getMessage())->danger()->send();
+                        }
+                    }),
+            ])
+            ->emptyStateHeading(__('Mail queue is empty'))
+            ->emptyStateDescription(__('No deferred messages found.'))
+            ->headerActions([
+                Action::make('refresh')
+                    ->label(__('Refresh'))
+                    ->icon('heroicon-o-arrow-path')
+                    ->action(fn () => $this->loadQueue()),
+            ]);
+    }
+}
diff --git a/app/Filament/Admin/Pages/ResourceUsage.php b/app/Filament/Admin/Pages/ResourceUsage.php
new file mode 100644
index 0000000..5ed2f65
--- /dev/null
+++ b/app/Filament/Admin/Pages/ResourceUsage.php
@@ -0,0 +1,257 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Pages;
+
+use App\Models\User;
+use App\Models\UserResourceUsage;
+use BackedEnum;
+use Filament\Forms\Components\Select;
+use Filament\Forms\Concerns\InteractsWithForms;
+use Filament\Forms\Contracts\HasForms;
+use Filament\Pages\Page;
+use Filament\Schemas\Components\Section;
+use Filament\Schemas\Schema;
+use Filament\Support\Icons\Heroicon;
+use Illuminate\Contracts\Support\Htmlable;
+
+class ResourceUsage extends Page implements HasForms
+{
+    use InteractsWithForms;
+
+    protected static string|BackedEnum|null $navigationIcon = Heroicon::OutlinedChartBar;
+
+    protected static ?int $navigationSort = 14;
+
+    protected static ?string $slug = 'resource-usage';
+
+    protected string $view = 'filament.admin.pages.resource-usage';
+
+    public array $usageFormData = [];
+
+    public array $chartData = [];
+
+    public array $performanceChartData = [];
+
+    public bool $hasPerformanceData = false;
+
+    public ?int $cpuLimitPercent = null;
+
+    public ?float $memoryLimitGb = null;
+
+    public array $cpuStats = [];
+
+    public array $memoryStats = [];
+
+    public array $summary = [];
+
+    public function getTitle(): string|Htmlable
+    {
+        return __('Resource Usage Reports');
+    }
+
+    public static function getNavigationLabel(): string
+    {
+        return __('Resource Usage');
+    }
+
+    public function mount(): void
+    {
+        $defaultUser = User::query()->where('is_admin', false)->orderBy('name')->first();
+        $this->usageFormData = [
+            'user_id' => $defaultUser?->id,
+        ];
+
+        $this->loadUsage();
+    }
+
+    protected function getForms(): array
+    {
+        return ['usageForm'];
+    }
+
+    public function usageForm(Schema $schema): Schema
+    {
+        return $schema
+            ->statePath('usageFormData')
+            ->schema([
+                Section::make(__('Filters'))
+                    ->schema([
+                        Select::make('user_id')
+                            ->label(__('User'))
+                            ->options($this->getUserOptions())
+                            ->searchable()
+                            ->preload()
+                            ->live()
+                            ->afterStateUpdated(function () {
+                                $this->loadUsage();
+                            })
+                            ->required(),
+                    ])
+                    ->columns(1),
+            ]);
+    }
+
+    protected function getUserOptions(): array
+    {
+        return User::query()
+            ->where('is_admin', false)
+            ->orderBy('name')
+            ->pluck('name', 'id')
+            ->toArray();
+    }
+
+    protected function loadUsage(): void
+    {
+        $userId = $this->usageFormData['user_id'] ?? null;
+        $userId = $userId ? (int) $userId : null;
+        if (! $userId) {
+            $this->chartData = [];
+            $this->summary = [];
+
+            return;
+        }
+
+        $user = User::query()->with('hostingPackage')->find($userId);
+        $package = $user?->hostingPackage;
+        $this->cpuLimitPercent = $package?->cpu_limit_percent ?: null;
+        $memoryLimitMb = $package?->memory_limit_mb ?: null;
+        $this->memoryLimitGb = $memoryLimitMb ? $this->bytesToGb((int) ($memoryLimitMb * 1024 * 1024)) : null;
+
+        $usageMetrics = ['disk_bytes', 'mail_bytes', 'database_bytes', 'bandwidth_bytes'];
+        $performanceMetrics = ['cpu_percent', 'memory_bytes', 'disk_io_bytes'];
+        $metrics = array_merge($usageMetrics, $performanceMetrics);
+        $start = now()->subDays(30);
+
+        $records = UserResourceUsage::query()
+            ->where('user_id', $userId)
+            ->whereIn('metric', $metrics)
+            ->where('captured_at', '>=', $start)
+            ->orderBy('captured_at')
+            ->get();
+
+        $labels = $records
+            ->map(fn ($record) => $record->captured_at->format('Y-m-d H:00'))
+            ->unique()
+            ->values();
+
+        $grouped = $records->groupBy('metric')->map(function ($collection) {
+            return $collection->keyBy(fn ($item) => $item->captured_at->format('Y-m-d H:00'));
+        });
+
+        $series = [];
+        foreach ($usageMetrics as $metric) {
+            $series[$metric] = [];
+            foreach ($labels as $label) {
+                $value = $grouped[$metric][$label]->value ?? 0;
+                $series[$metric][] = $this->bytesToGb((int) $value);
+            }
+        }
+
+        $this->chartData = [
+            'labels' => $labels->toArray(),
+            'disk' => $series['disk_bytes'],
+            'mail' => $series['mail_bytes'],
+            'database' => $series['database_bytes'],
+            'bandwidth' => $series['bandwidth_bytes'],
+        ];
+
+        $performanceSeries = [];
+        foreach ($performanceMetrics as $metric) {
+            $performanceSeries[$metric] = [];
+            foreach ($labels as $label) {
+                $value = $grouped[$metric][$label]->value ?? 0;
+                if ($metric === 'cpu_percent') {
+                    $performanceSeries[$metric][] = (int) $value;
+                } elseif ($metric === 'memory_bytes') {
+                    $performanceSeries[$metric][] = $this->bytesToGb((int) $value);
+                } else {
+                    $performanceSeries[$metric][] = $this->bytesToMb((int) $value);
+                }
+            }
+        }
+
+        $performanceRecords = $records->whereIn('metric', $performanceMetrics);
+        $this->hasPerformanceData = $performanceRecords->isNotEmpty();
+        $this->performanceChartData = [
+            'labels' => $labels->toArray(),
+            'cpu' => $performanceSeries['cpu_percent'],
+            'memory' => $performanceSeries['memory_bytes'],
+            'disk_io' => $performanceSeries['disk_io_bytes'],
+        ];
+
+        $this->cpuStats = $this->buildPercentageStats($performanceRecords->where('metric', 'cpu_percent')->pluck('value'));
+        $this->memoryStats = $this->buildBytesStats($performanceRecords->where('metric', 'memory_bytes')->pluck('value'));
+
+        $this->summary = [
+            'disk' => $this->formatMetric($userId, 'disk_bytes'),
+            'mail' => $this->formatMetric($userId, 'mail_bytes'),
+            'database' => $this->formatMetric($userId, 'database_bytes'),
+            'bandwidth' => $this->formatMetric($userId, 'bandwidth_bytes'),
+        ];
+    }
+
+    protected function formatMetric(int $userId, string $metric): string
+    {
+        $latest = UserResourceUsage::query()
+            ->where('user_id', $userId)
+            ->where('metric', $metric)
+            ->latest('captured_at')
+            ->value('value');
+
+        if ($latest === null) {
+            return __('No data');
+        }
+
+        return number_format($this->bytesToGb((int) $latest), 2).' GB';
+    }
+
+    protected function bytesToGb(int $bytes): float
+    {
+        return round($bytes / 1024 / 1024 / 1024, 4);
+    }
+
+    protected function bytesToMb(int $bytes): float
+    {
+        return round($bytes / 1024 / 1024, 2);
+    }
+
+    /**
+     * @param  \Illuminate\Support\Collection<int, int|float>  $values
+     * @return array{avg: ?string, max: ?string}
+     */
+    protected function buildPercentageStats($values): array
+    {
+        if ($values->isEmpty()) {
+            return [
+                'avg' => null,
+                'max' => null,
+            ];
+        }
+
+        return [
+            'avg' => number_format((float) $values->avg(), 1).'%',
+            'max' => number_format((float) $values->max(), 1).'%',
+        ];
+    }
+
+    /**
+     * @param  \Illuminate\Support\Collection<int, int|float>  $values
+     * @return array{avg: ?string, max: ?string}
+     */
+    protected function buildBytesStats($values): array
+    {
+        if ($values->isEmpty()) {
+            return [
+                'avg' => null,
+                'max' => null,
+            ];
+        }
+
+        return [
+            'avg' => number_format($this->bytesToGb((int) $values->avg()), 2).' GB',
+            'max' => number_format($this->bytesToGb((int) $values->max()), 2).' GB',
+        ];
+    }
+}
diff --git a/app/Filament/Admin/Pages/Security.php b/app/Filament/Admin/Pages/Security.php
index 921cb83..085c0d0 100644
--- a/app/Filament/Admin/Pages/Security.php
+++ b/app/Filament/Admin/Pages/Security.php
@@ -5,6 +5,7 @@ declare(strict_types=1);
 namespace App\Filament\Admin\Pages;
 
 use App\Filament\Admin\Widgets\Security\BannedIpsTable;
+use App\Filament\Admin\Widgets\Security\Fail2banLogsTable;
 use App\Filament\Admin\Widgets\Security\JailsTable;
 use App\Filament\Admin\Widgets\Security\LynisResultsTable;
 use App\Filament\Admin\Widgets\Security\NiktoResultsTable;
@@ -90,6 +91,8 @@ class Security extends Page implements HasActions, HasForms, HasTable
 
     public ?int $totalBanned = null;
 
+    public array $fail2banLogs = [];
+
     public int $maxRetry = 5;
 
     public int $banTime = 600;
@@ -545,6 +548,12 @@ class Security extends Page implements HasActions, HasForms, HasTable
                         EmbeddedTable::make(BannedIpsTable::class, ['jails' => $this->jails]),
                     ])
                     ->visible(fn () => ($this->totalBanned ?? 0) > 0),
+                Section::make(__('Fail2ban Logs'))
+                    ->icon('heroicon-o-document-text')
+                    ->schema([
+                        EmbeddedTable::make(Fail2banLogsTable::class, ['logs' => $this->fail2banLogs]),
+                    ])
+                    ->collapsible(),
             ])->visible(fn () => $this->fail2banInstalled),
         ];
     }
@@ -1012,6 +1021,7 @@ class Security extends Page implements HasActions, HasForms, HasTable
             $this->jails = [];
             $this->availableJails = [];
             $this->totalBanned = null;
+            $this->fail2banLogs = [];
         } catch (Exception $e) {
             $this->fail2banInstalled = false;
             $this->fail2banRunning = false;
@@ -1019,6 +1029,7 @@ class Security extends Page implements HasActions, HasForms, HasTable
             $this->jails = [];
             $this->availableJails = [];
             $this->totalBanned = null;
+            $this->fail2banLogs = [];
         }
     }
 
@@ -1039,12 +1050,16 @@ class Security extends Page implements HasActions, HasForms, HasTable
 
                 $jailsResult = $this->getAgent()->send('fail2ban.list_jails');
                 $this->availableJails = $jailsResult['jails'] ?? [];
+
+                $logsResult = $this->getAgent()->send('fail2ban.logs');
+                $this->fail2banLogs = $logsResult['logs'] ?? [];
             } else {
                 $this->fail2banRunning = false;
                 $this->fail2banVersion = '';
                 $this->jails = [];
                 $this->availableJails = [];
                 $this->totalBanned = null;
+                $this->fail2banLogs = [];
             }
         } catch (Exception $e) {
             $this->fail2banInstalled = false;
@@ -1053,6 +1068,7 @@ class Security extends Page implements HasActions, HasForms, HasTable
             $this->jails = [];
             $this->availableJails = [];
             $this->totalBanned = null;
+            $this->fail2banLogs = [];
         }
     }
 
diff --git a/app/Filament/Admin/Pages/ServerUpdates.php b/app/Filament/Admin/Pages/ServerUpdates.php
new file mode 100644
index 0000000..d5d86c5
--- /dev/null
+++ b/app/Filament/Admin/Pages/ServerUpdates.php
@@ -0,0 +1,124 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Pages;
+
+use App\Services\Agent\AgentClient;
+use BackedEnum;
+use Filament\Actions\Action;
+use Filament\Actions\Concerns\InteractsWithActions;
+use Filament\Actions\Contracts\HasActions;
+use Filament\Notifications\Notification;
+use Filament\Pages\Page;
+use Filament\Support\Icons\Heroicon;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Concerns\InteractsWithTable;
+use Filament\Tables\Contracts\HasTable;
+use Filament\Tables\Table;
+use Illuminate\Contracts\Support\Htmlable;
+
+class ServerUpdates extends Page implements HasActions, HasTable
+{
+    use InteractsWithActions;
+    use InteractsWithTable;
+
+    protected static string|BackedEnum|null $navigationIcon = Heroicon::OutlinedArrowPathRoundedSquare;
+
+    protected static ?int $navigationSort = 16;
+
+    protected static ?string $slug = 'server-updates';
+
+    protected string $view = 'filament.admin.pages.server-updates';
+
+    public array $packages = [];
+
+    protected ?AgentClient $agent = null;
+
+    public function getTitle(): string|Htmlable
+    {
+        return __('Server Updates');
+    }
+
+    public static function getNavigationLabel(): string
+    {
+        return __('Server Updates');
+    }
+
+    public function mount(): void
+    {
+        $this->loadUpdates();
+    }
+
+    protected function getAgent(): AgentClient
+    {
+        return $this->agent ??= new AgentClient;
+    }
+
+    public function loadUpdates(): void
+    {
+        try {
+            $result = $this->getAgent()->updatesList();
+            $this->packages = $result['packages'] ?? [];
+        } catch (\Exception $e) {
+            $this->packages = [];
+            Notification::make()
+                ->title(__('Failed to load updates'))
+                ->body($e->getMessage())
+                ->danger()
+                ->send();
+        }
+
+        $this->resetTable();
+    }
+
+    public function runUpdates(): void
+    {
+        try {
+            $this->getAgent()->updatesRun();
+            Notification::make()
+                ->title(__('Updates completed'))
+                ->success()
+                ->send();
+        } catch (\Exception $e) {
+            Notification::make()
+                ->title(__('Update failed'))
+                ->body($e->getMessage())
+                ->danger()
+                ->send();
+        }
+
+        $this->loadUpdates();
+    }
+
+    public function table(Table $table): Table
+    {
+        return $table
+            ->records(fn () => $this->packages)
+            ->columns([
+                TextColumn::make('name')
+                    ->label(__('Package'))
+                    ->searchable(),
+                TextColumn::make('current_version')
+                    ->label(__('Current Version')),
+                TextColumn::make('new_version')
+                    ->label(__('New Version')),
+            ])
+            ->emptyStateHeading(__('No updates available'))
+            ->emptyStateDescription(__('Your system packages are up to date.'))
+            ->headerActions([
+                Action::make('refresh')
+                    ->label(__('Refresh'))
+                    ->icon('heroicon-o-arrow-path')
+                    ->action(fn () => $this->loadUpdates()),
+                Action::make('runUpdates')
+                    ->label(__('Run Updates'))
+                    ->icon('heroicon-o-arrow-path-rounded-square')
+                    ->color('primary')
+                    ->requiresConfirmation()
+                    ->modalHeading(__('Install updates'))
+                    ->modalDescription(__('This will run apt-get upgrade on the server. Continue?'))
+                    ->action(fn () => $this->runUpdates()),
+            ]);
+    }
+}
diff --git a/app/Filament/Admin/Pages/Waf.php b/app/Filament/Admin/Pages/Waf.php
new file mode 100644
index 0000000..9ac0bd5
--- /dev/null
+++ b/app/Filament/Admin/Pages/Waf.php
@@ -0,0 +1,119 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Pages;
+
+use App\Models\Setting;
+use App\Services\Agent\AgentClient;
+use BackedEnum;
+use Exception;
+use Filament\Forms\Components\Select;
+use Filament\Forms\Components\Toggle;
+use Filament\Forms\Concerns\InteractsWithForms;
+use Filament\Forms\Contracts\HasForms;
+use Filament\Notifications\Notification;
+use Filament\Pages\Page;
+use Filament\Schemas\Components\Section;
+use Filament\Support\Icons\Heroicon;
+use Illuminate\Contracts\Support\Htmlable;
+
+class Waf extends Page implements HasForms
+{
+    use InteractsWithForms;
+
+    protected static string|BackedEnum|null $navigationIcon = Heroicon::OutlinedShieldCheck;
+
+    protected static ?int $navigationSort = 20;
+
+    protected static ?string $slug = 'waf';
+
+    protected string $view = 'filament.admin.pages.waf';
+
+    public bool $wafInstalled = false;
+
+    public array $wafFormData = [];
+
+    public function getTitle(): string|Htmlable
+    {
+        return __('ModSecurity / WAF');
+    }
+
+    public static function getNavigationLabel(): string
+    {
+        return __('ModSecurity / WAF');
+    }
+
+    public function mount(): void
+    {
+        $this->wafInstalled = $this->detectWaf();
+        $this->wafFormData = [
+            'enabled' => Setting::get('waf_enabled', '0') === '1',
+            'paranoia' => Setting::get('waf_paranoia', '1'),
+            'audit_log' => Setting::get('waf_audit_log', '1') === '1',
+        ];
+    }
+
+    protected function detectWaf(): bool
+    {
+        return file_exists('/etc/nginx/modsec/main.conf') || file_exists('/etc/nginx/modsecurity.conf');
+    }
+
+    protected function getForms(): array
+    {
+        return ['wafForm'];
+    }
+
+    public function wafForm(\Filament\Schemas\Schema $schema): \Filament\Schemas\Schema
+    {
+        return $schema
+            ->statePath('wafFormData')
+            ->schema([
+                Section::make(__('WAF Settings'))
+                    ->schema([
+                        Toggle::make('enabled')
+                            ->label(__('Enable ModSecurity')),
+                        Select::make('paranoia')
+                            ->label(__('Paranoia Level'))
+                            ->options([
+                                '1' => '1 - Basic',
+                                '2' => '2 - Moderate',
+                                '3' => '3 - Strict',
+                                '4' => '4 - Very Strict',
+                            ])
+                            ->default('1'),
+                        Toggle::make('audit_log')
+                            ->label(__('Enable Audit Log')),
+                    ])
+                    ->columns(2),
+            ]);
+    }
+
+    public function saveWafSettings(): void
+    {
+        $data = $this->wafForm->getState();
+        Setting::set('waf_enabled', ! empty($data['enabled']) ? '1' : '0');
+        Setting::set('waf_paranoia', (string) ($data['paranoia'] ?? '1'));
+        Setting::set('waf_audit_log', ! empty($data['audit_log']) ? '1' : '0');
+
+        try {
+            $agent = new AgentClient;
+            $agent->wafApplySettings(
+                ! empty($data['enabled']),
+                (string) ($data['paranoia'] ?? '1'),
+                ! empty($data['audit_log'])
+            );
+
+            Notification::make()
+                ->title(__('WAF settings applied'))
+                ->success()
+                ->send();
+        } catch (Exception $e) {
+            Notification::make()
+                ->title(__('WAF settings saved, but apply failed'))
+                ->body($e->getMessage())
+                ->warning()
+                ->send();
+        }
+    }
+}
diff --git a/app/Filament/Admin/Resources/GeoBlockRules/GeoBlockRuleResource.php b/app/Filament/Admin/Resources/GeoBlockRules/GeoBlockRuleResource.php
new file mode 100644
index 0000000..d4cbe87
--- /dev/null
+++ b/app/Filament/Admin/Resources/GeoBlockRules/GeoBlockRuleResource.php
@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\GeoBlockRules;
+
+use App\Filament\Admin\Resources\GeoBlockRules\Pages\CreateGeoBlockRule;
+use App\Filament\Admin\Resources\GeoBlockRules\Pages\EditGeoBlockRule;
+use App\Filament\Admin\Resources\GeoBlockRules\Pages\ListGeoBlockRules;
+use App\Filament\Admin\Resources\GeoBlockRules\Schemas\GeoBlockRuleForm;
+use App\Filament\Admin\Resources\GeoBlockRules\Tables\GeoBlockRulesTable;
+use App\Models\GeoBlockRule;
+use BackedEnum;
+use Filament\Resources\Resource;
+use Filament\Schemas\Schema;
+use Filament\Support\Icons\Heroicon;
+use Filament\Tables\Table;
+
+class GeoBlockRuleResource extends Resource
+{
+    protected static ?string $model = GeoBlockRule::class;
+
+    protected static string|BackedEnum|null $navigationIcon = Heroicon::OutlinedGlobeAlt;
+
+    protected static ?int $navigationSort = 22;
+
+    public static function getNavigationLabel(): string
+    {
+        return __('Geographic Blocking');
+    }
+
+    public static function getModelLabel(): string
+    {
+        return __('Geo Rule');
+    }
+
+    public static function getPluralModelLabel(): string
+    {
+        return __('Geo Rules');
+    }
+
+    public static function form(Schema $schema): Schema
+    {
+        return GeoBlockRuleForm::configure($schema);
+    }
+
+    public static function table(Table $table): Table
+    {
+        return GeoBlockRulesTable::configure($table);
+    }
+
+    public static function getPages(): array
+    {
+        return [
+            'index' => ListGeoBlockRules::route('/'),
+            'create' => CreateGeoBlockRule::route('/create'),
+            'edit' => EditGeoBlockRule::route('/{record}/edit'),
+        ];
+    }
+}
diff --git a/app/Filament/Admin/Resources/GeoBlockRules/Pages/CreateGeoBlockRule.php b/app/Filament/Admin/Resources/GeoBlockRules/Pages/CreateGeoBlockRule.php
new file mode 100644
index 0000000..7f7ae4c
--- /dev/null
+++ b/app/Filament/Admin/Resources/GeoBlockRules/Pages/CreateGeoBlockRule.php
@@ -0,0 +1,34 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\GeoBlockRules\Pages;
+
+use App\Filament\Admin\Resources\GeoBlockRules\GeoBlockRuleResource;
+use App\Services\System\GeoBlockService;
+use Exception;
+use Filament\Notifications\Notification;
+use Filament\Resources\Pages\CreateRecord;
+
+class CreateGeoBlockRule extends CreateRecord
+{
+    protected static string $resource = GeoBlockRuleResource::class;
+
+    protected function afterCreate(): void
+    {
+        try {
+            app(GeoBlockService::class)->applyCurrentRules();
+
+            Notification::make()
+                ->title(__('Geo rules applied'))
+                ->success()
+                ->send();
+        } catch (Exception $e) {
+            Notification::make()
+                ->title(__('Geo rules apply failed'))
+                ->body($e->getMessage())
+                ->danger()
+                ->send();
+        }
+    }
+}
diff --git a/app/Filament/Admin/Resources/GeoBlockRules/Pages/EditGeoBlockRule.php b/app/Filament/Admin/Resources/GeoBlockRules/Pages/EditGeoBlockRule.php
new file mode 100644
index 0000000..48da480
--- /dev/null
+++ b/app/Filament/Admin/Resources/GeoBlockRules/Pages/EditGeoBlockRule.php
@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\GeoBlockRules\Pages;
+
+use App\Filament\Admin\Resources\GeoBlockRules\GeoBlockRuleResource;
+use App\Services\System\GeoBlockService;
+use Exception;
+use Filament\Actions\DeleteAction;
+use Filament\Notifications\Notification;
+use Filament\Resources\Pages\EditRecord;
+
+class EditGeoBlockRule extends EditRecord
+{
+    protected static string $resource = GeoBlockRuleResource::class;
+
+    protected function afterSave(): void
+    {
+        $this->applyGeoRules();
+    }
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            DeleteAction::make()
+                ->after(fn () => $this->applyGeoRules()),
+        ];
+    }
+
+    protected function applyGeoRules(): void
+    {
+        try {
+            app(GeoBlockService::class)->applyCurrentRules();
+
+            Notification::make()
+                ->title(__('Geo rules applied'))
+                ->success()
+                ->send();
+        } catch (Exception $e) {
+            Notification::make()
+                ->title(__('Geo rules apply failed'))
+                ->body($e->getMessage())
+                ->danger()
+                ->send();
+        }
+    }
+}
diff --git a/app/Filament/Admin/Resources/GeoBlockRules/Pages/ListGeoBlockRules.php b/app/Filament/Admin/Resources/GeoBlockRules/Pages/ListGeoBlockRules.php
new file mode 100644
index 0000000..a6a650a
--- /dev/null
+++ b/app/Filament/Admin/Resources/GeoBlockRules/Pages/ListGeoBlockRules.php
@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\GeoBlockRules\Pages;
+
+use App\Filament\Admin\Resources\GeoBlockRules\GeoBlockRuleResource;
+use Filament\Actions\CreateAction;
+use Filament\Resources\Pages\ListRecords;
+
+class ListGeoBlockRules extends ListRecords
+{
+    protected static string $resource = GeoBlockRuleResource::class;
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            CreateAction::make(),
+        ];
+    }
+}
diff --git a/app/Filament/Admin/Resources/GeoBlockRules/Schemas/GeoBlockRuleForm.php b/app/Filament/Admin/Resources/GeoBlockRules/Schemas/GeoBlockRuleForm.php
new file mode 100644
index 0000000..7f6cd6c
--- /dev/null
+++ b/app/Filament/Admin/Resources/GeoBlockRules/Schemas/GeoBlockRuleForm.php
@@ -0,0 +1,45 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\GeoBlockRules\Schemas;
+
+use Filament\Forms\Components\Select;
+use Filament\Forms\Components\TextInput;
+use Filament\Forms\Components\Toggle;
+use Filament\Schemas\Components\Section;
+use Filament\Schemas\Schema;
+
+class GeoBlockRuleForm
+{
+    public static function configure(Schema $schema): Schema
+    {
+        return $schema
+            ->columns(1)
+            ->components([
+                Section::make(__('Geo Rule'))
+                    ->schema([
+                        TextInput::make('country_code')
+                            ->label(__('Country Code'))
+                            ->maxLength(2)
+                            ->minLength(2)
+                            ->required()
+                            ->helperText(__('Use ISO-3166 alpha-2 code (e.g., US, DE, FR).')),
+                        Select::make('action')
+                            ->label(__('Action'))
+                            ->options([
+                                'block' => __('Block'),
+                                'allow' => __('Allow'),
+                            ])
+                            ->default('block')
+                            ->required(),
+                        TextInput::make('notes')
+                            ->label(__('Notes')),
+                        Toggle::make('is_active')
+                            ->label(__('Active'))
+                            ->default(true),
+                    ])
+                    ->columns(2),
+            ]);
+    }
+}
diff --git a/app/Filament/Admin/Resources/GeoBlockRules/Tables/GeoBlockRulesTable.php b/app/Filament/Admin/Resources/GeoBlockRules/Tables/GeoBlockRulesTable.php
new file mode 100644
index 0000000..1ca9c13
--- /dev/null
+++ b/app/Filament/Admin/Resources/GeoBlockRules/Tables/GeoBlockRulesTable.php
@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\GeoBlockRules\Tables;
+
+use App\Services\System\GeoBlockService;
+use Filament\Actions\DeleteAction;
+use Filament\Actions\EditAction;
+use Filament\Notifications\Notification;
+use Filament\Tables\Columns\IconColumn;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Table;
+
+class GeoBlockRulesTable
+{
+    public static function configure(Table $table): Table
+    {
+        return $table
+            ->columns([
+                TextColumn::make('country_code')
+                    ->label(__('Country'))
+                    ->formatStateUsing(fn ($state) => strtoupper($state))
+                    ->searchable(),
+                TextColumn::make('action')
+                    ->label(__('Action'))
+                    ->badge()
+                    ->color(fn (string $state): string => $state === 'block' ? 'danger' : 'success'),
+                TextColumn::make('notes')
+                    ->label(__('Notes'))
+                    ->wrap(),
+                IconColumn::make('is_active')
+                    ->label(__('Active'))
+                    ->boolean(),
+            ])
+            ->recordActions([
+                EditAction::make(),
+                DeleteAction::make()
+                    ->after(function () {
+                        try {
+                            app(GeoBlockService::class)->applyCurrentRules();
+                        } catch (\Exception $e) {
+                            Notification::make()
+                                ->title(__('Geo rules sync failed'))
+                                ->body($e->getMessage())
+                                ->danger()
+                                ->send();
+                        }
+                    }),
+            ])
+            ->emptyStateHeading(__('No geo rules'))
+            ->emptyStateDescription(__('Add a country rule to allow or block traffic.'));
+    }
+}
diff --git a/app/Filament/Admin/Resources/HostingPackages/HostingPackageResource.php b/app/Filament/Admin/Resources/HostingPackages/HostingPackageResource.php
new file mode 100644
index 0000000..aa8f4b9
--- /dev/null
+++ b/app/Filament/Admin/Resources/HostingPackages/HostingPackageResource.php
@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\HostingPackages;
+
+use App\Filament\Admin\Resources\HostingPackages\Pages\CreateHostingPackage;
+use App\Filament\Admin\Resources\HostingPackages\Pages\EditHostingPackage;
+use App\Filament\Admin\Resources\HostingPackages\Pages\ListHostingPackages;
+use App\Filament\Admin\Resources\HostingPackages\Schemas\HostingPackageForm;
+use App\Filament\Admin\Resources\HostingPackages\Tables\HostingPackagesTable;
+use App\Models\HostingPackage;
+use BackedEnum;
+use Filament\Resources\Resource;
+use Filament\Schemas\Schema;
+use Filament\Support\Icons\Heroicon;
+use Filament\Tables\Table;
+
+class HostingPackageResource extends Resource
+{
+    protected static ?string $model = HostingPackage::class;
+
+    protected static string|BackedEnum|null $navigationIcon = Heroicon::OutlinedCube;
+
+    protected static ?int $navigationSort = 13;
+
+    public static function getNavigationLabel(): string
+    {
+        return __('Hosting Packages');
+    }
+
+    public static function getModelLabel(): string
+    {
+        return __('Hosting Package');
+    }
+
+    public static function getPluralModelLabel(): string
+    {
+        return __('Hosting Packages');
+    }
+
+    public static function form(Schema $schema): Schema
+    {
+        return HostingPackageForm::configure($schema);
+    }
+
+    public static function table(Table $table): Table
+    {
+        return HostingPackagesTable::configure($table);
+    }
+
+    public static function getPages(): array
+    {
+        return [
+            'index' => ListHostingPackages::route('/'),
+            'create' => CreateHostingPackage::route('/create'),
+            'edit' => EditHostingPackage::route('/{record}/edit'),
+        ];
+    }
+}
diff --git a/app/Filament/Admin/Resources/HostingPackages/Pages/CreateHostingPackage.php b/app/Filament/Admin/Resources/HostingPackages/Pages/CreateHostingPackage.php
new file mode 100644
index 0000000..4f13497
--- /dev/null
+++ b/app/Filament/Admin/Resources/HostingPackages/Pages/CreateHostingPackage.php
@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\HostingPackages\Pages;
+
+use App\Filament\Admin\Resources\HostingPackages\HostingPackageResource;
+use Filament\Resources\Pages\CreateRecord;
+
+class CreateHostingPackage extends CreateRecord
+{
+    protected static string $resource = HostingPackageResource::class;
+}
diff --git a/app/Filament/Admin/Resources/HostingPackages/Pages/EditHostingPackage.php b/app/Filament/Admin/Resources/HostingPackages/Pages/EditHostingPackage.php
new file mode 100644
index 0000000..d8f431b
--- /dev/null
+++ b/app/Filament/Admin/Resources/HostingPackages/Pages/EditHostingPackage.php
@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\HostingPackages\Pages;
+
+use App\Filament\Admin\Resources\HostingPackages\HostingPackageResource;
+use Filament\Actions\DeleteAction;
+use Filament\Resources\Pages\EditRecord;
+
+class EditHostingPackage extends EditRecord
+{
+    protected static string $resource = HostingPackageResource::class;
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            DeleteAction::make(),
+        ];
+    }
+}
diff --git a/app/Filament/Admin/Resources/HostingPackages/Pages/ListHostingPackages.php b/app/Filament/Admin/Resources/HostingPackages/Pages/ListHostingPackages.php
new file mode 100644
index 0000000..f393245
--- /dev/null
+++ b/app/Filament/Admin/Resources/HostingPackages/Pages/ListHostingPackages.php
@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\HostingPackages\Pages;
+
+use App\Filament\Admin\Resources\HostingPackages\HostingPackageResource;
+use Filament\Actions\CreateAction;
+use Filament\Resources\Pages\ListRecords;
+
+class ListHostingPackages extends ListRecords
+{
+    protected static string $resource = HostingPackageResource::class;
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            CreateAction::make(),
+        ];
+    }
+}
diff --git a/app/Filament/Admin/Resources/HostingPackages/Schemas/HostingPackageForm.php b/app/Filament/Admin/Resources/HostingPackages/Schemas/HostingPackageForm.php
new file mode 100644
index 0000000..4abe0b0
--- /dev/null
+++ b/app/Filament/Admin/Resources/HostingPackages/Schemas/HostingPackageForm.php
@@ -0,0 +1,87 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\HostingPackages\Schemas;
+
+use Filament\Forms\Components\Textarea;
+use Filament\Forms\Components\TextInput;
+use Filament\Forms\Components\Toggle;
+use Filament\Schemas\Components\Section;
+use Filament\Schemas\Schema;
+
+class HostingPackageForm
+{
+    public static function configure(Schema $schema): Schema
+    {
+        return $schema
+            ->columns(1)
+            ->components([
+                Section::make(__('Package Details'))
+                    ->schema([
+                        TextInput::make('name')
+                            ->label(__('Name'))
+                            ->required()
+                            ->maxLength(120)
+                            ->unique(ignoreRecord: true),
+                        Textarea::make('description')
+                            ->label(__('Description'))
+                            ->rows(3)
+                            ->columnSpanFull(),
+                        Toggle::make('is_active')
+                            ->label(__('Active'))
+                            ->default(true),
+                    ])
+                    ->columns(2),
+
+                Section::make(__('Resource Limits'))
+                    ->description(__('Leave blank for unlimited.'))
+                    ->schema([
+                        TextInput::make('disk_quota_mb')
+                            ->label(__('Disk Quota (MB)'))
+                            ->numeric()
+                            ->minValue(0)
+                            ->helperText(__('Example: 10240 = 10 GB')),
+                        TextInput::make('bandwidth_gb')
+                            ->label(__('Bandwidth (GB / month)'))
+                            ->numeric()
+                            ->minValue(0),
+                        TextInput::make('domains_limit')
+                            ->label(__('Domains Limit'))
+                            ->numeric()
+                            ->minValue(0),
+                        TextInput::make('databases_limit')
+                            ->label(__('Databases Limit'))
+                            ->numeric()
+                            ->minValue(0),
+                        TextInput::make('mailboxes_limit')
+                            ->label(__('Mailboxes Limit'))
+                            ->numeric()
+                            ->minValue(0),
+                    ])
+                    ->columns(2),
+
+                Section::make(__('System Resource Limits'))
+                    ->description(__('Optional cgroup limits applied to users in this package. Leave blank for unlimited.'))
+                    ->schema([
+                        TextInput::make('cpu_limit_percent')
+                            ->label(__('CPU Limit (%)'))
+                            ->numeric()
+                            ->minValue(0)
+                            ->maxValue(100)
+                            ->helperText(__('Example: 50 = 50% CPU quota')),
+                        TextInput::make('memory_limit_mb')
+                            ->label(__('Memory Limit (MB)'))
+                            ->numeric()
+                            ->minValue(0)
+                            ->helperText(__('Example: 1024 = 1 GB RAM')),
+                        TextInput::make('io_limit_mb')
+                            ->label(__('Disk IO Limit (MB/s)'))
+                            ->numeric()
+                            ->minValue(0)
+                            ->helperText(__('Applied to read/write bandwidth')),
+                    ])
+                    ->columns(2),
+            ]);
+    }
+}
diff --git a/app/Filament/Admin/Resources/HostingPackages/Tables/HostingPackagesTable.php b/app/Filament/Admin/Resources/HostingPackages/Tables/HostingPackagesTable.php
new file mode 100644
index 0000000..9066852
--- /dev/null
+++ b/app/Filament/Admin/Resources/HostingPackages/Tables/HostingPackagesTable.php
@@ -0,0 +1,72 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\HostingPackages\Tables;
+
+use Filament\Actions\DeleteAction;
+use Filament\Actions\EditAction;
+use Filament\Tables\Columns\IconColumn;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Table;
+
+class HostingPackagesTable
+{
+    public static function configure(Table $table): Table
+    {
+        return $table
+            ->columns([
+                TextColumn::make('name')
+                    ->label(__('Name'))
+                    ->searchable()
+                    ->sortable(),
+                TextColumn::make('disk_quota_mb')
+                    ->label(__('Disk'))
+                    ->getStateUsing(function ($record) {
+                        $quota = $record->disk_quota_mb;
+                        if (! $quota) {
+                            return __('Unlimited');
+                        }
+
+                        return $quota >= 1024
+                            ? number_format($quota / 1024, 1).' GB'
+                            : $quota.' MB';
+                    }),
+                TextColumn::make('bandwidth_gb')
+                    ->label(__('Bandwidth'))
+                    ->getStateUsing(fn ($record) => $record->bandwidth_gb ? $record->bandwidth_gb.' GB' : __('Unlimited')),
+                TextColumn::make('domains_limit')
+                    ->label(__('Domains'))
+                    ->getStateUsing(fn ($record) => $record->domains_limit ?: __('Unlimited')),
+                TextColumn::make('databases_limit')
+                    ->label(__('Databases'))
+                    ->getStateUsing(fn ($record) => $record->databases_limit ?: __('Unlimited')),
+                TextColumn::make('mailboxes_limit')
+                    ->label(__('Mailboxes'))
+                    ->getStateUsing(fn ($record) => $record->mailboxes_limit ?: __('Unlimited')),
+                TextColumn::make('resource_limits')
+                    ->label(__('System Limits'))
+                    ->getStateUsing(function ($record) {
+                        $cpu = $record->cpu_limit_percent ? $record->cpu_limit_percent.'%' : null;
+                        $memory = $record->memory_limit_mb ? $record->memory_limit_mb.' MB' : null;
+                        $io = $record->io_limit_mb ? $record->io_limit_mb.' MB/s' : null;
+
+                        $parts = array_filter([
+                            $cpu ? __('CPU: :value', ['value' => $cpu]) : null,
+                            $memory ? __('RAM: :value', ['value' => $memory]) : null,
+                            $io ? __('IO: :value', ['value' => $io]) : null,
+                        ]);
+
+                        return ! empty($parts) ? implode(', ', $parts) : __('Unlimited');
+                    }),
+                IconColumn::make('is_active')
+                    ->label(__('Active'))
+                    ->boolean(),
+            ])
+            ->recordActions([
+                EditAction::make(),
+                DeleteAction::make(),
+            ])
+            ->defaultSort('name');
+    }
+}
diff --git a/app/Filament/Admin/Resources/Users/Pages/CreateUser.php b/app/Filament/Admin/Resources/Users/Pages/CreateUser.php
index 1293981..9f18333 100644
--- a/app/Filament/Admin/Resources/Users/Pages/CreateUser.php
+++ b/app/Filament/Admin/Resources/Users/Pages/CreateUser.php
@@ -5,24 +5,36 @@ declare(strict_types=1);
 namespace App\Filament\Admin\Resources\Users\Pages;
 
 use App\Filament\Admin\Resources\Users\UserResource;
+use App\Models\HostingPackage;
+use App\Models\UserResourceLimit;
 use App\Services\Agent\AgentClient;
 use App\Services\System\LinuxUserService;
+use App\Services\System\ResourceLimitService;
+use Exception;
 use Filament\Notifications\Notification;
 use Filament\Resources\Pages\CreateRecord;
-use Illuminate\Support\Str;
-use Exception;
 
 class CreateUser extends CreateRecord
 {
     protected static string $resource = UserResource::class;
 
