Merge branch 'main' into feature/335_csv_import_ui

2026-01-23 10:33:56 +01:00 · 2026-01-23 10:33:56 +01:00 · 465fe5a5b1
commit 465fe5a5b1
parent a15ff055cc c98ad4085a
80 changed files with 4742 additions and 6541 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -8,6 +8,27 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 ### Added
 - **Roles and Permissions System (RBAC)** - Complete implementation (#345, 2026-01-08)
  - Four hardcoded permission sets: `own_data`, `read_only`, `normal_user`, `admin`
  - Database-backed roles with permission set references
  - Member resource policies with scope filtering (`:own`, `:linked`, `:all`)
  - Authorization checks via `Mv.Authorization.Checks.HasPermission`
  - System role protection (critical roles cannot be deleted)
  - Role management UI at `/admin/roles`
 - **Membership Fees System** - Full implementation
  - Membership fee types with intervals (monthly, quarterly, half_yearly, yearly)
  - Individual billing cycles per member with payment status tracking
  - Cycle generation and regeneration
  - Global membership fee settings
  - UI components for fee management
 - **Global Settings Management** - Singleton settings resource
  - Club name configuration (with environment variable support)
  - Member field visibility settings
  - Membership fee default settings
 - **Sidebar Navigation** - Replaced navbar with standard-compliant sidebar (#260, 2026-01-12)
 - **CSV Import Templates** - German and English templates (#329, 2026-01-13)
  - Template files in `priv/static/templates/`
  - CSV specification documented
 - User-Member linking with fuzzy search autocomplete (#168)
 - PostgreSQL trigram-based member search with typo tolerance
 - WCAG 2.1 AA compliant autocomplete dropdown with ARIA support
@ -19,8 +40,22 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
  - German/English translations
 - Docker secrets support via `_FILE` environment variables for all sensitive configuration (SECRET_KEY_BASE, TOKEN_SIGNING_SECRET, OIDC_CLIENT_SECRET, DATABASE_URL, DATABASE_PASSWORD)
 ### Changed
 - **Actor Handling Refactoring** (2026-01-09)
  - Standardized actor access with `current_actor/1` helper function
  - `ash_actor_opts/1` helper for consistent authorization options
  - `submit_form/3` wrapper for form submissions with actor
  - All Ash operations now properly pass `actor` parameter
 - **Error Handling Improvements** (2026-01-13)
  - Replaced `Ash.read!` with proper error handling in LiveViews
  - Consistent flash message handling for authorization errors
  - Early return patterns for unauthenticated users
 ### Fixed
 - Email validation false positive when linking user and member with identical emails (#168 Problem #4)
 - Relationship data extraction from Ash manage_relationship during validation
 - Copy button count now shows only visible selected members when filtering
 - Language headers in German `.po` files (corrected from "en" to "de")
 - Critical deny-filter bug in authorization system (2026-01-08)
 - HasPermission auto_filter and strict_check implementation (2026-01-08)
--- a/CODE_GUIDELINES.md
+++ b/CODE_GUIDELINES.md
@ -83,7 +83,18 @@ lib/
 │   ├── member.ex          # Member resource
 │   ├── custom_field_value.ex        # Custom field value resource
 │   ├── custom_field.ex   # CustomFieldValue type resource
 │   ├── setting.ex         # Global settings (singleton resource)
 │   └── email.ex           # Email custom type
 ├── membership_fees/        # MembershipFees domain
 │   ├── membership_fees.ex # Domain definition
 │   ├── membership_fee_type.ex    # Membership fee type resource
 │   ├── membership_fee_cycle.ex   # Membership fee cycle resource
 │   └── changes/           # Ash changes for membership fees
 ├── mv/authorization/       # Authorization domain
 │   ├── authorization.ex   # Domain definition
 │   ├── role.ex            # Role resource
 │   ├── permission_sets.ex # Hardcoded permission sets
 │   └── checks/            # Authorization checks
 ├── mv/                    # Core application modules
 │   ├── accounts/          # Domain-specific logic
 │   │   └── user/
@ -96,6 +107,11 @@ lib/
 │   ├── membership/        # Domain-specific logic
 │   │   └── member/
 │   │       └── validations/
 │   ├── membership_fees/   # Membership fee business logic
 │   │   ├── cycle_generator.ex  # Cycle generation algorithm
 │   │   └── calendar_cycles.ex  # Calendar cycle calculations
 │   ├── helpers.ex         # Shared helper functions (ash_actor_opts)
 │   ├── constants.ex       # Application constants (member_fields, custom_field_prefix)
 │   ├── application.ex     # OTP application
 │   ├── mailer.ex          # Email mailer
 │   ├── release.ex         # Release tasks
@ -107,7 +123,7 @@ lib/
 │   │   ├── table_components.ex
 │   │   ├── layouts.ex
 │   │   └── layouts/       # Layout templates
-│   │       ├── navbar.ex
+│   │       ├── sidebar.ex
 │   │       └── root.html.heex
 │   ├── controllers/       # HTTP controllers
 │   │   ├── auth_controller.ex
@ -116,6 +132,11 @@ lib/
 │   │   ├── error_html.ex
 │   │   ├── error_json.ex
 │   │   └── page_html/
 │   ├── helpers/           # Web layer helper modules
 │   │   ├── member_helpers.ex        # Member display utilities
 │   │   ├── membership_fee_helpers.ex # Membership fee formatting
 │   │   ├── date_formatter.ex        # Date formatting utilities
 │   │   └── field_type_formatter.ex   # Field type display formatting
 │   ├── live/              # LiveView modules
 │   │   ├── components/    # LiveView-specific components
 │   │   │   ├── search_bar_component.ex
@ -123,11 +144,16 @@ lib/
 │   │   ├── member_live/   # Member CRUD LiveViews
 │   │   ├── custom_field_value_live/ # CustomFieldValue CRUD LiveViews
 │   │   ├── custom_field_live/
-│   │   └── user_live/     # User management LiveViews
+│   │   ├── user_live/     # User management LiveViews
 │   │   ├── role_live/     # Role management LiveViews
 │   │   ├── membership_fee_type_live/ # Membership fee type LiveViews
 │   │   ├── membership_fee_settings_live.ex # Membership fee settings
 │   │   ├── global_settings_live.ex # Global settings
 │   │   └── contribution_type_live/ # Contribution types (mock-up)
 │   ├── auth_overrides.ex  # AshAuthentication overrides
 │   ├── endpoint.ex        # Phoenix endpoint
 │   ├── gettext.ex         # I18n configuration
-│   ├── live_helpers.ex    # LiveView helpers
+│   ├── live_helpers.ex    # LiveView lifecycle hooks and helpers
 │   ├── live_user_auth.ex  # LiveView authentication
 │   ├── router.ex          # Application router
 │   └── telemetry.ex       # Telemetry configuration
@ -176,7 +202,7 @@ test/
 **Module Naming:**
 - **Modules:** Use `PascalCase` with full namespace (e.g., `Mv.Accounts.User`)
- **Domains:** Top-level domains are `Mv.Accounts` and `Mv.Membership`
+- **Domains:** Top-level domains are `Mv.Accounts`, `Mv.Membership`, `Mv.MembershipFees`, and `Mv.Authorization`
 - **Resources:** Resource modules should be singular nouns (e.g., `Member`, not `Members`)
 - **Context functions:** Use `snake_case` and verb-first naming (e.g., `create_user`, `list_members`)
@ -615,7 +641,92 @@ def card(assigns) do
 end
 ```
-### 3.3 Ash Framework
+### 3.3 System Actor Pattern
 **When to Use System Actor:**
 Some operations must always run regardless of user permissions. These are **systemic operations** that are mandatory side effects:
 - **Email synchronization** (Member ↔ User)
 - **Email uniqueness validation** (data integrity requirement)
 - **Cycle generation** (if defined as mandatory side effect)
 - **Background jobs**
 - **Seeds**
 **Implementation:**
 Use `Mv.Helpers.SystemActor.get_system_actor/0` for all systemic operations:
 ```elixir
 # Good - Email sync uses system actor
 def get_linked_member(user) do
  system_actor = SystemActor.get_system_actor()
  opts = Helpers.ash_actor_opts(system_actor)
  case Ash.get(Mv.Membership.Member, id, opts) do
    {:ok, member} -> member
    {:error, _} -> nil
  end
 end
 # Bad - Using user actor for systemic operation
 def get_linked_member(user, actor) do
  opts = Helpers.ash_actor_opts(actor)  # May fail if user lacks permissions!
  # ...
 end
 ```
 **System Actor Details:**
 - System actor is a user with admin role (email: "system@mila.local")
 - Cached in Agent for performance
 - Falls back to admin user from seeds if system user doesn't exist
 - Should NEVER be used for user-initiated actions (only systemic operations)
 **User Mode vs System Mode:**
 - **User Mode**: User-initiated actions use the actual user actor, policies are enforced
 - **System Mode**: Systemic operations use system actor, bypass user permissions
 **Authorization Bootstrap Patterns:**
 Three mechanisms exist for bypassing standard authorization:
 1. **NoActor** (test only) - Allows operations without actor in test environment
   ```elixir
   # Automatically enabled in tests via config/test.exs
   # Policies use: bypass action_type(...) do authorize_if NoActor end
   member = create_member(%{name: "Test"})  # Works in tests
   ```
 2. **system_actor** (systemic operations) - Admin user for operations that must always succeed
   ```elixir
   # Good: Systemic operation
   system_actor = SystemActor.get_system_actor()
   Ash.read(Member, actor: system_actor)
   # Bad: User-initiated action
   # Never use system_actor for user-initiated actions!
   ```
 3. **authorize?: false** (bootstrap only) - Skips policies for circular dependencies
   ```elixir
   # Good: Bootstrap (seeds, SystemActor loading)
   Accounts.create_user!(%{email: admin_email}, authorize?: false)
   # Bad: User-initiated action
   Ash.destroy(member, authorize?: false)  # Never do this!
   ```
 **Decision Guide:**
 - Use **NoActor** for test fixtures (automatic via config)
 - Use **system_actor** for email sync, cycle generation, validations
 - Use **authorize?: false** only for bootstrap (seeds, circular dependencies)
 - Always document why `authorize?: false` is necessary
 **See also:** `docs/roles-and-permissions-architecture.md` (Authorization Bootstrap Patterns section)
 ### 3.4 Ash Framework
 **Resource Definition Best Practices:**
@ -818,14 +929,17 @@ end
 ```heex
 <!-- Leverage DaisyUI component classes -->
-<div class="navbar bg-base-100">
+<!-- Note: Navbar has been replaced with Sidebar (see lib/mv_web/components/layouts/sidebar.ex) -->
-  <div class="navbar-start">
+<div class="drawer lg:drawer-open">
-    <a class="btn btn-ghost text-xl">Mila</a>
+  <input id="drawer-toggle" type="checkbox" class="drawer-toggle" />
  <div class="drawer-content">
    <!-- Page content -->
  </div>
-  <div class="navbar-end">
+  <div class="drawer-side">
-    <.link navigate={~p"/members"} class="btn btn-primary">
+    <label for="drawer-toggle" class="drawer-overlay"></label>
-      Members
+    <aside class="w-64 min-h-full bg-base-200">
-    </.link>
+      <!-- Sidebar content -->
    </aside>
  </div>
 </div>
 ```
@ -1535,17 +1649,119 @@ policies do
    authorize_if always()
  end
-  # Specific permissions
+  # Use HasPermission check for role-based authorization
-  policy action_type([:read, :update]) do
+  policy action_type([:read, :update, :create, :destroy]) do
-    authorize_if relates_to_actor_via(:user)
+    authorize_if Mv.Authorization.Checks.HasPermission
  end
  policy action_type(:destroy) do
    authorize_if actor_attribute_equals(:role, :admin)
  end
 end
 ```
 **Actor Handling in LiveViews:**
 Always use the `current_actor/1` helper for consistent actor access:
 ```elixir
 # In LiveView modules
 import MvWeb.LiveHelpers, only: [current_actor: 1, ash_actor_opts: 1, submit_form: 3]
 def mount(_params, _session, socket) do
  actor = current_actor(socket)
  case Ash.read(Mv.Membership.Member, ash_actor_opts(actor)) do
    {:ok, members} ->
      {:ok, assign(socket, :members, members)}
    {:error, error} ->
      {:ok, put_flash(socket, :error, "Failed to load members")}
  end
 end
 def handle_event("save", %{"member" => params}, socket) do
  actor = current_actor(socket)
  form = AshPhoenix.Form.for_create(Mv.Membership.Member, :create)
  case submit_form(form, params, actor) do
    {:ok, member} ->
      {:noreply, push_navigate(socket, to: ~p"/members/#{member.id}")}
    {:error, form} ->
      {:noreply, assign(socket, :form, form)}
  end
 end
 ```
 **Never use bang calls (`Ash.read!`, `Ash.get!`) without error handling:**
 ```elixir
 # Bad - will crash on authorization errors
 members = Ash.read!(Mv.Membership.Member, actor: actor)
 # Good - proper error handling
 case Ash.read(Mv.Membership.Member, actor: actor) do
  {:ok, members} -> # success
  {:error, %Ash.Error.Forbidden{}} -> # handle authorization error
  {:error, error} -> # handle other errors
 end
 ```
 ### 5.1a NoActor Pattern - Test Environment Only
 **IMPORTANT:** The `Mv.Authorization.Checks.NoActor` check is **ONLY for test environment**. It must NEVER be used in production.
 **What NoActor Does:**
 - Allows CRUD operations without an actor in **test environment only**
 - Denies all operations without an actor in **production/dev** (fail-closed)
 - Uses compile-time config check to prevent accidental production use (release-safe)
 **Security Guards:**
 ```elixir
 # config/test.exs
 config :mv, :allow_no_actor_bypass, true
 # lib/mv/authorization/checks/no_actor.ex
 # Compile-time check from config (release-safe, no Mix.env)
@allow_no_actor_bypass Application.compile_env(:mv, :allow_no_actor_bypass, false)
 # Uses compile-time flag only (no runtime Mix.env needed)
 def match?(nil, _context, _opts) do
  @allow_no_actor_bypass  # true in test, false in prod/dev
 end
 ```
 **Why This Pattern Exists:**
 - Test fixtures often need to create resources without an actor
 - Production operations MUST always have an actor for security
 - Config-based guard (not Mix.env) ensures release-safety
 - Defaults to `false` (fail-closed) if config not set
 **NEVER Use NoActor in Production:**
 ```elixir
 # ❌ BAD - Don't do this in production code
 Ash.create!(Member, attrs)  # No actor - will fail in prod
 # ✅ GOOD - Use admin actor for system operations
 admin_user = get_admin_user()
 Ash.create!(Member, attrs, actor: admin_user)
 ```
 **Alternative: System Actor Pattern**
 For production system operations, use the System Actor Pattern (see Section 3.3) instead of NoActor:
 ```elixir
 # System operations in production
 system_actor = get_system_actor()
 Ash.create!(Member, attrs, actor: system_actor)
 ```
 **Testing:**
 - NoActor tests verify the compile-time config guard
 - Production safety is guaranteed by config (only set in test.exs, defaults to false)
 - See `test/mv/authorization/checks/no_actor_test.exs`
 ### 5.2 Password Security
 **Use bcrypt for Password Hashing:**
--- a/README.md
+++ b/README.md
@ -40,14 +40,16 @@ Our philosophy: **software should help people spend less time on administration
 ## 🔑 Features
 - ✅ Manage member data with ease  
- 🚧 Overview of membership fees & payment status  
+- ✅ Membership fees & payment status tracking  
- ✅ Full-text search  
+- ✅ Full-text search with fuzzy matching  
- 🚧 Sorting & filtering  
+- ✅ Sorting & filtering  
- 🚧 Roles & permissions (e.g. board, treasurer)  
+- ✅ Roles & permissions (RBAC system with 4 permission sets)  
 - ✅ Custom fields (flexible per club needs)  
 - ✅ SSO via OIDC (works with Authentik, Rauthy, Keycloak, etc.)  
 - ✅ Sidebar navigation (standard-compliant, accessible)  
 - ✅ Global settings management  
 - 🚧 Self-service & online application  
- 🚧 Accessibility, GDPR, usability improvements  
+- ✅ Accessibility improvements (WCAG 2.1 AA compliant keyboard navigation)  
 - 🚧 Email sending  
 ## 🚀 Quick Start (Development)
@ -187,8 +189,9 @@ The `OIDC_REDIRECT_URI` is auto-generated as `https://{DOMAIN}/auth/user/rauthy/
 - **Auth:** AshAuthentication (OIDC + password)
 **Code Structure:**
- `lib/accounts/` & `lib/membership/` — Ash resources and domains
+- `lib/accounts/` & `lib/membership/` & `lib/membership_fees/` & `lib/mv/authorization/` — Ash resources and domains
 - `lib/mv_web/` — Phoenix controllers, LiveViews, components  
 - `lib/mv/` — Shared helpers and business logic
 - `assets/` — Tailwind, JavaScript, static files
 📚 **Full tech stack details:** See [`CODE_GUIDELINES.md`](CODE_GUIDELINES.md)  
--- a/config/test.exs
+++ b/config/test.exs
@ -49,3 +49,7 @@ config :mv, :require_token_presence_for_authentication, false
 # Enable SQL Sandbox for async LiveView tests
 # This flag controls sync vs async behavior in CycleGenerator after_action hooks
 config :mv, :sql_sandbox, true
 # Allow operations without actor in test environment (NoActor check)
 # SECURITY: This must ONLY be true in test.exs, never in prod/dev
 config :mv, :allow_no_actor_bypass, true
--- a/docs/csv-member-import-v1.md
+++ b/docs/csv-member-import-v1.md
@ -1,7 +1,7 @@
 # CSV Member Import v1 - Implementation Plan
 **Version:** 1.0  
-**Date:** 2025-01-XX  
+**Last Updated:** 2026-01-13  
 **Status:** In Progress (Backend Complete, UI Pending)  
 **Related Documents:**
 - [Feature Roadmap](./feature-roadmap.md) - Overall feature planning
@ -733,4 +733,4 @@ end
 ---
-**End of Implementation Plan**
+**End of Implementation Plan**
--- a/docs/database-schema-readme.md
+++ b/docs/database-schema-readme.md
@ -15,10 +15,10 @@ This document provides a comprehensive overview of the Mila Membership Managemen
 | Metric | Count |
 |--------|-------|
-| **Tables** | 5 |
+| **Tables** | 9 |
-| **Domains** | 2 (Accounts, Membership) |
+| **Domains** | 4 (Accounts, Membership, MembershipFees, Authorization) |
-| **Relationships** | 3 |
+| **Relationships** | 7 |
-| **Indexes** | 15+ |
+| **Indexes** | 20+ |
 | **Triggers** | 1 (Full-text search) |
 ## Tables Overview
@ -68,16 +68,39 @@ This document provides a comprehensive overview of the Mila Membership Managemen
  - Immutable and required flags
  - Centralized custom field management
 #### `settings`
 - **Purpose:** Global application settings (singleton resource)
 - **Rows (Estimated):** 1 (singleton pattern)
 - **Key Features:**
  - Club name configuration
  - Member field visibility settings
  - Membership fee default settings
  - Environment variable support for club name
 ### Authorization Domain
 #### `roles`
 - **Purpose:** Role-based access control (RBAC)
 - **Rows (Estimated):** Low (typically 3-10 roles)
 - **Key Features:**
  - Links users to permission sets
  - System role protection
  - Four hardcoded permission sets: own_data, read_only, normal_user, admin
 ## Key Relationships
 ```
 User (0..1) ←→ (0..1) Member
-       ↓
+       ↓              ↓
-    Tokens (N)
+    Tokens (N)    CustomFieldValues (N)
       ↓                    ↓
    Role (N:1)        CustomField (1)
-Member (1) → (N) Properties
+Member (1) → (N) MembershipFeeCycles
                    ↓
-              CustomField (1)
+            MembershipFeeType (1)
 Settings (1) → MembershipFeeType (0..1)
 ```
 ### Relationship Details
@ -89,16 +112,39 @@ Member (1) → (N) Properties
   - Email synchronization when linked (User.email is source of truth)
   - `ON DELETE SET NULL` on user side (User preserved when Member deleted)
-2. **Member → Properties (1:N)**
+2. **User → Role (N:1)**
   - Many users can be assigned to one role
   - `ON DELETE RESTRICT` - cannot delete role if users are assigned
   - Role links user to permission set for authorization
 3. **Member → CustomFieldValues (1:N)**
   - One member, many custom_field_values
   - `ON DELETE CASCADE` - custom_field_values deleted with member
   - Composite unique constraint (member_id, custom_field_id)
-3. **CustomFieldValue → CustomField (N:1)**
+4. **CustomFieldValue → CustomField (N:1)**
-   - Properties reference type definition
+   - Custom field values reference type definition
   - `ON DELETE RESTRICT` - cannot delete type if in use
   - Type defines data structure
 5. **Member → MembershipFeeType (N:1, optional)**
   - Many members can be assigned to one fee type
   - `ON DELETE RESTRICT` - cannot delete fee type if members are assigned
   - Optional relationship (member can have no fee type)
 6. **Member → MembershipFeeCycles (1:N)**
   - One member, many billing cycles
   - `ON DELETE CASCADE` - cycles deleted when member deleted
   - Unique constraint (member_id, cycle_start)
 7. **MembershipFeeCycle → MembershipFeeType (N:1)**
   - Many cycles reference one fee type
   - `ON DELETE RESTRICT` - cannot delete fee type if cycles exist
 8. **Settings → MembershipFeeType (N:1, optional)**
   - Settings can reference a default fee type
   - `ON DELETE SET NULL` - if fee type is deleted, setting is cleared
 ## Important Business Rules
 ### Email Synchronization
@ -141,7 +187,6 @@ Member (1) → (N) Properties
 - `email` (B-tree) - Exact email lookups
 - `last_name` (B-tree) - Name sorting
 - `join_date` (B-tree) - Date filtering
 - `paid` (partial B-tree) - Payment status queries
 **custom_field_values:**
 - `member_id` - Member custom field value lookups
@ -168,14 +213,14 @@ Member (1) → (N) Properties
 ### Weighted Fields
 - **Weight A (highest):** first_name, last_name
 - **Weight B:** email, notes
- **Weight C:** phone_number, city, street, house_number, postal_code, custom_field_values
+- **Weight C:** city, street, house_number, postal_code, custom_field_values
 - **Weight D (lowest):** join_date, exit_date
 ### Custom Field Values in Search
 Custom field values are automatically included in the search vector:
 - All custom field values (string, integer, boolean, date, email) are aggregated and added to the search vector
 - Values are converted to text format for indexing
- Custom field values receive weight 'C' (same as phone_number, city, etc.)
+- Custom field values receive weight 'C' (same as city, etc.)
 - The search vector is automatically updated when custom field values are created, updated, or deleted via database triggers
 ### Usage Example
@ -331,7 +376,7 @@ priv/repo/migrations/
 **High Frequency:**
 - Member search (uses GIN index on search_vector)
- Member list with filters (uses indexes on join_date, paid)
+- Member list with filters (uses indexes on join_date, membership_fee_type_id)
 - User authentication (uses unique index on email/oidc_id)
 - CustomFieldValue lookups by member (uses index on member_id)
@ -350,7 +395,7 @@ priv/repo/migrations/
 1. **Use indexes:** All critical query paths have indexes
 2. **Preload relationships:** Use Ash's `load` to avoid N+1
 3. **Pagination:** Use keyset pagination (configured by default)
-4. **Partial indexes:** `members.paid` index only non-NULL values
+4. **GIN indexes:** Full-text search and fuzzy search on multiple fields
 5. **Search optimization:** Full-text search via tsvector, not LIKE
 ## Visualization
@ -464,7 +509,7 @@ mix run priv/repo/seeds.exs
 ---
-**Last Updated:** 2025-11-13  
+**Last Updated:** 2026-01-13  
-**Schema Version:** 1.1  
+**Schema Version:** 1.4  
 **Database:** PostgreSQL 17.6 (dev) / 16 (prod)
--- a/docs/database_schema.dbml
+++ b/docs/database_schema.dbml
@ -6,8 +6,8 @@
 // - https://dbdocs.io
 // - VS Code Extensions: "DBML Language" or "dbdiagram.io"
 //
-// Version: 1.3
+// Version: 1.4
-// Last Updated: 2025-12-11
+// Last Updated: 2026-01-13
 Project mila_membership_management {
  database_type: 'PostgreSQL'
@ -28,6 +28,7 @@ Project mila_membership_management {
    - **Accounts**: User authentication and session management
    - **Membership**: Club member data and custom fields
    - **MembershipFees**: Membership fee types and billing cycles
    - **Authorization**: Role-based access control (RBAC)
    ## Required PostgreSQL Extensions:
    - uuid-ossp (UUID generation)
@ -120,11 +121,9 @@ Table tokens {
 Table members {
  id uuid [pk, not null, default: `uuid_generate_v7()`, note: 'UUIDv7 primary key (sortable by creation time)']
-  first_name text [not null, note: 'Member first name (min length: 1)']
+  first_name text [null, note: 'Member first name (min length: 1 if present)']
-  last_name text [not null, note: 'Member last name (min length: 1)']
+  last_name text [null, note: 'Member last name (min length: 1 if present)']
  email text [not null, unique, note: 'Member email address (5-254 chars, validated)']
  paid boolean [null, note: 'Payment status flag']
  phone_number text [null, note: 'Contact phone number (format: +?[0-9\- ]{6,20})']
  join_date date [null, note: 'Date when member joined club (cannot be in future)']
  exit_date date [null, note: 'Date when member left club (must be after join_date)']
  notes text [null, note: 'Additional notes about member']
@ -148,7 +147,6 @@ Table members {
    email [name: 'members_email_idx', note: 'B-tree index for exact lookups']
    last_name [name: 'members_last_name_idx', note: 'B-tree index for name sorting']
    join_date [name: 'members_join_date_idx', note: 'B-tree index for date filters']
    (paid) [name: 'members_paid_idx', type: btree, note: 'Partial index WHERE paid IS NOT NULL']
    membership_fee_type_id [name: 'members_membership_fee_type_id_index', note: 'B-tree index for fee type lookups']
  }
@ -157,8 +155,8 @@ Table members {
    Core entity for membership management containing:
    - Personal information (name, email)
-    - Contact details (phone, address)
+    - Contact details (address)
-    - Membership status (join/exit dates, payment status)
+    - Membership status (join/exit dates, membership fee cycles)
    - Additional notes
    **Email Synchronization:**
@ -186,12 +184,11 @@ Table members {
    - 1:N with membership_fee_cycles - billing history
    **Validation Rules:**
-    - first_name, last_name: min 1 character
+    - first_name, last_name: optional, but if present min 1 character
-    - email: 5-254 characters, valid email format
+    - email: 5-254 characters, valid email format (required)
    - join_date: cannot be in future
    - exit_date: must be after join_date (if both present)
-    - phone_number: matches pattern ^\+?[0-9\- ]{6,20}$
+    - postal_code: exactly 5 digits (if present)
    - postal_code: exactly 5 digits
  '''
 }
@ -500,3 +497,138 @@ TableGroup membership_fees_domain {
  '''
 }
 // ============================================
 // AUTHORIZATION DOMAIN
 // ============================================
 Table roles {
  id uuid [pk, not null, default: `uuid_generate_v7()`, note: 'UUIDv7 primary key']
  name text [not null, unique, note: 'Unique role name (e.g., "Vorstand", "Admin", "Mitglied")']
  description text [null, note: 'Human-readable description of the role']
  permission_set_name text [not null, note: 'Permission set name: "own_data", "read_only", "normal_user", or "admin"']
  is_system_role boolean [not null, default: false, note: 'If true, role cannot be deleted (protects critical roles)']
  inserted_at timestamp [not null, default: `now() AT TIME ZONE 'utc'`, note: 'Creation timestamp (UTC)']
  updated_at timestamp [not null, default: `now() AT TIME ZONE 'utc'`, note: 'Last update timestamp (UTC)']
  indexes {
    name [unique, name: 'roles_unique_name_index']
  }
  Note: '''
    **Role-Based Access Control (RBAC)**
    Roles link users to permission sets. Each role references one of four hardcoded
    permission sets defined in the application code.
    **Permission Sets:**
    - `own_data`: Users can only access their own linked member data
    - `read_only`: Users can read all data but cannot modify
    - `normal_user`: Users can read and modify most data (standard permissions)
    - `admin`: Full access to all features and settings
    **System Roles:**
    - System roles (is_system_role = true) cannot be deleted
    - Protects critical roles like "Mitglied" (member) from accidental deletion
    - Only set via seed scripts or internal actions
    **Relationships:**
    - 1:N with users - users assigned to this role
    - ON DELETE RESTRICT: Cannot delete role if users are assigned
    **Constraints:**
    - `name` must be unique
    - `permission_set_name` must be a valid permission set (validated in application)
    - System roles cannot be deleted (enforced via validation)
  '''
 }
 // ============================================
 // MEMBERSHIP DOMAIN (Additional Tables)
 // ============================================
 Table settings {
  id uuid [pk, not null, default: `gen_random_uuid()`, note: 'Primary identifier']
  club_name text [not null, note: 'The name of the association/club (min length: 1)']
  member_field_visibility jsonb [null, note: 'Visibility configuration for member fields in overview (JSONB map)']
  include_joining_cycle boolean [not null, default: true, note: 'Whether to include the joining cycle in membership fee generation']
  default_membership_fee_type_id uuid [null, note: 'FK to membership_fee_types - default fee type for new members']
  inserted_at timestamp [not null, default: `now() AT TIME ZONE 'utc'`, note: 'Creation timestamp (UTC)']
  updated_at timestamp [not null, default: `now() AT TIME ZONE 'utc'`, note: 'Last update timestamp (UTC)']
  indexes {
    default_membership_fee_type_id [name: 'settings_default_membership_fee_type_id_index', note: 'B-tree index for fee type lookups']
  }
  Note: '''
    **Global Application Settings (Singleton Resource)**
    Stores global configuration for the association/club. There should only ever
    be one settings record in the database (singleton pattern).
    **Attributes:**
    - `club_name`: The name of the association/club (required, can be set via ASSOCIATION_NAME env var)
    - `member_field_visibility`: JSONB map storing visibility configuration for member fields
      (e.g., `{"street": false, "house_number": false}`). Fields not in the map default to `true`.
    - `include_joining_cycle`: When true, members pay from their joining cycle. When false,
      they pay from the next full cycle after joining.
    - `default_membership_fee_type_id`: The membership fee type automatically assigned to
      new members. Can be nil if no default is set.
    **Singleton Pattern:**
    - Only one settings record should exist
    - Designed to be read and updated, not created/destroyed via normal CRUD
    - Initial settings should be seeded
    **Environment Variable Support:**
    - `club_name` can be set via `ASSOCIATION_NAME` environment variable
    - Database values always take precedence over environment variables
    **Relationships:**
    - Optional N:1 with membership_fee_types - default fee type for new members
    - ON DELETE SET NULL: If default fee type is deleted, setting is cleared
  '''
 }
 // ============================================
 // RELATIONSHIPS (Additional)
 // ============================================
 // User → Role (N:1)
 // - Many users can be assigned to one role
 // - ON DELETE RESTRICT: Cannot delete role if users are assigned
 Ref: users.role_id > roles.id [delete: restrict]
 // Settings → MembershipFeeType (N:1, optional)
 // - Settings can reference a default membership fee type
 // - ON DELETE SET NULL: If fee type is deleted, setting is cleared
 Ref: settings.default_membership_fee_type_id > membership_fee_types.id [delete: set null]
 // ============================================
 // TABLE GROUPS (Updated)
 // ============================================
 TableGroup authorization_domain {
  roles
  Note: '''
    **Authorization Domain**
    Handles role-based access control (RBAC) with hardcoded permission sets.
    Roles link users to permission sets for authorization.
  '''
 }
 TableGroup membership_domain {
  members
  custom_field_values
  custom_fields
  settings
  Note: '''
    **Membership Domain**
    Core business logic for club membership management.
    Supports flexible, extensible member data model.
    Includes global application settings (singleton).
  '''
 }
--- a/docs/development-progress-log.md
+++ b/docs/development-progress-log.md
@ -68,7 +68,7 @@ mix phx.new mv --no-ecto --no-mailer
 **Key decisions:**
 - **Elixir 1.18.3 + OTP 27**: Latest stable versions for performance
 - **Ash Framework 3.0**: Declarative resource layer, reduces boilerplate
- **Phoenix LiveView 1.1**: Real-time UI without JavaScript complexity
+- **Phoenix LiveView 1.1.0-rc.3**: Real-time UI without JavaScript complexity
 - **Tailwind CSS 4.0**: Utility-first styling with custom build
 - **PostgreSQL 17**: Advanced features (full-text search, JSONB, citext)
 - **Bandit**: Modern HTTP server, better than Cowboy for LiveView
@ -80,14 +80,15 @@ mix phx.new mv --no-ecto --no-mailer
 **Versions pinned in `.tool-versions`:**
 - Elixir 1.18.3-otp-27
 - Erlang 27.3.4  
- Just 1.43.0
+- Just 1.46.0
 #### 4. Database Setup
 **PostgreSQL Extensions:**
 ```sql
-CREATE EXTENSION IF NOT EXISTS "uuid-ossp";  -- UUID generation
+CREATE EXTENSION IF NOT EXISTS "uuid-ossp";  -- UUID generation (via uuid_generate_v7 function)
 CREATE EXTENSION IF NOT EXISTS "citext";      -- Case-insensitive text
 CREATE EXTENSION IF NOT EXISTS "pg_trgm";     -- Trigram-based fuzzy search
 ```
 **Migration Strategy:**
@ -468,7 +469,7 @@ end
 - **Tailwind:** Utility-first, no custom CSS
 - **DaisyUI:** Pre-built components, consistent design
 - **Heroicons:** Icon library, inline SVG
- **Phoenix LiveView:** Server-rendered, minimal JavaScript
+- **Phoenix LiveView 1.1.0-rc.3:** Server-rendered, minimal JavaScript
 **Trade-offs:**
 - Larger HTML (utility classes)
@ -598,14 +599,33 @@ end
 #### Database Migrations
-**Key migrations in chronological order:**
+**Key migrations in chronological order (26 total):**
-1. `20250528163901_initial_migration.exs` - Core tables (members, custom_field_values, custom_fields)
+1. `20250421101957_initialize_extensions_1.exs` - PostgreSQL extensions (uuid-ossp, citext, pg_trgm)
-2. `20250617090641_member_fields.exs` - Member attributes expansion
+2. `20250528163901_initial_migration.exs` - Core tables (members, custom_field_values, custom_fields - originally property_types/properties)
-3. `20250620110850_add_accounts_domain.exs` - Users & tokens tables
+3. `20250617090641_member_fields.exs` - Member attributes expansion
-4. `20250912085235_AddSearchVectorToMembers.exs` - Full-text search (tsvector + GIN index)
+4. `20250617132424_member_delete.exs` - Member deletion constraints
-5. `20250926164519_member_relation.exs` - User-Member link (optional 1:1)
+5. `20250620110849_add_accounts_domain_extensions.exs` - Accounts domain extensions
-6. `20251001141005_add_trigram_to_members.exs` - Fuzzy search (pg_trgm + 6 GIN trigram indexes)
+6. `20250620110850_add_accounts_domain.exs` - Users & tokens tables
-7. `20251016130855_add_constraints_for_user_member_and_property.exs` - Email sync constraints
+7. `20250912085235_AddSearchVectorToMembers.exs` - Full-text search (tsvector + GIN index)
 8. `20250926164519_member_relation.exs` - User-Member link (optional 1:1)
 9. `20250926180341_add_unique_email_to_members.exs` - Unique email constraint on members
 10. `20251001141005_add_trigram_to_members.exs` - Fuzzy search (pg_trgm + 6 GIN trigram indexes)
 11. `20251016130855_add_constraints_for_user_member_and_property.exs` - Email sync constraints
 12. `20251113163600_rename_properties_to_custom_fields_extensions_1.exs` - Rename properties extensions
 13. `20251113163602_rename_properties_to_custom_fields.exs` - Rename property_types → custom_fields, properties → custom_field_values
 14. `20251113180429_add_slug_to_custom_fields.exs` - Add slug to custom fields
 15. `20251113183538_change_custom_field_delete_cascade.exs` - Change delete cascade behavior
 16. `20251119160509_add_show_in_overview_to_custom_fields.exs` - Add show_in_overview flag
 17. `20251127134451_add_settings_table.exs` - Create settings table (singleton)
 18. `20251201115939_add_member_field_visibility_to_settings.exs` - Add member_field_visibility JSONB to settings
 19. `20251202145404_remove_birth_date_from_members.exs` - Remove birth_date field
 20. `20251204123714_add_custom_field_values_to_search_vector.exs` - Include custom field values in search vector
 21. `20251211151449_add_membership_fees_tables.exs` - Create membership_fee_types and membership_fee_cycles tables
 22. `20251211172549_remove_immutable_from_custom_fields.exs` - Remove immutable flag from custom fields
 23. `20251211195058_add_membership_fee_settings.exs` - Add membership fee settings to settings table
 24. `20251218113900_remove_paid_from_members.exs` - Remove paid boolean from members (replaced by cycle status)
 25. `20260102155350_remove_phone_number_and_make_fields_optional.exs` - Remove phone_number, make first_name/last_name optional
 26. `20260106161215_add_authorization_domain.exs` - Create roles table and add role_id to users
