revops + onboarding

2026-04-22 20:00:44 +02:00
parent ce724662d4
commit 7d2724b65d
37 changed files with 5073 additions and 1286 deletions
--- a/src/app/(main)/(app)/create/page.tsx
+++ b/src/app/(main)/(app)/create/page.tsx
@@ -1,8 +1,8 @@
 'use client';

-import React, { useState, useEffect, useRef } from 'react';
-import Link from 'next/link';
-import { useRouter } from 'next/navigation';
+import React, { useState, useEffect, useRef } from 'react';
+import Link from 'next/link';
+import { useRouter, useSearchParams } from 'next/navigation';
 import { QRCodeSVG } from 'qrcode.react';
 import { toPng } from 'html-to-image';
 import { Card, CardHeader, CardTitle, CardContent } from '@/components/ui/Card';
@@ -11,12 +11,14 @@ import { Select } from '@/components/ui/Select';
 import { Button } from '@/components/ui/Button';
 import { Badge } from '@/components/ui/Badge';
 import { calculateContrast, cn } from '@/lib/utils';
-import { useTranslation } from '@/hooks/useTranslation';
-import { useCsrf } from '@/hooks/useCsrf';
-import { showToast } from '@/components/ui/Toast';
-import {
-  Globe, User, MapPin, Phone, FileText, Smartphone, Ticket, Star, HelpCircle, Upload, Barcode as BarcodeIcon
-} from 'lucide-react';
+import { useTranslation } from '@/hooks/useTranslation';
+import { useCsrf } from '@/hooks/useCsrf';
+import { showToast } from '@/components/ui/Toast';
+import { trackEvent } from '@/components/PostHogProvider';
+import { appendRedirectParam, sanitizeRedirectPath } from '@/lib/auth-flow';
+import {
+  Globe, User, MapPin, Phone, FileText, Smartphone, Ticket, Star, HelpCircle, Upload, Barcode as BarcodeIcon
+} from 'lucide-react';
 import Barcode from 'react-barcode';

 // Tooltip component for form field help
@@ -99,9 +101,10 @@ function addBarcodeCaptionToSvg(svgElement: SVGElement, caption: string): string
  return new XMLSerializer().serializeToString(cloned);
 }

-export default function CreatePage() {
-  const router = useRouter();
-  const { t } = useTranslation();
+export default function CreatePage() {
+  const router = useRouter();
+  const searchParams = useSearchParams();
+  const { t } = useTranslation();
  const { fetchWithCsrf } = useCsrf();
  const [loading, setLoading] = useState(false);
  const [uploading, setUploading] = useState(false);
@@ -145,14 +148,14 @@ export default function CreatePage() {
  const [excavate, setExcavate] = useState(true);

  // QR preview
-  const [qrDataUrl, setQrDataUrl] = useState('');
+  const [qrDataUrl, setQrDataUrl] = useState('');

  // Check if user can customize colors (PRO+ only)
  const canCustomizeColors = userPlan === 'PRO' || userPlan === 'BUSINESS';

  // Load user plan
-  useEffect(() => {
-    const fetchUserPlan = async () => {
+  useEffect(() => {
+    const fetchUserPlan = async () => {
      try {
        const response = await fetch('/api/user/plan');
        if (response.ok) {
@@ -163,8 +166,44 @@ export default function CreatePage() {
        console.error('Error fetching user plan:', error);
      }
    };
-    fetchUserPlan();
-  }, []);
+    fetchUserPlan();
+  }, []);
+
+  useEffect(() => {
+    const queryContentType = searchParams.get('contentType');
+    const useCase = searchParams.get('useCase');
+    const titleParam = searchParams.get('title');
+    const isDynamicParam = searchParams.get('dynamic');
+
+    if (queryContentType) {
+      setContentType(queryContentType);
+    }
+
+    if (titleParam) {
+      setTitle(titleParam);
+    }
+
+    if (isDynamicParam) {
+      setIsDynamic(isDynamicParam === '1');
+    }
+
+    if (useCase === 'menu_pdf') {
+      setContent((prev: any) => ({ ...prev, fileUrl: prev.fileUrl || '' }));
+    } else if (useCase === 'contact_card') {
+      setContent((prev: any) => ({
+        ...prev,
+        firstName: prev.firstName || '',
+        lastName: prev.lastName || '',
+      }));
+    } else if (useCase === 'barcode') {
+      setContent((prev: any) => ({
+        ...prev,
+        format: prev.format || 'CODE128',
+      }));
+    } else if (queryContentType === 'URL') {
+      setContent((prev: any) => ({ ...prev, url: prev.url || '' }));
+    }
+  }, [searchParams]);

  const contrast = calculateContrast(foregroundColor, backgroundColor);
  const hasGoodContrast = contrast >= 4.5;
@@ -226,13 +265,19 @@ export default function CreatePage() {
  const downloadQR = async (format: 'svg' | 'png') => {
    if (!qrRef.current) return;
    try {
-      if (format === 'png') {
-        const dataUrl = await toPng(qrRef.current, { cacheBust: true, pixelRatio: 3, backgroundColor: 'transparent' });
-        const link = document.createElement('a');
-        link.download = `qrcode-${title || 'download'}.png`;
-        link.href = dataUrl;
-        link.click();
-      } else {
+      if (format === 'png') {
+        const dataUrl = await toPng(qrRef.current, { cacheBust: true, pixelRatio: 3, backgroundColor: 'transparent' });
+        const link = document.createElement('a');
+        link.download = `qrcode-${title || 'download'}.png`;
+        link.href = dataUrl;
+        link.click();
+        trackEvent('qr_code_downloaded', {
+          format: 'png',
+          content_type: contentType,
+          qr_type: isDynamic ? 'dynamic' : 'static',
+          plan: userPlan,
+        });
+      } else {
        // For SVG, we might still want to use the library or just toPng if SVG export of HTML is not needed
        // Simplest is to check if we can export the SVG element directly but that misses the frame HTML.
        // html-to-image can generate SVG too.
@@ -254,21 +299,34 @@ export default function CreatePage() {
              : new XMLSerializer().serializeToString(svgElement);
            const blob = new Blob([svgData], { type: 'image/svg+xml' });
            const url = URL.createObjectURL(blob);
-            const a = document.createElement('a');
-            a.href = url;
-            a.download = `qrcode-${title || 'download'}.svg`;
-            a.click();
-            URL.revokeObjectURL(url);
-          }
-        } else {
-          showToast('SVG download not available with frames yet. Downloading PNG instead.', 'info');
-          const dataUrl = await toPng(qrRef.current, { cacheBust: true, pixelRatio: 3, backgroundColor: 'transparent' });
-          const link = document.createElement('a');
-          link.download = `qrcode-${title || 'download'}.png`;
-          link.href = dataUrl;
-          link.click();
-        }
-      }
+            const a = document.createElement('a');
+            a.href = url;
+            a.download = `qrcode-${title || 'download'}.svg`;
+            a.click();
+            URL.revokeObjectURL(url);
+            trackEvent('qr_code_downloaded', {
+              format: 'svg',
+              content_type: contentType,
+              qr_type: isDynamic ? 'dynamic' : 'static',
+              plan: userPlan,
+            });
+          }
+        } else {
+          showToast('SVG download not available with frames yet. Downloading PNG instead.', 'info');
+          const dataUrl = await toPng(qrRef.current, { cacheBust: true, pixelRatio: 3, backgroundColor: 'transparent' });
+          const link = document.createElement('a');
+          link.download = `qrcode-${title || 'download'}.png`;
+          link.href = dataUrl;
+          link.click();
+          trackEvent('qr_code_downloaded', {
+            format: 'png',
+            content_type: contentType,
+            qr_type: isDynamic ? 'dynamic' : 'static',
+            plan: userPlan,
+            fallback_from: 'svg_with_frame',
+          });
+        }
+      }
    } catch (err) {
      console.error('Error downloading QR code:', err);
      showToast('Error downloading QR code', 'error');
@@ -354,18 +412,38 @@ export default function CreatePage() {
      const responseData = await response.json();
      console.log('RESPONSE DATA:', responseData);

-      if (response.ok) {
-        showToast(`QR Code "${title}" created successfully!`, 'success');
-
-        // Wait a moment so user sees the toast, then redirect
-        setTimeout(() => {
-          router.push('/dashboard');
-          router.refresh();
-        }, 1000);
-      } else {
-        console.error('Error creating QR code:', responseData);
-        showToast(responseData.error || 'Error creating QR code', 'error');
-      }
+      if (response.ok) {
+        trackEvent('qr_code_created', {
+          content_type: contentType,
+          qr_type: isDynamic ? 'dynamic' : 'static',
+          plan: userPlan,
+          has_logo: Boolean(logoUrl),
+          frame_type: frameType,
+        });
+
+        showToast(`QR Code "${title}" created successfully!`, 'success');
+
+        // Wait a moment so user sees the toast, then redirect
+        setTimeout(() => {
+          const redirectTarget = sanitizeRedirectPath(searchParams.get('redirect'));
+          if (searchParams.get('onboarding') === '1') {
+            router.push(appendRedirectParam('/onboarding', redirectTarget, { step: '8' }));
+          } else {
+            router.push('/dashboard');
+          }
+          router.refresh();
+        }, 1000);
+      } else {
+        console.error('Error creating QR code:', responseData);
+
+        if (response.status === 403 && responseData.error === 'Limit reached') {
+          showToast(responseData.message || 'You have reached your plan limit.', 'error');
+          router.push('/pricing?reason=limit_reached');
+          return;
+        }
+
+        showToast(responseData.error || 'Error creating QR code', 'error');
+      }
    } catch (error) {
      console.error('Error creating QR code:', error);
      showToast('Error creating QR code. Please try again.', 'error');
@@ -1180,4 +1258,4 @@ export default function CreatePage() {
      </form>
    </div>
  );
-}
+}
--- a/src/app/(main)/(app)/dashboard/page.tsx
+++ b/src/app/(main)/(app)/dashboard/page.tsx
@@ -7,12 +7,15 @@ import { StatsGrid } from '@/components/dashboard/StatsGrid';
 import { QRCodeCard } from '@/components/dashboard/QRCodeCard';
 import { Card, CardHeader, CardTitle, CardContent } from '@/components/ui/Card';
 import { Button } from '@/components/ui/Button';
-import { Badge } from '@/components/ui/Badge';
-import { useTranslation } from '@/hooks/useTranslation';
-import { useCsrf } from '@/hooks/useCsrf';
-import { showToast } from '@/components/ui/Toast';
-import { Dialog, DialogContent, DialogHeader, DialogTitle, DialogDescription, DialogFooter } from '@/components/ui/Dialog';
-import { QrCode } from 'lucide-react';
+import { Badge } from '@/components/ui/Badge';
+import { useTranslation } from '@/hooks/useTranslation';
+import { useCsrf } from '@/hooks/useCsrf';
+import { showToast } from '@/components/ui/Toast';
+import { Dialog, DialogContent, DialogHeader, DialogTitle, DialogDescription, DialogFooter } from '@/components/ui/Dialog';
+import { QrCode } from 'lucide-react';
+import { trackEvent, identifyUser } from '@/components/PostHogProvider';
+import { FREE_DYNAMIC_QR_LIMIT } from '@/lib/plans';
+import { OnboardingChecklist } from '@/components/dashboard/OnboardingChecklist';

 interface QRCodeData {
  id: string;
@@ -44,7 +47,8 @@ export default function DashboardPage() {
    conversionRate: 0,
    uniqueScans: 0,
  });
-  const [analyticsData, setAnalyticsData] = useState<any>(null);
+  const [analyticsData, setAnalyticsData] = useState<any>(null);
+  const [onboardingState, setOnboardingState] = useState<any>(null);


  const blogPosts = [
@@ -117,12 +121,11 @@ export default function DashboardPage() {
          // Store in localStorage for consistency
          localStorage.setItem('user', JSON.stringify(user));

