From 2e587941c264dd6ebf89c0f7e00daf0c1807fab8 Mon Sep 17 00:00:00 2001
From: Myron Blair <myronblair@outlook.com>
Date: Fri, 22 May 2026 12:52:50 +0000
Subject: [PATCH] Initial commit

---
 .gitignore                   |    5 +
 .htaccess                    |  117 ++
 .htaccess.bak                |  117 ++
 admin/index.php              | 3191 +++++++++++++++++++++++++++++++++
 admin/login.php              |   54 +
 api/admin.php                |  971 ++++++++++
 api/billing.php              |   91 +
 api/broadcast.php            |   89 +
 api/cashout.php              |  148 ++
 api/cashout_method_types.php |   73 +
 api/chat.php                 |  124 ++
 api/game_aliases.php         |   65 +
 api/login.php                |   37 +
 api/logout.php               |    5 +
 api/me.php                   |   35 +
 api/my_activity.php          |   76 +
 api/my_purchases.php         |   17 +
 api/payment_settings.php     |   44 +
 api/payout_methods.php       |   75 +
 api/payout_process.php       |  153 ++
 api/platform_accounts.php    |   92 +
 api/platforms.php            |   93 +
 api/purchase.php             |  163 ++
 api/referrals.php            |  255 +++
 api/register.php             |   18 +
 api/resend_verify.php        |   16 +
 assets/img/egame99.svg       |   31 +
 assets/img/firekirin.svg     |   30 +
 assets/img/icon-192.png      |  Bin 0 -> 1088 bytes
 assets/img/icon-512.png      |  Bin 0 -> 3856 bytes
 assets/img/logo-icon.svg     |   38 +
 assets/img/milkyway.svg      |   35 +
 assets/img/noble777.svg      |   31 +
 assets/img/og-image.svg      |   46 +
 assets/img/pandamaster.svg   |   27 +
 assets/img/ultrapanda.svg    |   30 +
 assets/img/vblink777.svg     |   27 +
 bump_version.php             |   52 +
 favicon.ico                  |  Bin 0 -> 136 bytes
 favicon.svg                  |    5 +
 fix_broadcast.php            |   28 +
 games/index.php              |  232 +++
 get_location.php             |  108 ++
 index.php                    | 3283 ++++++++++++++++++++++++++++++++++
 install.php                  |  206 +++
 manifest.json                |   43 +
 phpcheck.php                 |   25 +
 ref_test.php                 |   26 +
 referral_setup.php           |   96 +
 robots.txt                   |   23 +
 sitemap.xml                  |   21 +
 test.php                     |    6 +
 test_login.php               |   18 +
 test_mail.php                |   91 +
 verify.php                   |   66 +
 55 files changed, 10748 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 .htaccess
 create mode 100644 .htaccess.bak
 create mode 100644 admin/index.php
 create mode 100644 admin/login.php
 create mode 100644 api/admin.php
 create mode 100644 api/billing.php
 create mode 100644 api/broadcast.php
 create mode 100644 api/cashout.php
 create mode 100644 api/cashout_method_types.php
 create mode 100644 api/chat.php
 create mode 100644 api/game_aliases.php
 create mode 100644 api/login.php
 create mode 100644 api/logout.php
 create mode 100644 api/me.php
 create mode 100644 api/my_activity.php
 create mode 100644 api/my_purchases.php
 create mode 100644 api/payment_settings.php
 create mode 100644 api/payout_methods.php
 create mode 100644 api/payout_process.php
 create mode 100644 api/platform_accounts.php
 create mode 100644 api/platforms.php
 create mode 100644 api/purchase.php
 create mode 100644 api/referrals.php
 create mode 100644 api/register.php
 create mode 100644 api/resend_verify.php
 create mode 100644 assets/img/egame99.svg
 create mode 100644 assets/img/firekirin.svg
 create mode 100644 assets/img/icon-192.png
 create mode 100644 assets/img/icon-512.png
 create mode 100644 assets/img/logo-icon.svg
 create mode 100644 assets/img/milkyway.svg
 create mode 100644 assets/img/noble777.svg
 create mode 100644 assets/img/og-image.svg
 create mode 100644 assets/img/pandamaster.svg
 create mode 100644 assets/img/ultrapanda.svg
 create mode 100644 assets/img/vblink777.svg
 create mode 100644 bump_version.php
 create mode 100644 favicon.ico
 create mode 100644 favicon.svg
 create mode 100644 fix_broadcast.php
 create mode 100644 games/index.php
 create mode 100644 get_location.php
 create mode 100644 index.php
 create mode 100644 install.php
 create mode 100644 manifest.json
 create mode 100644 phpcheck.php
 create mode 100644 ref_test.php
 create mode 100644 referral_setup.php
 create mode 100644 robots.txt
 create mode 100644 sitemap.xml
 create mode 100644 test.php
 create mode 100644 test_login.php
 create mode 100644 test_mail.php
 create mode 100644 verify.php

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c90ad4e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,5 @@
+*.log
+.DS_Store
+*.swp
+
+uploads/
diff --git a/.htaccess b/.htaccess
new file mode 100644
index 0000000..381e984
--- /dev/null
+++ b/.htaccess
@@ -0,0 +1,117 @@
+# ══════════════════════════════════════════════════════════
+#  TomTomGames Security Configuration
+# ══════════════════════════════════════════════════════════
+
+Options -Indexes -Includes
+ServerSignature Off
+
+# ── Block all sensitive file types ───────────────────────
+<FilesMatch "\.(sql|env|log|sh|md|git|bak|backup|old|orig|tmp|swp|cfg|ini|conf|yaml|yml|json.bak)$">
+    Order allow,deny
+    Deny from all
+</FilesMatch>
+
+# ── Block direct access to sensitive PHP files ───────────
+<FilesMatch "^(phpcheck|test|test_mail|test_login|sgtest|install|config|db|auth|mailer|square|smtp)\.php$">
+    Order allow,deny
+    Deny from all
+</FilesMatch>
+
+# ── Block access to includes and vendor folders ──────────
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteRule ^includes/ - [F,L]
+    RewriteRule ^vendor/ - [F,L]
+    RewriteRule ^mail_queue/ - [F,L]
+    RewriteRule ^\.git/ - [F,L]
+</IfModule>
+
+# ── Block common attack vectors ──────────────────────────
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+
+    # Block SQL injection attempts in query strings
+    RewriteCond %{QUERY_STRING} (union|select|insert|drop|delete|update|cast|exec|declare|char|convert|truncate).*= [NC,OR]
+    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
+    RewriteCond %{QUERY_STRING} \.\./\.\. [NC,OR]
+    RewriteCond %{QUERY_STRING} (javascript|vbscript|expression|applet|meta|xml|blink|link|iframe|input|embed|script|object|marquee) [NC]
+    RewriteRule .* - [F,L]
+
+    # Block base64 encoded attacks
+    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
+    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC]
+    RewriteRule .* - [F,L]
+
+    # Block common exploit scanners and bad bots
+    RewriteCond %{HTTP_USER_AGENT} (nikto|sqlmap|havij|nessus|masscan|zgrab|python-requests/2\.6|libwww-perl|wget|curl\/7\.[0-4]) [NC]
+    RewriteRule .* - [F,L]
+</IfModule>
+
+# ── Block access to WordPress paths (scanners look for these) ──
+<IfModule mod_rewrite.c>
+    RewriteRule ^wp-admin - [F,L]
+    RewriteRule ^wp-login - [F,L]
+    RewriteRule ^xmlrpc - [F,L]
+    RewriteRule ^\.env - [F,L]
+    RewriteRule ^composer\. - [F,L]
+</IfModule>
+
+# ── Security Headers ──────────────────────────────────────
+<IfModule mod_headers.c>
+    # Prevent MIME type sniffing
+    Header always set X-Content-Type-Options "nosniff"
+
+    # Prevent clickjacking
+    Header always set X-Frame-Options "DENY"
+
+    # XSS protection
+    Header always set X-XSS-Protection "1; mode=block"
+
+    # Referrer policy
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+
+    # Permissions policy — disable dangerous browser features
+    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=()"
+
+    # Content Security Policy
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://web.squarecdn.com https://sandbox.web.squarecdn.com https://js.squareup.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' data: https://fonts.gstatic.com; img-src 'self' data: blob: https:; connect-src 'self' https: wss:; frame-src 'none'; object-src 'none'"
+
+    # Strict Transport Security — force HTTPS for 1 year
+    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+
+    # Remove server info headers
+    Header unset Server
+    Header unset X-Powered-By
+</IfModule>
+
+# ── Canonical HTTPS + non-www redirect ───────────────────
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteCond %{HTTPS} off
+    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
+    RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
+</IfModule>
+
+# ── Block PHP execution in uploads folder (if it exists) ─
+<IfModule mod_rewrite.c>
+    RewriteRule ^uploads/.*\.php$ - [F,L]
+</IfModule>
+
+# ── Gzip compression ──────────────────────────────────────
+<IfModule mod_deflate.c>
+    AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/json image/svg+xml
+</IfModule>
+
+# ── Browser caching ───────────────────────────────────────
+<IfModule mod_expires.c>
+    ExpiresActive On
+    ExpiresByType text/html              "access plus 1 hour"
+    ExpiresByType text/css               "access plus 1 month"
+    ExpiresByType application/javascript "access plus 1 month"
+    ExpiresByType image/svg+xml          "access plus 1 month"
+    ExpiresByType image/png              "access plus 1 month"
+    ExpiresByType image/jpeg             "access plus 1 month"
+    ExpiresByType image/webp             "access plus 1 month"
+    ExpiresByType application/json       "access plus 1 day"
+</IfModule>
diff --git a/.htaccess.bak b/.htaccess.bak
new file mode 100644
index 0000000..1424f36
--- /dev/null
+++ b/.htaccess.bak
@@ -0,0 +1,117 @@
+# ══════════════════════════════════════════════════════════
+#  TomTomGames Security Configuration
+# ══════════════════════════════════════════════════════════
+
+Options -Indexes -Includes
+ServerSignature Off
+
+# ── Block all sensitive file types ───────────────────────
+<FilesMatch "\.(sql|env|log|sh|md|git|bak|backup|old|orig|tmp|swp|cfg|ini|conf|yaml|yml|json.bak)$">
+    Order allow,deny
+    Deny from all
+</FilesMatch>
+
+# ── Block direct access to sensitive PHP files ───────────
+<FilesMatch "^(phpcheck|test|test_mail|test_login|sgtest|install|config|db|auth|mailer|square|smtp)\.php$">
+    Order allow,deny
+    Deny from all
+</FilesMatch>
+
+# ── Block access to includes and vendor folders ──────────
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteRule ^includes/ - [F,L]
+    RewriteRule ^vendor/ - [F,L]
+    RewriteRule ^mail_queue/ - [F,L]
+    RewriteRule ^\.git/ - [F,L]
+</IfModule>
+
+# ── Block common attack vectors ──────────────────────────
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+
+    # Block SQL injection attempts in query strings
+    RewriteCond %{QUERY_STRING} (union|select|insert|drop|delete|update|cast|exec|declare|char|convert|truncate).*= [NC,OR]
+    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
+    RewriteCond %{QUERY_STRING} \.\./\.\. [NC,OR]
+    RewriteCond %{QUERY_STRING} (javascript|vbscript|expression|applet|meta|xml|blink|link|iframe|input|embed|script|object|marquee) [NC]
+    RewriteRule .* - [F,L]
+
+    # Block base64 encoded attacks
+    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
+    RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC]
+    RewriteRule .* - [F,L]
+
+    # Block common exploit scanners and bad bots
+    RewriteCond %{HTTP_USER_AGENT} (nikto|sqlmap|havij|nessus|masscan|zgrab|python-requests/2\.6|libwww-perl|wget|curl\/7\.[0-4]) [NC]
+    RewriteRule .* - [F,L]
+</IfModule>
+
+# ── Block access to WordPress paths (scanners look for these) ──
+<IfModule mod_rewrite.c>
+    RewriteRule ^wp-admin - [F,L]
+    RewriteRule ^wp-login - [F,L]
+    RewriteRule ^xmlrpc - [F,L]
+    RewriteRule ^\.env - [F,L]
+    RewriteRule ^composer\. - [F,L]
+</IfModule>
+
+# ── Security Headers ──────────────────────────────────────
+<IfModule mod_headers.c>
+    # Prevent MIME type sniffing
+    Header always set X-Content-Type-Options "nosniff"
+
+    # Prevent clickjacking
+    Header always set X-Frame-Options "DENY"
+
+    # XSS protection
+    Header always set X-XSS-Protection "1; mode=block"
+
+    # Referrer policy
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+
+    # Permissions policy — disable dangerous browser features
+    Header always set Permissions-Policy "camera=(), microphone=(), geolocation=(), payment=(), usb=(), magnetometer=(), gyroscope=()"
+
+    # Content Security Policy — restrict where resources can load from
+    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https://web.squarecdn.com https://sandbox.web.squarecdn.com https://js.squareup.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; img-src 'self' data: https:; connect-src 'self' https: wss:; frame-src 'none'"
+
+    # Strict Transport Security — force HTTPS for 1 year
+    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
+
+    # Remove server info headers
+    Header unset Server
+    Header unset X-Powered-By
+</IfModule>
+
+# ── Canonical HTTPS + non-www redirect ───────────────────
+<IfModule mod_rewrite.c>
+    RewriteEngine On
+    RewriteCond %{HTTPS} off
+    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
+    RewriteCond %{HTTP_HOST} ^www\.(.+)$ [NC]
+    RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L]
+</IfModule>
+
+# ── Block PHP execution in uploads folder (if it exists) ─
+<IfModule mod_rewrite.c>
+    RewriteRule ^uploads/.*\.php$ - [F,L]
+</IfModule>
+
+# ── Gzip compression ──────────────────────────────────────
+<IfModule mod_deflate.c>
+    AddOutputFilterByType DEFLATE text/html text/css text/javascript application/javascript application/json image/svg+xml
+</IfModule>
+
+# ── Browser caching ───────────────────────────────────────
+<IfModule mod_expires.c>
+    ExpiresActive On
+    ExpiresByType text/html              "access plus 1 hour"
+    ExpiresByType text/css               "access plus 1 month"
+    ExpiresByType application/javascript "access plus 1 month"
+    ExpiresByType image/svg+xml          "access plus 1 month"
+    ExpiresByType image/png              "access plus 1 month"
+    ExpiresByType image/jpeg             "access plus 1 month"
+    ExpiresByType image/webp             "access plus 1 month"
+    ExpiresByType application/json       "access plus 1 day"
+</IfModule>
diff --git a/admin/index.php b/admin/index.php
new file mode 100644
index 0000000..f651b0e
--- /dev/null
+++ b/admin/index.php
@@ -0,0 +1,3191 @@
+<?php
+ob_start();
+require_once __DIR__ . '/../../includes/auth.php';
+// Redirect to admin login if not logged in or not admin
+if (!isLoggedIn() || empty($_SESSION['is_admin'])) {
+    ob_end_clean();
+    header('Location: /admin/login.php'); exit;
+}
+ob_end_clean();
+?>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+  <link rel="icon" type="image/svg+xml" href="/favicon.svg">
+  <link rel="icon" type="image/x-icon" href="/favicon.ico">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta name="robots" content="noindex, nofollow, noarchive, nosnippet">
+<meta name="googlebot" content="noindex, nofollow">
+<title>TomTomGames Admin</title>
+<link href="https://fonts.googleapis.com/css2?family=Exo+2:wght@400;600;700;900&family=Rajdhani:wght@400;500;600&display=swap" rel="stylesheet">
+<style>
+*,*::before,*::after{box-sizing:border-box;margin:0;padding:0}
+:root{
+  /* ── Typography Scale ── */
+  --fs-xs:11px;--fs-sm:13px;--fs-base:15px;--fs-md:16px;
+  --fs-lg:18px;--fs-xl:20px;--fs-2xl:24px;--lh:1.6;--bg:#0a0a12;--bg2:#10101e;--bg3:#181828;--card:#1a1a2e;--border:rgba(255,255,255,0.08);--gold:#f0c040;--gold2:#ffdc73;--cyan:#00e5ff;--purple:#9b5de5;--green:#00e676;--red:#ff4444;--yellow:#ffd60a;--text:#e8e8f0;--text2:#8888aa;--r:12px;--rs:8px}
+body{background:var(--bg);color:var(--text);font-family:'Rajdhani',sans-serif;font-size:16px;line-height:1.6;min-height:100vh;display:flex}
+aside{width:210px;min-height:100vh;background:var(--bg2);border-right:1px solid var(--border);padding:0;display:flex;flex-direction:column;position:fixed;left:0;top:0;bottom:0}
+.sidebar-head{padding:20px 18px 16px;border-bottom:1px solid var(--border)}
+.sidebar-logo{font-family:'Exo 2',sans-serif;font-weight:900;font-size:15px;display:flex;align-items:center;gap:8px}.sidebar-logo span{background:linear-gradient(135deg,var(--gold),var(--cyan));-webkit-background-clip:text;-webkit-text-fill-color:transparent}
+.sidebar-sub{font-size:12px;color:var(--text2);letter-spacing:1px;margin-top:2px;font-weight:700}
+.nav-section{padding:12px 12px 4px;font-size:12px;font-weight:700;color:var(--text2);letter-spacing:1.5px;text-transform:uppercase}
+.nav-item{display:flex;align-items:center;gap:9px;padding:10px 16px;color:var(--text2);cursor:pointer;transition:all .15s;font-weight:600;font-size:15px;border:none;background:none;width:100%;text-align:left;border-left:3px solid transparent}
+.nav-item:hover{color:var(--text);background:rgba(255,255,255,.03)}
+.nav-item.active{color:var(--gold);border-left-color:var(--gold);background:rgba(240,192,64,.05)}
+.nav-item .badge-count{margin-left:auto;background:var(--red);color:#fff;font-size:12px;font-weight:700;padding:1px 6px;border-radius:10px;min-width:18px;text-align:center}
+.sidebar-footer{margin-top:auto;padding:12px}
+.logout-btn{width:100%;padding:10px;border:1px solid rgba(255,68,68,.3);border-radius:var(--rs);background:rgba(255,68,68,.06);color:var(--red);cursor:pointer;font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px;letter-spacing:.5px}
+
+main{margin-left:210px;flex:1;padding:28px 32px;min-height:100vh}
+.page-title{font-family:'Exo 2',sans-serif;font-weight:900;font-size:26px;margin-bottom:20px;background:linear-gradient(135deg,var(--gold),var(--cyan));-webkit-background-clip:text;-webkit-text-fill-color:transparent}
+.section{display:none}
+.section.active{display:block}
+
+/* STATS */
+.stats-grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(160px,1fr));gap:14px;margin-bottom:28px}
+.stat-card{background:var(--card);border:1px solid var(--border);border-radius:var(--r);padding:18px 16px}
+.stat-label{font-size:12px;font-weight:700;color:var(--text2);letter-spacing:1.5px;text-transform:uppercase;margin-bottom:6px}
+.stat-value{font-family:'Exo 2',sans-serif;font-weight:900;font-size:30px;color:var(--gold);line-height:1}
+.stat-sub{font-size:13px;color:var(--text2);margin-top:4px}
+
+/* CARD */
+.card{background:var(--card);border:1px solid var(--border);border-radius:var(--r);padding:18px;margin-bottom:18px}
+.card-title{font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;margin-bottom:14px;color:var(--text);display:flex;align-items:center;gap:8px}
+
+/* TABLE */
+.tbl-wrap{overflow-x:auto}
+table{width:100%;border-collapse:collapse}
+th{text-align:left;font-size:12px;font-weight:700;color:var(--text2);letter-spacing:1px;text-transform:uppercase;padding:0 10px 10px;border-bottom:1px solid var(--border);white-space:nowrap}
+td{padding:10px;border-bottom:1px solid rgba(255,255,255,.03);font-size:15px;vertical-align:middle}
+tr:last-child td{border-bottom:none}
+tr:hover td{background:rgba(255,255,255,.015)}
+
+/* BADGES */
+.badge{display:inline-block;font-size:12px;font-weight:700;padding:2px 8px;border-radius:20px;letter-spacing:.3px;white-space:nowrap}
+.b-pending  {background:rgba(255,214,10,.15);color:var(--yellow)}
+.b-approved,.b-completed{background:rgba(0,230,118,.15);color:var(--green)}
+.b-rejected,.b-failed   {background:rgba(255,68,68,.15);color:var(--red)}
+.b-active   {background:rgba(0,230,118,.15);color:var(--green)}
+.b-suspended{background:rgba(255,68,68,.15);color:var(--red)}
+.b-card     {background:rgba(0,229,255,.12);color:var(--cyan)}
+.b-venmo    {background:rgba(59,89,200,.2);color:#7b9fff}
+.b-chime    {background:rgba(0,200,100,.12);color:#00e676}
+.b-cashapp  {background:rgba(0,180,50,.12);color:#4caf50}
+.b-zelle    {background:rgba(160,32,240,.15);color:#c77dff}
+
+/* BUTTONS */
+.btn{padding:7px 13px;border:none;border-radius:var(--rs);font-family:'Exo 2',sans-serif;font-weight:700;font-size:13px;letter-spacing:.5px;cursor:pointer;transition:all .15s;text-transform:uppercase;white-space:nowrap}
+.btn:active{transform:scale(.97)}
+.btn-green{background:rgba(0,230,118,.12);color:var(--green);border:1px solid rgba(0,230,118,.3)}
+.btn-green:hover{background:rgba(0,230,118,.22)}
+.btn-red{background:rgba(255,68,68,.12);color:var(--red);border:1px solid rgba(255,68,68,.3)}
+.btn-red:hover{background:rgba(255,68,68,.22)}
+.btn-gold{background:rgba(240,192,64,.12);color:var(--gold);border:1px solid rgba(240,192,64,.3)}
+.btn-gold:hover{background:rgba(240,192,64,.22)}
+.btn-cyan{background:rgba(0,229,255,.1);color:var(--cyan);border:1px solid rgba(0,229,255,.3)}
+
+/* FILTER TABS */
+.filter-bar{display:flex;gap:8px;margin-bottom:14px;flex-wrap:wrap}
+.ftab{padding:6px 14px;border:1px solid var(--border);border-radius:20px;background:none;color:var(--text2);cursor:pointer;font-size:14px;font-weight:600;transition:all .15s}
+.ftab.active{border-color:var(--gold);color:var(--gold);background:rgba(240,192,64,.06)}
+
+/* FORM inline */
+.fi-sm{background:var(--bg3);border:1px solid var(--border);border-radius:var(--rs);padding:7px 10px;color:var(--text);font-family:'Rajdhani',sans-serif;font-size:16px;line-height:1.6;outline:none}
+.fi-sm:focus{border-color:var(--cyan)}
+
+/* SEARCH */
+.search-row{margin-bottom:14px;display:flex;gap:10px;align-items:center}
+.search-row input{background:var(--bg3);border:1px solid var(--border);border-radius:var(--rs);padding:9px 13px;color:var(--text);font-family:'Rajdhani',sans-serif;font-size:16px;line-height:1.6;outline:none;width:260px}
+.search-row input:focus{border-color:var(--cyan)}
+
+/* PURCHASE CARD (milkyswipe style) */
+.purchase-row{background:var(--bg3);border:1px solid var(--border);border-radius:var(--r);padding:14px;margin-bottom:10px}
+.purchase-row.urgent{border-color:rgba(255,214,10,.3);background:rgba(255,214,10,.03)}
+.pr-top{display:flex;align-items:flex-start;justify-content:space-between;gap:10px;margin-bottom:10px}
+.pr-info{}
+.pr-user{font-weight:700;font-size:15px;color:var(--text)}
+.pr-ref{font-size:13px;color:var(--text2);margin-top:1px}
+.pr-amount{text-align:right}
+.pr-tokens{font-family:'Exo 2',sans-serif;font-weight:900;font-size:22px;color:var(--gold);line-height:1}
+.pr-dollars{font-size:14px;color:var(--green);font-weight:700}
+.pr-meta{display:flex;gap:6px;flex-wrap:wrap;margin-bottom:10px;align-items:center}
+.pr-actions{display:flex;gap:8px;align-items:center}
+.pr-note{flex:1}
+.pr-note input{width:100%;background:var(--bg);border:1px solid var(--border);border-radius:var(--rs);padding:7px 10px;color:var(--text);font-family:'Rajdhani',sans-serif;font-size:16px;line-height:1.6;outline:none}
+.pr-note input:focus{border-color:var(--cyan)}
+
+/* TOAST */
+#toast{position:fixed;top:18px;right:18px;padding:11px 18px;border-radius:var(--rs);font-weight:700;font-size:15px;z-index:999;display:none;box-shadow:0 4px 20px rgba(0,0,0,.4)}
+#toast.show{display:block}
+#toast.ok{background:#00e676;color:#000}
+#toast.err{background:#ff4444;color:#fff}
+#toast.info{background:var(--card);color:var(--cyan);border:1px solid rgba(0,229,255,.3)}
+
+.empty{text-align:center;padding:36px;color:var(--text2);font-size:15px}
+
+/* ─── ADMIN SAVED CARD ──────────────────────────────── */
+.admin-saved-card{background:linear-gradient(135deg,#1c1c3a,#2d1b69);border-radius:14px;padding:18px;position:relative;overflow:hidden;border:1px solid rgba(255,255,255,.1)}
+.admin-saved-card::before{content:'';position:absolute;top:-30px;right:-30px;width:110px;height:110px;border-radius:50%;background:rgba(255,255,255,.04)}
+
+/* ─── GAME MANAGEMENT ────────────────────────────────── */
+.game-row{display:flex;align-items:center;gap:14px;padding:14px 18px;border-bottom:1px solid var(--border);transition:background .15s}
+.game-row:last-child{border-bottom:none}
+.game-row:hover{background:rgba(255,255,255,.02)}
+.game-color-dot{width:14px;height:14px;border-radius:50%;flex-shrink:0;box-shadow:0 0 8px currentColor}
+.game-info{flex:1;min-width:0}
+.game-name{font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:var(--text)}
+.game-slug{font-size:13px;color:var(--text2);font-family:monospace;margin-top:1px}
+.game-urls{font-size:13px;color:var(--text2);margin-top:3px;display:flex;flex-direction:column;gap:1px}
+.game-url-row{display:flex;align-items:center;gap:5px;overflow:hidden}
+.game-url-label{font-weight:700;color:var(--cyan);flex-shrink:0;font-size:12px;letter-spacing:.5px}
+.game-url-val{overflow:hidden;text-overflow:ellipsis;white-space:nowrap;color:var(--text2)}
+.game-url-link{color:var(--cyan);text-decoration:none;font-size:12px;flex-shrink:0}
+.game-url-link:hover{text-decoration:underline}
+.game-actions{display:flex;gap:6px;flex-shrink:0}
+.game-edit-btn{padding:6px 12px;border-radius:6px;border:none;cursor:pointer;font-family:'Exo 2',sans-serif;font-weight:700;font-size:13px;transition:all .15s}
+.inactive-overlay{opacity:.5}
+
+/* ─── ADMIN CHAT ─────────────────────────────────── */
+.chat-inbox-row{display:flex;align-items:center;gap:14px;padding:14px 18px;border-bottom:1px solid var(--border);cursor:pointer;transition:background .15s}
+.chat-inbox-row:last-child{border-bottom:none}
+.chat-inbox-row:hover{background:rgba(255,255,255,.03)}
+.chat-inbox-row.unread{background:rgba(240,192,64,.04)}
+.ci-avatar{width:44px;height:44px;border-radius:50%;background:linear-gradient(135deg,var(--purple),var(--cyan));display:flex;align-items:center;justify-content:center;font-family:'Exo 2',sans-serif;font-weight:900;font-size:18px;color:#fff;flex-shrink:0}
+.ci-body{flex:1;min-width:0}
+.ci-top{display:flex;justify-content:space-between;align-items:baseline;gap:8px}
+.ci-name{font-weight:700;font-size:15px;color:var(--text);white-space:nowrap;overflow:hidden;text-overflow:ellipsis}
+.ci-time{font-size:13px;color:var(--text2);white-space:nowrap;flex-shrink:0}
+.ci-preview{font-size:14px;color:var(--text2);white-space:nowrap;overflow:hidden;text-overflow:ellipsis;margin-top:2px}
+.ci-preview.unread-preview{color:var(--text);font-weight:600}
+.ci-badge{background:var(--red);color:#fff;font-size:12px;font-weight:700;min-width:18px;height:18px;border-radius:9px;display:flex;align-items:center;justify-content:center;padding:0 4px;flex-shrink:0}
+.admin-chat-wrap{background:var(--card);border:1px solid var(--border);border-radius:var(--r);overflow:hidden;display:flex;flex-direction:column;height:calc(100vh - 180px)}
+.admin-chat-header{display:flex;align-items:center;gap:12px;padding:14px 18px;background:var(--bg2);border-bottom:1px solid var(--border);flex-shrink:0}
+.admin-chat-avatar{width:40px;height:40px;border-radius:50%;background:linear-gradient(135deg,var(--purple),var(--cyan));display:flex;align-items:center;justify-content:center;font-family:'Exo 2',sans-serif;font-weight:900;font-size:17px;color:#fff;flex-shrink:0}
+.admin-chat-name{font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:var(--text)}
+.admin-chat-meta{font-size:14px;color:var(--text2);margin-top:2px}
+.admin-chat-messages{flex:1;overflow-y:auto;padding:16px;display:flex;flex-direction:column;gap:8px}
+.admin-bubble-wrap{display:flex;flex-direction:column;max-width:75%}
+.admin-bubble-wrap.from-user{align-self:flex-start;align-items:flex-start}
+.admin-bubble-wrap.from-admin{align-self:flex-end;align-items:flex-end}
+.admin-bubble{padding:9px 14px;border-radius:18px;font-size:15px;line-height:1.45;word-break:break-word}
+.admin-bubble.from-user{background:var(--bg3);color:var(--text);border:1px solid var(--border);border-bottom-left-radius:4px}
+.admin-bubble.from-admin{background:linear-gradient(135deg,var(--gold),#d4a017);color:#000;font-weight:500;border-bottom-right-radius:4px}
+.admin-bubble-time{font-size:12px;color:var(--text2);margin-top:3px;padding:0 4px}
+.admin-chat-input-bar{display:flex;gap:8px;padding:12px 14px;border-top:1px solid var(--border);background:var(--bg2);flex-shrink:0}
+.admin-chat-input{flex:1;background:var(--bg3);border:1.5px solid var(--border);border-radius:24px;padding:9px 16px;color:var(--text);font-family:'Rajdhani',sans-serif;font-size:16px;line-height:1.6;outline:none;transition:border-color .15s}
+.admin-chat-input:focus{border-color:var(--cyan)}
+.admin-send-btn{width:38px;height:38px;border-radius:50%;background:linear-gradient(135deg,var(--gold),#d4a017);border:none;cursor:pointer;display:flex;align-items:center;justify-content:center;flex-shrink:0;color:#000}
+.admin-send-btn svg{stroke:#000}
+.admin-date-div{text-align:center;font-size:13px;color:var(--text2);font-weight:700;margin:8px 0;display:flex;align-items:center;gap:8px}
+.admin-date-div::before,.admin-date-div::after{content:'';flex:1;height:1px;background:var(--border)}
+
+/* ─── GAMER MANAGEMENT ───────────────────────────────── */
+.gm-toolbar{display:flex;align-items:center;gap:12px;margin-bottom:20px;flex-wrap:wrap}
+.gm-search-wrap{position:relative;flex:1;min-width:200px}
+.gm-search-icon{position:absolute;left:12px;top:50%;transform:translateY(-50%);width:16px;height:16px;color:var(--text2)}
+.gm-search{width:100%;background:var(--card);border:1px solid var(--border);border-radius:var(--r);padding:10px 14px 10px 36px;color:var(--text);font-family:'Rajdhani',sans-serif;font-size:16px;line-height:1.6;outline:none}
+.gm-search:focus{border-color:var(--cyan)}
+.gm-filters{display:flex;gap:6px;flex-shrink:0}
+.gm-filter{padding:7px 14px;border:1px solid var(--border);border-radius:20px;background:none;color:var(--text2);cursor:pointer;font-size:14px;font-weight:600;transition:all .15s;white-space:nowrap}
+.gm-filter.active{border-color:var(--gold);color:var(--gold);background:rgba(240,192,64,.07)}
+.gm-stats-mini{font-size:14px;color:var(--text2);white-space:nowrap}
+
+.gm-grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(280px,1fr));gap:14px}
+.gm-card{background:var(--card);border:1px solid var(--border);border-radius:var(--r);padding:18px;cursor:pointer;transition:all .18s;position:relative;overflow:hidden}
+.gm-card:hover{border-color:rgba(240,192,64,.3);transform:translateY(-2px);box-shadow:0 6px 24px rgba(0,0,0,.3)}
+.gm-card.suspended{border-color:rgba(255,68,68,.2);background:rgba(255,30,30,.03)}
+.gm-card.unverified{border-color:rgba(255,214,10,.15);background:rgba(255,214,10,.02)}
+.gm-card-top{display:flex;align-items:center;gap:12px;margin-bottom:14px}
+.gm-card-avatar{width:46px;height:46px;border-radius:50%;display:flex;align-items:center;justify-content:center;font-family:'Exo 2',sans-serif;font-weight:900;font-size:20px;color:#fff;flex-shrink:0}
+.gm-card-info{flex:1;min-width:0}
+.gm-card-name{font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:var(--text);white-space:nowrap;overflow:hidden;text-overflow:ellipsis}
+.gm-card-alias{font-size:14px;color:var(--cyan);margin-top:2px}
+.gm-card-badges{display:flex;gap:5px;flex-wrap:wrap;margin-top:2px}
+.gm-card-stats{display:grid;grid-template-columns:1fr 1fr 1fr;gap:8px;margin-bottom:14px}
+.gm-stat{background:var(--bg3);border-radius:8px;padding:8px 10px;text-align:center}
+.gm-stat-val{font-family:'Exo 2',sans-serif;font-weight:700;font-size:16px;color:var(--gold)}
+.gm-stat-lbl{font-size:12px;color:var(--text2);font-weight:600;letter-spacing:.5px;margin-top:1px}
+.gm-card-email{font-size:13px;color:var(--text2);overflow:hidden;text-overflow:ellipsis;white-space:nowrap}
+.gm-card-joined{font-size:12px;color:var(--text2);margin-top:3px}
+.gm-card-hover-cta{position:absolute;bottom:0;left:0;right:0;background:linear-gradient(to top,rgba(240,192,64,.12),transparent);padding:8px 16px;font-size:13px;font-weight:700;color:var(--gold);letter-spacing:.5px;opacity:0;transition:opacity .2s;text-align:center}
+.gm-card:hover .gm-card-hover-cta{opacity:1}
+
+.gm-back-btn{display:flex;align-items:center;gap:7px;background:none;border:1px solid var(--border);border-radius:8px;color:var(--text2);cursor:pointer;font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;padding:8px 14px;margin-bottom:18px;transition:all .15s}
+.gm-back-btn:hover{color:var(--cyan);border-color:var(--cyan)}
+
+.gm-profile-card{background:linear-gradient(135deg,#1a1228,#0d1a2e);border:1px solid rgba(240,192,64,.2);border-radius:var(--r);padding:22px;margin-bottom:18px;display:flex;align-items:center;gap:18px;flex-wrap:wrap}
+.gm-profile-avatar{width:72px;height:72px;border-radius:50%;display:flex;align-items:center;justify-content:center;font-family:'Exo 2',sans-serif;font-weight:900;font-size:30px;color:#fff;flex-shrink:0;border:3px solid var(--gold);box-shadow:0 0 20px rgba(240,192,64,.3)}
+.gm-profile-info{flex:1;min-width:0}
+.gm-profile-name{font-family:'Exo 2',sans-serif;font-weight:900;font-size:22px;color:var(--text)}
+.gm-profile-alias{font-size:15px;color:var(--cyan);margin-top:2px}
+.gm-profile-email{font-size:15px;color:var(--text2);margin-top:4px}
+.gm-profile-right{text-align:right;flex-shrink:0}
+.gm-profile-tokens{font-family:'Exo 2',sans-serif;font-weight:900;font-size:32px;color:var(--gold);line-height:1}
+.gm-profile-tok-lbl{font-size:13px;color:var(--text2);margin-top:2px;letter-spacing:1px;text-transform:uppercase}
+.gm-profile-badges{display:flex;gap:6px;margin-top:8px;justify-content:flex-end}
+
+.gm-tabs{display:flex;gap:0;background:var(--bg3);border-radius:var(--r);padding:4px;margin-bottom:16px;overflow-x:auto;-webkit-overflow-scrolling:touch;scrollbar-width:none}
+.gm-tabs::-webkit-scrollbar{display:none}
+.gm-tab{flex:1;padding:9px 12px;border:none;background:none;color:var(--text2);font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px;letter-spacing:.3px;border-radius:8px;cursor:pointer;transition:all .15s;white-space:nowrap}
+.gm-tab.active{background:linear-gradient(135deg,rgba(240,192,64,.15),rgba(0,229,255,.08));color:var(--gold)}
+
+.gm-tab-panel{display:none}
+.gm-tab-panel.active{display:block;animation:fadeUp .2s ease}
+
+.gm-info-grid{display:grid;grid-template-columns:repeat(auto-fit,minmax(200px,1fr));gap:12px;margin-bottom:16px}
+.gm-info-item{background:var(--card);border:1px solid var(--border);border-radius:var(--r);padding:14px}
+.gm-info-label{font-size:12px;font-weight:700;color:var(--text2);letter-spacing:1.5px;text-transform:uppercase;margin-bottom:5px}
+.gm-info-val{font-size:15px;font-weight:600;color:var(--text)}
+
+.gm-actions-panel{background:var(--card);border:1px solid var(--border);border-radius:var(--r);padding:16px}
+.gm-actions-title{font-size:13px;font-weight:700;color:var(--text2);letter-spacing:1.5px;text-transform:uppercase;margin-bottom:12px}
+.gm-action-btns{display:flex;gap:8px;flex-wrap:wrap}
+
+.gm-token-display{font-family:'Exo 2',sans-serif;font-weight:900;font-size:48px;color:var(--gold);text-align:center;padding:16px 0}
+.gm-edit-label{display:block;font-size:13px;font-weight:700;color:var(--text2);letter-spacing:1px;text-transform:uppercase;margin-bottom:6px}
+.gm-empty{text-align:center;padding:28px;color:var(--text2);font-size:15px}
+
+/* ─── PAYMENT LEDGER ─────────────────────────────────── */
+.pm-summary{display:grid;grid-template-columns:repeat(5,1fr);gap:10px;margin-bottom:16px}
+.pm-sum-item{background:var(--bg3);border:1px solid var(--border);border-radius:var(--rs);padding:10px;text-align:center}
+.pm-sum-val{font-family:'Exo 2',sans-serif;font-weight:900;font-size:18px;line-height:1}
+.pm-sum-lbl{font-size:12px;color:var(--text2);font-weight:700;letter-spacing:.5px;text-transform:uppercase;margin-top:3px}
+
+.pm-card{background:var(--bg3);border:1px solid var(--border);border-radius:var(--r);padding:14px;margin-bottom:10px;transition:border-color .15s}
+.pm-card.pm-completed{border-left:3px solid var(--green)}
+.pm-card.pm-pending{border-left:3px solid var(--yellow)}
+.pm-card.pm-failed{border-left:3px solid var(--red);opacity:.85}
+.pm-card-top{display:flex;justify-content:space-between;align-items:flex-start;margin-bottom:10px}
+.pm-order-id{font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:var(--text)}
+.pm-custom-badge{background:rgba(155,93,229,.2);color:#c77dff;font-size:12px;font-weight:700;padding:1px 7px;border-radius:10px;margin-left:6px;letter-spacing:.3px}
+.pm-date{font-size:13px;color:var(--text2);margin-top:2px}
+.pm-card-right{text-align:right}
+.pm-amount{font-family:'Exo 2',sans-serif;font-weight:900;font-size:22px;color:var(--green);line-height:1}
+.pm-tokens{font-size:14px;color:var(--gold);font-weight:700;margin-top:2px}
+.pm-card-mid{}
+.pm-detail-row{display:flex;align-items:center;gap:6px;flex-wrap:wrap;font-size:14px}
+.pm-lbl{color:var(--text2);font-weight:700}
+.pm-val{color:var(--text)}
+.pm-card-info{font-size:13px;color:var(--text2);background:var(--bg);border-radius:6px;padding:2px 8px}
+.pm-failure{background:rgba(255,68,68,.08);border:1px solid rgba(255,68,68,.2);border-radius:6px;padding:7px 10px;margin-top:8px;font-size:14px;color:var(--red)}
+.pm-admin-note{background:rgba(240,192,64,.05);border:1px solid rgba(240,192,64,.15);border-radius:6px;padding:7px 10px;margin-top:6px;font-size:14px;color:var(--gold2)}
+.pm-receipt-link{font-size:14px;color:var(--cyan);text-decoration:none;font-weight:600}
+.pm-receipt-link:hover{text-decoration:underline}
+.pm-actions{display:flex;gap:8px;align-items:center;margin-top:12px;padding-top:12px;border-top:1px solid var(--border)}
+.btn-sm{padding:6px 12px;font-size:13px}
+
+/* ── Responsive Typography ─────────────────────────────── */
+@media (min-width: 768px) {
+  body { font-size: 17px; }
+  .card { font-size: 16px !important; padding: 20px !important; }
+  .page-title { font-size: 26px !important; }
+  .nav-item { font-size: 15px !important; }
+}
+@media (min-width: 1200px) {
+  body { font-size: 18px; }
+  .card { font-size: 17px !important; }
+  .page-title { font-size: 28px !important; }
+}
+</style>
+</head>
+<body>
+
+<div id="toast"></div>
+
+<aside>
+  <div class="sidebar-head">
+    <div class="sidebar-logo" style="display:flex;align-items:center;gap:8px"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 48 48" width="28" height="28" style="display:inline-block;vertical-align:middle;flex-shrink:0"><defs><linearGradient id="li1" x1="0%" y1="0%" x2="100%" y2="100%"><stop offset="0%" stop-color="#f0c040"/><stop offset="100%" stop-color="#ff6b35"/></linearGradient><linearGradient id="li2" x1="0%" y1="0%" x2="100%" y2="100%"><stop offset="0%" stop-color="#00e5ff"/><stop offset="100%" stop-color="#7b2fbe"/></linearGradient></defs><rect x="6" y="16" width="36" height="22" rx="11" fill="url(#li1)"/><rect x="12" y="23" width="8" height="3" rx="1.5" fill="rgba(0,0,0,0.45)"/><rect x="15" y="20" width="3" height="8" rx="1.5" fill="rgba(0,0,0,0.45)"/><circle cx="32" cy="22" r="2.2" fill="#e63946" opacity=".9"/><circle cx="36" cy="25" r="2.2" fill="#2ec4b6" opacity=".9"/><circle cx="32" cy="28" r="2.2" fill="#7b2fbe" opacity=".9"/><circle cx="28" cy="25" r="2.2" fill="#f4a261" opacity=".9"/><rect x="21" y="24" width="6" height="3" rx="1.5" fill="rgba(0,0,0,0.3)"/><rect x="8" y="30" width="8" height="7" rx="4" fill="url(#li2)" opacity=".7"/><rect x="32" y="30" width="8" height="7" rx="4" fill="url(#li2)" opacity=".7"/><rect x="14" y="13" width="8" height="5" rx="2.5" fill="url(#li1)" opacity=".8"/><rect x="26" y="13" width="8" height="5" rx="2.5" fill="url(#li1)" opacity=".8"/></svg><span>TomTomGames</span></div>
+    <div class="sidebar-sub" style="-webkit-text-fill-color:var(--text2)">ADMIN PANEL</div>
+  </div>
+  <div class="nav-section">Main</div>
+  <button class="nav-item active" onclick="showSec('dashboard')">📊 Dashboard</button>
+  <button class="nav-item" onclick="showSec('users')">🎮 Players</button>
+  <button class="nav-item" onclick="showSec('pending')">⏳ Pending Signups <span class="badge-count" id="badge-pending">0</span></button>
+  <button class="nav-item" onclick="showSec('purchases')">🧾 Purchases <span class="badge-count" id="badge-purchases">0</span></button>
+  <button class="nav-item" onclick="showSec('cashouts')">💸 Cashouts <span class="badge-count" id="badge-cashouts">0</span></button>
+  <button class="nav-item" onclick="showSec('chat')">💬 Live Chat <span class="badge-count" id="badge-chat">0</span></button>
+  <button class="nav-item" onclick="showSec('broadcasts')">📢 Broadcasts</button>
+  <div class="nav-section">Manage</div>
+  <button class="nav-item" onclick="showSec('games')">🕹️ Game Management</button>
+  <button class="nav-item" onclick="showSec('referrals')">🎁 Referrals</button>
+  <button class="nav-item" onclick="showSec('platform-accounts')">🔑 Platform Accounts</button>
+  <button class="nav-item" onclick="showSec('payments')">💳 Payment Settings</button>
+  <button class="nav-item" onclick="showSec('cashout-methods')">💸 Cashout Methods</button>
+  <button class="nav-item" onclick="showSec('payout-settings')">💰 Payout Settings</button>
+  <button class="nav-item" onclick="showSec('history')">📋 All History</button>
+  <div class="sidebar-footer">
+    <button class="logout-btn" onclick="fetch('/api/logout.php').then(()=>location='/admin/login.php')">🚪 LOGOUT</button>
+  </div>
+</aside>
+
+<main>
+
+  <!-- DASHBOARD -->
+  <div class="section active" id="section-dashboard">
+    <div class="page-title">📊 Dashboard</div>
+    <!-- Unread messages alert -->
+    <div id="unread-chat-alert" style="display:none;background:linear-gradient(135deg,rgba(240,192,64,.12),rgba(0,229,255,.06));border:1px solid rgba(240,192,64,.3);border-radius:12px;padding:14px 18px;margin-bottom:16px;display:none;align-items:center;gap:14px;cursor:pointer" onclick="showSec('chat')">
+      <div style="font-size:28px">💬</div>
+      <div style="flex:1">
+        <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px;color:var(--gold)">New Messages from Players</div>
+        <div id="unread-chat-alert-text" style="font-size:14px;color:var(--text2);margin-top:2px">Click to view and respond</div>
+      </div>
+      <div style="font-family:'Exo 2',sans-serif;font-weight:900;font-size:24px;color:var(--gold)" id="unread-chat-alert-count">0</div>
+    </div>
+    <div class="stats-grid">
+      <div class="stat-card"><div class="stat-label">Total Users</div><div class="stat-value" id="s-users">—</div></div>
+      <div class="stat-card"><div class="stat-label">Total Revenue</div><div class="stat-value" id="s-rev" style="color:var(--green)">—</div></div>
+      <div class="stat-card"><div class="stat-label">Tokens Sold</div><div class="stat-value" id="s-toks">—</div></div>
+      <div class="stat-card"><div class="stat-label">Pending Purchases</div><div class="stat-value" id="s-ppurch" style="color:var(--yellow)">—</div></div>
+      <div class="stat-card"><div class="stat-label">Pending Cashouts</div><div class="stat-value" id="s-pcash" style="color:var(--yellow)">—</div></div>
+    </div>
+    <div class="card">
+      <div class="card-title">⚡ Pending Purchase Approvals</div>
+      <div id="dash-purchases"></div>
+    </div>
+    <div class="card">
+      <div class="card-title">⚡ Pending Cashout Requests</div>
+      <div id="dash-cashouts"></div>
+    </div>
+  </div>
+
+  <!-- PURCHASES -->
+  <div class="section" id="section-purchases">
+    <div class="page-title">🧾 Token Purchases</div>
+    <div class="filter-bar">
+      <button class="ftab active" onclick="loadPurchases('pending',this)">⏳ Pending Approval</button>
+      <button class="ftab" onclick="loadPurchases('completed',this)">✅ Completed</button>
+      <button class="ftab" onclick="loadPurchases('failed',this)">❌ Failed</button>
+      <button class="ftab" onclick="loadPurchases('all',this)">📋 All</button>
+    </div>
+    <div id="purchases-list"></div>
+  </div>
+
+  <!-- CASHOUTS -->
+  <div class="section" id="section-cashouts">
+    <div class="page-title">💸 Cashout Requests</div>
+    <div class="filter-bar">
+      <button class="ftab active" onclick="loadCashouts('pending',this)">⏳ Pending</button>
+      <button class="ftab" onclick="loadCashouts('sent',this)">✅ Sent</button>
+      <button class="ftab" onclick="loadCashouts('rejected',this)">❌ Denied</button>
+      <button class="ftab" onclick="loadCashouts('deleted',this)">🗑 Deleted</button>
+    </div>
+    <div id="cashouts-table"></div>
+  </div>
+
+  <!-- USERS -->
+  <!-- GAMER MANAGEMENT -->
+  <div class="section" id="section-users">
+    <!-- LIST VIEW -->
+    <div id="gm-list-view">
+      <div class="page-title">🎮 Gamer Management</div>
+      <div class="gm-toolbar">
+        <div class="gm-search-wrap">
+          <svg class="gm-search-icon" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><circle cx="11" cy="11" r="8"/><line x1="21" y1="21" x2="16.65" y2="16.65"/></svg>
+          <input class="gm-search" id="gm-search" type="text" placeholder="Search username, alias, email..." oninput="filterGamers(this.value)">
+        </div>
+        <div class="gm-filters">
+          <button class="gm-filter active" onclick="setGamerFilter('all',this)">All</button>
+          <button class="gm-filter" onclick="setGamerFilter('active',this)">Active</button>
+          <button class="gm-filter" onclick="setGamerFilter('suspended',this)">Suspended</button>
+          <button class="gm-filter" onclick="setGamerFilter('unverified',this)">Unverified</button>
+        </div>
+        <div class="gm-stats-mini" id="gm-stats-mini"></div>
+      </div>
+      <div class="gm-grid" id="gm-grid"></div>
+    </div>
+
+    <!-- PLAYER DETAIL VIEW -->
+    <div id="gm-detail-view" style="display:none">
+      <button class="gm-back-btn" onclick="showGamerList()">
+        <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" width="16" height="16"><polyline points="15 18 9 12 15 6"/></svg>
+        Back to Players
+      </button>
+      <div class="gm-profile-card" id="gm-profile-card"></div>
+      <div class="gm-tabs">
+        <button class="gm-tab active" onclick="switchGamerTab('overview',this)">Overview</button>
+        <button class="gm-tab" onclick="switchGamerTab('aliases',this)">🎮 Aliases</button>
+        <button class="gm-tab" onclick="switchGamerTab('payout',this)">💸 Payout</button>
+        <button class="gm-tab" onclick="switchGamerTab('platforms',this)">🔑 Accounts</button>
+        <button class="gm-tab" onclick="switchGamerTab('tokens',this)">Tokens</button>
+        <button class="gm-tab" onclick="switchGamerTab('purchases',this)">Purchases</button>
+        <button class="gm-tab" onclick="switchGamerTab('cashouts',this)">Cashouts</button>
+        <button class="gm-tab" onclick="switchGamerTab('billing',this)">Billing</button>
+        <button class="gm-tab" onclick="switchGamerTab('chat',this)">Chat</button>
+        <button class="gm-tab" onclick="switchGamerTab('edit',this)">Edit</button>
+      </div>
+      <!-- TAB: OVERVIEW -->
+      <div class="gm-tab-panel active" id="gtab-overview">
+        <div class="gm-info-grid" id="gm-info-grid"></div>
+        <div class="gm-actions-panel">
+          <div class="gm-actions-title">Quick Actions</div>
+          <div class="gm-action-btns" id="gm-action-btns"></div>
+        </div>
+      </div>
+      <!-- TAB: PLATFORM ACCOUNTS -->
+      <div class="gm-tab-panel" id="gtab-platforms">
+        <div class="card" style="margin-bottom:12px">
+          <div class="card-title">🔑 Platform Accounts</div>
+          <div style="font-size:14px;color:var(--text2);margin-bottom:12px">Manage game platform logins for this player. When you approve a request and set a username/password, it will automatically update their alias.</div>
+          <div id="gm-platform-accounts-list"><div style="color:var(--text2);text-align:center;padding:16px">Loading...</div></div>
+        </div>
+      </div>
+
+      <!-- TAB: PAYOUT METHODS -->
+      <div class="gm-tab-panel" id="gtab-payout">
+        <div class="card">
+          <div class="card-title">💸 Payout Methods</div>
+          <div style="font-size:14px;color:var(--text2);margin-bottom:12px">Where this player receives their cashout payments.</div>
+          <div id="gm-payout-list"><div style="color:var(--text2);text-align:center;padding:16px">Loading...</div></div>
+        </div>
+      </div>
+
+      <!-- TAB: PLATFORM ACCOUNTS -->
+      <div class="gm-tab-panel" id="gtab-platforms">
+        <div class="card">
+          <div class="card-title">🔑 Platform Accounts</div>
+          <div style="font-size:14px;color:var(--text2);margin-bottom:12px">Game platform logins created for this player.</div>
+          <div id="gm-platforms-list"><div style="color:var(--text2);text-align:center;padding:16px">Loading...</div></div>
+        </div>
+      </div>
+
+      <!-- TAB: ALIASES -->
+      <div class="gm-tab-panel" id="gtab-aliases">
+        <div class="card" style="margin-bottom:12px">
+          <div class="card-title">🎮 Game Aliases</div>
+          <div style="font-size:14px;color:var(--text2);margin-bottom:14px">Player's in-game usernames per platform. Edit and save below.</div>
+          <div id="gm-aliases-list"><div style="color:var(--text2);text-align:center;padding:16px;font-size:15px">Loading...</div></div>
+          <div id="gm-aliases-alert" class="alert" style="margin-top:10px"></div>
+          <button class="btn btn-gold" onclick="gmSaveAllAliases()" style="margin-top:12px">💾 SAVE ALL ALIASES</button>
+        </div>
+      </div>
+
+      <!-- TAB: TOKENS -->
+      <div class="gm-tab-panel" id="gtab-tokens">
+        <div class="card" style="margin-bottom:14px">
+          <div class="card-title">💰 Token Balance</div>
+          <div class="gm-token-display" id="gm-token-display">—</div>
+        </div>
+        <div class="card" style="margin-bottom:14px">
+          <div class="card-title">Adjust Tokens</div>
+          <div style="display:grid;grid-template-columns:1fr 1fr;gap:10px;margin-bottom:12px">
+            <div><label class="gm-edit-label">Amount</label><input class="fi-sm" type="number" id="gm-tok-amount" placeholder="e.g. 50" style="width:100%;padding:10px 12px;font-size:15px"></div>
+            <div><label class="gm-edit-label">Reason</label><input class="fi-sm" type="text" id="gm-tok-reason" placeholder="e.g. Bonus" style="width:100%;padding:10px 12px;font-size:15px"></div>
+          </div>
+          <div style="display:flex;gap:8px">
+            <button class="btn btn-green" style="flex:1" onclick="gmAdjustTokens(1)">➕ ADD</button>
+            <button class="btn btn-red" style="flex:1" onclick="gmAdjustTokens(-1)">➖ REMOVE</button>
+          </div>
+          <div id="gm-tok-msg" class="alert" style="margin-top:12px"></div>
+        </div>
+        <div class="card">
+          <div class="card-title">Set Exact Balance</div>
+          <div style="display:flex;gap:8px">
+            <input class="fi-sm" type="number" id="gm-tok-set" placeholder="New balance" style="flex:1;padding:10px 12px;font-size:15px">
+            <button class="btn btn-gold" style="width:100px" onclick="gmSetTokens()">SET</button>
+          </div>
+        </div>
+      </div>
+      <!-- TAB: PURCHASES -->
+      <div class="gm-tab-panel" id="gtab-purchases">
+        <div id="gm-purchases-table"></div>
+      </div>
+      <!-- TAB: CASHOUTS -->
+      <div class="gm-tab-panel" id="gtab-cashouts">
+        <div class="card"><div class="tbl-wrap"><div id="gm-cashouts-table"></div></div></div>
+      </div>
+      <!-- TAB: BILLING -->
+      <div class="gm-tab-panel" id="gtab-billing">
+        <div class="card" style="margin-bottom:14px">
+          <div class="card-title">💳 Saved Payment Info</div>
+          <div id="gm-billing-card-display" style="display:none;margin-bottom:16px">
+            <div class="admin-saved-card" id="gm-billing-card"></div>
+            <div style="display:flex;gap:8px;margin-top:10px">
+              <button class="btn btn-red" style="flex:1" onclick="gmClearCard()">🗑 Remove Card</button>
+            </div>
+          </div>
+          <div id="gm-billing-no-card" style="display:none;padding:12px;background:var(--bg3);border-radius:var(--rs);font-size:15px;color:var(--text2);text-align:center;margin-bottom:12px">No card on file</div>
+          <div id="gm-billing-alert" class="alert" style="margin-bottom:12px"></div>
+          <div style="display:grid;grid-template-columns:1fr 1fr;gap:10px;margin-bottom:10px">
+            <div><label class="gm-edit-label">First Name</label><input class="fi-sm" id="gm-b-first" type="text" style="width:100%;padding:10px 12px"></div>
+            <div><label class="gm-edit-label">Last Name</label><input class="fi-sm" id="gm-b-last" type="text" style="width:100%;padding:10px 12px"></div>
+            <div><label class="gm-edit-label">Email</label><input class="fi-sm" id="gm-b-email" type="email" style="width:100%;padding:10px 12px"></div>
+            <div><label class="gm-edit-label">ZIP Code</label><input class="fi-sm" id="gm-b-zip" type="text" style="width:100%;padding:10px 12px"></div>
+          </div>
+          <div style="margin-bottom:10px"><label class="gm-edit-label">Street Address</label><input class="fi-sm" id="gm-b-address" type="text" style="width:100%;padding:10px 12px"></div>
+          <div style="display:grid;grid-template-columns:1fr 70px;gap:8px;margin-bottom:14px">
+            <div><label class="gm-edit-label">City</label><input class="fi-sm" id="gm-b-city" type="text" style="width:100%;padding:10px 12px"></div>
+            <div><label class="gm-edit-label">State</label><input class="fi-sm" id="gm-b-state" type="text" maxlength="2" style="width:100%;padding:10px 12px;text-transform:uppercase"></div>
+          </div>
+          <div style="display:flex;gap:8px">
+            <button class="btn btn-gold" style="flex:1" onclick="gmSaveBilling()">💾 SAVE BILLING INFO</button>
+            <button class="btn btn-red" style="width:120px" onclick="gmClearAllBilling()">🗑 Clear All</button>
+          </div>
+        </div>
+      </div>
+
+      <!-- TAB: CHAT -->
+      <div class="gm-tab-panel" id="gtab-chat">
+        <div class="admin-chat-wrap" style="height:400px">
+          <div class="admin-chat-messages" id="gm-chat-messages"></div>
+          <div class="admin-chat-input-bar">
+            <input class="admin-chat-input" id="gm-chat-input" type="text" placeholder="Message this player..." onkeydown="if(event.key==='Enter')gmSendMsg()">
+            <button class="admin-send-btn" onclick="gmSendMsg()">
+              <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" width="18" height="18"><line x1="22" y1="2" x2="11" y2="13"/><polygon points="22 2 15 22 11 13 2 9 22 2"/></svg>
+            </button>
+          </div>
+        </div>
+        <button onclick="gmClearThread()" style="margin-top:10px;width:100%;background:rgba(255,68,68,.08);border:1px solid rgba(255,68,68,.2);color:var(--red);border-radius:8px;padding:10px;font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px;cursor:pointer">
+          🗑 Clear This Conversation
+        </button>
+      </div>
+      <!-- TAB: EDIT -->
+      <div class="gm-tab-panel" id="gtab-edit">
+        <div class="card" style="margin-bottom:14px">
+          <div class="card-title">✏️ Edit Player Info</div>
+          <div id="gm-edit-alert" class="alert" style="margin-bottom:12px"></div>
+          <div style="display:grid;grid-template-columns:1fr 1fr;gap:12px;margin-bottom:14px">
+            <div><label class="gm-edit-label">Username</label><input class="fi-sm" id="gm-edit-username" type="text" style="width:100%;padding:10px 12px"></div>
+            <div><label class="gm-edit-label">Alias / Nickname</label><input class="fi-sm" id="gm-edit-alias" type="text" style="width:100%;padding:10px 12px"></div>
+            <div><label class="gm-edit-label">Email Address</label><input class="fi-sm" id="gm-edit-email" type="email" style="width:100%;padding:10px 12px"></div>
+            <div><label class="gm-edit-label">New Password <span style="color:var(--text2);font-weight:400">(blank = keep)</span></label><input class="fi-sm" id="gm-edit-password" type="password" placeholder="Leave blank to keep" style="width:100%;padding:10px 12px"></div>
+          </div>
+          <button class="btn btn-gold" onclick="gmSaveEdit()">💾 SAVE CHANGES</button>
+        </div>
+        <div class="card" style="border-color:rgba(255,68,68,.25)">
+          <div class="card-title" style="color:var(--red)">⚠️ Danger Zone</div>
+          <div style="display:flex;flex-direction:column;gap:8px">
+            <button class="btn btn-red" id="gm-suspend-btn" onclick="gmToggleSuspend()">Loading...</button>
+            <button class="btn" onclick="gmSendPasswordReset()" style="background:rgba(155,93,229,.12);color:#c77dff;border:1px solid rgba(155,93,229,.3)">🔑 Send Password Reset Email</button>
+            <button class="btn" id="gm-admin-toggle-btn" onclick="gmToggleAdmin()">Admin Toggle</button>
+            <button class="btn" onclick="gmDeleteAccount()" style="background:rgba(255,30,30,.18);color:#ff6666;border:1px solid rgba(255,30,30,.35)">🗑️ DELETE ACCOUNT PERMANENTLY</button>
+          </div>
+          <p style="font-size:15px;color:var(--text2);margin-top:12px;line-height:1.6">Deleting is permanent and removes all purchases, cashouts, and chat history.</p>
+        </div>
+      </div>
+    </div><!-- /gm-detail-view -->
+  </div><!-- /section-users -->
+
+  <!-- ── PAYMENT SETTINGS ─────────────────────────────────── -->
+  <div class="section" id="section-payments">
+    <div class="page-title">💳 Payment Settings</div>
+    <div style="background:rgba(0,229,255,.06);border:1px solid rgba(0,229,255,.15);border-radius:10px;padding:12px 16px;margin-bottom:16px;font-size:15px;color:var(--text2);line-height:1.6">
+      Enable or disable each payment method. Disabled methods are hidden from players instantly. Card payments run through Square — your Square account must be active for card to work.
+    </div>
+    <div id="payment-methods-list"></div>
+  </div>
+
+  <!-- ── PLATFORM ACCOUNTS ─────────────────────────────── -->
+  <!-- ── REFERRALS ──────────────────────────────────────── -->
+  <div class="section" id="section-referrals">
+    <div class="page-title">🎁 Referral Management</div>
+    <div style="display:flex;gap:8px;margin-bottom:16px;flex-wrap:wrap">
+      <button class="ftab active" onclick="loadAdminReferrals('pending',this)">⏳ Pending</button>
+      <button class="ftab" onclick="loadAdminReferrals('verified',this)">✅ Verified</button>
+      <button class="ftab" onclick="loadAdminReferrals('denied',this)">❌ Denied</button>
+      <button class="ftab" onclick="showRefSection('tiers')">⚙️ Manage Tiers</button>
+      <button class="ftab" onclick="showRefSection('shares')">📱 Social Shares</button>
+    </div>
+    <div id="ref-admin-list"></div>
+    <div id="ref-tiers-section" style="display:none">
+      <div class="card" style="margin-bottom:14px;border-color:rgba(240,192,64,.2)">
+        <div class="card-title" id="ref-tier-form-title">Add Referral Tier</div>
+        <div id="ref-tier-alert" class="alert" style="margin-bottom:8px"></div>
+        <input type="hidden" id="rt-id">
+        <div style="display:grid;grid-template-columns:1fr 1fr;gap:8px;margin-bottom:8px">
+          <div><label class="gm-edit-label">Tier Name</label><input class="fi-sm" id="rt-name" type="text" placeholder="e.g. Gold Referrer" style="width:100%;padding:8px 10px"></div>
+          <div><label class="gm-edit-label">Min Referrals</label><input class="fi-sm" id="rt-min" type="number" min="1" value="1" style="width:100%;padding:8px 10px"></div>
+        </div>
+        <div style="display:grid;grid-template-columns:1fr 1fr 1fr;gap:8px;margin-bottom:8px">
+          <div><label class="gm-edit-label">Tokens per Referral</label><input class="fi-sm" id="rt-per" type="number" min="0" step="0.5" value="5" style="width:100%;padding:8px 10px"></div>
+          <div><label class="gm-edit-label">Milestone Bonus</label><input class="fi-sm" id="rt-bonus" type="number" min="0" value="0" style="width:100%;padding:8px 10px"></div>
+          <div><label class="gm-edit-label">Sort Order</label><input class="fi-sm" id="rt-sort" type="number" value="0" style="width:100%;padding:8px 10px"></div>
+        </div>
+        <div style="margin-bottom:10px"><label class="gm-edit-label">Description</label><input class="fi-sm" id="rt-desc" type="text" placeholder="Shown to players" style="width:100%;padding:8px 10px"></div>
+        <div style="display:flex;gap:8px;margin-bottom:12px">
+          <div style="flex:1"><label class="gm-edit-label">Status</label>
+          <select class="fi-sm" id="rt-active" style="width:100%;padding:8px 10px;background:var(--bg3);color:var(--text);border:1px solid var(--border);border-radius:var(--rs)">
+            <option value="1">Active</option><option value="0">Inactive</option>
+          </select></div>
+        </div>
+        <div style="display:flex;gap:8px">
+          <button class="btn btn-gold" onclick="saveRefTier()" style="flex:1">Save Tier</button>
+          <button class="btn btn-outline" onclick="resetRefTierForm()" style="width:100px">Clear</button>
+        </div>
+      </div>
+      <div class="card" style="padding:0;overflow:hidden">
+        <div style="padding:14px 18px;border-bottom:1px solid var(--border);font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px">All Tiers</div>
+        <div id="ref-tiers-admin-list"></div>
+      </div>
+    </div>
+    <div id="ref-shares-section" style="display:none">
+      <div style="display:flex;gap:8px;margin-bottom:12px">
+        <button class="ftab active" onclick="loadAdminShares('pending',this)">Pending</button>
+        <button class="ftab" onclick="loadAdminShares('approved',this)">Approved</button>
+        <button class="ftab" onclick="loadAdminShares('denied',this)">Denied</button>
+      </div>
+      <div id="ref-shares-admin-list"></div>
+    </div>
+  </div>
+
+  <div class="section" id="section-platform-accounts">
+    <div class="page-title">🔑 Platform Account Requests</div>
+    <div style="display:flex;gap:8px;margin-bottom:14px">
+      <button class="ftab active" onclick="loadPlatformAccountRequests('pending',this)">⏳ Pending</button>
+      <button class="ftab" onclick="loadPlatformAccountRequests('approved',this)">✅ Approved</button>
+      <button class="ftab" onclick="loadPlatformAccountRequests('denied',this)">❌ Denied</button>
+    </div>
+    <div id="pa-requests-list"></div>
+  </div>
+
+  <!-- ── BROADCASTS ──────────────────────────────────────── -->
+  <div class="section" id="section-broadcasts">
+    <div class="page-title">📢 Broadcast Messages</div>
+
+    <!-- Compose panel -->
+    <div class="card" style="margin-bottom:16px;border-color:rgba(240,192,64,.2)">
+      <div class="card-title" style="color:var(--gold)">✉️ Send Broadcast</div>
+      <div id="bc-alert" class="alert" style="margin-bottom:10px"></div>
+      <div class="fg" style="margin-bottom:10px">
+        <label class="gm-edit-label">Subject *</label>
+        <input class="fi-sm" id="bc-subject" type="text" placeholder="e.g. Important Update" style="width:100%;padding:10px 12px">
+      </div>
+      <div class="fg" style="margin-bottom:10px">
+        <label class="gm-edit-label">Message *</label>
+        <textarea id="bc-message" rows="4" placeholder="Write your message..." style="width:100%;box-sizing:border-box;background:var(--bg3);border:1px solid var(--border);border-radius:var(--rs);padding:10px 12px;color:var(--text);font-family:'Rajdhani',sans-serif;font-size:14px;resize:vertical;outline:none"></textarea>
+      </div>
+      <div style="display:grid;grid-template-columns:1fr auto;gap:10px;align-items:end">
+        <div>
+          <label class="gm-edit-label">Send To</label>
+          <select class="fi-sm" id="bc-target" style="width:100%;padding:10px 12px;background:var(--bg3);color:var(--text);border:1px solid var(--border);border-radius:var(--rs)">
+            <option value="all">👥 All Active Players</option>
+            <option value="verified">✅ Verified Players Only</option>
+            <option value="unverified">⏳ Unverified Players Only</option>
+            <option value="admins">🔑 Admins Only</option>
+          </select>
+        </div>
+        <button class="btn btn-gold" style="padding:11px 20px;white-space:nowrap" onclick="sendBroadcast()">📢 SEND BROADCAST</button>
+      </div>
+    </div>
+
+    <!-- Sent broadcasts list -->
+    <div class="card" style="padding:0;overflow:hidden">
+      <div style="padding:14px 18px;border-bottom:1px solid var(--border);display:flex;justify-content:space-between;align-items:center">
+        <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px">Sent Broadcasts</div>
+        <button onclick="loadBroadcasts()" style="background:none;border:none;color:var(--cyan);cursor:pointer;font-size:14px;font-weight:700">↻ Refresh</button>
+      </div>
+      <div id="bc-list"></div>
+    </div>
+
+    <!-- Replies / Reads drawer -->
+    <div id="bc-drawer" style="display:none;margin-top:12px">
+      <div class="card" style="border-color:rgba(0,229,255,.2)">
+        <div style="display:flex;align-items:center;justify-content:space-between;margin-bottom:12px">
+          <div class="card-title" id="bc-drawer-title" style="margin-bottom:0">Details</div>
+          <button onclick="closeBcDrawer()" style="background:none;border:none;color:var(--text2);cursor:pointer;font-size:18px">✕</button>
+        </div>
+        <div style="display:flex;gap:8px;margin-bottom:14px">
+          <button class="ftab active" onclick="switchBcTab('replies',this)" id="bc-tab-replies">💬 Replies</button>
+          <button class="ftab" onclick="switchBcTab('reads',this)" id="bc-tab-reads">👁 Read By</button>
+        </div>
+        <div id="bc-drawer-content"></div>
+        <!-- Admin reply -->
+        <div style="margin-top:14px;display:flex;gap:8px">
+          <input class="fi-sm" id="bc-reply-input" type="text" placeholder="Reply to this broadcast..." style="flex:1;padding:10px 12px" onkeydown="if(event.key==='Enter')adminBroadcastReply()">
+          <button class="btn btn-gold" onclick="adminBroadcastReply()" style="padding:10px 16px">Send</button>
+        </div>
+      </div>
+    </div>
+  </div>
+
+  <!-- ── PAYOUT SETTINGS ─────────────────────────────── -->
+  <div class="section" id="section-payout-settings">
+    <div class="page-title">💰 Payout Settings</div>
+    <div style="background:rgba(0,229,255,.06);border:1px solid rgba(0,229,255,.15);border-radius:10px;padding:12px 16px;margin-bottom:16px;font-size:15px;color:var(--text2);line-height:1.7">
+      Configure how you send cashout payments to players. <strong style="color:var(--cyan)">Square Gift Card</strong> sends instantly. <strong style="color:var(--gold)">Manual methods</strong> show the player handle so you send from the app and mark done.
+    </div>
+    <div id="payout-settings-list"></div>
+  </div>
+
+  <!-- ── CASHOUT METHOD TYPES ──────────────────────────────── -->
+  <div class="section" id="section-cashout-methods">
+    <div class="page-title">💸 Cashout Methods</div>
+    <div style="background:rgba(0,229,255,.06);border:1px solid rgba(0,229,255,.15);border-radius:10px;padding:12px 16px;margin-bottom:16px;font-size:15px;color:var(--text2);line-height:1.6">
+      💸 Manage the payout method types available to players when they cash out. Active methods appear in the player's payout method dropdown.
+    </div>
+
+    <!-- Add / Edit form -->
+    <div class="card" id="cmt-form-card" style="margin-bottom:16px">
+      <div class="card-title" id="cmt-form-title">➕ Add Cashout Method</div>
+      <div id="cmt-form-alert" class="alert" style="margin-bottom:10px"></div>
+      <input type="hidden" id="cmt-id" value="">
+      <div style="display:grid;grid-template-columns:1fr 1fr;gap:10px;margin-bottom:10px">
+        <div>
+          <label class="gm-edit-label">Label *</label>
+          <input class="fi-sm" id="cmt-label" type="text" placeholder="e.g. Venmo" style="width:100%;padding:10px 12px">
+        </div>
+        <div>
+          <label class="gm-edit-label">Slug * <span style="font-weight:400;color:var(--text2)">lowercase, no spaces</span></label>
+          <input class="fi-sm" id="cmt-slug" type="text" placeholder="e.g. venmo" style="width:100%;padding:10px 12px" oninput="this.value=this.value.toLowerCase().replace(/[^a-z0-9_]/g,'')">
+        </div>
+      </div>
+      <div style="display:grid;grid-template-columns:80px 1fr;gap:10px;margin-bottom:10px">
+        <div>
+          <label class="gm-edit-label">Icon</label>
+          <input class="fi-sm" id="cmt-icon" type="text" value="💰" maxlength="4" style="width:100%;padding:10px 12px;font-size:20px;text-align:center">
+        </div>
+        <div>
+          <label class="gm-edit-label">Description <span style="font-weight:400;color:var(--text2)">shown to players</span></label>
+          <input class="fi-sm" id="cmt-desc" type="text" placeholder="e.g. Send via Venmo username" style="width:100%;padding:10px 12px">
+        </div>
+      </div>
+      <div style="display:grid;grid-template-columns:1fr 1fr;gap:10px;margin-bottom:14px">
+        <div>
+          <label class="gm-edit-label">Sort Order</label>
+          <input class="fi-sm" id="cmt-sort" type="number" value="99" min="0" style="width:100%;padding:10px 12px">
+        </div>
+        <div>
+          <label class="gm-edit-label">Status</label>
+          <select class="fi-sm" id="cmt-active" style="width:100%;padding:10px 12px;background:var(--bg3);color:var(--text);border:1px solid var(--border);border-radius:var(--rs)">
+            <option value="1">✅ Active</option>
+            <option value="0">⏸ Inactive</option>
+          </select>
+        </div>
+      </div>
+      <div style="display:flex;gap:8px">
+        <button class="btn btn-gold" style="flex:1" onclick="saveCashoutMethod()">💾 SAVE</button>
+        <button class="btn btn-outline" onclick="resetCmtForm()" style="width:100px">CLEAR</button>
+      </div>
+    </div>
+
+    <!-- Methods list -->
+    <div class="card" style="padding:0;overflow:hidden">
+      <div style="padding:14px 18px;border-bottom:1px solid var(--border);display:flex;justify-content:space-between;align-items:center">
+        <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px">Active &amp; Inactive Methods</div>
+        <div style="font-size:14px;color:var(--text2)" id="cmt-count">Loading...</div>
+      </div>
+      <div id="cmt-list"></div>
+    </div>
+  </div>
+
+  <!-- ── GAME MANAGEMENT ─────────────────────────────────── -->
+  <div class="section" id="section-games">
+    <div class="page-title">🕹️ Game Management</div>
+
+    <!-- Add / Edit form -->
+    <div class="card" id="game-form-card" style="margin-bottom:16px">
+      <div class="card-title" id="game-form-title">➕ Add New Game</div>
+      <div id="game-form-alert" class="alert" style="margin-bottom:10px"></div>
+      <input type="hidden" id="gf-id" value="">
+      <div style="display:grid;grid-template-columns:1fr 1fr;gap:10px;margin-bottom:10px">
+        <div>
+          <label class="gm-edit-label">Game Name *</label>
+          <input class="fi-sm" id="gf-name" type="text" placeholder="e.g. VBlink 777" style="width:100%;padding:10px 12px">
+        </div>
+        <div>
+          <label class="gm-edit-label">Slug (ID) * <span style="font-weight:400;color:var(--text2)">lowercase, no spaces</span></label>
+          <input class="fi-sm" id="gf-slug" type="text" placeholder="e.g. vblink777" style="width:100%;padding:10px 12px" oninput="this.value=this.value.toLowerCase().replace(/[^a-z0-9_]/g,'')">
+        </div>
+      </div>
+      <div style="margin-bottom:10px">
+        <label class="gm-edit-label">Player URL * <span style="font-weight:400;color:var(--text2)">shown to players — opens the game</span></label>
+        <input class="fi-sm" id="gf-player-url" type="url" placeholder="https://game.example.com/play" style="width:100%;padding:10px 12px">
+      </div>
+      <div style="margin-bottom:10px">
+        <label class="gm-edit-label">Console / Admin URL <span style="font-weight:400;color:var(--text2)">only visible to admins</span></label>
+        <input class="fi-sm" id="gf-console-url" type="url" placeholder="https://admin.game.example.com" style="width:100%;padding:10px 12px">
+      </div>
+      <div style="display:grid;grid-template-columns:1fr 1fr 1fr;gap:10px;margin-bottom:14px">
+        <div>
+          <label class="gm-edit-label">Brand Color</label>
+          <div style="display:flex;align-items:center;gap:8px">
+            <input type="color" id="gf-color" value="#f0c040" style="width:44px;height:38px;padding:2px;border:1px solid var(--border);border-radius:6px;background:var(--bg3);cursor:pointer">
+            <input class="fi-sm" id="gf-color-hex" type="text" value="#f0c040" maxlength="7" style="flex:1;padding:10px 10px" oninput="syncColorPicker(this.value)">
+          </div>
+        </div>
+        <div>
+          <label class="gm-edit-label">Sort Order</label>
+          <input class="fi-sm" id="gf-sort" type="number" value="99" min="0" style="width:100%;padding:10px 12px">
+        </div>
+        <div>
+          <label class="gm-edit-label">Status</label>
+          <select class="fi-sm" id="gf-active" style="width:100%;padding:10px 12px;background:var(--bg3);color:var(--text);border:1px solid var(--border);border-radius:var(--rs)">
+            <option value="1">✅ Active</option>
+            <option value="0">⏸ Inactive</option>
+          </select>
+        </div>
+      </div>
+      <div style="display:flex;gap:8px">
+        <button class="btn btn-gold" style="flex:1" onclick="saveGame()">💾 SAVE GAME</button>
+        <button class="btn btn-outline" onclick="resetGameForm()" style="width:100px">CLEAR</button>
+      </div>
+    </div>
+
+    <!-- Games list -->
+    <div class="card" style="padding:0;overflow:hidden">
+      <div style="padding:14px 18px;border-bottom:1px solid var(--border);display:flex;justify-content:space-between;align-items:center">
+        <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px">Active & Inactive Games</div>
+        <div style="font-size:14px;color:var(--text2)" id="games-count">Loading...</div>
+      </div>
+      <div id="games-list"></div>
+    </div>
+  </div>
+
+  <!-- ── HISTORY ─────────────────────────────────── -->
+  <div class="section" id="section-history">
+    <div class="page-title">📋 Full Audit Log <span style="font-size:15px;font-weight:400;color:var(--text2);margin-left:8px">90-day rolling · 20 per page</span></div>
+
+    <!-- Filters row -->
+    <div style="display:flex;gap:8px;margin-bottom:14px;flex-wrap:wrap;align-items:center">
+      <select id="hist-category" onchange="loadHistory(1)" style="background:var(--bg3);color:var(--text);border:1px solid var(--border);border-radius:8px;padding:8px 12px;font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px;cursor:pointer">
+        <option value="">📂 All Categories</option>
+        <option value="auth">🔐 Auth (Login/Register)</option>
+        <option value="player">👤 Player Actions</option>
+        <option value="admin">🛡️ Admin Actions</option>
+        <option value="security">⚠️ Security Events</option>
+        <option value="general">📋 General</option>
+      </select>
+      <select id="hist-severity" onchange="loadHistory(1)" style="background:var(--bg3);color:var(--text);border:1px solid var(--border);border-radius:8px;padding:8px 12px;font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px;cursor:pointer">
+        <option value="">🔍 All Severity</option>
+        <option value="critical">🔴 Critical</option>
+        <option value="warning">🟡 Warning</option>
+        <option value="info">🟢 Info</option>
+      </select>
+      <input type="text" id="hist-search" placeholder="Search user, action, detail..." onkeydown="if(event.key==='Enter')loadHistory(1)"
+        style="background:var(--bg3);color:var(--text);border:1px solid var(--border);border-radius:8px;padding:8px 12px;font-size:14px;width:200px">
+      <input type="date" id="hist-date" onchange="loadHistory(1)"
+        style="background:var(--bg3);color:var(--text);border:1px solid var(--border);border-radius:8px;padding:8px 12px;font-size:14px">
+      <button onclick="loadHistory(1)" style="background:rgba(0,229,255,.08);border:1px solid rgba(0,229,255,.2);color:var(--cyan);border-radius:8px;padding:8px 14px;font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px;cursor:pointer">↻ Refresh</button>
+      <button onclick="exportHistory()" style="background:rgba(240,192,64,.08);border:1px solid rgba(240,192,64,.2);color:var(--gold);border-radius:8px;padding:8px 14px;font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px;cursor:pointer">⬇ Export CSV</button>
+      <span id="hist-count" style="font-size:14px;color:var(--text2);margin-left:4px"></span>
+    </div>
+
+    <!-- Summary stats bar -->
+    <div id="hist-stats" style="display:grid;grid-template-columns:repeat(4,1fr);gap:8px;margin-bottom:14px"></div>
+
+    <!-- Log table -->
+    <div id="history-table"></div>
+
+    <!-- Pagination -->
+    <div id="hist-pagination" style="display:flex;gap:8px;justify-content:center;margin-top:16px;flex-wrap:wrap"></div>
+  </div>
+
+  <!-- PENDING SIGNUPS -->
+  <div class="section" id="section-pending">
+    <div class="page-title">⏳ Pending Signups</div>
+    <div style="background:rgba(0,229,255,.06);border:1px solid rgba(0,229,255,.15);border-radius:10px;padding:12px 16px;margin-bottom:14px;font-size:15px;color:var(--text2);line-height:1.6">
+      ⏳ Players who registered but haven't verified their email yet. <strong style="color:var(--gold)">Approve</strong> to create their account immediately, or <strong style="color:var(--red)">Delete</strong> to remove the request.
+    </div>
+    <div id="pending-list"></div>
+  </div>
+
+  <!-- CHAT INBOX -->
+  <div class="section" id="section-chat">
+    <div class="page-title">Live Chat
+      <span style="font-size:15px;font-weight:400;color:var(--green);margin-left:10px;letter-spacing:.5px">
+        ● Auto-refreshing every 5s
+      </span>
+    </div>
+
+    <!-- INBOX VIEW -->
+    <div id="chat-inbox-view">
+
+      <!-- NEW MESSAGE COMPOSE PANEL -->
+      <div class="card" style="margin-bottom:14px;border-color:rgba(240,192,64,.2);background:linear-gradient(135deg,#1a1228,#0d1820)">
+        <div class="card-title" style="color:var(--gold);margin-bottom:12px">✉️ Send Message to Player</div>
+        <!-- Player search -->
+        <div style="position:relative;margin-bottom:10px">
+          <input class="fi-sm" id="compose-search" type="text" placeholder="Search by name, alias or email..."