+    protected ?HostingPackage $selectedPackage = null;
+
     protected function mutateFormDataBeforeCreate(array $data): array
     {
         // Generate SFTP password (same as user password or random)
-        if (!empty($data['password'])) {
+        if (! empty($data['password'])) {
             $data['sftp_password'] = $data['password'];
         }
-        
+
+        if (! empty($data['hosting_package_id'])) {
+            $this->selectedPackage = HostingPackage::find($data['hosting_package_id']);
+            $data['disk_quota_mb'] = $this->selectedPackage?->disk_quota_mb;
+        } else {
+            $this->selectedPackage = null;
+            $data['disk_quota_mb'] = null;
+        }
+
         return $data;
     }
 
@@ -32,7 +44,7 @@ class CreateUser extends CreateRecord
 
         if ($createLinuxUser) {
             try {
-                $linuxService = new LinuxUserService();
+                $linuxService = new LinuxUserService;
 
                 // Get the plain password before it was hashed
                 $password = $this->data['sftp_password'] ?? null;
@@ -47,6 +59,9 @@ class CreateUser extends CreateRecord
 
                 // Apply disk quota if enabled
                 $this->applyDiskQuota();
+
+                // Apply resource limits from package
+                $this->syncResourceLimitsFromPackage($this->selectedPackage, true);
             } catch (Exception $e) {
                 Notification::make()
                     ->title(__('Linux user creation failed'))
@@ -54,19 +69,30 @@ class CreateUser extends CreateRecord
                     ->danger()
                     ->send();
             }
+        } else {
+            // Store resource limits even if the Linux user was not created yet
+            $this->syncResourceLimitsFromPackage($this->selectedPackage, false);
+        }
+
+        if (! $this->record->hosting_package_id) {
+            Notification::make()
+                ->title(__('No hosting package selected'))
+                ->body(__('This user has unlimited resource limits.'))
+                ->warning()
+                ->send();
         }
     }
 
     protected function applyDiskQuota(): void
     {
         $quotaMb = $this->record->disk_quota_mb;
-        if (!$quotaMb || $quotaMb <= 0) {
+        if (! $quotaMb || $quotaMb <= 0) {
             return;
         }
 
         // Always try to apply quota when set
         try {
-            $agent = new AgentClient();
+            $agent = new AgentClient;
             $result = $agent->quotaSet($this->record->username, (int) $quotaMb);
 
             if ($result['success'] ?? false) {
@@ -87,4 +113,50 @@ class CreateUser extends CreateRecord
                 ->send();
         }
     }
+
+    protected function syncResourceLimitsFromPackage(?HostingPackage $package, bool $apply): void
+    {
+        if (! $this->record) {
+            return;
+        }
+
+        $cpu = $package?->cpu_limit_percent;
+        $memory = $package?->memory_limit_mb;
+        $io = $package?->io_limit_mb;
+        $hasLimits = ($cpu && $cpu > 0) || ($memory && $memory > 0) || ($io && $io > 0);
+
+        $limit = UserResourceLimit::where('user_id', $this->record->id)->first();
+
+        if (! $package || ! $hasLimits) {
+            if ($limit) {
+                $limit->fill([
+                    'cpu_limit_percent' => null,
+                    'memory_limit_mb' => null,
+                    'io_limit_mb' => null,
+                    'is_active' => false,
+                ])->save();
+
+                if ($apply) {
+                    app(ResourceLimitService::class)->clear($limit);
+                }
+            }
+
+            return;
+        }
+
+        if (! $limit) {
+            $limit = new UserResourceLimit(['user_id' => $this->record->id]);
+        }
+
+        $limit->fill([
+            'cpu_limit_percent' => $cpu,
+            'memory_limit_mb' => $memory,
+            'io_limit_mb' => $io,
+            'is_active' => true,
+        ])->save();
+
+        if ($apply) {
+            app(ResourceLimitService::class)->apply($limit);
+        }
+    }
 }
diff --git a/app/Filament/Admin/Resources/Users/Pages/EditUser.php b/app/Filament/Admin/Resources/Users/Pages/EditUser.php
index 5c5c010..f088d0a 100644
--- a/app/Filament/Admin/Resources/Users/Pages/EditUser.php
+++ b/app/Filament/Admin/Resources/Users/Pages/EditUser.php
@@ -5,8 +5,11 @@ declare(strict_types=1);
 namespace App\Filament\Admin\Resources\Users\Pages;
 
 use App\Filament\Admin\Resources\Users\UserResource;
+use App\Models\HostingPackage;
+use App\Models\UserResourceLimit;
 use App\Services\Agent\AgentClient;
 use App\Services\System\LinuxUserService;
+use App\Services\System\ResourceLimitService;
 use Exception;
 use Filament\Actions;
 use Filament\Forms\Components\Toggle;
@@ -19,6 +22,8 @@ class EditUser extends EditRecord
 
     protected ?int $originalQuota = null;
 
+    protected ?HostingPackage $selectedPackage = null;
+
     protected function mutateFormDataBeforeFill(array $data): array
     {
         $this->originalQuota = $data['disk_quota_mb'] ?? null;
@@ -26,39 +31,90 @@ class EditUser extends EditRecord
         return $data;
     }
 
+    protected function mutateFormDataBeforeSave(array $data): array
+    {
+        if (! empty($data['hosting_package_id'])) {
+            $this->selectedPackage = HostingPackage::find($data['hosting_package_id']);
+            $data['disk_quota_mb'] = $this->selectedPackage?->disk_quota_mb;
+        } else {
+            $this->selectedPackage = null;
+            $data['disk_quota_mb'] = null;
+        }
+
+        return $data;
+    }
+
     protected function afterSave(): void
     {
         $newQuota = $this->record->disk_quota_mb;
-        if ($newQuota === $this->originalQuota) {
+        if ($newQuota !== $this->originalQuota) {
+            // Always try to apply quota when changed
+            try {
+                $agent = new AgentClient;
+                $result = $agent->quotaSet($this->record->username, (int) ($newQuota ?? 0));
+
+                if ($result['success'] ?? false) {
+                    $message = $newQuota && $newQuota > 0
+                        ? __('Quota updated to :size GB', ['size' => number_format($newQuota / 1024, 1)])
+                        : __('Quota removed (unlimited)');
+
+                    Notification::make()
+                        ->title(__('Disk quota updated'))
+                        ->body($message)
+                        ->success()
+                        ->send();
+                } else {
+                    throw new Exception($result['error'] ?? __('Unknown error'));
+                }
+            } catch (Exception $e) {
+                // Show warning but don't fail - quota value is saved in database
+                Notification::make()
+                    ->title(__('Disk quota update failed'))
+                    ->body(__('Value saved but filesystem quota not applied: :error', ['error' => $e->getMessage()]))
+                    ->warning()
+                    ->send();
+            }
+        }
+
+        $this->syncResourceLimitsFromPackage($this->selectedPackage);
+    }
+
+    protected function syncResourceLimitsFromPackage(?HostingPackage $package): void
+    {
+        $cpu = $package?->cpu_limit_percent;
+        $memory = $package?->memory_limit_mb;
+        $io = $package?->io_limit_mb;
+        $hasLimits = ($cpu && $cpu > 0) || ($memory && $memory > 0) || ($io && $io > 0);
+
+        $limit = UserResourceLimit::where('user_id', $this->record->id)->first();
+
+        if (! $package || ! $hasLimits) {
+            if ($limit) {
+                $limit->fill([
+                    'cpu_limit_percent' => null,
+                    'memory_limit_mb' => null,
+                    'io_limit_mb' => null,
+                    'is_active' => false,
+                ])->save();
+
+                app(ResourceLimitService::class)->clear($limit);
+            }
+
             return;
         }
 
-        // Always try to apply quota when changed
-        try {
-            $agent = new AgentClient;
-            $result = $agent->quotaSet($this->record->username, (int) ($newQuota ?? 0));
-
-            if ($result['success'] ?? false) {
-                $message = $newQuota && $newQuota > 0
-                    ? __('Quota updated to :size GB', ['size' => number_format($newQuota / 1024, 1)])
-                    : __('Quota removed (unlimited)');
-
-                Notification::make()
-                    ->title(__('Disk quota updated'))
-                    ->body($message)
-                    ->success()
-                    ->send();
-            } else {
-                throw new Exception($result['error'] ?? __('Unknown error'));
-            }
-        } catch (Exception $e) {
-            // Show warning but don't fail - quota value is saved in database
-            Notification::make()
-                ->title(__('Disk quota update failed'))
-                ->body(__('Value saved but filesystem quota not applied: :error', ['error' => $e->getMessage()]))
-                ->warning()
-                ->send();
+        if (! $limit) {
+            $limit = new UserResourceLimit(['user_id' => $this->record->id]);
         }
+
+        $limit->fill([
+            'cpu_limit_percent' => $cpu,
+            'memory_limit_mb' => $memory,
+            'io_limit_mb' => $io,
+            'is_active' => true,
+        ])->save();
+
+        app(ResourceLimitService::class)->apply($limit);
     }
 
     protected function getHeaderActions(): array
diff --git a/app/Filament/Admin/Resources/Users/Schemas/UserForm.php b/app/Filament/Admin/Resources/Users/Schemas/UserForm.php
index 2097411..dbf2616 100644
--- a/app/Filament/Admin/Resources/Users/Schemas/UserForm.php
+++ b/app/Filament/Admin/Resources/Users/Schemas/UserForm.php
@@ -2,18 +2,15 @@
 
 namespace App\Filament\Admin\Resources\Users\Schemas;
 
-use App\Models\DnsSetting;
+use App\Models\HostingPackage;
 use Filament\Actions\Action;
 use Filament\Forms\Components\DateTimePicker;
 use Filament\Forms\Components\Placeholder;
 use Filament\Forms\Components\TextInput;
 use Filament\Forms\Components\Toggle;
-use Filament\Forms\Components\Group;
 use Filament\Schemas\Components\Section;
 use Filament\Schemas\Schema;
 use Illuminate\Support\Facades\Hash;
-use Illuminate\Support\HtmlString;
-use Illuminate\Support\Str;
 
 class UserForm
 {
@@ -29,12 +26,12 @@ class UserForm
 
         // Ensure at least one of each type
         $password = $uppercase[random_int(0, strlen($uppercase) - 1)]
-            . $lowercase[random_int(0, strlen($lowercase) - 1)]
-            . $numbers[random_int(0, strlen($numbers) - 1)]
-            . $special[random_int(0, strlen($special) - 1)];
+            .$lowercase[random_int(0, strlen($lowercase) - 1)]
+            .$numbers[random_int(0, strlen($numbers) - 1)]
+            .$special[random_int(0, strlen($special) - 1)];
 
         // Fill rest with random characters from all pools
-        $allChars = $uppercase . $lowercase . $numbers . $special;
+        $allChars = $uppercase.$lowercase.$numbers.$special;
         for ($i = 4; $i < $length; $i++) {
             $password .= $allChars[random_int(0, strlen($allChars) - 1)];
         }
@@ -125,6 +122,24 @@ class UserForm
                             ->helperText(__('Inactive users cannot log in'))
                             ->inline(false),
 
+                        Placeholder::make('package_notice')
+                            ->label(__('Hosting Package'))
+                            ->content(__('No hosting package selected. This user will have unlimited resources.'))
+                            ->visible(fn ($get) => blank($get('hosting_package_id'))),
+
+                        \Filament\Forms\Components\Select::make('hosting_package_id')
+                            ->label(__('Hosting Package'))
+                            ->searchable()
+                            ->preload()
+                            ->options(fn () => HostingPackage::query()
+                                ->where('is_active', true)
+                                ->orderBy('name')
+                                ->pluck('name', 'id')
+                                ->toArray())
+                            ->placeholder(__('Unlimited (no package)'))
+                            ->helperText(__('Assign a package to set resource limits.'))
+                            ->columnSpanFull(),
+
                         Toggle::make('create_linux_user')
                             ->label(__('Create Linux User'))
                             ->default(true)
@@ -138,68 +153,11 @@ class UserForm
                     ])
                     ->columns(4),
 
-                Section::make(__('Disk Quota'))
-                    ->schema([
-                        Placeholder::make('current_usage')
-                            ->label(__('Current Usage'))
-                            ->content(function ($record) {
-                                if (!$record) {
-                                    return __('N/A');
-                                }
-
-                                $used = $record->disk_usage_formatted;
-                                $quotaMb = $record->disk_quota_mb;
-
-                                if (!$quotaMb || $quotaMb <= 0) {
-                                    return "{$used} (" . __('Unlimited') . ")";
-                                }
-
-                                $quota = $quotaMb >= 1024
-                                    ? number_format($quotaMb / 1024, 1) . ' GB'
-                                    : $quotaMb . ' MB';
-                                $percent = $record->disk_usage_percent;
-
-                                return "{$used} / {$quota} ({$percent}%)";
-                            })
-                            ->visibleOn('edit'),
-
-                        Toggle::make('unlimited_quota')
-                            ->label(__('Unlimited Quota'))
-                            ->helperText(__('No disk space limit'))
-                            ->default(fn () => (int) DnsSetting::get('default_quota_mb', 5120) === 0)
-                            ->live()
-                            ->afterStateHydrated(function (Toggle $component, $state, $record) {
-                                if ($record) {
-                                    $component->state(!$record->disk_quota_mb || $record->disk_quota_mb <= 0);
-                                }
-                            })
-                            ->afterStateUpdated(function ($state, callable $set) {
-                                if ($state) {
-                                    $set('disk_quota_mb', 0);
-                                } else {
-                                    $set('disk_quota_mb', (int) DnsSetting::get('default_quota_mb', 5120));
-                                }
-                            })
-                            ->inline(false),
-
-                        TextInput::make('disk_quota_mb')
-                            ->label(__('Disk Quota'))
-                            ->numeric()
-                            ->minValue(1)
-                            ->default(fn () => (int) DnsSetting::get('default_quota_mb', 5120))
-                            ->helperText(fn ($state) => $state && $state > 0 ? number_format($state / 1024, 1) . ' GB' : null)
-                            ->suffix('MB')
-                            ->visible(fn ($get) => !$get('unlimited_quota'))
-                            ->required(fn ($get) => !$get('unlimited_quota')),
-                    ])
-                    ->description(fn () => !(bool) DnsSetting::get('quotas_enabled', false) ? __('Note: Quotas are currently disabled in Server Settings.') : null)
-                    ->columns(3),
-
                 Section::make(__('System Information'))
                     ->schema([
                         Placeholder::make('home_directory_display')
                             ->label(__('Home Directory'))
-                            ->content(fn ($record) => $record?->home_directory ?? '/home/' . __('username')),
+                            ->content(fn ($record) => $record?->home_directory ?? '/home/'.__('username')),
 
                         Placeholder::make('created_at_display')
                             ->label(__('Created'))
diff --git a/app/Filament/Admin/Resources/WebhookEndpoints/Pages/CreateWebhookEndpoint.php b/app/Filament/Admin/Resources/WebhookEndpoints/Pages/CreateWebhookEndpoint.php
new file mode 100644
index 0000000..8f4ae46
--- /dev/null
+++ b/app/Filament/Admin/Resources/WebhookEndpoints/Pages/CreateWebhookEndpoint.php
@@ -0,0 +1,13 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\WebhookEndpoints\Pages;
+
+use App\Filament\Admin\Resources\WebhookEndpoints\WebhookEndpointResource;
+use Filament\Resources\Pages\CreateRecord;
+
+class CreateWebhookEndpoint extends CreateRecord
+{
+    protected static string $resource = WebhookEndpointResource::class;
+}
diff --git a/app/Filament/Admin/Resources/WebhookEndpoints/Pages/EditWebhookEndpoint.php b/app/Filament/Admin/Resources/WebhookEndpoints/Pages/EditWebhookEndpoint.php
new file mode 100644
index 0000000..d2ce731
--- /dev/null
+++ b/app/Filament/Admin/Resources/WebhookEndpoints/Pages/EditWebhookEndpoint.php
@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\WebhookEndpoints\Pages;
+
+use App\Filament\Admin\Resources\WebhookEndpoints\WebhookEndpointResource;
+use Filament\Actions\DeleteAction;
+use Filament\Resources\Pages\EditRecord;
+
+class EditWebhookEndpoint extends EditRecord
+{
+    protected static string $resource = WebhookEndpointResource::class;
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            DeleteAction::make(),
+        ];
+    }
+}
diff --git a/app/Filament/Admin/Resources/WebhookEndpoints/Pages/ListWebhookEndpoints.php b/app/Filament/Admin/Resources/WebhookEndpoints/Pages/ListWebhookEndpoints.php
new file mode 100644
index 0000000..c0689f2
--- /dev/null
+++ b/app/Filament/Admin/Resources/WebhookEndpoints/Pages/ListWebhookEndpoints.php
@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\WebhookEndpoints\Pages;
+
+use App\Filament\Admin\Resources\WebhookEndpoints\WebhookEndpointResource;
+use Filament\Actions\CreateAction;
+use Filament\Resources\Pages\ListRecords;
+
+class ListWebhookEndpoints extends ListRecords
+{
+    protected static string $resource = WebhookEndpointResource::class;
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            CreateAction::make(),
+        ];
+    }
+}
diff --git a/app/Filament/Admin/Resources/WebhookEndpoints/Schemas/WebhookEndpointForm.php b/app/Filament/Admin/Resources/WebhookEndpoints/Schemas/WebhookEndpointForm.php
new file mode 100644
index 0000000..63704e1
--- /dev/null
+++ b/app/Filament/Admin/Resources/WebhookEndpoints/Schemas/WebhookEndpointForm.php
@@ -0,0 +1,53 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\WebhookEndpoints\Schemas;
+
+use Filament\Forms\Components\CheckboxList;
+use Filament\Forms\Components\TextInput;
+use Filament\Forms\Components\Toggle;
+use Filament\Schemas\Components\Section;
+use Filament\Schemas\Schema;
+use Illuminate\Support\Str;
+
+class WebhookEndpointForm
+{
+    public static function configure(Schema $schema): Schema
+    {
+        return $schema
+            ->columns(1)
+            ->components([
+                Section::make(__('Webhook Details'))
+                    ->schema([
+                        TextInput::make('name')
+                            ->label(__('Name'))
+                            ->required()
+                            ->maxLength(120),
+                        TextInput::make('url')
+                            ->label(__('URL'))
+                            ->url()
+                            ->required(),
+                        CheckboxList::make('events')
+                            ->label(__('Events'))
+                            ->options([
+                                'backup.completed' => __('Backup Completed'),
+                                'ssl.expiring' => __('SSL Expiring'),
+                                'migration.completed' => __('Migration Completed'),
+                                'user.suspended' => __('User Suspended'),
+                            ])
+                            ->columns(2),
+                        TextInput::make('secret_token')
+                            ->label(__('Secret Token'))
+                            ->helperText(__('Used to sign webhook payloads'))
+                            ->default(fn () => Str::random(32))
+                            ->password()
+                            ->revealable(),
+                        Toggle::make('is_active')
+                            ->label(__('Active'))
+                            ->default(true),
+                    ])
+                    ->columns(2),
+            ]);
+    }
+}
diff --git a/app/Filament/Admin/Resources/WebhookEndpoints/Tables/WebhookEndpointsTable.php b/app/Filament/Admin/Resources/WebhookEndpoints/Tables/WebhookEndpointsTable.php
new file mode 100644
index 0000000..14a64f4
--- /dev/null
+++ b/app/Filament/Admin/Resources/WebhookEndpoints/Tables/WebhookEndpointsTable.php
@@ -0,0 +1,100 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\WebhookEndpoints\Tables;
+
+use App\Models\WebhookEndpoint;
+use Filament\Actions\Action;
+use Filament\Actions\DeleteAction;
+use Filament\Actions\EditAction;
+use Filament\Notifications\Notification;
+use Filament\Tables\Columns\IconColumn;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Table;
+use Illuminate\Support\Facades\Http;
+use Illuminate\Support\Str;
+
+class WebhookEndpointsTable
+{
+    public static function configure(Table $table): Table
+    {
+        return $table
+            ->query(WebhookEndpoint::query())
+            ->columns([
+                TextColumn::make('name')
+                    ->label(__('Name'))
+                    ->searchable(),
+                TextColumn::make('url')
+                    ->label(__('URL'))
+                    ->limit(40)
+                    ->tooltip(fn (WebhookEndpoint $record) => $record->url),
+                TextColumn::make('events')
+                    ->label(__('Events'))
+                    ->formatStateUsing(function ($state): string {
+                        if (is_array($state)) {
+                            return implode(', ', $state);
+                        }
+
+                        return (string) $state;
+                    })
+                    ->wrap(),
+                IconColumn::make('is_active')
+                    ->label(__('Active'))
+                    ->boolean(),
+                TextColumn::make('last_triggered_at')
+                    ->label(__('Last Triggered'))
+                    ->since(),
+                TextColumn::make('last_response_code')
+                    ->label(__('Last Response')),
+            ])
+            ->recordActions([
+                Action::make('test')
+                    ->label(__('Test'))
+                    ->icon('heroicon-o-signal')
+                    ->color('info')
+                    ->action(function (WebhookEndpoint $record): void {
+                        $payload = [
+                            'event' => 'test',
+                            'timestamp' => now()->toIso8601String(),
+                            'request_id' => Str::uuid()->toString(),
+                        ];
+
+                        $headers = [];
+                        if (! empty($record->secret_token)) {
+                            $signature = hash_hmac('sha256', json_encode($payload), $record->secret_token);
+                            $headers['X-Jabali-Signature'] = $signature;
+                        }
+
+                        try {
+                            $response = Http::withHeaders($headers)->post($record->url, $payload);
+                            $record->update([
+                                'last_response_code' => $response->status(),
+                                'last_triggered_at' => now(),
+                            ]);
+
+                            Notification::make()
+                                ->title(__('Webhook delivered'))
+                                ->body(__('Status: :status', ['status' => $response->status()]))
+                                ->success()
+                                ->send();
+                        } catch (\Exception $e) {
+                            $record->update([
+                                'last_response_code' => null,
+                                'last_triggered_at' => now(),
+                            ]);
+
+                            Notification::make()
+                                ->title(__('Webhook failed'))
+                                ->body($e->getMessage())
+                                ->danger()
+                                ->send();
+                        }
+                    }),
+                EditAction::make(),
+                DeleteAction::make(),
+            ])
+            ->emptyStateHeading(__('No webhooks configured'))
+            ->emptyStateDescription(__('Add a webhook to receive system notifications.'));
+    }
+}
diff --git a/app/Filament/Admin/Resources/WebhookEndpoints/WebhookEndpointResource.php b/app/Filament/Admin/Resources/WebhookEndpoints/WebhookEndpointResource.php
new file mode 100644
index 0000000..ef62513
--- /dev/null
+++ b/app/Filament/Admin/Resources/WebhookEndpoints/WebhookEndpointResource.php
@@ -0,0 +1,60 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Resources\WebhookEndpoints;
+
+use App\Filament\Admin\Resources\WebhookEndpoints\Pages\CreateWebhookEndpoint;
+use App\Filament\Admin\Resources\WebhookEndpoints\Pages\EditWebhookEndpoint;
+use App\Filament\Admin\Resources\WebhookEndpoints\Pages\ListWebhookEndpoints;
+use App\Filament\Admin\Resources\WebhookEndpoints\Schemas\WebhookEndpointForm;
+use App\Filament\Admin\Resources\WebhookEndpoints\Tables\WebhookEndpointsTable;
+use App\Models\WebhookEndpoint;
+use BackedEnum;
+use Filament\Resources\Resource;
+use Filament\Schemas\Schema;
+use Filament\Support\Icons\Heroicon;
+use Filament\Tables\Table;
+
+class WebhookEndpointResource extends Resource
+{
+    protected static ?string $model = WebhookEndpoint::class;
+
+    protected static string|BackedEnum|null $navigationIcon = Heroicon::OutlinedBellAlert;
+
+    protected static ?int $navigationSort = 18;
+
+    public static function getNavigationLabel(): string
+    {
+        return __('Webhook Notifications');
+    }
+
+    public static function getModelLabel(): string
+    {
+        return __('Webhook');
+    }
+
+    public static function getPluralModelLabel(): string
+    {
+        return __('Webhooks');
+    }
+
+    public static function form(Schema $schema): Schema
+    {
+        return WebhookEndpointForm::configure($schema);
+    }
+
+    public static function table(Table $table): Table
+    {
+        return WebhookEndpointsTable::configure($table);
+    }
+
+    public static function getPages(): array
+    {
+        return [
+            'index' => ListWebhookEndpoints::route('/'),
+            'create' => CreateWebhookEndpoint::route('/create'),
+            'edit' => EditWebhookEndpoint::route('/{record}/edit'),
+        ];
+    }
+}
diff --git a/app/Filament/Admin/Widgets/Security/Fail2banLogsTable.php b/app/Filament/Admin/Widgets/Security/Fail2banLogsTable.php
new file mode 100644
index 0000000..b341aa8
--- /dev/null
+++ b/app/Filament/Admin/Widgets/Security/Fail2banLogsTable.php
@@ -0,0 +1,70 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Admin\Widgets\Security;
+
+use Filament\Actions\Concerns\InteractsWithActions;
+use Filament\Actions\Contracts\HasActions;
+use Filament\Schemas\Concerns\InteractsWithSchemas;
+use Filament\Schemas\Contracts\HasSchemas;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Concerns\InteractsWithTable;
+use Filament\Tables\Contracts\HasTable;
+use Filament\Tables\Table;
+use Livewire\Component;
+
+class Fail2banLogsTable extends Component implements HasActions, HasSchemas, HasTable
+{
+    use InteractsWithActions;
+    use InteractsWithSchemas;
+    use InteractsWithTable;
+
+    public array $logs = [];
+
+    public function makeFilamentTranslatableContentDriver(): ?\Filament\Support\Contracts\TranslatableContentDriver
+    {
+        return null;
+    }
+
+    public function table(Table $table): Table
+    {
+        return $table
+            ->records(fn () => $this->logs)
+            ->columns([
+                TextColumn::make('time')
+                    ->label(__('Time'))
+                    ->fontFamily('mono')
+                    ->sortable(),
+                TextColumn::make('jail')
+                    ->label(__('Jail'))
+                    ->badge()
+                    ->color('gray'),
+                TextColumn::make('action')
+                    ->label(__('Action'))
+                    ->badge()
+                    ->color(fn (string $state): string => match (strtolower($state)) {
+                        'ban' => 'danger',
+                        'unban' => 'success',
+                        'found' => 'warning',
+                        default => 'gray',
+                    }),
+                TextColumn::make('ip')
+                    ->label(__('IP'))
+                    ->fontFamily('mono')
+                    ->copyable()
+                    ->placeholder('-'),
+                TextColumn::make('message')
+                    ->label(__('Message'))
+                    ->wrap(),
+            ])
+            ->emptyStateHeading(__('No log entries'))
+            ->emptyStateDescription(__('Fail2ban logs will appear here once activity is detected.'))
+            ->striped();
+    }
+
+    public function render()
+    {
+        return $this->getTable()->render();
+    }
+}
diff --git a/app/Filament/Jabali/Pages/CdnIntegration.php b/app/Filament/Jabali/Pages/CdnIntegration.php
new file mode 100644
index 0000000..acc6ebb
--- /dev/null
+++ b/app/Filament/Jabali/Pages/CdnIntegration.php
@@ -0,0 +1,171 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Jabali\Pages;
+
+use App\Filament\Concerns\HasPageTour;
+use App\Models\CloudflareZone;
+use App\Models\Domain;
+use BackedEnum;
+use Exception;
+use Filament\Actions\Action;
+use Filament\Actions\Concerns\InteractsWithActions;
+use Filament\Actions\Contracts\HasActions;
+use Filament\Forms\Components\TextInput;
+use Filament\Notifications\Notification;
+use Filament\Pages\Page;
+use Filament\Tables\Columns\IconColumn;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Concerns\InteractsWithTable;
+use Filament\Tables\Contracts\HasTable;
+use Filament\Tables\Table;
+use Illuminate\Contracts\Support\Htmlable;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Http;
+
+class CdnIntegration extends Page implements HasActions, HasTable
+{
+    use HasPageTour;
+    use InteractsWithActions;
+    use InteractsWithTable;
+
+    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-cloud';
+
+    protected static ?int $navigationSort = 20;
+
+    protected static ?string $slug = 'cdn-integration';
+
+    protected string $view = 'filament.jabali.pages.cdn-integration';
+
+    public function getTitle(): string|Htmlable
+    {
+        return __('CDN Integration');
+    }
+
+    public static function getNavigationLabel(): string
+    {
+        return __('CDN Integration');
+    }
+
+    public function table(Table $table): Table
+    {
+        return $table
+            ->query(Domain::query()->where('user_id', Auth::id()))
+            ->columns([
+                TextColumn::make('domain')
+                    ->label(__('Domain'))
+                    ->searchable()
+                    ->sortable(),
+                IconColumn::make('cloudflare')
+                    ->label(__('Cloudflare'))
+                    ->boolean()
+                    ->state(fn (Domain $record) => $this->getZone($record) !== null)
+                    ->trueColor('success')
+                    ->falseColor('gray'),
+            ])
+            ->recordActions([
+                Action::make('connect')
+                    ->label(__('Connect'))
+                    ->icon('heroicon-o-link')
+                    ->color('primary')
+                    ->visible(fn (Domain $record) => $this->getZone($record) === null)
+                    ->form([
+                        TextInput::make('api_token')
+                            ->label(__('Cloudflare API Token'))
+                            ->password()
+                            ->revealable()
+                            ->required(),
+                    ])
+                    ->action(function (Domain $record, array $data): void {
+                        $token = $data['api_token'];
+                        try {
+                            $zone = $this->fetchCloudflareZone($record->domain, $token);
+                            CloudflareZone::updateOrCreate(
+                                [
+                                    'user_id' => Auth::id(),
+                                    'domain_id' => $record->id,
+                                ],
+                                [
+                                    'zone_id' => $zone['id'],
+                                    'account_id' => $zone['account']['id'] ?? null,
+                                    'api_token' => $token,
+                                ]
+                            );
+
+                            Notification::make()->title(__('Cloudflare connected'))->success()->send();
+                        } catch (Exception $e) {
+                            Notification::make()->title(__('Connection failed'))->body($e->getMessage())->danger()->send();
+                        }
+                    }),
+                Action::make('purge')
+                    ->label(__('Purge Cache'))
+                    ->icon('heroicon-o-arrow-path')
+                    ->color('warning')
+                    ->visible(fn (Domain $record) => $this->getZone($record) !== null)
+                    ->requiresConfirmation()
+                    ->action(function (Domain $record): void {
+                        $zone = $this->getZone($record);
+                        if (! $zone) {
+                            return;
+                        }
+
+                        try {
+                            $response = Http::withToken($zone->api_token)
+                                ->post("https://api.cloudflare.com/client/v4/zones/{$zone->zone_id}/purge_cache", [
+                                    'purge_everything' => true,
+                                ]);
+
+                            if (! ($response->json('success') ?? false)) {
+                                throw new Exception($response->json('errors.0.message') ?? 'Cloudflare request failed');
+                            }
+
+                            Notification::make()->title(__('Cache purged'))->success()->send();
+                        } catch (Exception $e) {
+                            Notification::make()->title(__('Purge failed'))->body($e->getMessage())->danger()->send();
+                        }
+                    }),
+                Action::make('disconnect')
+                    ->label(__('Disconnect'))
+                    ->icon('heroicon-o-x-mark')
+                    ->color('gray')
+                    ->visible(fn (Domain $record) => $this->getZone($record) !== null)
+                    ->requiresConfirmation()
+                    ->action(function (Domain $record): void {
+                        $zone = $this->getZone($record);
+                        if ($zone) {
+                            $zone->delete();
+                        }
+                        Notification::make()->title(__('Cloudflare disconnected'))->success()->send();
+                    }),
+            ])
+            ->emptyStateHeading(__('No domains found'))
+            ->emptyStateDescription(__('Add a domain before connecting to a CDN'));
+    }
+
+    protected function getZone(Domain $record): ?CloudflareZone
+    {
+        return CloudflareZone::query()
+            ->where('user_id', Auth::id())
+            ->where('domain_id', $record->id)
+            ->first();
+    }
+
+    protected function fetchCloudflareZone(string $domain, string $token): array
+    {
+        $response = Http::withToken($token)->get('https://api.cloudflare.com/client/v4/zones', [
+            'name' => $domain,
+        ]);
+
+        if (! ($response->json('success') ?? false)) {
+            throw new Exception($response->json('errors.0.message') ?? 'Cloudflare request failed');
+        }
+
+        $zone = $response->json('result.0');
+        if (! $zone) {
+            throw new Exception(__('Zone not found for :domain', ['domain' => $domain]));
+        }
+
+        return $zone;
+    }
+}
diff --git a/app/Filament/Jabali/Pages/Databases.php b/app/Filament/Jabali/Pages/Databases.php
index 474c5fa..d5406c9 100644
--- a/app/Filament/Jabali/Pages/Databases.php
+++ b/app/Filament/Jabali/Pages/Databases.php
@@ -452,6 +452,17 @@ class Databases extends Page implements HasActions, HasForms, HasTable
                     ->helperText(__('This name will be used for both the database and user')),
             ])
             ->action(function (array $data): void {
+                $limit = Auth::user()?->hostingPackage?->databases_limit;
+                if ($limit && count($this->databases) >= $limit) {
+                    Notification::make()
+                        ->title(__('Database limit reached'))
+                        ->body(__('Your hosting package allows up to :limit databases.', ['limit' => $limit]))
+                        ->warning()
+                        ->send();
+
+                    return;
+                }
+
                 $name = $this->getUsername().'_'.$data['name'];
                 $password = $this->generateSecurePassword();
 
@@ -513,6 +524,17 @@ class Databases extends Page implements HasActions, HasForms, HasTable
                     ->helperText(__('Only alphanumeric characters allowed')),
             ])
             ->action(function (array $data): void {
+                $limit = Auth::user()?->hostingPackage?->databases_limit;
+                if ($limit && count($this->databases) >= $limit) {
+                    Notification::make()
+                        ->title(__('Database limit reached'))
+                        ->body(__('Your hosting package allows up to :limit databases.', ['limit' => $limit]))
+                        ->warning()
+                        ->send();
+
+                    return;
+                }
+
                 $name = $this->getUsername().'_'.$data['name'];
                 try {
                     $this->getAgent()->mysqlCreateDatabase($this->getUsername(), $name);
diff --git a/app/Filament/Jabali/Pages/Domains.php b/app/Filament/Jabali/Pages/Domains.php
index 8504df1..1dfb881 100644
--- a/app/Filament/Jabali/Pages/Domains.php
+++ b/app/Filament/Jabali/Pages/Domains.php
@@ -6,6 +6,7 @@ namespace App\Filament\Jabali\Pages;
 
 use App\Filament\Concerns\HasPageTour;
 use App\Models\Domain;
+use App\Models\DomainAlias;
 use App\Models\DomainHotlinkSetting;
 use App\Models\DomainRedirect;
 use App\Services\Agent\AgentClient;
@@ -35,12 +36,12 @@ use Filament\Tables\Table;
 use Illuminate\Contracts\Support\Htmlable;
 use Illuminate\Support\Facades\Auth;
 
-class Domains extends Page implements HasForms, HasActions, HasTable
+class Domains extends Page implements HasActions, HasForms, HasTable
 {
-    use InteractsWithForms;
-    use InteractsWithActions;
-    use InteractsWithTable;
     use HasPageTour;
+    use InteractsWithActions;
+    use InteractsWithForms;
+    use InteractsWithTable;
 
     protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-globe-alt';
 
@@ -63,8 +64,9 @@ class Domains extends Page implements HasForms, HasActions, HasTable
     public function getAgent(): AgentClient
     {
         if ($this->agent === null) {
-            $this->agent = new AgentClient();
+            $this->agent = new AgentClient;
         }
+
         return $this->agent;
     }
 
@@ -83,7 +85,7 @@ class Domains extends Page implements HasForms, HasActions, HasTable
                     ->icon('heroicon-o-globe-alt')
                     ->iconColor('primary')
                     ->description(fn (Domain $record) => $record->document_root)
-                    ->url(fn (Domain $record) => 'http://' . $record->domain, shouldOpenInNewTab: true)
+                    ->url(fn (Domain $record) => 'http://'.$record->domain, shouldOpenInNewTab: true)
                     ->searchable()
                     ->sortable(),
                 IconColumn::make('is_active')
@@ -136,6 +138,28 @@ class Domains extends Page implements HasForms, HasActions, HasTable
                         ->form(fn (Domain $record) => $this->getRedirectsForm($record))
                         ->fillForm(fn (Domain $record) => $this->getRedirectsFormData($record))
                         ->action(fn (Domain $record, array $data) => $this->saveRedirects($record, $data)),
+                    Action::make('aliases')
+                        ->label(__('Aliases'))
+                        ->icon('heroicon-o-link')
+                        ->color('info')
+                        ->modalHeading(fn (Domain $record) => __('Aliases for :domain', ['domain' => $record->domain]))
+                        ->modalDescription(__('Point additional domains to the same website content.'))
+                        ->modalWidth(Width::Large)
+                        ->modalSubmitActionLabel(__('Save Aliases'))
+                        ->form(fn (Domain $record) => $this->getAliasesForm($record))
+                        ->fillForm(fn (Domain $record) => $this->getAliasesFormData($record))
+                        ->action(fn (Domain $record, array $data) => $this->saveAliases($record, $data)),
+                    Action::make('errorPages')
+                        ->label(__('Error Pages'))
+                        ->icon('heroicon-o-document-text')
+                        ->color('gray')
+                        ->modalHeading(fn (Domain $record) => __('Custom Error Pages for :domain', ['domain' => $record->domain]))
+                        ->modalDescription(__('Customize the 404, 500 and 503 pages shown to visitors.'))
+                        ->modalWidth(Width::TwoExtraLarge)
+                        ->modalSubmitActionLabel(__('Save Error Pages'))
+                        ->form(fn (Domain $record) => $this->getErrorPagesForm())
+                        ->fillForm(fn (Domain $record) => $this->getErrorPagesFormData($record))
+                        ->action(fn (Domain $record, array $data) => $this->saveErrorPages($record, $data)),
                     Action::make('hotlink')
                         ->label(__('Hotlink Protection'))
                         ->icon('heroicon-o-shield-check')
@@ -172,7 +196,7 @@ class Domains extends Page implements HasForms, HasActions, HasTable
                     ->color('danger')
                     ->requiresConfirmation()
                     ->modalHeading(__('Delete Domain'))
-                    ->modalDescription(fn (Domain $record) => __('Are you sure you want to delete') . " '{$record->domain}'? " . __('This will also delete the following associated data:'))
+                    ->modalDescription(fn (Domain $record) => __('Are you sure you want to delete')." '{$record->domain}'? ".__('This will also delete the following associated data:'))
                     ->modalIcon('heroicon-o-trash')
                     ->modalIconColor('danger')
                     ->modalSubmitActionLabel(__('Delete Domain'))
@@ -183,12 +207,12 @@ class Domains extends Page implements HasForms, HasActions, HasTable
                             ->helperText(__('Permanently delete all files in the domain folder'))
                             ->default(true),
                         Toggle::make('delete_dns')
-                            ->label(__('Delete DNS records') . ' (' . $record->dnsRecords()->count() . ')')
+                            ->label(__('Delete DNS records').' ('.$record->dnsRecords()->count().')')
                             ->helperText(__('Remove all DNS records for this domain'))
                             ->default(true)
                             ->visible(fn () => $record->dnsRecords()->exists()),
                         Toggle::make('delete_email')
-                            ->label(__('Delete email accounts') . ' (' . ($record->emailDomain?->mailboxes()->count() ?? 0) . ')')
+                            ->label(__('Delete email accounts').' ('.($record->emailDomain?->mailboxes()->count() ?? 0).')')
                             ->helperText(__('Remove all mailboxes and email configuration'))
                             ->default(true)
                             ->visible(fn () => $record->emailDomain()->exists()),
@@ -287,13 +311,13 @@ class Domains extends Page implements HasForms, HasActions, HasTable
                         ])
                         ->columns(['default' => 2, 'sm' => 3]),
                 ])
-                ->itemLabel(fn (array $state): ?string => ($state['source_path'] ?? '') . ' → ' . ($state['redirect_type'] ?? '301'))
+                ->itemLabel(fn (array $state): ?string => ($state['source_path'] ?? '').' → '.($state['redirect_type'] ?? '301'))
                 ->collapsible()
                 ->collapsed(fn () => $record->redirects()->count() > 3)
                 ->addActionLabel(__('Add Page Redirect'))
                 ->reorderable()
                 ->defaultItems(0)
-                ->visible(fn ($get) => !$get('domain_redirect_enabled')),
+                ->visible(fn ($get) => ! $get('domain_redirect_enabled')),
         ];
     }
 
