feat: implement host dashboard

Add Host Dashboard for event and guest management, accessible at /host.

Backend — new /api/v1/host/* endpoints (RequireHost auth):
- GET  /host/event                    → event name + lock/release state
- POST /host/event/close|open         → lock or unlock uploads; SSE broadcast
- POST /host/gallery/release          → set release timestamp, enqueue export jobs
- GET  /host/users                    → all guests with upload count & bytes
- POST /host/users/{id}/ban           → ban with optional upload-hide choice
- POST /host/users/{id}/unban         → lift ban
- PATCH /host/users/{id}/role         → promote guest→host or demote host→guest
- DELETE /host/upload/{id}            → host-level soft-delete + SSE
- DELETE /host/comment/{id}           → host-level soft-delete

Frontend — /host page:
- Event controls: lock/unlock toggle and release-gallery button with status badges
- Guest table: display name, role badge, upload count, storage used
- Ban flow: modal asking whether to keep or hide the user's uploads
- Promote/demote buttons respecting caller role (host can promote guests; admin can demote hosts)
- auth.ts: getRole() decodes JWT payload client-side to gate the route

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

.env.test

@@ -0,0 +1,45 @@
+# ── Domain ────────────────────────────────────────────────────────────────────
+# Public domain Caddy will serve and obtain a TLS certificate for.
+DOMAIN=my-event.example.com
+
+# ── App server ────────────────────────────────────────────────────────────────
+APP_PORT=3000
+
+# ── Database ──────────────────────────────────────────────────────────────────
+DATABASE_URL=postgres://eventsnap:secret@db:5432/eventsnap
+POSTGRES_USER=eventsnap
+POSTGRES_PASSWORD=secret
+POSTGRES_DB=eventsnap
+
+# ── Authentication ────────────────────────────────────────────────────────────
+# Generate with: openssl rand -hex 64
+JWT_SECRET=change_me_to_a_random_64_byte_hex_string
+SESSION_EXPIRY_DAYS=30
+
+# Admin dashboard password (bcrypt hash).
+# Generate with: htpasswd -bnBC 12 "" yourpassword | tr -d ':\n'
+ADMIN_PASSWORD_HASH=$2y$12$placeholder_replace_me
+
+# ── Event ─────────────────────────────────────────────────────────────────────
+EVENT_NAME=Max & Maria's Wedding
+EVENT_SLUG=max-maria-2026
+
+# ── Storage ───────────────────────────────────────────────────────────────────
+MEDIA_PATH=/media
+
+# ── Upload limits ─────────────────────────────────────────────────────────────
+DEFAULT_MAX_IMAGE_SIZE_MB=20
+DEFAULT_MAX_VIDEO_SIZE_MB=500
+
+# ── Rate limiting ─────────────────────────────────────────────────────────────
+DEFAULT_UPLOAD_RATE_PER_HOUR=10
+DEFAULT_FEED_RATE_PER_MIN=60
+DEFAULT_EXPORT_RATE_PER_DAY=3
+
+# ── Capacity ──────────────────────────────────────────────────────────────────
+DEFAULT_ESTIMATED_GUEST_COUNT=100
+# Fraction of total storage that triggers the "low storage" warning (0.0–1.0)
+DEFAULT_QUOTA_TOLERANCE=0.75
+
+# ── Workers ───────────────────────────────────────────────────────────────────
+COMPRESSION_WORKER_CONCURRENCY=2

backend/src/handlers/feed.rs

@@ -0,0 +1,258 @@
+use axum::extract::{Query, State};
+use axum::Json;
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use uuid::Uuid;
+
+use crate::auth::middleware::AuthUser;
+use crate::error::AppError;
+use crate::state::AppState;
+
+#[derive(Deserialize)]
+pub struct FeedQuery {
+    pub cursor: Option<Uuid>,
+    pub limit: Option<i64>,
+    pub hashtag: Option<String>,
+}
+
+#[derive(Serialize)]
+pub struct FeedUpload {
+    pub id: Uuid,
+    pub user_id: Uuid,
+    pub uploader_name: String,
+    pub preview_url: Option<String>,
+    pub thumbnail_url: Option<String>,
+    pub mime_type: String,
+    pub caption: Option<String>,
+    pub like_count: i64,
+    pub comment_count: i64,
+    pub liked_by_me: bool,
+    pub created_at: DateTime<Utc>,
+}
+
+#[derive(Serialize)]
+pub struct FeedResponse {
+    pub uploads: Vec<FeedUpload>,
+    pub next_cursor: Option<Uuid>,
+}
+
+#[derive(sqlx::FromRow)]
+struct FeedRow {
+    id: Uuid,
+    user_id: Uuid,
+    uploader_name: String,
+    preview_path: Option<String>,
+    thumbnail_path: Option<String>,
+    mime_type: String,
+    caption: Option<String>,
+    like_count: i64,
+    comment_count: i64,
+    created_at: DateTime<Utc>,
+}
+
+pub async fn feed(
+    State(state): State<AppState>,
+    auth: AuthUser,
+    Query(q): Query<FeedQuery>,
+) -> Result<Json<FeedResponse>, AppError> {
+    let limit = q.limit.unwrap_or(20).min(100);
+
+    let rows = if let Some(hashtag) = &q.hashtag {
+        let tag = hashtag.trim().trim_start_matches('#').to_lowercase();
+        sqlx::query_as::<_, FeedRow>(
+            "SELECT v.id, v.user_id, v.uploader_name, v.preview_path, v.thumbnail_path,
+                    v.mime_type, v.caption, v.like_count, v.comment_count, v.created_at
+             FROM v_feed v
+             JOIN upload_hashtag uh ON uh.upload_id = v.id
+             JOIN hashtag h ON h.id = uh.hashtag_id AND h.tag = $1
+             WHERE v.event_id = $2
+               AND ($3::timestamptz IS NULL OR v.created_at < $3)
+             ORDER BY v.created_at DESC
+             LIMIT $4",
+        )
+        .bind(&tag)
+        .bind(auth.event_id)
+        .bind(
+            if let Some(cursor) = q.cursor {
+                get_cursor_time(&state.pool, cursor).await
+            } else {
+                None
+            },
+        )
+        .bind(limit + 1)
+        .fetch_all(&state.pool)
+        .await?
+    } else {
+        sqlx::query_as::<_, FeedRow>(
+            "SELECT id, user_id, uploader_name, preview_path, thumbnail_path,
+                    mime_type, caption, like_count, comment_count, created_at
+             FROM v_feed
+             WHERE event_id = $1
+               AND ($2::timestamptz IS NULL OR created_at < $2)
+             ORDER BY created_at DESC
+             LIMIT $3",
+        )
+        .bind(auth.event_id)
+        .bind(
+            if let Some(cursor) = q.cursor {
+                get_cursor_time(&state.pool, cursor).await
+            } else {
+                None
+            },
+        )
+        .bind(limit + 1)
+        .fetch_all(&state.pool)
+        .await?
+    };
+
+    let has_more = rows.len() as i64 > limit;
+    let rows: Vec<FeedRow> = rows.into_iter().take(limit as usize).collect();
+    let next_cursor = if has_more { rows.last().map(|r| r.id) } else { None };
+
+    // Batch check which uploads the current user has liked
+    let upload_ids: Vec<Uuid> = rows.iter().map(|r| r.id).collect();
+    let liked_set = get_liked_set(&state.pool, auth.user_id, &upload_ids).await;
+
+    let uploads = rows
+        .into_iter()
+        .map(|r| {
+            let preview_url = r.preview_path.map(|p| format!("/media/{p}"));
+            let thumbnail_url = r.thumbnail_path.map(|p| format!("/media/{p}"));
+            FeedUpload {
+                liked_by_me: liked_set.contains(&r.id),
+                id: r.id,
+                user_id: r.user_id,
+                uploader_name: r.uploader_name,
+                preview_url,
+                thumbnail_url,
+                mime_type: r.mime_type,
+                caption: r.caption,
+                like_count: r.like_count,
+                comment_count: r.comment_count,
+                created_at: r.created_at,
+            }
+        })
+        .collect();
+
+    Ok(Json(FeedResponse {
+        uploads,
+        next_cursor,
+    }))
+}
+
+#[derive(Deserialize)]
+pub struct DeltaQuery {
+    pub since: DateTime<Utc>,
+}
+
+#[derive(Serialize)]
+pub struct DeltaResponse {
+    pub uploads: Vec<FeedUpload>,
+    pub deleted_ids: Vec<Uuid>,
+}
+
+pub async fn feed_delta(
+    State(state): State<AppState>,
+    auth: AuthUser,
+    Query(q): Query<DeltaQuery>,
+) -> Result<Json<DeltaResponse>, AppError> {
+    let rows = sqlx::query_as::<_, FeedRow>(
+        "SELECT id, user_id, uploader_name, preview_path, thumbnail_path,
+                mime_type, caption, like_count, comment_count, created_at
+         FROM v_feed
+         WHERE event_id = $1 AND created_at > $2
+         ORDER BY created_at DESC",
+    )
+    .bind(auth.event_id)
+    .bind(q.since)
+    .fetch_all(&state.pool)
+    .await?;
+
+    let deleted_ids: Vec<(Uuid,)> = sqlx::query_as(
+        "SELECT id FROM upload
+         WHERE event_id = $1 AND deleted_at IS NOT NULL AND deleted_at > $2",
+    )
+    .bind(auth.event_id)
+    .bind(q.since)
+    .fetch_all(&state.pool)
+    .await?;
+
+    let upload_ids: Vec<Uuid> = rows.iter().map(|r| r.id).collect();
+    let liked_set = get_liked_set(&state.pool, auth.user_id, &upload_ids).await;
+
+    let uploads = rows
+        .into_iter()
+        .map(|r| FeedUpload {
+            liked_by_me: liked_set.contains(&r.id),
+            id: r.id,
+            user_id: r.user_id,
+            uploader_name: r.uploader_name,
+            preview_url: r.preview_path.map(|p| format!("/media/{p}")),
+            thumbnail_url: r.thumbnail_path.map(|p| format!("/media/{p}")),
+            mime_type: r.mime_type,
+            caption: r.caption,
+            like_count: r.like_count,
+            comment_count: r.comment_count,
+            created_at: r.created_at,
+        })
+        .collect();
+
+    Ok(Json(DeltaResponse {
+        uploads,
+        deleted_ids: deleted_ids.into_iter().map(|r| r.0).collect(),
+    }))
+}
+
+#[derive(Serialize)]
+pub struct HashtagCount {
+    pub tag: String,
+    pub count: i64,
+}
+
+pub async fn hashtags(
+    State(state): State<AppState>,
+    auth: AuthUser,
+) -> Result<Json<Vec<HashtagCount>>, AppError> {
+    let rows: Vec<(String, i64)> = sqlx::query_as(
+        "SELECT tag, upload_count FROM v_hashtag_counts WHERE event_id = $1",
+    )
+    .bind(auth.event_id)
+    .fetch_all(&state.pool)
+    .await?;
+
+    Ok(Json(
+        rows.into_iter()
+            .map(|(tag, count)| HashtagCount { tag, count })
+            .collect(),
+    ))
+}
+
+async fn get_cursor_time(pool: &sqlx::PgPool, cursor_id: Uuid) -> Option<DateTime<Utc>> {
+    let row: Option<(DateTime<Utc>,)> =
+        sqlx::query_as("SELECT created_at FROM upload WHERE id = $1")
+            .bind(cursor_id)
+            .fetch_optional(pool)
+            .await
+            .ok()?;
+    row.map(|r| r.0)
+}
+
+async fn get_liked_set(
+    pool: &sqlx::PgPool,
+    user_id: Uuid,
+    upload_ids: &[Uuid],
+) -> std::collections::HashSet<Uuid> {
+    if upload_ids.is_empty() {
+        return std::collections::HashSet::new();
+    }
+    let rows: Vec<(Uuid,)> = sqlx::query_as(
+        "SELECT upload_id FROM \"like\" WHERE user_id = $1 AND upload_id = ANY($2)",
+    )
+    .bind(user_id)
+    .bind(upload_ids)
+    .fetch_all(pool)
+    .await
+    .unwrap_or_default();
+
+    rows.into_iter().map(|r| r.0).collect()
+}

