From 0ea77fec04db039b1b09a490ac18ad63ab6d230a Mon Sep 17 00:00:00 2001
From: Aziel <azielcruzado@gmail.com>
Date: Sun, 15 Feb 2026 13:02:14 -0500
Subject: [PATCH 01/12] feat(portal): introduce client portal module
 architecture

- access: Define AccessRule entity for routing and permissions.
- auth: Implement user authentication system (Domain, Application Service, and infrastructure handlers).
- repo: Add GORM repository implementation for auth persistence.
- shared: Add JWT security utilities for token generation and validation.
---
 src/clients_portal/access/domain/rule.go      |  45 +++++++
 .../auth/application/service.go               | 117 ++++++++++++++++++
 src/clients_portal/auth/domain/user.go        |  68 ++++++++++
 .../auth/infrastructure/handlers.go           | 103 +++++++++++++++
 .../auth/infrastructure/middleware.go         |  70 +++++++++++
 .../auth/repository/gorm_repo.go              |  65 ++++++++++
 src/clients_portal/shared/security/jwt.go     |  68 ++++++++++
 7 files changed, 536 insertions(+)
 create mode 100644 src/clients_portal/access/domain/rule.go
 create mode 100644 src/clients_portal/auth/application/service.go
 create mode 100644 src/clients_portal/auth/domain/user.go
 create mode 100644 src/clients_portal/auth/infrastructure/handlers.go
 create mode 100644 src/clients_portal/auth/infrastructure/middleware.go
 create mode 100644 src/clients_portal/auth/repository/gorm_repo.go
 create mode 100644 src/clients_portal/shared/security/jwt.go

diff --git a/src/clients_portal/access/domain/rule.go b/src/clients_portal/access/domain/rule.go
new file mode 100644
index 0000000..da99e5a
--- /dev/null
+++ b/src/clients_portal/access/domain/rule.go
@@ -0,0 +1,45 @@
+package domain
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// RuleType defines how the rule is evaluated
+type RuleType string
+
+const (
+	RuleTypeRouting    RuleType = "ROUTING"    // Redirect to a specific bot
+	RuleTypePermission RuleType = "PERMISSION" // Allow/Deny feature access
+	RuleTypeLimit      RuleType = "LIMIT"      // Usage thresholds
+)
+
+// AccessRule represents a dynamic configuration for a client's workspace
+type AccessRule struct {
+	ID           string `json:"id" gorm:"primaryKey"`
+	PortalUserID string `json:"portal_user_id" gorm:"index;not null"` // Owner of the rule
+	ClientID     string `json:"client_id" gorm:"index"`               // Associated CRM Client (optional)
+
+	Type     RuleType `json:"type" gorm:"not null"`
+	TargetID string   `json:"target_id"` // ID of Bot, Channel or Feature
+
+	// Criteria (Condition for the rule to apply)
+	ConditionKey   string `json:"condition_key"`   // e.g., "phone_number", "platform"
+	ConditionValue string `json:"condition_value"` // e.g., "51999888777", "whatsapp"
+
+	Enabled   bool      `json:"enabled" gorm:"default:true"`
+	CreatedAt time.Time `json:"created_at"`
+	UpdatedAt time.Time `json:"updated_at"`
+}
+
+func NewAccessRule(portalUserID, clientID string, ruleType RuleType, targetID string) *AccessRule {
+	return &AccessRule{
+		ID:           uuid.New().String(),
+		PortalUserID: portalUserID,
+		ClientID:     clientID,
+		Type:         ruleType,
+		TargetID:     targetID,
+		Enabled:      true,
+	}
+}
diff --git a/src/clients_portal/auth/application/service.go b/src/clients_portal/auth/application/service.go
new file mode 100644
index 0000000..f62c0d7
--- /dev/null
+++ b/src/clients_portal/auth/application/service.go
@@ -0,0 +1,117 @@
+package application
+
+import (
+	"context"
+	"errors"
+
+	crmDomain "github.com/AzielCF/az-wap/clients/domain"
+	"github.com/AzielCF/az-wap/clients_portal/auth/domain"
+	portalSecurity "github.com/AzielCF/az-wap/clients_portal/shared/security"
+)
+
+type AuthService struct {
+	repo       domain.IAuthRepository
+	clientRepo crmDomain.ClientRepository
+}
+
+func NewAuthService(repo domain.IAuthRepository, clientRepo crmDomain.ClientRepository) *AuthService {
+	return &AuthService{
+		repo:       repo,
+		clientRepo: clientRepo,
+	}
+}
+
+// Login verifies credentials and returns a JWT token
+func (s *AuthService) Login(ctx context.Context, username, password string) (string, *domain.PortalUser, error) {
+	// 1. Find user
+	user, err := s.repo.GetByUsername(ctx, username)
+	if err != nil {
+		return "", nil, errors.New("invalid credentials") // Do not reveal if user exists
+	}
+
+	// 2. Verify password
+	if !portalSecurity.CheckPasswordHash(password, user.PasswordHash) {
+		return "", nil, errors.New("invalid credentials")
+	}
+
+	// 3. Generate Token
+	token, err := portalSecurity.GenerateToken(user.ID, user.ClientID, user.Role)
+	if err != nil {
+		return "", nil, errors.New("failed to generate token")
+	}
+
+	// 4. Update last_login (background)
+	go s.repo.UpdateLastLogin(context.Background(), user.ID)
+
+	return token, user, nil
+}
+
+// Register creates a new portal user
+func (s *AuthService) Register(ctx context.Context, clientID, username, password, fullName string, role domain.PortalRole) (*domain.PortalUser, error) {
+	// 1. Validate duplicates
+	existing, _ := s.repo.GetByUsername(ctx, username)
+	if existing != nil {
+		return nil, errors.New("username already exists")
+	}
+
+	// 2. Hash password
+	hash, err := portalSecurity.HashPassword(password)
+	if err != nil {
+		return nil, errors.New("failed to hash password")
+	}
+
+	// 3. Create user
+	user := domain.NewPortalUser(clientID, username, hash, role)
+	user.FullName = fullName
+
+	if err := s.repo.Create(ctx, user); err != nil {
+		return nil, err
+	}
+
+	return user, nil
+}
+
+// ValidateToken verifies a token and returns the associated user
+func (s *AuthService) ValidateToken(ctx context.Context, tokenString string) (*domain.PortalUser, error) {
+	claims, err := portalSecurity.ValidateToken(tokenString)
+	if err != nil {
+		return nil, err
+	}
+
+	// Optional: Check if user exists/active in DB
+	user, err := s.repo.GetByID(ctx, claims.UserID)
+	if err != nil {
+		return nil, errors.New("user context not found")
+	}
+
+	if !user.Active {
+		return nil, errors.New("user account is inactive")
+	}
+
+	return user, nil
+}
+
+// GetUserProfile returns a combined view of the user and their account information
+func (s *AuthService) GetUserProfile(ctx context.Context, userID string) (*domain.PortalProfile, error) {
+	// 1. Get User
+	user, err := s.repo.GetByID(ctx, userID)
+	if err != nil {
+		return nil, err
+	}
+
+	// 2. Get associated Client info from CRM
+	client, err := s.clientRepo.GetByID(ctx, user.ClientID)
+	if err != nil {
+		// If client is not found, we still return the user but with empty account info
+		return &domain.PortalProfile{
+			User:    user,
+			Account: nil,
+		}, nil
+	}
+
+	// 3. Return combined profile
+	return &domain.PortalProfile{
+		User:    user,
+		Account: client,
+	}, nil
+}
diff --git a/src/clients_portal/auth/domain/user.go b/src/clients_portal/auth/domain/user.go
new file mode 100644
index 0000000..5b76c04
--- /dev/null
+++ b/src/clients_portal/auth/domain/user.go
@@ -0,0 +1,68 @@
+package domain
+
+import (
+	"context"
+	"time"
+
+	"github.com/google/uuid"
+)
+
+// PortalRole defines the access level within the portal
+type PortalRole string
+
+const (
+	RoleOwner   PortalRole = "OWNER"   // Full access (Billing, Configuration)
+	RoleManager PortalRole = "MANAGER" // Team and channel management
+	RoleMember  PortalRole = "MEMBER"  // Read-only / Operative
+)
+
+// PortalUser represents a user who can log in to the Client Portal
+type PortalUser struct {
+	ID           string     `json:"id" gorm:"primaryKey"`
+	ClientID     string     `json:"client_id" gorm:"index"`          // Link to CRM (Optional)
+	Username     string     `json:"username" gorm:"unique;not null"` // Phone or Email
+	PasswordHash string     `json:"-"`
+	FullName     string     `json:"full_name"`
+	Role         PortalRole `json:"role" gorm:"default:'MEMBER'"`
+	Active       bool       `json:"active" gorm:"default:true"`
+	LastLoginAt  *time.Time `json:"last_login_at,omitempty"`
+	CreatedAt    time.Time  `json:"created_at"`
+	UpdatedAt    time.Time  `json:"updated_at"`
+}
+
+// PortalProfile represents a combined view of the user and their account/client info
+type PortalProfile struct {
+	User    *PortalUser `json:"user"`
+	Account any         `json:"account"` // Combined with domain.Client info
+}
+
+// NewPortalUser creates a new instance with a generated ID
+func NewPortalUser(clientID, username, passwordHash string, role PortalRole) *PortalUser {
+	return &PortalUser{
+		ID:           uuid.New().String(),
+		ClientID:     clientID,
+		Username:     username,
+		PasswordHash: passwordHash,
+		Role:         role,
+		Active:       true,
+		CreatedAt:    time.Now(),
+		UpdatedAt:    time.Now(),
+	}
+}
+
+// IAuthRepository defines the persistence for authentication
+type IAuthRepository interface {
+	Create(ctx context.Context, user *PortalUser) error
+	GetByUsername(ctx context.Context, username string) (*PortalUser, error)
+	GetByID(ctx context.Context, id string) (*PortalUser, error)
+	UpdateLastLogin(ctx context.Context, id string) error
+	ListByClient(ctx context.Context, clientID string) ([]*PortalUser, error)
+}
+
+// IAuthService defines the business logic for authentication
+type IAuthService interface {
+	Login(ctx context.Context, username, password string) (string, *PortalUser, error) // Returns Token + User
+	Register(ctx context.Context, clientID, username, password, fullName string, role PortalRole) (*PortalUser, error)
+	ValidateToken(ctx context.Context, token string) (*PortalUser, error)
+	GetUserProfile(ctx context.Context, userID string) (*PortalProfile, error)
+}
diff --git a/src/clients_portal/auth/infrastructure/handlers.go b/src/clients_portal/auth/infrastructure/handlers.go
new file mode 100644
index 0000000..aa3555b
--- /dev/null
+++ b/src/clients_portal/auth/infrastructure/handlers.go
@@ -0,0 +1,103 @@
+package infrastructure
+
+import (
+	"strings"
+
+	"github.com/AzielCF/az-wap/clients_portal/auth/application"
+	"github.com/AzielCF/az-wap/clients_portal/auth/domain"
+	"github.com/gofiber/fiber/v2"
+)
+
+type AuthHandler struct {
+	authService *application.AuthService
+}
+
+func NewAuthHandler(service *application.AuthService) *AuthHandler {
+	return &AuthHandler{authService: service}
+}
+
+// Request Models
+type LoginRequest struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+type RegisterRequest struct {
+	ClientID string            `json:"client_id"` // Typically comes from an admin token or context
+	Username string            `json:"username"`
+	Password string            `json:"password"`
+	FullName string            `json:"full_name"`
+	Role     domain.PortalRole `json:"role"` // Optional, default MEMBER
+}
+
+// Login handles portal user authentication
+func (h *AuthHandler) Login(c *fiber.Ctx) error {
+	var req LoginRequest
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request body"})
+	}
+
+	token, user, err := h.authService.Login(c.Context(), req.Username, req.Password)
+	if err != nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "invalid credentials"})
+	}
+
+	return c.JSON(fiber.Map{
+		"token": token,
+		"user": fiber.Map{
+			"id":        user.ID,
+			"username":  user.Username,
+			"full_name": user.FullName,
+			"role":      user.Role,
+			"client_id": user.ClientID,
+		},
+	})
+}
+
+// Register handles new user registration (ideally protected by Admin/Owner role)
+func (h *AuthHandler) Register(c *fiber.Ctx) error {
+	var req RegisterRequest
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request body"})
+	}
+
+	// Basic validation
+	if req.Username == "" || req.Password == "" || req.ClientID == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "missing required fields"})
+	}
+
+	// Default role
+	if req.Role == "" {
+		req.Role = domain.RoleMember
+	}
+
+	user, err := h.authService.Register(c.Context(), req.ClientID, req.Username, req.Password, req.FullName, req.Role)
+	if err != nil {
+		if strings.Contains(err.Error(), "exists") {
+			return c.Status(fiber.StatusConflict).JSON(fiber.Map{"error": "username already exists"})
+		}
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.Status(fiber.StatusCreated).JSON(fiber.Map{
+		"message": "user created successfully",
+		"user_id": user.ID,
+	})
+}
+
+// Me returns the logged-in user information including account details
+func (h *AuthHandler) Me(c *fiber.Ctx) error {
+	// Get UserID from context (injected by middleware)
+	userID, ok := c.Locals("portal_user_id").(string)
+	if !ok {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized"})
+	}
+
+	// Get full profile using the service
+	profile, err := h.authService.GetUserProfile(c.Context(), userID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "failed to fetch profile"})
+	}
+
+	return c.JSON(profile)
+}
diff --git a/src/clients_portal/auth/infrastructure/middleware.go b/src/clients_portal/auth/infrastructure/middleware.go
new file mode 100644
index 0000000..a79bcb7
--- /dev/null
+++ b/src/clients_portal/auth/infrastructure/middleware.go
@@ -0,0 +1,70 @@
+package infrastructure
+
+import (
+	"strings"
+
+	"github.com/AzielCF/az-wap/clients_portal/auth/domain"
+	portalSecurity "github.com/AzielCF/az-wap/clients_portal/shared/security"
+	"github.com/gofiber/fiber/v2"
+)
+
+// Config for middleware (future: support BetterAuth remote keys)
+type AuthConfig struct {
+	SecretKey []byte
+}
+
+// NewAuthMiddleware creates the middleware to protect portal routes
+func NewAuthMiddleware(userRepo domain.IAuthRepository) fiber.Handler {
+	return func(c *fiber.Ctx) error {
+		// 1. Extract token
+		authHeader := c.Get("Authorization")
+		if authHeader == "" {
+			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "missing authorization header"})
+		}
+
+		parts := strings.Split(authHeader, " ")
+		if len(parts) != 2 || parts[0] != "Bearer" {
+			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "invalid authorization format"})
+		}
+
+		tokenString := parts[1]
+
+		// 2. Validate token (This is where we would switch logic if using BetterAuth)
+		// In the future, we could validate against an external public key here.
+		claims, err := portalSecurity.ValidateToken(tokenString)
+		if err != nil {
+			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "invalid or expired token"})
+		}
+
+		// 3. (Optional) Check user existence in our local DB
+		// If using BetterAuth, maybe "sync" the user or trust claims.
+		// For now, check DB.
+		// user, err := userRepo.GetByID(c.Context(), claims.UserID)
+		// if err != nil {
+		// 	 return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "user not found"})
+		// }
+
+		// 4. Inject context for next handlers
+		c.Locals("portal_user_id", claims.UserID)
+		c.Locals("portal_client_id", claims.ClientID)
+		c.Locals("portal_role", claims.Role)
+
+		return c.Next()
+	}
+}
+
+// RequireRole is an additional middleware for granular permissions
+func RequireRole(requiredRole domain.PortalRole) fiber.Handler {
+	return func(c *fiber.Ctx) error {
+		role, ok := c.Locals("portal_role").(domain.PortalRole)
+		if !ok {
+			return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "role not found in context"})
+		}
+
+		if role != requiredRole && role != domain.RoleOwner { // Owner can always do everything
+			return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "insufficient permissions"})
+		}
+
+		return c.Next()
+	}
+}
diff --git a/src/clients_portal/auth/repository/gorm_repo.go b/src/clients_portal/auth/repository/gorm_repo.go
new file mode 100644
index 0000000..574acd3
--- /dev/null
+++ b/src/clients_portal/auth/repository/gorm_repo.go
@@ -0,0 +1,65 @@
+package repository
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	"github.com/AzielCF/az-wap/clients_portal/auth/domain"
+	"gorm.io/gorm"
+)
+
+type GormAuthRepository struct {
+	db *gorm.DB
+}
+
+func NewGormAuthRepository(db *gorm.DB) *GormAuthRepository {
+	return &GormAuthRepository{db: db}
+}
+
+// AutoMigrate ensures the table exists
+func (r *GormAuthRepository) AutoMigrate() error {
+	return r.db.AutoMigrate(&domain.PortalUser{})
+}
+
+func (r *GormAuthRepository) Create(ctx context.Context, user *domain.PortalUser) error {
+	return r.db.WithContext(ctx).Create(user).Error
+}
+
+func (r *GormAuthRepository) GetByUsername(ctx context.Context, username string) (*domain.PortalUser, error) {
+	var user domain.PortalUser
+	err := r.db.WithContext(ctx).Where("username = ?", username).First(&user).Error
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, errors.New("user not found")
+	}
+	return &user, err
+}
+
+func (r *GormAuthRepository) GetByID(ctx context.Context, id string) (*domain.PortalUser, error) {
+	var user domain.PortalUser
+	err := r.db.WithContext(ctx).Where("id = ?", id).First(&user).Error
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, errors.New("user not found")
+	}
+	return &user, err
+}
+
+func (r *GormAuthRepository) UpdateLastLogin(ctx context.Context, id string) error {
+	now := time.Now()
+	// Use Updates for efficiency
+	return r.db.WithContext(ctx).Model(&domain.PortalUser{}).
+		Where("id = ?", id).
+		Updates(map[string]interface{}{
+			"last_login_at": now,
+			"updated_at":    now,
+		}).Error
+}
+
+func (r *GormAuthRepository) ListByClient(ctx context.Context, clientID string) ([]*domain.PortalUser, error) {
+	var users []*domain.PortalUser
+	err := r.db.WithContext(ctx).
+		Where("client_id = ?", clientID).
+		Order("created_at DESC").
+		Find(&users).Error
+	return users, err
+}
diff --git a/src/clients_portal/shared/security/jwt.go b/src/clients_portal/shared/security/jwt.go
new file mode 100644
index 0000000..447a3d9
--- /dev/null
+++ b/src/clients_portal/shared/security/jwt.go
@@ -0,0 +1,68 @@
+package security
+
+import (
+	"errors"
+	"time"
+
+	"github.com/AzielCF/az-wap/clients_portal/auth/domain"
+	"github.com/golang-jwt/jwt/v5"
+	"golang.org/x/crypto/bcrypt"
+)
+
+// TODO: Move key to .env
+var JwtSecretKey = []byte("super-secret-portal-key-change-me")
+
+type PortalClaims struct {
+	UserID   string            `json:"uid"`
+	ClientID string            `json:"cid"`
+	Role     domain.PortalRole `json:"role"`
+	jwt.RegisteredClaims
+}
+
+// GenerateToken creates a new JWT for the portal user
+func GenerateToken(userID, clientID string, role domain.PortalRole) (string, error) {
+	expirationTime := time.Now().Add(24 * time.Hour) // Token valid for 1 day
+
+	claims := &PortalClaims{
+		UserID:   userID,
+		ClientID: clientID,
+		Role:     role,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(expirationTime),
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+			Issuer:    "az-wap-portal",
+		},
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return token.SignedString(JwtSecretKey)
+}
+
+// ValidateToken parses and validates a JWT token
+func ValidateToken(tokenString string) (*PortalClaims, error) {
+	token, err := jwt.ParseWithClaims(tokenString, &PortalClaims{}, func(token *jwt.Token) (interface{}, error) {
+		return JwtSecretKey, nil
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	if claims, ok := token.Claims.(*PortalClaims); ok && token.Valid {
+		return claims, nil
+	}
+
+	return nil, errors.New("invalid token")
+}
+
+// HashPassword encrypts the password using bcrypt
+func HashPassword(password string) (string, error) {
+	bytes, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	return string(bytes), err
+}
+
+// CheckPasswordHash verifies if the password matches the hash
+func CheckPasswordHash(password, hash string) bool {
+	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
+	return err == nil
+}

From 9c055166c0c49b7164a83faa08efa1d3494ad74d Mon Sep 17 00:00:00 2001
From: Aziel <azielcruzado@gmail.com>
Date: Sun, 15 Feb 2026 13:03:32 -0500
Subject: [PATCH 02/12] feat(rest): initialize client portal authentication
 routes and middleware. Also add --basic-auth CLI flag support

---
 src/cmd/rest.go | 40 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/src/cmd/rest.go b/src/cmd/rest.go
index 21d3aaf..b522fca 100644
--- a/src/cmd/rest.go
+++ b/src/cmd/rest.go
@@ -8,7 +8,12 @@ import (
 	"syscall"
 	"time"
 
+	clientsRepo "github.com/AzielCF/az-wap/clients/repository"
+	portalAuthApp "github.com/AzielCF/az-wap/clients_portal/auth/application"
+	portalAuthInfra "github.com/AzielCF/az-wap/clients_portal/auth/infrastructure"
+	portalAuthRepo "github.com/AzielCF/az-wap/clients_portal/auth/repository"
 	coreconfig "github.com/AzielCF/az-wap/core/config"
+	coreDB "github.com/AzielCF/az-wap/core/database"
 	"github.com/AzielCF/az-wap/ui/rest"
 	"github.com/AzielCF/az-wap/ui/rest/middleware"
 	"github.com/AzielCF/az-wap/ui/websocket"
@@ -33,9 +38,15 @@ var restCmd = &cobra.Command{
 }
 
 func init() {
+	restCmd.Flags().String("basic-auth", "", "Basic auth for API (format: user:pass,user2:pass2)")
 	rootCmd.AddCommand(restCmd)
 }
-func restServer(_ *cobra.Command, _ []string) {
+func restServer(cmd *cobra.Command, _ []string) {
+	// Override basic auth if flag is provided
+	if baFlag, _ := cmd.Flags().GetString("basic-auth"); baFlag != "" {
+		coreconfig.Global.App.BasicAuth = strings.Split(baFlag, ",")
+	}
+
 	fiberConfig := fiber.Config{
 		EnableTrustedProxyCheck: true,
 		BodyLimit:               int(coreconfig.Global.Whatsapp.MaxVideoSize),
@@ -152,6 +163,33 @@ func restServer(_ *cobra.Command, _ []string) {
 	rest.InitRestMCP(apiGroup, mcpUsecase)
 	rest.InitRestHealth(apiGroup, healthUsecase)
 
+	// --- CLIENTS PORTAL (NEW) ---
+	// 1. Initialize Portal Auth Components
+	portalAuthRepository := portalAuthRepo.NewGormAuthRepository(coreDB.GlobalDB)
+	// Inject existing CRM Client Repository
+	crmClientRepo := clientsRepo.NewClientGormRepository(coreDB.GlobalDB)
+	// Auto-migrate portal users table
+	if err := portalAuthRepository.AutoMigrate(); err != nil {
+		logrus.Errorf("Failed to migrate portal tables: %v", err)
+	}
+
+	portalAuthService := portalAuthApp.NewAuthService(portalAuthRepository, crmClientRepo)
+	portalAuthHandler := portalAuthInfra.NewAuthHandler(portalAuthService)
+	portalAuthMiddleware := portalAuthInfra.NewAuthMiddleware(portalAuthRepository)
+
+	// 2. Create API Group for Portal (Isolated from Admin)
+	portalGroup := app.Group(coreconfig.Global.App.BasePath + "/api/portal")
+
+	// Public Portal Routes (Login)
+	portalGroup.Post("/login", portalAuthHandler.Login)
+	// TODO: Register should be protected or invitation-only, currently open for initial testing or move to admin
+	// portalGroup.Post("/register", portalAuthHandler.Register)
+
+	// Protected Portal Routes
+	portalProtected := portalGroup.Group("/")
+	portalProtected.Use(portalAuthMiddleware)
+	portalProtected.Get("/me", portalAuthHandler.Me) // Logged-in user profile
+
 	// Unified Monitoring System (Multi-server aware)
 	rest.InitRestMonitoring(apiGroup, monitorStore, workspaceManager, contextCacheStore)
 

From ffacb1f0db20078d7649f185fa0003bf9d46b2e1 Mon Sep 17 00:00:00 2001
From: Aziel <azielcruzado@gmail.com>
Date: Fri, 20 Feb 2026 08:56:16 -0500
Subject: [PATCH 03/12] feat(botengine): add variant specific configurations
 including tool access and capabilities

- Added \AllowedMCPs\, \Description\, and nullable capability flags to \BotVariant\ domain model
- Implemented \SanitizeVariants\ in Bot entity to discard unnamed variants and purge empty identifiers
- Updated Create and Update usecases to call \SanitizeVariants\ before persisting
- Refactored frontend \BotFormModal.vue\ to scope capability toggles and MCP server configurations per variant
- Introduced new variant selection and inheritance flows in the UI header
---
 src/botengine/application/bot.go              |   6 +
 src/botengine/domain/bot/bot.go               |  78 +-
 src/frontend/src/components/AppModal.vue      |   9 +-
 src/frontend/src/components/AppTabModal.vue   |   4 +
 .../src/components/bots/BotFormModal.vue      | 878 ++++++++++++++++++
 5 files changed, 964 insertions(+), 11 deletions(-)
 create mode 100644 src/frontend/src/components/bots/BotFormModal.vue

diff --git a/src/botengine/application/bot.go b/src/botengine/application/bot.go
index 2923878..ec25cca 100644
--- a/src/botengine/application/bot.go
+++ b/src/botengine/application/bot.go
@@ -112,8 +112,11 @@ func (s *botService) Create(ctx context.Context, req domainBot.CreateBotRequest)
 		ChatwootCredentialID: strings.TrimSpace(req.ChatwootCredentialID),
 		ChatwootBotToken:     strings.TrimSpace(req.ChatwootBotToken),
 		Whitelist:            req.Whitelist,
+		Variants:             req.Variants,
 	}
 
+	bot.SanitizeVariants()
+
 	if err := s.repo.Create(ctx, bot); err != nil {
 		return domainBot.Bot{}, err
 	}
@@ -209,6 +212,9 @@ func (s *botService) Update(ctx context.Context, id string, req domainBot.Update
 	updated.ChatwootCredentialID = strings.TrimSpace(req.ChatwootCredentialID)
 	updated.ChatwootBotToken = strings.TrimSpace(req.ChatwootBotToken)
 	updated.Whitelist = req.Whitelist
+	updated.Variants = req.Variants
+
+	updated.SanitizeVariants()
 
 	if err := s.repo.Update(ctx, updated); err != nil {
 		return domainBot.Bot{}, err
diff --git a/src/botengine/domain/bot/bot.go b/src/botengine/domain/bot/bot.go
index 40da8ad..ec33e54 100644
--- a/src/botengine/domain/bot/bot.go
+++ b/src/botengine/domain/bot/bot.go
@@ -2,6 +2,7 @@ package bot
 
 import (
 	"context"
+	"strings"
 
 	domainHealth "github.com/AzielCF/az-wap/domains/health"
 )
@@ -39,8 +40,23 @@ type Bot struct {
 	ChatwootCredentialID string `json:"chatwoot_credential_id,omitempty"`
 	ChatwootBotToken     string `json:"chatwoot_bot_token,omitempty"`
 	// New fields added
-	ChatwootCredential ChatwootCredential `json:"chatwoot_credential,omitempty"`
-	Whitelist          []string           `json:"whitelist,omitempty"`
+	ChatwootCredential ChatwootCredential    `json:"chatwoot_credential,omitempty"`
+	Whitelist          []string              `json:"whitelist,omitempty"`
+	Variants           map[string]BotVariant `json:"variants,omitempty"`
+}
+
+type BotVariant struct {
+	Name         string   `json:"name"`
+	Description  string   `json:"description,omitempty"`
+	SystemPrompt string   `json:"system_prompt"`
+	AllowedTools []string `json:"allowed_tools,omitempty"`
+	AllowedMCPs  []string `json:"allowed_mcps,omitempty"`
+
+	AudioEnabled    *bool `json:"audio_enabled,omitempty"`
+	ImageEnabled    *bool `json:"image_enabled,omitempty"`
+	VideoEnabled    *bool `json:"video_enabled,omitempty"`
+	DocumentEnabled *bool `json:"document_enabled,omitempty"`
+	MemoryEnabled   *bool `json:"memory_enabled,omitempty"`
 }
 
 type ChatwootCredential struct {
@@ -67,9 +83,10 @@ type CreateBotRequest struct {
 	MultimodalModel string `json:"multimodal_model"`
 	CredentialID    string `json:"credential_id"`
 	// Optional Chatwoot config
-	ChatwootCredentialID string   `json:"chatwoot_credential_id"`
-	ChatwootBotToken     string   `json:"chatwoot_bot_token"`
-	Whitelist            []string `json:"whitelist"`
+	ChatwootCredentialID string                `json:"chatwoot_credential_id"`
+	ChatwootBotToken     string                `json:"chatwoot_bot_token"`
+	Whitelist            []string              `json:"whitelist"`
+	Variants             map[string]BotVariant `json:"variants"`
 }
 
 type UpdateBotRequest struct {
@@ -91,9 +108,10 @@ type UpdateBotRequest struct {
 	MultimodalModel string `json:"multimodal_model"`
 	CredentialID    string `json:"credential_id"`
 	// Optional Chatwoot config
-	ChatwootCredentialID string   `json:"chatwoot_credential_id"`
-	ChatwootBotToken     string   `json:"chatwoot_bot_token"`
-	Whitelist            []string `json:"whitelist"`
+	ChatwootCredentialID string                `json:"chatwoot_credential_id"`
+	ChatwootBotToken     string                `json:"chatwoot_bot_token"`
+	Whitelist            []string              `json:"whitelist"`
+	Variants             map[string]BotVariant `json:"variants"`
 }
 
 type IBotUsecase interface {
@@ -106,3 +124,47 @@ type IBotUsecase interface {
 	SetHealthUsecase(h domainHealth.IHealthUsecase)
 	Shutdown()
 }
+
+func (b *Bot) SanitizeVariants() {
+	if b.Variants == nil {
+		return
+	}
+
+	cleaned := make(map[string]BotVariant)
+	for key, variant := range b.Variants {
+		name := strings.TrimSpace(variant.Name)
+		if name == "" {
+			continue // Ignorar variantes sin nombre
+		}
+
+		variant.Name = name
+		variant.Description = strings.TrimSpace(variant.Description)
+		variant.SystemPrompt = strings.TrimSpace(variant.SystemPrompt)
+
+		// Clean tools string slice
+		var validTools []string
+		for _, t := range variant.AllowedTools {
+			if trimmed := strings.TrimSpace(t); trimmed != "" {
+				validTools = append(validTools, trimmed)
+			}
+		}
+		variant.AllowedTools = validTools
+
+		// Clean mcps string slice
+		var validMCPs []string
+		for _, m := range variant.AllowedMCPs {
+			if trimmed := strings.TrimSpace(m); trimmed != "" {
+				validMCPs = append(validMCPs, trimmed)
+			}
+		}
+		variant.AllowedMCPs = validMCPs
+
+		cleaned[key] = variant
+	}
+
+	if len(cleaned) == 0 {
+		b.Variants = nil
+	} else {
+		b.Variants = cleaned
+	}
+}
diff --git a/src/frontend/src/components/AppModal.vue b/src/frontend/src/components/AppModal.vue
index b441179..7a65920 100644
--- a/src/frontend/src/components/AppModal.vue
+++ b/src/frontend/src/components/AppModal.vue
@@ -19,9 +19,12 @@ function close() {
   <div v-if="modelValue" class="modal modal-open backdrop-blur-md" role="dialog">
     <div class="modal-box p-0 bg-[#0f1219] border border-white/10 shadow-[0_40px_100px_rgba(0,0,0,0.9)] flex flex-col w-[calc(100%-2rem)] sm:w-full max-h-[calc(100dvh-4rem)] sm:max-h-[85vh] transition-all duration-300 pointer-events-auto" :class="maxWidth || 'max-w-md'">
       <!-- Professional Header -->
-      <header v-if="title" class="px-8 py-6 border-b border-white/5 flex items-center justify-between bg-white/[0.02] flex-none">
-        <h3 class="font-bold text-xl uppercase tracking-tight text-white">{{ title }}</h3>
-        <button class="btn btn-ghost btn-sm btn-square text-slate-500 hover:text-white hover:bg-white/5 transition-all" @click="close">
+      <header v-if="title || $slots['header-actions']" class="px-8 py-6 border-b border-white/5 flex items-center justify-between bg-white/[0.02] flex-none">
+        <div class="flex items-center gap-6 flex-wrap">
+            <h3 v-if="title" class="font-bold text-xl uppercase tracking-tight text-white m-0">{{ title }}</h3>
+            <slot name="header-actions"></slot>
+        </div>
+        <button class="btn btn-ghost btn-sm btn-square text-slate-500 hover:text-white hover:bg-white/5 transition-all ml-4 shrink-0" @click="close">
             <svg xmlns="http://www.w3.org/2000/svg" class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor"><path stroke-linecap="round" stroke-linejoin="round" stroke-width="2.5" d="M6 18L18 6M6 6l12 12" /></svg>
         </button>
       </header>
diff --git a/src/frontend/src/components/AppTabModal.vue b/src/frontend/src/components/AppTabModal.vue
index 74dda5f..0ad2864 100644
--- a/src/frontend/src/components/AppTabModal.vue
+++ b/src/frontend/src/components/AppTabModal.vue
@@ -33,6 +33,10 @@ function copyId(id: string) {
 