+            style="width:100%;padding:10px 12px;font-size:14px"
+            oninput="searchComposePlayers(this.value)" autocomplete="off">
+          <div id="compose-dropdown" style="display:none;position:absolute;top:100%;left:0;right:0;background:var(--bg3);border:1px solid var(--border);border-radius:8px;z-index:50;max-height:200px;overflow-y:auto;margin-top:4px;box-shadow:0 8px 24px rgba(0,0,0,.4)"></div>
+        </div>
+        <!-- Selected player chip -->
+        <div id="compose-selected" style="display:none;background:rgba(0,229,255,.08);border:1px solid rgba(0,229,255,.2);border-radius:8px;padding:8px 12px;margin-bottom:10px;display:none;align-items:center;gap:10px">
+          <div id="compose-player-avatar" style="width:32px;height:32px;border-radius:50%;display:flex;align-items:center;justify-content:center;font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px;color:#fff;flex-shrink:0;background:#7b2fbe">?</div>
+          <div style="flex:1;min-width:0">
+            <div id="compose-player-name" style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:var(--text)">—</div>
+            <div id="compose-player-info" style="font-size:15px;color:var(--text2)">—</div>
+          </div>
+          <button onclick="clearComposePicker()" style="background:none;border:none;color:var(--text2);cursor:pointer;font-size:18px;line-height:1;padding:0 4px">×</button>
+        </div>
+        <!-- Message box -->
+        <textarea id="compose-msg" rows="3" placeholder="Type your message..."
+          style="width:100%;box-sizing:border-box;background:var(--bg3);border:1px solid var(--border);border-radius:8px;padding:10px 12px;color:var(--text);font-family:'Rajdhani',sans-serif;font-size:14px;resize:vertical;outline:none;margin-bottom:10px"
+          onkeydown="if(event.key==='Enter'&&event.ctrlKey)adminComposeSend()"></textarea>
+        <div style="display:flex;justify-content:space-between;align-items:center">
+          <div style="font-size:15px;color:var(--text2)">Ctrl+Enter to send · Player will see it in their Support chat</div>
+          <button class="btn btn-gold" style="width:120px" onclick="adminComposeSend()">
+            📨 SEND
+          </button>
+        </div>
+        <div id="compose-alert" class="alert" style="margin-top:10px"></div>
+      </div>
+
+      <!-- Inbox list -->
+      <div style="background:rgba(0,229,255,.06);border:1px solid rgba(0,229,255,.15);border-radius:10px;padding:12px 16px;margin-bottom:14px;font-size:15px;color:var(--text2);line-height:1.6;display:flex;align-items:center;gap:10px">
+        <span style="flex:1">📨 Messages from players appear below. Click any conversation to open it and reply.</span>
+        <button onclick="adminClearAllChats()" style="background:rgba(255,68,68,.1);border:1px solid rgba(255,68,68,.2);color:var(--red);border-radius:8px;padding:7px 12px;font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;cursor:pointer;white-space:nowrap;flex-shrink:0">
+          🗑 Clear All
+        </button>
+      </div>
+      <div class="card" style="padding:0;overflow:hidden">
+        <div id="chat-inbox-list"></div>
+      </div>
+    </div>
+
+    <!-- THREAD VIEW -->
+    <div id="chat-thread-view" style="display:none">
+      <div style="display:flex;align-items:center;gap:10px;margin-bottom:14px">
+        <button onclick="showChatInbox()" style="background:none;border:none;color:var(--cyan);cursor:pointer;font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;display:flex;align-items:center;gap:6px;padding:0;flex:1">
+          ← Back to Inbox
+        </button>
+        <button onclick="adminClearThread()" style="background:rgba(255,68,68,.1);border:1px solid rgba(255,68,68,.2);color:var(--red);border-radius:8px;padding:6px 12px;font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;cursor:pointer">
+          🗑 Clear Thread
+        </button>
+      </div>
+      <div class="admin-chat-wrap">
+        <div class="admin-chat-header" id="admin-chat-header">
+          <div class="admin-chat-avatar" id="admin-chat-avatar">?</div>
+          <div>
+            <div class="admin-chat-name" id="admin-chat-name">—</div>
+            <div class="admin-chat-meta" id="admin-chat-meta">—</div>
+          </div>
+        </div>
+        <div class="admin-chat-messages" id="admin-chat-messages"></div>
+        <div class="admin-chat-input-bar">
+          <input class="admin-chat-input" id="admin-chat-input" type="text" placeholder="Reply to player..."
+            onkeydown="if(event.key==='Enter')adminSendMsg()">
+          <button class="admin-send-btn" onclick="adminSendMsg()">
+            <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" width="18" height="18"><line x1="22" y1="2" x2="11" y2="13"/><polygon points="22 2 15 22 11 13 2 9 22 2"/></svg>
+          </button>
+        </div>
+      </div>
+    </div>
+  </div>
+
+  <!-- PROCESS PAYOUT MODAL -->
+  <div id="process-payout-modal" style="display:none;position:fixed;inset:0;background:rgba(0,0,0,.85);z-index:900;align-items:center;justify-content:center;padding:20px">
+    <div style="background:var(--bg3);border:1px solid rgba(240,192,64,.3);border-radius:16px;padding:28px 24px;max-width:480px;width:100%;max-height:90vh;overflow-y:auto">
+      <div style="display:flex;align-items:center;justify-content:space-between;margin-bottom:16px">
+        <div style="font-family:'Exo 2',sans-serif;font-weight:900;font-size:20px;color:var(--gold)">Process Payout</div>
+        <button onclick="closePayoutModal()" style="background:none;border:none;color:var(--text2);font-size:20px;cursor:pointer">X</button>
+      </div>
+      <div id="ppm-player-info" style="background:var(--bg);border:1px solid var(--border);border-radius:10px;padding:14px;margin-bottom:16px"></div>
+      <div id="ppm-saved-method" style="margin-bottom:16px"></div>
+      <div class="fg" style="margin-bottom:12px">
+        <label style="font-size:15px;font-weight:700;color:var(--text2);text-transform:uppercase;letter-spacing:1px;display:block;margin-bottom:6px">Send Payment Via</label>
+        <select id="ppm-method-select" class="fi fi-select" style="width:100%" onchange="onPayoutMethodChange()">
+          <option value="">-- Select payout method --</option>
+        </select>
+      </div>
+      <div id="ppm-method-detail" style="margin-bottom:12px"></div>
+      <div class="fg" style="margin-bottom:16px">
+        <label style="font-size:15px;font-weight:700;color:var(--text2);text-transform:uppercase;letter-spacing:1px;display:block;margin-bottom:6px">Note (optional)</label>
+        <input class="fi-sm" type="text" id="ppm-note" placeholder="e.g. Sent via Venmo 3pm" style="width:100%;padding:10px 12px">
+      </div>
+      <div id="ppm-alert" class="alert" style="margin-bottom:10px"></div>
+      <button id="ppm-submit-btn" class="btn btn-gold" onclick="submitPayout()" style="width:100%;font-size:15px;padding:14px">Process Payout</button>
+      <div style="font-size:15px;color:var(--text2);text-align:center;margin-top:10px">This marks the cashout as Sent</div>
+    </div>
+  </div>
+
+</main>
+
+<script>
+const PLATS = <?= PLATFORMS ?>; // fallback static list
+let _dynamicPlats = null;
+const pname = id => {
+  const src = _dynamicPlats || PLATS;
+  const p = src.find(p=>(p.id||p.slug)===id);
+  return p ? p.name : (id || '—');
+};
+// Load dynamic platforms list from DB
+fetch('/api/platforms.php?action=admin_list').then(r=>r.json()).then(d=>{
+  if (d.success) _dynamicPlats = d.platforms.map(p=>({id:p.slug,name:p.name}));
+}).catch(()=>{});
+const CURRENT_ADMIN_ID = <?= (int)$_SESSION['user_id'] ?>;
+const MASTER_ADMIN_ID  = <?= MASTER_ADMIN_ID ?>;
+const IS_MASTER_ADMIN  = CURRENT_ADMIN_ID === MASTER_ADMIN_ID;
+const methodLabel = m => ({ card:'💳 Card', venmo:'💙 Venmo', chime:'🟢 Chime', cashapp:'💚 Cash App', zelle:'💜 Zelle' }[m] || m);
+const methodClass = m => ({ card:'b-card', venmo:'b-venmo', chime:'b-chime', cashapp:'b-cashapp', zelle:'b-zelle' }[m] || '');
+let allUsers = [];
+
+async function apiFetch(action, method='GET', body=null) {
+  const opts={method,headers:{'Content-Type':'application/json'}};
+  if(body)opts.body=JSON.stringify(body);
+  const r = await fetch(`/api/admin.php?action=${action}`,opts);
+  return r.json();
+}
+
+// ─── INIT ──────────────────────────────────────────────────
+loadStats();
+loadPurchases('pending');
+loadCashouts('pending');
+loadUsers();
+
+async function loadStats() {
+  const d = await apiFetch('stats');
+  if (!d.success) return;
+  const s = d.stats;
+  document.getElementById('s-users').textContent = s.total_users;
+  document.getElementById('s-rev').textContent   = '$'+parseFloat(s.total_revenue).toFixed(2);
+  document.getElementById('s-toks').textContent  = s.total_tokens_sold;
+  document.getElementById('s-ppurch').textContent= s.pending_purchases;
+  document.getElementById('s-pcash').textContent = s.pending_cashouts;
+  document.getElementById('badge-purchases').textContent = s.pending_purchases;
+  document.getElementById('badge-cashouts').textContent  = s.pending_cashouts;
+  const ps = s.pending_signups || 0;
+  document.getElementById('badge-pending').textContent  = ps;
+  document.getElementById('badge-pending').style.display = ps > 0 ? 'inline-block' : 'none';
+  // Dashboard quick lists
+  loadDashPurchases();
+  loadDashCashouts();
+  loadPendingSignups();
+}
+
+// ─── SECTION NAV ───────────────────────────────────────────
+
+// ─── PURCHASE CARD RENDERER ──────────────────────────────
+function purchaseCard(p, showActions=true) {
+  const isPending = p.status === 'pending';
+  const isManual  = p.payment_method !== 'card';
+  const amt       = (p.amount_cents/100).toFixed(2);
+  const date      = (p.created_at||'').substring(0,16);
+  const statusColors = { pending:'var(--gold)', completed:'var(--green)', failed:'var(--red)' };
+  const statusLabels = { pending:'⏳ Pending Approval', completed:'✅ Completed', failed:'❌ Failed' };
+  const statusColor  = statusColors[p.status] || 'var(--text2)';
+  const statusLabel  = statusLabels[p.status]  || p.status;
+  const mIcons  = { card:'💳', venmo:'💙', cashapp:'💚', zelle:'💜', chime:'🟢', manual:'💵' };
+  const mLabels = { card:'Square Card', venmo:'Venmo', cashapp:'Cash App', zelle:'Zelle', chime:'Chime', manual:'Manual' };
+  const mIcon  = mIcons[p.payment_method]  || '💰';
+  const mLabel = mLabels[p.payment_method] || p.payment_method;
+  const platformRow = p.platform_id
+    ? '<div style="font-size:14px;color:var(--text2);margin-top:4px">Platform: <strong style="color:var(--cyan)">'+pname(p.platform_id)+'</strong> · Alias: <strong style="color:var(--gold2)">'+escHtmlA(p.game_alias||'—')+'</strong></div>'
+    : '';
+  const actions = showActions && isPending
+    ? '<div style="display:flex;flex-direction:column;gap:8px;flex-shrink:0;min-width:160px">'+
+      '<input class="fi-sm" type="text" id="pnote-'+p.id+'" placeholder="Note to player (optional)" style="width:100%;font-size:14px;padding:8px 10px">'+
+      '<button class="btn btn-green" data-pid="'+p.id+'" onclick="resolvePurchase(this.dataset.pid,&quot;completed&quot;)" style="width:100%;font-size:15px;padding:10px;font-weight:700">✓ Approve &amp; Credit</button>'+
+      '<button class="btn btn-red" data-pid="'+p.id+'" onclick="resolvePurchase(this.dataset.pid,&quot;failed&quot;)" style="width:100%;font-size:15px;padding:10px">✗ Reject</button></div>'
+    : (p.admin_note ? '<div style="font-size:14px;color:var(--gold);padding:6px 8px;background:rgba(240,192,64,.07);border-radius:6px;margin-top:4px">📝 '+escHtmlA(p.admin_note)+'</div>' : '');
+
+  return '<div class="card" style="margin-bottom:10px;'+(isPending?'border-color:rgba(240,192,64,.25);background:rgba(240,192,64,.02)':'')+'">'+
+    '<div style="display:flex;align-items:flex-start;gap:12px;flex-wrap:wrap">'+
+    '<div style="flex:1;min-width:180px">'+
+    '<div style="display:flex;align-items:center;gap:8px;flex-wrap:wrap;margin-bottom:4px">'+
+    '<span style="font-family:\'Exo 2\',sans-serif;font-weight:700;font-size:15px">'+escHtmlA(p.username)+'</span>'+
+    '<span style="font-size:15px;color:var(--text2)">#'+p.id+'</span>'+
+    '<span style="font-size:15px;font-weight:700;color:'+statusColor+';background:rgba(0,0,0,.25);border:1px solid '+statusColor+';border-radius:6px;padding:2px 8px">'+statusLabel+'</span></div>'+
+    '<div style="font-size:14px;color:var(--text2)">'+escHtmlA(p.alias||'')+' · '+mIcon+' '+mLabel+' · '+date+'</div>'+
+    platformRow+
+    '<div style="font-family:\'Exo 2\',sans-serif;font-weight:900;font-size:24px;color:var(--gold);margin-top:6px">'+p.tokens+' 🪙</div>'+
+    '<div style="font-size:14px;font-weight:700;color:var(--green)">$'+amt+'</div>'+
+    (isManual?'<div style="margin-top:8px;background:rgba(0,229,255,.06);border:1px solid rgba(0,229,255,.15);border-radius:6px;padding:6px 10px;font-size:14px"><span style="color:var(--cyan);font-weight:700">Manual Payment</span> — verify before approving</div>':'')+
+    '</div>'+actions+'</div></div>';
+}
+
+
+async function loadPurchases(status, btn=null) {
+  if (btn) { document.querySelectorAll('#section-purchases .ftab').forEach(b=>b.classList.remove('active')); btn.classList.add('active'); }
+  const d = await apiFetch('purchases&status='+status);
+  const el = document.getElementById('purchases-list');
+  if (!d.success || !d.purchases.length) { el.innerHTML='<div class="empty">No purchases found.</div>'; return; }
+  el.innerHTML = d.purchases.map(p => purchaseCard(p, true)).join('');
+}
+
+async function loadDashPurchases() {
+  const d = await apiFetch('purchases&status=pending');
+  const el = document.getElementById('dash-purchases');
+  if (!d.success || !d.purchases.length) { el.innerHTML='<div class="empty">No pending purchases 🎉</div>'; return; }
+  el.innerHTML = d.purchases.map(p => purchaseCard(p, true)).join('');
+}
+
+async function resolvePurchase(id, status) {
+  const note = (document.getElementById('pnote-'+id)?.value||'').trim();
+  const d = await apiFetch('resolve_purchase','POST',{id,status,note});
+  if (d.success) {
+    toast(status==='completed' ? '✓ Tokens credited!' : '✗ Purchase rejected', status==='completed'?'ok':'err');
+    document.getElementById('pr-'+id)?.remove();
+    loadStats();
+  } else toast(d.error||'Error','err');
+}
+
+// ─── CASHOUTS ──────────────────────────────────────────────
+const PAYOUT_ICONS_A = { venmo:'💙', cashapp:'💚', zelle:'💜', chime:'🟢', bank:'🏦', other:'💰' };
+const PAYOUT_LABELS_A = { venmo:'Venmo', cashapp:'Cash App', zelle:'Zelle', chime:'Chime', bank:'Bank Transfer', other:'Other' };
+
+function cashoutRow(c, showActions=true) {
+  const payoutInfo = c.payout_handle
+    ? `<div style="margin-top:6px;background:rgba(0,229,255,.06);border:1px solid rgba(0,229,255,.15);border-radius:6px;padding:6px 10px;font-size:14px">
+        <span style="font-weight:700;color:var(--cyan)">${PAYOUT_ICONS_A[c.payout_method_type]||'💰'} ${PAYOUT_LABELS_A[c.payout_method_type]||c.payout_method_type}:</span>
+        <span style="color:var(--text);margin-left:4px">${escHtmlA(c.payout_handle)}</span>
+       </div>`
+    : '<div style="font-size:15px;color:var(--red);margin-top:4px">⚠️ No payout method on file</div>';
+
+  const statusColors = { pending:'var(--text2)', locked:'var(--cyan)', approved:'var(--green)', sent:'var(--green)', rejected:'var(--red)', deleted:'var(--text2)' };
+  const statusLabels = { pending:'⏳ Draft', locked:'🔒 Ready to Process', sent:'✅ Sent', approved:'✅ Sent', rejected:'❌ Denied', deleted:'🗑 Deleted' };
+  const statusColor  = statusColors[c.status] || 'var(--text2)';
+  const canAct       = showActions && (c.status === 'pending' || c.status === 'locked');
+  const isLocked     = c.status === 'locked';
+  const playerAlias  = c.user_alias || c.alias || c.username || '';
+
+  return `<div class="card" style="margin-bottom:10px;${isLocked?'border-color:rgba(0,229,255,.25);background:rgba(0,229,255,.02)':''}">
+    <div style="display:flex;align-items:flex-start;gap:12px;flex-wrap:wrap">
+      <div style="flex:1;min-width:180px">
+        <div style="display:flex;align-items:center;gap:8px;flex-wrap:wrap;margin-bottom:4px">
+          <span style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px">${escHtmlA(c.username)}</span>
+          <span style="font-size:15px;color:var(--text2)">#${c.id}</span>
+          <span style="font-size:15px;font-weight:700;color:${statusColor};background:rgba(0,0,0,.25);border:1px solid ${statusColor};border-radius:6px;padding:2px 8px">${statusLabels[c.status]||c.status}</span>
+        </div>
+        <div style="font-size:14px;color:var(--text2)">${pname(c.platform_id)} · <span style="color:var(--cyan)">${escHtmlA(c.alias||'')}</span> · <span style="color:var(--text2)">${escHtmlA(playerAlias)}</span></div>
+        <div style="font-family:'Exo 2',sans-serif;font-weight:900;font-size:24px;color:var(--gold);margin-top:4px">${c.tokens} 🪙</div>
+        <div style="font-size:15px;color:var(--text2);margin-top:2px">${(c.created_at||'').substring(0,16)}</div>
+        ${payoutInfo}
+        ${c.admin_note ? `<div style="font-size:14px;color:var(--gold);margin-top:6px;padding:6px 8px;background:rgba(240,192,64,.07);border-radius:6px">📝 ${escHtmlA(c.admin_note)}</div>` : ''}
+      </div>
+      ${canAct ? `
+      <div style="display:flex;flex-direction:column;gap:8px;flex-shrink:0;min-width:160px">
+        <button class="btn btn-gold" onclick="openPayoutModal(${c.id})" style="width:100%;font-size:15px;padding:10px">
+          💰 Process Payout
+        </button>
+        <button class="btn btn-red" onclick="resolveCashout(${c.id},'rejected')" style="width:100%;font-size:14px;padding:8px">
+          ✗ Deny
+        </button>
+        <button onclick="resolveCashout(${c.id},'deleted')" style="width:100%;background:rgba(255,255,255,.04);border:1px solid var(--border);color:var(--text2);border-radius:8px;padding:8px;font-size:14px;cursor:pointer;font-family:'Exo 2',sans-serif;font-weight:700">
+          🗑 Delete
+        </button>
+      </div>` : ''}
+    </div>
+  </div>`;
+}
+
+async function loadCashouts(status, btn=null) {
+  if (btn) { document.querySelectorAll('#section-cashouts .ftab').forEach(b=>b.classList.remove('active')); btn.classList.add('active'); }
+  const d  = await apiFetch('cashouts&status=' + status);
+  const el = document.getElementById('cashouts-table');
+  if (!d.success || !d.cashouts.length) { el.innerHTML = '<div class="empty" style="padding:24px;text-align:center">No cashouts found.</div>'; return; }
+  el.innerHTML = d.cashouts.map(c => cashoutRow(c, true)).join('');
+}
+
+async function loadDashCashouts() {
+  const d  = await apiFetch('cashouts&status=pending');
+  const el = document.getElementById('dash-cashouts');
+  if (!d.success || !d.cashouts.length) { el.innerHTML = '<div class="empty">No pending cashouts 🎉</div>'; return; }
+  el.innerHTML = d.cashouts.map(c => cashoutRow(c, true)).join('');
+}
+
+async function resolveCashout(id, status) {
+  const labels = { approved:'✓ Payment Sent', rejected:'✗ Cashout Denied', deleted:'🗑 Request Deleted' };
+  const confirmMsgs = {
+    approved: 'Mark this cashout as SENT? This confirms you have sent the payment to the player.',
+    rejected: 'Deny this cashout request? Tokens will be returned to the player.',
+    deleted:  'Delete this cashout request?'
+  };
+  if (!confirm(confirmMsgs[status]||'Are you sure?')) return;
+  const note = (document.getElementById('cnote-'+id)?.value||'').trim();
+  const d    = await apiFetch('resolve_cashout','POST',{id,status,note});
+  if (d.success) {
+    toast(labels[status]||'Done', status==='approved'?'ok':'err');
+    loadCashouts('pending');
+    loadDashCashouts();
+    loadStats();
+  } else toast(d.error||'Error','err');
+}
+
+// ─── USERS ─────────────────────────────────────────────────
+// ─── GAMER MANAGEMENT ──────────────────────────────────────
+let GM = { all: [], filtered: [], filter: 'all', current: null, chatLastId: 0, chatPoll: null };
+
+const AVATAR_COLORS = ['#9b5de5','#e63946','#457b9d','#2ec4b6','#f4a261','#7b2fbe','#ff6b35','#00b4d8'];
+function avatarColor(username) { let h=0; for(let c of username) h=(h*31+c.charCodeAt(0))%AVATAR_COLORS.length; return AVATAR_COLORS[h]; }
+function avatarInit(username) { return (username||'?').charAt(0).toUpperCase(); }
+
+async function loadUsers() {
+  const d = await apiFetch('users');
+  if (!d.success) return;
+  GM.all = d.users;
+  applyGamerFilter();
+}
+
+function setGamerFilter(f, btn) {
+  GM.filter = f;
+  document.querySelectorAll('.gm-filter').forEach(b => b.classList.remove('active'));
+  btn.classList.add('active');
+  applyGamerFilter();
+}
+
+function filterGamers(q) {
+  const base = GM.filter === 'all' ? GM.all
+    : GM.filter === 'unverified' ? GM.all.filter(u => !parseInt(u.email_verified))
+    : GM.all.filter(u => u.status === GM.filter);
+  if (!q) { GM.filtered = base; }
+  else {
+    const lq = q.toLowerCase();
+    GM.filtered = base.filter(u =>
+      u.username.toLowerCase().includes(lq) ||
+      u.alias.toLowerCase().includes(lq) ||
+      (u.email||'').toLowerCase().includes(lq)
+    );
+  }
+  renderGamerGrid();
+}
+
+function applyGamerFilter() {
+  const q = document.getElementById('gm-search').value;
+  filterGamers(q);
+}
+
+function renderGamerGrid() {
+  const el = document.getElementById('gm-grid');
+  const users = GM.filtered;
+
+  // Mini stats
+  const total = GM.all.length;
+  const active = GM.all.filter(u=>u.status==='active'&&parseInt(u.email_verified)).length;
+  const susp = GM.all.filter(u=>u.status==='suspended').length;
+  const unver = GM.all.filter(u=>!parseInt(u.email_verified)).length;
+  document.getElementById('gm-stats-mini').innerHTML =
+    `<span style="color:var(--green)">${active} active</span> · <span style="color:var(--red)">${susp} suspended</span> · <span style="color:var(--yellow)">${unver} unverified</span> · ${total} total`;
+
+  if (!users.length) {
+    el.innerHTML = '<div class="gm-empty">No players match this filter.</div>';
+    return;
+  }
+
+  el.innerHTML = users.map(u => {
+    const color = avatarColor(u.username);
+    const init  = avatarInit(u.username);
+    const verified = parseInt(u.email_verified);
+    const isSupended = u.status === 'suspended';
+    const cardClass = isSupended ? 'suspended' : (!verified ? 'unverified' : '');
+    const lastSeen = u.last_login ? timeAgo(u.last_login) : 'Never';
+    return `
+    <div class="gm-card ${cardClass}" onclick="openGamer(${u.id})">
+      <div class="gm-card-top">
+        <div class="gm-card-avatar" style="background:linear-gradient(135deg,${color},${color}aa)">${init}</div>
+        <div class="gm-card-info">
+          <div class="gm-card-name">${escHtmlA(u.username)}</div>
+          <div class="gm-card-alias">${escHtmlA(u.alias)}</div>
+          <div class="gm-card-badges">
+            <span class="badge b-${u.status}">${u.status}</span>
+            ${verified ? '<span class="badge" style="background:rgba(0,230,118,.12);color:var(--green)">✓ verified</span>' : '<span class="badge b-pending">⚠ unverified</span>'}
+            ${u.is_admin ? '<span class="badge" style="background:rgba(240,192,64,.15);color:var(--gold)">admin</span>' : ''}
+          </div>
+        </div>
+      </div>
+      <div class="gm-card-stats">
+        <div class="gm-stat"><div class="gm-stat-val">${parseFloat(u.tokens||0)}</div><div class="gm-stat-lbl">TOKENS</div></div>
+        <div class="gm-stat"><div class="gm-stat-val" style="font-size:14px;color:var(--text2)">${(u.created_at||'').substring(0,10)}</div><div class="gm-stat-lbl">JOINED</div></div>
+        <div class="gm-stat"><div class="gm-stat-val" style="font-size:14px;color:var(--text2)">${lastSeen}</div><div class="gm-stat-lbl">LAST SEEN</div></div>
+      </div>
+      <div class="gm-card-email">${escHtmlA(u.email||'No email')}</div>
+      <div class="gm-card-hover-cta">VIEW PLAYER PROFILE →</div>
+    </div>`;
+  }).join('');
+}
+
+async function openGamer(uid) {
+  const d = await apiFetch('user_detail&user_id=' + uid);
+  if (!d.success) { toast('Failed to load player', 'err'); return; }
+  GM.current = d.user;
+  GM.chatLastId = 0;
+
+  document.getElementById('gm-list-view').style.display = 'none';
+  document.getElementById('gm-detail-view').style.display = 'block';
+
+  renderGamerProfile(d.user);
+  renderGamerOverview(d.user, d.stats);
+  populateGamerEdit(d.user);
+  updateAdminToggleBtn();
+  loadGamerPurchases(uid);
+  loadGamerCashouts(uid);
+  loadGamerChat(uid, true);
+
+  // Switch to overview tab
+  switchGamerTab('overview', document.querySelector('.gm-tab'));
+
+  // Poll chat while detail open
+  clearInterval(GM.chatPoll);
+  GM.chatPoll = setInterval(() => {
+    if (GM.current && document.getElementById('gtab-chat').classList.contains('active')) {
+      loadGamerChat(GM.current.id, false);
+    }
+  }, 3000);
+}
+
+function renderGamerProfile(u) {
+  const color = avatarColor(u.username);
+  const verified = parseInt(u.email_verified);
+  document.getElementById('gm-profile-card').innerHTML = `
+    <div class="gm-profile-avatar" style="background:linear-gradient(135deg,${color},${color}99)">${avatarInit(u.username)}</div>
+    <div class="gm-profile-info">
+      <div class="gm-profile-name">${escHtmlA(u.username)}</div>
+      <div class="gm-profile-alias">🎮 ${escHtmlA(u.alias)}</div>
+      <div class="gm-profile-email">📧 ${escHtmlA(u.email||'No email')}</div>
+      <div style="font-size:15px;color:var(--text2);margin-top:4px">
+        Joined ${(u.created_at||'').substring(0,10)} ·
+        Last login: ${u.last_login ? timeAgo(u.last_login) : 'Never'}
+      </div>
+    </div>
+    <div class="gm-profile-right">
+      <div class="gm-profile-tokens">${parseFloat(u.tokens||0)}</div>
+      <div class="gm-profile-tok-lbl">TOKENS</div>
+      <div class="gm-profile-badges">
+        <span class="badge b-${u.status}">${u.status}</span>
+        ${verified ? '<span class="badge" style="background:rgba(0,230,118,.12);color:var(--green)">✓ verified</span>' : '<span class="badge b-pending">unverified</span>'}
+        ${u.is_admin ? '<span class="badge" style="background:rgba(240,192,64,.15);color:var(--gold)">admin</span>' : ''}
+      </div>
+    </div>`;
+  // Update token display in tokens tab
+  document.getElementById('gm-token-display').textContent = parseFloat(u.tokens||0) + ' 🪙';
+  // Update suspend button
+  const sb = document.getElementById('gm-suspend-btn');
+  if (u.status === 'active') {
+    sb.textContent = '🔒 SUSPEND ACCOUNT (Lock Login)';
+    sb.className = 'btn btn-red';
+  } else {
+    sb.textContent = '🔓 ACTIVATE ACCOUNT (Restore Login)';
+    sb.className = 'btn btn-green';
+  }
+}
+
+function renderGamerOverview(u, stats) {
+  const verified = parseInt(u.email_verified);
+  document.getElementById('gm-info-grid').innerHTML = [
+    { label: 'User ID',       val: '#' + u.id },
+    { label: 'Username',      val: u.username },
+    { label: 'Alias',         val: u.alias },
+    { label: 'Email',         val: u.email || '—' },
+    { label: 'Status',        val: `<span class="badge b-${u.status}">${u.status}</span>` },
+    { label: 'Email Verified',val: verified ? '<span style="color:var(--green)">✓ Yes</span>' : '<span style="color:var(--yellow)">⚠ No</span>' },
+    { label: 'Token Balance',  val: `<span style="color:var(--gold);font-family:\'Exo 2\',sans-serif;font-weight:700">${parseFloat(u.tokens||0)} 🪙</span>` },
+    { label: 'Total Spent',        val: stats ? `<span style="color:var(--green);font-weight:700">$${parseFloat(stats.total_spent||0).toFixed(2)}</span>` : '—' },
+    { label: 'Tokens Purchased',    val: stats ? `<span style="color:var(--gold)">${stats.total_tokens_bought} 🪙</span>` : '—' },
+    { label: 'Completed Purchases', val: stats ? `<span style="color:var(--green)">${stats.completed_purchases}</span>` : '—' },
+    { label: 'Pending Payments',    val: stats ? `<span style="color:var(--yellow)">${stats.pending_purchases}</span>` : '—' },
+    { label: 'Failed Payments',     val: stats ? `<span style="color:var(--red)">${stats.failed_purchases}</span>` : '—' },
+    { label: 'Cashout Requests',    val: stats ? stats.total_cashouts + ' total' : '—' },
+    { label: 'Joined',        val: (u.created_at||'').substring(0,16) },
+    { label: 'Last Login',    val: u.last_login ? u.last_login.substring(0,16) : 'Never' },
+    { label: 'Admin Access',  val: u.is_admin ? '<span style="color:var(--gold)">Yes</span>' : 'No' },
+  ].map(item => `
+    <div class="gm-info-item">
+      <div class="gm-info-label">${item.label}</div>
+      <div class="gm-info-val">${item.val}</div>
+    </div>`).join('');
+
+  document.getElementById('gm-action-btns').innerHTML = `
+    <button class="btn btn-gold" style="flex:1;min-width:140px" onclick="switchGamerTab('tokens',document.querySelectorAll('.gm-tab')[1])">🪙 Manage Tokens</button>
+    <button class="btn btn-cyan" style="flex:1;min-width:140px" onclick="switchGamerTab('chat',document.querySelectorAll('.gm-tab')[4])">💬 Message Player</button>
+    <button class="btn" style="flex:1;min-width:140px;background:rgba(155,93,229,.12);color:#c77dff;border:1px solid rgba(155,93,229,.3)" onclick="switchGamerTab('edit',document.querySelectorAll('.gm-tab')[5])">✏️ Edit Account</button>
+    ${!parseInt(u.email_verified) ? '<button class="btn btn-gold" style="flex:1;min-width:140px" onclick="gmResendVerify()">📧 Resend Verify Email</button>' : ''}`;
+}
+
+function populateGamerEdit(u) {
+  document.getElementById('gm-edit-username').value = u.username || '';
+  document.getElementById('gm-edit-alias').value    = u.alias    || '';
+  document.getElementById('gm-edit-email').value    = u.email    || '';
+  document.getElementById('gm-edit-password').value = '';
+}
+
+async function loadGamerPurchases(uid) {
+  const d = await apiFetch('user_purchases&user_id=' + uid);
+  const el = document.getElementById('gm-purchases-table');
+  if (!d.success || !d.purchases.length) { el.innerHTML = '<div class="gm-empty">No purchases found.</div>'; return; }
+
+  // Summary strip
+  const total = d.purchases.length;
+  const completed = d.purchases.filter(p=>p.status==='completed').length;
+  const pending   = d.purchases.filter(p=>p.status==='pending').length;
+  const failed    = d.purchases.filter(p=>p.status==='failed').length;
+  const revenue   = d.purchases.filter(p=>p.status==='completed').reduce((s,p)=>s+(p.amount_cents/100),0);
+  const tokens    = d.purchases.filter(p=>p.status==='completed').reduce((s,p)=>s+parseInt(p.tokens),0);
+
+  el.innerHTML = `
+  <div class="pm-summary">
+    <div class="pm-sum-item"><div class="pm-sum-val" style="color:var(--green)">$${revenue.toFixed(2)}</div><div class="pm-sum-lbl">Revenue</div></div>
+    <div class="pm-sum-item"><div class="pm-sum-val" style="color:var(--gold)">${tokens} 🪙</div><div class="pm-sum-lbl">Tokens Sold</div></div>
+    <div class="pm-sum-item"><div class="pm-sum-val" style="color:var(--green)">${completed}</div><div class="pm-sum-lbl">Completed</div></div>
+    <div class="pm-sum-item"><div class="pm-sum-val" style="color:var(--yellow)">${pending}</div><div class="pm-sum-lbl">Pending</div></div>
+    <div class="pm-sum-item"><div class="pm-sum-val" style="color:var(--red)">${failed}</div><div class="pm-sum-lbl">Failed</div></div>
+  </div>
+  ${d.purchases.map(p => {
+    const isCustom  = parseInt(p.is_custom);
+    const isPending = p.status === 'pending';
+    const isManual  = p.payment_method !== 'card';
+    const billing   = [p.billing_name, p.billing_address, [p.billing_city, p.billing_state, p.billing_zip].filter(Boolean).join(' ')].filter(Boolean).join(' · ');
+    return `
+    <div class="pm-card pm-${p.status}">
+      <div class="pm-card-top">
+        <div class="pm-card-left">
+          <div class="pm-order-id">#${p.id} ${isCustom ? '<span class="pm-custom-badge">CUSTOM</span>' : ''}</div>
+          <div class="pm-date">${(p.created_at||'').substring(0,16)}</div>
+        </div>
+        <div class="pm-card-right">
+          <div class="pm-amount">$${(p.amount_cents/100).toFixed(2)}</div>
+          <div class="pm-tokens">${p.tokens} 🪙</div>
+        </div>
+      </div>
+      <div class="pm-card-mid">
+        <div class="pm-detail-row">
+          <span class="badge ${methodClass(p.payment_method)}">${methodLabel(p.payment_method)}</span>
+          <span class="badge b-${p.status}">${p.status}</span>
+          ${p.card_brand ? `<span class="pm-card-info">💳 ${p.card_brand} ····${p.card_last4||''}</span>` : ''}
+        </div>
+        <div class="pm-detail-row" style="margin-top:6px">
+          <span class="pm-lbl">Platform:</span> <span class="pm-val">${pname(p.platform_id)}</span>
+          &nbsp;·&nbsp;
+          <span class="pm-lbl">Alias:</span> <span class="pm-val" style="color:var(--cyan)">${escHtmlA(p.game_alias||'—')}</span>
+        </div>
+        ${billing ? `<div class="pm-detail-row" style="margin-top:4px"><span class="pm-lbl">Billing:</span> <span class="pm-val">${escHtmlA(billing)}</span></div>` : ''}
+        ${p.billing_email ? `<div class="pm-detail-row"><span class="pm-lbl">Email:</span> <span class="pm-val" style="color:var(--cyan)">${escHtmlA(p.billing_email)}</span></div>` : ''}
+        ${p.square_payment_id ? `<div class="pm-detail-row" style="margin-top:4px"><span class="pm-lbl">Square ID:</span> <span class="pm-val" style="font-family:monospace;font-size:15px;color:var(--text2)">${p.square_payment_id}</span></div>` : ''}
+        ${p.failure_reason ? `<div class="pm-failure">⚠️ ${escHtmlA(p.failure_reason)}</div>` : ''}
+        ${p.admin_note ? `<div class="pm-admin-note">📝 Admin: ${escHtmlA(p.admin_note)}</div>` : ''}
+        ${p.receipt_url ? `<div style="margin-top:6px"><a href="${p.receipt_url}" target="_blank" class="pm-receipt-link">🧾 View Receipt</a></div>` : ''}
+      </div>
+      ${isPending && isManual ? `
+      <div class="pm-actions">
+        <input type="text" class="fi-sm" id="pnote-${p.id}" placeholder="Admin note..." style="flex:1">
+        <button class="btn btn-green btn-sm" onclick="resolveGamerPurchase(${p.id},'completed',${uid})">✓ Approve</button>
+        <button class="btn btn-red btn-sm" onclick="resolveGamerPurchase(${p.id},'failed',${uid})">✗ Reject</button>
+      </div>` : ''}
+    </div>`
+  }).join('')}`;
+}
+
+async function resolveGamerPurchase(id, status, uid) {
+  const note = (document.getElementById('pnote-'+id)?.value||'').trim();
+  const d = await apiFetch('resolve_purchase','POST',{id,status,note});
+  if (d.success) {
+    toast(status==='completed'?'✓ Tokens credited!':'✗ Purchase rejected', status==='completed'?'ok':'err');
+    loadGamerPurchases(uid);
+    // Refresh profile token display
+    const uData = await apiFetch('user_detail&user_id='+uid);
+    if (uData.success) { GM.current = uData.user; renderGamerProfile(uData.user); }
+    loadStats();
+  } else toast(d.error||'Error','err');
+}
+
+async function loadGamerCashouts(uid) {
+  const d = await apiFetch('user_cashouts&user_id=' + uid);
+  const el = document.getElementById('gm-cashouts-table');
+  if (!d.success || !d.cashouts.length) { el.innerHTML = '<div class="gm-empty">No cashouts found.</div>'; return; }
+  el.innerHTML = `<table>
+    <thead><tr><th>#</th><th>Platform</th><th>Alias</th><th>Tokens</th><th>Status</th><th>Date</th></tr></thead>
+    <tbody>${d.cashouts.map(c => `<tr>
+      <td style="color:var(--text2)">#${c.id}</td>
+      <td>${pname(c.platform_id)}</td>
+      <td style="color:var(--cyan)">${escHtmlA(c.alias)}</td>
+      <td><strong style="color:var(--gold)">${c.tokens} 🪙</strong></td>
+      <td><span class="badge b-${c.status}">${c.status}</span></td>
+      <td style="color:var(--text2);font-size:15px">${(c.created_at||'').substring(0,16)}</td>
+    </tr>`).join('')}</tbody>
+  </table>`;
+}
+
+async function loadGamerChat(uid, scrollToBottom) {
+  const d = await apiFetch(`chat_thread&user_id=${uid}&since=${GM.chatLastId}`);
+  if (!d.success) return;
+  const container = document.getElementById('gm-chat-messages');
+  if (d.messages.length === 0 && GM.chatLastId === 0) {
+    container.innerHTML = '<div style="text-align:center;padding:24px;color:var(--text2);font-size:15px">No messages yet with this player.</div>';
+    return;
+  }
+  if (d.messages.length > 0) {
+    if (GM.chatLastId === 0) container.innerHTML = '';
+    let lastDate = '';
+    d.messages.forEach(msg => {
+      const msgDate = msg.created_at.substring(0,10);
+      if (msgDate !== lastDate) {
+        lastDate = msgDate;
+        const div = document.createElement('div');
+        div.className = 'admin-date-div';
+        div.textContent = formatAdminDateLabel(msgDate);
+        container.appendChild(div);
+      }
+      container.appendChild(buildAdminBubble(msg));
+      GM.chatLastId = Math.max(GM.chatLastId, parseInt(msg.id));
+    });
+    if (scrollToBottom || (container.scrollHeight - container.scrollTop - container.clientHeight < 120))
+      container.scrollTop = container.scrollHeight;
+  }
+}
+
+async function gmClearThread() {
+  if (!GM.current) return;
+  if (!confirm('Clear all chat messages with ' + GM.current.username + '?\n\nThis cannot be undone.')) return;
+  const d = await apiFetch('chat_clear_thread', 'POST', { user_id: GM.current.id });
+  if (d.success) {
+    document.getElementById('gm-chat-messages').innerHTML =
+      '<div style="color:var(--text2);font-size:15px;text-align:center;padding:24px">Conversation cleared.</div>';
+    GM.chatLastId = 0;
+    toast('Conversation cleared', 'ok');
+    loadChatBadge();
+  } else toast(d.error || 'Error', 'err');
+}
+
+async function gmSendMsg() {
+  const input = document.getElementById('gm-chat-input');
+  const msg = input.value.trim();
+  if (!msg || !GM.current) return;
+  input.value = '';
+  const container = document.getElementById('gm-chat-messages');
+  const temp = buildAdminBubble({ id:'tmp', sender:'admin', message:msg, created_at:new Date().toISOString().replace('T',' ').substring(0,19) });
+  temp.style.opacity = '0.6';
+  container.appendChild(temp);
+  container.scrollTop = container.scrollHeight;
+  const d = await apiFetch('chat_admin_send','POST',{user_id:GM.current.id, message:msg});
+  if (d.success) { temp.style.opacity='1'; GM.chatLastId = Math.max(GM.chatLastId, d.id); }
+  else { temp.remove(); toast('Send failed','err'); }
+}
+
+async function gmAdjustTokens(sign) {
+  const amt = parseFloat(document.getElementById('gm-tok-amount').value);
+  const reason = document.getElementById('gm-tok-reason').value.trim();
+  const msgEl = document.getElementById('gm-tok-msg');
+  if (isNaN(amt) || amt <= 0) { showAdminAlert(msgEl,'Enter a valid positive amount.','error'); return; }
+  const d = await apiFetch('adjust_tokens','POST',{user_id:GM.current.id, amount: sign * amt, reason});
+  if (d.success) {
+    GM.current.tokens = d.new_balance;
+    document.getElementById('gm-token-display').textContent = d.new_balance + ' 🪙';
+    document.getElementById('gm-profile-tokens') && (document.querySelector('.gm-profile-tokens') ? document.querySelector('.gm-profile-tokens').textContent = d.new_balance : null);
+    renderGamerProfile(GM.current);
+    showAdminAlert(msgEl, `Balance updated: ${d.new_balance} tokens`, 'success');
+    document.getElementById('gm-tok-amount').value = '';
+    loadUsers();
+  } else showAdminAlert(msgEl, d.error||'Error','error');
+}
+
+async function gmSetTokens() {
+  const newBal = parseFloat(document.getElementById('gm-tok-set').value);
+  const msgEl = document.getElementById('gm-tok-msg');
+  if (isNaN(newBal) || newBal < 0) { showAdminAlert(msgEl,'Enter a valid balance.','error'); return; }
+  const d = await apiFetch('set_tokens','POST',{user_id:GM.current.id, balance:newBal});
+  if (d.success) {
+    GM.current.tokens = d.new_balance;
+    document.getElementById('gm-token-display').textContent = d.new_balance + ' 🪙';
+    renderGamerProfile(GM.current);
+    showAdminAlert(msgEl, `Balance set to ${d.new_balance} tokens`, 'success');
+    document.getElementById('gm-tok-set').value = '';
+    loadUsers();
+  } else showAdminAlert(msgEl, d.error||'Error','error');
+}
+
+async function gmSaveEdit() {
+  const al = document.getElementById('gm-edit-alert');
+  const username = document.getElementById('gm-edit-username').value.trim();
+  const alias    = document.getElementById('gm-edit-alias').value.trim();
+  const email    = document.getElementById('gm-edit-email').value.trim();
+  const password = document.getElementById('gm-edit-password').value;
+  if (!username||!alias) { showAdminAlert(al,'Username and alias are required.','error'); return; }
+  const d = await apiFetch('edit_user','POST',{user_id:GM.current.id, username, alias, email, password});
+  if (d.success) {
+    GM.current = {...GM.current, username, alias, email};
+    renderGamerProfile(GM.current);
+    showAdminAlert(al,'Player info updated!','success');
+    loadUsers();
+    toast('Saved!','ok');
+  } else showAdminAlert(al, d.error||'Error saving.','error');
+}
+
+async function gmToggleSuspend() {
+  const isSuspended = GM.current.status === 'suspended';
+  const action = isSuspended ? 'activate' : 'suspend';
+  if (!isSuspended && !confirm(`Suspend ${GM.current.username}? They will be locked out immediately.`)) return;
+  const d = await apiFetch('toggle_user','POST',{user_id:GM.current.id});
+  if (d.success) {
+    GM.current.status = isSuspended ? 'active' : 'suspended';
+    renderGamerProfile(GM.current);
+    renderGamerOverview(GM.current, null);
+    toast(`Account ${isSuspended?'activated':'suspended'}`, 'ok');
+    loadUsers();
+  } else toast('Error','err');
+}
+
+async function gmSendPasswordReset() {
+  if (!GM.current.email) { toast('No email on file for this player','err'); return; }
+  const d = await apiFetch('send_password_reset','POST',{user_id:GM.current.id});
+  if (d.success) toast('Password reset email sent!','ok');
+  else toast(d.error||'Error','err');
+}
+
+async function gmResendVerify() {
+  if (!GM.current.email) { toast('No email on file','err'); return; }
+  const d = await apiFetch('resend_verification','POST',{user_id:GM.current.id});
+  if (d.success) toast('Verification email sent!','ok');
+  else toast(d.error||'Error','err');
+}
+
+async function gmToggleAdmin() {
+  const u = GM.current;
+  if (!u) return;
+  const making = !parseInt(u.is_admin);
+  const msg = making
+    ? 'Grant ADMIN access to ' + u.username + '? They will have full admin panel access.'
+    : 'Remove admin access from ' + u.username + '?';
+  if (!confirm(msg)) return;
+  const d = await apiFetch('toggle_admin','POST',{user_id: u.id});
+  if (d.success) {
+    GM.current.is_admin = d.is_admin;
+    const msg = d.is_admin ? u.username+' is now an ADMIN' : 'Admin removed from '+u.username;
+    toast(msg + ' — they must log out and back in for changes to take effect', 'ok');
+    renderGamerProfile(GM.current);
+    renderGamerOverview(GM.current, null);
+    updateAdminToggleBtn();
+    loadUsers();
+  } else {
+    toast(d.error || 'Error', 'err');
+  }
+}
+
+function updateAdminToggleBtn() {
+  const u = GM.current;
+  const btn = document.getElementById('gm-admin-toggle-btn');
+  if (!btn || !u) return;
+  // Only master admin can see/use this button
+  if (!IS_MASTER_ADMIN) { btn.style.display = 'none'; return; }
+  btn.style.display = 'block';
+  const isMaster = u.id == MASTER_ADMIN_ID;
+  if (isMaster) {
+    btn.textContent = '🔒 Master Admin (Locked)';
+    btn.disabled = true;
+    btn.className = 'btn';
+    btn.style.cssText = 'background:rgba(240,192,64,.08);color:var(--gold);border:1px solid rgba(240,192,64,.2);cursor:not-allowed;opacity:.7';
+  } else if (parseInt(u.is_admin)) {
+    btn.textContent = '⬇️ Remove Admin Access';
+    btn.disabled = false;
+    btn.className = 'btn btn-red';
+    btn.style.cssText = '';
+  } else {
+    btn.textContent = '⬆️ Grant Admin Access';
+    btn.disabled = false;
+    btn.className = 'btn btn-gold';
+    btn.style.cssText = '';
+  }
+}
+
+async function gmDeleteAccount() {
+  if (!confirm(`⚠️ PERMANENTLY delete ${GM.current.username}?\n\nThis removes all their data and cannot be undone.`)) return;
+  if (!confirm(`Are you absolutely sure? Type OK to confirm deletion of ${GM.current.username}.`)) return;
+  const d = await apiFetch('delete_user','POST',{user_id:GM.current.id});
+  if (d.success) {
+    toast(`${GM.current.username} deleted`,'ok');
+    clearInterval(GM.chatPoll);
+    showGamerList();
+    loadUsers();
+    loadStats();
+  } else toast(d.error||'Error','err');
+}
+
+function showGamerList() {
+  clearInterval(GM.chatPoll);
+  GM.current = null;
+  document.getElementById('gm-list-view').style.display = 'block';
+  document.getElementById('gm-detail-view').style.display = 'none';
+}
+
+function switchGamerTab(name, btn) {
+  document.querySelectorAll('.gm-tab').forEach(b => b.classList.remove('active'));
+  document.querySelectorAll('.gm-tab-panel').forEach(p => p.classList.remove('active'));
+  if (btn) btn.classList.add('active');
+  document.getElementById('gtab-'+name)?.classList.add('active');
+  if (name === 'chat' && GM.current) loadGamerChat(GM.current.id, true);
+  if (name === 'billing' && GM.current) loadGamerBilling(GM.current.id);
+  if (name === 'aliases' && GM.current) gmLoadAliases(GM.current.id);
+  if (name === 'payout'     && GM.current) gmLoadPayout(GM.current.id);
+  if (name === 'platforms'  && GM.current) gmLoadPlatformAccounts(GM.current.id);
+  if (name === 'platforms'  && GM.current) gmLoadPlatformAccounts(GM.current.id);
+}
+
+function showAdminAlert(el, msg, type) {
+  el.textContent = msg;
+  el.className = `alert show alert-${type}`;
+  setTimeout(() => el.className = 'alert', 4000);
+}
+
+function timeAgo(dtStr) {
+  const d = new Date(dtStr.replace(' ','T'));
+  const diff = (Date.now() - d) / 1000;
+  if (diff < 60) return 'Just now';
+  if (diff < 3600) return Math.floor(diff/60) + 'm ago';
+  if (diff < 86400) return Math.floor(diff/3600) + 'h ago';
+  if (diff < 604800) return Math.floor(diff/86400) + 'd ago';
+  return d.toLocaleDateString('en-US',{month:'short',day:'numeric'});
+}
+
+// Alias old functions so nothing breaks
+function filterUsers(q) { filterGamers(q); }
+function adjustTokens(uid) {}
+function toggleUser(uid) {}
+
+// ─── FULL HISTORY ──────────────────────────────────────────
+var _histPage = 1;
+
+async function loadHistory(page) {
+  if (page) _histPage = page;
+  const el   = document.getElementById('history-table');
+  const pgEl = document.getElementById('hist-pagination');
+  const ctEl = document.getElementById('hist-count');
+  const stEl = document.getElementById('hist-stats');
+
+  el.innerHTML = '<div style="padding:24px;text-align:center;color:var(--text2)">Loading audit log...</div>';
+  if (pgEl) pgEl.innerHTML = '';
+
+  const category = document.getElementById('hist-category')?.value || '';
+  const severity = document.getElementById('hist-severity')?.value || '';
+  const search   = document.getElementById('hist-search')?.value.trim() || '';
+  const date     = document.getElementById('hist-date')?.value || '';
+
+  const params = new URLSearchParams({
+    action: 'activity_log_v2',
+    page:   _histPage,
+    limit:  20,
+    category, severity, search, date
+  });
+
+  const d = await fetch('/api/admin.php?' + params.toString()).then(r=>r.json());
+  if (!d.success) { el.innerHTML = '<div class="empty">Failed to load audit log.</div>'; return; }
+
+  const events = d.events || [];
+  const total  = d.total  || 0;
+  const pages  = Math.ceil(total / 20);
+
+  if (ctEl) ctEl.textContent = total + ' total events';
+
+  // Stats bar
+  if (stEl && d.stats) {
+    const s = d.stats;
+    stEl.innerHTML = [
+      { label:'Total Events', val: total, color:'var(--text)' },
+      { label:'Critical', val: s.critical||0, color:'var(--red)' },
+      { label:'Warnings',  val: s.warning||0,  color:'var(--gold)' },
+      { label:'Unique IPs', val: s.unique_ips||0, color:'var(--cyan)' },
+    ].map(x =>
+      '<div class="card" style="text-align:center;padding:10px 8px">'+
+      '<div style="font-family:\'Exo 2\',sans-serif;font-weight:900;font-size:20px;color:'+x.color+'">'+x.val+'</div>'+
+      '<div style="font-size:14px;color:var(--text2);text-transform:uppercase;letter-spacing:.5px">'+x.label+'</div></div>'
+    ).join('');
+  }
+
+  if (!events.length) {
+    el.innerHTML = '<div class="empty" style="padding:24px;text-align:center">No events match these filters.</div>';
+    return;
+  }
+
+  const SEV_COLORS = { critical:'var(--red)', warning:'var(--gold)', info:'var(--text2)' };
+  const CAT_ICONS  = { auth:'🔐', player:'👤', admin:'🛡️', security:'⚠️', general:'📋' };
+
+  let lastDate = '';
+  let rows = '';
+  for (const e of events) {
+    const dt   = (e.created_at||'').substring(0,10);
+    const time = (e.created_at||'').substring(11,19);
+    if (dt !== lastDate) {
+      lastDate = dt;
+      const isToday = dt === new Date().toISOString().substring(0,10);
+      const label   = isToday ? 'Today' : new Date(dt+'T12:00:00').toLocaleDateString('en-US',{weekday:'short',month:'short',day:'numeric',year:'numeric'});
+      rows += '<div style="padding:10px 0 6px;font-size:15px;font-weight:700;color:var(--text2);letter-spacing:1px;text-transform:uppercase;border-bottom:1px solid var(--border);margin-bottom:6px">'+label+'</div>';
+    }
+
+    const sevColor = SEV_COLORS[e.severity] || 'var(--text2)';
+    const catIcon  = CAT_ICONS[e.category]  || '📋';
+    const who      = e.alias || e.username   || '—';
+    const adminBy  = e.admin_username ? ' <span style="font-size:14px;color:var(--gold)">by '+escHtmlA(e.admin_username)+'</span>' : '';
+    const action   = e.action.replace(/_/g,' ');
+
+    // Build detail row
+    let details = '';
+    if (e.detail)    details += '<div style="font-size:15px;color:var(--text2);margin-top:2px">'+escHtmlA(e.detail)+'</div>';
+    if (e.old_value && e.new_value)
+      details += '<div style="font-size:15px;margin-top:2px"><span style="color:var(--red)">'+escHtmlA(e.old_value)+'</span> → <span style="color:var(--green)">'+escHtmlA(e.new_value)+'</span></div>';
+    if (e.ip)        details += '<div style="font-size:14px;color:var(--text2);margin-top:2px">IP: '+escHtmlA(e.ip)+' | Session: '+escHtmlA(e.session_id||'—')+'</div>';
+    if (e.page)      details += '<div style="font-size:14px;color:var(--text2);">Page: '+escHtmlA(e.page)+'</div>';
+    if (e.user_agent)details += '<div style="font-size:15px;color:var(--text2);word-break:break-all;opacity:.7">UA: '+escHtmlA(e.user_agent.substring(0,120))+'</div>';
+
+    rows += '<div style="border-left:3px solid '+sevColor+';padding:8px 12px;margin-bottom:4px;border-radius:0 6px 6px 0;background:rgba(255,255,255,.02)">' +
+      '<div style="display:flex;align-items:flex-start;gap:10px">' +
+      '<span style="font-size:14px;flex-shrink:0;margin-top:1px">'+catIcon+'</span>' +
+      '<div style="flex:1;min-width:0">' +
+      '<span style="font-weight:700;font-size:15px;color:'+sevColor+'">'+action+'</span>'+adminBy +
+      details + '</div>' +
+      '<div style="text-align:right;flex-shrink:0;min-width:90px">' +
+      '<div style="font-size:14px;font-weight:700">'+escHtmlA(who)+'</div>' +
+      '<div style="font-size:14px;color:var(--text2)">'+time+'</div>' +
+      '<div style="font-size:15px;color:'+sevColor+';text-transform:uppercase;letter-spacing:.5px">'+e.severity+'</div>' +
+      '</div></div></div>';
+  }
+
+  el.innerHTML = '<div style="padding:4px 0">'+rows+'</div>';
+
+  // Pagination
+  if (pgEl && pages > 1) {
+    let pg = '';
+    if (_histPage > 1) pg += '<button onclick="loadHistory('+(_histPage-1)+')" class="btn btn-outline" style="padding:6px 14px;font-size:14px">← Prev</button>';
+    const start2 = Math.max(1, _histPage-2);
+    const end2   = Math.min(pages, _histPage+2);
+    for (let p = start2; p <= end2; p++) {
+      pg += '<button onclick="loadHistory('+p+')" class="btn '+(p===_histPage?'btn-gold':'btn-outline')+'" style="padding:6px 12px;font-size:14px">'+p+'</button>';
+    }
+    if (_histPage < pages) pg += '<button onclick="loadHistory('+(_histPage+1)+')" class="btn btn-outline" style="padding:6px 14px;font-size:14px">Next →</button>';
+    pg += '<span style="font-size:14px;color:var(--text2);align-self:center">Page '+_histPage+' of '+pages+'</span>';
+    pgEl.innerHTML = pg;
+  }
+}
+
+async function exportHistory() {
+  const category = document.getElementById('hist-category')?.value || '';
+  const severity = document.getElementById('hist-severity')?.value || '';
+  const search   = document.getElementById('hist-search')?.value.trim() || '';
+  const date     = document.getElementById('hist-date')?.value || '';
+  window.open('/api/admin.php?action=activity_log_csv&category='+encodeURIComponent(category)+'&severity='+encodeURIComponent(severity)+'&search='+encodeURIComponent(search)+'&date='+encodeURIComponent(date));
+}
+
+// ─── TOAST ─────────────────────────────────────────────────
+function toast(msg,type='ok'){const el=document.getElementById('toast');el.textContent=msg;el.className='show '+type;setTimeout(()=>el.className='',3000);}
+
+// ─── ADMIN GAMER ALIASES ──────────────────────────────────
+async function gmLoadPayout(uid) {
+  const el = document.getElementById('gm-payout-list');
+  const d  = await apiFetch('payout_methods_get&user_id=' + uid);
+  if (!d.success || !d.methods.length) {
+    el.innerHTML = '<div class="gm-empty">No payout methods saved by this player.</div>';
+    return;
+  }
+  const ICONS  = { venmo:'💙', cashapp:'💚', zelle:'💜', chime:'🟢', bank:'🏦', other:'💰' };
+  const LABELS = { venmo:'Venmo', cashapp:'Cash App', zelle:'Zelle', chime:'Chime', bank:'Bank Transfer', other:'Other' };
+  el.innerHTML = d.methods.map(m => `
+    <div style="display:flex;align-items:center;gap:12px;padding:12px;background:${parseInt(m.is_default)?'rgba(0,229,255,.07)':'var(--bg2)'};border:1px solid ${parseInt(m.is_default)?'rgba(0,229,255,.25)':'var(--border)'};border-radius:8px;margin-bottom:8px">
+      <span style="font-size:24px">${ICONS[m.method_type]||'💰'}</span>
+      <div style="flex:1">
+        <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px">${escHtmlA(m.label)}
+          ${parseInt(m.is_default)?'<span style="font-size:14px;color:var(--cyan);border:1px solid rgba(0,229,255,.2);border-radius:4px;padding:2px 6px;margin-left:6px">DEFAULT</span>':''}
+        </div>
+        <div style="font-size:14px;color:var(--text2)">${LABELS[m.method_type]||m.method_type} · ${escHtmlA(m.account_handle)}</div>
+      </div>
+    </div>`).join('');
+}
+
+async function gmLoadPlatformAccounts(uid) {
+  const el = document.getElementById('gm-platforms-list');
+  const d  = await apiFetch('platform_accounts_user&user_id=' + uid);
+  if (!d.success || !d.accounts.length) {
+    el.innerHTML = '<div class="gm-empty">No platform account requests for this player.</div>';
+    return;
+  }
+  const STATUS = { pending:'⏳ Pending', approved:'✅ Active', denied:'❌ Denied', deleted:'🗑 Deleted' };
+  const SCLS   = { pending:'ac-pending', approved:'ac-completed', denied:'ac-failed', deleted:'ac-failed' };
+  el.innerHTML = d.accounts.map(a => `
+    <div style="border:1px solid var(--border);border-radius:8px;padding:12px;margin-bottom:8px">
+      <div style="display:flex;align-items:center;gap:10px;margin-bottom:${a.status==='approved'?'10':'0'}px">
+        <div style="font-size:20px">${a.color?`<span style="display:inline-block;width:10px;height:10px;border-radius:50%;background:${a.color}"></span>`:'🎮'}</div>
+        <div style="flex:1">
+          <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px">${escHtmlA(a.display_name||a.platform_slug)}</div>
+          <span class="activity-status ${SCLS[a.status]||'ac-pending'}">${STATUS[a.status]||a.status}</span>
+        </div>
+        ${a.status==='approved'?`<button onclick="openPaUpdateModal(${a.id},'${escAttr(GM.current?.alias||'')}','${escAttr(a.display_name||'')}','${escAttr(a.provided_username||'')}','${escAttr(a.provided_password||'')}')" style="background:rgba(0,229,255,.08);border:1px solid rgba(0,229,255,.18);color:var(--cyan);border-radius:6px;padding:5px 10px;font-size:15px;font-weight:700;cursor:pointer">✏️ Update</button>`:
+        a.status==='pending'?`<button onclick="openPaModal(${a.id},'${escAttr(GM.current?.alias||'')}','${escAttr(a.display_name||'')}')" class="btn btn-green" style="padding:5px 12px;font-size:15px">✅ Approve</button>`:''}
+      </div>
+      ${a.status==='approved'?`<div style="background:rgba(0,229,255,.05);border:1px solid rgba(0,229,255,.12);border-radius:6px;padding:8px 10px;font-size:14px">
+        <div><span style="color:var(--text2)">Username:</span> <strong>${escHtmlA(a.provided_username||'—')}</strong></div>
+        <div><span style="color:var(--text2)">Password:</span> <strong style="color:var(--gold)">${escHtmlA(a.provided_password||'—')}</strong></div>
+        ${a.player_url?`<a href="${escHtmlA(a.player_url)}" target="_blank" style="color:var(--cyan);font-size:15px">↗ Open platform</a>`:''}
+      </div>`:''}
+    </div>`).join('');
+}
+async function gmLoadAliases(uid) {
+  const el = document.getElementById('gm-aliases-list');
+  const [aliasRes, platRes] = await Promise.all([
+    apiFetch('game_aliases_get&user_id=' + uid),
+    fetch('/api/platforms.php?action=list').then(r=>r.json())
+  ]);
+  const aliases   = (aliasRes.success ? aliasRes.aliases : {}) || {};
+  const platforms = platRes.success ? platRes.platforms : [];
+  if (!platforms.length) { el.innerHTML = '<div class="gm-empty">No games configured.</div>'; return; }
+  el.innerHTML = platforms.map(p => `
+    <div style="display:flex;align-items:center;gap:12px;padding:10px 0;border-bottom:1px solid var(--border)">
+      <div style="width:10px;height:10px;border-radius:50%;background:${p.color};box-shadow:0 0 8px ${p.color};flex-shrink:0"></div>
+      <div style="flex:1;min-width:0">
+        <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:var(--text);margin-bottom:5px">${escHtmlA(p.name)}</div>
+        <input class="fi-sm" id="gm-alias-${p.id}" type="text" maxlength="100"
+          value="${escHtmlA(aliases[p.id]||'')}"
+          placeholder="No alias set..."
+          style="width:100%;padding:8px 12px;font-size:15px">
+      </div>
+    </div>`).join('') + '<div style="height:1px"></div>';
+}
+
+async function gmSaveAllAliases() {
+  if (!GM.current) return;
+  const al = document.getElementById('gm-aliases-alert');
+  const aliases = {};
+  document.querySelectorAll('[id^="gm-alias-"]').forEach(el => {
+    const slug = el.id.replace('gm-alias-', '');
+    aliases[slug] = el.value.trim();
+  });
+  const d = await apiFetch('game_aliases_save_all', 'POST', { user_id: GM.current.id, aliases });
+  if (d.success) { showAdminAlert(al, 'Aliases saved!', 'success'); toast('Aliases saved', 'ok'); }
+  else showAdminAlert(al, d.error || 'Save failed', 'error');
+}
+async function loadGamerBilling(uid) {
+  const d = await apiFetch('billing_get&user_id=' + uid);
+  const noCard  = document.getElementById('gm-billing-no-card');
+  const cardDiv = document.getElementById('gm-billing-card-display');
+  const cardEl  = document.getElementById('gm-billing-card');
+
+  if (d.success && d.billing) {
+    const b = d.billing;
+    // Fill form
+    ['first','last','email','address','city','state','zip'].forEach(f => {
+      const el = document.getElementById('gm-b-'+f);
+      if (el) el.value = b[f==='first'?'first_name':f==='last'?'last_name':f] || '';
+    });
+    // Show card info
+    if (b.card_last4) {
+      cardEl.innerHTML = `
+        <div style="display:flex;justify-content:space-between;align-items:center;margin-bottom:16px">
+          <span style="font-family:'Exo 2',sans-serif;font-weight:900;font-size:16px;color:#fff;letter-spacing:2px">${escHtmlA(b.card_brand||'CARD')}</span>
+          <span style="font-size:20px">💳</span>
+        </div>
+        <div style="font-family:'Courier New',monospace;font-size:16px;color:#fff;letter-spacing:4px;margin-bottom:16px">···· ···· ···· ${escHtmlA(b.card_last4)}</div>
+        <div style="display:flex;justify-content:space-between;color:#fff">
+          <div><div style="font-size:15px;color:rgba(255,255,255,.5);margin-bottom:2px">CARD HOLDER</div><div style="font-weight:700">${escHtmlA([b.first_name,b.last_name].filter(Boolean).join(' '))||'—'}</div></div>
+          <div style="text-align:right"><div style="font-size:15px;color:rgba(255,255,255,.5);margin-bottom:2px">EXPIRES</div><div style="font-weight:700">${b.card_exp_month&&b.card_exp_year?b.card_exp_month+'/'+b.card_exp_year.slice(-2):'—'}</div></div>
+        </div>`;
+      cardDiv.style.display = 'block';
+      noCard.style.display  = 'none';
+    } else {
+      cardDiv.style.display = 'none';
+      noCard.style.display  = 'block';
+    }
+  } else {
+    cardDiv.style.display = 'none';
+    noCard.style.display  = 'block';
+  }
+}
+
+async function gmSaveBilling() {
+  if (!GM.current) return;
+  const al = document.getElementById('gm-billing-alert');
+  const data = {
+    user_id:    GM.current.id,
+    first_name: document.getElementById('gm-b-first')?.value.trim()   || '',
+    last_name:  document.getElementById('gm-b-last')?.value.trim()    || '',
+    email:      document.getElementById('gm-b-email')?.value.trim()   || '',
+    address:    document.getElementById('gm-b-address')?.value.trim() || '',
+    city:       document.getElementById('gm-b-city')?.value.trim()    || '',
+    state:      (document.getElementById('gm-b-state')?.value.trim()  || '').toUpperCase(),
+    zip:        document.getElementById('gm-b-zip')?.value.trim()     || '',
+  };
+  const d = await apiFetch('billing_save','POST', data);
+  if (d.success) { toast('Billing info saved','ok'); showAdminAlert(al,'Billing saved!','success'); }
+  else toast(d.error||'Error','err');
+}
+
+async function gmClearCard() {
+  if (!GM.current || !confirm('Remove saved card info for this player?')) return;
+  const d = await apiFetch('billing_clear_card','POST',{user_id:GM.current.id});
+  if (d.success) { toast('Card removed','ok'); loadGamerBilling(GM.current.id); }
+  else toast('Error','err');
+}
+
+async function gmClearAllBilling() {
+  if (!GM.current || !confirm('Clear ALL billing info for this player? Cannot be undone.')) return;
+  const d = await apiFetch('billing_clear_all','POST',{user_id:GM.current.id});
+  if (d.success) { toast('Billing cleared','ok'); loadGamerBilling(GM.current.id); }
+  else toast('Error','err');
+}
+
+// ─── PAYMENT SETTINGS ─────────────────────────────────────
+const PMT_ICONS = { venmo:'💙', chime:'🟢', cashapp:'💚', zelle:'💜' };
+
+async function loadPaymentSettings() {
+  const d  = await apiFetch('payment_settings_list');
+  const el = document.getElementById('payment-methods-list');
+  if (!d.success) { el.innerHTML = '<div class="empty">Failed to load.</div>'; return; }
+  // Sort: card first, then by sort_order
+  const methods = [...d.methods].sort((a,b) => a.method_key==='card'?-1:b.method_key==='card'?1:a.sort_order-b.sort_order);
+  el.innerHTML = methods.map(m => {
+    const isCard  = m.method_key === 'card';
+    const enabled = parseInt(m.is_enabled);
+    const icon    = PMT_ICONS[m.method_key] || '💰';
+    const bg      = enabled ? 'var(--green)' : 'rgba(255,255,255,.15)';
+    const knobL   = enabled ? '22px' : '2px';
+    const clr     = enabled ? 'var(--green)' : 'var(--red)';
+
+    const fields = isCard
+      ? '<div style="padding:10px 14px;background:rgba(0,229,255,.05);border-radius:8px;font-size:14px;color:var(--text2)">'+
+        'Card payments run through <strong style="color:var(--cyan)">Square</strong>. When enabled, players can pay by credit or debit card. Your Square account must be active and connected.'+
+        '<a href="https://squareup.com/dashboard" target="_blank" style="color:var(--cyan);display:block;margin-top:6px">Open Square Dashboard →</a></div>'
+      : '<div style="display:grid;grid-template-columns:1fr 1fr;gap:10px;margin-bottom:10px">'+
+        '<div><label class="gm-edit-label">Display Name</label>'+
+        '<input class="fi-sm" id="pmt-label-'+m.id+'" type="text" value="'+escHtmlA(m.label)+'" style="width:100%;padding:9px 12px"></div>'+
+        '<div><label class="gm-edit-label">Handle / Address</label>'+
+        '<input class="fi-sm" id="pmt-handle-'+m.id+'" type="text" value="'+escHtmlA(m.handle||'')+'" placeholder="@YourHandle" style="width:100%;padding:9px 12px"></div></div>'+
+        '<div style="margin-bottom:10px"><label class="gm-edit-label">Instructions (optional)</label>'+
+        '<input class="fi-sm" id="pmt-instructions-'+m.id+'" type="text" value="'+escHtmlA(m.instructions||'')+'" placeholder="Shown to player at checkout" style="width:100%;padding:9px 12px"></div>'+
+        '<button class="btn btn-gold" style="width:100%" onclick="savePaymentMethod('+m.id+')">Save</button>';
+
+    return '<div class="card" style="margin-bottom:12px;'+(isCard?'border-color:rgba(0,229,255,.25)':'')+'" id="pmt-card-'+m.id+'">'+
+      '<div style="display:flex;align-items:center;gap:12px;margin-bottom:12px">'+
+      '<div style="font-size:26px">'+icon+'</div>'+
+      '<div style="flex:1"><div style="font-family:\'Exo 2\',sans-serif;font-weight:700;font-size:15px">'+escHtmlA(m.label)+'</div>'+
+      '<div style="font-size:15px;color:var(--text2);margin-top:1px">'+(isCard?'Square Card Processing':'Manual payment'+(m.handle?' · '+escHtmlA(m.handle):''))+'</div></div>'+
+      '<label style="display:flex;align-items:center;gap:8px;cursor:pointer">'+
+      '<span style="font-size:14px;color:'+clr+'" id="pmt-status-'+m.id+'">'+(enabled?'Enabled':'Disabled')+'</span>'+
+      '<div onclick="togglePaymentMethod('+m.id+','+m.is_enabled+')" style="width:44px;height:24px;border-radius:12px;background:'+bg+';position:relative;cursor:pointer;transition:background .2s;flex-shrink:0" id="pmt-toggle-'+m.id+'">'+
+      '<div style="position:absolute;top:2px;left:'+knobL+';width:20px;height:20px;border-radius:50%;background:#fff;transition:left .2s" id="pmt-knob-'+m.id+'"></div></div>'+
+      '</label></div>'+
+      fields+'</div>';
+  }).join('');
+  window._pmtData = d.methods;
+}
+
+async function togglePaymentMethod(id, currentEnabled) {
+  const newEnabled = parseInt(currentEnabled) ? 0 : 1;
+  const d = await apiFetch('payment_settings_update','POST',{
+    id, is_enabled: newEnabled,
+    label: document.getElementById('pmt-label-'+id)?.value || '',
+    handle: document.getElementById('pmt-handle-'+id)?.value || '',
+    instructions: document.getElementById('pmt-instructions-'+id)?.value || '',
+    sort_order: 0
+  });
+  if (d.success) {
+    // Update toggle UI
+    const toggle = document.getElementById('pmt-toggle-'+id);
+    const knob   = document.getElementById('pmt-knob-'+id);
+    const status = document.getElementById('pmt-status-'+id);
+    if (toggle) toggle.style.background = newEnabled ? 'var(--green)' : 'rgba(255,255,255,.15)';
+    if (knob)   knob.style.left = newEnabled ? '22px' : '2px';
+    if (status) { status.textContent = newEnabled ? 'Enabled' : 'Disabled'; status.style.color = newEnabled ? 'var(--green)' : 'var(--red)'; }
+    // Update onclick for next toggle
+    const toggleEl = document.getElementById('pmt-toggle-'+id)?.parentElement;
+    if (toggleEl) toggleEl.setAttribute('onclick', `togglePaymentMethod(${id},${newEnabled})`);
+    toast(newEnabled ? 'Payment method enabled' : 'Payment method disabled', 'ok');
+  } else toast(d.error||'Error','err');
+}
+
+async function savePaymentMethod(id) {
+  const d = await apiFetch('payment_settings_update','POST',{
+    id,
+    label:        document.getElementById('pmt-label-'+id)?.value.trim() || '',
+    handle:       document.getElementById('pmt-handle-'+id)?.value.trim() || '',
+    instructions: document.getElementById('pmt-instructions-'+id)?.value.trim() || '',
+    is_enabled:   window._pmtData?.find(m=>m.id==id)?.is_enabled ?? 1,
+    sort_order:   window._pmtData?.find(m=>m.id==id)?.sort_order ?? 0,
+  });
+  if (d.success) toast('Saved!','ok');
+  else toast(d.error||'Save failed','err');
+}
+
+
+// PAYOUT SETTINGS
+async function loadPayoutSettings() {
+  const el = document.getElementById('payout-settings-list');
+  if (!el) return;
+  const d = await fetch('/api/payout_process.php?action=list_settings').then(r=>r.json());
+  if (!d.success || !d.settings.length) { el.innerHTML='<div class="empty">No payout settings.</div>'; return; }
+  window._payoutSettings = d.settings;
+  const icons = {venmo:'Venmo',cashapp:'Cash App',zelle:'Zelle',chime:'Chime',square_gift:'Square Gift Card'};
+  el.innerHTML = d.settings.map(s => {
+    const isGC = s.method_type === 'square_gift_card';
+    const enabled = parseInt(s.is_enabled);
+    return '<div class="card" style="margin-bottom:12px;' + (isGC?'border-color:rgba(0,229,255,.3)':'') + '">' +
+      '<div style="display:flex;align-items:center;gap:10px;margin-bottom:12px">' +
+      '<div style="flex:1"><div style="font-family:\'Exo 2\',sans-serif;font-weight:700;font-size:14px">' + escHtmlA(s.label) + '</div>' +
+      '<div style="font-size:15px;color:' + (isGC?'var(--cyan)':'var(--text2)') + '">' + (isGC?'Real-time via Square':'Manual — send outside app') + '</div></div>' +
+      '<label style="display:flex;align-items:center;gap:6px;cursor:pointer;font-size:14px;font-weight:700">' +
+      '<input type="checkbox" ' + (enabled?'checked':'') + ' onchange="togglePayoutSetting(' + s.id + ',this.checked)" style="width:16px;height:16px;accent-color:var(--green)"> ' +
+      (enabled?'<span style="color:var(--green)">Enabled</span>':'<span style="color:var(--text2)">Disabled</span>') + '</label></div>' +
+      (isGC ? '<div style="font-size:14px;color:var(--text2);padding:10px;background:rgba(0,229,255,.05);border-radius:8px">Creates a Square digital gift card loaded with the cashout amount. Player redeems anywhere Square is accepted. No handle needed.</div>' :
+        '<div style="display:grid;grid-template-columns:1fr 1fr;gap:8px;margin-bottom:8px">' +
+        '<div><label class="gm-edit-label">Your Handle</label><input class="fi-sm" type="text" id="ps-handle-' + s.id + '" value="' + escHtmlA(s.handle||'') + '" placeholder="@handle" style="width:100%;padding:8px 10px"></div>' +
+        '<div><label class="gm-edit-label">Sort</label><input class="fi-sm" type="number" id="ps-sort-' + s.id + '" value="' + s.sort_order + '" style="width:100%;padding:8px 10px"></div></div>' +
+        '<div style="margin-bottom:10px"><label class="gm-edit-label">Instructions</label><input class="fi-sm" type="text" id="ps-instr-' + s.id + '" value="' + escHtmlA(s.instructions||'') + '" placeholder="Steps to send" style="width:100%;padding:8px 10px"></div>' +
+        '<button class="btn btn-gold" onclick="savePayoutSetting(' + s.id + ')" style="font-size:14px;padding:8px 16px">Save</button>') +
+      '</div>';
+  }).join('');
+}
+async function togglePayoutSetting(id, enabled) {
+  await fetch('/api/payout_process.php?action=update_setting',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({id,is_enabled:enabled?1:0})}).then(r=>r.json());
+}
+async function savePayoutSetting(id) {
+  const d = await fetch('/api/payout_process.php?action=update_setting',{method:'POST',headers:{'Content-Type':'application/json'},
+    body:JSON.stringify({id,handle:document.getElementById('ps-handle-'+id)?.value.trim(),instructions:document.getElementById('ps-instr-'+id)?.value.trim(),sort_order:parseInt(document.getElementById('ps-sort-'+id)?.value)||0,is_enabled:1})}).then(r=>r.json());
+  if (d.success) toast('Saved','ok'); else toast('Error','err');
+}
+
+// PROCESS PAYOUT MODAL
+let PPM = {cashoutId:null,cashout:null,settings:[]};
+async function openPayoutModal(cashoutId) {
+  PPM.cashoutId=cashoutId;
+  const modal=document.getElementById('process-payout-modal');
+  modal.style.display='flex';
+  document.getElementById('ppm-alert').className='alert';
+  document.getElementById('ppm-note').value='';
+  document.getElementById('ppm-method-detail').innerHTML='';
+  const [dr,sr]=await Promise.all([
+    fetch('/api/payout_process.php?action=cashout_detail&id='+cashoutId).then(r=>r.json()),
+    fetch('/api/payout_process.php?action=list_settings').then(r=>r.json()),
+  ]);
+  if (!dr.success){toast('Load failed','err');closePayoutModal();return;}
+  PPM.cashout=dr.cashout;
+  PPM.settings=(sr.settings||[]).filter(s=>parseInt(s.is_enabled));
+  const c=PPM.cashout;
+  const amt=parseFloat(c.tokens).toFixed(2);
+  document.getElementById('ppm-player-info').innerHTML=
+    '<div style="display:flex;align-items:center;justify-content:space-between;gap:12px">'+
+    '<div><div style="font-family:\'Exo 2\',sans-serif;font-weight:700;font-size:16px">'+escHtmlA(c.alias||c.username)+'</div>'+
+    '<div style="font-size:14px;color:var(--text2)">@'+escHtmlA(c.username)+' | '+escHtmlA(c.email||'')+'</div>'+
+    '<div style="font-size:14px;color:var(--text2)">'+pname(c.platform_id)+' | '+escHtmlA(c.alias||'')+'</div></div>'+
+    '<div style="text-align:right"><div style="font-family:\'Exo 2\',sans-serif;font-weight:900;font-size:28px;color:var(--gold)">'+c.tokens+' Tokens</div>'+
+    '<div style="font-size:14px;font-weight:700;color:var(--green)">$'+amt+'</div></div></div>';
+  const spm=document.getElementById('ppm-saved-method');
+  const ph=c.saved_payout_handle||c.payout_handle;
+  const pt=c.saved_payout_label||c.payout_method_type||'';
+  spm.innerHTML=ph?