@@ -370,7 +394,7 @@ class Domains extends Page implements HasForms, HasActions, HasTable
     protected function getHotlinkFormData(Domain $record): array
     {
         $setting = $record->hotlinkSetting;
-        if (!$setting) {
+        if (! $setting) {
             return [
                 'is_enabled' => false,
                 'allowed_domains' => '',
@@ -379,6 +403,7 @@ class Domains extends Page implements HasForms, HasActions, HasTable
                 'redirect_url' => '',
             ];
         }
+
         return [
             'is_enabled' => $setting->is_enabled,
             'allowed_domains' => $setting->allowed_domains,
@@ -435,13 +460,25 @@ class Domains extends Page implements HasForms, HasActions, HasTable
             ])
             ->action(function (array $data): void {
                 try {
+                    $user = Auth::user();
+                    $limit = $user?->hostingPackage?->domains_limit;
+                    if ($limit && Domain::where('user_id', $user->id)->count() >= $limit) {
+                        Notification::make()
+                            ->title(__('Domain limit reached'))
+                            ->body(__('Your hosting package allows up to :limit domains.', ['limit' => $limit]))
+                            ->warning()
+                            ->send();
+
+                        return;
+                    }
+
                     $result = $this->getAgent()->domainCreate($this->getUsername(), $data['domain']);
 
                     if ($result['success'] ?? false) {
                         Domain::create([
                             'user_id' => Auth::id(),
                             'domain' => $data['domain'],
-                            'document_root' => '/home/' . $this->getUsername() . '/domains/' . $data['domain'] . '/public_html',
+                            'document_root' => '/home/'.$this->getUsername().'/domains/'.$data['domain'].'/public_html',
                             'is_active' => true,
                             'ssl_enabled' => false,
                             'directory_index' => 'index.php index.html',
@@ -495,7 +532,7 @@ class Domains extends Page implements HasForms, HasActions, HasTable
                 $redirectsData = $data['redirects'] ?? [];
 
                 foreach ($redirectsData as $redirectData) {
-                    if (!empty($redirectData['id'])) {
+                    if (! empty($redirectData['id'])) {
                         $redirect = DomainRedirect::find($redirectData['id']);
                         if ($redirect && $redirect->domain_id === $domain->id) {
                             $redirect->update([
@@ -520,7 +557,7 @@ class Domains extends Page implements HasForms, HasActions, HasTable
                 }
 
                 // Delete removed page redirects (but not domain-wide ones which we already handled)
-                if (!empty($existingIds)) {
+                if (! empty($existingIds)) {
                     $domain->redirects()
                         ->whereNotIn('id', $existingIds)
                         ->whereNotIn('source_path', ['/*', '*', '/'])
@@ -565,7 +602,7 @@ class Domains extends Page implements HasForms, HasActions, HasTable
     {
         try {
             $setting = $domain->hotlinkSetting;
-            if (!$setting) {
+            if (! $setting) {
                 $setting = new DomainHotlinkSetting(['domain_id' => $domain->id]);
             }
 
@@ -632,7 +669,7 @@ class Domains extends Page implements HasForms, HasActions, HasTable
     public function toggleDomain(Domain $domain): void
     {
         try {
-            $newStatus = !$domain->is_active;
+            $newStatus = ! $domain->is_active;
             $result = $this->getAgent()->domainToggle($this->getUsername(), $domain->domain, $newStatus);
 
             if ($result['success'] ?? false) {
@@ -640,7 +677,7 @@ class Domains extends Page implements HasForms, HasActions, HasTable
 
                 $status = $newStatus ? __('Enabled') : __('Disabled');
                 Notification::make()
-                    ->title(__('Domain') . " {$status}")
+                    ->title(__('Domain')." {$status}")
                     ->success()
                     ->send();
             } else {
@@ -680,7 +717,7 @@ class Domains extends Page implements HasForms, HasActions, HasTable
                         }
                     }
                 } catch (Exception $e) {
-                    $errors[] = __('WordPress: ') . $e->getMessage();
+                    $errors[] = __('WordPress: ').$e->getMessage();
                 }
             }
 
@@ -695,7 +732,7 @@ class Domains extends Page implements HasForms, HasActions, HasTable
                         $domain->sslCertificate->delete();
                         $deletedItems[] = __('SSL certificate');
                     } catch (Exception $e) {
-                        $errors[] = __('SSL: ') . $e->getMessage();
+                        $errors[] = __('SSL: ').$e->getMessage();
                     }
                 }
             }
@@ -722,7 +759,7 @@ class Domains extends Page implements HasForms, HasActions, HasTable
                         $domain->emailDomain->delete();
                         $deletedItems[] = __(':count email account(s)', ['count' => $mailboxCount]);
                     } catch (Exception $e) {
-                        $errors[] = __('Email: ') . $e->getMessage();
+                        $errors[] = __('Email: ').$e->getMessage();
                     }
                 }
             }
@@ -739,7 +776,7 @@ class Domains extends Page implements HasForms, HasActions, HasTable
                         $deletedItems[] = __(':count DNS record(s)', ['count' => $dnsCount]);
                     }
                 } catch (Exception $e) {
-                    $errors[] = __('DNS: ') . $e->getMessage();
+                    $errors[] = __('DNS: ').$e->getMessage();
                 }
             }
 
@@ -758,8 +795,8 @@ class Domains extends Page implements HasForms, HasActions, HasTable
                 $domain->delete();
 
                 $message = __('Domain deleted successfully.');
-                if (!empty($deletedItems)) {
-                    $message .= ' ' . __('Also deleted: ') . implode(', ', $deletedItems);
+                if (! empty($deletedItems)) {
+                    $message .= ' '.__('Also deleted: ').implode(', ', $deletedItems);
                 }
 
                 Notification::make()
@@ -768,7 +805,7 @@ class Domains extends Page implements HasForms, HasActions, HasTable
                     ->success()
                     ->send();
 
-                if (!empty($errors)) {
+                if (! empty($errors)) {
                     Notification::make()
                         ->title(__('Some items had warnings'))
                         ->body(implode("\n", $errors))
@@ -789,7 +826,181 @@ class Domains extends Page implements HasForms, HasActions, HasTable
 
     public function openFileManager(Domain $domain): void
     {
-        $path = str_replace('/home/' . $this->getUsername() . '/', '', $domain->document_root);
+        $path = str_replace('/home/'.$this->getUsername().'/', '', $domain->document_root);
         $this->redirect(route('filament.jabali.pages.files', ['path' => $path]));
     }
+
+    protected function getAliasesForm(Domain $record): array
+    {
+        return [
+            Repeater::make('aliases')
+                ->label(__('Domain Aliases'))
+                ->schema([
+                    TextInput::make('alias')
+                        ->label(__('Alias Domain'))
+                        ->placeholder('alias-example.com')
+                        ->required()
+                        ->rule('regex:/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*\\.[a-z]{2,}$/')
+                        ->helperText(__('Enter a full domain name.')),
+                ])
+                ->addActionLabel(__('Add Alias'))
+                ->columns(1)
+                ->defaultItems(0),
+        ];
+    }
+
+    protected function getAliasesFormData(Domain $record): array
+    {
+        return [
+            'aliases' => $record->aliases()
+                ->orderBy('alias')
+                ->get()
+                ->map(fn (DomainAlias $alias) => ['alias' => $alias->alias])
+                ->toArray(),
+        ];
+    }
+
+    protected function saveAliases(Domain $record, array $data): void
+    {
+        $aliases = collect($data['aliases'] ?? [])
+            ->pluck('alias')
+            ->map(fn ($alias) => strtolower(trim((string) $alias)))
+            ->filter()
+            ->unique()
+            ->values();
+
+        $existing = $record->aliases()->pluck('alias')->map(fn ($alias) => strtolower($alias));
+
+        $toAdd = $aliases->diff($existing);
+        $toRemove = $existing->diff($aliases);
+
+        $errors = [];
+
+        foreach ($toAdd as $alias) {
+            try {
+                $result = $this->getAgent()->domainAliasAdd($this->getUsername(), $record->domain, $alias);
+                if (! ($result['success'] ?? false)) {
+                    throw new Exception($result['error'] ?? 'Failed to add alias');
+                }
+                DomainAlias::firstOrCreate([
+                    'domain_id' => $record->id,
+                    'alias' => $alias,
+                ]);
+            } catch (Exception $e) {
+                $errors[] = $alias.': '.$e->getMessage();
+            }
+        }
+
+        foreach ($toRemove as $alias) {
+            try {
+                $result = $this->getAgent()->domainAliasRemove($this->getUsername(), $record->domain, $alias);
+                if (! ($result['success'] ?? false)) {
+                    throw new Exception($result['error'] ?? 'Failed to remove alias');
+                }
+                $record->aliases()->where('alias', $alias)->delete();
+            } catch (Exception $e) {
+                $errors[] = $alias.': '.$e->getMessage();
+            }
+        }
+
+        if (! empty($errors)) {
+            Notification::make()
+                ->title(__('Some aliases failed'))
+                ->body(implode("\n", $errors))
+                ->warning()
+                ->send();
+
+            return;
+        }
+
+        Notification::make()
+            ->title(__('Aliases updated'))
+            ->success()
+            ->send();
+    }
+
+    protected function getErrorPagesForm(): array
+    {
+        return [
+            Textarea::make('page_404')
+                ->label(__('404 Page (Not Found)'))
+                ->rows(6)
+                ->placeholder(__('HTML content for your 404 page')),
+            Textarea::make('page_500')
+                ->label(__('500 Page (Server Error)'))
+                ->rows(6)
+                ->placeholder(__('HTML content for your 500 page')),
+            Textarea::make('page_503')
+                ->label(__('503 Page (Maintenance)'))
+                ->rows(6)
+                ->placeholder(__('HTML content for your 503 page')),
+        ];
+    }
+
+    protected function getErrorPagesFormData(Domain $record): array
+    {
+        return [
+            'page_404' => $this->readErrorPageContent($record, '404.html'),
+            'page_500' => $this->readErrorPageContent($record, '500.html'),
+            'page_503' => $this->readErrorPageContent($record, '503.html'),
+        ];
+    }
+
+    protected function saveErrorPages(Domain $record, array $data): void
+    {
+        try {
+            $result = $this->getAgent()->domainEnsureErrorPages($this->getUsername(), $record->domain);
+            if (! ($result['success'] ?? false)) {
+                throw new Exception($result['error'] ?? 'Failed to enable error pages');
+            }
+
+            foreach (['404' => 'page_404', '500' => 'page_500', '503' => 'page_503'] as $code => $key) {
+                $content = trim((string) ($data[$key] ?? ''));
+                $path = $this->getErrorPagePath($record, "{$code}.html");
+
+                if ($content === '') {
+                    try {
+                        $this->getAgent()->fileDelete($this->getUsername(), $path);
+                    } catch (Exception) {
+                        // Ignore missing file
+                    }
+
+                    continue;
+                }
+
+                $this->getAgent()->fileWrite($this->getUsername(), $path, $content);
+            }
+
+            Notification::make()
+                ->title(__('Error pages updated'))
+                ->success()
+                ->send();
+        } catch (Exception $e) {
+            Notification::make()
+                ->title(__('Failed to update error pages'))
+                ->body($e->getMessage())
+                ->danger()
+                ->send();
+        }
+    }
+
+    protected function readErrorPageContent(Domain $record, string $filename): string
+    {
+        $path = $this->getErrorPagePath($record, $filename);
+        try {
+            $result = $this->getAgent()->fileRead($this->getUsername(), $path);
+            if ($result['success'] ?? false) {
+                return (string) base64_decode($result['content'] ?? '');
+            }
+        } catch (Exception) {
+            // ignore
+        }
+
+        return '';
+    }
+
+    protected function getErrorPagePath(Domain $record, string $filename): string
+    {
+        return "domains/{$record->domain}/public_html/{$filename}";
+    }
 }
diff --git a/app/Filament/Jabali/Pages/Email.php b/app/Filament/Jabali/Pages/Email.php
index 6fa5a36..c128cd9 100644
--- a/app/Filament/Jabali/Pages/Email.php
+++ b/app/Filament/Jabali/Pages/Email.php
@@ -11,7 +11,9 @@ use App\Models\Domain;
 use App\Models\EmailDomain;
 use App\Models\EmailForwarder;
 use App\Models\Mailbox;
+use App\Models\UserSetting;
 use App\Services\Agent\AgentClient;
+use App\Services\System\MailRoutingSyncService;
 use BackedEnum;
 use Exception;
 use Filament\Actions\Action;
@@ -65,6 +67,8 @@ class Email extends Page implements HasActions, HasForms, HasTable
 
     public string $credPassword = '';
 
+    public array $spamFormData = [];
+
     protected ?AgentClient $agent = null;
 
     public function getTitle(): string|Htmlable
@@ -76,11 +80,18 @@ class Email extends Page implements HasActions, HasForms, HasTable
     {
         // Normalize the tab value from URL
         $this->activeTab = $this->normalizeTabName($this->activeTab);
+
+        if ($this->activeTab === 'spam') {
+            $this->loadSpamSettings();
+        }
     }
 
     public function updatedActiveTab(): void
     {
         $this->activeTab = $this->normalizeTabName($this->activeTab);
+        if ($this->activeTab === 'spam') {
+            $this->loadSpamSettings();
+        }
         $this->resetTable();
     }
 
@@ -99,6 +110,7 @@ class Email extends Page implements HasActions, HasForms, HasTable
             'autoresponders', 'Autoresponders' => 'autoresponders',
             'catchall', 'catch-all', 'Catch-All' => 'catchall',
             'logs', 'Logs' => 'logs',
+            'spam', 'Spam' => 'spam',
             default => 'mailboxes',
         };
     }
@@ -111,13 +123,14 @@ class Email extends Page implements HasActions, HasForms, HasTable
             'autoresponders' => 3,
             'catchall' => 4,
             'logs' => 5,
+            'spam' => 6,
             default => 1,
         };
     }
 
     protected function getForms(): array
     {
-        return ['emailForm'];
+        return ['emailForm', 'spamForm'];
     }
 
     public function emailForm(Schema $schema): Schema
@@ -127,9 +140,37 @@ class Email extends Page implements HasActions, HasForms, HasTable
         ]);
     }
 
+    public function spamForm(Schema $schema): Schema
+    {
+        return $schema
+            ->statePath('spamFormData')
+            ->schema([
+                Section::make(__('Spam Settings'))
+                    ->schema([
+                        Textarea::make('whitelist')
+                            ->label(__('Whitelist (one per line)'))
+                            ->rows(6)
+                            ->placeholder("friend@example.com\ntrusted.com"),
+                        Textarea::make('blacklist')
+                            ->label(__('Blacklist (one per line)'))
+                            ->rows(6)
+                            ->placeholder("spam@example.com\nbad-domain.com"),
+                        TextInput::make('score')
+                            ->label(__('Spam Score Threshold'))
+                            ->numeric()
+                            ->default(6.0)
+                            ->helperText(__('Lower values are stricter, higher values are more permissive.')),
+                    ])
+                    ->columns(2),
+            ]);
+    }
+
     public function setTab(string $tab): void
     {
         $this->activeTab = $this->normalizeTabName($tab);
+        if ($this->activeTab === 'spam') {
+            $this->loadSpamSettings();
+        }
         $this->resetTable();
     }
 
@@ -170,6 +211,60 @@ class Email extends Page implements HasActions, HasForms, HasTable
         return str_shuffle($password);
     }
 
+    protected function loadSpamSettings(): void
+    {
+        $settings = UserSetting::getForUser(Auth::id(), 'spam_settings', [
+            'whitelist' => [],
+            'blacklist' => [],
+            'score' => 6.0,
+        ]);
+
+        $this->spamFormData = [
+            'whitelist' => implode("\n", $settings['whitelist'] ?? []),
+            'blacklist' => implode("\n", $settings['blacklist'] ?? []),
+            'score' => $settings['score'] ?? 6.0,
+        ];
+    }
+
+    public function saveSpamSettings(): void
+    {
+        $data = $this->spamForm->getState();
+        $whitelist = $this->linesToArray($data['whitelist'] ?? '');
+        $blacklist = $this->linesToArray($data['blacklist'] ?? '');
+        $score = isset($data['score']) && $data['score'] !== '' ? (float) $data['score'] : null;
+
+        UserSetting::setForUser(Auth::id(), 'spam_settings', [
+            'whitelist' => $whitelist,
+            'blacklist' => $blacklist,
+            'score' => $score,
+        ]);
+
+        $result = $this->getAgent()->rspamdUserSettings($this->getUsername(), $whitelist, $blacklist, $score);
+        if (! ($result['success'] ?? false)) {
+            Notification::make()
+                ->title(__('Failed to update spam settings'))
+                ->body($result['error'] ?? '')
+                ->danger()
+                ->send();
+
+            return;
+        }
+
+        Notification::make()
+            ->title(__('Spam settings updated'))
+            ->success()
+            ->send();
+    }
+
+    protected function linesToArray(string $value): array
+    {
+        return collect(preg_split('/\\r\\n|\\r|\\n/', $value))
+            ->map(fn ($line) => trim((string) $line))
+            ->filter()
+            ->values()
+            ->toArray();
+    }
+
     public function table(Table $table): Table
     {
         return match ($this->activeTab) {
@@ -178,6 +273,7 @@ class Email extends Page implements HasActions, HasForms, HasTable
             'autoresponders' => $this->autorespondersTable($table),
             'catchall' => $this->catchAllTable($table),
             'logs' => $this->emailLogsTable($table),
+            'spam' => $this->mailboxesTable($table),
             default => $this->mailboxesTable($table),
         };
     }
@@ -778,6 +874,8 @@ class Email extends Page implements HasActions, HasForms, HasTable
                 'is_active' => true,
             ]);
 
+            $this->syncMailRouting();
+
             // Generate DKIM
             try {
                 $dkimResult = $this->getAgent()->emailGenerateDkim($this->getUsername(), $domain->domain);
@@ -830,6 +928,19 @@ class Email extends Page implements HasActions, HasForms, HasTable
         return $emailDomain;
     }
 
+    protected function syncMailRouting(): void
+    {
+        try {
+            app(MailRoutingSyncService::class)->sync();
+        } catch (Exception $e) {
+            Notification::make()
+                ->title(__('Mail routing sync failed'))
+                ->body($e->getMessage())
+                ->warning()
+                ->send();
+        }
+    }
+
     protected function regenerateDnsZone(Domain $domain): void
     {
         try {
@@ -924,6 +1035,17 @@ class Email extends Page implements HasActions, HasForms, HasTable
                     ->helperText(__('Storage limit in megabytes')),
             ])
             ->action(function (array $data): void {
+                $limit = Auth::user()?->hostingPackage?->mailboxes_limit;
+                if ($limit && Mailbox::where('user_id', Auth::id())->count() >= $limit) {
+                    Notification::make()
+                        ->title(__('Mailbox limit reached'))
+                        ->body(__('Your hosting package allows up to :limit mailboxes.', ['limit' => $limit]))
+                        ->warning()
+                        ->send();
+
+                    return;
+                }
+
                 $domain = Domain::where('user_id', Auth::id())->find($data['domain_id']);
                 if (! $domain) {
                     Notification::make()->title(__('Domain not found'))->danger()->send();
@@ -965,6 +1087,8 @@ class Email extends Page implements HasActions, HasForms, HasTable
                         'is_active' => true,
                     ]);
 
+                    $this->syncMailRouting();
+
                     $this->credEmail = $email;
                     $this->credPassword = $data['password'];
 
@@ -1016,6 +1140,8 @@ class Email extends Page implements HasActions, HasForms, HasTable
             $this->getAgent()->mailboxToggle($this->getUsername(), $mailbox->email, $newStatus);
             $mailbox->update(['is_active' => $newStatus]);
 
+            $this->syncMailRouting();
+
             Notification::make()
                 ->title($newStatus ? __('Mailbox enabled') : __('Mailbox disabled'))
                 ->success()
@@ -1037,6 +1163,8 @@ class Email extends Page implements HasActions, HasForms, HasTable
 
             $mailbox->delete();
 
+            $this->syncMailRouting();
+
             Notification::make()->title(__('Mailbox deleted'))->success()->send();
         } catch (Exception $e) {
             Notification::make()->title(__('Error'))->body($e->getMessage())->danger()->send();
@@ -1122,6 +1250,8 @@ class Email extends Page implements HasActions, HasForms, HasTable
                         'is_active' => true,
                     ]);
 
+                    $this->syncMailRouting();
+
                     Notification::make()->title(__('Forwarder created'))->success()->send();
                 } catch (Exception $e) {
                     Notification::make()->title(__('Error creating forwarder'))->body($e->getMessage())->danger()->send();
@@ -1149,6 +1279,8 @@ class Email extends Page implements HasActions, HasForms, HasTable
 
             $forwarder->update(['destinations' => $destinations]);
 
+            $this->syncMailRouting();
+
             Notification::make()->title(__('Forwarder updated'))->success()->send();
         } catch (Exception $e) {
             Notification::make()->title(__('Error'))->body($e->getMessage())->danger()->send();
@@ -1173,6 +1305,8 @@ class Email extends Page implements HasActions, HasForms, HasTable
             ]);
             $forwarder->update(['is_active' => $newStatus]);
 
+            $this->syncMailRouting();
+
             Notification::make()
                 ->title($newStatus ? __('Forwarder enabled') : __('Forwarder disabled'))
                 ->success()
@@ -1192,6 +1326,8 @@ class Email extends Page implements HasActions, HasForms, HasTable
 
             $forwarder->delete();
 
+            $this->syncMailRouting();
+
             Notification::make()->title(__('Forwarder deleted'))->success()->send();
         } catch (Exception $e) {
             Notification::make()->title(__('Error'))->body($e->getMessage())->danger()->send();
@@ -1404,6 +1540,8 @@ class Email extends Page implements HasActions, HasForms, HasTable
                 'catch_all_address' => $enabled ? $address : null,
             ]);
 
+            $this->syncMailRouting();
+
             Notification::make()
                 ->title($enabled ? __('Catch-all enabled') : __('Catch-all disabled'))
                 ->success()
diff --git a/app/Filament/Jabali/Pages/GitDeployment.php b/app/Filament/Jabali/Pages/GitDeployment.php
new file mode 100644
index 0000000..ecd738b
--- /dev/null
+++ b/app/Filament/Jabali/Pages/GitDeployment.php
@@ -0,0 +1,316 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Jabali\Pages;
+
+use App\Filament\Concerns\HasPageTour;
+use App\Jobs\RunGitDeployment;
+use App\Models\Domain;
+use App\Models\GitDeployment as GitDeploymentModel;
+use App\Services\Agent\AgentClient;
+use BackedEnum;
+use Exception;
+use Filament\Actions\Action;
+use Filament\Actions\Concerns\InteractsWithActions;
+use Filament\Actions\Contracts\HasActions;
+use Filament\Forms\Components\Select;
+use Filament\Forms\Components\Textarea;
+use Filament\Forms\Components\TextInput;
+use Filament\Forms\Components\Toggle;
+use Filament\Forms\Concerns\InteractsWithForms;
+use Filament\Forms\Contracts\HasForms;
+use Filament\Notifications\Notification;
+use Filament\Pages\Page;
+use Filament\Tables\Columns\IconColumn;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Concerns\InteractsWithTable;
+use Filament\Tables\Contracts\HasTable;
+use Filament\Tables\Table;
+use Illuminate\Contracts\Support\Htmlable;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Str;
+
+class GitDeployment extends Page implements HasActions, HasForms, HasTable
+{
+    use HasPageTour;
+    use InteractsWithActions;
+    use InteractsWithForms;
+    use InteractsWithTable;
+
+    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-code-bracket-square';
+
+    protected static ?int $navigationSort = 16;
+
+    protected static ?string $slug = 'git-deployment';
+
+    protected string $view = 'filament.jabali.pages.git-deployment';
+
+    protected ?AgentClient $agent = null;
+
+    public ?string $deployKey = null;
+
+    public function getTitle(): string|Htmlable
+    {
+        return __('Git Deployment');
+    }
+
+    public static function getNavigationLabel(): string
+    {
+        return __('Git Deployment');
+    }
+
+    protected function getAgent(): AgentClient
+    {
+        if ($this->agent === null) {
+            $this->agent = new AgentClient;
+        }
+
+        return $this->agent;
+    }
+
+    protected function getUsername(): string
+    {
+        return Auth::user()->username;
+    }
+
+    protected function getDomainOptions(): array
+    {
+        return Domain::query()
+            ->where('user_id', Auth::id())
+            ->orderBy('domain')
+            ->pluck('domain', 'id')
+            ->toArray();
+    }
+
+    protected function getWebhookUrl(GitDeploymentModel $deployment): string
+    {
+        return url("/api/webhooks/git/{$deployment->id}/{$deployment->secret_token}");
+    }
+
+    protected function getDeployKey(): string
+    {
+        if ($this->deployKey) {
+            return $this->deployKey;
+        }
+
+        try {
+            $result = $this->getAgent()->gitGenerateKey($this->getUsername());
+            $this->deployKey = $result['public_key'] ?? '';
+        } catch (Exception) {
+            $this->deployKey = '';
+        }
+
+        return $this->deployKey ?? '';
+    }
+
+    public function table(Table $table): Table
+    {
+        return $table
+            ->query(GitDeploymentModel::query()->where('user_id', Auth::id())->with('domain'))
+            ->columns([
+                TextColumn::make('domain.domain')
+                    ->label(__('Domain'))
+                    ->searchable()
+                    ->sortable(),
+                TextColumn::make('repo_url')
+                    ->label(__('Repository'))
+                    ->limit(40)
+                    ->tooltip(fn (GitDeploymentModel $record) => $record->repo_url)
+                    ->sortable(),
+                TextColumn::make('branch')
+                    ->label(__('Branch'))
+                    ->badge()
+                    ->color('gray'),
+                IconColumn::make('auto_deploy')
+                    ->label(__('Auto Deploy'))
+                    ->boolean(),
+                TextColumn::make('last_status')
+                    ->label(__('Status'))
+                    ->badge()
+                    ->color(fn (?string $state): string => match ($state) {
+                        'success' => 'success',
+                        'failed' => 'danger',
+                        'running' => 'warning',
+                        'queued' => 'info',
+                        default => 'gray',
+                    })
+                    ->default('never'),
+                TextColumn::make('last_deployed_at')
+                    ->label(__('Last Deployed'))
+                    ->since()
+                    ->sortable(),
+            ])
+            ->recordActions([
+                Action::make('deploy')
+                    ->label(__('Deploy'))
+                    ->icon('heroicon-o-arrow-path')
+                    ->color('primary')
+                    ->action(function (GitDeploymentModel $record): void {
+                        $record->update(['last_status' => 'queued']);
+                        RunGitDeployment::dispatch($record->id);
+                        Notification::make()->title(__('Deployment queued'))->success()->send();
+                    }),
+                Action::make('webhook')
+                    ->label(__('Webhook'))
+                    ->icon('heroicon-o-link')
+                    ->color('gray')
+                    ->modalHeading(__('Webhook URL'))
+                    ->modalSubmitAction(false)
+                    ->modalCancelActionLabel(__('Close'))
+                    ->form([
+                        Textarea::make('webhook_url')
+                            ->label(__('Webhook URL'))
+                            ->rows(2)
+                            ->disabled()
+                            ->dehydrated(false),
+                        Textarea::make('deploy_key')
+                            ->label(__('Deploy Key'))
+                            ->rows(3)
+                            ->disabled()
+                            ->dehydrated(false),
+                    ])
+                    ->fillForm(fn (GitDeploymentModel $record): array => [
+                        'webhook_url' => $this->getWebhookUrl($record),
+                        'deploy_key' => $this->getDeployKey(),
+                    ]),
+                Action::make('edit')
+                    ->label(__('Edit'))
+                    ->icon('heroicon-o-pencil-square')
+                    ->color('gray')
+                    ->modalHeading(__('Edit Deployment'))
+                    ->form($this->getDeploymentForm())
+                    ->fillForm(fn (GitDeploymentModel $record): array => [
+                        'domain_id' => $record->domain_id,
+                        'repo_url' => $record->repo_url,
+                        'branch' => $record->branch,
+                        'deploy_path' => $record->deploy_path,
+                        'auto_deploy' => $record->auto_deploy,
+                        'deploy_script' => $record->deploy_script,
+                        'framework_preset' => 'custom',
+                    ])
+                    ->action(function (GitDeploymentModel $record, array $data): void {
+                        $record->update([
+                            'domain_id' => $data['domain_id'],
+                            'repo_url' => $data['repo_url'],
+                            'branch' => $data['branch'],
+                            'deploy_path' => $data['deploy_path'],
+                            'auto_deploy' => $data['auto_deploy'] ?? false,
+                            'deploy_script' => $data['deploy_script'] ?? null,
+                        ]);
+
+                        Notification::make()->title(__('Deployment updated'))->success()->send();
+                    }),
+                Action::make('delete')
+                    ->label(__('Delete'))
+                    ->icon('heroicon-o-trash')
+                    ->color('danger')
+                    ->requiresConfirmation()
+                    ->action(function (GitDeploymentModel $record): void {
+                        $record->delete();
+                        Notification::make()->title(__('Deployment deleted'))->success()->send();
+                    }),
+            ])
+            ->emptyStateHeading(__('No deployments yet'))
+            ->emptyStateDescription(__('Add a repository to deploy to your domain'))
+            ->emptyStateIcon('heroicon-o-code-bracket-square');
+    }
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            Action::make('addDeployment')
+                ->label(__('Add Deployment'))
+                ->icon('heroicon-o-plus')
+                ->color('primary')
+                ->form($this->getDeploymentForm())
+                ->action(function (array $data): void {
+                    GitDeploymentModel::create([
+                        'user_id' => Auth::id(),
+                        'domain_id' => $data['domain_id'],
+                        'repo_url' => $data['repo_url'],
+                        'branch' => $data['branch'],
+                        'deploy_path' => $data['deploy_path'],
+                        'auto_deploy' => $data['auto_deploy'] ?? false,
+                        'deploy_script' => $data['deploy_script'] ?? null,
+                        'secret_token' => Str::random(40),
+                        'last_status' => 'never',
+                    ]);
+
+                    Notification::make()->title(__('Deployment created'))->success()->send();
+                    $this->resetTable();
+                }),
+            Action::make('deployKey')
+                ->label(__('Deploy Key'))
+                ->icon('heroicon-o-key')
+                ->color('gray')
+                ->modalHeading(__('SSH Deploy Key'))
+                ->modalSubmitAction(false)
+                ->modalCancelActionLabel(__('Close'))
+                ->form([
+                    Textarea::make('public_key')
+                        ->label(__('Public Key'))
+                        ->rows(3)
+                        ->disabled()
+                        ->dehydrated(false),
+                ])
+                ->fillForm(fn (): array => ['public_key' => $this->getDeployKey()]),
+        ];
+    }
+
+    protected function getDeploymentForm(): array
+    {
+        return [
+            Select::make('domain_id')
+                ->label(__('Domain'))
+                ->options($this->getDomainOptions())
+                ->searchable()
+                ->required()
+                ->live()
+                ->afterStateUpdated(function ($state, callable $set): void {
+                    if (! $state) {
+                        return;
+                    }
+                    $domain = Domain::where('id', $state)->where('user_id', Auth::id())->first();
+                    if ($domain) {
+                        $set('deploy_path', $domain->document_root);
+                    }
+                }),
+            TextInput::make('repo_url')
+                ->label(__('Repository URL'))
+                ->placeholder('git@github.com:org/repo.git')
+                ->required(),
+            TextInput::make('branch')
+                ->label(__('Branch'))
+                ->default('main')
+                ->required(),
+            TextInput::make('deploy_path')
+                ->label(__('Deploy Path'))
+                ->helperText(__('Must be inside your home directory'))
+                ->required(),
+            Select::make('framework_preset')
+                ->label(__('Framework Preset'))
+                ->options([
+                    'custom' => __('Custom'),
+                    'laravel' => __('Laravel'),
+                    'symfony' => __('Symfony'),
+                ])
+                ->default('custom')
+                ->live()
+                ->afterStateUpdated(function ($state, callable $set): void {
+                    if ($state === 'laravel') {
+                        $set('deploy_script', "composer install --no-dev --optimize-autoloader\nphp artisan migrate --force\nphp artisan config:cache\nphp artisan route:cache\nphp artisan view:cache");
+                    } elseif ($state === 'symfony') {
+                        $set('deploy_script', "composer install --no-dev --optimize-autoloader\nphp bin/console cache:clear --no-warmup\nphp bin/console cache:warmup");
+                    }
+                }),
+            Textarea::make('deploy_script')
+                ->label(__('Deploy Script (optional)'))
+                ->rows(6)
+                ->helperText(__('Run after code is deployed. Leave empty to skip.')),
+            Toggle::make('auto_deploy')
+                ->label(__('Enable auto-deploy from webhook'))
+                ->default(false),
+        ];
+    }
+}
diff --git a/app/Filament/Jabali/Pages/ImageOptimization.php b/app/Filament/Jabali/Pages/ImageOptimization.php
new file mode 100644
index 0000000..dd0cb09
--- /dev/null
+++ b/app/Filament/Jabali/Pages/ImageOptimization.php
@@ -0,0 +1,157 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Jabali\Pages;
+
+use App\Filament\Concerns\HasPageTour;
+use App\Models\Domain;
+use App\Services\Agent\AgentClient;
+use BackedEnum;
+use Exception;
+use Filament\Actions\Concerns\InteractsWithActions;
+use Filament\Actions\Contracts\HasActions;
+use Filament\Forms\Components\Select;
+use Filament\Forms\Components\TextInput;
+use Filament\Forms\Components\Toggle;
+use Filament\Forms\Concerns\InteractsWithForms;
+use Filament\Forms\Contracts\HasForms;
+use Filament\Notifications\Notification;
+use Filament\Pages\Page;
+use Filament\Schemas\Components\Section;
+use Filament\Schemas\Schema;
+use Illuminate\Contracts\Support\Htmlable;
+use Illuminate\Support\Facades\Auth;
+
+class ImageOptimization extends Page implements HasActions, HasForms
+{
+    use HasPageTour;
+    use InteractsWithActions;
+    use InteractsWithForms;
+
+    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-photo';
+
+    protected static ?int $navigationSort = 21;
+
+    protected static ?string $slug = 'image-optimization';
+
+    protected string $view = 'filament.jabali.pages.image-optimization';
+
+    protected ?AgentClient $agent = null;
+
+    public array $imageFormData = [];
+
+    public function getTitle(): string|Htmlable
+    {
+        return __('Image Optimization');
+    }
+
+    public static function getNavigationLabel(): string
+    {
+        return __('Image Optimization');
+    }
+
+    protected function getAgent(): AgentClient
+    {
+        if ($this->agent === null) {
+            $this->agent = new AgentClient;
+        }
+
+        return $this->agent;
+    }
+
+    protected function getUsername(): string
+    {
+        return Auth::user()->username;
+    }
+
+    protected function getDomainOptions(): array
+    {
+        return Domain::query()
+            ->where('user_id', Auth::id())
+            ->orderBy('domain')
+            ->pluck('domain', 'id')
+            ->toArray();
+    }
+
+    protected function getForms(): array
+    {
+        return ['imageForm'];
+    }
+
+    public function imageForm(Schema $schema): Schema
+    {
+        return $schema
+            ->statePath('imageFormData')
+            ->schema([
+                Section::make(__('Optimization Settings'))
+                    ->schema([
+                        Select::make('domain_id')
+                            ->label(__('Domain'))
+                            ->options($this->getDomainOptions())
+                            ->searchable()
+                            ->required(),
+                        TextInput::make('path')
+                            ->label(__('Custom Path (optional)'))
+                            ->helperText(__('Leave empty to optimize the selected domain root')),
+                        Toggle::make('convert_webp')
+                            ->label(__('Generate WebP copies'))
+                            ->default(false),
+                        TextInput::make('quality')
+                            ->label(__('Quality (40-95)'))
+                            ->numeric()
+                            ->default(82),
+                    ])
+                    ->columns(2),
+            ]);
+    }
+
+    public function runOptimization(): void
+    {
+        $data = $this->imageForm->getState();
+        $domainId = $data['domain_id'] ?? null;
+
+        if (! $domainId) {
+            Notification::make()->title(__('Select a domain'))->danger()->send();
+
+            return;
+        }
+
+        $domain = Domain::where('id', $domainId)->where('user_id', Auth::id())->first();
+        if (! $domain) {
+            Notification::make()->title(__('Domain not found'))->danger()->send();
+
+            return;
+        }
+
+        $path = trim((string) ($data['path'] ?? ''));
+        if ($path === '') {
+            $path = $domain->document_root;
+        }
+
+        try {
+            $result = $this->getAgent()->imageOptimize(
+                $this->getUsername(),
+                $path,
+                (bool) ($data['convert_webp'] ?? false),
+                (int) ($data['quality'] ?? 82)
+            );
+
+            if ($result['success'] ?? false) {
+                $optimized = $result['optimized'] ?? [];
+                $message = __('Optimization complete');
+                if (! empty($optimized)) {
+                    $message .= ' · JPG: '.($optimized['jpg'] ?? 0).', PNG: '.($optimized['png'] ?? 0).', WebP: '.($optimized['webp'] ?? 0);
+                }
+
+                Notification::make()->title($message)->success()->send();
+
+                return;
+            }
+
+            Notification::make()->title(__('Optimization failed'))->body($result['error'] ?? '')->danger()->send();
+        } catch (Exception $e) {
+            Notification::make()->title(__('Optimization failed'))->body($e->getMessage())->danger()->send();
+        }
+    }
+}
diff --git a/app/Filament/Jabali/Pages/Logs.php b/app/Filament/Jabali/Pages/Logs.php
index f7e9ef6..a78fa2e 100644
--- a/app/Filament/Jabali/Pages/Logs.php
+++ b/app/Filament/Jabali/Pages/Logs.php
@@ -5,6 +5,8 @@ declare(strict_types=1);
 namespace App\Filament\Jabali\Pages;
 
 use App\Filament\Concerns\HasPageTour;
+use App\Models\AuditLog;
+use App\Models\UserResourceUsage;
 use App\Services\Agent\AgentClient;
 use BackedEnum;
 use Filament\Actions\Action;
@@ -42,6 +44,9 @@ class Logs extends Page implements HasActions, HasForms
     #[Url]
     public ?string $selectedDomain = null;
 
+    #[Url(as: 'tab')]
+    public string $activeTab = 'logs';
+
     public string $logType = 'access';
 
     public int $logLines = 100;
@@ -64,6 +69,7 @@ class Logs extends Page implements HasActions, HasForms
     public function mount(): void
     {
         $this->loadDomains();
+        $this->activeTab = $this->normalizeTab($this->activeTab);
 
         if (! empty($this->domains) && ! $this->selectedDomain) {
             $this->selectedDomain = $this->domains[0]['domain'] ?? null;
@@ -74,6 +80,27 @@ class Logs extends Page implements HasActions, HasForms
         }
     }
 
+    public function updatedActiveTab(): void
+    {
+        $this->activeTab = $this->normalizeTab($this->activeTab);
+        if ($this->activeTab === 'logs' && $this->selectedDomain) {
+            $this->loadLogs();
+        }
+    }
+
+    public function setTab(string $tab): void
+    {
+        $this->activeTab = $this->normalizeTab($tab);
+    }
+
+    protected function normalizeTab(?string $tab): string
+    {
+        return match ($tab) {
+            'logs', 'usage', 'activity', 'stats' => (string) $tab,
+            default => 'logs',
+        };
+    }
+
     protected function getAgent(): AgentClient
     {
         if ($this->agent === null) {
@@ -90,11 +117,15 @@ class Logs extends Page implements HasActions, HasForms
 
     protected function loadDomains(): void
     {
-        $result = $this->getAgent()->send('domain.list', [
-            'username' => $this->getUsername(),
-        ]);
+        try {
+            $result = $this->getAgent()->send('domain.list', [
+                'username' => $this->getUsername(),
+            ]);
 