backend/src/handlers/host.rs

@@ -0,0 +1,260 @@
+use axum::extract::{Path, State};
+use axum::http::StatusCode;
+use axum::Json;
+use chrono::{DateTime, Utc};
+use serde::{Deserialize, Serialize};
+use uuid::Uuid;
+
+use crate::auth::middleware::RequireHost;
+use crate::error::AppError;
+use crate::models::comment::Comment;
+use crate::models::event::Event;
+use crate::models::upload::Upload;
+use crate::state::AppState;
+
+// ── DTOs ─────────────────────────────────────────────────────────────────────
+
+#[derive(Serialize, sqlx::FromRow)]
+pub struct UserSummary {
+    pub id: Uuid,
+    pub display_name: String,
+    pub role: String,
+    pub is_banned: bool,
+    pub uploads_hidden: bool,
+    pub upload_count: i64,
+    pub total_upload_bytes: i64,
+    pub created_at: DateTime<Utc>,
+}
+
+#[derive(Serialize)]
+pub struct EventStatus {
+    pub name: String,
+    pub is_active: bool,
+    pub uploads_locked: bool,
+    pub export_released: bool,
+}
+
+#[derive(Deserialize)]
+pub struct BanRequest {
+    pub hide_uploads: bool,
+}
+
+#[derive(Deserialize)]
+pub struct SetRoleRequest {
+    pub role: String,
+}
+
+// ── Handlers ─────────────────────────────────────────────────────────────────
+
+pub async fn get_event_status(
+    State(state): State<AppState>,
+    RequireHost(_auth): RequireHost,
+) -> Result<Json<EventStatus>, AppError> {
+    let event = Event::find_by_slug(&state.pool, &state.config.event_slug)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Event nicht gefunden.".into()))?;
+
+    Ok(Json(EventStatus {
+        name: event.name,
+        is_active: event.is_active,
+        uploads_locked: event.uploads_locked_at.is_some(),
+        export_released: event.export_released_at.is_some(),
+    }))
+}
+
+pub async fn list_users(
+    State(state): State<AppState>,
+    RequireHost(auth): RequireHost,
+) -> Result<Json<Vec<UserSummary>>, AppError> {
+    let rows = sqlx::query_as::<_, UserSummary>(
+        "SELECT u.id,
+                u.display_name,
+                u.role::text AS role,
+                u.is_banned,
+                u.uploads_hidden,
+                COALESCE(COUNT(up.id), 0) AS upload_count,
+                u.total_upload_bytes,
+                u.created_at
+         FROM \"user\" u
+         LEFT JOIN upload up ON up.user_id = u.id AND up.deleted_at IS NULL
+         WHERE u.event_id = $1
+         GROUP BY u.id
+         ORDER BY u.created_at ASC",
+    )
+    .bind(auth.event_id)
+    .fetch_all(&state.pool)
+    .await?;
+
+    Ok(Json(rows))
+}
+
+pub async fn ban_user(
+    State(state): State<AppState>,
+    RequireHost(auth): RequireHost,
+    Path(user_id): Path<Uuid>,
+    Json(body): Json<BanRequest>,
+) -> Result<StatusCode, AppError> {
+    // Cannot ban yourself or another host/admin
+    if user_id == auth.user_id {
+        return Err(AppError::BadRequest("Du kannst dich nicht selbst sperren.".into()));
+    }
+    let target = sqlx::query_as::<_, (String,)>(
+        "SELECT role::text FROM \"user\" WHERE id = $1 AND event_id = $2",
+    )
+    .bind(user_id)
+    .bind(auth.event_id)
+    .fetch_optional(&state.pool)
+    .await?
+    .ok_or_else(|| AppError::NotFound("Benutzer nicht gefunden.".into()))?;
+
+    if target.0 == "admin" || (target.0 == "host" && auth.role != crate::models::user::UserRole::Admin) {
+        return Err(AppError::Forbidden("Du kannst diesen Benutzer nicht sperren.".into()));
+    }
+
+    sqlx::query(
+        "UPDATE \"user\" SET is_banned = TRUE, uploads_hidden = $2 WHERE id = $1",
+    )
+    .bind(user_id)
+    .bind(body.hide_uploads)
+    .execute(&state.pool)
+    .await?;
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn unban_user(
+    State(state): State<AppState>,
+    RequireHost(_auth): RequireHost,
+    Path(user_id): Path<Uuid>,
+) -> Result<StatusCode, AppError> {
+    sqlx::query("UPDATE \"user\" SET is_banned = FALSE WHERE id = $1")
+        .bind(user_id)
+        .execute(&state.pool)
+        .await?;
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn set_role(
+    State(state): State<AppState>,
+    RequireHost(auth): RequireHost,
+    Path(user_id): Path<Uuid>,
+    Json(body): Json<SetRoleRequest>,
+) -> Result<StatusCode, AppError> {
+    if user_id == auth.user_id {
+        return Err(AppError::BadRequest("Du kannst deine eigene Rolle nicht ändern.".into()));
+    }
+    let new_role = match body.role.as_str() {
+        "guest" => "guest",
+        "host" => "host",
+        _ => return Err(AppError::BadRequest("Ungültige Rolle. Erlaubt: guest, host.".into())),
+    };
+    sqlx::query("UPDATE \"user\" SET role = $2::user_role WHERE id = $1 AND event_id = $3")
+        .bind(user_id)
+        .bind(new_role)
+        .bind(auth.event_id)
+        .execute(&state.pool)
+        .await?;
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn host_delete_upload(
+    State(state): State<AppState>,
+    RequireHost(_auth): RequireHost,
+    Path(upload_id): Path<Uuid>,
+) -> Result<StatusCode, AppError> {
+    let upload = Upload::find_by_id(&state.pool, upload_id)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Upload nicht gefunden.".into()))?;
+
+    Upload::soft_delete(&state.pool, upload_id).await?;
+
+    let _ = state.sse_tx.send(crate::state::SseEvent {
+        event_type: "upload-deleted".to_string(),
+        data: serde_json::json!({ "upload_id": upload.id }).to_string(),
+    });
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn host_delete_comment(
+    State(state): State<AppState>,
+    RequireHost(_auth): RequireHost,
+    Path(comment_id): Path<Uuid>,
+) -> Result<StatusCode, AppError> {
+    Comment::find_by_id(&state.pool, comment_id)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Kommentar nicht gefunden.".into()))?;
+
+    Comment::soft_delete(&state.pool, comment_id).await?;
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn close_event(
+    State(state): State<AppState>,
+    RequireHost(_auth): RequireHost,
+) -> Result<StatusCode, AppError> {
+    sqlx::query(
+        "UPDATE event SET uploads_locked_at = NOW() WHERE slug = $1 AND uploads_locked_at IS NULL",
+    )
+    .bind(&state.config.event_slug)
+    .execute(&state.pool)
+    .await?;
+
+    let _ = state.sse_tx.send(crate::state::SseEvent {
+        event_type: "event-closed".to_string(),
+        data: "{}".to_string(),
+    });
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn open_event(
+    State(state): State<AppState>,
+    RequireHost(_auth): RequireHost,
+) -> Result<StatusCode, AppError> {
+    sqlx::query(
+        "UPDATE event SET uploads_locked_at = NULL WHERE slug = $1",
+    )
+    .bind(&state.config.event_slug)
+    .execute(&state.pool)
+    .await?;
+
+    let _ = state.sse_tx.send(crate::state::SseEvent {
+        event_type: "event-opened".to_string(),
+        data: "{}".to_string(),
+    });
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn release_gallery(
+    State(state): State<AppState>,
+    RequireHost(_auth): RequireHost,
+) -> Result<StatusCode, AppError> {
+    let event = Event::find_by_slug(&state.pool, &state.config.event_slug)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Event nicht gefunden.".into()))?;
+
+    if event.export_released_at.is_some() {
+        return Err(AppError::BadRequest("Galerie wurde bereits freigegeben.".into()));
+    }
+
+    sqlx::query("UPDATE event SET export_released_at = NOW() WHERE slug = $1")
+        .bind(&state.config.event_slug)
+        .execute(&state.pool)
+        .await?;
+
+    // Enqueue export jobs (processed by the export worker in a later step)
+    for export_type in ["zip", "html"] {
+        sqlx::query(
+            "INSERT INTO export_job (event_id, type) VALUES ($1, $2::export_type)
+             ON CONFLICT (event_id, type) DO NOTHING",
+        )
+        .bind(event.id)
+        .bind(export_type)
+        .execute(&state.pool)
+        .await?;
+    }
+
+    Ok(StatusCode::NO_CONTENT)
+}