+    '<div style="background:rgba(0,229,255,.06);border:1px solid rgba(0,229,255,.15);border-radius:8px;padding:10px 14px">'+
+    '<div style="font-size:15px;font-weight:700;color:var(--text2);margin-bottom:4px">PLAYER PAYOUT METHOD</div>'+
+    '<div style="font-size:14px;font-weight:700">'+escHtmlA(pt)+' | <span style="color:var(--cyan)">'+escHtmlA(ph)+'</span></div></div>':
+    '<div style="font-size:14px;color:var(--red)">No payout method on file for this player</div>';
+  const sel=document.getElementById('ppm-method-select');
+  sel.innerHTML='<option value="">-- Select method --</option>'+
+    PPM.settings.map(s=>'<option value="'+escHtmlA(s.method_key)+'" data-type="'+s.method_type+'">'+
+      (s.method_type==='square_gift_card'?'[INSTANT] ':'')+escHtmlA(s.label)+'</option>').join('');
+}
+function closePayoutModal(){
+  document.getElementById('process-payout-modal').style.display='none';
+  PPM={cashoutId:null,cashout:null,settings:[]};
+}
+function onPayoutMethodChange(){
+  const key=document.getElementById('ppm-method-select').value;
+  const detail=document.getElementById('ppm-method-detail');
+  const btn=document.getElementById('ppm-submit-btn');
+  if (!key){detail.innerHTML='';btn.textContent='Process Payout';return;}
+  const s=PPM.settings.find(x=>x.method_key===key);
+  if (!s) return;
+  const amt=parseFloat(PPM.cashout?.tokens||0).toFixed(2);
+  const c=PPM.cashout;
+  if (s.method_type==='square_gift_card'){
+    detail.innerHTML='<div style="background:rgba(0,229,255,.07);border:1px solid rgba(0,229,255,.2);border-radius:10px;padding:14px">'+
+      '<div style="font-size:15px;font-weight:700;color:var(--cyan);margin-bottom:8px">INSTANT Square Gift Card</div>'+
+      '<div style="font-size:15px">Creates a digital gift card for <strong style="color:var(--gold)">$'+amt+'</strong> via your Square account instantly. Card number shows here — send to player via chat.</div></div>';
+    btn.textContent='Process via Square Gift Card';
+  } else {
+    const ph=c?.payout_handle||c?.saved_payout_handle||'(none on file)';
+    detail.innerHTML='<div style="background:rgba(240,192,64,.07);border:1px solid rgba(240,192,64,.2);border-radius:10px;padding:14px">'+
+      '<div style="font-size:15px;font-weight:700;color:var(--gold);margin-bottom:8px">Manual Processing</div>'+
+      '<div style="font-size:15px;line-height:2.0">'+
+      '1. Open <strong>'+escHtmlA(s.label)+'</strong><br>'+
+      '2. Send <strong style="color:var(--gold)">$'+amt+'</strong> to: <span style="color:var(--cyan)"><strong>'+escHtmlA(ph)+'</strong></span><br>'+
+      (s.instructions?'3. '+escHtmlA(s.instructions):'')+'</div>'+
+      (s.handle?'<div style="font-size:14px;color:var(--text2);margin-top:8px">Your handle: <strong>'+escHtmlA(s.handle)+'</strong></div>':'')+'</div>';
+    btn.textContent='Mark as Sent (Manual)';
+  }
+}
+async function submitPayout(){
+  const key=document.getElementById('ppm-method-select').value;
+  const note=document.getElementById('ppm-note').value.trim();
+  const al=document.getElementById('ppm-alert');
+  al.className='alert';
+  if (!key){showAdminAlert(al,'Select a payout method.','error');return;}
+  const s=PPM.settings.find(x=>x.method_key===key);
+  if (!s) return;
+  const isGC=s.method_type==='square_gift_card';
+  const amt=parseFloat(PPM.cashout?.tokens||0).toFixed(2);
+  if (!confirm(isGC?'Create Square gift card for $'+amt+'?':'Confirm you have sent $'+amt+' via '+s.label+'. Mark as sent?')) return;
+  const btn=document.getElementById('ppm-submit-btn');
+  btn.disabled=true; btn.textContent='Processing...';
+  try {
+    const res=await fetch('/api/payout_process.php?action=process_payout',{method:'POST',headers:{'Content-Type':'application/json'},
+      body:JSON.stringify({cashout_id:PPM.cashoutId,payout_method_key:key,payout_type:s.method_type,note})}).then(r=>r.json());
+    if (res.success){
+      showAdminAlert(al,isGC?'Gift card created!':'Marked as sent!','success');
+      if (res.gift_card_gan){
+        al.innerHTML+='<div style="margin-top:10px;font-family:monospace;font-size:16px;color:var(--gold);word-break:break-all;user-select:all">Card #: <strong>'+res.gift_card_gan+'</strong></div>'+
+          '<div style="font-size:14px;color:var(--text2);margin-top:4px">Copy and send this card number to the player. Balance: $'+(res.gift_card_balance/100).toFixed(2)+'</div>';
+      }
+      toast(isGC?'Gift card sent!':'Marked sent','ok');
+      loadCashouts('pending');loadDashCashouts();loadStats();
+      if (!isGC) setTimeout(closePayoutModal,1500);
+    } else {
+      showAdminAlert(al,res.error||'Processing failed','error');
+    }
+  } catch(e){showAdminAlert(al,'Network error','error');}
+  finally{btn.disabled=false;btn.textContent=isGC?'Process via Square Gift Card':'Mark as Sent (Manual)';}
+}
+
+// ─── REFERRAL MANAGEMENT ──────────────────────────────────
+let _refTiers = [];
+
+function showRefSection(section) {
+  document.getElementById('ref-admin-list').style.display     = section==='list'?'block':'none';
+  document.getElementById('ref-tiers-section').style.display  = section==='tiers'?'block':'none';
+  document.getElementById('ref-shares-section').style.display = section==='shares'?'block':'none';
+  if (section==='tiers')  loadAdminTiers();
+  if (section==='shares') loadAdminShares('pending', document.querySelector('#ref-shares-section .ftab'));
+}
+
+async function loadAdminReferrals(status, btn) {
+  document.getElementById('ref-admin-list').style.display='block';
+  document.getElementById('ref-tiers-section').style.display='none';
+  document.getElementById('ref-shares-section').style.display='none';
+  if (btn) { document.querySelectorAll('#section-referrals .ftab').forEach(b=>b.classList.remove('active')); btn.classList.add('active'); }
+  const el = document.getElementById('ref-admin-list');
+  el.innerHTML = '<div style="padding:16px;text-align:center;color:var(--text2)">Loading...</div>';
+  const d = await fetch('/api/referrals.php?action=admin_list&status='+status).then(r=>r.json());
+  if (!d.success||!d.referrals.length) { el.innerHTML='<div class="empty" style="padding:24px;text-align:center">No '+status+' referrals.</div>'; return; }
+  el.innerHTML = d.referrals.map(r => buildRefCard(r, status)).join('');
+}
+
+function buildRefCard(r, status) {
+  const note    = r.admin_note ? '<div style="font-size:15px;color:var(--text2)">'+escHtmlA(r.admin_note)+'</div>' : '';
+  const awarded = r.tokens_awarded>0 ? '<div style="font-size:15px;color:var(--green)">+'+r.tokens_awarded+' tokens awarded</div>' : '';
+  const actions = status==='pending' ? [
+    '<input class="fi-sm" type="text" id="rn-'+r.id+'" placeholder="Note" style="width:100%;padding:7px 10px;font-size:14px;margin-bottom:6px">',
+    '<button class="btn btn-green" style="width:100%;font-size:14px;padding:7px;margin-bottom:4px" onclick="resolveReferral('+r.id+', \'verified\')">Verify + Award</button>',
+    '<button class="btn btn-red" style="width:100%;font-size:14px;padding:7px" onclick="resolveReferral('+r.id+', \'denied\')">Deny</button>',
+  ].join('') : '';
+  return '<div class="card" style="margin-bottom:10px"><div style="display:flex;align-items:flex-start;gap:12px">'+
+    '<div style="flex:1"><div style="font-size:15px"><strong>'+escHtmlA(r.referrer_alias||r.referrer_name)+'</strong> referred <strong>'+escHtmlA(r.referred_alias||r.referred_name)+'</strong></div>'+
+    '<div style="font-size:15px;color:var(--text2);margin-top:3px">'+(r.created_at||'').substring(0,16)+' | Email verified: '+(r.email_verified?'Yes':'No')+'</div>'+
+    awarded+note+'</div>'+
+    '<div style="flex-shrink:0;min-width:140px">'+actions+'</div></div></div>';
+}
+
+async function resolveReferral(id, status) {
+  const note = document.getElementById('rn-'+id)?.value.trim() || '';
+  if (!confirm(status==='verified' ? 'Verify and award tokens?' : 'Deny this referral?')) return;
+  const d = await fetch('/api/referrals.php?action=resolve_referral', {
+    method:'POST', headers:{'Content-Type':'application/json'},
+    body: JSON.stringify({id, status, note})
+  }).then(r=>r.json());
+  if (d.success) {
+    toast(status==='verified' ? 'Verified! '+d.tokens_awarded+' tokens awarded' : 'Denied', status==='verified'?'ok':'err');
+    loadAdminReferrals('pending', document.querySelector('#section-referrals .ftab'));
+    loadStats();
+  } else toast(d.error||'Error','err');
+}
+
+async function loadAdminTiers() {
+  const el = document.getElementById('ref-tiers-admin-list');
+  const d  = await fetch('/api/referrals.php?action=all_tiers').then(r=>r.json());
+  if (!d.success||!d.tiers.length) { el.innerHTML='<div class="empty" style="padding:20px;text-align:center">No tiers yet. Add one above.</div>'; return; }
+  _refTiers = d.tiers;
+  el.innerHTML = d.tiers.map(t => {
+    const inactive = !parseInt(t.is_active) ? '<span style="font-size:14px;color:var(--red);margin-left:6px">INACTIVE</span>' : '';
+    return '<div style="display:flex;align-items:center;gap:12px;padding:14px 18px;border-bottom:1px solid var(--border)">'+
+      '<div style="flex:1"><div style="font-family:\'Exo 2\',sans-serif;font-weight:700;font-size:14px">'+escHtmlA(t.name)+inactive+'</div>'+
+      '<div style="font-size:14px;color:var(--text2)">Min '+t.min_referrals+' refs | '+t.tokens_per_ref+' tok/ref'+(t.bonus_tokens>0?' + '+t.bonus_tokens+' milestone bonus':'')+'</div></div>'+
+      '<div style="display:flex;gap:6px">'+
+      '<button data-tid="'+t.id+'" onclick="editRefTier(this.dataset.tid)" style="background:rgba(0,229,255,.08);border:1px solid rgba(0,229,255,.2);color:var(--cyan);border-radius:6px;padding:6px 12px;font-size:14px;font-weight:700;cursor:pointer">Edit</button>'+
+      '<button data-tid="'+t.id+'" data-tname="'+escHtmlA(t.name)+'" onclick="deleteRefTier(this.dataset.tid,this.dataset.tname)" style="background:rgba(255,68,68,.08);border:1px solid rgba(255,68,68,.2);color:var(--red);border-radius:6px;padding:6px 12px;font-size:14px;font-weight:700;cursor:pointer">Del</button>'+
+      '</div></div>';
+  }).join('');
+}
+
+function editRefTier(id) {
+  const t = _refTiers.find(x=>x.id==id); if (!t) return;
+  document.getElementById('rt-id').value=t.id; document.getElementById('rt-name').value=t.name;
+  document.getElementById('rt-min').value=t.min_referrals; document.getElementById('rt-per').value=t.tokens_per_ref;
+  document.getElementById('rt-bonus').value=t.bonus_tokens; document.getElementById('rt-sort').value=t.sort_order;
+  document.getElementById('rt-desc').value=t.description||''; document.getElementById('rt-active').value=t.is_active;
+  document.getElementById('ref-tier-form-title').textContent = 'Editing: '+t.name;
+}
+
+function resetRefTierForm() {
+  ['rt-id','rt-name','rt-desc'].forEach(id=>document.getElementById(id).value='');
+  document.getElementById('rt-min').value=1; document.getElementById('rt-per').value=5;
+  document.getElementById('rt-bonus').value=0; document.getElementById('rt-sort').value=0;
+  document.getElementById('rt-active').value=1;
+  document.getElementById('ref-tier-form-title').textContent='Add Referral Tier';
+}
+
+async function saveRefTier() {
+  const al  = document.getElementById('ref-tier-alert');
+  const id  = document.getElementById('rt-id').value;
+  const data = {
+    id:             id ? parseInt(id) : undefined,
+    name:           document.getElementById('rt-name').value.trim(),
+    min_referrals:  parseInt(document.getElementById('rt-min').value)||1,
+    tokens_per_ref: parseFloat(document.getElementById('rt-per').value)||5,
+    bonus_tokens:   parseFloat(document.getElementById('rt-bonus').value)||0,
+    description:    document.getElementById('rt-desc').value.trim(),
+    sort_order:     parseInt(document.getElementById('rt-sort').value)||0,
+    is_active:      parseInt(document.getElementById('rt-active').value),
+  };
+  if (!data.name) { showAdminAlert(al,'Name is required.','error'); return; }
+  const d = await fetch('/api/referrals.php?action='+(id?'tier_update':'tier_create'),{
+    method:'POST', headers:{'Content-Type':'application/json'}, body:JSON.stringify(data)
+  }).then(r=>r.json());
+  if (d.success) { showAdminAlert(al,id?'Updated!':'Created!','success'); resetRefTierForm(); loadAdminTiers(); toast('Saved','ok'); }
+  else showAdminAlert(al,d.error||'Error','error');
+}
+
+async function deleteRefTier(id, name) {
+  if (!confirm('Delete tier "'+name+'"?')) return;
+  const d = await fetch('/api/referrals.php?action=tier_delete',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({id})}).then(r=>r.json());
+  if (d.success) { toast('Deleted','ok'); loadAdminTiers(); } else toast(d.error||'Error','err');
+}
+
+async function loadAdminShares(status, btn) {
+  if (btn) { document.querySelectorAll('#ref-shares-section .ftab').forEach(b=>b.classList.remove('active')); btn.classList.add('active'); }
+  const el = document.getElementById('ref-shares-admin-list');
+  const d  = await fetch('/api/referrals.php?action=admin_shares&status='+status).then(r=>r.json());
+  if (!d.success||!d.shares.length) { el.innerHTML='<div class="empty" style="padding:20px;text-align:center">No '+status+' shares.</div>'; return; }
+  el.innerHTML = d.shares.map(s => {
+    const btns = status==='pending' ?
+      '<div style="display:flex;gap:6px">'+
+      '<button data-sid="'+s.id+'" onclick="resolveShare(this.dataset.sid,&quot;approved&quot;)" class="btn btn-green" style="font-size:14px;padding:7px 12px">Approve</button>'+
+      '<button data-sid="'+s.id+'" onclick="resolveShare(this.dataset.sid,&quot;denied&quot;)" class="btn btn-red" style="font-size:14px;padding:7px 12px">Deny</button></div>' : '';
+    return '<div class="card" style="margin-bottom:8px;display:flex;align-items:center;gap:12px">'+
+      '<div style="flex:1"><div style="font-size:15px;font-weight:700">'+escHtmlA(s.alias||s.username)+' | <span style="color:var(--cyan)">'+escHtmlA(s.platform)+'</span></div>'+
+      '<div style="font-size:15px;color:var(--text2)">'+(s.created_at||'').substring(0,16)+' | Bonus: '+s.bonus_tokens+' tokens</div></div>'+btns+'</div>';
+  }).join('');
+}
+
+async function resolveShare(id, status) {
+  const d = await fetch('/api/referrals.php?action=resolve_share',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({id,status})}).then(r=>r.json());
+  if (d.success) { toast(status==='approved'?'Approved! Tokens awarded':'Denied','ok'); loadAdminShares('pending'); }
+  else toast(d.error||'Error','err');
+}
+
+// ─── PLATFORM ACCOUNTS ────────────────────────────────────
+async function loadPlatformAccountRequests(status, btn) {
+  if (btn) { document.querySelectorAll('#section-platform-accounts .ftab').forEach(b=>b.classList.remove('active')); btn.classList.add('active'); }
+  const el = document.getElementById('pa-requests-list');
+  el.innerHTML = '<div style="padding:16px;text-align:center;color:var(--text2)">Loading...</div>';
+  const d = await apiFetch('platform_accounts_list&status='+status);
+  if (!d.success||!d.accounts.length) { el.innerHTML='<div class="empty" style="padding:24px;text-align:center">No '+status+' requests.</div>'; return; }
+  el.innerHTML = d.accounts.map(a => buildAdminPaCard(a, status==='pending')).join('');
+}
+
+async function gmLoadPlatformAccounts(uid) {
+  const el = document.getElementById('gm-platform-accounts-list');
+  const d  = await apiFetch('platform_accounts_list&user_id='+uid);
+  if (!d.success||!d.accounts.length) { el.innerHTML='<div class="gm-empty">No platform account requests.</div>'; return; }
+  el.innerHTML = d.accounts.map(a => buildAdminPaCard(a, true)).join('');
+}
+
+function buildAdminPaCard(a, showActions) {
+  const statusLabel = { pending:'⏳ Pending', approved:'✅ Approved', denied:'❌ Denied', deleted:'🗑 Deleted' };
+  const statusColor = { pending:'var(--gold)', approved:'var(--green)', denied:'var(--red)', deleted:'var(--text2)' };
+  return '<div class="card" style="margin-bottom:12px">' +
+    '<div style="display:flex;align-items:flex-start;justify-content:space-between;gap:12px;margin-bottom:10px">' +
+    '<div><div style="font-family:\'Exo 2\',sans-serif;font-weight:700;font-size:14px">' + escHtmlA(a.username||'?') + ' <span style="color:var(--text2)">· ' + escHtmlA(a.user_alias||'') + '</span></div>' +
+    '<div style="font-size:14px;color:var(--cyan)">' + escHtmlA(a.platform_name||a.platform_slug) + '</div>' +
+    '<div style="font-size:15px;color:var(--text2)">' + (a.requested_at||'').substring(0,16) + '</div></div>' +
+    '<span style="font-size:15px;font-weight:700;color:' + (statusColor[a.status]||'var(--text2)') + ';border:1px solid currentColor;border-radius:6px;padding:3px 10px">' + (statusLabel[a.status]||a.status) + '</span></div>' +
+    '<div style="display:grid;grid-template-columns:1fr 1fr;gap:8px;margin-bottom:8px">' +
+    '<div><label class="gm-edit-label">Username</label><input class="fi-sm" type="text" id="pa-uname-' + a.id + '" value="' + escHtmlA(a.platform_username||'') + '" placeholder="username" style="width:100%;padding:8px 10px"></div>' +
+    '<div><label class="gm-edit-label">Password</label><input class="fi-sm" type="text" id="pa-pass-' + a.id + '" value="' + escHtmlA(a.platform_password||'') + '" placeholder="password" style="width:100%;padding:8px 10px"></div></div>' +
+    '<div style="margin-bottom:10px"><label class="gm-edit-label">Note to Player</label>' +
+    '<input class="fi-sm" type="text" id="pa-note-' + a.id + '" value="' + escHtmlA(a.admin_note||'') + '" placeholder="Optional note" style="width:100%;padding:8px 10px"></div>' +
+    '<div style="display:flex;gap:8px">' +
+    (a.status==='pending' ? '<button class="btn btn-green" onclick="resolvePlatformAccount('+a.id+',\'approved\')" style="flex:1;font-size:14px">Approve</button><button class="btn btn-red" onclick="resolvePlatformAccount('+a.id+',\'denied\')" style="font-size:14px;padding:8px 14px">Deny</button>' : '') +
+    (a.status==='approved' ? '<button class="btn btn-gold" onclick="updatePlatformAccount('+a.id+')" style="flex:1;font-size:14px">Update Credentials</button>' : '') +
+    '</div></div>';
+}
+
+async function resolvePlatformAccount(id, status) {
+  const uname = document.getElementById('pa-uname-'+id)?.value.trim();
+  const pass  = document.getElementById('pa-pass-'+id)?.value.trim();
+  const note  = document.getElementById('pa-note-'+id)?.value.trim();
+  if (status==='approved'&&!uname) { toast('Username required to approve','err'); return; }
+  if (!confirm(status==='approved'?'Approve and send credentials to player?':'Deny this request?')) return;
+  const d = await apiFetch('platform_account_resolve','POST',{id,status,platform_username:uname,platform_password:pass,admin_note:note});
+  if (d.success) {
+    toast(status==='approved'?'Approved!':'Denied','ok');
+    loadPlatformAccountRequests('pending', document.querySelector('#section-platform-accounts .ftab'));
+    if (GM.current) gmLoadPlatformAccounts(GM.current.id);
+  } else toast(d.error||'Error','err');
+}
+
+async function updatePlatformAccount(id) {
+  const d = await apiFetch('platform_account_update','POST',{
+    id, platform_username: document.getElementById('pa-uname-'+id)?.value.trim(),
+    platform_password: document.getElementById('pa-pass-'+id)?.value.trim(),
+    admin_note: document.getElementById('pa-note-'+id)?.value.trim()
+  });
+  if (d.success) toast('Updated','ok'); else toast(d.error||'Error','err');
+}
+
+async function sendBroadcast() {
+  const subject = document.getElementById('bc-subject')?.value.trim();
+  const message = document.getElementById('bc-message')?.value.trim();
+  const target  = document.getElementById('bc-target')?.value || 'all';
+  const al      = document.getElementById('bc-alert');
+  if (al) al.className = 'alert';
+
+  if (!subject) { if(al) showAdminAlert(al,'Subject is required.','error'); return; }
+  if (!message) { if(al) showAdminAlert(al,'Message is required.','error'); return; }
+
+  const btn = document.querySelector('#section-broadcasts .btn-gold');
+  if (btn) { btn.disabled = true; btn.textContent = 'Sending...'; }
+
+  const d = await apiFetch('broadcast_send','POST',{ subject, message, target });
+
+  if (btn) { btn.disabled = false; btn.textContent = '📢 SEND BROADCAST'; }
+
+  if (d.success) {
+    if (al) showAdminAlert(al, '✓ Broadcast sent to ' + (d.recipient_count||0) + ' players!', 'success');
+    document.getElementById('bc-subject').value = '';
+    document.getElementById('bc-message').value = '';
+    setTimeout(() => { if(al){al.className='alert';al.textContent='';} }, 4000);
+    loadBroadcasts();
+  } else {
+    if (al) showAdminAlert(al, d.error || 'Failed to send.', 'error');
+  }
+}
+
+async function loadBroadcasts() {
+  const el = document.getElementById('bc-list');
+  if (!el) return;
+  el.innerHTML = '<div style="padding:20px;text-align:center;color:var(--text2)">Loading broadcasts...</div>';
+  let d;
+  try { d = await apiFetch('broadcast_list'); } catch(e) {
+    el.innerHTML = '<div class="empty" style="padding:24px;text-align:center;color:var(--red)">Failed to load broadcasts.</div>';
+    return;
+  }
+  if (!d || !d.success) {
+    el.innerHTML = '<div class="empty" style="padding:24px;text-align:center;color:var(--red)">' + (d?.error||'Error loading broadcasts') + '</div>';
+    return;
+  }
+  if (!d.broadcasts || !d.broadcasts.length) {
+    el.innerHTML = '<div class="empty" style="padding:24px;text-align:center;color:var(--text2)">No broadcasts sent yet.</div>';
+    return;
+  }
+  const TGT = { all:'👥 All', verified:'✅ Verified', unverified:'⏳ Unverified', admins:'🔑 Admins' };
+  el.innerHTML = d.broadcasts.map(b => {
+    const readPct = b.total_players > 0 ? Math.round((b.read_count/b.total_players)*100) : 0;
+    const dt = (b.sent_at||'').substring(0,16).replace('T',' ');
+    return `<div class="card" style="margin-bottom:10px">
+      <div style="display:flex;align-items:flex-start;gap:12px;flex-wrap:wrap">
+        <div style="flex:1;min-width:200px">
+          <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:16px;color:var(--text);margin-bottom:4px">${escHtmlA(b.subject)}</div>
+          <div style="font-size:14px;color:var(--text2);margin-bottom:8px;line-height:1.5">${escHtmlA(b.message.substring(0,120))}${b.message.length>120?'...':''}</div>
+          <div style="display:flex;gap:10px;flex-wrap:wrap;font-size:13px;color:var(--text2)">
+            <span style="color:var(--gold);font-weight:700">${TGT[b.target]||b.target}</span>
+            <span>📅 ${dt}</span>
+            <span>👤 ${escHtmlA(b.sender_name)}</span>
+            <span style="color:var(--cyan)">👁 ${b.read_count}/${b.total_players} read (${readPct}%)</span>
+            <span style="color:var(--purple)">💬 ${b.reply_count} ${b.reply_count==1?'reply':'replies'}</span>
+          </div>
+          <div style="margin-top:8px;background:rgba(255,255,255,.08);border-radius:4px;height:5px;width:200px;max-width:100%">
+            <div style="height:5px;border-radius:4px;background:var(--cyan);width:${readPct}%"></div>
+          </div>
+        </div>
+        <div style="display:flex;flex-direction:column;gap:6px;flex-shrink:0">
+          <button onclick="editBroadcast(${b.id},'${escAttr(b.subject)}','${escAttr(b.message)}','${b.target}')"
+            style="background:rgba(155,93,229,.1);border:1px solid rgba(155,93,229,.3);color:var(--purple);border-radius:6px;padding:7px 14px;font-size:13px;font-weight:700;cursor:pointer">✏️ Edit</button>
+          <button onclick="resendBroadcast(${b.id},'${escAttr(b.subject)}')"
+            style="background:rgba(0,229,255,.08);border:1px solid rgba(0,229,255,.2);color:var(--cyan);border-radius:6px;padding:7px 14px;font-size:13px;font-weight:700;cursor:pointer">↩ Resend</button>
+          <button onclick="deleteBroadcast(${b.id},'${escAttr(b.subject)}')"
+            style="background:rgba(255,68,68,.07);border:1px solid rgba(255,68,68,.2);color:var(--red);border-radius:6px;padding:7px 14px;font-size:13px;font-weight:700;cursor:pointer">🗑 Delete</button>
+        </div>
+      </div>
+    </div>`;
+  }).join('');
+}
+
+async function editBroadcast(id, subject, message, target) {
+  const newSubject = prompt('Edit Subject:', subject);
+  if (newSubject === null) return;
+  const newMessage = prompt('Edit Message:', message);
+  if (newMessage === null) return;
+  const targets = ['all','verified','unverified','admins'];
+  const labels  = ['All Players','Verified Only','Unverified Only','Admins Only'];
+  const tIdx    = targets.indexOf(target);
+  const newTarget = prompt('Send To (all/verified/unverified/admins):', target);
+  if (!targets.includes(newTarget)) { alert('Invalid target. Use: all, verified, unverified, or admins'); return; }
+  const d = await apiFetch('broadcast_edit','POST',{id, subject:newSubject, message:newMessage, target:newTarget});
+  if (d.success) { toast('Broadcast updated','ok'); loadBroadcasts(); }
+  else toast(d.error||'Failed to update','error');
+}
+
+async function resendBroadcast(id, subject) {
+  if (!confirm('Resend "'+subject+'" to all recipients? This will mark it as unread for everyone.')) return;
+  const d = await apiFetch('broadcast_resend','POST',{id});
+  if (d.success) { toast('Resent to '+d.recipient_count+' players','ok'); loadBroadcasts(); }
+  else toast(d.error||'Failed to resend','error');
+}
+
+async function openBcDrawer(id, subject) {
+  bcCurrentId = id;
+  document.getElementById('bc-drawer').style.display = 'block';
+  document.getElementById('bc-drawer-title').textContent = '📢 ' + subject;
+  document.getElementById('bc-drawer').scrollIntoView({behavior:'smooth'});
+  switchBcTab('replies', document.getElementById('bc-tab-replies'));
+}
+
+function closeBcDrawer() {
+  document.getElementById('bc-drawer').style.display = 'none';
+  bcCurrentId = null;
+}
+
+function switchBcTab(tab, btn) {
+  bcCurrentTab = tab;
+  document.querySelectorAll('#bc-drawer .ftab').forEach(b=>b.classList.remove('active'));
+  if (btn) btn.classList.add('active');
+  if (tab === 'replies') loadBcReplies();
+  else loadBcReads();
+}
+
+async function loadBcReplies() {
+  if (!bcCurrentId) return;
+  const el = document.getElementById('bc-drawer-content');
+  el.innerHTML = '<div style="color:var(--text2);font-size:15px;text-align:center;padding:16px">Loading...</div>';
+  const d = await apiFetch('broadcast_replies&broadcast_id=' + bcCurrentId);
+  if (!d.success || !d.replies.length) {
+    el.innerHTML = '<div style="color:var(--text2);font-size:15px;text-align:center;padding:16px">No replies yet.</div>';
+    return;
+  }
+  el.innerHTML = d.replies.map(r => {
+    const isAdm = parseInt(r.is_admin);
+    return `<div style="display:flex;gap:10px;margin-bottom:12px">
+      <div style="width:32px;height:32px;border-radius:50%;background:${isAdm?'linear-gradient(135deg,#f0c040,#d4a017)':'linear-gradient(135deg,#7b2fbe,#457b9d)'};display:flex;align-items:center;justify-content:center;font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px;color:#fff;flex-shrink:0">${(r.username||'?').charAt(0).toUpperCase()}</div>
+      <div style="flex:1;background:${isAdm?'rgba(240,192,64,.07)':'var(--bg3)'};border:1px solid ${isAdm?'rgba(240,192,64,.2)':'var(--border)'};border-radius:8px;padding:8px 12px">
+        <div style="font-size:15px;font-weight:700;color:${isAdm?'var(--gold)':'var(--cyan)'};margin-bottom:4px">
+          ${escHtmlA(r.username)}${isAdm?' 🔑 (Admin)':' · '+escHtmlA(r.alias)} <span style="color:var(--text2);font-weight:400">· ${(r.created_at||'').substring(0,16)}</span>
+        </div>
+        <div style="font-size:15px;color:var(--text)">${escHtmlA(r.message)}</div>
+      </div>
+    </div>`;
+  }).join('');
+}
+
+async function loadBcReads() {
+  if (!bcCurrentId) return;
+  const el = document.getElementById('bc-drawer-content');
+  el.innerHTML = '<div style="color:var(--text2);font-size:15px;text-align:center;padding:16px">Loading...</div>';
+  const d = await apiFetch('broadcast_reads&broadcast_id=' + bcCurrentId);
+  if (!d.success || !d.reads.length) {
+    el.innerHTML = '<div style="color:var(--text2);font-size:15px;text-align:center;padding:16px">No reads yet.</div>';
+    return;
+  }
+  el.innerHTML = `<div style="display:flex;flex-wrap:wrap;gap:8px">${d.reads.map(r=>`
+    <div style="background:var(--bg3);border:1px solid var(--border);border-radius:8px;padding:6px 12px;font-size:14px">
+      <span style="font-weight:700;color:var(--text)">${escHtmlA(r.username)}</span>
+      <span style="color:var(--text2)"> · ${(r.read_at||'').substring(0,16)}</span>
+    </div>`).join('')}</div>`;
+}
+
+async function adminBroadcastReply() {
+  if (!bcCurrentId) return;
+  const input = document.getElementById('bc-reply-input');
+  const msg   = input.value.trim();
+  if (!msg) return;
+  input.value = '';
+  const d = await apiFetch('broadcast_reply','POST',{broadcast_id:bcCurrentId, message:msg});
+  if (d.success) { loadBcReplies(); loadBroadcasts(); }
+  else toast(d.error||'Error','err');
+}
+
+async function deleteBroadcast(id, subject) {
+  if (!confirm('Delete broadcast "' + subject + '"?\n\nThis will remove all replies and read receipts. Cannot be undone.')) return;
+  const d = await apiFetch('broadcast_delete','POST',{id});
+  if (d.success) { toast('Broadcast deleted','ok'); loadBroadcasts(); if (bcCurrentId===id) closeBcDrawer(); }
+  else toast(d.error||'Error','err');
+}
+
+// ─── CASHOUT METHOD TYPES ─────────────────────────────────
+async function loadCashoutMethods() {
+  const d  = await apiFetch('cashout_methods_list');
+  const el = document.getElementById('cmt-list');
+  const ct = document.getElementById('cmt-count');
+  if (!d.success) { el.innerHTML = '<div class="empty">Failed to load.</div>'; return; }
+  const types = d.types || [];
+  if (ct) ct.textContent = types.length + ' method' + (types.length !== 1 ? 's' : '');
+  if (!types.length) { el.innerHTML = '<div class="empty" style="padding:24px;text-align:center">No methods yet. Add one above.</div>'; return; }
+  window._cmtData = types;
+  el.innerHTML = types.map(m => `
+    <div class="game-row${!parseInt(m.is_active)?' inactive-overlay':''}">
+      <div style="font-size:26px;flex-shrink:0">${escHtmlA(m.icon||'💰')}</div>
+      <div class="game-info">
+        <div class="game-name">${escHtmlA(m.label)}
+          ${!parseInt(m.is_active)?'<span class="badge" style="background:rgba(255,68,68,.15);color:var(--red);font-size:15px;margin-left:6px">INACTIVE</span>':''}
+        </div>
+        <div class="game-slug">${escHtmlA(m.slug)}</div>
+        ${m.description?`<div style="font-size:14px;color:var(--text2);margin-top:2px">${escHtmlA(m.description)}</div>`:''}
+      </div>
+      <div style="text-align:right;flex-shrink:0">
+        <div style="font-size:15px;color:var(--text2);margin-bottom:6px">Order: ${m.sort_order}</div>
+        <div class="game-actions">
+          <button class="game-edit-btn" style="background:rgba(0,229,255,.1);color:var(--cyan);border:1px solid rgba(0,229,255,.2)" onclick="editCashoutMethod(${m.id})">✏️ Edit</button>
+          <button class="game-edit-btn" style="background:rgba(255,68,68,.1);color:var(--red);border:1px solid rgba(255,68,68,.2)" onclick="deleteCashoutMethod(${m.id},'${escAttr(m.label)}')">🗑</button>
+        </div>
+      </div>
+    </div>`).join('');
+}
+
+function editCashoutMethod(id) {
+  const m = (window._cmtData||[]).find(x=>x.id==id);
+  if (!m) return;
+  document.getElementById('cmt-id').value    = m.id;
+  document.getElementById('cmt-label').value = m.label;
+  document.getElementById('cmt-slug').value  = m.slug;
+  document.getElementById('cmt-slug').disabled = true;
+  document.getElementById('cmt-icon').value  = m.icon || '💰';
+  document.getElementById('cmt-desc').value  = m.description || '';
+  document.getElementById('cmt-sort').value  = m.sort_order;
+  document.getElementById('cmt-active').value= m.is_active;
+  document.getElementById('cmt-form-title').textContent = '✏️ Editing: ' + m.label;
+  document.getElementById('cmt-form-card').scrollIntoView({behavior:'smooth'});
+}
+
+function resetCmtForm() {
+  ['cmt-id','cmt-label','cmt-desc'].forEach(id => document.getElementById(id).value = '');
+  document.getElementById('cmt-slug').value    = '';
+  document.getElementById('cmt-slug').disabled = false;
+  document.getElementById('cmt-icon').value    = '💰';
+  document.getElementById('cmt-sort').value    = '99';
+  document.getElementById('cmt-active').value  = '1';
+  document.getElementById('cmt-form-title').textContent = '➕ Add Cashout Method';
+  document.getElementById('cmt-form-alert').className = 'alert';
+}
+
+async function saveCashoutMethod() {
+  const al  = document.getElementById('cmt-form-alert');
+  const id  = document.getElementById('cmt-id').value;
+  const data = {
+    id:          id ? parseInt(id) : undefined,
+    label:       document.getElementById('cmt-label').value.trim(),
+    slug:        document.getElementById('cmt-slug').value.trim(),
+    icon:        document.getElementById('cmt-icon').value.trim() || '💰',
+    description: document.getElementById('cmt-desc').value.trim(),
+    sort_order:  parseInt(document.getElementById('cmt-sort').value) || 99,
+    is_active:   parseInt(document.getElementById('cmt-active').value),
+  };
+  if (!data.label) { showAdminAlert(al,'Label is required.','error'); return; }
+  if (!id && !data.slug) { showAdminAlert(al,'Slug is required for new methods.','error'); return; }
+  const action = id ? 'cashout_methods_update' : 'cashout_methods_create';
+  const d = await apiFetch(action,'POST',data);
+  if (d.success) {
+    showAdminAlert(al, id ? 'Method updated!' : 'Method added!', 'success');
+    resetCmtForm();
+    loadCashoutMethods();
+    toast(id ? 'Updated' : 'Method added', 'ok');
+  } else showAdminAlert(al, d.error||'Save failed','error');
+}
+
+async function deleteCashoutMethod(id, label) {
+  if (!confirm('Delete cashout method "' + label + '"?\n\nPlayers using this method will still have their saved payout methods, but it won\'t appear as an option for new methods.')) return;
+  const d = await apiFetch('cashout_methods_delete','POST',{id});
+  if (d.success) { toast('Deleted','ok'); loadCashoutMethods(); }
+  else toast(d.error||'Error','err');
+}
+
+// ─── GAME MANAGEMENT ──────────────────────────────────────
+async function loadGames() {
+  const d = await apiFetch('platforms_admin');
+  const el = document.getElementById('games-list');
+  const ct = document.getElementById('games-count');
+  if (!d.success) { el.innerHTML = '<div class="empty">Failed to load games.</div>'; return; }
+  const games = d.platforms;
+  ct.textContent = games.length + ' game' + (games.length !== 1 ? 's' : '');
+  if (!games.length) { el.innerHTML = '<div class="empty" style="padding:24px;text-align:center">No games yet. Add one above.</div>'; return; }
+  el.innerHTML = games.map(g => `
+    <div class="game-row${!parseInt(g.is_active)?' inactive-overlay':''}">
+      <div class="game-color-dot" style="background:${g.color};color:${g.color}"></div>
+      <div class="game-info">
+        <div class="game-name">${escHtmlA(g.name)}
+          ${!parseInt(g.is_active) ? '<span class="badge" style="background:rgba(255,68,68,.15);color:var(--red);font-size:15px;margin-left:6px">INACTIVE</span>' : ''}
+        </div>
+        <div class="game-slug">${escHtmlA(g.slug)}</div>
+        <div class="game-urls">
+          <div class="game-url-row">
+            <span class="game-url-label">PLAYER</span>
+            <span class="game-url-val">${escHtmlA(g.player_url)}</span>
+            <a href="${escHtmlA(g.player_url)}" target="_blank" class="game-url-link">↗</a>
+          </div>
+          ${g.console_url ? `<div class="game-url-row">
+            <span class="game-url-label" style="color:var(--gold)">CONSOLE</span>
+            <span class="game-url-val">${escHtmlA(g.console_url)}</span>
+            <a href="${escHtmlA(g.console_url)}" target="_blank" class="game-url-link" style="color:var(--gold)">↗</a>
+          </div>` : ''}
+        </div>
+      </div>
+      <div style="text-align:right;flex-shrink:0">
+        <div style="font-size:15px;color:var(--text2);margin-bottom:6px">Order: ${g.sort_order}</div>
+        <div class="game-actions">
+          <button class="game-edit-btn" style="background:rgba(0,229,255,.1);color:var(--cyan);border:1px solid rgba(0,229,255,.2)" onclick="editGame(${g.id})">✏️ Edit</button>
+          <button class="game-edit-btn" style="background:rgba(255,68,68,.1);color:var(--red);border:1px solid rgba(255,68,68,.2)" onclick="deleteGame(${g.id},'${escAttr(g.name)}')">🗑</button>
+        </div>
+      </div>
+    </div>`).join('');
+  // Store for edit
+  window._gamesData = games;
+}
+
+function editGame(id) {
+  const g = (window._gamesData || []).find(x => x.id == id);
+  if (!g) return;
+  document.getElementById('gf-id').value         = g.id;
+  document.getElementById('gf-name').value       = g.name;
+  document.getElementById('gf-slug').value       = g.slug;
+  document.getElementById('gf-slug').disabled    = true; // slug can't change (used as FK in purchases)
+  document.getElementById('gf-player-url').value = g.player_url;
+  document.getElementById('gf-console-url').value= g.console_url || '';
+  document.getElementById('gf-color').value      = g.color || '#f0c040';
+  document.getElementById('gf-color-hex').value  = g.color || '#f0c040';
+  document.getElementById('gf-sort').value       = g.sort_order;
+  document.getElementById('gf-active').value     = g.is_active;
+  document.getElementById('game-form-title').textContent = '✏️ Editing: ' + g.name;
+  document.getElementById('game-form-card').scrollIntoView({behavior:'smooth'});
+}
+
+function resetGameForm() {
+  document.getElementById('gf-id').value          = '';
+  document.getElementById('gf-name').value        = '';
+  document.getElementById('gf-slug').value        = '';
+  document.getElementById('gf-slug').disabled     = false;
+  document.getElementById('gf-player-url').value  = '';
+  document.getElementById('gf-console-url').value = '';
+  document.getElementById('gf-color').value       = '#f0c040';
+  document.getElementById('gf-color-hex').value   = '#f0c040';
+  document.getElementById('gf-sort').value        = '99';
+  document.getElementById('gf-active').value      = '1';
+  document.getElementById('game-form-title').textContent = '➕ Add New Game';
+  document.getElementById('game-form-alert').className = 'alert';
+}
+
+function syncColorPicker(hex) {
+  if (/^#[0-9a-fA-F]{6}$/.test(hex)) document.getElementById('gf-color').value = hex;
+}
+
+async function saveGame() {
+  const al = document.getElementById('game-form-alert');
+  const id  = document.getElementById('gf-id').value;
+  const data = {
+    id:          id ? parseInt(id) : undefined,
+    name:        document.getElementById('gf-name').value.trim(),
+    slug:        document.getElementById('gf-slug').value.trim(),
+    player_url:  document.getElementById('gf-player-url').value.trim(),
+    console_url: document.getElementById('gf-console-url').value.trim(),
+    color:       document.getElementById('gf-color-hex').value.trim() || document.getElementById('gf-color').value,
+    sort_order:  parseInt(document.getElementById('gf-sort').value) || 99,
+    is_active:   parseInt(document.getElementById('gf-active').value),
+  };
+  if (!data.name || !data.player_url) { showAdminAlert(al,'Name and Player URL are required.','error'); return; }
+  if (!id && !data.slug) { showAdminAlert(al,'Slug is required for new games.','error'); return; }
+  const action = id ? 'platforms_update' : 'platforms_create';
+  const d = await apiFetch(action, 'POST', data);
+  if (d.success) {
+    showAdminAlert(al, id ? 'Game updated!' : 'Game added!', 'success');
+    resetGameForm();
+    loadGames();
+    toast(id ? 'Game updated' : 'Game added', 'ok');
+  } else {
+    showAdminAlert(al, d.error || 'Save failed.', 'error');
+  }
+}
+
+async function deleteGame(id, name) {
+  if (!confirm('Delete game "' + name + '"? This cannot be undone.\n\nNote: existing purchase records referencing this game will still show the old platform ID.')) return;
+  const d = await apiFetch('platforms_delete','POST',{id});
+  if (d.success) { toast('Game deleted','ok'); loadGames(); }
+  else toast(d.error||'Error','err');
+}
+
+// Sync hex input with color picker
+document.addEventListener('DOMContentLoaded', function() {
+  const picker = document.getElementById('gf-color');
+  const hex    = document.getElementById('gf-color-hex');
+  if (picker && hex) {
+    picker.addEventListener('input', function() { hex.value = picker.value; });
+  }
+});
+
+// ─── COMPOSE: send message to any player ──────────────────
+let composePlayer = null; // { id, username, alias, email }
+
+function searchComposePlayers(q) {
+  const dd = document.getElementById('compose-dropdown');
+  if (!q || q.length < 1) { dd.style.display = 'none'; return; }
+  const lq = q.toLowerCase();
+  const matches = (allUsers.length ? allUsers : GM.all || []).filter(u =>
+    u.username.toLowerCase().includes(lq) ||
+    (u.alias||'').toLowerCase().includes(lq) ||
+    (u.email||'').toLowerCase().includes(lq)
+  ).filter(u => !u.is_admin).slice(0, 8);
+
+  if (!matches.length) {
+    dd.innerHTML = '<div style="padding:12px;color:var(--text2);font-size:15px;text-align:center">No players found</div>';
+    dd.style.display = 'block'; return;
+  }
+  dd.innerHTML = matches.map(u => {
+    const color = avatarColor(u.username);
+    const init  = avatarInit(u.username);
+    return `<div onclick="selectComposePicker(${u.id},'${escAttr(u.username)}','${escAttr(u.alias||'')}','${escAttr(u.email||'')}','${color}')"
+      style="display:flex;align-items:center;gap:10px;padding:10px 14px;cursor:pointer;transition:background .1s"
+      onmouseover="this.style.background='rgba(255,255,255,.04)'" onmouseout="this.style.background='none'">
+      <div style="width:32px;height:32px;border-radius:50%;background:linear-gradient(135deg,${color},${color}99);display:flex;align-items:center;justify-content:center;font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px;color:#fff;flex-shrink:0">${init}</div>
+      <div style="min-width:0">
+        <div style="font-weight:700;font-size:15px;color:var(--text)">${escHtmlA(u.username)} <span style="color:var(--cyan);font-weight:400">· ${escHtmlA(u.alias||'')}</span></div>
+        <div style="font-size:15px;color:var(--text2)">${escHtmlA(u.email||'No email')} · ${u.tokens||0} 🪙</div>
+      </div>
+    </div>`;
+  }).join('');
+  dd.style.display = 'block';
+}
+
+function selectComposePicker(id, username, alias, email, color) {
+  composePlayer = { id, username, alias, email };
+  const sel  = document.getElementById('compose-selected');
+  const av   = document.getElementById('compose-player-avatar');
+  const nm   = document.getElementById('compose-player-name');
+  const inf  = document.getElementById('compose-player-info');
+  av.textContent    = username.charAt(0).toUpperCase();
+  av.style.background = `linear-gradient(135deg,${color},${color}99)`;
+  nm.textContent    = username + ' · ' + alias;
+  inf.textContent   = email || 'No email';
+  sel.style.display = 'flex';
+  document.getElementById('compose-search').value = '';
+  document.getElementById('compose-dropdown').style.display = 'none';
+  document.getElementById('compose-msg').focus();
+}
+
+function clearComposePicker() {
+  composePlayer = null;
+  document.getElementById('compose-selected').style.display = 'none';
+  document.getElementById('compose-search').value = '';
+  document.getElementById('compose-alert').className = 'alert';
+}
+
+async function adminComposeSend() {
+  const al  = document.getElementById('compose-alert');
+  const msg = document.getElementById('compose-msg').value.trim();
+  if (!composePlayer) { showAdminAlert(al, 'Select a player first.', 'error'); return; }
+  if (!msg)           { showAdminAlert(al, 'Type a message first.', 'error'); return; }
+
+  const d = await apiFetch('chat_admin_send', 'POST', { user_id: composePlayer.id, message: msg });
+  if (d.success) {
+    document.getElementById('compose-msg').value = '';
+    showAdminAlert(al, '✓ Message sent to ' + composePlayer.username + '! They will see it in their Support chat.', 'success');
+    loadChatInbox(true); // refresh inbox
+    loadChatBadge();
+    // Optional: open the thread immediately
+    setTimeout(() => {
+      openChatThread(composePlayer.id, composePlayer.username, composePlayer.alias);
+    }, 800);
+  } else {
+    showAdminAlert(al, d.error || 'Failed to send.', 'error');
+  }
+}
+
+// Close compose dropdown when clicking outside
+document.addEventListener('click', function(e) {
+  const dd = document.getElementById('compose-dropdown');
+  const search = document.getElementById('compose-search');
+  if (dd && !dd.contains(e.target) && e.target !== search) {
+    dd.style.display = 'none';
+  }
+});
+async function loadPendingSignups() {
+  const d  = await apiFetch('pending_signups');
+  const el = document.getElementById('pending-list');
+  if (!d.success || !d.pending.length) {
+    el.innerHTML = '<div class="card"><div class="empty" style="padding:24px;text-align:center">✅ No pending registrations.</div></div>';
+    document.getElementById('badge-pending').style.display = 'none';
+    return;
+  }
+  const badge = document.getElementById('badge-pending');
+  if (badge) { badge.textContent = d.pending.length; badge.style.display = 'inline'; }
+
+  el.innerHTML = d.pending.map(p => {
+    const color    = avatarColor(p.username);
+    const init     = avatarInit(p.username);
+    const created  = (p.created_at||'').substring(0,16);
+    const expires  = (p.expires_at||'').substring(0,16);
+    const now      = new Date();
+    const expDate  = new Date(p.expires_at);
+    const expiring = (expDate - now) < 3600000; // < 1hr
+    return `
+    <div class="card" style="margin-bottom:10px;display:flex;align-items:center;gap:14px;flex-wrap:wrap">
+      <div style="width:44px;height:44px;border-radius:50%;background:linear-gradient(135deg,${color},${color}99);display:flex;align-items:center;justify-content:center;font-family:'Exo 2',sans-serif;font-weight:700;font-size:18px;color:#fff;flex-shrink:0">${init}</div>
+      <div style="flex:1;min-width:180px">
+        <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:var(--text)">${escHtmlA(p.username)}</div>
+        <div style="font-size:14px;color:var(--cyan);margin-top:1px">${escHtmlA(p.alias)}</div>
+        <div style="font-size:15px;color:var(--text2);margin-top:2px">${escHtmlA(p.email||'No email')}</div>
+        <div style="font-size:14px;margin-top:4px;display:flex;gap:10px;flex-wrap:wrap">
+          <span style="color:var(--text2)">Registered: ${created}</span>
+          <span style="color:${expiring?'var(--red)':'var(--text2)'}">Expires: ${expires}${expiring?' ⚠️':''}</span>
+        </div>
+      </div>
+      <div style="display:flex;gap:8px;flex-shrink:0">
+        <button class="btn btn-green" style="padding:8px 16px;font-size:14px" onclick="approvePending(${p.id},'${escAttr(p.username)}')">
+          ✓ Approve
+        </button>
+        <button class="btn btn-red" style="padding:8px 16px;font-size:14px" onclick="deletePending(${p.id},'${escAttr(p.username)}')">
+          ✗ Delete
+        </button>
+      </div>
+    </div>`;
+  }).join('');
+}
+
+async function approvePending(id, username) {
+  if (!confirm('Approve ' + username + '?\n\nThis will create their account immediately and bypass email verification.')) return;
+  const d = await apiFetch('approve_pending', 'POST', { id });
+  if (d.success) {
+    toast('✓ ' + d.username + ' approved and account created!', 'ok');
+    loadPendingSignups();
+    loadStats();
+    loadUsers();
+  } else {
+    toast(d.error || 'Error approving signup', 'err');
+  }
+}
+
+async function deletePending(id, username) {
+  if (!confirm('Delete pending signup for ' + username + '?\n\nThey will need to register again.')) return;
+  const d = await apiFetch('delete_pending', 'POST', { id });
+  if (d.success) { toast('Deleted', 'ok'); loadPendingSignups(); loadStats(); }
+  else toast('Error', 'err');
+}
+
+// ─── ADMIN CHAT ────────────────────────────────────────────
+let adminChat = { userId: null, lastId: 0, polling: null, inboxPolling: null };
+
+function showSec(name) {
+  document.querySelectorAll('.section').forEach(s=>s.classList.remove('active'));
+  document.querySelectorAll('.nav-item').forEach(b=>b.classList.remove('active'));
+  const sec = document.getElementById('section-'+name);
+  if (sec) sec.classList.add('active');
+  // Find the matching nav button safely
+  document.querySelectorAll('.nav-item').forEach(b => {
+    if (b.getAttribute('onclick') && b.getAttribute('onclick').includes("'"+name+"'")) {
+      b.classList.add('active');
+    }
+  });
+  if (name === 'chat') {
+    showChatInbox();
+    loadChatInbox();
+    // Auto-refresh inbox every 5s when inbox is visible
+    clearInterval(adminChat.inboxPolling);
+    adminChat.inboxPolling = setInterval(() => {
+      if (!adminChat.userId) { loadChatInbox(true); } // silent refresh
+    }, 5000);
+  } else {
+    clearInterval(adminChat.inboxPolling);
+  }
+  if (name === 'pending') loadPendingSignups();
+  if (name === 'history') loadHistory(1);
+  if (name === 'users') { loadUsers(); showGamerList(); }
+  if (name === 'referrals')        { loadAdminReferrals('pending', document.querySelector('#section-referrals .ftab')); }
+  if (name === 'platform-accounts') loadPlatformAccountRequests('pending', document.querySelector('#section-platform-accounts .ftab'));
+  if (name === 'broadcasts')        loadBroadcasts();
+  if (name === 'games')            loadGames();
+  if (name === 'payments')         loadPaymentSettings();
+  if (name === 'payout-settings')  loadPayoutSettings();
+  if (name === 'cashout-methods')  loadCashoutMethods();
+}
+
+async function loadChatInbox(silent) {
+  const el = document.getElementById('chat-inbox-list');
+  if (!silent) el.innerHTML = '<div class="empty" style="padding:24px">Loading conversations...</div>';
+  const d = await apiFetch('chat_inbox');
+  if (!d.success) return;
+  if (!d.inbox.length) {
+    el.innerHTML = '<div class="empty" style="padding:30px;text-align:center">&#128172; No messages yet.<br><span style="color:var(--text2);font-size:14px">Users will appear here when they send a message.</span></div>';
+    return;
+  }
+  // Update unread badge in nav
+  const totalUnread = d.inbox.reduce((s,r) => s + parseInt(r.unread_count||0), 0);
+  const badge = document.getElementById('badge-chat');
+  if (badge) { badge.textContent = totalUnread > 9 ? '9+' : totalUnread; badge.style.display = totalUnread > 0 ? 'inline' : 'none'; }
+
+  el.innerHTML = d.inbox.map(row => {
+    const init = (row.username||'?').charAt(0).toUpperCase();
+    const unread = parseInt(row.unread_count) > 0;
+    const preview = (row.last_sender === 'admin' ? 'You: ' : '') + (row.last_message || '').substring(0, 65);
+    const time = formatAdminTime(row.last_time);
+    return `<div class="chat-inbox-row${unread?' unread':''}" onclick="openChatThread(${row.user_id},'${escAttr(row.username)}','${escAttr(row.alias)}')">
+      <div class="ci-avatar" style="background:linear-gradient(135deg,${avatarColor(row.username)},${avatarColor(row.username)}aa)">${init}</div>
+      <div class="ci-body">
+        <div class="ci-top">
+          <div class="ci-name">${escHtmlA(row.username)} <span style="color:var(--cyan);font-weight:400;font-size:14px">· ${escHtmlA(row.alias)}</span></div>
+          <div class="ci-time">${time}</div>
+        </div>
+        <div class="ci-preview${unread?' unread-preview':''}">${escHtmlA(preview)}</div>
+      </div>
+      ${unread ? `<div class="ci-badge">${row.unread_count > 9 ? '9+' : row.unread_count}</div>` : ''}
+    </div>`;
+  }).join('');
+}
+
+function showChatInbox() {
+  document.getElementById('chat-inbox-view').style.display = 'block';
+  document.getElementById('chat-thread-view').style.display = 'none';
+  clearInterval(adminChat.polling);
+  adminChat.userId = null;
+  adminChat.lastId = 0;
+}
+
+async function openChatThread(userId, username, alias) {
+  clearInterval(adminChat.inboxPolling);
+  adminChat.userId = userId;
+  adminChat.lastId = 0;
+  document.getElementById('chat-inbox-view').style.display = 'none';
+  document.getElementById('chat-thread-view').style.display = 'block';
+  document.getElementById('admin-chat-name').textContent = username + ' · ' + alias;
+  document.getElementById('admin-chat-meta').textContent = 'Loading...';
+  document.getElementById('admin-chat-avatar').textContent = username.charAt(0).toUpperCase();
+  document.getElementById('admin-chat-messages').innerHTML = '<div style="color:var(--text2);font-size:14px;text-align:center;padding:20px">Loading...</div>';
+  await loadAdminThread(true);
+  clearInterval(adminChat.polling);
+  adminChat.polling = setInterval(() => loadAdminThread(false), 3000);
+}
+
+async function loadAdminThread(scrollToBottom) {
+  if (!adminChat.userId) return;
+  const d = await apiFetch('chat_thread&user_id=' + adminChat.userId + '&since=' + adminChat.lastId);
+  if (!d.success) return;
+  const container = document.getElementById('admin-chat-messages');
+
+  if (d.messages.length === 0 && adminChat.lastId === 0) {
+    container.innerHTML = '<div style="color:var(--text2);font-size:15px;text-align:center;padding:24px">No messages in this thread yet.</div>';
+  }
+
+  if (d.messages.length > 0) {
+    if (adminChat.lastId === 0) container.innerHTML = '';
+    let lastDate = '';
+    d.messages.forEach(msg => {
+      if (container.querySelector('[data-id="' + msg.id + '"]')) return;
+      const msgDate = msg.created_at.substring(0,10);
+      if (msgDate !== lastDate) {
+        lastDate = msgDate;
+        const div = document.createElement('div');
+        div.className = 'admin-date-div';
+        div.textContent = formatAdminDateLabel(msgDate);
+        container.appendChild(div);
+      }
+      const bubble = buildAdminBubble(msg);
+      if (msg.sender === 'user' && adminChat.lastId > 0) {
+        bubble.style.animation = 'fadeUp .25s ease';
+      }
+      container.appendChild(bubble);
+      adminChat.lastId = Math.max(adminChat.lastId, parseInt(msg.id));
+    });
+    if (scrollToBottom || (container.scrollHeight - container.scrollTop - container.clientHeight < 160)) {
+      container.scrollTop = container.scrollHeight;
+    }
+  }
+  if (d.user) {
+    document.getElementById('admin-chat-meta').textContent = 'Alias: ' + d.user.alias + ' · ' + d.user.tokens + ' tokens';
+  }
+}
+
+function buildAdminBubble(msg) {
+  const isAdmin = msg.sender === 'admin';
+  const wrap = document.createElement('div');
+  wrap.className = 'admin-bubble-wrap ' + (isAdmin ? 'from-admin' : 'from-user');
+  wrap.dataset.id = msg.id;
+  const time = msg.created_at.substring(11,16);
+  wrap.innerHTML =
+    '<div class="admin-bubble ' + (isAdmin ? 'from-admin' : 'from-user') + '">' + escHtmlA(msg.message) + '</div>' +
+    '<div class="admin-bubble-time">' + (isAdmin ? 'You · ' : 'User · ') + time + '</div>';
+  return wrap;
+}
+
+async function adminClearThread() {
+  if (!adminChat.userId) return;
+  const name = document.getElementById('admin-chat-name')?.textContent || 'this player';
+  if (!confirm('Clear all messages with ' + name + '?\n\nThis permanently deletes the entire conversation and cannot be undone.')) return;
+  const d = await apiFetch('chat_clear_thread', 'POST', { user_id: adminChat.userId });
+  if (d.success) {
+    document.getElementById('admin-chat-messages').innerHTML =
+      '<div style="color:var(--text2);font-size:15px;text-align:center;padding:24px">Conversation cleared.</div>';
+    adminChat.lastId = 0;
+    toast('Thread cleared', 'ok');
+    loadChatBadge();
+  } else toast(d.error || 'Error', 'err');
+}
+
+async function adminClearAllChats() {
+  if (!confirm('Clear ALL chat messages from ALL players?\n\nThis permanently deletes every conversation and cannot be undone.')) return;
+  if (!confirm('Are you absolutely sure? This will remove all chat history for every player.')) return;
+  const d = await apiFetch('chat_clear_all', 'POST', {});
+  if (d.success) {
+    toast('All chats cleared', 'ok');
+    showChatInbox();
+    loadChatInbox();
+    loadChatBadge();
+  } else toast(d.error || 'Error', 'err');
+}
+
+async function adminSendMsg() {
+  const input = document.getElementById('admin-chat-input');
+  const msg   = input.value.trim();
+  if (!msg || !adminChat.userId) return;
+  input.value = '';
+
+  const container = document.getElementById('admin-chat-messages');
+  const tempWrap = buildAdminBubble({ id: 'temp_' + Date.now(), sender:'admin', message:msg, created_at: new Date().toISOString().replace('T',' ').substring(0,19) });
+  tempWrap.style.opacity = '0.65';
+  container.appendChild(tempWrap);
+  container.scrollTop = container.scrollHeight;
+
+  const d = await apiFetch('chat_admin_send','POST',{ user_id: adminChat.userId, message: msg });
+  if (d.success) {
+    tempWrap.style.opacity = '1';
+    tempWrap.dataset.id = d.id;
+    adminChat.lastId = Math.max(adminChat.lastId, d.id);
+    loadChatBadge();
+  } else {
+    tempWrap.remove();
+    input.value = msg;
+    toast('Send failed','err');
+  }
+}
+
+async function loadChatBadge() {
+  const d = await apiFetch('chat_unread');
+  if (d.success) {
+    const b     = document.getElementById('badge-chat');
+    const alert = document.getElementById('unread-chat-alert');
+    const count = document.getElementById('unread-chat-alert-count');
+    const text  = document.getElementById('unread-chat-alert-text');
+    if (b) { b.textContent = d.count; b.style.display = d.count > 0 ? 'inline-block' : 'none'; }
+    if (alert) alert.style.display = d.count > 0 ? 'flex' : 'none';
+    if (count) count.textContent = d.count;
+    if (text)  text.textContent  = d.count + ' unread message' + (d.count !== 1 ? 's' : '') + ' waiting for a response';
+  }
+}
+
+function formatAdminTime(dt) {
+  if (!dt) return '';
+  const d = new Date(dt.replace(' ','T'));
+  const now = new Date();
+  const diff = (now - d) / 1000;
+  if (diff < 60) return 'Just now';
+  if (diff < 3600) return Math.floor(diff/60) + 'm ago';
+  if (diff < 86400) return d.toLocaleTimeString('en-US',{hour:'numeric',minute:'2-digit'});
+  return d.toLocaleDateString('en-US',{month:'short',day:'numeric'});
+}
+
+function formatAdminDateLabel(dateStr) {
+  const d = new Date(dateStr + 'T00:00:00');
+  const today = new Date(); today.setHours(0,0,0,0);
+  const diff = Math.round((today - d) / 86400000);
+  if (diff === 0) return 'Today';
+  if (diff === 1) return 'Yesterday';
+  return d.toLocaleDateString('en-US',{weekday:'long',month:'short',day:'numeric'});
+}
+
+function escHtmlA(s) { return String(s||'').replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/\n/g,'<br>'); }
+function escAttr(s) { return String(s||'').replace(/'/g,"\\'").replace(/"/g,'&quot;'); }
+
+// Poll chat badge every 10s
+setInterval(loadChatBadge, 10000);
+loadChatBadge();
+
+</script>
+<div style="position:fixed;bottom:8px;right:12px;font-size:14px;color:rgba(255,255,255,.2);font-family:'Exo 2',sans-serif;pointer-events:none;z-index:999">
+  TomTomGames Admin v1.0.0
+</div>
+</body>
+</html>
diff --git a/admin/login.php b/admin/login.php
new file mode 100644
index 0000000..55faefa
--- /dev/null
+++ b/admin/login.php
@@ -0,0 +1,54 @@
+<?php
+require_once __DIR__ . '/../../includes/auth.php';
+if (isLoggedIn() && !empty($_SESSION['is_admin'])) {
+    header('Location: /admin/index.php'); exit;
+}
+
+$error = '';
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $result = loginUser($_POST['username'] ?? '', $_POST['password'] ?? '');
+    if ($result['success'] && !empty($_SESSION['is_admin'])) {
+        header('Location: /admin/index.php'); exit;
+    } elseif ($result['success']) {
+        logoutUser();
+        $error = 'Access denied. Admin account required.';
+    } else {
+        $error = $result['error'];
+    }
+}
+?>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="robots" content="noindex, nofollow, noarchive">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>TomTomGames Admin Login</title>
+<link href="https://fonts.googleapis.com/css2?family=Exo+2:wght@700;900&family=Rajdhani:wght@500;600&display=swap" rel="stylesheet">
+<style>
+*{box-sizing:border-box;margin:0;padding:0}
+body{background:#0a0a12;color:#e8e8f0;font-family:'Rajdhani',sans-serif;min-height:100vh;display:flex;align-items:center;justify-content:center;padding:24px}
+.box{background:#1a1a2e;border:1px solid rgba(255,255,255,.08);border-radius:16px;padding:40px;width:100%;max-width:380px}
+.logo{font-family:'Exo 2',sans-serif;font-weight:900;font-size:28px;background:linear-gradient(135deg,#f0c040,#00e5ff);-webkit-background-clip:text;-webkit-text-fill-color:transparent;margin-bottom:4px}
+.sub{color:#8888aa;font-size:13px;margin-bottom:28px;letter-spacing:1px}
+.form-group{margin-bottom:16px}
+label{font-size:12px;font-weight:700;color:#8888aa;letter-spacing:1px;text-transform:uppercase;margin-bottom:8px;display:block}
+input{width:100%;background:#181828;border:1px solid rgba(255,255,255,.07);border-radius:8px;padding:13px 15px;color:#e8e8f0;font-family:'Rajdhani',sans-serif;font-size:16px;outline:none;transition:border-color .2s}
+input:focus{border-color:#00e5ff}
+.btn{width:100%;padding:15px;border:none;border-radius:8px;background:linear-gradient(135deg,#f0c040,#d4a017);color:#000;font-family:'Exo 2',sans-serif;font-weight:700;font-size:16px;letter-spacing:1px;cursor:pointer;margin-top:8px}
+.error{background:rgba(255,68,68,.1);border:1px solid rgba(255,68,68,.3);color:#ff4444;padding:12px 14px;border-radius:8px;font-size:14px;font-weight:600;margin-bottom:16px}
+</style>
+</head>
+<body>
+<div class="box">
+  <div class="logo" style="display:flex;align-items:center;gap:10px;justify-content:center"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 48 48" width="36" height="36" style="display:inline-block;vertical-align:middle;flex-shrink:0"><defs><linearGradient id="ll1" x1="0%" y1="0%" x2="100%" y2="100%"><stop offset="0%" stop-color="#f0c040"/><stop offset="100%" stop-color="#ff6b35"/></linearGradient><linearGradient id="ll2" x1="0%" y1="0%" x2="100%" y2="100%"><stop offset="0%" stop-color="#00e5ff"/><stop offset="100%" stop-color="#7b2fbe"/></linearGradient><filter id="gll"><feGaussianBlur stdDeviation="1.5" result="b"/><feMerge><feMergeNode in="b"/><feMergeNode in="SourceGraphic"/></feMerge></filter></defs><rect x="6" y="16" width="36" height="22" rx="11" fill="url(#ll1)" filter="url(#gll)"/><rect x="12" y="23" width="8" height="3" rx="1.5" fill="rgba(0,0,0,0.45)"/><rect x="15" y="20" width="3" height="8" rx="1.5" fill="rgba(0,0,0,0.45)"/><circle cx="32" cy="22" r="2.2" fill="#e63946" opacity=".9"/><circle cx="36" cy="25" r="2.2" fill="#2ec4b6" opacity=".9"/><circle cx="32" cy="28" r="2.2" fill="#7b2fbe" opacity=".9"/><circle cx="28" cy="25" r="2.2" fill="#f4a261" opacity=".9"/><rect x="21" y="24" width="6" height="3" rx="1.5" fill="rgba(0,0,0,0.3)"/><rect x="8" y="30" width="8" height="7" rx="4" fill="url(#ll2)" opacity=".7"/><rect x="32" y="30" width="8" height="7" rx="4" fill="url(#ll2)" opacity=".7"/><rect x="14" y="13" width="8" height="5" rx="2.5" fill="url(#ll1)" opacity=".8"/><rect x="26" y="13" width="8" height="5" rx="2.5" fill="url(#ll1)" opacity=".8"/><circle cx="24" cy="7" r="2" fill="#f0c040" opacity=".9"/><circle cx="39" cy="10" r="1.2" fill="#00e5ff" opacity=".8"/><circle cx="9" cy="10" r="1.2" fill="#f0c040" opacity=".7"/></svg><span>TomTomGames</span></div>
+  <div class="sub">ADMIN ACCESS</div>
+  <?php if($error): ?><div class="error"><?= htmlspecialchars($error) ?></div><?php endif; ?>
+  <form method="POST">
+    <div class="form-group"><label>Username</label><input type="text" name="username" autocomplete="username" autocapitalize="none" required></div>
+    <div class="form-group"><label>Password</label><input type="password" name="password" autocomplete="current-password" required></div>
+    <button class="btn" type="submit">LOGIN TO ADMIN</button>
+  </form>
+</div>
+</body>
+</html>
diff --git a/api/admin.php b/api/admin.php
new file mode 100644
index 0000000..3333c82
--- /dev/null
+++ b/api/admin.php
@@ -0,0 +1,971 @@
+<?php
+require_once __DIR__ . '/../../includes/auth.php';
+header('Content-Type: application/json');
+requireAdmin();
+
+$action = $_GET['action'] ?? '';
+
+switch ($action) {
+
+    // ─── STATS ────────────────────────────────────────────────
+    case 'stats':
+        echo json_encode(['success' => true, 'stats' => [
+            'total_users'       => db()->query("SELECT COUNT(*) FROM users")->fetchColumn(),
+            'active_users'      => db()->query("SELECT COUNT(*) FROM users WHERE status='active'")->fetchColumn(),
+            'pending_purchases' => db()->query("SELECT COUNT(*) FROM token_purchases WHERE status='pending'")->fetchColumn(),
+            'pending_cashouts'  => db()->query("SELECT COUNT(*) FROM cashout_requests WHERE status='pending'")->fetchColumn(),
+            'pending_signups'   => db()->query("SELECT COUNT(*) FROM pending_registrations WHERE expires_at > NOW()")->fetchColumn(),
+            'total_tokens_sold' => db()->query("SELECT COALESCE(SUM(tokens),0) FROM token_purchases WHERE status='completed'")->fetchColumn(),
+            'total_revenue'     => db()->query("SELECT COALESCE(SUM(amount_cents),0)/100 FROM token_purchases WHERE status='completed'")->fetchColumn(),
+        ]]);
+        break;
+
+    // ─── PENDING SIGNUPS ──────────────────────────────────────
+    case 'pending_signups':
+        $rows = db()->query("SELECT id,username,alias,email,expires_at,created_at FROM pending_registrations WHERE expires_at > NOW() ORDER BY created_at DESC")->fetchAll();
+        echo json_encode(['success'=>true,'pending'=>$rows]);
+        break;
+
+    case 'delete_pending':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $id   = (int)($data['id'] ?? 0);
+        db()->prepare("DELETE FROM pending_registrations WHERE id=?")->execute([$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    case 'approve_pending':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $id   = (int)($data['id'] ?? 0);
+        // Fetch the pending record
+        $stmt = db()->prepare("SELECT * FROM pending_registrations WHERE id=?");
+        $stmt->execute([$id]);
+        $pending = $stmt->fetch();
+        if (!$pending) { echo json_encode(['success'=>false,'error'=>'Pending signup not found']); exit; }
+        // Check username/email not already taken
+        $chkUser = db()->prepare("SELECT id FROM users WHERE username=?");
+        $chkUser->execute([$pending['username']]);
+        if ($chkUser->fetch()) { echo json_encode(['success'=>false,'error'=>'Username already taken']); exit; }
+        if (!empty($pending['email'])) {
+            $chkEmail = db()->prepare("SELECT id FROM users WHERE email=?");
+            $chkEmail->execute([$pending['email']]);
+            if ($chkEmail->fetch()) { echo json_encode(['success'=>false,'error'=>'Email already registered']); exit; }
+        }
+        // Create the user account — bypass email verification
+        db()->beginTransaction();
+        try {
+            db()->prepare("INSERT INTO users (username,password,alias,email,email_verified,tokens,is_admin,status)
+                VALUES (?,?,?,?,1,0,0,'active')")
+               ->execute([$pending['username'],$pending['password'],$pending['alias'],$pending['email']]);
+            db()->prepare("DELETE FROM pending_registrations WHERE id=?")->execute([$id]);
+            db()->commit();
+            logActivity('account_approved', (int)db()->lastInsertId(), (int)$_SESSION['user_id'], 'user', 0, 'Account approved for '.$pending['username']);
+            echo json_encode(['success'=>true,'username'=>$pending['username']]);
+        } catch (Exception $e) {
+            db()->rollBack();
+            echo json_encode(['success'=>false,'error'=>'Could not create account']);
+        }
+        break;
+
+    // ─── PURCHASES ────────────────────────────────────────────
+    case 'purchases':
+        $status = $_GET['status'] ?? 'pending';
+        if ($status === 'all') {
+            $stmt = db()->query("SELECT tp.*, u.username, u.alias FROM token_purchases tp JOIN users u ON tp.user_id=u.id ORDER BY tp.created_at DESC LIMIT 200");
+        } else {
+            $stmt = db()->prepare("SELECT tp.*, u.username, u.alias FROM token_purchases tp JOIN users u ON tp.user_id=u.id WHERE tp.status=? ORDER BY tp.created_at DESC LIMIT 200");
+            $stmt->execute([$status]);
+        }
+        echo json_encode(['success' => true, 'purchases' => $stmt->fetchAll()]);
+        break;
+
+    // ─── RESOLVE PURCHASE (approve manual / reject) ──────────
+    case 'resolve_purchase':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data   = json_decode(file_get_contents('php://input'), true);
+        $id     = (int)($data['id']     ?? 0);
+        $status = $data['status'] ?? '';
+        $note   = trim($data['note']   ?? '');
+
+        if (!in_array($status, ['completed','failed'])) {
+            echo json_encode(['success'=>false,'error'=>'Invalid status']); exit;
+        }
+
+        // Fetch purchase
+        $row = db()->prepare("SELECT * FROM token_purchases WHERE id=? AND status='pending'");
+        $row->execute([$id]);
+        $purchase = $row->fetch();
+
+        if (!$purchase) {
+            echo json_encode(['success'=>false,'error'=>'Purchase not found or already resolved']); exit;
+        }
+
+        db()->beginTransaction();
+        try {
+            if ($status === 'completed') {
+                // Credit tokens to user
+                logAdminAction('TOKENS_ADJUSTED', $adminId, 'user', isset($targetId)?(int)$targetId:0, 'Manual token adjustment: '.($data['tokens']??0).' tokens', '', ($data['tokens']??''), 'critical');
+                db()->prepare("UPDATE users SET tokens=tokens+? WHERE id=?")->execute([$purchase['tokens'], $purchase['user_id']]);
+            }
+            db()->prepare("UPDATE token_purchases SET status=?,admin_note=? WHERE id=?")->execute([$status, $note, $id]);
+            db()->commit();
+            echo json_encode(['success'=>true]);
+        } catch (Exception $e) {
+            db()->rollBack();
+            echo json_encode(['success'=>false,'error'=>'DB error']);
+        }
+        break;
+
+    // ─── CASHOUTS ─────────────────────────────────────────────
+    case 'cashouts':
+        $status = $_GET['status'] ?? 'pending';
+        $valid  = ['pending','sent','approved','rejected','deleted'];
+        if (!in_array($status, $valid)) $status = 'pending';
+        if ($status === 'pending') {
+            // Show both pending (player editing) and locked (submitted to admin)
+            $stmt = db()->prepare("SELECT cr.*, u.username, u.alias AS user_alias FROM cashout_requests cr JOIN users u ON cr.user_id=u.id WHERE cr.status IN ('pending','locked') ORDER BY cr.status DESC, cr.created_at DESC");
+            $stmt->execute();
+        } elseif ($status === 'sent') {
+            $stmt = db()->prepare("SELECT cr.*, u.username, u.alias AS user_alias FROM cashout_requests cr JOIN users u ON cr.user_id=u.id WHERE cr.status IN ('sent','approved') ORDER BY cr.created_at DESC");
+            $stmt->execute();
+        } else {
+            $stmt = db()->prepare("SELECT cr.*, u.username, u.alias AS user_alias FROM cashout_requests cr JOIN users u ON cr.user_id=u.id WHERE cr.status=? ORDER BY cr.created_at DESC");
+            $stmt->execute([$status]);
+        }
+        echo json_encode(['success'=>true,'cashouts'=>$stmt->fetchAll()]);
+        break;
+
+    case 'resolve_cashout':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data   = json_decode(file_get_contents('php://input'), true);
+        $id     = (int)($data['id']     ?? 0);
+        $status = $data['status'] ?? '';
+        $note   = trim($data['note']   ?? '');
+        // 'approved' is treated as 'sent' (payment sent to player)
+        if ($status === 'approved') $status = 'sent';
+        if (!in_array($status, ['sent','rejected','deleted'])) { echo json_encode(['success'=>false,'error'=>'Invalid status']); exit; }
+
+        $r = db()->prepare("SELECT user_id,tokens FROM cashout_requests WHERE id=? AND status IN ('pending','locked')");
+        $r->execute([$id]);
+        $req = $r->fetch();
+        if (!$req) { echo json_encode(['success'=>false,'error'=>'Not found or already resolved']); exit; }
+
+        db()->beginTransaction();
+        try {
+            // Return tokens to player if denied or deleted
+            if (in_array($status, ['rejected','deleted'])) {
+                db()->prepare("UPDATE users SET tokens=tokens+? WHERE id=?")->execute([$req['tokens'],$req['user_id']]);
+            }
+            db()->prepare("UPDATE cashout_requests SET status=?,admin_note=?,resolved_at=NOW() WHERE id=?")->execute([$status,$note,$id]);
+            db()->commit();
+            logActivity('cashout_'.$status, $req['user_id'], (int)$_SESSION['user_id'], 'cashout', $id,
+                'Cashout '.$status.' by admin. Tokens: '.$req['tokens'].($note?' Note: '.$note:''));
+            echo json_encode(['success'=>true,'status'=>$status]);
+        } catch (Exception $e) {
+            db()->rollBack();
+            echo json_encode(['success'=>false,'error'=>'DB error']);
+        }
+        break;
+        if (!in_array($status, ['approved','rejected'])) { echo json_encode(['success'=>false,'error'=>'Invalid status']); exit; }
+
+        if ($status === 'rejected') {
+            $r = db()->prepare("SELECT user_id,tokens FROM cashout_requests WHERE id=? AND status='pending'");
+            $r->execute([$id]);
+            $req = $r->fetch();
+            if ($req) db()->prepare("UPDATE users SET tokens=tokens+? WHERE id=?")->execute([$req['tokens'],$req['user_id']]);
+        }
+        db()->prepare("UPDATE cashout_requests SET status=?,admin_note=?,resolved_at=NOW() WHERE id=?")->execute([$status,$note,$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ─── USERS LIST ───────────────────────────────────────────
+    case 'users':
+        $users = db()->query("SELECT id,username,alias,email,email_verified,tokens,is_admin,status,created_at,last_login FROM users ORDER BY created_at DESC")->fetchAll();
+        echo json_encode(['success'=>true,'users'=>$users]);
+        break;
+
+    // ─── SINGLE USER DETAIL ───────────────────────────────────
+    case 'user_detail':
+        $uid = (int)($_GET['user_id'] ?? 0);
+        if (!$uid) { echo json_encode(['success'=>false,'error'=>'user_id required']); exit; }
+        $stmt = db()->prepare("SELECT id,username,alias,email,email_verified,tokens,is_admin,status,created_at,last_login FROM users WHERE id=?");
+        $stmt->execute([$uid]);
+        $user = $stmt->fetch();
+        if (!$user) { echo json_encode(['success'=>false,'error'=>'User not found']); exit; }
+        // Rich stats
+        $s1 = db()->prepare("SELECT COALESCE(SUM(amount_cents),0)/100 FROM token_purchases WHERE user_id=? AND status='completed'");
+        $s1->execute([$uid]);
+        $s2 = db()->prepare("SELECT COUNT(*) FROM token_purchases WHERE user_id=? AND status='completed'"); $s2->execute([$uid]);
+        $s3 = db()->prepare("SELECT COUNT(*) FROM token_purchases WHERE user_id=? AND status='pending'");  $s3->execute([$uid]);
+        $s4 = db()->prepare("SELECT COUNT(*) FROM token_purchases WHERE user_id=? AND status='failed'");   $s4->execute([$uid]);
+        $s5 = db()->prepare("SELECT COUNT(*) FROM cashout_requests WHERE user_id=?"); $s5->execute([$uid]);
+        $s6 = db()->prepare("SELECT COALESCE(SUM(tokens),0) FROM token_purchases WHERE user_id=? AND status='completed'"); $s6->execute([$uid]);
+        $stats = [
+            'total_spent'        => $s1->fetchColumn(),
+            'completed_purchases'=> $s2->fetchColumn(),
+            'pending_purchases'  => $s3->fetchColumn(),
+            'failed_purchases'   => $s4->fetchColumn(),
+            'total_cashouts'     => $s5->fetchColumn(),
+            'total_tokens_bought'=> $s6->fetchColumn(),
+        ];
+        echo json_encode(['success'=>true,'user'=>$user,'stats'=>$stats]);
+        break;
+
+    // ─── USER PURCHASES ───────────────────────────────────────
+    case 'user_purchases':
+        $uid = (int)($_GET['user_id'] ?? 0);
+        $stmt = db()->prepare("SELECT id,tokens,amount_cents,payment_method,square_payment_id,platform_id,game_alias,player_name,billing_name,billing_address,billing_city,billing_state,billing_zip,billing_email,is_custom,failure_reason,card_brand,card_last4,receipt_url,status,admin_note,created_at FROM token_purchases WHERE user_id=? ORDER BY created_at DESC LIMIT 100");
+        $stmt->execute([$uid]);
+        echo json_encode(['success'=>true,'purchases'=>$stmt->fetchAll()]);
+        break;
+
+    // ─── USER CASHOUTS ────────────────────────────────────────
+    case 'user_cashouts':
+        $uid = (int)($_GET['user_id'] ?? 0);
+        $stmt = db()->prepare("SELECT * FROM cashout_requests WHERE user_id=? ORDER BY created_at DESC LIMIT 100");
+        $stmt->execute([$uid]);
+        echo json_encode(['success'=>true,'cashouts'=>$stmt->fetchAll()]);
+        break;
+
+    // ─── ADJUST TOKENS ────────────────────────────────────────
+    case 'adjust_tokens':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data   = json_decode(file_get_contents('php://input'), true);
+        $uid    = (int)($data['user_id'] ?? 0);
+        $amount = (float)($data['amount'] ?? 0);
+        db()->prepare("UPDATE users SET tokens=tokens+? WHERE id=?")->execute([$amount,$uid]);
+        $bal = db()->prepare("SELECT tokens FROM users WHERE id=?"); $bal->execute([$uid]);
+        $newBal = $bal->fetchColumn();
+        echo json_encode(['success'=>true,'new_balance'=>$newBal]);
+        break;
+
+    // ─── SET EXACT TOKEN BALANCE ──────────────────────────────
+    case 'set_tokens':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data   = json_decode(file_get_contents('php://input'), true);
+        $uid    = (int)($data['user_id'] ?? 0);
+        $bal    = (float)($data['balance'] ?? 0);
+        if ($bal < 0) { echo json_encode(['success'=>false,'error'=>'Balance cannot be negative']); exit; }
+        db()->prepare("UPDATE users SET tokens=? WHERE id=?")->execute([$bal,$uid]);
+        echo json_encode(['success'=>true,'new_balance'=>$bal]);
+        break;
+
+    // ─── EDIT USER ────────────────────────────────────────────
+    case 'edit_user':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data     = json_decode(file_get_contents('php://input'), true);
+        $uid      = (int)($data['user_id'] ?? 0);
+        $username = strtolower(trim($data['username'] ?? ''));
+        $alias    = trim($data['alias']    ?? '');
+        $email    = strtolower(trim($data['email']   ?? ''));
+        $password = trim($data['password'] ?? '');
+
+        if (!$uid || empty($username) || empty($alias))
+            { echo json_encode(['success'=>false,'error'=>'Username and alias required']); exit; }
+        if (!preg_match('/^[a-z0-9_]{3,50}$/', $username))
+            { echo json_encode(['success'=>false,'error'=>'Invalid username format']); exit; }
+        if (!empty($email) && !filter_var($email, FILTER_VALIDATE_EMAIL))
+            { echo json_encode(['success'=>false,'error'=>'Invalid email address']); exit; }
+
+        // Check username not taken by another user
+        $chk = db()->prepare("SELECT id FROM users WHERE username=? AND id!=?");
+        $chk->execute([$username,$uid]);
+        if ($chk->fetch()) { echo json_encode(['success'=>false,'error'=>'Username already taken']); exit; }
+
+        if (!empty($email)) {
+            $chk2 = db()->prepare("SELECT id FROM users WHERE email=? AND id!=?");
+            $chk2->execute([$email,$uid]);
+            if ($chk2->fetch()) { echo json_encode(['success'=>false,'error'=>'Email already in use']); exit; }
+        }
+
+        if (!empty($password)) {
+            if (strlen($password) < 6) { echo json_encode(['success'=>false,'error'=>'Password must be 6+ characters']); exit; }
+            $hash = password_hash($password, PASSWORD_BCRYPT);
+            db()->prepare("UPDATE users SET username=?,alias=?,email=?,password=? WHERE id=?")->execute([$username,$alias,$email,$hash,$uid]);
+        } else {
+            db()->prepare("UPDATE users SET username=?,alias=?,email=? WHERE id=?")->execute([$username,$alias,$email,$uid]);
+        }
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ─── TOGGLE ADMIN ROLE ───────────────────────────────────
+    case 'toggle_admin':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $uid  = (int)($data['user_id'] ?? 0);
+        // Master admin (ID=1) can NEVER lose admin status
+        if ($uid === MASTER_ADMIN_ID) {
+            echo json_encode(['success'=>false,'error'=>'Master admin cannot be modified.']); exit;
+        }
+        // Cannot remove your own admin
+        if ($uid === (int)$_SESSION['user_id']) {
+            echo json_encode(['success'=>false,'error'=>'You cannot change your own admin status.']); exit;
+        }
+        // Only master admin can grant/revoke admin
+        if ((int)$_SESSION['user_id'] !== MASTER_ADMIN_ID) {
+            echo json_encode(['success'=>false,'error'=>'Only the master admin can change admin roles.']); exit;
+        }
+        $stmt = db()->prepare("SELECT is_admin FROM users WHERE id=?");
+        $stmt->execute([$uid]);
+        $current = $stmt->fetchColumn();
+        $new_val = $current ? 0 : 1;
+        if ($new_val) {
+            db()->prepare("UPDATE users SET is_admin=1, email_verified=1 WHERE id=?")->execute([$uid]);
+        } else {
+            db()->prepare("UPDATE users SET is_admin=0 WHERE id=?")->execute([$uid]);
+        }
+        // Force the affected user to re-login by invalidating their sessions
+        // Store a flag in DB that forces re-auth on next request
+        db()->prepare("UPDATE users SET last_login=last_login WHERE id=?")->execute([$uid]);
+        logActivity($new_val?'admin_granted':'admin_revoked', $uid, (int)$_SESSION['user_id'], 'user', $uid, 'Admin status changed to '.($new_val?'admin':'player'), '', 'admin', '', '', 'warning');
+        echo json_encode(['success'=>true, 'is_admin'=>$new_val, 'needs_relogin'=>true, 'message'=>$new_val ? 'Admin access granted. User must log out and back in.' : 'Admin access removed. User must log out and back in.']);
+        break;
+
+    // ─── TOGGLE SUSPEND ───────────────────────────────────────
+    case 'toggle_user':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $uid  = (int)($data['user_id'] ?? 0);
+        if ($uid === MASTER_ADMIN_ID) { echo json_encode(['success'=>false,'error'=>'Cannot suspend the master admin.']); exit; }
+        logAdminAction('USER_STATUS_CHANGE', $adminId, 'user', isset($userId)?(int)$userId:0, 'Changed user status to: '.($data['status']??'unknown'), '', ($data['status']??''), 'warning');
+        db()->prepare("UPDATE users SET status=IF(status='active','suspended','active') WHERE id=?")->execute([$uid]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ─── DELETE USER ──────────────────────────────────────────
+    case 'delete_user':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $uid  = (int)($data['user_id'] ?? 0);
+        if (!$uid) { echo json_encode(['success'=>false,'error'=>'Invalid user']); exit; }
+        // Prevent deleting own account
+        if ($uid === MASTER_ADMIN_ID) { echo json_encode(['success'=>false,'error'=>'Cannot delete the master admin account.']); exit; }
+        if ($uid === (int)$_SESSION['user_id']) { echo json_encode(['success'=>false,'error'=>'Cannot delete your own account']); exit; }
+        db()->beginTransaction();
+        try {
+            db()->prepare("DELETE FROM chat_messages WHERE user_id=?")->execute([$uid]);
+            db()->prepare("DELETE FROM cashout_requests WHERE user_id=?")->execute([$uid]);
+            db()->prepare("DELETE FROM token_purchases WHERE user_id=?")->execute([$uid]);
+            db()->prepare("DELETE FROM users WHERE id=?")->execute([$uid]);
+            db()->commit();
+            echo json_encode(['success'=>true]);
+        } catch (Exception $e) {
+            db()->rollBack();
+            echo json_encode(['success'=>false,'error'=>'Delete failed']);
+        }
+        break;
+
+    // ─── SEND PASSWORD RESET ──────────────────────────────────
+    case 'send_password_reset':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $uid  = (int)($data['user_id'] ?? 0);
+        $stmt = db()->prepare("SELECT email,alias FROM users WHERE id=?");
+        $stmt->execute([$uid]);
+        $user = $stmt->fetch();
+        if (!$user || empty($user['email'])) { echo json_encode(['success'=>false,'error'=>'No email on file']); exit; }
+        // Generate reset token — reuse pending_registrations pattern
+        $token = bin2hex(random_bytes(32));
+        $exp   = date('Y-m-d H:i:s', time() + 3600); // 1 hour
+        db()->prepare("INSERT INTO pending_registrations (username,password,alias,email,token,expires_at) VALUES ('__reset__','',''.?,?,'__reset__',?) ON DUPLICATE KEY UPDATE token=VALUES(token),expires_at=VALUES(expires_at)")->execute([$user['alias'],$user['email'],$token,$exp]);
+        // Simple reset email
+        $resetUrl = rtrim(SITE_URL,'/') . '/reset_password.php?token=' . urlencode($token);
+        $subject  = SITE_NAME . ' — Password Reset Request';
+        $body     = "Hi {$user['alias']},\n\nA password reset was requested for your account.\n\nClick here to reset: {$resetUrl}\n\nExpires in 1 hour. If you didn't request this, ignore this email.\n\n— " . SITE_NAME;
+        $headers  = "From: " . MAIL_FROM_NAME . " <" . MAIL_FROM . ">\r\nReply-To: " . MAIL_REPLY_TO;
+        mail($user['email'], $subject, $body, $headers, '-f' . MAIL_FROM);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ─── PLATFORM ACCOUNTS ────────────────────────────────
+    case 'platform_accounts_list':
+        $status = $_GET['status'] ?? 'pending';
+        $uid    = (int)($_GET['user_id'] ?? 0);
+        if ($uid) {
+            $stmt = db()->prepare("SELECT pa.*, COALESCE(p.name,pa.platform_slug) AS platform_name, u.username, u.alias AS user_alias FROM platform_accounts pa LEFT JOIN platforms p ON pa.platform_slug=p.slug JOIN users u ON pa.user_id=u.id WHERE pa.user_id=? ORDER BY pa.requested_at DESC");
+            $stmt->execute([$uid]);
+        } else {
+            $valid = ['pending','approved','denied','deleted'];
+            if (!in_array($status,$valid)) $status='pending';
+            $stmt = db()->prepare("SELECT pa.*, COALESCE(p.name,pa.platform_slug) AS platform_name, u.username, u.alias AS user_alias FROM platform_accounts pa LEFT JOIN platforms p ON pa.platform_slug=p.slug JOIN users u ON pa.user_id=u.id WHERE pa.status=? ORDER BY pa.requested_at DESC");
+            $stmt->execute([$status]);
+        }
+        echo json_encode(['success'=>true,'accounts'=>$stmt->fetchAll()]);
+        break;
+
+    case 'platform_account_resolve':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d = json_decode(file_get_contents('php://input'), true);
+        $id=$d['id']??0; $status=$d['status']??'';
+        $uname=substr(trim($d['platform_username']??''),0,100);
+        $pass=substr(trim($d['platform_password']??''),0,200);
+        $note=substr(trim($d['admin_note']??''),0,300);
+        if (!in_array($status,['approved','denied','deleted'])){echo json_encode(['success'=>false,'error'=>'Invalid status']);exit;}
+        $chk=db()->prepare("SELECT user_id,platform_slug FROM platform_accounts WHERE id=?");$chk->execute([$id]);$row=$chk->fetch();
+        if (!$row){echo json_encode(['success'=>false,'error'=>'Not found']);exit;}
+        db()->prepare("UPDATE platform_accounts SET status=?,platform_username=?,platform_password=?,admin_note=?,resolved_at=NOW(),admin_id=? WHERE id=?")
