diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..5400e92
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,47 @@
+# Auto detect text files and perform LF normalization
+* text=auto
+
+# Explicitly declare text files you want to always be normalized and converted to native line endings on checkout
+*.ts text eol=lf
+*.tsx text eol=lf
+*.js text eol=lf
+*.jsx text eol=lf
+*.mjs text eol=lf
+*.cjs text eol=lf
+*.json text eol=lf
+*.md text eol=lf
+*.yml text eol=lf
+*.yaml text eol=lf
+*.toml text eol=lf
+*.css text eol=lf
+*.scss text eol=lf
+*.html text eol=lf
+*.xml text eol=lf
+*.svg text eol=lf
+*.sh text eol=lf
+
+# Lock files should maintain LF
+package-lock.json text eol=lf
+bun.lockb binary
+bun.lock text eol=lf
+yarn.lock text eol=lf
+pnpm-lock.yaml text eol=lf
+
+# Denote all files that are truly binary and should not be modified
+*.png binary
+*.jpg binary
+*.jpeg binary
+*.gif binary
+*.ico binary
+*.woff binary
+*.woff2 binary
+*.ttf binary
+*.eot binary
+*.pdf binary
+*.zip binary
+*.gz binary
+
+# Windows-specific files
+*.bat text eol=crlf
+*.cmd text eol=crlf
+*.ps1 text eol=crlf
diff --git a/.gitignore b/.gitignore
index 99bf5af..097f9be 100644
--- a/.gitignore
+++ b/.gitignore
@@ -39,3 +39,17 @@ yarn-error.log*
 
 *storybook.log
 storybook-static
+
+# IDE
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+.idea
+*.swp
+*.swo
+*~
+
+# OS
+Thumbs.db
diff --git a/apps/backend/.env.example b/apps/backend/.env.example
new file mode 100644
index 0000000..17887af
--- /dev/null
+++ b/apps/backend/.env.example
@@ -0,0 +1,15 @@
+# Database Configuration
+DATABASE_URL=postgresql://user:password@localhost:5432/eventer
+
+# Supabase Configuration
+SUPABASE_URL=https://your-project.supabase.co
+SUPABASE_KEY=your-anon-key-here
+
+# Server Configuration
+PORT=4000
+NODE_ENV=development
+
+# CORS Configuration
+# In development: http://localhost:3000
+# In production: https://your-domain.com
+CORS_ORIGIN=http://localhost:3000
diff --git a/apps/backend/api/index.ts b/apps/backend/api/index.ts
index 7e6ed74..3e5d83c 100644
--- a/apps/backend/api/index.ts
+++ b/apps/backend/api/index.ts
@@ -1,10 +1,29 @@
-// import type { VercelRequest, VercelResponse } from "@vercel/node";
+import type { VercelRequest, VercelResponse } from "@vercel/node";
 import { app } from "../src";
 
-export const config = {
-	runtime: "edge", //  Required for edge deployment
-};
+export default async function handler(req: VercelRequest, res: VercelResponse) {
+	// Convert Vercel request to Web Request
+	const url = `${req.headers["x-forwarded-proto"] || "http"}://${req.headers.host}${req.url}`;
+	const headers = new Headers();
+	Object.entries(req.headers).forEach(([key, value]) => {
+		if (value) headers.set(key, Array.isArray(value) ? value.join(", ") : value);
+	});
 
-export default async function handler(request: Request): Promise<Response> {
-	return app.handle(request);
+	const request = new Request(url, {
+		method: req.method,
+		headers,
+		body: req.method !== "GET" && req.method !== "HEAD" ? JSON.stringify(req.body) : undefined,
+	});
+
+	// Handle with Elysia
+	const response = await app.handle(request);
+
+	// Convert Web Response to Vercel Response
+	res.status(response.status);
+	response.headers.forEach((value, key) => {
+		res.setHeader(key, value);
+	});
+
+	const body = await response.text();
+	res.send(body);
 }
diff --git a/apps/backend/package.json b/apps/backend/package.json
index 24899ac..9c08e44 100644
--- a/apps/backend/package.json
+++ b/apps/backend/package.json
@@ -4,7 +4,7 @@
 	"scripts": {
 		"dev": "bun --watch src/index.ts",
 		"dev:cf": "wrangler dev",
-		"build": "bun build src/index.ts --outdir ./dist --target=node",
+		"build": "bun build src/index.ts --outdir ./dist --target=node --minify --external @supabase/supabase-js --external postgres --external drizzle-orm",
 		"start": "bun run dist/index.js",
 		"typecheck": "bun tsc --noEmit",
 		"db:migrate": "drizzle-kit migrate --config=drizzle.config.ts",
diff --git a/apps/backend/src/index.ts b/apps/backend/src/index.ts
index be6cbb5..d9839f3 100644
--- a/apps/backend/src/index.ts
+++ b/apps/backend/src/index.ts
@@ -25,13 +25,10 @@ const conditionalSwagger = () => {
 const app = new Elysia({ aot: false })
 	.use(
 		cors({
-			// origin: "https://eventer.betich.me",
-			origin: /.*\.betich\.me$/,
-			// [
-			//   /.*\.betich\.me$/,
-			//   process.env.NODE_ENV === "development" ? /localhost:\d+/ : "",
-			//   env.CORS_ORIGIN || "",
-			// ],
+			origin:
+				process.env.NODE_ENV === "production"
+					? [/^https:\/\/.*\.betich\.me$/] // Only your domain in production
+					: [env.CORS_ORIGIN, /localhost:\d+/], // Allow localhost in dev
 			credentials: true,
 			preflight: true,
 			methods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
@@ -43,9 +40,20 @@ const app = new Elysia({ aot: false })
 	.use(userRouter)
 	.use(agendaRouter)
 	.use(authRouter)
-	.onRequest(({ set }) => {
+	.onRequest(({ request, set }) => {
 		set.headers["access-control-allow-credentials"] = "true";
-		// set.headers["access-control-allow-origin"] = "https://eventer.betich.me";
+
+		// Force HTTPS in production
+		if (process.env.NODE_ENV === "production") {
+			const proto = request.headers.get("x-forwarded-proto");
+			if (proto && proto !== "https") {
+				const url = new URL(request.url);
+				url.protocol = "https:";
+				set.status = 301;
+				set.headers.location = url.toString();
+				return;
+			}
+		}
 	});
 // .group("/api", (app) =>
 //   app
diff --git a/apps/backend/src/modules/agenda/agenda.route.ts b/apps/backend/src/modules/agenda/agenda.route.ts
index fb3f10b..6a97209 100644
--- a/apps/backend/src/modules/agenda/agenda.route.ts
+++ b/apps/backend/src/modules/agenda/agenda.route.ts
@@ -1,5 +1,6 @@
 import { Elysia, t } from "elysia";
 import { db } from "#backend/infrastructure/db";
+import { rateLimit, rateLimitPresets } from "#backend/shared/middleware/rate-limit.middleware";
 import {
 	AgendaListResponseSchema,
 	AgendaSchema,
@@ -24,6 +25,13 @@ const agendaRepository = new AgendaRepository(db);
 //TODO : Implement useGetAgenda(eventId, currentDay)
 
 export const agendaRouter = new Elysia({ prefix: "/api/agenda" })
+	// Apply moderate rate limiting to agenda endpoints (30 requests per minute)
+	.use(
+		rateLimit({
+			...rateLimitPresets.moderate,
+			message: "Too many requests to agenda API. Please slow down.",
+		})
+	)
 
 	.get(
 		"/timer",
diff --git a/apps/backend/src/modules/auth/auth.route.test.ts b/apps/backend/src/modules/auth/auth.route.test.ts
new file mode 100644
index 0000000..9a83203
--- /dev/null
+++ b/apps/backend/src/modules/auth/auth.route.test.ts
@@ -0,0 +1,360 @@
+import { beforeEach, describe, expect, it, vi } from "vitest";
+
+// ─── Hoist mock stubs so they are available inside vi.mock() factories ────────
+// vi.mock() calls are hoisted to the top of the file by Vitest, so any
+// variables referenced inside a factory must also be hoisted via vi.hoisted().
+
+const { mockGetUser, mockSetSession, mockFind, mockFindByEmail, mockCreate } = vi.hoisted(() => ({
+	mockGetUser: vi.fn(),
+	mockSetSession: vi.fn(),
+	mockFind: vi.fn(),
+	mockFindByEmail: vi.fn(),
+	mockCreate: vi.fn(),
+}));
+
+// ─── Mock all external dependencies before importing the module under test ───
+
+vi.mock("#backend/infrastructure/db", () => ({
+	db: {},
+}));
+
+vi.mock("#backend/infrastructure/db/supabase", () => ({
+	supabase: {
+		auth: {
+			getUser: mockGetUser,
+			setSession: mockSetSession,
+		},
+	},
+}));
+
+vi.mock("#backend/modules/user/user.repository", () => ({
+	UserRepository: vi.fn().mockImplementation(() => ({
+		find: mockFind,
+		findByEmail: mockFindByEmail,
+		create: mockCreate,
+	})),
+}));
+
+// Bypass the rate-limit plugin so tests are not throttled.
+vi.mock("../../shared/middleware/rate-limit.middleware", async () => {
+	const { Elysia } = await import("elysia");
+	return {
+		rateLimit: vi.fn().mockReturnValue(new Elysia()),
+		rateLimitPresets: { strict: { max: 5, duration: 60000 } },
+	};
+});
+
+// ─── Import the router under test (must be after all vi.mock() calls) ────────
+import { authRouter } from "./auth.route";
+
+// ─── Helpers ─────────────────────────────────────────────────────────────────
+
+/**
+ * Send a request to the Elysia router and return the parsed JSON response.
+ */
+async function handleRequest(
+	method: string,
+	path: string,
+	options?: { body?: unknown; headers?: Record<string, string> }
+) {
+	const request = new Request(`http://localhost${path}`, {
+		method,
+		headers: {
+			"Content-Type": "application/json",
+			...options?.headers,
+		},
+		body: options?.body !== undefined ? JSON.stringify(options.body) : undefined,
+	});
+
+	const response = await authRouter.handle(request);
+
+	let data: unknown;
+	try {
+		data = await response.json();
+	} catch {
+		data = null;
+	}
+
+	return { response, data };
+}
+
+// ─── Tests ───────────────────────────────────────────────────────────────────
+
+describe("Auth Router – GET /api/auth/session", () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+	});
+
+	it("should return { user: null } when no session cookie is present", async () => {
+		// Default mock returns undefined → reveals the missing null-guard bug.
+		const { response, data } = await handleRequest("GET", "/api/auth/session");
+
+		expect(response.status).toBe(200);
+		expect(data).toEqual({ user: null });
+	});
+
+	it("should return { user: null } when supabase returns an error", async () => {
+		mockGetUser.mockResolvedValueOnce({
+			data: { user: null },
+			error: new Error("invalid JWT"),
+		});
+
+		const { response, data } = await handleRequest("GET", "/api/auth/session", {
+			headers: { Cookie: "session=bad-token" },
+		});
+
+		expect(response.status).toBe(200);
+		expect(data).toEqual({ user: null });
+	});
+
+	it("should return { user: null } when the user is not found in the database", async () => {
+		mockGetUser.mockResolvedValueOnce({
+			data: { user: { id: "supabase-uid-1" } },
+			error: null,
+		});
+		mockFind.mockResolvedValueOnce(null);
+
+		const { response, data } = await handleRequest("GET", "/api/auth/session", {
+			headers: { Cookie: "session=valid-token" },
+		});
+
+		expect(response.status).toBe(200);
+		expect(data).toEqual({ user: null });
+	});
+
+	it("should return the user object when the session is valid and the user exists", async () => {
+		mockGetUser.mockResolvedValueOnce({
+			data: { user: { id: "supabase-uid-1" } },
+			error: null,
+		});
+		mockFind.mockResolvedValueOnce({
+			id: "db-user-id",
+			email: "alice@example.com",
+			name: "Alice",
+			avatarUrl: "https://cdn.example.com/alice.jpg",
+		});
+
+		const { response, data } = await handleRequest("GET", "/api/auth/session", {
+			headers: { Cookie: "session=valid-token" },
+		});
+
+		expect(response.status).toBe(200);
+		expect((data as Record<string, unknown>).user).toMatchObject({
+			id: "db-user-id",
+			email: "alice@example.com",
+			name: "Alice",
+			avatar_url: "https://cdn.example.com/alice.jpg",
+		});
+	});
+
+	it("should omit avatar_url from the response when the user has no avatar", async () => {
+		mockGetUser.mockResolvedValueOnce({
+			data: { user: { id: "supabase-uid-2" } },
+			error: null,
+		});
+		mockFind.mockResolvedValueOnce({
+			id: "db-user-id-2",
+			email: "bob@example.com",
+			name: "Bob",
+			avatarUrl: null,
+		});
+
+		const { data } = await handleRequest("GET", "/api/auth/session", {
+			headers: { Cookie: "session=valid-token" },
+		});
+
+		const user = (data as Record<string, unknown>).user as Record<string, unknown>;
+		expect(user).not.toHaveProperty("avatar_url");
+	});
+});
+
+// ─────────────────────────────────────────────────────────────────────────────
+
+describe("Auth Router – POST /api/auth/callback", () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+	});
+
+	const validBody = {
+		access_token: "google-access-token-abc",
+		refresh_token: "google-refresh-token-xyz",
+	};
+
+	const mockSupabaseSession = { access_token: "new-session-token" };
+
+	const mockSupabaseUser = {
+		id: "supabase-uid-99",
+		email: "carol@example.com",
+		user_metadata: {
+			full_name: "Carol",
+			avatar_url: "https://cdn.example.com/carol.jpg",
+			picture: null,
+		},
+	};
+
+	it("should create a new user and return success when the user does not exist yet", async () => {
+		mockSetSession.mockResolvedValueOnce({
+			data: { session: mockSupabaseSession, user: mockSupabaseUser },
+			error: null,
+		});
+		mockFindByEmail.mockResolvedValueOnce(null); // user doesn't exist
+		mockCreate.mockResolvedValueOnce({});
+
+		const { response, data } = await handleRequest("POST", "/api/auth/callback", {
+			body: validBody,
+		});
+
+		expect(response.status).toBe(200);
+		const res = data as Record<string, unknown>;
+		expect(res.success).toBe(true);
+		expect((res.user as Record<string, unknown>).email).toBe("carol@example.com");
+
+		expect(mockCreate).toHaveBeenCalledOnce();
+		expect(mockCreate).toHaveBeenCalledWith({
+			id: "supabase-uid-99",
+			email: "carol@example.com",
+			name: "Carol",
+			avatar_url: "https://cdn.example.com/carol.jpg",
+		});
+	});
+
+	it("should skip user creation when the user already exists", async () => {
+		mockSetSession.mockResolvedValueOnce({
+			data: { session: mockSupabaseSession, user: mockSupabaseUser },
+			error: null,
+		});
+		mockFindByEmail.mockResolvedValueOnce({
+			id: "existing-db-id",
+			email: "carol@example.com",
+		});
+
+		const { response, data } = await handleRequest("POST", "/api/auth/callback", {
+			body: validBody,
+		});
+
+		expect(response.status).toBe(200);
+		expect((data as Record<string, unknown>).success).toBe(true);
+		expect(mockCreate).not.toHaveBeenCalled();
+	});
+
+	it("should fall back to picture when avatar_url is absent in user_metadata", async () => {
+		const userWithPictureOnly = {
+			...mockSupabaseUser,
+			user_metadata: {
+				full_name: "Carol",
+				avatar_url: null,
+				picture: "https://cdn.example.com/carol-picture.jpg",
+			},
+		};
+
+		mockSetSession.mockResolvedValueOnce({
+			data: { session: mockSupabaseSession, user: userWithPictureOnly },
+			error: null,
+		});
+		mockFindByEmail.mockResolvedValueOnce(null);
+		mockCreate.mockResolvedValueOnce({});
+
+		const { data } = await handleRequest("POST", "/api/auth/callback", {
+			body: validBody,
+		});
+
+		const user = (data as Record<string, unknown>).user as Record<string, unknown>;
+		expect(user.avatar_url).toBe("https://cdn.example.com/carol-picture.jpg");
+	});
+
+	it("should not include avatar_url in the response when both avatar_url and picture are absent", async () => {
+		const userNoAvatar = {
+			...mockSupabaseUser,
+			user_metadata: { full_name: "Carol", avatar_url: null, picture: null },
+		};
+
+		mockSetSession.mockResolvedValueOnce({
+			data: { session: mockSupabaseSession, user: userNoAvatar },
+			error: null,
+		});
+		mockFindByEmail.mockResolvedValueOnce(null);
+		mockCreate.mockResolvedValueOnce({});
+
+		const { data } = await handleRequest("POST", "/api/auth/callback", {
+			body: validBody,
+		});
+
+		const user = (data as Record<string, unknown>).user as Record<string, unknown>;
+		expect(user).not.toHaveProperty("avatar_url");
+	});
+
+	it("should respond 500 when supabase.setSession returns an error", async () => {
+		mockSetSession.mockResolvedValueOnce({
+			data: { session: null, user: null },
+			error: new Error("Token expired"),
+		});
+
+		const { response } = await handleRequest("POST", "/api/auth/callback", {
+			body: validBody,
+		});
+
+		expect(response.status).toBe(500);
+	});
+
+	it("should respond 500 when the supabase user has no email", async () => {
+		mockSetSession.mockResolvedValueOnce({
+			data: {
+				session: mockSupabaseSession,
+				user: { ...mockSupabaseUser, email: null },
+			},
+			error: null,
+		});
+
+		const { response } = await handleRequest("POST", "/api/auth/callback", {
+			body: validBody,
+		});
+
+		expect(response.status).toBe(500);
+	});
+
+	/**
+	 * Validates the Elysia body schema (AuthCallbackSchema) rejects incomplete
+	 * payloads. Elysia returns 400 (not 422) for body validation failures.
+	 */
+	it("should respond 400 when refresh_token is missing from the request body", async () => {
+		const { response } = await handleRequest("POST", "/api/auth/callback", {
+			body: { access_token: "only-access" },
+		});
+
+		expect(response.status).toBe(400);
+	});
+
+	it("should respond 400 when the request body is empty", async () => {
+		const { response } = await handleRequest("POST", "/api/auth/callback", {
+			body: {},
+		});
+
+		expect(response.status).toBe(400);
+	});
+});
+
+// ─────────────────────────────────────────────────────────────────────────────
+
+describe("Auth Router – POST /api/auth/logout", () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+	});
+
+	it("should return 200 and success message when a session cookie is present", async () => {
+		const { response, data } = await handleRequest("POST", "/api/auth/logout", {
+			headers: { Cookie: "session=active-token" },
+		});
+
+		expect(response.status).toBe(200);
+		const res = data as Record<string, unknown>;
+		expect(res.success).toBe(true);
+		expect(res.message).toBe("Logged out successfully");
+	});
+
+	it("should return 400 when no session cookie is present", async () => {
+		const { response, data } = await handleRequest("POST", "/api/auth/logout");
+
+		expect(response.status).toBe(400);
+		expect((data as Record<string, unknown>).error).toBe("No session to logout");
+	});
+});
diff --git a/apps/backend/src/modules/auth/auth.route.ts b/apps/backend/src/modules/auth/auth.route.ts
index 1e49d63..d1aa31f 100644
--- a/apps/backend/src/modules/auth/auth.route.ts
+++ b/apps/backend/src/modules/auth/auth.route.ts
@@ -2,6 +2,7 @@ import { Elysia } from "elysia";
 import { db } from "#backend/infrastructure/db";
 import { supabase } from "#backend/infrastructure/db/supabase";
 import { UserRepository } from "#backend/modules/user/user.repository";
+import { rateLimit, rateLimitPresets } from "../../shared/middleware/rate-limit.middleware";
 import {
 	AuthCallbackSchema,
 	AuthResponseSchema,
@@ -13,14 +14,21 @@ import {
 const userRepository = new UserRepository(db);
 
 export const authRouter = new Elysia({ prefix: "/api/auth" })
+	// Apply strict rate limiting to all auth endpoints (5 requests per minute)
+	.use(
+		rateLimit({
+			...rateLimitPresets.strict,
+			message: "Too many authentication attempts. Please try again later.",
+		})
+	)
 	.get(
 		"/session",
 		async ({ cookie: { session } }) => {
-			if (!session) {
+			if (!session?.value) {
 				return { user: null };
 			}
 