backend/src/handlers/mod.rs

@@ -1,2 +1,5 @@
+pub mod feed;
+pub mod host;
+pub mod social;
 pub mod sse;
 pub mod upload;

backend/src/handlers/social.rs

@@ -0,0 +1,136 @@
+use axum::extract::{Path, State};
+use axum::http::StatusCode;
+use axum::Json;
+use serde::Deserialize;
+use uuid::Uuid;
+
+use crate::auth::middleware::AuthUser;
+use crate::error::AppError;
+use crate::models::comment::{Comment, CommentDto};
+use crate::models::hashtag::{self, Hashtag};
+use crate::state::AppState;
+
+pub async fn toggle_like(
+    State(state): State<AppState>,
+    auth: AuthUser,
+    Path(upload_id): Path<Uuid>,
+) -> Result<StatusCode, AppError> {
+    // Check if user is banned
+    let user = crate::models::user::User::find_by_id(&state.pool, auth.user_id)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Benutzer nicht gefunden.".into()))?;
+    if user.is_banned {
+        return Err(AppError::Forbidden("Du bist gesperrt.".into()));
+    }
+
+    // Try to insert; if conflict, delete (toggle)
+    let result = sqlx::query(
+        "INSERT INTO \"like\" (upload_id, user_id) VALUES ($1, $2)
+         ON CONFLICT (upload_id, user_id) DO NOTHING",
+    )
+    .bind(upload_id)
+    .bind(auth.user_id)
+    .execute(&state.pool)
+    .await?;
+
+    if result.rows_affected() == 0 {
+        // Already liked — remove
+        sqlx::query("DELETE FROM \"like\" WHERE upload_id = $1 AND user_id = $2")
+            .bind(upload_id)
+            .bind(auth.user_id)
+            .execute(&state.pool)
+            .await?;
+    }
+
+    // Broadcast SSE
+    let _ = state.sse_tx.send(crate::state::SseEvent {
+        event_type: "like-update".to_string(),
+        data: serde_json::json!({ "upload_id": upload_id }).to_string(),
+    });
+
+    Ok(StatusCode::NO_CONTENT)
+}
+
+pub async fn list_comments(
+    State(state): State<AppState>,
+    _auth: AuthUser,
+    Path(upload_id): Path<Uuid>,
+) -> Result<Json<Vec<CommentDto>>, AppError> {
+    let comments = Comment::list_for_upload(&state.pool, upload_id).await?;
+    Ok(Json(comments))
+}
+
+#[derive(Deserialize)]
+pub struct AddCommentRequest {
+    pub body: String,
+}
+
+pub async fn add_comment(
+    State(state): State<AppState>,
+    auth: AuthUser,
+    Path(upload_id): Path<Uuid>,
+    Json(body): Json<AddCommentRequest>,
+) -> Result<(StatusCode, Json<CommentDto>), AppError> {
+    let user = crate::models::user::User::find_by_id(&state.pool, auth.user_id)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Benutzer nicht gefunden.".into()))?;
+    if user.is_banned {
+        return Err(AppError::Forbidden("Du bist gesperrt.".into()));
+    }
+
+    let text = body.body.trim();
+    if text.is_empty() || text.len() > 500 {
+        return Err(AppError::BadRequest(
+            "Kommentar muss zwischen 1 und 500 Zeichen lang sein.".into(),
+        ));
+    }
+
+    let comment = Comment::create(&state.pool, upload_id, auth.user_id, text).await?;
+
+    // Process hashtags in comment body
+    let tags = hashtag::extract_hashtags(text);
+    for tag in &tags {
+        let h = Hashtag::upsert(&state.pool, auth.event_id, tag).await?;
+        sqlx::query(
+            "INSERT INTO comment_hashtag (comment_id, hashtag_id) VALUES ($1, $2) ON CONFLICT DO NOTHING",
+        )
+        .bind(comment.id)
+        .bind(h.id)
+        .execute(&state.pool)
+        .await?;
+    }
+
+    // Broadcast SSE
+    let _ = state.sse_tx.send(crate::state::SseEvent {
+        event_type: "new-comment".to_string(),
+        data: serde_json::json!({ "upload_id": upload_id }).to_string(),
+    });
+
+    let dto = CommentDto {
+        id: comment.id,
+        upload_id,
+        user_id: auth.user_id,
+        uploader_name: user.display_name,
+        body: comment.body,
+        created_at: comment.created_at,
+    };
+
+    Ok((StatusCode::CREATED, Json(dto)))
+}
+
+pub async fn delete_comment(
+    State(state): State<AppState>,
+    auth: AuthUser,
+    Path(comment_id): Path<Uuid>,
+) -> Result<StatusCode, AppError> {
+    let comment = Comment::find_by_id(&state.pool, comment_id)
+        .await?
+        .ok_or_else(|| AppError::NotFound("Kommentar nicht gefunden.".into()))?;
+
+    if comment.user_id != auth.user_id {
+        return Err(AppError::Forbidden("Nur eigene Kommentare löschen.".into()));
+    }
+
+    Comment::soft_delete(&state.pool, comment_id).await?;
+    Ok(StatusCode::NO_CONTENT)
+}

backend/src/handlers/sse.rs

@@ -1,28 +1,45 @@
 use std::convert::Infallible;
 use std::time::Duration;
 
-use axum::extract::State;
+use axum::extract::{Query, State};
 use axum::response::sse::{Event, KeepAlive, Sse};
 use futures::stream::Stream;
+use serde::Deserialize;
 use tokio_stream::wrappers::BroadcastStream;
 use tokio_stream::StreamExt;
 
-use crate::auth::middleware::AuthUser;
+use crate::auth::jwt;
 use crate::error::AppError;
+use crate::models::session::Session;
 use crate::state::AppState;
 
+#[derive(Deserialize)]
+pub struct SseQuery {
+    pub token: String,
+}
+
+/// SSE stream endpoint. Accepts JWT via query param since EventSource
+/// doesn't support custom headers.
 pub async fn stream(
     State(state): State<AppState>,
-    _auth: AuthUser,
+    Query(q): Query<SseQuery>,
 ) -> Result<Sse<impl Stream<Item = Result<Event, Infallible>>>, AppError> {
+    // Verify token
+    let _claims = jwt::verify_token(&q.token, &state.config.jwt_secret)
+        .map_err(|_| AppError::Unauthorized("Token ungültig.".into()))?;
+
+    let token_hash = jwt::hash_token(&q.token);
+    Session::find_by_token_hash(&state.pool, &token_hash)
+        .await
+        .map_err(|e| AppError::Internal(e.into()))?
+        .ok_or_else(|| AppError::Unauthorized("Sitzung nicht gefunden.".into()))?;
+
     let rx = state.sse_tx.subscribe();
-    let stream = BroadcastStream::new(rx).filter_map(|msg| {
+    let stream = BroadcastStream::new(rx).filter_map(|msg| match msg {
-        match msg {
         Ok(sse_event) => Some(Ok(Event::default()
             .event(sse_event.event_type)
             .data(sse_event.data))),
-            Err(_) => None, // Lagged — skip missed events
+        Err(_) => None,
-        }
     });
 
     Ok(Sse::new(stream).keep_alive(

backend/src/main.rs

@@ -1,6 +1,7 @@
 use anyhow::Result;
 use axum::routing::{delete, get, patch, post};
 use axum::Router;
+use tower_http::services::ServeDir;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
 
 mod auth;
@@ -45,12 +46,38 @@ async fn main() -> Result<()> {
             "/api/v1/upload/{id}",
             patch(handlers::upload::edit_upload).delete(handlers::upload::delete_upload),
         )
+        // Feed
+        .route("/api/v1/feed", get(handlers::feed::feed))
+        .route("/api/v1/feed/delta", get(handlers::feed::feed_delta))
+        .route("/api/v1/hashtags", get(handlers::feed::hashtags))
+        // Social
+        .route("/api/v1/upload/{id}/like", post(handlers::social::toggle_like))
+        .route(
+            "/api/v1/upload/{id}/comments",
+            get(handlers::social::list_comments).post(handlers::social::add_comment),
+        )
+        .route("/api/v1/comment/{id}", delete(handlers::social::delete_comment))
         // SSE
-        .route("/api/v1/stream", get(handlers::sse::stream));
+        .route("/api/v1/stream", get(handlers::sse::stream))
+        // Host Dashboard
+        .route("/api/v1/host/event", get(handlers::host::get_event_status))
+        .route("/api/v1/host/event/close", post(handlers::host::close_event))
+        .route("/api/v1/host/event/open", post(handlers::host::open_event))
+        .route("/api/v1/host/gallery/release", post(handlers::host::release_gallery))
+        .route("/api/v1/host/users", get(handlers::host::list_users))
+        .route("/api/v1/host/users/{id}/ban", post(handlers::host::ban_user))
+        .route("/api/v1/host/users/{id}/unban", post(handlers::host::unban_user))
+        .route("/api/v1/host/users/{id}/role", patch(handlers::host::set_role))
+        .route("/api/v1/host/upload/{id}", delete(handlers::host::host_delete_upload))
+        .route("/api/v1/host/comment/{id}", delete(handlers::host::host_delete_comment));
+
+    // Serve media files from disk
+    let media_service = ServeDir::new(&config.media_path);
 
     let router = Router::new()
         .route("/health", get(|| async { "ok" }))
         .merge(api)
+        .nest_service("/media", media_service)
         .with_state(state);
 