+           ->execute([$status,$uname,$pass,$note,(int)$_SESSION['user_id'],$id]);
+        if ($status==='approved'&&$uname) {
+            db()->prepare("INSERT INTO game_aliases (user_id,platform_slug,alias) VALUES (?,?,?) ON DUPLICATE KEY UPDATE alias=VALUES(alias)")
+               ->execute([$row['user_id'],$row['platform_slug'],$uname]);
+        }
+        echo json_encode(['success'=>true]);
+        break;
+
+    case 'platform_account_update':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d=json_decode(file_get_contents('php://input'),true);
+        $id=$d['id']??0;
+        $uname=substr(trim($d['platform_username']??''),0,100);
+        $pass=substr(trim($d['platform_password']??''),0,200);
+        $note=substr(trim($d['admin_note']??''),0,300);
+        $chk=db()->prepare("SELECT user_id,platform_slug FROM platform_accounts WHERE id=?");$chk->execute([$id]);$row=$chk->fetch();
+        if (!$row){echo json_encode(['success'=>false,'error'=>'Not found']);exit;}
+        db()->prepare("UPDATE platform_accounts SET platform_username=?,platform_password=?,admin_note=? WHERE id=?")
+           ->execute([$uname,$pass,$note,$id]);
+        if ($uname){
+            db()->prepare("INSERT INTO game_aliases (user_id,platform_slug,alias) VALUES (?,?,?) ON DUPLICATE KEY UPDATE alias=VALUES(alias)")
+               ->execute([$row['user_id'],$row['platform_slug'],$uname]);
+        }
+        echo json_encode(['success'=>true]);
+        break;
+        $rows = db()->query("
+            SELECT b.*, u.username AS sender_name,
+                   (SELECT COUNT(*) FROM broadcast_reads  WHERE broadcast_id=b.id) AS read_count,
+                   (SELECT COUNT(*) FROM broadcast_replies WHERE broadcast_id=b.id) AS reply_count,
+                   (SELECT COUNT(*) FROM users WHERE is_admin=0 AND status='active') AS total_players
+            FROM broadcasts b JOIN users u ON b.admin_id=u.id
+            ORDER BY b.sent_at DESC LIMIT 50
+        ")->fetchAll();
+        echo json_encode(['success'=>true,'broadcasts'=>$rows]);
+        break;
+
+    case 'broadcast_list':
+        try {
+            $sql = "SELECT b.id, b.subject, b.message, b.target, b.sent_at,
+                           u.username AS sender_name,
+                           (SELECT COUNT(*) FROM broadcast_reads WHERE broadcast_id=b.id) AS read_count,
+                           (SELECT COUNT(*) FROM broadcast_replies WHERE broadcast_id=b.id) AS reply_count,
+                           (SELECT COUNT(*) FROM users WHERE status='active' AND is_admin=0) AS total_players
+                    FROM broadcasts b
+                    JOIN users u ON b.admin_id=u.id
+                    ORDER BY b.sent_at DESC
+                    LIMIT 100";
+            $stmt = db()->query($sql);
+            echo json_encode(['success'=>true,'broadcasts'=>$stmt->fetchAll()]);
+        } catch(Exception $e) {
+            echo json_encode(['success'=>false,'error'=>$e->getMessage()]);
+        }
+        break;
+
+    case 'broadcast_send':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d       = json_decode(file_get_contents('php://input'), true);
+        $subject = substr(trim($d['subject']??''),0,200);
+        $message = substr(trim($d['message']??''),0,5000);
+        $target  = in_array($d['target']??'',['all','verified','unverified','admins']) ? $d['target'] : 'all';
+        if (!$subject||!$message) { echo json_encode(['success'=>false,'error'=>'Subject and message required']); exit; }
+        db()->prepare("INSERT INTO broadcasts (admin_id,subject,message,target) VALUES (?,?,?,?)")
+           ->execute([$_SESSION['user_id'],$subject,$message,$target]);
+        $bid = db()->lastInsertId();
+        // Count recipients
+        $countQ = [
+            'all'         => "SELECT COUNT(*) FROM users WHERE status='active' AND is_admin=0",
+            'verified'    => "SELECT COUNT(*) FROM users WHERE status='active' AND is_admin=0 AND email_verified=1",
+            'unverified'  => "SELECT COUNT(*) FROM users WHERE status='active' AND is_admin=0 AND email_verified=0",
+            'admins'      => "SELECT COUNT(*) FROM users WHERE is_admin=1",
+        ];
+        $count = db()->query($countQ[$target])->fetchColumn();
+        echo json_encode(['success'=>true,'id'=>$bid,'recipient_count'=>(int)$count]);
+        break;
+
+    case 'broadcast_delete':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d  = json_decode(file_get_contents('php://input'), true);
+        $id = (int)($d['id']??0);
+        db()->prepare("DELETE FROM broadcasts WHERE id=?")->execute([$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    case 'broadcast_edit':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d = json_decode(file_get_contents('php://input'), true);
+        $id = (int)($d['id'] ?? 0);
+        $subject = substr(trim($d['subject'] ?? ''), 0, 200);
+        $message = trim($d['message'] ?? '');
+        $target  = in_array($d['target']??'', ['all','verified','unverified','admins']) ? $d['target'] : 'all';
+        if (!$id || !$subject || !$message) { echo json_encode(['success'=>false,'error'=>'Missing fields']); exit; }
+        db()->prepare("UPDATE broadcasts SET subject=?, message=?, target=? WHERE id=?")->execute([$subject, $message, $target, $id]);
+        logAdminAction('BROADCAST_EDITED', $adminId, 'broadcast', $id, 'Edited broadcast #'.$id, '', '', 'info');
+        echo json_encode(['success'=>true]);
+        break;
+
+    case 'broadcast_resend':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d = json_decode(file_get_contents('php://input'), true);
+        $id = (int)($d['id'] ?? 0);
+        if (!$id) { echo json_encode(['success'=>false,'error'=>'Missing ID']); exit; }
+        $bc = db()->prepare("SELECT * FROM broadcasts WHERE id=?");
+        $bc->execute([$id]);
+        $orig = $bc->fetch();
+        if (!$orig) { echo json_encode(['success'=>false,'error'=>'Broadcast not found']); exit; }
+        // Count recipients
+        $target = $orig['target'];
+        $countSql = "SELECT COUNT(*) FROM users WHERE status='active' AND is_admin=0";
+        if ($target === 'verified')   $countSql .= " AND email_verified=1";
+        if ($target === 'unverified') $countSql .= " AND email_verified=0";
+        $recipientCount = (int)db()->query($countSql)->fetchColumn();
+        // Delete old reads so everyone sees it again
+        db()->prepare("DELETE FROM broadcast_reads WHERE broadcast_id=?")->execute([$id]);
+        // Update sent_at to now
+        db()->prepare("UPDATE broadcasts SET sent_at=NOW() WHERE id=?")->execute([$id]);
+        logAdminAction('BROADCAST_RESENT', $adminId, 'broadcast', $id, 'Resent broadcast #'.$id.' to '.$recipientCount.' players', '', '', 'info');
+        echo json_encode(['success'=>true,'recipient_count'=>$recipientCount]);
+        break;
+
+    case 'broadcast_reads':
+        $bid  = (int)($_GET['broadcast_id']??0);
+        $rows = db()->prepare("SELECT br.read_at, u.username, u.alias FROM broadcast_reads br JOIN users u ON br.user_id=u.id WHERE br.broadcast_id=? ORDER BY br.read_at ASC");
+        $rows->execute([$bid]);
+        echo json_encode(['success'=>true,'reads'=>$rows->fetchAll()]);
+        break;
+
+    case 'broadcast_replies':
+        $bid  = (int)($_GET['broadcast_id']??0);
+        $rows = db()->prepare("SELECT br.*, u.username, u.alias, u.is_admin FROM broadcast_replies br JOIN users u ON br.user_id=u.id WHERE br.broadcast_id=? ORDER BY br.created_at ASC");
+        $rows->execute([$bid]);
+        echo json_encode(['success'=>true,'replies'=>$rows->fetchAll()]);
+        break;
+
+    case 'broadcast_reply':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d   = json_decode(file_get_contents('php://input'), true);
+        $bid = (int)($d['broadcast_id']??0);
+        $msg = substr(trim($d['message']??''),0,1000);
+        if (!$bid||!$msg) { echo json_encode(['success'=>false,'error'=>'Required fields missing']); exit; }
+        db()->prepare("INSERT INTO broadcast_replies (broadcast_id,user_id,message) VALUES (?,?,?)")
+           ->execute([$bid,$_SESSION['user_id'],$msg]);
+        echo json_encode(['success'=>true,'id'=>db()->lastInsertId()]);
+        break;
+        $rows = db()->query("SELECT * FROM cashout_method_types ORDER BY sort_order ASC, id ASC")->fetchAll();
+        echo json_encode(['success'=>true,'types'=>$rows]);
+        break;
+
+    case 'cashout_methods_create':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d    = json_decode(file_get_contents('php://input'), true);
+        $slug = preg_replace('/[^a-z0-9_]/','',strtolower(trim($d['slug']??'')));
+        $label= substr(trim($d['label']??''),0,100);
+        $icon = substr(trim($d['icon']??'💰'),0,10);
+        $desc = substr(trim($d['description']??''),0,200);
+        $sort = (int)($d['sort_order']??99);
+        $active=(int)(bool)($d['is_active']??1);
+        if (!$slug||!$label){echo json_encode(['success'=>false,'error'=>'Slug and label required']);exit;}
+        try {
+            db()->prepare("INSERT INTO cashout_method_types (slug,label,icon,description,is_active,sort_order) VALUES (?,?,?,?,?,?)")
+               ->execute([$slug,$label,$icon,$desc,$active,$sort]);
+            echo json_encode(['success'=>true,'id'=>db()->lastInsertId()]);
+        } catch(Exception $e){ echo json_encode(['success'=>false,'error'=>'Slug already exists']); }
+        break;
+
+    case 'cashout_methods_update':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d    = json_decode(file_get_contents('php://input'), true);
+        $id   = (int)($d['id']??0);
+        $label= substr(trim($d['label']??''),0,100);
+        $icon = substr(trim($d['icon']??'💰'),0,10);
+        $desc = substr(trim($d['description']??''),0,200);
+        $sort = (int)($d['sort_order']??0);
+        $active=(int)(bool)($d['is_active']??1);
+        if (!$id||!$label){echo json_encode(['success'=>false,'error'=>'ID and label required']);exit;}
+        db()->prepare("UPDATE cashout_method_types SET label=?,icon=?,description=?,is_active=?,sort_order=? WHERE id=?")
+           ->execute([$label,$icon,$desc,$active,$sort,$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    case 'cashout_methods_delete':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d=(json_decode(file_get_contents('php://input'),true));
+        $id=(int)($d['id']??0);
+        if (!$id){echo json_encode(['success'=>false,'error'=>'ID required']);exit;}
+        db()->prepare("DELETE FROM cashout_method_types WHERE id=?")->execute([$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ──
+    case 'platform_account_deny':
+        if ($_SERVER['REQUEST_METHOD']!=='POST'){echo json_encode(['success'=>false]);exit;}
+        $d=json_decode(file_get_contents('php://input'),true);
+        $id=(int)($d['id']??0);$nt=substr(trim($d['admin_note']??''),0,500);
+        db()->prepare("UPDATE platform_accounts SET status='denied',admin_note=?,admin_id=? WHERE id=?")->execute([$nt,$_SESSION['user_id'],$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    case 'platform_account_delete':
+        if ($_SERVER['REQUEST_METHOD']!=='POST'){echo json_encode(['success'=>false]);exit;}
+        $d=json_decode(file_get_contents('php://input'),true);
+        $id=(int)($d['id']??0);
+        db()->prepare("DELETE FROM platform_accounts WHERE id=?")->execute([$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    case 'platform_accounts_user':
+        $uid=(int)($_GET['user_id']??0);
+        $stmt=db()->prepare("SELECT pa.*,COALESCE(p.name,pa.platform_name,pa.platform_slug) AS display_name,p.color,p.player_url FROM platform_accounts pa LEFT JOIN platforms p ON pa.platform_slug=p.slug WHERE pa.user_id=? ORDER BY pa.requested_at DESC");
+        $stmt->execute([$uid]);
+        echo json_encode(['success'=>true,'accounts'=>$stmt->fetchAll()]);
+        break;
+    case 'activity_log':
+    case 'activity_log_v2':
+        $page     = max(1, (int)($_GET['page']??1));
+        $limit    = 20;
+        $offset   = ($page - 1) * $limit;
+        $category = trim($_GET['category'] ?? '');
+        $severity = trim($_GET['severity'] ?? '');
+        $search   = trim($_GET['search']   ?? '');
+        $date     = trim($_GET['date']     ?? '');
+
+        $where = ["al.created_at >= DATE_SUB(NOW(), INTERVAL 90 DAY)"];
+        $params = [];
+
+        if ($category) { $where[] = "al.category = ?"; $params[] = $category; }
+        if ($severity) { $where[] = "al.severity = ?"; $params[] = $severity; }
+        if ($date)     { $where[] = "DATE(al.created_at) = ?"; $params[] = $date; }
+        if ($search)   {
+            $where[] = "(al.action LIKE ? OR al.detail LIKE ? OR u.username LIKE ? OR u.alias LIKE ? OR al.ip LIKE ?)";
+            $s = '%'.$search.'%';
+            $params = array_merge($params, [$s,$s,$s,$s,$s]);
+        }
+
+        $whereStr = implode(' AND ', $where);
+        $baseQuery = "FROM activity_log al
+                      LEFT JOIN users u ON al.user_id  = u.id
+                      LEFT JOIN users a ON al.admin_id = a.id
+                      WHERE $whereStr";
+
+        $countStmt = db()->prepare("SELECT COUNT(*) $baseQuery");
+        $countStmt->execute($params);
+        $total = (int)$countStmt->fetchColumn();
+
+        $dataStmt = db()->prepare("SELECT al.*, u.username, u.alias,
+                                          a.username AS admin_username
+                                   $baseQuery
+                                   ORDER BY al.created_at DESC
+                                   LIMIT $limit OFFSET $offset");
+        $dataStmt->execute($params);
+        $events = $dataStmt->fetchAll();
+
+        // Stats for the current filter set
+        $statsParams = $params;
+        $statsStmt = db()->prepare("SELECT
+            SUM(al.severity='critical') AS critical,
+            SUM(al.severity='warning') AS warning,
+            COUNT(DISTINCT al.ip) AS unique_ips
+            $baseQuery");
+        $statsStmt->execute($statsParams);
+        $stats = $statsStmt->fetch();
+
+        echo json_encode(['success'=>true,'events'=>$events,'total'=>$total,'page'=>$page,'stats'=>$stats]);
+        break;
+
+    case 'activity_log_csv':
+        $category = trim($_GET['category'] ?? '');
+        $severity = trim($_GET['severity'] ?? '');
+        $search   = trim($_GET['search']   ?? '');
+        $date     = trim($_GET['date']     ?? '');
+
+        $where = ["al.created_at >= DATE_SUB(NOW(), INTERVAL 90 DAY)"];
+        $params = [];
+        if ($category) { $where[] = "al.category = ?"; $params[] = $category; }
+        if ($severity) { $where[] = "al.severity = ?"; $params[] = $severity; }
+        if ($date)     { $where[] = "DATE(al.created_at) = ?"; $params[] = $date; }
+        if ($search)   {
+            $where[] = "(al.action LIKE ? OR al.detail LIKE ? OR u.username LIKE ?)";
+            $s = '%'.$search.'%'; $params = array_merge($params, [$s,$s,$s]);
+        }
+
+        $whereStr = implode(' AND ', $where);
+        $stmt = db()->prepare("SELECT al.*, u.username, u.alias, a.username AS admin_username
+                               FROM activity_log al
+                               LEFT JOIN users u ON al.user_id=u.id
+                               LEFT JOIN users a ON al.admin_id=a.id
+                               WHERE $whereStr ORDER BY al.created_at DESC LIMIT 5000");
+        $stmt->execute($params);
+        $rows = $stmt->fetchAll();
+
+        header('Content-Type: text/csv');
+        header('Content-Disposition: attachment; filename="tomtomgames_audit_' . date('Y-m-d') . '.csv"');
+        $out = fopen('php://output', 'w');
+        fputcsv($out, ['ID','Timestamp','Category','Severity','Action','Username','Alias','Admin','Detail','Old Value','New Value','IP','User Agent','Page','Session ID']);
+        foreach ($rows as $r) {
+            fputcsv($out, [$r['id'],$r['created_at'],$r['category'],$r['severity'],$r['action'],
+                           $r['username']??'',$r['alias']??'',$r['admin_username']??'',
+                           $r['detail']??'',$r['old_value']??'',$r['new_value']??'',
+                           $r['ip']??'',$r['user_agent']??'',$r['page']??'',$r['session_id']??'']);
+        }
+        fclose($out);
+        exit;
+        break;
+
+    // ─── CASHOUT METHODS: list (admin) ────────────────────
+    case 'cashout_methods_list':
+        $rows = db()->query("SELECT * FROM cashout_method_types ORDER BY sort_order ASC, id ASC")->fetchAll();
+        echo json_encode(['success'=>true,'types'=>$rows]);
+        break;
+
+    // ─── PAYMENT SETTINGS: list (admin) ───────────────────
+    case 'payment_settings_list':
+        $rows = db()->query("SELECT * FROM payment_settings ORDER BY sort_order ASC, id ASC")->fetchAll();
+        echo json_encode(['success'=>true,'methods'=>$rows]);
+        break;
+
+    case 'payment_settings_update':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d = json_decode(file_get_contents('php://input'), true);
+        $id   = (int)($d['id'] ?? 0);
+        $label= substr(trim($d['label']??''), 0, 100);
+        $handle = substr(trim($d['handle']??''), 0, 200);
+        $inst = substr(trim($d['instructions']??''), 0, 500);
+        $enabled = (int)(bool)($d['is_enabled'] ?? 1);
+        $sort = (int)($d['sort_order'] ?? 0);
+        if (!$id) { echo json_encode(['success'=>false,'error'=>'ID required']); exit; }
+        db()->prepare("UPDATE payment_settings SET label=?,handle=?,instructions=?,is_enabled=?,sort_order=? WHERE id=?")
+             ->execute([$label,$handle,$inst,$enabled,$sort,$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+
+    // ─── PAYOUT METHODS: get for user ────────────────────────
+    case 'payout_methods_get':
+        $uid = (int)($_GET['user_id'] ?? 0);
+        if (!$uid) { echo json_encode(['success'=>false,'error'=>'user_id required']); exit; }
+        $rows = db()->prepare("SELECT * FROM payout_methods WHERE user_id=? ORDER BY is_default DESC, id ASC");
+        $rows->execute([$uid]);
+        echo json_encode(['success'=>true,'methods'=>$rows->fetchAll()]);
+        break;
+
+    // ─── GAME ALIASES: get ────────────────────────────────
+    case 'game_aliases_get':
+        $uid = (int)($_GET['user_id'] ?? 0);
+        if (!$uid) { echo json_encode(['success'=>false,'error'=>'user_id required']); exit; }
+        $stmt = db()->prepare("SELECT platform_slug, alias FROM game_aliases WHERE user_id=?");
+        $stmt->execute([$uid]);
+        $rows = $stmt->fetchAll();
+        $map  = [];
+        foreach ($rows as $r) $map[$r['platform_slug']] = $r['alias'];
+        echo json_encode(['success'=>true,'aliases'=>$map]);
+        break;
+
+    // ─── GAME ALIASES: save all ───────────────────────────
+    case 'game_aliases_save_all':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data    = json_decode(file_get_contents('php://input'), true);
+        $uid     = (int)($data['user_id'] ?? 0);
+        $aliases = $data['aliases'] ?? [];
+        if (!$uid) { echo json_encode(['success'=>false,'error'=>'user_id required']); exit; }
+        $stmt = db()->prepare("INSERT INTO game_aliases (user_id,platform_slug,alias) VALUES (?,?,?)
+            ON DUPLICATE KEY UPDATE alias=VALUES(alias)");
+        $del  = db()->prepare("DELETE FROM game_aliases WHERE user_id=? AND platform_slug=?");
+        foreach ($aliases as $slug => $alias) {
+            $slug  = preg_replace('/[^a-z0-9_]/', '', strtolower(trim($slug)));
+            $alias = substr(trim($alias), 0, 100);
+            if (!$slug) continue;
+            if ($alias === '') $del->execute([$uid, $slug]);
+            else $stmt->execute([$uid, $slug, $alias]);
+        }
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ─── PLATFORMS: admin list ────────────────────────────
+    case 'platforms_admin':
+        $rows = db()->query("SELECT * FROM platforms ORDER BY sort_order ASC, id ASC")->fetchAll();
+        echo json_encode(['success'=>true,'platforms'=>$rows]);
+        break;
+
+    // ─── PLATFORMS: create ────────────────────────────────
+    case 'platforms_create':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d = json_decode(file_get_contents('php://input'), true);
+        $slug = preg_replace('/[^a-z0-9_]/', '', strtolower(trim($d['slug'] ?? '')));
+        $name = substr(trim($d['name'] ?? ''), 0, 100);
+        $purl = substr(trim($d['player_url'] ?? ''), 0, 500);
+        $curl = substr(trim($d['console_url'] ?? ''), 0, 500);
+        $color= preg_match('/^#[0-9a-fA-F]{3,8}$/', $d['color']??'') ? $d['color'] : '#f0c040';
+        $sort = (int)($d['sort_order'] ?? 99);
+        $active=(int)(bool)($d['is_active'] ?? 1);
+        if (!$slug||!$name||!$purl) { echo json_encode(['success'=>false,'error'=>'Slug, name, and player URL required']); exit; }
+        try {
+            db()->prepare("INSERT INTO platforms (slug,name,player_url,console_url,color,sort_order,is_active) VALUES (?,?,?,?,?,?,?)")
+               ->execute([$slug,$name,$purl,$curl,$color,$sort,$active]);
+            echo json_encode(['success'=>true,'id'=>db()->lastInsertId()]);
+        } catch (Exception $e) { echo json_encode(['success'=>false,'error'=>'Slug already exists']); }
+        break;
+
+    // ─── PLATFORMS: update ────────────────────────────────
+    case 'platforms_update':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d = json_decode(file_get_contents('php://input'), true);
+        $id   = (int)($d['id'] ?? 0);
+        $name = substr(trim($d['name'] ?? ''), 0, 100);
+        $purl = substr(trim($d['player_url'] ?? ''), 0, 500);
+        $curl = substr(trim($d['console_url'] ?? ''), 0, 500);
+        $color= preg_match('/^#[0-9a-fA-F]{3,8}$/', $d['color']??'') ? $d['color'] : '#f0c040';
+        $sort = (int)($d['sort_order'] ?? 99);
+        $active=(int)(bool)($d['is_active'] ?? 1);
+        if (!$id||!$name||!$purl) { echo json_encode(['success'=>false,'error'=>'ID, name, and URL required']); exit; }
+        db()->prepare("UPDATE platforms SET name=?,player_url=?,console_url=?,color=?,sort_order=?,is_active=? WHERE id=?")
+           ->execute([$name,$purl,$curl,$color,$sort,$active,$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ─── PLATFORMS: delete ────────────────────────────────
+    case 'platforms_delete':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d  = json_decode(file_get_contents('php://input'), true);
+        $id = (int)($d['id'] ?? 0);
+        if (!$id) { echo json_encode(['success'=>false,'error'=>'ID required']); exit; }
+        db()->prepare("DELETE FROM platforms WHERE id=?")->execute([$id]);
+        echo json_encode(['success'=>true]);
+        break;
+    case 'billing_get':
+        $uid = (int)($_GET['user_id'] ?? 0);
+        if (!$uid) { echo json_encode(['success'=>false,'error'=>'user_id required']); exit; }
+        $stmt = db()->prepare("SELECT * FROM saved_billing WHERE user_id=?");
+        $stmt->execute([$uid]);
+        $row = $stmt->fetch();
+        // Admin sees masked card info
+        if ($row) {
+            $row['card_display'] = $row['card_brand'] && $row['card_last4']
+                ? $row['card_brand'] . ' ····' . $row['card_last4'] : null;
+            // Don't expose raw sq_card_id
+            unset($row['sq_card_id']);
+        }
+        echo json_encode(['success'=>true,'billing'=>$row ?: null]);
+        break;
+
+    // ─── BILLING: save/update ────────────────────────────────
+    case 'billing_save':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $uid  = (int)($data['user_id'] ?? 0);
+        if (!$uid) { echo json_encode(['success'=>false,'error'=>'user_id required']); exit; }
+        $stmt = db()->prepare("
+            INSERT INTO saved_billing (user_id,first_name,last_name,email,address,city,state,zip)
+            VALUES (?,?,?,?,?,?,?,?)
+            ON DUPLICATE KEY UPDATE
+                first_name=VALUES(first_name), last_name=VALUES(last_name),
+                email=VALUES(email), address=VALUES(address),
+                city=VALUES(city), state=VALUES(state), zip=VALUES(zip)
+        ");
+        $stmt->execute([
+            $uid,
+            substr(trim($data['first_name']??''),0,80),
+            substr(trim($data['last_name'] ??''),0,80),
+            substr(strtolower(trim($data['email']??'')),0,150),
+            substr(trim($data['address']   ??''),0,200),
+            substr(trim($data['city']      ??''),0,80),
+            strtoupper(substr(trim($data['state']??''),0,2)),
+            substr(trim($data['zip']       ??''),0,10),
+        ]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ─── BILLING: clear card ─────────────────────────────────
+    case 'billing_clear_card':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $uid  = (int)($data['user_id'] ?? 0);
+        db()->prepare("UPDATE saved_billing SET card_brand=NULL,card_last4=NULL,card_exp_month=NULL,card_exp_year=NULL,sq_card_id=NULL WHERE user_id=?")->execute([$uid]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ─── BILLING: clear all ──────────────────────────────────
+    case 'billing_clear_all':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $uid  = (int)($data['user_id'] ?? 0);
+        db()->prepare("DELETE FROM saved_billing WHERE user_id=?")->execute([$uid]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ─── RESEND VERIFICATION (from admin) ─────────────────────
+    case 'resend_verification':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $uid  = (int)($data['user_id'] ?? 0);
+        $stmt = db()->prepare("SELECT email,alias FROM users WHERE id=?");
+        $stmt->execute([$uid]);
+        $user = $stmt->fetch();
+        if (!$user) { echo json_encode(['success'=>false,'error'=>'User not found']); exit; }
+        $result = resendVerification($user['email']);
+        echo json_encode($result);
+        break;
+
+    // ─── CHAT: inbox list ──────────────────────────────────
+    case 'chat_inbox':
+        $rows = db()->query("
+            SELECT u.id AS user_id, u.username, u.alias,
+                   cm.message AS last_message, cm.sender AS last_sender,
+                   cm.created_at AS last_time,
+                   (SELECT COUNT(*) FROM chat_messages
+                    WHERE user_id=u.id AND sender='user' AND is_read=0) AS unread_count
+            FROM users u
+            INNER JOIN chat_messages cm ON cm.id=(
+                SELECT id FROM chat_messages WHERE user_id=u.id ORDER BY id DESC LIMIT 1
+            )
+            ORDER BY cm.created_at DESC
+        ")->fetchAll();
+        echo json_encode(['success'=>true,'inbox'=>$rows]);
+        break;
+
+    // ─── CHAT: full thread for one user ───────────────────
+    case 'chat_thread':
+        $tid   = (int)($_GET['user_id'] ?? 0);
+        $since = (int)($_GET['since']   ?? 0);
+        if (!$tid) { echo json_encode(['success'=>false,'error'=>'user_id required']); exit; }
+        $stmt = db()->prepare("SELECT id,sender,message,is_read,created_at FROM chat_messages WHERE user_id=? AND id>? ORDER BY id ASC LIMIT 300");
+        $stmt->execute([$tid, $since]);
+        // Mark user messages read
+        db()->prepare("UPDATE chat_messages SET is_read=1 WHERE user_id=? AND sender='user' AND is_read=0")->execute([$tid]);
+        $uStmt = db()->prepare("SELECT id,username,alias,tokens FROM users WHERE id=?");
+        $uStmt->execute([$tid]);
+        echo json_encode(['success'=>true,'messages'=>$stmt->fetchAll(),'user'=>$uStmt->fetch()]);
+        break;
+
+    // ─── CHAT: admin reply ────────────────────────────────
+    case 'chat_admin_send':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $tid  = (int)($data['user_id'] ?? 0);
+        $msg  = trim($data['message']  ?? '');
+        if (!$tid || empty($msg)) { echo json_encode(['success'=>false,'error'=>'Invalid']); exit; }
+        $stmt = db()->prepare("INSERT INTO chat_messages (user_id,sender,message) VALUES (?,'admin',?)");
+        $stmt->execute([$tid, $msg]);
+        echo json_encode(['success'=>true,'id'=>db()->lastInsertId()]);
+        break;
+
+    // ─── CHAT: clear single user thread ───────────────────
+    case 'chat_clear_thread':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $tid  = (int)($data['user_id'] ?? 0);
+        if (!$tid) { echo json_encode(['success'=>false,'error'=>'user_id required']); exit; }
+        db()->prepare("DELETE FROM chat_messages WHERE user_id=?")->execute([$tid]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ─── CHAT: clear ALL chats ────────────────────────────
+    case 'chat_clear_all':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        db()->exec("DELETE FROM chat_messages");
+        echo json_encode(['success'=>true]);
+        break;
+    case 'chat_unread':
+        $count = db()->query("SELECT COUNT(*) FROM chat_messages WHERE sender='user' AND is_read=0")->fetchColumn();
+        echo json_encode(['success'=>true,'count'=>(int)$count]);
+        break;
+
+    default:
+        echo json_encode(['success'=>false,'error'=>'Unknown action']);
+}
diff --git a/api/billing.php b/api/billing.php
new file mode 100644
index 0000000..5e6a8e2
--- /dev/null
+++ b/api/billing.php
@@ -0,0 +1,91 @@
+<?php
+require_once __DIR__ . '/../../includes/auth.php';
+header('Content-Type: application/json');
+
+if (!isLoggedIn()) { echo json_encode(['success'=>false,'error'=>'Not authenticated']); exit; }
+
+$action  = $_GET['action'] ?? '';
+$userId  = $_SESSION['user_id'];
+$isAdmin = !empty($_SESSION['is_admin']);
+
+switch ($action) {
+
+    // ── Get saved billing (user sees own; admin passes user_id param) ──
+    case 'get':
+        $uid = $isAdmin ? (int)($_GET['user_id'] ?? $userId) : $userId;
+        $stmt = db()->prepare("SELECT * FROM saved_billing WHERE user_id=?");
+        $stmt->execute([$uid]);
+        $row = $stmt->fetch();
+        if ($row && !$isAdmin) {
+            // Mask card number for non-admin
+            $row['card_display'] = $row['card_brand'] && $row['card_last4']
+                ? $row['card_brand'] . ' ····' . $row['card_last4']
+                : null;
+            unset($row['sq_card_id']);
+        }
+        echo json_encode(['success'=>true, 'billing'=>$row ?: null]);
+        break;
+
+    // ── Save / update billing info ─────────────────────────────
+    case 'save':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $uid  = $isAdmin && isset($data['user_id']) ? (int)$data['user_id'] : $userId;
+
+        $firstName = substr(trim($data['first_name'] ?? ''), 0, 80);
+        $lastName  = substr(trim($data['last_name']  ?? ''), 0, 80);
+        $email     = substr(strtolower(trim($data['email'] ?? '')), 0, 150);
+        $address   = substr(trim($data['address'] ?? ''), 0, 200);
+        $city      = substr(trim($data['city']    ?? ''), 0, 80);
+        $state     = strtoupper(substr(trim($data['state'] ?? ''), 0, 2));
+        $zip       = substr(trim($data['zip']     ?? ''), 0, 10);
+
+        // Card info — only update if provided
+        $cardBrand    = isset($data['card_brand'])    ? substr(trim($data['card_brand']),    0, 30)  : null;
+        $cardLast4    = isset($data['card_last4'])    ? substr(trim($data['card_last4']),    0, 4)   : null;
+        $cardExpMonth = isset($data['card_exp_month'])? substr(trim($data['card_exp_month']),0, 2)   : null;
+        $cardExpYear  = isset($data['card_exp_year']) ? substr(trim($data['card_exp_year']), 0, 4)   : null;
+        $sqCardId     = isset($data['sq_card_id'])    ? substr(trim($data['sq_card_id']),    0, 255) : null;
+
+        $stmt = db()->prepare("
+            INSERT INTO saved_billing
+                (user_id, first_name, last_name, email, address, city, state, zip,
+                 card_brand, card_last4, card_exp_month, card_exp_year, sq_card_id)
+            VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)
+            ON DUPLICATE KEY UPDATE
+                first_name=VALUES(first_name), last_name=VALUES(last_name),
+                email=VALUES(email), address=VALUES(address), city=VALUES(city),
+                state=VALUES(state), zip=VALUES(zip),
+                card_brand=COALESCE(VALUES(card_brand), card_brand),
+                card_last4=COALESCE(VALUES(card_last4), card_last4),
+                card_exp_month=COALESCE(VALUES(card_exp_month), card_exp_month),
+                card_exp_year=COALESCE(VALUES(card_exp_year), card_exp_year),
+                sq_card_id=COALESCE(VALUES(sq_card_id), sq_card_id)
+        ");
+        $stmt->execute([$uid,$firstName,$lastName,$email,$address,$city,$state,$zip,
+                        $cardBrand,$cardLast4,$cardExpMonth,$cardExpYear,$sqCardId]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ── Clear card info only ───────────────────────────────────
+    case 'clear_card':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $uid  = $isAdmin && isset($data['user_id']) ? (int)$data['user_id'] : $userId;
+        db()->prepare("UPDATE saved_billing SET card_brand=NULL, card_last4=NULL, card_exp_month=NULL, card_exp_year=NULL, sq_card_id=NULL WHERE user_id=?")
+             ->execute([$uid]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ── Clear all billing info ────────────────────────────────
+    case 'clear_all':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $uid  = $isAdmin && isset($data['user_id']) ? (int)$data['user_id'] : $userId;
+        db()->prepare("DELETE FROM saved_billing WHERE user_id=?")->execute([$uid]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    default:
+        echo json_encode(['success'=>false,'error'=>'Unknown action']);
+}
diff --git a/api/broadcast.php b/api/broadcast.php
new file mode 100644
index 0000000..09654e4
--- /dev/null
+++ b/api/broadcast.php
@@ -0,0 +1,89 @@
+<?php
+ob_start();
+try { require_once __DIR__ . '/../../includes/auth.php'; } catch(Throwable $e) { ob_end_clean(); header('Content-Type: application/json'); echo json_encode(['success'=>false,'error'=>'Server error']); exit; }
+ob_end_clean();
+header('Content-Type: application/json');
+
+if (!isLoggedIn()) { echo json_encode(['success'=>false,'error'=>'Not authenticated']); exit; }
+
+$action  = $_GET['action'] ?? 'list';
+$userId  = (int)$_SESSION['user_id'];
+$isAdmin = !empty($_SESSION['is_admin']);
+
+switch ($action) {
+
+    // ── List broadcasts for this user ─────────────────────
+    case 'list':
+        // Get broadcasts targeting this user
+        $stmt = db()->prepare("
+            SELECT b.*,
+                   u.username AS sender_name,
+                   u.alias    AS sender_alias,
+                   (SELECT COUNT(*) FROM broadcast_replies WHERE broadcast_id=b.id) AS reply_count,
+                   (SELECT COUNT(*) FROM broadcast_reads WHERE broadcast_id=b.id AND user_id=?) AS is_read,
+                   (SELECT COUNT(*) FROM broadcast_reads WHERE broadcast_id=b.id) AS read_count
+            FROM broadcasts b
+            JOIN users u ON b.admin_id = u.id
+            WHERE b.target = 'all'
+               OR (b.target = 'verified'   AND EXISTS(SELECT 1 FROM users WHERE id=? AND email_verified=1 AND is_admin=0))
+               OR (b.target = 'unverified' AND EXISTS(SELECT 1 FROM users WHERE id=? AND email_verified=0))
+               OR (b.target = 'admins'     AND ?)
+            ORDER BY b.sent_at DESC
+        ");
+        $stmt->execute([$userId, $userId, $userId, $isAdmin ? 1 : 0]);
+        echo json_encode(['success'=>true, 'broadcasts'=>$stmt->fetchAll()]);
+        break;
+
+    // ── Mark as read ──────────────────────────────────────
+    case 'mark_read':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d  = json_decode(file_get_contents('php://input'), true);
+        $bid= (int)($d['broadcast_id'] ?? 0);
+        if (!$bid) { echo json_encode(['success'=>false]); exit; }
+        db()->prepare("INSERT IGNORE INTO broadcast_reads (broadcast_id,user_id) VALUES (?,?)")->execute([$bid,$userId]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ── Get replies for a broadcast ───────────────────────
+    case 'replies':
+        $bid = (int)($_GET['broadcast_id'] ?? 0);
+        if (!$bid) { echo json_encode(['success'=>false]); exit; }
+        $stmt = db()->prepare("
+            SELECT br.*, u.username, u.alias, u.is_admin
+            FROM broadcast_replies br
+            JOIN users u ON br.user_id = u.id
+            WHERE br.broadcast_id = ?
+            ORDER BY br.created_at ASC
+        ");
+        $stmt->execute([$bid]);
+        echo json_encode(['success'=>true,'replies'=>$stmt->fetchAll()]);
+        break;
+
+    // ── Post a reply ──────────────────────────────────────
+    case 'reply':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d   = json_decode(file_get_contents('php://input'), true);
+        $bid = (int)($d['broadcast_id'] ?? 0);
+        $msg = substr(trim($d['message'] ?? ''), 0, 1000);
+        if (!$bid || !$msg) { echo json_encode(['success'=>false,'error'=>'broadcast_id and message required']); exit; }
+        db()->prepare("INSERT INTO broadcast_replies (broadcast_id,user_id,message) VALUES (?,?,?)")->execute([$bid,$userId,$msg]);
+        db()->prepare("INSERT IGNORE INTO broadcast_reads (broadcast_id,user_id) VALUES (?,?)")->execute([$bid,$userId]);
+        echo json_encode(['success'=>true,'id'=>db()->lastInsertId()]);
+        break;
+
+    // ── Unread count ──────────────────────────────────────
+    case 'unread_count':
+        $stmt = db()->prepare("
+            SELECT COUNT(*) FROM broadcasts b
+            WHERE (b.target='all' OR (b.target='verified' AND EXISTS(SELECT 1 FROM users WHERE id=? AND email_verified=1 AND is_admin=0))
+                   OR (b.target='unverified' AND EXISTS(SELECT 1 FROM users WHERE id=? AND email_verified=0))
+                   OR (b.target='admins' AND ?))
+            AND NOT EXISTS (SELECT 1 FROM broadcast_reads WHERE broadcast_id=b.id AND user_id=?)
+        ");
+        $stmt->execute([$userId,$userId,$isAdmin?1:0,$userId]);
+        echo json_encode(['success'=>true,'count'=>(int)$stmt->fetchColumn()]);
+        break;
+
+    default:
+        echo json_encode(['success'=>false,'error'=>'Unknown action']);
+}
diff --git a/api/cashout.php b/api/cashout.php
new file mode 100644
index 0000000..6cc2bd3
--- /dev/null
+++ b/api/cashout.php
@@ -0,0 +1,148 @@
+<?php
+ob_start();
+require_once __DIR__ . '/../../includes/auth.php';
+ob_end_clean();
+
+header('Content-Type: application/json');
+
+if (!isLoggedIn()) { echo json_encode(['success'=>false,'error'=>'Not authenticated']); exit; }
+
+$userId  = (int)$_SESSION['user_id'];
+$method  = $_SERVER['REQUEST_METHOD'];
+
+// ══════════════════════════════════════════════════════════
+// GET — player's own requests (list, delete, update, lock)
+// ══════════════════════════════════════════════════════════
+if ($method === 'GET') {
+    $action = $_GET['action'] ?? 'list';
+
+    if ($action === 'list') {
+        $stmt = db()->prepare("
+            SELECT cr.*,
+                   COALESCE(p.name, cr.platform_id) AS platform_name
+            FROM cashout_requests cr
+            LEFT JOIN platforms p ON cr.platform_id = p.slug
+            WHERE cr.user_id = ?
+            ORDER BY cr.created_at DESC
+            LIMIT 50
+        ");
+        $stmt->execute([$userId]);
+        echo json_encode(['success'=>true, 'requests'=>$stmt->fetchAll()]);
+        exit;
+    }
+
+    if ($action === 'delete') {
+        $id  = (int)($_GET['id'] ?? 0);
+        $chk = db()->prepare("SELECT id,tokens FROM cashout_requests WHERE id=? AND user_id=? AND status='pending'");
+        $chk->execute([$id, $userId]);
+        $row = $chk->fetch();
+        if (!$row) { echo json_encode(['success'=>false,'error'=>'Request not found or already locked']); exit; }
+        db()->prepare("UPDATE users SET tokens=tokens+? WHERE id=?")->execute([$row['tokens'], $userId]);
+        db()->prepare("DELETE FROM cashout_requests WHERE id=?")->execute([$id]);
+        $nb = db()->prepare("SELECT tokens FROM users WHERE id=?");
+        $nb->execute([$userId]);
+        echo json_encode(['success'=>true,'new_balance'=>(float)$nb->fetchColumn()]);
+        exit;
+    }
+
+    if ($action === 'update') {
+        $id      = (int)($_GET['id'] ?? 0);
+        $tokens  = (float)($_GET['tokens'] ?? 0);
+        $alias   = substr(trim($_GET['alias'] ?? ''), 0, 100);
+        $chk     = db()->prepare("SELECT id,tokens AS old_tokens FROM cashout_requests WHERE id=? AND user_id=? AND status='pending'");
+        $chk->execute([$id, $userId]);
+        $row     = $chk->fetch();
+        if (!$row)       { echo json_encode(['success'=>false,'error'=>'Request not found or already locked']); exit; }
+        if ($tokens < 1) { echo json_encode(['success'=>false,'error'=>'Minimum 1 token']); exit; }
+        $diff    = $tokens - $row['old_tokens'];
+        if ($diff > 0) {
+            $balChk = db()->prepare("SELECT tokens FROM users WHERE id=?");
+            $balChk->execute([$userId]);
+            if ($diff > (float)$balChk->fetchColumn()) { echo json_encode(['success'=>false,'error'=>'Insufficient balance']); exit; }
+        }
+        db()->beginTransaction();
+        db()->prepare("UPDATE users SET tokens=tokens-? WHERE id=?")->execute([$diff, $userId]);
+        db()->prepare("UPDATE cashout_requests SET tokens=?,alias=? WHERE id=?")->execute([$tokens, $alias, $id]);
+        db()->commit();
+        echo json_encode(['success'=>true]);
+        exit;
+    }
+
+    if ($action === 'lock') {
+        $id  = (int)($_GET['id'] ?? 0);
+        $chk = db()->prepare("SELECT id FROM cashout_requests WHERE id=? AND user_id=? AND status='pending'");
+        $chk->execute([$id, $userId]);
+        if (!$chk->fetch()) { echo json_encode(['success'=>false,'error'=>'Request not found']); exit; }
+        try {
+            db()->exec("ALTER TABLE cashout_requests MODIFY COLUMN status ENUM('pending','locked','sent','approved','rejected','deleted') DEFAULT 'pending'");
+        } catch (Exception $e) {}
+        db()->prepare("UPDATE cashout_requests SET status='locked' WHERE id=?")->execute([$id]);
+        echo json_encode(['success'=>true]);
+        exit;
+    }
+
+    echo json_encode(['success'=>false,'error'=>'Unknown action']);
+    exit;
+}
+
+// ══════════════════════════════════════════════════════════
+// POST — submit new cashout request
+// ══════════════════════════════════════════════════════════
+if ($method !== 'POST') { echo json_encode(['success'=>false,'error'=>'Method not allowed']); exit; }
+
+$data             = json_decode(file_get_contents('php://input'), true);
+$platformId       = trim($data['platform_id']        ?? '');
+$alias            = trim($data['alias']               ?? '');
+$tokens           = (float)($data['tokens']           ?? 0);
+$payoutMethodId   = (int)($data['payout_method_id']   ?? 0);
+$payoutMethodType = trim($data['payout_method_type']  ?? '');
+$payoutHandle     = trim($data['payout_handle']       ?? '');
+
+// Validate platform
+$platStmt = db()->prepare("SELECT slug FROM platforms WHERE slug=? AND is_active=1 LIMIT 1");
+$platStmt->execute([$platformId]);
+if (!$platStmt->fetch()) {
+    $platforms = json_decode(PLATFORMS, true);
+    if (empty(array_filter($platforms, fn($p) => $p['id'] === $platformId))) {
+        echo json_encode(['success'=>false,'error'=>'Invalid platform.']); exit;
+    }
+}
+
+if (empty($alias)) { echo json_encode(['success'=>false,'error'=>'Platform alias required.']); exit; }
+if ($tokens < 1)   { echo json_encode(['success'=>false,'error'=>'Minimum cashout is 1 token.']); exit; }
+
+// Validate payout method
+if ($payoutMethodId) {
+    $chk = db()->prepare("SELECT method_type,account_handle FROM payout_methods WHERE id=? AND user_id=?");
+    $chk->execute([$payoutMethodId, $userId]);
+    if ($pm = $chk->fetch()) {
+        $payoutMethodType = $pm['method_type'];
+        $payoutHandle     = $pm['account_handle'];
+    }
+}
+
+// Check balance
+$balStmt = db()->prepare("SELECT tokens FROM users WHERE id=?");
+$balStmt->execute([$userId]);
+$balance = (float)$balStmt->fetchColumn();
+if ($tokens > $balance) { echo json_encode(['success'=>false,'error'=>'Insufficient token balance.']); exit; }
+
+// Deduct & create
+db()->beginTransaction();
+try {
+    db()->prepare("UPDATE users SET tokens=tokens-? WHERE id=?")->execute([$tokens, $userId]);
+    db()->prepare("INSERT INTO cashout_requests (user_id,platform_id,alias,tokens,payout_method_type,payout_handle) VALUES (?,?,?,?,?,?)")
+       ->execute([$userId, $platformId, $alias, $tokens, $payoutMethodType, $payoutHandle]);
+    db()->commit();
+} catch (Exception $e) {
+    db()->rollBack();
+    echo json_encode(['success'=>false,'error'=>'Request failed. Try again.']); exit;
+}
+
+$newBalStmt = db()->prepare("SELECT tokens FROM users WHERE id=?");
+$newBalStmt->execute([$userId]);
+$nb = (float)$newBalStmt->fetchColumn();
+
+try { logActivity('cashout_request', $userId, null, 'cashout', 0, "Cashout: {$tokens} tokens via {$payoutMethodType}"); } catch(Exception $e){}
+
+echo json_encode(['success'=>true, 'new_balance'=>$nb]);
diff --git a/api/cashout_method_types.php b/api/cashout_method_types.php
new file mode 100644
index 0000000..b0cc1b4
--- /dev/null
+++ b/api/cashout_method_types.php
@@ -0,0 +1,73 @@
+<?php
+ob_start();
+try { require_once __DIR__ . '/../../includes/auth.php'; } catch(Throwable $e) { ob_end_clean(); header('Content-Type: application/json'); echo json_encode(['success'=>false,'error'=>'Server error']); exit; }
+ob_end_clean();
+header('Content-Type: application/json');
+
+$action  = $_GET['action'] ?? 'list';
+$isAdmin = isLoggedIn() && !empty($_SESSION['is_admin']);
+
+switch ($action) {
+
+    // Public: active types for player dropdown
+    case 'list':
+        $rows = db()->query("SELECT slug,label,icon,description FROM cashout_method_types WHERE is_active=1 ORDER BY sort_order ASC, id ASC")->fetchAll();
+        echo json_encode(['success'=>true, 'types'=>$rows]);
+        break;
+
+    // Admin: all types
+    case 'admin_list':
+        if (!$isAdmin) { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+        $rows = db()->query("SELECT * FROM cashout_method_types ORDER BY sort_order ASC, id ASC")->fetchAll();
+        echo json_encode(['success'=>true, 'types'=>$rows]);
+        break;
+
+    // Admin: create
+    case 'create':
+        if (!$isAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+        $d    = json_decode(file_get_contents('php://input'), true);
+        $slug = preg_replace('/[^a-z0-9_]/', '', strtolower(trim($d['slug'] ?? '')));
+        $label= substr(trim($d['label'] ?? ''), 0, 100);
+        $icon = substr(trim($d['icon'] ?? '💰'), 0, 10);
+        $desc = substr(trim($d['description'] ?? ''), 0, 200);
+        $sort = (int)($d['sort_order'] ?? 99);
+        $active = (int)(bool)($d['is_active'] ?? 1);
+        if (!$slug || !$label) { echo json_encode(['success'=>false,'error'=>'Slug and label required']); exit; }
+        try {
+            db()->prepare("INSERT INTO cashout_method_types (slug,label,icon,description,is_active,sort_order) VALUES (?,?,?,?,?,?)")
+               ->execute([$slug,$label,$icon,$desc,$active,$sort]);
+            echo json_encode(['success'=>true,'id'=>db()->lastInsertId()]);
+        } catch (Exception $e) {
+            echo json_encode(['success'=>false,'error'=>'Slug already exists']);
+        }
+        break;
+
+    // Admin: update
+    case 'update':
+        if (!$isAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+        $d    = json_decode(file_get_contents('php://input'), true);
+        $id   = (int)($d['id'] ?? 0);
+        $label= substr(trim($d['label'] ?? ''), 0, 100);
+        $icon = substr(trim($d['icon'] ?? '💰'), 0, 10);
+        $desc = substr(trim($d['description'] ?? ''), 0, 200);
+        $sort = (int)($d['sort_order'] ?? 0);
+        $active = (int)(bool)($d['is_active'] ?? 1);
+        if (!$id || !$label) { echo json_encode(['success'=>false,'error'=>'ID and label required']); exit; }
+        db()->prepare("UPDATE cashout_method_types SET label=?,icon=?,description=?,is_active=?,sort_order=? WHERE id=?")
+           ->execute([$label,$icon,$desc,$active,$sort,$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // Admin: delete
+    case 'delete':
+        if (!$isAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+        $d  = json_decode(file_get_contents('php://input'), true);
+        $id = (int)($d['id'] ?? 0);
+        if (!$id) { echo json_encode(['success'=>false,'error'=>'ID required']); exit; }
+        db()->prepare("DELETE FROM cashout_method_types WHERE id=?")->execute([$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    default:
+        echo json_encode(['success'=>false,'error'=>'Unknown action']);
+}
diff --git a/api/chat.php b/api/chat.php
new file mode 100644
index 0000000..daf0bad
--- /dev/null
+++ b/api/chat.php
@@ -0,0 +1,124 @@
+<?php
+require_once __DIR__ . '/../../includes/auth.php';
+header('Content-Type: application/json');
+
+if (!isLoggedIn()) { echo json_encode(['success'=>false,'error'=>'Not authenticated']); exit; }
+
+$action = $_GET['action'] ?? '';
+$userId = $_SESSION['user_id'];
+$isAdmin = !empty($_SESSION['is_admin']);
+
+switch ($action) {
+
+    // ── User: get own messages ─────────────────────────────
+    case 'messages':
+        $since = (int)($_GET['since'] ?? 0); // last message id for polling
+        $stmt = db()->prepare("
+            SELECT id, sender, message, is_read, created_at
+            FROM chat_messages
+            WHERE user_id = ? AND id > ?
+            ORDER BY id ASC
+            LIMIT 100
+        ");
+        $stmt->execute([$userId, $since]);
+        $msgs = $stmt->fetchAll();
+
+        // Mark admin messages as read
+        db()->prepare("UPDATE chat_messages SET is_read=1 WHERE user_id=? AND sender='admin' AND is_read=0")->execute([$userId]);
+
+        echo json_encode(['success'=>true, 'messages'=>$msgs]);
+        break;
+
+    // ── User: send message to admin ───────────────────────
+    case 'send':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data = json_decode(file_get_contents('php://input'), true);
+        $msg  = trim($data['message'] ?? '');
+        if (empty($msg) || mb_strlen($msg) > 2000) { echo json_encode(['success'=>false,'error'=>'Invalid message']); exit; }
+
+        $stmt = db()->prepare("INSERT INTO chat_messages (user_id, sender, message) VALUES (?, 'user', ?)");
+        $stmt->execute([$userId, $msg]);
+        echo json_encode(['success'=>true, 'id'=>db()->lastInsertId()]);
+        break;
+
+    // ── Admin: get inbox list (one row per user, latest msg) ──
+    case 'admin_inbox':
+        if (!$isAdmin) { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+        $rows = db()->query("
+            SELECT
+                u.id AS user_id,
+                u.username,
+                u.alias,
+                cm.message AS last_message,
+                cm.sender  AS last_sender,
+                cm.created_at AS last_time,
+                SUM(CASE WHEN cm2.sender='user' AND cm2.is_read=0 THEN 1 ELSE 0 END) AS unread_count
+            FROM users u
+            JOIN chat_messages cm ON cm.id = (
+                SELECT id FROM chat_messages
+                WHERE user_id = u.id
+                ORDER BY id DESC LIMIT 1
+            )
+            LEFT JOIN chat_messages cm2 ON cm2.user_id = u.id
+            GROUP BY u.id, u.username, u.alias, cm.message, cm.sender, cm.created_at
+            ORDER BY cm.created_at DESC
+        ")->fetchAll();
+        echo json_encode(['success'=>true, 'inbox'=>$rows]);
+        break;
+
+    // ── Admin: get all messages for a specific user ────────
+    case 'admin_thread':
+        if (!$isAdmin) { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+        $tid   = (int)($_GET['user_id'] ?? 0);
+        $since = (int)($_GET['since']   ?? 0);
+        if (!$tid) { echo json_encode(['success'=>false,'error'=>'user_id required']); exit; }
+
+        $stmt = db()->prepare("
+            SELECT id, sender, message, is_read, created_at
+            FROM chat_messages
+            WHERE user_id = ? AND id > ?
+            ORDER BY id ASC LIMIT 200
+        ");
+        $stmt->execute([$tid, $since]);
+        $msgs = $stmt->fetchAll();
+
+        // Mark user messages as read
+        db()->prepare("UPDATE chat_messages SET is_read=1 WHERE user_id=? AND sender='user' AND is_read=0")->execute([$tid]);
+
+        // Get user info
+        $uStmt = db()->prepare("SELECT id, username, alias, tokens FROM users WHERE id=?");
+        $uStmt->execute([$tid]);
+        $user = $uStmt->fetch();
+
+        echo json_encode(['success'=>true, 'messages'=>$msgs, 'user'=>$user]);
+        break;
+
+    // ── Admin: reply to a user ────────────────────────────
+    case 'admin_send':
+        if (!$isAdmin) { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data   = json_decode(file_get_contents('php://input'), true);
+        $tid    = (int)($data['user_id'] ?? 0);
+        $msg    = trim($data['message'] ?? '');
+        if (!$tid || empty($msg) || mb_strlen($msg) > 2000) { echo json_encode(['success'=>false,'error'=>'Invalid']); exit; }
+
+        $stmt = db()->prepare("INSERT INTO chat_messages (user_id, sender, message) VALUES (?, 'admin', ?)");
+        $stmt->execute([$tid, $msg]);
+        echo json_encode(['success'=>true, 'id'=>db()->lastInsertId()]);
+        break;
+
+    // ── Unread count (for badge) ──────────────────────────
+    case 'unread':
+        if ($isAdmin) {
+            $count = db()->query("SELECT COUNT(*) FROM chat_messages WHERE sender='user' AND is_read=0")->fetchColumn();
+        } else {
+            $stmt = db()->prepare("SELECT COUNT(*) FROM chat_messages WHERE user_id=? AND sender='admin' AND is_read=0");
+            $stmt->execute([$userId]);
+            $count = $stmt->fetchColumn();
+        }
+        echo json_encode(['success'=>true, 'count'=>(int)$count]);
+        break;
+
+    default:
+        echo json_encode(['success'=>false,'error'=>'Unknown action']);
+}
diff --git a/api/game_aliases.php b/api/game_aliases.php
new file mode 100644
index 0000000..3832cc4
--- /dev/null
+++ b/api/game_aliases.php
@@ -0,0 +1,65 @@
+<?php
+ob_start();
+try { require_once __DIR__ . '/../../includes/auth.php'; } catch(Throwable $e) { ob_end_clean(); header('Content-Type: application/json'); echo json_encode(['success'=>false,'error'=>'Server error']); exit; }
+ob_end_clean();
+header('Content-Type: application/json');
+
+if (!isLoggedIn()) { echo json_encode(['success'=>false,'error'=>'Not authenticated']); exit; }
+
+$action  = $_GET['action'] ?? '';
+$userId  = $_SESSION['user_id'];
+$isAdmin = !empty($_SESSION['is_admin']);
+
+switch ($action) {
+
+    // ── Get all aliases for a user ────────────────────────
+    case 'get':
+        $uid = $isAdmin ? (int)($_GET['user_id'] ?? $userId) : $userId;
+        $stmt = db()->prepare("SELECT platform_slug, alias FROM game_aliases WHERE user_id=?");
+        $stmt->execute([$uid]);
+        $rows = $stmt->fetchAll();
+        $map  = [];
+        foreach ($rows as $r) $map[$r['platform_slug']] = $r['alias'];
+        echo json_encode(['success'=>true, 'aliases'=>$map]);
+        break;
+
+    // ── Save a single alias ───────────────────────────────
+    case 'save':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data  = json_decode(file_get_contents('php://input'), true);
+        $uid   = $isAdmin && isset($data['user_id']) ? (int)$data['user_id'] : $userId;
+        $slug  = preg_replace('/[^a-z0-9_]/', '', strtolower(trim($data['platform_slug'] ?? '')));
+        $alias = substr(trim($data['alias'] ?? ''), 0, 100);
+        if (!$slug) { echo json_encode(['success'=>false,'error'=>'Platform slug required']); exit; }
+        if ($alias === '') {
+            // Empty alias = delete it
+            db()->prepare("DELETE FROM game_aliases WHERE user_id=? AND platform_slug=?")->execute([$uid,$slug]);
+        } else {
+            db()->prepare("INSERT INTO game_aliases (user_id,platform_slug,alias) VALUES (?,?,?)
+                ON DUPLICATE KEY UPDATE alias=VALUES(alias)")->execute([$uid,$slug,$alias]);
+        }
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ── Save all aliases at once (bulk) ───────────────────
+    case 'save_all':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $data    = json_decode(file_get_contents('php://input'), true);
+        $uid     = $isAdmin && isset($data['user_id']) ? (int)$data['user_id'] : $userId;
+        $aliases = $data['aliases'] ?? [];
+        $stmt    = db()->prepare("INSERT INTO game_aliases (user_id,platform_slug,alias) VALUES (?,?,?)
+            ON DUPLICATE KEY UPDATE alias=VALUES(alias)");
+        $del     = db()->prepare("DELETE FROM game_aliases WHERE user_id=? AND platform_slug=?");
+        foreach ($aliases as $slug => $alias) {
+            $slug  = preg_replace('/[^a-z0-9_]/', '', strtolower(trim($slug)));
+            $alias = substr(trim($alias), 0, 100);
+            if (!$slug) continue;
+            if ($alias === '') $del->execute([$uid, $slug]);
+            else $stmt->execute([$uid, $slug, $alias]);
+        }
+        echo json_encode(['success'=>true]);
+        break;
+
+    default:
+        echo json_encode(['success'=>false,'error'=>'Unknown action']);
+}
diff --git a/api/login.php b/api/login.php
new file mode 100644
index 0000000..e263a49
--- /dev/null
+++ b/api/login.php
@@ -0,0 +1,37 @@
+<?php
+ob_start();
+try {
+    require_once __DIR__ . '/../../includes/auth.php';
+} catch (Throwable $e) {
+    ob_end_clean();
+    header('Content-Type: application/json');
+    echo json_encode(['success'=>false,'error'=>'Server error']);
+    exit;
+}
+ob_end_clean();
+header('Content-Type: application/json');
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+    echo json_encode(['success'=>false,'error'=>'Method not allowed']); exit;
+}
+
+$data     = json_decode(file_get_contents('php://input'), true);
+$username = trim($data['username'] ?? '');
+$password = trim($data['password'] ?? '');
+
+if (empty($username) || empty($password)) {
+    echo json_encode(['success'=>false,'error'=>'Username and password required']); exit;
+}
+
+try {
+    $result = loginUser($username, $password);
+} catch (Throwable $e) {
+    echo json_encode(['success'=>false,'error'=>'Login error. Please try again.']); exit;
+}
+
+if ($result['success'] && isset($result['user'])) {
+    logPlayerAction('LOGIN_SUCCESS', $result['user']['id'], 'User logged in', 'auth', 'info');
+    unset($result['user']['password']);
+}
+if (!$result['success']) { logSecurityEvent('LOGIN_FAILED', null, 'Failed login attempt for: ' . $username, 'warning'); }
+echo json_encode($result);
diff --git a/api/logout.php b/api/logout.php
new file mode 100644
index 0000000..2afa501
--- /dev/null
+++ b/api/logout.php
@@ -0,0 +1,5 @@
+<?php
+require_once __DIR__ . '/../../includes/auth.php';
+header('Content-Type: application/json');
+logoutUser();
+echo json_encode(['success' => true]);
diff --git a/api/me.php b/api/me.php
new file mode 100644
index 0000000..8b77479
--- /dev/null
+++ b/api/me.php
@@ -0,0 +1,35 @@
+<?php
+ob_start();
+try {
+    require_once __DIR__ . '/../../includes/auth.php';
+} catch (Throwable $e) {
+    ob_end_clean();
+    header('Content-Type: application/json');
+    echo json_encode(['success' => false, 'error' => 'Server error']);
+    exit;
+}
+ob_end_clean();
+header('Content-Type: application/json');
+
+if (!isLoggedIn()) {
+    echo json_encode(['success' => false, 'error' => 'Not authenticated']);
+    exit;
+}
+
+try {
+    $user = currentUser();
+} catch (Throwable $e) {
+    echo json_encode(['success' => false, 'error' => 'DB error']);
+    exit;
+}
+
+if (!$user) {
+    echo json_encode(['success' => false, 'error' => 'User not found']);
+    exit;
+}
+
+// Sync session is_admin with DB value — catches admin elevation/demotion
+$_SESSION['is_admin'] = (int)$user['is_admin'];
+
+unset($user['password']);
+echo json_encode(['success' => true, 'user' => $user]);
diff --git a/api/my_activity.php b/api/my_activity.php
new file mode 100644
index 0000000..b6268d6
--- /dev/null
+++ b/api/my_activity.php
@@ -0,0 +1,76 @@
+<?php
+ob_start();
+require_once __DIR__ . '/../../includes/auth.php';
+ob_end_clean();
+header('Content-Type: application/json');
+
+if (!isLoggedIn()) { echo json_encode(['success'=>false,'error'=>'Not authenticated']); exit; }
+
+$userId = (int)$_SESSION['user_id'];
+$action = $_GET['action'] ?? 'all';
+
+// ── Purchases ──────────────────────────────────────────────
+if ($action === 'all' || $action === 'purchases') {
+    $stmt = db()->prepare("
+        SELECT id, tokens, amount_cents, payment_method, platform_id, game_alias,
+               card_brand, card_last4, status, admin_note, created_at
+        FROM token_purchases
+        WHERE user_id=?
+        ORDER BY created_at DESC
+        LIMIT 50
+    ");
+    $stmt->execute([$userId]);
+    $purchases = $stmt->fetchAll();
+}
+
+// ── Cashouts ───────────────────────────────────────────────
+if ($action === 'all' || $action === 'cashouts') {
+    $stmt = db()->prepare("
+        SELECT cr.*,
+               COALESCE(p.name, cr.platform_id) AS platform_name
+        FROM cashout_requests cr
+        LEFT JOIN platforms p ON cr.platform_id = p.slug
+        WHERE cr.user_id=?
+        ORDER BY cr.created_at DESC
+        LIMIT 50
+    ");
+    $stmt->execute([$userId]);
+    $cashouts = $stmt->fetchAll();
+}
+
+// ── Broadcasts/Invites (use broadcasts as announcements) ───
+if ($action === 'all' || $action === 'broadcasts') {
+    $stmt = db()->prepare("
+        SELECT b.id, b.subject, b.message, b.sent_at,
+               u.username AS sender,
+               (SELECT COUNT(*) FROM broadcast_reads WHERE broadcast_id=b.id AND user_id=?) AS is_read,
+               (SELECT COUNT(*) FROM broadcast_replies WHERE broadcast_id=b.id AND user_id=?) AS replied
+        FROM broadcasts b
+        JOIN users u ON b.admin_id=u.id
+        WHERE b.target='all'
+           OR (b.target='verified'   AND EXISTS(SELECT 1 FROM users WHERE id=? AND email_verified=1))
+           OR (b.target='unverified' AND EXISTS(SELECT 1 FROM users WHERE id=? AND email_verified=0))
+           OR (b.target='admins'     AND 0)
+        ORDER BY b.sent_at DESC
+        LIMIT 20
+    ");
+    $stmt->execute([$userId,$userId,$userId,$userId]);
+    $broadcasts = $stmt->fetchAll();
+}
+
+if ($action === 'all') {
+    echo json_encode([
+        'success'    => true,
+        'purchases'  => $purchases,
+        'cashouts'   => $cashouts,
+        'broadcasts' => $broadcasts,
+    ]);
+} elseif ($action === 'purchases') {
+    echo json_encode(['success'=>true,'purchases'=>$purchases]);
+} elseif ($action === 'cashouts') {
+    echo json_encode(['success'=>true,'cashouts'=>$cashouts]);
+} elseif ($action === 'broadcasts') {
+    echo json_encode(['success'=>true,'broadcasts'=>$broadcasts]);
+} else {
+    echo json_encode(['success'=>false,'error'=>'Unknown action']);
+}
diff --git a/api/my_purchases.php b/api/my_purchases.php
new file mode 100644
index 0000000..b340f8f
--- /dev/null
+++ b/api/my_purchases.php
@@ -0,0 +1,17 @@
+<?php
+require_once __DIR__ . '/../../includes/auth.php';
+header('Content-Type: application/json');
+
+if (!isLoggedIn()) { echo json_encode(['success'=>false,'error'=>'Not authenticated']); exit; }
+
+$userId = $_SESSION['user_id'];
+$stmt = db()->prepare("
+    SELECT id, tokens, amount_cents, payment_method, platform_id, game_alias,
+           card_brand, card_last4, status, created_at
+    FROM token_purchases
+    WHERE user_id = ?
+    ORDER BY created_at DESC
+    LIMIT 20
+");
+$stmt->execute([$userId]);
+echo json_encode(['success'=>true, 'purchases'=>$stmt->fetchAll()]);
diff --git a/api/payment_settings.php b/api/payment_settings.php
new file mode 100644
index 0000000..d4f5267
--- /dev/null
+++ b/api/payment_settings.php
@@ -0,0 +1,44 @@
+<?php
+ob_start();
+try { require_once __DIR__ . '/../../includes/auth.php'; } catch(Throwable $e) { ob_end_clean(); header('Content-Type: application/json'); echo json_encode(['success'=>false,'error'=>'Server error']); exit; }
+ob_end_clean();
+header('Content-Type: application/json');
+
+$action  = $_GET['action'] ?? 'list';
+$isAdmin = isLoggedIn() && !empty($_SESSION['is_admin']);
+
+switch ($action) {
+
+    // Public: get all enabled payment methods including card status
+    case 'list':
+        // Include card row (is_enabled controls whether card appears at checkout)
+        $rows = db()->query("SELECT method_key, label, handle, instructions, is_enabled FROM payment_settings ORDER BY sort_order ASC, id ASC")->fetchAll();
+        echo json_encode(['success'=>true, 'methods'=>$rows]);
+        break;
+
+    // Admin: get all methods including disabled
+    case 'admin_list':
+        if (!$isAdmin) { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+        $rows = db()->query("SELECT * FROM payment_settings ORDER BY sort_order ASC, id ASC")->fetchAll();
+        echo json_encode(['success'=>true, 'methods'=>$rows]);
+        break;
+
+    // Admin: update a single method
+    case 'update':
+        if (!$isAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d    = json_decode(file_get_contents('php://input'), true);
+        $id   = (int)($d['id'] ?? 0);
+        $label= substr(trim($d['label']??''), 0, 100);
+        $handle = substr(trim($d['handle']??''), 0, 200);
+        $instructions = substr(trim($d['instructions']??''), 0, 500);
+        $enabled = (int)(bool)($d['is_enabled'] ?? 1);
+        $sort  = (int)($d['sort_order'] ?? 0);
+        if (!$id) { echo json_encode(['success'=>false,'error'=>'ID required']); exit; }
+        db()->prepare("UPDATE payment_settings SET label=?,handle=?,instructions=?,is_enabled=?,sort_order=? WHERE id=?")
+             ->execute([$label,$handle,$instructions,$enabled,$sort,$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    default:
+        echo json_encode(['success'=>false,'error'=>'Unknown action']);
+}
diff --git a/api/payout_methods.php b/api/payout_methods.php
new file mode 100644
index 0000000..95249f7
--- /dev/null
+++ b/api/payout_methods.php
@@ -0,0 +1,75 @@
+<?php
+ob_start();
+try { require_once __DIR__ . '/../../includes/auth.php'; } catch(Throwable $e) { ob_end_clean(); header('Content-Type: application/json'); echo json_encode(['success'=>false,'error'=>'Server error']); exit; }
+ob_end_clean();
+header('Content-Type: application/json');
+
+if (!isLoggedIn()) { echo json_encode(['success'=>false,'error'=>'Not authenticated']); exit; }
+
+$action  = $_GET['action'] ?? '';
+$userId  = (int)$_SESSION['user_id'];
+$isAdmin = !empty($_SESSION['is_admin']);
+
+switch ($action) {
+
+    case 'list':
+        $uid = $isAdmin ? (int)($_GET['user_id'] ?? $userId) : $userId;
+        $rows = db()->prepare("SELECT * FROM payout_methods WHERE user_id=? ORDER BY is_default DESC, id ASC");
+        $rows->execute([$uid]);
+        echo json_encode(['success'=>true, 'methods'=>$rows->fetchAll()]);
+        break;
+
+    case 'add':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d = json_decode(file_get_contents('php://input'), true);
+        $uid   = $isAdmin && isset($d['user_id']) ? (int)$d['user_id'] : $userId;
+        $type  = preg_replace('/[^a-z0-9_]/', '', strtolower(trim($d['method_type'] ?? '')));
+        $label = substr(trim($d['label'] ?? ''), 0, 100);
+        $handle= substr(trim($d['account_handle'] ?? ''), 0, 200);
+        $def   = (int)(bool)($d['is_default'] ?? 0);
+        if (!$type || !$label || !$handle) { echo json_encode(['success'=>false,'error'=>'All fields required']); exit; }
+        db()->beginTransaction();
+        if ($def) db()->prepare("UPDATE payout_methods SET is_default=0 WHERE user_id=?")->execute([$uid]);
+        // If first method, auto-set as default
+        $count = db()->prepare("SELECT COUNT(*) FROM payout_methods WHERE user_id=?"); $count->execute([$uid]);
+        if ((int)$count->fetchColumn() === 0) $def = 1;
+        db()->prepare("INSERT INTO payout_methods (user_id,method_type,label,account_handle,is_default) VALUES (?,?,?,?,?)")
+           ->execute([$uid,$type,$label,$handle,$def]);
+        $newId = db()->lastInsertId();
+        db()->commit();
+        echo json_encode(['success'=>true,'id'=>$newId]);
+        break;
+
+    case 'set_default':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d  = json_decode(file_get_contents('php://input'), true);
+        $id = (int)($d['id'] ?? 0);
+        // Verify ownership
+        $chk = db()->prepare("SELECT user_id FROM payout_methods WHERE id=?"); $chk->execute([$id]);
+        $row = $chk->fetch();
+        if (!$row || ($row['user_id'] != $userId && !$isAdmin)) { echo json_encode(['success'=>false,'error'=>'Not found']); exit; }
+        $uid = $row['user_id'];
+        db()->prepare("UPDATE payout_methods SET is_default=0 WHERE user_id=?")->execute([$uid]);
+        db()->prepare("UPDATE payout_methods SET is_default=1 WHERE id=?")->execute([$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    case 'delete':
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false]); exit; }
+        $d  = json_decode(file_get_contents('php://input'), true);
+        $id = (int)($d['id'] ?? 0);
+        $chk = db()->prepare("SELECT user_id,is_default FROM payout_methods WHERE id=?"); $chk->execute([$id]);
+        $row = $chk->fetch();
+        if (!$row || ($row['user_id'] != $userId && !$isAdmin)) { echo json_encode(['success'=>false,'error'=>'Not found']); exit; }
+        db()->prepare("DELETE FROM payout_methods WHERE id=?")->execute([$id]);
+        // If deleted default, set next one as default
+        if ($row['is_default']) {
+            $next = db()->prepare("SELECT id FROM payout_methods WHERE user_id=? LIMIT 1"); $next->execute([$row['user_id']]);
+            if ($n = $next->fetch()) db()->prepare("UPDATE payout_methods SET is_default=1 WHERE id=?")->execute([$n['id']]);
+        }
+        echo json_encode(['success'=>true]);
+        break;
+
+    default:
+        echo json_encode(['success'=>false,'error'=>'Unknown action']);
+}
diff --git a/api/payout_process.php b/api/payout_process.php
new file mode 100644
index 0000000..53993fb
--- /dev/null
+++ b/api/payout_process.php
@@ -0,0 +1,153 @@
+<?php
+ob_start();
+require_once __DIR__ . '/../../includes/auth.php';
+require_once __DIR__ . '/../../includes/square.php';
+ob_end_clean();
+header('Content-Type: application/json');
+
+if (!isLoggedIn() || empty($_SESSION['is_admin'])) {
+    echo json_encode(['success'=>false,'error'=>'Forbidden']); exit;
+}
+
+$adminId = (int)$_SESSION['user_id'];
+$method  = $_SERVER['REQUEST_METHOD'];
+$action  = $_GET['action'] ?? 'list_settings';
+
+// ── GET actions ──────────────────────────────────────────
+if ($method === 'GET') {
+    if ($action === 'list_settings') {
+        $rows = db()->query("SELECT * FROM admin_payout_settings ORDER BY sort_order ASC, id ASC")->fetchAll();
+        echo json_encode(['success'=>true, 'settings'=>$rows]);
+        exit;
+    }
+    if ($action === 'cashout_detail') {
+        $id = (int)($_GET['id'] ?? 0);
+        $stmt = db()->prepare("
+            SELECT cr.*, u.username, u.alias AS user_alias, u.email,
+                   pm.method_type AS saved_payout_type, pm.account_handle AS saved_payout_handle, pm.label AS saved_payout_label
+            FROM cashout_requests cr
+            JOIN users u ON cr.user_id = u.id
+            LEFT JOIN payout_methods pm ON pm.user_id = cr.user_id AND pm.is_default = 1
+            WHERE cr.id = ?
+        ");
+        $stmt->execute([$id]);
+        $row = $stmt->fetch();
+        echo json_encode(['success'=>true, 'cashout'=>$row]);
+        exit;
+    }
+    echo json_encode(['success'=>false,'error'=>'Unknown action']); exit;
+}
+
+if ($method !== 'POST') { echo json_encode(['success'=>false,'error'=>'Method not allowed']); exit; }
+$d = json_decode(file_get_contents('php://input'), true);
+
+// ── Update payout settings ────────────────────────────────
+if ($action === 'update_setting') {
+    $id      = (int)($d['id'] ?? 0);
+    $handle  = substr(trim($d['handle']??''), 0, 200);
+    $instr   = substr(trim($d['instructions']??''), 0, 500);
+    $enabled = (int)(bool)($d['is_enabled']??1);
+    $label   = substr(trim($d['label']??''), 0, 100);
+    $sort    = (int)($d['sort_order']??0);
+    db()->prepare("UPDATE admin_payout_settings SET label=?,handle=?,instructions=?,is_enabled=?,sort_order=? WHERE id=?")
+       ->execute([$label,$handle,$instr,$enabled,$sort,$id]);
+    echo json_encode(['success'=>true]); exit;
+}
+
+// ── Process cashout payout ────────────────────────────────
+if ($action === 'process_payout') {
+    $cashoutId     = (int)($d['cashout_id'] ?? 0);
+    $payoutKey     = trim($d['payout_method_key'] ?? '');
+    $payoutType    = trim($d['payout_type'] ?? 'manual'); // 'manual' or 'square_gift_card'
+    $note          = substr(trim($d['note'] ?? ''), 0, 500);
+
+    // Load cashout
+    $stmt = db()->prepare("SELECT cr.*, u.username, u.alias, u.email FROM cashout_requests cr JOIN users u ON cr.user_id=u.id WHERE cr.id=? AND cr.status IN ('pending','locked')");
+    $stmt->execute([$cashoutId]);
+    $cashout = $stmt->fetch();
+    if (!$cashout) { echo json_encode(['success'=>false,'error'=>'Cashout not found or already processed']); exit; }
+
+    // Amount in cents (1 token = $1)
+    $amountCents = (int)round($cashout['tokens'] * 100);
+
+    // Load payout setting
+    $pset = db()->prepare("SELECT * FROM admin_payout_settings WHERE method_key=? AND is_enabled=1");
+    $pset->execute([$payoutKey]);
+    $setting = $pset->fetch();
+
+    $squareTxnId   = null;
+    $giftCardGan   = null;
+    $giftCardBal   = null;
+    $txnStatus     = 'completed';
+
+    if ($payoutType === 'square_gift_card') {
+        // ── Square Gift Card Flow ─────────────────────────
+        try {
+            // 1. Create gift card
+            $gcRes = SquareClient::post('/v2/gift-cards', [
+                'idempotency_key' => 'gc-create-' . $cashoutId . '-' . time(),
+                'location_id'     => SQUARE_LOCATION_ID,
+                'gift_card'       => ['type' => 'DIGITAL'],
+            ]);
+
+            if (empty($gcRes['gift_card']['id'])) {
+                throw new Exception('Failed to create gift card: ' . json_encode($gcRes));
+            }
+
+            $gcId  = $gcRes['gift_card']['id'];
+            $gcGan = $gcRes['gift_card']['gan'] ?? '';
+
+            // 2. Activate gift card with balance
+            $actRes = SquareClient::post('/v2/gift-card-activities', [
+                'idempotency_key'     => 'gc-activate-' . $cashoutId . '-' . time(),
+                'gift_card_activity'  => [
+                    'type'            => 'ACTIVATE',
+                    'location_id'     => SQUARE_LOCATION_ID,
+                    'gift_card_id'    => $gcId,
+                    'activate_activity_details' => [
+                        'amount_money' => [
+                            'amount'   => $amountCents,
+                            'currency' => 'USD',
+                        ],
+                    ],
+                ],
+            ]);
+
+            if (empty($actRes['gift_card_activity']['id'])) {
+                throw new Exception('Failed to activate gift card: ' . json_encode($actRes));
+            }
+
+            $giftCardGan = $gcGan;
+            $giftCardBal = $amountCents;
+            $squareTxnId = $actRes['gift_card_activity']['id'];
+
+        } catch (Exception $e) {
+            echo json_encode(['success'=>false,'error'=>'Square error: ' . $e->getMessage()]); exit;
+        }
+    }
+
+    // ── Mark cashout as sent ──────────────────────────────
+    db()->beginTransaction();
+    try {
+        db()->prepare("UPDATE cashout_requests SET status='sent', admin_note=?, resolved_at=NOW() WHERE id=?")