-        $this->domains = ($result['success'] ?? false) ? ($result['domains'] ?? []) : [];
+            $this->domains = ($result['success'] ?? false) ? ($result['domains'] ?? []) : [];
+        } catch (\Throwable $exception) {
+            $this->domains = [];
+        }
     }
 
     public function getDomainOptions(): array
@@ -164,6 +195,66 @@ class Logs extends Page implements HasActions, HasForms
             ->send();
     }
 
+    public function getUsageChartData(): array
+    {
+        $start = now()->subDays(29)->startOfDay();
+        $end = now()->endOfDay();
+        $records = UserResourceUsage::query()
+            ->where('user_id', Auth::id())
+            ->whereBetween('captured_at', [$start, $end])
+            ->get();
+
+        $labels = [];
+        for ($i = 0; $i < 30; $i++) {
+            $labels[] = $start->copy()->addDays($i)->format('Y-m-d');
+        }
+        $index = array_flip($labels);
+
+        $metrics = ['disk_bytes', 'database_bytes', 'mail_bytes', 'bandwidth_bytes'];
+        $values = [];
+        foreach ($metrics as $metric) {
+            $values[$metric] = array_fill(0, count($labels), 0);
+        }
+
+        foreach ($records as $record) {
+            $date = $record->captured_at?->format('Y-m-d');
+            if (! $date || ! isset($index[$date])) {
+                continue;
+            }
+            $idx = $index[$date];
+            $metric = $record->metric;
+            if (! isset($values[$metric])) {
+                continue;
+            }
+            if ($metric === 'bandwidth_bytes') {
+                $values[$metric][$idx] += (int) $record->value;
+            } else {
+                $values[$metric][$idx] = max($values[$metric][$idx], (int) $record->value);
+            }
+        }
+
+        $toGb = fn (int $bytes) => round($bytes / 1024 / 1024 / 1024, 2);
+
+        return [
+            'labels' => $labels,
+            'series' => [
+                ['name' => __('Disk'), 'data' => array_map($toGb, $values['disk_bytes'])],
+                ['name' => __('Databases'), 'data' => array_map($toGb, $values['database_bytes'])],
+                ['name' => __('Mail'), 'data' => array_map($toGb, $values['mail_bytes'])],
+                ['name' => __('Bandwidth'), 'data' => array_map($toGb, $values['bandwidth_bytes'])],
+            ],
+        ];
+    }
+
+    public function getActivityLogs()
+    {
+        return AuditLog::query()
+            ->where('user_id', Auth::id())
+            ->latest()
+            ->limit(50)
+            ->get();
+    }
+
     public function generateStats(): void
     {
         if (! $this->selectedDomain) {
@@ -216,14 +307,14 @@ class Logs extends Page implements HasActions, HasForms
                 ->label(__('Generate Statistics'))
                 ->icon('heroicon-o-chart-bar')
                 ->color('primary')
-                ->visible(fn () => $this->selectedDomain !== null)
+                ->visible(fn () => $this->selectedDomain !== null && $this->activeTab === 'stats')
                 ->action(fn () => $this->generateStats()),
 
             Action::make('refreshLogs')
                 ->label(__('Refresh'))
                 ->icon('heroicon-o-arrow-path')
                 ->color('gray')
-                ->visible(fn () => $this->selectedDomain !== null)
+                ->visible(fn () => $this->selectedDomain !== null && $this->activeTab === 'logs')
                 ->action(fn () => $this->refreshLogs()),
         ];
     }
diff --git a/app/Filament/Jabali/Pages/MailingLists.php b/app/Filament/Jabali/Pages/MailingLists.php
new file mode 100644
index 0000000..6d97dd9
--- /dev/null
+++ b/app/Filament/Jabali/Pages/MailingLists.php
@@ -0,0 +1,125 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Jabali\Pages;
+
+use App\Filament\Concerns\HasPageTour;
+use App\Models\UserSetting;
+use BackedEnum;
+use Filament\Actions\Concerns\InteractsWithActions;
+use Filament\Actions\Contracts\HasActions;
+use Filament\Forms\Components\Select;
+use Filament\Forms\Components\TextInput;
+use Filament\Forms\Concerns\InteractsWithForms;
+use Filament\Forms\Contracts\HasForms;
+use Filament\Notifications\Notification;
+use Filament\Pages\Page;
+use Filament\Schemas\Components\Section;
+use Filament\Schemas\Schema;
+use Illuminate\Contracts\Support\Htmlable;
+use Illuminate\Support\Facades\Auth;
+
+class MailingLists extends Page implements HasActions, HasForms
+{
+    use HasPageTour;
+    use InteractsWithActions;
+    use InteractsWithForms;
+
+    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-paper-airplane';
+
+    protected static ?int $navigationSort = 22;
+
+    protected static ?string $slug = 'mailing-lists';
+
+    protected string $view = 'filament.jabali.pages.mailing-lists';
+
+    public array $mailingFormData = [];
+
+    public function getTitle(): string|Htmlable
+    {
+        return __('Mailing Lists');
+    }
+
+    public static function getNavigationLabel(): string
+    {
+        return __('Mailing Lists');
+    }
+
+    public function mount(): void
+    {
+        $this->mailingFormData = UserSetting::getForUser(Auth::id(), 'mailing_lists', [
+            'provider' => 'none',
+            'listmonk_url' => '',
+            'listmonk_token' => '',
+            'listmonk_list_id' => '',
+            'mailman_url' => '',
+            'mailman_admin' => '',
+        ]);
+    }
+
+    protected function getForms(): array
+    {
+        return ['mailingForm'];
+    }
+
+    public function mailingForm(Schema $schema): Schema
+    {
+        return $schema
+            ->statePath('mailingFormData')
+            ->schema([
+                Section::make(__('Provider'))
+                    ->schema([
+                        Select::make('provider')
+                            ->label(__('Mailing List Provider'))
+                            ->options([
+                                'none' => __('None'),
+                                'listmonk' => __('Listmonk'),
+                                'mailman' => __('Mailman'),
+                            ])
+                            ->default('none')
+                            ->live(),
+                    ]),
+                Section::make(__('Listmonk'))
+                    ->schema([
+                        TextInput::make('listmonk_url')
+                            ->label(__('Listmonk URL'))
+                            ->placeholder('https://lists.example.com')
+                            ->url()
+                            ->visible(fn ($get) => $get('provider') === 'listmonk'),
+                        TextInput::make('listmonk_token')
+                            ->label(__('API Token'))
+                            ->password()
+                            ->revealable()
+                            ->visible(fn ($get) => $get('provider') === 'listmonk'),
+                        TextInput::make('listmonk_list_id')
+                            ->label(__('Default List ID'))
+                            ->visible(fn ($get) => $get('provider') === 'listmonk'),
+                    ])
+                    ->columns(2),
+                Section::make(__('Mailman'))
+                    ->schema([
+                        TextInput::make('mailman_url')
+                            ->label(__('Mailman URL'))
+                            ->placeholder('https://lists.example.com/mailman')
+                            ->url()
+                            ->visible(fn ($get) => $get('provider') === 'mailman'),
+                        TextInput::make('mailman_admin')
+                            ->label(__('Mailman Admin Email'))
+                            ->email()
+                            ->visible(fn ($get) => $get('provider') === 'mailman'),
+                    ])
+                    ->columns(2),
+            ]);
+    }
+
+    public function saveSettings(): void
+    {
+        UserSetting::setForUser(Auth::id(), 'mailing_lists', $this->mailingForm->getState());
+
+        Notification::make()
+            ->title(__('Mailing list settings saved'))
+            ->success()
+            ->send();
+    }
+}
diff --git a/app/Filament/Jabali/Pages/PostgreSQL.php b/app/Filament/Jabali/Pages/PostgreSQL.php
new file mode 100644
index 0000000..a767d00
--- /dev/null
+++ b/app/Filament/Jabali/Pages/PostgreSQL.php
@@ -0,0 +1,287 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Filament\Jabali\Pages;
+
+use App\Filament\Concerns\HasPageTour;
+use App\Services\Agent\AgentClient;
+use BackedEnum;
+use Exception;
+use Filament\Actions\Action;
+use Filament\Actions\Concerns\InteractsWithActions;
+use Filament\Actions\Contracts\HasActions;
+use Filament\Forms\Components\Select;
+use Filament\Forms\Components\TextInput;
+use Filament\Forms\Concerns\InteractsWithForms;
+use Filament\Forms\Contracts\HasForms;
+use Filament\Notifications\Notification;
+use Filament\Pages\Page;
+use Filament\Tables\Columns\TextColumn;
+use Filament\Tables\Concerns\InteractsWithTable;
+use Filament\Tables\Contracts\HasTable;
+use Filament\Tables\Table;
+use Illuminate\Contracts\Support\Htmlable;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Str;
+use Livewire\Attributes\Url;
+
+class PostgreSQL extends Page implements HasActions, HasForms, HasTable
+{
+    use HasPageTour;
+    use InteractsWithActions;
+    use InteractsWithForms;
+    use InteractsWithTable;
+
+    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-circle-stack';
+
+    protected static ?int $navigationSort = 19;
+
+    protected static ?string $slug = 'postgresql';
+
+    protected string $view = 'filament.jabali.pages.postgresql';
+
+    protected ?AgentClient $agent = null;
+
+    #[Url(as: 'tab')]
+    public string $activeTab = 'databases';
+
+    public array $databases = [];
+
+    public array $users = [];
+
+    public function getTitle(): string|Htmlable
+    {
+        return __('PostgreSQL');
+    }
+
+    public static function getNavigationLabel(): string
+    {
+        return __('PostgreSQL');
+    }
+
+    public function mount(): void
+    {
+        $this->activeTab = $this->normalizeTab($this->activeTab);
+        $this->loadData();
+    }
+
+    public function updatedActiveTab(): void
+    {
+        $this->activeTab = $this->normalizeTab($this->activeTab);
+        $this->loadData();
+        $this->resetTable();
+    }
+
+    protected function normalizeTab(string $tab): string
+    {
+        return in_array($tab, ['databases', 'users'], true) ? $tab : 'databases';
+    }
+
+    protected function getAgent(): AgentClient
+    {
+        if ($this->agent === null) {
+            $this->agent = new AgentClient;
+        }
+
+        return $this->agent;
+    }
+
+    protected function getUsername(): string
+    {
+        return Auth::user()->username;
+    }
+
+    protected function loadData(): void
+    {
+        if ($this->activeTab === 'users') {
+            $this->loadUsers();
+        } else {
+            $this->loadDatabases();
+        }
+    }
+
+    protected function loadDatabases(): void
+    {
+        try {
+            $result = $this->getAgent()->postgresListDatabases($this->getUsername());
+            $this->databases = $result['databases'] ?? [];
+        } catch (Exception) {
+            $this->databases = [];
+        }
+    }
+
+    protected function loadUsers(): void
+    {
+        try {
+            $result = $this->getAgent()->postgresListUsers($this->getUsername());
+            $this->users = $result['users'] ?? [];
+        } catch (Exception) {
+            $this->users = [];
+        }
+    }
+
+    protected function getUserOptions(): array
+    {
+        if (empty($this->users)) {
+            $this->loadUsers();
+        }
+
+        $options = [];
+        foreach ($this->users as $user) {
+            $options[$user['username']] = $user['username'];
+        }
+
+        return $options;
+    }
+
+    public function table(Table $table): Table
+    {
+        if ($this->activeTab === 'users') {
+            return $table
+                ->records(fn () => $this->users)
+                ->columns([
+                    TextColumn::make('username')
+                        ->label(__('User'))
+                        ->searchable(),
+                ])
+                ->recordActions([
+                    Action::make('delete')
+                        ->label(__('Delete'))
+                        ->icon('heroicon-o-trash')
+                        ->color('danger')
+                        ->requiresConfirmation()
+                        ->action(function (array $record): void {
+                            $result = $this->getAgent()->postgresDeleteUser($this->getUsername(), $record['username']);
+                            if ($result['success'] ?? false) {
+                                Notification::make()->title(__('User deleted'))->success()->send();
+                                $this->loadUsers();
+                                $this->resetTable();
+
+                                return;
+                            }
+
+                            Notification::make()->title(__('Deletion failed'))->body($result['error'] ?? '')->danger()->send();
+                        }),
+                ])
+                ->emptyStateHeading(__('No PostgreSQL users'))
+                ->emptyStateDescription(__('Create a PostgreSQL user to manage databases'));
+        }
+
+        return $table
+            ->records(fn () => $this->databases)
+            ->columns([
+                TextColumn::make('name')
+                    ->label(__('Database'))
+                    ->searchable(),
+                TextColumn::make('size_bytes')
+                    ->label(__('Size'))
+                    ->formatStateUsing(fn ($state) => $this->formatBytes((int) $state))
+                    ->color('gray'),
+            ])
+            ->recordActions([
+                Action::make('delete')
+                    ->label(__('Delete'))
+                    ->icon('heroicon-o-trash')
+                    ->color('danger')
+                    ->requiresConfirmation()
+                    ->action(function (array $record): void {
+                        $result = $this->getAgent()->postgresDeleteDatabase($this->getUsername(), $record['name']);
+                        if ($result['success'] ?? false) {
+                            Notification::make()->title(__('Database deleted'))->success()->send();
+                            $this->loadDatabases();
+                            $this->resetTable();
+
+                            return;
+                        }
+
+                        Notification::make()->title(__('Deletion failed'))->body($result['error'] ?? '')->danger()->send();
+                    }),
+            ])
+            ->emptyStateHeading(__('No PostgreSQL databases'))
+            ->emptyStateDescription(__('Create a PostgreSQL database to get started'));
+    }
+
+    protected function getHeaderActions(): array
+    {
+        return [
+            Action::make('createDatabase')
+                ->label(__('Create Database'))
+                ->icon('heroicon-o-circle-stack')
+                ->color('primary')
+                ->visible(fn () => $this->activeTab === 'databases')
+                ->form([
+                    TextInput::make('database')
+                        ->label(__('Database Name'))
+                        ->helperText(__('Use a name like :prefix_db', ['prefix' => $this->getUsername()]))
+                        ->required(),
+                    Select::make('owner')
+                        ->label(__('Owner User'))
+                        ->options($this->getUserOptions())
+                        ->required(),
+                ])
+                ->action(function (array $data): void {
+                    $result = $this->getAgent()->postgresCreateDatabase(
+                        $this->getUsername(),
+                        $data['database'],
+                        $data['owner']
+                    );
+
+                    if ($result['success'] ?? false) {
+                        Notification::make()->title(__('Database created'))->success()->send();
+                        $this->loadDatabases();
+                        $this->resetTable();
+
+                        return;
+                    }
+
+                    Notification::make()->title(__('Creation failed'))->body($result['error'] ?? '')->danger()->send();
+                }),
+            Action::make('createUser')
+                ->label(__('Create User'))
+                ->icon('heroicon-o-user-plus')
+                ->color('primary')
+                ->visible(fn () => $this->activeTab === 'users')
+                ->form([
+                    TextInput::make('db_user')
+                        ->label(__('Username'))
+                        ->helperText(__('Use a name like :prefix_user', ['prefix' => $this->getUsername()]))
+                        ->required(),
+                    TextInput::make('password')
+                        ->label(__('Password'))
+                        ->password()
+                        ->revealable()
+                        ->default(fn () => Str::random(16))
+                        ->required(),
+                ])
+                ->action(function (array $data): void {
+                    $result = $this->getAgent()->postgresCreateUser(
+                        $this->getUsername(),
+                        $data['db_user'],
+                        $data['password']
+                    );
+
+                    if ($result['success'] ?? false) {
+                        Notification::make()->title(__('User created'))->success()->send();
+                        $this->loadUsers();
+                        $this->resetTable();
+
+                        return;
+                    }
+
+                    Notification::make()->title(__('Creation failed'))->body($result['error'] ?? '')->danger()->send();
+                }),
+        ];
+    }
+
+    protected function formatBytes(int $bytes, int $precision = 2): string
+    {
+        $units = ['B', 'KB', 'MB', 'GB', 'TB'];
+        $bytes = max($bytes, 0);
+        $pow = floor(($bytes ? log($bytes) : 0) / log(1024));
+        $pow = min($pow, count($units) - 1);
+        $bytes /= pow(1024, $pow);
+
+        return round($bytes, $precision).' '.$units[$pow];
+    }
+}
diff --git a/app/Filament/Jabali/Pages/WordPress.php b/app/Filament/Jabali/Pages/WordPress.php
index cc1d11f..feaf251 100644
--- a/app/Filament/Jabali/Pages/WordPress.php
+++ b/app/Filament/Jabali/Pages/WordPress.php
@@ -4,22 +4,25 @@ declare(strict_types=1);
 
 namespace App\Filament\Jabali\Pages;
 
+use App\Filament\Concerns\HasPageTour;
 use App\Models\Domain;
 use App\Models\MysqlCredential;
 use App\Services\Agent\AgentClient;
+use BackedEnum;
+use Exception;
 use Filament\Actions\Action;
 use Filament\Actions\ActionGroup;
 use Filament\Actions\Concerns\InteractsWithActions;
 use Filament\Actions\Contracts\HasActions;
-use Filament\Forms\Components\TextInput;
 use Filament\Forms\Components\Select;
+use Filament\Forms\Components\TextInput;
 use Filament\Forms\Components\Toggle;
 use Filament\Forms\Concerns\InteractsWithForms;
 use Filament\Forms\Contracts\HasForms;
 use Filament\Infolists\Components\TextEntry;
-use Filament\Schemas\Components\Section;
 use Filament\Notifications\Notification;
 use Filament\Pages\Page;
+use Filament\Schemas\Components\Section;
 use Filament\Tables\Columns\TextColumn;
 use Filament\Tables\Columns\ViewColumn;
 use Filament\Tables\Concerns\InteractsWithTable;
@@ -28,52 +31,59 @@ use Filament\Tables\Table;
 use Illuminate\Contracts\Support\Htmlable;
 use Illuminate\Support\Facades\Auth;
 use Illuminate\Support\Facades\Crypt;
-use Illuminate\Support\Facades\Storage;
-use App\Filament\Concerns\HasPageTour;
-use BackedEnum;
-use Exception;
 
-class WordPress extends Page implements HasForms, HasActions, HasTable
+class WordPress extends Page implements HasActions, HasForms, HasTable
 {
     protected static ?string $slug = 'wordpress';
-    use InteractsWithForms;
-    use InteractsWithActions;
-    use InteractsWithTable;
-    use HasPageTour;
 
-    protected static string | BackedEnum | null $navigationIcon = 'heroicon-o-pencil-square';
+    use HasPageTour;
+    use InteractsWithActions;
+    use InteractsWithForms;
+    use InteractsWithTable;
+
+    protected static string|BackedEnum|null $navigationIcon = 'heroicon-o-pencil-square';
+
     protected static ?int $navigationSort = 4;
 
     public static function getNavigationLabel(): string
     {
         return __('WordPress');
     }
-    
+
     protected string $view = 'filament.jabali.pages.wordpress';
 
     public array $sites = [];
+
     public array $domains = [];
+
     public ?string $selectedSiteId = null;
 
     // Credentials modal
     public bool $showCredentials = false;
+
     public array $credentials = [];
 
     // Scan modal
     public bool $showScanModal = false;
+
     public array $scannedSites = [];
+
     public bool $isScanning = false;
 
     // Security scan
     public bool $showSecurityScanModal = false;
+
     public array $securityScanResults = [];
+
     public bool $isSecurityScanning = false;
+
     public ?string $scanningSiteId = null;
+
     public ?string $scanningSiteUrl = null;
 
     protected ?AgentClient $agent = null;
 
-    public function getTitle(): string | Htmlable
+    public function getTitle(): string|Htmlable
     {
         return __('WordPress Manager');
     }
@@ -81,8 +91,9 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
     public function getAgent(): AgentClient
     {
         if ($this->agent === null) {
-            $this->agent = new AgentClient();
+            $this->agent = new AgentClient;
         }
+
         return $this->agent;
     }
 
@@ -199,12 +210,23 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
                             TextInput::make('staging_subdomain')
                                 ->label(__('Staging Subdomain'))
                                 ->prefix('staging-')
-                                ->suffix(fn (array $record): string => '.' . ($record['domain'] ?? ''))
+                                ->suffix(fn (array $record): string => '.'.($record['domain'] ?? ''))
                                 ->default('test')
                                 ->required()
                                 ->alphaNum(),
                         ])
                         ->action(fn (array $data, array $record) => $this->createStaging($record['id'], $data['staging_subdomain'])),
+                    Action::make('pushStaging')
+                        ->label(__('Push to Production'))
+                        ->icon('heroicon-o-arrow-up-tray')
+                        ->color('warning')
+                        ->requiresConfirmation()
+                        ->visible(fn (array $record): bool => (bool) ($record['is_staging'] ?? false))
+                        ->modalHeading(__('Push Staging to Production'))
+                        ->modalDescription(__('This will replace the live site files and database with the staging version.'))
+                        ->modalIcon('heroicon-o-arrow-up-tray')
+                        ->modalIconColor('warning')
+                        ->action(fn (array $record) => $this->pushStaging($record['id'])),
                     Action::make('security')
                         ->label(__('Security Scan'))
                         ->icon('heroicon-o-shield-check')
@@ -239,7 +261,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
 
                                 if ($result['success'] ?? false) {
                                     // Delete screenshot if exists
-                                    $screenshotPath = storage_path('app/public/screenshots/wp-' . $record['id'] . '.png');
+                                    $screenshotPath = storage_path('app/public/screenshots/wp-'.$record['id'].'.png');
                                     if (file_exists($screenshotPath)) {
                                         @unlink($screenshotPath);
                                     }
@@ -285,12 +307,12 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
 
         // Ensure at least one of each required type
         $password = $lowercase[random_int(0, strlen($lowercase) - 1)]
-            . $uppercase[random_int(0, strlen($uppercase) - 1)]
-            . $numbers[random_int(0, strlen($numbers) - 1)]
-            . $special[random_int(0, strlen($special) - 1)];
+            .$uppercase[random_int(0, strlen($uppercase) - 1)]
+            .$numbers[random_int(0, strlen($numbers) - 1)]
+            .$special[random_int(0, strlen($special) - 1)];
 
         // Fill the rest with random characters from all types
-        $allChars = $lowercase . $uppercase . $numbers . $special;
+        $allChars = $lowercase.$uppercase.$numbers.$special;
         for ($i = strlen($password); $i < $length; $i++) {
             $password .= $allChars[random_int(0, strlen($allChars) - 1)];
         }
@@ -340,7 +362,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
 
                 $options = [];
                 foreach ($this->scannedSites as $site) {
-                    $label = ($site['site_url'] ?? $site['path']) . ' (v' . ($site['version'] ?? '?') . ')';
+                    $label = ($site['site_url'] ?? $site['path']).' (v'.($site['version'] ?? '?').')';
                     $options[$site['path']] = $label;
                 }
 
@@ -365,6 +387,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
                         ->body(__('Please select at least one site to import.'))
                         ->warning()
                         ->send();
+
                     return;
                 }
 
@@ -575,7 +598,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
                         }
 
                         // Store MySQL credentials for phpMyAdmin SSO
-                        if (!empty($result['db_user']) && !empty($result['db_password'])) {
+                        if (! empty($result['db_user']) && ! empty($result['db_password'])) {
                             MysqlCredential::updateOrCreate(
                                 [
                                     'user_id' => Auth::id(),
@@ -689,7 +712,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
         try {
             // Get site info to get domain
             $site = collect($this->sites)->firstWhere('id', $siteId);
-            if (!$site) {
+            if (! $site) {
                 throw new Exception(__('Site not found'));
             }
             $siteDomain = $site['domain'] ?? '';
@@ -741,7 +764,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
                         ->send();
                 } else {
                     // Check if there are conflicting plugins
-                    if (isset($result['conflicts']) && !empty($result['conflicts'])) {
+                    if (isset($result['conflicts']) && ! empty($result['conflicts'])) {
                         $conflictNames = array_column($result['conflicts'], 'name');
                         Notification::make()
                             ->title(__('Conflicting Plugins Detected'))
@@ -875,7 +898,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
             $result = $this->getAgent()->send('wp.create_staging', [
                 'username' => $this->getUsername(),
                 'site_id' => $siteId,
-                'subdomain' => 'staging-' . $subdomain,
+                'subdomain' => 'staging-'.$subdomain,
             ]);
 
             if ($result['success'] ?? false) {
@@ -899,6 +922,36 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
         }
     }
 
+    public function pushStaging(string $stagingSiteId): void
+    {
+        try {
+            Notification::make()
+                ->title(__('Pushing staging to production...'))
+                ->body(__('This may take several minutes.'))
+                ->info()
+                ->send();
+
+            $result = $this->getAgent()->wpPushStaging($this->getUsername(), $stagingSiteId);
+
+            if ($result['success'] ?? false) {
+                Notification::make()
+                    ->title(__('Staging pushed to production'))
+                    ->success()
+                    ->send();
+                $this->loadData();
+                $this->resetTable();
+            } else {
+                throw new Exception($result['error'] ?? __('Failed to push staging site'));
+            }
+        } catch (Exception $e) {
+            Notification::make()
+                ->title(__('Push Failed'))
+                ->body($e->getMessage())
+                ->danger()
+                ->send();
+        }
+    }
+
     public function flushCache(string $siteId): void
     {
         try {
@@ -953,11 +1006,12 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
     {
         // Find the site
         $site = collect($this->sites)->firstWhere('id', $siteId);
-        if (!$site) {
+        if (! $site) {
             Notification::make()
                 ->title(__('Site not found'))
                 ->danger()
                 ->send();
+
             return;
         }
 
@@ -969,6 +1023,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
                 ->body(__('Please contact your administrator to enable security scanning.'))
                 ->warning()
                 ->send();
+
             return;
         }
 
@@ -985,12 +1040,12 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
 
         // Run WPScan
         $url = $site['url'];
-        exec("wpscan --url " . escapeshellarg($url) . " --format json --no-banner 2>&1", $scanOutput, $scanCode);
+        exec('wpscan --url '.escapeshellarg($url).' --format json --no-banner 2>&1', $scanOutput, $scanCode);
 
         $jsonOutput = implode("\n", $scanOutput);
         $results = json_decode($jsonOutput, true);
 
-        if (!$results) {
+        if (! $results) {
             $this->securityScanResults = [
                 'error' => __('Failed to parse scan results'),
                 'raw_output' => $jsonOutput,
@@ -1042,7 +1097,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
                 'vulnerabilities' => [],
             ];
 
-            if (!empty($results['version']['vulnerabilities'])) {
+            if (! empty($results['version']['vulnerabilities'])) {
                 foreach ($results['version']['vulnerabilities'] as $vuln) {
                     $parsed['vulnerabilities'][] = [
                         'type' => __('WordPress Core'),
@@ -1061,7 +1116,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
                 'version' => $results['main_theme']['version']['number'] ?? __('Unknown'),
             ];
 
-            if (!empty($results['main_theme']['vulnerabilities'])) {
+            if (! empty($results['main_theme']['vulnerabilities'])) {
                 foreach ($results['main_theme']['vulnerabilities'] as $vuln) {
                     $parsed['vulnerabilities'][] = [
                         'type' => __('Theme: :name', ['name' => $results['main_theme']['slug']]),
@@ -1074,14 +1129,14 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
         }
 
         // Plugins
-        if (!empty($results['plugins'])) {
+        if (! empty($results['plugins'])) {
             foreach ($results['plugins'] as $slug => $plugin) {
                 $parsed['plugins'][] = [
                     'name' => $slug,
                     'version' => $plugin['version']['number'] ?? __('Unknown'),
                 ];
 
-                if (!empty($plugin['vulnerabilities'])) {
+                if (! empty($plugin['vulnerabilities'])) {
                     foreach ($plugin['vulnerabilities'] as $vuln) {
                         $parsed['vulnerabilities'][] = [
                             'type' => __('Plugin: :name', ['name' => $slug]),
@@ -1095,7 +1150,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
         }
 
         // Interesting findings
-        if (!empty($results['interesting_findings'])) {
+        if (! empty($results['interesting_findings'])) {
             foreach ($results['interesting_findings'] as $finding) {
                 $parsed['interesting_findings'][] = [
                     'type' => $finding['type'] ?? 'info',
@@ -1201,11 +1256,10 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
             ->infolist([
                 Section::make(__('Discovered Sites'))
                     ->schema(
-                        collect($this->scannedSites)->map(fn ($site, $index) =>
-                            TextEntry::make("site_{$index}")
-                                ->label($site['site_url'] ?? __('WordPress Site'))
-                                ->state($site['path'])
-                                ->helperText(isset($site['version']) ? 'v' . $site['version'] : '')
+                        collect($this->scannedSites)->map(fn ($site, $index) => TextEntry::make("site_{$index}")
+                            ->label($site['site_url'] ?? __('WordPress Site'))
+                            ->state($site['path'])
+                            ->helperText(isset($site['version']) ? 'v'.$site['version'] : '')
                         )->toArray()
                     ),
             ]);
@@ -1253,7 +1307,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
                                 ->label(__('Version'))
                                 ->state($results['wordpress_version']['number'])
                                 ->badge()
-                                ->color(match($results['wordpress_version']['status'] ?? '') {
+                                ->color(match ($results['wordpress_version']['status'] ?? '') {
                                     'insecure' => 'danger',
                                     'outdated' => 'warning',
                                     default => 'success',
@@ -1271,7 +1325,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
                             ->helperText($vuln['fixed_in'] ? __('Fixed in: :version', ['version' => $vuln['fixed_in']]) : '')
                             ->color('danger');
                     }
-                    $schema[] = Section::make(__('Vulnerabilities Found') . " ({$vulnCount})")
+                    $schema[] = Section::make(__('Vulnerabilities Found')." ({$vulnCount})")
                         ->icon('heroicon-o-exclamation-triangle')
                         ->iconColor('danger')
                         ->schema($vulnEntries);
@@ -1283,7 +1337,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
                 }
 
                 // Interesting findings
-                if (!empty($results['interesting_findings'])) {
+                if (! empty($results['interesting_findings'])) {
                     $findingEntries = [];
                     foreach (array_slice($results['interesting_findings'], 0, 10) as $index => $finding) {
                         $findingEntries[] = TextEntry::make("finding_{$index}")
@@ -1297,16 +1351,16 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
                 }
 
                 // Detected plugins
-                if (!empty($results['plugins'])) {
+                if (! empty($results['plugins'])) {
                     $pluginEntries = [];
                     foreach ($results['plugins'] as $index => $plugin) {
                         $pluginEntries[] = TextEntry::make("plugin_{$index}")
                             ->hiddenLabel()
-                            ->state($plugin['name'] . ' v' . $plugin['version'])
+                            ->state($plugin['name'].' v'.$plugin['version'])
                             ->badge()
                             ->color('gray');
                     }
-                    $schema[] = Section::make(__('Detected Plugins') . ' (' . count($results['plugins']) . ')')
+                    $schema[] = Section::make(__('Detected Plugins').' ('.count($results['plugins']).')')
                         ->icon('heroicon-o-puzzle-piece')
                         ->collapsed()
                         ->schema($pluginEntries);
@@ -1319,11 +1373,12 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
     public function captureScreenshot(string $siteId): void
     {
         $site = collect($this->sites)->firstWhere('id', $siteId);
-        if (!$site) {
+        if (! $site) {
             Notification::make()
                 ->title(__('Site not found'))
                 ->danger()
                 ->send();
+
             return;
         }
 
@@ -1332,22 +1387,23 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
         try {
             // Ensure screenshots directory exists
             $screenshotDir = storage_path('app/public/screenshots');
-            if (!is_dir($screenshotDir)) {
+            if (! is_dir($screenshotDir)) {
                 mkdir($screenshotDir, 0755, true);
             }
 
-            $filename = 'wp_' . $siteId . '.png';
-            $filepath = $screenshotDir . '/' . $filename;
+            $filename = 'wp_'.$siteId.'.png';
+            $filepath = $screenshotDir.'/'.$filename;
 
             // Use screenshot wrapper script that handles Chromium crashpad issues
             $screenshotBin = base_path('bin/screenshot');
 
-            if (!file_exists($screenshotBin) || !is_executable($screenshotBin)) {
+            if (! file_exists($screenshotBin) || ! is_executable($screenshotBin)) {
                 Notification::make()
                     ->title(__('Screenshot failed'))
                     ->body(__('Screenshot script not found.'))
                     ->warning()
                     ->send();
+
                 return;
             }
 
@@ -1370,7 +1426,7 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
             } else {
                 Notification::make()
                     ->title(__('Screenshot failed'))
-                    ->body(__('Could not capture screenshot. Error: ') . implode("\n", $output))
+                    ->body(__('Could not capture screenshot. Error: ').implode("\n", $output))
                     ->warning()
                     ->send();
             }
@@ -1385,12 +1441,12 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
 
     public function getScreenshotUrl(string $siteId): ?string
     {
-        $filename = 'wp_' . $siteId . '.png';
-        $filepath = storage_path('app/public/screenshots/' . $filename);
+        $filename = 'wp_'.$siteId.'.png';
+        $filepath = storage_path('app/public/screenshots/'.$filename);
 
         if (file_exists($filepath)) {
             // Add timestamp to bust cache
-            return asset('storage/screenshots/' . $filename) . '?t=' . filemtime($filepath);
+            return asset('storage/screenshots/'.$filename).'?t='.filemtime($filepath);
         }
 
         return null;
@@ -1398,7 +1454,8 @@ class WordPress extends Page implements HasForms, HasActions, HasTable
 
     public function hasScreenshot(string $siteId): bool
     {
-        $filename = 'wp_' . $siteId . '.png';
-        return file_exists(storage_path('app/public/screenshots/' . $filename));
+        $filename = 'wp_'.$siteId.'.png';
+
+        return file_exists(storage_path('app/public/screenshots/'.$filename));
     }
 }
diff --git a/app/Http/Controllers/AutomationApiController.php b/app/Http/Controllers/AutomationApiController.php
new file mode 100644
index 0000000..bd406a7
--- /dev/null
+++ b/app/Http/Controllers/AutomationApiController.php
@@ -0,0 +1,153 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers;
+
+use App\Models\Domain;
+use App\Models\HostingPackage;
+use App\Models\User;
+use App\Models\UserResourceLimit;
+use App\Services\Agent\AgentClient;
+use App\Services\System\LinuxUserService;
+use App\Services\System\ResourceLimitService;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Validator;
+
+class AutomationApiController extends Controller
+{
+    public function listUsers(): JsonResponse
+    {
+        $users = User::query()
+            ->where('is_admin', false)
+            ->get(['id', 'name', 'username', 'email', 'is_active', 'hosting_package_id']);
+
+        return response()->json(['users' => $users]);
+    }
+
+    public function createUser(Request $request): JsonResponse
+    {
+        $validator = Validator::make($request->all(), [
+            'name' => ['required', 'string', 'max:255'],
+            'username' => ['required', 'string', 'max:32', 'regex:/^[a-z][a-z0-9_]{0,31}$/', 'unique:users,username'],
+            'email' => ['required', 'email', 'max:255', 'unique:users,email'],
+            'password' => ['required', 'string', 'min:8'],
+            'hosting_package_id' => ['nullable', 'exists:hosting_packages,id'],
+        ]);
+
+        if ($validator->fails()) {
+            return response()->json(['errors' => $validator->errors()], 422);
+        }
+
+        $data = $validator->validated();
+        $package = null;
+        if (! empty($data['hosting_package_id'])) {
+            $package = HostingPackage::find($data['hosting_package_id']);
+        }
+
+        $user = User::create([
+            'name' => $data['name'],
+            'username' => $data['username'],
+            'email' => $data['email'],
+            'password' => $data['password'],
+            'sftp_password' => $data['password'],
+            'is_admin' => false,
+            'is_active' => true,
+            'hosting_package_id' => $package?->id,
+            'disk_quota_mb' => $package?->disk_quota_mb,
+        ]);
+
+        try {
+            $linux = new LinuxUserService;
+            $linux->createUser($user, $data['password']);
+        } catch (\Exception $e) {
+            $user->delete();
+
+            return response()->json(['error' => $e->getMessage()], 500);
+        }
+
+        if ($package && $package->disk_quota_mb) {
+            try {
+                $agent = new AgentClient;
+                $agent->quotaSet($user->username, (int) $package->disk_quota_mb);
+            } catch (\Exception) {
+                // keep user created, quota can be applied later
+            }
+        }
+
+        if ($package) {
+            $cpu = $package->cpu_limit_percent;
+            $memory = $package->memory_limit_mb;
+            $io = $package->io_limit_mb;
+            $hasLimits = ($cpu && $cpu > 0) || ($memory && $memory > 0) || ($io && $io > 0);
+
+            if ($hasLimits) {
+                $limit = UserResourceLimit::firstOrNew(['user_id' => $user->id]);
+                $limit->fill([
+                    'cpu_limit_percent' => $cpu,
+                    'memory_limit_mb' => $memory,
+                    'io_limit_mb' => $io,
+                    'is_active' => true,
+                ])->save();
+
+                try {
+                    app(ResourceLimitService::class)->apply($limit);
+                } catch (\Exception) {
+                    // cgroup apply failure shouldn't block user creation
+                }
+            }
+        }
+
+        return response()->json(['user' => $user], 201);
+    }
+
+    public function createDomain(Request $request): JsonResponse
+    {
+        $validator = Validator::make($request->all(), [
+            'username' => ['nullable', 'string'],
+            'user_id' => ['nullable', 'integer', 'exists:users,id'],
+            'domain' => ['required', 'string'],
+        ]);
+
+        if ($validator->fails()) {
+            return response()->json(['errors' => $validator->errors()], 422);
+        }
+
+        $data = $validator->validated();
+
+        $user = null;
+        if (! empty($data['user_id'])) {
+            $user = User::where('id', $data['user_id'])->where('is_admin', false)->first();
+        } elseif (! empty($data['username'])) {
+            $user = User::where('username', $data['username'])->where('is_admin', false)->first();
+        }
+
+        if (! $user) {
+            return response()->json(['error' => 'User not found'], 404);
+        }
+
+        $limit = $user->hostingPackage?->domains_limit;
+        if ($limit && Domain::where('user_id', $user->id)->count() >= $limit) {
+            return response()->json(['error' => 'Domain limit reached'], 409);
+        }
+
+        $agent = new AgentClient;
+        $result = $agent->domainCreate($user->username, $data['domain']);
+        if (! ($result['success'] ?? false)) {
+            return response()->json(['error' => $result['error'] ?? 'Domain creation failed'], 500);
+        }
+
+        $domain = Domain::create([
+            'user_id' => $user->id,
+            'domain' => $data['domain'],
+            'document_root' => '/home/'.$user->username.'/domains/'.$data['domain'].'/public_html',
+            'is_active' => true,
+            'ssl_enabled' => false,
+            'directory_index' => 'index.php index.html',
+            'page_cache_enabled' => false,
+        ]);
+
+        return response()->json(['domain' => $domain], 201);
+    }
+}
diff --git a/app/Http/Controllers/GitWebhookController.php b/app/Http/Controllers/GitWebhookController.php
new file mode 100644
index 0000000..ecb2283
--- /dev/null
+++ b/app/Http/Controllers/GitWebhookController.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Http\Controllers;
+
+use App\Jobs\RunGitDeployment;
+use App\Models\GitDeployment;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+
+class GitWebhookController extends Controller
+{
+    public function __invoke(Request $request, GitDeployment $deployment, string $token): JsonResponse
+    {
+        if (! hash_equals($deployment->secret_token, $token)) {
+            return response()->json(['message' => 'Invalid token'], 403);
+        }
+
+        if (! $deployment->auto_deploy) {
+            return response()->json(['message' => 'Auto-deploy disabled'], 202);
+        }
+
+        RunGitDeployment::dispatch($deployment->id);
+
+        return response()->json(['message' => 'Deployment queued']);
+    }
+}
diff --git a/app/Jobs/RunGitDeployment.php b/app/Jobs/RunGitDeployment.php
new file mode 100644
index 0000000..619ce6a
--- /dev/null
+++ b/app/Jobs/RunGitDeployment.php
@@ -0,0 +1,70 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Jobs;
+
+use App\Models\GitDeployment;
+use App\Services\Agent\AgentClient;
+use Exception;
+use Illuminate\Bus\Queueable;
+use Illuminate\Contracts\Queue\ShouldQueue;
+use Illuminate\Foundation\Bus\Dispatchable;
+use Illuminate\Queue\InteractsWithQueue;
+use Illuminate\Queue\SerializesModels;
+use Illuminate\Support\Facades\Log;
+
+class RunGitDeployment implements ShouldQueue
+{
+    use Dispatchable;
+    use InteractsWithQueue;
+    use Queueable;
+    use SerializesModels;
+
+    public function __construct(public int $deploymentId) {}
+
+    public function handle(): void
+    {
+        $deployment = GitDeployment::find($this->deploymentId);
+        if (! $deployment) {
+            return;
+        }
+
+        $deployment->update([
+            'last_status' => 'running',
+            'last_error' => null,
+        ]);
+
+        $agent = new AgentClient;
+
+        try {
+            $result = $agent->send('git.deploy', [
+                'username' => $deployment->user->username,
+                'repo_url' => $deployment->repo_url,
+                'branch' => $deployment->branch,
+                'deploy_path' => $deployment->deploy_path,
+                'deploy_script' => $deployment->deploy_script,
+            ]);
+
+            if (! ($result['success'] ?? false)) {
+                throw new Exception($result['error'] ?? 'Deployment failed');
+            }
+
+            $deployment->update([
+                'last_status' => 'success',
+                'last_deployed_at' => now(),
+                'last_error' => null,
+            ]);
+        } catch (Exception $e) {
+            $deployment->update([
+                'last_status' => 'failed',
+                'last_error' => $e->getMessage(),
+            ]);
+
+            Log::error('Git deployment failed', [
+                'deployment_id' => $deployment->id,
+                'error' => $e->getMessage(),
+            ]);
+        }
+    }
+}
diff --git a/app/Models/CloudflareZone.php b/app/Models/CloudflareZone.php
new file mode 100644
index 0000000..70c0062
--- /dev/null
+++ b/app/Models/CloudflareZone.php
@@ -0,0 +1,49 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+use Illuminate\Support\Facades\Crypt;
+
+class CloudflareZone extends Model
+{
+    protected $fillable = [
+        'user_id',
+        'domain_id',
+        'zone_id',
+        'account_id',
+        'api_token',
+    ];
+
+    protected $hidden = [
+        'api_token',
+    ];
+
+    public function setApiTokenAttribute(string $value): void
+    {
+        $this->attributes['api_token'] = Crypt::encryptString($value);
+    }
+
+    public function getApiTokenAttribute(): string
+    {
+        $value = $this->attributes['api_token'] ?? '';
+        if ($value === '') {
+            return '';
+        }
+
+        return Crypt::decryptString($value);
+    }
+
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+
+    public function domain(): BelongsTo
+    {
+        return $this->belongsTo(Domain::class);
+    }
+}
diff --git a/app/Models/Domain.php b/app/Models/Domain.php
index 3ad5465..9873810 100644
--- a/app/Models/Domain.php
+++ b/app/Models/Domain.php
@@ -48,6 +48,9 @@ class Domain extends Model
             // Delete hotlink settings
             $domain->hotlinkSetting?->delete();
 