     let listener = tokio::net::TcpListener::bind(("0.0.0.0", config.app_port)).await?;

backend/src/models/comment.rs

@@ -0,0 +1,72 @@
+use chrono::{DateTime, Utc};
+use serde::Serialize;
+use sqlx::PgPool;
+use uuid::Uuid;
+
+#[derive(Debug, sqlx::FromRow)]
+pub struct Comment {
+    pub id: Uuid,
+    pub upload_id: Uuid,
+    pub user_id: Uuid,
+    pub body: String,
+    pub created_at: DateTime<Utc>,
+    pub deleted_at: Option<DateTime<Utc>>,
+}
+
+#[derive(Debug, Serialize, sqlx::FromRow)]
+pub struct CommentDto {
+    pub id: Uuid,
+    pub upload_id: Uuid,
+    pub user_id: Uuid,
+    pub uploader_name: String,
+    pub body: String,
+    pub created_at: DateTime<Utc>,
+}
+
+impl Comment {
+    pub async fn create(
+        pool: &PgPool,
+        upload_id: Uuid,
+        user_id: Uuid,
+        body: &str,
+    ) -> Result<Self, sqlx::Error> {
+        sqlx::query_as::<_, Self>(
+            "INSERT INTO comment (upload_id, user_id, body) VALUES ($1, $2, $3) RETURNING *",
+        )
+        .bind(upload_id)
+        .bind(user_id)
+        .bind(body)
+        .fetch_one(pool)
+        .await
+    }
+
+    pub async fn list_for_upload(pool: &PgPool, upload_id: Uuid) -> Result<Vec<CommentDto>, sqlx::Error> {
+        sqlx::query_as::<_, CommentDto>(
+            "SELECT c.id, c.upload_id, c.user_id, u.display_name AS uploader_name, c.body, c.created_at
+             FROM comment c
+             JOIN \"user\" u ON u.id = c.user_id
+             WHERE c.upload_id = $1 AND c.deleted_at IS NULL
+             ORDER BY c.created_at ASC",
+        )
+        .bind(upload_id)
+        .fetch_all(pool)
+        .await
+    }
+
+    pub async fn find_by_id(pool: &PgPool, id: Uuid) -> Result<Option<Self>, sqlx::Error> {
+        sqlx::query_as::<_, Self>(
+            "SELECT * FROM comment WHERE id = $1 AND deleted_at IS NULL",
+        )
+        .bind(id)
+        .fetch_optional(pool)
+        .await
+    }
+
+    pub async fn soft_delete(pool: &PgPool, id: Uuid) -> Result<(), sqlx::Error> {
+        sqlx::query("UPDATE comment SET deleted_at = NOW() WHERE id = $1")
+            .bind(id)
+            .execute(pool)
+            .await?;
+        Ok(())
+    }
+}

backend/src/models/mod.rs

@@ -1,3 +1,4 @@
+pub mod comment;
 pub mod event;
 pub mod hashtag;
 pub mod session;

frontend/src/lib/auth.ts

@@ -38,6 +38,17 @@ export function clearAuth(): void {
 	isAuthenticated.set(false);
 }
 
+export function getRole(): 'guest' | 'host' | 'admin' | null {
+	const token = getToken();
+	if (!token) return null;
+	try {
+		const payload = JSON.parse(atob(token.split('.')[1]));
+		return payload.role ?? null;
+	} catch {
+		return null;
+	}
+}
+
 export function initAuth(): void {
 	if (!browser) return;
 	isAuthenticated.set(!!getToken());

frontend/src/lib/components/CameraCapture.svelte

@@ -0,0 +1,238 @@
+<script lang="ts">
+	import { onMount, onDestroy } from 'svelte';
+
+	interface Props {
+		oncapture: (blob: Blob, type: 'photo' | 'video') => void;
+		onclose: () => void;
+	}
+
+	let { oncapture, onclose }: Props = $props();
+
+	let videoEl: HTMLVideoElement = $state()!;
+	let canvasEl: HTMLCanvasElement = $state()!;
+	let stream: MediaStream | null = $state(null);
+	let facingMode = $state<'environment' | 'user'>('environment');
+	let recording = $state(false);
+	let recordingTime = $state(0);
+	let error = $state<string | null>(null);
+	let mediaRecorder: MediaRecorder | null = null;
+	let recordedChunks: Blob[] = [];
+	let recordingInterval: ReturnType<typeof setInterval> | null = null;
+
+	onMount(() => {
+		startCamera();
+	});
+
+	onDestroy(() => {
+		stopCamera();
+		if (recordingInterval) clearInterval(recordingInterval);
+	});
+
+	async function startCamera() {
+		error = null;
+		stopCamera();
+
+		try {
+			stream = await navigator.mediaDevices.getUserMedia({
+				video: { facingMode, width: { ideal: 1920 }, height: { ideal: 1080 } },
+				audio: true
+			});
+			if (videoEl) {
+				videoEl.srcObject = stream;
+			}
+		} catch (err) {
+			if (err instanceof DOMException && err.name === 'NotAllowedError') {
+				error = 'Kamerazugriff wurde verweigert. Bitte erlaube den Zugriff in den Browsereinstellungen.';
+			} else if (err instanceof DOMException && err.name === 'NotFoundError') {
+				error = 'Keine Kamera gefunden.';
+			} else {
+				error = 'Kamera konnte nicht gestartet werden.';
+			}
+		}
+	}
+
+	function stopCamera() {
+		if (stream) {
+			for (const track of stream.getTracks()) {
+				track.stop();
+			}
+			stream = null;
+		}
+	}
+
+	async function toggleCamera() {
+		facingMode = facingMode === 'environment' ? 'user' : 'environment';
+		await startCamera();
+	}
+
+	function capturePhoto() {
+		if (!videoEl || !canvasEl) return;
+		const ctx = canvasEl.getContext('2d');
+		if (!ctx) return;
+
+		canvasEl.width = videoEl.videoWidth;
+		canvasEl.height = videoEl.videoHeight;
+		ctx.drawImage(videoEl, 0, 0);
+
+		canvasEl.toBlob(
+			(blob) => {
+				if (blob) oncapture(blob, 'photo');
+			},
+			'image/jpeg',
+			0.92
+		);
+	}
+
+	function startRecording() {
+		if (!stream) return;
+
+		recordedChunks = [];
+		recordingTime = 0;
+
+		const mimeType = MediaRecorder.isTypeSupported('video/webm;codecs=vp9')
+			? 'video/webm;codecs=vp9'
+			: MediaRecorder.isTypeSupported('video/webm')
+				? 'video/webm'
+				: 'video/mp4';
+
+		mediaRecorder = new MediaRecorder(stream, { mimeType });
+
+		mediaRecorder.ondataavailable = (e) => {
+			if (e.data.size > 0) recordedChunks.push(e.data);
+		};
+
+		mediaRecorder.onstop = () => {
+			const blob = new Blob(recordedChunks, { type: mediaRecorder?.mimeType ?? mimeType });
+			oncapture(blob, 'video');
+			recordedChunks = [];
+		};
+
+		mediaRecorder.start(1000);
+		recording = true;
+
+		recordingInterval = setInterval(() => {
+			recordingTime += 1;
+		}, 1000);
+	}
+
+	function stopRecording() {
+		if (mediaRecorder && mediaRecorder.state !== 'inactive') {
+			mediaRecorder.stop();
+		}
+		recording = false;
+		if (recordingInterval) {
+			clearInterval(recordingInterval);
+			recordingInterval = null;
+		}
+	}
+
+	function formatRecordingTime(seconds: number): string {
+		const m = Math.floor(seconds / 60);
+		const s = seconds % 60;
+		return `${m}:${String(s).padStart(2, '0')}`;
+	}
+</script>
+
+<div class="fixed inset-0 z-50 flex flex-col bg-black">
+	<!-- Camera preview -->
+	<div class="relative flex-1 overflow-hidden">
+		{#if error}
+			<div class="flex h-full items-center justify-center p-8">
+				<div class="rounded-lg bg-gray-900 p-6 text-center">
+					<svg class="mx-auto mb-3 h-12 w-12 text-red-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+						<path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M15 10l-4 4m0-4l4 4m6-4a9 9 0 11-18 0 9 9 0 0118 0z" />
+					</svg>
+					<p class="text-sm text-white">{error}</p>
+					<button
+						onclick={onclose}
+						class="mt-4 rounded-lg bg-white/20 px-4 py-2 text-sm text-white"
+					>
+						Schliessen
+					</button>
+				</div>
+			</div>
+		{:else}
+			<!-- svelte-ignore a11y_media_has_caption -->
+			<video
+				bind:this={videoEl}
+				autoplay
+				playsinline
+				muted
+				class="h-full w-full object-cover {facingMode === 'user' ? 'scale-x-[-1]' : ''}"
+			></video>
+
+			{#if recording}
+				<div class="absolute left-4 top-4 flex items-center gap-2 rounded-full bg-red-600 px-3 py-1">
+					<div class="h-2 w-2 animate-pulse rounded-full bg-white"></div>
+					<span class="text-sm font-medium text-white">{formatRecordingTime(recordingTime)}</span>
+				</div>
+			{/if}
+		{/if}
+	</div>
+
+	<!-- Controls -->
+	{#if !error}
+		<div class="flex items-center justify-center gap-8 bg-black/80 px-4 py-6">
+			<!-- Close -->
+			<button
+				onclick={onclose}
+				class="flex h-12 w-12 items-center justify-center rounded-full bg-white/20 text-white"
+				aria-label="Schliessen"
+			>
+				<svg class="h-6 w-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+					<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
+				</svg>
+			</button>
+
+			<!-- Capture photo / record video -->
+			{#if recording}
+				<button
+					onclick={stopRecording}
+					class="flex h-16 w-16 items-center justify-center rounded-full border-4 border-white bg-red-600"
+					aria-label="Aufnahme stoppen"
+				>
+					<div class="h-6 w-6 rounded-sm bg-white"></div>
+				</button>
+			{:else}
+				<button
+					onclick={capturePhoto}
+					class="flex h-16 w-16 items-center justify-center rounded-full border-4 border-white bg-white/20 transition active:bg-white/40"
+					aria-label="Foto aufnehmen"
+				>
+					<div class="h-12 w-12 rounded-full bg-white"></div>
+				</button>
+			{/if}
+
+			<!-- Toggle camera / start recording -->
+			{#if recording}
+				<div class="h-12 w-12"></div>
+			{:else}
+				<button
+					onclick={toggleCamera}
+					class="flex h-12 w-12 items-center justify-center rounded-full bg-white/20 text-white"
+					aria-label="Kamera wechseln"
+				>
+					<svg class="h-6 w-6" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+						<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4 4v5h.582m15.356 2A8.001 8.001 0 004.582 9m0 0H9m11 11v-5h-.581m0 0a8.003 8.003 0 01-15.357-2m15.357 2H15" />
+					</svg>
+				</button>
+			{/if}
+		</div>
+
+		<!-- Video record button -->
+		{#if !recording}
+			<div class="flex justify-center bg-black/80 pb-4">
+				<button
+					onclick={startRecording}
+					class="flex items-center gap-2 rounded-full bg-red-600/80 px-4 py-2 text-sm text-white transition hover:bg-red-600"
+				>
+					<div class="h-2.5 w-2.5 rounded-full bg-white"></div>
+					Video aufnehmen
+				</button>
+			</div>
+		{/if}
+	{/if}
+</div>
+
+<!-- Hidden canvas for photo capture -->
+<canvas bind:this={canvasEl} class="hidden"></canvas>