+           ->execute([$note, $cashoutId]);
+
+        db()->prepare("INSERT INTO cashout_transactions (cashout_id,admin_id,payout_method,payout_type,amount_cents,square_txn_id,gift_card_gan,gift_card_balance,note,status)
+            VALUES (?,?,?,?,?,?,?,?,?,'completed')")
+           ->execute([$cashoutId, $adminId, $payoutKey, $payoutType, $amountCents, $squareTxnId, $giftCardGan, $giftCardBal, $note]);
+
+        db()->commit();
+    } catch (Exception $e) {
+        db()->rollBack();
+        echo json_encode(['success'=>false,'error'=>'DB error: '.$e->getMessage()]); exit;
+    }
+
+    $response = ['success'=>true, 'status'=>'sent', 'amount_cents'=>$amountCents];
+    if ($giftCardGan) {
+        $response['gift_card_gan']     = $giftCardGan;
+        $response['gift_card_balance'] = $giftCardBal;
+    }
+    echo json_encode($response); exit;
+}
+
+echo json_encode(['success'=>false,'error'=>'Unknown action']);
diff --git a/api/platform_accounts.php b/api/platform_accounts.php
new file mode 100644
index 0000000..1df2991
--- /dev/null
+++ b/api/platform_accounts.php
@@ -0,0 +1,92 @@
+<?php
+ob_start();
+require_once __DIR__ . '/../../includes/auth.php';
+ob_end_clean();
+header('Content-Type: application/json');
+if (!isLoggedIn()) { echo json_encode(['success'=>false,'error'=>'Not authenticated']); exit; }
+$userId  = (int)$_SESSION['user_id'];
+$isAdmin = !empty($_SESSION['is_admin']);
+$method  = $_SERVER['REQUEST_METHOD'];
+$action  = $_GET['action'] ?? 'list';
+
+if ($method === 'GET') {
+    if ($action === 'list') {
+        $uid = $isAdmin ? (int)($_GET['user_id'] ?? $userId) : $userId;
+        $stmt = db()->prepare("SELECT pa.*, COALESCE(p.name, pa.platform_slug) AS platform_name, p.color
+            FROM platform_accounts pa LEFT JOIN platforms p ON pa.platform_slug=p.slug
+            WHERE pa.user_id=? ORDER BY pa.requested_at DESC");
+        $stmt->execute([$uid]);
+        $rows = $stmt->fetchAll();
+        foreach ($rows as &$row) {
+            if (!$isAdmin && $row['status'] !== 'approved') $row['platform_password'] = null;
+        }
+        echo json_encode(['success'=>true,'accounts'=>$rows]);
+    } elseif ($action === 'check_onboarding') {
+        $cnt = db()->prepare("SELECT COUNT(*) FROM platform_accounts WHERE user_id=?");
+        $cnt->execute([$userId]);
+        $hasAny = (int)$cnt->fetchColumn() > 0;
+        // Check flag — graceful fallback if column doesn't exist
+        $done = false;
+        try {
+            $s = db()->prepare("SELECT platform_onboarding_done FROM users WHERE id=?");
+            $s->execute([$userId]);
+            $r = $s->fetch(); $done = !empty($r['platform_onboarding_done']);
+        } catch(Exception $e){}
+        echo json_encode(['success'=>true,'needs_onboarding'=>(!$done && !$hasAny),'has_accounts'=>$hasAny]);
+    } else {
+        echo json_encode(['success'=>false,'error'=>'Unknown action']);
+    }
+    exit;
+}
+
+if ($method !== 'POST') { echo json_encode(['success'=>false,'error'=>'Method not allowed']); exit; }
+$d = json_decode(file_get_contents('php://input'), true);
+
+if ($action === 'request') {
+    $slug = preg_replace('/[^a-z0-9_]/','',strtolower(trim($d['platform_slug']??'')));
+    if (!$slug) { echo json_encode(['success'=>false,'error'=>'Platform required']); exit; }
+    try {
+        db()->prepare("INSERT INTO platform_accounts (user_id,platform_slug) VALUES (?,?)")->execute([$userId,$slug]);
+        try { db()->prepare("UPDATE users SET platform_onboarding_done=1 WHERE id=?")->execute([$userId]); } catch(Exception $e){}
+        echo json_encode(['success'=>true]);
+    } catch(Exception $e) { echo json_encode(['success'=>false,'error'=>'Already requested for this platform']); }
+    exit;
+}
+if ($action === 'dismiss_onboarding') {
+    try { db()->prepare("UPDATE users SET platform_onboarding_done=1 WHERE id=?")->execute([$userId]); } catch(Exception $e){}
+    echo json_encode(['success'=>true]);
+    exit;
+}
+if (!$isAdmin) { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+if ($action === 'resolve') {
+    $id=$d['id']??0; $status=$d['status']??'';
+    $uname=substr(trim($d['platform_username']??''),0,100);
+    $pass=substr(trim($d['platform_password']??''),0,200);
+    $note=substr(trim($d['admin_note']??''),0,300);
+    if (!in_array($status,['approved','denied','deleted'])){echo json_encode(['success'=>false,'error'=>'Invalid status']);exit;}
+    $chk=db()->prepare("SELECT user_id,platform_slug FROM platform_accounts WHERE id=?");$chk->execute([$id]);$row=$chk->fetch();
+    if (!$row){echo json_encode(['success'=>false,'error'=>'Not found']);exit;}
+    db()->prepare("UPDATE platform_accounts SET status=?,platform_username=?,platform_password=?,admin_note=?,resolved_at=NOW(),admin_id=? WHERE id=?")
+       ->execute([$status,$uname,$pass,$note,(int)$_SESSION['user_id'],$id]);
+    if ($status==='approved'&&$uname) {
+        db()->prepare("INSERT INTO game_aliases (user_id,platform_slug,alias) VALUES (?,?,?) ON DUPLICATE KEY UPDATE alias=VALUES(alias)")
+           ->execute([$row['user_id'],$row['platform_slug'],$uname]);
+    }
+    echo json_encode(['success'=>true]);exit;
+}
+if ($action === 'update_credentials') {
+    $id=$d['id']??0;
+    $uname=substr(trim($d['platform_username']??''),0,100);
+    $pass=substr(trim($d['platform_password']??''),0,200);
+    $note=substr(trim($d['admin_note']??''),0,300);
+    $chk=db()->prepare("SELECT user_id,platform_slug FROM platform_accounts WHERE id=?");$chk->execute([$id]);$row=$chk->fetch();
+    if (!$row){echo json_encode(['success'=>false,'error'=>'Not found']);exit;}
+    db()->prepare("UPDATE platform_accounts SET platform_username=?,platform_password=?,admin_note=? WHERE id=?")
+       ->execute([$uname,$pass,$note,$id]);
+    if ($uname) {
+        db()->prepare("INSERT INTO game_aliases (user_id,platform_slug,alias) VALUES (?,?,?) ON DUPLICATE KEY UPDATE alias=VALUES(alias)")
+           ->execute([$row['user_id'],$row['platform_slug'],$uname]);
+    }
+    echo json_encode(['success'=>true]);exit;
+}
+echo json_encode(['success'=>false,'error'=>'Unknown action']);
diff --git a/api/platforms.php b/api/platforms.php
new file mode 100644
index 0000000..76a8a5d
--- /dev/null
+++ b/api/platforms.php
@@ -0,0 +1,93 @@
+<?php
+ob_start();
+try { require_once __DIR__ . '/../../includes/auth.php'; } catch(Throwable $e) { ob_end_clean(); header('Content-Type: application/json'); echo json_encode(['success'=>false,'error'=>'Server error']); exit; }
+ob_end_clean();
+header('Content-Type: application/json');
+
+$action  = $_GET['action'] ?? 'list';
+$isAdmin = isLoggedIn() && !empty($_SESSION['is_admin']);
+
+switch ($action) {
+
+    // ── Public: active platforms for player app ───────────
+    case 'list':
+        $stmt = db()->query("SELECT slug,name,player_url,color,icon_path FROM platforms WHERE is_active=1 ORDER BY sort_order ASC, id ASC");
+        $rows = $stmt->fetchAll();
+        // Normalize to match old CFG format
+        $out = array_map(fn($r) => [
+            'id'    => $r['slug'],
+            'name'  => $r['name'],
+            'url'   => $r['player_url'],
+            'color' => $r['color'],
+        ], $rows);
+        echo json_encode(['success'=>true, 'platforms'=>$out]);
+        break;
+
+    // ── Admin: full list including console_url and inactive ─
+    case 'admin_list':
+        if (!$isAdmin) { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+        $rows = db()->query("SELECT * FROM platforms ORDER BY sort_order ASC, id ASC")->fetchAll();
+        echo json_encode(['success'=>true, 'platforms'=>$rows]);
+        break;
+
+    // ── Admin: create platform ────────────────────────────
+    case 'create':
+        if (!$isAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+        $d = json_decode(file_get_contents('php://input'), true);
+        $slug        = preg_replace('/[^a-z0-9_]/', '', strtolower(trim($d['slug'] ?? '')));
+        $name        = substr(trim($d['name']        ?? ''), 0, 100);
+        $player_url  = substr(trim($d['player_url']  ?? ''), 0, 500);
+        $console_url = substr(trim($d['console_url'] ?? ''), 0, 500);
+        $color       = preg_match('/^#[0-9a-fA-F]{3,8}$/', $d['color'] ?? '') ? $d['color'] : '#f0c040';
+        $sort_order  = (int)($d['sort_order'] ?? 99);
+        $is_active   = isset($d['is_active']) ? (int)(bool)$d['is_active'] : 1;
+        if (!$slug || !$name || !$player_url) { echo json_encode(['success'=>false,'error'=>'Slug, name, and player URL are required']); exit; }
+        try {
+            $stmt = db()->prepare("INSERT INTO platforms (slug,name,player_url,console_url,color,sort_order,is_active) VALUES (?,?,?,?,?,?,?)");
+            $stmt->execute([$slug,$name,$player_url,$console_url,$color,$sort_order,$is_active]);
+            echo json_encode(['success'=>true,'id'=>db()->lastInsertId()]);
+        } catch (Exception $e) {
+            echo json_encode(['success'=>false,'error'=>'Slug already exists or DB error']);
+        }
+        break;
+
+    // ── Admin: update platform ────────────────────────────
+    case 'update':
+        if (!$isAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+        $d = json_decode(file_get_contents('php://input'), true);
+        $id          = (int)($d['id'] ?? 0);
+        $name        = substr(trim($d['name']        ?? ''), 0, 100);
+        $player_url  = substr(trim($d['player_url']  ?? ''), 0, 500);
+        $console_url = substr(trim($d['console_url'] ?? ''), 0, 500);
+        $color       = preg_match('/^#[0-9a-fA-F]{3,8}$/', $d['color'] ?? '') ? $d['color'] : '#f0c040';
+        $sort_order  = (int)($d['sort_order'] ?? 99);
+        $is_active   = (int)(bool)($d['is_active'] ?? 1);
+        if (!$id || !$name || !$player_url) { echo json_encode(['success'=>false,'error'=>'ID, name, and player URL required']); exit; }
+        db()->prepare("UPDATE platforms SET name=?,player_url=?,console_url=?,color=?,sort_order=?,is_active=? WHERE id=?")
+             ->execute([$name,$player_url,$console_url,$color,$sort_order,$is_active,$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ── Admin: delete platform ────────────────────────────
+    case 'delete':
+        if (!$isAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+        $d = json_decode(file_get_contents('php://input'), true);
+        $id = (int)($d['id'] ?? 0);
+        if (!$id) { echo json_encode(['success'=>false,'error'=>'ID required']); exit; }
+        db()->prepare("DELETE FROM platforms WHERE id=?")->execute([$id]);
+        echo json_encode(['success'=>true]);
+        break;
+
+    // ── Admin: reorder platforms ──────────────────────────
+    case 'reorder':
+        if (!$isAdmin || $_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+        $d = json_decode(file_get_contents('php://input'), true);
+        $order = $d['order'] ?? []; // array of IDs in desired order
+        $stmt = db()->prepare("UPDATE platforms SET sort_order=? WHERE id=?");
+        foreach ($order as $i => $pid) { $stmt->execute([$i, (int)$pid]); }
+        echo json_encode(['success'=>true]);
+        break;
+
+    default:
+        echo json_encode(['success'=>false,'error'=>'Unknown action']);
+}
diff --git a/api/purchase.php b/api/purchase.php
new file mode 100644
index 0000000..8ae4b39
--- /dev/null
+++ b/api/purchase.php
@@ -0,0 +1,163 @@
+<?php
+require_once __DIR__ . '/../../includes/auth.php';
+require_once __DIR__ . '/../../includes/square.php';
+
+header('Content-Type: application/json');
+
+if (!isLoggedIn()) { echo json_encode(['success'=>false,'error'=>'Not authenticated']); exit; }
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') { echo json_encode(['success'=>false,'error'=>'Method not allowed']); exit; }
+
+$data       = json_decode(file_get_contents('php://input'), true);
+$sourceId   = trim($data['source_id']   ?? '');
+$tokens     = (int)($data['tokens']     ?? 0);
+$priceCents = (int)($data['price_cents'] ?? 0);
+$method     = trim($data['method']      ?? 'card');
+$platformId = trim($data['platform_id'] ?? '');
+$gameAlias  = trim($data['game_alias']  ?? '');
+$playerName = trim($data['player_name'] ?? '');
+$isCustom   = (bool)($data['is_custom'] ?? false);
+$billing    = $data['billing'] ?? [];
+$userId     = $_SESSION['user_id'];
+
+// ─── Validate ─────────────────────────────────────────────
+if ($tokens < 1 || $priceCents < 100) {
+    echo json_encode(['success'=>false,'error'=>'Minimum purchase is $1 (1 token).']); exit;
+}
+
+// Validate preset packages (custom bypasses preset check)
+if (!$isCustom) {
+    $packages = json_decode(TOKEN_PACKAGES, true);
+    $validPkg = false;
+    foreach ($packages as $pkg) {
+        if ($pkg['tokens'] === $tokens && ($pkg['price'] * 100) === $priceCents) { $validPkg = true; break; }
+    }
+    if (!$validPkg) {
+        echo json_encode(['success'=>false,'error'=>'Invalid token package.']); exit;
+    }
+} else {
+    // Custom: tokens must equal dollars (1:1 ratio), cap at $500
+    if ($tokens !== ($priceCents / 100) || $tokens > 500) {
+        echo json_encode(['success'=>false,'error'=>'Invalid custom amount.']); exit;
+    }
+}
+
+// Sanitize billing fields
+$billingFirst   = substr(trim($billing['first_name'] ?? ''), 0, 80);
+$billingLast    = substr(trim($billing['last_name']  ?? ''), 0, 80);
+$billingAddress = substr(trim($billing['address']    ?? ''), 0, 200);
+$billingCity    = substr(trim($billing['city']       ?? ''), 0, 80);
+$billingState   = strtoupper(substr(trim($billing['state'] ?? ''), 0, 2));
+$billingZip     = substr(trim($billing['zip']        ?? ''), 0, 10);
+$billingEmail   = substr(strtolower(trim($billing['email'] ?? '')), 0, 150);
+$cardholderName = trim("$billingFirst $billingLast");
+
+$isManual = in_array($method, ['venmo','chime','cashapp','zelle']);
+
+// ─── Manual payment ────────────────────────────────────────
+if ($isManual) {
+    $stmt = db()->prepare("
+        INSERT INTO token_purchases
+            (user_id, tokens, amount_cents, payment_method, platform_id, game_alias,
+             player_name, billing_name, billing_email, is_custom, status)
+        VALUES (?,?,?,?,?,?,?,?,?,?,'pending')
+    ");
+    $stmt->execute([
+        $userId, $tokens, $priceCents, $method, $platformId, $gameAlias,
+        $playerName, $cardholderName, $billingEmail, $isCustom ? 1 : 0
+    ]);
+    $pid = db()->lastInsertId();
+    logActivity('manual_payment_pending', $userId, null, 'purchase', 0, "Manual payment pending: {$paymentMethod} \${$amountDollars}");
+echo json_encode(['success'=>true,'manual'=>true,'purchase_id'=>$pid,
+        'message'=>"Request #{$pid} submitted! Tokens credited after payment verification."]);
+    exit;
+}
+
+// ─── Card payment via Square ───────────────────────────────
+if (empty($sourceId)) { echo json_encode(['success'=>false,'error'=>'Card payment token required.']); exit; }
+
+$square = new SquarePayment();
+$note   = "TomGames {$tokens}tok | {$platformId} | {$gameAlias} | user#{$userId}" . ($isCustom ? ' [CUSTOM]' : '');
+
+// Build buyer info for Square
+$buyerInfo = [];
+if ($cardholderName) $buyerInfo['buyer_email_address'] = $billingEmail ?: null;
+$billingAddr = [];
+if ($billingAddress) $billingAddr['address_line_1'] = $billingAddress;
+if ($billingCity)    $billingAddr['locality']        = $billingCity;
+if ($billingState)   $billingAddr['administrative_district_level_1'] = $billingState;
+if ($billingZip)     $billingAddr['postal_code']     = $billingZip;
+$billingAddr['country'] = 'US';
+
+$result = $square->charge($sourceId, $priceCents, $note, $cardholderName, $billingAddr, $billingEmail);
+
+if (!$result['success']) {
+    // Log failed attempt
+    db()->prepare("INSERT INTO token_purchases (user_id,tokens,amount_cents,payment_method,platform_id,game_alias,player_name,billing_name,billing_email,is_custom,status,failure_reason) VALUES (?,?,?,'card',?,?,?,?,?,?,'failed',?)")
+       ->execute([$userId,$tokens,$priceCents,$platformId,$gameAlias,$playerName,$cardholderName,$billingEmail,$isCustom?1:0,$result['error']]);
+    echo json_encode(['success'=>false,'error'=>$result['error']]); exit;
+}
+
+// ─── Credit tokens ─────────────────────────────────────────
+db()->beginTransaction();
+try {
+    db()->prepare("UPDATE users SET tokens=tokens+? WHERE id=?")->execute([$tokens,$userId]);
+    $cardBrand = $result['card_brand'] ?? null;
+    $cardLast4 = $result['last_4']     ?? null;
+    $receiptUrl= $result['receipt_url'] ?? null;
+
+    db()->prepare("
+        INSERT INTO token_purchases
+            (user_id, tokens, amount_cents, payment_method, square_payment_id,
+             platform_id, game_alias, player_name, billing_name, billing_address,
+             billing_city, billing_state, billing_zip, billing_email,
+             is_custom, card_brand, card_last4, receipt_url, status)
+        VALUES (?,?,?,'card',?,?,?,?,?,?,?,?,?,?,?,?,?,?,'completed')
+    ")->execute([
+        $userId, $tokens, $priceCents, $result['payment_id'],
+        $platformId, $gameAlias, $playerName,
+        $cardholderName, $billingAddress, $billingCity, $billingState, $billingZip, $billingEmail,
+        $isCustom ? 1 : 0, $cardBrand, $cardLast4, $receiptUrl
+    ]);
+
+    db()->commit();
+} catch (Exception $e) {
+    db()->rollBack();
+    echo json_encode(['success'=>false,'error'=>'Token credit failed. Payment ID: '.$result['payment_id']]); exit;
+}
+
+// ─── Update saved billing (separate try — must NOT roll back token credit) ──
+try {
+    db()->prepare("
+        INSERT INTO saved_billing (user_id,first_name,last_name,email,address,city,state,zip,card_brand,card_last4)
+        VALUES (?,?,?,?,?,?,?,?,?,?)
+        ON DUPLICATE KEY UPDATE
+            card_brand=VALUES(card_brand), card_last4=VALUES(card_last4),
+            first_name=COALESCE(NULLIF(VALUES(first_name),''),first_name),
+            last_name=COALESCE(NULLIF(VALUES(last_name),''),last_name),
+            email=COALESCE(NULLIF(VALUES(email),''),email),
+            address=COALESCE(NULLIF(VALUES(address),''),address),
+            city=COALESCE(NULLIF(VALUES(city),''),city),
+            state=COALESCE(NULLIF(VALUES(state),''),state),
+            zip=COALESCE(NULLIF(VALUES(zip),''),zip)
+    ")->execute([
+        $userId, $billingFirst, $billingLast, $billingEmail,
+        $billingAddress, $billingCity, $billingState, $billingZip,
+        $cardBrand, $cardLast4
+    ]);
+} catch (Exception $e) { /* non-critical — tokens already credited */ }
+
+$bal = db()->prepare("SELECT tokens FROM users WHERE id=?");
+$bal->execute([$userId]);
+$newBal = (float)$bal->fetchColumn();
+logActivity('token_purchase', $userId, null, 'purchase', (int)db()->lastInsertId(),
+    "Bought {$tokens} tokens via {$paymentMethod} for \${$amountDollars}");
+echo json_encode([
+    'success'      => true,
+    'manual'       => false,
+    'tokens_added' => (int)$tokens,
+    'new_balance'  => $newBal,
+    'payment_id'   => $result['payment_id'],
+    'card_brand'   => $cardBrand,
+    'card_last4'   => $cardLast4,
+    'receipt_url'  => $receiptUrl,
+]);
diff --git a/api/referrals.php b/api/referrals.php
new file mode 100644
index 0000000..b335c9b
--- /dev/null
+++ b/api/referrals.php
@@ -0,0 +1,255 @@
+<?php
+ob_start();
+require_once __DIR__ . '/../../includes/auth.php';
+ob_end_clean();
+header('Content-Type: application/json');
+
+if (!isLoggedIn()) { echo json_encode(['success'=>false,'error'=>'Not authenticated']); exit; }
+
+$userId  = (int)$_SESSION['user_id'];
+$isAdmin = !empty($_SESSION['is_admin']);
+$method  = $_SERVER['REQUEST_METHOD'];
+$action  = $_GET['action'] ?? 'status';
+
+// ── GET actions ───────────────────────────────────────────
+if ($method === 'GET') {
+
+    if ($action === 'status') {
+        // Player's referral dashboard data
+        $user = db()->prepare("SELECT referral_code, referred_by FROM users WHERE id=?");
+        $user->execute([$userId]);
+        $u = $user->fetch();
+
+        // Auto-generate code if missing
+        if (empty($u['referral_code'])) {
+            $code = strtoupper(substr(md5($userId.uniqid()),0,8));
+            db()->prepare("UPDATE users SET referral_code=? WHERE id=?")->execute([$code, $userId]);
+            $u['referral_code'] = $code;
+        }
+
+        // Count verified referrals
+        $countStmt = db()->prepare("SELECT COUNT(*) FROM referrals WHERE referrer_id=? AND status='verified'");
+        $countStmt->execute([$userId]);
+        $verified = (int)$countStmt->fetchColumn();
+
+        // All referrals
+        $refs = db()->prepare("
+            SELECT r.*, u.username, u.alias, u.email_verified, u.created_at AS joined_at
+            FROM referrals r
+            JOIN users u ON r.referred_id = u.id
+            WHERE r.referrer_id = ?
+            ORDER BY r.created_at DESC
+        ");
+        $refs->execute([$userId]);
+
+        // Current tier
+        $tier = db()->query("
+            SELECT * FROM referral_tiers
+            WHERE is_active=1 AND min_referrals <= $verified
+            ORDER BY min_referrals DESC LIMIT 1
+        ")->fetch();
+
+        // Next tier
+        $nextTier = db()->query("
+            SELECT * FROM referral_tiers
+            WHERE is_active=1 AND min_referrals > $verified
+            ORDER BY min_referrals ASC LIMIT 1
+        ")->fetch();
+
+        // Total tokens earned from referrals
+        $earned = db()->prepare("SELECT COALESCE(SUM(tokens_awarded),0) FROM referrals WHERE referrer_id=? AND status='verified'");
+        $earned->execute([$userId]);
+
+        // Social shares
+        $shares = db()->prepare("SELECT * FROM referral_social_shares WHERE user_id=? ORDER BY created_at DESC");
+        $shares->execute([$userId]);
+
+        echo json_encode([
+            'success'        => true,
+            'referral_code'  => $u['referral_code'] ?? '',
+            'referral_url'   => (defined('SITE_URL')?SITE_URL:'https://tomtomgames.com') . '/?ref=' . ($u['referral_code'] ?? ''),
+            'verified_count' => $verified,
+            'total_earned'   => (float)$earned->fetchColumn(),
+            'current_tier'   => $tier,
+            'next_tier'      => $nextTier,
+            'referrals'      => $refs->fetchAll(),
+            'social_shares'  => $shares->fetchAll(),
+        ]);
+        exit;
+    }
+
+    if ($action === 'tiers') {
+        $rows = db()->query("SELECT * FROM referral_tiers WHERE is_active=1 ORDER BY min_referrals ASC")->fetchAll();
+        echo json_encode(['success'=>true,'tiers'=>$rows]);
+        exit;
+    }
+
+    if ($action === 'all_tiers' && $isAdmin) {
+        $rows = db()->query("SELECT * FROM referral_tiers ORDER BY sort_order ASC, min_referrals ASC")->fetchAll();
+        echo json_encode(['success'=>true,'tiers'=>$rows]);
+        exit;
+    }
+
+    if ($action === 'admin_list' && $isAdmin) {
+        $status = $_GET['status'] ?? 'pending';
+        $stmt = db()->prepare("
+            SELECT r.*,
+                   ru.username AS referrer_name, ru.alias AS referrer_alias,
+                   rd.username AS referred_name, rd.alias AS referred_alias, rd.email_verified,
+                   t.name AS tier_name
+            FROM referrals r
+            JOIN users ru ON r.referrer_id = ru.id
+            JOIN users rd ON r.referred_id = rd.id
+            LEFT JOIN referral_tiers t ON r.tier_id = t.id
+            WHERE r.status = ?
+            ORDER BY r.created_at DESC
+            LIMIT 100
+        ");
+        $stmt->execute([$status]);
+        echo json_encode(['success'=>true,'referrals'=>$stmt->fetchAll()]);
+        exit;
+    }
+
+    if ($action === 'admin_shares' && $isAdmin) {
+        $status = $_GET['status'] ?? 'pending';
+        $stmt = db()->prepare("
+            SELECT rs.*, u.username, u.alias
+            FROM referral_social_shares rs
+            JOIN users u ON rs.user_id = u.id
+            WHERE rs.status = ?
+            ORDER BY rs.created_at DESC
+        ");
+        $stmt->execute([$status]);
+        echo json_encode(['success'=>true,'shares'=>$stmt->fetchAll()]);
+        exit;
+    }
+
+    echo json_encode(['success'=>false,'error'=>'Unknown action']); exit;
+}
+
+// ── POST actions ──────────────────────────────────────────
+if ($method !== 'POST') { echo json_encode(['success'=>false,'error'=>'Method not allowed']); exit; }
+$d = json_decode(file_get_contents('php://input'), true);
+
+if ($action === 'submit_share') {
+    $platform = preg_replace('/[^a-z0-9_]/', '', strtolower(trim($d['platform'] ?? '')));
+    if (!$platform) { echo json_encode(['success'=>false,'error'=>'Platform required']); exit; }
+    // Get bonus tokens for this platform from tiers config
+    $bonus = 5; // default
+    try {
+        db()->prepare("INSERT INTO referral_social_shares (user_id,platform,bonus_tokens) VALUES (?,?,?)")
+           ->execute([$userId, $platform, $bonus]);
+        echo json_encode(['success'=>true]);
+    } catch(Exception $e) {
+        echo json_encode(['success'=>false,'error'=>'Already submitted for this platform']);
+    }
+    exit;
+}
+
+// ── Admin only below ──────────────────────────────────────
+if (!$isAdmin) { echo json_encode(['success'=>false,'error'=>'Forbidden']); exit; }
+
+if ($action === 'resolve_referral') {
+    $id     = (int)($d['id'] ?? 0);
+    $status = $d['status'] ?? '';
+    $note   = substr(trim($d['note'] ?? ''), 0, 300);
+    if (!in_array($status, ['verified','denied','deleted'])) { echo json_encode(['success'=>false,'error'=>'Invalid status']); exit; }
+
+    $chk = db()->prepare("SELECT r.*, t.tokens_per_ref, t.min_referrals, t.bonus_tokens FROM referrals r LEFT JOIN referral_tiers t ON r.tier_id=t.id WHERE r.id=?");
+    $chk->execute([$id]);
+    $ref = $chk->fetch();
+    if (!$ref) { echo json_encode(['success'=>false,'error'=>'Not found']); exit; }
+
+    if ($status === 'verified') {
+        // Determine best tier for referrer
+        $countStmt = db()->prepare("SELECT COUNT(*) FROM referrals WHERE referrer_id=? AND status='verified'");
+        $countStmt->execute([$ref['referrer_id']]);
+        $verifiedCount = (int)$countStmt->fetchColumn() + 1; // +1 for this one
+
+        $tier = db()->query("SELECT * FROM referral_tiers WHERE is_active=1 AND min_referrals <= $verifiedCount ORDER BY min_referrals DESC LIMIT 1")->fetch();
+        $tokensToAward = $tier ? (float)$tier['tokens_per_ref'] : 5;
+
+        // Check if this hits a bonus milestone
+        $bonusTokens = 0;
+        if ($tier && $verifiedCount == (int)$tier['min_referrals']) {
+            $bonusTokens = (float)$tier['bonus_tokens'];
+        }
+
+        $totalAward = $tokensToAward + $bonusTokens;
+
+        db()->beginTransaction();
+        try {
+            db()->prepare("UPDATE referrals SET status='verified', tier_id=?, tokens_awarded=?, admin_id=?, admin_note=?, resolved_at=NOW() WHERE id=?")
+               ->execute([$tier['id'] ?? null, $totalAward, (int)$_SESSION['user_id'], $note, $id]);
+            db()->prepare("UPDATE users SET tokens=tokens+? WHERE id=?")->execute([$totalAward, $ref['referrer_id']]);
+            logAdminAction('REFERRAL_VERIFIED', (int)$_SESSION['user_id'], 'referral', $id, 'Verified referral #'.$id.' — awarded '.$totalAward.' tokens to user #'.$ref['referrer_id'], 'pending', 'verified', 'info');
+            db()->commit();
+            echo json_encode(['success'=>true,'tokens_awarded'=>$totalAward,'bonus'=>$bonusTokens,'tier'=>$tier['name']??'']);
+        } catch(Exception $e) {
+            db()->rollBack();
+            echo json_encode(['success'=>false,'error'=>'DB error']);
+        }
+    } else {
+        db()->prepare("UPDATE referrals SET status=?, admin_id=?, admin_note=?, resolved_at=NOW() WHERE id=?")
+           ->execute([$status, (int)$_SESSION['user_id'], $note, $id]);
+        echo json_encode(['success'=>true]);
+    }
+    exit;
+}
+
+if ($action === 'resolve_share') {
+    $id     = (int)($d['id'] ?? 0);
+    $status = $d['status'] ?? '';
+    if (!in_array($status, ['approved','denied'])) { echo json_encode(['success'=>false,'error'=>'Invalid']); exit; }
+    $chk = db()->prepare("SELECT * FROM referral_social_shares WHERE id=?"); $chk->execute([$id]); $share = $chk->fetch();
+    if (!$share) { echo json_encode(['success'=>false,'error'=>'Not found']); exit; }
+    db()->prepare("UPDATE referral_social_shares SET status=?,admin_id=?,resolved_at=NOW() WHERE id=?")->execute([$status,(int)$_SESSION['user_id'],$id]);
+    if ($status === 'approved') {
+        db()->prepare("UPDATE users SET tokens=tokens+? WHERE id=?")->execute([$share['bonus_tokens'],$share['user_id']]);
+    logAdminAction('SOCIAL_SHARE_APPROVED', (int)$_SESSION['user_id'], 'referral_share', $id, 'Approved social share #'.$id.' — awarded '.$share['bonus_tokens'].' bonus tokens to user #'.$share['user_id'], '', 'approved', 'info');
+    }
+    echo json_encode(['success'=>true]);
+    exit;
+}
+
+// ── Tier CRUD ─────────────────────────────────────────────
+if ($action === 'tier_create') {
+    $name     = substr(trim($d['name']??''),0,100);
+    $minRefs  = (int)($d['min_referrals']??1);
+    $tokPer   = (float)($d['tokens_per_ref']??5);
+    $bonus    = (float)($d['bonus_tokens']??0);
+    $desc     = substr(trim($d['description']??''),0,300);
+    $sort     = (int)($d['sort_order']??99);
+    $active   = (int)(bool)($d['is_active']??1);
+    if (!$name) { echo json_encode(['success'=>false,'error'=>'Name required']); exit; }
+    db()->prepare("INSERT INTO referral_tiers (name,min_referrals,tokens_per_ref,bonus_tokens,description,is_active,sort_order) VALUES (?,?,?,?,?,?,?)")
+       ->execute([$name,$minRefs,$tokPer,$bonus,$desc,$active,$sort]);
+    echo json_encode(['success'=>true,'id'=>db()->lastInsertId()]);
+    exit;
+}
+
+if ($action === 'tier_update') {
+    $id   = (int)($d['id']??0);
+    $name = substr(trim($d['name']??''),0,100);
+    $minRefs = (int)($d['min_referrals']??1);
+    $tokPer  = (float)($d['tokens_per_ref']??5);
+    $bonus   = (float)($d['bonus_tokens']??0);
+    $desc    = substr(trim($d['description']??''),0,300);
+    $sort    = (int)($d['sort_order']??0);
+    $active  = (int)(bool)($d['is_active']??1);
+    if (!$id||!$name) { echo json_encode(['success'=>false,'error'=>'ID and name required']); exit; }
+    db()->prepare("UPDATE referral_tiers SET name=?,min_referrals=?,tokens_per_ref=?,bonus_tokens=?,description=?,is_active=?,sort_order=? WHERE id=?")
+       ->execute([$name,$minRefs,$tokPer,$bonus,$desc,$active,$sort,$id]);
+    echo json_encode(['success'=>true]);
+    exit;
+}
+
+if ($action === 'tier_delete') {
+    $id = (int)($d['id']??0);
+    if (!$id) { echo json_encode(['success'=>false,'error'=>'ID required']); exit; }
+    db()->prepare("DELETE FROM referral_tiers WHERE id=?")->execute([$id]);
+    echo json_encode(['success'=>true]);
+    exit;
+}
+
+echo json_encode(['success'=>false,'error'=>'Unknown action']);
diff --git a/api/register.php b/api/register.php
new file mode 100644
index 0000000..6d2bce9
--- /dev/null
+++ b/api/register.php
@@ -0,0 +1,18 @@
+<?php
+require_once __DIR__ . '/../../includes/auth.php';
+header('Content-Type: application/json');
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+    echo json_encode(['success'=>false,'error'=>'Method not allowed']); exit;
+}
+
+$data        = json_decode(file_get_contents('php://input'), true);
+$username    = trim($data['username']     ?? '');
+$password    = trim($data['password']     ?? '');
+$alias       = trim($data['alias']        ?? '');
+$email       = trim($data['email']        ?? '');
+$referralCode= trim($data['referral_code']?? '');
+
+logSecurityEvent('REGISTER_ATTEMPT', null, 'Registration attempt for: ' . $email, 'info');
+$result = initiateRegistration($username, $password, $alias, $email, $referralCode);
+echo json_encode($result);
diff --git a/api/resend_verify.php b/api/resend_verify.php
new file mode 100644
index 0000000..7d1c539
--- /dev/null
+++ b/api/resend_verify.php
@@ -0,0 +1,16 @@
+<?php
+require_once __DIR__ . '/../../includes/auth.php';
+header('Content-Type: application/json');
+
+if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
+    echo json_encode(['success'=>false,'error'=>'Method not allowed']); exit;
+}
+
+$data  = json_decode(file_get_contents('php://input'), true);
+$email = trim($data['email'] ?? '');
+
+if (empty($email) || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
+    echo json_encode(['success'=>false,'error'=>'Valid email required']); exit;
+}
+
+echo json_encode(resendVerification($email));
diff --git a/assets/img/egame99.svg b/assets/img/egame99.svg
new file mode 100644
index 0000000..acbed0c
--- /dev/null
+++ b/assets/img/egame99.svg
@@ -0,0 +1,31 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 120 120" width="120" height="120">
+  <defs>
+    <radialGradient id="bg" cx="50%" cy="50%" r="50%">
+      <stop offset="0%" stop-color="#001a2e"/>
+      <stop offset="100%" stop-color="#000810"/>
+    </radialGradient>
+    <linearGradient id="cyan" x1="0%" y1="0%" x2="100%" y2="100%">
+      <stop offset="0%" stop-color="#00e5ff"/>
+      <stop offset="100%" stop-color="#0066ff"/>
+    </linearGradient>
+    <filter id="glow">
+      <feGaussianBlur stdDeviation="2" result="blur"/>
+      <feMerge><feMergeNode in="blur"/><feMergeNode in="SourceGraphic"/></feMerge>
+    </filter>
+  </defs>
+  <rect width="120" height="120" rx="24" fill="url(#bg)"/>
+  <!-- Grid lines -->
+  <line x1="0" y1="40" x2="120" y2="40" stroke="#00e5ff" stroke-width="0.3" opacity="0.15"/>
+  <line x1="0" y1="80" x2="120" y2="80" stroke="#00e5ff" stroke-width="0.3" opacity="0.15"/>
+  <line x1="40" y1="0" x2="40" y2="120" stroke="#00e5ff" stroke-width="0.3" opacity="0.15"/>
+  <line x1="80" y1="0" x2="80" y2="120" stroke="#00e5ff" stroke-width="0.3" opacity="0.15"/>
+  <!-- Controller icon -->
+  <text x="60" y="56" font-size="36" text-anchor="middle" filter="url(#glow)" font-family="Arial">🎮</text>
+  <!-- eGame99 -->
+  <text x="60" y="78" font-size="13" font-weight="900" text-anchor="middle" fill="url(#cyan)" font-family="Arial Black, sans-serif" letter-spacing="1" filter="url(#glow)">eGAME 99</text>
+  <!-- Corner accents -->
+  <path d="M10 10 L25 10 L25 14 L14 14 L14 25 L10 25 Z" fill="url(#cyan)" opacity="0.6"/>
+  <path d="M110 10 L95 10 L95 14 L106 14 L106 25 L110 25 Z" fill="url(#cyan)" opacity="0.6"/>
+  <path d="M10 110 L25 110 L25 106 L14 106 L14 95 L10 95 Z" fill="url(#cyan)" opacity="0.6"/>
+  <path d="M110 110 L95 110 L95 106 L106 106 L106 95 L110 95 Z" fill="url(#cyan)" opacity="0.6"/>
+</svg>
diff --git a/assets/img/firekirin.svg b/assets/img/firekirin.svg
new file mode 100644
index 0000000..768a024
--- /dev/null
+++ b/assets/img/firekirin.svg
@@ -0,0 +1,30 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 120 120" width="120" height="120">
+  <defs>
+    <radialGradient id="bg" cx="50%" cy="70%" r="60%">
+      <stop offset="0%" stop-color="#2a0800"/>
+      <stop offset="100%" stop-color="#0a0200"/>
+    </radialGradient>
+    <linearGradient id="fire" x1="0%" y1="100%" x2="100%" y2="0%">
+      <stop offset="0%" stop-color="#FF2200"/>
+      <stop offset="50%" stop-color="#FF7700"/>
+      <stop offset="100%" stop-color="#FFDD00"/>
+    </linearGradient>
+    <filter id="glow">
+      <feGaussianBlur stdDeviation="2.5" result="blur"/>
+      <feMerge><feMergeNode in="blur"/><feMergeNode in="SourceGraphic"/></feMerge>
+    </filter>
+  </defs>
+  <rect width="120" height="120" rx="24" fill="url(#bg)"/>
+  <rect x="2" y="2" width="116" height="116" rx="22" fill="none" stroke="url(#fire)" stroke-width="1.5" opacity="0.6"/>
+  <!-- Fire wave bottom -->
+  <path d="M0 100 Q20 85 40 95 Q60 105 80 90 Q100 75 120 88 L120 120 L0 120 Z" fill="#FF2200" opacity="0.25"/>
+  <!-- Fire emoji -->
+  <text x="60" y="58" font-size="40" text-anchor="middle" filter="url(#glow)" font-family="Arial">🔥</text>
+  <!-- KIRIN text -->
+  <text x="60" y="82" font-size="13" font-weight="900" text-anchor="middle" fill="url(#fire)" font-family="Arial Black, sans-serif" letter-spacing="2" filter="url(#glow)">KIRIN</text>
+  <!-- Sparks -->
+  <circle cx="35" cy="35" r="2" fill="#FF7700" opacity="0.7"/>
+  <circle cx="85" cy="28" r="1.5" fill="#FFDD00" opacity="0.8"/>
+  <circle cx="25" cy="60" r="1.5" fill="#FF2200" opacity="0.6"/>
+  <circle cx="95" cy="55" r="2" fill="#FF7700" opacity="0.7"/>
+</svg>
diff --git a/assets/img/icon-192.png b/assets/img/icon-192.png
new file mode 100644
index 0000000000000000000000000000000000000000..fd3f325e8f905bb8e77e4f05382cad10eb9d6647
GIT binary patch
literal 1088
zcmZuxdr(wW7(aJm;R?%2im;0=-hc$8flVPy20XAAWI<jl7UL#FEsw|w3WQ*Qi>`)*
zau*F9iIK%6KzY=fmCO`HGqJ;rBO42LdCnNI=q?Z;+r;fsN17U^>5p^H@B7a0@%?e;
zoJ~nO=;Gw*1ORZ6$B_zje)D+YJhV@J&87fg?<gmu(n>#C7@asb0bNNWH=TTNc39FN
z`^A%|dhZ#HY)o)tr^lCAL7z}pfA{WAvYq{;3TqR>aBh8dWZgw$ah^~3e$pDOH}Qvy
zg6O^@Vw#^Ac4!nZ+M@5$?CB{|DZh;|d?Fx_U}vR6PKL<6bqbz-saDrTS!DzMs9jp9
ze_OMeuDF@Uc*yMxkw<2&7PW)ws$YVw&6}t1Z3tvDssS@-XsQT5K(G#s#o17~7Jti5
z)nEFRC#Ik2%U{Kq<VmfbvR+y^90hGnCvLbAY-st5_B40CIbpM*GAdqRs0{D>a0|`l
zKT6*NZRN&yUk6NZ%u+lsRQikug%E6Up00(mmS~p;Fny-_ygN>F?nOaBlZHcEAl)FQ
zIZl^rr>c74juZ6F2CAyPcNP@TcJGH;Kq@>iegB2ATRUj(^k@5l#uN>0Ul>EN8eJpM
z_t*9u-$StF^J|DW0+`I`9t5@mW(H0p0K5Y>(VQh98hCeJpsX{Ag*;ce#6k7vtF`V_
z9Lg#NG^Y&6K|EyaO0X{}X8)F<Qb@4BrT+16sf4!RYtN$Ce>!ed+(SOWhNV7^+;Bi0
z<jE%*P|AOZ2cWH2Tes{?ntuwed(z_n1f~)wYF%E;0c7qIPM!BCDd`h&5_6RZH&VuV
z>ZivSo7{o%(~Su_E0C-t;xHoM&^Ocxmpz(H@B^(zbUO&LYP`zdw}&AnF=8pVM+1^=
zc0>kq7%{#H`nK@~Qp_jb1T~*uvBPB%+p966Y~m0UJsfMPwWFk__QEZo)uWrI)(R!R
z0%C3YC=^|vN)_aStd4v?Ur@7NEFlD=mK~>7C}~>fhyx(2R=_~YIXAGI5M(F6T*V^<
zKPO)Gg54kRaGAJC&xSzJ&}f%27bQ3D3W^lFp1B`ZviLhCb-VpQ8H}m5m%Bw}+Xz9-
z8^$4LEXzO1vMa+Gmpyf~Z|NN<+TCULMk8D|??<@PtU$QkoR9Fwg8+}sp5KRMb)50?
zBLv%qUvsd(W-4k$(_}=Xf^YqOnhPlD#iZnYP#RDA1regQmaP($ZaFK&V>J(Sn5j|2
z&9#A5jjF$(5S|t@z2kVwbFsFB=lK_pHE?g0#ek`sO?mg{GD2ZJqfLuhNzaD$)j6rh
nK!oF^fK`4-x>9@!J%M%bV`iwjqv&`x`Wb*cCW-8ce&ys}+1|4@

literal 0
HcmV?d00001

diff --git a/assets/img/icon-512.png b/assets/img/icon-512.png
new file mode 100644
index 0000000000000000000000000000000000000000..bf41cc8ffc16c9baee4038b4283a83349f4c8c38
GIT binary patch
literal 3856
zcmbVPdsI_b_TD#yw}B80K@g2Rg@{m*ilRK^B?Y8f1(Zi(9r0BS)hcv|$@NtN)TLDs
zEg;NTYkd(dMG!P(+QiYRTKiC<s7bG_ol+s(ajAF8ZJ2#4u5nh^`u*|yD`%hc?Qef)
z?~{A>seXNahQQ6w4FCk0^HLWA@Nmcj7w)IhFXc3VM{j0o@}i2y0dw)*@g3qF3+6mK
zlK;ce%FL2&*IKsuZLpu{KCuV>mD=byrn~I1`_H<+Kaj)NUuAX)2q(d!VVlMtFyb#w
zg97u&PnAxzg(wMvt5fy1JBC(1S#5l_RQyRG7>!jG6KG{}7@^q1Ty71qUtA@HyOR@+
zRBAODn?s-|Twf=k<cHR|z)F+z*(K~RZPN*>nEw93MdqYpCePqa`TyOEF8@4&Pufh9
zUA;!R$3AaJ@R=CZD%LE>o(D{h>R4wXyXzHC!dk^dyi&s6^a_IkDke3Lbrc1|QL6ik
zw<zUan%|P8T5(X$)=hgKKGS~Xwzj&bz)476GnMbSX|hB=^CH)os<t;7EivUn@}9AN
z+eMQ+P9h?=7>{k8K=)n`;VYc!nJsUyKW^L$ry>&wVGpk)6i(JO&$%G(aVe3)FV)Sn
zRH5pC*=dj`N>s)Ls>8<z!&+_g^w~0XtSSpiC5g-9g4D^XWOyh}Ebe@b{gBxMS0}4m
z%c__av@>xqi%tE0JuQ16Ar7XoQ<i<im}nuHY1DaLs<j00gg%LLFV|QUF@&~y;)JU~
z>fKFzsZ{+|^f6}LIWO{SYKBuxt$dZ3@C{QhJyXN99}tqsl*DmuwdE}bqO+LYqbR0_
z?=`?(nL6=I7b8|?!=Nb9-<-+*wIdihv~u@HVd~ytFS6FOoB!0Ohi-B))KMLTfU4IE
zh|Y92xFv_}pCJW_R?d5;#$xa1TTd~9q&9{(B?n3*nqLjMbZo(XxG>pHZS9~M&IA$_
zY3ykSo2h=;Ox{o<<L#{Xkyr0@!NNxQ#|7%eCxzq@O6eCjRqvZ6#2PnG8~Tv>bM}1D
zduje=7)J{Z9RgK|ee>4GRMxaef?34g<mFe}t~Bzk%jsusMKXPaw}?zMHHViqGoNRt
zf!bTsWVlDg$9NJ<23yQqZtN`;@rF8>T7G(s^7<G)9+N`;rP`?6MkvtyQ*3EI^%RVj
ziF?HIzqIs&Q9dDhJL7Y7zmwE%C2t$cS6{e<%i}P|vjlk(l5uw^^|5^NK^IS`DKxND
zR&4eHpmc5pX)4{NRjx_w9Aa&??iPp%ZBMWwjUMRgv*U0QX5O*;=0hA#P;8<Dy1%-P
zLw|)Q9ov2791eXIVRTOS7l&~uRwU9Zx*Gw;i{$6NT<1$NGGepX(y?~Hhh&D~sgL};
z`#Lend<lNWj=_jwzSJH{PM}TQ#!&QjYROSOyWTem=yG_cMrX<V(phTfk)^cYksyif
zb1>Gw4ls?%G9z!kGZU__DkiiVCD}opG>b^4-l-x=ziSwMb`c5Q^2<#Q!jUeJ*V;Y;
z_>-}G!&hMJkr}+`_PdclN4b?1sbZett_yjyW%@=Q?D3Lc$Adaj1G;M4Pj`?xk&K~a
zU2A}ndsr_p2izbjU6s}Ap2Ri~MIri6WR6mMJG6=|H)GLlK9p;9C%H(yo3JW9Lc<oy
zKVAux#mTy!J}L(Cede3%oN~f9NZ+v$o##M$jjok*$uB>EE__1;J#Y>63t%B%IwF9;
z6S##Z#HX*}&po143UIU^Lz#$&3&xU+QV{J=z~seVB%>P>9frg9cY*4OGF;_D%Xe6r
zkx$`qUo_B`u?jH{USD$(jG7#>-35}4=O9f0kr#}N2RxHl3BRBoVE@uM1bZkpao{Tm
zjwR=CU=xBb!sb8@j0vmfnRjzwDS}-T`5YJzpC*93=!)P>)LIOFoZrvrmj-|4hSfNX
zggZD4N1d^0sFRn(Nfvt~u@=u8*#NI`-UUF7Yyi~12-!6;kcgANdrU_&5|l5@$!Law
zjdSV4fD+!&I3x=}h3m&4p_8E(IrgK<t`J0uA!9T$hnUKRbTGV)!e7I%#dtJ(_~gn_
z>P^Wg!3pq6fTN=vv+%^qJq_bV9k`$p4BAb^<vy3qDdd<BBXg9KHR2^;7;e0f=sbW@
zL_jWlX(a^<R0nsH|CfR*-3(mW0(Ue1u)=NVSIk7u7_xg*E*ExG=1crrgd}6(8+`v8
z?uEoZV*gK~mloA{@O6YDc*GHITpr=^e&6x`pYA13jZ=~X__23X1pJdbWG^lKcLT?F
zJG2l`SsBmZT<RZE^Ibl11IXgv&OYVAjk*83toJ0H;L%UNedi8Ij-#a-jWNp)1Yo{W
z6(0pK?ESnz{pVp77$zk6ze|7_zhy59*I&oY_v;HPaQ@Kfyv`Z5-+J=of;$+_y&&~R
z(t@u$`le#b!d0c0&w)1l$?OP<6qMip4~{9qqqPg*QTlVS$A97W_c%V`XC9mpqsmSB
zFdY=7xdZ1Bl!Bmp9PPnx+m<73gRd87TyxJtBVLFx9`HE#iglMT#=96}%{!dCQ<Sn3
z@Xq%}^yOJGR^*OG?z%CUk&haSlmrwkP5?iMzW?u^eSi$XdLLiHF$EQW+K1r7=Q(3}
zQS2Qw4vym_mUow(#TX%vxvC9r94Nw_Pb=k8eE0i*oko(_Q=GQWTLCGN0PY3hNMBah
zkhc_|w4($?SuYHSqVe&$HJtH&;j<+G58F3$Mr`@+Hh}CkRa}1BoTi|0byYKGyuG{>
zVIQ{@axm?(hS}4RcBuV>?Nb1}Z_nh6Lw{R~Mw>a2Gww6tC?)(eF7x+m9+geuCf``I
z!x5yXUcs@j$XbR}s}3~D3DB<Q<Tp`$@oC(gx4f8u%Ua!FDxRs943+YjJ1z^TEE&K!
z`e+ju`cb6*>>F5nve?wSn7fsJ=}JOhbFM1C-WAdD)lvO#qB~xbk-vZY4@@10S;>>g
zzut*iG;~qJ=T+!Xus}5vH3jJ#8&E3QZk)04B<>emprz}5(cz)QlF5m&{cw(BE2Ved
zosHqIhU<5UxrtZl#Z%lc-eaw8Suye*Ojf!6&bQ+zE=y(ltv9*f5WPBVKuA_O!55}-
z+l3t75c;+-RPme5fT{Ei)Njha9RZ#KSkK+jcwHm3quSQj{^}S*iUa9ytRL9GgR*(5
z+fzGM!UR7kiqNkvH^0icOclx78Xk@3T#lK_A0;$6TmM2BT)D2nPE@Rdp}oxJd#3|A
z=;5*Q)5KCPy7dfGvJ0;<baFP<uQ}Mt>0lPBj-;P(=OX4Bdsm;i#7$O&>9ZcxIa!Y}
z+Z{@UmcQ=r=Vtp&`IA4HgPi1>^lw*0<U~p*^o`Qbew%BU3STr#6KRR-`(E;fOc#Ta
zvWYqiRVyD(0!>ZNd}{)|^H2?_rr5K$t~KSan9CbF&Qv<KiY)tPx*GB+oljhpKKNS^
zsWe)qmZhswN<+a?+oQ0?(oYUH!g#UfABMMSQ^7WvJ<0y@)*!0ztQ%1=pIzY~uhkjn
z^6@DU=5awHfA2>ZLoKBYsF3MhWg@cIB%eL>hDzWQg3pHLgz2?WhHv;*9_>%gr~Bkh
zP!yzgy%DN@;x8m+rd*z%F=~rHuk0+d&TyZaq4y>_)7W{~WOd))4R=G-k!SWXY069(
z6es!@6tgumLZPG9;(1D@?y2;~2D*y>yn)89dckN{{WW#W@p-H5qP6&54Ocg;<4Z%a
z6W`6u*(@T@FyANVu}%%HhOtzJ%L9|mgX`!0M*I2O#;-(!K0VXaUgS7a?$|+L&lI~9
z9@jL>ibB*ms(IWyp?LJ2a7&oDydsZX!yJH9!Rl|yQrU%Z^Wc_uqLRsGXI0d|sR(ud
zP#zmtu@yg1>Zi{iCGpx^{3Av+@8c^b;+rLdZQtlhm~&Kq=0bMo#z}-ZPZf?$|D27^
zgt<r+hnp5`oJg$lvUuGRY0i$3LNV3$IZNsGFXOi?!dFucn=|b&d{%4oSVBwY?SY{b
z)qB2C_I|B5w%hWMK_AWXt0}+~;8QG*O?zb$VXdTTDweMQ;s-t%W|Zs-qHH@ByMRus
z9B(tp9l!K~>ouP8Hl}ywY978YwwtB)y4&wT*%2mhaFRXXb{#~|Q>FKcMoOj&;Y}(i
zemB$6vJav^V1x~oCtRSd*4BP{Wj@dFIW@fg$0Z-a>(^A@a_!G=p6MSh+rC$np~06f
NWTwqeZJn#w_8(M0$IJi#

literal 0
HcmV?d00001

diff --git a/assets/img/logo-icon.svg b/assets/img/logo-icon.svg
new file mode 100644
index 0000000..cd251a4
--- /dev/null
+++ b/assets/img/logo-icon.svg
@@ -0,0 +1,38 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 48 48" width="48" height="48">
+  <defs>
+    <linearGradient id="g1" x1="0%" y1="0%" x2="100%" y2="100%">
+      <stop offset="0%" stop-color="#f0c040"/>
+      <stop offset="100%" stop-color="#ff6b35"/>
+    </linearGradient>
+    <linearGradient id="g2" x1="0%" y1="0%" x2="100%" y2="100%">
+      <stop offset="0%" stop-color="#00e5ff"/>
+      <stop offset="100%" stop-color="#7b2fbe"/>
+    </linearGradient>
+    <filter id="glow">
+      <feGaussianBlur stdDeviation="1.5" result="blur"/>
+      <feMerge><feMergeNode in="blur"/><feMergeNode in="SourceGraphic"/></feMerge>
+    </filter>
+  </defs>
+  <!-- Controller body -->
+  <rect x="6" y="16" width="36" height="22" rx="11" fill="url(#g1)" filter="url(#glow)"/>
+  <!-- D-pad left side -->
+  <rect x="12" y="23" width="8" height="3" rx="1.5" fill="rgba(0,0,0,0.5)"/>
+  <rect x="15" y="20" width="3" height="8" rx="1.5" fill="rgba(0,0,0,0.5)"/>
+  <!-- Buttons right side -->
+  <circle cx="32" cy="22" r="2" fill="#e63946" opacity="0.85"/>
+  <circle cx="36" cy="25" r="2" fill="#2ec4b6" opacity="0.85"/>
+  <circle cx="32" cy="28" r="2" fill="#7b2fbe" opacity="0.85"/>
+  <circle cx="28" cy="25" r="2" fill="#f4a261" opacity="0.85"/>
+  <!-- Center connector / menu button -->
+  <rect x="21" y="24" width="6" height="3" rx="1.5" fill="rgba(0,0,0,0.35)"/>
+  <!-- Handle grips (left and right) -->
+  <rect x="8" y="30" width="8" height="6" rx="4" fill="url(#g2)" opacity="0.7"/>
+  <rect x="32" y="30" width="8" height="6" rx="4" fill="url(#g2)" opacity="0.7"/>
+  <!-- Top bumper buttons -->
+  <rect x="14" y="13" width="8" height="5" rx="2.5" fill="url(#g1)" opacity="0.8"/>
+  <rect x="26" y="13" width="8" height="5" rx="2.5" fill="url(#g1)" opacity="0.8"/>
+  <!-- Stars / sparkles -->
+  <circle cx="24" cy="8" r="1.5" fill="#f0c040" opacity="0.9"/>
+  <circle cx="38" cy="10" r="1" fill="#00e5ff" opacity="0.8"/>
+  <circle cx="10" cy="10" r="1" fill="#f0c040" opacity="0.7"/>
+</svg>
diff --git a/assets/img/milkyway.svg b/assets/img/milkyway.svg
new file mode 100644
index 0000000..b89a5fd
--- /dev/null
+++ b/assets/img/milkyway.svg
@@ -0,0 +1,35 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 120 120" width="120" height="120">
+  <defs>
+    <radialGradient id="bg" cx="40%" cy="40%" r="60%">
+      <stop offset="0%" stop-color="#1a0a40"/>
+      <stop offset="60%" stop-color="#0a0520"/>
+      <stop offset="100%" stop-color="#050210"/>
+    </radialGradient>
+    <linearGradient id="purple" x1="0%" y1="0%" x2="100%" y2="100%">
+      <stop offset="0%" stop-color="#c77dff"/>
+      <stop offset="100%" stop-color="#7b2fbe"/>
+    </linearGradient>
+    <filter id="glow">
+      <feGaussianBlur stdDeviation="3" result="blur"/>
+      <feMerge><feMergeNode in="blur"/><feMergeNode in="SourceGraphic"/></feMerge>
+    </filter>
+  </defs>
+  <rect width="120" height="120" rx="24" fill="url(#bg)"/>
+  <!-- Galactic swirl -->
+  <ellipse cx="60" cy="60" rx="38" ry="12" fill="none" stroke="url(#purple)" stroke-width="1.5" opacity="0.5" transform="rotate(-30 60 60)"/>
+  <ellipse cx="60" cy="60" rx="28" ry="8" fill="none" stroke="#c77dff" stroke-width="1" opacity="0.4" transform="rotate(20 60 60)"/>
+  <!-- Stars -->
+  <circle cx="30" cy="25" r="1.5" fill="white" opacity="0.9"/>
+  <circle cx="88" cy="30" r="1" fill="white" opacity="0.7"/>
+  <circle cx="20" cy="70" r="1" fill="white" opacity="0.6"/>
+  <circle cx="95" cy="65" r="1.5" fill="white" opacity="0.8"/>
+  <circle cx="50" cy="15" r="1" fill="white" opacity="0.5"/>
+  <circle cx="75" cy="100" r="1.5" fill="white" opacity="0.7"/>
+  <circle cx="40" cy="95" r="1" fill="#c77dff" opacity="0.9"/>
+  <circle cx="100" cy="45" r="1" fill="#c77dff" opacity="0.6"/>
+  <!-- Galaxy emoji + text -->
+  <text x="60" y="56" font-size="34" text-anchor="middle" filter="url(#glow)" font-family="Arial">🌌</text>
+  <text x="60" y="80" font-size="11" font-weight="700" text-anchor="middle" fill="url(#purple)" font-family="Arial, sans-serif" letter-spacing="1.5">MILKY WAY</text>
+  <!-- Border glow -->
+  <rect x="2" y="2" width="116" height="116" rx="22" fill="none" stroke="url(#purple)" stroke-width="1" opacity="0.4"/>
+</svg>
diff --git a/assets/img/noble777.svg b/assets/img/noble777.svg
new file mode 100644
index 0000000..16a61e5
--- /dev/null
+++ b/assets/img/noble777.svg
@@ -0,0 +1,31 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 120 120" width="120" height="120">
+  <defs>
+    <radialGradient id="bg" cx="50%" cy="50%" r="50%">
+      <stop offset="0%" stop-color="#1a1400"/>
+      <stop offset="100%" stop-color="#0a0800"/>
+    </radialGradient>
+    <linearGradient id="gold" x1="0%" y1="0%" x2="100%" y2="100%">
+      <stop offset="0%" stop-color="#FFD700"/>
+      <stop offset="50%" stop-color="#FFF0A0"/>
+      <stop offset="100%" stop-color="#CC9900"/>
+    </linearGradient>
+    <filter id="glow">
+      <feGaussianBlur stdDeviation="3" result="blur"/>
+      <feMerge><feMergeNode in="blur"/><feMergeNode in="SourceGraphic"/></feMerge>
+    </filter>
+  </defs>
+  <rect width="120" height="120" rx="24" fill="url(#bg)"/>
+  <!-- Diamond border -->
+  <rect x="8" y="8" width="104" height="104" rx="18" fill="none" stroke="url(#gold)" stroke-width="1.5" opacity="0.7"/>
+  <rect x="4" y="4" width="112" height="112" rx="20" fill="none" stroke="#FFD700" stroke-width="0.5" opacity="0.3"/>
+  <!-- Crown -->
+  <text x="60" y="54" font-size="38" text-anchor="middle" filter="url(#glow)" font-family="Arial">👑</text>
+  <!-- 777 NOBLE text -->
+  <text x="60" y="76" font-size="18" font-weight="900" text-anchor="middle" fill="url(#gold)" font-family="Arial Black, sans-serif" letter-spacing="3" filter="url(#glow)">777</text>
+  <text x="60" y="92" font-size="10" font-weight="700" text-anchor="middle" fill="#CC9900" font-family="Arial, sans-serif" letter-spacing="3" opacity="0.9">NOBLE</text>
+  <!-- Corner diamonds -->
+  <polygon points="20,12 24,16 20,20 16,16" fill="#FFD700" opacity="0.7"/>
+  <polygon points="100,12 104,16 100,20 96,16" fill="#FFD700" opacity="0.7"/>
+  <polygon points="20,108 24,104 20,100 16,104" fill="#FFD700" opacity="0.7"/>
+  <polygon points="100,108 104,104 100,100 96,104" fill="#FFD700" opacity="0.7"/>
+</svg>
diff --git a/assets/img/og-image.svg b/assets/img/og-image.svg
new file mode 100644
index 0000000..62fee62
--- /dev/null
+++ b/assets/img/og-image.svg
@@ -0,0 +1,46 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 1200 630" width="1200" height="630">
+  <defs>
+    <linearGradient id="bg" x1="0%" y1="0%" x2="100%" y2="100%">
+      <stop offset="0%" stop-color="#0a0a12"/>
+      <stop offset="100%" stop-color="#1a1228"/>
+    </linearGradient>
+    <linearGradient id="gold" x1="0%" y1="0%" x2="100%" y2="100%">
+      <stop offset="0%" stop-color="#f0c040"/>
+      <stop offset="100%" stop-color="#ff6b35"/>
+    </linearGradient>
+    <linearGradient id="cyan" x1="0%" y1="0%" x2="100%" y2="100%">
+      <stop offset="0%" stop-color="#00e5ff"/>
+      <stop offset="100%" stop-color="#7b2fbe"/>
+    </linearGradient>
+  </defs>
+  <!-- Background -->
+  <rect width="1200" height="630" fill="url(#bg)"/>
+  <!-- Grid lines -->
+  <line x1="0" y1="315" x2="1200" y2="315" stroke="rgba(240,192,64,0.05)" stroke-width="1"/>
+  <line x1="600" y1="0" x2="600" y2="630" stroke="rgba(240,192,64,0.05)" stroke-width="1"/>
+  <!-- Glow circle -->
+  <circle cx="600" cy="315" r="280" fill="rgba(240,192,64,0.03)" stroke="rgba(240,192,64,0.08)" stroke-width="1"/>
+  <!-- Gamepad icon (simplified) -->
+  <g transform="translate(540,180) scale(2.5)">
+    <rect x="6" y="16" width="36" height="22" rx="11" fill="url(#gold)" opacity="0.9"/>
+    <rect x="12" y="23" width="8" height="3" rx="1.5" fill="rgba(0,0,0,0.5)"/>
+    <rect x="15" y="20" width="3" height="8" rx="1.5" fill="rgba(0,0,0,0.5)"/>
+    <circle cx="32" cy="22" r="2.2" fill="#e63946"/>
+    <circle cx="36" cy="25" r="2.2" fill="#2ec4b6"/>
+    <circle cx="32" cy="28" r="2.2" fill="#7b2fbe"/>
+    <circle cx="28" cy="25" r="2.2" fill="#f4a261"/>
+    <rect x="8" y="30" width="8" height="7" rx="4" fill="url(#cyan)" opacity="0.8"/>
+    <rect x="32" y="30" width="8" height="7" rx="4" fill="url(#cyan)" opacity="0.8"/>
+  </g>
+  <!-- Logo text -->
+  <text x="600" y="375" font-family="Georgia,serif" font-size="64" font-weight="700" fill="#f0c040" text-anchor="middle">TomTomGames</text>
+  <!-- Tagline -->
+  <text x="600" y="425" font-family="Arial,sans-serif" font-size="24" fill="#8888aa" text-anchor="middle">Buy tokens for VBlink777 · Fire Kirin · Milky Way · Ultra Panda &amp; more</text>
+  <!-- Bottom badges -->
+  <rect x="350" y="470" width="160" height="40" rx="8" fill="rgba(240,192,64,0.1)" stroke="rgba(240,192,64,0.3)" stroke-width="1"/>
+  <text x="430" y="496" font-family="Arial,sans-serif" font-size="16" fill="#f0c040" text-anchor="middle" font-weight="700">⚡ Instant Delivery</text>
+  <rect x="520" y="470" width="160" height="40" rx="8" fill="rgba(0,229,255,0.07)" stroke="rgba(0,229,255,0.2)" stroke-width="1"/>
+  <text x="600" y="496" font-family="Arial,sans-serif" font-size="16" fill="#00e5ff" text-anchor="middle" font-weight="700">🔒 SSL Secured</text>
+  <rect x="690" y="470" width="160" height="40" rx="8" fill="rgba(0,230,118,0.07)" stroke="rgba(0,230,118,0.2)" stroke-width="1"/>
+  <text x="770" y="496" font-family="Arial,sans-serif" font-size="16" fill="#00e676" text-anchor="middle" font-weight="700">💬 24/7 Support</text>
+</svg>
diff --git a/assets/img/pandamaster.svg b/assets/img/pandamaster.svg
new file mode 100644
index 0000000..b7ec28a
--- /dev/null
+++ b/assets/img/pandamaster.svg
@@ -0,0 +1,27 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 120 120" width="120" height="120">
+  <defs>
+    <radialGradient id="bg" cx="50%" cy="30%" r="70%">
+      <stop offset="0%" stop-color="#0a1628"/>
+      <stop offset="100%" stop-color="#040810"/>
+    </radialGradient>
+    <linearGradient id="blue" x1="0%" y1="0%" x2="100%" y2="100%">
+      <stop offset="0%" stop-color="#64b5f6"/>
+      <stop offset="100%" stop-color="#1565c0"/>
+    </linearGradient>
+    <filter id="glow">
+      <feGaussianBlur stdDeviation="2" result="blur"/>
+      <feMerge><feMergeNode in="blur"/><feMergeNode in="SourceGraphic"/></feMerge>
+    </filter>
+  </defs>
+  <rect width="120" height="120" rx="24" fill="url(#bg)"/>
+  <!-- Crown at top -->
+  <path d="M42 28 L50 20 L60 26 L70 20 L78 28 L74 38 L46 38 Z" fill="#FFD700" opacity="0.9" filter="url(#glow)"/>
+  <circle cx="50" cy="20" r="3" fill="#FFD700"/>
+  <circle cx="60" cy="16" r="3.5" fill="#FFD700"/>
+  <circle cx="70" cy="20" r="3" fill="#FFD700"/>
+  <!-- Panda + paw -->
+  <text x="60" y="68" font-size="36" text-anchor="middle" filter="url(#glow)" font-family="Arial">🐾</text>
+  <!-- MASTER text -->
+  <text x="60" y="90" font-size="11" font-weight="900" text-anchor="middle" fill="url(#blue)" font-family="Arial Black, sans-serif" letter-spacing="2" filter="url(#glow)">MASTER</text>
+  <rect x="2" y="2" width="116" height="116" rx="22" fill="none" stroke="url(#blue)" stroke-width="1" opacity="0.5"/>
+</svg>
diff --git a/assets/img/ultrapanda.svg b/assets/img/ultrapanda.svg
new file mode 100644
index 0000000..f8e384f
--- /dev/null
+++ b/assets/img/ultrapanda.svg
@@ -0,0 +1,30 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 120 120" width="120" height="120">
+  <defs>
+    <radialGradient id="bg" cx="50%" cy="50%" r="50%">
+      <stop offset="0%" stop-color="#1a1a2e"/>
+      <stop offset="100%" stop-color="#080814"/>
+    </radialGradient>
+    <linearGradient id="orange" x1="0%" y1="0%" x2="100%" y2="100%">
+      <stop offset="0%" stop-color="#FFB347"/>
+      <stop offset="100%" stop-color="#FF6B00"/>
+    </linearGradient>
+    <filter id="glow">
+      <feGaussianBlur stdDeviation="2" result="blur"/>
+      <feMerge><feMergeNode in="blur"/><feMergeNode in="SourceGraphic"/></feMerge>
+    </filter>
+  </defs>
+  <rect width="120" height="120" rx="24" fill="url(#bg)"/>
+  <rect x="2" y="2" width="116" height="116" rx="22" fill="none" stroke="url(#orange)" stroke-width="1.5" opacity="0.5"/>
+  <!-- Bamboo decorations -->
+  <rect x="12" y="30" width="5" height="65" rx="2" fill="#2d5a27" opacity="0.5"/>
+  <rect x="103" y="25" width="5" height="65" rx="2" fill="#2d5a27" opacity="0.5"/>
+  <rect x="10" y="48" width="9" height="3" rx="1" fill="#2d5a27" opacity="0.5"/>
+  <rect x="101" y="44" width="9" height="3" rx="1" fill="#2d5a27" opacity="0.5"/>
+  <!-- Panda emoji -->
+  <text x="60" y="60" font-size="42" text-anchor="middle" filter="url(#glow)" font-family="Arial">🐼</text>
+  <!-- ULTRA text -->
+  <text x="60" y="85" font-size="12" font-weight="900" text-anchor="middle" fill="url(#orange)" font-family="Arial Black, sans-serif" letter-spacing="2" filter="url(#glow)">ULTRA</text>
+  <!-- Stars -->
+  <text x="35" y="35" font-size="12" text-anchor="middle" fill="#FFD700" opacity="0.8">★</text>
+  <text x="85" y="35" font-size="12" text-anchor="middle" fill="#FFD700" opacity="0.8">★</text>
+</svg>
diff --git a/assets/img/vblink777.svg b/assets/img/vblink777.svg
new file mode 100644
index 0000000..47e8e61
--- /dev/null
+++ b/assets/img/vblink777.svg
@@ -0,0 +1,27 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 120 120" width="120" height="120">
+  <defs>
+    <radialGradient id="bg" cx="50%" cy="50%" r="50%">
+      <stop offset="0%" stop-color="#1a0a2e"/>
+      <stop offset="100%" stop-color="#0d0620"/>
+    </radialGradient>
+    <linearGradient id="gold" x1="0%" y1="0%" x2="100%" y2="100%">
+      <stop offset="0%" stop-color="#FFD700"/>
+      <stop offset="100%" stop-color="#FF6B00"/>
+    </linearGradient>
+    <filter id="glow">
+      <feGaussianBlur stdDeviation="2" result="blur"/>
+      <feMerge><feMergeNode in="blur"/><feMergeNode in="SourceGraphic"/></feMerge>
+    </filter>
+  </defs>
+  <rect width="120" height="120" rx="24" fill="url(#bg)"/>
+  <rect x="2" y="2" width="116" height="116" rx="22" fill="none" stroke="url(#gold)" stroke-width="1.5" opacity="0.6"/>
+  <!-- Slot machine reel symbols -->
+  <text x="60" y="52" font-size="36" text-anchor="middle" fill="url(#gold)" filter="url(#glow)" font-family="Arial">🎰</text>
+  <!-- 777 text -->
+  <text x="60" y="84" font-size="22" font-weight="900" text-anchor="middle" fill="url(#gold)" font-family="Arial Black, sans-serif" filter="url(#glow)" letter-spacing="2">777</text>
+  <!-- Stars -->
+  <circle cx="22" cy="22" r="2" fill="#FFD700" opacity="0.8"/>
+  <circle cx="98" cy="22" r="2" fill="#FFD700" opacity="0.8"/>
+  <circle cx="22" cy="98" r="2" fill="#FF6B00" opacity="0.8"/>
+  <circle cx="98" cy="98" r="2" fill="#FF6B00" opacity="0.8"/>
+</svg>
diff --git a/bump_version.php b/bump_version.php
new file mode 100644
index 0000000..a5ab587
--- /dev/null
+++ b/bump_version.php
@@ -0,0 +1,52 @@
+<?php
+/**
+ * TomTomGames Version Manager
+ * Run after uploading a new build to update the DB version.
+ * Usage: https://tomtomgames.com/bump_version.php?key=ADMIN_KEY&version=1.0.2&notes=Your+notes+here
+ *
+ * Or auto-bump: ?key=ADMIN_KEY&bump=patch  (1.0.1 → 1.0.2)
+ *               ?key=ADMIN_KEY&bump=minor  (1.0.1 → 1.1.0)
+ *               ?key=ADMIN_KEY&bump=major  (1.0.1 → 2.0.0)
+ */
+
+define('BUMP_KEY', 'TTG_bump_2026!'); // Change this to your own secret key
+
+if (($_GET['key'] ?? '') !== BUMP_KEY) {
+    http_response_code(403);
+    echo json_encode(['error' => 'Forbidden']);
+    exit;
+}
+
+require_once __DIR__ . '/../includes/db.php';
+
+// Get current version
+$current = db()->query("SELECT version FROM app_version ORDER BY id DESC LIMIT 1")->fetchColumn() ?: '1.0.0';
+[$major, $minor, $patch] = array_map('intval', explode('.', $current));
+
+// Determine new version
+if (!empty($_GET['version'])) {
+    $newVersion = trim($_GET['version']);
+} elseif (!empty($_GET['bump'])) {
+    switch ($_GET['bump']) {
+        case 'major': $newVersion = ($major+1).'.0.0'; break;
+        case 'minor': $newVersion = $major.'.'.($minor+1).'.0'; break;
+        default:      $newVersion = $major.'.'.$minor.'.'.($patch+1); break;
+    }
+} else {
+    // Default: bump patch
+    $newVersion = $major.'.'.$minor.'.'.($patch+1);
+}
+
+$notes = trim($_GET['notes'] ?? 'Build ' . date('Y-m-d H:i:s'));
+
+db()->prepare("INSERT INTO app_version (version, notes) VALUES (?, ?)")