 <template>
   <AppModal :modelValue="modelValue" @update:modelValue="emit('update:modelValue', $event)" @close="emit('cancel')" :title="title" :maxWidth="maxWidth || 'max-w-6xl'" noPadding noScroll>
+    <template #header-actions>
+       <slot name="header-actions"></slot>
+    </template>
+    
     <div class="flex flex-col h-[calc(100dvh-4rem)] sm:h-[92vh] lg:h-[750px] w-full overflow-hidden bg-[#0b0e14]">
       <div class="flex flex-col lg:flex-row flex-1 overflow-hidden">
         <!-- Sidebar Navigation -->
diff --git a/src/frontend/src/components/bots/BotFormModal.vue b/src/frontend/src/components/bots/BotFormModal.vue
new file mode 100644
index 0000000..66e0f1f
--- /dev/null
+++ b/src/frontend/src/components/bots/BotFormModal.vue
@@ -0,0 +1,878 @@
+<script setup lang="ts">
+import { ref, watch, computed } from 'vue'
+import { useApi } from '@/composables/useApi'
+import AppTabModal from '@/components/AppTabModal.vue'
+import { 
+  Bot, 
+  Settings, 
+  Trash2, 
+  CheckCircle2, 
+  Fingerprint, 
+  Activity, 
+  Zap,
+  Lock,
+  Wrench,
+  Mic,
+  Image,
+  Video,
+  FileText,
+  Brain,
+  ShieldCheck,
+  Plus
+} from 'lucide-vue-next'
+
+const props = defineProps<{
+  modelValue: boolean
+  editingBot: any
+  credentials: any[]
+  availableModels: Record<string, any[]>
+}>()
+
+const emit = defineEmits(['update:modelValue', 'saved', 'clear-memory'])
+
+const api = useApi()
+
+const activeTab = ref('general')
+
+const newBot = ref({
+  name: '',
+  description: '',
+  system_prompt: '',
+  knowledge_base: '',
+  model: '',
+  api_key: '',
+  credential_id: '',
+  chatwoot_credential_id: '',
+  chatwoot_bot_token: '',
+  audio_enabled: true,
+  image_enabled: true,
+  video_enabled: false,
+  document_enabled: false,
+  memory_enabled: true,
+  mindset_model: '',
+  multimodal_model: '',
+  timezone: '',
+  provider: 'gemini',
+  variants: {} as Record<string, any>
+})
+
+const aiKinds = ['ai', 'gemini', 'openai', 'claude']
+const aiCredentials = computed(() => props.credentials.filter(c => aiKinds.includes(c.kind)))
+const chatwootCredentials = computed(() => props.credentials.filter(c => c.kind === 'chatwoot'))
+const multimodalModels = computed(() => {
+    const models = props.availableModels[newBot.value.provider] || []
+    return models.filter(m => m.is_multimodal)
+})
+
+// MCP Per Bot
+const botMCPServers = ref<any[]>([])
+const loadingBotMCPs = ref(false)
+const testingConnection = ref<Record<string, 'idle' | 'loading' | 'success' | 'error'>>({})
+const connectionMessages = ref<Record<string, string>>({})
+const botMCPServersSnapshot = ref<Record<string, string>>({})
+const botDataSnapshot = ref<string>('')
+const expandedServers = ref<string[]>([])
+
+const selectedVariant = ref<string>('') // '' means base bot
+
+const currentName = computed({
+  get() {
+    if (!selectedVariant.value) return newBot.value.name
+    return newBot.value.variants[selectedVariant.value]?.name || ''
+  },
+  set(val) {
+    if (!selectedVariant.value) newBot.value.name = val
+    else if (newBot.value.variants[selectedVariant.value]) {
+        newBot.value.variants[selectedVariant.value].name = val
+    }
+  }
+})
+
+const currentPrompt = computed({
+  get() {
+    if (!selectedVariant.value) return newBot.value.system_prompt
+    return newBot.value.variants[selectedVariant.value]?.system_prompt || ''
+  },
+  set(val) {
+    if (!selectedVariant.value) newBot.value.system_prompt = val
+    else if (newBot.value.variants[selectedVariant.value]) {
+        newBot.value.variants[selectedVariant.value].system_prompt = val
+    }
+  }
+})
+
+const currentDescription = computed({
+  get() {
+    if (!selectedVariant.value) return newBot.value.description
+    return newBot.value.variants[selectedVariant.value]?.description || ''
+  },
+  set(val) {
+    if (!selectedVariant.value) newBot.value.description = val
+    else if (newBot.value.variants[selectedVariant.value]) {
+        newBot.value.variants[selectedVariant.value].description = val
+    }
+  }
+})
+
+function createCapabilityProp(prop: 'memory_enabled' | 'audio_enabled' | 'image_enabled' | 'video_enabled' | 'document_enabled') {
+  return computed({
+    get() {
+      if (!selectedVariant.value) return newBot.value[prop]
+      const v = newBot.value.variants[selectedVariant.value]
+      return v && v[prop] !== undefined && v[prop] !== null ? v[prop] : newBot.value[prop]
+    },
+    set(val: boolean) {
+      if (!selectedVariant.value) {
+          (newBot.value as any)[prop] = val
+      } else if (newBot.value.variants[selectedVariant.value]) {
+          newBot.value.variants[selectedVariant.value][prop] = val
+      }
+    }
+  })
+}
+
+const currentMemoryEnabled = createCapabilityProp('memory_enabled')
+const currentAudioEnabled = createCapabilityProp('audio_enabled')
+const currentImageEnabled = createCapabilityProp('image_enabled')
+const currentVideoEnabled = createCapabilityProp('video_enabled')
+const currentDocumentEnabled = createCapabilityProp('document_enabled')
+
+function addVariant(inherit: boolean) {
+    const key = 'variant_' + Date.now()
+    if (!newBot.value.variants) {
+        newBot.value.variants = {}
+    }
+    
+    if (inherit) {
+        newBot.value.variants[key] = {
+            name: newBot.value.name + ' (Copy)',
+            description: newBot.value.description,
+            system_prompt: newBot.value.system_prompt,
+            allowed_tools: undefined, // Let it inherit all active tools initially
+            allowed_mcps: undefined // Let it inherit all active servers initially 
+        }
+    } else {
+        newBot.value.variants[key] = {
+            name: 'New Sub-Role',
+            description: '',
+            system_prompt: '',
+            allowed_tools: [],
+            allowed_mcps: [] 
+        }
+    }
+    selectedVariant.value = key
+}
+
+function deleteVariant(key: string) {
+    if (newBot.value.variants && newBot.value.variants[key]) {
+        delete newBot.value.variants[key]
+    }
+    if (selectedVariant.value === key) {
+        selectedVariant.value = ''
+    }
+}
+
+const modalTabs = computed(() => {
+    const baseTabs = [
+        { id: 'general', label: 'General Info', icon: Fingerprint },
+        { id: 'engine', label: 'Engine Logic', icon: Zap },
+        { id: 'auth', label: 'Authentication', icon: Lock },
+        { id: 'mcp', label: 'Capabilities (MCP)', icon: Wrench }
+    ]
+    if (selectedVariant.value !== '') {
+        return baseTabs.filter(t => t.id !== 'auth')
+    }
+    return baseTabs
+})
+
+watch(selectedVariant, (newVal) => {
+    if (newVal !== '' && activeTab.value === 'auth') {
+        activeTab.value = 'general'
+    }
+})
+
+// Watch for changes to initialize form
+watch(() => props.modelValue, (isOpen) => {
+    if (isOpen) {
+        initForm()
+        loadBotMCPs(props.editingBot?.id || null)
+    }
+})
+
+function initForm() {
+    activeTab.value = 'general'
+    selectedVariant.value = ''
+    if (props.editingBot) {
+        const bot = props.editingBot
+        newBot.value = {
+            name: bot.name,
+            description: bot.description,
+            system_prompt: bot.system_prompt,
+            knowledge_base: bot.knowledge_base || '',
+            model: bot.model || '',
+            api_key: bot.api_key || '',
+            credential_id: bot.credential_id || '',
+            chatwoot_credential_id: bot.chatwoot_credential_id || '',
+            chatwoot_bot_token: bot.chatwoot_bot_token || '',
+            audio_enabled: bot.audio_enabled !== false,
+            image_enabled: bot.image_enabled !== false,
+            video_enabled: !!bot.video_enabled,
+            document_enabled: !!bot.document_enabled,
+            memory_enabled: bot.memory_enabled !== false,
+            mindset_model: bot.mindset_model || '',
+            multimodal_model: bot.multimodal_model || '',
+            timezone: bot.timezone || '',
+            provider: bot.provider || 'gemini',
+            variants: bot.variants ? JSON.parse(JSON.stringify(bot.variants)) : {}
+        }
+    } else {
+        newBot.value = {
+            name: '',
+            description: '',
+            system_prompt: '',
+            knowledge_base: '',
+            model: '',
+            api_key: '',
+            credential_id: '',
+            chatwoot_credential_id: '',
+            chatwoot_bot_token: '',
+            audio_enabled: true,
+            image_enabled: true,
+            video_enabled: false,
+            document_enabled: false,
+            memory_enabled: true,
+            mindset_model: '',
+            multimodal_model: '',
+            timezone: '',
+            provider: 'gemini',
+            variants: {}
+        }
+    }
+    botDataSnapshot.value = JSON.stringify(newBot.value)
+}
+
+async function loadBotMCPs(botId: string | null) {
+  loadingBotMCPs.value = true
+  botMCPServers.value = []
+  expandedServers.value = []
+  try {
+    const endpoint = botId ? `/bots/${botId}/mcp` : '/mcp/servers'
+    const res = await api.get(endpoint)
+    const results = res.results || []
+    
+    botMCPServers.value = results.map((srv: any) => {
+      let headersMap: Record<string, string> = {}
+      if (srv.custom_headers) {
+        headersMap = { ...srv.custom_headers }
+      }
+      
+      if (srv.is_template && srv.template_config) {
+        Object.keys(srv.template_config).forEach(k => {
+          if (!headersMap[k]) headersMap[k] = ''
+        })
+      }
+
+      let urlVariables: Record<string, string> = {}
+      if (srv.url_variables) {
+        urlVariables = { ...srv.url_variables }
+      }
+      
+      const urlMatches = (srv.url || '').match(/\{([^}]+)\}/g)?.map((m: string) => m.slice(1, -1)) || []
+      urlMatches.forEach((key: string) => {
+          if (!urlVariables[key]) urlVariables[key] = ''
+      })
+
+      const missingHeaders = srv.is_template && srv.template_config && 
+                           Object.keys(srv.template_config).some(k => !headersMap[k] || headersMap[k].trim() === '');
+      const missingVars = urlMatches.some((k: string) => !urlVariables[k] || urlVariables[k].trim() === '');
+
+      const needsConfig = missingHeaders || missingVars;
+      
+      if (needsConfig && !expandedServers.value.includes(srv.id)) {
+        expandedServers.value.push(srv.id)
+      }
+
+      const mapped = { 
+        ...srv, 
+        headersMap,
+        urlVariables,
+        urlVarKeys: urlMatches,
+        botInstructions: srv.bot_instructions || '',
+        disabled_tools: srv.disabled_tools || []
+      }
+
+      botMCPServersSnapshot.value[srv.id] = getMCPCompareState(mapped)
+
+      return mapped
+    })
+  } catch (err) {
+    console.error('Failed to load MCPs', err)
+  } finally {
+    loadingBotMCPs.value = false
+  }
+}
+
+function getMCPCompareState(srv: any) {
+  return JSON.stringify({
+    enabled: !!srv.enabled,
+    disabled_tools: [...(srv.disabled_tools || [])].sort(),
+    custom_headers: Object.keys(srv.headersMap || {}).sort().reduce((obj: any, key) => {
+      obj[key] = srv.headersMap[key]
+      return obj
+    }, {}),
+    url_variables: Object.keys(srv.urlVariables || {}).sort().reduce((obj: any, key) => {
+        obj[key] = srv.urlVariables[key]
+        return obj
+    }, {}),
+    instructions: srv.botInstructions || ''
+  })
+}
+
+async function saveMCPPreference(server: any) {
+  if (!props.editingBot) return
+  const payload = {
+    enabled: server.enabled,
+    disabled_tools: server.disabled_tools || [],
+    custom_headers: server.headersMap,
+    url_variables: server.urlVariables,
+    instructions: server.botInstructions || ''
+  }
+  await api.put(`/bots/${props.editingBot.id}/mcp/${server.id}`, payload)
+}
+
+async function saveAllMCPPreferences(botId: string) {
+  const promises = botMCPServers.value
+    .filter(srv => {
+        const currentState = getMCPCompareState(srv)
+        return currentState !== botMCPServersSnapshot.value[srv.id]
+    })
+    .map(srv => {
+      const payload = {
+        enabled: srv.enabled,
+        disabled_tools: srv.disabled_tools || [],
+        custom_headers: srv.headersMap,
+        url_variables: srv.urlVariables,
+        instructions: srv.botInstructions || ''
+      }
+      return api.put(`/bots/${botId}/mcp/${srv.id}`, payload)
+    })
+  
+  if (promises.length > 0) {
+    await Promise.all(promises)
+    botMCPServers.value.forEach(srv => {
+      botMCPServersSnapshot.value[srv.id] = getMCPCompareState(srv)
+    })
+  }
+}
+
+async function testMCPConnection(server: any) {
+  if (!props.editingBot) return
+  testingConnection.value[server.id] = 'loading'
+  connectionMessages.value[server.id] = ''
+  
+  try {
+    await saveMCPPreference(server)
+    const res = await api.post(`/api/health/mcp/${server.id}/check`, {})
+    
+    if (res.results?.status === 'OK') {
+       testingConnection.value[server.id] = 'success'
+       connectionMessages.value[server.id] = 'Bridge verified and protocol synced.'
+    } else {
+       testingConnection.value[server.id] = 'error'
+       connectionMessages.value[server.id] = res.results?.last_message || 'MCP refused connection'
+    }
+  } catch (err) {
+    testingConnection.value[server.id] = 'error'
+    connectionMessages.value[server.id] = 'Failed to resolve MCP network bridge.'
+  } finally {
+    setTimeout(() => {
+        if (testingConnection.value[server.id] === 'success') {
+            testingConnection.value[server.id] = 'idle'
+        }
+    }, 5000)
+  }
+}
+
+function isServerEnabledForVariant(srvId: string) {
+  if (selectedVariant.value) {
+      const variant = newBot.value.variants[selectedVariant.value]
+      if (variant && variant.allowed_mcps !== undefined) {
+          return variant.allowed_mcps.includes(srvId)
+      }
+      return true // Defaults to inherited base server if undefined!
+  }
+  return false
+}
+
+function toggleServer(srv: any) {
+  if (selectedVariant.value) {
+      const variant = newBot.value.variants[selectedVariant.value]
+      if (variant.allowed_mcps === undefined) {
+          // Initialize active variant servers to all currently active base bot servers
+          const activeServers = botMCPServers.value.filter(s => s.enabled).map(s => s.id)
+          variant.allowed_mcps = [...activeServers]
+      }
+      
+      let allowed = [...variant.allowed_mcps]
+      if (allowed.includes(srv.id)) {
+          allowed = allowed.filter(id => id !== srv.id)
+      } else {
+          allowed.push(srv.id)
+      }
+      variant.allowed_mcps = allowed
+  } else {
+      srv.enabled = !srv.enabled
+  }
+}
+
+function toggleServerExpansion(id: string) {
+  if (expandedServers.value.includes(id)) {
+    expandedServers.value = expandedServers.value.filter(i => i !== id)
+  } else {
+    expandedServers.value.push(id)
+  }
+}
+
+function isToolDisabled(srv: any, toolName: string) {
+  if (selectedVariant.value) {
+     const variant = newBot.value.variants[selectedVariant.value]
+     if (variant && variant.allowed_tools) {
+         return !variant.allowed_tools.includes(toolName)
+     }
+     // Default for new variant is everything allowed (so not disabled) but we need to initialize
+     return false
+  }
+  return srv.disabled_tools?.includes(toolName)
+}
+
+function toggleToolForBot(srv: any, toolName: string) {
+  if (selectedVariant.value) {
+      const variant = newBot.value.variants[selectedVariant.value]
+      if (!variant.allowed_tools) {
+          // Initialize allowed tools to all tools if this is the first toggle
+          let allTools: string[] = []
+          botMCPServers.value.forEach(s => {
+              if (s.tools) {
+                 allTools.push(...s.tools.map((t: any) => t.name))
+              }
+          })
+          variant.allowed_tools = [...allTools]
+      }
+      
+      let allowed = [...variant.allowed_tools]
+      if (allowed.includes(toolName)) {
+          allowed = allowed.filter(t => t !== toolName)
+      } else {
+          allowed.push(toolName)
+      }
+      variant.allowed_tools = allowed
+      return
+  }
+
+  let disabled = [...(srv.disabled_tools || [])]
+  if (disabled.includes(toolName)) {
+    disabled = disabled.filter(t => t !== toolName)
+  } else {
+    disabled.push(toolName)
+  }
+  srv.disabled_tools = disabled
+}
+
+async function createBot() {
+  try {
+    let botId = props.editingBot?.id
+    if (props.editingBot) {
+      if (JSON.stringify(newBot.value) !== botDataSnapshot.value) {
+        await api.put(`/bots/${props.editingBot.id}`, newBot.value)
+        botDataSnapshot.value = JSON.stringify(newBot.value)
+      }
+    } else {
+      const res = await api.post('/bots', newBot.value)
+      botId = res?.results?.id
+    }
+
+    if (botId && botMCPServers.value.length > 0) {
+      await saveAllMCPPreferences(botId)
+    }
+
+    emit('saved')
+    closeModal()
+  } catch (err) {
+    alert('Failed to save bot template.')
+  }
+}
+
+function closeModal() {
+  emit('update:modelValue', false)
+}
+
+function clearMemory() {
+    if (props.editingBot) {
+        emit('clear-memory', props.editingBot.id)
+    }
+}
+</script>
+
+<template>
+  <AppTabModal 
+      :model-value="modelValue"
+      @update:model-value="emit('update:modelValue', $event)"
+      :title="editingBot ? 'Bot Configuration' : 'Compose Bot Identity'" 
+      maxWidth="max-w-[1240px]"
+      v-model:activeTab="activeTab"
+      :tabs="modalTabs"
+      :identity="{
+          name: editingBot ? editingBot.name : 'New Bot Identity',
+          subtitle: 'Identity Blueprint',
+          icon: Bot,
+          iconType: 'component'
+      }"
+      :saveText="editingBot ? 'Save Changes' : 'Create Identity'"
+      @save="createBot"
+      @cancel="closeModal"
+  >
+      <template #sidebar-bottom>
+          <div v-if="editingBot" class="pt-8 border-t border-white/5">
+              <button @click="clearMemory" class="btn-premium btn-premium-ghost text-red-400 hover:bg-red-500/10 hover:text-red-300 w-full btn-premium-sm border border-red-500/20">
+                  <Trash2 class="w-3.5 h-3.5 mr-2" />
+                  Flush Memory
+              </button>
+          </div>
+      </template>
+
+      <template #header-actions>
+          <div class="flex items-center gap-2 flex-nowrap bg-black/20 p-1.5 rounded-[2rem] border border-white/5">
+              <button 
+                  @click="selectedVariant = ''"
+                  class="px-4 py-2 rounded-[1.5rem] text-[11px] font-bold transition-all border shadow-sm flex items-center gap-2"
+                  :class="selectedVariant === '' ? 'bg-primary text-white border-primary/50 shadow-primary/20' : 'bg-transparent border-transparent text-slate-400 hover:text-white'"
+              >
+                  <Fingerprint class="w-3.5 h-3.5" />
+                  <span class="hidden sm:inline">Base Identity</span>
+              </button>
+              
+              <div v-if="newBot.variants && Object.keys(newBot.variants).length > 0" class="w-px h-5 bg-white/10 mx-1"></div>
+
+              <button 
+                  v-for="(vr, key) in (newBot.variants || {})" :key="key"
+                  @click="selectedVariant = key as string"
+                  class="px-4 py-2 rounded-[1.5rem] text-[11px] font-bold transition-all border group flex items-center gap-2 shadow-sm"
+                  :class="selectedVariant === key ? 'bg-indigo-500 text-white border-indigo-500/50 shadow-indigo-500/20' : 'bg-transparent border-transparent text-slate-400 hover:text-white'"
+              >
+                  <Bot class="w-3.5 h-3.5" />
+                  <span class="max-w-[80px] truncate hidden sm:inline">{{ vr.name || 'Unnamed' }}</span>
+                  <Trash2 
+                     @click.stop="deleteVariant(key as string)"
+                     class="w-3.5 h-3.5 ml-1 opacity-0 group-hover:opacity-100 transition-opacity hover:text-red-300 pointer-events-auto" 
+                  />
+              </button>
+              
+              <div class="dropdown dropdown-end">
+                  <div tabindex="0" role="button" class="btn btn-ghost btn-sm btn-circle text-slate-400 hover:text-white ml-1">
+                      <Plus class="w-5 h-5" />
+                  </div>
+                  <ul tabindex="0" class="dropdown-content z-[1] menu p-2 shadow-2xl bg-[#161a23] rounded-2xl w-48 border border-white/5 mt-2">
+                      <li class="menu-title px-4 py-2 text-[10px] text-slate-500 uppercase tracking-widest">New Sub-Role</li>
+                      <li><a @click="addVariant(true)" class="text-xs font-bold text-white hover:bg-white/5 rounded-xl py-3"><Brain class="w-3.5 h-3.5 text-primary mr-2"/> Inherit Base Config</a></li>
+                      <li><a @click="addVariant(false)" class="text-xs font-bold text-white hover:bg-white/5 rounded-xl py-3"><FileText class="w-3.5 h-3.5 text-slate-400 mr-2"/> Blank Scope</a></li>
+                  </ul>
+              </div>
+          </div>
+      </template>
+
+      <!-- TAB: General -->
+      <div v-if="activeTab === 'general'" class="space-y-10 animate-in fade-in slide-in-from-right-4">
+          <div class="section-title-premium text-primary/60 mt-2">
+              {{ selectedVariant === '' ? 'Core Definition' : 'Variant Definition' }}
+          </div>
+          <div class="grid grid-cols-2 gap-8">
+              <div class="form-control" :class="{ 'col-span-2': selectedVariant !== '' }">
+                  <label class="label-premium text-primary">{{ selectedVariant === '' ? 'Identity Name' : 'Sub-Role Name' }}</label>
+                  <input v-model="currentName" type="text" class="input-premium h-14 w-full text-lg font-black" :placeholder="selectedVariant === '' ? 'e.g. Sales Specialist' : 'e.g. Cashier'" />
+              </div>
+              <div class="form-control" v-if="selectedVariant === ''">
+                  <label class="label-premium">Description</label>
+                  <input v-model="currentDescription" type="text" class="input-premium h-14 w-full" placeholder="What is this bot for?" />
+              </div>
+          </div>
+          <div class="form-control -mt-6" v-if="selectedVariant !== ''">
+              <label class="label-premium">Variant Description</label>
+              <input v-model="currentDescription" type="text" class="input-premium h-14 w-full" placeholder="Internal note for this sub-role..." />
+          </div>
+
+          <div class="form-control mt-10">
+              <label class="label-premium flex items-center gap-2">
+                 {{ selectedVariant === '' ? 'Core Intelligence (System Prompt)' : 'Variant Override (System Prompt)' }}
+                 <span v-if="selectedVariant !== ''" class="px-2 py-0.5 rounded bg-indigo-500/10 text-indigo-400 text-[10px] uppercase font-black ml-2">Replaces Core Prompt</span>
+              </label>
+              <textarea v-model="currentPrompt" rows="8" class="input-premium w-full leading-relaxed text-sm p-6" placeholder="Define boundaries and mission..."></textarea>
+          </div>
+
+          <div class="form-control" v-if="selectedVariant === ''">
+              <label class="label-premium">Knowledge Context (RAG)</label>
+              <textarea v-model="newBot.knowledge_base" rows="5" class="input-premium w-full leading-relaxed text-sm p-6" placeholder="Add custom domain data..."></textarea>
+          </div>
+          
+          <div v-if="selectedVariant !== ''" class="p-6 bg-indigo-500/5 border border-indigo-500/10 rounded-2xl flex items-start gap-4">
+              <div class="w-8 h-8 rounded-full bg-indigo-500/10 flex items-center justify-center shrink-0">
+                  <Bot class="w-4 h-4 text-indigo-400" />
+              </div>
+              <div>
+                  <h4 class="text-sm font-bold text-indigo-400 mb-1">Sub-Role Mode Active</h4>
+                  <p class="text-xs text-slate-400 leading-relaxed">
+                      This system prompt will completely override the Base Identity's prompt when this variant is invoked dynamically via the API. The Base Identity's Engine capabilities, MCP tools, and Knowledge Context are still inherited unless restricted.
+                  </p>
+              </div>
+          </div>
+      </div>
+
+      <!-- TAB: Engine -->
+      <div v-if="activeTab === 'engine'" class="space-y-10 animate-in fade-in slide-in-from-right-4">
+          <template v-if="selectedVariant === ''">
+              <div class="section-title-premium text-primary/60">Model Selection</div>
+          <div class="grid grid-cols-2 gap-8">
+              <div class="form-control">
+                  <label class="label-premium">Engine Provider</label>
+                  <select v-model="newBot.provider" class="select-premium h-14 w-full text-sm font-bold uppercase transition-all">
+                      <option value="gemini">Google Gemini (Active)</option>
+                      <option value="openai">OpenAI (Experimental)</option>
+                      <option value="claude" disabled class="opacity-30">Claude (Soon)</option>
+                      <option value="ai">Legacy / Custom</option>
+                  </select>
+              </div>
+              <div class="form-control">
+                  <label class="label-premium">Core Logic Model</label>
+                  <select v-model="newBot.model" class="select-premium h-14 w-full text-sm font-bold uppercase transition-all">
+                      <option value="">(Inherit Provider Default)</option>
+                      <option v-for="m in availableModels[newBot.provider] || []" :key="m.id" :value="m.id">
+                          {{ m.name }} — {{ (m.avg_cost_in || m.avg_cost_out) ? `[$${m.avg_cost_in} / $${m.avg_cost_out}]` : '[--]' }}
+                      </option>
+                  </select>
+              </div>
+          </div>
+
+          <div class="grid grid-cols-2 gap-8 pt-8 border-t border-white/5">
+              <div class="form-control">
+                  <label class="label-premium">Mindset Analyzer</label>
+                  <select v-model="newBot.mindset_model" class="select-premium h-14 w-full text-sm font-bold uppercase">
+                      <option value="">(Inherit Logic / Lite Preferred)</option>
+                      <option v-for="m in availableModels[newBot.provider] || []" :key="m.id" :value="m.id">
+                          {{ m.name }} — {{ (m.avg_cost_in || m.avg_cost_out) ? `[$${m.avg_cost_in} / $${m.avg_cost_out}]` : '[--]' }}
+                      </option>
+                  </select>
+              </div>
+              <div class="form-control">
+                  <label class="label-premium">Vision/Multimodal Interpreter</label>
+                  <select v-model="newBot.multimodal_model" class="select-premium h-14 w-full text-sm font-bold uppercase">
+                      <option value="">(Vision Preferred)</option>
+                      <option v-for="m in multimodalModels" :key="m.id" :value="m.id">
+                          {{ m.name }} — {{ (m.avg_cost_in || m.avg_cost_out) ? `[$${m.avg_cost_in} / $${m.avg_cost_out}]` : '[--]' }}
+                      </option>
+                  </select>
+              </div>
+              </div>
+          </template>
+
+          <div class="section-title-premium text-primary/60" :class="{ 'mt-10': selectedVariant === '' }">
+              Capabilities {{ selectedVariant !== '' ? '(Variant Scope)' : '' }}
+          </div>
+          <div class="grid grid-cols-2 lg:grid-cols-5 gap-4">
+              <label class="flex items-center justify-between p-4 bg-[#161a23] border border-white/5 rounded-2xl cursor-pointer hover:border-primary transition-all group">
+                  <div class="flex items-center gap-2">
+                       <Brain class="w-4 h-4 text-slate-500 group-hover:text-primary transition-colors" />
+                       <span class="text-xs font-black uppercase text-slate-500 group-hover:text-slate-300">Memory</span>
+                  </div>
+                  <input type="checkbox" v-model="currentMemoryEnabled" class="toggle toggle-primary toggle-xs" />
+              </label>
+              <label class="flex items-center justify-between p-4 bg-[#161a23] border border-white/5 rounded-2xl cursor-pointer hover:border-primary transition-all group">
+                  <div class="flex items-center gap-2">
+                       <Mic class="w-4 h-4 text-slate-500 group-hover:text-primary transition-colors" />
+                       <span class="text-xs font-black uppercase text-slate-500 group-hover:text-slate-300">Audio</span>
+                  </div>
+                  <input type="checkbox" v-model="currentAudioEnabled" class="toggle toggle-primary toggle-xs" />
+              </label>
+              <label class="flex items-center justify-between p-4 bg-[#161a23] border border-white/5 rounded-2xl cursor-pointer hover:border-primary transition-all group">
+                  <div class="flex items-center gap-2">
+                       <Image class="w-4 h-4 text-slate-500 group-hover:text-primary transition-colors" />
+                       <span class="text-xs font-black uppercase text-slate-500 group-hover:text-slate-300">Vision</span>
+                  </div>
+                  <input type="checkbox" v-model="currentImageEnabled" class="toggle toggle-primary toggle-xs" />
+              </label>
+              <label class="flex items-center justify-between p-4 bg-[#161a23] border border-white/5 rounded-2xl cursor-pointer hover:border-indigo-400 transition-all group">
+                  <div class="flex items-center gap-2">
+                       <Video class="w-4 h-4 text-slate-500 group-hover:text-indigo-400 transition-colors" />
+                       <span class="text-xs font-black uppercase text-slate-500 group-hover:text-slate-300">Video</span>
+                  </div>
+                  <input type="checkbox" v-model="currentVideoEnabled" class="toggle toggle-info toggle-xs" />
+              </label>
+              <label class="flex items-center justify-between p-4 bg-[#161a23] border border-white/5 rounded-2xl cursor-pointer hover:border-amber-400 transition-all group">
+                  <div class="flex items-center gap-2">
+                       <FileText class="w-4 h-4 text-slate-500 group-hover:text-amber-400 transition-colors" />
+                       <span class="text-xs font-black uppercase text-slate-500 group-hover:text-slate-300">Docs</span>
+                  </div>
+                  <input type="checkbox" v-model="currentDocumentEnabled" class="toggle toggle-warning toggle-xs" />
+              </label>
+          </div>
+      </div>
+
+      <!-- TAB: Auth -->
+      <div v-if="activeTab === 'auth'" class="space-y-10 animate-in fade-in slide-in-from-right-4">
+          <div class="section-title-premium text-primary/60">Vaulted Credentials</div>
+          <div class="grid grid-cols-2 gap-8">
+              <div class="form-control">
+                  <label class="label-premium">AI Provider Key</label>
+                  <select v-model="newBot.credential_id" class="select-premium h-14 w-full text-sm font-bold uppercase">
+                      <option value="">(Manual Key Entry)</option>
+                      <option v-for="cred in aiCredentials" :key="cred.id" :value="cred.id">{{ cred.name }}</option>
+                  </select>
+              </div>
+              <div v-if="!newBot.credential_id" class="form-control">
+                  <label class="label-premium">Direct API Access Key</label>
+                  <input v-model="newBot.api_key" type="text" autocomplete="off" class="input-premium h-14 w-full font-mono text-xs" placeholder="Paste manual key..." />
+              </div>
+          </div>
+
+          <div class="grid grid-cols-2 gap-8 pt-10 border-t border-white/5">
+              <div class="form-control">
+                  <label class="label-premium">Chatwoot Credential</label>
+                  <select v-model="newBot.chatwoot_credential_id" class="select-premium h-14 w-full text-sm font-bold uppercase">
+                      <option value="">(None)</option>
+                      <option v-for="cred in chatwootCredentials" :key="cred.id" :value="cred.id">{{ cred.name }}</option>
+                  </select>
+              </div>
+              <div class="form-control">
+                  <label class="label-premium">Chatwoot Agent Token</label>
+                  <input v-model="newBot.chatwoot_bot_token" type="text" autocomplete="off" class="input-premium h-14 w-full font-mono text-xs" placeholder="Paste agent token..." />
+              </div>
+          </div>
+      </div>
+
+      <!-- TAB: MCP -->
+      <div v-if="activeTab === 'mcp'" class="space-y-10 animate-in fade-in slide-in-from-right-4">
+          <div class="section-title-premium text-primary/60 flex justify-between items-center mt-6">
+              Tool Access Registry {{ selectedVariant !== '' ? '(Variant Scope)' : '' }}
+              <span v-if="loadingBotMCPs" class="loading loading-spinner loading-xs"></span>
+          </div>
+          
+          <div v-if="selectedVariant !== ''" class="mb-4 p-4 bg-indigo-500/5 border border-indigo-500/10 rounded-2xl flex items-start gap-4">
+              <div class="w-6 h-6 rounded-full bg-indigo-500/10 flex items-center justify-center shrink-0">
+                  <Wrench class="w-3 h-3 text-indigo-400" />
+              </div>
+              <div>
+                  <h4 class="text-xs font-bold text-indigo-400 mb-1">Sub-Role Tool Scope</h4>
+                  <p class="text-[11px] text-slate-400 leading-relaxed">
+                      Toggle which tools THIS VARIANT explicitly has access to. When acting as this variant, the AI will only see the 'Allowed' tools you configure below.
+                  </p>
+              </div>
+          </div>
+
+          <div v-if="botMCPServers.length === 0" class="p-20 bg-white/[0.02] border border-dashed border-white/5 rounded-[2rem] text-center">
+              <p class="text-xs font-bold uppercase tracking-widest text-slate-600">No MCP Servers detected.</p>
+          </div>
+
+          <div v-else class="space-y-6">
+              <div v-for="srv in botMCPServers" :key="srv.id" 
+                   class="rounded-[2rem] bg-[#161a23] border transition-all"
+                   :class="srv.enabled ? 'border-primary/40' : 'border-white/5 opacity-60'">
+                  
+                  <div class="p-6 flex items-center justify-between">
+                      <div class="flex items-center gap-4">
+                           <div class="w-10 h-10 rounded-xl bg-white/5 flex items-center justify-center text-primary border border-white/10" :class="{ 'opacity-30 grayscale': selectedVariant !== '' }">
+                               <Zap class="w-5 h-5" />
+                           </div>
+                           <div class="flex flex-col" :class="{ 'opacity-30 grayscale': selectedVariant !== '' }">
+                               <div class="flex items-center gap-2">
+                                   <h6 class="text-xs font-black text-white uppercase tracking-tight">{{ srv.name }}</h6>
+                                   <div v-if="srv.is_template" class="px-1.5 py-0.5 rounded bg-amber-500/10 text-amber-500 text-xs font-black uppercase tracking-widest border border-amber-500/20">
+                                       Template
+                                   </div>
+                               </div>
+                               <span class="text-xs font-mono text-slate-600 truncate max-w-[200px]">{{ srv.url }}</span>
+                           </div>
+                      </div>
+                      <div class="flex items-center gap-4">
+               <button @click="toggleServerExpansion(srv.id)" 
+                                   class="btn-premium btn-premium-ghost btn-premium-sm px-4"
+                                   :class="{ 'bg-primary/20 text-primary border-primary/30': expandedServers.includes(srv.id) }">
+                               <Settings class="w-3 h-3" />
+                           </button>
+                           <input type="checkbox" :checked="selectedVariant !== '' ? isServerEnabledForVariant(srv.id) : srv.enabled" @change="toggleServer(srv)" class="toggle toggle-primary toggle-sm" />
+                       </div>
+                   </div>
+
+                  <div v-if="expandedServers.includes(srv.id)" class="px-6 pb-8 border-t border-white/5 pt-6 space-y-6">
+                      <div class="form-control">
+                          <label class="label-premium opacity-50">Local Instructions</label>
+                          <textarea v-model="srv.botInstructions" rows="2" class="input-premium w-full text-xs" placeholder="Guidelines for this bot..."></textarea>
+                      </div>
+
+                      <!-- Required Header Configuration for Templates -->
+                      <div v-if="(selectedVariant === '') && ((srv.is_template && srv.template_config && Object.keys(srv.template_config).length) || (srv.urlVarKeys && srv.urlVarKeys.length))" class="space-y-6 p-8 bg-amber-500/5 rounded-[2rem] border border-amber-500/10 shadow-xl">
+                          <div class="flex items-center gap-3 mb-2">
+                              <ShieldCheck class="w-4 h-4 text-amber-500" />
+                              <h5 class="text-xs font-black text-amber-500 uppercase tracking-widest">Required Configuration (Bot Specific)</h5>
+                          </div>
+                          
+                          <div class="grid grid-cols-1 gap-5">
+                              <!-- Dynamic URL Variables -->
+                              <div v-for="key in srv.urlVarKeys" :key="'var-'+key" class="form-control">
+                                  <label class="text-xs font-bold text-amber-500/50 uppercase ml-1 mb-2">Endpoint Variable: {{ key }}</label>
+                                  <input v-model="srv.urlVariables[key]" type="text" 
+                                         class="input-premium h-14 w-full bg-black/40 border-amber-500/10 text-xs text-white" 
+                                         :placeholder="'Value for {' + key + '}'" />
+                              </div>
+
+                              <div v-for="(help, key) in srv.template_config" :key="key" class="form-control">
+                                  <label class="text-xs font-bold text-amber-500/50 uppercase ml-1 mb-2">Header: {{ key }}</label>
+                                  <input v-model="srv.headersMap[key]" type="text" 
+                                         class="input-premium h-14 w-full bg-black/40 border-amber-500/10 text-xs text-white" 
+                                         :placeholder="help" />
+                              </div>
+                          </div>
+                          
+                           <div class="flex flex-col items-end gap-3 pt-2">
+                               <div v-if="connectionMessages[srv.id] && testingConnection[srv.id] === 'error'" 
+                                    class="text-xs font-bold uppercase tracking-widest text-error">
+                                   {{ connectionMessages[srv.id] }}
+                               </div>
+                               <div class="flex items-center gap-4">
+                                   <span class="text-xs font-bold text-slate-600 uppercase tracking-widest italic pr-2">Configurations will be saved with the blueprint</span>
+                                   <button @click="testMCPConnection(srv)" 
+                                           class="btn-premium btn-premium-ghost btn-premium-sm border-amber-500/20 px-6 transition-all"
+                                           :class="{
+                                              'text-amber-500 hover:bg-amber-500/10': testingConnection[srv.id] === 'idle' || !testingConnection[srv.id],
+                                              'text-success border-success/40 bg-success/5': testingConnection[srv.id] === 'success',
+                                              'text-error border-error/40 bg-error/5': testingConnection[srv.id] === 'error',
+                                              'opacity-50 cursor-wait': testingConnection[srv.id] === 'loading'
+                                           }"
+                                           :disabled="testingConnection[srv.id] === 'loading'">
+                                       <span v-if="testingConnection[srv.id] === 'loading'" class="loading loading-spinner loading-xs mr-2"></span>
+                                       <CheckCircle2 v-else-if="testingConnection[srv.id] === 'success'" class="w-3 h-3 mr-2" />
+                                       <Activity v-else class="w-3 h-3 mr-2" />
+                                       {{ testingConnection[srv.id] === 'success' ? 'Verified' : testingConnection[srv.id] === 'error' ? 'Retry Test' : 'Test Configuration' }}
+                                   </button>
+                               </div>
+                           </div>
+                      </div>
+
+                      <div v-if="srv.tools && srv.tools.length" class="grid grid-cols-1 md:grid-cols-2 gap-3">
+                          <div v-for="tool in srv.tools" :key="tool.name" 
+                               @click="toggleToolForBot(srv, tool.name)"
+                               class="flex items-center justify-between p-4 bg-black/20 border border-white/5 rounded-2xl cursor-pointer hover:bg-black/40 transition-all"
+                               :class="{ 'opacity-40 grayscale': isToolDisabled(srv, tool.name) }">
+                              <div class="flex items-center gap-3">
+                                  <Zap class="w-3 h-3 text-primary" />
+                                  <span class="text-xs font-black text-white uppercase">{{ tool.name }}</span>
+                              </div>
+                              <div class="w-5 h-5 rounded-lg flex items-center justify-center border border-white/10"
+                                   :class="!isToolDisabled(srv, tool.name) ? 'bg-primary text-white' : 'bg-transparent text-transparent'">
+                                  <CheckCircle2 class="w-3 h-3" />
+                              </div>
+                          </div>
+                      </div>
+                  </div>
+              </div>
+          </div>
+      </div>
+  </AppTabModal>
+</template>

From 006aede959c5060d5b287469bca057f4028eda7b Mon Sep 17 00:00:00 2001
From: Aziel <azielcruzado@gmail.com>
Date: Fri, 20 Feb 2026 09:04:04 -0500
Subject: [PATCH 04/12] feat(botengine): update gorm repository for BotVariant
 changes

---
 src/.env.example                     |  8 +++++++-
 src/botengine/repository/bot_gorm.go | 29 +++++++++++++++-------------
 2 files changed, 23 insertions(+), 14 deletions(-)

diff --git a/src/.env.example b/src/.env.example
index 3fb9aee..b6c3f16 100644
--- a/src/.env.example
+++ b/src/.env.example
@@ -25,4 +25,10 @@ VALKEY_PASSWORD=
 # Valkey database index (0-15 for standalone mode)
 VALKEY_DB=0
 # Key prefix for namespacing (useful for multi-tenant setups)
-VALKEY_KEY_PREFIX=azwap:
\ No newline at end of file
+VALKEY_KEY_PREFIX=azwap:
+
+# Portal Settings
+# Master key for internal services (Bots/Admin) to generate Magic Links
+PORTAL_INTERNAL_KEY=your_super_secret_internal_key_here
+# Shared secret for Portal JWT signing (should be different from APP_SECRET_KEY for isolation)
+PORTAL_JWT_SECRET=your_portal_specific_jwt_secret_here
\ No newline at end of file
diff --git a/src/botengine/repository/bot_gorm.go b/src/botengine/repository/bot_gorm.go
index 3b7fc26..29f03cb 100644
--- a/src/botengine/repository/bot_gorm.go
+++ b/src/botengine/repository/bot_gorm.go
@@ -23,19 +23,20 @@ type botModel struct {
 	Model                string
 	SystemPrompt         string
 	KnowledgeBase        string
-	AudioEnabled         bool           `gorm:"column:audio_enabled;not null;default:false"`
-	ImageEnabled         bool           `gorm:"column:image_enabled;not null;default:false"`
-	VideoEnabled         bool           `gorm:"column:video_enabled;not null;default:false"`
-	DocumentEnabled      bool           `gorm:"column:document_enabled;not null;default:false"`
-	MemoryEnabled        bool           `gorm:"column:memory_enabled;not null;default:false"`
-	MindsetModel         sql.NullString `gorm:"column:mindset_model"`
-	MultimodalModel      sql.NullString `gorm:"column:multimodal_model"`
-	CredentialID         sql.NullString `gorm:"column:credential_id"`
-	ChatwootCredentialID sql.NullString `gorm:"column:chatwoot_credential_id"`
-	ChatwootBotToken     sql.NullString `gorm:"column:chatwoot_bot_token"`
-	Whitelist            sql.NullString `gorm:"column:whitelist"` // CSV string
-	CreatedAt            time.Time      `gorm:"autoCreateTime"`
-	UpdatedAt            time.Time      `gorm:"autoUpdateTime"`
+	AudioEnabled         bool                            `gorm:"column:audio_enabled;not null;default:false"`
+	ImageEnabled         bool                            `gorm:"column:image_enabled;not null;default:false"`
+	VideoEnabled         bool                            `gorm:"column:video_enabled;not null;default:false"`
+	DocumentEnabled      bool                            `gorm:"column:document_enabled;not null;default:false"`
+	MemoryEnabled        bool                            `gorm:"column:memory_enabled;not null;default:false"`
+	MindsetModel         sql.NullString                  `gorm:"column:mindset_model"`
+	MultimodalModel      sql.NullString                  `gorm:"column:multimodal_model"`
+	CredentialID         sql.NullString                  `gorm:"column:credential_id"`
+	ChatwootCredentialID sql.NullString                  `gorm:"column:chatwoot_credential_id"`
+	ChatwootBotToken     sql.NullString                  `gorm:"column:chatwoot_bot_token"`
+	Whitelist            sql.NullString                  `gorm:"column:whitelist"` // CSV string
+	Variants             map[string]domainBot.BotVariant `gorm:"serializer:json"`
+	CreatedAt            time.Time                       `gorm:"autoCreateTime"`
+	UpdatedAt            time.Time                       `gorm:"autoUpdateTime"`
 }
 
 // TableName especifica el nombre de la tabla para GORM.
@@ -126,6 +127,7 @@ func toBotModel(b domainBot.Bot) botModel {
 		ChatwootCredentialID: sql.NullString{String: b.ChatwootCredentialID, Valid: b.ChatwootCredentialID != ""},
 		ChatwootBotToken:     sql.NullString{String: b.ChatwootBotToken, Valid: b.ChatwootBotToken != ""},
 		Whitelist:            sql.NullString{String: strings.Join(b.Whitelist, ","), Valid: len(b.Whitelist) > 0},
+		Variants:             b.Variants,
 	}
 }
 
@@ -157,6 +159,7 @@ func fromBotModel(m botModel) domainBot.Bot {
 		ChatwootCredentialID: nullStringValue(m.ChatwootCredentialID),
 		ChatwootBotToken:     nullStringValue(m.ChatwootBotToken),
 		Whitelist:            whitelist,
+		Variants:             m.Variants,
 	}
 }
 

From 8256766c884a161084592b8e305ee576c3d5ab03 Mon Sep 17 00:00:00 2001
From: Aziel <azielcruzado@gmail.com>
Date: Fri, 20 Feb 2026 09:08:25 -0500
Subject: [PATCH 05/12] refactor(frontend): extract BotsView logic into
 separate components

- Moved global settings modal logic into \GlobalSettingsModal.vue\
- Extracted bot list header UI into \header.vue\
- Cleaned up \BotsView.vue\ to use the new child components
---
 .../components/bots/GlobalSettingsModal.vue   |  91 +++
 src/frontend/src/components/bots/header.vue   |  31 +
 src/frontend/src/views/BotsView.vue           | 675 +-----------------
 3 files changed, 143 insertions(+), 654 deletions(-)
 create mode 100644 src/frontend/src/components/bots/GlobalSettingsModal.vue
 create mode 100644 src/frontend/src/components/bots/header.vue

diff --git a/src/frontend/src/components/bots/GlobalSettingsModal.vue b/src/frontend/src/components/bots/GlobalSettingsModal.vue
new file mode 100644
index 0000000..763b2b4
--- /dev/null
+++ b/src/frontend/src/components/bots/GlobalSettingsModal.vue
@@ -0,0 +1,91 @@
+<script setup lang="ts">
+import { ref } from 'vue'
+import AppModal from '@/components/AppModal.vue'
+import { Zap, Globe, Clock, Activity, Type } from 'lucide-vue-next'
+
+const props = defineProps<{
+  modelValue: boolean
+  settings: {
+    global_system_prompt: string
+    timezone: string
+    debounce_ms: number
+    wait_contact_idle_ms: number
+    typing_enabled: boolean
+  }
+}>()
+
+const emit = defineEmits(['update:modelValue', 'update:settings', 'save'])
+
+const timezones = [
+  { value: 'UTC', label: '(Use server default / UTC)' },
+  { value: 'America/Bogota', label: 'America/Bogota' },
+  { value: 'America/Lima', label: 'America/Lima' },
+  { value: 'America/Mexico_City', label: 'America/Mexico_City' },
+  { value: 'America/Santo_Domingo', label: 'America/Santo_Domingo (República Dominicana)' },
+  { value: 'America/Santiago', label: 'America/Santiago' },
+  { value: 'America/Argentina/Buenos_Aires', label: 'America/Argentina/Buenos_Aires' },
+  { value: 'America/Los_Angeles', label: 'America/Los_Angeles' },
+  { value: 'America/New_York', label: 'America/New_York' },
+  { value: 'Europe/Madrid', label: 'Europe/Madrid' },
+  { value: 'Europe/London', label: 'Europe/London' }
+]
+
+function emitSettingUpdate(key: string, value: any) {
+    emit('update:settings', { ...props.settings, [key]: value })
+}
+</script>
+
+<template>
+    <AppModal 
+      :model-value="modelValue" 
+      @update:model-value="emit('update:modelValue', $event)" 
+      title="Engine Global Override" 
+      maxWidth="max-w-xl"
+    >
+        <div class="space-y-8 py-4">
+            <div class="form-control">
+                <div class="flex items-center gap-2 mb-2">
+                    <Zap class="w-3 h-3 text-primary" />
+                    <label class="label-premium mb-0">Master System Prompt</label>
+                </div>
+                <textarea :value="settings.global_system_prompt" @input="emitSettingUpdate('global_system_prompt', ($event.target as HTMLTextAreaElement).value)" rows="5" class="input-premium w-full min-h-[120px] leading-relaxed text-sm" placeholder="Universal laws..."></textarea>
+            </div>
+            <div class="form-control">
+                <div class="flex items-center gap-2 mb-2">
+                    <Globe class="w-3 h-3 text-slate-400" />
+                    <label class="label-premium mb-0">AI Timezone (IANA)</label>
+                </div>
+                <select :value="settings.timezone" @change="emitSettingUpdate('timezone', ($event.target as HTMLSelectElement).value)" class="select-premium h-14 w-full text-sm font-bold uppercase">
+                    <option v-for="tz in timezones" :key="tz.value" :value="tz.value">{{ tz.label }}</option>
+                </select>
+            </div>
+            <div class="grid grid-cols-2 gap-6">
+                <div class="form-control">
+                    <div class="flex items-center gap-2 mb-2">
+                        <Clock class="w-3 h-3 text-primary" />
+                        <label class="label-premium mb-0">Response Delay (ms)</label>
+                    </div>
+                    <input :value="settings.debounce_ms" @input="emitSettingUpdate('debounce_ms', Number(($event.target as HTMLInputElement).value))" type="number" class="input-premium h-14 w-full font-mono text-sm" />
+                </div>
+                <div class="form-control">
+                    <div class="flex items-center gap-2 mb-2">
+                        <Activity class="w-3 h-3 text-primary" />
+                        <label class="label-premium mb-0">Idle Check (ms)</label>
+                    </div>
+                    <input :value="settings.wait_contact_idle_ms" @input="emitSettingUpdate('wait_contact_idle_ms', Number(($event.target as HTMLInputElement).value))" type="number" class="input-premium h-14 w-full font-mono text-sm" />
+                </div>
+            </div>
+            <label class="flex items-center justify-between h-14 bg-[#161a23] border border-white/10 rounded-xl px-6 cursor-pointer hover:border-success/40 transition-colors">
+                <div class="flex items-center gap-3">
+                    <Type class="w-4 h-4 text-success" />
+                    <span class="text-xs font-black uppercase tracking-widest text-slate-400">Emulate Typing</span>
+                </div>
+                <input type="checkbox" :checked="settings.typing_enabled" @change="emitSettingUpdate('typing_enabled', ($event.target as HTMLInputElement).checked)" class="toggle toggle-success" />
+            </label>
+        </div>
+        <template #actions>
+            <button class="btn-premium btn-premium-ghost px-8" @click="emit('update:modelValue', false)">Discard</button>
+            <button class="btn-premium btn-premium-success px-12" @click="emit('save')">Propagate Changes</button>
+        </template>
+    </AppModal>
+</template>
diff --git a/src/frontend/src/components/bots/header.vue b/src/frontend/src/components/bots/header.vue
new file mode 100644
index 0000000..8d40091
--- /dev/null
+++ b/src/frontend/src/components/bots/header.vue
@@ -0,0 +1,31 @@
+<script setup lang="ts">
+import AppPageHeader from '@/components/AppPageHeader.vue'
+import { Plus, Settings, Cpu } from 'lucide-vue-next'
+
+const emit = defineEmits<{
+  (e: 'openSettings'): void
+  (e: 'openAdd'): void
+}>()
+</script>
+
+<template>
+    <AppPageHeader title="Bots">
+      <template #breadcrumb>
+        <Cpu class="w-4 h-4 text-primary shrink-0" />
+        <span class="text-xs font-black uppercase tracking-widest text-primary">Automation Logic</span>
+        <span class="opacity-30 text-xs font-black text-slate-500">/</span>
+        <span class="text-xs font-bold uppercase tracking-widest text-slate-500">Identity Blueprints</span>
+      </template>
+
+      <template #actions>
+        <button class="btn-premium btn-premium-ghost px-8" @click="emit('openSettings')">
+           <Settings class="w-4 h-4" />
+           Engine Configuration
+        </button>
+        <button class="btn-premium btn-premium-primary px-16 h-14 w-full lg:w-auto" @click="emit('openAdd')">
+             <Plus class="w-5 h-5 mr-2" />
+             Compose Template
+        </button>
+      </template>
+    </AppPageHeader>
+</template>
\ No newline at end of file
diff --git a/src/frontend/src/views/BotsView.vue b/src/frontend/src/views/BotsView.vue
index e0b8517..0b11f99 100644
--- a/src/frontend/src/views/BotsView.vue
+++ b/src/frontend/src/views/BotsView.vue
@@ -3,31 +3,20 @@
 import { ref, onMounted, computed } from 'vue'
 import { useApi } from '@/composables/useApi'
 import AppTabModal from '@/components/AppTabModal.vue'
-import AppPageHeader from '@/components/AppPageHeader.vue'
+import BotsHeader from '@/components/bots/header.vue'
+import GlobalSettingsModal from '@/components/bots/GlobalSettingsModal.vue'
+import BotFormModal from '@/components/bots/BotFormModal.vue'
 import AppModal from '@/components/AppModal.vue'
 import ConfirmationDialog from '@/components/ConfirmationDialog.vue'
 import { 
   Bot, 
-  Settings, 
-  Plus, 
-  Cpu, 
   Trash2, 
   Edit3, 
-  CheckCircle2, 
-  Fingerprint, 
-  Activity, 
-  Globe, 
-  Clock, 
-  Type,
-  Zap,
-  Lock,
-  Wrench,
   Mic,
   Image,
   Video,
   FileText,
   Brain,
-  ShieldCheck,
   Search
 } from 'lucide-vue-next'
 
@@ -47,60 +36,15 @@ const globalSettings = ref({
   typing_enabled: true
 })
 
-const timezones = [
-  { value: 'UTC', label: '(Use server default / UTC)' },
-  { value: 'America/Bogota', label: 'America/Bogota' },
-  { value: 'America/Lima', label: 'America/Lima' },
-  { value: 'America/Mexico_City', label: 'America/Mexico_City' },
-  { value: 'America/Santo_Domingo', label: 'America/Santo_Domingo (República Dominicana)' },
-  { value: 'America/Santiago', label: 'America/Santiago' },
-  { value: 'America/Argentina/Buenos_Aires', label: 'America/Argentina/Buenos_Aires' },
-  { value: 'America/Los_Angeles', label: 'America/Los_Angeles' },
-  { value: 'America/New_York', label: 'America/New_York' },
-  { value: 'Europe/Madrid', label: 'Europe/Madrid' },
-  { value: 'Europe/London', label: 'Europe/London' }
-]
+ // timezones removed to component
 
 const aiKinds = ['ai', 'gemini', 'openai', 'claude']
 const aiCredentials = computed(() => credentials.value.filter(c => aiKinds.includes(c.kind)))
 const chatwootCredentials = computed(() => credentials.value.filter(c => c.kind === 'chatwoot'))
-const multimodalModels = computed(() => {
-    const models = availableModels.value[newBot.value.provider] || []
-    return models.filter(m => m.is_multimodal)
-})
 
-// Bot Management
+// Modal state
 const showAddBot = ref(false)
 const editingBot = ref<any>(null)
-const newBot = ref({
-  name: '',
-  description: '',
-  system_prompt: '',
-  knowledge_base: '',
-  model: '',
-  api_key: '',
-  credential_id: '',
-  chatwoot_credential_id: '',
-  chatwoot_bot_token: '',
-  audio_enabled: true,
-  image_enabled: true,
-  video_enabled: false,
-  document_enabled: false,
-  memory_enabled: true,
-  mindset_model: '',
-  multimodal_model: '',
-  timezone: '',
-  provider: 'gemini'
-})
-
-// MCP Per Bot
-const botMCPServers = ref<any[]>([])
-const loadingBotMCPs = ref(false)
-const testingConnection = ref<Record<string, 'idle' | 'loading' | 'success' | 'error'>>({})
-const connectionMessages = ref<Record<string, string>>({})
-const botMCPServersSnapshot = ref<Record<string, string>>({})
-const botDataSnapshot = ref<string>('')
-const expandedServers = ref<string[]>([])
 
 // Confirmation State
 const confirmModal = ref({
@@ -154,184 +98,6 @@ async function loadData() {
   }
 }
 
-async function loadBotMCPs(botId: string | null) {
-  loadingBotMCPs.value = true
-  botMCPServers.value = []
-  try {
-    const endpoint = botId ? `/bots/${botId}/mcp` : '/mcp/servers'
-    const res = await api.get(endpoint)
-    const results = res.results || []
-    
-    botMCPServers.value = results.map((srv: any) => {
-      let headersMap: Record<string, string> = {}
-      if (srv.custom_headers) {
-        headersMap = { ...srv.custom_headers }
-      }
-      
-      // If it's a global server (not from /bots/:id/mcp), results might have different structure
-      // or missing bot-specific fields. We normalize them here.
-      if (srv.is_template && srv.template_config) {
-        Object.keys(srv.template_config).forEach(k => {
-          if (!headersMap[k]) headersMap[k] = ''
-        })
-      }
-
-      let urlVariables: Record<string, string> = {}
-      if (srv.url_variables) {
-        urlVariables = { ...srv.url_variables }
-      }
-      
-      // Extract variables from URL pattern: {varName}
-      const urlMatches = (srv.url || '').match(/\{([^}]+)\}/g)?.map((m: string) => m.slice(1, -1)) || []
-      urlMatches.forEach((key: string) => {
-          if (!urlVariables[key]) urlVariables[key] = ''
-      })
-
-      // Logic: Auto-expand if it's a template and missing required headers OR variables
-      const missingHeaders = srv.is_template && srv.template_config && 
-                           Object.keys(srv.template_config).some(k => !headersMap[k] || headersMap[k].trim() === '');
-      const missingVars = urlMatches.some((k: string) => !urlVariables[k] || urlVariables[k].trim() === '');
-
-      const needsConfig = missingHeaders || missingVars;
-      
-      if (needsConfig && !expandedServers.value.includes(srv.id)) {
-        expandedServers.value.push(srv.id)
-      }
-
-      const mapped = { 
-        ...srv, 
-        headersMap,
-        urlVariables, // New state
-        urlVarKeys: urlMatches, // For UI iteration
-        botInstructions: srv.bot_instructions || '',
-        disabled_tools: srv.disabled_tools || []
-      }
-
-      // Store snapshot for change detection
-      botMCPServersSnapshot.value[srv.id] = getMCPCompareState(mapped)
-
-      return mapped
-    })
-  } catch (err) {
-    console.error('Failed to load MCPs', err)
-  } finally {
-    loadingBotMCPs.value = false
-  }
-}
-
-async function saveMCPPreference(server: any) {
-  if (!editingBot.value) return
-  const payload = {
-    enabled: server.enabled,
-    disabled_tools: server.disabled_tools || [],
-    custom_headers: server.headersMap,
-    url_variables: server.urlVariables,
-    instructions: server.botInstructions || ''
-  }
-  await api.put(`/bots/${editingBot.value.id}/mcp/${server.id}`, payload)
-}
-
-function getMCPCompareState(srv: any) {
-  return JSON.stringify({
-    enabled: !!srv.enabled,
-    disabled_tools: [...(srv.disabled_tools || [])].sort(),
-    custom_headers: Object.keys(srv.headersMap || {}).sort().reduce((obj: any, key) => {
-      obj[key] = srv.headersMap[key]
-      return obj
-    }, {}),
-    url_variables: Object.keys(srv.urlVariables || {}).sort().reduce((obj: any, key) => {
-        obj[key] = srv.urlVariables[key]
-        return obj
-    }, {}),
-    instructions: srv.botInstructions || ''
-  })
-}
-
-async function saveAllMCPPreferences(botId: string) {
-  const promises = botMCPServers.value
-    .filter(srv => {
-        const currentState = getMCPCompareState(srv)
-        return currentState !== botMCPServersSnapshot.value[srv.id]
-    })
-    .map(srv => {
-      const payload = {
-        enabled: srv.enabled,
-        disabled_tools: srv.disabled_tools || [],
-        custom_headers: srv.headersMap,
-        url_variables: srv.urlVariables,
-        instructions: srv.botInstructions || ''
-      }
-      return api.put(`/bots/${botId}/mcp/${srv.id}`, payload)
-    })
-  
-  if (promises.length > 0) {
-    await Promise.all(promises)
-    // Update snapshots after successful save to avoid redundant saves if modal stays open
-    botMCPServers.value.forEach(srv => {
-      botMCPServersSnapshot.value[srv.id] = getMCPCompareState(srv)
-    })
-  }
-}
-
-async function testMCPConnection(server: any) {
-  if (!editingBot.value) return
-  testingConnection.value[server.id] = 'loading'
-  connectionMessages.value[server.id] = ''
-  
-  try {
-    // 1. Save preferences first to ensure API has latest context
-    await saveMCPPreference(server)
-    
-    // 2. Trigger health check via unified health endpoint
-    const res = await api.post(`/api/health/mcp/${server.id}/check`, {})
-    
-    if (res.results?.status === 'OK') {
-       testingConnection.value[server.id] = 'success'
-       connectionMessages.value[server.id] = 'Bridge verified and protocol synced.'
-    } else {
-       testingConnection.value[server.id] = 'error'
-       connectionMessages.value[server.id] = res.results?.last_message || 'MCP refused connection'
-    }
-  } catch (err) {
-    testingConnection.value[server.id] = 'error'
-    connectionMessages.value[server.id] = 'Failed to resolve MCP network bridge.'
-  } finally {
-    // Keep the success/error state for a few seconds before resetting to idle if needed
-    // or just leave it until the user interacts again.
-    setTimeout(() => {
-        if (testingConnection.value[server.id] === 'success') {
-            testingConnection.value[server.id] = 'idle'
-        }
-    }, 5000)
-  }
-}
-
-function toggleMCPForBot(server: any) {
-  server.enabled = !server.enabled
-}
-
-function toggleServerExpansion(id: string) {
-  if (expandedServers.value.includes(id)) {
-    expandedServers.value = expandedServers.value.filter(i => i !== id)
-  } else {
-    expandedServers.value.push(id)
-  }
-}
-
-function isToolDisabled(srv: any, toolName: string) {
-  return srv.disabled_tools?.includes(toolName)
-}
-
-function toggleToolForBot(srv: any, toolName: string) {
-  let disabled = [...(srv.disabled_tools || [])]
-  if (disabled.includes(toolName)) {
-    disabled = disabled.filter(t => t !== toolName)
-  } else {
-    disabled.push(toolName)
-  }
-  srv.disabled_tools = disabled
-}
-
 async function saveGlobalSettings() {
   try {
     await api.put('/settings/ai', globalSettings.value)
@@ -341,31 +107,6 @@ async function saveGlobalSettings() {
   }
 }
 
-async function createBot() {
-  try {
-    let botId = editingBot.value?.id
-    if (editingBot.value) {
-      if (JSON.stringify(newBot.value) !== botDataSnapshot.value) {
-        await api.put(`/bots/${editingBot.value.id}`, newBot.value)
-        botDataSnapshot.value = JSON.stringify(newBot.value)
-      }
-    } else {
-      const res = await api.post('/bots', newBot.value)
-      botId = res?.results?.id
-    }
-
-    if (botId && botMCPServers.value.length > 0) {
-      await saveAllMCPPreferences(botId)
-    }
-
-    showAddBot.value = false
-    resetForm()
-    await loadData()
-  } catch (err) {
-    alert('Failed to save bot template.')
-  }
-}
-
 async function deleteBot(id: string) {
   confirmModal.value = {
       show: true,
@@ -404,62 +145,12 @@ async function clearBotMemory(id: string) {
 
 function openEdit(bot: any) {
   editingBot.value = bot
-  newBot.value = {
-    name: bot.name,
-    description: bot.description,
-    system_prompt: bot.system_prompt,
-    knowledge_base: bot.knowledge_base || '',
-    model: bot.model || '',
-    api_key: bot.api_key || '',
-    credential_id: bot.credential_id || '',
-    chatwoot_credential_id: bot.chatwoot_credential_id || '',
-    chatwoot_bot_token: bot.chatwoot_bot_token || '',
-    audio_enabled: bot.audio_enabled !== false,
-    image_enabled: bot.image_enabled !== false,
-    video_enabled: !!bot.video_enabled,
-    document_enabled: !!bot.document_enabled,
-    memory_enabled: bot.memory_enabled !== false,
-    mindset_model: bot.mindset_model || '',
-    multimodal_model: bot.multimodal_model || '',
-    timezone: bot.timezone || '',
-    provider: bot.provider || 'gemini'
-  }
-  expandedServers.value = []
-  loadBotMCPs(bot.id)
-  botDataSnapshot.value = JSON.stringify(newBot.value)
   showAddBot.value = true
 }
 
 function openAdd() {
-  resetForm();
-  showAddBot.value = true;
-  loadBotMCPs(null);
-}
-
-function resetForm() {
   editingBot.value = null
-  newBot.value = {
-    name: '',
-    description: '',
-    system_prompt: '',
-    knowledge_base: '',
-    model: '',
-    api_key: '',
-    credential_id: '',
-    chatwoot_credential_id: '',
-    chatwoot_bot_token: '',
-    audio_enabled: true,
-    image_enabled: true,
-    video_enabled: false,
-    document_enabled: false,
-    memory_enabled: true,
-    mindset_model: '',
-    multimodal_model: '',
-    timezone: '',
-    provider: 'gemini'
-  }
-  botMCPServers.value = []
-  botDataSnapshot.value = ''
+  showAddBot.value = true
 }
 
 onMounted(loadData)
@@ -472,25 +163,7 @@ onMounted(loadData)
 
   <div v-else class="space-y-12 animate-in fade-in duration-700 max-w-[1400px] mx-auto pb-20">
     <!-- Header -->
-    <AppPageHeader title="Bots">
-      <template #breadcrumb>
-        <Cpu class="w-4 h-4 text-primary shrink-0" />
-        <span class="text-xs font-black uppercase tracking-widest text-primary">Automation Logic</span>
-        <span class="opacity-30 text-xs font-black text-slate-500">/</span>
-        <span class="text-xs font-bold uppercase tracking-widest text-slate-500">Identity Blueprints</span>
-      </template>
-
-      <template #actions>
-        <button class="btn-premium btn-premium-ghost px-8" @click="showGlobalSettings = true">
-           <Settings class="w-4 h-4" />
-           Engine Configuration
-        </button>
-        <button class="btn-premium btn-premium-primary px-16 h-14 w-full lg:w-auto" @click="openAdd">
-             <Plus class="w-5 h-5 mr-2" />
-             Compose Template
-        </button>
-      </template>
-    </AppPageHeader>
+    <BotsHeader @openSettings="showGlobalSettings = true" @openAdd="openAdd" />
 
     <!-- Content Area -->
     <div class="px-6 lg:px-0">
@@ -504,7 +177,7 @@ onMounted(loadData)
 
         <div class="grid grid-cols-1 md:grid-cols-2 xl:grid-cols-3 gap-10">
             <!-- Add Card -->
-            <div @click="showAddBot = true; resetForm()" class="bg-[#161a23]/30 border-2 border-dashed border-white/5 hover:border-primary/30 rounded-[2.5rem] p-10 flex flex-col items-center justify-center text-center group cursor-pointer transition-all duration-500 min-h-[340px]">
+            <div @click="openAdd" class="bg-[#161a23]/30 border-2 border-dashed border-white/5 hover:border-primary/30 rounded-[2.5rem] p-10 flex flex-col items-center justify-center text-center group cursor-pointer transition-all duration-500 min-h-[340px]">
                 <div class="w-16 h-16 rounded-[1.5rem] bg-white/5 flex items-center justify-center text-slate-600 group-hover:bg-primary/10 group-hover:text-primary transition-all mb-6 border border-white/5 shadow-2xl">
                     <Plus class="w-8 h-8" />
                 </div>
@@ -563,327 +236,21 @@ onMounted(loadData)
     </div>
 
     <!-- Global Engine Modal -->
-    <AppModal v-model="showGlobalSettings" title="Engine Global Override" maxWidth="max-w-xl">
-        <div class="space-y-8 py-4">
-            <div class="form-control">
-                <div class="flex items-center gap-2 mb-2">
-                    <Zap class="w-3 h-3 text-primary" />
-                    <label class="label-premium mb-0">Master System Prompt</label>
-                </div>
-                <textarea v-model="globalSettings.global_system_prompt" rows="5" class="input-premium w-full min-h-[120px] leading-relaxed text-sm" placeholder="Universal laws..."></textarea>
-            </div>
-            <div class="form-control">
-                <div class="flex items-center gap-2 mb-2">
-                    <Globe class="w-3 h-3 text-slate-400" />
-                    <label class="label-premium mb-0">AI Timezone (IANA)</label>
-                </div>
-                <select v-model="globalSettings.timezone" class="select-premium h-14 w-full text-sm font-bold uppercase">
-                    <option v-for="tz in timezones" :key="tz.value" :value="tz.value">{{ tz.label }}</option>
-                </select>
-            </div>
-            <div class="grid grid-cols-2 gap-6">
-                <div class="form-control">
-                    <div class="flex items-center gap-2 mb-2">
-                        <Clock class="w-3 h-3 text-primary" />
-                        <label class="label-premium mb-0">Response Delay (ms)</label>
-                    </div>
-                    <input v-model.number="globalSettings.debounce_ms" type="number" class="input-premium h-14 w-full font-mono text-sm" />
-                </div>
-                <div class="form-control">
-                    <div class="flex items-center gap-2 mb-2">
-                        <Activity class="w-3 h-3 text-primary" />
-                        <label class="label-premium mb-0">Idle Check (ms)</label>
-                    </div>
-                    <input v-model.number="globalSettings.wait_contact_idle_ms" type="number" class="input-premium h-14 w-full font-mono text-sm" />
-                </div>
-            </div>
-            <label class="flex items-center justify-between h-14 bg-[#161a23] border border-white/10 rounded-xl px-6 cursor-pointer hover:border-success/40 transition-colors">
-                <div class="flex items-center gap-3">
-                    <Type class="w-4 h-4 text-success" />
-                    <span class="text-xs font-black uppercase tracking-widest text-slate-400">Emulate Typing</span>
-                </div>
-                <input type="checkbox" v-model="globalSettings.typing_enabled" class="toggle toggle-success" />
-            </label>
-        </div>
-        <template #actions>
-            <button class="btn-premium btn-premium-ghost px-8" @click="showGlobalSettings = false">Discard</button>
-            <button class="btn-premium btn-premium-success px-12" @click="saveGlobalSettings">Propagate Changes</button>
-        </template>
-    </AppModal>
+    <GlobalSettingsModal
+        v-model="showGlobalSettings"
+        v-model:settings="globalSettings"
+        @save="saveGlobalSettings"
+    />
 