frontend/src/lib/components/FeedGrid.svelte

@@ -0,0 +1,80 @@
+<script lang="ts">
+	import type { FeedUpload } from '$lib/types';
+
+	interface Props {
+		uploads: FeedUpload[];
+		onlike: (id: string) => void;
+		oncomment: (id: string) => void;
+		onselect: (upload: FeedUpload) => void;
+	}
+
+	let { uploads, onlike, oncomment, onselect }: Props = $props();
+
+	function isVideo(mime: string): boolean {
+		return mime.startsWith('video/');
+	}
+
+	function imageUrl(upload: FeedUpload): string {
+		if (upload.thumbnail_url) return upload.thumbnail_url;
+		if (upload.preview_url) return upload.preview_url;
+		return '';
+	}
+</script>
+
+<div class="grid grid-cols-2 gap-2 sm:grid-cols-3">
+	{#each uploads as upload (upload.id)}
+		<div class="group relative aspect-square cursor-pointer overflow-hidden rounded-lg bg-gray-100">
+			<button
+				onclick={() => onselect(upload)}
+				class="block h-full w-full"
+				aria-label="Upload anzeigen"
+			>
+				{#if isVideo(upload.mime_type)}
+					<div class="flex h-full items-center justify-center bg-gray-800">
+						{#if imageUrl(upload)}
+							<img src={imageUrl(upload)} alt="" class="h-full w-full object-cover" />
+						{/if}
+						<div class="absolute inset-0 flex items-center justify-center">
+							<svg class="h-10 w-10 text-white/80" fill="currentColor" viewBox="0 0 24 24">
+								<path d="M8 5v14l11-7z" />
+							</svg>
+						</div>
+					</div>
+				{:else if imageUrl(upload)}
+					<img src={imageUrl(upload)} alt="" class="h-full w-full object-cover" loading="lazy" />
+				{:else}
+					<div class="flex h-full items-center justify-center text-gray-400">
+						<svg class="h-8 w-8" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+							<path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M4 16l4.586-4.586a2 2 0 012.828 0L16 16m-2-2l1.586-1.586a2 2 0 012.828 0L20 14m-6-6h.01M6 20h12a2 2 0 002-2V6a2 2 0 00-2-2H6a2 2 0 00-2 2v12a2 2 0 002 2z" />
+						</svg>
+					</div>
+				{/if}
+			</button>
+
+			<!-- Overlay with name and stats -->
+			<div class="pointer-events-none absolute inset-x-0 bottom-0 bg-gradient-to-t from-black/60 to-transparent p-2">
+				<p class="truncate text-xs font-medium text-white">{upload.uploader_name}</p>
+				<div class="mt-0.5 flex items-center gap-3 text-xs text-white/80">
+					<button
+						class="pointer-events-auto flex items-center gap-0.5"
+						onclick={(e) => { e.stopPropagation(); onlike(upload.id); }}
+					>
+						<svg class="h-3.5 w-3.5 {upload.liked_by_me ? 'fill-red-400 text-red-400' : ''}" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+							<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4.318 6.318a4.5 4.5 0 000 6.364L12 20.364l7.682-7.682a4.5 4.5 0 00-6.364-6.364L12 7.636l-1.318-1.318a4.5 4.5 0 00-6.364 0z" />
+						</svg>
+						{upload.like_count}
+					</button>
+					<button
+						class="pointer-events-auto flex items-center gap-0.5"
+						onclick={(e) => { e.stopPropagation(); oncomment(upload.id); }}
+					>
+						<svg class="h-3.5 w-3.5" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+							<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M8 12h.01M12 12h.01M16 12h.01M21 12c0 4.418-4.03 8-9 8a9.863 9.863 0 01-4.255-.949L3 20l1.395-3.72C3.512 15.042 3 13.574 3 12c0-4.418 4.03-8 9-8s9 3.582 9 8z" />
+						</svg>
+						{upload.comment_count}
+					</button>
+				</div>
+			</div>
+		</div>
+	{/each}
+</div>

frontend/src/lib/components/HashtagChips.svelte

@@ -0,0 +1,42 @@
+<script lang="ts">
+	interface HashtagCount {
+		tag: string;
+		count: number;
+	}
+
+	interface Props {
+		hashtags: HashtagCount[];
+		selected: string | null;
+		onselect: (tag: string | null) => void;
+	}
+
+	let { hashtags, selected, onselect }: Props = $props();
+</script>
+
+{#if hashtags.length > 0}
+	<div class="flex gap-2 overflow-x-auto pb-2">
+		<button
+			onclick={() => onselect(null)}
+			class="shrink-0 rounded-full px-3 py-1 text-sm font-medium transition {
+				selected === null
+					? 'bg-blue-600 text-white'
+					: 'bg-gray-200 text-gray-700 hover:bg-gray-300'
+			}"
+		>
+			Alle
+		</button>
+		{#each hashtags as h (h.tag)}
+			<button
+				onclick={() => onselect(h.tag)}
+				class="shrink-0 rounded-full px-3 py-1 text-sm font-medium transition {
+					selected === h.tag
+						? 'bg-blue-600 text-white'
+						: 'bg-gray-200 text-gray-700 hover:bg-gray-300'
+				}"
+			>
+				#{h.tag}
+				<span class="ml-1 text-xs opacity-70">{h.count}</span>
+			</button>
+		{/each}
+	</div>
+{/if}

frontend/src/lib/components/LightboxModal.svelte

@@ -0,0 +1,186 @@
+<script lang="ts">
+	import type { FeedUpload } from '$lib/types';
+	import { api, ApiError } from '$lib/api';
+	import { getUserId } from '$lib/auth';
+
+	interface CommentDto {
+		id: string;
+		upload_id: string;
+		user_id: string;
+		uploader_name: string;
+		body: string;
+		created_at: string;
+	}
+
+	interface Props {
+		upload: FeedUpload;
+		onclose: () => void;
+		onlike: (id: string) => void;
+	}
+
+	let { upload, onclose, onlike }: Props = $props();
+
+	let comments = $state<CommentDto[]>([]);
+	let newComment = $state('');
+	let loading = $state(false);
+	let userId = getUserId();
+
+	$effect(() => {
+		loadComments();
+	});
+
+	async function loadComments() {
+		try {
+			comments = await api.get<CommentDto[]>(`/upload/${upload.id}/comments`);
+		} catch {
+			// Ignore
+		}
+	}
+
+	async function submitComment() {
+		if (!newComment.trim()) return;
+		loading = true;
+		try {
+			const comment = await api.post<CommentDto>(`/upload/${upload.id}/comment`, {
+				body: newComment.trim()
+			});
+			comments = [...comments, comment];
+			newComment = '';
+		} catch {
+			// Ignore
+		} finally {
+			loading = false;
+		}
+	}
+
+	async function deleteComment(id: string) {
+		try {
+			await api.delete(`/comment/${id}`);
+			comments = comments.filter((c) => c.id !== id);
+		} catch {
+			// Ignore
+		}
+	}
+
+	function isVideo(mime: string): boolean {
+		return mime.startsWith('video/');
+	}
+
+	function handleKeydown(e: KeyboardEvent) {
+		if (e.key === 'Escape') onclose();
+	}
+
+	function formatTime(iso: string): string {
+		return new Date(iso).toLocaleString('de-DE', {
+			day: '2-digit', month: '2-digit', hour: '2-digit', minute: '2-digit'
+		});
+	}
+</script>
+
+<svelte:window onkeydown={handleKeydown} />
+
+<div class="fixed inset-0 z-50 flex items-center justify-center bg-black/80 p-4" role="dialog">
+	<div class="flex max-h-[90vh] w-full max-w-2xl flex-col overflow-hidden rounded-xl bg-white">
+		<!-- Media -->
+		<div class="relative bg-black">
+			<button onclick={onclose} class="absolute right-2 top-2 z-10 rounded-full bg-black/50 p-1.5 text-white hover:bg-black/70">
+				<svg class="h-5 w-5" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+					<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
+				</svg>
+			</button>
+			{#if isVideo(upload.mime_type)}
+				<video
+					src={upload.preview_url ?? ''}
+					controls
+					class="max-h-[50vh] w-full object-contain"
+					poster={upload.thumbnail_url ?? undefined}
+				></video>
+			{:else}
+				<img
+					src={upload.preview_url ?? ''}
+					alt=""
+					class="max-h-[50vh] w-full object-contain"
+				/>
+			{/if}
+		</div>
+
+		<!-- Info + Comments -->
+		<div class="flex flex-1 flex-col overflow-hidden">
+			<div class="border-b border-gray-100 p-3">
+				<div class="flex items-center justify-between">
+					<div>
+						<span class="font-medium text-gray-900">{upload.uploader_name}</span>
+						<span class="ml-2 text-xs text-gray-400">{formatTime(upload.created_at)}</span>
+					</div>
+					<button
+						onclick={() => onlike(upload.id)}
+						class="flex items-center gap-1 rounded-full px-2.5 py-1 text-sm transition {
+							upload.liked_by_me
+								? 'bg-red-50 text-red-600'
+								: 'bg-gray-100 text-gray-600 hover:bg-gray-200'
+						}"
+					>
+						<svg class="h-4 w-4 {upload.liked_by_me ? 'fill-current' : ''}" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+							<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M4.318 6.318a4.5 4.5 0 000 6.364L12 20.364l7.682-7.682a4.5 4.5 0 00-6.364-6.364L12 7.636l-1.318-1.318a4.5 4.5 0 00-6.364 0z" />
+						</svg>
+						{upload.like_count}
+					</button>
+				</div>
+				{#if upload.caption}
+					<p class="mt-1 text-sm text-gray-700">{upload.caption}</p>
+				{/if}
+			</div>
+
+			<!-- Comments list -->
+			<div class="flex-1 overflow-y-auto p-3">
+				{#if comments.length === 0}
+					<p class="text-center text-sm text-gray-400">Noch keine Kommentare.</p>
+				{:else}
+					<div class="space-y-3">
+						{#each comments as comment (comment.id)}
+							<div class="flex items-start gap-2">
+								<div class="flex-1">
+									<span class="text-sm font-medium text-gray-900">{comment.uploader_name}</span>
+									<span class="ml-1 text-sm text-gray-700">{comment.body}</span>
+									<div class="mt-0.5 text-xs text-gray-400">{formatTime(comment.created_at)}</div>
+								</div>
+								{#if comment.user_id === userId}
+									<button
+										onclick={() => deleteComment(comment.id)}
+										class="shrink-0 text-gray-400 hover:text-red-500"
+										aria-label="Löschen"
+									>
+										<svg class="h-3.5 w-3.5" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+											<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2" d="M6 18L18 6M6 6l12 12" />
+										</svg>
+									</button>
+								{/if}
+							</div>
+						{/each}
+					</div>
+				{/if}
+			</div>
+
+			<!-- Comment input -->
+			<form
+				onsubmit={(e) => { e.preventDefault(); submitComment(); }}
+				class="flex gap-2 border-t border-gray-100 p-3"
+			>
+				<input
+					type="text"
+					bind:value={newComment}
+					placeholder="Kommentar schreiben..."
+					maxlength={500}
+					class="flex-1 rounded-lg border border-gray-300 px-3 py-2 text-sm focus:border-blue-500 focus:outline-none"
+				/>
+				<button
+					type="submit"
+					disabled={loading || !newComment.trim()}
+					class="rounded-lg bg-blue-600 px-3 py-2 text-sm font-medium text-white transition hover:bg-blue-700 disabled:opacity-50"
+				>
+					Senden
+				</button>
+			</form>
+		</div>
+	</div>
+</div>