-          const { identifyUser, trackEvent } = await import('@/components/PostHogProvider');
-          identifyUser(user.id, {
-            email: user.email,
-            name: user.name,
-            plan: user.plan || 'FREE',
-            provider: 'google',
+          identifyUser(user.id, {
+            email: user.email,
+            name: user.name,
+            plan: user.plan || 'FREE',
+            provider: 'google',
          });

          trackEvent(isNewUser ? 'user_signup' : 'user_login', {
@@ -143,25 +146,35 @@ export default function DashboardPage() {
  }, [searchParams, router]);

  // Check for successful payment and verify session
-  useEffect(() => {
-    const success = searchParams.get('success');
-    if (success === 'true') {
-      const verifySession = async () => {
-        try {
-          const response = await fetch('/api/stripe/verify-session', {
-            method: 'POST',
-          });
-
-          if (response.ok) {
-            const data = await response.json();
-            setUserPlan(data.plan);
-            setUpgradedPlan(data.plan);
-            setShowUpgradeDialog(true);
-            // Remove success parameter from URL
-            router.replace('/dashboard');
-          } else {
-            console.error('Failed to verify session:', await response.text());
-          }
+  useEffect(() => {
+    const success = searchParams.get('success');
+    const sessionId = searchParams.get('session_id');
+
+    if (success === 'true' && sessionId) {
+      const verifySession = async () => {
+        try {
+          const response = await fetch('/api/stripe/verify-session', {
+            method: 'POST',
+            headers: {
+              'Content-Type': 'application/json',
+            },
+            body: JSON.stringify({ sessionId }),
+          });
+
+          if (response.ok) {
+            const data = await response.json();
+            setUserPlan(data.plan);
+            setUpgradedPlan(data.plan);
+            setShowUpgradeDialog(true);
+            trackEvent('upgrade_completed', {
+              plan: data.plan,
+              source: 'stripe_checkout',
+            });
+            // Remove success parameter from URL
+            router.replace('/dashboard');
+          } else {
+            console.error('Failed to verify session:', await response.text());
+          }
        } catch (error) {
          console.error('Error verifying session:', error);
        }
@@ -212,13 +225,19 @@ export default function DashboardPage() {
          setUserPlan(userData.plan || 'FREE');
        }

-        // Fetch analytics data for trends (last 30 days = month comparison)
-        const analyticsResponse = await fetch('/api/analytics/summary?range=30');
-        if (analyticsResponse.ok) {
-          const analytics = await analyticsResponse.json();
-          setAnalyticsData(analytics);
-        }
-      } catch (error) {
+        // Fetch analytics data for trends (last 30 days = month comparison)
+        const analyticsResponse = await fetch('/api/analytics/summary?range=30');
+        if (analyticsResponse.ok) {
+          const analytics = await analyticsResponse.json();
+          setAnalyticsData(analytics);
+        }
+
+        const onboardingResponse = await fetch('/api/onboarding');
+        if (onboardingResponse.ok) {
+          const onboardingData = await onboardingResponse.json();
+          setOnboardingState(onboardingData);
+        }
+      } catch (error) {
        console.error('Error fetching data:', error);
        setQrCodes([]);
        setStats({
@@ -341,9 +360,11 @@ export default function DashboardPage() {
        </div>
      </div>

-      {/* Stats Grid */}
-      <StatsGrid
-        stats={stats}
+      {/* Stats Grid */}
+      <OnboardingChecklist state={onboardingState} />
+
+      <StatsGrid
+        stats={stats}
        trends={{
          totalScans: analyticsData?.summary.scansTrend,
          comparisonPeriod: analyticsData?.summary.comparisonPeriod || 'month'
@@ -393,8 +414,8 @@ export default function DashboardPage() {
            <QrCode className="w-12 h-12 text-gray-300 mx-auto mb-4" />
            <h3 className="text-lg font-semibold text-gray-700 mb-2">Create your first QR code</h3>
            <p className="text-gray-500 mb-6 max-w-sm mx-auto">
-              You have 3 free dynamic QR codes. They redirect wherever you want and track every scan.
-            </p>
+              You have {FREE_DYNAMIC_QR_LIMIT} free dynamic QR codes. They redirect wherever you want and track every scan.
+            </p>
            <Link href="/create">
              <Button>Create QR Code — it takes 90 seconds</Button>
            </Link>
@@ -521,4 +542,4 @@ export default function DashboardPage() {
      </Dialog>
    </div>
  );
-}
+}
--- a/src/app/(main)/(auth)/login/LoginClient.tsx
+++ b/src/app/(main)/(auth)/login/LoginClient.tsx
@@ -5,9 +5,10 @@ import { useRouter, useSearchParams } from 'next/navigation';
 import Link from 'next/link';
 import { Card, CardContent } from '@/components/ui/Card';
 import { Input } from '@/components/ui/Input';
-import { Button } from '@/components/ui/Button';
-import { useTranslation } from '@/hooks/useTranslation';
-import { useCsrf } from '@/hooks/useCsrf';
+import { Button } from '@/components/ui/Button';
+import { useTranslation } from '@/hooks/useTranslation';
+import { useCsrf } from '@/hooks/useCsrf';
+import { appendRedirectParam, sanitizeRedirectPath } from '@/lib/auth-flow';

 type LoginClientProps = {
    showPageHeading?: boolean;
@@ -20,9 +21,10 @@ export default function LoginClient({ showPageHeading = true }: LoginClientProps
    const { fetchWithCsrf, loading: csrfLoading } = useCsrf();
    const [email, setEmail] = useState('');
    const [password, setPassword] = useState('');
-    const [loading, setLoading] = useState(false);
-    const [error, setError] = useState('');
-    const [showPassword, setShowPassword] = useState(false);
+    const [loading, setLoading] = useState(false);
+    const [error, setError] = useState('');
+    const [showPassword, setShowPassword] = useState(false);
+    const redirectTarget = sanitizeRedirectPath(searchParams.get('redirect'));

    const handleSubmit = async (e: React.FormEvent) => {
        e.preventDefault();
@@ -57,10 +59,12 @@ export default function LoginClient({ showPageHeading = true }: LoginClientProps
                    console.error('PostHog tracking error:', error);
                }

-                // Check for redirect parameter
-                const redirectUrl = searchParams.get('redirect') || '/dashboard';
-                router.push(redirectUrl);
-                router.refresh();
+                // Check for redirect parameter
+                const redirectUrl = data.needsOnboarding
+                    ? appendRedirectParam('/onboarding', redirectTarget)
+                    : (redirectTarget || '/dashboard');
+                router.push(redirectUrl);
+                router.refresh();
            } else {
                setError(data.error || 'Invalid email or password');
            }
@@ -71,10 +75,10 @@ export default function LoginClient({ showPageHeading = true }: LoginClientProps
        }
    };

-    const handleGoogleSignIn = () => {
-        // Redirect to Google OAuth API route
-        window.location.href = '/api/auth/google';
-    };
+    const handleGoogleSignIn = () => {
+        // Redirect to Google OAuth API route
+        window.location.href = appendRedirectParam('/api/auth/google', redirectTarget);
+    };

    return (
        <div className="min-h-screen bg-gradient-to-br from-primary-50 to-white flex items-center justify-center p-4">
@@ -199,9 +203,9 @@ export default function LoginClient({ showPageHeading = true }: LoginClientProps
                        <div className="mt-6 text-center">
                            <p className="text-sm text-gray-600">
                                Don't have an account?{' '}
-                                <Link href="/signup" className="text-primary-600 hover:text-primary-700 font-medium">
-                                    Sign up
-                                </Link>
+                                <Link href={appendRedirectParam('/signup', redirectTarget)} className="text-primary-600 hover:text-primary-700 font-medium">
+                                    Sign up
+                                </Link>
                            </p>
                        </div>
                    </CardContent>
--- a/src/app/(main)/(auth)/signup/SignupClient.tsx
+++ b/src/app/(main)/(auth)/signup/SignupClient.tsx
@@ -1,26 +1,29 @@
 'use client';

-import React, { useState } from 'react';
-import { useRouter } from 'next/navigation';
-import Link from 'next/link';
-import { Card, CardHeader, CardTitle, CardContent } from '@/components/ui/Card';
-import { Input } from '@/components/ui/Input';
-import { Button } from '@/components/ui/Button';
-import { useTranslation } from '@/hooks/useTranslation';
-import { useCsrf } from '@/hooks/useCsrf';
-
-export default function SignupClient() {
-    const router = useRouter();
-    const { t } = useTranslation();
-    const { fetchWithCsrf } = useCsrf();
+import React, { useState } from 'react';
+import { useRouter, useSearchParams } from 'next/navigation';
+import Link from 'next/link';
+import { Card, CardHeader, CardTitle, CardContent } from '@/components/ui/Card';
+import { Input } from '@/components/ui/Input';
+import { Button } from '@/components/ui/Button';
+import { useTranslation } from '@/hooks/useTranslation';
+import { useCsrf } from '@/hooks/useCsrf';
+import { appendRedirectParam, sanitizeRedirectPath } from '@/lib/auth-flow';
+
+export default function SignupClient() {
+    const router = useRouter();
+    const searchParams = useSearchParams();
+    const { t } = useTranslation();
+    const { fetchWithCsrf } = useCsrf();
    const [name, setName] = useState('');
    const [email, setEmail] = useState('');
    const [password, setPassword] = useState('');
    const [confirmPassword, setConfirmPassword] = useState('');
    const [loading, setLoading] = useState(false);
-    const [error, setError] = useState('');
-    const [showPassword, setShowPassword] = useState(false);
-    const [showConfirmPassword, setShowConfirmPassword] = useState(false);
+    const [error, setError] = useState('');
+    const [showPassword, setShowPassword] = useState(false);
+    const [showConfirmPassword, setShowConfirmPassword] = useState(false);
+    const redirectTarget = sanitizeRedirectPath(searchParams.get('redirect'));

    const handleSubmit = async (e: React.FormEvent) => {
        e.preventDefault();
@@ -68,9 +71,9 @@ export default function SignupClient() {
                    console.error('PostHog tracking error:', error);
                }