     <!-- Bot Identity Modal -->
-    <AppTabModal 
-        v-model="showAddBot" 
-        :title="editingBot ? 'Bot Configuration' : 'Compose Bot Identity'" 
-        maxWidth="max-w-[1240px]"
-        v-model:activeTab="activeTab"
-        :tabs="[
-            { id: 'general', label: 'General Info', icon: Fingerprint },
-            { id: 'engine', label: 'Engine Logic', icon: Zap },
-            { id: 'auth', label: 'Authentication', icon: Lock },
-            { id: 'mcp', label: 'Capabilities (MCP)', icon: Wrench }
-        ]"
-        :identity="{
-            name: editingBot ? editingBot.name : 'New Bot Identity',
-            subtitle: 'Identity Blueprint',
-            icon: Bot,
-            iconType: 'component'
-        }"
-        :saveText="editingBot ? 'Save Changes' : 'Create Identity'"
-        @save="createBot"
-        @cancel="showAddBot = false"
-    >
-        <template #sidebar-bottom>
-            <div v-if="editingBot" class="pt-8 border-t border-white/5">
-                <button @click="clearBotMemory(editingBot.id)" class="btn-premium btn-premium-ghost text-red-400 hover:bg-red-500/10 hover:text-red-300 w-full btn-premium-sm border border-red-500/20">
-                    <Trash2 class="w-3.5 h-3.5 mr-2" />
-                    Flush Memory
-                </button>
-            </div>
-        </template>
-                    <!-- TAB: General -->
-                    <div v-if="activeTab === 'general'" class="space-y-10 animate-in fade-in slide-in-from-right-4">
-                        <div class="section-title-premium text-primary/60">Core Definition</div>
-                        <div class="grid grid-cols-2 gap-8">
-                            <div class="form-control">
-                                <label class="label-premium text-primary">Template Name</label>
-                                <input v-model="newBot.name" type="text" class="input-premium h-14 w-full text-lg font-black" placeholder="e.g. Sales Specialist" />
-                            </div>
-                            <div class="form-control">
-                                <label class="label-premium">Description</label>
-                                <input v-model="newBot.description" type="text" class="input-premium h-14 w-full" placeholder="What is this bot for?" />
-                            </div>
-                        </div>
-
-                        <div class="form-control mt-10">
-                            <label class="label-premium">Core Intelligence (System Prompt)</label>
-                            <textarea v-model="newBot.system_prompt" rows="8" class="input-premium w-full leading-relaxed text-sm p-6" placeholder="Define boundaries and mission..."></textarea>
-                        </div>
-
-                        <div class="form-control">
-                            <label class="label-premium">Knowledge Context (RAG)</label>
-                            <textarea v-model="newBot.knowledge_base" rows="5" class="input-premium w-full leading-relaxed text-sm p-6" placeholder="Add custom domain data..."></textarea>
-                        </div>
-                    </div>
-
-                    <!-- TAB: Engine -->
-                    <div v-if="activeTab === 'engine'" class="space-y-10 animate-in fade-in slide-in-from-right-4">
-                        <div class="section-title-premium text-primary/60">Model Selection</div>
-                        <div class="grid grid-cols-2 gap-8">
-                            <div class="form-control">
-                                <label class="label-premium">Engine Provider</label>
-                                <select v-model="newBot.provider" class="select-premium h-14 w-full text-sm font-bold uppercase transition-all">
-                                    <option value="gemini">Google Gemini (Active)</option>
-                                    <option value="openai">OpenAI (Experimental)</option>
-                                    <option value="claude" disabled class="opacity-30">Claude (Soon)</option>
-                                    <option value="ai">Legacy / Custom</option>
-                                </select>
-                            </div>
-                            <div class="form-control">
-                                <label class="label-premium">Core Logic Model</label>
-                                <select v-model="newBot.model" class="select-premium h-14 w-full text-sm font-bold uppercase transition-all">
-                                    <option value="">(Inherit Provider Default)</option>
-                                    <option v-for="m in availableModels[newBot.provider] || []" :key="m.id" :value="m.id">
-                                        {{ m.name }} — {{ (m.avg_cost_in || m.avg_cost_out) ? `[$${m.avg_cost_in} / $${m.avg_cost_out}]` : '[--]' }}
-                                    </option>
-                                </select>
-                            </div>
-                        </div>
-
-                        <div class="grid grid-cols-2 gap-8 pt-8 border-t border-white/5">
-                            <div class="form-control">
-                                <label class="label-premium">Mindset Analyzer</label>
-                                <select v-model="newBot.mindset_model" class="select-premium h-14 w-full text-sm font-bold uppercase">
-                                    <option value="">(Inherit Logic / Lite Preferred)</option>
-                                    <option v-for="m in availableModels[newBot.provider] || []" :key="m.id" :value="m.id">
-                                        {{ m.name }} — {{ (m.avg_cost_in || m.avg_cost_out) ? `[$${m.avg_cost_in} / $${m.avg_cost_out}]` : '[--]' }}
-                                    </option>
-                                </select>
-                            </div>
-                            <div class="form-control">
-                                <label class="label-premium">Vision/Multimodal Interpreter</label>
-                                <select v-model="newBot.multimodal_model" class="select-premium h-14 w-full text-sm font-bold uppercase">
-                                    <option value="">(Vision Preferred)</option>
-                                    <option v-for="m in multimodalModels" :key="m.id" :value="m.id">
-                                        {{ m.name }} — {{ (m.avg_cost_in || m.avg_cost_out) ? `[$${m.avg_cost_in} / $${m.avg_cost_out}]` : '[--]' }}
-                                    </option>
-                                </select>
-                            </div>
-                        </div>
-
-                        <div class="section-title-premium text-primary/60 mt-10">Capabilities</div>
-                        <div class="grid grid-cols-2 lg:grid-cols-5 gap-4">
-                            <label class="flex items-center justify-between p-4 bg-[#161a23] border border-white/5 rounded-2xl cursor-pointer hover:border-primary transition-all">
-                                <span class="text-xs font-black uppercase text-slate-500">Memory</span>
-                                <input type="checkbox" v-model="newBot.memory_enabled" class="toggle toggle-primary toggle-xs" />
-                            </label>
-                            <label class="flex items-center justify-between p-4 bg-[#161a23] border border-white/5 rounded-2xl cursor-pointer hover:border-primary transition-all">
-                                <span class="text-xs font-black uppercase text-slate-500">Audio</span>
-                                <input type="checkbox" v-model="newBot.audio_enabled" class="toggle toggle-primary toggle-xs" />
-                            </label>
-                            <label class="flex items-center justify-between p-4 bg-[#161a23] border border-white/5 rounded-2xl cursor-pointer hover:border-primary transition-all">
-                                <span class="text-xs font-black uppercase text-slate-500">Vision</span>
-                                <input type="checkbox" v-model="newBot.image_enabled" class="toggle toggle-primary toggle-xs" />
-                            </label>
-                            <label class="flex items-center justify-between p-4 bg-[#161a23] border border-white/5 rounded-2xl cursor-pointer hover:border-indigo-400 transition-all">
-                                <span class="text-xs font-black uppercase text-slate-500">Video</span>
-                                <input type="checkbox" v-model="newBot.video_enabled" class="toggle toggle-info toggle-xs" />
-                            </label>
-                            <label class="flex items-center justify-between p-4 bg-[#161a23] border border-white/5 rounded-2xl cursor-pointer hover:border-amber-400 transition-all">
-                                <span class="text-xs font-black uppercase text-slate-500">Docs</span>
-                                <input type="checkbox" v-model="newBot.document_enabled" class="toggle toggle-warning toggle-xs" />
-                            </label>
-                        </div>
-                    </div>
-
-                    <!-- TAB: Auth -->
-                    <div v-if="activeTab === 'auth'" class="space-y-10 animate-in fade-in slide-in-from-right-4">
-                        <div class="section-title-premium text-primary/60">Vaulted Credentials</div>
-                        <div class="grid grid-cols-2 gap-8">
-                            <div class="form-control">
-                                <label class="label-premium">AI Provider Key</label>
-                                <select v-model="newBot.credential_id" class="select-premium h-14 w-full text-sm font-bold uppercase">
-                                    <option value="">(Manual Key Entry)</option>
-                                    <option v-for="cred in aiCredentials" :key="cred.id" :value="cred.id">{{ cred.name }}</option>
-                                </select>
-                            </div>
-                            <div v-if="!newBot.credential_id" class="form-control">
-                                <label class="label-premium">Direct API Access Key</label>
-                                <input v-model="newBot.api_key" type="text" autocomplete="off" class="input-premium h-14 w-full font-mono text-xs" placeholder="Paste manual key..." />
-                            </div>
-                        </div>
-
-                        <div class="grid grid-cols-2 gap-8 pt-10 border-t border-white/5">
-                            <div class="form-control">
-                                <label class="label-premium">Chatwoot Credential</label>
-                                <select v-model="newBot.chatwoot_credential_id" class="select-premium h-14 w-full text-sm font-bold uppercase">
-                                    <option value="">(None)</option>
-                                    <option v-for="cred in chatwootCredentials" :key="cred.id" :value="cred.id">{{ cred.name }}</option>
-                                </select>
-                            </div>
-                            <div class="form-control">
-                                <label class="label-premium">Chatwoot Agent Token</label>
-                                <input v-model="newBot.chatwoot_bot_token" type="text" autocomplete="off" class="input-premium h-14 w-full font-mono text-xs" placeholder="Paste agent token..." />
-                            </div>
-                        </div>
-                    </div>
-
-                    <!-- TAB: MCP -->
-                    <div v-if="activeTab === 'mcp'" class="space-y-10 animate-in fade-in slide-in-from-right-4">
-                        <div class="section-title-premium text-primary/60 flex justify-between items-center">
-                            Tool Access Registry
-                            <span v-if="loadingBotMCPs" class="loading loading-spinner loading-xs"></span>
-                        </div>
-
-                        <div v-if="botMCPServers.length === 0" class="p-20 bg-white/[0.02] border border-dashed border-white/5 rounded-[2rem] text-center">
-                            <p class="text-xs font-bold uppercase tracking-widest text-slate-600">No MCP Servers detected.</p>
-                        </div>
-
-                        <div v-else class="space-y-6">
-                            <div v-for="srv in botMCPServers" :key="srv.id" 
-                                 class="rounded-[2rem] bg-[#161a23] border transition-all"
-                                 :class="srv.enabled ? 'border-primary/40' : 'border-white/5 opacity-60'">
-                                
-                                <div class="p-6 flex items-center justify-between">
-                                    <div class="flex items-center gap-4">
-                                         <div class="w-10 h-10 rounded-xl bg-white/5 flex items-center justify-center text-primary border border-white/10">
-                                             <Zap class="w-5 h-5" />
-                                         </div>
-                                         <div class="flex flex-col">
-                                             <div class="flex items-center gap-2">
-                                                 <h6 class="text-xs font-black text-white uppercase tracking-tight">{{ srv.name }}</h6>
-                                                 <div v-if="srv.is_template" class="px-1.5 py-0.5 rounded bg-amber-500/10 text-amber-500 text-xs font-black uppercase tracking-widest border border-amber-500/20">
-                                                     Template
-                                                 </div>
-                                             </div>
-                                             <span class="text-xs font-mono text-slate-600 truncate max-w-[200px]">{{ srv.url }}</span>
-                                         </div>
-                                    </div>
-                                    <div class="flex items-center gap-4">
-                                         <button @click="toggleServerExpansion(srv.id)" 
-                                                 class="btn-premium btn-premium-ghost btn-premium-sm px-4"
-                                                 :class="{ 'bg-primary/20 text-primary border-primary/30': expandedServers.includes(srv.id) }">
-                                             <Settings class="w-3 h-3" />
-                                         </button>
-                                         <input type="checkbox" :checked="srv.enabled" @change="toggleMCPForBot(srv)" class="toggle toggle-primary toggle-sm" />
-                                    </div>
-                                </div>
-
-                                <div v-if="expandedServers.includes(srv.id)" class="px-6 pb-8 border-t border-white/5 pt-6 space-y-6">
-                                    <div class="form-control">
-                                        <label class="label-premium opacity-50">Local Instructions</label>
-                                        <textarea v-model="srv.botInstructions" rows="2" class="input-premium w-full text-xs" placeholder="Guidelines for this bot..."></textarea>
-                                    </div>
-
-                                    <!-- Required Header Configuration for Templates -->
-                                    <div v-if="(srv.is_template && srv.template_config && Object.keys(srv.template_config).length) || (srv.urlVarKeys && srv.urlVarKeys.length)" class="space-y-6 p-8 bg-amber-500/5 rounded-[2rem] border border-amber-500/10 shadow-xl">
-                                        <div class="flex items-center gap-3 mb-2">
-                                            <ShieldCheck class="w-4 h-4 text-amber-500" />
-                                            <h5 class="text-xs font-black text-amber-500 uppercase tracking-widest">Required Configuration (Bot Specific)</h5>
-                                        </div>
-                                        
-                                        <div class="grid grid-cols-1 gap-5">
-                                            <!-- Dynamic URL Variables -->
-                                            <div v-for="key in srv.urlVarKeys" :key="'var-'+key" class="form-control">
-                                                <label class="text-xs font-bold text-amber-500/50 uppercase ml-1 mb-2">Endpoint Variable: {{ key }}</label>
-                                                <input v-model="srv.urlVariables[key]" type="text" 
-                                                       class="input-premium h-14 w-full bg-black/40 border-amber-500/10 text-xs text-white" 
-                                                       :placeholder="'Value for {' + key + '}'" />
-                                            </div>
-
-                                            <div v-for="(help, key) in srv.template_config" :key="key" class="form-control">
-                                                <label class="text-xs font-bold text-amber-500/50 uppercase ml-1 mb-2">Header: {{ key }}</label>
-                                                <input v-model="srv.headersMap[key]" type="text" 
-                                                       class="input-premium h-14 w-full bg-black/40 border-amber-500/10 text-xs text-white" 
-                                                       :placeholder="help" />
-                                            </div>
-                                        </div>
-                                        
-                                         <div class="flex flex-col items-end gap-3 pt-2">
-                                             <div v-if="connectionMessages[srv.id] && testingConnection[srv.id] === 'error'" 
-                                                  class="text-xs font-bold uppercase tracking-widest text-error">
-                                                 {{ connectionMessages[srv.id] }}
-                                             </div>
-                                             <div class="flex items-center gap-4">
-                                                 <span class="text-xs font-bold text-slate-600 uppercase tracking-widest italic pr-2">Configurations will be saved with the blueprint</span>
-                                                 <button @click="testMCPConnection(srv)" 
-                                                         class="btn-premium btn-premium-ghost btn-premium-sm border-amber-500/20 px-6 transition-all"
-                                                         :class="{
-                                                            'text-amber-500 hover:bg-amber-500/10': testingConnection[srv.id] === 'idle' || !testingConnection[srv.id],
-                                                            'text-success border-success/40 bg-success/5': testingConnection[srv.id] === 'success',
-                                                            'text-error border-error/40 bg-error/5': testingConnection[srv.id] === 'error',
-                                                            'opacity-50 cursor-wait': testingConnection[srv.id] === 'loading'
-                                                         }"
-                                                         :disabled="testingConnection[srv.id] === 'loading'">
-                                                     <span v-if="testingConnection[srv.id] === 'loading'" class="loading loading-spinner loading-xs mr-2"></span>
-                                                     <CheckCircle2 v-else-if="testingConnection[srv.id] === 'success'" class="w-3 h-3 mr-2" />
-                                                     <Activity v-else class="w-3 h-3 mr-2" />
-                                                     {{ testingConnection[srv.id] === 'success' ? 'Verified' : testingConnection[srv.id] === 'error' ? 'Retry Test' : 'Test Configuration' }}
-                                                 </button>
-                                             </div>
-                                         </div>
-                                    </div>
-
-                                    <div v-if="srv.tools && srv.tools.length" class="grid grid-cols-1 md:grid-cols-2 gap-3">
-                                        <div v-for="tool in srv.tools" :key="tool.name" 
-                                             @click="toggleToolForBot(srv, tool.name)"
-                                             class="flex items-center justify-between p-4 bg-black/20 border border-white/5 rounded-2xl cursor-pointer hover:bg-black/40 transition-all"
-                                             :class="{ 'opacity-40 grayscale': isToolDisabled(srv, tool.name) }">
-                                            <div class="flex items-center gap-3">
-                                                <Zap class="w-3 h-3 text-primary" />
-                                                <span class="text-xs font-black text-white uppercase">{{ tool.name }}</span>
-                                            </div>
-                                            <div class="w-5 h-5 rounded-lg flex items-center justify-center border border-white/10"
-                                                 :class="!isToolDisabled(srv, tool.name) ? 'bg-primary text-white' : 'bg-transparent text-transparent'">
-                                                <CheckCircle2 class="w-3 h-3" />
-                                            </div>
-                                        </div>
-                                    </div>
-                                </div>
-                            </div>
-                        </div>
-                    </div>
-    </AppTabModal>
+    <BotFormModal
+        v-model="showAddBot"
+        :editing-bot="editingBot"
+        :credentials="credentials"
+        :available-models="availableModels"
+        @saved="loadData"
+        @clear-memory="clearBotMemory"
+    />
 
     <ConfirmationDialog 
         v-model="confirmModal.show"

From 426c7337c22f257c1d8368fe1882abb0d5d1a6d2 Mon Sep 17 00:00:00 2001
From: Aziel <azielcruzado@gmail.com>
Date: Tue, 24 Feb 2026 12:18:23 -0500
Subject: [PATCH 06/12] [ClientsPortal] Implement core authentication
 infrastructure and Magic Link system

---
 .../auth/application/service.go               | 315 +++++++++++++++++-
 .../auth/application/service_test.go          | 145 ++++++++
 src/clients_portal/auth/domain/user.go        |  89 ++++-
 .../auth/infrastructure/handlers.go           | 125 ++++++-
 .../auth/infrastructure/middleware.go         |  23 +-
 .../auth/repository/gorm_repo.go              |  21 ++
 src/clients_portal/http/router.go             |  75 +++++
 src/clients_portal/shared/security/jwt.go     |  44 ++-
 8 files changed, 793 insertions(+), 44 deletions(-)
 create mode 100644 src/clients_portal/auth/application/service_test.go
 create mode 100644 src/clients_portal/http/router.go

diff --git a/src/clients_portal/auth/application/service.go b/src/clients_portal/auth/application/service.go
index f62c0d7..ada8812 100644
--- a/src/clients_portal/auth/application/service.go
+++ b/src/clients_portal/auth/application/service.go
@@ -2,22 +2,39 @@ package application
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
+	"fmt"
+	"time"
 
 	crmDomain "github.com/AzielCF/az-wap/clients/domain"
 	"github.com/AzielCF/az-wap/clients_portal/auth/domain"
+	"github.com/AzielCF/az-wap/clients_portal/auth/repository"
 	portalSecurity "github.com/AzielCF/az-wap/clients_portal/shared/security"
+	"github.com/AzielCF/az-wap/core/kvstore"
+	workspaceDomain "github.com/AzielCF/az-wap/workspace/domain/workspace"
+	"github.com/google/uuid"
 )
 
+// PortalAccountSummary is a lightweight DTO for admin reporting
+type PortalAccountSummary struct {
+	IsShadow bool   `json:"is_shadow"`
+	Email    string `json:"email"`
+}
+
 type AuthService struct {
-	repo       domain.IAuthRepository
-	clientRepo crmDomain.ClientRepository
+	repo          domain.IAuthRepository
+	clientRepo    crmDomain.ClientRepository
+	workspaceRepo workspaceDomain.IWorkspaceRepository
+	tokenCache    kvstore.KVStore
 }
 
-func NewAuthService(repo domain.IAuthRepository, clientRepo crmDomain.ClientRepository) *AuthService {
+func NewAuthService(repo domain.IAuthRepository, clientRepo crmDomain.ClientRepository, workspaceRepo workspaceDomain.IWorkspaceRepository, tokenCache kvstore.KVStore) *AuthService {
 	return &AuthService{
-		repo:       repo,
-		clientRepo: clientRepo,
+		repo:          repo,
+		clientRepo:    clientRepo,
+		workspaceRepo: workspaceRepo,
+		tokenCache:    tokenCache,
 	}
 }
 
@@ -26,10 +43,17 @@ func (s *AuthService) Login(ctx context.Context, username, password string) (str
 	// 1. Find user
 	user, err := s.repo.GetByUsername(ctx, username)
 	if err != nil {
-		return "", nil, errors.New("invalid credentials") // Do not reveal if user exists
+		// Even if user not found, we should ideally wait a bit to prevent timing attacks
+		return "", nil, errors.New("invalid credentials")
 	}
 
-	// 2. Verify password
+	// 2. SECURITY CHECK: Shadow users CANNOT login via password
+	// They must use Magic Link first and then set a password to set IsShadow = false
+	if user.IsShadow || user.PasswordHash == "" {
+		return "", nil, errors.New("please use the access link sent to your device to set up your account")
+	}
+
+	// 3. Verify password
 	if !portalSecurity.CheckPasswordHash(password, user.PasswordHash) {
 		return "", nil, errors.New("invalid credentials")
 	}
@@ -46,6 +70,19 @@ func (s *AuthService) Login(ctx context.Context, username, password string) (str
 	return token, user, nil
 }
 
+// IAuthService defines the business logic for authentication
+type IAuthService interface {
+	Login(ctx context.Context, username, password string) (string, *domain.PortalUser, error) // Returns Token + User
+	Register(ctx context.Context, clientID, username, password, fullName string, role domain.PortalRole) (*domain.PortalUser, error)
+	ValidateToken(ctx context.Context, token string) (*domain.PortalUser, error)
+	GetUserProfile(ctx context.Context, userID string) (*domain.PortalProfile, error)
+	UpdateProfile(ctx context.Context, userID string, email *string, fullName, password string) error
+	GenerateMagicLink(ctx context.Context, clientID, phone string) (string, error)
+	RedeemMagicLink(ctx context.Context, token string) (string, *domain.PortalUser, error)
+	CreateAccountByAdmin(ctx context.Context, clientID, email, fullName string) (*domain.PortalUser, error)
+	ListAccountsState(ctx context.Context, clientIDs []string) (map[string]PortalAccountSummary, error)
+}
+
 // Register creates a new portal user
 func (s *AuthService) Register(ctx context.Context, clientID, username, password, fullName string, role domain.PortalRole) (*domain.PortalUser, error) {
 	// 1. Validate duplicates
@@ -102,16 +139,270 @@ func (s *AuthService) GetUserProfile(ctx context.Context, userID string) (*domai
 	// 2. Get associated Client info from CRM
 	client, err := s.clientRepo.GetByID(ctx, user.ClientID)
 	if err != nil {
-		// If client is not found, we still return the user but with empty account info
+		// Log the error but proceed with user-only profile
+		fmt.Printf("[AuthService] Failed to load CRM client data for %s (Client: %s): %v\n", userID, user.ClientID, err)
 		return &domain.PortalProfile{
-			User:    user,
+			User: &domain.SafePortalUserView{
+				ID:          user.ID,
+				Email:       user.Email,
+				Phone:       user.Phone,
+				Username:    user.Username,
+				FullName:    user.FullName,
+				Role:        user.Role,
+				Active:      user.Active,
+				IsShadow:    user.IsShadow,
+				LastLoginAt: user.LastLoginAt,
+				CreatedAt:   user.CreatedAt,
+			},
 			Account: nil,
 		}, nil
 	}
 
-	// 3. Return combined profile
+	// 3. ENRICHMENT: If user data is missing, fill from Client CRM data
+	if user.FullName == "" {
+		user.FullName = client.DisplayName
+	}
+	if user.Phone == "" {
+		user.Phone = client.Phone
+	}
+	// We don't save this back to DB here, just for display
+	// 3.1 Get Workspace Count
+	workspaceCount := 0
+	if s.workspaceRepo != nil {
+		wsList, _ := s.workspaceRepo.ListClientWorkspaces(ctx, client.ID)
+		workspaceCount = len(wsList)
+	}
+
+	// 4. Return combined profile (SAFE VIEW)
 	return &domain.PortalProfile{
-		User:    user,
-		Account: client,
+		User: &domain.SafePortalUserView{
+			ID:          user.ID,
+			Email:       user.Email,
+			Phone:       user.Phone,
+			Username:    user.Username,
+			FullName:    user.FullName,
+			Role:        user.Role,
+			Active:      user.Active,
+			IsShadow:    user.IsShadow,
+			LastLoginAt: user.LastLoginAt,
+			CreatedAt:   user.CreatedAt,
+		},
+		Account: &domain.PortalAccountView{
+			DisplayName:    client.DisplayName,
+			Phone:          client.Phone,
+			Tier:           string(client.Tier),
+			Tags:           client.Tags,
+			OwnedChannels:  client.OwnedChannels,
+			Language:       client.Language,
+			Timezone:       client.Timezone,
+			Country:        client.Country,
+			WorkspaceCount: workspaceCount,
+			Metadata:       client.Metadata,
+			IsTester:       client.IsTester,
+		},
 	}, nil
 }
+
+// GenerateMagicLink creates a short-lived opaque token for passwordless login
+func (s *AuthService) GenerateMagicLink(ctx context.Context, clientID, phone string) (string, error) {
+	// 1. Check if we already have a valid link for this client
+	cacheKey := fmt.Sprintf("magic_client:%s", clientID)
+	if s.tokenCache != nil {
+		if existing, _ := s.tokenCache.Get(ctx, cacheKey); existing != "" {
+			// BUGFIX: Verify the token itself still exists in cache before returning it
+			// It might have been deleted but the mapping survived
+			if tokenData, _ := s.tokenCache.Get(ctx, fmt.Sprintf("magic_token:%s", existing)); tokenData != "" {
+				return existing, nil
+			}
+			// If not found, clean up the stale mapping and proceed to generate a new one
+			_ = s.tokenCache.Delete(ctx, cacheKey)
+		}
+	}
+
+	// 2. Find or Create Shadow User
+	var user *domain.PortalUser
+	users, _ := s.repo.ListByClient(ctx, clientID)
+	if len(users) > 0 {
+		user = users[0]
+	} else if phone != "" {
+		// Fallback to phone just in case
+		user, _ = s.repo.GetByPhone(ctx, phone)
+	}
+
+	if user == nil {
+		// Create Shadow User using ClientID for uniqueness
+		user = domain.NewShadowUser(clientID, phone, domain.RoleMember)
+		if err := s.repo.Create(ctx, user); err != nil {
+			return "", err
+		}
+	} else if user.ClientID != clientID {
+		// Link the client if it was found by phone but missing clientID
+		user.ClientID = clientID
+		_ = s.repo.Update(ctx, user)
+	}
+
+	// 3. Generate Opaque Token (Short random string)
+	token, err := portalSecurity.GenerateOpaqueToken()
+	if err != nil {
+		return "", err
+	}
+
+	// 4. Store the mapping: token -> userData
+	tokenData := map[string]string{
+		"uid": user.ID,
+		"cid": user.ClientID,
+	}
+	jsonData, _ := json.Marshal(tokenData)
+
+	if s.tokenCache != nil {
+		// Save the token data (15m)
+		_ = s.tokenCache.Set(ctx, fmt.Sprintf("magic_token:%s", token), string(jsonData), 15*time.Minute)
+		// Save the client mapping for deduplication (15m)
+		_ = s.tokenCache.Set(ctx, cacheKey, token, 15*time.Minute)
+	}
+
+	return token, nil
+}
+
+// RedeemMagicLink exchanges a short opaque token for a full session token
+func (s *AuthService) RedeemMagicLink(ctx context.Context, opaqueToken string) (string, *domain.PortalUser, error) {
+	// 1. Look up opaque token in cache
+	if s.tokenCache == nil {
+		return "", nil, errors.New("token storage unavailable")
+	}
+
+	data, err := s.tokenCache.Get(ctx, fmt.Sprintf("magic_token:%s", opaqueToken))
+	if err != nil || data == "" {
+		return "", nil, errors.New("invalid or expired magic link")
+	}
+
+	// 2. Parse User info
+	var tokenData map[string]string
+	if err := json.Unmarshal([]byte(data), &tokenData); err != nil {
+		return "", nil, errors.New("failed to process token data")
+	}
+
+	userID := tokenData["uid"]
+
+	// 3. Get User from DB
+	user, err := s.repo.GetByID(ctx, userID)
+	if err != nil {
+		return "", nil, errors.New("user not found")
+	}
+
+	// 4. Generate Session Token (Long lived JWT)
+	sessionToken, err := portalSecurity.GenerateToken(user.ID, user.ClientID, user.Role)
+	if err != nil {
+		return "", nil, err
+	}
+
+	// 5. Update login time and clean up token
+	go s.repo.UpdateLastLogin(context.Background(), user.ID)
+	_ = s.tokenCache.Delete(ctx, fmt.Sprintf("magic_token:%s", opaqueToken))
+
+	// Bugfix: Also clear the client mapping so a new link can be generated
+	if cid, ok := tokenData["cid"]; ok {
+		_ = s.tokenCache.Delete(ctx, fmt.Sprintf("magic_client:%s", cid))
+	}
+
+	return sessionToken, user, nil
+}
+
+// CreateAccountByAdmin allows an administrator to provision a portal account without a password
+func (s *AuthService) CreateAccountByAdmin(ctx context.Context, clientID, email, fullName string) (*domain.PortalUser, error) {
+	// 1. Check if user already exists for this client
+	existing, _ := s.repo.ListByClient(ctx, clientID)
+	if len(existing) > 0 {
+		return nil, errors.New("a portal account already exists for this client")
+	}
+
+	// 2. Determine username (Email if provided, otherwise shadow_ID)
+	username := email
+	if username == "" {
+		username = "shadow_" + clientID
+	}
+
+	// 3. Create a new user with no password and IsShadow true
+	var emailPtr *string
+	if email != "" {
+		emailPtr = &email
+	}
+
+	user := &domain.PortalUser{
+		ID:        uuid.New().String(),
+		ClientID:  clientID,
+		Email:     emailPtr,
+		Username:  username, // Ensure unique username
+		FullName:  fullName,
+		Role:      domain.RoleOwner,
+		Active:    true,
+		IsShadow:  true,
+		CreatedAt: time.Now(),
+		UpdatedAt: time.Now(),
+	}
+
+	if err := s.repo.Create(ctx, user); err != nil {
+		return nil, err
+	}
+
+	return user, nil
+}
+
+// ListAccountsState returns a map of ClientID -> PortalAccountSummary for specific IDs
+func (s *AuthService) ListAccountsState(ctx context.Context, clientIDs []string) (map[string]PortalAccountSummary, error) {
+	if len(clientIDs) == 0 {
+		return make(map[string]PortalAccountSummary), nil
+	}
+
+	var users []*domain.PortalUser
+	repo, ok := s.repo.(*repository.GormAuthRepository)
+	if !ok {
+		return nil, errors.New("invalid repository type")
+	}
+
+	// Updated repository to fetch only requested IDs
+	if err := repo.GetByClientIDs(ctx, clientIDs, &users); err != nil {
+		return nil, err
+	}
+
+	result := make(map[string]PortalAccountSummary)
+	for _, u := range users {
+		emailStr := ""
+		if u.Email != nil {
+			emailStr = *u.Email
+		}
+		result[u.ClientID] = PortalAccountSummary{
+			IsShadow: u.IsShadow,
+			Email:    emailStr,
+		}
+	}
+	return result, nil
+}
+
+// UpdateProfile updates user information and clears shadow status if password is set
+func (s *AuthService) UpdateProfile(ctx context.Context, userID string, email *string, fullName, password string) error {
+	user, err := s.repo.GetByID(ctx, userID)
+	if err != nil {
+		return err
+	}
+
+	if fullName != "" {
+		user.FullName = fullName
+	}
+	if email != nil {
+		user.Email = email
+	}
+
+	// If a password is provided, we hash it and the user is no longer a shadow
+	if password != "" {
+		hash, err := portalSecurity.HashPassword(password)
+		if err != nil {
+			return err
+		}
+		user.PasswordHash = hash
+		user.IsShadow = false
+	}
+
+	user.UpdatedAt = time.Now()
+	return s.repo.Update(ctx, user)
+}
diff --git a/src/clients_portal/auth/application/service_test.go b/src/clients_portal/auth/application/service_test.go
new file mode 100644
index 0000000..ef76628
--- /dev/null
+++ b/src/clients_portal/auth/application/service_test.go
@@ -0,0 +1,145 @@
+package application
+
+import (
+	"context"
+	"testing"
+	"time"
+
+	crmDomain "github.com/AzielCF/az-wap/clients/domain"
+	"github.com/AzielCF/az-wap/clients_portal/auth/domain"
+	coreconfig "github.com/AzielCF/az-wap/core/config"
+	"github.com/AzielCF/az-wap/core/kvstore"
+)
+
+// MockAuthRepository to simulate DB
+type mockAuthRepo struct {
+	users map[string]*domain.PortalUser
+}
+
+func (m *mockAuthRepo) Create(ctx context.Context, user *domain.PortalUser) error {
+	m.users[user.ID] = user
+	return nil
+}
+func (m *mockAuthRepo) GetByUsername(ctx context.Context, username string) (*domain.PortalUser, error) {
+	return nil, nil // not needed for magic link
+}
+func (m *mockAuthRepo) GetByPhone(ctx context.Context, phone string) (*domain.PortalUser, error) {
+	for _, u := range m.users {
+		if u.Phone == phone {
+			return u, nil
+		}
+	}
+	return nil, nil
+}
+func (m *mockAuthRepo) GetByID(ctx context.Context, id string) (*domain.PortalUser, error) {
+	u, ok := m.users[id]
+	if !ok {
+		return nil, nil
+	}
+	return u, nil
+}
+func (m *mockAuthRepo) UpdateLastLogin(ctx context.Context, id string) error {
+	return nil
+}
+func (m *mockAuthRepo) Update(ctx context.Context, user *domain.PortalUser) error {
+	m.users[user.ID] = user
+	return nil
+}
+func (m *mockAuthRepo) ListByClient(ctx context.Context, clientID string) ([]*domain.PortalUser, error) {
+	var results []*domain.PortalUser
+	for _, u := range m.users {
+		if u.ClientID == clientID {
+			results = append(results, u)
+		}
+	}
+	return results, nil
+}
+
+// MockCRMClientRepo
+type mockCRMClientRepo struct {
+}
+
+func (m *mockCRMClientRepo) GetByID(ctx context.Context, id string) (*crmDomain.Client, error) {
+	return &crmDomain.Client{ID: id, DisplayName: "Mock Client"}, nil
+}
+func (m *mockCRMClientRepo) Create(ctx context.Context, client *crmDomain.Client) error { return nil }
+func (m *mockCRMClientRepo) Update(ctx context.Context, client *crmDomain.Client) error { return nil }
+func (m *mockCRMClientRepo) Delete(ctx context.Context, id string) error                { return nil }
+func (m *mockCRMClientRepo) GetByPhone(ctx context.Context, phone string) (*crmDomain.Client, error) {
+	return nil, nil
+}
+func (m *mockCRMClientRepo) GetByPlatform(ctx context.Context, platformID string, platformType crmDomain.PlatformType) (*crmDomain.Client, error) {
+	return nil, nil
+}
+func (m *mockCRMClientRepo) List(ctx context.Context, filter crmDomain.ClientFilter) ([]*crmDomain.Client, error) {
+	return nil, nil
+}
+func (m *mockCRMClientRepo) ListByTier(ctx context.Context, tier crmDomain.ClientTier) ([]*crmDomain.Client, error) {
+	return nil, nil
+}
+func (m *mockCRMClientRepo) ListByTag(ctx context.Context, tag string) ([]*crmDomain.Client, error) {
+	return nil, nil
+}
+func (m *mockCRMClientRepo) Search(ctx context.Context, query string) ([]*crmDomain.Client, error) {
+	return nil, nil
+}
+func (m *mockCRMClientRepo) CountByTier(ctx context.Context) (map[crmDomain.ClientTier]int, error) {
+	return nil, nil
+}
+func (m *mockCRMClientRepo) UpdateLastInteraction(ctx context.Context, id string, t time.Time) error {
+	return nil
+}
+func (m *mockCRMClientRepo) AddTag(ctx context.Context, id string, tag string) error {
+	return nil
+}
+func (m *mockCRMClientRepo) RemoveTag(ctx context.Context, id string, tag string) error {
+	return nil
+}
+
+func TestAuthService_MagicLink_Flow(t *testing.T) {
+	// 1. Setup minimal config for JWT
+	coreconfig.Global = &coreconfig.Config{}
+	coreconfig.Global.Security.PortalJWTSecret = "test-secret"
+
+	// 2. Setup dependencies
+	repo := &mockAuthRepo{users: make(map[string]*domain.PortalUser)}
+	crmRepo := &mockCRMClientRepo{}
+	cacheStore := kvstore.NewSmartStore(nil) // In-memory
+
+	service := NewAuthService(repo, crmRepo, nil, cacheStore)
+	ctx := context.Background()
+
+	// SCENARIO 1: Generate and Redeem FIRST token
+	clientID := "client-123"
+	phone := "1234567890"
+
+	token1, err := service.GenerateMagicLink(ctx, clientID, phone)
+	if err != nil {
+		t.Fatalf("Failed to generate first magic link: %v", err)
+	}
+
+	session1, user1, err := service.RedeemMagicLink(ctx, token1)
+	if err != nil {
+		t.Fatalf("Failed to redeem first magic link: %v", err)
+	}
+	if session1 == "" || user1 == nil {
+		t.Fatalf("Expected valid session and user, got empty/nil")
+	}
+
+	// SCENARIO 2: Generate and Redeem SECOND token (This is where the user says it crashes or fails entirely)
+	// Because we cleared the cid mapping, generating another token for the SAME client should create a NEW token.
+	token2, err := service.GenerateMagicLink(ctx, clientID, phone)
+	if err != nil {
+		t.Fatalf("Failed to generate second magic link: %v", err)
+	}
+
+	session2, user2, err := service.RedeemMagicLink(ctx, token2)
+	if err != nil {
+		t.Fatalf("Failed to redeem second magic link: %v", err)
+	}
+	if session2 == "" || user2 == nil {
+		t.Fatalf("Expected valid session and user on second attempt, got empty/nil")
+	}
+
+	t.Log("Successfully generated and redeemed magic links multiple times without panicking!")
+}
diff --git a/src/clients_portal/auth/domain/user.go b/src/clients_portal/auth/domain/user.go
index 5b76c04..f599326 100644
--- a/src/clients_portal/auth/domain/user.go
+++ b/src/clients_portal/auth/domain/user.go
@@ -18,44 +18,100 @@ const (
 
 // PortalUser represents a user who can log in to the Client Portal
 type PortalUser struct {
-	ID           string     `json:"id" gorm:"primaryKey"`
-	ClientID     string     `json:"client_id" gorm:"index"`          // Link to CRM (Optional)
-	Username     string     `json:"username" gorm:"unique;not null"` // Phone or Email
-	PasswordHash string     `json:"-"`
-	FullName     string     `json:"full_name"`
-	Role         PortalRole `json:"role" gorm:"default:'MEMBER'"`
-	Active       bool       `json:"active" gorm:"default:true"`
-	LastLoginAt  *time.Time `json:"last_login_at,omitempty"`
-	CreatedAt    time.Time  `json:"created_at"`
-	UpdatedAt    time.Time  `json:"updated_at"`
+	ID       string `json:"id" gorm:"primaryKey"`
+	ClientID string `json:"client_id" gorm:"index"` // Link to CRM (Optional)
+
+	// Identity
+	Email    *string `json:"email" gorm:"unique;index"`    // Primary ID for Login (Nullable for shadow users)
+	Phone    string  `json:"phone" gorm:"index"`           // Linked phone for Magic Links (Optional)
+	Username string  `json:"username" gorm:"unique;index"` // Can be Email or Handle
+
+	PasswordHash string `json:"-"`
+	IsShadow     bool   `json:"is_shadow" gorm:"default:false"` // True if profile is incomplete (no password/email confirmed)
+
+	FullName    string     `json:"full_name"`
+	Role        PortalRole `json:"role" gorm:"default:'MEMBER'"`
+	Active      bool       `json:"active" gorm:"default:true"`
+	LastLoginAt *time.Time `json:"last_login_at"`
+	CreatedAt   time.Time  `json:"created_at"`
+	UpdatedAt   time.Time  `json:"updated_at"`
+}
+
+// PortalAccountView is a safe subset of Client CRM data for the portal
+type PortalAccountView struct {
+	DisplayName    string         `json:"display_name"`
+	Phone          string         `json:"phone"`
+	Tier           string         `json:"tier"`
+	Tags           []string       `json:"tags"`
+	OwnedChannels  []string       `json:"owned_channels"`
+	Language       string         `json:"language"`
+	Timezone       string         `json:"timezone"`
+	Country        string         `json:"country"`
+	WorkspaceCount int            `json:"workspace_count"`
+	Metadata       map[string]any `json:"metadata"`
+	IsTester       bool           `json:"is_tester"`
+}
+
+// SafePortalUserView hides internal IDs like ClientID
+type SafePortalUserView struct {
+	ID          string     `json:"id"`
+	Email       *string    `json:"email"`
+	Phone       string     `json:"phone"`
+	Username    string     `json:"username"`
+	FullName    string     `json:"full_name"`
+	Role        PortalRole `json:"role"`
+	Active      bool       `json:"active"`
+	IsShadow    bool       `json:"is_shadow"`
+	LastLoginAt *time.Time `json:"last_login_at"`
+	CreatedAt   time.Time  `json:"created_at"`
 }
 
 // PortalProfile represents a combined view of the user and their account/client info
 type PortalProfile struct {
-	User    *PortalUser `json:"user"`
-	Account any         `json:"account"` // Combined with domain.Client info
+	User    *SafePortalUserView `json:"user"`
+	Account *PortalAccountView  `json:"account"` // Replaced *crmDomain.Client with safe view
 }
 
-// NewPortalUser creates a new instance with a generated ID
-func NewPortalUser(clientID, username, passwordHash string, role PortalRole) *PortalUser {
+// NewPortalUser creates a new instance (Standard Registration)
+func NewPortalUser(clientID, email, passwordHash string, role PortalRole) *PortalUser {
 	return &PortalUser{
 		ID:           uuid.New().String(),
 		ClientID:     clientID,
-		Username:     username,
+		Email:        &email,
+		Username:     email, // Default username is email
 		PasswordHash: passwordHash,
 		Role:         role,
 		Active:       true,
+		IsShadow:     false,
 		CreatedAt:    time.Now(),
 		UpdatedAt:    time.Now(),
 	}
 }
 
+// NewShadowUser creates a temporary user from a Channel (e.g. WhatsApp)
+func NewShadowUser(clientID, phone string, role PortalRole) *PortalUser {
+	return &PortalUser{
+		ID:       uuid.New().String(),
+		ClientID: clientID,
+		Phone:    phone,
+		// Username left empty or generated placeholder until registration is complete
+		Username:  "shadow_" + uuid.New().String()[:8],
+		Role:      role,
+		Active:    true,
+		IsShadow:  true,
+		CreatedAt: time.Now(),
+		UpdatedAt: time.Now(),
+	}
+}
+
 // IAuthRepository defines the persistence for authentication
 type IAuthRepository interface {
 	Create(ctx context.Context, user *PortalUser) error
 	GetByUsername(ctx context.Context, username string) (*PortalUser, error)
+	GetByPhone(ctx context.Context, phone string) (*PortalUser, error)
 	GetByID(ctx context.Context, id string) (*PortalUser, error)
 	UpdateLastLogin(ctx context.Context, id string) error
+	Update(ctx context.Context, user *PortalUser) error
 	ListByClient(ctx context.Context, clientID string) ([]*PortalUser, error)
 }
 
@@ -65,4 +121,7 @@ type IAuthService interface {
 	Register(ctx context.Context, clientID, username, password, fullName string, role PortalRole) (*PortalUser, error)
 	ValidateToken(ctx context.Context, token string) (*PortalUser, error)
 	GetUserProfile(ctx context.Context, userID string) (*PortalProfile, error)
+	UpdateProfile(ctx context.Context, userID string, email *string, fullName, password string) error
+	GenerateMagicLink(ctx context.Context, clientID, phone string) (string, error)
+	RedeemMagicLink(ctx context.Context, token string) (string, *PortalUser, error)
 }
diff --git a/src/clients_portal/auth/infrastructure/handlers.go b/src/clients_portal/auth/infrastructure/handlers.go
index aa3555b..96bf4b0 100644
--- a/src/clients_portal/auth/infrastructure/handlers.go
+++ b/src/clients_portal/auth/infrastructure/handlers.go
@@ -5,6 +5,7 @@ import (
 
 	"github.com/AzielCF/az-wap/clients_portal/auth/application"
 	"github.com/AzielCF/az-wap/clients_portal/auth/domain"
+	coreconfig "github.com/AzielCF/az-wap/core/config"
 	"github.com/gofiber/fiber/v2"
 )
 
@@ -49,7 +50,6 @@ func (h *AuthHandler) Login(c *fiber.Ctx) error {
 			"username":  user.Username,
 			"full_name": user.FullName,
 			"role":      user.Role,
-			"client_id": user.ClientID,
 		},
 	})
 }
@@ -101,3 +101,126 @@ func (h *AuthHandler) Me(c *fiber.Ctx) error {
 
 	return c.JSON(profile)
 }
+
+// GenerateMagicLink creates a magic link URL for a phone number (Admin/Bot use only)
+func (h *AuthHandler) GenerateMagicLink(c *fiber.Ctx) error {
+	// 1. Security Check: Validate internal master key
+	secret := c.Get("X-Internal-Key")
+	masterKey := coreconfig.Global.Security.PortalInternalKey
+
+	if secret == "" || secret != masterKey {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden: invalid internal key"})
+	}
+
+	type Request struct {
+		ClientID string `json:"client_id"`
+		Phone    string `json:"phone"`
+	}
+	var req Request
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request"})
+	}
+
+	token, err := h.authService.GenerateMagicLink(c.Context(), req.ClientID, req.Phone)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	// In production, this would be the full frontend URL
+	magicURL := "/auth/magic-login?token=" + token
+
+	return c.JSON(fiber.Map{
+		"token": token,
+		"url":   magicURL,
+	})
+}
+
+// RedeemMagicLink handles the exchange of magic token for session token
+func (h *AuthHandler) RedeemMagicLink(c *fiber.Ctx) error {
+	type Request struct {
+		Token string `json:"token"`
+	}
+	var req Request
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request"})
+	}
+
+	sessionToken, user, err := h.authService.RedeemMagicLink(c.Context(), req.Token)
+	if err != nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "invalid or expired link"})
+	}
+
+	return c.JSON(fiber.Map{
+		"token": sessionToken,
+		"user":  user,
+	})
+}
+
+// UpdateProfile handles user profile updates
+func (h *AuthHandler) UpdateProfile(c *fiber.Ctx) error {
+	userID, ok := c.Locals("portal_user_id").(string)
+	if !ok {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "unauthorized"})
+	}
+
+	type Request struct {
+		Email    string `json:"email"`
+		FullName string `json:"full_name"`
+		Password string `json:"password"`
+	}
+
+	var req Request
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request body"})
+	}
+
+	var emailPtr *string
+	if req.Email != "" {
+		emailPtr = &req.Email
+	}
+
+	err := h.authService.UpdateProfile(c.Context(), userID, emailPtr, req.FullName, req.Password)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.JSON(fiber.Map{"message": "profile updated successfully"})
+}
+
+// ListAccountsState allows admin to query the portal status of multiple clients
+func (h *AuthHandler) ListAccountsState(c *fiber.Ctx) error {
+	idsParam := c.Query("ids")
+	var ids []string
+	if idsParam != "" {
+		ids = strings.Split(idsParam, ",")
+	}
+
+	accounts, err := h.authService.ListAccountsState(c.Context(), ids)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(accounts)
+}
+
+// CreatePortalAccount allows admin to provision a portal account for a client
+func (h *AuthHandler) CreatePortalAccount(c *fiber.Ctx) error {
+	clientID := c.Params("id")
+	type Request struct {
+		Email    string `json:"email"`
+		FullName string `json:"full_name"`
+	}
+	var req Request
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request"})
+	}
+
+	user, err := h.authService.CreateAccountByAdmin(c.Context(), clientID, req.Email, req.FullName)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.JSON(fiber.Map{
+		"message": "portal account provisioned successfully",
+		"user_id": user.ID,
+	})
+}
diff --git a/src/clients_portal/auth/infrastructure/middleware.go b/src/clients_portal/auth/infrastructure/middleware.go
index a79bcb7..9d107b9 100644
--- a/src/clients_portal/auth/infrastructure/middleware.go
+++ b/src/clients_portal/auth/infrastructure/middleware.go
@@ -36,18 +36,21 @@ func NewAuthMiddleware(userRepo domain.IAuthRepository) fiber.Handler {
 			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "invalid or expired token"})
 		}
 
-		// 3. (Optional) Check user existence in our local DB
-		// If using BetterAuth, maybe "sync" the user or trust claims.
-		// For now, check DB.
-		// user, err := userRepo.GetByID(c.Context(), claims.UserID)
-		// if err != nil {
-		// 	 return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "user not found"})
-		// }
+		// 3. Validate user existence and get fresh data
+		user, err := userRepo.GetByID(c.Context(), claims.UserID)
+		if err != nil {
+			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "user not found or inactive"})
+		}
+
+		if !user.Active {
+			return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "account is deactivated"})
+		}
 
 		// 4. Inject context for next handlers
-		c.Locals("portal_user_id", claims.UserID)
-		c.Locals("portal_client_id", claims.ClientID)
-		c.Locals("portal_role", claims.Role)
+		c.Locals("user", user) // Crucial for feature handlers
+		c.Locals("portal_user_id", user.ID)
+		c.Locals("portal_client_id", user.ClientID)
+		c.Locals("portal_role", user.Role)
 
 		return c.Next()
 	}
diff --git a/src/clients_portal/auth/repository/gorm_repo.go b/src/clients_portal/auth/repository/gorm_repo.go
index 574acd3..fc2e9d2 100644
--- a/src/clients_portal/auth/repository/gorm_repo.go
+++ b/src/clients_portal/auth/repository/gorm_repo.go
@@ -35,6 +35,15 @@ func (r *GormAuthRepository) GetByUsername(ctx context.Context, username string)
 	return &user, err
 }
 
+func (r *GormAuthRepository) GetByPhone(ctx context.Context, phone string) (*domain.PortalUser, error) {
+	var user domain.PortalUser
+	err := r.db.WithContext(ctx).Where("phone = ?", phone).First(&user).Error
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, errors.New("user not found")
+	}
+	return &user, err
+}
+
 func (r *GormAuthRepository) GetByID(ctx context.Context, id string) (*domain.PortalUser, error) {
 	var user domain.PortalUser
 	err := r.db.WithContext(ctx).Where("id = ?", id).First(&user).Error
@@ -55,6 +64,10 @@ func (r *GormAuthRepository) UpdateLastLogin(ctx context.Context, id string) err
 		}).Error
 }
 