 **Learning:** Ash's code generation from resources ensures schema always matches code.
@ -775,7 +795,7 @@ end
 ### Test Data Management
 **Seed Data:**
- Admin user: `admin@mv.local` / `testpassword`
+- Admin user: `admin@localhost` / `testpassword` (configurable via `ADMIN_EMAIL` env var)
 - Sample members: Hans Müller, Greta Schmidt, Friedrich Wagner
 - Linked accounts: Maria Weber, Thomas Klein
 - CustomFieldValue types: String, Date, Boolean, Email
@ -1562,7 +1582,7 @@ Effective workflow:
 This project demonstrates a modern Phoenix application built with:
 - ✅ **Ash Framework** for declarative resources and policies
- ✅ **Phoenix LiveView** for real-time, server-rendered UI
+- ✅ **Phoenix LiveView 1.1.0-rc.3** for real-time, server-rendered UI
 - ✅ **Tailwind CSS + DaisyUI** for rapid UI development
 - ✅ **PostgreSQL** with advanced features (full-text search, UUIDv7)
 - ✅ **Multi-strategy authentication** (Password + OIDC)
@ -1570,15 +1590,19 @@ This project demonstrates a modern Phoenix application built with:
 - ✅ **Flexible data model** (EAV pattern with union types)
 **Key Achievements:**
- 🎯 8 sprints completed
+- 🎯 9+ sprints completed
- 🚀 82 pull requests merged
+- 🚀 100+ pull requests merged
- ✅ Core features implemented (CRUD, search, auth, sync)
+- ✅ Core features implemented (CRUD, search, auth, sync, membership fees, roles & permissions)
 - ✅ Membership fees system (types, cycles, settings)
 - ✅ Role-based access control (RBAC) with 4 permission sets
 - ✅ Member field visibility settings
 - ✅ Sidebar navigation (WCAG 2.1 AA compliant)
 - 📚 Comprehensive documentation
 - 🔒 Security-focused (audits, validations, policies)
 - 🐳 Docker-ready for self-hosting
 **Next Steps:**
- Implement roles & permissions
+- ✅ ~~Implement roles & permissions~~ - RBAC system implemented (2026-01-08)
 - Add payment tracking
 - ✅ ~~Improve accessibility (WCAG 2.1 AA)~~ - Keyboard navigation implemented
 - Member self-service portal
@ -1586,8 +1610,150 @@ This project demonstrates a modern Phoenix application built with:
 ---
-**Document Version:** 1.3  
+## Recent Updates (2025-12-02 to 2026-01-13)
-**Last Updated:** 2025-12-02  
+
 ### Membership Fees System Implementation (2025-12-11 to 2025-12-26)
 **PR #283:** *Membership Fee - Database Schema & Ash Domain Foundation* (closes #275)
 - Created `Mv.MembershipFees` domain
 - Added `MembershipFeeType` resource with intervals (monthly, quarterly, half_yearly, yearly)
 - Added `MembershipFeeCycle` resource for individual billing cycles
 - Database migrations for membership fee tables
 **PR #284:** *Calendar Cycle Calculation Logic* (closes #276)
 - Calendar-based cycle calculation module
 - Support for different intervals
 - Cycle start/end date calculations
 - Integration with member joining dates
 **PR #290:** *Cycle Generation System* (closes #277)
 - Automatic cycle generation for members
 - Cycle regeneration when fee type changes
 - Integration with member lifecycle hooks
 - Actor-based authorization for cycle operations
 **PR #291:** *Membership Fee Type Resource & Settings* (closes #278)
 - Membership fee type CRUD operations
 - Global membership fee settings
 - Default fee type assignment
 - `include_joining_cycle` setting
 **PR #294:** *Cycle Management & Member Integration* (closes #279)
 - Member-fee type relationship
 - Cycle status tracking (unpaid, paid, suspended)
 - Member detail view integration
 - Cycle regeneration on fee type change
 **PR #304:** *Membership Fee 6 - UI Components & LiveViews* (closes #280)
 - Membership fee type management LiveViews
 - Membership fee settings LiveView
 - Cycle display in member detail view
 - Payment status indicators
 ### Custom Fields Enhancements (2025-12-11 to 2026-01-02)
 **PR #266:** *Implements search for custom fields* (closes #196)
 - Custom field search in member overview
 - Integration with full-text search
 - Custom field value filtering
 **PR #301:** *Implements validation for required custom fields* (closes #274)
 - Required custom field validation
 - Form-level validation
 - Error messages for missing required fields
 **PR #313:** *Fix hidden empty custom fields* (closes #282)
 - Fixed display of empty custom fields
 - Improved custom field visibility logic
 ### UI/UX Improvements (2025-12-03 to 2025-12-16)
 **PR #240:** *Implement dropdown to show/hide columns in member overview* (closes #209)
 - Field visibility dropdown
 - User-specific field selection
 - Integration with global settings
 **PR #247:** *Visual hierarchy for fields in member view and edit form* (closes #231)
 - Improved field grouping
 - Visual hierarchy improvements
 - Better form layout
 **PR #250:** *UX - Avoid opening member by clicking the checkbox* (closes #233)
 - Checkbox click handling
 - Prevented accidental navigation
 - Improved selection UX
 **PR #259:** *Fix small UI issues* (closes #220)
 - Various UI bug fixes
 - Accessibility improvements
 **PR #293:** *Small UX fixes* (closes #281)
 - Additional UX improvements
 - Polish and refinement
 **PR #319:** *Reduce member fields* (closes #273)
 - Removed unnecessary member fields
 - Streamlined member data model
 - Migration for field removal
 ### Roles and Permissions System (2026-01-06 to 2026-01-08)
 - ✅ **RBAC Implementation Complete** - Member Resource Policies (#345)
  - Four hardcoded permission sets: `own_data`, `read_only`, `normal_user`, `admin`
  - Role-based access control with database-backed roles
  - Member resource policies with scope filtering (`:own`, `:linked`, `:all`)
  - Authorization checks via `Mv.Authorization.Checks.HasPermission`
  - System role protection (cannot delete critical roles)
  - Comprehensive test coverage
 ### Actor Handling Refactoring (2026-01-09)
 - ✅ **Consistent Actor Access** - `current_actor/1` helper function
  - Standardized actor access across all LiveViews
  - `ash_actor_opts/1` helper for consistent authorization options
  - `submit_form/3` wrapper for form submissions with actor
  - All Ash operations now properly pass `actor` parameter
  - Error handling improvements (replaced bang calls with proper error handling)
 ### Internationalization Improvements (2026-01-13)
 - ✅ **Complete German Translations** - All UI strings translated
  - CI check for empty German translations in lint task
  - Standardized English `msgstr` entries (all empty for consistency)
  - Corrected language headers in `.po` files
  - Added missing translations for error messages
 ### Code Quality Improvements (2026-01-13)
 - ✅ **Error Handling** - Replaced `Ash.read!` with proper error handling
 - ✅ **Code Complexity** - Reduced nesting depth in `UserLive.Form`
 - ✅ **Test Infrastructure** - Role tag support in `ConnCase`
 ### CSV Import Feature (2026-01-13)
 - ✅ **CSV Templates** - Member import templates (#329)
  - German and English CSV templates
  - Template files in `priv/static/templates/`
 ### Sidebar Implementation (2026-01-12)
 - ✅ **Sidebar Navigation** - Replaced navbar with sidebar (#260)
  - Standard-compliant sidebar with comprehensive tests
  - DaisyUI drawer pattern implementation
  - Desktop expanded/collapsed states
  - Mobile overlay drawer
  - localStorage persistence for sidebar state
  - WCAG 2.1 Level AA compliant
 ### Member Field Settings (2026-01-12, PR #300, closes #223)
 - ✅ **Member Field Visibility Configuration** - Global settings for field visibility
  - JSONB-based visibility configuration in Settings resource
  - Per-field visibility toggle (show/hide in member overview)
  - Atomic updates for single field visibility changes
  - Integration with member list overview
  - User-specific field selection (takes priority over global settings)
  - Custom field visibility support
  - Default visibility: all fields visible except `exit_date` (hidden by default)
  - LiveComponent for managing member field visibility in settings page
 ---
 **Document Version:** 1.4  
 **Last Updated:** 2026-01-13  
 **Maintainer:** Development Team  
 **Status:** Living Document (update as project evolves)
--- a/docs/feature-roadmap.md
+++ b/docs/feature-roadmap.md
@ -1,8 +1,8 @@
 # Feature Roadmap & Implementation Plan
 **Project:** Mila - Membership Management System  
-**Last Updated:** 2025-11-10  
+**Last Updated:** 2026-01-13  
-**Status:** Planning Phase
+**Status:** Active Development
 ---
@ -37,17 +37,24 @@
 - [#146](https://git.local-it.org/local-it/mitgliederverwaltung/issues/146) - Translate "or" in the login screen (Low)
 - [#144](https://git.local-it.org/local-it/mitgliederverwaltung/issues/144) - Add language switch dropdown to login screen (Low)
 **Current State:**
 - ✅ **Role-based access control (RBAC)** - Implemented (2026-01-08, PR #346, closes #345)
 - ✅ **Permission system** - Four hardcoded permission sets (`own_data`, `read_only`, `normal_user`, `admin`)
 - ✅ **Database-backed roles** - Roles table with permission set references
 - ✅ **Resource policies** - Member resource policies with scope filtering
 - ✅ **Page-level authorization** - LiveView page access control
 - ✅ **System role protection** - Critical roles cannot be deleted
 **Missing Features:**
 - ❌ Role-based access control (RBAC)
 - ❌ Permission system
 - ❌ Password reset flow
 - ❌ Email verification
 - ❌ Two-factor authentication (future)
 **Related Issues:**
- [#191](https://git.local-it.org/local-it/mitgliederverwaltung/issues/191) - Implement Roles in Ash (M)
+- ✅ [#345](https://git.local-it.org/local-it/mitgliederverwaltung/issues/345) - Member Resource Policies (closed 2026-01-13)
- [#190](https://git.local-it.org/local-it/mitgliederverwaltung/issues/190) - Implement Permissions in Ash (M)
+- ✅ [#191](https://git.local-it.org/local-it/mitgliederverwaltung/issues/191) - Implement Roles in Ash (M) - Completed
- [#151](https://git.local-it.org/local-it/mitgliederverwaltung/issues/151) - Define implementation plan for roles and permissions (M) [3/7 tasks done]
+- ✅ [#190](https://git.local-it.org/local-it/mitgliederverwaltung/issues/190) - Implement Permissions in Ash (M) - Completed
 - ✅ [#151](https://git.local-it.org/local-it/mitgliederverwaltung/issues/151) - Define implementation plan for roles and permissions (M) - Completed
 ---
@ -187,23 +194,27 @@
 **Current State:**
 - ✅ Basic "paid" boolean field on members
- ✅ **UI Mock-ups for Membership Fee Types & Settings** (2025-12-02)
+- ✅ **Membership Fee Types Management** - Full CRUD implementation
- ⚠️ No payment tracking
+- ✅ **Membership Fee Cycles** - Individual billing cycles per member
 - ✅ **Membership Fee Settings** - Global settings (include_joining_cycle, default_fee_type)
 - ✅ **Cycle Generation** - Automatic cycle generation for members
 - ✅ **Payment Status Tracking** - Status per cycle (unpaid, paid, suspended)
 - ✅ **Member Fee Assignment** - Members can be assigned to fee types
 - ✅ **Cycle Regeneration** - Regenerate cycles when fee type changes
 - ✅ **UI Components** - Membership fee status in member list and detail views
 **Open Issues:**
 - [#156](https://git.local-it.org/local-it/mitgliederverwaltung/issues/156) - Set up & document testing environment for vereinfacht.digital (L, Low priority)
- [#226](https://git.local-it.org/local-it/mitgliederverwaltung/issues/226) - Payment/Membership Fee Mockup Pages (Preview)
+- ✅ [#226](https://git.local-it.org/local-it/mitgliederverwaltung/issues/226) - Payment/Membership Fee Mockup Pages (Preview) - Implemented
-**Mock-Up Pages (Non-Functional Preview):**
+**Implemented Pages:**
- `/membership_fee_types` - Membership Fee Types Management
+- `/membership_fee_types` - Membership Fee Types Management (fully functional)
- `/membership_fee_settings` - Global Membership Fee Settings
+- `/membership_fee_settings` - Global Membership Fee Settings (fully functional)
 - `/members/:id` - Member detail view with membership fee cycles
 **Missing Features:**
- ❌ Membership fee configuration
+- ❌ Payment records/transactions (external payment tracking)
 - ❌ Payment records/transactions
 - ❌ Payment history per member
 - ❌ Payment reminders
 - ❌ Payment status tracking (pending, paid, overdue)
 - ❌ Invoice generation
 - ❌ vereinfacht.digital API integration
 - ❌ SEPA direct debit support
@ -218,17 +229,18 @@
 **Current State:**
 - ✅ AshAdmin integration (basic)
- ⚠️ No user-facing admin UI
+- ✅ **Global Settings Management** - `/settings` page (singleton resource)
 - ✅ **Club/Organization profile** - Club name configuration
 - ✅ **Member Field Visibility Settings** - Configure which fields show in overview
 - ✅ **CustomFieldValue type management UI** - Full CRUD for custom fields
 - ✅ **Role Management UI** - Full CRUD for roles (`/admin/roles`)
 - ✅ **Membership Fee Settings** - Global fee settings management
 **Open Issues:**
 - [#186](https://git.local-it.org/local-it/mitgliederverwaltung/issues/186) - Create Architecture docs in Repo (S, Low priority)
 **Missing Features:**
 - ❌ Global settings management
 - ❌ Club/Organization profile
 - ❌ Email templates configuration
 - ❌ CustomFieldValue type management UI (user-facing)
 - ❌ Role and permission management UI
 - ❌ System health dashboard
 - ❌ Audit log viewer
 - ❌ Backup/restore functionality
@ -273,10 +285,12 @@
 **Current State:**
 - ✅ Seed data script
- ⚠️ No user-facing import/export
+- ✅ **CSV Import Templates** - German and English templates (#329, 2026-01-13)
  - Template files in `priv/static/templates/member_import_de.csv` and `member_import_en.csv`
  - CSV specification documented in `docs/csv-member-import-v1.md`
 **Missing Features:**
- ❌ CSV import for members
+- ❌ CSV import implementation (templates ready, import logic pending)
 - ❌ Excel import for members
 - ❌ Import validation and preview
 - ❌ Import error handling
@ -452,6 +466,7 @@ Since this is a **Phoenix LiveView** application with **Ash Framework**, we have
 | `GET` | `/auth/user/rauthy` | Initiate OIDC flow | 🔓 | - | Redirect to Rauthy |
 | `GET` | `/auth/user/rauthy/callback` | Handle OIDC callback | 🔓 | `{code, state}` | Redirect + session cookie |
 | `POST` | `/auth/user/sign_out` | Sign out user | 🔐 | - | Redirect to login |
 | `GET` | `/auth/link-oidc-account` | OIDC account linking (password verification) | 🔓 | - | LiveView form | ✅ Implemented |
 | `GET` | `/auth/user/password/reset` | Show password reset form | 🔓 | - | HTML form |
 | `POST` | `/auth/user/password/reset` | Request password reset | 🔓 | `{email}` | Success message + email sent |
 | `GET` | `/auth/user/password/reset/:token` | Show reset password form | 🔓 | - | HTML form |
@ -537,13 +552,18 @@ Since this is a **Phoenix LiveView** application with **Ash Framework**, we have
 ### 3. Custom Fields (CustomFieldValue System) Endpoints
-#### LiveView Endpoints
+#### LiveView Endpoints (✅ Implemented)
-| Mount | Purpose | Auth | Events |
+| Mount | Purpose | Auth | Events | Status |
-|-------|---------|------|--------|
+|-------|---------|------|--------|--------|
-| `/custom-fields` | List custom fields | 🛡️ | `new`, `edit`, `delete` |
+| `/settings` | Global settings (includes custom fields management) | 🔐 | `save`, `validate` | ✅ Implemented |
-| `/custom-fields/new` | Create custom field | 🛡️ | `save`, `cancel` |
+| `/custom_field_values` | List all custom field values | 🔐 | `new`, `edit`, `delete` | ✅ Implemented |
-| `/custom-fields/:id/edit` | Edit custom field | 🛡️ | `save`, `cancel`, `delete` |
+| `/custom_field_values/new` | Create custom field value | 🔐 | `save`, `cancel` | ✅ Implemented |
 | `/custom_field_values/:id` | Custom field value detail | 🔐 | `edit` | ✅ Implemented |
 | `/custom_field_values/:id/edit` | Edit custom field value | 🔐 | `save`, `cancel` | ✅ Implemented |
 | `/custom_field_values/:id/show/edit` | Edit from show page | 🔐 | `save`, `cancel` | ✅ Implemented |
 **Note:** Custom fields (definitions) are managed via LiveComponent in `/settings` page, not as separate routes.
 #### Ash Resource Actions
@ -622,63 +642,81 @@ Since this is a **Phoenix LiveView** application with **Ash Framework**, we have
 ### 6. Internationalization Endpoints
-#### HTTP Controller Endpoints
+#### HTTP Controller Endpoints (✅ Implemented)
-| Method | Route | Purpose | Auth | Request | Response |
+| Method | Route | Purpose | Auth | Request | Response | Status |
-|--------|-------|---------|------|---------|----------|
+|--------|-------|---------|------|---------|----------|--------|
-| `POST` | `/locale` | Set user locale | 🔐 | `{locale: "de"}` | Redirect with cookie |
+| `POST` | `/set_locale` | Set user locale | 🔐 | `{locale: "de"}` | Redirect with cookie | ✅ Implemented |
-| `GET` | `/locales` | List available locales | 🔓 | - | `["de", "en"]` |
+| `GET` | `/locales` | List available locales | 🔓 | - | `["de", "en"]` | ❌ Not implemented |
 **Note:** Locale is set via `/set_locale` POST endpoint and persisted in session/cookie. Supported locales: `de` (default), `en`.
 ---
 ### 7. Payment & Fees Management Endpoints
-#### LiveView Endpoints (NEW - Issue #156)
+#### LiveView Endpoints (✅ Implemented)
-| Mount | Purpose | Auth | Events |
+| Mount | Purpose | Auth | Events | Status |
-|-------|---------|------|--------|
+|-------|---------|------|--------|--------|
-| `/payments` | Payment list | 🔐 | `new`, `record_payment`, `send_reminder` |
+| `/membership_fee_types` | Membership fee type list | 🔐 | `new`, `edit`, `delete` | ✅ Implemented |
-| `/payments/:id` | Payment detail | 🔐 | `edit`, `delete`, `mark_paid` |
+| `/membership_fee_types/new` | Create membership fee type | 🔐 | `save`, `cancel` | ✅ Implemented |
-| `/fees` | Fee configuration | 🛡️ | `create`, `edit`, `delete` |
+| `/membership_fee_types/:id/edit` | Edit membership fee type | 🔐 | `save`, `cancel` | ✅ Implemented |
-| `/invoices` | Invoice list | 🔐 | `generate`, `download`, `send` |
+| `/membership_fee_settings` | Global membership fee settings | 🔐 | `save` | ✅ Implemented |
 | `/contributions/member/:id` | Member contribution periods (mock-up) | 🔐 | - | ⚠️ Mock-up only |
 | `/contribution_types` | Contribution types (mock-up) | 🔐 | - | ⚠️ Mock-up only |
-#### Ash Resource Actions (NEW)
+#### Ash Resource Actions (✅ Partially Implemented)
-| Resource | Action | Purpose | Auth | Input | Output |
+| Resource | Action | Purpose | Auth | Input | Output | Status |
-|----------|--------|---------|------|-------|--------|
+|----------|--------|---------|------|-------|--------|--------|
-| `Fee` | `:create` | Create fee type | 🛡️ | `{name, amount, frequency}` | `{:ok, fee}` |
+| `MembershipFeeType` | `:create` | Create fee type | 🔐 | `{name, amount, interval, ...}` | `{:ok, fee_type}` | ✅ Implemented |
-| `Fee` | `:read` | List fees | 🔐 | - | `[%Fee{}]` |
+| `MembershipFeeType` | `:read` | List fee types | 🔐 | - | `[%MembershipFeeType{}]` | ✅ Implemented |
-| `Payment` | `:create` | Record payment | 🔐 | `{member_id, fee_id, amount, date}` | `{:ok, payment}` |
+| `MembershipFeeType` | `:update` | Update fee type (name, amount, description) | 🔐 | `{id, attrs}` | `{:ok, fee_type}` | ✅ Implemented |
-| `Payment` | `:list_by_member` | Member payment history | 🔐 | `{member_id}` | `[%Payment{}]` |
+| `MembershipFeeType` | `:destroy` | Delete fee type (if no cycles) | 🔐 | `{id}` | `{:ok, fee_type}` | ✅ Implemented |
-| `Payment` | `:mark_paid` | Mark as paid | 🔐 | `{id}` | `{:ok, payment}` |
+| `MembershipFeeCycle` | `:read` | List cycles for member | 🔐 | `{member_id}` | `[%MembershipFeeCycle{}]` | ✅ Implemented |
-| `Invoice` | `:generate` | Generate invoice | 🔐 | `{member_id, fee_id, period}` | `{:ok, invoice}` |
+| `MembershipFeeCycle` | `:update` | Update cycle status | 🔐 | `{id, status}` | `{:ok, cycle}` | ✅ Implemented |
-| `Invoice` | `:send` | Send invoice via email | 🔐 | `{id}` | `{:ok, sent}` |
+| `Payment` | `:create` | Record payment | 🔐 | `{member_id, fee_id, amount, date}` | `{:ok, payment}` | ❌ Not implemented |
-| `Payment` | `:import_vereinfacht` | Import from vereinfacht.digital | 🛡️ | `{transactions}` | `{:ok, count}` |
+| `Payment` | `:list_by_member` | Member payment history | 🔐 | `{member_id}` | `[%Payment{}]` | ❌ Not implemented |
 | `Payment` | `:mark_paid` | Mark as paid | 🔐 | `{id}` | `{:ok, payment}` | ❌ Not implemented |
 | `Invoice` | `:generate` | Generate invoice | 🔐 | `{member_id, fee_id, period}` | `{:ok, invoice}` | ❌ Not implemented |
 | `Invoice` | `:send` | Send invoice via email | 🔐 | `{id}` | `{:ok, sent}` | ❌ Not implemented |
 | `Payment` | `:import_vereinfacht` | Import from vereinfacht.digital | 🛡️ | `{transactions}` | `{:ok, count}` | ❌ Not implemented |
 ---
 ### 8. Admin Panel & Configuration Endpoints
-#### LiveView Endpoints (NEW)
+#### LiveView Endpoints (✅ Partially Implemented)
-| Mount | Purpose | Auth | Events |
+| Mount | Purpose | Auth | Events | Status |
-|-------|---------|------|--------|
+|-------|---------|------|--------|--------|
-| `/admin` | Admin dashboard | 🛡️ | - |
+| `/settings` | Global settings (club name, member fields, custom fields) | 🔐 | `save`, `validate` | ✅ Implemented |
-| `/admin/settings` | Global settings | 🛡️ | `save` |
+| `/admin/roles` | Role management | 🛡️ | `new`, `edit`, `delete` | ✅ Implemented |
-| `/admin/organization` | Organization profile | 🛡️ | `save` |
+| `/admin/roles/new` | Create role | 🛡️ | `save`, `cancel` | ✅ Implemented |
-| `/admin/email-templates` | Email template editor | 🛡️ | `create`, `edit`, `preview` |
+| `/admin/roles/:id` | Role detail view | 🛡️ | `edit` | ✅ Implemented |
-| `/admin/audit-log` | System audit log | 🛡️ | `filter`, `export` |
+| `/admin/roles/:id/edit` | Edit role | 🛡️ | `save`, `cancel` | ✅ Implemented |
 | `/admin` | Admin dashboard | 🛡️ | - | ❌ Not implemented |
 | `/admin/organization` | Organization profile | 🛡️ | `save` | ❌ Not implemented |
 | `/admin/email-templates` | Email template editor | 🛡️ | `create`, `edit`, `preview` | ❌ Not implemented |
 | `/admin/audit-log` | System audit log | 🛡️ | `filter`, `export` | ❌ Not implemented |
-#### Ash Resource Actions (NEW)
+#### Ash Resource Actions (✅ Partially Implemented)
-| Resource | Action | Purpose | Auth | Input | Output |
+| Resource | Action | Purpose | Auth | Input | Output | Status |
-|----------|--------|---------|------|-------|--------|
+|----------|--------|---------|------|-------|--------|--------|
-| `Setting` | `:get` | Get setting value | 🔐 | `{key}` | `value` |
+| `Setting` | `:read` | Get settings (singleton) | 🔐 | - | `{:ok, settings}` | ✅ Implemented |
-| `Setting` | `:set` | Set setting value | 🛡️ | `{key, value}` | `{:ok, setting}` |
+| `Setting` | `:update` | Update settings | 🔐 | `{club_name, member_field_visibility, ...}` | `{:ok, settings}` | ✅ Implemented |
-| `Setting` | `:list` | List all settings | 🛡️ | - | `[%Setting{}]` |
+| `Setting` | `:update_member_field_visibility` | Update field visibility | 🔐 | `{member_field_visibility}` | `{:ok, settings}` | ✅ Implemented |
-| `Organization` | `:read` | Get organization info | 🔐 | - | `%Organization{}` |
+| `Setting` | `:update_single_member_field_visibility` | Atomic field visibility update | 🔐 | `{field, show_in_overview}` | `{:ok, settings}` | ✅ Implemented |
-| `Organization` | `:update` | Update organization | 🛡️ | `{name, logo, ...}` | `{:ok, org}` |
+| `Setting` | `:update_membership_fee_settings` | Update fee settings | 🔐 | `{include_joining_cycle, default_membership_fee_type_id}` | `{:ok, settings}` | ✅ Implemented |
-| `AuditLog` | `:list` | List audit entries | 🛡️ | `{filters, pagination}` | `[%AuditLog{}]` |
+| `Role` | `:read` | List roles | 🛡️ | - | `[%Role{}]` | ✅ Implemented |
 | `Role` | `:create` | Create role | 🛡️ | `{name, permission_set_name, ...}` | `{:ok, role}` | ✅ Implemented |
 | `Role` | `:update` | Update role | 🛡️ | `{id, attrs}` | `{:ok, role}` | ✅ Implemented |
 | `Role` | `:destroy` | Delete role (if not system role) | 🛡️ | `{id}` | `{:ok, role}` | ✅ Implemented |
 | `Organization` | `:read` | Get organization info | 🔐 | - | `%Organization{}` | ❌ Not implemented |
 | `Organization` | `:update` | Update organization | 🛡️ | `{name, logo, ...}` | `{:ok, org}` | ❌ Not implemented |
 | `AuditLog` | `:list` | List audit entries | 🛡️ | `{filters, pagination}` | `[%AuditLog{}]` | ❌ Not implemented |
 ---
--- a/docs/membership-fee-architecture.md
+++ b/docs/membership-fee-architecture.md
@ -3,8 +3,8 @@
 **Project:** Mila - Membership Management System  
 **Feature:** Membership Fee Management  
 **Version:** 1.0  
-**Last Updated:** 2025-11-27  
+**Last Updated:** 2026-01-13  
-**Status:** Architecture Design - Ready for Implementation
+**Status:** ✅ Implemented
 ---
@ -76,6 +76,13 @@ This document defines the technical architecture for the Membership Fees system.
 - `MembershipFeeType` - Membership fee type definitions (admin-managed)
 - `MembershipFeeCycle` - Individual membership fee cycles per member
 **Public API:**
 The domain exposes code interface functions:
 - `create_membership_fee_type/1`, `list_membership_fee_types/0`, `update_membership_fee_type/2`, `destroy_membership_fee_type/1`
 - `create_membership_fee_cycle/1`, `list_membership_fee_cycles/0`, `update_membership_fee_cycle/2`, `destroy_membership_fee_cycle/1`
 **Note:** In LiveViews, direct `Ash.read`, `Ash.create`, `Ash.update`, `Ash.destroy` calls are used with `domain: Mv.MembershipFees` instead of code interface functions. This is acceptable for LiveView forms that use `AshPhoenix.Form`.
 **Extensions:**
 - Member resource extended with membership fee fields
@ -348,6 +355,9 @@ lib/
 1. MembershipFeeType index/form (admin)
 2. MembershipFeeCycle table component (member detail view)
   - Implemented as `MvWeb.MemberLive.Show.MembershipFeesComponent`
   - Displays all cycles in a table with status management
   - Allows changing cycle status, editing amounts, and regenerating cycles
 3. Settings form section (admin)
 4. Member list column (membership fee status)
--- a/docs/membership-fee-overview.md
+++ b/docs/membership-fee-overview.md
@ -3,8 +3,8 @@
 **Project:** Mila - Membership Management System  
 **Feature:** Membership Fee Management  
 **Version:** 1.0  
-**Last Updated:** 2025-11-27  
+**Last Updated:** 2026-01-13  
-**Status:** Concept - Ready for Review
+**Status:** ✅ Implemented
 ---
--- a/docs/policy-bypass-vs-haspermission.md
+++ b/docs/policy-bypass-vs-haspermission.md
@ -0,0 +1,330 @@
 # Policy Pattern: Bypass vs. HasPermission
 **Date:** 2026-01-22  
 **Status:** Implemented and Tested  
 **Applies to:** User Resource, Member Resource
 ---
 ## Summary
 For filter-based permissions (`scope :own`, `scope :linked`), we use a **two-tier authorization pattern**:
 1. **Bypass with `expr()` for READ operations** - Handles list queries via auto_filter
 2. **HasPermission for UPDATE/CREATE/DESTROY** - Uses scope from PermissionSets when record is present
 This pattern ensures that the scope concept in PermissionSets is actually used and not redundant.
 ---
 ## The Problem
 ### Initial Assumption (INCORRECT)
 > "No separate Own Credentials Bypass needed, as all permission sets already have User read/update :own. HasPermission with scope :own handles this correctly."
 This assumption was based on the idea that `HasPermission` returning `{:filter, expr(...)}` would automatically trigger Ash's `auto_filter` for list queries.
 ### Reality
 **When HasPermission returns `{:filter, expr(...)}`:**
 1. `strict_check` is called first
 2. For list queries (no record yet), `strict_check` returns `{:ok, false}`
 3. Ash **STOPS** evaluation and does **NOT** call `auto_filter`
 4. Result: List queries fail with empty results ❌
 **Example:**
 ```elixir
 # This FAILS for list queries:
 policy action_type([:read, :update]) do
  authorize_if Mv.Authorization.Checks.HasPermission
 end
 # User tries to list all users:
 Ash.read(User, actor: user)
 # Expected: Returns [user] (filtered to own record)
 # Actual: Returns [] (empty list)
 ```
 ---
 ## The Solution
 ### Pattern: Bypass for READ, HasPermission for UPDATE
 **User Resource Example:**
 ```elixir
 policies do
  # Bypass for READ (handles list queries via auto_filter)
  bypass action_type(:read) do
    description "Users can always read their own account"
    authorize_if expr(id == ^actor(:id))
  end
  # HasPermission for UPDATE (scope :own works with changesets)
  policy action_type([:read, :create, :update, :destroy]) do
    description "Check permissions from user's role and permission set"
    authorize_if Mv.Authorization.Checks.HasPermission
  end
 end
 ```
 **Why This Works:**
 | Operation | Record Available? | Method | Result |
 |-----------|-------------------|--------|--------|
 | **READ (list)** | ❌ No | `bypass` with `expr()` | Ash applies expr as SQL WHERE → ✅ Filtered list |
 | **READ (single)** | ✅ Yes | `bypass` with `expr()` | Ash evaluates expr → ✅ true/false |
 | **UPDATE** | ✅ Yes (changeset) | `HasPermission` with `scope :own` | strict_check evaluates record → ✅ Authorized |
 | **CREATE** | ✅ Yes (changeset) | `HasPermission` with `scope :own` | strict_check evaluates record → ✅ Authorized |
 | **DESTROY** | ✅ Yes | `HasPermission` with `scope :own` | strict_check evaluates record → ✅ Authorized |
 **Important: UPDATE Strategy**
 UPDATE is **NOT** a hardcoded bypass. It is controlled by **PermissionSets**:
 - All permission sets (`:own_data`, `:read_only`, `:normal_user`, `:admin`) explicitly grant `User.update :own`
 - `HasPermission` evaluates `scope :own` when a changeset with record is present
 - If a permission set is changed to remove `User.update :own`, users with that set will lose the ability to update their credentials
 - This is intentional - UPDATE is controlled by PermissionSets, not hardcoded
 **Example:** The `read_only` permission set grants `User.update :own` even though it's "read-only" for member data. This allows password changes while keeping member data read-only.
 ---
 ## Why `scope :own` Is NOT Redundant
 ### The Question
 > "If we use a bypass with `expr(id == ^actor(:id))` for READ, isn't `scope :own` in PermissionSets redundant?"
 ### The Answer: NO! ✅
 **`scope :own` is ONLY used for operations where a record is present:**
 ```elixir
 # PermissionSets.ex
 %{resource: "User", action: :read, scope: :own, granted: true},   # Not used (bypass handles it)
 %{resource: "User", action: :update, scope: :own, granted: true}, # USED by HasPermission ✅
 ```
 **Test Proof:**
 ```elixir
 # test/mv/accounts/user_policies_test.exs:82
 test "can update own email", %{user: user} do
  new_email = "updated@example.com"
  # This works via HasPermission with scope :own (NOT via bypass)
  {:ok, updated_user} =
    user
    |> Ash.Changeset.for_update(:update_user, %{email: new_email})
    |> Ash.update(actor: user)
  assert updated_user.email == Ash.CiString.new(new_email)
 end
 # ✅ Test passes - proves scope :own is used!
 ```
 ---
 ## Consistency Across Resources
 ### User Resource
 ```elixir
 # Bypass for READ list queries
 bypass action_type(:read) do
  authorize_if expr(id == ^actor(:id))
 end
 # HasPermission for UPDATE (uses scope :own from PermissionSets)
 policy action_type([:read, :create, :update, :destroy]) do
  authorize_if Mv.Authorization.Checks.HasPermission
 end
 ```
 **PermissionSets:**
 - `own_data`, `read_only`, `normal_user`: `scope :own` for read/update
 - `admin`: `scope :all` for all operations
 ### Member Resource
 ```elixir
 # Bypass for READ list queries
 bypass action_type(:read) do
  authorize_if expr(id == ^actor(:member_id))
 end
 # HasPermission for UPDATE (uses scope :linked from PermissionSets)
 policy action_type([:read, :create, :update, :destroy]) do
  authorize_if Mv.Authorization.Checks.HasPermission
 end
 ```
 **PermissionSets:**
 - `own_data`: `scope :linked` for read/update
 - `read_only`: `scope :all` for read (no update permission)
 - `normal_user`, `admin`: `scope :all` for all operations
 ---
 ## Technical Deep Dive
 ### Why Does `expr()` in Bypass Work?
 **Ash treats `expr()` natively in two contexts:**
 1. **strict_check** (single record):
   - Ash evaluates the expression against the record
   - Returns true/false based on match
 2. **auto_filter** (list queries):
   - Ash compiles the expression to SQL WHERE clause
   - Applies filter directly in database query
 **Example:**
 ```elixir
 bypass action_type(:read) do
  authorize_if expr(id == ^actor(:id))
 end
 # For list query: Ash.read(User, actor: user)
 # Compiled SQL: SELECT * FROM users WHERE id = $1 (user.id)
 # Result: [user] ✅
 ```
 ### Why Doesn't HasPermission Trigger auto_filter?
 **HasPermission.strict_check logic:**
 ```elixir
 def strict_check(actor, authorizer, _opts) do
  # ...
  case check_permission(...) do
    {:filter, filter_expr} ->
      if record do
        # Evaluate filter against record
        evaluate_filter_for_strict_check(filter_expr, actor, record, resource_name)
      else
        # No record (list query) - return false
        # Ash STOPS here, does NOT call auto_filter
        {:ok, false}
      end
  end
 end
 ```
 **Why return false instead of :unknown?**
 We tested returning `:unknown`, but Ash's policy evaluation still didn't reliably call `auto_filter`. The `bypass` with `expr()` is the only consistent solution.
 ---
 ## Design Principles
 ### 1. Consistency
 Both User and Member follow the same pattern:
 - Bypass for READ (list queries)
 - HasPermission for UPDATE/CREATE/DESTROY (with scope)
 ### 2. Scope Concept Is Essential
 PermissionSets define scopes for all operations:
 - `:own` - User can access their own records
 - `:linked` - User can access linked records (e.g., their member)
 - `:all` - User can access all records (admin)
 **These scopes are NOT redundant** - they are used for UPDATE/CREATE/DESTROY.
 ### 3. Bypass Is a Technical Workaround
 The bypass is not a design choice but a **technical necessity** due to Ash's policy evaluation behavior:
 - Ash doesn't call `auto_filter` when `strict_check` returns `false`
 - `expr()` in bypass is handled natively by Ash for both contexts
 - This is consistent with Ash's documentation and best practices
 ---
 ## Test Coverage
 ### User Resource Tests
 **File:** `test/mv/accounts/user_policies_test.exs`
 **Coverage:**
 - ✅ 31 tests: 30 passing, 1 skipped
 - ✅ All 4 permission sets: `own_data`, `read_only`, `normal_user`, `admin`
 - ✅ READ operations (list and single) via bypass
 - ✅ UPDATE operations via HasPermission with `scope :own`
 - ✅ Admin operations via HasPermission with `scope :all`
 - ✅ AshAuthentication bypass (registration/login)
 - ✅ NoActor bypass (test environment)
 **Key Tests Proving Pattern:**
 ```elixir
 # Test 1: READ list uses bypass (returns filtered list)
 test "list users returns only own user", %{user: user} do
  {:ok, users} = Ash.read(Accounts.User, actor: user, domain: Mv.Accounts)
  assert length(users) == 1  # Filtered to own user ✅
  assert hd(users).id == user.id
 end
 # Test 2: UPDATE uses HasPermission with scope :own
 test "can update own email", %{user: user} do
  {:ok, updated_user} =
    user
    |> Ash.Changeset.for_update(:update_user, %{email: "new@example.com"})
    |> Ash.update(actor: user)
  assert updated_user.email  # Uses scope :own from PermissionSets ✅
 end
 # Test 3: Admin uses HasPermission with scope :all
 test "admin can update other users", %{admin: admin, other_user: other_user} do
  {:ok, updated_user} =
    other_user
    |> Ash.Changeset.for_update(:update_user, %{email: "admin-changed@example.com"})
    |> Ash.update(actor: admin)
  assert updated_user.email  # Uses scope :all from PermissionSets ✅
 end
 ```
 ---
 ## Lessons Learned
 1. **Don't assume** that returning a filter from `strict_check` will trigger `auto_filter` - test it!
 2. **Bypass with `expr()` is necessary** for list queries with filter-based permissions
 3. **Scope concept is NOT redundant** - it's used for operations with records (UPDATE/CREATE/DESTROY)
 4. **Consistency matters** - following the same pattern across resources improves maintainability
 5. **Documentation is key** - explaining WHY the pattern exists prevents future confusion
 ---
 ## Future Considerations
 ### If Ash Changes Policy Evaluation
 If a future version of Ash reliably calls `auto_filter` when `strict_check` returns `:unknown` or `{:filter, expr}`:
 1. We could **remove** the bypass for READ
 2. Keep only the HasPermission policy for all operations
 3. Update tests to verify the new behavior
 **However, for now (Ash 3.13.1), the bypass pattern is necessary and correct.**
 ---
 ## References
 - **Ash Policy Documentation**: [https://hexdocs.pm/ash/policies.html](https://hexdocs.pm/ash/policies.html)
 - **Implementation**: `lib/accounts/user.ex` (lines 271-315)
 - **Tests**: `test/mv/accounts/user_policies_test.exs`
 - **Architecture Doc**: `docs/roles-and-permissions-architecture.md`
 - **Permission Sets**: `lib/mv/authorization/permission_sets.ex`
--- a/docs/roles-and-permissions-architecture.md
+++ b/docs/roles-and-permissions-architecture.md
@ -2,7 +2,8 @@
 **Version:** 2.0 (Clean Rewrite)  
 **Date:** 2025-01-13  
-**Status:** Ready for Implementation  
+**Last Updated:** 2026-01-13  
 **Status:** ✅ Implemented (2026-01-08, PR #346, closes #345)  
 **Related Documents:**
 - [Overview](./roles-and-permissions-overview.md) - High-level concepts for stakeholders
 - [Implementation Plan](./roles-and-permissions-implementation-plan.md) - Step-by-step implementation guide
@ -870,79 +871,166 @@ end
 **Policy Order Matters!** Ash evaluates policies top-to-bottom, first match wins.
 ---
 ## Bypass vs. HasPermission: When to Use Which?
 **Key Finding:** For filter-based permissions (`scope :own`, `scope :linked`), we use a **two-tier approach**:
 1. **Bypass with `expr()` for READ** - Handles list queries (auto_filter)
 2. **HasPermission for UPDATE/CREATE/DESTROY** - Handles operations with records
 ### Why This Pattern?
 **The Problem with HasPermission for List Queries:**
 When `HasPermission` returns `{:filter, expr(...)}` for `scope :own` or `scope :linked`:
 - `strict_check` returns `{:ok, false}` for queries without a record
 - Ash does **NOT** reliably call `auto_filter` when `strict_check` returns `false`
 - Result: List queries fail ❌
 **The Solution:**
 Use `bypass` with `expr()` directly for READ operations:
 - Ash handles `expr()` natively for both `strict_check` and `auto_filter`
 - List queries work correctly ✅
 - Single-record reads work correctly ✅
 ### Pattern Summary
 | Operation | Has Record? | Use | Why |
 |-----------|-------------|-----|-----|
 | **READ (list)** | ❌ No | `bypass` with `expr()` | Triggers auto_filter |
 | **READ (single)** | ✅ Yes | `bypass` with `expr()` | expr() evaluates to true/false |
 | **UPDATE** | ✅ Yes (changeset) | `HasPermission` | strict_check can evaluate record |
 | **CREATE** | ✅ Yes (changeset) | `HasPermission` | strict_check can evaluate record |
 | **DESTROY** | ✅ Yes | `HasPermission` | strict_check can evaluate record |
 ### Is scope :own/:linked Still Useful?
 **YES! ✅** The scope concept is essential:
 1. **Documentation** - Clearly expresses intent in PermissionSets
 2. **UPDATE/CREATE/DESTROY** - Works perfectly via HasPermission when record is present
 3. **Consistency** - All permissions are centralized in PermissionSets
 4. **Maintainability** - Easy to see what each role can do
 The bypass is a **technical workaround** for Ash's auto_filter limitation, not a replacement for the scope concept.
 ### Consistency Across Resources
 Both `User` and `Member` follow this pattern:
 - **User**: Bypass for READ (`id == ^actor(:id)`), HasPermission for UPDATE (`scope :own`)
 - **Member**: Bypass for READ (`id == ^actor(:member_id)`), HasPermission for UPDATE (`scope :linked`)
 This ensures consistent behavior and predictable authorization logic throughout the application.
 ---
 ### User Resource Policies
-**Location:** `lib/mv/accounts/user.ex`
+**Location:** `lib/accounts/user.ex`
-**Special Case:** Users can ALWAYS read/update their own credentials, regardless of role.
+**Pattern:** Bypass for READ (list queries), HasPermission for UPDATE (with scope :own).
 **Key Insight:** Bypass with `expr()` is needed ONLY for READ list queries because HasPermission's strict_check cannot properly trigger auto_filter. UPDATE operations work correctly via HasPermission because a changeset with record is available.
 ```elixir
 defmodule Mv.Accounts.User do
  use Ash.Resource, ...
  policies do
-    # SPECIAL CASE: Users can always access their own account
+    # 1. AshAuthentication Bypass (registration/login without actor)
-    # This takes precedence over permission checks
+    bypass AshAuthentication.Checks.AshAuthenticationInteraction do
-    policy action_type([:read, :update]) do
+      authorize_if always()
-      description "Users can always read and update their own account"
+    end
    # 2. NoActor Bypass (test environment only, for test fixtures)
    bypass action_type([:create, :read, :update, :destroy]) do
      authorize_if Mv.Authorization.Checks.NoActor
    end
    # 3. SPECIAL CASE: Users can always READ their own account
    # Bypass needed for list queries (expr() triggers auto_filter in Ash)
    # UPDATE is handled by HasPermission below (scope :own works with changesets)
    bypass action_type(:read) do
      description "Users can always read their own account"
      authorize_if expr(id == ^actor(:id))
    end
-    # GENERAL: Other operations require permission
+    # 4. GENERAL: Check permissions from user's role
-    # (e.g., admin reading/updating other users, admin destroying users)
+    # - :own_data → can UPDATE own user (scope :own via HasPermission)
    # - :read_only → can UPDATE own user (scope :own via HasPermission)
    # - :normal_user → can UPDATE own user (scope :own via HasPermission)
    # - :admin → can read/create/update/destroy all users (scope :all)
    policy action_type([:read, :create, :update, :destroy]) do
-      description "Check permissions from user's role"
+      description "Check permissions from user's role and permission set"
      authorize_if Mv.Authorization.Checks.HasPermission
    end
-    # DEFAULT: Forbid if no policy matched
+    # 5. DEFAULT: Ash implicitly forbids if no policy authorizes (fail-closed)
    policy action_type([:read, :create, :update, :destroy]) do
      forbid_if always()
    end
  end
  # ...
 end
 ```
 **Why Bypass for READ but not UPDATE?**
 - **READ list queries** (`Ash.read(User, actor: user)`): No record at strict_check time → HasPermission returns `{:ok, false}` → auto_filter not called → bypass with `expr()` needed ✅
 - **UPDATE operations** (`Ash.update(changeset, actor: user)`): Changeset contains record → HasPermission can evaluate `scope :own` correctly → works via HasPermission ✅
 **Permission Matrix:**
 | Action | Mitglied | Vorstand | Kassenwart | Buchhaltung | Admin |
 |--------|----------|----------|------------|-------------|-------|
-| Read own | ✅ (special) | ✅ (special) | ✅ (special) | ✅ (special) | ✅ |
+| Read own | ✅ (bypass) | ✅ (bypass) | ✅ (bypass) | ✅ (bypass) | ✅ (scope :all) |
-| Update own | ✅ (special) | ✅ (special) | ✅ (special) | ✅ (special) | ✅ |
+| Update own | ✅ (scope :own) | ✅ (scope :own) | ✅ (scope :own) | ✅ (scope :own) | ✅ (scope :all) |
-| Read others | ❌ | ❌ | ❌ | ❌ | ✅ |
+| Read others | ❌ | ❌ | ❌ | ❌ | ✅ (scope :all) |
-| Update others | ❌ | ❌ | ❌ | ❌ | ✅ |
+| Update others | ❌ | ❌ | ❌ | ❌ | ✅ (scope :all) |
-| Create | ❌ | ❌ | ❌ | ❌ | ✅ |
+| Create | ❌ | ❌ | ❌ | ❌ | ✅ (scope :all) |
-| Destroy | ❌ | ❌ | ❌ | ❌ | ✅ |
+| Destroy | ❌ | ❌ | ❌ | ❌ | ✅ (scope :all) |
 **Note:** This pattern is consistent with Member resource policies (bypass for READ, HasPermission for UPDATE).
 ### Member Resource Policies
 **Location:** `lib/mv/membership/member.ex`
-**Special Case:** Users can always READ their linked member (where `id == user.member_id`).
+**Pattern:** Bypass for READ (list queries), HasPermission for UPDATE (with scope :linked).
 **Key Insight:** Same pattern as User - bypass with `expr()` is needed ONLY for READ list queries. UPDATE operations work correctly via HasPermission because a changeset with record is available.
 ```elixir
 defmodule Mv.Membership.Member do
  use Ash.Resource, ...
  policies do
-    # SPECIAL CASE: Users can always access their linked member
+    # 1. NoActor Bypass (test environment only, for test fixtures)
-    policy action_type([:read, :update]) do
+    bypass action_type([:create, :read, :update, :destroy]) do
-      description "Users can access member linked to their account"
+      authorize_if Mv.Authorization.Checks.NoActor
      authorize_if expr(user_id == ^actor(:id))
    end
-    # GENERAL: Check permissions from role
+    # 2. SPECIAL CASE: Users can always READ their linked member
    # Bypass needed for list queries (expr() triggers auto_filter in Ash)
    # UPDATE is handled by HasPermission below (scope :linked works with changesets)
    bypass action_type(:read) do
      description "Users can always read member linked to their account"
      authorize_if expr(id == ^actor(:member_id))
    end
    # 3. GENERAL: Check permissions from role
    # - :own_data → can UPDATE linked member (scope :linked via HasPermission)
    # - :read_only → can READ all members (scope :all), no update permission
    # - :normal_user → can CRUD all members (scope :all)
    # - :admin → can CRUD all members (scope :all)
    policy action_type([:read, :create, :update, :destroy]) do
      description "Check permissions from user's role"
      authorize_if Mv.Authorization.Checks.HasPermission
    end
-    # DEFAULT: Forbid
+    # 4. DEFAULT: Ash implicitly forbids if no policy authorizes (fail-closed)
    policy action_type([:read, :create, :update, :destroy]) do
      forbid_if always()
    end
  end
  # Custom validation for email editing (see Special Cases section)
@ -956,6 +1044,11 @@ defmodule Mv.Membership.Member do
 end
 ```
 **Why Bypass for READ but not UPDATE?**
 - **READ list queries**: No record at strict_check time → bypass with `expr(id == ^actor(:member_id))` needed for auto_filter ✅
 - **UPDATE operations**: Changeset contains record → HasPermission evaluates `scope :linked` correctly ✅
 **Permission Matrix:**
 | Action | Mitglied | Vorstand | Kassenwart | Buchhaltung | Admin |
@ -1555,7 +1648,7 @@ end
 **Navbar with conditional links:**
 ```heex
-<!-- lib/mv_web/components/layouts/navbar.html.heex -->
+<!-- Note: Navbar has been replaced with Sidebar (lib/mv_web/components/layouts/sidebar.ex) -->
 <nav class="navbar">
  <!-- Always visible -->
  <.link navigate="/">Home</.link>
@ -1651,17 +1744,21 @@ end
 **Implementation:**
-Policy in `User` resource places this check BEFORE the general `HasPermission` check:
+Policy in `User` resource uses a two-tier approach:
 - **READ**: Bypass with `expr()` for list queries (auto_filter)
 - **UPDATE**: HasPermission with `scope :own` (evaluates PermissionSets)
 ```elixir
 policies do
-  # SPECIAL CASE: Takes precedence over role permissions
+  # SPECIAL CASE: Users can always READ their own account
-  policy action_type([:read, :update]) do
+  # Bypass needed for list queries (expr() triggers auto_filter in Ash)
-    description "Users can always read and update their own account"
+  bypass action_type(:read) do
    description "Users can always read their own account"
    authorize_if expr(id == ^actor(:id))
  end
-  # GENERAL: For other operations (e.g., admin reading other users)
+  # GENERAL: Check permissions from user's role
  # UPDATE uses scope :own from PermissionSets (all sets grant User.update :own)
  policy action_type([:read, :create, :update, :destroy]) do
    authorize_if Mv.Authorization.Checks.HasPermission
  end
@ -1669,10 +1766,53 @@ end
 ```
 **Why this works:**
- Ash evaluates policies top-to-bottom
+- READ bypass handles list queries correctly (auto_filter)
- First matching policy wins
+- UPDATE is handled by HasPermission with `scope :own` from PermissionSets
- Special case catches own-account access before checking permissions
+- All permission sets (`:own_data`, `:read_only`, `:normal_user`, `:admin`) grant `User.update :own`
- Even a user with `own_data` (no admin permissions) can update their credentials
+- Even a user with `read_only` (read-only for member data) can update their own credentials
 **Important:** UPDATE is NOT an unverrückbarer Spezialfall (hardcoded bypass). It is controlled by PermissionSets. If a permission set is changed to remove `User.update :own`, users with that set will lose the ability to update their credentials. See "User Credentials: Why read_only Can Still Update" below for details.
 ### 1a. User Credentials: Why read_only Can Still Update
 **Question:** If `read_only` means "read-only", why can users with this permission set still update their own credentials?
 **Answer:** The `read_only` permission set refers to **member data**, NOT user credentials. All permission sets grant `User.update :own` to allow password changes and profile updates.
 **Implementation Details:**
 1. **UPDATE is controlled by PermissionSets**, not a hardcoded bypass
 2. **All 4 permission sets** (`:own_data`, `:read_only`, `:normal_user`, `:admin`) explicitly grant:
   ```elixir
   %{resource: "User", action: :update, scope: :own, granted: true}
   ```
 3. **HasPermission** evaluates `scope :own` for UPDATE operations (when a changeset with record is present)
 4. **No special bypass** is needed for UPDATE - it works correctly via HasPermission
 **Why This Design?**
 - **Flexibility:** Permission sets can be modified to change UPDATE behavior
 - **Consistency:** All permissions are centralized in PermissionSets
 - **Clarity:** The name "read_only" refers to member data, not user credentials
 - **Maintainability:** Easy to see what each role can do in PermissionSets module
 **Warning:** If a permission set is changed to remove `User.update :own`, users with that set will **lose the ability to update their credentials**. This is intentional - UPDATE is controlled by PermissionSets, not hardcoded.