+   ->execute([$newVersion, $notes]);
+
+header('Content-Type: application/json');
+echo json_encode([
+    'success'      => true,
+    'previous'     => $current,
+    'new_version'  => $newVersion,
+    'notes'        => $notes,
+    'timestamp'    => date('Y-m-d H:i:s'),
+]);
diff --git a/favicon.ico b/favicon.ico
new file mode 100644
index 0000000000000000000000000000000000000000..ef9c61649366bd296d35e51c2f75986466bd7f86
GIT binary patch
literal 136
zcmZQzU<5(|0R|wcz)-}%z#s<1odJICyj)UTKqjxJhf5HU2C85X;9vui@}K`F0x3&R
z7srr_TgeFvOn(#{cxWFvt01w<MA)Q7;;aR)qN{P3Gut(WB9q{w6CA}lM3ytJTH><m
d32RWXGJ|vdR&B9lEp4D744$rjF6*2Ung9t@A+-Pi

literal 0
HcmV?d00001

diff --git a/favicon.svg b/favicon.svg
new file mode 100644
index 0000000..80a423b
--- /dev/null
+++ b/favicon.svg
@@ -0,0 +1,5 @@
+<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 32 32">
+  <rect width="32" height="32" rx="6" fill="#0a0a12"/>
+  <circle cx="16" cy="16" r="13" fill="#f0c040"/>
+  <text x="16" y="22" text-anchor="middle" font-family="Arial" font-weight="bold" font-size="18" fill="#000">T</text>
+</svg>
\ No newline at end of file
diff --git a/fix_broadcast.php b/fix_broadcast.php
new file mode 100644
index 0000000..b8b66f1
--- /dev/null
+++ b/fix_broadcast.php
@@ -0,0 +1,28 @@
+<?php
+// Fix broadcast_list in admin.php on server - delete after running
+$f = '/home/tomtomgames.com/public_html/api/admin.php';
+$c = file_get_contents($f);
+
+$idx = strpos($c, "case 'broadcast_list':");
+$end = strpos($c, "        break;", $idx) + 14;
+
+$new = "case 'broadcast_list':\n        try {\n            \$sql = \"SELECT b.id, b.subject, b.message, b.target, b.sent_at, u.username AS sender_name, (SELECT COUNT(*) FROM broadcast_reads WHERE broadcast_id=b.id) AS read_count, (SELECT COUNT(*) FROM broadcast_replies WHERE broadcast_id=b.id) AS reply_count, (SELECT COUNT(*) FROM users WHERE status='active' AND is_admin=0) AS total_players FROM broadcasts b JOIN users u ON b.admin_id=u.id ORDER BY b.sent_at DESC LIMIT 100\";\n            \$stmt = db()->query(\$sql);\n            echo json_encode(['success'=>true,'broadcasts'=>\$stmt->fetchAll()]);\n        } catch(Exception \$e) {\n            echo json_encode(['success'=>false,'error'=>\$e->getMessage()]);\n        }\n        break;";
+
+$c = substr($c, 0, $idx) . $new . substr($c, $end);
+file_put_contents($f, $c);
+
+// Verify it works
+require_once '/home/tomtomgames.com/includes/config.php';
+require_once '/home/tomtomgames.com/includes/db.php';
+
+try {
+    $stmt = db()->query("SELECT COUNT(*) FROM broadcasts");
+    echo "OK - broadcasts in DB: " . $stmt->fetchColumn() . "\n";
+    $stmt2 = db()->query("SELECT b.id, b.subject, b.sent_at, u.username AS sender_name FROM broadcasts b JOIN users u ON b.admin_id=u.id ORDER BY b.sent_at DESC LIMIT 5");
+    $rows = $stmt2->fetchAll();
+    echo "Query works - rows: " . count($rows) . "\n";
+    foreach($rows as $r) echo "  #{$r['id']}: {$r['subject']} by {$r['sender_name']}\n";
+} catch(Exception $e) {
+    echo "ERROR: " . $e->getMessage() . "\n";
+}
+echo "DONE - delete this file\n";
diff --git a/games/index.php b/games/index.php
new file mode 100644
index 0000000..87004dd
--- /dev/null
+++ b/games/index.php
@@ -0,0 +1,232 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta name="robots" content="index, follow, max-snippet:-1, max-image-preview:large">
+<title>Buy Fish Table Game Tokens | VBlink777, Fire Kirin, Milky Way | TomTomGames</title>
+<meta name="description" content="Buy tokens for the best fish table and skill games online — VBlink777, Fire Kirin, Milky Way, Ultra Panda, Panda Master, Noble777, eGame99. Instant delivery, secure payments, 24/7 support. Join TomTomGames today.">
+<meta name="keywords" content="buy fish table tokens, VBlink777 tokens buy, Fire Kirin game tokens, Milky Way game credits, Ultra Panda tokens, Panda Master game, Noble777 tokens, eGame99 buy, fish table game portal, online skill games tokens, game tokens fast delivery">
+<link rel="canonical" href="https://tomtomgames.com/games/">
+
+<meta property="og:title" content="Buy Fish Table Game Tokens | TomTomGames">
+<meta property="og:description" content="The #1 token portal for VBlink777, Fire Kirin, Milky Way, Ultra Panda, Panda Master, Noble777 & eGame99. Buy tokens in minutes.">
+<meta property="og:url" content="https://tomtomgames.com/games/">
+<meta property="og:type" content="website">
+<meta property="og:image" content="https://tomtomgames.com/assets/img/og-image.png">
+
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@type": "ItemList",
+  "name": "Fish Table & Skill Game Platforms",
+  "description": "Buy tokens for these top fish table and skill game platforms through TomTomGames",
+  "url": "https://tomtomgames.com/games/",
+  "itemListElement": [
+    {"@type":"ListItem","position":1,"name":"VBlink777","description":"Buy VBlink777 tokens instantly. Top-rated fish table game with fast payouts.","url":"https://tomtomgames.com/#vblink777"},
+    {"@type":"ListItem","position":2,"name":"Fire Kirin","description":"Fire Kirin game tokens — one of the most popular fish table games online.","url":"https://tomtomgames.com/#firekirin"},
+    {"@type":"ListItem","position":3,"name":"Milky Way","description":"Milky Way game credits. Secure, instant token delivery for Milky Way 777.","url":"https://tomtomgames.com/#milkyway"},
+    {"@type":"ListItem","position":4,"name":"Ultra Panda","description":"Ultra Panda tokens — buy game credits fast for one of the top skill games.","url":"https://tomtomgames.com/#ultrapanda"},
+    {"@type":"ListItem","position":5,"name":"Panda Master","description":"Panda Master game tokens. Instant delivery, multiple payment methods.","url":"https://tomtomgames.com/#pandamaster"},
+    {"@type":"ListItem","position":6,"name":"Noble 777","description":"Noble777 tokens — buy game credits securely through TomTomGames.","url":"https://tomtomgames.com/#noble777"},
+    {"@type":"ListItem","position":7,"name":"eGame99","description":"eGame99 token purchases. Fast credits, 24/7 support.","url":"https://tomtomgames.com/#egame99"}
+  ]
+}
+</script>
+
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+body{font-family:'Segoe UI',Arial,sans-serif;background:#0a0a12;color:#e8e8f0;line-height:1.6}
+a{color:#f0c040;text-decoration:none}
+a:hover{text-decoration:underline}
+.wrap{max-width:960px;margin:0 auto;padding:0 20px}
+header{background:linear-gradient(135deg,#0a0a12,#1a1228);border-bottom:1px solid rgba(240,192,64,.2);padding:16px 0}
+.logo{font-family:'Georgia',serif;font-size:24px;font-weight:700;color:#f0c040}
+.logo span{color:#00e5ff}
+nav{display:flex;gap:20px;align-items:center;margin-top:8px;font-size:14px}
+.hero{background:linear-gradient(135deg,#1a1228,#0d1a2e);padding:60px 0 50px;text-align:center;border-bottom:1px solid rgba(240,192,64,.15)}
+h1{font-size:clamp(26px,5vw,42px);font-weight:800;line-height:1.2;margin-bottom:16px;color:#fff}
+h1 em{color:#f0c040;font-style:normal}
+.hero p{font-size:18px;color:#aab0c0;max-width:620px;margin:0 auto 28px}
+.cta-btn{display:inline-block;background:linear-gradient(135deg,#f0c040,#d4a017);color:#000;font-weight:700;font-size:16px;padding:14px 32px;border-radius:8px;transition:transform .15s}
+.cta-btn:hover{transform:translateY(-2px);text-decoration:none}
+.trust-bar{display:flex;flex-wrap:wrap;justify-content:center;gap:28px;margin-top:32px;font-size:13px;color:#8888aa}
+.trust-bar span{display:flex;align-items:center;gap:6px}
+section{padding:52px 0}
+h2{font-size:28px;font-weight:700;color:#fff;margin-bottom:8px}
+.section-sub{color:#8888aa;margin-bottom:32px;font-size:16px}
+.games-grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(260px,1fr));gap:20px}
+.game-card{background:#111827;border:1px solid rgba(255,255,255,.06);border-radius:12px;padding:24px;transition:transform .2s,border-color .2s}
+.game-card:hover{transform:translateY(-3px);border-color:rgba(240,192,64,.3)}
+.game-card h3{font-size:18px;color:#fff;margin-bottom:8px}
+.game-card p{font-size:14px;color:#8888aa;margin-bottom:16px}
+.game-card .buy-link{font-size:13px;font-weight:700;color:#f0c040;border:1px solid rgba(240,192,64,.3);padding:8px 16px;border-radius:6px;display:inline-block}
+.game-card .buy-link:hover{background:rgba(240,192,64,.1);text-decoration:none}
+.color-dot{width:12px;height:12px;border-radius:50%;display:inline-block;margin-right:8px;vertical-align:middle}
+.steps-grid{display:grid;grid-template-columns:repeat(auto-fill,minmax(200px,1fr));gap:20px}
+.step{background:#111827;border-radius:12px;padding:24px;text-align:center}
+.step-num{width:40px;height:40px;border-radius:50%;background:linear-gradient(135deg,#f0c040,#d4a017);color:#000;font-weight:800;font-size:18px;display:flex;align-items:center;justify-content:center;margin:0 auto 14px}
+.step h3{font-size:16px;color:#fff;margin-bottom:6px}
+.step p{font-size:13px;color:#8888aa}
+.pay-methods{display:flex;flex-wrap:wrap;gap:12px;margin-top:16px}
+.pay-badge{background:#111827;border:1px solid rgba(255,255,255,.08);border-radius:8px;padding:10px 18px;font-size:14px;font-weight:600;color:#e8e8f0}
+.faq{max-width:720px}
+.faq-item{border-bottom:1px solid rgba(255,255,255,.06);padding:20px 0}
+.faq-item h3{font-size:17px;color:#fff;margin-bottom:8px}
+.faq-item p{font-size:14px;color:#aab0c0}
+footer{background:#060608;border-top:1px solid rgba(255,255,255,.06);padding:32px 0;font-size:13px;color:#555;text-align:center}
+footer a{color:#777}
+</style>
+</head>
+<body>
+
+<header>
+  <div class="wrap" style="display:flex;align-items:center;justify-content:space-between;flex-wrap:wrap;gap:12px">
+    <a href="https://tomtomgames.com/" class="logo">TomTom<span>Games</span></a>
+    <nav>
+      <a href="https://tomtomgames.com/">🎮 Play Now</a>
+      <a href="https://tomtomgames.com/">Create Account</a>
+      <a href="https://tomtomgames.com/" style="background:rgba(240,192,64,.1);border:1px solid rgba(240,192,64,.3);padding:7px 16px;border-radius:6px;color:#f0c040;font-weight:700">Buy Tokens →</a>
+    </nav>
+  </div>
+</header>
+
+<section class="hero">
+  <div class="wrap">
+    <h1>Buy <em>Game Tokens</em> for Fish Table &amp; Skill Games</h1>
+    <p>The fastest, most trusted way to load up on tokens for VBlink777, Fire Kirin, Milky Way, Ultra Panda, Panda Master, Noble777, and eGame99.</p>
+    <a href="https://tomtomgames.com/" class="cta-btn">🪙 Buy Tokens Now</a>
+    <div class="trust-bar">
+      <span>🔒 SSL Secured</span>
+      <span>⚡ Instant Delivery</span>
+      <span>💳 Multiple Payment Methods</span>
+      <span>💬 24/7 Support</span>
+      <span>🎮 7 Game Platforms</span>
+    </div>
+  </div>
+</section>
+
+<section style="background:#080812;border-bottom:1px solid rgba(255,255,255,.04)">
+  <div class="wrap">
+    <h2>Supported Game Platforms</h2>
+    <p class="section-sub">Buy tokens for all major fish table and skill game platforms in one place.</p>
+    <div class="games-grid">
+      <div class="game-card">
+        <h3><span class="color-dot" style="background:#FF6B35"></span>VBlink777</h3>
+        <p>One of the most popular fish table games. Buy VBlink777 tokens securely and get them credited fast to your game account.</p>
+        <a href="https://tomtomgames.com/" class="buy-link">Buy VBlink777 Tokens →</a>
+      </div>
+      <div class="game-card">
+        <h3><span class="color-dot" style="background:#E63946"></span>Fire Kirin</h3>
+        <p>Fire Kirin is a top-rated skill game with exciting fish table gameplay. Purchase Fire Kirin tokens through TomTomGames for instant delivery.</p>
+        <a href="https://tomtomgames.com/" class="buy-link">Buy Fire Kirin Tokens →</a>
+      </div>
+      <div class="game-card">
+        <h3><span class="color-dot" style="background:#7B2FBE"></span>Milky Way</h3>
+        <p>Milky Way 777 game credits — buy tokens for one of the best online fish table platforms. Secure payment, fast top-up.</p>
+        <a href="https://tomtomgames.com/" class="buy-link">Buy Milky Way Tokens →</a>
+      </div>
+      <div class="game-card">
+        <h3><span class="color-dot" style="background:#F4A261"></span>Ultra Panda</h3>
+        <p>Ultra Panda game tokens for sale. Top up your account instantly through our secure portal and start playing right away.</p>
+        <a href="https://tomtomgames.com/" class="buy-link">Buy Ultra Panda Tokens →</a>
+      </div>
+      <div class="game-card">
+        <h3><span class="color-dot" style="background:#457B9D"></span>Panda Master</h3>
+        <p>Panda Master tokens — buy game credits quickly and safely. Multiple payment methods accepted including card, Venmo, and Cash App.</p>
+        <a href="https://tomtomgames.com/" class="buy-link">Buy Panda Master Tokens →</a>
+      </div>
+      <div class="game-card">
+        <h3><span class="color-dot" style="background:#FFD700"></span>Noble 777</h3>
+        <p>Noble 777 game token purchases made easy. Register, select your package, and have tokens in your account within minutes.</p>
+        <a href="https://tomtomgames.com/" class="buy-link">Buy Noble 777 Tokens →</a>
+      </div>
+      <div class="game-card">
+        <h3><span class="color-dot" style="background:#2EC4B6"></span>eGame99</h3>
+        <p>eGame99 tokens for sale at the best rates. Fast crediting, 24/7 customer support, and a seamless buying experience.</p>
+        <a href="https://tomtomgames.com/" class="buy-link">Buy eGame99 Tokens →</a>
+      </div>
+    </div>
+  </div>
+</section>
+
+<section>
+  <div class="wrap">
+    <h2>How to Buy Tokens in 3 Steps</h2>
+    <p class="section-sub">Get tokens credited to your game account in minutes.</p>
+    <div class="steps-grid">
+      <div class="step">
+        <div class="step-num">1</div>
+        <h3>Create Account</h3>
+        <p>Register free in under 60 seconds. Verify your email and log in.</p>
+      </div>
+      <div class="step">
+        <div class="step-num">2</div>
+        <h3>Select Game &amp; Package</h3>
+        <p>Choose your game platform, enter your in-game alias, and pick a token package — or enter a custom amount.</p>
+      </div>
+      <div class="step">
+        <div class="step-num">3</div>
+        <h3>Pay &amp; Play</h3>
+        <p>Pay securely by card or manual transfer. Tokens are credited to your game account fast.</p>
+      </div>
+    </div>
+    <div style="margin-top:32px">
+      <h3 style="color:#fff;margin-bottom:12px">Accepted Payment Methods</h3>
+      <div class="pay-methods">
+        <div class="pay-badge">💳 Credit / Debit Card</div>
+        <div class="pay-badge">💙 Venmo</div>
+        <div class="pay-badge">💚 Cash App</div>
+        <div class="pay-badge">🟢 Chime</div>
+        <div class="pay-badge">💜 Zelle</div>
+      </div>
+    </div>
+  </div>
+</section>
+
+<section style="background:#080812;border-top:1px solid rgba(255,255,255,.04)">
+  <div class="wrap">
+    <h2>Frequently Asked Questions</h2>
+    <p class="section-sub">Everything you need to know about buying game tokens.</p>
+    <div class="faq">
+      <div class="faq-item">
+        <h3>What is TomTomGames?</h3>
+        <p>TomTomGames is a token portal that lets you purchase game credits for popular fish table and skill games including VBlink777, Fire Kirin, Milky Way, Ultra Panda, Panda Master, Noble777, and eGame99. We handle the token purchase securely so you can focus on playing.</p>
+      </div>
+      <div class="faq-item">
+        <h3>How quickly are tokens delivered?</h3>
+        <p>Card payments are processed instantly through Square. Manual payments (Venmo, Zelle, Cash App, Chime) are credited within a few minutes after we confirm receipt of your payment.</p>
+      </div>
+      <div class="faq-item">
+        <h3>How much do tokens cost?</h3>
+        <p>Tokens are priced at $1 per token. We offer packages starting from 5 tokens ($5) up to 100 tokens ($100), or you can enter a custom amount up to $500. Volume packages are available — contact support for details.</p>
+      </div>
+      <div class="faq-item">
+        <h3>Is my payment information secure?</h3>
+        <p>Yes. All card transactions are processed through Square, a fully PCI-compliant payment processor. We never store your full card number. Manual payment methods require no card details at all.</p>
+      </div>
+      <div class="faq-item">
+        <h3>What if I need help?</h3>
+        <p>Our support team is available 24/7 through the live chat feature inside the app. You can also send a message through your account and we'll respond within minutes.</p>
+      </div>
+      <div class="faq-item">
+        <h3>Can I cash out my tokens?</h3>
+        <p>Yes. You can request a cashout through your account and receive your funds via your preferred payment method. Cashouts are processed by our team promptly.</p>
+      </div>
+    </div>
+    <div style="margin-top:36px;text-align:center">
+      <a href="https://tomtomgames.com/" class="cta-btn">Get Started — Create Free Account</a>
+    </div>
+  </div>
+</section>
+
+<footer>
+  <div class="wrap">
+    <p><strong style="color:#777">TomTomGames</strong> — Your trusted token portal for fish table and skill games.</p>
+    <p style="margin-top:8px"><a href="https://tomtomgames.com/">Home</a> · <a href="https://tomtomgames.com/games/">Games</a> · <a href="https://tomtomgames.com/">Support</a></p>
+    <p style="margin-top:12px">© <?= date('Y') ?> TomTomGames. All rights reserved. Game tokens are for entertainment purposes on supported platforms only. Please play responsibly.</p>
+  </div>
+</footer>
+
+</body>
+</html>
diff --git a/get_location.php b/get_location.php
new file mode 100644
index 0000000..cac2f09
--- /dev/null
+++ b/get_location.php
@@ -0,0 +1,108 @@
+<?php
+/**
+ * TomGames — Square Location ID Finder
+ * Upload this file, visit it in your browser ONCE to get your Location ID.
+ * Then paste the ID into includes/config.php and DELETE this file.
+ */
+
+$token = 'EAAAl1ECweOVgNiwhC2SuA56QFjlfRLkYxo4xe4r2fMLvqwLT0IKGUZNNOYy1NXn';
+$locations = [];
+$error = '';
+
+$ch = curl_init('https://connect.squareup.com/v2/locations');
+curl_setopt_array($ch, [
+    CURLOPT_RETURNTRANSFER => true,
+    CURLOPT_HTTPHEADER => [
+        'Authorization: Bearer ' . $token,
+        'Square-Version: 2024-01-18',
+        'Content-Type: application/json',
+    ],
+    CURLOPT_TIMEOUT => 15,
+]);
+$resp = curl_exec($ch);
+$code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+curl_close($ch);
+
+if ($code === 200) {
+    $data = json_decode($resp, true);
+    $locations = $data['locations'] ?? [];
+} else {
+    $error = "HTTP $code: " . htmlspecialchars($resp);
+}
+?>
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Square Location ID Finder</title>
+<style>
+body{font-family:'Segoe UI',sans-serif;background:#0a0a12;color:#e8e8f0;max-width:600px;margin:40px auto;padding:20px}
+h1{font-size:22px;background:linear-gradient(135deg,#f0c040,#00e5ff);-webkit-background-clip:text;-webkit-text-fill-color:transparent;margin-bottom:6px}
+.sub{color:#8888aa;font-size:13px;margin-bottom:28px}
+.loc{background:#1a1a2e;border:1px solid rgba(255,255,255,.1);border-radius:12px;padding:20px;margin-bottom:16px}
+.loc-name{font-size:18px;font-weight:700;color:#e8e8f0;margin-bottom:6px}
+.loc-id-wrap{display:flex;align-items:center;gap:10px;margin:10px 0}
+.loc-id{font-family:monospace;font-size:18px;font-weight:700;color:#f0c040;background:#0a0a12;border:1px solid rgba(240,192,64,.4);border-radius:8px;padding:10px 16px;flex:1;letter-spacing:1px}
+.copy-btn{padding:10px 16px;background:linear-gradient(135deg,#f0c040,#d4a017);border:none;border-radius:8px;color:#000;font-weight:700;font-size:13px;cursor:pointer}
+.copy-btn:hover{opacity:.9}
+.loc-meta{font-size:12px;color:#8888aa;margin-top:6px}
+.next{background:rgba(0,229,255,.08);border:1px solid rgba(0,229,255,.2);border-radius:12px;padding:18px;margin-top:24px}
+.next h2{color:#00e5ff;font-size:15px;margin-bottom:10px}
+.next ol{padding-left:18px;line-height:2;color:#c0c0d8;font-size:13px}
+.next code{background:#0a0a12;border:1px solid rgba(255,255,255,.15);border-radius:4px;padding:2px 7px;font-family:monospace;color:#f0c040}
+.err{background:rgba(255,68,68,.1);border:1px solid rgba(255,68,68,.3);border-radius:10px;padding:16px;color:#ff6666}
+.warn{background:rgba(255,214,10,.08);border:1px solid rgba(255,214,10,.2);border-radius:8px;padding:12px;margin-top:20px;font-size:12px;color:#ffd60a}
+</style>
+</head>
+<body>
+<h1>🔑 Square Location Finder</h1>
+<div class="sub">TomGames — Run once, then delete this file</div>
+
+<?php if ($error): ?>
+  <div class="err"><strong>Error fetching locations:</strong><br><?= $error ?></div>
+<?php elseif (empty($locations)): ?>
+  <div class="err">No locations found on this Square account.</div>
+<?php else: ?>
+  <p style="color:#8888aa;font-size:13px;margin-bottom:16px">Found <?= count($locations) ?> location(s). Copy the ID for your main location:</p>
+  <?php foreach ($locations as $loc): ?>
+  <div class="loc">
+    <div class="loc-name"><?= htmlspecialchars($loc['name']) ?> <?= $loc['status'] === 'ACTIVE' ? '✅' : '⚠️ ' . $loc['status'] ?></div>
+    <div class="loc-id-wrap">
+      <div class="loc-id" id="id-<?= $loc['id'] ?>"><?= htmlspecialchars($loc['id']) ?></div>
+      <button class="copy-btn" onclick="copyId('<?= $loc['id'] ?>', this)">COPY</button>
+    </div>
+    <div class="loc-meta">
+      <?= htmlspecialchars($loc['address']['address_line_1'] ?? '') ?>
+      <?= htmlspecialchars($loc['address']['city'] ?? '') ?> ·
+      Currency: <?= htmlspecialchars($loc['currency'] ?? 'USD') ?> ·
+      Country: <?= htmlspecialchars($loc['country'] ?? '—') ?>
+    </div>
+  </div>
+  <?php endforeach; ?>
+
+  <div class="next">
+    <h2>📋 Next Steps</h2>
+    <ol>
+      <li>Copy your Location ID above</li>
+      <li>Open <code>includes/config.php</code></li>
+      <li>Replace <code>YOUR_LOCATION_ID</code> with your copied ID</li>
+      <li>Also update <code>DB_PASS</code> with your MySQL password</li>
+      <li><strong>Delete this file from your server!</strong></li>
+    </ol>
+  </div>
+<?php endif; ?>
+
+<div class="warn">⚠️ <strong>Security:</strong> Delete <code>get_location.php</code> from your server after use. It exposes your access token.</div>
+
+<script>
+function copyId(id, btn) {
+  navigator.clipboard.writeText(id).then(() => {
+    btn.textContent = 'COPIED!';
+    btn.style.background = '#00e676';
+    setTimeout(() => { btn.textContent = 'COPY'; btn.style.background = ''; }, 2000);
+  });
+}
+</script>
+</body>
+</html>
diff --git a/index.php b/index.php
new file mode 100644
index 0000000..3d222b7
--- /dev/null
+++ b/index.php
@@ -0,0 +1,3283 @@
+<?php
+ob_start();
+require_once __DIR__ . '/../includes/config.php';
+require_once __DIR__ . '/../includes/square.php';
+ob_end_clean();
+$_appVersion = '1.0.2';
+?>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+  <link rel="icon" type="image/svg+xml" href="/favicon.svg">
+  <link rel="icon" type="image/x-icon" href="/favicon.ico">
+<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">
+<meta name="apple-mobile-web-app-capable" content="yes">
+<meta name="mobile-web-app-capable" content="yes">
+<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
+<meta name="theme-color" content="#0a0a12">
+
+<!-- ═══ PRIMARY SEO ═══════════════════════════════════════════ -->
+<title>TomTomGames — Buy Game Tokens | VBlink777, Fire Kirin, Milky Way &amp; More</title>
+<meta name="description" content="TomTomGames is your trusted token portal for top fish table and skill games. Buy tokens instantly for VBlink777, Fire Kirin, Milky Way, Ultra Panda, Panda Master, Noble777 &amp; eGame99. Fast deposits, secure payments, 24/7 support.">
+<meta name="keywords" content="buy game tokens, fish table games, VBlink777 tokens, Fire Kirin tokens, Milky Way game, Ultra Panda game, Panda Master tokens, Noble777, eGame99, online skill games, token portal, game credits">
+<meta name="robots" content="index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1">
+<meta name="author" content="TomTomGames">
+<link rel="canonical" href="https://tomtomgames.com/">
+
+<!-- ═══ OPEN GRAPH (Facebook, Discord, iMessage) ═══════════════ -->
+<meta property="og:type" content="website">
+<meta property="og:url" content="https://tomtomgames.com/">
+<meta property="og:title" content="TomTomGames — Buy Game Tokens Instantly">
+<meta property="og:description" content="The fastest way to buy tokens for VBlink777, Fire Kirin, Milky Way, Ultra Panda, Panda Master, Noble777 &amp; eGame99. Secure payments, instant delivery.">
+<meta property="og:image" content="https://tomtomgames.com/assets/img/og-image.png">
+<meta property="og:image:width" content="1200">
+<meta property="og:image:height" content="630">
+<meta property="og:site_name" content="TomTomGames">
+<meta property="og:locale" content="en_US">
+
+<!-- ═══ TWITTER / X CARD ══════════════════════════════════════ -->
+<meta name="twitter:card" content="summary_large_image">
+<meta name="twitter:title" content="TomTomGames — Buy Game Tokens Instantly">
+<meta name="twitter:description" content="Buy tokens for Fish Table games — VBlink777, Fire Kirin, Milky Way &amp; more. Fast, secure, 24/7.">
+<meta name="twitter:image" content="https://tomtomgames.com/assets/img/og-image.png">
+
+<!-- ═══ STRUCTURED DATA (JSON-LD Schema) ═══════════════════════ -->
+<script type="application/ld+json">
+{
+  "@context": "https://schema.org",
+  "@graph": [
+    {
+      "@type": "Organization",
+      "@id": "https://tomtomgames.com/#organization",
+      "name": "TomTomGames",
+      "url": "https://tomtomgames.com",
+      "logo": {
+        "@type": "ImageObject",
+        "url": "https://tomtomgames.com/assets/img/logo-icon.svg"
+      },
+      "contactPoint": {
+        "@type": "ContactPoint",
+        "contactType": "customer support",
+        "availableLanguage": "English"
+      },
+      "sameAs": []
+    },
+    {
+      "@type": "WebSite",
+      "@id": "https://tomtomgames.com/#website",
+      "url": "https://tomtomgames.com",
+      "name": "TomTomGames",
+      "description": "Token portal for fish table and skill games including VBlink777, Fire Kirin, Milky Way, Ultra Panda, Panda Master, Noble777 and eGame99.",
+      "publisher": {"@id": "https://tomtomgames.com/#organization"},
+      "potentialAction": {
+        "@type": "SearchAction",
+        "target": "https://tomtomgames.com/?q={search_term_string}",
+        "query-input": "required name=search_term_string"
+      }
+    },
+    {
+      "@type": "WebApplication",
+      "@id": "https://tomtomgames.com/#app",
+      "name": "TomTomGames Token Portal",
+      "url": "https://tomtomgames.com",
+      "applicationCategory": "GameApplication",
+      "operatingSystem": "Web, iOS, Android",
+      "description": "Buy and manage game tokens for popular fish table games. Supports VBlink777, Fire Kirin, Milky Way, Ultra Panda, Panda Master, Noble777, and eGame99.",
+      "offers": {
+        "@type": "AggregateOffer",
+        "priceCurrency": "USD",
+        "lowPrice": "5",
+        "highPrice": "500",
+        "offerCount": "6"
+      },
+      "featureList": [
+        "Instant token delivery",
+        "Secure Square payments",
+        "24/7 support chat",
+        "Multiple game platforms supported",
+        "Mobile-first design"
+      ]
+    },
+    {
+      "@type": "FAQPage",
+      "mainEntity": [
+        {
+          "@type": "Question",
+          "name": "What games does TomTomGames support?",
+          "acceptedAnswer": {
+            "@type": "Answer",
+            "text": "TomTomGames supports VBlink777, Fire Kirin, Milky Way, Ultra Panda, Panda Master, Noble777, and eGame99 fish table and skill game platforms."
+          }
+        },
+        {
+          "@type": "Question",
+          "name": "How do I buy game tokens?",
+          "acceptedAnswer": {
+            "@type": "Answer",
+            "text": "Create an account, select your game platform, choose a token package (5 to 100+ tokens), and pay securely by credit card, Venmo, Cash App, Chime, or Zelle. Tokens are credited to your account instantly after payment."
+          }
+        },
+        {
+          "@type": "Question",
+          "name": "How fast are tokens delivered?",
+          "acceptedAnswer": {
+            "@type": "Answer",
+            "text": "Card payments are processed instantly. Manual payments via Venmo, Zelle, Cash App, or Chime are credited within minutes after we confirm receipt."
+          }
+        },
+        {
+          "@type": "Question",
+          "name": "Is TomTomGames safe?",
+          "acceptedAnswer": {
+            "@type": "Answer",
+            "text": "Yes. All card transactions are processed through Square, a PCI-compliant payment processor. We never store your full card details."
+          }
+        }
+      ]
+    }
+  ]
+}
+</script>
+
+<!-- ═══ PWA / APP META ════════════════════════════════════════ -->
+<link rel="manifest" href="/manifest.json">
+<link href="https://fonts.googleapis.com/css2?family=Exo+2:wght@400;600;700;900&family=Rajdhani:wght@400;500;600;700&display=swap" rel="stylesheet">
+<style>
+*,*::before,*::after{box-sizing:border-box;margin:0;padding:0}
+:root{
+  --bg:#0a0a12;--bg2:#10101e;--bg3:#181828;--card:#1a1a2e;
+  --border:rgba(255,255,255,0.07);--gold:#f0c040;--gold2:#ffdc73;
+  --cyan:#00e5ff;--purple:#9b5de5;--green:#00e676;--red:#ff4444;
+  --yellow:#ffd60a;--text:#e8e8f0;--text2:#8888aa;
+  --radius:16px;--rsm:10px;
+  /* ── Typography Scale ── */
+  --fs-xs:11px;--fs-sm:13px;--fs-base:15px;--fs-md:16px;
+  --fs-lg:18px;--fs-xl:20px;--fs-2xl:24px;--fs-3xl:28px;
+  --lh:1.6;--lh-tight:1.3;
+  --glow-gold:0 0 20px rgba(240,192,64,0.4);
+  --max:480px;--nav-h:64px
+}
+html{-webkit-tap-highlight-color:transparent}
+body{background:var(--bg);color:var(--text);font-family:'Rajdhani',sans-serif;font-size:17px;min-height:100dvh;overflow-x:hidden;-webkit-overflow-scrolling:touch}
+body::before{content:'';position:fixed;inset:0;background-image:linear-gradient(rgba(0,229,255,0.03) 1px,transparent 1px),linear-gradient(90deg,rgba(0,229,255,0.03) 1px,transparent 1px);background-size:40px 40px;pointer-events:none;z-index:0}
+
+/* AUTH */
+.auth-screen{display:flex;flex-direction:column;min-height:100vh;min-height:100dvh;background:var(--bg);padding:40px 24px 32px;max-width:var(--max);margin:0 auto;width:100%}
+.auth-logo{text-align:center;margin-bottom:36px}
+.auth-logo-text{font-family:'Exo 2',sans-serif;font-weight:900;font-size:32px;display:flex;align-items:center;justify-content:center;gap:12px}.auth-logo-text span{background:linear-gradient(135deg,var(--gold),var(--cyan));-webkit-background-clip:text;-webkit-text-fill-color:transparent}
+.auth-logo-sub{font-size:15px;color:var(--text2);margin-top:4px;letter-spacing:1px}
+.auth-tabs{display:flex;margin-bottom:24px;background:var(--bg3);border-radius:var(--rsm);padding:4px}
+.auth-tab{flex:1;padding:11px;border:none;background:none;color:var(--text2);font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;border-radius:8px;cursor:pointer;transition:all .2s;letter-spacing:.5px}
+.auth-tab.active{background:linear-gradient(135deg,rgba(240,192,64,.15),rgba(0,229,255,.08));color:var(--gold)}
+
+/* MAIN */
+#main-app{display:none;flex-direction:column;min-height:100vh;max-width:var(--max);margin:0 auto;position:relative;z-index:1;padding-bottom:0}
+.topbar{position:sticky;top:0;z-index:100;background:rgba(10,10,18,.96);backdrop-filter:blur(12px);border-bottom:1px solid var(--border);padding:0 16px;height:58px;display:flex;align-items:center;justify-content:space-between}
+.topbar-logo{font-family:'Exo 2',sans-serif;font-weight:900;font-size:18px;display:flex;align-items:center;gap:7px;letter-spacing:.5px}.topbar-logo span{background:linear-gradient(135deg,var(--gold),var(--cyan));-webkit-background-clip:text;-webkit-text-fill-color:transparent}
+.topbar-right{display:flex;align-items:center;gap:10px}
+.token-badge{background:linear-gradient(135deg,#1a1a2e,#252540);border:1px solid var(--gold);border-radius:20px;padding:4px 12px;display:flex;align-items:center;gap:5px;font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:var(--gold2);box-shadow:var(--glow-gold)}
+.avatar-btn{width:34px;height:34px;border-radius:50%;background:linear-gradient(135deg,var(--purple),var(--cyan));border:none;cursor:pointer;font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:#fff;display:flex;align-items:center;justify-content:center}
+
+/* PAGES */
+.page{display:none;padding:16px;padding-bottom:84px}
+/* ─── TOKEN COIN ──────────────────────────────────────────── */
+.token-coin{display:inline-flex;align-items:center;justify-content:center;vertical-align:middle;flex-shrink:0}
+.token-coin svg{display:block}
+
+.page.active{display:block}
+.page.active{display:block;animation:fadeUp .2s ease}
+@keyframes fadeUp{from{opacity:0;transform:translateY(8px)}to{opacity:1;transform:translateY(0)}}
+
+/* NAV */
+.navbar{position:fixed;bottom:0;left:50%;transform:translateX(-50%);width:100%;max-width:var(--max);height:var(--nav-h);background:rgba(10,10,18,.98);backdrop-filter:blur(16px);border-top:1px solid var(--border);display:flex;align-items:center;justify-content:space-around;z-index:100;padding-bottom:env(safe-area-inset-bottom)}
+.nav-btn{flex:1;display:flex;flex-direction:column;align-items:center;justify-content:center;gap:3px;border:none;background:none;color:var(--text2);cursor:pointer;padding:8px 4px;transition:color .2s;font-family:'Rajdhani',sans-serif;font-weight:600;font-size:12px;letter-spacing:.5px}
+.nav-btn svg{width:21px;height:21px}
+.nav-btn.active{color:var(--gold)}
+.nav-btn.active svg{filter:drop-shadow(0 0 5px rgba(240,192,64,.6))}
+
+/* SECTION TITLE */
+.section-title{font-family:'Exo 2',sans-serif;font-weight:700;font-size:18px;margin-bottom:16px;display:flex;align-items:center;gap:8px}
+.section-title span{background:linear-gradient(135deg,var(--gold),var(--cyan));-webkit-background-clip:text;-webkit-text-fill-color:transparent}
+
+/* CARDS */
+.card{background:var(--card);border:1px solid var(--border);border-radius:var(--radius);padding:18px;margin-bottom:14px}
+
+/* HERO BALANCE */
+.hero-balance{background:linear-gradient(135deg,#1a1228,#121a28);border:1px solid rgba(240,192,64,.2);border-radius:var(--radius);padding:22px 20px;text-align:center;margin-bottom:20px;position:relative;overflow:hidden;box-shadow:0 0 0 1px rgba(240,192,64,.15),0 8px 32px rgba(0,0,0,.4)}
+.hero-balance::before{content:'';position:absolute;top:-50px;right:-50px;width:160px;height:160px;background:radial-gradient(circle,rgba(240,192,64,.12) 0%,transparent 70%)}
+.balance-label{font-size:13px;font-weight:700;color:var(--text2);letter-spacing:2px;text-transform:uppercase;margin-bottom:6px}
+.balance-amount{font-family:'Exo 2',sans-serif;font-weight:900;font-size:48px;color:var(--gold);line-height:1;text-shadow:var(--glow-gold)}
+.balance-unit{font-size:15px;color:var(--text2);margin-top:2px;letter-spacing:1px}
+.balance-alias{margin-top:12px;font-size:15px;color:var(--text2)}
+.balance-alias strong{color:var(--cyan)}
+
+/* PLATFORM GRID */
+.platform-grid{display:grid;grid-template-columns:1fr 1fr;gap:10px}
+.platform-card{background:linear-gradient(145deg,#1a1a2e,#111120);border:1px solid var(--border);border-radius:14px;padding:14px 10px 12px;text-align:center;cursor:pointer;transition:all .2s;text-decoration:none;display:flex;flex-direction:column;align-items:center;gap:8px;position:relative;overflow:hidden}
+.platform-card::before{content:'';position:absolute;top:0;left:0;right:0;height:3px;background:var(--p-color);box-shadow:0 0 10px var(--p-color)}
+.platform-card:active{transform:scale(.96)}
+.platform-img-wrap{width:58px;height:58px;border-radius:14px;overflow:hidden;display:flex;align-items:center;justify-content:center;background:rgba(0,0,0,.3);border:1px solid rgba(255,255,255,.08)}
+.platform-img-wrap img{width:58px;height:58px;object-fit:cover}
+.platform-name{font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px;color:var(--text)}
+.play-btn{font-size:12px;color:var(--text2);font-weight:600;letter-spacing:.5px}
+
+/* ─── PAYMENT FORM (milkyswipe style) ─── */
+.pay-form{background:var(--card);border:1px solid var(--border);border-radius:var(--radius);overflow:hidden;margin-bottom:14px}
+.pay-form-header{background:linear-gradient(135deg,#0d1a2e,#0a1220);padding:16px 18px;border-bottom:1px solid var(--border);display:flex;align-items:center;gap:10px}
+.pay-form-icon{width:36px;height:36px;border-radius:10px;background:linear-gradient(135deg,var(--gold),#d4a017);display:flex;align-items:center;justify-content:center;font-size:18px;flex-shrink:0}
+.pay-form-title{font-family:'Exo 2',sans-serif;font-weight:700;font-size:17px;color:var(--text)}
+.pay-form-sub{font-size:14px;color:var(--text2);margin-top:1px}
+.pay-form-body{padding:18px}
+
+/* Package pills */
+.pkg-scroll{display:flex;gap:8px;overflow-x:auto;padding-bottom:4px;margin-bottom:18px;-webkit-overflow-scrolling:touch;scrollbar-width:none}
+.pkg-scroll::-webkit-scrollbar{display:none}
+.pkg-pill{flex-shrink:0;background:var(--bg3);border:1.5px solid var(--border);border-radius:30px;padding:8px 16px;cursor:pointer;transition:all .2s;text-align:center;min-width:72px}
+.pkg-pill.popular{border-color:var(--gold)}
+.pkg-pill.selected{background:linear-gradient(135deg,rgba(240,192,64,.15),rgba(0,229,255,.08));border-color:var(--gold);box-shadow:0 0 12px rgba(240,192,64,.2)}
+.pkg-pill-tokens{font-family:'Exo 2',sans-serif;font-weight:900;font-size:17px;color:var(--gold2)}
+.pkg-pill-price{font-size:13px;color:var(--text2);font-weight:600;margin-top:1px}
+.pkg-pill.popular .pkg-pill-tokens::after{content:' ★';font-size:12px;color:var(--gold)}
+
+/* Amount display */
+.amount-display{background:var(--bg3);border:1px solid var(--border);border-radius:var(--rsm);padding:14px 16px;margin-bottom:14px;display:flex;align-items:center;justify-content:space-between}
+.amount-display-label{font-size:14px;color:var(--text2);font-weight:700;text-transform:uppercase;letter-spacing:1px}
+.amount-display-value{font-family:'Exo 2',sans-serif;font-weight:900;font-size:22px;color:var(--gold)}
+
+/* Form fields */
+.fg{margin-bottom:14px}
+.fg label{display:block;font-size:13px;font-weight:700;color:var(--text2);letter-spacing:1px;text-transform:uppercase;margin-bottom:7px}
+.fi{width:100%;background:var(--bg3);border:1.5px solid var(--border);border-radius:var(--rsm);padding:13px 14px;color:var(--text);font-family:'Rajdhani',sans-serif;font-size:17px;font-weight:500;outline:none;transition:border-color .2s;-webkit-appearance:none;appearance:none}
+.fi:focus{border-color:var(--cyan);box-shadow:0 0 0 3px rgba(0,229,255,.08)}
+.fi-select{background-image:url("data:image/svg+xml,%3Csvg xmlns='http://www.w3.org/2000/svg' width='12' height='8'%3E%3Cpath d='M0 0l6 8 6-8z' fill='%238888aa'/%3E%3C/svg%3E");background-repeat:no-repeat;background-position:right 14px center;padding-right:36px}
+.fi-row{display:grid;grid-template-columns:1fr 1fr;gap:12px}
+
+/* Custom token amount */
+.custom-amt-row{background:linear-gradient(135deg,rgba(240,192,64,.06),rgba(0,229,255,.03));border:1.5px dashed rgba(240,192,64,.3);border-radius:var(--rsm);padding:12px 14px;margin-top:8px;display:flex;align-items:center;justify-content:space-between;gap:12px;flex-wrap:wrap}
+.custom-amt-label{font-size:13px;font-weight:700;color:var(--gold);letter-spacing:.5px;margin-bottom:6px}
+.custom-amt-input-wrap{display:flex;align-items:center;background:var(--bg3);border:1.5px solid rgba(240,192,64,.3);border-radius:8px;overflow:hidden}
+.custom-amt-dollar{padding:0 10px;font-family:'Exo 2',sans-serif;font-weight:700;font-size:18px;color:var(--gold);background:rgba(240,192,64,.08);border-right:1px solid rgba(240,192,64,.2)}
+.custom-amt-input{background:transparent;border:none;padding:10px 12px;color:var(--text);font-family:'Exo 2',sans-serif;font-size:18px;font-weight:700;width:110px;outline:none;-moz-appearance:textfield}
+.custom-amt-input::-webkit-outer-spin-button,.custom-amt-input::-webkit-inner-spin-button{-webkit-appearance:none}
+.custom-amt-input::placeholder{color:var(--text2);font-size:15px;font-weight:400}
+.custom-amt-equiv{font-size:15px;color:var(--text2);white-space:nowrap}
+.custom-amt-equiv strong{color:var(--gold2);font-family:'Exo 2',sans-serif;font-size:18px}
+
+/* Order summary box */
+.order-summary{background:linear-gradient(135deg,#1a1228,#0d1820);border:1px solid rgba(240,192,64,.2);border-radius:var(--rsm);padding:14px 16px;margin-bottom:16px}
+.order-summary-row{display:flex;justify-content:space-between;align-items:center;padding:4px 0}
+.order-summary-label{font-size:14px;color:var(--text2);font-weight:600;letter-spacing:.5px}
+.order-summary-val{font-size:15px;color:var(--text);font-weight:600}
+.order-summary-divider{height:1px;background:rgba(255,255,255,.08);margin:8px 0}
+.order-summary-total{font-family:'Exo 2',sans-serif;font-weight:900;font-size:24px;color:var(--gold)}
+
+/* Payment method tabs */
+.pay-method-tabs{display:grid;grid-template-columns:repeat(5,1fr);gap:6px;margin-bottom:16px}
+.pmt{background:var(--bg3);border:1.5px solid var(--border);border-radius:var(--rsm);padding:10px 4px;text-align:center;cursor:pointer;transition:all .2s}
+.pmt.active{border-color:var(--cyan);background:rgba(0,229,255,.06)}
+.pmt-icon{font-size:20px;display:block;margin-bottom:3px}
+.pmt-label{font-size:11px;font-weight:700;color:var(--text2);letter-spacing:.3px;line-height:1.2}
+.pmt.active .pmt-label{color:var(--cyan)}
+
+/* Card container */
+#card-container{background:#fff;border:1.5px solid var(--border);border-radius:var(--rsm);padding:4px;margin-bottom:14px;min-height:90px;overflow:hidden}
+
+/* Manual pay instructions */
+.manual-box{background:linear-gradient(135deg,rgba(0,229,255,.04),rgba(0,0,0,.2));border:1px solid rgba(0,229,255,.15);border-radius:var(--rsm);padding:14px;margin-bottom:14px}
+.manual-box-title{font-weight:700;font-size:15px;color:var(--cyan);margin-bottom:8px;display:flex;align-items:center;gap:6px}
+.manual-step{display:flex;gap:10px;margin-bottom:8px;align-items:flex-start}
+.manual-step-num{width:20px;height:20px;border-radius:50%;background:var(--cyan);color:#000;font-size:13px;font-weight:700;display:flex;align-items:center;justify-content:center;flex-shrink:0;margin-top:1px}
+.manual-step-text{font-size:15px;color:var(--text);line-height:1.5}
+.manual-step-text strong{color:var(--gold2)}
+.manual-step-text .handle{background:rgba(240,192,64,.1);border:1px solid rgba(240,192,64,.3);border-radius:6px;padding:1px 8px;font-family:'Exo 2',sans-serif;font-weight:700;color:var(--gold);font-size:15px;letter-spacing:.5px}
+
+/* Buttons */
+.btn{width:100%;padding:15px;border:none;border-radius:var(--rsm);font-family:'Exo 2',sans-serif;font-weight:700;font-size:16px;letter-spacing:1px;cursor:pointer;transition:all .2s;text-transform:uppercase;display:flex;align-items:center;justify-content:center;gap:8px}
+.btn:active{transform:scale(.98)}
+.btn-gold{background:linear-gradient(135deg,var(--gold),#d4a017);color:#000;box-shadow:0 4px 20px rgba(240,192,64,.4)}
+.btn-outline{background:transparent;border:1.5px solid var(--gold);color:var(--gold)}
+.btn-cyan{background:linear-gradient(135deg,var(--cyan),#0099cc);color:#000;box-shadow:0 4px 20px rgba(0,229,255,.3)}
+.btn-danger{background:linear-gradient(135deg,var(--red),#cc0000);color:#fff}
+.btn-green{background:linear-gradient(135deg,var(--green),#00aa55);color:#000}
+
+/* Alerts */
+.alert{padding:12px 14px;border-radius:var(--rsm);margin-bottom:14px;font-weight:600;font-size:15px;display:none;line-height:1.4}
+.alert.show{display:block}
+.alert-error{background:rgba(255,68,68,.1);border:1px solid rgba(255,68,68,.3);color:var(--red)}
+.alert-success{background:rgba(0,230,118,.1);border:1px solid rgba(0,230,118,.3);color:var(--green)}
+.alert-info{background:rgba(0,229,255,.08);border:1px solid rgba(0,229,255,.2);color:var(--cyan)}
+
+/* Divider */
+.divider{display:flex;align-items:center;gap:10px;margin:18px 0;color:var(--text2);font-size:13px;font-weight:700;letter-spacing:1px}
+.divider::before,.divider::after{content:'';flex:1;height:1px;background:var(--border)}
+
+/* Cashout items */
+.cashout-item{background:var(--bg3);border:1px solid var(--border);border-radius:var(--rsm);padding:13px 14px;margin-bottom:8px;display:flex;align-items:center;justify-content:space-between;gap:8px}
+.badge{display:inline-block;font-size:12px;font-weight:700;padding:3px 9px;border-radius:20px;letter-spacing:.3px}
+.badge-pending{background:rgba(255,214,10,.15);color:var(--yellow)}
+.badge-approved{background:rgba(0,230,118,.15);color:var(--green)}
+.badge-rejected{background:rgba(255,68,68,.15);color:var(--red)}
+.badge-completed{background:rgba(0,229,255,.15);color:var(--cyan)}
+
+/* Profile */
+.profile-header{text-align:center;padding:20px 0 14px}
+.profile-avatar{width:76px;height:76px;border-radius:50%;background:linear-gradient(135deg,var(--purple),var(--cyan));display:flex;align-items:center;justify-content:center;font-family:'Exo 2',sans-serif;font-weight:900;font-size:30px;margin:0 auto 10px;border:3px solid var(--gold);box-shadow:var(--glow-gold)}
+
+/* Modal */
+.modal-overlay{display:none;position:fixed;inset:0;background:rgba(0,0,0,.85);z-index:200;align-items:flex-end;backdrop-filter:blur(4px)}
+.modal-overlay.show{display:flex}
+.modal-sheet{background:var(--bg2);border-radius:22px 22px 0 0;border-top:1px solid var(--border);padding:20px;width:100%;max-width:var(--max);margin:0 auto;max-height:90dvh;overflow-y:auto;animation:slideUp .3s ease}
+@keyframes slideUp{from{transform:translateY(100%)}to{transform:translateY(0)}}
+.modal-handle{width:40px;height:4px;background:var(--border);border-radius:2px;margin:0 auto 18px}
+
+/* Spinner */
+.spinner{width:18px;height:18px;border:2px solid rgba(255,255,255,.2);border-top-color:currentColor;border-radius:50%;animation:spin .8s linear infinite;display:inline-block;flex-shrink:0}
+@keyframes spin{to{transform:rotate(360deg)}}
+
+/* Order ref badge */
+.ref-badge{background:rgba(240,192,64,.1);border:1px solid rgba(240,192,64,.3);border-radius:8px;padding:10px 14px;margin-bottom:14px;font-size:15px;color:var(--text2)}
+.ref-badge strong{color:var(--gold2);font-family:'Exo 2',sans-serif}
+
+/* ─── PROFILE TABS ───────────────────────────────────── */
+.form-label{font-size:13px;font-weight:700;color:var(--text2);letter-spacing:1px;text-transform:uppercase;margin-bottom:6px;display:block}
+.profile-tabs{display:flex;flex-wrap:wrap;gap:3px;background:var(--bg3);border-radius:var(--rsm);padding:4px;margin-bottom:14px}
+.profile-tab{flex:1 1 calc(25% - 3px);min-width:72px;padding:10px 4px;border:none;background:none;color:var(--text2);font-family:'Exo 2',sans-serif;font-weight:700;font-size:13px;border-radius:8px;cursor:pointer;transition:all .2s;text-align:center}
+.profile-tab.active{background:linear-gradient(135deg,rgba(240,192,64,.15),rgba(0,229,255,.08));color:var(--gold)}
+.profile-tab-panel{display:none}
+.profile-tab-panel.active{display:block;animation:fadeUp .2s ease}
+
+/* ─── SAVED CARD CHIP ────────────────────────────────── */
+.saved-card-chip{background:linear-gradient(135deg,#1c1c3a,#2d1b69);border-radius:16px;padding:20px;margin-bottom:12px;position:relative;overflow:hidden;border:1px solid rgba(255,255,255,.1)}
+.saved-card-chip::before{content:'';position:absolute;top:-40px;right:-40px;width:140px;height:140px;border-radius:50%;background:rgba(255,255,255,.04)}
+.saved-card-chip-top{display:flex;justify-content:space-between;align-items:center;margin-bottom:24px}
+.saved-card-brand{font-family:'Exo 2',sans-serif;font-weight:900;font-size:18px;color:#fff;letter-spacing:2px;text-transform:uppercase}
+.saved-card-number{font-family:'Courier New',monospace;font-size:18px;font-weight:700;color:#fff;letter-spacing:4px;margin-bottom:20px}
+.saved-card-bottom{display:flex;justify-content:space-between;color:#fff}
+
+/* ─── PAYMENT PROCESSING OVERLAY ─────────────────────── */
+@keyframes rotateRing{to{transform:rotate(360deg)}}
+@keyframes pulseIcon{0%,100%{transform:scale(1)}50%{transform:scale(1.08)}}
+@keyframes stepFadeIn{from{opacity:0;transform:translateX(-8px)}to{opacity:1;transform:translateX(0)}}
+@keyframes successBurst{0%{transform:scale(.5);opacity:0}60%{transform:scale(1.1)}100%{transform:scale(1);opacity:1}}
+
+.pay-proc-ring{width:110px;height:110px;position:relative;margin-bottom:28px;flex-shrink:0}
+.pay-proc-spinner{position:absolute;inset:0;border-radius:50%;border:3px solid rgba(240,192,64,.15);border-top-color:var(--gold);border-right-color:var(--gold);animation:rotateRing 1s linear infinite}
+.pay-proc-icon{position:absolute;inset:0;display:flex;align-items:center;justify-content:center;font-size:40px;animation:pulseIcon 2s ease infinite}
+.pay-proc-title{font-family:'Exo 2',sans-serif;font-weight:900;font-size:24px;color:var(--text);margin-bottom:8px;text-align:center}
+.pay-proc-sub{font-size:15px;color:var(--text2);margin-bottom:32px;text-align:center}
+.pay-proc-steps{display:flex;flex-direction:column;gap:10px;width:100%;max-width:260px}
+.pay-proc-step{font-size:15px;font-weight:600;color:rgba(255,255,255,.2);padding:8px 14px;border-radius:8px;transition:all .4s;display:flex;align-items:center;gap:8px}
+.pay-proc-step.active{color:var(--text);background:rgba(240,192,64,.08);border-left:3px solid var(--gold);animation:stepFadeIn .3s ease}
+.pay-proc-step.done{color:var(--green);background:rgba(0,230,118,.06)}
+
+/* ─── PAYMENT RESULT OVERLAY ─────────────────────────── */
+.pay-result-wrap{text-align:center;width:100%;max-width:380px}
+.pay-result-icon{font-size:80px;margin-bottom:20px;display:block;animation:successBurst .5s ease}
+.pay-result-title{font-family:'Exo 2',sans-serif;font-weight:900;font-size:28px;margin-bottom:8px}
+.pay-result-title.success{background:linear-gradient(135deg,var(--gold),var(--green));-webkit-background-clip:text;-webkit-text-fill-color:transparent}
+.pay-result-title.error{color:var(--red)}
+.pay-result-title.pending{color:var(--gold)}
+.pay-balance-bump{font-family:'Exo 2',sans-serif;font-weight:900;font-size:56px;color:var(--gold);line-height:1;margin:12px 0;text-shadow:0 0 30px rgba(240,192,64,.5)}
+.pay-result-detail{background:rgba(255,255,255,.04);border:1px solid var(--border);border-radius:12px;padding:14px;margin:16px 0;font-size:15px;color:var(--text2);line-height:1.8;text-align:left}
+.pay-result-detail strong{color:var(--text)}
+.pay-result-btns{display:flex;flex-direction:column;gap:10px;margin-top:20px}
+
+/* ─── GAME ALIAS CARDS ────────────────────────────────── */
+.game-alias-card{background:var(--card);border:1px solid var(--border);border-radius:var(--rsm);padding:12px 14px;margin-bottom:10px;display:flex;align-items:center;gap:12px}
+.game-alias-dot{width:10px;height:10px;border-radius:50%;flex-shrink:0}
+.game-alias-name{font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:var(--text);margin-bottom:5px}
+.game-alias-input{width:100%;background:var(--bg3);border:1px solid var(--border);border-radius:8px;padding:8px 12px;color:var(--text);font-family:'Rajdhani',sans-serif;font-size:15px;outline:none;transition:border-color .15s;box-sizing:border-box}
+.game-alias-input:focus{border-color:var(--cyan)}
+.game-alias-input::placeholder{color:var(--text2)}
+
+/* ─── ACTIVITY DASHBOARD ──────────────────────────────── */
+.activity-ftab{background:var(--bg3);border:1px solid var(--border);color:var(--text2);border-radius:20px;padding:6px 14px;font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px;cursor:pointer;white-space:nowrap;transition:all .15s;flex-shrink:0}
+.activity-ftab.active{background:rgba(240,192,64,.12);border-color:rgba(240,192,64,.35);color:var(--gold)}
+.activity-card{background:var(--bg3);border:1px solid var(--border);border-radius:var(--rsm);padding:12px 14px;margin-bottom:8px;display:flex;gap:12px;align-items:flex-start;transition:border-color .2s}
+.activity-card:hover{border-color:rgba(255,255,255,.12)}
+.activity-icon{width:36px;height:36px;border-radius:50%;display:flex;align-items:center;justify-content:center;font-size:17px;flex-shrink:0}
+.activity-body{flex:1;min-width:0}
+.activity-title{font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:var(--text);margin-bottom:2px}
+.activity-meta{font-size:13px;color:var(--text2)}
+.activity-status{display:inline-block;font-size:12px;font-weight:700;letter-spacing:.4px;text-transform:uppercase;border-radius:4px;padding:2px 7px;margin-top:4px}
+.ac-pending{background:rgba(240,192,64,.12);color:var(--gold)}
+.ac-locked{background:rgba(0,229,255,.1);color:var(--cyan)}
+.ac-completed,.ac-sent,.ac-approved{background:rgba(0,230,118,.1);color:var(--green)}
+.ac-rejected,.ac-failed,.ac-deleted{background:rgba(255,68,68,.1);color:var(--red)}
+.ac-new{background:rgba(240,192,64,.15);color:var(--gold)}
+.ac-read{background:rgba(255,255,255,.06);color:var(--text2)}
+.activity-amount{font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;text-align:right;flex-shrink:0}
+.summary-pill{background:var(--bg3);border:1px solid var(--border);border-radius:8px;padding:6px 12px;font-size:14px;font-family:'Exo 2',sans-serif;font-weight:700;white-space:nowrap}
+
+/* ─── CASHOUT REQUEST CARDS ───────────────────────────── */
+.co-card{background:var(--card);border:1px solid var(--border);border-radius:var(--rsm);padding:14px;margin-bottom:10px;transition:border-color .2s}
+.co-card.pending{border-color:rgba(240,192,64,.25)}
+.co-card.locked{border-color:rgba(0,229,255,.25);background:linear-gradient(135deg,rgba(0,229,255,.03),var(--card))}
+.co-card.sent,.co-card.approved{border-color:rgba(0,230,118,.25)}
+.co-card.rejected{border-color:rgba(255,68,68,.2);opacity:.75}
+.co-card.deleted{opacity:.45}
+.co-status-pill{display:inline-block;font-size:12px;font-weight:700;letter-spacing:.5px;text-transform:uppercase;border-radius:4px;padding:3px 8px;margin-left:8px}
+.co-status-pending{background:rgba(240,192,64,.12);color:var(--gold)}
+.co-status-locked{background:rgba(0,229,255,.1);color:var(--cyan)}
+.co-status-sent,.co-status-approved{background:rgba(0,230,118,.1);color:var(--green)}
+.co-status-rejected{background:rgba(255,68,68,.1);color:var(--red)}
+.co-status-deleted{background:rgba(255,255,255,.05);color:var(--text2)}
+.co-edit-row{display:flex;gap:6px;margin-top:10px;flex-wrap:wrap}
+
+/* ─── REFERRAL STYLES ─────────────────────────────────── */
+.ref-share-btn{border-radius:8px;padding:8px 14px;font-size:14px;font-weight:700;cursor:pointer;white-space:nowrap;transition:opacity .15s}
+.ref-share-btn:hover{opacity:.8}
+.ref-status-pending{color:var(--gold)}
+.ref-status-verified{color:var(--green)}
+.ref-status-denied{color:var(--red)}
+
+/* ─── PLATFORM ACCOUNTS ───────────────────────────────── */
+.pa-card{background:var(--bg3);border:1px solid var(--border);border-radius:var(--rsm);padding:14px;margin-bottom:10px}
+.pa-card.approved{border-color:rgba(0,230,118,.3);background:rgba(0,230,118,.03)}
+.pa-card.pending{border-color:rgba(240,192,64,.2)}
+.pa-card.denied{border-color:rgba(255,68,68,.2);opacity:.75}
+.pa-cred-box{background:var(--bg);border:1px solid var(--border);border-radius:8px;padding:10px 14px;margin-top:10px;font-family:monospace;font-size:15px}
+.pa-cred-row{display:flex;justify-content:space-between;align-items:center;margin-bottom:4px}
+.pa-cred-label{font-size:12px;font-weight:700;text-transform:uppercase;letter-spacing:.5px;color:var(--text2)}
+.pa-cred-val{font-size:15px;font-weight:700;color:var(--green)}
+.pa-cred-pass{filter:blur(4px);transition:filter .2s;cursor:pointer;user-select:all}
+.pa-cred-pass:hover,.pa-cred-pass.revealed{filter:none}
+/* Onboarding modal */
+#onboarding-modal{position:fixed;inset:0;background:rgba(0,0,0,.85);z-index:900;display:flex;align-items:center;justify-content:center;padding:20px}
+.onboarding-box{background:var(--bg3);border:1px solid rgba(240,192,64,.3);border-radius:16px;padding:28px 24px;max-width:420px;width:100%;text-align:center}
+.onboarding-title{font-family:'Exo 2',sans-serif;font-weight:900;font-size:22px;color:var(--gold);margin-bottom:10px}
+.onboarding-sub{font-size:15px;color:var(--text2);margin-bottom:24px;line-height:1.6}
+
+/* ─── BROADCAST STYLES ────────────────────────────────── */
+.bc-card{background:var(--card);border:1px solid var(--border);border-radius:var(--rsm);margin-bottom:12px;overflow:hidden;transition:border-color .2s}
+.bc-card.unread{border-color:rgba(240,192,64,.3);background:linear-gradient(135deg,rgba(240,192,64,.04),var(--card))}
+.bc-header{padding:14px 16px 10px;display:flex;gap:10px;align-items:flex-start}
+.bc-avatar{width:38px;height:38px;border-radius:50%;background:linear-gradient(135deg,var(--gold),#d4a017);display:flex;align-items:center;justify-content:center;font-size:18px;flex-shrink:0}
+.bc-subject{font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:var(--text)}
+.bc-meta{font-size:13px;color:var(--text2);margin-top:2px}
+.bc-body{padding:0 16px 12px;font-size:15px;color:var(--text2);line-height:1.6;white-space:pre-wrap}
+.bc-footer{padding:8px 16px;border-top:1px solid var(--border);display:flex;gap:10px;align-items:center}
+.bc-reply-wrap{padding:0 16px 14px;display:none}
+.bc-reply-wrap.open{display:block}
+.bc-replies-list{max-height:220px;overflow-y:auto;margin-bottom:10px}
+.bc-reply-row{display:flex;gap:8px;margin-bottom:8px}
+.bc-reply-bubble{background:var(--bg3);border:1px solid var(--border);border-radius:8px;padding:8px 12px;flex:1}
+.bc-reply-who{font-size:13px;font-weight:700;color:var(--cyan);margin-bottom:3px}
+.bc-reply-who.admin{color:var(--gold)}
+.bc-reply-msg{font-size:15px;color:var(--text)}
+
+/* ─── CHAT STYLES ─────────────────────────────────────── */
+@keyframes pulse2{from{opacity:.5}to{opacity:1}}
+@keyframes dotBounce{0%,60%,100%{transform:translateY(0)}30%{transform:translateY(-6px)}}
+
+.chat-header-avatar{width:40px;height:40px;border-radius:50%;background:linear-gradient(135deg,var(--gold),#d4a017);display:flex;align-items:center;justify-content:center;flex-shrink:0;box-shadow:var(--glow-gold)}
+.chat-status-dot{display:inline-block;width:7px;height:7px;border-radius:50%;background:var(--green);margin-right:4px;animation:pulse2 2s ease infinite alternate}
+
+/* Quick reply chips */
+.chat-quick-replies{display:flex;flex-wrap:wrap;gap:8px;padding:8px 14px 4px;flex-shrink:0}
+.chat-chip{background:rgba(240,192,64,.08);border:1px solid rgba(240,192,64,.25);border-radius:20px;padding:7px 14px;color:var(--gold);font-family:'Exo 2',sans-serif;font-weight:600;font-size:14px;cursor:pointer;transition:all .15s;white-space:nowrap}
+.chat-chip:active{background:rgba(240,192,64,.18);transform:scale(.97)}
+
+/* Loading dots */
+.chat-loading{display:flex;justify-content:center;align-items:center;padding:30px;color:var(--text2);font-size:15px}
+.chat-loading-dots{display:flex;gap:5px}
+.chat-loading-dots span{width:8px;height:8px;border-radius:50%;background:var(--text2);animation:dotBounce 1.2s ease infinite}
+.chat-loading-dots span:nth-child(2){animation-delay:.2s}
+.chat-loading-dots span:nth-child(3){animation-delay:.4s}
+
+/* Send button pulse when has text */
+.chat-send-btn.has-text{background:linear-gradient(135deg,var(--cyan),#0088cc);box-shadow:0 0 16px rgba(0,229,255,.35)}
+#page-chat{display:none;flex-direction:column;padding:0;padding-bottom:0;position:fixed;top:0;left:0;right:0;bottom:var(--nav-h);max-width:var(--max);margin:0 auto;overflow:hidden;z-index:10}
+#page-chat.active{display:flex}
+.chat-header{display:flex;align-items:center;gap:12px;padding:12px 16px;background:rgba(16,16,30,.98);border-bottom:1px solid var(--border);flex-shrink:0}
+.chat-header-avatar{width:40px;height:40px;border-radius:50%;background:linear-gradient(135deg,var(--gold),#d4a017);display:flex;align-items:center;justify-content:center;font-family:'Exo 2',sans-serif;font-weight:900;font-size:18px;color:#000;flex-shrink:0;box-shadow:var(--glow-gold)}
+.chat-header-name{font-family:'Exo 2',sans-serif;font-weight:700;font-size:16px;color:var(--text)}
+.chat-header-status{font-size:13px;color:var(--green);font-weight:600;margin-top:2px}
+.chat-messages{flex:1;overflow-y:auto;padding:16px;display:flex;flex-direction:column;gap:8px;-webkit-overflow-scrolling:touch;padding-bottom:8px}
+.chat-loading{color:var(--text2);font-size:15px;text-align:center;padding:20px}
+.chat-bubble-wrap{display:flex;flex-direction:column;max-width:78%}
+.chat-bubble-wrap.mine{align-self:flex-end;align-items:flex-end}
+.chat-bubble-wrap.theirs{align-self:flex-start;align-items:flex-start}
+.chat-bubble{padding:10px 14px;border-radius:18px;font-size:15px;line-height:1.45;word-break:break-word;position:relative}
+.chat-bubble.mine{background:linear-gradient(135deg,var(--gold),#d4a017);color:#000;border-bottom-right-radius:4px;font-weight:500}
+.chat-bubble.theirs{background:var(--card);color:var(--text);border:1px solid var(--border);border-bottom-left-radius:4px}
+.chat-time{font-size:12px;color:var(--text2);margin-top:3px;padding:0 4px}
+.chat-date-divider{text-align:center;font-size:13px;color:var(--text2);font-weight:700;letter-spacing:.5px;margin:8px 0;display:flex;align-items:center;gap:8px}
+.chat-date-divider::before,.chat-date-divider::after{content:'';flex:1;height:1px;background:var(--border)}
+.chat-input-bar{display:flex;gap:8px;padding:10px 12px;background:rgba(10,10,18,.98);border-top:1px solid var(--border);flex-shrink:0;padding-bottom:calc(10px + env(safe-area-inset-bottom));padding-bottom:max(10px,calc(10px + env(safe-area-inset-bottom)))}
+.chat-input{flex:1;background:var(--bg3);border:1.5px solid var(--border);border-radius:24px;padding:10px 16px;color:var(--text);font-family:'Rajdhani',sans-serif;font-size:16px;line-height:1.6;outline:none;transition:border-color .2s}
+.chat-input:focus{border-color:var(--cyan)}
+.chat-send-btn{width:42px;height:42px;border-radius:50%;background:linear-gradient(135deg,var(--gold),#d4a017);border:none;cursor:pointer;display:flex;align-items:center;justify-content:center;flex-shrink:0;transition:all .2s;color:#000}
+.chat-send-btn:active{transform:scale(.93)}
+.chat-send-btn svg{stroke:#000}
+.chat-nav-badge{position:absolute;top:4px;right:14px;background:var(--red);color:#fff;font-size:11px;font-weight:700;min-width:16px;height:16px;border-radius:8px;display:flex;align-items:center;justify-content:center;padding:0 4px}
+.chat-empty{text-align:center;padding:40px 20px;color:var(--text2);flex:1;display:flex;flex-direction:column;align-items:center;justify-content:center}
+.chat-empty-icon{font-size:52px;margin-bottom:14px}
+.chat-empty-text{font-size:15px;line-height:1.7}
+.chat-sender-label{font-size:12px;font-weight:700;color:var(--text2);letter-spacing:.5px;text-transform:uppercase;margin-bottom:3px;padding:0 4px}
+
+/* ── Responsive Typography ─────────────────────────────── */
+/* Tablet (≥768px) */
+@media (min-width: 768px) {
+  body { font-size: 17px; }
+  .card { font-size: 16px; padding: 22px; }
+  .page-title { font-size: 26px !important; }
+  .card-title { font-size: 18px; }
+  .btn { font-size: 16px; padding: 14px 24px; }
+  .activity-item { font-size: 15px; }
+}
+/* Desktop (≥1200px) */
+@media (min-width: 1200px) {
+  body { font-size: 18px; }
+  .card { font-size: 17px; padding: 24px; }
+  .page-title { font-size: 28px !important; }
+  .btn { font-size: 17px; }
+}
+</style>
+</head>
+<body>
+
+<!-- AUTH -->
+<!-- ONBOARDING MODAL -->
+<div id="onboarding-overlay" style="display:none;position:fixed;inset:0;background:rgba(0,0,0,.88);z-index:200;overflow-y:auto;padding:20px;-webkit-overflow-scrolling:touch">
+  <div style="max-width:440px;margin:0 auto;background:var(--card);border:1px solid rgba(240,192,64,.25);border-radius:18px;padding:28px 24px;position:relative;top:10%">
+    <div id="ob-step1">
+      <div style="text-align:center;margin-bottom:20px">
+        <div style="font-size:52px;margin-bottom:10px">🎮</div>
+        <div style="font-family:'Exo 2',sans-serif;font-weight:900;font-size:22px;color:var(--gold);margin-bottom:8px">Welcome to TomTomGames!</div>
+        <div style="font-size:14px;color:var(--text2);line-height:1.7">Do you already have a username/login<br>on any of our game platforms?</div>
+      </div>
+      <div style="display:flex;flex-direction:column;gap:10px">
+        <button class="btn btn-gold" onclick="obShowStep2()" style="font-size:15px;padding:14px">✅ Yes — I have existing logins</button>
+        <button class="btn" onclick="obRequestNew()" style="background:rgba(0,229,255,.07);border:1px solid rgba(0,229,255,.2);color:var(--cyan);padding:14px;font-size:15px">🆕 No — I want to request new logins</button>
+        <button onclick="obDismiss()" style="background:none;border:none;color:var(--text2);font-size:14px;cursor:pointer;margin-top:2px;padding:8px">Skip for now →</button>
+      </div>
+    </div>
+    <div id="ob-step2" style="display:none">
+      <div style="display:flex;align-items:center;gap:10px;margin-bottom:18px">
+        <button onclick="document.getElementById('ob-step2').style.display='none';document.getElementById('ob-step1').style.display='block';" style="background:none;border:none;color:var(--cyan);cursor:pointer;font-size:22px;padding:0;line-height:1">←</button>
+        <div>
+          <div style="font-family:'Exo 2',sans-serif;font-weight:900;font-size:17px">Request Game Accounts</div>
+          <div style="font-size:14px;color:var(--text2);margin-top:2px">Select platforms — our team will create your logins</div>
+        </div>
+      </div>
+      <div id="ob-platforms-list" style="margin-bottom:14px;max-height:300px;overflow-y:auto"></div>
+      <div id="ob-alert" class="alert" style="margin-bottom:10px"></div>
+      <div style="display:flex;gap:8px">
+        <button class="btn btn-gold" onclick="obSubmitRequests()" style="flex:1">📨 Submit Requests</button>
+        <button class="btn btn-outline" onclick="obDismiss()" style="width:80px;font-size:15px">Done</button>
+      </div>
+    </div>
+  </div>
+</div>
+
+<div id="auth-screen" class="auth-screen" style="display:flex">
+  <div class="auth-logo">
+    <div class="auth-logo-text" style="display:flex;align-items:center;justify-content:center;gap:12px"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 48 48" width="48" height="48" style="display:inline-block;vertical-align:middle;flex-shrink:0"><defs><linearGradient id="al1" x1="0%" y1="0%" x2="100%" y2="100%"><stop offset="0%" stop-color="#f0c040"/><stop offset="100%" stop-color="#ff6b35"/></linearGradient><linearGradient id="al2" x1="0%" y1="0%" x2="100%" y2="100%"><stop offset="0%" stop-color="#00e5ff"/><stop offset="100%" stop-color="#7b2fbe"/></linearGradient><filter id="agl"><feGaussianBlur stdDeviation="1.5" result="b"/><feMerge><feMergeNode in="b"/><feMergeNode in="SourceGraphic"/></feMerge></filter></defs><rect x="6" y="16" width="36" height="22" rx="11" fill="url(#al1)" filter="url(#agl)"/><rect x="12" y="23" width="8" height="3" rx="1.5" fill="rgba(0,0,0,0.45)"/><rect x="15" y="20" width="3" height="8" rx="1.5" fill="rgba(0,0,0,0.45)"/><circle cx="32" cy="22" r="2.2" fill="#e63946" opacity=".9"/><circle cx="36" cy="25" r="2.2" fill="#2ec4b6" opacity=".9"/><circle cx="32" cy="28" r="2.2" fill="#7b2fbe" opacity=".9"/><circle cx="28" cy="25" r="2.2" fill="#f4a261" opacity=".9"/><rect x="21" y="24" width="6" height="3" rx="1.5" fill="rgba(0,0,0,0.3)"/><rect x="8" y="30" width="8" height="7" rx="4" fill="url(#al2)" opacity=".7"/><rect x="32" y="30" width="8" height="7" rx="4" fill="url(#al2)" opacity=".7"/><rect x="14" y="13" width="8" height="5" rx="2.5" fill="url(#al1)" opacity=".8"/><rect x="26" y="13" width="8" height="5" rx="2.5" fill="url(#al1)" opacity=".8"/><circle cx="24" cy="7" r="2" fill="#f0c040" opacity=".9"/><circle cx="39" cy="10" r="1.2" fill="#00e5ff" opacity=".8"/><circle cx="9" cy="10" r="1.2" fill="#f0c040" opacity=".7"/></svg><span>TomTomGames</span></div>
+    <div class="auth-logo-sub">YOUR ULTIMATE GAMING PORTAL</div>
+  </div>
+  <div class="auth-tabs">
+    <button class="auth-tab active" onclick="switchTab('login')">LOGIN</button>
+    <button class="auth-tab" onclick="switchTab('register')">CREATE ACCOUNT</button>
+  </div>
+  <div id="tab-login">
+    <div id="login-alert" class="alert"></div>
+    <!-- Unverified notice (hidden by default) -->
+    <div id="login-unverified-box" style="display:none;background:rgba(255,214,10,.08);border:1px solid rgba(255,214,10,.25);border-radius:10px;padding:14px;margin-bottom:14px">
+      <div style="font-size:15px;color:#ffd60a;font-weight:700;margin-bottom:6px">📧 Email Not Verified</div>
+      <div style="font-size:14px;color:#cccc88;line-height:1.6;margin-bottom:10px">Check your inbox for the verification link, or resend it below.</div>
+      <div id="login-resend-alert" class="alert" style="margin-bottom:8px"></div>
+      <button class="btn btn-outline" onclick="resendFromLogin()" id="login-resend-btn" style="padding:10px;font-size:14px">Resend Verification Email</button>
+    </div>
+    <div class="fg"><label>Username</label><input class="fi" id="login-user" type="text" placeholder="your_username" autocomplete="username" autocapitalize="none"></div>
+    <div class="fg"><label>Password</label><input class="fi" id="login-pass" type="password" placeholder="••••••••" autocomplete="current-password"></div>
+    <button class="btn btn-gold" onclick="doLogin()" style="margin-top:6px" id="login-btn">LOGIN</button>
+  </div>
+  <div id="tab-register" style="display:none">
+    <!-- FORM STATE -->
+    <div id="reg-form-state">
+      <div id="reg-alert" class="alert"></div>
+      <div class="fg"><label>Username</label><input class="fi" id="reg-user" type="text" placeholder="choose_a_username" autocapitalize="none" autocomplete="username"></div>
+      <div class="fg"><label>Your Display Name <span style="font-size:15px;color:var(--text2);font-weight:400">— what you want to be known as</span></label><input class="fi" id="reg-alias" type="text" placeholder="e.g. LuckyAce, GameKing22..." autocomplete="nickname"></div>
+      <div class="fg">
+        <label>Email Address <span style="color:var(--red)">*</span></label>
+        <input class="fi" id="reg-email" type="email" placeholder="your@email.com" autocomplete="email">
+        <div style="font-size:15px;color:var(--text2);margin-top:5px">📧 Required — we'll send a verification link</div>
+      </div>
+      <div class="fg"><label>Password</label><input class="fi" id="reg-pass" type="password" placeholder="Min 6 characters" autocomplete="new-password"></div>
+      <button class="btn btn-gold" onclick="doRegister()" style="margin-top:6px" id="reg-btn">CREATE ACCOUNT</button>
+    </div>
+    <!-- VERIFY PENDING STATE (shown after registration) -->
+    <div id="reg-pending-state" style="display:none">
+      <div style="text-align:center;padding:12px 0 20px">
+        <div style="font-size:52px;margin-bottom:16px">📧</div>
+        <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:20px;color:var(--gold);margin-bottom:10px">Check Your Email!</div>
+        <p style="font-size:14px;color:var(--text2);line-height:1.7;margin-bottom:6px">
+          We sent a verification link to:<br>
+          <strong style="color:var(--cyan)" id="reg-pending-email">—</strong>
+        </p>
+        <p style="font-size:15px;color:var(--text2);line-height:1.6;margin-bottom:24px">
+          Open the email and click the link to activate your account. Check your spam folder if you don't see it.
+        </p>
+        <div style="background:rgba(0,229,255,.06);border:1px solid rgba(0,229,255,.15);border-radius:10px;padding:14px;margin-bottom:20px;font-size:15px;color:var(--text2);text-align:left;line-height:1.7">
+          <strong style="color:var(--cyan)">Steps:</strong><br>
+          1. Open your email inbox<br>
+          2. Find email from <strong style="color:var(--text)">noreply@tomtomgames.com</strong><br>
+          3. Click <strong style="color:var(--gold)">VERIFY MY ACCOUNT</strong><br>
+          4. You'll be automatically logged in ✅
+        </div>
+        <div id="resend-alert" class="alert" style="margin-bottom:12px"></div>
+        <button class="btn btn-outline" onclick="resendVerify()" id="resend-btn" style="margin-bottom:10px">Resend Verification Email</button>
+        <button class="btn" onclick="showRegForm()" style="background:none;color:var(--text2);font-size:15px;padding:8px">← Use different email</button>
+      </div>
+    </div>
+  </div>
+</div>
+
+<!-- MAIN APP -->
+<div id="main-app" style="display:none">
+  <div class="topbar">
+    <div class="topbar-logo" style="display:flex;align-items:center;gap:8px"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 48 48" width="32" height="32" style="display:inline-block;vertical-align:middle;flex-shrink:0"><defs><linearGradient id="li1" x1="0%" y1="0%" x2="100%" y2="100%"><stop offset="0%" stop-color="#f0c040"/><stop offset="100%" stop-color="#ff6b35"/></linearGradient><linearGradient id="li2" x1="0%" y1="0%" x2="100%" y2="100%"><stop offset="0%" stop-color="#00e5ff"/><stop offset="100%" stop-color="#7b2fbe"/></linearGradient></defs><rect x="6" y="16" width="36" height="22" rx="11" fill="url(#li1)"/><rect x="12" y="23" width="8" height="3" rx="1.5" fill="rgba(0,0,0,0.45)"/><rect x="15" y="20" width="3" height="8" rx="1.5" fill="rgba(0,0,0,0.45)"/><circle cx="32" cy="22" r="2.2" fill="#e63946" opacity=".9"/><circle cx="36" cy="25" r="2.2" fill="#2ec4b6" opacity=".9"/><circle cx="32" cy="28" r="2.2" fill="#7b2fbe" opacity=".9"/><circle cx="28" cy="25" r="2.2" fill="#f4a261" opacity=".9"/><rect x="21" y="24" width="6" height="3" rx="1.5" fill="rgba(0,0,0,0.3)"/><rect x="8" y="30" width="8" height="7" rx="4" fill="url(#li2)" opacity=".7"/><rect x="32" y="30" width="8" height="7" rx="4" fill="url(#li2)" opacity=".7"/><rect x="14" y="13" width="8" height="5" rx="2.5" fill="url(#li1)" opacity=".8"/><rect x="26" y="13" width="8" height="5" rx="2.5" fill="url(#li1)" opacity=".8"/></svg><span>TomTomGames</span></div>
+    <div class="topbar-right">
+      <div class="token-badge" id="header-tokens-wrap"><span id="header-tokens">0</span></div>
+      <button class="avatar-btn" id="avatar-btn" onclick="showPage('profile')">?</button>
+    </div>
+  </div>
+
+  <!-- HOME -->
+  <div class="page active" id="page-home">
+    <div class="hero-balance">
+      <div class="balance-label">YOUR TOKENS</div>
+      <div class="balance-amount" id="home-balance">0</div>
+      <div class="balance-unit">TOKENS</div>
+      <div class="balance-alias">Playing as <strong id="home-alias">—</strong></div>
+      <div style="display:flex;gap:10px;margin-top:16px">
+        <button class="btn btn-gold" style="flex:1;padding:12px" onclick="showPage('buy')">BUY</button>
+        <button class="btn btn-outline" style="flex:1;padding:12px" onclick="showPage('cashout')">💸 CASH OUT</button>
+      </div>
+    </div>
+    <div class="section-title"><span>PLAY NOW</span></div>
+    <div class="platform-grid" id="platform-grid"></div>
+  </div>
+
+  <!-- ═══ BUY TOKENS (milkyswipe style) ═══ -->
+  <div class="page" id="page-buy">
+    <div class="section-title"><span>BUY TOKENS</span></div>
+
+    <div id="buy-alert" class="alert"></div>
+
+    <!-- Payment Form Card -->
+    <div class="pay-form">
+      <div class="pay-form-header">
+        <div class="pay-form-icon" id="buy-form-icon" style="font-size:0"><!-- coin --></div>
+        <div>
+          <div class="pay-form-title">Token Purchase</div>
+          <div class="pay-form-sub">$1 = 1 Token · All payments secure</div>
+        </div>
+      </div>
+      <div class="pay-form-body">
+
+        <!-- 1. Select Platform -->
+        <div class="fg">
+          <label>1. Select Your Gaming Platform</label>
+          <select class="fi fi-select" id="buy-platform" onchange="updatePayForm();prefillBuyAlias()">
+            <option value="">— Choose Platform —</option>
+          </select>
+        </div>
+
+        <!-- 2. Game Alias -->
+        <div class="fg">
+          <label>2. Your In-Game Username / Alias</label>
+          <input class="fi" id="buy-alias" type="text" placeholder="e.g. LuckyAce777" oninput="updatePayForm()" onblur="saveAliasFromBuyPage()">
+        </div>
+
+        <!-- 3. Token Package -->
+        <div class="fg">
+          <label>3. Select Token Package <span style="color:var(--text2);font-weight:400;font-size:15px">($1 = 1 Token)</span></label>
+          <div class="pkg-scroll" id="pkg-scroll"></div>
+          <!-- Custom amount row -->
+          <div class="custom-amt-row" id="custom-pkg-row">
+            <div class="custom-amt-wrap">
+              <div class="custom-amt-label">✏️ Custom Amount</div>
+              <div class="custom-amt-input-wrap">
+                <span class="custom-amt-dollar">$</span>
+                <input class="custom-amt-input" id="custom-amt" type="number" min="1" max="500" step="1"
+                  placeholder="Enter amount" oninput="selectCustomPkg(this.value)">
+              </div>
+            </div>
+            <div class="custom-amt-equiv" id="custom-amt-equiv" style="display:none">
+              = <strong id="custom-token-count">0</strong> Tokens
+            </div>
+          </div>
+        </div>
+
+        <!-- Amount / Order Summary display -->
+        <div class="order-summary" id="order-summary" style="display:none">
+          <div class="order-summary-row">
+            <span class="order-summary-label">Package</span>
+            <span class="order-summary-val" id="summary-pkg">—</span>
+          </div>
+          <div class="order-summary-row">
+            <span class="order-summary-label">Tokens</span>
+            <span class="order-summary-val" style="color:var(--gold2)" id="summary-tokens">0</span>
+          </div>
+          <div class="order-summary-divider"></div>
+          <div class="order-summary-row">
+            <span class="order-summary-label" style="font-weight:700;color:var(--text)">Total Due</span>
+            <span class="order-summary-total" id="summary-total">$0.00</span>
+          </div>
+        </div>
+
+        <!-- 4. Payment Method -->
+        <div class="fg">
+          <label>4. Payment Method</label>
+          <div class="pay-method-tabs" id="manual-payment-btns">
+            <!-- Populated dynamically by buildPaymentMethods() -->
+            <div class="pmt active" onclick="selectPMT(this,'card')" title="Credit/Debit Card">
+              <span class="pmt-icon">💳</span><span class="pmt-label">Card</span>
+            </div>
+          </div>
+        </div>
+
+        <!-- CARD fields (Square Web Payments) -->
+        <div id="section-card">
+          <div class="fg">
+            <label>Card Details <span style="font-size:14px;color:var(--green);font-weight:400" id="card-ready-label"></span></label>
+            <div id="card-container"></div>
+          </div>
+          <div class="fi-row">
+            <div class="fg">
+              <label>First Name</label>
+              <input class="fi" id="card-first-name" type="text" placeholder="First" autocomplete="given-name">
+            </div>
+            <div class="fg">
+              <label>Last Name</label>
+              <input class="fi" id="card-last-name" type="text" placeholder="Last" autocomplete="family-name">
+            </div>
+          </div>
+          <div class="fg">
+            <label>Billing Address</label>
+            <input class="fi" id="card-address" type="text" placeholder="Street address" autocomplete="street-address" style="margin-bottom:8px">
+            <div style="display:grid;grid-template-columns:1fr 60px 90px;gap:8px">
+              <input class="fi" id="card-city" type="text" placeholder="City" autocomplete="address-level2">
+              <input class="fi" id="card-state" type="text" placeholder="ST" maxlength="2" autocomplete="address-level1" style="text-transform:uppercase">
+              <input class="fi" id="card-zip" type="text" placeholder="ZIP" maxlength="10" autocomplete="postal-code">
+            </div>
+          </div>
+          <div class="fg">
+            <label>Email for Receipt</label>
+            <input class="fi" id="card-email" type="email" placeholder="your@email.com" autocomplete="email">
+          </div>
+        </div>
+
+        <!-- MANUAL payment instructions -->
+        <div id="section-manual" style="display:none">
+          <div class="manual-box" id="manual-box"></div>
+          <div class="ref-badge" id="ref-badge" style="display:none">
+            📋 Reference: <strong id="ref-platform">—</strong> | Player: <strong id="ref-alias">—</strong> | Include this in your payment note!