-                // Redirect to dashboard
-                router.push('/dashboard');
-                router.refresh();
+                // Redirect to onboarding
+                router.push(appendRedirectParam('/onboarding', redirectTarget));
+                router.refresh();
            } else {
                setError(data.error || 'Failed to create account');
            }
@@ -81,10 +84,10 @@ export default function SignupClient() {
        }
    };

-    const handleGoogleSignIn = () => {
-        // Redirect to Google OAuth API route
-        window.location.href = '/api/auth/google';
-    };
+    const handleGoogleSignIn = () => {
+        // Redirect to Google OAuth API route
+        window.location.href = appendRedirectParam('/api/auth/google', redirectTarget);
+    };

    return (
        <div className="min-h-screen bg-gradient-to-br from-primary-50 to-white flex items-center justify-center p-4">
@@ -234,11 +237,11 @@ export default function SignupClient() {
                        </form>

                        <div className="mt-6 text-center">
-                            <p className="text-sm text-gray-600">
-                                Already have an account?{' '}
-                                <Link href="/login" className="text-primary-600 hover:text-primary-700 font-medium">
-                                    Sign in
-                                </Link>
+                            <p className="text-sm text-gray-600">
+                                Already have an account?{' '}
+                                <Link href={appendRedirectParam('/login', redirectTarget)} className="text-primary-600 hover:text-primary-700 font-medium">
+                                    Sign in
+                                </Link>
                            </p>
                        </div>
                    </CardContent>
--- a/src/app/(main)/(marketing)/newsletter/NewsletterClient.tsx
+++ b/src/app/(main)/(marketing)/newsletter/NewsletterClient.tsx
--- a/src/app/(main)/(marketing)/pricing/PricingClient.tsx
+++ b/src/app/(main)/(marketing)/pricing/PricingClient.tsx
@@ -8,6 +8,8 @@ import { showToast } from '@/components/ui/Toast';
 import { useRouter } from 'next/navigation';
 import { BillingToggle } from '@/components/ui/BillingToggle';
 import { ObfuscatedMailto } from '@/components/ui/ObfuscatedMailto';
+import { trackEvent } from '@/components/PostHogProvider';
+import { FREE_DYNAMIC_QR_LIMIT } from '@/lib/plans';

 export default function PricingPage() {
  const router = useRouter();
@@ -40,6 +42,13 @@ export default function PricingPage() {
    setLoading(plan);

    try {
+      trackEvent('upgrade_clicked', {
+        plan,
+        billing_interval: billingPeriod,
+        source: 'pricing_page',
+        current_plan: currentPlan,
+      });
+
      const response = await fetch('/api/stripe/create-checkout-session', {
        method: 'POST',
        headers: {
@@ -52,14 +61,15 @@ export default function PricingPage() {
      });

      if (!response.ok) {
-        throw new Error('Failed to create checkout session');
+        const errorData = await response.json().catch(() => null);
+        throw new Error(errorData?.error || 'Failed to create checkout session');
      }