+            // Delete aliases
+            $domain->aliases()->delete();
+
             // Delete email domain and related records
             if ($domain->emailDomain) {
                 // Delete mailboxes (which will cascade to autoresponders)
@@ -103,6 +106,11 @@ class Domain extends Model
         return $this->hasMany(DomainRedirect::class);
     }
 
+    public function aliases(): HasMany
+    {
+        return $this->hasMany(DomainAlias::class);
+    }
+
     public function hotlinkSetting(): HasOne
     {
         return $this->hasOne(DomainHotlinkSetting::class);
diff --git a/app/Models/DomainAlias.php b/app/Models/DomainAlias.php
new file mode 100644
index 0000000..4bcee0d
--- /dev/null
+++ b/app/Models/DomainAlias.php
@@ -0,0 +1,21 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+class DomainAlias extends Model
+{
+    protected $fillable = [
+        'domain_id',
+        'alias',
+    ];
+
+    public function domain(): BelongsTo
+    {
+        return $this->belongsTo(Domain::class);
+    }
+}
diff --git a/app/Models/GeoBlockRule.php b/app/Models/GeoBlockRule.php
new file mode 100644
index 0000000..4e6c676
--- /dev/null
+++ b/app/Models/GeoBlockRule.php
@@ -0,0 +1,24 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Model;
+
+class GeoBlockRule extends Model
+{
+    use HasFactory;
+
+    protected $fillable = [
+        'country_code',
+        'action',
+        'notes',
+        'is_active',
+    ];
+
+    protected $casts = [
+        'is_active' => 'boolean',
+    ];
+}
diff --git a/app/Models/GitDeployment.php b/app/Models/GitDeployment.php
new file mode 100644
index 0000000..8b94834
--- /dev/null
+++ b/app/Models/GitDeployment.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+class GitDeployment extends Model
+{
+    protected $fillable = [
+        'user_id',
+        'domain_id',
+        'repo_url',
+        'branch',
+        'deploy_path',
+        'auto_deploy',
+        'deploy_script',
+        'last_status',
+        'last_deployed_at',
+        'last_error',
+        'secret_token',
+    ];
+
+    protected $casts = [
+        'auto_deploy' => 'boolean',
+        'last_deployed_at' => 'datetime',
+    ];
+
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+
+    public function domain(): BelongsTo
+    {
+        return $this->belongsTo(Domain::class);
+    }
+}
diff --git a/app/Models/HostingPackage.php b/app/Models/HostingPackage.php
new file mode 100644
index 0000000..62bb86b
--- /dev/null
+++ b/app/Models/HostingPackage.php
@@ -0,0 +1,37 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\HasMany;
+
+class HostingPackage extends Model
+{
+    use HasFactory;
+
+    protected $fillable = [
+        'name',
+        'description',
+        'disk_quota_mb',
+        'bandwidth_gb',
+        'domains_limit',
+        'databases_limit',
+        'mailboxes_limit',
+        'cpu_limit_percent',
+        'memory_limit_mb',
+        'io_limit_mb',
+        'is_active',
+    ];
+
+    protected $casts = [
+        'is_active' => 'boolean',
+    ];
+
+    public function users(): HasMany
+    {
+        return $this->hasMany(User::class);
+    }
+}
diff --git a/app/Models/User.php b/app/Models/User.php
index 1abe61a..e47e139 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
@@ -11,10 +11,11 @@ use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Foundation\Auth\User as Authenticatable;
 use Illuminate\Notifications\Notifiable;
 use Laravel\Fortify\TwoFactorAuthenticatable;
+use Laravel\Sanctum\HasApiTokens;
 
 class User extends Authenticatable implements FilamentUser
 {
-    use HasFactory, Notifiable, TwoFactorAuthenticatable;
+    use HasApiTokens, HasFactory, Notifiable, TwoFactorAuthenticatable;
 
     protected $fillable = [
         'name',
@@ -25,6 +26,7 @@ class User extends Authenticatable implements FilamentUser
         'sftp_password',
         'is_admin',
         'is_active',
+        'hosting_package_id',
         'locale',
         'disk_quota_mb',
     ];
@@ -147,6 +149,11 @@ class User extends Authenticatable implements FilamentUser
         return $this->hasMany(Domain::class);
     }
 
+    public function hostingPackage(): \Illuminate\Database\Eloquent\Relations\BelongsTo
+    {
+        return $this->belongsTo(HostingPackage::class);
+    }
+
     /**
      * Get disk usage in bytes.
      */
diff --git a/app/Models/UserResourceLimit.php b/app/Models/UserResourceLimit.php
new file mode 100644
index 0000000..06e3807
--- /dev/null
+++ b/app/Models/UserResourceLimit.php
@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+class UserResourceLimit extends Model
+{
+    use HasFactory;
+
+    protected $fillable = [
+        'user_id',
+        'cpu_limit_percent',
+        'memory_limit_mb',
+        'io_limit_mb',
+        'is_active',
+    ];
+
+    protected $casts = [
+        'is_active' => 'boolean',
+    ];
+
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+}
diff --git a/app/Models/UserResourceUsage.php b/app/Models/UserResourceUsage.php
new file mode 100644
index 0000000..344be64
--- /dev/null
+++ b/app/Models/UserResourceUsage.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+class UserResourceUsage extends Model
+{
+    protected $fillable = [
+        'user_id',
+        'metric',
+        'value',
+        'captured_at',
+    ];
+
+    protected $casts = [
+        'value' => 'integer',
+        'captured_at' => 'datetime',
+    ];
+
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+}
diff --git a/app/Models/UserSetting.php b/app/Models/UserSetting.php
new file mode 100644
index 0000000..a5aac4c
--- /dev/null
+++ b/app/Models/UserSetting.php
@@ -0,0 +1,65 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+use Illuminate\Support\Facades\Cache;
+
+class UserSetting extends Model
+{
+    protected $fillable = [
+        'user_id',
+        'key',
+        'value',
+    ];
+
+    protected $casts = [
+        'value' => 'json',
+    ];
+
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+
+    public static function getForUser(int $userId, string $key, mixed $default = null): mixed
+    {
+        return Cache::remember("user_setting.{$userId}.{$key}", 3600, function () use ($userId, $key, $default) {
+            return static::query()
+                ->where('user_id', $userId)
+                ->where('key', $key)
+                ->value('value') ?? $default;
+        });
+    }
+
+    public static function setForUser(int $userId, string $key, mixed $value): void
+    {
+        static::updateOrCreate(
+            ['user_id' => $userId, 'key' => $key],
+            ['value' => $value]
+        );
+
+        Cache::forget("user_setting.{$userId}.{$key}");
+    }
+
+    public static function forgetForUser(int $userId, string $key): void
+    {
+        static::query()
+            ->where('user_id', $userId)
+            ->where('key', $key)
+            ->delete();
+
+        Cache::forget("user_setting.{$userId}.{$key}");
+    }
+
+    public static function getAllForUser(int $userId): array
+    {
+        return static::query()
+            ->where('user_id', $userId)
+            ->pluck('value', 'key')
+            ->toArray();
+    }
+}
diff --git a/app/Models/WebhookEndpoint.php b/app/Models/WebhookEndpoint.php
new file mode 100644
index 0000000..fc0dc03
--- /dev/null
+++ b/app/Models/WebhookEndpoint.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Models;
+
+use Illuminate\Database\Eloquent\Factories\HasFactory;
+use Illuminate\Database\Eloquent\Model;
+
+class WebhookEndpoint extends Model
+{
+    use HasFactory;
+
+    protected $fillable = [
+        'name',
+        'url',
+        'events',
+        'is_active',
+        'secret_token',
+        'last_response_code',
+        'last_triggered_at',
+    ];
+
+    protected $casts = [
+        'events' => 'array',
+        'is_active' => 'boolean',
+        'last_triggered_at' => 'datetime',
+    ];
+}
diff --git a/app/Services/Agent/AgentClient.php b/app/Services/Agent/AgentClient.php
index 88aa61b..a0c48a1 100644
--- a/app/Services/Agent/AgentClient.php
+++ b/app/Services/Agent/AgentClient.php
@@ -227,6 +227,45 @@ class AgentClient
         return $this->send('file.list_trash', ['username' => $username]);
     }
 
+    // Git deployment
+    public function gitGenerateKey(string $username): array
+    {
+        return $this->send('git.generate_key', ['username' => $username]);
+    }
+
+    public function gitDeploy(string $username, string $repoUrl, string $branch, string $deployPath, ?string $deployScript = null): array
+    {
+        return $this->send('git.deploy', [
+            'username' => $username,
+            'repo_url' => $repoUrl,
+            'branch' => $branch,
+            'deploy_path' => $deployPath,
+            'deploy_script' => $deployScript,
+        ]);
+    }
+
+    // Spam settings (Rspamd)
+    public function rspamdUserSettings(string $username, array $whitelist = [], array $blacklist = [], ?float $score = null): array
+    {
+        return $this->send('rspamd.user_settings', [
+            'username' => $username,
+            'whitelist' => $whitelist,
+            'blacklist' => $blacklist,
+            'score' => $score,
+        ]);
+    }
+
+    // Image optimization
+    public function imageOptimize(string $username, string $path, bool $convertWebp = false, int $quality = 82): array
+    {
+        return $this->send('image.optimize', [
+            'username' => $username,
+            'path' => $path,
+            'convert_webp' => $convertWebp,
+            'quality' => $quality,
+        ]);
+    }
+
     // MySQL operations
     public function mysqlListDatabases(string $username): array
     {
@@ -293,12 +332,101 @@ class AgentClient
         return $this->send('mysql.export_database', ['username' => $username, 'database' => $database, 'output_file' => $outputFile, 'compress' => $compress]);
     }
 
+    // PostgreSQL operations
+    public function postgresListDatabases(string $username): array
+    {
+        return $this->send('postgres.list_databases', ['username' => $username]);
+    }
+
+    public function postgresListUsers(string $username): array
+    {
+        return $this->send('postgres.list_users', ['username' => $username]);
+    }
+
+    public function postgresCreateDatabase(string $username, string $database, string $owner): array
+    {
+        return $this->send('postgres.create_database', [
+            'username' => $username,
+            'database' => $database,
+            'owner' => $owner,
+        ]);
+    }
+
+    public function postgresDeleteDatabase(string $username, string $database): array
+    {
+        return $this->send('postgres.delete_database', [
+            'username' => $username,
+            'database' => $database,
+        ]);
+    }
+
+    public function postgresCreateUser(string $username, string $dbUser, string $password): array
+    {
+        return $this->send('postgres.create_user', [
+            'username' => $username,
+            'db_user' => $dbUser,
+            'password' => $password,
+        ]);
+    }
+
+    public function postgresDeleteUser(string $username, string $dbUser): array
+    {
+        return $this->send('postgres.delete_user', [
+            'username' => $username,
+            'db_user' => $dbUser,
+        ]);
+    }
+
+    public function postgresChangePassword(string $username, string $dbUser, string $password): array
+    {
+        return $this->send('postgres.change_password', [
+            'username' => $username,
+            'db_user' => $dbUser,
+            'password' => $password,
+        ]);
+    }
+
+    public function postgresGrantPrivileges(string $username, string $database, string $dbUser): array
+    {
+        return $this->send('postgres.grant_privileges', [
+            'username' => $username,
+            'database' => $database,
+            'db_user' => $dbUser,
+        ]);
+    }
+
     // Domain operations
     public function domainCreate(string $username, string $domain): array
     {
         return $this->send('domain.create', ['username' => $username, 'domain' => $domain]);
     }
 
+    public function domainAliasAdd(string $username, string $domain, string $alias): array
+    {
+        return $this->send('domain.alias_add', [
+            'username' => $username,
+            'domain' => $domain,
+            'alias' => $alias,
+        ]);
+    }
+
+    public function domainAliasRemove(string $username, string $domain, string $alias): array
+    {
+        return $this->send('domain.alias_remove', [
+            'username' => $username,
+            'domain' => $domain,
+            'alias' => $alias,
+        ]);
+    }
+
+    public function domainEnsureErrorPages(string $username, string $domain): array
+    {
+        return $this->send('domain.ensure_error_pages', [
+            'username' => $username,
+            'domain' => $domain,
+        ]);
+    }
+
     public function domainDelete(string $username, string $domain, bool $deleteFiles = false): array
     {
         return $this->send('domain.delete', ['username' => $username, 'domain' => $domain, 'delete_files' => $deleteFiles]);
@@ -360,6 +488,23 @@ class AgentClient
         return $this->send('wp.import', $params);
     }
 
+    public function wpCreateStaging(string $username, string $siteId, string $subdomain): array
+    {
+        return $this->send('wp.create_staging', [
+            'username' => $username,
+            'site_id' => $siteId,
+            'subdomain' => $subdomain,
+        ]);
+    }
+
+    public function wpPushStaging(string $username, string $stagingSiteId): array
+    {
+        return $this->send('wp.push_staging', [
+            'username' => $username,
+            'staging_site_id' => $stagingSiteId,
+        ]);
+    }
+
     // WordPress Cache Methods
     public function wpCacheEnable(string $username, string $siteId): array
     {
@@ -554,6 +699,15 @@ class AgentClient
         return $this->send('email.sync_virtual_users', ['domain' => $domain]);
     }
 
+    public function emailSyncMaps(array $domains, array $mailboxes, array $aliases): array
+    {
+        return $this->send('email.sync_maps', [
+            'domains' => $domains,
+            'mailboxes' => $mailboxes,
+            'aliases' => $aliases,
+        ]);
+    }
+
     public function emailReloadServices(): array
     {
         return $this->send('email.reload_services');
@@ -1151,4 +1305,77 @@ class AgentClient
     {
         return $this->send('scanner.get_scan_status', ['scanner' => $scanner]);
     }
+
+    // Mail queue operations
+    public function mailQueueList(): array
+    {
+        return $this->send('mail.queue_list');
+    }
+
+    public function mailQueueRetry(string $id): array
+    {
+        return $this->send('mail.queue_retry', ['id' => $id]);
+    }
+
+    public function mailQueueDelete(string $id): array
+    {
+        return $this->send('mail.queue_delete', ['id' => $id]);
+    }
+
+    // Server updates
+    public function updatesList(): array
+    {
+        return $this->send('updates.list');
+    }
+
+    public function updatesRun(): array
+    {
+        return $this->send('updates.run');
+    }
+
+    // WAF / Geo / Resource limits
+    public function wafApplySettings(bool $enabled, string $paranoia, bool $auditLog): array
+    {
+        return $this->send('waf.apply', [
+            'enabled' => $enabled,
+            'paranoia' => $paranoia,
+            'audit_log' => $auditLog,
+        ]);
+    }
+
+    public function geoApplyRules(array $rules): array
+    {
+        return $this->send('geo.apply_rules', [
+            'rules' => $rules,
+        ]);
+    }
+
+    public function cgroupApplyUserLimits(string $username, ?int $cpuLimit, ?int $memoryLimit, ?int $ioLimit, bool $isActive = true): array
+    {
+        if (! $isActive) {
+            return $this->cgroupClearUserLimits($username);
+        }
+
+        return $this->send('cgroup.apply_user_limits', [
+            'username' => $username,
+            'cpu_limit_percent' => $cpuLimit,
+            'memory_limit_mb' => $memoryLimit,
+            'io_limit_mb' => $ioLimit,
+        ]);
+    }
+
+    public function cgroupClearUserLimits(string $username): array
+    {
+        return $this->send('cgroup.clear_user_limits', [
+            'username' => $username,
+        ]);
+    }
+
+    public function databasePersistTuning(string $name, string $value): array
+    {
+        return $this->send('database.persist_tuning', [
+            'name' => $name,
+            'value' => $value,
+        ]);
+    }
 }
diff --git a/app/Services/System/GeoBlockService.php b/app/Services/System/GeoBlockService.php
new file mode 100644
index 0000000..29f5a22
--- /dev/null
+++ b/app/Services/System/GeoBlockService.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\System;
+
+use App\Models\GeoBlockRule;
+use App\Services\Agent\AgentClient;
+
+class GeoBlockService
+{
+    public function applyCurrentRules(): void
+    {
+        $rules = GeoBlockRule::query()
+            ->where('is_active', true)
+            ->get(['country_code', 'action'])
+            ->map(static function ($rule): array {
+                return [
+                    'country_code' => strtoupper((string) $rule->country_code),
+                    'action' => $rule->action,
+                    'is_active' => true,
+                ];
+            })
+            ->values()
+            ->toArray();
+
+        $agent = new AgentClient;
+        $agent->geoApplyRules($rules);
+    }
+}
diff --git a/app/Services/System/MailRoutingSyncService.php b/app/Services/System/MailRoutingSyncService.php
new file mode 100644
index 0000000..0886d50
--- /dev/null
+++ b/app/Services/System/MailRoutingSyncService.php
@@ -0,0 +1,68 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\System;
+
+use App\Models\EmailDomain;
+use App\Models\EmailForwarder;
+use App\Models\Mailbox;
+use App\Services\Agent\AgentClient;
+
+class MailRoutingSyncService
+{
+    public function sync(): void
+    {
+        $domains = EmailDomain::query()
+            ->where('is_active', true)
+            ->with('domain')
+            ->get()
+            ->map(fn ($domain) => $domain->domain?->domain)
+            ->filter()
+            ->unique()
+            ->values()
+            ->toArray();
+
+        $mailboxes = Mailbox::query()
+            ->where('is_active', true)
+            ->with('emailDomain.domain')
+            ->get()
+            ->map(function (Mailbox $mailbox): array {
+                return [
+                    'email' => $mailbox->email,
+                    'path' => $mailbox->maildir_path,
+                ];
+            })
+            ->toArray();
+
+        $aliases = EmailForwarder::query()
+            ->where('is_active', true)
+            ->with('emailDomain.domain')
+            ->get()
+            ->map(function (EmailForwarder $forwarder): array {
+                return [
+                    'source' => $forwarder->email,
+                    'destinations' => $forwarder->destinations ?? [],
+                ];
+            })
+            ->toArray();
+
+        $catchAll = EmailDomain::query()
+            ->where('catch_all_enabled', true)
+            ->with('domain')
+            ->get()
+            ->map(function (EmailDomain $domain): array {
+                return [
+                    'source' => '@'.$domain->domain->domain,
+                    'destinations' => $domain->catch_all_address ? [$domain->catch_all_address] : [],
+                ];
+            })
+            ->filter(fn (array $entry) => ! empty($entry['destinations']))
+            ->toArray();
+
+        $aliases = array_merge($aliases, $catchAll);
+
+        $agent = new AgentClient;
+        $agent->emailSyncMaps($domains, $mailboxes, $aliases);
+    }
+}
diff --git a/app/Services/System/ResourceLimitService.php b/app/Services/System/ResourceLimitService.php
new file mode 100644
index 0000000..f00bbe1
--- /dev/null
+++ b/app/Services/System/ResourceLimitService.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Services\System;
+
+use App\Models\UserResourceLimit;
+use App\Services\Agent\AgentClient;
+use RuntimeException;
+
+class ResourceLimitService
+{
+    public function apply(UserResourceLimit $limit): void
+    {
+        $user = $limit->user;
+        if (! $user) {
+            throw new RuntimeException('User not found for resource limit.');
+        }
+
+        $agent = new AgentClient;
+        $agent->cgroupApplyUserLimits(
+            $user->username,
+            $limit->cpu_limit_percent ? (int) $limit->cpu_limit_percent : null,
+            $limit->memory_limit_mb ? (int) $limit->memory_limit_mb : null,
+            $limit->io_limit_mb ? (int) $limit->io_limit_mb : null,
+            (bool) $limit->is_active
+        );
+    }
+
+    public function clear(UserResourceLimit $limit): void
+    {
+        $user = $limit->user;
+        if (! $user) {
+            return;
+        }
+
+        $agent = new AgentClient;
+        $agent->cgroupClearUserLimits($user->username);
+    }
+}
diff --git a/bin/jabali-agent b/bin/jabali-agent
index 3387353..26704d0 100755
--- a/bin/jabali-agent
+++ b/bin/jabali-agent
@@ -21,6 +21,14 @@ define('DKIM_KEYS_DIR', '/etc/opendkim/keys');
 define('DNSSEC_KEYS_DIR', '/etc/bind/keys');
 define('DNSSEC_ALGORITHM', 'ECDSAP256SHA256'); // Algorithm 13 - recommended for modern DNSSEC
 
+// Jabali nginx include locations
+define('JABALI_NGINX_DIR', '/etc/nginx/jabali');
+define('JABALI_NGINX_INCLUDES', '/etc/nginx/jabali/includes');
+define('JABALI_WAF_INCLUDE', '/etc/nginx/jabali/includes/waf.conf');
+define('JABALI_GEO_INCLUDE', '/etc/nginx/jabali/includes/geo.conf');
+define('JABALI_WAF_RULES', '/etc/nginx/jabali/modsecurity.conf');
+define('JABALI_GEO_HTTP_CONF', '/etc/nginx/conf.d/jabali-geoip.conf');
+
 $protectedUsers = ['root', 'www-data', 'mysql', 'postgres', 'nobody', 'ubuntu', 'debian'];
 $allowedServices = ['nginx', 'apache2', 'php-fpm', 'php8.4-fpm', 'mysql', 'mariadb', 'postfix', 'dovecot', 'bind9', 'named'];
 
@@ -419,6 +427,9 @@ function handleAction(array $request): array
         'ufw.reload' => ufwReload($params),
         'ufw.allow_service' => ufwAllowService($params),
         'domain.create' => domainCreate($params),
+        'domain.alias_add' => domainAliasAdd($params),
+        'domain.alias_remove' => domainAliasRemove($params),
+        'domain.ensure_error_pages' => domainEnsureErrorPages($params),
         'domain.delete' => domainDelete($params),
         'domain.list' => domainList($params),
         'domain.toggle' => domainToggle($params),
@@ -448,6 +459,7 @@ function handleAction(array $request): array
         'wp.toggle_debug' => wpToggleDebug($params),
         'wp.toggle_auto_update' => wpToggleAutoUpdate($params),
         'wp.create_staging' => wpCreateStaging($params),
+        'wp.push_staging' => wpPushStaging($params),
         'wp.page_cache_enable' => wpPageCacheEnable($params),
         'wp.page_cache_disable' => wpPageCacheDisable($params),
         'wp.page_cache_purge' => wpPageCachePurge($params),
@@ -478,6 +490,7 @@ function handleAction(array $request): array
         'file.restore' => fileRestore($params),
         'file.empty_trash' => fileEmptyTrash($params),
         'file.list_trash' => fileListTrash($params),
+        'image.optimize' => imageOptimize($params),
         'mysql.list_databases' => mysqlListDatabases($params),
         'mysql.create_database' => mysqlCreateDatabase($params),
         'mysql.delete_database' => mysqlDeleteDatabase($params),
@@ -491,6 +504,14 @@ function handleAction(array $request): array
         'mysql.create_master_user' => mysqlCreateMasterUser($params),
         'mysql.import_database' => mysqlImportDatabase($params),
         'mysql.export_database' => mysqlExportDatabase($params),
+        'postgres.list_databases' => postgresListDatabases($params),
+        'postgres.list_users' => postgresListUsers($params),
+        'postgres.create_database' => postgresCreateDatabase($params),
+        'postgres.delete_database' => postgresDeleteDatabase($params),
+        'postgres.create_user' => postgresCreateUser($params),
+        'postgres.delete_user' => postgresDeleteUser($params),
+        'postgres.change_password' => postgresChangePassword($params),
+        'postgres.grant_privileges' => postgresGrantPrivileges($params),
         'service.restart' => restartService($params),
         'service.reload' => reloadService($params),
         'service.status' => getServiceStatus($params),
@@ -512,11 +533,23 @@ function handleAction(array $request): array
         'php.list_versions' => phpListVersions($params),
         'php.install_wp_modules' => phpInstallWordPressModules($params),
         'ssh.generate_key' => sshGenerateKey($params),
+        'git.generate_key' => gitGenerateKey($params),
+        'git.deploy' => gitDeploy($params),
+        'rspamd.user_settings' => rspamdUserSettings($params),
+        'usage.bandwidth_total' => usageBandwidthTotal($params),
+        'usage.user_resources' => usageUserResources($params),
         'server.set_hostname' => setHostname($params),
         'server.set_upload_limits' => setUploadLimits($params),
         'server.update_bind' => updateBindConfig($params),
         'server.info' => getServerInfo($params),
         'server.create_zone' => createServerZone($params),
+        'updates.list' => updatesList($params),
+        'updates.run' => updatesRun($params),
+        'waf.apply' => wafApplySettings($params),
+        'geo.apply_rules' => geoApplyRules($params),
+        'cgroup.apply_user_limits' => cgroupApplyUserLimits($params),
+        'cgroup.clear_user_limits' => cgroupClearUserLimits($params),
+        'database.persist_tuning' => databasePersistTuning($params),
         'server.export_config' => serverExportConfig($params),
         'server.import_config' => serverImportConfig($params),
         'server.get_resolvers' => serverGetResolvers($params),
@@ -556,11 +589,16 @@ function handleAction(array $request): array
         'email.forwarder_update' => emailForwarderUpdate($params),
         'email.forwarder_toggle' => emailForwarderToggle($params),
         'email.catchall_update' => emailCatchallUpdate($params),
+        'email.sync_maps' => emailSyncMaps($params),
         'email.get_logs' => emailGetLogs($params),
         'email.autoresponder_set' => emailAutoresponderSet($params),
         'email.autoresponder_toggle' => emailAutoresponderToggle($params),
         'email.autoresponder_delete' => emailAutoresponderDelete($params),
         'email.hash_password' => emailHashPassword($params),
+        // Mail queue operations
+        'mail.queue_list' => mailQueueList($params),
+        'mail.queue_retry' => mailQueueRetry($params),
+        'mail.queue_delete' => mailQueueDelete($params),
         'service.list' => serviceList($params),
         'service.start' => serviceStart($params),
         'service.stop' => serviceStop($params),
@@ -617,6 +655,7 @@ function handleAction(array $request): array
         'fail2ban.list_jails' => fail2banListJails($params),
         'fail2ban.enable_jail' => fail2banEnableJail($params),
         'fail2ban.disable_jail' => fail2banDisableJail($params),
+        'fail2ban.logs' => fail2banLogs($params),
         // ClamAV operations
         'clamav.status' => clamavStatus($params),
         'clamav.status_light' => clamavStatusLight($params),
@@ -1059,6 +1098,9 @@ server {
     server_name DOMAIN_PLACEHOLDER www.DOMAIN_PLACEHOLDER;
     root DOCROOT_PLACEHOLDER;
 
+    include /etc/nginx/jabali/includes/waf.conf;
+    include /etc/nginx/jabali/includes/geo.conf;
+
     # Allow ACME challenge for SSL certificate issuance/renewal
     location /.well-known/acme-challenge/ {
         try_files $uri =404;
@@ -1077,6 +1119,9 @@ server {
     server_name DOMAIN_PLACEHOLDER www.DOMAIN_PLACEHOLDER;
     root DOCROOT_PLACEHOLDER;
 
+    include /etc/nginx/jabali/includes/waf.conf;
+    include /etc/nginx/jabali/includes/geo.conf;
+
     # Symlink protection - prevent following symlinks outside document root
     disable_symlinks if_not_owner from=$document_root;
 
@@ -2728,6 +2773,406 @@ function nginxGetCompressionStatus(array $params): array
     ];
 }
 
+function ensureJabaliNginxIncludeFiles(): void
+{
+    if (!is_dir(JABALI_NGINX_INCLUDES)) {
+        @mkdir(JABALI_NGINX_INCLUDES, 0755, true);
+    }
+
+    if (!file_exists(JABALI_WAF_INCLUDE)) {
+        file_put_contents(JABALI_WAF_INCLUDE, "# Managed by Jabali\n");
+    }
+
+    if (!file_exists(JABALI_GEO_INCLUDE)) {
+        file_put_contents(JABALI_GEO_INCLUDE, "# Managed by Jabali\n");
+    }
+}
+
+function ensureNginxServerIncludes(array $includeLines): array
+{
+    $files = glob('/etc/nginx/sites-enabled/*.conf') ?: [];
+    $updated = 0;
+
+    foreach ($files as $file) {
+        $content = file_get_contents($file);
+        if ($content === false) {
+            continue;
+        }
+
+        $original = $content;
+        foreach ($includeLines as $line) {
+            if (strpos($content, $line) !== false) {
+                continue;
+            }
+
+            $content = preg_replace('/(server_name[^\n]*\n)/', "$1    {$line}\n", $content);
+        }
+
+        if ($content !== $original) {
+            file_put_contents($file, $content);
+            $updated++;
+        }
+    }
+
+    return [
+        'files' => count($files),
+        'updated' => $updated,
+    ];
+}
+
+function nginxTestAndReload(): array
+{
+    exec('nginx -t 2>&1', $testOutput, $testCode);
+    if ($testCode !== 0) {
+        return ['success' => false, 'error' => 'nginx configuration test failed: ' . implode("\n", $testOutput)];
+    }
+
+    exec('systemctl reload nginx 2>&1', $output, $exitCode);
+    if ($exitCode !== 0) {
+        return ['success' => false, 'error' => 'Failed to reload nginx'];
+    }
+
+    return ['success' => true];
+}
+
+function findWafBaseConfig(): ?string
+{
+    $paths = [
+        '/etc/nginx/modsec/main.conf',
+        '/etc/nginx/modsecurity.conf',
+        '/etc/modsecurity/modsecurity.conf',
+        '/etc/modsecurity/modsecurity.conf-recommended',
+    ];
+
+    foreach ($paths as $path) {
+        if (file_exists($path)) {
+            return $path;
+        }
+    }
+
+    return null;
+}
+
+function wafApplySettings(array $params): array
+{
+    $enabled = !empty($params['enabled']);
+    $paranoia = (int) ($params['paranoia'] ?? 1);
+    $paranoia = max(1, min(4, $paranoia));
+    $auditLog = !empty($params['audit_log']);
+
+    ensureJabaliNginxIncludeFiles();
+
+    $prevInclude = file_exists(JABALI_WAF_INCLUDE) ? file_get_contents(JABALI_WAF_INCLUDE) : null;
+    $prevRules = file_exists(JABALI_WAF_RULES) ? file_get_contents(JABALI_WAF_RULES) : null;
+
+    if ($enabled) {
+        $baseConfig = findWafBaseConfig();
+        if (!$baseConfig) {
+            return ['success' => false, 'error' => 'ModSecurity base configuration not found'];
+        }
+
+        $rules = [
+            '# Managed by Jabali',
+            'Include "' . $baseConfig . '"',
+            'SecRuleEngine On',
+            'SecAuditEngine ' . ($auditLog ? 'On' : 'Off'),
+            'SecAuditLog /var/log/nginx/modsec_audit.log',
+            'SecAction "id:900000,phase:1,t:none,pass,setvar:tx.paranoia_level=' . $paranoia . '"',
+            'SecAction "id:900110,phase:1,t:none,pass,setvar:tx.executing_paranoia_level=' . $paranoia . '"',
+        ];
+
+        file_put_contents(JABALI_WAF_RULES, implode("\n", $rules) . "\n");
+
+        $include = [
+            '# Managed by Jabali',
+            'modsecurity on;',
+            'modsecurity_rules_file ' . JABALI_WAF_RULES . ';',
+        ];
+
+        file_put_contents(JABALI_WAF_INCLUDE, implode("\n", $include) . "\n");
+    } else {
+        file_put_contents(JABALI_WAF_INCLUDE, "# Managed by Jabali\nmodsecurity off;\n");
+    }
+
+    ensureNginxServerIncludes([
+        'include ' . JABALI_WAF_INCLUDE . ';',
+    ]);
+
+    $reload = nginxTestAndReload();
+    if (!($reload['success'] ?? false)) {
+        if ($prevInclude === null) {
+            @unlink(JABALI_WAF_INCLUDE);
+        } else {
+            file_put_contents(JABALI_WAF_INCLUDE, $prevInclude);
+        }
+
+        if ($prevRules === null) {
+            @unlink(JABALI_WAF_RULES);
+        } else {
+            file_put_contents(JABALI_WAF_RULES, $prevRules);
+        }
+
+        return $reload;
+    }
+
+    return ['success' => true, 'enabled' => $enabled, 'paranoia' => $paranoia, 'audit_log' => $auditLog];
+}
+
+function geoApplyRules(array $params): array
+{
+    $rules = $params['rules'] ?? [];
+    $activeRules = array_values(array_filter($rules, function ($rule) {
+        return !isset($rule['is_active']) || !empty($rule['is_active']);
+    }));
+
+    $allow = array_values(array_filter($activeRules, fn ($rule) => ($rule['action'] ?? '') === 'allow'));
+    $block = array_values(array_filter($activeRules, fn ($rule) => ($rule['action'] ?? '') === 'block'));
+
+    ensureJabaliNginxIncludeFiles();
+
+    $prevGeoHttp = file_exists(JABALI_GEO_HTTP_CONF) ? file_get_contents(JABALI_GEO_HTTP_CONF) : null;
+    $prevGeoInclude = file_exists(JABALI_GEO_INCLUDE) ? file_get_contents(JABALI_GEO_INCLUDE) : null;
+
+    if (empty($allow) && empty($block)) {
+        file_put_contents(JABALI_GEO_HTTP_CONF, "# Managed by Jabali\n# No geo rules enabled\n");
+        file_put_contents(JABALI_GEO_INCLUDE, "# Managed by Jabali\n");
+        ensureNginxServerIncludes([
+            'include ' . JABALI_GEO_INCLUDE . ';',
+        ]);
+
+        $reload = nginxTestAndReload();
+        if (!($reload['success'] ?? false)) {
+            return $reload;
+        }
+
+        return ['success' => true, 'rules' => 0];
+    }
+
+    $mmdbPaths = [
+        '/usr/share/GeoIP/GeoLite2-Country.mmdb',
+        '/usr/local/share/GeoIP/GeoLite2-Country.mmdb',
+    ];
+    $mmdb = null;
+    foreach ($mmdbPaths as $path) {
+        if (file_exists($path)) {
+            $mmdb = $path;
+            break;
+        }
+    }
+
+    if (!$mmdb) {
+        return ['success' => false, 'error' => 'GeoIP database not found'];
+    }
+
+    exec('nginx -V 2>&1', $versionOutput, $versionCode);
+    $versionText = implode(' ', $versionOutput);
+    if (strpos($versionText, 'http_geoip2_module') === false && strpos($versionText, 'ngx_http_geoip2_module') === false) {
+        return ['success' => false, 'error' => 'nginx geoip2 module not available'];
+    }
+
+    $countryVar = '$jabali_geo_country_code';
+    $mapName = !empty($allow) ? '$jabali_geo_allow' : '$jabali_geo_block';
+    $mapLines = [
+        "map {$countryVar} {$mapName} {",
+        '    default 0;',
+    ];
+
+    $ruleset = !empty($allow) ? $allow : $block;
+    foreach ($ruleset as $rule) {
+        $code = strtoupper(trim($rule['country_code'] ?? ''));
+        if ($code === '') {
+            continue;
+        }
+
+        $mapLines[] = "    {$code} 1;";
+    }
+    $mapLines[] = '}';
+
+    $httpConf = [
+        '# Managed by Jabali',
+        "geoip2 {$mmdb} {",
+        "    {$countryVar} country iso_code;",
+        '}',
+        '',
+        ...$mapLines,
+    ];
+    file_put_contents(JABALI_GEO_HTTP_CONF, implode("\n", $httpConf) . "\n");
+
+    if (!empty($allow)) {
+        $geoInclude = "# Managed by Jabali\nif ({$mapName} = 0) { return 403; }\n";
+    } else {
+        $geoInclude = "# Managed by Jabali\nif ({$mapName} = 1) { return 403; }\n";
+    }
+
+    file_put_contents(JABALI_GEO_INCLUDE, $geoInclude);
+
+    ensureNginxServerIncludes([
+        'include ' . JABALI_GEO_INCLUDE . ';',
+    ]);
+
+    $reload = nginxTestAndReload();
+    if (!($reload['success'] ?? false)) {
+        if ($prevGeoHttp === null) {
+            @unlink(JABALI_GEO_HTTP_CONF);
+        } else {
+            file_put_contents(JABALI_GEO_HTTP_CONF, $prevGeoHttp);
+        }
+
+        if ($prevGeoInclude === null) {
+            @unlink(JABALI_GEO_INCLUDE);
+        } else {
+            file_put_contents(JABALI_GEO_INCLUDE, $prevGeoInclude);
+        }
+
+        return $reload;
+    }
+
+    return ['success' => true, 'rules' => count($ruleset)];
+}
+
+function getRootBlockDevice(): ?string
+{
+    exec('findmnt -no SOURCE / 2>/dev/null', $output, $code);
+    $source = trim($output[0] ?? '');
+    if ($source === '') {
+        return null;
+    }
+
+    if (str_starts_with($source, '/dev/')) {
+        return $source;
+    }
+
+    exec('readlink -f ' . escapeshellarg($source) . ' 2>/dev/null', $resolved, $resolvedCode);
+    $resolvedPath = trim($resolved[0] ?? '');
+
+    return $resolvedPath ?: null;
+}
+
+function cgroupApplyUserLimits(array $params): array
+{
+    $username = $params['username'] ?? '';
+    if (!validateUsername($username)) {
+        return ['success' => false, 'error' => 'Invalid username format'];
+    }
+
+    exec('id -u ' . escapeshellarg($username) . ' 2>/dev/null', $uidOutput, $uidCode);
+    if ($uidCode !== 0) {
+        return ['success' => false, 'error' => 'User not found'];
+    }
+
+    $uid = trim($uidOutput[0] ?? '');
+    $slice = "user-{$uid}.slice";
+
+    $cpu = isset($params['cpu_limit_percent']) ? (int) $params['cpu_limit_percent'] : 0;
+    $memory = isset($params['memory_limit_mb']) ? (int) $params['memory_limit_mb'] : 0;
+    $io = isset($params['io_limit_mb']) ? (int) $params['io_limit_mb'] : 0;
+
+    $properties = [];
+    if ($cpu > 0) {
+        $properties[] = "CPUQuota={$cpu}%";
+    }
+    if ($memory > 0) {
+        $properties[] = "MemoryMax={$memory}M";
+    }
+    if ($io > 0) {
+        $device = getRootBlockDevice();
+        if ($device) {
+            $properties[] = "IOReadBandwidthMax={$device} {$io}M";
+            $properties[] = "IOWriteBandwidthMax={$device} {$io}M";
+        }
+    }
+
+    if (empty($properties)) {
+        return cgroupClearUserLimits(['username' => $username]);
+    }
+
+    $command = 'systemctl set-property ' . escapeshellarg($slice) . ' ' . implode(' ', array_map('escapeshellarg', $properties)) . ' 2>&1';
+    exec($command, $output, $code);
+    if ($code !== 0) {
+        return ['success' => false, 'error' => implode("\n", $output)];
+    }
+
+    exec('systemctl daemon-reload 2>&1');
+
+    return ['success' => true, 'message' => 'Resource limits applied'];
+}
+
+function cgroupClearUserLimits(array $params): array
+{
+    $username = $params['username'] ?? '';
+    if (!validateUsername($username)) {
+        return ['success' => false, 'error' => 'Invalid username format'];
+    }
+
+    exec('id -u ' . escapeshellarg($username) . ' 2>/dev/null', $uidOutput, $uidCode);
+    if ($uidCode !== 0) {
+        return ['success' => false, 'error' => 'User not found'];
+    }
+
+    $uid = trim($uidOutput[0] ?? '');
+    $slice = "user-{$uid}.slice";
+
+    exec('systemctl revert ' . escapeshellarg($slice) . ' 2>&1', $output, $code);
+    exec('systemctl daemon-reload 2>&1');
+
+    if ($code !== 0) {
+        return ['success' => false, 'error' => implode("\n", $output)];
+    }
+
+    return ['success' => true, 'message' => 'Resource limits cleared'];
+}
+
+function databasePersistTuning(array $params): array
+{
+    $name = $params['name'] ?? '';
+    $value = $params['value'] ?? '';
+
+    if (!preg_match('/^[a-zA-Z0-9_]+$/', $name)) {
+        return ['success' => false, 'error' => 'Invalid variable name'];
+    }
+
+    $configDir = '/etc/mysql/mariadb.conf.d';
+    if (!is_dir($configDir)) {
+        $configDir = '/etc/mysql/conf.d';
+    }
+
+    if (!is_dir($configDir)) {
+        return ['success' => false, 'error' => 'MySQL configuration directory not found'];
+    }
+
+    $file = $configDir . '/90-jabali-tuning.cnf';
+    $lines = file_exists($file) ? file($file, FILE_IGNORE_NEW_LINES) : [];
+
+    if (empty($lines)) {
+        $lines = ['# Managed by Jabali', '[mysqld]'];
+    }
+
+    $hasSection = false;
+    $found = false;
+    foreach ($lines as $index => $line) {
+        if (trim($line) === '[mysqld]') {
+            $hasSection = true;
+        }
+
+        if (preg_match('/^\s*' . preg_quote($name, '/') . '\s*=/i', $line)) {
+            $lines[$index] = $name . ' = ' . $value;
+            $found = true;
+        }
+    }
+
+    if (!$hasSection) {
+        $lines[] = '[mysqld]';
+    }
+
+    if (!$found) {
+        $lines[] = $name . ' = ' . $value;
+    }
+
+    file_put_contents($file, implode("\n", $lines) . "\n");
+
+    return ['success' => true, 'message' => 'Configuration persisted'];
+}
+
 // ============ MAIN ============
 
 function main(): void
@@ -3652,6 +4097,195 @@ function domainCreate(array $params): array
     ];
 }
 