+func (r *GormAuthRepository) Update(ctx context.Context, user *domain.PortalUser) error {
+	return r.db.WithContext(ctx).Save(user).Error
+}
+
 func (r *GormAuthRepository) ListByClient(ctx context.Context, clientID string) ([]*domain.PortalUser, error) {
 	var users []*domain.PortalUser
 	err := r.db.WithContext(ctx).
@@ -63,3 +76,11 @@ func (r *GormAuthRepository) ListByClient(ctx context.Context, clientID string)
 		Find(&users).Error
 	return users, err
 }
+
+func (r *GormAuthRepository) GetAll(ctx context.Context, dest *[]*domain.PortalUser) error {
+	return r.db.WithContext(ctx).Find(dest).Error
+}
+
+func (r *GormAuthRepository) GetByClientIDs(ctx context.Context, clientIDs []string, dest *[]*domain.PortalUser) error {
+	return r.db.WithContext(ctx).Where("client_id IN ?", clientIDs).Find(dest).Error
+}
diff --git a/src/clients_portal/http/router.go b/src/clients_portal/http/router.go
new file mode 100644
index 0000000..f4914ac
--- /dev/null
+++ b/src/clients_portal/http/router.go
@@ -0,0 +1,75 @@
+package http
+
+import (
+	authInfra "github.com/AzielCF/az-wap/clients_portal/auth/infrastructure"
+	featuresInfra "github.com/AzielCF/az-wap/clients_portal/features/infrastructure"
+	coreConfig "github.com/AzielCF/az-wap/core/config"
+	"github.com/gofiber/fiber/v2"
+)
+
+// RegisterPortalRoutes centralizes all Client Portal route definitions.
+// It manages:
+// 1. Internal/Admin routes (via baseAPI, protected by system BasicAuth)
+// 2. Public Portal routes (via app, separated from system auth)
+// 3. Protected Portal routes (via middleware)
+func RegisterPortalRoutes(
+	app fiber.Router,
+	baseAPI fiber.Router,
+	authHandler *authInfra.AuthHandler,
+	featuresHandler *featuresInfra.FeaturesHandler,
+	portalAuthMiddleware fiber.Handler,
+) {
+	// 1. Internal Admin Routes (Attached to system API group)
+	// Used by admin dashboard relative to /api/internal
+	baseAPI.Post("/internal/clients/:id/portal-account", authHandler.CreatePortalAccount)
+	baseAPI.Get("/internal/portal-accounts", authHandler.ListAccountsState)
+	baseAPI.Post("/internal/magic-link/generate", authHandler.GenerateMagicLink)
+
+	// 2. Public Portal Routes (/api/portal)
+	// Created directly on app router to manage middleware stack independently
+	portalGroup := app.Group(coreConfig.Global.App.BasePath + "/api/portal")
+
+	portalGroup.Post("/login", authHandler.Login)
+	portalGroup.Post("/magic-link/redeem", authHandler.RedeemMagicLink)
+
+	// 3. Protected Portal Routes (Require valid Portal Token)
+	protected := portalGroup.Group("", portalAuthMiddleware)
+
+	// Auth Module Routes
+	protected.Get("/me", authHandler.Me)
+	protected.Put("/profile", authHandler.UpdateProfile)
+
+	// Features Module Routes
+	protected.Get("/reminders", featuresHandler.ListReminders)
+	protected.Get("/info", featuresHandler.GetGeneralInfo)
+	protected.Get("/owned-channels", featuresHandler.GetOwnedChannels)
+	protected.Get("/authorized-agents", featuresHandler.GetAuthorizedAgents)
+
+	// Access Rules for Channels
+	protected.Get("/owned-channels/:cid/access-rules", featuresHandler.GetChannelAccessRules)
+	protected.Post("/owned-channels/:cid/access-rules", featuresHandler.AddChannelAccessRule)
+	protected.Delete("/owned-channels/:cid/access-rules/:rid", featuresHandler.DeleteChannelAccessRule)
+	protected.Get("/owned-channels/:cid/resolve-identity", featuresHandler.ResolveIdentity)
+
+	// Edit Channel
+	protected.Put("/owned-channels/:cid/name", featuresHandler.UpdateChannelName)
+
+	// Workspace Management (ABAC restricted)
+	protected.Get("/workspaces", featuresHandler.ListWorkspaces)
+	protected.Get("/workspaces/:wid/channels", featuresHandler.ListWorkspaceChannels)
+	protected.Get("/workspaces/:wid/guests", featuresHandler.ListGuests)
+
+	wsGroup := protected.Group("/workspaces", featuresHandler.EnforceWorkspaceFeature)
+	wsGroup.Post("", featuresHandler.CreateWorkspace)
+	wsGroup.Put("/:wid", featuresHandler.UpdateWorkspace)
+	wsGroup.Delete("/:wid", featuresHandler.DeleteWorkspace)
+
+	// Workspace Channels (Write Actions)
+	wsGroup.Post("/:wid/channels/:cid", featuresHandler.LinkChannel)
+	wsGroup.Delete("/:wid/channels/:cid", featuresHandler.UnlinkChannel)
+
+	// Workspace Guests (Write Actions)
+	wsGroup.Post("/:wid/guests", featuresHandler.CreateGuest)
+	wsGroup.Put("/:wid/guests/:gid", featuresHandler.UpdateGuest)
+	wsGroup.Delete("/:wid/guests/:gid", featuresHandler.DeleteGuest)
+}
diff --git a/src/clients_portal/shared/security/jwt.go b/src/clients_portal/shared/security/jwt.go
index 447a3d9..ec67f80 100644
--- a/src/clients_portal/shared/security/jwt.go
+++ b/src/clients_portal/shared/security/jwt.go
@@ -1,16 +1,20 @@
 package security
 
 import (
+	"crypto/rand"
+	"encoding/hex"
 	"errors"
 	"time"
 
 	"github.com/AzielCF/az-wap/clients_portal/auth/domain"
+	coreconfig "github.com/AzielCF/az-wap/core/config"
 	"github.com/golang-jwt/jwt/v5"
 	"golang.org/x/crypto/bcrypt"
 )
 
-// TODO: Move key to .env
-var JwtSecretKey = []byte("super-secret-portal-key-change-me")
+func getSecretKey() []byte {
+	return []byte(coreconfig.Global.Security.PortalJWTSecret)
+}
 
 type PortalClaims struct {
 	UserID   string            `json:"uid"`
@@ -21,7 +25,7 @@ type PortalClaims struct {
 
 // GenerateToken creates a new JWT for the portal user
 func GenerateToken(userID, clientID string, role domain.PortalRole) (string, error) {
-	expirationTime := time.Now().Add(24 * time.Hour) // Token valid for 1 day
+	expirationTime := time.Now().Add(30 * time.Minute) // Short session for security
 
 	claims := &PortalClaims{
 		UserID:   userID,
@@ -35,14 +39,42 @@ func GenerateToken(userID, clientID string, role domain.PortalRole) (string, err
 	}
 
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	return token.SignedString(JwtSecretKey)
+	return token.SignedString(getSecretKey())
+}
+
+// GenerateMagicToken creates a short-lived (15m) token for passwordless login
+func GenerateMagicToken(userID, clientID string) (string, error) {
+	expirationTime := time.Now().Add(15 * time.Minute)
+
+	claims := &PortalClaims{
+		UserID:   userID,
+		ClientID: clientID,
+		Role:     domain.RoleMember, // Magic link users have minimal role initially
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(expirationTime),
+			IssuedAt:  jwt.NewNumericDate(time.Now()),
+		},
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+	return token.SignedString(getSecretKey())
+}
+
+// GenerateOpaqueToken creates a short, random opaque string for magic links
+func GenerateOpaqueToken() (string, error) {
+	b := make([]byte, 16) // 32 chars in hex, much shorter than JWT
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(b), nil
 }
 
 // ValidateToken parses and validates a JWT token
 func ValidateToken(tokenString string) (*PortalClaims, error) {
+	// 2. Validate token (With 1m leeway for clock skew)
 	token, err := jwt.ParseWithClaims(tokenString, &PortalClaims{}, func(token *jwt.Token) (interface{}, error) {
-		return JwtSecretKey, nil
-	})
+		return getSecretKey(), nil
+	}, jwt.WithLeeway(time.Minute))
 
 	if err != nil {
 		return nil, err

From 8278754a0c4caea3885f27ecb6e49e3f101775ca Mon Sep 17 00:00:00 2001
From: Aziel <azielcruzado@gmail.com>
Date: Tue, 24 Feb 2026 12:18:46 -0500
Subject: [PATCH 07/12] [ClientsPortal] Add portal features for channel and
 workspace management

---
 .../tools/only-clients/portal_tool.go         |  76 ++
 .../features/infrastructure/handler.go        | 818 ++++++++++++++++++
 2 files changed, 894 insertions(+)
 create mode 100644 src/botengine/tools/only-clients/portal_tool.go
 create mode 100644 src/clients_portal/features/infrastructure/handler.go

diff --git a/src/botengine/tools/only-clients/portal_tool.go b/src/botengine/tools/only-clients/portal_tool.go
new file mode 100644
index 0000000..83cfdf6
--- /dev/null
+++ b/src/botengine/tools/only-clients/portal_tool.go
@@ -0,0 +1,76 @@
+package onlyclients
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/AzielCF/az-wap/botengine/domain"
+	domainMCP "github.com/AzielCF/az-wap/botengine/domain/mcp"
+	coreconfig "github.com/AzielCF/az-wap/core/config"
+)
+
+// GetPortalLinkTool allows a registered client to get their portal access link
+func (t *ClientTools) GetPortalLinkTool() *domain.NativeTool {
+	return &domain.NativeTool{
+		IsVisible: IsClientRegistered,
+		Tool: domainMCP.Tool{
+			Name:        "get_portal_access_link",
+			Description: "Generates a secure, temporary magic link for the user to access their client portal. Use this ONLY when the user asks for 'access', 'portal', 'link to my account', or similar. If the user is not a registered client, it will fail.",
+			InputSchema: map[string]interface{}{
+				"type":       "object",
+				"properties": map[string]interface{}{},
+				"required":   []string{},
+			},
+		},
+		Handler: func(ctx context.Context, ctxData map[string]interface{}, args map[string]interface{}) (map[string]interface{}, error) {
+			// 1. Get client ID from context (Already verified by IsVisible)
+			clientID := ""
+			phone := ""
+
+			if cc, ok := ctxData["client_context"].(*domain.ClientContext); ok && cc != nil {
+				clientID = cc.ClientID
+				phone = cc.Phone
+			}
+
+			// Fallback if context is somehow missing (safety)
+			if clientID == "" {
+				if metadata, ok := ctxData["metadata"].(map[string]any); ok {
+					if cID, ok := metadata["client_id"].(string); ok {
+						clientID = cID
+					}
+					if ph, ok := metadata["phone"].(string); ok {
+						phone = ph
+					}
+				}
+			}
+
+			if clientID == "" {
+				return map[string]interface{}{
+					"success": false,
+					"message": "I couldn't identify your client profile. Access denied.",
+				}, nil
+			}
+
+			// 2. Generate Magic Link via AuthService
+			token, err := t.authService.GenerateMagicLink(ctx, clientID, phone)
+			if err != nil {
+				return nil, fmt.Errorf("failed to generate portal link: %w", err)
+			}
+
+			// 3. Build the final URL
+			portalURL := coreconfig.Global.App.PortalURL
+			if portalURL == "" {
+				// Fallback to local server if no dedicated portal URL is set
+				portalURL = fmt.Sprintf("%s/portal", coreconfig.Global.App.BaseUrl)
+			}
+
+			accessLink := fmt.Sprintf("%s/auth/redeem?token=%s", portalURL, token)
+
+			return map[string]interface{}{
+				"success": true,
+				"message": fmt.Sprintf("Access link generated: %s (Expires in 15m). Please send this link to the user.", accessLink),
+				"link":    accessLink,
+			}, nil
+		},
+	}
+}
diff --git a/src/clients_portal/features/infrastructure/handler.go b/src/clients_portal/features/infrastructure/handler.go
new file mode 100644
index 0000000..b0aaab8
--- /dev/null
+++ b/src/clients_portal/features/infrastructure/handler.go
@@ -0,0 +1,818 @@
+package infrastructure
+
+import (
+	"context"
+	"sort"
+	"strings"
+	"time"
+
+	"github.com/AzielCF/az-wap/botengine/domain/bot"
+	clientsApp "github.com/AzielCF/az-wap/clients/application"
+	clientsDomain "github.com/AzielCF/az-wap/clients/domain"
+	portalDomain "github.com/AzielCF/az-wap/clients_portal/auth/domain"
+	domainNewsletter "github.com/AzielCF/az-wap/domains/newsletter"
+	"github.com/AzielCF/az-wap/pkg/utils"
+	"github.com/AzielCF/az-wap/workspace"
+	"github.com/AzielCF/az-wap/workspace/domain/channel"
+	"github.com/AzielCF/az-wap/workspace/domain/common"
+	wsDomain "github.com/AzielCF/az-wap/workspace/domain/workspace"
+	wsRepo "github.com/AzielCF/az-wap/workspace/repository"
+	wsUsecase "github.com/AzielCF/az-wap/workspace/usecase"
+	"github.com/gofiber/fiber/v2"
+)
+
+type FeaturesHandler struct {
+	subService    *clientsApp.SubscriptionService
+	clientService *clientsApp.ClientService
+	newsletter    domainNewsletter.INewsletterUsecase
+	wsRepo        wsRepo.IWorkspaceRepository
+	botUsecase    bot.IBotUsecase
+	wsUc          *wsUsecase.WorkspaceUsecase
+	wm            *workspace.Manager
+}
+
+func NewFeaturesHandler(
+	subService *clientsApp.SubscriptionService,
+	clientService *clientsApp.ClientService,
+	newsletter domainNewsletter.INewsletterUsecase,
+	wsRepo wsRepo.IWorkspaceRepository,
+	botUsecase bot.IBotUsecase,
+	wsUc *wsUsecase.WorkspaceUsecase,
+	wm *workspace.Manager,
+) *FeaturesHandler {
+	return &FeaturesHandler{
+		subService:    subService,
+		clientService: clientService,
+		newsletter:    newsletter,
+		wsRepo:        wsRepo,
+		botUsecase:    botUsecase,
+		wsUc:          wsUc,
+		wm:            wm,
+	}
+}
+
+func (h *FeaturesHandler) EnforceWorkspaceFeature(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	client, err := h.clientService.GetByID(c.Context(), user.ClientID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "client not found"})
+	}
+
+	if !client.HasTag(clientsDomain.TagEnableWorkspaces) && !client.IsVIP() {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "Workspaces management not allowed for this account"})
+	}
+
+	return c.Next()
+}
+
+type ReminderView struct {
+	ID             string    `json:"id"`
+	Text           string    `json:"text"`
+	ScheduledAt    time.Time `json:"scheduled_at"`
+	Status         string    `json:"status"`
+	RecurrenceDays string    `json:"recurrence_days,omitempty"`
+	ChannelType    string    `json:"channel_type"`
+	BotName        string    `json:"bot_name"`
+}
+
+func (h *FeaturesHandler) ListReminders(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	ctxStd := context.Background()
+
+	subs, err := h.subService.ListByClient(ctxStd, user.ClientID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to fetch subscriptions"})
+	}
+
+	var allReminders []ReminderView = make([]ReminderView, 0)
+
+	for _, sub := range subs {
+		if !sub.IsActive() {
+			continue
+		}
+
+		ch, err := h.wsRepo.GetChannel(ctxStd, sub.ChannelID)
+		botName := "Asistente"
+		channelType := "desconocido"
+		if err == nil {
+			channelType = string(ch.Type)
+			if ch.Config.BotID != "" {
+				if b, errBot := h.botUsecase.GetByID(ctxStd, ch.Config.BotID); errBot == nil {
+					botName = b.Name
+				} else {
+					botName = ch.Name
+				}
+			} else {
+				botName = ch.Name
+			}
+		}
+
+		posts, err := h.newsletter.ListScheduled(ctxStd, sub.ChannelID)
+		if err != nil {
+			continue
+		}
+
+		for _, p := range posts {
+			allReminders = append(allReminders, ReminderView{
+				ID:             p.ID,
+				Text:           p.Text,
+				ScheduledAt:    p.ScheduledAt,
+				Status:         string(p.Status),
+				RecurrenceDays: p.RecurrenceDays,
+				ChannelType:    channelType,
+				BotName:        botName,
+			})
+		}
+	}
+
+	sort.Slice(allReminders, func(i, j int) bool {
+		return allReminders[i].ScheduledAt.Before(allReminders[j].ScheduledAt)
+	})
+
+	return c.JSON(allReminders)
+}
+
+type SubscriptionInfo struct {
+	ChannelType    string `json:"channel_type"`
+	BotName        string `json:"bot_name"`
+	BotDescription string `json:"bot_description,omitempty"`
+	Phone          string `json:"phone,omitempty"`
+}
+
+func (h *FeaturesHandler) GetGeneralInfo(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	ctxStd := context.Background()
+
+	subs, err := h.subService.ListByClient(ctxStd, user.ClientID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to fetch subscriptions"})
+	}
+
+	var activeSubs []SubscriptionInfo = make([]SubscriptionInfo, 0)
+	for _, sub := range subs {
+		if !sub.IsActive() {
+			continue
+		}
+
+		ch, err := h.wsRepo.GetChannel(ctxStd, sub.ChannelID)
+		if err == nil {
+			botID := ch.Config.BotID
+			// Priority: Subscription override > Channel config
+			if sub.CustomBotID != "" {
+				botID = sub.CustomBotID
+			}
+
+			botName := ch.Name
+			botDesc := ""
+			if botID != "" {
+				if b, errBot := h.botUsecase.GetByID(ctxStd, botID); errBot == nil {
+					botName = b.Name
+					botDesc = b.Description
+				}
+			}
+
+			phone := ""
+			if ch.Type == "whatsapp" {
+				// We prioritize ExternalRef if it looks like a phone, otherwise we could look in Settings
+				if ch.ExternalRef != "" && !strings.Contains(ch.ExternalRef, "-") && len(ch.ExternalRef) <= 15 {
+					phone = ch.ExternalRef
+				} else {
+					// Check if phone exists in settings
+					if p, ok := ch.Config.Settings["phone"].(string); ok {
+						phone = p
+					}
+				}
+			}
+
+			activeSubs = append(activeSubs, SubscriptionInfo{
+				ChannelType:    string(ch.Type),
+				BotName:        botName,
+				BotDescription: botDesc,
+				Phone:          phone,
+			})
+		}
+	}
+
+	return c.JSON(fiber.Map{
+		"subscriptions": activeSubs,
+	})
+}
+
+// GetOwnedChannels returns the channels owned by this client regardless of subscription
+func (h *FeaturesHandler) GetOwnedChannels(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	ctxStd := context.Background()
+
+	channels, err := h.wsRepo.ListChannelsByOwnerID(ctxStd, user.ClientID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "Failed to fetch owned channels"})
+	}
+
+	type SafeChannel struct {
+		ID              string  `json:"id"`
+		Name            string  `json:"name"`
+		Type            string  `json:"type"`
+		Status          string  `json:"status"`
+		BotName         string  `json:"bot_name,omitempty"`
+		BotDescription  string  `json:"bot_description,omitempty"`
+		AccumulatedCost float64 `json:"accumulated_cost,omitempty"`
+	}
+
+	// 1. Get all active subscriptions for this client to find bot overrides
+	subs, err := h.subService.ListByClient(ctxStd, user.ClientID)
+	subBotMap := make(map[string]string) // ChannelID -> BotID
+	if err == nil {
+		for _, s := range subs {
+			if s.IsActive() && s.CustomBotID != "" {
+				subBotMap[s.ChannelID] = s.CustomBotID
+			}
+		}
+	}
+
+	var safeChannels []SafeChannel
+	for _, ch := range channels {
+		sc := SafeChannel{
+			ID:     ch.ID,
+			Name:   ch.Name,
+			Type:   string(ch.Type),
+			Status: string(ch.Status),
+		}
+
+		// 2. Determine Bot ID (Subscription override > Channel config)
+		botID := ch.Config.BotID
+		if sBotID, ok := subBotMap[ch.ID]; ok {
+			botID = sBotID
+		}
+
+		if botID != "" {
+			if b, errBot := h.botUsecase.GetByID(ctxStd, botID); errBot == nil {
+				sc.BotName = b.Name
+				sc.BotDescription = b.Description
+			}
+		}
+
+		client, err := h.clientService.GetByID(ctxStd, user.ClientID)
+		if err == nil && client.IsTester {
+			sc.AccumulatedCost = ch.AccumulatedCost
+		}
+
+		safeChannels = append(safeChannels, sc)
+	}
+
+	return c.JSON(safeChannels)
+}
+
+func (h *FeaturesHandler) GetAuthorizedAgents(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	client, err := h.clientService.GetByID(c.Context(), user.ClientID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "client not found"})
+	}
+
+	var agents []fiber.Map
+	for _, botID := range client.AllowedBots {
+		// Use botUsecase to get the human readable bot name, fallback to ID
+		bot, err := h.botUsecase.GetByID(c.Context(), botID)
+		name := botID
+		desc := ""
+		capabilities := fiber.Map{
+			"audio":    false,
+			"image":    false,
+			"video":    false,
+			"document": false,
+		}
+		if err == nil && bot.ID != "" {
+			name = bot.Name
+			desc = bot.Description
+			capabilities["audio"] = bot.AudioEnabled
+			capabilities["image"] = bot.ImageEnabled
+			capabilities["video"] = bot.VideoEnabled
+			capabilities["document"] = bot.DocumentEnabled
+		}
+		agents = append(agents, fiber.Map{
+			"id":           botID,
+			"name":         name,
+			"description":  desc,
+			"capabilities": capabilities,
+		})
+	}
+
+	if agents == nil {
+		agents = []fiber.Map{}
+	}
+
+	return c.JSON(agents)
+}
+
+// Access Rules for portal
+
+func (h *FeaturesHandler) GetChannelAccessRules(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	cid := c.Params("cid")
+	// Verify possession
+	ch, err := h.wsRepo.GetChannel(c.Context(), cid)
+	if err != nil || ch.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	rules, err := h.wsUc.GetAccessRules(c.Context(), cid)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	type SafeRule struct {
+		ID       string `json:"id"`
+		Identity string `json:"identity"`
+		Action   string `json:"action"`
+		Label    string `json:"label"`
+	}
+
+	var safeRules []SafeRule
+	for _, r := range rules {
+		identity := r.Identity
+		if idx := strings.Index(identity, "@"); idx != -1 {
+			identity = identity[:idx]
+		}
+		safeRules = append(safeRules, SafeRule{
+			ID:       r.ID,
+			Identity: identity,
+			Action:   string(r.Action),
+			Label:    r.Label,
+		})
+	}
+
+	return c.JSON(safeRules)
+}
+
+func (h *FeaturesHandler) UpdateChannelName(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	cid := c.Params("cid")
+	ch, err := h.wsRepo.GetChannel(c.Context(), cid)
+	if err != nil || ch.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	var req struct {
+		Name string `json:"name"`
+	}
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request"})
+	}
+	if req.Name == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "name is required"})
+	}
+
+	ch.Name = req.Name
+	if err := h.wsRepo.UpdateChannel(c.Context(), ch); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "could not update channel"})
+	}
+
+	return c.JSON(fiber.Map{"status": "updated", "name": ch.Name})
+}
+
+func (h *FeaturesHandler) AddChannelAccessRule(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	cid := c.Params("cid")
+	ch, err := h.wsRepo.GetChannel(c.Context(), cid)
+	if err != nil || ch.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	var req struct {
+		Identity string              `json:"identity"`
+		Action   common.AccessAction `json:"action"`
+		Label    string              `json:"label"`
+	}
+
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	if req.Identity == "" || req.Action == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "identity and action are required"})
+	}
+
+	adapter, ok := h.wm.GetAdapter(cid)
+	if ok {
+		resolved, err := adapter.ResolveIdentity(c.Context(), req.Identity)
+		if err == nil && resolved != "" {
+			req.Identity = resolved
+		}
+	} else if string(ch.Type) == "whatsapp" {
+		if !strings.Contains(req.Identity, "@") {
+			phoneNumber := strings.TrimLeft(req.Identity, "+")
+			phoneNumber = strings.ReplaceAll(phoneNumber, " ", "")
+			phoneNumber = strings.ReplaceAll(phoneNumber, "-", "")
+			req.Identity = phoneNumber + "@s.whatsapp.net"
+		}
+	}
+
+	err = h.wsUc.AddAccessRule(c.Context(), cid, req.Identity, req.Action, req.Label)
+	if err != nil {
+		if err == common.ErrDuplicateRule {
+			return c.Status(fiber.StatusConflict).JSON(fiber.Map{"error": "duplicate_entry"})
+		}
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.JSON(fiber.Map{"status": "created", "resolved_identity": req.Identity})
+}
+
+func (h *FeaturesHandler) DeleteChannelAccessRule(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	cid := c.Params("cid")
+	rid := c.Params("rid")
+
+	ch, err := h.wsRepo.GetChannel(c.Context(), cid)
+	if err != nil || ch.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	if err := h.wsUc.DeleteAccessRule(c.Context(), rid); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.SendStatus(fiber.StatusNoContent)
+}
+
+func (h *FeaturesHandler) ResolveIdentity(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	cid := c.Params("cid")
+	ch, err := h.wsRepo.GetChannel(c.Context(), cid)
+	if err != nil || ch.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	identity := c.Query("identity")
+	if identity == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "identity is required"})
+	}
+
+	adapter, ok := h.wm.GetAdapter(cid)
+	if !ok {
+		return c.Status(fiber.StatusServiceUnavailable).JSON(fiber.Map{"error": "channel adapter not running"})
+	}
+
+	resolved, err := adapter.ResolveIdentity(c.Context(), identity)
+	if err != nil {
+		return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "could_not_resolve"})
+	}
+
+	phone := ""
+	if !strings.Contains(identity, "@") {
+		phone = identity
+	}
+
+	name := ""
+	if contact, err := adapter.GetContact(c.Context(), resolved); err == nil {
+		name = contact.Name
+	}
+	return c.JSON(fiber.Map{
+		"resolved_identity": resolved,
+		"phone":             phone,
+		"name":              name,
+		"status":            "verified",
+	})
+}
+
+// --- Client Workspace Handlers ---
+
+func (h *FeaturesHandler) ListWorkspaces(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	workspaces, err := h.wsUc.ListClientWorkspaces(c.Context(), user.ClientID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	if workspaces == nil {
+		workspaces = []wsDomain.ClientWorkspace{}
+	}
+
+	return c.JSON(workspaces)
+}
+
+func (h *FeaturesHandler) CreateWorkspace(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	var req struct {
+		Name        string `json:"name"`
+		Description string `json:"description"`
+	}
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request"})
+	}
+
+	ws, err := h.wsUc.CreateClientWorkspace(c.Context(), user.ClientID, req.Name, req.Description)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.Status(fiber.StatusCreated).JSON(ws)
+}
+
+func (h *FeaturesHandler) UpdateWorkspace(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	wid := c.Params("wid")
+	var req struct {
+		Name        string `json:"name"`
+		Description string `json:"description"`
+	}
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request"})
+	}
+
+	// Verify ownership
+	ws, err := h.wsRepo.GetClientWorkspace(c.Context(), wid)
+	if err != nil || ws.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	ws.Name = req.Name
+	ws.Description = req.Description
+	ws.UpdatedAt = time.Now().UTC()
+
+	if err := h.wsRepo.UpdateClientWorkspace(c.Context(), ws); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.JSON(ws)
+}
+
+func (h *FeaturesHandler) DeleteWorkspace(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	wid := c.Params("wid")
+	// Verify ownership
+	ws, err := h.wsRepo.GetClientWorkspace(c.Context(), wid)
+	if err != nil || ws.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	if err := h.wsUc.DeleteClientWorkspace(c.Context(), wid); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.SendStatus(fiber.StatusNoContent)
+}
+
+// --- Workspace Channels ---
+
+func (h *FeaturesHandler) ListWorkspaceChannels(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	wid := c.Params("wid")
+	// Verify ownership
+	ws, err := h.wsRepo.GetClientWorkspace(c.Context(), wid)
+	if err != nil || ws.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	channels, err := h.wsRepo.ListChannelsInClientWorkspace(c.Context(), wid)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	if channels == nil {
+		channels = []channel.Channel{}
+	}
+
+	return c.JSON(channels)
+}
+
+func (h *FeaturesHandler) LinkChannel(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	wid := c.Params("wid")
+	cid := c.Params("cid")
+
+	// Verify ownership of both
+	ws, err := h.wsRepo.GetClientWorkspace(c.Context(), wid)
+	if err != nil || ws.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden (workspace)"})
+	}
+
+	ch, err := h.wsRepo.GetChannel(c.Context(), cid)
+	if err != nil || ch.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden (channel)"})
+	}
+
+	if err := h.wsUc.LinkChannelToClientWorkspace(c.Context(), wid, cid); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.SendStatus(fiber.StatusNoContent)
+}
+
+func (h *FeaturesHandler) UnlinkChannel(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	wid := c.Params("wid")
+	cid := c.Params("cid")
+
+	// Verify ownership
+	ws, err := h.wsRepo.GetClientWorkspace(c.Context(), wid)
+	if err != nil || ws.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	if err := h.wsUc.UnlinkChannelFromClientWorkspace(c.Context(), wid, cid); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.SendStatus(fiber.StatusNoContent)
+}
+
+// --- Workspace Guests ---
+
+func (h *FeaturesHandler) ListGuests(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	wid := c.Params("wid")
+	// Verify ownership
+	ws, err := h.wsRepo.GetClientWorkspace(c.Context(), wid)
+	if err != nil || ws.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	guests, err := h.wsRepo.ListGuestsInClientWorkspace(c.Context(), wid)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	if guests == nil {
+		guests = []wsDomain.ClientWorkspaceGuest{}
+	}
+
+	for i := range guests {
+		if wa, ok := guests[i].PlatformIdentifiers["whatsapp"]; ok {
+			guests[i].PlatformIdentifiers["whatsapp"] = utils.NormalizeWhatsAppIdentity(wa)
+			guests[i].PlatformIdentifiers["whatsapp_number"] = utils.NormalizeWhatsAppIdentity(wa)
+		}
+	}
+
+	return c.JSON(guests)
+}
+
+func (h *FeaturesHandler) CreateGuest(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	wid := c.Params("wid")
+	// Verify ownership
+	ws, err := h.wsRepo.GetClientWorkspace(c.Context(), wid)
+	if err != nil || ws.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	var guest wsDomain.ClientWorkspaceGuest
+	if err := c.BodyParser(&guest); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request"})
+	}
+
+	guest.OwnerID = user.ClientID
+	guest.ClientWorkspaceID = wid
+
+	// Validate against owner client
+	client, err := h.clientService.GetByID(c.Context(), user.ClientID)
+	if err == nil && client != nil {
+		guestPhone := guest.PlatformIdentifiers["whatsapp"]
+		if utils.MatchWhatsAppIdentities(guestPhone, client.Phone) || utils.MatchWhatsAppIdentities(guestPhone, client.PlatformID) {
+			return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "the owner client cannot be added as a guest in their own workspace"})
+		}
+	}
+
+	newGuest, err := h.wsUc.CreateGuest(c.Context(), guest)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.Status(fiber.StatusCreated).JSON(newGuest)
+}
+
+func (h *FeaturesHandler) UpdateGuest(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	wid := c.Params("wid")
+	gid := c.Params("gid")
+
+	// Verify ownership of guest
+	guest, err := h.wsRepo.GetGuest(c.Context(), gid)
+	if err != nil || guest.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	var req wsDomain.ClientWorkspaceGuest
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request"})
+	}
+
+	req.ID = gid
+	req.OwnerID = user.ClientID
+	req.ClientWorkspaceID = wid // Ensure it stays in this workspace
+
+	// Validate against owner client
+	client, err := h.clientService.GetByID(c.Context(), user.ClientID)
+	if err == nil && client != nil {
+		guestPhone := req.PlatformIdentifiers["whatsapp"]
+		if utils.MatchWhatsAppIdentities(guestPhone, client.Phone) || utils.MatchWhatsAppIdentities(guestPhone, client.PlatformID) {
+			return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "the owner client cannot be added as a guest in their own workspace"})
+		}
+	}
+
+	if err := h.wsUc.UpdateGuest(c.Context(), req); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.JSON(req)
+}
+
+func (h *FeaturesHandler) DeleteGuest(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	gid := c.Params("gid")
+
+	// Verify ownership
+	guest, err := h.wsRepo.GetGuest(c.Context(), gid)
+	if err != nil || guest.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	if err := h.wsUc.DeleteGuest(c.Context(), gid); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.SendStatus(fiber.StatusNoContent)
+}

From 305f4a106ee62e7867ae8f4e11873b9032982bf8 Mon Sep 17 00:00:00 2001
From: Aziel <azielcruzado@gmail.com>
Date: Tue, 24 Feb 2026 12:19:37 -0500
Subject: [PATCH 08/12] [Workspace] Expand domain and persistence to support
 client workspaces and guests

---
 src/statics/workspaces/.gitkeep               |   1 -
 src/workspace/domain/channel/channel.go       |  57 +++--
 .../domain/workspace/client_workspace.go      |  36 +++
 src/workspace/domain/workspace/repository.go  |  23 +-
 src/workspace/manager.go                      |  63 +++--
 src/workspace/repository/sqlite_repo.go       | 231 ++++++++++++++++-
 src/workspace/repository/workspace_gorm.go    | 239 ++++++++++++++++++
 src/workspace/repository/workspace_repo.go    |  43 +---
 src/workspace/usecase/client_guest.go         | 206 +++++++++++++++
 src/workspace/usecase/workspace.go            |  63 +++++
 10 files changed, 868 insertions(+), 94 deletions(-)
 delete mode 100644 src/statics/workspaces/.gitkeep
 create mode 100644 src/workspace/domain/workspace/client_workspace.go
 create mode 100644 src/workspace/usecase/client_guest.go

diff --git a/src/statics/workspaces/.gitkeep b/src/statics/workspaces/.gitkeep
deleted file mode 100644
index 8b13789..0000000
--- a/src/statics/workspaces/.gitkeep
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/src/workspace/domain/channel/channel.go b/src/workspace/domain/channel/channel.go
index daca533..d521868 100644
--- a/src/workspace/domain/channel/channel.go
+++ b/src/workspace/domain/channel/channel.go
@@ -5,6 +5,7 @@ import "time"
 type Channel struct {
 	ID              string             `json:"id"`
 	WorkspaceID     string             `json:"workspace_id"`
+	OwnerID         string             `json:"owner_id,omitempty"` // Client ID that owns this channel
 	Type            ChannelType        `json:"type"`
 	Name            string             `json:"name"`
 	Enabled         bool               `json:"enabled"`
@@ -45,30 +46,38 @@ const (
 )
 
 type ChannelConfig struct {
-	Settings              map[string]interface{}   `json:"settings"`
-	WebhookURL            string                   `json:"webhook_url,omitempty"`
-	WebhookSecret         string                   `json:"webhook_secret,omitempty"`
-	BotID                 string                   `json:"bot_id,omitempty"`
-	DefaultLanguage       string                   `json:"default_language,omitempty"`
-	Timezone              string                   `json:"timezone,omitempty"`
-	SkipTLSVerification   bool                     `json:"skip_tls_verification"`
-	AutoReconnect         bool                     `json:"auto_reconnect"`
-	Chatwoot              *ChatwootConfig          `json:"chatwoot,omitempty"`
-	Credentials           map[string]string        `json:"credentials,omitempty"`
-	AccessMode            AccessMode               `json:"access_mode,omitempty"`
-	AllowImages           bool                     `json:"allow_images"`
-	AllowAudio            bool                     `json:"allow_audio"`
-	AllowVideo            bool                     `json:"allow_video"`
-	AllowDocuments        bool                     `json:"allow_documents"`
-	AllowStickers         bool                     `json:"allow_stickers"`
-	VoiceNotesOnly        bool                     `json:"voice_notes_only"`
-	AllowedExtensions     []string                 `json:"allowed_extensions"`
-	MaxDownloadSize       int64                    `json:"max_download_size"` // in bytes
-	InactivityWarning     *InactivityWarningConfig `json:"inactivity_warning,omitempty"`
-	SessionClosing        *SessionClosingConfig    `json:"session_closing,omitempty"`
-	SessionTimeout        int                      `json:"session_timeout,omitempty"`         // Minutes. Default: 4
-	InactivityWarningTime int                      `json:"inactivity_warning_time,omitempty"` // Minutes. When to alert. Must be >= 80% of total
-	MaxHistoryLimit       int                      `json:"max_history_limit,omitempty"`       // Max messages in context. 0 = 10, -1 = Unlimited
+	Settings              map[string]interface{}      `json:"settings"`
+	WebhookURL            string                      `json:"webhook_url,omitempty"`
+	WebhookSecret         string                      `json:"webhook_secret,omitempty"`
+	BotID                 string                      `json:"bot_id,omitempty"`
+	DefaultLanguage       string                      `json:"default_language,omitempty"`
+	Timezone              string                      `json:"timezone,omitempty"`
+	SkipTLSVerification   bool                        `json:"skip_tls_verification"`
+	AutoReconnect         bool                        `json:"auto_reconnect"`
+	Chatwoot              *ChatwootConfig             `json:"chatwoot,omitempty"`
+	Credentials           map[string]string           `json:"credentials,omitempty"`
+	AccessMode            AccessMode                  `json:"access_mode,omitempty"`
+	AllowImages           bool                        `json:"allow_images"`
+	AllowAudio            bool                        `json:"allow_audio"`
+	AllowVideo            bool                        `json:"allow_video"`
+	AllowDocuments        bool                        `json:"allow_documents"`
+	AllowStickers         bool                        `json:"allow_stickers"`
+	VoiceNotesOnly        bool                        `json:"voice_notes_only"`
+	AllowedExtensions     []string                    `json:"allowed_extensions"`
+	MaxDownloadSize       int64                       `json:"max_download_size"` // in bytes
+	InactivityWarning     *InactivityWarningConfig    `json:"inactivity_warning,omitempty"`
+	SessionClosing        *SessionClosingConfig       `json:"session_closing,omitempty"`
+	SessionTimeout        int                         `json:"session_timeout,omitempty"`         // Minutes. Default: 4
+	InactivityWarningTime int                         `json:"inactivity_warning_time,omitempty"` // Minutes. When to alert. Must be >= 80% of total
+	MaxHistoryLimit       int                         `json:"max_history_limit,omitempty"`       // Max messages in context. 0 = 10, -1 = Unlimited
+	GuestAccess           map[string]GuestConfigCache `json:"guest_access,omitempty"`            // Guest specific config propagation
+}
+
+type GuestConfigCache struct {
+	GuestID    string `json:"guest_id"`
+	BotID      string `json:"bot_id"`
+	TemplateID string `json:"template_id"`
+	Name       string `json:"name"`
 }
 
 type SessionClosingConfig struct {
diff --git a/src/workspace/domain/workspace/client_workspace.go b/src/workspace/domain/workspace/client_workspace.go
new file mode 100644
index 0000000..df0aefe
--- /dev/null
+++ b/src/workspace/domain/workspace/client_workspace.go
@@ -0,0 +1,36 @@
+package workspace
+
+import "time"
+
+// ClientWorkspace es el agrupador lógico del cliente (ej: "Sucursal Norte").
+type ClientWorkspace struct {
+	ID          string    `json:"id"`
+	OwnerID     string    `json:"owner_id"` // Client dueño
+	Name        string    `json:"name"`
+	Description string    `json:"description"`
+	CreatedAt   time.Time `json:"created_at"`
+	UpdatedAt   time.Time `json:"updated_at"`
+}
+
+// ClientWorkspaceChannel enlaza un Workspace con un Canal real.
+type ClientWorkspaceChannel struct {
+	ClientWorkspaceID string    `json:"client_workspace_id"`
+	ChannelID         string    `json:"channel_id"`
+	CreatedAt         time.Time `json:"created_at"`
+}
+
+// ClientWorkspaceGuest representa al invitado que puede acceder a los bots.
+type ClientWorkspaceGuest struct {
+	ID                  string              `json:"id"`
+	OwnerID             string              `json:"owner_id"` // El cliente dueño
+	ClientWorkspaceID   string              `json:"client_workspace_id"`
+	Name                string              `json:"name"`
+	BotID               string              `json:"bot_id"`
+	BotTemplateID       string              `json:"bot_template_id"` // ID del Bot (o Bot:Variant)
+	PlatformIdentifiers PlatformIdentifiers `json:"platform_identifiers"`
+	CreatedAt           time.Time           `json:"created_at"`
+	UpdatedAt           time.Time           `json:"updated_at"`
+}
+
+// PlatformIdentifiers contiene los IDs por plataforma (ej: {"whatsapp": "+123456", "telegram": "pedro_caja"}).
+type PlatformIdentifiers map[string]string
diff --git a/src/workspace/domain/workspace/repository.go b/src/workspace/domain/workspace/repository.go
index 525c100..13c950c 100644
--- a/src/workspace/domain/workspace/repository.go
+++ b/src/workspace/domain/workspace/repository.go
@@ -22,13 +22,32 @@ type IWorkspaceRepository interface {
 	CreateChannel(ctx context.Context, ch channel.Channel) error
 	GetChannel(ctx context.Context, channelID string) (channel.Channel, error)
 	ListChannels(ctx context.Context, workspaceID string) ([]channel.Channel, error)
+	ListChannelsByOwnerID(ctx context.Context, ownerID string) ([]channel.Channel, error)
 	UpdateChannel(ctx context.Context, ch channel.Channel) error
 	DeleteChannel(ctx context.Context, channelID string) error
+	GetChannelByExternalRef(ctx context.Context, externalRef string) (channel.Channel, error)
 	AddChannelCost(ctx context.Context, channelID string, cost float64) error
 	AddChannelComplexCost(ctx context.Context, channelID string, total float64, details map[string]float64) error
 
-	// Queries
-	GetChannelByExternalRef(ctx context.Context, externalRef string) (channel.Channel, error)
+	// Client Workspace CRUD
+	CreateClientWorkspace(ctx context.Context, ws ClientWorkspace) error
+	GetClientWorkspace(ctx context.Context, id string) (ClientWorkspace, error)
+	ListClientWorkspaces(ctx context.Context, ownerID string) ([]ClientWorkspace, error)
+	UpdateClientWorkspace(ctx context.Context, ws ClientWorkspace) error
+	DeleteClientWorkspace(ctx context.Context, id string) error
+
+	// Client Workspace Channels
+	LinkChannelToClientWorkspace(ctx context.Context, workspaceID, channelID string) error
+	UnlinkChannelFromClientWorkspace(ctx context.Context, workspaceID, channelID string) error
+	ListChannelsInClientWorkspace(ctx context.Context, workspaceID string) ([]channel.Channel, error)
+
+	// Client Workspace Guests
+	CreateGuest(ctx context.Context, guest ClientWorkspaceGuest) error
+	GetGuest(ctx context.Context, id string) (ClientWorkspaceGuest, error)
+	ListGuestsInClientWorkspace(ctx context.Context, workspaceID string) ([]ClientWorkspaceGuest, error)
+	UpdateGuest(ctx context.Context, guest ClientWorkspaceGuest) error
+	DeleteGuest(ctx context.Context, id string) error
+	ListGuestsByOwnerID(ctx context.Context, ownerID string) ([]ClientWorkspaceGuest, error)
 
 	// Access Rules
 	GetAccessRules(ctx context.Context, channelID string) ([]common.AccessRule, error)
diff --git a/src/workspace/manager.go b/src/workspace/manager.go
index 822341e..3b69649 100644
--- a/src/workspace/manager.go
+++ b/src/workspace/manager.go
@@ -16,6 +16,7 @@ import (
 	coreconfig "github.com/AzielCF/az-wap/core/config"
 	"github.com/AzielCF/az-wap/infrastructure/valkey"
 	"github.com/AzielCF/az-wap/pkg/msgworker"
+	"github.com/AzielCF/az-wap/pkg/utils"
 	"github.com/AzielCF/az-wap/workspace/application"
 	channelDomain "github.com/AzielCF/az-wap/workspace/domain/channel"
 	messageDomain "github.com/AzielCF/az-wap/workspace/domain/message"
@@ -294,28 +295,44 @@ func (m *Manager) handleIncomingMessage(adapter channelDomain.ChannelAdapter, ms
 		msg.Metadata = make(map[string]any)
 	}
 
+	// --- Guest Access Integration (Employees/Workspaces) ---
+	// Processed before ClientCtx resolution to enforce security rules (AllowedBots).
+	var overrideGuestTemplate string
+	if ch.Config.GuestAccess != nil {
+		pID := utils.CleanWhatsAppID(msg.SenderID)
+
+		if guest, ok := ch.Config.GuestAccess[pID]; ok {
+			logrus.Infof("[WorkspaceManager] Guest verified: %s (ID: %s) -> Base Bot: %s, Template: %s", guest.Name, guest.GuestID, guest.BotID, guest.TemplateID)
+			if guest.BotID != "" {
+				botID = guest.BotID
+			}
+			overrideGuestTemplate = guest.TemplateID
+			msg.Metadata["guest_name"] = guest.Name
+			msg.Metadata["guest_id"] = guest.GuestID
+		} else {
+			// Try with full ID if not found (for other platforms/LID)
+			if guest, ok := ch.Config.GuestAccess[msg.SenderID]; ok {
+				logrus.Infof("[WorkspaceManager] Guest verified (FullID): %s -> Base Bot: %s, Template: %s", guest.Name, guest.BotID, guest.TemplateID)
+				if guest.BotID != "" {
+					botID = guest.BotID
+				}
+				overrideGuestTemplate = guest.TemplateID
+				msg.Metadata["guest_name"] = guest.Name
+				msg.Metadata["guest_id"] = guest.GuestID
+			}
+		}
+	}
+
 	// Resolve Global Client Context
 	if m.clientResolver != nil {
 		pType := string(adapter.Type()) // Use adapter type (e.g., "whatsapp")
 
-		// Use full SenderID for resolution to support LID
 		platformID := msg.SenderID
 
 		// Normalization for WhatsApp (JID and LID)
-		// Remove @s.whatsapp.net if present
-		platformID = strings.TrimSuffix(platformID, "@s.whatsapp.net")
-
-		// Remove device index suffix if present (e.g. 12345:1@lid -> 12345@lid)
-		if idx := strings.Index(platformID, ":"); idx != -1 {
-			atIdx := strings.Index(platformID, "@")
-			if atIdx != -1 && atIdx > idx {
-				platformID = platformID[:idx] + platformID[atIdx:]
-			} else if atIdx == -1 {
-				platformID = platformID[:idx]
-			}
-		}
+		platformID = utils.CleanWhatsAppID(platformID)
 
-		// JID de respaldo (original de la plataforma o número de teléfono)
+		// Backup JID (original from platform or phone number)
 		secondaryID := ""
 		if pn, ok := msg.Metadata["sender_pn"].(string); ok && pn != "" {
 			secondaryID = pn
@@ -324,15 +341,7 @@ func (m *Manager) handleIncomingMessage(adapter channelDomain.ChannelAdapter, ms
 		}
 
 		// Normalize secondaryID too
-		secondaryID = strings.TrimSuffix(secondaryID, "@s.whatsapp.net")
-		if idx := strings.Index(secondaryID, ":"); idx != -1 {
-			atIdx := strings.Index(secondaryID, "@")
-			if atIdx != -1 && atIdx > idx {
-				secondaryID = secondaryID[:idx] + secondaryID[atIdx:]
-			} else if atIdx == -1 {
-				secondaryID = secondaryID[:idx]
-			}
-		}
+		secondaryID = utils.CleanWhatsAppID(secondaryID)
 
 		logrus.WithFields(logrus.Fields{
 			"platform_id":   platformID,
@@ -354,6 +363,8 @@ func (m *Manager) handleIncomingMessage(adapter channelDomain.ChannelAdapter, ms
 			if overrideBotID != "" {
 				logrus.Infof("[WorkspaceManager] Overriding BotID from subscription: %s -> %s", botID, overrideBotID)
 				botID = overrideBotID
+				// Si la suscripción fuerza un bot override (ej: suspensión), prevalece sobre el invitado.
+				overrideGuestTemplate = ""
 			}
 
 			// Operational check: Allowed Bots
@@ -368,7 +379,6 @@ func (m *Manager) handleIncomingMessage(adapter channelDomain.ChannelAdapter, ms
 				if !allowed {
 					logrus.Warnf("[WorkspaceManager] Client %s (%s) is NOT allowed to use bot %s. Operational restriction applied.", clientCtx.DisplayName, clientCtx.ClientID, botID)
 					// If not allowed, we stop processing or return an error message
-					// For now, let's just log and block the bot interaction by returning
 					return
 				}
 			}
@@ -426,6 +436,11 @@ func (m *Manager) handleIncomingMessage(adapter channelDomain.ChannelAdapter, ms
 		logrus.Debugf("[WorkspaceManager] Bypassing access control for registered client: %s", clientCtx.ClientID)
 	}
 
+	// Aplicamos el TemplateID del Invitado de manera prioritaria al engine, pero luego de haber verificado permisos.
+	if overrideGuestTemplate != "" {
+		botID = overrideGuestTemplate
+	}
+
 	// Enqueue for debouncing
 	m.sessions.EnqueueDebounced(ctx, ch, msg, botID, func(chatID string, ids []string) {
 		_ = adapter.MarkRead(ctx, chatID, ids)
diff --git a/src/workspace/repository/sqlite_repo.go b/src/workspace/repository/sqlite_repo.go
index eafd3b9..776ee9d 100644
--- a/src/workspace/repository/sqlite_repo.go
+++ b/src/workspace/repository/sqlite_repo.go
@@ -94,12 +94,40 @@ func (r *SQLiteRepository) Init(ctx context.Context) error {
 		`ALTER TABLE scheduled_posts ADD COLUMN execution_count INTEGER DEFAULT 0;`,
 		// Migration: Convert empty external_ref to NULL to fix UNIQUE constraint issue
 		`UPDATE channels SET external_ref = NULL WHERE external_ref = '';`,
+		// Client Workspaces
+		`CREATE TABLE IF NOT EXISTS client_workspaces (
+			id TEXT PRIMARY KEY,
+			owner_id TEXT NOT NULL,
+			name TEXT NOT NULL,
+			description TEXT,
+			created_at DATETIME NOT NULL,
+			updated_at DATETIME NOT NULL
+		);`,
+		`CREATE TABLE IF NOT EXISTS client_workspace_channels (
+			client_workspace_id TEXT NOT NULL,
+			channel_id TEXT NOT NULL,
+			created_at DATETIME NOT NULL,
+			PRIMARY KEY (client_workspace_id, channel_id)
+		);`,
+		`CREATE TABLE IF NOT EXISTS client_workspace_guests (
+			id TEXT PRIMARY KEY,
+			owner_id TEXT NOT NULL,
+			client_workspace_id TEXT NOT NULL,
+			name TEXT NOT NULL,
+			bot_template_id TEXT NOT NULL,
+			platform_identifiers TEXT,
+			created_at DATETIME NOT NULL,
+			updated_at DATETIME NOT NULL
+		);`,
+		`CREATE INDEX IF NOT EXISTS idx_cw_owner ON client_workspaces(owner_id);`,
+		`CREATE INDEX IF NOT EXISTS idx_cwg_ws ON client_workspace_guests(client_workspace_id);`,
+		`CREATE INDEX IF NOT EXISTS idx_cwg_owner ON client_workspace_guests(owner_id);`,
 	}
 
 	for _, query := range queries {
 		if _, err := r.db.ExecContext(ctx, query); err != nil {
-			// Ignorar errores de "duplicate column" en migraciones ALTER TABLE
-			if strings.Contains(err.Error(), "duplicate column") {
+			// Ignorar errores de "duplicate column" o "already exists" en migraciones manuales
+			if strings.Contains(err.Error(), "duplicate column") || strings.Contains(err.Error(), "already exists") {
 				continue
 			}
 			return fmt.Errorf("failed to init schema: %w", err)
@@ -252,6 +280,35 @@ func (r *SQLiteRepository) ListChannels(ctx context.Context, workspaceID string)
 	return channels, nil
 }
 
+func (r *SQLiteRepository) ListChannelsByOwnerID(ctx context.Context, ownerID string) ([]channel.Channel, error) {
+	query := `SELECT id, workspace_id, type, name, enabled, config, status, external_ref, last_seen, accumulated_cost, cost_breakdown, created_at, updated_at FROM channels WHERE owner_id = ?`
+	rows, err := r.db.QueryContext(ctx, query, ownerID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var channels []channel.Channel
+	for rows.Next() {
+		var ch channel.Channel
+		var config string
+		var breakdown sql.NullString
+		var extRef sql.NullString
+		if err := rows.Scan(&ch.ID, &ch.WorkspaceID, &ch.Type, &ch.Name, &ch.Enabled, &config, &ch.Status, &extRef, &ch.LastSeen, &ch.AccumulatedCost, &breakdown, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
+			return nil, err
+		}
+		_ = json.Unmarshal([]byte(config), &ch.Config)
+		if breakdown.Valid {
+			_ = json.Unmarshal([]byte(breakdown.String), &ch.CostBreakdown)
+		}
+		if extRef.Valid {
+			ch.ExternalRef = extRef.String
+		}
+		channels = append(channels, ch)
+	}
+	return channels, nil
+}
+
 func (r *SQLiteRepository) UpdateChannel(ctx context.Context, ch channel.Channel) error {
 	config, _ := json.Marshal(ch.Config)
 