      const { url } = await response.json();
      window.location.href = url;
-    } catch (error) {
+    } catch (error: any) {
      console.error('Error creating checkout session:', error);
-      showToast('Failed to start checkout. Please try again.', 'error');
+      showToast(error?.message || 'Failed to start checkout. Please try again.', 'error');
      setLoading(null);
    }
  };
@@ -132,7 +142,7 @@ export default function PricingPage() {
      period: 'forever',
      showDiscount: false,
      features: [
-        '3 active dynamic QR codes (8 types available)',
+        `${FREE_DYNAMIC_QR_LIMIT} active dynamic QR codes (8 types available)`,
        'Unlimited static QR codes',
        'Basic scan tracking',
        'Standard QR design templates',
--- a/src/app/(main)/api/admin/revops/route.ts
+++ b/src/app/(main)/api/admin/revops/route.ts
@@ -0,0 +1,430 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { cookies } from 'next/headers';
+import {
+  getGoalLabel,
+  getLifecycleStageLabel,
+  getRoleLabel,
+  getSourceLabel,
+  getTeamSizeLabel,
+  getUseCaseLabel,
+} from '@/lib/revops';
+import { db } from '@/lib/db';
+import { getMetricSnapshot, getUpgradeCandidateBadges } from '@/lib/revops-server';
+
+export const dynamic = 'force-dynamic';
+
+type HydratedUser = {
+  id: string;
+  name: string | null;
+  email: string;
+  emailDomain: string | null;
+  plan: string;
+  lifecycleStage: string;
+  fitScore: number;
+  intentScore: number;
+  leadScore: number;
+  signupSource: string | null;
+  signupSourceSelfReported: string | null;
+  signupCampaign: string | null;
+  signupLandingPath: string | null;
+  primaryUseCase: string | null;
+  primaryGoal: string | null;
+  jobRole: string | null;
+  companyName: string | null;
+  companyWebsite: string | null;
+  teamSizeBucket: string | null;
+  createdAt: string;
+  firstQrCreatedAt: string | null;
+  activationAt: string | null;
+  firstDynamicQrAt: string | null;
+  qrCount: number;
+  dynamicQrCount: number;
+  scanCount: number;
+  contentTypeCount: number;
+  upgradeBadges: string[];
+};
+
+function hasAdminSession() {
+  const adminCookie = cookies().get('newsletter-admin');
+  return adminCookie?.value === 'authenticated';
+}
+
+function toIso(value: Date | null) {
+  return value ? value.toISOString() : null;
+}
+
+function safeDate(value: string | null) {
+  if (!value) return null;
+  const parsed = new Date(value);
+  return Number.isNaN(parsed.getTime()) ? null : parsed;
+}
+
+function applyUserFilters(users: HydratedUser[], request: NextRequest) {
+  const stage = request.nextUrl.searchParams.get('stage');
+  const source = request.nextUrl.searchParams.get('source');
+  const campaign = request.nextUrl.searchParams.get('campaign');
+  const landingPath = request.nextUrl.searchParams.get('landingPath');
+  const useCase = request.nextUrl.searchParams.get('useCase');
+  const goal = request.nextUrl.searchParams.get('goal');
+  const role = request.nextUrl.searchParams.get('role');
+  const teamSize = request.nextUrl.searchParams.get('teamSize');
+  const plan = request.nextUrl.searchParams.get('plan');
+  const search = request.nextUrl.searchParams.get('search')?.toLowerCase().trim();
+  const from = safeDate(request.nextUrl.searchParams.get('from'));
+  const to = safeDate(request.nextUrl.searchParams.get('to'));
+
+  return users.filter((user) => {
+    const createdAt = new Date(user.createdAt);
+    const matchesSearch = !search || [
+      user.name,
+      user.email,
+      user.companyName,
+      user.emailDomain,
+    ].filter(Boolean).some((value) => value!.toLowerCase().includes(search));
+
+    return (
+      (!stage || user.lifecycleStage === stage) &&
+      (!source || user.signupSource === source) &&
+      (!campaign || user.signupCampaign === campaign) &&
+      (!landingPath || user.signupLandingPath === landingPath) &&
+      (!useCase || user.primaryUseCase === useCase) &&
+      (!goal || user.primaryGoal === goal) &&
+      (!role || user.jobRole === role) &&
+      (!teamSize || user.teamSizeBucket === teamSize) &&
+      (!plan || user.plan === plan) &&
+      (!from || createdAt >= from) &&
+      (!to || createdAt <= to) &&
+      matchesSearch
+    );
+  });
+}
+
+function sortUsers(users: HydratedUser[], sort: string) {
+  const sorted = [...users];
+
+  sorted.sort((a, b) => {
+    switch (sort) {
+      case 'createdAt_asc':
+        return new Date(a.createdAt).getTime() - new Date(b.createdAt).getTime();
+      case 'activationAt_desc':
+        return new Date(b.activationAt || 0).getTime() - new Date(a.activationAt || 0).getTime();
+      case 'leadScore_asc':
+        return a.leadScore - b.leadScore;
+      case 'fitScore_desc':
+        return b.fitScore - a.fitScore;
+      case 'intentScore_desc':
+        return b.intentScore - a.intentScore;
+      case 'leadScore_desc':
+      default:
+        return b.leadScore - a.leadScore || new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime();
+    }
+  });
+
+  return sorted;
+}
+
+function buildGroupedRows(users: HydratedUser[], key: keyof HydratedUser) {
+  const rows = new Map<string, {
+    key: string;
+    signups: number;
+    firstQr: number;
+    activated: number;
+    hot: number;
+    upgradeCandidates: number;
+    paid: number;
+  }>();
+
+  users.forEach((user) => {
+    const rawValue = (user[key] as string | null) || 'unknown';
+    const row = rows.get(rawValue) || {
+      key: rawValue,
+      signups: 0,
+      firstQr: 0,
+      activated: 0,
+      hot: 0,
+      upgradeCandidates: 0,
+      paid: 0,
+    };
+
+    row.signups += 1;
+    if (user.firstQrCreatedAt) row.firstQr += 1;
+    if (user.activationAt) row.activated += 1;
+    if (user.lifecycleStage === 'hot') row.hot += 1;
+    if (user.lifecycleStage === 'upgrade_candidate') row.upgradeCandidates += 1;
+    if (user.lifecycleStage === 'paid') row.paid += 1;
+
+    rows.set(rawValue, row);
+  });
+
+  return Array.from(rows.values()).sort((a, b) => b.signups - a.signups);
+}
+
+function buildFunnel(users: HydratedUser[]) {
+  return {
+    signup: users.length,
+    sourceConfirmed: users.filter((user) => Boolean(user.signupSourceSelfReported)).length,
+    useCaseSelected: users.filter((user) => Boolean(user.primaryUseCase)).length,
+    goalSelected: users.filter((user) => Boolean(user.primaryGoal)).length,
+    profileCaptured: users.filter((user) => Boolean(user.jobRole && user.teamSizeBucket)).length,
+    firstQrCreated: users.filter((user) => Boolean(user.firstQrCreatedAt)).length,
+    firstDynamicQrCreated: users.filter((user) => Boolean(user.firstDynamicQrAt)).length,
+    activated: users.filter((user) => Boolean(user.activationAt)).length,
+  };
+}
+
+function buildLifecycleSummary(users: HydratedUser[]) {
+  return {
+    cold: users.filter((user) => user.lifecycleStage === 'cold').length,
+    activated: users.filter((user) => user.lifecycleStage === 'activated').length,
+    warm: users.filter((user) => user.lifecycleStage === 'warm').length,
+    hot: users.filter((user) => user.lifecycleStage === 'hot').length,
+    upgrade_candidate: users.filter((user) => user.lifecycleStage === 'upgrade_candidate').length,
+    paid: users.filter((user) => user.lifecycleStage === 'paid').length,
+  };
+}
+
+function buildCsv(rows: HydratedUser[]) {
+  const headers = [
+    'name',
+    'email',
+    'email_domain',
+    'plan',
+    'lifecycle_stage',
+    'fit_score',
+    'intent_score',
+    'lead_score',
+    'source',
+    'self_reported_source',
+    'campaign',
+    'landing_page',
+    'use_case',
+    'goal',
+    'role',
+    'company',
+    'team_size',
+    'created_at',
+    'first_qr_created_at',
+    'activation_at',
+    'qr_count',
+    'dynamic_qr_count',
+    'scan_count',
+  ];
+
+  const escape = (value: string | number | null) => {
+    const normalized = value == null ? '' : String(value);
+    return `"${normalized.replace(/"/g, '""')}"`;
+  };
+
+  const lines = rows.map((row) => [
+    row.name,
+    row.email,
+    row.emailDomain,
+    row.plan,
+    row.lifecycleStage,
+    row.fitScore,
+    row.intentScore,
+    row.leadScore,
+    row.signupSource,
+    row.signupSourceSelfReported,
+    row.signupCampaign,
+    row.signupLandingPath,
+    row.primaryUseCase,
+    row.primaryGoal,
+    row.jobRole,
+    row.companyName,
+    row.teamSizeBucket,
+    row.createdAt,
+    row.firstQrCreatedAt,
+    row.activationAt,
+    row.qrCount,
+    row.dynamicQrCount,
+    row.scanCount,
+  ].map(escape).join(','));
+
+  return [headers.join(','), ...lines].join('\n');
+}
+
+export async function GET(request: NextRequest) {
+  try {
+    if (!hasAdminSession()) {
+      return NextResponse.json({ error: 'Unauthorized - Admin login required' }, { status: 401 });
+    }
+
+    const rawUsers = await db.user.findMany({
+      select: {
+        id: true,
+        name: true,
+        email: true,
+        emailDomain: true,
+        plan: true,
+        lifecycleStage: true,
+        fitScore: true,
+        intentScore: true,
+        leadScore: true,
+        signupSource: true,
+        signupSourceSelfReported: true,
+        signupCampaign: true,
+        signupLandingPath: true,
+        primaryUseCase: true,
+        primaryGoal: true,
+        jobRole: true,
+        companyName: true,
+        companyWebsite: true,
+        teamSizeBucket: true,
+        createdAt: true,
+        firstQrCreatedAt: true,
+        firstDynamicQrAt: true,
+        activationAt: true,
+        qrCodes: {
+          select: {
+            type: true,
+            contentType: true,
+            createdAt: true,
+            _count: {
+              select: {
+                scans: true,
+              },
+            },
+          },
+        },
+      },
+      orderBy: {
+        createdAt: 'desc',
+      },
+    });
+
+    const users: HydratedUser[] = rawUsers.map((user) => {
+      const metrics = getMetricSnapshot(user.qrCodes);
+
+      return {
+        id: user.id,
+        name: user.name,
+        email: user.email,
+        emailDomain: user.emailDomain,
+        plan: user.plan,
+        lifecycleStage: user.lifecycleStage,
+        fitScore: user.fitScore,
+        intentScore: user.intentScore,
+        leadScore: user.leadScore,
+        signupSource: user.signupSource,
+        signupSourceSelfReported: user.signupSourceSelfReported,
+        signupCampaign: user.signupCampaign,
+        signupLandingPath: user.signupLandingPath,
+        primaryUseCase: user.primaryUseCase,
+        primaryGoal: user.primaryGoal,
+        jobRole: user.jobRole,
+        companyName: user.companyName,
+        companyWebsite: user.companyWebsite,
+        teamSizeBucket: user.teamSizeBucket,
+        createdAt: user.createdAt.toISOString(),
+        firstQrCreatedAt: toIso(user.firstQrCreatedAt),
+        activationAt: toIso(user.activationAt),
+        firstDynamicQrAt: toIso(user.firstDynamicQrAt),
+        qrCount: metrics.qrCount,
+        dynamicQrCount: metrics.dynamicQrCount,
+        scanCount: metrics.scanCount,
+        contentTypeCount: metrics.contentTypeCount,
+        upgradeBadges: getUpgradeCandidateBadges(user, metrics),
+      };
+    });
+
+    const filteredUsers = sortUsers(
+      applyUserFilters(users, request),
+      request.nextUrl.searchParams.get('sort') || 'leadScore_desc'
+    );
+
+    if (request.nextUrl.searchParams.get('format') === 'csv') {
+      const csv = buildCsv(filteredUsers);
+      return new NextResponse(csv, {
+        headers: {
+          'Content-Type': 'text/csv; charset=utf-8',
+          'Content-Disposition': 'attachment; filename="qrmaster-revops-export.csv"',
+        },
+      });
+    }
+
+    const page = Number(request.nextUrl.searchParams.get('page') || '1');
+    const pageSize = Number(request.nextUrl.searchParams.get('pageSize') || '25');
+    const total = filteredUsers.length;
+    const totalPages = Math.max(1, Math.ceil(total / pageSize));
+    const paginatedUsers = filteredUsers.slice((page - 1) * pageSize, page * pageSize);
+
+    const acquisitionBySource = buildGroupedRows(users, 'signupSource').map((row) => ({
+      ...row,
+      label: getSourceLabel(row.key),
+      activationRate: row.signups ? Math.round((row.activated / row.signups) * 100) : 0,
+    }));
+    const acquisitionByCampaign = buildGroupedRows(users, 'signupCampaign');
+    const acquisitionByLandingPath = buildGroupedRows(users, 'signupLandingPath');
+    const funnel = buildFunnel(users);
+    const lifecycleSummary = buildLifecycleSummary(users);
+
+    const mismatchCount = users.filter(
+      (user) =>
+        user.signupSource &&
+        user.signupSourceSelfReported &&
+        user.signupSource !== user.signupSourceSelfReported
+    ).length;
+
+    const upgradeCandidates = users
+      .filter((user) => user.plan === 'FREE' && user.lifecycleStage === 'upgrade_candidate')
+      .sort((a, b) => b.leadScore - a.leadScore)
+      .slice(0, 25);
+
+    const filterOptions = {
+      stages: ['cold', 'activated', 'warm', 'hot', 'upgrade_candidate', 'paid'],
+      sources: Array.from(new Set(users.map((user) => user.signupSource).filter((value): value is string => Boolean(value)))),
+      campaigns: Array.from(new Set(users.map((user) => user.signupCampaign).filter((value): value is string => Boolean(value)))),
+      landingPaths: Array.from(new Set(users.map((user) => user.signupLandingPath).filter((value): value is string => Boolean(value)))),
+      useCases: Array.from(new Set(users.map((user) => user.primaryUseCase).filter((value): value is string => Boolean(value)))),
+      goals: Array.from(new Set(users.map((user) => user.primaryGoal).filter((value): value is string => Boolean(value)))),
+      roles: Array.from(new Set(users.map((user) => user.jobRole).filter((value): value is string => Boolean(value)))),
+      teamSizes: Array.from(new Set(users.map((user) => user.teamSizeBucket).filter((value): value is string => Boolean(value)))),
+      plans: Array.from(new Set(users.map((user) => user.plan).filter((value): value is string => Boolean(value)))),
+    };
+
+    return NextResponse.json({
+      overview: {
+        totalUsers: users.length,
+        mismatchCount,
+        activatedUsers: funnel.activated,
+        paidUsers: lifecycleSummary.paid,
+      },
+      acquisition: {
+        bySource: acquisitionBySource,
+        byCampaign: acquisitionByCampaign.slice(0, 15),
+        byLandingPath: acquisitionByLandingPath.slice(0, 15),
+      },
+      funnel,
+      funnelBreakdowns: {
+        bySource: acquisitionBySource.slice(0, 10),
+        byUseCase: buildGroupedRows(users, 'primaryUseCase').map((row) => ({ ...row, label: getUseCaseLabel(row.key) })),
+        byRole: buildGroupedRows(users, 'jobRole').map((row) => ({ ...row, label: getRoleLabel(row.key) })),
+        byTeamSize: buildGroupedRows(users, 'teamSizeBucket').map((row) => ({ ...row, label: getTeamSizeLabel(row.key) })),
+      },
+      lifecycleSummary,
+      campaignSourceQuality: acquisitionBySource,
+      upgradeCandidates,
+      filterOptions,
+      segments: {
+        total,
+        page,
+        pageSize,
+        totalPages,
+        rows: paginatedUsers.map((user) => ({
+          ...user,
+          lifecycleStageLabel: getLifecycleStageLabel(user.lifecycleStage),
+          signupSourceLabel: getSourceLabel(user.signupSource),
+          signupSourceSelfReportedLabel: getSourceLabel(user.signupSourceSelfReported),
+          primaryUseCaseLabel: getUseCaseLabel(user.primaryUseCase),
+          primaryGoalLabel: getGoalLabel(user.primaryGoal),
+          jobRoleLabel: getRoleLabel(user.jobRole),
+          teamSizeLabel: getTeamSizeLabel(user.teamSizeBucket),
+        })),
+      },
+    });
+  } catch (error) {
+    console.error('Error fetching RevOps dashboard data:', error);
+    return NextResponse.json({ error: 'Failed to fetch RevOps dashboard data' }, { status: 500 });
+  }
+}
--- a/src/app/(main)/api/auth/google/route.ts
+++ b/src/app/(main)/api/auth/google/route.ts
@@ -1,14 +1,32 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { db } from '@/lib/db';
-import { cookies } from 'next/headers';
-import { getAuthCookieOptions } from '@/lib/cookieConfig';
-
-export async function GET(request: NextRequest) {
-  const { searchParams } = new URL(request.url);
-  const code = searchParams.get('code');
-
-  // If no code, redirect to Google OAuth
-  if (!code) {
+import { NextRequest, NextResponse } from 'next/server';
+import { db } from '@/lib/db';
+import { getAuthCookieOptions } from '@/lib/cookieConfig';
+import {
+  appendRedirectParam,
+  GOOGLE_OAUTH_STATE_COOKIE_NAME,
+  POST_AUTH_REDIRECT_COOKIE_NAME,
+  sanitizeRedirectPath,
+} from '@/lib/auth-flow';
+import {
+  ATTRIBUTION_COOKIE_NAME,
+  getEmailDomain,
+  parseAttributionCookie,
+  shouldResumeOnboarding,
+} from '@/lib/revops';
+import { triggerLifecycleScoring } from '@/lib/revops-server';
+
+const isProduction = process.env.NODE_ENV === 'production';
+
+export async function GET(request: NextRequest) {
+  const { searchParams } = new URL(request.url);
+  const code = searchParams.get('code');
+  const state = searchParams.get('state');
+  const firstTouch = parseAttributionCookie(request.cookies.get(ATTRIBUTION_COOKIE_NAME)?.value);
+  const savedOauthState = request.cookies.get(GOOGLE_OAUTH_STATE_COOKIE_NAME)?.value;
+  const savedRedirect = sanitizeRedirectPath(request.cookies.get(POST_AUTH_REDIRECT_COOKIE_NAME)?.value);
+
+  // If no code, redirect to Google OAuth
+  if (!code) {
    const googleClientId = process.env.GOOGLE_CLIENT_ID;