+          </div>
+        </div>
+
+        <!-- Save billing checkbox -->
+        <div id="save-billing-wrap" style="display:flex;align-items:center;gap:10px;margin-bottom:14px;padding:10px 14px;background:rgba(0,229,255,.04);border:1px solid rgba(0,229,255,.12);border-radius:var(--rsm)">
+          <input type="checkbox" id="save-billing-cb" style="width:16px;height:16px;accent-color:var(--cyan);cursor:pointer" checked>
+          <label for="save-billing-cb" style="font-size:15px;color:var(--text2);cursor:pointer;line-height:1.4">
+            Save billing info for faster checkout next time
+          </label>
+        </div>
+
+        <!-- Submit -->
+        <button class="btn btn-gold" id="pay-submit-btn" onclick="submitPayment()">
+          COMPLETE PURCHASE
+        </button>
+        <div style="display:flex;align-items:center;justify-content:center;gap:8px;margin-top:10px">
+          <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="#8888aa" stroke-width="2"><rect x="3" y="11" width="18" height="11" rx="2" ry="2"/><path d="M7 11V7a5 5 0 0 1 10 0v4"/></svg>
+          <p style="font-size:15px;color:var(--text2)">256-bit SSL · Secured by Square</p>
+        </div>
+
+      </div>
+    </div>
+  </div>
+
+  <!-- CASHOUT -->
+  <div class="page" id="page-cashout">
+    <div class="section-title"><span>CASH OUT</span></div>
+    <div class="pay-form">
+      <div class="pay-form-header">
+        <div class="pay-form-icon">💸</div>
+        <div>
+          <div class="pay-form-title">Cashout Request</div>
+          <div class="pay-form-sub">Request withdrawal of your token balance</div>
+        </div>
+      </div>
+      <div class="pay-form-body">
+        <div style="display:flex;align-items:center;justify-content:space-between;background:var(--bg3);border:1px solid rgba(240,192,64,.2);border-radius:var(--rsm);padding:14px;margin-bottom:16px">
+          <div>
+            <div style="font-size:15px;color:var(--text2);font-weight:700;letter-spacing:1px;text-transform:uppercase">Available Balance</div>
+            <div style="font-family:'Exo 2',sans-serif;font-weight:900;font-size:28px;color:var(--gold)"><span id="cashout-balance">0</span> <span style="font-size:14px;color:var(--text2)">TOKENS</span></div>
+          </div>
+          <span style="font-size:36px">💰</span>
+        </div>
+        <div id="cashout-alert" class="alert"></div>
+
+        <!-- Payout Method Selector -->
+        <div class="fg">
+          <label>Send Payment To
+            <a onclick="showPage('profile');setTimeout(()=>{switchProfileTab('payout',document.querySelector('.profile-tab[onclick*=payout]'))},100)"
+              style="font-size:15px;color:var(--cyan);cursor:pointer;margin-left:8px;font-weight:400">+ Manage Methods</a>
+          </label>
+          <div id="cashout-payout-list" style="margin-bottom:8px">
+            <div style="color:var(--text2);font-size:15px;padding:10px;text-align:center">Loading payout methods...</div>
+          </div>
+          <div id="cashout-no-payout" style="display:none;background:rgba(240,192,64,.07);border:1px solid rgba(240,192,64,.2);border-radius:8px;padding:12px;font-size:15px;color:var(--gold);text-align:center">
+            No payout method saved. <a onclick="showPage('profile');setTimeout(()=>{switchProfileTab('payout',document.querySelector('[onclick*=payout]'))},100)" style="cursor:pointer;text-decoration:underline">Add one in your profile →</a>
+          </div>
+        </div>
+
+        <div class="fg"><label>Select Platform</label><select class="fi fi-select" id="cashout-platform" onchange="prefillCashoutAlias(this.value)"><option value="">— Choose Platform —</option></select></div>
+        <div class="fg"><label>Your In-Game Alias / Username</label><input class="fi" id="cashout-alias" type="text" placeholder="Your alias on that platform" onblur="saveCashoutAlias()"></div>
+        <div class="fg"><label>Tokens to Cash Out</label><input class="fi" id="cashout-tokens" type="number" min="1" placeholder="Enter amount (min: 1)"></div>
+        <button class="btn btn-cyan" onclick="submitCashout()">💸 SUBMIT CASHOUT REQUEST</button>
+        <p style="text-align:center;font-size:15px;color:var(--text2);margin-top:10px">Cashouts are reviewed and paid out within a few minutes</p>
+      </div>
+    </div>
+    <div class="divider">MY CASHOUT REQUESTS</div>
+    <div id="cashout-history">
+      <div style="color:var(--text2);font-size:15px;text-align:center;padding:20px">Loading your requests...</div>
+    </div>
+  </div>
+
+  <!-- PROFILE -->
+  <div class="page" id="page-profile">
+    <!-- Profile header -->
+    <div class="profile-header">
+      <div class="profile-avatar" id="profile-avatar">?</div>
+      <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:22px;color:var(--text)" id="profile-username">—</div>
+      <div style="color:var(--text2);font-size:14px;margin-top:2px" id="profile-alias">—</div>
+    </div>
+    <!-- Balance card -->
+    <div class="card" style="margin-bottom:10px;background:linear-gradient(135deg,#1a1228,#121a28);border-color:rgba(240,192,64,.2)">
+      <div style="display:flex;justify-content:space-between;align-items:center">
+        <div>
+          <div style="font-size:15px;color:var(--text2);font-weight:700;letter-spacing:1px;text-transform:uppercase;margin-bottom:4px">Token Balance</div>
+          <div style="display:flex;align-items:center;gap:6px" id="profile-tokens"><span style="font-family:'Exo 2',sans-serif;font-weight:900;font-size:28px;color:var(--gold)">0</span></div>
+        </div>
+        <button class="btn btn-gold" style="width:auto;padding:10px 18px;font-size:15px" onclick="showPage('buy')">BUY</button>
+      </div>
+    </div>
+    <!-- Profile tabs -->
+    <div class="profile-tabs" id="profile-tabs">
+      <button class="profile-tab active" onclick="switchProfileTab('activity',this)">Activity</button>
+      <button class="profile-tab" onclick="switchProfileTab('games',this)">🎮 Games</button>
+      <button class="profile-tab" onclick="switchProfileTab('logins',this)">🔑 Logins</button>
+      <button class="profile-tab" onclick="switchProfileTab('payout',this)">💸 Payout</button>
+      <button class="profile-tab" onclick="switchProfileTab('referrals',this)">🎁 Refer</button>
+      <button class="profile-tab" onclick="switchProfileTab('billing',this)">Billing</button>
+      <button class="profile-tab" onclick="switchProfileTab('account',this)">Account</button>
+    </div>
+    <!-- TAB: ACTIVITY -->
+    <div class="profile-tab-panel active" id="ptab-activity">
+
+      <!-- Filter tabs -->
+      <div style="display:flex;gap:6px;margin-bottom:14px;overflow-x:auto;padding-bottom:2px">
+        <button class="activity-ftab active" onclick="filterActivity('all',this)">All</button>
+        <button class="activity-ftab" onclick="filterActivity('purchases',this)">💳 Purchases</button>
+        <button class="activity-ftab" onclick="filterActivity('cashouts',this)">💸 Cashouts</button>
+        <button class="activity-ftab" onclick="filterActivity('broadcasts',this)">📢 News</button>
+      </div>
+
+      <!-- Status summary bar -->
+      <div id="activity-summary" style="display:flex;gap:8px;flex-wrap:wrap;margin-bottom:14px"></div>
+
+      <!-- Live feed -->
+      <div id="activity-feed">
+        <div style="text-align:center;padding:24px;color:var(--text2);font-size:15px">
+          <span class="spinner" style="border-top-color:var(--gold)"></span>
+        </div>
+      </div>
+
+      <button class="btn btn-outline" onclick="showPage('cashout')" style="margin-top:12px;width:100%">💸 Request Cash Out</button>
+    </div>
+
+    <!-- TAB: PLATFORM LOGINS -->
+    <!-- TAB: LOGINS / PLATFORM ACCOUNTS -->
+    <div class="profile-tab-panel" id="ptab-logins">
+      <div style="font-size:14px;font-weight:700;color:var(--text2);text-transform:uppercase;letter-spacing:1px;margin-bottom:4px">Platform Logins</div>
+      <div style="font-size:14px;color:var(--text2);margin-bottom:14px;line-height:1.5">Your game platform accounts. Approved logins show your credentials below. Tap password to reveal.</div>
+
+      <!-- Accounts list - shows all requests + approved credentials -->
+      <div id="platform-logins-list">
+        <div style="text-align:center;padding:20px;color:var(--text2);font-size:15px">Loading...</div>
+      </div>
+
+      <!-- Request new account -->
+      <div class="card" style="margin-top:14px">
+        <div class="card-title" style="font-size:15px">➕ Request Platform Account</div>
+        <div style="font-size:14px;color:var(--text2);margin-bottom:10px">Don't have a login for a platform? Request one and our team will set it up for you.</div>
+        <div id="req-platform-alert" class="alert" style="margin-bottom:8px"></div>
+        <select class="fi fi-select" id="req-platform-slug" style="width:100%;margin-bottom:10px">
+          <option value="">— Select Platform —</option>
+        </select>
+        <button class="btn btn-gold" onclick="requestPlatformLogin()" style="width:100%">📨 REQUEST ACCOUNT</button>
+      </div>
+    </div>
+
+    <!-- TAB: REFERRALS -->
+    <div class="profile-tab-panel" id="ptab-referrals">
+      <div style="text-align:center;padding:16px 0 20px">
+        <div style="font-size:36px;margin-bottom:8px">🎁</div>
+        <div style="font-family:'Exo 2',sans-serif;font-weight:900;font-size:18px;color:var(--gold)">Refer &amp; Earn Tokens!</div>
+        <div style="font-size:15px;color:var(--text2);margin-top:6px;line-height:1.6">Share your referral link. Earn tokens for every friend who joins and gets verified.</div>
+      </div>
+
+      <!-- Referral link -->
+      <div class="card" style="margin-bottom:12px;border-color:rgba(240,192,64,.2)">
+        <div style="font-size:15px;font-weight:700;color:var(--text2);text-transform:uppercase;letter-spacing:1px;margin-bottom:8px">Your Referral Link</div>
+        <div style="display:flex;gap:8px;align-items:center">
+          <input class="fi" id="referral-link-input" type="text" readonly style="flex:1;font-size:14px;cursor:pointer" onclick="this.select()">
+          <button onclick="copyReferralLink()" style="background:rgba(240,192,64,.1);border:1px solid rgba(240,192,64,.25);color:var(--gold);border-radius:8px;padding:10px 14px;font-size:14px;font-weight:700;cursor:pointer;white-space:nowrap">📋 Copy</button>
+        </div>
+        <div id="ref-copy-msg" style="font-size:15px;color:var(--green);margin-top:6px;display:none">✓ Copied to clipboard!</div>
+      </div>
+
+      <!-- Stats -->
+      <div style="display:grid;grid-template-columns:1fr 1fr 1fr;gap:8px;margin-bottom:14px">
+        <div class="card" style="text-align:center;padding:12px 8px">
+          <div style="font-family:'Exo 2',sans-serif;font-weight:900;font-size:22px;color:var(--gold)" id="ref-count">0</div>
+          <div style="font-size:14px;color:var(--text2);text-transform:uppercase;letter-spacing:.5px">Referrals</div>
+        </div>
+        <div class="card" style="text-align:center;padding:12px 8px">
+          <div style="font-family:'Exo 2',sans-serif;font-weight:900;font-size:22px;color:var(--green)" id="ref-earned">0</div>
+          <div style="font-size:14px;color:var(--text2);text-transform:uppercase;letter-spacing:.5px">Tokens Earned</div>
+        </div>
+        <div class="card" style="text-align:center;padding:12px 8px">
+          <div style="font-family:'Exo 2',sans-serif;font-weight:900;font-size:16px;color:var(--cyan)" id="ref-tier">—</div>
+          <div style="font-size:14px;color:var(--text2);text-transform:uppercase;letter-spacing:.5px">Current Tier</div>
+        </div>
+      </div>
+
+      <!-- Next tier progress -->
+      <div id="ref-next-tier" style="margin-bottom:14px;display:none">
+        <div class="card" style="padding:12px 14px">
+          <div style="font-size:14px;color:var(--text2);margin-bottom:6px" id="ref-next-label">Next tier progress</div>
+          <div style="background:rgba(255,255,255,.08);border-radius:4px;height:6px;overflow:hidden">
+            <div id="ref-progress-bar" style="height:6px;border-radius:4px;background:linear-gradient(90deg,var(--gold),var(--cyan));transition:width .5s"></div>
+          </div>
+        </div>
+      </div>
+
+      <!-- Social share -->
+      <div class="card" style="margin-bottom:12px">
+        <div style="font-size:14px;font-weight:700;color:var(--text2);margin-bottom:8px;text-transform:uppercase;letter-spacing:1px">Social Share Bonus</div>
+        <div style="font-size:14px;color:var(--text2);margin-bottom:10px;line-height:1.5">Share TomTomGames on social media and earn bonus tokens when approved by our team.</div>
+        <div style="display:flex;gap:8px;flex-wrap:wrap" id="ref-share-btns">
+          <button onclick="submitShare('facebook')" class="ref-share-btn" style="background:rgba(24,119,242,.15);border:1px solid rgba(24,119,242,.3);color:#1877f2">📘 Facebook</button>
+          <button onclick="submitShare('twitter')" class="ref-share-btn" style="background:rgba(29,161,242,.15);border:1px solid rgba(29,161,242,.3);color:#1da1f2">🐦 Twitter/X</button>
+          <button onclick="submitShare('instagram')" class="ref-share-btn" style="background:rgba(225,48,108,.15);border:1px solid rgba(225,48,108,.3);color:#e1306c">📸 Instagram</button>
+          <button onclick="submitShare('tiktok')" class="ref-share-btn" style="background:rgba(0,0,0,.3);border:1px solid rgba(255,255,255,.15);color:#fff">🎵 TikTok</button>
+        </div>
+        <div id="ref-share-alert" class="alert" style="margin-top:8px"></div>
+        <div id="ref-shares-list" style="margin-top:10px"></div>
+      </div>
+
+      <!-- Tiers list -->
+      <div class="card">
+        <div style="font-size:14px;font-weight:700;color:var(--text2);margin-bottom:10px;text-transform:uppercase;letter-spacing:1px">Referral Tiers</div>
+        <div id="ref-tiers-list"></div>
+      </div>
+
+      <!-- My referrals -->
+      <div class="card" style="margin-top:12px">
+        <div style="font-size:14px;font-weight:700;color:var(--text2);margin-bottom:10px;text-transform:uppercase;letter-spacing:1px">My Referrals</div>
+        <div id="ref-list"></div>
+      </div>
+    </div>
+
+    <!-- TAB: PAYOUT METHODS -->
+    <div class="profile-tab-panel" id="ptab-payout">
+      <div style="font-size:14px;font-weight:700;color:var(--text2);text-transform:uppercase;letter-spacing:1px;margin-bottom:4px">Payout Methods</div>
+      <div style="font-size:14px;color:var(--text2);margin-bottom:14px;line-height:1.5">Where to send your cashout payments. The default method is used automatically.</div>
+      <div id="payout-methods-list"></div>
+      <!-- Add Method Form -->
+      <div class="card" style="margin-top:12px">
+        <div class="card-title" style="font-size:15px">➕ Add Payout Method</div>
+        <div style="display:grid;grid-template-columns:1fr 1fr;gap:8px;margin-bottom:8px">
+          <div>
+            <label style="font-size:15px;color:var(--text2);font-weight:700;display:block;margin-bottom:4px">Type</label>
+            <select class="fi" id="payout-type-new" style="font-size:15px">
+              <option value="">Loading...</option>
+            </select>
+          </div>
+          <div>
+            <label style="font-size:15px;color:var(--text2);font-weight:700;display:block;margin-bottom:4px">Label</label>
+            <input class="fi" id="payout-label-new" type="text" placeholder="e.g. My Venmo" style="font-size:15px">
+          </div>
+        </div>
+        <div style="margin-bottom:10px">
+          <label style="font-size:15px;color:var(--text2);font-weight:700;display:block;margin-bottom:4px">Handle / Phone / Email</label>
+          <input class="fi" id="payout-handle-new" type="text" placeholder="e.g. @username, phone, or email">
+        </div>
+        <div id="payout-add-alert" class="alert" style="margin-bottom:8px"></div>
+        <button class="btn btn-gold" onclick="addPayoutMethod()" style="width:100%">💾 SAVE METHOD</button>
+      </div>
+    </div>
+
+    <!-- TAB: PLATFORM ACCOUNTS -->
+    <!-- TAB: GAMES -->
+    <div class="profile-tab-panel" id="ptab-games">
+      <div style="font-size:14px;font-weight:700;color:var(--text2);text-transform:uppercase;letter-spacing:1px;margin-bottom:4px">Your Game Aliases</div>
+      <div style="font-size:14px;color:var(--text2);margin-bottom:14px;line-height:1.5">Save your in-game username for each platform. Your alias auto-fills when you buy tokens.</div>
+      <div id="game-aliases-list"><div style="color:var(--text2);text-align:center;padding:20px;font-size:15px">Loading games...</div></div>
+      <div id="game-aliases-alert" class="alert" style="margin-top:10px"></div>
+      <button class="btn btn-gold" onclick="saveAllAliases()" style="margin-top:12px">💾 SAVE ALL ALIASES</button>
+    </div>
+    <!-- TAB: BILLING -->
+    <div class="profile-tab-panel" id="ptab-billing">
+      <!-- Saved card display -->
+      <div id="saved-card-display" style="display:none">
+        <div class="saved-card-chip">
+          <div class="saved-card-chip-top">
+            <span class="saved-card-brand" id="saved-card-brand">VISA</span>
+            <span id="saved-card-dots">💳</span>
+          </div>
+          <div class="saved-card-number" id="saved-card-number">···· ···· ···· ····</div>
+          <div class="saved-card-bottom">
+            <div><div style="font-size:15px;color:rgba(255,255,255,.5);margin-bottom:2px">CARD HOLDER</div><div id="saved-card-name" style="font-size:15px;font-weight:700">—</div></div>
+            <div style="text-align:right"><div style="font-size:15px;color:rgba(255,255,255,.5);margin-bottom:2px">EXPIRES</div><div id="saved-card-exp" style="font-size:15px;font-weight:700">—</div></div>
+          </div>
+        </div>
+        <button class="btn btn-danger" onclick="clearSavedCard()" style="margin-top:10px;padding:10px;font-size:14px">🗑 Remove Saved Card</button>
+      </div>
+      <!-- Billing form -->
+      <div id="billing-form-section">
+        <div style="font-size:14px;font-weight:700;color:var(--text2);text-transform:uppercase;letter-spacing:1px;margin-bottom:12px">Billing Information</div>
+        <div id="billing-alert" class="alert" style="margin-bottom:12px"></div>
+        <div class="fi-row" style="margin-bottom:10px">
+          <div><label class="form-label">First Name</label><input class="fi" id="p-first" type="text" placeholder="First" autocomplete="given-name"></div>
+          <div><label class="form-label">Last Name</label><input class="fi" id="p-last" type="text" placeholder="Last" autocomplete="family-name"></div>
+        </div>
+        <div class="fg"><label class="form-label">Email</label><input class="fi" id="p-email" type="email" placeholder="your@email.com" autocomplete="email"></div>
+        <div class="fg"><label class="form-label">Street Address</label><input class="fi" id="p-address" type="text" placeholder="123 Main St" autocomplete="street-address"></div>
+        <div style="display:grid;grid-template-columns:1fr 60px 90px;gap:8px;margin-bottom:10px">
+          <div><label class="form-label">City</label><input class="fi" id="p-city" type="text" placeholder="City" autocomplete="address-level2"></div>
+          <div><label class="form-label">ST</label><input class="fi" id="p-state" type="text" placeholder="TX" maxlength="2" autocomplete="address-level1" style="text-transform:uppercase"></div>
+          <div><label class="form-label">ZIP</label><input class="fi" id="p-zip" type="text" placeholder="75001" maxlength="10" autocomplete="postal-code"></div>
+        </div>
+        <button class="btn btn-cyan" onclick="saveBillingProfile()" style="margin-bottom:8px">💾 SAVE BILLING INFO</button>
+        <button class="btn" onclick="clearAllBilling()" style="background:rgba(255,68,68,.08);border:1px solid rgba(255,68,68,.2);color:var(--red);font-size:14px;padding:10px">🗑 Clear All Saved Info</button>
+      </div>
+    </div>
+    <!-- TAB: ACCOUNT -->
+    <div class="profile-tab-panel" id="ptab-account">
+      <div style="font-size:14px;font-weight:700;color:var(--text2);text-transform:uppercase;letter-spacing:1px;margin-bottom:12px">Account Info</div>
+      <div class="card" style="margin-bottom:10px">
+        <div style="display:flex;flex-direction:column;gap:10px">
+          <div style="display:flex;justify-content:space-between"><span style="color:var(--text2);font-size:15px">Username</span><span id="acct-username" style="font-weight:700;color:var(--text)">—</span></div>
+          <div style="display:flex;justify-content:space-between"><span style="color:var(--text2);font-size:15px">Alias</span><span id="acct-alias" style="font-weight:700;color:var(--cyan)">—</span></div>
+          <div style="display:flex;justify-content:space-between"><span style="color:var(--text2);font-size:15px">Email</span><span id="acct-email" style="font-weight:700;font-size:15px">—</span></div>
+          <div style="display:flex;justify-content:space-between"><span style="color:var(--text2);font-size:15px">Member Since</span><span id="acct-joined" style="font-weight:700;color:var(--text2);font-size:14px">—</span></div>
+        </div>
+      </div>
+      <button class="btn btn-outline" onclick="showPage('buy')" style="margin-bottom:8px">Buy Tokens</button>
+      <button class="btn btn-outline" onclick="showPage('cashout')" style="margin-bottom:8px">💸 Cash Out</button>
+      <button class="btn btn-outline" onclick="showPage('chat')" style="margin-bottom:8px">💬 Contact Support</button>
+      <button class="btn btn-danger" onclick="doLogout()" style="margin-top:4px">LOG OUT</button>
+    </div>
+  </div>
+
+  <!-- ONBOARDING MODAL -->
+  <div id="onboarding-modal" style="display:none">
+    <div class="onboarding-box" id="onboarding-step-1">
+      <div style="font-size:48px;margin-bottom:12px">🎮</div>
+      <div class="onboarding-title">Welcome to TomTomGames!</div>
+      <div class="onboarding-sub">Do you already have a login account on any of our game platforms?</div>
+      <div style="display:flex;gap:10px;justify-content:center">
+        <button class="btn btn-gold" onclick="onboardingHasAccount()" style="flex:1;max-width:160px">Yes, I do</button>
+        <button class="btn btn-outline" onclick="onboardingNoAccount()" style="flex:1;max-width:160px">No, not yet</button>
+      </div>
+    </div>
+    <div class="onboarding-box" id="onboarding-step-2" style="display:none">
+      <div style="font-size:40px;margin-bottom:12px">📋</div>
+      <div class="onboarding-title">Request Platform Login</div>
+      <div class="onboarding-sub">Select which platform you want an account created on. Our team will set it up and send you your login details.</div>
+      <div id="onboarding-alert" class="alert" style="margin-bottom:12px"></div>
+      <div class="fg" style="margin-bottom:14px;text-align:left">
+        <label style="font-size:14px;font-weight:700;color:var(--text2);display:block;margin-bottom:6px">Select Platform</label>
+        <select class="fi fi-select" id="onboarding-platform" style="width:100%">
+          <option value="">— Choose a platform —</option>
+        </select>
+      </div>
+      <div style="display:flex;gap:10px">
+        <button class="btn btn-gold" onclick="onboardingRequestAccount()" style="flex:1">Request Account</button>
+        <button class="btn btn-outline" onclick="onboardingDone()" style="flex:1">Skip for now</button>
+      </div>
+    </div>
+    <div class="onboarding-box" id="onboarding-step-3" style="display:none">
+      <div style="font-size:48px;margin-bottom:12px">✅</div>
+      <div class="onboarding-title">Request Submitted!</div>
+      <div class="onboarding-sub" id="onboarding-confirm-text">Your account request has been sent. You can see the status in your Profile under Games.</div>
+      <div style="display:flex;gap:10px;justify-content:center">
+        <button class="btn btn-gold" onclick="onboardingRequestAnother()" style="flex:1;max-width:160px">+ Another Platform</button>
+        <button class="btn btn-outline" onclick="onboardingDone()" style="flex:1;max-width:160px">Go to Home</button>
+      </div>
+    </div>
+  </div>
+
+  <!-- BROADCASTS PAGE -->
+  <div class="page" id="page-broadcasts">
+    <div class="section-title"><span>📢 NEWS &amp; ANNOUNCEMENTS</span></div>
+    <div id="broadcasts-list">
+      <div style="color:var(--text2);text-align:center;padding:32px;font-size:15px">Loading...</div>
+    </div>
+  </div>
+
+  <!-- CHAT PAGE -->
+  <div class="page" id="page-chat">
+    <div class="chat-header">
+      <div class="chat-header-avatar">
+        <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" width="20" height="20"><path d="M21 15a2 2 0 0 1-2 2H7l-4 4V5a2 2 0 0 1 2-2h14a2 2 0 0 1 2 2z"/></svg>
+      </div>
+      <div style="flex:1">
+        <div class="chat-header-name">TomTomGames Support</div>
+        <div class="chat-header-status" id="chat-status-text">
+          <span class="chat-status-dot"></span> We reply within minutes
+        </div>
+      </div>
+      <div id="chat-typing-indicator" style="display:none;font-size:15px;color:var(--cyan);font-weight:600"></div>
+    </div>
+    <div class="chat-messages" id="chat-messages">
+      <div class="chat-loading">Loading messages...</div>
+    </div>
+    <div class="chat-quick-replies" id="chat-quick-replies" style="display:none">
+      <button class="chat-chip" onclick="quickReply('I need help with my tokens')">&#127918; Token issue</button>
+      <button class="chat-chip" onclick="quickReply('I have a cashout question')">&#128184; Cashout help</button>
+      <button class="chat-chip" onclick="quickReply('I need help with my account')">&#128100; Account help</button>
+      <button class="chat-chip" onclick="quickReply('I have a payment question')">&#128179; Payment help</button>
+    </div>
+    <div class="chat-input-bar">
+      <input class="chat-input" id="chat-input" type="text" placeholder="Type your message to support..." maxlength="1000"
+        onkeydown="if(event.key==='Enter'&&!event.shiftKey){event.preventDefault();sendChatMsg();}">
+      <button class="chat-send-btn" onclick="sendChatMsg()" id="chat-send-btn" title="Send message">
+        <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" width="18" height="18"><line x1="22" y1="2" x2="11" y2="13"/><polygon points="22 2 15 22 11 13 2 9 22 2"/></svg>
+      </button>
+    </div>
+  </div>
+
+  <nav class="navbar">
+    <button class="nav-btn active" data-page="home" onclick="showPage('home')">
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M3 9l9-7 9 7v11a2 2 0 0 1-2 2H5a2 2 0 0 1-2-2z"/><polyline points="9 22 9 12 15 12 15 22"/></svg>HOME
+    </button>
+    <button class="nav-btn" data-page="buy" onclick="showPage('buy')">
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><circle cx="12" cy="12" r="10"/><line x1="12" y1="8" x2="12" y2="16"/><line x1="8" y1="12" x2="16" y2="12"/></svg>BUY
+    </button>
+    <button class="nav-btn" data-page="cashout" onclick="showPage('cashout')">
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><line x1="12" y1="1" x2="12" y2="23"/><path d="M17 5H9.5a3.5 3.5 0 0 0 0 7h5a3.5 3.5 0 0 1 0 7H6"/></svg>CASH OUT
+    </button>
+    <button class="nav-btn chat-nav-btn" data-page="chat" onclick="showPage('chat')" style="position:relative">
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M21 15a2 2 0 0 1-2 2H7l-4 4V5a2 2 0 0 1 2-2h14a2 2 0 0 1 2 2z"/></svg>
+      <span class="chat-nav-badge" id="chat-nav-badge" style="display:none"></span>
+      SUPPORT
+    </button>
+    <button class="nav-btn" data-page="broadcasts" onclick="showPage('broadcasts')" style="position:relative">
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M22 16.92v3a2 2 0 0 1-2.18 2 19.79 19.79 0 0 1-8.63-3.07A19.5 19.5 0 0 1 4.69 11.5 19.79 19.79 0 0 1 1.61 2.84 2 2 0 0 1 3.58 1H6.5a2 2 0 0 1 2 1.72c.127.96.361 1.903.7 2.81a2 2 0 0 1-.45 2.11L7.91 8.5a16 16 0 0 0 5.54 5.54l.86-.87a2 2 0 0 1 2.11-.45c.907.339 1.85.573 2.81.7A2 2 0 0 1 21 15.5"/><path d="m22 2-7 7"/><path d="M15 2h7v7"/></svg>
+      <span class="chat-nav-badge" id="broadcast-nav-badge" style="display:none"></span>
+      NEWS
+    </button>
+    <button class="nav-btn" data-page="profile" onclick="showPage('profile')">
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"><path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"/><circle cx="12" cy="7" r="4"/></svg>PROFILE
+    </button>
+  </nav>
+  <div id="copyright-footer" style="position:fixed;bottom:0;left:50%;transform:translateX(-50%);width:100%;max-width:var(--max);text-align:center;padding-bottom:calc(var(--nav-h) + 2px);pointer-events:none;z-index:99">
+    <span style="font-size:11px;color:rgba(255,255,255,.18);font-family:'Exo 2',sans-serif;letter-spacing:.3px">&copy; 2026 TomTomGames.com, a division of TomTom Enterprises &nbsp;&middot;&nbsp; v<?= $_appVersion ?></span>
+  </div>
+</div>
+
+<!-- SUCCESS MODAL -->
+<div class="modal-overlay" id="success-modal">
+  <div class="modal-sheet">
+    <div class="modal-handle"></div>
+    <div style="text-align:center;padding:16px 0 8px">
+      <div style="font-size:56px;margin-bottom:14px" id="modal-icon">🎉</div>
+      <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:20px;color:var(--text);margin-bottom:16px" id="modal-title">Tokens Added!</div>
+      <div id="modal-card-content"></div>
+      <button class="btn btn-gold" style="margin-top:20px" id="modal-action-btn">AWESOME!</button>
+    </div>
+  </div>
+</div>
+
+<!-- PAYMENT PROCESSING OVERLAY -->
+<div id="pay-processing-overlay" style="display:none;position:fixed;inset:0;background:rgba(5,5,15,.96);z-index:500;flex-direction:column;align-items:center;justify-content:center;gap:0;backdrop-filter:blur(8px)">
+  <div class="pay-proc-ring">
+    <div class="pay-proc-spinner"></div>
+    <div class="pay-proc-icon" id="pay-proc-icon">🔒</div>
+  </div>
+  <div class="pay-proc-title" id="pay-proc-title">Processing Payment</div>
+  <div class="pay-proc-sub" id="pay-proc-sub">Please wait — do not close the app</div>
+  <div class="pay-proc-steps" id="pay-proc-steps">
+    <div class="pay-proc-step active" id="step-1">🔐 Securing connection</div>
+    <div class="pay-proc-step" id="step-2">💳 Authorizing card</div>
+    <div class="pay-proc-step" id="step-3">✅ Confirming payment</div>
+    <div class="pay-proc-step" id="step-4">Crediting tokens</div>
+  </div>
+</div>
+
+<!-- PAYMENT SUCCESS OVERLAY (replaces old modal) -->
+<div id="pay-success-overlay" style="display:none;position:fixed;inset:0;background:rgba(5,5,15,.97);z-index:501;flex-direction:column;align-items:center;justify-content:center;padding:32px;backdrop-filter:blur(8px)">
+  <div class="pay-result-wrap" id="pay-result-wrap"><!-- filled by JS --></div>
+</div>
+
+<!-- Square SDK loads async — won't block app startup -->
+<script src="<?= \SquarePayment::sdkUrl() ?>"></script>
+<script>
+const CFG = {
+  sqAppId:  '<?= SQUARE_APP_ID ?>',
+  sqLocId:  '<?= SQUARE_LOCATION_ID ?>',
+  sqEnv:    '<?= SQUARE_ENV ?>',
+  packages: <?= TOKEN_PACKAGES ?>,
+  platforms: [], // loaded dynamically from /api/platforms.php
+  pay: {
+    venmo:   '<?= PAY_VENMO ?>',
+    chime:   '<?= PAY_CHIME ?>',
+    cashapp: '<?= PAY_CASHAPP ?>',
+    zelle:   '<?= PAY_ZELLE ?>',
+  }
+};
+
+let S = { user:null, pkg:null, method:'card', sqCard:null };
+
+async function doLogin() {
+  const btn=document.getElementById('login-btn'); const al=document.getElementById('login-alert');
+  const u=document.getElementById('login-user').value.trim(); const p=document.getElementById('login-pass').value;
+  if (!u||!p){showAlert(al,'Please fill in all fields.','error');return;}
+  document.getElementById('login-unverified-box').style.display='none';
+  btn.innerHTML='<span class="spinner"></span>'; btn.disabled=true;
+  try {
+    const d=await api('/api/login.php',{username:u,password:p});
+    console.log('Login response:', JSON.stringify(d));
+    if(d.success){
+      if (d.user && d.user.is_admin == 1) {
+        window.location.href = '/admin/';
+        return;
+      }
+      console.log('Login success, calling showApp...');
+      S.user=d.user; showApp();
+    } else if(d.unverified) {
+      // Show unverified box with resend option
+      hideAlert(al);
+      S._unverifiedEmail = d.email || '';
+      document.getElementById('login-unverified-box').style.display='block';
+    } else {
+      showAlert(al,d.error||'Login failed.','error');
+    }
+  } catch{showAlert(al,'Network error.','error');}
+  btn.innerHTML='LOGIN'; btn.disabled=false;
+}
+
+// ─── INIT ──────────────────────────────────────────────────
+window.addEventListener('DOMContentLoaded', function() {
+  // Load platforms and payment methods dynamically, then build UI
+  Promise.all([
+    fetch('/api/platforms.php?action=list').then(r=>r.json()).catch(()=>({success:false})),
+    fetch('/api/payment_settings.php?action=list').then(r=>r.json()).catch(()=>({success:false}))
+  ]).then(function(results) {
+    if (results[0].success) CFG.platforms = results[0].platforms;
+    if (results[1].success) CFG.payMethods = results[1].methods;
+    try { buildPlatforms(); }        catch(e) {}
+    try { buildPkgPills(); }         catch(e) {}
+    try { buildCashoutPlatforms(); } catch(e) {}
+    try { buildPaymentMethods(); }   catch(e) {}
+  }).catch(function() {
+    try { buildPlatforms(); }        catch(e) {}
+    try { buildPkgPills(); }         catch(e) {}
+    try { buildCashoutPlatforms(); } catch(e) {}
+  });
+
+  fetch('/api/me.php')
+    .then(function(r) { return r.json(); })
+    .then(function(d) {
+      if (d && d.success && d.user) {
+        if (d.user.is_admin == 1) {
+          window.location.href = '/admin/';
+        } else {
+          S.user = d.user; showApp();
+        }
+      } else showAuth();
+    })
+    .catch(function() { showAuth(); });
+});
+
+function api(url, body) {
+  const opts = { method: body ? 'POST' : 'GET', headers: { 'Content-Type': 'application/json' } };
+  if (body) opts.body = JSON.stringify(body);
+  return fetch(url, opts).then(r => r.json());
+}
+
+function showApp() {
+  var auth = document.getElementById('auth-screen');
+  var app  = document.getElementById('main-app');
+  if (auth) auth.setAttribute('style', 'display:none');
+  if (app)  app.setAttribute('style', 'display:block;min-height:100vh;');
+  console.log('showApp: auth hidden, app visible');
+  try { updateUI(); }           catch(e) { console.warn('updateUI err:', e); }
+  try { loadCashoutHistory(); } catch(e) { console.warn('cashout err:', e); }
+  try { pollChatBadge(); }      catch(e) { console.warn('badge err:', e); }
+  // Load aliases for auto-prefill on buy page
+  api('/api/game_aliases.php?action=get').then(d => {
+    if (d.success) savedAliases = d.aliases || {};
+  }).catch(() => {});
+  loadCashoutMethodTypes();
+  setTimeout(pollBroadcastBadge, 1000);
+  setInterval(pollBroadcastBadge, 60000);
+  setTimeout(checkOnboarding, 1500);
+  // Inject coin into static elements
+  setTimeout(function() {
+    var bfi = document.getElementById('buy-form-icon');
+    if (bfi) bfi.innerHTML = tokenCoin(48);
+  }, 100);
+}
+function showAuth() {
+  var auth = document.getElementById('auth-screen');
+  var app  = document.getElementById('main-app');
+  if (app)  app.setAttribute('style', 'display:none;');
+  if (auth) auth.setAttribute('style', 'display:flex');
+}
+function switchTab(t) {
+  document.getElementById('tab-login').style.display    = t === 'login'    ? 'block' : 'none';
+  document.getElementById('tab-register').style.display = t === 'register' ? 'block' : 'none';
+  document.querySelectorAll('.auth-tab').forEach((el,i) =>
+    el.classList.toggle('active',(i===0&&t==='login')||(i===1&&t==='register'))
+  );
+}
+function showPage(n) {
+  document.querySelectorAll('.page').forEach(p => p.classList.remove('active'));
+  document.querySelectorAll('.nav-btn').forEach(b => b.classList.remove('active'));
+  document.getElementById('page-'+n)?.classList.add('active');
+  document.querySelector(`.nav-btn[data-page="${n}"]`)?.classList.add('active');
+  const _cr=document.getElementById('copyright-footer'); if(_cr) _cr.style.display=n==='home'?'block':'none';
+  if (n === 'buy') { updatePayForm(); initBuyPageBilling(); setTimeout(initSquare, 150); }
+  if (n === 'broadcasts') { loadBroadcasts_player(); }
+  if (n === 'cashout') {
+    updateUI();
+    loadCashoutHistory();
+    loadCashoutPayoutMethods();
+    // Prefill alias for currently selected platform if any
+    const pid = document.getElementById('cashout-platform')?.value;
+    if (pid) prefillCashoutAlias(pid);
+  }
+  if (n === 'profile') { loadActivityDashboard(); switchProfileTab('activity', document.querySelector('.profile-tab')); }
+  if (n === 'chat') {
+    // Clear badge when opening chat
+    document.getElementById('chat-nav-badge').style.display = 'none';
+    initChat();
+    setTimeout(scrollChat, 100);
+  }
+}
+
+function setText(id, val) { var el=document.getElementById(id); if(el) el.textContent=val; }
+function displayName(u) { return u ? (u.alias || u.username || '?') : '?'; }
+function updateUI() {
+  if (!S.user) return;
+  const t    = parseFloat(S.user.tokens) || 0;
+  const name = displayName(S.user);
+  const init = name.charAt(0).toUpperCase();
+  const setHTML = (id, html) => { const el=document.getElementById(id); if(el) el.innerHTML=html; };
+  setText('home-alias',       name);
+  setText('cashout-balance',  t);
+  setText('profile-username', name);
+  setText('profile-alias',    S.user.username ? '@' + S.user.username : '');
+  setText('avatar-btn',       init);
+  setText('profile-avatar',   init);
+  setHTML('header-tokens',  t + '&nbsp;' + tokenCoin(18));
+  setHTML('home-balance',   '<span style="font-family:\'Exo 2\',sans-serif">' + t + '</span>');
+  setHTML('profile-tokens', t + '&nbsp;' + tokenCoin(24));
+}
+async function refreshUser() {
+  const d = await api('/api/me.php');
+  if (d.success) { S.user = d.user; updateUI(); }
+}
+
+// ─── PLATFORMS ─────────────────────────────────────────────
+function buildPlatforms() {
+  document.getElementById('platform-grid').innerHTML = CFG.platforms.map(p => `
+    <a href="${p.url}" target="_blank" class="platform-card" style="--p-color:${p.color}">
+      <div class="platform-img-wrap">
+        <img src="/assets/img/${p.id}.svg" alt="${p.name}" onerror="this.style.display='none'">
+      </div>
+      <div class="platform-name">${p.name}</div>
+      <div class="play-btn">TAP TO PLAY →</div>
+    </a>`).join('');
+
+  // Also populate buy-platform select
+  const sel = document.getElementById('buy-platform');
+  CFG.platforms.forEach(p => {
+    const o = document.createElement('option');
+    o.value = p.id; o.textContent = p.name; sel.appendChild(o);
+  });
+}
+function buildCashoutPlatforms() {
+  const sel = document.getElementById('cashout-platform');
+  CFG.platforms.forEach(p => {
+    const o = document.createElement('option'); o.value = p.id; o.textContent = p.name; sel.appendChild(o);
+  });
+}
+
+// ─── TOKEN PACKAGES ────────────────────────────────────────
+function buildPkgPills() {
+  const container = document.getElementById('pkg-scroll');
+  container.innerHTML = CFG.packages.map((pkg, i) => `
+    <div class="pkg-pill${pkg.popular?' popular':''}" onclick="selectPkg(${i},this)">
+      <div class="pkg-pill-tokens">${pkg.tokens}</div>
+      <div class="pkg-pill-price">$${pkg.price}</div>
+    </div>`).join('');
+  const popularIdx = CFG.packages.findIndex(p => p.popular);
+  const idx = popularIdx >= 0 ? popularIdx : 0;
+  selectPkg(idx, container.querySelectorAll('.pkg-pill')[idx]);
+}
+function selectPkg(i, el) {
+  S.pkg = CFG.packages[i]; S.customPkg = false;
+  document.querySelectorAll('.pkg-pill').forEach(p => p.classList.remove('selected'));
+  el?.classList.add('selected');
+  const ci = document.getElementById('custom-amt');
+  if (ci) ci.value = '';
+  document.getElementById('custom-amt-equiv').style.display = 'none';
+  updateOrderSummary();
+}
+function selectCustomPkg(val) {
+  const amt = parseInt(val);
+  if (!amt || amt < 1) {
+    document.getElementById('custom-amt-equiv').style.display = 'none';
+    S.pkg = null; S.customPkg = false; updateOrderSummary(); return;
+  }
+  document.querySelectorAll('.pkg-pill').forEach(p => p.classList.remove('selected'));
+  S.customPkg = true;
+  S.pkg = { tokens: amt, price: amt, label: amt + ' Tokens (Custom)', popular: false };
+  document.getElementById('custom-token-count').textContent = amt;
+  document.getElementById('custom-amt-equiv').style.display = 'flex';
+  updateOrderSummary();
+}
+function updateOrderSummary() {
+  const el = document.getElementById('order-summary');
+  if (!S.pkg) { el.style.display='none'; return; }
+  document.getElementById('summary-pkg').textContent    = S.pkg.label || S.pkg.tokens+' Tokens';
+  const sumTok = document.getElementById('summary-tokens'); if(sumTok) sumTok.innerHTML = S.pkg.tokens + '&nbsp;' + tokenCoin(18);
+  document.getElementById('summary-total').textContent  = '$'+S.pkg.price+'.00';
+  el.style.display = 'block';
+}
+function updateAmountDisplay() { updateOrderSummary(); }
+function updatePayForm() {
+  updateAmountDisplay();
+  const alias = document.getElementById('buy-alias').value.trim();
+  const platformId = document.getElementById('buy-platform').value;
+  document.getElementById('ref-alias').textContent    = alias || '—';
+  document.getElementById('ref-platform').textContent = platformId ? CFG.platforms.find(p=>p.id===platformId)?.name : '—';
+  if (S.method !== 'card') renderManualInstructions();
+}
+
+// ─── PAYMENT METHOD ────────────────────────────────────────
+function selectPMT(el, method) {
+  document.querySelectorAll('.pmt').forEach(m => m.classList.remove('active'));
+  el.classList.add('active');
+  S.method = method;
+  document.getElementById('section-card').style.display   = method === 'card' ? 'block' : 'none';
+  document.getElementById('section-manual').style.display = method !== 'card' ? 'block' : 'none';
+  if (method !== 'card') renderManualInstructions();
+}
+
+function renderManualInstructions() {
+  const method = S.method;
+  const pkg    = S.pkg;
+  const alias  = document.getElementById('buy-alias').value.trim();
+  const platformId = document.getElementById('buy-platform').value;
+  const platformName = platformId ? CFG.platforms.find(p => p.id === platformId)?.name || platformId : '(your platform)';
+  const amt    = pkg ? `$${pkg.price}.00` : '(select a package)';
+  const handle = CFG.pay[method] || '—';
+
+  const iconMap = { venmo:'💙', chime:'🟢', cashapp:'💚', zelle:'💜' };
+  const nameMap = {
+    venmo: (CFG.payLabels&&CFG.payLabels.venmo)||'Venmo',
+    chime: (CFG.payLabels&&CFG.payLabels.chime)||'Chime',
+    cashapp:(CFG.payLabels&&CFG.payLabels.cashapp)||'Cash App',
+    zelle: (CFG.payLabels&&CFG.payLabels.zelle)||'Zelle',
+  };
+
+  document.getElementById('manual-box').innerHTML = `
+    <div class="manual-box-title">${iconMap[method]} ${nameMap[method]} Instructions</div>
+    <div class="manual-step">
+      <div class="manual-step-num">1</div>
+      <div class="manual-step-text">Open your <strong>${nameMap[method]}</strong> app and send <strong>${amt}</strong> to <span class="handle">${handle}</span></div>
+    </div>
+    <div class="manual-step">
+      <div class="manual-step-num">2</div>
+      <div class="manual-step-text">In the <strong>note/memo</strong>, include: <strong>${platformName}</strong> — <strong>${alias || 'your alias'}</strong></div>
+    </div>
+    <div class="manual-step">
+      <div class="manual-step-num">3</div>
+      <div class="manual-step-text">Click <strong>Submit Request</strong> below. We'll verify your payment and credit your tokens within a few hours.</div>
+    </div>`;
+
+  const refBadge = document.getElementById('ref-badge');
+  if (alias && platformId) { refBadge.style.display = 'block'; }
+  else { refBadge.style.display = 'none'; }
+}
+
+// ─── SQUARE ────────────────────────────────────────────────
+async function initSquare() {
+  if (!window.Square) {
+    console.warn('Square SDK not loaded — card unavailable');
+    document.getElementById('card-container').innerHTML =
+      '<div style="color:#ff6666;font-size:14px;padding:8px">Card form unavailable. Please refresh the page.</div>';
+    return;
+  }
+  try {
+    // Destroy existing instance before re-attaching
+    if (S.sqCard) {
+      try { await S.sqCard.destroy(); } catch(e) {}
+      S.sqCard = null;
+    }
+    // Clear container so Square has a clean div to inject into
+    var container = document.getElementById('card-container');
+    container.innerHTML = '';
+
+    var pay = window.Square.payments(CFG.sqAppId, CFG.sqLocId);
+    S.sqCard = await pay.card({
+      style: {
+        '.input-container'         : { borderColor: '#dddddd', borderRadius: '8px' },
+        '.input-container.is-focus': { borderColor: '#0095d9' },
+        'input'                    : { color: '#1a1a2e', fontSize: '16px' },
+        'input::placeholder'       : { color: '#aaaaaa' },
+      }
+    });
+    await S.sqCard.attach('#card-container');
+    console.log('Square card attached OK');
+    var lbl = document.getElementById('card-ready-label');
+    if (lbl) lbl.textContent = '✓ Ready';
+  } catch(e) {
+    console.error('Square init error:', e);
+    document.getElementById('card-container').innerHTML =
+      '<div style="color:#ff9999;font-size:14px;padding:8px">Card form error: ' + e.message + '</div>';
+  }
+}
+
+// ─── SUBMIT PAYMENT ────────────────────────────────────────
+// ─── PAYMENT PROCESSING OVERLAY ──────────────────────────
+const PROC_STEPS = ['step-1','step-2','step-3','step-4'];
+let procTimer = null;
+
+function showProcessingOverlay() {
+  const ov = document.getElementById('pay-processing-overlay');
+  ov.style.display = 'flex';
+  PROC_STEPS.forEach(s => {
+    const el = document.getElementById(s);
+    el.classList.remove('active','done');
+  });
+  document.getElementById('pay-proc-icon').textContent = '🔒';
+  document.getElementById('pay-proc-title').textContent = 'Processing Payment';
+  document.getElementById('pay-proc-sub').textContent = 'Please wait — do not close the app';
+  // Animate steps
+  let i = 0;
+  procTimer = setInterval(() => {
+    if (i > 0) document.getElementById(PROC_STEPS[i-1]).classList.replace('active','done');
+    if (i < PROC_STEPS.length) {
+      document.getElementById(PROC_STEPS[i]).classList.add('active');
+      i++;
+    } else { clearInterval(procTimer); }
+  }, 700);
+}
+
+function hideProcessingOverlay() {
+  clearInterval(procTimer);
+  document.getElementById('pay-processing-overlay').style.display = 'none';
+}
+
+function showPayResult(type, data) {
+  hideProcessingOverlay();
+  const ov = document.getElementById('pay-success-overlay');
+  const wrap = document.getElementById('pay-result-wrap');
+  ov.style.display = 'flex';
+
+  if (type === 'success') {
+    const newBal = parseFloat(S.user?.tokens || 0);
+    wrap.innerHTML = `
+      <span class="pay-result-icon">🎉</span>
+      <div class="pay-result-title success">Payment Approved!</div>
+      <div class="pay-balance-bump">+${data.tokens_added}&nbsp;${tokenCoin(28)}</div>
+      <div style="font-size:14px;color:var(--text2);margin-bottom:4px">New Balance</div>
+      <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:26px;color:var(--gold2);margin-bottom:16px">${data.new_balance !== undefined ? data.new_balance : parseFloat(S.user?.tokens||0)} Tokens</div>
+      <div class="pay-result-detail">
+        <strong>Amount charged:</strong> $${data.amount || ''}<br>
+        <strong>Platform:</strong> ${data.platform || ''}<br>
+        <strong>Game alias:</strong> <span style="color:var(--cyan)">${data.alias || ''}</span><br>
+        ${data.card ? `<strong>Card:</strong> ${data.card}` : ''}
+      </div>
+      <div class="pay-result-btns">
+        <button class="btn btn-gold" onclick="closePayResult();showPage('home')">🎰 PLAY NOW!</button>
+        <button class="btn btn-outline" onclick="closePayResult();showPage('buy')" style="padding:10px;font-size:15px">Buy More Tokens</button>
+      </div>`;
+  } else if (type === 'manual') {
+    wrap.innerHTML = `
+      <span class="pay-result-icon">⏳</span>
+      <div class="pay-result-title pending">Request Submitted!</div>
+      <div style="font-size:14px;color:var(--text2);margin:12px 0 4px">Tokens pending — awaiting payment confirmation</div>
+      <div style="display:flex;align-items:center;justify-content:center;gap:8px;font-family:'Exo 2',sans-serif;font-weight:900;font-size:40px;color:var(--gold);margin-bottom:4px">${data.tokens}${tokenCoin(36)}</div>
+      <div style="font-size:14px;color:var(--text2);margin-bottom:16px">will be added to your account once payment is received</div>
+      <div class="pay-result-detail">
+        Order <strong style="color:var(--cyan)">#${data.purchase_id}</strong> received.<br><br>
+        <strong style="color:var(--gold)">📲 Next steps:</strong><br>
+        1. Send <strong>$${data.amount}</strong> via <strong>${data.method}</strong><br>
+        2. Include your order # <strong style="color:var(--cyan)">#${data.purchase_id}</strong> in the memo<br>
+        3. Tokens are credited <strong>within a few minutes</strong> after we confirm receipt<br><br>
+        <span style="color:var(--text2);font-size:14px">⚠️ Your token balance will not change until payment is verified by our team.</span>
+      </div>
+      <div class="pay-result-btns">
+        <button class="btn btn-gold" onclick="closePayResult();showPage('home')">GOT IT — HOME</button>
+        <button class="btn btn-outline" onclick="closePayResult();showPage('chat')" style="padding:10px;font-size:15px">💬 Contact Support</button>
+      </div>`;
+  } else {
+    wrap.innerHTML = `
+      <span class="pay-result-icon">❌</span>
+      <div class="pay-result-title error">Payment Failed</div>
+      <div class="pay-result-detail">${data.error || 'Your payment could not be processed. Please check your card details and try again.'}</div>
+      <div class="pay-result-btns">
+        <button class="btn btn-gold" onclick="closePayResult()">TRY AGAIN</button>
+        <button class="btn btn-outline" onclick="closePayResult();showPage('chat')" style="padding:10px;font-size:15px">💬 Contact Support</button>
+      </div>`;
+  }
+}
+
+function closePayResult() {
+  document.getElementById('pay-success-overlay').style.display = 'none';
+}
+
+async function submitPayment() {
+  const btn = document.getElementById('pay-submit-btn');
+  const al  = document.getElementById('buy-alert');
+
+  const platformId   = document.getElementById('buy-platform').value;
+  const gameAlias    = document.getElementById('buy-alias').value.trim();
+  const platformName = platformId ? CFG.platforms.find(p=>p.id===platformId)?.name || platformId : '';
+
+  if (!platformId)     { showAlert(al, 'Please select a gaming platform.', 'error'); return; }
+  if (!gameAlias)      { showAlert(al, 'Please enter your in-game alias.', 'error'); return; }
+  if (!S.pkg)          { showAlert(al, 'Please select a token package or enter a custom amount.', 'error'); return; }
+  if (S.pkg.price < 1) { showAlert(al, 'Minimum purchase is $1.', 'error'); return; }
+
+  const billing = {
+    first_name: (document.getElementById('card-first-name')?.value || '').trim(),
+    last_name:  (document.getElementById('card-last-name')?.value  || '').trim(),
+    address:    (document.getElementById('card-address')?.value    || '').trim(),
+    city:       (document.getElementById('card-city')?.value       || '').trim(),
+    state:      (document.getElementById('card-state')?.value      || '').trim().toUpperCase(),
+    zip:        (document.getElementById('card-zip')?.value        || '').trim(),
+    email:      (document.getElementById('card-email')?.value      || '').trim(),
+  };
+
+  if (S.method === 'card') {
+    if (!billing.first_name || !billing.last_name) { showAlert(al, 'Please enter the name on your card.', 'error'); return; }
+    if (!billing.zip) { showAlert(al, 'Billing ZIP code is required.', 'error'); return; }
+  }
+
+  btn.disabled = true;
+  hideAlert(al);
+
+  // ── Card tokenize BEFORE showing overlay (Square SDK needs DOM visible)
+  let sourceId = '';
+  if (S.method === 'card') {
+    if (!S.sqCard) { showAlert(al,'Card form not ready. Please refresh.','error'); btn.disabled=false; return; }
+    try {
+      const result = await S.sqCard.tokenize();
+      if (result.status !== 'OK') {
+        showAlert(al, result.errors?.[0]?.message || 'Card declined. Check your card details.', 'error');
+        btn.disabled=false; return;
+      }
+      sourceId = result.token;
+    } catch { showAlert(al,'Payment error. Try again.','error'); btn.disabled=false; return; }
+  }
+
+  // ── Show full-screen processing overlay
+  showProcessingOverlay();
+
+  try {
+    const d = await api('/api/purchase.php', {
+      source_id:   sourceId,
+      tokens:      S.pkg.tokens,
+      price_cents: S.pkg.price * 100,
+      method:      S.method,
+      platform_id: platformId,
+      game_alias:  gameAlias,
+      player_name: S.user?.alias || '',
+      is_custom:   S.customPkg || false,
+      billing,
+    });
+
+    // Mark all steps done
+    PROC_STEPS.forEach(s => {
+      const el = document.getElementById(s);
+      el.classList.remove('active');
+      el.classList.add('done');
+    });
+    await new Promise(r => setTimeout(r, 600)); // brief pause for visual satisfaction
+
+    if (d.success) {
+      // Update local token balance immediately from API response
+      if (d.new_balance !== undefined && S.user) {
+        S.user.tokens = d.new_balance;
+        updateUI();
+      }
+      await refreshUser(); // then sync full user object from server
+      // Auto-save billing if checkbox checked
+      const saveCb = document.getElementById('save-billing-cb');
+      if (saveCb?.checked && billing.first_name && S.method === 'card') {
+        const cardBrand = d.card_brand || '';
+        const cardLast4 = d.card_last4 || '';
+        await api('/api/billing.php?action=save', { ...billing, card_brand: cardBrand, card_last4: cardLast4 });
+      }
+      // Auto-save game alias for this platform
+      if (gameAlias && platformId) {
+        savedAliases[platformId] = gameAlias;
+        api('/api/game_aliases.php?action=save', { platform_slug: platformId, alias: gameAlias }).catch(()=>{});
+      }
+      // Reset form
+      const ci = document.getElementById('custom-amt');
+      if (ci) ci.value = '';
+      document.getElementById('custom-amt-equiv').style.display = 'none';
+      document.getElementById('order-summary').style.display = 'none';
+
+      if (d.manual) {
+        // Manual payment (Venmo, Zelle, Cash App, Chime) — pending admin approval
+        const methodLabels = { venmo:'Venmo', chime:'Chime', cashapp:'Cash App', zelle:'Zelle' };
+        showPayResult('manual', {
+          tokens:      S.pkg.tokens,
+          amount:      (S.pkg.price).toFixed(2),
+          method:      (CFG.payLabels && CFG.payLabels[S.method]) || methodLabels[S.method] || S.method,
+          purchase_id: d.purchase_id,
+        });
+      } else {
+        // Card payment — tokens credited immediately
+        const newBalance = d.new_balance !== undefined ? parseFloat(d.new_balance) : parseFloat(S.user?.tokens || 0);
+        showPayResult('success', {
+          tokens_added: d.tokens_added || S.pkg.tokens,
+          new_balance:  newBalance,
+          amount:       (S.pkg.price).toFixed(2),
+          platform:     platformName,
+          alias:        gameAlias,
+          card:         d.card_brand ? d.card_brand + ' ····' + d.card_last4 : null,
+        });
+      }
+    } else {
+      showPayResult('error', { error: d.error || 'Payment failed.' });
+    }
+  } catch {
+    hideProcessingOverlay();
+    showAlert(al, 'Network error. Please try again.', 'error');
+  }
+
+  btn.disabled = false;
+}
+
+// ─── PROFILE TABS ─────────────────────────────────────────
+function switchProfileTab(name, btn) {
+  document.querySelectorAll('.profile-tab').forEach(b => b.classList.remove('active'));
+  document.querySelectorAll('.profile-tab-panel').forEach(p => p.classList.remove('active'));
+  btn?.classList.add('active');
+  document.getElementById('ptab-'+name)?.classList.add('active');
+  if (name === 'billing')  loadBillingProfile();
+  if (name === 'account')  populateAccount();
+  if (name === 'games')    loadGameAliases();
+  if (name === 'payout')   { loadPayoutMethods(); loadCashoutMethodTypes(); }
+  if (name === 'activity') loadActivityDashboard();
+  if (name === 'referrals') loadReferralDashboard();
+  if (name === 'logins')   { loadPlatformLogins(); populatePlatformSelect('req-platform-slug'); }
+  if (name === 'logins')   loadPlatformLogins();
+}
+
+// ─── BROADCASTS (PLAYER) ───────────────────────────────────
+async function loadBroadcasts_player() {
+  const el = document.getElementById('broadcasts-list');
+  const d  = await api('/api/broadcast.php?action=list');
+  if (!d.success || !d.broadcasts.length) {
+    el.innerHTML = '<div style="text-align:center;padding:40px;color:var(--text2)"><div style="font-size:40px;margin-bottom:12px">📢</div><div style="font-size:14px">No announcements yet.</div><div style="font-size:14px;margin-top:4px">Check back later for news and updates.</div></div>';
+    return;
+  }
+  el.innerHTML = d.broadcasts.map(b => {
+    const unread = parseInt(b.is_read) === 0;
+    return `<div class="bc-card${unread?' unread':''}" id="bc-card-${b.id}">
+      <div class="bc-header">
+        <div class="bc-avatar">📢</div>
+        <div style="flex:1;min-width:0">
+          <div style="display:flex;align-items:center;gap:8px">
+            <div class="bc-subject">${escHtml(b.subject)}</div>
+            ${unread?'<span style="font-size:15px;font-weight:700;color:var(--gold);background:rgba(240,192,64,.15);border:1px solid rgba(240,192,64,.3);border-radius:4px;padding:2px 6px">NEW</span>':''}
+          </div>
+          <div class="bc-meta">From <strong>${escHtml(b.sender_name)}</strong> · ${(b.sent_at||'').substring(0,16)}</div>
+        </div>
+      </div>
+      <div class="bc-body">${escHtml(b.message)}</div>
+      <div class="bc-footer">
+        <button onclick="toggleBcReplies(${b.id})" style="background:none;border:none;color:var(--cyan);font-size:14px;font-weight:700;cursor:pointer;padding:0">
+          💬 ${b.reply_count} repl${parseInt(b.reply_count)!==1?'ies':'y'}
+        </button>
+        <span style="color:var(--text2);font-size:15px">👁 ${b.read_count} read</span>
+      </div>
+      <div class="bc-reply-wrap" id="bc-replies-${b.id}">
+        <div class="bc-replies-list" id="bc-rlist-${b.id}"></div>
+        <div style="display:flex;flex-direction:column;gap:8px">
+          <textarea id="bc-rinput-${b.id}" rows="3" placeholder="Write a reply..." style="width:100%;box-sizing:border-box;background:var(--bg3);border:1px solid var(--border);border-radius:10px;padding:12px 14px;color:var(--text);font-family:'Rajdhani',sans-serif;font-size:14px;resize:none;outline:none;transition:border-color .15s" onfocus="this.style.borderColor='var(--cyan)'" onblur="this.style.borderColor=''" onkeydown="if(event.key==='Enter'&&event.ctrlKey){event.preventDefault();playerBcReply(${b.id});}"></textarea>
+          <div style="display:flex;justify-content:space-between;align-items:center">
+            <span style="font-size:15px;color:var(--text2)">Ctrl+Enter to send</span>
+            <button class="btn btn-gold" onclick="playerBcReply(${b.id})" style="padding:10px 20px;font-size:15px">
+              <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2.5" width="14" height="14" style="margin-right:5px"><line x1="22" y1="2" x2="11" y2="13"/><polygon points="22 2 15 22 11 13 2 9 22 2"/></svg>SEND REPLY
+            </button>
+          </div>
+        </div>
+      </div>
+    </div>`;
+  }).join('');
+  // Mark all as read
+  d.broadcasts.forEach(b => {
+    if (!parseInt(b.is_read)) {
+      api('/api/broadcast.php?action=mark_read',{broadcast_id:b.id}).catch(()=>{});
+    }
+  });
+  pollBroadcastBadge();
+}
+
+async function toggleBcReplies(id) {
+  const wrap = document.getElementById('bc-replies-'+id);
+  const isOpen = wrap.classList.contains('open');
+  wrap.classList.toggle('open', !isOpen);
+  if (!isOpen) await loadBcReplies_player(id);
+}
+
+async function loadBcReplies_player(id) {
+  const el = document.getElementById('bc-rlist-'+id);
+  el.innerHTML = '<div style="color:var(--text2);font-size:14px;padding:8px">Loading...</div>';
+  const d = await api('/api/broadcast.php?action=replies&broadcast_id='+id);
+  if (!d.success||!d.replies.length) { el.innerHTML='<div style="color:var(--text2);font-size:14px;padding:8px;text-align:center">No replies yet — be the first!</div>'; return; }
+  el.innerHTML = d.replies.map(r => {
+    const isAdm = parseInt(r.is_admin);
+    return `<div class="bc-reply-row">
+      <div style="width:28px;height:28px;border-radius:50%;background:${isAdm?'linear-gradient(135deg,#f0c040,#d4a017)':'linear-gradient(135deg,#7b2fbe,#457b9d)'};display:flex;align-items:center;justify-content:center;font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px;color:#fff;flex-shrink:0">${(r.username||'?').charAt(0).toUpperCase()}</div>
+      <div class="bc-reply-bubble">
+        <div class="bc-reply-who${isAdm?' admin':''}">${escHtml(r.username)}${isAdm?' 🔑':''} <span style="font-weight:400;color:var(--text2)">· ${(r.created_at||'').substring(11,16)}</span></div>
+        <div class="bc-reply-msg">${escHtml(r.message)}</div>
+      </div>
+    </div>`;
+  }).join('');
+}
+
+async function playerBcReply(id) {
+  const input = document.getElementById('bc-rinput-'+id);
+  const msg   = input.value.trim();
+  if (!msg) return;
+  input.value = '';
+  input.style.borderColor = '';
+  const d = await api('/api/broadcast.php?action=reply',{broadcast_id:id,message:msg});
+  if (d.success) {
+    await loadBcReplies_player(id);
+    // Update reply count
+    const card = document.getElementById('bc-card-'+id);
+    if (card) {
+      const btn = card.querySelector('.bc-footer button');
+      if (btn) {
+        const current = parseInt(btn.textContent.match(/\d+/)?.[0]||0) + 1;
+        btn.textContent = `💬 ${current} repl${current!==1?'ies':'y'}`;
+      }
+    }
+  }
+}
+
+async function pollBroadcastBadge() {
+  try {
+    const d = await api('/api/broadcast.php?action=unread_count');
+    const badge = document.getElementById('broadcast-nav-badge');
+    if (badge) badge.style.display = d.count > 0 ? 'block' : 'none';
+  } catch(e) {}
+}
+const PAYOUT_ICONS = { venmo:'💙', cashapp:'💚', zelle:'💜', chime:'🟢', bank:'🏦', other:'💰' };
+const PAYOUT_LABELS = { venmo:'Venmo', cashapp:'Cash App', zelle:'Zelle', chime:'Chime', bank:'Bank Transfer', other:'Other' };
+let payoutMethods = [];
+
+function prefillCashoutAlias(platformId) {
+  const input = document.getElementById('cashout-alias');
+  if (!input) return;
+  input.value = (platformId && savedAliases[platformId]) ? savedAliases[platformId] : '';
+}
+
+function saveCashoutAlias() {
+  const platformId = document.getElementById('cashout-platform')?.value;
+  const alias      = document.getElementById('cashout-alias')?.value.trim();
+  if (!platformId || !alias || !S.user) return;
+  savedAliases[platformId] = alias;
+  api('/api/game_aliases.php?action=save', { platform_slug: platformId, alias }).catch(() => {});
+}
+
+async function loadPayoutMethods() {
+  const el = document.getElementById('payout-methods-list');
+  const d  = await api('/api/payout_methods.php?action=list');
+  payoutMethods = d.success ? (d.methods || []) : [];
+  renderPayoutMethodsList(el, payoutMethods);
+}
+
+async function loadCashoutPayoutMethods() {
+  const el   = document.getElementById('cashout-payout-list');
+  const noEl = document.getElementById('cashout-no-payout');
+  const d    = await api('/api/payout_methods.php?action=list');
+  payoutMethods = d.success ? (d.methods || []) : [];
+  if (!payoutMethods.length) {
+    if (el) el.innerHTML = '';
+    if (noEl) noEl.style.display = 'block';
+    return;
+  }
+  if (noEl) noEl.style.display = 'none';
+  if (el) {
+    el.innerHTML = payoutMethods.map(m => `
+      <label style="display:flex;align-items:center;gap:10px;background:${parseInt(m.is_default)?'rgba(0,229,255,.07)':'var(--bg3)'};border:1px solid ${parseInt(m.is_default)?'rgba(0,229,255,.25)':'var(--border)'};border-radius:8px;padding:10px 12px;margin-bottom:6px;cursor:pointer">
+        <input type="radio" name="cashout-payout" value="${m.id}" ${parseInt(m.is_default)?'checked':''} style="accent-color:var(--cyan)">
+        <span style="font-size:18px">${PAYOUT_ICONS[m.method_type]||'💰'}</span>
+        <div style="flex:1;min-width:0">
+          <div style="font-weight:700;font-size:15px">${escHtml(m.label)}</div>
+          <div style="font-size:14px;color:var(--text2)">${escHtml(m.account_handle)}</div>
+        </div>
+        ${parseInt(m.is_default)?'<span style="font-size:14px;font-weight:700;color:var(--cyan);border:1px solid rgba(0,229,255,.2);border-radius:4px;padding:2px 7px">DEFAULT</span>':''}
+      </label>`).join('');
+  }
+}
+
+function renderPayoutMethodsList(el) {
+  if (!el) return;
+  if (!payoutMethods.length) {
+    el.innerHTML = '<div style="color:var(--text2);font-size:15px;text-align:center;padding:16px">No payout methods saved yet.</div>';
+    return;
+  }
+  el.innerHTML = payoutMethods.map(m => `
+    <div style="display:flex;align-items:center;gap:10px;background:${parseInt(m.is_default)?'rgba(0,229,255,.07)':'var(--bg3)'};border:1px solid ${parseInt(m.is_default)?'rgba(0,229,255,.25)':'var(--border)'};border-radius:10px;padding:12px 14px;margin-bottom:8px">
+      <span style="font-size:22px">${PAYOUT_ICONS[m.method_type]||'💰'}</span>
+      <div style="flex:1;min-width:0">
+        <div style="font-weight:700;font-size:14px">${escHtml(m.label)}
+          ${parseInt(m.is_default)?'<span style="font-size:14px;font-weight:700;color:var(--cyan);border:1px solid rgba(0,229,255,.2);border-radius:4px;padding:2px 7px;margin-left:6px">DEFAULT</span>':''}
+        </div>
+        <div style="font-size:14px;color:var(--text2)">${PAYOUT_LABELS[m.method_type]||m.method_type} · ${escHtml(m.account_handle)}</div>
+      </div>
+      <div style="display:flex;gap:6px;flex-shrink:0">
+        ${!parseInt(m.is_default)?`<button onclick="setDefaultPayout(${m.id})" style="background:rgba(0,229,255,.08);border:1px solid rgba(0,229,255,.2);color:var(--cyan);border-radius:6px;padding:5px 10px;font-size:15px;font-weight:700;cursor:pointer;border:none">Set Default</button>`:''}
+        <button onclick="deletePayoutMethod(${m.id})" style="background:rgba(255,68,68,.08);border:1px solid rgba(255,68,68,.2);color:var(--red);border-radius:6px;padding:5px 10px;font-size:15px;font-weight:700;cursor:pointer">✕</button>
+      </div>
+    </div>`).join('');
+}
+
+async function addPayoutMethod() {
+  const al     = document.getElementById('payout-add-alert');
+  const type   = document.getElementById('payout-type-new').value;
+  const label  = document.getElementById('payout-label-new').value.trim();
+  const handle = document.getElementById('payout-handle-new').value.trim();
+  if (!label || !handle) { showAlert(al,'Please fill in all fields.','error'); return; }
+  const d = await api('/api/payout_methods.php?action=add', { method_type:type, label, account_handle:handle, is_default: payoutMethods.length===0 ? 1 : 0 });
+  if (d.success) {
+    document.getElementById('payout-label-new').value = '';
+    document.getElementById('payout-handle-new').value = '';
+    showAlert(al,'✓ Payout method saved!','success');
+    setTimeout(() => { al.className='alert'; al.textContent=''; }, 3000);
+    loadPayoutMethods();
+  } else showAlert(al, d.error||'Error saving','error');
+}
+
+async function setDefaultPayout(id) {
+  const d = await api('/api/payout_methods.php?action=set_default', { id });
+  if (d.success) { loadPayoutMethods(); loadCashoutPayoutMethods(); }
+}
+
+async function deletePayoutMethod(id) {
+  if (!confirm('Remove this payout method?')) return;
+  const d = await api('/api/payout_methods.php?action=delete', { id });
+  if (d.success) { loadPayoutMethods(); loadCashoutPayoutMethods(); }
+}
+
+function getSelectedPayoutId() {
+  const sel = document.querySelector('input[name="cashout-payout"]:checked');
+  return sel ? parseInt(sel.value) : null;
+}
+
+
+// ─── TOKEN COIN SVG ────────────────────────────────────────
+function tokenCoin(size) {
+  size = size || 22;
+  const s = size, r = s/2, ri = r*0.72, sh = r*0.14;
+  const id = 'tcg' + Math.random().toString(36).slice(2,6);
+  return `<svg width="${s}" height="${s+Math.round(sh*1.5)}" viewBox="0 0 ${s} ${s+Math.round(sh*1.5)}" style="display:inline-block;vertical-align:middle;flex-shrink:0" aria-label="token">
+    <defs>
+      <radialGradient id="cf${id}" cx="42%" cy="38%" r="58%">
+        <stop offset="0%" stop-color="#ffe87a"/>
+        <stop offset="50%" stop-color="#f0c040"/>
+        <stop offset="100%" stop-color="#c8900a"/>
+      </radialGradient>
+      <radialGradient id="ce${id}" cx="50%" cy="50%" r="50%">
+        <stop offset="65%" stop-color="#b07a18"/>
+        <stop offset="100%" stop-color="#7a5008"/>
+      </radialGradient>
+    </defs>
+    <ellipse cx="${r}" cy="${r+sh*1.5}" rx="${ri*0.7}" ry="${sh*0.6}" fill="rgba(0,0,0,0.18)"/>
+    <circle cx="${r}" cy="${r+sh}" r="${ri}" fill="url(#ce${id})"/>
+    <circle cx="${r}" cy="${r}" r="${ri}" fill="url(#cf${id})"/>
+    <circle cx="${r}" cy="${r}" r="${ri}" fill="none" stroke="#ffe87a" stroke-width="${s*0.04}" opacity="0.55"/>
+    <circle cx="${r}" cy="${r}" r="${ri*0.73}" fill="none" stroke="#c8900a" stroke-width="${s*0.025}" opacity="0.4"/>
+    <text x="${r}" y="${r+s*0.1}" font-family="'Exo 2',sans-serif" font-weight="900" font-size="${s*0.42}px" fill="#7a5008" text-anchor="middle" opacity="0.9">T</text>
+    <ellipse cx="${r*0.6}" cy="${r*0.55}" rx="${ri*0.28}" ry="${ri*0.15}" fill="rgba(255,255,220,0.38)" transform="rotate(-28 ${r*0.6} ${r*0.55})"/>
+  </svg>`;
+}
+
+// Replace all 🪙 emoji in text nodes with coin SVG
+function coinify(el) {
+  if (!el) return;
+  el.innerHTML = el.innerHTML.replace(/🪙/g, tokenCoin(20));
+}
+
+// ─── ONBOARDING MODAL ─────────────────────────────────────
+let obSelectedPlatforms = new Set();
+
+function showOnboardingIfNeeded() {
+  if (!S.user) return;
+  // Show once: only for verified players who haven't completed onboarding
+  if (S.user.email_verified && !parseInt(S.user.onboarding_done||0) && !S.user.is_admin) {
+    setTimeout(() => {
+      document.getElementById('onboarding-overlay').style.display = 'block';
+      obLoadPlatforms();
+    }, 800);
+  }
+}
+
+async function obLoadPlatforms() {
+  const d = await api('/api/platforms.php?action=list').catch(()=>({success:false}));
+  if (!d.success) return;
+  // Also load existing requests to skip already-requested ones
+  const existing = await api('/api/platform_accounts.php?action=my_accounts').catch(()=>({accounts:[]}));
+  const existingSlugs = new Set((existing.accounts||[]).filter(a=>['pending','approved'].includes(a.status)).map(a=>a.platform_slug));
+  const el = document.getElementById('ob-platforms-list');
+  if (!el || !d.platforms.length) return;
+  el.innerHTML = d.platforms.filter(p => !existingSlugs.has(p.id)).map(p => `
+    <label style="display:flex;align-items:center;gap:10px;padding:10px 12px;background:var(--bg3);border:1px solid var(--border);border-radius:8px;margin-bottom:6px;cursor:pointer" id="ob-plat-${p.id}">
+      <input type="checkbox" value="${p.id}" data-name="${escHtml(p.name)}"
+        onchange="obTogglePlatform('${p.id}',this.checked,'ob-plat-${p.id}')"
+        style="accent-color:var(--gold);width:16px;height:16px;flex-shrink:0">
+      <div style="width:10px;height:10px;border-radius:50%;background:${p.color};flex-shrink:0"></div>
+      <span style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:14px">${escHtml(p.name)}</span>
+    </label>`).join('') || '<div style="color:var(--text2);text-align:center;padding:12px;font-size:15px">No platforms available to request.</div>';
+}
+
+function obTogglePlatform(id, checked, labelId) {
+  if (checked) obSelectedPlatforms.add(id);
+  else obSelectedPlatforms.delete(id);
+  const lbl = document.getElementById(labelId);
+  if (lbl) lbl.style.borderColor = checked ? 'rgba(240,192,64,.4)' : 'var(--border)';
+}
+
+function obShowStep2() {
+  document.getElementById('ob-step1').style.display = 'none';
+  document.getElementById('ob-step2').style.display = 'block';
+  obLoadPlatforms();
+}
+
+function obRequestNew() {
+  obShowStep2();
+}
+
+async function obSubmitRequests() {
+  const al = document.getElementById('ob-alert');
+  if (obSelectedPlatforms.size === 0) { showAlert(al,'Select at least one platform.','error'); return; }
+  let ok = 0;
+  for (const slug of obSelectedPlatforms) {
+    const name = document.querySelector(`input[value="${slug}"]`)?.dataset.name || slug;
+    const d = await api('/api/platform_accounts.php?action=request', { platform_slug: slug, platform_name: name });
+    if (d.success) ok++;
+  }
+  if (ok > 0) {
+    showAlert(al, `✓ ${ok} request${ok>1?'s':''} submitted! Our team will create your accounts shortly.`, 'success');
+    await api('/api/platform_accounts.php?action=skip_onboarding', {});
+    setTimeout(obDismiss, 2500);
+  } else showAlert(al, 'Something went wrong. Try again.', 'error');
+}
+
+async function obDismiss() {
+  document.getElementById('onboarding-overlay').style.display = 'none';
+  await api('/api/platform_accounts.php?action=skip_onboarding', {}).catch(()=>{});
+  if (S.user) S.user.onboarding_done = 1;
+}
+
+function obSkip() { obDismiss(); }
+
+// ─── PLATFORM LOGINS (Profile tab) ────────────────────────
+async function loadPlatformLogins() {
+  const el = document.getElementById('platform-logins-list');
+  if (!el) return;
+  el.innerHTML = '<div style="color:var(--text2);font-size:15px;text-align:center;padding:16px">Loading...</div>';
+  const d = await api('/api/platform_accounts.php?action=my_accounts');
+  if (!d.success) { el.innerHTML = '<div style="color:var(--text2);font-size:15px;text-align:center;padding:16px">Unable to load.</div>'; return; }
+
+  // Populate request dropdown - exclude already requested/approved
+  const existing = new Set(d.accounts.filter(a=>['pending','approved'].includes(a.status)).map(a=>a.platform_slug));
+  const sel = document.getElementById('req-platform-slug');
+  if (sel && CFG.platforms.length) {
+    sel.innerHTML = '<option value="">— Select Platform —</option>' +
+      CFG.platforms.filter(p => !existing.has(p.id)).map(p =>
+        `<option value="${p.id}" data-name="${escHtml(p.name)}">${escHtml(p.name)}</option>`
+      ).join('');
+  }
+
+  if (!d.accounts.length) {
+    el.innerHTML = '<div style="color:var(--text2);font-size:15px;text-align:center;padding:20px">No platform account requests yet.<br><span style="font-size:15px">Use the form below to request one.</span></div>';
+    return;
+  }
+
+  const STATUS_INFO = {
+    pending:  { icon:'⏳', label:'Awaiting Approval',   cls:'ac-pending', msg:'Our team will review and create your account shortly.' },
+    approved: { icon:'✅', label:'Account Ready',        cls:'ac-completed', msg:'' },
+    denied:   { icon:'❌', label:'Request Denied',       cls:'ac-failed', msg:'Contact support for more info.' },
+    deleted:  { icon:'🗑', label:'Deleted',              cls:'ac-failed', msg:'' },
+  };
+
+  el.innerHTML = d.accounts.map(a => {
+    const si = STATUS_INFO[a.status] || STATUS_INFO.pending;
+    const canDelete = a.status === 'pending';
+    const showCreds = a.status === 'approved' && a.provided_username;
+    return `<div class="activity-card" style="margin-bottom:10px;flex-direction:column;gap:0">
+      <div style="display:flex;gap:12px;align-items:flex-start;width:100%">
+        <div class="activity-icon" style="background:rgba(240,192,64,.1)">${si.icon}</div>
+        <div style="flex:1;min-width:0">
+          <div class="activity-title">${escHtml(a.display_name||a.platform_slug)}</div>
+          <span class="activity-status ${si.cls}">${si.label}</span>
+          ${a.admin_note ? `<div style="font-size:15px;color:var(--gold);margin-top:4px">📝 ${escHtml(a.admin_note)}</div>` : ''}
+          ${si.msg ? `<div style="font-size:15px;color:var(--text2);margin-top:4px">${si.msg}</div>` : ''}
+        </div>
+        ${canDelete ? `<button onclick="deletePlatformRequest(${a.id})" style="background:none;border:none;color:var(--red);cursor:pointer;font-size:18px;padding:0;flex-shrink:0">✕</button>` : ''}
+      </div>
+      ${showCreds ? `
+      <div style="margin-top:12px;background:rgba(0,229,255,.06);border:1px solid rgba(0,229,255,.2);border-radius:8px;padding:12px 14px;width:100%">
+        <div style="font-size:15px;font-weight:700;color:var(--cyan);margin-bottom:8px;letter-spacing:.5px">🔑 YOUR LOGIN CREDENTIALS</div>
+        <div style="display:grid;grid-template-columns:auto 1fr;gap:6px 12px;font-size:15px">
+          <span style="color:var(--text2)">Username:</span>
+          <span style="font-weight:700;color:var(--text);font-family:monospace">${escHtml(a.provided_username)}</span>
+          <span style="color:var(--text2)">Password:</span>
+          <span style="font-weight:700;color:var(--gold);font-family:monospace;cursor:pointer" onclick="this.style.filter='none'" style="filter:blur(5px)" title="Tap to reveal">${escHtml(a.provided_password)}</span>
+        </div>
+        <div style="font-size:14px;color:var(--text2);margin-top:8px">⚠️ Keep your credentials secure. Tap password to reveal.</div>
+        ${a.player_url ? `<a href="${escHtml(a.player_url)}" target="_blank" class="btn btn-gold" style="display:block;text-align:center;margin-top:10px;padding:8px;font-size:15px;text-decoration:none">▶ Play ${escHtml(a.display_name)}</a>` : ''}
+      </div>` : ''}
+    </div>`;
+  }).join('');
+}
+
+async function requestPlatformAccount() {
+  const sel  = document.getElementById('req-platform-slug');
+  const al   = document.getElementById('req-platform-alert');
+  const slug = sel?.value;
+  const name = sel?.options[sel.selectedIndex]?.dataset.name || slug;
+  if (!slug) { showAlert(al,'Select a platform.','error'); return; }
+  const d = await api('/api/platform_accounts.php?action=request', { platform_slug: slug, platform_name: name });
+  if (d.success) {
+    showAlert(al,'✓ Request submitted! We\'ll create your account shortly.','success');
+    setTimeout(() => { al.className='alert'; al.textContent=''; }, 3500);
+    loadPlatformLogins();
+  } else showAlert(al, d.error||'Request failed','error');
+}
+
+async function deletePlatformRequest(id) {
+  if (!confirm('Cancel this account request?')) return;
+  const d = await api('/api/platform_accounts.php?action=delete_request', { id });
+  if (d.success) loadPlatformLogins();
+}
+let cashoutMethodTypes = [];
+
+// ─── REFERRAL SYSTEM ──────────────────────────────────────
+let _refData = null;
+
+// Capture ?ref= code from URL on page load
+const _urlRef = new URLSearchParams(window.location.search).get('ref') || '';
+
+async function loadReferralDashboard() {
+  const d = await api('/api/referrals.php?action=status');
+  if (!d.success) {
+    const inp = document.getElementById('referral-link-input');
+    if (inp) inp.placeholder = d.error || 'Please log in to see your referral link';
+    return;
+  }
+  _refData = d;
+
+  // Referral link — build URL defensively
+  const inp = document.getElementById('referral-link-input');
+  if (inp) {
+    const code = d.referral_code || '';
+    const url  = code
+      ? (d.referral_url || ('https://tomtomgames.com/?ref=' + code))
+      : '';
+    inp.value = url;
+    inp.placeholder = code ? '' : 'Generating your referral link...';
+    // If no code yet, retry in 2 seconds
+    if (!code) setTimeout(loadReferralDashboard, 2000);
+  }
+
+  // Stats
+  setText('ref-count',  d.verified_count || 0);
+  setText('ref-earned', d.total_earned   || 0);
+  setText('ref-tier',   d.current_tier?.name || '—');
+
+  // Next tier progress
+  if (d.next_tier) {
+    const nextEl   = document.getElementById('ref-next-tier');
+    const labelEl  = document.getElementById('ref-next-label');
+    const barEl    = document.getElementById('ref-progress-bar');
+    const curr     = d.current_tier?.min_referrals || 0;
+    const next     = d.next_tier.min_referrals;
+    const count    = d.verified_count || 0;
+    const pct      = Math.min(100, Math.round(((count - curr) / (next - curr)) * 100));
+    if (nextEl) nextEl.style.display = 'block';
+    if (labelEl) labelEl.textContent = `${count}/${next} referrals to ${d.next_tier.name} (+${d.next_tier.tokens_per_ref} tokens/ref)`;
+    if (barEl)   barEl.style.width   = pct + '%';
+  }
+
+  // Tiers list
+  const tiersEl = document.getElementById('ref-tiers-list');
+  if (tiersEl) {
+    const tiers = await api('/api/referrals.php?action=tiers');
+    if (tiers.success) {
+      tiersEl.innerHTML = (tiers.tiers || []).map(t => `
+        <div style="display:flex;align-items:center;gap:10px;padding:10px 0;border-bottom:1px solid var(--border)">
+          <div style="flex:1">
+            <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;color:${d.current_tier?.id==t.id?'var(--gold)':'var(--text)'}">${escHtml(t.name)} ${d.current_tier?.id==t.id?'★':''}</div>
+            <div style="font-size:15px;color:var(--text2)">${escHtml(t.description||'')}</div>
+          </div>
+          <div style="text-align:right;font-size:14px">
+            <div style="font-weight:700;color:var(--green)">${t.tokens_per_ref} tokens/ref</div>
+            ${t.bonus_tokens>0?'<div style="color:var(--gold);font-size:15px">+'+t.bonus_tokens+' bonus</div>':''}
+            <div style="color:var(--text2);font-size:14px">${t.min_referrals} referrals</div>
+          </div>
+        </div>`).join('') || '<div style="color:var(--text2);font-size:15px">No tiers configured.</div>';
+    }
+  }
+
+  // My referrals list
+  const refListEl = document.getElementById('ref-list');
+  if (refListEl) {
+    const refs = d.referrals || [];
+    if (!refs.length) {
+      refListEl.innerHTML = '<div style="color:var(--text2);font-size:15px;text-align:center;padding:12px">No referrals yet. Share your link!</div>';
+    } else {
+      refListEl.innerHTML = refs.map(r => `
+        <div style="display:flex;align-items:center;gap:10px;padding:9px 0;border-bottom:1px solid var(--border)">
+          <div style="flex:1">
+            <div style="font-size:15px;font-weight:700">${escHtml(r.alias||r.username)}</div>
+            <div style="font-size:15px;color:var(--text2)">${(r.created_at||'').substring(0,10)}</div>
+          </div>
+          <div style="text-align:right">
+            <div class="ref-status-${r.status}" style="font-size:15px;font-weight:700;text-transform:uppercase">${r.status}</div>
+            ${r.tokens_awarded>0?'<div style="color:var(--green);font-size:15px">+'+r.tokens_awarded+' tokens</div>':''}
+          </div>
+        </div>`).join('');
+    }
+  }
+
+  // Social shares
+  const sharesList = document.getElementById('ref-shares-list');
+  if (sharesList && (d.social_shares||[]).length) {
+    sharesList.innerHTML = '<div style="font-size:15px;font-weight:700;color:var(--text2);margin-bottom:6px">Submitted Shares:</div>' +
+      d.social_shares.map(s => `<div style="font-size:14px;margin-bottom:4px">${escHtml(s.platform)} — <span class="ref-status-${s.status}">${s.status}</span>${s.status==='approved'?' (+'+s.bonus_tokens+' tokens)':''}</div>`).join('');
+  }
+}
+
+function copyReferralLink() {
+  const inp = document.getElementById('referral-link-input');
+  if (!inp) return;
+  inp.select();
+  navigator.clipboard?.writeText(inp.value).catch(() => {});
+  document.execCommand('copy');
+  const msg = document.getElementById('ref-copy-msg');
+  if (msg) { msg.style.display='block'; setTimeout(()=>msg.style.display='none', 2000); }
+}
+
+async function submitShare(platform) {
+  const al = document.getElementById('ref-share-alert');
+  const d  = await api('/api/referrals.php?action=submit_share', { platform });
+  if (d.success) {
+    showAlert(al, '✓ Share submitted for ' + platform + '! Our team will review and award your bonus tokens.', 'success');
+    setTimeout(() => { al.className='alert'; al.textContent=''; }, 5000);
+    loadReferralDashboard();
+  } else showAlert(al, d.error || 'Error', 'error');
+}
+
+// Pass referral code during registration
+function getUrlRefCode() { return _urlRef; }
+
+// ─── PLATFORM LOGINS (unified) ───────────────────────────
+async function loadPlatformLogins() {
+  const el = document.getElementById('platform-logins-list');
+  if (!el) return;
+  el.innerHTML = '<div style="text-align:center;padding:16px;color:var(--text2);font-size:15px"><span class="spinner" style="border-top-color:var(--gold)"></span></div>';
+  try {
+    const d = await api('/api/platform_accounts.php?action=list');
+    if (!d.success || !d.accounts.length) {
+      el.innerHTML = '<div style="text-align:center;padding:20px;color:var(--text2);font-size:15px">No platform account requests yet. Request one below!</div>';
+      return;
+    }
+    el.innerHTML = d.accounts.map(a => buildLoginCard(a)).join('');
+  } catch(e) {
+    el.innerHTML = '<div style="color:var(--red);text-align:center;padding:16px;font-size:15px">Unable to load. Try again.</div>';
+  }
+}
+
+function buildLoginCard(a) {
+  const statusLabel = { pending:'⏳ Request Pending', approved:'✅ Account Ready', denied:'❌ Request Denied', deleted:'🗑 Deleted' };
+  const statusCls   = { pending:'ac-pending', approved:'ac-completed', denied:'ac-failed', deleted:'ac-failed' };
+  const note = a.admin_note ? `<div style="font-size:15px;color:var(--gold);margin-top:6px;padding:6px 8px;background:rgba(240,192,64,.07);border-radius:6px">📝 ${escHtml(a.admin_note)}</div>` : '';
+
+  let creds = '';
+  if (a.status === 'approved' && a.platform_username) {
+    const passHtml = a.platform_password
+      ? `<div class="pa-cred-row">
+           <span class="pa-cred-label">Password</span>
+           <span class="pa-cred-val pa-cred-pass" onclick="this.classList.toggle('revealed')" title="Tap to reveal">${escHtml(a.platform_password)}</span>
+         </div>
+         <div style="font-size:14px;color:var(--text2);margin-top:3px">Tap password to reveal · Keep this safe!</div>`
+      : '';
+    creds = `<div class="pa-cred-box">
+      <div class="pa-cred-row"><span class="pa-cred-label">Username</span><span class="pa-cred-val">${escHtml(a.platform_username)}</span></div>
+      ${passHtml}
+    </div>`;
+  }
+
+  const pendingMsg = a.status === 'pending'
+    ? '<div style="font-size:15px;color:var(--text2);margin-top:8px;padding:8px;background:rgba(255,255,255,.03);border-radius:6px">Our team is setting up your account. Your login credentials will appear here once ready.</div>'
+    : '';
+
+  return `<div class="pa-card ${a.status}" style="margin-bottom:10px">
+    <div style="display:flex;align-items:center;justify-content:space-between;gap:10px">
+      <div>
+        <div style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px">${escHtml(a.platform_name || a.platform_slug)}</div>
+        <div style="font-size:15px;color:var(--text2);margin-top:2px">${(a.requested_at||'').substring(0,10)}</div>
+        <span class="activity-status ${statusCls[a.status]||'ac-pending'}">${statusLabel[a.status]||a.status}</span>
+      </div>
+      ${a.status === 'pending' ? '<div style="font-size:15px;color:var(--text2);text-align:right">Pending<br>review</div>' : ''}
+    </div>
+    ${note}${creds}${pendingMsg}
+  </div>`;
+}
+
+async function requestPlatformLogin() {
+  const al   = document.getElementById('req-platform-alert');
+  const slug = document.getElementById('req-platform-slug')?.value;
+  if (!slug) { showAlert(al, 'Please select a platform.', 'error'); return; }
+  const platName = CFG.platforms.find(p => p.id === slug)?.name || slug;
+  const d = await api('/api/platform_accounts.php?action=request', { platform_slug: slug });
+  if (d.success) {
+    showAlert(al, `✓ Request submitted for ${platName}! Check back here once approved.`, 'success');
+    setTimeout(() => { al.className='alert'; al.textContent=''; }, 4000);
+    document.getElementById('req-platform-slug').value = '';
+    loadPlatformLogins();
+  } else {
+    showAlert(al, d.error || 'Error submitting request.', 'error');
+  }
+}
+
+function populatePlatformSelect(selId) {
+  const sel = document.getElementById(selId);
+  if (!sel || !CFG.platforms.length) return;
+  sel.querySelectorAll('option:not([value=""])').forEach(o => o.remove());
+  CFG.platforms.forEach(p => {
+    const o = document.createElement('option');
+    o.value = p.id; o.textContent = p.name;
+    sel.appendChild(o);
+  });
+}
+
+// ─── ONBOARDING FLOW ──────────────────────────────────────
+function showOnboarding() {
+  const modal = document.getElementById('onboarding-modal');
+  if (!modal) return;
+  populatePlatformSelect('onboarding-platform');
+  modal.style.display = 'flex';
+}
+function hideOnboarding() { const m=document.getElementById('onboarding-modal'); if(m)m.style.display='none'; }
+function showOnboardingStep(n) {
+  [1,2,3].forEach(i => { const el=document.getElementById('onboarding-step-'+i); if(el) el.style.display=i===n?'block':'none'; });
+}
+function onboardingHasAccount() {
+  api('/api/platform_accounts.php?action=dismiss_onboarding',{}).catch(()=>{});
+  hideOnboarding();
+}
+function onboardingNoAccount() { showOnboardingStep(2); }
+function onboardingRequestAnother() {
+  const al=document.getElementById('onboarding-alert'); if(al){al.className='alert';al.textContent='';}
+  document.getElementById('onboarding-platform').value='';
+  showOnboardingStep(2);
+}
+async function onboardingRequestAccount() {
+  const al=document.getElementById('onboarding-alert');
+  const slug=document.getElementById('onboarding-platform')?.value;
+  if (!slug) { showAlert(al,'Please select a platform.','error'); return; }
+  const platName=CFG.platforms.find(p=>p.id===slug)?.name||slug;
+  const d=await api('/api/platform_accounts.php?action=request',{platform_slug:slug});
+  if (d.success) {
+    const ct=document.getElementById('onboarding-confirm-text');
+    if (ct) ct.textContent=`Request for ${platName} submitted! Find your login details in Profile → Accounts once approved.`;
+    showOnboardingStep(3);
+  } else showAlert(al, d.error||'Error','error');
+}
+async function onboardingDone() {
+  api('/api/platform_accounts.php?action=dismiss_onboarding',{}).catch(()=>{});
+  hideOnboarding();
+}
+async function checkOnboarding() {
+  if (!S.user || S.user.is_admin) return;
+  try {
+    const d=await api('/api/platform_accounts.php?action=check_onboarding');
+    if (d.success && d.needs_onboarding) showOnboarding();
+  } catch(e){}
+}
+
+async function loadCashoutMethodTypes() {
+  try {
+    const d = await api('/api/cashout_method_types.php?action=list');
+    if (!d.success) return;
+    cashoutMethodTypes = d.types || [];
+    // Populate the payout type selector
+    const sel = document.getElementById('payout-type-new');
+    if (sel) {
+      sel.innerHTML = cashoutMethodTypes.map(t =>
+        `<option value="${escHtml(t.slug)}">${escHtml(t.icon)} ${escHtml(t.label)}</option>`
+      ).join('');
+    }
+    // Update PAYOUT_ICONS and PAYOUT_LABELS from live data
+    cashoutMethodTypes.forEach(t => {
+      PAYOUT_ICONS[t.slug]  = t.icon;
+      PAYOUT_LABELS[t.slug] = t.label;
+    });
+  } catch(e) { /* use defaults */ }
+}
+
+// Also load on app init so icons/labels are available everywhere
+function populateAccount() {
+  const u = S.user;
+  if (!u) return;
+  document.getElementById('acct-username').textContent = u.username || '—';
+  document.getElementById('acct-alias').textContent    = u.alias    || '—';
+  document.getElementById('acct-email').textContent    = u.email    || 'Not set';
+  document.getElementById('acct-joined').textContent   = (u.created_at||'').substring(0,10);
+}
+
+// ─── DYNAMIC PAYMENT METHODS ──────────────────────────────
+function buildPaymentMethods() {
+  const methods   = CFG.payMethods || [];
+  const container = document.getElementById('manual-payment-btns');
+  if (!container) return;
+
+  // Check if card is enabled from payMethods (or default to enabled if no card entry)
+  const cardSetting = methods.find(m => m.method_key === 'card');
+  const cardEnabled = cardSetting ? parseInt(cardSetting.is_enabled) : 1;
+  const manualMethods = methods.filter(m => m.method_key !== 'card' && parseInt(m.is_enabled));
+
+  let html = '';
+
+  // Card button — only show if enabled
+  if (cardEnabled) {
+    html += `<div class="pmt" onclick="selectPMT(this,'card')" title="Credit/Debit Card">
+      <svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" width="22" height="22"><rect x="1" y="4" width="22" height="16" rx="2"/><line x1="1" y1="10" x2="23" y2="10"/></svg>
+      <span>Card</span>
+    </div>`;
+  }
+
+  const iconMap = { venmo:'💙', chime:'🟢', cashapp:'💚', zelle:'💜' };
+  manualMethods.forEach(m => {
+    html += `<div class="pmt" onclick="selectPMT(this,'${m.method_key}')" title="${escHtml(m.label)}">
+      <span style="font-size:20px">${iconMap[m.method_key]||'💰'}</span>
+      <span>${escHtml(m.label)}</span>
+    </div>`;
+  });
+
+  container.innerHTML = html;
+
+  // If card is disabled and current method is card, switch to first available
+  if (!cardEnabled && S.method === 'card') {
+    const firstManual = manualMethods[0];
+    if (firstManual) {
+      const firstBtn = container.querySelector('.pmt');
+      if (firstBtn) selectPMT(firstBtn, firstManual.method_key);
+    }
+    // Also hide the card section entirely
+    const cardSection = document.getElementById('section-card');
+    if (cardSection) cardSection.style.display = 'none';
+    const manSection = document.getElementById('section-manual');
+    if (manSection) manSection.style.display = 'block';
+  }
+
+  // If no methods at all, show message
+  if (!cardEnabled && !manualMethods.length) {
+    container.innerHTML = '<div style="font-size:15px;color:var(--red);padding:8px">No payment methods are currently available. Please contact support.</div>';
+  }
+
+  // Update CFG.pay handles from DB
+  methods.forEach(m => {
+    if (CFG.pay && m.handle) CFG.pay[m.method_key] = m.handle;
+    if (!CFG.payLabels) CFG.payLabels = {};
+    CFG.payLabels[m.method_key] = m.label;
+    if (m.instructions) {
+      if (!CFG.payInstructions) CFG.payInstructions = {};
+      CFG.payInstructions[m.method_key] = m.instructions;
+    }
+  });
+}
+
+// Save alias from buy page back to profile
+async function saveAliasFromBuyPage() {
+  const platformId = document.getElementById('buy-platform')?.value;
+  const alias      = document.getElementById('buy-alias')?.value.trim();
+  if (!platformId || !alias || !S.user) return;
+  savedAliases[platformId] = alias;
+  await api('/api/game_aliases.php?action=save', { platform_slug: platformId, alias });
+}
+let savedAliases = {}; // { platform_slug: alias }
+
+async function loadGameAliases() {
+  const el = document.getElementById('game-alias-list') || document.getElementById('game-aliases-list');
+  try {
+    const [aliasRes, platRes] = await Promise.all([
+      api('/api/game_aliases.php?action=get'),
+      api('/api/platforms.php?action=list')
+    ]);
+    if (aliasRes.success) savedAliases = aliasRes.aliases || {};
+    const platforms = platRes.success ? platRes.platforms : CFG.platforms;
+    renderGameAliasList(platforms);
+  } catch(e) {
+    if (el) el.innerHTML = '<div style="color:var(--text2);text-align:center;padding:16px;font-size:15px">Could not load games.</div>';
+  }
+}
+
+function renderGameAliasList(platforms) {
+  const el = document.getElementById('game-aliases-list');
+  if (!el) return;
+  if (!platforms || !platforms.length) {
+    el.innerHTML = '<div style="color:var(--text2);text-align:center;padding:16px;font-size:15px">No games configured yet.</div>';
+    return;
+  }
+  el.innerHTML = platforms.map(p => `
+    <div class="game-alias-card">
+      <div class="game-alias-dot" style="background:${p.color};box-shadow:0 0 8px ${p.color}"></div>
+      <div style="flex:1;min-width:0">
+        <div class="game-alias-name">${escHtml(p.name)}</div>
+        <input class="game-alias-input" id="alias-${p.id}"
+          type="text" maxlength="100"
+          placeholder="Your in-game username..."