 **Example:**
 ```elixir
 # In PermissionSets.get_permissions(:read_only)
 resources: [
  # User: Can read/update own credentials only
  # IMPORTANT: "read_only" refers to member data, NOT user credentials.
  # All permission sets grant User.update :own to allow password changes.
  %{resource: "User", action: :read, scope: :own, granted: true},
  %{resource: "User", action: :update, scope: :own, granted: true},
  # Member: Can read all members, no modifications
  %{resource: "Member", action: :read, scope: :all, granted: true},
  # Note: No Member.update permission - this is the "read_only" part
 ]
 ```
 ### 2. Linked Member Email Editing
@ -2483,8 +2623,242 @@ iex> MvWeb.Authorization.can_access_page?(user, "/members/new")
 ---
 ## Authorization Bootstrap Patterns
 This section clarifies three different mechanisms for bypassing standard authorization, their purposes, and when to use each.
 ### Overview
 The codebase uses three authorization bypass mechanisms:
 1. **NoActor** - Test-only bypass (compile-time secured)
 2. **system_actor** - Admin user for systemic operations
 3. **authorize?: false** - Bootstrap bypass for circular dependencies
 **All three are necessary and serve different purposes.**
 ### 1. NoActor Check
 **Purpose:** Allows CRUD operations without actor in test environment only.
 **Implementation:**
 ```elixir
 # lib/mv/authorization/checks/no_actor.ex
@allow_no_actor_bypass Application.compile_env(:mv, :allow_no_actor_bypass, false)
 def match?(nil, _context, _opts) do
  @allow_no_actor_bypass  # true in test.exs, false elsewhere
 end
 ```
 **Security:**
 - Compile-time flag (not runtime `Mix.env()` check)
 - Default: false (fail-closed)
 - Only enabled in `config/test.exs`
 **Use Case:** Test fixtures without verbose actor setup:
 ```elixir
 # With NoActor (test environment only)
 member = create_member(%{name: "Test"})
 # Production behavior (NoActor returns false)
 member = create_member(%{name: "Test"}, actor: user)
 ```
 **Trade-off:** May mask tests that should fail without actor. Mitigated by explicit policy tests (e.g., `test/mv/accounts/user_policies_test.exs`).
 ### 2. System Actor
 **Purpose:** Admin user for systemic operations that must always succeed regardless of user permissions.
 **Implementation:**
 ```elixir
 system_actor = Mv.Helpers.SystemActor.get_system_actor()
 # => %User{email: "system@mila.local", role: %{permission_set_name: "admin"}}
 ```
 **Security:**
 - No password (hashed_password = nil) → cannot login
 - No OIDC ID (oidc_id = nil) → cannot authenticate
 - Cached in Agent for performance
 - Created automatically in test environment if missing
 **Use Cases:**
 - **Email synchronization** (User ↔ Member email sync)
 - **Email uniqueness validation** (cross-resource checks)
 - **Cycle generation** (mandatory side effect)
 - **OIDC account linking** (user not yet logged in)
 - **Cross-resource validations** (must work regardless of actor)
 **Example:**
 ```elixir
 def get_linked_member(%{member_id: id}) do
  system_actor = SystemActor.get_system_actor()
  opts = Helpers.ash_actor_opts(system_actor)
  # Email sync must work regardless of user permissions
  Ash.get(Mv.Membership.Member, id, opts)
 end
 ```
 **Why not `authorize?: false`?**
 - System actor is explicit (clear intent: "systemic operation")
 - Policies are evaluated (with admin rights)
 - Audit trail (actor.email = "system@mila.local")
 - Consistent authorization flow
 - Testable
 ### 3. authorize?: false
 **Purpose:** Skip policies for bootstrap scenarios with circular dependencies.
 **Use Cases:**
 **1. Seeds** - No admin exists yet to use as actor:
 ```elixir
 # priv/repo/seeds.exs
 Accounts.create_user!(%{email: admin_email},
  authorize?: false  # Bootstrap: no admin exists yet
 )
 ```
 **2. SystemActor Bootstrap** - Chicken-and-egg problem:
 ```elixir
 # lib/mv/helpers/system_actor.ex
 defp find_user_by_email(email) do
  # Need to find system actor, but loading requires system actor!
  Mv.Accounts.User
  |> Ash.Query.filter(email == ^email)
  |> Ash.read_one(authorize?: false)  # Bootstrap only
 end
 ```
 **3. Actor.ensure_loaded** - Circular dependency:
 ```elixir
 # lib/mv/authorization/actor.ex
 defp load_role(actor) do
  # Actor needs role for authorization,
  # but loading role requires authorization!
  Ash.load(actor, :role, authorize?: false)  # Bootstrap only
 end
 ```
 **4. assign_default_role** - User creation:
 ```elixir
 # User doesn't have actor during creation
 Mv.Authorization.Role
 |> Ash.Query.filter(name == "Mitglied")
 |> Ash.read_one(authorize?: false)  # Bootstrap only
 ```
 **Security:**
 - Very powerful - skips ALL policies
 - Use sparingly and document every usage
 - Only for bootstrap scenarios
 - All current usages are legitimate
 ### Comparison
 | Aspect | NoActor | system_actor | authorize?: false |
 |--------|---------|--------------|-------------------|
 | **Environment** | Test only | All | All |
 | **Actor** | nil | Admin user | nil |
 | **Policies** | Bypassed | Evaluated | Skipped |
 | **Audit Trail** | No | Yes (system@mila.local) | No |
 | **Use Case** | Test fixtures | Systemic operations | Bootstrap |
 | **Explicit?** | Policy bypass | Function call | Query option |
 ### Decision Guide
 **Use NoActor when:**
 - ✅ Writing test fixtures
 - ✅ Compile-time guard ensures test-only
 **Use system_actor when:**
 - ✅ Systemic operation must always succeed
 - ✅ Email synchronization
 - ✅ Cycle generation
 - ✅ Cross-resource validations
 - ✅ OIDC flows (user not logged in)
 **Use authorize?: false when:**
 - ✅ Bootstrap scenario (seeds)
 - ✅ Circular dependency (SystemActor bootstrap, Actor.ensure_loaded)
 - ⚠️ Document with comment explaining why
 **DON'T:**
 - ❌ Use `authorize?: false` for user-initiated actions
 - ❌ Use `authorize?: false` when `system_actor` would work
 - ❌ Enable NoActor outside test environment
 ### The Circular Dependency Problem
 **SystemActor Bootstrap:**
 ```
 SystemActor.get_system_actor()
  ↓ calls find_user_by_email()
  ↓ needs to query User
  ↓ User policies require actor
  ↓ but we're loading the actor!
 Solution: authorize?: false for bootstrap query
 ```
 **Actor.ensure_loaded:**
 ```
 Authorization check (HasPermission)
  ↓ needs actor.role.permission_set_name
  ↓ but role is %Ash.NotLoaded{}
  ↓ load role with Ash.load(actor, :role)
  ↓ but loading requires authorization
  ↓ which needs actor.role!
 Solution: authorize?: false for role load
 ```
 **Why this is safe:**
 - Actor is loading their OWN data (role relationship)
 - Actor already passed authentication boundary
 - Role contains no sensitive data (just permission_set reference)
 - Alternative (denormalize permission_set_name) adds complexity
 ### Examples
 **Good - system_actor for systemic operation:**
 ```elixir
 defp check_if_email_used(email) do
  system_actor = SystemActor.get_system_actor()
  opts = Helpers.ash_actor_opts(system_actor)
  # Validation must work regardless of current actor
  Ash.read(User, opts)
 end
 ```
 **Good - authorize?: false for bootstrap:**
 ```elixir
 # Seeds - no admin exists yet
 Accounts.create_user!(%{email: admin_email}, authorize?: false)
 ```
 **Bad - authorize?: false for user action:**
 ```elixir
 # WRONG: Bypasses all policies for user-initiated action
 def delete_member(member) do
  Ash.destroy(member, authorize?: false)  # ❌ Don't do this!
 end
 # CORRECT: Use actor
 def delete_member(member, actor) do
  Ash.destroy(member, actor: actor)  # ✅ Policies enforced
 end
 ```
 ---
 **Document Version:** 2.0 (Clean Rewrite)  
-**Last Updated:** 2025-01-13  
+**Last Updated:** 2026-01-23  
 **Implementation Status:** ✅ Complete (2026-01-08)  
 **Status:** Ready for Implementation  
 **Changes from V1:**
@ -2498,6 +2872,9 @@ iex> MvWeb.Authorization.can_access_page?(user, "/members/new")
 - Added comprehensive security section
 - Enhanced edge case documentation
 **Changes from V2.0:**
 - Added "Authorization Bootstrap Patterns" section explaining NoActor, system_actor, and authorize?: false
 ---
 **End of Architecture Document**
--- a/docs/roles-and-permissions-implementation-plan.md
+++ b/docs/roles-and-permissions-implementation-plan.md
@ -2,7 +2,8 @@
 **Version:** 2.0 (Clean Rewrite)  
 **Date:** 2025-01-13  
-**Status:** Ready for Implementation  
+**Last Updated:** 2026-01-13  
 **Status:** ✅ Implemented (2026-01-08, PR #346, closes #345)  
 **Related Documents:**
 - [Overview](./roles-and-permissions-overview.md) - High-level concepts
 - [Architecture](./roles-and-permissions-architecture.md) - Technical specification
@ -523,61 +524,68 @@ Add authorization policies to the Member resource using the new `HasPermission`
 **Size:** M (2 days)  
 **Dependencies:** #6 (HasPermission check)  
 **Can work in parallel:** Yes (parallel with #7, #9, #10)  
-**Assignable to:** Backend Developer
+**Assignable to:** Backend Developer  
 **Status:** ✅ **COMPLETED**
 **Description:**
-Add authorization policies to the User resource. Special case: Users can always read/update their own credentials.
+Add authorization policies to the User resource. Users can always read their own credentials (via bypass), and update their own credentials (via HasPermission with scope :own).
 **Implementation Pattern:**
 Following the same pattern as Member resource:
 - **Bypass for READ** - Handles list queries (auto_filter)
 - **HasPermission for UPDATE** - Handles updates with scope :own
 **Tasks:**
-1. Open `lib/mv/accounts/user.ex`
+1. ✅ Open `lib/accounts/user.ex`
-2. Add `policies` block
+2. ✅ Add `policies` block
-3. Add special policy: Allow user to always access their own account (before general policy)
+3. ✅ Add AshAuthentication bypass (registration/login without actor)
 4. ✅ Add NoActor bypass (test environment only)
 5. ✅ Add bypass for READ: Allow user to always read their own account
   ```elixir
-   policy action_type([:read, :update]) do
+   bypass action_type(:read) do
     description "Users can always read their own account"
     authorize_if expr(id == ^actor(:id))
   end
   ```
-4. Add general policy: Check HasPermission for all actions
+6. ✅ Add general policy: Check HasPermission for all actions (including UPDATE with scope :own)
-5. Ensure :destroy is admin-only (via HasPermission)
+7. ✅ Ensure :destroy is admin-only (via HasPermission)
-6. Preload :role relationship for actor
+8. ✅ Preload :role relationship for actor in tests
 **Policy Order:**
-1. Allow user to read/update own account (id == actor.id)
+1. ✅ AshAuthentication bypass (registration/login)
-2. Check HasPermission (for admin operations)
+2. ✅ NoActor bypass (test environment)
-3. Default: Forbid
+3. ✅ Bypass: User can READ own account (id == actor.id)
 4. ✅ HasPermission: General permission check (UPDATE uses scope :own, admin uses scope :all)
 5. ✅ Default: Ash implicitly forbids (fail-closed)
 **Why Bypass for READ but not UPDATE?**
 - **READ list queries**: No record at strict_check time → bypass with `expr()` needed for auto_filter ✅
 - **UPDATE operations**: Changeset contains record → HasPermission evaluates `scope :own` correctly ✅
 This ensures `scope :own` in PermissionSets is actually used (not redundant).
 **Acceptance Criteria:**
- [ ] User can always read/update own credentials
+- ✅ User can always read own credentials (via bypass)
- [ ] Only admin can read/update other users
+- ✅ User can always update own credentials (via HasPermission with scope :own)
- [ ] Only admin can destroy users
+- ✅ Only admin can read/update other users (scope :all)
- [ ] Policy order is correct
+- ✅ Only admin can destroy users (scope :all)
- [ ] Actor preloads :role relationship
+- ✅ Policy order is correct (AshAuth → NoActor → Bypass READ → HasPermission)
 - ✅ Actor preloads :role relationship
 - ✅ All tests pass (30/31 pass, 1 skipped)
-**Test Strategy (TDD):**
+**Test Results:**
 **Own Data Tests (All Roles):**
 - User with :own_data can read own user record
 - User with :own_data can update own email/password
 - User with :own_data cannot read other users
 - User with :read_only can read own data
 - User with :normal_user can read own data
 - Verify special policy takes precedence
 **Admin Tests:**
 - Admin can read all users
 - Admin can update any user's credentials
 - Admin can destroy users
 - Admin has unrestricted access
 **Forbidden Tests:**
 - Non-admin cannot read other users
 - Non-admin cannot update other users
 - Non-admin cannot destroy users
 **Test File:** `test/mv/accounts/user_policies_test.exs`
 - ✅ 31 tests total: 30 passing, 1 skipped (AshAuthentication edge case)
 - ✅ Tests for all 4 permission sets: own_data, read_only, normal_user, admin
 - ✅ Tests for AshAuthentication bypass (registration/login)
 - ✅ Tests for NoActor bypass (test environment)
 - ✅ Tests verify scope :own is used for UPDATE (not redundant)
 ---
--- a/docs/roles-and-permissions-overview.md
+++ b/docs/roles-and-permissions-overview.md
@ -3,8 +3,8 @@
 **Project:** Mila - Membership Management System  
 **Feature:** Role-Based Access Control (RBAC) with Hardcoded Permission Sets  
 **Version:** 2.0  
-**Last Updated:** 2025-11-13  
+**Last Updated:** 2026-01-13  
-**Status:** Architecture Design - MVP Approach
+**Status:** ✅ Implemented (2026-01-08, PR #346, closes #345)
 ---
--- a/docs/sidebar-analysis-current-state.md
+++ b/docs/sidebar-analysis-current-state.md
@ -1,747 +0,0 @@
 # Sidebar Analysis - Current State
 **Erstellt:** 2025-12-16  
 **Status:** Analyse für Neuimplementierung  
 **Autor:** Cursor AI Assistant
 ---
 ## Executive Summary
 Die aktuelle Sidebar-Implementierung verwendet **nicht existierende Custom-CSS-Variants** (`is-drawer-close:` und `is-drawer-open:`), was zu einer defekten Implementierung führt. Die Sidebar ist strukturell basierend auf DaisyUI's Drawer-Komponente, aber die responsive und state-basierte Funktionalität ist nicht funktionsfähig.
 **Kritisches Problem:** Die im Code verwendeten Variants `is-drawer-close:*` und `is-drawer-open:*` sind **nicht in Tailwind konfiguriert**, was bedeutet, dass diese Klassen beim Build ignoriert werden.
 ---
 ## 1. Dateien-Übersicht
 ### 1.1 Hauptdateien
 | Datei | Zweck | Zeilen | Status |
 |-------|-------|--------|--------|
 | `lib/mv_web/components/layouts/sidebar.ex` | Sidebar-Komponente (Elixir) | 198 | ⚠️ Verwendet nicht existierende Variants |
 | `lib/mv_web/components/layouts/navbar.ex` | Navbar mit Sidebar-Toggle | 48 | ✅ Funktional |
 | `lib/mv_web/components/layouts.ex` | Layout-Wrapper mit Drawer | 121 | ✅ Funktional |
 | `assets/js/app.js` | JavaScript für Sidebar-Interaktivität | 272 | ✅ Umfangreiche Accessibility-Logik |
 | `assets/css/app.css` | CSS-Konfiguration | 103 | ⚠️ Keine Drawer-Variants definiert |
 | `assets/tailwind.config.js` | Tailwind-Konfiguration | 75 | ⚠️ Keine Drawer-Variants definiert |
 ### 1.2 Verwandte Dateien
 - `lib/mv_web/components/layouts/root.html.heex` - Root-Layout (minimal, keine Sidebar-Logik)
 - `priv/static/images/logo.svg` - Logo (wird vermutlich für Sidebar benötigt)
 ---
 ## 2. Aktuelle Struktur
 ### 2.1 HTML-Struktur (DaisyUI Drawer Pattern)
 ```html
 <!-- In layouts.ex -->
 <div class="drawer">
  <input id="main-drawer" type="checkbox" class="drawer-toggle" />
  <div class="drawer-content">
    <!-- Navbar mit Toggle-Button -->
    <navbar with sidebar-toggle button />
    <!-- Hauptinhalt -->
    <main>...</main>
  </div>
  <!-- Sidebar -->
  <div class="drawer-side">
    <button class="drawer-overlay" onclick="close drawer"></button>
    <nav id="main-sidebar">
      <!-- Navigation Items -->
    </nav>
  </div>
 </div>
 ```
 **Bewertung:** ✅ Korrekte DaisyUI Drawer-Struktur
 ### 2.2 Sidebar-Komponente (`sidebar.ex`)
 **Struktur:**
 ```elixir
 defmodule MvWeb.Layouts.Sidebar do
  attr :current_user, :map
  attr :club_name, :string
  def sidebar(assigns) do
    # Rendert Sidebar mit Navigation, Locale-Selector, Theme-Toggle, User-Menu
  end
 end
 ```
 **Hauptelemente:**
 1. **Drawer Overlay** - Button zum Schließen (Mobile)
 2. **Navigation Container** (`<nav id="main-sidebar">`)
 3. **Menü-Items** - Members, Users, Contributions (nested), Settings
 4. **Footer-Bereich** - Locale-Selector, Theme-Toggle, User-Menu
 ---
 ## 3. Custom CSS Variants - KRITISCHES PROBLEM
 ### 3.1 Verwendete Variants im Code
 Die Sidebar verwendet folgende Custom-Variants **extensiv**:
 ```elixir
 # Beispiele aus sidebar.ex
 "is-drawer-close:overflow-visible"
 "is-drawer-close:w-14 is-drawer-open:w-64"
 "is-drawer-close:hidden"
 "is-drawer-close:tooltip is-drawer-close:tooltip-right"
 "is-drawer-close:w-auto"
 "is-drawer-close:justify-center"
 "is-drawer-close:dropdown-end"
 ```
 **Gefundene Verwendungen:**
 - `is-drawer-close:` - 13 Instanzen in sidebar.ex
 - `is-drawer-open:` - 1 Instanz in sidebar.ex
 ### 3.2 Definition der Variants
 **❌ NICHT GEFUNDEN in:**
 - `assets/css/app.css` - Enthält nur `phx-*-loading` Variants
 - `assets/tailwind.config.js` - Enthält nur `phx-*-loading` Variants
 **Fazit:** Diese Variants existieren **nicht** und werden beim Tailwind-Build **ignoriert**!
 ### 3.3 Vorhandene Variants
 Nur folgende Custom-Variants sind tatsächlich definiert:
 ```css
 /* In app.css (Tailwind CSS 4.x Syntax) */
@custom-variant phx-click-loading (.phx-click-loading&, .phx-click-loading &);
@custom-variant phx-submit-loading (.phx-submit-loading&, .phx-submit-loading &);
@custom-variant phx-change-loading (.phx-change-loading&, .phx-change-loading &);
 ```
 ```javascript
 /* In tailwind.config.js (Tailwind 3.x Kompatibilität) */
 plugin(({addVariant}) => addVariant("phx-click-loading", [...])),
 plugin(({addVariant}) => addVariant("phx-submit-loading", [...])),
 plugin(({addVariant}) => addVariant("phx-change-loading", [...])),
 ```
 ---
 ## 4. JavaScript-Implementierung
 ### 4.1 Übersicht
 Die JavaScript-Implementierung ist **sehr umfangreich** und fokussiert auf Accessibility:
 **Datei:** `assets/js/app.js` (Zeilen 106-270)
 **Hauptfunktionalitäten:**
 1. ✅ Tabindex-Management für fokussierbare Elemente
 2. ✅ ARIA-Attribut-Management (`aria-expanded`)
 3. ✅ Keyboard-Navigation (Enter, Space, Escape)
 4. ✅ Focus-Management beim Öffnen/Schließen
 5. ✅ Dropdown-Integration
 ### 4.2 Wichtige JavaScript-Funktionen
 #### 4.2.1 Tabindex-Management
 ```javascript
 const updateSidebarTabIndex = (isOpen) => {
  const allFocusableElements = sidebar.querySelectorAll(
    'a[href], button, select, input:not([type="hidden"]), [tabindex]'
  )
  allFocusableElements.forEach(el => {
    if (isOpen) {
      // Make focusable when open
      el.removeAttribute('tabindex')
    } else {
      // Remove from tab order when closed
      el.setAttribute('tabindex', '-1')
    }
  })
 }
 ```
 **Zweck:** Verhindert, dass Nutzer mit Tab zu unsichtbaren Sidebar-Elementen springen können.
 #### 4.2.2 ARIA-Expanded Management
 ```javascript
 const updateAriaExpanded = () => {
  const isOpen = drawerToggle.checked
  sidebarToggle.setAttribute("aria-expanded", isOpen.toString())
 }
 ```
 **Zweck:** Informiert Screen-Reader über den Sidebar-Status.
 #### 4.2.3 Focus-Management
 ```javascript
 const getFirstFocusableElement = () => {
  // Priority: navigation link > other links > other focusable
  const firstNavLink = sidebar.querySelector('a[href][role="menuitem"]')
  // ... fallback logic
 }
 // On open: focus first element
 // On close: focus toggle button
 ```
 **Zweck:** Logische Fokus-Reihenfolge für Keyboard-Navigation.
 #### 4.2.4 Keyboard-Shortcuts
 ```javascript
 // ESC to close
 document.addEventListener("keydown", (e) => {
  if (e.key === "Escape" && drawerToggle.checked) {
    drawerToggle.checked = false
    sidebarToggle.focus()
  }
 })
 // Enter/Space on toggle button
 sidebarToggle.addEventListener("keydown", (e) => {
  if (e.key === "Enter" || e.key === " ") {
    // Toggle drawer and manage focus
  }
 })
 ```
 ### 4.3 LiveView Hooks
 **Definierte Hooks:**
 ```javascript
 Hooks.CopyToClipboard = { ... }  // Clipboard-Funktionalität
 Hooks.ComboBox = { ... }         // Dropdown-Prävention bei Enter
 ```
 **Sidebar-spezifisch:** Keine Hooks, nur native DOM-Events.
 ---
 ## 5. DaisyUI Dependencies
 ### 5.1 Verwendete DaisyUI-Komponenten
 | Komponente | Verwendung | Klassen |
 |------------|-----------|---------|
 | **Drawer** | Basis-Layout | `drawer`, `drawer-toggle`, `drawer-side`, `drawer-content`, `drawer-overlay` |
 | **Menu** | Navigation | `menu`, `menu-title`, `w-64` |
 | **Button** | Toggle, User-Menu | `btn`, `btn-ghost`, `btn-square`, `btn-circle` |
 | **Avatar** | User-Menu | `avatar`, `avatar-placeholder` |
 | **Dropdown** | User-Menu | `dropdown`, `dropdown-top`, `dropdown-end`, `dropdown-content` |
 | **Tooltip** | Icon-Tooltips | `tooltip`, `tooltip-right` (via `data-tip`) |
 | **Select** | Locale-Selector | `select`, `select-sm` |
 | **Toggle** | Theme-Switch | `toggle`, `theme-controller` |
 ### 5.2 Standard Tailwind-Klassen
 **Layout:**
 - `flex`, `flex-col`, `items-start`, `justify-center`
 - `gap-2`, `gap-4`, `p-4`, `mt-auto`, `w-full`, `w-64`, `min-h-full`
 **Sizing:**
 - `size-4`, `size-5`, `w-12`, `w-52`
 **Colors:**
 - `bg-base-100`, `bg-base-200`, `text-neutral-content`
 **Typography:**
 - `text-lg`, `text-sm`, `font-bold`
 **Accessibility:**
 - `sr-only`, `focus:outline-none`, `focus:ring-2`, `focus:ring-primary`
 ---
 ## 6. Toggle-Button (Navbar)
 ### 6.1 Implementierung
 **Datei:** `lib/mv_web/components/layouts/navbar.ex`
 ```elixir
 <button
  type="button"
  onclick="document.getElementById('main-drawer').checked = !document.getElementById('main-drawer').checked"
  aria-label={gettext("Toggle navigation menu")}
  aria-expanded="false"
  aria-controls="main-sidebar"
  id="sidebar-toggle"
  class="mr-2 btn btn-square btn-ghost"
 >
  <svg><!-- Layout-Panel-Left Icon --></svg>
 </button>
 ```
 **Funktionalität:**
 - ✅ Togglet Drawer-Checkbox
 - ✅ ARIA-Labels vorhanden
 - ✅ Keyboard-accessible
 - ⚠️ `aria-expanded` wird durch JavaScript aktualisiert
 **Icon:** Custom SVG (Layout-Panel-Left mit Chevron-Right)
 ---
 ## 7. Responsive Verhalten
 ### 7.1 Aktuelles Konzept (nicht funktional)
 **Versuchte Implementierung:**
 - **Desktop (collapsed):** Sidebar mit 14px Breite (`is-drawer-close:w-14`)
 - **Desktop (expanded):** Sidebar mit 64px Breite (`is-drawer-open:w-64`)
 - **Mobile:** Overlay-Drawer (DaisyUI Standard)
 ### 7.2 Problem
 Da die `is-drawer-*` Variants nicht existieren, gibt es **kein responsives Verhalten**:
 - Die Sidebar hat immer eine feste Breite von `w-64`
 - Die conditional hiding (`:hidden`, etc.) funktioniert nicht
 - Tooltips werden nicht conditional angezeigt
 ---
 ## 8. Accessibility-Features
 ### 8.1 Implementierte Features
 | Feature | Status | Implementierung |
 |---------|--------|-----------------|
 | **ARIA Labels** | ✅ | Alle interaktiven Elemente haben Labels |
 | **ARIA Roles** | ✅ | `menubar`, `menuitem`, `menu`, `button` |
 | **ARIA Expanded** | ✅ | Wird durch JS dynamisch gesetzt |
 | **ARIA Controls** | ✅ | Toggle → Sidebar verknüpft |
 | **Keyboard Navigation** | ✅ | Enter, Space, Escape, Tab |
 | **Focus Management** | ✅ | Logische Focus-Reihenfolge |
 | **Tabindex Management** | ✅ | Verhindert Focus auf hidden Elements |
 | **Screen Reader Only** | ✅ | `.sr-only` für visuelle Labels |
 | **Focus Indicators** | ✅ | `focus:ring-2 focus:ring-primary` |
 | **Skip Links** | ❌ | Nicht vorhanden |
 ### 8.2 Accessibility-Score
 **Geschätzt:** 90/100 (WCAG 2.1 Level AA konform)
 **Verbesserungspotenzial:**
 - Skip-Link zur Hauptnavigation hinzufügen
 - High-Contrast-Mode testen
 ---
 ## 9. Menü-Struktur
 ### 9.1 Navigation Items
 ```
 📋 Main Menu
 ├── 👥 Members (/members)
 ├── 👤 Users (/users)
 ├── 💰 Contributions (collapsed submenu)
 │   ├── Plans (/contribution_types)
 │   └── Settings (/contribution_settings)
 └── ⚙️ Settings (/settings)
 🔽 Footer Area (logged in only)
 ├── 🌐 Locale Selector (DE/EN)
 ├── 🌓 Theme Toggle (Light/Dark)
 └── 👤 User Menu (Dropdown)
    ├── Profile (/users/:id)
    └── Logout (/sign-out)
 ```
 ### 9.2 Conditional Rendering
 **Nicht eingeloggt:**
 - Sidebar ist leer (nur Struktur)
 - Keine Menü-Items
 **Eingeloggt:**
 - Vollständige Navigation
 - Footer-Bereich mit User-Menu
 ### 9.3 Nested Menu (Contributions)
 **Problem:** Das Contributions-Submenu ist **immer versteckt** im collapsed State:
 ```elixir
 <li class="is-drawer-close:hidden" role="none">
  <h2 class="flex items-center gap-2 menu-title">
    <.icon name="hero-currency-dollar" />
    {gettext("Contributions")}
  </h2>
  <ul role="menu">
    <li class="is-drawer-close:hidden">...</li>
    <li class="is-drawer-close:hidden">...</li>
  </ul>
 </li>
 ```
 Da `:hidden` nicht funktioniert, wird das Submenu immer angezeigt.
 ---
 ## 10. Theme-Funktionalität
 ### 10.1 Theme-Toggle
 ```elixir
 <input
  type="checkbox"
  value="dark"
  class="toggle theme-controller"
  aria-label={gettext("Toggle dark mode")}
 />
 ```
 **Funktionalität:**
 - ✅ DaisyUI `theme-controller` - automatische Theme-Umschaltung
 - ✅ Persistence durch `localStorage` (siehe root.html.heex Script)
 - ✅ Icon-Wechsel (Sun ↔ Moon)
 ### 10.2 Definierte Themes
 **Datei:** `assets/css/app.css`
 1. **Light Theme** (default)
   - Base: `oklch(98% 0 0)`
   - Primary: `oklch(70% 0.213 47.604)` (Orange/Phoenix-inspiriert)
 2. **Dark Theme**
   - Base: `oklch(30.33% 0.016 252.42)`
   - Primary: `oklch(58% 0.233 277.117)` (Purple/Elixir-inspiriert)
 ---
 ## 11. Locale-Funktionalität
 ### 11.1 Locale-Selector
 ```elixir
 <form method="post" action="/set_locale">
  <select
    id="locale-select-sidebar"
    name="locale"
    onchange="this.form.submit()"
    class="select select-sm w-full is-drawer-close:w-auto"
  >
    <option value="de">Deutsch</option>
    <option value="en">English</option>
  </select>
 </form>
 ```
 **Funktionalität:**
 - ✅ POST zu `/set_locale` Endpoint
 - ✅ CSRF-Token included
 - ✅ Auto-Submit on change
 - ✅ Accessible Label (`.sr-only`)
 ---
 ## 12. Probleme und Defekte
 ### 12.1 Kritische Probleme
 | Problem | Schweregrad | Details |
 |---------|-------------|---------|
 | **Nicht existierende CSS-Variants** | 🔴 Kritisch | `is-drawer-close:*` und `is-drawer-open:*` sind nicht definiert |
 | **Keine responsive Funktionalität** | 🔴 Kritisch | Sidebar verhält sich nicht wie geplant |
 | **Conditional Styles funktionieren nicht** | 🔴 Kritisch | Hidden/Tooltip/Width-Changes werden ignoriert |
 ### 12.2 Mittlere Probleme
 | Problem | Schweregrad | Details |
 |---------|-------------|---------|
 | **Kein Logo** | 🟡 Mittel | Logo-Element fehlt komplett in der Sidebar |
 | **Submenu immer sichtbar** | 🟡 Mittel | Contributions-Submenu sollte in collapsed State versteckt sein |
 | **Toggle-Icon statisch** | 🟡 Mittel | Icon ändert sich nicht zwischen expanded/collapsed |
 ### 12.3 Kleinere Probleme
 | Problem | Schweregrad | Details |
 |---------|-------------|---------|
 | **Code-Redundanz** | 🟢 Klein | Variants in beiden Tailwind-Configs (3.x und 4.x) |
 | **Inline-onclick Handler** | 🟢 Klein | Sollten durch JS-Events ersetzt werden |
 | **Keine Skip-Links** | 🟢 Klein | Accessibility-Verbesserung |
 ---
 ## 13. Abhängigkeiten
 ### 13.1 Externe Abhängigkeiten
 | Dependency | Version | Verwendung |
 |------------|---------|------------|
 | **DaisyUI** | Latest (vendor) | Drawer, Menu, Button, etc. |
 | **Tailwind CSS** | 4.0.9 | Utility-Klassen |
 | **Heroicons** | v2.2.0 | Icons in Navigation |
 | **Phoenix LiveView** | ~> 1.1.0 | Backend-Integration |
 ### 13.2 Interne Abhängigkeiten
 | Modul | Verwendung |
 |-------|-----------|
 | `MvWeb.Gettext` | Internationalisierung |
 | `Mv.Membership.get_settings()` | Club-Name abrufen |
 | `MvWeb.CoreComponents` | Icons, Links |
 ---
 ## 14. Code-Qualität
 ### 14.1 Positives
 - ✅ **Sehr gute Accessibility-Implementierung**
 - ✅ **Saubere Modulstruktur** (Separation of Concerns)
 - ✅ **Gute Dokumentation** (Moduledocs, Attribute docs)
 - ✅ **Internationalisierung** vollständig implementiert
 - ✅ **ARIA-Best-Practices** befolgt
 - ✅ **Keyboard-Navigation** umfassend
 ### 14.2 Verbesserungsbedarf
 - ❌ **Broken CSS-Variants** (Hauptproblem)
 - ❌ **Fehlende Tests** (keine Component-Tests gefunden)
 - ⚠️ **Inline-JavaScript** in onclick-Attributen
 - ⚠️ **Magic-IDs** (`main-drawer`, `sidebar-toggle`) hardcoded
 - ⚠️ **Komplexe JavaScript-Logik** ohne Dokumentation
 ---
 ## 15. Empfehlungen für Neuimplementierung
 ### 15.1 Sofort-Maßnahmen
 1. **CSS-Variants entfernen**
   - Alle `is-drawer-close:*` und `is-drawer-open:*` entfernen
   - Durch Standard-Tailwind oder DaisyUI-Mechanismen ersetzen
 2. **Logo hinzufügen**
   - Logo-Element als erstes Element in Sidebar
   - Konsistente Größe (32px / size-8)
 3. **Toggle-Icon implementieren**
   - Icon-Swap zwischen Chevron-Left und Chevron-Right
   - Nur auf Desktop sichtbar
 ### 15.2 Architektur-Entscheidungen
 1. **Responsive Strategie:**
   - **Mobile:** Standard DaisyUI Drawer (Overlay)
   - **Desktop:** Persistent Sidebar mit fester Breite
   - **Kein collapsing auf Desktop** (einfacher, wartbarer)
 2. **State-Management:**
   - Drawer-Checkbox für Mobile
   - Keine zusätzlichen Custom-Variants
   - Standard DaisyUI-Mechanismen verwenden
 3. **JavaScript-Refactoring:**
   - Hooks statt inline-onclick
   - Dokumentierte Funktionen
   - Unit-Tests für kritische Logik
 ### 15.3 Prioritäten
 **High Priority:**
 1. CSS-Variants-Problem lösen
 2. Logo implementieren
 3. Basic responsive Funktionalität
 **Medium Priority:**
 4. Toggle-Icon implementieren
 5. Tests schreiben
 6. JavaScript refactoren
 **Low Priority:**
 7. Skip-Links hinzufügen
 8. Code-Optimierung
 9. Performance-Tuning
 ---
 ## 16. Checkliste für Neuimplementierung
 ### 16.1 Vorbereitung
 - [ ] Alle `is-drawer-*` Klassen aus Code entfernen
 - [ ] Keine Custom-Variants in CSS/Tailwind definieren
 - [ ] DaisyUI-Dokumentation für Drawer studieren
 ### 16.2 Implementation
 - [ ] Logo-Element hinzufügen (size-8, persistent)
 - [ ] Toggle-Button mit Icon-Swap (nur Desktop)
 - [ ] Mobile: Overlay-Drawer (DaisyUI Standard)
 - [ ] Desktop: Persistent Sidebar (w-64)
 - [ ] Menü-Items mit korrekten Klassen
 - [ ] Submenu-Handling (nested `<ul>`)
 ### 16.3 Funktionalität
 - [ ] Toggle-Funktionalität auf Mobile
 - [ ] Accessibility: ARIA, Focus, Keyboard
 - [ ] Theme-Toggle funktional
 - [ ] Locale-Selector funktional
 - [ ] User-Menu-Dropdown funktional
 ### 16.4 Testing
 - [ ] Component-Tests schreiben
 - [ ] Accessibility-Tests (axe-core)
 - [ ] Keyboard-Navigation testen
 - [ ] Screen-Reader testen
 - [ ] Responsive Breakpoints testen
 ### 16.5 Dokumentation
 - [ ] Code-Kommentare aktualisieren
 - [ ] Component-Docs schreiben
 - [ ] README aktualisieren
 ---
 ## 17. Technische Details
 ### 17.1 CSS-Selektoren
 **Verwendete IDs:**
 - `#main-drawer` - Drawer-Toggle-Checkbox
 - `#main-sidebar` - Sidebar-Navigation-Container
 - `#sidebar-toggle` - Toggle-Button in Navbar
 - `#locale-select-sidebar` - Locale-Dropdown
 **Verwendete Klassen:**
 - `.drawer-side` - DaisyUI Sidebar-Container
 - `.drawer-overlay` - DaisyUI Overlay-Button
 - `.drawer-content` - DaisyUI Content-Container
 - `.menu` - DaisyUI Menu-Container
 - `.is-drawer-close:*` - ❌ NICHT DEFINIERT
 - `.is-drawer-open:*` - ❌ NICHT DEFINIERT
 ### 17.2 Event-Handler
 **JavaScript:**
 ```javascript
 drawerToggle.addEventListener("change", ...)
 sidebarToggle.addEventListener("click", ...)
 sidebarToggle.addEventListener("keydown", ...)
 document.addEventListener("keydown", ...)  // ESC handler
 ```
 **Inline (zu migrieren):**
 ```elixir
 onclick="document.getElementById('main-drawer').checked = false"
 onclick="document.getElementById('main-drawer').checked = !..."
 onchange="this.form.submit()"
 ```
 ---
 ## 18. Metriken
 ### 18.1 Code-Metriken
 | Metrik | Wert |
 |--------|------|
 | **Zeilen Code (Sidebar)** | 198 |
 | **Zeilen JavaScript** | 165 (Sidebar-spezifisch) |
 | **Zeilen CSS** | 0 (nur Tailwind-Klassen) |
 | **Anzahl Komponenten** | 1 (Sidebar) + 1 (Navbar) |
 | **Anzahl Menü-Items** | 6 (inkl. Submenu) |
 | **Anzahl Footer-Controls** | 3 (Locale, Theme, User) |
 ### 18.2 Abhängigkeits-Metriken
 | Kategorie | Anzahl |
 |-----------|--------|
 | **DaisyUI-Komponenten** | 7 |
 | **Tailwind-Utility-Klassen** | ~50 |
 | **Custom-Variants (broken)** | 2 (`is-drawer-close`, `is-drawer-open`) |
 | **JavaScript-Event-Listener** | 6 |
 | **ARIA-Attribute** | 12 |
 ---
 ## 19. Zusammenfassung
 ### 19.1 Was funktioniert
 ✅ **Sehr gute Grundlage:**
 - DaisyUI Drawer-Pattern korrekt implementiert
 - Exzellente Accessibility (ARIA, Keyboard, Focus)
 - Saubere Modulstruktur
 - Internationalisierung
 - Theme-Switching
 - JavaScript-Logik ist robust
 ### 19.2 Was nicht funktioniert
 ❌ **Kritische Defekte:**
 - CSS-Variants existieren nicht → keine responsive Funktionalität
 - Kein Logo
 - Kein Toggle-Icon-Swap
 - Submenu-Handling defekt
 ### 19.3 Nächste Schritte
 1. **CSS-Variants entfernen** (alle `is-drawer-*` Klassen)
 2. **Standard DaisyUI-Pattern verwenden** (ohne Custom-Variants)
 3. **Logo hinzufügen** (persistent, size-8)
 4. **Simplify:** Mobile = Overlay, Desktop = Persistent (keine collapsed State)
 5. **Tests schreiben** (Component + Accessibility)
 ---
 ## 20. Anhang
 ### 20.1 Verwendete CSS-Klassen (alphabetisch)
 ```
 avatar, avatar-placeholder, bg-base-100, bg-base-200, bg-neutral,
 btn, btn-circle, btn-ghost, btn-square, cursor-pointer, drawer, 
 drawer-content, drawer-overlay, drawer-side, drawer-toggle, dropdown,
 dropdown-content, dropdown-end, dropdown-top, flex, flex-col,
 focus:outline-none, focus:ring-2, focus:ring-primary,
 focus-within:outline-none, focus-within:ring-2, gap-2, gap-4,
 is-drawer-close:*, is-drawer-open:*, items-center, items-start,
 mb-2, menu, menu-sm, menu-title, min-h-full, mr-2, mt-3, mt-auto,
 p-2, p-4, rounded-box, rounded-full, select, select-sm, shadow,
 shadow-sm, size-4, size-5, sr-only, text-lg, text-neutral-content,
 text-sm, theme-controller, toggle, tooltip, tooltip-right, w-12,
 w-52, w-64, w-full, z-1
 ```
 ### 20.2 Verwendete ARIA-Attribute
 ```
 aria-busy, aria-controls, aria-describedby, aria-expanded,
 aria-haspopup, aria-hidden, aria-label, aria-labelledby,
 aria-live, role="alert", role="button", role="menu",
 role="menubar", role="menuitem", role="none", role="status"
 ```
 ### 20.3 Relevante Links
 - [DaisyUI Drawer Docs](https://daisyui.com/components/drawer/)
 - [Tailwind CSS Custom Variants](https://tailwindcss.com/docs/adding-custom-styles#adding-custom-variants)
 - [WCAG 2.1 Guidelines](https://www.w3.org/WAI/WCAG21/quickref/)
 - [Phoenix LiveView Docs](https://hexdocs.pm/phoenix_live_view/)
 ---
 **Ende des Berichts**
--- a/docs/sidebar-requirements-v2.md
+++ b/docs/sidebar-requirements-v2.md
--- a/docs/test-failures-analysis.md
+++ b/docs/test-failures-analysis.md
@ -1,233 +0,0 @@
 # Analyse der fehlschlagenden Tests
 ## Übersicht
 **Gesamtanzahl fehlschlagender Tests:** 5
 - **show_test.exs:** 1 Fehler
 - **sidebar_test.exs:** 4 Fehler
 ---
 ## Kategorisierung
 ### Kategorie 1: Test-Assertions passen nicht zur Implementierung (4 Tests)
 Diese Tests erwarten bestimmte Werte/Attribute, die in der aktuellen Implementierung anders sind oder fehlen.
 ### Kategorie 2: Datenbank-Isolation Problem (1 Test)
 Ein Test schlägt fehl, weil die Datenbank nicht korrekt isoliert ist.
 ---
 ## Detaillierte Analyse
 ### 1. `show_test.exs` - Custom Fields Sichtbarkeit
 **Test:** `does not display Custom Fields section when no custom fields exist` (Zeile 112)
 **Problem:**
 - Der Test erwartet, dass die "Custom Fields" Sektion NICHT angezeigt wird, wenn keine Custom Fields existieren
 - Die Sektion wird aber angezeigt, weil in der Datenbank noch Custom Fields von anderen Tests vorhanden sind
 **Ursache:**
 - Die LiveView lädt alle Custom Fields aus der Datenbank (Zeile 238-242 in `show.ex`)
 - Die Test-Datenbank wird nicht zwischen Tests geleert
 - Da `async: false` verwendet wird, sollten die Tests sequenziell laufen, aber Custom Fields bleiben in der Datenbank
 **Kategorie:** Datenbank-Isolation Problem
 ---
 ### 2. `sidebar_test.exs` - Settings Link
 **Test:** `T3.1: renders flat menu items with icons and labels` (Zeile 174)
 **Problem:**
 - Test erwartet `href="#"` für Settings
 - Tatsächlicher Wert: `href="/settings"`
 **Ursache:**
 - Die Implementierung verwendet einen echten Link `~p"/settings"` (Zeile 100 in `sidebar.ex`)
 - Der Test erwartet einen Placeholder-Link `href="#"`
 **Kategorie:** Test-Assertion passt nicht zur Implementierung
 ---
 ### 3. `sidebar_test.exs` - Drawer Overlay CSS-Klasse
 **Test:** `drawer overlay is present` (Zeile 747)
 **Problem:**
 - Test sucht nach exakt `class="drawer-overlay"`
 - Tatsächlicher Wert: `class="drawer-overlay lg:hidden focus:outline-none focus:ring-2 focus:ring-primary"`
 **Ursache:**
 - Der Test verwendet eine exakte String-Suche (`~s(class="drawer-overlay")`)
 - Die Implementierung hat mehrere CSS-Klassen
 **Kategorie:** Test-Assertion passt nicht zur Implementierung
 ---
 ### 4. `sidebar_test.exs` - Toggle Button ARIA-Attribut
 **Test:** `T5.2: toggle button has correct ARIA attributes` (Zeile 324)
 **Problem:**
 - Test erwartet `aria-controls="main-sidebar"` am Toggle-Button
 - Das Attribut fehlt in der Implementierung (Zeile 45-65 in `sidebar.ex`)
 **Ursache:**
 - Das `aria-controls` Attribut wurde nicht in der Implementierung hinzugefügt
 - Der Test erwartet es für bessere Accessibility
 **Kategorie:** Test-Assertion passt nicht zur Implementierung (Accessibility-Feature fehlt)
 ---
 ### 5. `sidebar_test.exs` - Contribution Settings Link
 **Test:** `sidebar structure is complete with all sections` (Zeile 501)
 **Problem:**
 - Test erwartet Link `/contribution_settings`
 - Tatsächlicher Link: `/membership_fee_settings`
 **Ursache:**
 - Der Test hat eine veraltete/inkorrekte Erwartung
 - Die Implementierung verwendet `/membership_fee_settings` (Zeile 96 in `sidebar.ex`)
 **Kategorie:** Test-Assertion passt nicht zur Implementierung (veralteter Test)
 ---
 ## Lösungsvorschläge
 ### Lösung 1: `show_test.exs` - Custom Fields Sichtbarkeit
 **Option A: Test-Datenbank bereinigen (Empfohlen)**
 - Im `setup` Block alle Custom Fields löschen, bevor der Test läuft
 - Oder: Explizit prüfen, dass keine Custom Fields existieren
 **Option B: Test anpassen**
 - Den Test so anpassen, dass er explizit alle Custom Fields löscht
 - Oder: Die LiveView-Logik ändern, um nur Custom Fields zu laden, die tatsächlich existieren
 **Empfehlung:** Option A - Im Test-Setup alle Custom Fields löschen
 ```elixir
 setup do
  # Clean up any existing custom fields
  Mv.Membership.CustomField
  |> Ash.read!()
  |> Enum.each(&Ash.destroy!/1)
  # Create test member
  {:ok, member} = ...