    if (!googleClientId) {
@@ -17,19 +35,56 @@ export async function GET(request: NextRequest) {
        { status: 500 }
      );
    }
-
-    const redirectUri = `${process.env.NEXT_PUBLIC_APP_URL}/api/auth/google`;
-    const scope = 'openid email profile';
-
-    const googleAuthUrl = `https://accounts.google.com/o/oauth2/v2/auth?client_id=${googleClientId}&redirect_uri=${redirectUri}&response_type=code&scope=${scope}`;
-
-    return NextResponse.redirect(googleAuthUrl);
-  }
-
-  // Handle callback with code
-  try {
-    const googleClientId = process.env.GOOGLE_CLIENT_ID;
-    const googleClientSecret = process.env.GOOGLE_CLIENT_SECRET;
+
+    const redirectUri = `${process.env.NEXT_PUBLIC_APP_URL}/api/auth/google`;
+    const scope = 'openid email profile';
+    const redirectTarget = sanitizeRedirectPath(searchParams.get('redirect'));
+    const oauthState = crypto.randomUUID();
+
+    const googleAuthUrl = new URL('https://accounts.google.com/o/oauth2/v2/auth');
+    googleAuthUrl.searchParams.set('client_id', googleClientId);
+    googleAuthUrl.searchParams.set('redirect_uri', redirectUri);
+    googleAuthUrl.searchParams.set('response_type', 'code');
+    googleAuthUrl.searchParams.set('scope', scope);
+    googleAuthUrl.searchParams.set('state', oauthState);
+
+    const response = NextResponse.redirect(googleAuthUrl);
+    response.cookies.set(GOOGLE_OAUTH_STATE_COOKIE_NAME, oauthState, {
+      httpOnly: true,
+      secure: isProduction,
+      sameSite: 'lax',
+      path: '/',
+      maxAge: 60 * 10,
+    });
+
+    if (redirectTarget) {
+      response.cookies.set(POST_AUTH_REDIRECT_COOKIE_NAME, redirectTarget, {
+        httpOnly: true,
+        secure: isProduction,
+        sameSite: 'lax',
+        path: '/',
+        maxAge: 60 * 10,
+      });
+    } else {
+      response.cookies.delete(POST_AUTH_REDIRECT_COOKIE_NAME);
+    }
+
+    return response;
+  }
+
+  // Handle callback with code
+  try {
+    if (!state || !savedOauthState || state !== savedOauthState) {
+      const invalidStateResponse = NextResponse.redirect(
+        `${process.env.NEXT_PUBLIC_APP_URL}/login?error=google-state-invalid`
+      );
+      invalidStateResponse.cookies.delete(GOOGLE_OAUTH_STATE_COOKIE_NAME);
+      invalidStateResponse.cookies.delete(POST_AUTH_REDIRECT_COOKIE_NAME);
+      return invalidStateResponse;
+    }
+
+    const googleClientId = process.env.GOOGLE_CLIENT_ID;
+    const googleClientSecret = process.env.GOOGLE_CLIENT_SECRET;

    if (!googleClientId || !googleClientSecret) {
      return NextResponse.json(
@@ -50,9 +105,9 @@ export async function GET(request: NextRequest) {
        code,
        client_id: googleClientId,
        client_secret: googleClientSecret,
-        redirect_uri: redirectUri,
-        grant_type: 'authorization_code',
-      }),
+        redirect_uri: redirectUri,
+        grant_type: 'authorization_code',
+      }),
    });

    if (!tokenResponse.ok) {
@@ -82,16 +137,27 @@ export async function GET(request: NextRequest) {
    const isNewUser = !user;

    // Create user if they don't exist
-    if (!user) {
-      user = await db.user.create({
-        data: {
-          email: userInfo.email,
-          name: userInfo.name || userInfo.email.split('@')[0],
-          image: userInfo.picture,
-          emailVerified: new Date(), // Google already verified the email
-          password: null, // OAuth users don't need a password
-        },
-      });
+    if (!user) {
+      const onboardingStartedAt = new Date();
+      user = await db.user.create({
+        data: {
+          email: userInfo.email,
+          name: userInfo.name || userInfo.email.split('@')[0],
+          image: userInfo.picture,
+          emailVerified: new Date(), // Google already verified the email
+          password: null, // OAuth users don't need a password
+          onboardingStartedAt,
+          emailDomain: getEmailDomain(userInfo.email),
+          signupSource: firstTouch?.signupSource || null,
+          signupMedium: firstTouch?.signupMedium || null,
+          signupCampaign: firstTouch?.signupCampaign || null,
+          signupContent: firstTouch?.signupContent || null,
+          signupTerm: firstTouch?.signupTerm || null,
+          signupReferrer: firstTouch?.signupReferrer || null,
+          signupLandingPath: firstTouch?.signupLandingPath || '/signup',
+          signupFirstSeenAt: firstTouch?.signupFirstSeenAt ? new Date(firstTouch.signupFirstSeenAt) : onboardingStartedAt,
+        },
+      });

      // Create Account entry for the OAuth provider
      await db.account.create({
@@ -144,22 +210,35 @@ export async function GET(request: NextRequest) {
            id_token: tokens.id_token,
          },
        });
-      }
-    }
-
-    // Set authentication cookie
-    cookies().set('userId', user.id, getAuthCookieOptions());
-
-    // Redirect to dashboard with tracking params
-    const redirectUrl = new URL(`${process.env.NEXT_PUBLIC_APP_URL}/dashboard`);
-    redirectUrl.searchParams.set('authMethod', 'google');
-    redirectUrl.searchParams.set('isNewUser', isNewUser.toString());
-
-    return NextResponse.redirect(redirectUrl.toString());
-  } catch (error) {
-    console.error('Google OAuth error:', error);
-    return NextResponse.redirect(
-      `${process.env.NEXT_PUBLIC_APP_URL}/login?error=google-signin-failed`
-    );
-  }
-}
+      }
+    }
+
+    triggerLifecycleScoring(user.id, isNewUser ? 'signup' : 'subscription_changed');
+
+    const onboardingTarget = isNewUser || shouldResumeOnboarding(user)
+      ? appendRedirectParam('/onboarding', savedRedirect, {
+          authMethod: 'google',
+          isNewUser: isNewUser.toString(),
+        })
+      : (savedRedirect || appendRedirectParam('/dashboard', null, {
+          authMethod: 'google',
+          isNewUser: isNewUser.toString(),
+        }));
+    const redirectUrl = new URL(`${process.env.NEXT_PUBLIC_APP_URL}${onboardingTarget}`);
+
+    const response = NextResponse.redirect(redirectUrl.toString());
+    response.cookies.set('userId', user.id, getAuthCookieOptions());
+    response.cookies.delete(GOOGLE_OAUTH_STATE_COOKIE_NAME);
+    response.cookies.delete(POST_AUTH_REDIRECT_COOKIE_NAME);
+    response.cookies.delete(ATTRIBUTION_COOKIE_NAME);
+    return response;
+  } catch (error) {
+    console.error('Google OAuth error:', error);
+    const errorResponse = NextResponse.redirect(
+      `${process.env.NEXT_PUBLIC_APP_URL}/login?error=google-signin-failed`
+    );
+    errorResponse.cookies.delete(GOOGLE_OAUTH_STATE_COOKIE_NAME);
+    errorResponse.cookies.delete(POST_AUTH_REDIRECT_COOKIE_NAME);
+    return errorResponse;
+  }
+}
--- a/src/app/(main)/api/auth/logout/route.ts
+++ b/src/app/(main)/api/auth/logout/route.ts
@@ -0,0 +1,30 @@
+import { NextResponse } from 'next/server';
+import { ATTRIBUTION_COOKIE_NAME } from '@/lib/revops';
+
+export async function POST() {
+  const response = NextResponse.json({ success: true });
+
+  response.cookies.set('userId', '', {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 0,
+  });
+  response.cookies.set('newsletter-admin', '', {
+    httpOnly: true,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 0,
+  });
+  response.cookies.set(ATTRIBUTION_COOKIE_NAME, '', {
+    httpOnly: false,
+    secure: process.env.NODE_ENV === 'production',
+    sameSite: 'lax',
+    path: '/',
+    maxAge: 0,
+  });
+
+  return response;
+}
--- a/src/app/(main)/api/auth/signup/route.ts
+++ b/src/app/(main)/api/auth/signup/route.ts
@@ -1,14 +1,19 @@
-import { NextRequest, NextResponse } from 'next/server';
-import bcrypt from 'bcryptjs';
-import { cookies } from 'next/headers';
-import { db } from '@/lib/db';
+import { NextRequest, NextResponse } from 'next/server';
+import bcrypt from 'bcryptjs';
+import { db } from '@/lib/db';
 import { z } from 'zod';
 import { csrfProtection } from '@/lib/csrf';
 import { rateLimit, getClientIdentifier, RateLimits } from '@/lib/rateLimit';
-import { getAuthCookieOptions } from '@/lib/cookieConfig';
-import { signupSchema, validateRequest } from '@/lib/validationSchemas';
-import { sendWelcomeEmail } from '@/lib/email';
-import { sendConversionEvent } from '@/lib/meta';
+import { getAuthCookieOptions } from '@/lib/cookieConfig';
+import { signupSchema, validateRequest } from '@/lib/validationSchemas';
+import { sendWelcomeEmail } from '@/lib/email';
+import { sendConversionEvent } from '@/lib/meta';
+import {
+  ATTRIBUTION_COOKIE_NAME,
+  getEmailDomain,
+  parseAttributionCookie,
+} from '@/lib/revops';
+import { triggerLifecycleScoring } from '@/lib/revops-server';

 export async function POST(request: NextRequest) {
  try {
@@ -67,14 +72,29 @@ export async function POST(request: NextRequest) {
    // Hash password
    const hashedPassword = await bcrypt.hash(password, 12);