@@ -511,3 +568,173 @@ func (r *SQLiteRepository) DeleteScheduledPost(ctx context.Context, id string) e
 	_, err := r.db.ExecContext(ctx, query, id)
 	return err
 }
+
+// Client Workspace CRUD
+
+func (r *SQLiteRepository) CreateClientWorkspace(ctx context.Context, ws workspace.ClientWorkspace) error {
+	query := `INSERT INTO client_workspaces (id, owner_id, name, description, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?)`
+	_, err := r.db.ExecContext(ctx, query, ws.ID, ws.OwnerID, ws.Name, ws.Description, ws.CreatedAt, ws.UpdatedAt)
+	return err
+}
+
+func (r *SQLiteRepository) GetClientWorkspace(ctx context.Context, id string) (workspace.ClientWorkspace, error) {
+	query := `SELECT id, owner_id, name, description, created_at, updated_at FROM client_workspaces WHERE id = ?`
+	row := r.db.QueryRowContext(ctx, query, id)
+	var ws workspace.ClientWorkspace
+	err := row.Scan(&ws.ID, &ws.OwnerID, &ws.Name, &ws.Description, &ws.CreatedAt, &ws.UpdatedAt)
+	return ws, err
+}
+
+func (r *SQLiteRepository) ListClientWorkspaces(ctx context.Context, ownerID string) ([]workspace.ClientWorkspace, error) {
+	query := `SELECT id, owner_id, name, description, created_at, updated_at FROM client_workspaces WHERE owner_id = ?`
+	rows, err := r.db.QueryContext(ctx, query, ownerID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var res []workspace.ClientWorkspace
+	for rows.Next() {
+		var ws workspace.ClientWorkspace
+		if err := rows.Scan(&ws.ID, &ws.OwnerID, &ws.Name, &ws.Description, &ws.CreatedAt, &ws.UpdatedAt); err != nil {
+			return nil, err
+		}
+		res = append(res, ws)
+	}
+	return res, nil
+}
+
+func (r *SQLiteRepository) UpdateClientWorkspace(ctx context.Context, ws workspace.ClientWorkspace) error {
+	query := `UPDATE client_workspaces SET name=?, description=?, updated_at=? WHERE id=?`
+	_, err := r.db.ExecContext(ctx, query, ws.Name, ws.Description, ws.UpdatedAt, ws.ID)
+	return err
+}
+
+func (r *SQLiteRepository) DeleteClientWorkspace(ctx context.Context, id string) error {
+	// Manual cleanup for SQLite
+	_, _ = r.db.ExecContext(ctx, "DELETE FROM client_workspace_channels WHERE client_workspace_id = ?", id)
+	_, _ = r.db.ExecContext(ctx, "DELETE FROM client_workspace_guests WHERE client_workspace_id = ?", id)
+	_, err := r.db.ExecContext(ctx, "DELETE FROM client_workspaces WHERE id = ?", id)
+	return err
+}
+
+func (r *SQLiteRepository) LinkChannelToClientWorkspace(ctx context.Context, workspaceID, channelID string) error {
+	var count int
+	err := r.db.QueryRowContext(ctx, "SELECT COUNT(*) FROM client_workspace_channels WHERE client_workspace_id = ? AND channel_id = ?", workspaceID, channelID).Scan(&count)
+	if err == nil && count > 0 {
+		return nil // Already linked
+	}
+
+	query := `INSERT INTO client_workspace_channels (client_workspace_id, channel_id, created_at) VALUES (?, ?, ?)`
+	_, err = r.db.ExecContext(ctx, query, workspaceID, channelID, time.Now())
+	return err
+}
+
+func (r *SQLiteRepository) UnlinkChannelFromClientWorkspace(ctx context.Context, workspaceID, channelID string) error {
+	query := `DELETE FROM client_workspace_channels WHERE client_workspace_id = ? AND channel_id = ?`
+	_, err := r.db.ExecContext(ctx, query, workspaceID, channelID)
+	return err
+}
+
+func (r *SQLiteRepository) ListChannelsInClientWorkspace(ctx context.Context, workspaceID string) ([]channel.Channel, error) {
+	query := `SELECT c.id, c.workspace_id, c.type, c.name, c.enabled, c.config, c.status, c.external_ref, c.last_seen, c.accumulated_cost, c.cost_breakdown, c.created_at, c.updated_at 
+	          FROM channels c 
+			  JOIN client_workspace_channels cwc ON cwc.channel_id = c.id 
+			  WHERE cwc.client_workspace_id = ?`
+	rows, err := r.db.QueryContext(ctx, query, workspaceID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var channels []channel.Channel
+	for rows.Next() {
+		var ch channel.Channel
+		var config string
+		var breakdown sql.NullString
+		var extRef sql.NullString
+		if err := rows.Scan(&ch.ID, &ch.WorkspaceID, &ch.Type, &ch.Name, &ch.Enabled, &config, &ch.Status, &extRef, &ch.LastSeen, &ch.AccumulatedCost, &breakdown, &ch.CreatedAt, &ch.UpdatedAt); err != nil {
+			return nil, err
+		}
+		_ = json.Unmarshal([]byte(config), &ch.Config)
+		if breakdown.Valid {
+			_ = json.Unmarshal([]byte(breakdown.String), &ch.CostBreakdown)
+		}
+		if extRef.Valid {
+			ch.ExternalRef = extRef.String
+		}
+		channels = append(channels, ch)
+	}
+	return channels, nil
+}
+
+func (r *SQLiteRepository) CreateGuest(ctx context.Context, guest workspace.ClientWorkspaceGuest) error {
+	idents, _ := json.Marshal(guest.PlatformIdentifiers)
+	query := `INSERT INTO client_workspace_guests (id, owner_id, client_workspace_id, name, bot_template_id, platform_identifiers, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)`
+	_, err := r.db.ExecContext(ctx, query, guest.ID, guest.OwnerID, guest.ClientWorkspaceID, guest.Name, guest.BotTemplateID, string(idents), guest.CreatedAt, guest.UpdatedAt)
+	return err
+}
+
+func (r *SQLiteRepository) GetGuest(ctx context.Context, id string) (workspace.ClientWorkspaceGuest, error) {
+	query := `SELECT id, owner_id, client_workspace_id, name, bot_template_id, platform_identifiers, created_at, updated_at FROM client_workspace_guests WHERE id = ?`
+	row := r.db.QueryRowContext(ctx, query, id)
+	var g workspace.ClientWorkspaceGuest
+	var idents string
+	err := row.Scan(&g.ID, &g.OwnerID, &g.ClientWorkspaceID, &g.Name, &g.BotTemplateID, &idents, &g.CreatedAt, &g.UpdatedAt)
+	if err != nil {
+		return workspace.ClientWorkspaceGuest{}, err
+	}
+	_ = json.Unmarshal([]byte(idents), &g.PlatformIdentifiers)
+	return g, nil
+}
+
+func (r *SQLiteRepository) ListGuestsInClientWorkspace(ctx context.Context, workspaceID string) ([]workspace.ClientWorkspaceGuest, error) {
+	query := `SELECT id, owner_id, client_workspace_id, name, bot_template_id, platform_identifiers, created_at, updated_at FROM client_workspace_guests WHERE client_workspace_id = ?`
+	rows, err := r.db.QueryContext(ctx, query, workspaceID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var res []workspace.ClientWorkspaceGuest
+	for rows.Next() {
+		var g workspace.ClientWorkspaceGuest
+		var idents string
+		if err := rows.Scan(&g.ID, &g.OwnerID, &g.ClientWorkspaceID, &g.Name, &g.BotTemplateID, &idents, &g.CreatedAt, &g.UpdatedAt); err != nil {
+			return nil, err
+		}
+		_ = json.Unmarshal([]byte(idents), &g.PlatformIdentifiers)
+		res = append(res, g)
+	}
+	return res, nil
+}
+
+func (r *SQLiteRepository) UpdateGuest(ctx context.Context, guest workspace.ClientWorkspaceGuest) error {
+	idents, _ := json.Marshal(guest.PlatformIdentifiers)
+	query := `UPDATE client_workspace_guests SET client_workspace_id=?, name=?, bot_template_id=?, platform_identifiers=?, updated_at=? WHERE id=?`
+	_, err := r.db.ExecContext(ctx, query, guest.ClientWorkspaceID, guest.Name, guest.BotTemplateID, string(idents), guest.UpdatedAt, guest.ID)
+	return err
+}
+
+func (r *SQLiteRepository) DeleteGuest(ctx context.Context, id string) error {
+	_, err := r.db.ExecContext(ctx, "DELETE FROM client_workspace_guests WHERE id = ?", id)
+	return err
+}
+
+func (r *SQLiteRepository) ListGuestsByOwnerID(ctx context.Context, ownerID string) ([]workspace.ClientWorkspaceGuest, error) {
+	query := `SELECT id, owner_id, client_workspace_id, name, bot_template_id, platform_identifiers, created_at, updated_at FROM client_workspace_guests WHERE owner_id = ?`
+	rows, err := r.db.QueryContext(ctx, query, ownerID)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+	var res []workspace.ClientWorkspaceGuest
+	for rows.Next() {
+		var g workspace.ClientWorkspaceGuest
+		var idents string
+		if err := rows.Scan(&g.ID, &g.OwnerID, &g.ClientWorkspaceID, &g.Name, &g.BotTemplateID, &idents, &g.CreatedAt, &g.UpdatedAt); err != nil {
+			return nil, err
+		}
+		_ = json.Unmarshal([]byte(idents), &g.PlatformIdentifiers)
+		res = append(res, g)
+	}
+	return res, nil
+}
diff --git a/src/workspace/repository/workspace_gorm.go b/src/workspace/repository/workspace_gorm.go
index 1922c95..c949975 100644
--- a/src/workspace/repository/workspace_gorm.go
+++ b/src/workspace/repository/workspace_gorm.go
@@ -37,6 +37,7 @@ func (workspaceModel) TableName() string { return "workspaces" }
 type channelModel struct {
 	ID              string         `gorm:"primaryKey;column:id"`
 	WorkspaceID     string         `gorm:"column:workspace_id;not null;index"`
+	OwnerID         sql.NullString `gorm:"column:owner_id;index"` // Client ID
 	Type            string         `gorm:"column:type;not null"`
 	Name            string         `gorm:"column:name;not null"`
 	Enabled         bool           `gorm:"column:enabled;default:false"`
@@ -84,6 +85,39 @@ type scheduledPostModel struct {
 
 func (scheduledPostModel) TableName() string { return "scheduled_posts" }
 
+type clientWorkspaceModel struct {
+	ID          string         `gorm:"primaryKey;column:id"`
+	OwnerID     string         `gorm:"column:owner_id;not null;index"`
+	Name        string         `gorm:"column:name;not null"`
+	Description sql.NullString `gorm:"column:description"`
+	CreatedAt   time.Time      `gorm:"column:created_at;not null"`
+	UpdatedAt   time.Time      `gorm:"column:updated_at;not null"`
+}
+
+func (clientWorkspaceModel) TableName() string { return "client_workspaces" }
+
+type clientWorkspaceChannelModel struct {
+	ClientWorkspaceID string    `gorm:"primaryKey;column:client_workspace_id"`
+	ChannelID         string    `gorm:"primaryKey;column:channel_id"`
+	CreatedAt         time.Time `gorm:"column:created_at;not null"`
+}
+
+func (clientWorkspaceChannelModel) TableName() string { return "client_workspace_channels" }
+
+type clientWorkspaceGuestModel struct {
+	ID                  string    `gorm:"primaryKey;column:id"`
+	OwnerID             string    `gorm:"column:owner_id;not null;index"`
+	ClientWorkspaceID   string    `gorm:"column:client_workspace_id;not null;index"`
+	Name                string    `gorm:"column:name;not null"`
+	BotID               string    `gorm:"column:bot_id;not null"`
+	BotTemplateID       string    `gorm:"column:bot_template_id;not null"`
+	PlatformIdentifiers string    `gorm:"column:platform_identifiers;type:text"` // JSON
+	CreatedAt           time.Time `gorm:"column:created_at;not null"`
+	UpdatedAt           time.Time `gorm:"column:updated_at;not null"`
+}
+
+func (clientWorkspaceGuestModel) TableName() string { return "client_workspace_guests" }
+
 // --- Repository Implementation ---
 
 type WorkspaceGormRepository struct {
@@ -100,6 +134,9 @@ func (r *WorkspaceGormRepository) Init(ctx context.Context) error {
 		&channelModel{},
 		&accessRuleModel{},
 		&scheduledPostModel{},
+		&clientWorkspaceModel{},
+		&clientWorkspaceChannelModel{},
+		&clientWorkspaceGuestModel{},
 	)
 }
 
@@ -172,6 +209,18 @@ func (r *WorkspaceGormRepository) ListChannels(ctx context.Context, workspaceID
 	return res, nil
 }
 
+func (r *WorkspaceGormRepository) ListChannelsByOwnerID(ctx context.Context, ownerID string) ([]channel.Channel, error) {
+	var models []channelModel
+	if err := r.db.WithContext(ctx).Where("owner_id = ?", ownerID).Find(&models).Error; err != nil {
+		return nil, err
+	}
+	res := make([]channel.Channel, len(models))
+	for i, m := range models {
+		res[i] = fromChannelModel(m)
+	}
+	return res, nil
+}
+
 func (r *WorkspaceGormRepository) UpdateChannel(ctx context.Context, ch channel.Channel) error {
 	model := toChannelModel(ch)
 	return r.db.WithContext(ctx).Save(&model).Error
@@ -315,6 +364,141 @@ func (r *WorkspaceGormRepository) CountPendingScheduledPosts(ctx context.Context
 	return count, err
 }
 
+// Client Workspace CRUD
+
+func (r *WorkspaceGormRepository) CreateClientWorkspace(ctx context.Context, ws workspace.ClientWorkspace) error {
+	m := toClientWorkspaceModel(ws)
+	return r.db.WithContext(ctx).Create(&m).Error
+}
+
+func (r *WorkspaceGormRepository) GetClientWorkspace(ctx context.Context, id string) (workspace.ClientWorkspace, error) {
+	var m clientWorkspaceModel
+	if err := r.db.WithContext(ctx).First(&m, "id = ?", id).Error; err != nil {
+		return workspace.ClientWorkspace{}, err
+	}
+	return fromClientWorkspaceModel(m), nil
+}
+
+func (r *WorkspaceGormRepository) ListClientWorkspaces(ctx context.Context, ownerID string) ([]workspace.ClientWorkspace, error) {
+	var models []clientWorkspaceModel
+	if err := r.db.WithContext(ctx).Where("owner_id = ?", ownerID).Find(&models).Error; err != nil {
+		return nil, err
+	}
+	res := make([]workspace.ClientWorkspace, len(models))
+	for i, m := range models {
+		res[i] = fromClientWorkspaceModel(m)
+	}
+	return res, nil
+}
+
+func (r *WorkspaceGormRepository) UpdateClientWorkspace(ctx context.Context, ws workspace.ClientWorkspace) error {
+	m := toClientWorkspaceModel(ws)
+	return r.db.WithContext(ctx).Save(&m).Error
+}
+
+func (r *WorkspaceGormRepository) DeleteClientWorkspace(ctx context.Context, id string) error {
+	return r.db.WithContext(ctx).Transaction(func(tx *gorm.DB) error {
+		// Clean up links and guests first? Or let DB cascades handle it if configured.
+		// Manual cleanup to be safe:
+		if err := tx.Where("client_workspace_id = ?", id).Delete(&clientWorkspaceChannelModel{}).Error; err != nil {
+			return err
+		}
+		if err := tx.Where("client_workspace_id = ?", id).Delete(&clientWorkspaceGuestModel{}).Error; err != nil {
+			return err
+		}
+		return tx.Delete(&clientWorkspaceModel{}, "id = ?", id).Error
+	})
+}
+
+// Client Workspace Channels
+
+func (r *WorkspaceGormRepository) LinkChannelToClientWorkspace(ctx context.Context, workspaceID, channelID string) error {
+	var count int64
+	r.db.WithContext(ctx).Model(&clientWorkspaceChannelModel{}).
+		Where("client_workspace_id = ? AND channel_id = ?", workspaceID, channelID).
+		Count(&count)
+	if count > 0 {
+		return nil // Already linked, no error
+	}
+
+	m := clientWorkspaceChannelModel{
+		ClientWorkspaceID: workspaceID,
+		ChannelID:         channelID,
+		CreatedAt:         time.Now(),
+	}
+	return r.db.WithContext(ctx).Create(&m).Error
+}
+
+func (r *WorkspaceGormRepository) UnlinkChannelFromClientWorkspace(ctx context.Context, workspaceID, channelID string) error {
+	return r.db.WithContext(ctx).Delete(&clientWorkspaceChannelModel{}, "client_workspace_id = ? AND channel_id = ?", workspaceID, channelID).Error
+}
+
+func (r *WorkspaceGormRepository) ListChannelsInClientWorkspace(ctx context.Context, workspaceID string) ([]channel.Channel, error) {
+	var models []channelModel
+	err := r.db.WithContext(ctx).
+		Table("channels").
+		Joins("JOIN client_workspace_channels ON client_workspace_channels.channel_id = channels.id").
+		Where("client_workspace_channels.client_workspace_id = ?", workspaceID).
+		Find(&models).Error
+	if err != nil {
+		return nil, err
+	}
+
+	res := make([]channel.Channel, len(models))
+	for i, m := range models {
+		res[i] = fromChannelModel(m)
+	}
+	return res, nil
+}
+
+// Client Workspace Guests
+
+func (r *WorkspaceGormRepository) CreateGuest(ctx context.Context, guest workspace.ClientWorkspaceGuest) error {
+	m := toClientWorkspaceGuestModel(guest)
+	return r.db.WithContext(ctx).Create(&m).Error
+}
+
+func (r *WorkspaceGormRepository) GetGuest(ctx context.Context, id string) (workspace.ClientWorkspaceGuest, error) {
+	var m clientWorkspaceGuestModel
+	if err := r.db.WithContext(ctx).First(&m, "id = ?", id).Error; err != nil {
+		return workspace.ClientWorkspaceGuest{}, err
+	}
+	return fromClientWorkspaceGuestModel(m), nil
+}
+
+func (r *WorkspaceGormRepository) ListGuestsInClientWorkspace(ctx context.Context, workspaceID string) ([]workspace.ClientWorkspaceGuest, error) {
+	var models []clientWorkspaceGuestModel
+	if err := r.db.WithContext(ctx).Where("client_workspace_id = ?", workspaceID).Find(&models).Error; err != nil {
+		return nil, err
+	}
+	res := make([]workspace.ClientWorkspaceGuest, len(models))
+	for i, m := range models {
+		res[i] = fromClientWorkspaceGuestModel(m)
+	}
+	return res, nil
+}
+
+func (r *WorkspaceGormRepository) UpdateGuest(ctx context.Context, guest workspace.ClientWorkspaceGuest) error {
+	m := toClientWorkspaceGuestModel(guest)
+	return r.db.WithContext(ctx).Save(&m).Error
+}
+
+func (r *WorkspaceGormRepository) DeleteGuest(ctx context.Context, id string) error {
+	return r.db.WithContext(ctx).Delete(&clientWorkspaceGuestModel{}, "id = ?", id).Error
+}
+
+func (r *WorkspaceGormRepository) ListGuestsByOwnerID(ctx context.Context, ownerID string) ([]workspace.ClientWorkspaceGuest, error) {
+	var models []clientWorkspaceGuestModel
+	if err := r.db.WithContext(ctx).Where("owner_id = ?", ownerID).Find(&models).Error; err != nil {
+		return nil, err
+	}
+	res := make([]workspace.ClientWorkspaceGuest, len(models))
+	for i, m := range models {
+		res[i] = fromClientWorkspaceGuestModel(m)
+	}
+	return res, nil
+}
+
 // --- Mappers ---
 
 func toWorkspaceModel(ws workspace.Workspace) workspaceModel {
@@ -374,6 +558,7 @@ func toChannelModel(ch channel.Channel) channelModel {
 	return channelModel{
 		ID:              ch.ID,
 		WorkspaceID:     ch.WorkspaceID,
+		OwnerID:         sql.NullString{String: ch.OwnerID, Valid: ch.OwnerID != ""},
 		Type:            string(ch.Type),
 		Name:            ch.Name,
 		Enabled:         ch.Enabled,
@@ -406,6 +591,7 @@ func fromChannelModel(m channelModel) channel.Channel {
 	return channel.Channel{
 		ID:              m.ID,
 		WorkspaceID:     m.WorkspaceID,
+		OwnerID:         nullStringValue(m.OwnerID),
 		Type:            channel.ChannelType(m.Type),
 		Name:            m.Name,
 		Enabled:         m.Enabled,
@@ -491,3 +677,56 @@ func nullStringValue(ns sql.NullString) string {
 	}
 	return strings.TrimSpace(ns.String)
 }
+
+func toClientWorkspaceModel(ws workspace.ClientWorkspace) clientWorkspaceModel {
+	return clientWorkspaceModel{
+		ID:          ws.ID,
+		OwnerID:     ws.OwnerID,
+		Name:        ws.Name,
+		Description: sql.NullString{String: ws.Description, Valid: ws.Description != ""},
+		CreatedAt:   ws.CreatedAt,
+		UpdatedAt:   ws.UpdatedAt,
+	}
+}
+
+func fromClientWorkspaceModel(m clientWorkspaceModel) workspace.ClientWorkspace {
+	return workspace.ClientWorkspace{
+		ID:          m.ID,
+		OwnerID:     m.OwnerID,
+		Name:        m.Name,
+		Description: nullStringValue(m.Description),
+		CreatedAt:   m.CreatedAt,
+		UpdatedAt:   m.UpdatedAt,
+	}
+}
+
+func toClientWorkspaceGuestModel(g workspace.ClientWorkspaceGuest) clientWorkspaceGuestModel {
+	idents, _ := json.Marshal(g.PlatformIdentifiers)
+	return clientWorkspaceGuestModel{
+		ID:                  g.ID,
+		OwnerID:             g.OwnerID,
+		ClientWorkspaceID:   g.ClientWorkspaceID,
+		Name:                g.Name,
+		BotID:               g.BotID,
+		BotTemplateID:       g.BotTemplateID,
+		PlatformIdentifiers: string(idents),
+		CreatedAt:           g.CreatedAt,
+		UpdatedAt:           g.UpdatedAt,
+	}
+}
+
+func fromClientWorkspaceGuestModel(m clientWorkspaceGuestModel) workspace.ClientWorkspaceGuest {
+	var idents workspace.PlatformIdentifiers
+	_ = json.Unmarshal([]byte(m.PlatformIdentifiers), &idents)
+	return workspace.ClientWorkspaceGuest{
+		ID:                  m.ID,
+		OwnerID:             m.OwnerID,
+		ClientWorkspaceID:   m.ClientWorkspaceID,
+		Name:                m.Name,
+		BotID:               m.BotID,
+		BotTemplateID:       m.BotTemplateID,
+		PlatformIdentifiers: idents,
+		CreatedAt:           m.CreatedAt,
+		UpdatedAt:           m.UpdatedAt,
+	}
+}
diff --git a/src/workspace/repository/workspace_repo.go b/src/workspace/repository/workspace_repo.go
index 004e883..1ce3ca5 100644
--- a/src/workspace/repository/workspace_repo.go
+++ b/src/workspace/repository/workspace_repo.go
@@ -1,49 +1,10 @@
 package repository
 
 import (
-	"context"
-	"time"
-
-	"github.com/AzielCF/az-wap/workspace/domain/channel"
-	"github.com/AzielCF/az-wap/workspace/domain/common"
 	"github.com/AzielCF/az-wap/workspace/domain/workspace"
 )
 
+// IWorkspaceRepository is an alias for the domain repository interface to maintain backward compatibility in the repository package.
 type IWorkspaceRepository interface {
-	Init(ctx context.Context) error
-
-	// Workspace CRUD
-	Create(ctx context.Context, ws workspace.Workspace) error
-	GetByID(ctx context.Context, id string) (workspace.Workspace, error)
-	List(ctx context.Context) ([]workspace.Workspace, error)
-	Update(ctx context.Context, ws workspace.Workspace) error
-	Delete(ctx context.Context, id string) error
-
-	// Channel CRUD
-	CreateChannel(ctx context.Context, ch channel.Channel) error
-	GetChannel(ctx context.Context, channelID string) (channel.Channel, error)
-	ListChannels(ctx context.Context, workspaceID string) ([]channel.Channel, error)
-	UpdateChannel(ctx context.Context, ch channel.Channel) error
-	DeleteChannel(ctx context.Context, channelID string) error
-	AddChannelCost(ctx context.Context, channelID string, cost float64) error
-	AddChannelComplexCost(ctx context.Context, channelID string, total float64, details map[string]float64) error
-
-	// Queries
-	GetChannelByExternalRef(ctx context.Context, externalRef string) (channel.Channel, error)
-
-	// Access Rules
-	GetAccessRules(ctx context.Context, channelID string) ([]common.AccessRule, error)
-	AddAccessRule(ctx context.Context, rule common.AccessRule) error
-	DeleteAccessRule(ctx context.Context, id string) error
-	DeleteAllAccessRules(ctx context.Context, channelID string) error
-
-	// Scheduled Posts
-	CreateScheduledPost(ctx context.Context, post common.ScheduledPost) error
-	GetScheduledPost(ctx context.Context, id string) (common.ScheduledPost, error)
-	ListScheduledPosts(ctx context.Context, channelID string) ([]common.ScheduledPost, error)
-	ListPendingScheduledPosts(ctx context.Context) ([]common.ScheduledPost, error)
-	ListUpcomingScheduledPosts(ctx context.Context, limitTime time.Time) ([]common.ScheduledPost, error)
-	CountPendingScheduledPosts(ctx context.Context) (int64, error)
-	UpdateScheduledPost(ctx context.Context, post common.ScheduledPost) error
-	DeleteScheduledPost(ctx context.Context, id string) error
+	workspace.IWorkspaceRepository
 }
diff --git a/src/workspace/usecase/client_guest.go b/src/workspace/usecase/client_guest.go
new file mode 100644
index 0000000..fb2855a
--- /dev/null
+++ b/src/workspace/usecase/client_guest.go
@@ -0,0 +1,206 @@
+package usecase
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/AzielCF/az-wap/pkg/utils"
+	"github.com/AzielCF/az-wap/workspace/domain/channel"
+	wsDomain "github.com/AzielCF/az-wap/workspace/domain/workspace"
+	"github.com/google/uuid"
+)
+
+// --- Guest Usecases ---
+
+func (u *WorkspaceUsecase) CreateGuest(ctx context.Context, guest wsDomain.ClientWorkspaceGuest) (wsDomain.ClientWorkspaceGuest, error) {
+	if guest.ID == "" {
+		guest.ID = uuid.NewString()
+	}
+	guest.CreatedAt = time.Now().UTC()
+	guest.UpdatedAt = time.Now().UTC()
+
+	// Validate channels and identifiers
+	channels, err := u.repo.ListChannelsInClientWorkspace(ctx, guest.ClientWorkspaceID)
+	if err != nil {
+		return wsDomain.ClientWorkspaceGuest{}, fmt.Errorf("failed to fetch workspace channels: %w", err)
+	}
+
+	if len(channels) == 0 {
+		return wsDomain.ClientWorkspaceGuest{}, fmt.Errorf("no channels associated with this workspace")
+	}
+
+	// Format platform identifiers appropriately
+	if waID, ok := guest.PlatformIdentifiers["whatsapp"]; ok && waID != "" {
+		utils.SanitizePhone(&waID) // appends @s.whatsapp.net if missing
+		guest.PlatformIdentifiers["whatsapp"] = waID
+	}
+
+	if err := u.repo.CreateGuest(ctx, guest); err != nil {
+		return wsDomain.ClientWorkspaceGuest{}, err
+	}
+
+	// Propagate
+	_ = u.propagateGuestToAllChannels(ctx, guest)
+
+	return guest, nil
+}
+
+func (u *WorkspaceUsecase) UpdateGuest(ctx context.Context, updated wsDomain.ClientWorkspaceGuest) error {
+	oldGuest, err := u.repo.GetGuest(ctx, updated.ID)
+	if err != nil {
+		return err
+	}
+
+	updated.UpdatedAt = time.Now().UTC()
+
+	channels, err := u.repo.ListChannelsInClientWorkspace(ctx, updated.ClientWorkspaceID)
+	if err != nil {
+		return fmt.Errorf("failed to fetch workspace channels: %w", err)
+	}
+
+	if len(channels) == 0 {
+		return fmt.Errorf("no channels associated with this workspace")
+	}
+
+	// Format platform identifiers appropriately
+	if waID, ok := updated.PlatformIdentifiers["whatsapp"]; ok && waID != "" {
+		utils.SanitizePhone(&waID) // appends @s.whatsapp.net if missing
+		updated.PlatformIdentifiers["whatsapp"] = waID
+	}
+
+	if err := u.repo.UpdateGuest(ctx, updated); err != nil {
+		return err
+	}
+
+	// 1. Clean up old identifiers if they changed
+	u.cleanupGuestOldIdentifiers(ctx, oldGuest, updated)
+
+	// 2. Propagate new ones
+	_ = u.propagateGuestToAllChannels(ctx, updated)
+
+	return nil
+}
+
+func (u *WorkspaceUsecase) DeleteGuest(ctx context.Context, id string) error {
+	guest, err := u.repo.GetGuest(ctx, id)
+	if err != nil {
+		return err
+	}
+
+	// 1. Clean accesses in channels
+	u.revokeGuestAccess(ctx, guest)
+
+	return u.repo.DeleteGuest(ctx, id)
+}
+
+// --- Propagator Internals ---
+
+func (u *WorkspaceUsecase) propagateGuestToAllChannels(ctx context.Context, guest wsDomain.ClientWorkspaceGuest) error {
+	channels, err := u.repo.ListChannelsInClientWorkspace(ctx, guest.ClientWorkspaceID)
+	if err != nil {
+		return err
+	}
+
+	for _, ch := range channels {
+		if ch.Config.GuestAccess == nil {
+			ch.Config.GuestAccess = make(map[string]channel.GuestConfigCache)
+		}
+
+		for _, ident := range guest.PlatformIdentifiers {
+			ch.Config.GuestAccess[ident] = channel.GuestConfigCache{
+				GuestID:    guest.ID,
+				BotID:      guest.BotID,
+				TemplateID: guest.BotTemplateID,
+				Name:       guest.Name,
+			}
+		}
+
+		_ = u.UpdateChannel(ctx, ch)
+	}
+	return nil
+}
+
+func (u *WorkspaceUsecase) propagateWorkspaceToChannel(ctx context.Context, workspaceID, channelID string) error {
+	guests, err := u.repo.ListGuestsInClientWorkspace(ctx, workspaceID)
+	if err != nil {
+		return err
+	}
+
+	ch, err := u.repo.GetChannel(ctx, channelID)
+	if err != nil {
+		return err
+	}
+
+	if ch.Config.GuestAccess == nil {
+		ch.Config.GuestAccess = make(map[string]channel.GuestConfigCache)
+	}
+
+	for _, g := range guests {
+		for _, ident := range g.PlatformIdentifiers {
+			ch.Config.GuestAccess[ident] = channel.GuestConfigCache{
+				GuestID:    g.ID,
+				BotID:      g.BotID,
+				TemplateID: g.BotTemplateID,
+				Name:       g.Name,
+			}
+		}
+	}
+
+	return u.UpdateChannel(ctx, ch)
+}
+
+func (u *WorkspaceUsecase) cleanupGuestOldIdentifiers(ctx context.Context, old, new wsDomain.ClientWorkspaceGuest) {
+	// Find which identifiers were removed or changed
+	toRemove := make([]string, 0)
+	for platform, oldIdent := range old.PlatformIdentifiers {
+		newIdent, exists := new.PlatformIdentifiers[platform]
+		if !exists || newIdent != oldIdent {
+			toRemove = append(toRemove, oldIdent)
+		}
+	}
+
+	if len(toRemove) == 0 {
+		return
+	}
+
+	channels, _ := u.repo.ListChannelsInClientWorkspace(ctx, old.ClientWorkspaceID)
+	for _, ch := range channels {
+		if ch.Config.GuestAccess == nil {
+			continue
+		}
+
+		changed := false
+		for _, ident := range toRemove {
+			if _, ok := ch.Config.GuestAccess[ident]; ok {
+				delete(ch.Config.GuestAccess, ident)
+				changed = true
+			}
+		}
+
+		if changed {
+			_ = u.UpdateChannel(ctx, ch)
+		}
+	}
+}
+
+func (u *WorkspaceUsecase) revokeGuestAccess(ctx context.Context, guest wsDomain.ClientWorkspaceGuest) {
+	channels, _ := u.repo.ListChannelsInClientWorkspace(ctx, guest.ClientWorkspaceID)
+	for _, ch := range channels {
+		if ch.Config.GuestAccess == nil {
+			continue
+		}
+
+		changed := false
+		for _, ident := range guest.PlatformIdentifiers {
+			if _, ok := ch.Config.GuestAccess[ident]; ok {
+				delete(ch.Config.GuestAccess, ident)
+				changed = true
+			}
+		}
+
+		if changed {
+			_ = u.UpdateChannel(ctx, ch)
+		}
+	}
+}
diff --git a/src/workspace/usecase/workspace.go b/src/workspace/usecase/workspace.go
index 1f0af10..538e165 100644
--- a/src/workspace/usecase/workspace.go
+++ b/src/workspace/usecase/workspace.go
@@ -80,6 +80,18 @@ func (u *WorkspaceUsecase) DeleteWorkspace(ctx context.Context, id string) error
 	return nil
 }
 
+func (u *WorkspaceUsecase) DeleteClientWorkspace(ctx context.Context, id string) error {
+	// 1. Get guests to revoke their access from linked channels
+	guests, err := u.repo.ListGuestsInClientWorkspace(ctx, id)
+	if err == nil {
+		for _, g := range guests {
+			u.revokeGuestAccess(ctx, g)
+		}
+	}
+
+	return u.repo.DeleteClientWorkspace(ctx, id)
+}
+
 func (u *WorkspaceUsecase) CreateChannel(ctx context.Context, workspaceID string, chType channel.ChannelType, name string) (channel.Channel, error) {
 	// Verify workspace exists
 	if _, err := u.repo.GetByID(ctx, workspaceID); err != nil {
@@ -331,3 +343,54 @@ func (u *WorkspaceUsecase) GetChannelProfilePhoto(ctx context.Context, channelID
 	}
 	return url, nil
 }
+
+// --- Client Workspace Usecases ---
+
+func (u *WorkspaceUsecase) CreateClientWorkspace(ctx context.Context, ownerID, name, description string) (wsDomain.ClientWorkspace, error) {
+	ws := wsDomain.ClientWorkspace{
+		ID:          uuid.NewString(),
+		OwnerID:     ownerID,
+		Name:        name,
+		Description: description,
+		CreatedAt:   time.Now().UTC(),
+		UpdatedAt:   time.Now().UTC(),
+	}
+	err := u.repo.CreateClientWorkspace(ctx, ws)
+	return ws, err
+}
+
+func (u *WorkspaceUsecase) ListClientWorkspaces(ctx context.Context, ownerID string) ([]wsDomain.ClientWorkspace, error) {
+	return u.repo.ListClientWorkspaces(ctx, ownerID)
+}
+
+func (u *WorkspaceUsecase) LinkChannelToClientWorkspace(ctx context.Context, workspaceID, channelID string) error {
+	// 1. Link channel
+	if err := u.repo.LinkChannelToClientWorkspace(ctx, workspaceID, channelID); err != nil {
+		return err
+	}
+	// 2. Propagate all guests from this workspace to this channel
+	return u.propagateWorkspaceToChannel(ctx, workspaceID, channelID)
+}
+
+func (u *WorkspaceUsecase) UnlinkChannelFromClientWorkspace(ctx context.Context, workspaceID, channelID string) error {
+	// 1. Get guests to know which keys to delete
+	guests, err := u.repo.ListGuestsInClientWorkspace(ctx, workspaceID)
+	if err == nil {
+		ch, err := u.repo.GetChannel(ctx, channelID)
+		if err == nil && ch.Config.GuestAccess != nil {
+			changed := false
+			for _, g := range guests {
+				for _, ident := range g.PlatformIdentifiers {
+					if _, ok := ch.Config.GuestAccess[ident]; ok {
+						delete(ch.Config.GuestAccess, ident)
+						changed = true
+					}
+				}
+			}
+			if changed {
+				_ = u.UpdateChannel(ctx, ch)
+			}
+		}
+	}
+	return u.repo.UnlinkChannelFromClientWorkspace(ctx, workspaceID, channelID)
+}

From a713609247d08e9c5ddb2eb8753c011e7d569817 Mon Sep 17 00:00:00 2001
From: Aziel <azielcruzado@gmail.com>
Date: Tue, 24 Feb 2026 12:20:06 -0500
Subject: [PATCH 09/12] [Core] Update client domain and app initialization for
 Portal integration

---
 src/clients/adapter/rest/dto.go       |  56 +++---
 src/clients/adapter/rest/handler.go   | 237 ++++++++++++++++++++++--
 src/clients/domain/models.go          |  15 ++
 src/clients/repository/client_gorm.go |  18 ++
 src/cmd/rest.go                       |  45 ++---
 src/cmd/root.go                       |  27 ++-
 src/core/config/config.go             |  12 +-
 src/core/kvstore/kvstore.go           | 253 ++++++++++++++++++++++++++
 src/go.mod                            |   4 +-
 src/infrastructure/valkey/client.go   |  14 ++
 src/pkg/utils/whatsapp.go             |  32 ++++
 src/pkg/utils/whatsapp_test.go        |  61 +++++++
 src/ui/rest/workspace.go              |   3 +
 13 files changed, 696 insertions(+), 81 deletions(-)
 create mode 100644 src/core/kvstore/kvstore.go

diff --git a/src/clients/adapter/rest/dto.go b/src/clients/adapter/rest/dto.go
index 288d124..36e8ebd 100644
--- a/src/clients/adapter/rest/dto.go
+++ b/src/clients/adapter/rest/dto.go
@@ -6,37 +6,39 @@ import (
 
 // CreateClientRequest representa la petición para crear un cliente
 type CreateClientRequest struct {
-	PlatformID   string         `json:"platform_id"`
-	PlatformType string         `json:"platform_type"`
-	DisplayName  string         `json:"display_name"`
-	Email        string         `json:"email"`
-	Phone        string         `json:"phone"`
-	Tier         string         `json:"tier"`
-	Tags         []string       `json:"tags"`
-	Metadata     map[string]any `json:"metadata"`
-	Notes        string         `json:"notes"`
-	Language     string         `json:"language"`
-	Timezone     string         `json:"timezone"`
-	Country      string         `json:"country"`
-	AllowedBots  []string       `json:"allowed_bots"`
-	IsTester     bool           `json:"is_tester"`
+	PlatformID    string         `json:"platform_id"`
+	PlatformType  string         `json:"platform_type"`
+	DisplayName   string         `json:"display_name"`
+	Email         string         `json:"email"`
+	Phone         string         `json:"phone"`
+	Tier          string         `json:"tier"`
+	Tags          []string       `json:"tags"`
+	Metadata      map[string]any `json:"metadata"`
+	Notes         string         `json:"notes"`
+	Language      string         `json:"language"`
+	Timezone      string         `json:"timezone"`
+	Country       string         `json:"country"`
+	AllowedBots   []string       `json:"allowed_bots"`
+	OwnedChannels []string       `json:"owned_channels"`
+	IsTester      bool           `json:"is_tester"`
 }
 
 // UpdateClientRequest representa la petición para actualizar un cliente
 type UpdateClientRequest struct {
-	PlatformID  *string        `json:"platform_id"`
-	DisplayName *string        `json:"display_name"`
-	Email       *string        `json:"email"`
-	Phone       *string        `json:"phone"`
-	Tier        *string        `json:"tier"`
-	Tags        []string       `json:"tags"`
-	Metadata    map[string]any `json:"metadata"`
-	Notes       *string        `json:"notes"`
-	Language    *string        `json:"language"`
-	Timezone    *string        `json:"timezone"`
-	Country     *string        `json:"country"`
-	AllowedBots []string       `json:"allowed_bots"`
-	IsTester    *bool          `json:"is_tester"`
+	PlatformID    *string        `json:"platform_id"`
+	DisplayName   *string        `json:"display_name"`
+	Email         *string        `json:"email"`
+	Phone         *string        `json:"phone"`
+	Tier          *string        `json:"tier"`
+	Tags          []string       `json:"tags"`
+	Metadata      map[string]any `json:"metadata"`
+	Notes         *string        `json:"notes"`
+	Language      *string        `json:"language"`
+	Timezone      *string        `json:"timezone"`
+	Country       *string        `json:"country"`
+	AllowedBots   []string       `json:"allowed_bots"`
+	OwnedChannels []string       `json:"owned_channels"`
+	IsTester      *bool          `json:"is_tester"`
 }
 
 // CreateSubscriptionRequest representa la petición para crear una suscripción
diff --git a/src/clients/adapter/rest/handler.go b/src/clients/adapter/rest/handler.go
index 0c1a452..e6cf386 100644
--- a/src/clients/adapter/rest/handler.go
+++ b/src/clients/adapter/rest/handler.go
@@ -3,6 +3,10 @@ package rest
 import (
 	"github.com/AzielCF/az-wap/clients/application"
 	"github.com/AzielCF/az-wap/clients/domain"
+	"github.com/AzielCF/az-wap/pkg/utils"
+	wsDomain "github.com/AzielCF/az-wap/workspace/domain/workspace"
+	wsRepo "github.com/AzielCF/az-wap/workspace/repository"
+	wsUcase "github.com/AzielCF/az-wap/workspace/usecase"
 	"github.com/gofiber/fiber/v2"
 )
 
@@ -10,13 +14,17 @@ import (
 type ClientHandler struct {
 	clientService *application.ClientService
 	subService    *application.SubscriptionService
+	wsRepo        wsRepo.IWorkspaceRepository
+	wsUc          *wsUcase.WorkspaceUsecase
 }
 
 // NewClientHandler crea una nueva instancia del handler
-func NewClientHandler(clientService *application.ClientService, subService *application.SubscriptionService) *ClientHandler {
+func NewClientHandler(clientService *application.ClientService, subService *application.SubscriptionService, wsRepo wsRepo.IWorkspaceRepository, wsUc *wsUcase.WorkspaceUsecase) *ClientHandler {
 	return &ClientHandler{
 		clientService: clientService,
 		subService:    subService,
+		wsRepo:        wsRepo,
+		wsUc:          wsUc,
 	}
 }
 
@@ -50,6 +58,27 @@ func (h *ClientHandler) RegisterRoutes(router fiber.Router) {
 
 	// Suscripciones por canal
 	router.Get("/channels/:channelId/subscribers", h.ListChannelSubscribers)
+
+	// Canales del cliente
+	clients.Get("/:id/channels", h.ListClientChannels)
+
+	// Workspaces y Guests de cliente (Admin Access)
+	clients.Get("/:id/workspaces", h.ListClientWorkspaces)
+	clients.Post("/:id/workspaces", h.CreateClientWorkspace)
+	clients.Get("/:id/workspaces/:wid", h.GetClientWorkspace)
+	clients.Put("/:id/workspaces/:wid", h.UpdateClientWorkspace)
+	clients.Delete("/:id/workspaces/:wid", h.DeleteClientWorkspace)
+
+	// Canales en Workspace
+	clients.Get("/:id/workspaces/:wid/channels", h.ListWorkspaceChannels)
+	clients.Post("/:id/workspaces/:wid/channels/:cid", h.LinkChannel)
+	clients.Delete("/:id/workspaces/:wid/channels/:cid", h.UnlinkChannel)
+
+	// Guests en Workspace
+	clients.Get("/:id/workspaces/:wid/guests", h.ListWorkspaceGuests)
+	clients.Post("/:id/workspaces/:wid/guests", h.CreateWorkspaceGuest)
+	clients.Put("/:id/workspaces/:wid/guests/:gid", h.UpdateWorkspaceGuest)
+	clients.Delete("/:id/workspaces/:wid/guests/:gid", h.DeleteWorkspaceGuest)
 }
 
 // ListClients lista clientes con filtros
@@ -88,20 +117,21 @@ func (h *ClientHandler) CreateClient(c *fiber.Ctx) error {
 	}
 
 	client := &domain.Client{
-		PlatformID:   req.PlatformID,
-		PlatformType: domain.PlatformType(req.PlatformType),
-		DisplayName:  req.DisplayName,
-		Email:        req.Email,
-		Phone:        req.Phone,
-		Tier:         domain.ClientTier(req.Tier),
-		Tags:         req.Tags,
-		Metadata:     req.Metadata,
-		Notes:        req.Notes,
-		Language:     req.Language,
-		Timezone:     req.Timezone,
-		Country:      req.Country,
-		AllowedBots:  req.AllowedBots,
-		IsTester:     req.IsTester,
+		PlatformID:    req.PlatformID,
+		PlatformType:  domain.PlatformType(req.PlatformType),
+		DisplayName:   req.DisplayName,
+		Email:         req.Email,
+		Phone:         req.Phone,
+		Tier:          domain.ClientTier(req.Tier),
+		Tags:          req.Tags,
+		Metadata:      req.Metadata,
+		Notes:         req.Notes,
+		Language:      req.Language,
+		Timezone:      req.Timezone,
+		Country:       req.Country,
+		AllowedBots:   req.AllowedBots,
+		OwnedChannels: req.OwnedChannels,
+		IsTester:      req.IsTester,
 	}
 
 	if err := h.clientService.Create(c.Context(), client); err != nil {
@@ -183,6 +213,9 @@ func (h *ClientHandler) UpdateClient(c *fiber.Ctx) error {
 	if req.AllowedBots != nil {
 		client.AllowedBots = req.AllowedBots
 	}
+	if req.OwnedChannels != nil {
+		client.OwnedChannels = req.OwnedChannels
+	}
 	if req.IsTester != nil {
 		client.IsTester = *req.IsTester
 	}
@@ -483,3 +516,177 @@ func (h *ClientHandler) UpdateSubscription(c *fiber.Ctx) error {
 
 	return c.JSON(sub)
 }
+
+// --- Client Workspace Handlers (Admin) ---
+
+func (h *ClientHandler) ListClientWorkspaces(c *fiber.Ctx) error {
+	clientID := c.Params("id")
+	workspaces, err := h.wsUc.ListClientWorkspaces(c.Context(), clientID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(workspaces)
+}
+
+func (h *ClientHandler) CreateClientWorkspace(c *fiber.Ctx) error {
+	clientID := c.Params("id")
+	var req struct {
+		Name        string `json:"name"`
+		Description string `json:"description"`
+	}
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request"})
+	}
+
+	ws, err := h.wsUc.CreateClientWorkspace(c.Context(), clientID, req.Name, req.Description)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.Status(fiber.StatusCreated).JSON(ws)
+}
+
+func (h *ClientHandler) GetClientWorkspace(c *fiber.Ctx) error {
+	wid := c.Params("wid")
+	ws, err := h.wsRepo.GetClientWorkspace(c.Context(), wid)
+	if err != nil {
+		return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "workspace not found"})
+	}
+	return c.JSON(ws)
+}
+
+func (h *ClientHandler) UpdateClientWorkspace(c *fiber.Ctx) error {
+	wid := c.Params("wid")
+	var req struct {
+		Name        string `json:"name"`
+		Description string `json:"description"`
+	}
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request"})
+	}
+
+	ws, err := h.wsRepo.GetClientWorkspace(c.Context(), wid)
+	if err != nil {
+		return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "workspace not found"})
+	}
+
+	ws.Name = req.Name
+	ws.Description = req.Description
+	if err := h.wsRepo.UpdateClientWorkspace(c.Context(), ws); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(ws)
+}
+
+func (h *ClientHandler) DeleteClientWorkspace(c *fiber.Ctx) error {
+	wid := c.Params("wid")
+	if err := h.wsUc.DeleteClientWorkspace(c.Context(), wid); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.SendStatus(fiber.StatusNoContent)
+}
+
+func (h *ClientHandler) ListClientChannels(c *fiber.Ctx) error {
+	clientID := c.Params("id")
+	channels, err := h.wsRepo.ListChannelsByOwnerID(c.Context(), clientID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(channels)
+}
+
+func (h *ClientHandler) ListWorkspaceChannels(c *fiber.Ctx) error {
+	wid := c.Params("wid")
+	channels, err := h.wsRepo.ListChannelsInClientWorkspace(c.Context(), wid)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(channels)
+}
+
+func (h *ClientHandler) LinkChannel(c *fiber.Ctx) error {
+	wid := c.Params("wid")
+	cid := c.Params("cid")
+	if err := h.wsUc.LinkChannelToClientWorkspace(c.Context(), wid, cid); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.SendStatus(fiber.StatusNoContent)
+}
+
+func (h *ClientHandler) UnlinkChannel(c *fiber.Ctx) error {
+	wid := c.Params("wid")
+	cid := c.Params("cid")
+	if err := h.wsUc.UnlinkChannelFromClientWorkspace(c.Context(), wid, cid); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.SendStatus(fiber.StatusNoContent)
+}
+
+func (h *ClientHandler) ListWorkspaceGuests(c *fiber.Ctx) error {
+	wid := c.Params("wid")
+	guests, err := h.wsRepo.ListGuestsInClientWorkspace(c.Context(), wid)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(guests)
+}
+
+func (h *ClientHandler) CreateWorkspaceGuest(c *fiber.Ctx) error {
+	clientID := c.Params("id")
+	wid := c.Params("wid")
+	var guest wsDomain.ClientWorkspaceGuest
+	if err := c.BodyParser(&guest); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request"})
+	}
+
+	guest.OwnerID = clientID
+	guest.ClientWorkspaceID = wid
+
+	// Validate that the guest does not have the same identifier as the workspace owner
+	client, err := h.clientService.GetByID(c.Context(), clientID)
+	if err == nil && client != nil {
+		guestPhone := guest.PlatformIdentifiers["whatsapp"]
+		if utils.MatchWhatsAppIdentities(guestPhone, client.Phone) || utils.MatchWhatsAppIdentities(guestPhone, client.PlatformID) {
+			return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "the owner client cannot be added as a guest in their own workspace"})
+		}
+	}
+	newGuest, err := h.wsUc.CreateGuest(c.Context(), guest)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.Status(fiber.StatusCreated).JSON(newGuest)
+}
+
+func (h *ClientHandler) UpdateWorkspaceGuest(c *fiber.Ctx) error {
+	wid := c.Params("wid")
+	gid := c.Params("gid")
+	var req wsDomain.ClientWorkspaceGuest
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid request"})
+	}
+
+	req.ID = gid
+	req.ClientWorkspaceID = wid
+
+	// Validar que el invitado no tenga el mismo número que el dueño del workspace
+	client, err := h.clientService.GetByID(c.Context(), c.Params("id"))
+
+	if err == nil && client != nil {
+		guestPhone := req.PlatformIdentifiers["whatsapp"]
+		if utils.MatchWhatsAppIdentities(guestPhone, client.Phone) || utils.MatchWhatsAppIdentities(guestPhone, client.PlatformID) {
+			return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "the owner client cannot be added as a guest in their own workspace"})
+		}
+	}
+
+	if err := h.wsUc.UpdateGuest(c.Context(), req); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.JSON(req)
+}
+
+func (h *ClientHandler) DeleteWorkspaceGuest(c *fiber.Ctx) error {
+	gid := c.Params("gid")
+	if err := h.wsUc.DeleteGuest(c.Context(), gid); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	return c.SendStatus(fiber.StatusNoContent)
+}
diff --git a/src/clients/domain/models.go b/src/clients/domain/models.go
index 245578b..e2b7a54 100644
--- a/src/clients/domain/models.go
+++ b/src/clients/domain/models.go
@@ -14,6 +14,10 @@ const (
 	TierEnterprise ClientTier = "enterprise"
 )
 
+const (
+	TagEnableWorkspaces = "enable_workspaces"
+)
+
 // PlatformType representa el tipo de plataforma de origen del cliente
 type PlatformType string
 
@@ -40,6 +44,7 @@ type Client struct {
 	Timezone              string         `json:"timezone,omitempty"`                // IANA timezone (e.g. America/Lima)
 	Country               string         `json:"country,omitempty"`                 // ISO 3166-1 alpha-2 (e.g. PE, US, DO)
 	AllowedBots           []string       `json:"allowed_bots"`                      // IDs de bots permitidos para este cliente
+	OwnedChannels         []string       `json:"owned_channels"`                    // IDs de los canales de los que el cliente es dueño
 	SessionTimeout        int            `json:"session_timeout,omitempty"`         // Minutos (Override)
 	InactivityWarningTime int            `json:"inactivity_warning_time,omitempty"` // Minutos (Override)
 	Enabled               bool           `json:"enabled"`
@@ -68,3 +73,13 @@ func (c *Client) HasTag(tag string) bool {
 	}
 	return false
 }
+
+// HasOwnedChannel verifica si el cliente es dueño de un canal
+func (c *Client) HasOwnedChannel(channelID string) bool {
+	for _, ch := range c.OwnedChannels {
+		if ch == channelID {
+			return true
+		}
+	}
+	return false
+}
diff --git a/src/clients/repository/client_gorm.go b/src/clients/repository/client_gorm.go
index 34cc6ba..2f0f5a2 100644
--- a/src/clients/repository/client_gorm.go
+++ b/src/clients/repository/client_gorm.go
@@ -30,6 +30,7 @@ type clientModel struct {
 	Timezone              sql.NullString
 	Country               sql.NullString
 	AllowedBots           sql.NullString `gorm:"type:text;default:'[]'"` // JSON
+	OwnedChannels         sql.NullString `gorm:"type:text;default:'[]'"` // JSON
 	SessionTimeout        int            `gorm:"default:0"`
 	InactivityWarningTime int            `gorm:"default:0"`
 	Enabled               bool           `gorm:"default:true"`
@@ -332,6 +333,15 @@ func toClientModel(c *domain.Client) (clientModel, error) {
 		return clientModel{}, fmt.Errorf("marshal allowed_bots: %w", err)
 	}
 