  %{member: member}
 end
 ```
 ---
 ### Lösung 2: `sidebar_test.exs` - Settings Link
 **Option A: Test anpassen (Empfohlen)**
 - Test ändern, um `href="/settings"` zu erwarten statt `href="#"`
 **Option B: Implementierung ändern**
 - Settings-Link zu `href="#"` ändern (nicht empfohlen, da es ein echter Link sein sollte)
 **Empfehlung:** Option A - Test anpassen
 ```elixir
 # Zeile 190 ändern von:
 assert html =~ ~s(href="#")
 # zu:
 assert html =~ ~s(href="/settings")
 ```
 ---
 ### Lösung 3: `sidebar_test.exs` - Drawer Overlay CSS-Klasse
 **Option A: Test anpassen (Empfohlen)**
 - Test ändern, um nach der Klasse in der Klasse-Liste zu suchen (mit `has_class?` Helper)
 **Option B: Regex verwenden**
 - Regex verwenden, um die Klasse zu finden
 **Empfehlung:** Option A - Test anpassen
 ```elixir
 # Zeile 752 ändern von:
 assert html =~ ~s(class="drawer-overlay")
 # zu:
 assert has_class?(html, "drawer-overlay")
 ```
 ---
 ### Lösung 4: `sidebar_test.exs` - Toggle Button ARIA-Attribut
 **Option A: Implementierung anpassen (Empfohlen)**
 - `aria-controls="main-sidebar"` zum Toggle-Button hinzufügen
 **Option B: Test anpassen**
 - Test entfernen oder als optional markieren (nicht empfohlen für Accessibility)
 **Empfehlung:** Option A - Implementierung anpassen
 ```elixir
 # In sidebar.ex Zeile 45-52, aria-controls hinzufügen:
 <button
  type="button"
  id="sidebar-toggle"
  class="hidden lg:flex ml-auto btn btn-ghost btn-sm btn-square"
  aria-label={gettext("Toggle sidebar")}
  aria-controls="main-sidebar"
  aria-expanded="true"
  onclick="toggleSidebar()"
 >
 ```
 ---
 ### Lösung 5: `sidebar_test.exs` - Contribution Settings Link
 **Option A: Test anpassen (Empfohlen)**
 - Test ändern, um `/membership_fee_settings` statt `/contribution_settings` zu erwarten
 **Option B: Link hinzufügen**
 - Einen neuen Link `/contribution_settings` hinzufügen (nicht empfohlen, da redundant)
 **Empfehlung:** Option A - Test anpassen
 ```elixir
 # Zeile 519 ändern von:
 "/contribution_settings",
 # zu:
 # Entfernen oder durch "/membership_fee_settings" ersetzen
 # (da "/membership_fee_settings" bereits in Zeile 518 vorhanden ist)
 ```
 ---
 ## Zusammenfassung der empfohlenen Änderungen
 1. **show_test.exs:** Custom Fields im Setup löschen
 2. **sidebar_test.exs (T3.1):** Settings-Link Assertion anpassen
 3. **sidebar_test.exs (drawer overlay):** CSS-Klasse-Suche mit Helper-Funktion
 4. **sidebar_test.exs (T5.2):** `aria-controls` Attribut zur Implementierung hinzufügen
 5. **sidebar_test.exs (edge cases):** Falschen Link aus erwarteter Liste entfernen
 ---
 ## Priorisierung
 1. **Hoch:** Lösung 1 (show_test.exs) - Datenbank-Isolation ist wichtig
 2. **Mittel:** Lösung 4 (ARIA-Attribut) - Accessibility-Verbesserung
 3. **Niedrig:** Lösungen 2, 3, 5 - Einfache Test-Anpassungen
--- a/docs/test-status-membership-fee-ui.md
+++ b/docs/test-status-membership-fee-ui.md
@ -1,137 +0,0 @@
 # Test Status: Membership Fee UI Components
 **Date:** 2025-01-XX  
 **Status:** Tests Written - Implementation Complete
 ## Übersicht
 Alle Tests für die Membership Fee UI-Komponenten wurden geschrieben. Die Tests sind TDD-konform geschrieben und sollten erfolgreich laufen, da die Implementation bereits vorhanden ist.
 ## Test-Dateien
 ### Helper Module Tests
 **Datei:** `test/mv_web/helpers/membership_fee_helpers_test.exs`
 - ✅ format_currency/1 formats correctly
 - ✅ format_interval/1 formats all interval types
 - ✅ format_cycle_range/2 formats date ranges correctly
 - ✅ get_last_completed_cycle/2 returns correct cycle
 - ✅ get_current_cycle/2 returns correct cycle
 - ✅ status_color/1 returns correct color classes
 - ✅ status_icon/1 returns correct icon names
 **Status:** Alle Tests sollten erfolgreich sein (Implementation vorhanden)
 **Datei:** `test/mv_web/member_live/index/membership_fee_status_test.exs`
 - ✅ load_cycles_for_members/2 efficiently loads cycles
 - ✅ get_cycle_status_for_member/2 returns correct status
 - ✅ format_cycle_status_badge/1 returns correct badge
 **Status:** Alle Tests sollten erfolgreich sein (Implementation vorhanden)
 ### Member List View Tests
 **Datei:** `test/mv_web/member_live/index_membership_fee_status_test.exs`
 - ✅ Status column displays correctly
 - ✅ Shows last completed cycle status by default
 - ✅ Toggle switches to current cycle view
 - ✅ Color coding for paid/unpaid/suspended
 - ✅ Filter "Unpaid in last cycle" works
 - ✅ Filter "Unpaid in current cycle" works
 - ✅ Handles members without cycles gracefully
 - ✅ Loads cycles efficiently without N+1 queries
 **Status:** Alle Tests sollten erfolgreich sein (Implementation vorhanden)
 ### Member Detail View Tests
 **Datei:** `test/mv_web/member_live/show_membership_fees_test.exs`
 - ✅ Cycles table displays all cycles
 - ✅ Table columns show correct data
 - ✅ Membership fee type dropdown shows only same-interval types
 - ✅ Warning displayed if different interval selected
 - ✅ Status change actions work (mark as paid/suspended/unpaid)
 - ✅ Cycle regeneration works
 - ✅ Handles members without membership fee type gracefully
 **Status:** Alle Tests sollten erfolgreich sein (Implementation vorhanden)
 ### Membership Fee Types Admin Tests
 **Datei:** `test/mv_web/live/membership_fee_type_live/index_test.exs`
 - ✅ List displays all types with correct data
 - ✅ Member count column shows correct count
 - ✅ Create button navigates to form
 - ✅ Edit button per row navigates to edit form
 - ✅ Delete button disabled if type is in use
 - ✅ Delete button works if type is not in use
 - ✅ Only admin can access
 **Status:** Alle Tests sollten erfolgreich sein (Implementation vorhanden)
 **Datei:** `test/mv_web/live/membership_fee_type_live/form_test.exs`
 - ✅ Create form works
 - ✅ Edit form loads existing type data
 - ✅ Interval field editable on create
 - ✅ Interval field grayed out on edit
 - ✅ Amount change warning displays on edit
 - ✅ Amount change warning shows correct affected member count
 - ✅ Amount change can be confirmed
 - ✅ Amount change can be cancelled
 - ✅ Validation errors display correctly
 - ✅ Only admin can access
 **Status:** Alle Tests sollten erfolgreich sein (Implementation vorhanden)
 ### Member Form Tests
 **Datei:** `test/mv_web/member_live/form_membership_fee_type_test.exs`
 - ✅ Membership fee type dropdown displays in form
 - ✅ Shows available types
 - ✅ Filters to same interval types if member has type
 - ✅ Warning displayed if different interval selected
 - ✅ Warning cleared if same interval selected
 - ✅ Form saves with selected membership fee type
 - ✅ New members get default membership fee type
 **Status:** Alle Tests sollten erfolgreich sein (Implementation vorhanden)
 ### Integration Tests
 **Datei:** `test/mv_web/member_live/membership_fee_integration_test.exs`
 - ✅ End-to-end: Create type → Assign to member → View cycles → Change status
 - ✅ End-to-end: Change member type → Cycles regenerate
 - ✅ End-to-end: Update settings → New members get default type
 - ✅ End-to-end: Delete cycle → Confirmation → Cycle deleted
 - ✅ End-to-end: Edit cycle amount → Modal → Amount updated
 **Status:** Alle Tests sollten erfolgreich sein (Implementation vorhanden)
 ## Test-Ausführung
 Alle Tests können mit folgenden Befehlen ausgeführt werden:
 ```bash
 # Alle Tests
 mix test
 # Nur Membership Fee Tests
 mix test test/mv_web/helpers/membership_fee_helpers_test.exs
 mix test test/mv_web/member_live/
 mix test test/mv_web/live/membership_fee_type_live/
 # Mit Coverage
 mix test --cover
 ```
 ## Bekannte Probleme
 Keine bekannten Probleme. Alle Tests sollten erfolgreich laufen, da die Implementation bereits vorhanden ist.
 ## Nächste Schritte
 1. ✅ Tests geschrieben
 2. ⏳ Tests ausführen und verifizieren
 3. ⏳ Eventuelle Anpassungen basierend auf Test-Ergebnissen
 4. ⏳ Code-Review durchführen
--- a/docs/umsetzung-sidebar.md
+++ b/docs/umsetzung-sidebar.md
--- a/docs/user-resource-policies-implementation-summary.md
+++ b/docs/user-resource-policies-implementation-summary.md
@ -0,0 +1,274 @@
 # User Resource Authorization Policies - Implementation Summary
 **Date:** 2026-01-22  
 **Status:** ✅ COMPLETED
 ---
 ## Overview
 Successfully implemented authorization policies for the User resource following the Bypass + HasPermission pattern, ensuring consistency with Member resource policies and proper use of the scope concept from PermissionSets.
 ---
 ## What Was Implemented
 ### 1. Policy Structure in `lib/accounts/user.ex`
 ```elixir
 policies do
  # 1. AshAuthentication Bypass
  bypass AshAuthentication.Checks.AshAuthenticationInteraction do
    authorize_if always()
  end
  # 2. NoActor Bypass (test environment only)
  bypass action_type([:create, :read, :update, :destroy]) do
    authorize_if Mv.Authorization.Checks.NoActor
  end
  # 3. Bypass for READ (list queries via auto_filter)
  bypass action_type(:read) do
    description "Users can always read their own account"
    authorize_if expr(id == ^actor(:id))
  end
  # 4. HasPermission for all operations (uses scope from PermissionSets)
  policy action_type([:read, :create, :update, :destroy]) do
    description "Check permissions from user's role and permission set"
    authorize_if Mv.Authorization.Checks.HasPermission
  end
 end
 ```
 ### 2. Test Suite in `test/mv/accounts/user_policies_test.exs`
 **Coverage:**
 - ✅ 31 tests total: 30 passing, 1 skipped
 - ✅ All 4 permission sets tested: `own_data`, `read_only`, `normal_user`, `admin`
 - ✅ READ operations (list and single record)
 - ✅ UPDATE operations (own and other users)
 - ✅ CREATE operations (admin only)
 - ✅ DESTROY operations (admin only)
 - ✅ AshAuthentication bypass (registration/login)
 - ✅ NoActor bypass (test environment)
 ---
 ## Key Design Decisions
 ### Decision 1: Bypass for READ, HasPermission for UPDATE
 **Rationale:**
 - READ list queries have no record at `strict_check` time
 - `HasPermission` returns `{:ok, false}` for queries without record
 - Ash doesn't call `auto_filter` when `strict_check` returns `false`
 - `expr()` in bypass is handled natively by Ash for `auto_filter`
 **Result:**
 - Bypass handles READ list queries ✅
 - HasPermission handles UPDATE with `scope :own` ✅
 - No redundancy - both are necessary ✅
 ### Decision 2: No Explicit `forbid_if always()`
 **Rationale:**
 - Ash implicitly forbids if no policy authorizes (fail-closed by default)
 - Explicit `forbid_if always()` at the end breaks tests
 - It would forbid valid operations that should be authorized by previous policies
 **Result:**
 - Policies rely on Ash's implicit forbid ✅
 - Tests pass with this approach ✅
 ### Decision 3: Consistency with Member Resource
 **Rationale:**
 - Member resource uses same pattern: Bypass for READ, HasPermission for UPDATE
 - Consistent patterns improve maintainability and predictability
 - Developers can understand authorization logic across resources
 **Result:**
 - User and Member follow identical pattern ✅
 - Authorization logic is consistent throughout the app ✅
 ---
 ## The Scope Concept Is NOT Redundant
 ### Initial Concern
 > "If we use a bypass with `expr(id == ^actor(:id))` for READ, isn't `scope :own` in PermissionSets redundant?"
 ### Resolution
 **NO! The scope concept is essential:**
 1. **Documentation** - `scope :own` clearly expresses intent in PermissionSets
 2. **UPDATE operations** - `scope :own` is USED by HasPermission when changeset contains record
 3. **Admin operations** - `scope :all` allows admins full access
 4. **Maintainability** - All permissions centralized in one place
 **Test Proof:**
 ```elixir
 test "can update own email", %{user: user} do
  # This works via HasPermission with scope :own (NOT bypass)
  {:ok, updated_user} =
    user
    |> Ash.Changeset.for_update(:update_user, %{email: "new@example.com"})
    |> Ash.update(actor: user)
  assert updated_user.email  # ✅ Proves scope :own is used
 end
 ```
 ---
 ## Documentation Updates
 ### 1. Created `docs/policy-bypass-vs-haspermission.md`
 Comprehensive documentation explaining:
 - Why bypass is needed for READ
 - Why HasPermission works for UPDATE
 - Technical deep dive into Ash policy evaluation
 - Test coverage proving the pattern
 - Lessons learned
 ### 2. Updated `docs/roles-and-permissions-architecture.md`
 - Added "Bypass vs. HasPermission: When to Use Which?" section
 - Updated User Resource Policies section with correct implementation
 - Updated Member Resource Policies section for consistency
 - Added pattern comparison table
 ### 3. Updated `docs/roles-and-permissions-implementation-plan.md`
 - Marked Issue #8 as COMPLETED ✅
 - Added implementation details
 - Documented why bypass is needed
 - Added test results
 ---
 ## Test Results
 ### All Relevant Tests Pass
 ```bash
 mix test test/mv/accounts/user_policies_test.exs \
         test/mv/authorization/checks/has_permission_test.exs \
         test/mv/membership/member_policies_test.exs
 # Results:
 # 75 tests: 74 passing, 1 skipped
 # ✅ User policies: 30/31 (1 skipped)
 # ✅ HasPermission check: 21/21
 # ✅ Member policies: 23/23
 ```
 ### Specific Test Coverage
 **Own Data Access (All Roles):**
 - ✅ Can read own user record (via bypass)
 - ✅ Can update own email (via HasPermission with scope :own)
 - ✅ Cannot read other users (filtered by bypass)
 - ✅ Cannot update other users (forbidden by HasPermission)
 - ✅ List returns only own user (auto_filter via bypass)
 **Admin Access:**
 - ✅ Can read all users (HasPermission with scope :all)
 - ✅ Can update other users (HasPermission with scope :all)
 - ✅ Can create users (HasPermission with scope :all)
 - ✅ Can destroy users (HasPermission with scope :all)
 **AshAuthentication:**
 - ✅ Registration works without actor
 - ✅ OIDC registration works
 - ✅ OIDC sign-in works
 **Test Environment:**
 - ✅ Operations without actor work in test environment
 - ✅ NoActor bypass correctly detects compile-time environment
 ---
 ## Files Changed
 ### Implementation
 1. ✅ `lib/accounts/user.ex` - Added policies block (lines 271-315)
 2. ✅ `lib/mv/authorization/checks/has_permission.ex` - Added User resource support in `evaluate_filter_for_strict_check`
 ### Tests
 3. ✅ `test/mv/accounts/user_policies_test.exs` - Created comprehensive test suite (435 lines)
 4. ✅ `test/mv/authorization/checks/has_permission_test.exs` - Updated to expect `false` instead of `:unknown`
 ### Documentation
 5. ✅ `docs/policy-bypass-vs-haspermission.md` - New comprehensive guide (created)
 6. ✅ `docs/roles-and-permissions-architecture.md` - Updated User and Member sections
 7. ✅ `docs/roles-and-permissions-implementation-plan.md` - Marked Issue #8 as completed
 8. ✅ `docs/user-resource-policies-implementation-summary.md` - This file (created)
 ---
 ## Lessons Learned
 ### 1. Test Before Assuming
 The initial plan assumed HasPermission with `scope :own` would be sufficient. Testing revealed that Ash's policy evaluation doesn't reliably call `auto_filter` when `strict_check` returns `false` or `:unknown`.
 ### 2. Bypass Is Not a Workaround, It's a Pattern
 The bypass with `expr()` is not a hack or workaround - it's the **correct pattern** for filter-based authorization in Ash when dealing with list queries.
 ### 3. Scope Concept Remains Essential
 Even with bypass for READ, the scope concept in PermissionSets is essential for:
 - UPDATE/CREATE/DESTROY operations
 - Documentation and maintainability
 - Centralized permission management
 ### 4. Consistency Across Resources
 Following the same pattern (Bypass for READ, HasPermission for UPDATE) across User and Member resources makes the codebase more maintainable and predictable.
 ### 5. Documentation Is Key
 Thorough documentation explaining **WHY** the pattern exists prevents future confusion and ensures the pattern is applied correctly in future resources.
 ---
 ## Future Considerations
 ### If Adding New Resources with Filter-Based Permissions
 Follow the same pattern:
 1. Bypass with `expr()` for READ (list queries)
 2. HasPermission for UPDATE/CREATE/DESTROY (uses scope from PermissionSets)
 3. Define appropriate scopes in PermissionSets (`:own`, `:linked`, `:all`)
 ### If Ash Framework Changes
 If a future version of Ash reliably calls `auto_filter` when `strict_check` returns `:unknown`:
 1. Consider removing bypass for READ
 2. Keep only HasPermission policy
 3. Update tests to verify new behavior
 4. Update documentation
 **For now (Ash 3.13.1), the current pattern is correct and necessary.**
 ---
 ## Conclusion
 ✅ **User Resource Authorization Policies are fully implemented, tested, and documented.**
 The implementation:
 - Follows best practices for Ash policies
 - Is consistent with Member resource pattern
 - Uses the scope concept from PermissionSets effectively
 - Has comprehensive test coverage
 - Is thoroughly documented for future developers
 **Status: PRODUCTION READY** 🎉
--- a/lib/accounts/accounts.ex
+++ b/lib/accounts/accounts.ex
@ -1,6 +1,15 @@
 defmodule Mv.Accounts do
  @moduledoc """
  AshAuthentication specific domain to handle Authentication for users.
  ## Resources
  - `User` - User accounts with authentication methods (password, OIDC)
  - `Token` - Session tokens for authentication
  ## Public API
  The domain exposes these main actions:
  - User CRUD: `create_user/1`, `list_users/0`, `update_user/2`, `destroy_user/1`
  - Authentication: `create_register_with_rauthy/1`, `read_sign_in_with_rauthy/1`
  """
  use Ash.Domain,
    extensions: [AshAdmin.Domain, AshPhoenix]
--- a/lib/accounts/token.ex
+++ b/lib/accounts/token.ex
@ -1,6 +1,10 @@
 defmodule Mv.Accounts.Token do
  @moduledoc """
-  AshAuthentication specific ressource
+  AshAuthentication Token Resource for session management.
  This resource is used by AshAuthentication to manage authentication tokens
  for user sessions. Tokens are automatically created and managed by the
  authentication system.
  """
  use Ash.Resource,
    data_layer: AshPostgres.DataLayer,
--- a/lib/accounts/user.ex
+++ b/lib/accounts/user.ex
@ -5,9 +5,8 @@ defmodule Mv.Accounts.User do
  use Ash.Resource,
    domain: Mv.Accounts,
    data_layer: AshPostgres.DataLayer,
-    extensions: [AshAuthentication]
+    extensions: [AshAuthentication],
-
+    authorizers: [Ash.Policy.Authorizer]
  # authorizers: [Ash.Policy.Authorizer]
  postgres do
    table "users"
@ -267,6 +266,36 @@ defmodule Mv.Accounts.User do
    end
  end
  # Authorization Policies
  # Order matters: Most specific policies first, then general permission check
  policies do
    # AshAuthentication bypass (registration/login without actor)
    bypass AshAuthentication.Checks.AshAuthenticationInteraction do
      description "Allow AshAuthentication internal operations (registration, login)"
      authorize_if always()
    end
    # NoActor bypass (test fixtures only, see no_actor.ex)
    bypass action_type([:create, :read, :update, :destroy]) do
      description "Allow system operations without actor (test environment only)"
      authorize_if Mv.Authorization.Checks.NoActor
    end
    # READ bypass for list queries (scope :own via expr)
    bypass action_type(:read) do
      description "Users can always read their own account"
      authorize_if expr(id == ^actor(:id))
    end
    # UPDATE/DESTROY via HasPermission (evaluates PermissionSets scope)
    policy action_type([:read, :create, :update, :destroy]) do
      description "Check permissions from user's role and permission set"
      authorize_if Mv.Authorization.Checks.HasPermission
    end
    # Default: Ash implicitly forbids if no policy authorizes (fail-closed)
  end
  # Global validations - applied to all relevant actions
  validations do
    # Password strength policy: minimum 8 characters for all password-related actions
--- a/lib/accounts/user/validations/oidc_email_collision.ex
+++ b/lib/accounts/user/validations/oidc_email_collision.ex
@ -42,25 +42,29 @@ defmodule Mv.Accounts.User.Validations.OidcEmailCollision do
    if email && oidc_id && user_info do
      # Check if a user with this oidc_id already exists
      # If yes, this will be an upsert (email update), not a new registration
      # Use SystemActor for authorization during OIDC registration (no logged-in actor)
      system_actor = Mv.Helpers.SystemActor.get_system_actor()
      existing_oidc_user =
        case Mv.Accounts.User
             |> Ash.Query.filter(oidc_id == ^to_string(oidc_id))
-             |> Ash.read_one() do
+             |> Ash.read_one(actor: system_actor) do
          {:ok, user} -> user
          _ -> nil
        end
-      check_email_collision(email, oidc_id, user_info, existing_oidc_user)
+      check_email_collision(email, oidc_id, user_info, existing_oidc_user, system_actor)
    else
      :ok
    end
  end
-  defp check_email_collision(email, new_oidc_id, user_info, existing_oidc_user) do
+  defp check_email_collision(email, new_oidc_id, user_info, existing_oidc_user, system_actor) do
    # Find existing user with this email
    # Use SystemActor for authorization during OIDC registration (no logged-in actor)
    case Mv.Accounts.User
         |> Ash.Query.filter(email == ^to_string(email))
-         |> Ash.read_one() do
+         |> Ash.read_one(actor: system_actor) do
      {:ok, nil} ->
        # No user exists with this email - OK to create new user
        :ok
--- a/lib/membership/member.ex
+++ b/lib/membership/member.ex
@ -124,8 +124,9 @@ defmodule Mv.Membership.Member do
               case result do
                 {:ok, member} ->
                   if member.membership_fee_type_id && member.join_date do
-                     actor = Map.get(changeset.context, :actor)
+                     # Capture initiator for audit trail (if available)
-                     handle_cycle_generation(member, actor: actor)
+                     initiator = Map.get(changeset.context, :actor)
                     handle_cycle_generation(member, initiator: initiator)
                   end
                 {:error, _} ->
@ -196,16 +197,12 @@ defmodule Mv.Membership.Member do
                 Ash.Changeset.changing_attribute?(changeset, :membership_fee_type_id)
               if fee_type_changed && member.membership_fee_type_id && member.join_date do
-                 actor = Map.get(changeset.context, :actor)
+                 case regenerate_cycles_on_type_change(member) do
                 case regenerate_cycles_on_type_change(member, actor: actor) do
                   {:ok, notifications} ->
                     # Return notifications to Ash - they will be sent automatically after commit
                     {:ok, member, notifications}
                   {:error, reason} ->
                     require Logger
                     Logger.warning(
                       "Failed to regenerate cycles for member #{member.id}: #{inspect(reason)}"
                     )
@ -230,8 +227,9 @@ defmodule Mv.Membership.Member do
                   exit_date_changed = Ash.Changeset.changing_attribute?(changeset, :exit_date)
                   if (join_date_changed || exit_date_changed) && member.membership_fee_type_id do
-                     actor = Map.get(changeset.context, :actor)
+                     # Capture initiator for audit trail (if available)
-                     handle_cycle_generation(member, actor: actor)
+                     initiator = Map.get(changeset.context, :actor)
                     handle_cycle_generation(member, initiator: initiator)
                   end
                 {:error, _} ->
@ -409,8 +407,16 @@ defmodule Mv.Membership.Member do
        actor = Map.get(changeset.context || %{}, :actor)
        # Check the current state of the user in the database
-        # Pass actor to ensure proper authorization (User might have policies in future)
+        # Check if authorization is disabled in the parent operation's context
-        case Ash.get(Mv.Accounts.User, user_id, actor: actor) do
+        # Access private context where authorize? flag is stored
        authorize? =
          case get_in(changeset.context, [:private, :authorize?]) do
            false -> false
            _ -> true
          end
        # Pass actor and authorize? to ensure proper authorization (User might have policies in future)
        case Ash.get(Mv.Accounts.User, user_id, actor: actor, authorize?: authorize?) do
          # User is free to be linked
          {:ok, %{member_id: nil}} ->
            :ok
@ -790,37 +796,37 @@ defmodule Mv.Membership.Member do
  # Returns {:ok, notifications} or {:error, reason} where notifications are collected
  # to be sent after transaction commits
  @doc false
-  def regenerate_cycles_on_type_change(member, opts \\ []) do
+  # Uses system actor for cycle regeneration (mandatory side effect)
  def regenerate_cycles_on_type_change(member, _opts \\ []) do
    alias Mv.Helpers
    alias Mv.Helpers.SystemActor
    today = Date.utc_today()
    lock_key = :erlang.phash2(member.id)
    actor = Keyword.get(opts, :actor)
    # Use advisory lock to prevent concurrent deletion and regeneration
    # This ensures atomicity when multiple updates happen simultaneously
    if Mv.Repo.in_transaction?() do
-      regenerate_cycles_in_transaction(member, today, lock_key, actor: actor)
+      regenerate_cycles_in_transaction(member, today, lock_key)
    else
-      regenerate_cycles_new_transaction(member, today, lock_key, actor: actor)
+      regenerate_cycles_new_transaction(member, today, lock_key)
    end
  end
  # Already in transaction: use advisory lock directly
  # Returns {:ok, notifications} - notifications should be returned to after_action hook
-  defp regenerate_cycles_in_transaction(member, today, lock_key, opts) do
+  defp regenerate_cycles_in_transaction(member, today, lock_key) do
    actor = Keyword.get(opts, :actor)
    Ecto.Adapters.SQL.query!(Mv.Repo, "SELECT pg_advisory_xact_lock($1)", [lock_key])
-    do_regenerate_cycles_on_type_change(member, today, skip_lock?: true, actor: actor)
+    do_regenerate_cycles_on_type_change(member, today, skip_lock?: true)
  end
  # Not in transaction: start new transaction with advisory lock
  # Returns {:ok, notifications} - notifications should be sent by caller (e.g., via after_action)
-  defp regenerate_cycles_new_transaction(member, today, lock_key, opts) do
+  defp regenerate_cycles_new_transaction(member, today, lock_key) do
    actor = Keyword.get(opts, :actor)
    Mv.Repo.transaction(fn ->
      Ecto.Adapters.SQL.query!(Mv.Repo, "SELECT pg_advisory_xact_lock($1)", [lock_key])
-      case do_regenerate_cycles_on_type_change(member, today, skip_lock?: true, actor: actor) do
+      case do_regenerate_cycles_on_type_change(member, today, skip_lock?: true) do
        {:ok, notifications} ->
          # Return notifications - they will be sent by the caller
          notifications
@ -838,11 +844,16 @@ defmodule Mv.Membership.Member do
  # Performs the actual cycle deletion and regeneration
  # Returns {:ok, notifications} or {:error, reason}
  # notifications are collected to be sent after transaction commits
  # Uses system actor for all operations
  defp do_regenerate_cycles_on_type_change(member, today, opts) do
    alias Mv.Helpers
    alias Mv.Helpers.SystemActor
    require Ash.Query
    skip_lock? = Keyword.get(opts, :skip_lock?, false)
-    actor = Keyword.get(opts, :actor)
+    system_actor = SystemActor.get_system_actor()
    actor_opts = Helpers.ash_actor_opts(system_actor)
    # Find all unpaid cycles for this member
    # We need to check cycle_end for each cycle using its own interval
@ -852,20 +863,16 @@ defmodule Mv.Membership.Member do
      |> Ash.Query.filter(status == :unpaid)
      |> Ash.Query.load([:membership_fee_type])
-    result =
+    case Ash.read(all_unpaid_cycles_query, actor_opts) do
      if actor do
        Ash.read(all_unpaid_cycles_query, actor: actor)
      else
        Ash.read(all_unpaid_cycles_query)
      end
    case result do
      {:ok, all_unpaid_cycles} ->
        cycles_to_delete = filter_future_cycles(all_unpaid_cycles, today)
-        delete_and_regenerate_cycles(cycles_to_delete, member.id, today,
+        delete_and_regenerate_cycles(
-          skip_lock?: skip_lock?,
+          cycles_to_delete,
-          actor: actor
+          member.id,
          today,
          actor_opts,
          skip_lock?: skip_lock?
        )
      {:error, reason} ->
@ -893,26 +900,27 @@ defmodule Mv.Membership.Member do
  # Deletes future cycles and regenerates them with the new type/amount
  # Passes today to ensure consistent date across deletion and regeneration
  # Returns {:ok, notifications} or {:error, reason}
-  defp delete_and_regenerate_cycles(cycles_to_delete, member_id, today, opts) do
+  # Uses system actor for cycle generation and deletion
  defp delete_and_regenerate_cycles(cycles_to_delete, member_id, today, actor_opts, opts) do
    skip_lock? = Keyword.get(opts, :skip_lock?, false)
    actor = Keyword.get(opts, :actor)
    if Enum.empty?(cycles_to_delete) do
      # No cycles to delete, just regenerate
-      regenerate_cycles(member_id, today, skip_lock?: skip_lock?, actor: actor)
+      regenerate_cycles(member_id, today, skip_lock?: skip_lock?)
    else
-      case delete_cycles(cycles_to_delete) do
+      case delete_cycles(cycles_to_delete, actor_opts) do
-        :ok -> regenerate_cycles(member_id, today, skip_lock?: skip_lock?, actor: actor)
+        :ok -> regenerate_cycles(member_id, today, skip_lock?: skip_lock?)
        {:error, reason} -> {:error, reason}
      end
    end
  end
  # Deletes cycles and returns :ok if all succeeded, {:error, reason} otherwise
-  defp delete_cycles(cycles_to_delete) do
+  # Uses system actor for authorization to ensure deletion always works
  defp delete_cycles(cycles_to_delete, actor_opts) do
    delete_results =
      Enum.map(cycles_to_delete, fn cycle ->
-        Ash.destroy(cycle)
+        Ash.destroy(cycle, actor_opts)
      end)
    if Enum.any?(delete_results, &match?({:error, _}, &1)) do
@ -928,13 +936,11 @@ defmodule Mv.Membership.Member do
  # Returns {:ok, notifications} - notifications should be returned to after_action hook
  defp regenerate_cycles(member_id, today, opts) do
    skip_lock? = Keyword.get(opts, :skip_lock?, false)
    actor = Keyword.get(opts, :actor)
    case Mv.MembershipFees.CycleGenerator.generate_cycles_for_member(
           member_id,
           today: today,
-           skip_lock?: skip_lock?,
+           skip_lock?: skip_lock?
           actor: actor
         ) do
      {:ok, _cycles, notifications} when is_list(notifications) ->
        {:ok, notifications}
@ -948,49 +954,57 @@ defmodule Mv.Membership.Member do
  # based on environment (test vs production)
  # This function encapsulates the common logic for cycle generation
  # to avoid code duplication across different hooks
  # Uses system actor for cycle generation (mandatory side effect)
  # Captures initiator for audit trail (if available in opts)
  defp handle_cycle_generation(member, opts) do
-    actor = Keyword.get(opts, :actor)
+    initiator = Keyword.get(opts, :initiator)
    if Mv.Config.sql_sandbox?() do
-      handle_cycle_generation_sync(member, actor: actor)
+      handle_cycle_generation_sync(member, initiator)
    else
-      handle_cycle_generation_async(member, actor: actor)
+      handle_cycle_generation_async(member, initiator)
    end
  end
  # Runs cycle generation synchronously (for test environment)
-  defp handle_cycle_generation_sync(member, opts) do
+  defp handle_cycle_generation_sync(member, initiator) do
    require Logger
    actor = Keyword.get(opts, :actor)
    case Mv.MembershipFees.CycleGenerator.generate_cycles_for_member(
           member.id,
           today: Date.utc_today(),
-           actor: actor
+           initiator: initiator
         ) do
      {:ok, cycles, notifications} ->
        send_notifications_if_any(notifications)
-        log_cycle_generation_success(member, cycles, notifications, sync: true)
+
        log_cycle_generation_success(member, cycles, notifications,
          sync: true,
          initiator: initiator
        )
      {:error, reason} ->
-        log_cycle_generation_error(member, reason, sync: true)
+        log_cycle_generation_error(member, reason, sync: true, initiator: initiator)
    end
  end
  # Runs cycle generation asynchronously (for production environment)
-  defp handle_cycle_generation_async(member, opts) do
+  defp handle_cycle_generation_async(member, initiator) do
    actor = Keyword.get(opts, :actor)
    Task.Supervisor.async_nolink(Mv.TaskSupervisor, fn ->
-      case Mv.MembershipFees.CycleGenerator.generate_cycles_for_member(member.id, actor: actor) do
+      case Mv.MembershipFees.CycleGenerator.generate_cycles_for_member(member.id,
             initiator: initiator
           ) do
        {:ok, cycles, notifications} ->
          send_notifications_if_any(notifications)
-          log_cycle_generation_success(member, cycles, notifications, sync: false)
+
          log_cycle_generation_success(member, cycles, notifications,
            sync: false,
            initiator: initiator
          )
        {:error, reason} ->
-          log_cycle_generation_error(member, reason, sync: false)
+          log_cycle_generation_error(member, reason, sync: false, initiator: initiator)
      end
    end)
    |> Task.await(:infinity)
  end
  # Sends notifications if any are present
@ -1001,13 +1015,15 @@ defmodule Mv.Membership.Member do
  end
  # Logs successful cycle generation
-  defp log_cycle_generation_success(member, cycles, notifications, sync: sync?) do
+  defp log_cycle_generation_success(member, cycles, notifications,
-    require Logger
+         sync: sync?,
-
+         initiator: initiator
       ) do
    sync_label = if sync?, do: "", else: " (async)"
    initiator_info = get_initiator_info(initiator)
    Logger.debug(
-      "Successfully generated cycles for member#{sync_label}",
+      "Successfully generated cycles for member#{sync_label} (initiator: #{initiator_info})",
      member_id: member.id,
      cycles_count: length(cycles),
      notifications_count: length(notifications)
@ -1015,13 +1031,12 @@ defmodule Mv.Membership.Member do
  end
  # Logs cycle generation errors
-  defp log_cycle_generation_error(member, reason, sync: sync?) do
+  defp log_cycle_generation_error(member, reason, sync: sync?, initiator: initiator) do
    require Logger
    sync_label = if sync?, do: "", else: " (async)"
    initiator_info = get_initiator_info(initiator)
    Logger.error(
-      "Failed to generate cycles for member#{sync_label}",
+      "Failed to generate cycles for member#{sync_label} (initiator: #{initiator_info})",
      member_id: member.id,
      member_email: member.email,
      error: inspect(reason),
@ -1029,6 +1044,11 @@ defmodule Mv.Membership.Member do
    )
  end
  # Extracts initiator information for audit trail
  defp get_initiator_info(nil), do: "system"
  defp get_initiator_info(%{email: email}), do: email
  defp get_initiator_info(_), do: "unknown"
  # Helper to extract error type for structured logging
  defp error_type(%{__struct__: struct_name}), do: struct_name
  defp error_type(error) when is_atom(error), do: error
--- a/lib/membership/membership.ex
+++ b/lib/membership/membership.ex
@ -12,8 +12,8 @@ defmodule Mv.Membership do
  The domain exposes these main actions:
  - Member CRUD: `create_member/1`, `list_members/0`, `update_member/2`, `destroy_member/1`
  - Custom field value management: `create_custom_field_value/1`, `list_custom_field_values/0`, etc.
-  - Custom field management: `create_custom_field/1`, `list_custom_fields/0`, etc.
+  - Custom field management: `create_custom_field/1`, `list_custom_fields/0`, `list_required_custom_fields/0`, etc.
-  - Settings management: `get_settings/0`, `update_settings/2`
+  - Settings management: `get_settings/0`, `update_settings/2`, `update_member_field_visibility/2`, `update_single_member_field_visibility/3`
  ## Admin Interface
  The domain is configured with AshAdmin for management UI.
--- a/lib/membership_fees/membership_fees.ex
+++ b/lib/membership_fees/membership_fees.ex
@ -6,6 +6,13 @@ defmodule Mv.MembershipFees do
  - `MembershipFeeType` - Defines membership fee types with intervals and amounts
  - `MembershipFeeCycle` - Individual membership fee cycles per member
  ## Public API
  The domain exposes these main actions:
  - MembershipFeeType CRUD: `create_membership_fee_type/1`, `list_membership_fee_types/0`, `update_membership_fee_type/2`, `destroy_membership_fee_type/1`
  - MembershipFeeCycle CRUD: `create_membership_fee_cycle/1`, `list_membership_fee_cycles/0`, `update_membership_fee_cycle/2`, `destroy_membership_fee_cycle/1`
  Note: LiveViews may use direct Ash calls instead of these domain functions for performance or flexibility.
  ## Overview
  This domain handles the complete membership fee lifecycle including:
  - Fee type definitions (monthly, quarterly, half-yearly, yearly)
--- a/lib/mv/accounts/user/validations/email_not_used_by_other_member.ex
+++ b/lib/mv/accounts/user/validations/email_not_used_by_other_member.ex
@ -9,6 +9,8 @@ defmodule Mv.Accounts.User.Validations.EmailNotUsedByOtherMember do
  """
  use Ash.Resource.Validation
  require Logger
  @doc """
  Validates email uniqueness across linked User-Member pairs.
@ -73,19 +75,29 @@ defmodule Mv.Accounts.User.Validations.EmailNotUsedByOtherMember do
  end
  defp check_email_uniqueness(email, exclude_member_id) do
    alias Mv.Helpers
    alias Mv.Helpers.SystemActor
    query =
      Mv.Membership.Member
      |> Ash.Query.filter(email == ^to_string(email))
      |> maybe_exclude_id(exclude_member_id)
-    case Ash.read(query) do
+    system_actor = SystemActor.get_system_actor()
    opts = Helpers.ash_actor_opts(system_actor)
    case Ash.read(query, opts) do
      {:ok, []} ->
        :ok
      {:ok, _} ->
        {:error, field: :email, message: "is already used by another member", value: email}
-      {:error, _} ->
+      {:error, reason} ->
        Logger.warning(
          "Email uniqueness validation query failed for user email '#{email}': #{inspect(reason)}. Allowing operation to proceed (fail-open)."
        )
        :ok
    end
  end
--- a/lib/mv/application.ex
+++ b/lib/mv/application.ex
@ -14,6 +14,7 @@ defmodule Mv.Application do
      {DNSCluster, query: Application.get_env(:mv, :dns_cluster_query) || :ignore},
      {Phoenix.PubSub, name: Mv.PubSub},
      {AshAuthentication.Supervisor, otp_app: :my},
      Mv.Helpers.SystemActor,
      # Start a worker by calling: Mv.Worker.start_link(arg)
      # {Mv.Worker, arg},
      # Start to serve requests, typically the last entry
--- a/lib/mv/authorization/actor.ex
+++ b/lib/mv/authorization/actor.ex
@ -0,0 +1,99 @@
 defmodule Mv.Authorization.Actor do
  @moduledoc """
  Helper functions for ensuring User actors have required data loaded.
  ## Actor Invariant
  Authorization policies (especially HasPermission) require that the User actor
  has their `:role` relationship loaded. This module provides helpers to
  ensure this invariant is maintained across all entry points:
  - LiveView on_mount hooks
  - Plug pipelines
  - Background jobs
  - Tests
  ## Scope
  This module ONLY handles `Mv.Accounts.User` resources. Other resources with
  a `:role` field are ignored (returned as-is). This prevents accidental
  authorization bypasses and keeps the logic focused.
  ## Usage
      # In LiveView on_mount
      def ensure_user_role_loaded(_name, socket) do
        user = Actor.ensure_loaded(socket.assigns[:current_user])
        assign(socket, :current_user, user)
      end
      # In tests
      user = Actor.ensure_loaded(user)
  ## Security Note
  `ensure_loaded/1` loads the role with `authorize?: false` to avoid circular
  dependency (actor needs role loaded to be authorized, but loading role requires
  authorization). This is safe because:
  - The actor (User) is loading their OWN role (user.role relationship)
  - This load is needed FOR authorization checks to work
  - The role itself contains no sensitive data (just permission_set reference)
  - The actor is already authenticated (passed auth boundary)
  Alternative would be to denormalize permission_set_name on User, but that
  adds complexity and potential for inconsistency.
  """
  require Logger
  @doc """
  Ensures the actor (User) has their `:role` relationship loaded.
  - If actor is nil, returns nil
  - If role is already loaded, returns actor as-is
  - If role is %Ash.NotLoaded{}, loads it and returns updated actor
  - If actor is not a User, returns as-is (no-op)
  ## Examples
      iex> Actor.ensure_loaded(nil)
      nil
      iex> Actor.ensure_loaded(%User{role: %Role{}})
      %User{role: %Role{}}
      iex> Actor.ensure_loaded(%User{role: %Ash.NotLoaded{}})
      %User{role: %Role{}}  # role loaded
  """
  def ensure_loaded(nil), do: nil
  # Only handle Mv.Accounts.User - clear intention, no accidental other resources
  def ensure_loaded(%Mv.Accounts.User{role: %Ash.NotLoaded{}} = user) do
    load_role(user)
  end
  def ensure_loaded(actor), do: actor
  defp load_role(actor) do
    # SECURITY: We skip authorization here because this is a bootstrap scenario:
    # - The actor is loading their OWN role (actor.role relationship)
    # - This load is needed FOR authorization checks to work (circular dependency)
    # - The role itself contains no sensitive data (just permission_set reference)
    # - The actor is already authenticated (passed auth boundary)
    # Alternative would be to denormalize permission_set_name on User.
    case Ash.load(actor, :role, domain: Mv.Accounts, authorize?: false) do
      {:ok, loaded_actor} ->
        loaded_actor
      {:error, error} ->
        # Log error but don't crash - fail-closed for authorization
        Logger.warning(
          "Failed to load actor role: #{inspect(error)}. " <>
            "Authorization may fail if role is required."
        )
        actor
    end
  end
 end
--- a/lib/mv/authorization/authorization.ex
+++ b/lib/mv/authorization/authorization.ex
@ -7,7 +7,7 @@ defmodule Mv.Authorization do
  ## Public API
  The domain exposes these main actions:
-  - Role CRUD: `create_role/1`, `list_roles/0`, `update_role/2`, `destroy_role/1`
+  - Role CRUD: `create_role/1`, `list_roles/0`, `get_role/1`, `update_role/2`, `destroy_role/1`
  ## Admin Interface
  The domain is configured with AshAdmin for management UI.