-    // Create user
-    const user = await db.user.create({
-      data: {
-        name,
-        email,
-        password: hashedPassword,
-      },
-    });
+    const firstTouch = parseAttributionCookie(request.cookies.get(ATTRIBUTION_COOKIE_NAME)?.value);
+    const onboardingStartedAt = new Date();
+
+    // Create user
+    const user = await db.user.create({
+      data: {
+        name,
+        email,
+        password: hashedPassword,
+        onboardingStartedAt,
+        emailDomain: getEmailDomain(email),
+        signupSource: firstTouch?.signupSource || null,
+        signupMedium: firstTouch?.signupMedium || null,
+        signupCampaign: firstTouch?.signupCampaign || null,
+        signupContent: firstTouch?.signupContent || null,
+        signupTerm: firstTouch?.signupTerm || null,
+        signupReferrer: firstTouch?.signupReferrer || null,
+        signupLandingPath: firstTouch?.signupLandingPath || '/signup',
+        signupFirstSeenAt: firstTouch?.signupFirstSeenAt ? new Date(firstTouch.signupFirstSeenAt) : onboardingStartedAt,
+      },
+    });
+
+    triggerLifecycleScoring(user.id, 'signup');

    // Send welcome email (fire-and-forget — never block signup)
    try {
@@ -97,20 +117,22 @@ export async function POST(request: NextRequest) {
    }).catch(console.error);

    // Create response
-    const response = NextResponse.json({
-      success: true,
-      user: {
-        id: user.id,
-        name: user.name,
-        email: user.email,
-        plan: 'FREE',
+    const response = NextResponse.json({
+      success: true,
+      needsOnboarding: true,
+      user: {
+        id: user.id,
+        name: user.name,
+        email: user.email,
+        plan: 'FREE',
      },
    });
-
-    // Set cookie for auto-login after signup
-    response.cookies.set('userId', user.id, getAuthCookieOptions());
-
-    return response;
+
+    // Set cookie for auto-login after signup
+    response.cookies.set('userId', user.id, getAuthCookieOptions());
+    response.cookies.delete(ATTRIBUTION_COOKIE_NAME);
+
+    return response;
  } catch (error) {
    if (error instanceof z.ZodError) {
      return NextResponse.json(
@@ -125,4 +147,4 @@ export async function POST(request: NextRequest) {
      { status: 500 }
    );
  }
-}
+}
--- a/src/app/(main)/api/auth/simple-login/route.ts
+++ b/src/app/(main)/api/auth/simple-login/route.ts
@@ -2,10 +2,11 @@ import { NextRequest, NextResponse } from 'next/server';
 import { db } from '@/lib/db';
 import bcrypt from 'bcryptjs';
 import { cookies } from 'next/headers';
-import { csrfProtection } from '@/lib/csrf';
-import { rateLimit, getClientIdentifier, RateLimits } from '@/lib/rateLimit';
-import { getAuthCookieOptions } from '@/lib/cookieConfig';
-import { loginSchema, validateRequest } from '@/lib/validationSchemas';
+import { csrfProtection } from '@/lib/csrf';
+import { rateLimit, getClientIdentifier, RateLimits } from '@/lib/rateLimit';
+import { getAuthCookieOptions } from '@/lib/cookieConfig';
+import { loginSchema, validateRequest } from '@/lib/validationSchemas';
+import { shouldResumeOnboarding } from '@/lib/revops';

 export async function POST(request: NextRequest) {
  try {
@@ -50,9 +51,18 @@ export async function POST(request: NextRequest) {
    const { email, password } = validation.data;

    // Find user
-    const user = await db.user.findUnique({
-      where: { email },
-    });
+    const user = await db.user.findUnique({
+      where: { email },
+      select: {
+        id: true,
+        email: true,
+        name: true,
+        plan: true,
+        password: true,
+        onboardingStartedAt: true,
+        onboardingCompletedAt: true,
+      },
+    });

    if (!user) {
      return NextResponse.json(
@@ -74,12 +84,13 @@ export async function POST(request: NextRequest) {
    // Set cookie
    cookies().set('userId', user.id, getAuthCookieOptions());

-    return NextResponse.json({
-      success: true,
-      user: { id: user.id, email: user.email, name: user.name, plan: user.plan || 'FREE' }
-    });
+    return NextResponse.json({
+      success: true,
+      needsOnboarding: shouldResumeOnboarding(user),
+      user: { id: user.id, email: user.email, name: user.name, plan: user.plan || 'FREE' }
+    });
  } catch (error) {
    console.error('Login error:', error);
    return NextResponse.json({ error: 'Internal server error' }, { status: 500 });
  }
-}
+}
--- a/src/app/(main)/api/onboarding/route.ts
+++ b/src/app/(main)/api/onboarding/route.ts
@@ -0,0 +1,119 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { cookies } from 'next/headers';
+import { db } from '@/lib/db';
+import { csrfProtection } from '@/lib/csrf';
+import { getClientIdentifier, rateLimit, RateLimits } from '@/lib/rateLimit';
+import { onboardingUpdateSchema, validateRequest } from '@/lib/validationSchemas';
+import { getOnboardingState, triggerLifecycleScoring } from '@/lib/revops-server';
+
+export const dynamic = 'force-dynamic';
+
+export async function GET() {
+  try {
+    const userId = cookies().get('userId')?.value;
+
+    if (!userId) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+
+    const state = await getOnboardingState(userId);
+
+    if (!state) {
+      return NextResponse.json({ error: 'User not found' }, { status: 404 });
+    }
+
+    return NextResponse.json(state);
+  } catch (error) {
+    console.error('Error fetching onboarding state:', error);
+    return NextResponse.json({ error: 'Failed to fetch onboarding state' }, { status: 500 });
+  }
+}
+
+export async function PATCH(request: NextRequest) {
+  try {
+    const csrfCheck = csrfProtection(request);
+    if (!csrfCheck.valid) {
+      return NextResponse.json({ error: csrfCheck.error }, { status: 403 });
+    }
+
+    const userId = cookies().get('userId')?.value;
+    const clientId = userId || getClientIdentifier(request);
+    const rateLimitResult = rateLimit(clientId, RateLimits.PROFILE_UPDATE);
+
+    if (!rateLimitResult.success) {
+      return NextResponse.json(
+        {
+          error: 'Too many requests. Please try again later.',
+          retryAfter: Math.ceil((rateLimitResult.reset - Date.now()) / 1000),
+        },
+        { status: 429 }
+      );
+    }
+
+    if (!userId) {
+      return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+    }
+
+    const body = await request.json();
+    const validation = await validateRequest(onboardingUpdateSchema, body);
+
+    if (!validation.success) {
+      return NextResponse.json(validation.error, { status: 400 });
+    }
+
+    const data = validation.data;
+    const now = new Date();
+    const existingUser = await db.user.findUnique({
+      where: { id: userId },
+      select: {
+        onboardingStartedAt: true,
+        sourceConfirmedAt: true,
+        useCaseSelectedAt: true,
+        goalSelectedAt: true,
+        profileCompletedAt: true,
+      },
+    });
+
+    if (!existingUser) {
+      return NextResponse.json({ error: 'User not found' }, { status: 404 });
+    }
+
+    await db.user.update({
+      where: { id: userId },
+      data: {
+        onboardingStartedAt: existingUser.onboardingStartedAt ?? now,
+        signupSourceSelfReported: data.signupSourceSelfReported,
+        primaryUseCase: data.primaryUseCase,
+        primaryGoal: data.primaryGoal,
+        jobRole: data.jobRole,
+        companyName: data.companyName,
+        companyWebsite: data.companyWebsite,
+        teamSizeBucket: data.teamSizeBucket,
+        sourceConfirmedAt:
+          data.signupSourceSelfReported && !existingUser.sourceConfirmedAt
+            ? now
+            : undefined,
+        useCaseSelectedAt:
+          data.primaryUseCase && !existingUser.useCaseSelectedAt
+            ? now
+            : undefined,
+        goalSelectedAt:
+          data.primaryGoal && !existingUser.goalSelectedAt
+            ? now
+            : undefined,
+        profileCompletedAt:
+          data.markProfileComplete && !existingUser.profileCompletedAt
+            ? now
+            : undefined,
+      },
+    });
+
+    triggerLifecycleScoring(userId, 'onboarding_update');
+    const state = await getOnboardingState(userId);
+
+    return NextResponse.json({ success: true, state });
+  } catch (error) {
+    console.error('Error updating onboarding state:', error);
+    return NextResponse.json({ error: 'Failed to update onboarding state' }, { status: 500 });
+  }
+}
--- a/src/app/(main)/api/qrs/route.ts
+++ b/src/app/(main)/api/qrs/route.ts
@@ -1,10 +1,12 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { cookies } from 'next/headers';
 import { db } from '@/lib/db';
-import { generateSlug } from '@/lib/hash';
-import { createQRSchema, validateRequest } from '@/lib/validationSchemas';
-import { csrfProtection } from '@/lib/csrf';
-import { rateLimit, getClientIdentifier, RateLimits } from '@/lib/rateLimit';
+import { generateSlug } from '@/lib/hash';
+import { createQRSchema, validateRequest } from '@/lib/validationSchemas';
+import { csrfProtection } from '@/lib/csrf';
+import { rateLimit, getClientIdentifier, RateLimits } from '@/lib/rateLimit';
+import { DYNAMIC_QR_LIMITS } from '@/lib/plans';
+import { triggerLifecycleScoring } from '@/lib/revops-server';