-			const { data, error } = await supabase.auth.getUser(session.value);
+			const { data, error } = await supabase.auth.getUser(session.value as string);
 			if (error || !data.user) {
 				return { user: null };
 			}
@@ -109,7 +117,7 @@ export const authRouter = new Elysia({ prefix: "/api/auth" })
 	.post(
 		"/logout",
 		({ cookie: { session }, set }) => {
-			if (!session) {
+			if (!session?.value) {
 				set.status = 400;
 				return { error: "No session to logout" };
 			}
diff --git a/apps/backend/src/modules/event/event.repository.ts b/apps/backend/src/modules/event/event.repository.ts
index daa60cf..11164ea 100644
--- a/apps/backend/src/modules/event/event.repository.ts
+++ b/apps/backend/src/modules/event/event.repository.ts
@@ -11,16 +11,21 @@ class EventRepository {
 	async create(event: CreateEventDTO): Promise<EventType> {
 		try {
 			const id = uuidv4();
+			const startDate = new Date(event.startDate);
+			const endDate = new Date(event.endDate);
+
 			await this.db.insert(events).values({
 				...event,
 				id,
-				startDate: new Date(event.startDate), // Convert string to Date for database
-				endDate: new Date(event.endDate), // Convert string to Date for database
+				startDate,
+				endDate,
 			});
 
 			return {
 				...event,
 				id,
+				startDate,
+				endDate,
 			};
 		} catch (error) {
 			if (error instanceof Error) {
@@ -49,10 +54,10 @@ class EventRepository {
 
 	async update(id: string, event: UpdateEventDTO): Promise<EventType> {
 		try {
-			const updateData = {
+			const updateData: Partial<EventType> = {
 				...event,
-				...(event.startDate && { startDate: new Date(event.startDate) }), // Convert string to Date if provided
-				...(event.endDate && { endDate: new Date(event.endDate) }), // Convert string to Date if provided
+				startDate: new Date(event.startDate),
+				endDate: new Date(event.endDate),
 			};
 
 			const updated = await this.db
diff --git a/apps/backend/src/modules/event/event.route.ts b/apps/backend/src/modules/event/event.route.ts
index e473779..2dc49f5 100644
--- a/apps/backend/src/modules/event/event.route.ts
+++ b/apps/backend/src/modules/event/event.route.ts
@@ -1,6 +1,7 @@
-import { Elysia } from "elysia";
+import { Elysia, t } from "elysia";
 import { db } from "#backend/infrastructure/db";
 import { authMiddleware, optionalAuthMiddleware } from "#backend/shared/middleware/auth.middleware";
+import { rateLimit, rateLimitPresets } from "#backend/shared/middleware/rate-limit.middleware";
 import {
 	CreateEventSchema,
 	EventListResponseSchema,
@@ -8,12 +9,36 @@ import {
 	EventSchema,
 } from "#backend/shared/schemas";
 import { EventRepository } from "./event.repository";
-import { createEvent, listEvents } from "./services/crud-event.service";
+import { createEvent, getEventById, listEvents } from "./services/crud-event.service";
 
 const eventRepository = new EventRepository(db);
 
 export const eventRouter = new Elysia({ prefix: "/api/event" })
+	// Apply moderate rate limiting to event endpoints (30 requests per minute)
+	.use(
+		rateLimit({
+			...rateLimitPresets.moderate,
+			message: "Too many requests to event API. Please slow down.",
+		})
+	)
 	.use(optionalAuthMiddleware)
+	.get(
+		"/:id",
+		async ({ params, error }) => {
+			const event = await getEventById(eventRepository, params.id);
+			if (!event) {
+				return error(404, { error: "Event not found" });
+			}
+			return event;
+		},
+		{
+			params: t.Object({ id: t.String() }),
+			response: {
+				200: EventSchema,
+				404: t.Object({ error: t.String() }),
+			},
+		}
+	)
 	.get(
 		"/",
 		async ({ query }) => {
diff --git a/apps/backend/src/modules/event/services/crud-event.service.ts b/apps/backend/src/modules/event/services/crud-event.service.ts
index 6b2c7d8..f50c134 100644
--- a/apps/backend/src/modules/event/services/crud-event.service.ts
+++ b/apps/backend/src/modules/event/services/crud-event.service.ts
@@ -21,6 +21,7 @@ export async function listEvents(
 		startDate?: string;
 		endDate?: string;
 		location?: string;
+		createdBy?: string;
 	}
 ): Promise<EventType[]> {
 	// TODO implement query CRUD
@@ -44,11 +45,11 @@ export async function listEvents(
 		filtered = filtered.filter((event) =>
 			event.location.toLowerCase().includes(query.location.toLowerCase())
 		);
-		if (query?.createdBy) {
-			filtered = filtered.filter((event) =>
-				event.createdBy.toLowerCase().includes(query.createdBy.toLowerCase())
-			);
-		}
+	}
+	if (query?.createdBy) {
+		filtered = filtered.filter((event) =>
+			event.createdBy.toLowerCase().includes(query.createdBy.toLowerCase())
+		);
 	}
 	return filtered;
 }
diff --git a/apps/backend/src/shared/middleware/rate-limit.middleware.ts b/apps/backend/src/shared/middleware/rate-limit.middleware.ts
new file mode 100644
index 0000000..8c37a85
--- /dev/null
+++ b/apps/backend/src/shared/middleware/rate-limit.middleware.ts
@@ -0,0 +1,186 @@
+import { Elysia } from "elysia";
+
+interface RateLimitConfig {
+	/**
+	 * Maximum number of requests allowed within the duration window
+	 */
+	max: number;
+
+	/**
+	 * Time window in milliseconds
+	 */
+	duration: number;
+
+	/**
+	 * Optional custom key generator function
+	 * Defaults to using IP address
+	 */
+	generator?: (context: {
+		request: Request;
+		headers: Record<string, string | undefined>;
+	}) => string;
+
+	/**
+	 * Error message when rate limit is exceeded
+	 */
+	message?: string;
+
+	/**
+	 * Skip rate limiting based on custom logic
+	 */
+	skip?: (context: { request: Request }) => boolean;
+}
+
+interface RateLimitEntry {
+	count: number;
+	resetTime: number;
+}
+
+class RateLimiter {
+	private store: Map<string, RateLimitEntry> = new Map();
+	private cleanupInterval: Timer;
+
+	constructor() {
+		// Clean up expired entries every minute
+		this.cleanupInterval = setInterval(() => {
+			const now = Date.now();
+			for (const [key, entry] of this.store.entries()) {
+				if (entry.resetTime < now) {
+					this.store.delete(key);
+				}
+			}
+		}, 60000);
+	}
+
+	public check(
+		key: string,
+		max: number,
+		duration: number
+	): { allowed: boolean; remaining: number; resetTime: number } {
+		const now = Date.now();
+		const entry = this.store.get(key);
+
+		// No existing entry or entry has expired
+		if (!entry || entry.resetTime < now) {
+			const resetTime = now + duration;
+			this.store.set(key, { count: 1, resetTime });
+			return {
+				allowed: true,
+				remaining: max - 1,
+				resetTime,
+			};
+		}
+
+		// Increment count and check if limit exceeded
+		entry.count++;
+		this.store.set(key, entry);
+
+		return {
+			allowed: entry.count <= max,
+			remaining: Math.max(0, max - entry.count),
+			resetTime: entry.resetTime,
+		};
+	}
+
+	public destroy() {
+		clearInterval(this.cleanupInterval);
+		this.store.clear();
+	}
+}
+
+// Global rate limiter instance
+const rateLimiter = new RateLimiter();
+
+/**
+ * Rate limiting middleware for Elysia
+ *
+ * @example
+ * ```ts
+ * app.use(rateLimit({
+ *   max: 5,              // 5 requests
+ *   duration: 60000,     // per minute
+ * }))
+ * ```
+ */
+export function rateLimit(config: RateLimitConfig) {
+	const { max, duration, generator, message, skip } = config;
+
+	return new Elysia({ name: "rate-limit" }).onBeforeHandle(({ request, set, headers }) => {
+		// Skip rate limiting if custom skip function returns true
+		if (skip && skip({ request })) {
+			return;
+		}
+
+		// Generate unique key for this client
+		const key = generator ? generator({ request, headers }) : getClientIdentifier(request, headers);
+
+		// Check rate limit
+		const result = rateLimiter.check(key, max, duration);
+
+		// Set rate limit headers
+		set.headers["X-RateLimit-Limit"] = max.toString();
+		set.headers["X-RateLimit-Remaining"] = result.remaining.toString();
+		set.headers["X-RateLimit-Reset"] = new Date(result.resetTime).toISOString();
+
+		// If limit exceeded, return 429 Too Many Requests
+		if (!result.allowed) {
+			set.status = 429;
+			const retryAfter = Math.ceil((result.resetTime - Date.now()) / 1000);
+			set.headers["Retry-After"] = retryAfter.toString();
+
+			throw new Error(message || `Too many requests. Please try again in ${retryAfter} seconds.`);
+		}
+	});
+}
+
+/**
+ * Get client identifier from request
+ * Tries to use IP address from various headers, falls back to random identifier
+ */
+function getClientIdentifier(
+	request: Request,
+	headers: Record<string, string | undefined>
+): string {
+	// Try to get IP from common headers
+	const forwardedFor = headers["x-forwarded-for"];
+	if (forwardedFor) {
+		return forwardedFor.split(",")[0]?.trim() || "unknown";
+	}
+
+	const realIp = headers["x-real-ip"];
+	if (realIp) {
+		return realIp;
+	}
+
+	const cfConnectingIp = headers["cf-connecting-ip"];
+	if (cfConnectingIp) {
+		return cfConnectingIp;
+	}
+
+	// Fallback to URL+User-Agent combo if no IP available
+	const userAgent = headers["user-agent"] || "unknown";
+	return `${request.url}-${userAgent}`;
+}
+
+/**
+ * Predefined rate limit configurations
+ */
+export const rateLimitPresets = {
+	/**
+	 * Strict rate limit for sensitive operations (auth, password reset, etc.)
+	 * 5 requests per minute
+	 */
+	strict: { max: 5, duration: 60000 },
+
+	/**
+	 * Moderate rate limit for API endpoints
+	 * 30 requests per minute
+	 */
+	moderate: { max: 30, duration: 60000 },
+
+	/**
+	 * Relaxed rate limit for public endpoints
+	 * 100 requests per minute
+	 */
+	relaxed: { max: 100, duration: 60000 },
+};
diff --git a/apps/backend/vercel.json b/apps/backend/vercel.json
index 4d52424..9ea20dd 100644
--- a/apps/backend/vercel.json
+++ b/apps/backend/vercel.json
@@ -1,9 +1,16 @@
 {
 	"$schema": "https://openapi.vercel.sh/vercel.json",
 	"version": 2,
+	"rewrites": [
+		{
+			"source": "/(.*)",
+			"destination": "/api/index"
+		}
+	],
 	"functions": {
-		"api/index.ts": {
-			"memory": 512
+		"api/**/*.ts": {
+			"memory": 1024,
+			"maxDuration": 30
 		}
 	}
 }
diff --git a/apps/web/middleware.ts b/apps/web/middleware.ts
new file mode 100644
index 0000000..c2894d5
--- /dev/null
+++ b/apps/web/middleware.ts
@@ -0,0 +1,19 @@
+import type { NextRequest } from "next/server";
+import { updateSession } from "@/lib/supabase-middleware";
+
+export async function middleware(request: NextRequest) {
+	return await updateSession(request);
+}
+
+export const config = {
+	matcher: [
+		/*
+		 * Match all request paths except for the ones starting with:
+		 * - _next/static (static files)
+		 * - _next/image (image optimization files)
+		 * - favicon.ico (favicon file)
+		 * Feel free to modify this pattern to include more paths.
+		 */
+		"/((?!_next/static|_next/image|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
+	],
+};
diff --git a/apps/web/next.config.js b/apps/web/next.config.js
index a795986..9cae0ad 100644
--- a/apps/web/next.config.js
+++ b/apps/web/next.config.js
@@ -1,5 +1,39 @@
 /** @type {import('next').NextConfig} */
 const nextConfig = {
+	async headers() {
+		return [
+			{
+				source: "/:path*",
+				headers: [
+					{
+						key: "X-Frame-Options",
+						value: "DENY",
+					},
+					{
+						key: "X-Content-Type-Options",
+						value: "nosniff",
+					},
+					{
+						key: "X-XSS-Protection",
+						value: "1; mode=block",
+					},
+					{
+						key: "Referrer-Policy",
+						value: "strict-origin-when-cross-origin",
+					},
+					{
+						key: "Permissions-Policy",
+						value: "camera=(), microphone=(), geolocation=()",
+					},
+					{
+						key: "Content-Security-Policy",
+						value:
+							"default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' https://lh3.googleusercontent.com data:; font-src 'self' data:; connect-src 'self' https://*.supabase.co http://localhost:*;",
+					},
+				],
+			},
+		];
+	},
 	images: {
 		remotePatterns: [
 			{
diff --git a/apps/web/package.json b/apps/web/package.json
index b9a3599..70f1ea3 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -15,6 +15,8 @@
 	},
 	"dependencies": {
 		"@elysiajs/eden": "^1.3.2",
+		"@supabase/ssr": "^0.8.0",
+		"@supabase/supabase-js": "^2.97.0",
 		"@t3-oss/env-nextjs": "^0.13.7",
 		"@tailwindcss/postcss": "^4.1.11",
 		"@tanstack/react-query": "^5.83.0",
diff --git a/apps/web/src/app/auth/callback/page.tsx b/apps/web/src/app/auth/callback/page.tsx
deleted file mode 100644
index b9e97e5..0000000
--- a/apps/web/src/app/auth/callback/page.tsx
+++ /dev/null
@@ -1,5 +0,0 @@
-import { AuthCallback } from "@/modules/auth/callback/AuthCallback";
-
-export default function AuthCallbackPage() {
-	return <AuthCallback />;
-}
diff --git a/apps/web/src/app/auth/callback/route.ts b/apps/web/src/app/auth/callback/route.ts
new file mode 100644
index 0000000..e914a90
--- /dev/null
+++ b/apps/web/src/app/auth/callback/route.ts
@@ -0,0 +1,21 @@
+import { NextResponse } from "next/server";
+import { createClient } from "@/lib/supabase-server";
+
+export async function GET(request: Request) {
+	const requestUrl = new URL(request.url);
+	const code = requestUrl.searchParams.get("code");
+	const origin = requestUrl.origin;
+
+	if (code) {
+		const supabase = await createClient();
+		const { error } = await supabase.auth.exchangeCodeForSession(code);
+
+		if (error) {
+			console.error("Error exchanging code for session:", error);
+			return NextResponse.redirect(`${origin}/auth/login?error=${error.message}`);
+		}
+	}
+
+	// URL to redirect to after sign in process completes
+	return NextResponse.redirect(`${origin}/event`);
+}
diff --git a/apps/web/src/app/event/page.tsx b/apps/web/src/app/event/page.tsx
index c310e79..c58dc8b 100644
--- a/apps/web/src/app/event/page.tsx
+++ b/apps/web/src/app/event/page.tsx
@@ -1,23 +1,35 @@
 "use client";
 
-import { Clock, Menu, MoreHorizontal, Search, X } from "lucide-react";
+import {
+	Bell,
+	Check,
+	Clock,
+	Globe,
+	Lock,
+	LogOut,
+	Menu,
+	MoreHorizontal,
+	Search,
+	X,
+} from "lucide-react";
 import Image from "next/image";
-import { useParams } from "next/navigation";
+import { useParams, useRouter } from "next/navigation";
 import type React from "react";
-import { useEffect, useState } from "react";
+import { useCallback, useEffect, useRef, useState } from "react";
 import { Button } from "@/components/atoms/button";
 import { Input } from "@/components/atoms/input";
-import { getSession } from "@/lib/auth";
+import { useGetAgenda } from "@/hooks/use-get-agenda";
+import { useGetEvent } from "@/hooks/use-get-event";
+import { useSession } from "@/hooks/use-session";
+import { useSessionManager } from "@/hooks/use-session-manager";
+import { createClient } from "@/lib/supabase";
 import AgendaSection from "../../modules/event/AgendaSection";
-// Import all section components
+import ExtraSection from "../../modules/event/ExtraSection";
+import GanttSection from "../../modules/event/GanttSection";
 import OverviewSection from "../../modules/event/OverviewSection";
+import StaffSection from "../../modules/event/StaffSection";
 
-// import GanttSection from "./components/gantt-section";
-// import TeamsSection from "./components/teams-section";
-// import ExtraSection from "./components/extra-section";
-
-// Types for backend readiness
-interface Event {
+export interface EventData {
 	id: string;
 	name: string;
 	description: string;
@@ -28,126 +40,162 @@ interface Event {
 	isPublic: boolean;
 	createdAt: string;
 	updatedAt: string;
-}
-
-interface User {
-	id: string;
-	name: string;
-	email: string;
-	avatar_url?: string;
+	createdBy?: string;
 }
 
 interface NavigationItem {
 	id: string;
 	label: string;
-	component: React.ComponentType<{ eventData: Event }>;
+	component: React.ComponentType<{ eventData: EventData }>;
 	badge?: number;
 }
-// TODO: Change from static page to supabase
-// Mock event data - ready for Supabase integration
-const getEventData = (eventId: string): Event => {
-	const eventMap: Record<string, Event> = {
-		stupidhackathon9: {
-			id: "stupidhackathon9",
-			name: "Stupid Hackathon #9",
-			description: "The most ridiculous hackathon in Thailand",
-			startDate: "2025-07-26",
-			endDate: "2025-07-27",
-			location: "Bangkok, Thailand",
-			type: "hackathon",
-			isPublic: true,
-			createdAt: "2024-01-01T00:00:00Z",
-			updatedAt: "2024-01-01T00:00:00Z",
-		},
-		stupidhackathon8: {
-			id: "stupidhackathon8",
-			name: "Stupid Hackathon #8",
-			description: "Previous edition of the hackathon",
-			startDate: "2024-06-15",
-			endDate: "2024-06-17",
-			location: "Bangkok, Thailand",
-			type: "hackathon",
-			isPublic: true,
-			createdAt: "2024-01-01T00:00:00Z",
-			updatedAt: "2024-01-01T00:00:00Z",
-		},
-	};
 
-	return (
-		eventMap[eventId] || {
-			id: eventId,
-			name: "Event",
-			description: "Event description will be added here",
-			startDate: new Date().toISOString().split("T")[0] ?? "",
-			endDate: new Date(Date.now() + 86400000).toISOString().split("T")[0] ?? "",
-			location: "TBD",
-			type: "custom",
-			isPublic: true,
-			createdAt: new Date().toISOString(),
-			updatedAt: new Date().toISOString(),
-		}
-	);
+const FALLBACK_EVENT: EventData = {
+	id: "",
+	name: "Event",
+	description: "",
+	startDate: new Date().toISOString().split("T")[0] ?? "",
+	endDate: new Date(Date.now() + 86400000).toISOString().split("T")[0] ?? "",
+	location: "TBD",
+	type: "custom",
+	isPublic: true,
+	createdAt: new Date().toISOString(),
+	updatedAt: new Date().toISOString(),
 };
 
 export default function EventManagementSPA() {
 	const params = useParams();
+	const router = useRouter();
 	const eventId = params.eventId as string;
+
 	const [currentTime, setCurrentTime] = useState(new Date());
 	const [hasMounted, setHasMounted] = useState(false);
 	const [activeSection, setActiveSection] = useState("overview");
-	const [eventData] = useState<Event>(() =>
-		//setEventData
-		getEventData(eventId)
-	);
 	const [isMobileMenuOpen, setIsMobileMenuOpen] = useState(false);
-	const [user, setUser] = useState<User | null>(null);
+	const [isUserMenuOpen, setIsUserMenuOpen] = useState(false);
+	const [isNotifOpen, setIsNotifOpen] = useState(false);
+	const [isPublic, setIsPublic] = useState(true);
+	const [savedFeedback, setSavedFeedback] = useState(false);
+	const [searchQuery, setSearchQuery] = useState("");
 
-	// Navigation items - all ready for backend
-	const navigationItems: NavigationItem[] = [
-		{ id: "overview", label: "Overview", component: OverviewSection },
-		{ id: "agenda", label: "Agenda (AP)", component: AgendaSection },
-		// { id: "gantt", label: "Gantt Chart", component: GanttSection },
-		// { id: "teams", label: "Staff & Participant", component: TeamsSection },
-		// { id: "extra", label: "Extra", component: ExtraSection },
-	];
+	const userMenuRef = useRef<HTMLDivElement>(null);
+	const notifRef = useRef<HTMLDivElement>(null);
 
-	useEffect(() => {
-		setHasMounted(true);
-		const timer = setInterval(() => {
-			setCurrentTime(new Date());
-		}, 1000);
-
-		// Fetch user session
-		const fetchUser = async () => {
-			try {
-				const sessionUser = await getSession();
-				setUser(sessionUser);
-			} catch (error) {
-				console.error("Failed to fetch user session:", error);
+	const { user } = useSession();
+	const supabase = createClient();
+
+	// Fetch real event data from backend
+	const { event: backendEvent, isLoading: eventLoading } = useGetEvent(eventId);
+
+	// Build merged event data: backend fields take precedence, fall back to defaults
+	const eventData: EventData = backendEvent
+		? {
+				id: String(backendEvent.id ?? eventId),
+				name: String(backendEvent.name ?? "Event"),
+				description: String(backendEvent.description ?? ""),
+				startDate:
+					backendEvent.startDate instanceof Date
+						? ((backendEvent.startDate as Date).toISOString().split("T")[0] ?? "")
+						: (String(backendEvent.startDate ?? "").split("T")[0] ?? ""),
+				endDate:
+					backendEvent.endDate instanceof Date
+						? ((backendEvent.endDate as Date).toISOString().split("T")[0] ?? "")
+						: (String(backendEvent.endDate ?? "").split("T")[0] ?? ""),
+				location: String(backendEvent.location ?? "TBD"),
+				type: "custom",
+				isPublic,
+				createdAt: new Date().toISOString(),
+				updatedAt: new Date().toISOString(),
+				createdBy: String(backendEvent.createdBy ?? ""),
 			}
-		};
+		: { ...FALLBACK_EVENT, id: eventId, isPublic };
+
+	// Session manager for AP notation notifications
+	const { getLatestAPNotation, sessionEnds } = useSessionManager();
+	const { data: agendaData } = useGetAgenda();
 
-		fetchUser();
+	// Build notification list from late sessions
+	const notifications = sessionEnds
+		.filter((se) => se.difference > 0)
+		.sort((a, b) => b.actualEndTime.getTime() - a.actualEndTime.getTime())
+		.slice(0, 10)
+		.map((se) => {
+			const slot = (agendaData ?? []).find(
+				(s: { id: string; activity?: string }) => s.id === se.slotId
+			);
+			return {
+				id: se.slotId,
+				message: `"${slot?.activity ?? se.slotId}" ended AP+${se.difference}m late`,
+				time: se.actualEndTime,
+			};
+		});
 