--- a/lib/mv/authorization/checks/has_permission.ex
+++ b/lib/mv/authorization/checks/has_permission.ex
@ -8,10 +8,37 @@ defmodule Mv.Authorization.Checks.HasPermission do
  3. Finds matching permission for current resource + action
  4. Applies scope filter (:own, :linked, :all)
  ## Important: strict_check Behavior
  For filter-based scopes (`:own`, `:linked`):
  - **WITH record**: Evaluates filter against record (returns `true`/`false`)
  - **WITHOUT record** (queries/lists): Returns `false`
  **Why `false` instead of `:unknown`?**
  Ash's policy evaluation doesn't reliably call `auto_filter` when `strict_check`
  returns `:unknown`. To ensure list queries work correctly, resources **MUST** use
  bypass policies with `expr()` for READ operations (see `docs/policy-bypass-vs-haspermission.md`).
  This means `HasPermission` is **NOT** generically reusable for query authorization
  with filter scopes - it requires companion bypass policies.
  ## Usage Pattern
  See `docs/policy-bypass-vs-haspermission.md` for the two-tier pattern:
  - **READ**: `bypass` with `expr()` (handles auto_filter)
  - **UPDATE/CREATE/DESTROY**: `HasPermission` (handles scope evaluation)
  ## Usage in Ash Resource
      policies do
-        policy action_type(:read) do
+        # READ: Bypass for list queries
        bypass action_type(:read) do
          authorize_if expr(id == ^actor(:id))
        end
        # UPDATE: HasPermission for scope evaluation
        policy action_type([:update, :create, :destroy]) do
          authorize_if Mv.Authorization.Checks.HasPermission
        end
      end
@ -34,6 +61,12 @@ defmodule Mv.Authorization.Checks.HasPermission do
  All errors result in Forbidden (policy fails).
  ## Role Loading Fallback
  If the actor's `:role` relationship is `%Ash.NotLoaded{}`, this check will
  attempt to load it automatically. This provides a fallback if `on_mount` hooks
  didn't run (e.g., in non-LiveView contexts).
  ## Examples
      # In a resource policy
@ -83,6 +116,9 @@ defmodule Mv.Authorization.Checks.HasPermission do
  # Helper function to reduce nesting depth
  defp strict_check_with_permissions(actor, resource, action, record) do
    # Ensure role is loaded (fallback if on_mount didn't run)
    actor = ensure_role_loaded(actor)
    with %{role: %{permission_set_name: ps_name}} when not is_nil(ps_name) <- actor,
         {:ok, ps_atom} <- PermissionSets.permission_set_name_to_atom(ps_name),
         permissions <- PermissionSets.get_permissions(ps_atom),
@ -95,11 +131,25 @@ defmodule Mv.Authorization.Checks.HasPermission do
             resource_name
           ) do
        :authorized ->
          # For :all scope, authorize directly
          {:ok, true}
        {:filter, filter_expr} ->
-          # For strict_check on single records, evaluate the filter against the record
+          # For :own/:linked scope:
-          evaluate_filter_for_strict_check(filter_expr, actor, record, resource_name)
+          # - With a record, evaluate filter against record for strict authorization
          # - Without a record (queries/lists), return false
          #
          # NOTE: Returning false here forces the use of expr-based bypass policies.
          # This is necessary because Ash's policy evaluation doesn't reliably call auto_filter
          # when strict_check returns :unknown. Instead, resources should use bypass policies
          # with expr() directly for filter-based authorization (see User resource).
          if record do
            evaluate_filter_for_strict_check(filter_expr, actor, record, resource_name)
          else
            # No record yet (e.g., read/list queries) - deny at strict_check level
            # Resources must use expr-based bypass policies for list filtering
            {:ok, false}
          end
        false ->
          {:ok, false}
@ -224,9 +274,18 @@ defmodule Mv.Authorization.Checks.HasPermission do
  end
  # Evaluate filter expression for strict_check on single records
  # For :own scope with User resource: id == actor.id
  # For :linked scope with Member resource: id == actor.member_id
  defp evaluate_filter_for_strict_check(_filter_expr, actor, record, resource_name) do
    case {resource_name, record} do
      {"User", %{id: user_id}} when not is_nil(user_id) ->
        # Check if this user's ID matches the actor's ID (scope :own)
        if user_id == actor.id do
          {:ok, true}
        else
          {:ok, false}
        end
      {"Member", %{id: member_id}} when not is_nil(member_id) ->
        # Check if this member's ID matches the actor's member_id
        if member_id == actor.member_id do
@ -330,4 +389,10 @@ defmodule Mv.Authorization.Checks.HasPermission do
  defp get_resource_name_for_logging(_resource) do
    "unknown"
  end
  # Fallback: Load role if not loaded (in case on_mount didn't run)
  # Delegates to centralized Actor helper
  defp ensure_role_loaded(actor) do
    Mv.Authorization.Actor.ensure_loaded(actor)
  end
 end
--- a/lib/mv/authorization/checks/no_actor.ex
+++ b/lib/mv/authorization/checks/no_actor.ex
@ -42,9 +42,9 @@ defmodule Mv.Authorization.Checks.NoActor do
  use Ash.Policy.SimpleCheck
  # Compile-time check: Only allow no-actor bypass in test environment
-  @allow_no_actor_bypass Mix.env() == :test
+  # SECURITY: This must ONLY be true in test.exs, never in prod/dev
-  # Alternative (if you want to control via config):
+  # Using compile_env instead of Mix.env() for release-safety
-  # @allow_no_actor_bypass Application.compile_env(:mv, :allow_no_actor_bypass, false)
+  @allow_no_actor_bypass Application.compile_env(:mv, :allow_no_actor_bypass, false)
  @impl true
  def describe(_opts) do
@ -58,13 +58,9 @@ defmodule Mv.Authorization.Checks.NoActor do
  @impl true
  def match?(nil, _context, _opts) do
    # Actor is nil
-    if @allow_no_actor_bypass do
+    # SECURITY: Only allow if compile_env flag is set (test.exs only)
-      # Test environment: Allow all operations
+    # No runtime Mix.env() check - fail-closed by default (false)
-      true
+    @allow_no_actor_bypass
    else
      # Production/dev: Deny all operations (fail-closed for security)
      false
    end
  end
  def match?(_actor, _context, _opts) do
--- a/lib/mv/authorization/permission_sets.ex
+++ b/lib/mv/authorization/permission_sets.ex
@ -95,7 +95,9 @@ defmodule Mv.Authorization.PermissionSets do
  def get_permissions(:own_data) do
    %{
      resources: [
-        # User: Can always read/update own credentials
+        # User: Can read/update own credentials only
        # IMPORTANT: "read_only" refers to member data, NOT user credentials.
        # All permission sets grant User.update :own to allow password changes.
        %{resource: "User", action: :read, scope: :own, granted: true},
        %{resource: "User", action: :update, scope: :own, granted: true},
@ -125,6 +127,8 @@ defmodule Mv.Authorization.PermissionSets do
    %{
      resources: [
        # User: Can read/update own credentials only
        # IMPORTANT: "read_only" refers to member data, NOT user credentials.
        # All permission sets grant User.update :own to allow password changes.
        %{resource: "User", action: :read, scope: :own, granted: true},
        %{resource: "User", action: :update, scope: :own, granted: true},
@ -157,6 +161,8 @@ defmodule Mv.Authorization.PermissionSets do
    %{
      resources: [
        # User: Can read/update own credentials only
        # IMPORTANT: "read_only" refers to member data, NOT user credentials.
        # All permission sets grant User.update :own to allow password changes.
        %{resource: "User", action: :read, scope: :own, granted: true},
        %{resource: "User", action: :update, scope: :own, granted: true},
--- a/lib/mv/email_sync/changes/sync_member_email_to_user.ex
+++ b/lib/mv/email_sync/changes/sync_member_email_to_user.ex
@ -41,10 +41,8 @@ defmodule Mv.EmailSync.Changes.SyncMemberEmailToUser do
    Ash.Changeset.around_transaction(changeset, fn cs, callback ->
      result = callback.(cs)
      actor = Map.get(changeset.context, :actor)
      with {:ok, member} <- Helpers.extract_record(result),
-           linked_user <- Loader.get_linked_user(member, actor) do
+           linked_user <- Loader.get_linked_user(member) do
        Helpers.sync_email_to_linked_record(result, linked_user, new_email)
      else
        _ -> result
--- a/lib/mv/email_sync/changes/sync_user_email_to_member.ex
+++ b/lib/mv/email_sync/changes/sync_user_email_to_member.ex
@ -33,17 +33,7 @@ defmodule Mv.EmailSync.Changes.SyncUserEmailToMember do
    if Map.get(context, :syncing_email, false) do
      changeset
    else
-      # Ensure actor is in changeset context - get it from context if available
+      sync_email(changeset)
      actor = Map.get(changeset.context, :actor) || Map.get(context, :actor)
      changeset_with_actor =
        if actor && !Map.has_key?(changeset.context, :actor) do
          Ash.Changeset.put_context(changeset, :actor, actor)
        else
          changeset
        end
      sync_email(changeset_with_actor)
    end
  end
@ -52,7 +42,7 @@ defmodule Mv.EmailSync.Changes.SyncUserEmailToMember do
      result = callback.(cs)
      with {:ok, record} <- Helpers.extract_record(result),
-           {:ok, user, member} <- get_user_and_member(record, cs) do
+           {:ok, user, member} <- get_user_and_member(record) do
        # When called from Member-side, we need to update the member in the result
        # When called from User-side, we update the linked member in DB only
        case record do
@ -71,19 +61,16 @@ defmodule Mv.EmailSync.Changes.SyncUserEmailToMember do
  end
  # Retrieves user and member - works for both resource types
-  defp get_user_and_member(%Mv.Accounts.User{} = user, changeset) do
+  # Uses system actor via Loader functions
-    actor = Map.get(changeset.context, :actor)
+  defp get_user_and_member(%Mv.Accounts.User{} = user) do
-
+    case Loader.get_linked_member(user) do
    case Loader.get_linked_member(user, actor) do
      nil -> {:error, :no_member}
      member -> {:ok, user, member}
    end
  end
-  defp get_user_and_member(%Mv.Membership.Member{} = member, changeset) do
+  defp get_user_and_member(%Mv.Membership.Member{} = member) do
-    actor = Map.get(changeset.context, :actor)
+    case Loader.load_linked_user!(member) do
    case Loader.load_linked_user!(member, actor) do
      {:ok, user} -> {:ok, user, member}
      error -> error
    end
--- a/lib/mv/email_sync/loader.ex
+++ b/lib/mv/email_sync/loader.ex
@ -5,25 +5,26 @@ defmodule Mv.EmailSync.Loader do
  ## Authorization
-  This module runs systemically and accepts optional actor parameters.
+  This module runs systemically and uses the system actor for all operations.
-  When called from hooks/changes, actor is extracted from changeset context.
+  This ensures that email synchronization always works, regardless of user permissions.
  When called directly, actor should be provided for proper authorization.
-  All functions accept an optional `actor` parameter that is passed to Ash operations
+  All functions use `Mv.Helpers.SystemActor.get_system_actor/0` to bypass
-  to ensure proper authorization checks are performed.
+  user permission checks, as email sync is a mandatory side effect.
  """
  alias Mv.Helpers
  alias Mv.Helpers.SystemActor
  @doc """
  Loads the member linked to a user, returns nil if not linked or on error.
-  Accepts optional actor for authorization.
+  Uses system actor for authorization to ensure email sync always works.
  """
-  def get_linked_member(user, actor \\ nil)
+  def get_linked_member(user)
-  def get_linked_member(%{member_id: nil}, _actor), do: nil
+  def get_linked_member(%{member_id: nil}), do: nil
-  def get_linked_member(%{member_id: id}, actor) do
+  def get_linked_member(%{member_id: id}) do
-    opts = Helpers.ash_actor_opts(actor)
+    system_actor = SystemActor.get_system_actor()
    opts = Helpers.ash_actor_opts(system_actor)
    case Ash.get(Mv.Membership.Member, id, opts) do
      {:ok, member} -> member
@ -34,10 +35,11 @@ defmodule Mv.EmailSync.Loader do
  @doc """
  Loads the user linked to a member, returns nil if not linked or on error.
-  Accepts optional actor for authorization.
+  Uses system actor for authorization to ensure email sync always works.
  """
-  def get_linked_user(member, actor \\ nil) do
+  def get_linked_user(member) do
-    opts = Helpers.ash_actor_opts(actor)
+    system_actor = SystemActor.get_system_actor()
    opts = Helpers.ash_actor_opts(system_actor)
    case Ash.load(member, :user, opts) do
      {:ok, %{user: user}} -> user
@ -49,10 +51,11 @@ defmodule Mv.EmailSync.Loader do
  Loads the user linked to a member, returning an error tuple if not linked.
  Useful when a link is required for the operation.
-  Accepts optional actor for authorization.
+  Uses system actor for authorization to ensure email sync always works.
  """
-  def load_linked_user!(member, actor \\ nil) do
+  def load_linked_user!(member) do
-    opts = Helpers.ash_actor_opts(actor)
+    system_actor = SystemActor.get_system_actor()
    opts = Helpers.ash_actor_opts(system_actor)
    case Ash.load(member, :user, opts) do
      {:ok, %{user: user}} when not is_nil(user) -> {:ok, user}
--- a/lib/mv/helpers/system_actor.ex
+++ b/lib/mv/helpers/system_actor.ex
@ -0,0 +1,436 @@
 defmodule Mv.Helpers.SystemActor do
  @moduledoc """
  Provides access to the system actor for systemic operations.
  The system actor is a user with admin permissions that is used
  for operations that must always run regardless of user permissions:
  - Email synchronization
  - Email uniqueness validation
  - Cycle generation (if mandatory)
  - Background jobs
  - Seeds
  ## Usage
      # Get system actor for systemic operations
      system_actor = Mv.Helpers.SystemActor.get_system_actor()
      Ash.read(query, actor: system_actor)
  ## Implementation
  The system actor is cached in an Agent for performance. On first access,
  it attempts to load a user with email "system@mila.local" and admin role.
  If that user doesn't exist, it falls back to the admin user from seeds
  (identified by ADMIN_EMAIL environment variable or "admin@localhost").
  ## Caching
  The system actor is cached in an Agent to avoid repeated database queries.
  The cache is invalidated on application restart. For long-running applications,
  consider implementing cache invalidation on role changes.
  ## Race Conditions
  The system actor creation uses `upsert?: true` with `upsert_identity: :unique_email`
  to prevent race conditions when multiple processes try to create the system user
  simultaneously. This ensures idempotent creation and prevents database constraint errors.
  ## Security
  The system actor should NEVER be used for user-initiated actions. It is
  only for systemic operations that must bypass user permissions.
  The system user is created without a password (`hashed_password = nil`) and
  without an OIDC ID (`oidc_id = nil`) to prevent login. This ensures the
  system user cannot be used for authentication, even if credentials are
  somehow obtained.
  """
  use Agent
  require Ash.Query
  alias Mv.Config
  @doc """
  Starts the SystemActor Agent.
  This is called automatically by the application supervisor.
  The agent starts with nil state and loads the system actor lazily on first access.
  """
  def start_link(_opts) do
    # Start with nil - lazy initialization on first get_system_actor call
    # This prevents database access during application startup (important for tests)
    Agent.start_link(fn -> nil end, name: __MODULE__)
  end
  @doc """
  Returns the system actor (user with admin role).
  The system actor is cached in an Agent for performance. On first access,
  it loads the system user from the database or falls back to the admin user.
  ## Returns
  - `%Mv.Accounts.User{}` - User with admin role loaded
  - Raises if system actor cannot be found or loaded
  ## Examples
      iex> system_actor = Mv.Helpers.SystemActor.get_system_actor()
      iex> system_actor.role.permission_set_name
      "admin"
  """
  @spec get_system_actor() :: Mv.Accounts.User.t()
  def get_system_actor do
    case get_system_actor_result() do
      {:ok, actor} -> actor
      {:error, reason} -> raise "Failed to load system actor: #{inspect(reason)}"
    end
  end
  @doc """
  Returns the system actor as a result tuple.
  This variant returns `{:ok, actor}` or `{:error, reason}` instead of raising,
  which is useful for error handling in pipes or when you want to handle errors explicitly.
  ## Returns
  - `{:ok, %Mv.Accounts.User{}}` - Successfully loaded system actor
  - `{:error, term()}` - Error loading system actor
  ## Examples
      case SystemActor.get_system_actor_result() do
        {:ok, actor} -> use_actor(actor)
        {:error, reason} -> handle_error(reason)
      end
  """
  @spec get_system_actor_result() :: {:ok, Mv.Accounts.User.t()} | {:error, term()}
  def get_system_actor_result do
    # In test environment (SQL sandbox), always load directly to avoid Agent/Sandbox issues
    if Config.sql_sandbox?() do
      try do
        {:ok, load_system_actor()}
      rescue
        e -> {:error, e}
      end
    else
      try do
        result =
          Agent.get_and_update(__MODULE__, fn
            nil ->
              # Cache miss - load system actor
              try do
                actor = load_system_actor()
                {actor, actor}
              rescue
                e -> {{:error, e}, nil}
              end
            cached_actor ->
              # Cache hit - return cached actor
              {cached_actor, cached_actor}
          end)
        case result do
          {:error, reason} -> {:error, reason}
          actor -> {:ok, actor}
        end
      catch
        :exit, {:noproc, _} ->
          # Agent not started - load directly without caching
          try do
            {:ok, load_system_actor()}
          rescue
            e -> {:error, e}
          end
      end
    end
  end
  @doc """
  Invalidates the system actor cache.
  This forces a reload of the system actor on the next call to `get_system_actor/0`.
  Useful when the system user's role might have changed.
  ## Examples
      iex> Mv.Helpers.SystemActor.invalidate_cache()
      :ok
  """
  @spec invalidate_cache() :: :ok
  def invalidate_cache do
    case Process.whereis(__MODULE__) do
      nil -> :ok
      _pid -> Agent.update(__MODULE__, fn _state -> nil end)
    end
  end
  @doc """
  Returns the email address of the system user.
  This is useful for other modules that need to reference the system user
  without loading the full user record.
  ## Returns
  - `String.t()` - The system user email address ("system@mila.local")
  ## Examples
      iex> Mv.Helpers.SystemActor.system_user_email()
      "system@mila.local"
  """
  @spec system_user_email() :: String.t()
  def system_user_email, do: system_user_email_config()
  # Returns the system user email from environment variable or default
  # This allows configuration via SYSTEM_ACTOR_EMAIL env var
  @spec system_user_email_config() :: String.t()
  defp system_user_email_config do
    System.get_env("SYSTEM_ACTOR_EMAIL") || "system@mila.local"
  end
  # Loads the system actor from the database
  # First tries to find system@mila.local, then falls back to admin user
  @spec load_system_actor() :: Mv.Accounts.User.t() | no_return()
  defp load_system_actor do
    case find_user_by_email(system_user_email_config()) do
      {:ok, user} when not is_nil(user) ->
        load_user_with_role(user)
      {:ok, nil} ->
        handle_system_user_not_found("no system user or admin user found")
      {:error, _reason} = error ->
        handle_system_user_error(error)
    end
  end
  # Handles case when system user doesn't exist
  @spec handle_system_user_not_found(String.t()) :: Mv.Accounts.User.t() | no_return()
  defp handle_system_user_not_found(message) do
    case load_admin_user_fallback() do
      {:ok, admin_user} ->
        admin_user
      {:error, _} ->
        handle_fallback_error(message)
    end
  end
  # Handles database error when loading system user
  @spec handle_system_user_error(term()) :: Mv.Accounts.User.t() | no_return()
  defp handle_system_user_error(error) do
    case load_admin_user_fallback() do
      {:ok, admin_user} ->
        admin_user
      {:error, _} ->
        handle_fallback_error("Failed to load system actor: #{inspect(error)}")
    end
  end
  # Handles fallback error - creates test actor or raises
  @spec handle_fallback_error(String.t()) :: Mv.Accounts.User.t() | no_return()
  defp handle_fallback_error(message) do
    if Config.sql_sandbox?() do
      create_test_system_actor()
    else
      raise "Failed to load system actor: #{message}"
    end
  end
  # Creates a temporary admin user for tests when no system/admin user exists
  @spec create_test_system_actor() :: Mv.Accounts.User.t() | no_return()
  defp create_test_system_actor do
    alias Mv.Accounts
    alias Mv.Authorization
    admin_role = ensure_admin_role_exists()
    create_system_user_with_role(admin_role)
  end
  # Ensures admin role exists - finds or creates it
  @spec ensure_admin_role_exists() :: Mv.Authorization.Role.t() | no_return()
  defp ensure_admin_role_exists do
    case find_admin_role() do
      {:ok, role} ->
        role
      {:error, :not_found} ->
        create_admin_role_with_retry()
    end
  end
  # Finds admin role in existing roles
  @spec find_admin_role() :: {:ok, Mv.Authorization.Role.t()} | {:error, :not_found}
  defp find_admin_role do
    alias Mv.Authorization
    case Authorization.list_roles() do
      {:ok, roles} ->
        case Enum.find(roles, &(&1.permission_set_name == "admin")) do
          nil -> {:error, :not_found}
          role -> {:ok, role}
        end
      _ ->
        {:error, :not_found}
    end
  end
  # Creates admin role, handling race conditions
  @spec create_admin_role_with_retry() :: Mv.Authorization.Role.t() | no_return()
  defp create_admin_role_with_retry do
    alias Mv.Authorization
    case create_admin_role() do
      {:ok, role} ->
        role
      {:error, :already_exists} ->
        find_existing_admin_role()
      {:error, error} ->
        raise "Failed to create admin role: #{inspect(error)}"
    end
  end
  # Attempts to create admin role
  @spec create_admin_role() ::
          {:ok, Mv.Authorization.Role.t()} | {:error, :already_exists | term()}
  defp create_admin_role do
    alias Mv.Authorization
    case Authorization.create_role(%{
           name: "Admin",
           description: "Administrator with full access",
           permission_set_name: "admin"
         }) do
      {:ok, role} ->
        {:ok, role}
      {:error, %Ash.Error.Invalid{errors: [%{field: :name, message: "has already been taken"}]}} ->
        {:error, :already_exists}
      {:error, error} ->
        {:error, error}
    end
  end
  # Finds existing admin role after creation attempt failed due to race condition
  @spec find_existing_admin_role() :: Mv.Authorization.Role.t() | no_return()
  defp find_existing_admin_role do
    alias Mv.Authorization
    case Authorization.list_roles() do
      {:ok, roles} ->
        Enum.find(roles, &(&1.permission_set_name == "admin")) ||
          raise "Admin role should exist but was not found"
      _ ->
        raise "Failed to find admin role after creation attempt"
    end
  end
  # Creates system user with admin role assigned
  # SECURITY: System user is created without password (hashed_password = nil) and
  # without OIDC ID (oidc_id = nil) to prevent login. This user is ONLY for
  # internal system operations via SystemActor and should never be used for authentication.
  @spec create_system_user_with_role(Mv.Authorization.Role.t()) ::
          Mv.Accounts.User.t() | no_return()
  defp create_system_user_with_role(admin_role) do
    alias Mv.Accounts
    Accounts.create_user!(%{email: system_user_email_config()},
      upsert?: true,
      upsert_identity: :unique_email
    )
    |> Ash.Changeset.for_update(:update, %{})
    |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
    |> Ash.update!()
    |> Ash.load!(:role, domain: Mv.Accounts)
  end
  # Finds a user by email address
  # SECURITY: Uses authorize?: false for bootstrap lookup only.
  # This is necessary because we need to find the system/admin user before
  # we can load the system actor. If User policies require an actor, this
  # would create a chicken-and-egg problem. This is safe because:
  # 1. We only query by email (no sensitive data exposed)
  # 2. This is only used during system actor initialization (bootstrap phase)
  # 3. Once system actor is loaded, all subsequent operations use proper authorization
  @spec find_user_by_email(String.t()) :: {:ok, Mv.Accounts.User.t() | nil} | {:error, term()}
  defp find_user_by_email(email) do
    Mv.Accounts.User
    |> Ash.Query.filter(email == ^email)
    |> Ash.read_one(domain: Mv.Accounts, authorize?: false)
  end
  # Loads a user with their role preloaded (required for authorization)
  @spec load_user_with_role(Mv.Accounts.User.t()) :: Mv.Accounts.User.t() | no_return()
  defp load_user_with_role(user) do
    case Ash.load(user, :role, domain: Mv.Accounts) do
      {:ok, user_with_role} ->
        validate_admin_role(user_with_role)
      {:error, reason} ->
        raise "Failed to load role for system actor: #{inspect(reason)}"
    end
  end
  # Validates that the user has an admin role
  @spec validate_admin_role(Mv.Accounts.User.t()) :: Mv.Accounts.User.t() | no_return()
  defp validate_admin_role(%{role: %{permission_set_name: "admin"}} = user) do
    user
  end
  @spec validate_admin_role(Mv.Accounts.User.t()) :: no_return()
  defp validate_admin_role(%{role: %{permission_set_name: permission_set}}) do
    raise """
    System actor must have admin role, but has permission_set_name: #{permission_set}
    Please assign the "Admin" role to the system user.
    """
  end
  @spec validate_admin_role(Mv.Accounts.User.t()) :: no_return()
  defp validate_admin_role(%{role: nil}) do
    raise """
    System actor must have a role assigned, but role is nil.
    Please assign the "Admin" role to the system user.
    """
  end
  @spec validate_admin_role(term()) :: no_return()
  defp validate_admin_role(_user) do
    raise """
    System actor must have a role with admin permissions.
    Please assign the "Admin" role to the system user.
    """
  end
  # Fallback: Loads admin user from seeds (ADMIN_EMAIL env var or default)
  @spec load_admin_user_fallback() :: {:ok, Mv.Accounts.User.t()} | {:error, term()}
  defp load_admin_user_fallback do
    admin_email = System.get_env("ADMIN_EMAIL") || "admin@localhost"
    case find_user_by_email(admin_email) do
      {:ok, user} when not is_nil(user) ->
        {:ok, load_user_with_role(user)}
      {:ok, nil} ->
        {:error, :admin_user_not_found}
      {:error, _reason} = error ->
        error
    end
  end
 end
--- a/lib/mv/membership/import/member_csv.ex
+++ b/lib/mv/membership/import/member_csv.ex
@ -310,20 +310,10 @@ defmodule Mv.Membership.Import.MemberCSV do
        case process_row(row_map, line_number, custom_field_lookup, actor) do
          {:ok, _member} ->
-            {acc_inserted + 1, acc_failed, acc_errors, acc_error_count, acc_truncated?}
+            update_inserted(acc)
          {:error, error} ->
-            new_acc_failed = acc_failed + 1
+            handle_row_error(acc, error, current_error_count, max_errors)
            # Only collect errors if under limit
            {new_acc_errors, new_error_count, new_truncated?} =
              if current_error_count < max_errors do
                {[error | acc_errors], acc_error_count + 1, acc_truncated?}
              else
                {acc_errors, acc_error_count, true}
              end
            {acc_inserted, new_acc_failed, new_acc_errors, new_error_count, new_truncated?}
        end
      end)
@ -397,11 +387,9 @@ defmodule Mv.Membership.Import.MemberCSV do
  # Extracts the first error from a changeset and converts it to a MemberCSV.Error struct
  defp extract_changeset_error(changeset, csv_line_number) do
-    case Ecto.Changeset.traverse_errors(changeset, fn {msg, opts} ->
+    errors = Ecto.Changeset.traverse_errors(changeset, &format_error_message/1)
-           Enum.reduce(opts, msg, fn {key, value}, acc ->
+
-             String.replace(acc, "%{#{key}}", to_string(value))
+    case errors do
           end)
         end) do
      %{email: [message | _]} ->
        # Email-specific error
        %Error{
@ -430,6 +418,56 @@ defmodule Mv.Membership.Import.MemberCSV do
    end
  end
  # Helper function to update accumulator when row is successfully inserted
  defp update_inserted({acc_inserted, acc_failed, acc_errors, acc_error_count, acc_truncated?}) do
    {acc_inserted + 1, acc_failed, acc_errors, acc_error_count, acc_truncated?}
  end
  # Helper function to handle row error with error count limit checking
  defp handle_row_error(
         {acc_inserted, acc_failed, acc_errors, acc_error_count, acc_truncated?},
         error,
         current_error_count,
         max_errors
       ) do
    new_acc_failed = acc_failed + 1
    {new_acc_errors, new_error_count, new_truncated?} =
      collect_error_if_under_limit(
        error,
        acc_errors,
        acc_error_count,
        acc_truncated?,
        current_error_count,
        max_errors
      )
    {acc_inserted, new_acc_failed, new_acc_errors, new_error_count, new_truncated?}
  end
  # Helper function to collect error only if under limit
  defp collect_error_if_under_limit(
         error,
         acc_errors,
         acc_error_count,
         acc_truncated?,
         current_error_count,
         max_errors
       ) do
    if current_error_count < max_errors do
      {[error | acc_errors], acc_error_count + 1, acc_truncated?}
    else
      {acc_errors, acc_error_count, true}
    end
  end
  # Formats error message by replacing placeholders
  defp format_error_message({msg, opts}) do
    Enum.reduce(opts, msg, fn {key, value}, acc ->
      String.replace(acc, "%{#{key}}", to_string(value))
    end)
  end
  # Maps changeset error messages to appropriate Gettext messages
  defp gettext_error_message(message) when is_binary(message) do
    cond do
--- a/lib/mv/membership/member/validations/email_not_used_by_other_user.ex
+++ b/lib/mv/membership/member/validations/email_not_used_by_other_user.ex
@ -10,6 +10,8 @@ defmodule Mv.Membership.Member.Validations.EmailNotUsedByOtherUser do
  use Ash.Resource.Validation
  alias Mv.Helpers
  require Logger
  @doc """
  Validates email uniqueness across linked Member-User pairs.
@ -30,8 +32,7 @@ defmodule Mv.Membership.Member.Validations.EmailNotUsedByOtherUser do
  def validate(changeset, _opts, _context) do
    email_changing? = Ash.Changeset.changing_attribute?(changeset, :email)
-    actor = Map.get(changeset.context || %{}, :actor)
+    linked_user_id = get_linked_user_id(changeset.data)
    linked_user_id = get_linked_user_id(changeset.data, actor)
    is_linked? = not is_nil(linked_user_id)
    # Only validate if member is already linked AND email is changing
@ -40,19 +41,22 @@ defmodule Mv.Membership.Member.Validations.EmailNotUsedByOtherUser do
    if should_validate? do
      new_email = Ash.Changeset.get_attribute(changeset, :email)
-      check_email_uniqueness(new_email, linked_user_id, actor)
+      check_email_uniqueness(new_email, linked_user_id)
    else
      :ok
    end
  end
-  defp check_email_uniqueness(email, exclude_user_id, actor) do
+  defp check_email_uniqueness(email, exclude_user_id) do
    alias Mv.Helpers.SystemActor
    query =
      Mv.Accounts.User
      |> Ash.Query.filter(email == ^email)
      |> maybe_exclude_id(exclude_user_id)
-    opts = Helpers.ash_actor_opts(actor)
+    system_actor = SystemActor.get_system_actor()
    opts = Helpers.ash_actor_opts(system_actor)
    case Ash.read(query, opts) do
      {:ok, []} ->
@ -61,7 +65,11 @@ defmodule Mv.Membership.Member.Validations.EmailNotUsedByOtherUser do
      {:ok, _} ->
        {:error, field: :email, message: "is already used by another user", value: email}
-      {:error, _} ->
+      {:error, reason} ->
        Logger.warning(
          "Email uniqueness validation query failed for member email '#{email}': #{inspect(reason)}. Allowing operation to proceed (fail-open)."
        )
        :ok
    end
  end
@ -69,8 +77,11 @@ defmodule Mv.Membership.Member.Validations.EmailNotUsedByOtherUser do
  defp maybe_exclude_id(query, nil), do: query
  defp maybe_exclude_id(query, id), do: Ash.Query.filter(query, id != ^id)
-  defp get_linked_user_id(member_data, actor) do
+  defp get_linked_user_id(member_data) do
-    opts = Helpers.ash_actor_opts(actor)
+    alias Mv.Helpers.SystemActor
    system_actor = SystemActor.get_system_actor()
    opts = Helpers.ash_actor_opts(system_actor)
    case Ash.load(member_data, :user, opts) do
      {:ok, %{user: %{id: id}}} -> id
--- a/lib/mv/membership_fees/cycle_generator.ex
+++ b/lib/mv/membership_fees/cycle_generator.ex
@ -30,12 +30,11 @@ defmodule Mv.MembershipFees.CycleGenerator do
  ## Authorization
-  This module runs systemically and accepts optional actor parameters.
+  This module runs systemically and uses the system actor for all operations.
-  When called from hooks/changes, actor is extracted from changeset context.
+  This ensures that cycle generation always works, regardless of user permissions.
  When called directly, actor should be provided for proper authorization.
-  All functions accept an optional `actor` parameter in the `opts` keyword list
+  All functions use `Mv.Helpers.SystemActor.get_system_actor/0` to bypass
-  that is passed to Ash operations to ensure proper authorization checks are performed.
+  user permission checks, as cycle generation is a mandatory side effect.
  ## Examples
@ -47,6 +46,8 @@ defmodule Mv.MembershipFees.CycleGenerator do
  """
  alias Mv.Helpers
  alias Mv.Helpers.SystemActor
  alias Mv.Membership.Member
  alias Mv.MembershipFees.CalendarCycles
  alias Mv.MembershipFees.Changes.SetMembershipFeeStartDate
@ -86,9 +87,7 @@ defmodule Mv.MembershipFees.CycleGenerator do
  def generate_cycles_for_member(member_or_id, opts \\ [])
  def generate_cycles_for_member(member_id, opts) when is_binary(member_id) do
-    actor = Keyword.get(opts, :actor)
+    case load_member(member_id) do
    case load_member(member_id, actor: actor) do
      {:ok, member} -> generate_cycles_for_member(member, opts)
      {:error, reason} -> {:error, reason}
    end
@ -98,27 +97,25 @@ defmodule Mv.MembershipFees.CycleGenerator do
    today = Keyword.get(opts, :today, Date.utc_today())
    skip_lock? = Keyword.get(opts, :skip_lock?, false)
-    do_generate_cycles_with_lock(member, today, skip_lock?, opts)
+    do_generate_cycles_with_lock(member, today, skip_lock?)
  end
  # Generate cycles with lock handling
  # Returns {:ok, cycles, notifications} - notifications are never sent here,
  # they should be returned to the caller (e.g., via after_action hook)
-  defp do_generate_cycles_with_lock(member, today, true = _skip_lock?, opts) do
+  defp do_generate_cycles_with_lock(member, today, true = _skip_lock?) do
    # Lock already set by caller (e.g., regenerate_cycles_on_type_change)
    # Just generate cycles without additional locking
-    actor = Keyword.get(opts, :actor)
+    do_generate_cycles(member, today)
    do_generate_cycles(member, today, actor: actor)
  end
-  defp do_generate_cycles_with_lock(member, today, false, opts) do
+  defp do_generate_cycles_with_lock(member, today, false) do
    lock_key = :erlang.phash2(member.id)
    actor = Keyword.get(opts, :actor)
    Repo.transaction(fn ->
      Ecto.Adapters.SQL.query!(Repo, "SELECT pg_advisory_xact_lock($1)", [lock_key])
-      case do_generate_cycles(member, today, actor: actor) do
+      case do_generate_cycles(member, today) do
        {:ok, cycles, notifications} ->
          # Return cycles and notifications - do NOT send notifications here
          # They will be sent by the caller (e.g., via after_action hook)
@ -168,12 +165,15 @@ defmodule Mv.MembershipFees.CycleGenerator do
    # Query ALL members with fee type assigned (including inactive/left members)
    # The exit_date boundary is applied during cycle generation, not here.
    # This allows catch-up generation for members who left but are missing cycles.
    system_actor = SystemActor.get_system_actor()
    opts = Helpers.ash_actor_opts(system_actor)
    query =
      Member
      |> Ash.Query.filter(not is_nil(membership_fee_type_id))
      |> Ash.Query.filter(not is_nil(join_date))
-    case Ash.read(query) do
+    case Ash.read(query, opts) do
      {:ok, members} ->
        results = process_members_in_batches(members, batch_size, today)
        {:ok, build_results_summary(results)}
@ -235,33 +235,25 @@ defmodule Mv.MembershipFees.CycleGenerator do
  # Private functions
-  defp load_member(member_id, opts) do
+  defp load_member(member_id) do
-    actor = Keyword.get(opts, :actor)
+    system_actor = SystemActor.get_system_actor()
    opts = Helpers.ash_actor_opts(system_actor)
    query =
      Member
      |> Ash.Query.filter(id == ^member_id)
      |> Ash.Query.load([:membership_fee_type, :membership_fee_cycles])
-    result =
+    case Ash.read_one(query, opts) do
      if actor do
        Ash.read_one(query, actor: actor)
      else
        Ash.read_one(query)
      end
    case result do
      {:ok, nil} -> {:error, :member_not_found}
      {:ok, member} -> {:ok, member}
      {:error, reason} -> {:error, reason}
    end
  end
-  defp do_generate_cycles(member, today, opts) do
+  defp do_generate_cycles(member, today) do
    actor = Keyword.get(opts, :actor)
    # Reload member with relationships to ensure fresh data
-    case load_member(member.id, actor: actor) do
+    case load_member(member.id) do
      {:ok, member} ->
        cond do
          is_nil(member.membership_fee_type_id) ->
@ -271,7 +263,7 @@ defmodule Mv.MembershipFees.CycleGenerator do
            {:error, :no_join_date}
          true ->
-            generate_missing_cycles(member, today, actor: actor)
+            generate_missing_cycles(member, today)
        end
      {:error, reason} ->
@ -279,8 +271,7 @@ defmodule Mv.MembershipFees.CycleGenerator do
    end
  end
-  defp generate_missing_cycles(member, today, opts) do
+  defp generate_missing_cycles(member, today) do
    actor = Keyword.get(opts, :actor)
    fee_type = member.membership_fee_type
    interval = fee_type.interval
    amount = fee_type.amount
@ -296,7 +287,7 @@ defmodule Mv.MembershipFees.CycleGenerator do
    # Only generate if start_date <= end_date
    if start_date && Date.compare(start_date, end_date) != :gt do
      cycle_starts = generate_cycle_starts(start_date, end_date, interval)
-      create_cycles(cycle_starts, member.id, fee_type.id, amount, actor: actor)
+      create_cycles(cycle_starts, member.id, fee_type.id, amount)
    else
      {:ok, [], []}
    end
@ -391,8 +382,10 @@ defmodule Mv.MembershipFees.CycleGenerator do
    end
  end
-  defp create_cycles(cycle_starts, member_id, fee_type_id, amount, opts) do
+  defp create_cycles(cycle_starts, member_id, fee_type_id, amount) do
-    actor = Keyword.get(opts, :actor)
+    system_actor = SystemActor.get_system_actor()
    opts = Helpers.ash_actor_opts(system_actor)
    # Always use return_notifications?: true to collect notifications
    # Notifications will be returned to the caller, who is responsible for
    # sending them (e.g., via after_action hook returning {:ok, result, notifications})
@ -407,7 +400,7 @@ defmodule Mv.MembershipFees.CycleGenerator do
        }
        handle_cycle_creation_result(
-          Ash.create(MembershipFeeCycle, attrs, return_notifications?: true, actor: actor),
+          Ash.create(MembershipFeeCycle, attrs, [return_notifications?: true] ++ opts),
          cycle_start
        )
      end)
--- a/lib/mv_web.ex
+++ b/lib/mv_web.ex
@ -52,7 +52,8 @@ defmodule MvWeb do
    quote do
      use Phoenix.LiveView
-      on_mount MvWeb.LiveHelpers
+      on_mount {MvWeb.LiveHelpers, :default}
      on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
      unquote(html_helpers())
    end
--- a/lib/mv_web/controllers/page_controller.ex
+++ b/lib/mv_web/controllers/page_controller.ex
@ -1,4 +1,10 @@
 defmodule MvWeb.PageController do
  @moduledoc """
  Controller for rendering the homepage.
  This controller handles the root route and renders the application's
  homepage view.
  """
  use MvWeb, :controller
  def home(conn, _params) do
--- a/lib/mv_web/live/auth/link_oidc_account_live.ex
+++ b/lib/mv_web/live/auth/link_oidc_account_live.ex
@ -20,10 +20,13 @@ defmodule MvWeb.LinkOidcAccountLive do
  @impl true
  def mount(_params, session, socket) do
    # Use SystemActor for authorization during OIDC linking (user is not yet logged in)
    system_actor = Mv.Helpers.SystemActor.get_system_actor()
    with user_id when not is_nil(user_id) <- Map.get(session, "oidc_linking_user_id"),
         oidc_user_info when not is_nil(oidc_user_info) <-
           Map.get(session, "oidc_linking_user_info"),
-         {:ok, user} <- Ash.get(Mv.Accounts.User, user_id) do
+         {:ok, user} <- Ash.get(Mv.Accounts.User, user_id, actor: system_actor) do
      # Check if user is passwordless
      if passwordless?(user) do
        # Auto-link passwordless user immediately
@ -46,9 +49,12 @@ defmodule MvWeb.LinkOidcAccountLive do
  end
  defp reload_user!(user_id) do
    # Use SystemActor for authorization during OIDC linking (user is not yet logged in)
    system_actor = Mv.Helpers.SystemActor.get_system_actor()
    Mv.Accounts.User
    |> Ash.Query.filter(id == ^user_id)
-    |> Ash.read_one!()
+    |> Ash.read_one!(actor: system_actor)
  end
  defp reset_password_form(socket) do
@ -58,13 +64,16 @@ defmodule MvWeb.LinkOidcAccountLive do
  defp auto_link_passwordless_user(socket, user, oidc_user_info) do
    oidc_id = Map.get(oidc_user_info, "sub") || Map.get(oidc_user_info, "id")
    # Use SystemActor for authorization (passwordless user auto-linking)
    system_actor = Mv.Helpers.SystemActor.get_system_actor()
    case user.id
         |> reload_user!()
         |> Ash.Changeset.for_update(:link_oidc_id, %{
           oidc_id: oidc_id,
           oidc_user_info: oidc_user_info
         })
-         |> Ash.update() do
+         |> Ash.update(actor: system_actor) do
      {:ok, updated_user} ->
        Logger.info(
          "Passwordless account auto-linked to OIDC: user_id=#{updated_user.id}, oidc_id=#{oidc_id}"
@ -187,6 +196,9 @@ defmodule MvWeb.LinkOidcAccountLive do
  defp link_oidc_account(socket, user, oidc_user_info) do
    oidc_id = Map.get(oidc_user_info, "sub") || Map.get(oidc_user_info, "id")
    # Use SystemActor for authorization (user just verified password but is not yet logged in)
    system_actor = Mv.Helpers.SystemActor.get_system_actor()
    # Update the user with the OIDC ID
    case user.id
         |> reload_user!()
@ -194,7 +206,7 @@ defmodule MvWeb.LinkOidcAccountLive do
           oidc_id: oidc_id,
           oidc_user_info: oidc_user_info
         })
-         |> Ash.update() do
+         |> Ash.update(actor: system_actor) do
      {:ok, updated_user} ->
        # After successful linking, redirect to OIDC login
        # Since the user now has an oidc_id, the next OIDC login will succeed
--- a/lib/mv_web/live/contribution_period_live/show.ex
+++ b/lib/mv_web/live/contribution_period_live/show.ex
@ -1,345 +0,0 @@
 defmodule MvWeb.ContributionPeriodLive.Show do
  @moduledoc """
  Mock-up LiveView for Member Contribution Periods (Admin/Treasurer View).
  This is a preview-only page that displays the planned UI for viewing
  and managing contribution periods for a specific member.
  It shows static mock data and is not functional.
  ## Planned Features (Future Implementation)
  - Display all contribution periods for a member
  - Show period dates, interval, amount, and status
  - Quick status change (paid/unpaid/suspended)
  - Bulk marking of multiple periods
  - Notes per period
  ## Note
  This page is intentionally non-functional and serves as a UI mockup
  for the upcoming Membership Contributions feature.