+function updateVhostServerNames(string $vhostFile, callable $mutator): array
+{
+    if (!file_exists($vhostFile)) {
+        return ['success' => false, 'error' => 'Domain configuration not found'];
+    }
+
+    $original = file_get_contents($vhostFile);
+    if ($original === false) {
+        return ['success' => false, 'error' => 'Failed to read virtual host configuration'];
+    }
+
+    $updated = preg_replace_callback('/server_name\\s+([^;]+);/i', function ($matches) use ($mutator) {
+        $names = preg_split('/\\s+/', trim($matches[1]));
+        $names = array_values(array_filter($names));
+        $names = $mutator($names);
+        $names = array_values(array_unique($names));
+
+        return '    server_name ' . implode(' ', $names) . ';';
+    }, $original, -1, $count);
+
+    if ($count === 0 || $updated === null) {
+        return ['success' => false, 'error' => 'Failed to update server_name entries'];
+    }
+
+    if (file_put_contents($vhostFile, $updated) === false) {
+        return ['success' => false, 'error' => 'Failed to write virtual host configuration'];
+    }
+
+    exec("nginx -t 2>&1", $testOutput, $testCode);
+    if ($testCode !== 0) {
+        // rollback
+        file_put_contents($vhostFile, $original);
+        return ['success' => false, 'error' => 'Nginx config test failed: ' . implode("\n", $testOutput)];
+    }
+
+    exec("systemctl reload nginx 2>&1", $reloadOutput, $reloadCode);
+    if ($reloadCode !== 0) {
+        return ['success' => false, 'error' => 'Failed to reload Nginx: ' . implode("\n", $reloadOutput)];
+    }
+
+    return ['success' => true];
+}
+
+function domainAliasAdd(array $params): array
+{
+    $username = $params['username'] ?? '';
+    $domain = strtolower(trim($params['domain'] ?? ''));
+    $alias = strtolower(trim($params['alias'] ?? ''));
+
+    if (!validateUsername($username)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    if (!validateDomain($domain) || !validateDomain($alias)) {
+        return ['success' => false, 'error' => 'Invalid domain format'];
+    }
+
+    if ($alias === $domain || $alias === "www.{$domain}") {
+        return ['success' => false, 'error' => 'Alias cannot match the primary domain'];
+    }
+
+    $vhostFile = "/etc/nginx/sites-available/{$domain}.conf";
+
+    foreach (glob('/etc/nginx/sites-available/*.conf') as $file) {
+        if (!is_readable($file)) {
+            continue;
+        }
+        $content = file_get_contents($file);
+        if ($content === false) {
+            continue;
+        }
+        if (preg_match('/server_name\\s+[^;]*\\b' . preg_quote($alias, '/') . '\\b/i', $content) ||
+            preg_match('/server_name\\s+[^;]*\\b' . preg_quote("www.{$alias}", '/') . '\\b/i', $content)) {
+            if ($file !== $vhostFile) {
+                return ['success' => false, 'error' => 'Alias already exists on another domain'];
+            }
+        }
+    }
+
+    $result = updateVhostServerNames($vhostFile, function (array $names) use ($alias) {
+        if (!in_array($alias, $names, true)) {
+            $names[] = $alias;
+        }
+        $wwwAlias = "www.{$alias}";
+        if (!in_array($wwwAlias, $names, true)) {
+            $names[] = $wwwAlias;
+        }
+
+        return $names;
+    });
+
+    if (!($result['success'] ?? false)) {
+        return $result;
+    }
+
+    return ['success' => true, 'message' => "Alias {$alias} added to {$domain}"];
+}
+
+function domainAliasRemove(array $params): array
+{
+    $username = $params['username'] ?? '';
+    $domain = strtolower(trim($params['domain'] ?? ''));
+    $alias = strtolower(trim($params['alias'] ?? ''));
+
+    if (!validateUsername($username)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    if (!validateDomain($domain) || !validateDomain($alias)) {
+        return ['success' => false, 'error' => 'Invalid domain format'];
+    }
+
+    $vhostFile = "/etc/nginx/sites-available/{$domain}.conf";
+
+    $result = updateVhostServerNames($vhostFile, function (array $names) use ($alias) {
+        $wwwAlias = "www.{$alias}";
+        return array_values(array_filter($names, function ($name) use ($alias, $wwwAlias) {
+            return $name !== $alias && $name !== $wwwAlias;
+        }));
+    });
+
+    if (!($result['success'] ?? false)) {
+        return $result;
+    }
+
+    return ['success' => true, 'message' => "Alias {$alias} removed from {$domain}"];
+}
+
+function domainEnsureErrorPages(array $params): array
+{
+    $username = $params['username'] ?? '';
+    $domain = strtolower(trim($params['domain'] ?? ''));
+
+    if (!validateUsername($username)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    if (!validateDomain($domain)) {
+        return ['success' => false, 'error' => 'Invalid domain format'];
+    }
+
+    $vhostFile = "/etc/nginx/sites-available/{$domain}.conf";
+    if (!file_exists($vhostFile)) {
+        return ['success' => false, 'error' => 'Domain configuration not found'];
+    }
+
+    $content = file_get_contents($vhostFile);
+    if ($content === false) {
+        return ['success' => false, 'error' => 'Failed to read virtual host configuration'];
+    }
+
+    if (strpos($content, 'error_page 404') !== false) {
+        return ['success' => true, 'message' => 'Error page directives already configured'];
+    }
+
+    $snippet = <<<NGINX
+    # Custom error pages (optional)
+    error_page 404 /404.html;
+    error_page 500 502 503 504 /500.html;
+    error_page 503 /503.html;
+
+    location = /404.html { internal; }
+    location = /500.html { internal; }
+    location = /503.html { internal; }
+NGINX;
+
+    $updated = preg_replace('/(client_max_body_size\\s+[^;]+;)/', "$1\\n\\n{$snippet}", $content, 1, $count);
+    if ($count === 0 || $updated === null) {
+        return ['success' => false, 'error' => 'Failed to inject error page directives'];
+    }
+
+    if (file_put_contents($vhostFile, $updated) === false) {
+        return ['success' => false, 'error' => 'Failed to write virtual host configuration'];
+    }
+
+    exec("nginx -t 2>&1", $testOutput, $testCode);
+    if ($testCode !== 0) {
+        file_put_contents($vhostFile, $content);
+        return ['success' => false, 'error' => 'Nginx config test failed: ' . implode("\n", $testOutput)];
+    }
+
+    exec("systemctl reload nginx 2>&1", $reloadOutput, $reloadCode);
+    if ($reloadCode !== 0) {
+        return ['success' => false, 'error' => 'Failed to reload Nginx: ' . implode("\n", $reloadOutput)];
+    }
+
+    return ['success' => true, 'message' => 'Error pages enabled'];
+}
+
 function domainDelete(array $params): array
 {
     $username = $params['username'] ?? '';
@@ -6834,13 +7468,19 @@ function wpCreateStaging(array $params): array
         return ['success' => false, 'error' => 'Staging site already exists at ' . $stagingDomain];
     }
 
-    // Create staging directory
+    // Create staging directories
     $stagingDir = dirname($stagingPath);
+    $stagingLogs = "{$userHome}/domains/{$stagingDomain}/logs";
     if (!is_dir($stagingDir)) {
         mkdir($stagingDir, 0755, true);
         chown($stagingDir, $userInfo['uid']);
         chgrp($stagingDir, $userInfo['gid']);
     }
+    if (!is_dir($stagingLogs)) {
+        mkdir($stagingLogs, 0755, true);
+        chown($stagingLogs, $userInfo['uid']);
+        chgrp($stagingLogs, $userInfo['gid']);
+    }
 
     // Copy files
     exec("cp -r " . escapeshellarg($sourcePath) . " " . escapeshellarg($stagingPath) . " 2>&1", $output, $code);
@@ -6850,6 +7490,16 @@ function wpCreateStaging(array $params): array
 
     // Fix ownership
     exec("chown -R {$userInfo['uid']}:{$userInfo['gid']} " . escapeshellarg($stagingPath));
+    exec("chown -R {$userInfo['uid']}:{$userInfo['gid']} " . escapeshellarg($stagingLogs));
+
+    // Ensure Nginx can access the staging files
+    exec("setfacl -m u:www-data:x " . escapeshellarg($userHome));
+    exec("setfacl -m u:www-data:x " . escapeshellarg("{$userHome}/domains"));
+    exec("setfacl -m u:www-data:rx " . escapeshellarg($stagingDir));
+    exec("setfacl -R -m u:www-data:rx " . escapeshellarg($stagingPath));
+    exec("setfacl -R -m u:www-data:rwx " . escapeshellarg($stagingLogs));
+    exec("setfacl -R -d -m u:www-data:rx " . escapeshellarg($stagingPath));
+    exec("setfacl -R -d -m u:www-data:rwx " . escapeshellarg($stagingLogs));
 
     // Get source database credentials
     $wpConfigPath = $stagingPath . '/wp-config.php';
@@ -6867,9 +7517,16 @@ function wpCreateStaging(array $params): array
         return ['success' => false, 'error' => 'Could not read source database name'];
     }
 
-    // Create staging database
-    $stagingDbName = substr($sourceDbName . '_stg', 0, 64);
-    $stagingDbUser = $sourceDbUser; // Use same user
+    // Create staging database and user
+    $suffix = preg_replace('/[^a-zA-Z0-9_]+/', '_', $subdomain);
+    $suffix = trim((string) $suffix, '_');
+    if ($suffix === '') {
+        $suffix = 'staging';
+    }
+
+    $stagingDbName = substr($sourceDbName . '_' . $suffix . '_stg', 0, 64);
+    $stagingDbUser = substr($sourceDbUser . '_' . $suffix . '_stg', 0, 32);
+    $stagingDbPass = bin2hex(random_bytes(12));
 
     // Export and import database
     $dumpFile = "/tmp/wp_staging_{$siteId}.sql";
@@ -6880,15 +7537,28 @@ function wpCreateStaging(array $params): array
     }
 
     // Create staging database
-    exec("mysql --defaults-file=/etc/mysql/debian.cnf -e \"CREATE DATABASE IF NOT EXISTS " . escapeshellarg($stagingDbName) . " CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci\" 2>&1", $createOutput, $createCode);
+    $createDbSql = "CREATE DATABASE IF NOT EXISTS `" . addslashes($stagingDbName) . "` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci";
+    exec("mysql --defaults-file=/etc/mysql/debian.cnf -e " . escapeshellarg($createDbSql) . " 2>&1", $createOutput, $createCode);
 
     if ($createCode !== 0) {
         unlink($dumpFile);
         return ['success' => false, 'error' => 'Failed to create staging database'];
     }
 
-    // Grant permissions
-    exec("mysql --defaults-file=/etc/mysql/debian.cnf -e \"GRANT ALL PRIVILEGES ON " . escapeshellarg($stagingDbName) . ".* TO '" . addslashes($sourceDbUser) . "'@'localhost'\" 2>&1");
+    // Create staging database user and grant permissions
+    $createUserSql = "CREATE USER IF NOT EXISTS '" . addslashes($stagingDbUser) . "'@'localhost' IDENTIFIED BY '" . addslashes($stagingDbPass) . "'";
+    exec("mysql --defaults-file=/etc/mysql/debian.cnf -e " . escapeshellarg($createUserSql) . " 2>&1", $userOutput, $userCode);
+    if ($userCode !== 0) {
+        unlink($dumpFile);
+        return ['success' => false, 'error' => 'Failed to create staging database user'];
+    }
+
+    $grantSql = "GRANT ALL PRIVILEGES ON `" . addslashes($stagingDbName) . "`.* TO '" . addslashes($stagingDbUser) . "'@'localhost'";
+    exec("mysql --defaults-file=/etc/mysql/debian.cnf -e " . escapeshellarg($grantSql) . " 2>&1", $grantOutput, $grantCode);
+    if ($grantCode !== 0) {
+        unlink($dumpFile);
+        return ['success' => false, 'error' => 'Failed to grant database privileges'];
+    }
 
     // Import database
     exec("mysql --defaults-file=/etc/mysql/debian.cnf " . escapeshellarg($stagingDbName) . " < " . escapeshellarg($dumpFile) . " 2>&1", $importOutput, $importCode);
@@ -6898,12 +7568,22 @@ function wpCreateStaging(array $params): array
         return ['success' => false, 'error' => 'Failed to import database'];
     }
 
-    // Update wp-config.php with new database
+    // Update wp-config.php with new database credentials
     $wpConfig = preg_replace(
         "/define\s*\(\s*['\"]DB_NAME['\"]\s*,\s*['\"][^'\"]+['\"]\s*\)/",
         "define('DB_NAME', '{$stagingDbName}')",
         $wpConfig
     );
+    $wpConfig = preg_replace(
+        "/define\s*\(\s*['\"]DB_USER['\"]\s*,\s*['\"][^'\"]+['\"]\s*\)/",
+        "define('DB_USER', '{$stagingDbUser}')",
+        $wpConfig
+    );
+    $wpConfig = preg_replace(
+        "/define\s*\(\s*['\"]DB_PASSWORD['\"]\s*,\s*['\"][^'\"]*['\"]\s*\)/",
+        "define('DB_PASSWORD', '{$stagingDbPass}')",
+        $wpConfig
+    );
     file_put_contents($wpConfigPath, $wpConfig);
 
     // Update URLs in staging database
@@ -6915,34 +7595,10 @@ function wpCreateStaging(array $params): array
     // Also replace without protocol
     exec("cd " . escapeshellarg($stagingPath) . " && sudo -u " . escapeshellarg($username) . " wp search-replace " . escapeshellarg($sourceDomain) . " " . escapeshellarg($stagingDomain) . " --all-tables 2>&1");
 
-    // Create Nginx config for staging
-    $nginxConf = <<<NGINX
-server {
-    listen 80;
-    server_name {$stagingDomain};
-    root {$stagingPath};
-    index index.php index.html;
-
-    location / {
-        try_files \$uri \$uri/ /index.php?\$args;
-    }
-
-    location ~ \.php\$ {
-        fastcgi_pass unix:/var/run/php/php8.4-fpm-{$username}.sock;
-        fastcgi_next_upstream error timeout invalid_header http_500 http_503;
-        fastcgi_next_upstream_tries 2;
-        fastcgi_next_upstream_timeout 5s;
-        fastcgi_index index.php;
-        fastcgi_param SCRIPT_FILENAME \$document_root\$fastcgi_script_name;
-        include fastcgi_params;
-    }
-
-    location ~ /\.ht {
-        deny all;
-    }
-}
-NGINX;
-
+    // Create Nginx config for staging (includes HTTPS with snakeoil cert)
+    createFpmPool($username, false);
+    $fpmSocket = getFpmSocketPath($username);
+    $nginxConf = generateNginxVhost($stagingDomain, $stagingPath, $stagingLogs, $fpmSocket);
     file_put_contents("/etc/nginx/sites-available/{$stagingDomain}.conf", $nginxConf);
 
     if (!file_exists("/etc/nginx/sites-enabled/{$stagingDomain}.conf")) {
@@ -6961,7 +7617,7 @@ NGINX;
         'url' => $stagingUrl,
         'install_path' => $stagingPath,
         'db_name' => $stagingDbName,
-        'db_user' => $sourceDbUser,
+        'db_user' => $stagingDbUser,
         'version' => $site['version'] ?? 'Unknown',
         'is_staging' => true,
         'source_site_id' => $siteId,
@@ -6978,6 +7634,110 @@ NGINX;
     ];
 }
 
+function wpPushStaging(array $params): array
+{
+    $username = $params['username'] ?? '';
+    $stagingSiteId = $params['staging_site_id'] ?? '';
+
+    if (!validateUsername($username)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    $userInfo = posix_getpwnam($username);
+    if (!$userInfo) {
+        return ['success' => false, 'error' => 'User not found'];
+    }
+
+    $userHome = $userInfo['dir'];
+    $wpListFile = "{$userHome}/.wordpress_sites";
+
+    $wpSites = [];
+    if (file_exists($wpListFile)) {
+        $wpSites = json_decode(file_get_contents($wpListFile), true) ?: [];
+    }
+
+    if (!isset($wpSites[$stagingSiteId])) {
+        return ['success' => false, 'error' => 'Staging site not found'];
+    }
+
+    $stagingSite = $wpSites[$stagingSiteId];
+    if (!($stagingSite['is_staging'] ?? false)) {
+        return ['success' => false, 'error' => 'Site is not a staging environment'];
+    }
+
+    $sourceSiteId = $stagingSite['source_site_id'] ?? null;
+    if (!$sourceSiteId || !isset($wpSites[$sourceSiteId])) {
+        return ['success' => false, 'error' => 'Source site not found'];
+    }
+
+    $sourceSite = $wpSites[$sourceSiteId];
+
+    $stagingPath = $stagingSite['install_path'] ?? '';
+    $sourcePath = $sourceSite['install_path'] ?? '';
+
+    if (!$stagingPath || !is_dir($stagingPath) || !$sourcePath || !is_dir($sourcePath)) {
+        return ['success' => false, 'error' => 'Invalid site paths'];
+    }
+
+    // Sync files (exclude wp-config.php so production DB credentials remain)
+    $rsyncCmd = "rsync -a --delete --exclude " . escapeshellarg('wp-config.php') . " "
+        . escapeshellarg(rtrim($stagingPath, '/') . '/') . " "
+        . escapeshellarg(rtrim($sourcePath, '/') . '/') . " 2>&1";
+    exec($rsyncCmd, $rsyncOutput, $rsyncCode);
+    if ($rsyncCode !== 0) {
+        return ['success' => false, 'error' => 'Failed to sync files: ' . implode("\n", $rsyncOutput)];
+    }
+
+    // Read DB credentials
+    $stagingConfig = @file_get_contents($stagingPath . '/wp-config.php');
+    $sourceConfig = @file_get_contents($sourcePath . '/wp-config.php');
+    if (!$stagingConfig || !$sourceConfig) {
+        return ['success' => false, 'error' => 'Could not read wp-config.php'];
+    }
+
+    preg_match("/define\s*\(\s*['\"]DB_NAME['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)/", $stagingConfig, $stagingDbNameMatch);
+    preg_match("/define\s*\(\s*['\"]DB_NAME['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)/", $sourceConfig, $sourceDbNameMatch);
+
+    $stagingDbName = $stagingDbNameMatch[1] ?? '';
+    $sourceDbName = $sourceDbNameMatch[1] ?? '';
+
+    if ($stagingDbName === '' || $sourceDbName === '') {
+        return ['success' => false, 'error' => 'Failed to read database names'];
+    }
+
+    // Export staging DB and import into production DB
+    $dumpFile = "/tmp/wp_push_{$stagingSiteId}.sql";
+    exec("mysqldump --defaults-file=/etc/mysql/debian.cnf " . escapeshellarg($stagingDbName) . " > " . escapeshellarg($dumpFile) . " 2>&1", $dumpOutput, $dumpCode);
+    if ($dumpCode !== 0) {
+        return ['success' => false, 'error' => 'Failed to export staging database'];
+    }
+
+    exec("mysql --defaults-file=/etc/mysql/debian.cnf " . escapeshellarg($sourceDbName) . " < " . escapeshellarg($dumpFile) . " 2>&1", $importOutput, $importCode);
+    @unlink($dumpFile);
+
+    if ($importCode !== 0) {
+        return ['success' => false, 'error' => 'Failed to import staging database'];
+    }
+
+    // Update URLs in production database
+    $stagingUrl = $stagingSite['url'] ?? '';
+    $sourceUrl = $sourceSite['url'] ?? '';
+    $stagingDomain = $stagingSite['domain'] ?? '';
+    $sourceDomain = $sourceSite['domain'] ?? '';
+
+    if ($stagingUrl && $sourceUrl) {
+        exec("cd " . escapeshellarg($sourcePath) . " && sudo -u " . escapeshellarg($username) . " wp search-replace " . escapeshellarg($stagingUrl) . " " . escapeshellarg($sourceUrl) . " --all-tables 2>&1");
+    }
+    if ($stagingDomain && $sourceDomain) {
+        exec("cd " . escapeshellarg($sourcePath) . " && sudo -u " . escapeshellarg($username) . " wp search-replace " . escapeshellarg($stagingDomain) . " " . escapeshellarg($sourceDomain) . " --all-tables 2>&1");
+    }
+
+    // Fix ownership
+    exec("chown -R {$userInfo['uid']}:{$userInfo['gid']} " . escapeshellarg($sourcePath));
+
+    return ['success' => true, 'message' => 'Staging changes pushed to production'];
+}
+
 
 // ============ PHP SETTINGS MANAGEMENT ============
 
@@ -8220,6 +8980,70 @@ function emailSyncVirtualUsers(array $params): array
     return ['success' => true, 'message' => "Virtual users synced for {$domain}"];
 }
 
+function emailSyncMaps(array $params): array
+{
+    $domains = $params['domains'] ?? [];
+    $mailboxes = $params['mailboxes'] ?? [];
+    $aliases = $params['aliases'] ?? [];
+
+    $domainLines = ["# Managed by Jabali"];
+    foreach ($domains as $domain) {
+        $domain = strtolower(trim((string) $domain));
+        if ($domain === '' || !validateDomain($domain)) {
+            continue;
+        }
+
+        $domainLines[] = "{$domain} OK";
+    }
+
+    $mailboxLines = ["# Managed by Jabali"];
+    foreach ($mailboxes as $mailbox) {
+        $email = strtolower(trim((string) ($mailbox['email'] ?? '')));
+        $path = trim((string) ($mailbox['path'] ?? ''));
+        if ($email === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
+            continue;
+        }
+        if ($path === '') {
+            continue;
+        }
+
+        $mailboxLines[] = "{$email} {$path}";
+    }
+
+    $aliasLines = ["# Managed by Jabali"];
+    foreach ($aliases as $alias) {
+        $source = strtolower(trim((string) ($alias['source'] ?? '')));
+        $destinations = $alias['destinations'] ?? [];
+        if ($source === '') {
+            continue;
+        }
+
+        $destinations = array_filter(array_map('trim', (array) $destinations), fn ($dest) => filter_var($dest, FILTER_VALIDATE_EMAIL));
+        if (empty($destinations)) {
+            continue;
+        }
+
+        $aliasLines[] = $source . ' ' . implode(', ', $destinations);
+    }
+
+    file_put_contents(POSTFIX_VIRTUAL_DOMAINS, implode("\n", $domainLines) . "\n");
+    file_put_contents(POSTFIX_VIRTUAL_MAILBOXES, implode("\n", $mailboxLines) . "\n");
+    file_put_contents(POSTFIX_VIRTUAL_ALIASES, implode("\n", $aliasLines) . "\n");
+
+    exec('postmap ' . escapeshellarg(POSTFIX_VIRTUAL_DOMAINS) . ' 2>&1');
+    exec('postmap ' . escapeshellarg(POSTFIX_VIRTUAL_MAILBOXES) . ' 2>&1');
+    exec('postmap ' . escapeshellarg(POSTFIX_VIRTUAL_ALIASES) . ' 2>&1');
+
+    logger("Synced postfix maps (domains: " . count($domains) . ", mailboxes: " . count($mailboxes) . ", aliases: " . count($aliases) . ")");
+
+    return [
+        'success' => true,
+        'domains' => count($domains),
+        'mailboxes' => count($mailboxes),
+        'aliases' => count($aliases),
+    ];
+}
+
 function emailReloadServices(array $params): array
 {
     $output = [];
@@ -22677,3 +23501,730 @@ function cpanelInstallSsl(string $username, string $domain, string $certFile, st
     logger("SSL install failed for $domain: " . ($result['error'] ?? 'unknown error'));
     return false;
 }
+
+function toolExists(string $binary): bool
+{
+    $output = [];
+    $code = 1;
+    exec("command -v " . escapeshellarg($binary) . " 2>/dev/null", $output, $code);
+    return $code === 0;
+}
+
+function validateDbIdentifier(string $name): bool
+{
+    return (bool) preg_match('/^[a-zA-Z0-9_]+$/', $name);
+}
+
+function gitGenerateKey(array $params): array
+{
+    $username = $params['username'] ?? '';
+
+    if (!validateUsername($username)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    $userInfo = posix_getpwnam($username);
+    if (!$userInfo) {
+        return ['success' => false, 'error' => 'User not found'];
+    }
+
+    $home = $userInfo['dir'];
+    $sshDir = $home . '/.ssh';
+    $keyPath = $sshDir . '/jabali_git_deploy';
+    $pubPath = $keyPath . '.pub';
+
+    if (!is_dir($sshDir)) {
+        mkdir($sshDir, 0700, true);
+        chown($sshDir, $userInfo['uid']);
+        chgrp($sshDir, $userInfo['gid']);
+    }
+    chmod($sshDir, 0700);
+
+    if (!file_exists($keyPath) || !file_exists($pubPath)) {
+        $cmd = "ssh-keygen -t ed25519 -N '' -f " . escapeshellarg($keyPath) . " -C " . escapeshellarg("jabali-deploy-{$username}") . " 2>&1";
+        exec($cmd, $output, $code);
+        if ($code !== 0) {
+            return ['success' => false, 'error' => 'Failed to generate deploy key: ' . implode("\n", $output)];
+        }
+        chmod($keyPath, 0600);
+        chmod($pubPath, 0644);
+        chown($keyPath, $userInfo['uid']);
+        chgrp($keyPath, $userInfo['gid']);
+        chown($pubPath, $userInfo['uid']);
+        chgrp($pubPath, $userInfo['gid']);
+    }
+
+    $publicKey = trim((string) @file_get_contents($pubPath));
+    if ($publicKey === '') {
+        return ['success' => false, 'error' => 'Public key not found'];
+    }
+
+    return [
+        'success' => true,
+        'public_key' => $publicKey,
+        'private_key_path' => $keyPath,
+    ];
+}
+
+function gitDeploy(array $params): array
+{
+    $username = $params['username'] ?? '';
+    $repoUrl = trim((string) ($params['repo_url'] ?? ''));
+    $branch = trim((string) ($params['branch'] ?? 'main'));
+    $deployPath = trim((string) ($params['deploy_path'] ?? ''));
+    $deployScript = $params['deploy_script'] ?? '';
+
+    if (!validateUsername($username)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    if ($repoUrl === '' || $deployPath === '') {
+        return ['success' => false, 'error' => 'Repository URL and deploy path are required'];
+    }
+
+    $userInfo = posix_getpwnam($username);
+    if (!$userInfo) {
+        return ['success' => false, 'error' => 'User not found'];
+    }
+
+    $home = $userInfo['dir'];
+    if (!str_starts_with($deployPath, $home)) {
+        return ['success' => false, 'error' => 'Deploy path must be inside user home directory'];
+    }
+
+    if (!is_dir($deployPath)) {
+        mkdir($deployPath, 0755, true);
+        chown($deployPath, $userInfo['uid']);
+        chgrp($deployPath, $userInfo['gid']);
+    }
+
+    $sshKey = $home . '/.ssh/jabali_git_deploy';
+    $env = 'HOME=' . escapeshellarg($home);
+    if (file_exists($sshKey)) {
+        $sshCmd = 'ssh -i ' . escapeshellarg($sshKey) . ' -o StrictHostKeyChecking=accept-new';
+        $env .= ' GIT_SSH_COMMAND=' . escapeshellarg($sshCmd);
+    }
+
+    $output = [];
+    $code = 0;
+
+    if (!is_dir($deployPath . '/.git')) {
+        $cmd = "sudo -u " . escapeshellarg($username) . " env {$env} git clone --branch " . escapeshellarg($branch)
+            . " " . escapeshellarg($repoUrl) . " " . escapeshellarg($deployPath) . " 2>&1";
+        exec($cmd, $output, $code);
+    } else {
+        $cmdFetch = "sudo -u " . escapeshellarg($username) . " env {$env} bash -lc "
+            . escapeshellarg("cd {$deployPath} && git fetch --all --prune");
+        exec($cmdFetch . " 2>&1", $fetchOutput, $fetchCode);
+        $output = array_merge($output, $fetchOutput);
+
+        $cmdReset = "sudo -u " . escapeshellarg($username) . " env {$env} bash -lc "
+            . escapeshellarg("cd {$deployPath} && git checkout " . escapeshellarg($branch) . " && git reset --hard origin/{$branch}");
+        exec($cmdReset . " 2>&1", $resetOutput, $code);
+        $output = array_merge($output, $resetOutput);
+    }
+
+    if ($code !== 0) {
+        return ['success' => false, 'error' => implode("\n", $output)];
+    }
+
+    exec("chown -R {$userInfo['uid']}:{$userInfo['gid']} " . escapeshellarg($deployPath));
+
+    $scriptOutput = [];
+    if (is_string($deployScript) && trim($deployScript) !== '') {
+        $tmpScript = "/tmp/jabali-deploy-{$username}-" . time() . ".sh";
+        $scriptBody = "#!/usr/bin/env bash\nset -e\ncd " . escapeshellarg($deployPath) . "\n" . $deployScript . "\n";
+        file_put_contents($tmpScript, $scriptBody);
+        chmod($tmpScript, 0700);
+
+        $cmdScript = "sudo -u " . escapeshellarg($username) . " env HOME=" . escapeshellarg($home) . " bash " . escapeshellarg($tmpScript) . " 2>&1";
+        exec($cmdScript, $scriptOutput, $scriptCode);
+        @unlink($tmpScript);
+
+        if ($scriptCode !== 0) {
+            return ['success' => false, 'error' => implode("\n", $scriptOutput)];
+        }
+    }
+
+    return [
+        'success' => true,
+        'output' => $output,
+        'script_output' => $scriptOutput,
+    ];
+}
+
+function rspamdUserSettings(array $params): array
+{
+    $username = $params['username'] ?? '';
+    $whitelist = $params['whitelist'] ?? [];
+    $blacklist = $params['blacklist'] ?? [];
+    $score = $params['score'] ?? null;
+
+    if (!validateUsername($username)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    $whitelist = array_values(array_filter(array_map('trim', (array) $whitelist)));
+    $blacklist = array_values(array_filter(array_map('trim', (array) $blacklist)));
+
+    $confFile = '/etc/rspamd/local.d/users.conf';
+    $content = file_exists($confFile) ? (string) file_get_contents($confFile) : '';
+    $pattern = "/# BEGIN JABALI USER {$username}.*?# END JABALI USER {$username}\\n?/s";
+    $content = preg_replace($pattern, '', $content) ?? $content;
+
+    $lines = [];
+    $lines[] = "# BEGIN JABALI USER {$username}";
+    $lines[] = "{$username} {";
+    if (!empty($whitelist)) {
+        $lines[] = "    whitelist_from = [" . implode(', ', array_map(fn ($item) => '\"' . addslashes($item) . '\"', $whitelist)) . "];";
+    }
+    if (!empty($blacklist)) {
+        $lines[] = "    blacklist_from = [" . implode(', ', array_map(fn ($item) => '\"' . addslashes($item) . '\"', $blacklist)) . "];";
+    }
+    if ($score !== null && $score !== '') {
+        $lines[] = "    score = " . (float) $score . ";";
+    }
+    $lines[] = "}";
+    $lines[] = "# END JABALI USER {$username}";
+
+    $content = rtrim($content) . "\n\n" . implode("\n", $lines) . "\n";
+    if (file_put_contents($confFile, $content) === false) {
+        return ['success' => false, 'error' => 'Failed to write Rspamd config'];
+    }
+
+    exec("systemctl reload rspamd 2>&1", $reloadOutput, $reloadCode);
+    if ($reloadCode !== 0) {
+        return ['success' => false, 'error' => 'Failed to reload Rspamd: ' . implode("\n", $reloadOutput)];
+    }
+
+    return ['success' => true];
+}
+
+function usageBandwidthTotal(array $params): array
+{
+    $username = $params['username'] ?? '';
+
+    if (!validateUsername($username)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    $userInfo = posix_getpwnam($username);
+    if (!$userInfo) {
+        return ['success' => false, 'error' => 'User not found'];
+    }
+
+    $userHome = $userInfo['dir'];
+    $total = 0;
+
+    foreach (glob($userHome . '/domains/*/logs/access.log') as $logFile) {
+        if (!is_readable($logFile)) {
+            continue;
+        }
+        $cmd = "awk '{if ($10 ~ /^[0-9]+$/) sum+=$10} END {print sum}' " . escapeshellarg($logFile);
+        exec($cmd, $out, $code);
+        if ($code === 0 && isset($out[0])) {
+            $total += (int) trim($out[0]);
+        }
+    }
+
+    return ['success' => true, 'total_bytes' => $total];
+}
+
+function usageUserResources(array $params): array
+{
+    $username = $params['username'] ?? '';
+
+    if (!validateUsername($username)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    $userInfo = posix_getpwnam($username);
+    if (!$userInfo) {
+        return ['success' => false, 'error' => 'User not found'];
+    }
+
+    $uid = (int) $userInfo['uid'];
+
+    $cpuTotal = 0.0;
+    $memoryBytes = 0;
+
+    exec("ps -u " . escapeshellarg($username) . " -o %cpu=,rss= 2>/dev/null", $psOut, $psCode);
+    if ($psCode === 0) {
+        foreach ($psOut as $line) {
+            $parts = preg_split('/\\s+/', trim($line));
+            if (count($parts) < 2) {
+                continue;
+            }
+            $cpuTotal += (float) $parts[0];
+            $memoryBytes += (int) $parts[1] * 1024;
+        }
+    }
+
+    $diskRead = 0;
+    $diskWrite = 0;
+
+    foreach (glob('/proc/[0-9]*') as $procPath) {
+        $statusFile = $procPath . '/status';
+        if (!is_readable($statusFile)) {
+            continue;
+        }
+        $status = file($statusFile, FILE_IGNORE_NEW_LINES);
+        if (!$status) {
+            continue;
+        }
+
+        $matchesUid = false;
+        foreach ($status as $line) {
+            if (str_starts_with($line, 'Uid:')) {
+                $parts = preg_split('/\\s+/', trim($line));
+                $matchesUid = isset($parts[1]) && (int) $parts[1] === $uid;
+                break;
+            }
+        }
+
+        if (!$matchesUid) {
+            continue;
+        }
+
+        $ioFile = $procPath . '/io';
+        if (!is_readable($ioFile)) {
+            continue;
+        }
+
+        $ioLines = file($ioFile, FILE_IGNORE_NEW_LINES);
+        if (!$ioLines) {
+            continue;
+        }
+
+        foreach ($ioLines as $line) {
+            if (str_starts_with($line, 'read_bytes:')) {
+                $diskRead += (int) trim(substr($line, 11));
+            } elseif (str_starts_with($line, 'write_bytes:')) {
+                $diskWrite += (int) trim(substr($line, 12));
+            }
+        }
+    }
+
+    return [
+        'success' => true,
+        'cpu_percent' => round($cpuTotal, 2),
+        'memory_bytes' => $memoryBytes,
+        'disk_io_total_bytes' => $diskRead + $diskWrite,
+    ];
+}
+
+function imageOptimize(array $params): array
+{
+    $username = $params['username'] ?? '';
+    $path = $params['path'] ?? '';
+    $convertWebp = (bool) ($params['convert_webp'] ?? false);
+    $quality = (int) ($params['quality'] ?? 82);
+
+    if (!validateUsername($username)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    $userInfo = posix_getpwnam($username);
+    if (!$userInfo) {
+        return ['success' => false, 'error' => 'User not found'];
+    }
+
+    $userHome = $userInfo['dir'];
+    $path = $path ?: $userHome . '/domains';
+
+    if (!str_starts_with($path, $userHome)) {
+        return ['success' => false, 'error' => 'Path must be inside user home'];
+    }
+
+    if (!is_dir($path)) {
+        return ['success' => false, 'error' => 'Path not found'];
+    }
+
+    $quality = max(40, min(95, $quality));
+
+    $optimized = [
+        'jpg' => 0,
+        'png' => 0,
+        'webp' => 0,
+    ];
+
+    if (toolExists('jpegoptim')) {
+        $cmd = "find " . escapeshellarg($path) . " -type f \\( -iname '*.jpg' -o -iname '*.jpeg' \\) -print0 | xargs -0 -r jpegoptim --strip-all --max={$quality} 2>&1";
+        exec($cmd, $out, $code);
+        if ($code === 0) {
+            $optimized['jpg'] = count($out) > 0 ? count($out) : 0;
+        }
+    }
+
+    if (toolExists('optipng')) {
+        $cmd = "find " . escapeshellarg($path) . " -type f -iname '*.png' -print0 | xargs -0 -r optipng -o2 2>&1";
+        exec($cmd, $out, $code);
+        if ($code === 0) {
+            $optimized['png'] = count($out) > 0 ? count($out) : 0;
+        }
+    }
+
+    if ($convertWebp && toolExists('cwebp')) {
+        $cmd = "find " . escapeshellarg($path) . " -type f \\( -iname '*.jpg' -o -iname '*.jpeg' -o -iname '*.png' \\) -print0 | xargs -0 -r -I{} cwebp -q {$quality} {} -o {}.webp 2>&1";
+        exec($cmd, $out, $code);
+        if ($code === 0) {
+            $optimized['webp'] = count($out) > 0 ? count($out) : 0;
+        }
+    }
+
+    return ['success' => true, 'optimized' => $optimized];
+}
+
+function postgresListDatabases(array $params): array
+{
+    $username = $params['username'] ?? '';
+    if (!validateUsername($username)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    $sql = "SELECT datname, pg_database_size(datname) FROM pg_database WHERE datistemplate = false AND datname LIKE '" . addslashes($username) . "\\_%'";
+    exec("sudo -u postgres psql -At -c " . escapeshellarg($sql) . " 2>&1", $out, $code);
+    if ($code !== 0) {
+        return ['success' => false, 'error' => implode("\n", $out)];
+    }
+
+    $databases = [];
+    foreach ($out as $line) {
+        if (!str_contains($line, '|')) {
+            continue;
+        }
+        [$name, $size] = array_map('trim', explode('|', $line, 2));
+        $databases[] = ['name' => $name, 'size_bytes' => (int) $size];
+    }
+
+    return ['success' => true, 'databases' => $databases];
+}
+
+function postgresListUsers(array $params): array
+{
+    $username = $params['username'] ?? '';
+    if (!validateUsername($username)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    $sql = "SELECT usename FROM pg_user WHERE usename LIKE '" . addslashes($username) . "\\_%'";
+    exec("sudo -u postgres psql -At -c " . escapeshellarg($sql) . " 2>&1", $out, $code);
+    if ($code !== 0) {
+        return ['success' => false, 'error' => implode("\n", $out)];
+    }
+
+    $users = [];
+    foreach ($out as $line) {
+        $line = trim($line);
+        if ($line !== '') {
+            $users[] = ['username' => $line];
+        }
+    }
+
+    return ['success' => true, 'users' => $users];
+}
+
+function postgresCreateUser(array $params): array
+{
+    $username = $params['username'] ?? '';
+    $dbUser = $params['db_user'] ?? '';
+    $password = $params['password'] ?? '';
+
+    if (!validateUsername($username) || !validateDbIdentifier($dbUser)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    $sql = "DO $$ BEGIN IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = '" . addslashes($dbUser) . "') THEN CREATE ROLE \"" . addslashes($dbUser) . "\" LOGIN PASSWORD '" . addslashes($password) . "'; END IF; END $$;";
+    exec("sudo -u postgres psql -At -c " . escapeshellarg($sql) . " 2>&1", $out, $code);
+    if ($code !== 0) {
+        return ['success' => false, 'error' => implode("\n", $out)];
+    }
+
+    return ['success' => true];
+}
+
+function postgresDeleteUser(array $params): array
+{
+    $username = $params['username'] ?? '';
+    $dbUser = $params['db_user'] ?? '';
+
+    if (!validateUsername($username) || !validateDbIdentifier($dbUser)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    $sql = "DROP ROLE IF EXISTS \"" . addslashes($dbUser) . "\"";
+    exec("sudo -u postgres psql -At -c " . escapeshellarg($sql) . " 2>&1", $out, $code);
+    if ($code !== 0) {
+        return ['success' => false, 'error' => implode("\n", $out)];
+    }
+
+    return ['success' => true];
+}
+
+function postgresChangePassword(array $params): array
+{
+    $username = $params['username'] ?? '';
+    $dbUser = $params['db_user'] ?? '';
+    $password = $params['password'] ?? '';
+
+    if (!validateUsername($username) || !validateDbIdentifier($dbUser)) {
+        return ['success' => false, 'error' => 'Invalid username'];
+    }
+
+    $sql = "ALTER ROLE \"" . addslashes($dbUser) . "\" WITH PASSWORD '" . addslashes($password) . "'";
+    exec("sudo -u postgres psql -At -c " . escapeshellarg($sql) . " 2>&1", $out, $code);
+    if ($code !== 0) {
+        return ['success' => false, 'error' => implode("\n", $out)];
+    }
+
+    return ['success' => true];
+}
+
+function postgresCreateDatabase(array $params): array
+{
+    $username = $params['username'] ?? '';
+    $database = $params['database'] ?? '';
+    $owner = $params['owner'] ?? '';
+
+    if (!validateUsername($username) || !validateDbIdentifier($database) || !validateDbIdentifier($owner)) {
+        return ['success' => false, 'error' => 'Invalid database name'];
+    }
+
+    $sql = "CREATE DATABASE \"" . addslashes($database) . "\" OWNER \"" . addslashes($owner) . "\"";
+    exec("sudo -u postgres psql -At -c " . escapeshellarg($sql) . " 2>&1", $out, $code);
+    if ($code !== 0) {
+        return ['success' => false, 'error' => implode("\n", $out)];
+    }
+
+    return ['success' => true];
+}
+
+function postgresDeleteDatabase(array $params): array
+{
+    $username = $params['username'] ?? '';
+    $database = $params['database'] ?? '';
+
+    if (!validateUsername($username) || !validateDbIdentifier($database)) {
+        return ['success' => false, 'error' => 'Invalid database name'];
+    }
+
+    $sql = "DROP DATABASE IF EXISTS \"" . addslashes($database) . "\"";
+    exec("sudo -u postgres psql -At -c " . escapeshellarg($sql) . " 2>&1", $out, $code);
+    if ($code !== 0) {
+        return ['success' => false, 'error' => implode("\n", $out)];
+    }
+
+    return ['success' => true];
+}
+
+function postgresGrantPrivileges(array $params): array
+{
+    $username = $params['username'] ?? '';
+    $database = $params['database'] ?? '';
+    $dbUser = $params['db_user'] ?? '';
+
+    if (!validateUsername($username) || !validateDbIdentifier($database) || !validateDbIdentifier($dbUser)) {
+        return ['success' => false, 'error' => 'Invalid database name'];
+    }
+
+    $sql = "GRANT ALL PRIVILEGES ON DATABASE \"" . addslashes($database) . "\" TO \"" . addslashes($dbUser) . "\"";
+    exec("sudo -u postgres psql -At -c " . escapeshellarg($sql) . " 2>&1", $out, $code);
+    if ($code !== 0) {
+        return ['success' => false, 'error' => implode("\n", $out)];
+    }
+
+    return ['success' => true];
+}
+
+function mailQueueList(array $params): array
+{
+    $queue = [];
+
+    // Try JSON output if available (Postfix 3.1+)
+    $jsonOutput = [];
+    exec('postqueue -j 2>/dev/null', $jsonOutput, $jsonCode);
+    if ($jsonCode === 0 && !empty($jsonOutput)) {
+        foreach ($jsonOutput as $line) {
+            $entry = json_decode($line, true);
+            if (!is_array($entry)) {
+                continue;
+            }
+            $queue[] = [
+                'id' => $entry['queue_id'] ?? '',
+                'arrival' => isset($entry['arrival_time']) ? date('Y-m-d H:i:s', (int) $entry['arrival_time']) : '',
+                'sender' => $entry['sender'] ?? '',
+                'recipients' => $entry['recipients'] ?? [],
+                'size' => isset($entry['message_size']) ? formatBytes((int) $entry['message_size']) : '',
+                'status' => $entry['status'] ?? '',
+            ];
+        }
+
+        return ['success' => true, 'queue' => $queue];
+    }
+
+    $output = [];
+    exec('postqueue -p 2>/dev/null', $output, $code);
+    if ($code !== 0) {
+        return ['success' => false, 'error' => 'Failed to read mail queue'];
+    }
+
+    if (empty($output)) {
+        return ['success' => true, 'queue' => []];
+    }
+
+    $current = null;
+    foreach ($output as $line) {
+        $trim = trim($line);
+        if ($trim === '' || str_contains($trim, 'Mail queue is empty')) {
+            if ($current) {
+                $queue[] = $current;
+                $current = null;
+            }
+            continue;
+        }
+
+        if (preg_match('/^([A-F0-9]{5,}|[A-Za-z0-9]{5,})[\*\!\-]?\s+(\d+)\s+(.+?)\s+([^\s]+)$/', $line, $matches)) {
+            if ($current) {
+                $queue[] = $current;
+            }
+            $current = [
+                'id' => $matches[1],
+                'size' => formatBytes((int) $matches[2]),
+                'arrival' => trim($matches[3]),
+                'sender' => trim($matches[4]),
+                'recipients' => [],
+                'status' => '',
+            ];
+            continue;
+        }
+
+        if ($current) {
+            if ($trim !== '') {
+                if (preg_match('/^\((.+)\)$/', $trim, $statusMatch)) {
+                    $current['status'] = $statusMatch[1];
+                } else {
+                    $current['recipients'][] = $trim;
+                }
+            }
+        }
+    }
+
+    if ($current) {
+        $queue[] = $current;
+    }
+
+    return ['success' => true, 'queue' => $queue];
+}
+
+function mailQueueRetry(array $params): array
+{
+    $id = $params['id'] ?? '';
+    if (empty($id) || !preg_match('/^[A-Za-z0-9]{5,}$/', $id)) {
+        return ['success' => false, 'error' => 'Invalid queue ID'];
+    }
+
+    exec('postqueue -i ' . escapeshellarg($id) . ' 2>&1', $output, $code);
+    if ($code !== 0) {
+        return ['success' => false, 'error' => implode("\n", $output)];
+    }
+
+    return ['success' => true];
+}
+
+function mailQueueDelete(array $params): array
+{
+    $id = $params['id'] ?? '';
+    if (empty($id) || !preg_match('/^[A-Za-z0-9]{5,}$/', $id)) {
+        return ['success' => false, 'error' => 'Invalid queue ID'];
+    }
+
+    exec('postsuper -d ' . escapeshellarg($id) . ' 2>&1', $output, $code);
+    if ($code !== 0) {
+        return ['success' => false, 'error' => implode("\n", $output)];
+    }
+
+    return ['success' => true];
+}
+
+function fail2banLogs(array $params): array
+{
+    $limit = (int) ($params['limit'] ?? 200);
+    $limit = max(20, min(500, $limit));
+    $path = '/var/log/fail2ban.log';
+
+    if (!file_exists($path)) {
+        return ['success' => true, 'logs' => []];
+    }
+
+    $output = [];
+    exec('tail -n ' . $limit . ' ' . escapeshellarg($path) . ' 2>/dev/null', $output);
+
+    $logs = [];
+    foreach ($output as $line) {
+        if (preg_match('/^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+\s+\w+\s+\[([^\]]+)\]\s+(.+)$/', $line, $matches)) {
+            $time = $matches[1];
+            $jail = $matches[2];
+            $message = $matches[3];
+            $action = '';
+            $ip = '';
+
+            if (preg_match('/\b(Ban|Unban|Found)\s+([0-9a-fA-F:.]+)/', $message, $actionMatch)) {
+                $action = $actionMatch[1];
+                $ip = $actionMatch[2];
+            }
+
+            $logs[] = [
+                'time' => $time,
+                'jail' => $jail,
+                'action' => $action ?: 'Info',
+                'ip' => $ip,
+                'message' => $message,
+            ];
+        }
+    }
+
+    return ['success' => true, 'logs' => $logs];
+}
+
+function updatesList(array $params): array
+{
+    $output = [];
+    exec('apt list --upgradable 2>/dev/null', $output, $code);
+    if ($code !== 0) {
+        return ['success' => false, 'error' => 'Failed to list updates'];
+    }
+
+    $packages = [];
+    foreach ($output as $line) {
+        if (str_starts_with($line, 'Listing') || trim($line) === '') {
+            continue;
+        }
+
+        if (preg_match('/^([^\/]+)\/[^\s]+\s+([^\s]+)\s+[^\s]+\s+[^\s]+\s+\[upgradable from: ([^\]]+)\]/', $line, $matches)) {
+            $packages[] = [
+                'name' => $matches[1],
+                'new_version' => $matches[2],
+                'current_version' => $matches[3],
+            ];
+        }
+    }
+
+    return ['success' => true, 'packages' => $packages];
+}
+
+function updatesRun(array $params): array
+{
+    $output = [];
+    exec('apt-get update -y 2>&1', $output, $codeUpdate);
+    if ($codeUpdate !== 0) {
+        return ['success' => false, 'error' => implode("\n", $output)];
+    }
+
+    $upgradeOutput = [];
+    exec('DEBIAN_FRONTEND=noninteractive apt-get upgrade -y 2>&1', $upgradeOutput, $codeUpgrade);
+    if ($codeUpgrade !== 0) {
+        return ['success' => false, 'error' => implode("\n", $upgradeOutput)];
+    }
+
+    return ['success' => true, 'output' => array_merge($output, $upgradeOutput)];
+}
diff --git a/config/livewire.php b/config/livewire.php
index e6d8142..d2e46fc 100644
--- a/config/livewire.php
+++ b/config/livewire.php
@@ -2,6 +2,77 @@
 