+	const latestAP = hasMounted ? getLatestAPNotation() : null;
+	const unreadCount = notifications.length;
+
+	const handleSignOut = async () => {
+		await supabase.auth.signOut();
+		router.push("/auth/login");
+	};
+
+	const handleSave = useCallback(() => {
+		// Sections auto-save via mutations; this triggers visual confirmation
+		setSavedFeedback(true);
+		setTimeout(() => setSavedFeedback(false), 2000);
+	}, []);
+
+	// Close dropdowns on outside click
+	useEffect(() => {
+		function handleClickOutside(e: MouseEvent) {
+			if (userMenuRef.current && !userMenuRef.current.contains(e.target as Node)) {
+				setIsUserMenuOpen(false);
+			}
+			if (notifRef.current && !notifRef.current.contains(e.target as Node)) {
+				setIsNotifOpen(false);
+			}
+		}
+		document.addEventListener("mousedown", handleClickOutside);
+		return () => document.removeEventListener("mousedown", handleClickOutside);
+	}, []);
+
+	useEffect(() => {
+		setHasMounted(true);
+		const timer = setInterval(() => setCurrentTime(new Date()), 1000);
 		return () => clearInterval(timer);
 	}, []);
 
+	// Sync isPublic from backend when it loads (default true)
+	useEffect(() => {
+		if (backendEvent) setIsPublic(true);
+	}, [backendEvent]);
+
 	const formatTime = (date: Date) => {
-		const hours = date.getHours().toString().padStart(2, "0");
-		const minutes = date.getMinutes().toString().padStart(2, "0");
-		const seconds = date.getSeconds().toString().padStart(2, "0");
-		return `${hours}:${minutes}:${seconds}`;
+		const h = date.getHours().toString().padStart(2, "0");
+		const m = date.getMinutes().toString().padStart(2, "0");
+		const s = date.getSeconds().toString().padStart(2, "0");
+		return `${h}:${m}:${s}`;
 	};
 
+	const navigationItems: NavigationItem[] = [
+		{ id: "overview", label: "Overview", component: OverviewSection },
+		{ id: "agenda", label: "Agenda (AP)", component: AgendaSection },
+		{ id: "gantt", label: "Gantt Chart", component: GanttSection },
+		{ id: "teams", label: "Staff & Participant", component: StaffSection },
+		{ id: "extra", label: "Extra", component: ExtraSection },
+	];
+
+	// Filter navigation by search
+	const filteredNavItems = searchQuery
+		? navigationItems.filter((item) => item.label.toLowerCase().includes(searchQuery.toLowerCase()))
+		: navigationItems;
+
 	const handleSectionChange = (sectionId: string) => {
 		setActiveSection(sectionId);
-		// Ready for URL state management and analytics tracking
-		// window.history.pushState({}, '', `/${eventId}/${sectionId}`)
+		window.history.replaceState({}, "", `?section=${sectionId}`);
 	};
 
-	// Get current section component
 	const currentSection = navigationItems.find((item) => item.id === activeSection);
-	const CurrentComponent = currentSection?.component || OverviewSection;
+	const CurrentComponent = currentSection?.component ?? OverviewSection;
 
 	return (
 		<div className="h-screen bg-gray-50 flex overflow-hidden">
@@ -156,27 +204,23 @@ export default function EventManagementSPA() {
 				<div
 					className="fixed inset-0 bg-black bg-opacity-50 z-40 lg:hidden"
 					onClick={() => setIsMobileMenuOpen(false)}
-					onKeyDown={(e) => {
-						if (e.key === "Escape") {
-							setIsMobileMenuOpen(false);
-						}
-					}}
+					onKeyDown={(e) => e.key === "Escape" && setIsMobileMenuOpen(false)}
 					role="button"
 					tabIndex={0}
 					aria-label="Close mobile menu"
 				/>
 			)}
 
-			{/* Left Sidebar - Now responsive */}
+			{/* Left Sidebar */}
 			<div
 				className={`
-				${isMobileMenuOpen ? "translate-x-0" : "-translate-x-full"}
-				lg:translate-x-0 fixed lg:static inset-y-0 left-0 z-50
-				w-64 bg-white border-r border-gray-200 flex flex-col h-full
-				transition-transform duration-300 ease-in-out
-			`}
+					${isMobileMenuOpen ? "translate-x-0" : "-translate-x-full"}
+					lg:translate-x-0 fixed lg:static inset-y-0 left-0 z-50
+					w-64 bg-white border-r border-gray-200 flex flex-col h-full
+					transition-transform duration-300 ease-in-out
+				`}
 			>
-				{/* Mobile close button */}
+				{/* Mobile close */}
 				<div className="lg:hidden flex justify-end p-4">
 					<button
 						type="button"
@@ -191,7 +235,7 @@ export default function EventManagementSPA() {
 				<div className="p-4 lg:p-6 border-b border-gray-200">
 					<div className="flex items-center gap-2">
 						<div className="w-8 h-8 bg-purple-600 rounded flex items-center justify-center">
-							<span className="text-white font-bold text-sm">{"E"}</span>
+							<span className="text-white font-bold text-sm">E</span>
 						</div>
 						<span className="font-bold text-xl">Eventer</span>
 					</div>
@@ -201,24 +245,29 @@ export default function EventManagementSPA() {
 				<div className="p-4 border-b border-gray-200">
 					<div className="relative">
 						<Search className="absolute left-3 top-1/2 transform -translate-y-1/2 text-gray-400 w-4 h-4" />
-						<Input placeholder="ค้นหา" className="pl-10 bg-gray-50 border-gray-200 text-sm" />
+						<Input
+							placeholder="ค้นหาเมนู"
+							className="pl-10 bg-gray-50 border-gray-200 text-sm"
+							value={searchQuery}
+							onChange={(e) => setSearchQuery(e.target.value)}
+						/>
 					</div>
 				</div>
 
 				{/* Navigation */}
 				<div className="flex-1 p-4 overflow-y-auto">
 					<div className="space-y-2">
-						<div className="text-sm font-medium text-purple-600 bg-purple-50 px-3 py-2 rounded-lg">
-							{eventData.name}
+						<div className="text-sm font-medium text-purple-600 bg-purple-50 px-3 py-2 rounded-lg truncate">
+							{eventLoading ? "Loading..." : eventData.name}
 						</div>
 						<div className="ml-4 space-y-1">
-							{navigationItems.map((item) => (
+							{filteredNavItems.map((item) => (
 								<button
 									key={item.id}
 									type="button"
 									onClick={() => {
 										handleSectionChange(item.id);
-										setIsMobileMenuOpen(false); // Close menu on mobile after selection
+										setIsMobileMenuOpen(false);
 									}}
 									className={`w-full text-left text-sm px-3 py-2 rounded cursor-pointer transition-colors ${
 										activeSection === item.id
@@ -228,7 +277,7 @@ export default function EventManagementSPA() {
 								>
 									<div className="flex items-center justify-between">
 										<span>{item.label}</span>
-										{item.badge && (
+										{item.badge !== undefined && (
 											<span className="bg-gray-200 text-gray-700 px-2 py-0.5 rounded-full text-xs">
 												{item.badge}
 											</span>
@@ -237,41 +286,54 @@ export default function EventManagementSPA() {
 								</button>
 							))}
 						</div>
-						<div className="text-sm text-gray-600 px-3 py-2 hover:bg-gray-50 rounded cursor-pointer">
+
+						{/* Notifications entry */}
+						<button
+							type="button"
+							onClick={() => setIsNotifOpen((p) => !p)}
+							className="w-full text-left text-sm text-gray-600 px-3 py-2 hover:bg-gray-50 rounded cursor-pointer"
+						>
 							การแจ้งเตือน
-							<span className="ml-2 bg-gray-200 text-gray-700 px-2 py-0.5 rounded-full text-xs">
-								0
-							</span>
-						</div>
+							{unreadCount > 0 && (
+								<span className="ml-2 bg-orange-100 text-orange-700 px-2 py-0.5 rounded-full text-xs font-medium">
+									{unreadCount}
+								</span>
+							)}
+						</button>
+
+						{/* Latest AP notation badge */}
+						{latestAP && (
+							<div
+								className={`mx-3 px-3 py-2 rounded-lg text-xs font-medium ${
+									latestAP.isLate
+										? "bg-red-50 text-red-700 border border-red-200"
+										: "bg-green-50 text-green-700 border border-green-200"
+								}`}
+							>
+								Event running: {latestAP.notation}
+							</div>
+						)}
 					</div>
 				</div>
 
-				{/* Bottom Section - Simplified for mobile */}
+				{/* Bottom Section */}
 				<div className="p-4 border-t border-gray-200 space-y-3">
 					<div className="hidden lg:block text-sm text-gray-600">
-						<div className="flex items-center gap-2 mb-2">
-							<div className="w-4 h-4 bg-gray-300 rounded-full"></div>
+						<a
+							href="mailto:support@eventer.app"
+							className="flex items-center gap-2 mb-2 hover:text-purple-600"
+						>
+							<div className="w-4 h-4 bg-gray-300 rounded-full" />
 							<span>ติดต่อซัพพอร์ต</span>
-						</div>
-						<div className="flex items-center gap-2">
-							<div className="w-4 h-4 bg-gray-300 rounded-full"></div>
+						</a>
+						<button
+							type="button"
+							onClick={() => handleSectionChange("extra")}
+							className="flex items-center gap-2 hover:text-purple-600"
+						>
+							<div className="w-4 h-4 bg-gray-300 rounded-full" />
 							<span>ตั้งค่าการใช้งาน</span>
-						</div>
-					</div>
-
-					<div className="hidden lg:block border rounded-lg p-3 bg-slate-100">
-						<div className="text-xs font-medium mb-1 text-slate-900">Used space</div>
-						<div className="text-xs mb-2 text-slate-500">
-							Your team has used 80% of your available space. Need more?
-						</div>
-						<div className="flex gap-2">
-							<Button type="button" className="text-xs h-6 px-2">
-								Dismiss
-							</Button>
-							<Button type="button" className="text-xs h-6 px-2 bg-purple-600 hover:bg-purple-700">
-								Upgrade plan
-							</Button>
-						</div>
+						</button>
 					</div>
 
 					<div className="flex items-center gap-3">
@@ -286,28 +348,46 @@ export default function EventManagementSPA() {
 						) : (
 							<div className="w-8 h-8 bg-purple-600 rounded-full flex items-center justify-center">
 								<span className="text-white font-medium text-sm">
-									{user?.name?.charAt(0)?.toUpperCase() || "U"}
+									{user?.name?.charAt(0)?.toUpperCase() ?? "U"}
 								</span>
 							</div>
 						)}
 						<div className="flex-1 min-w-0">
-							<div className="text-sm font-medium truncate">{user?.name || "Loading..."}</div>
-							<div className="text-xs text-gray-500 truncate">{user?.email || "Loading..."}</div>
+							<div className="text-sm font-medium truncate">{user?.name ?? "Loading..."}</div>
+							<div className="text-xs text-gray-500 truncate">{user?.email ?? "Loading..."}</div>
+						</div>
+
+						<div ref={userMenuRef} className="relative hidden lg:flex">
+							<Button
+								type="button"
+								className="w-6 h-6 p-0"
+								onClick={() => setIsUserMenuOpen((p) => !p)}
+							>
+								<MoreHorizontal className="w-4 h-4" />
+							</Button>
+							{isUserMenuOpen && (
+								<div className="absolute bottom-8 right-0 w-40 bg-white border border-gray-200 rounded-lg shadow-lg py-1 z-50">
+									<button
+										type="button"
+										onClick={handleSignOut}
+										className="w-full flex items-center gap-2 px-3 py-2 text-sm text-red-600 hover:bg-red-50 transition-colors"
+									>
+										<LogOut className="w-4 h-4" />
+										Sign out
+									</button>
+								</div>
+							)}
 						</div>
-						<Button type="button" className="w-6 h-6 p-0 lg:flex hidden">
-							<MoreHorizontal className="w-4 h-4" />
-						</Button>
 					</div>
 				</div>
 			</div>
 
 			{/* Main Content Area */}
 			<div className="flex-1 flex flex-col min-w-0 h-full overflow-hidden">
-				{/* Header - Mobile responsive */}
+				{/* Header */}
 				<div className="bg-white border-b border-gray-200 px-4 lg:px-6 py-3 lg:py-4 sticky top-0 z-30 flex-shrink-0">
 					<div className="flex items-center justify-between">
 						<div className="flex items-center gap-3 min-w-0 flex-1">
-							{/* Mobile menu button */}
 							<button
 								type="button"
 								onClick={() => setIsMobileMenuOpen(true)}
@@ -320,44 +400,115 @@ export default function EventManagementSPA() {
 								<div className="hidden sm:flex items-center gap-2 text-sm text-gray-500 mb-1">
 									<button
 										type="button"
-										onClick={() => {
-											window.location.href = "/";
-										}}
+										onClick={() => router.push("/")}
 										className="hover:text-purple-600 transition-colors"
 									>
 										หน้าหลัก
 									</button>
 									<span>/</span>
-									<span className="truncate">{currentSection?.label || "Overview"}</span>
+									<span className="truncate">{currentSection?.label ?? "Overview"}</span>
 								</div>
 								<h1 className="text-lg lg:text-2xl font-bold text-gray-900 truncate">
-									{eventData.name}
+									{eventLoading ? "Loading..." : eventData.name}
 								</h1>
 								<div className="text-xs lg:text-sm text-gray-500 flex items-center gap-1 mt-1">
 									<Clock className="w-3 h-3 flex-shrink-0" />
 									<span>{hasMounted ? formatTime(currentTime) : "--:--:--"}</span>
+									{latestAP && (
+										<span
+											className={`ml-2 px-1.5 py-0.5 rounded text-xs font-mono font-semibold ${
+												latestAP.isLate ? "bg-red-100 text-red-700" : "bg-green-100 text-green-700"
+											}`}
+										>
+											{latestAP.notation}
+										</span>
+									)}
 								</div>
 							</div>
 						</div>
 
 						<div className="flex items-center gap-2 lg:gap-3 flex-shrink-0">
+							{/* Notifications bell */}
+							<div ref={notifRef} className="relative">
+								<button
+									type="button"
+									onClick={() => setIsNotifOpen((p) => !p)}
+									className="relative p-2 rounded-md text-gray-500 hover:bg-gray-100 transition-colors"
+									aria-label="Notifications"
+								>
+									<Bell className="w-5 h-5" />
+									{unreadCount > 0 && (
+										<span className="absolute top-1 right-1 w-4 h-4 bg-red-500 text-white text-xs rounded-full flex items-center justify-center font-medium">
+											{unreadCount > 9 ? "9+" : unreadCount}
+										</span>
+									)}
+								</button>
+
+								{isNotifOpen && (
+									<div className="absolute top-10 right-0 w-80 bg-white border border-gray-200 rounded-xl shadow-lg z-50 overflow-hidden">
+										<div className="px-4 py-3 border-b border-gray-100 flex items-center justify-between">
+											<span className="font-semibold text-sm">การแจ้งเตือน</span>
+											{unreadCount > 0 && (
+												<span className="text-xs text-gray-500">{unreadCount} รายการ</span>
+											)}
+										</div>
+										<div className="max-h-64 overflow-y-auto">
+											{notifications.length === 0 ? (
+												<div className="px-4 py-6 text-center text-sm text-gray-400">
+													ไม่มีการแจ้งเตือน
+												</div>
+											) : (
+												notifications.map((n) => (
+													<div
+														key={n.id}
+														className="px-4 py-3 border-b border-gray-50 hover:bg-gray-50 text-sm"
+													>
+														<p className="text-gray-800">{n.message}</p>
+														<p className="text-xs text-gray-400 mt-1">
+															{n.time.toLocaleTimeString("th-TH")}
+														</p>
+													</div>
+												))
+											)}
+										</div>
+									</div>
+								)}
+							</div>
+
+							{/* Save button */}
 							<Button
 								type="button"
 								size="sm"
-								className="hidden sm:flex text-gray-700 bg-transparent border-gray-100"
+								onClick={handleSave}
+								className="hidden sm:flex items-center gap-1 text-gray-700 bg-transparent border border-gray-200 hover:bg-gray-50"
 							>
-								Save
+								{savedFeedback ? (
+									<>
+										<Check className="w-3 h-3 text-green-600" />
+										<span className="text-green-600">Saved</span>
+									</>
+								) : (
+									"Save"
+								)}
 							</Button>
+
+							{/* Public / Private toggle */}
 							<Button
 								type="button"
 								size="sm"
-								className="bg-orange-500 hover:bg-orange-600 text-white rounded-xl lg:rounded-2xl px-3 lg:px-8 py-1 lg:py-2 text-xs lg:text-sm font-medium transition-colors duration-200"
+								onClick={() => setIsPublic((p) => !p)}
+								className={`rounded-xl lg:rounded-2xl px-3 lg:px-5 py-1 lg:py-2 text-xs lg:text-sm font-medium transition-colors duration-200 flex items-center gap-1.5 ${
+									isPublic
+										? "bg-orange-500 hover:bg-orange-600 text-white"
+										: "bg-gray-700 hover:bg-gray-800 text-white"
+								}`}
 							>
-								<div className="w-3 h-3 lg:w-4 lg:h-4 mr-1 lg:mr-2 bg-white rounded-full flex-shrink-0"></div>
-								<span className="hidden sm:inline">
-									{eventData.isPublic ? "Public" : "Private"}
-								</span>
-								<span className="sm:hidden">{eventData.isPublic ? "Pub" : "Prv"}</span>
+								{isPublic ? (
+									<Globe className="w-3 h-3 lg:w-4 lg:h-4" />
+								) : (
+									<Lock className="w-3 h-3 lg:w-4 lg:h-4" />
+								)}
+								<span className="hidden sm:inline">{isPublic ? "Public" : "Private"}</span>
 							</Button>
 						</div>
 					</div>
diff --git a/apps/web/src/config/link.ts b/apps/web/src/config/link.ts
index 5ab03c1..1e6a77b 100644
--- a/apps/web/src/config/link.ts
+++ b/apps/web/src/config/link.ts
@@ -18,9 +18,9 @@ const getAppUrl = () => {
 // Generate the sign-in link dynamically at runtime
 export const getSignInLink = () => {
 	const redirectUri = encodeURIComponent(`${getAppUrl()}/auth/callback`);
-	return `https://qtrkroiyvtnwdpjscyvp.supabase.co/auth/v1/authorize?provider=google&redirect_to=${redirectUri}&scopes=email%20profile`;
+	return `${env.NEXT_PUBLIC_SUPABASE_URL}/auth/v1/authorize?provider=google&redirect_to=${redirectUri}&scopes=email%20profile`;
 };
 
 // For backward compatibility, but this will use build-time URL
 const REDIRDCT_URI = encodeURIComponent(`${getAppUrl()}/auth/callback`);
-export const SIGN_IN_LINK = `https://qtrkroiyvtnwdpjscyvp.supabase.co/auth/v1/authorize?provider=google&redirect_to=${REDIRDCT_URI}&scopes=email%20profile`;
+export const SIGN_IN_LINK = `${env.NEXT_PUBLIC_SUPABASE_URL}/auth/v1/authorize?provider=google&redirect_to=${REDIRDCT_URI}&scopes=email%20profile`;
diff --git a/apps/web/src/env.ts b/apps/web/src/env.ts
index b8b09f5..ff4385c 100644
--- a/apps/web/src/env.ts
+++ b/apps/web/src/env.ts
@@ -16,6 +16,8 @@ export const env = createEnv({
 	client: {
 		NEXT_PUBLIC_APP_URL: z.string().url().optional(),
 		NEXT_PUBLIC_BACKEND_URL: z.string().url().optional(),
+		NEXT_PUBLIC_SUPABASE_URL: z.string().url(),
+		NEXT_PUBLIC_SUPABASE_ANON_KEY: z.string().min(1),
 	},
 	/*
 	 * Due to how Next.js bundles environment variables on Edge and Client,
@@ -26,5 +28,7 @@ export const env = createEnv({
 	runtimeEnv: {
 		NEXT_PUBLIC_APP_URL: process.env.NEXT_PUBLIC_APP_URL,
 		NEXT_PUBLIC_BACKEND_URL: process.env.NEXT_PUBLIC_BACKEND_URL,
+		NEXT_PUBLIC_SUPABASE_URL: process.env.NEXT_PUBLIC_SUPABASE_URL,
+		NEXT_PUBLIC_SUPABASE_ANON_KEY: process.env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
 	},
 });
diff --git a/apps/web/src/hooks/mutations/use-auth-callback.ts b/apps/web/src/hooks/mutations/use-auth-callback.ts
index 7ffd074..b1e7809 100644
--- a/apps/web/src/hooks/mutations/use-auth-callback.ts
+++ b/apps/web/src/hooks/mutations/use-auth-callback.ts
@@ -1,19 +1,28 @@
 import { useMutation } from "@tanstack/react-query";
-import { authHeaders } from "@/config/header";
 import { client } from "@/lib/client";
 
 export function useAuthCallbackMutation() {
 	return useMutation({
 		mutationKey: ["auth-callback"],
 		mutationFn: async (params: { access_token: string; refresh_token: string }) => {
-			const response = await client.api.auth.callback.post(params, {
-				headers: {
-					...authHeaders,
-				},
+			console.log("Sending auth callback with params:", {
+				access_token: params.access_token.substring(0, 20) + "...",
+				refresh_token: params.refresh_token.substring(0, 20) + "...",
+			});
+
+			const response = await client.api.auth.callback.post(params);
+
+			console.log("Auth callback response:", {
+				status: response.status,
+				data: response.data,
+				error: response.error,
 			});
 
 			if (response.status !== 200) {
-				throw new Error("Authentication failed");
+				const errorMessage = response.error?.value
+					? JSON.stringify(response.error.value)
+					: "Authentication failed";
+				throw new Error(errorMessage);
 			}
 
 			return response.data;
diff --git a/apps/web/src/hooks/mutations/use-log-out.ts b/apps/web/src/hooks/mutations/use-log-out.ts
index 7ba281f..b56f369 100644
--- a/apps/web/src/hooks/mutations/use-log-out.ts
+++ b/apps/web/src/hooks/mutations/use-log-out.ts
@@ -1,7 +1,6 @@
 "use client";
 import { useMutation } from "@tanstack/react-query";
 import { useRouter } from "next/navigation";
-import { authHeaders } from "@/config/header";
 import { client } from "@/lib/client";
 