  """
  use MvWeb, :live_view
  @impl true
  def mount(_params, _session, socket) do
    {:ok,
     socket
     |> assign(:page_title, gettext("Member Contributions"))
     |> assign(:member, mock_member())
     |> assign(:periods, mock_periods())
     |> assign(:selected_periods, MapSet.new())}
  end
  @impl true
  def render(assigns) do
    ~H"""
    <Layouts.app flash={@flash} current_user={@current_user}>
      <.mockup_warning />
      <.header>
        {gettext("Contributions for %{name}", name: MvWeb.Helpers.MemberHelpers.display_name(@member))}
        <:subtitle>
          {gettext("Contribution type")}:
          <span class="font-semibold">{@member.contribution_type}</span>
          · {gettext("Member since")}: <span class="font-mono">{@member.joined_at}</span>
        </:subtitle>
        <:actions>
          <.link navigate={~p"/membership_fee_settings"} class="btn btn-ghost btn-sm">
            <.icon name="hero-arrow-left" class="size-4" />
            {gettext("Back to Settings")}
          </.link>
        </:actions>
      </.header>
      <%!-- Member Info Card --%>
      <div class="mb-6 shadow card bg-base-100">
        <div class="card-body">
          <div class="grid grid-cols-2 gap-4 md:grid-cols-4">
            <div>
              <span class="text-sm text-base-content/60">{gettext("Email")}</span>
              <p class="font-medium">{@member.email}</p>
            </div>
            <div>
              <span class="text-sm text-base-content/60">{gettext("Contribution Start")}</span>
              <p class="font-mono">{@member.contribution_start}</p>
            </div>
            <div>
              <span class="text-sm text-base-content/60">{gettext("Total Contributions")}</span>
              <p class="font-semibold">{length(@periods)}</p>
            </div>
            <div>
              <span class="text-sm text-base-content/60">{gettext("Open Contributions")}</span>
              <p class="font-semibold text-error">
                {Enum.count(@periods, &(&1.status == :unpaid))}
              </p>
            </div>
          </div>
        </div>
      </div>
      <%!-- Contribution Type Change --%>
      <div class="mb-6 card bg-base-200">
        <div class="py-4 card-body">
          <div class="flex flex-wrap items-center gap-4">
            <span class="font-semibold">{gettext("Change Contribution Type")}:</span>
            <select class="w-64 select select-bordered select-sm" disabled>
              <option selected>{@member.contribution_type} (60,00 €, {gettext("Yearly")})</option>
              <option>{gettext("Reduced")} (30,00 €, {gettext("Yearly")})</option>
              <option>{gettext("Honorary")} (0,00 €, {gettext("Yearly")})</option>
            </select>
            <span
              class="text-sm text-base-content/60 cursor-help tooltip tooltip-bottom"
              data-tip={
                gettext(
                  "Members can only switch between contribution types with the same payment interval (e.g., yearly to yearly). This prevents complex period overlaps."
                )
              }
            >
              <.icon name="hero-question-mark-circle" class="inline size-4" />
              {gettext("Why are not all contribution types shown?")}
            </span>
          </div>
        </div>
      </div>
      <%!-- Bulk Actions --%>
      <div class="flex flex-wrap items-center gap-4 mb-4">
        <span class="text-sm text-base-content/60">
          {ngettext(
            "%{count} period selected",
            "%{count} periods selected",
            MapSet.size(@selected_periods),
            count: MapSet.size(@selected_periods)
          )}
        </span>
        <button class="btn btn-sm btn-success" disabled>
          <.icon name="hero-check" class="size-4" />
          {gettext("Mark as Paid")}
        </button>
        <button class="btn btn-sm btn-ghost" disabled>
          <.icon name="hero-minus-circle" class="size-4" />
          {gettext("Mark as Suspended")}
        </button>
        <button class="btn btn-sm btn-ghost" disabled>
          <.icon name="hero-x-circle" class="size-4" />
          {gettext("Mark as Unpaid")}
        </button>
      </div>
      <%!-- Periods Table --%>
      <div class="overflow-x-auto">
        <table class="table table-zebra">
          <thead>
            <tr>
              <th>
                <input type="checkbox" class="checkbox checkbox-sm" disabled />
              </th>
              <th>{gettext("Time Period")}</th>
              <th>{gettext("Interval")}</th>
              <th>{gettext("Amount")}</th>
              <th>{gettext("Status")}</th>
              <th>{gettext("Notes")}</th>
              <th>{gettext("Actions")}</th>
            </tr>
          </thead>
          <tbody>
            <tr :for={period <- @periods} class={period_row_class(period.status)}>
              <td>
                <input
                  type="checkbox"
                  class="checkbox checkbox-sm"
                  checked={MapSet.member?(@selected_periods, period.id)}
                  disabled
                />
              </td>
              <td>
                <div class="font-mono">
                  {period.period_start} – {period.period_end}
                </div>
                <div :if={period.is_current} class="mt-1 badge badge-info badge-sm">
                  {gettext("Current")}
                </div>
              </td>
              <td>
                <span class="badge badge-outline badge-sm">{format_interval(period.interval)}</span>
              </td>
              <td>
                <span class="font-mono">{format_currency(period.amount)}</span>
              </td>
              <td>
                <.status_badge status={period.status} />
              </td>
              <td>
                <span :if={period.notes} class="text-sm italic text-base-content/60">
                  {period.notes}
                </span>
                <span :if={!period.notes} class="text-base-content/30">—</span>
              </td>
              <td class="w-0 font-semibold whitespace-nowrap">
                <div class="flex gap-4">
                  <.link
                    href="#"
                    class={[
                      "cursor-not-allowed",
                      if(period.status == :paid, do: "invisible", else: "opacity-50")
                    ]}
                  >
                    {gettext("Paid")}
                  </.link>
                  <.link
                    href="#"
                    class={[
                      "cursor-not-allowed",
                      if(period.status == :suspended, do: "invisible", else: "opacity-50")
                    ]}
                  >
                    {gettext("Suspend")}
                  </.link>
                  <.link
                    href="#"
                    class={[
                      "cursor-not-allowed",
                      if(period.status != :paid, do: "invisible", else: "opacity-50")
                    ]}
                  >
                    {gettext("Reopen")}
                  </.link>
                  <.link href="#" class="opacity-50 cursor-not-allowed">
                    {gettext("Note")}
                  </.link>
                </div>
              </td>
            </tr>
          </tbody>
        </table>
      </div>
    </Layouts.app>
    """
  end
  # Mock-up warning banner component - subtle orange style
  defp mockup_warning(assigns) do
    ~H"""
    <div class="flex items-center gap-3 px-4 py-3 mb-6 border rounded-lg border-warning text-warning bg-base-100">
      <.icon name="hero-exclamation-triangle" class="size-5 shrink-0" />
      <div>
        <span class="font-semibold">{gettext("Preview Mockup")}</span>
        <span class="ml-2 text-sm text-base-content/70">
          – {gettext("This page is not functional and only displays the planned features.")}
        </span>
      </div>
    </div>
    """
  end
  # Status badge component
  attr :status, :atom, required: true
  defp status_badge(%{status: :paid} = assigns) do
    ~H"""
    <span class="gap-1 badge badge-success">
      <.icon name="hero-check-circle-mini" class="size-3" />
      {gettext("Paid")}
    </span>
    """
  end
  defp status_badge(%{status: :unpaid} = assigns) do
    ~H"""
    <span class="gap-1 badge badge-error">
      <.icon name="hero-x-circle-mini" class="size-3" />
      {gettext("Unpaid")}
    </span>
    """
  end
  defp status_badge(%{status: :suspended} = assigns) do
    ~H"""
    <span class="gap-1 badge badge-neutral">
      <.icon name="hero-pause-circle-mini" class="size-3" />
      {gettext("Suspended")}
    </span>
    """
  end
  defp period_row_class(:unpaid), do: "bg-error/5"
  defp period_row_class(:suspended), do: "bg-base-200/50"
  defp period_row_class(_), do: ""
  # Mock member data
  defp mock_member do
    %{
      id: "123",
      first_name: "Maria",
      last_name: "Weber",
      email: "maria.weber@example.de",
      contribution_type: gettext("Regular"),
      joined_at: "15.03.2021",
      contribution_start: "01.01.2021"
    }
  end
  # Mock periods data
  defp mock_periods do
    [
      %{
        id: "p1",
        period_start: "01.01.2025",
        period_end: "31.12.2025",
        interval: :yearly,
        amount: Decimal.new("60.00"),
        status: :unpaid,
        notes: nil,
        is_current: true
      },
      %{
        id: "p2",
        period_start: "01.01.2024",
        period_end: "31.12.2024",
        interval: :yearly,
        amount: Decimal.new("60.00"),
        status: :paid,
        notes: gettext("Paid via bank transfer"),
        is_current: false
      },
      %{
        id: "p3",
        period_start: "01.01.2023",
        period_end: "31.12.2023",
        interval: :yearly,
        amount: Decimal.new("50.00"),
        status: :paid,
        notes: nil,
        is_current: false
      },
      %{
        id: "p4",
        period_start: "01.01.2022",
        period_end: "31.12.2022",
        interval: :yearly,
        amount: Decimal.new("50.00"),
        status: :paid,
        notes: nil,
        is_current: false
      },
      %{
        id: "p5",
        period_start: "01.01.2021",
        period_end: "31.12.2021",
        interval: :yearly,
        amount: Decimal.new("50.00"),
        status: :suspended,
        notes: gettext("Joining year - reduced to 0"),
        is_current: false
      }
    ]
  end
  defp format_currency(%Decimal{} = amount) do
    "#{Decimal.to_string(amount)} €"
  end
  defp format_interval(:monthly), do: gettext("Monthly")
  defp format_interval(:quarterly), do: gettext("Quarterly")
  defp format_interval(:half_yearly), do: gettext("Half-yearly")
  defp format_interval(:yearly), do: gettext("Yearly")
 end
--- a/lib/mv_web/live/contribution_type_live/index.ex
+++ b/lib/mv_web/live/contribution_type_live/index.ex
@ -1,205 +0,0 @@
 defmodule MvWeb.ContributionTypeLive.Index do
  @moduledoc """
  Mock-up LiveView for Contribution Types Management (Admin).
  This is a preview-only page that displays the planned UI for managing
  contribution types. It shows static mock data and is not functional.
  ## Planned Features (Future Implementation)
  - List all contribution types
  - Display: Name, Amount, Interval, Member count
  - Create new contribution types
  - Edit existing contribution types (name, amount, description - NOT interval)
  - Delete contribution types (if no members assigned)
  ## Note
  This page is intentionally non-functional and serves as a UI mockup
  for the upcoming Membership Contributions feature.
  """
  use MvWeb, :live_view
  @impl true
  def mount(_params, _session, socket) do
    {:ok,
     socket
     |> assign(:page_title, gettext("Contribution Types"))
     |> assign(:contribution_types, mock_contribution_types())}
  end
  @impl true
  def render(assigns) do
    ~H"""
    <Layouts.app flash={@flash} current_user={@current_user}>
      <.mockup_warning />
      <.header>
        {gettext("Contribution Types")}
        <:subtitle>
          {gettext("Manage contribution types for membership fees.")}
        </:subtitle>
        <:actions>
          <button class="btn btn-primary" disabled>
            <.icon name="hero-plus" /> {gettext("New Contribution Type")}
          </button>
        </:actions>
      </.header>
      <.table id="contribution_types" rows={@contribution_types} row_id={fn ct -> "ct-#{ct.id}" end}>
        <:col :let={ct} label={gettext("Name")}>
          <span class="font-medium">{ct.name}</span>
          <p :if={ct.description} class="text-sm text-base-content/60">{ct.description}</p>
        </:col>
        <:col :let={ct} label={gettext("Amount")}>
          <span class="font-mono">{format_currency(ct.amount)}</span>
        </:col>
        <:col :let={ct} label={gettext("Interval")}>
          <span class="badge badge-outline">{format_interval(ct.interval)}</span>
        </:col>
        <:col :let={ct} label={gettext("Members")}>
          <span class="badge badge-ghost">{ct.member_count}</span>
        </:col>
        <:action :let={_ct}>
          <button class="btn btn-ghost btn-xs" disabled title={gettext("Edit")}>
            <.icon name="hero-pencil" class="size-4" />
          </button>
        </:action>
        <:action :let={ct}>
          <button
            class="btn btn-ghost btn-xs text-error"
            disabled
            title={
              if ct.member_count > 0,
                do: gettext("Cannot delete - members assigned"),
                else: gettext("Delete")
            }
          >
            <.icon name="hero-trash" class="size-4" />
          </button>
        </:action>
      </.table>
      <.info_card />
    </Layouts.app>
    """
  end
  # Mock-up warning banner component - subtle orange style
  defp mockup_warning(assigns) do
    ~H"""
    <div class="border border-warning text-warning bg-base-100 rounded-lg px-4 py-3 mb-6 flex items-center gap-3">
      <.icon name="hero-exclamation-triangle" class="size-5 shrink-0" />
      <div>
        <span class="font-semibold">{gettext("Preview Mockup")}</span>
        <span class="text-sm text-base-content/70 ml-2">
          – {gettext("This page is not functional and only displays the planned features.")}
        </span>
      </div>
    </div>
    """
  end
  # Info card explaining the contribution type concept
  defp info_card(assigns) do
    ~H"""
    <div class="card bg-base-200 mt-6">
      <div class="card-body">
        <h2 class="card-title">
          <.icon name="hero-information-circle" class="size-5" />
          {gettext("About Contribution Types")}
        </h2>
        <div class="prose prose-sm max-w-none">
          <p>
            {gettext(
              "Contribution types define different membership fee structures. Each type has a fixed cycle (monthly, quarterly, half-yearly, yearly) that cannot be changed after creation."
            )}
          </p>
          <ul>
            <li>
              <strong>{gettext("Name & Amount")}</strong>
              - {gettext("Can be changed at any time. Amount changes affect future periods only.")}
            </li>
            <li>
              <strong>{gettext("Interval")}</strong>
              - {gettext(
                "Fixed after creation. Members can only switch between types with the same interval."
              )}
            </li>
            <li>
              <strong>{gettext("Deletion")}</strong>
              - {gettext("Only possible if no members are assigned to this type.")}
            </li>
          </ul>
        </div>
      </div>
    </div>
    """
  end
  # Mock data for demonstration
  defp mock_contribution_types do
    [
      %{
        id: "1",
        name: gettext("Regular"),
        description: gettext("Standard membership fee for regular members"),
        amount: Decimal.new("60.00"),
        interval: :yearly,
        member_count: 45
      },
      %{
        id: "2",
        name: gettext("Reduced"),
        description: gettext("Reduced fee for unemployed, pensioners, or low income"),
        amount: Decimal.new("30.00"),
        interval: :yearly,
        member_count: 12
      },
      %{
        id: "3",
        name: gettext("Student"),
        description: gettext("Monthly fee for students and trainees"),
        amount: Decimal.new("5.00"),
        interval: :monthly,
        member_count: 8
      },
      %{
        id: "4",
        name: gettext("Family"),
        description: gettext("Quarterly fee for family memberships"),
        amount: Decimal.new("25.00"),
        interval: :quarterly,
        member_count: 15
      },
      %{
        id: "5",
        name: gettext("Supporting Member"),
        description: gettext("Half-yearly contribution for supporting members"),
        amount: Decimal.new("100.00"),
        interval: :half_yearly,
        member_count: 3
      },
      %{
        id: "6",
        name: gettext("Honorary"),
        description: gettext("No fee for honorary members"),
        amount: Decimal.new("0.00"),
        interval: :yearly,
        member_count: 2
      }
    ]
  end
  defp format_currency(%Decimal{} = amount) do
    "#{Decimal.to_string(amount)} €"
  end
  defp format_interval(:monthly), do: gettext("Monthly")
  defp format_interval(:quarterly), do: gettext("Quarterly")
  defp format_interval(:half_yearly), do: gettext("Half-yearly")
  defp format_interval(:yearly), do: gettext("Yearly")
 end
--- a/lib/mv_web/live/custom_field_value_live/form.ex
+++ b/lib/mv_web/live/custom_field_value_live/form.ex
@ -1,300 +0,0 @@
 defmodule MvWeb.CustomFieldValueLive.Form do
  @moduledoc """
  LiveView form for creating and editing custom field values.
  ## Features
  - Create new custom field values with member and type selection
  - Edit existing custom field values
  - Value input adapts to custom field type (string, integer, boolean, date, email)
  - Real-time validation
  ## Form Fields
  **Required:**
  - member - Select which member owns this custom field value
  - custom_field - Select the type (defines value type)
  - value - The actual value (input type depends on custom field type)
  ## Value Types
  The form dynamically renders appropriate inputs based on custom field type:
  - String: text input
  - Integer: number input
  - Boolean: checkbox
  - Date: date picker
  - Email: email input with validation
  ## Events
  - `validate` - Real-time form validation
  - `save` - Submit form (create or update custom field value)
  ## Note
  Custom field values are typically managed through the member edit form,
  not through this standalone form.
  """
  use MvWeb, :live_view
  on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
  import MvWeb.LiveHelpers, only: [current_actor: 1, submit_form: 3]
  @impl true
  def render(assigns) do
    ~H"""
    <Layouts.app flash={@flash} current_user={@current_user}>
      <.header>
        {@page_title}
        <:subtitle>
          {gettext("Use this form to manage Custom Field Value records in your database.")}
        </:subtitle>
      </.header>
      <.form for={@form} id="custom_field_value-form" phx-change="validate" phx-submit="save">
        <!-- Custom Field Selection -->
        <.input
          field={@form[:custom_field_id]}
          type="select"
          label={gettext("Custom field")}
          options={custom_field_options(@custom_fields)}
          prompt={gettext("Choose a custom field")}
        />
    <!-- Member Selection -->
        <.input
          field={@form[:member_id]}
          type="select"
          label={gettext("Member")}
          options={member_options(@members)}
          prompt={gettext("Choose a member")}
        />
    <!-- Value Input - handles Union type -->
        <%= if @selected_custom_field do %>
          <.union_value_input form={@form} custom_field={@selected_custom_field} />
        <% else %>
          <div class="text-sm text-gray-600">
            {gettext("Please select a custom field first")}
          </div>
        <% end %>
        <.button phx-disable-with={gettext("Saving...")} variant="primary">
          {gettext("Save Custom Field Value")}
        </.button>
        <.button navigate={return_path(@return_to, @custom_field_value)}>{gettext("Cancel")}</.button>
      </.form>
    </Layouts.app>
    """
  end
  # Helper function for Union-Value Input
  defp union_value_input(assigns) do
    # Extract the current value from the CustomFieldValue
    current_value = extract_current_value(assigns.form.data, assigns.custom_field.value_type)
    assigns = assign(assigns, :current_value, current_value)
    ~H"""
    <div class="space-y-2">
      <label class="block text-sm font-medium text-gray-700">
        {gettext("Value")}
      </label>
      <%= case @custom_field.value_type do %>
        <% :string -> %>
          <.inputs_for :let={value_form} field={@form[:value]}>
            <.input field={value_form[:value]} type="text" label="" value={@current_value} />
            <input type="hidden" name={value_form[:_union_type].name} value="string" />
          </.inputs_for>
        <% :integer -> %>
          <.inputs_for :let={value_form} field={@form[:value]}>
            <.input field={value_form[:value]} type="number" label="" value={@current_value} />
            <input type="hidden" name={value_form[:_union_type].name} value="integer" />
          </.inputs_for>
        <% :boolean -> %>
          <.inputs_for :let={value_form} field={@form[:value]}>
            <.input field={value_form[:value]} type="checkbox" label="" checked={@current_value} />
            <input type="hidden" name={value_form[:_union_type].name} value="boolean" />
          </.inputs_for>
        <% :date -> %>
          <.inputs_for :let={value_form} field={@form[:value]}>
            <.input
              field={value_form[:value]}
              type="date"
              label=""
              value={format_date_value(@current_value)}
            />
            <input type="hidden" name={value_form[:_union_type].name} value="date" />
          </.inputs_for>
        <% :email -> %>
          <.inputs_for :let={value_form} field={@form[:value]}>
            <.input field={value_form[:value]} type="email" label="" value={@current_value} />
            <input type="hidden" name={value_form[:_union_type].name} value="email" />
          </.inputs_for>
        <% _ -> %>
          <div class="text-sm text-red-600">
            {gettext("Unsupported value type: %{type}", type: @custom_field.value_type)}
          </div>
      <% end %>
    </div>
    """
  end
  # Helper function to extract the current value from the CustomFieldValue
  defp extract_current_value(
         %Mv.Membership.CustomFieldValue{value: %Ash.Union{value: value}},
         _value_type
       ) do
    value
  end
  defp extract_current_value(_data, _value_type) do
    nil
  end
  # Helper function to format Date values for HTML input
  defp format_date_value(%Date{} = date) do
    Date.to_iso8601(date)
  end
  defp format_date_value(nil), do: ""
  defp format_date_value(date) when is_binary(date) do
    case Date.from_iso8601(date) do
      {:ok, parsed_date} -> Date.to_iso8601(parsed_date)
      _ -> ""
    end
  end
  defp format_date_value(_), do: ""
  @impl true
  def mount(params, _session, socket) do
    custom_field_value =
      case params["id"] do
        nil -> nil
        id -> Ash.get!(Mv.Membership.CustomFieldValue, id) |> Ash.load!([:custom_field])
      end
    action = if is_nil(custom_field_value), do: "New", else: "Edit"
    page_title = action <> " " <> "Custom field value"
    # Load all CustomFields and Members for the selection fields
    actor = current_actor(socket)
    custom_fields = Ash.read!(Mv.Membership.CustomField, actor: actor)
    members = Ash.read!(Mv.Membership.Member, actor: actor)
    {:ok,
     socket
     |> assign(:return_to, return_to(params["return_to"]))
     |> assign(custom_field_value: custom_field_value)
     |> assign(:page_title, page_title)
     |> assign(:custom_fields, custom_fields)
     |> assign(:members, members)
     |> assign(:selected_custom_field, custom_field_value && custom_field_value.custom_field)
     |> assign_form()}
  end
  defp return_to("show"), do: "show"
  defp return_to(_), do: "index"
  @impl true
  def handle_event("validate", %{"custom_field_value" => custom_field_value_params}, socket) do
    # Find the selected CustomField
    selected_custom_field =
      case custom_field_value_params["custom_field_id"] do
        "" -> nil
        nil -> nil
        id -> Enum.find(socket.assigns.custom_fields, &(&1.id == id))
      end
    # Set the Union type based on the selected CustomField
    updated_params =
      if selected_custom_field do
        union_type = to_string(selected_custom_field.value_type)
        put_in(custom_field_value_params, ["value", "_union_type"], union_type)
      else
        custom_field_value_params
      end
    {:noreply,
     socket
     |> assign(:selected_custom_field, selected_custom_field)
     |> assign(form: AshPhoenix.Form.validate(socket.assigns.form, updated_params))}
  end
  def handle_event("save", %{"custom_field_value" => custom_field_value_params}, socket) do
    # Set the Union type based on the selected CustomField
    updated_params =
      if socket.assigns.selected_custom_field do
        union_type = to_string(socket.assigns.selected_custom_field.value_type)
        put_in(custom_field_value_params, ["value", "_union_type"], union_type)
      else
        custom_field_value_params
      end
    actor = current_actor(socket)
    case submit_form(socket.assigns.form, updated_params, actor) do
      {:ok, custom_field_value} ->
        notify_parent({:saved, custom_field_value})
        action =
          case socket.assigns.form.source.type do
            :create -> gettext("create")
            :update -> gettext("update")
            other -> to_string(other)
          end
        socket =
          socket
          |> put_flash(
            :info,
            gettext("Custom field value %{action} successfully", action: action)
          )
          |> push_navigate(to: return_path(socket.assigns.return_to, custom_field_value))
        {:noreply, socket}
      {:error, form} ->
        {:noreply, assign(socket, form: form)}
    end
  end
  defp notify_parent(msg), do: send(self(), {__MODULE__, msg})
  defp assign_form(%{assigns: %{custom_field_value: custom_field_value}} = socket) do
    form =
      if custom_field_value do
        # Determine the Union type based on the custom_field
        union_type = custom_field_value.custom_field && custom_field_value.custom_field.value_type
        params =
          if union_type do
            %{"value" => %{"_union_type" => to_string(union_type)}}
          else
            %{}
          end
        AshPhoenix.Form.for_update(custom_field_value, :update,
          as: "custom_field_value",
          params: params
        )
      else
        AshPhoenix.Form.for_create(Mv.Membership.CustomFieldValue, :create,
          as: "custom_field_value"
        )
      end
    assign(socket, form: to_form(form))
  end
  defp return_path("index", _custom_field_value), do: ~p"/custom_field_values"
  defp return_path("show", custom_field_value),
    do: ~p"/custom_field_values/#{custom_field_value.id}"
  # Helper functions for selection options
  defp custom_field_options(custom_fields) do
    Enum.map(custom_fields, &{&1.name, &1.id})
  end
  defp member_options(members) do
    Enum.map(members, &{MvWeb.Helpers.MemberHelpers.display_name(&1), &1.id})
  end
 end
--- a/lib/mv_web/live/custom_field_value_live/index.ex
+++ b/lib/mv_web/live/custom_field_value_live/index.ex
@ -1,157 +0,0 @@
 defmodule MvWeb.CustomFieldValueLive.Index do
  @moduledoc """
  LiveView for displaying and managing custom field values.
  ## Features
  - List all custom field values with their values and types
  - Show which member each custom field value belongs to
  - Display custom field information
  - Navigate to custom field value details and edit forms
  - Delete custom field values
  ## Relationships
  Each custom field value is linked to:
  - A member (the custom field value owner)
  - A custom field (defining value type and behavior)
  ## Events
  - `delete` - Remove a custom field value from the database
  ## Note
  Custom field values are typically managed through the member edit form.
  This view provides a global overview of all custom field values.
  """
  use MvWeb, :live_view
  on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
  import MvWeb.LiveHelpers, only: [current_actor: 1]
  @impl true
  def render(assigns) do
    ~H"""
    <Layouts.app flash={@flash} current_user={@current_user}>
      <.header>
        Listing Custom field values
        <:actions>
          <.button variant="primary" navigate={~p"/custom_field_values/new"}>
            <.icon name="hero-plus" /> New Custom field value
          </.button>
        </:actions>
      </.header>
      <.table
        id="custom_field_values"
        rows={@streams.custom_field_values}
        row_click={
          fn {_id, custom_field_value} ->
            JS.navigate(~p"/custom_field_values/#{custom_field_value}")
          end
        }
      >
        <:col :let={{_id, custom_field_value}} label="Id">{custom_field_value.id}</:col>
        <:action :let={{_id, custom_field_value}}>
          <div class="sr-only">
            <.link navigate={~p"/custom_field_values/#{custom_field_value}"}>Show</.link>
          </div>
          <.link navigate={~p"/custom_field_values/#{custom_field_value}/edit"}>Edit</.link>
        </:action>
        <:action :let={{id, custom_field_value}}>
          <.link
            phx-click={JS.push("delete", value: %{id: custom_field_value.id}) |> hide("##{id}")}
            data-confirm="Are you sure?"
          >
            Delete
          </.link>
        </:action>
      </.table>
    </Layouts.app>
    """
  end
  @impl true
  def mount(_params, _session, socket) do
    actor = current_actor(socket)
    # Early return if no actor (prevents exceptions in unauthenticated tests)
    if is_nil(actor) do
      {:ok,
       socket
       |> assign(:page_title, "Listing Custom field values")
       |> stream(:custom_field_values, [])}
    else
      case Ash.read(Mv.Membership.CustomFieldValue, actor: actor) do
        {:ok, custom_field_values} ->
          {:ok,
           socket
           |> assign(:page_title, "Listing Custom field values")
           |> stream(:custom_field_values, custom_field_values)}
        {:error, %Ash.Error.Forbidden{}} ->
          {:ok,
           socket
           |> assign(:page_title, "Listing Custom field values")
           |> stream(:custom_field_values, [])
           |> put_flash(:error, gettext("You do not have permission to view custom field values"))}
        {:error, error} ->
          {:ok,
           socket
           |> assign(:page_title, "Listing Custom field values")
           |> stream(:custom_field_values, [])
           |> put_flash(:error, format_error(error))}
      end
    end
  end
  @impl true
  def handle_event("delete", %{"id" => id}, socket) do
    actor = MvWeb.LiveHelpers.current_actor(socket)
    case Ash.get(Mv.Membership.CustomFieldValue, id, actor: actor) do
      {:ok, custom_field_value} ->
        case Ash.destroy(custom_field_value, actor: actor) do
          :ok ->
            {:noreply,
             socket
             |> stream_delete(:custom_field_values, custom_field_value)
             |> put_flash(:info, gettext("Custom field value deleted successfully"))}
          {:error, %Ash.Error.Forbidden{}} ->
            {:noreply,
             put_flash(
               socket,
               :error,
               gettext("You do not have permission to delete this custom field value")
             )}
          {:error, error} ->
            {:noreply, put_flash(socket, :error, format_error(error))}
        end
      {:error, %Ash.Error.Query.NotFound{}} ->
        {:noreply, put_flash(socket, :error, gettext("Custom field value not found"))}
      {:error, %Ash.Error.Forbidden{} = _error} ->
        {:noreply,
         put_flash(
           socket,
           :error,
           gettext("You do not have permission to access this custom field value")
         )}
      {:error, error} ->
        {:noreply, put_flash(socket, :error, format_error(error))}
    end
  end
  defp format_error(%Ash.Error.Invalid{errors: errors}) do
    Enum.map_join(errors, ", ", fn %{message: message} -> message end)
  end
  defp format_error(error) do
    inspect(error)
  end
 end
--- a/lib/mv_web/live/custom_field_value_live/show.ex
+++ b/lib/mv_web/live/custom_field_value_live/show.ex
@ -1,67 +0,0 @@
 defmodule MvWeb.CustomFieldValueLive.Show do
  @moduledoc """
  LiveView for displaying a single custom field value's details.
  ## Features
  - Display custom field value and type
  - Show linked member
  - Show custom field definition
  - Navigate to edit form
  - Return to custom field value list
  ## Displayed Information
  - Custom field value (formatted based on type)
  - Custom field name and description
  - Member information (who owns this custom field value)
  - Custom field value metadata (ID, timestamps if added)
  ## Navigation
  - Back to custom field value list
  - Edit custom field value
  """
  use MvWeb, :live_view
  @impl true
  def render(assigns) do
    ~H"""
    <Layouts.app flash={@flash} current_user={@current_user}>
      <.header>
        Data field value {@custom_field_value.id}
        <:subtitle>This is a custom_field_value record from your database.</:subtitle>
        <:actions>
          <.button navigate={~p"/custom_field_values"}>
            <.icon name="hero-arrow-left" />
          </.button>
          <.button
            variant="primary"
            navigate={~p"/custom_field_values/#{@custom_field_value}/edit?return_to=show"}
          >
            <.icon name="hero-pencil-square" /> Edit Custom field value
          </.button>
        </:actions>
      </.header>
      <.list>
        <:item title="Id">{@custom_field_value.id}</:item>
      </.list>
    </Layouts.app>
    """
  end
  @impl true
  def mount(_params, _session, socket) do
    {:ok, socket}
  end
  @impl true
  def handle_params(%{"id" => id}, _, socket) do
    {:noreply,
     socket
     |> assign(:page_title, page_title(socket.assigns.live_action))
     |> assign(:custom_field_value, Ash.get!(Mv.Membership.CustomFieldValue, id))}
  end
  defp page_title(:show), do: "Show data field value"
  defp page_title(:edit), do: "Edit data field value"
 end
--- a/lib/mv_web/live/member_live/form.ex
+++ b/lib/mv_web/live/member_live/form.ex
@ -13,7 +13,7 @@ defmodule MvWeb.MemberLive.Form do
  ## Form Sections
  - Personal Data: Name, address, contact information, membership dates, notes
  - Custom Fields: Dynamic fields in uniform grid layout (displayed sorted by name)
-  - Payment Data: Mockup section (not editable)
+  - Membership Fee: Selection of membership fee type with interval validation
  ## Events
  - `validate` - Real-time form validation
@ -21,8 +21,6 @@ defmodule MvWeb.MemberLive.Form do
  """
  use MvWeb, :live_view
  on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
  import MvWeb.LiveHelpers, only: [current_actor: 1, submit_form: 3]
  alias Mv.MembershipFees
@ -295,11 +293,14 @@ defmodule MvWeb.MemberLive.Form do
          handle_save_success(socket, member)
        {:error, form} ->
-          {:noreply, assign(socket, form: form)}
+          handle_save_error(socket, form)
      end
    rescue
      _e in [Ash.Error.Forbidden, Ash.Error.Forbidden.Policy] ->
        handle_save_forbidden(socket)
      e ->
        handle_save_exception(socket, e)
    end
  end
@ -321,6 +322,13 @@ defmodule MvWeb.MemberLive.Form do
    {:noreply, socket}
  end
  defp handle_save_error(socket, form) do
    # Always show a flash message when save fails
    # Field-level validation errors are displayed in form fields, but flash provides additional feedback
    error_message = extract_error_message(form)
    {:noreply, socket |> assign(form: form) |> put_flash(:error, error_message)}
  end
  defp handle_save_forbidden(socket) do
    # Handle policy violations that aren't properly displayed in forms
    # AshPhoenix.Form doesn't implement FormData.Error protocol for Forbidden errors
@ -332,6 +340,98 @@ defmodule MvWeb.MemberLive.Form do
    {:noreply, put_flash(socket, :error, error_message)}
  end
  defp handle_save_exception(socket, exception) do
    # Handle unexpected exceptions (database errors, network issues, etc.)
    require Logger
    Logger.error("Unexpected error saving member: #{inspect(exception)}")
    action = get_action_name(socket.assigns.form.source.type)
    error_message = gettext("Failed to %{action} member.", action: action)
    {:noreply, put_flash(socket, :error, error_message)}
  end
  # Extracts a user-friendly error message from form errors
  defp extract_error_message(form) do
    source_errors = get_source_errors(form)
    cond do
      has_invalid_error?(source_errors) ->
        extract_invalid_error_message(source_errors)
      has_other_error?(source_errors) ->
        extract_other_error_message(source_errors)
      has_form_errors?(form) ->
        gettext("Please correct the errors in the form and try again.")
      true ->
        gettext("Failed to save member. Please try again.")
    end
  end
  # Checks if source errors contain an Ash.Error.Invalid
  defp has_invalid_error?([%Ash.Error.Invalid{errors: errors} | _]) when is_list(errors), do: true
  defp has_invalid_error?(_), do: false
  # Extracts message from Ash.Error.Invalid
  defp extract_invalid_error_message([%Ash.Error.Invalid{errors: errors} | _]) do
    case List.first(errors) do
      %{message: message} when is_binary(message) ->
        gettext("Validation failed: %{message}", message: message)
      %{field: field, message: message} when is_binary(message) ->
        gettext("Validation failed: %{field} %{message}", field: field, message: message)
      _ ->
        gettext("Validation failed. Please check your input.")
    end
  end
  # Checks if source errors contain other error types
  defp has_other_error?([_ | _]), do: true
  defp has_other_error?(_), do: false
  # Extracts message from other error types
  defp extract_other_error_message([error | _]) do
    cond do
      Map.has_key?(error, :message) and is_binary(error.message) ->
        error.message
      is_struct(error) ->
        extract_struct_error_message(error)
      true ->
        gettext("Failed to save member. Please try again.")
    end
  end
  # Extracts message from struct error using Ash.ErrorKind protocol
  defp extract_struct_error_message(error) do
    try do
      Ash.ErrorKind.message(error)
    rescue
      Protocol.UndefinedError -> gettext("Failed to save member. Please try again.")
    end
  end
  # Checks if form has any errors
  defp has_form_errors?(form) do
    case Map.get(form, :errors) do
      errors when is_list(errors) and errors != [] -> true
      _ -> false
    end
  end
  # Extracts source-level errors from form (Ash errors, etc.)
  defp get_source_errors(form) do
    case form.source do
      %{errors: errors} when is_list(errors) -> errors
      %Ash.Changeset{errors: errors} when is_list(errors) -> errors
      _ -> []
    end
  end
  defp get_action_name(:create), do: gettext("create")
  defp get_action_name(:update), do: gettext("update")
  defp get_action_name(other), do: to_string(other)
--- a/lib/mv_web/live/member_live/index.ex
+++ b/lib/mv_web/live/member_live/index.ex
@ -27,8 +27,6 @@ defmodule MvWeb.MemberLive.Index do
  """
  use MvWeb, :live_view
  on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
  require Ash.Query
  import Ash.Expr
  import MvWeb.LiveHelpers, only: [current_actor: 1]
--- a/lib/mv_web/live/member_live/show.ex
+++ b/lib/mv_web/live/member_live/show.ex
@ -12,7 +12,7 @@ defmodule MvWeb.MemberLive.Show do
  ## Sections
  - Personal Data: Name, address, contact information, membership dates, notes
  - Custom Fields: Dynamic fields in uniform grid layout (sorted by name)
-  - Payment Data: Mockup section with placeholder data
+  - Membership Fees: Tab showing all membership fee cycles with status management (via MembershipFeesComponent)
  ## Navigation
  - Back to member list
@ -22,8 +22,6 @@ defmodule MvWeb.MemberLive.Show do
  import Ash.Query
  import MvWeb.LiveHelpers, only: [current_actor: 1]
  on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
  alias MvWeb.Helpers.MembershipFeeHelpers
  @impl true
--- a/lib/mv_web/live/member_live/show/membership_fees_component.ex
+++ b/lib/mv_web/live/member_live/show/membership_fees_component.ex
@ -554,46 +554,55 @@ defmodule MvWeb.MemberLive.Show.MembershipFeesComponent do
  end
  def handle_event("regenerate_cycles", _params, socket) do
    socket = assign(socket, :regenerating, true)
    member = socket.assigns.member
    actor = current_actor(socket)
-    case CycleGenerator.generate_cycles_for_member(member.id, actor: actor) do
+    # SECURITY: Only admins can manually regenerate cycles via UI
-      {:ok, _new_cycles, _notifications} ->
+    # Cycle generation itself uses system actor, but UI access should be restricted
-        # Reload member with cycles
+    if actor.role && actor.role.permission_set_name == "admin" do
-        actor = current_actor(socket)
+      socket = assign(socket, :regenerating, true)
      member = socket.assigns.member
-        updated_member =
+      case CycleGenerator.generate_cycles_for_member(member.id) do
-          member
+        {:ok, _new_cycles, _notifications} ->
-          |> Ash.load!(
+          # Reload member with cycles
-            [
+          actor = current_actor(socket)
              :membership_fee_type,
              membership_fee_cycles: [:membership_fee_type]
            ],
            actor: actor
          )
-        cycles =
+          updated_member =
-          Enum.sort_by(
+            member
-            updated_member.membership_fee_cycles || [],
+            |> Ash.load!(
-            & &1.cycle_start,
+              [
-            {:desc, Date}
+                :membership_fee_type,
-          )
+                membership_fee_cycles: [:membership_fee_type]
              ],
              actor: actor
            )
-        send(self(), {:member_updated, updated_member})
+          cycles =
            Enum.sort_by(
              updated_member.membership_fee_cycles || [],
              & &1.cycle_start,
              {:desc, Date}
            )
-        {:noreply,
+          send(self(), {:member_updated, updated_member})
         socket
         |> assign(:member, updated_member)
         |> assign(:cycles, cycles)
         |> assign(:regenerating, false)
         |> put_flash(:info, gettext("Cycles regenerated successfully"))}
-      {:error, error} ->
+          {:noreply,
-        {:noreply,
+           socket
-         socket
+           |> assign(:member, updated_member)
-         |> assign(:regenerating, false)
+           |> assign(:cycles, cycles)
-         |> put_flash(:error, format_error(error))}
+           |> assign(:regenerating, false)
           |> put_flash(:info, gettext("Cycles regenerated successfully"))}
        {:error, error} ->
          {:noreply,
           socket
           |> assign(:regenerating, false)
           |> put_flash(:error, format_error(error))}
      end
    else
      {:noreply,
       socket
       |> put_flash(:error, gettext("Only administrators can regenerate cycles"))}
    end
  end
--- a/lib/mv_web/live/membership_fee_type_live/form.ex
+++ b/lib/mv_web/live/membership_fee_type_live/form.ex
@ -13,7 +13,6 @@ defmodule MvWeb.MembershipFeeTypeLive.Form do
  """
  use MvWeb, :live_view
  on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
  import MvWeb.LiveHelpers, only: [current_actor: 1, submit_form: 3]
  require Ash.Query
--- a/lib/mv_web/live/membership_fee_type_live/index.ex
+++ b/lib/mv_web/live/membership_fee_type_live/index.ex
@ -14,7 +14,6 @@ defmodule MvWeb.MembershipFeeTypeLive.Index do
  """
  use MvWeb, :live_view
  on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
  import MvWeb.LiveHelpers, only: [current_actor: 1]
  require Ash.Query
--- a/lib/mv_web/live/role_live/form.ex
+++ b/lib/mv_web/live/role_live/form.ex
@ -17,8 +17,6 @@ defmodule MvWeb.RoleLive.Form do
  import MvWeb.RoleLive.Helpers, only: [format_error: 1]
  on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
  @impl true
  def render(assigns) do
    ~H"""
--- a/lib/mv_web/live/role_live/index.ex
+++ b/lib/mv_web/live/role_live/index.ex
@ -24,8 +24,6 @@ defmodule MvWeb.RoleLive.Index do
  import MvWeb.RoleLive.Helpers,
    only: [format_error: 1, permission_set_badge_class: 1, opts_with_actor: 3]
  on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
  @impl true
  def mount(_params, _session, socket) do
    actor = socket.assigns[:current_user]
--- a/lib/mv_web/live/role_live/show.ex
+++ b/lib/mv_web/live/role_live/show.ex
@ -19,8 +19,6 @@ defmodule MvWeb.RoleLive.Show do
  import MvWeb.RoleLive.Helpers,
    only: [format_error: 1, permission_set_badge_class: 1, opts_with_actor: 3]
  on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
  @impl true
  def mount(%{"id" => id}, _session, socket) do
    try do
--- a/lib/mv_web/live/user_live/form.ex
+++ b/lib/mv_web/live/user_live/form.ex
@ -33,7 +33,6 @@ defmodule MvWeb.UserLive.Form do
  """
  use MvWeb, :live_view
  on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
  import MvWeb.LiveHelpers, only: [current_actor: 1, submit_form: 3]
  @impl true
--- a/lib/mv_web/live/user_live/index.ex
+++ b/lib/mv_web/live/user_live/index.ex
@ -23,7 +23,6 @@ defmodule MvWeb.UserLive.Index do
  use MvWeb, :live_view
  import MvWeb.TableComponents
  on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
  import MvWeb.LiveHelpers, only: [current_actor: 1]
  @impl true
--- a/lib/mv_web/live/user_live/show.ex
+++ b/lib/mv_web/live/user_live/show.ex
@ -26,7 +26,6 @@ defmodule MvWeb.UserLive.Show do
  """
  use MvWeb, :live_view
  on_mount {MvWeb.LiveHelpers, :ensure_user_role_loaded}
  import MvWeb.LiveHelpers, only: [current_actor: 1]
  @impl true
--- a/lib/mv_web/live_helpers.ex
+++ b/lib/mv_web/live_helpers.ex
@ -27,39 +27,17 @@ defmodule MvWeb.LiveHelpers do
  end
  defp ensure_user_role_loaded(socket) do
-    if socket.assigns[:current_user] do
+    user = socket.assigns[:current_user]
-      user = socket.assigns.current_user
+
-      user_with_role = load_user_role(user)
+    if user do
      # Use centralized Actor helper to ensure role is loaded
      user_with_role = Mv.Authorization.Actor.ensure_loaded(user)
      assign(socket, :current_user, user_with_role)
    else
      socket
    end
  end
  defp load_user_role(user) do
    case Map.get(user, :role) do
      %Ash.NotLoaded{} -> load_role_safely(user)
      nil -> load_role_safely(user)
      _role -> user
    end
  end
  defp load_role_safely(user) do
    # Use self as actor for loading own role relationship
    opts = [domain: Mv.Accounts, actor: user]
    case Ash.load(user, :role, opts) do
      {:ok, loaded_user} ->
        loaded_user
      {:error, error} ->
        # Log warning if role loading fails - this can cause authorization issues
        require Logger
        Logger.warning("Failed to load role for user #{user.id}: #{inspect(error)}")
        user
    end
  end
  @doc """
  Helper function to get the current actor (user) from socket assigns.