+	ownedChans := c.OwnedChannels
+	if ownedChans == nil {
+		ownedChans = []string{}
+	}
+	ownedChannelsJSON, err := json.Marshal(ownedChans)
+	if err != nil {
+		return clientModel{}, fmt.Errorf("marshal owned_channels: %w", err)
+	}
+
 	return clientModel{
 		ID:                    c.ID,
 		PlatformID:            c.PlatformID,
@@ -347,6 +357,7 @@ func toClientModel(c *domain.Client) (clientModel, error) {
 		Timezone:              sql.NullString{String: c.Timezone, Valid: c.Timezone != ""},
 		Country:               sql.NullString{String: c.Country, Valid: c.Country != ""},
 		AllowedBots:           sql.NullString{String: string(allowedBotsJSON), Valid: true},
+		OwnedChannels:         sql.NullString{String: string(ownedChannelsJSON), Valid: true},
 		SessionTimeout:        c.SessionTimeout,
 		InactivityWarningTime: c.InactivityWarningTime,
 		Enabled:               c.Enabled,
@@ -400,5 +411,12 @@ func fromClientModel(m clientModel) (*domain.Client, error) {
 		c.AllowedBots = []string{}
 	}
 
+	if m.OwnedChannels.Valid && m.OwnedChannels.String != "" {
+		_ = json.Unmarshal([]byte(m.OwnedChannels.String), &c.OwnedChannels)
+	}
+	if c.OwnedChannels == nil {
+		c.OwnedChannels = []string{}
+	}
+
 	return c, nil
 }
diff --git a/src/cmd/rest.go b/src/cmd/rest.go
index b522fca..24b2540 100644
--- a/src/cmd/rest.go
+++ b/src/cmd/rest.go
@@ -8,10 +8,10 @@ import (
 	"syscall"
 	"time"
 
-	clientsRepo "github.com/AzielCF/az-wap/clients/repository"
-	portalAuthApp "github.com/AzielCF/az-wap/clients_portal/auth/application"
 	portalAuthInfra "github.com/AzielCF/az-wap/clients_portal/auth/infrastructure"
 	portalAuthRepo "github.com/AzielCF/az-wap/clients_portal/auth/repository"
+	portalFeatures "github.com/AzielCF/az-wap/clients_portal/features/infrastructure"
+	clientPortalHTTP "github.com/AzielCF/az-wap/clients_portal/http"
 	coreconfig "github.com/AzielCF/az-wap/core/config"
 	coreDB "github.com/AzielCF/az-wap/core/database"
 	"github.com/AzielCF/az-wap/ui/rest"
@@ -129,6 +129,10 @@ func restServer(cmd *cobra.Command, _ []string) {
 			if c.Method() == fiber.MethodOptions {
 				return true
 			}
+			// SKIP Basic Auth for Portal routes (they handle their own auth)
+			if strings.HasPrefix(c.Path(), coreconfig.Global.App.BasePath+"/api/portal") {
+				return true
+			}
 			return false
 		},
 	}))
@@ -162,39 +166,20 @@ func restServer(cmd *cobra.Command, _ []string) {
 	rest.InitRestCache(apiGroup, cacheUsecase)
 	rest.InitRestMCP(apiGroup, mcpUsecase)
 	rest.InitRestHealth(apiGroup, healthUsecase)
+	rest.InitRestWorkspace(apiGroup, wkUsecase, workspaceManager, appUsecase)
+	rest.InitRestMonitoring(apiGroup, monitorStore, workspaceManager, contextCacheStore)
 
-	// --- CLIENTS PORTAL (NEW) ---
-	// 1. Initialize Portal Auth Components
-	portalAuthRepository := portalAuthRepo.NewGormAuthRepository(coreDB.GlobalDB)
-	// Inject existing CRM Client Repository
-	crmClientRepo := clientsRepo.NewClientGormRepository(coreDB.GlobalDB)
-	// Auto-migrate portal users table
-	if err := portalAuthRepository.AutoMigrate(); err != nil {
-		logrus.Errorf("Failed to migrate portal tables: %v", err)
-	}
-
-	portalAuthService := portalAuthApp.NewAuthService(portalAuthRepository, crmClientRepo)
+	// --- CLIENTS PORTAL (ALREADY INITIALIZED IN ROOT) ---
+	// Register Portal Handlers
 	portalAuthHandler := portalAuthInfra.NewAuthHandler(portalAuthService)
-	portalAuthMiddleware := portalAuthInfra.NewAuthMiddleware(portalAuthRepository)
+	portalFeaturesHandler := portalFeatures.NewFeaturesHandler(subService, clientService, newsletterUsecase, wkRepo, botUsecase, wkUsecase, workspaceManager)
+	// Re-instantiate middleware here or reuse if global, but for clarity using local repo instance as before
+	portalAuthMiddleware := portalAuthInfra.NewAuthMiddleware(portalAuthRepo.NewGormAuthRepository(coreDB.GlobalDB))
 
-	// 2. Create API Group for Portal (Isolated from Admin)
-	portalGroup := app.Group(coreconfig.Global.App.BasePath + "/api/portal")
-
-	// Public Portal Routes (Login)
-	portalGroup.Post("/login", portalAuthHandler.Login)
-	// TODO: Register should be protected or invitation-only, currently open for initial testing or move to admin
-	// portalGroup.Post("/register", portalAuthHandler.Register)
-
-	// Protected Portal Routes
-	portalProtected := portalGroup.Group("/")
-	portalProtected.Use(portalAuthMiddleware)
-	portalProtected.Get("/me", portalAuthHandler.Me) // Logged-in user profile
+	// Register ALL Portal Routes via Global Portal Router
+	clientPortalHTTP.RegisterPortalRoutes(app, apiGroup, portalAuthHandler, portalFeaturesHandler, portalAuthMiddleware)
 
 	// Unified Monitoring System (Multi-server aware)
-	rest.InitRestMonitoring(apiGroup, monitorStore, workspaceManager, contextCacheStore)
-
-	// Register Workspace Handlers
-	rest.InitRestWorkspace(apiGroup, wkUsecase, workspaceManager, appUsecase)
 
 	// Register Client Handlers
 	clientHandler.RegisterRoutes(apiGroup)
diff --git a/src/cmd/root.go b/src/cmd/root.go
index e00590a..e3a7213 100644
--- a/src/cmd/root.go
+++ b/src/cmd/root.go
@@ -27,6 +27,7 @@ import (
 
 	coreconfig "github.com/AzielCF/az-wap/core/config"
 	coreDB "github.com/AzielCF/az-wap/core/database"
+	"github.com/AzielCF/az-wap/core/kvstore"
 	coreSettings "github.com/AzielCF/az-wap/core/settings/application"
 
 	"github.com/AzielCF/az-wap/botengine"
@@ -73,7 +74,10 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"go.mau.fi/whatsmeow"
-	// "go.mau.fi/whatsmeow/store/sqlstore"
+
+	// Portal Module
+	portalAuthApp "github.com/AzielCF/az-wap/clients_portal/auth/application"
+	portalAuthRepo "github.com/AzielCF/az-wap/clients_portal/auth/repository"
 )
 
 var (
@@ -119,6 +123,9 @@ var (
 
 	// Core Services
 	settingsSvc *coreSettings.SettingsService
+
+	// Portal
+	portalAuthService *portalAuthApp.AuthService
 )
 
 // rootCmd represents the base command when called without any subcommands
@@ -282,6 +289,15 @@ func initApp() {
 		logrus.Fatalf("failed to init subscription repo: %v", err)
 	}
 
+	// 2.2 Clients Portal Module Initialization
+	kvstore.Init(vkClient)
+
+	portalAuthRepoInst := portalAuthRepo.NewGormAuthRepository(gormDB)
+	if err := portalAuthRepoInst.AutoMigrate(); err != nil {
+		logrus.Fatalf("[PORTAL] Failed to migrate portal auth table: %v", err)
+	}
+	portalAuthService = portalAuthApp.NewAuthService(portalAuthRepoInst, clientRepo, wkRepo, kvstore.Global)
+
 	// Client Services
 	clientService = clientsApp.NewClientService(clientRepo, subRepo)
 	subService = clientsApp.NewSubscriptionService(subRepo, clientRepo)
@@ -289,9 +305,6 @@ func initApp() {
 	// Client Resolver (for runtime context resolution)
 	clientResolver = clientsApp.NewClientResolver(clientRepo, subRepo, wkRepo)
 
-	// Client REST Handler
-	clientHandler = clientsRest.NewClientHandler(clientService, subService)
-
 	logrus.Info("[CLIENTS] Client module initialized successfully")
 
 	// 3. Monitoring and Typing (Distributed if Valkey is available)
@@ -324,6 +337,9 @@ func initApp() {
 	messageUsecase = usecase.NewMessageService(workspaceManager)
 	wkUsecase = workspaceUsecaseLayer.NewWorkspaceUsecase(wkRepo, workspaceManager)
 
+	// Client REST Handler (Admin)
+	clientHandler = clientsRest.NewClientHandler(clientService, subService, wkRepo, wkUsecase)
+
 	// 5. WhatsApp Adapter Factory
 	workspaceManager.RegisterFactory(channel.ChannelTypeWhatsApp, func(conf channel.ChannelConfig) (channel.ChannelAdapter, error) {
 		channelID, _ := conf.Settings["channel_id"].(string)
@@ -424,10 +440,11 @@ func initApp() {
 	botEngine.RegisterNativeTool(rTools.CountRemindersTool())
 
 	// Register Client Profile Tools (allow users to manage their personal info via AI)
-	cTools := onlyClients.NewClientTools(clientRepo)
+	cTools := onlyClients.NewClientTools(clientRepo, portalAuthService)
 	botEngine.RegisterNativeTool(cTools.UpdateMyInfoTool())
 	botEngine.RegisterNativeTool(cTools.GetMyInfoTool())
 	botEngine.RegisterNativeTool(cTools.DeleteMyFieldTool())
+	botEngine.RegisterNativeTool(cTools.GetPortalLinkTool())
 
 	// Register Currency Tools
 	cxTools := onlyClients.NewExchangeRateTools()
diff --git a/src/core/config/config.go b/src/core/config/config.go
index c100302..0d424bd 100644
--- a/src/core/config/config.go
+++ b/src/core/config/config.go
@@ -35,6 +35,7 @@ type AppConfig struct {
 	BaseUrl            string
 	CorsAllowedOrigins []string
 	ServerID           string
+	PortalURL          string
 }
 
 type MCPConfig struct {
@@ -93,7 +94,9 @@ type WorkerPoolConfig struct {
 }
 
 type SecurityConfig struct {
-	SecretKey string
+	SecretKey         string
+	PortalJWTSecret   string
+	PortalInternalKey string
 }
 
 type APIKeysConfig struct {
@@ -147,6 +150,7 @@ func LoadConfig() (*Config, error) {
 		BaseUrl:            getEnv("APP_BASE_URL", "http://localhost:3000"),
 		CorsAllowedOrigins: cors_origins,
 		ServerID:           getEnv("SERVER_ID", ""),
+		PortalURL:          getEnv("PORTAL_URL", ""),
 	}
 	if v := os.Getenv("APP_TRUSTED_PROXIES"); v != "" {
 		appCfg.TrustedProxies = strings.Split(v, ",")
@@ -216,7 +220,11 @@ func LoadConfig() (*Config, error) {
 		Whatsapp:   waCfg,
 		AI:         aiCfg,
 		WorkerPool: WorkerPoolConfig{Size: poolSize, QueueSize: getEnvInt("MESSAGE_WORKER_QUEUE_SIZE", 1000)},
-		Security:   SecurityConfig{SecretKey: getEnv("APP_SECRET_KEY", "changeme_please_change_me_in_prod_12345")},
+		Security: SecurityConfig{
+			SecretKey:         getEnv("APP_SECRET_KEY", "changeme_please_change_me_in_prod_12345"),
+			PortalJWTSecret:   getEnv("PORTAL_JWT_SECRET", getEnv("APP_SECRET_KEY", "changeme_portal_jwt")),
+			PortalInternalKey: getEnv("PORTAL_INTERNAL_KEY", "changeme_internal_key"),
+		},
 		APIKeys: APIKeysConfig{
 			Gemini: getEnv("GEMINI_API_KEY", ""),
 			OpenAI: getEnv("OPENAI_API_KEY", ""),
diff --git a/src/core/kvstore/kvstore.go b/src/core/kvstore/kvstore.go
new file mode 100644
index 0000000..19f48da
--- /dev/null
+++ b/src/core/kvstore/kvstore.go
@@ -0,0 +1,253 @@
+package kvstore
+
+import (
+	"context"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/AzielCF/az-wap/infrastructure/valkey"
+	"github.com/sirupsen/logrus"
+)
+
+// KVStore defines the standard interface for key-value storage in the system.
+// It abstracts the implementation (Valkey vs Memory) while providing advanced features.
+type KVStore interface {
+	// Basic Operations
+	Set(ctx context.Context, key string, value string, ttl time.Duration) error
+	Get(ctx context.Context, key string) (string, error)
+	Delete(ctx context.Context, key string) error
+	Exists(ctx context.Context, key string) (bool, error)
+
+	// Locks (Atomic - useful for distributed tasks or avoiding race conditions)
+	Lock(ctx context.Context, key string, ttl time.Duration) (bool, error)
+	Unlock(ctx context.Context, key string) error
+
+	// Discovery
+	Keys(ctx context.Context, pattern string) ([]string, error)
+}
+
+type cachedItem struct {
+	value     string
+	expiresAt time.Time
+}
+
+type smartStore struct {
+	vkClient *valkey.Client
+	memory   sync.Map
+	locks    sync.Map // For memory-based locking
+}
+
+// NewSmartStore creates a store that automatically chooses between Valkey and Memory
+func NewSmartStore(vkClient *valkey.Client) KVStore {
+	s := &smartStore{
+		vkClient: vkClient,
+	}
+
+	// Start background cleanup for memory-only mode
+	if vkClient == nil {
+		go s.memoryCleanupLoop()
+	}
+
+	return s
+}
+
+func (s *smartStore) Set(ctx context.Context, key string, value string, ttl time.Duration) error {
+	if s.vkClient != nil && s.vkClient.IsConnected() {
+		err := s.vkClient.Set(ctx, key, value, ttl)
+		if err != nil {
+			logrus.Errorf("[KVStore] Valkey Set error for key %s: %v", key, err)
+			return err
+		}
+		return nil
+	}
+
+	// Fallback to memory
+	s.memory.Store(key, cachedItem{
+		value:     value,
+		expiresAt: time.Now().Add(ttl),
+	})
+	return nil
+}
+
+func (s *smartStore) Get(ctx context.Context, key string) (string, error) {
+	if s.vkClient != nil && s.vkClient.IsConnected() {
+		val, err := s.vkClient.Get(ctx, key)
+		if err != nil {
+			logrus.Errorf("[KVStore] Valkey Get error for key %s: %v", key, err)
+			return "", err
+		}
+		return val, nil
+	}
+
+	// Fallback to memory
+	val, ok := s.memory.Load(key)
+	if !ok {
+		return "", nil
+	}
+
+	item := val.(cachedItem)
+	if time.Now().After(item.expiresAt) {
+		s.memory.Delete(key)
+		return "", nil
+	}
+
+	return item.value, nil
+}
+
+func (s *smartStore) Exists(ctx context.Context, key string) (bool, error) {
+	if s.vkClient != nil && s.vkClient.IsConnected() {
+		res, err := s.vkClient.Inner().Do(ctx, s.vkClient.Inner().B().Exists().Key(key).Build()).AsInt64()
+		if err != nil {
+			logrus.Errorf("[KVStore] Valkey Exists error for key %s: %v", key, err)
+			return false, err
+		}
+		return res > 0, nil
+	}
+
+	val, ok := s.memory.Load(key)
+	if !ok {
+		return false, nil
+	}
+	item := val.(cachedItem)
+	if time.Now().After(item.expiresAt) {
+		s.memory.Delete(key)
+		return false, nil
+	}
+	return true, nil
+}
+
+func (s *smartStore) Delete(ctx context.Context, key string) error {
+	if s.vkClient != nil && s.vkClient.IsConnected() {
+		err := s.vkClient.Inner().Do(ctx, s.vkClient.Inner().B().Del().Key(key).Build()).Error()
+		if err != nil {
+			logrus.Errorf("[KVStore] Valkey Delete error for key %s: %v", key, err)
+			return err
+		}
+		return nil
+	}
+
+	s.memory.Delete(key)
+	return nil
+}
+
+func (s *smartStore) Lock(ctx context.Context, key string, ttl time.Duration) (bool, error) {
+	lockKey := "lock:" + key
+	if s.vkClient != nil && s.vkClient.IsConnected() {
+		err := s.vkClient.Inner().Do(ctx, s.vkClient.Inner().B().Set().Key(lockKey).Value("1").Nx().Ex(ttl).Build()).Error()
+		if err != nil {
+			if valkey.IsNil(err) {
+				return false, nil
+			}
+			logrus.Errorf("[KVStore] Valkey Lock error for key %s: %v", key, err)
+			return false, err
+		}
+		return true, nil
+	}
+
+	// Memory locking
+	now := time.Now()
+	val, loaded := s.locks.LoadOrStore(lockKey, now.Add(ttl))
+	if loaded {
+		// Check if existing lock is expired
+		expiry := val.(time.Time)
+		if now.After(expiry) {
+			s.locks.Store(lockKey, now.Add(ttl))
+			return true, nil
+		}
+		return false, nil
+	}
+	return true, nil
+}
+
+func (s *smartStore) Unlock(ctx context.Context, key string) error {
+	lockKey := "lock:" + key
+	if s.vkClient != nil && s.vkClient.IsConnected() {
+		err := s.vkClient.Inner().Do(ctx, s.vkClient.Inner().B().Del().Key(lockKey).Build()).Error()
+		if err != nil {
+			logrus.Errorf("[KVStore] Valkey Unlock error for key %s: %v", key, err)
+			return err
+		}
+		return nil
+	}
+
+	s.locks.Delete(lockKey)
+	return nil
+}
+
+func (s *smartStore) Keys(ctx context.Context, pattern string) ([]string, error) {
+	if s.vkClient != nil && s.vkClient.IsConnected() {
+		var allKeys []string
+		var cursor uint64
+		for {
+			res, err := s.vkClient.Inner().Do(ctx, s.vkClient.Inner().B().Scan().Cursor(cursor).Match(pattern).Count(100).Build()).AsScanEntry()
+			if err != nil {
+				logrus.Errorf("[KVStore] Valkey Scan error with pattern %s: %v", pattern, err)
+				return nil, err
+			}
+			allKeys = append(allKeys, res.Elements...)
+			cursor = res.Cursor
+			if cursor == 0 {
+				break
+			}
+		}
+		return allKeys, nil
+	}
+
+	// Memory keys search (simple glob matching)
+	var keys []string
+	s.memory.Range(func(key, value any) bool {
+		k := key.(string)
+		item := value.(cachedItem)
+		if time.Now().Before(item.expiresAt) {
+			if matched, _ := filepath.Match(pattern, k); matched {
+				keys = append(keys, k)
+			}
+		}
+		return true
+	})
+	return keys, nil
+}
+
+func (s *smartStore) memoryCleanupLoop() {
+	ticker := time.NewTicker(10 * time.Minute)
+	logrus.Debug("[KVStore] Memory cleanup loop started")
+	for range ticker.C {
+		now := time.Now()
+		cleanedMain := 0
+		cleanedLocks := 0
+
+		s.memory.Range(func(key, value any) bool {
+			item := value.(cachedItem)
+			if now.After(item.expiresAt) {
+				s.memory.Delete(key)
+				cleanedMain++
+			}
+			return true
+		})
+		s.locks.Range(func(key, value any) bool {
+			expiry := value.(time.Time)
+			if now.After(expiry) {
+				s.locks.Delete(key)
+				cleanedLocks++
+			}
+			return true
+		})
+
+		if cleanedMain > 0 || cleanedLocks > 0 {
+			logrus.Debugf("[KVStore] Memory Cleanup: removed %d items and %d expired locks", cleanedMain, cleanedLocks)
+		}
+	}
+}
+
+// Global instance helper
+var Global KVStore
+
+func Init(vkClient *valkey.Client) {
+	Global = NewSmartStore(vkClient)
+	if vkClient != nil {
+		logrus.Info("[CORE] KVStore initialized with Valkey support")
+	} else {
+		logrus.Warn("[CORE] KVStore initialized in-memory mode (distributed features disabled)")
+	}
+}
diff --git a/src/go.mod b/src/go.mod
index 939f816..8e54e27 100644
--- a/src/go.mod
+++ b/src/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/go-ozzo/ozzo-validation/v4 v4.3.0
 	github.com/gofiber/fiber/v2 v2.52.10
 	github.com/gofiber/websocket/v2 v2.2.1
+	github.com/golang-jwt/jwt/v5 v5.3.1
 	github.com/google/uuid v1.6.0
 	github.com/joho/godotenv v1.5.1
 	github.com/lib/pq v1.10.9
@@ -22,6 +23,7 @@ require (
 	github.com/valkey-io/valkey-go v1.0.70
 	github.com/valyala/fasthttp v1.68.0
 	go.mau.fi/whatsmeow v0.0.0-20260129212019-7787ab952245
+	golang.org/x/crypto v0.47.0
 	golang.org/x/image v0.33.0
 	google.golang.org/genai v1.43.0
 	google.golang.org/protobuf v1.36.11
@@ -52,7 +54,6 @@ require (
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
-	github.com/golang-jwt/jwt/v5 v5.3.1 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.11 // indirect
@@ -101,7 +102,6 @@ require (
 	go.opentelemetry.io/otel v1.32.0 // indirect
 	go.opentelemetry.io/otel/metric v1.32.0 // indirect
 	go.opentelemetry.io/otel/trace v1.32.0 // indirect
-	golang.org/x/crypto v0.47.0 // indirect
 	golang.org/x/exp v0.0.0-20260112195511-716be5621a96 // indirect
 	golang.org/x/net v0.49.0 // indirect
 	golang.org/x/sync v0.19.0 // indirect
diff --git a/src/infrastructure/valkey/client.go b/src/infrastructure/valkey/client.go
index e86e572..0c34772 100644
--- a/src/infrastructure/valkey/client.go
+++ b/src/infrastructure/valkey/client.go
@@ -123,3 +123,17 @@ func (c *Client) IsConnected() bool {
 func IsNil(err error) bool {
 	return valkeylib.IsValkeyNil(err)
 }
+
+// Set stores a value with an expiration in Valkey.
+func (c *Client) Set(ctx context.Context, key string, value string, ttl time.Duration) error {
+	return c.inner.Do(ctx, c.inner.B().Set().Key(key).Value(value).Ex(ttl).Build()).Error()
+}
+
+// Get retrieves a string value from Valkey. Returns empty string and nil error if key not found.
+func (c *Client) Get(ctx context.Context, key string) (string, error) {
+	val, err := c.inner.Do(ctx, c.inner.B().Get().Key(key).Build()).ToString()
+	if IsNil(err) {
+		return "", nil
+	}
+	return val, err
+}
diff --git a/src/pkg/utils/whatsapp.go b/src/pkg/utils/whatsapp.go
index 2f49a91..b3f1dec 100644
--- a/src/pkg/utils/whatsapp.go
+++ b/src/pkg/utils/whatsapp.go
@@ -832,3 +832,35 @@ func BuildForwarded(evt *events.Message) bool {
 	}
 	return false
 }
+
+// CleanWhatsAppID removes the standard @s.whatsapp.net domain and device index suffixes.
+// It preserves other domains like @lid.
+func CleanWhatsAppID(id string) string {
+	id = strings.TrimSuffix(id, "@s.whatsapp.net")
+	if idx := strings.Index(id, ":"); idx != -1 {
+		atIdx := strings.Index(id, "@")
+		if atIdx != -1 && atIdx > idx {
+			id = id[:idx] + id[atIdx:]
+		} else if atIdx == -1 {
+			id = id[:idx]
+		}
+	}
+	return id
+}
+
+// NormalizeWhatsAppIdentity removes all whatsapp platform suffixes (including @lid) for comparison.
+func NormalizeWhatsAppIdentity(id string) string {
+	id = CleanWhatsAppID(id)
+	id = strings.TrimSuffix(id, "@lid")
+	return id
+}
+
+// MatchWhatsAppIdentities compares two WhatsApp identifiers and returns true if they represent the same user,
+// ignoring platform specific suffixes like @s.whatsapp.net or @lid
+func MatchWhatsAppIdentities(id1, id2 string) bool {
+	if id1 == "" || id2 == "" {
+		return false
+	}
+
+	return NormalizeWhatsAppIdentity(id1) == NormalizeWhatsAppIdentity(id2)
+}
diff --git a/src/pkg/utils/whatsapp_test.go b/src/pkg/utils/whatsapp_test.go
index 369d904..89ba50d 100644
--- a/src/pkg/utils/whatsapp_test.go
+++ b/src/pkg/utils/whatsapp_test.go
@@ -50,3 +50,64 @@ func TestDetermineMediaExtension(t *testing.T) {
 		})
 	}
 }
+
+func TestMatchWhatsAppIdentities(t *testing.T) {
+	tests := []struct {
+		name string
+		id1  string
+		id2  string
+		want bool
+	}{
+		{
+			name: "exact match normal phone",
+			id1:  "51987654321",
+			id2:  "51987654321",
+			want: true,
+		},
+		{
+			name: "match with whatsapp net suffix",
+			id1:  "51987654321@s.whatsapp.net",
+			id2:  "51987654321",
+			want: true,
+		},
+		{
+			name: "match both with whatsapp net suffix",
+			id1:  "51987654321@s.whatsapp.net",
+			id2:  "51987654321@s.whatsapp.net",
+			want: true,
+		},
+		{
+			name: "match with lid suffix",
+			id1:  "123456789@lid",
+			id2:  "123456789",
+			want: true,
+		},
+		{
+			name: "mismatch different numbers",
+			id1:  "51999999999",
+			id2:  "51888888888",
+			want: false,
+		},
+		{
+			name: "one empty",
+			id1:  "",
+			id2:  "51987654321",
+			want: false,
+		},
+		{
+			name: "both empty",
+			id1:  "",
+			id2:  "",
+			want: false,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := MatchWhatsAppIdentities(tt.id1, tt.id2)
+			if got != tt.want {
+				t.Fatalf("MatchWhatsAppIdentities(%q, %q) = %v; want %v", tt.id1, tt.id2, got, tt.want)
+			}
+		})
+	}
+}
diff --git a/src/ui/rest/workspace.go b/src/ui/rest/workspace.go
index 590dc54..881f6ca 100644
--- a/src/ui/rest/workspace.go
+++ b/src/ui/rest/workspace.go
@@ -289,6 +289,9 @@ func (h *WorkspaceHandler) UpdateChannel(c *fiber.Ctx) error {
 	if req.Name != "" {
 		ch.Name = req.Name
 	}
+	// Update Owner
+	ch.OwnerID = req.OwnerID
+
 	// We assume if Config is passed, we update it.
 	// To be safer, we could check emptiness, but in Go zero value is empty strict.
 	// Since it's a PUT, full replacement of sent fields is expected.

From 305353f0b19093654007f9485f51add84bd50acc Mon Sep 17 00:00:00 2001
From: Aziel <azielcruzado@gmail.com>
Date: Tue, 24 Feb 2026 12:21:18 -0500
Subject: [PATCH 10/12] [AuthUI] Refactor theme-aware confirmation dialogs and
 expand client workspace management

---
 src/frontend/src/components/AppTabModal.vue   |   5 +-
 src/frontend/src/components/ChannelConfig.vue |  58 +-
 .../src/components/ConfirmationDialog.vue     |  26 +-
 .../src/components/ResourceSelector.vue       |  26 +-
 .../components/clients/ClientEditorModal.vue  | 318 +++++++++
 .../clients/ClientWorkspacesManager.vue       | 659 ++++++++++++++++++
 .../clients/tabs/ClientAccessTab.vue          | 228 ++++++
 .../clients/tabs/ClientContactTab.vue         |  76 ++
 .../clients/tabs/ClientIdentityTab.vue        |  78 +++
 .../clients/tabs/ClientSettingsTab.vue        | 100 +++
 src/frontend/src/views/ClientsView.vue        | 627 ++---------------
 src/frontend/vitest.config.ts                 |   3 +-
 12 files changed, 1624 insertions(+), 580 deletions(-)
 create mode 100644 src/frontend/src/components/clients/ClientEditorModal.vue
 create mode 100644 src/frontend/src/components/clients/ClientWorkspacesManager.vue
 create mode 100644 src/frontend/src/components/clients/tabs/ClientAccessTab.vue
 create mode 100644 src/frontend/src/components/clients/tabs/ClientContactTab.vue
 create mode 100644 src/frontend/src/components/clients/tabs/ClientIdentityTab.vue
 create mode 100644 src/frontend/src/components/clients/tabs/ClientSettingsTab.vue

diff --git a/src/frontend/src/components/AppTabModal.vue b/src/frontend/src/components/AppTabModal.vue
index 0ad2864..c1f82be 100644
--- a/src/frontend/src/components/AppTabModal.vue
+++ b/src/frontend/src/components/AppTabModal.vue
@@ -6,7 +6,7 @@ const props = defineProps<{
   modelValue: boolean
   title: string
   activeTab: string
-  tabs: Array<{ id: string; label: string; icon: any }>
+  tabs: Array<{ id: string; label: string; icon: any; alert?: boolean }>
   maxWidth?: string
   identity?: {
     name: string
@@ -69,6 +69,9 @@ function copyId(id: string) {
             >
               <component v-if="tab.icon" :is="tab.icon" class="w-4 h-4 flex-none" />
               <span class="text-xs">{{ tab.label }}</span>
+              <div v-if="tab.alert" class="ml-auto">
+                <div class="w-1.5 h-1.5 rounded-full bg-yellow-500 shadow-[0_0_8px_rgba(234,179,8,0.5)] animate-pulse"></div>
+              </div>
             </button>
           </div>
 
diff --git a/src/frontend/src/components/ChannelConfig.vue b/src/frontend/src/components/ChannelConfig.vue
index bc18404..458c7ff 100644
--- a/src/frontend/src/components/ChannelConfig.vue
+++ b/src/frontend/src/components/ChannelConfig.vue
@@ -26,6 +26,8 @@ const props = defineProps<{
 const emit = defineEmits(['saved', 'cancel', 'refresh'])
 const api = useApi()
 
+const clients = ref<any[]>([])
+
 const localChannel = ref(JSON.parse(JSON.stringify(props.channel)))
 
 const config = ref<any>({
@@ -76,7 +78,8 @@ const config = ref<any>({
           fr: '',
           ru: ''
       }
-  }
+  },
+  owner_id: props.channel.owner_id || ''
 })
 
 const extensionInput = ref('')
@@ -163,6 +166,21 @@ function loadInitialConfig() {
 
   loadAccessRules()
   refreshChannelData()
+  loadClients()
+}
+
+async function loadClients() {
+    try {
+        const res = await api.get('/clients')
+        // Map display_name to name for ResourceSelector compatibility
+        // Use .data instead of .results as per backend implementation
+        clients.value = (res.data || []).map((c: any) => ({
+            ...c,
+            name: c.display_name
+        }))
+    } catch (err) {
+        console.error('Failed to load clients', err)
+    }
 }
 
 async function refreshChannelData() {
@@ -293,6 +311,26 @@ async function deleteAccessRule(rid: string) {
 }
 
 async function save() {
+    // Verify if owner changed for security confirmation
+    const originalOwner = props.channel.owner_id || ''
+    const newOwner = config.value.owner_id || ''
+
+    if (originalOwner !== newOwner) {
+        confirmModal.value = {
+            show: true,
+            title: 'Change Channel Ownership?',
+            message: 'This operation is delicate. Changing the owner will affect which client can manage and pay for this infrastructure. Are you sure?',
+            type: 'warning',
+            confirmText: 'Yes, Change Owner',
+            onConfirm: () => executeSave()
+        }
+        return
+    }
+
+    await executeSave()
+}
+
+async function executeSave() {
   try {
     const payload = JSON.parse(JSON.stringify(config.value))
     const newName = payload.name
@@ -302,7 +340,8 @@ async function save() {
     // Update Instance Name
     await api.put(`/workspaces/${props.workspaceId}/channels/${props.channel.id}`, {
         name: newName,
-        type: props.channel.type
+        type: props.channel.type,
+        owner_id: config.value.owner_id
     })
 
     // Update Instance Config
@@ -478,11 +517,24 @@ onMounted(loadInitialConfig)
       <div v-if="activeTab === 'general'" class="space-y-10">
         <div class="section-title-premium text-primary/60">General Settings</div>
 
-        <section class="grid grid-cols-1 gap-8">
+        <section class="grid grid-cols-1 md:grid-cols-2 gap-8">
             <div class="form-control w-full">
                 <label class="label-premium">Friendly Name</label>
                 <input v-model="config.name" type="text" placeholder="e.g. Sales WhatsApp" class="input-premium h-14 w-full text-lg font-black" />
             </div>
+
+            <div class="form-control w-full">
+                <ResourceSelector
+                    v-model="config.owner_id"
+                    :items="clients"
+                    label="Assigned Client Owner"
+                    placeholder="Search/Select channel owner..."
+                    iconType="user"
+                    resourceLabel="Primary Owner"
+                    :nullable="true"
+                    color="amber"
+                />
+            </div>
         </section>
 
         <section class="space-y-6">
diff --git a/src/frontend/src/components/ConfirmationDialog.vue b/src/frontend/src/components/ConfirmationDialog.vue
index cefa51c..0826089 100644
--- a/src/frontend/src/components/ConfirmationDialog.vue
+++ b/src/frontend/src/components/ConfirmationDialog.vue
@@ -57,33 +57,33 @@ function confirm() {
 </script>
 
 <template>
-  <div v-if="modelValue" class="modal modal-open backdrop-blur-md z-[9999]" role="dialog">
-    <div class="modal-box p-0 bg-[#0f1219] border shadow-2xl overflow-hidden max-w-sm relative group" :class="[styles.borderColor, styles.glowColor]">
-      <!-- Decoration -->
-      <div class="absolute top-0 inset-x-0 h-1 bg-gradient-to-r from-transparent via-white/10 to-transparent opacity-50"></div>
+  <div v-if="modelValue" class="modal modal-open modal-bottom sm:modal-middle backdrop-blur-sm z-[9999] transition-all duration-300" role="dialog">
+    <div class="modal-box p-0 bg-[#0c0f16] border shadow-2xl overflow-hidden max-w-md relative group" :class="[styles.borderColor, styles.glowColor]">
+      <!-- Refined decoration -->
+      <div class="absolute top-0 inset-x-0 h-[1px] bg-gradient-to-r from-transparent via-white/20 to-transparent opacity-50"></div>
       
-      <div class="p-8 flex flex-col items-center text-center">
-        <div class="w-16 h-16 rounded-2xl bg-white/5 flex items-center justify-center mb-6 border border-white/5" :class="styles.iconColor">
-           <component :is="styles.icon" class="w-8 h-8" />
+      <div class="p-8 md:p-10 flex flex-col items-center text-center">
+        <div class="w-20 h-20 rounded-3xl bg-white/[0.03] flex items-center justify-center mb-8 border border-white/10 shadow-inner group-hover:scale-110 transition-transform duration-500" :class="styles.iconColor">
+           <component :is="styles.icon" class="w-10 h-10" />
         </div>
         
-        <h3 class="text-xl font-black uppercase tracking-tight mb-3" :class="styles.titleColor">{{ title || 'Confirmation' }}</h3>
+        <h3 class="text-2xl font-black uppercase tracking-tight mb-4" :class="styles.titleColor">{{ title || 'Confirmation' }}</h3>
         
-        <p class="text-slate-400 text-sm leading-relaxed font-medium mb-8">
+        <p class="text-slate-400 text-sm md:text-base leading-relaxed font-medium mb-10 max-w-[280px] md:max-w-xs">
             {{ message }}
         </p>
 
-        <div class="grid grid-cols-2 gap-4 w-full">
-            <button @click="close" class="btn h-12 bg-white/5 hover:bg-white/10 border-transparent text-slate-400 hover:text-white font-bold uppercase tracking-wider text-xs rounded-xl">
+        <div class="flex flex-col sm:grid sm:grid-cols-2 gap-3 w-full">
+            <button @click="close" class="btn h-14 bg-white/5 hover:bg-white/10 border-white/5 text-slate-400 hover:text-white font-bold uppercase tracking-wider text-xs rounded-2xl transition-all order-2 sm:order-1">
                 {{ cancelText || 'Cancel' }}
             </button>
-            <button @click="confirm" class="btn h-12 border-none font-black uppercase tracking-widest text-xs rounded-xl shadow-lg transition-transform active:scale-95" :class="styles.btnColor">
+            <button @click="confirm" class="btn h-14 border-none font-black uppercase tracking-widest text-xs rounded-2xl shadow-xl transition-all hover:brightness-110 active:scale-95 order-1 sm:order-2" :class="styles.btnColor">
                 {{ confirmText || 'Confirm' }}
             </button>
         </div>
       </div>
     </div>
-    <div class="modal-backdrop bg-black/90"></div>
+    <div class="modal-backdrop bg-[#050608]/80 cursor-default" @click="close"></div>
   </div>
 </template>
 
diff --git a/src/frontend/src/components/ResourceSelector.vue b/src/frontend/src/components/ResourceSelector.vue
index 3374bca..ad99f75 100644
--- a/src/frontend/src/components/ResourceSelector.vue
+++ b/src/frontend/src/components/ResourceSelector.vue
@@ -1,13 +1,13 @@
 <script setup lang="ts">
 import { ref, computed, h, nextTick } from 'vue'
-import { Search, X, Bot, Globe, Layout, ChevronDown } from 'lucide-vue-next'
+import { Search, X, Bot, Globe, Layout, ChevronDown, User } from 'lucide-vue-next'
 
 const props = defineProps<{
     modelValue: string | number
     items: Array<{ id: string | number; name: string; type?: string; [key: string]: any }>
     placeholder?: string
     label?: string
-    iconType?: 'bot' | 'channel' | 'workspace' | 'default'
+    iconType?: 'bot' | 'channel' | 'workspace' | 'user' | 'default'
     resourceLabel?: string
     nullable?: boolean
     color?: string
@@ -53,24 +53,28 @@ const getIcon = () => {
     if (props.iconType === 'bot') return Bot
     if (props.iconType === 'channel') return Globe
     if (props.iconType === 'workspace') return Layout
+    if (props.iconType === 'user') return User
     return Bot // default
 }
 
 const activeColorClass = computed(() => {
     if (props.color === 'indigo') return 'text-indigo-400 group-hover:text-indigo-300'
     if (props.color === 'primary') return 'text-primary group-hover:text-primary-focus'
+    if (props.color === 'amber') return 'text-amber-400 group-hover:text-amber-300'
     return 'text-primary'
 })
 
 const activeBgClass = computed(() => {
     if (props.color === 'indigo') return 'bg-indigo-500/10'
     if (props.color === 'primary') return 'bg-primary/10'
+    if (props.color === 'amber') return 'bg-amber-500/10'
     return 'bg-primary/10'
 })
 
 const activeBorderClass = computed(() => {
     if (props.color === 'indigo') return 'border-indigo-500/20'
     if (props.color === 'primary') return 'border-primary/20'
+    if (props.color === 'amber') return 'border-amber-500/20'
     return 'border-primary/20'
 })
 
@@ -86,12 +90,20 @@ const activeBorderClass = computed(() => {
              :class="[activeBgClass, activeBorderClass]">
             <div class="flex items-center gap-4">
                 <div class="w-12 h-12 rounded-2xl flex items-center justify-center shadow-lg transition-colors"
-                     :class="[props.color === 'indigo' ? 'bg-indigo-600 text-white shadow-indigo-500/20' : 'bg-primary text-white shadow-primary/20']">
+                     :class="[
+                        props.color === 'indigo' ? 'bg-indigo-600 text-white shadow-indigo-500/20' : 
+                        props.color === 'amber' ? 'bg-amber-600 text-white shadow-amber-500/20' : 
+                        'bg-primary text-white shadow-primary/20'
+                     ]">
                     <component :is="getIcon()" class="w-6 h-6" />
                 </div>
                 <div>
                     <div class="font-black text-white uppercase text-sm tracking-tight">{{ selectedItem.name }}</div>
-                    <div class="text-xs font-mono uppercase" :class="[props.color === 'indigo' ? 'text-indigo-400' : 'text-primary/60']">
+                    <div class="text-xs font-mono uppercase" :class="[
+                        props.color === 'indigo' ? 'text-indigo-400' : 
+                        props.color === 'amber' ? 'text-amber-400' : 
+                        'text-primary/60'
+                    ]">
                         {{ resourceLabel || 'Selected' }}
                     </div>
                 </div>
@@ -135,7 +147,11 @@ const activeBorderClass = computed(() => {
                         :class="[props.color === 'indigo' ? 'hover:bg-indigo-500/10 hover:border-indigo-500/20' : 'hover:bg-primary/10 hover:border-primary/20']">
                     
                     <div class="w-10 h-10 rounded-xl bg-black/40 flex items-center justify-center text-slate-600 transition-colors"
-                         :class="[props.color === 'indigo' ? 'group-hover:text-indigo-400' : 'group-hover:text-primary']">
+                         :class="[
+                            props.color === 'indigo' ? 'group-hover:text-indigo-400' : 
+                            props.color === 'amber' ? 'group-hover:text-amber-400' : 
+                            'group-hover:text-primary'
+                         ]">
                         <component :is="getIcon()" class="w-5 h-5" />
                     </div>
                     