 export function useLogOutMutation() {
@@ -10,14 +9,7 @@ export function useLogOutMutation() {
 	return useMutation({
 		mutationKey: ["logout"],
 		mutationFn: async () => {
-			const response = await client.api.auth.logout.post(
-				{},
-				{
-					headers: {
-						...authHeaders,
-					},
-				}
-			);
+			const response = await client.api.auth.logout.post({});
 
 			if (response.status !== 200) {
 				throw new Error("Logout failed");
diff --git a/apps/web/src/hooks/use-get-event.ts b/apps/web/src/hooks/use-get-event.ts
new file mode 100644
index 0000000..0f72635
--- /dev/null
+++ b/apps/web/src/hooks/use-get-event.ts
@@ -0,0 +1,19 @@
+import { useQuery } from "@tanstack/react-query";
+import { client } from "@/lib/client";
+
+export function useGetEvent(eventId: string | undefined) {
+	const { data, isLoading, error } = useQuery({
+		queryKey: ["event", eventId],
+		// Eden Treaty dynamic route: GET /api/event/:id
+		// eslint-disable-next-line @typescript-eslint/no-explicit-any
+		queryFn: () => (client.api.event as any)[eventId!].get() as Promise<{ data: unknown }>,
+		enabled: !!eventId,
+	});
+
+	return {
+		// biome-ignore lint/suspicious/noExplicitAny: treaty dynamic route typing
+		event: (data as any)?.data as Record<string, unknown> | null | undefined,
+		isLoading,
+		error,
+	};
+}
diff --git a/apps/web/src/hooks/use-rate-limit.test.ts b/apps/web/src/hooks/use-rate-limit.test.ts
new file mode 100644
index 0000000..b024b3c
--- /dev/null
+++ b/apps/web/src/hooks/use-rate-limit.test.ts
@@ -0,0 +1,289 @@
+/**
+ * Unit tests for useRateLimit hook
+ *
+ * Covers:
+ *  - Allows actions under the limit
+ *  - Blocks actions once the limit is reached
+ *  - Correct remaining / resetIn state updates
+ *  - onLimitExceeded callback is invoked with the correct remaining time
+ *  - State resets automatically after the window expires
+ *  - Manual reset via the returned reset() function
+ *  - Cleanup: no state updates after the component unmounts
+ */
+import { act, renderHook } from "@testing-library/react";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { useRateLimit } from "./use-rate-limit";
+
+describe("useRateLimit", () => {
+	beforeEach(() => {
+		vi.useFakeTimers();
+	});
+
+	afterEach(() => {
+		vi.useRealTimers();
+		vi.clearAllMocks();
+	});
+
+	// ── Allowing actions ───────────────────────────────────────────────────
+
+	it("allows the first action and decrements remaining by 1", async () => {
+		const { result } = renderHook(() => useRateLimit({ maxAttempts: 3, windowMs: 60_000 }));
+
+		expect(result.current.isAllowed).toBe(true);
+		expect(result.current.remaining).toBe(3);
+
+		await act(async () => {
+			await result.current.execute(() => "ok");
+		});
+
+		expect(result.current.remaining).toBe(2);
+		expect(result.current.isAllowed).toBe(true);
+	});
+
+	it("returns { success: true, result } for allowed actions", async () => {
+		const { result } = renderHook(() => useRateLimit({ maxAttempts: 5, windowMs: 60_000 }));
+
+		let outcome: { success: boolean; result?: string } | undefined;
+
+		await act(async () => {
+			outcome = await result.current.execute(() => "action-result");
+		});
+
+		expect(outcome).toEqual({ success: true, result: "action-result" });
+	});
+
+	it("executes all attempts up to the limit", async () => {
+		const maxAttempts = 3;
+		const { result } = renderHook(() => useRateLimit({ maxAttempts, windowMs: 60_000 }));
+
+		for (let i = 0; i < maxAttempts; i++) {
+			// eslint-disable-next-line no-await-in-loop
+			await act(async () => {
+				const outcome = await result.current.execute(() => "ok");
+				expect(outcome.success).toBe(true);
+			});
+		}
+
+		expect(result.current.remaining).toBe(0);
+	});
+
+	// ── Blocking actions ───────────────────────────────────────────────────
+
+	it("blocks the action once the limit is exceeded and returns { success: false }", async () => {
+		const { result } = renderHook(() => useRateLimit({ maxAttempts: 2, windowMs: 60_000 }));
+
+		// Exhaust the limit
+		await act(async () => {
+			await result.current.execute(() => "first");
+			await result.current.execute(() => "second");
+		});
+
+		let outcome: { success: boolean; result?: string } | undefined;
+
+		await act(async () => {
+			outcome = await result.current.execute(() => "should-be-blocked");
+		});
+
+		expect(outcome?.success).toBe(false);
+		expect(outcome?.result).toBeUndefined();
+	});
+
+	it("sets isAllowed to false and remaining to 0 when rate limited", async () => {
+		const { result } = renderHook(() => useRateLimit({ maxAttempts: 1, windowMs: 60_000 }));
+
+		await act(async () => {
+			await result.current.execute(() => "first"); // consumes the only slot
+		});
+
+		await act(async () => {
+			await result.current.execute(() => "blocked");
+		});
+
+		expect(result.current.isAllowed).toBe(false);
+		expect(result.current.remaining).toBe(0);
+	});
+
+	it("does not execute the blocked action's callback", async () => {
+		const action = vi.fn();
+
+		const { result } = renderHook(() => useRateLimit({ maxAttempts: 1, windowMs: 60_000 }));
+
+		await act(async () => {
+			await result.current.execute(action); // allowed
+		});
+
+		await act(async () => {
+			await result.current.execute(action); // blocked
+		});
+
+		expect(action).toHaveBeenCalledTimes(1);
+	});
+
+	// ── onLimitExceeded callback ───────────────────────────────────────────
+
+	it("calls onLimitExceeded with a positive resetIn seconds value when blocked", async () => {
+		const onLimitExceeded = vi.fn();
+
+		const { result } = renderHook(() =>
+			useRateLimit({ maxAttempts: 1, windowMs: 30_000, onLimitExceeded })
+		);
+
+		// Use first attempt
+		await act(async () => {
+			await result.current.execute(() => "ok");
+		});
+
+		// Trigger rate limit
+		await act(async () => {
+			await result.current.execute(() => "blocked");
+		});
+
+		expect(onLimitExceeded).toHaveBeenCalledOnce();
+		const [resetIn] = onLimitExceeded.mock.calls[0] as [number];
+		expect(resetIn).toBeGreaterThan(0);
+		expect(resetIn).toBeLessThanOrEqual(30); // window is 30 s
+	});
+
+	it("provides a resetIn value (in seconds) that reflects the remaining window time", async () => {
+		const onLimitExceeded = vi.fn();
+
+		const { result } = renderHook(() =>
+			useRateLimit({ maxAttempts: 1, windowMs: 60_000, onLimitExceeded })
+		);
+
+		await act(async () => {
+			await result.current.execute(() => "ok");
+		});
+
+		// Advance 20 seconds into the window
+		act(() => {
+			vi.advanceTimersByTime(20_000);
+		});
+
+		await act(async () => {
+			await result.current.execute(() => "blocked");
+		});
+
+		const [resetIn] = onLimitExceeded.mock.calls[0] as [number];
+		// ~40 s remain; allow ±2 s for implementation rounding
+		expect(resetIn).toBeGreaterThanOrEqual(38);
+		expect(resetIn).toBeLessThanOrEqual(41);
+	});
+
+	// ── Auto-reset after the window ────────────────────────────────────────
+
+	it("allows actions again after the rate-limit window expires", async () => {
+		const windowMs = 5_000;
+
+		const { result } = renderHook(() => useRateLimit({ maxAttempts: 1, windowMs }));
+
+		// Exhaust the limit
+		await act(async () => {
+			await result.current.execute(() => "first");
+		});
+
+		await act(async () => {
+			await result.current.execute(() => "blocked");
+		});
+
+		expect(result.current.isAllowed).toBe(false);
+
+		// Advance past the window + the resetTimerRef timeout
+		act(() => {
+			vi.advanceTimersByTime(windowMs + 100);
+		});
+
+		// State is updated by the internal timer; trigger an execute to confirm
+		await act(async () => {
+			const outcome = await result.current.execute(() => "allowed-again");
+			expect(outcome.success).toBe(true);
+		});
+	});
+
+	// ── Manual reset ───────────────────────────────────────────────────────
+
+	it("restores full remaining and isAllowed=true after calling reset()", async () => {
+		const maxAttempts = 3;
+		const { result } = renderHook(() => useRateLimit({ maxAttempts, windowMs: 60_000 }));
+
+		// Use all attempts
+		await act(async () => {
+			for (let i = 0; i < maxAttempts; i++) {
+				await result.current.execute(() => "ok");
+			}
+		});
+
+		expect(result.current.remaining).toBe(0);
+
+		act(() => {
+			result.current.reset();
+		});
+
+		expect(result.current.isAllowed).toBe(true);
+		expect(result.current.remaining).toBe(maxAttempts);
+		expect(result.current.resetIn).toBe(0);
+	});
+
+	it("allows a new action immediately after manual reset even if the window has not expired", async () => {
+		const { result } = renderHook(() => useRateLimit({ maxAttempts: 1, windowMs: 60_000 }));
+
+		await act(async () => {
+			await result.current.execute(() => "first"); // consumes slot
+		});
+
+		act(() => {
+			result.current.reset();
+		});
+
+		await act(async () => {
+			const outcome = await result.current.execute(() => "post-reset");
+			expect(outcome.success).toBe(true);
+		});
+	});
+
+	// ── Edge cases ─────────────────────────────────────────────────────────
+
+	it("propagates exceptions thrown by the action function", async () => {
+		const { result } = renderHook(() => useRateLimit({ maxAttempts: 5, windowMs: 60_000 }));
+
+		await expect(
+			act(async () => {
+				await result.current.execute(() => {
+					throw new Error("Action failed");
+				});
+			})
+		).rejects.toThrow("Action failed");
+	});
+
+	it("handles async action functions correctly", async () => {
+		const { result } = renderHook(() => useRateLimit({ maxAttempts: 5, windowMs: 60_000 }));
+
+		const asyncAction = vi.fn().mockResolvedValue("async-result");
+
+		let outcome: { success: boolean; result?: string } | undefined;
+
+		await act(async () => {
+			outcome = await result.current.execute(asyncAction);
+		});
+
+		expect(outcome).toEqual({ success: true, result: "async-result" });
+		expect(asyncAction).toHaveBeenCalledOnce();
+	});
+
+	it("tracks attempts correctly across multiple rapid consecutive calls", async () => {
+		const maxAttempts = 3;
+		const { result } = renderHook(() => useRateLimit({ maxAttempts, windowMs: 60_000 }));
+
+		const results: boolean[] = [];
+
+		await act(async () => {
+			for (let i = 0; i < 5; i++) {
+				const { success } = await result.current.execute(() => "ok");
+				results.push(success);
+			}
+		});
+
+		// First 3 succeed, next 2 are blocked
+		expect(results).toEqual([true, true, true, false, false]);
+	});
+});
diff --git a/apps/web/src/hooks/use-rate-limit.ts b/apps/web/src/hooks/use-rate-limit.ts
new file mode 100644
index 0000000..b08c9ee
--- /dev/null
+++ b/apps/web/src/hooks/use-rate-limit.ts
@@ -0,0 +1,181 @@
+import { useCallback, useEffect, useRef, useState } from "react";
+
+interface RateLimitConfig {
+	/**
+	 * Maximum number of allowed actions within the time window
+	 */
+	maxAttempts: number;
+
+	/**
+	 * Time window in milliseconds
+	 */
+	windowMs: number;
+
+	/**
+	 * Optional callback when rate limit is exceeded
+	 */
+	onLimitExceeded?: (remainingTime: number) => void;
+}
+
+interface RateLimitState {
+	/**
+	 * Whether an action is currently allowed
+	 */
+	isAllowed: boolean;
+
+	/**
+	 * Number of remaining attempts
+	 */
+	remaining: number;
+
+	/**
+	 * Time until the rate limit resets (in seconds)
+	 */
+	resetIn: number;
+
+	/**
+	 * Execute an action with rate limiting
+	 * Returns true if the action was allowed, false if rate limited
+	 */
+	execute: <T>(action: () => T | Promise<T>) => Promise<{ success: boolean; result?: T }>;
+
+	/**
+	 * Reset the rate limiter
+	 */
+	reset: () => void;
+}
+
+/**
+ * Hook for client-side rate limiting
+ * Prevents users from performing actions too frequently
+ *
+ * @example
+ * ```tsx
+ * const { isAllowed, remaining, resetIn, execute } = useRateLimit({
+ *   maxAttempts: 5,
+ *   windowMs: 60000, // 1 minute
+ *   onLimitExceeded: (resetIn) => {
+ *     toast.error(`Too many attempts. Please wait ${resetIn} seconds.`);
+ *   }
+ * });
+ *
+ * const handleLogin = async () => {
+ *   const { success, result } = await execute(() => loginApi());
+ *   if (!success) {
+ *     console.log("Rate limited");
+ *   }
+ * };
+ * ```
+ */
+export function useRateLimit(config: RateLimitConfig): RateLimitState {
+	const { maxAttempts, windowMs, onLimitExceeded } = config;
+
+	const [isAllowed, setIsAllowed] = useState(true);
+	const [remaining, setRemaining] = useState(maxAttempts);
+	const [resetIn, setResetIn] = useState(0);
+
+	const attemptsRef = useRef<number[]>([]);
+	const resetTimerRef = useRef<NodeJS.Timeout | null>(null);
+
+	const updateState = useCallback(() => {
+		const now = Date.now();
+		const windowStart = now - windowMs;
+
+		// Remove attempts outside the current window
+		attemptsRef.current = attemptsRef.current.filter((timestamp) => timestamp > windowStart);
+
+		const currentAttempts = attemptsRef.current.length;
+		const newRemaining = Math.max(0, maxAttempts - currentAttempts);
+		const allowed = currentAttempts < maxAttempts;
+
+		setRemaining(newRemaining);
+		setIsAllowed(allowed);
+
+		if (!allowed && attemptsRef.current.length > 0) {
+			const oldestAttempt = attemptsRef.current[0];
+			if (oldestAttempt !== undefined) {
+				const resetTime = Math.ceil((oldestAttempt + windowMs - now) / 1000);
+				setResetIn(resetTime);
+			}
+		} else {
+			setResetIn(0);
+		}
+	}, [maxAttempts, windowMs]);
+
+	const execute = useCallback(
+		async <T>(action: () => T | Promise<T>): Promise<{ success: boolean; result?: T }> => {
+			const now = Date.now();
+			const windowStart = now - windowMs;
+
+			// Clean up old attempts
+			attemptsRef.current = attemptsRef.current.filter((timestamp) => timestamp > windowStart);
+
+			// Check if rate limit exceeded
+			if (attemptsRef.current.length >= maxAttempts) {
+				const oldestAttempt = attemptsRef.current[0];
+				const resetTime =
+					oldestAttempt !== undefined ? Math.ceil((oldestAttempt + windowMs - now) / 1000) : 60; // Default to 60 seconds if undefined
+
+				setIsAllowed(false);
+				setResetIn(resetTime);
+				setRemaining(0);
+
+				if (onLimitExceeded) {
+					onLimitExceeded(resetTime);
+				}
+
+				// Set up automatic state update when rate limit resets
+				if (resetTimerRef.current) {
+					clearTimeout(resetTimerRef.current);
+				}
+				resetTimerRef.current = setTimeout(() => {
+					updateState();
+				}, resetTime * 1000);
+
+				return { success: false };
+			}
+
+			// Record this attempt
+			attemptsRef.current.push(now);
+			updateState();
+
+			// Execute the action
+			try {
+				const result = await Promise.resolve(action());
+				return { success: true, result };
+			} catch (error) {
+				throw error;
+			}
+		},
+		[maxAttempts, windowMs, onLimitExceeded, updateState]
+	);
+
+	const reset = useCallback(() => {
+		attemptsRef.current = [];
+		setIsAllowed(true);
+		setRemaining(maxAttempts);
+		setResetIn(0);
+
+		if (resetTimerRef.current) {
+			clearTimeout(resetTimerRef.current);
+			resetTimerRef.current = null;
+		}
+	}, [maxAttempts]);
+
+	// Cleanup timer on unmount
+	useEffect(() => {
+		return () => {
+			if (resetTimerRef.current) {
+				clearTimeout(resetTimerRef.current);
+			}
+		};
+	}, []);
+
+	return {
+		isAllowed,
+		remaining,
+		resetIn,
+		execute,
+		reset,
+	};
+}
diff --git a/apps/web/src/hooks/use-session.ts b/apps/web/src/hooks/use-session.ts
index 6fb36fa..128e11b 100644
--- a/apps/web/src/hooks/use-session.ts
+++ b/apps/web/src/hooks/use-session.ts
@@ -1,31 +1,61 @@
 "use client";
 
-import { useQuery } from "@tanstack/react-query";
-import { authHeaders } from "@/config/header";
-import { client } from "@/lib/client";
+import type { User } from "@supabase/supabase-js";
+import { useCallback, useEffect, useState } from "react";
+import { createClient } from "@/lib/supabase";
+
+interface UserInfo {
+	id: string;
+	email: string;
+	name: string;
+	avatar_url?: string;
+}
+
+function mapUser(supabaseUser: User | null): UserInfo | null {
+	if (!supabaseUser) return null;
+	return {
+		id: supabaseUser.id,
+		email: supabaseUser.email ?? "",
+		name:
+			supabaseUser.user_metadata.full_name ??
+			supabaseUser.user_metadata.name ??
+			supabaseUser.email ??
+			"",
+		avatar_url:
+			supabaseUser.user_metadata.avatar_url ?? supabaseUser.user_metadata.picture ?? undefined,
+	};
+}
 
 export function useSession() {
-	const {
-		data: user,
-		isLoading,
-		error,
-		refetch,
-	} = useQuery({
-		queryKey: ["session"],
-		queryFn: async () => {
-			const response = await client.api.auth.session.get({
-				headers: {
-					...authHeaders,
-				},
-			});
-
-			if (!(response.status === 200)) {
-				throw new Error("Failed to fetch session");
-			}
-
-			return response?.data?.user;
-		},
-	});
-
-	return { user, isLoading, error, refetch };
+	const [user, setUser] = useState<UserInfo | null | undefined>(undefined);
+	const [isLoading, setIsLoading] = useState(true);
+
+	const supabase = createClient();
+
+	const refetch = useCallback(async () => {
+		const {
+			data: { user: supabaseUser },
+		} = await supabase.auth.getUser();
+		setUser(mapUser(supabaseUser));
+	}, [supabase]);
+
+	useEffect(() => {
+		// Get the initial session on mount
+		supabase.auth.getUser().then(({ data: { user: supabaseUser } }) => {
+			setUser(mapUser(supabaseUser));
+			setIsLoading(false);
+		});
+
+		// Keep state in sync with Supabase auth events (sign-in, sign-out, token refresh)
+		const {
+			data: { subscription },
+		} = supabase.auth.onAuthStateChange((_event, session) => {
+			setUser(mapUser(session?.user ?? null));
+			setIsLoading(false);
+		});
+
+		return () => subscription.unsubscribe();
+	}, [supabase]);
+
+	return { user, isLoading, refetch };
 }
diff --git a/apps/web/src/lib/auth.ts b/apps/web/src/lib/auth.ts
index 5b45794..3d3fc06 100644
--- a/apps/web/src/lib/auth.ts
+++ b/apps/web/src/lib/auth.ts
@@ -1,28 +1,26 @@
 "use server";
-import { authHeaders } from "@/config/header";
-import { env } from "@/env";
-import { client } from "./client";
+import { createClient } from "@/lib/supabase-server";
 
 export async function getSession() {
-	// If backend URL points to localhost, return null (not available in production)
-	if (!env.NEXT_PUBLIC_BACKEND_URL || env.NEXT_PUBLIC_BACKEND_URL.includes("localhost")) {
-		return null;
-	}
-
 	try {
-		const res = await client.api.auth.session.get({
-			headers: {
-				...authHeaders,
-			},
-		});
+		const supabase = await createClient();
+		const {
+			data: { user },
+			error,
+		} = await supabase.auth.getUser();
 