+          value="${escHtml(savedAliases[p.id] || '')}"
+          onchange="saveOneAlias('${p.id}',this.value)">
+      </div>
+      <a href="${escHtml(p.url)}" target="_blank"
+        style="flex-shrink:0;width:36px;height:36px;border-radius:8px;background:rgba(255,255,255,.05);border:1px solid var(--border);display:flex;align-items:center;justify-content:center;text-decoration:none;font-size:16px"
+        title="Play ${escHtml(p.name)}">▶</a>
+    </div>`).join('');
+}
+
+async function saveOneAlias(slug, alias) {
+  savedAliases[slug] = alias.trim();
+  await api('/api/game_aliases.php?action=save', { platform_slug: slug, alias: alias.trim() });
+}
+
+async function saveAllAliases() {
+  const al = document.getElementById('game-aliases-alert');
+  const aliases = {};
+  (CFG.platforms || []).forEach(p => {
+    const el = document.getElementById('alias-' + p.id);
+    if (el) aliases[p.id] = el.value.trim();
+  });
+  // Also grab any inputs by the alias-* pattern
+  document.querySelectorAll('[id^="alias-"]').forEach(el => {
+    const slug = el.id.replace('alias-', '');
+    aliases[slug] = el.value.trim();
+  });
+  savedAliases = {...savedAliases, ...aliases};
+  const d = await api('/api/game_aliases.php?action=save_all', { aliases });
+  if (d.success) {
+    showAlert(al, '✓ All aliases saved!', 'success');
+    setTimeout(() => hideAlert(al), 3000);
+  } else {
+    showAlert(al, 'Save failed. Try again.', 'error');
+  }
+}
+
+// Auto-prefill alias on buy page when platform changes
+function prefillBuyAlias() {
+  const platformId = document.getElementById('buy-platform')?.value;
+  const aliasInput = document.getElementById('buy-alias');
+  if (platformId && aliasInput && savedAliases[platformId]) {
+    aliasInput.value = savedAliases[platformId];
+  } else if (aliasInput && platformId && !savedAliases[platformId]) {
+    aliasInput.value = '';
+  }
+}
+
+function escHtml(s) { return String(s||'').replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/"/g,'&quot;'); }
+async function loadBillingProfile() {
+  const d = await api('/api/billing.php?action=get');
+  if (d.success && d.billing) {
+    const b = d.billing;
+    // Show saved card chip if card on file
+    if (b.card_last4) {
+      document.getElementById('saved-card-brand').textContent  = b.card_brand || 'CARD';
+      document.getElementById('saved-card-number').textContent = '···· ···· ···· ' + b.card_last4;
+      document.getElementById('saved-card-name').textContent   = [b.first_name, b.last_name].filter(Boolean).join(' ') || '—';
+      const exp = (b.card_exp_month && b.card_exp_year) ? b.card_exp_month + '/' + b.card_exp_year.slice(-2) : '—';
+      document.getElementById('saved-card-exp').textContent = exp;
+      document.getElementById('saved-card-display').style.display = 'block';
+    } else {
+      document.getElementById('saved-card-display').style.display = 'none';
+    }
+    // Fill form fields
+    setVal('p-first',   b.first_name);
+    setVal('p-last',    b.last_name);
+    setVal('p-email',   b.email);
+    setVal('p-address', b.address);
+    setVal('p-city',    b.city);
+    setVal('p-state',   b.state);
+    setVal('p-zip',     b.zip);
+    // Also pre-fill buy form
+    prefillBuyForm(b);
+  } else {
+    document.getElementById('saved-card-display').style.display = 'none';
+  }
+}
+
+function prefillBuyForm(b) {
+  if (!b) return;
+  setVal('card-first-name', b.first_name);
+  setVal('card-last-name',  b.last_name);
+  setVal('card-address',    b.address);
+  setVal('card-city',       b.city);
+  setVal('card-state',      b.state);
+  setVal('card-zip',        b.zip);
+  setVal('card-email',      b.email);
+}
+
+function setVal(id, val) {
+  const el = document.getElementById(id);
+  if (el && val) el.value = val;
+}
+
+async function saveBillingProfile() {
+  const al = document.getElementById('billing-alert');
+  const data = {
+    first_name: (document.getElementById('p-first')?.value   || '').trim(),
+    last_name:  (document.getElementById('p-last')?.value    || '').trim(),
+    email:      (document.getElementById('p-email')?.value   || '').trim(),
+    address:    (document.getElementById('p-address')?.value || '').trim(),
+    city:       (document.getElementById('p-city')?.value    || '').trim(),
+    state:      (document.getElementById('p-state')?.value   || '').trim().toUpperCase(),
+    zip:        (document.getElementById('p-zip')?.value     || '').trim(),
+  };
+  const d = await api('/api/billing.php?action=save', data);
+  if (d.success) {
+    showAlert(al, 'Billing info saved!', 'success');
+    prefillBuyForm(data);
+  } else showAlert(al, d.error || 'Save failed.', 'error');
+}
+
+async function clearSavedCard() {
+  if (!confirm('Remove saved card info?')) return;
+  const d = await api('/api/billing.php?action=clear_card', {});
+  if (d.success) {
+    document.getElementById('saved-card-display').style.display = 'none';
+    // Clear card fields in buy form
+    ['card-first-name','card-last-name'].forEach(id => { const el=document.getElementById(id); if(el) el.value=''; });
+  }
+}
+
+async function clearAllBilling() {
+  if (!confirm('Clear all saved billing information? This cannot be undone.')) return;
+  const d = await api('/api/billing.php?action=clear_all', {});
+  if (d.success) {
+    loadBillingProfile();
+    ['p-first','p-last','p-email','p-address','p-city','p-state','p-zip'].forEach(id => {
+      const el=document.getElementById(id); if(el) el.value='';
+    });
+    const al = document.getElementById('billing-alert');
+    showAlert(al, 'All billing info cleared.', 'success');
+  }
+}
+
+// Auto-load billing when going to buy page
+async function initBuyPageBilling() {
+  const d = await api('/api/billing.php?action=get');
+  if (d.success && d.billing) prefillBuyForm(d.billing);
+}
+
+// ─── CASHOUT ───────────────────────────────────────────────
+async function submitCashout() {
+  const al       = document.getElementById('cashout-alert');
+  const pid      = document.getElementById('cashout-platform').value;
+  const alias    = document.getElementById('cashout-alias').value.trim();
+  const toks     = parseFloat(document.getElementById('cashout-tokens').value);
+  const payoutId = getSelectedPayoutId();
+
+  if (!payoutId)       { showAlert(al,'Please select a payout method above.','error'); return; }
+  if (!pid)            { showAlert(al,'Please select a platform.','error'); return; }
+  if (!alias)          { showAlert(al,'Please enter your in-game alias.','error'); return; }
+  if (!toks || toks<1) { showAlert(al,'Enter a valid token amount.','error'); return; }
+
+  // Get payout method details
+  const pm = payoutMethods.find(m => m.id == payoutId);
+
+  try {
+    const d = await api('/api/cashout.php', {
+      platform_id:       pid,
+      alias,
+      tokens:            toks,
+      payout_method_id:  payoutId,
+      payout_method_type: pm ? pm.method_type : '',
+      payout_handle:     pm ? pm.account_handle : '',
+    });
+    if (d.success) {
+      showAlert(al, '✓ Request created! Review and submit to admin when ready.', 'success');
+      S.user.tokens = d.new_balance; updateUI();
+      document.getElementById('cashout-tokens').value = '';
+      document.getElementById('cashout-alias').value  = '';
+      // Reload list and scroll to it
+      await loadCashoutHistory();
+      setTimeout(() => {
+        const hist = document.getElementById('cashout-history');
+        if (hist) hist.scrollIntoView({behavior:'smooth', block:'start'});
+        // Briefly highlight the first (newest) card
+        const first = hist?.querySelector('.co-card');
+        if (first) { first.style.boxShadow='0 0 0 2px var(--gold)'; setTimeout(()=>first.style.boxShadow='',2000); }
+      }, 200);
+    } else showAlert(al, d.error||'Request failed.','error');
+  } catch { showAlert(al,'Network error.','error'); }
+}
+
+async function loadCashoutHistory() {
+  const el = document.getElementById('cashout-history');
+  if (!el) return;
+  try {
+    const d = await api('/api/cashout.php?action=list');
+    if (!d.success || !d.requests.length) {
+      el.innerHTML = '<div style="color:var(--text2);font-size:15px;text-align:center;padding:20px">No cashout requests yet. Submit one above.</div>';
+      return;
+    }
+    el.innerHTML = d.requests.map(r => buildCashoutCard(r)).join('');
+  } catch(e) {
+    el.innerHTML = '<div style="color:var(--text2);font-size:15px;text-align:center;padding:16px">Unable to load requests.</div>';
+  }
+}
+
+function buildCashoutCard(r) {
+  const editable = r.status === 'pending';
+  const locked   = r.status === 'locked';
+  const statusLabel = { pending:'⏳ Pending', locked:'🔒 Sent to Admin', sent:'✅ Sent', approved:'✅ Sent', rejected:'❌ Denied', deleted:'🗑 Deleted' };
+  const payout   = r.payout_handle ? `<div style="font-size:15px;color:var(--cyan);margin-top:2px">${escHtml(r.payout_handle)}</div>` : '';
+  const adminNote= r.admin_note ? `<div style="font-size:15px;color:var(--gold);margin-top:4px;padding:6px 8px;background:rgba(240,192,64,.07);border-radius:6px">📝 ${escHtml(r.admin_note)}</div>` : '';
+  const actionBtns = editable ? `
+    <div class="co-edit-row">
+      <input class="fi" id="co-edit-tokens-${r.id}" type="number" min="1" value="${r.tokens}"
+        style="width:90px;padding:7px 10px;font-size:15px" placeholder="Tokens">
+      <input class="fi" id="co-edit-alias-${r.id}" type="text" value="${escHtml(r.alias||'')}"
+        style="flex:1;min-width:100px;padding:7px 10px;font-size:15px" placeholder="Game alias">
+      <button onclick="updateCashoutRequest(${r.id})"
+        style="background:rgba(0,229,255,.1);border:1px solid rgba(0,229,255,.25);color:var(--cyan);border-radius:8px;padding:7px 12px;font-size:14px;font-weight:700;cursor:pointer;white-space:nowrap">
+        ✏️ Update
+      </button>
+      <button onclick="deleteCashoutRequest(${r.id})"
+        style="background:rgba(255,68,68,.08);border:1px solid rgba(255,68,68,.2);color:var(--red);border-radius:8px;padding:7px 12px;font-size:14px;font-weight:700;cursor:pointer">
+        🗑
+      </button>
+      <button onclick="lockCashoutRequest(${r.id})"
+        style="background:rgba(240,192,64,.1);border:1px solid rgba(240,192,64,.25);color:var(--gold);border-radius:8px;padding:7px 12px;font-size:14px;font-weight:700;cursor:pointer;white-space:nowrap">
+        🔒 Submit to Admin
+      </button>
+    </div>` : '';
+  const lockNote = locked ? `<div style="font-size:15px;color:var(--cyan);margin-top:8px;padding:7px 10px;background:rgba(0,229,255,.06);border-radius:6px;border:1px solid rgba(0,229,255,.15)">🔒 This request has been submitted to our team. They will process it shortly.</div>` : '';
+
+  return `<div class="co-card ${r.status}" id="co-card-${r.id}">
+    <div style="display:flex;align-items:flex-start;justify-content:space-between;gap:10px">
+      <div style="flex:1;min-width:0">
+        <div style="display:flex;align-items:center;flex-wrap:wrap;gap:4px;margin-bottom:4px">
+          <span style="font-family:'Exo 2',sans-serif;font-weight:700;font-size:16px;color:var(--gold)">${r.tokens}</span>
+          <span style="margin-left:2px">${tokenCoin(18)}</span>
+          <span class="co-status-pill co-status-${r.status}">${statusLabel[r.status]||r.status}</span>
+        </div>
+        <div style="font-size:14px;color:var(--text2)">${escHtml(r.platform_name||r.platform_id)} · <span style="color:var(--cyan)">${escHtml(r.alias||'')}</span></div>
+        ${payout}
+        ${adminNote}
+        ${lockNote}
+      </div>
+      <div style="text-align:right;flex-shrink:0">
+        <div style="font-size:15px;color:var(--text2)">${(r.created_at||'').substring(0,10)}</div>
+        <div style="font-size:14px;color:var(--text2);margin-top:2px">#${r.id}</div>
+      </div>
+    </div>
+    ${actionBtns}
+  </div>`;
+}
+
+async function updateCashoutRequest(id) {
+  const tokens = parseFloat(document.getElementById('co-edit-tokens-'+id)?.value||0);
+  const alias  = document.getElementById('co-edit-alias-'+id)?.value.trim();
+  if (!tokens||tokens<1) { showAlert(document.getElementById('cashout-alert'),'Enter a valid token amount.','error'); return; }
+  const d = await api('/api/cashout.php?action=update&id='+id+'&tokens='+tokens+'&alias='+encodeURIComponent(alias));
+  if (d.success) {
+    showAlert(document.getElementById('cashout-alert'),'✓ Request updated!','success');
+    setTimeout(()=>{ const al=document.getElementById('cashout-alert'); if(al){al.className='alert';al.textContent='';} }, 3000);
+    loadCashoutHistory();
+  } else showAlert(document.getElementById('cashout-alert'), d.error||'Update failed','error');
+}
+
+async function deleteCashoutRequest(id) {
+  if (!confirm('Cancel this cashout request?\n\nYour tokens will be returned to your balance immediately.')) return;
+  const d = await api('/api/cashout.php?action=delete&id='+id);
+  if (d.success) {
+    if (d.new_balance !== undefined && S.user) { S.user.tokens = d.new_balance; updateUI(); }
+    const card = document.getElementById('co-card-'+id);
+    if (card) { card.style.transition='opacity .3s'; card.style.opacity='0'; setTimeout(()=>card.remove(), 300); }
+    showAlert(document.getElementById('cashout-alert'),'✓ Request cancelled. Tokens returned.','success');
+    setTimeout(()=>{ const al=document.getElementById('cashout-alert'); if(al){al.className='alert';al.textContent='';} }, 3000);
+  } else showAlert(document.getElementById('cashout-alert'), d.error||'Delete failed','error');
+}
+
+async function lockCashoutRequest(id) {
+  if (!confirm('Submit this cashout request to our team for processing?\n\nYou won\'t be able to edit it after this.')) return;
+  const d = await api('/api/cashout.php?action=lock&id='+id);
+  if (d.success) {
+    loadCashoutHistory();
+    showAlert(document.getElementById('cashout-alert'),'✓ Submitted! Our team will process it shortly.','success');
+    setTimeout(()=>{ const al=document.getElementById('cashout-alert'); if(al){al.className='alert';al.textContent='';} }, 4000);
+  } else showAlert(document.getElementById('cashout-alert'), d.error||'Error','error');
+}
+
+// ─── PLAYER ACTIVITY DASHBOARD ────────────────────────────
+let activityData  = null;
+let activityFilter = 'all';
+let activityPollTimer = null;
+
+async function loadProfileHistory() {
+  // Renamed alias kept for compatibility
+  await loadActivityDashboard();
+}
+
+async function loadActivityDashboard() {
+  const feed = document.getElementById('activity-feed');
+  const sumEl = document.getElementById('activity-summary');
+  if (!feed) return;
+  try {
+    const d = await api('/api/my_activity.php?action=all');
+    if (!d.success) throw new Error('Failed');
+    activityData = d;
+    renderActivitySummary(d, sumEl);
+    renderActivityFeed(activityFilter);
+    // Poll for real-time updates every 15s while profile is open
+    clearTimeout(activityPollTimer);
+    activityPollTimer = setTimeout(async () => {
+      const fresh = await api('/api/my_activity.php?action=all').catch(()=>null);
+      if (fresh?.success) { activityData = fresh; renderActivitySummary(fresh, sumEl); renderActivityFeed(activityFilter); }
+    }, 15000);
+  } catch(e) {
+    feed.innerHTML = '<div style="color:var(--text2);font-size:15px;text-align:center;padding:20px">Unable to load activity.</div>';
+  }
+}
+
+function filterActivity(filter, btn) {
+  activityFilter = filter;
+  document.querySelectorAll('.activity-ftab').forEach(b => b.classList.remove('active'));
+  if (btn) btn.classList.add('active');
+  renderActivityFeed(filter);
+}
+
+function renderActivitySummary(d, el) {
+  if (!el) return;
+  const purchases = d.purchases || [];
+  const cashouts  = d.cashouts  || [];
+  const pending_p = purchases.filter(p => p.status === 'pending').length;
+  const pending_c = cashouts.filter(c => c.status === 'pending' || c.status === 'locked').length;
+  const total_spent = purchases.filter(p => p.status !== 'failed').reduce((s,p) => s + (p.amount_cents/100), 0);
+  const total_cashed = cashouts.filter(c => c.status === 'sent' || c.status === 'approved').reduce((s,c) => s + parseFloat(c.tokens||0), 0);
+  const pills = [
+    total_spent > 0   ? `<div class="summary-pill">💳 $${total_spent.toFixed(2)} purchased</div>` : '',
+    total_cashed > 0  ? `<div class="summary-pill" style="color:var(--green)">💸 ${total_cashed} tokens cashed out</div>` : '',
+    pending_p > 0     ? `<div class="summary-pill" style="color:var(--gold);border-color:rgba(240,192,64,.3)">⏳ ${pending_p} purchase${pending_p>1?'s':''} pending</div>` : '',
+    pending_c > 0     ? `<div class="summary-pill" style="color:var(--cyan);border-color:rgba(0,229,255,.2)">⏳ ${pending_c} cashout${pending_c>1?'s':''} in review</div>` : '',
+  ].filter(Boolean).join('');
+  el.innerHTML = pills;
+}
+
+function renderActivityFeed(filter) {
+  const feed = document.getElementById('activity-feed');
+  if (!feed || !activityData) return;
+  const items = buildActivityItems(activityData, filter);
+  if (!items.length) {
+    const labels = {all:'activity', purchases:'purchases', cashouts:'cashout requests', broadcasts:'announcements'};
+    feed.innerHTML = `<div style="text-align:center;padding:28px;color:var(--text2);font-size:15px">No ${labels[filter]||filter} yet.</div>`;
+    return;
+  }
+  feed.innerHTML = items.map(renderActivityCard).join('');
+}
+
+function buildActivityItems(d, filter) {
+  let items = [];
+
+  if (filter === 'all' || filter === 'purchases') {
+    (d.purchases||[]).forEach(p => items.push({ _type:'purchase', _ts: p.created_at, ...p }));
+  }
+  if (filter === 'all' || filter === 'cashouts') {
+    (d.cashouts||[]).forEach(c => items.push({ _type:'cashout', _ts: c.created_at, ...c }));
+  }
+  if (filter === 'all' || filter === 'broadcasts') {
+    (d.broadcasts||[]).forEach(b => items.push({ _type:'broadcast', _ts: b.sent_at, ...b }));
+  }
+
+  // Sort newest first
+  items.sort((a,b) => new Date(b._ts) - new Date(a._ts));
+
+  // For 'all', interleave with date dividers
+  if (filter === 'all') {
+    const grouped = []; let lastDate = '';
+    items.forEach(item => {
+      const dt = (item._ts||'').substring(0,10);
+      if (dt !== lastDate) {
+        lastDate = dt;
+        const d0 = new Date(dt+'T00:00:00'), now = new Date();
+        now.setHours(0,0,0,0);
+        const diff = Math.round((now-d0)/86400000);
+        const label = diff===0?'Today':diff===1?'Yesterday':d0.toLocaleDateString('en-US',{month:'short',day:'numeric'});
+        grouped.push({ _type:'divider', label });
+      }
+      grouped.push(item);
+    });
+    return grouped;
+  }
+  return items;
+}
+
+const PMT_ICON = { card:'💳', venmo:'💙', cashapp:'💚', zelle:'💜', chime:'🟢' };
+
+function renderActivityCard(item) {
+  if (item._type === 'divider') {
+    return `<div style="font-size:15px;font-weight:700;color:var(--text2);letter-spacing:1px;text-transform:uppercase;padding:10px 0 6px;border-bottom:1px solid var(--border);margin-bottom:6px">${item.label}</div>`;
+  }
+
+  if (item._type === 'purchase') {
+    const statusMap = { completed:'✅ Completed', pending:'⏳ Awaiting Payment', failed:'❌ Failed', approved:'✅ Approved' };
+    const statusClass = { completed:'ac-completed', pending:'ac-pending', failed:'ac-failed', approved:'ac-completed' };
+    const icon  = PMT_ICON[item.payment_method] || '💳';
+    const amt   = item.amount_cents ? '$'+(item.amount_cents/100).toFixed(2) : '';
+    const card  = item.card_last4 ? `${item.card_brand||'Card'} ····${item.card_last4}` : '';
+    const note  = item.admin_note ? `<div style="font-size:15px;color:var(--gold);margin-top:4px">📝 ${escHtml(item.admin_note)}</div>` : '';
+    return `<div class="activity-card">
+      <div class="activity-icon" style="background:rgba(0,230,118,.1)">${icon}</div>
+      <div class="activity-body">
+        <div class="activity-title">Token Purchase · ${item.tokens} ${tokenCoin(14)}</div>
+        <div class="activity-meta">${pname(item.platform_id)}${item.game_alias?' · '+escHtml(item.game_alias):''}</div>
+        ${card?`<div class="activity-meta">${card}</div>`:''}
+        <span class="activity-status ${statusClass[item.status]||'ac-pending'}">${statusMap[item.status]||item.status}</span>
+        ${note}
+      </div>
+      <div class="activity-amount">
+        <div style="color:var(--green)">${amt}</div>
+        <div style="font-size:14px;color:var(--text2);font-weight:400;margin-top:2px">${(item.created_at||'').substring(0,10)}</div>
+      </div>
+    </div>`;
+  }
+
+  if (item._type === 'cashout') {
+    const statusMap = {
+      pending:'⏳ Draft — not submitted',
+      locked:'🔒 Submitted to admin',
+      sent:'✅ Payment Sent',
+      approved:'✅ Payment Sent',
+      rejected:'❌ Denied',
+      deleted:'🗑 Deleted'
+    };
+    const statusClass = { pending:'ac-pending', locked:'ac-locked', sent:'ac-completed', approved:'ac-completed', rejected:'ac-failed', deleted:'ac-failed' };
+    const payout = item.payout_handle ? `<div class="activity-meta">${escHtml(item.payout_handle)}</div>` : '';
+    const note   = item.admin_note ? `<div style="font-size:15px;color:var(--gold);margin-top:4px">📝 ${escHtml(item.admin_note)}</div>` : '';
+    const canEdit = item.status === 'pending';
+    return `<div class="activity-card" style="${item.status==='pending'?'border-color:rgba(240,192,64,.2)':item.status==='locked'?'border-color:rgba(0,229,255,.15)':''}">
+      <div class="activity-icon" style="background:rgba(240,192,64,.1)">💸</div>
+      <div class="activity-body">
+        <div class="activity-title">Cashout Request · ${item.tokens} ${tokenCoin(14)}</div>
+        <div class="activity-meta">${escHtml(item.platform_name||item.platform_id)}${item.alias?' · '+escHtml(item.alias):''}</div>
+        ${payout}
+        <span class="activity-status ${statusClass[item.status]||'ac-pending'}">${statusMap[item.status]||item.status}</span>
+        ${note}
+        ${canEdit?`<div style="margin-top:8px"><button onclick="showPage('cashout')" style="background:none;border:none;color:var(--cyan);font-size:15px;font-weight:700;cursor:pointer;padding:0">✏️ Edit on Cashout page →</button></div>`:''}
+      </div>
+      <div class="activity-amount">
+        <div style="font-size:14px;color:var(--text2);font-weight:400;margin-top:2px">${(item.created_at||'').substring(0,10)}</div>
+        <div style="font-size:14px;color:var(--text2)">#${item.id}</div>
+      </div>
+    </div>`;
+  }
+
+  if (item._type === 'broadcast') {
+    const isNew = !parseInt(item.is_read);
+    return `<div class="activity-card" style="${isNew?'border-color:rgba(240,192,64,.2)':''}">
+      <div class="activity-icon" style="background:rgba(240,192,64,.08)">📢</div>
+      <div class="activity-body">
+        <div class="activity-title">${escHtml(item.subject)}</div>
+        <div class="activity-meta">From ${escHtml(item.sender)} · ${(item.sent_at||'').substring(0,10)}</div>
+        <div style="font-size:14px;color:var(--text2);margin-top:4px;overflow:hidden;text-overflow:ellipsis;white-space:nowrap;max-width:220px">${escHtml(item.message)}</div>
+        ${isNew?'<span class="activity-status ac-new">● New</span>':'<span class="activity-status ac-read">Read</span>'}
+        ${parseInt(item.replied)?'<span class="activity-status ac-locked" style="margin-left:4px">Replied</span>':''}
+      </div>
+      <div>
+        <button onclick="showPage('broadcasts')" style="background:none;border:none;color:var(--cyan);font-size:15px;font-weight:700;cursor:pointer;padding:0;white-space:nowrap">View →</button>
+      </div>
+    </div>`;
+  }
+  return '';
+}
+
+function pname(id) {
+  return CFG.platforms?.find(p=>p.id===id)?.name || id || '—';
+}
+
+// ─── AUTH ──────────────────────────────────────────────────
+
+async function resendFromLogin() {
+  const btn=document.getElementById('login-resend-btn');
+  const al=document.getElementById('login-resend-alert');
+  const email=S._unverifiedEmail;
+  if(!email){showAlert(al,'Please register first.','error');return;}
+  btn.innerHTML='<span class="spinner"></span>'; btn.disabled=true;
+  try {
+    const d=await api('/api/resend_verify.php',{email});
+    if(d.success) showAlert(al,'Verification email resent! Check your inbox.','success');
+    else showAlert(al,d.error||'Could not resend.','error');
+  } catch{showAlert(al,'Network error.','error');}
+  btn.innerHTML='Resend Verification Email'; btn.disabled=false;
+}
+
+async function doRegister() {
+  const btn=document.getElementById('reg-btn'); const al=document.getElementById('reg-alert');
+  const u=document.getElementById('reg-user').value.trim();
+  const alias=document.getElementById('reg-alias').value.trim();
+  const email=document.getElementById('reg-email').value.trim();
+  const p=document.getElementById('reg-pass').value;
+  if(!u||!alias||!p){showAlert(al,'Username, alias and password are required.','error');return;}
+  if(!email){showAlert(al,'Email address is required for account verification.','error');return;}
+  btn.innerHTML='<span class="spinner"></span>'; btn.disabled=true;
+  try {
+    const d=await api('/api/register.php',{username:u,alias,email,password:p,referral_code:getUrlRefCode()});
+    if(d.success){
+      // Show pending verification state
+      document.getElementById('reg-pending-email').textContent = d.email || email;
+      S._pendingEmail = d.email || email;
+      showPendingState();
+      if (d.mail_warning) {
+        // Email failed to send - show resend option prominently
+        showAlert(document.getElementById('pending-alert')||al,
+          'Account created! We had trouble sending the verification email. Use the Resend button below.','error');
+      }
+    } else {
+      showAlert(al,d.error||'Registration failed.','error');
+    }
+  } catch{showAlert(al,'Network error.','error');}
+  btn.innerHTML='CREATE ACCOUNT'; btn.disabled=false;
+}
+
+function showPendingState() {
+  document.getElementById('reg-form-state').style.display='none';
+  document.getElementById('reg-pending-state').style.display='block';
+}
+
+function showRegForm() {
+  document.getElementById('reg-form-state').style.display='block';
+  document.getElementById('reg-pending-state').style.display='none';
+}
+
+async function resendVerify() {
+  const btn=document.getElementById('resend-btn');
+  const al=document.getElementById('resend-alert');
+  const email=S._pendingEmail;
+  if(!email){showAlert(al,'No email found. Please register again.','error');return;}
+  btn.innerHTML='<span class="spinner"></span>'; btn.disabled=true;
+  try {
+    const d=await api('/api/resend_verify.php',{email});
+    if(d.success) showAlert(al,'Verification email resent! Check your inbox.','success');
+    else showAlert(al,d.error||'Could not resend.','error');
+  } catch{showAlert(al,'Network error.','error');}
+  btn.innerHTML='Resend Verification Email'; btn.disabled=false;
+}
+
+async function doLogout() {
+  try { await fetch('/api/logout.php'); } catch(e) {}
+  S.user = null;
+  S.pkg  = null;
+  // Clear any cached state
+  if (window._refData) window._refData = null;
+  showAuth();
+}
+
+// ─── HELPERS ──────────────────────────────────────────────
+function showAlert(el,msg,type){el.textContent=msg;el.className='alert show alert-'+type;}
+function hideAlert(el){el.className='alert';}
+function showModal(id){document.getElementById(id).classList.add('show');}
+function closeModal(id){document.getElementById(id).classList.remove('show');}
+document.addEventListener('keydown',e=>{if(e.key==='Enter'){const t=document.getElementById('tab-login');if(t&&t.style.display!=='none')doLogin();}});
+
+// ─── CHAT ─────────────────────────────────────────────────
+let chatState = { lastId: 0, polling: null, initialized: false };
+
+function initChat() {
+  // Load/reload messages every time chat opens
+  loadChatMessages(true);
+  if (chatState.initialized) return;
+  chatState.initialized = true;
+  // Auto-refresh every 3s while chat is open
+  chatState.polling = setInterval(() => {
+    if (document.getElementById('page-chat').classList.contains('active')) {
+      loadChatMessages(false);
+    }
+    pollChatBadge();
+  }, 3000);
+}
+
+async function loadChatMessages(scrollToBottom) {
+  try {
+    const d = await api('/api/chat.php?action=messages&since=' + chatState.lastId);
+    if (!d.success) return;
+    const container = document.getElementById('chat-messages');
+    const quickReplies = document.getElementById('chat-quick-replies');
+
+    if (d.messages.length === 0 && chatState.lastId === 0) {
+      container.innerHTML = '<div class="chat-empty">' +
+        '<div class="chat-empty-icon">&#128172;</div>' +
+        '<div class="chat-empty-text">Have a question about tokens,<br>a cashout, or your account?<br>' +
+        '<strong style="color:var(--gold)">Send us a message below!</strong></div></div>';
+      if (quickReplies) quickReplies.style.display = 'flex';
+      return;
+    }
+
+    if (d.messages.length > 0) {
+      if (quickReplies) quickReplies.style.display = 'none';
+      const emptyEl = container.querySelector('.chat-empty, .chat-loading');
+      if (emptyEl) emptyEl.remove();
+
+      let lastDate = '';
+      d.messages.forEach(msg => {
+        // Skip if bubble already in DOM
+        if (container.querySelector('[data-id="' + msg.id + '"]')) return;
+        const msgDate = msg.created_at.substring(0,10);
+        if (msgDate !== lastDate) {
+          lastDate = msgDate;
+          const div = document.createElement('div');
+          div.className = 'chat-date-divider';
+          div.textContent = formatChatDate(msgDate);
+          container.appendChild(div);
+        }
+        const bubble = buildBubble(msg);
+        // Animate new incoming admin messages
+        if (msg.sender === 'admin' && chatState.lastId > 0) {
+          bubble.style.animation = 'fadeUp .3s ease';
+        }
+        container.appendChild(bubble);
+        chatState.lastId = Math.max(chatState.lastId, parseInt(msg.id));
+      });
+
+      if (scrollToBottom) scrollChat();
+      else {
+        const near = container.scrollHeight - container.scrollTop - container.clientHeight < 160;
+        if (near) scrollChat();
+      }
+    }
+  } catch(e) { console.warn('Chat poll error', e); }
+}
+
+function buildBubble(msg) {
+  const isMine = msg.sender === 'user';
+  const wrap = document.createElement('div');
+  wrap.className = 'chat-bubble-wrap ' + (isMine ? 'mine' : 'theirs');
+  wrap.dataset.id = msg.id;
+  const time = msg.created_at.substring(11,16);
+  const senderLabel = isMine ? '' : '<div class="chat-sender-label">Support</div>';
+  wrap.innerHTML = senderLabel +
+    '<div class="chat-bubble ' + (isMine ? 'mine' : 'theirs') + '">' + escHtml(msg.message) + '</div>' +
+    '<div class="chat-time">' + time + '</div>';
+  return wrap;
+}
+
+function scrollChat() {
+  const c = document.getElementById('chat-messages');
+  if (c) { c.scrollTop = c.scrollHeight; }
+}
+
+function onChatInput() {
+  const btn = document.getElementById('chat-send-btn');
+  const input = document.getElementById('chat-input');
+  if (btn) btn.classList.toggle('has-text', input.value.trim().length > 0);
+}
+
+function quickReply(text) {
+  const input = document.getElementById('chat-input');
+  if (input) {
+    input.value = text;
+    input.focus();
+    onChatInput();
+  }
+}
+
+async function sendChatMsg() {
+  const input = document.getElementById('chat-input');
+  const btn   = document.getElementById('chat-send-btn');
+  const msg   = input.value.trim();
+  if (!msg) return;
+  input.value = '';
+  if (btn) btn.classList.remove('has-text');
+
+  const container = document.getElementById('chat-messages');
+  const quickReplies = document.getElementById('chat-quick-replies');
+  const emptyEl = container.querySelector('.chat-empty, .chat-loading');
+  if (emptyEl) emptyEl.remove();
+  if (quickReplies) quickReplies.style.display = 'none';
+
+  // Optimistic bubble
+  const tempBubble = buildBubble({
+    id: 'temp_' + Date.now(), sender: 'user', message: msg,
+    created_at: new Date().toISOString().replace('T',' ').substring(0,19)
+  });
+  tempBubble.style.opacity = '0.65';
+  container.appendChild(tempBubble);
+  scrollChat();
+
+  try {
+    const d = await api('/api/chat.php?action=send', { message: msg });
+    if (d.success) {
+      tempBubble.style.opacity = '1';
+      tempBubble.dataset.id = d.id;
+      chatState.lastId = Math.max(chatState.lastId, d.id);
+    } else {
+      tempBubble.remove();
+    }
+  } catch { tempBubble.remove(); }
+}
+
+async function pollChatBadge() {
+  try {
+    const d = await api('/api/chat.php?action=unread');
+    const badge = document.getElementById('chat-nav-badge');
+    if (d.success && d.count > 0) {
+      badge.textContent = d.count > 9 ? '9+' : d.count;
+      badge.style.display = 'flex';
+    } else {
+      badge.style.display = 'none';
+    }
+  } catch(e) {}
+}
+
+function formatChatDate(dateStr) {
+  const d = new Date(dateStr + 'T00:00:00');
+  const today = new Date(); today.setHours(0,0,0,0);
+  const diff = Math.round((today - d) / 86400000);
+  if (diff === 0) return 'Today';
+  if (diff === 1) return 'Yesterday';
+  return d.toLocaleDateString('en-US', {month:'short', day:'numeric'});
+}
+
+function escHtml(s) {
+  return s.replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;').replace(/\n/g,'<br>');
+}
+
+</script>
+</body>
+<!-- v<?= $_appVersion ?> --></html>
diff --git a/install.php b/install.php
new file mode 100644
index 0000000..d7f1275
--- /dev/null
+++ b/install.php
@@ -0,0 +1,206 @@
+<?php
+$key = $_GET['key'] ?? '';
+if ($key !== 'TomGames2024Admin') die('<h2 style="font-family:sans-serif;color:red">Access denied. Add ?key=TomGames2024Admin to URL.</h2>');
+
+require_once __DIR__ . '/../includes/config.php';
+
+$log = [];
+function ok($msg)   { global $log; $log[] = ['t'=>'ok',  'm'=>$msg]; }
+function err($msg)  { global $log; $log[] = ['t'=>'err', 'm'=>$msg]; }
+function warn($msg) { global $log; $log[] = ['t'=>'warn','m'=>$msg]; }
+function info($msg) { global $log; $log[] = ['t'=>'info','m'=>$msg]; }
+
+try {
+    $pdo = new PDO("mysql:host=".DB_HOST.";dbname=".DB_NAME.";charset=utf8mb4", DB_USER, DB_PASS,
+        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
+    ok('Connected to <strong>'.DB_NAME.'</strong> as <strong>'.DB_USER.'</strong>');
+} catch (Exception $e) {
+    die('<pre style="color:red">CONNECTION FAILED: '.htmlspecialchars($e->getMessage()).'</pre>');
+}
+
+// Helper: check if column exists
+function colExists(PDO $pdo, string $table, string $col): bool {
+    $r = $pdo->query("SHOW COLUMNS FROM `$table` LIKE '$col'")->fetch();
+    return (bool)$r;
+}
+
+// ── CREATE TABLES ───────────────────────────────────────────
+$tables = [
+'users' => "CREATE TABLE IF NOT EXISTS users (
+    id             INT AUTO_INCREMENT PRIMARY KEY,
+    username       VARCHAR(50) UNIQUE NOT NULL,
+    password       VARCHAR(255) NOT NULL,
+    alias          VARCHAR(100) NOT NULL,
+    email          VARCHAR(150) UNIQUE,
+    email_verified TINYINT(1) DEFAULT 0,
+    tokens         DECIMAL(10,2) DEFAULT 0,
+    is_admin       TINYINT(1) DEFAULT 0,
+    status         ENUM('active','suspended') DEFAULT 'active',
+    created_at     DATETIME DEFAULT CURRENT_TIMESTAMP,
+    last_login     DATETIME
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4",
+
+'pending_registrations' => "CREATE TABLE IF NOT EXISTS pending_registrations (
+    id         INT AUTO_INCREMENT PRIMARY KEY,
+    username   VARCHAR(50) NOT NULL,
+    password   VARCHAR(255) NOT NULL,
+    alias      VARCHAR(100) NOT NULL,
+    email      VARCHAR(150) NOT NULL,
+    token      VARCHAR(64) UNIQUE NOT NULL,
+    expires_at DATETIME NOT NULL,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4",
+
+'token_purchases' => "CREATE TABLE IF NOT EXISTS token_purchases (
+    id                INT AUTO_INCREMENT PRIMARY KEY,
+    user_id           INT NOT NULL,
+    tokens            INT NOT NULL,
+    amount_cents      INT NOT NULL,
+    payment_method    VARCHAR(20) DEFAULT 'card',
+    square_payment_id VARCHAR(255),
+    platform_id       VARCHAR(50),
+    game_alias        VARCHAR(100),
+    player_name       VARCHAR(100),
+    billing_name      VARCHAR(160),
+    billing_address   VARCHAR(200),
+    billing_city      VARCHAR(80),
+    billing_state     VARCHAR(2),
+    billing_zip       VARCHAR(10),
+    billing_email     VARCHAR(150),
+    is_custom         TINYINT(1) DEFAULT 0,
+    failure_reason    TEXT,
+    card_brand        VARCHAR(30),
+    card_last4        VARCHAR(4),
+    receipt_url       VARCHAR(512),
+    status            ENUM('pending','completed','failed') DEFAULT 'pending',
+    admin_note        TEXT,
+    created_at        DATETIME DEFAULT CURRENT_TIMESTAMP,
+    FOREIGN KEY (user_id) REFERENCES users(id)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4",
+
+'cashout_requests' => "CREATE TABLE IF NOT EXISTS cashout_requests (
+    id          INT AUTO_INCREMENT PRIMARY KEY,
+    user_id     INT NOT NULL,
+    platform_id VARCHAR(50) NOT NULL,
+    alias       VARCHAR(100) NOT NULL,
+    tokens      DECIMAL(10,2) NOT NULL,
+    status      ENUM('pending','approved','rejected') DEFAULT 'pending',
+    admin_note  TEXT,
+    created_at  DATETIME DEFAULT CURRENT_TIMESTAMP,
+    resolved_at DATETIME,
+    FOREIGN KEY (user_id) REFERENCES users(id)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4",
+
+'saved_billing' => "CREATE TABLE IF NOT EXISTS saved_billing (
+    id             INT AUTO_INCREMENT PRIMARY KEY,
+    user_id        INT UNIQUE NOT NULL,
+    first_name     VARCHAR(80),
+    last_name      VARCHAR(80),
+    email          VARCHAR(150),
+    address        VARCHAR(200),
+    city           VARCHAR(80),
+    state          VARCHAR(2),
+    zip            VARCHAR(10),
+    card_brand     VARCHAR(30),
+    card_last4     VARCHAR(4),
+    card_exp_month VARCHAR(2),
+    card_exp_year  VARCHAR(4),
+    sq_card_id     VARCHAR(255),
+    updated_at     DATETIME DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP,
+    FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE CASCADE
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4",
+
+'chat_messages' => "CREATE TABLE IF NOT EXISTS chat_messages (
+    id         INT AUTO_INCREMENT PRIMARY KEY,
+    user_id    INT NOT NULL,
+    sender     ENUM('user','admin') NOT NULL,
+    message    TEXT NOT NULL,
+    is_read    TINYINT(1) DEFAULT 0,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    FOREIGN KEY (user_id) REFERENCES users(id)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4",
+];
+
+foreach ($tables as $name => $sql) {
+    try { $pdo->exec($sql); ok("Table <strong>$name</strong> ✓"); }
+    catch (Exception $e) { err("Table <strong>$name</strong>: ".htmlspecialchars($e->getMessage())); }
+}
+
+// ── ADD MISSING COLUMNS (compatible with MySQL 5.6/5.7/8) ──
+// Check existence first, then ALTER — works on all MySQL versions
+$addCols = [
+    // [table, column, definition, after]
+    ['token_purchases', 'billing_name',    "VARCHAR(160)",              'player_name'],
+    ['token_purchases', 'billing_address', "VARCHAR(200)",              'billing_name'],
+    ['token_purchases', 'billing_city',    "VARCHAR(80)",               'billing_address'],
+    ['token_purchases', 'billing_state',   "VARCHAR(2)",                'billing_city'],
+    ['token_purchases', 'billing_zip',     "VARCHAR(10)",               'billing_state'],
+    ['token_purchases', 'billing_email',   "VARCHAR(150)",              'billing_zip'],
+    ['token_purchases', 'is_custom',       "TINYINT(1) DEFAULT 0",      'billing_email'],
+    ['token_purchases', 'failure_reason',  "TEXT",                      'is_custom'],
+    ['token_purchases', 'card_brand',      "VARCHAR(30)",               'failure_reason'],
+    ['token_purchases', 'card_last4',      "VARCHAR(4)",                'card_brand'],
+    ['token_purchases', 'receipt_url',     "VARCHAR(512)",              'card_last4'],
+    ['token_purchases', 'admin_note',      "TEXT",                      'status'],
+    ['users',           'email_verified',  "TINYINT(1) DEFAULT 0",      'email'],
+];
+
+foreach ($addCols as [$tbl, $col, $def, $after]) {
+    if (colExists($pdo, $tbl, $col)) {
+        ok("Column <strong>$tbl.$col</strong> already exists ✓");
+    } else {
+        try {
+            $pdo->exec("ALTER TABLE `$tbl` ADD COLUMN `$col` $def AFTER `$after`");
+            ok("Column <strong>$tbl.$col</strong> added ✓");
+        } catch (Exception $e) {
+            err("Column <strong>$tbl.$col</strong>: ".htmlspecialchars($e->getMessage()));
+        }
+    }
+}
+
+// ── FIX ADMIN email_verified ────────────────────────────────
+try {
+    $n = $pdo->exec("UPDATE users SET email_verified=1 WHERE is_admin=1");
+    ok("Admin accounts email_verified set to 1 ($n updated)");
+} catch (Exception $e) { warn("Admin fix: ".htmlspecialchars($e->getMessage())); }
+
+// ── SUMMARY ─────────────────────────────────────────────────
+$tables_now = $pdo->query("SHOW TABLES")->fetchAll(PDO::FETCH_COLUMN);
+info("All tables: <strong>".implode(', ', $tables_now)."</strong>");
+
+try {
+    $total  = $pdo->query("SELECT COUNT(*) FROM users")->fetchColumn();
+    $admins = $pdo->query("SELECT COUNT(*) FROM users WHERE is_admin=1")->fetchColumn();
+    info("Users: <strong>$total total</strong>, $admins admin(s)");
+} catch (Exception $e) {}
+?>
+<!DOCTYPE html><html><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1">
+<title>TomTomGames DB Install</title>
+<style>
+body{font-family:'Segoe UI',sans-serif;background:#0a0a12;color:#e8e8f0;max-width:680px;margin:40px auto;padding:20px}
+h1{font-size:20px;margin-bottom:4px;background:linear-gradient(135deg,#f0c040,#00e5ff);-webkit-background-clip:text;-webkit-text-fill-color:transparent}
+.sub{color:#8888aa;font-size:13px;margin-bottom:24px}
+.row{padding:9px 14px;border-radius:7px;margin-bottom:5px;font-size:13px;display:flex;align-items:flex-start;gap:10px}
+.ok  {background:rgba(0,230,118,.08);border:1px solid rgba(0,230,118,.2)}
+.err {background:rgba(255,68,68,.1);border:1px solid rgba(255,68,68,.3);color:#ff9999}
+.warn{background:rgba(255,214,10,.07);border:1px solid rgba(255,214,10,.2);color:#ffd60a}
+.info{background:rgba(0,229,255,.06);border:1px solid rgba(0,229,255,.15);color:#aaddff}
+.ic{flex-shrink:0;font-weight:700}
+.next{background:rgba(240,192,64,.07);border:1px solid rgba(240,192,64,.2);border-radius:10px;padding:16px;margin-top:24px}
+.next h2{color:#f0c040;font-size:14px;margin-bottom:8px}
+.next ol{padding-left:16px;line-height:2;color:#ccccdd;font-size:13px}
+.del{background:rgba(255,68,68,.07);border:1px solid rgba(255,68,68,.2);border-radius:7px;padding:10px 14px;margin-top:14px;font-size:12px;color:#ff9999}
+</style></head><body>
+<h1>🎮 TomTomGames — DB Install / Repair</h1>
+<div class="sub">Database: <strong><?= DB_NAME ?></strong></div>
+<?php foreach ($log as $e): $ic = $e['t']==='ok'?'✓':($e['t']==='err'?'✗':($e['t']==='warn'?'⚠':'ℹ')); ?>
+<div class="row <?= $e['t'] ?>"><span class="ic"><?= $ic ?></span><span><?= $e['m'] ?></span></div>
+<?php endforeach; ?>
+<div class="next"><h2>Next Steps</h2><ol>
+<li>All green ✓? Your database is fully set up</li>
+<li>Visit <strong>/create_admin.php</strong> to create admin account (if needed)</li>
+<li>Visit <strong>https://tomtomgames.com</strong> — app should load normally</li>
+<li><strong>Delete install.php</strong> from your server now</li>
+</ol></div>
+<div class="del">⚠ Delete <code>install.php</code> after use — it exposes DB structure.</div>
+</body></html>
diff --git a/manifest.json b/manifest.json
new file mode 100644
index 0000000..b6df8ee
--- /dev/null
+++ b/manifest.json
@@ -0,0 +1,43 @@
+{
+  "name": "TomTomGames — Game Token Portal",
+  "short_name": "TomTomGames",
+  "description": "Buy tokens for VBlink777, Fire Kirin, Milky Way, Ultra Panda, Panda Master, Noble777 and eGame99. Fast, secure, mobile-first.",
+  "start_url": "/",
+  "display": "standalone",
+  "background_color": "#0a0a12",
+  "theme_color": "#f0c040",
+  "orientation": "portrait",
+  "scope": "/",
+  "lang": "en-US",
+  "categories": ["games", "entertainment"],
+  "icons": [
+    {
+      "src": "/assets/img/icon-192.png",
+      "sizes": "192x192",
+      "type": "image/png",
+      "purpose": "any maskable"
+    },
+    {
+      "src": "/assets/img/icon-512.png",
+      "sizes": "512x512",
+      "type": "image/png",
+      "purpose": "any maskable"
+    }
+  ],
+  "shortcuts": [
+    {
+      "name": "Buy Tokens",
+      "short_name": "Buy",
+      "description": "Buy game tokens instantly",
+      "url": "/?action=buy",
+      "icons": [{ "src": "/assets/img/icon-192.png", "sizes": "192x192" }]
+    },
+    {
+      "name": "Support",
+      "short_name": "Help",
+      "description": "Contact TomTomGames support",
+      "url": "/?action=chat",
+      "icons": [{ "src": "/assets/img/icon-192.png", "sizes": "192x192" }]
+    }
+  ]
+}
diff --git a/phpcheck.php b/phpcheck.php
new file mode 100644
index 0000000..f97dab1
--- /dev/null
+++ b/phpcheck.php
@@ -0,0 +1,25 @@
+<?php
+// Admin only diagnostic - delete after use
+$files = [
+    '../../includes/db.php',
+    '../../includes/auth.php',
+    '../api/admin.php',
+];
+foreach ($files as $f) {
+    $full = __DIR__ . '/' . $f;
+    $out = shell_exec("php -l " . escapeshellarg($full) . " 2>&1");
+    echo $f . ": " . trim($out) . "\n";
+}
+
+// Also test DB connection directly
+try {
+    require_once __DIR__ . '/../../includes/config.php';
+    require_once __DIR__ . '/../../includes/db.php';
+    $v = db()->query("SELECT COUNT(*) FROM users")->fetchColumn();
+    echo "\nDB OK — users: $v\n";
+    $v2 = db()->query("SELECT version FROM app_version ORDER BY id DESC LIMIT 1")->fetchColumn();
+    echo "App version: $v2\n";
+} catch (Throwable $e) {
+    echo "\nDB ERROR: " . $e->getMessage() . "\n";
+    echo "File: " . $e->getFile() . " line " . $e->getLine() . "\n";
+}
diff --git a/ref_test.php b/ref_test.php
new file mode 100644
index 0000000..377e9b0
--- /dev/null
+++ b/ref_test.php
@@ -0,0 +1,26 @@
+<?php
+require_once __DIR__ . '/../includes/config.php';
+require_once __DIR__ . '/../includes/db.php';
+
+header('Content-Type: application/json');
+
+// Test what the referrals API would return for each user
+$users = db()->query("SELECT id, username, referral_code FROM users")->fetchAll();
+$out = [];
+foreach ($users as $u) {
+    $out[] = [
+        'id'            => $u['id'],
+        'username'      => $u['username'],
+        'referral_code' => $u['referral_code'],
+        'referral_url'  => 'https://tomtomgames.com/?ref=' . $u['referral_code'],
+    ];
+}
+
+// Also check tiers
+$tiers = db()->query("SELECT id, name, min_referrals, tokens_per_ref, bonus_tokens, is_active FROM referral_tiers ORDER BY sort_order")->fetchAll();
+
+echo json_encode([
+    'users' => $out,
+    'tiers' => $tiers,
+    'tier_count' => count($tiers),
+], JSON_PRETTY_PRINT);
diff --git a/referral_setup.php b/referral_setup.php
new file mode 100644
index 0000000..b5063b1
--- /dev/null
+++ b/referral_setup.php
@@ -0,0 +1,96 @@
+<?php
+require_once '/home/tomtomgames.com/includes/config.php';
+require_once '/home/tomtomgames.com/includes/db.php';
+
+// 1. referral_tiers
+db()->exec("CREATE TABLE IF NOT EXISTS referral_tiers (
+    id INT AUTO_INCREMENT PRIMARY KEY,
+    name VARCHAR(100) NOT NULL,
+    min_referrals INT NOT NULL DEFAULT 1,
+    tokens_per_ref DECIMAL(10,2) NOT NULL DEFAULT 10,
+    bonus_tokens DECIMAL(10,2) NOT NULL DEFAULT 0,
+    description VARCHAR(300),
+    is_active TINYINT(1) DEFAULT 1,
+    sort_order INT DEFAULT 0,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4");
+echo "referral_tiers table OK\n";
+
+// 2. Seed tiers
+$count = (int)db()->query("SELECT COUNT(*) FROM referral_tiers")->fetchColumn();
+if ($count == 0) {
+    $seeds = [
+        ['Bronze Referrer',  1,  5,   0,   'Earn 5 tokens for each verified referral',                1, 0],
+        ['Silver Referrer',  5,  8,   25,  'Earn 8 tokens per referral + 25 bonus at 5 referrals',   1, 1],
+        ['Gold Referrer',    10, 10,  100, 'Earn 10 tokens per referral + 100 bonus at 10 referrals', 1, 2],
+        ['Elite Referrer',   25, 15,  250, 'Earn 15 tokens per referral + 250 bonus at 25 referrals', 1, 3],
+    ];
+    $st = db()->prepare("INSERT INTO referral_tiers (name,min_referrals,tokens_per_ref,bonus_tokens,description,is_active,sort_order) VALUES (?,?,?,?,?,?,?)");
+    foreach ($seeds as $s) $st->execute($s);
+    echo "4 tiers seeded\n";
+} else {
+    echo "Tiers already exist: $count\n";
+}
+
+// 3. referrals table
+db()->exec("CREATE TABLE IF NOT EXISTS referrals (
+    id INT AUTO_INCREMENT PRIMARY KEY,
+    referrer_id INT NOT NULL,
+    referred_id INT NOT NULL UNIQUE,
+    tier_id INT,
+    status ENUM('pending','verified','denied','deleted') DEFAULT 'pending',
+    tokens_awarded DECIMAL(10,2) DEFAULT 0,
+    admin_id INT,
+    admin_note VARCHAR(300),
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    resolved_at DATETIME
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4");
+echo "referrals table OK\n";
+
+// 4. referral_social_shares
+db()->exec("CREATE TABLE IF NOT EXISTS referral_social_shares (
+    id INT AUTO_INCREMENT PRIMARY KEY,
+    user_id INT NOT NULL,
+    platform VARCHAR(50) NOT NULL,
+    bonus_tokens DECIMAL(10,2) DEFAULT 5,
+    status ENUM('pending','approved','denied') DEFAULT 'pending',
+    admin_id INT,
+    created_at DATETIME DEFAULT CURRENT_TIMESTAMP,
+    resolved_at DATETIME
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4");
+echo "referral_social_shares table OK\n";
+
+// 5. Add referral_code to users
+$cols = array_column(db()->query("SHOW COLUMNS FROM users")->fetchAll(), 'Field');
+if (!in_array('referral_code', $cols)) {
+    db()->exec("ALTER TABLE users ADD COLUMN referral_code VARCHAR(20) UNIQUE");
+    echo "referral_code column added\n";
+}
+
+// 6. Add referred_by to users
+if (!in_array('referred_by', $cols)) {
+    db()->exec("ALTER TABLE users ADD COLUMN referred_by INT DEFAULT NULL");
+    echo "referred_by column added\n";
+}
+
+// 7. Add referred_by to pending_registrations
+$pcols = array_column(db()->query("SHOW COLUMNS FROM pending_registrations")->fetchAll(), 'Field');
+if (!in_array('referred_by', $pcols)) {
+    db()->exec("ALTER TABLE pending_registrations ADD COLUMN referred_by INT DEFAULT NULL");
+    echo "pending_registrations.referred_by added\n";
+}
+
+// 8. Generate codes for users missing one
+$users = db()->query("SELECT id FROM users WHERE referral_code IS NULL OR referral_code = ''")->fetchAll();
+$upd = db()->prepare("UPDATE users SET referral_code=? WHERE id=?");
+foreach ($users as $u) {
+    $code = strtoupper(substr(md5($u['id'].uniqid()), 0, 8));
+    $upd->execute([$code, $u['id']]);
+}
+echo count($users) . " users given referral codes\n";
+
+// 9. Show sample
+$sample = db()->query("SELECT username, referral_code FROM users LIMIT 5")->fetchAll();
+foreach ($sample as $r) echo "  " . $r['username'] . ": " . $r['referral_code'] . "\n";
+
+echo "\nDONE\n";
diff --git a/robots.txt b/robots.txt
new file mode 100644
index 0000000..297f710
--- /dev/null
+++ b/robots.txt
@@ -0,0 +1,23 @@
+User-agent: *
+Allow: /
+Allow: /assets/
+Disallow: /admin/
+Disallow: /api/
+Disallow: /install.php
+Disallow: /test.php
+Disallow: /test_login.php
+Disallow: /get_location.php
+Disallow: /?q=
+
+# Block AI training bots (optional but protects content)
+User-agent: GPTBot
+Disallow: /
+
+User-agent: Google-Extended
+Disallow: /
+
+User-agent: CCBot
+Disallow: /
+
+# Sitemap
+Sitemap: https://tomtomgames.com/sitemap.xml
diff --git a/sitemap.xml b/sitemap.xml
new file mode 100644
index 0000000..661c133
--- /dev/null
+++ b/sitemap.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"
+        xmlns:xhtml="http://www.w3.org/1999/xhtml">
+
+  <!-- Homepage / App -->
+  <url>
+    <loc>https://tomtomgames.com/</loc>
+    <lastmod>2026-05-19</lastmod>
+    <changefreq>daily</changefreq>
+    <priority>1.0</priority>
+  </url>
+
+  <!-- SEO Landing Page -->
+  <url>
+    <loc>https://tomtomgames.com/games/</loc>
+    <lastmod>2026-05-19</lastmod>
+    <changefreq>weekly</changefreq>
+    <priority>0.9</priority>
+  </url>
+
+</urlset>
diff --git a/test.php b/test.php
new file mode 100644
index 0000000..00f0b67
--- /dev/null
+++ b/test.php
@@ -0,0 +1,6 @@
+<?php
+echo json_encode([
+    'php'     => PHP_VERSION,
+    'time'    => date('Y-m-d H:i:s'),
+    'status'  => 'ok'
+]);
diff --git a/test_login.php b/test_login.php
new file mode 100644
index 0000000..08d99ca
--- /dev/null
+++ b/test_login.php
@@ -0,0 +1,18 @@
+<?php
+// POST test - simulates exactly what the app does
+ob_start();
+try { require_once __DIR__ . '/../includes/auth.php'; } catch(Throwable $e) { ob_end_clean(); die(json_encode(['boot_error'=>$e->getMessage()])); }
+ob_end_clean();
+header('Content-Type: application/json');
+
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+    $data = json_decode(file_get_contents('php://input'), true);
+    $result = loginUser($data['username'] ?? '', $data['password'] ?? '');
+    if ($result['success']) unset($result['user']['password']);
+    echo json_encode($result);
+    exit;
+}
+
+// GET - show users
+$users = db()->query("SELECT id,username,alias,is_admin,email_verified,status FROM users")->fetchAll();
+echo json_encode(['users'=>$users,'session_id'=>session_id()]);
diff --git a/test_mail.php b/test_mail.php
new file mode 100644
index 0000000..daaa45e
--- /dev/null
+++ b/test_mail.php
@@ -0,0 +1,91 @@
+<?php
+// Standalone email test - no auth required for diagnosis
+// DELETE THIS FILE after confirming email works
+
+$result = [];
+$result['php_version'] = PHP_VERSION;
+$result['mail_function_exists'] = function_exists('mail');
+$result['server_software'] = $_SERVER['SERVER_SOFTWARE'] ?? 'unknown';
+$result['hostname'] = gethostname();
+
+// Check sendmail path
+$sendmail = ini_get('sendmail_path');
+$result['sendmail_path'] = $sendmail ?: 'not set';
+
+// Check if we can detect SMTP settings
+$result['smtp_host'] = ini_get('SMTP') ?: 'not set';
+$result['smtp_port'] = ini_get('smtp_port') ?: 'not set';
+
+$to = $_POST['to'] ?? '';
+$sent = false;
+$sendError = '';
+
+if ($to && filter_var($to, FILTER_VALIDATE_EMAIL) && isset($_POST['send'])) {
+    $subject = 'TomTomGames Email Test';
+    $message = "This is a test email from TomTomGames.\n\nIf you received this, PHP mail() is working correctly on this server.";
+    $headers  = "From: noreply@tomtomgames.com\r\n";
+    $headers .= "Reply-To: support@tomtomgames.com\r\n";
+    $headers .= "X-Mailer: PHP/" . PHP_VERSION;
+    
+    // Capture any mail errors
+    set_error_handler(function($errno, $errstr) use (&$sendError) {
+        $sendError = $errstr;
+    });
+    $sent = mail($to, $subject, $message, $headers, '-fnoreply@tomtomgames.com');
+    restore_error_handler();
+    $result['mail_return'] = $sent;
+    $result['mail_error']  = $sendError ?: 'none';
+}
+?>
+<!DOCTYPE html>
+<html>
+<head>
+<title>Email Test</title>
+<style>
+body{font-family:monospace;background:#0a0a12;color:#e8e8f0;padding:24px;max-width:600px;margin:0 auto}
+h2{color:#f0c040}
+.box{background:#1a1a2e;border:1px solid #333;border-radius:8px;padding:16px;margin:12px 0}
+.ok{color:#00e676}.err{color:#ff4444}.warn{color:#f0c040}
+input{background:#111;border:1px solid #444;color:#fff;padding:8px 12px;width:280px;border-radius:6px;font-size:14px}
+button{background:#f0c040;color:#000;border:none;padding:10px 20px;border-radius:6px;font-weight:700;cursor:pointer;margin-left:8px}
+label{display:block;margin-bottom:6px;color:#aaa;font-size:13px}
+</style>
+</head>
+<body>
+<h2>TomTomGames — Email Diagnostics</h2>
+
+<div class="box">
+<b>Server Info:</b><br>
+PHP: <span class="ok"><?= $result['php_version'] ?></span><br>
+Server: <?= htmlspecialchars($result['server_software']) ?><br>
+Hostname: <?= htmlspecialchars($result['hostname']) ?><br>
+mail() function: <span class="<?= $result['mail_function_exists'] ? 'ok' : 'err' ?>"><?= $result['mail_function_exists'] ? 'EXISTS' : 'MISSING' ?></span><br>
+sendmail_path: <span class="warn"><?= htmlspecialchars($result['sendmail_path']) ?></span><br>
+SMTP: <span class="warn"><?= htmlspecialchars($result['smtp_host']) ?>:<?= htmlspecialchars($result['smtp_port']) ?></span>
+</div>
+
+<?php if ($to): ?>
+<div class="box">
+<b>Send Result:</b><br>
+To: <?= htmlspecialchars($to) ?><br>
+mail() returned: <span class="<?= $sent ? 'ok' : 'err' ?>"><?= $sent ? 'TRUE (queued for delivery)' : 'FALSE (failed)' ?></span><br>
+Error: <span class="warn"><?= htmlspecialchars($result['mail_error']) ?></span><br>
+<?php if ($sent): ?>
+<br><span class="ok">Check your inbox (and spam folder). If nothing arrives in 5 minutes, the server is not sending outbound mail.</span>
+<?php else: ?>
+<br><span class="err">mail() returned false — server cannot send email. You need to configure SMTP (PHPMailer) or enable sendmail.</span>
+<?php endif; ?>
+</div>
+<?php endif; ?>
+
+<div class="box">
+<form method="POST">
+<label>Send test email to:</label>
+<input type="email" name="to" value="<?= htmlspecialchars($to) ?>" placeholder="your@email.com" required>
+<button type="submit" name="send" value="1">Send Test</button>
+</form>
+</div>
+
+<p style="color:#555;font-size:11px">Delete test_mail.php after diagnosis is complete.</p>
+</body>
+</html>
diff --git a/verify.php b/verify.php
new file mode 100644
index 0000000..e2d8d37
--- /dev/null
+++ b/verify.php
@@ -0,0 +1,66 @@
+<?php
+require_once __DIR__ . '/../includes/auth.php';
+
+$token  = $_GET['token'] ?? '';
+$result = verifyEmailToken($token);
+?>
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title><?= SITE_NAME ?> — Email Verified</title>
+<link href="https://fonts.googleapis.com/css2?family=Exo+2:wght@400;700;900&family=Rajdhani:wght@400;500;600&display=swap" rel="stylesheet">
+<style>
+*{box-sizing:border-box;margin:0;padding:0}
+body{background:#0a0a12;color:#e8e8f0;font-family:'Rajdhani',sans-serif;min-height:100dvh;display:flex;align-items:center;justify-content:center;padding:24px}
+body::before{content:'';position:fixed;inset:0;background-image:linear-gradient(rgba(0,229,255,0.03) 1px,transparent 1px),linear-gradient(90deg,rgba(0,229,255,0.03) 1px,transparent 1px);background-size:40px 40px;pointer-events:none}
+.card{background:#1a1a2e;border:1px solid rgba(255,255,255,0.08);border-radius:20px;padding:40px 32px;max-width:420px;width:100%;text-align:center;position:relative;z-index:1}
+.icon{font-size:64px;margin-bottom:20px;display:block}
+.title{font-family:'Exo 2',sans-serif;font-weight:900;font-size:26px;margin-bottom:10px}
+.title.success{background:linear-gradient(135deg,#f0c040,#00e5ff);-webkit-background-clip:text;-webkit-text-fill-color:transparent}
+.title.error{color:#ff4444}
+.msg{font-size:15px;color:#aaaacc;line-height:1.7;margin-bottom:28px}
+.msg strong{color:#e8e8f0}
+.btn{display:block;width:100%;padding:15px;border:none;border-radius:10px;font-family:'Exo 2',sans-serif;font-weight:700;font-size:15px;letter-spacing:1px;cursor:pointer;text-decoration:none;text-align:center;transition:all .2s}
+.btn-gold{background:linear-gradient(135deg,#f0c040,#d4a017);color:#000;box-shadow:0 4px 20px rgba(240,192,64,.4)}
+.btn-outline{background:transparent;border:1.5px solid rgba(255,255,255,.2);color:#aaaacc;margin-top:10px}
+.logo{font-family:'Exo 2',sans-serif;font-weight:900;font-size:20px;background:linear-gradient(135deg,#f0c040,#00e5ff);-webkit-background-clip:text;-webkit-text-fill-color:transparent;margin-bottom:28px;letter-spacing:1px}
+.countdown{font-size:13px;color:#8888aa;margin-top:16px}
+</style>
+<?php if ($result['success']): ?>
+<script>
+// Auto-redirect to app after 4 seconds
+setTimeout(() => { window.location.href = '/'; }, 4000);
+</script>
+<?php endif; ?>
+</head>
+<body>
+<div class="card">
+  <div class="logo" style="display:flex;align-items:center;gap:10px;justify-content:center"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 48 48" width="36" height="36" style="display:inline-block;vertical-align:middle;flex-shrink:0"><defs><linearGradient id="ll1" x1="0%" y1="0%" x2="100%" y2="100%"><stop offset="0%" stop-color="#f0c040"/><stop offset="100%" stop-color="#ff6b35"/></linearGradient><linearGradient id="ll2" x1="0%" y1="0%" x2="100%" y2="100%"><stop offset="0%" stop-color="#00e5ff"/><stop offset="100%" stop-color="#7b2fbe"/></linearGradient><filter id="gll"><feGaussianBlur stdDeviation="1.5" result="b"/><feMerge><feMergeNode in="b"/><feMergeNode in="SourceGraphic"/></feMerge></filter></defs><rect x="6" y="16" width="36" height="22" rx="11" fill="url(#ll1)" filter="url(#gll)"/><rect x="12" y="23" width="8" height="3" rx="1.5" fill="rgba(0,0,0,0.45)"/><rect x="15" y="20" width="3" height="8" rx="1.5" fill="rgba(0,0,0,0.45)"/><circle cx="32" cy="22" r="2.2" fill="#e63946" opacity=".9"/><circle cx="36" cy="25" r="2.2" fill="#2ec4b6" opacity=".9"/><circle cx="32" cy="28" r="2.2" fill="#7b2fbe" opacity=".9"/><circle cx="28" cy="25" r="2.2" fill="#f4a261" opacity=".9"/><rect x="21" y="24" width="6" height="3" rx="1.5" fill="rgba(0,0,0,0.3)"/><rect x="8" y="30" width="8" height="7" rx="4" fill="url(#ll2)" opacity=".7"/><rect x="32" y="30" width="8" height="7" rx="4" fill="url(#ll2)" opacity=".7"/><rect x="14" y="13" width="8" height="5" rx="2.5" fill="url(#ll1)" opacity=".8"/><rect x="26" y="13" width="8" height="5" rx="2.5" fill="url(#ll1)" opacity=".8"/><circle cx="24" cy="7" r="2" fill="#f0c040" opacity=".9"/><circle cx="39" cy="10" r="1.2" fill="#00e5ff" opacity=".8"/><circle cx="9" cy="10" r="1.2" fill="#f0c040" opacity=".7"/></svg><span><?= SITE_NAME ?></span></div>
+
+  <?php if ($result['success']): ?>
+    <span class="icon">🎉</span>
+    <div class="title success">Account Verified!</div>
+    <p class="msg">
+      Welcome to <?= SITE_NAME ?>, <strong><?= htmlspecialchars($result['alias']) ?></strong>!<br><br>
+      Your account is active and you've been automatically logged in. Let's play!
+    </p>
+    <a href="/" class="btn btn-gold">🎮 ENTER TOMTOMGAMES</a>
+    <p class="countdown" id="countdown">Redirecting in 4 seconds...</p>
+    <script>
+      let s = 4;
+      const el = document.getElementById('countdown');
+      setInterval(() => { s--; if(s>0) el.textContent = `Redirecting in ${s} second${s!==1?'s':''}...`; else el.textContent = 'Redirecting...'; }, 1000);
+    </script>
+
+  <?php else: ?>
+    <span class="icon">❌</span>
+    <div class="title error">Verification Failed</div>
+    <p class="msg"><?= htmlspecialchars($result['error']) ?></p>
+    <a href="/" class="btn btn-gold">REGISTER AGAIN</a>
+    <a href="/" class="btn btn-outline">BACK TO HOME</a>
+  <?php endif; ?>
+</div>
+</body>
+</html>