--- a/lib/mv_web/router.ex
+++ b/lib/mv_web/router.ex
@ -58,12 +58,6 @@ defmodule MvWeb.Router do
      live "/members/:id", MemberLive.Show, :show
      live "/members/:id/show/edit", MemberLive.Show, :edit
      live "/custom_field_values", CustomFieldValueLive.Index, :index
      live "/custom_field_values/new", CustomFieldValueLive.Form, :new
      live "/custom_field_values/:id/edit", CustomFieldValueLive.Form, :edit
      live "/custom_field_values/:id", CustomFieldValueLive.Show, :show
      live "/custom_field_values/:id/show/edit", CustomFieldValueLive.Show, :edit
      live "/users", UserLive.Index, :index
      live "/users/new", UserLive.Form, :new
      live "/users/:id/edit", UserLive.Form, :edit
@ -80,10 +74,6 @@ defmodule MvWeb.Router do
      live "/membership_fee_types/new", MembershipFeeTypeLive.Form, :new
      live "/membership_fee_types/:id/edit", MembershipFeeTypeLive.Form, :edit
      # Contribution Management (Mock-ups)
      live "/contribution_types", ContributionTypeLive.Index, :index
      live "/contributions/member/:id", ContributionPeriodLive.Show, :show
      # Role Management (Admin only)
      live "/admin/roles", RoleLive.Index, :index
      live "/admin/roles/new", RoleLive.Form, :new
--- a/priv/gettext/de/LC_MESSAGES/default.po
+++ b/priv/gettext/de/LC_MESSAGES/default.po
@ -11,7 +11,6 @@ msgstr ""
 "Language: de\n"
 #: lib/mv_web/components/core_components.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Actions"
 msgstr "Aktionen"
@ -37,7 +36,6 @@ msgstr "Verbindung wird wiederhergestellt"
 msgid "City"
 msgstr "Stadt"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/member_live/index.html.heex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
@ -47,7 +45,6 @@ msgstr "Stadt"
 msgid "Delete"
 msgstr "Löschen"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/member_field_live/index_component.ex
 #: lib/mv_web/live/member_live/index.html.heex
@ -65,7 +62,6 @@ msgstr "Bearbeiten"
 msgid "Edit Member"
 msgstr "Mitglied bearbeiten"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/form.ex
 #: lib/mv_web/live/member_live/index.html.heex
 #: lib/mv_web/live/member_live/show.ex
@ -141,7 +137,6 @@ msgstr "Austrittsdatum"
 msgid "House Number"
 msgstr "Hausnummer"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/form.ex
 #: lib/mv_web/live/member_live/show.ex
 #: lib/mv_web/translations/member_fields.ex
@ -150,7 +145,6 @@ msgid "Notes"
 msgstr "Notizen"
 #: lib/mv_web/live/components/payment_filter_component.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/show.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/member_live/index/membership_fee_status.ex
@ -171,7 +165,6 @@ msgid "Save Member"
 msgstr "Mitglied speichern"
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #: lib/mv_web/live/global_settings_live.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
 #: lib/mv_web/live/member_live/form.ex
@ -214,14 +207,12 @@ msgid "Yes"
 msgstr "Ja"
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "create"
 msgstr "erstellt"
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "update"
@ -264,7 +255,6 @@ msgstr "Ihr Passwort wurde erfolgreich zurückgesetzt"
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
 #: lib/mv_web/live/member_live/form.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
@ -275,11 +265,6 @@ msgstr "Ihr Passwort wurde erfolgreich zurückgesetzt"
 msgid "Cancel"
 msgstr "Abbrechen"
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Choose a member"
 msgstr "Mitglied auswählen"
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
@ -313,13 +298,7 @@ msgstr "Abmelden"
 msgid "Listing Users"
 msgstr "Benutzer*innen auflisten"
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Member"
 msgstr "Mitglied"
 #: lib/mv_web/components/layouts/sidebar.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/member_live/index.ex
 #: lib/mv_web/live/member_live/index.html.heex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
@ -327,7 +306,6 @@ msgstr "Mitglied"
 msgid "Members"
 msgstr "Mitglieder"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
@ -351,7 +329,6 @@ msgstr "Neue*r Benutzer*in"
 msgid "Not enabled"
 msgstr "Nicht aktiviert"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/user_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Note"
@ -401,11 +378,6 @@ msgstr "Benutzer*in anzeigen"
 msgid "This is a user record from your database."
 msgstr "Dies ist ein Benutzer*innen-Datensatz aus Ihrer Datenbank."
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Unsupported value type: %{type}"
 msgstr "Nicht unterstützter Wertetyp: %{type}"
 #: lib/mv_web/live/user_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Use this form to manage user records in your database."
@ -417,11 +389,6 @@ msgstr "Verwenden Sie dieses Formular, um Benutzer*innen-Datensätze zu verwalte
 msgid "User"
 msgstr "Benutzer*in"
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Value"
 msgstr "Wert"
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
 #, elixir-autogen, elixir-format
@ -611,37 +578,12 @@ msgstr "E-Mail kann nicht aktualisiert werden: Diese E-Mail-Adresse ist bereits
 msgid "This email is already linked to a different OIDC account. Cannot link multiple OIDC providers to the same account."
 msgstr "Diese E-Mail-Adresse ist bereits mit einem anderen OIDC-Konto verknüpft. Es können nicht mehrere OIDC-Provider mit demselben Konto verknüpft werden."
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Choose a custom field"
 msgstr "Wähle ein Benutzerdefiniertes Feld"
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Custom field"
 msgstr "Benutzerdefinierte Felder"
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Custom field value %{action} successfully"
 msgstr "Benutzerdefinierter Feldwert erfolgreich %{action}"
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Please select a custom field first"
 msgstr "Bitte wähle zuerst ein Benutzerdefiniertes Feld"
 #: lib/mv_web/live/member_live/form.ex
 #: lib/mv_web/live/member_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Custom Fields"
 msgstr "Benutzerdefinierte Felder"
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Use this form to manage Custom Field Value records in your database."
 msgstr "Verwende dieses Formular, um Benutzerdefinierte Feldwerte in deiner Datenbank zu verwalten."
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #, elixir-autogen, elixir-format
 msgid "%{count} member has a value assigned for this custom field."
@ -866,20 +808,6 @@ msgstr "Speichern"
 msgid "Create Member"
 msgstr "Mitglied erstellen"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "%{count} period selected"
 msgid_plural "%{count} periods selected"
 msgstr[0] "%{count} Zyklus ausgewählt"
 msgstr[1] "%{count} Zyklen ausgewählt"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "About Contribution Types"
 msgstr "Über Beitragsarten"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
@ -887,54 +815,16 @@ msgstr "Über Beitragsarten"
 msgid "Amount"
 msgstr "Betrag"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
 #, elixir-autogen, elixir-format
 msgid "Back to Settings"
 msgstr "Zurück zu den Einstellungen"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Can be changed at any time. Amount changes affect future periods only."
 msgstr "Kann jederzeit geändert werden. Änderungen des Betrags betreffen nur zukünftige Zyklen."
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Cannot delete - members assigned"
 msgstr "Löschen nicht möglich – es sind Mitglieder zugewiesen"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Change Contribution Type"
 msgstr "Beitragsart ändern"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Contribution Start"
 msgstr "Beitragsbeginn"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Contribution Types"
 msgstr "Beitragsarten"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Contribution type"
 msgstr "Beitragsart"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Contributions for %{name}"
 msgstr "Beiträge für %{name}"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Current"
 msgstr "Aktuell"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Deletion"
@ -945,12 +835,6 @@ msgstr "Löschen"
 msgid "Examples"
 msgstr "Beispiele"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Family"
 msgstr "Familie"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Fixed after creation. Members can only switch between types with the same interval."
@ -962,27 +846,12 @@ msgid "Global Settings"
 msgstr "Globale Einstellungen"
 #: lib/mv_web/helpers/membership_fee_helpers.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Half-yearly"
 msgstr "Halbjährlich"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Half-yearly contribution for supporting members"
 msgstr "Halbjährlicher Beitrag für Fördermitglieder"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Honorary"
 msgstr "Ehrenamtlich"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
@ -995,36 +864,6 @@ msgstr "Intervall"
 msgid "Joining date"
 msgstr "Beitrittsdatum"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Joining year - reduced to 0"
 msgstr "Beitrittsjahr – auf 0 reduziert"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Manage contribution types for membership fees."
 msgstr "Beitragsarten für Mitgliedsbeiträge verwalten."
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Mark as Paid"
 msgstr "Als bezahlt markieren"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Mark as Suspended"
 msgstr "Als pausiert markieren"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Mark as Unpaid"
 msgstr "Als unbezahlt markieren"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Member Contributions"
 msgstr "Mitgliedsbeiträge"
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #, elixir-autogen, elixir-format
 msgid "Member pays for the year they joined"
@ -1045,131 +884,35 @@ msgstr "Mitglied zahlt ab dem nächsten vollständigen Quartal"
 msgid "Member pays from the next full year"
 msgstr "Mitglied zahlt ab dem nächsten vollständigen Jahr"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Member since"
 msgstr "Mitglied seit"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Members can only switch between contribution types with the same payment interval (e.g., yearly to yearly). This prevents complex period overlaps."
 msgstr "Mitglieder können nur zwischen Beitragsarten mit demselben Zahlungszyklus wechseln (z. B. jährlich zu jährlich). Dadurch werden komplexe Überlappungen vermieden."
 #: lib/mv_web/helpers/membership_fee_helpers.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Monthly"
 msgstr "Monatlich"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Monthly fee for students and trainees"
 msgstr "Monatlicher Beitrag für Studierende und Auszubildende"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Name & Amount"
 msgstr "Name & Betrag"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "New Contribution Type"
 msgstr "Neue Beitragsart"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "No fee for honorary members"
 msgstr "Kein Beitrag für ehrenamtliche Mitglieder"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Only possible if no members are assigned to this type."
 msgstr "Nur möglich, wenn diesem Typ keine Mitglieder zugewiesen sind."
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Open Contributions"
 msgstr "Offene Beiträge"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Paid via bank transfer"
 msgstr "Bezahlt durch Überweisung"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Preview Mockup"
 msgstr "Vorschau"
 #: lib/mv_web/helpers/membership_fee_helpers.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Quarterly"
 msgstr "Vierteljährlich"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Quarterly fee for family memberships"
 msgstr "Vierteljährlicher Beitrag für Familienmitgliedschaften"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Reduced"
 msgstr "Reduziert"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Reduced fee for unemployed, pensioners, or low income"
 msgstr "Ermäßigter Beitrag für Arbeitslose, Rentner*innen oder Geringverdienende"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Regular"
 msgstr "Regulär"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Reopen"
 msgstr "Wieder öffnen"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Standard membership fee for regular members"
 msgstr "Regulärer Mitgliedsbeitrag für Vollmitglieder"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #, elixir-autogen, elixir-format
 msgid "Status"
 msgstr "Status"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Student"
 msgstr "Student"
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Supporting Member"
 msgstr "Fördermitglied"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Suspend"
 msgstr "Pausieren"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/show.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/member_live/index/membership_fee_status.ex
@ -1177,24 +920,7 @@ msgstr "Pausieren"
 msgid "Suspended"
 msgstr "Pausiert"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "This page is not functional and only displays the planned features."
 msgstr "Diese Seite ist nicht funktionsfähig und zeigt nur geplante Funktionen."
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Time Period"
 msgstr "Zeitraum"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Total Contributions"
 msgstr "Gesamtbeiträge"
 #: lib/mv_web/live/components/payment_filter_component.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/show.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/member_live/index/membership_fee_status.ex
@ -1202,14 +928,7 @@ msgstr "Gesamtbeiträge"
 msgid "Unpaid"
 msgstr "Unbezahlt"
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Why are not all contribution types shown?"
 msgstr "Warum werden nicht alle Beitragsarten angezeigt?"
 #: lib/mv_web/helpers/membership_fee_helpers.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #, elixir-autogen, elixir-format, fuzzy
@ -1697,11 +1416,6 @@ msgstr "Zyklen regenerieren"
 msgid "Regenerating..."
 msgstr "Regeneriere..."
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Save Custom Field Value"
 msgstr "Benutzerdefinierten Feldwert speichern"
 #: lib/mv_web/live/member_field_live/form_component.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Save Field"
@ -1799,11 +1513,6 @@ msgstr "Jährliches Intervall – Beitrittszeitraum einbezogen"
 msgid "You are about to delete all %{count} cycles for this member."
 msgstr "Du bist dabei alle %{count} Zyklen für dieses Mitglied zu löschen."
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Contribution types define different membership fee structures. Each type has a fixed cycle (monthly, quarterly, half-yearly, yearly) that cannot be changed after creation."
 msgstr "Beitragsarten definieren verschiedene Beitragsmodelle. Jede Art hat einen festen Zyklus (monatlich, vierteljährlich, halbjährlich, jährlich), der nach Erstellung nicht mehr geändert werden kann."
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Delete Membership Fee Type"
@ -2072,16 +1781,6 @@ msgstr "Zyklus löschen"
 msgid "The cycle period will be calculated based on this date and the interval."
 msgstr "Der Zyklus wird basierend auf diesem Datum und dem Intervall berechnet."
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Custom field value deleted successfully"
 msgstr "Benutzerdefinierter Feldwert erfolgreich gelöscht"
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Custom field value not found"
 msgstr "Benutzerdefinierter Feldwert nicht gefunden"
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Membership fee type not found"
@ -2102,11 +1801,6 @@ msgstr "Benutzer*in erfolgreich gelöscht"
 msgid "User not found"
 msgstr "Benutzer*in nicht gefunden"
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "You do not have permission to access this custom field value"
 msgstr "Sie haben keine Berechtigung, auf diesen benutzerdefinierten Feldwert zuzugreifen"
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "You do not have permission to access this membership fee type"
@ -2117,11 +1811,6 @@ msgstr "Sie haben keine Berechtigung, auf diese Mitgliedsbeitragsart zuzugreifen
 msgid "You do not have permission to access this user"
 msgstr "Sie haben keine Berechtigung, auf diese*n Benutzer*in zuzugreifen"
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "You do not have permission to delete this custom field value"
 msgstr "Sie haben keine Berechtigung, diesen benutzerdefinierten Feldwert zu löschen"
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "You do not have permission to delete this membership fee type"
@ -2167,11 +1856,6 @@ msgstr "Sie haben keine Berechtigung, auf dieses Mitglied zuzugreifen"
 msgid "You do not have permission to delete this member"
 msgstr "Sie haben keine Berechtigung, dieses Mitglied zu löschen"
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "You do not have permission to view custom field values"
 msgstr "Sie haben keine Berechtigung, benutzerdefinierte Feldwerte anzuzeigen"
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Member created successfully"
@ -2212,7 +1896,37 @@ msgstr "Beitragstypen"
 msgid "Administration"
 msgstr "Administration"
-#~ #: lib/mv_web/components/layouts/sidebar.ex
+#: lib/mv_web/live/member_live/form.ex
-#~ #, elixir-autogen, elixir-format, fuzzy
+#, elixir-autogen, elixir-format
-#~ msgid "Contributions"
+msgid "Failed to %{action} member."
-#~ msgstr "Beiträge"
+msgstr "Fehler beim %{action} des Mitglieds."
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Failed to save member. Please try again."
 msgstr "Fehler beim Speichern des Mitglieds. Bitte versuchen Sie es erneut."
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Please correct the errors in the form and try again."
 msgstr "Bitte korrigieren Sie die Fehler im Formular und versuchen Sie es erneut."
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Validation failed. Please check your input."
 msgstr "Validierung fehlgeschlagen. Bitte überprüfen Sie Ihre Eingabe."
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Validation failed: %{field} %{message}"
 msgstr "Validierung fehlgeschlagen: %{field} %{message}"
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Validation failed: %{message}"
 msgstr "Validierung fehlgeschlagen: %{message}"
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #, elixir-autogen, elixir-format
 msgid "Only administrators can regenerate cycles"
 msgstr "Nur Administrator*innen können Zyklen regenerieren"
--- a/priv/gettext/default.pot
+++ b/priv/gettext/default.pot
@ -12,7 +12,6 @@ msgid ""
 msgstr ""
 #: lib/mv_web/components/core_components.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Actions"
 msgstr ""
@ -38,7 +37,6 @@ msgstr ""
 msgid "City"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/member_live/index.html.heex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
@ -48,7 +46,6 @@ msgstr ""
 msgid "Delete"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/member_field_live/index_component.ex
 #: lib/mv_web/live/member_live/index.html.heex
@ -66,7 +63,6 @@ msgstr ""
 msgid "Edit Member"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/form.ex
 #: lib/mv_web/live/member_live/index.html.heex
 #: lib/mv_web/live/member_live/show.ex
@ -142,7 +138,6 @@ msgstr ""
 msgid "House Number"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/form.ex
 #: lib/mv_web/live/member_live/show.ex
 #: lib/mv_web/translations/member_fields.ex
@ -151,7 +146,6 @@ msgid "Notes"
 msgstr ""
 #: lib/mv_web/live/components/payment_filter_component.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/show.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/member_live/index/membership_fee_status.ex
@ -172,7 +166,6 @@ msgid "Save Member"
 msgstr ""
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #: lib/mv_web/live/global_settings_live.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
 #: lib/mv_web/live/member_live/form.ex
@ -215,14 +208,12 @@ msgid "Yes"
 msgstr ""
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "create"
 msgstr ""
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "update"
@ -265,7 +256,6 @@ msgstr ""
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
 #: lib/mv_web/live/member_live/form.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
@ -276,11 +266,6 @@ msgstr ""
 msgid "Cancel"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Choose a member"
 msgstr ""
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
@ -314,13 +299,7 @@ msgstr ""
 msgid "Listing Users"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Member"
 msgstr ""
 #: lib/mv_web/components/layouts/sidebar.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/member_live/index.ex
 #: lib/mv_web/live/member_live/index.html.heex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
@ -328,7 +307,6 @@ msgstr ""
 msgid "Members"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
@ -352,7 +330,6 @@ msgstr ""
 msgid "Not enabled"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/user_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Note"
@ -402,11 +379,6 @@ msgstr ""
 msgid "This is a user record from your database."
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Unsupported value type: %{type}"
 msgstr ""
 #: lib/mv_web/live/user_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Use this form to manage user records in your database."
@ -418,11 +390,6 @@ msgstr ""
 msgid "User"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Value"
 msgstr ""
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
 #, elixir-autogen, elixir-format
@ -612,37 +579,12 @@ msgstr ""
 msgid "This email is already linked to a different OIDC account. Cannot link multiple OIDC providers to the same account."
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Choose a custom field"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Custom field"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Custom field value %{action} successfully"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Please select a custom field first"
 msgstr ""
 #: lib/mv_web/live/member_live/form.ex
 #: lib/mv_web/live/member_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Custom Fields"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Use this form to manage Custom Field Value records in your database."
 msgstr ""
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #, elixir-autogen, elixir-format
 msgid "%{count} member has a value assigned for this custom field."
@ -867,20 +809,6 @@ msgstr ""
 msgid "Create Member"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "%{count} period selected"
 msgid_plural "%{count} periods selected"
 msgstr[0] ""
 msgstr[1] ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "About Contribution Types"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
@ -888,54 +816,16 @@ msgstr ""
 msgid "Amount"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
 #, elixir-autogen, elixir-format
 msgid "Back to Settings"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Can be changed at any time. Amount changes affect future periods only."
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Cannot delete - members assigned"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Change Contribution Type"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Contribution Start"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Contribution Types"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Contribution type"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Contributions for %{name}"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Current"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Deletion"
@ -946,12 +836,6 @@ msgstr ""
 msgid "Examples"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Family"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Fixed after creation. Members can only switch between types with the same interval."
@ -963,27 +847,12 @@ msgid "Global Settings"
 msgstr ""
 #: lib/mv_web/helpers/membership_fee_helpers.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Half-yearly"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Half-yearly contribution for supporting members"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Honorary"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
@ -996,36 +865,6 @@ msgstr ""
 msgid "Joining date"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Joining year - reduced to 0"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Manage contribution types for membership fees."
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Mark as Paid"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Mark as Suspended"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Mark as Unpaid"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Member Contributions"
 msgstr ""
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #, elixir-autogen, elixir-format
 msgid "Member pays for the year they joined"
@ -1046,131 +885,35 @@ msgstr ""
 msgid "Member pays from the next full year"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Member since"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Members can only switch between contribution types with the same payment interval (e.g., yearly to yearly). This prevents complex period overlaps."
 msgstr ""
 #: lib/mv_web/helpers/membership_fee_helpers.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Monthly"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Monthly fee for students and trainees"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Name & Amount"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "New Contribution Type"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "No fee for honorary members"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Only possible if no members are assigned to this type."
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Open Contributions"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Paid via bank transfer"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Preview Mockup"
 msgstr ""
 #: lib/mv_web/helpers/membership_fee_helpers.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Quarterly"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Quarterly fee for family memberships"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Reduced"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Reduced fee for unemployed, pensioners, or low income"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Regular"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Reopen"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Standard membership fee for regular members"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #, elixir-autogen, elixir-format
 msgid "Status"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Student"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Supporting Member"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Suspend"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/show.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/member_live/index/membership_fee_status.ex
@ -1178,24 +921,7 @@ msgstr ""
 msgid "Suspended"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "This page is not functional and only displays the planned features."
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Time Period"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Total Contributions"
 msgstr ""
 #: lib/mv_web/live/components/payment_filter_component.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/show.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/member_live/index/membership_fee_status.ex
@ -1203,14 +929,7 @@ msgstr ""
 msgid "Unpaid"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Why are not all contribution types shown?"
 msgstr ""
 #: lib/mv_web/helpers/membership_fee_helpers.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #, elixir-autogen, elixir-format
@ -1698,11 +1417,6 @@ msgstr ""
 msgid "Regenerating..."
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Save Custom Field Value"
 msgstr ""
 #: lib/mv_web/live/member_field_live/form_component.ex
 #, elixir-autogen, elixir-format
 msgid "Save Field"
@ -1800,11 +1514,6 @@ msgstr ""
 msgid "You are about to delete all %{count} cycles for this member."
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Contribution types define different membership fee structures. Each type has a fixed cycle (monthly, quarterly, half-yearly, yearly) that cannot be changed after creation."
 msgstr ""
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Delete Membership Fee Type"
@ -2073,16 +1782,6 @@ msgstr ""
 msgid "The cycle period will be calculated based on this date and the interval."
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Custom field value deleted successfully"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Custom field value not found"
 msgstr ""
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Membership fee type not found"
@ -2103,11 +1802,6 @@ msgstr ""
 msgid "User not found"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "You do not have permission to access this custom field value"
 msgstr ""
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "You do not have permission to access this membership fee type"
@ -2118,11 +1812,6 @@ msgstr ""
 msgid "You do not have permission to access this user"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "You do not have permission to delete this custom field value"
 msgstr ""
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "You do not have permission to delete this membership fee type"
@ -2168,11 +1857,6 @@ msgstr ""
 msgid "You do not have permission to delete this member"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "You do not have permission to view custom field values"
 msgstr ""
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Member created successfully"
@ -2191,6 +1875,7 @@ msgstr ""
 #: lib/mv/membership/import/member_csv.ex
 #, elixir-autogen, elixir-format
 msgid "Email is required."
 msgstr ""
 #: lib/mv_web/components/layouts/sidebar.ex
 #, elixir-autogen, elixir-format
@ -2211,3 +1896,38 @@ msgstr ""
 #, elixir-autogen, elixir-format
 msgid "Administration"
 msgstr ""
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Failed to %{action} member."
 msgstr ""
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Failed to save member. Please try again."
 msgstr ""
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Please correct the errors in the form and try again."
 msgstr ""
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Validation failed. Please check your input."
 msgstr ""
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Validation failed: %{field} %{message}"
 msgstr ""
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Validation failed: %{message}"
 msgstr ""
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #, elixir-autogen, elixir-format
 msgid "Only administrators can regenerate cycles"
 msgstr ""
--- a/priv/gettext/en/LC_MESSAGES/default.po
+++ b/priv/gettext/en/LC_MESSAGES/default.po
@ -12,7 +12,6 @@ msgstr ""
 "Plural-Forms: nplurals=2; plural=(n != 1);\n"
 #: lib/mv_web/components/core_components.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Actions"
 msgstr ""
@ -38,7 +37,6 @@ msgstr ""
 msgid "City"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/member_live/index.html.heex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
@ -48,7 +46,6 @@ msgstr ""
 msgid "Delete"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/member_field_live/index_component.ex
 #: lib/mv_web/live/member_live/index.html.heex
@ -66,7 +63,6 @@ msgstr ""
 msgid "Edit Member"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/form.ex
 #: lib/mv_web/live/member_live/index.html.heex
 #: lib/mv_web/live/member_live/show.ex
@ -142,7 +138,6 @@ msgstr ""
 msgid "House Number"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/form.ex
 #: lib/mv_web/live/member_live/show.ex
 #: lib/mv_web/translations/member_fields.ex
@ -151,7 +146,6 @@ msgid "Notes"
 msgstr ""
 #: lib/mv_web/live/components/payment_filter_component.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/show.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/member_live/index/membership_fee_status.ex
@ -172,7 +166,6 @@ msgid "Save Member"
 msgstr ""
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #: lib/mv_web/live/global_settings_live.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
 #: lib/mv_web/live/member_live/form.ex
@ -215,14 +208,12 @@ msgid "Yes"
 msgstr ""
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "create"
 msgstr ""
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "update"
@ -265,7 +256,6 @@ msgstr ""
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
 #: lib/mv_web/live/member_live/form.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
@ -276,11 +266,6 @@ msgstr ""
 msgid "Cancel"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Choose a member"
 msgstr ""
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
@ -314,13 +299,7 @@ msgstr ""
 msgid "Listing Users"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Member"
 msgstr ""
 #: lib/mv_web/components/layouts/sidebar.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/member_live/index.ex
 #: lib/mv_web/live/member_live/index.html.heex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
@ -328,7 +307,6 @@ msgstr ""
 msgid "Members"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
@ -352,7 +330,6 @@ msgstr ""
 msgid "Not enabled"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/user_live/form.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Note"
@ -402,11 +379,6 @@ msgstr ""
 msgid "This is a user record from your database."
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Unsupported value type: %{type}"
 msgstr ""
 #: lib/mv_web/live/user_live/form.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Use this form to manage user records in your database."
@ -418,11 +390,6 @@ msgstr ""
 msgid "User"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Value"
 msgstr ""
 #: lib/mv_web/live/custom_field_live/form_component.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
 #, elixir-autogen, elixir-format
@ -612,37 +579,12 @@ msgstr ""
 msgid "This email is already linked to a different OIDC account. Cannot link multiple OIDC providers to the same account."
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Choose a custom field"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Custom field"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Custom field value %{action} successfully"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Please select a custom field first"
 msgstr ""
 #: lib/mv_web/live/member_live/form.ex
 #: lib/mv_web/live/member_live/show.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Custom Fields"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Use this form to manage Custom Field Value records in your database."
 msgstr ""
 #: lib/mv_web/live/custom_field_live/index_component.ex
 #, elixir-autogen, elixir-format
 msgid "%{count} member has a value assigned for this custom field."
@ -867,20 +809,6 @@ msgstr ""
 msgid "Create Member"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "%{count} period selected"
 msgid_plural "%{count} periods selected"
 msgstr[0] ""
 msgstr[1] ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "About Contribution Types"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
@ -888,54 +816,16 @@ msgstr ""
 msgid "Amount"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_field_live/form_component.ex
 #, elixir-autogen, elixir-format
 msgid "Back to Settings"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Can be changed at any time. Amount changes affect future periods only."
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Cannot delete - members assigned"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Change Contribution Type"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Contribution Start"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Contribution Types"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Contribution type"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Contributions for %{name}"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Current"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Deletion"
@ -946,12 +836,6 @@ msgstr ""
 msgid "Examples"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Family"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Fixed after creation. Members can only switch between types with the same interval."
@ -963,27 +847,12 @@ msgid "Global Settings"
 msgstr ""
 #: lib/mv_web/helpers/membership_fee_helpers.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Half-yearly"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Half-yearly contribution for supporting members"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Honorary"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
@ -996,36 +865,6 @@ msgstr ""
 msgid "Joining date"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Joining year - reduced to 0"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Manage contribution types for membership fees."
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Mark as Paid"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Mark as Suspended"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Mark as Unpaid"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Member Contributions"
 msgstr ""
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #, elixir-autogen, elixir-format
 msgid "Member pays for the year they joined"
@ -1046,131 +885,35 @@ msgstr ""
 msgid "Member pays from the next full year"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Member since"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Members can only switch between contribution types with the same payment interval (e.g., yearly to yearly). This prevents complex period overlaps."
 msgstr ""
 #: lib/mv_web/helpers/membership_fee_helpers.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Monthly"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Monthly fee for students and trainees"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Name & Amount"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "New Contribution Type"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "No fee for honorary members"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Only possible if no members are assigned to this type."
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Open Contributions"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Paid via bank transfer"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Preview Mockup"
 msgstr ""
 #: lib/mv_web/helpers/membership_fee_helpers.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Quarterly"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Quarterly fee for family memberships"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Reduced"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Reduced fee for unemployed, pensioners, or low income"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Regular"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Reopen"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Standard membership fee for regular members"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #, elixir-autogen, elixir-format
 msgid "Status"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Student"
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "Supporting Member"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Suspend"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/show.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/member_live/index/membership_fee_status.ex
@ -1178,24 +921,7 @@ msgstr ""
 msgid "Suspended"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format
 msgid "This page is not functional and only displays the planned features."
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Time Period"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Total Contributions"
 msgstr ""
 #: lib/mv_web/live/components/payment_filter_component.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/member_live/show.ex
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #: lib/mv_web/member_live/index/membership_fee_status.ex
@ -1203,14 +929,7 @@ msgstr ""
 msgid "Unpaid"
 msgstr ""
 #: lib/mv_web/live/contribution_period_live/show.ex
 #, elixir-autogen, elixir-format
 msgid "Why are not all contribution types shown?"
 msgstr ""
 #: lib/mv_web/helpers/membership_fee_helpers.ex
 #: lib/mv_web/live/contribution_period_live/show.ex
 #: lib/mv_web/live/contribution_type_live/index.ex
 #: lib/mv_web/live/membership_fee_settings_live.ex
 #: lib/mv_web/live/membership_fee_type_live/form.ex
 #, elixir-autogen, elixir-format
@ -1698,11 +1417,6 @@ msgstr ""
 msgid "Regenerating..."
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/form.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Save Custom Field Value"
 msgstr ""
 #: lib/mv_web/live/member_field_live/form_component.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Save Field"
@ -1800,11 +1514,6 @@ msgstr ""
 msgid "You are about to delete all %{count} cycles for this member."
 msgstr ""
 #: lib/mv_web/live/contribution_type_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Contribution types define different membership fee structures. Each type has a fixed cycle (monthly, quarterly, half-yearly, yearly) that cannot be changed after creation."
 msgstr ""
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Delete Membership Fee Type"
@ -2073,16 +1782,6 @@ msgstr ""
 msgid "The cycle period will be calculated based on this date and the interval."
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Custom field value deleted successfully"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Custom field value not found"
 msgstr ""
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "Membership fee type not found"
@ -2103,11 +1802,6 @@ msgstr ""
 msgid "User not found"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "You do not have permission to access this custom field value"
 msgstr ""
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "You do not have permission to access this membership fee type"
@ -2118,11 +1812,6 @@ msgstr ""
 msgid "You do not have permission to access this user"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "You do not have permission to delete this custom field value"
 msgstr ""
 #: lib/mv_web/live/membership_fee_type_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "You do not have permission to delete this membership fee type"
@ -2168,11 +1857,6 @@ msgstr ""
 msgid "You do not have permission to delete this member"
 msgstr ""
 #: lib/mv_web/live/custom_field_value_live/index.ex
 #, elixir-autogen, elixir-format, fuzzy
 msgid "You do not have permission to view custom field values"
 msgstr ""
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Member created successfully"
@ -2213,12 +1897,37 @@ msgstr ""
 msgid "Administration"
 msgstr ""
-#~ #: lib/mv_web/components/layouts/sidebar.ex
+#: lib/mv_web/live/member_live/form.ex
-#~ #, elixir-autogen, elixir-format, fuzzy
+#, elixir-autogen, elixir-format
-#~ msgid "Admin"
+msgid "Failed to %{action} member."
-#~ msgstr ""
+msgstr ""
-#~ #: lib/mv_web/components/layouts/sidebar.ex
+#: lib/mv_web/live/member_live/form.ex
-#~ #, elixir-autogen, elixir-format
+#, elixir-autogen, elixir-format
-#~ msgid "Contributions"
+msgid "Failed to save member. Please try again."
-#~ msgstr ""
+msgstr ""
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Please correct the errors in the form and try again."
 msgstr ""
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Validation failed. Please check your input."
 msgstr ""
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Validation failed: %{field} %{message}"
 msgstr ""
 #: lib/mv_web/live/member_live/form.ex
 #, elixir-autogen, elixir-format
 msgid "Validation failed: %{message}"
 msgstr ""
 #: lib/mv_web/live/member_live/show/membership_fees_component.ex
 #, elixir-autogen, elixir-format
 msgid "Only administrators can regenerate cycles"
 msgstr ""
--- a/priv/repo/seeds.exs
+++ b/priv/repo/seeds.exs
@ -9,6 +9,8 @@ alias Mv.Authorization
 alias Mv.MembershipFees.MembershipFeeType
 alias Mv.MembershipFees.CycleGenerator
 require Ash.Query
 # Create example membership fee types
 for fee_type_attrs <- [
      %{
@ -124,13 +126,10 @@ for attrs <- [
  )
 end
-# Create admin user for testing
+# Get admin email from environment variable or use default
-admin_user =
+admin_email = System.get_env("ADMIN_EMAIL") || "admin@localhost"
  Accounts.create_user!(%{email: "admin@mv.local"}, upsert?: true, upsert_identity: :unique_email)
  |> Ash.Changeset.for_update(:admin_set_password, %{password: "testpassword"})
  |> Ash.update!()
-# Create admin role and assign it to admin user
+# Create admin role (used for assigning to admin users)
 admin_role =
  case Authorization.list_roles() do
    {:ok, roles} ->
@ -154,25 +153,100 @@ admin_role =
      nil
  end
-# Assign admin role to admin user if role was created/found
+if is_nil(admin_role) do
-if admin_role do
+  raise "Failed to create or find admin role. Cannot proceed with member seeding."
-  admin_user
+end
-  |> Ash.Changeset.for_update(:update, %{})
+
-  |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
+# Assign admin role to user with ADMIN_EMAIL (if user exists)
-  |> Ash.update!()
+# This handles both existing users (e.g., from OIDC) and newly created users
 case Accounts.User
     |> Ash.Query.filter(email == ^admin_email)
     |> Ash.read_one(domain: Mv.Accounts, authorize?: false) do
  {:ok, existing_admin_user} when not is_nil(existing_admin_user) ->
    # User already exists (e.g., via OIDC) - assign admin role
    # Use authorize?: false for bootstrap - this is initial setup
    existing_admin_user
    |> Ash.Changeset.for_update(:update, %{})
    |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
    |> Ash.update!(authorize?: false)
  {:ok, nil} ->
    # User doesn't exist - create admin user with password
    # Use authorize?: false for bootstrap - no admin user exists yet to use as actor
    Accounts.create_user!(%{email: admin_email},
      upsert?: true,
      upsert_identity: :unique_email,
      authorize?: false
    )
    |> Ash.Changeset.for_update(:admin_set_password, %{password: "testpassword"})
    |> Ash.update!(authorize?: false)
    |> then(fn user ->
      user
      |> Ash.Changeset.for_update(:update, %{})
      |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
      |> Ash.update!(authorize?: false)
    end)
  {:error, error} ->
    raise "Failed to check for existing admin user: #{inspect(error)}"
 end
 # Load admin user with role for use as actor in member operations
 # This ensures all member operations have proper authorization
 # If admin role creation failed, we cannot proceed with member operations
 admin_user_with_role =
-  if admin_role do
+  case Accounts.User
-    admin_user
+       |> Ash.Query.filter(email == ^admin_email)
-    |> Ash.load!(:role)
+       |> Ash.read_one(domain: Mv.Accounts, authorize?: false) do
-  else
+    {:ok, user} when not is_nil(user) ->
-    raise "Failed to create or find admin role. Cannot proceed with member seeding."
+      user
      |> Ash.load!(:role, authorize?: false)
    {:ok, nil} ->
      raise "Admin user not found after creation/assignment"
    {:error, error} ->
      raise "Failed to load admin user: #{inspect(error)}"
  end
 # Create system user for systemic operations (email sync, validations, cycle generation)
 # This user is used by Mv.Helpers.SystemActor for operations that must always run
 # Email is configurable via SYSTEM_ACTOR_EMAIL environment variable
 system_user_email = Mv.Helpers.SystemActor.system_user_email()
 case Accounts.User
     |> Ash.Query.filter(email == ^system_user_email)
     |> Ash.read_one(domain: Mv.Accounts, authorize?: false) do
  {:ok, existing_system_user} when not is_nil(existing_system_user) ->
    # System user already exists - ensure it has admin role
    # Use authorize?: false for bootstrap
    existing_system_user
    |> Ash.Changeset.for_update(:update, %{})
    |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
    |> Ash.update!(authorize?: false)
  {:ok, nil} ->
    # System user doesn't exist - create it with admin role
    # SECURITY: System user must NOT be able to log in:
    # - No password (hashed_password = nil) - prevents password login
    # - No OIDC ID (oidc_id = nil) - prevents OIDC login
    # - This user is ONLY for internal system operations via SystemActor
    # If either hashed_password or oidc_id is set, the user could potentially log in
    # Use authorize?: false for bootstrap - system user creation happens before system actor exists
    Accounts.create_user!(%{email: system_user_email},
      upsert?: true,
      upsert_identity: :unique_email,
      authorize?: false
    )
    |> Ash.Changeset.for_update(:update, %{})
    |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
    |> Ash.update!(authorize?: false)
  {:error, error} ->
    # Log error but don't fail seeds - SystemActor will fall back to admin user
    IO.puts("Warning: Failed to create system user: #{inspect(error)}")
    IO.puts("SystemActor will fall back to admin user (#{admin_email})")
 end
 # Load all membership fee types for assignment
 # Sort by name to ensure deterministic order
 all_fee_types =
@ -332,9 +406,20 @@ additional_users = [
 created_users =
  Enum.map(additional_users, fn user_attrs ->
-    Accounts.create_user!(user_attrs, upsert?: true, upsert_identity: :unique_email)
+    # Use admin user as actor for additional user creation (not bootstrap)
-    |> Ash.Changeset.for_update(:admin_set_password, %{password: "testpassword"})
+    user =
-    |> Ash.update!()
+      Accounts.create_user!(user_attrs,
        upsert?: true,
        upsert_identity: :unique_email,
        actor: admin_user_with_role
      )
      |> Ash.Changeset.for_update(:admin_set_password, %{password: "testpassword"})
      |> Ash.update!(actor: admin_user_with_role)
    # Reload user to ensure all fields (including member_id) are loaded
    Accounts.User
    |> Ash.Query.filter(id == ^user.id)
    |> Ash.read_one!(domain: Mv.Accounts, actor: admin_user_with_role)
  end)
 # Create members with linked users to demonstrate the 1:1 relationship
@ -384,11 +469,13 @@ Enum.with_index(linked_members)
  member =
    if user.member_id == nil do
      # User is free, create member and link - use upsert to prevent duplicates
      # Use authorize?: false for User lookup during relationship management (bootstrap phase)
      Membership.create_member!(
        Map.put(member_attrs_without_fee_type, :user, %{id: user.id}),
        upsert?: true,
        upsert_identity: :unique_email,
-        actor: admin_user_with_role
+        actor: admin_user_with_role,
        authorize?: false
      )
    else
      # User already has a member, just create the member without linking - use upsert to prevent duplicates
@ -598,7 +685,7 @@ IO.puts("📝 Created sample data:")
 IO.puts("   - Global settings: club_name = #{default_club_name}")
 IO.puts("   - Membership fee types: 4 types (Yearly, Half-yearly, Quarterly, Monthly)")
 IO.puts("   - Custom fields: 12 fields (String, Date, Boolean, Email, + 8 realistic fields)")
-IO.puts("   - Admin user: admin@mv.local (password: testpassword)")
+IO.puts("   - Admin user: #{admin_email} (password: testpassword)")
 IO.puts("   - Sample members: Hans, Greta, Friedrich")
 IO.puts(
--- a/test/membership/member_test.exs
+++ b/test/membership/member_test.exs
@ -73,6 +73,26 @@ defmodule Mv.Membership.MemberTest do
    end
  end
  describe "Authorization" do
    @valid_attrs %{
      first_name: "John",
      last_name: "Doe",
      email: "john@example.com"
    }
    test "user without role cannot create member" do
      # Create a user without a role
      user = Mv.Fixtures.user_fixture()
      # Ensure user has no role (nil role)
      user_without_role = %{user | role: nil}
      # Attempt to create a member with user without role as actor
      # This should fail with Ash.Error.Forbidden containing a Policy error
      assert {:error, %Ash.Error.Forbidden{errors: [%Ash.Error.Forbidden.Policy{}]}} =
               Membership.create_member(@valid_attrs, actor: user_without_role)
    end
  end
  # Helper function for error evaluation
  defp error_message(errors, field) do
    errors
--- a/test/membership_fees/membership_fee_type_integration_test.exs
+++ b/test/membership_fees/membership_fee_type_integration_test.exs
@ -158,10 +158,8 @@ defmodule Mv.MembershipFees.MembershipFeeTypeIntegrationTest do
      |> Ash.update!()
      # Create a member without explicitly setting membership_fee_type_id
-      # Note: This test assumes that the Member resource automatically assigns
+      # The Member resource automatically assigns the default_membership_fee_type_id
-      # the default_membership_fee_type_id during creation. If this is not yet
+      # during creation via SetDefaultMembershipFeeType change.
      # implemented, this test will fail initially (which is expected in TDD).
      # For now, we skip this test as the auto-assignment feature is not yet implemented.
      {:ok, member} =
        Ash.create(Member, %{
          first_name: "Test",
@ -169,10 +167,8 @@ defmodule Mv.MembershipFees.MembershipFeeTypeIntegrationTest do
          email: "test.member.#{System.unique_integer([:positive])}@example.com"
        })
-      # TODO: When auto-assignment is implemented, uncomment this assertion
+      # Verify that the default membership fee type was automatically assigned
-      # assert member.membership_fee_type_id == fee_type.id
+      assert member.membership_fee_type_id == fee_type.id
      # For now, we just verify the member was created successfully
      assert %Member{} = member
    end
    test "include_joining_cycle is used during cycle generation" do
--- a/test/mv/accounts/user_policies_test.exs
+++ b/test/mv/accounts/user_policies_test.exs
@ -0,0 +1,424 @@
 defmodule Mv.Accounts.UserPoliciesTest do
  @moduledoc """
  Tests for User resource authorization policies.
  Tests all 4 permission sets (own_data, read_only, normal_user, admin)
  and verifies that policies correctly enforce access control based on
  user roles and permission sets.