frontend/src/lib/sse.ts

@@ -0,0 +1,86 @@
+import { getToken } from './auth';
+
+type EventHandler = (data: string) => void;
+
+let eventSource: EventSource | null = null;
+let lastEventTime: string | null = null;
+const handlers: Map<string, EventHandler[]> = new Map();
+
+export function onSseEvent(eventType: string, handler: EventHandler): () => void {
+	if (!handlers.has(eventType)) {
+		handlers.set(eventType, []);
+	}
+	handlers.get(eventType)!.push(handler);
+
+	// Return unsubscribe function
+	return () => {
+		const list = handlers.get(eventType);
+		if (list) {
+			const idx = list.indexOf(handler);
+			if (idx >= 0) list.splice(idx, 1);
+		}
+	};
+}
+
+export function connectSse(): void {
+	const token = getToken();
+	if (!token || eventSource) return;
+
+	// EventSource doesn't support custom headers, so pass token as query param
+	// The backend will need to accept this — or we use a polyfill / fetch-based SSE
+	// For simplicity, use native EventSource with token in URL
+	eventSource = new EventSource(`/api/v1/stream?token=${encodeURIComponent(token)}`);
+
+	eventSource.onopen = () => {
+		lastEventTime = new Date().toISOString();
+	};
+
+	eventSource.addEventListener('new-upload', (e) => dispatch('new-upload', e.data));
+	eventSource.addEventListener('upload-processed', (e) => dispatch('upload-processed', e.data));
+	eventSource.addEventListener('like-update', (e) => dispatch('like-update', e.data));
+	eventSource.addEventListener('new-comment', (e) => dispatch('new-comment', e.data));
+	eventSource.addEventListener('export-available', (e) => dispatch('export-available', e.data));
+
+	eventSource.onerror = () => {
+		// EventSource auto-reconnects, but we track the time for delta-fetch
+		disconnectSse();
+		// Reconnect after a short delay
+		setTimeout(connectSse, 3000);
+	};
+}
+
+export function disconnectSse(): void {
+	if (eventSource) {
+		eventSource.close();
+		eventSource = null;
+	}
+}
+
+export function getLastEventTime(): string | null {
+	return lastEventTime;
+}
+
+export function setLastEventTime(time: string): void {
+	lastEventTime = time;
+}
+
+function dispatch(eventType: string, data: string): void {
+	lastEventTime = new Date().toISOString();
+	const list = handlers.get(eventType);
+	if (list) {
+		for (const handler of list) {
+			handler(data);
+		}
+	}
+}
+
+// Page Visibility API integration
+if (typeof document !== 'undefined') {
+	document.addEventListener('visibilitychange', () => {
+		if (document.hidden) {
+			disconnectSse();
+		} else {
+			connectSse();
+		}
+	});
+}

frontend/src/lib/types.ts

@@ -0,0 +1,23 @@
+export interface FeedUpload {
+	id: string;
+	user_id: string;
+	uploader_name: string;
+	preview_url: string | null;
+	thumbnail_url: string | null;
+	mime_type: string;
+	caption: string | null;
+	like_count: number;
+	comment_count: number;
+	liked_by_me: boolean;
+	created_at: string;
+}
+
+export interface FeedResponse {
+	uploads: FeedUpload[];
+	next_cursor: string | null;
+}
+
+export interface HashtagCount {
+	tag: string;
+	count: number;
+}

frontend/src/routes/feed/+page.svelte

@@ -2,36 +2,225 @@
 	import { goto } from '$app/navigation';
 	import { getToken, clearAuth } from '$lib/auth';
 	import { api } from '$lib/api';
-	import { onMount } from 'svelte';
+	import { connectSse, disconnectSse, onSseEvent } from '$lib/sse';
+	import { onMount, onDestroy } from 'svelte';
+	import FeedGrid from '$lib/components/FeedGrid.svelte';
+	import HashtagChips from '$lib/components/HashtagChips.svelte';
+	import LightboxModal from '$lib/components/LightboxModal.svelte';
+	import type { FeedUpload, FeedResponse, HashtagCount } from '$lib/types';
 
-	onMount(() => {
+	let uploads = $state<FeedUpload[]>([]);
+	let hashtags = $state<HashtagCount[]>([]);
+	let selectedHashtag = $state<string | null>(null);
+	let nextCursor = $state<string | null>(null);
+	let loadingMore = $state(false);
+	let selectedUpload = $state<FeedUpload | null>(null);
+	let sentinel: HTMLDivElement;
+
+	let unsubscribers: (() => void)[] = [];
+
+	onMount(async () => {
 		if (!getToken()) {
 			goto('/join');
+			return;
+		}
+
+		await Promise.all([loadFeed(), loadHashtags()]);
+		connectSse();
+
+		unsubscribers.push(
+			onSseEvent('new-upload', (data) => {
+				try {
+					const upload: FeedUpload = JSON.parse(data);
+					uploads = [upload, ...uploads];
+				} catch { /* ignore */ }
+			}),
+			onSseEvent('upload-processed', () => {
+				// Reload feed to get updated preview URLs
+				loadFeed(true);
+			}),
+			onSseEvent('like-update', () => {
+				loadFeed(true);
+			}),
+			onSseEvent('new-comment', () => {
+				loadFeed(true);
+			})
+		);
+
+		// Infinite scroll via IntersectionObserver
+		if (sentinel) {
+			const observer = new IntersectionObserver(
+				(entries) => {
+					if (entries[0].isIntersecting && nextCursor && !loadingMore) {
+						loadMore();
+					}
+				},
+				{ rootMargin: '200px' }
+			);
+			observer.observe(sentinel);
 		}
 	});
 
-	async function handleLogout() {
+	onDestroy(() => {
+		disconnectSse();
+		for (const unsub of unsubscribers) unsub();
+	});
+
+	async function loadFeed(refresh = false) {
 		try {
-			await api.delete('/session');
+			const params = new URLSearchParams();
-		} catch {
+			if (!refresh && nextCursor) params.set('cursor', nextCursor);
-			// Ignore errors — clear local state regardless
+			if (selectedHashtag) params.set('hashtag', selectedHashtag);
+			params.set('limit', '20');
+
+			const res = await api.get<FeedResponse>(`/feed?${params}`);
+
+			if (refresh) {
+				uploads = res.uploads;
+			} else {
+				uploads = res.uploads;
 			}
+			nextCursor = res.next_cursor;
+		} catch {
+			// Ignore
+		}
+	}
+
+	async function loadMore() {
+		if (!nextCursor || loadingMore) return;
+		loadingMore = true;
+		try {
+			const params = new URLSearchParams();
+			params.set('cursor', nextCursor);
+			if (selectedHashtag) params.set('hashtag', selectedHashtag);
+			params.set('limit', '20');
+
+			const res = await api.get<FeedResponse>(`/feed?${params}`);
+			uploads = [...uploads, ...res.uploads];
+			nextCursor = res.next_cursor;
+		} catch {
+			// Ignore
+		} finally {
+			loadingMore = false;
+		}
+	}
+
+	async function loadHashtags() {
+		try {
+			hashtags = await api.get<HashtagCount[]>('/hashtags');
+		} catch {
+			// Ignore
+		}
+	}
+
+	function selectHashtag(tag: string | null) {
+		selectedHashtag = tag;
+		nextCursor = null;
+		loadFeed();
+	}
+
+	async function handleLike(id: string) {
+		try {
+			await api.post(`/upload/${id}/like`);
+			// Toggle locally for instant feedback
+			uploads = uploads.map((u) =>
+				u.id === id
+					? {
+							...u,
+							liked_by_me: !u.liked_by_me,
+							like_count: u.liked_by_me ? u.like_count - 1 : u.like_count + 1
+						}
+					: u
+			);
+			// Also update lightbox if open
+			if (selectedUpload?.id === id) {
+				selectedUpload = {
+					...selectedUpload,
+					liked_by_me: !selectedUpload.liked_by_me,
+					like_count: selectedUpload.liked_by_me
+						? selectedUpload.like_count - 1
+						: selectedUpload.like_count + 1
+				};
+			}
+		} catch {
+			// Ignore
+		}
+	}
+
+	function openComments(id: string) {
+		const u = uploads.find((u) => u.id === id);
+		if (u) selectedUpload = u;
+	}
+
+	async function handleLogout() {
+		try { await api.delete('/session'); } catch { /* ignore */ }
 		clearAuth();
 		goto('/join');
 	}
 </script>
 