 // GET /api/qrs - List user's QR codes
 export async function GET(request: NextRequest) {
@@ -47,12 +49,7 @@ export async function GET(request: NextRequest) {
 }

 // Plan limits
-const PLAN_LIMITS = {
-  FREE: 3,
-  PRO: 50,
-  BUSINESS: 500,
-  ENTERPRISE: 99999,
-};
+const PLAN_LIMITS = DYNAMIC_QR_LIMITS;

 // POST /api/qrs - Create a new QR code
 export async function POST(request: NextRequest) {
@@ -208,9 +205,9 @@ END:VCARD`;
    const slug = generateSlug(body.title);

    // Create QR code
-    const qrCode = await db.qRCode.create({
-      data: {
-        userId,
+    const qrCode = await db.qRCode.create({
+      data: {
+        userId,
        title: body.title,
        type: isStatic ? 'STATIC' : 'DYNAMIC',
        contentType: body.contentType,
@@ -224,10 +221,12 @@ END:VCARD`;
        },
        slug,
        status: 'ACTIVE',
-      },
-    });
-
-    return NextResponse.json(qrCode);
+      },
+    });
+
+    triggerLifecycleScoring(userId, 'qr_created');
+
+    return NextResponse.json(qrCode);
  } catch (error) {
    console.error('Error creating QR code:', error);
    return NextResponse.json(
@@ -235,4 +234,4 @@ END:VCARD`;
      { status: 500 }
    );
  }
-}
+}
--- a/src/app/(main)/api/stripe/cancel-subscription/route.ts
+++ b/src/app/(main)/api/stripe/cancel-subscription/route.ts
@@ -1,8 +1,9 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { cookies } from 'next/headers';
-import { stripe } from '@/lib/stripe';
-import { db } from '@/lib/db';
-import { rateLimit, getClientIdentifier, RateLimits } from '@/lib/rateLimit';
+import { cookies } from 'next/headers';
+import { stripe } from '@/lib/stripe';
+import { db } from '@/lib/db';
+import { rateLimit, getClientIdentifier, RateLimits } from '@/lib/rateLimit';
+import { scoreUserLifecycle } from '@/lib/revops-server';

 export async function POST(request: NextRequest) {
  try {
@@ -53,32 +54,35 @@ export async function POST(request: NextRequest) {
    // No active subscription
    if (!user.stripeSubscriptionId) {
      // Just update plan to FREE if somehow plan is not FREE but no subscription
-      await db.user.update({
-        where: { id: userId },
-        data: {
+      await db.user.update({
+        where: { id: userId },
+        data: {
          plan: 'FREE',
          stripePriceId: null,
          stripeCurrentPeriodEnd: null,
-        },
-      });
-      return NextResponse.json({ success: true });
+        },
+      });
+      await scoreUserLifecycle(userId, 'subscription_changed');
+      return NextResponse.json({ success: true });
    }

    // Cancel the Stripe subscription
    await stripe.subscriptions.cancel(user.stripeSubscriptionId);

    // Update user plan to FREE
-    await db.user.update({
-      where: { id: userId },
-      data: {
+    await db.user.update({
+      where: { id: userId },
+      data: {
        plan: 'FREE',
        stripeSubscriptionId: null,
        stripePriceId: null,
        stripeCurrentPeriodEnd: null,
-      },
-    });
-
-    return NextResponse.json({ success: true });
+      },
+    });
+
+    await scoreUserLifecycle(userId, 'subscription_changed');
+
+    return NextResponse.json({ success: true });
  } catch (error) {
    console.error('Error canceling subscription:', error);
    return NextResponse.json(
--- a/src/app/(main)/api/stripe/create-checkout-session/route.ts
+++ b/src/app/(main)/api/stripe/create-checkout-session/route.ts
@@ -65,13 +65,29 @@ export async function POST(request: NextRequest) {
      return NextResponse.json({ error: 'User not found' }, { status: 404 });
    }

-    // Create or get Stripe customer
-    let customerId = user.stripeCustomerId;
-
-    if (!customerId) {
-      const customer = await stripe.customers.create({
-        email: user.email,
-        metadata: {
+    // Create or get Stripe customer
+    let customerId = user.stripeCustomerId;
+
+    if (customerId) {
+      try {
+        const existingCustomer = await stripe.customers.retrieve(customerId);
+
+        if ('deleted' in existingCustomer && existingCustomer.deleted) {
+          customerId = null;
+        }
+      } catch (error: any) {
+        if (error?.code === 'resource_missing' || error?.type === 'StripeInvalidRequestError') {
+          customerId = null;
+        } else {
+          throw error;
+        }
+      }
+    }
+
+    if (!customerId) {
+      const customer = await stripe.customers.create({
+        email: user.email,
+        metadata: {
          userId: user.id,
        },
      });
@@ -79,30 +95,33 @@ export async function POST(request: NextRequest) {
      customerId = customer.id;

      // Update user with Stripe customer ID
-      await db.user.update({
-        where: { id: user.id },
-        data: { stripeCustomerId: customerId },
-      });
-    }
-
-    // Create Stripe Checkout Session
-    const checkoutSession = await stripe.checkout.sessions.create({
-      customer: customerId,
-      mode: 'subscription',
+      await db.user.update({
+        where: { id: user.id },
+        data: { stripeCustomerId: customerId },
+      });
+    }
+
+    const appUrl = process.env.NEXT_PUBLIC_APP_URL || request.nextUrl.origin;
+
+    // Create Stripe Checkout Session
+    const checkoutSession = await stripe.checkout.sessions.create({
+      customer: customerId,
+      mode: 'subscription',
      payment_method_types: ['card'],
      line_items: [
        {
          price: priceId,
          quantity: 1,
-        },
-      ],
-      success_url: `${process.env.NEXT_PUBLIC_APP_URL}/dashboard?success=true`,
-      cancel_url: `${process.env.NEXT_PUBLIC_APP_URL}/pricing?canceled=true`,
-      metadata: {
-        userId: user.id,
-        plan,
-      },
-    });
+        },
+      ],
+      success_url: `${appUrl}/dashboard?success=true&session_id={CHECKOUT_SESSION_ID}`,
+      cancel_url: `${appUrl}/pricing?canceled=true`,
+      metadata: {
+        userId: user.id,
+        plan,
+        billingInterval,
+      },
+    });

    return NextResponse.json({ url: checkoutSession.url });
  } catch (error) {
--- a/src/app/(main)/api/stripe/sync-subscription/route.ts
+++ b/src/app/(main)/api/stripe/sync-subscription/route.ts
@@ -1,7 +1,8 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { cookies } from 'next/headers';
-import { stripe } from '@/lib/stripe';
-import { db } from '@/lib/db';
+import { cookies } from 'next/headers';
+import { stripe } from '@/lib/stripe';
+import { db } from '@/lib/db';
+import { scoreUserLifecycle } from '@/lib/revops-server';

 /**
 * Manual sync endpoint to update user subscription from Stripe
@@ -37,17 +38,19 @@ export async function POST(request: NextRequest) {

    if (subscriptions.data.length === 0) {
      // No active subscription - set to FREE
-      await db.user.update({
-        where: { id: user.id },
-        data: {
+      await db.user.update({
+        where: { id: user.id },
+        data: {
          stripeSubscriptionId: null,
          stripePriceId: null,
          stripeCurrentPeriodEnd: null,
          plan: 'FREE',
-        },
-      });
-
-      return NextResponse.json({
+        },
+      });
+
+      await scoreUserLifecycle(user.id, 'subscription_changed');
+
+      return NextResponse.json({
        success: true,
        plan: 'FREE',
        message: 'No active subscription found, set to FREE plan',
@@ -87,18 +90,20 @@ export async function POST(request: NextRequest) {
    });

    // Update user in database
-    await db.user.update({
-      where: { id: user.id },
-      data: {
+    await db.user.update({
+      where: { id: user.id },
+      data: {
        stripeSubscriptionId: subscription.id,
        stripePriceId: priceId,
        stripeCurrentPeriodEnd: currentPeriodEnd,
        plan: plan as any,
-      },
-    });
-
-    return NextResponse.json({
-      success: true,
+      },
+    });
+
+    await scoreUserLifecycle(user.id, 'subscription_changed');
+
+    return NextResponse.json({
+      success: true,
      plan,
      subscriptionId: subscription.id,
      currentPeriodEnd,
--- a/src/app/(main)/api/stripe/verify-session/route.ts
+++ b/src/app/(main)/api/stripe/verify-session/route.ts
@@ -1,7 +1,8 @@
 import { NextRequest, NextResponse } from 'next/server';
-import { cookies } from 'next/headers';
-import { stripe } from '@/lib/stripe';
-import { db } from '@/lib/db';
+import { cookies } from 'next/headers';
+import { stripe } from '@/lib/stripe';
+import { db } from '@/lib/db';
+import { scoreUserLifecycle } from '@/lib/revops-server';

 export async function POST(request: NextRequest) {
  try {
@@ -20,26 +21,30 @@ export async function POST(request: NextRequest) {
      return NextResponse.json({ error: 'User not found' }, { status: 404 });
    }

-    if (!user.stripeCustomerId) {
-      return NextResponse.json({ error: 'No Stripe customer ID' }, { status: 400 });
-    }
-
-    // Get the most recent checkout session for this customer
-    const checkoutSessions = await stripe.checkout.sessions.list({
-      customer: user.stripeCustomerId,
-      limit: 1,
-    });
-
-    if (checkoutSessions.data.length === 0) {
-      return NextResponse.json({ error: 'No checkout session found' }, { status: 404 });
-    }
-
-    const checkoutSession = checkoutSessions.data[0];
-
-    // Only process if payment was successful
-    if (checkoutSession.payment_status === 'paid' && checkoutSession.subscription) {
-      const subscriptionId = typeof checkoutSession.subscription === 'string'
-        ? checkoutSession.subscription
+    if (!user.stripeCustomerId) {
+      return NextResponse.json({ error: 'No Stripe customer ID' }, { status: 400 });
+    }
+
+    const { sessionId } = await request.json().catch(() => ({ sessionId: null }));
+
+    if (!sessionId || typeof sessionId !== 'string') {
+      return NextResponse.json({ error: 'Missing checkout session ID' }, { status: 400 });
+    }
+
+    const checkoutSession = await stripe.checkout.sessions.retrieve(sessionId);
+
+    const sessionBelongsToUser =
+      checkoutSession.metadata?.userId === user.id ||
+      checkoutSession.customer === user.stripeCustomerId;
+
+    if (!sessionBelongsToUser) {
+      return NextResponse.json({ error: 'Checkout session does not belong to user' }, { status: 403 });
+    }
+
+    // Only process if payment was successful
+    if (checkoutSession.payment_status === 'paid' && checkoutSession.subscription) {
+      const subscriptionId = typeof checkoutSession.subscription === 'string'
+        ? checkoutSession.subscription
        : checkoutSession.subscription.id;