  """
  # async: false because we need database commits to be visible across queries
  use Mv.DataCase, async: false
  alias Mv.Accounts
  alias Mv.Authorization
  require Ash.Query
  # Helper to create a role with a specific permission set
  defp create_role_with_permission_set(permission_set_name) do
    role_name = "Test Role #{permission_set_name} #{System.unique_integer([:positive])}"
    case Authorization.create_role(%{
           name: role_name,
           description: "Test role for #{permission_set_name}",
           permission_set_name: permission_set_name
         }) do
      {:ok, role} -> role
      {:error, error} -> raise "Failed to create role: #{inspect(error)}"
    end
  end
  # Helper to create a user with a specific permission set
  # Returns user with role preloaded (required for authorization)
  defp create_user_with_permission_set(permission_set_name) do
    # Create role with permission set
    role = create_role_with_permission_set(permission_set_name)
    # Create user
    {:ok, user} =
      Accounts.User
      |> Ash.Changeset.for_create(:register_with_password, %{
        email: "user#{System.unique_integer([:positive])}@example.com",
        password: "testpassword123"
      })
      |> Ash.create()
    # Assign role to user
    {:ok, user} =
      user
      |> Ash.Changeset.for_update(:update, %{})
      |> Ash.Changeset.manage_relationship(:role, role, type: :append_and_remove)
      |> Ash.update()
    # Reload user with role preloaded (critical for authorization!)
    {:ok, user_with_role} = Ash.load(user, :role, domain: Mv.Accounts)
    user_with_role
  end
  # Helper to create another user (for testing access to other users)
  defp create_other_user do
    create_user_with_permission_set("own_data")
  end
  # Shared test setup for permission sets with scope :own access
  defp setup_user_with_own_access(permission_set) do
    user = create_user_with_permission_set(permission_set)
    other_user = create_other_user()
    # Reload user to ensure role is preloaded
    {:ok, user} = Ash.get(Accounts.User, user.id, domain: Mv.Accounts, load: [:role])
    %{user: user, other_user: other_user}
  end
  describe "own_data permission set (Mitglied)" do
    setup do
      setup_user_with_own_access("own_data")
    end
    test "can read own user record", %{user: user} do
      {:ok, fetched_user} =
        Ash.get(Accounts.User, user.id, actor: user, domain: Mv.Accounts)
      assert fetched_user.id == user.id
    end
    test "can update own email", %{user: user} do
      new_email = "updated#{System.unique_integer([:positive])}@example.com"
      {:ok, updated_user} =
        user
        |> Ash.Changeset.for_update(:update_user, %{email: new_email})
        |> Ash.update(actor: user)
      assert updated_user.email == Ash.CiString.new(new_email)
    end
    test "cannot read other users (returns not found due to auto_filter)", %{
      user: user,
      other_user: other_user
    } do
      # Note: With auto_filter policies, when a user tries to read a user that doesn't
      # match the filter (id == actor.id), Ash returns NotFound, not Forbidden.
      # This is the expected behavior - the filter makes the record "invisible" to the user.
      assert_raise Ash.Error.Invalid, fn ->
        Ash.get!(Accounts.User, other_user.id, actor: user, domain: Mv.Accounts)
      end
    end
    test "cannot update other users (returns forbidden)", %{user: user, other_user: other_user} do
      assert_raise Ash.Error.Forbidden, fn ->
        other_user
        |> Ash.Changeset.for_update(:update_user, %{email: "hacked@example.com"})
        |> Ash.update!(actor: user)
      end
    end
    test "list users returns only own user", %{user: user} do
      {:ok, users} = Ash.read(Accounts.User, actor: user, domain: Mv.Accounts)
      # Should only return the own user (scope :own filters)
      assert length(users) == 1
      assert hd(users).id == user.id
    end
    test "cannot create user (returns forbidden)", %{user: user} do
      assert_raise Ash.Error.Forbidden, fn ->
        Accounts.User
        |> Ash.Changeset.for_create(:create_user, %{
          email: "new#{System.unique_integer([:positive])}@example.com"
        })
        |> Ash.create!(actor: user)
      end
    end
    test "cannot destroy user (returns forbidden)", %{user: user} do
      assert_raise Ash.Error.Forbidden, fn ->
        Ash.destroy!(user, actor: user)
      end
    end
  end
  describe "read_only permission set (Vorstand/Buchhaltung)" do
    setup do
      setup_user_with_own_access("read_only")
    end
    test "can read own user record", %{user: user} do
      {:ok, fetched_user} =
        Ash.get(Accounts.User, user.id, actor: user, domain: Mv.Accounts)
      assert fetched_user.id == user.id
    end
    test "can update own email", %{user: user} do
      new_email = "updated#{System.unique_integer([:positive])}@example.com"
      {:ok, updated_user} =
        user
        |> Ash.Changeset.for_update(:update_user, %{email: new_email})
        |> Ash.update(actor: user)
      assert updated_user.email == Ash.CiString.new(new_email)
    end
    test "cannot read other users (returns not found due to auto_filter)", %{
      user: user,
      other_user: other_user
    } do
      # Note: With auto_filter policies, when a user tries to read a user that doesn't
      # match the filter (id == actor.id), Ash returns NotFound, not Forbidden.
      # This is the expected behavior - the filter makes the record "invisible" to the user.
      assert_raise Ash.Error.Invalid, fn ->
        Ash.get!(Accounts.User, other_user.id, actor: user, domain: Mv.Accounts)
      end
    end
    test "cannot update other users (returns forbidden)", %{user: user, other_user: other_user} do
      assert_raise Ash.Error.Forbidden, fn ->
        other_user
        |> Ash.Changeset.for_update(:update_user, %{email: "hacked@example.com"})
        |> Ash.update!(actor: user)
      end
    end
    test "list users returns only own user", %{user: user} do
      {:ok, users} = Ash.read(Accounts.User, actor: user, domain: Mv.Accounts)
      # Should only return the own user (scope :own filters)
      assert length(users) == 1
      assert hd(users).id == user.id
    end
    test "cannot create user (returns forbidden)", %{user: user} do
      assert_raise Ash.Error.Forbidden, fn ->
        Accounts.User
        |> Ash.Changeset.for_create(:create_user, %{
          email: "new#{System.unique_integer([:positive])}@example.com"
        })
        |> Ash.create!(actor: user)
      end
    end
    test "cannot destroy user (returns forbidden)", %{user: user} do
      assert_raise Ash.Error.Forbidden, fn ->
        Ash.destroy!(user, actor: user)
      end
    end
  end
  describe "normal_user permission set (Kassenwart)" do
    setup do
      setup_user_with_own_access("normal_user")
    end
    test "can read own user record", %{user: user} do
      {:ok, fetched_user} =
        Ash.get(Accounts.User, user.id, actor: user, domain: Mv.Accounts)
      assert fetched_user.id == user.id
    end
    test "can update own email", %{user: user} do
      new_email = "updated#{System.unique_integer([:positive])}@example.com"
      {:ok, updated_user} =
        user
        |> Ash.Changeset.for_update(:update_user, %{email: new_email})
        |> Ash.update(actor: user)
      assert updated_user.email == Ash.CiString.new(new_email)
    end
    test "cannot read other users (returns not found due to auto_filter)", %{
      user: user,
      other_user: other_user
    } do
      # Note: With auto_filter policies, when a user tries to read a user that doesn't
      # match the filter (id == actor.id), Ash returns NotFound, not Forbidden.
      # This is the expected behavior - the filter makes the record "invisible" to the user.
      assert_raise Ash.Error.Invalid, fn ->
        Ash.get!(Accounts.User, other_user.id, actor: user, domain: Mv.Accounts)
      end
    end
    test "cannot update other users (returns forbidden)", %{user: user, other_user: other_user} do
      assert_raise Ash.Error.Forbidden, fn ->
        other_user
        |> Ash.Changeset.for_update(:update_user, %{email: "hacked@example.com"})
        |> Ash.update!(actor: user)
      end
    end
    test "list users returns only own user", %{user: user} do
      {:ok, users} = Ash.read(Accounts.User, actor: user, domain: Mv.Accounts)
      # Should only return the own user (scope :own filters)
      assert length(users) == 1
      assert hd(users).id == user.id
    end
    test "cannot create user (returns forbidden)", %{user: user} do
      assert_raise Ash.Error.Forbidden, fn ->
        Accounts.User
        |> Ash.Changeset.for_create(:create_user, %{
          email: "new#{System.unique_integer([:positive])}@example.com"
        })
        |> Ash.create!(actor: user)
      end
    end
    test "cannot destroy user (returns forbidden)", %{user: user} do
      assert_raise Ash.Error.Forbidden, fn ->
        Ash.destroy!(user, actor: user)
      end
    end
  end
  describe "admin permission set" do
    setup do
      user = create_user_with_permission_set("admin")
      other_user = create_other_user()
      # Reload user to ensure role is preloaded
      {:ok, user} = Ash.get(Accounts.User, user.id, domain: Mv.Accounts, load: [:role])
      %{user: user, other_user: other_user}
    end
    test "can read all users", %{user: user, other_user: other_user} do
      {:ok, users} = Ash.read(Accounts.User, actor: user, domain: Mv.Accounts)
      # Should return all users (scope :all)
      user_ids = Enum.map(users, & &1.id)
      assert user.id in user_ids
      assert other_user.id in user_ids
    end
    test "can read other users", %{user: user, other_user: other_user} do
      {:ok, fetched_user} =
        Ash.get(Accounts.User, other_user.id, actor: user, domain: Mv.Accounts)
      assert fetched_user.id == other_user.id
    end
    test "can update other users", %{user: user, other_user: other_user} do
      new_email = "adminupdated#{System.unique_integer([:positive])}@example.com"
      {:ok, updated_user} =
        other_user
        |> Ash.Changeset.for_update(:update_user, %{email: new_email})
        |> Ash.update(actor: user)
      assert updated_user.email == Ash.CiString.new(new_email)
    end
    test "can create user", %{user: user} do
      {:ok, new_user} =
        Accounts.User
        |> Ash.Changeset.for_create(:create_user, %{
          email: "new#{System.unique_integer([:positive])}@example.com"
        })
        |> Ash.create(actor: user)
      assert new_user.email
    end
    test "can destroy user", %{user: user, other_user: other_user} do
      :ok = Ash.destroy(other_user, actor: user)
      # Verify user is deleted
      assert {:error, _} = Ash.get(Accounts.User, other_user.id, domain: Mv.Accounts)
    end
  end
  describe "AshAuthentication bypass" do
    test "register_with_password works without actor" do
      # Registration should work without actor (AshAuthentication bypass)
      {:ok, user} =
        Accounts.User
        |> Ash.Changeset.for_create(:register_with_password, %{
          email: "register#{System.unique_integer([:positive])}@example.com",
          password: "testpassword123"
        })
        |> Ash.create()
      assert user.email
    end
    test "register_with_rauthy works with OIDC user_info" do
      # OIDC registration should work (AshAuthentication bypass)
      user_info = %{
        "sub" => "oidc_sub_#{System.unique_integer([:positive])}",
        "email" => "oidc#{System.unique_integer([:positive])}@example.com"
      }
      oauth_tokens = %{access_token: "token", refresh_token: "refresh"}
      {:ok, user} =
        Accounts.User
        |> Ash.Changeset.for_create(:register_with_rauthy, %{
          user_info: user_info,
          oauth_tokens: oauth_tokens
        })
        |> Ash.create()
      assert user.email
      assert user.oidc_id == user_info["sub"]
    end
    test "sign_in_with_rauthy works with OIDC user_info" do
      # First create a user with OIDC ID
      user_info_create = %{
        "sub" => "oidc_sub_#{System.unique_integer([:positive])}",
        "email" => "oidc#{System.unique_integer([:positive])}@example.com"
      }
      oauth_tokens = %{access_token: "token", refresh_token: "refresh"}
      {:ok, user} =
        Accounts.User
        |> Ash.Changeset.for_create(:register_with_rauthy, %{
          user_info: user_info_create,
          oauth_tokens: oauth_tokens
        })
        |> Ash.create()
      # Now test sign_in_with_rauthy (should work via AshAuthentication bypass)
      {:ok, signed_in_user} =
        Accounts.User
        |> Ash.Query.for_read(:sign_in_with_rauthy, %{
          user_info: user_info_create,
          oauth_tokens: oauth_tokens
        })
        |> Ash.read_one()
      assert signed_in_user.id == user.id
    end
    # NOTE: get_by_subject is tested implicitly via AshAuthentication's JWT flow.
    # Direct testing via Ash.Query.for_read(:get_by_subject) doesn't properly
    # simulate the AshAuthentication context and would require mocking JWT tokens.
    # The AshAuthentication bypass policy ensures this action works correctly
    # when called through the proper authentication flow (sign_in, token refresh, etc.).
    # Integration tests that use actual JWT tokens cover this functionality.
  end
  describe "test environment bypass (NoActor)" do
    test "operations without actor are allowed in test environment" do
      # In test environment, NoActor check should allow operations
      {:ok, user} =
        Accounts.User
        |> Ash.Changeset.for_create(:create_user, %{
          email: "noactor#{System.unique_integer([:positive])}@example.com"
        })
        |> Ash.create()
      assert user.email
      # Read should also work
      {:ok, fetched_user} = Ash.get(Accounts.User, user.id, domain: Mv.Accounts)
      assert fetched_user.id == user.id
    end
  end
 end
--- a/test/mv/authorization/actor_test.exs
+++ b/test/mv/authorization/actor_test.exs
@ -0,0 +1,84 @@
 defmodule Mv.Authorization.ActorTest do
  @moduledoc """
  Tests for the Actor helper module.
  """
  use Mv.DataCase, async: false
  alias Mv.Accounts
  alias Mv.Authorization.Actor
  describe "ensure_loaded/1" do
    test "returns nil when actor is nil" do
      assert Actor.ensure_loaded(nil) == nil
    end
    test "returns actor as-is when role is already loaded" do
      # Create user with role
      {:ok, user} =
        Accounts.User
        |> Ash.Changeset.for_create(:register_with_password, %{
          email: "test#{System.unique_integer([:positive])}@example.com",
          password: "testpassword123"
        })
        |> Ash.create()
      # Load role
      {:ok, user_with_role} = Ash.load(user, :role, domain: Mv.Accounts)
      # Should return as-is (no additional load)
      result = Actor.ensure_loaded(user_with_role)
      assert result.id == user.id
      assert result.role != %Ash.NotLoaded{}
    end
    test "loads role when it's NotLoaded" do
      # Create a role first
      {:ok, role} =
        Mv.Authorization.Role
        |> Ash.Changeset.for_create(:create_role, %{
          name: "Test Role #{System.unique_integer([:positive])}",
          description: "Test role",
          permission_set_name: "own_data"
        })
        |> Ash.create()
      # Create user with role
      {:ok, user} =
        Accounts.User
        |> Ash.Changeset.for_create(:register_with_password, %{
          email: "test#{System.unique_integer([:positive])}@example.com",
          password: "testpassword123"
        })
        |> Ash.create()
      # Assign role to user
      {:ok, user_with_role} =
        user
        |> Ash.Changeset.for_update(:update, %{})
        |> Ash.Changeset.manage_relationship(:role, role, type: :append_and_remove)
        |> Ash.update()
      # Fetch user again WITHOUT loading role (simulates "role not preloaded" scenario)
      {:ok, user_without_role_loaded} =
        Ash.get(Accounts.User, user_with_role.id, domain: Mv.Accounts)
      # User has role as NotLoaded (relationship not preloaded)
      assert match?(%Ash.NotLoaded{}, user_without_role_loaded.role)
      # ensure_loaded should load it
      result = Actor.ensure_loaded(user_without_role_loaded)
      assert result.id == user.id
      refute match?(%Ash.NotLoaded{}, result.role)
      assert result.role.id == role.id
    end
    test "returns non-User actors as-is (no-op)" do
      # Create a plain map (not Mv.Accounts.User)
      other_actor = %{id: "fake", role: %Ash.NotLoaded{field: :role}}
      # Should return as-is (pattern match doesn't apply to non-User)
      result = Actor.ensure_loaded(other_actor)
      assert result == other_actor
    end
  end
 end
--- a/test/mv/authorization/checks/has_permission_test.exs
+++ b/test/mv/authorization/checks/has_permission_test.exs
@ -76,8 +76,10 @@ defmodule Mv.Authorization.Checks.HasPermissionTest do
      {:ok, result} = HasPermission.strict_check(own_data_user, authorizer, [])
-      # Should return :unknown for :own scope (needs filter)
+      # Should return false for :own scope without record
-      assert result == :unknown
+      # This prevents bypassing expr-based filters in bypass policies
      # The actual filtering is done via bypass policies with expr(id == ^actor(:id))
      assert result == false
    end
  end
@ -104,14 +106,16 @@ defmodule Mv.Authorization.Checks.HasPermissionTest do
  end
  describe "strict_check/3 - Scope :own" do
-    test "actor with scope :own returns :unknown (needs filter)" do
+    test "actor with scope :own returns false (needs bypass policy with expr filter)" do
      user = create_actor("user-123", "own_data")
      authorizer = create_authorizer(Mv.Accounts.User, :read)
      {:ok, result} = HasPermission.strict_check(user, authorizer, [])
-      # Should return :unknown for :own scope (needs filter via auto_filter)
+      # Should return false for :own scope without record
-      assert result == :unknown
+      # This prevents bypassing expr-based filters in bypass policies
      # The actual filtering is done via bypass policies with expr(id == ^actor(:id))
      assert result == false
    end
  end
@ -270,4 +274,44 @@ defmodule Mv.Authorization.Checks.HasPermissionTest do
      end
    end
  end
  describe "strict_check/3 - Role Loading Fallback" do
    test "returns false if role is NotLoaded and cannot be loaded" do
      # Create actor with NotLoaded role
      # In real scenario, ensure_role_loaded would attempt to load via Ash.load
      # For this test, we use a simple map to verify the pattern matching works
      actor = %{
        id: "user-123",
        role: %Ash.NotLoaded{}
      }
      authorizer = create_authorizer(Mv.Accounts.User, :read)
      # Should handle NotLoaded pattern and return false
      # (In real scenario, ensure_role_loaded would attempt to load, but for this test
      # we just verify the pattern matching works correctly)
      {:ok, result} = HasPermission.strict_check(actor, authorizer, [])
      assert result == false
    end
    test "returns false if role is nil" do
      actor = %{
        id: "user-123",
        role: nil
      }
      authorizer = create_authorizer(Mv.Accounts.User, :read)
      {:ok, result} = HasPermission.strict_check(actor, authorizer, [])
      assert result == false
    end
    test "works correctly when role is already loaded" do
      actor = create_actor("user-123", "admin")
      authorizer = create_authorizer(Mv.Accounts.User, :read)
      {:ok, result} = HasPermission.strict_check(actor, authorizer, [])
      assert result == true
    end
  end
 end
--- a/test/mv/authorization/checks/no_actor_test.exs
+++ b/test/mv/authorization/checks/no_actor_test.exs
@ -0,0 +1,52 @@
 defmodule Mv.Authorization.Checks.NoActorTest do
  @moduledoc """
  Tests for the NoActor Ash Policy Check.
  This check allows actions without an actor ONLY in test environment.
  In production/dev, all operations without an actor are denied.
  """
  use ExUnit.Case, async: true
  alias Mv.Authorization.Checks.NoActor
  describe "match?/3" do
    test "returns true when actor is nil in test environment" do
      # In test environment (config :allow_no_actor_bypass = true), NoActor allows operations
      result = NoActor.match?(nil, %{}, [])
      assert result == true
    end
    test "returns false when actor is present" do
      actor = %{id: "user-123"}
      result = NoActor.match?(actor, %{}, [])
      assert result == false
    end
    test "uses compile-time config (not runtime Mix.env)" do
      # The @allow_no_actor_bypass is set via Application.compile_env at compile time
      # In test.exs: config :mv, :allow_no_actor_bypass, true
      # In prod/dev: not set (defaults to false)
      # This ensures the check is release-safe (no runtime Mix.env dependency)
      result = NoActor.match?(nil, %{}, [])
      # In test environment (as compiled), should allow
      assert result == true
      # Note: We cannot test "production mode" here because the flag is compile-time.
      # Production safety is guaranteed by:
      # 1. Config only set in test.exs
      # 2. Default is false (fail-closed)
      # 3. No runtime environment checks
    end
  end
  describe "describe/1" do
    test "returns description based on compile-time config" do
      description = NoActor.describe([])
      assert is_binary(description)
      # In test environment (compiled with :allow_no_actor_bypass = true)
      assert description =~ "test environment"
    end
  end
 end
--- a/test/mv/helpers/system_actor_test.exs
+++ b/test/mv/helpers/system_actor_test.exs
@ -0,0 +1,362 @@
 defmodule Mv.Helpers.SystemActorTest do
  @moduledoc """
  Tests for the SystemActor helper module.
  """
  use Mv.DataCase, async: false
  alias Mv.Helpers.SystemActor
  alias Mv.Authorization
  alias Mv.Accounts
  require Ash.Query
  # Helper function to ensure admin role exists
  defp ensure_admin_role do
    case Authorization.list_roles() do
      {:ok, roles} ->
        case Enum.find(roles, &(&1.permission_set_name == "admin")) do
          nil ->
            {:ok, role} =
              Authorization.create_role(%{
                name: "Admin",
                description: "Administrator with full access",
                permission_set_name: "admin"
              })
            role
          role ->
            role
        end
      _ ->
        {:ok, role} =
          Authorization.create_role(%{
            name: "Admin",
            description: "Administrator with full access",
            permission_set_name: "admin"
          })
        role
    end
  end
  # Helper function to ensure system user exists with admin role
  defp ensure_system_user(admin_role) do
    case Accounts.User
         |> Ash.Query.filter(email == ^"system@mila.local")
         |> Ash.read_one(domain: Mv.Accounts) do
      {:ok, user} when not is_nil(user) ->
        user
        |> Ash.Changeset.for_update(:update, %{})
        |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
        |> Ash.update!()
        |> Ash.load!(:role, domain: Mv.Accounts)
      _ ->
        Accounts.create_user!(%{email: "system@mila.local"},
          upsert?: true,
          upsert_identity: :unique_email
        )
        |> Ash.Changeset.for_update(:update, %{})
        |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
        |> Ash.update!()
        |> Ash.load!(:role, domain: Mv.Accounts)
    end
  end
  # Helper function to ensure admin user exists with admin role
  defp ensure_admin_user(admin_role) do
    admin_email = System.get_env("ADMIN_EMAIL") || "admin@localhost"
    case Accounts.User
         |> Ash.Query.filter(email == ^admin_email)
         |> Ash.read_one(domain: Mv.Accounts) do
      {:ok, user} when not is_nil(user) ->
        user
        |> Ash.Changeset.for_update(:update, %{})
        |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
        |> Ash.update!()
        |> Ash.load!(:role, domain: Mv.Accounts)
      _ ->
        Accounts.create_user!(%{email: admin_email},
          upsert?: true,
          upsert_identity: :unique_email
        )
        |> Ash.Changeset.for_update(:update, %{})
        |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
        |> Ash.update!()
        |> Ash.load!(:role, domain: Mv.Accounts)
    end
  end
  setup do
    admin_role = ensure_admin_role()
    system_user = ensure_system_user(admin_role)
    admin_user = ensure_admin_user(admin_role)
    # Invalidate cache to ensure fresh load
    SystemActor.invalidate_cache()
    %{admin_role: admin_role, system_user: system_user, admin_user: admin_user}
  end
  describe "get_system_actor/0" do
    test "returns system user with admin role", %{system_user: _system_user} do
      system_actor = SystemActor.get_system_actor()
      assert %Mv.Accounts.User{} = system_actor
      assert to_string(system_actor.email) == "system@mila.local"
      assert system_actor.role != nil
      assert system_actor.role.permission_set_name == "admin"
    end
    test "falls back to admin user if system user doesn't exist", %{admin_user: _admin_user} do
      # Delete system user if it exists
      case Accounts.User
           |> Ash.Query.filter(email == ^"system@mila.local")
           |> Ash.read_one(domain: Mv.Accounts) do
        {:ok, user} when not is_nil(user) ->
          Ash.destroy!(user, domain: Mv.Accounts)
        _ ->
          :ok
      end
      # Invalidate cache to force reload
      SystemActor.invalidate_cache()
      # Should fall back to admin user
      system_actor = SystemActor.get_system_actor()
      assert %Mv.Accounts.User{} = system_actor
      assert system_actor.role != nil
      assert system_actor.role.permission_set_name == "admin"
      # Should be admin user, not system user
      assert to_string(system_actor.email) != "system@mila.local"
    end
    test "caches system actor for performance" do
      # First call
      actor1 = SystemActor.get_system_actor()
      # Second call should return cached actor (same struct)
      actor2 = SystemActor.get_system_actor()
      # Should be the same struct (cached)
      assert actor1.id == actor2.id
    end
    test "creates system user in test environment if none exists", %{admin_role: _admin_role} do
      # In test environment, system actor should auto-create if missing
      # Delete all users to test auto-creation
      case Accounts.User
           |> Ash.Query.filter(email == ^"system@mila.local")
           |> Ash.read_one(domain: Mv.Accounts) do
        {:ok, user} when not is_nil(user) ->
          Ash.destroy!(user, domain: Mv.Accounts)
        _ ->
          :ok
      end
      admin_email = System.get_env("ADMIN_EMAIL") || "admin@localhost"
      case Accounts.User
           |> Ash.Query.filter(email == ^admin_email)
           |> Ash.read_one(domain: Mv.Accounts) do
        {:ok, user} when not is_nil(user) ->
          Ash.destroy!(user, domain: Mv.Accounts)
        _ ->
          :ok
      end
      # Invalidate cache
      SystemActor.invalidate_cache()
      # Should auto-create system user in test environment
      system_actor = SystemActor.get_system_actor()
      assert %Mv.Accounts.User{} = system_actor
      assert to_string(system_actor.email) == "system@mila.local"
      assert system_actor.role != nil
      assert system_actor.role.permission_set_name == "admin"
    end
  end
  describe "invalidate_cache/0" do
    test "forces reload of system actor on next call" do
      # Get initial actor
      actor1 = SystemActor.get_system_actor()
      # Invalidate cache
      :ok = SystemActor.invalidate_cache()
      # Next call should reload (but should be same user)
      actor2 = SystemActor.get_system_actor()
      # Should be same user (same ID)
      assert actor1.id == actor2.id
    end
  end
  describe "get_system_actor_result/0" do
    test "returns ok tuple with system actor" do
      assert {:ok, actor} = SystemActor.get_system_actor_result()
      assert %Mv.Accounts.User{} = actor
      assert actor.role.permission_set_name == "admin"
    end
    test "returns error tuple when system actor cannot be loaded" do
      # Delete all users to force error
      case Accounts.User
           |> Ash.Query.filter(email == ^"system@mila.local")
           |> Ash.read_one(domain: Mv.Accounts) do
        {:ok, user} when not is_nil(user) ->
          Ash.destroy!(user, domain: Mv.Accounts)
        _ ->
          :ok
      end
      admin_email = System.get_env("ADMIN_EMAIL") || "admin@localhost"
      case Accounts.User
           |> Ash.Query.filter(email == ^admin_email)
           |> Ash.read_one(domain: Mv.Accounts) do
        {:ok, user} when not is_nil(user) ->
          Ash.destroy!(user, domain: Mv.Accounts)
        _ ->
          :ok
      end
      SystemActor.invalidate_cache()
      # In test environment, it should auto-create, so this should succeed
      # But if it fails, we should get an error tuple
      result = SystemActor.get_system_actor_result()
      # Should either succeed (auto-created) or return error
      assert match?({:ok, _}, result) or match?({:error, _}, result)
    end
  end
  describe "system_user_email/0" do
    test "returns the system user email address" do
      assert SystemActor.system_user_email() == "system@mila.local"
    end
  end
  describe "edge cases" do
    test "raises error if admin user has no role", %{admin_user: admin_user} do
      # Remove role from admin user
      admin_user
      |> Ash.Changeset.for_update(:update, %{})
      |> Ash.Changeset.manage_relationship(:role, nil, type: :append_and_remove)
      |> Ash.update!()
      # Delete system user to force fallback
      case Accounts.User
           |> Ash.Query.filter(email == ^"system@mila.local")
           |> Ash.read_one(domain: Mv.Accounts) do
        {:ok, user} when not is_nil(user) ->
          Ash.destroy!(user, domain: Mv.Accounts)
        _ ->
          :ok
      end
      SystemActor.invalidate_cache()
      # Should raise error because admin user has no role
      assert_raise RuntimeError, ~r/System actor must have a role assigned/, fn ->
        SystemActor.get_system_actor()
      end
    end
    test "handles concurrent calls without race conditions" do
      # Delete system user and admin user to force creation
      case Accounts.User
           |> Ash.Query.filter(email == ^"system@mila.local")
           |> Ash.read_one(domain: Mv.Accounts) do
        {:ok, user} when not is_nil(user) ->
          Ash.destroy!(user, domain: Mv.Accounts)
        _ ->
          :ok
      end
      admin_email = System.get_env("ADMIN_EMAIL") || "admin@localhost"
      case Accounts.User
           |> Ash.Query.filter(email == ^admin_email)
           |> Ash.read_one(domain: Mv.Accounts) do
        {:ok, user} when not is_nil(user) ->
          Ash.destroy!(user, domain: Mv.Accounts)
        _ ->
          :ok
      end
      SystemActor.invalidate_cache()
      # Call get_system_actor concurrently from multiple processes
      tasks =
        for _ <- 1..10 do
          Task.async(fn -> SystemActor.get_system_actor() end)
        end
      results = Task.await_many(tasks, :infinity)
      # All should succeed and return the same actor
      assert length(results) == 10
      assert Enum.all?(results, &(&1.role.permission_set_name == "admin"))
      assert Enum.all?(results, fn actor -> to_string(actor.email) == "system@mila.local" end)
      # All should have the same ID (same user)
      ids = Enum.map(results, & &1.id)
      assert Enum.uniq(ids) |> length() == 1
    end
    test "raises error if system user has wrong role", %{system_user: system_user} do
      # Create a non-admin role (using read_only as it's a valid permission set)
      {:ok, read_only_role} =
        Authorization.create_role(%{
          name: "Read Only Role",
          description: "Read-only access",
          permission_set_name: "read_only"
        })
      # Assign wrong role to system user
      system_user
      |> Ash.Changeset.for_update(:update, %{})
      |> Ash.Changeset.manage_relationship(:role, read_only_role, type: :append_and_remove)
      |> Ash.update!()
      SystemActor.invalidate_cache()
      # Should raise error because system user doesn't have admin role
      assert_raise RuntimeError, ~r/System actor must have admin role/, fn ->
        SystemActor.get_system_actor()
      end
    end
    test "raises error if system user has no role", %{system_user: system_user} do
      # Remove role from system user
      system_user
      |> Ash.Changeset.for_update(:update, %{})
      |> Ash.Changeset.manage_relationship(:role, nil, type: :append_and_remove)
      |> Ash.update!()
      SystemActor.invalidate_cache()
      # Should raise error because system user has no role
      assert_raise RuntimeError, ~r/System actor must have a role assigned/, fn ->
        SystemActor.get_system_actor()
      end
    end
  end
 end
--- a/test/mv/membership/import/member_csv_test.exs
+++ b/test/mv/membership/import/member_csv_test.exs
@ -404,7 +404,7 @@ defmodule Mv.Membership.Import.MemberCSVTest do
      assert chunk_result.inserted == 0
      assert chunk_result.failed == 10
-      assert length(chunk_result.errors) == 0
+      assert chunk_result.errors == []
    end
    test "error capping with mixed success and failure" do
--- a/test/mv_web/live/profile_navigation_test.exs
+++ b/test/mv_web/live/profile_navigation_test.exs
@ -146,8 +146,6 @@ defmodule MvWeb.ProfileNavigationTest do
      "/",
      "/members",
      "/members/new",
      "/custom_field_values",
      "/custom_field_values/new",
      "/users",
      "/users/new"
    ]
--- a/test/mv_web/live/role_live/show_test.exs
+++ b/test/mv_web/live/role_live/show_test.exs
@ -0,0 +1,274 @@
 defmodule MvWeb.RoleLive.ShowTest do
  @moduledoc """
  Tests for the role show page.
  Tests cover:
  - Displaying role information
  - System role badge display
  - User count display
  - Navigation
  - Error handling
  - Delete functionality
  """
  use MvWeb.ConnCase, async: false
  import Phoenix.LiveViewTest
  require Ash.Query
  use Gettext, backend: MvWeb.Gettext
  alias Mv.Authorization
  alias Mv.Authorization.Role
  # Helper to create a role
  defp create_role(attrs \\ %{}) do
    default_attrs = %{
      name: "Test Role #{System.unique_integer([:positive])}",
      description: "Test description",
      permission_set_name: "read_only"
    }
    attrs = Map.merge(default_attrs, attrs)
    case Authorization.create_role(attrs) do
      {:ok, role} -> role
      {:error, error} -> raise "Failed to create role: #{inspect(error)}"
    end
  end
  # Helper to create admin user with admin role
  defp create_admin_user(conn) do
    # Create admin role
    admin_role =
      case Authorization.list_roles() do
        {:ok, roles} ->
          case Enum.find(roles, &(&1.name == "Admin")) do
            nil ->
              # Create admin role if it doesn't exist
              create_role(%{
                name: "Admin",
                description: "Administrator with full access",
                permission_set_name: "admin"
              })
            role ->
              role
          end
        _ ->
          # Create admin role if list_roles fails
          create_role(%{
            name: "Admin",
            description: "Administrator with full access",
            permission_set_name: "admin"
          })
      end
    # Create user
    {:ok, user} =
      Mv.Accounts.User
      |> Ash.Changeset.for_create(:register_with_password, %{
        email: "admin#{System.unique_integer([:positive])}@mv.local",
        password: "testpassword123"
      })
      |> Ash.create()
    # Assign admin role using manage_relationship
    {:ok, user} =
      user
      |> Ash.Changeset.for_update(:update, %{})
      |> Ash.Changeset.manage_relationship(:role, admin_role, type: :append_and_remove)
      |> Ash.update()
    # Load role for authorization checks (must be loaded for can?/3 to work)
    user_with_role = Ash.load!(user, :role, domain: Mv.Accounts)
    # Store user with role in session for LiveView
    conn = conn_with_password_user(conn, user_with_role)
    {conn, user_with_role, admin_role}
  end
  describe "mount and display" do
    setup %{conn: conn} do
      {conn, _user, _admin_role} = create_admin_user(conn)
      %{conn: conn}
    end
    test "mounts successfully with valid role ID", %{conn: conn} do
      role = create_role()
      {:ok, _view, html} = live(conn, "/admin/roles/#{role.id}")
      assert html =~ role.name
    end
    test "displays role name", %{conn: conn} do
      role = create_role(%{name: "Test Role Name"})
      {:ok, _view, html} = live(conn, "/admin/roles/#{role.id}")
      assert html =~ "Test Role Name"
      assert html =~ gettext("Name")
    end
    test "displays role description when present", %{conn: conn} do
      role = create_role(%{description: "This is a test description"})
      {:ok, _view, html} = live(conn, "/admin/roles/#{role.id}")
      assert html =~ "This is a test description"
      assert html =~ gettext("Description")
    end
    test "displays 'No description' when description is missing", %{conn: conn} do
      role = create_role(%{description: nil})
      {:ok, _view, html} = live(conn, "/admin/roles/#{role.id}")
      assert html =~ gettext("No description")
    end
    test "displays permission set name", %{conn: conn} do
      role = create_role(%{permission_set_name: "read_only"})
      {:ok, _view, html} = live(conn, "/admin/roles/#{role.id}")
      assert html =~ "read_only"
      assert html =~ gettext("Permission Set")
    end
    test "displays system role badge when is_system_role is true", %{conn: conn} do
      system_role =
        Role
        |> Ash.Changeset.for_create(:create_role, %{
          name: "System Role",
          permission_set_name: "own_data"
        })
        |> Ash.Changeset.force_change_attribute(:is_system_role, true)
        |> Ash.create!()
      {:ok, _view, html} = live(conn, "/admin/roles/#{system_role.id}")
      assert html =~ gettext("System Role")
      assert html =~ gettext("Yes")
    end
    test "displays non-system role badge when is_system_role is false", %{conn: conn} do
      role = create_role()
      {:ok, _view, html} = live(conn, "/admin/roles/#{role.id}")
      assert html =~ gettext("System Role")
      assert html =~ gettext("No")
    end
    test "displays user count", %{conn: conn} do
      role = create_role()
      {:ok, _view, html} = live(conn, "/admin/roles/#{role.id}")
      # User count should be displayed (might be 0 or more)
      assert html =~ gettext("User") || html =~ "0" || html =~ "users"
    end
  end
  describe "navigation" do
    setup %{conn: conn} do
      {conn, _user, _admin_role} = create_admin_user(conn)
      %{conn: conn}
    end
    test "back button navigates to role list", %{conn: conn} do
      role = create_role()
      {:ok, view, _html} = live(conn, "/admin/roles/#{role.id}")
      assert {:error, {:live_redirect, %{to: to}}} =
               view
               |> element(
                 "a[aria-label='#{gettext("Back to roles list")}'], button[aria-label='#{gettext("Back to roles list")}']"
               )
               |> render_click()
      assert to == "/admin/roles"
    end
    test "edit button navigates to edit form", %{conn: conn} do
      role = create_role()
      {:ok, view, _html} = live(conn, "/admin/roles/#{role.id}")
      assert {:error, {:live_redirect, %{to: to}}} =
               view
               |> element(
                 "a[href='/admin/roles/#{role.id}/edit'], button[href='/admin/roles/#{role.id}/edit']"
               )
               |> render_click()
      assert to == "/admin/roles/#{role.id}/edit"
    end
  end
  describe "error handling" do
    setup %{conn: conn} do
      {conn, _user, _admin_role} = create_admin_user(conn)
      %{conn: conn}
    end
    test "redirects to role list with error for invalid role ID", %{conn: conn} do
      invalid_id = Ecto.UUID.generate()
      # Should redirect to index with error message
      result = live(conn, "/admin/roles/#{invalid_id}")
      assert match?({:error, {:redirect, %{to: "/admin/roles"}}}, result) or
               match?({:error, {:live_redirect, %{to: "/admin/roles"}}}, result)
    end
  end
  describe "delete functionality" do
    setup %{conn: conn} do
      {conn, _user, _admin_role} = create_admin_user(conn)
      %{conn: conn}
    end
    test "delete button is not shown for system roles", %{conn: conn} do
      system_role =
        Role
        |> Ash.Changeset.for_create(:create_role, %{
          name: "System Role",
          permission_set_name: "own_data"
        })
        |> Ash.Changeset.force_change_attribute(:is_system_role, true)
        |> Ash.create!()
      {:ok, _view, html} = live(conn, "/admin/roles/#{system_role.id}")
      # Delete button should not be visible for system roles
      refute html =~ ~r/Delete.*Role.*#{system_role.id}/i
    end
    test "delete button is shown for non-system roles", %{conn: conn} do
      role = create_role()
      {:ok, _view, html} = live(conn, "/admin/roles/#{role.id}")
      # Delete button should be visible for non-system roles
      assert html =~ gettext("Delete Role") || html =~ "delete"
    end
  end
  describe "page title" do
    setup %{conn: conn} do
      {conn, _user, _admin_role} = create_admin_user(conn)
      %{conn: conn}
    end
    test "sets correct page title", %{conn: conn} do
      role = create_role()
      {:ok, _view, html} = live(conn, "/admin/roles/#{role.id}")
      # Check that page title is set (might be in title tag or header)
      assert html =~ gettext("Show Role") || html =~ role.name
    end
  end
 end
--- a/test/mv_web/live/user_live/show_test.exs
+++ b/test/mv_web/live/user_live/show_test.exs
@ -0,0 +1,155 @@
 defmodule MvWeb.UserLive.ShowTest do
  @moduledoc """
  Tests for the user show page.
  Tests cover:
  - Displaying user information
  - Authentication status display
  - Linked member display
  - Navigation
  - Error handling
  """
  use MvWeb.ConnCase, async: true
  import Phoenix.LiveViewTest
  require Ash.Query
  use Gettext, backend: MvWeb.Gettext
  alias Mv.Membership.Member
  setup do
    # Create test user
    user = create_test_user(%{email: "test@example.com", oidc_id: "test123"})
    %{user: user}
  end
  describe "mount and display" do
    test "mounts successfully with valid user ID", %{conn: conn, user: user} do
      conn = conn_with_oidc_user(conn)
      {:ok, _view, html} = live(conn, ~p"/users/#{user.id}")
      assert html =~ to_string(user.email)
    end
    test "displays user email", %{conn: conn, user: user} do
      conn = conn_with_oidc_user(conn)
      {:ok, _view, html} = live(conn, ~p"/users/#{user.id}")
      assert html =~ to_string(user.email)
      assert html =~ gettext("Email")
    end
    test "displays password authentication status when enabled", %{conn: conn} do
      user = create_test_user(%{email: "password-user@example.com", password: "test123"})
      conn = conn_with_oidc_user(conn)
      {:ok, _view, html} = live(conn, ~p"/users/#{user.id}")
      assert html =~ gettext("Password Authentication")
      assert html =~ gettext("Enabled")
    end
    test "displays password authentication status when not enabled", %{conn: conn} do
      # User without password (only OIDC) - create user with OIDC only
      user =
        create_test_user(%{
          email: "oidc-only#{System.unique_integer([:positive])}@example.com",
          oidc_id: "oidc#{System.unique_integer([:positive])}",
          hashed_password: nil
        })
      conn = conn_with_oidc_user(conn)
      {:ok, _view, html} = live(conn, ~p"/users/#{user.id}")
      assert html =~ gettext("Password Authentication")
      assert html =~ gettext("Not enabled")
    end
    test "displays linked member when present", %{conn: conn} do
      # Create member
      {:ok, member} =
        Member
        |> Ash.Changeset.for_create(:create_member, %{
          first_name: "Alice",
          last_name: "Smith",
          email: "alice@example.com"
        })
        |> Ash.create()
      # Create user and link to member
      user = create_test_user(%{email: "user@example.com"})
      {:ok, _updated_user} =
        user
        |> Ash.Changeset.for_update(:update, %{})
        |> Ash.Changeset.manage_relationship(:member, member, type: :append_and_remove)
        |> Ash.update()
      conn = conn_with_oidc_user(conn)
      {:ok, _view, html} = live(conn, ~p"/users/#{user.id}")
      assert html =~ gettext("Linked Member")
      assert html =~ "Alice Smith"
      assert html =~ ~r/href="[^"]*\/members\/#{member.id}"/
    end
    test "displays 'No member linked' when no member is linked", %{conn: conn, user: user} do
      conn = conn_with_oidc_user(conn)
      {:ok, _view, html} = live(conn, ~p"/users/#{user.id}")
      assert html =~ gettext("Linked Member")
      assert html =~ gettext("No member linked")
    end
  end
  describe "navigation" do
    test "back button navigates to user list", %{conn: conn, user: user} do
      conn = conn_with_oidc_user(conn)
      {:ok, view, _html} = live(conn, ~p"/users/#{user.id}")
      assert {:error, {:live_redirect, %{to: to}}} =
               view
               |> element(
                 "a[aria-label='#{gettext("Back to users list")}'], button[aria-label='#{gettext("Back to users list")}']"
               )
               |> render_click()
      assert to == "/users"
    end
    test "edit button navigates to edit form", %{conn: conn, user: user} do
      conn = conn_with_oidc_user(conn)
      {:ok, view, _html} = live(conn, ~p"/users/#{user.id}")
      assert {:error, {:live_redirect, %{to: to}}} =
               view
               |> element(
                 "a[href='/users/#{user.id}/edit?return_to=show'], button[href='/users/#{user.id}/edit?return_to=show']"
               )
               |> render_click()
      assert to == "/users/#{user.id}/edit?return_to=show"
    end
  end
  describe "error handling" do
    test "raises exception for invalid user ID", %{conn: conn} do
      invalid_id = Ecto.UUID.generate()
      conn = conn_with_oidc_user(conn)
      # The mount function uses Ash.get! which will raise an exception
      # This is expected behavior - the LiveView doesn't handle this case
      assert_raise Ash.Error.Invalid, fn ->
        live(conn, ~p"/users/#{invalid_id}")
      end
    end
  end
  describe "page title" do
    test "sets correct page title", %{conn: conn, user: user} do
      conn = conn_with_oidc_user(conn)
      {:ok, _view, html} = live(conn, ~p"/users/#{user.id}")
      # Check that page title is set (might be in title tag or header)
      assert html =~ gettext("Show User") || html =~ to_string(user.email)
    end
  end
 end
--- a/test/mv_web/member_live/form_error_handling_test.exs
+++ b/test/mv_web/member_live/form_error_handling_test.exs
@ -0,0 +1,143 @@
 defmodule MvWeb.MemberLive.FormErrorHandlingTest do
  @moduledoc """
  Tests for error handling in the member form, specifically flash message display.
  """
  use MvWeb.ConnCase, async: false
  import Phoenix.LiveViewTest
  alias Mv.Membership.Member
  require Ash.Query
  describe "error handling - flash messages" do
    test "shows flash message when member creation fails with validation error", %{conn: conn} do
      # Create a member with the same email to trigger uniqueness error
      {:ok, _existing_member} =
        Member
        |> Ash.Changeset.for_create(:create_member, %{
          first_name: "Existing",
          last_name: "Member",
          email: "duplicate@example.com"
        })
        |> Ash.create()
      conn = conn_with_oidc_user(conn)
      {:ok, view, _html} = live(conn, "/members/new")
      # Try to create member with duplicate email
      form_data = %{
        "member[first_name]" => "New",
        "member[last_name]" => "Member",
        "member[email]" => "duplicate@example.com"
      }
      html =
        view
        |> form("#member-form", form_data)
        |> render_submit()
      # Should show flash error message
      assert has_element?(view, "#flash-group")
      assert html =~ "error" or html =~ "Error" or html =~ "Fehler" or
               html =~ "failed" or html =~ "fehlgeschlagen" or
               html =~ "Validation failed" or html =~ "Validierung fehlgeschlagen"
    end
    test "shows flash message when member creation fails with missing required fields", %{
      conn: conn
    } do
      conn = conn_with_oidc_user(conn)
      {:ok, view, _html} = live(conn, "/members/new")
      # Submit form with missing required fields (e.g., email)
      form_data = %{
        "member[first_name]" => "Test",
        "member[last_name]" => "User"
        # email is missing
      }
      html =
        view
        |> form("#member-form", form_data)
        |> render_submit()
      # Should show flash error message
      assert has_element?(view, "#flash-group")
      assert html =~ "error" or html =~ "Error" or html =~ "Fehler" or
               html =~ "failed" or html =~ "fehlgeschlagen" or
               html =~ "Validation failed" or html =~ "Validierung fehlgeschlagen" or
               html =~ "Please correct" or html =~ "Bitte korrigieren"
    end
    test "shows flash message when member update fails", %{conn: conn} do
      # Create a member to edit
      {:ok, member} =
        Member
        |> Ash.Changeset.for_create(:create_member, %{
          first_name: "Original",
          last_name: "Member",
          email: "original@example.com"
        })
        |> Ash.create()
      # Create another member with different email
      {:ok, _other_member} =
        Member
        |> Ash.Changeset.for_create(:create_member, %{
          first_name: "Other",
          last_name: "Member",
          email: "other@example.com"
        })
        |> Ash.create()
      conn = conn_with_oidc_user(conn)
      {:ok, view, _html} = live(conn, "/members/#{member.id}/edit")
      # Try to update with duplicate email
      form_data = %{
        "member[first_name]" => "Updated",
        "member[last_name]" => "Member",
        "member[email]" => "other@example.com"
      }
      html =
        view
        |> form("#member-form", form_data)
        |> render_submit()
      # Should show flash error message
      assert has_element?(view, "#flash-group")
      assert html =~ "error" or html =~ "Error" or html =~ "Fehler" or
               html =~ "failed" or html =~ "fehlgeschlagen" or
               html =~ "Validation failed" or html =~ "Validierung fehlgeschlagen"
    end
    test "form still displays field-level validation errors when flash message is shown", %{
      conn: conn
    } do
      conn = conn_with_oidc_user(conn)
      {:ok, view, _html} = live(conn, "/members/new")
      # Submit form with invalid email format
      form_data = %{
        "member[first_name]" => "Test",
        "member[last_name]" => "User",
        "member[email]" => "invalid-email-format"
      }
      html =
        view
        |> form("#member-form", form_data)
        |> render_submit()
      # Should show both flash message and field-level error
      assert has_element?(view, "#flash-group")
      # Field-level errors should also be visible in the form
      assert html =~ "email" or html =~ "Email"
    end
  end
 end