-		if (res.status !== 200) {
+		if (error || !user) {
 			return null;
 		}
 
-		return res?.data?.user;
-	} catch {
-		// Silent error handling during build to prevent Vercel build failures
+		return {
+			id: user.id,
+			email: user.email ?? "",
+			name: user.user_metadata.full_name ?? user.user_metadata.name ?? user.email ?? "",
+			avatar_url: user.user_metadata.avatar_url ?? user.user_metadata.picture ?? undefined,
+		};
+	} catch (error) {
+		console.error("Session check failed:", error);
 		return null;
 	}
 }
diff --git a/apps/web/src/lib/client.ts b/apps/web/src/lib/client.ts
index ca0340f..c9f1ca4 100644
--- a/apps/web/src/lib/client.ts
+++ b/apps/web/src/lib/client.ts
@@ -21,15 +21,16 @@ const getBackendUrl = () => {
 };
 
 export const client = treaty<AppType>(getBackendUrl(), {
-	fetcher: (input, init) =>
-		fetch(input, {
+	fetcher: (input, init) => {
+		// Let Eden Treaty handle Content-Type automatically
+		const headers = new Headers(init?.headers);
+		headers.set("X-Custom-Header", "betich");
+		headers.set("Referrer-Policy", "origin-when-cross-origin");
+
+		return fetch(input, {
 			...init,
 			credentials: "include", // ✅ Send cookies
-			headers: {
-				...init?.headers,
-				"Content-Type": "application/json", // Ensure JSON content type
-				"X-Custom-Header": "betich", // Example of adding a custom header
-				"Referrer-Policy": "origin-when-cross-origin", // Set referrer policy
-			},
-		}),
+			headers,
+		});
+	},
 });
diff --git a/apps/web/src/lib/supabase-middleware.ts b/apps/web/src/lib/supabase-middleware.ts
new file mode 100644
index 0000000..ea71a50
--- /dev/null
+++ b/apps/web/src/lib/supabase-middleware.ts
@@ -0,0 +1,55 @@
+import { createServerClient } from "@supabase/ssr";
+import { type NextRequest, NextResponse } from "next/server";
+import { env } from "@/env";
+
+export async function updateSession(request: NextRequest) {
+	let supabaseResponse = NextResponse.next({
+		request,
+	});
+
+	const supabase = createServerClient(
+		env.NEXT_PUBLIC_SUPABASE_URL,
+		env.NEXT_PUBLIC_SUPABASE_ANON_KEY,
+		{
+			cookies: {
+				getAll() {
+					return request.cookies.getAll();
+				},
+				setAll(cookiesToSet) {
+					for (const { name, value } of cookiesToSet) {
+						request.cookies.set(name, value);
+					}
+					supabaseResponse = NextResponse.next({
+						request,
+					});
+					for (const { name, value, options } of cookiesToSet) {
+						supabaseResponse.cookies.set(name, value, options);
+					}
+				},
+			},
+		}
+	);
+
+	// IMPORTANT: Avoid writing any logic between createServerClient and
+	// supabase.auth.getUser(). A simple mistake could make it very hard to debug
+	// issues with users being randomly logged out.
+
+	const {
+		data: { user },
+	} = await supabase.auth.getUser();
+
+	// IMPORTANT: You *must* return the supabaseResponse object as it is. If you're
+	// creating a new response object with NextResponse.next() make sure to:
+	// 1. Pass the request in it, like so:
+	//    const myNewResponse = NextResponse.next({ request })
+	// 2. Copy over the cookies, like so:
+	//    myNewResponse.cookies.setAll(supabaseResponse.cookies.getAll())
+	// 3. Change the myNewResponse object to fit your needs, but avoid changing
+	//    the cookies!
+	// 4. Finally:
+	//    return myNewResponse
+	// If this is not done, you may be causing the browser and server to go out
+	// of sync and terminate the user's session prematurely!
+
+	return supabaseResponse;
+}
diff --git a/apps/web/src/lib/supabase-server.ts b/apps/web/src/lib/supabase-server.ts
new file mode 100644
index 0000000..1d0946a
--- /dev/null
+++ b/apps/web/src/lib/supabase-server.ts
@@ -0,0 +1,26 @@
+import { createServerClient } from "@supabase/ssr";
+import { cookies } from "next/headers";
+import { env } from "@/env";
+
+export async function createClient() {
+	const cookieStore = await cookies();
+
+	return createServerClient(env.NEXT_PUBLIC_SUPABASE_URL, env.NEXT_PUBLIC_SUPABASE_ANON_KEY, {
+		cookies: {
+			getAll() {
+				return cookieStore.getAll();
+			},
+			setAll(cookiesToSet) {
+				try {
+					for (const { name, value, options } of cookiesToSet) {
+						cookieStore.set(name, value, options);
+					}
+				} catch (error) {
+					// The `setAll` method was called from a Server Component.
+					// This can be ignored if you have middleware refreshing
+					// user sessions.
+				}
+			},
+		},
+	});
+}
diff --git a/apps/web/src/lib/supabase.ts b/apps/web/src/lib/supabase.ts
new file mode 100644
index 0000000..8641ba6
--- /dev/null
+++ b/apps/web/src/lib/supabase.ts
@@ -0,0 +1,6 @@
+import { createBrowserClient } from "@supabase/ssr";
+import { env } from "@/env";
+
+export function createClient() {
+	return createBrowserClient(env.NEXT_PUBLIC_SUPABASE_URL, env.NEXT_PUBLIC_SUPABASE_ANON_KEY);
+}
diff --git a/apps/web/src/modules/auth/callback/AuthCallback.tsx b/apps/web/src/modules/auth/callback/AuthCallback.tsx
index a7ad1f1..17839a8 100644
--- a/apps/web/src/modules/auth/callback/AuthCallback.tsx
+++ b/apps/web/src/modules/auth/callback/AuthCallback.tsx
@@ -47,7 +47,7 @@ export function AuthCallback() {
 
 							{userInfo && (
 								<div className="mt-6 p-4 bg-white rounded-lg shadow border">
-									<h3 className="text-lg font-medium text-gray-900 mb-3">Welcome!</h3>
+									<h3 className="text-lg font-medium text-gray-900 mb-3">Welcome Back!</h3>
 									<div className="space-y-2">
 										<div className="flex items-center justify-center">
 											{userInfo.avatar_url && (
@@ -65,9 +65,11 @@ export function AuthCallback() {
 											</div>
 										</div>
 									</div>
-									<p className="text-xs text-gray-400 mt-3 animate-pulse">
-										Redirecting to dashboard in a few seconds...
-									</p>
+									<div className="mt-4">
+										<Button type="button" onClick={() => router.push("/")} className="w-full">
+											Go to Home
+										</Button>
+									</div>
 								</div>
 							)}
 						</>
diff --git a/apps/web/src/modules/auth/callback/use-handle-auth-callback.test.ts b/apps/web/src/modules/auth/callback/use-handle-auth-callback.test.ts
new file mode 100644
index 0000000..695a033
--- /dev/null
+++ b/apps/web/src/modules/auth/callback/use-handle-auth-callback.test.ts
@@ -0,0 +1,260 @@
+/**
+ * Unit tests for useAuthCallback hook
+ *
+ * Covers:
+ *  - No tokens in URL hash → immediate redirect to /auth/login
+ *  - Valid tokens → submits to backend → redirects to /event on success
+ *  - Backend failure → sets error status → redirects to /auth/login
+ *  - Token extraction edge cases (malformed hash, partial tokens)
+ */
+import { act, renderHook, waitFor } from "@testing-library/react";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+
+// ─── Mocks ───────────────────────────────────────────────────────────────────
+
+const mockRouterPush = vi.fn();
+
+vi.mock("next/navigation", () => ({
+	useRouter: () => ({
+		push: mockRouterPush,
+		refresh: vi.fn(),
+	}),
+}));
+
+// The mutation function and its control handles, set per test via mockImplementation.
+const mockMutate = vi.fn();
+let capturedCallbacks: {
+	onSuccess?: (res: unknown) => void;
+	onError?: (err: Error) => void;
+} = {};
+
+vi.mock("@/hooks/mutations/use-auth-callback", () => ({
+	useAuthCallbackMutation: () => ({
+		mutate: mockMutate,
+		isPending: false,
+	}),
+}));
+
+// Helper: set window.location.hash to simulate OAuth redirect URL
+function setLocationHash(hash: string) {
+	Object.defineProperty(window, "location", {
+		writable: true,
+		value: { ...window.location, hash },
+	});
+}
+
+// ─── Import under test (must come after vi.mock calls) ───────────────────────
+import { useAuthCallback } from "./use-handle-auth-callback";
+
+// ─── Tests ───────────────────────────────────────────────────────────────────
+
+describe("useAuthCallback", () => {
+	beforeEach(() => {
+		vi.clearAllMocks();
+		capturedCallbacks = {};
+
+		// Default mutate implementation: capture the callbacks so tests can
+		// trigger onSuccess / onError imperatively.
+		mockMutate.mockImplementation(
+			(
+				_params: unknown,
+				callbacks: { onSuccess?: (res: unknown) => void; onError?: (err: Error) => void }
+			) => {
+				capturedCallbacks = callbacks ?? {};
+			}
+		);
+	});
+
+	afterEach(() => {
+		// Reset hash between tests
+		setLocationHash("");
+	});
+
+	// ── No tokens present ──────────────────────────────────────────────────
+
+	it("redirects to /auth/login immediately when the URL hash is empty", async () => {
+		setLocationHash("");
+
+		renderHook(() => useAuthCallback());
+
+		await waitFor(() => {
+			expect(mockRouterPush).toHaveBeenCalledWith("/auth/login");
+		});
+		expect(mockMutate).not.toHaveBeenCalled();
+	});
+
+	it("redirects to /auth/login when the hash contains neither access_token nor refresh_token", async () => {
+		setLocationHash("#some_other_param=value");
+
+		renderHook(() => useAuthCallback());
+
+		await waitFor(() => {
+			expect(mockRouterPush).toHaveBeenCalledWith("/auth/login");
+		});
+		expect(mockMutate).not.toHaveBeenCalled();
+	});
+
+	it("redirects to /auth/login when access_token is present but refresh_token is missing", async () => {
+		setLocationHash("#access_token=abc");
+
+		renderHook(() => useAuthCallback());
+
+		await waitFor(() => {
+			expect(mockRouterPush).toHaveBeenCalledWith("/auth/login");
+		});
+		expect(mockMutate).not.toHaveBeenCalled();
+	});
+
+	it("redirects to /auth/login when refresh_token is present but access_token is missing", async () => {
+		setLocationHash("#refresh_token=xyz");
+
+		renderHook(() => useAuthCallback());
+
+		await waitFor(() => {
+			expect(mockRouterPush).toHaveBeenCalledWith("/auth/login");
+		});
+		expect(mockMutate).not.toHaveBeenCalled();
+	});
+
+	// ── Token submission ───────────────────────────────────────────────────
+
+	it("calls mutate with the extracted tokens when both are present in the URL hash", async () => {
+		setLocationHash("#access_token=AT123&refresh_token=RT456&token_type=bearer");
+
+		renderHook(() => useAuthCallback());
+
+		await waitFor(() => {
+			expect(mockMutate).toHaveBeenCalledWith(
+				{ access_token: "AT123", refresh_token: "RT456" },
+				expect.objectContaining({ onSuccess: expect.any(Function), onError: expect.any(Function) })
+			);
+		});
+	});
+
+	// ── Success path ───────────────────────────────────────────────────────
+
+	it("sets status to 'success' and redirects to /event after a successful callback", async () => {
+		setLocationHash("#access_token=AT&refresh_token=RT");
+
+		const { result } = renderHook(() => useAuthCallback());
+
+		// Wait for the mutate call so capturedCallbacks is populated
+		await waitFor(() => expect(mockMutate).toHaveBeenCalled());
+
+		act(() => {
+			capturedCallbacks.onSuccess?.({
+				success: true,
+				message: "ok",
+				user: { id: "u1", email: "a@b.com", name: "Alice" },
+			});
+		});
+
+		await waitFor(() => {
+			expect(result.current.status).toBe("success");
+			expect(result.current.message).toBe("Authentication successful! Redirecting...");
+			expect(mockRouterPush).toHaveBeenCalledWith("/event");
+		});
+	});
+
+	it("exposes the returned userInfo on success", async () => {
+		setLocationHash("#access_token=AT&refresh_token=RT");
+
+		const { result } = renderHook(() => useAuthCallback());
+
+		await waitFor(() => expect(mockMutate).toHaveBeenCalled());
+
+		act(() => {
+			capturedCallbacks.onSuccess?.({
+				success: true,
+				message: "ok",
+				user: {
+					id: "u2",
+					email: "bob@example.com",
+					name: "Bob",
+					avatar_url: "https://cdn.example.com/bob.jpg",
+				},
+			});
+		});
+
+		await waitFor(() => {
+			expect(result.current.userInfo).toMatchObject({
+				id: "u2",
+				email: "bob@example.com",
+				name: "Bob",
+				avatar_url: "https://cdn.example.com/bob.jpg",
+			});
+		});
+	});
+
+	it("sets userInfo to null when the server response contains no user", async () => {
+		setLocationHash("#access_token=AT&refresh_token=RT");
+
+		const { result } = renderHook(() => useAuthCallback());
+
+		await waitFor(() => expect(mockMutate).toHaveBeenCalled());
+
+		act(() => {
+			capturedCallbacks.onSuccess?.({ success: true, message: "ok", user: undefined });
+		});
+
+		await waitFor(() => {
+			expect(result.current.userInfo).toBeNull();
+		});
+	});
+
+	// ── Error path ─────────────────────────────────────────────────────────
+
+	it("sets status to 'error' and shows an error message on backend failure", async () => {
+		setLocationHash("#access_token=AT&refresh_token=RT");
+
+		const { result } = renderHook(() => useAuthCallback());
+
+		await waitFor(() => expect(mockMutate).toHaveBeenCalled());
+
+		act(() => {
+			capturedCallbacks.onError?.(new Error("Token rejected"));
+		});
+
+		await waitFor(() => {
+			expect(result.current.status).toBe("error");
+			expect(result.current.message).toBe("Authentication failed. Please try again.");
+		});
+	});
+
+	it("redirects to /auth/login after a short delay on error", async () => {
+		// Use shouldAdvanceTime so waitFor's internal polling still works while
+		// we can also fast-forward the hook's 500 ms redirect timeout.
+		vi.useFakeTimers({ shouldAdvanceTime: true });
+		setLocationHash("#access_token=AT&refresh_token=RT");
+
+		renderHook(() => useAuthCallback());
+
+		await waitFor(() => expect(mockMutate).toHaveBeenCalled());
+
+		act(() => {
+			capturedCallbacks.onError?.(new Error("Server error"));
+		});
+
+		// Fast-forward past the 500 ms setTimeout inside the hook
+		await act(async () => {
+			vi.advanceTimersByTime(600);
+		});
+
+		expect(mockRouterPush).toHaveBeenCalledWith("/auth/login");
+
+		vi.useRealTimers();
+	});
+
+	// ── Initial state ──────────────────────────────────────────────────────
+
+	it("starts with status 'idle', empty message and null userInfo", () => {
+		setLocationHash("#access_token=AT&refresh_token=RT");
+
+		const { result } = renderHook(() => useAuthCallback());
+
+		// Before any async resolution the initial state should be idle
+		expect(result.current.status).toBe("idle");
+		expect(result.current.message).toBe("");
+		expect(result.current.userInfo).toBeNull();
+	});
+});
diff --git a/apps/web/src/modules/auth/callback/use-handle-auth-callback.ts b/apps/web/src/modules/auth/callback/use-handle-auth-callback.ts
index 1d51867..df281dd 100644
--- a/apps/web/src/modules/auth/callback/use-handle-auth-callback.ts
+++ b/apps/web/src/modules/auth/callback/use-handle-auth-callback.ts
@@ -51,9 +51,8 @@ export function useAuthCallback() {
 					setUserInfo(res?.user ?? null);
 					setMessage("Authentication successful! Redirecting...");
 
-					setTimeout(() => {
-						router.push("/event");
-					}, 500);
+					// Immediate redirect
+					router.push("/event");
 				},
 				onError: (error) => {
 					setStatus("error");
diff --git a/apps/web/src/modules/auth/login/AuthenticatedUserLogin.tsx b/apps/web/src/modules/auth/login/AuthenticatedUserLogin.tsx
index d4394b3..c475203 100644
--- a/apps/web/src/modules/auth/login/AuthenticatedUserLogin.tsx
+++ b/apps/web/src/modules/auth/login/AuthenticatedUserLogin.tsx
@@ -1,4 +1,7 @@
+"use client";
+
 import Image from "next/image";
+import { useRouter } from "next/navigation";
 import { Button } from "@/components/atoms/button";
 
 interface AuthenticatedUserLoginProps {
@@ -7,6 +10,7 @@ interface AuthenticatedUserLoginProps {
 	email: string;
 	id: string;
 	handleSignOut: () => void;
+	rateLimitMessage?: string;
 }
 
 export function AuthenticatedUserLogin({
@@ -15,7 +19,10 @@ export function AuthenticatedUserLogin({
 	email,
 	id,
 	handleSignOut,
+	rateLimitMessage,
 }: AuthenticatedUserLoginProps) {
+	const router = useRouter();
+
 	return (
 		<div className="min-h-screen flex items-center justify-center bg-gray-50">
 			<div className="max-w-md w-full space-y-8">
@@ -38,9 +45,19 @@ export function AuthenticatedUserLogin({
 								<p className="text-xs text-gray-400 mt-1">ID: {id}</p>
 							</div>
 						</div>
-						<Button type="button" onClick={handleSignOut} variant="destructive">
-							Sign Out
-						</Button>
+						{rateLimitMessage && (
+							<div className="mb-4 p-3 bg-red-50 border border-red-200 rounded-lg">
+								<p className="text-red-600 text-sm">⚠️ {rateLimitMessage}</p>
+							</div>
+						)}
+						<div className="flex flex-col gap-2">
+							<Button type="button" onClick={() => router.push("/event")}>
+								Go to Events
+							</Button>
+							<Button type="button" onClick={handleSignOut} variant="destructive">
+								Sign Out
+							</Button>
+						</div>
 					</div>
 				</div>
 			</div>
diff --git a/apps/web/src/modules/auth/login/LoginSection.tsx b/apps/web/src/modules/auth/login/LoginSection.tsx
index 68f0736..6dcd6c7 100644
--- a/apps/web/src/modules/auth/login/LoginSection.tsx
+++ b/apps/web/src/modules/auth/login/LoginSection.tsx
@@ -1,40 +1,88 @@
 "use client";
 
 import { useRouter } from "next/navigation";
-import { useCallback } from "react";
+import { useCallback, useEffect, useMemo, useState } from "react";
 import { Loading } from "@/components/organisms/loading/Loading";
-import { authHeaders } from "@/config/header";
-import { getSignInLink } from "@/config/link";
+import { useRateLimit } from "@/hooks/use-rate-limit";
 import { useSession } from "@/hooks/use-session";
-import { client } from "@/lib/client";
+import { createClient } from "@/lib/supabase";
 import { AuthenticatedUserLogin } from "./AuthenticatedUserLogin";
 import { UnAuthenticatedUserLogin } from "./UnauthenticatedUserLogin";
 
 export function LoginSection() {
 	const { user, isLoading, refetch } = useSession();
 	const router = useRouter();
+	const [rateLimitMessage, setRateLimitMessage] = useState<string>("");
+	const supabase = useMemo(() => createClient(), []);
 
-	const handleGoogleSignIn = useCallback(() => {
-		// Redirect to your backend's Google auth endpoint
-		router.push(getSignInLink());
-	}, [router]);
-
-	const handleSignOut = useCallback(() => {
-		client.api.auth.logout
-			.post(
-				{},
-				{
-					...authHeaders,
-				}
-			)
-			.then(() => {
-				refetch();
-				router.refresh();
-			})
-			.catch((error) => {
-				console.error("Logout failed:", error);
+	// Rate limit: 5 login attempts per minute
+	const loginRateLimit = useRateLimit({
+		maxAttempts: 5,
+		windowMs: 60000, // 1 minute
+		onLimitExceeded: (resetIn) => {
+			setRateLimitMessage(
+				`Too many login attempts. Please wait ${resetIn} seconds before trying again.`
+			);
+		},
+	});
+
+	// Rate limit: 3 logout attempts per minute
+	const logoutRateLimit = useRateLimit({
+		maxAttempts: 3,
+		windowMs: 60000, // 1 minute
+		onLimitExceeded: (resetIn) => {
+			setRateLimitMessage(
+				`Too many logout attempts. Please wait ${resetIn} seconds before trying again.`
+			);
+		},
+	});
+
+	// Clear rate limit message after it's been shown
+	useEffect(() => {
+		if (rateLimitMessage) {
+			const timer = setTimeout(() => setRateLimitMessage(""), 5000);
+			return () => clearTimeout(timer);
+		}
+	}, [rateLimitMessage]);
+
+	// Redirect authenticated users to event page
+	useEffect(() => {
+		if (!isLoading && user) {
+			router.push("/event");
+		}
+	}, [user, isLoading, router]);
+
+	const handleGoogleSignIn = useCallback(async () => {
+		const { success } = await loginRateLimit.execute(async () => {
+			const { error } = await supabase.auth.signInWithOAuth({
+				provider: "google",
+				options: {
+					redirectTo: `${window.location.origin}/auth/callback`,
+				},
 			});
-	}, [refetch, router]);
+
+			if (error) {
+				console.error("Error signing in:", error);
+				setRateLimitMessage(error.message);
+			}
+		});
+
+		if (!success && rateLimitMessage) {
+			console.warn(rateLimitMessage);
+		}
+	}, [supabase, loginRateLimit, rateLimitMessage]);
+
+	const handleSignOut = useCallback(async () => {
+		const { success } = await logoutRateLimit.execute(async () => {
+			await supabase.auth.signOut();
+			refetch();
+			router.refresh();
+		});
+
+		if (!success && rateLimitMessage) {
+			console.warn(rateLimitMessage);
+		}
+	}, [supabase, refetch, router, logoutRateLimit, rateLimitMessage]);
 
 	if (isLoading) {
 		return (
@@ -52,9 +100,15 @@ export function LoginSection() {
 				name={user.name}
 				avatarUrl={user.avatar_url}
 				handleSignOut={handleSignOut}
+				rateLimitMessage={rateLimitMessage}
 			/>
 		);
 	}
 
-	return <UnAuthenticatedUserLogin handleGoogleSignIn={handleGoogleSignIn} />;
+	return (
+		<UnAuthenticatedUserLogin
+			handleGoogleSignIn={handleGoogleSignIn}
+			rateLimitMessage={rateLimitMessage}
+		/>
+	);
 }
diff --git a/apps/web/src/modules/auth/login/UnauthenticatedUserLogin.tsx b/apps/web/src/modules/auth/login/UnauthenticatedUserLogin.tsx
index 3106bda..3ddd27d 100644
--- a/apps/web/src/modules/auth/login/UnauthenticatedUserLogin.tsx
+++ b/apps/web/src/modules/auth/login/UnauthenticatedUserLogin.tsx
@@ -20,9 +20,13 @@ const inter = Inter({
 
 interface UnAuthenticatedUserLoginProps {
 	handleGoogleSignIn: () => void;
+	rateLimitMessage?: string;
 }
 