-<div class="min-h-screen bg-gray-50 p-4">
+<div class="min-h-screen bg-gray-50">
-	<div class="mx-auto max-w-2xl">
+	<!-- Header -->
-		<div class="mb-6 flex items-center justify-between">
+	<div class="sticky top-0 z-40 border-b border-gray-200 bg-white/95 backdrop-blur">
-			<h1 class="text-xl font-bold text-gray-900">Galerie</h1>
+		<div class="mx-auto flex max-w-2xl items-center justify-between px-4 py-3">
+			<h1 class="text-lg font-bold text-gray-900">Galerie</h1>
+			<div class="flex items-center gap-3">
+				<a
+					href="/upload"
+					class="rounded-lg bg-blue-600 px-3 py-1.5 text-sm font-medium text-white transition hover:bg-blue-700"
+				>
+					Hochladen
+				</a>
 				<button
 					onclick={handleLogout}
-				class="rounded-md bg-gray-200 px-3 py-1 text-sm text-gray-700 hover:bg-gray-300"
+					class="text-sm text-gray-500 hover:text-gray-700"
 				>
 					Abmelden
 				</button>
 			</div>
-		<p class="text-gray-600">Die Galerie wird bald hier angezeigt.</p>
+		</div>
+
+		<!-- Hashtag filter chips -->
+		<div class="mx-auto max-w-2xl px-4 pb-2">
+			<HashtagChips {hashtags} selected={selectedHashtag} onselect={selectHashtag} />
+		</div>
+	</div>
+
+	<!-- Feed grid -->
+	<div class="mx-auto max-w-2xl p-4">
+		{#if uploads.length === 0}
+			<div class="py-16 text-center">
+				<p class="text-lg text-gray-400">Noch keine Fotos.</p>
+				<p class="mt-1 text-sm text-gray-400">Sei der Erste und lade etwas hoch!</p>
+				<a href="/upload" class="mt-4 inline-block rounded-lg bg-blue-600 px-4 py-2 text-sm font-medium text-white">
+					Jetzt hochladen
+				</a>
+			</div>
+		{:else}
+			<FeedGrid
+				{uploads}
+				onlike={handleLike}
+				oncomment={openComments}
+				onselect={(u) => (selectedUpload = u)}
+			/>
+		{/if}
+
+		<!-- Infinite scroll sentinel -->
+		<div bind:this={sentinel} class="h-4"></div>
+
+		{#if loadingMore}
+			<div class="py-4 text-center">
+				<div class="inline-block h-6 w-6 animate-spin rounded-full border-2 border-gray-300 border-t-blue-600"></div>
+			</div>
+		{/if}
 	</div>
 </div>
+
+<!-- Lightbox -->
+{#if selectedUpload}
+	<LightboxModal
+		upload={selectedUpload}
+		onclose={() => (selectedUpload = null)}
+		onlike={handleLike}
+	/>
+{/if}

