Replace the five 2FA stub methods in Settings with real implementations
that delegate to the TwoFactorAuthenticatable trait from php-tenant.
The 2FA tab now auto-enables when the User model uses the trait, and
handles the full lifecycle: enable, verify, confirm, view/regenerate
recovery codes, and disable.
Remove the orphaned BoostPurchase Livewire component and its blade
template. The /boosts route already redirects to the account usage
page's boosts tab, making this component dead code.
Update language strings: remove the old "upgrading" stub message and
add proper 2FA success/error messages.
Fixes #15
Fixes #16
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add mutators to Service and HoneypotHit models that enforce size and
structure limits on JSON fields (metadata, headers). Service.setMeta()
now validates key format. TeapotController pre-filters header count
before passing to the model.
Fixes #14
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Switch header storage from blacklist to whitelist approach, add private
IP detection for auto-block bypass, and validate referer URLs.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Add per-user rate limiting to sensitive Livewire component methods to
prevent abuse from compromised admin sessions. Introduces a reusable
HasRateLimiting trait and applies it to PlatformUser, Settings, and
WaitlistManager components.
Rate limits:
- Tier changes, verification, entitlements: 10/min per admin
- Profile updates, preferences: 20/min per user
- Password changes: 5/min per user
- Data exports: 5/min per admin
- Deletions/anonymisation: 3/min per admin
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Core\Mod\Tenant -> Core\Tenant
Part of namespace restructure to align with L1/L2 module conventions.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>