-export function UnAuthenticatedUserLogin({ handleGoogleSignIn }: UnAuthenticatedUserLoginProps) {
+export function UnAuthenticatedUserLogin({
+	handleGoogleSignIn,
+	rateLimitMessage,
+}: UnAuthenticatedUserLoginProps) {
 	const [{ headerVisible, leftVisible, rightVisible }, setVisibility] = useState({
 		headerVisible: false,
 		leftVisible: false,
@@ -103,6 +107,14 @@ export function UnAuthenticatedUserLogin({ handleGoogleSignIn }: UnAuthenticated
 								</p>
 							</div>
 
+							{rateLimitMessage && (
+								<div className="mb-4 p-3 bg-red-50 border border-red-200 rounded-lg">
+									<p className={`text-red-600 text-sm ${ibmPlexSansThai.className}`}>
+										⚠️ {rateLimitMessage}
+									</p>
+								</div>
+							)}
+
 							<button
 								type="button"
 								onClick={handleGoogleSignIn}
diff --git a/apps/web/src/modules/event/AgendaSection.tsx b/apps/web/src/modules/event/AgendaSection.tsx
index d9d33f1..cbfd8ac 100644
--- a/apps/web/src/modules/event/AgendaSection.tsx
+++ b/apps/web/src/modules/event/AgendaSection.tsx
@@ -1,9 +1,9 @@
 "use client";
 
-import { Edit, GripVertical, Trash2 } from "lucide-react";
-import { useEffect, useMemo, useState } from "react";
+import { Download, Edit, GripVertical, Printer, Trash2, X } from "lucide-react";
+import { useCallback, useEffect, useMemo, useState } from "react";
+import type { EventData } from "@/app/event/page";
 import { Button } from "@/components/atoms/button";
-// shadcn dialog imports
 import {
 	Dialog,
 	DialogClose,
@@ -17,6 +17,7 @@ import { Input } from "@/components/atoms/input";
 import { useCreateAgenda } from "@/hooks/use-create-agenda";
 import { useDeleteAgenda } from "@/hooks/use-delete-agenda";
 import { useGetAgenda } from "@/hooks/use-get-agenda";
+import { useSessionManager } from "@/hooks/use-session-manager";
 import { useUpdateAgenda } from "@/hooks/use-update-agenda";
 
 type AgendaSlot = {
@@ -53,36 +54,41 @@ const agendaHeaders = [
 	"Activity",
 	"Person in Charge",
 	"Remarks",
+	"Status",
 	"Actions",
 ];
 
-export default function AgendaSection() {
-	const eventId = "static-event-1";
+export default function AgendaSection({ eventData }: { eventData: EventData }) {
+	const eventId = eventData.id;
 	const [currentDay, setCurrentDay] = useState(1);
 	const [hasMounted, setHasMounted] = useState(false);
+	const [sessionErrors, setSessionErrors] = useState<Record<string, string>>({});
+	const [endingSlots, setEndingSlots] = useState<Record<string, boolean>>({});
 
-	// Calculate event dates based on a static event (you can modify this to use props)
-	const eventStartDate = "2025-07-26"; // Day 1
 	const eventDays = useMemo(() => {
-		const startDate = new Date(eventStartDate);
-		// Assuming 3 days event, you can modify this logic
-		return Array.from({ length: 3 }, (_, i) => {
-			const date = new Date(startDate);
-			date.setDate(startDate.getDate() + i);
+		const start = new Date(eventData.startDate);
+		const end = new Date(eventData.endDate);
+		const dayCount = Math.max(1, Math.round((end.getTime() - start.getTime()) / 86400000) + 1);
+		return Array.from({ length: dayCount }, (_, i) => {
+			const date = new Date(start);
+			date.setDate(start.getDate() + i);
 			return {
 				day: i + 1,
-				date: date.toISOString().split("T")[0], // YYYY-MM-DD format
+				date: date.toISOString().split("T")[0] ?? "",
 				displayDate: date.toLocaleDateString("en-US", {
 					month: "short",
 					day: "numeric",
 				}),
 			};
 		});
-	}, []);
+	}, [eventData.startDate, eventData.endDate]);
 
 	const currentDayData = eventDays[currentDay - 1];
 
-	const { data: agendaSlots, isLoading, error, refetch } = useGetAgenda(); //eventId, currentDay - previous input
+	const { data: agendaSlots, isLoading, error, refetch } = useGetAgenda();
+
+	const { handleEndSession, handleUndoSession, getSessionEndInfo, formatAPNotation } =
+		useSessionManager();
 
 	// Dialog state
 	const [open, setOpen] = useState(false);
@@ -328,6 +334,45 @@ export default function AgendaSection() {
 		}
 	};
 
+	// AP notation helper — checks local session state first, then backend actualEndTime
+	const getAPForSlot = (slot: AgendaSlot): { notation: string; isLate: boolean } | null => {
+		const localInfo = getSessionEndInfo(slot.id);
+		if (localInfo) {
+			return {
+				notation: formatAPNotation(localInfo.difference),
+				isLate: localInfo.difference > 0,
+			};
+		}
+		if (slot.actualEndTime) {
+			const diff = Math.round(
+				(new Date(slot.actualEndTime).getTime() - new Date(slot.end).getTime()) / 60000
+			);
+			return { notation: formatAPNotation(diff), isLate: diff > 0 };
+		}
+		return null;
+	};
+
+	const handleEndSessionClick = async (slot: AgendaSlot) => {
+		setSessionErrors((prev) => ({ ...prev, [slot.id]: "" }));
+		setEndingSlots((prev) => ({ ...prev, [slot.id]: true }));
+		try {
+			await handleEndSession(slot);
+			refetch();
+		} catch (err) {
+			setSessionErrors((prev) => ({
+				...prev,
+				[slot.id]: err instanceof Error ? err.message : "Failed to end session",
+			}));
+		} finally {
+			setEndingSlots((prev) => ({ ...prev, [slot.id]: false }));
+		}
+	};
+
+	const handleUndoSessionClick = (slot: AgendaSlot) => {
+		handleUndoSession(slot);
+		refetch();
+	};
+
 	const sortedSlots = useMemo(() => {
 		if (!agendaSlots || !Array.isArray(agendaSlots)) return [];
 
@@ -411,6 +456,40 @@ export default function AgendaSection() {
 		});
 	}, [agendaSlots, currentDayData]);
 
+	const handleDownloadCSV = useCallback(() => {
+		const headers = ["Slot", "Start", "End", "Activity", "Person in Charge", "Remarks", "Status"];
+		const rows = sortedSlots.map((slot, idx) => {
+			const ap = getAPForSlot(slot);
+			const fmt = (d: string) =>
+				new Date(d).toLocaleTimeString("en-US", {
+					hour: "2-digit",
+					minute: "2-digit",
+					hour12: false,
+					timeZone: "Asia/Bangkok",
+				});
+			const esc = (s: string) => `"${s.replace(/"/g, '""')}"`;
+			return [
+				idx + 1,
+				fmt(slot.start),
+				fmt(slot.end),
+				esc(slot.activity),
+				esc(slot.personincharge),
+				esc(slot.remarks ?? ""),
+				ap ? ap.notation : "–",
+			].join(",");
+		});
+		const csv = [headers.join(","), ...rows].join("\n");
+		const blob = new Blob([csv], { type: "text/csv;charset=utf-8;" });
+		const url = URL.createObjectURL(blob);
+		const a = document.createElement("a");
+		a.href = url;
+		a.download = `agenda-day${currentDay}-${currentDayData?.date ?? ""}.csv`;
+		document.body.appendChild(a);
+		a.click();
+		document.body.removeChild(a);
+		URL.revokeObjectURL(url);
+	}, [sortedSlots, currentDay, currentDayData]);
+
 	useEffect(() => {
 		setHasMounted(true);
 	}, []);
@@ -462,6 +541,29 @@ export default function AgendaSection() {
 							))}
 						</div>
 
+						<div className="flex gap-2">
+							<Button
+								variant="outline"
+								size="sm"
+								onClick={handleDownloadCSV}
+								className="flex items-center gap-1"
+								title="Download CSV"
+							>
+								<Download className="h-4 w-4" />
+								<span className="hidden sm:inline text-sm">CSV</span>
+							</Button>
+							<Button
+								variant="outline"
+								size="sm"
+								onClick={() => window.print()}
+								className="flex items-center gap-1"
+								title="Print"
+							>
+								<Printer className="h-4 w-4" />
+								<span className="hidden sm:inline text-sm">Print</span>
+							</Button>
+						</div>
+
 						<Dialog open={open} onOpenChange={setOpen}>
 							<DialogTrigger asChild>
 								<Button variant="default" size="sm" className="w-full sm:w-auto">
@@ -733,6 +835,50 @@ export default function AgendaSection() {
 											<td className="px-6 py-4">{slot.activity}</td>
 											<td className="px-6 py-4">{slot.personincharge}</td>
 											<td className="px-6 py-4">{slot.remarks || "-"}</td>
+											<td className="px-6 py-4">
+												{(() => {
+													const ap = hasMounted ? getAPForSlot(slot) : null;
+													const isEnding = endingSlots[slot.id];
+													const err = sessionErrors[slot.id];
+													const hasLocal = !!getSessionEndInfo(slot.id);
+													if (ap) {
+														return (
+															<div className="flex flex-col gap-1">
+																<span
+																	className={`inline-flex items-center px-2 py-0.5 rounded text-xs font-mono font-bold ${ap.isLate ? "bg-red-100 text-red-700" : "bg-green-100 text-green-700"}`}
+																>
+																	{ap.notation}
+																</span>
+																{hasLocal && (
+																	<Button
+																		variant="outline"
+																		size="sm"
+																		onClick={() => handleUndoSessionClick(slot)}
+																		className="h-6 px-2 text-xs text-gray-500"
+																	>
+																		<X className="h-3 w-3 mr-1" />
+																		Undo
+																	</Button>
+																)}
+															</div>
+														);
+													}
+													return (
+														<div className="flex flex-col gap-1">
+															<Button
+																variant="outline"
+																size="sm"
+																onClick={() => handleEndSessionClick(slot)}
+																disabled={isEnding}
+																className="h-7 px-2 text-xs text-orange-700 border-orange-300 hover:bg-orange-50"
+															>
+																{isEnding ? "Ending…" : "End Session"}
+															</Button>
+															{err && <p className="text-xs text-red-500">{err}</p>}
+														</div>
+													);
+												})()}
+											</td>
 											<td className="px-6 py-4">
 												<div className="flex items-center gap-2">
 													<Button
@@ -835,6 +981,51 @@ export default function AgendaSection() {
 										</div>
 									)}
 
+									{hasMounted &&
+										(() => {
+											const ap = getAPForSlot(slot);
+											const isEnding = endingSlots[slot.id];
+											const err = sessionErrors[slot.id];
+											const hasLocal = !!getSessionEndInfo(slot.id);
+											return (
+												<div className="flex flex-wrap items-center gap-2 pt-2 border-t">
+													{ap ? (
+														<>
+															<span
+																className={`inline-flex items-center px-2 py-0.5 rounded text-xs font-mono font-bold ${ap.isLate ? "bg-red-100 text-red-700" : "bg-green-100 text-green-700"}`}
+															>
+																{ap.notation}
+															</span>
+															{hasLocal && (
+																<Button
+																	variant="outline"
+																	size="sm"
+																	onClick={() => handleUndoSessionClick(slot)}
+																	className="h-7 px-2 text-xs text-gray-500"
+																>
+																	<X className="h-3 w-3 mr-1" />
+																	Undo
+																</Button>
+															)}
+														</>
+													) : (
+														<>
+															<Button
+																variant="outline"
+																size="sm"
+																onClick={() => handleEndSessionClick(slot)}
+																disabled={isEnding}
+																className="h-7 px-2 text-xs text-orange-700 border-orange-300 hover:bg-orange-50"
+															>
+																{isEnding ? "Ending…" : "End Session"}
+															</Button>
+															{err && <p className="text-xs text-red-500">{err}</p>}
+														</>
+													)}
+												</div>
+											);
+										})()}
+
 									<div className="flex items-center justify-end gap-2 pt-2 border-t">
 										<Button
 											variant="outline"
diff --git a/apps/web/src/modules/event/ExtraSection.tsx b/apps/web/src/modules/event/ExtraSection.tsx
new file mode 100644
index 0000000..2d3bdd1
--- /dev/null
+++ b/apps/web/src/modules/event/ExtraSection.tsx
@@ -0,0 +1,152 @@
+"use client";
+
+import { useCallback, useEffect, useState } from "react";
+import type { EventData } from "@/app/event/page";
+import { Button } from "@/components/atoms/button";
+
+type Tab = "notes" | "sponsor";
+
+function formatDateTH(iso: string): string {
+	if (!iso) return "";
+	const d = new Date(iso);
+	if (Number.isNaN(d.getTime())) return iso;
+	return d.toLocaleDateString("th-TH", { year: "numeric", month: "long", day: "numeric" });
+}
+
+function buildSponsorTemplate(eventData: EventData): string {
+	const startTH = formatDateTH(eventData.startDate);
+	const endTH = formatDateTH(eventData.endDate);
+	const dateRange = startTH === endTH ? startTH : `${startTH} – ${endTH}`;
+
+	return `เรื่อง  ขอเรียนเชิญเข้าร่วมสนับสนุนกิจกรรม "${eventData.name}"
+
+เรียน  ท่านผู้สนับสนุน
+
+ด้วยคณะผู้จัดงานมีกำหนดจัดกิจกรรม "${eventData.name}" ในระหว่างวันที่ ${dateRange}
+ณ ${eventData.location || "สถานที่ TBD"}
+
+${eventData.description ? `รายละเอียดกิจกรรม:\n${eventData.description}\n\n` : ""}วัตถุประสงค์ของการจัดงานมุ่งเน้นการสร้างประโยชน์แก่ผู้เข้าร่วมและชุมชน คณะผู้จัดงานขอเรียนเชิญท่านพิจารณาให้การสนับสนุนกิจกรรมดังกล่าวในรูปแบบที่ท่านเห็นสมควร
+
+จึงเรียนมาเพื่อโปรดพิจารณา และขอขอบพระคุณเป็นอย่างสูง
+
+ขอแสดงความนับถือ
+คณะผู้จัดงาน ${eventData.name}`;
+}
+
+export default function ExtraSection({ eventData }: { eventData: EventData }) {
+	const [activeTab, setActiveTab] = useState<Tab>("notes");
+	const [notes, setNotes] = useState("");
+	const [copied, setCopied] = useState(false);
+
+	const notesKey = `eventer-notes-${eventData.id}`;
+
+	// Load notes from localStorage
+	useEffect(() => {
+		try {
+			const saved = localStorage.getItem(notesKey);
+			if (saved !== null) setNotes(saved);
+		} catch {
+			// localStorage unavailable
+		}
+	}, [notesKey]);
+
+	// Persist notes on change
+	const handleNotesChange = useCallback(
+		(e: React.ChangeEvent<HTMLTextAreaElement>) => {
+			const value = e.target.value;
+			setNotes(value);
+			try {
+				localStorage.setItem(notesKey, value);
+			} catch {
+				// localStorage unavailable
+			}
+		},
+		[notesKey]
+	);
+
+	const sponsorTemplate = buildSponsorTemplate(eventData);
+
+	const handleCopy = async () => {
+		try {
+			await navigator.clipboard.writeText(sponsorTemplate);
+			setCopied(true);
+			setTimeout(() => setCopied(false), 2000);
+		} catch {
+			// Fallback: select all in textarea
+			const el = document.getElementById("sponsor-template") as HTMLTextAreaElement | null;
+			el?.select();
+		}
+	};
+
+	return (
+		<div className="min-h-screen bg-gray-50 p-4 lg:p-8">
+			<div className="mb-6">
+				<h1 className="text-2xl lg:text-3xl font-bold">Extra</h1>
+				<p className="text-gray-600 text-sm mt-1">{eventData.name}</p>
+			</div>
+
+			{/* Tab switcher */}
+			<div className="flex gap-1 bg-gray-200 p-1 rounded-lg w-fit mb-6">
+				<button
+					type="button"
+					onClick={() => setActiveTab("notes")}
+					className={`px-4 py-1.5 rounded-md text-sm font-medium transition-colors ${activeTab === "notes" ? "bg-white shadow text-gray-900" : "text-gray-600 hover:text-gray-900"}`}
+				>
+					📝 Notes
+				</button>
+				<button
+					type="button"
+					onClick={() => setActiveTab("sponsor")}
+					className={`px-4 py-1.5 rounded-md text-sm font-medium transition-colors ${activeTab === "sponsor" ? "bg-white shadow text-gray-900" : "text-gray-600 hover:text-gray-900"}`}
+				>
+					📄 Sponsor Template
+				</button>
+			</div>
+
+			{activeTab === "notes" && (
+				<div className="bg-white rounded-lg shadow-sm border p-4">
+					<div className="flex items-center justify-between mb-3">
+						<h2 className="font-semibold text-gray-800">Event Notes</h2>
+						<span className="text-xs text-gray-400">Auto-saved</span>
+					</div>
+					<textarea
+						value={notes}
+						onChange={handleNotesChange}
+						placeholder={`Add notes for "${eventData.name}"…`}
+						rows={16}
+						className="w-full resize-y text-sm text-gray-700 placeholder:text-gray-400 border border-gray-200 rounded-md p-3 focus:outline-none focus:ring-2 focus:ring-purple-300 focus:border-transparent"
+					/>
+					<p className="text-xs text-gray-400 mt-2">Notes are saved locally in your browser.</p>
+				</div>
+			)}
+
+			{activeTab === "sponsor" && (
+				<div className="bg-white rounded-lg shadow-sm border p-4">
+					<div className="flex flex-col sm:flex-row sm:items-center sm:justify-between gap-3 mb-4">
+						<h2 className="font-semibold text-gray-800">Sponsor Template (ภาษาไทย)</h2>
+						<Button
+							variant="default"
+							size="sm"
+							onClick={handleCopy}
+							className={`w-full sm:w-auto ${copied ? "bg-green-600 hover:bg-green-700" : ""}`}
+						>
+							{copied ? "✓ Copied!" : "Copy to Clipboard"}
+						</Button>
+					</div>
+
+					<textarea
+						id="sponsor-template"
+						readOnly
+						value={sponsorTemplate}
+						rows={20}
+						className="w-full resize-y text-sm font-mono text-gray-700 border border-gray-200 rounded-md p-3 bg-gray-50 focus:outline-none focus:ring-2 focus:ring-purple-300"
+					/>
+
+					<p className="text-xs text-gray-400 mt-2">
+						Template auto-filled from event details. Edit the copied text as needed.
+					</p>
+				</div>
+			)}
+		</div>
+	);
+}
diff --git a/apps/web/src/modules/event/GanttSection.tsx b/apps/web/src/modules/event/GanttSection.tsx
new file mode 100644
index 0000000..1ffe36c
--- /dev/null
+++ b/apps/web/src/modules/event/GanttSection.tsx
@@ -0,0 +1,262 @@
+"use client";
+
+import { useEffect, useMemo, useState } from "react";
+import type { EventData } from "@/app/event/page";
+import { Button } from "@/components/atoms/button";
+import { useGetAgenda } from "@/hooks/use-get-agenda";
+
+// Deterministic hue from string
+function stringToHue(s: string): number {
+	let hash = 0;
+	for (let i = 0; i < s.length; i++) {
+		hash = s.charCodeAt(i) + ((hash << 5) - hash);
+	}
+	return Math.abs(hash) % 360;
+}
+
+function formatTime(iso: string): string {
+	return new Date(iso).toLocaleTimeString("en-US", {
+		hour: "2-digit",
+		minute: "2-digit",
+		hour12: false,
+		timeZone: "Asia/Bangkok",
+	});
+}
+
+export default function GanttSection({ eventData }: { eventData: EventData }) {
+	const [currentDay, setCurrentDay] = useState(1);
+	const [hasMounted, setHasMounted] = useState(false);
+
+	useEffect(() => {
+		setHasMounted(true);
+	}, []);
+
+	const eventDays = useMemo(() => {
+		const start = new Date(eventData.startDate);
+		const end = new Date(eventData.endDate);
+		const dayCount = Math.max(1, Math.round((end.getTime() - start.getTime()) / 86400000) + 1);
+		return Array.from({ length: dayCount }, (_, i) => {
+			const date = new Date(start);
+			date.setDate(start.getDate() + i);
+			return {
+				day: i + 1,
+				date: date.toISOString().split("T")[0] ?? "",
+				displayDate: date.toLocaleDateString("en-US", { month: "short", day: "numeric" }),
+			};
+		});
+	}, [eventData.startDate, eventData.endDate]);
+
+	const currentDayData = eventDays[currentDay - 1];
+
+	const { data: agendaSlots, isLoading, error } = useGetAgenda();
+
+	const daySlots = useMemo(() => {
+		if (!agendaSlots || !Array.isArray(agendaSlots)) return [];
+		return agendaSlots
+			.filter((s) => {
+				const date = new Date(s.start).toLocaleDateString("en-CA", {
+					timeZone: "Asia/Bangkok",
+				});
+				return date === currentDayData?.date;
+			})
+			.sort((a, b) => new Date(a.start).getTime() - new Date(b.start).getTime());
+	}, [agendaSlots, currentDayData]);
+
+	// Axis spans: round to full hours
+	const { axisStart, axisEnd, totalMinutes, hourMarks } = useMemo(() => {
+		if (daySlots.length === 0) {
+			const base = new Date();
+			base.setHours(8, 0, 0, 0);
+			const baseEnd = new Date(base);
+			baseEnd.setHours(18, 0, 0, 0);
+			return { axisStart: base, axisEnd: baseEnd, totalMinutes: 600, hourMarks: [] };
+		}
+
+		const earliest = new Date(daySlots[0]!.start);
+		earliest.setMinutes(0, 0, 0);
+
+		const latest = new Date(daySlots[daySlots.length - 1]!.end);
+		if (latest.getMinutes() > 0 || latest.getSeconds() > 0) {
+			latest.setHours(latest.getHours() + 1, 0, 0, 0);
+		}
+
+		const span = (latest.getTime() - earliest.getTime()) / 60000;
+		const marks: Date[] = [];
+		const cursor = new Date(earliest);
+		while (cursor < latest) {
+			marks.push(new Date(cursor));
+			cursor.setHours(cursor.getHours() + 1);
+		}
+
+		return { axisStart: earliest, axisEnd: latest, totalMinutes: span, hourMarks: marks };
+	}, [daySlots]);
+
+	const toPercent = (iso: string) => {
+		const ms = new Date(iso).getTime() - axisStart.getTime();
+		return Math.max(0, Math.min(100, (ms / 60000 / totalMinutes) * 100));
+	};
+
+	if (isLoading) {
+		return (
+			<div className="flex items-center justify-center min-h-screen text-purple-500">
+				Loading Gantt…
+			</div>
+		);
+	}
+
+	if (error) {
+		return (
+			<div className="flex items-center justify-center min-h-screen text-red-500 font-medium">
+				Error loading data: {error instanceof Error ? error.message : "Unknown error"}
+			</div>
+		);
+	}
+
+	return (
+		<div className="min-h-screen bg-gray-50 p-4 lg:p-8">
+			<div className="flex flex-col sm:flex-row sm:items-center sm:justify-between gap-4 mb-6">
+				<div>
+					<h1 className="text-2xl lg:text-3xl font-bold">Gantt Chart</h1>
+					<p className="text-gray-600 text-sm mt-1">
+						Day {currentDay} — {currentDayData?.displayDate}
+					</p>
+				</div>
+
+				{/* Day tabs */}
+				<div className="flex gap-2 flex-wrap">
+					{eventDays.map((d) => (
+						<Button
+							key={d.day}
+							variant={currentDay === d.day ? "default" : "outline"}
+							size="sm"
+							onClick={() => setCurrentDay(d.day)}
+							className={`flex-shrink-0 ${currentDay === d.day ? "bg-purple-600" : ""}`}
+						>
+							<div className="text-center">
+								<div className="text-xs">Day {d.day}</div>
+								<div className="text-xs opacity-75">{d.displayDate}</div>
+							</div>
+						</Button>
+					))}
+				</div>
+			</div>
+
+			{daySlots.length === 0 ? (
+				<div className="bg-white rounded-lg shadow-sm border p-12 text-center text-gray-500">
+					<div className="text-6xl mb-4">📊</div>
+					<p className="font-medium text-lg mb-2">No agenda for this day</p>
+					<p className="text-sm">Add agenda slots in the Agenda section first.</p>
+				</div>
+			) : (
+				<div className="bg-white rounded-lg shadow-sm border overflow-x-auto">
+					<div className="min-w-[600px] p-4">
+						{/* Hour labels */}
+						<div className="relative h-6 mb-1 ml-36">
+							{hourMarks.map((h) => {
+								const left = toPercent(h.toISOString());
+								return (
+									<span
+										key={h.toISOString()}
+										className="absolute text-xs text-gray-400 font-mono -translate-x-1/2"
+										style={{ left: `${left}%` }}
+									>
+										{hasMounted ? formatTime(h.toISOString()) : ""}
+									</span>
+								);
+							})}
+						</div>
+
+						{/* Grid + bars */}
+						<div className="relative">
+							{/* Vertical grid lines */}
+							{hourMarks.map((h) => {
+								const left = toPercent(h.toISOString());
+								return (
+									<div
+										key={h.toISOString()}
+										className="absolute top-0 bottom-0 border-l border-gray-100"
+										style={{ left: `calc(144px + ${left}% * (100% - 144px) / 100)` }}
+									/>
+								);
+							})}
+
+							{/* Rows */}
+							{daySlots.map((slot) => {
+								const hue = stringToHue(slot.personincharge ?? "");
+								const left = toPercent(slot.start);
+								const right = toPercent(slot.end);
+								const width = right - left;
+								const ap = slot.actualEndTime
+									? Math.round(
+											(new Date(slot.actualEndTime).getTime() - new Date(slot.end).getTime()) /
+												60000
+										)
+									: null;
+
+								return (
+									<div key={slot.id} className="flex items-center mb-2 gap-2">
+										{/* Label */}
+										<div className="w-36 flex-shrink-0 pr-2">
+											<p className="text-xs font-medium text-gray-700 truncate">{slot.activity}</p>
+											<p className="text-xs text-gray-400 truncate">{slot.personincharge}</p>
+										</div>
+
+										{/* Bar track */}
+										<div className="relative flex-1 h-8 bg-gray-100 rounded overflow-hidden">
+											<div
+												className="absolute top-0 h-full rounded flex items-center px-2 overflow-hidden"
+												style={{
+													left: `${left}%`,
+													width: `${Math.max(width, 0.5)}%`,
+													backgroundColor: `hsl(${hue}, 55%, 60%)`,
+												}}
+											>
+												<span className="text-white text-xs font-medium truncate">
+													{hasMounted ? `${formatTime(slot.start)}–${formatTime(slot.end)}` : ""}
+												</span>
+											</div>
+
+											{/* Actual end time marker */}
+											{hasMounted && slot.actualEndTime && (
+												<div
+													className="absolute top-0 h-full w-0.5 bg-red-500 z-10"
+													style={{ left: `${toPercent(slot.actualEndTime)}%` }}
+													title={`Actual end: ${formatTime(slot.actualEndTime)}${ap !== null ? ` (AP${ap >= 0 ? "+" : ""}${ap})` : ""}`}
+												/>
+											)}
+										</div>
+
+										{/* AP badge */}
+										{ap !== null && (
+											<span
+												className={`text-xs font-mono font-bold px-1.5 py-0.5 rounded flex-shrink-0 ${ap > 0 ? "bg-red-100 text-red-700" : "bg-green-100 text-green-700"}`}
+											>
+												{ap >= 0 ? `AP+${ap}` : `AP${ap}`}
+											</span>
+										)}
+									</div>
+								);
+							})}
+						</div>
+
+						{/* Legend */}
+						<div className="mt-4 pt-4 border-t flex flex-wrap gap-3">
+							{Array.from(new Set(daySlots.map((s) => s.personincharge))).map((name) => {
+								const hue = stringToHue(name ?? "");
+								return (
+									<div key={name} className="flex items-center gap-1 text-xs text-gray-600">
+										<div
+											className="w-3 h-3 rounded-sm flex-shrink-0"
+											style={{ backgroundColor: `hsl(${hue}, 55%, 60%)` }}
+										/>
+										{name}
+									</div>
+								);
+							})}
+						</div>
+					</div>
+				</div>
+			)}
+		</div>
+	);
+}
diff --git a/apps/web/src/modules/event/OverviewSection.tsx b/apps/web/src/modules/event/OverviewSection.tsx
index 335113b..7483775 100644
--- a/apps/web/src/modules/event/OverviewSection.tsx
+++ b/apps/web/src/modules/event/OverviewSection.tsx
@@ -1,32 +1,14 @@
-import { useEffect, useState } from "react";
-
-type EventData = {
-	id: string;
-	name: string;
-	startDate: string;
-	endDate: string;
-	location: string;
-};
-
-// Dummy event data for demonstration
-const eventData: EventData = {
-	id: "1",
-	name: "Stupid Hackathon 2025",
-	startDate: "2025-07-26T09:00:00",
-	endDate: "2025-07-28T17:00:00",
-	location: "Bangkok, Thailand",
-};
-
-function formatDate(dateStr: string) {
+import { useEffect, useMemo, useState } from "react";
+import type { EventData } from "@/app/event/page";
+import { useGetAgenda } from "@/hooks/use-get-agenda";
+
+function formatDateTH(dateStr: string) {
 	const date = new Date(dateStr);
-	return date.toLocaleDateString("th-TH", {
-		year: "numeric",
-		month: "short",
-		day: "numeric",
-	});
+	if (Number.isNaN(date.getTime())) return dateStr;
+	return date.toLocaleDateString("th-TH", { year: "numeric", month: "short", day: "numeric" });
 }
 