 return [
 
+    /*
+    |---------------------------------------------------------------------------
+    | Component Locations
+    |---------------------------------------------------------------------------
+    |
+    | This value sets the root directories that'll be used to resolve view-based
+    | components like single and multi-file components. The make command will
+    | use the first directory in this array to add new component files to.
+    |
+    */
+
+    'component_locations' => [
+        resource_path('views/components'),
+        resource_path('views/livewire'),
+    ],
+
+    /*
+    |---------------------------------------------------------------------------
+    | Component Namespaces
+    |---------------------------------------------------------------------------
+    |
+    | This value sets default namespaces that will be used to resolve view-based
+    | components like single-file and multi-file components. These folders'll
+    | also be referenced when creating new components via the make command.
+    |
+    */
+
+    'component_namespaces' => [
+        'layouts' => resource_path('views/layouts'),
+        'pages' => resource_path('views/pages'),
+    ],
+
+    /*
+    |---------------------------------------------------------------------------
+    | Page Layout
+    |---------------------------------------------------------------------------
+    | The view that will be used as the layout when rendering a single component as
+    | an entire page via `Route::livewire('/post/create', 'pages::create-post')`.
+    | In this case, the content of pages::create-post will render into $slot.
+    |
+    */
+
+    'component_layout' => 'layouts::app',
+
+    /*
+    |---------------------------------------------------------------------------
+    | Lazy Loading Placeholder
+    |---------------------------------------------------------------------------
+    | Livewire allows you to lazy load components that would otherwise slow down
+    | the initial page load. Every component can have a custom placeholder or
+    | you can define the default placeholder view for all components below.
+    |
+    */
+
+    'component_placeholder' => null, // Example: 'placeholders::skeleton'
+
+    /*
+    |---------------------------------------------------------------------------
+    | Make Command
+    |---------------------------------------------------------------------------
+    | This value determines the default configuration for the artisan make command
+    | You can configure the component type (sfc, mfc, class) and whether to use
+    | the high-voltage (⚡) emoji as a prefix in the sfc|mfc component names.
+    |
+    */
+
+    'make_command' => [
+        'type' => 'sfc', // Options: 'sfc', 'mfc', 'class'
+        'emoji' => true, // Options: true, false
+    ],
+
     /*
     |---------------------------------------------------------------------------
     | Class Namespace
@@ -15,6 +86,19 @@ return [
 
     'class_namespace' => 'App\\Livewire',
 
+    /*
+    |---------------------------------------------------------------------------
+    | Class Path
+    |---------------------------------------------------------------------------
+    |
+    | This value is used to specify the path where Livewire component class files
+    | are created when running creation commands like `artisan make:livewire`.
+    | This path is customizable to match your projects directory structure.
+    |
+    */
+
+    'class_path' => app_path('Livewire'),
+
     /*
     |---------------------------------------------------------------------------
     | View Path
@@ -28,30 +112,6 @@ return [
 
     'view_path' => resource_path('views/livewire'),
 
-    /*
-    |---------------------------------------------------------------------------
-    | Layout
-    |---------------------------------------------------------------------------
-    | The view that will be used as the layout when rendering a single component
-    | as an entire page via `Route::get('/post/create', CreatePost::class);`.
-    | In this case, the view returned by CreatePost will render into $slot.
-    |
-    */
-
-    'layout' => 'components.layouts.app',
-
-    /*
-    |---------------------------------------------------------------------------
-    | Lazy Loading Placeholder
-    |---------------------------------------------------------------------------
-    | Livewire allows you to lazy load components that would otherwise slow down
-    | the initial page load. Every component can have a custom placeholder or
-    | you can define the default placeholder view for all components below.
-    |
-    */
-
-    'lazy_placeholder' => null,
-
     /*
     |---------------------------------------------------------------------------
     | Temporary File Uploads
@@ -64,11 +124,11 @@ return [
     */
 
     'temporary_file_upload' => [
-        'disk' => null,        // Example: 'local', 's3'              | Default: 'default'
-        'rules' => ['required', 'file', 'max:524288'], // 512MB max
-        'directory' => null,   // Example: 'tmp'                      | Default: 'livewire-tmp'
-        'middleware' => null,  // Example: 'throttle:5,1'             | Default: 'throttle:60,1'
-        'preview_mimes' => [   // Supported file types for temporary pre-signed file URLs...
+        'disk' => env('LIVEWIRE_TEMPORARY_FILE_UPLOAD_DISK'), // Example: 'local', 's3'             | Default: 'default'
+        'rules' => ['required', 'file', 'max:524288'],                                      // Example: ['file', 'mimes:png,jpg'] | Default: ['required', 'file', 'max:12288'] (12MB)
+        'directory' => null,                                  // Example: 'tmp'                     | Default: 'livewire-tmp'
+        'middleware' => null,                                 // Example: 'throttle:5,1'            | Default: 'throttle:60,1'
+        'preview_mimes' => [                                  // Supported file types for temporary pre-signed file URLs...
             'png', 'gif', 'bmp', 'svg', 'wav', 'mp4',
             'mov', 'avi', 'wmv', 'mp3', 'm4a',
             'jpg', 'jpeg', 'mpga', 'webp', 'wma',
@@ -156,7 +216,7 @@ return [
     |
     */
 
-    'smart_wire_keys' => false,
+    'smart_wire_keys' => true,
 
     /*
     |---------------------------------------------------------------------------
@@ -183,4 +243,35 @@ return [
     */
 
     'release_token' => 'a',
+
+    /*
+    |---------------------------------------------------------------------------
+    | CSP Safe
+    |---------------------------------------------------------------------------
+    |
+    | This config is used to determine if Livewire will use the CSP-safe version
+    | of Alpine in its bundle. This is useful for applications that are using
+    | strict Content Security Policy (CSP) to protect against XSS attacks.
+    |
+    */
+
+    'csp_safe' => false,
+
+    /*
+    |---------------------------------------------------------------------------
+    | Payload Guards
+    |---------------------------------------------------------------------------
+    |
+    | These settings protect against malicious or oversized payloads that could
+    | cause denial of service. The default values should feel reasonable for
+    | most web applications. Each can be set to null to disable the limit.
+    |
+    */
+
+    'payload' => [
+        'max_size' => 1024 * 1024,   // 1MB - maximum request payload size in bytes
+        'max_nesting_depth' => 10,   // Maximum depth of dot-notation property paths
+        'max_calls' => 50,           // Maximum method calls per request
+        'max_components' => 20,      // Maximum components per batch request
+    ],
 ];
diff --git a/database/migrations/2026_01_27_000002_create_user_resource_usages_table.php b/database/migrations/2026_01_27_000002_create_user_resource_usages_table.php
new file mode 100644
index 0000000..7fdf41d
--- /dev/null
+++ b/database/migrations/2026_01_27_000002_create_user_resource_usages_table.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::create('user_resource_usages', function (Blueprint $table) {
+            $table->id();
+            $table->foreignId('user_id')->constrained()->cascadeOnDelete();
+            $table->string('metric', 50);
+            $table->unsignedBigInteger('value');
+            $table->timestamp('captured_at')->index();
+            $table->timestamps();
+
+            $table->index(['user_id', 'metric', 'captured_at']);
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('user_resource_usages');
+    }
+};
diff --git a/database/migrations/2026_01_27_050000_create_user_settings_table.php b/database/migrations/2026_01_27_050000_create_user_settings_table.php
new file mode 100644
index 0000000..ab76c5c
--- /dev/null
+++ b/database/migrations/2026_01_27_050000_create_user_settings_table.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::create('user_settings', function (Blueprint $table) {
+            $table->id();
+            $table->foreignId('user_id')->constrained()->cascadeOnDelete();
+            $table->string('key', 100);
+            $table->json('value')->nullable();
+            $table->timestamps();
+
+            $table->unique(['user_id', 'key']);
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('user_settings');
+    }
+};
diff --git a/database/migrations/2026_01_27_060000_create_domain_aliases_table.php b/database/migrations/2026_01_27_060000_create_domain_aliases_table.php
new file mode 100644
index 0000000..878aec5
--- /dev/null
+++ b/database/migrations/2026_01_27_060000_create_domain_aliases_table.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::create('domain_aliases', function (Blueprint $table) {
+            $table->id();
+            $table->foreignId('domain_id')->constrained()->cascadeOnDelete();
+            $table->string('alias');
+            $table->timestamps();
+
+            $table->unique(['domain_id', 'alias']);
+            $table->index('alias');
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('domain_aliases');
+    }
+};
diff --git a/database/migrations/2026_01_27_070000_create_git_deployments_table.php b/database/migrations/2026_01_27_070000_create_git_deployments_table.php
new file mode 100644
index 0000000..33748e5
--- /dev/null
+++ b/database/migrations/2026_01_27_070000_create_git_deployments_table.php
@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::create('git_deployments', function (Blueprint $table) {
+            $table->id();
+            $table->foreignId('user_id')->constrained()->cascadeOnDelete();
+            $table->foreignId('domain_id')->constrained()->cascadeOnDelete();
+            $table->string('repo_url');
+            $table->string('branch')->default('main');
+            $table->string('deploy_path');
+            $table->boolean('auto_deploy')->default(false);
+            $table->text('deploy_script')->nullable();
+            $table->string('last_status')->nullable();
+            $table->timestamp('last_deployed_at')->nullable();
+            $table->text('last_error')->nullable();
+            $table->string('secret_token', 80)->unique();
+            $table->timestamps();
+
+            $table->index(['user_id', 'domain_id']);
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('git_deployments');
+    }
+};
diff --git a/database/migrations/2026_01_27_073000_create_cloudflare_zones_table.php b/database/migrations/2026_01_27_073000_create_cloudflare_zones_table.php
new file mode 100644
index 0000000..9d21fee
--- /dev/null
+++ b/database/migrations/2026_01_27_073000_create_cloudflare_zones_table.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::create('cloudflare_zones', function (Blueprint $table) {
+            $table->id();
+            $table->foreignId('user_id')->constrained()->cascadeOnDelete();
+            $table->foreignId('domain_id')->constrained()->cascadeOnDelete();
+            $table->string('zone_id');
+            $table->string('account_id')->nullable();
+            $table->text('api_token');
+            $table->timestamps();
+
+            $table->unique(['user_id', 'domain_id']);
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('cloudflare_zones');
+    }
+};
diff --git a/database/migrations/2026_01_27_080000_create_hosting_packages_table.php b/database/migrations/2026_01_27_080000_create_hosting_packages_table.php
new file mode 100644
index 0000000..d498fbe
--- /dev/null
+++ b/database/migrations/2026_01_27_080000_create_hosting_packages_table.php
@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::create('hosting_packages', function (Blueprint $table) {
+            $table->id();
+            $table->string('name')->unique();
+            $table->text('description')->nullable();
+            $table->unsignedInteger('disk_quota_mb')->nullable();
+            $table->unsignedInteger('bandwidth_gb')->nullable();
+            $table->unsignedInteger('domains_limit')->nullable();
+            $table->unsignedInteger('databases_limit')->nullable();
+            $table->unsignedInteger('mailboxes_limit')->nullable();
+            $table->boolean('is_active')->default(true);
+            $table->timestamps();
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('hosting_packages');
+    }
+};
diff --git a/database/migrations/2026_01_27_080500_add_hosting_package_id_to_users_table.php b/database/migrations/2026_01_27_080500_add_hosting_package_id_to_users_table.php
new file mode 100644
index 0000000..33a6083
--- /dev/null
+++ b/database/migrations/2026_01_27_080500_add_hosting_package_id_to_users_table.php
@@ -0,0 +1,29 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->foreignId('hosting_package_id')
+                ->nullable()
+                ->constrained('hosting_packages')
+                ->nullOnDelete()
+                ->after('is_active');
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('users', function (Blueprint $table) {
+            $table->dropForeign(['hosting_package_id']);
+            $table->dropColumn('hosting_package_id');
+        });
+    }
+};
diff --git a/database/migrations/2026_01_27_081000_create_webhook_endpoints_table.php b/database/migrations/2026_01_27_081000_create_webhook_endpoints_table.php
new file mode 100644
index 0000000..253055e
--- /dev/null
+++ b/database/migrations/2026_01_27_081000_create_webhook_endpoints_table.php
@@ -0,0 +1,30 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::create('webhook_endpoints', function (Blueprint $table) {
+            $table->id();
+            $table->string('name');
+            $table->string('url');
+            $table->json('events')->nullable();
+            $table->string('secret_token')->nullable();
+            $table->boolean('is_active')->default(true);
+            $table->unsignedInteger('last_response_code')->nullable();
+            $table->timestamp('last_triggered_at')->nullable();
+            $table->timestamps();
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('webhook_endpoints');
+    }
+};
diff --git a/database/migrations/2026_01_27_081500_create_user_resource_limits_table.php b/database/migrations/2026_01_27_081500_create_user_resource_limits_table.php
new file mode 100644
index 0000000..ff64183
--- /dev/null
+++ b/database/migrations/2026_01_27_081500_create_user_resource_limits_table.php
@@ -0,0 +1,28 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::create('user_resource_limits', function (Blueprint $table) {
+            $table->id();
+            $table->foreignId('user_id')->constrained()->cascadeOnDelete();
+            $table->unsignedInteger('cpu_limit_percent')->nullable();
+            $table->unsignedInteger('memory_limit_mb')->nullable();
+            $table->unsignedInteger('io_limit_mb')->nullable();
+            $table->boolean('is_active')->default(true);
+            $table->timestamps();
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('user_resource_limits');
+    }
+};
diff --git a/database/migrations/2026_01_27_082000_create_geo_block_rules_table.php b/database/migrations/2026_01_27_082000_create_geo_block_rules_table.php
new file mode 100644
index 0000000..832103c
--- /dev/null
+++ b/database/migrations/2026_01_27_082000_create_geo_block_rules_table.php
@@ -0,0 +1,27 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::create('geo_block_rules', function (Blueprint $table) {
+            $table->id();
+            $table->string('country_code', 2);
+            $table->enum('action', ['allow', 'block'])->default('block');
+            $table->string('notes')->nullable();
+            $table->boolean('is_active')->default(true);
+            $table->timestamps();
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::dropIfExists('geo_block_rules');
+    }
+};
diff --git a/database/migrations/2026_01_27_090000_add_resource_limits_to_hosting_packages_table.php b/database/migrations/2026_01_27_090000_add_resource_limits_to_hosting_packages_table.php
new file mode 100644
index 0000000..e9db764
--- /dev/null
+++ b/database/migrations/2026_01_27_090000_add_resource_limits_to_hosting_packages_table.php
@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+use Illuminate\Database\Migrations\Migration;
+use Illuminate\Database\Schema\Blueprint;
+use Illuminate\Support\Facades\Schema;
+
+return new class extends Migration
+{
+    public function up(): void
+    {
+        Schema::table('hosting_packages', function (Blueprint $table) {
+            $table->unsignedInteger('cpu_limit_percent')->nullable()->after('mailboxes_limit');
+            $table->unsignedInteger('memory_limit_mb')->nullable()->after('cpu_limit_percent');
+            $table->unsignedInteger('io_limit_mb')->nullable()->after('memory_limit_mb');
+        });
+    }
+
+    public function down(): void
+    {
+        Schema::table('hosting_packages', function (Blueprint $table) {
+            $table->dropColumn(['cpu_limit_percent', 'memory_limit_mb', 'io_limit_mb']);
+        });
+    }
+};
diff --git a/resources/views/filament/admin/pages/automation-api.blade.php b/resources/views/filament/admin/pages/automation-api.blade.php
new file mode 100644
index 0000000..e9e713e
--- /dev/null
+++ b/resources/views/filament/admin/pages/automation-api.blade.php
@@ -0,0 +1,30 @@
+<x-filament-panels::page>
+    @if($plainToken)
+        <x-filament::section icon="heroicon-o-key" icon-color="success">
+            <x-slot name="heading">{{ __('New Token') }}</x-slot>
+            <x-slot name="description">{{ __('Copy this token now. You will not be able to see it again.') }}</x-slot>
+
+            <div class="rounded-lg border border-gray-200 bg-white p-4 dark:border-white/10 dark:bg-white/5">
+                <p class="text-xs text-gray-500 dark:text-gray-400">{{ __('API Token') }}</p>
+                <p class="mt-2 break-all font-mono text-sm text-gray-900 dark:text-white">{{ $plainToken }}</p>
+            </div>
+        </x-filament::section>
+    @endif
+
+    <x-filament::section icon="heroicon-o-document-text" class="mt-6">
+        <x-slot name="heading">{{ __('Automation API Endpoints') }}</x-slot>
+        <x-slot name="description">{{ __('Use these endpoints with a token that has the automation ability.') }}</x-slot>
+
+        <div class="space-y-2 text-sm text-gray-700 dark:text-gray-300">
+            <div><span class="font-mono">GET</span> /api/automation/users</div>
+            <div><span class="font-mono">POST</span> /api/automation/users</div>
+            <div><span class="font-mono">POST</span> /api/automation/domains</div>
+        </div>
+    </x-filament::section>
+
+    <div class="mt-6">
+        {{ $this->table }}
+    </div>
+
+    <x-filament-actions::modals />
+</x-filament-panels::page>
diff --git a/resources/views/filament/admin/pages/database-tuning.blade.php b/resources/views/filament/admin/pages/database-tuning.blade.php
new file mode 100644
index 0000000..29be4b3
--- /dev/null
+++ b/resources/views/filament/admin/pages/database-tuning.blade.php
@@ -0,0 +1,14 @@
+<x-filament-panels::page>
+    <x-filament::section icon="heroicon-o-exclamation-triangle" icon-color="warning">
+        <x-slot name="heading">{{ __('Runtime Changes') }}</x-slot>
+        <x-slot name="description">
+            {{ __('Changes apply immediately but may reset after a database restart. Persisting configuration will be added in a later step.') }}
+        </x-slot>
+    </x-filament::section>
+
+    <div class="mt-6">
+        {{ $this->table }}
+    </div>
+
+    <x-filament-actions::modals />
+</x-filament-panels::page>
diff --git a/resources/views/filament/admin/pages/email-queue.blade.php b/resources/views/filament/admin/pages/email-queue.blade.php
new file mode 100644
index 0000000..d166217
--- /dev/null
+++ b/resources/views/filament/admin/pages/email-queue.blade.php
@@ -0,0 +1,5 @@
+<x-filament-panels::page>
+    {{ $this->table }}
+
+    <x-filament-actions::modals />
+</x-filament-panels::page>
diff --git a/resources/views/filament/admin/pages/resource-usage.blade.php b/resources/views/filament/admin/pages/resource-usage.blade.php
new file mode 100644
index 0000000..bf7ee3a
--- /dev/null
+++ b/resources/views/filament/admin/pages/resource-usage.blade.php
@@ -0,0 +1,383 @@
+<x-filament-panels::page>
+    @once
+        @vite('resources/js/server-charts.js')
+    @endonce
+    {{ $this->usageForm }}
+
+    @php($hasRealData = !empty($chartData) && !empty($chartData['labels']))
+
+    @if(! $hasRealData)
+        <x-filament::section class="mt-6">
+            <div class="flex flex-col items-center justify-center py-10">
+                <div class="mb-3 rounded-full bg-gray-100 p-3 dark:bg-gray-500/20">
+                    <x-filament::icon icon="heroicon-o-chart-bar" class="h-6 w-6 text-gray-500 dark:text-gray-400" />
+                </div>
+                <h3 class="text-base font-semibold text-gray-950 dark:text-white">
+                    {{ __('No usage data yet') }}
+                </h3>
+                <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
+                    {{ __('Usage snapshots are collected hourly. Data will appear after the first collection run.') }}
+                </p>
+            </div>
+        </x-filament::section>
+    @else
+        <div class="mt-6 space-y-6">
+            <x-filament::section icon="heroicon-o-square-3-stack-3d" icon-color="primary">
+                <x-slot name="heading">{{ __('Latest Snapshot') }}</x-slot>
+                <div class="grid gap-4 sm:grid-cols-2 lg:grid-cols-4">
+                    <div class="rounded-lg border border-gray-200 bg-white p-4 dark:border-white/10 dark:bg-white/5">
+                        <p class="text-sm text-gray-500 dark:text-gray-400">{{ __('Disk') }}</p>
+                        <p class="text-lg font-semibold text-gray-950 dark:text-white">{{ $summary['disk'] ?? __('No data') }}</p>
+                    </div>
+                    <div class="rounded-lg border border-gray-200 bg-white p-4 dark:border-white/10 dark:bg-white/5">
+                        <p class="text-sm text-gray-500 dark:text-gray-400">{{ __('Mail') }}</p>
+                        <p class="text-lg font-semibold text-gray-950 dark:text-white">{{ $summary['mail'] ?? __('No data') }}</p>
+                    </div>
+                    <div class="rounded-lg border border-gray-200 bg-white p-4 dark:border-white/10 dark:bg-white/5">
+                        <p class="text-sm text-gray-500 dark:text-gray-400">{{ __('Databases') }}</p>
+                        <p class="text-lg font-semibold text-gray-950 dark:text-white">{{ $summary['database'] ?? __('No data') }}</p>
+                    </div>
+                    <div class="rounded-lg border border-gray-200 bg-white p-4 dark:border-white/10 dark:bg-white/5">
+                        <p class="text-sm text-gray-500 dark:text-gray-400">{{ __('Bandwidth (last hour)') }}</p>
+                        <p class="text-lg font-semibold text-gray-950 dark:text-white">{{ $summary['bandwidth'] ?? __('No data') }}</p>
+                    </div>
+                </div>
+            </x-filament::section>
+
+            <x-filament::section icon="heroicon-o-chart-bar" icon-color="success">
+                <x-slot name="heading">{{ __('Resource Usage (Last 30 Days)') }}</x-slot>
+                <x-slot name="description">{{ __('Historical snapshots collected hourly.') }}</x-slot>
+
+                <div
+                    wire:key="resource-usage-chart-{{ $usageFormData['user_id'] ?? 'none' }}"
+                    x-data="{
+                        chart: null,
+                        init() {
+                            let data = @js($chartData);
+
+                            const boot = () => {
+                                const element = this.$refs.chart ?? this.$el;
+                                if (!window.echarts || !data.labels?.length || !element) {
+                                    return false;
+                                }
+
+                                if (this.chart) {
+                                    this.chart.dispose();
+                                }
+
+                                this.chart = window.echarts.init(element);
+                                this.chart.setOption({
+                                    tooltip: { trigger: 'axis' },
+                                    legend: {
+                                        data: ['Disk', 'Mail', 'Databases', 'Bandwidth'],
+                                        bottom: 0,
+                                    },
+                                    grid: { left: '3%', right: '4%', bottom: '12%', containLabel: true },
+                                    xAxis: {
+                                        type: 'category',
+                                        data: data.labels,
+                                        axisLabel: {
+                                            formatter: (value) => value.slice(5),
+                                        },
+                                    },
+                                    yAxis: {
+                                        type: 'value',
+                                        axisLabel: { formatter: '{value} GB' },
+                                    },
+                                    series: [
+                                        { name: 'Disk', type: 'line', smooth: true, data: data.disk, areaStyle: {} },
+                                        { name: 'Mail', type: 'line', smooth: true, data: data.mail, areaStyle: {} },
+                                        { name: 'Databases', type: 'line', smooth: true, data: data.database, areaStyle: {} },
+                                        { name: 'Bandwidth', type: 'line', smooth: true, data: data.bandwidth, areaStyle: {} },
+                                    ],
+                                });
+                                window.addEventListener('resize', () => this.chart?.resize());
+                                requestAnimationFrame(() => this.chart?.resize());
+                                setTimeout(() => this.chart?.resize(), 150);
+                                return true;
+                            };
+
+                            if (!boot()) {
+                                const interval = setInterval(() => {
+                                    if (boot()) {
+                                        clearInterval(interval);
+                                    }
+                                }, 200);
+                            }
+                        }
+                    }"
+                    x-init="init"
+                    class="w-full"
+                    wire:ignore
+                >
+                    <div x-ref="chart" class="h-80 w-full" style="height: 320px;"></div>
+                </div>
+            </x-filament::section>
+
+            @if($hasPerformanceData)
+                <div class="grid gap-6 lg:grid-cols-2">
+                    <x-filament::section icon="heroicon-o-cpu-chip" icon-color="info">
+                        <x-slot name="heading">{{ __('CPU Usage (Last 30 Days)') }}</x-slot>
+                        <x-slot name="description">{{ __('Average CPU percent per snapshot.') }}</x-slot>
+
+                        <div class="mb-4 flex flex-wrap gap-4 text-sm text-gray-600 dark:text-gray-300">
+                            <div>
+                                <span class="font-semibold text-gray-900 dark:text-white">{{ __('Limit') }}:</span>
+                                {{ $cpuLimitPercent ? $cpuLimitPercent . '%' : __('Unlimited') }}
+                            </div>
+                            <div>
+                                <span class="font-semibold text-gray-900 dark:text-white">{{ __('Average') }}:</span>
+                                {{ $cpuStats['avg'] ?? __('No data') }}
+                            </div>
+                            <div>
+                                <span class="font-semibold text-gray-900 dark:text-white">{{ __('Peak') }}:</span>
+                                {{ $cpuStats['max'] ?? __('No data') }}
+                            </div>
+                        </div>
+
+                        <div
+                            x-data="{
+                                chart: null,
+                                init() {
+                                    const data = @js($performanceChartData);
+                                    const limit = @js($cpuLimitPercent);
+                                    const boot = () => {
+                                        const element = this.$refs.chart ?? this.$el;
+                                        if (!window.echarts || !data.labels?.length || !element) {
+                                            return false;
+                                        }
+
+                                        if (this.chart) {
+                                            this.chart.dispose();
+                                        }
+
+                                        const series = [
+                                            { name: 'CPU', type: 'line', smooth: true, data: data.cpu, areaStyle: {} },
+                                        ];
+
+                                        if (limit) {
+                                            series.push({
+                                                name: 'Limit',
+                                                type: 'line',
+                                                data: data.labels.map(() => limit),
+                                                lineStyle: { type: 'dashed', width: 2, color: '#ef4444' },
+                                                symbol: 'none',
+                                            });
+                                        }
+
+                                        this.chart = window.echarts.init(element);
+                                        this.chart.setOption({
+                                            tooltip: { trigger: 'axis' },
+                                            legend: { data: series.map(item => item.name), bottom: 0 },
+                                            grid: { left: '3%', right: '4%', bottom: 50, containLabel: true },
+                                            xAxis: {
+                                                type: 'category',
+                                                data: data.labels,
+                                                axisLabel: {
+                                                    formatter: (value) => value.slice(5),
+                                                    margin: 12,
+                                                },
+                                            },
+                                            yAxis: {
+                                                type: 'value',
+                                                axisLabel: { formatter: '{value}%' },
+                                            },
+                                            series,
+                                        });
+                                        window.addEventListener('resize', () => this.chart?.resize());
+                                        requestAnimationFrame(() => this.chart?.resize());
+                                        setTimeout(() => this.chart?.resize(), 150);
+                                        return true;
+                                    };
+
+                                    if (!boot()) {
+                                        const interval = setInterval(() => {
+                                            if (boot()) {
+                                                clearInterval(interval);
+                                            }
+                                        }, 200);
+                                    }
+                                }
+                            }"
+                            x-init="init"
+                            class="w-full"
+                            wire:ignore
+                        >
+                            <div x-ref="chart" class="h-80 w-full" style="height: 320px;"></div>
+                        </div>
+                    </x-filament::section>
+
+                    <x-filament::section icon="heroicon-o-circle-stack" icon-color="warning">
+                        <x-slot name="heading">{{ __('Memory Usage (Last 30 Days)') }}</x-slot>
+                        <x-slot name="description">{{ __('Resident memory per snapshot.') }}</x-slot>
+
+                        <div class="mb-4 flex flex-wrap gap-4 text-sm text-gray-600 dark:text-gray-300">
+                            <div>
+                                <span class="font-semibold text-gray-900 dark:text-white">{{ __('Limit') }}:</span>
+                                {{ $memoryLimitGb ? number_format($memoryLimitGb, 2) . ' GB' : __('Unlimited') }}
+                            </div>
+                            <div>
+                                <span class="font-semibold text-gray-900 dark:text-white">{{ __('Average') }}:</span>
+                                {{ $memoryStats['avg'] ?? __('No data') }}
+                            </div>
+                            <div>
+                                <span class="font-semibold text-gray-900 dark:text-white">{{ __('Peak') }}:</span>
+                                {{ $memoryStats['max'] ?? __('No data') }}
+                            </div>
+                        </div>
+
+                        <div
+                            x-data="{
+                                chart: null,
+                                init() {
+                                    const data = @js($performanceChartData);
+                                    const limit = @js($memoryLimitGb);
+                                    const boot = () => {
+                                        const element = this.$refs.chart ?? this.$el;
+                                        if (!window.echarts || !data.labels?.length || !element) {
+                                            return false;
+                                        }
+
+                                        if (this.chart) {
+                                            this.chart.dispose();
+                                        }
+
+                                        const series = [
+                                            { name: 'Memory', type: 'line', smooth: true, data: data.memory, areaStyle: {} },
+                                        ];
+
+                                        if (limit) {
+                                            series.push({
+                                                name: 'Limit',
+                                                type: 'line',
+                                                data: data.labels.map(() => limit),
+                                                lineStyle: { type: 'dashed', width: 2, color: '#ef4444' },
+                                                symbol: 'none',
+                                            });
+                                        }
+
+                                        this.chart = window.echarts.init(element);
+                                        this.chart.setOption({
+                                            tooltip: { trigger: 'axis' },
+                                            legend: { data: series.map(item => item.name), bottom: 0 },
+                                            grid: { left: '3%', right: '4%', bottom: 50, containLabel: true },
+                                            xAxis: {
+                                                type: 'category',
+                                                data: data.labels,
+                                                axisLabel: {
+                                                    formatter: (value) => value.slice(5),
+                                                    margin: 12,
+                                                },
+                                            },
+                                            yAxis: {
+                                                type: 'value',
+                                                axisLabel: { formatter: '{value} GB' },
+                                            },
+                                            series,
+                                        });
+                                        window.addEventListener('resize', () => this.chart?.resize());
+                                        requestAnimationFrame(() => this.chart?.resize());
+                                        setTimeout(() => this.chart?.resize(), 150);
+                                        return true;
+                                    };
+
+                                    if (!boot()) {
+                                        const interval = setInterval(() => {
+                                            if (boot()) {
+                                                clearInterval(interval);
+                                            }
+                                        }, 200);
+                                    }
+                                }
+                            }"
+                            x-init="init"
+                            class="w-full"
+                            wire:ignore
+                        >
+                            <div x-ref="chart" class="h-80 w-full" style="height: 320px;"></div>
+                        </div>
+                    </x-filament::section>
+
+                    <x-filament::section icon="heroicon-o-arrow-path-rounded-square" icon-color="primary">
+                        <x-slot name="heading">{{ __('Disk IO (Last 30 Days)') }}</x-slot>
+                        <x-slot name="description">{{ __('Read/write MB per snapshot.') }}</x-slot>
+
+                        <div
+                            x-data="{
+                                chart: null,
+                                init() {
+                                    const data = @js($performanceChartData);
+                                    const boot = () => {
+                                        const element = this.$refs.chart ?? this.$el;
+                                        if (!window.echarts || !data.labels?.length || !element) {
+                                            return false;
+                                        }
+
+                                        if (this.chart) {
+                                            this.chart.dispose();
+                                        }
+
+                                        this.chart = window.echarts.init(element);
+                                        this.chart.setOption({
+                                            tooltip: { trigger: 'axis' },
+                                            legend: { data: ['Disk IO'], bottom: 0 },
+                                            grid: { left: '3%', right: '4%', bottom: 50, containLabel: true },
+                                            xAxis: {
+                                                type: 'category',
+                                                data: data.labels,
+                                                axisLabel: {
+                                                    formatter: (value) => value.slice(5),
+                                                    margin: 12,
+                                                },
+                                            },
+                                            yAxis: {
+                                                type: 'value',
+                                                axisLabel: { formatter: '{value} MB' },
+                                            },
+                                            series: [
+                                                { name: 'Disk IO', type: 'line', smooth: true, data: data.disk_io, areaStyle: {} },
+                                            ],
+                                        });
+                                        window.addEventListener('resize', () => this.chart?.resize());
+                                        requestAnimationFrame(() => this.chart?.resize());
+                                        setTimeout(() => this.chart?.resize(), 150);
+                                        return true;
+                                    };
+
+                                    if (!boot()) {
+                                        const interval = setInterval(() => {
+                                            if (boot()) {
+                                                clearInterval(interval);
+                                            }
+                                        }, 200);
+                                    }
+                                }
+                            }"
+                            x-init="init"
+                            class="w-full"
+                            wire:ignore
+                        >
+                            <div x-ref="chart" class="h-80 w-full" style="height: 320px;"></div>
+                        </div>
+                    </x-filament::section>
+
+                </div>
+            @else
+                <x-filament::section icon="heroicon-o-cpu-chip" icon-color="info">
+                    <x-slot name="heading">{{ __('CPU, Memory & Disk IO') }}</x-slot>
+                    <div class="flex flex-col items-center justify-center py-10 text-center">
+                        <div class="mb-3 rounded-full bg-gray-100 p-3 dark:bg-gray-500/20">
+                            <x-filament::icon icon="heroicon-o-cpu-chip" class="h-6 w-6 text-gray-500 dark:text-gray-400" />
+                        </div>
+                        <h3 class="text-base font-semibold text-gray-950 dark:text-white">
+                            {{ __('No performance data yet') }}
+                        </h3>
+                        <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
+                            {{ __('CPU, memory, and disk IO snapshots will appear after the next collection run.') }}
+                        </p>
+                    </div>
+                </x-filament::section>
+            @endif
+        </div>
+    @endif
+</x-filament-panels::page>
diff --git a/resources/views/filament/admin/pages/server-updates.blade.php b/resources/views/filament/admin/pages/server-updates.blade.php
new file mode 100644
index 0000000..d166217
--- /dev/null
+++ b/resources/views/filament/admin/pages/server-updates.blade.php
@@ -0,0 +1,5 @@
+<x-filament-panels::page>
+    {{ $this->table }}
+
+    <x-filament-actions::modals />
+</x-filament-panels::page>
diff --git a/resources/views/filament/admin/pages/waf.blade.php b/resources/views/filament/admin/pages/waf.blade.php
new file mode 100644
index 0000000..e70e004
--- /dev/null
+++ b/resources/views/filament/admin/pages/waf.blade.php
@@ -0,0 +1,21 @@
+<x-filament-panels::page>
+    @if(! $wafInstalled)
+        <x-filament::section icon="heroicon-o-exclamation-triangle" icon-color="warning">
+            <x-slot name="heading">{{ __('ModSecurity not detected') }}</x-slot>
+            <x-slot name="description">
+                {{ __('Install ModSecurity on the server to enable WAF controls. Settings can be saved now and applied later.') }}
+            </x-slot>
+        </x-filament::section>
+    @endif
+
+    <div class="mt-6">
+        {{ $this->wafForm }}
+        <div class="mt-4">
+            <x-filament::button wire:click="saveWafSettings" icon="heroicon-o-check">
+                {{ __('Save WAF Settings') }}
+            </x-filament::button>
+        </div>
+    </div>
+
+    <x-filament-actions::modals />
+</x-filament-panels::page>
diff --git a/resources/views/filament/jabali/components/email-tabs-nav.blade.php b/resources/views/filament/jabali/components/email-tabs-nav.blade.php
index 8f7b6a9..5e3d97a 100644
--- a/resources/views/filament/jabali/components/email-tabs-nav.blade.php
+++ b/resources/views/filament/jabali/components/email-tabs-nav.blade.php
@@ -5,6 +5,7 @@
         'autoresponders' => ['label' => __('Autoresponders'), 'icon' => 'heroicon-o-clock'],
         'catchall' => ['label' => __('Catch-All'), 'icon' => 'heroicon-o-inbox-stack'],
         'logs' => ['label' => __('Logs'), 'icon' => 'heroicon-o-document-text'],
+        'spam' => ['label' => __('Spam Settings'), 'icon' => 'heroicon-o-shield-check'],
     ];
 @endphp
 