diff --git a/src/frontend/src/components/clients/ClientEditorModal.vue b/src/frontend/src/components/clients/ClientEditorModal.vue
new file mode 100644
index 0000000..42dbb98
--- /dev/null
+++ b/src/frontend/src/components/clients/ClientEditorModal.vue
@@ -0,0 +1,318 @@
+<script setup lang="ts">
+import { ref, computed, watch } from 'vue'
+import { useApi } from '@/composables/useApi'
+import AppTabModal from '@/components/AppTabModal.vue'
+import ClientIdentityTab from './tabs/ClientIdentityTab.vue'
+import ClientContactTab from './tabs/ClientContactTab.vue'
+import ClientSettingsTab from './tabs/ClientSettingsTab.vue'
+import ClientAccessTab from './tabs/ClientAccessTab.vue'
+import ClientWorkspacesManager from './ClientWorkspacesManager.vue'
+import { 
+  ShieldCheck, 
+  Contact, 
+  Layout, 
+  Bot, 
+  LayoutGrid, 
+  Users 
+} from 'lucide-vue-next'
+
+const props = defineProps<{
+  show: boolean
+  clientToEdit: any | null
+}>()
+
+const emit = defineEmits(['update:show', 'saved', 'closed'])
+
+const api = useApi()
+
+const isVisible = computed({
+  get: () => props.show,
+  set: (val) => {
+    emit('update:show', val)
+    if (!val) {
+      emit('closed')
+    }
+  }
+})
+
+const activeClientTab = ref('identity')
+const isLoadingClient = ref(false)
+const originalClientState = ref('')
+const clientChannels = ref<any[]>([])
+const bots = ref<any[]>([])
+
+const newClient = ref({
+  platform_id: '',
+  platform_type: 'whatsapp',
+  display_name: '',
+  email: '',
+  phone: '',
+  tier: 'standard',
+  tags: [] as string[],
+  notes: '',
+  language: 'en',
+  timezone: '',
+  country: '',
+  allowed_bots: [] as string[],
+  owned_channels: [] as string[],
+  is_tester: false
+})
+
+const lidVerified = ref(false)
+const validatingLid = ref(false)
+const lastValidatedPhone = ref('')
+const hasWorkspaceAlert = ref(false)
+
+const hasChanges = computed(() => {
+  if (!props.clientToEdit) {
+    return newClient.value.platform_id.length > 0
+  }
+  return JSON.stringify(newClient.value) !== originalClientState.value
+})
+
+watch(() => props.show, async (newVal) => {
+  if (newVal) {
+    initializeModalScope()
+  } else {
+    activeClientTab.value = 'identity'
+  }
+})
+
+async function initializeModalScope() {
+  isLoadingClient.value = true
+  
+  if (props.clientToEdit) {
+    newClient.value = {
+      platform_id: props.clientToEdit.platform_id,
+      platform_type: props.clientToEdit.platform_type,
+      display_name: props.clientToEdit.display_name,
+      email: props.clientToEdit.email || '',
+      phone: props.clientToEdit.phone || '',
+      tier: props.clientToEdit.tier,
+      tags: props.clientToEdit.tags || [],
+      notes: props.clientToEdit.notes || '',
+      language: props.clientToEdit.language || 'en',
+      timezone: props.clientToEdit.timezone || '',
+      country: props.clientToEdit.country || '',
+      allowed_bots: props.clientToEdit.allowed_bots || [],
+      owned_channels: props.clientToEdit.owned_channels || [],
+      is_tester: props.clientToEdit.is_tester || false
+    }
+
+    if (props.clientToEdit.platform_type === 'whatsapp' && props.clientToEdit.platform_id.includes('@lid')) {
+      lidVerified.value = true
+      lastValidatedPhone.value = props.clientToEdit.phone || ''
+    } else {
+      lidVerified.value = false
+      lastValidatedPhone.value = ''
+    }
+
+    api.get(`/clients/${props.clientToEdit.id}/channels`).then((res: any) => {
+      clientChannels.value = res || []
+    }).catch((err: any) => {
+      console.error('Failed to load client channels:', err)
+      clientChannels.value = []
+    })
+  } else {
+    newClient.value = {
+      platform_id: '',
+      platform_type: 'whatsapp',
+      display_name: '',
+      email: '',
+      phone: '',
+      tier: 'standard',
+      tags: [],
+      notes: '',
+      language: 'en',
+      timezone: '',
+      country: '',
+      allowed_bots: [],
+      owned_channels: [],
+      is_tester: false
+    }
+    lidVerified.value = false
+    lastValidatedPhone.value = ''
+    clientChannels.value = []
+  }
+
+  originalClientState.value = JSON.stringify(newClient.value)
+  isLoadingClient.value = false
+
+  // check for workspace revocations
+  checkWorkspaceRevocations()
+
+  // Load all bots so user can search and add any bot
+  try {
+    const bts = await api.get('/bots') as any
+    bots.value = bts?.results || []
+  } catch (err) {
+    console.error('Failed to load bots', err)
+    bots.value = []
+  }
+}
+
+async function checkWorkspaceRevocations() {
+  if (!props.clientToEdit) return
+  try {
+    const workspaces = await api.get(`/clients/${props.clientToEdit.id}/workspaces`) || []
+    for (const ws of workspaces) {
+      const guests = await api.get(`/clients/${props.clientToEdit.id}/workspaces/${ws.id}/guests`) || []
+      const hasRevoked = guests.some((g: any) => {
+        if (!g.bot_id) return false
+        if (!newClient.value.allowed_bots || newClient.value.allowed_bots.length === 0) return false
+        return !newClient.value.allowed_bots.includes(g.bot_id)
+      })
+      if (hasRevoked) {
+        hasWorkspaceAlert.value = true
+        return
+      }
+    }
+    hasWorkspaceAlert.value = false
+  } catch (e) {
+    console.error(e)
+  }
+}
+
+async function extractLid() {
+  const rawInput = newClient.value.platform_id || newClient.value.phone
+  if (!rawInput) {
+    alert('Please enter a phone number first')
+    return
+  }
+
+  if (rawInput.includes('@')) {
+    alert('Please enter the actual phone number (without @lid or @s.whatsapp.net). The system will resolve the LID for you.')
+    return
+  }
+
+  const phoneNumber = rawInput.replace(/[^\d]/g, '')
+  if (!phoneNumber || phoneNumber.length < 8) {
+    alert('Please enter a valid phone number')
+    return
+  }
+
+  const resWs = await api.get('/workspaces') as any
+  const workspaces = resWs || []
+
+  let targetWorkspace = null
+  let targetChannel = null
+
+  for (const ws of workspaces) {
+    const ch = ws.channels?.find((c: any) => (c.type === 'whatsapp' || c.platform_type === 'whatsapp') && (c.enabled || c.status === 'connected'))
+    if (ch) {
+      targetWorkspace = ws
+      targetChannel = ch
+      break
+    }
+  }
+
+  if (!targetChannel) {
+    alert('No active WhatsApp channel found (Enabled or Connected) to perform validation.')
+    return
+  }
+
+  validatingLid.value = true
+  try {
+    const res = await api.get(`/workspaces/${targetWorkspace.id}/channels/${targetChannel.id}/resolve-identity?identity=${phoneNumber}`) as any
+    if (res.resolved_identity) {
+      newClient.value.platform_id = res.resolved_identity
+      lidVerified.value = res.status === 'verified'
+      newClient.value.phone = phoneNumber
+      lastValidatedPhone.value = phoneNumber
+      if (!newClient.value.display_name && res.name) {
+        newClient.value.display_name = res.name
+      }
+    }
+  } catch (err) {
+    alert('Could not resolve LID. Make sure the channel is connected and the number is registered on WhatsApp.')
+  } finally {
+    validatingLid.value = false
+  }
+}
+
+async function saveClient() {
+  try {
+    if (props.clientToEdit) {
+      await api.put(`/clients/${props.clientToEdit.id}`, newClient.value)
+    } else {
+      await api.post('/clients', newClient.value)
+    }
+    isVisible.value = false
+    emit('saved')
+  } catch (err: any) {
+    if (err.status === 409) {
+      alert('CONFLICTO: Este ID ya está siendo usado por otro cliente. Busca el cliente duplicado y elimínalo primero.')
+    } else {
+      alert('Error saving client: ' + (err.message || 'Unknown error'))
+    }
+  }
+}
+</script>
+
+<template>
+  <AppTabModal 
+      v-model="isVisible"
+      :title="clientToEdit ? 'Edit Client' : 'New Client'"
+      v-model:activeTab="activeClientTab"
+      :saveDisabled="!hasChanges"
+      :tabs="[
+          { id: 'identity', label: 'Identity', icon: ShieldCheck as any },
+          { id: 'personal', label: 'Contact', icon: Contact as any },
+          { id: 'settings', label: 'Settings', icon: Layout as any },
+          { id: 'operational', label: 'Access', icon: Bot as any },
+          { id: 'workspaces', label: 'Workspaces', icon: LayoutGrid as any, alert: hasWorkspaceAlert }
+      ]"
+      :identity="clientToEdit ? {
+          name: (newClient.display_name || 'Anonymous Object'),
+          id: newClient.platform_id,
+          icon: Users as any,
+          iconType: 'component'
+      } : undefined"
+      saveText="Save"
+      @save="saveClient"
+      @cancel="isVisible = false"
+  >
+      <!-- Tab: Identity -->
+      <ClientIdentityTab 
+          v-if="activeClientTab === 'identity'" 
+          v-model="newClient" 
+          :editingClient="clientToEdit"
+          :lidVerified="lidVerified"
+          :validatingLid="validatingLid"
+          :lastValidatedPhone="lastValidatedPhone"
+          @extractLid="extractLid" 
+      />
+
+      <!-- Tab: Personal -->
+      <ClientContactTab 
+          v-if="activeClientTab === 'personal'" 
+          v-model="newClient" 
+      />
+
+      <!-- Tab: Settings -->
+      <ClientSettingsTab 
+          v-if="activeClientTab === 'settings'" 
+          v-model="newClient" 
+      />
+
+      <!-- Tab: Operational -->
+      <ClientAccessTab 
+          v-if="activeClientTab === 'operational'" 
+          v-model="newClient"
+          :editingClient="clientToEdit"
+          :clientChannels="clientChannels"
+          :bots="bots"
+      />
+
+      <!-- Tab: Workspaces -->
+      <div v-if="activeClientTab === 'workspaces'" class="h-full flex flex-col overflow-hidden">
+          <ClientWorkspacesManager 
+             v-if="clientToEdit"
+             :clientId="clientToEdit.id" 
+             :allowedBots="newClient.allowed_bots"
+             :bots="bots"
+             :clientChannels="clientChannels"
+          />
+      </div>
+  </AppTabModal>
+</template>
diff --git a/src/frontend/src/components/clients/ClientWorkspacesManager.vue b/src/frontend/src/components/clients/ClientWorkspacesManager.vue
new file mode 100644
index 0000000..7a54336
--- /dev/null
+++ b/src/frontend/src/components/clients/ClientWorkspacesManager.vue
@@ -0,0 +1,659 @@
+<script setup lang="ts">
+import { ref, onMounted, computed } from 'vue'
+import { 
+    Plus, Building2, Users2, ArrowLeft, 
+    Trash2, Settings2, Unlink,
+    UserPlus, Contact,
+    Smartphone, X, ChevronRight, ShieldCheck,
+    AlertTriangle
+} from 'lucide-vue-next'
+import ConfirmationDialog from '@/components/ConfirmationDialog.vue'
+import { useApi } from '@/composables/useApi'
+
+const props = defineProps<{
+    clientId: string
+    allowedBots: string[] // List of IDs whitelisted for the client
+    bots: any[]          // Complete list of bot objects
+    clientChannels: any[]
+}>()
+
+const api = useApi()
+
+// State
+const workspaces = ref<any[]>([])
+const loading = ref(true)
+const selectedWs = ref<any>(null)
+const wsChannels = ref<any[]>([])
+const wsGuests = ref<any[]>([])
+const loadingDetails = ref(false)
+const revocationMap = ref<Record<string, boolean>>({})
+const validatingLid = ref(false)
+const waInput = ref('')
+
+const isLidVerified = computed(() => {
+    return guestForm.value.platform_identifiers.whatsapp?.includes('@lid')
+})
+
+// Forms
+const showWsForm = ref(false)
+const editingWs = ref<any>(null)
+const wsForm = ref({ name: '', description: '' })
+
+const showGuestForm = ref(false)
+const editingGuest = ref<any>(null)
+
+function openGuestForm(guest: any = null) {
+    formError.value = null
+    editingGuest.value = guest
+    if (guest) {
+        guestForm.value = JSON.parse(JSON.stringify(guest))
+        waInput.value = guest.platform_identifiers.whatsapp_number || guest.platform_identifiers.whatsapp || ''
+    } else {
+        guestForm.value = { 
+            name: '', 
+            bot_id: '',
+            bot_template_id: '', 
+            platform_identifiers: { whatsapp: '', whatsapp_number: '' } 
+        }
+        waInput.value = ''
+    }
+    originalGuestState.value = JSON.stringify(guestForm.value)
+    showGuestForm.value = true
+}
+const guestForm = ref({ 
+    name: '', 
+    bot_id: '',
+    bot_template_id: '', 
+    platform_identifiers: { whatsapp: '', whatsapp_number: '' } as Record<string, string>
+})
+const originalGuestState = ref('')
+
+const hasGuestChanges = computed(() => {
+    return JSON.stringify(guestForm.value) !== originalGuestState.value
+})
+
+const showChannelPicker = ref(false)
+
+const confirmState = ref({
+    show: false,
+    title: '',
+    message: '',
+    type: 'danger' as 'danger' | 'warning' | 'info',
+    action: () => {}
+})
+
+const formError = ref<string | null>(null)
+
+function showConfirm(title: string, message: string, type: 'danger' | 'warning' | 'info', action: () => void) {
+    // Reset state first to ensure no leaks
+    confirmState.value.show = false
+    confirmState.value = { show: true, title, message, type, action }
+}
+
+const availableChannelsToLink = computed(() => {
+    return props.clientChannels.filter(c => !wsChannels.value.find(wc => wc.id === c.id))
+})
+
+const hasWhatsAppChannel = computed(() => {
+    return wsChannels.value.some(ch => ch.type === 'whatsapp')
+})
+
+const hasAnyChannel = computed(() => {
+    return wsChannels.value.length > 0
+})
+
+// Bot Helpers
+const botMap = computed(() => {
+    const m: Record<string, any> = {}
+    props.bots.forEach(b => {
+        m[b.id] = b
+    })
+    return m
+})
+
+const availableBots = computed(() => {
+    // Si allowedBots está vacío, mostramos todos (acceso global)
+    if (!props.allowedBots || props.allowedBots.length === 0) return props.bots
+    const allowed = props.bots.filter(b => props.allowedBots.includes(b.id))
+
+    // Si el guest ya tiene un bot asignado pero el cliente actual perdió el acceso
+    if (guestForm.value.bot_id && !props.allowedBots.includes(guestForm.value.bot_id)) {
+        const revokedBot = botMap.value[guestForm.value.bot_id]
+        if (revokedBot) {
+            allowed.push({
+                ...revokedBot,
+                name: `(Revoked) ${revokedBot.name || revokedBot.display_name || revokedBot.id}`,
+                display_name: `(Revoked) ${revokedBot.name || revokedBot.display_name || revokedBot.id}`
+            })
+        }
+    }
+    return allowed
+})
+
+const botVariants = computed(() => {
+    if (!guestForm.value.bot_id) return []
+    const bot = botMap.value[guestForm.value.bot_id]
+    if (!bot || !bot.variants) return []
+    return Object.entries(bot.variants).map(([id, v]: [string, any]) => ({
+        id,
+        ...v
+    }))
+})
+
+function getBotDisplayName(id: string) {
+    const bot = botMap.value[id]
+    return bot ? bot.name : id
+}
+
+function isRevoked(guest: any) {
+    if (!guest.bot_id) return false
+    if (!props.allowedBots || props.allowedBots.length === 0) return false
+    return !props.allowedBots.includes(guest.bot_id)
+}
+
+async function checkRevocations() {
+    workspaces.value.forEach(async (ws) => {
+        try {
+            const guests = await api.get(`/clients/${props.clientId}/workspaces/${ws.id}/guests`) || []
+            revocationMap.value[ws.id] = guests.some((g: any) => isRevoked(g))
+        } catch (e) {
+            revocationMap.value[ws.id] = false
+        }
+    })
+}
+
+function getTemplateName(guest: any) {
+    if (!guest.bot_id && !guest.bot_template_id) return 'Inherited from Workspace'
+    
+    let botName = 'Unknown Bot'
+    let templateName = guest.bot_template_id || 'Standard'
+
+    if (guest.bot_id && botMap.value[guest.bot_id]) {
+        const bot = botMap.value[guest.bot_id]
+        botName = bot.name || bot.display_name || bot.id
+
+        if (guest.bot_template_id && bot.variants && bot.variants[guest.bot_template_id]) {
+            const variant = bot.variants[guest.bot_template_id]
+            templateName = variant.name || variant.display_name || guest.bot_template_id
+        }
+    } else if (guest.bot_id) {
+        botName = guest.bot_id
+    }
+
+    return `${botName} : ${templateName}`
+}
+
+function getDisplayNumber(guest: any) {
+    if(guest.platform_identifiers?.whatsapp_number) {
+        return '+' + guest.platform_identifiers.whatsapp_number
+    }
+    const whatsappIdentifier = guest.platform_identifiers?.whatsapp
+    if(!whatsappIdentifier) return ''
+    // Fallback to numeric part
+    if(whatsappIdentifier.includes('@lid') || whatsappIdentifier.includes('@s.whatsapp.net')) {
+        return '+' + whatsappIdentifier.split('@')[0]
+    }
+    return '+' + whatsappIdentifier
+}
+
+// Acciones API
+async function loadWorkspaces() {
+    loading.value = true
+    try {
+        workspaces.value = await api.get(`/clients/${props.clientId}/workspaces`) || []
+        checkRevocations()
+    } finally {
+        loading.value = false
+    }
+}
+
+async function selectWs(ws: any) {
+    selectedWs.value = ws
+    loadingDetails.value = true
+    try {
+        const [channels, guests] = await Promise.all([
+            api.get(`/clients/${props.clientId}/workspaces/${ws.id}/channels`),
+            api.get(`/clients/${props.clientId}/workspaces/${ws.id}/guests`)
+        ])
+        wsChannels.value = channels || []
+        wsGuests.value = guests || []
+    } finally {
+        loadingDetails.value = false
+    }
+}
+
+async function saveWs() {
+    formError.value = null
+    try {
+        if (editingWs.value) {
+            await api.put(`/clients/${props.clientId}/workspaces/${editingWs.value.id}`, wsForm.value)
+        } else {
+            await api.post(`/clients/${props.clientId}/workspaces`, wsForm.value)
+        }
+        await loadWorkspaces()
+        showWsForm.value = false
+    } catch (err: any) {
+        formError.value = err.response?.data?.error || err.message || 'Unknown error'
+        console.error(err)
+    }
+}
+
+async function deleteWs(id: string) {
+    showConfirm('Delete Workspace', 'Are you sure? All guests will lose access.', 'danger', async () => {
+        try {
+            await api.delete(`/clients/${props.clientId}/workspaces/${id}`)
+            await loadWorkspaces()
+            if (selectedWs.value?.id === id) selectedWs.value = null
+        } catch (err) {
+            console.error(err)
+        }
+    })
+}
+
+async function linkChannel(channelId: string) {
+    try {
+        await api.post(`/clients/${props.clientId}/workspaces/${selectedWs.value.id}/channels/${channelId}`, {})
+        await selectWs(selectedWs.value)
+        showChannelPicker.value = false
+    } catch (err) {
+        console.error(err)
+    }
+}
+
+async function unlinkChannel(channelId: string) {
+    showConfirm('Unlink Channel', 'Are you sure you want to unlink this channel from the workspace?', 'warning', async () => {
+        try {
+            await api.delete(`/clients/${props.clientId}/workspaces/${selectedWs.value.id}/channels/${channelId}`)
+            await selectWs(selectedWs.value)
+        } catch (err) {
+            console.error(err)
+        }
+    })
+}
+
+async function saveGuest() {
+    formError.value = null
+    try {
+        if (editingGuest.value) {
+            await api.put(`/clients/${props.clientId}/workspaces/${selectedWs.value.id}/guests/${editingGuest.value.id}`, guestForm.value)
+        } else {
+            await api.post(`/clients/${props.clientId}/workspaces/${selectedWs.value.id}/guests`, guestForm.value)
+        }
+        await selectWs(selectedWs.value)
+        showGuestForm.value = false
+    } catch (err: any) {
+        formError.value = err.response?.data?.error || err.message || 'Unknown error'
+        console.error(err)
+    }
+}
+
+async function deleteGuest(id: string) {
+    showConfirm('Delete Person', 'Are you sure? This person will lose all access to configured bots.', 'danger', async () => {
+        try {
+            await api.delete(`/clients/${props.clientId}/workspaces/${selectedWs.value.id}/guests/${id}`)
+            await selectWs(selectedWs.value)
+        } catch (err) {
+            console.error(err)
+        }
+    })
+}
+
+async function resolveLid() {
+    const raw = waInput.value
+    if (!raw) return
+    
+    // If it's already a full JID, don't re-resolve
+    if (raw.includes('@')) return
+
+    const waChannel = wsChannels.value.find(ch => ch.type === 'whatsapp' && (ch.status === 'connected' || ch.enabled))
+    if (!waChannel) {
+        console.warn('No active WA channel to resolve LID')
+        return
+    }
+
+    validatingLid.value = true
+    try {
+        const phoneNumber = raw.replace(/[^\d]/g, '')
+        // We use the first connected WA channel in the workspace to resolve identity
+        const res = await api.get(`/workspaces/${selectedWs.value.id}/channels/${waChannel.id}/resolve-identity?identity=${phoneNumber}`) as any
+        if (res.resolved_identity) {
+            guestForm.value.platform_identifiers.whatsapp = res.resolved_identity
+            guestForm.value.platform_identifiers.whatsapp_number = phoneNumber
+            if (!guestForm.value.name && res.name) {
+                guestForm.value.name = res.name
+            }
+        }
+    } catch (err) {
+        console.error('Identity resolution failed', err)
+    } finally {
+        validatingLid.value = false
+    }
+}
+
+onMounted(loadWorkspaces)
+</script>
+
+<template>
+    <div class="h-full flex flex-col overflow-hidden">
+        <!-- Compact Header -->
+        <header class="flex items-center justify-between p-6 border-b border-white/5">
+            <div class="flex items-center gap-4">
+                <button v-if="selectedWs" @click="selectedWs = null" 
+                        class="btn btn-ghost btn-sm btn-circle bg-white/5">
+                    <ArrowLeft class="w-4 h-4" />
+                </button>
+                <div>
+                  <h3 class="text-lg font-black text-white uppercase tracking-tight flex items-center gap-2">
+                    <Building2 class="w-5 h-5 text-primary/60" />
+                    {{ selectedWs ? selectedWs.name : 'Workspaces' }}
+                  </h3>
+                  <p class="text-xs font-bold text-slate-500 uppercase tracking-widest mt-0.5">
+                    {{ selectedWs ? 'Configuring unit access' : 'Manage organizational units' }}
+                  </p>
+                </div>
+            </div>
+            
+            <button v-if="!selectedWs" @click="showWsForm = true; editingWs = null; wsForm = { name: '', description: '' }" 
+                    class="btn btn-sm btn-primary rounded-xl px-4 font-black uppercase tracking-tight h-10">
+                <Plus class="w-4 h-4 mr-2" /> New Workspace
+            </button>
+        </header>
+
+        <!-- Main Workspace List -->
+        <div v-if="loading" class="flex-1 flex items-center justify-center">
+            <span class="loading loading-spinner text-primary"></span>
+        </div>
+
+        <div v-else-if="!selectedWs" class="flex-1 overflow-y-auto p-6 space-y-3">
+            <div v-if="workspaces.length === 0" class="py-12 text-center border border-dashed border-white/5 rounded-3xl">
+                <p class="text-xs font-black text-slate-600 uppercase tracking-[0.2em]">No workspaces defined</p>
+            </div>
+            
+            <div v-for="ws in workspaces" :key="ws.id" 
+                 class="group p-5 bg-white/[0.02] border border-white/5 rounded-2xl flex items-center justify-between hover:border-primary/20 hover:bg-white/[0.04] transition-all cursor-pointer"
+                 @click="selectWs(ws)">
+                <div class="flex items-center gap-4">
+                    <div class="relative">
+                        <div class="w-12 h-12 rounded-xl bg-black border border-white/5 flex items-center justify-center text-primary/40 group-hover:text-primary transition-colors">
+                            <Building2 class="w-6 h-6" />
+                        </div>
+                        <div v-if="revocationMap[ws.id]" 
+                             class="absolute -top-1 -right-1 w-5 h-5 bg-[#161a23] rounded-full flex items-center justify-center border border-white/5">
+                            <AlertTriangle class="w-3 h-3 text-yellow-500 animate-pulse" />
+                        </div>
+                    </div>
+                    <div>
+                        <div class="flex items-center gap-2">
+                            <h4 class="text-sm font-black text-white uppercase tracking-tighter">{{ ws.name }}</h4>
+                            <span v-if="revocationMap[ws.id]" class="text-[8px] font-black bg-yellow-500/10 text-yellow-500 px-1.5 py-0.5 rounded border border-yellow-500/20 uppercase italic">
+                                Action Required
+                            </span>
+                        </div>
+                        <p class="text-xs text-slate-500 font-bold uppercase truncate max-w-[300px]">{{ ws.description || 'No description' }}</p>
+                    </div>
+                </div>
+                <div class="flex items-center gap-2">
+                    <button @click.stop="editingWs = ws; wsForm = { name: ws.name, description: ws.description }; showWsForm = true"
+                            class="p-2 text-slate-500 hover:text-white transition-colors">
+                        <Settings2 class="w-4 h-4" />
+                    </button>
+                    <button @click.stop="deleteWs(ws.id)"
+                            class="p-2 text-slate-500 hover:text-red-400 transition-colors">
+                        <Trash2 class="w-4 h-4" />
+                    </button>
+                    <ChevronRight class="w-5 h-5 text-slate-700 ml-2 group-hover:translate-x-1 group-hover:text-primary transition-all" />
+                </div>
+            </div>
+        </div>
+
+        <!-- Detail View -->
+        <div v-else class="flex-1 overflow-hidden flex divide-x divide-white/5">
+            <!-- Channels (Left) -->
+            <div class="w-1/3 flex flex-col p-6 bg-black/10">
+                <header class="flex items-center justify-between mb-6">
+                    <h4 class="text-xs font-black text-white uppercase tracking-widest flex items-center gap-2">
+                        <Smartphone class="w-3.5 h-3.5 text-primary" />
+                        Channels
+                    </h4>
+                    <button @click="showChannelPicker = true" class="btn btn-xs btn-circle btn-primary">
+                        <Plus class="w-3 h-3" />
+                    </button>
+                </header>
+
+                <div class="flex-1 overflow-y-auto space-y-2 pr-2 custom-scrollbar">
+                    <div v-for="ch in wsChannels" :key="ch.id" 
+                         class="group p-3 bg-white/[0.03] border border-white/5 rounded-xl flex items-center justify-between hover:border-primary/20">
+                        <div class="flex items-center gap-3">
+                            <div class="w-8 h-8 rounded-lg bg-black flex items-center justify-center text-primary/60">
+                                <Smartphone class="w-4 h-4" />
+                            </div>
+                            <h5 class="text-xs font-black text-white uppercase truncate max-w-[100px]">{{ ch.name }}</h5>
+                        </div>
+                        <button @click="unlinkChannel(ch.id)" class="p-2 text-slate-600 hover:text-red-500 transition-colors">
+                            <Unlink class="w-3.5 h-3.5" />
+                        </button>
+                    </div>
+                </div>
+            </div>
+
+            <!-- Guests (Right) -->
+            <div class="flex-1 flex flex-col p-6">
+                <header class="flex items-center justify-between mb-2">
+                    <h4 class="text-xs font-black text-white uppercase tracking-widest flex items-center gap-2">
+                        <Users2 class="w-3.5 h-3.5 text-primary" />
+                        Guests / Personnel
+                    </h4>
+                        <button @click="openGuestForm()" class="btn btn-primary btn-sm rounded-xl px-4 shrink-0">
+                            <UserPlus class="w-4 h-4 mr-2" />
+                            Add
+                        </button>
+                </header>
+
+                <!-- Workspace Level Alert -->
+                <div v-if="wsGuests.some(g => isRevoked(g))" class="flex items-center gap-3 p-3 rounded-xl bg-yellow-500/10 border border-yellow-500/20 mb-4 animate-in fade-in duration-500">
+                    <AlertTriangle class="w-4 h-4 text-yellow-500 shrink-0" />
+                    <p class="text-[9px] font-bold text-yellow-500/80 uppercase tracking-widest leading-relaxed">
+                        Detected guests with <span class="text-yellow-500">Revoked Bot Access</span>. They are currently inactive.
+                    </p>
+                </div>
+
+                <div class="flex-1 overflow-y-auto space-y-2 pr-2 custom-scrollbar">
+                    <div v-for="guest in wsGuests" :key="guest.id" 
+                         class="group flex items-center gap-4 p-4 bg-white/[0.02] border border-white/5 rounded-2xl hover:border-primary/10">
+                        <div class="w-11 h-11 rounded-xl flex items-center justify-center transition-colors"
+                             :class="isRevoked(guest) ? 'bg-yellow-500/10 text-yellow-500' : 'bg-black text-slate-500 group-hover:text-primary'">
+                            <AlertTriangle v-if="isRevoked(guest)" class="w-5 h-5" />
+                            <Contact v-else class="w-5 h-5" />
+                        </div>
+                        <div class="flex-1">
+                            <div class="flex items-center gap-2">
+                                <h5 class="text-xs font-black text-white uppercase truncate">{{ guest.name }}</h5>
+                                <div v-if="isRevoked(guest)" class="flex items-center gap-1 px-1.5 py-0.5 rounded-md bg-yellow-500/10 text-yellow-500 border border-yellow-500/20">
+                                    <AlertTriangle class="w-2.5 h-2.5" />
+                                    <span class="text-[9px] font-black uppercase italic">Revoked Access</span>
+                                </div>
+                            </div>
+                            <div class="flex items-center gap-2 mt-0.5">
+                                <span class="text-xs font-bold uppercase tracking-widest" :class="isRevoked(guest) ? 'text-yellow-500/60' : 'text-slate-500'">
+                                    {{ getTemplateName(guest) }}
+                                </span>
+                                <span v-if="guest.platform_identifiers?.whatsapp" class="text-xs px-1.5 py-0.5 rounded-md bg-green-500/10 text-green-500 font-mono italic">
+                                    {{ getDisplayNumber(guest) }}
+                                </span>
+                            </div>
+                        </div>
+                        <div class="flex gap-1 opacity-0 group-hover:opacity-100 transition-opacity">
+                            <button @click="openGuestForm(guest)" class="w-8 h-8 rounded-lg bg-white/5 flex items-center justify-center hover:bg-primary/20 hover:text-primary transition-all">
+                                <Settings2 class="w-4 h-4" />
+                            </button>
+                            <button @click="deleteGuest(guest.id)" class="p-2 text-slate-500 hover:text-red-500">
+                                <Trash2 class="w-3.5 h-3.5" />
+                            </button>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <!-- Overlays -->
+        <div v-if="showWsForm" class="absolute inset-0 z-10 bg-[#0b0e14]/95 flex items-center justify-center p-8 animate-in fade-in duration-200">
+            <div class="w-full max-w-md bg-[#161a23] border border-white/5 rounded-3xl p-8 shadow-2xl">
+                <h4 class="text-lg font-black text-white uppercase tracking-tight mb-8 italic">Workspace Settings</h4>
+                <div class="space-y-6 mb-8">
+                    <div class="form-control">
+                        <label class="label-premium">Display Name</label>
+                        <input v-model="wsForm.name" type="text" class="input-premium h-12 w-full" />
+                    </div>
+                    <div class="form-control">
+                        <label class="label-premium">Description</label>
+                        <textarea v-model="wsForm.description" class="input-premium w-full p-4 min-h-[100px] resize-none"></textarea>
+                    </div>
+                </div>
+                <div class="flex gap-3">
+                    <button @click="showWsForm = false" class="btn btn-ghost flex-1 rounded-xl">Cancel</button>
+                    <button @click="saveWs" class="btn btn-primary flex-1 rounded-xl" :disabled="!wsForm.name">Save</button>
+                </div>
+            </div>
+        </div>
+
+        <div v-if="showChannelPicker" class="absolute inset-0 z-10 bg-[#0b0e14]/95 flex items-center justify-center p-8 animate-in zoom-in-95 duration-200">
+            <div class="w-full max-w-sm bg-[#161a23] border border-white/5 rounded-3xl p-8 shadow-2xl">
+                <h4 class="text-sm font-black text-white uppercase tracking-widest mb-6 flex items-center justify-between">
+                    Link Channel
+                    <button @click="showChannelPicker = false"><X class="w-4 h-4" /></button>
+                </h4>
+                <div class="space-y-2 max-h-[300px] overflow-y-auto pr-1">
+                    <div v-for="ch in availableChannelsToLink" :key="ch.id" 
+                         @click="linkChannel(ch.id)"
+                         class="p-4 bg-white/[0.03] border border-white/5 rounded-2xl flex items-center gap-4 hover:border-primary transition-all cursor-pointer">
+                        <div class="w-10 h-10 rounded-xl bg-black flex items-center justify-center text-primary/60">
+                            <Smartphone class="w-5 h-5" />
+                        </div>
+                        <div class="flex-1 font-black text-xs text-white uppercase">{{ ch.name }}</div>
+                    </div>
+                </div>
+            </div>
+        </div>
+
+        <div v-if="showGuestForm" class="absolute inset-0 z-10 bg-[#0b0e14]/95 flex items-center justify-center p-8 animate-in slide-in-from-bottom-5 duration-200">
+            <div class="w-full max-w-lg bg-[#161a23] border border-white/5 rounded-3xl p-8 shadow-2xl">
+                <h4 class="text-lg font-black text-white uppercase tracking-tight mb-8 italic">Guest Identity</h4>
+                
+                <!-- Revocation Warning inside Form -->
+                <div v-if="guestForm.bot_id && props.allowedBots && props.allowedBots.length > 0 && !props.allowedBots.includes(guestForm.bot_id)" 
+                     class="flex items-start gap-4 p-4 rounded-2xl bg-yellow-500/10 border border-yellow-500/20 mb-8 animate-in slide-in-from-top-2 duration-300">
+                    <div class="w-10 h-10 rounded-xl bg-yellow-500/20 flex items-center justify-center shrink-0">
+                        <AlertTriangle class="w-5 h-5 text-yellow-500" />
+                    </div>
+                    <div class="flex-1">
+                        <h4 class="text-xs font-black text-yellow-500 uppercase tracking-widest italic">Revoked Bot Warning</h4>
+                        <p class="text-xs text-yellow-500/70 mt-1 leading-normal font-medium">
+                            Access to this bot was restricted for this client. The guest remains configured but the <span class="font-bold underline">backend will block</span> all interactions until you re-assign a valid bot.
+                        </p>
+                    </div>
+                </div>
+                
+                <!-- NEW: Unified Error Banner -->
+                <div v-if="formError" 
+                     class="flex items-start gap-4 p-4 rounded-2xl bg-red-500/10 border border-red-500/20 mb-8 animate-in shake duration-300">
+                    <div class="w-10 h-10 rounded-xl bg-red-500/20 flex items-center justify-center shrink-0">
+                        <X class="w-5 h-5 text-red-500" />
+                    </div>
+                    <div class="flex-1">
+                        <h4 class="text-xs font-black text-red-500 uppercase tracking-widest italic">Action Failed</h4>
+                        <p class="text-xs text-red-500/70 mt-1 leading-normal font-medium">
+                            {{ formError }}
+                        </p>
+                    </div>
+                    <button @click="formError = null" class="opacity-40 hover:opacity-100 transition-opacity">
+                        <X class="w-4 h-4 text-red-500" />
+                    </button>
+                </div>
+
+                <div class="grid grid-cols-2 gap-6 mb-8">
+                    <div class="form-control col-span-2">
+                        <label class="label-premium">Full Name / Alias</label>
+                        <input v-model="guestForm.name" type="text" class="input-premium h-12 w-full" />
+                    </div>
+                    <div class="form-control">
+                        <label class="label-premium">Base Bot</label>
+                        <select v-model="guestForm.bot_id" class="input-premium h-12 w-full">
+                            <option value="">(Inherit)</option>
+                            <option v-for="bot in availableBots" :key="bot.id" :value="bot.id">
+                                {{ bot.name || bot.display_name || bot.id }}
+                            </option>
+                        </select>
+                    </div>
+                    <div class="form-control">
+                        <label class="label-premium">Template (Variant)</label>
+                        <select v-model="guestForm.bot_template_id" class="input-premium h-12 w-full" :disabled="!guestForm.bot_id">
+                            <option value="">(Standard)</option>
+                            <option v-for="variant in botVariants" :key="variant.id" :value="variant.id">
+                                {{ variant.name || variant.display_name || variant.id }}
+                            </option>
+                        </select>
+                    </div>
+                    <div class="form-control col-span-2" v-if="hasWhatsAppChannel">
+                        <label class="label-premium">WhatsApp Number</label>
+                        <div class="flex gap-2">
+                            <input v-model="waInput" @input="guestForm.platform_identifiers.whatsapp = waInput; guestForm.platform_identifiers.whatsapp_number = waInput.replace(/[^\d]/g, '')" type="text" class="input-premium h-12 flex-1 font-mono" placeholder="+51..." @blur="resolveLid" />
+                            <button @click="resolveLid" 
+                                    :disabled="validatingLid || !waInput"
+                                    class="btn btn-square h-12 w-12 rounded-lg transition-all"
+                                    :class="isLidVerified ? 'bg-green-500/20 border-green-500/50 text-green-500 hover:bg-green-500/30' : 'btn-primary'">
+                                <span v-if="validatingLid" class="loading loading-spinner loading-xs"></span>
+                                <ShieldCheck v-else-if="isLidVerified" class="w-5 h-5" />
+                                <Smartphone v-else class="w-5 h-5" />
+                            </button>
+                        </div>
+                        
+                        <!-- Visual Feedback (Green labels) -->
+                        <div v-if="isLidVerified && guestForm.platform_identifiers.whatsapp !== waInput" class="mt-4 flex flex-wrap gap-x-6 gap-y-2 py-3 px-4 bg-green-500/5 border border-green-500/10 rounded-2xl animate-in fade-in slide-in-from-top-2 duration-300">
+                            <div>
+                                <span class="block text-[9px] font-black text-green-500/50 uppercase tracking-[0.2em] mb-1">Number</span>
+                                <span class="text-xs font-black text-green-400 font-mono italic">{{ waInput }}</span>
+                            </div>
+                            <div class="flex items-center text-green-500/30">
+                                <ChevronRight class="w-4 h-4" />
+                            </div>
+                            <div class="flex-1 min-w-0">
+                                <span class="block text-[9px] font-black text-green-500/50 uppercase tracking-[0.2em] mb-1">LID Identity</span>
+                                <span class="text-xs font-black text-green-500 font-mono truncate block">{{ guestForm.platform_identifiers.whatsapp }}</span>
+                            </div>
+                        </div>
+                        
+                        <p v-else class="text-xs text-slate-500 font-bold uppercase mt-3 tracking-tight flex items-center gap-1.5 pl-1">
+                            <Plus class="w-3 h-3" /> Format: +51... (Auto-resolves to LID)
+                        </p>
+                    </div>
+                </div>
+                <div class="flex gap-3">
+                    <button @click="showGuestForm = false" class="btn btn-ghost flex-1 rounded-xl">Discard</button>
+                    <button @click="saveGuest" 
+                            class="btn btn-primary flex-1 rounded-xl" 
+                            :disabled="!guestForm.name || !hasAnyChannel || (hasWhatsAppChannel && !guestForm.platform_identifiers.whatsapp) || !hasGuestChanges">
+                        Confirm
+                    </button>
+                </div>
+            </div>
+        </div>
+    <!-- Confirmation Modal -->
+    <ConfirmationDialog
+        v-model="confirmState.show"
+        :title="confirmState.title"
+        :message="confirmState.message"
+        :type="confirmState.type"
+        @confirm="confirmState.action"
+    />
+    </div>
+</template>
+
+<style scoped>
+.custom-scrollbar::-webkit-scrollbar {
+    width: 3px;
+}
+.custom-scrollbar::-webkit-scrollbar-thumb {
+    background: rgba(255, 255, 255, 0.05);
+    border-radius: 10px;
+}
+</style>
diff --git a/src/frontend/src/components/clients/tabs/ClientAccessTab.vue b/src/frontend/src/components/clients/tabs/ClientAccessTab.vue
new file mode 100644
index 0000000..25dee23
--- /dev/null
+++ b/src/frontend/src/components/clients/tabs/ClientAccessTab.vue
@@ -0,0 +1,228 @@
+<script setup lang="ts">
+import { computed, ref } from 'vue'
+import { ShieldCheck, Globe, Search, Bot, Plus, Trash2, Building2 } from 'lucide-vue-next'
+
+const props = defineProps<{
+  modelValue: any
+  editingClient: any
+  clientChannels: any[]
+  bots: any[]
+}>()
+
+const emit = defineEmits(['update:modelValue', 'resolve-bots'])
+
+const client = computed({
+  get: () => props.modelValue,
+  set: (val) => emit('update:modelValue', val)
+})
+
+const enableWorkspaces = computed({
+  get: () => {
+    if (!client.value.tags) return false
+    return client.value.tags.includes('enable_workspaces')
+  },
+  set: (val: boolean) => {
+    if (!client.value.tags) client.value.tags = []
+    if (val) {
+      if (!client.value.tags.includes('enable_workspaces')) {
+        client.value.tags.push('enable_workspaces')
+      }
+    } else {
+      client.value.tags = client.value.tags.filter((t: string) => t !== 'enable_workspaces')
+    }
+  }
+})
+
+const botSearch = ref('')
+const showBotResults = ref(false)
+
+const unselectedBots = computed(() => {
+  if (!client.value.allowed_bots) return []
+  return props.bots.filter(b => !client.value.allowed_bots.includes(b.id))
+})
+
+const filteredBots = computed(() => {
+  if (!botSearch.value) return unselectedBots.value.slice(0, 3)
+  const s = botSearch.value.toLowerCase()
+  return unselectedBots.value.filter(b => 
+    (b.name && b.name.toLowerCase().includes(s)) || 
+    (b.id && b.id.toLowerCase().includes(s))
+  ).slice(0, 3)
+})
+
+function addAllowedBot(botId: string) {
+  if (!botId) return
+  const idToAssign = botId.trim()
+  if (!client.value.allowed_bots) {
+    client.value.allowed_bots = []
+  }
+  if (!client.value.allowed_bots.includes(idToAssign)) {
+    client.value.allowed_bots.push(idToAssign)
+    emit('resolve-bots', [idToAssign])
+  }
+  botSearch.value = ''
+  showBotResults.value = false
+}
+
+function removeAllowedBot(botId: string) {
+  if (!client.value.allowed_bots) return
+  client.value.allowed_bots = client.value.allowed_bots.filter((id: string) => id !== botId)
+}
+
+function getBotById(id: string) {
+  return props.bots.find(b => b.id === id) || { name: 'Unknown Bot', id }
+}
+</script>
+
+<template>
+  <div class="space-y-8 animate-in fade-in slide-in-from-right-4 duration-300">
+    <header>
+      <h3 class="text-xl font-black text-white uppercase tracking-tight">System & Access</h3>
+      <p class="text-xs text-slate-500 font-bold uppercase tracking-widest mt-1">Bot control and debug mode</p>
+    </header>
+
+    <div class="p-6 bg-amber-500/5 border border-amber-500/20 rounded-2xl flex items-start gap-4">
+      <div class="w-10 h-10 rounded-xl bg-amber-500/10 flex items-center justify-center text-amber-500 shrink-0">
+        <ShieldCheck class="w-5 h-5" />
+      </div>
+      <div class="flex-1">
+        <div class="flex items-center justify-between mb-2">
+          <label class="text-sm font-black text-white uppercase tracking-tight">Tester Mode</label>
+          <input type="checkbox" v-model="client.is_tester" class="toggle toggle-warning toggle-sm" />
+        </div>
+        <p class="text-xs text-slate-400 font-medium leading-relaxed">
+          When enabled, all interactions from this client (messages, tool inputs, files) will be logged 
+          <span class="text-amber-500 font-bold">UNFILTERED (FULL DATA)</span> for debugging purposes. 
+          Use with caution and only for development accounts.
+        </p>
+      </div>
+    </div>
+
+    <!-- Gestión de Workspace -->
+    <div class="p-6 mb-8 bg-blue-500/5 border border-blue-500/20 rounded-2xl flex items-start gap-4">
+      <div class="w-10 h-10 rounded-xl bg-blue-500/10 flex items-center justify-center text-blue-500 shrink-0">
+        <Building2 class="w-5 h-5" />
+      </div>
+      <div class="flex-1">
+        <div class="flex items-center justify-between mb-2">
+          <label class="text-sm font-black text-white uppercase tracking-tight">Workspace Management</label>
+          <input type="checkbox" v-model="enableWorkspaces" class="toggle toggle-info toggle-sm" />
+        </div>
+        <p class="text-xs text-slate-400 font-medium leading-relaxed">
+          Allow this client to create and manage their own conversational workspaces and link channels natively from their UI.
+        </p>
+      </div>
+    </div>
+
+    <!-- Visualización dinámica de los Canales del Cliente -->
+    <div class="form-control mb-8">
+      <div class="flex items-center justify-between mb-4">
+        <span class="text-xs font-black text-slate-600 uppercase tracking-widest">Assigned Channels</span>
+      </div>
+      
+      <div v-if="!editingClient" class="py-10 text-center bg-black/20 rounded-[1.5rem] border border-dashed border-white/5">
+        <p class="text-xs font-bold text-slate-600 uppercase tracking-widest px-6">Select a client first to view their infrastructure</p>
+      </div>
+      
+      <!-- Lista reactiva de canales traídos on-demand -->
+      <div v-else-if="clientChannels && clientChannels.length > 0" class="flex flex-col gap-3">
+        <div v-for="channel in clientChannels" :key="'owned-' + channel.id" 
+              class="flex items-center justify-between p-4 rounded-2xl bg-primary/10 border border-primary/20 shadow-lg shadow-primary/5">
+          
+          <div class="flex items-center gap-4">
+            <div class="h-10 w-10 shrink-0 rounded-xl bg-primary flex items-center justify-center text-white shadow-inner">
+              <Globe class="w-5 h-5" />
+            </div>
+            <div class="flex-1 min-w-0">
+              <h4 class="text-sm font-black text-white uppercase truncate">{{ channel.name }}</h4>
+              <p class="text-xs font-bold text-slate-500 uppercase flex gap-1 items-center truncate">
+                {{ channel.type }} <span class="opacity-30">•</span> {{ channel.workspaceName || 'Assigned Channel' }}
+              </p>
+            </div>
+          </div>
+        </div>
+        
+        <div class="mt-4 p-4 bg-black/20 rounded-xl border border-white/5 text-center">
+          <p class="text-xs text-slate-500 font-bold uppercase tracking-widest">
+            To view details or remove channels, use the Workspace Tab.
+          </p>
+        </div>
+      </div>
+      <div v-else class="py-10 text-center bg-black/20 rounded-[1.5rem] border border-dashed border-white/5 flex flex-col items-center">
+        <Globe class="w-8 h-8 text-slate-700 mb-3 opacity-20" />
+        <p class="text-xs font-bold text-slate-600 uppercase tracking-widest">This client has no assigned channels</p>
+        <p class="text-xs text-slate-500 font-bold uppercase tracking-widest mt-2">
+          To manage their spaces, go to the Workspaces tab.
+        </p>
+      </div>
+    </div>
+
+    <header>
+      <h4 class="text-sm font-black text-slate-400 uppercase tracking-widest">Authorized Agents</h4>
+    </header>
+
+    <div class="form-control">
+      <div class="relative">
+        <div class="absolute left-4 top-1/2 -translate-y-1/2 text-slate-600">
+          <Search class="w-4 h-4" />
+        </div>
+        <input 
+          v-model="botSearch" 
+          @focus="showBotResults = true"
+          type="text" 
+          class="input-premium h-14 pl-12 w-full text-base font-medium placeholder:text-slate-700 bg-black/40" 
+          placeholder="Search for authorized agents..." 
+        />
+        
+        <!-- Search Results Dropdown -->
+        <div v-if="showBotResults && (botSearch || filteredBots.length > 0)" 
+             class="absolute z-20 top-full left-0 right-0 mt-2 bg-[#12161f] border border-white/10 rounded-2xl shadow-2xl max-h-64 overflow-y-auto p-2">
+          <div v-if="filteredBots.length === 0" class="py-4 text-center text-xs text-slate-600 font-black uppercase flex flex-col items-center gap-2">
+            <span>Zero matching local agents</span>
+            <button v-if="botSearch.length >= 10" @click="addAllowedBot(botSearch)" class="btn btn-sm btn-primary mt-2">
+              Add by exact ID
+            </button>
+          </div>
+          <button v-for="bot in filteredBots" :key="bot.id"
+                  @click="addAllowedBot(bot.id)"
+                  class="w-full flex items-center gap-4 p-3 hover:bg-primary/10 rounded-xl transition-all group text-left border border-transparent hover:border-primary/20">
+            <div class="w-10 h-10 rounded-lg bg-black flex items-center justify-center text-slate-500 group-hover:text-primary transition-all shadow-inner">
+              <Bot class="w-5 h-5" />
+            </div>
+            <div class="flex-1 min-w-0">
+              <div class="text-xs font-black uppercase text-white truncate">{{ bot.name }}</div>
+              <div class="text-xs font-mono text-slate-600 truncate uppercase">{{ (bot.id || '').substring(0,25) }}...</div>
+            </div>
+            <Plus class="w-4 h-4 text-slate-800 group-hover:text-primary" />
+          </button>
+        </div>
+      </div>
+      <div v-if="showBotResults" @click="showBotResults = false" class="fixed inset-0 z-10"></div>
+    </div>
+
+    <div class="flex-1 min-h-0 flex flex-col">
+      <div class="flex items-center justify-between mb-4">
+        <span class="text-xs font-black text-slate-600 uppercase tracking-widest">Currently Whitelisted</span>
+        <span v-if="!client.allowed_bots || client.allowed_bots.length === 0" class="text-xs font-bold text-slate-500 uppercase italic">Unrestricted Global Access</span>
+      </div>
+      
+      <div class="grid grid-cols-1 md:grid-cols-2 gap-4 pb-20">
+        <div v-for="botId in (client.allowed_bots || [])" :key="botId" 
+             class="flex items-center justify-between p-4 bg-primary/5 border border-primary/10 rounded-2xl group border-l-4 border-l-primary/40 hover:bg-primary/[0.08] transition-all">
+          <div class="flex items-center gap-4 min-w-0">
+            <div class="w-10 h-10 rounded-xl bg-[#0b0e14] border border-white/5 flex items-center justify-center text-primary shadow-xl">
+              <Bot class="w-5 h-5" />
+            </div>
+            <div class="min-w-0">
+              <div class="text-xs font-black uppercase text-white truncate">{{ getBotById(botId).name }}</div>
+              <div class="text-xs font-mono text-slate-500 truncate">{{ (botId || '').substring(0,12) }}...</div>
+            </div>
+          </div>
+          <button @click="removeAllowedBot(botId)" class="p-2 text-slate-700 hover:text-red-500 transition-colors">
+            <Trash2 class="w-4 h-4" />
+          </button>
+        </div>
+      </div>
+    </div>
+  </div>
+</template>
diff --git a/src/frontend/src/components/clients/tabs/ClientContactTab.vue b/src/frontend/src/components/clients/tabs/ClientContactTab.vue
new file mode 100644
index 0000000..fadc82a
--- /dev/null
+++ b/src/frontend/src/components/clients/tabs/ClientContactTab.vue
@@ -0,0 +1,76 @@
+<script setup lang="ts">
+import { computed, ref } from 'vue'
+import { Tag } from 'lucide-vue-next'
+
+const props = defineProps<{
+  modelValue: any
+}>()
+
+const emit = defineEmits(['update:modelValue'])
+
+const client = computed({
+  get: () => props.modelValue,
+  set: (val) => emit('update:modelValue', val)
+})
+
+const newTag = ref('')
+
+function addTag() {
+  if (newTag.value && !client.value.tags.includes(newTag.value)) {
+    client.value.tags.push(newTag.value)
+    newTag.value = ''
+  }
+}
+
+function removeTag(tag: string) {
+  client.value.tags = client.value.tags.filter((t: string) => t !== tag)
+}
+</script>
+
+<template>
+  <div class="space-y-8 animate-in fade-in slide-in-from-right-4 duration-300">
+    <header>
+      <h3 class="text-xl font-black text-white uppercase tracking-tight">Contact Info</h3>
+      <p class="text-xs text-slate-500 font-bold uppercase tracking-widest mt-1">Personal and communication data</p>
+    </header>
+
+    <div class="form-control">
+      <label class="label-premium text-slate-400">Display Name / Alias</label>
+      <input v-model="client.display_name" type="text" class="input-premium h-14 w-full text-lg font-black" placeholder="Contact Name" />
+    </div>
+
+    <div class="grid grid-cols-1 md:grid-cols-2 gap-8">
+      <div class="form-control">
+        <label class="label-premium text-slate-400">Primary Email</label>
+        <input v-model="client.email" type="email" class="input-premium h-14 w-full text-sm" placeholder="contact@domain.com" />
+      </div>
+      <div class="form-control">
+        <label class="label-premium text-slate-400">Universal Phone</label>
+        <input v-model="client.phone" 
+            type="tel" 
+            class="input-premium h-14 w-full text-sm font-mono" 
+            :class="{ 'opacity-50 cursor-not-allowed bg-black/20': client.platform_type === 'whatsapp' }"
+            :readonly="client.platform_type === 'whatsapp'"
+            placeholder="+XX XXX XXX XXX" />
+      </div>
+    </div>
+
+    <div class="form-control">
+      <label class="label-premium text-slate-400">Categorization Tags</label>
+      <div class="flex gap-2 mb-4">
+        <input v-model="newTag" type="text" class="input-premium h-12 flex-1 text-sm bg-black/40" placeholder="Add custom tag..." @keyup.enter="addTag" />
+        <button @click="addTag" class="btn-premium btn-premium-ghost h-12 px-6">
+          <Tag class="w-4 h-4" />
+        </button>
+      </div>
+      <div class="flex flex-wrap gap-2 p-4 bg-black/40 rounded-2xl border border-white/5 min-h-[60px]">
+        <span v-for="tag in client.tags" :key="tag" 
+              class="px-4 py-2 text-xs font-black uppercase tracking-widest bg-primary/10 text-primary border border-primary/20 rounded-xl flex items-center gap-3">
+          {{ tag }}
+          <button @click="removeTag(tag)" class="hover:text-white transition-colors">&times;</button>
+        </span>
+        <p v-if="client.tags.length === 0" class="text-xs text-slate-700 font-bold uppercase items-center flex">No tags assigned / global pool</p>
+      </div>
+    </div>
+  </div>
+</template>
diff --git a/src/frontend/src/components/clients/tabs/ClientIdentityTab.vue b/src/frontend/src/components/clients/tabs/ClientIdentityTab.vue
new file mode 100644
index 0000000..03b92a1
--- /dev/null
+++ b/src/frontend/src/components/clients/tabs/ClientIdentityTab.vue
@@ -0,0 +1,78 @@
+<script setup lang="ts">
+import { computed } from 'vue'
+import { CheckCircle2, RefreshCw } from 'lucide-vue-next'
+import TierBadge from '../TierBadge.vue'
+
+const props = defineProps<{
+  modelValue: any
+  editingClient: any
+  lidVerified: boolean
+  validatingLid: boolean
+  lastValidatedPhone: string
+}>()
+
+const emit = defineEmits(['update:modelValue', 'extractLid'])
+
+const client = computed({
+  get: () => props.modelValue,
+  set: (val) => emit('update:modelValue', val)
+})
+</script>
+
+<template>
+  <div class="space-y-8 animate-in fade-in slide-in-from-right-4 duration-300">
+    <header>
+      <h3 class="text-xl font-black text-white uppercase tracking-tight">Identification</h3>
+      <p class="text-xs text-slate-500 font-bold uppercase tracking-widest mt-1">Platform parameters and account tier</p>
+    </header>
+
+    <div class="grid grid-cols-1 md:grid-cols-2 gap-8">
+      <div class="form-control">
+        <label class="label-premium text-slate-400">Platform ID (LID)</label>
+        <div class="flex gap-2">
+          <input v-model="client.platform_id" 
+                 type="text" 
+                 class="input-premium h-14 flex-1 text-sm font-mono" 
+                 placeholder="Identification signal..." />
+          <button v-if="client.platform_type === 'whatsapp'" 
+                  type="button"
+                  class="btn-premium px-6 h-14" 
+                  :class="lidVerified ? 'btn-premium-ghost text-green-500 border-green-500/20' : 'btn-premium-ghost'"
+                  @click="emit('extractLid')"
+                  :disabled="validatingLid">
+              <CheckCircle2 v-if="lidVerified && !validatingLid" class="w-4 h-4" />
+              <RefreshCw v-else class="w-4 h-4" :class="{ 'animate-spin': validatingLid }" />
+          </button>
+        </div>
+        <div class="flex items-center justify-between mt-2">
+          <p class="text-xs text-slate-600 font-bold uppercase">Unique identifier for the selected platform.</p>
+          <p v-if="lidVerified" class="text-xs text-green-500 font-black uppercase flex items-center gap-1 animate-in fade-in slide-in-from-right-2">
+               <CheckCircle2 class="w-2.5 h-2.5" /> 
+               Number: {{ lastValidatedPhone }} <span class="mx-1 opacity-40">→</span> LID: {{ client.platform_id }}
+          </p>
+        </div>
+      </div>
+
+      <div class="form-control">
+        <label class="label-premium text-slate-400">Target Platform</label>
+        <select v-model="client.platform_type" class="input-premium h-14 w-full text-sm" :disabled="!!editingClient">
+          <option value="whatsapp">WhatsApp Protocol</option>
+          <option value="telegram">Telegram Bot API</option>
+          <option value="webchat">Internal WebChat</option>
+        </select>
+      </div>
+    </div>
+
+    <div class="form-control">
+      <label class="label-premium text-slate-400">Authorization Tier</label>
+      <div class="grid grid-cols-2 sm:grid-cols-4 gap-4">
+        <button v-for="t in ['standard', 'premium', 'vip', 'enterprise']" :key="t"
+                @click="client.tier = t" 
+                class="h-16 rounded-2xl border-2 transition-all flex items-center justify-center gap-2 cursor-pointer hover:scale-[1.02]"
+                :class="client.tier === t ? 'border-primary bg-primary/10 shadow-lg' : 'border-white/5 bg-black/40 text-slate-500'">
+            <TierBadge :tier="t" :show-icon="true" />
+        </button>
+      </div>
+    </div>
+  </div>
+</template>
diff --git a/src/frontend/src/components/clients/tabs/ClientSettingsTab.vue b/src/frontend/src/components/clients/tabs/ClientSettingsTab.vue
new file mode 100644
index 0000000..e993830
--- /dev/null
+++ b/src/frontend/src/components/clients/tabs/ClientSettingsTab.vue
@@ -0,0 +1,100 @@
+<script setup lang="ts">
+import { computed } from 'vue'
+import { Globe } from 'lucide-vue-next'
+
+const props = defineProps<{
+  modelValue: any
+}>()
+
+const emit = defineEmits(['update:modelValue'])
+
+const client = computed({
+  get: () => props.modelValue,
+  set: (val) => emit('update:modelValue', val)
+})
+</script>
+
+<template>
+  <div class="space-y-8 animate-in fade-in slide-in-from-right-4 duration-300">
+    <header>
+      <h3 class="text-xl font-black text-white uppercase tracking-tight">Preferences</h3>
+      <p class="text-xs text-slate-500 font-bold uppercase tracking-widest mt-1">Language, timezone and internal notes</p>
+    </header>
+
+    <div class="form-control max-w-sm">
+      <label class="label-premium text-slate-400">Primary AI Language</label>
+      <div class="relative group">
+        <div class="absolute left-4 top-1/2 -translate-y-1/2 text-primary opacity-40 group-focus-within:opacity-100 transition-opacity">
+          <Globe class="w-5 h-5" />
+        </div>
+        <select v-model="client.language" class="input-premium h-14 pl-12 w-full text-sm font-bold">
+          <option value="es">Español (Castellano)</option>
+          <option value="en">English (International)</option>
+          <option value="pt">Português</option>
+          <option value="fr">Français</option>
+          <option value="it">Italiano</option>
+          <option value="de">Deutsch</option>
+        </select>
+      </div>
+    </div>
+
+    <div class="form-control max-w-sm">
+      <label class="label-premium text-slate-400">Timezone Override</label>
+      <div class="relative group">
+        <div class="absolute left-4 top-1/2 -translate-y-1/2 text-primary opacity-40 group-focus-within:opacity-100 transition-opacity">
+          <Globe class="w-5 h-5" />
+        </div>
+        <select v-model="client.timezone" class="input-premium h-14 pl-12 w-full text-sm font-bold">
+          <option value="">Use Channel Default</option>
+          <option value="America/New_York">🇺🇸 (GMT-05:00) America/New_York</option>
+          <option value="America/Los_Angeles">🇺🇸 (GMT-08:00) America/Los_Angeles</option>
+          <option value="America/Chicago">🇺🇸 (GMT-06:00) America/Chicago</option>
+          <option value="America/Lima">🇵🇪 (GMT-05:00) America/Lima</option>
+          <option value="America/Bogota">🇨🇴 (GMT-05:00) America/Bogota</option>
+          <option value="America/Mexico_City">🇲🇽 (GMT-06:00) America/Mexico_City</option>
+          <option value="America/Santo_Domingo">🇩🇴 (GMT-04:00) America/Santo_Domingo</option>
+          <option value="America/Sao_Paulo">🇧🇷 (GMT-03:00) America/Sao_Paulo</option>
+          <option value="America/Buenos_Aires">🇦🇷 (GMT-03:00) America/Buenos_Aires</option>
+          <option value="America/Santiago">🇨🇱 (GMT-04:00) America/Santiago</option>
+          <option value="Europe/London">🇬🇧 (GMT+00:00) Europe/London</option>
+          <option value="Europe/Paris">🇫🇷 (GMT+01:00) Europe/Paris</option>
+          <option value="Europe/Madrid">🇪🇸 (GMT+01:00) Europe/Madrid</option>
+          <option value="Europe/Berlin">🇩🇪 (GMT+01:00) Europe/Berlin</option>
+          <option value="Asia/Tokyo">🇯🇵 (GMT+09:00) Asia/Tokyo</option>
+          <option value="Asia/Shanghai">🇨🇳 (GMT+08:00) Asia/Shanghai</option>
+          <option value="Asia/Dubai">🇦🇪 (GMT+04:00) Asia/Dubai</option>
+          <option value="Australia/Sydney">🇦🇺 (GMT+10:00) Australia/Sydney</option>
+        </select>
+      </div>
+      <p class="text-xs text-slate-600 font-bold uppercase mt-2">Individual timezone for this client. Overrides channel defaults.</p>
+    </div>
+
+    <div class="form-control max-w-sm">
+      <label class="label-premium text-slate-400">Country</label>
+      <div class="relative group">
+        <div class="absolute left-4 top-1/2 -translate-y-1/2 text-primary opacity-40 group-focus-within:opacity-100 transition-opacity">
+          <Globe class="w-5 h-5" />
+        </div>
+        <select v-model="client.country" class="input-premium h-14 pl-12 w-full text-sm font-bold">
+          <option value="">Not specified</option>
+          <option value="PE">🇵🇪 PE - Perú</option>
+          <option value="DO">🇩🇴 DO - República Dominicana</option>
+          <option value="US">🇺🇸 US - United States</option>
+          <option value="MX">🇲🇽 MX - México</option>
+          <option value="CO">🇨🇴 CO - Colombia</option>
+          <option value="AR">🇦🇷 AR - Argentina</option>
+          <option value="CL">🇨🇱 CL - Chile</option>
+          <option value="BR">🇧🇷 BR - Brasil</option>
+          <option value="ES">🇪🇸 ES - España</option>
+          <option value="GB">🇬🇧 GB - United Kingdom</option>
+        </select>
+      </div>
+    </div>
+
+    <div class="form-control">
+      <label class="label-premium text-slate-400">Internal Context / Notes</label>
+      <p class="text-[10px] text-slate-500 font-bold uppercase mb-2">Private observations not visible to the client or AI</p>
+      <textarea v-model="client.notes" class="input-premium py-4 w-full h-32 leading-relaxed" placeholder="Client specific context or background..."></textarea>
+    </div>
+  </div>
+</template>
diff --git a/src/frontend/src/views/ClientsView.vue b/src/frontend/src/views/ClientsView.vue
index 753b2d4..970ebab 100644
--- a/src/frontend/src/views/ClientsView.vue
+++ b/src/frontend/src/views/ClientsView.vue
@@ -2,26 +2,21 @@
 import { ref, onMounted, computed, watch } from 'vue'
 import { useApi } from '@/composables/useApi'
 import AppPageHeader from '@/components/AppPageHeader.vue'
-import AppTabModal from '@/components/AppTabModal.vue'
 import ConfirmationDialog from '@/components/ConfirmationDialog.vue'
 import TierBadge from '@/components/clients/TierBadge.vue'
+import ClientEditorModal from '@/components/clients/ClientEditorModal.vue'
 import { 
   Plus, 
   Trash2, 
   Edit3, 
-  CheckCircle2, 
   Users,
   RefreshCw,
   Search,
-  Tag,
   Link2,
   Eye,
   MessageSquare,
-  Globe,
-  Layout,
-  Contact,
-  ShieldCheck,
-  Bot
+  Key,
+  ShieldCheck
 } from 'lucide-vue-next'
 
 interface Client {
@@ -39,6 +34,7 @@ interface Client {
   timezone: string
   country: string
   allowed_bots: string[]
+  owned_channels: string[]
   is_tester: boolean
   enabled: boolean
   created_at: string
@@ -49,7 +45,7 @@ const loading = ref(true)
 const clients = ref<Client[]>([])
 const search = ref('')
 const stats = ref<Record<string, number>>({})
-const bots = ref<any[]>([])
+const portalAccounts = ref<Record<string, any>>({})
 
 const filteredClients = computed(() => {
   if (!search.value) return clients.value
@@ -65,148 +61,6 @@ const filteredClients = computed(() => {
 
 const showAddModal = ref(false)
 const editingClient = ref<Client | null>(null)
-const newClient = ref({
-  platform_id: '',
-  platform_type: 'whatsapp',
-  display_name: '',
-  email: '',
-  phone: '',
-  tier: 'standard',
-  tags: [] as string[],
-  notes: '',
-  language: 'en',
-  timezone: '',
-  country: '',
-  allowed_bots: [] as string[],
-  is_tester: false
-})
-const newTag = ref('')
-const workspaces = ref<any[]>([])
-const validatingLid = ref(false)
-const lidVerified = ref(false)
-const botSearch = ref('')
-const showBotResults = ref(false)
-const activeClientTab = ref('identity')
-const lastValidatedPhone = ref('')
-const originalClientState = ref('') // Para comparar cambios
-const isLoadingClient = ref(false) // Flag to prevent watchers during load
-
-const unselectedBots = computed(() => {
-  return bots.value.filter(b => !newClient.value.allowed_bots.includes(b.id))
-})
-
-const filteredBots = computed(() => {
-  if (!botSearch.value) return unselectedBots.value.slice(0, 3)
-  const s = botSearch.value.toLowerCase()
-  return unselectedBots.value.filter(b => 
-    b.name.toLowerCase().includes(s) || 
-    b.id.toLowerCase().includes(s)
-  ).slice(0, 3)
-})
-
-function addAllowedBot(botId: string) {
-  if (!newClient.value.allowed_bots.includes(botId)) {
-    newClient.value.allowed_bots.push(botId)
-  }
-  botSearch.value = ''
-  showBotResults.value = false
-}
-
-function removeAllowedBot(botId: string) {
-  newClient.value.allowed_bots = newClient.value.allowed_bots.filter(id => id !== botId)
-}
-
-function getBotById(id: string) {
-  return bots.value.find(b => b.id === id) || { name: 'Unknown Bot', id }
-}
-
-async function loadWorkspaces() {
-  try {
-    const res = await api.get('/workspaces') as any
-    const wsList = res || []
-    
-    // Fetch channels for each workspace to populate the list for validation
-    const channelsPromises = wsList.map((ws: any) => api.get(`/workspaces/${ws.id}/channels`))
-    const channelsResults = await Promise.allSettled(channelsPromises)
-    
-    workspaces.value = wsList.map((ws: any, idx: number) => {
-      const res = channelsResults[idx]
-      let channels: any[] = []
-      if (res && res.status === 'fulfilled') {
-        channels = (res as PromiseFulfilledResult<any>).value || []
-      }
-      return {
-        ...ws,
-        channels: channels
-      }
-    })
-  } catch (err) {
-    console.error('Failed to load workspaces or channels:', err)
-  }
-}
-
-async function extractLid() {
-  // Get the input value - prefer platform_id field, fallback to phone
-  const rawInput = newClient.value.platform_id || newClient.value.phone
-  if (!rawInput) {
-    alert('Please enter a phone number first')
-    return
-  }
-
-  // If the input already contains @, it's a LID/JID - we need the actual phone number
-  if (rawInput.includes('@')) {
-    alert('Please enter the actual phone number (without @lid or @s.whatsapp.net). The system will resolve the LID for you.')
-    return
-  }
-
-  // Clean the input to only digits
-  const phoneNumber = rawInput.replace(/[^\d]/g, '')
-  if (!phoneNumber || phoneNumber.length < 8) {
-    alert('Please enter a valid phone number')
-    return
-  }
-
-  // Find the first available whatsapp channel (enabled or connected)
-  let targetWorkspace = null
-  let targetChannel = null
-
-  for (const ws of workspaces.value) {
-    const ch = ws.channels?.find((c: any) => (c.type === 'whatsapp' || c.platform_type === 'whatsapp') && (c.enabled || c.status === 'connected'))
-    if (ch) {
-      targetWorkspace = ws
-      targetChannel = ch
-      break
-    }
-  }
-
-  if (!targetChannel) {
-    alert('No active WhatsApp channel found (Enabled or Connected) to perform validation.')
-    return
-  }
-
-  validatingLid.value = true
-  try {
-    const res = await api.get(`/workspaces/${targetWorkspace.id}/channels/${targetChannel.id}/resolve-identity?identity=${phoneNumber}`) as any
-    if (res.resolved_identity) {
-      // Save the LID to platform_id
-      newClient.value.platform_id = res.resolved_identity
-      lidVerified.value = res.status === 'verified'
-      
-      // Save the original phone number that was used for validation
-      newClient.value.phone = phoneNumber
-      lastValidatedPhone.value = phoneNumber
-
-      // Only fill display name if WhatsApp actually returned a name signal
-      if (!newClient.value.display_name && res.name) {
-        newClient.value.display_name = res.name
-      }
-    }
-  } catch (err) {
-    alert('Could not resolve LID. Make sure the channel is connected and the number is registered on WhatsApp.')
-  } finally {
-    validatingLid.value = false
-  }
-}
 
 const confirmModal = ref({
     show: false,
@@ -223,13 +77,21 @@ async function loadData() {
     const res = await api.get('/clients') as any
     clients.value = res.data || []
     
-    // Load bots for selector
-    const botsRes = await api.get('/bots') as any
-    bots.value = botsRes.results || []
+    // Load bots for selector only on demand, not in grid!
 