-function formatTime(date: Date) {
+function formatTimeTH(date: Date) {
 	return date.toLocaleTimeString("th-TH", {
 		hour: "2-digit",
 		minute: "2-digit",
@@ -34,19 +16,76 @@ function formatTime(date: Date) {
 	});
 }
 
-function OverviewSection() {
+function OverviewSection({ eventData }: { eventData: EventData }) {
 	const [currentTime, setCurrentTime] = useState(new Date());
 	const [hasMounted, setHasMounted] = useState(false);
 
+	const { data: agendaSlots } = useGetAgenda();
+
 	useEffect(() => {
 		setHasMounted(true);
 		const interval = setInterval(() => setCurrentTime(new Date()), 1000);
 		return () => clearInterval(interval);
 	}, []);
 
+	// Derive current and next activity from agenda
+	const { currentActivity, nextActivity, progressPercent } = useMemo(() => {
+		if (!agendaSlots || agendaSlots.length === 0) {
+			return { currentActivity: null, nextActivity: null, progressPercent: 0 };
+		}
+
+		const now = currentTime.getTime();
+		const sorted = [...agendaSlots].sort(
+			(a, b) => new Date(a.start).getTime() - new Date(b.start).getTime()
+		);
+
+		let current = null;
+		let next = null;
+		let progress = 0;
+
+		for (let i = 0; i < sorted.length; i++) {
+			const slot = sorted[i];
+			if (!slot) continue;
+			const start = new Date(slot.start).getTime();
+			const end = new Date(slot.end).getTime();
+
+			if (now >= start && now <= end) {
+				current = slot;
+				progress = Math.min(100, Math.round(((now - start) / (end - start)) * 100));
+				next = sorted[i + 1] ?? null;
+				break;
+			}
+
+			if (now < start) {
+				next = slot;
+				break;
+			}
+		}
+
+		return { currentActivity: current, nextActivity: next, progressPercent: progress };
+	}, [agendaSlots, currentTime]);
+
+	// Event duration progress (whole event)
+	const eventProgress = useMemo(() => {
+		if (!hasMounted) return 0;
+		const start = new Date(eventData.startDate).getTime();
+		const end = new Date(eventData.endDate).getTime();
+		const now = currentTime.getTime();
+		if (now <= start) return 0;
+		if (now >= end) return 100;
+		return Math.round(((now - start) / (end - start)) * 100);
+	}, [eventData.startDate, eventData.endDate, currentTime, hasMounted]);
+
+	const formatSlotTime = (isoStr: string) =>
+		new Date(isoStr).toLocaleTimeString("th-TH", {
+			hour: "2-digit",
+			minute: "2-digit",
+			timeZone: "Asia/Bangkok",
+		});
+
 	return (
-		<div className="p-4 lg:p-8 space-y-4 lg:space-y">
-			{/* Tabs - Mobile responsive */}
+		<div className="p-4 lg:p-8 space-y-4 overflow-y-auto h-full">
+			{/* Tabs */}
 			<div className="flex border-b border-gray-200 overflow-x-auto">
 				<button
 					type="button"
@@ -62,24 +101,36 @@ function OverviewSection() {
 				</button>
 			</div>
 
-			{/* Hero Section - Mobile responsive */}
+			{/* Hero banner */}
 			<div
 				className="rounded-xl lg:rounded-2xl p-4 lg:p-6 xl:p-8 text-white relative overflow-hidden"
-				style={{
-					background: "linear-gradient(135deg, #8B5CF6 0%, #A855F7 50%, #C084FC 100%)",
-				}}
+				style={{ background: "linear-gradient(135deg, #8B5CF6 0%, #A855F7 50%, #C084FC 100%)" }}
 			>
 				<div className="relative z-10 flex flex-col lg:flex-row lg:items-start lg:justify-between gap-4 lg:gap-6">
 					<div className="flex-1">
 						<h2 className="text-xl lg:text-2xl xl:text-3xl font-bold mb-2">{eventData.name}</h2>
 						<p className="text-purple-100 mb-1 text-sm lg:text-base">
-							{formatDate(eventData.startDate)} - {formatDate(eventData.endDate)}
-						</p>
-						<p className="text-purple-100 mb-4 lg:mb-6 xl:mb-8 text-sm lg:text-base">
-							{eventData.location}
+							{formatDateTH(eventData.startDate)} &mdash; {formatDateTH(eventData.endDate)}
 						</p>
+						<p className="text-purple-100 mb-1 text-sm lg:text-base">{eventData.location}</p>
+						{eventData.description && (
+							<p className="text-purple-200 text-sm mt-2 mb-4 max-w-lg">{eventData.description}</p>
+						)}
+
+						{/* Event progress bar */}
+						<div className="mb-4">
+							<div className="flex justify-between text-xs text-purple-200 mb-1">
+								<span>ความคืบหน้าของงาน</span>
+								<span>{eventProgress}%</span>
+							</div>
+							<div className="w-full bg-white/20 rounded-full h-1.5">
+								<div
+									className="bg-white h-1.5 rounded-full transition-all duration-1000"
+									style={{ width: `${eventProgress}%` }}
+								/>
+							</div>
+						</div>
 
-						{/* AP Timer Button - Mobile responsive */}
 						<button
 							type="button"
 							className="w-full sm:w-auto hover:bg-white/30 text-white border border-white/30 backdrop-blur-sm bg-orange-500 rounded-xl lg:rounded-2xl px-4 py-2 lg:py-3 text-sm lg:text-base font-medium transition-colors duration-200"
@@ -91,40 +142,100 @@ function OverviewSection() {
 						</button>
 					</div>
 
-					{/* Time Card - Mobile responsive */}
+					{/* Time card */}
 					<div className="bg-white rounded-xl lg:rounded-2xl p-4 lg:p-6 text-gray-900 w-full lg:w-80">
 						<div className="text-center mb-4">
 							<div className="text-xs text-gray-500 mb-2">เวลาปัจจุบัน</div>
-							<div className="text-2xl lg:text-3xl xl:text-4xl font-bold">
-								{hasMounted ? formatTime(currentTime) : "--:--:--"}
+							<div className="text-2xl lg:text-3xl xl:text-4xl font-bold font-mono">
+								{hasMounted ? formatTimeTH(currentTime) : "--:--:--"}
 							</div>
 						</div>
 
-						{/* Progress Bar */}
-						<div className="mb-4">
-							<div className="flex justify-between text-xs text-gray-500 mb-2">
-								<span>--:--</span>
-								<span>--:--</span>
+						{/* Current slot progress */}
+						{currentActivity ? (
+							<div className="mb-4">
+								<div className="flex justify-between text-xs text-gray-500 mb-1">
+									<span>{formatSlotTime(currentActivity.start)}</span>
+									<span>{formatSlotTime(currentActivity.end)}</span>
+								</div>
+								<div className="w-full bg-gray-200 rounded-full h-2">
+									<div
+										className="bg-orange-500 h-2 rounded-full transition-all duration-1000"
+										style={{ width: `${progressPercent}%` }}
+									/>
+								</div>
+								<div className="text-center text-xs text-gray-500 mt-1">
+									{progressPercent}% เสร็จแล้ว
+								</div>
 							</div>
-							<div className="w-full bg-gray-200 rounded-full h-2">
-								<div className="bg-orange-500 h-2 rounded-full" style={{ width: "0%" }}></div>
+						) : (
+							<div className="mb-4">
+								<div className="flex justify-between text-xs text-gray-500 mb-1">
+									<span>--:--</span>
+									<span>--:--</span>
+								</div>
+								<div className="w-full bg-gray-200 rounded-full h-2">
+									<div className="bg-orange-500 h-2 rounded-full" style={{ width: "0%" }} />
+								</div>
 							</div>
-						</div>
+						)}
 
-						{/* Event Info - Mobile responsive */}
+						{/* Current / Next */}
 						<div className="grid grid-cols-1 sm:grid-cols-2 gap-3 lg:gap-4 text-xs lg:text-sm">
-							<div className="text-center sm:text-left">
+							<div>
 								<div className="text-gray-500 mb-1">กิจกรรมปัจจุบัน</div>
-								<div className="font-medium">No Schedule</div>
+								<div className="font-medium text-purple-700 truncate">
+									{currentActivity ? currentActivity.activity : "ไม่มีกิจกรรม"}
+								</div>
 							</div>
-							<div className="text-center sm:text-left">
+							<div>
 								<div className="text-gray-500 mb-1">กิจกรรมต่อไป</div>
-								<div className="font-medium">No Schedule</div>
+								<div className="font-medium truncate">
+									{nextActivity ? nextActivity.activity : "ไม่มีกิจกรรม"}
+								</div>
 							</div>
 						</div>
 					</div>
 				</div>
 			</div>
+
+			{/* Agenda quick-view */}
+			{agendaSlots && agendaSlots.length > 0 && (
+				<div className="bg-white rounded-xl border border-gray-200 overflow-hidden">
+					<div className="px-4 py-3 border-b border-gray-100 font-semibold text-sm text-gray-700">
+						กิจกรรมวันนี้
+					</div>
+					<div className="divide-y divide-gray-50">
+						{agendaSlots
+							.sort((a, b) => new Date(a.start).getTime() - new Date(b.start).getTime())
+							.slice(0, 6)
+							.map((slot) => {
+								const isActive = currentActivity?.id === slot.id;
+								return (
+									<div
+										key={slot.id}
+										className={`flex items-center gap-3 px-4 py-3 text-sm ${isActive ? "bg-purple-50" : ""}`}
+									>
+										<div
+											className={`w-2 h-2 rounded-full flex-shrink-0 ${isActive ? "bg-purple-600 animate-pulse" : "bg-gray-300"}`}
+										/>
+										<span className="text-gray-500 font-mono text-xs w-12 flex-shrink-0">
+											{formatSlotTime(slot.start)}
+										</span>
+										<span
+											className={`flex-1 truncate ${isActive ? "text-purple-800 font-medium" : "text-gray-700"}`}
+										>
+											{slot.activity}
+										</span>
+										<span className="text-gray-400 text-xs flex-shrink-0">
+											{slot.personincharge}
+										</span>
+									</div>
+								);
+							})}
+					</div>
+				</div>
+			)}
 		</div>
 	);
 }
diff --git a/apps/web/src/modules/event/StaffSection.tsx b/apps/web/src/modules/event/StaffSection.tsx
new file mode 100644
index 0000000..f4e3d06
--- /dev/null
+++ b/apps/web/src/modules/event/StaffSection.tsx
@@ -0,0 +1,137 @@
+"use client";
+
+import { useMemo } from "react";
+import type { EventData } from "@/app/event/page";
+import { useGetAgenda } from "@/hooks/use-get-agenda";
+
+interface StaffMember {
+	name: string;
+	activities: { activity: string; start: string; end: string }[];
+}
+
+// Deterministic hue from a string
+function stringToHue(s: string): number {
+	let hash = 0;
+	for (let i = 0; i < s.length; i++) {
+		hash = s.charCodeAt(i) + ((hash << 5) - hash);
+	}
+	return Math.abs(hash) % 360;
+}
+
+function formatTime(iso: string): string {
+	return new Date(iso).toLocaleTimeString("en-US", {
+		hour: "2-digit",
+		minute: "2-digit",
+		hour12: false,
+		timeZone: "Asia/Bangkok",
+	});
+}
+
+export default function StaffSection({ eventData }: { eventData: EventData }) {
+	const { data: agendaSlots, isLoading, error } = useGetAgenda();
+
+	const staffRoster = useMemo((): StaffMember[] => {
+		if (!agendaSlots || !Array.isArray(agendaSlots)) return [];
+
+		const filtered = agendaSlots.filter((s) => s.eventId === eventData.id);
+		const map = new Map<string, StaffMember>();
+
+		for (const slot of filtered) {
+			const name = slot.personincharge?.trim();
+			if (!name) continue;
+			if (!map.has(name)) {
+				map.set(name, { name, activities: [] });
+			}
+			map.get(name)!.activities.push({
+				activity: slot.activity,
+				start: slot.start,
+				end: slot.end,
+			});
+		}
+
+		return Array.from(map.values()).sort((a, b) => a.name.localeCompare(b.name));
+	}, [agendaSlots, eventData.id]);
+
+	if (isLoading) {
+		return (
+			<div className="flex items-center justify-center min-h-screen text-purple-500">
+				Loading staff…
+			</div>
+		);
+	}
+
+	if (error) {
+		return (
+			<div className="flex items-center justify-center min-h-screen text-red-500 font-medium">
+				Error loading staff: {error instanceof Error ? error.message : "Unknown error"}
+			</div>
+		);
+	}
+
+	return (
+		<div className="min-h-screen bg-gray-50 p-4 lg:p-8">
+			<div className="mb-6">
+				<h1 className="text-2xl lg:text-3xl font-bold">Staff</h1>
+				<p className="text-gray-600 text-sm mt-1">
+					{staffRoster.length} person{staffRoster.length !== 1 ? "s" : ""} derived from agenda —{" "}
+					{eventData.name}
+				</p>
+			</div>
+
+			{staffRoster.length === 0 ? (
+				<div className="bg-white rounded-lg shadow-sm border p-12 text-center text-gray-500">
+					<div className="text-6xl mb-4">👥</div>
+					<p className="font-medium text-lg mb-2">No staff found</p>
+					<p className="text-sm">Add agenda slots with a Person in Charge to populate this list.</p>
+				</div>
+			) : (
+				<div className="grid grid-cols-1 md:grid-cols-2 xl:grid-cols-3 gap-4">
+					{staffRoster.map((member) => {
+						const hue = stringToHue(member.name);
+						return (
+							<div
+								key={member.name}
+								className="bg-white rounded-lg shadow-sm border overflow-hidden"
+							>
+								{/* Color strip */}
+								<div className="h-2" style={{ backgroundColor: `hsl(${hue}, 60%, 55%)` }} />
+								<div className="p-4">
+									<div className="flex items-center justify-between mb-3">
+										<div className="flex items-center gap-3">
+											<div
+												className="w-10 h-10 rounded-full flex items-center justify-center text-white font-bold text-base flex-shrink-0"
+												style={{ backgroundColor: `hsl(${hue}, 55%, 50%)` }}
+											>
+												{member.name.charAt(0).toUpperCase()}
+											</div>
+											<div>
+												<p className="font-semibold text-sm">{member.name}</p>
+												<p className="text-xs text-gray-500">
+													{member.activities.length} activit
+													{member.activities.length !== 1 ? "ies" : "y"}
+												</p>
+											</div>
+										</div>
+									</div>
+
+									<ul className="space-y-2">
+										{member.activities
+											.sort((a, b) => new Date(a.start).getTime() - new Date(b.start).getTime())
+											.map((act, i) => (
+												<li key={i} className="flex items-start gap-2 text-xs">
+													<span className="font-mono text-gray-400 flex-shrink-0 pt-0.5">
+														{formatTime(act.start)}–{formatTime(act.end)}
+													</span>
+													<span className="text-gray-700">{act.activity}</span>
+												</li>
+											))}
+									</ul>
+								</div>
+							</div>
+						);
+					})}
+				</div>
+			)}
+		</div>
+	);
+}
diff --git a/bun.lock b/bun.lock
index 469d27a..3c5725c 100644
--- a/bun.lock
+++ b/bun.lock
@@ -1,5 +1,6 @@
 {
   "lockfileVersion": 1,
+  "configVersion": 0,
   "workspaces": {
     "": {
       "name": "eventer",
@@ -51,6 +52,8 @@
       "version": "0.1.0",
       "dependencies": {
         "@elysiajs/eden": "^1.3.2",
+        "@supabase/ssr": "^0.8.0",
+        "@supabase/supabase-js": "^2.97.0",
         "@t3-oss/env-nextjs": "^0.13.7",
         "@tailwindcss/postcss": "^4.1.11",
         "@tanstack/react-query": "^5.83.0",
@@ -604,6 +607,8 @@
 