      // Retrieve the full subscription object
@@ -48,41 +53,32 @@ export async function POST(request: NextRequest) {
      // Determine plan from metadata or price ID
      const plan = checkoutSession.metadata?.plan || 'PRO';

-      // Debug log to see the subscription structure
-      console.log('Full subscription object:', JSON.stringify(subscription, null, 2));
-
-      // Get current_period_end - Stripe returns it as a Unix timestamp
-      // Try different possible field names
-      const periodEndTimestamp = subscription.current_period_end
-        || subscription.currentPeriodEnd
-        || subscription.billing_cycle_anchor;
+      // Get current_period_end - Stripe returns it as a Unix timestamp
+      const periodEndTimestamp = subscription.current_period_end
+        || subscription.currentPeriodEnd
+        || subscription.billing_cycle_anchor;

      const currentPeriodEnd = periodEndTimestamp
        ? new Date(periodEndTimestamp * 1000)
        : new Date(Date.now() + 30 * 24 * 60 * 60 * 1000); // Default to 30 days from now

-      console.log('Subscription data:', {
-        id: subscription.id,
-        periodEndTimestamp,
-        currentPeriodEnd,
-        priceId: subscription.items?.data?.[0]?.price?.id,
-      });
-
-      // Update user in database
-      await db.user.update({
-        where: { id: user.id },
-        data: {
-          stripeSubscriptionId: subscription.id,
-          stripePriceId: subscription.items.data[0].price.id,
+      // Update user in database
+      await db.user.update({
+        where: { id: user.id },
+        data: {
+          stripeSubscriptionId: subscription.id,
+          stripePriceId: subscription.items.data[0].price.id,
          stripeCurrentPeriodEnd: currentPeriodEnd,
          plan: plan as any,
-        },
-      });
-
-      return NextResponse.json({
-        success: true,
-        plan,
-        subscriptionId: subscription.id,
+        },
+      });
+
+      await scoreUserLifecycle(user.id, 'subscription_changed');
+
+      return NextResponse.json({
+        success: true,
+        plan,
+        subscriptionId: subscription.id,
      });
    }

--- a/src/app/(main)/api/stripe/webhook/route.ts
+++ b/src/app/(main)/api/stripe/webhook/route.ts
@@ -1,9 +1,10 @@
 import { NextRequest, NextResponse } from 'next/server';
 import { headers } from 'next/headers';
 import { stripe } from '@/lib/stripe';
-import { db } from '@/lib/db';
-import Stripe from 'stripe';
-import { sendConversionEvent } from '@/lib/meta';
+import { db } from '@/lib/db';
+import Stripe from 'stripe';
+import { sendConversionEvent } from '@/lib/meta';
+import { scoreUserLifecycle } from '@/lib/revops-server';

 export async function POST(request: NextRequest) {
  const body = await request.text();
@@ -50,17 +51,19 @@ export async function POST(request: NextRequest) {
            ? new Date(periodEndTimestamp * 1000)
            : new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);

-          const updatedUser = await db.user.update({
-            where: {
-              stripeCustomerId: session.customer as string,
+          const updatedUser = await db.user.update({
+            where: {
+              stripeCustomerId: session.customer as string,
            },
            data: {
              stripeSubscriptionId: subscription.id,
              stripePriceId: subscription.items.data[0].price.id,
              stripeCurrentPeriodEnd: currentPeriodEnd,
              plan: (session.metadata?.plan || 'FREE') as any,
-            },
-          });
+            },
+          });
+
+          await scoreUserLifecycle(updatedUser.id, 'subscription_changed');

          // Meta CAPI — Purchase event
          const amountCents = session.amount_total ?? 0;
@@ -92,34 +95,43 @@ export async function POST(request: NextRequest) {
          ? new Date(periodEndTimestamp * 1000)
          : new Date(Date.now() + 30 * 24 * 60 * 60 * 1000);

-        await db.user.update({
-          where: {
-            stripeSubscriptionId: subscription.id,
+        await db.user.update({
+          where: {
+            stripeSubscriptionId: subscription.id,
          },
          data: {
            stripePriceId: subscription.items.data[0].price.id,
            stripeCurrentPeriodEnd: currentPeriodEnd,
-          },
-        });
-        break;
-      }
+          },
+        });
+        const updated = await db.user.findUnique({
+          where: { stripeSubscriptionId: subscription.id },
+          select: { id: true },
+        });
+        if (updated?.id) {
+          await scoreUserLifecycle(updated.id, 'subscription_changed');
+        }
+        break;
+      }

      case 'customer.subscription.deleted': {
        const subscription = event.data.object as Stripe.Subscription;

-        await db.user.update({
-          where: {
-            stripeSubscriptionId: subscription.id,
-          },
+        const updatedUser = await db.user.update({
+          where: {
+            stripeSubscriptionId: subscription.id,
+          },
          data: {
            stripeSubscriptionId: null,
            stripePriceId: null,
            stripeCurrentPeriodEnd: null,
-            plan: 'FREE',
-          },
-        });
-        break;
-      }
+            plan: 'FREE',
+          },
+        });
+
+        await scoreUserLifecycle(updatedUser.id, 'subscription_changed');
+        break;
+      }
    }

    return NextResponse.json({ received: true });
--- a/src/app/(main)/onboarding/OnboardingClient.tsx
+++ b/src/app/(main)/onboarding/OnboardingClient.tsx
--- a/src/app/(main)/onboarding/page.tsx
+++ b/src/app/(main)/onboarding/page.tsx
@@ -0,0 +1,15 @@
+import type { Metadata } from 'next';
+import OnboardingClient from './OnboardingClient';
+
+export const metadata: Metadata = {
+  title: 'Onboarding | QR Master',
+  description: 'Set up your QR Master workspace and create your first QR code.',
+  robots: {
+    index: false,
+    follow: false,
+  },
+};
+
+export default function OnboardingPage() {
+  return <OnboardingClient />;
+}
--- a/src/app/(main)/r/[slug]/route.ts
+++ b/src/app/(main)/r/[slug]/route.ts
@@ -1,6 +1,7 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { db } from '@/lib/db';
-import { hashIP } from '@/lib/hash';
+import { NextRequest, NextResponse } from 'next/server';
+import { db } from '@/lib/db';
+import { hashIP } from '@/lib/hash';
+import { triggerLifecycleScoring } from '@/lib/revops-server';

 export async function GET(
  request: NextRequest,
@@ -10,13 +11,14 @@ export async function GET(
    const { slug } = await params;

    // Fetch QR code by slug
-    const qrCode = await db.qRCode.findUnique({
-      where: { slug },
-      select: {
-        id: true,
-        content: true,
-        contentType: true,
-      },
+    const qrCode = await db.qRCode.findUnique({
+      where: { slug },
+      select: {
+        id: true,
+        userId: true,
+        content: true,
+        contentType: true,
+      },
    });

    if (!qrCode) {
@@ -24,7 +26,7 @@ export async function GET(
    }

    // Track scan (fire and forget)
-    trackScan(qrCode.id, request).catch(console.error);
+    trackScan(qrCode.id, qrCode.userId, request).catch(console.error);

    // Determine destination URL
    let destination = '';
@@ -121,7 +123,7 @@ export async function GET(
  }
 }

-async function trackScan(qrId: string, request: NextRequest) {
+async function trackScan(qrId: string, userId: string, request: NextRequest) {
  try {
    const userAgent = request.headers.get('user-agent') || '';
    const referer = request.headers.get('referer') || '';
@@ -133,15 +135,30 @@ async function trackScan(qrId: string, request: NextRequest) {
    const dnt = request.headers.get('dnt');
    if (dnt === '1') {
      // Respect Do Not Track - only increment counter
-      await db.qRScan.create({
-        data: {
-          qrId,
-          ipHash: 'dnt',
-          isUnique: false,
-        },
-      });
-      return;
-    }
+      const scanTimestamp = new Date();
+      await db.qRScan.create({
+        data: {
+          qrId,
+          ipHash: 'dnt',
+          isUnique: false,
+          ts: scanTimestamp,
+        },
+      });
+      const activatedUsers = await db.user.updateMany({
+        where: {
+          id: userId,
+          firstScanAt: null,
+        },
+        data: {
+          firstScanAt: scanTimestamp,
+          activationAt: scanTimestamp,
+        },
+      });
+      if (activatedUsers.count > 0) {
+        triggerLifecycleScoring(userId, 'scan_recorded');
+      }
+      return;
+    }

    // Hash IP for privacy
    const ipHash = hashIP(ip);
@@ -222,22 +239,39 @@ async function trackScan(qrId: string, request: NextRequest) {
    const isUnique = !existingScan;

    // Create scan record
-    await db.qRScan.create({
-      data: {
-        qrId,
-        ipHash,
-        userAgent: userAgent.substring(0, 255),
-        device,
+    const scanTimestamp = new Date();
+    await db.qRScan.create({
+      data: {
+        qrId,
+        ts: scanTimestamp,
+        ipHash,
+        userAgent: userAgent.substring(0, 255),
+        device,
        os,
        country,
        referrer: referer.substring(0, 255),
        utmSource,
        utmMedium,
        utmCampaign,
-        isUnique,
-      },
-    });
-  } catch (error) {
+        isUnique,
+      },
+    });
+
+    const activatedUsers = await db.user.updateMany({
+      where: {
+        id: userId,
+        firstScanAt: null,
+      },
+      data: {
+        firstScanAt: scanTimestamp,
+        activationAt: scanTimestamp,
+      },
+    });
+
+    if (activatedUsers.count > 0) {
+      triggerLifecycleScoring(userId, 'scan_recorded');
+    }
+  } catch (error) {
    // Don't throw - this is fire and forget
  }
 }
@@ -250,4 +284,4 @@ function ensureAbsoluteUrl(url: string): string {
  }
  // Default to https for web URLs
  return `https://${url}`;
-}
+}