Save workspace changes

.deploy/artwork-evolution-release/app/Http/Middleware/EnsureOnboardingComplete.php

@@ -0,0 +1,49 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpFoundation\Response;
+
+class EnsureOnboardingComplete
+{
+    /**
+     * Paths that must always be reachable regardless of onboarding state,
+     * so authenticated users can log out, complete OAuth flows, etc.
+     */
+    private const ALWAYS_ALLOW = [
+        'logout',
+        'auth/*',           // OAuth redirects & callbacks
+        'verify/*',         // email verification links
+        'setup/*',          // all /setup/* pages (password, username)
+        'up',               // health check
+    ];
+
+    public function handle(Request $request, Closure $next): Response
+    {
+        $user = $request->user();
+        if (! $user) {
+            return $next($request);
+        }
+
+        $step = strtolower((string) ($user->onboarding_step ?? ''));
+        if ($step === 'complete') {
+            return $next($request);
+        }
+
+        // Always allow critical auth / setup paths through.
+        if ($request->is(self::ALWAYS_ALLOW)) {
+            return $next($request);
+        }
+
+        $target = match ($step) {
+            'email'                   => '/login',
+            'verified'                => '/setup/password',
+            'password', 'username'    => '/setup/username',
+            default                   => '/setup/password',
+        };
+
+        return redirect($target);
+    }
+}