diff --git a/resources/views/filament/jabali/pages/cdn-integration.blade.php b/resources/views/filament/jabali/pages/cdn-integration.blade.php
new file mode 100644
index 0000000..d166217
--- /dev/null
+++ b/resources/views/filament/jabali/pages/cdn-integration.blade.php
@@ -0,0 +1,5 @@
+<x-filament-panels::page>
+    {{ $this->table }}
+
+    <x-filament-actions::modals />
+</x-filament-panels::page>
diff --git a/resources/views/filament/jabali/pages/email.blade.php b/resources/views/filament/jabali/pages/email.blade.php
index 45ab588..6de8e31 100644
--- a/resources/views/filament/jabali/pages/email.blade.php
+++ b/resources/views/filament/jabali/pages/email.blade.php
@@ -3,9 +3,21 @@
 
     {{ $this->emailForm }}
 
-    <div class="-mt-4">
-        {{ $this->table }}
-    </div>
+    @if($activeTab === 'spam')
+        <div class="mt-4">
+            {{ $this->spamForm }}
+
+            <div class="mt-6">
+                <x-filament::button wire:click="saveSpamSettings" icon="heroicon-o-check" color="primary">
+                    {{ __('Save Spam Settings') }}
+                </x-filament::button>
+            </div>
+        </div>
+    @else
+        <div class="-mt-4">
+            {{ $this->table }}
+        </div>
+    @endif
 
     <x-filament-actions::modals />
 </x-filament-panels::page>
diff --git a/resources/views/filament/jabali/pages/git-deployment.blade.php b/resources/views/filament/jabali/pages/git-deployment.blade.php
new file mode 100644
index 0000000..d166217
--- /dev/null
+++ b/resources/views/filament/jabali/pages/git-deployment.blade.php
@@ -0,0 +1,5 @@
+<x-filament-panels::page>
+    {{ $this->table }}
+
+    <x-filament-actions::modals />
+</x-filament-panels::page>
diff --git a/resources/views/filament/jabali/pages/image-optimization.blade.php b/resources/views/filament/jabali/pages/image-optimization.blade.php
new file mode 100644
index 0000000..e123adb
--- /dev/null
+++ b/resources/views/filament/jabali/pages/image-optimization.blade.php
@@ -0,0 +1,11 @@
+<x-filament-panels::page>
+    {{ $this->imageForm }}
+
+    <div class="mt-6">
+        <x-filament::button color="primary" wire:click="runOptimization" icon="heroicon-o-bolt">
+            {{ __('Run Optimization') }}
+        </x-filament::button>
+    </div>
+
+    <x-filament-actions::modals />
+</x-filament-panels::page>
diff --git a/resources/views/filament/jabali/pages/logs.blade.php b/resources/views/filament/jabali/pages/logs.blade.php
index cab6c17..a637198 100644
--- a/resources/views/filament/jabali/pages/logs.blade.php
+++ b/resources/views/filament/jabali/pages/logs.blade.php
@@ -1,138 +1,275 @@
 <x-filament-panels::page>
-    @if(count($this->getDomainOptions()) > 0)
-        {{-- Domain Selector --}}
-        <x-filament::section
-            icon="heroicon-o-globe-alt"
-            icon-color="primary"
-        >
-            <x-slot name="heading">
-                {{ __('Select Domain') }}
-            </x-slot>
-            <x-slot name="description">
-                {{ __('Choose the domain you want to view logs for.') }}
-            </x-slot>
+    @php
+        $tabs = [
+            'logs' => ['label' => __('Logs'), 'icon' => 'heroicon-o-document-text'],
+            'stats' => ['label' => __('Statistics'), 'icon' => 'heroicon-o-chart-bar'],
+            'usage' => ['label' => __('Resource Usage'), 'icon' => 'heroicon-o-chart-pie'],
+            'activity' => ['label' => __('Activity Log'), 'icon' => 'heroicon-o-clipboard-document-list'],
+        ];
+    @endphp
 
-            <div class="max-w-md">
-                <x-filament::input.wrapper>
-                    <x-filament::input.select wire:model.live="selectedDomain">
-                        @foreach($this->getDomainOptions() as $value => $label)
-                            <option value="{{ $value }}">{{ $label }}</option>
-                        @endforeach
-                    </x-filament::input.select>
-                </x-filament::input.wrapper>
+    <nav class="fi-tabs flex max-w-full gap-x-1 overflow-x-auto mx-auto rounded-xl bg-white p-2 shadow-sm ring-1 ring-gray-950/5 dark:bg-white/5 dark:ring-white/10" role="tablist">
+        @foreach($tabs as $key => $tab)
+            <button
+                type="button"
+                role="tab"
+                aria-selected="{{ $activeTab === $key ? 'true' : 'false' }}"
+                wire:click="setTab('{{ $key }}')"
+                @class([
+                    'fi-tabs-item group flex items-center gap-x-2 rounded-lg px-3 py-2 text-sm font-medium outline-none transition duration-75',
+                    'fi-active bg-gray-50 dark:bg-white/5' => $activeTab === $key,
+                    'hover:bg-gray-50 focus-visible:bg-gray-50 dark:hover:bg-white/5 dark:focus-visible:bg-white/5' => $activeTab !== $key,
+                ])
+            >
+                <x-filament::icon
+                    :icon="$tab['icon']"
+                    @class([
+                        'fi-tabs-item-icon h-5 w-5 shrink-0 transition duration-75',
+                        'text-primary-600 dark:text-primary-400' => $activeTab === $key,
+                        'text-gray-400 group-hover:text-gray-500 group-focus-visible:text-gray-500 dark:text-gray-500 dark:group-hover:text-gray-400 dark:group-focus-visible:text-gray-400' => $activeTab !== $key,
+                    ])
+                />
+                <span @class([
+                    'fi-tabs-item-label transition duration-75',
+                    'text-primary-600 dark:text-primary-400' => $activeTab === $key,
+                    'text-gray-500 group-hover:text-gray-700 group-focus-visible:text-gray-700 dark:text-gray-400 dark:group-hover:text-gray-200 dark:group-focus-visible:text-gray-200' => $activeTab !== $key,
+                ])>
+                    {{ $tab['label'] }}
+                </span>
+            </button>
+        @endforeach
+    </nav>
+
+    @if(in_array($activeTab, ['logs', 'stats'], true))
+        @if(count($this->getDomainOptions()) > 0)
+            <x-filament::section icon="heroicon-o-globe-alt" icon-color="primary" class="mt-4">
+                <x-slot name="heading">
+                    {{ __('Select Domain') }}
+                </x-slot>
+                <x-slot name="description">
+                    {{ __('Choose the domain you want to view logs for.') }}
+                </x-slot>
+
+                <div class="max-w-md">
+                    <x-filament::input.wrapper>
+                        <x-filament::input.select wire:model.live="selectedDomain">
+                            @foreach($this->getDomainOptions() as $value => $label)
+                                <option value="{{ $value }}">{{ $label }}</option>
+                            @endforeach
+                        </x-filament::input.select>
+                    </x-filament::input.wrapper>
+                </div>
+            </x-filament::section>
+
+            @if($selectedDomain)
+                @if($activeTab === 'stats')
+                    @if($statsGenerated)
+                        <x-filament::section icon="heroicon-o-check-circle" icon-color="success" class="mt-4">
+                            <x-slot name="heading">
+                                {{ __('Statistics Report Ready') }}
+                            </x-slot>
+                            <x-slot name="description">
+                                {{ __('Traffic analysis report has been generated for :domain', ['domain' => $selectedDomain]) }}
+                            </x-slot>
+
+                            <x-filament::button
+                                :href="$statsUrl"
+                                tag="a"
+                                target="_blank"
+                                icon="heroicon-o-arrow-top-right-on-square"
+                            >
+                                {{ __('View Report') }}
+                            </x-filament::button>
+                        </x-filament::section>
+                    @endif
+                @endif
+
+                @if($activeTab === 'logs')
+                    <x-filament::section icon="heroicon-o-document-text" class="mt-4">
+                        <x-slot name="heading">
+                            {{ __('Log Viewer') }}
+                        </x-slot>
+                        <x-slot name="description">
+                            {{ __('Viewing :type for :domain', ['type' => $logType === 'access' ? __('access log') : __('error log'), 'domain' => $selectedDomain]) }}
+                            @if(!empty($logInfo))
+                                ({{ $logInfo['file_size'] ?? '' }}, {{ __(':lines lines', ['lines' => $logInfo['lines'] ?? 100]) }})
+                            @endif
+                        </x-slot>
+
+                        <div class="flex flex-wrap items-center gap-2 gap-y-2 mb-4">
+                            <x-filament::button
+                                wire:click="setLogType('access')"
+                                :color="$logType === 'access' ? 'primary' : 'gray'"
+                                :outlined="$logType !== 'access'"
+                                size="sm"
+                                icon="heroicon-o-arrow-right-circle"
+                            >
+                                {{ __('Access Log') }}
+                            </x-filament::button>
+
+                            <x-filament::button
+                                wire:click="setLogType('error')"
+                                :color="$logType === 'error' ? 'danger' : 'gray'"
+                                :outlined="$logType !== 'error'"
+                                size="sm"
+                                icon="heroicon-o-exclamation-triangle"
+                            >
+                                {{ __('Error Log') }}
+                            </x-filament::button>
+                        </div>
+
+                        @if($logContent)
+                            <div class="fi-input-wrp rounded-lg shadow-sm ring-1 ring-gray-950/10 dark:ring-white/20 overflow-hidden">
+                                <textarea
+                                    readonly
+                                    rows="25"
+                                    class="w-full border-0 bg-gray-50 dark:bg-gray-900 text-gray-700 dark:text-gray-300 resize-none focus:ring-0"
+                                    style="font-family: ui-monospace, SFMono-Regular, 'SF Mono', Menlo, Consolas, monospace; font-size: 12px; line-height: 1.5;"
+                                >{{ $logContent }}</textarea>
+                            </div>
+                        @else
+                            <x-filament::section compact>
+                                <x-slot name="heading">
+                                    {{ __('No Log Entries') }}
+                                </x-slot>
+                                <x-slot name="description">
+                                    {{ $logType === 'access'
+                                        ? __('No access log entries found. Logs will appear after visitors access your site.')
+                                        : __('No error log entries found. This is good - your site has no errors.') }}
+                                </x-slot>
+                            </x-filament::section>
+                        @endif
+                    </x-filament::section>
+                @endif
+            @endif
+        @else
+            <x-filament::section class="mt-4">
+                <div class="flex flex-col items-center justify-center py-12">
+                    <div class="mb-4 rounded-full bg-gray-100 p-3 dark:bg-gray-500/20">
+                        <x-filament::icon icon="heroicon-o-globe-alt" class="h-6 w-6 text-gray-500 dark:text-gray-400" />
+                    </div>
+                    <h3 class="text-base font-semibold text-gray-950 dark:text-white">
+                        {{ __('No Domains Yet') }}
+                    </h3>
+                    <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
+                        {{ __('Add a domain first to view logs and statistics.') }}
+                    </p>
+                    <div class="mt-6">
+                        <x-filament::button href="{{ route('filament.jabali.pages.domains') }}" tag="a">
+                            {{ __('Add Domain') }}
+                        </x-filament::button>
+                    </div>
+                </div>
+            </x-filament::section>
+        @endif
+    @endif
+
+    @if($activeTab === 'usage')
+        @php($usageData = $this->getUsageChartData())
+        <x-filament::section class="mt-4" icon="heroicon-o-chart-pie">
+            <x-slot name="heading">{{ __('Resource Usage (Last 30 Days)') }}</x-slot>
+            <x-slot name="description">{{ __('Historical usage snapshots collected hourly.') }}</x-slot>
+
+            <div
+                x-data="{
+                    chart: null,
+                    init() {
+                        const data = @js($usageData);
+                        const isDemo = Boolean(data.demo);
+                        const boot = () => {
+                            const element = this.$refs.chart ?? this.$el;
+                            if (!window.echarts || !element) {
+                                return false;
+                            }
+
+                            if (this.chart) {
+                                this.chart.dispose();
+                            }
+
+                            this.chart = window.echarts.init(element);
+                            this.chart.setOption({
+                                tooltip: { trigger: 'axis' },
+                                legend: { data: data.series.map(s => s.name) },
+                                grid: { left: '3%', right: '3%', bottom: 50, containLabel: true },
+                                xAxis: {
+                                    type: 'category',
+                                    data: data.labels,
+                                    axisLabel: {
+                                        formatter: (value) => value.slice(5),
+                                        margin: 12,
+                                    },
+                                },
+                                yAxis: {
+                                    type: 'value',
+                                    axisLabel: { formatter: '{value} GB' },
+                                },
+                                series: data.series.map((series) => ({
+                                    name: series.name,
+                                    type: 'line',
+                                    smooth: true,
+                                    areaStyle: {},
+                                    data: series.data,
+                                })),
+                            });
+                            window.addEventListener('resize', () => this.chart?.resize());
+                            requestAnimationFrame(() => this.chart?.resize());
+                            setTimeout(() => this.chart?.resize(), 150);
+                            return true;
+                        };
+
+                        if (!boot()) {
+                            const interval = setInterval(() => {
+                                if (boot()) {
+                                    clearInterval(interval);
+                                }
+                            }, 200);
+                        }
+                    },
+                    }"
+                x-init="init"
+                class="w-full"
+                wire:ignore
+            >
+                <div x-ref="chart" class="h-80 w-full" style="height: 320px;"></div>
             </div>
         </x-filament::section>
 
-        @if($selectedDomain)
-            {{-- Statistics Banner (shown when generated) --}}
-            @if($statsGenerated)
-                <x-filament::section
-                    icon="heroicon-o-check-circle"
-                    icon-color="success"
-                >
-                    <x-slot name="heading">
-                        {{ __('Statistics Report Ready') }}
-                    </x-slot>
-                    <x-slot name="description">
-                        {{ __('Traffic analysis report has been generated for :domain', ['domain' => $selectedDomain]) }}
-                    </x-slot>
+    @endif
 
-                    <x-filament::button
-                        :href="$statsUrl"
-                        tag="a"
-                        target="_blank"
-                        icon="heroicon-o-arrow-top-right-on-square"
-                    >
-                        {{ __('View Report') }}
-                    </x-filament::button>
-                </x-filament::section>
-            @endif
+    @if($activeTab === 'activity')
+        <x-filament::section class="mt-4" icon="heroicon-o-clipboard-document-list">
+            <x-slot name="heading">{{ __('Activity Log') }}</x-slot>
+            <x-slot name="description">{{ __('Recent actions performed in your account.') }}</x-slot>
 
-            {{-- Log Viewer --}}
-            <x-filament::section
-                icon="heroicon-o-document-text"
-            >
-                <x-slot name="heading">
-                    {{ __('Log Viewer') }}
-                </x-slot>
-                <x-slot name="description">
-                    {{ __('Viewing :type for :domain', ['type' => $logType === 'access' ? __('access log') : __('error log'), 'domain' => $selectedDomain]) }}
-                    @if(!empty($logInfo))
-                        ({{ $logInfo['file_size'] ?? '' }}, {{ __(':lines lines', ['lines' => $logInfo['lines'] ?? 100]) }})
-                    @endif
-                </x-slot>
-
-                {{-- Log Type Buttons --}}
-                <div class="flex flex-wrap items-center gap-2 gap-y-2 mb-4">
-                    <x-filament::button
-                        wire:click="setLogType('access')"
-                        :color="$logType === 'access' ? 'primary' : 'gray'"
-                        :outlined="$logType !== 'access'"
-                        size="sm"
-                        icon="heroicon-o-arrow-right-circle"
-                    >
-                        {{ __('Access Log') }}
-                    </x-filament::button>
-
-                    <x-filament::button
-                        wire:click="setLogType('error')"
-                        :color="$logType === 'error' ? 'danger' : 'gray'"
-                        :outlined="$logType !== 'error'"
-                        size="sm"
-                        icon="heroicon-o-exclamation-triangle"
-                    >
-                        {{ __('Error Log') }}
-                    </x-filament::button>
-                </div>
-
-                {{-- Log Content --}}
-                @if($logContent)
-                    <div class="fi-input-wrp rounded-lg shadow-sm ring-1 ring-gray-950/10 dark:ring-white/20 overflow-hidden">
-                        <textarea
-                            readonly
-                            rows="25"
-                            class="w-full border-0 bg-gray-50 dark:bg-gray-900 text-gray-700 dark:text-gray-300 resize-none focus:ring-0"
-                            style="font-family: ui-monospace, SFMono-Regular, 'SF Mono', Menlo, Consolas, monospace; font-size: 12px; line-height: 1.5;"
-                        >{{ $logContent }}</textarea>
-                    </div>
-                @else
-                    <x-filament::section compact>
-                        <x-slot name="heading">
-                            {{ __('No Log Entries') }}
-                        </x-slot>
-                        <x-slot name="description">
-                            {{ $logType === 'access'
-                                ? __('No access log entries found. Logs will appear after visitors access your site.')
-                                : __('No error log entries found. This is good - your site has no errors.') }}
-                        </x-slot>
-                    </x-filament::section>
-                @endif
-            </x-filament::section>
-        @endif
-    @else
-        {{-- No Domains Empty State --}}
-        <x-filament::section>
-            <div class="flex flex-col items-center justify-center py-12">
-                <div class="mb-4 rounded-full bg-gray-100 p-3 dark:bg-gray-500/20">
-                    <x-filament::icon
-                        icon="heroicon-o-globe-alt"
-                        class="h-6 w-6 text-gray-500 dark:text-gray-400"
-                    />
-                </div>
-                <h3 class="text-base font-semibold text-gray-950 dark:text-white">
-                    {{ __('No Domains Yet') }}
-                </h3>
-                <p class="mt-1 text-sm text-gray-500 dark:text-gray-400">
-                    {{ __('Add a domain first to view logs and statistics.') }}
-                </p>
-                <div class="mt-6">
-                    <x-filament::button
-                        href="{{ route('filament.jabali.pages.domains') }}"
-                        tag="a"
-                    >
-                        {{ __('Add Domain') }}
-                    </x-filament::button>
-                </div>
+            <div class="overflow-x-auto">
+                <table class="min-w-full divide-y divide-gray-200 dark:divide-gray-700">
+                    <thead class="bg-gray-50 dark:bg-gray-800">
+                        <tr>
+                            <th class="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">{{ __('Time') }}</th>
+                            <th class="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">{{ __('Category') }}</th>
+                            <th class="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">{{ __('Action') }}</th>
+                            <th class="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">{{ __('Description') }}</th>
+                            <th class="px-4 py-3 text-left text-xs font-medium text-gray-500 uppercase">{{ __('IP') }}</th>
+                        </tr>
+                    </thead>
+                    <tbody class="divide-y divide-gray-200 dark:divide-gray-700">
+                        @forelse($this->getActivityLogs() as $log)
+                            <tr>
+                                <td class="px-4 py-3 text-sm text-gray-600 dark:text-gray-300">{{ $log->created_at?->format('Y-m-d H:i') }}</td>
+                                <td class="px-4 py-3 text-sm text-gray-600 dark:text-gray-300">{{ $log->category }}</td>
+                                <td class="px-4 py-3 text-sm text-gray-600 dark:text-gray-300">{{ $log->action }}</td>
+                                <td class="px-4 py-3 text-sm text-gray-600 dark:text-gray-300">{{ $log->description }}</td>
+                                <td class="px-4 py-3 text-sm text-gray-600 dark:text-gray-300">{{ $log->ip_address }}</td>
+                            </tr>
+                        @empty
+                            <tr>
+                                <td colspan="5" class="px-4 py-6 text-center text-sm text-gray-500">
+                                    {{ __('No activity recorded yet.') }}
+                                </td>
+                            </tr>
+                        @endforelse
+                    </tbody>
+                </table>
             </div>
         </x-filament::section>
     @endif
diff --git a/resources/views/filament/jabali/pages/mailing-lists.blade.php b/resources/views/filament/jabali/pages/mailing-lists.blade.php
new file mode 100644
index 0000000..bd568c1
--- /dev/null
+++ b/resources/views/filament/jabali/pages/mailing-lists.blade.php
@@ -0,0 +1,16 @@
+<x-filament-panels::page>
+    <x-filament::section>
+        <x-slot name="heading">{{ __('Mailing Lists') }}</x-slot>
+        <x-slot name="description">{{ __('Connect a mailing list provider or store settings for your administrator to configure.') }}</x-slot>
+
+        {{ $this->mailingForm }}
+
+        <div class="mt-6">
+            <x-filament::button wire:click="saveSettings" icon="heroicon-o-check" color="primary">
+                {{ __('Save Settings') }}
+            </x-filament::button>
+        </div>
+    </x-filament::section>
+
+    <x-filament-actions::modals />
+</x-filament-panels::page>
diff --git a/resources/views/filament/jabali/pages/postgresql.blade.php b/resources/views/filament/jabali/pages/postgresql.blade.php
new file mode 100644
index 0000000..e96fc64
--- /dev/null
+++ b/resources/views/filament/jabali/pages/postgresql.blade.php
@@ -0,0 +1,46 @@
+<x-filament-panels::page>
+    @php
+        $tabs = [
+            'databases' => ['label' => __('Databases'), 'icon' => 'heroicon-o-circle-stack'],
+            'users' => ['label' => __('Users'), 'icon' => 'heroicon-o-users'],
+        ];
+    @endphp
+
+    <nav class="fi-tabs flex max-w-full gap-x-1 overflow-x-auto mx-auto rounded-xl bg-white p-2 shadow-sm ring-1 ring-gray-950/5 dark:bg-white/5 dark:ring-white/10" role="tablist">
+        @foreach($tabs as $key => $tab)
+            <button
+                type="button"
+                role="tab"
+                aria-selected="{{ $activeTab === $key ? 'true' : 'false' }}"
+                wire:click="$set('activeTab', '{{ $key }}')"
+                @class([
+                    'fi-tabs-item group flex items-center gap-x-2 rounded-lg px-3 py-2 text-sm font-medium outline-none transition duration-75',
+                    'fi-active bg-gray-50 dark:bg-white/5' => $activeTab === $key,
+                    'hover:bg-gray-50 focus-visible:bg-gray-50 dark:hover:bg-white/5 dark:focus-visible:bg-white/5' => $activeTab !== $key,
+                ])
+            >
+                <x-filament::icon
+                    :icon="$tab['icon']"
+                    @class([
+                        'fi-tabs-item-icon h-5 w-5 shrink-0 transition duration-75',
+                        'text-primary-600 dark:text-primary-400' => $activeTab === $key,
+                        'text-gray-400 group-hover:text-gray-500 group-focus-visible:text-gray-500 dark:text-gray-500 dark:group-hover:text-gray-400 dark:group-focus-visible:text-gray-400' => $activeTab !== $key,
+                    ])
+                />
+                <span @class([
+                    'fi-tabs-item-label transition duration-75',
+                    'text-primary-600 dark:text-primary-400' => $activeTab === $key,
+                    'text-gray-500 group-hover:text-gray-700 group-focus-visible:text-gray-700 dark:text-gray-400 dark:group-hover:text-gray-200 dark:group-focus-visible:text-gray-200' => $activeTab !== $key,
+                ])>
+                    {{ $tab['label'] }}
+                </span>
+            </button>
+        @endforeach
+    </nav>
+
+    <div class="mt-4">
+        {{ $this->table }}
+    </div>
+
+    <x-filament-actions::modals />
+</x-filament-panels::page>
diff --git a/routes/api.php b/routes/api.php
index 508ac91..bfbe6b2 100644
--- a/routes/api.php
+++ b/routes/api.php
@@ -1,9 +1,11 @@
 <?php
 
-use Illuminate\Http\Request;
-use Illuminate\Support\Facades\Route;
-use Illuminate\Support\Facades\Cache;
+use App\Http\Controllers\AutomationApiController;
+use App\Http\Controllers\GitWebhookController;
 use App\Services\Agent\AgentClient;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\Route;
 
 Route::get('/user', function (Request $request) {
     return $request->user();
@@ -13,14 +15,14 @@ Route::post('/phpmyadmin/verify-token', function (Request $request) {
     $token = $request->input('token');
 
     // Use Cache::get() which handles the prefix automatically
-    $data = Cache::get('phpmyadmin_token_' . $token);
+    $data = Cache::get('phpmyadmin_token_'.$token);
 
-    if (!$data) {
+    if (! $data) {
         return response()->json(['error' => 'Invalid token'], 401);
     }
 
     // Delete token after use (single use)
-    Cache::forget('phpmyadmin_token_' . $token);
+    Cache::forget('phpmyadmin_token_'.$token);
 
     return response()->json($data);
 });
@@ -29,7 +31,7 @@ Route::post('/phpmyadmin/verify-token', function (Request $request) {
 Route::post('/internal/page-cache', function (Request $request) {
     // Only allow requests from localhost
     $clientIp = $request->ip();
-    if (!in_array($clientIp, ['127.0.0.1', '::1', 'localhost'])) {
+    if (! in_array($clientIp, ['127.0.0.1', '::1', 'localhost'])) {
         return response()->json(['error' => 'Forbidden'], 403);
     }
 
@@ -52,13 +54,13 @@ Route::post('/internal/page-cache', function (Request $request) {
         $query->where('domain', $domain);
     })->first();
 
-    if (!$user) {
+    if (! $user) {
         return response()->json(['error' => 'Domain not found'], 404);
     }
 
     // Verify the secret by checking wp-config.php
     $wpConfigPath = "/home/{$user->username}/domains/{$domain}/public_html/wp-config.php";
-    if (!file_exists($wpConfigPath)) {
+    if (! file_exists($wpConfigPath)) {
         return response()->json(['error' => 'WordPress not found'], 404);
     }
 
@@ -74,7 +76,7 @@ Route::post('/internal/page-cache', function (Request $request) {
     }
 
     try {
-        $agent = new AgentClient();
+        $agent = new AgentClient;
 
         if ($enabled) {
             $result = $agent->send('wp.page_cache_enable', [
@@ -98,7 +100,7 @@ Route::post('/internal/page-cache', function (Request $request) {
 Route::post('/internal/page-cache-purge', function (Request $request) {
     // Only allow requests from localhost
     $clientIp = $request->ip();
-    if (!in_array($clientIp, ['127.0.0.1', '::1', 'localhost'])) {
+    if (! in_array($clientIp, ['127.0.0.1', '::1', 'localhost'])) {
         return response()->json(['error' => 'Forbidden'], 403);
     }
 
@@ -121,13 +123,13 @@ Route::post('/internal/page-cache-purge', function (Request $request) {
         $query->where('domain', $domain);
     })->first();
 
-    if (!$user) {
+    if (! $user) {
         return response()->json(['error' => 'Domain not found'], 404);
     }
 
     // Verify the secret by checking wp-config.php
     $wpConfigPath = "/home/{$user->username}/domains/{$domain}/public_html/wp-config.php";
-    if (!file_exists($wpConfigPath)) {
+    if (! file_exists($wpConfigPath)) {
         return response()->json(['error' => 'WordPress not found'], 404);
     }
 
@@ -143,7 +145,7 @@ Route::post('/internal/page-cache-purge', function (Request $request) {
     }
 
     try {
-        $agent = new AgentClient();
+        $agent = new AgentClient;
 
         if ($purgeAll || empty($paths)) {
             // Purge entire domain cache
@@ -163,3 +165,13 @@ Route::post('/internal/page-cache-purge', function (Request $request) {
         return response()->json(['error' => $e->getMessage()], 500);
     }
 });
+
+Route::post('/webhooks/git/{deployment}/{token}', GitWebhookController::class);
+
+Route::middleware(['auth:sanctum', 'abilities:automation'])
+    ->prefix('automation')
+    ->group(function () {
+        Route::get('/users', [AutomationApiController::class, 'listUsers']);
+        Route::post('/users', [AutomationApiController::class, 'createUser']);
+        Route::post('/domains', [AutomationApiController::class, 'createDomain']);
+    });
diff --git a/routes/console.php b/routes/console.php
index 8c031bb..7bbedfe 100644
--- a/routes/console.php
+++ b/routes/console.php
@@ -66,6 +66,13 @@ Schedule::command('jabali:sync-mailbox-quotas')
     ->runInBackground()
     ->appendOutputTo(storage_path('logs/mailbox-quota-sync.log'));
 
+// User Resource Usage - runs hourly to capture per-user usage history
+Schedule::command('jabali:collect-user-usage')
+    ->hourly()
+    ->withoutOverlapping()
+    ->runInBackground()
+    ->appendOutputTo(storage_path('logs/user-usage.log'));
+
 // Audit Log Rotation - runs daily to prune old audit logs (default: 90 days retention)
 Schedule::call(function () {
     $deleted = AuditLog::prune();
diff --git a/tests/Feature/ResourceUsageChartsTest.php b/tests/Feature/ResourceUsageChartsTest.php
new file mode 100644
index 0000000..77e6147
--- /dev/null
+++ b/tests/Feature/ResourceUsageChartsTest.php
@@ -0,0 +1,55 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Tests\Feature;
+
+use App\Models\User;
+use App\Models\UserResourceUsage;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Tests\TestCase;
+
+class ResourceUsageChartsTest extends TestCase
+{
+    use RefreshDatabase;
+
+    public function test_admin_resource_usage_page_renders_chart_with_data(): void
+    {
+        $admin = User::factory()->admin()->create();
+        $user = User::factory()->create();
+
+        $metrics = ['disk_bytes', 'mail_bytes', 'database_bytes', 'bandwidth_bytes'];
+        foreach ($metrics as $metric) {
+            UserResourceUsage::create([
+                'user_id' => $user->id,
+                'metric' => $metric,
+                'value' => 1024 * 1024 * 250,
+                'captured_at' => now(),
+            ]);
+        }
+
+        $response = $this->actingAs($admin, 'admin')->get('/jabali-admin/resource-usage');
+
+        $response->assertStatus(200);
+        $response->assertSee('Resource Usage (Last 30 Days)');
+        $response->assertSee('resource-usage-chart-', false);
+    }
+
+    public function test_user_logs_usage_tab_renders_chart(): void
+    {
+        $user = User::factory()->create();
+
+        UserResourceUsage::create([
+            'user_id' => $user->id,
+            'metric' => 'disk_bytes',
+            'value' => 1024 * 1024 * 250,
+            'captured_at' => now(),
+        ]);
+
+        $response = $this->actingAs($user)->get('/jabali-panel/logs?tab=usage');
+
+        $response->assertStatus(200);
+        $response->assertSee('Resource Usage (Last 30 Days)');
+        $response->assertSee('x-ref="chart"', false);
+    }
+}