     // Load stats
     const statsRes = await api.get('/clients/stats') as any
     stats.value = statsRes.by_tier || {}
+
+    // Load portal account status for current page clients
+    try {
+      if (clients.value.length > 0) {
+        const ids = clients.value.map(c => c.id).join(',')
+        portalAccounts.value = await api.get(`/internal/portal-accounts?ids=${ids}`) as Record<string, any>
+      }
+    } catch (e) {
+      console.warn('Could not load portal account status', e)
+    }
   } catch (err) {
     console.error(err)
   } finally {
@@ -239,99 +101,13 @@ async function loadData() {
 
 function resetForm() {
   editingClient.value = null
-  newClient.value = {
-    platform_id: '',
-    platform_type: 'whatsapp',
-    display_name: '',
-    email: '',
-    phone: '',
-    tier: 'standard',
-    tags: [],
-    notes: '',
-    language: 'en',
-    timezone: '',
-    country: '',
-    allowed_bots: [],
-    is_tester: false
-  }
-  newTag.value = ''
-  lidVerified.value = false
-  lastValidatedPhone.value = ''
 }
 
 function openEdit(client: Client) {
-  isLoadingClient.value = true
   editingClient.value = client
-  newClient.value = {
-    platform_id: client.platform_id,
-    platform_type: client.platform_type,
-    display_name: client.display_name,
-    email: client.email || '',
-    phone: client.phone || '',
-    tier: client.tier,
-    tags: client.tags || [],
-    notes: client.notes || '',
-    language: client.language || 'en',
-    timezone: client.timezone || '',
-    country: client.country || '',
-    allowed_bots: client.allowed_bots || [],
-    is_tester: client.is_tester || false
-  }
-  
-  // Auto-verify ONLY if the loaded ID is a LID (NEVER JID)
-  if (client.platform_type === 'whatsapp' && client.platform_id.includes('@lid')) {
-    lidVerified.value = true
-    lastValidatedPhone.value = client.phone || ''
-  } else {
-    lidVerified.value = false
-    lastValidatedPhone.value = ''
-  }
-
-  // Save original state for dirty checking
-  originalClientState.value = JSON.stringify(newClient.value)
-  isLoadingClient.value = false
   showAddModal.value = true
 }
 
-const hasChanges = computed(() => {
-  // For new clients: enable if platform_id is filled
-  if (!editingClient.value) {
-    return newClient.value.platform_id.length > 0
-  }
-  // For editing: compare with original state
-  return JSON.stringify(newClient.value) !== originalClientState.value
-})
-
-function addTag() {
-  if (newTag.value && !newClient.value.tags.includes(newTag.value)) {
-    newClient.value.tags.push(newTag.value)
-    newTag.value = ''
-  }
-}
-
-function removeTag(tag: string) {
-  newClient.value.tags = newClient.value.tags.filter(t => t !== tag)
-}
-
-async function saveClient() {
-  try {
-    if (editingClient.value) {
-      await api.put(`/clients/${editingClient.value.id}`, newClient.value)
-    } else {
-      await api.post('/clients', newClient.value)
-    }
-    showAddModal.value = false
-    resetForm()
-    await loadData()
-  } catch (err: any) {
-    if (err.status === 409) {
-      alert('CONFLICTO: Este ID ya está siendo usado por otro cliente. Busca el cliente duplicado y elimínalo primero.')
-    } else {
-      alert('Error saving client: ' + (err.message || 'Unknown error'))
-    }
-  }
-}
-
 async function deleteClient(id: string) {
   confirmModal.value = {
       show: true,
@@ -363,18 +139,33 @@ async function toggleEnabled(client: Client) {
   }
 }
 
-// Only reset lidVerified when the user MANUALLY changes these fields
-
-watch(() => newClient.value.platform_id, (newVal, oldVal) => {
-  // Don't reset if we're loading, or if the new value IS a LID (meaning we just resolved it)
-  if (!isLoadingClient.value && oldVal && !newVal.includes('@lid')) {
-    lidVerified.value = false
+async function provisionPortalAccount(client: Client) {
+  confirmModal.value = {
+    show: true,
+    title: 'Enable Portal Access?',
+    message: `This will enable portal access for ${client.display_name}. ${client.email ? 'It will be linked to ' + client.email : 'The client can register their email later'}.`,
+    type: 'info',
+    confirmText: 'Enable Portal',
+    onConfirm: async () => {
+      try {
+        await api.post(`/internal/clients/${client.id}/portal-account`, {
+          email: client.email,
+          full_name: client.display_name
+        })
+        alert('Portal account enabled successfully.')
+      } catch (err: any) {
+        const msg = err.response?.data?.error || err.message || 'Unknown error'
+        alert('Error: ' + msg)
+      }
+    }
   }
-})
+}
+
+
 
 onMounted(() => {
   loadData()
-  loadWorkspaces()
+  // Workspaces y canales NO se cargan en la vista principal
 })
 </script>
 
@@ -388,9 +179,9 @@ onMounted(() => {
     <AppPageHeader title="Clients">
       <template #breadcrumb>
           <Users class="w-4 h-4 text-primary shrink-0" />
-          <span class="text-sm font-bold uppercase tracking-widest text-primary">Customer Hub</span>
+          <span class="text-sm font-bold uppercase tracking-widest text-primary">Clients</span>
           <span class="opacity-30 text-xs font-black text-slate-500">/</span>
-          <span class="text-xs font-bold uppercase tracking-widest text-slate-500">Global Registry</span>
+          <span class="text-xs font-bold uppercase tracking-widest text-slate-500">Registry</span>
       </template>
 
       <template #actions>
@@ -462,6 +253,9 @@ onMounted(() => {
                             <span class="text-xl font-black opacity-40">{{ client.display_name?.charAt(0) || 'C' }}</span>
                         </div>
                         <div class="flex gap-2">
+                            <button v-if="!portalAccounts[client.id]" class="btn-card-action" @click="provisionPortalAccount(client)" title="Provision Portal Access">
+                                <Key class="w-4 h-4 text-primary" />
+                            </button>
                             <button class="btn-card-action" @click="openEdit(client)" title="Edit">
                                 <Edit3 class="w-4 h-4" />
                             </button>
@@ -487,6 +281,25 @@ onMounted(() => {
                         </div>
                     </div>
 
+                    <!-- Portal Status Indicator -->
+                    <div class="mb-6 flex items-center gap-2">
+                      <div v-if="!portalAccounts[client.id]" class="px-3 py-1 rounded-full bg-slate-800/50 border border-white/5 text-xs font-bold text-slate-500 uppercase tracking-widest">
+                        Portal: Inactive
+                      </div>
+                      <div v-else-if="portalAccounts[client.id].is_shadow" class="px-3 py-1 rounded-full bg-amber-500/10 border border-amber-500/20 text-xs font-black text-amber-500 uppercase tracking-widest flex items-center gap-1.5">
+                        <div class="w-1.5 h-1.5 rounded-full bg-amber-500 animate-pulse"></div>
+                        Portal: Pending
+                      </div>
+                      <div v-else class="px-3 py-1 rounded-full bg-green-500/10 border border-green-500/20 text-xs font-black text-green-500 uppercase tracking-widest flex items-center gap-1.5">
+                        <div class="w-1.5 h-1.5 rounded-full bg-green-500"></div>
+                        Portal: Active
+                      </div>
+
+                      <span v-if="portalAccounts[client.id]?.email" class="text-xs font-bold text-slate-600 truncate max-w-[120px]">
+                        {{ portalAccounts[client.id].email }}
+                      </span>
+                    </div>
+
                     <div class="space-y-4 mt-auto">
                         <div class="storage-box-premium">
                             <div class="flex items-baseline justify-between mb-1">
@@ -507,7 +320,7 @@ onMounted(() => {
                                 +{{ client.tags.length - 3 }}
                             </span>
                         </div>
-                        
+
                         <div class="flex items-center justify-between pt-4">
                             <div class="flex items-center gap-2">
                                 <div class="w-1.5 h-1.5 rounded-full" :class="client.enabled ? 'bg-primary animate-pulse' : 'bg-slate-700'"></div>
@@ -528,312 +341,12 @@ onMounted(() => {
     </div>
 
     <!-- Add/Edit Client Modal -->
-    <AppTabModal 
-        v-model="showAddModal"
-        :title="editingClient ? 'Control Manifest: Edit Client' : 'Control Manifest: New Entry'"
-        v-model:activeTab="activeClientTab"
-        :saveDisabled="!hasChanges"
-        :tabs="[
-            { id: 'identity', label: 'Identity', icon: ShieldCheck },
-            { id: 'personal', label: 'Contact Details', icon: Contact },
-            { id: 'settings', label: 'Configuration', icon: Layout },
-            { id: 'operational', label: 'Authorization', icon: Bot }
-        ]"
-        :identity="editingClient ? {
-            name: (newClient.display_name || 'Anonymous Object'),
-            id: newClient.platform_id,
-            icon: Users,
-            iconType: 'component'
-        } : undefined"
-        saveText="Save"
-        @save="saveClient"
-        @cancel="showAddModal = false"
-    >
-        <!-- Tab: Identity -->
-        <div v-if="activeClientTab === 'identity'" class="space-y-8 animate-in fade-in slide-in-from-right-4 duration-300">
-            <header>
-                <h3 class="text-xl font-black text-white uppercase tracking-tight">Signal Identification</h3>
-                <p class="text-xs text-slate-500 font-bold uppercase tracking-widest mt-1">Core platform parameters and access tier</p>
-            </header>
-
-            <div class="grid grid-cols-1 md:grid-cols-2 gap-8">
-                <div class="form-control">
-                    <label class="label-premium text-slate-400">Platform ID (LID)</label>
-                    <div class="flex gap-2">
-                        <input v-model="newClient.platform_id" 
-                               type="text" 
-                               class="input-premium h-14 flex-1 text-sm font-mono" 
-                               placeholder="Identification signal..." />
-                        <button v-if="newClient.platform_type === 'whatsapp'" 
-                                type="button"
-                                class="btn-premium px-6 h-14" 
-                                :class="lidVerified ? 'btn-premium-ghost text-green-500 border-green-500/20' : 'btn-premium-ghost'"
-                                @click="extractLid"
-                                :disabled="validatingLid">
-                            <CheckCircle2 v-if="lidVerified && !validatingLid" class="w-4 h-4" />
-                            <RefreshCw v-else class="w-4 h-4" :class="{ 'animate-spin': validatingLid }" />
-                        </button>
-                    </div>
-                    <div class="flex items-center justify-between mt-2">
-                        <p class="text-xs text-slate-600 font-bold uppercase">Unique identifier for the selected platform.</p>
-                        <p v-if="lidVerified" class="text-xs text-green-500 font-black uppercase flex items-center gap-1 animate-in fade-in slide-in-from-right-2">
-                             <CheckCircle2 class="w-2.5 h-2.5" /> 
-                             Number: {{ lastValidatedPhone }} <span class="mx-1 opacity-40">→</span> LID: {{ newClient.platform_id }}
-                        </p>
-                    </div>
-                </div>
-
-                <div class="form-control">
-                    <label class="label-premium text-slate-400">Target Platform</label>
-                    <select v-model="newClient.platform_type" class="input-premium h-14 w-full text-sm" :disabled="!!editingClient">
-                        <option value="whatsapp">WhatsApp Protocol</option>
-                        <option value="telegram">Telegram Bot API</option>
-                        <option value="webchat">Internal WebChat</option>
-                    </select>
-                </div>
-            </div>
-
-            <div class="form-control">
-                <label class="label-premium text-slate-400">Authorization Tier</label>
-                <div class="grid grid-cols-2 sm:grid-cols-4 gap-4">
-                    <button v-for="t in ['standard', 'premium', 'vip', 'enterprise']" :key="t"
-                            @click="newClient.tier = t" 
-                            class="h-16 rounded-2xl border-2 transition-all flex items-center justify-center gap-2 cursor-pointer hover:scale-[1.02]"
-                            :class="newClient.tier === t ? 'border-primary bg-primary/10 shadow-lg' : 'border-white/5 bg-black/40 text-slate-500'">
-                        <TierBadge :tier="t" :show-icon="true" />
-                    </button>
-                </div>
-            </div>
-        </div>
-
-        <!-- Tab: Personal -->
-        <div v-if="activeClientTab === 'personal'" class="space-y-8 animate-in fade-in slide-in-from-right-4 duration-300">
-            <header>
-                <h3 class="text-xl font-black text-white uppercase tracking-tight">Contact Profile</h3>
-                <p class="text-xs text-slate-500 font-bold uppercase tracking-widest mt-1">Naming and communication vectors</p>
-            </header>
-
-            <div class="form-control">
-                <label class="label-premium text-slate-400">Display Name / Alias</label>
-                <input v-model="newClient.display_name" type="text" class="input-premium h-14 w-full text-lg font-black" placeholder="Contact Name" />
-            </div>
-
-            <div class="grid grid-cols-1 md:grid-cols-2 gap-8">
-                <div class="form-control">
-                    <label class="label-premium text-slate-400">Primary Email</label>
-                    <input v-model="newClient.email" type="email" class="input-premium h-14 w-full text-sm" placeholder="contact@domain.com" />
-                </div>
-                <div class="form-control">
-                    <label class="label-premium text-slate-400">Universal Phone</label>
-                    <input v-model="newClient.phone" 
-                        type="tel" 
-                        class="input-premium h-14 w-full text-sm font-mono" 
-                        :class="{ 'opacity-50 cursor-not-allowed bg-black/20': newClient.platform_type === 'whatsapp' }"
-                        :readonly="newClient.platform_type === 'whatsapp'"
-                        placeholder="+XX XXX XXX XXX" />
-                </div>
-            </div>
-
-            <div class="form-control">
-                <label class="label-premium text-slate-400">Categorization Tags</label>
-                <div class="flex gap-2 mb-4">
-                    <input v-model="newTag" type="text" class="input-premium h-12 flex-1 text-sm bg-black/40" placeholder="Add custom tag..." @keyup.enter="addTag" />
-                    <button @click="addTag" class="btn-premium btn-premium-ghost h-12 px-6">
-                        <Tag class="w-4 h-4" />
-                    </button>
-                </div>
-                <div class="flex flex-wrap gap-2 p-4 bg-black/40 rounded-2xl border border-white/5 min-h-[60px]">
-                    <span v-for="tag in newClient.tags" :key="tag" 
-                          class="px-4 py-2 text-xs font-black uppercase tracking-widest bg-primary/10 text-primary border border-primary/20 rounded-xl flex items-center gap-3">
-                        {{ tag }}
-                        <button @click="removeTag(tag)" class="hover:text-white transition-colors">&times;</button>
-                    </span>
-                    <p v-if="newClient.tags.length === 0" class="text-xs text-slate-700 font-bold uppercase items-center flex">No tags assigned / global pool</p>
-                </div>
-            </div>
-        </div>
-
-        <!-- Tab: Settings -->
-        <div v-if="activeClientTab === 'settings'" class="space-y-8 animate-in fade-in slide-in-from-right-4 duration-300">
-            <header>
-                <h3 class="text-xl font-black text-white uppercase tracking-tight">Vibe & Parameters</h3>
-                <p class="text-xs text-slate-500 font-bold uppercase tracking-widest mt-1">Linguistic and internal processing notes</p>
-            </header>
-
-            <div class="form-control max-w-sm">
-                <label class="label-premium text-slate-400">Primary AI Language</label>
-                <div class="relative group">
-                    <div class="absolute left-4 top-1/2 -translate-y-1/2 text-primary opacity-40 group-focus-within:opacity-100 transition-opacity">
-                        <Globe class="w-5 h-5" />
-                    </div>
-                    <select v-model="newClient.language" class="input-premium h-14 pl-12 w-full text-sm font-bold">
-                        <option value="es">Español (Castellano)</option>
-                        <option value="en">English (International)</option>
-                        <option value="pt">Português</option>
-                        <option value="fr">Français</option>
-                        <option value="it">Italiano</option>
-                        <option value="de">Deutsch</option>
-                    </select>
-                </div>
-            </div>
-
-            <div class="form-control max-w-sm">
-                <label class="label-premium text-slate-400">Timezone Override</label>
-                <div class="relative group">
-                    <div class="absolute left-4 top-1/2 -translate-y-1/2 text-primary opacity-40 group-focus-within:opacity-100 transition-opacity">
-                        <Globe class="w-5 h-5" />
-                    </div>
-                    <select v-model="newClient.timezone" class="input-premium h-14 pl-12 w-full text-sm font-bold">
-                        <option value="">Use Channel Default</option>
-                        <option value="America/New_York">🇺🇸 (GMT-05:00) America/New_York</option>
-                        <option value="America/Los_Angeles">🇺🇸 (GMT-08:00) America/Los_Angeles</option>
-                        <option value="America/Chicago">🇺🇸 (GMT-06:00) America/Chicago</option>
-                        <option value="America/Lima">🇵🇪 (GMT-05:00) America/Lima</option>
-                        <option value="America/Bogota">🇨🇴 (GMT-05:00) America/Bogota</option>
-                        <option value="America/Mexico_City">🇲🇽 (GMT-06:00) America/Mexico_City</option>
-                        <option value="America/Santo_Domingo">🇩🇴 (GMT-04:00) America/Santo_Domingo</option>
-                        <option value="America/Sao_Paulo">🇧🇷 (GMT-03:00) America/Sao_Paulo</option>
-                        <option value="America/Buenos_Aires">🇦🇷 (GMT-03:00) America/Buenos_Aires</option>
-                        <option value="America/Santiago">🇨🇱 (GMT-04:00) America/Santiago</option>
-                        <option value="Europe/London">🇬🇧 (GMT+00:00) Europe/London</option>
-                        <option value="Europe/Paris">🇫🇷 (GMT+01:00) Europe/Paris</option>
-                        <option value="Europe/Madrid">🇪🇸 (GMT+01:00) Europe/Madrid</option>
-                        <option value="Europe/Berlin">🇩🇪 (GMT+01:00) Europe/Berlin</option>
-                        <option value="Asia/Tokyo">🇯🇵 (GMT+09:00) Asia/Tokyo</option>
-                        <option value="Asia/Shanghai">🇨🇳 (GMT+08:00) Asia/Shanghai</option>
-                        <option value="Asia/Dubai">🇦🇪 (GMT+04:00) Asia/Dubai</option>
-                        <option value="Australia/Sydney">🇦🇺 (GMT+10:00) Australia/Sydney</option>
-                    </select>
-                </div>
-                <p class="text-xs text-slate-600 font-bold uppercase mt-2">Individual timezone for this client. Overrides channel defaults.</p>
-            </div>
-
-            <div class="form-control max-w-sm">
-                <label class="label-premium text-slate-400">Country</label>
-                <div class="relative group">
-                    <div class="absolute left-4 top-1/2 -translate-y-1/2 text-primary opacity-40 group-focus-within:opacity-100 transition-opacity">
-                        <Globe class="w-5 h-5" />
-                    </div>
-                    <select v-model="newClient.country" class="input-premium h-14 pl-12 w-full text-sm font-bold">
-                        <option value="">Not specified</option>
-                        <option value="PE">🇵🇪 PE - Perú</option>
-                        <option value="DO">🇩🇴 DO - República Dominicana</option>
-                        <option value="US">🇺🇸 US - United States</option>
-                        <option value="MX">🇲🇽 MX - México</option>
-                        <option value="CO">🇨🇴 CO - Colombia</option>
-                        <option value="AR">🇦🇷 AR - Argentina</option>
-                        <option value="CL">🇨🇱 CL - Chile</option>
-                        <option value="BR">🇧🇷 BR - Brasil</option>
-                        <option value="ES">🇪🇸 ES - España</option>
-                        <option value="GB">🇬🇧 GB - United Kingdom</option>
-                        <option value="FR">🇫🇷 FR - France</option>
-                        <option value="DE">🇩🇪 DE - Deutschland</option>
-                        <option value="IT">🇮🇹 IT - Italia</option>
-                        <option value="JP">🇯🇵 JP - Japan</option>
-                        <option value="CN">🇨🇳 CN - China</option>
-                        <option value="AE">🇦🇪 AE - United Arab Emirates</option>
-                        <option value="AU">🇦🇺 AU - Australia</option>
-                    </select>
-                </div>
-                <p class="text-xs text-slate-600 font-bold uppercase mt-2">Helps AI determine default currency and regional context.</p>
-            </div>
-
-            <div class="form-control">
-                <label class="label-premium text-slate-400">Internal Context Manifest</label>
-                <textarea v-model="newClient.notes" class="input-premium w-full text-sm min-h-[220px] p-6 resize-none leading-relaxed" placeholder="Detailed profile context, specific rules or historical patterns for this client..."></textarea>
-            </div>
-        </div>
-
-        <!-- Tab: Operational -->
-        <div v-if="activeClientTab === 'operational'" class="space-y-8 animate-in fade-in slide-in-from-right-4 duration-300 h-full flex flex-col">
-            <header>
-                <h3 class="text-xl font-black text-white uppercase tracking-tight">System & Authorization</h3>
-                <p class="text-xs text-slate-500 font-bold uppercase tracking-widest mt-1">Advanced access control and debug modes</p>
-            </header>
-
-            <div class="p-6 bg-amber-500/5 border border-amber-500/20 rounded-2xl flex items-start gap-4">
-                <div class="w-10 h-10 rounded-xl bg-amber-500/10 flex items-center justify-center text-amber-500 shrink-0">
-                    <ShieldCheck class="w-5 h-5" />
-                </div>
-                <div class="flex-1">
-                    <div class="flex items-center justify-between mb-2">
-                        <label class="text-sm font-black text-white uppercase tracking-tight">Tester Mode</label>
-                        <input type="checkbox" v-model="newClient.is_tester" class="toggle toggle-warning toggle-sm" />
-                    </div>
-                    <p class="text-xs text-slate-400 font-medium leading-relaxed">
-                        When enabled, all interactions from this client (messages, tool inputs, files) will be logged 
-                        <span class="text-amber-500 font-bold">UNFILTERED (FULL DATA)</span> for debugging purposes. 
-                        Use with caution and only for development accounts.
-                    </p>
-                </div>
-            </div>
-
-            <div class="divider border-white/5 my-4"></div>
-
-            <header>
-                <h4 class="text-sm font-black text-slate-400 uppercase tracking-widest">Authorized Agents</h4>
-            </header>
-
-            <div class="form-control">
-                <div class="relative">
-                    <div class="absolute left-4 top-1/2 -translate-y-1/2 text-slate-600">
-                        <Search class="w-4 h-4" />
-                    </div>
-                    <input 
-                        v-model="botSearch" 
-                        @focus="showBotResults = true"
-                        type="text" 
-                        class="input-premium h-14 pl-12 w-full text-base font-medium placeholder:text-slate-700 bg-black/40" 
-                        placeholder="Search for authorized agents..." 
-                    />
-                    
-                    <!-- Search Results Dropdown -->
-                    <div v-if="showBotResults && (botSearch || filteredBots.length > 0)" 
-                            class="absolute z-20 top-full left-0 right-0 mt-2 bg-[#12161f] border border-white/10 rounded-2xl shadow-2xl max-h-64 overflow-y-auto p-2">
-                        <div v-if="filteredBots.length === 0" class="py-4 text-center text-xs text-slate-600 font-black uppercase">Zero matching agents</div>
-                        <button v-for="bot in filteredBots" :key="bot.id"
-                                @click="addAllowedBot(bot.id)"
-                                class="w-full flex items-center gap-4 p-3 hover:bg-primary/10 rounded-xl transition-all group text-left border border-transparent hover:border-primary/20">
-                            <div class="w-10 h-10 rounded-lg bg-black flex items-center justify-center text-slate-500 group-hover:text-primary transition-all shadow-inner">
-                                <Bot class="w-5 h-5" />
-                            </div>
-                            <div class="flex-1 min-w-0">
-                                <div class="text-xs font-black uppercase text-white truncate">{{ bot.name }}</div>
-                                <div class="text-xs font-mono text-slate-600 truncate uppercase">{{ bot.id.substring(0,25) }}...</div>
-                            </div>
-                            <Plus class="w-4 h-4 text-slate-800 group-hover:text-primary" />
-                        </button>
-                    </div>
-                </div>
-                <div v-if="showBotResults" @click="showBotResults = false" class="fixed inset-0 z-10"></div>
-            </div>
-
-            <div class="flex-1 min-h-0 flex flex-col">
-                <div class="flex items-center justify-between mb-4">
-                    <span class="text-xs font-black text-slate-600 uppercase tracking-widest">Currently Whitelisted</span>
-                    <span v-if="newClient.allowed_bots.length === 0" class="text-xs font-bold text-slate-500 uppercase italic">Unrestricted Global Access</span>
-                </div>
-                
-                <div class="grid grid-cols-1 md:grid-cols-2 gap-4 pb-20">
-                    <div v-for="botId in newClient.allowed_bots" :key="botId" 
-                            class="flex items-center justify-between p-4 bg-primary/5 border border-primary/10 rounded-2xl group border-l-4 border-l-primary/40 hover:bg-primary/[0.08] transition-all">
-                        <div class="flex items-center gap-4 min-w-0">
-                            <div class="w-10 h-10 rounded-xl bg-[#0b0e14] border border-white/5 flex items-center justify-center text-primary shadow-xl">
-                                <Bot class="w-5 h-5" />
-                            </div>
-                            <div class="min-w-0">
-                                <div class="text-xs font-black uppercase text-white truncate">{{ getBotById(botId).name }}</div>
-                                <div class="text-xs font-mono text-slate-500 truncate">{{ botId.substring(0,12) }}...</div>
-                            </div>
-                        </div>
-                        <button @click="removeAllowedBot(botId)" class="p-2 text-slate-700 hover:text-red-500 transition-colors">
-                            <Trash2 class="w-4 h-4" />
-                        </button>
-                    </div>
-                </div>
-            </div>
-        </div>
-    </AppTabModal>
+    <ClientEditorModal 
+        v-model:show="showAddModal"
+        :clientToEdit="editingClient"
+        @saved="loadData"
+        @closed="resetForm"
+    />
 
     <ConfirmationDialog 
         v-model="confirmModal.show"
diff --git a/src/frontend/vitest.config.ts b/src/frontend/vitest.config.ts
index c328717..72243a6 100644
--- a/src/frontend/vitest.config.ts
+++ b/src/frontend/vitest.config.ts
@@ -1,5 +1,6 @@
 import { fileURLToPath } from 'node:url'
-import { mergeConfig, defineConfig, configDefaults } from 'vitest/config'
+import { mergeConfig } from 'vite'
+import { defineConfig, configDefaults } from 'vitest/config'
 import viteConfig from './vite.config'
 
 export default mergeConfig(

From af620113f34a5f678c821182aae4f7a644a29907 Mon Sep 17 00:00:00 2001
From: Aziel <azielcruzado@gmail.com>
Date: Tue, 24 Feb 2026 12:23:01 -0500
Subject: [PATCH 11/12] [Tools] Update client tools to support portal
 authentication services

---
 src/botengine/tools/only-clients/client_tools.go | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/botengine/tools/only-clients/client_tools.go b/src/botengine/tools/only-clients/client_tools.go
index 0625054..fe2732f 100644
--- a/src/botengine/tools/only-clients/client_tools.go
+++ b/src/botengine/tools/only-clients/client_tools.go
@@ -8,6 +8,7 @@ import (
 	"github.com/AzielCF/az-wap/botengine/domain"
 	domainMCP "github.com/AzielCF/az-wap/botengine/domain/mcp"
 	clientsDomain "github.com/AzielCF/az-wap/clients/domain"
+	portalAuth "github.com/AzielCF/az-wap/clients_portal/auth/application"
 )
 
 const (
@@ -33,12 +34,16 @@ var AllowedClientFields = []string{
 
 // ClientTools provides tools for the client to manage their information
 type ClientTools struct {
-	clientRepo clientsDomain.ClientRepository
+	clientRepo  clientsDomain.ClientRepository
+	authService *portalAuth.AuthService
 }
 
 // NewClientTools creates a new instance of ClientTools
-func NewClientTools(clientRepo clientsDomain.ClientRepository) *ClientTools {
-	return &ClientTools{clientRepo: clientRepo}
+func NewClientTools(clientRepo clientsDomain.ClientRepository, authService *portalAuth.AuthService) *ClientTools {
+	return &ClientTools{
+		clientRepo:  clientRepo,
+		authService: authService,
+	}
 }
 
 // UpdateMyInfoTool allows the client to update their personal information

From 112ca2576f7f7ee273c7996b60d7528cc36ef5b2 Mon Sep 17 00:00:00 2001
From: Aziel <azielcruzado@gmail.com>
Date: Wed, 25 Feb 2026 02:34:40 -0500
Subject: [PATCH 12/12] feat(api): expose channel access mode and phone, and
 implement whatsapp linking and control endpoints for portal

---
 .../features/infrastructure/handler.go        | 348 +++++++++++++++++-
 src/clients_portal/http/router.go             |   9 +
 src/ui/rest/workspace.go                      |  32 ++
 3 files changed, 385 insertions(+), 4 deletions(-)

diff --git a/src/clients_portal/features/infrastructure/handler.go b/src/clients_portal/features/infrastructure/handler.go
index b0aaab8..47bcbdb 100644
--- a/src/clients_portal/features/infrastructure/handler.go
+++ b/src/clients_portal/features/infrastructure/handler.go
@@ -2,10 +2,14 @@ package infrastructure
 
 import (
 	"context"
+	"fmt"
+	"os"
 	"sort"
 	"strings"
 	"time"
 
+	"github.com/sirupsen/logrus"
+
 	"github.com/AzielCF/az-wap/botengine/domain/bot"
 	clientsApp "github.com/AzielCF/az-wap/clients/application"
 	clientsDomain "github.com/AzielCF/az-wap/clients/domain"
@@ -229,9 +233,12 @@ func (h *FeaturesHandler) GetOwnedChannels(c *fiber.Ctx) error {
 		Name            string  `json:"name"`
 		Type            string  `json:"type"`
 		Status          string  `json:"status"`
+		Enabled         bool    `json:"enabled"`
 		BotName         string  `json:"bot_name,omitempty"`
 		BotDescription  string  `json:"bot_description,omitempty"`
 		AccumulatedCost float64 `json:"accumulated_cost,omitempty"`
+		Phone           string  `json:"phone,omitempty"`
+		AccessMode      string  `json:"access_mode,omitempty"`
 	}
 
 	// 1. Get all active subscriptions for this client to find bot overrides
@@ -248,10 +255,12 @@ func (h *FeaturesHandler) GetOwnedChannels(c *fiber.Ctx) error {
 	var safeChannels []SafeChannel
 	for _, ch := range channels {
 		sc := SafeChannel{
-			ID:     ch.ID,
-			Name:   ch.Name,
-			Type:   string(ch.Type),
-			Status: string(ch.Status),
+			ID:         ch.ID,
+			Name:       ch.Name,
+			Type:       string(ch.Type),
+			Status:     string(ch.Status),
+			Enabled:    ch.Enabled,
+			AccessMode: string(ch.Config.AccessMode),
 		}
 
 		// 2. Determine Bot ID (Subscription override > Channel config)
@@ -267,6 +276,26 @@ func (h *FeaturesHandler) GetOwnedChannels(c *fiber.Ctx) error {
 			}
 		}
 
+		phone := ""
+		if string(ch.Type) == "whatsapp" {
+			ext := ch.ExternalRef
+			if strings.Contains(ext, ":") { // Handle multi-device suffix
+				ext = strings.Split(ext, ":")[0]
+			}
+			if strings.Contains(ext, "@") {
+				ext = strings.Split(ext, "@")[0]
+			}
+
+			if ext != "" && !strings.Contains(ext, "-") && len(ext) > 5 && len(ext) <= 20 {
+				phone = ext
+			} else {
+				if p, ok := ch.Config.Settings["phone"].(string); ok {
+					phone = p
+				}
+			}
+		}
+		sc.Phone = phone
+
 		client, err := h.clientService.GetByID(ctxStd, user.ClientID)
 		if err == nil && client.IsTester {
 			sc.AccumulatedCost = ch.AccumulatedCost
@@ -816,3 +845,314 @@ func (h *FeaturesHandler) DeleteGuest(c *fiber.Ctx) error {
 
 	return c.SendStatus(fiber.StatusNoContent)
 }
+
+// --- WhatsApp Specific Channel Handlers ---
+
+func (h *FeaturesHandler) GetWhatsAppStatus(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	cid := c.Params("cid")
+	// Verify possession
+	ch, err := h.wsRepo.GetChannel(c.Context(), cid)
+	if err != nil || ch.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	adapter, ok := h.wm.GetAdapter(cid)
+	if !ok {
+		// If adapter not running, check DB status for a "dry" status report
+		if err == nil {
+			return c.JSON(fiber.Map{
+				"is_connected": false,
+				"is_logged_in": ch.Status == channel.ChannelStatusConnected,
+				"status":       ch.Status,
+				"channel_id":   cid,
+				"is_paused":    !ch.Enabled,
+			})
+		}
+
+		return c.JSON(fiber.Map{
+			"is_connected": false,
+			"is_logged_in": false,
+			"status":       "disconnected",
+		})
+	}
+
+	if adapter.Type() != channel.ChannelTypeWhatsApp {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "not a whatsapp channel"})
+	}
+
+	status := adapter.Status()
+	isConnected := status == channel.ChannelStatusConnected
+	isHibernating := status == channel.ChannelStatusHibernating
+	isLoggedIn := adapter.IsLoggedIn()
+
+	phone := ""
+	ext := ch.ExternalRef
+	if strings.Contains(ext, ":") {
+		ext = strings.Split(ext, ":")[0]
+	}
+	if strings.Contains(ext, "@") {
+		ext = strings.Split(ext, "@")[0]
+	}
+
+	if ext != "" && !strings.Contains(ext, "-") && len(ext) > 5 && len(ext) <= 20 {
+		phone = ext
+	} else {
+		if p, ok := ch.Config.Settings["phone"].(string); ok {
+			phone = p
+		}
+	}
+
+	if phone == "" && isConnected {
+		if me, err := adapter.GetMe(); err == nil && me.JID != "" {
+			jid := me.JID
+			if strings.Contains(jid, ":") {
+				jid = strings.Split(jid, ":")[0]
+			}
+			phone = strings.Split(jid, "@")[0]
+			ch.ExternalRef = phone
+			_ = h.wsRepo.UpdateChannel(c.Context(), ch)
+		}
+	}
+
+	// If manual sync requested and we are hibernating, try to resume
+	if c.Query("resume") == "true" && isHibernating {
+		logrus.Infof("[REST Portal] Force Status Sync: Resuming hibernated channel %s", cid)
+		_ = adapter.Resume(c.Context())
+		// Refresh status after resume
+		status = adapter.Status()
+		isConnected = status == channel.ChannelStatusConnected
+		isHibernating = status == channel.ChannelStatusHibernating
+	}
+
+	// Sync local DB if there's a discrepancy (e.g. manual DB deletion or hibernation)
+	if ch.Status != status {
+		ch.Status = status
+		_ = h.wsRepo.UpdateChannel(c.Context(), ch)
+	}
+
+	return c.JSON(fiber.Map{
+		"is_connected":   isConnected,
+		"is_logged_in":   isLoggedIn,
+		"is_hibernating": isHibernating,
+		"is_paused":      !ch.Enabled,
+		"status":         status,
+		"channel_id":     cid,
+		"phone":          phone,
+	})
+}
+
+func (h *FeaturesHandler) WhatsAppLogin(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	cid := c.Params("cid")
+	// Verify possession
+	ch, err := h.wsRepo.GetChannel(c.Context(), cid)
+	if err != nil || ch.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	adapter, ok := h.wm.GetAdapter(cid)
+	if !ok {
+		// Try auto-start if not running
+		if err := h.wm.StartChannel(c.Context(), cid); err != nil {
+			return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": fmt.Sprintf("channel start failed: %v", err)})
+		}
+		// Try get again
+		adapter, ok = h.wm.GetAdapter(cid)
+		if !ok {
+			return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "adapter failed to initialize"})
+		}
+	}
+
+	if err := adapter.Login(c.Context()); err != nil {
+		// If already connected but we are here, something is out of sync.
+		// Forced disconnect and retry once.
+		if strings.Contains(err.Error(), "already connected") {
+			logrus.Warnf("[REST Portal] Adapter %s reports already connected, forcing reset...", cid)
+			_ = adapter.Logout(c.Context())
+			if err := adapter.Login(c.Context()); err != nil {
+				return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": "failed to reset connection: " + err.Error()})
+			}
+		} else {
+			return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+		}
+	}
+
+	qrChan, err := adapter.GetQRChannel(c.Context())
+	if err != nil {
+		return c.Status(fiber.StatusConflict).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	select {
+	case code, open := <-qrChan:
+		if !open {
+			return c.Status(fiber.StatusConflict).JSON(fiber.Map{"error": "qr channel closed"})
+		}
+		return c.JSON(utils.ResponseData{
+			Status:  200,
+			Code:    "SUCCESS",
+			Message: "QR Generated",
+			Results: fiber.Map{
+				"qr_link":     code,
+				"qr_duration": 60, // approximate
+			},
+		})
+	case <-c.Context().Done():
+		return c.Status(fiber.StatusRequestTimeout).JSON(fiber.Map{"error": "timeout waiting for qr"})
+	}
+}
+
+func (h *FeaturesHandler) WhatsAppLoginWithCode(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	cid := c.Params("cid")
+	ch, err := h.wsRepo.GetChannel(c.Context(), cid)
+	if err != nil || ch.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	type req struct {
+		PhoneNumber string `json:"phone_number"`
+	}
+	var r req
+	if err := c.BodyParser(&r); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "invalid body"})
+	}
+
+	if r.PhoneNumber == "" {
+		return c.Status(fiber.StatusBadRequest).JSON(fiber.Map{"error": "phone_number is required"})
+	}
+
+	phone := strings.ReplaceAll(r.PhoneNumber, "+", "")
+	phone = strings.ReplaceAll(phone, " ", "")
+	phone = strings.ReplaceAll(phone, "-", "")
+	phone = strings.TrimSpace(phone)
+
+	adapter, ok := h.wm.GetAdapter(cid)
+	if !ok {
+		// Try auto-start if not running
+		if err := h.wm.StartChannel(c.Context(), cid); err != nil {
+			return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": fmt.Sprintf("channel start failed: %v", err)})
+		}
+		adapter, ok = h.wm.GetAdapter(cid)
+		if !ok {
+			return c.Status(fiber.StatusNotFound).JSON(fiber.Map{"error": "channel adapter not available"})
+		}
+	}
+
+	code, err := adapter.LoginWithCode(c.Context(), phone)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+
+	return c.JSON(fiber.Map{
+		"code":   code,
+		"status": "pairing_code_generated",
+	})
+}
+
+func (h *FeaturesHandler) WhatsAppLogout(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	cid := c.Params("cid")
+	ch, err := h.wsRepo.GetChannel(c.Context(), cid)
+	if err != nil || ch.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	logrus.Infof("[REST Portal] Logging out channel %s", cid)
+
+	adapter, ok := h.wm.GetAdapter(cid)
+	if ok {
+		if err := adapter.Logout(c.Context()); err != nil {
+			logrus.Warnf("[REST Portal] Logout failed for %s, but syncing state anyway: %v", cid, err)
+		}
+		if err := adapter.Cleanup(c.Context()); err != nil {
+			logrus.Warnf("[REST Portal] Cleanup failed for %s: %v", cid, err)
+		}
+		h.wm.UnregisterAdapter(cid)
+	} else {
+		logrus.Infof("[REST Portal] Channel %s not running, attempting to start for proper logout", cid)
+
+		if err := h.wm.StartChannel(c.Context(), cid); err == nil {
+			if adapter, ok := h.wm.GetAdapter(cid); ok {
+				if err := adapter.Logout(c.Context()); err != nil {
+					logrus.Warnf("[REST Portal] Logout failed for %s: %v", cid, err)
+				}
+				if err := adapter.Cleanup(c.Context()); err != nil {
+					logrus.Warnf("[REST Portal] Cleanup failed for %s: %v", cid, err)
+				}
+				h.wm.UnregisterAdapter(cid)
+			}
+		} else {
+			logrus.Warnf("[REST Portal] Could not start channel %s for logout, cleaning up files only: %v", cid, err)
+			waDBPath := fmt.Sprintf("storages/whatsapp-%s.db", cid)
+			waFiles := []string{waDBPath, waDBPath + "-shm", waDBPath + "-wal"}
+			for _, f := range waFiles {
+				if err := os.Remove(f); err != nil && !os.IsNotExist(err) {
+					logrus.Warnf("[REST Portal] Failed to remove %s: %v", f, err)
+				}
+			}
+		}
+	}
+
+	// Update DB status
+	ch.Status = channel.ChannelStatusDisconnected
+	_ = h.wsRepo.UpdateChannel(c.Context(), ch)
+
+	return c.JSON(fiber.Map{"status": "logged_out"})
+}
+
+func (h *FeaturesHandler) EnableChannel(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	cid := c.Params("cid")
+	ch, err := h.wsRepo.GetChannel(c.Context(), cid)
+	if err != nil || ch.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	if err := h.wsUc.EnableChannel(c.Context(), cid); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	if err := h.wm.StartChannel(c.Context(), cid); err != nil {
+		logrus.WithError(err).Warn("[REST Portal] Failed to start channel in manager after enabling")
+	}
+	return c.JSON(fiber.Map{"status": "enabled"})
+}
+
+func (h *FeaturesHandler) DisableChannel(c *fiber.Ctx) error {
+	user, ok := c.Locals("user").(*portalDomain.PortalUser)
+	if !ok || user == nil {
+		return c.Status(fiber.StatusUnauthorized).JSON(fiber.Map{"error": "Unauthorized"})
+	}
+
+	cid := c.Params("cid")
+	ch, err := h.wsRepo.GetChannel(c.Context(), cid)
+	if err != nil || ch.OwnerID != user.ClientID {
+		return c.Status(fiber.StatusForbidden).JSON(fiber.Map{"error": "forbidden"})
+	}
+
+	if err := h.wsUc.DisableChannel(c.Context(), cid); err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(fiber.Map{"error": err.Error()})
+	}
+	h.wm.UnregisterAdapter(cid)
+	return c.JSON(fiber.Map{"status": "disabled"})
+}
diff --git a/src/clients_portal/http/router.go b/src/clients_portal/http/router.go
index f4914ac..8ea87b9 100644
--- a/src/clients_portal/http/router.go
+++ b/src/clients_portal/http/router.go
@@ -54,6 +54,15 @@ func RegisterPortalRoutes(
 	// Edit Channel
 	protected.Put("/owned-channels/:cid/name", featuresHandler.UpdateChannelName)
 
+	// WhatsApp Channel Controls
+	protected.Get("/owned-channels/:cid/whatsapp/status", featuresHandler.GetWhatsAppStatus)
+	protected.Get("/owned-channels/:cid/whatsapp/login", featuresHandler.WhatsAppLogin)
+	protected.Post("/owned-channels/:cid/whatsapp/login-code", featuresHandler.WhatsAppLoginWithCode)
+	protected.Get("/owned-channels/:cid/whatsapp/logout", featuresHandler.WhatsAppLogout)
+
+	protected.Post("/owned-channels/:cid/enable", featuresHandler.EnableChannel)
+	protected.Post("/owned-channels/:cid/disable", featuresHandler.DisableChannel)
+
 	// Workspace Management (ABAC restricted)
 	protected.Get("/workspaces", featuresHandler.ListWorkspaces)
 	protected.Get("/workspaces/:wid/channels", featuresHandler.ListWorkspaceChannels)
diff --git a/src/ui/rest/workspace.go b/src/ui/rest/workspace.go
index 881f6ca..d6e7293 100644
--- a/src/ui/rest/workspace.go
+++ b/src/ui/rest/workspace.go
@@ -451,12 +451,44 @@ func (h *WorkspaceHandler) GetWhatsAppStatus(c *fiber.Ctx) error {
 		_ = h.uc.UpdateChannel(c.Context(), ch)
 	}
 
+	phone := ""
+	if err == nil && ch.Type == channel.ChannelTypeWhatsApp {
+		ext := ch.ExternalRef
+		if strings.Contains(ext, ":") {
+			ext = strings.Split(ext, ":")[0]
+		}
+		if strings.Contains(ext, "@") {
+			ext = strings.Split(ext, "@")[0]
+		}
+
+		if ext != "" && !strings.Contains(ext, "-") && len(ext) > 5 && len(ext) <= 20 {
+			phone = ext
+		} else {
+			if p, ok := ch.Config.Settings["phone"].(string); ok {
+				phone = p
+			}
+		}
+	}
+
+	if phone == "" && isConnected {
+		if me, err := adapter.GetMe(); err == nil && me.JID != "" {
+			jid := me.JID
+			if strings.Contains(jid, ":") {
+				jid = strings.Split(jid, ":")[0]
+			}
+			phone = strings.Split(jid, "@")[0]
+			ch.ExternalRef = phone
+			_ = h.uc.UpdateChannel(c.Context(), ch)
+		}
+	}
+
 	return c.JSON(fiber.Map{
 		"is_connected":   isConnected,
 		"is_logged_in":   isLoggedIn,
 		"is_hibernating": isHibernating,
 		"status":         status,
 		"channel_id":     cid,
+		"phone":          phone,
 	})
 }