frontend/src/routes/host/+page.svelte

@@ -0,0 +1,318 @@
+<script lang="ts">
+	import { goto } from '$app/navigation';
+	import { getToken, getRole } from '$lib/auth';
+	import { api } from '$lib/api';
+	import { onMount } from 'svelte';
+
+	interface UserSummary {
+		id: string;
+		display_name: string;
+		role: string;
+		is_banned: boolean;
+		uploads_hidden: boolean;
+		upload_count: number;
+		total_upload_bytes: number;
+		created_at: string;
+	}
+
+	interface EventStatus {
+		name: string;
+		is_active: boolean;
+		uploads_locked: boolean;
+		export_released: boolean;
+	}
+
+	let event = $state<EventStatus | null>(null);
+	let users = $state<UserSummary[]>([]);
+	let loading = $state(true);
+	let error = $state<string | null>(null);
+
+	// Ban modal state
+	let banTarget = $state<UserSummary | null>(null);
+	let banHideUploads = $state(false);
+	let banSubmitting = $state(false);
+
+	// Toast state
+	let toast = $state<string | null>(null);
+
+	onMount(async () => {
+		const token = getToken();
+		const role = getRole();
+		if (!token || (role !== 'host' && role !== 'admin')) {
+			goto('/join');
+			return;
+		}
+		await reload();
+	});
+
+	async function reload() {
+		loading = true;
+		error = null;
+		try {
+			[event, users] = await Promise.all([
+				api.get<EventStatus>('/host/event'),
+				api.get<UserSummary[]>('/host/users')
+			]);
+		} catch (e: unknown) {
+			error = e instanceof Error ? e.message : 'Fehler beim Laden.';
+		} finally {
+			loading = false;
+		}
+	}
+
+	function showToast(msg: string) {
+		toast = msg;
+		setTimeout(() => (toast = null), 3000);
+	}
+
+	async function toggleEventLock() {
+		if (!event) return;
+		try {
+			if (event.uploads_locked) {
+				await api.post('/host/event/open');
+				showToast('Uploads wurden wieder geöffnet.');
+			} else {
+				await api.post('/host/event/close');
+				showToast('Uploads wurden gesperrt.');
+			}
+			await reload();
+		} catch (e: unknown) {
+			showToast(e instanceof Error ? e.message : 'Fehler.');
+		}
+	}
+
+	async function releaseGallery() {
+		try {
+			await api.post('/host/gallery/release');
+			showToast('Galerie wurde freigegeben. Export wird vorbereitet…');
+			await reload();
+		} catch (e: unknown) {
+			showToast(e instanceof Error ? e.message : 'Fehler.');
+		}
+	}
+
+	function openBanModal(user: UserSummary) {
+		banTarget = user;
+		banHideUploads = false;
+	}
+
+	async function confirmBan() {
+		if (!banTarget) return;
+		banSubmitting = true;
+		try {
+			await api.post(`/host/users/${banTarget.id}/ban`, { hide_uploads: banHideUploads });
+			showToast(`${banTarget.display_name} wurde gesperrt.`);
+			banTarget = null;
+			await reload();
+		} catch (e: unknown) {
+			showToast(e instanceof Error ? e.message : 'Fehler.');
+		} finally {
+			banSubmitting = false;
+		}
+	}
+
+	async function unban(user: UserSummary) {
+		try {
+			await api.post(`/host/users/${user.id}/unban`);
+			showToast(`Sperre für ${user.display_name} aufgehoben.`);
+			await reload();
+		} catch (e: unknown) {
+			showToast(e instanceof Error ? e.message : 'Fehler.');
+		}
+	}
+
+	async function promoteToHost(user: UserSummary) {
+		try {
+			await api.patch(`/host/users/${user.id}/role`, { role: 'host' });
+			showToast(`${user.display_name} ist jetzt Host.`);
+			await reload();
+		} catch (e: unknown) {
+			showToast(e instanceof Error ? e.message : 'Fehler.');
+		}
+	}
+
+	async function demoteToGuest(user: UserSummary) {
+		try {
+			await api.patch(`/host/users/${user.id}/role`, { role: 'guest' });
+			showToast(`${user.display_name} ist jetzt Gast.`);
+			await reload();
+		} catch (e: unknown) {
+			showToast(e instanceof Error ? e.message : 'Fehler.');
+		}
+	}
+
+	function formatBytes(bytes: number): string {
+		if (bytes < 1024) return `${bytes} B`;
+		if (bytes < 1024 * 1024) return `${(bytes / 1024).toFixed(1)} KB`;
+		return `${(bytes / (1024 * 1024)).toFixed(1)} MB`;
+	}
+
+	const myRole = getRole();
+</script>
+
+<!-- Ban modal -->
+{#if banTarget}
+	<div class="fixed inset-0 z-50 flex items-center justify-center bg-black/50 p-4">
+		<div class="w-full max-w-sm rounded-2xl bg-white p-6 shadow-xl">
+			<h2 class="mb-1 text-lg font-bold text-gray-900">Benutzer sperren</h2>
+			<p class="mb-4 text-sm text-gray-600">
+				Was soll mit den Uploads von <strong>{banTarget.display_name}</strong> passieren?
+			</p>
+			<label class="mb-4 flex cursor-pointer items-center gap-3 rounded-lg border border-gray-200 p-3">
+				<input
+					type="checkbox"
+					bind:checked={banHideUploads}
+					class="h-4 w-4 rounded border-gray-300 text-red-600 focus:ring-red-500"
+				/>
+				<span class="text-sm text-gray-700">Uploads aus der Galerie ausblenden</span>
+			</label>
+			<div class="flex gap-2">
+				<button
+					onclick={() => (banTarget = null)}
+					class="flex-1 rounded-lg border border-gray-300 py-2 text-sm text-gray-700 hover:bg-gray-50"
+				>
+					Abbrechen
+				</button>
+				<button
+					onclick={confirmBan}
+					disabled={banSubmitting}
+					class="flex-1 rounded-lg bg-red-600 py-2 text-sm font-medium text-white hover:bg-red-700 disabled:opacity-50"
+				>
+					{banSubmitting ? 'Wird gesperrt…' : 'Sperren'}
+				</button>
+			</div>
+		</div>
+	</div>
+{/if}
+
+<!-- Toast -->
+{#if toast}
+	<div class="fixed bottom-6 left-1/2 z-50 -translate-x-1/2 rounded-full bg-gray-900 px-5 py-2.5 text-sm text-white shadow-lg">
+		{toast}
+	</div>
+{/if}
+
+<div class="min-h-screen bg-gray-50">
+	<!-- Header -->
+	<div class="border-b border-gray-200 bg-white">
+		<div class="mx-auto flex max-w-3xl items-center justify-between px-4 py-4">
+			<div>
+				<h1 class="text-xl font-bold text-gray-900">Host Dashboard</h1>
+				{#if event}
+					<p class="text-sm text-gray-500">{event.name}</p>
+				{/if}
+			</div>
+			<a href="/feed" class="text-sm text-blue-600 hover:underline">Zur Galerie</a>
+		</div>
+	</div>
+
+	<div class="mx-auto max-w-3xl space-y-4 p-4">
+		{#if loading}
+			<div class="py-16 text-center text-gray-400">Laden…</div>
+		{:else if error}
+			<div class="rounded-lg bg-red-50 p-4 text-sm text-red-700">{error}</div>
+		{:else if event}
+			<!-- Event controls -->
+			<div class="rounded-xl border border-gray-200 bg-white p-5">
+				<h2 class="mb-4 font-semibold text-gray-900">Veranstaltung</h2>
+				<div class="flex flex-wrap gap-3">
+					<button
+						onclick={toggleEventLock}
+						class="rounded-lg px-4 py-2 text-sm font-medium {event.uploads_locked
+							? 'bg-green-600 text-white hover:bg-green-700'
+							: 'bg-amber-500 text-white hover:bg-amber-600'}"
+					>
+						{event.uploads_locked ? 'Uploads wieder öffnen' : 'Uploads sperren'}
+					</button>
+					<button
+						onclick={releaseGallery}
+						disabled={event.export_released}
+						class="rounded-lg px-4 py-2 text-sm font-medium {event.export_released
+							? 'cursor-default bg-gray-100 text-gray-400'
+							: 'bg-blue-600 text-white hover:bg-blue-700'}"
+					>
+						{event.export_released ? 'Galerie bereits freigegeben' : 'Galerie freigeben'}
+					</button>
+				</div>
+				<div class="mt-3 flex gap-4 text-xs text-gray-500">
+					<span class="flex items-center gap-1">
+						<span class="h-2 w-2 rounded-full {event.uploads_locked ? 'bg-red-500' : 'bg-green-500'}"></span>
+						Uploads {event.uploads_locked ? 'gesperrt' : 'offen'}
+					</span>
+					<span class="flex items-center gap-1">
+						<span class="h-2 w-2 rounded-full {event.export_released ? 'bg-blue-500' : 'bg-gray-300'}"></span>
+						Export {event.export_released ? 'freigegeben' : 'gesperrt'}
+					</span>
+				</div>
+			</div>
+
+			<!-- User management -->
+			<div class="rounded-xl border border-gray-200 bg-white">
+				<div class="border-b border-gray-100 px-5 py-4">
+					<h2 class="font-semibold text-gray-900">Gäste ({users.length})</h2>
+				</div>
+				{#if users.length === 0}
+					<p class="px-5 py-8 text-center text-sm text-gray-400">Noch keine Gäste.</p>
+				{:else}
+					<div class="divide-y divide-gray-100">
+						{#each users as user}
+							<div class="flex items-center gap-3 px-5 py-3">
+								<div class="min-w-0 flex-1">
+									<div class="flex items-center gap-2">
+										<span class="truncate font-medium text-gray-900">{user.display_name}</span>
+										{#if user.role === 'host'}
+											<span class="rounded-full bg-blue-100 px-2 py-0.5 text-xs font-medium text-blue-700">Host</span>
+										{:else if user.role === 'admin'}
+											<span class="rounded-full bg-purple-100 px-2 py-0.5 text-xs font-medium text-purple-700">Admin</span>
+										{/if}
+										{#if user.is_banned}
+											<span class="rounded-full bg-red-100 px-2 py-0.5 text-xs font-medium text-red-700">Gesperrt</span>
+										{/if}
+									</div>
+									<p class="text-xs text-gray-400">
+										{user.upload_count} Upload{user.upload_count !== 1 ? 's' : ''} · {formatBytes(user.total_upload_bytes)}
+									</p>
+								</div>
+								<div class="flex shrink-0 gap-1.5">
+									{#if user.role !== 'admin'}
+										{#if user.is_banned}
+											<button
+												onclick={() => unban(user)}
+												class="rounded-lg bg-gray-100 px-3 py-1.5 text-xs font-medium text-gray-700 hover:bg-gray-200"
+											>
+												Entsperren
+											</button>
+										{:else}
+											{#if user.role === 'guest' && (myRole === 'host' || myRole === 'admin')}
+												<button
+													onclick={() => promoteToHost(user)}
+													class="rounded-lg bg-blue-50 px-3 py-1.5 text-xs font-medium text-blue-700 hover:bg-blue-100"
+												>
+													Host
+												</button>
+											{/if}
+											{#if user.role === 'host' && myRole === 'admin'}
+												<button
+													onclick={() => demoteToGuest(user)}
+													class="rounded-lg bg-gray-100 px-3 py-1.5 text-xs font-medium text-gray-700 hover:bg-gray-200"
+												>
+													Degradieren
+												</button>
+											{/if}
+											<button
+												onclick={() => openBanModal(user)}
+												class="rounded-lg bg-red-50 px-3 py-1.5 text-xs font-medium text-red-700 hover:bg-red-100"
+											>
+												Sperren
+											</button>
+										{/if}
+									{/if}
+								</div>
+							</div>
+						{/each}
+					</div>
+				{/if}
+			</div>
+		{/if}
+	</div>
+</div>

frontend/src/routes/upload/+page.svelte

@@ -3,11 +3,13 @@
 	import { getToken } from '$lib/auth';
 	import { addToQueue, loadQueue } from '$lib/upload-queue';
 	import UploadQueue from '$lib/components/UploadQueue.svelte';
+	import CameraCapture from '$lib/components/CameraCapture.svelte';
 	import { onMount } from 'svelte';
 
 	let caption = $state('');
 	let hashtags = $state('');
 	let fileInput: HTMLInputElement;
+	let showCamera = $state(false);
 
 	onMount(() => {
 		if (!getToken()) {
@@ -30,8 +32,23 @@
 		hashtags = '';
 		if (fileInput) fileInput.value = '';
 	}
+
+	async function handleCapture(blob: Blob, type: 'photo' | 'video') {
+		const ext = type === 'photo' ? 'jpg' : blob.type.includes('mp4') ? 'mp4' : 'webm';
+		const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+		const fileName = `${type}_${timestamp}.${ext}`;
+		const file = new File([blob], fileName, { type: blob.type });
+		await addToQueue(file, caption, hashtags);
+	}
 </script>
 
+{#if showCamera}
+	<CameraCapture
+		oncapture={handleCapture}
+		onclose={() => (showCamera = false)}
+	/>
+{/if}
+
 <div class="min-h-screen bg-gray-50 p-4">
 	<div class="mx-auto max-w-lg">
 		<div class="mb-6 flex items-center justify-between">
@@ -40,14 +57,16 @@
 		</div>
 
 		<div class="rounded-lg border border-gray-200 bg-white p-4">
+			<div class="grid grid-cols-2 gap-3">
+				<!-- File picker -->
 				<label
-				class="flex cursor-pointer flex-col items-center justify-center rounded-lg border-2 border-dashed border-gray-300 bg-gray-50 p-8 transition hover:border-blue-400 hover:bg-blue-50"
+					class="flex cursor-pointer flex-col items-center justify-center rounded-lg border-2 border-dashed border-gray-300 bg-gray-50 p-6 transition hover:border-blue-400 hover:bg-blue-50"
 				>
-				<svg class="mb-2 h-10 w-10 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+					<svg class="mb-2 h-8 w-8 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
 						<path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M12 16V4m0 0l-4 4m4-4l4 4M4 20h16" />
 					</svg>
-				<span class="text-sm font-medium text-gray-600">Fotos oder Videos auswählen</span>
+					<span class="text-center text-sm font-medium text-gray-600">Galerie</span>
-				<span class="mt-1 text-xs text-gray-400">Mehrere Dateien möglich</span>
+					<span class="mt-1 text-center text-xs text-gray-400">Mehrere Dateien</span>
 					<input
 						bind:this={fileInput}
 						type="file"
@@ -58,6 +77,20 @@
 					/>
 				</label>
 
+				<!-- Camera button -->
+				<button
+					onclick={() => (showCamera = true)}
+					class="flex flex-col items-center justify-center rounded-lg border-2 border-dashed border-gray-300 bg-gray-50 p-6 transition hover:border-blue-400 hover:bg-blue-50"
+				>
+					<svg class="mb-2 h-8 w-8 text-gray-400" fill="none" viewBox="0 0 24 24" stroke="currentColor">
+						<path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M3 9a2 2 0 012-2h.93a2 2 0 001.664-.89l.812-1.22A2 2 0 0110.07 4h3.86a2 2 0 011.664.89l.812 1.22A2 2 0 0018.07 7H19a2 2 0 012 2v9a2 2 0 01-2 2H5a2 2 0 01-2-2V9z" />
+						<path stroke-linecap="round" stroke-linejoin="round" stroke-width="1.5" d="M15 13a3 3 0 11-6 0 3 3 0 016 0z" />
+					</svg>
+					<span class="text-sm font-medium text-gray-600">Kamera</span>
+					<span class="mt-1 text-xs text-gray-400">Foto & Video</span>
+				</button>
+			</div>
+
 			<div class="mt-4 space-y-3">
 				<input
 					type="text"