     "@supabase/realtime-js": ["@supabase/realtime-js@2.11.15", "", { "dependencies": { "@supabase/node-fetch": "^2.6.13", "@types/phoenix": "^1.6.6", "@types/ws": "^8.18.1", "isows": "^1.0.7", "ws": "^8.18.2" } }, "sha512-HQKRnwAqdVqJW/P9TjKVK+/ETpW4yQ8tyDPPtRMKOH4Uh3vQD74vmj353CYs8+YwVBKubeUOOEpI9CT8mT4obw=="],
 
+    "@supabase/ssr": ["@supabase/ssr@0.8.0", "", { "dependencies": { "cookie": "^1.0.2" }, "peerDependencies": { "@supabase/supabase-js": "^2.76.1" } }, "sha512-/PKk8kNFSs8QvvJ2vOww1mF5/c5W8y42duYtXvkOSe+yZKRgTTZywYG2l41pjhNomqESZCpZtXuWmYjFRMV+dw=="],
+
     "@supabase/storage-js": ["@supabase/storage-js@2.7.1", "", { "dependencies": { "@supabase/node-fetch": "^2.6.14" } }, "sha512-asYHcyDR1fKqrMpytAS1zjyEfvxuOIp1CIXX7ji4lHHcJKqyk+sLl/Vxgm4sN6u8zvuUtae9e4kDxQP2qrwWBA=="],
 
     "@supabase/supabase-js": ["@supabase/supabase-js@2.52.1", "", { "dependencies": { "@supabase/auth-js": "2.71.1", "@supabase/functions-js": "2.4.5", "@supabase/node-fetch": "2.6.15", "@supabase/postgrest-js": "1.19.4", "@supabase/realtime-js": "2.11.15", "@supabase/storage-js": "2.7.1" } }, "sha512-IxYljprgl381j4SuFrW4JimjTb59WJ98DqxhMvEOJjpGJWuZ7kwttIWn7E4NBnvkYwZ948zJkJ7dSI6B0oO0Xw=="],
@@ -874,7 +879,7 @@
 
     "buffer-from": ["buffer-from@1.1.2", "", {}, "sha512-E+XQCRwSbaaiChtv6k6Dwgc+bx+Bs6vuKJHHl5kox/BaKbhiXzqQOwK4cO22yElGp2OCmjwVhT3HmxgyPGnJfQ=="],
 
-    "bun-types": ["bun-types@1.2.19", "", { "dependencies": { "@types/node": "*" }, "peerDependencies": { "@types/react": "^19" } }, "sha512-uAOTaZSPuYsWIXRpj7o56Let0g/wjihKCkeRqUBhlLVM/Bt+Fj9xTo+LhC1OV1XDaGkz4hNC80et5xgy+9KTHQ=="],
+    "bun-types": ["bun-types@1.3.9", "", { "dependencies": { "@types/node": "*" } }, "sha512-+UBWWOakIP4Tswh0Bt0QD0alpTY8cb5hvgiYeWCMet9YukHbzuruIEeXC2D7nMJPB12kbh8C7XJykSexEqGKJg=="],
 
     "cac": ["cac@6.7.14", "", {}, "sha512-b6Ilus+c3RrdDk+JhLKUAQfzzgLEPy6wcXqS7f/xe1EETvsDP6GORG7SFuOs6cID5YkqchW/LXZbX5bc8j7ZcQ=="],
 
@@ -1296,6 +1301,8 @@
 
     "husky": ["husky@9.1.7", "", { "bin": { "husky": "bin.js" } }, "sha512-5gs5ytaNjBrh5Ow3zrvdUUY+0VxIuWVL4i9irt6friV+BqdCfmV11CQTWMiBYWHbXhco+J1kHfTOUkePhCDvMA=="],
 
+    "iceberg-js": ["iceberg-js@0.8.1", "", {}, "sha512-1dhVQZXhcHje7798IVM+xoo/1ZdVfzOMIc8/rgVSijRK38EDqOJoGula9N/8ZI5RD8QTxNQtK/Gozpr+qUqRRA=="],
+
     "iconv-lite": ["iconv-lite@0.6.3", "", { "dependencies": { "safer-buffer": ">= 2.1.2 < 3.0.0" } }, "sha512-4fCk79wshMdzMp2rH06qWrJE4iolqLhCUH+OiuIgU++RB0+94NlDL81atO7GX55uUKueo0txHNtvEyI6D7WdMw=="],
 
     "ieee754": ["ieee754@1.2.1", "", {}, "sha512-dcyqhDvX1C46lXZcVqCpK+FtMRQVdIMN6/Df5js2zouUsqG7I6sFxitIC+7KYK29KdXOLHdu9zL4sFnoVQnqaA=="],
@@ -2168,6 +2175,8 @@
 
     "@eslint/eslintrc/globals": ["globals@14.0.0", "", {}, "sha512-oahGvuMGQlPw/ivIYBjVSrWAfWLBeku5tpPE2fOPLi+WHffIWbuh2tCjhyQhTBPMf5E9jDEH4FOmTYgYwbKwtQ=="],
 
+    "@eventer/backend/@supabase/supabase-js": ["@supabase/supabase-js@2.97.0", "", { "dependencies": { "@supabase/auth-js": "2.97.0", "@supabase/functions-js": "2.97.0", "@supabase/postgrest-js": "2.97.0", "@supabase/realtime-js": "2.97.0", "@supabase/storage-js": "2.97.0" } }, "sha512-kTD91rZNO4LvRUHv4x3/4hNmsEd2ofkYhuba2VMUPRVef1RCmnHtm7rIws38Fg0yQnOSZOplQzafn0GSiy6GVg=="],
+
     "@eventer/backend/typescript": ["typescript@5.8.3", "", { "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" } }, "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ=="],
 
     "@eventer/backend/vitest": ["vitest@3.2.4", "", { "dependencies": { "@types/chai": "^5.2.2", "@vitest/expect": "3.2.4", "@vitest/mocker": "3.2.4", "@vitest/pretty-format": "^3.2.4", "@vitest/runner": "3.2.4", "@vitest/snapshot": "3.2.4", "@vitest/spy": "3.2.4", "@vitest/utils": "3.2.4", "chai": "^5.2.0", "debug": "^4.4.1", "expect-type": "^1.2.1", "magic-string": "^0.30.17", "pathe": "^2.0.3", "picomatch": "^4.0.2", "std-env": "^3.9.0", "tinybench": "^2.9.0", "tinyexec": "^0.3.2", "tinyglobby": "^0.2.14", "tinypool": "^1.1.1", "tinyrainbow": "^2.0.0", "vite": "^5.0.0 || ^6.0.0 || ^7.0.0-0", "vite-node": "3.2.4", "why-is-node-running": "^2.3.0" }, "peerDependencies": { "@edge-runtime/vm": "*", "@types/debug": "^4.1.12", "@types/node": "^18.0.0 || ^20.0.0 || >=22.0.0", "@vitest/browser": "3.2.4", "@vitest/ui": "3.2.4", "happy-dom": "*", "jsdom": "*" }, "optionalPeers": ["@edge-runtime/vm", "@types/debug", "@types/node", "@vitest/browser", "@vitest/ui", "happy-dom", "jsdom"], "bin": { "vitest": "vitest.mjs" } }, "sha512-LUCP5ev3GURDysTWiP47wRRUpLKMOfPh+yKTx3kVIEiu5KOMeqzpnYNsKyOoVrULivR8tLcks4+lga33Whn90A=="],
@@ -2410,6 +2419,8 @@
 
     "vitest/vite": ["vite@5.4.19", "", { "dependencies": { "esbuild": "^0.21.3", "postcss": "^8.4.43", "rollup": "^4.20.0" }, "optionalDependencies": { "fsevents": "~2.3.3" }, "peerDependencies": { "@types/node": "^18.0.0 || >=20.0.0", "less": "*", "lightningcss": "^1.21.0", "sass": "*", "sass-embedded": "*", "stylus": "*", "sugarss": "*", "terser": "^5.4.0" }, "optionalPeers": ["@types/node", "less", "lightningcss", "sass", "sass-embedded", "stylus", "sugarss", "terser"], "bin": { "vite": "bin/vite.js" } }, "sha512-qO3aKv3HoQC8QKiNSTuUM1l9o/XX3+c+VTgLHbJWHZGeTPVAg2XwazI9UWzoxjIJCGCV2zU60uqMzjeLZuULqA=="],
 
+    "web/@supabase/supabase-js": ["@supabase/supabase-js@2.97.0", "", { "dependencies": { "@supabase/auth-js": "2.97.0", "@supabase/functions-js": "2.97.0", "@supabase/postgrest-js": "2.97.0", "@supabase/realtime-js": "2.97.0", "@supabase/storage-js": "2.97.0" } }, "sha512-kTD91rZNO4LvRUHv4x3/4hNmsEd2ofkYhuba2VMUPRVef1RCmnHtm7rIws38Fg0yQnOSZOplQzafn0GSiy6GVg=="],
+
     "web/dotenv": ["dotenv@17.2.1", "", {}, "sha512-kQhDYKZecqnM0fCnzI5eIv5L4cAe/iRI+HqMbO/hbRdTAeXDG+M9FjipUxNfbARuEg4iHIbhnhs78BCHNbSxEQ=="],
 
     "wrangler/esbuild": ["esbuild@0.25.4", "", { "optionalDependencies": { "@esbuild/aix-ppc64": "0.25.4", "@esbuild/android-arm": "0.25.4", "@esbuild/android-arm64": "0.25.4", "@esbuild/android-x64": "0.25.4", "@esbuild/darwin-arm64": "0.25.4", "@esbuild/darwin-x64": "0.25.4", "@esbuild/freebsd-arm64": "0.25.4", "@esbuild/freebsd-x64": "0.25.4", "@esbuild/linux-arm": "0.25.4", "@esbuild/linux-arm64": "0.25.4", "@esbuild/linux-ia32": "0.25.4", "@esbuild/linux-loong64": "0.25.4", "@esbuild/linux-mips64el": "0.25.4", "@esbuild/linux-ppc64": "0.25.4", "@esbuild/linux-riscv64": "0.25.4", "@esbuild/linux-s390x": "0.25.4", "@esbuild/linux-x64": "0.25.4", "@esbuild/netbsd-arm64": "0.25.4", "@esbuild/netbsd-x64": "0.25.4", "@esbuild/openbsd-arm64": "0.25.4", "@esbuild/openbsd-x64": "0.25.4", "@esbuild/sunos-x64": "0.25.4", "@esbuild/win32-arm64": "0.25.4", "@esbuild/win32-ia32": "0.25.4", "@esbuild/win32-x64": "0.25.4" }, "bin": { "esbuild": "bin/esbuild" } }, "sha512-8pgjLUcUjcgDg+2Q4NYXnPbo/vncAY4UmyaCm0jZevERqCHZIaWwdJHkf8XQtu4AxSKCdvrUbT0XUr1IdZzI8Q=="],
@@ -2468,6 +2479,16 @@
 
     "@esbuild-kit/core-utils/esbuild/@esbuild/win32-x64": ["@esbuild/win32-x64@0.18.20", "", { "os": "win32", "cpu": "x64" }, "sha512-kTdfRcSiDfQca/y9QIkng02avJ+NCaQvrMejlsB3RRv5sE9rRoeBPISaZpKxHELzRxZyLvNts1P27W3wV+8geQ=="],
 
+    "@eventer/backend/@supabase/supabase-js/@supabase/auth-js": ["@supabase/auth-js@2.97.0", "", { "dependencies": { "tslib": "2.8.1" } }, "sha512-2Og/1lqp+AIavr8qS2X04aSl8RBY06y4LrtIAGxat06XoXYiDxKNQMQzWDAKm1EyZFZVRNH48DO5YvIZ7la5fQ=="],
+
+    "@eventer/backend/@supabase/supabase-js/@supabase/functions-js": ["@supabase/functions-js@2.97.0", "", { "dependencies": { "tslib": "2.8.1" } }, "sha512-fSaA0ZeBUS9hMgpGZt5shIZvfs3Mvx2ZdajQT4kv/whubqDBAp3GU5W8iIXy21MRvKmO2NpAj8/Q6y+ZkZyF/w=="],
+
+    "@eventer/backend/@supabase/supabase-js/@supabase/postgrest-js": ["@supabase/postgrest-js@2.97.0", "", { "dependencies": { "tslib": "2.8.1" } }, "sha512-g4Ps0eaxZZurvfv/KGoo2XPZNpyNtjth9aW8eho9LZWM0bUuBtxPZw3ZQ6ERSpEGogshR+XNgwlSPIwcuHCNww=="],
+
+    "@eventer/backend/@supabase/supabase-js/@supabase/realtime-js": ["@supabase/realtime-js@2.97.0", "", { "dependencies": { "@types/phoenix": "^1.6.6", "@types/ws": "^8.18.1", "tslib": "2.8.1", "ws": "^8.18.2" } }, "sha512-37Jw0NLaFP0CZd7qCan97D1zWutPrTSpgWxAw6Yok59JZoxp4IIKMrPeftJ3LZHmf+ILQOPy3i0pRDHM9FY36Q=="],
+
+    "@eventer/backend/@supabase/supabase-js/@supabase/storage-js": ["@supabase/storage-js@2.97.0", "", { "dependencies": { "iceberg-js": "^0.8.1", "tslib": "2.8.1" } }, "sha512-9f6NniSBfuMxOWKwEFb+RjJzkfMdJUwv9oHuFJKfe/5VJR8cd90qw68m6Hn0ImGtwG37TUO+QHtoOechxRJ1Yg=="],
+
     "@eventer/backend/vitest/@vitest/expect": ["@vitest/expect@3.2.4", "", { "dependencies": { "@types/chai": "^5.2.2", "@vitest/spy": "3.2.4", "@vitest/utils": "3.2.4", "chai": "^5.2.0", "tinyrainbow": "^2.0.0" } }, "sha512-Io0yyORnB6sikFlt8QW5K7slY4OjqNX9jmJQ02QDda8lyM6B5oNgVWoSoKPac8/kgnCUzuHQKrSLtu/uOqqrig=="],
 
     "@eventer/backend/vitest/@vitest/runner": ["@vitest/runner@3.2.4", "", { "dependencies": { "@vitest/utils": "3.2.4", "pathe": "^2.0.3", "strip-literal": "^3.0.0" } }, "sha512-oukfKT9Mk41LreEW09vt45f8wx7DordoWUZMYdY/cyAk7w5TWkTRCNZYF7sX7n2wB7jyGAl74OxgwhPgKaqDMQ=="],
@@ -2654,6 +2675,16 @@
 
     "vitest/vite/esbuild": ["esbuild@0.21.5", "", { "optionalDependencies": { "@esbuild/aix-ppc64": "0.21.5", "@esbuild/android-arm": "0.21.5", "@esbuild/android-arm64": "0.21.5", "@esbuild/android-x64": "0.21.5", "@esbuild/darwin-arm64": "0.21.5", "@esbuild/darwin-x64": "0.21.5", "@esbuild/freebsd-arm64": "0.21.5", "@esbuild/freebsd-x64": "0.21.5", "@esbuild/linux-arm": "0.21.5", "@esbuild/linux-arm64": "0.21.5", "@esbuild/linux-ia32": "0.21.5", "@esbuild/linux-loong64": "0.21.5", "@esbuild/linux-mips64el": "0.21.5", "@esbuild/linux-ppc64": "0.21.5", "@esbuild/linux-riscv64": "0.21.5", "@esbuild/linux-s390x": "0.21.5", "@esbuild/linux-x64": "0.21.5", "@esbuild/netbsd-x64": "0.21.5", "@esbuild/openbsd-x64": "0.21.5", "@esbuild/sunos-x64": "0.21.5", "@esbuild/win32-arm64": "0.21.5", "@esbuild/win32-ia32": "0.21.5", "@esbuild/win32-x64": "0.21.5" }, "bin": { "esbuild": "bin/esbuild" } }, "sha512-mg3OPMV4hXywwpoDxu3Qda5xCKQi+vCTZq8S9J/EpkhB2HzKXq4SNFZE3+NK93JYxc8VMSep+lOUSC/RVKaBqw=="],
 
+    "web/@supabase/supabase-js/@supabase/auth-js": ["@supabase/auth-js@2.97.0", "", { "dependencies": { "tslib": "2.8.1" } }, "sha512-2Og/1lqp+AIavr8qS2X04aSl8RBY06y4LrtIAGxat06XoXYiDxKNQMQzWDAKm1EyZFZVRNH48DO5YvIZ7la5fQ=="],
+
+    "web/@supabase/supabase-js/@supabase/functions-js": ["@supabase/functions-js@2.97.0", "", { "dependencies": { "tslib": "2.8.1" } }, "sha512-fSaA0ZeBUS9hMgpGZt5shIZvfs3Mvx2ZdajQT4kv/whubqDBAp3GU5W8iIXy21MRvKmO2NpAj8/Q6y+ZkZyF/w=="],
+
+    "web/@supabase/supabase-js/@supabase/postgrest-js": ["@supabase/postgrest-js@2.97.0", "", { "dependencies": { "tslib": "2.8.1" } }, "sha512-g4Ps0eaxZZurvfv/KGoo2XPZNpyNtjth9aW8eho9LZWM0bUuBtxPZw3ZQ6ERSpEGogshR+XNgwlSPIwcuHCNww=="],
+
+    "web/@supabase/supabase-js/@supabase/realtime-js": ["@supabase/realtime-js@2.97.0", "", { "dependencies": { "@types/phoenix": "^1.6.6", "@types/ws": "^8.18.1", "tslib": "2.8.1", "ws": "^8.18.2" } }, "sha512-37Jw0NLaFP0CZd7qCan97D1zWutPrTSpgWxAw6Yok59JZoxp4IIKMrPeftJ3LZHmf+ILQOPy3i0pRDHM9FY36Q=="],
+
+    "web/@supabase/supabase-js/@supabase/storage-js": ["@supabase/storage-js@2.97.0", "", { "dependencies": { "iceberg-js": "^0.8.1", "tslib": "2.8.1" } }, "sha512-9f6NniSBfuMxOWKwEFb+RjJzkfMdJUwv9oHuFJKfe/5VJR8cd90qw68m6Hn0ImGtwG37TUO+QHtoOechxRJ1Yg=="],
+
     "wrangler/esbuild/@esbuild/aix-ppc64": ["@esbuild/aix-ppc64@0.25.4", "", { "os": "aix", "cpu": "ppc64" }, "sha512-1VCICWypeQKhVbE9oW/sJaAmjLxhVqacdkvPLEjwlttjfwENRSClS8EjBz0KzRyFSCPDIkuXW34Je/vk7zdB7Q=="],
 
     "wrangler/esbuild/@esbuild/android-arm": ["@esbuild/android-arm@0.25.4", "", { "os": "android", "cpu": "arm" }, "sha512-QNdQEps7DfFwE3hXiU4BZeOV68HHzYwGd0Nthhd3uCkkEKK7/R6MTgM0P7H7FAs5pU/DIWsviMmEGxEoxIZ+ZQ=="],
diff --git a/turbo.json b/turbo.json
index d12a460..7837deb 100644
--- a/turbo.json
+++ b/turbo.json
@@ -5,7 +5,7 @@
 		"build": {
 			"dependsOn": ["^build"],
 			"inputs": ["$TURBO_DEFAULT$", ".env*"],
-			"outputs": [".next/**", "!.next/cache/**"]
+			"outputs": [".next/**", "!.next/cache/**", "dist/**"]
 		},
 		"lint": {
 			"dependsOn": ["^lint"]
diff --git a/vercel.json b/vercel.json
new file mode 100644
index 0000000..43fda22
--- /dev/null
+++ b/vercel.json
@@ -0,0 +1,8 @@
+{
+	"$schema": "https://openapi.vercel.sh/vercel.json",
+	"buildCommand": "bun install && bun run build --filter=web",
+	"devCommand": "bun run dev --filter=web",
+	"installCommand": "bun install",
+	"framework": "nextjs",
+	"outputDirectory": "apps/web/.next"
+}